AV Plays Catch Up

No security or AV company is equipped with a procedure, independent of hardware or personnel requirements, that can easily keep up with the daily barrage of newborn threats. Shadowserver reports receiving tens of thousands of unique binaries every day. With the mass amount of malware being created and distributed across the internet, each security company is left with the burden of being unable to “catch ’em all.”

They must then employ a prioritization method of analysis, often leaving data too long in the queue, some collecting dust. Some security companies concentrate on searching for malicious domains and IPs while others concentrate on binary identification, many using a hybrid approach. All, however, are in search of a way to efficiently label these variables as malicious or benign, trying desperately to keep pace with the release of new malware.

AV companies have of course felt the strain of keeping up with the Joneses and for fear of looking inferior have made the choice to often “borrow” the conclusions made by other AV groups.

According to this “Analyst’s Diary” entry at Kaspersky Lab, an experiment was used to show just how often AV groups rely on one another to categorize samples as malicious in order to appear up to date. From the blog:

“We created 20 clean files and added a fake detection for 10 of them. Over the next few days we re-uploaded all twenty files to VirusTotal to see what would happen. After ten days, all of our detected (but not actually malicious) files were detected by up to 14 other AV companies…”

I can’t exactly blame those copycat AV companies for trying to stay on par with others. There is constant pressure, of which all security groups are aware, to try and balance reputation, integrity, and effectiveness. Trying to avoid false positives means evil may slip by unnoticed, while avoiding false negatives means sacrifices in accuracy. A series of check systems could be put in place, but often there is insufficient detail or time for quality assurance, and delays in the conviction process detract from the goal of real-time protection.

Security researchers often collaborate in some way, perhaps only in certain circles, but we do so because each performs their own independent analysis in their own area of expertise, bringing unique input to the table. Our products should behave no differently. Only shared information that meets certain quality requirements should be used, according to the individual company’s ruleset. If a company or security product has nothing to contribute and only relies on the work of others, then it has little purpose in this industry (yet may find success with the right marketing). However, a company will struggle greatly if they dismiss or completely separate themselves from the security zeitgeist.

In recognition of this need for both dependence and originality, Defence Intelligence is working to bring security and internet architecture groups together to create something new and more complete. We want to make a product that takes a more global approach to the threats we’re facing, but also bring a confidence and purpose back to our industry that seems to have waned. A strong offence may rely on a good defence but we need both if we’re ever going to make real advancement on this battleground.

Matt Sully
Director
Threat Research & Analysis

Rumor has it.

Facebook users are being targeted again, but in a more roundabout manner. Rumors are spreading, as rumors do, that an “unnamed app” is integrated into user accounts which is responsible for slowing down facebook and is being used to spy on user activity. (These rumors have not been proven true.)

Users are then advised, in the form of ALERTS, to delete this unnamed app. The interesting part is that user suspicion of these messages is what gives them their malicious power. A Facebook user would then Google the alert or the keywords “unnamed app” and be directed through several sites to ones serving rogue AV. Thanks to SEO techniques, many of the top sites listed are the key redirection sites in this process.

One such site, at the number three spot in our google search:
“http://kittingservice.com/canst.php?avi=facebook-unnamed-app”

The domain kittingservice.com is found at 62.93.239.41.

Using javascript redirection, we are taken to:
“http://onlinetechnicals.ru/sm/r.php”
at 212.95.58.37

It looks like the referrer might be necessary for the redirection: “Referer: http://www.google.ca/search?hl=en&source=hp&q=facebook+unnamed+app&meta=&aq=f&oq=” Otherwise a page comes up with the multiple facebook and SEO terms planted throughout, including some of the original instigating Facebook alert phrases:

“Has your facebook been slow today? Check your application settings, go into ” added to profile”. If you see one in there called “unnamed app” delete it.”

“There is a ” Unnamed App ” spybot on facebook and it may be slowing down Facebook applications or it may be work as a Spyware.”

The onlinetechnicals.ru page then uses another javascript to direct us to uscaau.com:

uscaau.com 212.95.58.37

Looking up uscaau.com/back.php comes back with the location of: “http://battlestartedsecurity.com/hitin.php?land=20&affid=94801”

battlestartedsecurity.com
109.232.225.22

and “hitin.php?land=20&affid=94801”
is said to be at the location:
“index.php?affid=94801”

This is where we finally download the beginnings of the Rogue AV. A pop up window tells us that “Your computer contaigns various signs of viruses and malware programs presence….” Our browser window has also seemingly disappeared but if you move the warning slightly you can see it resized to hide behind the pop up.

Agreeing to the scan displays the fake scan of our system, going back to battlestartedsecurity.com for the necessary visual items.

A few more agreements to clean up our system advise us to download “install.exe”, currently detected by only 7 of 41 AV groups.

Other researchers have indicated different redirection paths being taken and different end result fake security tools.

As for the unnamed app it is said to just be the “boxes” tab on your Facebook profile.
“The Boxes tab contains application profile boxes. A user or Page will have a Boxes tab added to their new profile by default if they currently have application boxes that do not support integration with the main profile/Page left column or if they have more profile boxes than can fit into the main profile/Page left column (more than 5).” (http://wiki.developers.facebook.com/index.php/Tabbed_Profile)

Removing it seems to be both nondestructive and reversible. According to
(http://answers.yahoo.com/question/index?qid=20100126190431AAJkPoW)
“to put back your boxes tab:

1. go back to the page where you removed the Unnamed App from.
2. select “edit settings” for an app under the “added profile boxes” section
3. click remove, then click add when it appears.”

Matt Sully
Director
Threat Research & Analysis

CN Less Clearly

On December 11, the China Internet Network Information Center (CNNIC) announced that individuals hoping to register .CN domain names are now required to provide a written application. This written application must be stamped with a business seal, and a photocopy of the applicant’s business license and ID must be included. This effort is touted as simply part of a greater effort to remove a significant amount of pornographic content from the web.

The reality is far more complex.

China has long used the Great Firewall of China to block any material it deems offensive, including pornographic material, so-called biased news sources and political commentary. Facebook, Twitter, and thousands of other sites are blocked and cannot be accessed from within China. As reported by Rebecca McKinnon, Assistant Professor, University of Hong Kong:

“People who work for Chinese Internet companies continue to complain that they remain under heavy pressure to be more thorough about the way in which they police and censor blogging platforms, social networking sites, discussion forums, and any form of user-generated content. “

By restricting the .CN TLD to businesses that must meet with approval by a governing body, China is reining in control over the Internet at a time when people are increasingly looking to the web for freedom of expression, political action, and news and information from a wide variety of sources, all with their own particular bias.

Since the announcement, the information security community has been abuzz with the notion that this new restriction will result in fewer malicious domains registered at .CN. That would certainly be good news for China, which has long been considered a pernicious purveyor of malicious content.

Unfortunately, it isn’t true.

Looking at the original notice, it is clear that following the initial online submission and subsequent allocation of a domain name, individuals then have 5 days to provide the appropriate governing body with the required written material. If the 5 days pass without it, or if the applicant is rejected, the domain will be revoked.

It doesn’t require much thought to see how this system can easily be abused. Individuals with criminal intent can simply register for a domain and generate and propagate as much malicious content as desired over the course of the next 120 hours. It is also likely, though unknown at this time, that any money spent on the domain registration would be refunded so as not to unduly penalize legitimate businesses who may simply make an error on their forms, be rejected, and have to resubmit. To be clear, I find it unlikely that the CNNIC would require people to pay for domains that they do not own. Criminals can simply use a domain for free for 5 days and then move on to the next.

On that same note, will there be any process in place to permanently ban individuals who continually register domains only to be rejected? And does the CNNIC really expect to be able to intake and process what is potentially thousands of applications a day? What happens when that 5 day window becomes 10 days? Much to the dismay of the security world, criminals may rejoice at this announcement.

So, while cybercriminals need only a few minutes to distribute malicious content, individuals within China whose views are not in accordance with their government’s need many words, many pages, and much support to leverage the power of the Internet to engage and enlighten the world. It is these people who will be most affected, and individuals of all sorts, not just security professionals, should lament any moment when the Internet becomes a little less free, a little less open.

Meaghan Molloy
Threat Analyst

Mariposa and BlackEnergy DDOS

Talk of Mariposa may have faded, but the botnet is still very active. Some new occurrences have been observed here and merit reporting for those still following the story.

The origins of the Mariposa botnet for Defence Intelligence go back to the observance of a suspicious domain that was being queried quite frequently.

Butterfly.bigmoney.biz had popped up on our radar as unusual in both its name and the volume of queries that were being made for it. With some fairly extensive analysis, our investigation revealed some other domains of interest:

butterfly.sinip.es
bfisback.sinip.es
qwertasdfg.sinip.es

These four, butterfly.bigmoney.biz included, proved to be command and control domains for the botnet.

On October 4th an update occurred and new domains were contacted.

lalundelau.sinip.es
bf2back.sinip.es
thejacksonfive.mobi

The last of these has taken on a much different role over time. Communication to 200.74.244.84, where thejacksonfive.mobi also pointed, was readily seen after the 4th. Various commands to Mariposa were being issued from this IP, including one to spread itself across MSN using the drop site URL http://obamawebcam.com/load.php. The file to be dropped was named bin.exe, but the spread on our test system was ineffective at the time. A VirusTotal report showed detections as Palevo, as much of the malware behind Mariposa is labeled. Several other binaries were also downloaded, most of them from rapidshare.com.

Recently, on November 3rd, a new binary was grabbed from rapidshare as instructed by butterfly.bigmoney.biz. This file, named blackjackson.exe, was found to be version 1.92 of the BlackEnergy DDOS bot and along with its installation came a new C&C domain, thejacksonfive.us. Both thejacksonfive.us and thejacksonfive.mobi are now also used as web based GUI controls for BlackEnergy.

A good writeup on BlackEnergy can be found in Arbor’s BlackEnergy+DDoS+Bot+Analysis.pdf. A third related domain, tamiflux.net, is also used as a web interface for the DDOS malware and is currently the only one blacklisted by Firefox.

On November 4th, thejacksonfive.us issued a command to begin an HTTP GET request flood of three domains and one IP:

al-hora.net
saaid.net
islamlight.net
74.86.18.4 (the IP address for saaid.net)

These Saudi Arabian sites appear to be forums for religious and regional political discussion so the motivation behind the attacks may also be religious or political. Al-hora.com has been targeted for “censorship” for quite some time now and has apparently been kept offline since December 2007. Read more at www.rsf.org. Currently, of the sites being targeted, only saaid.net has managed to recover from the attacks.

On November 5th, thejacksonfive.us site changed orders to alter the attack slightly, using a syn flood instead of a GET request flood and only targeting islamlight.net and saaid.net. This alteration was likely made in response to saaid.net’s sustained presence online. (They talk about the attack on the home page.) Tamiflux.net is HTTP flooding the same domains.

Gaining some insight into the attacks, we’ve discovered that the DDOS botnet has about 5500 members under active control at any given time, and over 60,000 unique compromised systems. This is rather small, however, compared to the 1.5 million unique computers we believe to be members of the Mariposa botnet.

The Mariposa botnet has continued to grow in size since we first observed it in May and has far surpassed our original estimation of 150 to 200k compromised systems. The distribution of compromised systems is fairly wide but concentrations are obvious in Central America, Europe and South Korea.

MaCatte’s Green roots are showing.

As an update to my previous post on GreenAV, it seems that they are still trying to “Save the green forests of Amazonia” by having you install rogue antivirus.

MaCatte is the newest rogue AV to appear and has ties to the GreenAV software that was recently promoted, with all the websites sharing the same IP, 174.142.96.2:

express.greencustomersupport.com
green-av-2010-pro.com
green-av-2010.com
green-av-pre.com
green-av-pro.com
macatte.com
my-green-av-pre.com
my-green-av-pro.com
my-green-av.com
p4678z.my-green-av.com
progresivescan.info
zp4.green-av.com
zp45.green-av-pro.com

In fact, going to express.greencustomerssupport.com will take you to the MaCatte homepage. MaCatte, like so many other rogue AVs, runs fake scans on the machine and advises the user that the machine is infected, and that they will gladly remove the infections as long as one pays to register the product for $99. Macatte is propagating in the same manner as GreenAV through torrent sites, website redirection and freeware.

MaCatte seems to be attempting to ride the coat tails of McAfee, with the similar name, logo and also similar website design. Included features on the site are a lovely challenge-response captcha in the support section to ensure that the support requests are generated by an actual person and not a machine. There is a “Latest Threads Detected” box that lists a few common threats such as Conficker, and if you actually want to buy the product for $99 there is a link to plimus.com’s payment processing. (At the time of writing, the order page at plimus.com was unavailable.) It would be interesting to see stats on how many people actually land on that payment page for MaCatte.

Plimus.com is a company that offers payment processing for online businesses and takes a commission rate from each sale. Your own conclusions can be drawn regarding Plimus’ track record after reading Google’s Safe Browsing diagnostic page for Plimus and also the reviews on Web of Trust. Norton did have the site flagged as unsafe for selling key logger software but has since changed its rating to safe. Also, the Plimus site does show a McAfee and Verisign Secure logo at the bottom of their page. I am unsure at this time if the Plimus website is in fact MaCatte secure or not.


MaCatte offers to detect, block, and remove viruses, spyware and rootkits with a quick scan. The program also has an anti-phishing component that is supposed to warn you before accessing dangerous scam websites like their own. The feature that looks the most interesting is the Identity Protection. “Let’s you shop, bank and trade online safely by asking permission before personally identifiable information like PIN’S, Bank accounts, Social Security numbers are sent from your machine.” I do not believe the effectiveness or honesty behind these statements.

Currently there are no removal tools readily available to the public, but for now you are able to do a system restore back to a `pre-infection` restore point. There have, however, been reports that MaCatte has added a feature to block attempts to do a system restore. So if you are infected with MaCatte Rogue AV, you might as well reformat.

MaCatte is just another rendition of Rogue Antivirus using fake scans and scareware tactics to con people into paying for their software while selling off their information as an added bonus. But hey, they do have a refund policy.


B.Kilrea
Threat Analyst

Blogspot Whammies

I enjoy seeing what the world has to say from time to time and to give everyone’s voice a fair shake I will often click “Next Blog” in Blogspot’s standard blog header. I know that Blogspot pages are now a popular point of redirection for initiating malware download, especially with Koobface. I also know that rogue AV is the gravy train of scam software and is now being promoted through Koobface. Now when I go gambling I never win anything, but it appears the Blogspot “Next Blog” slot machine has shown up all cherries. Well, maybe lemons.

In a very swift redirection I was brought to “antivirusn.com/scan1/?pid=156&engine=%3DnQyzTjuNjgyLjIzLjI4JnRpbWU9MTI1MTgxMI0OaA%3DN”. This was supposed to perform a “scan” of my computer as is customary with rogue AV, but Firefox was kind enough to report this as a “Reported Attack Site!”
Let’s take a peek at “antivirusn.com” and see what this family of rogue AV looks like. Maybe I know some of your relatives.

antivirusn.com A 83.133.119.154
antivirusn.com A 91.212.107.7
antivirusn.com NS ns1.everydns.net
antivirusn.com NS ns2.everydns.net
antivirusn.com NS ns3.everydns.net
antivirusn.com NS ns4.everydns.net

Registrant:
Name: Lian S Richard
Address: Overhogdal 25
City: MOLNLYCKE
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510

Administrative Contact:
Name: Lian S Richard
Organization: n/a
Address: Overhogdal 25
City: MOLNLYCKE
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510
Phone: +5.3017560166
Fax: +5.3017560166
Email: info@airlineshun.be

Technical Contact:
Name: Lian S Richard
Organization: n/a
Address: Overhogdal 25
City: MOLNLYCKE
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510

Nameserver Information:
ns1.everydns.net
ns2.everydns.net
ns3.everydns.net
ns4.everydns.net

Create: 2009-10-28 18:44:36
Update: 2009-10-29
Expired: 2010-10-28

What else is going on at these IPs?

Passive DNS over at www.bfk.de reveals the following:

virus-detect01.com A 83.133.119.154
bestantispyware11.com A 83.133.119.154
top-scanner11.com A 83.133.119.154
detect-spyware1.com A 83.133.119.154
top-scanner02.com A 83.133.119.154
top-scanner2.com A 83.133.119.154
virus-detect2.com A 83.133.119.154
top-scanner04.com A 83.133.119.154
virus-detect04.com A 83.133.119.154
detect-spyware5.com A 83.133.119.154
virus-detect6.com A 83.133.119.154
detect-spyware7.com A 83.133.119.154
virus-detect08.com A 83.133.119.154
bestantispyware09.com A 83.133.119.154
detect-spyware9.com A 83.133.119.154
top-scanner9.com A 83.133.119.154
kill-virusc.com A 83.133.119.154
kill-virusd.com A 83.133.119.154
scannerg.com A 83.133.119.154
scannerh.com A 83.133.119.154
antivirusk.com A 83.133.119.154
antivirusm.com A 83.133.119.154
antivirusn.com A 83.133.119.154
scannerr.com A 83.133.119.154
scanneru.com A 83.133.119.154
154.119.133.83.in-addr.arpa PTR id1148.rdso.ru

virus-detect01.com A 85.12.24.12
bestantispyware11.com A 85.12.24.12
top-scanner11.com A 85.12.24.12
top-scanner02.com A 85.12.24.12
top-scanner2.com A 85.12.24.12
top-scanner04.com A 85.12.24.12
bestantispyware09.com A 85.12.24.12
top-scanner9.com A 85.12.24.12

And we find another IP: 91.212.107.7

virus-detect01.com A 91.212.107.7
bestantispyware11.com A 91.212.107.7
top-scanner11.com A 91.212.107.7
detect-spyware1.com A 91.212.107.7
top-scanner02.com A 91.212.107.7
top-scanner2.com A 91.212.107.7
virus-detect2.com A 91.212.107.7
top-scanner04.com A 91.212.107.7
virus-detect04.com A 91.212.107.7
detect-spyware5.com A 91.212.107.7
virus-detect6.com A 91.212.107.7
detect-spyware7.com A 91.212.107.7
virus-detect08.com A 91.212.107.7
bestantispyware09.com A 91.212.107.7
detect-spyware9.com A 91.212.107.7
top-scanner9.com A 91.212.107.7
kill-virusc.com A 91.212.107.7
kill-virusd.com A 91.212.107.7
scannerg.com A 91.212.107.7
scannerh.com A 91.212.107.7
antivirusk.com A 91.212.107.7
antivirusm.com A 91.212.107.7
antivirusn.com A 91.212.107.7
scannerr.com A 91.212.107.7
scanneru.com A 91.212.107.7

Well, rogue AV is obviously the name of the game here. Let’s look on a larger scale at the AS level.

83.133.119.154 is under AS13237 (LAMBDANET)

MalwareURL.com reports 200 domains under Lambdanet, the majority of which relate to rogue AV.

85.12.24.12 points to AS34305 (EUROACCESS)

They are small time with only 23 domains reported by MalwareURL.com. They consist of rogue AV and Zbot.

The big guy comes with AS49038 (RICCOM) which was over the IP 91.212.107.7.

326 Riccom domains were reported by MalwareURL.com, and only about seven were unrelated to rogue software.

There are a dozen other IPs mixed in here going back to March, but the most notable is 91.212.107.103, which also comes up under AS29550 (EUROCONNEX). This IP gem has hundreds of domains pointed to it in relation to rogue software, such as:
windoptimizer.com A 91.212.107.103
woptimizer.com A 91.212.107.103
goscandir.com A 91.212.107.103
in5cs.com A 91.212.107.103
general-antivirus.com A 91.212.107.103
www.general-antivirus.com A 91.212.107.103
generalantivirus.com A 91.212.107.103
goscanneat.com A 91.212.107.103
in5ct.com A 91.212.107.103
in5it.com A 91.212.107.103
wopayment.com A 91.212.107.103
goscanrest.com A 91.212.107.103
ereuqba.cn A 91.212.107.103
dycotda.cn A 91.212.107.103

just to list a few. This also leads back to Koobface and the “2008 ali baba and 40, LLC” which you can read about in Dancho’s blog from September. It looks like antivirusn.com was part of a large family after all. No surprise there. I’m sure I’ll be bumping into you again.
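The pivot above (domain to IPs, IPs to every other domain parked on them, then PTR and AS context) is easy to script once the passive DNS output is in hand. The following is an added example, not code from the original post or from Defence Intelligence; it parses the `name type value` record format shown above, using an excerpt of the records listed in the post plus one constructed control record (example.com on the documentation address 192.0.2.10), and reports which IPs are shared by many names.

```python
from collections import defaultdict

# Excerpt of the passive DNS records listed in the post, plus one constructed control
# record (example.com on the documentation address 192.0.2.10) that shares nothing.
PDNS_RECORDS = """\
antivirusn.com A 83.133.119.154
antivirusn.com A 91.212.107.7
virus-detect01.com A 83.133.119.154
virus-detect01.com A 85.12.24.12
virus-detect01.com A 91.212.107.7
top-scanner11.com A 83.133.119.154
top-scanner11.com A 85.12.24.12
top-scanner11.com A 91.212.107.7
kill-virusc.com A 83.133.119.154
kill-virusc.com A 91.212.107.7
scannerg.com A 83.133.119.154
scannerg.com A 91.212.107.7
154.119.133.83.in-addr.arpa PTR id1148.rdso.ru
example.com A 192.0.2.10
"""


def parse_records(text):
    """Split '<name> <type> <value>' lines into A and PTR record lists; other lines are skipped."""
    a_records, ptr_records = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, rtype, value = parts
        if rtype == "A":
            a_records.append((name.lower(), value))
        elif rtype == "PTR":
            ptr_records.append((name.lower(), value.lower()))
    return a_records, ptr_records


def build_index(a_records):
    """Two-way index: domain -> IPs and IP -> domains."""
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip in a_records:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    return by_domain, by_ip


def pivot(seed, by_domain, by_ip, hops=1):
    """Expand from a seed domain to its IPs and then to every other domain on those IPs,
    repeating for the requested number of hops. Returns (domains, ips) reached."""
    domains, ips, frontier = {seed}, set(), {seed}
    for _ in range(hops):
        new_ips = set()
        for domain in frontier:
            new_ips |= by_domain.get(domain, set())
        ips |= new_ips
        frontier = set()
        for ip in new_ips:
            frontier |= by_ip[ip] - domains
        domains |= frontier
    return domains, ips


def shared_ips(by_ip, min_domains=3):
    """IPs hosting at least min_domains names: the 'gems' worth checking at the AS level."""
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_domains}


def reverse_name(ip):
    """in-addr.arpa form of an IPv4 address, so PTR records can be matched to it."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def ptr_for(ip, ptr_records):
    """Hostname from a PTR record for the IP, or None if there is none."""
    wanted = reverse_name(ip)
    return next((host for name, host in ptr_records if name == wanted), None)


if __name__ == "__main__":
    a_recs, ptr_recs = parse_records(PDNS_RECORDS)
    by_domain, by_ip = build_index(a_recs)
    domains, ips = pivot("antivirusn.com", by_domain, by_ip, hops=2)
    print("related domains:", sorted(domains))
    for ip in sorted(ips):
        print(ip, "hosts", len(by_ip[ip]), "names; PTR:", ptr_for(ip, ptr_recs))
    print("shared IPs:", shared_ips(by_ip))
```

A second hop is what surfaces 85.12.24.12 here: antivirusn.com never resolved there, but names that shared its other two IPs did. The control record never joins the cluster because it shares no IP with the seed, which is the property a blocklist built from such a pivot relies on.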

Matt Sully
Director
Threat Research & Analysis

ICANN and IDNs

ICANN is meeting in Korea this week to discuss several issues regarding domain management, including post-expiration domain name recovery, registration abuse policies, new gTLDs and IDN ccTLDs. While all of this is interesting, I started to think about how many English-only web users are even aware of this final issue. Did you ever consider that while the Internet is dominated by English-focused websites, 60% of its users are non-English speakers? How many of you were aware that a URL could even be written in Chinese?

IDNs are internationalized domain names that are written using local language characters, not just limited to Latin or ASCII-based script. The second level domains have been available for some time, such as “日本語ドメイン.com”, but are currently limited to 2LDs and on, leaving the familiar ASCII TLDs (top-level domains) like “.com” as a foreign-language appendix. What we are likely to see very soon, however, thanks to the ICANN discussions, are domains constructed entirely in one language.

ICANN has set up a test page at idn.icann.org. Here you can see the same example.test domain in Arabic, Greek, Cyrillic, and Hebrew.

So what does this mean for DNS, which performs its queries and answers in ASCII? In order for DNS to understand and interpret these IDNs, the Unicode domain string is encoded using punycode, transforming it into ASCII so it can resolve properly. A full explanation of the punycode bootstring algorithm can be found here.

For every domain there is a label assigned to it. The DNS-stored label is usually the same as the displayed label for Latin-based domain names, but with IDNs and punycode we see a more significant difference between the two. A displayed label is called a U-label (for Unicode) and its stored version is an A-label (for ASCII). The result, which most consumers will never notice, is that you can have ‘example.test’ displayed as ‘пример.испытание’ (in Cyrillic) but stored as ‘xn--e1afmkfd.xn--80akhbyknj4f’ (example from ICANN). Every punycode version of these IDNs will begin with “xn--”.
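The U-label/A-label conversion above can be seen directly with Python's standard IDNA codec. The following is an added example, not code from the original post: it converts the ICANN example in both directions, checks for the `xn--` prefix, and goes one step beyond the text with a simple per-label script check, since a label that mixes scripts (a Latin name with one Cyrillic letter swapped in) displays like a familiar domain but is stored as an entirely different A-label. The sample domains other than the ICANN example are constructed for this illustration.

```python
import unicodedata

# Constructed sample domains (example.test and its Cyrillic form are the ICANN example
# quoted above; the others are made up for this illustration).
SAMPLES = [
    "example.test",
    "пример.испытание",
    "日本語ドメイン.com",
    "p\u0430ypal.com",  # Latin 'paypal' with a Cyrillic 'а' (U+0430) in second position
]

# Unicode-name prefixes that are script-neutral inside a label, and scripts that
# legitimately mix inside one label (Japanese text uses all three).
_NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}
_ALIASES = {"HIRAGANA": "CJK", "KATAKANA": "CJK", "KATAKANA-HIRAGANA": "CJK"}


def to_a_label(u_domain: str) -> str:
    """U-label (Unicode) -> A-label (ASCII): punycode each label and prefix it with xn--.
    Uses the stdlib IDNA codec; pure-ASCII labels are passed through unchanged."""
    return u_domain.encode("idna").decode("ascii")


def to_u_label(a_domain: str) -> str:
    """A-label -> U-label, the direction a browser takes before displaying the name."""
    return a_domain.encode("ascii").decode("idna")


def scripts_in_label(label: str) -> set:
    """Rough script classification from the first word of each character's Unicode name."""
    scripts = set()
    for ch in label:
        first = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        if first in _NEUTRAL:
            continue
        scripts.add(_ALIASES.get(first, first))
    return scripts


def inspect_domain(u_domain: str) -> dict:
    """Report the stored form and flag any label that mixes scripts (a common confusable pattern)."""
    stored = to_a_label(u_domain)
    mixed = [lbl for lbl in u_domain.split(".") if len(scripts_in_label(lbl)) > 1]
    return {
        "display": u_domain,
        "stored": stored,
        "is_idn": any(lbl.startswith("xn--") for lbl in stored.split(".")),
        "mixed_script_labels": mixed,
    }


if __name__ == "__main__":
    for domain in SAMPLES:
        print(inspect_domain(domain))
```

The script check is deliberately coarse (it keys off Unicode character names rather than the full Unicode Script property), but it is enough to show why the stored A-label, not the rendered U-label, is what a blocklist or log search should compare against.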

It’s great that ICANN is making this movement for a more internationally conscious and applicable Internet, but it seems very delayed. How much has an English dominated Internet kept the rest of the world out of the loop? A couple of examples provided by ICANN documents bring up everyday situations many of us take for granted. If I read a billboard or advertisement that has an accompanying web address, I go there for more information. But what if that URL was in Chinese or Hindi? I wouldn’t be able to remember the address or use my keyboard to even reproduce it. I would of course prefer to have the web address in the same language as everything else I’m reading. This change will be especially advantageous for script such as Arabic that reads from right to left. You can imagine how confusing that is currently for conveying a URL properly to international consumers.

There are three programs for obtaining entire native language IDNs. The proposed launch date for the IDN ccTLD Fast Track Process is November 16, 2009.

For some application and browser IDN handling issues, check out IDNnews.com.

Matt Sully
Director
Threat Research & Analysis

Wireshark Plugin for Mariposa Botnet Command and Control

“Yamata Li of the Palo Alto Networks Threat Research Team has developed a Wireshark plugin that will allow you to view obfuscated pcaps of traffic from a Mariposa infected client and actually decrypt them within Wireshark.”

http://www.paloaltonetworks.com/researchcenter/2009/10/mariposa-tool/

Thanks Yamata, the time and effort you have put into this plug-in is much appreciated. 

B.Kilrea
Threat Analyst

Mariposa Botnet Analysis

*** Update ***

An updated version of the Mariposa Technical Analysis can be found at http://defintel.com/docs/Mariposa_Analysis.pdf

***

Mariposa was first observed in May of 2009 by Defence Intelligence as an emerging botnet. In recent months, Mariposa has shown a significant increase in beaconing traffic to its command and control servers. This is indicative of an increasingly high number of compromised computers actively participating in the Mariposa botnet.

The most dangerous capability of this botnet is that arbitrary executable programs are downloaded and executed on command. This allows the bot master to infinitely extend the functionality of the malicious software beyond what is implemented during the initial compromise. In addition, the malware can be updated on command to a new variant of the binary, effectively reducing or eliminating the detection rates of traditional host detection methods.

Commands from the botnet master may be directed at participants in a specific country, individual computers, or all computers. As a result, the observation of the live command and control channel may not include all of the activity and capabilities of Mariposa.

The command and control channel employs custom encrypted UDP datagrams to receive instructions and transmit data. A detailed analysis of the encryption and message formats used by the protocol is presented in this paper.
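Because the channel is custom-encrypted UDP, payload inspection gives a defender little to work with; the beaconing increase noted above is the observable that remains. The following is an added example, not code from the Mariposa analysis or from Defence Intelligence, of the timing check an analyst would run over outbound UDP flow records: it groups datagrams by (source, destination, port) and flags pairs whose inter-arrival times are unusually regular. The flow log, hosts, addresses and port 5555 are all constructed for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed UDP flow log (not from the Defence Intelligence analysis).
# Format per line: "<epoch seconds> <src ip> <dst ip> <dst port>".
# 10.0.0.5 contacts 203.0.113.7:5555 roughly every 60 s (a beacon-like pattern);
# 10.0.0.9 contacts 203.0.113.8:5555 at irregular intervals; 10.0.0.12 appears only twice.
FLOWS = """\
1000 10.0.0.5 203.0.113.7 5555
1061 10.0.0.5 203.0.113.7 5555
1119 10.0.0.5 203.0.113.7 5555
1181 10.0.0.5 203.0.113.7 5555
1240 10.0.0.5 203.0.113.7 5555
1299 10.0.0.5 203.0.113.7 5555
1361 10.0.0.5 203.0.113.7 5555
1420 10.0.0.5 203.0.113.7 5555
1000 10.0.0.9 203.0.113.8 5555
1005 10.0.0.9 203.0.113.8 5555
1047 10.0.0.9 203.0.113.8 5555
1050 10.0.0.9 203.0.113.8 5555
1190 10.0.0.9 203.0.113.8 5555
1200 10.0.0.9 203.0.113.8 5555
1202 10.0.0.9 203.0.113.8 5555
1380 10.0.0.9 203.0.113.8 5555
1000 10.0.0.12 203.0.113.9 5555
1060 10.0.0.12 203.0.113.9 5555
"""


def parse_flows(text):
    """Group timestamps by (src, dst, dport); malformed lines are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        groups[(src, dst, int(dport))].append(int(ts))
    return groups


def interval_cv(timestamps):
    """Coefficient of variation (stdev / mean) of inter-arrival times.
    Near zero means evenly spaced datagrams; None when there are too few samples."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def find_beacons(text, min_datagrams=5, max_cv=0.2):
    """Return {(src, dst, dport): cv} for flows with enough datagrams and regular spacing."""
    hits = {}
    for key, ts in parse_flows(text).items():
        if len(ts) < min_datagrams:
            continue
        cv = interval_cv(ts)
        if cv is not None and cv <= max_cv:
            hits[key] = round(cv, 3)
    return hits


if __name__ == "__main__":
    for (src, dst, dport), cv in find_beacons(FLOWS).items():
        print(f"beacon candidate {src} -> {dst}:{dport} (interval cv={cv})")
```

The thresholds are a starting point, not a verdict: a low coefficient of variation also matches NTP, monitoring agents and other legitimately periodic traffic, so a hit is a lead to be confirmed against destination reputation (the domain list below, for instance) rather than an alert on its own. Bots that add jitter push the value up, which is why the window is set loosely.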

During empirical analysis of internally controlled compromised systems, the following DNS domain names were observed as the command and control servers:

  • lalundelau.sinip.es
  • bf2back.sinip.es
  • thejacksonfive.mobi
  • butterfly.BigMoney.biz
  • bfisback.sinip.es
  • qwertasdfg.sinip.es

Over the last two weeks of analysis, two unique malicious programs were downloaded and executed on the compromised computers. One malware update was received during this period, introducing new command and control domain names, adding a ‘confirmation of download’ message, and renaming ASCII commands.

It has also been observed that the botnet participants are receiving Google custom search engine URL fragments in a command from the bot master. This indicates a possible hijacking of Google AdSense advertisement revenue.

This paper details the result of static binary analysis, a review of the command and control protocols including a breakdown of the encryption, and empirical behaviour analysis findings.

The full Mariposa Botnet Analysis is available in PDF form at defintel.com

Mariposa Defined

Defence Intelligence has received quite a few responses to our story on the Mariposa botnet. They have run the gamut from polite information inquiries to accusations of falsifying our findings for media coverage, and thinly veiled threats of legal action. A response of our own has become necessary and we hope it at least answers some common questions many of you have asked.
Who is Defence Intelligence?
To begin with we are not an anti-virus company. We have spent the last 14 years protecting companies from hackers, not viruses. Until just a few years ago a virus and a hacker had very little to do with each other. Viruses are annoying and at times destructive but pose very little actual threat to a company or government’s information and its assets. A hacker’s goal on the other hand is to stealthily gain control of a targeted system with the intent of stealing data, attacking the internal network, or using the controlled system to attack an external network.
In the last few years these two distinct threats have blended. Hackers have discovered that direct external attacks are unnecessary and risky. It is now easier to engineer malicious software that is delivered to a system remotely through various means. Once that malicious software is on an internal computer, it then communicates outbound to the hacker, handing them complete control of the affected system.
When a system is compromised in this manner the attack is all too often misunderstood and dismissed as a mere virus, not just by the victim but by those providing that victim’s system security.
The Defence Intelligence team comes from an information security background, and not an anti-virus background, which means we view things differently. Within incident response, multiple events form an incident and events are constructed using various components. IP addresses, domain names, binaries, people, companies, and networks are all parts of this particular incident, which in this case, is a botnet.
What is Mariposa?
Mariposa is a collection of compromised computers that are directly under the control of a single malicious entity. In the security industry we call this a botnet.
Mariposa is NOT a virus, a worm, a trojan, or any other dated designation still inappropriately assigned to modern day malware. The malicious software used by Mariposa, and by any other botnet, actively evolves to become whatever is needed by its controller and is not limited by the boundaries of antivirus labels. This means that a trojan can be told to spread like a worm. It means that malware designed to send spam can be instructed to steal banking information.
Modern malware can no longer be classified by its perceived purpose or propagation method because those change in an instant. This software is engineered to gain access to and maintain control over the victim machine, and infiltrating a user’s computer is not difficult. Using a variety of software exploits and social engineering tactics, an attacker will find a way to distribute his malware to his victims.
Panda Security released a report this week showing that almost 60% of all PCs scanned this month had malware of some kind on them.
Once the malware is on the system it seeks communication with its controlling entity. With communication to the controlling entity, any compromised machine can be capable of carrying out any order issued by the botnet controller and any data on the compromised machine can be extracted for use, sale or distribution by the attacker.
Why did you call it Mariposa?
Our naming of this botnet as Mariposa has been a cause of concern for some. The confusion comes when antivirus companies, or those using antivirus, search for the Mariposa name only to find no results. This is because Mariposa refers to the botnet and not the malware it utilizes.
The malware used by Mariposa goes by many names, and this is part of the problem. Even amongst antivirus groups, and within their own companies, it is difficult to find a common name for any one family of malware. Below are some of the names that McAfee and Trend attribute to binaries used within Mariposa. This provides a clear example of the current confusion in botnet malware identification.

McAfee                     Trend
W32/Autorun.worm.zzq       WORM_AUTORUN.ZRO
W32/Virut.n.gen            WORM_Generic.DIT
Downloader-BQP             TROJ_Generic.DIT
W32/Autorun.worm.zzk       PE_VIRUX.A
PWS-Zbot                   WORM_PALEVO.T
Generic.dx!dpk             WORM_PALEVO.AZ
Downloader-BRW             WORM_PALEVO.AS
W32/Virut.j                WORM_AUTORUN.EUC
W32/Autorun.worm.fq        WORM_AUTORUN.EPB
W32/Autorun.worm.c         TSPY_ZBOT.SMQ
W32/Autorun.worm!bf        PE_VIRUX.F-1
Generic.dx!la              PE_VIRUX.E
Generic.dx!ha              PE_VIRUX.D
Generic.dx!dqe             PE_VIRUX.C-1
                           PE_VIRUX.A-3
                           PE_VIRUT.AP
                           BKDR_VOTWUP.D

It is our hope that, perhaps not through our terminology but through our methodology, Defence Intelligence can provide some guidance to improve upon the multiple naming conventions, allowing a clearer arena for botnet discussion and understanding.
Why didn’t my AV pick this up?
Using signatures and automated classification, especially when involving heuristics, results in a cacophony of naming options for every distinct variant of a given piece of malware. That said, many AV companies have had the ability to detect some variations of the malware behind Mariposa long before we became aware of this botnet’s activity.
With our approach to compromise detection, utilized by our Nemesis software, we can detect the botnet itself, which allows the organization to track down systems affected by the malware regardless of the variant or of antivirus identification ability. While AV companies look at single binaries and classify them based upon discrete behavior of code, or upon the packer used to obfuscate the binary, we look at the threat holistically: a macro versus micro approach.
At Defence Intelligence we consider the code used within Mariposa as only one identifying factor. Command structure is another; it is defined by domain names, IP addresses, and communication protocols, and by how each of these fluctuates. We also consider the organization or individual ultimately behind the botnet, and any indicator of who is responsible for the formation and/or control of the hosts affected by this malware.
With the perpetual addition of variants and updates, relying on AV detection to keep pace is not advised. VirusTotal is a free web-based service that analyzes files with multiple antivirus engines, revealing which of them detect a suspected malware sample. The following is VirusTotal output for one of the malicious binaries related to Mariposa.

Antivirus          Version          Last Update  Result
a-squared          4.5.0.24         2009.07.24
AhnLab-V3          5.0.0.2          2009.07.24
AntiVir            7.9.0.228        2009.07.24
Antiy-AVL          2.0.3.7          2009.07.24
Authentium         5.1.2.4          2009.07.24
Avast              4.8.1335.0       2009.07.24
AVG                8.5.0.387        2009.07.24
BitDefender        7.2              2009.07.24
CAT-QuickHeal      10               2009.07.24
ClamAV             0.94.1           2009.07.24
Comodo             1742             2009.07.24
DrWeb              5.0.0.12182      2009.07.24
eSafe              7.0.17.0         2009.07.23   Suspicious File
eTrust-Vet         31.6.6637        2009.07.24
F-Prot             4.4.4.56         2009.07.23
F-Secure           8.0.14470.0      2009.07.24
Fortinet           3.120.0.0        2009.07.24
GData              19               2009.07.24
Ikarus             T3.1.1.64.0      2009.07.24
Jiangmin           11.0.800         2009.07.24
K7AntiVirus        7.10.800         2009.07.23
Kaspersky          7.0.0.125        2009.07.24
McAfee             5686             2009.07.23
McAfee+Artemis     5686             2009.07.23
McAfee-GW-Edition  6.8.5            2009.07.24   Heuristic.LooksLike.Worm.Palevo.B
Microsoft          1.4903           2009.07.24
NOD32              4273             2009.07.24
Norman                              2009.07.22
nProtect           2009.1.8.0       2009.07.24
Panda              10.0.0.14        2009.07.24
PCTools            4.4.2.0          2009.07.23
Prevx              3                2009.07.24
Rising             21.39.42.00      2009.07.24   Trojan.Win32.DangerGL.a
Sophos             4.44.0           2009.07.24   Mal/EncPk-IY
Sunbelt            3.2.1858.2       2009.07.23
Symantec           1.4.4.12         2009.07.24
TheHacker          6.3.4.3.373      2009.07.24
TrendMicro         8.950.0.1094     2009.07.24   PAK_Generic.001
VBA32              3.12.10.9        2009.07.24   suspected of Malware-Cryptor.Win32.General.3
ViRobot            2009.7.24.1851   2009.07.24
VirusBuster        4.6.5.0          2009.07.23

Additional information
File size: 123392 bytes
MD5: 6939c088f59258da7410f66837c62192
SHA1: 500bb963602d45584303a4dc3f6fd6052a6752d8
SHA256: 996c2667b2bcf86c9c7c20d7c79a3024131c84e0d82d5338db99812830ad778a

As you can see, only 6 of the 41 antivirus groups were able to detect the malware. Once again, the naming is inconsistent. Given time, however, most antivirus companies are able to identify the same binary.

Antivirus          Version          Last Update  Result
a-squared          4.5.0.24         2009.09.29   P2P-Worm.Win32.Palevo!IK
AhnLab-V3          5.0.0.2          2009.09.29
AntiVir            7.9.1.27         2009.09.29
Antiy-AVL          2.0.3.7          2009.09.29
Authentium         5.1.2.4          2009.09.29
Avast              4.8.1351.0       2009.09.28   Win32:MalOb-H
AVG                8.5.0.412        2009.09.29   SHeur2.ASQE
BitDefender        7.2              2009.09.29   Trojan.Generic.2263367
CAT-QuickHeal      10.00            2009.09.29
ClamAV             0.94.1           2009.09.29
Comodo             2469             2009.09.29   Heur.Suspicious
DrWeb              5.0.0.12182      2009.09.29   Trojan.Packed.541
eSafe              7.0.17.0         2009.09.29   Suspicious File
eTrust-Vet         31.6.6768        2009.09.29
F-Prot             4.5.1.85         2009.09.29
F-Secure           8.0.14470.0      2009.09.29   Packed.Win32.Krap.y
Fortinet           3.120.0.0        2009.09.29
GData              19               2009.09.29   Trojan.Generic.2263367
Ikarus             T3.1.1.72.0      2009.09.29   P2P-Worm.Win32.Palevo
Jiangmin           11.0.800         2009.09.27
K7AntiVirus        7.10.856         2009.09.29   P2P-Worm.Win32.Palevo.jaz
Kaspersky          7.0.0.125        2009.09.29   Packed.Win32.Krap.y
McAfee             5755             2009.09.28   W32/Autorun.worm.zzq
McAfee+Artemis     5755             2009.09.28   W32/Autorun.worm.zzq
McAfee-GW-Edition  6.8.5            2009.09.29   Heuristic.LooksLike.Win32.NewMalware.B
Microsoft          1.5005           2009.09.23   VirTool:Win32/Obfuscator.FL
NOD32              4467             2009.09.29   a variant of Win32/Kryptik.LR
Norman             6.01.09          2009.09.29
nProtect           2009.1.8.0       2009.09.29   Trojan/W32.Agent.123392.EB
Panda              10.0.2.2         2009.09.28   Trj/CI.A
PCTools            4.4.2.0          2009.09.29
Prevx              3.0              2009.09.29   Medium Risk Malware
Rising             21.49.14.00      2009.09.29   Trojan.Win32.DangerGL.a
Sophos             4.45.0           2009.09.29   Mal/EncPk-IY
Sunbelt            3.2.1858.2       2009.09.29   Trojan.Win32.Generic!BT
Symantec           1.4.4.12         2009.09.29   Spyware.Screenspy
TheHacker          6.5.0.2.021      2009.09.28
TrendMicro         8.500.0.1002     2009.09.29   WORM_AUTORUN.ZRO
VBA32              3.12.10.11       2009.09.29   Malware-Cryptor.Win32.General.3
ViRobot            2009.9.29.1963   2009.09.29
VirusBuster        4.6.5.0          2009.09.29

File size: 123392 bytes
MD5: 6939c088f59258da7410f66837c62192
SHA1: 500bb963602d45584303a4dc3f6fd6052a6752d8
SHA256: 996c2667b2bcf86c9c7c20d7c79a3024131c84e0d82d5338db99812830ad778a
So I just need to wait for an update to my AV then?
If malware were to remain static and unchanged, an identification and removal option would eventually be provided by your antivirus of choice. At that point, however, the malware has likely already fulfilled its initial goals, and its removal would be a futile and meaningless task. Unfortunately, Mariposa does not use static malware.
Malware authors often update their code to evade detection as well as try different configurations, all of which result in a new malware variant. Mariposa has over 70 variants, resulting in a persistent and dynamic botnet.
One example is this update file, recently dropped onto a compromised system as instructed by the Mariposa botnet controller. VirusTotal shows that only two of the 41 AV groups currently detect it.

File svc.exe received on 2009.09.29 15:27:36 (UTC)
Current status: finished
Result: 2/41 (4.88%)
http://www.virustotal.com/analisis/7987d324cedbfeb9df94f7cbaf0ed2091431d6443c5b5fbff6ad7a7c380bf8d3-1254238056
A signature may soon come out for this code from your AV vendor, but by that time, a new piece of code may be written and downloaded that bypasses AV yet again.
Well, how do I stop this thing?
As the IPs, ports, and domains involved in the command structure of Mariposa are constantly changing, it becomes difficult for security administrators to mitigate this botnet’s activity. At this time we suggest tracking down the compromised systems rather than establishing rules to block communication to the botnet controller. UDP connections are still actively used for Mariposa communication, so observing your network activity is the best place to start. If one system is frequently sending outbound UDP traffic, regardless of port, mark it as suspicious and consider removing it from the network. Your own remediation technique is up to you, but reimaging, though time consuming, is the only confident way to cleanse a compromised machine.
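The outbound-UDP heuristic described above, as an added example that is not part of the original post or of Defence Intelligence’s Nemesis software: it runs over a few constructed flow records and flags internal hosts that repeatedly send UDP to several external peers, regardless of destination port. The flow-log format, the internal address range and the allowlisted upstream resolver are assumptions.

```python
# Added example (not Defence Intelligence code): flag internal hosts that
# frequently send outbound UDP, regardless of destination port.
# Flow-log format, internal range and resolver allowlist are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: "timestamp src dst proto dst_port bytes".
SAMPLE_FLOWS = """\
2009-09-29T15:27:01 10.0.0.12 203.0.113.5 UDP 5907 312
2009-09-29T15:27:03 10.0.0.12 203.0.113.5 UDP 5907 298
2009-09-29T15:27:04 10.0.0.12 198.51.100.9 UDP 3074 305
2009-09-29T15:27:06 10.0.0.12 198.51.100.9 UDP 3074 310
2009-09-29T15:27:07 10.0.0.12 192.0.2.77 UDP 1103 289
2009-09-29T15:27:09 10.0.0.12 192.0.2.77 UDP 1103 301
2009-09-29T15:27:02 10.0.0.40 203.0.113.53 UDP 53 71
2009-09-29T15:27:05 10.0.0.40 203.0.113.53 UDP 53 68
2009-09-29T15:27:08 10.0.0.40 203.0.113.20 TCP 443 2210
"""

INTERNAL_NET = ip_network("10.0.0.0/8")           # assumed internal range
ALLOWED_UDP_PEERS = {ip_address("203.0.113.53")}  # assumed upstream resolver

def outbound_udp_stats(log_text):
    """Per source host: (outbound UDP flow count, distinct external peers)."""
    flows = defaultdict(int)
    peers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, _dport, _size = line.split()
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # Only UDP leaving the internal network counts; known resolvers are
        # skipped so ordinary DNS traffic does not trip the heuristic.
        if proto != "UDP" or src_ip not in INTERNAL_NET or dst_ip in INTERNAL_NET:
            continue
        if dst_ip in ALLOWED_UDP_PEERS:
            continue
        flows[src] += 1
        peers[src].add(dst)
    return {s: (flows[s], len(peers[s])) for s in flows}

def suspicious_hosts(log_text, min_flows=5, min_peers=2):
    """Hosts with at least min_flows outbound UDP flows to min_peers+ peers."""
    return sorted(src for src, (n, p) in outbound_udp_stats(log_text).items()
                  if n >= min_flows and p >= min_peers)

if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE_FLOWS):
        print(f"{host}: frequent outbound UDP, mark suspicious and investigate")
```

Thresholds are deliberately conservative starting points; tune them against a baseline of your own network before acting on a hit.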
So what is Defence Intelligence doing about this?
As before we are contacting companies that have been affected by Mariposa. We also have other researchers and companies looking to help out in this mitigation effort and the formation of a small working group with these individuals is taking place. Updates on this and other Mariposa details will follow.