we planned to write an article about it but since we don’t get the time, and some good stuff are already available, we just publish the stat.
Good article about zeroaccess:
- http://malforsec.blogspot.no/2013/02/zeroaccess-analysis-part-i-network.html
- http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf
- http://www.kindsight.net/sites/default/files/Kindsight*Malware_Analysis-ZeroAcess-Botnet-final.pdf
To make the stat we just ask each peer to give us ip list and add it to the database and so on. In one month of mononitoring we get 1 million of ip.
Quick stats
If some ppl are motivated to make more stat I can release the scripts and my database.
Number of peers in db
y0ug@malwarelu:~/scripts$ date && sqlite3 zeroaccess.sqlite "SELECT count(*) FROM peers;"
Tue Feb 19 13:18:27 CET 2013
1081273
Top 20 country infection
y0ug@malwarelu:~/scripts$ sqlite3 zeroaccess.sqlite " SELECT country, count(ip) as cpt FROM peers INNER JOIN geolocations ON peers.id=geolocations.peer_id group by country_code ORDER BY cpt;" | tail -n 20
Australia|10315
Hungary|11023
Sweden|11284
Iran, Islamic Republic of|12507
Russian Federation|12523
France|14028
United Kingdom|15872
Venezuela|16188
Canada|17279
Argentina|17325
Turkey|30210
Romania|31039
Spain|33153
Japan|40820
Germany|41569
Brazil|56705
Taiwan|57805
Italy|103732
United States|132816
India|245987
Top 20 city
y0ug@malwarelu:~/scripts$ sqlite3 zeroaccess.sqlite " SELECT city, count(ip) as cpt FROM peers INNER JOIN geolocations ON peers.id=geolocations.peer_id group by city ORDER BY cpt;" | tail -n 20
Caracas|5148
Santiago|5609
Bangkok|5965
Kaohsiung|5971
Milan|6179
Taichung|6220
Bucharest|6864
Tokyo|8369
Rome|9303
Istanbul|9841
Chennai|10591
Kolkata|10784
Hyderabad|11597
So Paulo|11839
Pune|12060
Delhi|21610
Taipei|26104
Bangalore|26387
Mumbai|63686
Unknown|100637
Factorize and win a botnet
Before install plugin the malware check the signature with this public key
Pem format
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXrUXWGv6r/yGEWmtu/TCvWsn3
SXC0xcFLULey0xNIKIzxnNzn2Jb/pHRr6CfyQl6Hg6Zt2+efsyTkBRuORs5X1PPg
bISZl8TVUgxH4TzH1x16FLrYWucK08pUgc+e6G91ksjOfC6iKs8g8V54VA8bq71q
zk+QyacS3fEZOSbyYwIDAQAB
-----END PUBLIC KEY-----
The number to factorize
151453432407647819546100166014997951339320507307775254255564495382719040186797150720297483224621783999714587428216607423638262973816754776881098546670647487634628357600030115489745806469124906416028850570212254186170613390107370526681765360119559566943010421386885215034263978631334356541676857160132695880291
The factore is not know here
If someone manage to factorize the key he can win a beautifull botnet ^^