Sunday, December 29, 2013

Tracking CryptoLocker with Malcovery & IID

First things first: Here are some IP addresses that Malcovery thinks you should block immediately because they are linked to CryptoLocker. You'll see how as you read on!

46.149.111.28, 62.76.45.1, 83.69.233.25, 83.69.233.176, 95.59.26.43,
95.172.146.68, 109.234.154.254, 188.65.211.137, 188.120.255.37, 195.2.77.48

UPDATED == Please add: 81.17.140.104, 185.20.227.220, 194.28.175.8 to your blocking list!

A CryptoLocker walk-through

On December 19th, Malcovery malware analysts found two spam campaigns that were actively distributing malware that led to CryptoLocker. The first of these was the focus of that day's T3 report, on AT&T-themed spam. The AT&T spam and the Visa spam from that day both dropped a small "downloader" piece of malware.

The AT&T email had an attached .zip file named VoiceMail.zip which was 8,810 bytes in size and had the MD5 be7d2f4179d6d57827a18a20996a5a42. When unpacked, the included .exe file, VoiceMail.exe, was 15,872 bytes in size and had the MD5 d1ca2dc1b6d1c8b32665fcfa36be810b. At the time of the report, the only VirusTotal detections for that piece of malware were 5 of 49, with most major AV companies failing to detect.

VirusTotal Report 5 of 49

URL | Hosting IP | Size (bytes)
thelabelnashville.com/wp-content/uploads/2013/12/wav.exe | 206.190.147.141 | 373,248
yellowdevilgear.com/wp-content/uploads/2013/12/wav.exe | 206.217.194.251 | 373,248

The downloaded Zeus sample, wav.exe had an MD5 of a4bdb44128ca8ee0159f1de3cf11bee0 and was also very poorly detected. The VirusTotal report at that time showed only 8 of 49 detections. Of the major US-based AV, McAfee and TrendMicro detected it, both confirming a Zeus variant.

VirusTotal Report 8 of 49 detects

Immediately after becoming infected with the GameOver version of Zeus, the machine downloaded CryptoLocker malware from another site.

URL | Hosting IP | Size (bytes)
marybuenting.com/download/files/dss.exe | 173.255.213.142 | 806,912

That file, dss.exe, had the MD5 of db482a193060f7d5b81d7779b9414009 and was almost entirely undetected, registering only 1 of 49 on VirusTotal at the time of the report, although it is now detected by more than 30 AV products. Only Chinese-based Rising software detected this as malware at the time we first saw it at Malcovery Security.

VirusTotal 1 of 49.

CryptoLocker

There are several interesting things we found as we examined this CryptoLocker sample. Perhaps the best way to explain them is to show some of these screenshots first.

#1. This was the first screen that we saw after infection, letting us know we needed to pay a $300 ransom if we wanted to decrypt our files.

#2. Our Windows wallpaper was replaced with this image, so we couldn't miss the fact that we were infected.

#3. There was a pull-down menu that gave us two choices of how we wanted to pay. The first choice was to pay 0.6 BitCoins.

#4. This is the BitCoin Account we were supposed to send our money to. We would appreciate anyone else who is infected sending out a tweet with the hashtag "#CryptoBitCoin" letting us know which BitCoin purse you were supposed to send payment to.

#5. We're trying to learn more about the option to pay with a GreenDot MoneyPak. Although we tried to make a payment this way, two valid MoneyPaks that we tried to send were rejected.

CryptoLocker & IID

The CryptoLocker malware has a Domain Generation Algorithm (DGA) that causes it to generate as many as a thousand domain names based on the date of the infection. As we ran the malware on several different occasions, we realized that of the thousands of tested domains, the ones that resolved tended to resolve to the same IP address, 188.65.211.137. In a DGA, bad guys attempt to protect their botnet by having many possible domain names generated using an algorithm that allows both the bots and the author to know what domains might be valid on a given date in the future. Each bot calculates the current domain possibilities and begins "calling out" to each of those names. Most of them fail to resolve. But as long as even ONE domain resolves (meaning the criminals, or a sink-hole researcher, have registered the domain), the bot can make a connection to obtain a valid encryption key and continue the scam. Once the date has passed, the domains are no longer useful, except as evidence, but if the IP addresses are being re-used, this gives us a way of protecting systems that outlasts any single day's domains.

Malcovery Security's daily "Today's Top Threat" reports share details about the top spam campaigns that are distributing malware. Recipients of the T3 reports would have been provided with all of the IP addresses, MD5s, and VirusTotal reports above as part of this report:

As happens in so many cases, the IP address warned about in this report provides lasting protection, as the same IP was used for CryptoLocker from that day forward. But were there other IP addresses involved as well?

Because Malcovery Security is a partner with Internet Identity, we ran the IP against their Passive DNS Database. IID's President Rod Rasmussen and Threat Intelligence VP Paul Ferguson gave us permission to share some of what we learned there.

CryptoLocker Domains found on 188.65.211.137

Were these other domains also used for CryptoLocker? YES! And here is one of the ways that we can tell. When you visit a CryptoLocker domain, there are two very interesting things about them. First, they offer Technical Support for their decryption service on these domains.

As we examine the NAMESERVER choices on the domains above, we can use the Passive DNS service to find other IP addresses that use some of the same Nameservers.

The fact that, at various times, this DNS server, known to be associated with CryptoLocker Domain Generation Algorithm-created domain names, has been seen on these IP addresses makes these IP addresses of interest. But does it look like they are hosting CryptoLocker domains as well as the DNS? We used the IID Passive DNS to find lists of domain names hosted on these various IP addresses, and then checked to see whether they were used for Technical Support *OR* for distribution of binaries associated with the CryptoLocker malware. Let's look at what we found!
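The pivot described above (seed IP, to the domains on it, to their nameservers, to other domains on those nameservers, to the IPs hosting those), plus the shared-domain link used later for 194.28.174.119, as an added example that is not Malcovery's or IID's code. The passive-DNS records are a constructed sample: the domains and IPs are ones quoted in this post, but the nameserver names and the exact domain-to-IP pairings are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed passive-DNS sample (rrname, rrtype, rdata): domains and IPs are quoted
# on the page; nameserver names and the domain/IP pairings are assumptions.
PDNS = [
    ("aemivjtujaddhab.org", "A",  "188.65.211.137"),
    ("mgkppyunffvvd.org",   "A",  "188.65.211.137"),
    ("yxmbwneyurhxfv.org",  "A",  "109.234.154.254"),
    ("arubylifeclub.com",   "A",  "109.234.154.254"),
    ("teeusgcggvys.biz",    "A",  "62.76.45.1"),
    ("yrubyeurodream.com",  "A",  "62.76.45.1"),
    ("yrubyeurodream.com",  "A",  "194.28.174.119"),  # one domain, two IPs
    ("unrelated.example",   "A",  "203.0.113.9"),
    ("aemivjtujaddhab.org", "NS", "ns1.dga-host.invalid"),
    ("mgkppyunffvvd.org",   "NS", "ns1.dga-host.invalid"),
    ("yxmbwneyurhxfv.org",  "NS", "ns1.dga-host.invalid"),
    ("teeusgcggvys.biz",    "NS", "ns1.dga-host.invalid"),
    ("unrelated.example",   "NS", "ns.other.invalid"),
]

def build_graph(records):
    """Undirected graph with three node kinds: ip <-> domain <-> ns."""
    adj = defaultdict(set)
    for name, rrtype, rdata in records:
        kind = {"A": "ip", "NS": "ns"}.get(rrtype)
        if kind is None:
            continue                      # ignore MX, TXT, etc.
        adj[("domain", name)].add((kind, rdata))
        adj[(kind, rdata)].add(("domain", name))
    return adj

def pivot(records, seed_ip, max_hops=4):
    """Breadth-first walk from one IP. A shared domain links two IPs in 2
    hops, a shared nameserver in 4, so max_hops=4 covers one pivot of
    either kind. Returns {ip: path} for every other IP reached."""
    adj, start = build_graph(records), ("ip", seed_ip)
    paths, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        if len(paths[node]) - 1 >= max_hops:
            continue
        for nxt in adj[node]:
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return {n[1]: [f"{k}:{v}" for k, v in p]
            for n, p in paths.items() if n[0] == "ip" and n != start}

def domains_on_ip(records, ip):
    return sorted({n for n, t, r in records if t == "A" and r == ip})  # A records at ip
```

Each IP returned by pivot() is only a candidate; the per-IP checks in the text (a TechSupport page or the 0388.exe binary on a domain from domains_on_ip()) are what confirm it.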

Our original IP address, 188.65.211.137, was very frequently associated with spam domains related to "Ruby Casino", a criminally operated online gaming service. The IID Passive DNS service showed us dozens of "Ruby" related domains on many of these other IP addresses as well. For each of the other IP addresses, we'll ask:

- was a CryptoLocker TechSupport website found on this IP?
- was evidence of CryptoLocker Malware found on this IP?
- was this IP used by Ruby Casino spam domains?

On 188.65.211.137 - aemivjtujaddhab.org - Positive for CryptoLocker TechSupport!
Confirmed (VT 40/48) CryptoLocker malware = mgkppyunffvvd.org file at /0388.exe!
Confirmed Ruby Casino domains!

On 109.234.154.254 - yxmbwneyurhxfv.org - Positive for CryptoLocker TechSupport!
Confirmed CryptoLocker malware = jingo-deny-hosting.com file at /0388.exe
Previously used for Fake AV - see 0x3a blog post on Fake AV
Many Ruby Casino domains, such as arubylifeclub.com, erubylifeclub.com, irubylifeclub.com.

On 188.20.255.37 - aemivjtujaddhab.org - Dec 28, 2013 - Positive for CryptoLocker!
Same binary (0388.exe) available here.
No Ruby Casino

On 195.2.77.48 - usyusdoctfpnee.org - most CryptoLocker activity prior to December 6th.
Hosted malware on "AdobeFlasherUp1.com" on October 31, 2013.
Many Ruby Casino domains, including zrubywinclub.com and orubywinclub.com.

On 46.149.111.28 (Ukraine) - wwfcogdgntlxw.biz - most CryptoLocker activity prior to December 3rd.
Confirmed to have hosted Cryptolocker binary on November 21, 2013.
Many Ruby Casino domains, including lrubystardream.com and orubywindream.com.

On 62.76.45.1 - teeusgcggvys.biz - confirmed CryptoLocker on December 29th.
0388.exe binary available at IP or domain level.
Many Ruby Casino domains, including yrubyeurodream.com and zrubyeurodream.com.

194.28.174.119, linked by IID Passive DNS to the previous IP address through shared Ruby Casino domains, was found to be actively hosting CryptoLocker domains on October 30th; these were confirmed to be CryptoLocker by our friends at Malware Must Die, and include kwajtnjddqetolh.biz. The most recent CryptoLocker look-alike domain seen here was ukyfkufdi7ytdfuit.ru, from December 10th.

83.69.233.176 - mdaodtaifpkqkk.org - confirmed CryptoLocker domain on December 27th. This IP has not been seen prior to December 27th.

83.69.233.25 - not confirmed as CryptoLocker by passive DNS.
This IP *WAS* declared to be CryptoLocker in a new paper from Dell Secureworks' Keith Jarvis, more below.

95.172.146.68 - mdaodtaifpkqkk.org - confirmed CryptoLocker domain on December 29th. Also hosted the AdobeFlasherUp1.com domain mentioned above.
Hosted several Ruby Casino domains, including rubypowerland.com and krubywindream.com.

95.59.26.43 - dozens of CryptoLocker domains - confirmed TechSupport domains live on December 29th.
0388.exe binary available on live domains, including ooqgdlwctrpt.org.
Hosted several Ruby Casino domains, including rubystarsland.com, krubymasterclub.com and others.


Just on these IPs in the month of December, we find the following CryptoLocker domains:


We actually found THREE of the IP addresses that we found via Passive DNS analysis listed on a blog site in an article called CIS Cyber Alert Releases Recommendations to Combat Cryptlocker Malware by Thu Pham. That same article refers to a list of CryptoLocker C&C's that CIS is recommending to block. I list those IP addresses here from their list found at: CIS CryptoLocker List. Only three of the IP addresses listed by CIS are on our list of ten.

Keith Jarvis of Dell SecureWorks released an excellent paper on CryptoLocker Ransomware on December 18, 2013. I just found it tonight as I was Googling for additional evidence on some of the IP addresses above. I highly recommend this resource, available at Dell SecureWorks CryptoLocker Ransomware.

The same Dell Secureworks paper made me aware of the excellent thesis BitIodine: Extracting Intelligence from the Bitcoin Network by Michele Spagnuolo.