
Detecting the TSONE Dorkbot

Blog Post created by RSA Admin Employee on Jan 9, 2014

I named this new botnet type the "TSONE Dorkbot" because the executables downloaded via this botnet have a very low detection rate on VirusTotal, but Fortinet consistently flags the malware as "Dorkbot." It gets the "TSONE" moniker because each of the C&C communications happens from the "/tsone/" directory, as shown below. This botnet may very well be spread via email spam; however, each malicious EXE is coupled with a photograph that matches the EXE filename. For instance, IAMLOLJPG.exe features elephants doing "funny" things.


That said, let's begin with how this botnet was encountered. FirstWatch has a report that automatically identifies zero days. This is what I saw: note the highlighted pattern showing multiple direct-to-IP connections looking for .dat files in "/tsone/" directories.

[Screenshot: tsone-query.JPG.jpg]

Clicking into the report, I was able to see what the .dat file request looked like:


[Screenshot: tsone-datcontent.JPG.jpg]

The highlighted portion above certainly looks like encrypted command-and-control communications. Next, I drilled into the destination IP to see what else had happened with this website.


[Screenshot: php-put-exe.JPG.jpg]

You can see from above that multiple IP addresses in our sandbox encountered this malware. There were also 15 PUTs to a PHP extension where the filetype is a Windows executable. This lets us create a detection rule to see where these same conditions have occurred in the past, and to flag this activity going forward by creating a decoder capture rule. Mine looks like this:

service=80 && action=put && extension=php && filetype=windows_executable


You can now also see the filenames associated with the HTTP PUTs to the file ajuno.php. The younaked, iamnice, iamfunny, etc., are each given an enticing name. Interestingly, the same single ajuno.php file will deliver a different version of Dorkbot. Here is what the EXE session looks like:


[Screenshot: tsone-response.JPG.jpg]

The u=name parameter likely selects which variant of Dorkbot gets downloaded. I extracted all of the files delivered:


[Screenshot: extracted-files.JPG.jpg]

The three file extractions at the bottom appeared to be corrupt, and the four at the top are actually just two Dorkbot variants. The VirusTotal reports are located here and here. Each has a very low detection rate and was first spotted in the past 24 hours.


Each IP address I've encountered using this rule has been added to the FirstWatch feeds as a malware download domain or IP address, so customers are armored against this threat. But be sure to run this custom query against your own collection, and if there are very few false positives, create an alert from the rule.

service=80 && action=put && extension=php && filetype=windows_executable
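To test the rule's logic offline before deploying it on a decoder, here is an added example (my own code, not part of the original post or any RSA product) that evaluates the capture rule above, plus the direct-to-IP "/tsone/*.dat" beacon pattern from the first screenshot, against a handful of constructed session metadata records. The metadata keys mirror the rule; the session records, IP addresses and URLs are made up for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The post's decoder capture rule, expressed as metadata key/value equalities.
CAPTURE_RULE = {"service": 80, "action": "put", "extension": "php",
                "filetype": "windows_executable"}

# The post's beacon pattern: a .dat file requested from a "/tsone/" directory.
TSONE_DAT = re.compile(r"^/tsone/[^/?]+\.dat$", re.IGNORECASE)

def matches_capture_rule(session):
    """True when every key in CAPTURE_RULE equals the session's metadata value."""
    return all(session.get(k) == v for k, v in CAPTURE_RULE.items())

def is_direct_to_ip(host):
    """True when the request host is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def is_tsone_beacon(session):
    """True for a direct-to-IP request for a .dat file under /tsone/."""
    url = urlsplit(session.get("url", ""))
    return is_direct_to_ip(url.hostname or "") and bool(TSONE_DAT.match(url.path))

def classify(sessions):
    """Return (session id, indicator) pairs for sessions hitting either indicator."""
    hits = []
    for s in sessions:
        if matches_capture_rule(s):
            hits.append((s["id"], "php_put_delivers_exe"))
        if is_tsone_beacon(s):
            hits.append((s["id"], "tsone_dat_beacon"))
    return hits

# Constructed sample sessions (not real captures) using the post's metadata keys.
SAMPLE_SESSIONS = [
    {"id": 1, "service": 80, "action": "put", "extension": "php",
     "filetype": "windows_executable", "url": "http://192.0.2.10/ajuno.php?u=iamfunny"},
    {"id": 2, "service": 80, "action": "get", "extension": "dat",
     "filetype": "unknown", "url": "http://192.0.2.10/tsone/config.dat"},
    {"id": 3, "service": 80, "action": "get", "extension": "dat",
     "filetype": "unknown", "url": "http://updates.example.com/tsone/config.dat"},
    {"id": 4, "service": 80, "action": "put", "extension": "php",
     "filetype": "text", "url": "http://203.0.113.5/upload.php"},
]
```

Running `classify(SAMPLE_SESSIONS)` flags session 1 on the capture rule and session 2 on the beacon pattern; session 3 is skipped because the .dat request goes to a hostname rather than a bare IP, which is the false-positive check the post asks you to do before alerting.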


Good Luck and Happy Hunting!
