Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    January 2014
    S M T W T F S
    « Dec   Feb »
  • Email Subscription

  • About Us

    Archive for January 28th, 2014

    In the past few months,  the Tor anonymity service as been in the news for various reasons. Perhaps most infamously, it was used by the now-shuttered Silk Road underground marketplace. We delved into the topic of the Deep Web in a white paper titled Deepweb and Cybercrime. In our 2014 predictions, we noted that cybercriminals would go deeper underground – and part of that would be using Tor in greater numbers.

    Cybercriminals are clearly not blind to the potential of Tor, and network administrators have to consider that Tor-using malware might show up on their network. How should they react to this development?

    What’s Tor, anyway?

    Tor is designed to solve a fairly specific problem: to stop a man-in-the-middle (such as network administrators, ISPs, or even countries) from determining or blocking the sites that a user visits. How does it do this?

    Previously known as “The Onion Router”, Tor is an implementation of the concept of onion routing, where a number of nodes located on the Internet that serve as relays for Internet traffic. A user who wants to use the Tor network would install a client on their machine.

    This client would contact a Tor directory server, where it gets a list of nodes. The user’s Tor client would select a path for the network traffic via the various Tor nodes to the destination server. This path is meant to be difficult to follow. In addition, all traffic between nodes is encrypted. (More details about Tor may be found at the official website of the Tor project.)

    In effect, this hides your identity (or at least, IP address) from the site you visited, as well as any potential attackers inspecting your network traffic along the way. This is quite useful if you’re a visitor who wants to cover your tracks or if, for some reason, the server that you’re trying to connect to denies connections from your IP address.

    This can be done for both legitimate and illegitimate reasons. Unfortunately, this means that it can and has already been used for malicious purposes.

    How can it be used maliciously?

    Malware can just as easily use Tor as anyone else. In the second half of 2013, we saw more malware making use of it to hide their network traffic. In September, we blogged about the Mevade malware that downloaded a Tor component for backup command and control (C&C) communication. In October 2013, Dutch police arrested four persons behind the TorRAT malware, a malware family which also used Tor for its C&C communication. This malware family targeted the bank accounts of Dutch users, and investigation was difficult because of the use of underground crypting services to evade detection and the use of cryptocurrencies (like Bitcoin).

    In the last weeks of 2013, we saw some ransomware variants that called itself Cryptorbit that explicitly asked the victim to use the Tor Browser (a browser bundle pre-configured for Tor) when paying the ransom. (The name may have been inspired by the notorious CryptoLocker malware, which uses similar behavior.)

    Figure 1. Warning from Tor-using ransomware

    Earlier this month, we discussed several ZBOT samples that in addition to using Tor for its C&C connection, also embeds its  64-bit version “inside” the normal, 32-bit version.

    Figure 2. Running 64-bit ZBOT malware

    This particular malware runs perfectly in a 64-bit environment and is injected into the running svchost.exe process, as is typically the case with injected malware.

    This increase in Tor-using malware means that network administrators may want to consider additional steps to be aware of Tor, how to spot its usage, and (if necessary) prevent its use. Illegitimate usage of Tor could result in various problems, ranging from circumvented IT policies to exfiltrated confidential information.

    We will discuss these potential steps in a succeeding blog post.

    Posted in Malware | Comments Off on Defending Against Tor-Using Malware, Part 1

    File infectors and ZBOT don’t usually go together, but we recently saw a case where these two kinds of threats did.

    This particular file infector – PE_PATNOTE.A (MD5 871246d00caffdbed56b1374975c368e) – appends its code to all executable files on the infected system, like so:

    Figure 1. Before infection

    Figure 2. After infection

    What does this code do? It drops and executes the embedded ZBOT variant, TSPY_ZBOT.PNR (MD5 5c492c6300fd9def233bfaa56fb6b0f2), as well as infecting other executable files. TSPY_ZBOT.PNR is dropped as %User Temp%\notepat.exe.

    As we mentioned earlier, PE_PATNOTE.A spreads by adding its code to all executable files on the system. This includes removable and network drives, not just fixed drives on the system. This may allow it to spread across multiple systems, making cleanup and removal much more difficult.

    In addition to its rather unusual behavior, this malware also uses some of the anti-analysis techniques that we started seeing earlier this year. This thwarts some common analysis tools like OllyDbg, ProcDump, StudPDE, and WinHex. This may be an indicator that we will see greater use of these techniques moving forward.

    Figure 3. Embedded ZBOT variant

    This isn’t the first time we’ve seen file infectors used to spread ZBOT. In late 2010, we found that ZBOT was being spread by the LICAT file infector. However, there were some differences between then and now. Then, ZBOT was being downloaded onto the system; today the ZBOT code is dropped directly onto the affected system. This makes it more likely that infection can take place even in networks with restricted Internet access.

    We detect both the file infector (PE_PATNOTE.A) and the ZBOT variant (TSPY_ZBOT.PNR) through the Trend Micro Smart Protection Network.

    Posted in Malware | Comments Off on File Infectors and ZBOT Team Up, Again


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice