Win32 Medbod Trojan
This is an interesting trojan. It's been around for a year or more, and we have samples through the sandnet. But we'd never noticed these UDP broadcasts sent to ads.zablen.com.
Destination ports are 6994, 6992, 6990.
Source ports generally start at 1040 and increment up. Natural selection (ordinary ephemeral port allocation), no reason to think that's intentional.
Packet payloads look like so:
Sample 1
Dest port 6992
0000 6d 7e 61 39 39 68 60 57 39 3b 3e 3c 3a 39 3d 3f m~a99h`W9;><:9=?
0010 3a 51 36 2c 4d 6a 78 69 7e 2c 5f 78 6d 62 68 6d :Q6,Mjxi~,_xmbhm
0020 7e 78 2c 45 62 65 78 06 ~x,Ebex.
Sample 2
Dest port 6994, 40 bytes
0000 6d 7e 61 39 39 68 60 57 39 3b 3e 3c 3a 39 3d 3f m~a99h`W9;><:9=?
0010 3a 51 36 2c 4d 6a 78 69 7e 2c 5f 78 6d 62 68 6d :Q6,Mjxi~,_xmbhm
0020 7e 78 2c 45 62 65 78 06 ~x,Ebex.
Dest port 6994, 40 bytes
0000 6d 7e 61 39 39 68 60 57 3e 3c 3b 38 3f 38 3a 39 m~a99h`W><;8?8:9
0010 3a 51 36 2c 4e 69 6a 63 7e 2c 45 62 65 78 58 69 :Q6,Nijc~,EbexXi
0020 7f 78 06 .x.
Dest port 6994, 35 bytes
0000 6d 7e 61 39 39 68 60 57 3e 3c 3b 38 3f 38 3a 39 m~a99h`W><;8?8:9
0010 3a 51 36 2c 4e 69 6a 63 7e 2c 45 62 65 78 58 69 :Q6,Nijc~,EbexXi
0020 7f 78 06 .x.
Dest port 6994, 27 bytes
0000 6d 7e 61 39 39 68 60 57 3e 3c 3b 38 3f 38 3a 39 m~a99h`W><;8?8:9
0010 3a 51 36 2c 45 62 65 78 2c 3d 06 :Q6,Ebex,=.
Sample 3
Dest port 6990, 39 bytes
0000 3d 35 3f 3e 3a 4c 4c 45 42 45 58 36 2c 4b 69 78 =5?>:LLEBEX6,Kix
0010 45 7c 4e 75 44 63 7f 78 4c 4c 3c 2c 21 21 2c 3c E|NuDc.xLL<,!!,<
0020 39 3c 3f 68 01 06 00 9<?h...
Dest port 6990, 46 bytes
0000 3d 35 3f 3e 3a 4c 4c 45 42 45 58 36 2c 43 62 69 =5?>:LLEBEX6,Cbi
0010 4d 7c 7c 60 65 6f 6d 78 65 63 62 43 62 60 75 4c M||`eomxecbCb`uL
0020 4c 3c 2c 21 21 2c 3c 39 3c 3f 68 01 06 00 L<,!!,<9<?h...
Dest port 6990, 22 bytes
0000 42 58 69 7f 78 36 2c 5f 78 6d 7e 78 2c 58 69 7f BXi.x6,_xm~x,Xi.
0010 78 2c 22 22 22 06 x,""".
Dest port 6990, 19 bytes
0000 42 58 69 7f 78 36 2c 58 69 7f 78 2c 5c 6d 7f 7f BXi.x6,Xi.x,\m..
0010 69 68 06 ih.
Dest port 6990, 39 bytes
0000 3d 35 3f 3e 3a 4c 4c 45 42 45 58 36 2c 65 7f 42 =5?>:LLEBEX6,e.B
0010 69 78 58 69 7f 78 69 68 4c 4c 3c 2c 21 21 2c 3c ixXi.xihLL<,!!,<
0020 39 3c 3f 68 01 06 00 9<?h...
Sample 4
Dest port 6992, 33 bytes
0000 6b 61 7e 61 3d 22 3d 34 57 3b 39 3b 3d 38 3b 51 ka~a="=4W;9;=8;Q
0010 36 2c 4e 69 6a 63 7e 2c 45 62 65 78 58 69 7f 78 6,Nijc~,EbexXi.x
0020 06 .
Sample 5
Dest port 6994, 35 bytes
0000 6d 7e 61 39 3f 68 60 57 3d 3d 3b 34 39 3c 3d 38 m~a9?h`W==;49<=8
0010 34 51 36 2c 4e 69 6a 63 7e 2c 45 62 65 78 58 69 4Q6,Nijc~,EbexXi
0020 7f 78 06 .x.
40 bytes
0000 6d 7e 61 39 3f 68 60 57 3d 3d 3b 34 39 3c 3d 38 m~a9?h`W==;49<=8
0010 34 51 36 2c 4d 6a 78 69 7e 2c 5f 78 6d 62 68 6d 4Q6,Mjxi~,_xmbhm
0020 7e 78 2c 45 62 65 78 06 ~x,Ebex.
35 bytes
0000 6d 7e 61 39 3f 68 60 57 3a 3b 39 3e 3c 35 3b 3c m~a9?h`W:;9><5;<
0010 3a 51 36 2c 4e 69 6a 63 7e 2c 45 62 65 78 58 69 :Q6,Nijc~,EbexXi
0020 7f 78 06 .x.
27 bytes
0000 6d 7e 61 39 3f 68 60 57 3a 3b 39 3e 3c 35 3b 3c m~a9?h`W:;9><5;<
0010 3a 51 36 2c 45 62 65 78 2c 3d 06 :Q6,Ebex,=.
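One way to start on the packet pattern is to pull the bytes back out of the dumps and check them for a simple encoding. The Python below is an added analysis example, not code from the original post: it parses hex dumps in the format shown (five of the payloads above are embedded, copied from the dumps), recovers a single-byte XOR key by scoring how much each candidate decoding looks like ASCII text, and reports the longest byte string common to every packet. On these samples the recovered key is 0x0c and the decoded payloads are readable log-style status lines. The sample names, function names and scoring weights are the example's own.

```python
# Added analysis example, not code from the original post: the hex dumps are
# copied from the post, the sample/function names and weights are this example's.
import re
import string

# Five payloads copied from the dumps above (offset, up to 16 hex bytes, ASCII).
DUMPS = {
    "sample1_6992": '''
0000 6d 7e 61 39 39 68 60 57 39 3b 3e 3c 3a 39 3d 3f m~a99h`W9;><:9=?
0010 3a 51 36 2c 4d 6a 78 69 7e 2c 5f 78 6d 62 68 6d :Q6,Mjxi~,_xmbhm
0020 7e 78 2c 45 62 65 78 06 ~x,Ebex.
''',
    "sample2_6994_27": '''
0000 6d 7e 61 39 39 68 60 57 3e 3c 3b 38 3f 38 3a 39 m~a99h`W><;8?8:9
0010 3a 51 36 2c 45 62 65 78 2c 3d 06 :Q6,Ebex,=.
''',
    "sample3_6990_39": '''
0000 3d 35 3f 3e 3a 4c 4c 45 42 45 58 36 2c 4b 69 78 =5?>:LLEBEX6,Kix
0010 45 7c 4e 75 44 63 7f 78 4c 4c 3c 2c 21 21 2c 3c E|NuDc.xLL<,!!,<
0020 39 3c 3f 68 01 06 00 9<?h...
''',
    "sample3_6990_22": '''
0000 42 58 69 7f 78 36 2c 5f 78 6d 7e 78 2c 58 69 7f BXi.x6,_xm~x,Xi.
0010 78 2c 22 22 22 06 x,""".
''',
    "sample4_6992_33": '''
0000 6b 61 7e 61 3d 22 3d 34 57 3b 39 3b 3d 38 3b 51 ka~a="=4W;9;=8;Q
0010 36 2c 4e 69 6a 63 7e 2c 45 62 65 78 58 69 7f 78 6,Nijc~,EbexXi.x
0020 06 .
''',
}
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

def parse_hexdump(dump: str) -> bytes:
    """Drop the offset, read hex tokens until the ASCII column (non-hex token
    or the 17th token) starts, and return the raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:17]:
            if not HEX_BYTE.match(tok):
                break                 # ASCII column reached
            out.append(int(tok, 16))
    return bytes(out)

# English letter frequencies (percent) for ranking candidate decodings.
_FREQ = dict(zip("etaoinshrdlcumwfgypbvkjxqz",
                 [12.7, 9.1, 8.2, 7.5, 7.0, 6.7, 6.3, 6.1, 6.0, 4.3, 4.0, 2.8,
                  2.8, 2.4, 2.4, 2.2, 2.0, 2.0, 1.9, 1.5, 1.0, 0.8, 0.15,
                  0.15, 0.1, 0.07]))

def text_score(data: bytes) -> float:
    """Higher = more like ASCII text. Spaces and common letters score high;
    control bytes other than CR/LF/TAB and high-bit bytes are penalised hard,
    which is what separates the right key from near misses."""
    score = 0.0
    for b in data:
        c = chr(b)
        if c == " ":
            score += 13.0
        elif c in string.ascii_letters:
            score += _FREQ[c.lower()]
        elif c in string.digits:
            score += 1.0
        elif c in "\r\n\t" or 0x20 <= b < 0x7f:
            score += 0.5
        else:
            score -= 20.0
    return score

def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def recover_xor_key(data: bytes) -> int:
    """Try all 256 single-byte keys; keep the one whose output scores best."""
    return max(range(256), key=lambda k: text_score(xor_decode(data, k)))

def common_substring(payloads) -> bytes:
    """Longest byte string present in every payload (raw-bytes signature
    candidate), by brute force over substrings of the shortest payload."""
    shortest = min(payloads, key=len)
    for n in range(len(shortest), 0, -1):
        for i in range(len(shortest) - n + 1):
            cand = shortest[i:i + n]
            if all(cand in p for p in payloads):
                return cand
    return b""

def analyse(dumps=DUMPS):
    """Return (key, {name: decoded payload}, bytes common to every packet)."""
    payloads = {name: parse_hexdump(d) for name, d in dumps.items()}
    key = recover_xor_key(b"".join(payloads.values()))
    decoded = {name: xor_decode(p, key) for name, p in payloads.items()}
    return key, decoded, common_substring(list(payloads.values()))

if __name__ == "__main__":
    key, decoded, sig = analyse()
    print(f"key 0x{key:02x}; bytes common to all packets: {sig.hex(' ')}")
    for name, text in decoded.items():
        print(f"{name}: {text!r}")
```

Running it shows that the only bytes shared by all five embedded packets are 0x36 0x2c (": " after decoding), which is too short to match on by itself. A payload signature will therefore need per-message constants: the run 2c 45 62 65 78 (" Init" decoded) appears in every packet above except those in Sample 3, and every packet ends its text with the 0x06 byte (the encoded newline).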
Added 2007949. Please report hits on this so we can find the packet pattern.
--
MattJonkman - 09 Mar 2008