
SANS ISC InfoSec Handlers Diary Blog



Excerpt from a chapter in the continuing saga of Fast Flux and SSDD

Published: 2007-12-06
Last Updated: 2007-12-07 00:46:05 UTC
by William Salusky (Version: 1)

Throughout my daily incident response thought process I contemplate whether any given issue is the result of a new "Web 2.0 worm".  Well, I didn't necessarily find a new one in this case, but I almost can't avoid stumbling into surges of fast flux network activity.  What follows here is not new, but it is certainly worth rehashing the state of flux.

Flash back to the handler diary from June 26-28, 2007, where we posted details of a drive-by vector that leveraged MySpace user pages, and you will see this is just a continuing chapter of "SSDD": same STUFF, different domains.

The malicious life cycle of this specific flux net is maintained through:

  •  MySpace User credentials compromised by Phishing campaign
  •  The above referenced phish sites are Fast Flux hosted domains
  •  Every Phish site page load contains a drive-by exploit
  •  Drive-by exploit results in Fast Flux network growth
  •  New flux nodes become service endpoints
  •  Phished MySpace user credentials are injected with links to the drive-by flux domains

                 Rinse, wash and repeat

Only the domains and IPs of the innocent have been changed.
   *Actually, I see no innocence here, it's just bad!* 

If you are unlucky enough to fall prey [or intentionally fall prey!] during a visit to one of the many Flux net hosted MySpace Phish sites, these are a few of the domains currently in play: (By no means is the following an attempt to build a complete list of active flux domains; I can't cut/paste faster than domains are being registered.)

                        *** LIVE BROWSER EXPLOIT CODE - BE WARNED *** 

            http://profile.mysp ace.com.fuseaction.id.user.viewprofile.198 7383.cn/
            http://profile.mysp ace.com.fuseaction.id.user.viewprofile.370 913.cn/
            http://profile.mysp ace.com.fuseaction.id.user.viewprofile.187 098.cn/
            http://profile.mysp ace.com.fuseaction.id.user.viewprofile.188 273.cn/

The resulting drive-by attempts to add your computer to the fast flux fold, and begins its iframe journey with the inclusion of:

            http://currentses sion.net/session/index.php

The only new element in all of this worth noting is the incorporation of the recently published QuickTime exploit, and that is only in addition to what has become an almost de facto standard suite of browser exploits.  Once the usual JavaScript obfuscation has been decoded away, you would find that a successful exploitation of your host leads to the download and execution of the following malware:

            http://currentses sion.net/session/file.php (file.exe)

            Sample:       currentses sion.net/session/file.exe
            File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
            Size:         14848 Bytes
            MD5:          5d82154be8afc311dd7dca691e5889e8
            SHA1:         40d1e47e1bc3bf7c04dc0c59af9819859ec6b804

I'm going to skip the technical deep dive involved in footprinting the local host activity for a host that has been compromised and on which file.exe was executed. I will only offer that the criminal goal has been accomplished.  A Fast Flux proxy node has been deployed, and you would find that both a TCP port 80 and a UDP port 53 listener were bound via DLL injection into the iexplore.exe process.  Driven by encoded configuration file updates, connections inbound to the affected host on TCP 80 or UDP 53 are transparently relayed upstream to the Flux Mothership, which is responsible for servicing the respective web or DNS request.  This particular Fast Flux mothership has been sitting quite happily at IP 72.232.173.210, in addition to 72.232.163.26, which manages health/availability monitoring of the flux net and serves the flux node configuration files.  I might normally advocate a host take-down, but in cases like this it would only mean we would need to spend the time to find the new Mothership when it migrates 20 minutes after the takedown.  They're bad hosts, so block them.  Bad host, no traffic! 
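The phish domains above are flux hosted and the mothership moves within minutes of a takedown, so the place a defender can actually see this is the resolver: a flux domain answers with many unrelated IPs, short TTLs, and a constantly rotating answer set. The following is an added example, not code from the diary or from the ISC, that scores a constructed resolver log on exactly those features; the log lines, the placeholder addresses, the invented domain name and the thresholds are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log (not from the diary): epoch time, query name, TTL,
# and the A records answered. Addresses are placeholders; the flux-style name
# is invented in the pattern of the defanged phish domains above.
RESOLVER_LOG = """\
1196899200 profile.example-flux.cn 300 10.0.1.5,10.45.2.9,10.128.7.33,10.200.3.1,10.77.9.2
1196899500 profile.example-flux.cn 300 10.0.1.5,10.91.4.12,10.3.55.7,10.160.8.4,10.19.2.2
1196899800 profile.example-flux.cn 300 10.66.5.8,10.12.0.3,10.77.9.2,10.240.1.1,10.33.3.3
1196899200 www.example.org 3600 192.0.2.10,192.0.2.11
1196902800 www.example.org 3600 192.0.2.10,192.0.2.11
1196899200 cdn.example.net 60 198.51.100.5,198.51.100.6,198.51.100.7
1196899260 cdn.example.net 60 198.51.100.5,198.51.100.6,198.51.100.7
"""

def parse_log(text):
    """Group answers per domain: all IPs, all TTLs, and how many IPs were new relative to earlier answers."""
    seen = defaultdict(lambda: {"ips": set(), "ttls": [], "churn": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, qname, ttl, rdata = line.split()
        rec = seen[qname.lower()]
        answer = {ip.strip() for ip in rdata.split(",")}
        if rec["ips"]:                       # count rotation only after the first answer
            rec["churn"] += len(answer - rec["ips"])
        rec["ips"] |= answer
        rec["ttls"].append(int(ttl))
    return seen

def flux_indicators(rec, prefix_len=16):
    """Features that separate a flux net from a CDN or round-robin pool:
    many IPs, spread over many networks, short TTLs, and constant rotation."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in rec["ips"]}
    return {"n_ips": len(rec["ips"]), "n_nets": len(nets),
            "min_ttl": min(rec["ttls"]), "churn": rec["churn"]}

def suspected_flux(text, min_ips=8, min_nets=5, max_ttl=600):
    """Return the domains whose resolution history looks fast-flux hosted.
    The thresholds are assumptions; tune them against your own resolver data."""
    flagged = []
    for domain, rec in parse_log(text).items():
        f = flux_indicators(rec)
        if (f["n_ips"] >= min_ips and f["n_nets"] >= min_nets
                and f["min_ttl"] <= max_ttl and f["churn"] > 0):
            flagged.append(domain)
    return sorted(flagged)
```

The CDN entry keeps a 60-second TTL but never rotates and sits in one network, which is why it is not flagged; the rotation count is what separates "many IPs" from "fast flux".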
 

            My T-Shirt today says,
            "I was a fast flux node and all I got to serve were a few online casinos"

If the NoScript browser plug-in were a person, they would so be on my buddy list.  Consider yourself introduced, and it goes without saying, be careful when and where you choose to browse. 

 

William Salusky

Handler on Duty ;)

 
