Mitglieder hell
I have been very recently (and still am) investigating the business end of a very active Mitglieder proxynet.  In my experience, these proxy botnets are traditionally used to relay spam, but I have over time witnessed other uses of proxy botnets including, but not limited to, advertising click-through fraud, fraudulent email and IM account registration/creation, HTTP-based web attacks, and all manner of authentication brute-force attacks.

I am currently a witness to the receiving end of a large scale brute force attack leveraged by a decently sized proxy botnet consisting of anywhere from 8k-12k nodes attacking at any time on any given day.  I'm somewhat frustrated by the ongoing success of these botnet variants due to this particular variant's HTTP-based phone home method to register the client IP and SOCKS proxy listener port.  Why oh why does it have to be so hard to kill these international web servers dead?  The specific Mitglieder variant I have been looking at lately has at least 42 unique HTTP phone home destinations that are still DNS resolvable.  The bots phone home with the following HTTP GET patterns, which result in the target HTTP server logging the client IP address together with the SOCKS proxy port number passed as a query string argument.  Even though many of these servers are obviously virtual hosting environments that return 404 errors or other status codes, it is still possible that they are involved in this mess, since the HTTP server will still gladly log the pertinent client IP and port number of infected nodes via its error logging.

In the following list, the tpoint.ru host is currently THE WORST of them and possibly the primary node in masterminding the aggregation and distribution of the active botnet list to other top level proxy abusers to be used for bulk mailer and other abuse types that benefit from an additional hop of anonymous connectivity.  This is absolutely organized big business.  Within minutes of sending a fake connection to tpoint.ru you would see inbound socks proxy abuse.  Try it, you'll see.  Whether you like it is another matter altogether.

Here's a Snort signature that can help identify not only Mitglieder proxy infections on your networks, but just about any other proxy bot variant when it is abused for bulk mailing purposes.  Apologies for the Snort signature line wrap.  Yes, the rule should be one single line.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Spambot Proxy Control Channel"; flow: established; content:"|04010019|"; offset: 0; depth: 4; classtype: trojan-activity; sid: 2001814; rev:4; )
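To make clear what that four-byte content match is keying on, here is an added Python example (mine, not the diary's and not part of the Bleeding Edge ruleset) that parses the start of a client-to-proxy stream as a SOCKS4/4a request and classifies it the same way the rule does: 04 is SOCKS version 4, 01 is CONNECT, and 00 19 is destination port 25, i.e. an outbound SMTP connection being pushed through the bot's proxy. The sample payloads, the "bot" user id and the 198.51.100.x / 203.0.113.x addresses are constructed test data (RFC 5737 documentation ranges), not traffic from the page.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS4_VERSION = 0x04
SOCKS4_CONNECT = 0x01
SMTP_PORT = 25

# The bytes the Snort rule matches at offset 0, depth 4: VN=4, CD=CONNECT, DSTPORT=25.
RULE_CONTENT = b"\x04\x01\x00\x19"


@dataclass
class Socks4Request:
    command: int
    dst_port: int
    dst_ip: str
    user_id: bytes
    hostname: Optional[bytes]  # only set for SOCKS4a requests


def parse_socks4_request(payload: bytes) -> Optional[Socks4Request]:
    """Parse the first bytes of a client->proxy stream as a SOCKS4/4a request.

    Layout: VN(1) CD(1) DSTPORT(2, big-endian) DSTIP(4) USERID(NUL-terminated)
    [HOSTNAME(NUL-terminated) when DSTIP is 0.0.0.x, the SOCKS4a extension].
    Returns None for anything that is not a well-formed SOCKS4 request.
    """
    if len(payload) < 9 or payload[0] != SOCKS4_VERSION:
        return None
    command, dst_port = struct.unpack("!BH", payload[1:4])
    ip_bytes = payload[4:8]
    user_end = payload.find(b"\x00", 8)
    if user_end < 0:
        return None
    user_id = payload[8:user_end]
    hostname = None
    # SOCKS4a: a destination IP of 0.0.0.x (x != 0) means a hostname follows the user id.
    if ip_bytes[:3] == b"\x00\x00\x00" and ip_bytes[3] != 0:
        host_end = payload.find(b"\x00", user_end + 1)
        if host_end < 0:
            return None
        hostname = payload[user_end + 1:host_end]
    dst_ip = ".".join(str(b) for b in ip_bytes)
    return Socks4Request(command, dst_port, dst_ip, user_id, hostname)


def matches_sid_2001814(payload: bytes) -> bool:
    """Byte-for-byte equivalent of the rule's content:"|04010019|"; offset:0; depth:4."""
    return payload[:4] == RULE_CONTENT


def classify(payload: bytes) -> str:
    """Label a stream the way the rule's logic does, but via the parsed fields."""
    req = parse_socks4_request(payload)
    if req is None:
        return "not-socks4"
    if req.command == SOCKS4_CONNECT and req.dst_port == SMTP_PORT:
        return "socks4-connect-smtp"  # what the rule calls "Spambot Proxy Control Channel"
    return "socks4-other"


# Constructed sample payloads (RFC 5737 documentation addresses, not real hosts).
SAMPLE_SMTP_RELAY = RULE_CONTENT + bytes([198, 51, 100, 7]) + b"\x00"
SAMPLE_SMTP_RELAY_4A = RULE_CONTENT + b"\x00\x00\x00\x01" + b"bot\x00" + b"mx.example.test\x00"
SAMPLE_HTTPS_CONNECT = b"\x04\x01" + struct.pack("!H", 443) + bytes([203, 0, 113, 9]) + b"\x00"
SAMPLE_HTTP_GET = b"GET /images/scr5.php?p=24389&id=1234567 HTTP/1.1\r\n"
SAMPLE_SOCKS5_HELLO = b"\x05\x01\x00"

if __name__ == "__main__":
    samples = [
        ("smtp relay (SOCKS4)", SAMPLE_SMTP_RELAY),
        ("smtp relay (SOCKS4a)", SAMPLE_SMTP_RELAY_4A),
        ("https connect", SAMPLE_HTTPS_CONNECT),
        ("plain http", SAMPLE_HTTP_GET),
        ("socks5 hello", SAMPLE_SOCKS5_HELLO),
    ]
    for name, payload in samples:
        print(f"{name:22s} {classify(payload):20s} rule_match={matches_sid_2001814(payload)}")
```

Two caveats fall out of the parse: the rule only sees SOCKS4 (a SOCKS5 handshake starts with 0x05 and an HTTP CONNECT proxy starts with ASCII, so neither fires), and it only sees port 25, so the same proxynet being used for the click-through fraud or brute forcing mentioned above is invisible to it. It also fires on any SOCKS4 gateway that legitimately relays SMTP, so treat hits as a lead to correlate with the phone-home destinations rather than a verdict on their own.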


After you've completed your own personal investigations, I myself recommend blocking access to the following host names from your networks.

http://www.lowenbrau.ru/manager_old/images/scr5.php?p=$PORT&id=#######
http://www.gasterixx.de/gfx/scr5.php?p=$PORT&id=#######
http://www.deadlygames.de/DG/BF/BF-Links/clans/scr5.php?p=$PORT&id=#######
http://www.eurostretch.ru/scr5.php?p=$PORT&id=#######
http://mir-auto.ru/scr5.php?p=$PORT&id=#######
http://artesproduction.com/scr5.php?p=$PORT&id=#######
http://www.hhc-online.de/home/links/pics/scr5.php?p=$PORT&id=#######
http://www.komandor.ru/sessions/scr5.php?p=$PORT&id=#######
http://www.mirage.ru/sport/omega/pic/omega/scr5.php?p=$PORT&id=#######
http://avistrade.ru/prog/img/proizvod/scr5.php?p=$PORT&id=#######
http://service6.valuehost.ru/images/scr5.php?p=$PORT&id=#######
http://pvcps.ru/images/scr5.php?p=$PORT&id=#######
http://monomah-city.ru/vakans/scr5.php?p=$PORT&id=#######
http://mir-vesov.ru/p/lang/CVS/scr5.php?p=$PORT&id=#######
http://promco.ru/sovrem/panorama/scr5.php?p=$PORT&id=#######
http://www.13tw22rigobert.de/_themes/kopie-von-fantasie-in-blau/scr5.php?p=$PORT&id=#######
http://die-cliquee.de/inhalt/mitglieder/foto/scr5.php?p=$PORT&id=#######
http://plastikp.ru/img/scr5.php?p=$PORT&id=#######
http://www.levada.ru/htmlarea/images/scr5.php?p=$PORT&id=#######
http://www.levada.ru/mitglieder.html?p=$PORT&id=#######
http://www.metzgerei-gebhart.de/pic/scr5.php?p=$PORT&id=#######
http://www.ferienwohnung-in-masuren.de/bochmann/images/scr5.php?p=$PORT&id=#######
http://www.admlaw.ru/new/translations/scr5.php?p=$PORT&id=#######
http://egogo.ru/lj/0223/scr5.php?p=$PORT&id=#######
http://investexpo.ru/banners/scr5.php?p=$PORT&id=#######
http://www.etype.hostingcity.net/mysql_admin_new/images/scr5.php?p=$PORT&id=#######
http://tpoint.ru/sys/include/QuestionClasses/scr5.php?p=$PORT&id=#######
http://blackwidow.nsk.ru/group/zlyeyazyki/photos/scr5.php?p=$PORT&id=#######
http://inetra.ru/?p=$PORT&id=#######
http://www.emil-zittau.de/karten/scr5.php?p=$PORT&id=#######
http://www.ordendeslichts.de/intern/scr5.php?p=$PORT&id=#######
http://stroyindustry.ru/service/construction/scr5.php?p=$PORT&id=#######
http://vladzernoproduct.ru/control/sell/t/scr5.php?p=$PORT&id=#######
http://hannes-wacker.de/galerie/util/scr5.php?p=$PORT&id=#######
http://schiffsparty.de/bilder/uploads/scr5.php?p=$PORT&id=#######
http://sound-cell.de/prosite/pics/scr5.php?p=$PORT&id=#######
http://shop-of-innovations.de/media/scr5.php?p=$PORT&id=#######
http://bernlocher.de/cms/img/scr5.php?p=$PORT&id=#######
http://www.progame.de/newtexte/_notes/scr5.php?p=$PORT&id=#######
http://st-agnes.de/geschichte/scr5.php?p=$PORT&id=#######
http://gnet30.gamesnet.de/photogallery/photo25939/scr5.php?p=$PORT&id=#######
http://roszvetmet.com/images/scr5.php?p=$PORT&id=#######
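For anyone operating one of the web servers in that list, or working the proxy logs of a network that hosts infected nodes, the following added Python example (my own code, not the diary's) shows what the phone home leaves behind: it parses combined-format access-log lines for the p=PORT&id=ID query the list above uses and tallies the client IPs with their SOCKS listener ports. It deliberately ignores the HTTP status, because a 404 from a virtual host still records the same client IP and port. The log lines and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed samples, and the "high"/"low" confidence split (a known script name such as scr5.php versus any bare ?p=&id= pair) is a heuristic I added, since ?p=NN is also how some blog software addresses posts.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Start of an Apache/nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Script names that appear in the phone-home URL list above.
KNOWN_SCRIPTS = {"scr5.php", "mitglieder.html"}


@dataclass(frozen=True)
class PhoneHome:
    client_ip: str     # the infected node
    proxy_port: int    # its SOCKS listener port, from p=
    bot_id: str        # the id= value
    status: int        # HTTP status the server answered with (404 is still a hit)
    confidence: str    # "high" when the path is a known script, otherwise "low"


def parse_phone_home(line: str) -> Optional[PhoneHome]:
    """Return a PhoneHome record if the log line looks like a bot registration, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    qs = parse_qs(url.query)
    port = qs.get("p", [""])[0]
    bot_id = qs.get("id", [""])[0]
    # Both p= (listener port) and id= must be present, and p must be a valid TCP port.
    if not port.isdigit() or not 1 <= int(port) <= 65535 or not bot_id:
        return None
    script = url.path.rsplit("/", 1)[-1]
    confidence = "high" if script in KNOWN_SCRIPTS else "low"
    return PhoneHome(m.group("ip"), int(port), bot_id, int(m.group("status")), confidence)


def infected_nodes(lines: Iterable[str]) -> Dict[Tuple[str, int], PhoneHome]:
    """One entry per (client IP, SOCKS port) pair seen phoning home, first sighting kept."""
    nodes: Dict[Tuple[str, int], PhoneHome] = {}
    for line in lines:
        hit = parse_phone_home(line)
        if hit is not None:
            nodes.setdefault((hit.client_ip, hit.proxy_port), hit)
    return nodes


# Constructed sample log lines (RFC 5737 documentation addresses, made-up ids).
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Mar/2006:10:15:22 +0000] "GET /images/scr5.php?p=24389&id=1234567 HTTP/1.1" 404 287 "-" "-"',
    '198.51.100.23 - - [12/Mar/2006:10:15:25 +0000] "GET /images/scr5.php?p=24389&id=1234567 HTTP/1.1" 404 287 "-" "-"',
    '203.0.113.77 - - [12/Mar/2006:10:16:01 +0000] "GET /?p=4421&id=9876543 HTTP/1.0" 200 512 "-" "-"',
    '192.0.2.5 - - [12/Mar/2006:10:16:40 +0000] "GET /?p=42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '192.0.2.8 - - [12/Mar/2006:10:17:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    '203.0.113.200 - - [12/Mar/2006:10:17:30 +0000] "GET /scr5.php?p=70000&id=1 HTTP/1.1" 404 287 "-" "-"',
]

if __name__ == "__main__":
    for (ip, port), hit in sorted(infected_nodes(SAMPLE_LOG).items()):
        print(f"{ip}:{port}  id={hit.bot_id}  status={hit.status}  confidence={hit.confidence}")
```

The resulting (IP, port) pairs are exactly what the botnet operator harvests from these servers, which is why blocking the host names on egress is worthwhile even when the server answers 404: the registration has already been logged by the time the error is returned.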


Give 'em hell.

William Salusky
Handler on Duty (heh heh)
Future homepage for the above handler.

