This is the second half of our 2-part report about how cybercrime kits aid cybercriminals in conducting malicious attacks. The first post primarily discussed how the Phoenix Exploit Kit is used to exploit many possible bugs on a user’s system, thus leading to system compromise. This second part discusses the employment of the DLoader toolkit, and how the earlier mentioned compromise escalates further to the installation of multiple malware into the user’s system.
DLoader and the Botnet Business Model
The distribution of malware is typically conducted within partnerships and affiliate programs. One model used to monetize botnet operations is known as the pay-per-install (PPI) model, wherein affiliate programs pay malware distributors whenever the distributor installs a specific piece of malware onto a victim’s computer.
DLoader is a Web-based administration tool that allows botnet operators to manage the malware that they force the bots under their control to install. For each installation, the botnet operator receives payment from partners or affiliates.
DLoader is advertised on underground forums for approximately US$250. While it primarily serves to install other malware, it can also come with additional modules such as an FTP GRABBER that steals FTP credentials and a POKER ACCOUNT GRABBER that steals login information for popular online poker sites. These cost up to US$200. The FTP stealer is important because it allows the botnet operators to inject legitimate websites with malicious code that directs users to an exploit kit. This way, the botnet operator is able to maintain a steady supply of victims. These modules are detected by Trend Micro as TROJ_XORPE.JAN.
Country-specific Malicious Payloads
We analyzed several instances of DLoader on the server. One of the instances had 7,957 bots, primarily from Vietnam and Indonesia. Another had 10,726 bots, primarily from Germany and Russia. The instances of DLoader on this server contained a variety of executable malware that was distributed based on the bot’s country of origin.
For example, bots in Germany were exclusively directed to download a version of SpyEye (TSPY_SPYEYE.ATC). Targets in the United States, Canada, United Kingdom, Australia, and France were also directed to download SpyEye, albeit a different variant (TROJ_SPYEYES.JAN).
Meanwhile, Russian victims received a Meredrop variant (TROJ_MEREDROP.TG). The default downloads were various fake antivirus products.
To appreciate the variety of malware that was distributed via this server, here are our detection names for the files we analyzed:
While small-scale botnets often escape detailed scrutiny, they are still important components of the malware underground. Their operators act as consumers of malicious toolkits as well as suppliers of victims to larger botnet operators and fake antivirus suppliers. The malicious toolkits that are available allow aspiring cybercriminals with limited technical know-how to access exploits and malware that would otherwise be beyond their own capabilities.