SANS ISC: InfoSec Handlers Diary Blog
Mitglieder hell

Published: 2005-10-03
Last Updated: 2005-10-03 23:13:31 UTC
by William Salusky (Version: 1)
I have been very recently (and still am) investigating the business end of a very active Mitglieder proxynet.  In my experience, these proxy botnets are traditionally used to relay spam, but I have over time witnessed other uses of proxy botnets including but not limited to advertising click-through fraud, fraudulent email and IM account registration/creation, HTTP-based web attacks, and all manner of authentication brute force attacks.

I am currently a witness to the receiving end of a large-scale brute force attack leveraged by a decently sized proxy botnet consisting of anywhere from 8k-12k nodes attacking at any time on any given day.  I'm somewhat frustrated by the ongoing success of these botnet variants due to this particular variant's HTTP-based phone-home method to register the client IP and SOCKS proxy listener port.  Why oh why does it have to be so hard to kill these international web servers dead?  The specific Mitglieder variant I have been looking at lately has at least 42 unique HTTP phone-home destinations that are still DNS resolvable.  The bots phone home with the following HTTP GET patterns, which result in the target HTTP server logging the client IP address along with the SOCKS proxy port number as a query string argument.  Even though many of these servers are obviously virtual hosting environments that return 404 errors or other status codes, it is still possible that they are involved in this mess, since the HTTP server will still gladly log the pertinent client IP and port number of infected nodes via error logging.

In the following list, the tpoint.ru host is currently THE WORST of them and possibly the primary node in masterminding the aggregation and distribution of the active botnet list to other top level proxy abusers to be used for bulk mailer and other abuse types that benefit from an additional hop of anonymous connectivity.  This is absolutely organized big business.  Within minutes of sending a fake connection to tpoint.ru you would see inbound socks proxy abuse.  Try it, you'll see.  Whether you like it is another matter altogether.

Here's a snort signature that can help identify not only Mitglieder proxy infections on your networks, but just about any other proxy bot variant when they are abused for bulkmailing purposes.  Apologies for the snort signature line wrap.  Yes, the rule should be one single line.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Spambot Proxy Control Channel"; flow: established; content:"|04010019|"; offset: 0; depth: 4; classtype: trojan-activity; sid: 2001814; rev:4; )

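To show what that content match actually catches, here is an added Python example (not from the diary or the Bleeding Edge ruleset) that decodes a SOCKS4 request header and applies the same four-byte test the rule uses; the sample payloads are constructed, not captured traffic.

```python
import struct
# A SOCKS4 request starts: VN(1) CD(1) DSTPORT(2, big-endian) DSTIP(4) USERID... NUL.
# The rule's content match |04 01 00 19| at offset 0 is VN=4, CD=1 (CONNECT),
# DSTPORT=0x0019 (TCP/25): a bulk mailer asking an open SOCKS4 proxy to reach a mail server.
RULE_PATTERN = b"\x04\x01\x00\x19"  # content:"|04010019|"; offset:0; depth:4

def matches_spambot_rule(payload: bytes) -> bool:
    """Byte-for-byte equivalent of the rule's content match on the first four payload bytes."""
    return payload[:4] == RULE_PATTERN

def parse_socks4_request(payload: bytes):
    """Decode the fixed SOCKS4 header (and the SOCKS4a hostname extension) so an analyst
    can see what the proxy was asked to do. Returns None for non-SOCKS4 payloads."""
    if len(payload) < 9:  # 8 header bytes plus at least the USERID terminator
        return None
    vn, cd, port = struct.unpack("!BBH", payload[:4])
    if vn != 4 or cd not in (1, 2):  # CD 1 = CONNECT, 2 = BIND
        return None
    ip_bytes = payload[4:8]
    nul = payload.find(b"\x00", 8)
    if nul == -1:
        return None
    req = {"cmd": "CONNECT" if cd == 1 else "BIND", "port": port, "host": None,
           "ip": ".".join(str(b) for b in ip_bytes),
           "userid": payload[8:nul].decode("ascii", "replace")}
    # SOCKS4a: DSTIP of 0.0.0.x (x != 0) means a NUL-terminated hostname follows USERID.
    if ip_bytes[:3] == b"\x00\x00\x00" and ip_bytes[3] != 0:
        end = payload.find(b"\x00", nul + 1)
        if end != -1:
            req["host"] = payload[nul + 1:end].decode("ascii", "replace")
    return req

def describe(payload: bytes) -> str:
    """Triage line: rule verdict plus the decoded request, for an analyst's notes."""
    req = parse_socks4_request(payload)
    if req is None:
        return "not SOCKS4"
    verdict = "ALERT" if matches_spambot_rule(payload) else "no alert"
    return f"{verdict}: SOCKS4 {req['cmd']} {req['host'] or req['ip']}:{req['port']}"

# Constructed sample payloads (not captured traffic); 198.51.100.0/24 is documentation space.
SMTP_CONNECT = b"\x04\x01\x00\x19" + bytes([198, 51, 100, 10]) + b"\x00"
HTTP_CONNECT = b"\x04\x01\x00\x50" + bytes([198, 51, 100, 10]) + b"\x00"
SOCKS4A_SMTP = b"\x04\x01\x00\x19\x00\x00\x00\x01" + b"\x00" + b"mx.example.invalid\x00"
NOT_SOCKS = b"GET / HTTP/1.0\r\n\r\n"
if __name__ == "__main__":
    for name, p in [("SMTP_CONNECT", SMTP_CONNECT), ("HTTP_CONNECT", HTTP_CONNECT),
                    ("SOCKS4A_SMTP", SOCKS4A_SMTP), ("NOT_SOCKS", NOT_SOCKS)]:
        print(f"{name:13s} {describe(p)}")
```

The match fires only on the opening bytes of a SOCKS4 CONNECT to TCP/25, so a proxy bot speaking SOCKS5 (first byte 0x05) or HTTP CONNECT needs a different signature.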

After you've completed your own personal investigations, I myself recommend blocking access to the following host names from your networks.



Give 'em hell.

William Salusky
Handler on Duty (heh heh)
Future homepage for the above handler.



Arnold muscles in to put the smackdown on phishers.

Published: 2005-10-03
Last Updated: 2005-10-03 22:28:35 UTC
by William Salusky (Version: 1)
California Governor Arnold Schwarzenegger flexed his muscles in signing California bill 355 into law on Friday, September 30th, making phishing offenses punishable by law to the tune of either actual damages or $500,000 (USD).  I'll take the latter, thank you very much.  Now the problem is actually finding a phisher who stands still for their punishment.  California Bill 355 is viewable here.

I hope it's not long before Virginia has an equivalent law on the books.  If not, I'll petition for it and ask that the default maximum amount be set to 1 million (USD).  Hey, why not?

UDP/1030 (continued)

Published: 2005-10-03
Last Updated: 2005-10-03 21:49:45 UTC
by William Salusky (Version: 1)
In a continuing effort since yesterday, our readers have been providing us with packet captures of UDP/1030 traffic, which do in fact confirm that the DShield port utilization increase is attributable to Windows Messenger popup spamming attempts.  We are no longer in need of new packet captures.  I repeat, we are no longer in need of packet captures.  We have, however, been unable to confirm any case in which this traffic would result in a successful display of Messenger popup spam.

All samples provided were of the 'Registry fix, you need our application' spam, and if you regularly look at traffic captures this will be nothing new.  I am almost to the point where I treat UDP/1025-1030 as universal background noise.

Kaspersky Anti-Virus Products Remote Heap Overflow Vulnerability

Published: 2005-10-03
Last Updated: 2005-10-03 16:26:35 UTC
by Patrick Nolan (Version: 1)
From the advisory the "issue is due to a heap overflow error in the CAB file format parser that does not properly handle a specially crafted file containing large header records and particular header flags set, which could be exploited by attackers to execute arbitrary commands (e.g. by sending an email containing a specially crafted CAB file)."

udp/1030 Increase

Published: 2005-10-03
Last Updated: 2005-10-03 00:44:39 UTC
by Marcus Sachs (Version: 3)
We've noticed a significant increase in udp/1030 activity in the past 24 hours.  Our initial assessment is that this is a new form of pop-up spam.  If you have captured any of this and have thoughts or analysis you can contribute, please drop us a note on our contact page.  (Update:  earlier I had said "tcp" vice "udp" - I didn't pay close attention to our sensor outputs.  It should be udp.)  (Second update:  this is pop-up spam.  Thanks to those who sent in samples.)
