Once upon a time a Trojan…
Luis Corrons 09/21/2007
The Trojan
First discovered January, 2007 via “Targeted Attack Alert Services”
Affects multiple financial institutions
Detected as Bakolimb, also known as Limbo or Nethell.
Consists of 3 main components:
– Helper.XML
– Helper.DLL
– Control Server and Control Panel

DLL
– BHO (Browser Helper Object)
– Keylogger
– Creates a UniqueID per infected machine. Uses this UID to communicate with the Control Server and to receive commands from it
– Client <-> server communication via PHP scripts
– Deletes cookies
– Info stored in text files. As soon as it connects, it sends the TXT file
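Because the DLL component installs itself as a Browser Helper Object, a useful triage step on a suspect Windows machine is to enumerate every registered BHO and check which DLL backs it. The following script is an added example written for this page, not code from the presentation; the registry paths are the standard BHO and CLSID locations, and the file name Helper.dll is only the component name given above, not an indicator of compromise on its own.

```powershell
# Added example: list registered Browser Helper Objects (HKLM, both registry views),
# resolve each CLSID to the DLL that Internet Explorer loads, and flag entries that
# are unsigned or whose file name matches the Helper.DLL component described above.
function Get-RegisteredBHO {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName
            # The CLSID's InprocServer32 default value holds the path of the in-process DLL
            $dll = $null
            foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $dll = (Get-ItemProperty $inproc).'(default)'
                    break
                }
            }
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $sig = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
            # Name match is an assumption taken from the slide's component list, not a confirmed IoC
            $nameMatch = $path -and ([IO.Path]::GetFileName($path) -ieq 'Helper.dll')
            [pscustomobject]@{
                CLSID      = $clsid
                Dll        = $path
                Signature  = $sig
                Suspicious = ($sig -ne 'Valid') -or $nameMatch
            }
        }
    }
}

Get-RegisteredBHO | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Unsigned or missing-file entries deserve a closer look, but legitimate unsigned add-ons exist, so treat the output as a triage list rather than a verdict.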
XML
Code to be injected in websites
Encrypted in latest versions

Control Panel
– User Admin
– Command Admin
– Search in logs
– Infect stats
– Etc.
– Command execution and monitoring.
– Commands are queued in case the client is not connected.

Data Stolen

Trojan’s Author
Google
– Sells everything (Trojan & Control Panel)
– Everything is well documented
– Advertised in different forums (all Russian)
– Price: 1000 – 350 wmz
– logging of virtual keyboards stealing of keys (bankofamerica but also of other banks which have key-based security system)
– scam (aka fake pages with substitution of the IE address bar and status bar)
– setting filters for sites which should not be grabbed
– code inject - to add your own text box into a particular site, e.g. for getting the holder's PIN
For an additional fee:
– Hidden transfer (transfer on command by the admin software) - adapted SPECIFICALLY for one particular bank
– Automatic download (e.g. when the user makes a transfer the Trojan substitutes your account completely or a drop and the appropriate sum) - useful if the transfer requires an SMS confirmation. Adapted specifically for a particular bank.
– Antivirus software removal - 40 wmz
– Reprogramming to a different host - 40 wmz
– Build - 1000 wmz
In addition, there is an option to buy a local parser for logs, separately. For all questions please contact me via ICQ.
There are plans for sales of the builder. Estimated price: 3500 wmz.

Servers
Google
– Several servers
– Groups of servers belonged to different hackers
– “Sushi” server
[Chart: Total Infected Computers and Infected Computers per Day, plotted by date]
Win32.exe = Trojan downloader
February 28th, 2007
Installed: Trj/Spammer.ZO, Adware/Bravesentry, Application/Bravesentry
Earning money via sending spam and promoting rogue antispyware
Every day there was a new downloader that installed different malware
We finally managed to take the server down
Who pays?
How much?
– USA $0.30
– Canada & UK $0.10
– Western Europe $0.03
– Other Countries $0.02
Let’s do some maths
Per day (43,323 installs):
– Other Countries: $0.02 * 43,323 = $966.46
– Western Europe: $0.03 * 43,323 = $1,299.69
– Canada & UK: $0.10 * 43,323 = $4,332.30
– USA: $0.30 * 43,323 = $12,996.90
Over 20 days:
– Other Countries: $0.02 * 43,323 * 20 = $19,329
– Western Europe: $0.03 * 43,323 * 20 = $25,993
– Canada & UK: $0.10 * 43,323 * 20 = $86,646
– USA: $0.30 * 43,323 * 20 = $259,938

Infected Team
Value added services
– Proxy sales: 5 - $2.5; 1,000 - $300
– DDoS: 1 hour - $20; 1 day - $100; major projects starting at $200; 10 minutes for free!
Spam
– Russia (enterprises): 5,000,000 – US$120 / million messages
– Russia (home users), Ukraine and CIS: 20,700,000 – US$100 / million messages
– USA: 121,000,000 – US$150 / million messages
– Western Europe: 45,902,256 – US$130 / million messages
Total: 192,000,000
Software
Personal cryptor ($15, updates $5)
ABLoader ($60, builder $500)
RooT iFrame ($25 Russian, $50 English)
SpamPHP Script ($2)
FTPCheckIframe ($25)

“Cool” stuff found on the servers
IDPack
– Plastic ID card
– Support Double Side ID Card Printer
– Simulate Double Side Card Printer
– Signature Pad
– Fingerprint Reader
– Magnetic Stripe Encoder
– Smartcard Contact Station
– Fast and easy to use
– Design an unlimited number of badges
– User-friendly interface
– Unlimited badge formats
– Flexible layouts: PVC, 1000 Avery, 36 Zebra/Citizen and 40 DYMO LabelWriter label formats.
– Takes pictures from a Webcam, a CamTracer or imports it from file
– Powerful print management
– Operates in local and network setups
– High production volume
– 14 security levels with color codes
– 28 types of barcodes built in
Phishing

Dream Downloader
How could they manage to infect thousands of computers?

MPack
Tracing Mpack for 2 months (April & May 2007):
41 different servers with Mpack running
366,717 web pages “iframed”
More than 1 million users infected (1,217,741)
– Tool to install malware
– Written in PHP
– Developed by “Dream Coders Team”
– Price $700 ($1,000 including Dream Downloader)
– Adding new exploit: $50 - $150
– Avoid AV detection: $20 – $30
Many different exploits:
WebViewFolderIcon overflow
WinZip ActiveX overflow
QuickTime overflow
ANI overflow
Etc.
Most used way to infect users: iframe
Detects browser: Opera, Konqueror, Lynx, Internet Explorer, Netscape, Mozilla Firefox
Detects OS: Linux, Windows, Mac

Organized Crime

Thanks!
Luis Corrons luis.corrons@pandasecurity.com
PandaLabs Blog: http://www.pandalabs.com