ZeroAccess C&C / Dropzone


Update:

These domains have now been taken from me and sinkholed by Microsoft.


;; ANSWER SECTION:
vzsjfnjwchfqrvylhdhxa.com. 171043 IN NS ns1.microsoftinternetsafety.net.
vzsjfnjwchfqrvylhdhxa.com. 171043 IN NS ns2.microsoftinternetsafety.net.

;; QUESTION SECTION:
;adhavzpbykyffaxqtts.com. IN ANY

;; ANSWER SECTION:
adhavzpbykyffaxqtts.com. 10 IN CNAME adhavzpbykyffaxqtts.com.sinkholemeasure.com.
adhavzpbykyffaxqtts.com. 172800 IN NS ns1.microsoftinternetsafety.net.
adhavzpbykyffaxqtts.com. 172800 IN NS ns2.microsoftinternetsafety.net.

Short:

ZeroAccess does use a fixed, non-peer-to-peer server to report information to. It might be a command and control server, as some binary-encoded data is returned... I have sinkholed one of the domains (yes, there are more) and got some statistics about a part of the network, though the domain doesn't resolve as expected...

I have seen very little discussion of this aspect of ZeroAccess, so I decided to write about it.

If you are not aware of what ZeroAccess is or how it works, please read the following great paper by Naked Security:

http://nakedsecurity.sophos.com/zeroaccess2/

The project

I've been doing a bit of work on a project to write a Python bot that can blend in as a ZeroAccess bot in its UDP peer-to-peer network. The above paper helped a lot along the way!

Recently I started looking at this project again and fired up some suspended infected VMs in order to continue my work. That is when I noticed the following:

Failing DNS queries to a domain called adhavzpbykyffaxqtts.com. I observed the bot doing this before starting its ad-clicking campaign, so I assumed it was related to the malware itself.

I did not see this traffic until ZeroAccess received an update over its P2P network. I suspect it is part of its ad-clicking module, as directly after this it also starts visiting ad-related URLs.

Sinkhole

So... the domain was not registered. Odd. So I bought it and pointed it to a new VPS. I see a reasonable amount of traffic, but not as much as I expected. Some estimate the botnet to be larger than 2 million bots. Surely I should be seeing 100,000s of hits per hour? Well, I am not.

Oddity:

Neither of my infected VMs seems to be visiting my sinkhole. I see DNS lookups all the time, but when I check the access log, MY IP is not in there. At first I thought that something must trigger the bot to actually visit the domain. Later, when I was running urlsnarf, I noticed the bot WAS visiting. I was excited and grepped the sinkhole log for my IP again... but it wasn't there.

Looking closer, I noticed that the destination IP the bot was visiting was different from that of my sinkhole! First thought: someone took over my sinkhole. But no, none of that.
The bot either does something with the IP it receives back from its DNS query, or there is a hardcoded IP in there. As you can see, ZeroAccess doesn't even wait for its DNS response, so it must be hardcoded.




In the end I concluded that it is hardcoded. I took a clean VM, gave it non-existent DNS servers and infected it with ZeroAccess. I ran FakeDNS in order to return 1.1.1.1 as the A record for adhavzpbykyffaxqtts.com. The bot still visited the same IP as before!
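As an added illustration (not code from the original post), the check below applies the same reasoning over a constructed set of wire events: for each HTTP request it compares the destination IP with what DNS answered for the Host header and flags requests DNS cannot account for, including requests sent before any answer arrived. The event layout and the hostnames other than adhavzpbykyffaxqtts.com are assumptions.

```python
"""Flag HTTP requests whose destination IP does not match what DNS answered for
the Host header, or that were sent before any answer arrived: the behaviour the
post observed for adhavzpbykyffaxqtts.com. Added example; events are constructed."""
from collections import defaultdict

# Constructed, time-ordered wire events as a pcap parser might emit them:
#   ("dns",  qname,  answer_ip)   an A answer seen on the wire
#   ("http", dst_ip, host_header) an HTTP request and its Host header
EVENTS = [
    (0.0, "dns",  "adhavzpbykyffaxqtts.com", "62.113.218.173"),  # sinkhole answer (IP from the post)
    (0.1, "http", "217.23.9.247", "adhavzpbykyffaxqtts.com"),   # ...but the bot connects elsewhere
    (1.0, "http", "203.0.113.5", "other.example"),               # request sent before any answer
    (1.2, "dns",  "other.example", "203.0.113.5"),
    (2.0, "dns",  "cdn.example", "198.51.100.9"),
    (2.1, "http", "198.51.100.9", "cdn.example"),                 # consistent: nothing to report
]

def find_hardcoded_destinations(events):
    """Return [(time, host, dst_ip, reason)] for requests that DNS cannot explain."""
    resolved = defaultdict(set)  # host -> every IP DNS has returned for it so far
    findings = []
    for ts, kind, a, b in sorted(events):
        if kind == "dns":
            resolved[a].add(b)
        elif kind == "http":
            dst_ip, host = a, b
            if host not in resolved:
                findings.append((ts, host, dst_ip, "request sent before any DNS answer"))
            elif dst_ip not in resolved[host]:
                findings.append((ts, host, dst_ip,
                                 "DNS returned %s" % ",".join(sorted(resolved[host]))))
    return findings

if __name__ == "__main__":
    for finding in find_hardcoded_destinations(EVENTS):
        print("t=%.1f %s -> %s: %s" % finding)
```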

Sinkhole how?

Fact: my infected VMs are visiting 'my sinkholed domain' on a different IP. How is it possible that I still see traffic on my sinkhole VPS?

My theory is that some bots are behind transparent proxies that redirect the HTTP traffic to the destination the domain actually resolves to.

DropZones:

Domain                        ResolveTo                      ConnectTo
litcyleyzrglkulaifkrx.com*    166.78.144.80* (Rackspace)     178.239.55.170 (AS47869 NETROUTING-AS)
adhavzpbykyffaxqtts.com**     62.113.218.173**               217.23.9.247 (AS49981 WORLDSTREAM)

Update 2013/09/23:

vzsjfnjwchfqrvylhdhxa.com     62.113.218.173**               217.23.9.247 (AS49981 WORLDSTREAM)

*  Whois says it is a sinkhole. Should see the same traffic as me.
** My sinkhole

Traffic:

The URL is a large base64-encoded string that decodes to something like this:

v=6.0&id=6bb63542&aid=30549&sid=2&os=5.1-32&fp=11.8.800.94&ad=1

v = version
id = (?) not a bot ID, it changes too much
aid = advertisement ID (?)
sid = privilege (?)
os = operating system, based on the NT version
fp = Flash plugin version
ad = admin (?)


Sinkhole Statistics:


Requests per day:

26/Aug/2013  282271
27/Aug/2013  290942
28/Aug/2013  297248
29/Aug/2013  317735
30/Aug/2013  308136
31/Aug/2013  286408
01/Sep/2013  302838
02/Sep/2013  301562
03/Sep/2013  305904
04/Sep/2013  253401
05/Sep/2013  204235
06/Sep/2013  202459

Unique IP per day:

26/Aug/2013 13195
27/Aug/2013 13082
28/Aug/2013 12871
29/Aug/2013 13228
30/Aug/2013 12994
31/Aug/2013 12583
01/Sep/2013 12320
02/Sep/2013 12808
03/Sep/2013 13382
04/Sep/2013 13259
05/Sep/2013 13389
06/Sep/2013 13099


More statistics will come; I'm still thinking about how to make 'accurate' stats. I do not see a bot ID, so I have to trust the source IP, but I already see many IPs with multiple bots behind them... argggg *help*
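As an added example, not the author's own tooling: the script below decodes the base64 beacon path described under Traffic from constructed access-log lines, counts requests and unique source IPs per day, and lists source IPs that presented more than one id within a day, the NAT cases mentioned above. The log format (Apache common log) and the sample lines are assumptions; non-beacon requests are skipped rather than crashing the decoder.

```python
"""Decode ZeroAccess-style beacons from a sinkhole access log and build per-day stats."""
import base64, re
from collections import defaultdict
from urllib.parse import parse_qs

# Apache common log format is an assumption; the beacon is the base64 request path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]*\] '
                    r'"GET /([A-Za-z0-9+/=]+) HTTP/1\.[01]" \d+ \d+')

def make_line(ip, day, query):
    """Build a constructed log line carrying a base64-encoded beacon query."""
    path = base64.b64encode(query.encode("ascii")).decode("ascii")
    return '%s - - [%s:05:19:34 +0000] "GET /%s HTTP/1.1" 200 0' % (ip, day, path)

SAMPLE_LOG = [  # constructed; field layout follows the post (v, id, aid, sid, os, fp, ad)
    make_line("198.51.100.7", "26/Aug/2013", "v=6.0&id=a9543429&aid=30585&sid=0&os=6.1-64&fp=11.8.800.94&ad=1"),
    make_line("198.51.100.7", "26/Aug/2013", "v=6.0&id=e95f964f&aid=30500&sid=8&os=5.1-32&fp=11.8.800.94&ad=1"),
    make_line("203.0.113.22", "26/Aug/2013", "v=6.0&id=f002a4ab&aid=30500&sid=6&os=6.1-32&fp=0&ad=0"),
    make_line("203.0.113.22", "27/Aug/2013", "v=6.0&id=f002a4ab&aid=30500&sid=6&os=6.1-32&fp=0&ad=0"),
    '192.0.2.9 - - [27/Aug/2013:05:19:35 +0000] "GET /favicon.ico HTTP/1.1" 404 0',  # not a beacon
]

def decode_beacon(line):
    """Return (ip, day, fields) for a beacon line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, day, path = m.groups()
    try:
        query = base64.b64decode(path, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # bad padding/alphabet or binary junk
        return None
    if not query.startswith("v="):
        return None
    return ip, day, {k: v[0] for k, v in parse_qs(query).items()}

def summarise(lines):
    """Per day: request count, unique source IPs, and IPs that showed more than one id."""
    requests, ips = defaultdict(int), defaultdict(set)
    ids_per_ip = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = decode_beacon(line)
        if rec is None:
            continue
        ip, day, fields = rec
        requests[day] += 1
        ips[day].add(ip)
        ids_per_ip[day][ip].add(fields.get("id"))
    return {day: {"requests": requests[day], "unique_ips": len(ips[day]),
                  "multi_id_ips": sorted(ip for ip, s in ids_per_ip[day].items() if len(s) > 1)}
            for day in requests}
```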

Sample of my current output (50 / 3,800,000):



2 comments:

  1. The DNS resolving is probably just in case the original server goes down.

  2. Interesting post. Thanks for such an informative post. Here I got one more site which contains a DNS tool. By using this tool we can find the domain owner, web ranking and daily visitors.
    whois domain