Are the Sykipot’s authors obsessed with next generation US drones?

December 20, 2011 | Jaime Blasco


For several weeks there has been a great deal of talk about an “undeclared global cyber war”. There have been accusations that China is stealing almost anything it chooses, working from a “shopping list” that gives priority to key industries such as:

  1. Clean energy industry
  2. Biotechnology
  3. Semiconductors
  4. Information technology
  5. Aerospace technology
  6. Medical technology

This month, Lockheed Martin raised the alarm about an Adobe Reader zero-day (CVE-2011-2462) being exploited in the wild. Once again the payload dropped was Sykipot, known malware that has appeared several times in combination with zero-day exploits and has been used in targeted attacks since 2007. The known zero-day exploits used by Sykipot’s authors over these years are:

CVE             Date          Product
CVE-2007-0671   2007-02-02    Microsoft Excel
CVE-2009-3957   2010-12-01    Adobe Reader
CVE-2010-0806   2010-05-04    Internet Explorer
CVE-2010-2883   2010-09-08    Adobe Reader
CVE-2010-3654   2010-10-28    Adobe Flash Player
CVE-2011-2462   2011-12-06    Adobe Reader

The “drone” campaign

There have been many different campaigns, each with its own Command-and-Control servers. The modus operandi is simple: they send key employees of the targeted organizations e-mails with a malicious attachment or link, sometimes carrying a zero-day exploit.

In most campaigns the malware drops and displays a decoy document or media file attractive to the victim. After analyzing most of the campaigns, we found a group of samples connecting to the same C&C server that caught our attention because of the decoy media displayed after infection:

As you can see, all of the content relates to US UCAVs (unmanned combat air vehicles):

We can imagine that this campaign targets organizations that work on the technology used in this kind of vehicle, such as the aerospace and defense industries.

Some of the e-mails used carry attachments with names like the following (.scr files are Windows executables, despite the screensaver extension):

  • X-37B Orbital Test Vehicle.scr
  • X-45b.scr

From the information we collected, this campaign appears to have been running for months. The domain used for the C&C server was registered on 2011-03-04, and we detected two different campaigns with timestamps of 09/08/2011 and 09/26/2011.

Here is the list of analyzed samples:

MD5                                Creation date (both timestamps where the sample carries two)   Campaign string
d978d8071c19a4aca13b4180d250f4db   09/08/2011 13:16:19                                            -help20110908
425c0856e5aec8bdf91ac0cf5aec2805   04/19/2011 12:55:24 / 09/08/2011 13:16:19
cb0ceb37e2eb11ea4ee5090a09fd8b4d   09/26/2011 09:16:19                                            -help20110926
6f8601931c450e1f79ae560f4de98665   04/19/2011 12:55:24 / 09/26/2011 09:16:40
23309fbec1b3a063415c00fbeb50ee66   04/19/2011 12:55:24 / 09/26/2011 09:16:40
e36a8ff79bc641530071da6c8b8f15d7   04/19/2011 12:55:24 / 09/26/2011 09:16:40
45b8cb1b9aa3c22ff10a2a00deed82a6   04/19/2011 12:55:24 / 09/08/2011 13:16:19
bf61f5d008c385b63429127849998745   04/19/2011 12:55:24 / 09/08/2011 13:16:19
248def2faa654efb0fb4c4d594757957   04/19/2011 12:55:24 / 09/08/2011 13:16:19
08883b00a3969db54bbfb7bb1a20b531   09/08/2011 13:16:05                                            -help20110908
5144c11008eae61f7c654794b00b119d   04/19/2011 12:55:24 / 09/08/2011 13:16:19

The trojan injects itself into the Internet Explorer, Firefox or Outlook process and then connects to the C&C server, retrieves an encrypted configuration file with commands to execute on the victim’s system, and sends the results back to the C&C server. In this case the commands in the configuration file are the following host and domain reconnaissance set:

ipconfig /all
net start
net view /domain
net group "domain admins" /domain
tasklist /v
net localgroup administrators
dir c:\*.url /s
type c:\boot.ini

Apart from this, the C&C mechanism permits the following actions:

  1. cmd
  2. shell
  3. run
  4. getfile
  5. putfile
  6. kill
  7. process
  8. reboot
  9. time
  10. door
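The command set above is what a defender can alert on: those commands are normal in an administrator’s shell, but not when the shell’s parent is a browser or mail client that the implant has injected into. The detector below is an added example, not code from the original post or from the malware. It parses constructed process-creation records (pipe-separated timestamp|host|parent image|image|command line, standing in for Sysmon event 1 or Windows 4688 data), tags each command line that matches one of the recon commands from the configuration file, and raises one alert when a single (host, injected parent) pair runs several distinct recon commands in a short burst; the ten-minute window and the threshold of three commands are assumptions to tune per environment.

```python
"""Recon-burst detection for the Sykipot command set.

Added example, not code from the original post or from the malware. It flags
the reconnaissance commands from the configuration file above when they are
spawned by a process whose parent is Internet Explorer, Firefox or Outlook,
which is what injection into those clients looks like in process-creation
telemetry. The log records are constructed for the example, pipe-separated as
timestamp|host|parent image|image|command line; the burst window and the
threshold are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename  # Windows path rules even when run on Linux

INJECTED_HOSTS = {"iexplore.exe", "firefox.exe", "outlook.exe"}

# One regex per command in the Sykipot config file, run on the lower-cased
# command line. "net1" covers net.exe handing off to net1.exe.
RECON_PATTERNS = {
    "ipconfig_all": re.compile(r"\bipconfig(\.exe)?\s+/all\b"),
    "net_start": re.compile(r"\bnet1?(\.exe)?\s+start\b"),
    "net_view_domain": re.compile(r"\bnet1?(\.exe)?\s+view\s+/domain\b"),
    "net_group_domain_admins": re.compile(
        r'\bnet1?(\.exe)?\s+group\s+"?domain admins"?\s+/domain\b'),
    "tasklist_v": re.compile(r"\btasklist(\.exe)?\s+/v\b"),
    "net_localgroup_admins": re.compile(
        r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b"),
    "dir_url_recursive": re.compile(r"\bdir\s+c:\\\*\.url\s+/s\b"),
    "type_boot_ini": re.compile(r"\btype\s+c:\\boot\.ini\b"),
}

WINDOW = timedelta(minutes=10)  # assumption: the config runs as one burst
MIN_DISTINCT = 3                # assumption: 3 distinct recon commands = alert


def parse_event(line):
    """Split one constructed record into typed fields."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "parent": basename(parent).lower(), "image": basename(image).lower(),
            "cmdline": cmdline}


def recon_tag(cmdline):
    """Name of the Sykipot recon command the line matches, else None."""
    low = cmdline.lower()
    for tag, pattern in RECON_PATTERNS.items():
        if pattern.search(low):
            return tag
    return None


def detect(lines):
    """Alert once per (host, injected parent) that runs a recon burst."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        tag = recon_tag(ev["cmdline"])
        if tag is None or ev["parent"] not in INJECTED_HOSTS:
            continue
        buckets[(ev["host"], ev["parent"])].append((ev["ts"], tag, ev["cmdline"]))
    alerts = []
    for (host, parent), hits in buckets.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):  # sliding window over the burst
            burst = [h for h in hits[i:] if h[0] - start <= WINDOW]
            tags = {t for _, t, _ in burst}
            if len(tags) >= MIN_DISTINCT:
                alerts.append({"host": host, "parent": parent,
                               "first": burst[0][0].isoformat(),
                               "last": burst[-1][0].isoformat(),
                               "commands": sorted(tags)})
                break  # one alert per (host, parent) is enough for triage
    return alerts


IE = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
OL = "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_LOG = [  # constructed records, not real telemetry
    # WS-042: the whole config file executed under Internet Explorer
    f"2011-09-08T13:20:01Z|WS-042|{IE}|{CMD}|cmd.exe /c ipconfig /all",
    f"2011-09-08T13:20:02Z|WS-042|{IE}|{CMD}|cmd.exe /c net start",
    f"2011-09-08T13:20:03Z|WS-042|{IE}|{CMD}|cmd.exe /c net view /domain",
    f'2011-09-08T13:20:04Z|WS-042|{IE}|{CMD}|cmd.exe /c net group "domain admins" /domain',
    f"2011-09-08T13:20:05Z|WS-042|{IE}|{CMD}|cmd.exe /c tasklist /v",
    f"2011-09-08T13:20:06Z|WS-042|{IE}|{CMD}|cmd.exe /c net localgroup administrators",
    f"2011-09-08T13:20:07Z|WS-042|{IE}|{CMD}|cmd.exe /c dir c:\\*.url /s",
    f"2011-09-08T13:20:08Z|WS-042|{IE}|{CMD}|cmd.exe /c type c:\\boot.ini",
    # WS-007: an administrator running the same commands from a normal shell
    f"2011-09-08T14:01:00Z|WS-007|C:\\Windows\\explorer.exe|{CMD}|cmd.exe /c ipconfig /all",
    f"2011-09-08T14:01:10Z|WS-007|C:\\Windows\\explorer.exe|{CMD}|cmd.exe /c net view /domain",
    f"2011-09-08T14:01:20Z|WS-007|C:\\Windows\\explorer.exe|{CMD}|cmd.exe /c tasklist /v",
    # WS-019: a single command under Outlook, below the burst threshold
    f"2011-09-08T15:30:00Z|WS-019|{OL}|{CMD}|cmd.exe /c net start",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['host']}: {len(a['commands'])} recon commands under "
              f"{a['parent']} between {a['first']} and {a['last']}")
```

Only WS-042 produces an alert: the administrator on WS-007 runs the same commands from a shell whose parent is explorer.exe, and the lone command under Outlook on WS-019 never reaches the threshold. In a real deployment the parent check is the important part; the command patterns alone fire constantly on help-desk activity.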

Tracing C&C servers

After analyzing the different domains used this year by Sykipot, together with the headers and data returned by the C&C servers, we found that they were using hacked servers, mainly in the US, to mask the real C&C server.

It appears that they used well-known public exploits to break into US-based servers and then installed software to proxy the connections between the infected systems and the real C&C server.

We found that most of the C&C servers were running a web server called “Netbox”, and most of them were serving a self-signed certificate with the following subject:

/C=US/ST=North Carolina/L=Salisbury/O=Internet Widgits Pty Ltd/OU=VeriSign Trust Network/CN=ITU Server/

A short look at Netbox showed that it is a Windows-based web server that lets developers compile and deploy ASP web applications as a stand-alone executable.

We also checked Shodan and found only a couple of thousand servers running it, nearly 80% of them located in China.

With this information we thought there was a good chance of locating these servers in Chinese network ranges, so we started searching for Netbox servers running SSL on port 443 and serving the same certificate on the networks of the main Chinese ISPs.

After some time we confirmed our suspicion: we found 7 IP addresses in the “China Unicom Beijing province network” that matched our criteria.

Six of them point to the same web server (same certificate, same headers, same timestamps), so it appears those machines are also used to proxy the connections, but we do not know whether one of them is the final C&C server.

Here is the certificate information:

Download [no longer available]

Another server was serving a different certificate and seems to point to a different C&C server:

Download [no longer available]

Here is the Map with the active redirections (2011-12-17):

As the map shows, the malware authors route the C&C traffic through US servers to make the connections less suspicious, and they serve SSL certificates whose subject contains an e-mail address at Lawrence Tech University.

The subject also keeps the default organization name that OpenSSL’s req tool proposes (“Internet Widgits Pty Ltd”); the CN was changed, the O was not. I have seen the same in the C&C certificates of other malware. To detect a remote site serving this kind of certificate, it is worth running the following IDS signature (it will also fire on legitimately self-signed development servers, hence the POLICY classification):

alert tcp any 443 -> any any (msg:"POLICY self-signed certificate with default OpenSSL organization name detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"Internet Widgits Pty Ltd"; within:400; classtype:bad-unknown; sid:11111111113; rev:8;)

Alongside this rule, it is worth running the following two for a while: the first matches the serial number of the certificate above (the bytes are the DER INTEGER value, leading 00 included), the second catches any other certificate they serve with the same e-mail address in the subject. The address is not reproduced on this page, so the content match of the second rule is left empty and must be filled in before loading it; the sids are placeholders and must be unique in your ruleset.

alert tcp any 443 -> any any (msg:"MALWARE Sykipot certificate serial number detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"|00 ec 32 09 67 c9 34 3f 50|"; within:30; classtype:bad-unknown; sid:11111111112; rev:8;)
alert tcp any 443 -> any any (msg:"MALWARE Sykipot certificate subject emailAddress detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:""; within:400; classtype:bad-unknown; sid:11111111114; rev:8;)
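The Snort rules above find the certificate fields by byte distance from the Certificate handshake type, which works for this certificate but breaks as soon as the version field, serial length or issuer change. As an added example that is not part of the original post, the Python below does the same pivot structurally: it splits the certificate list out of a TLS Certificate handshake record, walks the DER of each certificate to extract the serial number and the subject, and compares them with the serial and the default OpenSSL organization name from the post. The certificate bytes are constructed for the example (a tbsCertificate truncated after the subject, with no key and no signature, and placeholder validity dates), built from the subject and serial number quoted on this page.

```python
"""Certificate-field pivot for the Sykipot C&C indicators.

Added example, not code from the original post. Instead of matching raw bytes
at fixed offsets like the Snort rules, it parses the TLS Certificate handshake,
walks the DER of the certificate and compares serial number and subject with
the indicators from the post. The certificate bytes are constructed here
(tbsCertificate truncated after the subject: no key, no signature, placeholder
validity) using the subject and serial number quoted in the post.
"""

def der(tag, content):
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the TLV at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + n

def children(buf, start, end):
    """Yield the TLVs directly inside buf[start:end]."""
    off = start
    while off < end:
        tlv = read_tlv(buf, off)
        yield tlv
        off = tlv[2]

OIDS = {  # attribute types OpenSSL prints in a subject line
    b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
    b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN",
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress",
}

def name_to_str(buf, start, end):
    """Flatten an X.501 Name into OpenSSL's /C=../O=.. form."""
    parts = []
    for _, ss, se in children(buf, start, end):        # RDN SETs
        for _, qs, qe in children(buf, ss, se):        # AttributeTypeAndValue
            (_, os_, oe), (_, vs, ve) = children(buf, qs, qe)
            parts.append(OIDS.get(buf[os_:oe], "?") + "=" + buf[vs:ve].decode("latin-1"))
    return "/" + "/".join(parts)

def cert_fields(cert):
    """Return (raw serial value, subject string) from a DER certificate."""
    _, ts, _ = read_tlv(cert, 0)                 # Certificate SEQUENCE
    _, bs, be = read_tlv(cert, ts)               # tbsCertificate SEQUENCE
    fields = list(children(cert, bs, be))
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = cert[fields[0][1]:fields[0][2]]     # INTEGER value, leading 00 kept
    subject = name_to_str(cert, fields[4][1], fields[4][2])  # after sigalg, issuer, validity
    return serial, subject

def certs_from_record(record):
    """Split the certificate_list of a TLS Certificate(11) handshake record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if body[0] != 0x0B:
        raise ValueError("not a Certificate message")
    end, off, certs = 7 + int.from_bytes(body[4:7], "big"), 7, []
    while off < end:
        n = int.from_bytes(body[off:off + 3], "big")
        certs.append(body[off + 3:off + 3 + n])
        off += 3 + n
    return certs

# Indicators from the post: the serial exactly as the Snort rule carries it
# (DER value bytes, leading 00 included) and OpenSSL's default organization.
SYKIPOT_SERIAL = bytes.fromhex("00ec320967c9343f50")
DEFAULT_ORG = "O=Internet Widgits Pty Ltd"

def classify_record(record):
    """Return [(subject, [indicator names])] for each certificate served."""
    out = []
    for cert in certs_from_record(record):
        serial, subject = cert_fields(cert)
        hits = []
        if serial == SYKIPOT_SERIAL:
            hits.append("sykipot-serial")
        if DEFAULT_ORG in subject:
            hits.append("default-openssl-org")
        out.append((subject, hits))
    return out

# --- constructed sample certificate and record (not captured traffic) -------
def attr(oid, value):
    """One RDN: SET { SEQUENCE { OID, PrintableString } }."""
    return der(0x31, der(0x30, der(0x06, oid) + der(0x13, value)))

SUBJECT = der(0x30, attr(b"\x55\x04\x06", b"US") + attr(b"\x55\x04\x08", b"North Carolina")
              + attr(b"\x55\x04\x07", b"Salisbury") + attr(b"\x55\x04\x0a", b"Internet Widgits Pty Ltd")
              + attr(b"\x55\x04\x0b", b"VeriSign Trust Network") + attr(b"\x55\x04\x03", b"ITU Server"))

def build_cert(serial, name):
    """Truncated self-signed-style certificate: issuer == subject, no key or signature."""
    tbs = (der(0xA0, der(0x02, b"\x02"))                                      # version v3
           + der(0x02, serial)                                                 # serialNumber
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))    # sha1WithRSAEncryption
           + name                                                              # issuer
           + der(0x30, der(0x17, b"111201000000Z") + der(0x17, b"121201000000Z"))  # placeholder validity
           + name)                                                             # subject
    return der(0x30, der(0x30, tbs))

def certificate_record(certs):
    """Wrap DER certificates in a TLS 1.0 Certificate handshake record."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = b"\x0b" + (len(entries) + 3).to_bytes(3, "big") + len(entries).to_bytes(3, "big") + entries
    return b"\x16\x03\x01" + len(body).to_bytes(2, "big") + body

if __name__ == "__main__":
    for subject, hits in classify_record(certificate_record([build_cert(SYKIPOT_SERIAL, SUBJECT)])):
        print(subject, hits)
```

A certificate with the Sykipot serial trips both checks; a developer’s self-signed certificate that only kept the default organization trips just the policy check, which is the same split the two Snort rules make. Anything you hang off the default-organization match should therefore be treated as a lead to pivot on (headers, server software, hosting network, as the post does), not as a verdict.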

Who is behind Sykipot

We should not jump to conclusions, but whoever is behind Sykipot is collecting information on a massive scale from targeted victims across dozens of industries.

It is true that the malware itself is not very sophisticated, but it is linked to at least six zero-day attacks, which require skill and/or money. In any case, we have seen that “not too sophisticated” malware works; see Shady RAT, for instance, which targeted organizations ranging from defense contractors to accounting firms.

On the other hand, we have identified at least six Chinese IP addresses used to proxy or host the C&C servers. We also identified the tool the Sykipot authors use to package and create campaigns:

Some of the samples contain error messages in Chinese.

Apart from this, the “Netbox” web server used on the C&C servers is mainly used by Chinese speakers; in fact all the documentation for setting up and learning the framework is available only in Chinese.

Most of the domains used in these campaigns are registered through Xinnet, a Chinese registrar, and the registrant details (names, addresses, etc.) are Chinese, although that is weak evidence on its own.

Finally, we linked the tool used to redirect traffic from the hacked servers to a port-forwarding tool called ZXPortMap:

The tool appears to originate from China, from someone going by LZX, but anyone could have obtained the code and compiled it.

The last piece of information is a string embedded in all of the Sykipot binaries, “19990817”, which is used for another layer of encryption. It may be the date August 17, 1999; the only notable event on that date was a magnitude 7.6 earthquake that killed around 17,000 people in Turkey.

Did someone say cyberwar does not exist? Draw your own conclusions.


About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.