
The Kargen Zbot and How to Detect It

Blog Post created by RSA Admin Employee on Apr 30, 2014

The Kargen Zbot variant has been around for a few months, but it has recently added new Command and Control (C2) domains to its traditional stable of high-availability hosts.  A host infected with the Kargen Zbot has been observed to engage in search engine abuse, bitcoin mining, pay-per-click advertising abuse, and pay-per-install software referral abuse.  But what makes this variant unique is its tell-tale beaconing pattern, shown below.


First, Security Analytics' new Coordinates Visualization Tool in Investigator makes it easy to see how these Command and Control domains are spread among several providers to provide maximum uptime.  They don't use Dynamic DNS, nor fast flux, just standard round-robin name resolution.

[Image: Coordinates Visualization in Investigator showing the C2 domains spread across several providers]

Next, you can see the hostnames involved, along with the multiple destination IP addresses used by the botnet to maintain its uptime.

[Image: C2 hostnames and the multiple destination IP addresses they resolve to]

Now you will also see the unique beaconing pattern: 24-character filenames are posted to two distinct directories.

[Image: beaconing pattern, 24-character filenames posted to the two C2 directories]

And finally, the beacon session is encoded and looks like this:

[Image: encoded beacon session]


The simple rule to detect this beaconing pattern is:

action=put && directory='/b/req/', '/b/opt/'

The comma-separated directory values match either of the two directories.


Name the rule "Kargen Zbot Variant Beacon" and alert it into risk.warning or your preferred alert key.
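The same detection logic, written here as an added Python example that is not part of the original post and not RSA's code, run over a few constructed HTTP request log lines. It assumes a simple "client method URL" log format, treats the rule's action=put as HTTP POST (the post says the filenames are "posted") and also accepts HTTP PUT, and goes one step beyond the rule above by additionally requiring the 24-character filename the post describes, which tightens the match against ordinary traffic that happens to use the same directory names. The C2 hostname in the sample is a placeholder, not one of the real domains.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines (not from the original post): "client method url".
# c2-example.invalid is a placeholder hostname, not a real Kargen Zbot domain.
SAMPLE_LOG = """\
10.0.0.5 POST http://c2-example.invalid/b/req/aB3dE6fG9hJ2kL5mN8pQ1rS4
10.0.0.5 POST http://c2-example.invalid/b/opt/zY8xW5vU2tS9rQ6pO3nM0lK7
10.0.0.5 GET http://www.example.com/index.html
10.0.0.7 POST http://www.example.com/b/req/short
10.0.0.9 PUT http://files.example.com/b/opt/aB3dE6fG9hJ2kL5mN8pQ1rS4
"""

# Directories from the post's rule; the filename length is from the post's description.
C2_DIRECTORIES = {"/b/req/", "/b/opt/"}
BEACON_FILENAME_LEN = 24
# Assumption: the rule's action=put covers HTTP POST (and PUT) requests.
BEACON_METHODS = {"POST", "PUT"}


def parse_line(line):
    """Split one 'client method url' line into the fields the rule needs."""
    client, method, url = line.split(maxsplit=2)
    path = urlsplit(url).path
    # Split the path into its directory (with trailing slash) and filename.
    directory, _, filename = path.rpartition("/")
    return {
        "client": client,
        "method": method.upper(),
        "directory": directory + "/",
        "filename": filename,
    }


def is_kargen_beacon(rec):
    """True when the record matches the beacon pattern: put to one of the two
    C2 directories with a 24-character filename."""
    return (
        rec["method"] in BEACON_METHODS
        and rec["directory"] in C2_DIRECTORIES
        and len(rec["filename"]) == BEACON_FILENAME_LEN
    )


def find_beacons(log_text):
    """Return every parsed record in the log that matches the beacon pattern."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in records if is_kargen_beacon(r)]


def beacon_counts(log_text):
    """Count matching beacons per client, which is what an analyst would
    pivot on to find the infected host."""
    return Counter(r["client"] for r in find_beacons(log_text))


if __name__ == "__main__":
    for rec in find_beacons(SAMPLE_LOG):
        print("Kargen Zbot Variant Beacon:", rec)
    print("per-client counts:", dict(beacon_counts(SAMPLE_LOG)))
```

The GET request and the POST with a short filename are not flagged; the two POSTs from 10.0.0.5 and the PUT from 10.0.0.9 are, and the per-client count shows 10.0.0.5 beaconing repeatedly, which is the host to pull for further investigation.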


Finally, each of the domains listed above has been added to the FirstWatch C2 Domain feed so that customers can better detect this threat.


Good Luck and Happy Hunting!
