Sometimes, I'm amazed at the ease with which it's possible to create a Botnet Empire. Don't believe me? Well, check out the screenshot below, obtained by a colleague of mine in a random IRC Chatroom:
Now, you would hope people wouldn't fall for this.
I am afraid you would be totally, utterly wrong. Check this out, it's the page hosting the infection file. The novel aspect here is, it's a webhosting page that shows how many times the file has been downloaded.
Now, it's reasonable to assume that almost all the people who were naive enough to download the file, would also be naive enough to run the thing. Screenshot time:
Downloaded 375 times in 2 days.
Downloaded 380 times in 10 days.
...amazing. That's 375 brand new drones for some random Botnet owner, in only two days.
The download rates drop sharply after the first few days. Why is this?
Well, they don't need to keep injecting the link in chatrooms to infect new boxes. They can simply use the drones they have to scan new machines for vulnerabilities instead.
You probably noticed that on the hosting page, they even tell you what the file is likely to do:
EXE (short for 'executable') and COM are the common filename extension for denoting an executable file (a program) in the MS-DOS, Microsoft Windows, and OS/2 operating systems.
Generally, "exe" may be used as a noun to refer to such a file.
...and yet, people will still run it. Whoops.
As for the Botnet itself, I imagine you probably want to see it, yes? Well, today is your lucky day. We skipped the boring part where I download and run the file, as that's not particularly interesting to watch.
What is interesting, is seeing how these guys use some common tricks of the trade to convince the infected user that there's "nothing to see here".
At this point, I've run the executable and a new folder has "mysteriously" appeared in the System32 folder.
It's movie time.
00:00 to 00:08 seconds: We're looking at the folder dumped onto the system shortly after the Alexander file is let loose on the PC. Check out those file names..
. ? With a icon?
Sorry, that's just too suspicious! Ignoring the other files (which point to the relevant servers hosting the Botnet channel, pre-determined user nicknames and the like), I click the file to open it up. Whoops - it doesn't like that, as you can see.
A small, minimised box appears in the extreme top-right hand corner of the screen, before vanishing (blink and you'll miss it!)
Again, I try - doh! We could be at this for a while.
00:10 to 00:12 seconds: Thankfully, this isn't a particularly difficult problem to resolve. See that file, "close.dll"?
Think the name is a bit of a major clue? Well, you'd be right. Deleting the file means you can click on svchost.exe and it'll stay open - open it up, and...
00:13 to 00:18 seconds: Ah, a minimised IRC Channel! Shall we open it up? Yeah, let's do this thing.
In Mystery Box Number 1, we have...
00:19 to 00:28 seconds: Botnet Central! I love the message:
...no kidding! Perhaps you shouldn't be dumping people into a Botnet then?
In any case, you can see the channel is packed with people - sorry, drones - and from there, the aspiring Bot Master can do a wide variety of not so lovely things to pretty much anyone he pleases. Remember once they control the computer, what they can do is only limited by their imagination. We are actively working on getting this Botnet shut down.
...with any luck, it'll be out of the picture within a few days at most.
Fingers crossed...
On a side-note, my colleague Wayne Porter and I have been conducting some new "top secret" methods with which to identify and knock out these rogues (that's why we are a lab - remember?). It has extended into a far deeper and more complex research project than we imagined, but it may produce some startling new ways to combat the menace at large...
IMPORTANT UPDATE: Google has reacted very quickly to our concerns, and we have been in discussions with their top engineers. As netizens we are encouraged by their quick reaction to our concerns, and willingness to listen thoughtfully to our feedback.
Successful companies like Google understand that one must be a part of the conversation, not stand outside the conversation or try to obscure it. Our hats are off!
Stay tuned for more news.
...(See Addendum At Bottom)
Sr. Dir. Greynets Research, FaceTime Communications
Back to the entry and analysis from Paperghost...
The idea of problems behind "gated" communities is a pretty interesting one, even more so when the idea regularly rolls around that segregating various parts of the Internet to "keep the bad guys out" would be a great idea.
But what happens when those bad-guys are already inside the gates?
(Orkut is) run by Google and named after its creator, Google employee Orkut Buyukkokten. It claims to be designed to help users meet new friends and maintain existing relationships.
Similar to Friendster and MySpace, orkut goes a step further by permitting "communities" of users. It is also invitation-only: users must be invited to join the community by someone already there.
So, an interesting concept.
But as we saw with not so long ago, people can (and will) game the system. In this case, the targets are (primarily) Brazilian users of Orkut - because for some reason, something like 70% of all users are from Brazil, and Portuguese is the language of choice right now. Of course, Orkut are not to blame here - nor are social networking sites in general.
The sad fact is, large concentrations of end-users in a confined space are like the world's biggest honeypot to a social engineer.
It figures, then, that this particular infection - a variant of an older password stealer, which we dubbed Orc.Malware - should contain a message in Portuguese.
Following up a hot tip from (FallenHawk, an extremely resourceful Security Researcher), I was able to get a look at something rather nasty. Something that has apparently been nailing Orkut users for at least a month or so, but (until now) has been ultra-elusive with regard to pinning it down. The early variants (one or two of which I've since obtained) didn't do very much, and there was no direct tie to Orkut, other than this was where the bad-guys were pushing it.
Now, however, the infection will pop up a message telling you your data is being mailed off someplace, before sending you to the Orkut site (as you'll see from the video later on. Bring some popcorn).
Let's have a look at how these things get on board in the first place.
We'll start off with the method of delivery: the infection message. The most common one we've seen so far is this:
"Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! [link removed] - Sei que vai gostar"
A (very rough!) translation: "As Orkut limits the amount of photos that can be published in my account, I created a slideshow with some photos of mine, please click to see!"
This message is deposited in an Orkut user's "Scrapbook" (similar to a guestbook), and as the Scrapbooks are public, anyone visiting can see the link and click it. As you probably guessed, that's a real bad idea in this case.
The end-user is presented with what looks like an image file - open it up, and covert ops of the nastiest kind are instigated against the PC. Two more files are installed.
They don't look like much, but they're busy trying to drain your pockets of cash and anything else they can get their hands on.
One of the files contains references to a pile of specific login pages for Brazilian banks, as well as a whole section devoted to Orkut and its Friends and Scrapbook pages. On the Orkut help site, they mention how automated Scrap sending:
"If you use other sites to log into orkut or send your friends scraps, you will likely be blocked from performing any actions on orkut.com for about 15 minutes and you'll see the message "We're sorry...but your query looks similar to automated requests.""
However, there are many examples of people abusing the system - Orkut has had lots of problems previously with people creating . And this particular infection does seem to have at least a (very) basic automated functionality. I first tested this on the Eighth of June, and was more interested in the data-theft aspect at that point.
I didn't see anything particularly unusual going on (beyond the keylogging, of course!) and yet when I logged in a few days later, I saw this:
During testing, I had two contacts in my "Friends" network. To my surprise, both of those users now had the infection message sitting in their scrapbooks.
As you can see, the time / date of both messages is identical: 09:54 AM, 08/06/2006.
Now that's pretty freaky.
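A defender's view of the observation above, added here and not part of the original post: a small heuristic that scans scrapbook entries for one sender dropping the same link into several friends' scrapbooks at the same moment, the pattern seen at 09:54 AM, 08/06/2006. The entries, account names and the example.invalid host are constructed, and the timestamp layout is assumed to be the day/month/year form quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

LINK = re.compile(r"https?://\S+")

def parse_scrap_time(stamp):
    """Orkut scrapbook stamps as quoted above: '09:54 AM, 08/06/2006' (day/month/year)."""
    return datetime.strptime(stamp, "%I:%M %p, %d/%m/%Y")

def flag_automated_scraps(scraps, min_recipients=2, window_seconds=60):
    """Return [(sender, link, recipients)] for every sender who posted the same link
    into at least min_recipients distinct scrapbooks within window_seconds."""
    groups = defaultdict(list)
    for s in scraps:
        for link in LINK.findall(s["text"]):
            groups[(s["sender"], link)].append((parse_scrap_time(s["time"]), s["recipient"]))
    flagged = []
    for (sender, link), posts in groups.items():
        posts.sort()                                   # oldest first
        for i, (start, _) in enumerate(posts):
            in_window = {r for t, r in posts[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_recipients:
                flagged.append((sender, link, sorted(in_window)))
                break                                  # one report per sender/link pair
    return flagged

# Constructed sample scrapbook entries (not real Orkut data); example.invalid is a placeholder.
SCRAPS = [
    {"sender": "ana", "recipient": "bruno", "time": "09:54 AM, 08/06/2006",
     "text": "I created a slideshow with some photos of mine, click to see! http://example.invalid/slide"},
    {"sender": "ana", "recipient": "carla", "time": "09:54 AM, 08/06/2006",
     "text": "I created a slideshow with some photos of mine, click to see! http://example.invalid/slide"},
    {"sender": "bruno", "recipient": "ana", "time": "11:20 AM, 08/06/2006",
     "text": "great party on Saturday, pics at http://example.invalid/bruno/party"},
    {"sender": "ana", "recipient": "dave", "time": "02:10 PM, 11/06/2006",
     "text": "http://example.invalid/slide"},
]
```

Bruno's single post and Ana's lone post three days later are not reported; only the two identical-timestamp scraps to different friends trip the rule.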
Worse still, this infection seems to be amazingly random.
During one round of testing, it even deposited me into an :
Yay, I'm file-sharing pirated content!
As for how the data is actually sent back to the hacker guy, you'll probably want to check this short movie clip out:
00:00 to 00:09 seconds: End-user is going about their daily business, logging into Orkut. Note that you could be performing any web-based activity here; it's just a little thing I like to call context.
Plus, I don't actually have any Brazilian bank accounts so you'll just have to make do with Orkut.
00:10 to 00:14 seconds: The end-user clicks into "My Computer". Oh dear - an "error message", warning that you have insufficient virtual memory and the application will now close (or words to that effect. I never was very good with ).
00:17 to 00:27: At this point, the end-user is probably wondering what on Earth is going on, as they see a message telling them their "form has been submitted", and that they will be redirected somewhere in 5 seconds. Can you guess where?
00:28 to 00:34: That's right, Orkut! I mean, he stole all your bank details and website logins, but at least he gives you a chance to get back into Orkut and change your password before he steals that too!
Make no mistake about it - this infection is a real nasty one.
And worse still, it looks like the tip of a very ugly iceberg. I'd insert a really rubbish comment at this point about "how I hope we're not too late to avoid a Spyware-Titanic", but you'd probably hate me for it. Even if it was a nice tie in to the whole iceberg thing.
So I'll just leave you with the advice that randomly clicking links to check out pictures, especially when those pictures are from some magical party you've never heard of, is probably not a very good idea.
Many thanks to Peter in our Bangalore office for his incredible sleuth work and the entire team for assisting in pulling this complex case to pieces. Special thanks to Wayne Porter for all night monitoring and revisions.
ADDENDUM: A startling event was discovered during extended testing on an infected machine, which was infected in a lab setting on the 13th of June. The link to the dangerous payload was propagated on the 16th...however the infection message is timestamped as having been sent on the 14th of June:
ADDENDUM Saturday, 17 2006: Happy Endings for Orkut
Google confirmed the worm. "We are aware of this issue and will have a temporary fix in place within the hour," a company representative said in an e-mailed statement.
"We are working on a more permanent solution for users to guard against these malicious efforts."
For their protection, Orkut users, just as users of all online services and applications, should always be careful when opening or clicking on anything suspicious, the Google representative said.
Sr. Dir. Greynets Research, FaceTime Communications
I have written JS/Yamanner@MM Worm that has been discovered 12 June 2006. I found that in Yahoo! mail and use it to execute scripts (collecting yahoo addresses from someone's mail, sending this email using Ajax technology to them and then redirecting them into a sample site).
Finally I should mention that I don't like to disturb anyone. Since I live in Iran and taking a job in good computer companies is very hard (because getting a Visa is very hard from the US) I just want to prove that I have some abilities in web programming.
And I like to work with a professional team like you if there is any way to do that.
Perhaps they should have named the worm JS/BadManners?
Bottom line is security companies don't hire digital criminals.
The actions don't say much for this misguided individual. As Silicon Valley Sleuth notes, he simply could have written a proof of concept instead of steamrolling innocents via e-mail. Security ethics are cemented around integrity.
Some of the finest malware fighters I know are truly great people, who care not only about our technological ecosphere but simply want to make it safer.
On that note, stay tuned to this bat channel: PaperGhost has been leading a mad hunt, guns blazing, with the team into the murky depths of, let's say, the "Lords of The Underworld". That's your hint.
The days get stranger...
I also promise you won't want to hire this guy either... not even to stock your grocery shelves or to mow your lawn.
I recently came across an installer file being - nothing new there, but it serves up an interesting take on how Adware companies need to make sure that it's not just their software springing up in hijacks - it's their websites, too.
In this case, the Zango.com website is popped open on the user's desktop (ignore the box mentioning Poker, that's from a different popup):
...this is what's known in the trade as "strangeness incarnate". Usually someone will try and install something, so they can make money. Simply popping open the Zango.com website doesn't seem to point to any financial gain, unless the person behind it gets a cut of the profits from the clips on that page. But that would also be stupid, as it wouldn't be too hard for the Zango people to then find out who stuck what movie files where on their website. Plus, I'm under the impression that Zango themselves are responsible for placing the videoclips on Zango.com anyway.
I ran the infection again, and who should pop up in the next barrage of adverts but Bestoffers Network (another name for Direct Revenue):
...whoops.
As for what's installed, it's the usual (rather popular) mish-mash of files from WebHancer, Dollar Revenue, SurfSidekick and Toolbar888, which is apparently a . I've spoken about in relation to Direct Revenue many times. At any rate, here's a screenshot:
Nice collection!
Of course, it goes without saying that the PC is hosed shortly after the install:
...ouch. Still, at least the hijacked end-user will have no shortage of Smileys to play with, pills to take and celebrity videos to watch while smoke starts to pour out the back of their monitor. All in all, I'd say that's a pretty good tradeoff...!
Question from a Reader: "Can people hide messages in pictures? Is this for real?"
Yes this is for real!
It is not limited to just pictures, although that is one of the common uses; messages can be embedded in any number of digital media types, even sound files.
This practice is called steganography, or stego for short.
Steganography is the science of writing hidden messages in such a way that no one, except the intended recipient knows of the message.
Usually a steganographic message will appear to be something else: a picture, an article, a shopping list, or some other message. This is referred to as the covertext or, in the case of a digital file, the carrier.
Steganography is different than cryptography.
With cryptography, encryption is the process of obscuring information to make it unreadable without special knowledge. In this case the message is not concealed, just scrambled or obscured.
The obvious advantage of steganography over cryptography is that messages do not attract any attention.
A coded message that is unhidden, no matter how strong the encryption, will arouse suspicion and may in itself be problematic. For example, in some countries encryption is illegal.
A common form of steganography is the use of jpeg files (a computer image) to hide the message.
Research is already underway to create systems that can detect secret files or messages hiding within digital images.
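As an added example (not code from the original post), here is the least-significant-bit substitution that the simplest picture-stego tools use on raw pixel data, beside the pairs-of-values chi-square statistic that detection research uses to spot it (JPEG tools apply the same idea to DCT coefficients rather than pixels). The carrier is a constructed array of grayscale pixel values rather than a real image file, and the message and random seed are made up.

```python
import random

def embed(pixels, message):
    """Hide a 16-bit length header plus the message in the lowest bit of each pixel."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]   # MSB first
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for message")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit   # each pixel changes by at most 1: invisible to the eye
    return out

def extract(pixels):
    """Reverse of embed: read the length header, then that many message bytes."""
    def read(start, count):
        raw = 0
        for i in range(count * 8):
            raw = (raw << 1) | (pixels[start + i] & 1)
        return raw.to_bytes(count, "big")
    return read(16, int.from_bytes(read(0, 2), "big"))

def pov_chi_square(pixels):
    """Pairs-of-values statistic (Westfeld & Pfitzmann): LSB embedding drives the counts
    of each value pair (2k, 2k+1) toward equality, so a far lower value than comparable
    clean images is a sign of a hidden payload."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            chi += (hist[2 * k] - expected) ** 2 / expected
    return chi

def demo():
    """Round-trip a message and return (recovered_ok, chi_clean, chi_stego)."""
    rng = random.Random(7)                            # fixed seed: reproducible constructed carrier
    message = (b"meet at the usual place. " * 21)[:510]
    size = 8 * (2 + len(message))                     # 4096 pixels, every one carries a bit
    # Constructed carrier with a biased LSB plane (80% even values), standing in for the
    # unequal pair counts of a real photograph, so the statistic has something to measure.
    carrier = [rng.randrange(256) & 0xFE if rng.random() < 0.8 else rng.randrange(256) | 1
               for _ in range(size)]
    stego = embed(carrier, message)
    return extract(stego) == message, pov_chi_square(carrier), pov_chi_square(stego)
```

Running demo() shows the message survives the round trip while the chi-square of the stego carrier collapses to a fraction of the clean carrier's value, which is exactly the signal a detector looks for.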
