MalwareMustDie

#MalwareMustDie - A quest of TDS Sutra CNC(188.40.204.81)

Nov 4th, 2012
=========================================
#MalwareMustDie - A quest of TDS Sutra CNC
*) This is a team work of crusaders.
Thanks to DL for the great effort figuring out the links
=========================================

Case of Suspected TDS Sutra CNC 188.40.204.81 & 199.21.149.60
Of which 199.21.149.60 had Sutra, confirmed (closed).
From the second one, SutraTDS forwards us in case you have the correct referer:
h00p://sparc-ftp[.]de/~artem/index.html to uqzzxgwg.lflinkup.com -
its dynamic switching DNS service leads to 206.212.240.202

Ref: http://www.projecthoneypot.org/ip_46.4.179.69 (DAG Randomized comparison pattern)
Ref1: http://pastebin.com/raw.php?i=0VM5ycgq (first type of deobfuscated burped URLs)
Ref2: http://pastebin.com/raw.php?i=xjwM4gfy (second type of deobfuscated burped URLs)

0) Additional (see the random feedback domain)
Nmap scan report for flpwgfdzcjppotrp.pro (188.40.204.81)
Host is up (0.099s latency).
rDNS record for 188.40.204.81: static.81.204.40.188.clients.your-server.de
Nmap scan report for rfhwhftjormwjzfj.pro (188.40.204.81)
Host is up (0.10s latency).
rDNS record for 188.40.204.81: static.81.204.40.188.clients.your-server.de
Nmap scan report for whwfcjiwplgmriew.pro (188.40.204.81)
Host is up (0.096s latency).
rDNS record for 188.40.204.81: static.81.204.40.188.clients.your-server.de
Nmap scan report for fzrttttthlzcewjd.pro (188.40.204.81)
Host is up (0.11s latency).
rDNS record for 188.40.204.81: static.81.204.40.188.clients.your-server.de
Nmap scan report for rhofafmfwfgwwgpw.pro (188.40.204.81)
Host is up (0.10s latency).
rDNS record for 188.40.204.81: static.81.204.40.188.clients.your-server.de
Nmap scan report for wpefzadawawhhirl.pro (188.40.204.81)
Host is up (0.12s latency).
rDNS record for 188.40.204.81: static.81.204.40.188.clients.your-server.de
Nmap scan report for wflippciqffirplr.pro (188.40.204.81)
Host is up (0.10s latency).
rDNS record for 188.40.204.81: static.81.204.40.188.clients.your-server.de
Nmap scan report for iwwqcwacppghdwch.pro (188.40.204.81)
Host is up (0.10s latency).
rDNS record for 188.40.204.81: static.81.204.40.188.clients.your-server.de
Nmap done: 145 IP addresses (8 hosts up) scanned in 884.02 seconds


1) These domains below are currently alive and up,
-----------------------------------------
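The domain,ip pairs in 1) are the kind of data a defender should push through a clustering check rather than eyeball. The Python below is an added example, not code from the MalwareMustDie team or this log: it groups random-looking labels by the IP they resolve to, so a fleet of throwaway TDS domains on one host stands out. The vowel-ratio heuristic, its thresholds and the three .example entries in the sample are my own assumptions and constructions.

```python
from collections import defaultdict

VOWELS = set("aeiou")

def looks_generated(label: str, min_len: int = 12, max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic (my assumption): a long, purely lowercase-alphabetic label with
    few vowels looks machine-generated rather than chosen by a human."""
    if len(label) < min_len or not label.isalpha() or not label.islower():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio <= max_vowel_ratio

def parse_pairs(text: str):
    """Yield (domain, ip) from 'domain,ip' lines as used in the log; skip blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or "," not in line:
            continue
        domain, ip = (part.strip() for part in line.split(",", 1))
        yield domain.lower(), ip

def suspicious_clusters(text: str, min_cluster: int = 3) -> dict:
    """Return {ip: sorted generated-looking domains} for every IP hosting at
    least `min_cluster` of them; single hits are dropped as noise."""
    by_ip = defaultdict(list)
    for domain, ip in parse_pairs(text):
        label = domain.split(".")[0]  # leftmost label, e.g. flpwgfdzcjppotrp
        if looks_generated(label):
            by_ip[ip].append(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_cluster}

# Constructed sample: the six .pro lines are indicators quoted in the log above;
# the three .example lines with TEST-NET addresses are benign entries for contrast.
SAMPLE = """\
flpwgfdzcjppotrp.pro,188.40.204.81
rfhwhftjormwjzfj.pro,188.40.204.81
whwfcjiwplgmriew.pro,188.40.204.81
dirohpdwcrfppqji.pro,199.21.149.60
agogfwfwpjfhedfp.pro,199.21.149.60
affqdfmtffpjzhop.pro,199.21.149.60
securityblog.example,203.0.113.10
newsletterarchive.example,203.0.113.10
shop.example,203.0.113.11
"""

if __name__ == "__main__":
    for ip, domains in suspicious_clusters(SAMPLE).items():
        print(f"{ip}: {len(domains)} generated-looking domains, e.g. {domains[0]}")
```

Feed it a resolver-log export in the same two-column form; tune `max_vowel_ratio` and `min_cluster` against your own baseline, since short or vowel-heavy generated labels will slip past the defaults.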

2) And evil-ly DNS hosted by:

;; AUTHORITY SECTION:
flpwgfdzcjppotrp.pro. 3419 IN NS east.inapple.com.
flpwgfdzcjppotrp.pro. 3419 IN NS north.inapple.com.
flpwgfdzcjppotrp.pro. 3419 IN NS west.inapple.com.
flpwgfdzcjppotrp.pro. 3419 IN NS south.inapple.com.


3) Some infector hosts + TDS CNC followed....

206.212.240.202
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Device type: broadband router|media device|general purpose
Running (JUST GUESSING) : Linux 2.4.6 - 2.4.21/ Linux 2.4.X
It's an embedded router/gateway...
The EK servers are behind this.. I suggest we stop the attempt, this is an innocent Data Center
with the infected EK inside.

Checked on:

Suspected TDS Sutra server (199.21.149.60) report:
Uptime 27.923 days (since Wed Oct 3 22:58:34 2012)
Interesting ports on 199.21.149.60
PORT STATE SERVICE
22/tcp open ssh
68/tcp filtered dhcpclient
80/tcp open http
135/tcp filtered msrpc <--- windozzzz
136/tcp filtered profile
137/tcp filtered netbios-ns <--- windozzzz
138/tcp filtered netbios-dgm <--- windozzzz
139/tcp filtered netbios-ssn <--- windozzzz
445/tcp filtered microsoft-ds <--- windozzzz
PS: /admin is authed... can't b***, access rejected on 9th attempt.

(188.40.204.81) <=================== CNC
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
110/tcp open pop3
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1500/tcp open vlsi-lm // Smells like a VPS server on this.. let's check on whois...

inetnum: 188.40.204.64 - 188.40.204.95
netname: VPSSERVER
descr: vpsserver
country: DE
admin-c: VK1952-RIPE
tech-c: VK1952-RIPE
person: Viacheslav Krivosheev // maybe bingo....
address: vps-server
address: Poliykovskaiy 8a
address: 153011 IVANOVO
address: RUSSIAN FEDERATION
phone: +79270563774
nic-hdl: VK1952-RIPE

(((while 199.21.149.60)))
PORT STATE SERVICE
22/tcp open ssh
68/tcp filtered dhcpclient // can't believe.. he's using DHCP to get a global IP, too honest....
80/tcp open http // a victim....
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
//BTW we can contact this guy to clean his web service up....
NetRange: 199.21.148.0 - 199.21.151.255
CIDR: 199.21.148.0/22
OriginAS: AS22923
NetName: YESUP-COM
NetHandle: NET-199-21-148-0-1
Parent: NET-199-0-0-0-0
NetType: Direct Allocation
RegDate: 2010-08-10
Updated: 2012-03-02
OrgName: Yesup Ecommerce Solutions Inc.
OrgId: YESUP
Address: 565 Gordon Baker Road
City: North York
StateProv: ON
PostalCode: M2H-2W2
Country: CA

----
#MalwareMustDie!
End of Oct Investigation Log as a Team.