When security researchers encounter a piece of code, they often have little idea about its ultimate objective. Analysts have to play online gumshoe when it comes to tracing the relationship of a single file to what is very often a multi-component attack.
Storm has been in the foreground for quite some time as a primary example of how rampant (and undetected) zombified computers have become. Whenever analysts want to talk about the Internet’s propensity to help administer organized crime, the Storm botnet always comes to mind. Several reports in the past few months point to Storm’s various nefarious activities:
- downloading Bancos info-stealers in February
- advertising Canadian pharmaceutical products in January
- phishing information from Royal Bank of Scotland customers, also in January
Now we are beginning to see Zango-related codes being passed around and distributed among known Storm proxies.
One of these files, now detected as TROJ_MUTANT.BN, is an AdPack kit that contains a file named zango.php. This file holds CLSIDs similar to those modified by Zango or Hotbar routines.
The other PHP files, detected as either JS_AGENT.BB or PHP_MPHAK.AL, seem to be products of signature detection’s arch-enemy: server-side polymorphism. This technique lets malware writers serve a slightly different version of a file (technically a new variant) each time the remote malicious server is accessed (typically by an infected computer), so a hash or byte-pattern signature taken from one download does not match the next.
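Server-side polymorphism beats a file-hash signature because every download is a new file, so the defender's answer is to hash what does not change: the structure of the code once comments, whitespace and identifier names are stripped away. The following is an added example and not code from the original post or from Trend Micro; the two JavaScript snippets are constructed stand-ins that imitate the kind of cosmetic variation such a server produces, not samples of JS_AGENT.BB or PHP_MPHAK.AL, and the URLs in them are placeholders.

```python
import hashlib
import re

# Constructed stand-ins for two downloads of "the same" script from a
# polymorphic server: same logic, different comment, whitespace and names.
VARIANT_A = """
// build 8812
var a1 = "hxxp://example.invalid/next";
function f1(u) { window.location = u; }
f1(a1);
"""

VARIANT_B = """
/* rotated 99213 */
var zq = "hxxp://example.invalid/next";
function kk(u) {
  window.location = u;
}
kk(zq);
"""

# Constructed script that differs in substance (another target string),
# used to show the normalized fingerprint does not collapse everything.
VARIANT_C = """
var p = "hxxp://example.invalid/other";
function g(u) { window.location = u; }
g(p);
"""

# One regex tokenizes the source. Comments come first so they are consumed as
# whole tokens; string literals come before bare punctuation so a "//" inside a
# string is never mistaken for a comment.
TOKEN_RE = re.compile(
    r"/\*.*?\*/"          # block comment
    r"|//[^\n]*"          # line comment
    r"|\"[^\"]*\""        # double-quoted string
    r"|'[^']*'"           # single-quoted string
    r"|[A-Za-z_$][\w$]*"  # identifier or keyword
    r"|\S",               # any other single non-space character
    re.S,
)
IDENT_RE = re.compile(r"[A-Za-z_$][\w$]*")

# Names that carry meaning and must survive renaming (assumed minimal set).
KEEP = {"var", "function", "return", "if", "else", "new",
        "window", "document", "location"}


def normalize(src: str) -> str:
    """Drop comments and whitespace, rename identifiers in order of first use."""
    mapping = {}
    out = []
    for tok in TOKEN_RE.findall(src):
        if tok.startswith("//") or tok.startswith("/*"):
            continue  # comments are pure noise for this fingerprint
        if IDENT_RE.fullmatch(tok) and tok not in KEEP:
            mapping.setdefault(tok, f"id{len(mapping)}")
            tok = mapping[tok]
        out.append(tok)
    return " ".join(out)


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def raw_hashes_match(a: str, b: str) -> bool:
    """What a plain file-hash signature sees."""
    return sha256_hex(a) == sha256_hex(b)


def normalized_hashes_match(a: str, b: str) -> bool:
    """What a structure-based signature sees."""
    return sha256_hex(normalize(a)) == sha256_hex(normalize(b))


def unique_fingerprints(samples, fn=normalize):
    """Count distinct fingerprints across a set of downloads."""
    return {sha256_hex(fn(s)) for s in samples}


if __name__ == "__main__":
    downloads = [VARIANT_A, VARIANT_B, VARIANT_C]
    print("raw hashes:       ", len(unique_fingerprints(downloads, fn=lambda s: s)))
    print("normalized hashes:", len(unique_fingerprints(downloads)))
    print("A ~ B:", normalized_hashes_match(VARIANT_A, VARIANT_B))
    print("A ~ C:", normalized_hashes_match(VARIANT_A, VARIANT_C))
```

Three downloads yield three raw hashes but only two normalized ones: A and B collapse to the same fingerprint, while C keeps its own because the string literal it acts on is different. String literals are deliberately kept in the fingerprint here; a production detector would usually fingerprint them separately so that a rotating URL does not defeat the match either.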
At this time, we have no explicit knowledge of why Storm (or some portion of it) may be pushing Zango adware, nor whether Zango explicitly knew about this situation or authorized it. Zango (also ePIPO, 180solutions, HotBar) is an adware company with a history of distributing software that runs on startup, displays advertisements, and comes bundled with other software.
Trend Micro and Zango are in contact and expect to work together to more fully understand the situation.
Users whose computers are under the control of a botnet often have little idea that their machines are involved in any of the activities the botnet is currently performing. It therefore becomes a big responsibility for users to make sure not only that they are not infected by these botnet malware agents (by using adequate and updated Web Threat Protection technology) but also that they are not aiding in carrying out online theft and fraud.
Update — 17 May 2008 23:34 PDT: After further review, it appears the ‘AdPack’ exploit toolkit and the Storm authors are specifically targeting systems with Zango-related software installed.
We apologize for the confusion.
Updated by Paul Ferguson, Advanced Threats Research