[Peter Kleissner]

The current (as of right now) C&C domain (fast flux):

Code: Select all

Domain name: 1413rrr1luqjub1bstdcunc3tnr.net
Registry Domain ID: 

Registrar WHOIS Server: whois.bizcn.com
Registrar URL: http://www.bizcn.com
Updated Date: 2014-07-16T11:29:10Z
Creation Date: 2014-07-16T11:29:11Z
Registrar Registration Expiration Date: 2015-07-16T11:29:11Z
Registrar: Bizcn.com,Inc.
Registrar IANA ID: 471
Registrar Abuse Contact Email: abuse@bizcn.com
Registrar Abuse Contact Phone: +86.5922577888
Reseller: Cnobin Technology HK Limited
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID: 
Registrant Name: indsay Goff
Registrant Organization: indsay S. Goff
Registrant Street: 952 Longview Avenue
Registrant City: Queens
Registrant State/Province: NY
Registrant Postal Code: 11413
Registrant Country: us
Registrant Phone: +1.7185279108
Registrant Phone Ext: 
Registrant Fax: +1.7185279108
Registrant Fax Ext: 
Registrant Email: goodepictures@gmx.us

Resolves here to IPs: 178.211.41.246, 211.108.69.117, 4.30.111.88

[g0dmoney]

Unpacking the latest samples of V3 (eg md5: 5e5e46145409fb4a5c8a004217eef836) is a bit different from the last few versions that dropped the rootkit. The crypter used has checks for "VBoxService.exe" and "vmtoolsd.exe", then checks if sandboxie's module sbiedll.dll is loaded if any of those are found, it xor eax,eax then call's eax to terminate. Bypass those by breaking on CreateToolhelp32Snapshot, and modifying those strings in memory or modifying the ZF after they're checked.

Next you can set BPs on Get and SetThreadContext; after the Get you'll see some calls to NtUnmapViewOfSection, then a few calls to WriteProcessMemory (writing data to a process it created with CreateProcess). The last WriteProcessMemory call just before a call to SetThreadContext you'll see EAX modified to point to the new entry point just efore it calls ResumeThread. You can then write an EBFE to the child process at that OEP, run the ResumeThread call letting the parent exit then Dump the process and you should be unpacked, just change the EBFE back to whatever it was. Pretty common old crypter iirc, at least very similar to some I've seen in the past. Unpacked version looks like old zbot for the most part, haven't reversed the DGA yet though, I'd assume its different.

[forty-six]

Recent sample:

[Xylitol]

Inside the $100M ‘Business Club’ Crime Gang ~ http://krebsonsecurity.com/2015/08/insi ... rime-gang/
Bad Guys and Backends (slide blackhat): https://www.blackhat.com/docs/us-15/mat ... ckends.pdf

[unixfreaxjp]

BP Hosts & domains who serves GMO are serving different stuff still.. THAT is the one should be aimed.. new players always come..infrastructure is only few to use.

[EP_X0FF]

Inside the $100M ‘Business Club’ Crime Gang ~ http://krebsonsecurity.com/2015/08/insi ... rime-gang/
Bad Guys and Backends (slide blackhat): https://www.blackhat.com/docs/us-15/mat ... ckends.pdf

Propaganda bullshit.

[patriq]

Bad Guys and Backends (slide blackhat): https://www.blackhat.com/docs/us-15/mat ... ckends.pdf

Propaganda bullshit.

@EP_X0FF
I don't understand what you mean. "Propaganda", as in the FBI does not control GoZ as of now? Or propaganda that Bogachev likes pussy(cats)? He looks more like a perv pedo to be honest.


On a serious note: they got control of a few proxy nodes and then take down the principal proxies. How did the feds poison the network with the sinkhole p2p peerlist if the data is encrypted using a private RSA key? What am I missing?

This video that goes with those slides:
https://www.youtube.com/watch?v=dYJJZHYSQsk