
Another Trojan Bamital Pattern

THREATLABZ
May 06, 2011 - 4 min read

The other day I detected a handful of Bamital-infected clients beaconing out with a different pattern than the one listed in EmergingThreats, and thought I'd post something for the masses to consume and be on the lookout for in their networks. Microsoft's Malware Protection Center lists a first iteration of the Trojan back in 2009, used to do pop-up/injected advertising on behalf of the attacker, but since then the malware family has grown in variations and scope of capability, for example search result manipulation and malware dropping. There are now 29 variants listed in the MS encyclopedia, including those published in mid/late April 2011.

The existing EmergingThreats signature was created from this February 2011 ThreatExpert report:
 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; content:"/favicon.ico?0="; http_uri; content:"&1="; http_uri; content:"&2="; http_uri; content:"&3="; http_uri; content:"&4="; http_uri; content:"&5="; http_uri; content:"&6="; http_uri; content:"&7="; http_uri; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=fbcdfecc73c4389e8d3ed7e2e573b6f1; sid:2012299; rev:2;)
 
The different HTTP URI pattern I'm seeing for the Bamital C&C communication is:
 
/message.php?subid=
&br=
&os=
&flg=
&id=
&ad=
&ver=
 
The C&Cs I have observed have typically been using free subdomain services such as ".co.cc" and ".cz.cc"; this type of abuse is nothing new for these pseudo-"TLDs."


 
Here is a snippet of domains and servers used for this C&C infrastructure:

00a8cf363ddca6b75e1b5c781b0ba226.co.cc
00a8cf363ddca6b75e1b5c781b0ba226.cz.cc
150224dce21c1056c5140bdfb2e1e8c2.co.cc
150224dce21c1056c5140bdfb2e1e8c2.cz.cc
2675589750ef32cc7fe75d7ff8e3fcbd.co.cc
2675589750ef32cc7fe75d7ff8e3fcbd.cz.cc
4bc53ed6c2c5a32606588c1d72d16a59.co.cc
4bc53ed6c2c5a32606588c1d72d16a59.cz.cc
5c099914bf7eaacb8aab1cab73cdd90b.co.cc
5c099914bf7eaacb8aab1cab73cdd90b.cz.cc
7ffea8c792bb81efca737acc44861bc3.co.cc
7ffea8c792bb81efca737acc44861bc3.cz.cc
85fd1f94d59ff6936e99c281f99a0953.co.cc
85fd1f94d59ff6936e99c281f99a0953.cz.cc
936d16bf80262add68838f96677a9620.co.cc
936d16bf80262add68838f96677a9620.cz.cc
cb9df029fbcea991d8aa64f97ff9fd40.co.cc
cb9df029fbcea991d8aa64f97ff9fd40.cz.cc
ff7cca28c0bdf5a60f09b4ec52db39bf.co.cc
ff7cca28c0bdf5a60f09b4ec52db39bf.cz.cc
 
The above C&C domains resolve to only a handful of IPs:
112.175.243.21 (KR)
112.175.243.22 (KR)
112.175.243.23 (KR)
112.175.243.24 (KR)
207.58.177.96 (US)
Open-source intelligence on these IPs (for example, malwareurl.com, malc0de.com and CleanMX) confirms their use as C&Cs as well as for hosting malicious fake videos/plugins.
 
Other open-source reports also list .info domains with the same hash-like naming format hosting Bamital C&C infrastructure that uses the beaconing pattern identified above, e.g.,
 
DA9341709E53AD11D84C6284EDA86043.info
D5403E5622841DD806915A4DE67DD9F8.info
87D53FBC27630E53A7CA13B7242DEFB3.info

 

Given the bulk registration of new domains that keeps this C&C infrastructure alive, you really need a set of signatures in addition to domain/IP filtering. Keep an eye out for this other Bamital pattern in your networks:

# sid/rev below are a local-range placeholder added so the rule loads; they are not from the original post
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Zscaler TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; content:"/message.php?subid="; http_uri; content:"&br="; http_uri; content:"&os="; http_uri; content:"&flg="; http_uri; content:"&id="; http_uri; content:"&ad="; http_uri; content:"&ver="; http_uri; classtype:trojan-activity; reference:url,research.zscaler.com/2011/05/another-trojan-bamital-pattern.html/; sid:1000001; rev:1;)
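As an added example (not part of the original post and not Zscaler's code), the Python below applies the three layers this post argues for to a batch of HTTP proxy log lines: the URI signature (the same token checks the rule above makes with `content:...; http_uri`), the hash-like `<32 hex>.co.cc / .cz.cc / .info` domain shape, and the known C&C IP list. The log format (`timestamp src_ip dst_ip method host uri`) is a constructed, assumed format for this example, not any product's real log; the C&C names and IPs in the sample come from the post, while the other hosts and addresses are constructed from reserved documentation ranges. Note that the third sample line is a beacon to a domain and IP that are on no list, which is exactly the case only the URI signature catches.

```python
"""Added example: Bamital beacon / C&C-domain / C&C-IP checks over sample proxy logs.

Assumed (constructed) log format, one record per line:
    <timestamp> <src_ip> <dst_ip> <method> <host> <uri>
"""
import re

# Known C&C IPs from the post (the only page-sourced IPs used here).
KNOWN_C2_IPS = {
    "112.175.243.21", "112.175.243.22", "112.175.243.23", "112.175.243.24",
    "207.58.177.96",
}

# The URI tokens the Zscaler rule matches with content:...; http_uri.
# Like the rule, this checks that each token is present, not their order.
BEACON_LEAD = "/message.php?subid="
BEACON_TOKENS = ("&br=", "&os=", "&flg=", "&id=", "&ad=", "&ver=")

# 32 hex characters followed by one of the abused suffixes seen in the post.
HASHLIKE_HOST = re.compile(r"^[0-9a-f]{32}\.(?:co\.cc|cz\.cc|info)$", re.IGNORECASE)


def is_bamital_beacon(uri: str) -> bool:
    """True if the request URI has the /message.php?subid=...&ver= beacon shape."""
    return uri.startswith(BEACON_LEAD) and all(tok in uri for tok in BEACON_TOKENS)


def is_hashlike_c2_host(host: str) -> bool:
    """True for <md5-looking label>.co.cc / .cz.cc / .info hostnames (case-insensitive)."""
    return HASHLIKE_HOST.match(host.strip().rstrip(".")) is not None


def parse_log_line(line: str) -> dict:
    """Split one log line into its six fields; raises ValueError on malformed input."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    keys = ("ts", "src", "dst", "method", "host", "uri")
    return dict(zip(keys, fields))


def classify(rec: dict) -> list:
    """Return the reasons a record is suspicious (empty list if none)."""
    reasons = []
    if is_bamital_beacon(rec["uri"]):
        reasons.append("beacon-uri")       # signature-style check on the URI
    if is_hashlike_c2_host(rec["host"]):
        reasons.append("hashlike-domain")  # domain-shape heuristic
    if rec["dst"] in KNOWN_C2_IPS:
        reasons.append("known-c2-ip")      # IP blocklist check
    return reasons


def scan_log(text: str) -> list:
    """Return (src_ip, host, reasons) for every line that trips at least one check."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src"], rec["host"], reasons))
    return hits


# Constructed sample traffic. Lines 1 and 4 use C&C names/IPs from the post; line 3 is a
# beacon to a host and IP on no list (only the URI signature catches it); line 2 is benign.
SAMPLE_LOG = """\
2011-05-04T10:01:12Z 10.0.0.15 112.175.243.21 GET 00a8cf363ddca6b75e1b5c781b0ba226.co.cc /message.php?subid=1001&br=ie8&os=xp&flg=0&id=ab12&ad=1&ver=3
2011-05-04T10:01:40Z 10.0.0.22 203.0.113.9 GET cdn.example /favicon.ico
2011-05-04T10:02:03Z 10.0.0.15 198.51.100.7 GET freshly-registered.example /message.php?subid=1001&br=ie8&os=xp&flg=0&id=ab12&ad=1&ver=3
2011-05-04T10:02:30Z 10.0.0.31 207.58.177.96 GET DA9341709E53AD11D84C6284EDA86043.info /player/update.php?v=2
"""

if __name__ == "__main__":
    for src, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{src} -> {host}: {', '.join(reasons)}")
```

Running the block prints one line per flagged record with the checks it tripped; the benign favicon fetch produces nothing, and the beacon to `freshly-registered.example` is reported by the URI check alone, which is the point of pairing a signature with the domain and IP lists.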