Archive for the ‘Microsoft DCU’ Category

Microsoft assists law enforcement to help disrupt Dorkbot botnets

December 3rd, 2015

Law enforcement agencies from around the globe, aided by Microsoft security researchers, have today announced the disruption of one of the most widely distributed malware families – Win32/Dorkbot. This malware family has infected more than one million PCs in over 190 countries.

Dorkbot spreads through USB flash drives, instant messaging programs, and social networks. It steals user credentials and personal information, disables security protection, and distributes several other prevalent malware families.

The Microsoft Malware Protection Center (MMPC) and the Microsoft Digital Crimes Unit (DCU) led the analysis of the Dorkbot malware in partnership with ESET and Computer Emergency Response Team Polska (CERT Polska, NASK).

We activated a Coordinated Malware Eradication (CME) campaign, performed deep research, and provided telemetry to partners and law enforcement such as CERT Polska, ESET, the Canadian Radio-television and Telecommunications Commission (CRTC), the Department of Homeland Security’s United States Computer Emergency Readiness Team (DHS/USCERT), Europol, the Federal Bureau of Investigation (FBI), Interpol, and the Royal Canadian Mounted Police (RCMP), to help take action against Dorkbot infrastructure.

The MMPC has closely monitored Dorkbot since its discovery in April 2011 and released our research in the following blogs:

Our real-time security software, such as Windows Defender for Windows 10, and standalone tools such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT) can detect and remove Dorkbot. It’s important to keep your security software up-to-date to ensure you have the latest protection.

Dorkbot telemetry

During the past six months, Microsoft detected Dorkbot on an average of 100,000 infected machines each month. The top 10 countries shown in Figure 2 represent 61 percent of the total infections.

Figure 1: Dorkbot infection trend for the past six months

Figure 2: Dorkbot detections by country for the past six months

Figure 3: Dorkbot machine detections heat map for the past three months

Dorkbot is an Internet Relay Chat (IRC) based botnet. It is commercialized by its creator as a “crime kit” called NgrBot, which hackers can buy through underground online forums. The kit includes the bot-builder kits as well as documentation on how to create a Dorkbot botnet. Figures 4 and 5 show one of the builder interfaces for Dorkbot, illustrating all available functionalities that the operator can set through the kit, including the IRC server settings and the command settings.

Figure 4: Dorkbot builder IRC server settings

Figure 5: Dorkbot builder command settings

Distribution

Dorkbot malware has been distributed in various ways, including:

  • Removable drives (USB “thumb-drives”)
  • Instant messaging clients
  • Social networks
  • Drive-by downloads / Exploit kits
  • Spam emails

Figure 6: Dorkbot distribution methods

During a drive-by-download infection, a cybercriminal places specialized software known as an exploit kit on a website. An exploit kit is software designed to infect the computers of users who connect to the website, by exploiting software vulnerabilities. These websites are known as exploit websites. Sometimes exploit websites are created by the botnet operator specifically for the purpose of spreading the infection, but in other cases they may be legitimate websites that have been hacked by the botnet operator.

When a computer connects to an exploit website, the exploit kit tries to exploit unpatched software to install the Dorkbot worm.

Once a machine is infected with the bot, Dorkbot will distribute itself through removable drives, instant messaging clients and social networks.

Behaviors

Dorkbot’s primary goal is to steal online account user names and passwords, as well as other personally identifying information.

Dorkbot loader

Because Dorkbot is sold online, several operators utilize it. In the most active campaign, Dorkbot was distributed within a loader module. This loader has its own code for updating itself and distributing other malware. It is also responsible for guiding Dorkbot’s connection to another command-and-control (C&C) server. The operator appears to be abusing the older IRC-based Dorkbot variant by disabling the self-check routine, changing IRC commands, and using the loader to force it to connect to the operator’s own C&C server.

Figure 7: The original Dorkbot has a self-check routine that was cracked by a recent operator

Dorkbot loader – update and download other malware

The loader module contains encoded download URLs in its binary. Currently the binaries hosted at these URLs are Dorkbot’s downloader component, its self-update, and other malware families.

Figure 8: Decoded download URLs in the loader module

The Dorkbot worm can receive commands to download and install additional malware on the infected computer, so users whose computers are infected with Dorkbot become infected with other types of malware as well. Some of the malware families that we have seen downloaded by Dorkbot worms are listed below:

The Microsoft Malicious Software Removal Tool (MSRT) has detection for Dorkbot and most of these malware families.

Dorkbot loader – guide IRC module to real C&C

Since mid-2011, the IRC module version has remained the same and only had some byte patches performed by its operators. Patching the original C&C domain inside the IRC module has length limitations, so the operators put code inside the loader module to redirect the IRC module’s connection to a preferred C&C domain.

The loader creates a trap process (for example, mspaint.exe) and installs code hooks on DNS-related APIs (DnsQuery_A, DnsFree). The hook code checks whether the query is for the old C&C server domain and, if so, returns the DNS result for the preferred domain instead.

Figure 9: Overview of the trap process guiding the connection to the real C&C

Figure 10: C&C server overriding

Figure 11: List of C&C domains

After connecting to the C&C server, the IRC module starts receiving commands.

Dorkbot – IRC module (aka NgrBot)

After a Dorkbot worm infects a computer, it connects to one of its pre-programmed C&C servers. Some variants communicate over IRC using encryption technology such as Secure Sockets Layer (SSL). In its first communication, the worm sends the C&C server its geolocation, the version of Windows running on the computer, and a unique computer identifier. At this point, it is ready to begin executing commands sent to it by the botnet operator. The commands available are shown in Figure 5.

Typically, after connecting to the C&C server, the infected computer will be instructed to download other malware or spread to other computers.
 
Figure 12: Dorkbot C&C communication via IRC

Operators keep patching string fragments such as IRC-related commands (USER, PASS, NICK, PRIVMSG, etc.) or the machine’s unique nickname format.

Figure 13: Comparison of the old (top) and new (bottom) version of Dorkbot

Stealing online user credentials

Dorkbot monitors Internet browser communications and intercepts communications with various websites. It does this by hooking network-related APIs such as the following:

  • HttpSendRequestA/W
  • InternetWriteFile
  • PR_Write

It then steals the user name and password used to log onto the website. Some of the websites that we have seen being targeted include:

  • AOL
  • eBay
  • Facebook
  • Gmail
  • Godaddy
  • OfficeBanking
  • Mediafire
  • Netflix
  • PayPal
  • Steam
  • Twitter
  • Yahoo
  • YouTube

Anti-security techniques

Blocking websites

Once connected to the C&C server, Dorkbot may be instructed to block access to certain security websites. It does this through the hooked DnsQuery API in the IRC module. The main purpose is to prevent an infected machine from updating its antimalware definitions, thus preventing proper remediation of Dorkbot infections. The antimalware and security companies targeted by Dorkbot are listed in our Win32/Dorkbot description.

Anti-sandbox techniques

Whenever the loader runs on a system, it records the time of its first execution in %TEMP%c731200 as UTC converted to seconds. Before downloading the newest Dorkbot variant and other malware, the loader checks whether the current time is at least 48 hours later than the recorded installation time. This lets the loader hide the download URLs from antimalware backend analysis systems, which do not observe a sample for that long.

Remediation

To help prevent a Dorkbot infection, as well as other malware and unwanted software:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run antimalware software regularly.

Our real-time security software, such as Windows Defender for Windows 10, with up-to-date AV definitions will ensure you have the latest protection against Dorkbot threats.

Alternatively, standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can also detect and remove Dorkbot.

Microsoft is also continuing the collaborative effort to help clean Dorkbot-infected computers by providing a one-time package with samples (through the Microsoft Virus Initiative) to help organizations in protecting their customers.

If your security organization is interested in joining or initiating a malware eradication campaign, or you are just interested in participating in the CME program, see the CME program page. You can also reach out to us directly through our contact page for more information.

Katrin Totcheva, Rodel Finones, HeungSoo Kang and Tanmay Ganacharya
MMPC

Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months

April 13th, 2015

'Simda.AT' designed to divert Internet traffic to disseminate other types of malware.

Today Interpol and the Dutch National High Tech Crime Unit (DNHTCU) announced the disruption of Simda.AT, a significant malware threat affecting more than 770,000 computers in over 190 countries. The Simda.AT variant first appeared in 2012. It is widely distributed malware that causes significant damage to users through the manipulation of internet traffic and the spread of other malware.

Interpol coordinated the operation and the DNHTCU, with the support of the Federal Bureau of Investigation (FBI), successfully took down Simda.AT's active command and control infrastructure across four countries including the Netherlands, Luxembourg, Russia and the United States.

The Microsoft Malware Protection Center (MMPC) and the Microsoft Digital Crimes Unit (DCU) led the analysis of the malware threat in partnership with CDI Japan, Kaspersky Lab, and Trend Micro.

MMPC activated the Coordinated Malware Eradication (CME) platform to provide in-depth research, telemetry, samples, and cleaning solutions to law enforcement and our partners. This information helped law enforcement take action against Simda.AT and its infrastructure, while providing easy remediation and recovery options for victim machines around the world.

Since 2009, the Simda malware family has been a dynamic and elusive threat. Simda's function has ranged from a simple password stealer to a complex banking trojan. To read more about the Simda family, see Win32/Simda.

Encounters

Simda.AT makes up the vast majority of our current detections for this malware family. We've measured approximately 128,000 new cases each month over the last six months with infections occurring around the world. The 'Top 10' countries accounted for 54 percent of the detections our customers have experienced from February through March:

Figure 1: Simda.AT machine detections from October 2014 to March 2015

Figure 2: Percentage of Simda.AT machine detections by country from February to March 2015

Figure 3: Simda.AT machine detections heat map from February to March 2015

Distribution

Over time, the Simda family was distributed in various ways, including:

With Simda.AT, the most common infection vector we identified was compromised websites using embedded or injected JavaScript. Compromised sites were used to redirect users' traffic to another website, named the "gate". Figure 4 shows an example of injected JavaScript, which is detected as Trojan:JS/Redirector.

This gate website is part of the exploit tool chain, which redirects the browser to the exploit landing page. The "gate" in this Simda.AT example is detected as Exploit:JS/Fiexp (aka the Fiesta exploit kit). Fiesta can serve several types of exploits. For example, we have observed Fiesta delivering Simda.AT through malicious SWF files (Shockwave Flash), detected as Exploit:SWF/Fiexp, malicious Java applet files, detected as Exploit:Java/Fiexp, and malicious Silverlight files, detected as Exploit:MSIL/CVE-2013-0074. More specific details related to the exploits can be found in the following CVEs:

Figure 4: Compromised website with injected malicious JavaScript

The “gate” contains a script that redirects the browser to the Fiesta landing page. From the landing page, Fiesta attempts to deliver one of three exploits to compromise the machine. Figure 5 shows the general Simda.AT payload delivery process:

Figure 5: Fiesta exploit kit in action

Behaviors

Simda.AT provides two primary functionalities:

  • Internet traffic re-routing
  • Distribution and installation of additional software packages or modules

Anti-emulation/Anti-sandbox techniques

For years, Simda has used anti-sandbox techniques to evade detection. In most cases, the malware will not run properly, or might sleep indefinitely, when it suspects that it is being installed into a software security research environment like the one we have at MMPC.

During installation, the binary checks against a list of black-listed programs and running processes. The checks performed might seem standard and predictable, but Simda.AT collects information from machines it deems suspicious in order to update the list. It then uses an automatic and sustainable process for releasing a new binary every couple of hours, with updates that cannot be detected by the majority of AV scanners. See the Simda.AT encyclopedia page for details about the dozens of files, processes, and registry keys checked by Simda.AT at the time of installation.

HOSTS file manipulation

During installation, Simda.AT also modifies the file %SYSTEM32%\drivers\etc\hosts, updating its content and changing the file attributes to read-only and hidden. The specific changes are hard-coded into each binary and cause the victim machine's internet traffic for the targeted hosts to be routed according to the new entries.

After applying the updates, the installer creates a new, empty file %SYSTEM32%\drivers\etc\hosts.txt to further obfuscate the changes made to the system. The most recent samples target network communication with the following hosts:

  • connect.facebook.net
  • google-analytics.com
  • www.google-analytics.com

Older samples were also seen targeting Bing.com hosts for redirection (e.g. u.bing.com, bing.com, ca.bing.com, gb.bing.com, www.bing.com), and a portion of recent Simda.AT samples connect to Bing.com using the following URL pattern: http://www.bing.com/chrome/report.html?<encoded string>

The malware authors might have intended to use the HOSTS file modifications to relay additional information about victim machines to servers of their choosing. However, our research shows that Simda.AT samples stopped updating the HOSTS file with the Bing.com hosts in early February. As a result, we have been able to monitor traffic to this normally unused location for the last several days, observing an average of approximately 5,000 unique IPs reaching out to us each day.
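As an added defender-side example (not code from the MMPC post), the following Python checks a HOSTS file for the redirections described above: it flags the hosts the post names (connect.facebook.net, google-analytics.com and the Bing hosts) when they are mapped to a non-local address, and looks for the two side effects the post describes, a stray hosts.txt beside the file and read-only/hidden attributes. The hosts content embedded below is constructed sample data, not a capture from an infected machine.

```python
"""Check a Windows HOSTS file for Simda.AT-style redirections (added example)."""
import ipaddress
import stat
from pathlib import Path

# Hosts the post reports Simda.AT redirecting in recent samples ...
WATCHED_HOSTS = {"connect.facebook.net", "google-analytics.com",
                 "www.google-analytics.com"}
# ... plus the Bing hosts older samples pointed elsewhere (bing.com, *.bing.com).
WATCHED_SUFFIXES = (".bing.com",)


def _is_local(addr: str) -> bool:
    """Loopback/unspecified targets are ordinary sinkholing, not redirection."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _watched(name: str) -> bool:
    n = name.lower()
    return n in WATCHED_HOSTS or n == "bing.com" or n.endswith(WATCHED_SUFFIXES)


def suspicious_hosts_entries(text: str) -> list:
    """Return (hostname, address, line_no) for watched hosts mapped to a remote IP."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()      # drop comments
        if not body:
            continue
        addr, *names = body.split()
        if _is_local(addr):
            continue
        for name in names:
            if _watched(name):
                hits.append((name.lower(), addr, no))
    return hits


def hosts_side_effects(hosts_path) -> dict:
    """Report the stray hosts.txt and read-only/hidden attributes the post mentions."""
    p = Path(hosts_path)
    result = {"stray_hosts_txt": p.with_name("hosts.txt").exists(),
              "read_only": False, "hidden": False}
    if p.exists():
        st = p.stat()
        result["read_only"] = not (st.st_mode & stat.S_IWUSR)
        attrs = getattr(st, "st_file_attributes", 0)          # Windows only
        result["hidden"] = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    return result


# Constructed sample: a clean-looking hosts file with three injected lines
# pointing watched hosts at documentation-range (non-routable) addresses.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test          # user-added block entry, benign
198.51.100.23   connect.facebook.net
198.51.100.23   www.google-analytics.com google-analytics.com
203.0.113.9     www.bing.com
"""

if __name__ == "__main__":
    for host, addr, no in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {addr}")
    print(hosts_side_effects(r"C:\Windows\System32\drivers\etc\hosts"))
```

Run it against the real file by reading `%SYSTEM32%\drivers\etc\hosts` into `suspicious_hosts_entries`; on non-Windows hosts the attribute check simply reports False.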

Software distribution and modules

Based on our research, we believe the primary monetization method for Simda.AT is a Pay-Per-Install (PPI) program, in which the authors are compensated for distributing and installing additional software packages or modules. Over time, we have observed the following types of software being distributed by Simda.AT:

Persistence

The initial infection modifies the system registry to execute during every system start-up.  There are no communications outside of the initial program execution. 

C&C communication

DGA/Command and Control Infrastructure

The Simda.AT command and control infrastructure is organized differently from that of similar malware families. Each binary contains up to six hard-coded IPs that dictate the communication infrastructure for each bot. The Domain Generation Algorithm (DGA), normally used to define the infrastructure, is instead used to generate a seed for the encryption used between the host and the command and control servers.

Using the RDTSC instruction, the DGA creates a random 15-19 character string that is embedded into a domain in one of the following formats:

  • report.<random>.com
  • update[1,2].<random>.com 

These domains are then injected as the 'Host' in the associated POST requests issued to the command and control servers.

To decrypt the 'report' HTTP request, append the query string to the hostname and use the result as the key. Then URL-unquote the query value and, for each byte, subtract the corresponding key byte (cycling through the key), as in the following Python snippet:

    for i in range(len(cipher)):  # hostname holds the key built above
        decrypted_string += chr(ord(cipher[i]) - ord(hostname[i % len(hostname)]))

The third request type, 'update', requires an additional step: base64-decode the query string first.
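As an added example (not code from the MMPC post), the following Python applies the decoding recipe above to a constructed request and also checks the Host header against the report.<random>.com / update[1,2].<random>.com naming scheme described earlier. Assumptions, labelled in the code: "query string" is read as the query parameter name (the value is the ciphertext), the subtraction is taken modulo 256, and 'report' versus 'update' is taken from the Host prefix; the request sample is constructed, not captured traffic.

```python
"""Triage and decode Simda.AT-style 'report'/'update' POST requests (added example)."""
import base64
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Host scheme from the post: report.<random>.com or update[1,2].<random>.com,
# where <random> is the 15-19 character string produced by the RDTSC-seeded DGA.
SIMDA_HOST_RE = re.compile(r"^(report|update[12])\.[a-z0-9]{15,19}\.com$", re.I)


def is_simda_style_host(host: str) -> bool:
    """True if a Host header value matches the DGA-derived naming scheme."""
    return SIMDA_HOST_RE.match(host.strip()) is not None


def simda_decrypt(cipher: bytes, key: str) -> bytes:
    """Subtract the repeating key byte-by-byte (wrapping modulo 256 is an assumption)."""
    kb = key.encode("latin-1")
    return bytes((c - kb[i % len(kb)]) % 256 for i, c in enumerate(cipher))


def simda_encrypt(plain: bytes, key: str) -> bytes:
    """Inverse of simda_decrypt; used only to build the constructed sample below."""
    kb = key.encode("latin-1")
    return bytes((p + kb[i % len(kb)]) % 256 for i, p in enumerate(plain))


def decode_request(host: str, query: str, kind: str) -> bytes:
    """Recover the check-in plaintext from the Host header and query string."""
    name, _, value = query.partition("=")
    key = host + name                 # "append the query string to the hostname"
    raw = unquote_to_bytes(value)     # "unquote the query value"
    if kind == "update":
        raw = base64.b64decode(raw)   # extra step for 'update' requests
    return simda_decrypt(raw, key)


def parse_post(request: str) -> dict:
    """Split a raw HTTP request into the fields the decoder needs."""
    lines = request.replace("\r\n", "\n").split("\n")
    method, target, _ = lines[0].split(" ", 2)
    _, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        if not line:                  # blank line ends the header block
            break
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    host = headers.get("host", "")
    # Assumption: the function is signalled by the Host prefix (report./update1./update2.).
    kind = "update" if host.lower().startswith("update") else "report"
    return {"method": method, "kind": kind, "query": query, "host": host,
            "ua": headers.get("user-agent", "")}


def build_sample(kind: str, host: str, name: str, plain: bytes) -> str:
    """Constructed request in the described format (not real traffic)."""
    body = simda_encrypt(plain, host + name)
    if kind == "update":
        body = base64.b64encode(body)
    return (f"POST /{kind}?{name}={quote_from_bytes(body, safe='')} HTTP/1.1\r\n"
            f"Host: {host}\r\nUser-Agent: constructed/0.0\r\n\r\n")


def triage(request: str) -> dict:
    """Flag requests whose Host matches the scheme and decode their payload."""
    f = parse_post(request)
    suspicious = f["method"] == "POST" and is_simda_style_host(f["host"])
    plain = decode_request(f["host"], f["query"], f["kind"]) if suspicious else b""
    return {"suspicious": suspicious, "kind": f["kind"], "plaintext": plain}


if __name__ == "__main__":
    req = build_sample("report", "report.qwertyuiopasdfg.com", "s", b"id=CONSTRUCTED;os=6.1")
    print(req)
    print(triage(req))
```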

Check-In and update

As alluded to earlier, Simda.AT has two primary functions while communicating with the command and control server:

  • 'report'
  • 'update'

These two functions are differentiated in the POST request sent to the servers, and they are normally issued to different servers through the hard-coded configuration in the binary.

The 'report' function acts as a simple check-in and provides the following type of information, from the victim machine, to the command and control server prior to terminating the connection ahead of the server response:

  • Adapter information
  • Assorted other system and registry information to distinctly identify the computer
  • Creation time of the folder "C:\System Volume Information"
  • Computer name
  • Hard disk information
  • MAC address
  • Volume serial number

This information is used to provide a unique ID for the bot.

In some situations, the bots can also append information about installed applications and running processes, which we suspect is used to update the anti-emulation checks in new samples.

The 'update' command is used when downloading modules or additional software packages. Again, a small amount of machine and binary information is packaged from the victim machine and sent to a different server, the 'module' server. When the module server receives the request and responds with an 'Active' message, the bot drops an embedded component (TrojanDropper:Win32/Simdown.A) that handles the download and installation of all modules using hard-coded paths.

Both functions are called at the initial infection and at every system restart.

It's interesting to note that Simda.AT has been using the same user agent strings in its command and control communication since 2012, which can provide a valuable signature for IPS/IDS engines:

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"

"Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"

While the disruption action can disable the ability of existing infections to download or update new software components, it will not disable modules that might have been installed by Simda.AT. 

If you have been infected by Simda.AT, run a comprehensive scan of your environment using Microsoft Safety Scanner, Microsoft Security Essentials, Windows Defender, or your preferred anti-malware solution.

As a part of our cleaning solution, we will detect and remove any malware distributed by this family, and return your HOSTS file to the default, blank, state.

As always, we urge Windows users to be vigilant against malware:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run antivirus software regularly.

As a reminder to organizations invested in security, if your organization is interested in joining or initiating an eradication campaign, or you are just interested in participating in the CME program, please see the CME program page. You can also reach out to us directly through our contact page for more information.

Tommy Blizard, Rex Plantado, Rodel Finones, and Tanmay Ganacharya

MMPC

Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months

April 13th, 2015 No comments

'Simda.AT' designed to divert Internet traffic to disseminate other types of malware.

Today Interpol and the Dutch National High Tech Crime Unit (DNHTCU) announced the disruption of Simda.AT, a significant malware threat affecting more than 770,000 computers in over 190 countries. The Simda.AT variant first appeared in 2012. It is a widely distributed malware that causes significant damage to users through the manipulation of internet traffic and spread of other malware. 

Interpol coordinated the operation, and the DNHTCU, with the support of the Federal Bureau of Investigation (FBI), successfully took down Simda.AT's active command and control infrastructure in four countries: the Netherlands, Luxembourg, Russia and the United States.

The Microsoft Malware Protection Center (MMPC) and Microsoft's Digital Crimes Unit (DCU) led the analysis of the malware threat in partnership with CDI Japan, Kaspersky Lab, and Trend Micro.

MMPC activated the Coordinated Malware Eradication (CME) platform to provide in-depth research, telemetry, samples, and cleaning solutions to law enforcement and our partners.  This information helped law enforcement take action against Simda.AT and its infrastructure, while providing easy remediation and recovery options for victim machines around the world.  

Since 2009, the Simda malware family has been a dynamic and elusive threat.  Simda's function has ranged from a simple password stealer to a complex banking trojan.  To read more about the Simda family, see Win32/Simda.

Encounters

Simda.AT makes up the vast majority of our current detections for this malware family. We've measured approximately 128,000 new cases each month over the last six months with infections occurring around the world. The 'Top 10' countries accounted for 54 percent of the detections our customers have experienced from February through March:

Figure 1: Simda.AT machine detections from October 2014 to March 2015

Figure 2: Percentage of Simda.AT machine detections by country from February to March 2015

Figure 3: Simda.AT machine detections heat map from February to March 2015

Distribution

Over time, the Simda family was distributed in various ways, including:

With Simda.AT, the most common infection vector we identified was compromised websites using embedded or injected JavaScript. Compromised sites were used to redirect users' traffic to another website, named the "gate". Figure 4 shows an example of injected JavaScript, which is detected as Trojan:JS/Redirector.

This gate website is part of the exploit tool chain, which redirects the browser to the exploit landing page. The "gate" in this Simda.AT example is detected as Exploit:JS/Fiexp (aka the Fiesta exploit kit). Fiesta can serve several types of exploits. For example, we have observed Fiesta delivering Simda.AT through malicious SWF (Shockwave Flash) files, detected as Exploit:SWF/Fiexp; malicious Java applet files, detected as Exploit:Java/Fiexp; and malicious Silverlight files, detected as Exploit:MSIL/CVE-2013-0074. More specific details related to the exploits can be found in the following CVEs:

Figure 4: Compromised website with injected malicious JavaScript

The “gate” contains script that redirects the browser to the Fiesta landing page. From the landing page, Fiesta attempts to deliver one of three exploits to compromise the machine.  Figure 5 shows the general Simda.AT payload delivery process:

Figure 5: Fiesta exploit kit in action

Behaviors

Simda.AT provides two primary functionalities:

  • Internet traffic re-routing
  • Distribution and installation of additional software packages or modules

Anti-emulation/Anti-sandbox techniques

For years, Simda used anti-sandbox techniques to evade detection. In most cases, the malware will not run properly, or might sleep indefinitely when the malware suspects that it's being installed into a software security research environment like the one we have at MMPC.  

During installation, the binary checks against a list of black-listed programs and running processes.  The checks performed might seem standard and predictable, but Simda.AT collects information from machines it deems suspicious to update the list. Then it uses an automatic and sustainable process for releasing a new binary every couple of hours with updates that cannot be detected by the majority of the AV scanners.  See the Simda.AT encyclopedia page for details about the dozens of files, processes, and registry keys checked by Simda.AT at the time of installation.

HOSTS file manipulation

During installation, Simda.AT also modifies the file %SYSTEM32%\drivers\etc\hosts, updating its content and changing the file attributes to read-only and hidden. The specific changes are hard-coded into each binary and cause the victim machine's internet traffic for the targeted hosts to be routed according to the new entries.

After applying the updates, the installer creates a new, empty file %SYSTEM32%\drivers\etc\hosts.txt to further obscure the changes made to the system. The most recent samples target network communication to the following hosts:

  • connect.facebook.net
  • google-analytics.com
  • www.google-analytics.com

Older samples were also seen targeting Bing.com hosts for redirection (e.g. u.bing.com, bing.com, ca.bing.com, gb.bing.com, www.bing.com), and a portion of recent Simda.AT samples were seen connecting to Bing.com using the following URL pattern: http://www.bing.com/chrome/report.html?<encoded string>

The malware authors might have intended to use the HOSTS file modifications to relay additional information about victim machines to the servers of their choosing.  However, from our research, Simda.AT samples stopped updating the HOSTS file with the Bing.com hosts in early February.  As a result, we've been able to monitor traffic to this, normally unused, location for the last several days, and we have observed an average of approximately 5,000 unique IPs reach out to us each day.
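A check a defender can run against the HOSTS manipulation described above, added here as an example and not code from the post: it parses a hosts file for the hostnames listed above pinned to a non-loopback address, and names the read-only and hidden attributes the text says the installer sets. The sample hosts content and the addresses in it are constructed.

```python
import stat

# Hostnames the post lists in the hard-coded HOSTS changes of recent samples.
SIMDA_HOSTS_TARGETS = {"connect.facebook.net", "google-analytics.com", "www.google-analytics.com"}

def is_targeted(hostname: str) -> bool:
    # Older samples also rewrote bing.com hosts, so any bing.com name counts as well.
    h = hostname.lower()
    return h in SIMDA_HOSTS_TARGETS or h == "bing.com" or h.endswith(".bing.com")

def audit_hosts(content: str) -> list:
    # Return (address, hostname) pairs that pin a targeted hostname to a non-loopback
    # address. Comments and blank lines are skipped; one line may carry several names.
    hits = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "::1", "0.0.0.0"):  # self-pinning is the usual blocklist idiom
            continue
        hits.extend((addr, n) for n in names if is_targeted(n))
    return hits

def attribute_flags(st_file_attributes: int) -> list:
    # Names the attributes the post says Simda.AT sets on hosts (read-only and hidden).
    # Feed it os.stat(path).st_file_attributes on Windows; a stock hosts file has neither.
    flags = []
    if st_file_attributes & stat.FILE_ATTRIBUTE_READONLY:
        flags.append("READONLY")
    if st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN:
        flags.append("HIDDEN")
    return flags

# Constructed hosts content for the demonstration, not a capture from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
0.0.0.0         ads.example.net               # benign blocklist entry, ignored
198.51.100.23   connect.facebook.net
198.51.100.23   google-analytics.com www.google-analytics.com
203.0.113.9     www.bing.com
"""
```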

Software distribution and modules

Based on our research, we believe the primary monetization method for Simda.AT is a Pay-Per-Install (PPI) program, in which the authors are compensated for distributing and installing additional software packages or modules. Over time, we have observed the following types of software distributed by Simda.AT:

Persistence

The initial infection modifies the system registry to execute during every system start-up.  There are no communications outside of the initial program execution. 

C&C communication

DGA/Command and Control Infrastructure

The Simda.AT command and control infrastructure is organized differently than similar malware families.  Each binary contains up to six hard-coded IPs that dictate the communication infrastructure for each bot.  The Domain-Generation-Algorithm (DGA) that's normally used to define the infrastructure is instead used to generate a seed for the encryption that is used by the host and the command and control servers.

Using the RDTSC instruction, the DGA creates a random string 15 to 19 characters long that is embedded in a domain in one of the following formats:

  • report.<random>.com
  • update[1,2].<random>.com 

These domains are then injected as the 'Host' in the associated POST requests issued to the command and control servers.

To decrypt the 'report' HTTP request, append the query string to the hostname and use the result as the key. Then unquote the query value and, enumerating each byte at index i, recover the decrypted byte with the following Python snippet:

decrypted_string += chr(ord(cipher[i]) - ord(hostname[i % len(hostname)]))

The third, or 'update', request requires the additional step of base64-decoding the query string first.

Check-In and update

As alluded to earlier, Simda.AT has two primary functions while communicating with the command and control server:

  • 'report'
  • 'update'

These two functions are differentiated in the POST request sent to the servers, and they are normally issued to different servers through the hard-coded configuration in the binary.

The 'report' function acts as a simple check-in and sends the following information from the victim machine to the command and control server, then terminates the connection without waiting for the server response:

  • Adapter information
  • Assorted other system and registry information to distinctly identify the computer
  • Creation time of the folder "C:\System Volume Information"
  • Computer name
  • Hard disk information
  • MAC address
  • Volume serial number

This information is used to provide a unique ID for the bot.

In some situations, the bots can also append information about installed applications and running processes, which we suspect is used to update the anti-emulation checks in new samples.

The 'update' command is used when downloading modules or additional software packages. Again, a small amount of machine and binary information is packaged on the victim machine and sent to a different server, the 'module' server. When the module server receives the request and responds with an 'Active' message, the bot drops an embedded component (TrojanDropper:Win32/Simdown.A) that handles the download and installation of all modules using hard-coded paths.

Both functions are called at the initial infection and at every system restart.

It's interesting to note that Simda.AT has been using the same user agent strings in its command and control communication since 2012, which can provide a valuable signature for IPS/IDS engines:

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"

"Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
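To show how the 'report' and 'update' decoding described above and the constant user agent strings just listed fit together in a detection workflow, here is an added example (not code from the post): it parses a raw POST, flags the user agent and a DGA-shaped Host header, peels the base64 layer off 'update' requests and runs the per-byte subtraction keyed by the Host header. The request, DGA label, payload and the placement of the ciphertext in the query string are constructed assumptions; the Host header alone is used as the key, as in the snippet above.

```python
import base64
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

# User agent strings the post reports as unchanged since 2012; a match is a cheap IDS signal.
SIMDA_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre",
    "Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729",
}
# Host shapes from the post (report.<random>.com, update[1,2].<random>.com, 15-19 char label);
# restricting the label to lowercase alphanumerics is an assumption.
DGA_HOST = re.compile(r"^(report|update[12])\.([a-z0-9]{15,19})\.com$")

def decrypt_report(cipher: bytes, key: bytes) -> bytes:
    # The post's loop chr(ord(cipher[i]) - ord(hostname[i % len(hostname)])); the mod-256 wrap is an assumption.
    return bytes((c - key[i % len(key)]) % 256 for i, c in enumerate(cipher))

def encrypt_report(plain: bytes, key: bytes) -> bytes:
    # Inverse of decrypt_report; used here only to build the constructed sample.
    return bytes((p + key[i % len(key)]) % 256 for i, p in enumerate(plain))

def parse_post(raw: bytes):
    # Minimal HTTP/1.1 request parser: returns (lower-cased headers, raw query bytes).
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, head[0].split(b" ")[1].partition(b"?")[2]

def analyze(raw: bytes) -> dict:
    # Flags the UA and a DGA-shaped Host, then decrypts the query value keyed by the Host
    # header. Carrying the ciphertext percent-encoded in the query string is an assumption.
    headers, query = parse_post(raw)
    host = headers.get("host", "")
    m = DGA_HOST.match(host)
    cipher = unquote_to_bytes(query)
    if m and m.group(1).startswith("update"):
        cipher = base64.b64decode(cipher)  # 'update' adds a base64 layer over the cipher
    return {"ua_match": headers.get("user-agent") in SIMDA_USER_AGENTS,
            "dga_host": bool(m), "kind": m.group(1) if m else None,
            "plaintext": decrypt_report(cipher, host.encode()) if m else None}

def build_sample(kind: str, label: str, plaintext: bytes) -> bytes:
    # Constructed test request (not a captured Simda.AT sample).
    host = f"{kind}.{label}.com"
    data = encrypt_report(plaintext, host.encode())
    if kind.startswith("update"):
        data = base64.b64encode(data)
    return (f"POST /?{quote_from_bytes(data)} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: {sorted(SIMDA_USER_AGENTS)[0]}\r\n\r\n").encode()
```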

While the disruption action can disable the ability of existing infections to download or update new software components, it will not disable modules that might have been installed by Simda.AT. 

If you have been infected by Simda.AT, run a comprehensive scan of your environment using Microsoft Safety Scanner, Microsoft Security Essentials, Windows Defender, or your preferred anti-malware solution.

As part of our cleaning solution, we will detect and remove any malware distributed by this family and return your HOSTS file to its default, blank state.

As always, we urge Windows users to be vigilant against malware:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the developer's own.
  • Run antivirus software regularly.

As a reminder to organizations invested in security, if your organization is interested in joining or initiating an eradication campaign, or you are just interested in participating in the CME program, please see the CME program page. You can also reach out to us directly through our contact page for more information. 

Tommy Blizard, Rex Plantado, Rodel Finones, and Tanmay Ganacharya

MMPC