Sunday, April 24, 2016

Analyzing the Bill Gates Botnet - An Analysis

We've, recently, intercepted, a high-profile, Linux-based, botnet-driven, type of, malicious, software, that's capable, of launching, a multitude of malicious attacks, on, compromised servers, potentially, exposing, the, integrity, confidentiality, and, availability, of, the compromised servers. Malicious attackers, often rely, on the use of compromised servers, for, the purpose, of, utilizing the access for malicious purposes, including, the capability, to launch malicious DDoS (Denial of Service Attack) attacks, and the ability, to spread additional malicious software, to potential users, including the capability to monetize access to the service, by, launching, DDoS for hire type of malicious and fraudulent services, including, the capability to launch high performance DDoS attacks.

In this post, we'll, profile, and analyze, the Bill Gates botnet, provide, actionable intelligence, on, the infrastructure, behind it, and, discuss, in depth, the tactics, techniques, and procedures, of the cybercriminals, behind it.

Malicious MD5s known to be part of the Bill Gates botnet:
MD5: 5d10bcb15bedb4b94092c4c2e4d245b6
MD5: 0d79802eeae43459ef0f6f809ef74ecc
MD5: 9a77f1ad125cf34858be5e438b3f0247
MD5: 9a77f1ad125cf34858be5e438b3f0247
MD5: a89c089b8d020034392536d66851b939
MD5: a5b9270a317c9ef0beda992183717b33

Known Bill Gates botnet C&C server:
hxxp://dgnfd564sdf.com - 122.224.34.42; 122.224.50.37

Malicious C&C servers known to be part of the Bill Gates botnet:
202.103.178.76
121.12.110.96
112.90.252.76
112.90.22.197
112.90.252.79

Known to have responded to the same malicious IP (122.224.50.37) are also the following malicious domains:
hxxp://lfs99.com
hxxp://chchong.com
hxxp://uc43.net
hxxp://59wgw.com
hxxp://frade8c.com
hxxp://96hb.com
hxxp://cq670.com
hxxp://776ka.com

Malicious MD5s known to have phoned back to the same C&C server IP (122.224.50.37):
MD5: 6739ca4a835c7976089e2f00150f252b
MD5: eb234cee4ff769f2b38129bc164809d2
MD5: dc893d16316489dffa4e8d86040189b2
MD5: 0c1cac2a019aa1cc2dcc0d3b17fc4477
MD5: b7765076af036583fc81a50bd0b2a663

Known to have responded to the same malicious IP (122.224.34.42) are also the following malicious domains:
hxxp://76.wawa11.com
hxxp://903.wawa11.com
hxxp://904.wawa11.com
hxxp://905.wawa11.com
hxxp://906.wawa11.com
hxxp://907.wawa11.com
hxxp://91ww.0574yu.com
hxxp://9911sf.com
hxxp://901.t772277.com
hxxp://aisf.jux114.com
hxxp://520.wawa11.com
hxxp://awooolsf.com
hxxp://2288game.com
hxxp://588bc.com
hxxp://488game.com
hxxp://588bc.com

Malicious MD5s known to have been downloaded from the same malicious C&C server IP (122.224.34.42):
MD5: 5d10bcb15bedb4b94092c4c2e4d245b6
MD5: 9a77f1ad125cf34858be5e438b3f0247

Malicious MD5s known to have been phoned back to the same malicious C&C server IP(122.224.34.42):
MD5: 815e453b6e268addf6a6763bfe013928

Once executed the sample phones back to the following malicious C&C server IPs:
hxxp://awooolsf.com/222.txt - 122.224.34.42
hxxp://xxx.com/download/xx.exe - 67.23.112.226

Known to have responded to the same malicious IP (67.23.112.226) are also the following malicious domains:
hxxp://falconglobalimpex.com
hxxp://deschatz-army.net
hxxp://m.xxx.com
hxxp://xxx.com
hxxp://xxxsites.com
hxxp://t.xxx.com
hxxp://m.xxx.org
hxxp://m.xxxsites.com
hxxp://xxx.org

Known to have been downloaded from the same malicious IP (67.23.112.226) are also the following malicious MD5s:
MD5: b4b483eb0d25fa3a9ec589eb11467ab8

Known to have phoned back to the same malicious C&C server (67.23.112.226) are also the following malicious MD5s:
MD5: 53a7fc24cb19463f8df3f4fe3ffd79b9
MD5: 268b8bcacec173eace3079db709b9c69
MD5: 0faf6988dfeaa98241c19fd834eca194
MD5: 87f8ffeb17a72fda7cf28745fa7a6be8
MD5: c973f818a5f9326c412ac9c4dfaeb0bd

This post has been reproduced from Dancho Danchev's blog.