Report - CrySyS Lab
Note that the configuration file contains references to two servers (in this case, newslite.org and bannetwork.org), one of which is accessed via the FTP protocol. The necessary access credentials (e.g., the FTP username and password) are also given in this configuration file.

TeamViewer communication is used to directly command the victim computer and to inspect screen captures in real time. The purpose of the newslite.org and similar C&C traffic is to maintain a list of the TeamViewer IDs and passwords of victim computers and to monitor their availability, i.e., to check which victims can currently be controlled. The communication to bulbanews.org at the original victim stopped when the TeamViewer-based malware was installed on the victim computer; therefore, this server was most likely used for an older type of attack.

We collected the recently used IP addresses of victims from all of the above-mentioned C&C server databases, but only those entries whose recorded IP address is dated later than 2012-09-01. The results are depicted on the following heat map.
Figure 13 – Heat map of all known victims after 2012-09-01

3.3 bannetwork.org databases

We have investigated the contents of the C&C servers. For some of them, we have only partial information. We obtained the best view of bannetwork.org, where we found detailed information related to multiple attack campaigns.