Zscaler Blog

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Abonnieren
Security Research

Tracking A Botnet Infection

image
JULIEN SOBRIER
Juli 10, 2013 - 2 Lesezeit: Min


Recently we found several malicious executables with similar characteristics. These files were found on the following six domains:

 

  • janashfordplumbing.com
  • kalliskallis.com
  • lowes-pianos-and-organs.com
  • continental1.com
  • foreigntire.com
  • gjhimages.com

The URLs used, adhered to the following two formats:

 

 

  • http://www.[domain].com/awstats6_data/[a-f0-9]{10}/?f=sm_main.mp3&k=[0-9]{15}
  • http://www.[domain].com/images/[folder]/[folder]/[a-f0-9]{10}/?f=sm_main.mp3&k=[0-9]{15}

These six domains are otherwise legitimate sites that have been compromised and used to serve malicious content. While I didn't determine the vulnerability used to obtain  control of these websites, all of them were misconfigured, allowing directory listings (viewing all files available in folders) and/or having AWSTATS publicly available.

The malicious files kept changing, with different signatures. Their behavior, however, was always the same and was identified as a botnet. When executed, the botnet hides itself in the Recycle bin and infects other running processes. It connects to over 50 IP addresses over UDP/16471 and TCP/16471. These IPs keep changing with each file and each execution.

The botnet always connects to xlotxdxtorwfmvuzfuvtspel.com through HTTP, but the domain answers with an empty response. You'll notice that the malware uses HTTP/1.0 with a Host header (not RFC compliant), often a good sign of malicious HTTP activity.

 

 

 

Image
HTTP request to C&C


We found the malicious samples through Behavior Analysis, then used our log correlation to find the source of the malicious executables.

 

 

form submtited
Danke fürs Lesen

War dieser Beitrag nützlich?

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Mit dem Absenden des Formulars stimmen Sie unserer Datenschutzrichtlinie zu.