CreateMutex
Dig in and it all comes out~
Malware news (6)

Shedding New Light on Tor-Based Malware

Alarm bells went off last August when spikes in Tor client downloads were traced to a large click-fraud and Bitcoin-mining botnet called Sefnit.

The malware was using the popular anonymity network to communicate with hackers in order to transmit stolen data and receive additional commands. In Sefnit’s case, the 600 percent increase in Tor usage it kicked off was also its downfall as Tor administrators noticed performance issues and steps were taken to strangle its activity.

Hackers’ use of Tor and other darknet services is nothing new, but incidents such as the Sefnit takedown that followed, and the disruption of the Silk Road drug and malware underground market, which also operated over Tor, have shed more light on the practice.

For example, researchers at Kaspersky Lab have published research uncovering three different campaigns that use Tor as hosting infrastructure for criminal malware activity: a 64-bit version of the Zeus Trojan that sends its traffic through Tor and creates Tor hidden services to obscure the hackers’ location; Chewbacca, a Trojan that steals data from memory like a RAM scraper and communicates over Tor; and, most recently, an Android Trojan that uses a .onion domain as its command and control infrastructure.

Sergey Lozhkin, a senior researcher with Kaspersky Lab, said his work investigating criminals’ use of darknets turned up 900 Tor hidden services and 5,500 nodes.

“The possibility of creating an anonymous and abuse-free underground forum, market or malware C&C server is attracting more and more criminals to the Tor network,” Lozhkin said. “Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate.”

Lozhkin said Tor underground markets aren’t set up much differently from legitimate ecommerce sites: most include some sort of registration process, offer buyers ratings of traders, and present familiar interfaces through which purchases are made. Criminals are selling everything from money laundering services and credit cards to skimmers and carding equipment, and most of it is sold for Bitcoin.

Yesterday, Microsoft published new details on Sefnit’s Tor components and configuration data, the domains it was in contact with and how it communicates over Tor.

After the August spike in Tor traffic alerted experts, Microsoft took steps to stop the botnet; these culminated on Oct. 27 when it modified the signatures distributed through its update services so that they removed the outdated Tor client service installed by the malware. The Tor client service had a specific configuration that Microsoft could identify, and despite some concern that Microsoft was overstepping by possibly also removing copies of Tor that users had installed legitimately, the cleanup moved forward and Sefnit numbers dwindled.

The version installed with Sefnit was v0.2.3.25, and it did not update automatically, Microsoft said, leaving users exposed to a number of exploitable vulnerabilities. The Tor client was added as a Windows service on every computer infected by Sefnit and was configured to accept connections on ports 9050 and 9051: 9051, the control port, was used by Sefnit to obtain status information about its connection to Tor, while 9050 served as the malware’s SOCKS proxy. Any application configured to use that proxy, Microsoft said, could communicate over Tor. Sefnit used this port to contact its command servers and bypass intrusion detection systems, and relied on Tor hidden services to obfuscate the servers’ locations.
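As an added example (not from the Threatpost article or Microsoft’s write-up), the following Python script queries a local Tor control port with Tor’s real PROTOCOLINFO command, which a control port answers before authentication, and flags a client that is as old as the one Sefnit installed or that accepts unauthenticated control commands. The reply it parses offline is a constructed sample; the 0.2.4.0 baseline is an assumption (the first release series after the one Sefnit shipped), and the live probe only runs when you call it.

```python
import socket

# Facts from the page: Sefnit installed Tor 0.2.3.25 as a Windows service,
# with the control port on 9051 and the SOCKS proxy on 9050.
SEFNIT_TOR_VERSION = "0.2.3.25"
CONTROL_PORT = 9051
SOCKS_PORT = 9050

# Assumption for this example: treat anything older than the 0.2.4 series as outdated.
MINIMUM_OK_VERSION = "0.2.4.0"

# Constructed sample of what a Tor control port answers to "PROTOCOLINFO 1".
# The line format is Tor's real control protocol; the values mirror the Sefnit case.
SAMPLE_REPLY = (
    "250-PROTOCOLINFO 1\r\n"
    "250-AUTH METHODS=NULL\r\n"
    '250-VERSION Tor="0.2.3.25"\r\n'
    "250 OK\r\n"
)


def parse_version(v: str) -> tuple:
    """'0.2.3.25' -> (0, 2, 3, 25); a suffix such as '-rc' or '-dev' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def parse_protocolinfo(reply: str) -> dict:
    """Extract the AUTH methods and the Tor version from a PROTOCOLINFO reply."""
    info = {"auth_methods": [], "version": None}
    for line in reply.splitlines():
        line = line.strip()
        if not line.startswith("250"):
            continue
        body = line[4:]  # strip the '250-' / '250 ' status prefix
        if body.startswith("AUTH METHODS="):
            # e.g. 'METHODS=COOKIE,SAFECOOKIE COOKIEFILE="..."' -> ['COOKIE', 'SAFECOOKIE']
            info["auth_methods"] = body[len("AUTH METHODS="):].split(" ")[0].split(",")
        elif body.startswith("VERSION Tor="):
            info["version"] = body[len("VERSION Tor="):].strip().strip('"')
    return info


def assess(info: dict, minimum: str = MINIMUM_OK_VERSION) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if info["version"] is None:
        findings.append("could not determine Tor version from PROTOCOLINFO reply")
    elif parse_version(info["version"]) < parse_version(minimum):
        findings.append(f"outdated Tor client {info['version']} (older than {minimum})")
    if "NULL" in info["auth_methods"]:
        findings.append("control port accepts commands without authentication")
    return findings


def probe_control_port(host: str = "127.0.0.1", port: int = CONTROL_PORT, timeout: float = 2.0):
    """Live check: send PROTOCOLINFO to a local control port and parse the reply.
    Returns None when nothing answers (no Tor control port reachable on this host)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PROTOCOLINFO 1\r\n")
            data = b""
            while not data.endswith(b"250 OK\r\n"):
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
            s.sendall(b"QUIT\r\n")
    except OSError:
        return None
    return parse_protocolinfo(data.decode("ascii", errors="replace"))


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; call probe_control_port()
    # instead to check the machine you are running on.
    for finding in assess(parse_protocolinfo(SAMPLE_REPLY)):
        print("finding:", finding)
```

On a Sefnit-era host the constructed reply produces two findings: an outdated client and a control port that accepts commands without authentication. A correctly configured Tor answers with COOKIE, SAFECOOKIE or HASHEDPASSWORD auth methods and a current version, and `assess` returns an empty list.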

The malware comes with a list of .onion domains that serve as drop points for stolen data. Microsoft said the list of C&C servers was found in a file inside a directory whose random name is cryptographically generated. Within that directory is a file with a .ct extension that contains the victim’s IP address, a string that is likely a victim ID, the list of command and control domains, and the malware’s working directory.

Microsoft said that at its peak in August 2013 an estimated four million Sefnit clients were receiving commands; that number had dropped significantly by the end of December, but two million machines could still be at risk of attack because the Tor service Sefnit added to them is outdated.

Other posts in the 'Malware news' category

ghost, gh0st related information  (1) 2013.09.17
Targeted ‘phone ring flooding’  (0) 2013.02.14
Red October  (0) 2013.01.16
Ole Trade Tool malware  (0) 2010.12.13
New Koobface version~  (0) 2010.10.28

ghost, gh0st related information

Gh0st is an open-source remote control tool, and to this day it is still being spread out of China as malware in enormous quantities.
It also goes by many detection names, such as Darkshell and Redosdru.

http://blogs.norman.com/2012/security-research/the-many-faces-of-gh0st-rat

------------------------

The many faces of Gh0st Rat

Gh0st Rat is an open source backdoor trojan (or “Remote Administration Tool” ) that has been used in a large number of incidents, of which many have been targeted attacks. It is famed for being used in the espionage operation called “GhostNet”.

It is originally Chinese, which naturally means it is popular with Chinese hackers.

In a study conducted here at Norman, we attempted to unmask the links that exist between different known Gh0st Rat attack campaigns. We primarily used network communication as the recognizable characteristic, since Gh0st communication is quite distinctive: it uses a “magic tag” (usually 5 alphanumeric characters) to identify itself to the command & control server.

We clustered samples that used the same tags together, to make plots like this:

brown nodes = samples, purple nodes = IP addresses, yellow nodes = domains, blue nodes = identifier tag

Fig1 : The same Gh0st variant (called “cb1st” because of its communication tag) is seen using two main C&C hubs and many smaller ones. The hub www.wk1888.com is also used by a large cluster of trojans using the default “Gh0st” tag, branching out at the right.

In the above plot we see that samples of one type (“cb1st”) connect to the same Command&Control server as samples of another type – “Gh0st”, thus these samples can be said to be logically linked.

Other connections were discovered, surprisingly, through miscommunication between the malware and its C&C server. In quite a large number of cases the server responded to the initial connection with a different magic tag. In a way, the malware said “Are you there?” and the server said “Que?”.

Fig2 Gh0st Rat of the KOBBX variant attempts to talk to the server, but receives LUCKK back.

Obviously the KOBBX and LUCKK campaigns are connected.

Gh0st Rats were not the only malware to exhibit this odd behavior. We also saw other malware miscommunicating in this way, for example DarkShell DDOS bots.

Fig3 DarkShell initial connection receiving “whmhl”, a tag belonging to a particular Gh0st variation.

In our paper, we have examined and clustered 49 variations of Gh0st, divided over some 1200 samples from 2011-2012. We found that a great many Gh0st Rat clusters likely are produced and operated by the same persons or groups.
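As an added example that is not part of the Norman post, the following Python code reproduces the two linking rules described above on constructed sample traffic: a tag is linked to the C&C it talked to (Fig1), and when the server answers with a different tag, the two tags are linked directly (Fig2). The header layout it parses (5-byte tag, little-endian total length, little-endian uncompressed length, zlib-compressed body) is the well-known Gh0st 3.6 wire format, which the post itself does not spell out. The tags and the wk1888 hub in the sample come from the post’s figures; the IP addresses are documentation ranges and the packet payloads are made up.

```python
import struct
import zlib
from collections import defaultdict

# Gh0st 3.6 wire format (well-known, not spelled out in the post):
#   5-byte tag | uint32 LE total packet length | uint32 LE uncompressed length | zlib body
HEADER_LEN = 13


def build_gh0st_packet(tag: bytes, payload: bytes) -> bytes:
    """Assemble a Gh0st-style packet; used only to construct sample traffic here."""
    if len(tag) != 5:
        raise ValueError("Gh0st tag is 5 bytes")
    body = zlib.compress(payload)
    return tag + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_gh0st_packet(data: bytes):
    """Return (tag, payload) if data is a well-formed Gh0st packet, else None.
    Every length field is cross-checked so a random blob is not mistaken for Gh0st."""
    if len(data) < HEADER_LEN:
        return None
    tag = data[:5]
    if not (tag.isascii() and tag.isalnum()):
        return None
    total_len, orig_len = struct.unpack("<II", data[5:HEADER_LEN])
    if total_len != len(data):
        return None
    try:
        payload = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:
        return None
    if len(payload) != orig_len:
        return None
    return tag.decode("ascii"), payload


class DisjointSet:
    """Union-find over node labels; grows clusters from pairwise links."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_sessions(sessions):
    """sessions: iterable of (c2_address, client_first_packet, server_reply_or_None).
    Returns a list of sets mixing 'tag:<TAG>' and 'c2:<address>' nodes."""
    ds = DisjointSet()
    for c2, client_pkt, server_pkt in sessions:
        parsed = parse_gh0st_packet(client_pkt)
        if parsed is None:
            continue  # not Gh0st traffic, ignore
        client_tag = parsed[0]
        ds.union("tag:" + client_tag, "c2:" + c2)  # rule 1: shared C&C hub
        if server_pkt is not None:
            reply = parse_gh0st_packet(server_pkt)
            if reply is not None and reply[0] != client_tag:
                ds.union("tag:" + client_tag, "tag:" + reply[0])  # rule 2: "Que?" mismatch
    groups = defaultdict(set)
    for node in list(ds.parent):
        groups[ds.find(node)].add(node)
    return list(groups.values())


# Constructed sample sessions: tags and the wk1888 hub come from the post's figures,
# the IP addresses are documentation ranges and the payloads are made up.
_hello = b"\x00" * 16  # stand-in for a client's initial beacon body
SAMPLE_SESSIONS = [
    ("www.wk1888.com", build_gh0st_packet(b"cb1st", _hello), build_gh0st_packet(b"cb1st", b"\x01")),
    ("www.wk1888.com", build_gh0st_packet(b"Gh0st", _hello), build_gh0st_packet(b"Gh0st", b"\x01")),
    ("198.51.100.7", build_gh0st_packet(b"KOBBX", _hello), build_gh0st_packet(b"LUCKK", b"\x01")),
    ("203.0.113.9", build_gh0st_packet(b"whmhl", _hello), build_gh0st_packet(b"whmhl", b"\x01")),
    ("203.0.113.9", b"GET / HTTP/1.1\r\n\r\n", None),  # unrelated traffic, must be skipped
]


def cluster_of(clusters, node):
    """Convenience lookup: the cluster containing a given node label."""
    return next(c for c in clusters if node in c)


if __name__ == "__main__":
    for group in cluster_sessions(SAMPLE_SESSIONS):
        print(sorted(group))
```

Run on the sample, the code yields three clusters: cb1st and Gh0st joined through the wk1888 hub, KOBBX and LUCKK joined by the mismatched reply, and whmhl on its own. On real captures, feed it the first packet of each direction per TCP session; the length cross-checks in `parse_gh0st_packet` keep unrelated protocols on the same ports from being pulled into a cluster.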

Fig4 Eight different Gh0st variations that are linked in a “supercluster”.

We have attempted to trace some of the attacks back to apparent perpetrators.

The full paper is 70 pages long, and is available by filling out a request here:
The many faces of Gh0st Rat
It’s free. We won’t try to sell you anything.


Targeted ‘phone ring flooding’

http://blog.webroot.com/2013/02/13/targeted-phone-ring-flooding-attacks-as-a-service-going-mainstream/


Interesting.

If someone attacked 119 or other critical backbone lines like that... I think the impact would be shocking.

Hmm..


Red October

http://www.f-secure.com/weblog/archives/00002486.html


http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation


http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies




Ole Trade Tool malware


This is malware that was spread through domestic (Korean) websites this week.

When this malware runs, the imm32.dll file is modified and an ole.dll file is created.
When the file runs it also kills the V3 and ALYac processes and steals accounts for domestic game sites.

What's funny is that the author named it "Ole Trade Tool" themselves,
and it really does work that way.. it seemed a bit childish, so I'm posting it~


New Koobface version~

The name is "andy141"


Same shape as the last one.


It downloads twgen and posts as shown above. There are probably others too, but this is the only one confirmed..
I hear there is also a version rebuilt for Mac OS (a cross-platform version).

Be careful..
