Security Response

(Note: This blog was written on September 2. We decided to postpone publishing it due to an ongoing joint effort to shut down servers and block domain names. The variant studied is not the latest but accurately reflects the functionalities of the threat.)

Trojan.Bamital appeared in the summer of 2010. The threat really became prevalent at the beginning of 2011, shortly after the discovery of the B variant. Bamital hooks into various browsers in order to modify search results and redirect the user to advertisement links. In this blog, we’re going to dissect a recent variant of Bamital to understand how the click-fraud scheme is implemented.

Installation

Bamital comes as a UPX-packed executable. When executed, it drops two components to the %CommonFiles% folder...

W32.Virut is a Windows file infector that’s been around since 2006. It usually makes the top 10 in threat charts and therefore deserves regular scrutiny.

Analysis of recent variants show that changes were made to strengthen the communication protocol between the bots and the command and control server to prevent blacklisting, sinkholing, and hijacking of their command and control servers.

Virut connects to one of two IRC servers that act as the command and control servers (C&C) (note that they are currently ilo.brenz.pl and ant.trenz.pl). The IRC commands are usually encrypted and tunneled over TCP ports 80 or 443–used by HTTP and HTTPS respectively. The main commands sent by the C&C instruct bots to download and install additional malware.

Because these domains can be blacklisted or blocked, the first improvement...

We’ve published a detailed analysis of Sality in a whitepaper titled, “Sality: Story of a Peer-to-Peer Viral Network.”

Sality is a file infector that spreads by infecting executable files and by replicating itself across network shares. Infected hosts join a peer-to-peer network used to propagate malware on the compromised computer. Typically, those additional programs will be used to relay spam, proxy communications, steal private information, infect Web servers, or achieve distributed computing tasks, such as password cracking.

The combination of file infection mechanism and the fully decentralized peer-to-peer network, along with other anti-security measures, make Sality one of the most effective and resilient malware in today’s threat landscape. Estimations show than hundreds of thousands of computers are infected by the virus.

...

A few months ago, at least prior to February 7th, Sality operators pushed a new malware onto their P2P network of infected bots. The malware in question hooks into Internet Explorer using its standard COM interface, and gathers credentials submitted via web forms. February’s variant treated Facebook, Blogger, and Myspace logon information differently: on top of stealing and sending the username/password to a Command and Control (C&C) server, the information was also dumped to an encrypted file, onto the user’s compromised computer. At that time, the plausible guess was that these credentials would be used by upcoming malware – the Sality programmers are very imaginative.

This was confirmed last weekend. The newest Sality package contained a new malware, on top of their usual spam/web relays. The...