Archive for the ‘Downloader’ Category

« Older Entries

Koobface Continued…

Friday, March 5th, 2010

The Koobface gang’s changing tricks and longevity are noted at a recent USAToday article. They’ve recently upped their activity on a major social networking site and user infections appear to have a quick jump. The current theme has been effective for the past month. A message will arrive in a user’s box from a friend (names purposely removed from image). Note that the gang is no longer using the bit.ly service in their attack links:

Koobface_friendmessage

The link will lead the user to the familiar phony Yuotube “Broadcast Yourself” page with video frame and flash installer prompt “This content requires Adobe Flash Player 10.37. Would you like to install it now?”. The “setup.exe” file from “SquarePants”. When setup.exe is run, this file in turn drops and runs “bill103.exe” or “bill104.exe” and begins its badness. ThreatFire prevents it effectively.

Koobface_spongebob

Past posts on Koobface here.

If you are prompted to install the Flash Player, you can skip the install and go to the vendor’s site directly to download the player’s installer and install it in your web browser. Then browse the page you want to view. For legitimate sites, the content should play.

Posted in Bot, Downloader, Dropper, Koobface, Social Engineering, Uncategorized | 1 Comment »

Cutwail Spamming for Russian Spammers

Monday, February 1st, 2010

Spam continues to clog the internet with providers reporting spam stuffing 80% – 95% of all email content en route. It’s an ongoing problem into 2010, so last week we examined the active spambot Tedroo, some of its suspicious behaviors, one of its anti-debug/antiRE techniques, and its spam delivery. This week we’ll take a look at Cutwail, a long standing and very active downloader/spambot that suggests regardless of various ISP takedowns, the underground market continues to thrive.

In what seems to be fairly unique to Cutwail (also described as Pandex and Pushdo), the initial Cutwail component delivered to a victim’s system is a downloader/dropper, and the spambot code itself doesn’t touch the disk. This scheme is by design. The spambot code appears to exist relatively unchanged over time, while that initial delivery component is re-developed, re-packed and re-distributed in a myriad of ways along with a set of other components. The end goal is to execute the spambot on the system without it touching disk and without maintaining its code in the downloader.

This particular Cutwail downloader connects to these hosts to download the spambot payload and data (domains modified for readability)…

75.126.159 .19:443
89.149.254 .213
89.149.244 .141
94.75.233 .173:443
94.75.233 .171
94.75.233 .172
89.149.244 .23
aaa.oduvanchic .com
aaa.news2days .ru
fireas*eye .com
f*ckbriankrebs .com
antisgetout .cn

It will attempt to connect to one of the above web severs every 20 seconds until a payload is available and downloaded. The sites are actively brought up and down and often do not respond to an infected host, stymieing research progress on the bot. The bot and data payload itself is served up from these hosts as one encrypted stream of data. Once the downloader completes retrieval, the downloader will deobfuscate/decrypt the payload and launch svchost.exe in suspended mode, injecting the payload into that newly spawned process’s memory. After modifying some the loader data structures inside the process via the GetThreadContext/SetThreadContext APIs, the injector redirects execution to the injected code causing the payload to be run instead of the svchost code.

Due to the complicated packing schemes and highly variable injector code, these initial injectors seem more difficult to detect than the relatively consistent spam payload.  Since the payload is injected directly into a real windows process and does not get written to disk, it proves to be quite elusive.

Once injected and run, the spambot code waits a prolonged period of time to begin its spam run. From our lab, after an eye-rollingly long wait, we collected image-based spam sent out to market prices to Russian readers for spam services:

cutwail_spam_snip2

The image advertises a Moscow based phone line for the “Email distributions. Affordable prices – high quality” touted across the top and the left panel. Price ranges are provided for both Moscow and Russia blasts below (we added the price conversions to USD):

Our price list:
——————————————————
Whole Moscow  =  5000 rubles  ($166 USD)
4 distributions in Whole Moscow  =  10000 rubles  ($333 USD)
——————————————————
Whole Russia = 10000 rubles  ($333 USD)
4 distributions in Whole Russia = 20000 rubles  ($666 USD)
——————————————————
Russia+CIS (Commonwealth of Independent States, the territory of the former USSR)  = 15000 rubles  ($500 USD)
4 distributions in Russia+CIS = 30000 rubles  ($1000 USD)
——————————————————
We have:
——————————————————
-The lowest prices on a market.
-The most present day software.
-Regularly updated databases.
-High response from distribution.

Posted in Downloader, Dropper, Evasion technique, Obfuscation, Spam, Trojan, Undetected malware | 1 Comment »

Is Someone Stealing Your Search Queries? Why Might They do That?

Friday, January 22nd, 2010

Banload is a malware name that is typically associated with banking trojan downloaders, but the Banload-detected sample covered in this post is a bit different than the norm.  The MD5 hash for this sample is 707D3477CBBEAD4923B17CE353D9761D. And, just to note, currently click fraud is reported elsewhere to challenge even the biggest, most technologically advanced online advertising companies. Some of the up-and-comers are committed to studying low intensity search abuse schemes as well.

Initially this DLL is loaded with regsvr32.exe, in order to perform an installation.  It installs a GUID in the “Browser Helper Objects” registry key which tells Internet Explorer where to find the DLL on disk.  Next it installs an executable (ctfmon_qj.exe) which will start any time the ctfmon.exe executable is launched.  It does this by inserting a “Debug” registry value in the “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe” registry key.  This causes ctfmon_qj.exe to be launched instead of ctfmon.exe, as it is being treated as the “debugger” for ctfmon.exe.

Ctfmon_qj.exe, when run, launches the actual ctfmon.exe; then proceeds to launches Internet Explorer.  This would guarantee that the browser helper object is loaded as soon as ctfmon.exe executes.  Once loaded, the DLL sits in Internet Explorer waiting for someone to navigate to a URL, such as clicking the “Search” button on google.com.  The destination URL is then scanned by the BHO for live.com, yahoo.com, and google.com.  If one of these domains are found in the URL, it starts looking for the search term, which is usually prefaced with something like, “&q=TERM” in Google’s case, or “&p=TERM” in Yahoo’s. It then harvests these query terms for later use and possibly evasion of click fraud detection algorithms.

After the term is found, a connection is made to takeasearch .com and the Bho sends the search term and a machine identification number, which is derived from your primary hard disk’s serial number.  The information that the takeasearch .com site returns tells the BHO what to do next.  There are several commands that can be returned from the web presence: DL:, GO:, REF: and OK:.

The first code path for the Bho to take depends on the returned data containing “DL: URL”. The BHO will send an Http GET to the URL as specified by the “DL:” command, saving the response to a file in the “C:\Program Files” directory, naming it “KB%i.exe”. The %i represents a random number generated by the rand() function.  The downloaded file is then executed via the ShellExecute() API.

If the response contains “GO: “, followed by a URL, the browser will be redirected to that URL.  There is also a timer that runs within Internet Explorer that will control the malware’s launch of a new instance of IE. This instance of  Internet Explorer is launched with a hidden window, so the browser runs on the system without the user’s consent or knowledge. The hidden browser will periodically connect to searchaccelerator .net with the machine identification token. As witnessed with the takeasearch .com result, if a “GO: ” response is provided to the hidden browser, it will be sent to several addresses that redirect the browser to its final destination. This final destination page is covered with ads that reportedly are “pay per impression” with revenues split between affiliates.

Here’s a sample conversation from the “hidden” Internet Explorer window. It is full of redirection:

1) GET http ://searchaccelerator .net/qi3.php?YBNz(shortened)
SERVER HTTP RESPONSE:
REF:http ://totalfinder .info/ search.php?q=Insurance%20recovery%20cars|GO:http ://totalfinder. info/clicks?719578181|DST:comparedby.us1234|RVER:80|TIMW:8|

We can see that the response contains several pieces of information, delimited by the vertial-pipe character. All of this information specifies the queries that the malware running on the user’s system is to carry out. The REF field tells the BHO to set the “Referrer: ” http header to the specified URL when sending a GET to the target URL, specified by the GO field.  The DST field is the browser’s final destination.

2) GET http ://totalfinder .info/ clicks?719578181
SERVER HTTP RESPONSE:
HTTP/1.1 302 Found
Server: Apache/1.3.41 (Unix) PHP/5.2.9
Location: http: //totalfinder .info/ search.php?q=Insurance%20recovery%20cars&sess=719578181

We can see in the response that the web server at totalfinder .info has redirected the browser via the “302/Found” HTTP response code to the next url. This subsequent url is also on the totalfinder .info domain, but this time, we observe high value search terms present in the URL itself: “Insurance recovery cars”. The redirection contains additional information, in our labs, we observed that these queries were most likely harvested from other infected systems, in an effort to randomize the redirected query terms.

3) http ://totalfinder .info/search.php?q=Insurance%20recovery%20cars&sess=719578181
SERVER HTTP RESPONSE:
<html><body><form name=”formrfgz” action=”http://68.169.70. 144/ go.php” method=”GET” target=”_top”><input type=”hidden” name=”c” value=”—truncated for brevity—”></form><script language=”JavaScript”>formrfgz.submit();</script></body></html>

On the third leg of redirections, we can see the that we actually load a regular web page with some html and a javascript.  On this page there is a form, with an action attribute that contains a URL to which the formrfgz.submit() function will tell the direct the browser to fetch this url.

4) http://68.169.70. 144/ go.php?c=truncated-for-brevity-again
SERVER HTTP RESPONSE:

HTTP/1.1 302 Moved Temporarily
Server: nginx
Content-Type: text/html
Location: http ://3151.90539.discover-facts .com/jump1/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars&sid=TRUNCATED&a=zh5&mr=1&rc=0

Again, we see another 302 status redirect to a different URL.

5) GET http ://3151.90539.discover-facts .com/jump1/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars&sid=TRUNCATED&a=zh5&mr=1&rc=0
SERVER HTTP RESPONSE:

<script language=”javascript”>
function v3clicktoit ()
{
document.clickit.submit();
}
</script>

<body bgcolor=”#FFFFFF” OnLoad=”Javascript:v3clicktoit()”>
<form name=”clickit” method=”POST” action=”/jump2/?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars”>
<input type=”hidden” name=”kw” value=”insurance recovery cars”>

The fifth redirect loads a regular webpage as was seen in redirect 3, and it uses the same submit() javascript function to direct the browser to “POST” the form, to the next URL.

6) http://3151.90539.discover-facts .com/jump2/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars
SERVER HTTP RESPONSE:
<frame name=’target’ src=”http ://r.looksmart .com/og/ ad=725195471;ag=732989664;kw=930857280;qt=insurance%20recovery%20cars;ip=127.0.0.1;geo=0;vid=0;rm=|http ://www.comparedby .us/ lander.aspx?pmkeyword=insurance%20recovery%20cars&referrer=looksmart-a&camp=Moxy+H+RON&group=Moxy+H+RON&keyword=insurance%20recovery%20cars”>

As we near completion of our redirects, we can see a frame on this page, which loads the ‘target’ url which is on the r.looksmart .com domain.  It contains many parameters in the URL, which was shortened a bit, but still shows some of the interesting pieces of information being passed along.  From what we’ve seen thus far, we can speculate that there is an advertisement id, advertisement group, keyword id, query term, the computers external IP address, geological location id, and a the destination URL.

7) http ://r.looksmart .com/og/ …
RESPONSE:
HTTP/1.1 302 Found
Location: http ://www.comparedby .us/ lander.aspx?pmkeyword=insurance%20recovery%20cars&referrer=looksmart-a

After this last “Found” redirect, we arrive out our destination. Here is a list of final destinations for the Bho and hidden IE process, and matching query terms returned by the servers:

iaf .net — injury lawyer
yb .com — maricopa employment
theyellowpages .com — car insurance quotes
comparedby .us — sewing material
theyellowpages .com — fish window cleaning
comparedby .us — memory tattoos
glimpse .com — QUEST SECURITY
allthebrands .com — sowing machine
yellowpages.lycos .com — teleflora
hotjobs .com — lyrics to anberlin unwinding cable car
hotjobs .com — mortgage companys in brownsville
theproductdepot .net — where does ivy tech culinary arts program rank
healthline .com — commercial locksmiths contra costa
yellowbook .com — will st johns wort stop pantic attacks
freepornvideos .com — anniversary party
hilcoind .com — scoliosis
longmontflorist .com — hall funeral home
milehigh-harley .com — www rentals
comparedby .us — advanced driver improvement

In all search queries above, the common points of redirect are 206.161.121. 110, 68.169.70. 144, local-search-pages .com, discover-facts .com, find-dozens .com.  Not coincidentally, all of the domains hide behind the same privacy registration service, making whois registration information unavailable.

In some instances, the search query is handed off to pay-per-click advertising sites and in others it passes the search directly to a site with an affiliate-id. It’s a complicated trail to follow, considering all of the redirections and affiliates, but the end result is artificially generated traffic to ad-serving sites. And stealing real search queries, misspellings and all, help to create data that best replicates input from a real online “consumer”.

Posted in Adware, Bot, Click Fraud, Crimeware, Downloader, Dropper | 4 Comments »

« Older Entries