Last week, in the previous part of this post, we went over the behavior of Control Panel (CPL) malware before the actual infection. In this second part, we go over what happens after the malware has reached a system. (Note: much of this analysis was carried out with Deep Discovery Advisor, so some of the screenshots will have been taken from this product.)

This particular CPL malware (detected as TROJ_BANLOAD.ZAA) appears to be targeted at Windows 7 users – specifically, those using the 32-bit version. How do we know this? Based on previous research, we know that CPL malware is frequently used as a downloader for other malware. We see this behavior in 32-bit Windows 7:

Figure 1. Behavior under 32-bit Windows 7
(Click above image to enlarge)

However, on other platforms (like 64-bit Windows 7), we do not see that behavior.

Figure 2. Behavior under 64-bit Windows 7

So, let’s look into what this malware does when it is run in its “right” target environment.

It accesses four URLs, two of which are non-malicious and Microsoft-related. One is the Compatibility View list for Internet Explorer 9; the other is the browser icon (favicon.ico) for Bing. Two are potentially malicious, with Deep Discovery Advisor flagging one as malicious.

Figure 3. URLs accessed by CPL malware

Let’s look at the first potentially malicious domain. It is a .com domain; the WHOIS records also identify a Spanish man as both the registrant and the technical contact for the domain. It was first registered in 2010.

All this site does is return a simple text string: “NTFD!”. It’s possible that this may be used for command-and-control, although no definitive evidence either way is present. However, by itself, there’s nothing here that indicates malicious behavior, so it is not flagged as such.

The other domain is more interesting. It appears that it is a compromised site belonging to an Israeli company – the domain is under the .co.il top-level domain, it is hosted in Israel, and the content clearly belongs to the company as well.

However, the malware downloaded an executable file directly from this server. While it has a different name - 07-03.exe.exe instead of morph.exe – it has the same hash as the dropped file identified earlier. The file name itself is also intriguing, as if read in a day-month format , it reads “March 7″, which was just days before I actually analyzed this particular attack.

Once on the system, this particular malware drops multiple copies of itself and proceeds to carry out its information theft routines.

Figure 4. Analysis of payload
(Click above image to enlarge)

From there, the usual information theft routines as discussed in our earlier research proceed, targeting the user’s personal information, as outlined in the threat diagram below. We detect this malware as TSPY_BANKER.ZAA.

Figure 5. CPL malware threat diagram

Detection and Prevention

By providing details on how this attack was able to reach user systems, we hope that this can help others from becoming victims of this threat. Our previous research has indicated that Internet users in Brazil are the most common victims of CPL malware, and that has not changed here.

Beyond common best practices, this incident allows us to see some possible defenses against attacks like these. For emails, checking the sender IP address is already standard behavior. However, defenses and policies against attachments should be considered – these should be scanned for malicious content, and some potentially risky tile types can be blocked.

As for the potentially malicious URLs, it may be worth considering to block the download of executable files. In this particular case, doing so would have prevented the download of the main payload by the initial CPL downloader. Failing that, endpoint software should be in place to check the reputation of any downloaded files.

Trend Micro solutions protect against all aspect of this attack, as well as other similar incidents using CPL malware.

Recently we’ve discussed how Control Panel (CPL) malware has been spreading in Latin America. In the past, we’ve analyzed in some detail how CPL malware works as well as the overall picture of how this threat spreads. In this post, we shall examine in detail how they spread, and how they relate with other malicious sites and components.

Recently, while I was checking my spam mailbox, I found one of these messages there. Specifically, I found this email sample:

Figure 1. Spam message

This roughly translates to:

From: {Dear Customer} (delivery-receipt@outlook.com)
Subject: As requested, the Invoice of Payment is Below
Message Body:
Good Morning  Sir/Madam customer,
As requested, the following is the invoice for payment

[PDF icon] Click here to download.

The email address used in this attack may look authentic at first glance, but it is actually just an address from Outlook.com, Microsoft’s free webmail service. In the message itself, there are two highlighted items: the PDF icon, and a link after the PDF icon.

The PDF icon is actually a hot-link of an image hosted by Google which is a PDF download icon. When clicked, this leads to a fake “access denied” website.

However, if the user does click on the link, as opposed to the icon, they are directed to a document that is hosted on a Google Drive. From this document, the user is redirected to a malicious page, as seen below:

Figure 2. Google Drive document

After more redirections, the user is sent to the URL of a malicious archive. Inside this downloaded archive named Fature.zip one finds the Control Panel malware.

Figure 3. Malicious archive

Redirection Details

As seen, there are actually three malicious sites necessary to get to the malicious file. The overall infection chain is:

1. Spam message
2. Google Drive URL
3. http://{malicious domain #1}/Pdf/Visualizar.php
4. http://{malicious domain #2}/Fatura.zip

Both of the mentioned malicious domains above are hosted in Brazil, and use the .br top-level domain.

Using a Google Drive URL as the initial infection vector was a clever decision, as network traffic with Google will not be found malicious, and URL scanners will frequently whitelist a Google-related URL as well.

The page at this Google URL is actually an HTML document that uses the META tag to redirect users to the first malicious site, as shown in Figure 2.

Note that at malicious domain #1, there is also one redirect within the site: the URL from Google only goes to the Pdf directory; the site itself redirects users to the Visualizar.php page.

Figure 4. Malicious site redirection

From here, how did it download the malicious payload Fatura.zip? It used HTTP status code redirection, as was used by malicious domain #1:

Figure 5. HTTP status redirection

The HTTP Location header field (highlighted above) is provided to the web browser under two circumstances:

• To ask the browser to load a different page. In this case, the Location header would sent with the HTTP 302 status code, and then would provide a “Moved Temporarily” status. This is what was described above. The user has no choice in the matter, as this is part of the HTTP protocol itself.
• To provide information about the location of a newly created resource, but this would go with an HTTP status code of 201 or 202.

We can see how the attacker designed this attack to make it more difficult to block: by using a Google-related URL, it makes blocking these URLs very difficult. Even its misuse of the Google Drive service would be tricky to deal with, since the attacker did not actually use the service to host malicious content, but instead used it as a redirector. The multiple redirections can make detecting the “right” URL to block more difficult if no network monitoring is conducted. (A casual inspection might lead someone to believe that the malicious URL came from Google, which is clearly not the case.)

In the next part, we will look at how this attack proceeds once it has been installed on an affected system.

Last week, we talked about what Tor is, how it works, and why system administrators need to be aware of it. Now the question is: should I block Tor, and if I do decide to do that, what can be done to block Tor?

Tor, by itself, is not inherently malicious. If a user wants to prevent any third party from finding out what sites they are visiting, Tor is an incredibly useful tool. For example, security researchers use Tor routinely to help investigate various online threats. Many dissidents use Tor to hide their traffic from repressive governments.

However, the same traits that make it useful for legitimate parties also make it attractive for cybercriminals. Particularly in an enterprise context, the idea of having completely anonymous traffic going to somewhere on the Internet is not only terrifying, it may even be an unacceptable risk. Blocking Tor is something that a network administrator must consider, but it is not malicious in and of itself.

If one does decide to block Tor traffic, how does one do this?

To block Tor, one has to try and block the connection from the client to Tor servers. These servers frequently listen on several specific ports: ports 80, 443, 9001 and 9030. Clients would try one port or another until it is able to connect to the Tor node(s).

Figure 1. Internet connection to a Tor node by malware

So Tor has a recognizable pattern that can be blocked on the network level. Broadly speaking, there are two possible ways to do this. One can attempt to control the traffic outbound to the Internet by the ports being used. For example, one can block outbound traffic to specific ports, or limit the allowed outbound traffic to certain ports.

Alternately, one can try to use application-level filters or other network inspection techniques to try and determine which is legitimate traffic and which is malicious traffic. For example, application-level filtering, an extension of stateful packet inspection (SPI), would be able to tell the difference between HTTP traffic (port 80) used for web browsing and traffic used for peer-to-peer networking.

For smaller networks – such as those in homes or small businesses – the best solution is to try and block Tor at the endpoint by detecting any malware that uses it. The inexpensive routers used in these situations are not set up by default to block outgoing traffic, nor do they have sophisticated network inspection tools. In addition, blocking some commonly used ports like port 80 (HTTP) or port 443 (HTTPS) would severely affect the user experience, so it’s not really an option either.  That leaves endpoint protection as the best option.

For medium to large businesses, it would be a different story. These have the resources and the personnel to implement Tor detection at the network level. Ideally, rules regulating network traffic should already be in place – which may already cover both HTTP and HTTPS traffic.

So what specific steps should be done to guard against Tor-related network traffic?

A web application proxy with application control may be useful. Companies often need to control or scan Internet applications.  A good way to do this would be to implement application control, which is more powerful than a simple allow-or-block option, although a combination can be applied:

• Step 1: implement a web proxy that can perform application control.  This is usually implemented in a machine in a DMZ.
• Step 2: restrict all direct Internet access to just that web proxy.

Here’s an illustration of what such a setup would look like:

Figure 2. Network segmentation for larger networks

Aside from this, one should monitor firewall hits for outgoing traffic to ports 9001 and 9003. This kind of traffic is characteristic of endpoints trying to access the Tor network. Going through voluminous firewall logs may be daunting, but some firewalls allow logs to be forwarded to security information and event management (SIEM) software, where rules can trigger an automatic notification.

These recommendations allow a network administrator to tell what goes through port 80 and 443. This not only helps mitigate the effects of have a Tor-related malware, but also improves the overall security posture of the network. For one, this may allow a more proactive position in terms of network defense and countermeasures.  This in better than just waiting for the offending piece of malware to reach the desktop and deal with the effects of infection (i.e., cleanup.)

Trend Micro offers InterScan Web Security that allows both application control and visibility that is essential to understanding ongoing network risks. Being able to sift through normal web traffic and identify Tor traffic through is as easy as allowing or denying it, as seen below:

Figure 3. Application Control Screen for Policy Creation

In addition, the Deep Discovery Inspector allows network-wide visibility of Tor-related traffic:

Figure 4. Detection logs for Tor-related applications

Both of these products can be integrated with security information and event management (SIEM) software. The combination of these two security software (InterScan Web Security and Deep Discovery Inspector) as well as other firewall/unified threat management solutions working within a network, all tied to a SIEM product, is an important tool for a network administrator.

This allows him to visualize the events within a network, allowing him to defend the network against newer threats (such as Tor-related malware) and possibly making it easier to pinpoint devices that may be the cause of security alerts.

In the past few months,  the Tor anonymity service as been in the news for various reasons. Perhaps most infamously, it was used by the now-shuttered Silk Road underground marketplace. We delved into the topic of the Deep Web in a white paper titled Deepweb and Cybercrime. In our 2014 predictions, we noted that cybercriminals would go deeper underground – and part of that would be using Tor in greater numbers.

Cybercriminals are clearly not blind to the potential of Tor, and network administrators have to consider that Tor-using malware might show up on their network. How should they react to this development?

What’s Tor, anyway?

Tor is designed to solve a fairly specific problem: to stop a man-in-the-middle (such as network administrators, ISPs, or even countries) from determining or blocking the sites that a user visits. How does it do this?

Previously known as “The Onion Router”, Tor is an implementation of the concept of onion routing, where a number of nodes located on the Internet that serve as relays for Internet traffic. A user who wants to use the Tor network would install a client on their machine.

This client would contact a Tor directory server, where it gets a list of nodes. The user’s Tor client would select a path for the network traffic via the various Tor nodes to the destination server. This path is meant to be difficult to follow. In addition, all traffic between nodes is encrypted. (More details about Tor may be found at the official website of the Tor project.)

In effect, this hides your identity (or at least, IP address) from the site you visited, as well as any potential attackers inspecting your network traffic along the way. This is quite useful if you’re a visitor who wants to cover your tracks or if, for some reason, the server that you’re trying to connect to denies connections from your IP address.

This can be done for both legitimate and illegitimate reasons. Unfortunately, this means that it can and has already been used for malicious purposes.

How can it be used maliciously?

Malware can just as easily use Tor as anyone else. In the second half of 2013, we saw more malware making use of it to hide their network traffic. In September, we blogged about the Mevade malware that downloaded a Tor component for backup command and control (C&C) communication. In October 2013, Dutch police arrested four persons behind the TorRAT malware, a malware family which also used Tor for its C&C communication. This malware family targeted the bank accounts of Dutch users, and investigation was difficult because of the use of underground crypting services to evade detection and the use of cryptocurrencies (like Bitcoin).

In the last weeks of 2013, we saw some ransomware variants that called itself Cryptorbit that explicitly asked the victim to use the Tor Browser (a browser bundle pre-configured for Tor) when paying the ransom. (The name may have been inspired by the notorious CryptoLocker malware, which uses similar behavior.)

Figure 1. Warning from Tor-using ransomware

Earlier this month, we discussed several ZBOT samples that in addition to using Tor for its C&C connection, also embeds its  64-bit version “inside” the normal, 32-bit version.

Figure 2. Running 64-bit ZBOT malware

This particular malware runs perfectly in a 64-bit environment and is injected into the running svchost.exe process, as is typically the case with injected malware.

This increase in Tor-using malware means that network administrators may want to consider additional steps to be aware of Tor, how to spot its usage, and (if necessary) prevent its use. Illegitimate usage of Tor could result in various problems, ranging from circumvented IT policies to exfiltrated confidential information.

We will discuss these potential steps in a succeeding blog post.

Over the past few weeks, we’ve been seeing an increase in the number of spreading CryptoLocker malware. This new kind of ransomware has been hitting more users over the past few weeks. Compared to the month of September, the number of identified cases in October has almost tripled.

CryptoLocker infections were found across different regions, including North America, Europe Middle East and the Asia Pacific. Almost two-thirds of the affected victims – 64% – were from the US. Other affected countries include the UK and Canada, with 11% and 6% of global victims, respectively.

Previously, we discussed how these threats were arriving via email. CryptoLocker can be viewed as a refinement of a previously known type of threat called ransomware. Such “improvements” are in line with our 2013 Security Predictions, where we mentioned that the focus of cybercriminals would be the refinement of existing tools, rather than the creation of entirely new threats.

What can I do?

There are different ways an individual or an organization can handle the CryptoLocker threat. Since this threat starts as spam carrying TROJ_UPATRE (a downloader), its success depends on the social engineering lures used in the message and how users would respond to it.

Let us start off first with simple (but frequently ignored) safe computing practices to consider when opening emails and file attachments, in general:

• Always check who the email sender is. If the email is supposedly coming from a bank, verify with your bank if the received message is legitimate. If from a personal contact, confirm if they sent the message. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of spammers as well.
• Double-check the content of the message. There are obvious factual errors or discrepancies that you can spot: a claim from a bank or a friend that they have received something from you? Try to go to your recently sent items to double-check their claim. Such spammed messages can also use other social engineering lures to persuade users to open the message.
• Refrain from clicking links in email. In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in email directly. If you have to click on a link in email, make sure your browser uses web reputation to check the link, or use free services such as Trend Micro Site Safety Center.
• Always ensure your software is up-to-date. Currently there are no known CryptoLocker that exploits vulnerabilities to spread, but it can’t be ruled out in the future. Regularly updating installed software provides another layer of security against many attacks, however.
• Backup important data. Unfortunately, there is no known tool to decrypt the files encrypted by CryptoLocker. One good safe computing practice is to ensure you have accurate back-ups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location. Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state, and is enabled by default. Cloud storage services (such as SafeSync) can be a useful part of your backup strategy.

For enterprise customers, review your policies regarding email attachments. It is generally considered bad form to send an executable file using email. Most organizations also have strict attachment blocking policies – if you don’t have one right now, it would be a good time to consider creating one.

Configuring devices for specific purposes is another method to reduce chances of Cryptolocker infection. For example, if the user is only required to use Microsoft Word, a system and user account with limited privileges would be adequate. Most enterprises may already have this approach, but this can be enhanced to use a list of whitelisted software applications and take advantage of certain Windows features like AppLocker.

This can complement an organization’s overall security strategy. Users can implement an antimalware solution that not only protects users from executing malicious files, but provides protection even before the malware arrives in your system.

Our email reputation service is able to block these spammed messages with malicious attachments. Specifically, the True File Type Filtering feature can alert users if an email attachment is potentially malicious:

In addition, our web reputation service can also block access to the related URLs. A combination of antimalware solution plus a solid list of applications allowed to run reduces the surface area of attack on a desktop.

Conclusion

While not presenting anything new to the table, CryptoLocker has taken the scare tactics effectively used before by ransomware and fake antivirus attacks to a new level. Most users rely nowadays on good antimalware software, but it is important to note that user education, regular software update, and a strict computer usage policy are crucial defense against CryptoLocker and similar threats.

As malware nowadays are being refined by cybercriminals, computer systems must be likewise hardened to resist these attacks. A holistic approach in addressing malware infections aims not only to address to reduce the rate of the infection itself, but can help in breaking the whole cycle of the malware infection chain by providing a defense in depth strategy that covers multiple facets of an attack.

Trend Micro customers who use OfficeScan (OSCE) and Worry-Free Business Security/Services (WFBS/WFBS-SVC) can follow these best practices to prevent ransomware infection.