In this post I will go over the latest botnet making the headlines. The "Finjan botnet" appears to be large and strikes fear into many. As an average computer user, should you be afraid of the botnet, or should you be scared of being compromised by a Trojan? How bad can one piece of malware be?

I would like to give credit to FireEye for trying to track down the Finjan Botnet that Finjan first reported on. Reading through the Finjan and FireEye write-ups, one is able to reconstruct the trail and also discover the path taken. We can see two major types of Trojans that play a part in this. We have the VBInject Trojan and the AutoIt Trojan.

There are two servers on the same network to which VBInject phones home: x.x.62.2 and x.x.21.186. The server at x.x.21.186 is no longer responsive and appears down at this time. The server at x.x.62.2 is still up and DNS still responds with that IP address for the domain name used in these attacks. If you actually try to browse to that domain though, you will not arrive at this server. As you can see from reading the FireEye article, the Trojan phones home to /ldr/loadlist.php. It downloads more malware from /ldr/dl/. One of the Trojans it downloads is AutoIt.

At the time of this post, if you navigate to /ldr/dl/ you are presented with a directory structure where the Trojans had been kept but now they are gone. If you navigate to the /ldr/ directory you are presented with a login screen. It says "A username and password are being requested by http://.x.x.62.2. The site says: Fun House-10001" Is this a login page to control a botnet?

Now AutoIt looks to phone home to one server with different domain names. I have found at least five different .info domains associated with one particular IP address in the 124.217.x.x range. If you look at /proxy.cfg off of one of those domains it pops up proxy information that says to have everything open and to use the OpenDNS name servers for DNS resolution. When attempting to do a fake phone home I was presented with the below response which is the same response that FireEye got back, however the domains have changed from one ten-letter nonsensical .com domain name to another.

Here is the fake phone home that FireEye posted.

Notice that the user agent is listed as AutoIt. This is the AutoIt Trojan phoning home and the response is to download around 15 pieces of malware. FireEye posted the details of all of the malware in their blog post. Also I found an interesting script where AutoIt sends email through a Gmail account at http://pastie.org/pastes/385624/.

From my investigations into the various malware that use these domains I saw that anIP address in the 124.217.x.x range also pops up. This IP might serve the same function as the one in the 124.217.x.x range but I have not seen any domains for it. Both the ten-letter nonsensical .com domain names resolve to an IP address in the 94.75.x.x range. By using Google and one of the.com domain names in a search I found the whole directory listing for this malware server. When going to /_private/ it asks for a login page. “A username and password are being requested by http://xxxxxxxxxx.com. The site says: "xxxxxxxxxx.info"” The .info domain name also resolves to the same 94.75.x.x IP address.
 

Other notes in regards to the Finjan article. The Trojan that is partially redacted from their write-up is ZCHMIB.EXE and can be seen phoning home "66.90.x.x/bots /control.php?action=getMessage&version=test|16". An interesting thing about this Trojan is that it uses a site called Decaptcha to bypass captcha’s for sites. The site also has a /bot/captcha/ directory to bypass Gmail captcha so it can send spam.

The other file that was partially redacted on the Finjan site looks to be SENEKA[random].DLL. This might be associated with the TDSS/Seneka rootkit. It performs a phone home to a server in the Ukraine "GET /seneka/engine/ld.php?affid=303350&action=2". This might be the server that Finjan was talking about in regard to the botnet. The IP addresses related to this are both on the same 78.26.x.x network.

The 78.26.x.x IP addresses are no longer in use. The IP addresses resolved to a domain name that now resolves to an IP address in the 94.75.x.x range which is already associated with yet another domain name. The original domain comes to a login page but new domain name does not. At this time there is no “0-day” binary that has been identified by Finjan or anyone else to be the botnet.
 

As you can see by following the trail, gone are the days where you have just one Trojan infection. When you have an infection it usually comes from what is known as a Trojan dropper or downloader that will then download many more Trojans that each serves a purpose. From the Finjan article, the botnet masters used their dropper to open up a botnet. From this botnet they were able to specify what Trojans to download for whatever purpose they wanted. Trojans now come in many flavors.

You have spamming Trojans, ransomware, keyloggers, ones that steal your personal data, and many more. The end goal is monetary gain. When you become infected today, it is best to just do a complete reformat of your machine instead of trying to recover it, because you really don’t know how many infections you have. I have read plenty of articles where someone cleans their machine and they think everything is fine only to find more malware days to weeks later.

There is not any perfect AV tool; there is no perfect solution for any one problem. Your best defense is to practice what is called defense in depth and to only go to known websites. Don’t open mail from people you don’t know and be careful opening attachments from people that you do know. Update your OS and software regularly, including AV. Just having AV does not mean that you are protected; you also have to keep it updated.

• FireEye Blog – http://blog.fireeye.com/research/2009/04/botnetweb-part-ii.html
• Finjan article – http://www.finjan.com/MCRCblog.aspx?EntryId=2237
• Prevx shows ZCHMIB.EXE – http://www.prevx.com/filenames/1521641268775071064-X1/ZCHMIB.EXE.html
• ThreatExpert shows TDSS/Seneka activity – http://www.threatexpert.com/report.aspx?md5=5a1a6f4e83900e86c3e7dc62554318ac

On October 23, 2008, Microsoft released an out-of-cycle emergency patch for a flaw in the Windows RPC code. The reason for this unusual occurance was the discovery of a “zero-day” exploit being used in the wild by a worm (or trojan, depending on how you look at it). The announcement of a new remote exploit for unpatched Windows systems always raises tension levels among network administrators. The fact that this one was already being used by a worm evoked flashbacks of Blaster and Sasser and other previous threats that severely impacted the networked world.

But, unlike these past worms, Gimmiv turned out to have infected scarcely any networks at all. One reason for this is that the scanning done by Gimmiv looking for vulnerable hosts is limited to the local subnet, meaning it can only jump networks if an infected computer is moved from one network to another. Even if this were not the case, by default Windows XP SP2 (and above) restricts connections to the RPC ports to the local subnet only. So although future trojans and worms might utilize the same exploit, the window of opportunity for a globally impacting worm using this vector has passed for the most part.

Because of some mistakes made by the author(s) of Gimmiv, third parties were able to download the logfiles of the Gimmiv control server. Although most of the data in the logs is AES-encrypted, we were able to find the key hardcoded in the Gimmiv binary and decrypt the data.

Although it has been reported that Gimmiv is a credential-stealing trojan, this functionality is actually not used – the gathered data is never sent. What is sent is simply basic system information, such as the Windows version, IP and MAC address, Windows install date/time and the default system locale. Using this data we were able to track exactly how many computers had been infected prior to October 23rd (after this time infection counts are somewhat skewed due to malware researchers all over the world investigating Gimmiv). As it turns out, only around 200 computers were infected since the time Gimmiv was actively deployed on September 29, 2008.

By converting the decrypted log data into KML format, we were able to use Google Maps and Google Earth to take a look at the global impact and spread of Gimmiv. Only 23 countries had infected users, and Southeast Asia appeared to have the greatest number of infections:

Each computer on the maps above represents a Gimmiv-infected location – due to NAT, this may include dozens of computers. For example, two networks in Malaysia had the most infections:

While Malaysia was the hardest hit, it appears that the “in-the-wild” spread of Gimmiv may have started in Vietnam on September 29:

But, looking in the logs, we actually see that Gimmiv appeared first on August 20, 2008 – but we don’t count this as being in-the-wild. This is because logs were seen from only two IP addresses, only briefly. One of these IP addresses, located in Korea, we can tell was running Gimmiv in a VMware virtual machine – exactly the kind of thing you might expect someone testing a piece of malicious mobile code to do:

Additionally, a zip file left behind on one of the control servers contained Korean characters in the compressed folder name. For these two reasons, we believe Gimmiv’s author is probably from South Korea.

The KML file used to generate the maps above can be downloaded into Google Earth and is available here.

If you saw the following browser window pop up on your desktop today for no apparent reason, you are:

For several years now, there has been a steady, increasing effort by computer criminals to utilize malware in order to steal data from victim computers. Often the criminals don’t actually write the malware, they simply download a trojan kit, configure it for their purposes and then spread it using various methods. We talk about these schemes all the time, yet there’s no good term to describe these miscreants.

They’re not exactly phishers, although they have the same goals.

They’re not VXers, and “trojan-fraudsters” doesn’t quite have a ring to it. But, if we think about what it is these criminals do for a living, it is quite analogous to piracy on the high seas. Hijacking (boarding) your computer and stealing your money, all done over the Internet, where no single jurisdiction applies.

Thus, I propose we redefine the term “computer piracy” to mean “the hijacking/unauthorized entry of another person’s computer for the purpose of stealing resources, data or money”. What most people think of as computer piracy these days isn’t really piracy anyway, it’s copyright infringement. It’s time to take back the definition of piracy and apply it to something it actually fits. The trojan-using fraudsters and thieves are nothing more than modern pirates.

Having this redefinition also suggests alternate ways of dealing with the problem – in days of old, private parties were commissioned with capturing and seizing the assets of pirates by letters of marque and reprisal. Although it sounds like an archaic concept, letters of marque are still authorized by the U.S. Constitition, and in fact, have been suggested as a possible means for capturing Osama bin Laden, in the Marque and Reprisal Act of 2001 introduced into Congress by Rep. Ron Paul of Texas.

You may be thinking “yes, but privateers were often indistinguishable from pirates in previous centuries.” Yes, that’s true – it was difficult for a country issuing a letter of marque to monitor the activities of its privateers on the high seas. This kind of unchecked power plus the amount of wealth that travelled on merchant ships often led to greed and corruption.

These days we have computer security researchers already tracking down the pirates in their spare time, for free. They’re not looking for a payoff for their efforts other than seeing the miscreants go to jail and/or pay restitution. Seizing an asset these days might simply mean forcing a registrar to remove a domain name or an ISP to identify and/or disconnect a customer (given proof of fraudulent activity) – something the private crimefighter currently doesn’t have the authority to do. Most already work with law enforcement at home and abroad, however it is becoming increasingly clear that the current level of law enforcement effort is not making a noticeable impact in the amount of trojan activity.

In late June, SecureWorks Senior Researcher Joe Stewart and I discovered new, previously undetected variants of the Prg Trojan. (see Prg Trojan). This week, I uncovered the largest, single cache of stolen data from the PrgTrojan. The Trojan, also called wnspoem, was originally discovered by Secure Science and analyzed by Michael Ligh in November 2006.

The data, which includes bank and credit card account information, SSNs, online payment account usernames and passwords and other personal information, is from 46,000 victims who were all individually infected. The infection began in early May. The victims are being infected and reinfected by ads on various online job sites. The hackers behind this scam are running ads on job sites and are injecting those ads with the Trojan.

Thus, when a user views or clicks on one of the malicious ads, their PC is getting infected and all the information they are entering into their browser (including financial information being entered before it reaches the SSL protected sites) is being captured and sent off to the hacker’s server in Asia Pacific. This server is still collecting stolen data and at any one time, we are seeing 9,000 to 10,000 victims sending information to the server.

When I first discovered this large cache of data, I couldn’t figure out how the hackers were compromising so many websites, and as a result, infecting so many victims. However, when I uncovered the Trojan-injected advertisements, it made total sense. These job sites get quite a bit of traffic so it is no wonder that the hackers are having such success. Not only is SecureWorks seeing a large infection rate among victims but they have found that many of the victims are being reinfected, causing them to have chronic infections of the Prg Trojan.

PC users are visiting these job sites and viewing these ads. They are then getting infected and two to three weeks later (after the hacker has captured their information) their anti-virus is catching the Trojan and wiping it off their PC. However, they are then going back to these online job sites, clicking or viewing another malicious ad and getting reinfected by the latest variant.

The hackers behind this scam are releasing a new variant every five days to a week on average, and sometimes even quicker. Anti-virus is having a hard time keeping up with so many variants, so infections are going undetected for several weeks, and although it might eventually get cleaned off the user’s machine, many of them are getting reinfected by a totally new, undetectable variant, and the infection cycle starts all over again.

How to Detect if Your Computer is Infected

Computers infected with the Prg Trojan will have a backdoor proxy server listening for connections on port 6081. This port is not assigned to legitimate services and is not hidden by the rootkit functionality. If port 6081 is open on your computer, you are likely infected with the Prg Tojan. If anti-virus is not detecting the infection, then you will need to boot the computer into Safe Mode and run another scan. If that fails, manual removal or reinstalling the operating system may be necessary.