Posted on Monday, February 11th, 2008

SecureWorks: Ozdok/Mega-D Trojan Analysis

by Danny McPherson

Enabled by some spam samples Marshal provided, Joe Stewart and the good folks @SecureWorks, with an assist from Team Cymru and my|NetWatchman, have identified the malware and botnet referred to as Mega-D.

It turns out Mega-D is composed of bots from the little-known Ozdok malware family. Joe provides some analysis on scale and distribution of the botnet here, as well as some detailed bits on behaviors of the Trojan itself.

Based solely on the hostnames provided in the analysis, we (Jose, actually) were able to find three samples in our database, all with dates well over a year old:

2006-12-28
2006-12-20
2007-01-03

MD5: c510414a4e3bffb4efe466b2bac1e438
File type: application/x-ms-dos-executable
File size: 51712 bytes

MD5: 8a66e2208ce5258ad65b2ee5531d58bd
File type: application/x-ms-dos-executable
File size: 19398 bytes

MD5: 11cda5647562761ec7b941e7427fb96b
File type: application/x-ms-dos-executable
File size: 43520 bytes

Two of them used an NTFS alternate data stream (ADS) to stash the file under a different name from the one mentioned in the SecureWorks analysis:

Drops C:\WINDOWS\system32:svchost.exe

One drops the C:\WINDOWS\system32\svchost.exe:exe.exe file mentioned in the SecureWorks analysis. Registry changes often look like this:

"C:\WINDOWS\system32\svchost.exe" = C:\WINDOWS\system32\svchost.exe:*:Enabled:svchost
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ICF "aaaaaaaaa[..truncated..]aaaaaaaaaaa[REG_BINARY, size: 16 bytes]" = [REG_BINARY, size: 16 bytes]


Given that it uses tcp/80 for C&C, but speaks neither HTTP nor SSL on it, it looks like we'll have to start digging into non-HTTP port 80 traffic…
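As an added illustration of that kind of digging (example code, not part of this post or of the SecureWorks analysis), the function below looks at the first bytes of a port-80 flow and separates HTTP and TLS from everything else, so that the "other" bucket can be reviewed. The flow records and payloads are constructed for the example; the only assumption is that you can feed it the first few bytes of each flow's payload.

```python
# Classify the leading bytes of a TCP payload observed on port 80.
# Real traffic on port 80 is almost always HTTP or TLS, so anything
# that is neither deserves a closer look.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def classify_port80_payload(data: bytes) -> str:
    """Return 'empty', 'http', 'tls' or 'other' for the start of a flow."""
    head = data[:16]
    if not head:
        return "empty"
    # Client requests start with a method; server responses with "HTTP/1."
    if head.startswith(HTTP_METHODS) or head.startswith(b"HTTP/1."):
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03 and head[2] <= 0x03:
        return "tls"
    return "other"


def suspicious_flows(flows):
    """Return the flows to port 80 whose payload is neither HTTP nor TLS."""
    return [f for f in flows
            if f["dport"] == 80 and classify_port80_payload(f["payload"]) == "other"]


# Constructed sample flows (placeholder addresses, not real captures).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.6", "dst": "192.0.2.11", "dport": 80,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
    {"src": "10.0.0.7", "dst": "192.0.2.12", "dport": 80,
     "payload": b"\x00\x00\x00\x1c\x8f\x3a\x11\x20\x00\x01"},
    {"src": "10.0.0.8", "dst": "192.0.2.13", "dport": 443,
     "payload": b"\x01\x02\x03\x04"},  # not port 80, ignored
]

if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_FLOWS):
        print("review:", f["src"], "->", f["dst"], f["payload"][:8].hex())
```

The heuristic only checks the first bytes of each direction, so a flow that starts with a legitimate-looking HTTP line and then switches protocols will still pass; it is a first filter, not a verdict.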

Despite the hype, it's apparently nowhere near the size of Storm, although Joe does speculate as to some of the reasons why Mega-D might be perceived as so much noisier than Storm of late. Glad to see this analysis, nice work!
