Monday, October 29, 2012

The crusaders' note: Found the CNC of TrojDownloader/Backdoor/Spy in GoDaddy

We know that GoDaddy is quite popular as a victim of infectors, but this time we found a rare case showing hard proof that GoDaddy is being used as the CNC server of a Trojan which downloads other stuff, implements a backdoor, and spies on / sends information to the CNC.
It is written up in full in our pastebin here: --->>[PASTEBIN], so I'm not going to repeat it here, but I have pasted the GoDaddy CNC PoC below:
==================================
NETWORK TRAFFIC DETAILS
==================================
 
//CNC Remote Access:
IP: 184.168.194.39
Port: TCP/1433
Protocol: Unknown

//Host:
184.168.194.39
kibars.db.7172228.3d8.hostedresource.net
ALIAS kibars.db.7172228.hostedresource.com
 
//N/W:
NetRange:       184.168.0.0 - 184.168.255.255
CIDR:           184.168.0.0/16
OriginAS:       AS26496
NetName:        GO-DADDY-COM-LLC
 
//Domain
   Registered through: WWDomains.com
   Domain Name: HOSTEDRESOURCE.NET
      Created on: 24-May-11
      Expires on: 24-May-21
      Last Updated on: 20-Jun-11

//Communication Details↓

Data sent:
1201 0034 0000 0000 0000 1500 0601 001b    ...4............
0001 0200 1c00 0c03 0028 0004 ff08 0001    .........(......
5500 0000 4d53 5351 4c53 6572 7665 7200    U...MSSQLServer.
b004 0000                                  ....
Data received:
0401 0025 0000 0100 0000 1500 0601 001b    ...%............
0001 0200 1c00 0103 001d 0000 ff0a 3210    ..............2.
a700 0000 00                               .....
Data received:
0401 0025 0000 0100 0000 1500 0601 001b    ...%............
0001 0200 1c00 0103 001d 0000 ff0a 3210    ..............2.
a700 0000 00                               .....
Data sent:
1201 004e 0000 0000 1603 0100 4101 0000    ...N........A...
3d03 014d 6ed2 fa41 7a79 d17f 599e 3b32    =..Mn..Azy..Y.;2
9aea 9e90 f45a 4818 b6e7 bf80 ff67 1be2    .....ZH......g..
3c4c 2e00 0016 0004 0005 000a 0009 0064    <L.............d
0062 0003 0006 0013 0012 0063 0100         .b.........c..
Data received:
1201 0262 0000 0000 1603 0102 5502 0000    ...b........U...
4603 0150 8ada 9c4c ffea 4ba0 be32 bd85    F..P...L..K..2..
7120 3126 edce 653b dba6 1437 a061 8fba    q 1&..e;...7.a..
c2d6 2420 7c2a 0000 da01 e188 e247 4e70    ..$ |*.......GNp
82a0 da01 de9a a672 dca9 34c6 c756 3ac9    .......r..4..V:.
5ce0 c2e6 0005 000b 0002 0300 0200 0001    \...............
fd30 8201 f930 8201 62a0 0302 0102 0210    .0...0..b.......
3fd7 0913 e161 b0b0 4a0c 5d54 1ee0 57a4    ?....a..J.]T..W.
300d 0609 2a86 4886 f70d 0101 0505 0030    0...*.H........0
3b31 3930 3706 0355 0403 1e30 0053 0053    ;1907..U...0.S.S
004c 005f 0053 0065 006c 0066 005f 0053    .L._.S.e.l.f._.S
0069 0067 006e 0065 0064 005f 0046 0061    .i.g.n.e.d._.F.a
006c 006c 0062 0061 0063 006b 301e 170d    .l.l.b.a.c.k0...
3132 3130 3132 3037 3430 3234 5a17 0d34    121012074024Z..4
3231 3031 3230 3734 3032 345a 303b 3139    21012074024Z0;19
3037 0603 5504 031e 3000 5300 5300 4c00    07..U...0.S.S.L.
5f00 5300 6500 6c00 6600 5f00 5300 6900    _.S.e.l.f._.S.i.
6700 6e00 6500 6400 5f00 4600 6100 6c00    g.n.e.d._.F.a.l.
6c00 6200 6100 6300 6b30 819f 300d 0609    l.b.a.c.k0..0...
2a86 4886 f70d 0101 0105 0003 818d 0030    *.H............0
8189 0281 8100 b723 bf01 a2c2 4948 6867    .......#....IHhg
4013 9a8f 60df 5931 0079 ab9d 86ec faae    @...`.Y1.y......
6a29 ca24 310a 9503 49c5 1a68 fba7 6e27    j).$1...I..h..n'
0194 806c 984c 7d9f d9a7 bf1b 4a21 2ac4    ...l.L}.....J!*.
f991 15d0 78ec 3616 3fbd 2e29 284b 4fe6    ....x.6.?..)(KO.
95d9 1652 c074 bfef 7011 f49c f298 d049    ...R.t..p......I
3644 83fc 6b45 c073 33c4 11d2 c643 5c54    6D..kE.s3....C\T
366d bed7 1f32 95e0 66af 1b5a 1705 44df    6m...2..f..Z..D.
e2dd bbdd 4a5b 0203 0100 0130 0d06 092a    ....J[.....0...*
8648 86f7 0d01 0105 0500 0381 8100 3fb9    .H............?.
2a04 9d21 a08b 246d 50b5 c6fa f43c 2068    *..!..$mP....< h
06b4 1fe8 8d87 63d9 db8c e26a 0350 1b4e    ......c....j.P.N
43f6 0028 d949 509b 40f7 45fd 1704 77ff    C..(.IP.@.E...w.
43ac 7691 9e3e 904e 2865 383e 92d4 36f2    C.v..>.N(e8>..6.
f288 a1c1 17de fe1a d802 5845 5441 84a0    ..........XETA..
2a44 ccc1 3255 73fa 5a1b 00b4 1a5d 99e6    *D..2Us.Z....]..
9f70 e7bf 180a e038 3b8d d062 529e 1454    .p.....8;..bR..T
47af e431 03ba e29b 4427 655e 604f 0e00    G..1....D'e^`O..
0000                                       ..
Data sent:
1201 00c2 0000 0000 1603 0100 8610 0000    ................
8200 80b3 d498 e24c 1dc7 f64f 3936 9003    .......L...O96..
39d8 b500 6b69 b224 8f6f c28c 2a3b 239f    9...ki.$.o..*;#.
2a58 c8df 5e25 2152 d16d e2e5 0734 8428    *X..^%!R.m...4.(
d297 2ef1 debe 114d 5a1e 0831 168f 26ce    .......MZ..1..&.
f3c9 3d51 d3a2 1e8b ccf2 a795 ccef de18    ..=Q............
bc05 c33c 533b a4d5 30ba f192 18e8 4699    ...<S;..0.....F.
91fd 601a 74df 2f1d 7db2 095f 9964 ef04    ..`.t./.}.._.d..
5606 3231 8a02 9fa7 37f5 90d2 ea8f bb68    V.21....7......h
3a39 6414 0301 0001 0116 0301 0024 b7cd    :9d..........$..
6104 1932 a285 637a e79e fd73 42bb df15    a..2..cz...sB...
b6d2 7ae9 5b4d 878b a986 c41d 059e 5e83    ..z.[M........^.
7486                                       t.
Data received:
1201 0037 0000 0000 1403 0100 0101 1603    ...7............
0100 2409 770c ced7 501f 2755 01f9 2a55    ..$.w...P.'U..*U
d935 2976 c9f4 4614 0b0e 908a cc33 bae1    .5)v..F......3..
51d0 5b6c 6963 79                          Q.[licy
Data received:
0000 0000 0000                             ......
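
The first request/response pair above is an MS SQL Server (TDS) pre-login exchange on TCP/1433: the client's packet carries the string "MSSQLServer" and the reply advertises the server build. The decoder below is an added example, not part of the original report; it parses those two packets (bytes copied from the dump) using the PRELOGIN option-table layout from the MS-TDS specification.

```python
import struct

# Packets copied from the "Data sent" / "Data received" hex dump above (TCP/1433).
CLIENT_PRELOGIN = bytes.fromhex(
    "1201003400000000000015000601001b" "000102001c000c0300280004ff080001"
    "550000004d5353514c53657276657200" "b0040000")
SERVER_PRELOGIN = bytes.fromhex(
    "0401002500000100000015000601001b" "000102001c000103001d0000ff0a3210"
    "a700000000")

PACKET_TYPES = {0x04: "TABULAR_RESULT", 0x12: "PRELOGIN"}
OPTION_NAMES = {0: "VERSION", 1: "ENCRYPTION", 2: "INSTOPT", 3: "THREADID", 4: "MARS"}
ENCRYPTION = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}

def parse_prelogin(pkt):
    """Decode one TDS packet carrying a PRELOGIN option table."""
    # 8-byte TDS header: type, status, length (big-endian), spid, packet id, window.
    ptype, status, length, spid, pkt_id, _ = struct.unpack(">BBHHBB", pkt[:8])
    if length != len(pkt):
        raise ValueError(f"TDS length {length} != {len(pkt)} captured bytes")
    body = pkt[8:]
    # Option table: (token, offset, length) triples, offsets relative to the body,
    # terminated by 0xFF. Offsets and lengths are big-endian.
    raw, pos = {}, 0
    while body[pos] != 0xFF:
        token, off, ln = struct.unpack(">BHH", body[pos:pos + 5])
        raw[OPTION_NAMES.get(token, f"OPT_{token:#04x}")] = body[off:off + ln]
        pos += 5
    major, minor, build, sub = struct.unpack(">BBHH", raw["VERSION"])
    thread = raw.get("THREADID", b"")
    return {
        "packet_type": PACKET_TYPES.get(ptype, f"{ptype:#04x}"),
        "version": f"{major}.{minor}.{build}.{sub}",
        "encryption": ENCRYPTION.get(raw["ENCRYPTION"][0], "unknown"),
        "instance": raw.get("INSTOPT", b"").split(b"\x00")[0].decode("ascii"),
        # THREADID is a little-endian ULONG; the server answers with a zero-length one.
        "thread_id": struct.unpack("<I", thread)[0] if len(thread) == 4 else None,
    }

if __name__ == "__main__":
    for label, pkt in (("client", CLIENT_PRELOGIN), ("server", SERVER_PRELOGIN)):
        print(label, parse_prelogin(pkt))
```

Both sides answer ENCRYPT_OFF, which in TDS means only the login packet is TLS-protected; that is why the rest of the trace is a TLS handshake carried inside type-0x12 packets, with the server presenting the "SSL_Self_Signed_Fallback" certificate visible in the ASCII column above.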

Hope this report will make GoDaddy clean up the CNC soon.

#MalwareMustDie