One of the Most Complex Cybercrime Attacks Ever

Filed under: — By Aviran Mordo @ 5:35 pm

PandaLabs has reported a sophisticated ‘chain’ attack, perpetrated through the SpamNet.A Trojan, discovered on a web page hosted on a server in the USA, with a domain registered from an address in Moscow. The attack is highly complex, using a tree structure to infect with up to 19 species of malware. Its principal goal is to send out junk mail, and, by using this complex structure, has so far compiled more than 3 million email addresses worldwide. Panda Software has contacted the companies that host the files and web pages that are the main part of this organized attack.

The infection chain begins when a user visits the web page mentioned above. This web page uses the Iframe tag to try to open two new pages. This initiates two parallel processes, each one associated with one of the two pages:

1. When the first of the two pages opens, it in turn opens six other pages, which redirect the user to several pages with pornographic content. It also directs the user to a seventh page, which starts the principal attack process. This page exploits two possible vulnerabilities to carry out its actions: Ani/anr and Htmredir. In any event, if the attack is successful, it installs and executes one of two identical files, Web.exe or Win32.exe, on the computer.

When run, these files create seven files on the computer, one of which is a copy of itself. The other six are as follows:

a. The first two are byte-for-byte identical copies of Downloader.DQY, and both create a file called svchost.exe in the operating system, which is really Downloader.DQW. This registers itself as a system service that tries to download and run files every ten minutes from four different web addresses, two of which were not available at time of writing; the other two are:

i. The Multidropper.ARW Trojan

ii. The Sapilayr.A trojan

b. The third of the six files is Adware/SpySheriff

c. The fourth is the Downloader.DYB Trojan, which tries to find the computer ID. If the computer is in the UK, it downloads and runs Dialer.CHG. If it is not in the UK, it downloads another file identified as Dialer.CBZ. These types of files redirect users' dial-up connections to premium-rate numbers.

d. The fifth, Downloader.CRY, creates two files. The first of these, svchost.exe, is created in c:\windows\system. The second has been identified as Lowzones.FO.

e. The sixth, Downloader.EBY, creates, in turn, another six files:

i. The first is the Downloader.DLH Trojan which uses another application to compile email addresses and sends them to a remote address via FTP. At time of writing, it had compiled 3 million addresses.

ii. The second, the Agent.EY Trojan, installs itself on the system and runs on every startup, visiting a web page which could be used to compile the IPs of the computers affected, thus providing statistical information about the infections.

iii. The third, Clicker.HA, waits ten minutes after executing and then opens a pornographic web page every 40 seconds.

iv. The fourth is Dialer.CBZ

v. The fifth is Adware/Adsmart

vi. The sixth, the Downloader.DSV Trojan, downloads the backdoor Trojan Galapoper.C from a certain address. Galapoper.C carries out the main purpose of the attack: sending spam. It checks whether there is an open Internet connection and, if there is, visits three web pages specified in its code and, depending on the infected computer, downloads a file. This enables personalized attacks, and the file can even contain other instructions or updates for the backdoor Trojan. Galapoper.C also opens a principal thread and two secondary ones: in the first it periodically checks the availability of content on the three pages mentioned above. It uses the secondary ones to send spam (from the infected computer) and to collect from the server the information for the spam messages (email addresses, subject, message texts), every 10 minutes or every time it sends 70,000 spam mails.

2. The second of the pages redirects the user to another, which tries to use the ByteVerify vulnerability to execute a file located on a URL. It also invokes a new page using an HTML tag, which was not available at time of writing.

It also opens another page, whose code is masked by a JavaScript function, which uses the ADODB.Stream object to overwrite Windows Media Player using a file located on another page.
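The chain above leaves two behaviours a defender can look for in host telemetry: a file named svchost.exe created outside its canonical directory (the report places one in c:\windows\system), and a downloader that polls its servers every ten minutes. As an added example that is not part of the PandaLabs report, the following Python runs both checks over constructed sample events; the paths, hostnames and timestamps are invented, and the list of legitimate svchost.exe directories is an assumption for the example.

```python
from collections import defaultdict
from datetime import datetime

# Directories where svchost.exe legitimately lives on a Windows host
# (assumed for this example, not values taken from the report).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample telemetry: (timestamp, image path, remote host).
EVENTS = [
    ("2005-07-01 10:00:00", r"C:\Windows\System32\svchost.exe", "update.vendor.example"),
    ("2005-07-01 10:00:05", r"C:\Windows\system\svchost.exe", "dl1.invalid"),
    ("2005-07-01 10:03:00", r"C:\Program Files\Browser\browser.exe", "news.example"),
    ("2005-07-01 10:10:04", r"C:\Windows\system\svchost.exe", "dl1.invalid"),
    ("2005-07-01 10:20:06", r"C:\Windows\system\svchost.exe", "dl1.invalid"),
    ("2005-07-01 10:30:02", r"C:\Windows\system\svchost.exe", "dl1.invalid"),
    ("2005-07-01 10:47:00", r"C:\Program Files\Browser\browser.exe", "news.example"),
]


def masquerading_svchost(events):
    """Return image paths named svchost.exe that sit outside the canonical directories."""
    flagged = set()
    for _, path, _ in events:
        directory, _, name = path.lower().rpartition("\\")
        if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
            flagged.add(path)
    return sorted(flagged)


def periodic_beacons(events, period_s=600, tolerance_s=30, min_hits=3):
    """Return (image, host) pairs whose connection gaps cluster around period_s.

    The report describes a downloader polling four addresses every ten minutes;
    a run of near-identical gaps from one process to one host is the signal.
    """
    by_pair = defaultdict(list)
    for ts, path, host in events:
        by_pair[(path, host)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    hits = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - period_s) <= tolerance_s]
        if len(regular) + 1 >= min_hits:  # min_hits connections at the cadence
            hits.append(pair)
    return hits


if __name__ == "__main__":
    print("svchost.exe outside canonical dirs:", masquerading_svchost(EVENTS))
    print("ten-minute beacons:", periodic_beacons(EVENTS))
```

The tolerance absorbs the few seconds of jitter a polling loop accumulates; tighten it on hosts where a 600-second timer is otherwise rare.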

The complexity of this attack is virtually unprecedented. As Luis Corrons, director of PandaLabs, explains, “This attack is far more elaborate than usual. Users of TruPrevent(TM) Technologies have been protected from the outset, but this is one of the most complex organized attacks that we have ever witnessed at PandaLabs. The fact that more than 3 million addresses have been compiled to send spam to is an indication of the success the creator of this attack is enjoying. The primary motivation of these attacks is financial gain over and above notoriety, and spam is one of the chief sources of income for malware creators.” Corrons points out, “In addition to having an antivirus solution, users need to ensure their systems are updated, as the success of SpamNet.A depends largely on vulnerability exploits”.

To prevent infection from SpamNet.A or any other malicious code, Panda Software advises users to keep their security software up to date. Panda Software clients already have the updates at their disposal to detect and disinfect this new malicious code. To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.activescan.com
