Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Suspected Active Rovnix Botnet Controller - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Suspected Active Rovnix Botnet Controller

We have received information about a suspected Rovnix botnet controller currently using at least 2 domains (mashevserv[.]com and ericpotic[.]com) pointing to the same IP address of 37.9.53.126 (AS 44050).

This is the information that we currently have available that should help identify if any hosts in your network is currently contacting this botnet:

  • mashevserv[.]com/config.php?version=[value here]&user=[value here]&server=[value here]&id=[value here]&crc=[value here]&aid=[value here] is where the compromised clients send an HTTP GET request to when requesting a configuration file.  If the correct values are inputted the server will return an encrypted configuration file.
  • mashevserv[.]com/admin appears to be the admin console

  • ericpotic[.]com/task.php has similar values appended to it an when the GET request is done it appears to be some sort of check-in to tell the server it is alive.
  • Posts to ericpotic[.]com/data.php are use to exfiltrating data. All communications with C&C are unencrypted over TCP 80.

It also appears this malware has very little detection. This is all we currently have. If you can recover samples either on the host or via packets and are willing to share them with us, you can upload them to our contact page.


[1] https://www.robtex.com/dns/mashevserv.com.html#graph
[2] https://www.robtex.com/dns/ericpotic.com.html#graph
[3] https://www.robtex.com/ip/37.9.53.126.html#whois
[4] http://www.xylibox.com/2013/10/reversible-rovnix-passwords.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Guy

427 Posts
ISC Handler
- https://www.virustotal.com/en/ip-address/37.9.53.126/information/

- http://google.com/safebrowsing/diagnostic?site=AS:44050
.
PC.Tech

34 Posts
Found this IP inside a file from ericpotic[.]com -- 85.17.222.24
HackDefendr

65 Posts
Found this IP inside a file from ericpotic[.]com -- 85[.]17[.]222[.]24
Looks like a mirror, as it contains same files.


Jeff
HackDefendr

65 Posts

Sign Up for Free or Log In to start participating in the conversation!