As most readers will already know, a new 0-day vulnerability in MS Video ActiveX Control is currently being exploited in the wild. Lots of research material has already been published covering different aspects of this vulnerability and the attack vector. I have nothing more to add on this front. I would rather focus on explaining the details of the malware behind the scenes.
Continue reading "Who is Exploiting the Windows 0-day (MSVIDCTL.DLL) ?" »
The number of mobile payment users worldwide will total 73.4 million in 2009, up 70.4 percent from 2008 when there were 43.1 million users.
Gartner, Inc.
Keeping the above stats in mind, it's pretty clear that these millions of mobile payment users are an ideal target for mobile spam. Spam email has already polluted the Internet experience for millions of PC users. By mobile spam I don't mean the smaller number of cellular phones connected to the Internet over expensive GPRS or 3G networks, which receive email messages (spam included) just like a normal PC via POP3, IMAP, HTTP, etc. Instead I am talking about the millions of cellular phones that are capable of receiving and sending simple text messages over the Short Message Service (SMS). How can spammers send spam to these millions of mobile users?
Continue reading "Web2SMS Gateways, A Wide Open Target" »
As you may or may not know, the popular SPAM bots work off something called a "template". These templates contain tokens that the system-resident malware replaces with entries from a word list periodically fetched from an external server. In the past we've seen some bots that clearly separate the template update mechanism from the C&C communication (like Pushdo/Cutwail) and some that blend the two into one blurry malware package (like Rustock or Grum).
Continue reading "SPAM bots have bugs too!" »
It all started when reports came in from WebSense that more than 40,000 legitimate web sites had been compromised by a new wave of attacks dubbed 'Nine Ball'. Initial reports did not have enough details to help identify the malware behind these attacks. Luckily, soon after, Andrew Martin came up with a very good write-up about the malware behind the scenes. My article is an extension of Martin's initial analysis, and I'll try to concentrate on aspects of this malware not already covered. From Andrew's analysis, I was able to find the MD5 hash of the parent malware (the one dropped by the web exploit(s)). It was enough to give me a good starting point.
Continue reading "What's behind the "Nine Ball" attacks?" »
In this second part of the series I will try to analyze the command and control structure/coordinates of another famous botnet, Koobface. This article is not a detailed analysis of the malware itself but covers mostly its botnet aspect. Readers who are interested in the internals of this malware may refer to these articles:
Koobface Leaves Victims the Black Spot
How to Defeat Koobface
These articles were published back in December 2008 but most of the details are still valid for the newer versions.
Back to the CnC structure ... Koobface relies mostly on domain names to locate its CnC servers, instead of using hard-coded IPs like Pushdo. As a matter of fact, I observed that it tends to change its CnC domains more often than the IPs behind those domains. Based on my lab data (for the last 3 months or so) I see Koobface connecting to 23 unique domains.
Here is the complete list:
Continue reading "Killing the beast...Part II" »
The purpose of this series of articles is very simple: to give our readers an idea of the current geographical distribution of command and control coordinates for some of the top botnets. Based on this data I'll try to estimate whether it is possible to shut down these botnets by pulling the plug on these servers. The botnets discussed in these articles are Pushdo, Xarvester, Rustock, Koobface and Ozdok. These stats are based on my sandnet logs for the last 3 months or so. By no means is this list complete, but it will give our readers a reasonable idea of the current motherships for these botnets.
Pushdo
Here is the list of Pushdo CnCs arranged in tabular form:
Continue reading "Killing the beast...Part I" »
Introduction
I was recently sent an email by someone who was hit with a new species of ransomware. This one encrypted all of the documents on the system, attached the extension .vscrypt to the end, and changed the desktop wallpaper to a ransom note written in Russian. Here are my findings…
Continue reading "Cryptanalysis of VSCrypt Ransomware and the Control Sum Cript Algorithm v1.0" »
Today, while I was casually going through my sandnet logs, one malware outbound communication suddenly caught my attention. This communication certainly looked like a SPAM template download. Unlike other famous botnets like Cutwail, Rustock, Tofsee, Srizbi, Xarvester, etc., the spam template was in plain text and all the artifacts were clearly visible.
Continue reading "Yet another SPAM Bot" »
I recently got an important clue about how the ransom exchange takes place between a victim and the cyber criminals. One of my readers who became a victim of this ransomware dropped an email to the author at the address otrazhenie_zla@mail.ru to get his files recovered. This was the response from the author:
"Transfer into account pay pal 50 dollars here email pay pal otrazhenie_zla@mail.ru"
Interestingly, instead of asking him for the standard $10 ransom (as mentioned in his earlier message) he asked him for $50 - typical criminal mentality, isn't it? Unfortunately his greed doesn't end there. This malware instance came bundled in a fake 'SWF video codec' file. Upon execution, this setup file installs three different pieces of malware on the victim's machine, including this ransomware.
Continue reading "Ransom - Pay me more - Part II" »
Continuing the legacy of GPcode and FileFixer, a new file encoder trojan (5f9927ee59b4881a2ce8634332f63fa8) is on the loose. Upon execution, this malware looks for the user's data files (ending in .jpg, .zip, .doc, .text, etc.) on the system drives and encrypts them.
For example, a user's file named 'mic.jpg' will be replaced by 'mic.jpg.vscrypt'. After it finishes encrypting the user's data files, this malware replaces the desktop image with its own version and simply quits after restarting the user's machine. It doesn't attempt to install itself permanently on the user's system.
Here is a sample encrypted file (Sunset.jpg). The message left behind for the victim on the desktop looks like this:
Continue reading "Ransom - Pay me more!" »