[AusNOG] FW: Apparent "encrypted" P2P botnet using port 8/tcp

matthew at auscert.org.au matthew at auscert.org.au
Tue May 2 09:54:20 EST 2006

Hash: SHA1

Hi all,

This came from another list with permission to pass on.  It would be
interesting to find out if anyone is seeing this type of activity in their
or customer networks.  

It would also be interesting to see if/when/how such techniques will be
applied to criminal activities such as phishing.

Hope this is of some use,

- -- Matthew McGlashan --
Coordination Centre Team Leader             | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct:  +61 7 3365 7924
(AusCERT)                                   | Fax:     +61 7 3365 7031
The University of Queensland                | WWW:     www.auscert.org.au
Qld 4072 Australia                          | Email: auscert at auscert.org.au

Hash: SHA1

A bot was seen spreading via AOL Instant Messenger (AIM) earlier today
that appears to be using "encrypted"[1] peer-to-peer (P2P - possibly
Waste?) as the Command and Control (C&C) mechanism. The bots communicate
with each other via port 8/TCP.

The bot does not use DNS to find any C&C. It also does not use any human
readable strings in its client/server communication. Therefore, many IDS
measures will not help you detect infected hosts on your network. Flow
analysis and/or tcpdump looking for mysterious port 8/TCP traffic seems
to be the best way to detect these infections on your network.

I realize that phatbot has been able to use Waste as the C&C for several
years. However, I remember finding these botnets years ago, and the bots
involved, and they typically were 600KB or more in size. The bot
involved here is comparatively lean at 173KB.

Info about the sample I obtained:
MD5: 74600e5bc19538a3b6a0b4086f4e0053
Installation Location (when run): %WINDIR%\System32\mstc.exe
WinXP Firewall: Grants itself an exception called "null", which allows
inbound 8/tcp from anywhere. This was done without the user notification
pop-up (it likely edited the registry entry directly).

The file distributed via the AIM link and %WINDIR%\System32\mstc.exe are
identical - no other files are dropped, etc.

I infected a test computer with the binary. It tried to connect to port
8/tcp on 22 different IP addresses. (Note that these are most likely the
"seeds" of the P2P network that were coded into the version of the
binary that I downloaded.) Only four of the IP addresses responded that
they were listening on 8/tcp.

My lab computer tried to contact each of the 22 IP addresses many times
(I left it infected for about 15 minutes with a firewall in place that
blocked all incoming packets, solicited or otherwise). Since it tried to
contact each of these many times, and not any other IP addresses, I feel
it is fairly safe to guess it was not randomly selecting IPs to obscure
"the real C&Cs".

Anyhow, after 15 minutes of firewalling off all inbound packets
altogether (even SYN/ACKs) to my infected lab computer, I lifted the
incoming IP restriction. The first host my lab computer connected to on
8/tcp started a relatively short connection (10-12 packets each way),
and nothing was in cleartext. In the middle of the TCP conversation,
that same host connected to port 8/tcp on my host (the malware holds
that port open). The connection from them to me was simply a three-way
handshake, immediately followed by FIN/ACKs from them, then me. It then
closed my connection to it altogether, via FIN/ACKs again.

My host then tried several others in the list above, before connecting
to the same host again. The same thing happened as above (my bot
connected to it, it connected to me, it "hung up").

My host then tried several other IPs (still in the list of 22, with only
four of them online), and this time, connected successfully to a
different host. The connection lasted for a couple of minutes before I
pulled the plug.

There was more communication this time around. During the connection,
the remote host connected to 8/tcp on me just like the other one did
(three-way handshake, then FIN/ACK, just like before). The initial
connection from my host to theirs continued afterward. One of the
packets from the remote host contained a full 1460 bytes of data. (Other
packets to/from 8/tcp on infected hosts thus far had contained 64 bytes
of data or less.) There was no SSL/TLS negotiation evident, and again,
the contents were not human readable. I haven't taken the time yet to
see if it's something simple like XOR or Base64. I suspect the content
was an updated list of other infected hosts.

While still connected to that host, my bot still tried connecting to
others (not common for a traditional botnet, but expected for a P2P
connection). It connected successfully to a third host. My host did to
that host as the others above did to it - complete the three-way
handshake, then ended it with FIN ACKs. It then connected to another
host that was NOT on the initial seed list. (My theory is that my host
learned of this one from another bot) After that, I turned it off, so
that I could write this.

VirusTotal results for MD5: 74600e5bc19538a3b6a0b4086f4e0053
Antivirus	Version		Update	Result
AntiVir	04.20.2006	no virus found
Avast		4.6.695.0	04.28.2006	no virus found
AVG		386		04.28.2006	no virus found
Avira	04.29.2006	no virus found
BitDefender	7.2		04.29.2006	no virus found
CAT-QuickHeal	8.00		04.29.2006	(Suspicious) - DNAScan
ClamAV		devel-20060202	04.27.2006	no virus found
DrWeb		4.33		04.29.2006	no virus found
eTrust-InoculateIT 23.71.142	04.29.2006	no virus found
eTrust-Vet	12.4.2184	04.28.2006	no virus found
Ewido		3.5		04.29.2006	Backdoor.SdBot.apt
Fortinet	04.30.2006	suspicious
F-Prot		3.16c		04.30.2006	no virus found
Ikarus	04.29.2006	P2P-Worm.Win32.Polipos.a
Kaspersky	04.30.2006	no virus found
McAfee		4751		04.28.2006	no virus found
Microsoft	1.1372		04.30.2006	no virus found
NOD32v2		1.1513	04.29.2006	Win32/IRCBot.RV
Norman		5.90.17	04.28.2006	no virus found
Panda	04.29.2006	no virus found
Sophos		4.05.0	04.29.2006	no virus found
Symantec	8.0		04.30.2006	no virus found
TheHacker	04.29.2006	no virus found
UNA		1.83	04.28.2006	no virus found
VBA32		3.11.0	04.29.2006	suspected of Backdoor.xBot.1 (paranoid heuristics)

Moral of the story: Prepare to watch for 8/tcp flows for a while. Unless
I'm wrong, this botnet should be able to stick around for a while.

- - - --
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

[1] I am using "encrypted" in quotes because I have not identified the
protocol - but it is not human-readable. I'm sorry if this sounds
FUD-like, but I wanted to get the word out sometime *before* I had done
hours of analysis!
Version: GnuPG v1.4.1 (MingW32)

Version: GnuPG v1.4.1 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967
Comment: http://www.auscert.org.au/render.html?it=1967


More information about the AusNOG mailing list