Have you ever wondered how malware spreads, why there are so many compromised machines out there talking back to their C&C servers? There must be a medium, a vehicle if you will, to get a Zeus, a Rogue AV, a Rustock (not anymore :)) or any new malware onto a box. Have you ever wondered what this vehicle could be? If you answered exploits, then your answer is right. Exploits, pay-per-install schemes and social engineering are the main vectors for getting malware onto a machine. Exploit toolkits are point-and-click tools that package these exploits to make life easy for an attacker. At FireEye Labs, we continuously monitor the latest threats and exploit toolkits. One such toolkit that has come to our attention is the Incognito Toolkit. In 2011 we have noticed a sudden surge in our Incognito detections. This blog attempts to explain why this toolkit is so hard to detect, from the obfuscation techniques it uses to the kind of malware it drops. Though not as widespread as the Blackhole Toolkit, this toolkit looks like it is here to make a mark.
Without further delay, let's get into the finer workings of this toolkit. Let's see what happens once a user clicks on a malicious Incognito link.
The initial GET request returns a heavily obfuscated HTML page; the initial GET request looks like
Rustock is not the only botnet which suffered from the recent takedown by Microsoft. It appears that Harnig (a.k.a. Piptea), a close relative of Rustock, is retreating as well. There is no evidence that someone is trying to shut down Harnig. It looks like a decision made solely by the bot herders. Why? I'll talk about it shortly.
Harnig is considered to be a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system. In return for this favor, the owners of the other malware families pay the bot herders a small sum, normally a few cents per machine. When it comes to pay-per-install networks, the type and amount of malware being dropped can't easily be determined. What matters is who is paying the bot herders, and when. But things between Harnig and Rustock were quite different. There has been a long-term relationship between the Harnig and Rustock botnets. For the last two years or so, Rustock has almost always been seen being spread through Harnig. Very rarely will one see Rustock using some other infection vector or pay-per-install network to propagate itself.
One can see from the above screenshot that the Rustock installation is the result of a chain reaction:
Harnig -> Downloader.DigiPog (Rustock installer in plain text) -> Rustock spam engine (semi-fake password-protected 'rar' file containing the Rustock driver file).
As you might have seen in the news, the largest spam botnet, Rustock, was recently taken down in a collaborative, coordinated way. All parties involved were bound by a sealed federal lawsuit against the John Does involved, but now that the case has been unsealed, it's time to talk about a few of the details. Why has Rustock been so successful for so long? How has it managed to stay off the radar, yet be the largest spammer in the history of the Internet? Why has it taken so long for anyone to take action against them?
Adobe recently reported the existence of a new zero-day flaw in Flash Player which, according to them, affects Flash Player 10.2.152.33 and earlier versions. Soon after, additional news broke showing that this flaw had been used as part of limited targeted attacks. The initial attacks used an SWF file embedded inside an MS Excel file to lure users into clicking it. Once a user opens this Excel file, the Flash file embedded inside gets activated, exploiting this vulnerability. The Bugix-security blog described the exploitation process in great detail here.
Today, I would like to extend this analysis by talking more about the malware behind the exploit. What kind of malware is this? What does it do, and who might be the people behind this attack? During the course of my investigation, I found some clues leading me to the potential hackers behind these attacks. My preliminary analysis shows that Chinese hackers are probably the masterminds of this attack. I will come to the reasons for this conclusion later.