Security is a Journey, not a destination.

Archive for the ‘Updates’ Category

So you got: Clampi/Ilomo

Posted by admin on June 18, 2010

So you got one of the most interesting pieces of malware I have ever had the displeasure of doing IR on…

Multi-Stage, evolving, silent…

It seems to always arrive via drive-by attacks and then silently waits for the C&C to provide instructions…

It drops onto the system and creates a number of registry keys with hard-to-anticipate names, and files with semi-random names. That can make it hard to find, but the one key you can count on appearing is:

HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist

The most important thing you can do to prevent the spread of Clampi/Ilomo once it is on your network is to do no day-to-day work with Domain Administrator privileges. One of the most dangerous aspects of Clampi/Ilomo is its ability to log user credentials and use them to spread across your network using legitimate tools like PsExec.

Quick check from a command prompt (the key lives under HKCU, so run it in the context of the user profile you are examining; the same path can be checked under each loaded hive in HKEY_USERS):

@echo off && reg query "HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist" /s || echo Does not exist!

Ilomo botnet analysis by Trend Micro

Cisco Cheat Sheet

Posted by admin on June 18, 2010

Deny WAN HTTP/S to all systems except Proxy. Extended ACLs are evaluated top-down and the first match wins, so the proxy's permit has to come before the blanket deny (the other way round the deny shadows it), and the list needs a final permit or everything else falls into the implicit deny:

! Permit HTTP port 80 traffic from the proxy only
access-list 102 permit tcp host {proxy address} any eq 80
access-list 102 deny tcp any any eq 80

! Permit HTTPS port 443 traffic from the proxy only
access-list 102 permit tcp host {proxy address} any eq 443
access-list 102 deny tcp any any eq 443

! Allow everything else (every ACL ends with an implicit deny)
access-list 102 permit ip any any

Deny WAN DNS to all systems except DNS server:

Caveat: in extended-ACL syntax a bare number after permit/deny is an IP protocol number, so "deny 53 any any" blocks IP protocol 53, not DNS on port 53 (likewise 55, 77 and 103; these four are the protocols Cisco's 2003 IOS "blocked interface" advisory told operators to filter). Because the tcp and udp permits come first, the list below does not restrict DNS at all; a real DNS restriction puts the port in the "eq" position and sits before the blanket permits.

access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any
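To check the two ACLs above against IOS first-match semantics, here is an added example (my code, not from the cheat sheet): a toy evaluator that parses the cheat-sheet line shape and tests whether the proxy's port-80 traffic and a client's DNS query get through. The proxy address 10.0.0.5 and the other addresses are constructed placeholders, and the parser only understands the subset of syntax noted in its comments.

```python
# Added example, not from the original post: a toy first-match evaluator for
# Cisco-style extended ACL lines, used to sanity-check the cheat-sheet ACLs.
# Supported shape (an assumption of this parser, not full IOS syntax):
#   access-list N {permit|deny} {ip|tcp|udp|<protocol-number>} SRC DST [eq PORT]
# with SRC/DST either "any" or "host A.B.C.D".
PROTO = {"ip": None, "tcp": 6, "udp": 17}   # None = any IP protocol

def parse_acl(text):
    """Return a list of (action, proto, src, dst, dport) tuples in ACL order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue                                  # blank line or IOS comment
        action, proto = tok[2], tok[3]
        proto = PROTO[proto] if proto in PROTO else int(proto)  # bare number = IP protocol
        i = 4
        src, i = ("any", i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)
        dst, i = ("any", i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append((action, proto, src, dst, dport))
    return entries

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, p, s, d, dp in acl:
        if ((p is None or p == proto) and s in ("any", src)
                and d in ("any", dst) and dp in (None, dport)):
            return action
    return "deny"

# Constructed sample ACLs. 10.0.0.5 stands in for {proxy address}.
AS_WRITTEN = """access-list 102 deny tcp any any eq 80
access-list 102 permit tcp host 10.0.0.5 any eq 80"""
CORRECTED = """access-list 102 permit tcp host 10.0.0.5 any eq 80
access-list 102 deny tcp any any eq 80
access-list 102 permit ip any any"""
ACL_101 = """access-list 101 permit udp any any
access-list 101 deny 53 any any
access-list 101 permit ip any any"""

def proxy_web_allowed(acl_text):
    """Can the proxy reach a web server on TCP/80 under this ACL?"""
    return evaluate(parse_acl(acl_text), 6, "10.0.0.5", "203.0.113.10", 80) == "permit"

def client_dns_allowed(acl_text):
    """Can a client send UDP/53 under this ACL? (deny 53 = IP protocol 53, not port 53)"""
    return evaluate(parse_acl(acl_text), 17, "10.0.0.9", "198.51.100.53", 53) == "permit"
```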

Does "ip helper-address" help too much?

By default ip helper-address forwards more than DHCP: TFTP (69), DNS (53), time (37), NetBIOS name and datagram service (137/138), BOOTP server and client (67/68) and TACACS (49). Trim it to what the segment actually needs. The helper forwards on destination port, and DHCP/BOOTP clients broadcast to the server port (bootps, UDP 67), so that is the one DHCP relay needs; the client port (bootpc, UDP 68) is not. Entries for ports that are not forwarded by default are harmless no-ops.

! We want this protocol (DHCP/BOOTP requests, destination UDP 67).
ip forward-protocol udp bootps
!
! We don't want these.
no ip forward-protocol udp biff
no ip forward-protocol udp bootpc
no ip forward-protocol udp discard
no ip forward-protocol udp dnsix
no ip forward-protocol udp domain
no ip forward-protocol udp echo
no ip forward-protocol udp isakmp
no ip forward-protocol udp mobile-ip
no ip forward-protocol udp nameserver
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-ss
no ip forward-protocol udp non500-isakmp
no ip forward-protocol udp ntp
no ip forward-protocol udp pim-auto-rp
no ip forward-protocol udp rip
no ip forward-protocol udp snmp
no ip forward-protocol udp snmptrap
no ip forward-protocol udp sunrpc
no ip forward-protocol udp syslog
no ip forward-protocol udp tacacs
no ip forward-protocol udp talk
no ip forward-protocol udp tftp
no ip forward-protocol udp time
no ip forward-protocol udp who
no ip forward-protocol udp xdmcp

Boot VM from USB

Posted by admin on June 18, 2010

USB-TestVM -> http://www.mediafire.com/?oydn0xngdlz
VMware Player -> http://www.vmware.com/products/player/
VMware Player (DDL) -> http://download3.vmware.com/software/vmpla….5.3-185404.exe
PLoP Bootmanager -> http://www.plop.at/en/bootmanager.html

For your Consideration: Please Comment

Posted by Richard E. Baker on December 9, 2009

In an effort to expand the functionality of this site I've added a pair of video players.
Hopefully this will allow me to record short demos and how-tos and make them available to the community.
Please review the two player types and let me know which you like better…

Thank you ahead of time.

About Us

Path Security is run by Richard E. Baker. Richard has been working with computers since he found an old Apple IIe in the bin outside of his elementary school. One man's trash and all; the video connector was soon fixed and the machine soon consumed more time on the TV than the Nintendo. Who else remembers Apple BASIC? He is currently refocusing on the Information Security Path. Come and walk the Path.
