Introducing Trojan.Badlib: A Malware Distribution Network
Technical analysis: Poul Jensen, Illustrations: Ben Nahorney
It is a given that many malicious software threats seen today will download additional software components to perform various activities. With the transition from malware for fun to profit-driven malware and the connected nature of the computer-using population, it is not unusual to see malware threats download other files onto the compromised computers. While there is much public discussion lately about advanced persistent threats (APT) that also make use of software-downloading techniques to augment their capabilities, there are also other malware threats doing the rounds that are not so concerned about industrial espionage and issues of national security. Perhaps it is because the likes of Trojan.Badlib do not necessarily target these types of high-value information that they may be considered of lesser interest. That does not take away from the fact that the Badlib family is an interesting group in its own right.
Essentially Trojan.Badlib acts like a malware distribution network. Its purpose is to deliver a range of malware onto suitable computers to carry out specific tasks. When it is first installed on a computer, it will check whether the computer has an Internet connection. If there is a connection, it will proceed to contact a control server from a predetermine list of addresses hard-coded into the Trojan. The domains we have seen being contacted by Badlib are as follows:
If these addresses are unreachable, the Trojan also has a default list of IPs that it can try. When contacted initially, the remote servers will register the infection and respond with details of where additional “software” should be downloaded and installed. The response looks something like this:
1|http://free-pac.net /loader20_lite.exe|5736774043355154445315117528586244028140129869149580292800496 943763799653127456287406420816614138608268600797370579065744143954205
The details of the response are as follows:
- Number of files to download
- URL to download the file
- Digital Signature Algorithm (DSA) of the file, which is verified before it runs the software. This is likely to prevent the botnet from being hijacked, since the Badlib component will check the signature first.
The motley collection of malicious software that comes from being compromised by this malware family is currently Trojan.Badfaker, Trojan.Badminer, and Infostealer.Badface. These variants perform three distinct functions which are detailed below:
It doesn’t matter which one of these variants you initially encounter. One sample will invariably download the other components over time until you have the full collection.
It’s Fake AV, but not as we know it
One version of the downloaded software is known as Trojan.Badfaker. What Badfaker does is to attempt to disable security software and then attempt to hide the fact that the software is disabled. Initially when we first saw this, we thought that this was just like a traditional rogue antivirus that attempts to report fake threats and ask for payment to remove the threats. However, on closer inspection we found that the real purpose of this threat is to disable any active security software and then perform activities to make it appear as if the security software is still active. This is done to ensure its survival, as well as the other malicious components which may subsequently be downloaded onto the computer.
It goes about this by performing a scan to try to determine what, if any, security software is running on the computer. It searches for running processes associated with security software. It also attempts to collect details about installed security software by using the Windows Control Panel function. Once it has determined what software is installed, it modifies Windows to boot into safe mode when it next boots up. When booted into safe mode, it attempts to delete files and folders belonging to the security software that was discovered prior to rebooting. In the process of removing the security software, it makes a note of what is being deleted and extracts the icon from the executable file before deletion. It then displays this icon on the system tray to make it appear as if the security software is still running.
It also disables the Windows Firewall and warnings from Microsoft Security Center so that the user is not warned if the firewall is not turned on or if there is no antivirus software running. Finally, it even displays false warnings of security threats with poorly branded dialog boxes to make it appear that the installed antivirus software is still able to detect threats. The Trojan contains a collection of bitmap images targeting a wide range of security product vendors, these images are for the purpose of masquerading as the disabled security software.
Examples of poorly branded dialog box headers used by Trojan.Badfaker.
Enslaving your GPU to enrich the attacker
Another piece of malware that it may download to the computer is detected by Symantec as Trojan.Badminer. Badminer takes the dubious honor of being the first piece of malware seen to be using GPUs for the purpose of bitcoin mining. The advantage for the malware author in using GPUs for bitcoin mining is that modern GPUs can typically outperform CPUs in bitcoin mining by a massive margin. Just how much quicker and the earning potential of using a GPU for bitcoin mining is discussed in another blog published by Poul Jensen.
The fact that this type of bitcoin mining Trojan is being distributed by the Badlib network provides a clue towards the motives of the people behind this malware family. Generating bitcoins is an interesting choice for trying to earn money—it steals your hardware performance rather than real money.
Facing up to data loss
Yet another piece of software distributed by Badlib is Infostealer.Badface. The purpose of Badface is to steal user account details from several popular social networking sites, including some Russian-based sites. The social networking sites targeted by this threat serve a user base that totals over 900 million users,. To put it another way, the potential user base is roughly equivalent to the population of North and South America combined. The Trojan works by installing a local pass-thru Web server on the compromised computer and then modifies the hosts file to redirect a long list of social networking site addresses to the local host IP. This means that any requests for the addresses affected will first be directed to the local Web server that is installed by Badface.
127.0.0.1 facebook.com 127.0.0.1 fa-ir.facebook.com 127.0.0.1 fb-lt.facebook.com 127.0.0.1 fi-fi.facebook.com 127.0.0.1 fo-fo.facebook.com
Extracts from the hosts file entries created by Infostealer.Badface
The local Web server acts as a proxy so it receives the requests from the browser, extracts whatever information is required and then passes on the request to the destination server. By using this scheme, the attackers can “sniff” user credentials as they are being sent by the user.
Facebook.com is being served up from the localhost. Data will be sent to both and the process is transparent to the end user.
In terms of making money from this scheme, there is a thriving market for active and verified user accounts for various social networking sites. For example it was noted in an article posted by the BBC last year that 1.5 million accounts for one of the most popular social networking sites were for sale—$45 per batch of 1000—on a Russian forum. Many of the sale offers and requests for accounts are made in various forums and freelance work websites around the world. Like any traded commodity, the accounts are also graded in terms of quality with low quality accounts changing hands for a lot less than high-grade active or phone-verified accounts.
For example, one forum posting from earlier in 2011 offered phone verified accounts for a popular social network at a $1.50 each. A whole ecosystem is in place where there are people offering various tools and services needed for anybody wanting to procure social networking accounts. Accounts that are bought can then be used for various revenue-generating purposes, such as advertisements, survey scams, spreading pay-per-install malware, and so forth.
Forum posting offering accounts for various websites for sale.
If we take a hypothetical scenario where a fraction of the potential user base for these social networking sites have their credentials stolen and sold by the group behind Badlib, they stand to earn a serious amount of cash.
900,000,000 * 0.001 = 900,000 users
If they are sold at the same price in batches of 1000’s as reported by the BBC, the amount involved would look like:
(900,000 / 1000) * 45 = $40,500
Of course, if the quality of the accounts is high, they could sell them for even more.
Bilingual malware threats are not a new phenomenon; many worms in the past have sent emails in several different languages. For example, W32.Yimfoca.B sent IM messages in many different languages. Being bilingual is another feature of Trojan.Badlib. From what we have seen, its components appear to support two languages: English and Russian. When Badfaker pops up messages, the messages it displays will depend on whether or not the computer is using a Russian locale. If it’s not Russian, it will display an English message.
Given the domains used, the bilingual nature of the Trojan, the targets of its information theft activity and the locations of the computers specified in command-and-control traffic, it would appear to suggest that this malware is of Russian or Eastern European origin. Out of a sample of IP addresses, the majority of them appear to be located in Russia and Ukraine with a few in other countries.
There you have it. Trojan.Badlib and its collection of multi-faceted variants in a one shell. We know that the current Badlib trojans mine for bitcoins and steals social networking credentials, but there is no way to tell which way it will develop in the future. As we already noted, Badlib is a malware distribution network. The people behind such malware threats often target whatever money-making schemes they can find. This means that what it downloads will often change, when its masters decide to latch onto new money making ventures. When that happens we will likely see new variants hit the virtual streets with the new functionalities. Whatever they choose to do, we will be keeping a close eye on them on your behalf.