
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation


9 posts from March 2009

Conficker: Catch Me If You Can...

Unlike the previous Conficker variants which generated 250 random domains per day, the new Conficker.C variant can generate up to 50,000 domains in a day.  This was in direct response to the actions the security community took to preregister the domains, much like FireEye did with Srizbi just a few months ago.  One can sense a 'catch me if you can' kind of attitude with this recent move.  Since its appearance in Nov of last year,  Conficker's author(s?) have been trying to introduce different tricks to make the hijacking of Conficker very difficult.

I find it very unlikely that the Conficker worm will be used as an active botnet in the near future. There are lots of differences in the way the normal botnets are run and how Conficker is being maintained by its authors.  Below I'll highlight a few of those differences.


Filefix Professional 2009 Cryptanalysis

Background

http://blog.fireeye.com/research/2009/03/a-new-method-to-monetize-scareware.html

http://voices.washingtonpost.com/securityfix/2009/03/antivirus2009_holds_victims_do.html

Exposition

The Filefix Professional 2009 (wizard.exe) demo version will uncorrupt (read: decrypt) one file. This means that I can learn everything I need to know to decrypt all files by analyzing just this binary itself.

So, where to start looking? Well, a file decryption routine is going to need to read and write files, so search for calls to ReadFile. Almost the first thing I find is a loop that calls ReadFile, has an inner loop that XORs over each byte in the buffer, and then calls WriteFile. Hmmm… (See appendix.)

Now all I need are some encrypted files. Filefix Pro doesn't encrypt anything itself, and I didn't have a sample of the malware which did. Fortunately (for me), we were in contact with some of the victims, so as soon as I had some samples it confirmed my suspicion about the encryption just being ECB-XOR. The only thing which took me more than a minute to figure out was that the crypto key was stored at the end of the file. (Since I had already figured out how to decrypt it without knowing the key.)

Spending a little more time reading the binary, I also found the routine which checks for valid keys at the ends of files. This allows Filefix to tell corrupt and non-corrupt files apart when scanning the disk. There is a strict mathematical relationship between the four bytes of the key, implemented as three simple boolean tests. If you do the math, this also means that there are only 256 possible valid keys.


E-Bandits - Part 1

This post is the first in a new series of articles about E-Bandits. In these articles I will talk about some of the low profile malware currently involved in various data stealing and phishing scams.
Data stealing is not just about stealing credit card information or login credentials. Some of this malware is capable of taking pictures and/or capturing video from your webcam and uploading them to remote servers.  The worst types of privacy breaches include taking screenshots of your desktop, monitoring your chat sessions, and grabbing pictures from your 'My Pictures' folder.


A new method to monetize scareware

Scareware in the form of Rogue AntiVirus software, such as XpAntiVirus2009, has long been a way to monetize infected computers.  Previously, the Rogue AVs would present you with screens that listed malware you didn't have, and for a nominal fee, you could buy the full version and clean the "infections".

Over the past couple of days, Vundo has been pushing a piece of malware that encrypts various personal file types (.pdf, .doc, .jpg, etc.) on your system, and "coincidentally" pushes a program called FileFix Pro 2009 which would decrypt them - for a fee.  Although we (Julia) broke the encryption, it's a sobering realization of the state of malware that it is now actively extorting users by holding their data ransom.  Despite this version of FileFix being trivial to crack, it does not bode well for the future of Internet malware.

Vundo has fundamentally altered its criminal business model from "Scareware" tactics to "Ransomware" extortion.  While a user may be "silly" to buy into scareware, they have little choice but to purchase the decryption software once the ransomware does its thing.


Cimbot - A technical analysis

Personal Exposition

I was recently sent a .pcap file of a bot's C&C communications. Every 182 seconds, the bot would download a GIF file from vazasaki-ji.info (91.211.65.180 as of Mar 11, 2009). These GIF files however are not well-formed — that is to say, it's a GIF89a header, followed by a lot of random gibberish.


Bad Actors Part 6 - Eurohost LLC (aka UralNet?)

A funny thing happened the day after I posted my last article - the UralNet IP block was removed from the global routing table.  I didn't see any notifications in the press or on any network operations lists (although I am not on any RIPE-specific listservs), so my suspicion is that they are simply lying low for a bit.  I assume that if they had their plug forcibly pulled then the responsible party would want to be recognized (rightfully) for taking a step against cyber-crime in the region.

Another reason why I believe they are lying low is that an AS that had been dormant (unrouted) for months came back online this week and immediately started hosting much of the malware that used to be on UralNet.  They've only been back on the Bloc for a week, have a mere /24 (256 IPs), don't have a corporate homepage, and yet, already have quite a few criminal customers.


The Business Of Mr. Alexander S Kopylov

On the FireEye blog we have talked a lot about Botnets, their CnC coordinates, bad ISPs, etc. You may be curious to know who actually runs these Botnets. Who are these puppet masters, and what is their business model? How do they work, and who are their customers?

There are many questions but the answers are scarce. In this post I will try to answer some of them which often pop up in my mind as well.

It’s no secret that most of the SPAM Botnets are invented in Russia and controlled by Russian cyber-criminals.  Why should I believe this to be the case?  Srizbi’s recent comeback gave me some valuable hints to confirm the industry suspicion. Here is one email sent by Srizbi that day:


From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
 charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

.. ..... ..... ........... ..... .......... ..... ....... - http://advert1.ru


‘Bancos’ - A Brazilian Crook

It’s fairly well accepted that most of the banking Trojans originate in Brazil, while most of the big SPAM botnets originate in Russia. One such banking Trojan is ‘Bancos’, a kind of malware that tries to steal every ‘bit’ of financial data from a victim’s PC.

Normally it happens like this:

Once executed on the victim's system, ‘Bancos’ contacts its ‘Command and Control Server’ and tries to download a .txt file. This .txt file has exactly the same format as the Windows default hosts file (%system32/drivers/etc/hosts), as shown below:



Bad Actors Part 5 - UralNet

I'm not actively picking on the Eastern Bloc, but finding purely malicious IP blocks there is duck soup.  In this posting I'll be looking at UralNet, which is registered to an organization in Russia, but appears to be administered out of the Ukraine.
