BlackEnergy DDoS Bot Analysis

January 17, 2011
BlackEnergy DDoS Bot Analysis, by Jose Nazario, Ph.D. (Arbor Networks), Oct 2007. Source: http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf

Summary: BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike most common bots, this bot does not communicate with the botnet master using IRC. Also, we do not see any exploit activities from this bot, unlike a traditional [...]

Bye, Bye Tequila Botnet

June 10, 2010

Last week, we talked about the Tequila botnet that was targeting Mexican users. Since our last post, there has been one big development—the botnet appears to have been taken down by the owners themselves.

On Thursday (June 3, 2010), the botnet’s controllers sent out new instructions to all of the active bots. One of the effects of this was to stop all of the bots’ phishing attacks, perhaps because our own post exposed all of the proxy servers and redirected hosts used in those attacks.

We were also able to find another botnet developed by the same person behind the Tequila botnet. This particular botnet, which we have called the Mariachi botnet, is not as feature rich as the Tequila botnet. It could be used to mount phishing attacks or to install software onto affected systems, but those appear to have been its main capabilities.

This Monday (June 7), however, both the Mariachi and Tequila botnets went offline after their command-and-control (C&C) servers were taken down. The Mariachi botnet’s C&C server appears to have been taken down by its hosting provider, Bluehost.

Soon afterward, the Tequila botnet’s C&C server went offline as well.

We have not seen any new activity out of either the Mariachi or the Tequila botnet since then although we are continuing to monitor the now-orphaned bots for any new activity.

Once again, we express our thanks to Juan Castro of Trend Micro LAR for all the information he passed on about these botnets.

Post from: TrendLabs | Malware Blog - by Trend Micro

“Tequila Botnet” Targets Mexican Users

June 2, 2010

We recently received a report of a new phishing attack that originated from Mexico. It takes advantage of the controversial news about an allegedly missing four-year-old girl, Paulette Gebara Farah, who was later found dead in her own bedroom. On investigation, we found that this attack came from a Mexican botnet and that it was trying to steal banking/financial-related information from users.

Online banking is widely used in Latin America, and this attack is another example of cybercriminals targeting the online banking community in an effort to extort money and sensitive financial information.

Users who are following the said news may fall prey to this attack by visiting the page http://www.knijo.{BLOCKED}0.net/fotografias-al-desnudo-de-la-mama-de-paulette.htm, which contains an article about Paulette and claims to show nude photos of her mother. When a user accesses this page, a fake dialog box pops up and requests the user to download and install Adobe Flash Player.

Clicking Run leads to the download of the file video-de-la-mama-de-paulette.exe, which is actually the client program of a bot detected by Trend Micro as TSPY_MEXBANK.A.

During our investigation, we were able to access the botnet’s command-and-control (C&C) interface and to learn about its management functions. We were able to enter the management interface and to see for ourselves the complete capabilities of this new botnet.

The bot menu shows the total number of zombies and a list of the compromised computers. The list of zombies displays the ID number, name of the client, and the action executed on a bot. It has options to disable or enable a bot, to start netcat (a powerful networking utility that can be used as a backdoor) on a bot, and to remove the bot from the botnet.

This newly discovered botnet has a fairly comprehensive feature set that can be compared with other older, more established botnet families. Each feature is placed in its own “module,” which the botnet herder can configure one by one.

It should be no surprise that a pharming module is part and parcel of its available features. As can be seen in the screenshot of the phishing module, this particular botnet targets Mexican users, particularly PayPal’s local site and the largest bank in the country, Bancomer.

Aside from this, the Tequila botnet can also download files from various malicious URLs, either via HTTP or FTP. Both ZBOT info stealers as well as FAKEAV malware have been spotted being dropped by this new family.

However, consumers are not the only ones the cybercriminals behind this botnet are ripping off: the AdSense module allows a site to be repeatedly loaded along with that site’s advertisements. In effect, cybercriminals use this to raise the traffic to their own sites, increasing the payments made by advertising networks such as Google’s AdSense.

In addition to being found on malicious websites, the Tequila botnet can also arrive via USB devices as well as via MSN Messenger. It sends messages that either contain the file itself (as an attachment of sorts) or links that go to copies of the malware.

The location of the C&C server appears to be no longer available, in effect taking this particular botnet down. However, if the developer starts a new campaign and distributes new files, the number of bots may increase again, thus encouraging the developer to create new modules for the botnet in the future.

Hat tip to Juan Castro of Trend Micro LAR for initially bringing this botnet to light.

SASFIS Malware Uses a New Trick

May 31, 2010

Early this year, the SASFIS Trojan became notorious in relation to spoofed email messages supposedly from Facebook. SASFIS infections usually result in tons of other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from ZeuS and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.

TrendLabsSM engineer Shih-Hao Weng came across a new SASFIS variant that uses the right-to-left override (RLO) technique, which was more commonly associated with spamming in the past, but has now become a new social engineering tactic.

This SASFIS Trojan arrives via a spammed message with a .RAR file attachment, which contains an .XLS file. Upon extraction to the desktop, the supposed .XLS file looks like an authentic MS Excel document. In reality, however, the file is a screensaver detected by Trend Micro as TROJ_SASFIS.HBC. This Trojan drops BKDR_SASFIS.AC, which allows threads to be injected into the normal svchost.exe process.

While the file may appear at first to be an Excel worksheet, it possesses a Win32 binary header, which only executable files have. Its real file name (minus the Chinese characters) is phone&mail).[U+202e]slx.scr, wherein U+202e is the Unicode control character that tells the system to render succeeding characters from right to left. Thus, to the user, the file will appear to be named phone&mail).xls.scr. This could lead them to believe that the file is indeed an Excel file and thus “safe” to open, when in reality it is an executable .SCR file.

This technique also uses other file names for the same purpose, such as BACKS[U+202e]FWS.BAT and I-LOVE-YOU-XOX[U+202e]TXT.EXE, which are rendered as BACKSTAB.SWF and I-LOVE-YOU-XOXEXE.TXT instead. In the former case, a batch file is disguised as an Adobe Flash file; in the latter, an executable file is disguised as a text file.
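The following is an added example (not code from the TrendLabs post) that models the right-to-left override trick described above and shows the check a mail gateway or file scanner can make: compute how the name will be displayed, compute the extension the OS actually honours, and flag any mismatch. It assumes the simplified rendering that every character after the override is displayed in reverse order, which is all the ASCII names in the post need.

```python
# Added example, not code from the TrendLabs post: models how a U+202E
# RIGHT-TO-LEFT OVERRIDE changes the displayed file name and recovers the
# extension the OS will actually honour. Simplification (assumption): every
# character after the override is shown in reverse order, which holds for the
# plain ASCII names in the post; full Unicode bidi (UAX #9) is more involved.
import os

RLO = "\u202e"
# Bidi embedding/override/isolate controls that have no business in a file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def apparent_name(name: str) -> str:
    """Name as a naive bidi renderer shows it: text after the RLO reversed."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def real_extension(name: str) -> str:
    """Extension the OS uses: taken from the raw string with controls stripped."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lower()


def analyze(name: str) -> dict:
    """Flag a name whose displayed extension differs from its real one."""
    shown = apparent_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    real_ext = real_extension(name)
    has_control = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "displayed": shown,
        "displayed_ext": shown_ext,
        "real_ext": real_ext,
        "has_bidi_control": has_control,
        "suspicious": has_control and shown_ext != real_ext,
    }


if __name__ == "__main__":
    # Names from the post, written with the actual control character.
    for sample in ("BACKS\u202eFWS.BAT", "I-LOVE-YOU-XOX\u202eTXT.EXE", "report.xls"):
        info = analyze(sample)
        print(f"{info['displayed']!r:32} real ext {info['real_ext']:6} "
              f"suspicious={info['suspicious']}")
```

The same check generalises to any attachment name: a bidi control character in a file name is by itself worth quarantining, since no legitimate document needs one.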

Users can, however, prevent this attack from affecting their systems by employing the usual best practices—not opening suspicious-looking email messages and not downloading and executing attachments.

Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching their inboxes via the email reputation service. Trend Micro products also detect and delete the malicious files TROJ_SASFIS.HBC and BKDR_SASFIS.AC from affected systems via the file reputation service.

Update as of June 2, 2010, 12:30 a.m. (GMT – 7:00)

In related news, JPCERT/CC has issued an alert warning users in Japan that spam messages with a malicious attachment are now using this very tactic. (A translation of the alert into English can be found here.) Trend Micro detects this malicious attachment as TROJ_UNDEF.QC.

The Evolution of KOOBFACE: A Web 2.0 Botnet

May 25, 2010

The KOOBFACE botnet continuously evolves to keep on generating profit for its perpetrators. The fact that the botnet is still alive shows that the cybercriminals behind it are making a fortune off it.

In our effort to conduct research on and to monitor the latest developments made to the KOOBFACE botnet, we have noticed several changes in the way it operates. Some of the major changes the botnet has undergone from when we started unmasking it include the following:

  1. Using proxy command-and-control (C&C) servers
  2. Encrypting the gang members’ C&C communications
  3. Banning IP addresses from repeatedly accessing KOOBFACE-controlled sites
  4. Introducing new binary components
  5. Employing several layers of binary protection with the use of more complex packers

These changes pose a greater challenge to security researchers in reverse-engineering existing KOOBFACE binaries and in monitoring the gang members’ C&C communications. Though the changes the gang has made to their botnet have made it interesting, someone has to put a stop to their malicious schemes and put the perpetrators where they belong—behind bars.

For more information on the most recent developments on the KOOBFACE botnet based on our latest findings, read “Web 2.0 Botnet Evolution: KOOBFACE Revisited.” You may also find the following papers a good read to learn more about one of the most notorious botnets in existence today—KOOBFACE:

Your Tweet Is My Command

May 14, 2010

A Twitter bot builder is currently being freely distributed on the Internet with the capability to attack users’ systems and to have some fun at the same time. It may, however, act as a threat when an attacker uses the tool to start a distributed denial-of-service attack (DDoS) on critical systems and to download malicious files.

The program is used to build an executable file that connects to Twitter.com and executes commands based on a user’s Tweets. The attacker can send the file as an email attachment or send instant messages with links to copies of it, to trick victims into downloading and executing the file.

The bot builder comprises two files—TwitterNet Builder.exe and Stub.exe. TwitterNet Builder.exe is the interface for the builder, which requires a user to input a Twitter user name to follow and click the “Build” button. Stub.exe is the base file to which the builder will integrate the Twitter user name entered.

The builder will generate the bot server TwitterNet Builder.exe from Stub.exe, which the user may send to a target victim:

Once the server runs on a system, it will regularly connect to the target Twitter page to read the Tweets the attacker posted. The executable file is capable of downloading and executing a file from the Internet. It can start a DDoS attack via User Datagram Protocol (UDP). It also opens a Web page, uses the Windows Text-to-Speech application, stops all bot-related activities, and removes connecting bots.

However, for the botnet to work, the attacking profile must be a public one so that the bot server can read its Tweets. Because the profile is public, attackers can easily be tracked by security staff and administrators by simply searching for any of the commands it used.

Though the bot server has neither propagation nor autostart capabilities, an attacker can still manually install it onto a system or trick a user into executing the file. Users should therefore be careful when opening attachments and when executing files from unknown sources.

The bot builder TwitterNet Builder.exe is detected by Trend Micro as TROJ_TWEBOT.BLD while Stub.exe and the generated bot servers TwitterNet.exe are detected as TROJ_TWEBOT.STB.

Trend Micro™ Smart Protection Network™ already protects product users from this threat by preventing the download and execution of all the related malicious files—TROJ_TWEBOT.BLD and TROJ_TWEBOT.STB—onto affected systems via the file reputation service.

Hat tip to Chris Boyd for first writing about this Twitter botnet creator here.

ZeuS/ZBOT Tries Out File Infection

April 27, 2010


ZeuS/ZBOT is best known for its information-stealing routines via the use of configuration files downloaded from their home sites. They are created using toolkits that allow remote control of the malware. Getting them to infect target systems is the tricky part. Cybercriminals have thus tried utilizing drive-by downloads, spammed messages, worm propagation, and many more ways. This time, they are trying out file infection.

The malware detected by Trend Micro as PE_ZBOT.A injects code into target files and modifies their entry points to redirect to its code. This allows the malware to run its code whenever an infected file is executed. It then attempts to connect to the remote sites from which it downloads and executes malicious files that allow it to steal information from an affected system. The downloaded files are detected as TROJ_KRAP.SMDA and TSPY_ZBOT.SMAP. Once it completes its routine, it returns control of the affected system to its host file.

This only shows that cybercriminals are continuously finding new ways to make sure they do not go out of business. The best way to protect one’s system is to be aware of the many techniques cybercriminals use and to keep security solutions and other pertinent applications patched and up-to-date.

At a Glance: New ZeuS Variants

April 27, 2010

The ZeuS/ZBOT botnet has been entrenched in the cybercrime business for a long time now and has continuously evolved and improved. Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses continue to thwart both antivirus and other security solutions as well as the efforts made by the security industry.

This time, the malware upholds its notorious reputation with a new version related to previous detections TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ.

ZBOT variants steal account credentials when users visit various social networking, online shopping, and bank-related websites. They have rapidly become popular tools for cybercriminals to use, thanks to exceptional information-stealing routines and rootkit capabilities, which allows them to stay stealthy and to affect users’ systems without their knowledge.

Current ZBOT variants use fixed file names (both for their executable and component files). The file names may vary from one ZBOT version to another, but they are recognized by security analysts.

This is not the case for the new ZBOT variants seen above. Instead of using prespecified names, both TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ use random names for the files and directories they create. In addition, ZBOT now injects its code into the Explorer process, something that previous variants did not do. Both of these attempts by cybercriminals to lessen the profile of ZBOT are in response to the malware family’s notoriety, which has meant that ZBOT malware is now becoming somewhat easier to detect.

The under-the-hood changes to the ZBOT variants are, if anything, more significant. These new ZBOT variants inject themselves into the following processes:

  • ctfmon.exe
  • explorer.exe
  • rdpclip.exe
  • taskeng.exe
  • taskhost.exe
  • wscntfy.exe

From this list, we can see that the new ZBOT version now “features” support for both Windows Vista and Windows 7. Taskeng.exe and Taskhost.exe are processes found in both Windows Vista and Windows 7, though neither is found in older versions such as Windows XP. (In previous ZBOT versions, Windows Vista and Windows 7 support was purchased as a separate add-on.)

The changes in file names used and the start of providing official support for Windows Vista and Windows 7 highlight the fact that ZBOT developers are keeping track of developments and are adjusting their tactics accordingly. For now, older ZBOT variants will represent the bulk of infection threats. However, it will not take long for new variants to become more widespread.

Trend Micro™ Smart Protection Network™ already protects product users from ZeuS-related attacks of this kind by detecting and preventing the malicious files from being executed on systems. Below you can find the number of attacks that the Smart Protection Network has prevented these past few months.

Update as of April 27, 2010, 6:18 p.m. (GMT +8:00):

Some ZBOT variants can modify target Web pages in such a way that they ask users to provide additional information that legitimate sites do not. Previously, this was only done in Internet Explorer (IE). However, data captured from new ZBOT variants now show that this behavior is also done on Mozilla Firefox.

KOOBFACE IP Taken Down, Gang Transfers Hosting to China

April 22, 2010

The KOOBFACE FTP grabber component, which is a variant of the LDPINCH Trojan family, usually drops stolen FTP user names and passwords to a remote server controlled by the KOOBFACE gang. This remote server, located in Hong Kong, was taken down last week, thanks largely to the efforts of the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT). However, the KOOBFACE gang was quick to move their server to another hosting company located in China.

The FTP grabber sends stolen credentials to the remote server using the word “malware” as the User-Agent and an HTTP POST request to the URL http://{BLOCKED}find.com/adm/index.php.

The admin page is located in the /adm/admin.php directory.
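As an added example (not code from the TrendLabs post), the beacon described above is distinctive enough to catch in proxy or web-server logs: an HTTP POST to /adm/index.php carrying the literal User-Agent string “malware”. The detector below parses Apache combined-format log lines; the sample lines are constructed, and the C&C host name (c2-host.example) is a placeholder since the post redacts the real one.

```python
# Added example, not code from the TrendLabs post: a small detector for the
# KOOBFACE FTP-grabber beacon the post describes, an HTTP POST to /adm/index.php
# sent with the literal User-Agent "malware". Log lines are constructed in
# Apache combined format with a placeholder host (c2-host.example); the real
# host is redacted in the post.
import re
from dataclasses import dataclass
from typing import List, Optional

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    src: str
    ts: str
    url: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[str]:
    """Return a reason string when the record looks like the grabber beacon."""
    ua = rec["ua"].strip().lower()
    path = rec["url"].split("?", 1)[0]
    if ua == "malware":  # strongest signal: the hard-coded User-Agent
        return "user-agent 'malware'"
    if rec["method"] == "POST" and path.endswith("/adm/index.php"):
        return "POST to /adm/index.php"  # weaker: the drop path alone
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Run every line through the parser and classifier, skipping junk lines."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, not fatal
        reason = classify(rec)
        if reason:
            hits.append(Hit(rec["src"], rec["ts"], rec["url"], reason))
    return hits


# Constructed sample log: one beacon, one benign request, one POST to the same
# drop path with a browser User-Agent, and one deliberately malformed line.
SAMPLE_LOG = [
    '10.0.0.7 - - [19/Apr/2010:10:14:03 +0800] "POST http://c2-host.example/adm/index.php HTTP/1.1" 200 17 "-" "malware"',
    '10.0.0.7 - - [19/Apr/2010:10:14:09 +0800] "GET http://www.example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '10.0.0.9 - - [19/Apr/2010:10:15:30 +0800] "POST http://c2-host.example/adm/index.php HTTP/1.1" 200 17 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    'this line is deliberately malformed',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts}  {hit.src}  {hit.reason}  {hit.url}")
```

A source address that triggers either rule is a candidate for an FTP credential reset, since the grabber has already sent whatever it harvested by the time the beacon is logged.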

When a botnet server is taken down, botnet owners tend to avail themselves of bulletproof hosting services or the services of hosting companies that are hard to take down, which not only means business as usual for cybercriminals but also means they are shoring up their “defenses.” In light of these developments, Trend Micro will continuously observe the KOOBFACE family of threats in order to keep our customers protected.

Emerging P2P Trojan Botnet Uncovered

April 15, 2010


News of a new botnet has been circulating recently in the threat landscape. According to reports, several systems have been infected by TROJ_DLOADE.ATJ, which has been built to download and install other malware. The Trojan does not, however, seem to have any distributed denial-of-service (DDoS) capability.

This Trojan may be downloaded when users visit sites under the domain {BLOCKED}m.com or {BLOCKED}n.net. It may also download other malware from the said domain. Once installed, it attempts to connect to the command-and-control (C&C) server using TCP port 8090 to register itself and to wait for commands. It also has the capability to communicate with other bots via some kind of peer-to-peer (P2P) connection over ports 7000–7010. It also connects to specific malicious sites, which are currently inaccessible.

Botnets have been dubbed as the most prevalent and dangerous threats lurking in the Internet, as they can cause severe damage such as information theft and malware infections.

Trend Micro™ Smart Protection Network™ already protects product users from this particular threat by blocking access to malicious sites and domains via the Web reputation service and by preventing the download and execution of TROJ_DLOADE.ATJ and other related malware onto systems via the file reputation service.

Update as of April 15, 2010, 4:40 p.m. (GMT +8:00):

TROJ_DLOADE.ATJ is now detected by Trend Micro as BKDR_HELOAG.SM. It receives specific IP addresses and commands from a host bot.
