Analysis: CryptoWall 3.0, Dyre and I2P

For a moment, put yourself in the shoes of a cyber criminal. You’ve collected an array of tools (malware), built up your infrastructure (command and control (C2) servers) and you have a process to make money off your hard work. You wake up on Monday morning and the domains your carefully built malware uses for command and control are shut down. Some security researcher has taken control of them, completely halting your operation. This would certainly be good news to anyone reading this blog, but for the criminal it’s a big setback and source of frustration. These kinds of takedowns are the impetus for some of the most impressive developments in malware technology over the last decade.

Takedown-Resistant Command and Control

Once attackers have infected a PC through some exploit or social engineering, one of their major challenges is keeping control of that system. Antivirus programs running on the PC are trying eradicate the threat, the command and control domains and IPs are being added to blacklists and blocked by networks around the world. Many malware authors have taken to building complex mechanisms to ensure that their malware is resistant to these kind of blocks and takedowns. Some of the more innovative mechanisms include:

• Peer-to-peer (P2P) Networks: Rather than relying on a single (or small) number of failure ports for command and control, P2P bots communicate with other infected systems that can relay commands from the attacker. These systems aren’t perfect though, as Operation b49proved in the takedown of Waldac.
• Domain Generation Algorithms (DGAs): Why use one domain for command and control when you could use 100, or 1,000, or more? DGAs work by algorithmically generating possible C2 domains that change over time. The attacker often only needs to register one of these domains to ensure control of the network. Conficker, one of the most well-known DGA-based botnets generated 50,000 possible domains each day in it’s final variant.

These mechanisms are often only used when the primary (and simpler) C2 mechanism has been shut down, but their use makes shutting down a botnet much more challenging.

Abusing I2P

Last year we highlighted two malware families on this blog: CryptoWall 2.0 and Dyreza/Dyre. CryptoWall is one of multiple ransomware families that generated income for the attacker by encrypting files on the infected PC with a private key that is in the control of the attacker. The attacker then charges a ransom (normally around $500) to give up the key that will unlock the files. In October, CryptoWall 2.0 began using the Tor anonymity network to serve web pages to infected users who wanted their encrypted files back. In this case a legitimate service (Tor) was being abused by CryptoWall so it could avoid having its C2 servers shut down. Presently another anonymity network, I2P is being abused by both the latest version of CryptoWall (3.0)and the Dyre banking Trojan.

While I2P is far less popular than Tor, it provides similar functionality to the user. I2P is an overlay network on top of the Internet that creates encrypted links between nodes that are running the I2P software. I2P users can access specific I2P services that are only accessible on I2P, or access Internet resources without exposing their IP address.

In the case of CryptoWall 3.0, the malware is attempting to access multiple .i2p resources only accessible through I2P, also known as “eepSites.”

• proxy1-1-1.i2p
• proxy2-2-2.i2p
• proxy3-3-3.i2p
• proxy4-4-4.i2p
• proxy5-5-5.i2p

The CryptoWall 3.0 uses I2P in the same way CryptoWall 2.0 used Tor, to give the victim access to a decrypting service to get their files back.

The Dyre banking Trojan has multiple C2 mechanisms, including encrypted HTTPS requests to a list of hard-coded IP addresses, a DGA generating 1,000 new domains each day as well as an I2P based plugin. These many C2 mechanisms make Dyre much more difficult to fully take down than a simple single (or small group) of C2s. the following IP address are known Dyre C2 servers.

• 228.17.152
• 228.17.155
• 228.17.158
• 78.103.85
• 114.0.58
• 203.50.17
• 203.50.69
• 153.35.133
• 183.172.196
• 56.214.130
• 56.214.154
• 239.209.196
• 172.179.9
• 172.181.164
• 172.184.75
• 23.8.68
• 59.2.42
• 248.224.75
• 25.134.53
• 25.138.12
• 25.145.179
• 190.139.178
• 23.196.90
• 23.61.172

It’s not possible to list all of the domains generated by the DGA, which is the main advantage of this mechanism.

To protect your network from the I2P communication used by both Dyre and CryptoWall 3.0, the easiest route is simply to identify I2P traffic and block it completely. While there are certainly many legitimate reasons to use an anonymity network, many organizations should be weary of I2P (or Tor) traffic transiting their network. Palo Alto Networks App-ID technology can identify I2P traffic as well 51 other tunneling applications.

[Palo Alto Networks Blog]