Thursday, October 14, 2010

Some domains for the LICAT / Murofet / Trojan/ZBOT.B threat

Update (2 November): A deep and very interesting analysis from Trend Micro:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/file-patching_zbot_variants_-_zeus_2.0_levels_up__oct_2010_.pdf

Update (15 October): ThreatExpert has released the domain name generation algorithm for MUROFET/Licat:
http://blog.threatexpert.com/2010/10/domain-name-generator-for-murofet.html

(14 October)
I have found some new domains involved in this threat, as you can see in the following list:

lrulqnsknrngii.com/news/?s=333
oxgtnnefurwoym.com/news/?s=333
ppmnvoykjkpznso.info/news/?s=333
qqwnudmsqzkyvnig.info/news/?s=333
rrpgrrvlospmndum.com/news/?s=333
sprkslhjshwdcomn.com/news/?s=333
tnjulxjrlletzj.org/news/?s=333
xrfrpevxvjbimup.info/news/?s=333
xrfrpevxvjbimup.info/news/?s=111
hsosqykotrpsapxb.com/news/?s=333

The value 333 for the "s" URL parameter permits downloading what is recognized as Trojan/ZBot.B (Symantec name), while 111 stands for "get the Zeus 2.1 config file" (as named by Zeustracker). The drop zone is requested with the following syntax:

<domainname>.<tld>/news/

This malware seems to use a C&C domain name generation approach similar to that used by Conficker. For example, the latest domain (hsosqykotrpsapxb.com/news/?s=333) appears to have been registered for the malware activity of 14 October 2010, as reported by http://domain-daily.com/
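
As an added example (not code from the original post), here is a short Python scan over proxy log lines that matches the /news/?s= check-in pattern, labels s=333 and s=111 as described above, checks each host against the domains and IP address listed in this post, and flags unknown hosts of the same shape (14 to 16 lowercase letters, like the listed ones) as candidate new generated domains. The log lines and the host kqzrvmwnplxgtfbd.com are constructed for the example; the shape heuristic is an assumption of the example and is not the real generation algorithm, which this post does not reproduce.

```python
"""Scan proxy-log lines for the LICAT / Murofet check-in pattern.

Added example, not code from the original post.  The log lines below are
constructed; the domain list and IP address are the ones given in the post.
The meaning of s=333 (binary download) and s=111 (config fetch) is taken
from the post.  looks_generated() is a heuristic assumed by this example,
not the real domain generation algorithm.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the post.
KNOWN_DOMAINS = {
    "lrulqnsknrngii.com", "oxgtnnefurwoym.com", "ppmnvoykjkpznso.info",
    "qqwnudmsqzkyvnig.info", "rrpgrrvlospmndum.com", "sprkslhjshwdcomn.com",
    "tnjulxjrlletzj.org", "xrfrpevxvjbimup.info", "hsosqykotrpsapxb.com",
}
KNOWN_IP = "195.189.226.107"

# Meaning of the "s" parameter, as stated in the post.
S_MEANING = {"333": "binary (Trojan/ZBot.B)", "111": "Zeus 2.1 config"}

# Constructed proxy log lines: "<timestamp> <client> <dst_ip> <method> <url>".
# kqzrvmwnplxgtfbd.com is an invented host, not an indicator from the post.
SAMPLE_LOG = """\
2010-10-14T09:12:01 10.0.0.5 195.189.226.107 GET http://hsosqykotrpsapxb.com/news/?s=333
2010-10-14T09:12:03 10.0.0.5 195.189.226.107 GET http://xrfrpevxvjbimup.info/news/?s=111
2010-10-14T09:15:40 10.0.0.7 198.51.100.20 GET http://www.example.com/news/?s=333
2010-10-14T09:16:02 10.0.0.7 198.51.100.21 GET http://kqzrvmwnplxgtfbd.com/news/?s=333
2010-10-14T09:17:00 10.0.0.9 198.51.100.22 GET http://intranet.example.com/news/index.html
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def looks_generated(host: str) -> bool:
    """Heuristic (assumption of this example): the listed labels are 14-16
    lowercase letters with no digits or hyphens, so flag hosts of that shape."""
    label = host.split(".")[0]
    return 14 <= len(label) <= 16 and label.isalpha() and label.islower()


def classify_request(url: str, dst_ip: str) -> Optional[dict]:
    """Return details for a request to the /news/?s=... path, else None."""
    parts = urlsplit(url)
    if parts.path != "/news/":
        return None
    s_values = parse_qs(parts.query).get("s")
    if not s_values:
        return None
    s = s_values[0]
    host = parts.hostname or ""
    return {
        "host": host,
        "s": s,
        "meaning": S_MEANING.get(s, "unknown"),
        "known_domain": host in KNOWN_DOMAINS,
        "known_ip": dst_ip == KNOWN_IP,
        "dga_like": looks_generated(host),
    }


def scan_log(text: str) -> List[dict]:
    """Parse each log line and return one record per matching request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, dst_ip, _method, url = m.groups()
        rec = classify_request(url, dst_ip)
        if rec is None:
            continue
        rec.update(ts=ts, client=client)
        # Confirmed indicator match first; otherwise an unknown host of the
        # generated-looking shape hitting the same path is a candidate new
        # domain worth checking; anything else needs a manual look.
        if rec["known_domain"] or rec["known_ip"]:
            rec["verdict"] = "ioc-match"
        elif rec["dga_like"]:
            rec["verdict"] = "candidate-new-domain"
        else:
            rec["verdict"] = "review"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['host']:<26} s={hit['s']} "
              f"{hit['meaning']:<24} {hit['verdict']}")
```

Requests to other paths under /news/ (the last constructed line) are ignored on purpose, since the post only describes the /news/ path with the s parameter; widen the path check if you want to catch variants.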
 

The following Anubis binary analysis submission shows the behaviour of this malware:
http://anubis.iseclab.org/?action=result&task_id=1215b9b1d959c52e4bdd0ff4a38062aa3&call=first

and the ThreatExpert analysis, with detection engine info:
http://www.threatexpert.com/report.aspx?md5=1e940baeb962042a6628f81c93aaecd1

The domains above seem to be hosted at the following IP address:
195.189.226.107
 

The following Robtex table lets you retrieve other domains involved (a shared IP address can also host unrelated domains, so check each one before treating it as an indicator):
http://www.robtex.com/ip/195.189.226.107.html
