Part 1: Teaching old Malware new Tricks
Why Carberp, ZeuS, and Other Vintage Malware Have a Bigger Bite Than You Think
As a sales engineer working at FireEye, I spend my days running production pilots with prospects, discussing advanced persistent threats (APTs), customers’ security posture, and the current advanced threat landscape. While the focus here at FireEye is all about detecting the zero-day or advanced targeted attacks, I’m constantly surprised by how much plain old “commodity malware” or “crimeware” I find in networks.
I shouldn’t see these malicious files at all on networks supposedly protected by traditional defenses: next-generation firewalls, intrusion prevention systems, network anti-virus, secure web gateways, and so on. If these products are working as advertised, then the only malware left to discover should be the APT or zero-day attacks detected by our advanced technology.
The unfortunate reality is that relics such as ZeuS/Zbot, Ice IX, Carberp, and even Conficker are regularly spotted by FireEye in the field. These are all “mature” malware families — ostensibly defanged, if not vanquished, by traditional defenses long ago.
As the leak in June of Carberp’s source code reminds us, the line between “crimeware” (banking Trojans and other commodity malware) and APTs is blurry. And it doesn’t take a lot of technical savvy to use old-school malware in fresh new APT campaigns.
Suppose you are Bad-Guy Bob and want to steal inside information about Foo Corp.’s rumored takeover of Bar Inc. You have several options:
1. Launch an attack using social engineering: send a targeted email with a URL that links to a zero-day exploit and a custom-built, never-before-seen malware payload
2. Compromise a well-known website used by your targets and use it to host your custom exploit and malware payload
3. Go shopping:
   bob joined #secret_hacker_chat.
   <bob> Hey guys. Does anyone have any bots at Foo Corp?
   <h4x0r> Yeah – I’ve got six. Two in R&D, one I think in Finance and a few others.
   <bob> Good. I’ll buy them from you… How much?
In many cases, it really is as simple as option 3. Systems already compromised by old malware are available, for the right price, to use in targeted attacks. And as I witness every day in my line of work, an alarming number of systems are compromised.
Take ZeuS, for example. The ZeuS botnet family, known for the most part as a “Banking Trojan,” was first seen in 2007 [1]. It grew more widespread and by 2009 controlled 3.6 million U.S. PCs [2]. The ZeuS source code leaked into the public domain in August 2011, which led to new variants offering features such as peer-to-peer botnet communication.
Today, I see infections by ZeuS or one of its variants in almost every company I visit. It has a number of well-known offshoots (Citadel, Ice IX, Wsnpoem), and features prominently in news stories about high profile takedowns of botnets [3].
One of the fascinating aspects of ZeuS is just how resilient it has been. Data provided by the Zeustracker site [4], which compiles information about known and submitted ZeuS infections, shows the malware’s astounding knack for evading anti-virus systems.
As Table 1 shows, 3,416 samples — about 42 percent of the ZeuS-related samples submitted to malware analysis website VirusTotal — evaded 80 percent or more of the site’s anti-virus engines (that is, they were flagged by at most 20 percent of the engines). And 626 samples, or about 7 percent of the total, remained undetected by any of the anti-virus engines.
VirusTotal, a free Google-owned service, lets users upload file samples and have them tested for malicious activity. It's important to note that using VirusTotal is illustrative and should not be thought of as a way to determine the absolute efficacy of AV. However, it can give us an indication.
Percentage of anti-virus engines detecting the sample | Number of ZeuS binaries
100% | 47
 90% | 585
 80% | 643
 70% | 514
 60% | 551
 50% | 741
 40% | 678
 30% | 968
 20% | 1613
 10% | 1177
  0% | 626
Table 1: ZeuS detection rate for samples submitted to VirusTotal.
The upshot is clear: Shrugging off the threat posed by older malware (“But it’s only a ZeuS infection…”) is not just risky. It’s downright foolhardy.
[1] Reuters. “Hackers steal U.S. government, corporate data from PCs.” July 2007.
[2] University of Alabama at Birmingham. “UAB computer forensics links internet postcards to virus.” July 2009.
[3] Microsoft. “Microsoft, financial services and others join forces to combat massive cybercrime ring.” June 2013.
[4] http://zeustracker.abuse.ch
Part 2: Cybercriminal Intent: How to build a Botnet in less than 15 minutes.
In my last post, I argued that mature, seemingly tamed malware families such as ZeuS can still do some serious damage. In this post, I’ll prove it.
Numerous technical presentations and articles aimed at security professionals have described various botnet families and detailed their inner workings. What I haven’t seen is a simple, straightforward explanation of how easy building a botnet is and key features available to anyone with a criminal bent and 15 minutes to spare. So in the interest of showing you what you are up against, here is a step-by-step outline of how easily someone can create a ZeuS-based botnet targeting your organization.
Before I begin, let me be clear: my aim is not to instigate more botnets or give cybercriminals new ideas for attacks. The bad guys already know how simple this is — I’m trying to help the good guys appreciate precisely how vulnerable they might be. To this end, after much thought, I have decided to remove a couple of steps to make the process slightly (but only slightly) more opaque. Honestly, if you're determined to do this, then you don't need my blog post to figure it out. Just spend some time with your favorite search engine looking through the murkier parts of the web...
Step 1: Find a builder kit (3 minutes)
Using a combination of search terms, you can usually find a link to a version of a popular builder kit in 3 minutes or less. Our chosen kit was originally an underground - yet commercial - product based on the ZeuS code, and originally cost $600 for a hardcoded command-and-control (C&C) server and $1,800 for an unlimited builder license. But considering that you’re building a botnet to steal massive amounts of sensitive data, we’ll assume that you have no qualms about using a pirated copy.
Our bot has the following core components:
§ A settings.txt file for configuring the C&C callback channel
§ The Full_builder.exe file for compiling the bot payload
§ C&C host files. This is a PHP-based website used for reporting and C&C functions
§ bot-bc.exe. This process allows your malware to back-connect through the Socket Secure (SOCKS) protocol for remotely controlling compromised machines
Figure 1 (http://www.fireeye.com/blog/corporate/2013/08/cybercriminal-intent-how-to-build-your-own-botnet-in-less-than-15-minutes.html) shows the settings.txt file, highlighting a number of options. The “URL Masks” section lets you specify certain actions if the user of the compromised machine visits a website whose URL matches a given text string. These URLs can be anything you want. In Figure 1, the URL masks include ebay.com and owa (Outlook Web Access, for gaining control of the target’s corporate email account).
The “URL Masks” options enable any of the following when the user visits any of the sites defined in the URL Masks section:
§ N — do not write data in reports
§ S — make screenshot with mouse clicks on the page area
§ C —preserve all cookies associated with that site and block access to it
§ B — block access to the site
The injects.txt file highlighted in Figure 1 is arguably the killer feature of the ZeuS family of bots. Essentially, the “injects” capability lets you interact with any site that the compromised machine accesses. Because it works on the infected user’s machine directly, the feature renders meaningless those sites’ security features, such as two-factor authentication and SSL/TLS encryption. Forget man-in-the-middle attacks — this is a “man-at-the-keyboard” attack!
For Figure 2 go to: http://www.fireeye.com/blog/corporate/2013/08/cybercriminal-intent-how-to-build-your-own-botnet-in-less-than-15-minutes.html
In Example 1, the contents of the accountOverview section are uploaded to the C&C server whenever the compromised host goes to a URL containing “https://www.payment-site.com/*/webscr?cmd=_login-done*.” With this handy report of users’ account balances, you can focus on targeting those with the most money in their accounts.
In Example 2, a "Big Bank Corp" site viewed by a compromised system would show an additional field on the password page asking for the user’s “ATM PIN.” Because your grafted-in field is designed in the same style as the standard page, it looks like it belongs there. Sensing nothing amiss, many computer users would not hesitate to enter this information — which is immediately sent to you, the attacker.
Those are only two examples. As a botnet owner, you could create all sorts of targeted injects files to steal new and useful information. If that’s too much work, you can download ready-to-use injects definitions that serve as recipe books of sorts for specific attacks. Need to target end-users in France? Simply download the French Banks injects pack containing recipes for the purely illustrative and imaginary “La Banque Centrale” or “Crédit Français”, among others.
Step 2: Build your payload (5 minutes)
Once your injects file is ready, open the easy-to-use GUI to build the executable malware file (see Figure 3).
You’ll need two pieces of information to build the malware:
§ The URL to your settings.txt file (you’ll store the file on your C&C server so you can change it at will)
§ A symmetric-key encryption key to embed in the payload, so that it can communicate securely with your C&C server. This key can be any string of characters
Figure 3 (screenshot of the builder GUI used to compile the malware): http://www.fireeye.com/blog/corporate/2013/08/cybercriminal-intent-how-to-build-your-own-botnet-in-less-than-15-minutes.html
After you have compiled the malware, you’ll run your executable through a file compressor or obfuscator, also known as a packer or a crypter. Originally designed to reduce the file size of an executable file, these packers have the added benefit of disguising files when scanned by anti-virus software. For this example, I used three popular compressors, which I’ll refer to here as packers "A" through "C".
To see whether the compressed files are sufficiently camouflaged, you’ll submit your files to VirusTotal, a free site that scans uploaded files using a number of anti-virus engines. (Note: if you were a real cybercriminal, you’d probably choose a different virus-scanning site such as Scan4You, Chk4Me, or ElementScanner. VirusTotal shares its scanning results with anyone — including IT security companies — which could put your malware on the radar.)
Most of the anti-virus engines catch the uncompressed EXE file (40 out of 46). Apparently, security vendors are well-acquainted with our botnet kit. Compressing it with "Packer A" doesn’t fare much better (36 out of 46). But more than a third of the engines miss the file when compressed with "Packer C". Not bad for a well-known malware threat using off-the-shelf compression.
For better cover, you can shop a virtual bazaar of obscure file packers and "crypters" that promise to hide the malware from a larger percentage of anti-virus engines. As little as $20 (USD) will buy a couple of months’ access to a crypter guaranteed to evade every anti-virus engine on the market.
Some builder kits offer higher-priced “Enhanced”, “Private”, or “Enterprise” editions that compile malware already packed and obfuscated to beat anti-virus engines. They even come with regular updates.
If you have a little more time, you can use other techniques to obscure your file. For example, the shikata ga nai encoder can give your malware polymorphic properties, producing a brand new, undetectable file with each new encoding.
Step 3: Set up your C&C infrastructure (5 minutes)
Now that the malware payload is ready, you’ll need a C&C server to control infected computers. The bot builder kit includes all of the files you need.
You can sign on with a Web host or cloud server provider to create a low-cost, low-power Unix server in minutes. Figure 5 (http://www.fireeye.com/blog/corporate/2013/08/cybercriminal-intent-how-to-build-your-own-botnet-in-less-than-15-minutes.html) shows the web user interface for a popular host.
After uploading the C&C files provided by our kit, a Web interface for the installer appears (see Figure 6 - http://www.fireeye.com/blog/corporate/2013/08/cybercriminal-intent-how-to-build-your-own-botnet-in-less-than-15-minutes.html).
Fill out the relevant fields, and you’re all set. Now that you have a working malware payload and C&C server, your botnet is ready for its first target.
As I mentioned earlier, these steps are not some groundbreaking new way to build a botnet — this is all child’s play for today’s sophisticated attackers. If you can build a botnet with a few spare minutes, imagine what a team of well-trained, well-funded threat actors can do working around the clock.
Part 3: Thinking outside the Sandbox
Are Anti-Virus Vendors Using Uploaded File Samples To Find New Command-and-Control Servers?
Previously, I detailed ZeuS and related malware families – and I demonstrated just how easy it is to build your own botnet.
While building my own research botnets for the previous blog entries, I submitted samples to a well-known anti-virus (AV) site to check for AV coverage.
Imagine my surprise when all of a sudden I saw many incoming web requests to my command-and-control (CnC) server — from all around the world! Keep in mind that my botnet had only one member: a virtual machine in my lab. So why would I see inbound connections coming from Japan, Finland, Russia (and so on)?
What? How?
After an initial moment of confusion (and panic), I regained my composure and promptly trashed the CnC server. Then I created a new CnC server (on a different continent) and built a new version of the payload. Instead of embedding the new payload with the URL to the typical settings file, I pointed it to a text file on the CnC server containing the following text:
Hello. This is not a botnet. This is for research! Please move along…
I created two different bots for this test: one was a ZeuS variant, which we’ll call “Botnet A” (detailed extensively in my previous two posts <link>). The other was from a different malware family that we’ll call “Botnet B”.
In this investigation, I used ip_loc.pl, a tiny Perl program I wrote to look up the geographic location and reverse resolution of an IP address. I have redacted the specifics of the IP addresses I detected and include only the location details.
Botnet A - ZeuS variant:
# grep botnet-a.txt /var/log/apache2/other_vhosts_access.log | \
    awk '{print $2}' | sort -u | ./ip_loc.pl
xxxx.compute-1.amazonaws.com, Ashburn, Virginia, US
(no PTR), New York, New York, US
(no PTR), Mountain View, California, US
xxxx.neoplus.adsl.tpnet.pl, Warsaw, Mazowieckie, PL
xxxx.dynamic.clientes.euskaltel.es, Bilbao, Pais Vasco, ES
xxxx.elisa-mobile.fi, Helsinki, Southern Finland, FI
xxxx.broadband.corbina.ru, Moscow, Moscow City, RU
tor-exit-nl1.privacyfoundation.dk, Amsterdam, Noord-Holland, NL
xxxx.jp, Tokyo, Tokyo, JP
xxxx.ovh.net, London, London, City of, GB
xxxx.pools.arcor-ip.net, Teningen, Baden-Württemberg, DE
norman.norman.no, Lysaker, Akershus, NO
(no PTR), Oslo, Oslo, NO
Botnet B – Alternate malware family:
# grep botnet-b.txt /var/log/apache2/other_vhosts_access.log | \
    awk '{print $2}' | sort -u | ./ip_loc.pl
xxxx.pools.arcor-ip.net, Gundelfingen, Baden-Württemberg, DE
(no PTR), Derwood, Maryland, US
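The same triage as the grep/awk/ip_loc.pl pipeline above, as an added Python example that is not the post's own tool: it parses Apache's vhost_combined log format (field 2 is the client address the awk step pulled out), lists the unique clients that fetched a given callback file with hit counts, and annotates them through a caller-supplied lookup. The log lines and the PTR/location table are constructed so the script runs offline; for real use, swap in reverse DNS and a GeoIP database.

```python
"""Access-log triage for a callback file: which clients fetched it, and how often?
Added example, not the post's ip_loc.pl. Log lines and the PTR/location table
are constructed; the lookup is injectable so the script runs offline."""
import re
from collections import defaultdict

# Apache vhost_combined format, as written to other_vhosts_access.log:
#   vhost:port client-ip ident user [time] "request" status bytes "referer" "ua"
# Field 2 is the client address, which is what `awk '{print $2}'` pulled out.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed log of the CnC host: the only real "bot" is the lab VM (10.0.0.5);
# the other hits arrive after the sample was uploaded to a public scanner.
SAMPLE_LOG = """\
cnc.example.test:80 10.0.0.5 - - [12/Aug/2013:10:01:07 +0000] "GET /botnet-a.txt HTTP/1.1" 200 66 "-" "Mozilla/4.0"
cnc.example.test:80 203.0.113.17 - - [12/Aug/2013:11:14:22 +0000] "GET /botnet-a.txt HTTP/1.1" 200 66 "-" "Mozilla/4.0"
cnc.example.test:80 198.51.100.9 - - [12/Aug/2013:11:40:05 +0000] "GET /botnet-a.txt HTTP/1.1" 200 66 "-" "-"
cnc.example.test:80 192.0.2.44 - - [12/Aug/2013:12:02:51 +0000] "GET /botnet-b.txt HTTP/1.1" 200 66 "-" "Mozilla/4.0"
cnc.example.test:80 203.0.113.17 - - [13/Aug/2013:09:00:00 +0000] "GET /botnet-a.txt HTTP/1.1" 200 66 "-" "Mozilla/4.0"
"""

# Constructed stand-in for the reverse-DNS and GeoIP lookups ip_loc.pl did.
FAKE_PTR = {
    "10.0.0.5": ("lab-vm.internal", "lab"),
    "203.0.113.17": ("(no PTR)", "Tokyo, JP"),
    "198.51.100.9": ("tor-exit.example.test", "Amsterdam, NL"),
}

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def clients_for_path(text, path, known=()):
    """Unique client IPs that requested `path`, with hit counts, minus `known` hosts.
    Like `grep <path> log | awk '{print $2}' | sort -u`, but matches the request
    path exactly instead of the string anywhere on the line (e.g. in a referer)."""
    hits = defaultdict(int)
    for rec in parse_log(text):
        if rec["path"] == path and rec["ip"] not in known:
            hits[rec["ip"]] += 1
    return dict(sorted(hits.items()))

def annotate(ips, lookup=FAKE_PTR.get):
    """Attach (PTR, location) from a lookup callable; swap in socket/GeoIP for real use."""
    return {ip: lookup(ip) or ("(no PTR)", "unknown") for ip in ips}

if __name__ == "__main__":
    unexpected = clients_for_path(SAMPLE_LOG, "/botnet-a.txt", known={"10.0.0.5"})
    for ip, (ptr, loc) in annotate(unexpected).items():
        print(f"{ip:15} {unexpected[ip]:>2} hits  {ptr}, {loc}")
```

Excluding the lab VM, the script leaves exactly the clients that should not know the callback URL, which is the signal the post is reasoning about.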
Now, I cannot claim to know with certainty who the owners are of most of these IPs. But I would be surprised if home computer users were scouring the public domain for new malware samples to analyze. This leads me to speculate that AV research labs in Tokyo, Helsinki, and Moscow, among other locations, were checking my callback URL. (That was clearly the case in one instance — an AV software vendor made no attempt to hide its identity.)
What does all this mean?
Obviously, some anti-virus vendors are using public-domain malware submissions to improve their detection capabilities. While this isn’t news, I think it is interesting that AV vendors are mining new malware samples in sandboxes to identify CnC servers so they can add them to their AV or URL-filtering signatures.
So … these guys are relying on voluntary malware file uploads to find new CnC servers? I am not sure that this tactic is reliable. Even worse, it appears susceptible to abuse or deception. For example, it seems that AV companies are focusing on specific malware families such as ZeuS — you may have noticed that my CnC server for Botnet B (the non-ZeuS one) drew only a couple of hits. Why focus only on ZeuS variants? What about other botnet families? Even more important, what about highly targeted, zero-day attacks?
My conclusions from the simple experiments in this series of posts are as follows:
§ Finding a botnet builder kit is very easy (in minutes).
§ The botnet is very easy to deploy (in minutes).
§ You can fool a large percentage of AV engines using off-the-shelf tools (in minutes).
§ You can purchase previously unknown variants of the payload builders.
§ If you take a little time with shellcode obfuscation or custom EXE packers, then you can beat more than 95 percent of the anti-virus engines.
§ If compromising a chosen host is this easy using publicly available tools, it must be even easier for dedicated, focused attackers with significant resources supporting them.
Now that the Carberp source code has been leaked, I expect to see a number of new variants, undetectable by AV engines, surface in the coming weeks.
I also expect that the Carberp source is being pored over by many malware researchers in the AV industry who are looking for heuristic hits they can use to detect Carberp variants being uploaded to VirusTotal. And I’m sure the same thing will happen for the CnC servers found in these samples.
Final thought:
The techniques outlined in this series of blog entries are very simple and in no way reflect the real level of sophistication available to a determined attacker. I was only demonstrating by example how easy it is to compromise a host using a well-known builder kit of a well-known malware variant.
For the future, the world needs a platform that is not dependent on a priori knowledge of any of the stages of a targeted attack — one that goes beyond the mere sandbox analysis of discrete objects, and is able to detect web-based exploits that are used to hide the latter stages of the attack.