Aurora « The Day Before Zero

Posts Tagged ‘Aurora’

Why Didn’t The Aurora Botnet Operators Use DIY Malware Kits?

Thursday, March 11th, 2010

Does anyone really believe that the botnet operators behind the Aurora attacks chose to use the most basic and amateurish malware they had on hand because they didn’t need anything more advanced? That sounds about as silly as a bank robber choosing to leave his gun at home in favor of taking an 18 inch wooden baton along because he hears that the guards are only armed with 16 inch batons.

But, nevertheless, you’ve got to wonder why the botnet operators in question ended up using such unsophisticated and dated malware tools – especially when much more advanced tools are easily accessible. The output from any number of commercial malware creator kits (e.g. Zeus, Butterfly, SpyEye, Turkojan, etc.) are more sophisticated and capable than Trojan.Hydraq – and those are what I’d term “average” tools for a learner botnet operator. Compared to something like Conficker.C, Trojan.Hydraq had only recently stepped out of the primordial soup – and Conficker.C is over a year old already.

Then of course there’s the question as to why the malware didn’t employ any kind of armoring (e.g. packers, cryptors, anti-VM, anti-debugger, etc.). It’s not as if you have to go far to find or obtain them. Nor could you be blind to their existence – since practically every hacker site in existence contains extensive references to them (and guides on their use).

I’ve also heard a few people say that the botnet operators were so smart that they may have created the malware to look like it was developed by a bunch of amateurs. It’s all beginning to sound like a conspiracy theory – next we’ll hear that aliens have landed and are subtlety infiltrating online businesses as they proceed with their plan for world domination…

What we do know is that the botnet operators were running multiple botnet building campaigns simultaneously, and employing a number of different delivery techniques that targeted a bunch of similar businesses. The campaigns they ran made use of different families of malware and were slowly evolving in sophistication (but not by much) by the time they made the news in mid-January. It also appears that the various malware families were developed by different authors.

One question I’ve got to ask though is “Why didn’t they just use a DIY kit?” Malware generated using one of the kits would have offered greater functionality, armoring, and would generally have had less likelihood of detection. Some possible reasons for not using a DIY kit:

They didn’t trust the kits that are out there. Many of the free and pirated kits are backdoored – meaning that any malware created from them have hidden CnC’s built in, and report back to the kit author/pirate.
Just about every kit I tend to come across is menu driven and relies upon English, Portuguese or Spanish (sometimes Catalan) to use properly. Perhaps the botnet operators couldn’t find a kit that supported their language preference and they couldn’t understand them? (sounds like a market opportunity for some would-be DIY kit author)
The malware authors may have wanted to “learn on the job” and treated the whole thing as a learning experience. As crazy as it seems, this is a popular experiment amongst the newbie hackers and computer science undergrads.
Perhaps the malware authors have led a sheltered life and naively thought they could do it better than the professionals.

Regardless, the botnet operators did what they did and they were successful enough with it. I think they were a little lucky in their attacks and I’m a little surprised they managed to run their campaigns for as long as they did. That said though, it’s a valuable lesson for big businesses out there; if a bunch of amateurs can reap this much havoc with outdated unsophisticated tools and a pinch of luck, how easily do you think an experienced criminal crew can break their defenses?

– Gunter Ollmann, VP Research

Tags: Aurora, botnets
Posted in Threat Research | No Comments »

The Truth About Two Malware Families Related to Operation Aurora

Thursday, March 4th, 2010

As part of our investigation on The Command Structure of the Aurora Botnet. I took a deep look into two malware families that based on the CnC data we have, is related to Operation Aurora. Both of them fall under the Fake AV / Scareware Family of Malwares. They are Fake AV / Login Software 2009 and Fake Microsoft Antispyware Services.

I will summarize the deployment of these families below. For the full details of the analysis and how they relate to Operation Aurora, please read our full report on The Command Structure of the Aurora Botnet: History Patterns, and Findings.

Fake AV: Login Software 2009 Family

This set of malware is propagated through Fake Malware Alerts. The supposed AV installer is the actual malware dropper. Its main purpose is to drop and install the rest of the malware components. Upon execution of the dropper, it assigns a specific ID to the compromised host. It then registers it to its malware server website and downloads the rest of the malware to the compromised host.

To ensure that the malware is downloaded, the creator of this malware dropper uses redundancy in its malware serving web infrastructure. The dropper checks three different malware serving websites.

After the successful download of the main component, the main dropper generates a random name and copies the downloaded component to “C:\Documents and Settings\<User>\Local Settings” folder. It calls itself Login Software 2009. The dropped file is then executed to make it active in memory. For it to survive reboot, it uses the most common way to autostart by using the registry entry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The rest of the components are also downloaded and executed for them to be active. They are placed in the same folder as the first dropped file. These components are exact copies of themselves with names that is designed to full the unsuspecting users that they are Windows executables or legitimate third party software.

These components are hidden from the user by hiding the folder where they are dropped and also setting the attributes of the dropped files themselves as hidden. To survive reboot, these components also are set to autostart using the same technique as the main dropped file.

A DLL file is also dropped in “C:\Windows\System32” with a random filename. Aside from registering (regsvr32.exe) the dropped DLL file for it to be active, the malware dropper also modifies the registry to set it up as a Browser Helper Object (BHO). It also sets up the DLL to autostart every boot up by using SharedTaskScheduler.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

This paves the way for tracking cookies to be downloaded for ads to be served to the compromised host. Take note that this DLL is not hidden unlike the other components.

After setting up all the dropped files, the main dropper sets the stage to protect the dropped files by manipulating the settings of Windows Explorer and Internet Explorer. See Protection Mechanism section for more details.

Once all of these “malware installation” is done by the main dropper, the main dropper activates a batch file to unload itself in memory and deletes both the dropper and the batch file.

The installed malware set are now all active and is actively attempting to communicate with their CnC.

Figure 1: Memory string dump shows the C&C the EXE component is reaching out to

Fake Microsoft Antispyware Services

This set of malware is also propagated through Fake Malware Alerts. The supposed AV installer is the actual malware dropper. Its main purpose is to drop and install the rest of the malware components. It basically drops and installs three components:

EXE Component – This is the one that poses itself as Microsoft Antispyware Services
VXD Component – It downloads and installs ntconf32.vxd, ntsys32.vxd, msimsg32.vxd
SYS Component – It downloads and installs msconfig32.sys

Once the dropper is executed, it can easily bypass UAC since it is given explicit permission by the user that was made to believe that the installation is an AV product. The first thing the dropper does is to connect to its malware server domain to download its components. Unfortunately, as of this writing, the malware server domains are already down so no detail analysis of the other components were done.

The only component on hand is the EXE component.

But if we base it just on the name of the files it downloads, below are some associations of the files with known malware activity:

VXD Components – These filenames are often related to malware families that have keylogging and spyware behavior. They are also found in some IRC bots.
SYS Component – This is related to the publicly known and notoriously popular Aurora variant tied to the Google attack.

Concentrating the analysis on the EXE component, it disguises itself as Microsoft Antispyware Services. It basically sets itself to run on Startup using the tried and true method of the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Because of the absence of some key files, the main functionalities of this malware family cannot be fully analyzed but they all point to one goal and that is to steal information.

Figure 2. Attempting to connect to Amazon EC2

Figure 3: Memory string dump shows the C&C the EXE component is reaching out to

The Allure of Fake AV Websites.

The bad guys find using Fake AV websites effective and have used it extensively. The prevalence of this vector earned it a separate name: Scareware. What makes this effective is the believability of the Fake AV website. It also appeals to the fear of uneducated users. The bad guys leverage this fear to create a sense of urgency and importance that urges the user to not waste any more time and download and execute the dropper immediately. Aside from unknowingly downloading a malware, the victimized user also is fooled into paying for the Fake AV. Not only will the user be charged for the cost of the Fake AV, there’s a high probability that the user’s credit card information has been captured since the website processing the payment is rogue to begin with.

On the technical side, using this vector saves the bad guys time in finding ways to bypass host protection such as UAC since the user gives the malware dropper explicit permission to execute.

- Christopher Elisan, Senior Research Analyst

Tags: APT, Aurora, Aurora Botnet, botnet, bots, Google APT, Google Attack, Google China, Google Hack, Login Software 2009, Microsoft Antispyware Services, Operation Aurora
Posted in Threat Research | 3 Comments »

The Day Before Zero

Posts Tagged ‘Aurora’

Why Didn’t The Aurora Botnet Operators Use DIY Malware Kits?

Recent Posts

Categories

Archives

Blogroll