ThreatFire Research Blog » Bifrost

Removal Tool? No.

admin — Tue, 24 Jun 2008 00:09:00 +0000

A little detected “tool” is downloading and executing bots. A version of “driveguard.exe”, with promises of cleaning up your system from infections and keeping it clean, is worming its way onto machines and downloading strains of Poison Ivy as “WinSecSys.exe”, a bot capable of stealing screenshots, keystrokes, spreading to other machines, etc. We wrote about these “RAT” tools in previous posts and the characters behind them, some of whom are sentenced to prison terms now. TF detects it as a worm.

British anti-hacktool guidelines

admin — Thu, 03 Jan 2008 14:36:00 +0000

In yesterday’s post, I mentioned that the ChaseNET forums have been shut down. The distribution links for their SharK project, Bifrost and Poison Ivy Rat (Trojan) suites also have been removed. These projects could arguably be described as “Remote Administration Tools”.

Monday, the British legislature published guidelines for the application of a 1990 Computer Misuse Act that makes it illegal to distribute “hacking tools”. A perfect example of tools that this new application might apply to would be the ChaseNET projects. While these RATs could be argued as tools comparable to PCAnywhere or GoToMyPC, they include stealth and information stealing functionality that is designed to evade security solutions for effective system compromise, control and theft of sensitive user data. These sorts of tools certainly fit under the description of “dual-use” tools, and I suppose the British law was developed with the intent to take down this sort of site.

We’ll take a look from a low level technical perspective at some of these RATs’ bad behaviors and provide some details in a later post.

Botnet arrests and indictments around the world from Bot Roast II

admin — Tue, 11 Dec 2007 02:20:00 +0000

Two teen botnet herders that went by the aliases Akill and Digerati were arrested by the fbi and New Zealand authorities.
“The FBI estimates that more than one million computers have been infected and puts the combined economic losses at more than $20 million.”
The arrests are a part of the Fbi’s ongoing ‘Bot Roast II‘.

The arrest and past behavior of the Penn State student Ryan Brett Goldstein that went by the handle “Digerati” also is being discussed on the underground forums where he shared advice and code since around 2000. Rumors surrounding his bot herding and bot update techniques, his activities of accidental university server DoS attacks, and intentional DDoS’ing groups of other underground coders continue to circulate.

Update: Bot Roast II resulted in another guilty plea. This time from Gregory King, indicted at the same time as “Digerati”. His deal includes a two year prison term.

Online games and false positives

admin — Tue, 27 Nov 2007 21:36:00 +0000

Online games have always had the problems of cheats, password stealers and bots. Volumes of information have been written on the topic, including Hoglund and McGraw’s published material. In response, game developers at studios like Blizzard Entertainment and Amped have developed ways to unexpectedly “govern” the software that is running on their users’ systems, and ways to “harden” their software against reverse engineering attempts. For better or worse, these “tools” have turned into somewhat intrusive tools that peek into everything on the system and prevent RE activity using methods similar to those used by malware writers.

Sometimes, these defenses cause problems for the software security industry. You can see here from virustotal signature-based scan results today that our Tantra-playing friends in the Phillipines trying to play “Tantra” might be interrupted by their game’s security software:

These problems cropped up with today’s binaries, and have cropped up in the past. In August, AVG already was detecting the “tantrum.exe” component as a virus with its generic packer detections: Regarding Virus “obfustat.iiy” On Wr Ph, Problem Fixed
The problem, in part, for the av signature-based products seems to be the packer. The packer that Amped is using, Molebox, is polymorphic and provides some difficulties for black, grey and white hat reversers trying to peek into the code behind their tantrum.exe component. Malware writers and distributors in the recent past have used molebox to evade detection and make their creations more difficult to reverse engineer. You might notice that the screenshot above shows that Ikarus detects the component as “Rbot”.

For behavioral-based security products, a problem arises when these components, which have very similar file characteristics to malware that we’ve seen, exhibit behaviors similar to malware. For example, this Tantra game component injects itself into operating system components in the same way as backdoors like Bifrost and other trojans.

For now, it seems that these problems will be ongoing. The game developers need to protect their games the best that they can, and security software products need to be as sensitive as possible.