Roy Firestein

Security Feeds

Malicious Google AppEngine Used as a CnC

December 3rd, 2009. Published under My Recent Reads.

pulled from Google Reader (click on title for original post)

Over the weekend our zoo found a malware sample that revealed a malicious Google AppEngine application. The app in question is being used to feed URLs to the zombies for them to download. We got the malware via sample sharing, so its original location and infection details are absent. The malware details are below:

MD5: 2143a7b9a9de6ea26987ed8ece29d2c6
SHA1: 30f6befc76e4e269e5aa9c01c735d55d7ca4099a
File type: application/x-ms-dos-executable
File size: 65024 bytes

It’s a simple HTTP engine and downloader, packed with UPX. The C&C is visible in the unpacked sample:

http://xiaoiboxip.appspot.com/[OMITTED]?hostname=&&systemcpoy=&&userName=

Where [OMITTED] refers to a four-letter expletive (this is a family friendly blog, folks!).

This was bound to happen, after all, in an open environment like this where people’s abilities are limited by their intentions. The C&C appears to manage infections on the basis of the computer hostname sent in the request; a unique hostname yields the malcode URL to update:

http://XX.XX.76.85/aa.exe

In this case aa.exe is a PCClient backdoor on the infected PCs. When you check back in after that, you just get the word “cmd”. It’s unclear to me what additional commands the C&C can issue to clients.
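As an added illustration (not code from the original post), here is a small Python detector for the two observable pieces described above: the check-in request, recognised by its query-string signature (hostname, the malware's own misspelled systemcpoy, and userName joined with "&&"), and the C&C reply, which wraps the second-stage URL in <br>…</br>. The proxy log lines are constructed for the example; the C&C host, parameter names and the redacted second-stage address are taken from the post, and the "/OMITTED" path is a placeholder for the path the post does not print.

```python
import re
from urllib.parse import urlsplit

# Query-string keys the beacon carries, as seen in the unpacked sample
# (lower-cased for comparison; note the malware's own misspelling "systemcpoy").
BEACON_KEYS = {"hostname", "systemcpoy", "username"}

# The C&C wraps the second-stage URL in <br>...</br>; capture the inner URL.
BR_URL_RE = re.compile(r"<br>\s*(https?://[^<\s]+)\s*</br>", re.IGNORECASE)

# Constructed proxy log lines (not real captures): "client method url status".
# "/OMITTED" stands in for the path the post does not print.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://xiaoiboxip.appspot.com/OMITTED?hostname=WS-FIN-07&&systemcpoy=XP&&userName=alice 200
10.0.0.12 GET http://www.google.com/search?q=weather 200
10.0.0.31 GET http://xiaoiboxip.appspot.com/getip?speed=100 200
10.0.0.45 GET http://xiaoiboxip.appspot.com/OMITTED?hostname=LAB-PC&&systemcpoy=Win7&&userName=bob 200
"""


def parse_beacon(url):
    """Return the check-in parameters (keys lower-cased, plus the C&C host)
    if `url` carries the beacon's query-string signature, else None."""
    parts = urlsplit(url)
    params = {}
    # The sample joins parameters with "&&"; splitting on "&" yields empty
    # fragments between them, which are skipped.
    for pair in parts.query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[key.lower()] = value
    if not BEACON_KEYS.issubset(params):
        return None
    params["cnc_host"] = parts.hostname or ""
    return params


def scan_proxy_log(log_text):
    """Return a list of (client_ip, beacon_params) for every log line whose
    request URL matches the C&C check-in signature."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, _method, url, _status = fields[:4]
        params = parse_beacon(url)
        if params is not None:
            hits.append((client, params))
    return hits


def extract_stage2_url(body):
    """Pull the second-stage URL out of a C&C reply of the form
    <br>http://host/file.exe</br>; return None for any other reply (e.g. "cmd")."""
    match = BR_URL_RE.search(body)
    return match.group(1) if match else None


if __name__ == "__main__":
    for client, params in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} checked in to {params['cnc_host']} as "
              f"host={params['hostname']} user={params['username']}")
    # Redacted second-stage address as printed in the post.
    print("stage 2:", extract_stage2_url("<br>http://XX.XX.76.85/aa.exe</br>"))
    print("follow-up reply:", extract_stage2_url("cmd"))
```

Keying on the parameter signature rather than only the host name means the same rule still fires if the operator moves the app to another AppEngine name, while the host is reported with each hit for the blocklist.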

A quick analysis of the original malware doesn’t reveal any additional functionality, just the downloader bits. (See below) Google’s been contacted for the AppEngine to be taken down, and the site hosting the second stage malware has been contacted for takedown, as well.

UPDATE Google has confirmed the malicious AppEngine is now down.

UPDATE 2 Actually, looking at the sample reveals that it talks to a host in China using what at first blush appears to be a Grey Pigeon protocol.

UPDATE 3 Found another URL the app used, but I’m not sure what it was used for:

http://xiaoiboxip.appspot.com/getip?speed=100

The Google cache of the results suggests it reads something like “Today visited 42 times; this month, visited 587 times.” It’s unclear if that’s the size of the botnet or what.
