    Author Archive - Loucif Kharouni (Senior Threat Researcher)

    All of us have heard about SpyEye, a malware family of information/data stealers similar to ZeuS/ZBOT. SpyEye is sometimes called a “ZeuS killer” because it stops any ZeuS malware already present from running on the affected system. This topic was discussed before in the blog post, “Keeping an Eye on the EYEBOT and a Possible Bot War.”

    We were able to further investigate a command-and-control (C&C) server of a SpyEye botnet, most of whose zombies were located in Poland. This is somewhat unusual, as bot herders prefer to target Western countries like the United States, the United Kingdom, Germany, Italy, Spain, and France.

    This particular SpyEye C&C server is located in Ukraine:

    IP address: {BLOCKED}.{BLOCKED}.159.29
    Org: Tavria Host Network
    ISP: PAN-SAM Ltd.
    ASN: AS196814

    We were able to access different Control Panel tabs on this SpyEye server and saw some interesting bits of information such as its number of bots and their locations:

    [Screenshot: SpyEye control panel tab showing the number of bots and their locations]

    A statistical breakdown of the bots by OS, Internet Explorer version, and whether they run as administrators or not was also found:
    [Screenshot: statistical breakdown of bots by OS, Internet Explorer version, and administrator status]


    Last week it was reported that the Pushdo botnet, used to send spam using the Cutwail spamming module, was taken down, thanks to the efforts of several security researchers. Thirty command-and-control (C&C) servers of the Pushdo/Cutwail botnet were identified, almost 20 of which were taken down after their Internet hosting providers were notified.

    So far, the takedown appears to have been effective. Our monitoring indicates that the volume of spam sent by Cutwail bots has dropped significantly, and that the C&C servers Pushdo used have fallen silent since the takedown.

    It’s too early to tell whether this particular takedown will have real long-term effects. There have been many takedowns before, such as that of McColo in late 2008, but in many of these cases the affected botnets were able to recover and resume operations within weeks.

    Taking down botnets is a good thing, but it is not enough to stop the spam pandemic. The issue is that while this botnet may have been crippled, the spammers behind it are still at large and can continue to create botnets in the future. Spammers like these must be arrested and should spend time in jail if we are to have any real chance of winning the war on cybercrime. Trend Micro will continue to work closely with law enforcement to ensure that criminals like these are put behind bars.

    Last year, our researchers looked into the activities of the Pushdo/Cutwail botnet and released their findings in the paper “A Study of the Pushdo/Cutwail Botnet.”

    Posted in Botnets, Spam

    While conducting research, I encountered a curious-looking new ZeuS/ZBOT sample (detected as TSPY_ZBOT.ZCZ) using a very old toolkit version. I retrieved the sample two days ago. After some debugging/reversing, I found out that this specific sample targeted several banks around the globe, including Russian banks.

    Here is a snippet listing the targeted Russian banks and/or Yandex:

    @*/**TAN* *transactionID=* **TAN* *pincode=* *

    This ZeuS/ZBOT sample also targeted banks found in Germany, the United States, the United Kingdom, Poland, the Netherlands, Italy, Spain, France, Belarus, Bulgaria, Australia, Ireland, the United Arab Emirates, Turkey, and New Zealand.

    This is the first time I’ve seen ZeuS target Russian banks given that online banking is not so popular in Russia. I can recall a few ZeuS/ZBOT samples targeting Yandex services, but I definitely can’t recall anyone targeting MDM Bank or other online Russian banking systems.

    Is this a sign? Are we going to see more ZeuS/ZBOT variants targeting this region once online banking becomes as popular in Russia as it is in Western countries? If so, for how much will the cybercriminals sell the information they steal?

    These are just some of the thought-provoking questions that, I guess, only the future can answer.

    TrendLabs has also documented other interesting finds about ZeuS/ZBOT in the following entries:



    You might be wondering what this illustration is all about. Well, if you have heard or read about botnets, spam, and pay-per-install (PPI) techniques, you may realize that these three elements are related to one another. This discussion focuses on answering how.

    Correlation Mapping 101

    Before proceeding to determining the how, it is imperative that we understand the what first. Let me walk you through each of these elements. The tagged figures represent botnets. We have classified them into three categories—primary threats (in turquoise), comprising CUTWAIL, BREDO, SASFIS, and KOOBFACE; secondary threats (in red), comprising ZEUS, TDSS, and WALEDAC; and tertiary threats (in blue), comprising FAKEAV.

    The arrows represent the flow from point A to point B. A green arrow means that botnet A sends a malicious file related to botnet B via email. A purple arrow means that botnet C downloads a variant of botnet D (pay-per-install). For example, CUTWAIL sends a malicious file related to ZeuS via email. CUTWAIL can also send files related to BREDO, FAKEAV, and SASFIS via email. BREDO, on the other hand, can download a file related to KOOBFACE, which in turn can download FAKEAV.

    Looking at the Big Picture

    Malware related to these botnets can function on its own; none depends on another to perform its malicious routines on affected systems. Let us take BREDO again as an example. When a user detects BREDO on his/her system, the user only knows that the system is infected by BREDO. However, since BREDO is a downloader of other malware (as indicated in the correlation map), we can expect the user’s system to be infected by more than two different kinds of malware. If this is the case, one cannot readily identify which malware variant infected the system and executed its payload first.

    Say, for example, a user scans the system and finds that it is infected by ZeuS, BREDO, and CUTWAIL. Which of these came first?

    To attempt to answer this tough question, let us trace some trails where we can make a couple of assumptions. From the illustration, we can deduce that either BREDO or CUTWAIL was the original infector. If the user receives an email pointing to BREDO, then CUTWAIL was the first. Otherwise, BREDO came first, which in turn downloaded CUTWAIL and ZeuS onto the affected system.
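The reasoning in the last two paragraphs can be written down as a small graph query. The following is an added example (not Trend Micro's code, and not a tool described in the post): it encodes the arrows the post names, lists which of the families observed on a machine could have been the original infector (every other observed family must be reachable from it), and then narrows that list with the kind of delivery evidence the post mentions (an e-mail carrying BREDO). The edge table is transcribed only from the relationships the text spells out; the real map has more arrows, so the table is an assumption standing in for the illustration.

```python
"""Botnet correlation map as a directed graph, plus a helper that answers the
post's "which came first?" question for a set of malware found on one machine.

Added example, not Trend Micro's code.  CORRELATION_MAP is an assumption built
only from the arrows the post describes in prose; the real map has more.
"""
from collections import deque

# Edge labels follow the post: "email" for green arrows, "ppi" for purple ones.
CORRELATION_MAP = {
    "CUTWAIL": {"ZEUS": "email", "BREDO": "email", "FAKEAV": "email", "SASFIS": "email"},
    "BREDO": {"KOOBFACE": "ppi", "CUTWAIL": "ppi", "ZEUS": "ppi"},
    "KOOBFACE": {"FAKEAV": "ppi"},
    "ZEUS": {}, "TDSS": {}, "WALEDAC": {}, "FAKEAV": {}, "SASFIS": {},
}


def reachable(graph, start):
    """Set of families reachable from `start` by following arrows (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, {}):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def candidate_first_infectors(graph, observed):
    """Families in `observed` from which every other observed family is reachable.

    Only these can have been the original infector: a family that cannot reach
    some other observed family could not have brought it onto the machine.
    An empty result means the map alone cannot explain the combination
    (separate infections, or an arrow the map does not contain)."""
    observed = set(observed)
    return sorted(f for f in observed if observed - {f} <= reachable(graph, f))


def narrow_by_delivery(graph, candidates, delivered, kind):
    """Keep candidates that could have delivered `delivered` by the observed channel.

    The post's example: if the victim received an e-mail carrying BREDO, only a
    family with an "email" arrow into BREDO (CUTWAIL) can have been first."""
    return [c for c in candidates if graph.get(c, {}).get(delivered) == kind]


if __name__ == "__main__":
    found = ["ZEUS", "BREDO", "CUTWAIL"]          # the post's scan result
    firsts = candidate_first_infectors(CORRELATION_MAP, found)
    print("could have been first:", firsts)       # ['BREDO', 'CUTWAIL']
    print("if BREDO arrived by e-mail:",
          narrow_by_delivery(CORRELATION_MAP, firsts, "BREDO", "email"))  # ['CUTWAIL']
    print("ZEUS + TDSS only:", candidate_first_infectors(CORRELATION_MAP, ["ZEUS", "TDSS"]))  # []
```

The third call shows the limit of this kind of inference: with the arrows the post describes, ZEUS and TDSS on the same machine have no common explanation, so the analyst has to look for evidence outside the map rather than pick a "first" by guesswork.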

    Forging Alliances Is Key

    Anyone can probably tell that the correlation map is pretty complicated so one cannot help but feel a little overwhelmed by its sophistication. However, from the point of view of cybercriminals doing business underground, understanding how the elements in the map work is easy enough.

    Let us illustrate by taking BREDO and CUTWAIL again from the previous example. Since CUTWAIL spammed messages contain BREDO variants, we can say that the criminals behind BREDO are paying the criminals behind CUTWAIL to do just that, and that they are paid per machine infected by the BREDO variant they spammed. Note that these infected machines, which are part of the CUTWAIL botnet, report back to the BREDO botnet master. The same case applies between ZeuS and BREDO: the criminals behind ZeuS pay the minds behind BREDO to install their malware. As we all know, ZeuS malware steals bank account information, among other things (e.g., POP3 and FTP accounts). At the end of the day, the aim of this succession of infections is to steal money from affected users. Keep in mind that every time a primary botnet downloads another malware, the criminals behind that botnet are paid.

    There is an ongoing cycle of money moving from one place to another. Criminals behind FAKEAV get paid if users buy their fake antivirus programs and they use this money to pay other botnets to spread their programs.

    The ZeuS operators use several different business models, depending on the data they steal: they can either sell the stolen data or rent out their own botnet.

    For your reference, you can find detailed research for some of the botnet-related malware here plus a new report outlining the business of cybercrime here.

    Posted in Botnets

    TrendLabs engineers recently discovered that cybercriminals now use shortened URLs to spam malware via instant-messaging (IM) applications like Yahoo! Instant Messenger and MSN. As we all know, URL-shortening services compress long and unreadable URLs into short, bite-sized ones. Short URLs are more portable and are now preferred over the (normally long) actual URLs when one wishes to share news within networks using their own websites, blogs, Tweets, and other social media tools.

    The bad guys seem to have changed their strategy. We have gotten used to seeing malicious URLs like http://{BLOCKED}, http://www.{BLOCKED}, and http://www.{BLOCKED} in instant messages. Now, we see a slew of instant messages containing shortened URLs like http://{BLOCKED}.com/pict04042010jpg and http://{BLOCKED}.com/va98d.

    Shortened URLs serve cybercriminals in two ways. First, they make it harder for antivirus companies to block malicious URLs, as it takes longer to get to the landing link. Second, URL-shortening services can be used by cybercriminals to trick users into clicking suspicious links.
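The "longer to get the landing link" point is a practical one: a short URL is only a redirect, so a defender has to expand it before the destination can be checked against a blocklist. The following added example (not Trend Micro's code) resolves a short URL to its landing link with HEAD requests only, so the landing page is never downloaded, and stops on redirect loops, excessive hop counts and non-HTTP destinations. The resolver takes a `head` callable so it can be run offline: `FAKE_REDIRECTS`, `short.example` and `hop.example` are constructed stand-ins for a shortener and the hops behind it, while `http_head` is the real-network version built on the standard library.

```python
"""Expand a shortened URL to its landing link by following redirects with HEAD
requests, without downloading the landing page.

Added example, not Trend Micro's code.  FAKE_REDIRECTS and the *.example hosts
are constructed; http_head is a real standard-library implementation.
"""
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def http_head(url, timeout=5):
    """Issue one HEAD request and return (status, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_short_url(url, head=http_head, max_hops=MAX_HOPS):
    """Follow redirects from `url`; return (final_url, chain, reason).

    reason is "landed" when a non-redirect status is reached, "loop" when a
    URL repeats, "too_many_hops" past max_hops, and "bad_scheme" when a hop
    points at something other than http/https (never contacted)."""
    chain, seen, current = [url], {url}, url
    for _ in range(max_hops):
        if urlsplit(current).scheme not in ("http", "https"):
            return current, chain, "bad_scheme"
        status, location = head(current)
        if status not in REDIRECT_STATUSES or not location:
            return current, chain, "landed"
        nxt = urljoin(current, location)   # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return nxt, chain, "loop"
        seen.add(nxt)
        current = nxt
    return current, chain, "too_many_hops"


# Constructed redirect table: a shortener, an intermediate hop, and the final file.
FAKE_REDIRECTS = {
    "http://short.example/va98d": (301, "http://hop.example/r?id=7"),
    "http://hop.example/r?id=7": (302, "/final.scr"),
    "http://hop.example/final.scr": (200, None),
    "http://short.example/loop1": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop1"),
    "http://short.example/ftp": (302, "ftp://files.example/x"),
}


def fake_head(url):
    """Offline stand-in for http_head backed by FAKE_REDIRECTS."""
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    for u in ("http://short.example/va98d", "http://short.example/loop1", "http://short.example/ftp"):
        final, chain, reason = expand_short_url(u, head=fake_head)
        print(f"{reason:14s} {' -> '.join(chain)}")
```

Two caveats when pointing `http_head` at real services: some shorteners answer HEAD with 405 or serve an interstitial preview page instead of a redirect, which this code reports as "landed" and which therefore still needs a look, and the expansion itself should run from an isolated analysis host, since the final hop is the same server the spam is trying to get victims to reach.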

    Malware that spreads via IM applications tailors its messages to the OS the computer uses. Cybercriminals have also been known to use shortened URLs for spamming purposes, as shown in the following screenshots:

    [Screenshots: sample instant messages containing shortened URLs]

    Clicking the shortened URLs in the sample instant messages leads to the download of {BLOCKED}082010-jpg-www-facebook-com.scr, detected as WORM_BUZUS.AG, which propagates via physical/removable/floppy drives and peer-to-peer (P2P) networks by spoofing the names of some popular applications, games, and movies. It is also capable of launching a denial-of-service (DoS) attack using SYN floods.

    Trend Micro™ Smart Protection Network™ protects users from this kind of threat by blocking access to all related malicious URLs and preventing the download and execution of the malicious file.

    Update as of April 12, 2010, 3:00 p.m. (GMT +8:00):

    The links were also found to download a new KOOBFACE variant detected as WORM_KOOBFACE.ZD.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice