MMD-0017-2014 - A post to sting Zeus P2P/Gameover crooks :))

The Background

This end of week, Zeus P2P Gameover (in short: GMO) is having a large campaign by utilizing Upatre (with using latest version to download encrypted ZZP file w/many extensions) which are riding the Cutwails spambots (I checked those by IP and templates). As so many good writings and coverage stated out there, these recent GMO is having a new trend to use Necurs Rootkit, sending new callback (with POST /write) HTTP header to the CNC, dropping themself (GMO payloads) with the polymorphic hashes to evade detection, thus tons of randomized DGA to fire P2P callbacks for the botnet functionality purpose (the last one is apparently not new).

Shotly, this new "trend" with the large volume of campaign brought my interest, so I started to collect what came up to my honeypot from March 18, 2014 until today as the background of this post.

The Quick Research

Below is the pictures of the malvertisement that the crook was kindly sent me personally:

And the below is the list of analysis I did in Virus Total, see the comment of each post for the details:
d866214d1f921028f9001ae399e9f8dec32ec8998c84d20d60a992164888a6fc37a835b0ac6d9727bf881743a90e3a8684ca53fdf485645ce07617ec1a203067947470a114311049e707dfefce904fa727c8170eae8c46165730c699e7636b5f4514fc971127fb0a38a7eb6ce45ce44a68b1b3298ff98d5dd6e4f9bd2af0b1acabf2a63b0b02979d79edd4563f784c7c375eb0cb3ef4dc12ccba2612d07a9dc2e49c5883dfe16916a262f54013735d20fec64ecaf5d6f598c4493f4f68fb9199e5270d906ef13a91e176cf60473747e5bf91bc60fe457dd0f3201a5f51cf65245593370060e811aeacbb09161b9d8ebbf4251286f821503dbede0993f248d13ca7739611b998ed82e060d4297d38f8f0792f4866c54575ba5ba6f2b454246f07e85446688c08dd62bb17a21255fe486eb2fb8ca4acc2e4ae974e31a4ad9dfbe0

There are many interesting details about this threat, like VRT (link) and CERT Polska (link), which are very good reports! Since I am dead busy right now, so please kindly bear with this short post, and I won't wrote much of etc technical details covered in previous reports by others. SO I want to stress here is only one aspect: the DGA callback domains used by GMO (as per below picture) which wasn't covered much in prev. articles, but it is important to understand and learned since the DGA used by GMO is having their weak points to be used stop or mitigate the threat, and giving the bad actor behind the scene a "sting" :))

What's with these "Lame" DGA?

By skipping the details of reversing binaries for security purpose and and comparing the result in the forensics, I collected these callbacks as per below list of domains:

aqivobfijnxoprdqldqqkvwdix,com
aqxoythmntgevmjqsjrugdadhyjn,com
aulbbiwslxpvvphxnjij,biz
bajzlscthulrtnjvcibtgmuouwzd,ru
bemjdihsgemsgiwgdyfizxvrw,org
bjvinbegehaukxdsmfzpeq,com
bnzcehetzhqwxlzhqtnjivr,ru
butjbrljaucztbiwolfpzgyrmz,biz
bywcdgijrswmbeulnmjsijcx,info
dayhqkcqojyhaqjvovtazttaul,info
desushrswsiinxwzprvogafml,com
dgklnrswwccmkjhutgujzxkaep,com
dmayvgdknfuxsyugbaeukbxw,ru
eqqbubmhueuxtmvbiojxba,ru
eqqcdilqbqfxspbecde,org
famvcsozxzdlnhyrchdjqw,ru
gmqxkrkeaugifzaurtvhuqcxslr,com
gysskqkhygyhgaeueiqoayskbmk,biz
hatkyptpevgemjlrbqbexor,com
hcauodzppnmrijgyxvdzhdq,info
hgfuzrgylxkllnbkrvorkuox,info
hswldexoeuamvkswaqgmhgairpj,net
irvgwtcxcyxptqsbmbqeitwf,biz
iveienbhxqhqtqcepxkfm,biz
jbdswlfxvctooztvgjfdbquspr,biz
jzcyqbadyhqovwsdaqpkrtpnciib,com
kflfhivsfybaknyhwckvbagqdof,com
kvinhaqkbygelobdanlzphqfq,com
kzhmtwovopnvwfdthsgirpzp,biz
kzpaqmrmjdifztxcbuynvcqkfkj,info
mptwtibibmrhqtobeizlzzdnfwc,com
nqocjrqxuknbmbqgkhmtoxpcu,ru
ofpgecihvtcwaeamcepvmnt,info
ojwpbugadizpnzdipnlvrwhpuoyp,info
oozovinytdpbbelsqgsodtsc,net
ovmffmmneilyzpqwsonztcbqo,net
pdmvoeqbacuizdmojswirkrkvqgqw,org
peucehqxsgmzhgujfsoeihmpvhiz,info
pifztmzgezpdmgylwkyqnzmzgum,org
pntcizrlfqjzuklhlnlnauln,com
ppbxsydtwvjvrvkiflzfiqcrylor,biz
qcrosgrnrlvtdmjtdzlfad,net
qlbaibmivxcucpgdyaescxdq,org
qroeyypcaqsoyzxxkyldifulry,org
rgpjaymbpfizgionvclzlbjzlwsov,com
rwinsaewkqkrokrhucofaqwxwkv,ru
scrgemdyymrtdqfieaibjbqrs,ru
tccieupuwpyxtzxdqohuqwdqx,org
tcvkwsbqnjhjobgyttklnfxo,com
ucqgfpqcfqzpemgahmylfathq,info
udtgqcgulzjzgqpvkyplzfxzh,net
xkjjvucjfhmkvvgqwyptxshgqo,ru
xohmozgqxkncqcmljrqsyllkrfy,biz
xqavknbthqjvnvxsuojnrsc,org
xwporinufyfyrgdnvzplrfaofbpf,net
ztcpgudtkrwpzjrpcebaoxgp,ru
zxjzaypibnjayfmpzpalkbaunzl,com
zxxpvolvljwkeuofkukydiugrwro,org

"// Additional:"
ojsuwplrsygiduobtlbvw,ru
yltwhytojzhenrxwxoeuljztivbq,biz
bafagqcapzxsvghrhtwzpylgy,net
qkljydlcikfqktsunraynji,org
aemzlxlnduaigyqpjfqdiqopnyp,info
vwbaxhtylxcbetsdwdhahhmx,com
tcrcxkvcvkovvgcadeiqwfqvc,ru
yhqomvsdcmjvhywcjfeieybq,com
huuwvcrbyzmjirmfujbgmeqjb,info
daiaxifkbrtydtamghe,org
daeemibxfaifxocuaevklr,net

"// Additional:"
hyvguwdisgtkfjvpzrshijmjmngu.info
vsskfudeqsorzhhawghonhknp.ru
zttwocyqkpdegqgiytvcxphhy.biz
mftodqwheaiozkbzduwjzydwkonv.com
pvdlcaxlflgavwmfzvgcqhafm.com
swskvaylddwvkhursjhbyx.org
rccicerggqhswvgwolryhvsgqwsxvs.net
aulbbiwslxpvvphxnjij.biz
uoxztdipjzppjdpyttxcjrdiz.ru
zzgezdvwtwyhypfqhytcjraygqp.com
gugquwcumizhgyibbaqobajfvolbh.info

"// Aditional:"
ylaylfxuoscicyxtgbefjb.net
wydyprzfyydcumzqclbhdm.info
vovgytxofhdprlzhzxbmijr.biz
xsjbizzdydceiztcdobtwugisokv.com

"// Additional:"
vclbvginizzlydbqpdumvqclv.info
biayvwobmkptpjddpjnvrc.com
ypzdfiheskxgmjpjvunvvvsmjtvw.ru
hzdmjjneyeuxkpzkrunrgyqgcukf.org
qkdapcqinizsczxrwaelaimznfbqq.biz
fejbjfceztaigmizxlpjtkivcy.info
These are the "Lame DGA" that GMO uses, means these are strings that are being decoded in the malware binary and without seeds, a wannabe DGA (Domain Generation Algorithm) which is not randomized and the logic of extracting each strings is in the GMO binary itself for the listed samples I stated above. One doesn't have to be a reverser to figure some of these "Lame DGA" domains are used & spotted over and over in many samples. So why so many domains made, and "looks" to be randomized in name? "Maybe" they (as of GMO crooks) want us to think as DGA to avoid blocking actually. It is an insult to decent people's intelligent and will be a massive big #FAIL for the crooks itself if people starting to aim cannon for this weak spot (yes, friends, aim your cannon there, THERE!).

What? Blocking? Is it blockable? Not a decoy or something? Are these really activated? < Answer of all these generally are "YES!", and also could be a decoy too (if they're not going to activate these domains anyway). Great, isn't it? :D

Activation, IP Information & Getting Closer to CNC??

As the PoC: Now (TODAY to be precised) I found four of the domains above is actually activated and ALIVE:

aulbbiwslxpvvphxnjij,biz,           "50,116,4,71     DNS1-5,REGISTRAR-SERVERS,COM"
peucehqxsgmzhgujfsoeihmpvhiz,info, "212,71,235,232 NS1-4, MONIKERDNS,NET"
tcvkwsbqnjhjobgyttklnfxo,com, "23,239,140,156 NS1-4,MONIKERDNS,NET"
zxjzaypibnjayfmpzpalkbaunzl,com, "178,79,178,243 DNS1-2,NAMESECURE,COM"

"// Additional:"
bjvinbegehaukxdsmfzpeq.com, "94.126.178.29 NS61.DOMAINCONTROL.COM"
daeemibxfaifxocuaevklr.net, "88.80.191.245 NS1-4.MONIKERDNS.NET"
mftodqwheaiozkbzduwjzydwkonv.com "192.210.237.212 DNS1.REGISTRAR-SERVERS.COM
xsjbizzdydceiztcdobtwugisokv.com, "192.210.237.212 NS1-4.MONIKERDNS.NET"
qkdapcqinizsczxrwaelaimznfbqq.biz, "178.79.178.243 DNS1.NAMESECURE.COM"

With the details information below:


Yes, LINODE is having a serious matter with Zeus/Gameover, because all of these IP addresses are GMO's control and centre front ends :-))

These 4 (four) and just added one new (will add more) IP addresses, which are also not ISDN/pool IP, but a static IP, and two of them are in the status of Corporate ones. So if you think that these four IPs are the peer-tp-peer's or infected PC's IP, the answer is no, and please start to deduct the further investigation step on why GMO is collaborating these IPs.

ADDED: Cut the crap! What's the connection of the DGA to CNC??

I was asked many questions about what's this DGA actually does. I will try to write simple explanation as per follows, sorry to my fellow researchers to burp this fact here, because "some people" are starting to think that I am trying to sell "candy bar" here..

Gameover is rapidly requested DNS for the active IP address of CNC by using this DGA, "WITH OR WITHOUT internet connection" (since I heard a noise said to prevent internet connection to make GMO querying lots of domain..which is just WRONG).
Even the connection of internet exists, GMO will request the rapid calls as per screenshot PCAP above (see below for re-post)

The purpose is to confuse researchers and they are aiming only one (or max: two) IP address(es) of CNC that actually being registered under "few" of "tons" of lame DGA domains. To be more clear, take a look of the PoC below:

As the PoC look at the latest sample's DGA, we detected the activation of the IP address below:

Receiving the IP address from the DGA requested, then GMO can send request to the CNC as per below PoC in real:

This is the connection, and how the DGA is actually very important for Gameover communication to the CNC, blocking these DGA will block its communication to CNC, and without CNC connection GameOver is just "another" bonnet without master's command and control and will work on peer to peering each other without any control from the herder < this is the connection you all asked for, this is the attack point. (Forgive me the God if InfoSec to burp this info out in public here, there is no way I can convince others without telling this fact loud and clear..)

What's the point??

Below are my points, I make it as simple as possible:

1. Get these DGA domain registration info! These DGA is registered only by the bad actor, is not hacked sites, is not a hacked domains. We have tons of experience now for nailing crook's ID by this method, so please extract the information from your known registrars and please passed to law enforcement immediately.

2. A suggestion; Chance to catch "in the act". The unregistered domains will likely to be registered sooner or later after the current ones are blocked/suspended, so it is a good for registrars, CERT and law enforcement to make an extra effort: A list, or better yet, an Auto Block Scheme and maybe a Direct Alert System to be sent to law enforcement to trap the crook's collaborated channels to be "caught in the act" to be legally investigate.

3. Do it NOW. GMO coders is implementing the logic of the DGA in the GMO binary which are stuff that is not easily remake, unless redeveloping big part of the current malware, so we can hope this scheme lasts for a while, so it is a chance for good guys! :-))

4. Words for the "malware crooks": I really love to see malware "crooks's" faces while they're reading this post :P) A few words for the malware coders from us; We are security engineers here, we reverse stuffs very good, we investigate things deep, don't make us coming at you now, STOP your coding malware practise and get the decent work like all of us. Life, no matter what, is never easy, let's code something useful & positive even we only receive few pennies for it.

Samples

Additional & Follow up

Mr. Conrad Longmore was extracting more related DGA via verdicted IP addresses above, thank's Conrad so we don't have to crack binary per binary to get these. Please visit Dynamoo Blog in the link below:

Epilogue

What we are posting here is the knowledge for awareness of many PC users, the victims who are getting many hits by this malware's infection, whose credentials were stolen in some botnets panel by these GMO's affiliated gates/panels, to inform you that actually there are so many methodology that can be applied and executed to stop the malware infection scheme that is coming from/using internet. As long as the good guys are still in control in the networking and internet, the scheme to stop malware infection via malvertisement can always be applied.
The only problem is always: HOW BAD we REALLY want to stop these malware?

#MalwareMustDie!!