The document is an interesting read. Below is a summary of some of the attack vectors used with this malware. You can use this information to detect the presence of the NetTraveler malware.

Nettraveler uses a couple of C&C scripts

aasogspread.asp, adfsdfclnggsldfc.asp, advertisingservicesa3sb.asp, aneywsf. asp, apple.asp, applebag005.asp, azarweforrell.asp, azofjeljgo648rl.asp, certify.asp, dochunter.asp, dochunter1.asp, dochunteradfaefaer.asp, fish.asp, happy. asp, heritage.asp, huyuio67.asp, little.asp, madmaswhbe.asp, nethttpfile.asp, netpass. asp, nettraveler.asp, orphaned.asp, rice.asp, sabcfsf.asp, shenghai.asp, time.asp, update. asp, weathobloe.asp, yegnfvhemc.asp

Two of the C&C domains are sinkholed, pkspring.net and yangdex.org by Kaspersky. The other domains listed in the report were used by the malware as a command and control.

allen.w223.west263.cn, andriodphone.net, bauer.8866.org, buynewes.com, cultureacess.com, discoverypeace.org, drag2008.com, eaglesey.com, enterairment.net, faceboak.net, gami1.com, globalmailru.com, hint09.9966.org, imapupdate.com, inwpvpn.com, keyboardhk.com, localgroupnet.com, mailyandexru.com, msnnewes.com, newesyahoo.com, newfax.net, lab, ra1nru.com, ramb1er.com, sghrhd.190.20081.info, southstock.net, spit113.minidns.net, tsgoogoo.net, vip222idc.s169.288idc.com, viplenta.com, vipmailru.com, viprainru.com, viprambler.com, vipyandex.com, vpnwork.3322.org, wolf0.3322.org, wolf001.us109.eoidc.net, yahooair.com, lab, zeroicelee.com

Files marked to be uploaded are put in a directory %Temp%\ ntvba00.tmp\.

The saKer’ (‘xbox’) bacKdoor (droPPed file) uses a specific user agent string.

GET /301000000000F0FD...0000000000000000000 000000 HTTP/1.1 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win- dows NT 5.0; .NET CLR 1.1.4322)
Host: tsgoogoo.net

Host: pitgay.minidns.net:8090 
Cache-Control: no-cache
</blockquote>

Warning! This template worked for me, you should adjust it for your case.

GET /myfile.php HTTP/1.1
Host:myhost.com
User-Agent: Mozilla/5.0 (compatible; MSIE 8.2; Windows NT 6.0; en-US)
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Cookie: mycookie=12345
Referer: http://localhost.com/

Update

I created a small python script, http-py, available on Github do the manually queries.

Although the distribution itself is already very interesting, the list of tools provided by the distro is even more interesting. It is the ideal starting point if you want to build your own toolset.

6tunnel – TCP proxy for non-IPv6 applications
aircrack-ng – WEP/WPA cracking program
amap – a powerful application mapper
arp-scan – arp scanning and fingerprinting tool
bfbtester – Brute Force Binary Tester
bing-ip2hosts – Enumerate hostnames for an IP using bing
bsqlbf – Blind SQL injection brute forcer tool
btscanner – ncurses-based scanner for Bluetooth devices
chaosreader – trace network sessions and export it to html format
chkrootkit – rootkit detector
cryptcat – A lightweight version netcat extended with twofish encryption
darkstat – network traffic analyzer
dhcpdump – Parse DHCP packets from tcpdump
dissy – graphical frontend for objdump
dmitry – Deepmagic Information Gathering Tool
dns2tcp – TCP over DNS tunnel client and server
dnswalk – Checks dns zone information using nameserver lookups
dsniff – Various tools to sniff network traffic for cleartext insecurities
enum4linux – a tool for enumerating information from Windows and Samba systems
etherape – graphical network monitor
exploit-db – Exploit Database
fcrackzip – password cracker for zip archives
fimap – local and remote file inclusion tool
flasm – assembler and disassembler for Flash (SWF) bytecode
foremost – forensic program to recover lost files
fping – sends ICMP ECHO_REQUEST packets to network hosts
ftp-proxy – application level proxy for the FTP protocol
galleta – An Internet Explorer cookie forensic analysis tool
ghettotooth – a simple but effective blue driving tool
hostmap – hostnames and virtual hosts discovery tool
hping3 – Active Network Smashing Tool
httptunnel – Tunnels a data stream in HTTP requests
httrack – Copy websites to your computer (Offline browser)
hydra – Very fast network logon cracker
ike-scan – discover and fingerprint IKE hosts (IPsec VPN Servers)
inguma – Open source penetration testing toolkit
iodine – tool for tunneling IPv4 data through a DNS server
ipcalc – parameter calculator for IPv4 addresses
isr-evilgrade – take advantage of poor upgrade implementations by injecting fake updates
ipgrab – tcpdump-like utility that prints detailed header information
john – active password cracking tool
kismet – Wireless 802.11b monitoring tool
knocker – Simple and easy to use TCP security port scanner
lcrack – A generic password cracker
lynis – security auditing tool for Unix based systems
macchanger – utility for manipulating the MAC address of network interfaces
mboxgrep – Grep through mailboxes
mdk3 – bruteforce SSID’s, bruteforce MAC filters, SSID beacon flood
medusa – fast, parallel, modular, login brute-forcer for network services
metagoofil – an information gathering tool designed for extracting metadata
metasploit – security project which provides information about security vulnerabilities
mysqloit – SQL Injection takeover tool focused on LAMP
mz – versatile packet creation and network traffic generation tool
nbtscan – A program for scanning networks for NetBIOS name information
netcat-traditional – TCP/IP swiss army knife
netdiscover – active/passive network address scanner using arp requests
netrw – netcat like tool with nice features to transport files over network
netsed – network packet-altering stream editor
netwag – graphical frontend for netwox
netwox – networking utilities
nikto – web server security scanner
nmapsi4 – graphical interface to nmap, the network scanner
nmap – The Network Mapper
nstreams – network streams – a tcpdump output analyzer
obexftp – file transfer utility for devices that use the OBEX protocol
onesixtyone – fast and simple SNMP scanner
openvas-client – Remote network security auditor, the client
openvas-server – remote network security auditor – server
ophcrack-cli – Microsoft Windows password cracker using rainbow tables (cmdline)
ophcrack – Microsoft Windows password cracker using rainbow tables (gui)
otp – Generator for One Time Pads or Passwords
p0f – Passive OS fingerprinting tool
packeth – Ethernet packet generator
packit – Network Injection and Capture
pbnj – a suite of tools to monitor changes on a network
pentbox – Suite that packs security and stability testing oriented tools
pdfcrack – PDF files password cracker
pnscan – Multi threaded port scanner
proxychains – proxy chains – redirect connections through proxy servers
pscan – Format string security checker for C files
ptunnel – Tunnel TCP connections over ICMP packets
ratproxy – passive web application security assessment tool
reaver – brute force attack tool against Wifi Protected Setup PIN number
s.e.t – social engineering toolkit
scrub – writes patterns on magnetic media to thwart data recovery
secure-delete – tools to wipe files, free disk space, swap and memory
sendemail – lightweight, command line SMTP email client
siege – HTTP regression testing and benchmarking utility
sipcrack – SIP login dumper/cracker
sipvicious – suite is a set of tools that can be used to audit SIP based VoIP systems
skipfish – fully automated, active web application security reconnaissance tool
socat – multipurpose relay for bidirectional data transfer
splint – tool for statically checking C programs for bugs
sqlbrute – a tool for brute forcing data out of databases using blind SQL injection
sqlmap – tool that automates the process of detecting and exploiting SQL injection flaws
sqlninja – SQL Server injection and takeover tool
ssldump – An SSLv3/TLS network protocol analyzer
sslscan – Fast SSL scanner
sslsniff – SSL/TLS man-in-the-middle attack tool
sslstrip – SSL/TLS man-in-the-middle attack tool
stunnel4 – Universal SSL tunnel for network daemons
swaks – SMTP command-line test tool
tcpdump – command-line network traffic analyzer
tcpflow – TCP flow recorder
tcpick – TCP stream sniffer and connection tracker
tcpreplay – Tool to replay saved tcpdump files at arbitrary speeds
tcpslice – extract pieces of and/or glue together tcpdump files
tcpspy – Incoming and Outgoing TCP/IP connections logger
tcptrace – Tool for analyzing tcpdump output
tcpxtract – extracts files from network traffic based on file signatures
theHarvester – gather emails, subdomains, hosts, employee names, open ports and banners
tinyproxy – A lightweight, non-caching, optionally anonymizing HTTP proxy
tor – anonymizing overlay network for TCP
u3-tool – tool for controlling the special features of a U3 USB flash disk
udptunnel – tunnel UDP packets over a TCP connection
ussp-push – Client for OBEX PUSH
vidalia – controller GUI for Tor
vinetto – A forensics tool to examine Thumbs.db files
voiphopper – VoIP infrastructure security testing tool
voipong – VoIP sniffer and call detector
w3af-console – framework to find and exploit web application vulnerabilities (CLI only)
w3af – framework to find and exploit web application vulnerabilities
wapiti – Web application vulnerability scanner
wash – scan for vunerable WPS access points
wavemon – Wireless Device Monitoring Application
wbox – HTTP testing tool and configuration-less HTTP server
webhttrack – Copy websites to your computer, httrack with a Web interface
weplab – tool designed to break WEP keys
wfuzz – a tool designed for bruteforcing Web Applications
wipe – Secure file deletion
wireshark – network traffic analyzer – GTK+ version
xprobe – Remote OS identification
yersinia – Network vulnerabilities check software
zenmap – The Network Mapper Front End
zzuf – transparent application fuzzer

Fields

A line in /etc/passwd is one entry for a user account. The fields are separated by a colon (:).

The format is as follows (note that for the purpose of formatting the display, the line is split. A real /etc/passwd file would have all the data on one line).

newusername:x:1050:1001
     1      2   3    4   
 :NewUser,Roomnr,123,456,user@newdomain.com
        5
 :/home/newusername:/bin/sh
        6               7

 1: username
 2: password 
 3: the user id
 4: the group id
 5: user information (display with 'finger')
 6: the home directory
 7: the shell 

If the password field (2) contains an X then the encrypted password is stored in /etc/shadow.
If it contains an * then the account is disabled.

User IDs

Every user on a system must have an ID, called an UID (field 3). The super user, or root user, is assigned UID 0. UIDs of 1 to 99 are reserved for predefined accounts. The IDs from 100 to 999 are reserved for system accounts.

If you spot a user account with UID of 0 and it’s not root then this might be the sign of a break-in.
An easy way to look for UID 0 accounts is with

egrep ':0+:' /etc/passwd

Shadow file

Typically the passwd file is readable by world. This would mean that if passwords would also be stored in the passwd file these passwords are accessible by every account. To avoid this, passwords are stored in another file /etc/shadow that is only accessible by the root user.

Similarly to the passwd file, this file contains one entry per account and all fields are separated by a colon (:). The format is as follows

newusername:$verylongstrong$:15086:0:99999:7:::
   1              2             3  4   5   6

 1: username
 2: encrypted password 
 3: number of days since last change
 4: minimum of days required between password changes
 5: the maximum of days a password is valid
 6: the number of days, before the expiration of a password, that a user is warned  

If the encrypted password field starts with $ then this means it was generated with something else than DES. For example $1$ indicates it is generated with MD5, $6$ is SHA-512.

Edit the password or shadow file

Do not edit the passwd file or shadow file directly with vi.
You should use the special purpose tools as vipw or vigr to change these files.

Only scan networks that you are allowed to scan!

First check that you have TOR installed. It should be listening on a local network port tcp/9050.

tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      xxxx/tor        

You also need to install a package called proxychains that will proxy all the traffic through TOR. Proxychains has its configuration file in /etc/proxychains.conf. When installed, it will add the TOR connection as one of the available proxies./

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 	127.0.0.1 9050

Now, in order to proxy your nmap traffic through TOR, use the nmap command prepended with proxychains. Remember that due to the nature of the TOR network, you should limit your scans to TCP only. Use the sS (SYN) or sT (CONNECT) scan types.

proxychains nmap -sS -PN -n -p 21,443

proxychains nmap -sT -PN -n -p 21,443

UPDATE

A visitor pointed out that nmap breaks out of proxychains.
Further investigation showed that nmap breaks out of proxychains for the SYN (-sS) scan. The CONNECT (-sT) scan is done via proxychains.

#!/bin/sh

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin

IPFILE=/root/scripts/ipcheck.ip
INTF=tun0
MAILRCPT="yourmail"
MAILSUBJECT="DDclient update"

IP=`ifconfig $INTF | grep "inet " | grep -v inet6 | awk '{print $2}' |
sed 's/addr://'`

if [ -f $IPFILE ]; then
 OLDIP="`cat $IPFILE`"
fi

if [ "$IP" != "$OLDIP" ]; then
 echo $IP > $IPFILE
 /usr/bin/logger -t ipcheck_ddclient new IP address -- changed to $IP
 /sbin/ifconfig -a | mail -s $MAILSUBJECT $MAILRCPT
 /usr/local/sbin/ddclient -daemon=0 -syslog -use=ip -ip=$IP
fi

If you are unable to get your public IP from a local interface then you can use dyndns.org.

wget -q -O - checkip.dyndns.org|sed -e 's/.*Current IP Address: //' -e 's/<.*$//'

Unfortunately Boxcryptor is not available on Linux but it is compatible with encfs. The blog of Boxcryptor has a post describing in details how you can setup encfs on Ubuntu.

The blog post lacks some useful additional details.

Have encfs available for every user

By default only root users are allowed to use encfs. You can allow non-root users to use encfs.

Modify the /etc/fuse.conf file so that the last line “user_allow_other” does NOT have a leading hash. Save and exit. You do not need to reboot.

Add the non-priv user to the group fuse

You can then use encfs:

$ encfs /home/joeuser/encrypted_data /home/joeuser/decrypted -- -o allow_other

Sync files automatically

I sync my files via rsync from crontab. Before running the rsync I verify if the encrypted volume is mounted.

#/bin/bash

if ! mount | grep encfs >/dev/null; then
 echo "ENCFS not mounted"
else
 rsync -artvuc --delete /home/joeuser/files/ /home/joeuser/decrypted/files
fi

Extract the latest redmine file in your web root. I use a symlink pointing redmine to the latest version. This allows you to keep different version and provides an easy way to switch between versions. You then have to copy the different configuration files (database, configuration) from the ‘old’ setup to the ‘new’ setup. Do not copy the settings.yml file.

cp redmine-1.3.1/config/database.yml redmine/config/
cp -r redmine-1.3.1/files redmine/

The first error message is because of bundle.

rake aborted!
no such file to load -- bundler/setup

gem install bundler
bundle install

The bundle command failed because of libmagick problems. It was not a requirement for older Redmine versions but without the package (and the libraries) I couldn’t get the upgrade to continue.

checking for Magick-config... no
Can't install RMagick 2.13.2. Can't find Magick-config in /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

apt-get install librmagick-ruby
apt-get install libmagick9-dev

Restart the bundle install.

bundle install

Perform the ‘normal’ migration steps.

rake generate_secret_token
rake db:migrate RAILS_ENV=production
rake redmine:plugins:migrate RAILS_ENV=production 
rake tmp:cache:clear
rake tmp:sessions:clear

Restart Apache (and Passenger). The next error was Ruby (browser) complaining that there was no dispatch file.

no such file to load -- dispatcher

To solve this you have to upgrade Passenger manually.

gem install passenger
passenger-install-apache2-module

Change these configuration files

in /etc/apache2/mods-enabled/passenger.load
  LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19/ext/apache2/mod_passenger.so

in /etc/apache2/mods-enabled/passenger.conf
  PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.19
  PassengerRuby /usr/bin/ruby1.8

Restart Apache and Passenger. Log in to Redmine and go to the Administration part and review the roles and configuration.

Have Redmine installed for you

I can help you if you need help installing or maintaining Redmine.

Below is a list of domains and IPs used in the attack. These lists can help system administrators spot infections on their network. The information is taken from the PDF at http://www.securelist.com/en/blog/208194092/Red_October_Indicators_of_compromise.

IPs

141.101.239.225
178.162.129.237
178.162.182.42
178.63.208.49
188.40.19.247
31.184.234.18
31.41.45.9
37.235.54.48
46.4.202.86
77.72.133.161
78.46.173.15
88.198.30.44
88.198.85.161
88.198.85.162
92.53.105.40
95.168.172.69
31.41.45.139
91.226.31.40
178.63.208.63
31.41.45.119
176.9.241.254
31.41.45.179
176.9.189.36
92.53.105.214
188.40.19.244
85.25.104.57

Command and Control domains

bb-apps-world.com
blackberry-apps-world.com
blackberry-update.com
csrss-check-new.com
csrss-update-new.com
csrss-upgrade-new.com
dailyinfonews.net
dll-host.com
dll-host-check.com
dll-host-udate.com
dll-host-update.com
dllupdate.info
drivers-check.com 
drivers-get.com
drivers-update-online.com
genuine-check.com
genuineservicecheck.com
genuineupdate.com
hotinfonews.com
microsoftcheck.com
microsoft-msdn.com
microsoftosupdate.com
mobile-update.com
msgenuine.net
msinfoonline.org
msonlinecheck.com
msonlineget.com
msonlineupdate.com
ms-software-check.com
ms-software-genuine.com
ms-software-update.com
new-driver-upgrade.com
nt-windows-check.com
nt-windows-online.com
nt-windows-update.com
osgenuine.com
os-microsoft-check.com
os-microsoft-update.com
security-mobile.com
shellupdate.com
svchost-check.com
svchost-online.com
svchost-update.com
update-genuine.com
win-check-update.com
windowscheckupdate.com
windows-genuine.com
windowsonlineupdate.com
win-driver-upgrade.com
wingenuine.com
wins-driver-check.com
wins-driver-update.com
wins-update.com
winupdateonline.com
winupdateos.com
world-mobile-congress.com
xponlineupdate.com

Recently I found a map from Use-It with some interesting “things to do”. I’ve put the map in my Evernote notes.