bots « The Day Before Zero

Posts Tagged ‘bots’

The Truth About Two Malware Families Related to Operation Aurora

Thursday, March 4th, 2010

As part of our investigation on The Command Structure of the Aurora Botnet. I took a deep look into two malware families that based on the CnC data we have, is related to Operation Aurora. Both of them fall under the Fake AV / Scareware Family of Malwares. They are Fake AV / Login Software 2009 and Fake Microsoft Antispyware Services.

I will summarize the deployment of these families below. For the full details of the analysis and how they relate to Operation Aurora, please read our full report on The Command Structure of the Aurora Botnet: History Patterns, and Findings.

Fake AV: Login Software 2009 Family

This set of malware is propagated through Fake Malware Alerts. The supposed AV installer is the actual malware dropper. Its main purpose is to drop and install the rest of the malware components. Upon execution of the dropper, it assigns a specific ID to the compromised host. It then registers it to its malware server website and downloads the rest of the malware to the compromised host.

To ensure that the malware is downloaded, the creator of this malware dropper uses redundancy in its malware serving web infrastructure. The dropper checks three different malware serving websites.

After the successful download of the main component, the main dropper generates a random name and copies the downloaded component to “C:\Documents and Settings\<User>\Local Settings” folder. It calls itself Login Software 2009. The dropped file is then executed to make it active in memory. For it to survive reboot, it uses the most common way to autostart by using the registry entry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The rest of the components are also downloaded and executed for them to be active. They are placed in the same folder as the first dropped file. These components are exact copies of themselves with names that is designed to full the unsuspecting users that they are Windows executables or legitimate third party software.

These components are hidden from the user by hiding the folder where they are dropped and also setting the attributes of the dropped files themselves as hidden. To survive reboot, these components also are set to autostart using the same technique as the main dropped file.

A DLL file is also dropped in “C:\Windows\System32” with a random filename. Aside from registering (regsvr32.exe) the dropped DLL file for it to be active, the malware dropper also modifies the registry to set it up as a Browser Helper Object (BHO). It also sets up the DLL to autostart every boot up by using SharedTaskScheduler.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

This paves the way for tracking cookies to be downloaded for ads to be served to the compromised host. Take note that this DLL is not hidden unlike the other components.

After setting up all the dropped files, the main dropper sets the stage to protect the dropped files by manipulating the settings of Windows Explorer and Internet Explorer. See Protection Mechanism section for more details.

Once all of these “malware installation” is done by the main dropper, the main dropper activates a batch file to unload itself in memory and deletes both the dropper and the batch file.

The installed malware set are now all active and is actively attempting to communicate with their CnC.

Figure 1: Memory string dump shows the C&C the EXE component is reaching out to

Fake Microsoft Antispyware Services

This set of malware is also propagated through Fake Malware Alerts. The supposed AV installer is the actual malware dropper. Its main purpose is to drop and install the rest of the malware components. It basically drops and installs three components:

EXE Component – This is the one that poses itself as Microsoft Antispyware Services
VXD Component – It downloads and installs ntconf32.vxd, ntsys32.vxd, msimsg32.vxd
SYS Component – It downloads and installs msconfig32.sys

Once the dropper is executed, it can easily bypass UAC since it is given explicit permission by the user that was made to believe that the installation is an AV product. The first thing the dropper does is to connect to its malware server domain to download its components. Unfortunately, as of this writing, the malware server domains are already down so no detail analysis of the other components were done.

The only component on hand is the EXE component.

But if we base it just on the name of the files it downloads, below are some associations of the files with known malware activity:

VXD Components – These filenames are often related to malware families that have keylogging and spyware behavior. They are also found in some IRC bots.
SYS Component – This is related to the publicly known and notoriously popular Aurora variant tied to the Google attack.

Concentrating the analysis on the EXE component, it disguises itself as Microsoft Antispyware Services. It basically sets itself to run on Startup using the tried and true method of the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Because of the absence of some key files, the main functionalities of this malware family cannot be fully analyzed but they all point to one goal and that is to steal information.

Figure 2. Attempting to connect to Amazon EC2

Figure 3: Memory string dump shows the C&C the EXE component is reaching out to

The Allure of Fake AV Websites.

The bad guys find using Fake AV websites effective and have used it extensively. The prevalence of this vector earned it a separate name: Scareware. What makes this effective is the believability of the Fake AV website. It also appeals to the fear of uneducated users. The bad guys leverage this fear to create a sense of urgency and importance that urges the user to not waste any more time and download and execute the dropper immediately. Aside from unknowingly downloading a malware, the victimized user also is fooled into paying for the Fake AV. Not only will the user be charged for the cost of the Fake AV, there’s a high probability that the user’s credit card information has been captured since the website processing the payment is rogue to begin with.

On the technical side, using this vector saves the bad guys time in finding ways to bypass host protection such as UAC since the user gives the malware dropper explicit permission to execute.

- Christopher Elisan, Senior Research Analyst

Tags: APT, Aurora, Aurora Botnet, botnet, bots, Google APT, Google Attack, Google China, Google Hack, Login Software 2009, Microsoft Antispyware Services, Operation Aurora
Posted in Threat Research | 3 Comments »

The ABC Advantage of Controlling Enterprise Networks

Monday, January 25th, 2010

Control of an enterprise network is a high commodity for botmasters. Aside from the wealth of information that can be stolen, access to corporate hosts can be sold for higher values to other botmasters. This is why enterprises are being targeted more. Let me sum up the advantages of enterprise network infection against home PC infection. I call it the ABC advantage.

Availability – Availability of a bot agent to a botmaster is very important. This means that anytime the botmaster wants to do something with a herd, the numbers are always there. Corporate hosts are usually on all the time, making it more available to the botmaster compared to home PCs.
Bandwidth – Corporate networks have higher bandwidth, which means faster internet connection. This means better communication between C&C and the bot agents and higher reliability when it comes to executing commands and updating itself with new binaries.
Confidentiality – Most of the time, corporate infections are not reported and is just kept within the enterprise. This makes mitigation harder. This is what botmasters like the most. They want to remain invisible, which is why enterprise botnets are less noisy than internet botnets that target home PC’s. If the enterprise is able to discover and mitigate the infection, the details are shared only within a handful of people in the company. This is good for the botmaster since he will just target the next enterprise in his list with the same tactics

- Christopher Elisan – Senior Research Analyst

Tags: ABC Advantage, botherd, botmaster, botnet, bots, corporate infection, enterprise infection
Posted in Threat Research | No Comments »

Zeus Still Zoning in on OWA Users

Monday, January 25th, 2010

After a hard day’s work at the office, we often find ourselves still sitting in front of the computer or our laptop at home checking our corporate e-mail accounts. Some corporate users use Outlook Web Access (OWA) to check their work e-mail.

These are the kind of corporate users that Zeus botmasters are targeting since October of 2009, as first reported by Gary Warner in his blog, where an e-mail posing to be coming from the user’s own domain is alerting the recipient of a security upgrade that must be installed. But even after 3 months, the same tactic is still being used.

Figure 1: Sample OWA Spam

Clicking on the link will open a page urging the corporate user to download an executable to update the user’s mailbox settings.

Figure 2: Webpage urging the user to download an executable file

Of course, the file is a Zeus bot agent, aka Zbot. Since the installation will be user-driven, UAC warnings will simply be ignored by the user.

This shows how Zeus botmasters are targeting enterprise users specifically those with corporate laptops used at home. Once an infected laptop is connected to a corporate network, there is a big possibility that the rest of the systems in the same network will be infected giving the botmaster access to the corporate network. This actually gives the botmaster leverage as he now has control over infected corporate hosts and not just the laptop that was initially compromised. Access to corporate bots are more valuable than infected home PC’s. Aside from the wealth of information that can be stolen, access to corporate hosts can be sold for higher values to other botmasters. See related post on The ABC Advantage of Controlling Enterprise Networks.

This leads us to ask, how did the Zeus Botmaster get a hold of a corporate user’s e-mail address? Below are possible scenarios:

The original e-mail addresses were scraped from a newsgroup or other public list that keeps the e-mail headers. The headers contain a wealth of information that enables the Botmaster to determine whether OWA is applicable.
The Botmaster is able to get a hold of a directory of company employees. Even without the e-mail addresses listed, the Botmaster can guess the e-mail address format through simple trial and error or through social engineering. Some common e-mail address format are <firstname>.<lastname>@company_name.com, <firstname>_<lastname>@company_name.com.
The Botmaster bought it from other spammers.

As for corporate users that used their home PC to access their work e-mail through Outlook Web Access. Their PC still becomes part of the Botmaster’s herd waiting for a command.

- Christopher Elisan, Senior Research Analyst

Tags: bot, botnet, bots, enterprise, OWA, spam mail, Zbot, Zeus
Posted in Threat Research | No Comments »

Shouldn’t we be listening?

Wednesday, September 10th, 2008

I’ve noticed the following trend in network configuration: networks that do not have default routing and DNS resolution to the Internet for internal hosts. While I can somewhat understand this method of network configuration, it does reduce Internet functionality, and without using a proxy of some type, you do not get to the Internet. Does this increase your Internet security posture, or is it blinding you to the real threat that may still exist while also reducing functionality?

My thought is those using this method are saying to the Internet, “La la la, I can’t hear you” all the while the Internet is merrily chatting away. Just because you are not listening, does not mean things are not being done.

It is important to point out that several BotArmies are proxy aware. With today’s mobile workforce, assets are readily leaving the network (doing God knows what), and then reconnecting, and home users/telecommuters are using VPNs to access corporate assets. Given that, shouldn’t we be listening and paying attention?

- Jeff McGough, Damballa VP of Operations

Tags: BotArmies, bots, Damballa, DNS, threat
Posted in Threat Research | No Comments »

The Day Before Zero

Posts Tagged ‘bots’

The ABC Advantage of Controlling Enterprise Networks

Zeus Still Zoning in on OWA Users

Shouldn’t we be listening?

Recent Posts

Categories

Archives

Blogroll