Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Thursday, September 24, 2009

Interesting C&C BotNets

Gone are the days when “Command & Control” Botnets were controlled using IRC channels or web servers. These days, attackers have moved to more sophisticated techniques, or rather, they take advantage of already available public infrastructure to control their army of Bots.

One such case is that of a Bot using Google Groups to send out its control commands. Discovered by a researcher at Symantec, this Trojan, upon infecting a machine, connects to a private Google Group called “escape2sun” and requests a page. This page contains encrypted commands for the Trojan that typically consist of an index number, a command line to execute and, optionally, a file to download. Now not only can the malware author control the Botnet, but he also gets all the additional features of Google Groups, such as version control and tracking of group activity! Smart stuff, eh?! Read more about it here.

Another similar publicly available service being exploited by Botnet authors is Twitter. Using obfuscated status messages on a Twitter account, the malware author is able to send commands to his Trojans. The Trojan works by reading the RSS feed of a particular Twitter account designated by the Botnet author. This appears to be a direct fallout of a PoC presented at Defcon 17 on a tool called “KreiosC2”. More about this here.

But this is not the only kind of social networking site being targeted by Botnet authors; other sites such as Jaiku and Tumblr are also being used. A big advantage of such techniques is that it is difficult for content filtering systems to detect and stop this communication, since it is legitimate traffic to well-known websites. But at the same time, the biggest disadvantage is that these are all public services, so whatever activity the Botnet is doing is easily visible to others too!
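One defender-side consequence of the above is that a Bot polling a public feed has to fetch the same URL again and again on a schedule, which stands out in proxy logs. The following is an added example, not code from the original post; the log line format, the feed URLs and the thresholds are constructed assumptions for illustration.

```python
"""Flag hosts that poll one public feed URL at a near-constant interval.
Constructed example: log format, URLs and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2009-09-24T10:00:02 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_bot.rss
2009-09-24T10:00:31 10.0.0.7 GET http://www.example.com/news/index.html
2009-09-24T10:05:03 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_bot.rss
2009-09-24T10:07:44 10.0.0.7 GET http://twitter.com/statuses/user_timeline/friend.rss
2009-09-24T10:10:02 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_bot.rss
2009-09-24T10:15:04 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_bot.rss
2009-09-24T10:20:01 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_bot.rss
2009-09-24T11:30:12 10.0.0.7 GET http://twitter.com/statuses/user_timeline/friend.rss
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+)$")
# Feed-looking URLs on public services (RSS/Atom feeds, Google Groups pages).
FEED_RE = re.compile(r"\.(rss|atom)$|/feed/?$|groups\.google\.com/group/", re.I)


def parse_log(text):
    """Yield (timestamp, client, url) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return {(client, url): interval_seconds} for every feed URL a client
    fetched at least min_hits times with relative gap spread <= max_jitter."""
    hits = defaultdict(list)
    for ts, client, url in parse_log(text):
        if FEED_RE.search(url):
            hits[(client, url)].append(ts)
    beacons = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A human reader's fetches are irregular; a Bot's are evenly spaced.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons
```

In the sample, 10.0.0.5 fetches the same feed every ~300 seconds and is flagged, while 10.0.0.7's two irregular fetches are not.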

Friday, September 4, 2009

Strange piece of Malware..

Recently I came across two strange pieces of malware – Win32/Induc.A and Win32/Skytap.A.

Well, you can’t exactly call the first one malware, because it does not do the usual malicious stuff like disabling AVs, downloading Trojans, stealing data, etc. But it’s very interesting in the way it spreads. Win32/Induc.A is the first malware of its kind that affects Delphi compilers. For those who don’t know, Delphi is an object-oriented, visual programming environment used to develop 32-bit and Microsoft .NET applications for deployment on the Internet, Windows and Linux. So essentially, any Delphi program compiled on a machine infected with this Trojan contains a copy of the Trojan itself embedded inside the program, and that is how it spreads!

Now what’s even more interesting is that this smart little Trojan managed to stay undetected by all the AV/AS vendors for more than a year! In the process, it infected a lot of Delphi programs, including other malware! :) Yes, there are variants of Win32/Bancos, a popular password-stealing Trojan, infected with Win32/Induc code! We’re lucky that Win32/Induc doesn’t do anything more than affect the Delphi compiler, otherwise this could have been a whole different story. Now AV vendors claim that this was the very reason for it not getting detected for so long, but nevertheless, at least the malware authors got a taste of their own medicine :P!

The second malware, Win32/Skytap, is again a unique Trojan whose source code was published by a Swiss software developer on his website last month. It affects users of the Skype software, an application popularly used for making voice over IP (VoIP) calls. As you might have already guessed, this Trojan can tap into Skype function calls and extract and dump audio data to files. Not only that, it also converts the audio conversations to the mp3 format and encrypts them.

Win32/Skytap.A contains two components: SkyDLLInjector.exe and DLLToInject.dll. These components hook various Windows API calls used for audio input and output. It is then able to intercept all audio data travelling between the Skype process and the underlying audio device, making Skype's network-level encryption useless! The extracted audio data is then saved to .mp3 files and can be sent out to a remote website using a backdoor component. I am sure we will soon see variants of this Trojan that adapt to other VoIP/messaging software as well.

Now that’s some interesting stuff I have come across after a long time :)!