    Archive for June, 2013

    Command-and-control (C&C) server communication is essential for botnet creators to control zombie computers (or bots). To hide this from security researchers, they often use rootkits and other “tricks”. However, hiding the network traffic – specifically from monitoring outside an infected computer – is not an easy task, but is something that the botnet creators have improved through the years.

    Detecting and blocking C&C communication is one way to protect users against the dangers of botnets. Threat actors know this, thus they have developed different ways to make the C&C communication more resistant to network security products.

    In this report, we will discuss how the latest wave of Pushdo variants keeps its C&C communication channel under the radar. Known as a spamming botnet, Pushdo/Cutwail has been taken down several times in the past. It is also known to distribute ZeuS/ZBOT variants.

    Pushdo Hides Among the Crowd

    If you are a potential attacker, the best way to not get caught is to blend your communications with normal/legitimate traffic and appear as inconspicuous as possible. Pushdo creators understand this and adopted this strategy into their latest malware.

    As shown in Figure 1, these Pushdo variants send out numerous HTTP requests. Among them are requests to the real C&C server. However, most of these requests serve as mere distractions.


    Figure 1. PUSHDO Network Traffic Snippet

    The malware sample we analyzed contains an encrypted list of 200 domains (see Figure 2). It randomly chooses 20 among them and requests either the root path or the path of “?ptrxcz_[random]”. Some of these domains belong to large companies or famous educational institutions, while some are obscure websites. This makes C&C server identification using network traffic analysis more difficult as it can be tough to distinguish real C&C connections among the fake ones.


    Figure 2. Decrypted list of the 200 domains

    Another by-product of this fake C&C feature is the potential distributed denial-of-service (DDoS) the malware can initiate against the 200 web servers on the list. Though the true intention is not to execute this attack, the huge number of useless requests eats up a lot of bandwidth on these websites.

    Sandbox analysis is a popular tool in malware analysis. Many organizations have adopted some kind of automatic sandbox system to detect and block unknown malware. This fake C&C feature, however, poses new challenges to these systems. Before adding a server to the C&C blacklist, a system needs to check the whitelist first. If the whitelist is not good enough, there may be false positives that inadvertently make legitimate websites inaccessible to users.
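The decoy-request behaviour and the whitelist caveat above, as an added example (this is not Trend Micro's code and nothing from the Pushdo sample): a Python pass over constructed outbound-HTTP log lines that scores each client by distinct-domain fan-out and by the `ptrxcz_` query marker, then removes allowlisted domains before anything is proposed for a blocklist. The log format, the domain names, the fan-out threshold and the allowlist contents are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of outbound HTTP requests in the form a proxy or sensor
# might log them: "<client_ip> <method> <url>". Domains are placeholders.
SAMPLE_LOG = """\
10.0.0.5 GET http://univ-example.edu/?ptrxcz_Ab3k9Q
10.0.0.5 GET http://bigcorp-example.com/
10.0.0.5 GET http://obscure-site-example.net/?ptrxcz_Zq81xL
10.0.0.5 GET http://cc-placeholder.example/gate.php
10.0.0.5 GET http://news-example.org/?ptrxcz_Pl0wq2
10.0.0.9 GET http://bigcorp-example.com/index.html
10.0.0.9 GET http://news-example.org/
"""

# Known-good domains (constructed). The blocklisting step consults this first.
ALLOWLIST = {"univ-example.edu", "bigcorp-example.com", "news-example.org"}

# Query marker from the post; only the "ptrxcz_" prefix is fixed, the rest is random.
DECOY_MARKER = re.compile(r"^ptrxcz_")

def parse_log(text):
    """Yield (client, domain, query) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        client, _method, url = parts
        u = urlsplit(url)
        if u.hostname:
            yield client, u.hostname.lower(), u.query

def analyze(text, allowlist, fanout_threshold=4):
    """Per client: distinct-domain fan-out, decoy-marker hits, and the contacted
    domains split into allowlisted names and blocklist candidates."""
    per_client = defaultdict(lambda: {"domains": set(), "marker_hits": 0})
    for client, domain, query in parse_log(text):
        per_client[client]["domains"].add(domain)
        if DECOY_MARKER.match(query):
            per_client[client]["marker_hits"] += 1
    report = {}
    for client, rec in per_client.items():
        suspicious = len(rec["domains"]) >= fanout_threshold or rec["marker_hits"] > 0
        report[client] = {
            "suspicious": suspicious,
            "distinct_domains": len(rec["domains"]),
            "marker_hits": rec["marker_hits"],
            # Allowlisted names are dropped before anything becomes a candidate;
            # the decoys are chosen precisely so that a naive blocklist would hit them.
            "candidates": sorted(rec["domains"] - allowlist) if suspicious else [],
            "allowlisted": sorted(rec["domains"] & allowlist),
        }
    return report

if __name__ == "__main__":
    for client, rec in analyze(SAMPLE_LOG, ALLOWLIST).items():
        print(client, rec)
```

The fan-out score and the marker are two independent signals: the marker is cheap but trivially changed by the authors, while the fan-out to many unrelated domains in one burst is the harder-to-hide behaviour. Either way, the candidates list is only a starting point for analyst review, not a blocklist.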

    Pushdo DGA Complicates Matters

    Another noteworthy PUSHDO feature is its domain generation algorithm (DGA). DGAs are popular among botnet malware these days. Their purpose is to make malware more resistant to C&C takedowns.

    Pushdo in particular uses the calendar date as the seed in its DGA and generates 30 domains for each day. It tries to connect not only to the domains for a given day, but also to all domains generated for the days between 30 days earlier and 15 days later. In other words, it may try to connect to 1380 domains each day (46 days × 30 domains). It seems most of them are parked domains right now and point to an advertisement page (Figure 3).


    Figure 3. Screenshot of Pushdo Generated Domain

    This DGA feature can be challenging for behavior and sandboxing analysis. Sandboxing analysis alone, without reverse engineering the malware and figuring out its DGA, may not be enough to block C&C communication, as the malware generates different domains for each day.
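The 30-domains-per-day window described above, worked through as an added example (this is not Trend Micro's code and not Pushdo's actual generator, which the post does not disclose): `hypothetical_dga` is a stand-in hash-based generator so that the arithmetic can be run; the point is the window size (46 days, 1380 candidates) and that each new calendar day activates 30 domains that a sandbox run on the previous day could not have observed, which is why a sandbox-derived blocklist goes stale without the reverse-engineered DGA. The run date and the `.example` TLD are constructed.

```python
import hashlib
from datetime import date, timedelta

DOMAINS_PER_DAY = 30   # from the post
DAYS_BACK = 30         # from the post
DAYS_AHEAD = 15        # from the post
TLD = ".example"       # reserved TLD: generated names can never resolve
RUN_DATE = date(2013, 6, 20)  # constructed run date for the demonstration

def hypothetical_dga(day, index):
    """Stand-in generator (assumption): a hash of the date and slot number.
    The real Pushdo algorithm is not on the page; only its date seed is."""
    digest = hashlib.sha256(f"{day.isoformat()}:{index}".encode()).hexdigest()
    return digest[:12] + TLD

def window(today):
    """Calendar days whose domains the bot tries on `today`: 30 back to 15 ahead."""
    return [today + timedelta(days=d) for d in range(-DAYS_BACK, DAYS_AHEAD + 1)]

def candidate_domains(today, generator=hypothetical_dga):
    """Every domain the bot may contact on `today`, precomputed for a blocklist
    or sinkhole rather than waiting for a sandbox to observe the attempts."""
    return {generator(day, i) for day in window(today) for i in range(DOMAINS_PER_DAY)}

def newly_active(today, generator=hypothetical_dga):
    """Domains that enter the window on the day after `today`: what a blocklist
    derived from a single sandbox run on `today` will already be missing tomorrow."""
    tomorrow = today + timedelta(days=1)
    return candidate_domains(tomorrow, generator) - candidate_domains(today, generator)

def summary(today=RUN_DATE):
    """Counts a defender cares about for one run date."""
    return {
        "window_days": len(window(today)),
        "candidates": len(candidate_domains(today)),
        "new_tomorrow": len(newly_active(today)),
    }

if __name__ == "__main__":
    s = summary()
    print(s["window_days"], "days in window")
    print(s["candidates"], "candidate domains today")
    print(s["new_tomorrow"], "domains appear tomorrow that were not tried today")
```

Once the real generator is recovered from the binary, `candidate_domains` can be called with it in place of the stand-in and run for future dates, so that registrations and sinkholes are in place before the bots start looking.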

    During our analysis, we effectively monitored Pushdo’s C&C using Trend Micro Web Reputation Services feedback. As shown in Figure 4, there were attempts to connect to one of the C&C servers. The query requests came from different locations, suggesting that there are still other computers infected by this malware.


    Figure 4. Requests sent to Trend Micro Web Reputation Service

    Traditional methods of combating malware, such as file-signature detection, may not be sufficient in today’s threat landscape. Malware authors and the like have developed effective tactics against signature-based detection, such as polymorphism and the use of packers.

    Monitoring the behavior of malware inside a sandbox is a good approach to address this challenge, but it is not a standalone solution. Malware like PUSHDO proves that relying on one solution is not enough. Such technology, coupled with deep analysis and tools like Web Reputation Services, provides more robust protection against these threats.

    Posted in Malware | Comments Off on Latest Pushdo Variants Challenge Antimalware Solution

    From the arrest of one of the head members of the ransomware gang to the successful Rove Digital takedown, coordination between law enforcement agencies and security groups has time and again yielded positive results. This time, the Taiwan Criminal Investigation Bureau (CIB), in cooperation with Trend Micro, resolved a targeted attack involving the notorious Ghost RAT family. One person was arrested by the CIB.

    BKDR_GHOST (aka Gh0st RAT or TROJ_GHOST), a well-known remote access Trojan (RAT), is commonly used in targeted attacks and is widely available to threat actors and cybercriminals alike.

    In this specific targeted attack, the attackers delivered BKDR_GHOST to unsuspecting targets via custom spear phishing emails containing a link from which the malware is automatically downloaded. The email poses as the Taiwan Bureau of National Health Insurance, which makes it convincing enough to lure the targets into clicking and eventually executing the malware.

    To avoid easy detection, the attackers designed these emails to contain a link which redirects users to a specific site and automatically downloads an official-looking RAR archive file. Moreover, to further persuade users to open a document file inside the archive, the attacker made use of an old but effective file naming trick: appending multiple spaces between the document extension (in this case, .DOC) and an executable extension (in this case, .EXE). This is still effective because the multiple spaces push the real file extension out of view in the small RAR window. Our threat discovery solutions detect malware with this trait as HEUR_NAMETRICK.A in ATSE 9.740.1046.
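The padded-extension naming trick above, as an added example (this is not Trend Micro's HEUR_NAMETRICK.A logic): a Python check that flags archive member names in which a document extension is followed by a run of spaces and then an executable extension. It accepts any listing of member names, so it generalizes beyond RAR; the sample archive is constructed as a ZIP because only ZIP is in the standard library, and the extension lists are assumptions.

```python
import io
import re
import zipfile

# Extensions a recipient expects to see, and extensions that actually run (assumed lists).
DOC_EXT = r"(?:doc|docx|xls|xlsx|ppt|pptx|pdf|txt|rtf)"
EXEC_EXT = r"(?:exe|scr|com|pif|bat|cmd|vbs|js)"

# A document extension, a run of spaces, then the real extension at the very
# end of the name; the spaces push ".exe" out of a narrow archive-viewer column.
NAME_TRICK = re.compile(rf"\.{DOC_EXT} +\.{EXEC_EXT}$", re.IGNORECASE)

def padded_extension(name):
    """True if the file name hides an executable extension behind padding spaces."""
    leaf = name.rsplit("/", 1)[-1]  # archives store paths; judge the file name only
    return NAME_TRICK.search(leaf) is not None

def scan_archive_names(names):
    """Return the offending member names from any archive listing (ZIP, RAR, ...)."""
    return [n for n in names if padded_extension(n)]

def scan_zip_bytes(blob):
    """Apply the check to a ZIP held in memory; the stdlib has no RAR reader,
    so a RAR listing would be passed to scan_archive_names() by other means."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return scan_archive_names(zf.namelist())

def build_sample_zip():
    """Constructed archive: one benign document and one padded-extension decoy.
    The decoy's content is inert text, not an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.doc", b"benign placeholder")
        zf.writestr("notice.doc" + " " * 40 + ".exe", b"placeholder text")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_zip_bytes(build_sample_zip()))
```

The check deliberately keys on the trailing extension rather than on what the name looks like at a glance, which is the same asymmetry the trick exploits against a human reader in a narrow window.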

    BKDR_GHOST infection chain

    Once the user opens the disguised malware, which is an executable archived file itself, the following are dropped and executed:

    • %windir%\addins\ACORPORATION.VBS (detected as VBS_GHOST) – executes Gh0st RAT installation script (AMICROSOFT.VBS)
    • %windir%\addins\AMICROSOFT.VBS (detected as VBS_GHOST) – extracts password protected Gh0st RAT archive (
    • %windir%\addins\Atask.bat (detected as BAT_GHOST) – searches for and overwrites the following files with the extracted Gh0st RAT components:
      • AdobeARM.exe
      • jusched.exe
      • Reader_sl.exe
    • %windir%\addins\ – contains 2 BKDR_GHOST variants performing similar malicious behaviors:
      • put.exe (Detected as BKDR_GHOST)
      • cd.exe (Detected as BKDR_GHOST)

    In another attempt to be inconspicuous, the final BKDR_GHOST payloads are stored in a password-protected archive file (, the passwords for which can be found inside the installation script AMICROSOFT.VBS. Once these BKDR_GHOST variants are executed, the attackers gain full access to the infected system to perform their malicious deeds, navigating through the system and exfiltrating valuable data such as personal information.

    Figure 1: Flow of the targeted attack

    Figure 2: Detailed malware execution flow

    To avoid falling prey to these attacks, we highly encourage users to always be cautious before opening any attachments or clicking links contained in email messages. It is fairly common for attackers to spoof government agencies and other institutions, thus users must verify the legitimacy of the email they receive. For more information about how targeted attacks work, you may read our paper Targeted Attack Entry Points: Are Your Business Communications Secure?

    Posted in Targeted Attacks | Comments Off on Targeted Attack in Taiwan Uses Infamous Gh0st RAT

    In recent months, we’ve seen spam, phishing, and other email attacks increasingly use messages that are, as far as users can tell, identical to legitimate messages. In many cases, this is because the attackers did modify legitimate messages and use them for their attacks.

    These attacks are difficult to detect using content-based systems because of this strong resemblance to legitimate messages. Any filter that is designed to detect these attacks has a good chance of having an unacceptably high false positive rate as well.

    However, we have used the correlation abilities provided by the Smart Protection Network to effectively detect the messages. While these messages may be similar in content, using Big Data techniques we are able to determine other key differences between legitimate and malicious messages and identify the latter.

    If anything, our correlation-based methods render these techniques used by attackers counterproductive. Unlike traditional solutions, our techniques actually work better with emails that are harder for users to spot. Sophisticated attacks that imitate legitimate messages “stand out” with our new methodology, making it easier for Trend Micro to block these attacks. The “stealthier” an attack is to human eyes, the easier it is to spot using Big Data.

    The details of this methodology will be published next week in a white paper. This methodology highlights Trend Micro’s ability to combine Big Data analytics and our existing threat expertise to create new methods to protect users and create solutions to today’s security threats.

    Posted in Spam | Comments Off on Turning Sophisticated Phishing Against Itself

    I recently obtained a PoisonIvy sample which uses a legitimate application in an effort to stay under the radar.

    In this case, the PoisonIvy variant detected as BKDR_POISON.BTA (named newdev.dll) took advantage of a technique known as a DLL preloading attack (aka binary planting) instead of exploiting previously known techniques. The malware was located in the same folder as the legitimate application, vnetlib.exe (VMware Network Install Library Executable). Executing vnetlib.exe automatically loads BKDR_POISON.BTA instead of the legitimate newdev.dll (Add Hardware Device Library) located in the %System% folder. Once the malware loads, it creates a registry entry which enables automatic execution of vnetlib.exe at every startup. BKDR_POISON.BTA then launches a hidden web browser process (iexplore.exe) into which it injects its code. The injected code contains its backdoor routines, which aid in bypassing firewalls.

    We also observed that the number of export functions of BKDR_POISON.BTA differs from the number of export functions of the legitimate newdev.dll. This is probably because BKDR_POISON.BTA only needed to export the function that vnetlib.exe imports.

    Figure 1. Exported functions of BKDR_POISON.BTA newdev.dll (L) versus the legitimate newdev.dll (R)

    Figure 2. Functions vnetlib.exe imported from newdev.dll
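The export-count observation above, as an added example (this is not Trend Micro's tooling, and the fixture binaries are constructed rather than the real newdev.dll): a Python routine that lists DLLs sitting beside an application whose names also exist in the system directory, the condition under which DLL preloading takes effect, and compares the export counts of the two copies with a minimal PE header parser. `build_fake_pe`, `demo` and the export counts 1 and 12 are constructed for the demonstration; on a real host `find_shadowed_dlls` would be pointed at an application folder and `%System%`.

```python
import os
import struct
import tempfile

def count_exports(data):
    """Return (NumberOfFunctions, NumberOfNames) from a PE export directory,
    (0, 0) if the image exports nothing, or None if `data` is not a PE file.
    Minimal parser: just enough of the PE32/PE32+ headers to reach the export table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    dd_offset = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directories
    export_rva, _export_size = struct.unpack_from("<II", data, dd_offset)
    if export_rva == 0:
        return (0, 0)
    # Map the RVA to a file offset through the section table.
    sec_table = opt + opt_size
    for i in range(num_sections):
        s = sec_table + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        if va <= export_rva < va + max(vsize, raw_size):
            off = export_rva - va + raw_ptr
            n_funcs, n_names = struct.unpack_from("<II", data, off + 20)
            return (n_funcs, n_names)
    return None  # export RVA lies outside every section: malformed image

def find_shadowed_dlls(app_dir, system_dir):
    """DLLs beside an application that share a name with a system DLL. Such a
    file wins the search-order race, so report it with both export counts."""
    findings = []
    system_names = {n.lower(): n for n in os.listdir(system_dir)}
    for name in os.listdir(app_dir):
        if not name.lower().endswith(".dll") or name.lower() not in system_names:
            continue
        with open(os.path.join(app_dir, name), "rb") as f:
            local = count_exports(f.read())
        with open(os.path.join(system_dir, system_names[name.lower()]), "rb") as f:
            system = count_exports(f.read())
        findings.append({"dll": name, "local_exports": local,
                         "system_exports": system, "mismatch": local != system})
    return findings

def build_fake_pe(n_funcs, n_names):
    """Constructed minimal PE32 image with one section holding an export
    directory; it exists only so this example runs without real binaries."""
    e_lfanew, raw_ptr, export_rva = 0x40, 0x200, 0x1000
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 94               # up to DataDirectory
    optional += struct.pack("<II", export_rva, 40) + b"\0" * 120    # 15 remaining directories
    section = (b".edata".ljust(8, b"\0")
               + struct.pack("<IIII", 0x200, export_rva, 0x200, raw_ptr) + b"\0" * 16)
    header = (dos + b"PE\0\0" + coff + optional + section).ljust(raw_ptr, b"\0")
    export_dir = struct.pack("<IIHHIIII", 0, 0, 0, 0, 0, 1, n_funcs, n_names)
    return header + export_dir.ljust(0x200, b"\0")

def demo():
    """Stage an application folder with a planted newdev.dll (1 export) next to a
    stand-in system folder whose newdev.dll exports 12 names; return the findings."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "app")
        sys_dir = os.path.join(root, "system32")
        os.mkdir(app_dir)
        os.mkdir(sys_dir)
        with open(os.path.join(app_dir, "newdev.dll"), "wb") as f:
            f.write(build_fake_pe(1, 1))
        with open(os.path.join(sys_dir, "newdev.dll"), "wb") as f:
            f.write(build_fake_pe(12, 12))
        with open(os.path.join(app_dir, "unrelated.dll"), "wb") as f:
            f.write(build_fake_pe(3, 3))  # no system twin, so never reported
        return find_shadowed_dlls(app_dir, sys_dir)

if __name__ == "__main__":
    print(demo())
```

A name clash on its own is not proof of planting (vendors do ship private copies of system DLLs), but a same-named DLL in an application folder with a much smaller export table than the system copy is exactly the shape described in the post and worth a closer look.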

    A New Technique? Not Really.

    The usage of DLL preloading, per se, is not new. This technique is known to be utilized by PlugX, which is why its usage by PoisonIvy is notable.

    In our previous post we concluded that the cybercriminals behind PoisonIvy and PlugX campaigns are somehow related. This might mean that the cybercriminals are gearing toward using the DLL preloading technique for future variants. They might have observed that using the DLL for the PlugX successfully kept their malicious activities hidden.

    There was a previous instance where PoisonIvy samples used the DLL preloading aka binary planting technique. The sample arrived as an attached archived file in spear phishing emails sent to a Japanese organization. The archived file’s content is a normal document file and a DLL file named imeshare.dll, detected by Trend Micro as BKDR_POISON.DMI (Note that there is a legitimate DLL named imeshare.dll located in the %System% folder). Opening the normal document file will trigger BKDR_POISON.DMI to load via DLL preloading.

    Since PoisonIvy is stable and has been in the wild for several years, it is highly likely that they decided to reuse the DLL preloading technique in their campaigns but simply changed its infection vector to avoid detection. Though these efforts to evade anti-malware scanning are not in themselves groundbreaking, this development in PoisonIvy supports our prediction that conventional malware threats will only gradually evolve, with few, if any, new threats, and with attacks that will become more sophisticated in terms of deployment.

    Trend Micro users are protected by the Smart Protection Network. In particular, file reputation service detects and deletes Poison Ivy (BKDR_POISON) and PlugX (BKDR_PLUGX and TROJ_PLUGX) variants.


    Although an estimated 1,000 websites, 35,000 email credentials, and over 100,000 Facebook accounts have been claimed as compromised since the announcement of #OpPetrol last month, attacker participation and the overall sophistication of the attacks leading into June 20 appears to be limited. These defacements and disclosures are consistent with what has been seen in recent operations, where the attacks did not seem to get much traction.

    An operation like #OpPetrol, however, allows opportunities for different attackers with different skill sets and agendas to join in the cause and execute their own missions. Furthermore, not all sectors have equal resiliency and countermeasures, so tempered caution with proactive security countermeasures is highly recommended.

    Our researchers have been monitoring the situation with a myriad of global threat intelligence resources. We traced malicious activities to the targeted sites and found IPs that have been identified in the past as compromised and being used as C&Cs by bot herders. It appears connections were made to the target sites with the intention of gaining further access or prepping for a DDoS.

    We also found that the malware CYCBOT is being used to drive the infected systems into the target sites. Initially emerging in 2011, CYCBOT has already been primarily used in the past to drive traffic to sites, particularly ad sites. It is known to be distributed via pay-per-install schemes.

    A significant number of targeted government websites in Kuwait, Qatar, and Saudi Arabia have gone offline after having received attacks from recently compromised IPs. These IPs statistically have not recently communicated to those government sites.

    We will continue to monitor this attack and report our findings. You can also check some steps on how you can keep your organization safe before, during, and after targeted attacks like these in my recent entry Anonymous’ #OpPetrol: What is it, What to Expect, Why Care?.

    Posted in Targeted Attacks | Comments Off on Anonymous #OpPetrol: Leading into June 20


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice