Biggest Botnet: Technical Details on Hexzone

Finjan’s report of a huge 1.9 million node botnet that’s ensnared government computers has caused quite a stir. I have to admit I was hungry for details like everyone else. One of the biggest questions that came to mind immediately, I’m sure for many, was “Are we affected? How can I tell?”

As is often the case with these sorts of “press first, tech details someday” stories, you’re at a loss. Because every vendor’s monikers differ, you can’t just go and look up a family description; you need some sort of hook into the malcode swarm to figure it out.

Luckily, we have just such a nibble to bite on and use to gather more technical information. From the MD5 for one of the samples in Finjan’s report we see this updated Virus Total report. Finjan had originally shown that only a small minority of AV tools detected it. That’s not surprising, in some ways, because everyone’s got a huge input queue of malcode to analyze and detect, much less characterize. You would think, though, that if this thing were 1.9 million nodes big a number of customers for each of the companies would have raised a flag, submitted a sample, and made sure it was detected.

The Virus Total reports help because now we have some family names we can mine. It looks like common, specific names (as opposed to “Agent” or some other such nonsense) include Procesemes (MSFT) or Hexzone (Eset). From ThreatExpert you can see a typical report of a member of this family. Again, this helps dramatically. With this single report, based strictly off of searching for the family names in TE, we can see the following network connections we should look for:

Server Name    Server Port
91.205.111.53  80
91.205.111.52  80

Each of these hosts lives in AS47867:

AS | IP | AS Name
47867 | 91.205.111.53 | UKNETCOM-AS UKNETCOM Ltd

Those hosts have had at least one DNS name tied to them; here are several more, with the date ranges over which they were seen active:

Domain              IP             Type  TTL   First seen                     Last seen
zsgszzzszggzzs.com  91.205.111.52  A     3600  Wed, 25 Mar 2009 00:45:16 UTC  Wed, 25 Mar 2009 10:02:38 UTC
9aga999a9gg99a.com  91.205.111.52  A     3600  Sun, 12 Apr 2009 23:03:14 UTC  Sun, 12 Apr 2009 23:15:39 UTC
4jgj444j4gg44j.com  91.205.111.52  A     3600  Sun, 12 Apr 2009 23:14:32 UTC  Sun, 12 Apr 2009 23:15:39 UTC
f3g3fff3fggff3.com  91.205.111.52  A     3600  Sat, 18 Apr 2009 03:15:45 UTC  Sat, 18 Apr 2009 03:15:45 UTC
ogggooogoggoog.com  91.205.111.52  A     3600  Thu, 09 Apr 2009 20:24:11 UTC  Wed, 22 Apr 2009 22:53:09 UTC

Sure enough, we can see who registered them (possibly bogus info):

Domain Name: ZSGSZZZSZGGZZS.COM

Registrant:
Damir I Filatovskij
Damir I Filatovskij (fil-damir@yandex.ru)
ul. Kuncevskaja 134/2 11
Moskva
Moskva,120023
RU
Tel. +7.4992746592
Fax. +7.4992746592

Creation Date: 26-Feb-2009
Expiration Date: 26-Feb-2010

Domain servers in listed order:
dns2.naunet.ru
dns1.naunet.ru

Mr Filatovskij’s name appears in a lot of Google searches. I didn’t try to distill any pattern or meaning there. Those domain name servers, however, serve hundreds, if not more, domain names. Some are pretty obviously questionable, like “adult-videos.ru”, “wa-t-ch.ru”, “premiumwatches.ru”, “usatreasurydept.com”, etc. Stuff you’d expect to see in spams or scams.

Back to the malcode. The GET requests listed in the TE report have a format that I can search our local database for, as well:

GET getid.php?getcode=1&wid=58&client=unknown
GET report.php?action=DOWNLOAD_START&OS=Microsoft%20Windows%20XP%20Professional%20Service%20Pack%202%20build%202600&pid=
GET update.exe
GET report.php?action=DOWNLOAD_FAILED&error=5&pid=
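As an added example (not from the original post or the ThreatExpert report), here is a small Python checker that flags proxy-log requests matching the check-in shape above. The log line format and the sample lines are constructed; the 91.205.111.0/24 match is derived from the two check-in hosts listed earlier.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Both check-in hosts from the ThreatExpert report (91.205.111.52/.53) sit here.
HEXZONE_NET = ipaddress.ip_network("91.205.111.0/24")
# Script names and report.php actions taken from the GET requests above.
CHECKIN_PATH = re.compile(r"/(getid\.php|report\.php|update\.exe)$")
REPORT_ACTIONS = {"DOWNLOAD_START", "DOWNLOAD_FAILED"}


def classify_request(dst_ip, url):
    """Return (label, detail, in_known_net) for a Hexzone-shaped request, else None.
    getid.php/report.php match on parameters (catches a host move); the generic
    update.exe fetch only counts inside the known /24."""
    parsed = urlsplit(url)
    m = CHECKIN_PATH.search(parsed.path)
    if not m:
        return None
    script = m.group(1)
    q = parse_qs(parsed.query, keep_blank_values=True)  # pid= is blank in the wild
    in_net = ipaddress.ip_address(dst_ip) in HEXZONE_NET
    if script == "getid.php" and {"getcode", "wid", "client"} <= set(q):
        return ("hexzone-getid", "wid=" + q["wid"][0], in_net)
    if script == "report.php" and q.get("action", [""])[0] in REPORT_ACTIONS:
        return ("hexzone-report", q["action"][0], in_net)
    if script == "update.exe" and in_net:
        return ("hexzone-payload", "update.exe", in_net)
    return None


def scan_log(lines):
    """Apply classify_request to 'ts client dst method url' lines (constructed format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] != "GET":
            continue
        hit = classify_request(parts[2], parts[4])
        if hit:
            hits.append((parts[1], parts[2]) + hit)
    return hits


# Constructed sample lines; the domain and check-in host are those listed on this page.
SAMPLE_LOG = [
    "2009-04-22T22:53:09 10.0.0.15 91.205.111.52 GET http://ogggooogoggoog.com/getid.php?getcode=1&wid=58&client=unknown",
    "2009-04-22T22:53:10 10.0.0.15 91.205.111.52 GET http://ogggooogoggoog.com/report.php?action=DOWNLOAD_START&OS=Microsoft%20Windows%20XP&pid=",
    "2009-04-22T22:53:11 10.0.0.15 91.205.111.52 GET http://ogggooogoggoog.com/update.exe",
    "2009-04-22T22:54:00 10.0.0.21 203.0.113.9 GET http://example.net/update.exe",
]
```

Running scan_log(SAMPLE_LOG) returns the three hits from 10.0.0.15 and ignores the unrelated update.exe fetch, since a bare executable name outside the known block is not evidence on its own.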

Based on that, samples we have lying around that look similar include:

Origin: hxxp://91.205.111.64/pornishere/inst6/flowMediaDecoder_58.exe
MD5: 6d443c8570c2d0d29bf44155ed5a2bda

Virus Total for that sample shows it decently detected by most major AV tools (but not all). Notice that the same /24 is used here to distribute the malware. We have seen hundreds of malcode samples with URLs containing that “pornishere” subdirectory, and lots of samples with minor variations on it.

Origin: hxxp://bestloads.cn/forum/load.exe
MD5: 967ac63d8180139dda9450ed0f338ef2

Back in January 2009 that hostname resolved to 94.103.80.150 in AS6854; it’s dead now, and the whois information for it has been pulled (and I can’t find any archives of it).

There’s a picture emerging here of a complex ecosystem around this malware. I’ve summarized the relationships between people, networks, and how they appear to relate in the graphic below. AS48867 appears to be the epicenter for most of this, with distribution and check-in URLs hovering there. This is certainly an ASN to watch.

[Image: hexzone.png, relationship graph of the people, networks, and URLs described above]

What’s interesting about the above URLs is that they’re clearly suspicious, and I’m sure someone has investigated them before. But frankly we’re all at or near capacity and don’t get the chance to “deep dive” on everything we would like to. Such is the business.

Also, while preparing this post I came across a similar technical dive by FireEye. Great post by the folks at FireEye, and again it supplies the information people needed that was squarely missing from Finjan’s reports earlier this week.


2 Responses to “Biggest Botnet: Technical Details on Hexzone”

April 24, 2009 at 3:14 pm, Gunter Ollmann said:

One problem with this “Biggest Botnet” is that, apart from some totals within an HTML-based Web portal, I’m missing any real sizing information. Any botnets I know that approximate that kind of size are well known and well covered… which is why I have doubts about the sizing.

I blogged about the sizing aspect of the botnet and why I wouldn’t necessarily trust a Web portal figure earlier this week — “Caution over counting numbers in CnC Portals” — http://blog.damballa.com/?p=157

April 26, 2009 at 11:42 pm, blah said:

Why give these things cool names? Microsoft always refers to attackers in the feminine and you should do the same. So this would be something like… “douchebag net”.

Also, not good of Finjan to keep this to themselves so they’d have something to present at RSA.
