The bots produced by the kit were in turn called ”Ntos” and ”Zbot” by major software security vendors. We’ve kept on top of its activity over the past couple of years, describing its distribution as a part of other attacks, drive by attacks, and spam blasts. The ThreatExpert blog maintains posts here and here. ThreatFire is one of the most effective, if not the most effective, products on the market at detecting and preventing the Zbot variants on user systems. It detects them clearly as “Spyware.Zbot”. Because one gang of the bot distributors have been so determined and successful at distributing the malware to high-value targets over the past couple of years, an individual zbot botnet currently made up of a reported 74,000 zbot infected systems is being renamed as the “Kneber Botnet“, based on the username this Zbot variant uses.

We have posted a dozen times about Zbot over the past couple of years, including stats on Zbot-downloading Bredolab variants being run on user’s systems. Locations of the tens of thousands of systems on which users have run Zbot itself over only the past six months vary across globe, but here are a recent top ten from the ThreatFire community.

These Zbot hits are the malware that get through spam filters, mail AV scanners, etc, and Zbot actually was run on the user’s system and then prevented by ThreatFire. It’s also interesting to know that over 70% of ThreatFire users are running another security solution on their system (indicating that ThreatFire is first and only to detect and prevent in a startling number of incidents). ThreatFire protected all of our users that were tricked into running Zbot, and it’s a good thing. The vast majority of these variants were configured to steal banking credentials, in addition to other valuable user data.

Note – the Dns domains registered to “Hilary Kneber” from which the attacking web sites served the zbot spyware (which cleverly must helped in naming the botnet), maintained the Zbot executables as “bot.exe” from a couple of different directories. One would think that this filename may be a giveaway to security monitors. On victim systems where the malware was run, it seems that the file was downloaded and renamed to both “svchost.exe” and random names like “58e.tmp” so as to camoflage its purpose. It predictably then would attempt to copy itself to c:\windows\system32\sdra64.exe.

The Bredolab downloader variant repeats the same exploits to bypass security apps and perform “hook overwrites”. It abuses the same exploits as our previous variant; MS07-017, MS08-025, CVE-2004-2339. These hook overwrites are performed across the dropper threads and all injected threads (within explorer.exe and svchost.exe) with a simple comparison and copy: rep movs dword ptr es:[edi], byte ptr ds:[esi].

After the injection into explorer, the malcode reports its installation and retrieves info at dollardream .ru, dropping a tmp file to disk and running it. Following the connection with dollardream. ru, the new process creates a directory under users\application data\microsoft\windows and the mspdp<number>.dll, making the dll a persistent presence on the system with an AppInit_dlls registry entry. After the dll and reg key have been created, it deletes itself and calls InitiateSystemShutdown, restarting the system.

Because this DLL maintains an entry under the AppInit_DLLs registry key, it reliably will load into each process running on the victim system’s, including all web browser processes. At dll load time within Internet Explorer, for example, it hooks a dozen different windows API prologues. The malicious code is precisely placed to be reliably notified when data important enough to be encrypted is being sent off of the machine. It intercepts and examines all user data prior to encryption.  When data being sent over http is examine, the code first performs a hash comparison on the HTTP headers to identify “interesting” Urls. These approximately 25 “interesting” Url strings are all banking and financial account related, except for a couple social networking and photo share web sites. Here is a view of the code locating content within the raw packet data, after a user has typed their username/pass and clicked on “Login”:

Once the malcode parses the data stream and identifies interesting locations within the stream, it retrieves the input data (i.e. banking user names and passwords), and immediately writes the sensitive data out to file. The file is placed in the same subdirectory as the dll itself, in our lab example: “all users\application data\Microsoft\Windows\Network\Network\mspdb80.dll”. This “.dll” file extension and name choice mimics that of a legitimate file distributed with Visual Studio, and instead contains the stolen login data in plain text. This content is gathered and sent off the system to a server hosted in Russia in the 109.196.143.xx range…

As you can see, it is very important to pay attention to the attachments that you attempt to open, and whether or not they are malicious executables or just look like a harmless spreadsheet.

Update (2/10/2010): appears that other researchers are interested in alerting the public as well, only their February writeup includes interesting details that ACH and wire transfer institutions are targeted by the dll, in addition to what was posted above.

The 0day Google hack attacked a invalid pointer reference within Internet Explorer. It seems that malicious web links were visited by Google employees, resulting in FUD spyware installations on their workstations. Over the past couple of decades, this type of vulnerability has been exploited and sometimes resulted in hugely prevalent and successful exploits on the web, such as the infamous createTextRange Internet Explorer mshtml.dll hole.

Update: Google China employees seem to have been given an early holiday, according to Tech Crunch IMers.

The trojan itself has been analyzed and described on our ThreatExpert blog here and more information from Symantec on the attacks here.

The first, larger waves we saw in February targeted German users, protected within the ThreatFire community from the menace. As more european banks and countries were hit, we continued to monitor for more of a global presence, as the malware package becomes even more popular among multinational banking cyberthieves. Distribution servers have been appearing on American providers’ networks, the next logical step is to find American banks targeted as well. We will be monitoring the situation closely.

The stealer is being spread by attacking the usual client side vulnerabilities in browsers and third party plugins.

The large numbers in the news refer not to the trojan, or the malware that was hosted on gumblar and martuz. The large numbers are detections of web pages that, however accurate the volume reporting may be, most likely are a part of hijacked web sites redirecting browsers to the exploits and trojans on the gumblar.cn and trojans on the martuz.cn domains.

When a user doesn’t patch their system for whatever reason, they may be maintaining known vulnerabilities in their software, which in turn is exploited when visiting a hijacked web presence. Following successful third party plugin exploitation, the delivered dropper is executed. The dropper uses an interesting technique to register loaded components for auto start on an unsuspecting user’s system. Instead of the usual run key and service locations, this writer decided to abuse a user-mode auxiliary audio driver location that is loaded when Internet Explorer is started. This ThreatExpert report and here shows a “Infostealer.Daonol/Trojan-Dropper.Win32.Agent.apfn/Troj/Daonol-Fam” trojan abusing the “Drivers32″ key, much like the original gumblar variant:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
aux = “%Temp%\..\doo.val”

The group is not using any 0day attacks. Instead, they are sending down malformed .pdf and .swf files. It seems that enough reminders cannot be sent out about updating third party software:
Antivirus 360 Distribution – Update Third Party Plugins
PDF Reader Exploitation 2009
Pdf Reader Exploitation 2009 (cont)
Rigged pdf files
browser-security.microsoft.com Hosts File Modification

We will post more data as it is gathered, the trojan itself is not in high prevalence in the ThreatFire community — the attack has gotten far enough to launch the trojan on only a couple of systems and is prevented as “Spyware.Grumbler”.

In the meantime, be sure to update your favorite third party plugins, applications and your system software.

One of the more interesting updates from the report about new versions of the bot is its use of Twitter trend data in generating url data in its fast flux domain algorithm: “A recent update to this algorithm is particularly interesting. Similarly to the previous version, the new algorithm uses the current date to generate the drive-by-download domain. However, the new algorithm also relies on search trends from Twitter to generate one additional seed byte. More precisely, the algorithm fetches the URL http://search.twitter.com/trends/weekly.json?callback=c&exclude=hashtags. This URL returns a JSON object that contains trends for searches on twitter, organized by date. The algorithm gets the trend data for the day before yesterday (4/25 in our case) and extracts the second letter from the first data item (for 4/25, it was “TGIF”, so it gets ‘G’). This letter is then used to calculate a “magic number”, which is used to compute the domain name as shown in the screenshots below.”

This morning, ThreatFire made bacon of another attempted Torpig infection, also detected as Trojan.Anserin, Troj/Torpig-Gen, and Trojan-Spy.Win32.Small.dg. That’s one less infection that will not be added to the 180,000 infections that the researchers observed in a 10 day period, because TF prevented its associated BoF exploit targeting none other than Adobe Acrobat v8.0. One of the first things that the delivered spyware performs is to infect the system’s Mbr, and ThreatFire prevents its raw disk write to \Device\Harddisk0\DR0.
ThreatFire prevents multiple behaviors of this guy on a daily basis.

The site itself, defaptgvif.com, continues to serve up exploits. Do not visit the site.

The source of the file, “jk982732-2309.zip”, which extracts simply to an aspack’ed “jk982732-2309.exe”, is not entirely clear at this point. If any of our users have seen this file prevented on their desktop, please contact us on the forums or here in the comments with some information on its source and any IM messages or email related to this file.

A dead giveaway that something is unusual is the “Google Inc” file company name property, along with the Microsoft MSN butterfly icon:

Another giveaway that something is amiss is that the file also attempts to download components from free web hosting site “nofeehost.com” that masquerade as Brazilian security Buster Browser Defense components.

Any further information from users would be welcome.

Security researcher Paul Ferguson speculated that the original targeted attack, in which a Word document was sent to a select group of individuals, was similar to previous attacks targeting pro-Tibetan groups:
“Although Ferguson does not know who wrote the attack code, he said that it looks similar to software that was sent to pro-Tibetan groups about a year ago, apparently for the purpose of intelligence gathering…Whether this will lead to more widespread Internet Explorer attacks is unclear, Ferguson said.”

The exploit code itself is beginning to spread and has shown up on additional servers in the Pacific rim. While the original attack may have been very targeted, the exploit code itself looks the same. Even variable and function names remain the same across the exploit pages we’ve seen.
The shellcode and the delivered malware executables differ altogether across servers. In one case, the writers jumped through hoops to complete some stable download and execute shellcode, and in another, the writers added some unusual loops to download “menu.dat” to the user’s temp directory and execute it as “U.exe”.
The original executable was not packed and dropped a dll that phoned data over an encrypted session to a server hosted in China. The second, U.exe, is a downloader packed with a somewhat common compressor known as nPack.
So it appears that different groups already are using the exploit, leading us to believe that this reliable and effective exploit code will continue to spread in the wild.

Be sure to update your Windows system if you have not done so already.

The Waledac operators have automated a fairly predictable registration and setup of their malicious web sites and corresponding online pharmaceutical sites reported as fraudulent. They are abusing fast flux dns at an impressive rate as well.
DO NOT VISIT THESE SITES. THEY ARE MALICIOUS AND MAY INFECT YOUR SYSTEM IF YOU CHOOSE TO VISIT THEM WITH A WEB BROWSER. Here are a few that were registered and set up this morning. Be aware that this spamming/botnet operation is an ongoing one:
hxxp://topgreetingsite.com
hxxp://www.greetingsupersite.com
hxxp://www.greetingcardgarb.com
hxxp://greetingcardcalendar.com
hxxp://directchristmasgift.com

You get the idea. Do not fall for the links being spammed out in email messages as ecard deliveries and do not fall for the current “card.exe” being distributed.

A visit to this page results in multiple client side exploits, delivered by multiple redirected web pages, which TF prevents. ThreatFire also stops the attacking executable file as Trojan.Waledac.

The attackers make it obvious what web site they are attempting to mimic in their social engineering scheme. The entire HTML header for the attacking web page on the malicious site was ripped directly from 123greetings.com, a popular ecard site. Here is some of the header from the malicious web page:
Title: New Year Cards, Free New Year eCards, Greeting Cards
meta name =”keywords” content=”new year cards,free new year ecards,greeting cards,greetings,wishes for the new year,free e cards for new year,christmas and new year wishes,free new year greetings,free ecards for new year”
meta name=”description” content=”2009 is here! Fill your heart with new hopes, reach out for new opportunities and celebrate the New Year! Reach out to your friends, family,…”

Keep in mind that the legitimate www.123greetings.com site appears to send out ecards as Flash videos, and not as “postcard.exe” files.

Update (1/5/2008): Waledac variant card.exe continues to be distributed — we’re seeing hxxp://direct christmas gift.com as an offending server up and running with the same card store front.