A Wrench in the Cogwheels of P2P Botnets. Tillmann Werner, Senior Virus Analyst, Kaspersky Lab. 23rd Annual FIRST Conference, Vienna, 13th June 2011


Slide 1: A Wrench in the Cogwheels of P2P Botnets. Tillmann Werner, Senior Virus Analyst, Kaspersky Lab. 23rd Annual FIRST Conference, Vienna, 13th June 2011

Slide 2: The Story

Slide 3: The Story

Slide 4: The Story

Slide 5: The Story :-)

Slide 6: No Tweets, Please

Slide 7: Storm

Slide 8: Waledac

Slide 9: Storm 2

Slide 10: Timeline. Storm, Waledac, Storm 2, Hlux, today; time axis 2007, 2008, 2009, 2010, 2011

Slide 11: Helping small cocks grow since 1908

Slide 12: usapharmacy.com

Slide 13: sleepingpill.ru

Slide 14: HTTP Redirects

Slide 15: Logging... kthx.
01.02.2011 17:58:41 Init logging. Level=4 Log path=c:\documents and Settings\analyst\Desktop.
01.02.2011 17:58:41 [Socks][013A66C8] ~ create connection object
01.02.2011 17:58:41 Client 0.0.57 started.
01.02.2011 17:58:41 [vo]looing for old client...
01.02.2011 17:58:41 Looing for old client...
01.02.2011 17:58:41 Timing zone[find_and_kill_old_clients] ms=460
01.02.2011 17:58:41 Config loaded Ok. own_id=3eeeaa97 2777 410c 8e82 b341c484eb8f, port = 80
01.02.2011 17:58:41 Loaded bootstrap list:
[list of bootstrap clients (client id, ip:port) omitted]

Slide 16: Controllers, Workers, Routers
Controller: the brain of the botnet; distributes commands.
Worker: on a private IP address; does all the dirty work.
Router: on a public IP address; routes messages between controllers and other nodes.

Slide 17: Architecture of the Hlux Botnet...

Slide 18: Communication Protocol
Message types:
  0x03e8 Bootstrap Message
  0x03ea Job Request
  0x03eb Ping
  0x03ec Pong
  0x03ed Harvest Results
  0x (value missing in the transcription) Job Response
Serialization: ANMP (Int, String, List, List of Strings, Map, Blob)
Compression: Lempel-Ziv
Encryption: Blowfish CBC

Slide 19: Message Header
36 bytes. Static signature. Contains length and type. Last header byte: padding length.
[hex dump of a captured message, not reproduced]

Slide 20: Version 2
[hex dump of a captured version 2 message, not reproduced]

Slide 21: Version 2: Hashes instead of Labels
Human-readable labels make analysis a lot easier. Since protocol version 2: hashes.
  CB8FF469694798  m_job_servers
  995E533b9AB120  m_list_id
  F74FB6B49E16A9  m_client_id

Slide 22: Version 3
[hex dump of a captured version 3 message, not reproduced]

Slide 23: Version 3: Non-Static Message Headers
No signature. Encodes dynamic payload offset and message length. Random amount of garbage before the actual message.

Slide 24: Decoding Messages

Slide 25: Harvesting Phase
Search pattern: .*@.*\..{1,3}
Later versions: sniffer for HTTP/FTP/POP3/SMTP logins
m_reports_bag:
  m_harested_mails: (string list with 1443 elements): MN@KgNB.A2V WL9@W0.9O k0716w@p.s3 gi@r0.kfa Uo@mh.bI 9@BqkEu7.g O YbPD@.RT7 B@j.Jr SU@p.COl lcnk @.ph3.0 HA2@1Y3C..l.7j l@.inb O7D@p7A7i4.2t K@lbN9ET.5W S@o6.2c k@vmufolmwro.qsg...
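To see what the harvesting pattern on this slide actually captures, here is an added example (my own code, not code from the talk or from the bot) that runs the slide's regex over a constructed buffer and compares it with an anchored address pattern. The per-line scan, the STRICT_PATTERN and the sample buffer are assumptions, not details from the talk.

```python
import re

# The search pattern quoted on the slide. Every '.' matches any byte, so the
# two greedy '.*' swallow whatever surrounds the '@' and the final dot.
HLUX_PATTERN = re.compile(rb".*@.*\..{1,3}")

# Assumed comparison pattern (not from the talk): one address token, no junk.
STRICT_PATTERN = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample buffer standing in for a file the bot scans on disk:
# a mail header line, a line with two addresses, a run of binary junk that
# happens to contain '@' and '.', and two lines that should yield nothing.
SAMPLE_BUFFER = (
    b"From: alice@example.com\n"
    b"cc bob@example.org, carol@example.net\n"
    b"\x00\x02@\x7fAB..x.yz\x01\n"
    b"no address here\n"
    b"user@localhost\n"
)


def harvest_loose(buffer: bytes) -> list:
    """Scan line by line with the slide's pattern, one match per line.

    Per-line scanning is an assumption; the talk does not say how the bot
    walks a file. The point is what the pattern returns, not how it is driven.
    """
    hits = []
    for line in buffer.split(b"\n"):
        m = HLUX_PATTERN.search(line)
        if m:
            hits.append(m.group(0))
    return hits


def harvest_strict(buffer: bytes) -> list:
    """Same buffer with the anchored pattern: one hit per real address."""
    return [m.group(0) for m in STRICT_PATTERN.finditer(buffer)]


def loose_hits_are_clean(buffer: bytes) -> list:
    """For each loose hit, whether it is a single well-formed address."""
    return [STRICT_PATTERN.fullmatch(hit) is not None for hit in harvest_loose(buffer)]


if __name__ == "__main__":
    for hit in harvest_loose(SAMPLE_BUFFER):
        print("loose :", hit)
    for hit in harvest_strict(SAMPLE_BUFFER):
        print("strict:", hit)
```

The loose pattern returns whole lines and even the binary junk line, which is why a harvester built on it reports far more "addresses" than a mail server will ever accept.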

Slide 26: Spam Jobs
m_mail_section:
  m_tasks:
    m_tasks: (1 elements)
      m_adress: (string list with 250 elements):
      m_name: string (1 bytes): 2
      m_body: string (664 bytes): Received: from %^C0%^P%^R3 6^%:...
  m_dictionaries:
    m_dictionaries: (4 elements)
      name: string (6 bytes): pharma
      m_file_timestamp: 2011 05 01 06:30:07 GMT
      m_words: (string list with 1 elements):
      name: string (16 bytes): mirabella_links2
      m_file_timestamp: 2011 05 01 06:30:07 GMT
      m_words: (string list with 10 elements):
      name: string (5 bytes): names
      m_file_timestamp: 2011 05 01 06:30:01 GMT
      m_words: (string list with 298 elements): ...

Slide 27: Status Messages
m_is_first_meet: string (1 bytes):
m_last_worked_job_id: string (8 bytes): 1a0fc04d
a6509ddd4ef054: string (16 bytes): 47e9557b8c4823b55677cd3ae741a8
m_reports:
  m_mail_reports: (20 elements)
    d: string (17 bytes): nej123@corvus.com  v: string (1 bytes): 2  z: string (3 bytes): ERR
    d: string (30 bytes): ingeborg.schoeffmann@utanet.at  v: string (1 bytes): 2  z: string (3 bytes): ERR
    d: string (15 bytes): ilug@nijjar.net  v: string (1 bytes): 2  z: string (3 bytes): ERR
    d: string (26 bytes): kkruegernn@capstoneins.com  v: string (1 bytes): 2  z: string (3 bytes): OK
    d: string (25 bytes): medioambiente@amacweb.org  v: string (1 bytes): 2  z: string (3 bytes): ERR
    ...

Slide 28: The 'mirabella' Template

Slide 29: 'mirabella' Spam

Slide 30: The 'casino' Template

Slide 31: inter-casino-poker.com

Slide 32: Spam Frequency
One successfully delivered spam message every 10 seconds.
smtp-sink -f QUIT
A little bit of iptables magic.

Slide 33: bit.ly

Slide 34: Clicks on April 27th, 2011: 37,683

Slide 35: Clicks per Country
  CC     Clicks
  US     20231
  CA      2097
  NL      1707
  GB      1485
  KR       972
  BE       955
  DE       742
  IN       501
  CZ       494
  DK       471
  Other   8028

Slide 36: Renting Out the socks5 Proxy Network
^E^A^@^E^A^@^Ab<82>^A<AA>^@^Y
EHLO bn d932da66.pool.mediaways.net
AUTH LOGIN
cmv0ywlsqg5pzghpcmvzb3vyy2vzlmnvbq==
QWpLOEhOOUw=
MAIL FROM:
RCPT TO:david.mcgrath@tvu.ac.uk
DATA
Subject: Job Proposal
From: retail@nidhiresources.com
To: david.mcgrath@tvu.ac.uk
Hello, It's Bryan Green, ENGINEERING & CONSULTANCY SERVICES, HR manager. We found your e mail in the base of applicants for a job.... Get in touch with us and join our company. E mail : hr@engineering and consultancy.co.uk Yours respectfully, Bryan Green, HR manager.

Slide 37: Distribution of Fake AV

Slide 38: Introducing Own Peers

Slide 39: Speaking Hlux

Slide 40: Thank You. A Wrench in the Cogwheels of P2P Botnets. Tillmann Werner, Senior Virus Analyst, Kaspersky Lab. 23rd Annual FIRST Conference, Vienna, 13th June 2011