Botnets « M86 Security Labs Blog

Archive for the ‘Botnets’ Category

The Cridex Trojan Targets 137 Financial Organizations in One Go

By Daniel Chechik • March 1st, 2012 • Botnets Cybercrime Malware Spam

A few weeks ago M86 Security Labs alerted that cybercriminals managed to compromise hundreds of WordPress-based sites. These attacks started with several large spam campaigns as reported in our most recent blog post on Cutwail. These emails included embedded URL links or HTML attachments that tricked the user to browse to the compromised Web sites. All these links eventually lead to Web pages infected with the Phoenix exploit kit. These cybercriminals operate Fast flux networks, which are a DNS technique used by botnets to hide the main C&C servers.

After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine. The downloaded Trojan is recognized by antivirus vendors under several names such as Cridex, Carberp and Dapato. Antivirus detection is quite low and only ten out of 43 antivirus scanners in VirusTotal can detect it.

VirusTotal scan of Cridex

Let’s take a look how this Trojan operates step by step.

Once the Cridex Trojan is loaded to the victims’ machine it executes several actions. First, it copies itself to drive C: as KB00447841.exe and creates the following files:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT
C:\Documents and Settings\Administrator\Application Data\KB00447841.exe

The BAT file upon its execution removes the original malware downloaded by the Phoenix exploit kit.

In the second phase, the malware hooks into the “explorer.exe” process. Then it communicates with its C&C which is done over Fast flux networks to make it harder to identify and shut down their C&C servers. Every several hours one domain becomes unavailable and is replaced by another one. In some cases, the traffic flow of the Trojan can look like this:

Fiddler dump of the Trojan’s traffic activity

Cridex consistently tries to find a live proxy to reach the C&C server. At first glance the domain names look random. However, when taking a closer look, we see that the Trojan generates a new domain name before every attempt to access the C&C:

Ollydbg - Debugging of "Explorer.exe" infected by the Trojan

Here is a pseudo code of the Trojan’s code:

ECX = ECX * 0x19660D
ECX = ECX + 0x3C6EF35F
ECX = ECX << 0×10
ECX = ECX – 0x7FFF
EAX = ECX
EDX = 0
EAX = EAX XOR 0×88
EBP = 0x1A
EAX = EAX / 0x1A
EDX = EAX % 0x1A
ESI++
EDX = EDX + 0×61
Address[EBX + ESI] = DX
If not reached the end of the domain name length continue

Using this logical algorithm to generate and access domains, the cybercriminals can resume the attack even after their server(s) are offline for some period of time.

Once the Trojan finds a live proxy, it connects to the C&C server and downloads a customized configuration from the Cridex botnet. The cybercriminals are currently running multiple botnets with over 25,000 infected machines.

Cridex botnet control panel

This Trojan’s capability is basically similar to Zeus and SpyEye. It collects information from the user’s machine and sends it to the C&C server. This information can include, for example, cookies, FTP credentials and email accounts.

The configuration panel of the Cridex Trojan

The cybercriminals can track specific Web sites that are accessed by the user by taking screenshots of every page the user accessed in real time. They can also blacklist URLs, redirect URLs and more. Same as with the Zeus Trojan, the administrators can supply a code to be injected into Web pages. The Cridex Trojan intercepts browser requests and changes the displayed content according to the configuration, written by the administrator of the botnet. This way the cybercriminal can trick the user to enter valuable information the cybercriminal is looking for, without raising suspicion.

What’s new in the Cridex Trojan compared to Zeus or SpyEye?

Cridex has a “WORLD BANKER CENTER” plug-in which includes a database of 137 banks. Yes, one hundred, thirty seven different banks or financial organizations from all over the world!

Data collected by the "WORLD BANK CENTER" plug-in

This control panel provides simple user experience for the cybercriminals. It contains the structure of the banking organization’s Web site pages, so the Trojan can identify which valuable fields to send back to the C&C. Moreover, the cybercriminals can create and change forms that are normally completed by the victim.

Templates of "WORLD BANK CENTER" plug-in

In conclusion, the Cridex Trojan takes control of the victim’s machines and allows it to collect information and potentially make fraudulent transactions by manipulating the bank Web pages.

M86 MailMarshal Secure Email Gateway customers are protected against these blended threat spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix exploit kit and in particular against the Cridex Trojan.

M86 Security Threat Report for the Second Half of 2011 is Now Available

By Ziv Mador • February 8th, 2012 • Botnets Cybercrime Reports Social Networking Spam Vulnerabilities

We are releasing today our bi-annual Threat Report for 2H 2011. The report relies on M86 Security Labs analysis of spam and malware activity, including the current use of exploit kits, fraudulent digital certificates and social networking schemes. Key points from the M86 Security Labs for the second half of 2011 are:
1. Targeted attacks became sophisticated and pursued a wider range of organizations, including commercial, national critical infrastructure and military targets.
2. Use of stolen or fraudulent digital certificates has become more common, especially as part of targeted attacks.
3. In several targeted attacks, malware was hidden by embedding itself in various file formats—with a few cases of multiple embedding layers. This method can evade security software that fails to scan deep enough.
4. Blackhole has become the most prevalent exploit kit in the second half of 2011 with a huge margin over other exploit kits. Some of the exploit kits which were active in the past are rarely used now or were practically abandoned.
5. Newer versions of Blackhole are being deployed first in Eastern Europe. Its authors increased its update frequency and added new exploits and tricks to evade detection, such as checking the software version on the client machine before attempting to exploit it.
6. Fake social media notifications are now a mainstream way for spammers to dupe users into clicking links.
7. Facebook continues to be a conduit for spam and malware, as many campaigns are spreading virally by enticing users to share posts that promise gift cards or other rewards.
8. Hacked, but otherwise legitimate, websites played a major role in distributing spam and malware by redirecting browsers to the ultimate destination.
9. Malicious Web content currently exploits more than 50 vulnerabilities in various software products. The most commonly exploited products are Microsoft Internet Explorer, Oracle Java, Adobe Acrobat Reader, Adobe Flash and Microsoft Office products.
10. The overall volume of spam continued to decline in 2011, reaching a four-year low in December 2011.
11. Eight spamming botnets were responsible for 90% of the spam monitored by M86 Security Labs. All of these botnets are familiar and have been established for some time.
12. The proportion of malicious spam rose in the second half of the year from less than 1% to 5%, including a massive spike in malicious attachments in August and September. Later in the year, the focus shifted from malicious attachments to malicious links that led to exploit kits, in particular, the Blackhole exploit kit.
13. Some noticeable wins by law enforcement authorities and researchers against cybercriminals, botnets and affiliate programs like fake AV and rogue online pharmacies, took place this year.
14. Malicious Web content hosted in China targets mostly older versions of Internet Explorer, which is popular in that country.
15. Almost half of the global malicious Web content is hosted in the U.S. The states hosting most malware are Florida, California, Texas and Washington.

The report provides statistics about the geographical distribution of web-based malware, about the most commonly used exploits and about the prevalence of exploit kits. Statistics about spam categories and spam botnets are also provided. In addition to these statistics, the report includes eleven featured articles about current cyber threats and ends with recommendations for administrators, Website owners and end users.
The M86 Security Labs Report can be downloaded from http://m86.it/2HSecReport.
We hope you find the information in this report useful.
M86 Security Labs

New Bots, Old Bots: Xarvester Returns

By Phil Hay • May 24th, 2011 • Botnets

There has been quite a shake up in the spamming underworld ever since SpamIt.com closed shop and the Rustock botnet was disrupted. A look at our weekly spam statistics shows that spam volume has dropped substantially, making this year (so far) a happy one for anti-spammers. While spam output has remained low, the statistics also show quite a shakeup in the bots used to distribute spam.

Surprisingly, since around March, we have observed a big rise in spam from two botnets well known to us from the past – Donbot and Xarvester. Six months ago, spam from these botnets hardly got our attention. But now, clearly, someone has breathed new life into these spamming machines.

Xarvester first came to our attention over two years ago, when it rose to prominance after the hosting provider McColo was unplugged, decimating the then leading spamming botnet Srizbi. We have also seen Xarvester clearly linked to Spamit.com, when we discovered Spamit ‘footprints’ in Xarvester spam templates. So when we recently came across a Xarvester bot, we decided to take a closer look. The sample we used is not named Xarvester by any anti-virus vendor, Microsoft were calling it Bymot, and AVG called it simply SpamTool (VirusTotal Report). A look at the strings in the malware body confirmed to us that what we we looking at was indeed Xarvester, as we had seen these strings in previous Xarvester bots.

Both the highlighed command and control domains are hard coded into the malware and both point to the same IP address.

The spambot itself is relatively simple. When the executable is run, it first performs a query to checkip.dyndns.com to check the IP address of the host. The bot then connects to the def2010cnt[dot]biz domain on port 12309, and requests an encrypted file, which, when decrypted, proves to be a container for a bunch of files the bot needs to spam.

Again, this is very similar to what we saw with Xarvester over two years ago. The bot typically does not perform DNS lookups for each spam message, instead the IP address for each target domain are downloaded in the package. The headers of the spam messages are very uniform, and closer inspection shows that the bulk of the header is hard coded in the malware body, which is unusual when compared to many of the other bots we see today that vary headers regularly. Even the content of the message body has a familiar look to it. Compare the message body today:

With a message we saw from Xarvester two years ago:

So, Xarvester has been dusted off and is back to flogging replica watches – who would have thought?

We have updated our spambot description for Xarvester, which you can find here.

Thanks to Gavin Neale and Rodel Mendrez who contributed to the analysis of this bot.

Pushdo Botnet Crippled – II

By Phil Hay • September 9th, 2010 • Botnets

Two weeks ago we reported on the sudden drop in spam from the Pushdo botnet as a result of many of its control servers being taken down. Since then, spam output from this botnet has remained subdued, as the following updated chart shows.

As Pushdo (otherwise known by its spamming component Cutwail) was only responsible for about 10% of spam prior to the takedown, overall spam volumes have not been hugely affected. It is not uncommon to see 10% volume swings in a day. Having said that, last week our spam volume index did show slightly reduced overall levels of spam for the week.

Things seem to be warming up, however. Other researchers have observed more Cutwail control servers being added. Also, yesterday we saw a resumption of malicious spam from Pushdo with the Sasfis downloader as the payload. This simply reaffirms our earlier suspicions that these guys will not be down for long.

Tags: Cutwail | Malicious Spam | Pushdo | Sasfis | takedowns

Pushdo Botnet Crippled

By Phil Hay • August 27th, 2010 • Botnets

This morning we noticed that the usual torrent of spam from the Pushdo (or Cutwail) botnet had turned into a dribble. The chart below shows an index of Pushdo spam volume over the month of August.

Pushdo Stats

So what’s the reason for this sudden decline? It turns out that the folks at TLLOD have been busy analyzing Pushdo command and control servers, and coordinating their take down. According to their blog, over 30 Pushdo control servers were identified and 20 were taken down with the help of the relevant hosting providers. However, there still remains a few active control servers still serving up spamming data.

As the chart above shows, this coordinated takedown has had an immediate impact on Pushdo’s spam output. This is welcome news indeed, especially as Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months. Still, we must sound a note of caution. Previous experience has taught us that these botnet take downs are short lived. Disabling control servers does not incapacitate the people behind the botnet. It is highly likely they’ll be back before long with new control servers, and bots to do their spamming. In the meantime, we can enjoy a few days with less spam about.

Tags: Cutwail | Malicious Spam | Spambot | takedowns

Revisiting the King of Spam

By Rodel Mendrez • July 29th, 2010 • Botnets

We keep a close eye on spam and the malware that drives spam production. Our recent report highlighted some of the worst offenders, and Rustock is without a doubt the leader of the pack. Over the last six months, the proportion of Rustock spam in our spam traps peaked to nearly 60% and it has never returned to levels lower than 20% of total spam.

Who’s the Rustock spambot that we know?

Over time, we have observed regular updates to Rustock. There is no consistent name given to it by anti-virus vendors, but recent Rustock binaries are detected by some anti-virus engines as Bubnix. The newest Rustock variant was first detected last December 2009. A month after that we observed a large influx of Rustock spam that spiked to over 50% of the spam we observed over the next few months. Though the malware may have different detection names and OS installation behavior, it employs a similar rootkit-based spamming engine, similar command and control architecture, and similar observable patterns in spam traffic.

Tags: Canadian Pharmacy | Rustock | Spambot

Another round of Asprox SQL injection attacks

By Rodel Mendrez • June 23rd, 2010 • Botnets

Earlier this month, we reported on a new variant of Asprox malware which was being spammed out by the Pushdo botnet. At that time, the Asprox executables we analyzed were purely sending spam. However, a few days after our post, we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks.

As of this writing, there are three fast-flux domains that the bot attempts to contact.

CL63AMGSTART.RU
HYPERVMSYS.RU
ML63AMGSTART.RU

These domains resolve to Asprox’s control servers, which respond with spam templates, target email addresses, Asprox malware updates, as well as SQL injection attack information and lists of target ASP websites.

When analyzing the new Asprox binary that we pulled from the command and control server, we noticed some interesting clues that show that Asprox is behind the latest SQL injection attacks.

Figure 1: SQL statement in the Asprox malware body used to launch the SQL injection attack. As of this writing this malware had a poor detection rate .

The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites and some other information such as a Google search term to search for more potential targets.

Figure 2: The decrypted XML file which the bot receives. Contains a list of information such as target websites.

When the Asprox bot launches an SQL injection attack, the initial request looks similar to this:

The SQL statement is passed to a target ASP website and executes a series of URL encoded SQL queries, which when decoded, look like this:

Enclosed in the SQL CAST function is another hexadecimal encoded string. Decoding it reveals a <script> tag that reveals malicious JavaScript code hosted on a remote site. The sub-domain part of this URL varies, so administrators should seek to block the domain:

Update:

We have seen new domains hosting the malicious JavaScript, although, as yet, the number of infected sites are not as numerous. Again, the sub-domain part varies.

http://manage[dot]webservicekuz[dot]ru/js.js

http://stream[dot]webservicesttt[dot]ru/js.js

http://media[dot]webservicefull[dot]ru/js.js

http://edit[dot]webservicezok[dot]ru/js.js

http://redir[dot]webserviceforward[dot]ru/js.js

http://shell[dot]webserviceget[dot]ru/js.js

http://rid[dot]webservicedevlop[dot]ru/js.js

The SQL attack queries a special table in the SQL server sysobjects and syscolumns in an attempt to get the available “user” tables and fields in the website’s database. Walking through the tables and fields, the attack appends the malicious <script> tag to the selected values, in effect poisoning the website’s database. Once a web page uses a string from the poisoned database, the malicious <script> tag is injected into that web page. When we performed a Google search of this domain, we saw over 5000 websites infected:

So Asprox is back with a vengeance, and doing its typically Asprox-like things, namely spamming and SQL injection. Anyone have a feeling of déjà vu?

Tags: ASP | Asprox | Spambot | SQL Injection