This post is the first of a two-part report about how cybercrime kits such as exploit toolkits enable even the less technical of cybercriminals to build botnets and conduct malicious attacks.
Large-scale botnets that compromise hundreds of thousands of systems around the world receive plenty of attention and deservedly so. However, there are many smaller botnets that often escape such scrutiny. The tools and services required to create, maintain, and profit from a botnet are widely available in the cybercrime underground for a price. These do-it-yourself (DIY) cybercrime kits enable those with limited technical skills to create botnets of their own.
The tools available include exploit kits, which attempt to deliver exploits to a visitor’s system based on which vulnerable software is present on that system, as well as traffic direction systems, which divert visitors to other websites or direct them to download additional malware.
Sophisticated Malware Distribution Schemes
These tools allow botnet operators to form partnerships or to participate in affiliate programs. These programs allow distributors to pay to have their own malware installed by the botnet operator. A single botnet may be used to distribute a wide variety of malware such as SpyEye, ZeuS, or fake antivirus software.
Cybercriminals need to generate traffic to their malicious websites so they can attempt to install malware onto the visitor’s computer. In order to generate traffic, botnet operators often purchase FTP credentials for legitimate websites in underground chat rooms and forums. In addition, once their botnets are operational, their operators can extract FTP credentials from the systems that they managed to compromise. These stolen credentials are then used to compromise legitimate websites, which are then modified to redirect users to servers under the control of the criminals themselves.
This post analyzes the operation of a single malicious server that is used to receive traffic from compromised websites. Visitors are then redirected to an exploit kit. If a visitor’s system is compromised, the visitor’s computer then connects to a loader, which pushes a wide variety of malware onto the visitor’s computer, depending on the visitor’s geographic origin. All of these tools and methods are available to prospective cybercriminals in the cybercrime underground.
Phoenix Exploit Kit
In this specific case, three malicious iframes were inserted into a legitimate website. These cause a visitor’s computer to load external websites that are under the control of botnet operators. One of the iframes silently connects visitors to a server that hosts instances of the Phoenix Exploit Kit.
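As an added defender-side illustration (not code from the original post), the following Python check flags iframes that are both hidden and point off-site, the injection pattern described above. The sample HTML and the placeholder domain it contains are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page into which a hidden iframe has been
# injected. "injected.example" is a placeholder, not a real indicator.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://injected.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="/local/widget.html"></iframe>
</body></html>"""


class IframeFinder(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """Heuristic: zero/one-pixel frames or CSS that hides the frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    dims = [(attrs.get(k) or "").strip().lower() for k in ("width", "height")]
    return (any(d in ("0", "0px", "1", "1px") for d in dims)
            or "display:none" in style
            or "visibility:hidden" in style)


def suspicious_iframes(html, site_host):
    """Return src values of iframes that are hidden AND load an off-site host.

    Relative URLs (no hostname) are treated as on-site and not reported.
    """
    parser = IframeFinder()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        off_site = host is not None and host.lower() != site_host.lower()
        if off_site and _is_hidden(attrs):
            hits.append(src)
    return hits
```

Running `suspicious_iframes(SAMPLE_HTML, "www.example.com")` reports only the injected frame; visible embeds and same-site frames pass.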
The exploit kit attempts to determine the OS and browser version of the visitor and serves an appropriate exploit designed to execute malware on the visitor’s computer. It contains exploits for popular software packages such as Adobe Flash Player, Adobe Reader, and Java.
In total, this instance of the Phoenix Exploit Kit received 17,628 visitors and successfully exploited 850 (4.82 percent) of them. The exploit kit found the most success targeting vulnerable versions of Java. After successful exploitation, a malicious executable (detected as TROJ_RENOS.NRT) is dropped onto the visitor’s computer, which then connects to a completely different set of command-and-control (C&C) servers.
Connections to Other Toolkits
Nearly all of the visitors to this instance of the Phoenix Exploit Kit originated from the United Kingdom. This suggests that the botnet operators may have purchased UK-specific traffic from other cybercriminals or managed to compromise websites that are popular in Britain.
This same server also contained other instances of the Phoenix Exploit Kit. In every case, including the one discussed above, the kit dropped payloads that connected to instances of DLoader hosted on the same server. For example, the other instances received 5,871 visitors, primarily from Germany and Russia. Of these, 360 (6.13 percent) were successfully exploited, with Java exploits again proving the most successful.
The malicious payload forced the visitor’s computer to connect to instances of DLoader hosted on the same server. The payloads of these Phoenix Exploit Kit copies are detected by Trend Micro as TROJ_INJECT.XSI, TROJ_DLOADER.TEP, TROJ_BAMITAL.AJ, and TROJ_OBFUS.CJ.
For the second part of this report, which we will release in the near future, we will further discuss the DLoader toolkit, and how it is used for the pay-per-install botnet business model.