Flame Command & Control Server Password Cracked

Flame was arguably the next big thing in state-sponsored malware after Stuxnet. If you are not aware, Flame is malware that was used to infect computers in the Middle East for espionage purposes.

Flame was investigated by a joint effort of Kaspersky, Symantec, ITU-IMPACT and CERT-Bund/BSI. Symantec had earlier failed to crack the password of Flame’s Control Centre and had put out a blog post asking for help in cracking the hash 27934e96d90d06818674b98bec7230fa. Dmitry Bestuzhev of Kaspersky cracked the hash and found the clear-text password to be 900gage!@#. We are not yet aware of the method he used to crack the hash.
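As an added check (not from the original post or from the researchers’ write-ups), the following confirms that the published hash is a plain, unsalted digest of the recovered password, which is what made it crackable by guessing, and contrasts it with the salted, iterated storage a control panel should use instead; the PBKDF2 parameters are assumed, not anything Flame used.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hash and password exactly as published in the Symantec and Kaspersky posts.
FLAME_PANEL_HASH = "27934e96d90d06818674b98bec7230fa"
RECOVERED_PASSWORD = "900gage!@#"

# Unsalted hashes a PHP panel of that era typically used, keyed by hex-digest length.
CANDIDATE_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}


def identify_unsalted_hash(hexdigest: str, candidate: str) -> Optional[str]:
    """Return the algorithm name if hexdigest is the bare digest of candidate, else None."""
    algo = CANDIDATE_ALGORITHMS.get(len(hexdigest))
    if algo is None:
        return None
    computed = hashlib.new(algo, candidate.encode()).hexdigest()
    return algo if hmac.compare_digest(computed, hexdigest.lower()) else None


# Hardened alternative: per-user random salt plus iterated PBKDF2-HMAC-SHA256
# (assumed parameters for this example; pick a cost appropriate for your hardware).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: scheme$iterations$salt$derived_key (all hex)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a record produced by hash_password()."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

With an unsalted digest, every guess costs one hash computation and a wordlist can be tested offline against the leaked value directly; the salted record above forces per-record work and removes precomputation.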

Cracking the hash allowed the researchers to log in to and examine the command-and-control servers for the Flame malware. Kaspersky has posted a detailed blog post analyzing the C&C. All of the servers were running 64-bit Debian Linux. The programming languages used were PHP, Python and bash, and virtualization was provided by OpenVZ.

An initial look at the C&C revealed that the attackers had used a minimal interface with no terms such as "bot" or "botnet", possibly to avoid arousing the suspicion of the hosting company. There was also no way to send commands from the C&C interface itself.

To send a command or set of commands to a victim, the attacker uploaded a specially crafted tar.gz archive, which was processed on the server. A server-side script extracted the archive contents and looked for *.news and *.ad files, which were placed into the corresponding directories "news" and "ads". The C&C allowed an attacker to push an update to a specific victim, or to all victims at once. It was possible to assign a priority to a command, which let the operator order commands (e.g. collect all data first and only then self-remove). The priority and target client ID were transferred in an unconventional way: they were encoded in the filename of the archive the attacker uploaded to the C&C.

The researchers also discovered the protocols SP, SPE, FL and IP, each used to communicate with a different client; Flame was identified as FL. This suggests that three more Flame-like malware families are in the wild which have not been discovered yet.

The analysis of the C&C shows that the servers were first set up on 03 December 2006, which suggests that Flame was operational for much longer than first thought. The scripts used by the operators also contained other valuable information: the nicknames of the developers. Kaspersky hasn’t published their names and has only identified them as D, H, O and R in the blog post.

You can read more about Kaspersky’s analysis of Flame’s C&C here and a whitepaper by Symantec on Flame here [PDF].

Microsoft Disrupts Nitol Botnet

In an operation named Operation b70, Microsoft was able to disrupt the Nitol botnet, which was used to spread malware and launch DDoS attacks. The operation was carried out by Microsoft’s Digital Crimes Unit with the permission of the U.S. District Court for the Eastern District of Virginia.

The operation was the result of a study conducted by Microsoft which discovered hackers selling pirated copies of Windows with malware embedded in them. These copies were then introduced into unsecured supply chains (a distributor or reseller selling products from unconfirmed or unauthorized sources) for distribution. The research found that about 20% of pirated copies of Windows contained some type of malware.

This malware was used for a multitude of illegal purposes, including stealing passwords and credit card information and even remotely turning on the microphone and webcam connected to the victim’s computer.

The computers that were part of the Nitol botnet were controlled by a Nitol command server. DNS for the server was found to be provided by a rogue website called 3322.org, which has been known to be involved in several targeted attacks in the past. With the successful takedown of 3322.org, Microsoft was also able to take down around 500 different strains of malware hosted across 70,000 sub-domains of the rogue website.

The operation was part of Microsoft’s wider MAPS (Microsoft Active Response for Security) program, which is intended to protect Windows users against malware. This is the second such action against botnets by Microsoft, which had taken down the Zeus botnet earlier this year.

Via: Official Microsoft Blog

Kelihos Botnet Resurfaces With New Security Measures

Last September, Microsoft and Kaspersky Lab claimed a big win against the Kelihos botnet when they took control of the infected computers. Kelihos was sending 4 billion spam messages a day, covering all kinds of spam including pharmaceuticals and stocks. Researchers devised an interesting mechanism to redirect all the infected computers to communicate with a “sinkhole”, a computer they controlled. In spite of these stringent measures, Kelihos has started showing its face again, and very soon its owners might regain control.

Not only has Kelihos reappeared on the radar, it is also using new encryption techniques to hide its communications. A researcher at Kaspersky has also noted that two different RSA keys are being used, indicating that there might be two different groups controlling Kelihos.

Although researchers could install updates on or clean up the infected computers, doing so is against the law in many jurisdictions. A few days ago, Microsoft named Andrey N. Sabelnikov, a Russian citizen, as the person guilty of running Kelihos. However, Russia does not allow extradition of its citizens, so he cannot be brought to trial. Kaspersky’s Securelist investigated the matter and revealed some interesting facts, such as:

Our investigation revealed that the new version appeared as early as September 28, right after Microsoft and Kaspersky Lab announced the neutralization of the original Hlux/Kelihos botnet.

Clearly, shutting down the Kelihos botnet will be a big challenge, and it will be interesting to see how far Microsoft and Kaspersky go in this case.