<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CounterMeasures - A Security Blog » ZeuS</title>
	<atom:link href="http://countermeasures.trendmicro.eu/tag/zeus/feed/" rel="self" type="application/rss+xml" />
	<link>http://countermeasures.trendmicro.eu</link>
	<description>Trend Micro&#8217;s Rik Ferguson blogs about current security issues.</description>
	<lastBuildDate>Wed, 01 Feb 2012 14:48:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>History of the botnet &#8211; White Paper</title>
		<link>http://countermeasures.trendmicro.eu/history-of-the-botnet-white-paper/</link>
		<comments>http://countermeasures.trendmicro.eu/history-of-the-botnet-white-paper/#comments</comments>
		<pubDate>Fri, 12 Nov 2010 13:09:08 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[downadup]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[waledac]]></category>
		<category><![CDATA[worm_downad]]></category>
		<category><![CDATA[ZeuS]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2463</guid>
		<description><![CDATA[Just a quick update: the three-part series I have blogged here has been published today as a White Paper. If you&#8217;re interested it can be downloaded here as a 13-page PDF.]]></description>
			<content:encoded><![CDATA[<p>Just a quick update: the three-part series I have blogged here has been published today as a White Paper. If you&#8217;re interested it can be downloaded <a onclick="pageTracker._trackPageview('/go/CMblog/botnetwhitepaper/');" href="http://uk.trendmicro.com/imperia/md/content/uk/trendmicro_the_botnet_chronicles_en.pdf">here</a> as a 13-page PDF.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/history-of-the-botnet-white-paper/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Bredolab, dead, dying or dormant?</title>
		<link>http://countermeasures.trendmicro.eu/bredolab-dead-dying-or-dormant/</link>
		<comments>http://countermeasures.trendmicro.eu/bredolab-dead-dying-or-dormant/#comments</comments>
		<pubDate>Tue, 26 Oct 2010 16:14:07 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Bad guys always lose]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Fake AV]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[ZeuS]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2431</guid>
		<description><![CDATA[As I blogged earlier today, Dutch law enforcement took action to remove 143 servers from the internet which were acting as command &#38; control servers for the Bredolab botnet. In an update to that news, they have also announced the arrest of a 27-year-old Armenian citizen suspected of being the brains behind [...]]]></description>
			<content:encoded><![CDATA[<p>As I <a href="http://countermeasures.trendmicro.eu/dutch-authorities-move-on-bredolab/">blogged </a>earlier today, Dutch law enforcement took action to remove 143 servers from the internet which were acting as command &amp; control servers for the Bredolab botnet.<br />
&nbsp;<br />
In an update to that news, they have also <a href="http://www.guardian.co.uk/technology/2010/oct/26/bredolab-worm-suspect-arrested-armenia">announced the arrest</a> of a 27-year-old Armenian citizen suspected of being the brains behind the operation.<br />
&nbsp;<br />
So is Bredolab, dead, is it dying or is it simply dormant?<br />
&nbsp;<br />
The glib answer is that we don&#8217;t know, but let&#8217;s consider the current situation. Many if not most of the victim machines infected by Bredolab remain infected; the botnet has simply been decapitated. How effective has that decapitation been? The graph below shows the marked decrease in the number of Bredolab samples collected from a pool of Bredolab C&amp;C servers, which clearly shows the effectiveness of the law enforcement action.<br />
&nbsp;<br />
<a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/10/bredo_davido.jpg"><img class="size-full wp-image-2432" title="Bredolab binaries downloaded over time" alt="Bredolab binaries downloaded over time" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/10/bredo_davido.jpg" width="510" height="262" border="0" /></a><br />Bredolab binaries downloaded over time<br />
&nbsp;</p>
<p>What we do know, though, is that there is at least one Bredolab C&amp;C server still active and that it is not hosted in the Netherlands; where there is one, there is the potential for more.<br />
&nbsp;<br />
TrendLabs continue to monitor the situation, but it is clear from past experience with botnets such as Mega-D and Cutwail that criminal software displays remarkable tenacity and a disturbing ability to rise phoenix-like from the ashes of a concerted take-down attempt. Let&#8217;s hope that is not the case with Bredolab.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/bredolab-dead-dying-or-dormant/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Dutch Authorities move on Bredolab</title>
		<link>http://countermeasures.trendmicro.eu/dutch-authorities-move-on-bredolab/</link>
		<comments>http://countermeasures.trendmicro.eu/dutch-authorities-move-on-bredolab/#comments</comments>
		<pubDate>Tue, 26 Oct 2010 10:53:49 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Bad guys always lose]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Fake AV]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[Rogue AV]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[ZeuS]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2422</guid>
		<description><![CDATA[According to a press release today from the High Tech Crime Team of the National Crime Squad in the Netherlands, action has been taken to isolate 143 servers from the Internet. The servers were actively involved in the Bredolab botnet; from the release they would appear to be command and control servers. The servers were hosted [...]]]></description>
			<content:encoded><![CDATA[<p>According to a <a href="http://www.om.nl/actueel/nieuws-_en/@154338/dutch_national_crime/">press release</a> today from the High Tech Crime Team of the National Crime Squad in the Netherlands, action has been taken to isolate 143 servers from the Internet.<br />
&nbsp;<br />
The servers were actively involved in the <a href="http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/bredolab_final.pdf">Bredolab</a> botnet; from the release they would appear to be command and control servers. The servers were hosted by a company called LeaseWeb, one of the largest hosting providers in the Netherlands, who fully cooperated in the coordinated takedown operation.<br />
&nbsp;<br />
<div id="attachment_2423" class="wp-caption alignleft" style="width: 550px"><img class="size-full wp-image-2423 " title="celebdeath1" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/10/celebdeath1.jpg" alt="" width="510" height="281" /><p class="wp-caption-text">Bredolab infection mails</p></div><br />
&nbsp;<br />
Bredolab is primarily a downloading platform and has served to distribute fake AV and ZeuS to victim computers. The botnet, which originated in Russia, only rose to prominence in August 2009. Dutch Authorities estimate that it was capable of infecting 3 million computers per month at its peak. The primary initial trigger for infection with Bredolab was usually through mail, but infection vectors have been widely abused and also include drive-by download and even propagation through other forms of malware: for example, Cutwail has been seen to drop Bredolab as a payload, and Bredolab has been known to return the favour!<br />
&nbsp;<br />
It is unclear right now whether the botnet has been effectively decapitated or if this only represents a setback to the criminals behind it. The bots remain infected with the malware, so if alternative command &amp; control servers exist, then reconfiguration and regrouping remain a possibility. TrendLabs are investigating current activity levels of the botnet and I will update this blog as soon as new information is available.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/dutch-authorities-move-on-bredolab/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>TechCrunch Europe hacked</title>
		<link>http://countermeasures.trendmicro.eu/techcrunch-europe-hacked/</link>
		<comments>http://countermeasures.trendmicro.eu/techcrunch-europe-hacked/#comments</comments>
		<pubDate>Mon, 06 Sep 2010 16:03:22 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[web]]></category>
		<category><![CDATA[ZeuS]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2303</guid>
		<description><![CDATA[The eagle-eyed harmony guy spotted about an hour ago that some malicious code had been added to the WordPress installation over at TechCrunch Europe. The code redirects to a host which is serving up malicious PDF files. The PDFs are designed to exploit a vulnerability which leads to the download of [...]]]></description>
			<content:encoded><![CDATA[<p>The eagle-eyed <a href="http://twitter.com/theharmonyguy/status/23151442700" target="_blank">harmony guy spotted</a> about an hour ago that some malicious code had been added to the WordPress installation over at TechCrunch Europe.<br />
&nbsp;<br />
<div id="attachment_2304" class="wp-caption alignleft" style="width: 447px"><img class="size-full wp-image-2304" title="techcruch europe infection" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/09/techcruch.png" alt="" width="437" height="334" /><p class="wp-caption-text">Web reputation breaks the infection chain</p></div><br />
&nbsp;<br />
The code redirects to a host which is serving up malicious PDF files. The PDFs are designed to exploit a vulnerability which leads to the download of that Poison Ivy of the criminal underworld, ZeuS.<br />
&nbsp;<br />
The malicious server is hosted by Netdirect over in Frankfurt Germany, a provider with a relatively <a title="Diagnostic page for AS28753 (NETDIRECT)" href="http://www.google.com/safebrowsing/diagnostic?site=AS:28753" target="_blank">colourful history</a> of their own.<br />
&nbsp;<br />
The file itself has <a href="http://www.virustotal.com/file-scan/report.html?id=d756a1bd936e30739fe23cbe2896e1b301825f347aae72ff8a7f428831e1819b-1283786063" target="_blank">very low detection rates </a>at present and only serves to underline the need for a security solution that considers the threat as a whole instead of focusing on one aspect of the threat.<br />
&nbsp;<br />
If you&#8217;re using our stuff, you&#8217;re safe: the redirection to the bad host never happens and you never see the malicious file.<br />
&nbsp;<br />
The folks at TechCrunch have been made aware and we hope they clean up their WordPress installation soon.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/techcrunch-europe-hacked/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Identity Crisis?</title>
		<link>http://countermeasures.trendmicro.eu/identity-crisis/</link>
		<comments>http://countermeasures.trendmicro.eu/identity-crisis/#comments</comments>
		<pubDate>Wed, 31 Mar 2010 20:06:45 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[ZeuS]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1956</guid>
		<description><![CDATA[What if confidence in a person&#8217;s identity were eroded to such a degree that it became impossible to prove who you are anymore? Cybercrime is already laser focused on information theft in its many forms; banking details, information to assist in the theft of identity such as driving licence numbers, passport numbers, mother&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p><strong>What if confidence in a person&#8217;s identity were eroded to such a degree that it became impossible to prove who you are anymore?</strong><br />
&nbsp;<br />
<div id="attachment_1960" class="wp-caption alignleft" style="width: 590px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/03/beer.jpg"><img class="size-full wp-image-1960" title="beer" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/03/beer.jpg" alt="" width="510" height="398" /></a><p class="wp-caption-text">Yes sir, that ID appears to be in order.</p></div><br />
&nbsp;<br />
Cybercrime is already laser focused on information theft in its many forms: banking details, information to assist in the theft of identity such as driving licence numbers, passport numbers, mother&#8217;s maiden name, date of birth, place of birth; the list goes on. Underground forums already exist where this information is traded as a commodity; whole identities for the purposes of financial fraud (loans, credit cards etc.) can be bought for as little as $10 USD.<br />
&nbsp;<br />
Much of this theft is accomplished through the use of malware, malicious software infecting people&#8217;s computers. This type of criminal malware used to be the preserve of organised crime, as the cost of purchase was prohibitive to hobbyists. Now, however, ZeuS, for example, which used to be a top-end product, is available to download free of charge. ZeuS and malware like it have advanced information-stealing and remote control capabilities that allow an attacker to snoop on, modify or steal any information stored on your PC, entered into your browser or any key you press on the keyboard. Crimeware of this sort has become so widespread and so cheap that criminals are now resorting to selling it with add-on services such as hosting or management in order to attract customers.<br />
&nbsp;<br />
In an age where utility companies, credit card companies, banks and other financial institutions are moving their customers ever more toward online services, e-billing and e-statements, aren&#8217;t we only making it simpler to steal an identity and at the same time harder to assert one? Stolen documents and templates for document creation are available online if you know where to look, so that&#8217;s your driving licence taken care of, and your passport for that matter. When it comes to proving your address, well, don&#8217;t you normally need something like your most recent utility bill, or for a mortgage your last three months&#8217; bank statements&#8230;<br />
&nbsp;<br />
The standard advice has always been, and continues to be, &#8220;Buy a shredder, shred all personal correspondence, deter identity thieves&#8221;. The truth is, though, that much identity theft is perpetrated electronically, and if the criminal can use their software to steal your login details for your utility companies, bank and mortgage provider they have no need to go rummaging through your bin bags at three in the morning.<br />
&nbsp;<br />
What do I have, what do any of us have, that really incontrovertibly proves that we are who we say we are? Remember biometric identification is only as good as the initial ID itself, so if I can be you, I can be you enough to apply for a biometric document and present my *own* fingerprints, iris or facial geometry. What then? Do I become you? Who then are you? If we gradually change the parts of a car until nothing is left of the original and yet all the parts make the whole, is it the same car?<br />
&nbsp;<br />
If trust were eroded to such an extent that no one had the confidence necessary to trust a &#8220;proof&#8221; of identity, what would be the outcome? Would the local and even global financial system collapse as the risk of lending became too great? Would the world of online consumer commerce carry on regardless, asserting that &#8220;<em>reception of funds is sufficient proof to ship</em>&#8221;, thus furthering the crisis of confidence as everyone&#8217;s bank accounts became a public and shared utility?<br />
&nbsp;<br />
In a worst case scenario the financial system as we know it today ceases to exist, no further mortgages or loans are possible, and bank accounts become untrusted by default rather than inviolate bastions of privacy. Criminal intelligence that relies on tracking identities, such as counter-terrorism, declines in capability until it represents a liability and a serious inconvenience to the innocent as they are repeatedly accused of acts they did not commit. We cannot retreat back into the paper-based society of the 1900s, as advances in information technology have voided any pretence of reliability that it may ever have offered. Neither can we rely on having chips implanted under our skin; that technology as it stands today has already been shown to be unreliable, and besides, if all it takes is ownership of a chip, then aren&#8217;t offences such as kidnap and murder viable options for identity theft?<br />
&nbsp;<br />
Perhaps society would return to the parochial notion of &#8220;<em>If you weren&#8217;t born in the village then I don&#8217;t know you and I don&#8217;t trust you</em>&#8221;; no change then for where I live!</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/identity-crisis/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Kneber for sale or rent (rooms to let 50 cents)*</title>
		<link>http://countermeasures.trendmicro.eu/kneber-for-sale-or-rent-rooms-to-let-50-cents/</link>
		<comments>http://countermeasures.trendmicro.eu/kneber-for-sale-or-rent-rooms-to-let-50-cents/#comments</comments>
		<pubDate>Fri, 19 Feb 2010 13:15:58 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[kneber]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ZeuS]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1790</guid>
		<description><![CDATA[I realise I might be getting a reputation as the infosec curmudgeon, always ready with a bucket of cold water when the occasion demands, but once again I feel moved to write about hype. &#8220;Seemingly there is no reason for these extraordinary intergalactical upsets. Only Dr Hans Zarkov formerly at NASA has provided any explanation&#8221;* [...]]]></description>
			<content:encoded><![CDATA[<p>I realise I might be getting a reputation as the infosec curmudgeon, always ready with a <a title="Google, China, Chicken Little and Cyber Armageddon"  href="http://countermeasures.trendmicro.eu/google-china-chicken-little-and-cyber-armageddon/" target="_blank">bucket of cold water</a> when the occasion demands, but once again I feel moved to write about hype.</p>
<blockquote><p>&#8220;Seemingly there is no reason for these extraordinary intergalactical upsets. Only Dr Hans Zarkov formerly at NASA has provided any explanation&#8221;*</p></blockquote>
<p>Stories in the press recently have been aghast at the scale of a &#8220;new&#8221; botnet called Kneber. According to a <a title="NetWitness blog" href="http://www.networkforensics.com/2010/02/18/move-over-china-here-comes-russia/" target="_blank">report from NetWitness</a>, one particular botnet that uses the ZeuS crimeware has successfully infiltrated thousands of corporations and tens of thousands of computers. This is of course terrible news for the companies affected, and certainly many corporate security lessons can be learned from experiences such as this.</p>
<p>&nbsp;</p>
<p>What is important to point out though is that there is nothing at all that is &#8220;new&#8221; or &#8220;unprecedented&#8221; about a botnet using ZeuS or a botnet of this size; <a href="http://threatinfo.trendmicro.com/vinfo/web_attacks/ZeuS_ZBOTandKneberConnection.html" target="_blank">ZeuS (or ZBot)</a> has been around since at least 2007. In the online underground ZeuS is the equivalent of commodity crimeware. It is openly traded in online forums both as a software product and as preinfected botnets. Increasingly providers are finding that they must bundle services with their criminal offering, or Crimeware as a Service.</p>
<p>&nbsp;</p>
<p><div id="attachment_1792" class="wp-caption alignleft" style="width: 621px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/saleorrent.gif"><img class="size-full wp-image-1792" title="Screen shot from underground forum" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/saleorrent.gif" alt="Screen shot from underground forum" width="510" height="333" /></a><p class="wp-caption-text">Screen shot from underground forum</p></div><br />
&nbsp;</p>
<p>Older versions of the software are downloadable free of charge, though these are often backdoored by other criminals. There is no honour among thieves. In fact botnets are in such plentiful supply that the price of preinfected machines is surprisingly low.<br />
&nbsp;</p>
<div id="attachment_1793" class="wp-caption alignleft" style="width: 248px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/botsale.gif"><img class="size-full wp-image-1793 " title="Screen shot from underground forum" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/botsale.gif" alt="Screen shot from underground forum" width="238" height="199" /></a><p class="wp-caption-text">175 thousand bots for sale... globally.</p></div>
<p>&nbsp;</p>
<p>Of course if you don&#8217;t have the means or the desire to run your own botnet, you can always simply buy the output&#8230;</p>
<p>&nbsp;</p>
<div id="attachment_1795" class="wp-caption alignleft" style="width: 502px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/zeuslogs2.gif"><img class="size-full wp-image-1795" title="Screen shot from underground forum" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/zeuslogs2.gif" alt="https://zeustracker.abuse.ch/index.php" width="492" height="253" /></a><p class="wp-caption-text">I&#39;m a lumberjack and I&#39;m OK. Logs for sale.</p></div>
<p>&nbsp;</p>
<p>A quick look at <a title="abuse.ch ZeuS Tracker" href="https://zeustracker.abuse.ch/index.php" target="_blank">ZeuS Tracker</a> shows they are tracking almost 1300 command &amp; control servers for various ZeuS botnets, of which about half are online right now. They show the average binary detection rate (how well your antivirus product detects the binary using pattern files or signatures) is as low as 49.62%, which goes some way towards explaining the successful infection rate.<br />
&nbsp;<br />
It is widely known that malware writers and other criminals have already worked out how to overcome traditional anti-malware protection that relies on pattern or signature updates. They simply roll their code as often as possible; estimates say that we are currently seeing a unique malicious binary every 1.5 seconds.<br />
&nbsp;<br />
So here&#8217;s corporate security lesson number one from this recent publicity&#8230;<br />
&nbsp;<br />
Make sure your anti-malware solution is not relying simply on the infection layer, &#8220;<em>what the file looks like</em>&#8221;; make sure that it is also investigating the exposure layer, &#8220;<em>where the file comes from and who the file reports back to</em>&#8221;. If ZeuS Tracker knows where the bad guy servers are, so should every one of your endpoints. At that point, what the actual binary looks like becomes a secondary issue.</p>
<p>&nbsp;<br />
By the way <a href="http://free.antivirus.com/rubotted/">here </a>is a free tool to check if you are a part of a bot network.<br />
&nbsp;<br />
* With apologies to Roger Miller and Queen</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/kneber-for-sale-or-rent-rooms-to-let-50-cents/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Your guilty conscience could get you pwned</title>
		<link>http://countermeasures.trendmicro.eu/your-guilty-conscience-could-get-you-pwned/</link>
		<comments>http://countermeasures.trendmicro.eu/your-guilty-conscience-could-get-you-pwned/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 15:28:59 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[ZeuS]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1746</guid>
		<description><![CDATA[I just received an email from some guy called Willie Hickey. Aside from having an extremely amusing name, Mr. Hickey was offering me some very urgent advice: The message reads &#8220;Hey, some jerk has posted your pictures (u understand what kind of pictures are there) and sent a link of them to all [...]]]></description>
			<content:encoded><![CDATA[<p class="mceTemp">I just received an email from some guy called Willie Hickey. Aside from having an extremely amusing name, Mr. Hickey was offering me some very urgent advice:</p>
<div id="attachment_1747" class="wp-caption alignleft" style="width: 638px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/williehickey.png"><img class="size-full wp-image-1747" title="Mail from Willie Hickey" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/02/williehickey.png" alt="Mail from Willie Hickey" width="510" height="198" /></a><p class="wp-caption-text">Mail from Willie Hickey</p></div>
<p>The message reads</p>
<blockquote><p>&#8220;Hey, some jerk has posted your pictures (u understand what kind of pictures are there) and sent a link of them to all ur friends. I have already replied back. Said, that he is an idiot. See the link:&#8221;.</p></blockquote>
<p>This little piece of social engineering is obviously designed to arouse fear and doubt in the recipient; &#8220;<em>Oh no, not those photos, the zookeeper promised he would destroy the negatives.</em>&#8221;</p>
<div class="mceTemp">Don&#8217;t be tempted though to click the link. There are no photos, there is no Willie Hickey.</div>
<div class="mceTemp">The link leads to a malicious JavaScript which redirects the browser to a Russian IP address, where multiple PDF exploits and an ActiveX exploit are used to push out a variant of the <a href="http://countermeasures.trendmicro.eu/nospace-for-another-banking-trojan/">ZeuS crimeware</a>. The sample itself has very low detection rates, with only <a title="VirusTotal" href="http://www.virustotal.com/analisis/a05cc494a906a791f9b395b16bcc82c9e8f1dd1a4c212aab33386dfb47e53c5e-1265209172" target="_blank">9 out of 40 detections on VirusTotal</a>.</div>
<div class="mceTemp">If you&#8217;re already a Trend Micro user you would be protected from this as the malicious website is already blocked by the Smart Protection Network and the malware detected. If you have received a similar mail and clicked the link and are worried you may be affected, run a free clean up with <a title="Trend Micro HouseCall" href="http://housecall.trendmicro.com/uk/" target="_blank">HouseCall</a>.</div>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/your-guilty-conscience-could-get-you-pwned/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>NoSpace for another banking Trojan</title>
		<link>http://countermeasures.trendmicro.eu/nospace-for-another-banking-trojan/</link>
		<comments>http://countermeasures.trendmicro.eu/nospace-for-another-banking-trojan/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 16:29:16 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[web]]></category>
		<category><![CDATA[Zbot]]></category>
		<category><![CDATA[ZeuS]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1514</guid>
		<description><![CDATA[Today saw the beginning of a new spam run from the ZeuS or Zbot family of malware. Victims will receive an email similar to the one below prompting them to &#8220;update&#8221; their MySpace account, very similar to the Facebook spam run from last week. Spam email from Zeus bot. The link in [...]]]></description>
			<content:encoded><![CDATA[<div class="mceTemp">Today saw the beginning of a new spam run from the ZeuS or Zbot family of malware. Victims will receive an email similar to the one below prompting them to &#8220;update&#8221; their MySpace account, very similar to the Facebook spam run from last week.
<dl id="attachment_1515" class="wp-caption alignleft" style="width: 503px;">
<dt class="wp-caption-dt"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/11/zeusmail.png"><img class="size-full wp-image-1515" title="Spam email from Zeus bot" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/11/zeusmail.png" alt="Spam email from Zeus bot" width="493" height="387" /></a></dt>
<dd class="wp-caption-dd">Spam email from Zeus bot</dd>
</dl>
</div>
<p>The link in the mail leads to a standard fake MySpace login page, so of course your account details are stolen. Once you have &#8220;logged in&#8221; though, the supposed &#8220;MySpace Update Tool&#8221; is waiting to trick the unwary into installing their very own variant of the ZeuS agent. We detect this as <a title="TSPY_ZBOT.SMP" href="http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.SMP" target="_blank">TSPY_ZBOT.SMP</a>; the Smart Protection Network also blocks the email spam and web addresses associated with this campaign.</p>
<div id="attachment_1516" class="wp-caption alignleft" style="width: 539px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/11/myspaceacctupdate.png"><img class="size-full wp-image-1516" title="Download page for the ZeuS agent" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/11/myspaceacctupdate.png" alt="Download page for the ZeuS agent" width="510" height="336" /></a><p class="wp-caption-text">Download page for the ZeuS agent</p></div>
<div class="mceTemp">What&#8217;s the big deal with ZeuS? Well here&#8217;s an extract from the readme (apologies for the English, I think it&#8217;s written for an Eastern European audience&#8230;)</div>
<blockquote>
<div class="mceTemp">&#8220;<em>Does not create suspicion on the presence if you it do not want. Here is available in view of that like to do many authors spyware: an unloading firewalls, antiviruses, an interdiction for their updating, blocking Ctrl+Alt+Del etc.</em><em>Separate file of a configuration that allows to protect itself from loss botnet in cases of inaccessibility of the preferred server. Plus additional (reserve) files of a configuration to which the bot will address when the basic file of a configuration will not be accessible. This system guarantees a survival of yours botnet in 90 % cases.</em></div>
<p><em>Interception of POST-data + interception of the pressed keys (including inserted data from a clipboard).</em></p>
<p><em>Transparent URL-redirect (on fake-sites etc.) with the task of the elementary conditions of a redirect (for example: only at GET or POST inquiry, at presence or absence of certain data in POST-inquiry).</em></p>
<p><em>Transparent HTTP (S) contents substitution (the Web-inject which allows to substitute not only HTML pages, but also any other type of data). Substitution is set by means of instructions of masks of substitution.</em></p>
<p><em>Adjusted TAN-grabber for any countries.</em></p>
<p><em>The IDEAL DECISION FOR VIRTUAL KEYBOARDS: After calling on necessary URL, there is a reception of a screenshot in the field of the screen where the left button of the mouse has been pressed.</em></p>
<p><em>Reception of certificates from storehouse &#8220;MY&#8221; (certificates with a mark &#8220;not exported&#8221; are not exported correctly) and its clearing. After it any imported certificate will be saved on a server.</em></p>
<p><em>Interception of a login/password of reports POP3 and FTP in independence of port and its record to logs only at successful authorisation.</em></p>
<p><em>Change local DNS, removal/addition of file recording %system32 %\drivers\etc\hosts, i.e. comparison of the specified domain with specified IP for WinSocket.</em></p>
<p><em>Reception of a screenshot from the computer of a victim in real time, the computer should is out of NAT.</em></p>
<p><em>Reception of commands from a server part and report sending back about successful performance. (Now start of a local/removed file, immediate updating of a file of a configuration, OS destruction).</em></p>
<p><em>Socks4-server.</em></p>
<p><em>HTTP (S) a PROXY-server.</em>&#8221;</p></blockquote>
<p>My favourite part of this particular readme though has to be this:</p>
<blockquote><p>&#8220;<em>Record just visited pages at the first start on the computer. It is useful at installation through sploits if you buy loadings from suspicious service, it is possible to learn that is loaded more in parallel.</em>&#8221;</p></blockquote>
<p>Basically, as a budding cybercriminal, it&#8217;s tough to find partners you can trust. So if the person you paid to load your bot up on their booby-trapped web page decides they will send their own little package to your victims as well, you&#8217;ll know about it.</p>
<p>This particular vendor is offering a fully installed, configured <em>and supported </em>ZeuS installation; control panel, agent builder and injection scripts for just $320 (USD).</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/nospace-for-another-banking-trojan/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

