For any given base W32/Worm-AAEH crypter stub (which the polymorphic engine uses to mutate and generate other samples), the RC4 key is composed of the original project name concatenated with a hardcoded number treated as a string.
CRYPTER 2014 CODE
We can verify this by comparing strings from the UI library source code to the W32/Worm-AAEH binaries. Some of these samples included the entire “Wizard-TemplateXP” UI library, originally located at.
To make up for the lost variety of distributed samples, the attackers replaced an average of eight variants per day, with 35 variant replacements on the same day the packer changed.Īlthough the samples were functionally similar across variants, the top-level crypter was consistently modified to change its final binary code. The worm switched from its custom crypter to the underground “29A Loader” crypter on July 21, 2014, losing all of its server-side polymorphism capabilities. For example, from March to July 2014, the Beebone control server served at least one new sample every day (we conclude with 93.6% confidence) with up to four variant changes per day.
The actors behind Beebone went the extra mile by replacing the base worm sample multiple times per day.
CRYPTER 2014 DOWNLOAD
One mechanism is the botnet’s polymorphic nature, which guarantees unique samples for every download request. The sinkhole has revealed multiple obfuscation techniques.
We now have a more accurate count of infected hosts, we have identified additional indicators of compromise, and we have greater visibility into the botnet’s geographic reach. In addition to halting additional infections and the continued morphing of the W32/Worm-AAEH worm, the sinkhole allows McAfee Labs and other partners in the takedown to better understand the scope and complexity of the Beebone operation. This action redirected traffic from infected hosts to a sinkhole operated by the Shadowserver Foundation. On April 8, the takedown operation for the polymorphic botnet known as Beebone successfully concluded.
0 kommentar(er)
