|
Archive for the ‘Bot’ Category
Thursday, October 8th, 2009
In Wisconsin, they’ve got a great smelt fry on Lake Michigan. In Louisiana, you can find great crayfish boils. But in Los Angeles, the Fbi announced a very different fry — another major international cyberfaud takedown they named Operation Phish Phry. The hundreds of people involved defrauded online banking users with phony banking sites, stealing online user identities and later money with those user names and passwords from thousands of individuals.
We’ve posted previously on projects more closely related to ThreatFire’s anti-bot capabilities, like Operation Bot Roast. Sometimes, phishing web servers hosting fraudulent/spoofed banking web pages are provided by compromised, bot-infested systems, without the knowledge of the system’s user. Either way, this multi-year, multinational Phish Phry takes another facet of cybercrime off the grid.
Posted in Bot, Fbi | No Comments »
Monday, August 10th, 2009
Cutwail (also known as Pandex) malware is not a new family name on the bot scene. However, the Cutwail/Pandex botnet is described as one of the largest and most active botnets currently known. This resilient botnet managed to bounce back after both the McColo ISP and the more recent Pricewert/3FN ISP shutdowns in California, both of which brought down global levels of spam for a short time and cut off the control servers where many bots retrieved their command and control instructions.
To further the botnet’s resilience and spread, the distributors of the malicious executables attempt to re-pack and re-obfuscate the components to evade security file scanners on victim systems. The executable runtime behavior may change across variants just a bit, but the fingerprint and physical makeup changes dramatically. This type of evasion, of course, is ineffective against a behavioral-based solution like ThreatFire. Cutwail is succesfully prevented from running on ThreatFire community user systems on a daily basis.
Some of the latest Cutwail/Pandex variants are themselves delivered in a variety of ways to a user’s system, renamed to reader_s.exe and run (note, other prevalent and current variants are renamed to update.exe). Reader_s.exe drops 0.exe, which drops an ADS or “alternate data stream” to the drive. This sort of location on the drive is tricky for a user to spot, because the svchost.exe:ext.exe stream cannot be seen as a file within an explorer window. This ADS executable code is installed as a system service by the Cutwail dropped executable 0.exe. Then, 0.exe launches and hijacks a svchost.exe process, communicating from it over an encrypted channel to a set of ip addresses. These communications eventually result in the compromised system gathering information to spew enough spam to help generate over 74 billion messages a day from the botnet.
The packing and evasion techniques implemented within these executables changes over time. One of the recent techniques is one that we have seen before in a variety of Fakealert executables in the past — intermixing random mmx instructions into the compiled code itself. These instructions have no functional purpose whatsoever. They simply modify values within the mmx registers arbitrarily. Intermixing the mmx instruction set unexpectedly within functions using the general-purpose intel instructions can cause problems for recognizing Cutwail malcode for emulators, backend automation, and AV scanners themselves — the evasion technique can be effective.
You can see one such function that was modified with mmx “nop” filler:
Protecting your system from becoming a part of the largest, most active botnet on the web requires an effective behavioral based layer like ThreatFire.
Posted in Bot, Dropper, Evasion technique, FakeAlert, Undetected malware | No Comments »
Friday, August 7th, 2009
koob-Face or ter-Twit? The ongoing abuse of twitter feeds by malware distributors continues to net more social networking victims. As always, be wary of any executable you are prompted to download and execute. Currently, evil tweets for “My home video  ” or “cool video! WOW!” redirect to a set of spoofed social network pages. The malicious pages present visiting users with a prompt for a plugin install, “Flash player upgrade required”. An example here:
The malicious Koobace worm that ThreatFire has been preventing on desktops is served up and named “setup.exe” from this site. Interestingly, a number of these ip addresses serving up Koobface have been in use by Waledac distributors.
The ThreatFire community has been reporting the Koobface nastiness being served from multiple web servers today, with fairly heavy Koobface volume from web servers hosted on these ip addresses:
24.99.76.139
68.190.49.24
76.127.120.44
81.108.192.83
91.121.135.189
199.0.205.28
Update: Thankfully, as the malware distributors have changed some of their tweet tactics, their web server at kukuruku-290709. com has been pulled out from under them. Here is an example portion of javascript (mods mine) hosted on redirect pages that examines the victim’s search url, and based on a list of extremely popular social networking sites, redirects them to a variety of spoofed pages:
// KROTEGvar
abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook. com', abc+'fb.php'],
['tagged. com', abc+'tg.php'],
['friendster. com',abc+'fr.php'],
['myspace. com', abc+'ms.php'],
['msplinks. com', abc+'ms.php'],
['myyearbook. com',abc+'yb.php'],
['fubar. com', abc+'fu.php'],
['twitter. com', abc+'tw.php'],
['hi5. com', abc+'hi5.php'],
['bebo. com', abc+'be.php']];
Again, if you are a user of these sites and receive a tweet from someone you don’t know that redirects you to a page that serves up an executable download, be very suspicious. And of course, run a behavioral-based solution like ThreatFire as a layer on your system.
Posted in Bot, Koobface, Social Engineering, Trojan, Worm | No Comments »
|
|
|
|
