Video Screencast Help
Security Response

Trojan.Peacomm: Building a Peer-to-Peer Botnet

Created: 19 Jan 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:53:28 GMT
Amado Hidalgo's picture
0 0 Votes
Login to vote

Symantec Security Response has seen some moderate spamming of a new Trojan horse. The threat arrived in an email with an empty body and a variety of subjects such as:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text

The attachments may have any of the following filenames:
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe

The attachment is not a video clip, but a Trojan horse program, which Symantec heuristic technology already detected as Trojan.Packed.8. Today's LiveUpdate definitions detect it as Trojan.Peacomm. Users of Symantec’s Brightmail Anti-Spam are also protected from this spam email.

The executable drops a system driver (wincom32.sys, also detected as Trojan.Peacomm), which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique similar to Rustock (see Mimi Hoang’s blog and Elia Florio’s blog). However, in spite of its name, wincom32.sys driver is not a "real" rootkit as it does not hide its presence or its registry keys in the system.

Once the computer is infected, Trojan.Peacomm attempts to establish peer-to-peer communication on UDP port 4000 with a small list of IP addresses, in order to download and execute more malicious files. If you use a personal firewall with egress filtering, you will be notified that the services.exe process is attempting to connect to a remote address on this port. Symantec’s Threat Management System shows a spike in traffic for UDP port 4000:

udp-4000.jpg

When it manages to connect to any of these initial IP addresses, it receives a list of additional IP addresses of infected machines and adds them to its list of available peers, building up a distributed network to aid in the download of more malware. The Trojan also keeps a "blacklist" of unsuitable peers. Part of this encrypted P2P configuration is stored in a file peers.ini stored in the %System% folder.

Currently the malware being downloaded is as follows:

game0.exe: A downloader + rootkit component – detected as Trojan.Abwiz.F
game1.exe: Proxy Mail Relay for spam which opens port TCP 25 on the infected machine – detected as W32.Mixor.Q@mm
game2.exe: Mail Harvester which gathers mail addresses on the machine and post them as 1.JPG to a remote server – detected as W32.Mixor.Q@mm
game3.exe: W32.Mixor.Q@mm
game4.exe: It contacts a C&C server to download some configuration file – detected as W32.Mixor.Q@mm

From a malware writer’s point of view, this strategy of using peer-to-peer communication presents clear advantages over the traditional botnet method of one (or a few) Command & Control server(s). First and foremost, it minimizes the chances of losing the botnet if you "cut the head" by bringing down the C&C server or redirecting the traffic. It also helps spread the load that such downloads would impose on a single server.

You are advised to update your products to the latest available security updates from Symantec. We also recommend following the safe computing practices and exercising caution when opening emails.