
The end of EITest: how the largest traffic-distribution network for spreading malware was taken down

The EITest botnet consisted of more than 52 thousand servers, and cybercriminals used it to spread malware. Specialists from Abuse.ch, BrillantIT and Proofpoint, companies that deal with corporate information security, managed to sinkhole (redirect traffic to a web server they control) the EITest management infrastructure and neutralize it.

How EITest arose, and how it was finally shut down, we will tell under the cut.


/ Flickr / Christiaan Colen / CC

A little about EITest


The EITest botnet was considered the "king of traffic distribution" and was used by attackers to spread exploits and redirect users to malicious sites and phishing pages.

EITest entered the cybercrime market in 2011. At first, its creators used it for their own purposes, mainly for routing traffic to sites hosting their "homegrown" exploit kit, Glazunov (which infected devices with the Zaccess trojan).

At that time, the EITest network was not a serious threat. However, by the end of 2013 the attackers had upgraded their infrastructure, and as early as July 2014 they began to lease EITest to other malware creators.

As one of the specialists at Proofpoint noted, the EITest team began selling traffic intercepted from hacked sites at $20 per thousand users. Moreover, the minimum unit for a transaction was 50 thousand users.

Since then, EITest has been a daily "pain" for information security specialists: the network distributed a huge number of ransomware viruses from different families and redirected traffic to resources hosting exploit kits (including Angler and RIG). More recently, EITest was observed sending users to sites with fake updates, font packages and browser lockers (browlock).

Proofpoint experts estimated that the malicious network consisted of 52 thousand servers located in the United States, Brazil, Britain, Kazakhstan, Australia, China, India, South Africa and other countries. The highest concentration of hacked servers was noted in the USA, Australia and China. From March 15 to April 4, 2018, these servers processed about 44 million requests.

How to "neutralize" the network


At the beginning of the year, BrillantIT specialists discovered how infected sites connect to the management infrastructure. Analysis of the system showed that the C&C domains were formed on the basis of stat-dns.com. This domain was redirected to a different IP address, and four new EITest C&C domains were generated.

Having created the new domains, the specialists were able to replace the malicious server with a sinkhole. It now receives the traffic from all compromised sites carrying backdoors, and their visitors are no longer exposed to malware or injected third-party code. The structure of the network and the location of the "security server" in it can be seen in the diagram provided by Proofpoint (available here). The actions of the security experts have prevented 2 million potential redirects to malicious sites per day.

Proofpoint reports that after the "interception" of EITest, the cybercriminals shut down their C&C proxies. However, the researchers still observed a number of encrypted requests to the sinkhole server, which, judging by the commands they contained, can be regarded as attempts to take control of the network. The experts have no evidence, though, that these came from the EITest owners.
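The sinkhole described above only protects visitors of the compromised sites; the sites themselves still carry the backdoor and keep resolving the C&C domains. On the defender's side, the practical follow-up is to look through DNS resolver logs for hosts that still query the sinkholed domain family. The script below is an added example, not code from the post or from Proofpoint: it parses a few constructed resolver log lines, flags every query that is either the stat-dns.com domain named in the article (or one of its subdomains) or that resolved to an assumed, placeholder sinkhole address, and groups the hits per client so that still-infected hosts can be cleaned up.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (format and addresses are assumed,
# not real traffic). RFC 5737 documentation ranges are used for answers.
SAMPLE_DNS_LOG = """\
2018-04-02T10:15:01Z client=10.0.5.23 query=www.example.com type=A answer=93.184.216.34
2018-04-02T10:15:04Z client=10.0.5.23 query=abc123.stat-dns.com type=A answer=203.0.113.10
2018-04-02T10:16:17Z client=10.0.7.41 query=mail.example.org type=A answer=198.51.100.7
2018-04-02T10:17:09Z client=10.0.7.41 query=stat-dns.com type=A answer=203.0.113.10
2018-04-02T10:18:30Z client=10.0.9.8 query=cdn.example.net type=A answer=198.51.100.9
2018-04-02T10:19:02Z client=10.0.5.23 query=DEF456.STAT-DNS.COM type=A answer=203.0.113.10
2018-04-02T10:20:00Z client=10.0.9.8 query=mystat-dns.com type=A answer=198.51.100.20
"""

# Domain family the article names as the base of the EITest C&C domains.
WATCH_DOMAINS = {"stat-dns.com"}

# Hypothetical sinkhole address (placeholder; the real sinkhole IP is not on the page).
SINKHOLE_IPS = {"203.0.113.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) "
    r"type=(?P<qtype>\S+) answer=(?P<answer>\S+)$"
)


def parse_line(line):
    """Parse one resolver log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_watch_domain(qname):
    """True if qname is a watched domain or a subdomain of one.

    The '.' prefix check keeps look-alikes such as 'mystat-dns.com' from matching.
    """
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in WATCH_DOMAINS)


def find_beaconing_hosts(log_text):
    """Return {client_ip: [(timestamp, query, answer), ...]} for every client
    that queried the watched C&C domain family or received a sinkhole address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if matches_watch_domain(rec["query"]) or rec["answer"] in SINKHOLE_IPS:
            hits[rec["client"]].append((rec["ts"], rec["query"], rec["answer"]))
    return dict(hits)


def summarize(log_text):
    """Sorted (client, hit_count) pairs, busiest client first."""
    hits = find_beaconing_hosts(log_text)
    return sorted(((c, len(v)) for c, v in hits.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for client, count in summarize(SAMPLE_DNS_LOG):
        print(f"{client}: {count} C&C/sinkhole lookups")
        for ts, q, a in find_beaconing_hosts(SAMPLE_DNS_LOG)[client]:
            print(f"    {ts}  {q} -> {a}")
```

A host that appears in this list is not protected by the sinkhole; it is a compromised site or machine still running the backdoor and should be cleaned and patched. Matching on both the domain and the answer address catches the case where the malware rotates to a new subdomain that still resolves to the sinkhole.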

The Abuse.ch, BrillantIT and Proofpoint teams said they would continue to monitor EITest activity so that hackers could not re-launch their traffic distribution system.


/ Flickr / Christiaan Colen / CC

Another major case


As reported by the Independent, in December 2017 another major malicious system was neutralized: the Andromeda (or Gamarue) botnet.

The botnet first showed up in September 2011 and has since become a serious threat. Its creators sold toolkits that allowed customers to deploy their custom infrastructure to steal user data and install malware on the victims' machines.

It took the specialists a year and a half to find and neutralize the Andromeda C&C servers. Germany, the USA and Belarus took part in the "destruction" of the infrastructure, and Microsoft representatives even joined the investigation.

Microsoft claims that the Andromeda botnet distributed over 80 types of malware, including Petya, Cerber, Kasidet and others. According to researchers, it infected 1.1 million systems every month through social networks, email and instant messengers.


Source: https://habr.com/ru/post/358134/

