It’s very rare that we researchers get
a chance to explore the inner workings of a botnet command and control
server.  Detailed insight into the botnet server or command component
can give us valuable information about the motives of the botnet and
possibly the bad guys behind it. But granting access to these command
and control servers often depends on the will of the hosting providers.
So what happened in this case?

Recently, while I was casually
monitoring logs from our MAX network to find out the current geo locations for Pushdo CnCs, I got these results for the last 30 days.

 

SOFTLAYER TECHNOLOGIES INC, USA

74.86.100.156
74.86.100.158
74.86.198.178
74.86.100.157
74.86.187.242

LIMESTONE NETWORKS INC, USA

216.245.203.122
216.245.213.194
216.245.219.202
69.162.90.170
69.162.68.114
69.162.90.130
69.162.92.162
69.162.104.250
69.162.84.186
69.162.113.18

LEASEWEB, NETHERLANDS

94.75.233.172
94.75.233.171
94.75.233.163

THEPLANET.COM INTERNET SERVICES INC, USA

74.54.77.82

VRTSERVERS INC

70.36.100.42

Seeing SoftLayer in the above ISP list was something which made me
quite excited. SoftLayer has a good history of dealing with abuse
requests so I knew that taking these servers offline would not be a big
deal.  But this time I was hoping for something more.  Keeping in mind
the good relationship between FireEye and SoftLayer, we requested that
they grant us access to one of the CnCs.  Nick Hale from the SoftLayer
abuse department responded very quickly based on evidence provided by
FireEye, and made a decision to give us access to this notorious server
for a limited time before shutting down all the cnc servers. Before we
get into the details of what was discovered, I’d like to take a moment
to thank SoftLayer, and especially Nick Hale, who offered full
cooperation on the matter.  More actions like this from victimized ISPs
will definitely keep the bad guys on their toes.

Apart from all this, an interesting thing we noticed was that the
C&C servers hosted at other providers were also down the next day.
This is probably a combination of the providers shutting them down or
the bad guys abandoning the servers (as a result of the C&C
shutdown at Softlayer). As of Jan 18, 2010.  All of the US servers
mentioned above are shutdown. Only two servers located in ‘Netherlands’
are still up and running at the time of writing this article.

These are the live servers:

94.75.233.172
94.75.233.171

WHOIS for 94.75.233.172 is like this:

inetnum:   94.75.233.0 – 94.75.233.255
netname:   LEASEWEB
descr:     LeaseWeb
descr:     P.O. Box 93054
descr:     1090BB AMSTERDAM
descr:     Netherlands
descr:     www.leaseweb.com
remarks:   Please send email to “abuse@leaseweb.com” for complaints
remarks:   regarding portscans, DoS attacks and spam.
remarks:   assignment LEASEWEB 20080723
country:   NL
admin-c:   LSW1-RIPE
tech-c:    LSW1-RIPE
status:    ASSIGNED PA

mnt-by:    LEASEWEB-MNT

source:    RIPE # Filtered

Back to the real story.  Infiltrating Pushdo was not something to do
simply for the sake of fun.  There was some serious motivation behind
all this.

Motive # 1

Grab the server component and all related files. This information was essential to understand this botnet’s internals.

Motive # 2

Try to investigate who are the guys behind Pushdo, including their
origin and business model. According to Soflayer records these server
were  based out of Germany (Berlin). Softlayer provided us with further
details such as company and name of registered owner. A quick search on
Google for those did not reveal anything meaningful.  It’s not a
surprise since these guys normally use stolen credit cards for
purchasing such servers, leaving no clue behind.

What I found inside Pushdo’s CnC? What was running as a CnC server?
Did I get any clues abut the guys behind? I would like to discuss all
this in my next article. Stay tuned..

This post originally appeared on the FireEye Malware Intelligence Lab blog.

Categories: Malware

Comments (6)

  1. Anonymous
    1

    hmmm… interesting article, a little build-up and then a whole load of nothing. Maybe it should be published after it has been completed. What’s the rush?

  2. PreachJohn
    2

    What’s with the carrot dangling. This article had as much substance as candy floss. Some kind of filler on a slow news day?

  3. Anonymous
    4

    if ya wanna know, i been fighting the botnet and hackers since aug 2008.  recently i found out that i am the command and control center of the botnet.  the tcp/ip6 is whats now going on.  

    here is some info.   all the info above is what my packets show.   who is ….     tell ……  i been recieving over 2000 incoming ips 24/7 since febuary before april.   the hackers successfully used the dns servers to spread.  it used strings in memory to hide itself.  the botnet used certificates and cookie system to break through.    the first major change in the worm happened nov 17 of 2009.   danielle arrested, then 2 or more days of monitors going black for a sec through all my machines at different times(programming font and color codes)   then my machines went through reboot loops that spread.  and when i got back up on my machines, i noticed a change in the 2000 incoming IPS.   they switched from high ports(linked to the parsings)   to port 445 as the only port.    

     

    when i found eset.com(first to detect any part of the worm aka trojans)(after kasperty’s short success aka generic keyloggers),   it had a link that allowed me to see where my connection routes to.  and even though im in montana, it showed me living in amsterdam.  

     

  4. coetsee
    5

    Affiliate Marketing is a performance based sales technique used by companies to expand their reach into the internet at low costs. This commission based program allows affiliate marketers to place ads on their websites or other advertising efforts such as email distribution in exchange for payment of a small commission when a sale results.

    http://www.onlineuniversalwork.com

Comments are closed.