Grum Recap

For a quick recap, here is a list of Grum CnCs. Some of these IPs were mentioned in my previous posts (1, 2, and 3), but I would like to summarize everything in one table.

Based on the data from the last 30 days, below are the Grum CnC IPs along with their ISP information.

Grum CnCs—Just a few more to go

This post was updated on July 17, 2012, at 3:15 PM.

Last week, I wrote an article covering various aspects of a large spam botnet named Grum. This article mainly covered the current command and control (CnC) coordinates of this botnet. The intention behind this article was not only to share this information for general awareness, but also to invite the research community to come forward and take down this spam beast. I can see that this strategy is really working. Dutch authorities have pulled the plug on two of the CnC servers pointing to IP addresses 94.102.51.226 and 94.102.51.227 [1]. Thanks to the Dutch authorities for their swift action.

Killing the Beast - Part 5

Back in 2009, I started writing a series of articles called "Killing the Beast." These articles were primarily focused on the command and control (CnC) coordinates of popular spam botnets. These articles not only provided readers greater visibility into these spam botnets, but also served as the basis for two botnet takedowns. So far, four articles under this series have been published. After a long time, I have decided to write the fifth one.

For a refresher, older posts can be accessed using the links shown below:

Part 1, Part 2, Part 3, and Part 4.

In recent years, we have seen the fall of many spam botnets including Srizbi, Rustock, Mega-D, Pushdo.A, Storm, and Waledac. But one botnet that has kept itself well under the radar is the Grum botnet. When I look into my Botnet Lab logs, I can see traces of Grum's earlier versions recorded around February 2008. That means that, as of today, this botnet is more than four years old. Readers who have been following the evolution of different botnets would agree that keeping a botnet active and alive for this many years is an achievement in itself.

Based on the latest statistics from M86Security, Grum is currently responsible for 17.4% of worldwide spam traffic, making it the world's third most active spam botnet after Cutwail and Lethic. Interestingly, Grum, which was once the world's number one spam botnet around January 2012 (at that time, Grum was responsible for 33.3% of worldwide spam), is already on its decline after losing its position to the Cutwail botnet.

Stories About Botnets - Part 2

In the first part of this series, I talked about a few botnets that are using random domain generation algorithms in order to conceal their Command and Control (CnC) servers. But that’s not the only type of evasion being used by advanced malware. There are other types of polymorphism as well.

Some of the polymorphic strains found in these malware are as follows:

  1. Random domain generation (as I talked about in Part 1)
  2. Random URL and HTTP header generation
  3. Custom obfuscated protocols
  4. Disguised as legitimate objects like a gif or jpeg image file, etc.

Today, I would like to talk about type 2: botnets that are good at randomizing their HTTP communication. Readers will see shortly how intelligently these malware families bypass signature-based defenses.

Stories About Botnets - Part 1

The malware threat landscape is changing very fast. New and improved malware is hitting the attack surface on a daily basis. No wonder advanced malware likes to operate in stealth mode: it changes its behavior, shape and patterns as much as it can to fool its enemies. Not only do we need signature-less technology to handle such malware, but we also need a news resource that continuously talks about these emerging threats, and this is where a series of blog posts on the topic comes into play.

For the first post in this series, I am going to talk about four different botnets that have recently been spotted randomizing their command and control domains. I will call these generically “New Botnet” A, B, C, and D so that we can focus on the details of the morphing behaviors. All of these botnets use custom algorithms to generate and locate their CnCs. The use of random CnC domains is not a new concept. In the past, we have seen Conficker, Srizbi, and Rustock using similar techniques, but in recent days we have seen more and more botnets adopting these stealth tactics.

Zeus takeover leaves undead remains

Some of you may be aware that Microsoft this week went after a group of botnets. These botnets were created from the famous Zeus toolkit. This effort was part of the so-called Operation B-71.

When I heard this news, the first thing I wanted to find out was whether these botnets had been on FireEye's radar. The answer is yes. Based on data collected from the FireEye MPC (Malware Protection Cloud), we have been detecting and protecting our customers from most of this malware.

There was one thing that caught my attention during this investigation. One botnet was able to partially recover from the takeover attempt. This particular Zeus variant is known for rapidly changing its CnCs.

Harnig is Back

Rustock's old buddy Harnig is back in action. Harnig is considered to be a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system for a small fee. There has been a long-term relationship between the Harnig and Rustock botnets. For the last two years or so, Rustock has almost always been seen being spread through Harnig.

I reported back in March (right after the Rustock botnet shutdown) that the Harnig botnet had abandoned all of its CnCs as well, suspending all of its malicious activities. Rustock hasn't yet tried to reclaim its previous position, but this is not true in the case of Harnig. After months of silence, Harnig is finally back in business, resuming all of its usual malicious activities.

A controlled run of Harnig in my lab shows Harnig downloading a number of malware samples onto the infected machine.

Koobface - Goodbye Facebook!

It looks like Koobface has started to lose interest in Facebook. We first observed this dramatic change around February this year. All of a sudden, we saw that bot herders were no longer instructing zombies to post fake messages to compromised Facebook accounts. Our first impression was that it was just a temporary move, but a continued silence of about two months is not something that can be ignored. The last time we saw Koobface trying to pollute Facebook was around Feb 13th; at that time, one of the messages posted looked like this:

February 13 at 3:19pm
Youu’ve beren caght on our supefr smmall spy camerea!
http://12344cederberglineki.blogspot.com

where, as usual, the posted link redirected users to a fake YouTube video urging them to install a fake codec (in reality a Koobface malware binary) in order to watch a so-called stunning video.

Harnig Botnet: a retreating army

Rustock is not the only botnet that suffered from the recent takedown by Microsoft. It appears that Harnig (a.k.a. Piptea), a close relative of Rustock, is retreating as well. There is no evidence that someone is trying to shut down Harnig. It looks like a decision made solely by the bot herders. Why? I'll talk about it shortly.

Harnig is considered to be a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system. In return for this favor, the owners of other malware families pay the bot herders a small sum, normally a few cents per machine. When it comes to pay-per-install networks, the type and amount of malware being dropped can't easily be determined. What matters is who is paying the bot herders, and when. But things between Harnig and Rustock were quite different. There has been a long-term relationship between the Harnig and Rustock botnets. For the last two years or so, Rustock has almost always been seen being spread through Harnig. Very rarely will one see Rustock using some other infection vector or pay-per-install network to propagate itself.

[Screenshot: Harnig]

One can see from the above screen shot that the Rustock installation is the result of a chain reaction:

Harnig -> Downloader.DigiPog (Rustock installer in plain text) -> Rustock spam engine (semi-fake password-protected 'rar' file containing the Rustock driver file).