Cedric PERNET - Computer Security, Forensics, Malware & Cybercrime

A new article from the excellent Brian Krebs has been published today on the Washington Post.

The article is spreading Jart Armin's whitepaper about ATRIVO, a famous hosting company ... Well when I say "famous" I should say famous to fraudsters and computer security researchers.

The case is quite similar to the RBN case at the end of last year : a bulletproof hosting company, acting for years, suddenly gets in the spotlights. Several things have been said concerning RBN. Having studied the organisation for a while, I have to say some releases about RBN have been upsetting me. According to almost the whole security community, RBN had disappeared...Only to be spotted and mentionned everywhere for any fraudulent action taking place in the malware/phishing/fraud world. RBN has spread all worldwide malware, has done every phishing case, has hosted all illegal content worldwide, and has attacked Georgia... Crap.

It just seems that most researchers have simply forgotten one thing: RBN had customers. When RBN "died", I heard shouts that they had gone to "AbdAllah" host for example. I think that's totally untrue ; people noticed fraudulent domains had moved from ex-RBN to AbdAllah, and claimed it was a RBN move, which wasn't, in my opinion.
Instead, it was only a move from customers, from one bulletproof hoster to another.

Now Atrivo is "following" the RBN case, being shown as an evil host. Emil K, its founder, is declaring just like Tim Jaret did for RBN, that he is responding to the abuse requests. But he doesn't. He's quite following the same politic of communication than Jaret.

As for Jart's paper, I don't agree totally with him, thought I respect his work. I won't say more, and let you read his paper. What will Atrivo's future be, now that all eyes are on them ? Will they vanish just like RBN did ? Time will tell...

Edit: (2008-09-01) It seems that some people are reacting fast (speaking of GLBX). Read this excellent article from Jose Nazario.
Edit: (2008-09-05) An excellent investigation from Knujon about Directi can be read here. Excellent work.
Edit: (2008-09-08) It seems that everyone is running away from Atrivo :
http://sunbeltblog.blogspot.com/2008/09/more-interesting-atrivointercageestdoma.html
http://voices.washingtonpost.com/securityfix/2008/09/scam-heavy_us_isp_grows_more_i.html
Edit: (2008-09-09) Another striking article from Brian about EstDomains this time. Brian is very active recently against cybercrime hosting companies and registrar, and it seems to work fine. This shows us all the power of the press... But it shouldn't go too far, since it could ruin some LE investigations. I hope it will not be the case.

Update: (2008-09-15): EstDomains declares global war against malware... Can you really believe it ? Article here.

Update (2008-09-15): Thanks to Communautech for a nice french article here.

Update (2008-09-17): Gary Warner has done a great work, showing us a huge amount of domain names pointing to Intercage. Here is the result.
Update (2008-09-22): Atrivo seems to be down for the moment. link here and here.
Update (2008-09-22): Atrivo is back tonight. Some new peering appeared, as can be seen here:

Report for AS27595
Name
INTERCAGE - InterCage, Inc.
AS Adjancency Report
In the context of this report "Upstream" indicates that there is an adjacent AS that lines between the BGP table collection point (in this case at AS2.0) and the specified AS. Similarly, "Downstream" refers to an adjacent AS that lies beyond the specified AS. This upstream / downstream categorisation is strictly a description relative topology, and should not be confused with provider / customer / peer inter-AS relationships.
27595 INTERCAGE - InterCage, Inc.
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS23342 UNITEDLAYER - Unitedlayer, Inc.

Thanks to cidr-report.org as usual for the info :-)

Eh oui, voilà le traditionnel post blog qui revient tous les 6 mois, à chaque changement de version d'Ubuntu...

Ce coup-ci, alors que j'avais été enchanté par la migration Edgy->Gutsy il y a 6 mois, il n'en a pas été de même avec la migration vers Hardy Heron (8.04 LTS).
J'ai migré ma machine principale le jour de la sortie de Hardy Heron, je suis comme ça ... Certains attendant quelques jours en lisant nerveusement tous les posts dans les divers forums dédiés à Ubuntu, mais pour ma part je suis plutôt confiant (naïf?) ... J'ai cette tendance à penser qu'après 6 mois le labeur acharné, une nouvelle mise à jour a peu de chances de me planter tout mon système, et que tout est réparable de toute façon... Je vous rassure, je n'ai pas crashé mon système, j'ai juste eu quelques petits désagréments que voici :

• Problème de montage de disques : ma config sur cette machine est somme toute très classique. Il s'agit d'une tour dans laquelle se trouve un gros disque dur IDE, monté habituellement hda. Un autre disque dur, externe, est connecté à ce poste en permanence, en USB, pour divers backups etc.
  Au reboot d'après install, me voilà donc, sous l'oeil et le rire méchant d'un FreeBSDien breton avec qui je passais la soirée, en face d'une console qui m'indique des problèmes de montage... Et qui ne démarre pas X.
  Un examen rapide de mon fstab, histoire de vérifier que le fichier n'est pas altéré de façon bizarre, puis un mount pour voir ce qui se passe : mon disque dur IDE est monté en sda, provoquant un conflit bien légitime... Changement de mon fstab pour monter le disque dur externe en sdb, et voilà ma distrib qui reboot de façon saine et fonctionne correctement. Je n'ai pas encore cherché le pourquoi du comment de ce changement radical, mais bon, du moment que tout fonctionne, ce n'est pas ma priorité.

• Truecrypt : Problème très visible immédiatement en checkant mon système : mes partitions TrueCrypt ne sont plus présentes. Je farfouille un peu, puis me dit que ce doit être lié au nouveau kernel ... Je recompile Truecrypt rapidement, et hop, tout est rentré dans l'ordre.

• Firefox 3 beta : Aïe ... J'ai toujours été farouchement opposé à avoir Firefox beta sur ma machine, et là, on ne m'a pas posé la question, on me l'impose... Du coup, j'ai effectué un downgrade pour être à nouveau sous Firefox 2...

A part ça, quelques plugins Amarok qui n'ont pas aimé la nouvelle version, mais je n'ai constaté aucun problème grave sur mon système. Comme d'habitude, je ne poste pas sur les divers nouveaux logiciels/changements GUI et autres, je n'en ai pas vraiment le temps ni l'envie, ubuntu-fr.org le fait bien mieux que moi ;-)

I decided to translate a post from my colleague Fabien Perigaud, from french to english. The original post in french is here.

I wanted to share this great post with foreign readers, because this topic is always of high interest for me, as I am a heavy virtual machine user... Please apologize for the bad translation, I'm dead tired and will not re-read it I guess :-p

There it goes :

"In the world of malware, the race between malware author and anti-virus companies is famous, the first ones trying to make their creation the most invisible against the second one's solutions.
Before the so-called malware can be detected as malicious by an anti-virus product, he undergoes a strong analysis, so that his behaviour is understood. That way, a signature can be extracted of it, to allow detection, and to have a way of cleaning the infected machines.
Malware developers have got to counter the analysis tools, the first one being the virtual machine, which allows to launch the malware without any fear, because the system can be restored in its previous state in few seconds.
A new caught malware, spreading via a malicious Flash banner found on many web sites, has shown us a new method of virtual machine detection, impacting QEmu (and probably Virtual PC, and VMware without hardware acceleration).
The packer used by the malware, not identified at the time of writing, executes the "asin" function after having decrypted a part of itself. This function is part of the msvcrt library. This function will return in EAX register a different value according to the value of the Control Word register from the FPU (Typically, a 0 value will be given to EAX if FCW is not equal to 0x27F).
The FCW register undergoes some operations equivalent to a logical AND with a 0x23F mask, at the loading of the msvcrt.dll library (FPU register init). According to Intel's specs, the 6th bit of the FCW register is marked as reserved, and it has been discovered it was fixed to 1 on physical machines.



On a physical machine, FCW will therefore have the value 0x27F after the loading of the library. Unfortunately, QEmu's full emulation mode (without using kqemu) doesn't set the 6th bit to 1 ; the register takes the value of 0x23F, provoking a different result to EAX after it gets out of the asin function.
According to this value of EAX, the malware will initialise or not the variable of its decrypting loop, provoking its own crash if not set properly (writing on an unauthorized memory zone), preventing any analysis.



We can expect more and more malware use this kind of detection method, preventing this way automated analysis based on virtual machines. So the race goes on..."

I've been publishing a short post about XSSED.COM on CERT LEXSI's weblog.

Here is the link.

And thanks to Reseaux-Télécoms.net for their nice article about it.

Well, it's about noon here, on saturday night, and I should be away with friends, drinking a bit, having fun, meeting new people... But things are a bit different this saturday night. Yes, I'm stuck home, being sick. Just like a malware, flue has spread amongst co-workers, and it finally struck me yesterday.

What could I do then, except spending some time on my laptop, lying in my bed ?

As the "social monster" I am supposed to be, like one of my co-worker has called me, I thought I would spend some time talking with one or two friends on IRC or MSN (well, I'm using "pidgin" under my Linux for MSN protocol, of course).

So I've been chatting a bit, and then, suddenly, a friend asked me :

"hey, is this you ? http://members.lycos.co.uk/xxxx/?=myemailaddress"

I immediately tried to tell her that she was having a malware on her computer, but it seems that she didn't get my message. Luckily enough, I had her phone-number so I called her and explained her some things ;-)

Now as curious as I can be, I got to this url and of course, it opened a window asking me if I wanted to download a file called "naked0453.com" , which I did.

I immediately sent this file for analysis to virustotal.com (Hi Julio ;-)) and got this result:

So now I could have googled around to find more information about this Trojan.Win32.Agent.dwd, but it would have been no fun.

Instead, I decided to launch the naked0453.com file ... Of course, under a special environment : a Windows XP SP2 in a VirtualBox. My sniffer (Wireshark) already on of course, to check for the network communication.

Well as soon as I ran the binary, it opened a window containing the "supposed" me :



Ok, it definitely is not me, I feel better, none of my ex-girlfriend has sent naked pics of me through Internet ;-P

Anyway, some files have been dropped on my system when I launched the binary:

* a file "services.exe" in my C:\Documents and Settings\user\localsettings\temp.
* some temporary files (image.jpg for example)

The services.exe binary is immediately run by the "naked" binary.

Once again, I ran the binary on virustotal.com, obtaining the following results:



As you can see, the malware itself is less detected than his dropper, which is usual. And oh, Armadillo is there... But I don't have reversing skills anyway :-p

Of course, the malware has also added himself in Windows registry, so that it will restart when Windows reboots.

Another funny thing is that services.exe (I'll call it the malware from now on) has been reading my autoexec.bat file, but I don't know why.


A remote thread is also injected in c:\windows\explorer.exe

I'm hushing through all these files manipulation because I'm not finding it so sexy : my main interest is to check what the malware has done on the network.

Letting Wireshark run for some time, I see there is quite an amount of communication. After some ten minutes, I stopped it, and put my Windows XP in my VirtualBox in his precedent state. (uninfected)

The first packets sent by the malware are DNS requests :

1 0.000000 192.168.x.x 192.168.x.x DNS Standard query A james.ccpower.ru
2 0.003170 192.168.x.x 192.168.x.x DNS Standard query response A 127.0.0.1
3 3.848609 192.168.x.x 192.168.x.x DNS Standard query A asl.aldanma.net
4 3.852151 192.168.x.x 192.168.x.x DNS Standard query response A 209.205.196.3

james.ccpower.ru points to 127.0.0.1, being useless. But we see that asl.aldanma.net is resolved to 209.205.196.3.

Immediately afterwards (5th packet) the malware establishes a connection to a IRC server at asl.aldanma.net :

NICK FQ[FRA-0H-hebxpefcz
USER heh heh heh :kakap
:log.on.sys 001 FQ[FRA-0H-hebxpefcz :Cisco
:log.on.sys 005 FQ[FRA-0H-hebxpefcz

:log.on.sys 422 FQ[FRA-0H-hebxpefcz :
:FQ[FRA-0H-hebxpefcz MODE FQ[FRA-0H-hebxpefcz :+i
JOIN #.niw
:FQ[FRA-0H-hebxpefcz!heh@AFontenayssB-x-x-x-x.wx-x.abo.wanadoo.fr JOIN :#.niw
:log.on.sys 353 FQ[FRA-0H-hebxpefcz @ #.niw :FQ[FRA-0H-hebxpefcz @abc
:log.on.sys 366 FQ[FRA-0H-hebxpefcz #.niw :End of /NAMES list.
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ a7d10aaf0e52b98963bc13232d4e88f1 .................................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................


As we can see, the malware connects to the IRC server using a nick "FQ[FRA-0H-hebxpefcz" which at least contains a country reference.It also uses a user name "heh heh heh :kakap"
The answer from the server, the MOTD, is "Cisco".
The bot (malware) then joins the secret channel #.niw on the server.

We see only one user on the channel, with operator rights, called "abc". I would have liked seeing all bots connected at the same time but it seemed that the server was configured to hide everything. Even whois'ing was forbidden on the server.

After that, my machine started to connect to a lot of different web servers, getting hundreds of files (porn, affiliation, more malware...) but I had no time to keep digging, and furthermore I have to write another post on this blog about "Solutions Linux 2008" ... :-p

So this fast funny analysis is over, and as you can see it took me quite some time to publish it (mainly because I was away on hollidays) ;-)

Eh non, je ne ferais pas de post sur la vague Storm de noël-nouvel an ...

A la place, je me contenterais paresseusement de vous souhaiter une bonne année 2008.
Puisse cette année vous apporter santé, réussite, amour, bonheur et rires, parce qu'après tout, il n'y a pas que le boulot dans la vie ...

Je continue à n'avoir pas le temps de poster ici, mais pitié gardez-moi quand même dans vos flux RSS ;-))
Je me soupçonne d'avoir prochainement la volonté de reprendre ce blog en main ...

Et au pire, à bientôt à Solutions Linux !

Certains s'étonnaient que je ne parle pas de la nouvelle distribution d' Ubuntu, voilà un post qui devrait les rassurer mais qui sera bref.

J'ai migré mes machines de Feisty Fawn (7.07) vers Gutsy Gibbon (7.10) le jour après la sortie de la version officielle, sans aucune difficulté. Mieux encore, je devais résinstaller un nunux sur mon vieux laptop, et vu sa config, j'avais l'habitude de devoir installer Ubuntu en console, pour ensuite configurer X à la main, à cause d'une Nvidia récalcitrante...
Ce n'est plus le cas, Gutsy Gibbon m'a permis de tout faire en GUI, n'en déplaise à certains... :-p

Autre bonne découverte, Dolphin, gestionnaire de fichier que je ne connaissais pas et qui me satisfait pleinement. (J'utilisais Nautilus avant)

Bref, que du bon dans cette mise à jour, tout s'est bien passé sur toutes mes machines, sans avoir à trifouiller de fichier de config, et c'est parfois bien agréable ;-)

Well here are good news following the opening of the new .asia gTLD. I've blogged about it HERE. This week-end I'm sick, so I guess I could find some time to blog at least one new post here ;-)

Pareil que pour le post précédent, je vous donne le lien direct ici ... (english)

Mais je vais quand même reposter quelques trucs ici, il faut juste que je trouve un peu de temps le soir ;-)
(Je dis ça pour les rares fidèles de ce blog que je remercie au passage)