APT Never Dies
Introduction
Inspired by a section on Advanced Persistent Threats (APT) and botnet C&C servers presented by Mr. Yung at the BoT2010 conference[1], Mars and I set out to search for live C&C servers and dig into more details of the APT area. An APT is a kind of targeted attack against high-value information, backed by strong resources and authority.
With reference to the Shadows in the Cloud report[2] published in April, we found that Google has done some filtering of its own; however, we had some luck and successfully located an active C&C server.
In the Tiger Cave
We located a .php file and two folders named “cms” and “tools” respectively (Figure 1). Figure 2 shows five files in the “cms” folder; the most interesting is h_INOC-94C966D10D_4137_t, as it contains victim information including OS and IP address (Figure 3).
For c__BRBRBxxx, c_GTxxx and c_VIRUSCLONExxx, the file size and content are identical (Figure 4), and we have not worked out what the content means.
Figure 1. C&C Server Folder Structure
Figure 2. Files in “cms” folder
Figure 3. List of victim machines shown in h_INOC-94C966D10D_4137_t file
Figure 4. File content found in c_BRBRBxxx, c_GTxxx and c_VIRUSCLONExxx
After 24 hours
We obtained a list of victim workstations that reported to the C&C server. We used domaintools.com[3] to match each address to its corresponding domain, and found a brief summary as below:
| Country | Number of Infected Machines | Organization(s)/Companies |
|---|---|---|
| India | 5 | National Information Center, Telecom Service and Internet Backbone Company |
| Brazil | 1 | Telecom Service |
| Great Britain | 1 | High Commission in India |
| Mexico | 1 | Telecom Service |
| Suriname | 1 | Telecom Service |
| China | 1 | Telecom Service |
| USA | 1 | Telecom Service |
| Total | 11 | |
In summary, the attacks targeted India’s government departments as well as its infrastructure. It is interesting to find a bot planted in the Tibet (西藏) Telecom Service Company in China. In addition, most of the targets are infrastructure/telecom service companies in their respective countries.
Summary
Attacks are no longer carried out just for reputation, excitement and fun; there is now a kind of attack that targets high-value information, for political reasons.
Reference
[1] BoT2010
URL: anti-botnet.edu.tw/confs/BoT2010.htm
[2] Shadows in the Cloud – An Investigation into Cyber Espionage 2.0 (April 2010)
[3] Domaintools - For whois and reverse domain name lookup
URL: http://www.domaintools.com
Appendix: Sample C&C Record
a:2:{s:8:"hostinfo";a:8:{s:6:"hostid";s:8:"BHARAT-2";s:6:"ipaddr";N;s:9:"outipaddr";s:12:" **maskedIP**";s:7:"macaddr";s:17:"00:E0:4C:92:64:80";s:8:"hostname";s:8:"BHARAT-2";s:6:"ostype";s:34:"Microsoft Windows XP Professional0";s:7:"version";s:5:"0.5.2";s:5:"owner";s:6:"bobo10";}s:10:"reporttime";s:14:"20100716231202";}s:15:"U-052D8518AEE84";
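The record above is in the output format of PHP's serialize(), which fits the .php file found on the server. The following Python parser is an added example for this write-up, not code recovered from the C&C or written by its operators: it reads one such record and pulls out the victim fields that the h_INOC-94C966D10D_4137_t file exposes. It assumes (these are assumptions, not facts from the page) that each h_* file holds records in this format and that the string trailing the main array is the bot's record identifier; the masked external IP in the sample is replaced by an RFC 5737 documentation address of the same length so that the declared string length still checks out.

```python
"""Parse the per-victim records a PHP-based C&C stores with serialize().

Added example, not code from the server or the original write-up.
Assumed: h_* files hold serialize()'d records; the trailing string
after the main array is the bot's record identifier.
"""
from datetime import datetime

# Constructed sample: the Appendix record with the masked external IP
# replaced by a 12-byte RFC 5737 documentation address (matches s:12).
SAMPLE_RECORD = (
    'a:2:{s:8:"hostinfo";a:8:{s:6:"hostid";s:8:"BHARAT-2";s:6:"ipaddr";N;'
    's:9:"outipaddr";s:12:"198.51.100.7";s:7:"macaddr";s:17:"00:E0:4C:92:64:80";'
    's:8:"hostname";s:8:"BHARAT-2";s:6:"ostype";s:34:"Microsoft Windows XP Professional0";'
    's:7:"version";s:5:"0.5.2";s:5:"owner";s:6:"bobo10";}'
    's:10:"reporttime";s:14:"20100716231202";}s:15:"U-052D8518AEE84";'
)


class PhpUnserializeError(ValueError):
    """Raised when the input does not follow PHP's serialize() grammar."""


def _parse(data: bytes, pos: int):
    """Parse one value at data[pos]; return (value, next_pos).

    Works on bytes because PHP string lengths count bytes, not characters.
    Handles N; i:..; b:..; d:..; s:len:"..."; and a:count:{key;value;...}.
    """
    tag = data[pos:pos + 1]
    if tag == b"N":
        if data[pos:pos + 2] != b"N;":
            raise PhpUnserializeError(f"malformed null at offset {pos}")
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        if tag == b"i":
            return int(raw), end + 1
        if tag == b"b":
            return raw == b"1", end + 1
        return float(raw), end + 1
    if tag == b"s":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        if data[colon + 1:colon + 2] != b'"':
            raise PhpUnserializeError(f"malformed string at offset {pos}")
        start = colon + 2                      # skip ':"'
        value = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            # Declared length not matching the bytes is how a doctored
            # record (e.g. a masked IP of the wrong length) shows up.
            raise PhpUnserializeError(f"string length mismatch at offset {pos}")
        return value.decode("utf-8", errors="replace"), start + length + 2
    if tag == b"a":
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        if data[colon:colon + 2] != b":{":
            raise PhpUnserializeError(f"malformed array at offset {pos}")
        p, items = colon + 2, {}
        for _ in range(count):
            key, p = _parse(data, p)
            value, p = _parse(data, p)
            items[key] = value
        if data[p:p + 1] != b"}":
            raise PhpUnserializeError(f"unterminated array at offset {pos}")
        return items, p + 1
    raise PhpUnserializeError(f"unsupported tag {tag!r} at offset {pos}")


def unserialize_all(data):
    """Parse every consecutive value in the record.

    The Appendix record is the main array followed by one more string,
    so a single unserialize() call would stop early; this returns all.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    values, pos = [], 0
    while pos < len(data):
        value, pos = _parse(data, pos)
        values.append(value)
    return values


def victim_summary(record):
    """Flatten one C&C record into the fields an analyst tracks per victim."""
    values = unserialize_all(record)
    body = values[0]
    host = body["hostinfo"]
    return {
        "hostname": host.get("hostname"),
        "host_id": host.get("hostid"),
        "internal_ip": host.get("ipaddr"),       # N; in the sample -> None
        "external_ip": host.get("outipaddr"),
        "mac": host.get("macaddr"),
        "os": host.get("ostype"),                # trailing '0' kept as recorded
        "bot_version": host.get("version"),
        "owner": host.get("owner"),              # operator tag, as stored
        "reported_at": datetime.strptime(body["reporttime"], "%Y%m%d%H%M%S"),
        "record_id": values[1] if len(values) > 1 else None,  # assumed bot id
    }


if __name__ == "__main__":
    for field, value in victim_summary(SAMPLE_RECORD).items():
        print(f"{field:12} {value}")
```

Run it as-is to see the sample flattened; pointing unserialize_all at the raw bytes of an h_* file would give one dictionary per record. The strict length check is deliberate: a record that has been edited by hand (or a masked copy like the one in this appendix) fails loudly rather than silently shifting every following field.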