Thursday, January 31, 2008

Infiltrator Botnet Monitor

Usually the first question asked by someone who is interested in botnet monitoring is, "What do you use to monitor botnets?"

New hunters tend to watch IRC networks, then move up to HTTP, P2P, etc. Many new hunters try to use off-the-shelf IRC clients, until they realize the bloat really isn't worth it and that monitoring more than a dozen nets that way is practically impossible. Furthermore, monitoring custom IRCds with an RFC-compliant client will likely raise the suspicions of the botherder.

A friend (Magictao) found a newer client called Infiltrator and passed it my direction. Infiltrator is a python script written by zeroq. It should run on both Windows and *nix, and will allow you to monitor several botnets at once with very little bloat. We use something similar here at DISOG.

Paul has not had a chance to review the code yet, and my Python is very weak, but I could not see anything too dangerous. Just remember this client will download URLs seen in the IRC traffic. Please do what you can to protect yourself from accidental discharge of any downloaded malware. I ran the client for an hour or so this evening, and it did everything as advertised. It's missing documentation, but if you have a few minutes, give it a shot!

Wednesday, January 30, 2008

Pharmacy related sites - the work of CME711?

Over the last few months there has been a large number of domains registered for what appear to be pharmacy-related sites.

Many of the sites are using 5-minute TTLs with multiple A records.

Possibly related, Websense posted this today: http://www.websense.com/securitylabs/blog/blog.php?BlogID=170

Websense believes the spam they have seen is related to Storm/CME711. It's very likely that these domains are also related, but I'm stopping short of claiming that at this time.

~400 examples are:
24storerx.org, aacsrwalty.com, aadwsv.shipany.cn, aaqpsh.flowsame.com, actand.com, aftersilent.com, agoeven.com, agosurface.com, agreecopy.com, agreedoctor.com, aktzu.centurytie.cn, alsochair.com, alsoother.com, alwaysgive.cn, amonggold.com, ancorrect.cn, angerbest.com, ao.drawdecide.com, aokhb.termcrop.com, atg.imagineoh.com, barhair.com, barresult.cn, basicsat.com, baspul.com, bbm.drawdecide.com, beautywest.cn, bestgoodguide.com, bestgrayso.com, besthotelsoxford.com, bestpillstick.com, bestrateon.com, bestwhiteso.com, bestwhitso.com, betweengrass.cn, bhi.wishlisten.com, bigbonger.com, boatnor.cn, bothstill.cn, brightmany.com, bringheart.com, bringpay.cn, brotherwhose.com, buteat.com, buychange.cn, bvogiwr.movesince.com, canwehost.com, cardfresh.cn, carrystood.com, cattable.com, causechild.com, causeshare.cn, centurytie.cn, cheaptmundo.com, chekdirecto.com, chekguia.com, chektierra.com, chickcourse.cn, chiefthird.cn, childturn.cn, chinaonworld.com, colonystone.cn, containadd.com, containyour.com, continueboy.com, continuedouble.com, cooktwo.com, cornerbrother.com, cottondecimal.com, countplace.com, courserule.cn, coverhuman.com, coverpiece.com, creasefine.cn, cureabc.org, dangerwhose.com, davort.com, decidedoor.cn, decideshort.cn, decimalmuch.com, desertother.com, desertsure.com, desertthat.com, develophold.cn, developstudy.com, dgani.throwline.cn, dhino.lookstretch.com, didsoil.com, directdrugred.com, divideif.cn, dkqkao.shallask.com, dogloud.cn, doublespeech.cn, downminute.com, drawdecide.com, ducksong.cn, d.wishlisten.com, e4rxmeds.org, eabch.subtracttree.cn, earlyspot.com, earlywarm.com, eastman.sailhim.com, edgeatom.com, edgegive.com, efp.onewhole.cn, eioow.speeddegree.com, elsedear.com, endlet.cn, entercame.com, eromeds.com, esplhaf.whatshore.com, evenspot.cn, exceptboat.com, experimentshore.cn, factclose.com, fairengine.com, farmmonth.com, fdrei.butseem.cn, feartold.cn, feeddark.com, feedhat.com, fewreason.com, filllead.com, finalmine.com, fitglad.com, 
flategg.com, flatread.com, flatrub.com, flowerfeet.cn, forcechord.com, foundby.cn, foxlawonline.com, friendgun.cn, fromport.cn, fuvlma.suddensilver.cn, fvzyevo.girlroot.cn, fxzhpu.wishlisten.com, gaswent.com, g.greatsoxdirect.com, gladfarm.com, glassneighbor.com, gohour.cn, goldfear.cn, gonwodm.syllablewill.cn, goodmoodman.com, gotdraw.com, goyapas.net, greatsoxdirect.com, groundoil.cn, groupseem.com, growfell.com, guessbegan.com, hadstop.cn, happenrepeat.cn, hardsummer.cn, hasout.com, healthdivision.org, heardweight.cn, heardwinter.cn, heatpractice.cn, heavyclass.com, heavyobserve.com, hopeyoung.com, hoqte.wishlisten.com, hurryrecord.com, iabqs.lightcapital.cn, ideathan.com, iffraction.cn, imagineanimal.cn, imagineoh.com, imscin.troublesea.cn, intereststudy.com, int-pharma.com, iqdod.spokeeye.cn, iteffect.cn, iwihjb.largeprobable.com, joysurprise.com, kcooj.shipany.cn, kebird.com, kemtkbo.vowelthrough.cn, kingrx.org, largeprobable.com, leadposition.cn, learndegree.cn, leastcall.com, lessvoice.cn, levelsmell.cn, liftduck.cn, liftmatter.com, lightcapital.cn, lookstretch.com, lotthink.com, lovelypills.com, lovepharmcheck.com, lowgood.cn, luecq.whothese.com, l.wishlisten.com, matternote.cn, meantplace.com, measureremember.com, medicalplacetrade.com, medisuccess.com, medsalon.org, medsbuzz.org, medscit.com, medselectron.org, medsher.com, medsjumbo.org, medsonline-new.com, medsplacecolor.com, medsqualitynecessary.com, medssuperstore.org, megumw.beginclimb.cn, melodylone.com, memountain.com, middlecircle.cn, miletake.com, minf.imagineoh.com, mixevery.com, mloism.spokeeye.cn, moment4medical.org, monthlength.com, mountainforward.com, mountstate.com, mountwide.com, mouthsell.com, muchwrite.com, musicindicate.com, musiclarge.com, mw.imagineoh.com, my24meds.com, nearred.com, nearvisit.com, neckespecially.cn, neckfavor.com, newpillsfour.com, ninepaint.com, nirmteq.beautywest.cn, nitrousoxideonline.com, nnusint.caughtkept.com, northfit.cn, ns1.kepcar.com, ns1.podezm.com, 
ns1.zipolt.net, ns2.bilepa.com, ns2.podezm.com, ns2.telyxnet.com, ns2.zipolt.net, ns4.medabcs.org, oilhow.com, one-edmeds.com, onlinedrugsset.com, onlyexcept.com, onron.intereststop.cn, ooghh.teachclimb.com, opensrx.org, orderhold.com, orx.wishlisten.com, ourroyaloem.net, ownfull.cn, ownreach.cn, parenthorse.cn, partcolumn.cn, particularprint.com, pathexperiment.com, pav.greatsoxdirect.com, pharma-vo.com, pharm-edone.com, pharmonlineyou.com, pharmplaceleave.com, pharm-x-press.com, piecestreet.com, pills33.com, planetclaim.com, playduring.cn, prettyevery.com, productagain.com, propersince.com, protectphrase.com, provethird.cn, psbq.measureremember.com, psezanm.saycame.com, pushfamily.com, p.wishlisten.com, qaicnlj.servehit.cn, qee.presentfly.com, qourm.takeresult.cn, quiteyour.com, raiseend.com, raisesnow.com, rangepattern.com, rangorp.net, rathershape.com, reasonso.com, requireisland.com, ridepossible.com, risecheck.com, rj.wishlisten.com, rollspeak.com, roomcaught.cn, roothad.cn, roundstand.cn, royaloemsoft.com, rqopsip.amonghand.cn, ruborse.com, rulespring.com, rx800.org, rxcounts.org, rxhandsup.org, rxonlinethe.com, rxqualitypresent.com, safechief.cn, samanthafoxsite.com, samosahead.com, sandnatural.com, scorebed.com, seamoment.com, seasonchance.com, seatfeel.cn, segmentsign.cn, selfoh.com, sentencewe.com, servehit.cn, setcross.cn, settlechord.com, settlelie.cn, settletone.com, shecommon.cn, shefill.com, shipany.cn, singwill.com, sisterexact.com, sitepharmgarden.com, sizetruck.com, sleepburn.cn, snowseat.com, softbestgrand.com, softsiteprovide.com, softwareonlinemuch.com, solvewest.cn, sonrain.com, sosgay.subtracttree.cn, speakgas.com, speakpound.com, speeddegree.com, spokeeye.cn, springexcept.com, squareway.cn, standwheel.com, starsrx.org, statewas.com, stretchstar.com, strongmust.com, subtracttree.cn, suggestgrand.cn, suggestleave.com, suitconnect.com, suitleast.com, surefinal.com, tablewhose.com, tailevent.cn, thanpopulate.com, thebetterredso.com, 
thechiso.com, thepawso.com, theredsoxes.com, thereseason.com, theseatsoxfactory.com, thinspace.cn, thoughtmouth.cn, thoughwalk.com, tmhued.creasefine.cn, to.drawdecide.com, toldexact.com, toldwhere.com, tomdef.com, touchwild.cn, towardvary.com, treecase.com, treetriangle.cn, truckclimb.com, uesjpm.servehit.cn, umajct.subtracttree.cn, unmos.shipany.cn, untilport.cn, uplone.com, verbalso.com, villagedepend.cn, vowellow.com, vowelthrough.cn, walkmore.cn, weekinvent.cn, weekown.com, wfa.drawdecide.com, whatcurrent.com, whensafe.com, whoseour.cn, whothese.com, whyallow.com, willcat.cn, windowloud.com, wintersilent.com, wishlisten.com, wquos.latebring.com, wroteplan.com, wyk.wishlisten.com, xpt.wishlisten.com, xznluo.statejoin.cn, youngchord.com, yourcrease.com, yyoat.suddenfull.com, zkgio.sharecontrol.cn, z.wishlisten.com
These domains share many of the same A records, which is what caught my attention.
More information available as soon as I know more.
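The two signals the post relies on, a 5-minute TTL paired with several A records and many domains resolving to the same addresses, are easy to turn into a triage script. The following is an added example written for this page, not code from the DISOG blog; the DNS answers it runs on are constructed sample data using RFC 5737 documentation addresses, not real resolutions for the domains listed above.

```python
"""Flag fast-flux-style DNS behaviour: short TTLs with many A records, and
domains that share A records with each other.  Added illustration for the
post above; the answers below are constructed, not real lookups."""
from collections import defaultdict

# Constructed sample: domain -> (TTL in seconds, list of A records).
# Addresses are RFC 5737 documentation ranges, not real flux nodes.
SAMPLE_ANSWERS = {
    "agreecopy.com":    (300, ["192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.7"]),
    "agreedoctor.com":  (300, ["192.0.2.10", "198.51.100.5", "203.0.113.9"]),
    "alsochair.com":    (300, ["192.0.2.11", "203.0.113.7", "203.0.113.9"]),
    "normal-site.test": (86400, ["192.0.2.200"]),            # hypothetical ordinary host
    "static-site.test": (3600, ["192.0.2.50", "192.0.2.51"]),  # hypothetical two-host site
}


def is_flux_candidate(ttl, a_records, max_ttl=300, min_records=3):
    """Heuristic from the post: TTL of five minutes or less and several A records."""
    return ttl <= max_ttl and len(a_records) >= min_records


def flux_candidates(answers, max_ttl=300, min_records=3):
    """Sorted list of domains whose answers look like fast flux."""
    return sorted(d for d, (ttl, recs) in answers.items()
                  if is_flux_candidate(ttl, recs, max_ttl, min_records))


def shared_ip_pairs(answers, min_shared=2):
    """Pairs of domains that share at least min_shared A records.

    Returns {(domain_a, domain_b): {shared ips}} with domain_a < domain_b.
    Sharing one address can be coincidence (shared hosting); sharing
    several short-TTL addresses is the pattern that caught the author's eye.
    """
    ip_to_domains = defaultdict(set)
    for domain, (_, recs) in answers.items():
        for ip in recs:
            ip_to_domains[ip].add(domain)

    pair_shared = defaultdict(set)
    for ip, domains in ip_to_domains.items():
        domains = sorted(domains)
        for i in range(len(domains)):
            for j in range(i + 1, len(domains)):
                pair_shared[(domains[i], domains[j])].add(ip)

    return {pair: ips for pair, ips in pair_shared.items() if len(ips) >= min_shared}


if __name__ == "__main__":
    print("flux candidates:", flux_candidates(SAMPLE_ANSWERS))
    for (a, b), ips in sorted(shared_ip_pairs(SAMPLE_ANSWERS).items()):
        print(f"{a} and {b} share {sorted(ips)}")
```

In practice the input would come from a resolver log or repeated `dig` output; the thresholds (300 seconds, three records, two shared addresses) are starting points to tune against your own baseline, since CDNs also use short TTLs and multiple A records.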

Tuesday, January 15, 2008

CME711: Happy Valentines Day and Halifax phish

The CME711 gang has changed their tactics again. We've started seeing emails in our mail drops with pointers to nodes serving "withlove.exe" and "with_love.exe".

So far they have reverted to sending bare IP addresses in the email body, which makes it easy for most spam filters to catch.

The website code looks the same as in previous runs, with false binaries in comments and the greeting:

Your download should begin shortly. If your download does not start
in 10-20 seconds, you can click here to launch the download
and then press Run

The link is a javascript: document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A' ) );

That javascript translates to withlove.exe. Additionally, there is an image of a pink heart on the page that links to with_love.exe. You may wish to update your Snort signatures.
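Pages like this hide the real link target behind document.write(unescape(...)) and pad the HTML with decoy filenames in comments, so a quick decoder saves squinting at percent-escapes. The following is an added example for this post, not code from the DISOG blog: it decodes the exact unescape() string quoted above (which yields the anchor tag `<a href="with_love.exe">`) and lists every .exe a page body links to, ignoring names that appear only in HTML comments. The sample page it runs on is constructed from the post's description, not a captured copy.

```python
"""Recover link targets hidden in document.write(unescape(...)) and list
the .exe files a page points at.  Added illustration for the post above;
SAMPLE_PAGE is constructed from the description, not a captured page."""
import re
from urllib.parse import unquote

# The script line quoted in the post, verbatim.
JS_LINE = ("document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%77%69%74%68"
           "%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A' ) );")

# Constructed page body: decoy names in comments, the escaped link, the heart image.
SAMPLE_PAGE = """<html><body>
<!-- decoy.exe --><!-- not_really_here.exe -->
<p>Your download should begin shortly. If your download does not start
in 10-20 seconds, you can click <script>%s</script>here</a> to launch the download
and then press Run</p>
<a href="index.html">home</a>
<a href="with_love.exe"><img src="heart.gif"></a>
</body></html>""" % JS_LINE

UNESCAPE_RE = re.compile(r"unescape\(\s*'([^']*)'\s*\)")
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)


def decode_unescape(js):
    """Plain text that JavaScript's unescape() would produce for each
    single-quoted percent-encoded literal in the script (%XX form)."""
    return [unquote(literal) for literal in UNESCAPE_RE.findall(js)]


def exe_links(html):
    """Sorted, de-duplicated .exe href targets on the page.

    HTML comments are removed first so decoy filenames do not count, and
    any unescape() payloads are decoded so hidden anchors are seen too.
    """
    stripped = COMMENT_RE.sub("", html)
    decoded = "".join(decode_unescape(stripped))
    targets = HREF_RE.findall(stripped + decoded)
    return sorted({t for t in targets if t.lower().endswith(".exe")})


if __name__ == "__main__":
    print("decoded:", decode_unescape(JS_LINE))
    print("exe links:", exe_links(SAMPLE_PAGE))
```

urllib's unquote handles the %XX escapes used here; JavaScript's unescape() also accepts %uXXXX sequences, so a page using those would need an extra pass before this decoder applies.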

Additionally we're tracking a phish using Storm worm fast-flux nodes with the domain ibank-halifax.com.

Thursday, January 10, 2008

CME711 Domains offline.

Steven Adair with Shadowserver is reporting that all the Stormworm domains have been marked NOT DELEGATED.

Randy V also performed some checks today and found the same thing. We're keeping a close eye on our honeypot to see if they change domains or if this is simply a smoke screen.

The authors were probably finished with the domains anyway, since it's well past the new year. The DISOG team is placing bets on the next ruse. I say adult-rated material for February 14th (St. Valentine's Day).

Domains that have been flagged and appear to be disabled:

i-halifax.com, i-barclays.com, newyearcards2008.com, happycards2008.com, uhavepostcard.com, merrychristmasdude.com, newyearwithlove.com, familypostcards2008.com, freshcards2008.com, hellosanta2008.com, happy2008toyou.com, happysantacards.com, hohoho2008.com, santawishes2008.com, santapcards.com, postcards-2008.com, parentscards.com
