funsec mailing list archives

Re: The Criminal Underground: A Walk on the Dark Side


From: coderman <coderman () gmail com>
Date: Wed, 5 Sep 2007 20:54:20 -0700

On 9/5/07, Dude VanWinkle <dudevanwinkle () gmail com> wrote:
> ...
> so most comcast machines send hash fragments over the web? or is it
> just port 443 traffic to legitimate sites? I tried googling but found
> only theory. If anyone has a good link I would appreciate it. It seems
> impossible to me that they have no centralized communications, else
> how would commands be given?

the root of the C&C is surely a few people, with a small number of
servers (maybe even one person?).  these are obfuscated via multiple
hops to the "injector" or "controller" peers in the DHT ring
(eDonkey2k/overnet/kademlia).

so, finding connections from the anonymized C&C into the ring is very
hard.  then you get to track backwards (if you even get this far) and
try to break the anonymized hops (where each hop is monitored by
upstream router) to find the source, and without alerting the suspects
to your investigation...
[is it any wonder storm continues unabated? *g*]


> > (where each hop is monitored upstream as well, to know when to cut and
> > run...)
>
> You can use their size against them, you can't personally watch that
> many machines at once, or is the cut-and-run programmatic, because if
> so, I see a great solution ;-)

i don't know much detail about this aspect of it.  it is certainly
programmatic, but i have no idea what constitutes an "alarm" from the
upstream router.  this is also the least discussed aspect of these
networks, perhaps because the white hats are trying to sleuth as well
as inform without tipping their hand too much.

who knows.  ask arbor, caida, or $malware_research_team  :P


[with millions of hosts to pick from, a non trivial subset will have
vulnerable upstream routers.  these working in tandem are great for
each anonymized hop.]


> I keep thinking that if the bot herder has a way to tell all machines
> to do something (DDoS, send spam, etc), we could take advantage of
> that and tell them to uninstall the malware.. after RCE'ing their code

yes, if you can break the encryption.  i'll avoid a tangent about the
ethics of hacking others with good intent.  remember creeper and
reaper? :)


> thanks for the info! I have a lot of terms to google!

i just found this paper which is an excellent overview of how it works:

"Peerbot: Catch me if you can"
http://www.symantec.com/avcenter/reference/peerbot.catch.me.if.you.can.pdf

a description of the kademlia dht protocol is here:
http://en.wikipedia.org/wiki/Kademlia


and a collection of interesting facts about
W32.Mixor.Q@mm -> Trojan.Peacomm -> "storm worm"
- it uses MMX, FPU, and exotic API calls like User32!DdeQueryConvInfo
to thwart virtualized environments.

- it actively detects VMWare, Virtual PC, and other VM's and goes into
an infinite loop.

- it uses a variant of the Tibs polymorphic packer to continually push
out variants every ~30? minutes to evade detection signatures.

- the rootkit functionality pulled after initial infection can hide
from rootkit revealer, and other malware detectors (although parts of
it, like the packer, the wincom32.sys, the spammer, etc, may be
detected)

- it has a DDoS component that has been used to react aggressively
toward defensive measures like network scans [see
http://lists.sans.org/pipermail/unisog/2007-August/027405.html ] as
well as others researching the trojan/botnet.

interesting stuff, even if it is nasty business...

best regards,
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
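The routing the thread keeps circling back to (a "DHT ring" of eDonkey2k/Overnet/Kademlia peers with no fixed server to pull) comes down to one metric and one lookup loop. The following is an added example in Python, not code from the post above, from the Symantec paper, or from any Storm/Overnet implementation. It assumes 128-bit node IDs and keys as Overnet uses, hashes search terms with SHA-1 truncated to 128 bits rather than Overnet's MD4 (MD4 is frequently disabled in current OpenSSL builds), and builds the whole overlay in memory from a seeded random generator; nothing here touches a network.

```python
"""Kademlia-style XOR routing over a constructed in-memory overlay.

Added example: not from the funsec thread, Symantec's paper or any Storm/Overnet
code. IDs are 128-bit as in Overnet; keys are SHA-1 truncated to 128 bits here
instead of Overnet's MD4 (an assumption of this example, not of the protocol).
"""
import hashlib
import random
from typing import Dict, List, Tuple

ID_BITS = 128   # Overnet/eDonkey2k node IDs and keys; the Kademlia paper uses 160
K = 8           # bucket size and replication parameter
ALPHA = 3       # lookup concurrency


def xor_distance(a: int, b: int) -> int:
    """d(a,b) < d(a,c) exactly when b shares a longer common prefix with a than
    c does: the highest differing bit decides, so the metric is a binary tree."""
    return a ^ b


def bucket_index(self_id: int, other_id: int) -> int:
    """Which k-bucket holds other_id: bucket i covers distances [2**i, 2**(i+1))."""
    d = xor_distance(self_id, other_id)
    if d == 0:
        raise ValueError("a node does not keep itself in its routing table")
    return d.bit_length() - 1


def key_for(name: bytes) -> int:
    """Map a search term to a point in the ID space (SHA-1/128 here, MD4 in Overnet)."""
    return int.from_bytes(hashlib.sha1(name).digest()[: ID_BITS // 8], "big")


class Node:
    def __init__(self, node_id: int) -> None:
        self.id = node_id
        self.buckets: Dict[int, List[int]] = {}

    def learn(self, other_id: int) -> None:
        """Insert a peer, at most K per bucket. Real Kademlia evicts the
        least-recently-seen entry only if it fails a ping; here extras are dropped."""
        bucket = self.buckets.setdefault(bucket_index(self.id, other_id), [])
        if other_id not in bucket and len(bucket) < K:
            bucket.append(other_id)

    def closest_known(self, target: int, k: int = K) -> List[int]:
        """Answer to FIND_NODE(target): the k known peers closest to target."""
        known = [n for bucket in self.buckets.values() for n in bucket]
        return sorted(known, key=lambda n: xor_distance(n, target))[:k]


def build_overlay(n_nodes: int, seed: int = 1) -> Dict[int, Node]:
    """Constructed overlay: each node is shown every other node once and keeps
    what fits. Far buckets overflow and truncate, near buckets stay complete;
    that asymmetry is what lets a lookup halve the distance every hop."""
    rng = random.Random(seed)
    ids = set()
    while len(ids) < n_nodes:
        ids.add(rng.getrandbits(ID_BITS))
    net = {i: Node(i) for i in ids}
    for node in net.values():
        others = [i for i in ids if i != node.id]
        rng.shuffle(others)  # truncation should not depend on insertion order
        for other in others:
            node.learn(other)
    return net


def iterative_find_node(net: Dict[int, Node], start_id: int, target: int,
                        k: int = K, alpha: int = ALPHA) -> Tuple[List[int], int]:
    """Iterative lookup: query the alpha closest unqueried nodes, merge their
    answers, stop once the k closest on the shortlist have all been queried.
    Returns (the k closest node ids, number of FIND_NODE queries sent)."""
    queried = {start_id: True}  # the starting node's table is ours to read
    for peer in net[start_id].closest_known(target, k):
        queried.setdefault(peer, False)
    sent = 0
    while True:
        top = sorted(queried, key=lambda n: xor_distance(n, target))[:k]
        pending = [n for n in top if not queried[n]]
        if not pending:
            return top, sent
        for n in pending[:alpha]:
            queried[n] = True
            sent += 1
            for peer in net[n].closest_known(target, k):
                queried.setdefault(peer, False)


def brute_force_closest(net: Dict[int, Node], target: int, k: int = K) -> List[int]:
    """Ground truth no DHT node actually has: every ID in the overlay, sorted."""
    return sorted(net, key=lambda n: xor_distance(n, target))[:k]


if __name__ == "__main__":
    overlay = build_overlay(300)
    key = key_for(b"constructed search term")  # constructed input
    found, sent = iterative_find_node(overlay, next(iter(overlay)), key)
    print(f"{sent} FIND_NODE queries reached the {K} closest of {len(overlay)} nodes")
    print("matches brute force:", found == brute_force_closest(overlay, key))
```

Run stand-alone it shows a few dozen queries converging on exactly the K nodes a full scan of the overlay would pick, independent of how many nodes there are. That is the property behind the "no centralized communications" puzzle in the quoted question: a publisher only has to store under keys that the bots search for, every participant can reach the nodes responsible for a key in a logarithmic number of hops, and a defender watching one infected host sees FIND_NODE traffic to ordinary peers rather than a connection to a fixed address. The lookup's exactness here depends on the constructed tables being complete below the truncated far buckets; in a live overlay with churn and stale entries the same loop still converges but may return a superset that has to be pruned by liveness.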
