Slashdot Mirror


Trojan Analysis Leads To Russian Data Hoard

Stolen Identity writes "An attack by a single Trojan variant compromises thousands, circumvents SSL, and uploads the results to a Russian dropzone server. A unique blow-by-blow analysis reveals evidence of cooperation between groups of malware specialists acting as service providers and points to the future of malware's growing underground economy."

26 of 103 comments

  1. What About Firefox Users? by eldavojohn · · Score: 5, Interesting
    From the article,
    • Steals SSL data using advanced Winsock2 functionality
    • State-of-the-art, modularized trojan code
    • Spread through IE browser exploits
    • etc ...
    When I read the Slashdot summary, I was initially concerned that I may be at risk. But then I noticed the above three lines and realized there was no risk since I don't use IE.

    But, in the end, if this is an exploit utilizing the very basic network DLL that windows provides for socket connections (Winsock2--which is what I assume all network applications eventually link against in Windows) then why aren't other browsers at risk?

    I know Firefox is awesome & more secure & all that jazz but I haven't done enough network programming to know the nitty gritty details of it. Does anyone know why, if this trojan is exploiting the basic socket connection library that the Windows API provides, all browsers aren't potential victims?

    I mean, it makes sense to introduce some sort of security that never ever lets anything but the browser's code access the interfaces to these libraries ... is IE really that flawed?
    --
    My work here is dung.
    1. Re:What About Firefox Users? by BlueTrin · · Score: 5, Funny

      is IE really that flawed?

      +2 funny

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
    2. Re:What About Firefox Users? by Aladrin · · Score: 4, Informative

      You stopped reading too early. Later in TFA, it shows a screencap of the website that has badly translated text that basically says 'Snatch 2 - will work on firefox'. In other words, you're not affected... yet.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    3. Re:What About Firefox Users? by Billosaur · · Score: 2, Informative

      Well, it uses an IE browser exploit to get in, so if you don't use IE, you're at low risk. But far be it from anyone to think that these crooks won't find a way to deliver the Trojan in another manner if their IE route dries up. Everyone will have to remain vigilant, because if it gets on your system, it can theoretically corrupt any browser.

      --
      GetOuttaMySpace - The Anti-Social Network
    4. Re:What About Firefox Users? by Cyberax · · Score: 4, Informative

      No, IE uses a layer called WinInet to access the Internet (http://msdn2.microsoft.com/en-us/library/aa385483.aspx). It automatically provides SSL/TLS connectivity to IE.

      FireFox uses basic sockets and encrypts data using a standalone SSL library.

    5. Re:What About Firefox Users? by TheNicestGuy · · Score: 3, Interesting

      Monster of an article, so I don't blame anyone for not catching the details on this. What it boils down to is that IE exploits are the main propagation vector of Gozi, but its actual performance of nastiness does not necessarily rely on IE. Once it's installed and running, it will intercept and leak to its "mothership" any and all HTTP POSTs that go through WinSock2, no matter what browser they come from, because it manages to register itself as a "Layered Service Provider" sitting between the browser and the socket. Unfortunately, I do not know which browsers make use of WinSock2 and its LSP functionality, and which don't. It would have been nice to mention that in the article as an aside.

      Another way IE is specifically involved is that Gozi does some extra sniffing inside IE's JavaScript engine to get data that's being sent AJAX-style rather than through normal POSTs.
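
Added example (not from the article or from any commenter) of the defender's check the two comments above suggest: since an LSP registered in the Winsock catalog sees every application's traffic, the catalog itself is the place to look. The script parses the text printed by `netsh winsock show catalog` and flags layered entries that are not in a known-good baseline or whose DLL lives outside the system directory; the sample output, GUIDs and DLL path are constructed, and the field names are assumed to match what the real tool prints.

```python
# Constructed sample in the layout printed by `netsh winsock show catalog`
# (field names assumed to match the real tool; GUIDs and paths are placeholders).
SAMPLE_CATALOG = r"""Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {11111111-1111-1111-1111-111111111111}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Intercept LSP (constructed)
Provider ID:                        {22222222-2222-2222-2222-222222222222}
Provider Path:                      C:\Temp\example_lsp.dll
Catalog Entry ID:                   1020

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example Intercept LSP over [TCP/IP]
Provider ID:                        {33333333-3333-3333-3333-333333333333}
Provider Path:                      C:\Temp\example_lsp.dll
Catalog Entry ID:                   1021
"""

# Entry types that sit between applications and the base TCP/IP provider.
LAYERED_TYPES = ("Layered Service Provider", "Layered Chain Entry")
# Where legitimate Winsock provider DLLs normally live (compared lower-cased).
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_catalog(text):
    """Split netsh output into one dict of 'Field: value' pairs per entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return entries


def flag_lsps(entries, known_ids=frozenset()):
    """Return (catalog id, description, reasons) for suspicious layered entries."""
    flagged = []
    for e in entries:
        if e.get("Entry Type") not in LAYERED_TYPES:
            continue  # base providers are never flagged
        reasons = []
        if e.get("Provider ID") not in known_ids:
            reasons.append("provider id not in baseline")
        if not e.get("Provider Path", "").lower().startswith(SYSTEM_DIRS):
            reasons.append("dll outside system directory")
        if reasons:
            flagged.append((e.get("Catalog Entry ID"), e.get("Description"), reasons))
    return flagged
```

On a real host, feed the output of `netsh winsock show catalog` to `parse_catalog` and pass the provider IDs recorded from a clean baseline as `known_ids`.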

    6. Re:What About Firefox Users? by Ilgaz · · Score: 2, Insightful

      I think non-technical Firefox users may have the same risk as OS X users by thinking they are already secure by default and not caring about some simple security methods.

      So the sense of security is the security risk there.

    7. Re:What About Firefox Users? by evought · · Score: 2, Interesting

      You are about to have your butt shoved up your nose, Cancel or Allow?

      Seriously, though, several things struck me. One was that a screenshot of the (malware) author's webpage showed that Firefox "support" was expected in a new release. Of course, I browse with NoScript enabled on a Macintosh which has been significantly tightened down. I regularly complain to sites that require users to have javascript enabled to do business with them and generally get favorable responses, especially when referring them to recent articles. I often find that even if functionality is degraded, most sites I visit function.

      Another interesting thing is that the trojan itself presumably only needed normal user permissions to do its main job, nullifying account protection and one of the things which makes Mac/Windows/Vista better than XP. It needs privilege escalation to hide and make sure it can survive removal attempts, but the encryption and other things also make detection harder without rooting the box.

      IE 7/Vista's browser sandbox, in theory, should make this kind of attack less successful, since it makes it harder to convince the browser/system to modify the environment without user intervention even when account permissions would normally allow it. Newer memory protections in both Vista and gcc 4.1+ systems should also make its job significantly harder, but one of the best things is just to limit what a web page is allowed to do and that is one of the things that is much easier to customize in Firefox (with your choice of extensions).

      The fact that this is yet another case where otherwise trustworthy systems are the source of an attack is disturbing. Site-rating systems like WOT and certificate rating are rapidly becoming worthless. Also, this means that, since the e-commerce sites are obviously not secure, the attackers can obviously get access to your data from them, regardless of what precautions you take. Systems like Paypal where your account information is not provided to the vendor become more valuable, assuming Paypal itself is not compromised. One-time credit-cards are also very useful.

      As for two-factor authentication, something akin to a scramble-pad may work. use multiple choice for a challenge (with randomized positions) or provide randomized buttons to enter a pin. Similar systems are sometimes used for physical security to good effect.

  2. IP traceback by jshriverWVU · · Score: 2, Insightful

    Can't you just do a traceroute on the IP that this info is being sent to? Seems this would be a nice way of figuring out where the info is going. Then blacklist it or possibly a range router side.

    1. Re:IP traceback by Klaus_1250 · · Score: 4, Informative

      I doubt they will use a single IP for long; in fact, I would say that if they are pros, they'll only use it for several hours. There are quite a few organizations tracing and logging such IPs, and some of the better security software blocks them. The longer you use a single IP, the less effective they'll be and the higher the risks.

      --
      It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
  3. Possible solution... by Dogtanian · · Score: 2, Funny

    ...to the problem of AV companies not picking them up; offer a large-ish reward for information, and have someone involved tell the AV companies about the trojan as soon as possible. It only needs one relatively unimportant person (coder peon?) to blab and give the game away, so long as they're assured of having their identity kept secret.

    I'm sure there are a million flaws in this idea, but it's a start.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    1. Re:Possible solution... by BlueTrin · · Score: 4, Insightful

      I guess the major flaw would be that I could write code and report it?

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
    2. Re:Possible solution... by Dogtanian · · Score: 2, Interesting

      I guess the major flaw would be that I could write code and report it?

      That had occurred to me; the reward, however, would likely not be enough to warrant writing a piece of genuinely new code.

      If the case was genuine and one guy had written all the code, he would be getting paid for writing the code (by Mr. Big, presumably) *and* for blowing the lid on the whole thing (by the AV company). If someone writes the code for use by themselves, they either have to report it before it becomes prominent (and hence they don't make much money from the use of the code), or if they wait too long the AV companies figure out the info for themselves first, and they don't get paid.

      Basically, though, this idea operates under the premise that there is more than one person involved (preferably many), and that this individual stands to gain by giving the game away.
      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  4. Spreads!=Affects by Anonymous Coward · · Score: 3, Informative

    You need IE to install the trojan, once it is running it will compromise all SSL traffic.

  5. headline strike again! by Arielholic · · Score: 5, Funny

    Trojan Analysis Leads To Russian Data Hoard

    So the analysis led to the hoarding? Everybody stop analyzing NOW!

    1. Re:headline strike again! by Hoi Polloi · · Score: 2, Funny

      They meant "Horde". It is obviously being run by a WoW guild.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  6. Hmm.. smth does not compute by wumpus188 · · Score: 2, Interesting

    TFA mentions 81.15.146.42, which apparently is a42.skierniewice.mediaclub.pl, which is Poland.
    Where did Russia come from?

    1. Re:Hmm.. smth does not compute by coolnicks · · Score: 2, Informative

      The actual IP is 81.95.146.98, and is indeed in Russia, although this IP is no longer responding on port 80.

  7. i'm in awe by circletimessquare · · Score: 3, Insightful

    reading that article is like looking at the blueprint for a neutron bomb: beautiful, magnificent, and pure evil

    the mind boggles at what these men (or women) of such high craft could achieve were they to devote their genius to good efforts rather than bad. as it is, in the business they are in, they will probably very rapidly come under the thumb of the russian mafia, if they aren't already. then their life will be on a short leash, that, if they attempt to tug, will land them with a swift reprimand from guys you don't want to know what a swift reprimand from is like

    sad. these are no script kiddies here. these are smart blokes. and they are also doomed to a life under the thumb of men a thousand times more evil than their devilish and brilliant exploits ever could be

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:i'm in awe by krunk7 · · Score: 2, Interesting
      Ok, let's go with this evil genius take on things. Now, you take one look at their situation and within the time frame it took you to click "reply" and start typing you came up with this angle.

      Now I'm supposed to accept that these evil geniuses suddenly got retarded when it came to the common sense risks with their new business? They've developed a real cracker jack exploit of commercial quality able to mass infect systems, avoid tracing, the whole nine yards. They then market this to organized crime syndicates around the world and in particular to the Russian mob.

      But along the way they never thought about doing all this anonymously. Or maybe, gasp, they aren't even in Russia? Maybe they're in china, india, or the U.S. and chose to vendor to Russian mafia specifically because of the difficulty of extending their reach across continents?

      Personally, if I were an evil russian programmer out to make nefarious riches I'd vendor to china, india, or the U.S. Everyone knows the best illegal business is illegal business not done in your own backyard.

    2. Re:i'm in awe by arivanov · · Score: 2, Interesting

      Or maybe having kids to feed.

      With a relatively small local software market as well as relatively small outsourcing market Russia (and to lesser extent Bulgaria and Romania) are ripe for the picking by the mafia. Most of the qualified software engineers who do this kind of work will very happily work on an outsourcing contract instead. Further to this, they are likely to deliver considerably better quality code than most Indian outsourcing shops (I have seen code and projects from both so this statement is based on actual experience and reading the actual code produced).

      But for a variety of reasons they do not get any work like that, and as a result they work for the mafia.

      C'est la vie.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    3. Re:i'm in awe by zoftie · · Score: 2, Informative

      This comes from my experience:

      Most Russian coders [in Russia] are assholes and lazy. I am Russian and grew up in Canada. I went to Russia to work for a while, to see how it is. After all, wages in Moscow are $2000+, so I wasn't just surviving.
      I was a little dismayed at the experience of being in Russia, finding that while there are a lot of brilliant coders, many are lazy and have too few team skills to be usable in a company. Another thing: Russians are daring, so this sort of stuff comes up all the time. They won't do work, but throw them a challenge and they'd go at it.

      To put it another way, those who can do and care to work left a long time ago. Those who stay are the ones who aren't willing to change, thinking that old Russian ways are fine. In addition, real estate prices in Moscow are soaring. Many sysadmins made their way to buying an apartment by reselling hardware to their own company with a 5x - 100x markup. Yes, these things happen :)

      What can I say, it's a mess, really.

      This virus isn't a surprise; there are a lot more covert virii, I'd tell you. Ones that do embed themselves in the kernel, not as a process or a program.
      Cheers.

  8. Who's the target customer? by BobMcD · · Score: 4, Insightful

    What frustrates me a bit about TFA is where they stopped. They identified what the malware is, does, where it comes from, etc. They seem to have left out the 'why' part of the equation. Who would buy the data, and for what purpose? Dig a little deeper here. What we are defending against becomes a lot clearer when the motives of the attacker are known. This exploit is sophisticated and mature. It appears to be a viable business. This is not the action of an individual bent on personal gain, rather a true-world example of organized crime. This is much more serious than we're being led to believe. This is what gives me pause: What kind of customer would pay for access to such a broad set of data?

    1. Re:Who's the target customer? by TheNicestGuy · · Score: 2, Interesting

      What kind of customer would pay for access to such a broad set of data?

      That's one of the points the article is trying to make, as a sea change in this sort of malware: Because the data is so broad and voluminous, the providers could have a quite varied customer base. It's been commoditized. Data mined from this store could be of use to unscrupulous folks ranging from simple carders, to account drainers, to mob bosses, to terrorists. Notice that the data was not just credentials for banking and shopping sites, but included access to law enforcement and other government applications. Wanna steal a car and un-report it as stolen the next day? This might not be a bad place to start.
  9. zzz by circletimessquare · · Score: 2, Interesting

    you seem to have some problems understanding how the world works. the programmers who do these things are not untouchable, nor do they go to the great lengths you describe to make themselves untouchable. why? because no one can do business and also be a puff of smoke at the same time. it's a balance you have to strike between being hard to find by the authorities and easy to find by your business interests. it's easy to be hard to find by the authorities. even when they see you, their hands are tied

    however, it is those very business interests i describe above whom you have to worry about more than the authorities

    you cannot do business with the underworld, and not also be made part of the underworld in the process. you fail to understand the dynamics of the situation these programmers are in. you fail to understand the mafia. if you deal with the mafia, and you yourself are doing something shady, the mafia simply moves into your turf. they will simply come to own you, one way or another, and there is absolutely nothing you can do about it

    get someone to protect you from them? who? the authorities? you're already illegal yourself. another mafia group? ok, fine: you're not dealing with the original evil a**holes who were threatening to coopt your life, but now you are dealing with another group of evil a**holes who have the same methodologies and goals, so you have the same problem. protect yourself? ok, now you have become the evil a**hole yourself. you have the stomach to threaten loved ones, put innocents in harm's way, deal in murder? it's a big step up from internet crime my friend. it's one thing to pilfer a moron's bank account. it's another thing to kill the 9 year old daughter of the mafia tycoon who won't leave your business alone

    in other words, deal with the devil, and the devil owns you, no matter what. you are not untouchable when you deal with the mafia and you also make money shady like they do and you do business with them. you have no relatives who can be threatened? you love no one in this world who can't be hurt or found?

    in short, you're rather naive about the subject matter you are commenting on. you really haven't the faintest clue about how vile these people are, the mafias of the world

    and, therefore, in a way, you are lucky, in your naivete, to be so blissfully unaware of these monsters in your midst. pray you stay that way, naive and clueless about how these types of organizations really operate. it's the best way to live your life. you really don't want to know about these guys, nor broadly boast about how untouchable you would make yourself from them via a few proxies. right, yeah. if you are doing shady work, and you are in business with them, and you are making a nice amount of cash, consider yourself pwned

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  10. Undernet, is that you? by HomelessInLaJolla · · Score: 2, Interesting

    At one point the 76service development/trial server was located at an ISP in Atlanta, Georgia, USA, the same city where SecureWorks is headquartered. A few days later, they moved to a server that appears to be located in the American Midwest (Texas, Oklahoma, or Kansas), but the server's IP address is in a block assigned to a company in Tampa, Florida, USA. They will likely move again soon. A google search on 76service shows this page.

    route 65.254.48.0/20 Proxy registered route object GNAXNET NET 65 254 32 0 1 GNAXNET NET 65 254 48 0 1 Global Net Access, LLC 55 Marietta St, NW Suite 1720 Atlanta, GA 30303

    and

    as3595 AS GNAXNET AS Global Net Access, LLC 1100 White Street Atlanta, GA 30310

    Who ran the Undernet's atlanta.ga.us.undernet.org server? Who worked for GNAX?
    --
    the NPG electrode was replaced with carbon blac