sudden death

[figure: gnuplotsql for epmapper 2010]
As you can see in the picture, there was a sudden decrease in attacks on the epmapper service at my sensor during September 2010.
[figure: gnuplotsql for epmapper 09-2010]
Looking at September 2010 alone, only 1/4th of the attacks came in from September 18th onwards.

So we can assume that some malware which was active before 18th September was shut down somehow at or before 18th September.

First, let's gather the information we have:

  • protocol is epmapper
  • attacks decreased at or before 18th September
    • normal at 16th September
    • likely there are no more attacks from this family after 18th September

Based on this information, we can compile a query against the sqlite database which returns a list of malware hashes that exploited epmapper during 16th-18th September and did not afterwards:

malwareinquestion.sql
SELECT
	download_md5_hash AS md5sum,
	COUNT(download_md5_hash),
	date(MIN(root.connection_timestamp),'unixepoch') AS firstseen,
	date(MAX(root.connection_timestamp),'unixepoch') AS lastseen
FROM
	downloads
	NATURAL JOIN connections
	-- the download is logged on a child connection; follow connection_root
	-- back to the connection that carried the exploit
	JOIN connections AS root ON(connections.connection_root = root.connection)
WHERE
	root.connection_protocol = 'epmapper'
	AND (
		-- seen before the 18th ...
		download_md5_hash IN
		(
			SELECT
				download_md5_hash
			FROM
				downloads
				NATURAL JOIN connections
				JOIN connections AS root ON(connections.connection_root = root.connection)
			WHERE
				root.connection_protocol = 'epmapper'
				AND root.connection_timestamp < strftime('%s','2010-09-18')
		) AND
		-- ... and after the 16th ...
		download_md5_hash IN
		(
			SELECT
				download_md5_hash
			FROM
				downloads
				NATURAL JOIN connections
				JOIN connections AS root ON(connections.connection_root = root.connection)
			WHERE
				root.connection_protocol = 'epmapper'
				AND root.connection_timestamp > strftime('%s','2010-09-16')
		) AND
		-- ... but never again after the 18th
		download_md5_hash NOT IN
		(
			SELECT
				download_md5_hash
			FROM
				downloads
				NATURAL JOIN connections
				JOIN connections AS root ON(connections.connection_root = root.connection)
			WHERE
				root.connection_protocol = 'epmapper'
				AND root.connection_timestamp > strftime('%s','2010-09-18')
		)
	)
GROUP BY
	download_md5_hash
ORDER BY
	COUNT(download_md5_hash) DESC;
md5 hash                          hits  first seen  last seen
2fa0e36b36382b74e6e6a437ad664a80   258  2010-02-21  2010-09-17
1d419d615dbe5a238bbaa569b3829a23   199  2010-02-21  2010-09-16
14a09a48ad23fe0ea5a180bee8cb750a   171  2010-02-21  2010-09-17
bb39f29fad85db12d9cf7195da0e1bfe   155  2010-02-21  2010-09-17
e269d0462eb2b0b70d5e64dcd7c676cd   142  2010-02-22  2010-09-17
98eb0fdadf8a403c013a8b1882ec986d   139  2010-02-21  2010-09-16
833cda5b5bef5989deb6bf57c557ce30   121  2010-02-23  2010-09-16
f4a200f7818dfb166b9a3d238ac55a2d   104  2010-02-23  2010-09-16
fd28c5e1c38caa35bf5e1987e6167f4c   103  2010-02-21  2010-09-17
f8815cdca238ad5ab566f05f5a6335a4    65  2010-02-21  2010-09-17
a2bf71ed94580d2e957b550c9aae1490    50  2010-02-26  2010-09-17
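The same "active in the window, silent afterwards" selection can be expressed as a single grouped query with a HAVING clause instead of three IN / NOT IN subqueries. The following is an added example, not code from the post: it builds a reduced, constructed copy of the dionaea logsql tables (only the columns the query touches; the real schema has more) in an in-memory sqlite database and runs the generalised query for any protocol and date window.

```python
import sqlite3

# Reduced copy of the two dionaea logsql tables the post joins; the real
# tables carry more columns, so this schema is an assumption for the demo.
SCHEMA = """
CREATE TABLE connections (connection INTEGER PRIMARY KEY, connection_protocol TEXT,
                          connection_timestamp INTEGER, connection_root INTEGER);
CREATE TABLE downloads (download INTEGER PRIMARY KEY, connection INTEGER,
                        download_md5_hash TEXT);
"""

# Constructed events: (md5, protocol of the exploited root connection, day).
EVENTS = [
    ("a" * 32, "epmapper", "2010-02-21"),  # the family that vanished
    ("a" * 32, "epmapper", "2010-09-17"),
    ("a" * 32, "smbd",     "2010-09-25"),  # other protocol, not counted here
    ("b" * 32, "epmapper", "2010-09-17"),  # still active after the 18th
    ("b" * 32, "epmapper", "2010-09-20"),
    ("c" * 32, "epmapper", "2010-03-01"),  # died long before the window
    ("d" * 32, "smbd",     "2010-09-17"),  # never came in via epmapper
]

def build_db(events=EVENTS):
    # Each event is a root connection plus the child connection that carried
    # the download, with connection_root pointing back at the root.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for i, (md5, proto, day) in enumerate(events):
        root, child = 2 * i + 1, 2 * i + 2
        ts = int(db.execute("SELECT strftime('%s', ?)", (day,)).fetchone()[0])
        db.execute("INSERT INTO connections VALUES (?,?,?,?)", (root, proto, ts, root))
        db.execute("INSERT INTO connections VALUES (?,?,?,?)", (child, "httpdownload", ts, root))
        db.execute("INSERT INTO downloads VALUES (?,?,?)", (child, child, md5))
    return db

# The three IN / NOT IN subqueries collapse into one HAVING clause: the last
# hit must fall in (window_start, cutoff]. CAST is needed because MAX() has
# no column affinity, so an integer would never compare greater than text.
VANISHED_SQL = """
SELECT download_md5_hash AS md5sum, COUNT(download_md5_hash) AS hits,
       date(MIN(root.connection_timestamp), 'unixepoch') AS firstseen,
       date(MAX(root.connection_timestamp), 'unixepoch') AS lastseen
FROM downloads NATURAL JOIN connections
     JOIN connections AS root ON connections.connection_root = root.connection
WHERE root.connection_protocol = ?
GROUP BY download_md5_hash
HAVING MAX(root.connection_timestamp) >  CAST(strftime('%s', ?) AS INTEGER)
   AND MAX(root.connection_timestamp) <= CAST(strftime('%s', ?) AS INTEGER)
ORDER BY hits DESC, md5sum"""

def vanished_samples(db, protocol, window_start, cutoff):
    """Hashes whose last hit over `protocol` lies in (window_start, cutoff]."""
    return db.execute(VANISHED_SQL, (protocol, window_start, cutoff)).fetchall()
```

Calling `vanished_samples(build_db(), "epmapper", "2010-09-16", "2010-09-18")` returns only the `a…` sample, with 2 hits, first seen 2010-02-21 and last seen 2010-09-17; its later smbd hit does not count because the protocol filter is applied before grouping, just as in the post's query.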

So we got eleven different malware samples which share basically the same characteristics:

  • spread by exploiting epmapper services
  • first appearance at the end of February, which is basically where my database starts
  • last appearance within the two days before 18th September 2010

Given the hashes, looking up the behaviour of the samples in the anubis/norman sandboxes, it seems their botnet, which was hosted on botz.noretards.com, changed operations during September 2010.
As the domain is not offering any c&c services at the moment, one can assume the botnet was taken down.



2010/12/05/sudden_death.txt · Last modified: 2010/12/05 16:18 by common