RSA Admin

FirstWatch Has Ring-Side Seats for the Battle of the Botnets

Blog Post created by RSA Admin Employee on Feb 11, 2014

RSA FirstWatch’s primary mission is to find new intelligence about threats and malware and publish those indicators of compromise into our FirstWatch feeds.  We don’t often look at old intelligence.  Once we know about something, we automate the tracking and detection of that known threat so we can concentrate on looking for new intelligence.  But one known botnet published a list of new Dynamically Generated Domain names today, and it caught our attention.  As we investigated, we were surprised to learn that one malware family associated with Cutwail malware was launching a Denial of Service attack against the infrastructure of a botnet associated with Zbot, Zeus and Blackhole.

 

Our investigation started by reviewing our automated report that looks for DNS names that do not resolve. It is a strong indicator of DGA names, or hard-coded malware that is waiting for its command and control server to come online.  By clicking on the hyperlink in the report, we could see the source IP addresses attempting to communicate with this known Zbot/Zeus.  Each of these new DGA domains have been added to the FirstWatch feed.

78403

 

When we looked at the infector malware that generated this traffic, we found an IP address in the VirusTotal report that is a popular botnet command and control server.  That IP is 195.22.26.231.  A google search of the IP shows that it has been detected to participate in Zeus, and that it has been hosting dynamically generated algorithmic domains.  The MalwareMustDie blog delves into an earlier variant of this malware.

 

Here is what our malware database shows when we do a focused drill on this as a destination IP address.  It has a long history of malicious activity.  We have been tracking this IP address since mid August, and it is associated with known Zbot, kryptik, bitcoin mining, and several additional variants of Zeus.  Highlighted in the first figure are hundreds of thousands of connections of zero payload, but we will discuss this further in a moment.


78404


In the next screenshot you will see that several threat sources besides FirstWatch recognize that this host is malicious.  Comments in the threat descriptions track the varying malware campaigns this host has been involved with, including the blackole exploit kit.  Additionally, you can see from the detected service types that this host has also engaged in spam campaigns and even delivers malware via IRC and BitTorrent.

 

78429

 

The one obvious standout in the above screencaps was the amount of “zero payload” sessions detected. I drilled into that alert and was surprised to find just a single IP address responsible for the traffic.  You will see our destination IP of interest, 195.22.26.231 listed second in the figure below.  You will also see that there are other IP addresses within that same netblock as well as others, each receiving over 8000 connections on TCP port 443. This malware is obviously engaged in Denial of Service attacks, blasting these IPs with over 300,000 connections in less than a minute.

 

78430

 

We researched the other destination IP addresses under attack, and each one has been previously listed by FirstWatch as having been related to Zeus and Zbot command and control hosts.

 

The infector malware that launched the attack can be seen here at VirusTotal.  Most AV vendors agree that this is a sample of the Cutwail bot. Like most botnets, the malware can participate in DDoS attacks.

 

In summary, malware authors using the Cutwail framework are actively engaging in attacks against Zbot and Zeus command and control infrastructure.  This suggests fierce competition within the criminal underground.

 

RSA customers subscribing to the FirstWatch Live feeds have detection for each of the indicators of compromise listed above.

Outcomes