Targeting Japan: a story from infection vector to C&C server hidden using fast flux and everything in between

Doina Cosovan, Catalin Valeriu Lita/SecurityScorecard

By analyzing the Pushdo botnet's communication protocol and speaking with its Command and Control (C&C) server, one can continuously download fresh samples of its spamming module, Cutwail. After reverse engineering and implementing Cutwail's communication protocol, one can contact its C&C server regularly in order to request the fresh spam templates its bots are distributing at the time. One particular Cutwail campaign we have been monitoring has most of its infections in Japan, and its corresponding C&C server has been sending spam targeting only Japan. Examples of spam we have been downloading from this Cutwail C&C server include phishing for Amazon and Apple in Japanese. The spam templates received from the C&C server include a large list of source email addresses to be used when sending the spam. The domains used for these source email addresses have also been observed in the wild in Japanese-language spam carrying Excel attachments that lead to particular Gozi and Bebloh campaigns. Both Gozi and Bebloh use Domain Generation Algorithms with multiple seeds. The campaign targeting Japan is kept separate, using its own seed; thus most victim IP addresses contacting the domains we generated and sinkholed for these seeds are located in Japan. In order to protect its C&C server, Gozi uses a malicious fast flux infrastructure, which we have also been monitoring.

Most pieces of this puzzle have been known separately, but to the best of our knowledge, all these dots haven’t been connected before.

November 8 at 14:00 - 14:30, Stage A

Doina Cosovan has a Computer Science degree. Prior to joining Security Scorecard 4 years ago, she had worked in Bitdefender's malware research team since her second year of college. She has presented at conferences such as CARO, Virus Bulletin and AVAR. Her interests include malware, botnets, reverse engineering and machine learning.

Cătălin Valeriu Liță received a Bachelor's degree in Computer Science from the Technical University Gheorghe Asachi of Iași, Romania, Faculty of Automatics and Computer Science. He holds a Master's degree in Information Security from the Alexandru Ioan Cuza University of Iași, Faculty of Computer Science, a Master's degree in Business Administration from the Alexandru Ioan Cuza University of Iași, Faculty of Economics and Business Administration, and a Ph.D. in Computer Science from the Faculty of Computer Science. He has presented at the CARO and Virus Bulletin conferences. Prior to joining Security Scorecard, he worked for nine years in Bitdefender's anti-malware team.