Introduction:
I started doing some analysis on a beaconing
pattern that I observed this past week. Initially the pattern and domains that I
observed had little open-source information available for my searches, but as I
started widening my search in the logs I found other infected customers across a
variety of sectors and was able to track a botnet using a large number of IPs
and domains for its command and control. This is the "Cycbot" botnet, first
detected around August 2010 (reference). It is a botnet that has not appeared
much in the media, but it appears to be making its rounds and infecting hosts in
greater numbers, especially within the last month from my perspective.
The Beaconing Pattern:
The pattern typically followed HTTP GET requests with this format:
FQDN/blog/images/3521.jpg?vNUM1=NUM2&tq=BASE64_Data
and the transactions were made with User Agent string: "mozilla/2.0"
The BASE64_Data appears to be base64 encoded "encrypted" data.
The vNUM1=NUM2 parameter was occasionally omitted; when it was omitted, I
was able to brute-force the base64 data, which was XOR "encrypted" with a
single-byte key. When the "v" parameter was present I was not able to decrypt.
This particular encoded pattern was consistent among infected hosts:
Which might be decoded with:
0x30 XOR key, displaying:
t=ss&q=id%3D1649%26c%3D137&s=1&hrs=0
which, URL-decoded, is: t=ss&q=id=1649&c=137&s=1&hrs=0
or 0x55 XOR key, displaying a possible cryptic output / command:
s:tt!v:nc"4C613>"51d"4C640!t:6!out:7
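The single-byte XOR brute force described above, as an added example that is not part of the original post. The ciphertext is constructed here by re-encrypting the query string the post recovered under the post's 0x30 key and base64-encoding it the way the tq= parameter carries it; the scoring function (fraction of bytes that belong in a URL-encoded query string) is my own choice for ranking the 256 candidates. In this construction the post's second, "cryptic" string is what the same bytes decode to under key 0x37, seven bits away from 0x30: a nearly right key keeps letters as letters and punctuation as punctuation, which is why a wrong key can produce output that looks like a command.

```python
import base64
import string
from typing import List, Tuple

# Constructed sample, not a captured beacon: the query string the post recovered,
# re-"encrypted" here with the post's 0x30 single-byte XOR key and base64-encoded
# the way the tq= parameter carries it.
PLAINTEXT = b"t=ss&q=id%3D1649%26c%3D137&s=1&hrs=0"
KEY = 0x30
TQ_VALUE = base64.b64encode(bytes(b ^ KEY for b in PLAINTEXT)).decode("ascii")

# Bytes we expect in a decoded beacon: a URL-encoded key=value query string.
EXPECTED = frozenset((string.ascii_letters + string.digits + "=&%_-.:/ ").encode())


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; XOR is symmetric, so this also encrypts."""
    return bytes(b ^ key for b in data)


def decode_with(tq_value: str, key: int) -> bytes:
    """Base64-decode a tq= value and XOR it with the given key."""
    return xor_decode(base64.b64decode(tq_value), key)


def score(candidate: bytes) -> float:
    """Fraction of bytes plausible in a query string; 1.0 means fully clean."""
    if not candidate:
        return 0.0
    return sum(b in EXPECTED for b in candidate) / len(candidate)


def brute_force_xor(tq_value: str, top: int = 3) -> List[Tuple[int, float, bytes]]:
    """Try all 256 single-byte keys and return the best (key, score, text) triples."""
    raw = base64.b64decode(tq_value)
    ranked = []
    for key in range(256):
        text = xor_decode(raw, key)
        ranked.append((key, score(text), text))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked[:top]


def best_key(tq_value: str) -> int:
    """The key whose output looks most like a query string."""
    return brute_force_xor(tq_value, top=1)[0][0]


if __name__ == "__main__":
    for key, s, text in brute_force_xor(TQ_VALUE):
        print(f"key=0x{key:02x} score={s:.2f} {text!r}")
```

Run it as a script to see the top three candidates; only key 0x30 scores 1.0 on this input, and the near-miss keys sit just below it. Against a real beacon, swap TQ_VALUE for the captured tq= value and widen EXPECTED if the decoded format turns out to use other characters.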
Using the above information in Google searches, it is
possible to correlate other malicious domains. Keep an eye out for Cycbot in
your networks, this botnet does not seem to be slowing down. And always be on
the lookout for new beaconing patterns that emerge within your environment!
Note: while tracking the incident back in time, the only consistent string to
trigger on for the beacons is:
- ?tq=BASE64_data
- ?vNUM1=NUM2&tq=BASE64_Data
which by itself could generate some false positives.
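One way to turn the note above into a detection that is less prone to those false positives, as an added example that is not part of the original post: match the tq= query shape as the trigger, then use the fixed /blog/images/3521.jpg path and the "mozilla/2.0" user agent from the post as corroborating indicators that raise confidence. The log layout, client addresses, hostnames and base64 values below are constructed placeholders, not data from the post.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the post) in a minimal
# 'client method url "user-agent"' layout; hostnames are placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 GET http://c2-one.invalid/blog/images/3521.jpg?v14=7&tq=RE0DA0wWRg1eAQEGAw== "mozilla/2.0"',
    '10.0.0.7 GET http://c2-two.invalid/blog/images/3521.jpg?tq=RE0DA0wWRg1eAQEGAw== "mozilla/2.0"',
    '10.0.0.9 GET http://search.example/results?tq=aGVsbG8= "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.3 GET http://cdn.example/blog/images/3521.jpg "Mozilla/5.0 (X11; Linux x86_64)"',
]

LOG_LINE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# The post's two query shapes: ?tq=BASE64 and ?vNUM1=NUM2&tq=BASE64, nothing else.
TQ_QUERY = re.compile(r"^(?:v\d+=\d+&)?tq=[A-Za-z0-9+/]+={0,2}$")
BEACON_PATH = "/blog/images/3521.jpg"
BEACON_UA = "mozilla/2.0"
CONFIDENCE = {3: "high", 2: "medium"}


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record for a line matching the tq= beacon shape, else None.

    The tq= parameter alone is the weak, false-positive-prone signal the post
    warns about; the fixed path and the odd "mozilla/2.0" user agent are the
    corroborating indicators that raise confidence."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    if not TQ_QUERY.match(url.query):
        return None
    indicators = ["tq_param"]
    if url.path == BEACON_PATH:
        indicators.append("beacon_path")
    if m.group("ua") == BEACON_UA:
        indicators.append("mozilla_2_ua")
    return {
        "client": m.group("client"),
        "host": url.hostname or "",
        "confidence": CONFIDENCE.get(len(indicators), "low"),
        "indicators": ",".join(indicators),
    }


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify over a log and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

On the sample log the two beacon lines come out as high confidence, the unrelated search request with its own tq= parameter is reported as a low-confidence match to review, and the plain image fetch with no query is ignored. Low-confidence hits are the ones worth feeding into the XOR check on the decoded tq= value before escalating.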
Tracing back in time through our logs, this pattern first emerges the
morning of March 10th. From this initial infection to present, the number of
infected hosts and C&C IPs/domains used has consistently risen.
Open-Source Information:
Googling around, these were related and very recently submitted samples to
These reports identify that the malware opens a backdoor on the infected
system (e.g., 59495/TCP), and also show the MD5 of the submitted samples:
Using the MD5 as
a search on VirusTotal, I was able to find recent anti-virus reports with very
low detection:
which is identified under the malware names:
Gen:Variant.Kazy.19331, Win32:Cycbot-CL, Win32/Kryptik.MPX
Command and Control Infrastructure:
Tracking the observed infections back over time, I was able to identify a
fairly robust set of IPs and domains used to keep the botnet alive. Below is the
information that I saw since March 10:
C&C IPs
Some of the C&Cs appear to be sites that were compromised, for example:
onlineinstitute.com
In each of these sites, directory indexing is on, e.g.,
onlineinstitute.com/g7/images/
Many of the sites appear to be hosted by .
But the majority of the C&Cs were recently registered domains with
registration information ranging from China to Russia to "private" registration.
Below is a list of some of the email addresses used (by the criminals) to
register the domains,