
    Author Archive - Loucif Kharouni (Senior Threat Researcher)




    Last week it was reported that the Pushdo botnet, used to send spam using the Cutwail spamming module, was taken down, thanks to the efforts of several security researchers. Thirty command-and-control (C&C) servers of the Pushdo/Cutwail botnet were identified, almost 20 of which were taken down after their Internet hosting providers were notified.

    So far, the takedown appears to have been effective. Our monitoring indicates that the volume of spam sent using the Cutwail bots has significantly decreased. Our monitoring of the C&C servers Pushdo used indicates that the botnet has fallen silent since the takedown.

    It’s too early to see if this particular takedown will have real long-term effects. There have been many takedowns before such as that of McColo in late 2008. However, in many of these cases, the affected botnets were able to recover and resume their operation within weeks.

    Taking down botnets is a good thing, but it is not enough to stop the spam pandemic. The issue here is that while this botnet may have been crippled, the spammers behind it are still at large – and can continue to create botnets in the future. Spammers like this must be arrested and should spend time in jail if we are to have any real chance of winning this war on cybercrime. Trend Micro will continue to work closely with law enforcement to ensure that criminals like these are put behind bars.

    Last year, our researchers looked into the activities of the Pushdo/Cutwail botnet and released their findings in the paper “A Study of the Pushdo/Cutwail Botnet.”




    While conducting research, I encountered a curious-looking new ZeuS/ZBOT sample (detected as TSPY_ZBOT.ZCZ) using a very old toolkit version. I retrieved the sample two days ago. After some debugging/reversing, I found out that this specific sample targeted several banks around the globe, including Russian banks.

    Here is a snippet listing the targeted Russian banks and Yandex services:

    @*/login.osmp.ru/*
    @*/atl.osmp.ru/*
    @*/mylk.ru/*
    https://www.telebank.ru/web/front/login.x/*TAN* *transactionID=* *
    https://i.bank24.ru/confirm/payment.*TAN* *pincode=* *
    *citibank.ru*
    http://*citibank.ru*
    *agent.e-port.ru/cp/lkan/lka.cp*
    *client.mdmbank.ru/retailweb/login.asp
    http://*.osmp.ru/
    *rbkmoney.ru*
    *light.webmoney.ru*
    *money.yandex.ru*
    *passport.yandex.ru*
    *//mail.yandex.ru/index.xml
    *//mail.yandex.ru/
    *//money.yandex.ru/index.xml
    *//money.yandex.ru/
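As an added example (not part of the original post), a small Python triage helper that loads the masks above exactly as listed and answers two analyst questions: which hosts does this sample target, and would a given URL trigger it. It assumes ZeuS-style masks in which `*` matches any run of characters and a leading `@` is a per-entry option flag rather than part of the URL text.

```python
import re

# URL masks constructed from the list in the post above (one entry per line,
# kept exactly as extracted; the original config's per-entry quoting is lost).
ZEUS_URL_MASKS = """\
@*/login.osmp.ru/*
@*/atl.osmp.ru/*
@*/mylk.ru/*
https://www.telebank.ru/web/front/login.x/*TAN* *transactionID=* *
https://i.bank24.ru/confirm/payment.*TAN* *pincode=* *
*citibank.ru*
http://*citibank.ru*
*agent.e-port.ru/cp/lkan/lka.cp*
*client.mdmbank.ru/retailweb/login.asp
http://*.osmp.ru/
*rbkmoney.ru*
*light.webmoney.ru*
*money.yandex.ru*
*passport.yandex.ru*
*//mail.yandex.ru/index.xml
*//mail.yandex.ru/
*//money.yandex.ru/index.xml
*//money.yandex.ru/""".splitlines()

# First domain-looking token in a mask (wildcards allowed inside the host part).
HOST_RE = re.compile(r"[\w*.-]+\.[a-z]{2,}")

def mask_to_regex(mask):
    """Turn a ZeuS-style mask into an anchored, case-insensitive regex:
    '*' matches any run of characters, everything else is literal.
    A leading '@' is treated as a per-entry option flag and stripped
    (assumption: the flag is not part of the URL being matched)."""
    body = mask[1:] if mask.startswith("@") else mask
    return re.compile("^" + ".*".join(map(re.escape, body.split("*"))) + "$", re.I)

COMPILED = [(m, mask_to_regex(m)) for m in ZEUS_URL_MASKS]

def matching_masks(url):
    """Every mask the given URL would trigger (empty list = not a target)."""
    return [m for m, rx in COMPILED if rx.match(url)]

def targeted_hosts(masks=ZEUS_URL_MASKS):
    """Host names the config targets, e.g. for a blocklist or victim notification;
    leading wildcards are dropped, so '*.osmp.ru' reports as 'osmp.ru'."""
    hosts = set()
    for m in masks:
        found = HOST_RE.search(m)
        if found:
            hosts.add(found.group(0).lstrip("*."))
    return hosts

if __name__ == "__main__":
    print(sorted(targeted_hosts()))
    print(matching_masks("https://money.yandex.ru/"))
```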

    This ZeuS/ZBOT sample also targeted banks found in Germany, the United States, the United Kingdom, Poland, the Netherlands, Italy, Spain, France, Belarus, Bulgaria, Australia, Ireland, the United Arab Emirates, Turkey, and New Zealand.

    This is the first time I’ve seen ZeuS target Russian banks given that online banking is not so popular in Russia. I can recall a few ZeuS/ZBOT samples targeting Yandex services, but I definitely can’t recall anyone targeting MDM Bank or other online Russian banking systems.

    Is this a sign? Are we going to see more ZeuS/ZBOT variants targeting this region once online banking becomes as popular in the country as it is in Western countries? If so, for how much will the cybercriminals sell the information they steal?

    These are just some of the thought-provoking questions that, I guess, only the future can answer.

    TrendLabs has also documented previous yet interesting finds about ZeuS/ZBOT in the following entries:


    You might be wondering what this illustration is all about. Well, if you have heard or read about botnets, spam, and pay-per-install (PPI) techniques, you may realize that these three elements are related to one another. This discussion focuses on answering how.

    Correlation Mapping 101

    Before proceeding to determining the how, it is imperative that we understand the what first. Let me walk you through each of these elements. The tagged figures represent botnets. We have classified them into three categories—primary threats (in turquoise), comprising CUTWAIL, BREDO, SASFIS, and KOOBFACE; secondary threats (in red), comprising ZEUS, TDSS, and WALEDAC; and tertiary threats (in blue), comprising FAKEAV.

    The arrows basically represent the flow from point A to point B. A green arrow means that botnet A sends a malicious file related to botnet B via email. A purple arrow means that botnet C downloads a variant of botnet D via download (PPI). For example, CUTWAIL sends a malicious file related to ZeuS via email. CUTWAIL can also send malware files via email related to BREDO, FAKEAV, and SASFIS. BREDO, on the other hand, can download a file related to KOOBFACE, which can download FAKEAV.

    Looking at the Big Picture

    Malware related to these botnets can function on its own; none of them depends on another in order to perform its malicious routines on affected systems. Let us take BREDO again as an example. When a user detects BREDO on his/her system, the user only knows that the system is infected by BREDO. However, since BREDO is a downloader of other malware (as indicated in the correlation map), we can expect the user’s system to be infected by more than two different kinds of malware. If this is the case, one cannot readily identify which malware variant affected the system and performed its payload first.

    Say, for example, a user scans the system and finds that it is infected by ZeuS, BREDO, and CUTWAIL. Which of these came first?

    To attempt to answer this tough question, let us trace some trails where we can make a couple of assumptions. From the illustration, we can deduce that either BREDO or CUTWAIL was the original infector. If the user receives an email pointing to BREDO, then CUTWAIL was the first. Otherwise, BREDO came first, which in turn downloaded CUTWAIL and ZeuS onto the affected system.
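An added example, not from the original post, that encodes the delivery relationships stated above as a directed graph and reproduces the reasoning: the candidate original infectors are the detected families from which every other detected family is reachable. Family names and edges are taken from the text; the map image itself is not reproduced, so edges it shows but the text does not mention are absent.

```python
from collections import deque

# Delivery relationships as the post states them (constructed from the text).
# "email": A spams a file belonging to B. "ppi": A downloads B under a
# pay-per-install deal.
DELIVERS = {
    "CUTWAIL": {"ZEUS": "email", "BREDO": "email", "FAKEAV": "email", "SASFIS": "email"},
    "BREDO": {"KOOBFACE": "ppi", "CUTWAIL": "ppi", "ZEUS": "ppi"},
    "KOOBFACE": {"FAKEAV": "ppi"},
}

def reachable(start, edges=DELIVERS):
    """All families that `start` can bring onto a machine, directly or via others."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), {}):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def candidate_roots(detected, edges=DELIVERS):
    """Detected families that could have seeded every other detected family.
    For {ZeuS, BREDO, CUTWAIL} this yields {BREDO, CUTWAIL}, as argued above."""
    detected = set(detected)
    return {f for f in detected if detected <= reachable(f, edges)}

def evidence_for(root, detected, edges=DELIVERS):
    """Direct deliveries from `root` to the other detected families: the artefact
    whose presence would confirm that root came first (a spam mail carrying
    BREDO => CUTWAIL first; a PPI download of CUTWAIL => BREDO first)."""
    return {f: how for f, how in edges.get(root, {}).items()
            if f in detected and f != root}

if __name__ == "__main__":
    found = {"ZEUS", "BREDO", "CUTWAIL"}
    for root in sorted(candidate_roots(found)):
        print(root, "->", evidence_for(root, found))
```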

    Forging Alliances Is Key

    Anyone can probably tell that the correlation map is pretty complicated, so one cannot help but feel a little overwhelmed by its sophistication. However, from the point of view of cybercriminals doing business underground, understanding how the elements in the map work is easy enough.

    Let us illustrate by taking BREDO and CUTWAIL again from the previous sample. Since CUTWAIL-spammed messages contain BREDO variants, we can say that the criminals behind BREDO are paying the criminals behind CUTWAIL to do just that, and that they are paid per machine infected by the BREDO variant they spammed. Note that these infected machines, which are part of the CUTWAIL botnet, report back to the BREDO botnet master. The same case happens between ZeuS and BREDO: the criminals behind ZeuS pay the minds behind BREDO to install their malware. As we all know, ZeuS malware steals bank account information, among other things (e.g., POP3 and FTP accounts). At the end of the day, the aim of this succession of infections is to steal money from affected users. Keep in mind that every time a primary botnet downloads another malware, the criminals behind the botnet are paid.

    There is an ongoing cycle of money moving from one place to another. Criminals behind FAKEAV get paid if users buy their fake antivirus programs and they use this money to pay other botnets to spread their programs.

    ZeuS guys use several different business models, depending on the data they steal. They can either sell the data they stole or they can rent their own botnet.

    For your reference, you can find detailed research for some of the botnet-related malware here plus a new report outlining the business of cybercrime here.




    TrendLabs engineers recently discovered that cybercriminals now use shortened URLs to spam malware via instant-messaging (IM) applications like Yahoo! Instant Messenger and MSN. As we all know, URL-shortening services are used to compress long and unreadable URLs into short, bite-sized ones. Short URLs are more portable and are now preferred over the (normally long) actual URLs when one wishes to share news within networks using their own websites, blogs, Tweets, and other social media tools.

    The bad guys seem to have changed their strategy. We have gotten used to seeing malicious URLs like http://{BLOCKED}img.com/IMG-004592.com?=, http://www.{BLOCKED}ok.com/view.php?=PHOTO1598526.JPG?, and http://www.{BLOCKED}-photos.com/view.php?=PHOTO23032010.JPG? in instant messages. Now, we see a slew of instant messages containing shortened URLs like http://{BLOCKED}.com/pict04042010jpg and http://{BLOCKED}.com/va98d.

    Shortening URLs may mean two things. First, this makes it harder for antivirus companies to block malicious URLs, as it would take them longer to get the landing link. Second, URL-shortening services can be used by cybercriminals to trick users into clicking suspicious links.

    Malware that spreads via IM applications bases its messages on the OS the computer uses. Cybercriminals have also been known to use shortened URLs for spamming purposes, as shown in the following screenshots.


    Clicking the shortened URLs in the sample instant messages leads to the download of {BLOCKED}082010-jpg-www-facebook-com.scr, detected as WORM_BUZUS.AG, which propagates via physical/removable/floppy drives and peer-to-peer (P2P) networks by spoofing the names of some popular applications, games, and movies. It is also capable of launching a denial-of-service (DoS) attack using SYN floods.
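An added example (not Trend Micro's code) of the defender's side of the point above: resolving a shortened URL's redirect chain to the landing link before blocking, with a hop cap and loop detection, and then flagging a landing file like the .scr above whose name imitates an image. The hosts, paths and the in-memory response table are constructed stand-ins for live HTTP responses.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
EXECUTABLE_EXT = {".scr", ".exe", ".pif", ".bat", ".cmd"}
IMAGE_WORDS = ("jpg", "jpeg", "png", "gif", "img", "photo", "pict")

# Constructed stand-in for live HTTP responses: URL -> Location header
# (None means the response was not a redirect, i.e. this is the landing URL).
# Hosts and paths are made up; the file name echoes the sample described above.
FAKE_RESPONSES = {
    "http://short.example/va98d": "http://go.example/r?id=7",
    "http://go.example/r?id=7": "/files/082010-jpg-www-facebook-com.scr",
    "http://go.example/files/082010-jpg-www-facebook-com.scr": None,
    "http://short.example/a": "http://short.example/b",
    "http://short.example/b": "http://short.example/a",
}

def fake_fetch(url):
    """Stand-in for an HTTP HEAD request: a real fetcher would return the
    Location header of a 3xx response and None for anything else."""
    return FAKE_RESPONSES.get(url)

def expand(url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Follow a shortener's redirect chain without executing anything.
    Returns (chain, status); status is 'final', 'loop' or 'too_many_hops'."""
    chain = [url]
    while len(chain) <= max_hops:
        location = fetch(chain[-1])
        if location is None:
            return chain, "final"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            return chain + [nxt], "loop"
        chain.append(nxt)
    return chain, "too_many_hops"

def looks_disguised_executable(url):
    """True when the landing file has an executable extension but an image
    word in its name, the pattern of the .scr sample named above."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return ext in EXECUTABLE_EXT and any(w in name for w in IMAGE_WORDS)

if __name__ == "__main__":
    chain, status = expand("http://short.example/va98d")
    print(status, chain[-1], looks_disguised_executable(chain[-1]))
```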

    Trend Micro™ Smart Protection Network™ protects users from this kind of threat by blocking access to all related malicious URLs and preventing the download and execution of the malicious file.

    Update as of April 12, 2010, 3:00 p.m. (GMT +8:00):

    The links were also found to download a new KOOBFACE variant detected as WORM_KOOBFACE.ZD.

     



    Today, Trend Micro threat researchers ran across a new ZBOT variant mainly targeting the banking systems of four European countries: Italy, England, Germany, and France.

    Trend Micro detects this variant as TSPY_ZBOT.AZX. It targets major consumer European Banks and financial institutions with high-profile clientele. The targeted companies include the major UniCredit Group Subsidiary Bank of Rome; U.K.-based Abbey National (more commonly known as Abbey); Hong Kong’s HSBC; Germany’s leading IT service provider in the cooperative financial system, the FIDUCIA Group; and one of France’s largest retail banks, Crédit Mutuel.

    “At this point, we do have the data that show that these banks are indeed being currently targeted. We are including some names of the banks here to make people aware,” says advanced threats researcher Ivan Macalintal.

    ZBOT is a crimeware phenomenon created using a toolkit. The ZeuS toolkit enables cybercriminals to create and customize their own remote-controlled malware. The infected machine then becomes part of the criminal ZeuS botnet. ZBOT variants are information stealers specializing in robbing online banking information from victims and sending the stolen information back to their command-and-control (C&C) server.

    At its most basic level, ZeuS has always been known for engaging in criminal activities, as it signals a new wave of online criminal business enterprises wherein different organizations can cooperate with one another to perpetrate outright online theft and fraud. Read up more on this malware in our white paper, “Zeus: A Persistent Criminal Enterprise.”


    The domains used by TSPY_ZBOT.AZX are both hosted on the same server, which is located in Serbia under a registered name. The IP address used and its registered name are both well-known for being part of FAKEAV-hosting domains and previous Canadian pharmacy spam campaigns.

    Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service. Not a Trend Micro user? We also offer free system checks with HouseCall, which identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. You may also use RUBotted to find out if your machine is already part of a botnet.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice