Posted on behalf of Tony Millington (Malware Operations Engineer, Symantec Hosted Services), with contributions from Dan Bleaken (Malware Data Analyst, Symantec Hosted Services)
Today we saw a targeted attack against seven different companies via email, sent mostly to Public Sector addresses but also to the Education Sector. The attack began on February 16. That we saw a targeted attack at all is not particularly interesting; we see targeted attacks every day, and in January 2010 alone we stopped 1,976 confirmed targeted emails. What makes this attack interesting is that it uses the Bredolab malware as the payload in the email.
Bredolab is usually spammed out in vast quantities using the Cutwail botnet (one of the largest botnets currently in operation), and uses many techniques to trick people into running the executable. The most common technique has been the DHL/UPS scam, in which the email states that a package could not be delivered and that the recipient should open the attached document for more information. The "document" is actually an executable with a double extension such as .doc.exe, which relies on the recipient reading only the first extension (and on Windows hiding known extensions by default). Once the executable is opened, another file is dropped onto the computer and the local firewall is turned off. Further malicious files may then be installed by the controllers of Bredolab, who may also sell or rent control of that computer to other cyber criminals.
Bredolab-controlled PCs have most commonly been used to recruit the machine into other botnets (one means by which bot-herders grow their botnets), or to install rogue or fake security software, leading to pop-ups and fake virus alerts that trick the victim into paying $50 or more for what they believe to be anti-virus software. In fact Bredolab is so flexible that it may conceivably be used to perform any task its controllers wish.
This latest example is a little different, however. Firstly, it was targeted at very specific recipients, as mentioned above, rather than being spammed indiscriminately in large volumes. Secondly, the malicious file in the email is indeed a variant of Bredolab, with exactly the same characteristics, except that the files it subsequently downloads are not the usual Bredolab fare. They are, in fact, data stealers, and very few anti-virus vendors identified the downloaded files at the time of writing (see below).
We also investigated the characteristics of the emails. One thing that is very common to targeted attacks is that they are often sent from free, online webmail accounts rather than directly from botnets. These accounts are likely to have been established in advance, perhaps through CAPTCHA-breaking, or they may be compromised legitimate accounts. It is relatively easy for attackers to purchase fake, CAPTCHA-broken webmail accounts through the underground economy for perhaps $30-40 per 1,000 accounts. A buyer may purchase tens of thousands of accounts in this way in preparation for a malicious attack. These accounts are either used manually (Nigerian 419 scammer style) or used en masse through botnets to send spam (the more likely approach when a large number of accounts are used in a single attack).
This particular example used one of the more popular free webmail services and, as is often the case, the email headers reveal the connecting IP address of the sender (the address from which the webmail session was opened, not the webmail provider's own mail servers). By analysing these addresses, we can see that the messages were actually submitted from all over the world.
Many of the IP addresses used in sending these attacks have also been used to send a variety of other spam and malware during the past few months, under the control of a variety of different botnets, not just Cutwail. It is now clear that most of the machines behind these IP addresses have been the victims of previous malicious attacks and have themselves become infected and used for criminal activity. The recent sending of Bredolab-laden targeted attacks is just the latest in a long line of abuse for the owners of these PCs.
The fact that the connections come from all over the world strongly indicates that some form of botnet is being used to connect to the webmail service and send these malicious emails. At the moment we are not certain which botnet, but it is highly likely to be linked to Cutwail, as virtually all the other Bredolab attacks we have seen originate from Cutwail.
Sending malware through a free webmail service adds a certain level of legitimacy and can make it harder for traditional security software to identify an email as malicious, because the email headers and SMTP conversation have all of the normal, legitimate webmail characteristics. If the attacker sends mail directly from a botnet, they usually rely on some form of spoofing, and it is much easier to detect and block those emails. Nevertheless, there are still many suspicious characteristics that we can pick up on. For example, here the attackers filled in the To: header incorrectly with a webmail address, when in fact most of the messages were actually addressed (in the SMTP envelope) to bona fide Public Sector or Education Sector email addresses; a To: header that does not match the real recipient is a simple but effective signal.
The Subject of the mail may give the appearance of being benign, but it is actually quite interesting. We often find that targeted attacks try to employ political themes or topics as subjects and filenames. However, just as often they use completely benign references that may only mean something to the intended recipient. Words like 'Invitation', 'Conference' and 'Resume' are often used to entice the recipient into opening the mail.
The filename often follows the same format, for example 'Description CIO Conference Annex 1.scr'. In this case, the email is talking about a conference that the recipient is invited to, which looks innocent enough; however, alarm bells should be ringing at the '.scr' extension of the attached file. A .scr file is a Windows screensaver, which is simply an ordinary executable under another name. Many non-technical people may not recognize this, and because Windows hides known file extensions by default, many will not see the '.scr' at all.
The actual attachment is a .zip file; the malicious '.scr' file is contained within it along with an Office document. The Office document is completely safe and contains no malicious code; it is just a copy of the contents of the email body with a nicely formatted header, presumably included to make the archive look legitimate.
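The three header and attachment signals described above (a To: header whose domain does not match the real envelope recipient, a connecting IP recorded by the webmail provider, and a ZIP that carries an executable such as a .scr or a double-extension .doc.exe next to a decoy document) are easy to check mechanically. The following is an added example, not code from the original post or from Symantec; it builds a constructed lure modelled on the one described here (the addresses, the 203.0.113.45 IP and the Received: line are all made up) and runs the checks over it. It assumes the webmail provider records the submitting client's IP in an X-Originating-IP header or, failing that, in the first-hop Received: header; which header a given provider uses varies.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute directly on double-click. Only the *final*
# extension matters, so 'Invoice.doc.exe' and 'Annex 1.scr' both count.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_executable_name(name):
    """True when the file's final extension is one Windows runs as a program."""
    if "." not in name:
        return False
    return ("." + name.rsplit(".", 1)[-1].lower()) in EXECUTABLE_EXTENSIONS


def executable_members(zip_bytes):
    """Names of ZIP members that are executables (decoy documents are ignored)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_executable_name(n)]


def originating_ip(msg):
    """Connecting IP of the webmail session, if the provider recorded it."""
    xoip = msg.get("X-Originating-IP")          # assumption: provider adds this
    if xoip:
        return str(xoip).strip("[] ")
    # Otherwise use the bottom-most Received: line (the first hop) and pull the
    # bracketed IPv4 address from it.
    for hop in reversed(msg.get_all("Received", [])):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hop))
        if m:
            return m.group(1)
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def analyse(raw_bytes, envelope_rcpt):
    """Return the originating IP and a list of suspicious findings for one message.

    envelope_rcpt is the RCPT TO address seen at the gateway, which is the real
    destination regardless of what the To: header claims.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    m = re.search(r"[\w.+-]+@[\w.-]+", str(msg.get("To", "")))
    to_addr = m.group(0) if m else ""
    if to_addr and domain_of(to_addr) != domain_of(envelope_rcpt):
        findings.append("to_header_mismatch")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip") and payload[:2] == b"PK":
            if executable_members(payload):
                findings.append("executable_in_zip")
        elif is_executable_name(fname):
            findings.append("executable_attachment")
    return {"originating_ip": originating_ip(msg), "findings": findings}


def build_sample():
    """Constructed lure resembling the one in the post; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Description CIO Conference Annex 1.doc", b"harmless copy of the mail body")
        zf.writestr("Description CIO Conference Annex 1.scr", b"MZ" + b"\x00" * 30)  # fake PE stub
    msg = EmailMessage()
    msg["Received"] = "from [203.0.113.45] by mail.webmail.example with HTTP; Tue, 16 Feb 2010 09:12:00 +0000"
    msg["From"] = "organiser@webmail.example"
    msg["To"] = "organiser@webmail.example"     # spoofed: not the real recipient
    msg["Subject"] = "Invitation: CIO Conference"
    msg.set_content("Please find attached the details of the CIO Conference.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Description CIO Conference Annex 1.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    # The gateway knows the real recipient from the SMTP envelope.
    print(analyse(build_sample(), "j.smith@council.gov.example"))
```

The envelope recipient has to come from the SMTP transaction (or the Delivered-To / X-Original-To header your MTA adds), not from the message headers, because the To: header is exactly the thing the attacker controls. The archive check inspects member names only; a gateway that can afford it should also look at the member bytes, since a renamed executable still starts with an MZ header.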
The malicious code connects to a web server on the Internet in order to download additional malicious software and to upload information stolen from the compromised computer, which the criminals can collect later. The domain of the website appears to have been up and down periodically; for example, this morning we connected with no problem, by the afternoon we could not connect, and after a while it was back up again. Any sandbox or reputation check that happens to run during a down period will therefore see a harmless-looking connection failure rather than the second-stage download.
The commercial scanner detection for the downloaded files at the time of writing was as follows:
pinch_c1.exe: 5 vendors detected it as malicious or suspicious.
1.exe: 3 vendors detected it as malicious or suspicious.
The commercial scanner detection for the malicious attachment in the email at the time of writing was as follows: 9 vendors detected it as malicious or suspicious.
Skeptic (tm) stopped all samples of this with its proactive heuristic engine, which, unlike traditional signature-based detection, performs deep analysis of files and applies thousands of predictive detection techniques to block new malware at first sight.