Untitled
a guest
Feb 13th, 2019
This IP address is infected

This IP address is infected with, or is NATting for a machine infected with, a botnet usually associated with the Avalanche malware network. The infection will probably be the Dofoil or Gamarue malware (or one of the other anti-virus vendor aliases, such as Andromeda, Smoke Loader, Win32/Dofoil, W32/Zurgop.BK!tr.dldr, Gamarue and many others).

This is one of the most dangerous bot networks ever discovered: every node is fully capable of participating in identity theft, keystroke logging, disk erasure, camera capture, or encrypting files and holding them for ransom (as in the recent WannaCry debacle).

Gamarue is a downloader and is Microsoft's name for the Andromeda bot; Dofoil (Smoke Loader) is a separate downloader family that the same detections report under this listing. Both were largely used in the Andromeda and Avalanche botnets.

Andromeda is a very large-scale malware delivery platform that uses Gamarue (and other downloaders) to pull malicious software onto infected machines. At its peak (Nov/Dec 2017) it had more than 5 million infected machines.

Avalanche is a large-scale content and management platform, also designed for the delivery of bullet-proof botnets, which used Andromeda to bootstrap. Avalanche's scale and scope spanned victims in 180 countries, over 800,000 domains in 60+ top-level domains (TLDs), more than one million phishing and spam e-mails, 500,000 infected machines worldwide, and 130 TB of captured and analysed data.

A coordinated effort by international law enforcement agencies, including Germany's Public Prosecutor's Office Verden and the Lüneburg Police, the U.S. Attorney's Office for the Western District of Pennsylvania, the Department of Justice and the Federal Bureau of Investigation (FBI), Europol and Eurojust, together with partners such as Shadowserver, resulted in one of the most successful anti-cybercrime operations in recent years (late 2016).

An even more successful takedown of Andromeda took place on 29 Nov 2017.

WARNING: Despite the above, it MUST NOT be assumed that, because the network has been disabled, this listing no longer matters. As long as the malware remains present on your machine there is a strong possibility that the infection will be re-enabled. Therefore every effort should be made to find and eradicate it.

This was detected by a TCP connection from "" on port "n/a" going to IP address "184.105.192.2" (the sinkhole) on port "80".

The botnet command and control domain for this connection was "disorderstatus.ru".

This detection corresponds to a connection at Tue Feb 12 20:37:58 2019 UTC (this timestamp is believed accurate to within one second).

Detection Information Summary
  Destination IP     184.105.192.2
  Destination port   80
  Source IP          (not supplied by the feed)
  Source port        n/a
  C&C name/domain    disorderstatus.ru
  Protocol           TCP
  Time               Tue Feb 12 20:37:58 2019 UTC

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address "184.105.192.2" or host name "disorderstatus.ru" on any port with a network sniffer such as Wireshark. Equivalently, you can examine your DNS server or proxy server logs for references to "184.105.192.2" or "disorderstatus.ru". See Advanced Techniques for more detail on how to use Wireshark, but ignore the references to port 25/SMTP traffic: the identifying activity is NOT on port 25.

Please note that some of the information quoted above may be empty (""), "n/a" or "-". In those cases the feed has declined, or is unable, to give us that information. Hopefully enough information is present to let you pinpoint the connections. If not, the destination ports to check are usually 80, 8080, 443 or high ports (around 16000) outbound from your network. Most of these infections make very large numbers of connections; they should stand out.
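The log hunt described in the two paragraphs above, written out as a POSIX shell script. This is an added example and not part of the CBL notice: the three logs it searches (a BIND query log, a Squid native access log and a "source destination dport" connection export) are constructed samples embedded in the script so that it runs offline; the host addresses 10.0.5.x, the field layouts and the log formats are assumptions you replace with your own. The two indicators are the ones from the listing.

```shell
#!/bin/sh
# Added example, not part of the CBL notice: hunt for the internal host behind a NAT
# using the two indicators from the listing (sinkhole IP and C&C domain).
# The three logs below are CONSTRUCTED samples so the script runs offline; point the
# functions at your real BIND query log, Squid access log and firewall/NetFlow export.

SINKHOLE_IP="184.105.192.2"      # sinkhole address from the listing
CNC_DOMAIN="disorderstatus.ru"   # C&C name from the listing

# Constructed BIND query-log lines (client address#port, then the queried name).
DNS_LOG='12-Feb-2019 20:37:55.101 queries: info: client 10.0.5.23#51234 (disorderstatus.ru): query: disorderstatus.ru IN A + (10.0.0.2)
12-Feb-2019 20:37:56.220 queries: info: client 10.0.5.40#44002 (www.example.com): query: www.example.com IN A + (10.0.0.2)
12-Feb-2019 20:38:01.330 queries: info: client 10.0.5.23#51240 (disorderstatus.ru): query: disorderstatus.ru IN A + (10.0.0.2)'

# Constructed Squid native access-log lines:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
PROXY_LOG='1550003878.123    120 10.0.5.23 TCP_MISS/200 412 POST http://disorderstatus.ru/ - HIER_DIRECT/184.105.192.2 text/html
1550003879.456     80 10.0.5.40 TCP_MISS/200 9012 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1550003880.789     95 10.0.5.77 TCP_MISS/200 300 GET http://184.105.192.2/ - HIER_DIRECT/184.105.192.2 text/html'

# Constructed outbound-connection export (source destination dport), one line per flow.
CONN_LOG='10.0.5.23 184.105.192.2 80
10.0.5.23 184.105.192.2 80
10.0.5.23 184.105.192.2 80
10.0.5.40 93.184.216.34 443
10.0.5.23 184.105.192.2 8080
10.0.5.77 184.105.192.2 80'

# Internal clients that looked up the C&C name, most frequent first ("count client").
dns_suspects() {
    printf '%s\n' "$DNS_LOG" \
      | grep -F "query: $CNC_DOMAIN " \
      | sed -n 's/.*client \([0-9.]*\)#.*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Internal clients whose proxied request named the C&C domain (field 7, the URL) or
# was forwarded to the sinkhole address (field 9, hierarchy/peer), one per line.
proxy_suspects() {
    printf '%s\n' "$PROXY_LOG" \
      | awk -v d="$CNC_DOMAIN" -v ip="$SINKHOLE_IP" \
            'index($7, d) || index($9, ip) { print $3 }' \
      | sort -u
}

# Connections to the sinkhole on ANY port, counted per internal source ("count source").
# The port is deliberately ignored: the notice says the activity may be on 80, 8080,
# 443 or high ports, and the volume per host is what makes an infection stand out.
sinkhole_talkers() {
    printf '%s\n' "$CONN_LOG" \
      | awk -v ip="$SINKHOLE_IP" '$2 == ip { n[$1]++ } END { for (h in n) print n[h], h }' \
      | sort -rn
}

echo "DNS lookups of $CNC_DOMAIN per client:";            dns_suspects
echo "Proxy clients reaching the C&C or sinkhole:";      proxy_suspects
echo "Connections to $SINKHOLE_IP per internal source:"; sinkhole_talkers
```

If you would rather capture live traffic than read logs, the equivalent Wireshark display filter is `ip.addr == 184.105.192.2 || dns.qry.name contains "disorderstatus.ru"`; on a span port the same filter works with `tshark -Y` and `-T fields -e ip.src` to list the internal sources. Note that the proxy check matches the sinkhole address in the hierarchy field as well as the domain in the URL, because a bot that hard-codes the IP never produces a DNS lookup.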

These infections are rated a "severe threat" by Microsoft. The malware is a trojan downloader and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

Norton Power Eraser is a free tool and doesn't require installation; it just needs to be downloaded and run. One of our team has tested the tool with Zeus, ICE IX, Citadel, ZeroAccess and Cutwail, and it was able to detect and clean up the system in each case. It probably works with many other infections.

If Microsoft Windows Defender is available to you, use it!

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP address[es] given above. These IP address[es] belong to sinkholes operated by malware researchers. In other words, they are "sensors" (only) run by "the good guys". The bot "thinks" it is a command and control server run by the botnet operators, but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, will still be able to connect to command and control servers under the botnet owner's control, and will STILL be sending your users'/customers' personal information, including banking details, to the criminal bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them, so that you can identify the infected machine yourself and fix it.
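One way to do the instrumentation the previous paragraph asks for, as an added example that is not part of the CBL notice. It assumes a Linux gateway whose FORWARD chain sees the LAN's outbound traffic and whose kernel log lines reach syslog; the chain name CBL_SINKHOLE, the interface names and the 10.0.5.x hosts in the constructed log lines are illustrative. The rule generator prints the iptables commands rather than applying them, and the parser turns the resulting kernel log lines into the per-host list you need.

```shell
#!/bin/sh
# Added example, not part of the CBL notice: instrument a Linux gateway so that any
# internal host contacting the sinkhole is LOGGED, not silently blocked. The rule
# generator only prints the iptables commands for review; apply them yourself.
# Assumptions: the gateway forwards the LAN's outbound traffic through the FORWARD
# chain and kernel log lines land in /var/log/kern.log (both are site-specific).

SINKHOLE_IP="184.105.192.2"   # sinkhole address from the listing

# Print the rules. LOG is a non-terminating target and the chain ends in RETURN, so
# packets are still forwarded; only add a DROP if you accept that the bot will then
# fall back to C&C servers that are NOT sinkholes (see the warning above).
# The rate limit keeps a chatty bot from flooding the kernel log.
sinkhole_log_rules() {
    cat <<EOF
iptables -N CBL_SINKHOLE
iptables -A CBL_SINKHOLE -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "CBL_SINKHOLE: " --log-level warning
iptables -A CBL_SINKHOLE -j RETURN
iptables -I FORWARD 1 -d $SINKHOLE_IP -p tcp -j CBL_SINKHOLE
EOF
}

# Constructed kernel log lines in the format the LOG target produces. The last line
# comes from a different LOG rule and must be ignored.
KERN_LOG='Feb 12 20:37:58 gw kernel: CBL_SINKHOLE: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=184.105.192.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=51344 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 12 20:38:03 gw kernel: CBL_SINKHOLE: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=184.105.192.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=51350 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 12 20:39:10 gw kernel: CBL_SINKHOLE: IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=184.105.192.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=40100 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 12 20:39:11 gw kernel: UFW BLOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=40 PROTO=TCP SPT=4444 DPT=22'

# Internal sources seen talking to the sinkhole, with destination port and hit count,
# most frequent first ("count source dport"). Only our own prefix is considered, so
# other LOG rules on the box do not pollute the result.
sinkhole_sources() {
    printf '%s\n' "$KERN_LOG" \
      | grep -F 'CBL_SINKHOLE: ' \
      | sed -n 's/.*SRC=\([0-9.]*\) .*DPT=\([0-9]*\) .*/\1 \2/p' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

echo "# rules to review and apply on the gateway:";   sinkhole_log_rules
echo "# internal hosts seen contacting $SINKHOLE_IP:"; sinkhole_sources
```

The rule is placed in FORWARD rather than POSTROUTING on purpose: source NAT is applied after FORWARD, so the SRC= field in the log line is the real internal address, which is exactly the datum the notice says you need. On a production box read the lines from the kernel log instead of the embedded sample, for example `grep -F 'CBL_SINKHOLE: ' /var/log/kern.log`.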

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more true of the malware described here: these detections are made from network-level observations of malicious behaviour and may NOT involve any malicious email being sent.

For more information on this botnet, and mitigation strategies, please see:

Andromeda Takedown
Trend Micro on Gamarue
Microsoft
FortiGuard
Malwarebytes Labs: Smoke Loader still alive
Microsoft on Gamarue
Data Security Blog on possible recurrence