Conficker: Catch Me If You Can…

Unlike the previous Conficker variants, which generated 250 random domains per day, the new Conficker.C variant can generate up to 50,000 domains in a day.  This was a direct response to the security community's action of preregistering the domains, much as FireEye did with Srizbi just a few months ago.  One can sense a 'catch me if you can' attitude in this recent move.  Since its appearance in November of last year, Conficker's author (or authors) has been introducing different tricks to make hijacking Conficker very difficult.

I find it very unlikely that the Conficker worm will be used as an active botnet in the near future. There are many differences between the way normal botnets are run and the way Conficker is being maintained by its authors.  Below I'll highlight a few of those differences.

Continue reading »

Filefix Professional 2009 Cryptanalysis

Background

https://www.fireeyesolution.com/research/2009/03/a-new-method-to-monetize-scareware.html

http://voices.washingtonpost.com/securityfix/2009/03/antivirus2009_holds_victims_do.html

Exposition

The Filefix Professional 2009 (wizard.exe) demo version will uncorrupt (read: decrypt) one file. This means that I can learn everything I need to know to decrypt all files by analyzing just this binary itself.

So, where to start looking? Well, a file decryption routine is going to need to read and write files, so search for calls to ReadFile. Almost the first thing I find is a loop that calls ReadFile, has an inner loop that XORs over each byte in the buffer, and then calls WriteFile. Hmmm… (See appendix.)

Now all I need are some encrypted files. Filefix Pro doesn't encrypt anything itself, and I didn't have a sample of the malware which did. Fortunately (for me), we were in contact with some of the victims, so as soon as I had some samples they confirmed my suspicion that the encryption was just ECB-XOR. The only thing which took me more than a minute to figure out was that the crypto key was stored at the end of the file (since I had already figured out how to decrypt it without knowing the key).

Spending a little more time reading the binary, I also found the routine which checks for valid keys at the ends of files. This allows Filefix to tell corrupt and non-corrupt files apart when scanning the disk. There is a strict mathematical relationship between the four bytes of the key, implemented as three simple boolean tests. If you do the math, this also means that there are only 256 possible valid keys.
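The decryption described above, as an added example that is not Filefix's or FireEye's code: it assumes the layout the post describes (body XORed with a repeating 4-byte key, the key appended to the end of the file), recovers the key from a known file signature the way one can without reading the trailer, and cross-checks it against the trailer. The file-signature table, the function names and the sample file are my own assumptions and constructions; the three key-validity tests from the binary are not given in the post and are not reproduced.

```python
# Added example, not Filefix's or FireEye's code. Assumed layout (from the
# post): body XORed with a repeating 4-byte key, key appended to the file.
# The key-validity tests from the binary are not given in the post and are
# not reproduced here.
from itertools import cycle

# Known leading bytes of the file types named in the post; at least four bytes
# of known plaintext are needed to recover a 4-byte repeating key in one shot.
MAGIC = {
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2 compound file
    ".zip": b"PK\x03\x04",
}

def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def split_trailer(blob: bytes) -> tuple[bytes, bytes]:
    """Separate the encrypted body from the 4-byte key stored at the end."""
    if len(blob) < 5:
        raise ValueError("file too short to carry a body and a trailing key")
    return blob[:-4], blob[-4:]

def recover_key(cipher_body: bytes, ext: str) -> bytes:
    """Known-plaintext recovery: the first four plaintext bytes leak the whole key."""
    magic = MAGIC[ext][:4]
    return bytes(c ^ p for c, p in zip(cipher_body[:4], magic))

def decrypt(blob: bytes, ext: str) -> bytes:
    """Decrypt with the trailer key, cross-checked against the recovered key."""
    body, trailer_key = split_trailer(blob)
    derived = recover_key(body, ext)
    if derived != trailer_key:
        raise ValueError(f"trailer key {trailer_key.hex()} != derived {derived.hex()}")
    return xor_stream(body, trailer_key)

# Constructed sample (not a real victim file): a tiny fake PDF, XORed with a
# made-up key and with that key appended, mirroring the layout described above.
SAMPLE_KEY = b"\x13\x37\x42\x99"
PLAINTEXT = b"%PDF-1.4\n% constructed sample, not a real document\n"
CORRUPTED = xor_stream(PLAINTEXT, SAMPLE_KEY) + SAMPLE_KEY

if __name__ == "__main__":
    print(decrypt(CORRUPTED, ".pdf") == PLAINTEXT)
```

The cross-check is what makes the trailer useful to a scanner: a file whose trailing four bytes do not match the key implied by its own signature is either not one of these files or has been altered.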

Continue reading »

E-Bandits - Part 1

This post is the first in a new series of articles about E-Bandits. In these articles I will talk about some of the low-profile malware currently involved in various data-stealing and phishing scams.
Data stealing is not just about stealing credit card information or login credentials. Some of this malware is capable of taking pictures and/or capturing video from your webcam and uploading them to remote servers.  The worst types of privacy breaches include taking screenshots of your desktop, monitoring your chat sessions, and grabbing pictures from your 'My Pictures' folder.

Continue reading »

A new method to monetize scareware

Scareware in the form of rogue antivirus software, such as XpAntiVirus2009, has long been a way to monetize infected computers.  Previously, the rogue AVs would present you with screens that listed malware you didn't have, and for a nominal fee you could buy the full version and clean the "infections".

Over the past couple of days, Vundo has been pushing a piece of malware that encrypts various personal file types (.pdf, .doc, .jpg, etc.) on your system, and "coincidentally" pushes a program called FileFix Pro 2009 which will decrypt them, for a fee.  Although we (Julia) broke the encryption, it's a sobering realization of the state of malware that it is now actively extorting users by holding their data for ransom.  Despite this version of FileFix being trivial to crack, it does not bode well for the future of Internet malware.

Vundo has fundamentally altered its criminal business model from "scareware" tactics to "ransomware" extortion.  While a user may be "silly" to buy into scareware, they have little choice but to purchase the decryption software once the ransomware does its thing.

Continue reading »

Cimbot - A Technical Analysis

Personal Exposition

I was recently sent a .pcap file of a bot’s C&C communications. Every 182 seconds, the bot would download a GIF file from vazasaki-ji.info (91.211.65.180 as of Mar 11, 2009). These GIF files, however, are not well-formed; that is to say, each is a GIF89a header followed by a lot of random gibberish.
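A way to tell such files apart from real images at the proxy or in a sandbox, as an added example that is not Cimbot's or FireEye's code: walk the GIF block chain (screen descriptor, colour table, extensions, image descriptors, trailer) instead of trusting the magic bytes. The function name and the two sample byte strings are constructed for this example; the real bot downloads are not reproduced.

```python
# Added example, not Cimbot's or FireEye's code: a structural walk over the
# GIF block layout that separates a real GIF from a file that only starts
# with the "GIF89a" magic, as the post describes for the bot's downloads.
import struct

def check_gif(data: bytes) -> tuple[bool, str]:
    """Walk the GIF block chain; return (well_formed, reason)."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "no GIF header"
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    if width == 0 or height == 0:
        return False, "zero-sized logical screen"
    pos = 13
    if packed & 0x80:                         # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                     # trailer: clean end of file
            return True, "well-formed"
        if block == 0x21:                     # extension: label, then sub-blocks
            pos += 2
        elif block == 0x2C:                   # image descriptor: 9 bytes
            if pos + 10 > len(data):
                return False, "truncated image descriptor"
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:                # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                          # LZW minimum code size
        else:
            return False, f"unexpected block 0x{block:02x} at offset {pos}"
        # data sub-blocks are length-prefixed and end with a 0x00 block
        while pos < len(data) and data[pos] != 0:
            pos += 1 + data[pos]
        pos += 1
    return False, "ran out of data before the trailer"

# Constructed samples: the well-known 1x1 transparent GIF, and a file that
# has nothing but the GIF89a magic in front of filler bytes.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"\x21\xf9\x04\x01\x00\x00\x00\x00"
            b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
FAKE_GIF = b"GIF89a" + bytes(range(0xA0, 0xFF))

if __name__ == "__main__":
    print(check_gif(REAL_GIF), check_gif(FAKE_GIF))
```

A periodic fetch of "images" that fail this walk, every 182 seconds from one host, is the kind of signal worth alerting on even before the payload is understood.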

Continue reading »

Bad Actors Part 6 - Eurohost LLC (aka UralNet?)

A funny thing happened the day after I posted my last article: the UralNet IP block was removed from the global routing table.  I didn't see any notifications in the press or on any network operations lists (although I am not on any RIPE-specific listservs), so my suspicion is that they are simply lying low for a bit.  I assume that if they had their plug forcibly pulled, then the responsible party would want to be recognized (rightfully) for taking a step against cyber-crime in the region.

Another reason why I believe they are lying low is that an AS that had been dormant (unrouted) for months came back online this week and immediately started hosting much of the malware that used to be on UralNet.  They've only been back on the Bloc for a week, have a mere /24 (256 IPs), don't have a corporate homepage, and yet already have quite a few criminal customers.

Continue reading »

The Business Of Mr. Alexander S Kopylov

On the FireEye blog we have talked a lot about botnets, their CnC coordinates, bad ISPs, etc. You may be curious to know who actually runs these botnets. Who are these puppet masters, and what is their business model? How do they work, and who are their customers?

There are many questions, but the answers are scarce. In this post I will try to answer some of those which often pop up in my mind as well.

It’s no secret that most of the SPAM botnets are invented in Russia and controlled by Russian cyber-criminals.  Why should I believe this to be the case?  Srizbi’s recent comeback gave me some valuable hints that confirm the industry suspicion. Here is one email sent by Srizbi that day:

From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

.. ….. ….. ……….. ….. ………. ….. ……. - http://advert1.ru
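Reading the evidence without a mail client, as an added example that is not part of the original post: the header block above is reproduced verbatim (the body line as quoted, dots and all), the RFC 2047 encoded-word Subject is decoded from KOI8-R, and the sender domain, mailer and body URLs are pulled out for triage. The function name and the returned field names are my own choices.

```python
# Added example, not from the original post: decode the encoded-word Subject
# of the Srizbi sample and extract the fields an analyst would log for triage.
from email import message_from_string
from email.header import decode_header
import re

# The header block and body line quoted in the post, reproduced verbatim.
SRIZBI_SAMPLE = """From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

.. ….. ….. ……….. ….. ………. ….. ……. - http://advert1.ru
"""

def triage(raw: str) -> dict:
    """Parse one raw message; decode its Subject and collect triage fields."""
    msg = message_from_string(raw)
    parts, charsets = [], set()
    for chunk, cs in decode_header(msg["Subject"]):
        if isinstance(chunk, bytes):          # an encoded word (=?charset?B?...?=)
            charsets.add(cs or "ascii")
            chunk = chunk.decode(cs or "ascii", errors="replace")
        parts.append(chunk)
    body = msg.get_payload()                  # 8bit text/plain, no decoding needed
    return {
        "subject": "".join(parts),
        "subject_charsets": sorted(charsets),
        "sender_domain": msg["From"].rsplit("@", 1)[-1].rstrip(">"),
        "mailer": msg["X-Mailer"],
        "urls": re.findall(r"https?://[^\s>\"']+", body),
    }

if __name__ == "__main__":
    print(triage(SRIZBI_SAMPLE))
```

The Subject decodes to the Russian phrase "Самая эффективная реклама" (roughly "the most effective advertising"), which, together with the .ru landing site, is the language evidence the post relies on.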

Continue reading »

‘Bancos’ - A Brazilian Crook

It’s fairly well accepted that most of the banking Trojans originate in Brazil, while most of the big SPAM botnets originate in Russia. One such banking Trojan is ‘Bancos’, a kind of malware that tries to steal every ‘bit’ of financial data from a victim’s PC.

Normally it happens like this:

Once executed on the victim's system, ‘Bancos’ contacts its ‘Command and Control Server’ and tries to download a .txt file. This .txt file has exactly the same format as the Windows default hosts file (%system32/drivers/etc/hosts), as shown below:

Continue reading »