PhishLabs Blog - News on Fraud, Phishing, Malware and Cybercrime » Malware

Avalanche hosted Zeus Trojan disrupted

John LaCour — Tue, 07 Sep 2010 13:37:08 +0000

While investigating an instance of the Zeus Trojan that was using the Avalanche bulletproof hosting botnet, PhishLabs discovered many of the domain names referenced in the Zeus configuration file had not yet been registered including the following four:

eitaepiephohthieleibesha.com
llakjshbeyrv3421jbs88xc.com
nmbnxcbjbh3hbhbdhjb3l4kjbn.com
nzytgero34xbhsbc8484kk.com

PhishLabs registered the domains and then pointed them to a server under our control and began logging requests. We analyzed the data and learned a number of interesting things.

This particular Zeus Trojan had infected approximately 270,000 systems. This is based upon the number of unique IP addresses and is only a rough approximately since IP addresses may change when using home broadband connections and in some cases multiple systems may be behind the same IP address such is the case with a corporate gateway and some ISPs.

There was a broad geographic distribution of infected users. We were not able to determine the original infection source, but given the geographic distribution we suspect it was not a targeted email campaign, but used drive-by exploits or similar to infect any system that could be.

PhishLabs has reported the IP addresses of infected systems to our clients and have now redirected these domains to our friends at Shadow Server who are helping get the data out to the right service providers.

Rock moves to email attachments

John LaCour — Tue, 17 Nov 2009 14:32:33 +0000

For over a year, the Rock Phish Gang was using the Avalanche botnet to host their various phishing scams and malware distribution sites. Fortunately, the botnet was shutdown last week - how long remains to be seen. Unfortunately, the Rock Phish Gang have not gone away.

These criminals continue to distribute their ZeuS trojans and steal funds from banking accounts. They have resorted to the old tactic of attaching the malware file directly to the email.

Recent scam emails have targeted Verizon Wireless and Vodafone with emails claiming that “Your credit balance is over its limit”. Today’s scam announces that “your mailbox has been deactivated” (despite sending you a message to your mailbox!).

Malicious email with attachment

In all three cases, the emails contain a .zip file which contains a Zeus banking trojan. Currently, this trojan is detected by 22 of 41 antivirus products according to VirusTotal. The malware also “phones home” to the same servers previously seen in Rock phish zeus malware. Details in this ThreatExpert report.

Cleaning up from the Avalanche

John LaCour — Fri, 13 Nov 2009 04:21:05 +0000

The Avalanche botnet, also known as “MS-Redirect”, has been responsible for hosting phishing pages and malware distribution attacks on over 35 organizations, including the IRS, Facebook, MySpace, most recently NACHA, and many more. Unfortunately, there’s a great deal of confusion over how this botnet works and how it’s related to other malware.

Let’s clear it up once and for all.

There are actually 3 distinct but related types of malware being used to commit various scams by one or more criminal groups.

Cutwail aka PushDo is a spamming trojan being used to send out massive amounts of spam with links (or lures) to phishing pages or pages that ask the users to download and run programs. Those programs invariably turn out to be instances of the Zeus/ZBot/WNSPOEM banking Trojan. There are also unrelated criminals that also use Zeus Trojans to steal online banking information that are not related to this set of scams. The Avalanche botnet is the middle-step between the spamming botnet and Trojans that steal banking information. It is basically a hosting platform used by the attackers. Because the Avalanche bots act as a simple proxy, and there are thousands of them, it has been exceedingly difficult to shutdown the phish pages. Instead most Anti-Phishing organizations have focused on shutting down the domain names that were used in the phishing URLs.

PhishLabs recently presented new information about the Avalanche botnet at the recent Anti-Phishing Working Group (APWG) fall conference. We were able to acquire a copy of the bot software and analyze it. What we learned is that the malware is actually rather simple. It listens on TCP port 80 for incoming connections and simply relays data receives to another server that hosts the actual phishing pages and malware files.

In an effort to help service providers and others clean-up Avalanche infected machines, here are the key details:

Bot Binary Path:	C:\windows\system32\sysservice.exe
Bot Configuration File:	C:\windows\system32\sysservice.dll
Registry Key:	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
	Microsoft Startup Manager = “%System%\sysservice.exe”

Removing the Avalanche bot components is as simple as deleting the two files and one registry key.

PhishLabs has also been able to determine the IP addresses for a large number of the infected systems. Service Providers are invited to contact us at info -at- phishlabs.com for a list. We have also shared this information with our friends at ShadowServer who are helping report infected systems as well.

CAIXA Brasil malware attack

John LaCour — Mon, 05 Jan 2009 16:40:56 +0000

CAIXA is the Federal Bank in Brasil which not only services private banks but millions of Brasilians through the national lottery, social services, unemployment benefits, and other services.

Recently, cybercriminals sent out the following email scam to tempt users in to installing malware on their systems:

CAIXA Brasil Scam Email

The text says essentially that they’re doing upgrade on their servers and users need to install the update at the link to maintain their Internet Access.

While the URL looks like it’s point to a government site in Brasil, it is actually pointing to a server in France and leads to a malicious software program name “sistema.exe” (MD5=2ce0b316d8ada0c52a6a154ba7a1b3ff). Currently 16 of 38 AntiVirus vendor’s detect this program according to Virus Total.

This attack uses tactics not commonly seen. The malware does not intercept or alter communication with a legitimate web site, nor does it redirect the user to a phishing site. Instead it prompts the user through a series of screens directly:

CAIXA Attack - First Screen

CAIXA Attack - Second Screen

There are several more screens prompting users for account information, personal information, passwords and PINs. Upon submitting the information, the malware application the sends the stolen information out to a couple of email addresses.

Updated: AntiVirus backdoor tests

John LaCour — Sun, 14 Dec 2008 01:06:16 +0000

In a previous blog posting I talked about how phishers typically use backdoor programs called PHP shells to access web servers and install their phish kits. I had tested several leading antivirus programs against a number of PHP shells that had been found in the wild to see how well they were detected. The results were disappointing.

Since I received several comments and questions from vendors after the first round of testing, I decided to do a follow-up test with the same files to see if anything has changed. With one exception, not much has changed. Big kudos go out to the Fortinet Team that moved from detecting only 17% of these backdoors to 98%. Unfortunately, they were the only vendor of the 24 tested to move into one of the top 10 spots.

Here are the entire updated results for all 24 vendors (note some companies use a scan engine from others – hence the duplicate results):

As I mentioned in my previous posting, not all of these vendors develop antivirus products that are designed for server environments and therefore it may be appropriate for them not to detect these files in some cases. That said, certainly web gateway products should prevent these backdoors from being installed via RFI attacks which is one of the more common methods used by phishers to install them. Another common tactic of phishers is to use web applications meant to allow users to upload photos or avatars. Far too often, these applications fail to check that the image file is actually an image or in other words fail the fundamental tenet of application security: don’t trust user input. Gateway antivirus products can help with both cases and should detect these malicious programs. Another class of antivirus product that should detect these files are those that can be configured to run “headless” or only on-demand. It’s not unusual for webhosting companies and system administrators to scan web servers that they suspect to have been compromised for malicious files. If products that support on-demand scanning would do a better job of detecting these files, they could help prevent phishing and other types of cybercrime.

Just in case you’re thinking that these PHP shells and backdoors are only used on Linux systems, don’t forget that PHP does in fact run on Windows. Many of these malicious programs have functionality to detect whether they are running on a Linux system or Windows system and adjust appropriately. Also, there do exist .NET backdoors as well. They are relatively rare compared to the wide variety of PHP shells, but they are out there and in the wild too. To see if the antivirus products had a PHP or .NET bias, I decided to test 7 .NET backdoors against the suite of 24 antivirus products as well. It’s hard to draw any conclusions about bias, but clearly these programs are not well detected. While most products detected at least one file, only 4 products detected at least 3 of the 7 files: BitDefender, ClamAV, Ikarus, and SecureWeb.

While I’ll continue my quest to have security products better detect malicious programs used by phishers, the next project will focus on the vulnerabilities exploited to gain access to web servers for phishing. I’ll be working with my colleagues at the AntiPhishing Working Group on this project and look forward to publishing the results from our study next year some time.

How AV software can stop phishing sites

John LaCour — Fri, 07 Nov 2008 15:59:50 +0000

Over the course of examining hundreds if not thousands of phishing sites I’ve learned that the vast majority of phishing sites are created by compromising legitimate web sites through vulnerabilities of one type or another. Most often the vulnerabilities are web applications which don’t properly check that user content is really just user content. For example, instead of uploading their avatar image to an online forum like ZeroBoard, hackers upload malicious files which they can then run on the server giving them access to the system. The application does a poor job (if any) of checking that the picture file is only a picture file.

The most often uploaded malicious files are PHP shells. A PHP shell is a PHP program which provides a hacker with access to the web server as well as many tools and features:

Find, Edit, Rename, Download Files
Point-and-click Directory and File Navigator
Shell Command Execution
PHP Statement Evaluation
Find Vulnerable Files and Directories
Upload / Download files from FTP Servers
Dump MySQL Databases
Create a proxy server
Create a back-connect shell
Encode / Decode Base64, URL escape encoding, etc.
Show running processes, system name, kernel version, IP addresses, etc.
Show PHP configuration (php.ini), safe-mode, register globals, etc.
FTP brute-force password cracker
Emailer (spammer)
Self-update and self-remove

c99 shell

The most common PHP shells are the C99 shell from the Captain Crunch Security Team and the r57 shell from the Rush Security Team / GHC. However, some PHP shells are simple one-box forms used to enter a command which will be executed on the server.

Because PHP shells make hacking easy and phish kits are freely available, even ‘ankle-biters’ can create phishing sites. In fact, most phishing is done by criminals with only mediocre computer skills. This is unfortunate because it makes the problem seem bigger than it is and limits our ability to focus in on the really bad actors. Those of us wearing the white hats need to find solutions that make it only possible for skilled cyber-criminals to attempt scams like phishing.

One possible solution is to detect and stop malicious programs like PHP shells on web sites. Perhaps anti-virus products could be used to detect malicious files like PHP shells. Then if web hosting companies would use these anti-virus products on their servers there would be less phishing. Of course it wouldn’t stop the problem altogether, but if we can make the ‘script kiddies’ that use PHP shells go away, we can stop a lot phishing and focus in on the really really bad guys.

So do anti-virus products detect PHP shells and other hacker backdoors? It turns out that some of them do with, not a surprise, varying detection rates. It’s ironic that security vendors a huge amount of time and money seeking every phishing site so that it can be included in blacklists and collecting every piece of Windows malware that’s out there, yet they don’t execute well on preventing hackers from plying attacks that lead toward more phishing and malware.

I decided to test out anti-virus products against some PHP shells and backdoors and see exactly how they fare. I started out by collecting PHP shells and backdoors from compromised systems. The files gathered were found ‘in the wild’ and weren’t created by me or by others as proof-of-concepts. Next I submitted them to an antivirus scanning system similar to VirusTotal built by Andreas Marx and av-test.org. Note that Andreas and av-test.org did not otherwise participate in this test in any way except by allowing me to use their multi-vendor scanner. Ultimately 99 malicious PHP files were scanned by 29 anti-virus scanners plus 6 more cases where beta signatures were used.

Top 10 Detection Rates for PHP Backdoors

The results are a bit disheartening, but there are some caveats worth mentioning:

Not all vendors have a Linux based product. Almost always (but not quite), the compromised system which has a PHP shell installed on it is running a version of Linux. So it’s perfectly reasonable not to detect files that generally are only used on an operating system on which your product doesn’t run.

Some anti-virus products are geared as gateway products and not file scanners. That means, that some anti-virus products might detect the HTML generated by these backdoors, identify them as unwanted web applications, and block access to the PHP shell. That’s easy enough to test, but wasn’t tested here.

Some of the PHP programs could be considered dual-use applications – used for evil or for good. That argument is some what constrained by the fact that the tested files were all from compromised web sites and nearly all were made by hackers for hackers.

Another argument is that it’s more important to focus resources on catching desktop malware. I disagree. Server compromises often lead to more desktop malware, more end-user phishing, and more distribution of spam. If every web site on the Internet were secure, almost all of the badness we see every day on the Internet would go away.

So how about it anti-virus vendors! Time to start detecting PHP backdoors?