Saturday, October 21, 2006

Simple Yet Effective Malware Tricks

SecureWorks has a great write-up on a piece of malware called "SpamThru Trojan Analysis".

While it does not employ the rootkit-type hiding tricks that are so common these days, it is anything but simple. This is a botnet trojan that took time, skill and money to create. This was made for the black art of underground business...

Here are several of the tricks that it uses to keep the botnet alive, kicking and making money:

Peer-to-Peer Communication
It uses P2P technology to pass information from bot to bot and therefore update the network. It reminds me of Cisco CDP in some ways. Each bot knows about the bots around it, and they update each other as new information is loaded. The botnet is still controlled via a central C&C (command and control) server, but the bots can be directed to a new C&C server via the P2P technology if the server is ever taken down.

Anti-Virus Scanning
Like most trojans, this one was tweaked and customized during creation time to minimize AV detection; however, SpamThru takes AV scanning a step beyond the normal trojan. It actually installs a hacked version of Kaspersky AntiVirus for WinGate to clean the machine before the main infection takes place. This helps increase the stability of the new bot and decrease the chance that it will be "stolen" by a rival botnet controller.

Encrypted Template-based Spam
Each bot in the net has its own spam engine. Each bot downloads a spam creation template from a central template server using an AES-based challenge-response authentication system. This challenge-response system reduces template leakage to third parties and AV researchers. The template contains e-mail addresses, spam hashes that are used to bypass filters and random "from" names. The templates are also encrypted using AES for extra protection.

GIF randomization
GIF files in the spam template are modified with each spam sent: the width and height are changed and a section of random pixels is appended to the bottom, in order to defeat anti-spam solutions which might try to reject mail based on a static image.
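As an added illustration (not code from the SecureWorks report or this post), the Python below shows why a byte-exact signature of the spam image breaks under the randomization just described, and one fingerprint that survives it. Images are modelled as constructed grayscale pixel grids rather than real GIF files, and it is assumed the variants pad the image (extra rows and columns) rather than rescaling the original content.

```python
# Added example: static hash vs. window fingerprint of a randomized spam image.
# Images are constructed grayscale grids (lists of rows of 0-255 ints), not
# real GIFs, so no decoder is needed. Assumption: variants are padded, not
# rescaled, so the original content stays in the top-left corner.
import hashlib
import random

WINDOW = 8      # fingerprint covers the top-left WINDOW x WINDOW pixels
LEVELS = 4      # quantise each pixel to this many brightness levels

def byte_hash(pixels):
    """Exact hash of the whole grid, standing in for a static-image signature."""
    raw = bytes(v for row in pixels for v in row)
    return hashlib.sha256(raw).hexdigest()

def fingerprint(pixels):
    """Quantised fingerprint of the fixed top-left window.

    Rows appended at the bottom and padding columns on the right never enter
    the window, so every padded variant collapses to the template's value.
    """
    step = 256 // LEVELS
    levels = [min(v // step, LEVELS - 1)
              for row in pixels[:WINDOW] for v in row[:WINDOW]]
    return "".join(str(level) for level in levels)

def make_variant(pixels, extra_rows, extra_cols, seed):
    """Simulate the trick: widen the image, then append rows of random pixels."""
    rng = random.Random(seed)
    width = len(pixels[0]) + extra_cols
    widened = [row + [rng.randrange(256) for _ in range(extra_cols)]
               for row in pixels]
    noise = [[rng.randrange(256) for _ in range(width)] for _ in range(extra_rows)]
    return widened + noise

# Constructed 10x12 "template" image: a light box on a dark background.
TEMPLATE = [[220 if 2 <= x <= 9 and 2 <= y <= 7 else 30 for x in range(12)]
            for y in range(10)]

def compare(seed=1):
    """Return (static_hash_matches, fingerprint_matches) for one variant."""
    variant = make_variant(TEMPLATE, extra_rows=3, extra_cols=2, seed=seed)
    return (byte_hash(variant) == byte_hash(TEMPLATE),
            fingerprint(variant) == fingerprint(TEMPLATE))

if __name__ == "__main__":
    print(compare())  # (False, True)
```

In a real filter the grid would come from the decoded GIF frame; the point is that matching must key on stable content, not on the file bytes or dimensions.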

Very interesting indeed. As you can see, spam is very, very serious business, and these groups take every step possible to keep their business up and running.

Check out the SecureWorks link at the top for more details on this cool piece of malware.
