Sunday, June 3, 2012

Introducing Ponmocup-Finder

Update 2013-06-01:
Please also read my newer blog posts about Ponmocup:
Ponmocup-Finder has evolved into a little "workflow" :-)
  1. add new infected domains to the list
  2. daily cronjob to run Ponmocup-Finder
  3. latest Ponmocup-Finder script
  4. list of currently infected webservers
  5. history of all previously infected webservers
  6. notification lists for CH / LI and DE domains
If you can do notifications for any infected webservers, go ahead and feel free to let me know.

It would be great to see search engines (like Google, MS Bing etc.) add checks for these infections to their spiders (they would only need to change the user-agent for one request per site), since the infections happen only through search engine redirects.

Update 2012-10-18:
Finally I updated the ponmocup-finder script as promised. I also managed to download a new infector and analyze the malware in a VM. You can also just look at some screenshots of the analysis.
And lastly here are some network indicators of C2:

  intohave.com / 64.179.44.188  (DNS request only)
  88.216.164.117

For more malicious domains and IPs you can download my malware feeds (also using CIF) here:

http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-domains.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-ips.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-domains.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-ips.txt



Update 2012-09-25:
The Ponmocup-Finder script needs some updating / tweaking, since the redirection URL patterns have changed massively again (samples). Instead of just checking for the two previously known URL patterns ("/url\?sa=|/cgi-bin/r.cgi\?p="), it should check whether the infected website's domain appears in the URI parameters of the redirection URL. I will update the script in this post as soon as I find time.

You may have recently read a lot of hype about the Flame or SkyWiper "cyber weapon", the son (or big brother) of Stuxnet and Duqu, which was found on a few thousand systems in a limited number of countries and used for espionage. Interesting and somewhat impressive, but this post is not about any of that.

The Ponmocup malware and botnet is something totally different. A year ago the botnet was several million bots in size (at least 4 million IPs, and possibly a multiple of that in bots) [1]. And it does not target or discriminate against any specific country, so the chances are bigger that you will find one of these bots in your network than a Flame infection.
Please read my previous three posts about Ponmocup to get an idea of what it is and how it works.


[1] Not APT, but nasty malware (Ponmocup botnet)
[2] Ponmocup, lots changed, but not all
[3] Hunting Ponmocup Botnet

Just to clarify something first: this post is more about detecting hacked or infected web servers that redirect unsuspecting visitors to malware downloads than about detecting the infected bots themselves. For the latter, see my request to researchers to find current C&C domains in [3].

I don't know of any service, including all 32 on urlvoid.com, that detects these infected web servers.

So I threw together this little shell script, which takes a list of domains and checks each domain with a single request to see whether it's infected and redirecting visitors to Ponmocup malware (see [2]).

This script is aimed at registrars, ISPs, web hosts, GovCERTs, malware researchers, botnet hunters, or generally anyone who wants to find (and hopefully report) infected web servers and who has access to a large number of domains.

$ cat ponmocup-finder.sh
#!/bin/bash
# Usage: ./ponmocup-finder.sh domains.txt
# Requests each domain once with a browser user-agent and a Google referer
# (the infection only redirects visitors arriving from search engines) and
# inspects the first "Location:" header that wget -S logs.
echo "date started: `date`"
cat "$1" | \
while read domain; do
  echo -ne "checking domain: $domain --> ";
  wget -Sv --tries=1 --connect-timeout=5 \
    --user-agent="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" \
    --referer="http://www.google.ch/search?q=ponmocup+check" \
    "http://${domain}/" -O "${domain}.out" > "${domain}_wget.log" 2>&1
  # first redirect target reported by the server
  redir=`egrep -m 1 "Location: " "${domain}_wget.log"`
## old check (before 2012-09-25): the two previously known redirect URL patterns
## match=`echo $redir | egrep "(/url\?sa=|/cgi-bin/r.cgi\?p=)" | wc -l`
  # new check: the checked domain appears in the query string of the redirect URL
  # (cut -s: a Location without "?" yields nothing instead of the whole line;
  #  grep -F: match the domain literally, so "." is not a regex wildcard)
  match=`echo $redir | cut -s -d"?" -f2- | grep -F -- "$domain" | wc -l`
  if [ $match -gt 0 ]
  then
    echo -ne "seems to be INFECTED: "
    echo -ne `echo $redir | cut -d" " -f2 | cut -d"?" -f1`
    # the second "Resolving" line is the DNS lookup of the redirect target
    egrep -m 2 "Resolving " "${domain}_wget.log" | tail -1 | sed -e 's/Resolving/ --> DNS:/g'
  else
    echo "seems to be CLEAN"
  fi
done
echo "date finished: `date`"
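The redirect check itself, as an added example that is not part of the original post or of ponmocup-finder.sh: the test described in the 2012-09-25 update (does the checked domain appear in the URI parameters of the redirection URL?) together with the two older URL patterns, written as shell functions that can be run over a wget -S log or a single Location value. The function names, the demo domains and the redirect URLs are constructed for this example and are not indicators. Unlike the one-line cut | egrep pipeline, it treats a redirect without any "?" as having no parameters and compares the domain literally rather than as a regex.

```shell
#!/bin/bash
# Added example, not the original ponmocup-finder.sh. Function names and all
# sample domains / URLs below are constructed for the demo.

# location_from_log: read a "wget -S" log on stdin and print the URL from the
# first "Location:" header, or nothing if the server did not redirect.
location_from_log() {
    grep -m 1 "Location: " | awk '{ print $2 }'
}

# classify_redirect DOMAIN LOCATION_URL: print INFECTED or CLEAN.
classify_redirect() {
    domain="$1"
    location="$2"

    # No Location header at all: the server answered without redirecting.
    [ -n "$location" ] || { echo CLEAN; return 0; }

    # Check 1: the two redirect URL patterns known before 2012-09-25
    # ("/url?sa=" and "/cgi-bin/r.cgi?p=").
    case "$location" in
        */url\?sa=*|*/cgi-bin/r.cgi\?p=*) echo INFECTED; return 0 ;;
    esac

    # Check 2: the checked domain appears in the URI parameters.
    # Without a "?" there is no query string, so nothing can match; a plain
    # `cut -d"?" -f2-` would echo the whole URL and a harmless
    # http://example.net/ -> http://www.example.net/ redirect would look infected.
    case "$location" in
        *\?*) query="${location#*\?}" ;;
        *)    echo CLEAN; return 0 ;;
    esac
    # Quoting "$domain" inside the case pattern makes the match literal, so the
    # dots in the domain are not regex wildcards.
    case "$query" in
        *"$domain"*) echo INFECTED ;;
        *)           echo CLEAN ;;
    esac
}

# Demo over constructed cases: "domain|Location value" (empty value = no redirect).
demo_cases='aviationhumor.net|http://redirect.example/cgi-bin/r.cgi?p=aviationhumor.net
example.net|http://www.example.net/
example.net|http://go.example/r?site=example.net&id=1
example.net|http://go.example/r?site=examplexnet
example.net|'
printf '%s\n' "$demo_cases" | while IFS='|' read -r d loc; do
    printf 'checking domain: %s --> seems to be %s\n' "$d" "$(classify_redirect "$d" "$loc")"
done
```

To use it on real output from the finder, pipe a per-domain wget log through location_from_log and hand the result to classify_redirect, e.g. classify_redirect "$domain" "$(location_from_log < "${domain}_wget.log")". The fourth demo case (examplexnet) is the one an unescaped egrep "$domain" would wrongly flag.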


Now let's run this script with a list of 88 domains (known to have been previously infected):

$ ./ponmocup-finder.sh domains-1.txt | tee ponmocup-finder_domains-1.log
checking domain: aviationhumor.net --> seems to be INFECTED: http://philosophymercer.com/cgi-bin/r.cgi --> DNS: philosophymercer.com... 62.212.74.228
checking domain: bgs-architekten.com --> seems to be INFECTED: http://capitalinformer.com/cgi-bin/r.cgi --> DNS: capitalinformer.com... 82.98.86.165

...
checking domain: www.w-en-ve.nl --> seems to be INFECTED: http://reportedtechniques.org/cgi-bin/r.cgi --> DNS: reportedtechniques.org... 208.91.197.108

How long did it take to check these 88 domains?  About 160 seconds

$ egrep "date " ponmocup-finder_domains-1.log
date started: Sat Jun  2 18:33:08 CEST 2012
date finished: Sat Jun  2 18:35:48 CEST 2012


Let's separate the clean and infected domains and do some stats:

$ egrep CLEAN ponmocup-finder_domains-1.log > ponmocup-finder_domains-1_CLEAN.log
$ egrep INFECTED ponmocup-finder_domains-1.log > ponmocup-finder_domains-1_INFECTED.log
$ wc -l ponmocup-finder_domains-1_*.log
   36 ponmocup-finder_domains-1_CLEAN.log
   52 ponmocup-finder_domains-1_INFECTED.log
   88 total

Let's look at the malware domains and IPs (these are not the C&C domains of infected clients):

Important note: some of the older, inactive domains appear to have been grabbed by domain parking services, so not all domains and IPs below are used for malware distribution. I need to separate the good from the bad and the ugly (later).

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2" "$1 }' | sort | uniq -c
      1 176.53.112.108 ceprez.recycling-computers-portland.com...
      1 178.211.33.202 49847.hotel-sarajevo.com...
      1 178.211.33.202 lerberg.belanyi.com...
      1 178.211.33.203 38831.learn2drive4free.com...
      1 178.211.33.203 45215.thomasyohannan.com...
      1 178.211.33.203 46722.azangelfish.com...
      1 178.211.33.205 vamped.wonderfulroofing.com...
      3 199.59.241.218 herocopter.com...
      3 199.59.241.218 indanetwall.net...
      1 199.59.241.218 infernomag.com...
      2 208.91.197.108 reportedtechniques.org...
      2 217.11.251.173 underbuild.net...
      6 62.212.74.224 lewisentitled.com...
      2 62.212.74.228 philosophymercer.com...
      1 69.43.161.177 trialworld.net...
      1 77.79.11.96 45531.3d-tablet.cc...
      1 77.79.11.96 45585.3d-tablet.cc...
      2 82.98.86.165 capitalinformer.com...
      1 8.5.1.34 jesusonlynet.org...
      1 91.207.4.51 41950.thepetserver.com...
      1 91.207.4.51 52984.pballgames.com...
      1 94.63.149.247 handsexual.com...
      1 failed: 35803.finishline-fitness.co.uk...
      1 failed: 43560.vicandbarbs.net...
      1 failed: apartliberal.com...
      4 failed: besidesdream.com...
      2 failed: costslaid.com...
      3 failed: dutytraditional.net...
      1 failed: earlyanswered.com...
      1 failed: interestingchapter.net...
      1 failed: thousandmilitary.com...
      1 failed: twiceseparate.com...
      1 failed: watchingsquare.com...

And here are just the IPs:

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2 }' | sort | uniq -c
      1 176.53.112.108
      2 178.211.33.202
      3 178.211.33.203
      1 178.211.33.205
      7 199.59.241.218
      2 208.91.197.108
      2 217.11.251.173
      6 62.212.74.224
      2 62.212.74.228
      1 69.43.161.177
      2 77.79.11.96
      2 82.98.86.165
      1 8.5.1.34
      2 91.207.4.51
      1 94.63.149.247
     17 failed:

And here's a list of all malware domains and IPs discovered (numeric-only subdomains replaced with "*"):

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2"\n"$1 }' | sed -e 's/[0-9][0-9][0-9][0-9][0-9]/\*/g' | sed -e 's/\.\.\.//g' | sort | uniq | egrep -v failed
176.53.112.108
178.211.33.202
178.211.33.203
178.211.33.205
199.59.241.218
208.91.197.108
217.11.251.173
62.212.74.224
62.212.74.228
69.43.161.177
77.79.11.96
82.98.86.165
8.5.1.34
91.207.4.51
94.63.149.247
*.3d-tablet.cc
apartliberal.com
*.azangelfish.com
besidesdream.com
capitalinformer.com
ceprez.recycling-computers-portland.com
costslaid.com
dutytraditional.net
earlyanswered.com
*.finishline-fitness.co.uk
handsexual.com
herocopter.com
*.hotel-sarajevo.com
indanetwall.net
infernomag.com
interestingchapter.net
jesusonlynet.org
*.learn2drive4free.com
lerberg.belanyi.com
lewisentitled.com
*.pballgames.com
philosophymercer.com
reportedtechniques.org
*.thepetserver.com
*.thomasyohannan.com
thousandmilitary.com
trialworld.net
twiceseparate.com
underbuild.net
vamped.wonderfulroofing.com
*.vicandbarbs.net
watchingsquare.com

And here's the list of infected domains (servers with a malicious .htaccess file):

$ cat ponmocup-finder_domains-1_INFECTED.log | awk '{ print $3 }' | sort | uniq
aviationhumor.net
bgs-architekten.com
cryptonaux.co.uk
europschool.net
flowerbouquetsforweddings.com
hellokittyfighters.de
insurancepersonalpropertyassessments.com
pippatoledoshop.com
rabita-ms.ch
schoenstefaschingskostueme.com
www.apollonreisen.com
www.armsnetafrica.org
www.artistas-americanos.com
www.autocamp-nordsee.com
www.aylar.no
www.babfinance.net
www.canadawideflowers.ca
www.chinchillazucht.eu
www.demton.hu
www.dynam-med.info
www.europschool.net
www.extremebusa.com
www.feliceapicella.it
www.ferienwohnung-hotels-kroatien.de
www.flowerbouquetsforweddings.com
www.football-session.com
www.forexonlinegeheimnisse.com
www.guatemala-tourisme.info
www.hexenkostueme.com
www.hillsidebeachclub.com
www.hotelanderoper.com
www.hypequest.com
www.jenniferhejna.com
www.krcgent.be
www.lotex24.net
www.lotusnaturalspa.ch
www.moebel-direkt.net
www.oceanview-house.com
www.pr-klartext.de
www.ps3-fifaliga.de
www.radiofreecuba.com
www.smelugano2.ch
www.stadtbredimus.lu
www.stublla.net
www.sudani.co.za
www.swisshelp.info
www.thehighheelstore.com
www.theleesonhotel.com
www.titan.vc
www.vdomil.com
www.voegelitherapie.com
www.w-en-ve.nl

I'd be curious to know what percentage (or ppm) of any list of domains would be infected. Anyone want to take a guess?

