By: ThreatLabz

Another Trojan Bamital Pattern

Analysis

The other day I detected a handful of Bamital infected clients beaconing out with a different pattern than that listed in EmergingThreats, and thought I'd post something for the masses to consume and be on the lookout for in their networks. Microsoft's Malware Protection Center, lists a first iteration of the Trojan back in 2009 to do pop-up/injected advertising on behalf of the attacker ... but since then the malware family has grown in variations and scope of capability - for example, search result manipulation and malware dropping. There are now 29 variants listed in the MS encyclopedia, including those published in mid/late April 2011. For example,


The pattern in EmergingThreats was created from this February 2011 ThreatExpert report:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; content:"/favicon.ico?0="; http_uri; content:"&1="; http_uri; content:"&2="; http_uri; content:"&3="; http_uri; content:"&4="; http_uri; content:"&5="; http_uri; content:"&6="; http_uri; content:"&7="; http_uri; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=fbcdfecc73c4389e8d3ed7e2e573b6f1; sid:2012299; rev:2;)

The different HTTP URI pattern that I'm seeing for the Bamital C&C communication is:

/message.php?subid=
&br=
&os=
&flg=
&id=
&ad=
&ver=

And the C&Cs that I have observed have typically been utilizing free domain services like ".co.cc" and ".cz.cc" ... this type of abuse is nothing new for these "TLDs."


Here is a snippet of domains and servers used for this C&C infrastructure:

00a8cf363ddca6b75e1b5c781b0ba226.co.cc
00a8cf363ddca6b75e1b5c781b0ba226.cz.cc
150224dce21c1056c5140bdfb2e1e8c2.co.cc
150224dce21c1056c5140bdfb2e1e8c2.cz.cc
2675589750ef32cc7fe75d7ff8e3fcbd.co.cc
2675589750ef32cc7fe75d7ff8e3fcbd.cz.cc
4bc53ed6c2c5a32606588c1d72d16a59.co.cc
4bc53ed6c2c5a32606588c1d72d16a59.cz.cc
5c099914bf7eaacb8aab1cab73cdd90b.co.cc
5c099914bf7eaacb8aab1cab73cdd90b.cz.cc
7ffea8c792bb81efca737acc44861bc3.co.cc
7ffea8c792bb81efca737acc44861bc3.cz.cc
85fd1f94d59ff6936e99c281f99a0953.co.cc
85fd1f94d59ff6936e99c281f99a0953.cz.cc
936d16bf80262add68838f96677a9620.co.cc
936d16bf80262add68838f96677a9620.cz.cc
cb9df029fbcea991d8aa64f97ff9fd40.co.cc
cb9df029fbcea991d8aa64f97ff9fd40.cz.cc
ff7cca28c0bdf5a60f09b4ec52db39bf.co.cc
ff7cca28c0bdf5a60f09b4ec52db39bf.cz.cc


The above C&C domains resolve only to a handful of IPs:
112.175.243.21 (KR)
112.175.243.22 (KR)
112.175.243.23 (KR)
112.175.243.24 (KR)
207.58.177.96 (US)

Open-source info on these IPs confirms their badness as C&Cs as well as hosting malicious fake videos/plugins (for example, malwareurl.com, malc0de.com, CleanMX).

There have also been some other open-source reports that include some .info domains with the same hash-like domain format used to host the Bamital C&C infrastructure that uses the same beaconing pattern I identified above, e.g.,

DA9341709E53AD11D84C6284EDA86043.info
D5403E5622841DD806915A4DE67DD9F8.info
87D53FBC27630E53A7CA13B7242DEFB3.info

With this type of bulk registration of new domains to keep the C&C infrastructure alive, you really need to have a set of signatures in addition to domain/IP filtering. Keep an eye out for this other Bamital pattern in your networks:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Zscaler TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; content:"/message.php?subid="; http_uri; content:"&br="; http_uri; content:"&os="; http_uri; content:"&flg="; http_uri; content:"&id="; http_uri; content:"&ad="; http_uri; content:"&ver="; http_uri; classtype:trojan-activity; reference:url,research.zscaler.com/2011/05/another-trojan-bamital-pattern.html/;)

Learn more about Zscaler.