Wednesday, June 22, 2011

TDSS - SRVs list

I just found via pastebin (http://pastebin.com/jWDhEfGB) a domains list related to TDSS. The SRVs , in according with this analysis http://resources.infosecinstitute.com/tdss4-part-2/, are the C&C from where bots receive commands.What's sound a bit strange is that the content in the pastebin above match with the syntax used in the configuration file of the rootkit. Anyway is possible count 2514 entry (or config file ?). I simply sorted the domains reported with the following result:

https://01n02n4cx00.cc/
https://01n02n4cx00.com/
https://01n20n4cx00.com/
https://0imh17agcla.com/
https://10n02n4cx00.com/
https://178.17.164.129/
https://178.17.164.92/
https://1il1il1il.com/
https://1l1i16b0.com/
https://34jh7alm94.asia
https://34jh7alm94.asia/
https://4gat16ag100.com/
https://4tag16ag100.com/
https://61.61.20.132/
https://61.61.20.135/
https://68.168.212.20/
https://68.168.212.21/
https://68b6b6b6.com/
https://69b69b6b96b.com/
https://7gaur15eb71.com/
https://7uagr15eb71.com/
https://86b6b6b6.com/
https://86b6b96b.com/
https://91.193.194.8/
https://91.212.226.67/
https://91.216.122.250/
https://9669b6b96b.com/
https://cap01tchaa.com
https://cap01tchaa.com/
https://cap0itchaa.com/
https://countri1l.com/
https://dg6a51ja813.com/
https://gd6a15ja813.com/
https://i0m71gmak01.com/
https://ikaturi11.com/
https://jna0-0akq8x.com/
https://ka18i7gah10.com/
https://kai817hag10.com/
https://kangojim1.com/
https://kangojjm1.com/
https://kur1k0nona.com/
https://l04undreyk.com/
https://li1i16b0.com/
https://lj1i16b0.com/
https://lkaturi71.com/
https://lkaturl11.com/
https://lkaturl71.com/
https://lo4undreyk.com/
https://n16fa53.com/
https://neywrika.in/
https://nichtadden.in/
https://nl6fa53.com/
https://nyewrika.in/
https://rukkeianno.com/
https://rukkeianno.in/
https://rukkieanno.in/
https://sh01cilewk.com/
https://sho1cilewk.com/
https://u101mnay2k.com/
https://u101mnuy2k.com/
https://xx87lhfda88.com/
https://zna61udha01.com/
https://zna81udha01.com/
https://zz87ihfda88.com/
https://zz87jhfda88.com/
https://zz87lhfda88.com/

Anoter interesting Google dork is "wsrv:=http://" that shown another Pastebin link with a WSRVs domain lists. The WSRVs are the handlers of results of the search provider activity on impacted systems.

Tuesday, June 7, 2011

DroidKungFu - just some piece of code

Following the trend of the moment, I play a bit with the sample of DroidKungFu retrieved from the  contagiodump malware sample repository. For obtaining the JAR archive I used dex2jar (http://code.google.com/p/dex2jar/downloads/list) after that I extracted the Dalvik Executable Format embedded in the APK. Once obtained the JAR file is very easy obtain the clear code with (for example) Java Decompiler
One of the more interesting thing is that , at least the variant that I analyzed (md5 39D140511C18EBF7384A36113D48463D) use the method DoSearchReport notified using the well know Google Search gadget. Seems that this malware install as legacy app for grant persistence even after remove the rest of malicious packages from device. This is easily readable from the source code as shown in the following screen shots:



In the screenshot above is shown the  begin of DoSearchReport method where is called a custom method named  (updateInfo() ). While the following screenshot shown the place in the DoSeachReport method where all data , collected from impacted devices, are dropped via HTTP POST:

The data collected and sended to the URL are the following (extracted by code):
Some info about the URL (from Robtex):

Other domains related to the 222.186.37.93 IP address: 


Playing a bit more with the URL above I found this IP form request:

This variant seems forged for Chinese users. In the code there are many others evidence of this.