NetTraveler, cyber-espionage campaign

Kaspersky recently released a paper on a cyber-espionage campaign that used NetTraveler, a malicious program used for covert computer surveillance.

The document is an interesting read. Below is a summary of some of the attack vectors used with this malware. You can use this information to detect the presence of the NetTraveler malware.

NetTraveler communicates with its C&C servers through a number of server-side ASP scripts:

aasogspread.asp, adfsdfclnggsldfc.asp, advertisingservicesa3sb.asp, aneywsf.asp, apple.asp, applebag005.asp, azarweforrell.asp, azofjeljgo648rl.asp, certify.asp, dochunter.asp, dochunter1.asp, dochunteradfaefaer.asp, fish.asp, happy.asp, heritage.asp, huyuio67.asp, little.asp, madmaswhbe.asp, nethttpfile.asp, netpass.asp, nettraveler.asp, orphaned.asp, rice.asp, sabcfsf.asp, shenghai.asp, time.asp, update.asp, weathobloe.asp, yegnfvhemc.asp

Two of the C&C domains, pkspring.net and yangdex.org, have been sinkholed by Kaspersky. The other domains listed in the report were used by the malware for command and control:

allen.w223.west263.cn, andriodphone.net, bauer.8866.org, buynewes.com, cultureacess.com, discoverypeace.org, drag2008.com, eaglesey.com, enterairment.net, faceboak.net, gami1.com, globalmailru.com, hint09.9966.org, imapupdate.com, inwpvpn.com, keyboardhk.com, localgroupnet.com, mailyandexru.com, msnnewes.com, newesyahoo.com, newfax.net, ra1nru.com, ramb1er.com, sghrhd.190.20081.info, southstock.net, spit113.minidns.net, tsgoogoo.net, vip222idc.s169.288idc.com, viplenta.com, vipmailru.com, viprainru.com, viprambler.com, vipyandex.com, vpnwork.3322.org, wolf0.3322.org, wolf001.us109.eoidc.net, yahooair.com, zeroicelee.com

Files marked for upload are staged in the directory %Temp%\ntvba00.tmp\.

The ‘Saker’ (‘xbox’) backdoor (a dropped file) uses a specific user agent string:

GET /301000000000F0FD...0000000000000000000000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: tsgoogoo.net

Host: pitgay.minidns.net:8090
Cache-Control: no-cache
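The post says the indicators above can be used to detect NetTraveler; the script below is an added example (not from the post or from Kaspersky's report) that does exactly that against web-proxy log lines. The tab-separated log format and the sample lines are constructed for illustration, and the "long hexadecimal request path" heuristic is an assumption drawn from the elided GET line above, so the hex length threshold is a guess. Note that the Saker user-agent string is an ordinary IE6 string, so on its own it only earns a low-severity hit; the C&C hostnames and script names are the strong indicators.

```python
"""Match proxy log lines against the NetTraveler indicators quoted on the page.

Added example. The log format is constructed (tab-separated: timestamp,
client IP, method, host, path, user agent) and the hex-path heuristic is an
assumption, not something the Kaspersky report states.
"""
import os
import re

# C&C script names and domains copied from the page.
CC_SCRIPTS = {
    "aasogspread.asp", "adfsdfclnggsldfc.asp", "advertisingservicesa3sb.asp",
    "aneywsf.asp", "apple.asp", "applebag005.asp", "azarweforrell.asp",
    "azofjeljgo648rl.asp", "certify.asp", "dochunter.asp", "dochunter1.asp",
    "dochunteradfaefaer.asp", "fish.asp", "happy.asp", "heritage.asp",
    "huyuio67.asp", "little.asp", "madmaswhbe.asp", "nethttpfile.asp",
    "netpass.asp", "nettraveler.asp", "orphaned.asp", "rice.asp", "sabcfsf.asp",
    "shenghai.asp", "time.asp", "update.asp", "weathobloe.asp", "yegnfvhemc.asp",
}
CC_DOMAINS = {
    "allen.w223.west263.cn", "andriodphone.net", "bauer.8866.org", "buynewes.com",
    "cultureacess.com", "discoverypeace.org", "drag2008.com", "eaglesey.com",
    "enterairment.net", "faceboak.net", "gami1.com", "globalmailru.com",
    "hint09.9966.org", "imapupdate.com", "inwpvpn.com", "keyboardhk.com",
    "localgroupnet.com", "mailyandexru.com", "msnnewes.com", "newesyahoo.com",
    "newfax.net", "ra1nru.com", "ramb1er.com", "sghrhd.190.20081.info",
    "southstock.net", "spit113.minidns.net", "tsgoogoo.net",
    "vip222idc.s169.288idc.com", "viplenta.com", "vipmailru.com", "viprainru.com",
    "viprambler.com", "vipyandex.com", "vpnwork.3322.org", "wolf0.3322.org",
    "wolf001.us109.eoidc.net", "yahooair.com", "zeroicelee.com",
    # sinkholed domains and the Host header from the Saker request, also on the page
    "pkspring.net", "yangdex.org", "pitgay.minidns.net",
}
SAKER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
# Assumption: the Saker GET path is a long run of hex digits (threshold is a guess).
HEX_PATH = re.compile(r"^/[0-9A-Fa-f]{32,}$")

FIELDS = ("ts", "client", "method", "host", "path", "ua")


def parse_line(line):
    """Parse one constructed tab-separated log line; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Return (severity, reason) for a record, or None when nothing matches."""
    host = rec["host"].lower().split(":")[0]            # drop :8090-style ports
    script = rec["path"].split("?")[0].rsplit("/", 1)[-1].lower()
    if host in CC_DOMAINS:
        return ("high", "known NetTraveler C&C host " + host)
    if script in CC_SCRIPTS:
        return ("medium", "NetTraveler C&C script name " + script)
    if rec["ua"] == SAKER_UA and HEX_PATH.match(rec["path"]):
        return ("medium", "Saker user agent with long hex request path")
    if rec["ua"] == SAKER_UA:
        return ("low", "Saker user agent only (generic IE6 string, weak alone)")
    return None


def scan(lines):
    """Return (client, host, severity, reason) for every matching line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        verdict = classify(rec) if rec else None
        if verdict:
            hits.append((rec["client"], rec["host"]) + verdict)
    return hits


def staging_dir_present(temp_root):
    """Host check: does the upload staging directory ntvba00.tmp exist under temp_root?"""
    return os.path.isdir(os.path.join(temp_root, "ntvba00.tmp"))


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2013-06-04T10:00:01\t10.0.0.5\tGET\ttsgoogoo.net\t/301000000000F0FD0000000000000000000000000000\t" + SAKER_UA,
    "2013-06-04T10:00:02\t10.0.0.7\tPOST\tcdn.example.invalid\t/files/dochunter.asp?id=1\tMozilla/5.0 (Windows NT 6.1)",
    "2013-06-04T10:00:03\t10.0.0.9\tGET\tpitgay.minidns.net:8090\t/30100000000000000000000000000000000000000000\t" + SAKER_UA,
    "2013-06-04T10:00:04\t10.0.0.11\tGET\tintranet.example.invalid\t/index.html\t" + SAKER_UA,
    "2013-06-04T10:00:05\t10.0.0.13\tGET\tnews.example.invalid\t/news.html\tMozilla/5.0 (Windows NT 6.1)",
    "garbage line with the wrong number of fields",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%-9s %-26s %-6s %s" % hit)
    print("staging dir present:", staging_dir_present(os.environ.get("TEMP", "/tmp")))
```

Run against real proxy or web-server logs by adapting parse_line to the local format; the classify logic stays the same. Because the sinkholed domains are included, a high-severity hit on pkspring.net or yangdex.org means an already-infected host is still beaconing, which is worth escalating even though the operator no longer controls that server.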
