Jose Nazario of Arbor Networks recently posted an analysis of Trojan.Heloag on their blog, mentioning that some observed behaviour might be related to Peer-to-Peer C&C functionality. However, Jose's analysis was dynamic only and thus he was not certain about this when I contacted him (also thanks to Alex Cox for sharing network traces of his honeypot). Being interested in Peer-to-Peer botnets (e.g. Stormfucker: Owning the Storm Botnet [MP4 Video]), I had to take a deeper look.
The Heloag binaries I've looked at (6ede527bb5aa65eae8049ac955b1018d dropped by d9b14a7bc0334458d99e666e553f0ee0) did not contain any Peer-to-Peer C&C functionality! Instead, the bot speaks a very simple protocol over TCP with the following command types supported (encoded as the first byte of the packet):
Figure: Disassembly for function 4
This means that even though multiple C&C servers were observed during dynamic analysis, what is happening is a hand-over from one C&C server to another, which can be used for load balancing or for renting out bots. Since the bot is connected to only one server at any given time, this does not add much take-down resilience (phew!).
A new reincarnation of the infamous Storm Worm -- or Zhelatin, as it is called by Kaspersky Lab -- has been making the rounds in the news lately. Felix Leder, Mark Schlößer and Tillmann Werner have already posted an extensive analysis, where they conclude that the new samples spreading share about 66% of their code with the original Storm worm. They were kind enough to share detailed analysis results (their .idb, for you technical folks) with me so I could look into this quickly and confirm their results.
The analysis shows that the new samples seem to consist only of the spam and DDoS engines extracted from the original Zhelatin, wrapped in an HTTP C&C mechanism. The samples call back to one central command and control server (its IP is hardcoded at the end of the file) located in the Netherlands.
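A practitioner triaging such a sample usually wants to pull that hardcoded address out before opening the disassembler. The following is an added example, not tooling from Kaspersky Lab or from the analysts named above; it assumes nothing about the real sample beyond the statement that the address sits near the end of the file, and it therefore looks for both an ASCII dotted-quad string and a raw 4-byte in_addr in either byte order. The sample bytes are constructed and use RFC 5737 documentation addresses, not the address from the analysed binary.

```python
"""Scan the tail of a binary for hard-coded IPv4 addresses.

Added example, not the analysts' tooling.  Handles ASCII dotted-quad
strings (high confidence) and raw 4-byte integers, big- and
little-endian (lower confidence, filtered heuristically).
"""
import ipaddress
import re
import socket

DOTTED_RE = re.compile(rb"(?<![0-9.])(\d{1,3}(?:\.\d{1,3}){3})(?![0-9.])")

# Constructed sample tail (not bytes from the real sample): zero filler, an
# ASCII URL holding one documentation address, then a second documentation
# address packed big-endian, then padding.
SAMPLE_TAIL = (
    b"\x00" * 40
    + b"http://192.0.2.10/gate.php\x00"
    + socket.inet_aton("198.51.100.7")
    + b"\x00" * 4
)


def plausible(ip: str) -> bool:
    """Reject values that are almost never a C&C endpoint: 0/8, loopback,
    link-local, multicast/reserved (>= 224), and host octets of 0 or 255."""
    addr = ipaddress.IPv4Address(ip)
    first, _, _, last = addr.packed
    if first == 0 or first == 127 or first >= 224 or addr.is_link_local:
        return False
    return last not in (0, 255)


def ascii_candidates(blob: bytes):
    """Dotted-quad strings inside the blob."""
    hits = []
    for m in DOTTED_RE.finditer(blob):
        text = m.group(1).decode("ascii")
        if all(int(o) <= 255 for o in text.split(".")) and plausible(text):
            hits.append((m.start(), "ascii", text))
    return hits


def _string_boundary(word: bytes) -> bool:
    """A NUL next to printable text is a string terminator, not an integer."""
    printable = [0x20 <= b < 0x7F for b in word]
    for i, b in enumerate(word):
        if b == 0 and ((i > 0 and printable[i - 1]) or (i < 3 and printable[i + 1])):
            return True
    return False


def packed_candidates(blob: bytes, skip_spans):
    """Every 4-byte window as in_addr, both byte orders.  Noisy by nature,
    so skip windows inside ASCII hits, windows of plain printable text
    (b"http" would decode to 104.116.116.112), zero-heavy windows (padding,
    small integers) and windows straddling a string terminator."""
    hits = []
    for off in range(len(blob) - 3):
        if any(s <= off < e for s, e in skip_spans):
            continue
        word = blob[off:off + 4]
        if all(0x20 <= b < 0x7F for b in word) or word.count(0) >= 2:
            continue
        if _string_boundary(word):
            continue
        for order, raw in (("packed-be", word), ("packed-le", word[::-1])):
            ip = socket.inet_ntoa(raw)
            if plausible(ip):
                hits.append((off, order, ip))
    return hits


def find_hardcoded_ipv4(blob: bytes, tail_len: int = 256):
    """Return (absolute offset, kind, ip) for candidates in the last
    tail_len bytes: ASCII hits first, then packed hits by offset."""
    tail = blob[-tail_len:]
    base = len(blob) - len(tail)
    ascii_hits = ascii_candidates(tail)
    spans = [(off, off + len(ip)) for off, _, ip in ascii_hits]
    packed_hits = packed_candidates(tail, spans)
    return [(base + off, kind, ip) for off, kind, ip in ascii_hits + packed_hits]


def scan_file(path: str, tail_len: int = 256):
    """Convenience wrapper for a sample on disk."""
    with open(path, "rb") as fh:
        return find_hardcoded_ipv4(fh.read(), tail_len)


if __name__ == "__main__":
    for off, kind, ip in find_hardcoded_ipv4(SAMPLE_TAIL):
        print(f"0x{off:06x} {kind:10} {ip}")
```

A packed window that survives the filters shows up twice, once per byte order; which one is right has to come from the disassembly (the instruction that loads the constant into a sockaddr_in, or the call that consumes it). Treat the ASCII hit as the strong signal and the packed hits as leads to confirm, and raise tail_len if the data section is larger than a few hundred bytes.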
ShadowServer have already contacted the hoster for takedown, so this should be an easy threat to contain. Currently, we've seen only 139 detections for Trojan.Win32.Fraudload.apnh (our detection before that specific new threat) through our KLoud Security Network and therefore consider it a relatively moderate threat.
Figure: Number of detections of current Zhelatin
Figure: Geographical distribution of Zhelatin detections
While analysing Kido network behaviour we've been able to develop an application that helped us to get an in-depth insight into the peer-to-peer network communications of the malware, which have been used to distribute updates over the last week. Over a 24 hour observation period, we've been able to identify 200652 unique IPs participating in the network, far fewer than the initially estimated Kido infection counts.
This is mostly due to the fact that only the latest variants of Kido participate in the peer-to-peer network, and only a fraction of the nodes infected with earlier variants have been updated to the new variants.
In terms of global distribution, we're seeing the picture expected from the initial infection counts. Brazil and Chile clearly stand out in terms of peer counts:
As already reported by F-Secure earlier, criminals are using the Kido/Conficker hype to push their rogue anti-virus product. It will sometimes display false alerts on clean systems and tries to lure victims into buying a fake cleaning program from them for $39.95. Contrary to what they claimed on remove-conficker.org (the website has since been taken down), their product fails to detect Kido: