Biggest Botnet: Technical Details on Hexzone
Finjan’s report of a huge 1.9 million node botnet that’s ensnared government computers has caused quite a stir. I have to admit I was hungry for details like everyone else. One of the biggest questions that came to mind immediately, I’m sure for many, was “Are we affected? How can I tell?”
As is often the case with these “press first, technical details someday” announcements, you’re at a loss. Especially since every vendor’s naming differs, you can’t just go and look up a family description. You need some sort of hook into the malcode swarm to figure it out.
Luckily, we have just such a nibble to bite on and use to gather more technical information. From the MD5 for one of the samples in Finjan’s report we see this updated Virus Total report. Finjan had originally shown that only a small minority of AV tools detected it. That’s not surprising, in some ways, because everyone’s got a huge input queue of malcode to analyze and detect, much less characterize. You would think, though, that if this thing were 1.9 million nodes big a number of customers for each of the companies would have raised a flag, submitted a sample, and made sure it was detected.
The Virus Total reports help because now we have some family names we can mine. It looks like common, specific names (as opposed to “Agent” or some other such nonsense) include Procesemes (MSFT) or Hexzone (Eset). From ThreatExpert you can see a typical report of a member of this family. Again, this helps dramatically. With this single report, based strictly off of searching for the family names in TE, we can see the following network connections we should look for:
Server Name | Server Port
Each of these hosts lives in AS47867:
AS | IP | AS Name
47867 | 188.8.131.52 | UKNETCOM-AS UKNETCOM Ltd
Those hosts have had at least one DNS name tied to them; here are more, with the date ranges during which each name was seen resolving there:
Domain | IP | Type | TTL | First seen | Last seen
zsgszzzszggzzs.com | 184.108.40.206 | A | 3600 | Wed, 25 Mar 2009 00:45:16 UTC | Wed, 25 Mar 2009 10:02:38 UTC
9aga999a9gg99a.com | 220.127.116.11 | A | 3600 | Sun, 12 Apr 2009 23:03:14 UTC | Sun, 12 Apr 2009 23:15:39 UTC
4jgj444j4gg44j.com | 18.104.22.168 | A | 3600 | Sun, 12 Apr 2009 23:14:32 UTC | Sun, 12 Apr 2009 23:15:39 UTC
f3g3fff3fggff3.com | 22.214.171.124 | A | 3600 | Sat, 18 Apr 2009 03:15:45 UTC | Sat, 18 Apr 2009 03:15:45 UTC
ogggooogoggoog.com | 126.96.36.199 | A | 3600 | Thu, 09 Apr 2009 20:24:11 UTC | Wed, 22 Apr 2009 22:53:09 UTC
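For anyone who wants to do the same pivot on their own passive-DNS export, here is an added example (my own, not code from the post or from Arbor, ESET or FireEye) that parses the five tuples above exactly as they are quoted, works out how long each name was seen pointing at its IP, groups the names by /24 so you can see whether they cluster in one network, and flags labels built from very few distinct characters. That last check is an assumption drawn only from the five names listed here (each label is 14 characters drawn from two or three symbols); it is a family-specific heuristic, not a general DGA detector. The records are embedded as constructed input so the script runs offline.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed input: the five passive-DNS tuples quoted in the post, one per line.
# Field order: domain, IP, record type, TTL, first seen, last seen.
PDNS_RECORDS = """\
'zsgszzzszggzzs.com', '184.108.40.206', 'A', '3600', 'Wed, 25 Mar 2009 00:45:16 UTC', 'Wed, 25 Mar 2009 10:02:38 UTC'
'9aga999a9gg99a.com', '220.127.116.11', 'A', '3600', 'Sun, 12 Apr 2009 23:03:14 UTC', 'Sun, 12 Apr 2009 23:15:39 UTC'
'4jgj444j4gg44j.com', '18.104.22.168', 'A', '3600', 'Sun, 12 Apr 2009 23:14:32 UTC', 'Sun, 12 Apr 2009 23:15:39 UTC'
'f3g3fff3fggff3.com', '22.214.171.124', 'A', '3600', 'Sat, 18 Apr 2009 03:15:45 UTC', 'Sat, 18 Apr 2009 03:15:45 UTC'
'ogggooogoggoog.com', '126.96.36.199', 'A', '3600', 'Thu, 09 Apr 2009 20:24:11 UTC', 'Wed, 22 Apr 2009 22:53:09 UTC'
"""

DATE_FMT = "%a, %d %b %Y %H:%M:%S %Z"  # e.g. "Wed, 25 Mar 2009 00:45:16 UTC"


def parse_pdns(text):
    """Parse single-quoted, comma-separated pDNS tuples into dicts."""
    # The dates contain commas, so let csv handle the quoting rather than split(",").
    reader = csv.reader(io.StringIO(text), quotechar="'", skipinitialspace=True)
    records = []
    for row in reader:
        if len(row) != 6:
            continue  # skip blank or malformed lines
        domain, ip, rtype, ttl, first, last = row
        first_seen = datetime.strptime(first, DATE_FMT)
        last_seen = datetime.strptime(last, DATE_FMT)
        records.append({
            "domain": domain.lower(),
            "ip": ip,
            "rtype": rtype,
            "ttl": int(ttl),
            "first_seen": first_seen,
            "last_seen": last_seen,
            # Seconds the name was observed pointing at this IP (0 = seen once).
            "active_seconds": int((last_seen - first_seen).total_seconds()),
        })
    return records


def group_by_subnet(records, prefix=24):
    """Pivot: map each /prefix network to the sorted domains seen resolving into it."""
    groups = defaultdict(set)
    for r in records:
        net = ip_network(f"{r['ip']}/{prefix}", strict=False)
        groups[str(net)].add(r["domain"])
    return {net: sorted(doms) for net, doms in groups.items()}


def label_alphabet_size(domain):
    """Number of distinct characters in the left-most label of the domain."""
    return len(set(domain.split(".")[0]))


def looks_like_family_name(domain, min_len=12, max_distinct=3):
    """Heuristic (an assumption drawn from the five names in the post, not a
    general DGA detector): a long label built from very few distinct characters."""
    label = domain.split(".")[0]
    return len(label) >= min_len and label_alphabet_size(domain) <= max_distinct


def longest_lived(records):
    """Domain with the widest first-seen/last-seen window."""
    return max(records, key=lambda r: r["active_seconds"])["domain"]


if __name__ == "__main__":
    recs = parse_pdns(PDNS_RECORDS)
    for r in recs:
        print(f"{r['domain']:22} {r['ip']:16} active {r['active_seconds']:>8}s "
              f"alphabet={label_alphabet_size(r['domain'])} "
              f"flagged={looks_like_family_name(r['domain'])}")
    for net, doms in group_by_subnet(recs).items():
        print(net, doms)
    print("longest-lived:", longest_lived(recs))
```

Two things fall out of the numbers that the list alone does not show: four of the five names were only ever seen for minutes (or a single lookup) despite a one-hour TTL, which is why a blocklist of yesterday’s domains is of limited use against this family, and the odd one out, ogggooogoggoog.com, stayed up for roughly two weeks and is the better candidate for a sinkhole or a retrospective log search. Swap the `prefix` argument to `/16` or `/8` if your own data set is less tightly clustered.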
Sure enough, we can see who registered them (possibly bogus info):
Domain Name: ZSGSZZZSZGGZZS.COM
Damir I Filatovskij
Damir I Filatovskij (email@example.com)
ul. Kuncevskaja 134/2 11
Creation Date: 26-Feb-2009
Expiration Date: 26-Feb-2010
Domain servers in listed order:
Mr Filatovskij’s name appears in a lot of Google searches. I didn’t try to distill any pattern or meaning there. Those domain name servers, however, serve hundreds of domain names, if not more. Some are pretty obviously questionable, like “adult-videos.ru”, “wa-t-ch.ru”, “premiumwatches.ru”, “usatreasurydept.com”, etc. Stuff you’d expect to see in spam or scams.
Back to the malcode. The GET requests listed in the TE report have a format I can search for in our local database as well:
Based on that, samples we have lying around that look similar include:
Virus Total for that sample shows it decently detected by most major AV tools (but not all). Notice that the same /24 is used here to distribute the malware. We have seen hundreds of malcode samples with URLs using the subdirectory “pornishere”, and lots of samples with minor variations on it.
Back in January 2009 that hostname resolved to 188.8.131.52 in AS6854; it’s dead now, and the whois information for it has been pulled (and I can’t find any archives of it).
There’s a picture emerging here of a complex ecosystem around this malware. I’ve summarized the relationships between people, networks, and how they appear to relate in the graphic below. AS48867 appears to be the epicenter for most of this, with distribution and check-in URLs hovering there. This is certainly an ASN to watch.
What’s interesting about the above URLs is that they’re clearly suspicious, and I’m sure someone has investigated them before. But frankly we’re all at or near capacity and don’t get the chance to “deep dive” on everything we would like to. Such is the business.
Also, while preparing this post I came across a similar technical dive by FireEye. Great post by the folks at FireEye, and again the kind of information that was squarely missing from Finjan’s reports earlier this week.
- Hexzone Hotzone from the ESET blog.