    Archive for January 7th, 2014

    Reports have surfaced that ZeuS/ZBOT, the notorious online banking malware, is now targeting 64-bit systems. During our own investigation, we have confirmed that several ZBOT 32-bit samples (detected as TSPY_ZBOT.AAMV) do have an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). However, our investigation also led us to confirm other noteworthy routines of the malware, including its antimalware evasion techniques.

    Below is a screenshot of the extracted code of TSPY_ZBOT.AAMV, which is injected with the 64-bit ZBOT:

    Figure 1. Screenshot of 32-bit ZBOT

    Going through the code, the 64-bit version can be seen as a part of the text section (executable code) of the malware.

    Figure 2. Screenshot of injected 64-bit ZBOT

    Like any ZBOT variant, TSPY_ZBOT.AAMV injects its code into the normal process explorer.exe. If the running process is 64-bit, the malware then loads the 64-bit version of the malware. If not, it will continue to execute the 32-bit version.

    The other notable feature of this ZBOT variant is its Tor component, which can hide the malware’s communication to its command-and-control (C&C) servers. This component is embedded at the bottom part of the injected code, along with the 32-bit and 64-bit versions. To initiate this component, the malware suspends the process svchost.exe and injects it with the Tor component’s code then resumes the process. In doing so, the execution of Tor is masked. It is launched using the following parameters:

    "%System%\svchost.exe" --HiddenServiceDir "%APPDATA%\tor\hidden_service" --HiddenServicePort "1080{random port 1}" --HiddenServicePort "5900 {random port 2}"

    These parameters specify how the Tor client will run. In this case, the Tor client runs as a hidden service and specifies the location of the private_key and hostname configuration. TSPY_ZBOT.AAMV then reports this configuration to its C&C server, which relays it to a remote malicious user. The Tor client redirects network communications on ports 1080 and 5900 to randomly generated ports, which the remote user can now access.

    The Tor component will act as a server, which the malicious remote user will use to access an infected system. This ZBOT variant contains Virtual Network Computing (VNC) functionality, which the remote user can then use to execute its desired commands. This functionality of certain ZBOT variants was reported as early as 2010, effectively creating a remote-control capability for this malware, similar to how a backdoor controls an infected system.
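The launch parameters above give defenders a concrete process-creation signature: a process image named svchost.exe carrying Tor hidden-service options. The following triage sketch is an added example, not code from the original post or from Trend Micro; the event records, paths, and target-port values are constructed, and the function names are hypothetical.

```python
import re

# Constructed process-creation records (image path, command line), shaped like
# the fields a process-creation audit log provides; not from a real infection.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs"),
    (r"C:\Windows\System32\svchost.exe",
     r'"C:\Windows\System32\svchost.exe" --HiddenServiceDir '
     r'"C:\Users\u1\AppData\Roaming\tor\hidden_service" '
     r'--HiddenServicePort "1080 127.0.0.1:40213" '
     r'--HiddenServicePort "5900 127.0.0.1:40877"'),
    (r"C:\Tools\tor\tor.exe",
     r'C:\Tools\tor\tor.exe --HiddenServiceDir C:\hs '
     r'--HiddenServicePort "80 127.0.0.1:8080"'),
]

# Assumption: accept one or two leading hyphens, case-insensitively.
OPTION = re.compile(r"^-{1,2}(HiddenServiceDir|HiddenServicePort)$", re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')      # quoted argument or bare word
WATCHED_PORTS = {1080, 5900}            # the two ports named in the post

def hidden_service_args(cmdline):
    """Return (dirs, {virtual_port: target}) parsed from a command line."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    dirs, ports = [], {}
    for opt, value in zip(tokens, tokens[1:]):
        m = OPTION.match(opt)
        if not m:
            continue
        if m.group(1).lower() == "hiddenservicedir":
            dirs.append(value)
        else:
            virt, _, target = value.partition(" ")
            if virt.isdigit():
                ports[int(virt)] = target.strip()
    return dirs, ports

def triage(image, cmdline):
    """Return the reasons an event matches the described launch, or None."""
    dirs, ports = hidden_service_args(cmdline)
    if not dirs and not ports:
        return None
    reasons = ["tor hidden-service options on command line"]
    if image.lower().endswith("\\svchost.exe"):
        reasons.append("image is svchost.exe; these are not svchost options")
    hit = sorted(WATCHED_PORTS.intersection(ports))
    if hit:
        reasons.append("hidden service exposes ports %s" % hit)
    return reasons
```

A standalone Tor install (third record) yields only the first reason, so the svchost.exe image name and the 1080/5900 pair are what raise an event to high confidence.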

    64-bit ZBOT Levels Up Antimalware Evasion Tricks

    Aside from these functionalities, we found new routines added to this ZBOT. One prevents certain analysis tools, such as OllyDbg, WinHex, StudPE, and ProcDump among others, from executing.

    Another noteworthy addition is this ZBOT’s user mode rootkit capability, which effectively hides the malware processes, files, and registry.

    The said variant also hides its dropped files and autostart registry. As the images below show, the malware’s created folders can be seen using the dir command in CMD, but are hidden when browsed via File Explorer.

    Figure 3. ZBOT hidden folders visible in CMD using dir command

    Figure 4. ZBOT files hidden in File Explorer

    Users can view the TSPY_ZBOT.AAMV autostart registry entry, created folders, and files by restarting in Safe Mode. Because the malware has only a user-mode rootkit capability, which merely hides malware-related files and processes, rather than a kernel-mode rootkit, users can delete these while in Safe Mode.

    This 64-bit version of ZeuS/ZBOT is an expected progression for the malware, especially after the ZeuS source code was leaked back in 2011. Since then, we have seen several reincarnations of the malware, most notably in the form of KINS and its involvement with other malware such as Cryptolocker and UPATRE. The addition of other functionalities, such as rootkit capability and the use of a Tor component, is further proof that we can expect more modifications in the future, particularly those that help circumvent or delay antimalware efforts.

    Trend Micro protects users from this threat by detecting ZBOT variants if found in a system. It also blocks access to known C&C sites of the malware.

    Additional information about Tor may be found in the paper “Deepweb and Cybercrime: It’s Not All About TOR.”

    Posted in Malware | Comments Off on 64-bit ZBOT Leverages Tor, Improves Evasion Techniques

    2013 was a year of change in the spam landscape.

    The volume of spam increased from 2012. We witnessed the decline of a previously-successful exploit kit. The old became new again, thanks to different techniques used by spammers. While we still saw traditional types of spam, we also saw several “improvements” which allowed spammers to avoid detection and victimize more users. We also saw spam utilized more to carry malware since the start of the year.

    Figure 1. Spam volume from 2008

    The Slow Death of the Blackhole Exploit Kit

    The Blackhole Exploit Kit (BHEK) is a notorious exploit kit that was widely used in numerous spam campaigns. This exploit kit was highly adaptive, incorporating vulnerabilities, current “hot topics,” and even social networks into several campaigns.

    In 2013, we saw 198 BHEK spam campaigns, a smaller number compared to the previous year. The volume may have lessened but this didn’t make such campaigns less effective. For example, we saw spammed messages just hours after the official announcement of the birth of the “Royal Baby.” In this particular spam run, the volume of spammed messages reached up to 0.8% of all spam messages collected during the time period.

    Figure 2. Number of BHEK campaigns from March 2012 to December 2013

    The end of the third quarter was marked by the arrest of Paunch, a person believed to be the creator of the BHEK. We noted that in the two weeks after his arrest, we found no significant BHEK spam runs. The number of BHEK spam runs dwindled until there was none in December.

    Health Spam Spikes

    Entering the third quarter, we noticed an increase in the volume of health-related spam. At one point, this type of spam constituted 30% of all spam we saw, with over two million samples spotted daily. The content of these messages ran the gamut from weight loss tips to pharmaceutical products.

    What’s notable about this particular spam run is that these messages have evolved from using traditional “direct” approaches (with an image of the product and call-to-action to buy) to more “subtle” methods. Health spam now uses a newsletter template to peddle products. The purpose of the newsletter template may be two-fold: to avoid detection by anti-spam filters and to appear more legitimate to users. Several messages even claimed to be from reputable news sources such as CBS, CNBC, CNN, the New York Times, and USA Today.

    Figure 3. Sample health-related spam

    These messages were sent from computers in various countries, including India (10%), Spain (8%), Italy (7%) and the United States (6%).

    The spike wasn’t the only notable health spam we saw this year. We also saw several spammed messages that leveraged the controversial Affordable Care Act or Obamacare, even before it was officially launched. Once users clicked on the links in these messages, they were led to survey scam sites.

    The Change in Malware Attachments

    Aside from advertising and selling pharmaceutical products, spam is also used to distribute malware. Even though there may be more complex ways of infecting systems, the use of malware attachments remains constant in the threat landscape. This suggests that there are users who still fall prey to simple techniques (such as urging users to click on an attachment). We noticed that the number of spam with malicious attachments fluctuated throughout the year, before it steadily increased in the latter months.

    Figure 4. Volume of spam messages with malicious attachments

    From the first to third quarter of the year, ZBOT/ZeuS was the top malware family distributed by spam. This family is known for stealing financial-related information. Halfway into the third quarter, however, we noticed that TROJ_UPATRE unseated ZBOT and became the top malware attachment. In November, about 45% of all malicious spam with attachments contained UPATRE malware.

    UPATRE became notorious for downloading other malware, including ZBOT malware and ransomware, particularly CryptoLocker. This type of attack is doubly risky for users because not only will their information be stolen, their files will also become inaccessible.

    Spam, 2014 and Beyond

    We anticipate that the 2013 spam landscape will set a precedent for the threats we’ll see in the upcoming year:

    • Spammers will blend old spam techniques in order to avoid detection and successfully victimize users.
    • Spam will still be used to spread malware.
    • Social networking spam will experience a drastic increase in terms of spam volume.

    You may read our upcoming annual year-end report for more information and insights about spam and other elements of the threat landscape in 2013.

    Posted in Exploits, Malware, Spam | Comments Off on A Year of Spam: The Notable Trends of 2013

