Category: Network & Security

2011-08-18 20:09:08


30 Days of Cycbot
Introduction:
I started doing some analysis on a beaconing pattern that I observed this past week. Initially the pattern and domains that I observed had little open-source information available for my searches, but as I widened my search in the logs I found other infected customers across a variety of sectors and was able to track a botnet that uses a large number of IPs and domains for its command and control. This is the "Cycbot" botnet: first detected around August 2010 (reference), it has not appeared much in the media, but it appears to be making its rounds and infecting hosts in greater numbers, especially within the last month from my perspective.

The Beaconing Pattern:
The pattern typically consisted of HTTP GET requests in this format:

FQDN/blog/images/3521.jpg?vNUM1=NUM2&tq=BASE64_Data
and the requests were made with the User-Agent string "mozilla/2.0".

The BASE64_Data appears to be base64-encoded "encrypted" data.
The vNUM1=NUM2 parameter was occasionally omitted; when it was, I was able to brute-force the base64 data, which was XOR "encrypted". When the "v" parameter was present I was not able to decrypt the data. This particular encoded value was consistent among infected hosts:

tq=RA1DQxZBDVlUFQN0AQYECRUCBlMVA3QBAwcWQw0BFlhCQw0APXNzJnE9aWQ=

which might be decoded with either:

a 0x30 XOR key, displaying:
t=ss&q=id%3D1649%26c%3D137&s=1&hrs=0
which, URL-decoded, is t=ss&q=id=1649&c=137&s=1&hrs=0

or a 0x55 XOR key, displaying a possibly cryptic output / command: s:tt!v:nc"4C613>"51d"4C640!t:6!out:7
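As an added worked example (not code from the original post), the decoding described above applied to the page's own tq value: base64-decode, XOR every byte with one candidate key, and rank all 256 keys by how much of the result is made of query-string characters (letters, digits, =, &, %), which is what tells a correct key from one that merely yields printable junk. Note that the page's second key, written 0x55, reproduces its quoted "s:tt!v:..." text when taken as decimal 55 (0x37); the scorer ranks 0x30 above it.

```python
import base64
import string
from urllib.parse import unquote

# The tq= value quoted on the page: base64 of single-byte-XORed text.
SAMPLE_TQ = "RA1DQxZBDVlUFQN0AQYECRUCBlMVA3QBAwcWQw0BFlhCQw0APXNzJnE9aWQ="

# Bytes a decoded beacon query is expected to consist of: letters, digits and
# the (URL-encoded) separators seen in the page's decoding.
QUERY_ALPHABET = set((string.ascii_letters + string.digits + "=&%").encode())


def xor_decode(tq: str, key: int) -> bytes:
    """Base64-decode the tq value and XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in base64.b64decode(tq))


def score(candidate: bytes) -> int:
    """Number of bytes that look like part of a URL query string."""
    return sum(1 for b in candidate if b in QUERY_ALPHABET)


def brute_force(tq: str, top: int = 3) -> list:
    """Try all 256 keys; return (score, key, printable preview), best first."""
    results = []
    for key in range(256):
        plain = xor_decode(tq, key)
        preview = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in plain)
        results.append((score(plain), key, preview))
    results.sort(reverse=True)
    return results[:top]


def decoded_query(tq: str, key: int) -> str:
    """Decoded text up to the first non-printable byte (where the page's output stops)."""
    out = []
    for b in xor_decode(tq, key):
        if not 0x20 <= b < 0x7F:
            break
        out.append(chr(b))
    return "".join(out)


def decoded_params(tq: str, key: int) -> str:
    """Same as decoded_query, with the %XX escapes resolved (the page's second form)."""
    return unquote(decoded_query(tq, key))


if __name__ == "__main__":
    for s, key, preview in brute_force(SAMPLE_TQ):
        print(f"key=0x{key:02x} score={s:2d} {preview}")
```

The base64 decodes to 44 bytes but the readable text stops after 36; with key 0x00 the trailing 8 bytes read "=ss&q=id", an unencrypted fragment of the same query, which a detection rule could key on as well.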

Note: while tracking the incident back in time, the only consistent strings to trigger on for the beacons are:
  • ?tq=BASE64_data
  • ?vNUM1=NUM2&tq=BASE64_Data
which by themselves could generate some false positives.

Tracing back in time through our logs, this pattern first emerges the morning of March 10th. From this initial infection to present, the number of infected hosts and C&C IPs/domains used has consistently risen.

Open-Source Information:
Googling around, these were related and very recently submitted samples to
These reports identify that the malware opens a backdoor on the infected system (e.g., 59495/TCP), and also show the MD5 of the submitted samples:
Using the MD5 as a search on VirusTotal, I was able to find recent anti-virus reports with very low detection:
which is identified under the malware names:
Gen:Variant.Kazy.19331, Win32:Cycbot-CL, Win32/Kryptik.MPX

Command and Control Infrastructure:
Tracking the observed infections back over time, I was able to assemble a fairly robust set of IPs and domains used to keep the botnet alive. Below is the information that I saw since March 10:

C&C Domains
C&C IPs
Some of the C&Cs appear to be compromised sites, for example onlineinstitute.com.
In each of these cases, directory indexing is enabled, e.g.,
onlineinstitute.com/g7/images/
Many of the sites appear to be hosted by .

But the majority of the C&Cs were recently registered domains, with registration information ranging from China to Russia to "private" registration. Below is a list of some of the email addresses used (by the criminals) to register the domains:
Using the above information in Google searches, it is possible to correlate other malicious domains. Keep an eye out for Cycbot in your networks; this botnet does not seem to be slowing down. And always be on the lookout for new beaconing patterns that emerge within your environment!
