A forum for reverse engineering, OS internals and malware analysis 

 #21598  by patriq
 Fri Dec 06, 2013 7:41 pm
I took a look at the IP contacted from 10 random ZeroAccess samples and found they contact some of the same inital C&C's:
Code:
 8x - 85.114.128.127 - (Germany) - SSH-2.0-OpenSSH_6.1p1 Debian-4
 5x - 199.21.165.8 - (Saint Kitts and Nevis) filtered
 5x - 195.158.13.161 - (Uzbekistan) filtered 
 4x - 89.125.44.231 - (Ireland) 49152-6 open
 4x - 200.60.63.108 - (Peru) filtered
 4x - 196.20.97.53 - (Algeria) filtered
 4x - 188.114.130.243
 4x - 178.249.152.4
 4x - 122.61.0.75
 3x - 94.71.12.95
85.114.128.127
ZeroAccess pushed via SweetOrange and Nuclear EK's
ZeroAccess traffic to this IP detected since Summer 2013
http://urlquery.net/report.php?id=7096426
http://urlquery.net/report.php?id=4140845
 #21600  by EP_X0FF
 Sat Dec 07, 2013 3:39 am
Not really new, as all these were discussed here http://www.kernelmode.info/forum/viewto ... 13&p=18816 and http://www.kernelmode.info/forum/viewto ... =16&t=2613. I don't really know the details as I don't monitor ZeroAccess anymore, but according to public information the mentioned IPs are likely click fraud trackers (they are hardcoded inside numerous Sirefef plugins), initial call home (geo-ip) addresses, plus pattern traffic filtering (as Sirefef data is easy to recognize) preventing botnet communications. So this is likely the way Sophos suggested about a year ago. Simple and rough.

How effective is this against ZeroAccess? You can test it yourself: take a fresh sample from this thread, run it and look where it connects (initial geo-ip call home, bootstrap lists in s32, s64 files and finally click fraud trackers), what it downloads (if it does) and how fresh this stuff is (extract IP addresses from the tracker plugin "80000000.@" and look if they are alive/sinkholed).

What will ZeroAccess do? They will establish new infrastructure (if they don't have anything for backup already), then push a new version (3.0) with updated data and maybe a new protocol with additions to bypass network data filtering. Still, Sirefef experienced damage though.
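The two checks described in this thread so far, counting which addresses several samples have in common (patriq's list above) and pulling the IP list out of a tracker plugin to compare it against what you already track, can be scripted. The following is an added example, not code from the thread or from any of the posters; the plugin blob, the per-sample contact sets and the "known trackers" list are constructed stand-ins, and the extractor assumes the addresses are stored as ASCII dotted quads (a plugin that packs them as raw 4-byte values would need a different extractor).

```python
import re
from collections import Counter
from ipaddress import IPv4Address, AddressValueError

# ASCII dotted quads; the lookarounds stop a match from starting or ending inside a longer digit run.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def extract_ipv4(blob: bytes) -> list[str]:
    """Return the unique, syntactically valid IPv4 strings in blob, in order of first appearance.
    Assumption: addresses are stored as ASCII text (see lead-in)."""
    seen: set[str] = set()
    found: list[str] = []
    for m in IPV4_RE.finditer(blob):
        text = m.group().decode("ascii")
        try:
            IPv4Address(text)          # rejects octets above 255, e.g. 999.1.1.1
        except AddressValueError:
            continue
        if text not in seen:
            seen.add(text)
            found.append(text)
    return found


def rank_contacts(sample_contacts: dict[str, set[str]]) -> list[tuple[str, int]]:
    """Count in how many samples each address appears; most shared first, numeric IP as tie-break."""
    counts: Counter = Counter()
    for ips in sample_contacts.values():
        counts.update(set(ips))        # set(): one vote per sample even if an IP repeats in its log
    return sorted(counts.items(), key=lambda kv: (-kv[1], IPv4Address(kv[0])))


def triage(ips, known: set[str]) -> dict[str, str]:
    """Label each extracted address 'known' (already on the analyst's tracker/sinkhole list)
    or 'new' (a candidate for a separate liveness check, which needs network access)."""
    return {ip: ("known" if ip in known else "new") for ip in ips}


# --- constructed sample data: not real plugin contents, logs or sinkhole status ---
PLUGIN_BLOB = (b"\x80\x00\x00\x00cfg\x0085.114.128.127\x00999.1.1.1\x00"
               b"199.21.165.8\x00\x00x89.125.44.231\x00tail")

SAMPLE_CONTACTS = {
    "sample1": {"85.114.128.127", "199.21.165.8", "195.158.13.161"},
    "sample2": {"85.114.128.127", "199.21.165.8", "89.125.44.231"},
    "sample3": {"85.114.128.127", "195.158.13.161"},
    "sample4": {"85.114.128.127", "89.125.44.231", "200.60.63.108"},
}

# Constructed stand-in for whatever list of tracker/sinkhole addresses the analyst maintains.
KNOWN_TRACKERS = {"85.114.128.127", "199.21.165.8"}

if __name__ == "__main__":
    for ip, n in rank_contacts(SAMPLE_CONTACTS):
        print(f"{n}x - {ip}")
    for ip, label in triage(extract_ipv4(PLUGIN_BLOB), KNOWN_TRACKERS).items():
        print(f"{ip}: {label}")
```

The `set()` in `rank_contacts` matters: a single sample that retries the same tracker a hundred times should still count as one sample, otherwise the ranking reflects retry behaviour rather than how many distinct samples share an address.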
 #21603  by rinn
 Sat Dec 07, 2013 9:00 am
Hi.
Yep, they actually already tried to do "come back", but failed.

Below is a screenshot of what is actually distributed now in the p2p ZeroAccess network.

http://i.imgur.com/f5QxKah.png

Quite obviously, for now this botnet is operational but out of control, and they don't have a plan "B", as their backup servers (many of them were already sinkholed by various researchers etc.) were banned by MS. What is more important: for now the ZeroAccess gang has no countermeasures for this. Maybe they are under development right now :)

Best Regards,
-rin
 #21754  by EP_X0FF
 Sat Dec 21, 2013 3:49 am
ZeroAccess botnet operations have been paralyzed for more than 2 weeks.

http://blogs.technet.com/b/microsoft_bl ... crime.aspx

As you can read from the above rinn post and this blog entry:

1) Technically ZeroAccess is alive. Several millions of infected PCs can still communicate via the p2p protocol. But it is dying without new bots and updates, like any other abandoned botnet.
2) Practically (for its customers and their money) ZeroAccess is dead as a profitable botnet, because it is now impossible to safely deliver new payload modules due to the terminated infrastructure and the high risk of new losses.
3) There were no updates for ZeroAccess payloads for over 2 weeks (since the white flag message), which means the botnet operators really gave up.

From this perspective, we also have three options:

1) Another attempt to regain control of the dying botnet. But they already tried and failed.
2) Give up. Impossible. It is way too profitable a business.
3) New bot, new botnet. Maybe it will even be named differently.

As a conclusion: Sirefef experienced the greatest hit since the beginning of its existence and is now in a coma.
 #21828  by unixfreaxjp
 Wed Jan 01, 2014 5:00 am
On the other hand, congratulations friends, on the effort in taking down ZA.
It is a hard effort and, believe me, I do know how it is.
A hit just doesn't take it down for good, sometimes we must deliver multiple hits and keep on it.

ZA is a nasty one, yet its network group is actually splitting, please note.
One of the groups shares IPs with Kelihos, that's why I know this.
Tigzy has very good data if you want to see 3rd party feedback on what you did.

Wish you all a Happy New Year 2014! Thanks for the hard work!
 #21890  by EP_X0FF
 Tue Jan 07, 2014 3:41 pm
kmd wrote: So it's finally dead?
Yes, in terms of botnet it is dead. Last update 6 Dec 2013. White Flag in the attachment, "excellent" VT detection ratio.
Attachment (545 Bytes), pass: infected
 #22513  by EP_X0FF
 Fri Mar 21, 2014 6:53 pm
Sirefef resurrected, date stamp 20/03/2014. If you have new Sirefef droppers (presumably they will be pushed soon on drop zones) please share, as for now we have data only from Sirefef farms.

edit:

Updated modules attached. Click fraud is back.
Attachment (45.67 KiB), pass: infected
Last edited by EP_X0FF on Fri Mar 21, 2014 7:16 pm, edited 2 times in total. Reason: edit
 #22533  by flyroom
 Mon Mar 24, 2014 7:05 am
EP_X0FF wrote: Sirefef resurrected, date stamp 20/03/2014. If you have new Sirefef droppers (presumably they will be pushed soon on drop zones) please share, as for now we have data only from Sirefef farms.

edit:

Updated modules attached. Click fraud is back.

It's interesting to see that the botmaster behind all this switched to port 16471/16470 for click fraud, still no functional plugins seen on the other branches.