The security industry is waiting eagerly for Finjan to release more technical details about their recent discovery of a multi-million sized botnet. I got a chance to speak with Fijan's representatives at RSA on April 23rd. I asked them about this new un-named / un-identified botnet, Unlucky me, Finjan couldn't give any more information, saying that currently they are working with law enforcement agencies so they are not in a position to talk more on this right now.
This did not stop me from carrying my investigation further. I need to assess the severity of this threat myself and have to make sure that our customers are protected against this particular threat. As far as I'm concerned, it's not cops or other law enforcement agencies that will protect those poor 1.9 million victims, its the job of the security industry. The challenge in front me was that Finjan did not disclose any clear information which could lead other security researchers to the true identity of this un-named botnet.
There were a few hints in the Finjan report which could be used to explore some hidden aspects of this botnet. The first hint was that this botnet had been seen to download Hexzone around March 29. I have covered Hexzone in detail in a previous article. ESET has also come up with a very good write-up about Hexzone here. The second hint was the joebox analysis report. This report showed a list of additional malware components downloaded by the un-named botnet.
For a quick re-cap, here is the first GET request as mentioned in the Finjan report:
GET /ploads/eula.exe HTTP/1.1
GET /ldr/loadlist.php?version=1 HTTP/1.1
A quick look into my sandnet data identified eula.exe as Trojan.VBInject which itself is a known generic downloader.
Here is a traffic snippet from my sandnet data:
GET /ldr/loadList.php?version=1 HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP/1.1 200 OK
Date: Mon, 09 Feb 2009 06:22:48 GMT
Server: Apache/2.2.3 (CentOS)
VBinject reads malware links from the HTTP response and installs them on the infected machine. These downloads are also visible in Finjan's download report. My next step was to traverse through all of my sandnet data in an attempt to find out how many malware samples have been seen downloading Trojan.VBInject. As expected, the results were quite interesting.
According to my limited sandnet data there were only two malware samples that ever downloaded Trojan.VBInject. One was Virus.Virut and the other was Trojan.Autoit. I have covered Virut in detail in a previous article where I described it as one of the biggest BotnetWebs, responsible for downloading lots of the other big botnets. Is Virut the 1.9 million host botnet? My guess is no. Virut always relied on Trojan.Injector (another big malware download service) to download further components but in this case the VBInject download link was found to be hard coded into the Virut binary. This is not the characteristics of a generic downloader/botnet which downloaded VBInject as the result of a botmaster command.
Here is a traffic snippet from that Virut sample while downloading Trojan.VbInject
So we are only left with Trojan.Autoit. Trojan.Autoit is a powerful malware download service and according to my data, it has been seen downloading both Hexzone and VBInject. A perfect match, isn't it?
GET /0/x.php?hid=531e237606675012bef96b4bef939b8d&mhid=bd1de70c62b17015b639adb2d30f0f0b&version=7&name=Codec_v.1004.1.exe&os=WIN_XP&_=262604330120091 HTTP/1.1
User-Agent: AutoIt v3
HTTP/1.1 200 OK
Date: Sun, 22 Mar 2009 08:17:05 GMT
As one can see, there are multiple instructions in the HTTP response which instruct Autoit to download and install additional malware components.
The URL mentioned under [version] is the updated version of VBInject itself.
The URLS under [download_onconnect] are downloaded each time VBInject connects to its CnC, where as the [download_once] urls are downloaded only once.
Is Autoit the botnet discovered by Finjan? There is only one problem, according to Finjan the botnet CnCs were located in Ukrain, and the Autoit sample I analyzed was talking to www.ophywmntzrtew.info which is hosted in Malaysia.
address: PIRADIUS NET
address: Unit 21-3A, Level 21
address: Plaza DNP 59, Jalan Abdullah Tahir
address: Taman Century Garden
address: 80300 Johor Bahru, Johor
phone: +607 334 8605
fax-no: +607 334 8605
It looks as though all my efforts to track down the unknown botnet were fruitless. I am still unsure. On the bright side, in this process I managed to explore few new BotnetWebs and got a chance to verify the BotnetWeb concept based on data from other security vendors like Finjan.
I will try to cover Autoit in detail in my next article, for the time being let's just say Autoit is a BotnetWeb downloading second stage malware as shown below:
A Trojan which spreads through IM based social engineering.
These are the binaries mentioned under download_once, so there is a good chance that these are pay-per-install malware not owned by the actual botmasters.
AVs are confused on this, so am I. Nothing can be said about it without a detailed analysis. I'll try to cover it in some future post.
A famous backdoor and downloader know as TDSS.
IRC.SDbot, a famous IRC Bot.
Most AVs are calling this Trojan-Dropper.Win32.Wlord. Nothing detailed from my side right now.
No great intel from my side at this moment, most AVS are calling it a downloader.
A trojan/downlaoder , often seen downloading Rogue AVs.
Trojan.VBInject. It's discussed in detail in the beginning of this article.
Trojan.Piptea, another powerful malware downloader.
Vundo a.k.a. Virtumonde.
A generic downloader.
The end picture is quite miserable. Autoit downloaded dozens of other malware components including some of the most power mawlare downloaders like Virut and Trojan.VBInject which further downloaded more malware components. Here I try to plot all these downloads in a graphical form to make it easier to visualize.
Here is the Virut graph from my earlier post. Lets integrate it with the Autoit graph and see how the combined graph looks.
One can easily sense the level of cooperation these malware master minds must offer each other. Maybe it's time for us in the security industry to come closer and show the same level of cooperation. As I always say, there are plenty of bad guys out there to keep us (the good guys) in business :).
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM