Archive for the 'Botnet' Category
New malware tactics: locking botnet agents
It will not surprise you that malware authors are using new techniques to make it harder for us researchers to analyze the malware they create. In this ongoing battle they have adopted a technique already well known from commercial software vendors, but now apply it to their malware.
How does it work:
- When a user is infected by the first malware dropper, it unpacks all of its tools and then hides the malicious payload components. After cleaning up, it finally starts the actual botnet agent.
- Once the agent is started, it checks for an Internet connection. After this check has passed it does a quick system check of the computer, e.g. MAC address, CPU ID, OS, etc.
- The agent then connects for the first time to the Command and Control server of the botnet. It registers the victim’s computer and sends through the unique system data it gathered.
- The Command and Control server sends a response to the victim’s computer: a new, custom-made agent based on the unique system data. The old agent is removed and the new, ‘locked’ agent is installed. This agent is unique to this particular victim and will not run on any other computer.
- The ‘new’ agent connects to a different Command and Control server of the botnet, and the victim’s computer is fully under the control of the botnet crew.
Botnet and malware authors use this technique to hide their samples from anti-virus vendors. A generic signature for this kind of malware will not work, and a solution will not be easy: the anti-virus vendors must redesign the techniques they currently rely on for sample analysis and signature generation.
Analysis of a Torpig botnet takeover
Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet and study its operations for a period of ten days.
Read the full paper:
http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
Bredolab revealed
Trend Micro’s Senior Threat Researcher David Sancho has written a great in-depth analysis of this new threat.
Read it here:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/bredolab_final.pdf
Fragus botnet update
In an earlier posting I already mentioned this new version of crimeware (link). Doing some research on the spread of this botnet, I’ve seen an increase in the number of Command & Control servers hosting the ‘admin panel’. In the last five days I have already discovered a total of 17 servers hosted in the Netherlands, Germany and Russia. So even in cybercrime the recession seems to be gone!
Fragus – crimeware in the wild
To control and administer botnets, a lot of frameworks have been developed to simplify these tasks. In a posting on an underground forum, a new framework called Fragus v1.0 was announced.
Login screen:

Fragus, built with PHP, has a nice and shiny interface that supports English and Russian. Statistics can be viewed on the browsers, operating systems and countries of the zombies. During the investigation some hosts running Windows 7 were found to be infected.
Some of the features of Fragus:
# Exploits imaging of high quality, with the possibility of checking with the help of AJAX whether the current exploit infects or not before loading the next one.
# Possibility to edit the host on the necessary URL after it is done allows you not to lose used traffic, and to utilize it pro domo sua.
# Complete modularity of exploits in the system. Your coder will be able to add them easily.
# Zero-written cryptor of exploits doesn’t overload the browser, but nevertheless protects the exploit pack safely from antiviruses.
# Cryptor lies in a separate file and if you want you can easily add your own cryptor.
# Patterns of pages on exploits imaging, with the page for those who visit twice, lie separately, disguised as a 404 error.
# Fragus hides from search bots, which disables domain detection.
# Fragus is highly optimized for operating with massive traffic flows and minimum load on the server.
Using the modular exploit system is a piece of cake: new exploits can easily be added and crypted to prevent detection by anti-virus vendors.
Examples of malware in Fragus:
Exploits:
* Mdac
* PDF: printf(), collectEmailInfo(), getIcon().
* MS DirectShow, large break increment
* MS09-002 – for IE7
* MS Spreadsheet, rather new exploit
* AOL IWinAmp
* MS Snapshot
* MS COM finish IE6
Example:

The basic pricing for this package is 800 USD; some extra features can be purchased, e.g. the Zero-written cryptor for an extra 150 USD.
Ilomo / Clampi botnet
Trend Micro has posted a great whitepaper analysing the botnet network called ‘Ilomo / Clampi’.
Ilomo has also been active for several years now, and like Pushdo it has done so without attracting too much unwanted attention from the security industry. Like Pushdo, the Ilomo threat is quite modular in nature, which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries.
Their paper can be viewed from:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf