Monday, 30 June 2014

Microsoft, njRat, and No-IP

Microsoft's Digital Crimes Unit is claiming their 10th major botnet action, this time targeting the malware known as Bladabindi, or more popularly njRAT, and Jenxcus, better known as H-worm. To do so, Microsoft filed a lawsuit in Nevada against three parties:

Naser Al Mutairi, a Kuwait City resident known to be the author of njRAT through his various aliases: njq8, xnjq8x, njq8x, and njrat

Mohamed Benabdellah, an Algerian living in or near Mila, Algeria, who uses the aliases Houdini, houdinisc, and houdini-fx

and Vitalwerks Internet Solutions, LLC, d/b/a No-IP.com, with offices at 5905 South Virginia Street, Suite 200, Reno, Nevada 89502.

The lawsuit is also filed against "John Does 1-500," who are supposedly the 500 principal operators of njRAT and H-Worm malware. (H-Worm is a closely related RAT, likely based on the same source code.) Because they do not yet know the identities of these RAT operators, they are assigned "John Doe" aliases, in the hope that the power of discovery granted by the lawsuit can help to reveal their true identities.

On the other side of this Internet battle is Vitalwerks and their literally millions of service users. Vitalwerks provides the capability to host an Internet service even though your computer may be using a DHCP-assigned IP address. Normally a webserver has to have a permanently assigned IP address which is listed by a DNS service so that computers on the Internet can find the service you are offering. With Dynamic DNS services, your computer can connect to the service and constantly update its IP address, so that even if your IP changes many times per day, your service users can still find you. In Microsoft's lawsuit, they agree that "Dynamic DNS is a vital part of the Internet because it allows anyone to have a domain name even though they have a changing IP address." Their accusation is found in the next sentence: "However, if not properly managed, a Dynamic DNS service can be susceptible to abuse."

The lawsuit points out that in April 2013, OpenDNS published an article online detailing its investigation into Dynamic DNS abuse. In that study, On the Trail of Malicious Dynamic DNS Domains by my friend Dhia Mahjoub, OpenDNS collected resolutions of various Dynamic DNS domains, and concluded that during their study some domains, such as "hopto.org", were used for malicious purposes as often as 56% of the time! Other domains with high malicious percentages included:

hopto.org - 56.71%
us.to - 49.45%
myftp.org - 37.50%
myvnc.com - 33.33%
myftp.biz - 20.20%
dlinkddns.com - 12.22%
no-ip.info - 10.70%
no-ip.org - 4.57%

The lawsuit also discusses Symantec reporting about the malware being used on No-IP. One such Symantec report is: Simple njRAT Fuels Nascent Middle East Cybercrime Scene. (Microsoft doesn't really mention that basically NOBODY calls the malware Bladabindi except Microsoft. Just call it njRAT like everyone else, please!) In that report, from March 2014, Symantec mentions one particular group that infects as many as 4500 computers per day using their C&C servers at njratmoony.no-ip.biz and nrj.no-ip.biz.

This blogger can confirm firsthand the complaint made by No-IP themselves. Although Microsoft was supposedly going to ensure that "legitimate" No-IP customers were not impacted, for a significant part of the day on June 30, 2014, large portions of the Internet (including three Linux servers that this blogger uses on three separate networks) had no idea how to find the No-IP domains. The nameserver changes were not propagated in a way that made them seamless. No-IP's Formal Statement on Microsoft Takedown can be found on their website. In that statement, No-IP claims that "billions of queries" from "millions of innocent users" were dropped "because of Microsoft's attempt to remediate hostnames associated with a few bad actors" and implies that Microsoft did not dedicate enough resources to handle the traffic.

The primary purpose of the court orders was in fact to allow Microsoft to take matters into their own hands and filter the traffic for 130 pages' worth (more than 18,000 3LDs) of hostnames that were hosted by NO-IP and were associated with criminal activity and malware, primarily related to the two RATs, njRAT and H-Worm.

Of course, on the other side of that is the fact that Microsoft documents that in the past twelve months MORE THAN SEVEN MILLION WINDOWS USERS were impacted by malware hosted on NO-IP domains! If someone's infrastructure is routinely abused to harm seven million of your customers, don't you have a right to do something about it? While NO-IP can claim that they have an active abuse desk that deals with these complaints, dozens of criminal tutorials would not recommend hosting your malware on a NO-IP address, and many of those addresses would not have lived on consistent names for MANY MONTHS (as in the names mentioned in the Symantec link above), unless there were a clear pattern of NOT terminating offending 3LDs (third level domains).

Cisco's fabulous cybercrime fighter, Levi Gundert, whom I first worked with while he was working on the LA Electronic Crimes Task Force as one of the most effective U.S. Secret Service cybercrime agents, and who later worked for Team Cymru, recently wrote a piece for Cisco's blog on Dynamic Detection of Malicious DDNS. Levi says that free DDNS services "check all of the necessary attack boxes" that make the service desirable for criminals. As he explains:

Free DDNS services, by comparison, check all of the necessary attack boxes. Sub-domains can be quickly and easily generated and DNS records are trivially changed. For the remote access Trojan (RAT) crowd that are typically attempting to spy on female victims and running servers from home, DDNS is a natural fit. In fact, searching the web for tutorials on using freely available RATs like Black Shades, Dark Comet, or Poison Ivy returns results that all instruct RAT attackers to first create DDNS sub-domains in order to properly configure the RAT, specifically enabling a “back connect” to the attacker. Naturally, one segment of RAT users tend to be less technical, relying on tutorials and point and click interfaces to actually launch the RAT, which likely contributes significantly to the overall metrics of malicious DDNS use.

Levi provides the following graph showing how often Cisco's Cloud Web Security blocks Dynamic DNS third level domains, based on the reputation of each service:

(Graph not reproduced here; source: blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/)

zapto.org, one of the NO-IP domains, is blocked 100% of the time for users of Cisco's Cloud Web Security. no-ip.info, no-ip.org, and no-ip.biz are also all blocked between 50% and 100% of the time based on reputation. Levi next goes on to ask, of all the DDNS base domains, "what do the corresponding malware numbers look like for the DDNS domains most abused by threat actors?"

(Graph not reproduced here; source: blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/)

Even after such widespread and published reports of NO-IP being used for malware abuse, Microsoft observed no significant change in their abuse practices, based on the malware analysis they performed. Following the February 2014 Cisco report, Microsoft "continues to see 2,000-3,000 new unique malware samples per month that are supported by No-IP."

But that doesn't mean No-IP is not responsive. Brian Krebs reported on this conflict in his article today, Microsoft Darkens 4mm Sites in Malware Fight, where he quotes No-IP's Natalie Gogun as saying that of the 18,000 sites mentioned in the Temporary Restraining Order, only about 2,000 of them were actually still live. Krebs quotes Crowdstrike's Dmitri Alperovitch mentioning that No-IP has always been very responsive, and I've seen the same. In fact, immediately following the Cisco blog above, a member of the No-IP security team was observed by this blogger on a security researcher mailing list asking if anyone could help him get the full list so he could make sure they killed all of the domain names mentioned. (Hi, Kurt!)

The problem here may be the nature of the malware used on these sites. While the security community regularly sees and reports on financial crimes malware, such as Zeus, or malware that has significant and widespread distribution, in most cases njRAT No-IP domains are being used by small-time botmasters to allow themselves to spy on a few dozen webcams. In fact, in a review of more than 1800 recent URLs associated with delivering financial crimes malware observed by Malcovery Security's T3 product, NONE of the No-IP domains were seen to be used. Financial crime malware does not seem to be heavily associated with No-IP. While njRAT certainly has the capability to be used for more significant crimes (including installing any additional malware desired by the criminals, and famously being used by the Syrian government to spy on the rebels), its primary reputation is as a tool for online perverts. Their typical victims tend to lack the Internet-savvy that allows corporate, industry, and government malware victims to report malware victimization to No-IP and receive a response. Sophisticated financial crimes malware criminals are very unlikely to link their malware back to dynamic DNS hosts that they personally control and are much more likely to use "more permanent" hosting in the form of hacked or leased servers.

The Microsoft complaint mentions YouTube, and we were able to quickly find many similar njRAT tutorials. There were also njRAT groups hosted on Facebook where botmasters were openly trading photographs of victims and offering to "trade slaves" (as they refer to the pretty girls whose webcams they control.) We reported three such groups to Facebook Security who took quick action to kill the groups which had a combined membership of more than 16,000 users!

Some examples of these creeps' work might help illustrate the type of crimes committed by the typical njRAT botmaster:

Farid shows a screenshot boasting of 200 simultaneously online njRAT victims.

Farid frequently posts photos of his conquests:

Others do the same:

Here's the Before and After of Farid's njrat group . . .

and after we reported the group to Facebook Security . . .

Conclusions?

I can't really take sides on this one. Do we need to do something more to help the victims of this kind of malware? Absolutely. Was it necessary to seize 22 domains at No-IP? I can't argue with Microsoft wanting to prevent infections to more than 7 million Windows victims, but I certainly can understand the great frustration experienced by the No-IP folks.

Monday, 2 June 2014

Is the Game Over for GameOver Zeus?

Several weeks ago law enforcement friends in Pittsburgh started asking people not to publish anything too public about GameOver Zeus. When we asked why, we got a teasing "You'll see!" Now our ISP friends that were participating in the effort are grinning ear to ear as we may actually have a chance to disrupt Zeus in a meaningful way. Being a legal geek, I was excited to have the documents published on the main Justice website today at www.justice.gov/opa/gameover-zeus.html.

The Complaint against Evgeniy Mikhailovich Bogachev aka Slavik, aka Pollingsoon was unsealed in court where the Pittsburgh FBI led the investigation into CryptoLocker and GameOver Zeus. In addition to Bogachev, charges are filed against several aliases of as-yet-unidentified hackers, "Temp Special", "Ded", Chingiz (aka Chingiz 911), and Mr.KyKyPyKy. The Complaint charges that "Together, GOZ and Cryptolocker have infected hundreds of thousands of computers around the world and have generated losses that exceed $100 million."

Some of the specific cases mentioned in the complaint include:

  • A composite materials company in the Western District of Pennsylvania which lost more than $198,000 from its bank account using credentials stolen by the Defendants through the use of GOZ; (The Pittsburgh Indictment shares more details, telling us this was Haysite Reinforced Plastics, whose PNC Bank account was fraudulently accessed and used to send their money to a mule account in the name of Lynch Enterprises, LLC, at SunTrust Bank in Atlanta, Georgia, after they clicked on a NACHA email informing them their ACH payment had failed, in October 2011. They also transferred $175,756.91 to an account belonging to R&R Jewelers, and ATTEMPTED six additional transfers, all on October 20, 2011. The money in the SunTrust account was quickly moved on ($99,822 of it, anyway) to an HSBC account in London.)
  • An Indian tribe in Washington - $277,000
  • A corporation managing assisted living facilities in Pennsylvania - $190,800
  • A regional bank in Northern Florida - $7 Million

CryptoLocker is described separately as having "first emerged in mid-to-late 2013" and infected "more than 230,000 computers, including more than 120,000 in the United States."

Just between October 15, 2013 and December 18, 2013, we know that $27 million in ransom payments were made, just by tracking the ransom payments made using Bitcoin!

The charges in the criminal complaint are:

Count I: Wire fraud: 18 USC Section 1343 "Having devised a scheme or artifice to defraud and for obtaining money by means of false or fraudulent pretenses and transmitting and causing to be transmitted by means of wire communications in interstate and foreign commerce, writings, signs, and signals for the purpose of executing such scheme or artifice."

Count II: Bank Fraud: 18 USC Section 1344 "knowingly executing a scheme or artifice to defraud financial institutions insured by the FDIC and to obtain moneys under the custody and control of these institutions by means of false and fraudulent pretenses and representations."

Count III: Unauthorized interception of electronic communications: 18 USC Section 2511 "intentionally intercepting electronic communications, and intentionally using and endeavoring to use the contents of the electronic communications knowing that the information is obtained through the unauthorized interception of electronic communications."

all of which, according to 18 USC Section 1345(a) and (b), allow Injunctive Relief to prevent a continuing and substantial injury to the owners and legitimate users of the infected computers.

An FBI Pittsburgh cyber agent was the affiant in the 28-page Application for Temporary Restraining Order, which recounts that while the largest known single wire transfer was a $6.9 million wire, fraudulent wires in the amount of $1 million were "very common." A single bank experienced 11 fraudulent wires, with six being for more than $950,000 and the largest being 2 million dollars!

The GOZ affidavit mentions a few email addresses: Bogachev uses bollinger.evgeniy@yandex.ru as one email address, while Chingiz 911 uses charajiang16@gmail.com. Seeing the nickname "Ded" as one of the members of the gang, I can't help but recall "Ded Pixto", the nickname of Stanislav Avdeiko, the Koobface malware author.

So how will this "takedown" actually work? First, some hard work by a couple of genius malware reverse engineers at Dell SecureWorks and CrowdStrike helped the Pittsburgh FBI agent to understand the current Command & Control infrastructure so it could be rendered harmless. The problem, though, is that both GOZ and CryptoLocker have a built-in backup plan in the form of a Domain Generation Algorithm (DGA). The job of a DGA is to allow the botmaster to reconnect to his bots IN THE FUTURE using infrastructure that neither the bots nor the botmaster have even created yet. A formula calculates a domain name based on a timestamp. So, if NONE of the hard-coded IP addresses can be reached, the bot looks up the current date and begins "guessing" domains that the criminal may have registered in order to update the bot with new hard-coded addresses. As a few examples, on July 1, 2014, CryptoLocker will try to connect to 1,000 domains, including:

wncbbejfurrw.net
kbdnkmpgxlxh.biz
aevmpupnouqy.ru
nrwyydvorowj.org
bvgurlkgcwya.co.uk
ojhhbtqhfqfk.info
eqcoayuicfrp.com
fsdnbhyofoiv.net
fimwcppbphaq.biz
gknvdxthsqqw.ru
iygiqgvjjkys.org
jbhhroapmtpy.co.uk
jqqqswqcwmht.info
ksrptfuiavxa.com
klrmfgyihrch.net
xysyolodvgen.biz
mgcjywthscyu.ru
atdvicjchqbb.org
otvgvnajowjk.co.uk

The Temporary Restraining Order (TRO) seeks an Order that:

1) directs four U.S. based internet domain Registries to block access to around 900 PAGES of domain names, seemingly the "future" list of DGA-generated domain names for CryptoLocker and GOZ. The GameOver Zeus domains are listed in Appendix A while the CryptoLocker domains are listed in Appendix B. Because ICANN only has jurisdiction over the Generic TLDs, this approach doesn't work for the ".ru" domains. CryptoLocker also uses ".co.uk" domains, so one would hope that the British government has asked for a similar favor from their counterpart registries. The four Registries in the US were VeriSign, Inc., representing .com and .net; Neustar, Inc., representing .biz; Afilias USA, Inc., representing .info; and Public Interest Registry, representing .org.

Appendix A actually contains 25,937 domains for GameOver Zeus, arranged in ten columns, with three columns of domains listed on pages 1-69, 70-138, 139-207, and then a single column on pages 208 to 276. It's actually seven columns of 2594 domains and three columns of 2593 domains, or 25,937 domains for GameOver Zeus.

Appendix B has six columns on pp. 1-176, pp. 177-352, and then six columns of various lengths from 353 to the end of the 704-page document, for a total of 130,421 domains for CryptoLocker.

Afilias, Neustar, Verisign, and Public Interest Registry are ordered to redirect all of those 156,000 or so domains to use the nameservers ns1.kratosdns.net and ns2.kratosdns.net, preventing the criminals from using those domains to re-establish control of their botnet.

2) directs the twenty largest ISPs in America to not allow access from their networks to the .RU domains that the DGA can make, as the .RU domains are not under ICANN control. The ISPs named here are:

Cablevision, AT&T, Cox, Comcast, Mediacom, AOL, Frontier, Sprint, Time Warner Cable, Verizon, Charter, CenturyLink, Suddenlink, Wide Open West, Windstream, Level 3, Armstrong Group of Companies, Bright House, Earthlink, and NTT America.

Those ISPs are forbidden to allow traffic to the .ru domains listed in Appendix C.

3) directs that all traffic intended for one of those domains be redirected to .gov controlled servers

and

4) seeks a Pen Register/Trap and Trace Order that would gather information about the nodes directed to those replacement boxes, and share that information back with the ISPs and victims to help them protect themselves. This "Dialing, Routing, Addressing, and Signaling" data (called DRAS in telephone-legalese) is to be turned over to the government so that attempts can be made to clean up these victims' computers.
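As an added illustration (not code from this post, the complaint, or the malware itself), here is a toy date-seeded DGA in Python that borrows only what the post shows: 12-letter labels and the .net/.biz/.ru/.org/.co.uk/.info/.com rotation in the sample list above. Its SHA-256 seeding, the registry mapping and the DNS log format are assumptions; the second and third functions show the defender's side of the same arithmetic: splitting one day's list into the gTLD names the four US registries can redirect versus the .ru/.co.uk names left to ISP blocking, and matching DNS query logs against the expected set (allowing for infected hosts whose clocks are off by a day).

```python
import hashlib
from datetime import date, timedelta

# Taken from the post: 12-letter labels and the TLD rotation in the listed
# sample. The seeding below (SHA-256 of date + counter) is an illustrative
# assumption, NOT the reverse-engineered CryptoLocker or GOZ algorithm.
TLDS = ["net", "biz", "ru", "org", "co.uk", "info", "com"]
LABEL_LEN = 12
US_REGISTRY = {"com": "VeriSign", "net": "VeriSign", "biz": "Neustar",
               "info": "Afilias", "org": "Public Interest Registry"}


def dga_domains(day: date, count: int = 1000) -> list[str]:
    """Candidate domains for one day. The list depends only on the date, so
    the bot, the operator and a defender who knows the scheme all derive the
    same names; that is what let the TRO list the 'future' domains."""
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def split_by_remedy(domains: list[str]) -> tuple[dict[str, list[str]], list[str]]:
    """Mirror the order's two remedies: gTLD names go to the four US
    registries for redirection; .ru and .co.uk names, outside ICANN's
    reach, are returned separately for ISP-level blocking."""
    by_registry: dict[str, list[str]] = {}
    non_gtld: list[str] = []
    for d in domains:
        tld = d.split(".", 1)[1]
        if tld in US_REGISTRY:
            by_registry.setdefault(US_REGISTRY[tld], []).append(d)
        else:
            non_gtld.append(d)
    return by_registry, non_gtld


def flag_dga_queries(log_lines: list[str], today: date, skew_days: int = 1) -> list[str]:
    """Detection side: clients that queried a name in the DGA set for today
    or a neighbouring day (infected hosts' clocks are not always right).
    Log format is constructed for this example: '<time> <client> <qname>'."""
    watch: set[str] = set()
    for delta in range(-skew_days, skew_days + 1):
        watch.update(dga_domains(today + timedelta(days=delta)))
    hits: list[str] = []
    for line in log_lines:
        _, client, qname = line.split()
        if qname.rstrip(".").lower() in watch and client not in hits:
            hits.append(client)
    return hits


if __name__ == "__main__":
    day = date(2014, 7, 1)
    names = dga_domains(day)
    regs, other = split_by_remedy(names)
    print(len(names), {k: len(v) for k, v in regs.items()}, len(other))
    # Constructed DNS log: one infected client, one benign lookup.
    log = [f"10:00:01 192.0.2.10 {names[3]}.", "10:00:02 192.0.2.20 www.example.com."]
    print(flag_dga_queries(log, day))  # -> ['192.0.2.10']
```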

In cooperation with these efforts, McAfee is providing their "Stinger" program to be used by any victims to clean and remove GameOver Zeus or CryptoLocker infections.

All of that is now in play ... it is too early to tell if the game is really over, but best of luck and congratulations to the fine agents and CCIPS lawyers who made this possible!