
    Archive for June 2nd, 2014

    Earlier this week, the Federal Bureau of Investigation announced that an international effort had disrupted the activities of the peer-to-peer (P2P) variant of ZeuS/ZBOT known as “Gameover.” Trend Micro was one of the parties that was involved in this effort to disrupt the activities of this well-known online banking Trojan.

    Gameover is well-known for its resilience to takedowns. This is because it reaches its command-and-control (C&C) infrastructure through a peer-to-peer network, whereas other ZeuS variants (such as IceIX, Citadel and KINS) rely on centralized C&C servers.

    Gameover is based on the ZeuS source code that was leaked in May 2011. However, it differs significantly from other malware families (like Citadel and KINS) that are also based on the leaked code. Typically, a ZeuS sample only connects to the specific C&C server defined in its configuration file. If that server becomes inaccessible, the ZBOT malware is unable to download the dynamic configuration file that contains the targeted banking URLs.

    The first ZBOT variant with P2P capabilities was seen in late September 2011 and was detected as TSPY_ZBOT.SMQH. Users were lured into clicking a malicious link that led them to a website serving the Blackhole Exploit Kit (BHEK). BHEK was an exploit kit known for exploiting a wide range of software vulnerabilities; at the time it was the most widely used exploit kit.

    More recently, Gameover variants still propagate via spam email, but with the help of other malware such as UPATRE, which downloads encrypted executable files in order to bypass firewall filters. Some of these newer variants are detected as TSPY_ZBOT.ABTE. UPATRE is one of the malware families commonly seen in email attachments; its job is to download other malware onto the infected system.

    Based on our investigation, Gameover builders are not sold to individuals. Instead, the malware is privately operated, which means only one Gameover botnet is running, compared to the multiple botnets that power other ZeuS variants. Gameover has used the same RC4 key to decrypt the downloaded configuration file since it was first discovered, so every peer can decrypt any new configuration file or updated binary; the entire botnet can therefore share updates quickly, which also makes it resistant to takedowns.

    Infection Flow

    Gameover first decrypts its static configuration file, which contains the hardcoded peers and the RC4 key used to decrypt the downloaded (dynamic) configuration file. The static configuration typically lists 20 IP addresses, each with its own port and communication key.

    It queries the hardcoded peers to check which are still alive and uses a live one to join the botnet network. Once connected to a peer, it can download an updated configuration file, an updated binary, and a fresh list of peer IPs.

    If all 20 peers are dead, Gameover will still try to reach its C&C server. To find the URL of this server, it uses a domain generation algorithm (DGA) that produces a new set of domains at the start of every week, making it even more resilient to takedowns.
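    The rendezvous sequence above (decrypt the static configuration, probe the hardcoded peers, fall back to weekly DGA domains) as an added, runnable simulation. This is not Trend Micro's code nor Gameover's: the static-config record layout, the liveness check, the weekly DGA and all keys, IP addresses and domains are constructed assumptions that only mirror the structure the post describes, and nothing here contacts the network.

```python
"""Added example: simulation of the Gameover rendezvous flow described above.
The config layout, the toy DGA and all keys/addresses are constructed
assumptions for illustration; only the sequence (static config -> hardcoded
peers -> DGA fallback) comes from the post."""
import hashlib
import struct
from datetime import date, timedelta


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (symmetric): the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical static-config layout (assumption, not the real format):
# 16-byte key for the dynamic config, then N records of
# (4-byte IPv4, 2-byte port, 20-byte per-peer communication key).
PEER_RECORD = struct.Struct("!4sH20s")


def build_static_config(config_key: bytes, peers) -> bytes:
    body = config_key
    for ip, port, comm_key in peers:
        body += PEER_RECORD.pack(bytes(int(o) for o in ip.split(".")), port, comm_key)
    return body


def parse_static_config(blob: bytes):
    """Split a decrypted static config into (dynamic-config key, peer list)."""
    config_key, rest = blob[:16], blob[16:]
    peers = []
    for off in range(0, len(rest), PEER_RECORD.size):
        ip_raw, port, comm_key = PEER_RECORD.unpack_from(rest, off)
        peers.append((".".join(str(b) for b in ip_raw), port, comm_key))
    return config_key, peers


def toy_dga(week_start: date, count: int = 5, tld: str = ".example"):
    """Illustrative weekly DGA seeded by ISO year/week. NOT Gameover's algorithm."""
    year, week, _ = week_start.isocalendar()
    domains = []
    for n in range(count):
        digest = hashlib.sha256(f"{year}-{week}:{n}".encode()).hexdigest()
        domains.append(digest[:12] + tld)
    return domains


def choose_rendezvous(encrypted_config: bytes, static_key: bytes, is_alive, today: date):
    """Decrypt static config, prefer live hardcoded peers, else weekly DGA domains."""
    config_key, peers = parse_static_config(rc4_crypt(static_key, encrypted_config))
    live = [p for p in peers if is_alive(p[0], p[1])]
    if live:
        return {"mode": "p2p", "peers": live, "config_key": config_key}
    week_start = today - timedelta(days=today.weekday())  # Monday of this week
    return {"mode": "dga", "domains": toy_dga(week_start), "config_key": config_key}


# Constructed sample data (RFC 5737 documentation addresses, made-up keys).
STATIC_KEY = b"static-cfg-key-demo"
CONFIG_KEY = b"dynamic-cfg-key!"  # exactly 16 bytes
SAMPLE_PEERS = [
    ("192.0.2.10", 7770, b"A" * 20),
    ("198.51.100.23", 9001, b"B" * 20),
    ("203.0.113.5", 8888, b"C" * 20),
]
ENCRYPTED_CONFIG = rc4_crypt(STATIC_KEY, build_static_config(CONFIG_KEY, SAMPLE_PEERS))


def simulate(today_iso: str, alive_peers: set):
    """Run the flow for a given date with a constructed set of reachable (ip, port) peers."""
    return choose_rendezvous(
        ENCRYPTED_CONFIG, STATIC_KEY,
        lambda ip, port: (ip, port) in alive_peers,
        date.fromisoformat(today_iso),
    )


if __name__ == "__main__":
    print(simulate("2014-06-02", {("198.51.100.23", 9001)}))  # P2P path
    print(simulate("2014-06-02", set()))                       # all peers dead: DGA path
```

    The point to take from the simulation is the takedown problem the post describes: sinkholing the hardcoded peers only pushes the bot into the DGA branch, and the config key recovered from the static configuration is what lets every bot decrypt whatever new configuration it obtains either way.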

    ZBOT-CryptoLocker Ties

    The disruption of Gameover also damaged another malware threat, CryptoLocker. In October 2013, we spotted a spam campaign that illustrated how ZeuS and CryptoLocker are connected. The spammed message carried a UPATRE variant, which downloaded a ZeuS variant, which in turn downloaded CryptoLocker onto the system as the final payload of the infection chain.

    As we’ve mentioned before, CryptoLocker is a ransomware family known for encrypting files on the systems it infects. Once the system is infected, the user is asked to pay a “ransom” to regain access to their files. Some of the payment methods used include:

    • Bitcoin
    • cashU
    • MoneyPak
    • Ukash

    The latest Gameover update also contains a notorious rootkit family, NECURS. NECURS is installed to protect the files, registry entries and processes related to Gameover, making the malware more arduous to remove.

    Trend Micro protects users from this via its Smart Protection Network that detects the malicious files and spammed messages, and blocks all related URLs.

    We have also created Trend Micro tools for Gameover ZeuS (GOZ) and CryptoLocker, which can be accessed by visiting the above link.

    Posted in Malware

    In its recent report, Japan's National Police Agency stated that the estimated total cost of unauthorized transactions suffered by Japanese users reached 1.417 billion yen during the period January–May 2014. By comparison, the estimated total damage from these kinds of threats was 1.406 billion yen for the whole of 2013.

    Data released by the Japanese Bankers Association gives similarly alarming statistics: 21 cases of online banking theft occurred in Q1 2014, compared to 14 cases for the whole of 2013. The damage cost in Q1 2014 is already three times the entire damage cost in 2013. Similarly, our Trend Micro Security Roundup for Q1 2014 shows Japan placing second among the countries most affected by online banking malware, behind only the United States.


    Figure 1. Countries Most Affected by Online Banking Malware, January–March 2014

    We have seen ZBOT variants like Citadel and Gameover targeting Japanese users in the past, but the significant increase we are now seeing in online banking Trojans is almost entirely due to a single malware family: the VAWTRAK family of online banking malware.

    VAWTRAK was first spotted in August 2013 as an attachment to fake shipping notification emails. At the time, however, it only stole information from FTP and email clients. Recently, VAWTRAK has expanded its routines to include the theft of banking credentials. As a result of this new behavior, we have seen a significant increase in the number of users affected by VAWTRAK.

    We believe that several popular sites in Japan may have been compromised, either directly or via malicious advertisements. From these sites, users are led to malicious sites hosting the Angler Exploit Kit; in several cases the Angler Exploit Kit was identified as the component leading users to various Flash and Java exploits. These exploits are then used to install VAWTRAK on affected systems. Angler is one of the more popular replacements for the Blackhole Exploit Kit, which was shut down in 2013. Feedback from the Smart Protection Network indicates that the top countries affected by this threat are Japan (79.22%), the United States (6.47%), and Germany (6.29%).



    Figure 2. Top countries affected by VAWTRAK, May-June 2014

    In terms of behavior, VAWTRAK is not particularly innovative; it closely resembles earlier malware families. Its original FTP credential theft is similar to the FAREIT malware, while its banking theft routines are similar to those of the ZBOT family of banking malware. Both of these families are frequently distributed as malicious attachments to spam messages.

    In addition to stealing money, VAWTRAK also increases the risk of users being affected by other malware. It checks for the presence of a wide variety of security software (including Trend Micro products). If it finds any, it tries to downgrade the privileges of that security software in an attempt to render it ineffective. Four major banks and five credit card companies in Japan have been targeted by this malware.

    According to senior threat researcher Matsuka Bakuei, the increase in banking malware targeting Japanese banks can be attributed to information-stealing malware such as VAWTRAK and TSPY_AIBATOOK that has added functionality for stealing banking credentials. In other words, traditional banking malware like ZeuS/Citadel is no longer the only malware hitting Japanese banks.

    In the meantime, we advise that users disable or uninstall browser plug-ins (like Java, Adobe Flash, and Adobe Reader) if they are not needed. If they are needed, we strongly recommend that they be kept up to date, in order to minimize the risk from exploit kits that frequently use exploits for old vulnerabilities.

    We block the websites involved in these VAWTRAK attacks, as well as the various VAWTRAK variants (detected as BKDR_VAWTRAK.PHY, BKDR_VAWTRAK.SM, and BKDR_VAWTRAK.SMN).

    With additional analysis from Arabelle Ebora, Rhena Inocencio and Kawabata Kohei



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice