
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation

38 posts categorized "Botnet Research"

Harnig is Back

Rustock's old buddy Harnig is back in action. Harnig is considered to be a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system for a small fee. There has been a long-term relationship between the Harnig and Rustock botnets. For the last two years or so, Rustock has almost always been seen being spread through Harnig.

I reported back in March (right after the Rustock botnet shutdown) that the Harnig botnet had abandoned all of its CnCs as well, suspending all of its malicious activities. Rustock hasn't yet tried to reclaim its previous position, but the same is not true of Harnig. After months of silence, Harnig is finally back in business, resuming all of its usual malicious activities.

A controlled run of Harnig in my lab shows Harnig downloading a number of malware samples onto the infected machine.


Koobface - Goodbye Facebook!

It looks like Koobface has started to lose interest in Facebook. We first observed this dramatic change around February this year. All of a sudden, the bot herders were no longer instructing zombies to post fake messages to compromised Facebook accounts. Our first impression was that it was just a temporary move, but a continued silence of about two months is not something that can be ignored. The last time we saw Koobface trying to pollute Facebook was around Feb 13th; at that time one of the messages posted looked like this:

February 13 at 3:19pm   
Youu’ve beren caght on our supefr smmall spy camerea!
http://12344cederberglineki.blogspot.com

where, as usual, the posted link redirected users to a fake YouTube video urging them to install a fake codec (in reality a Koobface malware binary) in order to watch a so-called stunning video.


Harnig Botnet: a retreating army

Rustock is not the only botnet which suffered from the recent takedown by Microsoft. It appears that Harnig (a.k.a. Piptea), a close relative of Rustock, is retreating as well. There is no evidence that someone is trying to shut down Harnig. It looks like a decision made solely by the bot herders. Why? I'll talk about it shortly.

Harnig is considered to be a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system. In return for this favor, the owners of the other malware families pay the bot herders a little sum, normally a few cents per machine. When it comes to pay-per-install networks, the type and amount of malware being dropped can't easily be determined. What matters is who is paying the bot herders, and when. But things between Harnig and Rustock were quite different. There has been a long-term relationship between the Harnig and Rustock botnets. For the last two years or so, Rustock has almost always been seen being spread through Harnig. Very rarely will one see Rustock using some other infection vector or pay-per-install network to propagate itself.

[Screenshot: Harnig]

One can see from the above screenshot that the Rustock installation is the result of a chain reaction:

Harnig --> Downloader.DigiPog (Rustock installer in plain text) --> Rustock spam engine (semi-fake password-protected 'rar' file containing the Rustock driver file).


An overview of Rustock

As you might have seen in the news, the largest spam botnet, Rustock, was recently taken down in a coordinated, collaborative way. All parties involved were bound by a sealed federal lawsuit against the John Does involved, but now that the case has been unsealed, it's time to talk about a few of the details. Why has Rustock been so successful for so long? How has it managed to stay off the radar, yet be the largest spammer in the history of the Internet? Why has it taken so long for anyone to take action against them?


The Dead Giveaways of VM-Aware Malware

I often overhear talk about so-called next-generation anti-VM, anti-sandnet and anti-debugger techniques and their *widespread* use by modern malware, and how this is hurting modern-day automated malware analysis and detection. Well, I find the facts are quite different. Most of these claims don't provide good evidence, and I consider them little more than an attempt to create FUD (Fear, Uncertainty and Doubt). The reality is that after the good old days of IRC bots, which were created mostly for fun, the majority of commercial malware has shown no interest in detecting VMs and/or debuggers. Why? I will come to the reasons later.

A while back, I talked about the world's top 20 malware list based on FireEye's real-time data feed. None of these malware families except for Conficker (number 11) try to detect virtual machines. What about taking into consideration the top 10 malware list given by Microsoft a while back? I can prove that none of these top 10 malware families try to detect a virtual environment.

How many malware families try to detect popular, publicly available sandnets like ThreatExpert? See for yourself.


Leouncia - Yet Another Backdoor - Part 2

[Note: This post is a continuation of my previous article]

Let's dive deeper into the internals of this powerful backdoor program.

1. Protocol Decryption

Leouncia's C&C payload decryption consists of two major phases. The first part is the formulation of a dynamic permutation table using a variable 128-bit key. This permutation table is then used to decrypt the actual payload.

Let me explain it step by step:

1.1 Table Construction

The main ingredient of this table construction is a 128-bit key. This key is extracted from the first 16 bytes of every payload stub. By payload stub, I mean the data after removing the HTTP headers. The bytes after the first 16 are the actual payload to be decrypted.

As part of the table construction, 1032 bytes of memory are allocated. After skipping the first 8 bytes, the next 1024 bytes are initialized with a counter value ranging from 0x00 to 0xff. These values are assigned in chunks of 4 bytes, so 256 iterations are enough to initialize this complete buffer. Next comes randomization of this buffer. This randomization is controlled by a dynamic byte value taken from the table itself, combined with one of the key's bytes. Let's explain it using a C-style syntax.

buf     = start of the 1024-byte buffer
A       = initialized with the start of the buffer
B       = initialized with the start of the key buffer
R       = initialized with 0
i and j = two counters, both initialized with 0

then it happens like this:

START loop

R = R + A[i] + B[j]
SWAP (A[i], buf[R])

j = j + 1
if (j >= 16)
    j = 0

i = i + 4

END loop (terminate after 256 iterations)


[Screenshot: Gen_table]
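As an added illustration (this is example code written for this page, not code from the FireEye post and not the malware's own routine), here is a Python model of the table construction just described, written the way an analyst would when building a lab decoder for captured CnC traffic. It makes three layout assumptions that the post leaves implicit: the 1024-byte buffer is modelled as 256 four-byte slots of which only the low byte is ever used (the post writes values in 4-byte chunks and advances the pointer by 4), R is kept to a single byte so that buf[R] always lands inside the table, and the 8 skipped header bytes are ignored because nothing on the page uses them. The function names split_stub, build_table and is_permutation are my own, and the sample stub is constructed.

```python
# Added example, not from the original post: model of the Leouncia
# permutation-table construction for use in a lab traffic decoder.
# Assumptions (mine, not stated by the post):
#  - the 1024-byte buffer is 256 four-byte slots; only the low byte of
#    each slot matters, so a slot is modelled as a small int;
#  - R is an 8-bit accumulator, which keeps buf[R] inside the table;
#  - the 8 skipped header bytes carry nothing used here and are ignored.
from typing import List, Tuple

KEY_LEN = 16          # 128-bit key at the start of every payload stub
TABLE_ENTRIES = 256   # 1024 bytes / 4 bytes per slot


def split_stub(stub: bytes) -> Tuple[bytes, bytes]:
    """Split an HTTP body (headers already stripped) into the 16-byte key
    and the ciphertext that follows it."""
    if len(stub) < KEY_LEN:
        raise ValueError("payload stub shorter than the 16-byte key")
    return stub[:KEY_LEN], stub[KEY_LEN:]


def build_table(key: bytes) -> List[int]:
    """Build the 256-entry permutation table from a 16-byte key,
    following the post's loop step by step."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly 16 bytes")
    # Initialisation: slot k holds the counter value k (0x00..0xff).
    table = list(range(TABLE_ENTRIES))
    r = 0
    j = 0
    for i in range(TABLE_ENTRIES):           # one slot per step (the post's i += 4)
        r = (r + table[i] + key[j]) & 0xFF   # R = R + A[i] + B[j], kept to one byte
        table[i], table[r] = table[r], table[i]  # SWAP(A[i], buf[R])
        j += 1
        if j >= KEY_LEN:                     # key byte index wraps after 16
            j = 0
    return table


def is_permutation(table: List[int]) -> bool:
    """Sanity check for a recovered table: every value 0..255 must appear
    exactly once, otherwise the decoder is reading the wrong bytes."""
    return sorted(table) == list(range(TABLE_ENTRIES))


if __name__ == "__main__":
    # Constructed sample stub: a made-up key followed by a fake ciphertext.
    sample_stub = bytes(range(16)) + b"\xde\xad\xbe\xef"
    key, ciphertext = split_stub(sample_stub)
    table = build_table(key)
    print("key:", key.hex())
    print("ciphertext bytes:", len(ciphertext))
    print("permutation ok:", is_permutation(table))
    print("first 8 table entries:", table[:8])
```

The post stops at the table construction, so the second phase (using the table against the remaining bytes) is not reproduced here. Structurally the loop above resembles the key-scheduling step of an RC4-style stream cipher, but the post does not name the algorithm, so treat that as an observation rather than an identification. The is_permutation check is the useful part for a defender: if a captured stub is split at the wrong offset, the table will still be built without error, and the permutation test is the quickest way to notice.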


Leouncia - Yet Another Backdoor

This is the second article in a row in which I am going to disclose the presence of another new backdoor malware. I recently saw this backdoor emerging on the threat landscape while investigating some targeted attacks. I named this malware Leouncia. Why? I'll make it clear later.

Like Vinself, Leouncia is a powerful backdoor that is designed to take complete control over the infected machine. In terms of code base, the two malware families look very different, but during my investigation I found some definite design similarities. I also found additional evidence that is sufficient to link the botnet operators behind these two malware families.

Are we prepared to face this threat? When I first submitted this malware to VirusTotal last week, antivirus coverage for this backdoor was very limited. Only two AVs out of the 43 available on VirusTotal were able to detect it, and only by generic heuristics. At this moment I can see some improvement, as one more AV has recently added detection for this, making the detection rate 3 out of 42.

[Screenshot: Liouncia]


VinSelf - A new backdoor in town!

I recently came across a new piece of Modern Malware found to be involved in a highly targeted attack. My initial exploration of the malware revealed it to be a powerful backdoor with the capability to give an attacker complete control over the infected system.

What's happening at the moment? A few weeks ago, we saw a powerful backdoor, Pirpi, exploiting the IE 0-day as part of some targeted attacks. Now comes Vinself. The emergence of new and powerful backdoors and their use in targeted attacks is evidence that modern malware is not only used to steal users' credit cards or send spam. There is much more at stake as well.

There are many out-and-out criminal gangs (some with potential political affiliations) who are after something more than material gains. They develop targeted malware to get into sensitive networks and then loiter, waiting for the chance to snatch confidential documents and/or intellectual property. Cases like Vinself (where the malware can fully function even behind proxy firewalls) are also an indication that the main target here is not desktop users.

During the investigation, I found many interesting facts about this malware, such as the CnC protocol, the obfuscation in use and the backdoor capabilities. Today I would like to share some high-level characteristics of this malware.


Bredolab - "It's not the size of the dog in the fight..

.., it's the size of the fight in the dog" that matters. Bredolab is not giving up. This morning, I found two more active CnC domains, not only alive but issuing new commands as well. These two domains are:

upload-good.net and lodfewpleaser.com

The Bredolab variant communicating with upload-good.net is especially important, as almost all AVs are missing it at the moment. Only 1 AV out of the 42 available on VirusTotal was able to detect it as malicious.

[Screenshot: Avs]


Feodo - A new botnet on the rise

We are seeing a trend where new banking trojans are emerging on the threat landscape very rapidly. First came Bugat, followed by Carberp. Unfortunately, it is time to meet 'Feodo'. Since August of this year, when FireEye's MPS devices detected this malware in the field, we have been monitoring this banking trojan very closely. In many ways, this malware looks similar to other famous banking trojans like Zbot and SpyEye. My analysis suggests, though, that this malware is not a toolkit and is in the hands of a single criminal group.

At the time of writing this article, AV coverage for this malware looks very disappointing. Of the 42 antivirus products listed on VirusTotal, only two were able to detect it as malicious. Screenshot from VT:
