Catch Me If You Can Antics of a Polymorphic Botnet - Report
This report was researched and written by: Anand Bodke, Abhishek Karnik, Sanchit Karve, Raj Samani

Contents
Introduction 3
Meet the Worm 4
Evolution: as the W32/Worm-AAEH turns 5
Domain generation algorithm 6
Chained download mechanism 7
Polymorphic engine creates unique worms 8
Automated sample harvester 11
Prevalence 12
Preventing infection 13
Takedown 14
Summary 14
Introduction

The analogy that fits cybercrime is a game of cat and mouse, played between those fighting cybercrime and those seeking illegal profits. We see multiple examples in which technical innovation on both sides has resulted in one party getting ahead on one occasion and playing catch-up on another. This struggle has played out in multiple guises, as criminals have developed convoluted communications infrastructures to facilitate control capabilities for malware, payments, and laundering services for their ill-gotten gains. McAfee Labs discusses many examples in reports, white papers, and blogs that present the cybercrime ecosystem, emerging trends, and our engagement with key partners to disrupt or take down such operations.

Earlier malware milestones seem rather rudimentary today, but the inescapable fact is that cybercrime is very big business. Last year, Intel Security commissioned a report by the Center for Strategic and International Studies to estimate the global cost of cybercrime. The report estimated that the annual cost to the global economy was more than US$400 billion. Although it is easy to debate whether that estimate was too high or too low, the inescapable fact is that cybercrime is a growth industry; cyberattacks can bring in significant revenue. With such high returns, it is no wonder that we are witnessing remarkable innovation from both sides, from peer-to-peer communications methods incorporating tens of thousands of domains for infected-host communication, to advanced evasion techniques (AETs) being introduced into trusted network egress control points.

This report illustrates one example of innovation: Cybercriminals created an AutoRun worm that avoids detection by continually changing its form with every infection. Its evolution was so prolific that new variants appeared as often as six times a day. In early April 2015, a global law enforcement action took down the control servers for this botnet. Up-to-the-minute details of the takedown can be found here.

—Raj Samani, McAfee Labs CTO for Europe, the Middle East, and Africa

Catch Me If You Can: Antics of a Polymorphic Botnet | 3
Meet the Worm

Writing code for criminal gain is done with a specific purpose in mind, usually focusing on stealing information such as banking credentials, data, or intellectual property. Unlike the ends we’ve seen in other malware families, the ultimate goal of the cybercriminal behind this particular worm is to maintain persistence on the victim’s machine.

Known as W32/Worm-AAEH (as well as W32/Autorun.worm.aaeh, VObfus, VBObfus, Beebone, Changeup, and other names), the aim of this family is to support the download of other malware—including banking password stealers, rootkits, fake antivirus, and ransomware. The malware includes wormlike functionality to spread quickly to new machines by propagating across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files.

The worm was written in Visual Basic 6. Exploiting the complex and largely undocumented internals of Visual Basic 6 binaries, and employing polymorphism and obfuscation, W32/Worm-AAEH has maintained its relevance since it was discovered in June 2009.

Polymorphic malware, which can change its form with every infection, is a very difficult threat to combat. W32/Worm-AAEH is a polymorphic downloader worm with more than five million unique samples known to McAfee Labs. This worm has had a devastating impact on customer systems (more than 100,000 infected since March 2014).

A worm is a type of malware that replicates itself in order to spread to other computers. It typically uses a network to propagate itself, relying on security vulnerabilities in a target system to gain access. A worm often installs a backdoor in the infected system, making it into a “zombie” under the control of the worm’s author. A network of zombie systems is known as a botnet.

W32/Worm-AAEH is notable because it changes its system-specific fingerprints many times each day to evade detection.
Once aboard, it morphs every few hours and rapidly spreads across the network, downloading a multitude of malware including password stealers, ransomware, rootkits, spambots, and additional downloaders. Our tracking of this worm since March 2014 shows that the control server replaces samples with new variants one to six times per day and that the server-side polymorphic engine serves client-specific samples and guarantees a unique sample with each download request.

Proactive, automated monitoring has helped McAfee Labs stay ahead of these adversaries in detection and removal, thereby preventing an onslaught of malware in customer environments. In this report we describe an automation system created in March 2014 by McAfee Labs to mimic the worm’s communication behavior and tap into its control servers to harvest malware. This system has allowed our researchers zero-day access to the malware and has helped McAfee Labs monitor the botnet’s activity prior to infecting customers. The automation has significantly reduced the number of customer system infections and escalations.
Evolution: as the W32/Worm-AAEH turns

The first known W32/Worm-AAEH sample (6ca70205cdd67682d6e86c8394ea459e) was found on June 22, 2009 (compiled on June 20). It is detected as Generic Packed.c. Even in this first version released in the wild, the worm’s authors tried to hamper analysis by storing every string as individual characters and concatenating them at runtime. Aside from this step, however, nothing else in the sample resisted analysis. The sample had modest capabilities:
■ Executing at system startup and hiding in the User Profile directory.
■ Copying itself to all removable drives and using a hidden autorun.inf file to launch automatically, with the string “Open folder to view files” as the action text in the local language (16 European languages supported).
■ Disabling Windows Task Manager’s ability to terminate applications, so the user cannot kill the worm manually.
■ Contacting a hardcoded domain (ns1.theimageparlour.net) to download and execute additional malware.

Over time, the authors introduced new features. Currently, the worm can:
■ Detect virtual machines and antivirus software.
■ Terminate Internet connections to IP addresses at security companies.
■ Use a domain generation algorithm (DGA) to find its control servers.
■ Inject malware into existing processes.
■ Use encryption.
■ Prevent tools from terminating it.
■ Spread itself via removable CD/DVD drives.
■ Exploit a LNK file vulnerability (CVE-2010-2568).
■ Insert itself in ZIP or RAR archives to aid its persistence and propagation.

The feature set comprises two components: Beebone and VBObfus (also known as VObfus). The first component acts as a downloader for VBObfus, while the latter contains all the Trojan and worm functionality.
Several obfuscation and antianalysis tricks make detection difficult, encryption techniques are updated often, and open-source software projects are occasionally included to further complicate analysis. It is no surprise that these tricks have kept this worm relevant since it was discovered in 2009.
Domain generation algorithm

W32/Worm-AAEH uses a simple yet effective DGA that allows the malware distributors to change server IPs and domain names on demand (for example, when blocked by security products) while still communicating with current infections.
■ The algorithm can be represented as {secret_string}{N}.{TLD}, in which secret_string is a hardcoded obfuscated string stored in the malware sample.
■ N is a number from 0 to 20.
■ TLD is any of the following strings: com, org, net, biz, info.

Each secret string therefore yields 21 × 5 = 105 candidate domains. While N and TLD remain virtually constant, the secret string occasionally changes. At any time, the malware distributor sets the appropriate DNS records for the current secret string as well as the previous one to ensure that older samples can connect to the new servers for updates. Because the candidate set is small and the secret string can be recovered from a sample, defenders can enumerate every candidate and block or sinkhole it; the firewall rule under Preventing infection does exactly that.

For example, on September 14, 2014, the control server IP address was 188.127.249.119. This IP address was registered under several domain names using the current secret string ns1.dnsfor and the previous string ns1.backdates. Some of the domain names from the DGA result in successful resolutions, as shown in the following image:

[Figure: DNS resolutions of the generated domains. The same control server IP address is registered against multiple secret strings.]

A domain generation algorithm is used by malware to periodically generate a large number of domain names that can be used by malware to exchange information. The large volume of generated domains makes it difficult for law enforcement to shut down botnets.
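The DGA above is small enough to enumerate completely. The following Python is an added example, not code from the report or from the worm: it expands a secret string into the full candidate list and then classifies DNS query names against the current and previous secret strings (ns1.dnsfor and ns1.backdates, the two values the report gives for September 14, 2014). The iteration order of the candidates and the sample query names are assumptions constructed for the example.

```python
import re

# Constants stated in the report: N runs from 0 to 20 and the TLD set is fixed,
# so each secret string expands to 21 * 5 = 105 candidate domains.
N_RANGE = range(0, 21)
TLDS = ("com", "org", "net", "biz", "info")

# Secret strings the report observed on September 14, 2014 (current and previous).
KNOWN_SECRETS = ("ns1.dnsfor", "ns1.backdates")


def generate_domains(secret, n_range=N_RANGE, tlds=TLDS):
    """Expand one secret string into every {secret}{N}.{TLD} candidate.

    The iteration order (all TLDs for N=0, then N=1, ...) is an assumption of this
    example; the report does not say in which order the worm tries candidates.
    """
    return [f"{secret}{n}.{tld}" for n in n_range for tld in tlds]


def dga_pattern(secrets, n_range=N_RANGE, tlds=TLDS):
    """Compile one anchored regex matching any candidate for any known secret string."""
    alt_secret = "|".join(re.escape(s) for s in secrets)
    alt_n = "|".join(str(n) for n in n_range)
    alt_tld = "|".join(re.escape(t) for t in tlds)
    return re.compile(rf"^(?:{alt_secret})(?:{alt_n})\.(?:{alt_tld})$", re.IGNORECASE)


def classify_queries(queries, secrets=KNOWN_SECRETS):
    """Return (hostname, secret) for every DNS query name the DGA could have produced.

    Trailing dots and case are normalised so that 'NS1.DNSFOR17.biz.' still matches.
    """
    pattern = dga_pattern(secrets)
    hits = []
    for query in queries:
        name = query.rstrip(".").lower()
        if pattern.match(name):
            secret = next(s for s in secrets if name.startswith(s.lower()))
            hits.append((name, secret))
    return hits


# Constructed DNS query names for this example; not real telemetry.
SAMPLE_QUERIES = [
    "ns1.dnsfor0.com",        # current secret, N=0
    "NS1.DNSFOR17.biz.",      # same secret, odd casing and trailing dot
    "ns1.backdates20.info",   # previous secret: still served so old samples can update
    "ns1.dnsfor21.com",       # N out of range: not a DGA candidate
    "ns1.dnsfor3.co.uk",      # TLD outside the set
    "www.example.com",        # unrelated
]

if __name__ == "__main__":
    print(len(generate_domains("ns1.dnsfor")), "candidates for ns1.dnsfor")
    for name, secret in classify_queries(SAMPLE_QUERIES):
        print(f"DGA hit: {name} (secret string {secret})")
```

Feeding the output of generate_domains for both secret strings into a resolver or a DNS block list covers the whole 210-name surface a current sample can reach; the classifier is the inverse check for passive DNS logs, and flags the previous secret string separately so that hosts still running older samples can be told apart from fresh infections.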
Chained download mechanism

One of the reasons antivirus software struggles with this threat is that the worm can replace itself with new variants before signatures are created to combat them. This tactic is implemented using a chained download mechanism, in which both W32/Worm-AAEH components (Beebone and VBObfus) download new variants of each other. This step ensures the worm’s persistence even if security software can detect one of the components, because the undetected component will eventually download an undetected version of its counterpart.

The chained download is initiated through another component, detected by McAfee Labs as Generic VB.kk. This sample arrives through exploit kits and social engineering attacks and exists solely to download Beebone. An unrelated component detected as Downloader-BJM is an IRC bot that communicates with the same control server but doesn’t interact with W32/Worm-AAEH. This process is illustrated in the following diagram:

[Diagram: the W32/Worm-AAEH worm infection process. The control server is available to the malware via the domain generation algorithm; a second victim machine running Downloader-BJM (IRC bot) talks to the same control server.]
1. Victim visits malicious page.
2. Exploit kit installs Generic VB.kk on victim machine #1.
3. Generic VB.kk contacts the control server.
4. Control server returns Beebone.
5. Beebone contacts the control server.
6. Control server returns a list of malware including VBObfus and other third-party malware such as Cutwail, Necurs, Upatre, and Zbot.
7. VBObfus contacts the control server (again) with the victim’s information.
8. Control server returns Beebone.

In the preceding illustration, Beebone (in Step 4) downloads a variant of VBObfus (6), which replaces the old Beebone with a new Beebone variant (8). A walkthrough of the download chain follows:

[Figure: the response received by Generic VB.kk in Step 3.]
This response includes the command (download), the URL, and the filename to use when saving the downloaded Beebone. The URL returns an RC4-encrypted binary large object (blob) that decrypts to Beebone.

[Figure: the encrypted blob and the decrypted binary.]

Unpacking this blob reveals a new variant of Beebone. Beebone contacts the control server again (7) and gets an encrypted blob decrypting to a set of URLs (8):

[Figure: the decrypted URLs, which provide further malware to the current location.]

Each URL returns encrypted blobs that decrypt to Beebone and additional malware, and the cycle repeats indefinitely.

Polymorphic engine creates unique worms

Before the worm switched to off-the-shelf cryptors in July 2014, W32/Worm-AAEH used a unique server-side polymorphic engine that generated victim-specific worm binaries. The engine used information in the download request (the serial number of the C drive and the username) as a seed to generate random strings. These strings were substituted at specific locations in the file. One of them served as the decryption key for the embedded strings or embedded binary, so for every sample the engine also had to re-encrypt the entire plaintext under the newly generated key:
[Figure: a byte-by-byte comparison between two binaries generated by the polymorphic engine. The executable header is identical. Differences in red between these two samples indicate the mutability of the malware.]
[Figure: differences in red reveal that the project names are modified each time a new binary is generated.]

[Figure: changes in encrypted data and strings.]

The polymorphic engine also stored information about the sample’s origin within itself, prefixed with a marker. A single letter mapped to one of the download ports in the 7001–7008, 8000–8003, and 9002–9004 ranges and indicated that the sample was downloaded by Beebone. A two-digit number indicated that the sample was downloaded by the VBObfus component from the 20000–40000 port range.
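To make concrete why every download request yields a file with a different hash while the payload stays the same, here is a simulation of the server-side engine described above. It is an added example written for this page, not the worm’s engine or McAfee Labs code. Assumptions: the seed is derived from the drive serial and username with SHA-256; the sample layout (a fixed header, then an 8-character project name, then a 16-character key, then the encrypted strings) is invented for illustration; and RC4, which the report names only for the download blobs, is used here for the embedded strings as well. The embedded strings and victim identifiers are constructed.

```python
import hashlib
import random
import struct

# Constructed stand-in for the executable header, which the report's byte-by-byte
# comparison shows is identical across generated samples. Not a real PE header.
HEADER = b"MZ-VB6-HEADER-CONSTANT-PART\x00"
PROJECT_LEN = 8   # length of the per-sample VB project name (assumed)
KEY_LEN = 16      # length of the per-sample decryption key string (assumed)
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Plaintext the worm needs at run time; constructed placeholders for this example.
EMBEDDED_STRINGS = ["ns1.dnsfor", "Open folder to view files", "autorun.inf"]


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream XOR). The report names RC4 for the
    download blobs; using it for the embedded strings is an assumption here."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_sample(drive_serial, username, strings=EMBEDDED_STRINGS):
    """Server side: seed a PRNG from the request data, draw a fresh project name
    and key, and re-encrypt the whole plaintext under that key."""
    seed = hashlib.sha256(f"{drive_serial}|{username}".encode()).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    project = "".join(rng.choice(ALPHABET) for _ in range(PROJECT_LEN)).encode()
    key = "".join(rng.choice(ALPHABET) for _ in range(KEY_LEN)).encode()
    plaintext = b"\x00".join(s.encode() for s in strings)
    blob = rc4(key, plaintext)
    return HEADER + project + key + struct.pack("<I", len(blob)) + blob


def parse_sample(sample):
    """Analyst side: read the key from its fixed offset and recover the strings.
    Returns (project_name, key, strings)."""
    off = len(HEADER)
    project = sample[off:off + PROJECT_LEN]
    off += PROJECT_LEN
    key = sample[off:off + KEY_LEN]
    off += KEY_LEN
    (n,) = struct.unpack("<I", sample[off:off + 4])
    off += 4
    plaintext = rc4(key, sample[off:off + n])
    return project.decode(), key.decode(), [s.decode() for s in plaintext.split(b"\x00")]


def diff_offsets(a, b):
    """Offsets at which two equal-length samples differ: the 'red' bytes in the report."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    alice = build_sample("A1B2-C3D4", "alice")   # constructed victim identifiers
    bob = build_sample("9F8E-7D6C", "bob")
    print("md5 alice:", hashlib.md5(alice).hexdigest())
    print("md5 bob:  ", hashlib.md5(bob).hexdigest())
    print("first differing offset:", diff_offsets(alice, bob)[0], "(header length", len(HEADER), ")")
    print("recovered strings:", parse_sample(alice)[2])
```

Two victims receive files with different hashes, different project names and different keys, yet the header is byte-identical and both decrypt to the same strings. That is the practical lesson: file-hash blocklists and byte signatures over the mutable region never converge, while the decrypted strings and the network behaviour (DGA domains, download ports) are stable and are where detection should anchor.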
Automated sample harvester

In March 2014, McAfee Labs developed an automation system to communicate with W32/Worm-AAEH control servers and download new worms as soon as they are served by the malware distributor. Our automation engine is designed to mimic the worm’s communication with its control server at every stage of the sequence outlined in the previous section. So far, the system has collected more than 20,000 unique samples from more than 35 control servers—all of which are located in Europe (see map, page 12)—and it has helped McAfee Labs threat researchers write detections for samples before they can infect our customers.

Our system also detected that the worm replaced its cryptor on July 21, 2014. On September 15, 2014, the worm introduced the 29A-Loader, which is sold in the underground market for $300.

Using a new McAfee Labs clustering algorithm, we learned that the harvester collected more than 350 variants between March and August 2014, with about 55 samples for each variant. That’s an average of 58 new variants per month.

Clusters Found by the McAfee Labs Sample Harvester

Visual Basic Code Hash              Number of Samples
e9e18926d027d7edf7d659993c4a40ab    934
2381fb3e2e40af0cc22b11ac7d3e3074    540
d473569124daab37f395cb786141d32a    500
7738a5bbc26a081360be58fa63d08d0a    379
d25a5071b7217d5b99aa10dcbade749d    362
7856a1378367926d204f936f1cfa3111    353
13eae0e4d399be260cfc5b631a25855d    335
987e0ad6a6422bec1e847d629b474af8    335
0988b64de750539f45184b98315a7ace    332
63463a5529a2d0d564633e389c932a37    320
[Map: all of the worm’s control servers detected by McAfee Labs between March 14, 2014, and September 14, 2014, were based in Europe.]

Prevalence

The McAfee Labs malware zoo contains more than five million unique W32/Worm-AAEH samples. We have detected more than 205,000 samples from 23,000 systems in 2013–2014. These systems are spread across more than 195 countries, demonstrating the threat’s global reach. The United States reported by far the greatest number of infections.

[Chart: Total Systems Infected by W32/Worm-AAEH in 2013–2014, by country (vertical axis 0 to 9,000 systems). Countries shown: USA, Taiwan, Brazil, China, France, Russia, Mexico, Italy, Netherlands, Sweden. Systems in the United States are the main target for this worm. Source: McAfee Labs, 2015.]
The preceding numbers are a conservative estimate of the infection’s spread, based on detections reported from McAfee Labs nodes, which constitute a small subset of the total infections. The geolocation information here may be inconsistent with the actual spread because the geographic distribution of nodes is not necessarily uniform.

Preventing infection

Intel Security products detect all variants of this family. Our detection names have the following prefixes:
■ W32/Autorun.worm.aaeh
■ W32/Worm-AAEH
■ VBObfus
■ Generic VB

Although the threat is consistently polymorphic, the core behavior has remained virtually the same, allowing customers to prevent infections by taking these precautionary measures:

Access Protection Rules to Stop W32/Worm-AAEH

Category                   Rule
Common Maximum Protection  Prevent programs registering to AutoRun
User-defined               Prevent file execution in %USERPROFILE% directory
User-defined               Block outbound connections to ports 7001–7008, 8000–8003, 9002–9004, and 20000–40000 (legitimate applications may use these ports)

Additional rules are published at https://kc.mcafee.com/corporate/index?page=content&id=KB76807.

■ Firewall: Block access to DGA domains ns1.dnsfor{N}.{TLD}, in which N is a number from 0 to 20 and TLD is any of the following: com, net, org, biz, info. The secret string changes over time (ns1.backdates was the previous one), so the block list must be refreshed whenever a new secret string is recovered from a sample.
■ Network Security Platform: Use this Snort rule to detect and block malware downloads (instructions at https://community.mcafee.com/docs/DOC-6086):
    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"W32/Worm-AAEH C2 Server Communication Detected"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 5.1\; SV1)"; classtype:trojan-activity;)

Two caveats before deploying the rule: Snort requires a sid (and a rev) in every rule, which the rule as printed omits, so assign one from your local range; and the matched string is the stock User-Agent of Internet Explorer 7 on Windows XP, so on networks that still have such hosts it will also match legitimate browsing and should be corroborated with the port-range rule or the DGA domain lookups above.
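The following Python shows how the two network indicators from this section combine in practice. It is an added example for this page, not McAfee code and not a Snort replacement: it parses a constructed key=value connection log, matches the exact User-Agent from the Snort rule and the outbound port ranges from the access protection rule, and grades each hit by how many indicators agree, reflecting the caveats that legitimate applications may use those ports and that the User-Agent alone is the stock IE7/XP string. The log format, the internal addresses and the non-C2 destination addresses are assumptions; 188.127.249.119 is the control server address the report gives for September 14, 2014.

```python
import re
from collections import namedtuple

# Exact User-Agent from the report's Snort rule. Caveat: this is also the stock
# User-Agent of Internet Explorer 7 on Windows XP, so it is a weak indicator alone.
WORM_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"

# Outbound port ranges the report says the two components download from.
C2_PORT_RANGES = ((7001, 7008), (8000, 8003), (9002, 9004), (20000, 40000))

Alert = namedtuple("Alert", "src dst dport severity reasons")

# Constructed log format for this example: key=value fields, the ua field quoted and optional.
LINE_RE = re.compile(r'src=(\S+) dst=(\S+) dport=(\d+)(?: ua="([^"]*)")?')


def in_c2_port_range(port):
    return any(lo <= port <= hi for lo, hi in C2_PORT_RANGES)


def severity_for(reasons):
    """Both indicators together are strong; either alone is prone to false positives."""
    if len(reasons) == 2:
        return "high"
    if "c2-port-range" in reasons:
        return "medium"   # legitimate applications may use these ports
    return "low"          # stock IE7/XP User-Agent on its own


def analyze(lines):
    """Return one Alert per log line that shows at least one indicator."""
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport, ua = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        reasons = []
        if ua == WORM_USER_AGENT:
            reasons.append("worm-user-agent")
        if in_c2_port_range(dport):
            reasons.append("c2-port-range")
        if reasons:
            alerts.append(Alert(src, dst, dport, severity_for(reasons), tuple(reasons)))
    return alerts


# Constructed log lines; internal and non-C2 addresses are documentation ranges.
SAMPLE_LOG = [
    'src=10.0.0.5 dst=188.127.249.119 dport=7003 ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"',
    'src=10.0.0.7 dst=198.51.100.20 dport=80 ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"',
    'src=10.0.0.9 dst=203.0.113.10 dport=25001',
    'src=10.0.0.11 dst=203.0.113.20 dport=443 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert.severity:6} {alert.src} -> {alert.dst}:{alert.dport} {', '.join(alert.reasons)}")
```

The first line (worm User-Agent to the known control server on port 7003) is the case both rules were written for and scores high; the second is an old browser on port 80 and scores low; the third is an unknown application on a port in the VBObfus range and scores medium, which is the right place for the port rule's own caveat. Note that the Snort content match is a substring match on the raw request, whereas this example compares the parsed header value exactly, so a request that appends text to the User-Agent would match the Snort rule but not this check.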
Takedown

In early April 2015, a global law enforcement action took down the control servers for this botnet. The U.S. Federal Bureau of Investigation, the European Cybercrime Centre (EC3), Intel Security, and the Shadowserver Foundation worked together to identify and disrupt the infrastructure for this botnet. Up-to-the-minute details of the takedown can be found here.

Summary

Cybercrime is big business—and getting bigger—so it is no surprise that cybercriminals continue to attack. As this example illustrates, thieves will go to great lengths to conceal themselves from IT security practitioners, the security industry, and global law enforcement so that they can continue to steal with abandon. To stop such attacks, a cooperative effort is required. Security vendors must share crucial information with one another, companies must be protected from legal action for coordinating with other companies and their governments to stop attacks, and global law enforcement agencies must work collaboratively with the security industry and affected companies to take down the most egregious attacks. It is only through a joint effort that we can slow the growth in cyber theft.
About McAfee Labs

McAfee Labs is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threat vectors—file, web, message, and network—McAfee Labs delivers real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks. www.mcafee.com/us/mcafee-labs.aspx

About Intel Security

McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security combines the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. Intel Security’s mission is to give everyone the confidence to live and work safely and securely in the digital world. www.intelsecurity.com

McAfee. Part of Intel Security.
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.intelsecurity.com

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided “as is,” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2015 McAfee, Inc. 61788rpt_polymorphic-botnet_0315_fnl_PAIR