Posts Tagged ‘Command & Control Server’


Shedding Light on the NeoSploit Exploit Kit

By Daniel Chechik  •  January 4th, 2011  •   Malware

Over the last few years, we’ve witnessed dozens of Exploit Kits such as the Phoenix Exploit Kit, Eleonore Exploit Kit, Yes Exploit Kit and even some old Exploit Kits such as IcePack and MPack. We’ve observed that most Exploit Kits don’t last more than one year, except for one…

NeoSploit Administration Login Panel.


Background: The Old NeoSploit

The NeoSploit Exploit Kit was first seen by M86 Labs in 2007. It was one of the first exploit kits developed to exploit browser vulnerabilities such as MDAC RDS and ActiveX vulnerabilities. The NeoSploit Exploit Kit then evolved to add the Adobe Reader Collab CollectEmailInfo vulnerability as an attack vector.

In April 2008, the NeoSploit team released Version 3, which included improved statistics and configuration control as well as a stabilized and sophisticated exploit package. However, in July the team announced it would stop supporting and updating the NeoSploit project due to financial problems. This led to a rapid decline in NeoSploit’s prominence in the wild until it disappeared. Rumors began to spring up that the source code of NeoSploit had been leaked.


Bredolab Trojan – Malware Review

By Daniel Chechik  •  December 23rd, 2010  •   Malware

Two months ago, the authorities in the Netherlands announced a massive takedown of the Bredolab Trojan botnet. Despite these efforts, the Bredolab Trojan is still spreading malware on users’ machines.

Unlike the Zeus or SpyEye Trojans, the Bredolab Trojan is pretty simple and has limited capabilities, similar to the Ofikla Trojan. Its functionality was reviewed in a very interesting and detailed blog post by Kaspersky Lab expert Alexei Kadiev, “End of the Line for the Bredolab Botnet?” Our blog post sheds light on additional aspects of Bredolab’s communication, its evasive techniques and C&C functionality.

Let’s take a step by step look at how the Trojan operates.


The Golden Cash Botnet

By Anonymous  •  June 17th, 2009  •   Cybercrime

In our recent Cybercrime Intelligence report, we described the business side of the Golden Cash botnet. 
In this blog post, we will provide you with more technical information about the botnet C&C server and the attack lifecycle. 
Here is how it works: 
A user visits a legitimate but compromised website that contains a malicious IFrame. This IFrame causes the victim’s browser to pull the exploit code from a server armed with the exploit toolkit. 
Upon successful exploitation, a special build of a Trojan, created for the attacker, is pulled from the Golden Cash server. Once installed, the Trojan reports back to the Golden Cash server and the attacker’s account at Golden Cash is credited with currency. 
The first instruction sent by Golden Cash to the victim’s machine is to install an FTP-grabber (to steal FTP credentials). Our research found about 100,000 stolen FTP credentials on the Golden Cash server. 
The victim’s machine is now in a pool of infected machines controlled by Golden Cash and auctioned to other criminals through a separate website for buyers. From time to time, the victim’s machine gets instructions to install malware on behalf of the criminal-customer. The Trojan on the victim machine reports back to Golden Cash on each successful installation of the customer’s malware, and the criminal-customer’s account is charged with currency. The victim machine then goes back into the ‘available for more infections’ pool. 
One interesting discovery was that the botnet’s command and control server uses another website as a proxy that tunnels the bots’ communication to and from the C&C server. By applying this technique the C&C server remained ‘protected’ and undetected by security vendors for a longer time. In fact, we found Zeus Trojan logs on the C&C server from June 2008. Normally, we find logs that are about 3-4 months old. 
As noted above, the botnet spreads using distributors. For each distributor, a special bot build is created. The special build assists the cybercriminal in tracking the installations of each distributor. 
Following is a screenshot of VirusTotal scan results (26/40) for one of those builds: 
 
For managing and building the bots, the cybercriminals utilized the notorious “Zalupko” Trojan. Below is a screenshot taken from the admin panel: 
 
The system is set up in such a way that only bots that communicated with the C&C server in the previous 15 days are counted; bots that didn’t communicate in this period were removed from the database. 
Zalupko has “built-in” FTP-grabbing capabilities that were utilized by the cybercriminal to steal around 100k FTP-credentials: 
 
Some of the stolen FTP credentials were used to inject a malicious IFrame into the web pages stored on the FTP server. The purpose was to infect more machines and generate organic growth. 
The C&C server is hosted in Texas, US; the registrant country is China. 
The “proxy” website that tunnels traffic to the C&C server is hosted in Krasnodar, Russia. 
Posted by Golan Yosef


Did You Update Your Unique Pack Toolkit Today?

By Moshe Basanchig  •  May 20th, 2009  •   Cybercrime Vulnerabilities

Recently we wrote about a crimeware toolkit called “Unique Pack”, which is one of the most popular toolkits “in the wild” these days. Just like other popular toolkits we reported on in the past, these are highly successful in exploiting end-users’ PCs when released. However, their effectiveness decreases as time passes, since more and more users patch their PCs. 
Just like operating systems and browsers, some toolkits get updates as well, allowing them to exploit newer vulnerabilities and offering the cybercriminal more options in orchestrating the attack. This is also the case with “Unique Pack”. 
Recently we found an updated version of the “Unique Pack” toolkit. 
Let’s take a look at the changes in the administration panel: 
 
The new “settings” tab in the panel shows the collection of exploits included in the toolkit. The toolkit provides links to information about each exploit (google.com, Microsoft.com, SecurityFocus, etc.). Moreover, it enables the cybercriminal to change the exploitation order and to enable/disable individual exploits during the attack. In the above screenshot, taken from a cybercriminal’s server, we see that no exploit was enabled for the Firefox web browser, while almost all exploits for IE 7 and 8 were enabled. Indeed, visiting the malicious site using Firefox wouldn’t trigger any exploit. 
Following is the obfuscation used by the toolkit: 
 
As you can see, it’s a rather simple JavaScript obfuscation merely used to avoid AV signatures. 
The obfuscated code is generated dynamically at the server side according to the user’s browser. 
Below are the different vulnerabilities being exploited by the new “Unique Pack” in order to install malicious software on computers running Internet Explorer 6: 

  • AOL SuperBuddy ActiveX Control Code Execution Vulnerability.
  • NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow.
  • Yahoo! Messenger ywcvwr.dll ActiveX Control Buffer Overflow.
  • Yahoo! Messenger ywcupl.dll ActiveX Control Buffer Overflow.
  • Microsoft Windows XVoice.dll and Xlisten.dll Buffer Overflow Vulnerability.
  • Real Player IERPCtl Remote Code Execution Vulnerability.
  • GOM Player GomWebCtrl.GomManager ActiveX RCE Vulnerability.
  • Aurigma Facebook Image Uploader ActiveX RCE Vulnerability.
  • Real Player rmoc3260.dll ActiveX Control Remote Code Execution Vulnerability.
  • CA BrightStor ARCserve Backup ActiveX Remote Buffer Overflow Vulnerability.
  • Microsoft Works ActiveX Control Remote Code Execution Vulnerability.
  • Ourgame GLWorld GLIEDown2.dll multiple RCE Vulnerabilities.
  • Creative Software CTSUEng.ocx ActiveX Control RCE Vulnerability.
  • Microsoft Access Snapshot Viewer ActiveX Control Vulnerability.
  • Sina DLoader File Download Vulnerability.
  • Windows Media Encoder (wmex.dll) ActiveX Vulnerability.
  • IE RDS ActiveX Vulnerability.
  • IE WMIScriptUtils createObject vulnerability.
  • IE WebViewFolderIcon vulnerability.

Indeed, quite an impressive list. Some of these vulnerabilities are rather new, such as the “Snapshot Viewer”, while others are old, yet effective. Had the client used a newer version of Internet Explorer, such as 7 or 8, different vulnerabilities would have been exploited, such as MS08-078. 
When the Opera web browser is used, “Unique Pack” tries to exploit the opera.setPreference method to change the handler for the TN3270 protocol, and then opens such a URL. The new handler is an executable downloaded by the toolkit and saved by Opera in the temporary internet folder. Due to another weakness of the Opera browser, the attacker can figure out the full path to it and set this path as the protocol handler. This results in the browser running the executable file. The vulnerability that allows this exploit was fixed in Opera 9.62. 
Apart from exploiting web browsers, “Unique Pack” also tries to exploit both Adobe Acrobat Reader and Foxit Reader vulnerabilities. Following is part of the PDF file exploiting one of the latest Acrobat Reader vulnerabilities: 
 
Finally, if the attack succeeds, a malicious executable file is pushed to and installed on the client machine. 
The VirusTotal report below shows that only 2/40 AV products detected it: 
 
As always, we encourage users to upgrade their OS, browser, PDF reader, and the rest of their software stack with the latest security updates. Stay safe! 
Posted by Moshe Basanchig


How a cybergang operates a network of 1.9 million infected computers

By Anonymous  •  April 22nd, 2009  •   Cybercrime

Today we announced our recent discovery of a network of 1.9 million infected computers controlled by cybercriminals. This is one of the largest bot networks controlled by a single team of cybercriminals (or cybergang) that we have found this year. In this blog post we will provide you with additional details about this network, the malware in use and how the operators are using it to make money; after all, this is the main driver for cybercrime today. 
We found that the botnet’s command and control server is hosted in Ukraine. As folders on this server were left open, we were able to get more information for our research. 
The following screenshot sheds some light on the number of computers this cybergang managed to infect. We saw this number increase during our research, on an hourly basis. 
 
The server has a nice backend management application making it easy for the attackers to manage the infected machines. One of the management console features that we identified is a Command Editing panel through which instructions are sent to the infected machines (bots).
We have seen commands asking the bots to download and execute additional malware, download settings files, apply update files etc. 
Following is an example of such a command being sent to the infected machines: 
 
This command instructs the bot on the infected computers to download and execute a Trojan horse. As indicated in the VirusTotal report below, only 4 out of 39 Anti-Virus products detected this Trojan. 
 
The description field of this command led us to a hackers’ forum in Russia with a post requesting to trade in infected computers. 
Let’s imagine for a moment that your infected computer is being traded without you knowing about it… or that your company’s infected computer is being traded… And what about your government agency’s infected computer being traded? Isn’t it scary?! 
Here is another instruction sent to the botnet: 
 
This command instructs the infected machines to download and execute a Trojan horse that later installs a group of other malicious executables without the user’s consent. 
Downloaded files that were identified include SENEKA[removed].DLL, Zch[Removed].exe and many others. When inspecting these files, we identified that they can perform the following actions: read email addresses and other details from the infected computer; communicate with other computers using the HTTP protocol; execute a process; inject code into other processes; visit websites without the end-user’s consent; register as a background service on the infected computer; and a few dozen other commands. 
Below is a partial log of the downloaded files: 

joebox.org analysis 
Those were only two examples; below is a screenshot of some others as shown on the management console: 
 
Overall, the cybergang can remotely execute anything it likes on the infected computers. 
The log file on the server disclosed the IP addresses of the infected computers and their names in the network. After running them through our Geo IP database we found the following distribution of the botnet around the world: 

  • US: 45%
  • UK: 6%
  • Canada: 4%
  • Germany: 4%
  • France: 3%
  • Other: 38%

In conclusion, we notice that the volume of infected computers that we identify around the world keeps growing year by year. 
Posted by MCRC


A strike for lucky – LuckySploit Toolkit Exposed

By Anonymous  •  March 18th, 2009  •   Cybercrime Vulnerabilities

In the past three years we have written many times about crimeware toolkits. These toolkits have become the cyber criminals’ tool of choice when conducting crime online. Starting from the moment we spotted the first crimeware toolkit, the WebAttacker, we have seen hundreds of them all over the web, and still do today. 
Blockbuster crimeware toolkits include AdPack, Fiesta and G-Pack. Less popular ones include UniquePack 2.0, Sploit25 2.2, Nuc_Pack and Nuke sploits P4ck, to name just a few. 
In this blog post, we would like to share with you one of the toolkits that we have been tracking for the last six months: LuckySploit. LuckySploit brings code obfuscation to a whole new level of sophistication, far more advanced than all others we have seen so far. 
 
LuckySploit tries to exploit the same vulnerabilities other toolkits are trying to: Adobe Flash and PDF exploits, the IE7 data binding vulnerability, the recent MS09-002, signed applets etc. Its uniqueness lies in the way it hides/obfuscates these exploits to avoid detection by signature and heuristic based security products. 
Code Obfuscation by LuckySploit 
Here’s how it works. First, as we have seen with many other crimeware toolkits, a user visits a compromised website and is redirected (using an IFRAME or other techniques) to a server armed with LuckySploit. All of this is invisible to the user and happens “behind the browser scene”. 
The first malicious LuckySploit page sent to the user’s browser contains moderately obfuscated JavaScript code. The code is created at runtime with random variable and function names. This part is used to construct the “brains” of the toolkit: asymmetric key encryption and decryption. 
From this point on, there is a ‘dialog’ between the victim’s browser and the remote server, in which the browser sends metadata regarding its supported features (running platform, supported applications, installed plug-ins etc.) and receives in return an exploit suitable for those features. The browser’s supported features are sent to the remote server encrypted with the server’s public key, along with a random key generated on the client side. In return, the exploit code is sent encrypted by the server using the client’s key. 
This dynamic technique makes it almost impossible to do an offline (or post-infection) analysis of the toolkit and the served malicious code, since the key used by the client is not available. On every round a new key is generated. Following is a diagram demonstrating the entire process: 
 
We simplified this diagram to make the process easier to understand. The dialog between the client and the server can be longer or shorter depending on the toolkit’s settings, the version of the client browser and the installed plug-ins. 
While the key generated by the browser is a simple symmetric key, the server key is truly asymmetric and uses an RSA-like algorithm. Here’s a screenshot of a malicious server’s private key: 
 
Here are some code snippets of LuckySploit we want to show you. 
First, the obfuscated JS (partial) sent at the beginning of the attack: 

Here is how it looks when de-obfuscated (partial): 
 
Highlighted are two interesting lines of code: 1) the setting of the server’s public key, and 2) the dynamic creation of the result, which leads to the second part of the dialog between the client and the server. 
A new script tag is added to the page; the SRC value of the script tag carries the “next key” generated by the client as GET data. Below is how the server response looks at this stage (partial): 

Please note that it is assumed that the browser already knows “rc4Decrypt” and the key. 
Below you see how it looks when decrypted (partial): 
 
Please notice the generation of the “nextkey”, which contains the browser’s supported features (plug-in versions in this case) and the new SCRIPT tag. 
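The exchange described above, modelled in Python as an added example (this is not LuckySploit’s code and not from the original post): a toy RSA-like server key pair, a fresh per-round RC4 client key sent under the server’s public key, and the analyst step that only succeeds once that client key has been recovered from the captured first-stage script. Key sizes, feature strings and payloads are constructed for the example.

```python
# Added example (not LuckySploit's code): a model of the two-key exchange the post
# describes, written from the analyst's side. The server keeps an RSA-like key pair;
# the browser makes a fresh symmetric key each round and sends it (with its feature
# list) under the server's public key; the server answers RC4-encrypted with that key.
import os

KEY_LEN = 8  # bytes in the per-round client key (a constructed choice)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Toy RSA parameters (far too small for real use); one block per plaintext byte.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def rsa_encrypt_bytes(pub, data: bytes) -> list:
    n, e = pub
    return [pow(b, e, n) for b in data]

def rsa_decrypt_bytes(priv, blocks: list) -> bytes:
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks)

def client_hello(features: str, client_key: bytes) -> list:
    """Browser side: fresh key + feature list, encrypted to the server's public key."""
    return rsa_encrypt_bytes((N, E), client_key + features.encode())

def server_reply(hello_blocks: list, payload_for: dict) -> bytes:
    """Server side: recover the client key, pick a page for the features, RC4 it."""
    plain = rsa_decrypt_bytes((N, D), hello_blocks)
    client_key, features = plain[:KEY_LEN], plain[KEY_LEN:].decode()
    return rc4(client_key, payload_for.get(features, "no-match").encode())

def analyst_decrypt(captured_reply: bytes, recovered_client_key: bytes) -> str:
    """Analyst side: a capture decrypts only with the key pulled from the first-stage script."""
    return rc4(recovered_client_key, captured_reply).decode()

def simulate_round(features: str, client_key: bytes = None):
    """One client/server round; returns the client key and the captured (encrypted) reply."""
    key = client_key if client_key is not None else os.urandom(KEY_LEN)
    reply = server_reply(client_hello(features, key), {"flash=9.0;pdf=8.1": "STAGE2:match"})
    return key, reply

if __name__ == "__main__":
    k, r = simulate_round("flash=9.0;pdf=8.1")
    print("with recovered client key:", analyst_decrypt(r, k))
    print("without it (wrong key)   :", rc4(b"\x00" * KEY_LEN, r))
```

Because the key changes every round, the same captured reply is unreadable with any key but the one the browser generated for that round, which is why the post stresses extracting it from the client-side script.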
Administration 
LuckySploit is accompanied by a very handy administration panel. Below is a screenshot of this panel. 
 
The options “extra silent”, “silent”, etc. differ from one another in the number of round-trips between the client and the server. The more round-trips are involved, the more difficult it is to detect the exploitation and to decrypt the messages. The cost is a higher load (CPU time and traffic) on the malicious server. 
LuckySploit’s administration panel supports multiple campaigns/users. This is achieved by special parameters giving each campaign control over the evasion level, the downloaded executable, the exploits used, the stats collected etc. 
 
Finally, let’s have a look at the LuckySploit’s administration dashboard: 
 
Just look at the 20% infection rate: alarming! 
This toolkit is a great example of the sophistication, time and effort that toolkit makers are investing to make their “Swiss knife” undetectable by security products. The reason they invest so much in this is clear: they make money out of it, and money is what drives the cybercriminals. 
Posted by Moshe Basanchig & Daniel Chechik


Crimeware server and the international man of mystery

By Anonymous  •  February 28th, 2008  •   Cybercrime

While conducting research for the latest Malicious Page of the Month we have just released, we tried to track down the origins of the crimeware. 
Obviously, this is a daunting task by itself, and although security researchers are sometimes able to point at specific people as the ones running the criminal activity, it does not always help that much (remember the RBN case, where multiple law enforcement agencies were notified but the people behind the scenes were never arrested or indicted). 
Well then, back to our little server: the domain name hosting the crimeware (Neosploit 2.0.13) was hosted in Hong Kong (see below). 
 
So that does not bring us any closer to who this is, as the address belongs to a hosting company. Fortunately, our research brought in some additional IP addresses. We managed to grab these from the web server just like we uncovered the 8,700 FTP account credentials that the research paper talks about (no exploits or attacks were used to do so; simply thinking outside the box sufficed). 
Tracking these down proved to be a nice tour around the globe (long whois info abbreviated for clarity): 
 

inetnum: 78.109.19.160 – 78.109.19.167
netname: activebill
descr: activebill – Andrey Smirnov

person: Andrey Smirnov
address: 125167, Leningradsky prospekt, 47, Moscow, Russia
remarks: phone: +7 095 795 0295
phone: +7 495 795 0295
remarks: fax-no: +7 095 795 0295
fax-no: +7 495 795 0295
nic-hdl: AS32250-RIPE
e-mail: admie@svetcorp.net
source: RIPE # Filtered

inetnum: 82.146.40.0 – 82.146.47.255
netname: ISPSYSTEM
descr: ISPsystem at MSM
country: RU
admin-c: DS2036-RIPE
tech-c: AB11726-RIPE
status: ASSIGNED PA
mnt-by: ISPSYSTEM-MNT
source: RIPE # Filtered

person: Dmitry Sidorov
address: PoBox 30, 664017, Irkutsk, Russia
phone: +7 495 727 38 79
e-mail: inet@ispserver.com
nic-hdl: DS2036-RIPE
source: RIPE # Filtered

person: Alexandr Brukhanov
address: PoBox30, 664017, Irkutsk, Russia
phone: +7 495 727 38 79
nic-hdl: AB11726-RIPE
source: RIPE # Filtered

inetnum: 85.17.111.0 – 85.17.111.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to “abuse@leaseweb.com” for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
source: RIPE # Filtered

OrgName: Galaxyvisions Inc
OrgID: GALAX-6
Address: 882 3rd avenue 8th floor
City: Brooklyn
StateProv: NY
PostalCode: 11232
Country: US

Putting all these guys on the map results in a very interesting “international man of mystery” cross-continent network of connections: 
 
Obviously we are looking at some eastern-bloc oriented operation, with some access to resources in the Netherlands and the US (either other people, or just computers from which access could have been made). 
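The handle-to-person correlation done by hand above, as an added Python example (not part of the original post): it parses RIPE-style whois objects and reports contacts that appear behind more than one address range. The sample records use placeholder ranges, handles and names constructed for the example, not the records quoted above.

```python
# Added example (not from the original post): parse RIPE-style whois objects and
# correlate address ranges through the contact handles (admin-c / tech-c) they share.
# SAMPLE is constructed with placeholder ranges, handles and names, not the post's records.
SAMPLE = """\
inetnum: 192.0.2.0 - 192.0.2.255
netname: EXAMPLE-NET
country: RU
admin-c: XX1-RIPE
tech-c: XX2-RIPE

person: Example Admin
address: Example City, Russia
nic-hdl: XX1-RIPE

person: Example Tech
address: Example City, Russia
nic-hdl: XX2-RIPE

inetnum: 198.51.100.0 - 198.51.100.255
netname: OTHER-NET
country: NL
admin-c: XX2-RIPE
tech-c: XX2-RIPE
"""

def parse_objects(text):
    """Split whois output into objects (blank-line separated); each is attribute -> [values]."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes the current object
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects

def link_contacts(objects):
    """Map each inetnum range to the person names its admin-c/tech-c handles resolve to."""
    persons = {o["nic-hdl"][0]: o["person"][0] for o in objects if "nic-hdl" in o and "person" in o}
    links = {}
    for o in objects:
        if "inetnum" in o:
            handles = set(o.get("admin-c", []) + o.get("tech-c", []))
            links[o["inetnum"][0]] = {persons[h] for h in handles if h in persons}
    return links

def shared_contacts(links):
    """Persons behind more than one range: the cross-network connections worth a closer look."""
    ranges_by_person = {}
    for rng, names in links.items():
        for name in names:
            ranges_by_person.setdefault(name, set()).add(rng)
    return {n: r for n, r in ranges_by_person.items() if len(r) > 1}

if __name__ == "__main__":
    for name, ranges in shared_contacts(link_contacts(parse_objects(SAMPLE))).items():
        print(name, "->", sorted(ranges))
```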
Now that law enforcement agencies are involved, maybe we will see some developments on the matter, although from the looks of these pins on the map, I expect some really interesting multilingual cop-speak to surface soon… 
Posted by Iftach Amit
