Monday, May 25, 2009

Invasion of the PC Snatchers

How to Join a BotNet Army Without Really Trying
(or Knowing Until It's Too Late)


Screen-shot of warning from Avast! A/V for the Trojan Dropper my ex-wife encountered:



Act I: Social Engineering
Ex-wife received an email from someone she knew related to her job. I've deliberately munged the hyperlink it contained with "#" characters to keep it from working (they were originally strings of numbers).
Subject: it should you be pleasant

Body:
Check this out http://rapidshare.com/files/#########/File.exe?0,#######
Disabled the hyperlink by munging it for very good reason. It doesn't simply go to a RapidShare web page; it immediately attempts to download and run a file stored on RapidShare. Firefox doesn't normally allow immediate download file execution, but Internet Explorer gives that option with "Run," "Save" and "Cancel" buttons (in that order). Too many folks will blithely "Run" the executable file out of habit! This type of email employs "Social Engineering" to persuade its recipient to run the program. The Ex's email address was harvested from the address book of a likely trusted source. In this case it was a known co-worker, but it could also be a family member or close friend.
  • The first flag that should cause alarm in this email is its subject line, "it should you be pleasant" which reads like a poorly translated user manual for a cheap Chinese toy (unless the trusted sender actually writes that way all the time)!
  • The second flag that should cause alarm is a RapidShare link for an executable program that attempts to immediately download the file. For those familiar with RapidShare, a proper link to a file stored there should lead to a RapidShare web page with information about the file and a download button. I'm still trying to figure out how this URL was crafted. Haven't been able to replicate my own version using innocuous files I've uploaded to RapidShare. However, I did find references to tools that can convert normal RapidShare download links into immediate, direct download links that bypass the normal RapidShare download web page. I suspect this link was crafted using one of these kinds of tools.
  • The third flag that should cause alarm is an executable file with no explanation about what it is, what it's for, or what it should be expected to do.
Act II: Trojan Horse
"File.exe" is only 23kb in size. This is tiny, even by MS-DOS 3.1 standards. Even so, it's extremely dangerous. Programs that initially penetrate a computer and its defenses are typically this small. They merely create the beachhead to facilitate the installation of larger programs that take over the machine. It signals, calls for the main invasion force payload, and provides the invasion path through a machine's defenses. It can also disable or circumvent the common means used to detect the malware invasion. This particular program is a Trojan Horse Dropper. It's called a Trojan Horse because the victim is enticed to invite it through the gates. This was done in Act I with the Social Engineering that convinced the victim to click on the link, download and run it. The task performed by "File.exe" when it's executed is providing a concealed path for the installation of a Rootkit, one that's completely hidden from the rest of the operating system, anti-virus software, and computer administrator(s) and user(s):
  • Opens a remote thread in "svchost.exe" to retrieve a Rootkit installer in a concealed manner that will not be detected.
  • Downloads the Rootkit installer into the current user's "temp" directory, from a completely different, remote server (using an IP address in, or obtained by "File.exe").
  • Silently runs the executable Rootkit installer in a manner completely concealed from the rest of the operating system, anti-virus software, and computer user(s) or administrator(s).
  • Only takes a few seconds and it's done. After that, "File.exe" has no useful purpose. Even if detected later and deleted, the damage it did is a "Done Deal."
Act III: Coup d'État
Rootkits are insidious. This Trojan Horse dropper pulls in a specific Rootkit called Win32:FaRoot [rtk] (Avast!'s name) and installs it. Rootkits work under a stealthy cloak that hides them from nearly all anti-virus detection software. Different types of Rootkits use a variety of techniques to keep the operating system, computer user, and anti-virus detection software from finding them. The underlying objective is keeping completely hidden from operating system view, not just normal end-user view, but low-level operating system view, protecting it from discovery, and actively preventing its eradication. It accomplishes this by creating "hooks" in the operating system to hide the Rootkit's "drivers" and their system registry entries from the rest of the operating system. They are locked to protect them from being deleted, even by a user with "administrator" privileges employing the system's registry editor, and that's if you can even find them. Once this Rootkit is embedded in the system, it grants itself completely unfettered, undetectable, and highly protected "administrator" control of everything on the computer from a remote location through a hidden "back-door" that's enabled by loading a driver every time the system boots. True Rootkits per se are not the real malware, other than their ability to hide themselves, and other files and processes it's programmed to hide. It's what happens next that does the real damage.

Act IV: Resistance is Futile, You Will Be Assimilated
One of the more insidious modifications this Rootkit makes to Windows is changing some registry entries to force using a pair of different network Domain Name Servers (DNS) that are located in eastern Europe. DNSs are how URLs (site names) get translated into numeric IP addresses. It's like a phone directory; send the name to the DNS and get the IP address number in return. The local service provider (e.g. DSL, cable, etc.) maintains their own Name Servers, usually two primary and two secondary for redundancy. Without a Name Server available, you go nowhere on the internet, but get stream of "site not found" errors instead. Service providers provide the DNS IP addresses to use on their network automatically when a computer connects to it. This is part of the "handshaking" that occurs when the network connection is made. Hijacking which DNS servers are used, and doing so in a way that's permanent unless these registry entries are deleted accomplishes several goals:
  • Every internet site visited by the computer (regardless of browser or other program used) generates traffic to these other DNSs to look up web site IPs; there is now a "history" of sites used by the victim.
  • These other DNSs now being used, presumably under control of the malware creators, can block or redirect attempts to update Windows with patches, Anti-Virus software, or access major Anti-Virus software sites to non-existing IP addresses. All one gets when trying to go anywhere on the internet to eradicate the beast is greeted with a "Site Not Found" error, or worse yet, a porn site that generates popups faster than a popcorn popper. Even Windows and anti-virus software automatic updating needs DNS availability to find their sites and update servers.
  • Can send you (if desired) through a "Proxy Server" they control when the computer is accessing web sites. This is called a "Man in the Middle" attack. If done properly, it's entirely transparent. You never know you're not communicating with an internet site directly, but through an intermediary. Legitimate proxy servers are used on large corporate networks to help protect their internal networks from the outside world. Because they act as a "proxy" they can passively record all the internet traffic passing through, to include HTTPS (encrypted, secure server traffic), effectively record screen shots of every web page, and log all the keystrokes made within a web browser (i.e. when entering a user name and password, or filling in a form with personal information).
Furthermore, it's capable of doing a "Lazarus Act" to resurrect itself using the operating system's "system restore" functions should the victim discover pieces of it and delete them. Many accomplish this by embedding reinstall code in the System Restore Points, deeply hidden (and protected) on the root of the boot drive. While not impossible to eradicate from the system Restore Points, it can be quite arduous and very time consuming to find which one it's been stashed in if there are a few hundred to choose from (typical if the computer has had the O/S installed for a couple years). Another location that can be used is the hard drive's Master Boot Record (MBR). No standard Anti-Virus tool will find it in an MBR, and only a few of the couple dozen Rootkit detectors will find it. The hard drive MBR is also not a place most would think of to find malware either. Worse yet, the MBR survives nuking the hard drive and re-installing the operating system from scratch unless specific action is taken to install or "restore" the drive's MBR. Not normally done when installing an operating system.

Act V: BotNet Army Marching Orders
Most of the time, the Rootkit is directed to install various additional pieces of malware on the victim's system. These include keystroke loggers and sometimes a remote monitoring utility that allows viewing the victim's desktop remotely at will, much in the same manner as a desktop can be shared in NetMeeting. Aside from being able to record keystrokes and capture desktop screenshots, the machine is now part of a BotNet that can be instructed to do just about anything from any remote location. The "generals" in command of these BotNet armies have a known history of doing a variety of things with their Zombie troops:
  • Lease or rent portions of a BotNet to others for a fee (who will use them to do just about anything that follows in this list).
  • Conduct Distributed Denial of Service attacks on internet sites.
  • Inject SPAM email into the internet through the BotNet machines' service providers email accounts (guess who gets blamed for spewing SPAM?).
  • Perform automated scans of internet IP addresses looking for vulnerable computers and servers.
  • Provide hidden server services for distributed storage and distribution of malware, Warez, pirated music/video, and (maybe) last, but certainly not least, (child) pornography (and guess who gets blamed for that, too?).
  • All of the above entails using the Rootkit to load, save, install, and execute additional files and programs, all cloaked under the Rootkit's protection, to comply with a remote location's orders from the BotNet Army commander.
The victim remains blissfully ignorant and unaware of all this . . . until . . .
  • Weird computer behavior is observed, such as unusual and continuous internet activity (the little icon in the tray or MODEM lights) when nothing should be accessing the network.
  • Internet account is suspended or shut down for spamming in violation of the ISP's Terms of Service (ToS).
  • Several Windows or Anti-Virus software update failure errors finally get the victim's attention.
  • Computer bogs down to a crawl slow enough to get the victim's attention.
  • Computer ultimately refuses to reboot (who said malware is bug-free?).
  • RIAA slaps the internet account holder with civil lawsuit for copyright violations (distribution of pirated music; yeah, it's happened).
  • The police or FBI show up with a warrant to seize all electronics in the house and arrest the internet account holder for child pornography distribution.
Epilogue:
We were lucky. The ex-wife declined to execute or download the program, once she found it was, indeed an executable. I copied the URL she was sent and downloaded it to my desktop without executing it, to study it more. It's now sitting innocuously, unable to do anything, in the Avast! Virus Chest on my computer (which prevents it from being accessed or executed).

Screen-shot of warning from Avast! A/V when I moved it to Avast!'s Virus Chest:



Would have been an absolute nightmare to recover from on her laptop. Did a Rootkit eradication to recover a laptop running WinXP that belonged to the son of a close business associate a couple years ago. Took about a week to completely clean up his son's computer, working on it in the evenings. About half the time was spent eradicating all the malware that had been installed under the Rootkit's cloak. The other half was spent finding and eradicating the Lazarus Code that kept resurrecting the Rootkit.

Welcome to JLind.net

Dedicated to the Practice of Polymathy Polymathy: The possession of learning in many fields. Your host is John Lind. Here you wi...