A forum for reverse engineering, OS internals and malware analysis 

 #16497  by EP_X0FF
 Thu Nov 08, 2012 11:21 am
kmd wrote: u mean this? :D
This is maybe the funniest part. I too lol'd when I first saw the guy (who is proposed to be a Russian hacker) with a stereotypical Caucasian face.

Based on the Georgian CERT article (GCERT from here on), the conclusion of foreign-intelligence involvement was made from the following information:

1. C&C domain registration data
2. Set of keywords this trojan looks for in documents
3. Bot target audience and geography
4. Additional data they proclaim they gathered from the botnet operator's computer.

Ok, turn off the political BS and let's think logically. First let's look at both reports we have: ESET from 03/12 and GCERT from 24 Oct 12.

Briefly about the bot

The bot itself, let's name it Calacreo (from the non-changing constant name calc.exe on the C&C), is written in FlatAssembler (fasm) with some added custom obfuscation. The payload is pretty trivial and has been seen before in many other bots. The exceptional part is related to the "sensitive words" lookup, which is itself nothing special and just a bot feature. With the same success, instead of "CIA", "FSB", "KGB", "tie" any kind of words can be used, for example "pass", "creditcard", "login" etc. The other set of commands is basic for a usual stealer/backdoor: rdp, screenshots, ddos, passwords, video (nothing new, see SpyEye). Overall these commands are designed for more or less comfortable remote control of the infected machine. A classical backdoor, in other words.

Unique Characteristics (page 16 GCERT report)

Sensitive words lookup: well, I said it before, nothing unique. Recording videos? So new. Self-created packer? No, the same "lapsha" obfuscation was seen a long time before. As an extremely "NEW METHOD OF MALWARE UPDATING" GCERT presented a Wireshark screenshot with a dump of an HTTP GET request, where the update is transferred as a base64-encoded buffer. Is this something really new? Not at all.
And finally the most intriguing part, which is all that really caught my attention in this shitty Georgian comedy section (oh sorry, that was a spoiler).
opening network socket at ring0 level (evading firewall) / TDSS Rootkit Modification
lolwut?

How did that user-mode backdoor turn out to be a TDSS rootkit modification? That puzzled me a lot. Maybe TDSS was downloaded additionally? Then what the hell does it need to be able to evade the firewall for, if you are already capable of downloading whatever you want? And when did it start to open sockets from ring0? Oh lol, I need to find this wonderful TDSS, I told myself. No hashes as proof links, nothing. Hopefully GCERT provided domain/IP addresses of the Calacreo C&C; here they are.


Publishing this data is an obvious mistake, because everybody can check the quality of this report. So I looked at every address they pointed to. And yes, I found this "TDSS Rootkit Modification". Here it is: check IP 178.32.91.70 via the cleanmx database. Famous super duper rootkit https://www.virustotal.com/file/c17f726 ... /analysis/ which is a Calacreo dropper wrongly identified by Kaspersky (likely because of the crypter they used... wait, didn't it have to be "unique"?). Only the fact that GCERT analysts failed to distinguish Calacreo and TDSS indicates their lack of professionalism. Plus impudent lies in their report, just to add more noise: "hey, we have the famous TDSS involved, all must fear". Wow, just wow.

GCERT used the word "virus" in its report all the time. So I must disappoint them: this is a trojan and it cannot into virus, simply can't by design. Its super duper fancy stealth is autostart from the \Software\Microsoft\Windows\CurrentVersion\Run reg key as usbserv.exe.

Next we are going to the funniest part of this GCERT report.

Domains and FSB (page 19 GCERT report)

So they managed to track the C&C domains (they are all hardcoded inside the bots) and their registration data via simple WHOIS. Next they look at the domain registration information (it is all the same for all domains btw) and MAKE A CONCLUSION based on the "Street Address" about Russian Federal Security Service affiliation.

Example given:
Domain ID:D5460389-AFIN
Domain Name:KUPILKOPRODF.IN
Created On:05-Nov-2011 05:49:56 UTC
Last Updated On:05-Nov-2012 22:32:47 UTC
Expiration Date:05-Nov-2013 05:49:56 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. dba PublicDomainRegistry.com (R5-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:AUTORENEWPERIOD
Registrant ID:DI_18679104
Registrant Name:Artur Jafuniaev
Registrant Organization:WSDomains tld
Registrant Street1:Lubianka 13
Registrant Street2:
Registrant Street3:
Registrant City:Moscow
Registrant State/Province:Moscow
I don't even know how to comment on the professionalism of GCERT if they really count on values set in domain registration data. So malware authors, take a hint: register all your domains now with links to various agencies or people, for example NASA, the White House, Barack Obama, EADS etc.

Look how carefully they track "Lubianka 13" to find "proof" that it is the FSB building in Moscow (pages 20-21 of the GCERT report).

On page 22 we have a Borat photo, who is proclaimed as the malware author and operator. I have a strong feeling that this is a photo of the GCERT report author. Typical squalid surroundings, working from a notebook.

On the next pages we can observe dumps, logs and screenshots of something that must make us believe in the Kremlin's hand. You should remember the bot geography: it affected not only Georgia but Russia as well, so having access to logs from the hacked C&C, it is not so problematic to fabricate data as you want.

To conclude this long post.

The level of sophistication in this malware is incredibly low. It does not have any "unique" features on board. If such an operation were sponsored by a state it would be much more professional.
What do we have in the end? A GCERT butthurt report with 20+ pages about nothing, filled with fabricated data and impudent lies. Political order.
 #16503  by 0x16/7ton
 Thu Nov 08, 2012 7:01 pm
Totally agree with EP_X0FF.
I also analyzed this sample... searching for rootkits, super techniques and... no comment.
Now I feel like a fool and have depression. :cry:

I wrote some deobfuscation script for IDA Python. It's based on the Hex-Rays findInstruction script (it decrypts strings, has a list of API hashes... etc).
Maybe this will help someone.
 #16505  by kmd
 Thu Nov 08, 2012 8:02 pm
I think this guy was a contractor (likely yes, of Russian origin) used by the Georgian government or associated structures to spy on the Georgian opposition.