Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 17 June 2009

FireEye: Killing the beast .... Part II

These articles were published back in December 2008 but most of the details are still valid for the newer versions.

Back to the CnC structure ... Koobface relies mostly on domain names to locate its CnC servers, instead of using hard coded IPs like Pushdo. As a matter of fact, I observed that it tends to change its CnC domains more often than the IPs behind those domains change. Based on my lab data (for the last 3 months or so) I see Koobface connecting to 23 unique domains.

Here is the complete list:

a22092008.com
upr15may.com
a13092008.com
5824125537.com
a221008.com
y171108.com
a080908.net
main15052009.com
wn20090504.com
nua06032009.biz
lastshanse26032009.com
supersearch20090330.com
wnames1404.com
ram06032009.biz
fdns6mar09.info
nua20090515.com
websrv09.com
er21012009.com
open21012009.com
onames0603.com
586523333.com
x17012009.com
f071108.com


Surprisingly, when I count the collective IPs behind all these domains, I hardly find 4 unique IPs. Multiple domains have been resolving to these fixed IPs over the period I examined.
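The observation above (23 CnC domains collapsing onto a handful of IPs) is the kind of thing a defender pivots on: index the domains by the addresses they resolve to, and the shared hosting becomes an obvious block point. The script below is an added example, not code from FireEye or hpHosts. It uses the domain list as quoted above, but the resolution table is constructed from RFC 5737 documentation addresses because the page does not give the real IPs; the `lookup` function stands in for a live resolver or passive-DNS query so the example runs offline.

```python
from collections import defaultdict
from typing import Callable, Dict, List

# Koobface CnC domains exactly as listed in the FireEye excerpt quoted above.
KOOBFACE_DOMAINS: List[str] = [
    "a22092008.com", "upr15may.com", "a13092008.com", "5824125537.com",
    "a221008.com", "y171108.com", "a080908.net", "main15052009.com",
    "wn20090504.com", "nua06032009.biz", "lastshanse26032009.com",
    "supersearch20090330.com", "wnames1404.com", "ram06032009.biz",
    "fdns6mar09.info", "nua20090515.com", "websrv09.com", "er21012009.com",
    "open21012009.com", "onames0603.com", "586523333.com", "x17012009.com",
    "f071108.com",
]

# CONSTRUCTED resolution data (RFC 5737 test addresses), NOT the real hosting
# IPs. It mirrors the observed pattern: many domains, only four addresses.
# websrv09.com is given two addresses to show a domain that moved between hosts.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "a22092008.com": ["192.0.2.10"], "a13092008.com": ["192.0.2.10"],
    "a221008.com": ["192.0.2.10"], "a080908.net": ["192.0.2.10"],
    "y171108.com": ["192.0.2.10"], "f071108.com": ["192.0.2.10"],
    "upr15may.com": ["192.0.2.55"], "main15052009.com": ["192.0.2.55"],
    "wn20090504.com": ["192.0.2.55"], "nua20090515.com": ["192.0.2.55"],
    "wnames1404.com": ["192.0.2.55"],
    "websrv09.com": ["192.0.2.55", "203.0.113.42"],
    "nua06032009.biz": ["198.51.100.7"], "ram06032009.biz": ["198.51.100.7"],
    "fdns6mar09.info": ["198.51.100.7"], "onames0603.com": ["198.51.100.7"],
    "lastshanse26032009.com": ["198.51.100.7"],
    "supersearch20090330.com": ["198.51.100.7"],
    "5824125537.com": ["203.0.113.42"], "586523333.com": ["203.0.113.42"],
    "er21012009.com": ["203.0.113.42"], "open21012009.com": ["203.0.113.42"],
    "x17012009.com": ["203.0.113.42"],
}


def lookup(domain: str) -> List[str]:
    """Offline stand-in for a resolver / passive-DNS query (hypothetical helper)."""
    return CONSTRUCTED_DNS.get(domain, [])


def build_ip_index(domains: List[str],
                   resolve: Callable[[str], List[str]] = lookup) -> Dict[str, List[str]]:
    """Map each IP to the sorted list of CnC domains that resolved to it.
    A domain with no answer is skipped rather than invented."""
    index: Dict[str, set] = defaultdict(set)
    for domain in domains:
        for ip in resolve(domain):
            index[ip].add(domain)
    return {ip: sorted(names) for ip, names in index.items()}


def unique_ips(index: Dict[str, List[str]]) -> int:
    """The number FireEye reports as 'hardly 4' in the excerpt."""
    return len(index)


def shared_infrastructure(index: Dict[str, List[str]],
                          min_domains: int = 2) -> Dict[str, List[str]]:
    """IPs serving several CnC domains: blocking these catches future
    domain rotations that land on the same host."""
    return {ip: names for ip, names in index.items() if len(names) >= min_domains}


def to_hosts_entries(domains: List[str]) -> List[str]:
    """hosts-file style sinkhole lines, the format hpHosts distributes."""
    return [f"127.0.0.1 {d}" for d in sorted(set(domains))]


if __name__ == "__main__":
    idx = build_ip_index(KOOBFACE_DOMAINS)
    print(f"{len(KOOBFACE_DOMAINS)} domains -> {unique_ips(idx)} unique IPs")
    for ip, names in sorted(shared_infrastructure(idx).items()):
        print(f"  {ip}: {len(names)} domains ({', '.join(names[:3])}, ...)")
    print("\n".join(to_hosts_entries(KOOBFACE_DOMAINS)[:3]))
```

Swapping `lookup` for a real resolver (or a passive-DNS export) is the only change needed to run this against live data; the index and the shared-IP report stay the same, and the hosts entries feed straight into a blocklist.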


Read more
http://blog.fireeye.com/research/2009/06/killing-the-beastpart-ii.html
