FireEye Malware Intelligence Lab: 9 posts from March 2009

« February 2009 | Main | April 2009 »

9 posts from March 2009

2009.03.31

Conficker: Catch Me If You Can...

Unlike the previous Conficker variants which generated 250 random domains per day, the new Conficker.C variant can generate up to 50,000 domains in a day. This was in direct response to the actions the security community took to preregister the domains, much like FireEye did with Srizbi just a few months ago. One can sense a 'catch me if you can' kind of attitude with this recent move. Since its appearance in Nov of last year, Conficker's author(s?) have been trying to introduce different tricks to make the hijacking of Conficker very difficult.

I find it very unlikely that the Conficker worm will be used as an active botnet in the near future. There are lots of differences in the way the normal botnets are run and how Conficker is being maintained by its authors. Below I'll highlight a few of those differences.

Continue reading "Conficker: Catch Me If You Can..." »

FE Malware Researcher on 2009.03.31 in Botnet Research | Permalink | Comments (2) | TrackBack (0)

2009.03.24

Filefix Professional 2009 Cryptanalysis

Background

http://blog.fireeye.com/research/2009/03/a-new-method-to-monetize-scareware.html

http://voices.washingtonpost.com/securityfix/2009/03/antivirus2009_holds_victims_do.html

Exposition

The Filefix Professional 2009 (wizard.exe) demo version will uncorrupt (read: decrypt) one file. Which means that I can learn everything I need to know to decrypt all files from analyzing just this binary itself.

So, where to start looking? Well a file decryption routine is going to need to read and write files, so search for calls to ReadFile. Almost the first thing I find is a loop that calls ReadFile, has an inner loop that XOR's over each byte in the buffer, and then calls WriteFile. Hmmm… (See appendix.)

Now all I need are some encrypted files. Filefix Pro doesn't encrypt anything itself, and I didn't have a sample of the malware which did. Fortunately (for me), we were in contact with some of the victims, so as soon as I had some samples it confirmed my suspicion about the encryption just being ECB-XOR. The only thing which took me more than a minute to figure out was that the crypto key was stored at the end of the file. (Since I had already figured out how to decrypt it without knowing the key.)

Spending a little more time reading the binary, I also found the routine which checks for valid keys at the ends of files. This allows Filefix to tell corrupt and non-corrupt files apart when scanning the disk. There is a strict mathematical relationship between the four bytes of the key. Implemented as three simple boolean tests. If you do the math, this also means that there are only 256 possible valid keys.

Continue reading "Filefix Professional 2009 Cryptanalysis" »

FE Malware Researcher on 2009.03.24 in Malware Research | Permalink | Comments (4) | TrackBack (0)

Technorati Tags: bad crypto, crypto, extortion, Filefix, Filefix Professional, hexdump, ida pro, Julia Wolf, malware, reverse engineering, web fraud 2.0

2009.03.23

E-Bandits - Part 1

This post is the first in a new series of articles about E-Bandits. In these articles I will talk about some of the low profile malware currently involved in various data stealing and phishing scams.
Data stealing is not just about stealing credit card information or login credentials. Some of these malware are capable of taking pictures and/or capturing video from your webcam and uploading them to remote servers. The worst types of privacy breaches include taking screenshots of your desktop, monitoring your chatting sessions, and grabbing pictures from your 'My Pictures' folder.

Continue reading "E-Bandits - Part 1" »

FE Malware Researcher on 2009.03.23 in Botnet Research | Permalink | Comments (2) | TrackBack (0)

2009.03.19

A new method to monetize scareware

Scareware in the form of Rogue AntiVirus software, such as XpAntiVirus2009, has long been a way to monetize infected computers. Previously, the Rogue AVs would present you with screens that listed malware you didn't have, and for a nominal fee, you could buy the full version and clean the "infections".

Over the past couple days, Vundo has been pushing a piece of malware that encrypts various personal file types (.pdf, .doc, .jpg, etc) on your system, and "coincidentally", pushes a program called FileFix Pro 2009 which would decrypt them - for a fee. Although we (Julia) broke the encryption, it's a sobering realization of the state of malware that it is now actively extorting users by holding their data ransom. Despite this version of FileFix being trivial to crack, it does not bode well for the future of Internet malware.

Vundo has fundamentally altered its criminal business model from "Scareware" tactics to "Ransomware" extortion. While a user may be "silly" to buy into scareware, they have little choice but to purchase the decryption software once the ransomware does its thing.

Continue reading "A new method to monetize scareware" »

FE Malware Researcher on 2009.03.19 in Malware Research | Permalink | Comments (9) | TrackBack (0)

Technorati Tags: filefix pro, filefix pro 2009

2009.03.16

Cimbot - A technical analysis

Personal Exposition

I was recently sent a .pcap file of a bot's C&C communications. Every 182 seconds, the bot would download a GIF file from vazasaki-ji.info (91.211.65.180 as of Mar 11, 2009). These GIF files however are not well-formed — that is to say, it's a GIF89a header, followed by a lot of random gibberish.

Continue reading "Cimbot - A technical analysis" »

FE Malware Researcher on 2009.03.16 in Botnet Research | Permalink | Comments (5) | TrackBack (0)

Technorati Tags: bad crypto, Cimbot, click fraud, cryptanalysis, crypto, email harvesting, GIF, hexdump, ida pro, Julia Wolf, malware, obfuscation, reverse engineering, spam

2009.03.08

Bad Actors Part 6 - Eurohost LLC (aka UralNet?)

A funny thing happened the day after I posted my last article - the UralNet IP block was removed from the global routing table. I didn't see any notifications in the press or on any network operations lists (although I am not on any RIPE-specific listservs), so my suspicion is that they are simply lying low for a bit. I assume that if they had their plug forcibly pulled then the responsible party would want to be recognized (rightfully) for taking a step against cyber-crime in the region.

Another reason why I believe they are lying low is that an AS that had been dormant (unrouted) for months came back online this week and immediately started hosting much of the malware that used to be on UralNet. They've only been back on the Bloc for a week, have a mere /24 (256 IPs), don't have a corporate homepage, and yet, already have quite a few criminal customers.

Continue reading "Bad Actors Part 6 - Eurohost LLC (aka UralNet?)" »

FE Malware Researcher on 2009.03.08 in Bad Actors, Botnet Research | Permalink | Comments (7) | TrackBack (0)

2009.03.06

The Business Of Mr. Alexander S Kopylov

On the FireEye blog we have talked a lot about Botnets, their CnC coordinates, bad ISPs, etc. You may be curious to know who actually runs these Botnets. Who are these puppet masters and what is their business model? How they work and who are their customers?

There are many questions but the answers are scarce. In this post I will try to answer some of them which often pop up in my mind as well.

It’s no secret that most of the SPAM Botnets are invented in Russia and controlled by Russian cyber-criminals. Why should I believe this to be the case? Srizbi’s recent comeback gave me some valuable hints to confirm the industry suspicion. Here is one email sent by Srizbi that day:

From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
.charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

.. ..... ..... ........... ..... .......... ..... ....... - http://advert1.ru

Continue reading "The Business Of Mr. Alexander S Kopylov" »

FE Malware Researcher on 2009.03.06 in Bad Actors, Botnet Activities / Outbreaks | Permalink | Comments (1) | TrackBack (0)

2009.03.04

‘Bancos’ - A Brazilian Crook

It’s fairly well accepted that most of the banking Trojans originate in Brazil, while most of the big SPAM botnets originate in Russia. One such banking Trojan is ‘Bancos’, a kind of malware that tries to steal every ‘bit’ of financial data from a victim’s PC.

Normally it happens like this:

Once executed on the victim's system, ‘Bancos’ contacts its ‘Command and Control Server’ and tries to download a .txt file. This .txt file has the exact format as the Windows default hosts file (%system32/drivers/etc/hosts) as shown below:

Continue reading "‘Bancos’ - A Brazilian Crook " »

FE Malware Researcher on 2009.03.04 in Botnet Research | Permalink | Comments (2) | TrackBack (0)

2009.03.03

Bad Actors Part 5 - UralNet

I'm not actively picking on the Eastern Bloc, but finding purely malicious IP blocks there is duck soup. In this posting I'll be looking at UralNet, which is registered to an organization in Russia, but appears to be administered out of the Ukraine.

Continue reading "Bad Actors Part 5 - UralNet" »

FE Malware Researcher on 2009.03.03 in Bad Actors, Botnet Research | Permalink | Comments (8) | TrackBack (0)

FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation | www.fireeye.com