Trojan Analysis Leads To Russian Data Hoard

Posted by kdawson on Thu Mar 22, 2007 08:40 AM
from the Gozi-dissected dept.
Stolen Identity writes "An attack by a single Trojan variant compromises thousands, circumvents SSL, and uploads the results to a Russian dropzone server. A unique blow-by-blow analysis reveals evidence of cooperation between groups of malware specialists acting as service providers and points to the future of malware's growing underground economy."
  • by eldavojohn (898314) * <my/.username@@@gmail.com> on Thursday March 22 2007, @08:45AM (#18442351) Homepage Journal
    From the article,
    • Steals SSL data using advanced Winsock2 functionality
    • State-of-the-art, modularized trojan code
    • Spread through IE browser exploits
    • etc ...
    When I read the Slashdot summary, I was initially concerned that I may be at risk. But then I noticed the above three lines and realized there was no risk since I don't use IE.

    But, in the end, if this is an exploit utilizing the very basic network DLL that windows provides for socket connections (Winsock2--which is what I assume all network applications eventually link against in Windows) then why aren't other browsers at risk?

    I know Firefox is awesome & more secure & all that jazz but I haven't done enough network programming to know the nitty gritty details of it. Does anyone know why, if this trojan is exploiting the basic socket connection library that the Windows API provides, all browsers aren't potential victims?

    I mean, it makes sense to introduce some sort of security that never ever lets anything but the browser's code access the interfaces to these libraries ... is IE really that flawed?
    • by BlueTrin (683373) on Thursday March 22 2007, @08:48AM (#18442407) Homepage Journal
      is IE really that flawed?

      +2 funny
      • Re: (Score:3, Interesting)

        You are about to have your butt shoved up your nose, Cancel or Allow?

        Seriously, though, several things struck me. One was that a screenshot of the (malware) author's webpage showed that Firefox "support" was expected in a new release. Of course, I browse with NoScript enabled on a Macintosh which has been significantly tightened down. I regularly complain to sites that require users to have javascript enabled to do business with them and generally get favorable responses, especially when referring them to r
    • Spreads != Affects (Score:3, Informative)

      by Anonymous Coward
      You need IE to install the trojan, once it is running it will compromise all SSL traffic.
      • +5 informative my ass. RTFA. It only intercepts IE traffic and JavaScript traffic originating from IE. According to the article it seems that there is a newer version with Firefox support, but the one dissected in the article only affects IE.
    • by Aladrin (926209) on Thursday March 22 2007, @09:05AM (#18442603)
      You stopped reading too early. Later in TFA, it shows a screencap of the website that has badly translated text that basically says 'Snatch 2 - will work on firefox'. In other words, you're not affected... yet.
    • Re: (Score:3, Informative)

      Well, it uses an IE browser exploit to get in, so if you don't use IE, you're at low risk. But far be it from anyone to think that these crooks won't find a way to deliver the Trojan in another manner if their IE route dries up. Everyone will have to remain vigilant, because if it gets on your system, it can theoretically corrupt any browser.

    • by Cyberax (705495) on Thursday March 22 2007, @09:43AM (#18443125)
      No, IE uses a layer called WinInet to access the Internet (http://msdn2.microsoft.com/en-us/library/aa385483.aspx). It automatically provides SSL/TLS connectivity to IE.

      FireFox uses basic sockets and encrypts data using standalone SSL library.
    • The further away you get from M$, the better off you are. IE is the pits but other browsers on the platform will use M$'s flawed underlying code at times for compatibility. There are lots of IE specific bones on this one but once the machine is compromised anything is possible. You keep IE around for that one page that needs it, right? All it takes is a rotten banner ad to blow you out that one time you use it. M$'s internet services are starting to mirror their PC performance when it comes handing out [slashdot.org]

      • IE is the pits but other browsers on the platform will use M$'s flawed underlying code at times for compatibility.

        Would you like to cite an example of this, or are you just talking shite as usual? If you don't reply then it'll be fairly clear that it's the latter.
        • The one I'm most familiar with is to get mail from Outlook to Thunderbird. M$'s own interface is terrible and forces the user to save each message as text one at a time with poor control of output location. Mozilla automates the use of the program called, but still uses the program.

          You might also look at Mozilla's ActiveX [wikipedia.org]. While I'm sure it's much saner than the controls which were exploited in this thread's topic, it's still a use of M$'s unsafe machinery.

          Finally, even good code is more dangerous on Wi

    • Re: (Score:3, Interesting)

      Monster of an article, so I don't blame anyone for not catching the details on this. What it boils down to is that IE exploits are the main propagation vector of Gozi, but its actual performance of nastiness does not necessarily rely on IE. Once it's installed and running, it will intercept and leak to its "mothership" any and all HTTP POSTs that go through WinSock2, no matter what browser they come from, because it manages to register itself as a "Layered Service Provider" sitting between the browser and t

    • The page included in this last IFRAME contained JavaScript code using XMLHTTP and ADODB (ActiveX Data Objects) functions to download and run an EXE file which was hosted on the same server.

      Any browser with similar JS, XMLHTTP, and ADODB capability is susceptible as an infection vector. The system put in place by the EXE relies on common OS infrastructure.

      The code reveals that calls to functions in ws2_32.dll are used to establish itself as an LSP (layered service provider) using the Winsock2 SPI (Service Provider Interface). It "goes in between" Internet Explorer and the socket used to send the data.

      Do other browsers qualify for this? I see no objection.

      This technique captures the data sent by Internet Explorer only. Many new authentication systems use AJAX, where JavaScript objects are used to create another HTTP session, send requests, and receive responses. This is implemented in code elsewhere, where the SSL sniffer component cannot see it. To capture this valuable data, Gozi includes a "grabs" module that hooks into the JavaScript engine...That page uses XMLHTTP to send form field data via an SSL-protected connection to the bank's authentication without having to refresh the page. The IE sniffer cannot see that, but the JavaScript sniffer can.

      Okay, there's the exception. If you use IE then your data is nabbed. If your bank uses AJAX then your data is nabbed.

      Note that because this trojan includes the capability to download and execute arbitrary code from untrusted sources, a complete rebuild of the infected PC is the only absolute way to ensure 100% confidence and trust in data and system integrity.

      Unless it hides itself in auxiliary BIOSs as well.
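      As an added example (not from the article or from any poster in this thread), a defender-side PowerShell check for the Layered Service Provider technique the two comments above describe: it parses the output of `netsh winsock show catalog`, expands each provider's DLL path and flags layered entries that are not Microsoft-signed or that live outside the Windows directory. The entry labels it parses (Entry Type, Description, Provider ID, Provider Path, Catalog Entry ID) are taken from that command's output format as I know it, and the Windows PowerShell 5.1 environment is assumed.

```powershell
# Added example: enumerate Winsock catalog providers and flag LSP entries
# that warrant review. Assumes the `netsh winsock show catalog` output
# format (one "label: value" line per field, entries introduced by a
# "Winsock Catalog Provider Entry" banner).

function Get-WinsockCatalogEntry {
    $raw = netsh winsock show catalog 2>&1 | Out-String
    # Each provider is printed under its own banner; keep blocks with a path.
    $blocks = $raw -split 'Winsock Catalog Provider Entry' |
        Where-Object { $_ -match 'Provider Path' }
    foreach ($block in $blocks) {
        $props = @{}
        foreach ($line in ($block -split "`r?`n")) {
            # Label stops at the first colon, so "C:\..." paths stay intact.
            if ($line -match '^\s*([^:]+?):\s+(.*)$') {
                $props[$matches[1].Trim()] = $matches[2].Trim()
            }
        }
        [pscustomobject]@{
            CatalogId   = $props['Catalog Entry ID']
            EntryType   = $props['Entry Type']
            Description = $props['Description']
            ProviderId  = $props['Provider ID']
            # netsh prints %SystemRoot%-style paths; expand for signature checks.
            Path        = [Environment]::ExpandEnvironmentVariables($props['Provider Path'])
        }
    }
}

function Test-WinsockProvider {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $sysRoot   = [Environment]::GetEnvironmentVariable('SystemRoot')
        $inWindows = $Entry.Path -like "$sysRoot\*"
        $exists    = Test-Path -LiteralPath $Entry.Path
        $msSigned  = $false
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $Entry.Path
            $msSigned = ($sig.Status -eq 'Valid') -and
                        ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
        }
        # Base providers are Microsoft's own; layered entries (and layered
        # chains) are where a third-party or malicious DLL inserts itself.
        $isLayered = $Entry.EntryType -match 'Layered'
        [pscustomobject]@{
            CatalogId   = $Entry.CatalogId
            EntryType   = $Entry.EntryType
            Description = $Entry.Description
            Path        = $Entry.Path
            Exists      = [bool]$exists
            MsSigned    = [bool]$msSigned
            # Legitimate AV/firewall LSPs will also show here; they are
            # signed by their vendor, so treat this as "review", not "malware".
            ReviewNeeded = $isLayered -and ((-not $inWindows) -or (-not $msSigned))
        }
    }
}

Get-WinsockCatalogEntry | Test-WinsockProvider |
    Sort-Object ReviewNeeded -Descending |
    Format-Table CatalogId, EntryType, Description, Path, MsSigned, ReviewNeeded -AutoSize
```

      On 64-bit Windows the catalog is printed twice (32-bit and 64-bit providers), so the same DLL name may appear with two paths.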

    • Re: (Score:3, Insightful)

      I think non-technical Firefox users may have the same risk as OS X users by thinking they are already secure by default and not caring about some simple security methods.

      So the sense of security is the security risk there.
    • "An examination of his home PC revealed a previously unclassified malware executable. It appeared to have been installed surreptitiously via a remote exploit on December 13, 2006."

      Go ahead. Call me a shill. But this is a massive handwave - what evidence is there that this executable was installed by a remote exploit? Is that evidence in any way bigger or more reliable than the usual "I don't know where that came from! I didn't download it!" from the machine's owner?

      "Hey, Bob. All of your problems seem to ha
  • Can't you just do a traceroute on the IP that this info is being sent to? Seems this would be a nice way of figuring out where the info is going. Then blacklist it, or possibly a range, router-side.
    • Re:IP traceback (Score:4, Informative)

      by Klaus_1250 (987230) on Thursday March 22 2007, @09:23AM (#18442831)
      I doubt they will use a single IP for long; in fact, I would say that if they are pros, they'll only use it for several hours. There are quite a few organizations tracing and logging such IPs and some of the better security software blocks them. The longer you use a single IP, the less effective they'll be and the higher the risks.
  • by Dogtanian (588974) on Thursday March 22 2007, @08:51AM (#18442435) Homepage
    ...to the problem of AV companies not picking them up; offer a large-ish reward for information, and have someone involved tell the AV companies about the trojan as soon as possible. It only needs one relatively unimportant person (coder peon?) to blab and give the game away, so long as they're assured of having their identity kept secret.

    I'm sure there are a million flaws in this idea, but it's a start.
    • by BlueTrin (683373) on Thursday March 22 2007, @09:06AM (#18442611) Homepage Journal
      I guess the major flaw would be that I could write code and report it?
      • Re: (Score:3, Interesting)

        I guess the major flaw would be that I could write code and report it?

        That had occurred to me; the reward, however, would likely not be enough to warrant writing a piece of genuinely new code.

        If the case was genuine and one guy had written all the code, he would be getting paid for writing the code (by Mr. Big, presumably) *and* for blowing the lid on the whole thing (by the AV company). If someone writes the code for use by themselves, they either have to report it before it becomes prominent (and hence they don't make much money from the use of the code), or if they wait

  • by Arielholic (196983) on Thursday March 22 2007, @09:09AM (#18442657)
    Trojan Analysis Leads To Russian Data Hoard

    So the analysis led to the hoarding? Everybody stop analyzing NOW!
  • TFA mentions 81.15.146.42, which apparently is a42.skierniewice.mediaclub.pl, which is Poland.
    Where did Russia come from?
    • Re: (Score:2, Informative)

      The actual IP is 81.95.146.98, and is indeed in Russia, although this IP is no longer responding on port 80.
      • I don't think so.. this is using the Internet 101:

        inetnum: 81.95.144.0 - 81.95.147.255
        role: RBusiness Network Registry
        address: RBusiness Network
        address: The Century Tower Building
        address: Ricardo J. Alfari Avenue
        address: Panama City
        address: Republic of Panama
        phone: +1 401 369 8152
        e-mail: noc@rbnnetwork.com
        admin-c: JK4668-RIPE
        tech-c: JI424-RIPE
        nic-hdl: RNR4-RIPE
        mnt-by: RBN-MNT
    • It could be an IP in some weird island; it is basically another layer of compromised machine network. They aren't that stupid to use their own machines for anything at all.

      I remember evil BBS guys were using hacked phone lines on the other side of the Earth to do dirty jobs.

      If I was an American black hat, I would learn the Russian language or hire a Russian and act Russia-based, which would provide another layer of security. I guess we have a right to go paranoid on such an issue :)

  • reading that article is like looking at the blueprint for a neutron bomb: beautiful, magnificent, and pure evil

    the mind boggles at what these men (or women) of such high craft could achieve were they to devote their genius to good efforts rather than bad. as it is, in the business they are in, they will probably very rapidly come under the thumb of the russian mafia, if they aren't already. then their life will be on a short leash, that, if they attempt to tug, will land them with a swift reprimand from guys you don't want to know what a swift reprimand from is like

    sad. these are no script kiddies here. these are smart blokes. and they are also doomed to a life under the thumb of men a thousand times more evil than their devilish and brilliant exploits ever could be
    • sad. these are no script kiddies here. these are smart blokes. and they are also doomed to a life under the thumb of men a thousand times more evil than their devilish and brilliant exploits ever could be
      Can't say I have too much sympathy. They may be genius programmers, but it doesn't take more than a shred of common sense for anyone to figure out what you said for themselves. Or maybe they were blinded by their greed.... whatever, fuck 'em.
      • Re: (Score:3, Interesting)

        Or maybe having kids to feed.

        With a relatively small local software market as well as relatively small outsourcing market Russia (and to lesser extent Bulgaria and Romania) are ripe for the picking by the mafia. Most of the qualified software engineers who do this kind of work will very happily work on an outsourcing contract instead. Further to this, they are likely to deliver considerably better quality code than most Indian outsourcing shops (I have seen code and projects from both so this statement is b
        • tell me something, as you appear to be russian: is it merely a hollywood stereotype that the russian mafia exerts so much influence in russia? i mean even putin seems to be playing the authoritarian game of "do as i say or you're going down". is it a stereotype? or is it true that the underworld seems to have an especially strong grasp on russia? why? hangover from the collapse of the soviet union? filling some sort of power void?

          i ask in complete innocence, but sitting here in new york city, where we are n
        • Re: (Score:3, Informative)

          This comes from my experience:

          Most Russian coders [in russia] are assholes and lazy. I am russian and grew up in Canada. I went to russia to work for a while, to see how it is. After all, wages in moscow are 2000$+, so I wasn't just surviving.
          I was a little dismayed at the experience of being in russia, finding that while there are a lot of brilliant coders, many are lazy and have too few team skills to be usable in a company. Another thing, russians are daring, so this sort of stuff comes up all the time. They
        • Or maybe having kids to feed.
          Building a future for your family by forever being under the thumb of the Russian mafia? Please.
    • Re: (Score:3, Interesting)

      Ok, let's go with this evil genius take on things. Now, you take one look at their situation and within the time frame it took you to click "reply" and start typing you came up with this angle.

      Now I'm supposed to accept that these evil geniuses suddenly got retarded when it came to the common sense risks with their new business? They've developed a real cracker jack exploit of commercial quality able to mass infect systems, avoid tracing, the whole nine yards. They then market this to organized crime syndic

      • you seem to have some problems understanding how the world works. the programmers who do these things are not untouchable, nor do they go to the great lengths you describe to make themselves untouchable. why? because no one can do business and also be a puff of smoke at the same time. it's a balance you have to strike between being hard to find by the authorities and easy to find by your business interests. it's easy to be hard to find by the authorities. even when they see you, their hands are tied

        however, i
        • Excellent post. I'm reminded of this famous monologue:

          Henry Hill: [narrating] Now the guy's got Paulie as a partner. Any problems, he goes to Paulie. Trouble with the bill? He can go to Paulie. Trouble with the cops, deliveries, Tommy, he can call Paulie. But now the guy's gotta come up with Paulie's money every week no matter what. Business bad? Fuck you, pay me. Oh, you had a fire? Fuck you, pay me. Place got hit by lightning huh? Fuck you, pay me."
          • might i ask where it is from? ;-)

            the problem with this world is the naive and clueless, yet full of bravado, happily waltzing into a world of crime, extremely confident in their ability to take care of themselves and to handle any bad news guys they encounter

            they have no fucking clue

            they simply wind up trapped and under the thumb of a guy who has no problem killing their wife or children or girlfriend or parents. and, trapped under that thumb, they sit there silently ruing their younger dumber selves, a yo
            • might i ask where it is from? ;-)

              Sure. It's from Goodfellas [imdb.com], probably the best mafia film ever made. The commentary track on the DVD features the real Henry Hill talking about his life as dramatised by Scorsese in the film. He comes to the same conclusion you do for the same reasons - it's no kind of life for anyone.
    • Yes, because that is the way the world works. You know, if the people behind Microsoft Office had put their skills to good, no doubt we would have a base on the moon. And if the people behind Oracle database had diverted their efforts to Space Travel, we would have FTL speed. And if all those Linux geeks had just studied up on some Medicine, we would have a cure for AIDS and the common cold.

      Let me guess, you REALLY like cartoons?
      • We had a base on the moon, but it blew up on the third day. We had FTL travel, but it cost $9 billion per mile to use. And we had cures for AIDS and common cold, but to use it you had to compile the retrovirus against your DNA yourself, which takes about 100 years, assuming you have all the libraries installed.

    • reading that article is like looking at the blueprint for a neutron bomb: beautiful, magnificent, and pure evil

      Indeed. Whoever wrote that (both the trojan and the article) knew quite a bit about the internal structures of Windows.

      Check this out:

      The malware opened the named pipe "\\.\PIPE\lsarpc" and the "C:\autoexec.bat" file, but the tools did not log any writes.

      The tools were "a Windows XP VMware virtual machine with tools designed for behavioral analysis". A little further down:

      Upack stub code is executed from the memory allocated for the executable's PE header. However, as it executes, that code changes, making normal breakpoints -- those set for certain code at certain addresses -- ineffective.

      Whoever wrote that binary also knew quite a bit about the way the overall architecture of the x86 series running the Windows kernel can be used to hide between the cracks.

      SecureWorks Senior Security Researcher Joe Stewart wrote OllyBonE (Break on Execute), a plug-in for OllyDbg that would be very useful. To use it, the malware executable would have to be moved out of the virtual machine and debugged on native hardware. A 750 MHz Pentium III and 512 MB RAM was loaded with a default install of Windows XP Professional SP2 in an isolated environment. OllyDbg, Joe's OllyBone plug-in, and the malware executable were copied to the system.

      Now we're getting to the point:

      After dismissing the error, execution is paused in ntdll.dll code. Upack must go back to the PE header for the working EXE file at some point, so bringing up the memory map (ALT+M) and right-clicking on that memory range brings up a context menu, where "Set breakpoint on execute" can be selected.

      Single stepping.

      There's an entire internet full o

      • I always wondered what would happen if the author of Hybris wanted to harm the systems. I also believe that Virus was so advanced that it got its own "uninstall yourself" command from its master/creator.

        http://news.com.com/2009-1017-250870.html [com.com]
        http://www.f-secure.com/v-descs/hybris.shtml [f-secure.com]

        When you look at the details, it is much more advanced than this trojan, which does amazing things such as finding out the e-mail addresses via watching the communications just like Ethereal.

        The genius of old time DOS viruses is IMHO
  • by BobMcD (601576) on Thursday March 22 2007, @11:14AM (#18444569)
    What frustrates me a bit about TFA is where they stopped. They identified what the malware is, does, where it comes from, etc. They seem to have left out the 'why' part of the equation. Who would buy the data, and for what purpose? Dig a little deeper here. What we are defending against becomes a lot clearer when the motives of the attacker are known. This exploit is sophisticated and mature. It appears to be a viable business. This is not the action of an individual bent on personal gain, rather a true-world example of organized crime. This is much more serious than we're being led to believe. This is what gives me pause: What kind of customer would pay for access to such a broad set of data?
    • Simple, I pay $10 to this programmer that will install it to 100 zombies for me. I can then get all information that passes through the zombies.

      Eg. you are using a zombie computer, trying to check your balances. I get the data from the 100 zombies and I have your login data for your bank, but also about 50 other persons' data. I check your account and see that 'you Americans' make 20x as much as I do in a month.

      I transfer 50x your paycheck to my 'business' account, I get all the money off the same day, close the 'bu
    • Re: (Score:2, Interesting)

      What kind of customer would pay for access to such a broad set of data?

      That's one of the points the article is trying to make, as a sea change in this sort of malware: Because the data is so broad and voluminous, the providers could have a quite varied customer base. It's been commoditized. Data mined from this store could be of use to unscrupulous folks ranging from simple carders, to account drainers, to mob bosses, to terrorists. Notice that the data was not just credentials for banking and shopping sites, but included access to law enforcement and other government applica

  • "This filename was written into the registry so it would be run again on startup:"
    And that's the ticket. Everything has to load from somewhere, and a safe-mode scan with something like HijackThis would show this up no problem. The only issue I can see is that unless there was significant system lag, you would have no idea to even scan your system.

    Very pro deconstruction though. I usually just wipe the little buggers.

  • While infected, the xx_id value remains the same. Upon "cleaning" and re-infections, it changes; therefore it doesn't appear to be tied to globally unique identifiers (GUIDs).

    What they've written suggests that it was tied to GUIDs of the most meticulous kind--a data set constructed to be as resilient as possible against swamping the data pool with false grouping. This is indicative of a specific desire to track people individually even if it means assigning them a new number.

  • One lists the price as a Russian "scumbag" slang word that loosely translates to "super-duper!"

    # create object associated with price list
    $price = 'pesdato!';
    The correct translation of 'pesdato!' would be 'fukken-A!'.
  • At one point the 76service development/trial server was located at an ISP in Atlanta, Georgia, USA, the same city where SecureWorks is headquartered. A few days later, they moved to a server that appears to be located in the American Midwest (Texas, Oklahoma, or Kansas), but the server's IP address is in a block assigned to a company in Tampa, Florida, USA. They will likely move again soon.
    A google search on 76service [google.com] shows this page [robtex.com].

    route 65.254.48.0/20 Proxy registered route object GNAXNET NET 65 254 32 0 1 GNAXNET NET 65 254 48 0 1 Global Net Access, LLC 55 Marietta St, NW Suite 1720 Atlanta, GA 30303
    and

    as3595 AS GNAXNET AS Global Net Access, LLC 1100 White Street Atlanta, GA 30310
    Who ran the Undernet's atlanta.ga.us.undernet.org server? Who worked for GNAX?
  • In Soviet Russia, data hoard leads to you!

    Sorry, we'd just gotten well into commenting without a decent Russian reversal yet.
      • The correct term for someone who does this is Standover Man. See "Chopper" Reid for more information on this subject.