Bot of the Day: Ramnit/Ninmul
Ramnit is interesting because it tries to slide a command and control channel in on port 443 (SSL). Why port 443? A few reasons I might choose to do that:
1. Many sites disable app processing on port 443 to save load on their IDS engine.
2. Some old content filters used to just look at IP and nothing else for what they assumed was SSL.
3. Port 443 is usually left wide open on firewalls that can’t proxy.
These are the usual reasons for sitting on a known port, but the bad guys usually go port 80 to hide in the noise. So this is a bit unique in that it’s on 443 vs 80.
The protocol itself is rather simple, and in about 900 samples there is exactly NO variation. That covers a good deal of time and a number of different CnC servers (in very different nets), and no variation at all. Whatever the command being returned is, the bad guys haven’t changed it at all. That was also very interesting. Detection for recent samples of this bot is still very low. Perhaps these guys have not felt much pressure to change.
The CnC protocol looks basically like so:
Open on port 443, bot to server, 6 byte packet:
|00 ff 01 00 00 00|
Server returns an ACK packet only, no data. Client sends:
|e8|
Server ACKs. Then sends a 149 byte packet starting out like:
|00 ff 8f 00 00 00 e8 00 89 00 00 00 … |
Client FIN/ACK’s and we tear down.
Rather familiar structure, you could spend a bit of time on the binary and probably figure out the commands and structure of the protocol rather easily.
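The handshake above is easy to turn into a session-level check: anything opening a TCP/443 connection with `00 ff 01 00 00 00` instead of a TLS ClientHello (`16 03 ...`) deserves a look, and the full hello/request/149-byte reply sequence is a strong match. The following is an added example, not code from the original post or from Emerging Threats. The byte values and packet sizes are taken from the post; the session records at the bottom are constructed sample input. Reading bytes 2..5 of each `00 ff` message as a little-endian length is my inference from the visible bytes (`01` ahead of a 1-byte request, `8f` = 143 = 149 - 6 in the server reply), not something the post states.

```python
"""Flag TCP/443 sessions carrying the Ramnit CnC handshake instead of TLS.

Added example, not code from the original post or from Emerging Threats.
Byte values and sizes come from the post; the sessions below are constructed.
The LE32 length-field reading of bytes 2..5 is an inference, not a fact from the post.
"""

from dataclasses import dataclass
from struct import unpack_from
from typing import Dict, List, Optional, Tuple

CLIENT_HELLO = bytes.fromhex("00ff01000000")                # 6-byte bot -> server
CLIENT_REQUEST = bytes.fromhex("e8")                         # 1-byte follow-up
SERVER_PREFIX = bytes.fromhex("00ff8f000000e80089000000")    # first 12 of the 149 reply bytes
SERVER_LEN = 149
MAGIC = b"\x00\xff"

TLS_HANDSHAKE = 0x16  # TLS record type "handshake"; a real ClientHello begins 16 03


def header_length(msg: bytes) -> Optional[int]:
    """Inferred LE32 length field of a 00 ff framed message, or None if not framed."""
    if len(msg) < 6 or msg[:2] != MAGIC:
        return None
    return unpack_from("<I", msg, 2)[0]


def framing_consistent(msg: bytes) -> bool:
    """True when the inferred length field equals the bytes after the 6-byte header."""
    n = header_length(msg)
    return n is not None and n == len(msg) - 6


def looks_like_tls(payload: bytes) -> bool:
    return len(payload) >= 2 and payload[0] == TLS_HANDSHAKE and payload[1] == 0x03


@dataclass
class Session:
    dst_port: int
    payloads: List[Tuple[str, bytes]]  # ("c"|"s", data); pure ACK segments omitted


def classify(session: Session) -> str:
    """'tls', 'ramnit-cnc' (full handshake), 'ramnit-beacon' (hello only) or 'other'."""
    if session.dst_port != 443:
        return "other"
    client = [p for d, p in session.payloads if d == "c"]
    server = [p for d, p in session.payloads if d == "s"]
    if not client:
        return "other"
    if looks_like_tls(client[0]):
        return "tls"
    if client[0] != CLIENT_HELLO:
        return "other"
    full = (len(client) >= 2 and client[1] == CLIENT_REQUEST
            and len(server) >= 1 and len(server[0]) == SERVER_LEN
            and server[0].startswith(SERVER_PREFIX)
            and framing_consistent(server[0]))
    return "ramnit-cnc" if full else "ramnit-beacon"


# Constructed sample sessions, not real captures. The server body past the
# 12 bytes shown in the post is padded with zeros because the rest is unknown.
SAMPLE_SESSIONS: Dict[str, Session] = {
    "browser": Session(443, [("c", bytes.fromhex("160301") + b"\x00\xa5\x01" + b"\x00" * 20)]),
    "infected_full": Session(443, [("c", CLIENT_HELLO), ("c", CLIENT_REQUEST),
                                   ("s", SERVER_PREFIX + b"\x00" * (SERVER_LEN - len(SERVER_PREFIX)))]),
    "infected_nocnc": Session(443, [("c", CLIENT_HELLO)]),  # CnC down or sinkholed
    "http": Session(80, [("c", b"GET / HTTP/1.1\r\n")]),
}


def classify_all() -> Dict[str, str]:
    return {name: classify(s) for name, s in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:15s} {verdict}")
```

The `ramnit-beacon` verdict is worth keeping separate from the full match: a host whose CnC is down or sinkholed still emits the 6-byte hello, so the beacon alone is enough to queue the host for triage even though the fuller signature never fires.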
More interesting is the DNS in use. Each sample first looks up libdnsmasq (dot) com. Dnsmasq is a legitimate tool, a tiny DNS and DHCP server for small networks. The project does not reside at that domain. Some interesting points:
1. libdnsmasq (dot) com was first registered 3/15/2011, which is just days before the oldest samples we’ve got in archive.
2. Russian registrar Reg.ru
3. Hosted in a Russian dedicated server farm.
4. Neither the IP (46.161.24.37) nor the domain is blacklisted anywhere.
5. The IP is not shared, and to our knowledge not associated with any other malware or CnC.
6. The block that server is in has a number of bad things within the /24, including SpyEye and others. NOTE: A couple of AV firms call this SpyEye-like, but its CnC is different from traditional SpyEye, which is primarily HTTP-based. More than coincidence?
There are surely many more interesting things to track down here. If you’ve got time take a look, there are things to be learned.
But after all, most importantly we have all known variants detected in ET Pro Subscriber sigs 2803190 and 2803191. You’re covered!
Comments welcome! What else can you find on these?