IDC Herzliya Efi Arazi School of Computer Science MSc in Computer Science Kuluoz: Malware and botnet analysis M.Sc. dissertation for applied project Submitted by: Shaked Bar ID: 300895224 Supervisor: Mr. Amichai Shulman August 15, 2013 Kuluoz – malware and botnet analysis Shaked Bar, IDC, Hertzelia, Israel Table of Contents 1. Abstract ..............................................................................................4 2. Introduction ........................................................................................4 3. Related Work ......................................................................................5 4. Infection Process and Summary of Capabilities ........................................6 4.1. Infection and Distribution ................................................................6 4.2. Revision History ..............................................................................7 4.3. Software Engineering ......................................................................8 5. Module Overview ................................................................................9 5.1. Botnet Expansion Module .............................................................. 10 5.1.1. General description .................................................................. 10 5.1.2. Flow ........................................................................................ 10 5.1.3. Configuration ........................................................................... 11 5.1.4. Manipulating the C&C ............................................................... 13 5.2. Vulnerability Scanning Module ....................................................... 14 5.3. Information Stealing Module .......................................................... 15 5.4. Commercial Spam Module ............................................................. 15 6. Malware injected through the Botnet................................................... 16 6.1. Win32/FakeAV .............................................................................. 16 6.2. Win32/ZBot .................................................................................. 17 6.3. Win32/ZeroAccess ........................................................................ 18 7. C&C Communications ......................................................................... 19 7.1. Victim ID ...................................................................................... 19 7.2. C&C protocols overview ................................................................. 19 7.3. “Next action” Request ................................................................... 20 7.4. Update C&C Server List .................................................................. 22 7.5. Additional Requests....................................................................... 23 7.6. Multiple C&C Networks.................................................................. 23 2 7.7. Encryption algorithms .................................................................... 24 7.7.1. Module encryption ................................................................... 24 7.7.2. C&C protocol encryption ........................................................... 24 7.7.3. Module communications encryption ........................................... 24 8. C&C Network Structure ...................................................................... 25 8.1. Overview...................................................................................... 25 8.2. Number of C&C Servers by Date ..................................................... 25 8.3. C&C Servers Life Span .................................................................... 26 8.3.1. Life span by version .................................................................. 26 8.3.2. Life Span by Geography ............................................................. 26 8.4. Servers by Geography .................................................................... 27 9. Malware Changes Over Time ............................................................... 29 9.1. DLL Revision Changes .................................................................... 29 9.2. C&C Request Protocol .................................................................... 29 9.3. C&C Response Protocol.................................................................. 29 10. Analysis Protection ............................................................................. 30 10.1. Blacklisting ................................................................................... 30 10.1.1. Identifier based blacklisting ....................................................... 30 10.1.2. IP based blacklisting .................................................................. 30 10.1.3. Empty responses on error .......................................................... 31 10.1.4. Using IP addresses rather than domain addresses ........................ 31 11. Mother-Ship Investigation ................................................................... 32 11.1. Triangulation ................................................................................ 32 11.2. Injection and Request Smuggling Attempts ...................................... 34 11.2.1. SQL Injection attempts .............................................................. 34 11.2.2. Cross Side Scripting (XSS) attempts ............................................. 34 11.2.3. Request Smuggling Attempts ..................................................... 35 12. Conclusions ....................................................................................... 36 13. Table of figures .................................................................................. 38 13.1. Figures ......................................................................................... 38 13.2. Tables .......................................................................................... 38 14. References ........................................................................................ 39 תקציר 14 3 1. Abstract Kuluoz is a commercial malware that infected a large number of machines around the world, and produced a significant amount of spam. The botnet induced by the malware, also known as the Asprox botnet, has drawn the interest of security researchers worldwide, and was covered by a report by Trend Micro1. The Asprox botnet is an old botnet, which achieved great success a few years ago2, mainly at 2008, and have gone off the radar since 2010. This work extends the report, using research results from work on a large amount of data, from the last 10 months. Our work presents a view on the malware and its capabilities, and adding new information on its structure, C&C network, and changes to the malware over time, and different protection mechanisms. We will try to spot the main keys for its success and long run – the ability to make changes quickly and easily, features that help it to stay off the radar, and its C&C architecture, which hides the core servers by a series of hacked proxy servers that are easily replaced. The report will also try to shed light on the C&C's "Mothership" – in terms of location, roles, and security. 2. Introduction This report describes a family of malware, spread by spear-Phishing, which is identified by most antivirus vendors as Kuluoz. The malware, despite being rather simple in terms of infection process, reached impressive spread and created a large botnet with many capabilities – generating a large amount of spam, spreading various third party viruses, and stealing information from users. We analyzed the malware for the last 10 months, focusing on functional analysis – trying to understand the Trojans capabilities, methods of infection and distribution, and C&C protocols. We dynamically analyzed the malware, both in open (Internet) and closed (local virtual network simulation) environments. We used network captures, system monitoring tools and a variety of scripts, developed specifically for the analysis of the data. After understanding the C&C protocols, we also created simulations for the different modules, in order to test the C&C responses and understand how it works, and to try to learn about its core – the C&C's "Mothership". 1 Asprox report on Trend Micro 2 An Analysis of the Asprox Botnet, Ravishankar Borgaonkar 4 3. Related Work Initial reports on the malware Kuluoz have been published at June 2012. Most of the preliminary reports were basic anti-virus vendors' reports, such as [21], which had basic information about the malware's capabilities, and ways to remove it. However Asprox, the botnet induced by the malware, has drawn attention, mainly at 2008, and was covered by reports such as [2], that explained its previous structure and actions. The main and only extensive report on Kuluoz and the updated Asprox botnet so far was published by Trend Micro [1] on March 2013, during the later stages of our research. The report covered the malware's infection methods, its main modules and affiliates, the network communications and the C&C network. Our work extends the view on the malware in a number of aspects: Explaining in detail the malware's modular structure, that helped it to succeed for a long period of time. Adding more data on some of the malwares modules and affiliate malware, especially on the botnet expansion module, including interesting discoveries on their network communications and C&C network. Focusing on the malware's improvements