Trojan.Peacomm: Building a Peer-to-Peer Botnet
Symantec Security Response has seen some moderate spamming of a new Trojan horse. The threat arrived in an email with an empty body and a variety of subjects such as:
A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text
The attachments may have any of the following filenames:
The attachment is not a video clip, but a Trojan horse program, which Symantec heuristic technology already detected as Trojan.Packed.8. Today's LiveUpdate definitions detect it as Trojan.Peacomm. Users of Symantec’s Brightmail Anti-Spam are also protected from this spam email.
The executable drops a system driver (wincom32.sys, also detected as Trojan.Peacomm), which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique similar to Rustock (see Mimi Hoang’s blog and Elia Florio’s blog). However, in spite of its name, wincom32.sys driver is not a "real" rootkit as it does not hide its presence or its registry keys in the system.
Once the computer is infected, Trojan.Peacomm attempts to establish peer-to-peer communication on UDP port 4000 with a small list of IP addresses, in order to download and execute more malicious files. If you use a personal firewall with egress filtering, you will be notified that the services.exe process is attempting to connect to a remote address on this port. Symantec’s Threat Management System shows a spike in traffic for UDP port 4000:
When it manages to connect to any of these initial IP addresses, it receives a list of additional IP addresses of infected machines and adds them to its list of available peers, building up a distributed network to aid in the download of more malware. The Trojan also keeps a "blacklist" of unsuitable peers. Part of this encrypted P2P configuration is stored in a file peers.ini stored in the %System% folder.
Currently the malware being downloaded is as follows:
game0.exe: A downloader + rootkit component – detected as Trojan.Abwiz.F
game1.exe: Proxy Mail Relay for spam which opens port TCP 25 on the infected machine – detected as W32.Mixor.Q@mm
game2.exe: Mail Harvester which gathers mail addresses on the machine and post them as 1.JPG to a remote server – detected as W32.Mixor.Q@mm
game4.exe: It contacts a C&C server to download some configuration file – detected as W32.Mixor.Q@mm
From a malware writer’s point of view, this strategy of using peer-to-peer communication presents clear advantages over the traditional botnet method of one (or a few) Command & Control server(s). First and foremost, it minimizes the chances of losing the botnet if you "cut the head" by bringing down the C&C server or redirecting the traffic. It also helps spread the load that such downloads would impose on a single server.
You are advised to update your products to the latest available security updates from Symantec. We also recommend following the safe computing practices and exercising caution when opening emails.