Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    June 2015
    S M T W T F S
    « May    
  • Email Subscription

  • About Us

    Author Archive - Maxim Goncharov (Senior Threat Researcher)

    Cybercriminals Go to The Cloud

    In an article by Dancho Danchev, he illustrated Trend Micro’s prediction that cloud hosting services such as Amazon EC2M can be easily used for fail-over command and control (C&C) botnet services.

    Just recently, Trend Micro had an issue with some IP ranges from the Amazon EC2 data centers. Based on the procedures of our email reputation database, active spamming IP addresses are automatically blocked.

    Hosting, as always, can be used as a platform for malware distribution. It does not really matter if it is a really small hosting provider with a few racks of hardware boxes or huge infrastructure with tons of hardware offering services in the cloud.

    The legitimate IP addresses of the cloud pool enables cybercriminals to use the malware services as abuse free hosting. If we take EC2 as an example, a client can reserve the pool of IP addresses and can easily manipulate this list by assigning the virtual instance of the existing IPs from the pool or by adding new ones.

    Fraudulent activities in the hosting cloud are difficult to trace. This makes perfect sense for cybercriminals who are trying to take advantage of a reputable organization by using it to hide their malicious business model. With that in mind, it is likely that in 2010, we will see a significant growth in the misuse of cloud hosting services.


    A few days ago, I got access to the source code of the well-known Elite Loader for free. Yes. It was published on one of the Russian underground forums. It even had a detailed description and screenshots showing how to use the application’s command and control (C&C) server.

    Click for larger view Click for larger view
    Click for larger view Click for larger view

    Apart from dropping malicious files on infected machines, Elite Loader also allows malicious users to upload additional software to targeted systems to steal passwords or deploy spam or distributed denial of service (DDoS) modules that other cybercriminals can use.

    The bot’s C&C also contains siginificant statistics and makes use of a log-filtering feature to manage module downloads from the bots in different countries. It can also enable or disable target bots based on their location.

    The bot’s size is only 8kb, making the dropping process relatively hidden. The bot works perfectly well on the Microsoft XP Service Packs 1, 2, and 3 and Vista OSs and supports multiple job instances.

    The malware distribution business seems to have gone public. Elite Loader, for instance, was published by well-known Lonely Wolf—one of the moderators of the underground forum, DaMaGeLaB—with detailed instructions in the archive and even dedicated thread posts. This will make it easy even for script kiddies to create their own malicious code.

    Trend Micro detects the variants of the Elite Loader dropper as part of the DLOADER family of Trojans so product users need not worry about being infected. Trend Micro Smart Protection Network™ blocks the download of all malicious files and access to malicious URLs related to this bot.

    Non-Trend Micro product users who think their systems may have already been infected can clean their PCs using RUBotted.


    In the past few weeks, Trend Micro researchers have become aware that the Russian cybercriminal underground has been overflowing with offers for a new kind of information-stealing malware. These new malware variants pose as agent programs used by Russian social networking sites, such as Odnoklasniki and Vkontakte. (Agent programs are programs used by some websites to allow users to log into their services without having to start their browser.)

    Click for larger view Click for larger view

    A group of cybercriminals interested in stealing the login credentials of the users of these target sites would provide the authors of these new fake agent programs an email address or an ICQ number where the stolen credentials would be placed. These “authors” would then be responsible for distributing their malware to users.

    Users who did download and run these fake agents would be presented with an interface similar or identical to legitimate agent programs.

    Click for larger view Click for larger view

    Upon users would attempt to enter their login credentials by using these fake agents, they would receive a message that the connection to the server has failed. In reality, the credentials have been captured and sent to the cybercriminals via the supplied email address or ICQ number. This threat is detected and removed by Trend Micro as TSPY_FKANTAKTE.A.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice