Table 1. Top 10 domain names / IP addresses that malware communicate with (left). Top 10 script names that exfiltrated data are "dropped" to (right).

 #  Domain / IP address       Count   Dropzone script                Count
 1  varxx.com                 29808   /xt/gate.php                   29808
 2  nevereversite.ru          18890   /gate321.php                   18890
 3  95.224.124.151:555        17101   /temp/stuk.php                 17820
 4  65.60.36.114              13218   /ataactc1/z/gate.php           13218
 5  podgorz.org                9599   /zuo/zsweb cleaned/gate.php     9599
 6  iesahnaepi.ru              8042   /y93/gate.php                   6238
 7  wifahquaht.ru              4763   /cp11/zengate.php               4243
 8  community.infinitie.net    3436   /cp01/zengate.php               2945
 9  esvr3.ru                   2945   /k1o/gate.php                   2892
10  phaizeipeu.ru              2702   /cache/lang cache/web/s.php     2888
network traffic in order to see which of the malware samples have already started exfiltrating data.

Even in such a short time period, we already encountered thousands of suspicious data transmissions. More precisely, we saw that from 74 out of the 108 VMs, outbound HTTP POST messages were transmitted to websites other than the ones we were navigating to while injecting, or even to raw IP addresses. These are most probably drop zones for the credentials stolen by the malware samples and/or configuration or command updates. In total, we recorded 134,302 such requests. The body of each POST message is in binary format, most probably encrypted in some way. Table 1 contains both the top 10 host names / IP addresses that exfiltrated data were sent to and the top 10 script names in the POST messages that handle the data, along with the number of times they appeared in our logs. By examining the counter values on both lists, we see that there are cases where there is a one-to-one match between host names and script names. After looking into these cases, we saw that these script names were only accessed on these host names. In the rest of the cases, where host name counters do not match script name counters, some scripts with the same name were installed on different hosts and some host names had more than one script installed.
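The host-versus-script cross-check described above, as an added example that is not from the paper: a Python script that reads outbound-request log lines from the sandbox VMs (the `<vm-id> <method> <url>` format and the sample lines are constructed, with `.example` names and a documentation-range IP standing in for real drop zones), keeps only POSTs to destinations the injection harness did not itself navigate to, builds the two Table 1 counters, and reports which script names map one-to-one onto a single host versus being shared across hosts or co-hosted with other scripts.

```python
"""Aggregate outbound HTTP POSTs from sandboxed VMs the way Table 1 does:
count destination hosts and drop-zone script paths separately, then
cross-check which scripts map one-to-one onto a host.

Added example with a constructed log format; not the paper's own tooling.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample log, "<vm-id> <method> <url>" per line (hypothetical format).
SAMPLE_LOG = """\
vm01 GET http://bank.example/login
vm01 POST http://bank.example/login
vm01 POST http://dropzone-a.example/xt/gate.php
vm02 POST http://dropzone-a.example/xt/gate.php
vm02 POST http://198.51.100.7:555/temp/stuk.php
vm03 POST http://dropzone-b.example/temp/stuk.php
vm03 POST http://dropzone-b.example/cp11/zengate.php
vm04 GET http://shop.example/cart
vm04 POST http://shop.example/checkout
"""

# Sites the injection harness itself navigates to; POSTs there are expected.
NAVIGATED_SITES = {"bank.example", "shop.example"}


def is_raw_ip(netloc):
    """True when the destination (host[:port]) is a bare IP address, not a name."""
    host = urlsplit("//" + netloc).hostname
    try:
        ip_address(host)
        return True
    except (ValueError, TypeError):
        return False


def suspicious_posts(log_text, navigated=NAVIGATED_SITES):
    """Yield (vm, netloc, path) for POSTs to hosts the harness did not visit.

    netloc keeps the port ("198.51.100.7:555") so raw-IP drop zones appear
    the same way they do in Table 1; the path is the drop-zone script name.
    """
    for line in log_text.splitlines():
        vm, method, url = line.split(" ", 2)
        parts = urlsplit(url)
        if method == "POST" and parts.hostname not in navigated:
            yield vm, parts.netloc, parts.path


def summarize(records, top_n=10):
    """Build both Table 1 lists plus the cross-checks discussed in the text."""
    records = list(records)
    host_counts = Counter(netloc for _, netloc, _ in records)
    script_counts = Counter(path for _, _, path in records)
    hosts_by_script = defaultdict(set)
    scripts_by_host = defaultdict(set)
    for _, netloc, path in records:
        hosts_by_script[path].add(netloc)
        scripts_by_host[netloc].add(path)
    # A script seen on exactly one host, where that host serves only that
    # script, is the one-to-one case in which the two counters must agree.
    one_to_one = sorted(
        path for path, hosts in hosts_by_script.items()
        if len(hosts) == 1 and len(scripts_by_host[next(iter(hosts))]) == 1
    )
    return {
        "total": len(records),
        "vms": sorted({vm for vm, _, _ in records}),
        "raw_ip_hosts": sorted(h for h in host_counts if is_raw_ip(h)),
        "top_hosts": host_counts.most_common(top_n),
        "top_scripts": script_counts.most_common(top_n),
        "one_to_one": one_to_one,
        # Same script name installed on several hosts.
        "shared_scripts": sorted(p for p, h in hosts_by_script.items() if len(h) > 1),
        # One host serving more than one drop-zone script.
        "multi_script_hosts": sorted(h for h, p in scripts_by_host.items() if len(p) > 1),
    }


if __name__ == "__main__":
    report = summarize(suspicious_posts(SAMPLE_LOG))
    print(f"{report['total']} suspicious POSTs from VMs {report['vms']}")
    print("Top hosts:  ", report["top_hosts"])
    print("Top scripts:", report["top_scripts"])
    print("One-to-one: ", report["one_to_one"])
    print("Shared:     ", report["shared_scripts"], "multi-script hosts:", report["multi_script_hosts"])
```

On the constructed log this reports three of the four VMs as exfiltrating, one raw-IP destination, `/xt/gate.php` as the only one-to-one script, `/temp/stuk.php` as a script name shared across two hosts, and `dropzone-b.example` as a host with two scripts installed, which is exactly the distinction the counters in Table 1 cannot make on their own.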
4.3 Feasibility Study
In total, we encountered two hits on the bait accounts from the 108 installed malware samples (described in the previous subsection). The first one was on an account from the anonymous bank, after 26 days. The second hit was a Paypal account access almost two months after (57 days). These results show that our technique is indeed effective, which does validate that our new architecture is working.
As far as the number of hits is concerned, it does raise some interesting questions. On one hand, it could be normal for only 2% of the accounts to be accessed. Some of the dropzones could be inactive or offline. Or, some malware