#### Michael Sandee, Tillmann Werner, Elliott Peterson
#### August 5, 2015
-----
#### Dr. Brett Stone-Gross, Dell SecureWorks
#### Frank Ruiz, Fox-IT
#### Dr. Christian Rossow, Saarland University
#### Dennis Andriesse, VU University Amsterdam
#### Dr. Christian Dietrich, CrowdStrike
#### @kafeine
#### UK NCA
#### US DOJ CCIPS
#### The ShadowServer Foundation
#### Spamhaus
-----
##### • Spam, infection, account takeover, fraud
```
11/06/2012 18:03:46 02|300|1500 https://[redacted].com
11/06/2012 21:33:43 01|300|1500 https://[redacted].com
11/07/2012 08:48:50 02|999|1500 https://[redacted].com
11/08/2012 06:48:58 12|300|1500 https://[redacted].com
11/09/2012 03:43:54 02|100|1500 https://[redacted].com
11/10/2012 18:53:56 01|100|1500 https://[redacted].com
11/11/2012 23:53:55 01|100|1500 https://[redacted].com
11/12/2012 23:53:54 01|100|1500 https://[redacted].com/...
```
-----
# The Gameover Zeus Operation
-----
```
POST /gameover2.php HTTP/1.1
Accept: */*
X-ID: 7777
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
```
-----
### Technology
-----
### 3rd Party Services
##### • Preferred suppliers like loaders, exploit kits and spammers
-----
##### • Multiple physical servers
-----
```
000020 d3 96 ee 80 e4 40 1e 7f 9d 80 ab 35 fb 0f fe 57 |.....@.....5...W|
000030 7c 27 6a b2 a2 e0 42 8e aa 7c df 17 3c 3e 98 13 ||'j...B..|..<>..|
000040 bd 4e 33 f7 5c da e8 80 92 58 69 ee 5b e8 d4 ce |.N3.\....Xi.[...|
000050 ca ed e8 20 5a b8 42 a0 66 b8 c0 99 25 4e f2 ee |... Z.B.f...%N..|
000060 08 f0 47 07 ce fb 7d 6e 0d 03 ca 25 27 2a fc 71 |..G....n...%'*.q|
000070 5a 43 41 41 ee 10 d7 7b 03 98 1b 5d f6 40 cb 95 |ZCAA.......].@..|
000080 92 32 d1 86 76 46 68 0a 61 a7 17 de 55 e8 2f 89 |.2..vFh.a...U./.|
000090 46 0e 3d 1b 3c ca 4d cf 58 14 6e 77 97 2d 04 3a |F.=.<.M.X.nw.-.:|
0000a0 9d 58 77 d9 5c be c0 99 1c a6 78 99 6c 7a 75 a6 |.Xw.\.....x.lzu.|
0000b0 36 8d 78 0b bf 53 a9 df fe cf e9 79 58 be e1 7b |6.x..S.....yX...|
0000c0 44 d6 42 0a 00 48 e8 96 97 49 6c 71 52 5a 4d 40 |D.B..H...IlqRZM@|
0000d0 bb c2 43 0a 47 0c 8c 68 3f 5b 97 61 8d a2 4e af |..C.G..h?[.a..N.|
0000e0 dd 6a b5 c7 d4 46 53 4f 0c 4d a0 0b 02 e9 51 9b |.j...FSO.M....Q.|
0000f0 28 21 78 e8 37 37 95 cf c3 0a 26 bb 42 aa c1 95 |(!x.77....&.B...|
000100 4c 75 21 42 60 68 e8 a6 b1 b6 76 fb 23 db 5d 0d |Lu!B`h....v.#.].|
000110 d0 6f 0f 87 4a 86 c7 5a b4 c0 86 1f ba 32 ba 89 |.o..J..Z.....2..|
```
-----
```
000020 75 6c 74 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f |ult..Accept-Enco|
000030 64 69 6e 67 3a 0d 0a 43 6f 6e 6e 65 63 74 69 6f |ding:..Connectio|
000040 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 65 6e |n: close..Conten|
000050 74 2d 4c 65 6e 67 74 68 3a 20 32 33 38 0d 0a 58 |t-Length: 238..X|
000060 2d 49 44 3a 20 37 37 37 37 0d 0a 0d 0a 14 19 f4 |-ID: 7777.......|
000070 55 13 e7 98 b8 f0 35 01 e3 9a 94 96 2a 11 5c be |U.....5.....*.\.|
000080 aa ee 00 00 00 00 00 00 00 07 3c d6 3f 15 81 00 |..........<.?...|
000090 8a b7 2f 62 c4 1a 5e d4 3f 9b 5e 88 8e 65 00 00 |../b..^.?.^..e..|
0000a0 00 00 00 00 00 17 00 00 00 17 00 00 00 36 42 7c |.............6B||
0000b0 9a 24 45 60 94 51 43 79 e1 53 36 0e 95 23 35 7d |.$E`.QCy.S6..#5.|
0000c0 95 52 42 7c 66 00 00 00 00 00 00 00 14 00 00 00 |.RB|f...........|
0000d0 14 00 00 00 81 4c f2 55 b1 13 1d b1 4f ad f8 61 |.....L.U....O..a|
0000e0 d4 3f cd 9b ef c8 69 3d 67 00 00 00 00 00 00 00 |.?....i=g.......|
0000f0 08 00 00 00 08 00 00 00 04 6f 5d a5 02 74 0e e2 |.........o]..t..|
000100 c9 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 |................|
000110 ee 07 3c d6 c8 00 00 00 00 00 00 00 10 00 00 00 |..<.............|
```
-----
## Things you do not expect to see in financial malware
-----
# P2P Poisoning Attack
-----
##### • Daily configuration updates
-----
| Type | Purpose | Comment |
|------|---------|---------|
| 00 | Version Request | Ask for binary/config version |
| 01 | Version | Report version information |
| 02 | Peerlist Request | Ask peer for neighbor peers |
| 03 | Peerlist | Send up to 10 neighbor peers |
| 04 | Data Request | Ask for binary or config |
| 05 | Data | Current binary or config |
| 06 | Proxy List | Contains list of proxy nodes |
| 50 | Proxy Announcement | Used to propagate a proxy node |
-----
#### Padding Length 50
#### Session ID c577aabe9d03a499601d2df4139e9c816bef8ce7
#### Bot ID e74bce83d714216729aac4b7b238f14d89cf55eb
-----
#### Padding Length 02
#### Session ID c577aabe9d03a499601d2df4139e9c816bef8ce7
#### Bot ID 517262b78f557456f15c7a65f370b8150d261b5f
#### Peerlist
```
517262b78f557456f15c7a65f370b8150d261b5f 59.90.10.180:1026
51f1dab7004aaad6381c703a639dc758146cbd4f 125.23.117.36:7875
5025d1bf2fb998c4b2256596587d7eb603efd7a2 108.76.33.46:1732
50bc0620feef71b6a5d087d6f48637e95af1c5d5 81.90.26.57:7221
522b0c1d8b7fb6cda19ea4407dc82f24a67008f0 66.189.57.144:5807
52338ca13970ab8878908b9bafc70537fed2a85c 86.57.196.12:9607
55c363c17e8b3528f2e20080e5fbc32eef6fcb28 62.7.187.92:6200
53ce43f39cc89e3335ef2e36bf4ec5a9166f7c1b 59.92.54.113:9033
```
-----
```
Bot ID | IP address | Port
------------------------------------------------------------------
c2ad2c7621e8cc9057e8ee0fe678acdf216f8d0f | 186.88.196.115 | 10355
c28df459e506e3fbaf0fe4e09c3e8a1fcc697f39 | 142.163.184.154 | 12631
3e6684b8016ad93410bc94803d1da9502239f582 | 208.41.173.138 | 13850
c19aff3ecf6a2e0443640baad118ee528ccd43ce | 95.104.110.191 | 15550
3d0445ac21017cf284191485fc045e23a4d65dba | 75.38.136.56 | 10169
5b68273785dc1a0e19d1461ccb5688e150528697 | 98.203.40.174 | 21918
e10fa5a555f3653837ceef2380da034dc7190261 | 174.134.88.28 | 19433
c1ff72dda4362153a43079ed35301537aaf56634 | 74.234.107.231 | 25975
93b2028482d876a9dd4a3b01b2265956f189aed4 | 190.206.20.161 | 29346
```
-----
# The Criminal Investigation
-----
```
./files/175dacb26 md5 is 796cddf7239eca64025cadce41d361d5 https://regatu written
./files/1e105e4bba md5 is 58787c143811f537b3fe529d52e755dd http: 58787c143811f537b3fe529d52e755dd equal md5
./files/705a0d5d31 md5 is d77 module=EXETask&id=102&mode=getloader&name=/ldr int2.exe md5 is d7794674b
35e239b4a819601dc35b00f96087f26c http://91.242.217.34/iframecheck/?modul 35e239b4a819601dc35b00f96087f26c equal md5
./files/d2d2b83280 md5 is b29 module=EXETask&id=53&mode=getloader&name=/ldr ninja.exe md5 is b29ce5968
```
-----
##### "Starting on September 19, 2011, we are beginning to work through the panel where you now find yourselves. (Fraudulent) money transferors and drop (mule) managers are synchronizing their work through our panel, which enables a much greater optimization of the work process and increase in the productivity of our work. Starting from this moment, all drop (mule) managers with whom we are working, and all (fraudulent) money transferors who work with us, are working through this panel. We wish you all
-----
```
31.31.119.248 - - [29/Sep/2011:... HTTP/1.1" 404 475 "-" "Mozilla/... (KHTML, like Gecko) Chrome/14.0...
212.117.170.62 - - [29/Sep/2011... /sadmin.php?act=drops&wft HTTP/... Intel Mac OS X 10.7; rv:8.0a2) ...
```
##### • Developed trail from access to Businessclub to ownership of personal
-----
# Why does it matter?
-----
# Thank You.
-----
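The request on the `/gameover2.php` slide earlier in this deck carries enough fixed features (the path, the numeric `X-ID` header, the MSIE 6.0 User-Agent, and an opaque binary body behind `Content-Length: 238`) to turn into a network-detection check. The Python below is an added example, not tooling from the authors or from the operation: it parses raw HTTP requests and scores them against those features. Both sample requests are constructed; the beacon body is pseudo-random bytes standing in for the opaque payload, and the benign request's `Host` value is a hypothetical name.

```python
"""Score raw HTTP requests against the check-in shape shown on the slide:
POST /gameover2.php, numeric X-ID header, fixed MSIE 6.0 User-Agent, and an
opaque (high-entropy) body. Added example with constructed sample requests."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Indicators copied from the request on the slide.
BEACON_PATH = "/gameover2.php"
BEACON_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
             ".NET CLR 2.0.50727)")


@dataclass
class Request:
    method: str
    path: str
    headers: dict   # lower-cased header name -> value
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Minimal HTTP/1.x parser: request line, headers, then the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers, body)


def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted blobs sit near the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def beacon_indicators(req: Request) -> list:
    """Return the names of the slide's beacon features present in req."""
    hits = []
    if req.method == "POST" and req.path.lower().endswith(BEACON_PATH):
        hits.append("path")
    if req.headers.get("x-id", "").isdigit():
        hits.append("x-id")
    if req.headers.get("user-agent") == BEACON_UA:
        hits.append("user-agent")
    # Only judge entropy on bodies long enough for the estimate to mean anything.
    if len(req.body) >= 64 and entropy_bits(req.body) > 6.0:
        hits.append("opaque-body")
    return hits


def is_beacon(req: Request) -> bool:
    # Two independent indicators: an old MSIE 6 User-Agent alone is not enough.
    return len(beacon_indicators(req)) >= 2


def constructed_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic pseudo-random filler (SHA-256 chain) for the sample body."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


BEACON_BODY = constructed_bytes(238)   # length taken from the slide's Content-Length
# Header lines follow the slide; the body is a constructed stand-in, not captured data.
BEACON_REQUEST = b"\r\n".join([
    b"POST /gameover2.php HTTP/1.1",
    b"Accept: */*",
    b"X-ID: 7777",
    b"User-Agent: " + BEACON_UA.encode(),
    b"Accept-Encoding:",
    b"Connection: close",
    b"Content-Length: 238",
    b"",
    BEACON_BODY,
])
# Constructed benign request: same old User-Agent, but a form post to a hypothetical host.
BENIGN_REQUEST = b"\r\n".join([
    b"POST /login HTTP/1.1",
    b"Host: example.test",
    b"User-Agent: " + BEACON_UA.encode(),
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length: 13",
    b"",
    b"user=a&pass=b",
])

if __name__ == "__main__":
    for raw in (BEACON_REQUEST, BENIGN_REQUEST):
        req = parse_request(raw)
        print(req.path, beacon_indicators(req), is_beacon(req))
```

The two-indicator rule is the part worth keeping when adapting this to a real sensor: the User-Agent string is shared with plenty of legitimate legacy clients, so it only adds confidence on top of the path or the `X-ID` header.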
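The message-type table and the Session ID / Bot ID / Peerlist slides describe the P2P messages by field, without a byte-level layout. The Python below is an added example, not the authors' code and not the protocol's documented wire format: it models a Peerlist message as a padding-length byte, a type byte from the table, the 20-byte session ID and 20-byte bot ID, then up to 10 entries of 20-byte bot ID plus IPv4 address plus big-endian port, followed by random trailing padding. That layout is an assumption made for illustration; the type values, the cap of 10 neighbours, and the sample IDs and peers are copied from the slides.

```python
"""Encoder/decoder for the P2P message fields shown on the slides. The byte
layout below (field order and widths, big-endian port, 1-byte padding-length
field with trailing random padding) is an ASSUMPTION for illustration."""
import enum
import ipaddress
import os
import struct


class MsgType(enum.IntEnum):
    """Message types from the table on the slide."""
    VERSION_REQUEST = 0x00
    VERSION = 0x01
    PEERLIST_REQUEST = 0x02
    PEERLIST = 0x03
    DATA_REQUEST = 0x04
    DATA = 0x05
    PROXY_LIST = 0x06
    PROXY_ANNOUNCEMENT = 0x50


MAX_PEERS = 10                          # "Send up to 10 neighbor peers"
HEADER = struct.Struct(">BB20s20s")     # pad_len, type, session ID, bot ID (assumed)
PEER = struct.Struct(">20s4sH")         # bot ID, IPv4, port (assumed)


def encode_peer(bot_id_hex: str, ip: str, port: int) -> bytes:
    return PEER.pack(bytes.fromhex(bot_id_hex), ipaddress.IPv4Address(ip).packed, port)


def decode_peer(blob: bytes) -> tuple:
    bot_id, ip, port = PEER.unpack(blob)
    return bot_id.hex(), str(ipaddress.IPv4Address(ip)), port


def build_message(mtype, session_hex, bot_hex, peers=(), pad_len=0) -> bytes:
    """Serialize a message; only Peerlist messages carry peer entries here."""
    if mtype == MsgType.PEERLIST and len(peers) > MAX_PEERS:
        raise ValueError("peerlist carries at most %d peers" % MAX_PEERS)
    if mtype != MsgType.PEERLIST and peers:
        raise ValueError("only Peerlist messages carry peer entries in this model")
    body = b"".join(encode_peer(*p) for p in peers)
    head = HEADER.pack(pad_len, int(mtype), bytes.fromhex(session_hex), bytes.fromhex(bot_hex))
    return head + body + os.urandom(pad_len)


def parse_message(data: bytes) -> dict:
    """Parse a message, rejecting truncation, bad padding and oversized peer lists."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    pad_len, raw_type, session, bot = HEADER.unpack_from(data)
    try:
        mtype = MsgType(raw_type)
    except ValueError:
        raise ValueError("unknown message type 0x%02x" % raw_type)
    body_end = len(data) - pad_len
    if body_end < HEADER.size:
        raise ValueError("padding length exceeds message")
    body = data[HEADER.size:body_end]
    peers = []
    if mtype == MsgType.PEERLIST:
        if len(body) % PEER.size:
            raise ValueError("peerlist body is not a whole number of entries")
        peers = [decode_peer(body[i:i + PEER.size]) for i in range(0, len(body), PEER.size)]
        if len(peers) > MAX_PEERS:
            raise ValueError("peerlist exceeds %d peers" % MAX_PEERS)
    return {"type": mtype, "session": session.hex(), "bot": bot.hex(),
            "peers": peers, "body": body}


# Sample values copied from the Peerlist slide.
SESSION = "c577aabe9d03a499601d2df4139e9c816bef8ce7"
BOT = "517262b78f557456f15c7a65f370b8150d261b5f"
SLIDE_PEERS = [
    ("517262b78f557456f15c7a65f370b8150d261b5f", "59.90.10.180", 1026),
    ("51f1dab7004aaad6381c703a639dc758146cbd4f", "125.23.117.36", 7875),
    ("5025d1bf2fb998c4b2256596587d7eb603efd7a2", "108.76.33.46", 1732),
    ("50bc0620feef71b6a5d087d6f48637e95af1c5d5", "81.90.26.57", 7221),
    ("522b0c1d8b7fb6cda19ea4407dc82f24a67008f0", "66.189.57.144", 5807),
    ("52338ca13970ab8878908b9bafc70537fed2a85c", "86.57.196.12", 9607),
    ("55c363c17e8b3528f2e20080e5fbc32eef6fcb28", "62.7.187.92", 6200),
    ("53ce43f39cc89e3335ef2e36bf4ec5a9166f7c1b", "59.92.54.113", 9033),
]


def roundtrip(pad_len: int = 7) -> dict:
    """Build the slide's Peerlist message with random padding and parse it back."""
    return parse_message(build_message(MsgType.PEERLIST, SESSION, BOT, SLIDE_PEERS, pad_len))


if __name__ == "__main__":
    msg = roundtrip()
    print(msg["type"].name, msg["session"], len(msg["peers"]), "peers")
    for bot_id, ip, port in msg["peers"]:
        print(" ", bot_id, "%s:%d" % (ip, port))
```

The parser checks the three things that matter when consuming peer lists from untrusted nodes: the padding length must fit inside the message, the body must be a whole number of entries, and the entry count must respect the 10-peer limit from the table.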