
Trojan.Bredolab

Risk Level 1: Very Low

Discovered:
May 28, 2009
Updated:
August 8, 2012 12:43:37 PM
Also Known As:
Troj/FakeAV-BYW [Sophos]
Type:
Trojan
Infection Length:
51,200 bytes
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
CVE References:
CVE-2006-0003, CVE-2008-1084, CVE-2008-2463
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Address blocking
2. Infection method
2.1 Drive-by download
2.2 Email
2.3 Websites
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Other functionality
4. Additional information



1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
It is possible to mitigate the risk of infection by being careful about clicking links found on websites, such as blogs and forums where there is potentially little control or quality checks on the content. Basic checks such as hovering with the mouse pointer over the link will normally show where the link leads to. Users can also check online website rating services such as safeweb.norton.com to see if the site is deemed safe to visit.

Users should be aware that email messages with malicious content may appear to have been sent by people known to them, and as such the fact that the sender is known does not guarantee the safety of any particular message. Users should exercise caution when opening attachments in email messages, especially if:
  • The sender is unknown or the message is unexpected
  • Given the sender, the characteristics of the email are unusual
  • The email contains a link to an unknown domain or an executable file

Essentially, users should avoid opening email attachments unless their authenticity can be verified.


1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and antivirus and firewall software are up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are made available.

This threat is known to exploit the following vulnerability in order to lower security settings on the compromised computer:
Microsoft Windows Kernel Usermode Callback Local Privilege Escalation Vulnerability (BID 28554)

The threat is also known to be spread by exploiting certain vulnerabilities. Installation of patches for the following vulnerabilities will reduce the risk to your computer:


1.3 Address blocking
This threat communicates with a remote control server. Block access to the following addresses using a firewall, router or add entries to the local hosts files to redirect the following addresses to 127.0.0.1:



2. INFECTION METHOD
Bredolab has been observed using the following two primary methods of distribution:
  • Drive-by download
  • Email


A more detailed description of how the threat employs these techniques is provided in the following sections.


2.1 Drive-by download
Trojan.Bredolab is known to be spread by websites that exploit known vulnerabilities in Web browsers and their associated plugins. These exploits are often served by exploit kits available in the underground market (e.g. Eleonore, Fragus, Phoenix) and as such need not necessarily be crafted by individuals with a high degree of technical ability. The exploits used by these kits may vary as they are modular by design. This means that the attackers can buy new exploits for their website as they become available for purchase.

A drive-by download may occur when a user visits a website that has been rigged to contain an exploit. The exploit causes malware to be downloaded on to the user's computer without his or her consent. This method can also use more than one exploit to target the following technologies in order to further its chance of success:
  • ActiveX
  • DirectShow
  • Flash
  • PDF
  • Snapshotviewer


Furthermore, a target computer is typically bombarded with many exploits until one succeeds in compromising it. In doing this, the attackers illustrate their determination to break into the computer by any means possible.


2.2 Email
The email distribution method employs social engineering tricks to convince the user to open the attachment of the email. All of the emails are crafted in such a way as to appear as legitimate as possible in order to deceive the user.

Several themes have thus far been witnessed, including offering the user free money, informing them of a delivery failure, or requesting that they update their Facebook password. It is also common for the threat to reuse these themes afterward. For example, around May of 2009, it used a theme where it posed as an invoice for a Western Union money transfer. Later on, at the end of August 2009, we started seeing the same theme being used again. It was another email pretending to be an email notice for a Western Union money transfer but with slight variations in the attachment name and message body.

The attachment is typically a .zip file. This should set off alarm bells among the more cautious of Internet users straight away. The .zip file typically contains an .exe file that has a common program icon, e.g. Microsoft Excel, Microsoft Word. The name of the .zip file is usually the same as the .exe file within it. The threat executes its payload once the .exe file is opened.





When it was found that Bredolab emails were coming from many different sources, it was suspected that the Bredolab emails were being sent out from compromised computers that have likely been infected by a spam bot or similar malware. In fact, due to the propensity of malware nowadays to 'help' each other in their propagation, there is a good possibility that there is more than one spam bot or malware distributing Bredolab emails, e.g. Trojan.Pandex (a.k.a. Pushdo/Cutwail).


Known topics used
The following are topics that Symantec have observed in use in emails propagating this threat family.
  • Western Union Free Money
  • UPS delivery failures
  • Shop.corsair.com shipping confirmations
  • Facebook password changes


The following are some representative samples of the types of emails that are used to help propagate this threat.





Subject
Western Union Transfer MTCN: [RANDOM NUMBER]


Email body
Dear client!

The money transfer you have sent on the 9th of April has not been received by the recipient.
Due to the Western Union agreement the transfers which are not collected in [NUMBER] business days are to be returned to sender.
To collect cash you need to print the invoice attached to this e-mail and visit the nearest Western Union branch.

Thank you!


Attachment
One of the following:





Subject
Postal Tracking #[RANDOM CHARACTERS AND NUMBERS]


Email body
Hello!

We were not able to deliver postal package you sent on the 14th of March in time
because the recipients address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America


Attachment
One of the following:


Subject
UPS Delivery problem NR 7861201


Email body
Dear customer!

We were not able to deliver the postal package which was sent on the 26th of April in time
because the addressee's address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America





Subject
UPS Tracking Number W1EYBUS


Email body
Hello!

We were not able to deliver the package which was sent on the 24th of July in time because the recipients address is incorrect.
Please print out the invoice copy attached and collect the package at our department.

Your United Parcel Service of America


Attachment
UPSNR_05fa2628.zip





Subject
Shipping confirmation for order 71766


Email body
Hi!

Thank you for shopping at our internet store!
We have successfully received your payment.
Your order has been shipped to your billing address.
You have ordered Apple iMac MB419LL.
You can find your tracking number in attached to the e-mail document.
Please print the label to get your package.

We hope you enjoy your order!
Shop.corsair.com


Attachment
One of the following:
  • D[NINE CHARACTERS].zip
  • M[EIGHT CHARACTERS].zip





Subject
One of the following:
  • Facebook Update Tool
  • Facebook account update
  • Facebook Account Update
  • Facebook Password Reset Confirmation.
  • Facebook Password Reset Confirmation. Customer Message.
  • Facebook Password Reset Confirmation. Customer Support.
  • Facebook Password Reset Confirmation. Important Message
  • Facebook Password Reset Confirmation. Support Message.
  • Facebook Password Reset Confirmation. Your Support.


Email body
Hey [EMAIL USER NAME],

Because of measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
The Facebook Team



Attachment
Facebook_Password_[FIVE RANDOM CHARACTERS].zip
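As an added example that is not part of the original writeup, here is a mail-gateway check built from the lure characteristics described above: a subject matching one of the listed themes, and a .zip attachment holding an executable that shares the archive's name. The subject patterns, finding strings and verdicts are my own construction; the sample zip is built in memory and contains no real executable.

```python
import io
import re
import zipfile

# Subject lines from the samples above, turned into patterns (my construction).
LURE_SUBJECTS = [
    re.compile(r"^Western Union Transfer MTCN: \d+$"),
    re.compile(r"^Postal Tracking #[A-Za-z0-9]+$"),
    re.compile(r"^UPS (Delivery problem NR \d+|Tracking Number [A-Z0-9]+)$"),
    re.compile(r"^Shipping confirmation for order \d+$"),
    re.compile(r"^Facebook (Update Tool|[Aa]ccount [Uu]pdate|Password Reset Confirmation\.)"),
]
# Attachment types the recommendations section says to block at the mail server.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".bat", ".vbs"}


def archive_findings(zip_name, zip_bytes):
    """Reasons a .zip attachment fits the lure: executable inside, same base name as the zip."""
    stem = zip_name.rsplit(".", 1)[0].lower()
    try:
        members = zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist()
    except zipfile.BadZipFile:
        return ["attachment is not a valid zip archive"]
    findings = []
    for member in members:
        base, dot, ext = member.rpartition(".")
        if dot and "." + ext.lower() in BLOCKED_EXT:
            findings.append(f"executable inside archive: {member}")
            if base.lower() == stem:
                findings.append("executable shares the archive's name")
    return findings


def classify(subject, attachments):
    """attachments is a list of (filename, bytes); returns (verdict, findings)."""
    findings = []
    if any(p.match(subject) for p in LURE_SUBJECTS):
        findings.append("subject matches a known lure theme")
    for name, data in attachments:
        if name.lower().endswith(".zip"):
            findings.extend(archive_findings(name, data))
    if any(f.startswith("executable") for f in findings):
        return "quarantine", findings  # executable in a zip: block regardless of subject
    return ("flag" if findings else "deliver"), findings


def build_zip(member_name, payload):
    """Build an in-memory zip; used only to construct sample input for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()
```

Calling `classify("UPS Tracking Number W1EYBUS", [("UPSNR_05fa2628.zip", build_zip("UPSNR_05fa2628.exe", b"constructed"))])` reproduces the UPS sample above and returns a quarantine verdict with three findings.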


2.3 Websites

The following addresses have been known to host or facilitate the spreading of this threat family.

The following vulnerabilities have been used in spreading this threat through websites:



3. FUNCTIONALITY

The primary function of this threat is to download more malware on to the compromised computer.





Once the Trojan is executed, it opens communication with a remote command and control (C&C) server. All communication is encoded in order to avoid attracting attention and triggering antivirus detection. It then sends a request to download files (which it calls entities) from this server. The files are then either executed immediately or saved to the following location and then executed:

%Windir%\Temp\wpv[TWO RANDOM DIGITS][ENTITY ID].exe

Note: Where [ENTITY ID] is a ten-digit decimal number that the threat assigns to each file that is downloaded in order to identify and keep track of it.

A report is then sent to the remote controller about which files executed successfully. This information is stored in one of the following log files created by the threat:

  • C:\Documents and Settings\All Users\Application Data\wiaserv[ONE ALPHABETIC CHARACTER].log
  • C:\Documents and Settings\All Users\Application Data\wiaserv[TWO ALPHABETIC CHARACTERS].log


Example names used by the threat for the log files include:
  • wiaserva.log
  • wiaservg.log
  • wiaservim.log
  • wiaserviv.log


The log files contain the [ENTITY ID] of each downloaded file along with four flags. The flags indicate the following four possible states of the file:

  • First execution success
  • First execution fail
  • Further execution success
  • Further execution fail


By recording this information, Bredolab can tell whether a downloaded file has been successfully installed on the compromised computer or whether it should re-attempt to download the malicious file.

Some of the threats that Bredolab has been observed installing include:


3.1 System modifications
The following side effects may be observed on computers compromised by members of this threat family.

Note: Side effects created by associated threats are not included in this report.


Files created
Often, the threat attempts to pose as a legitimate file and modify the Windows registry to run the impostor file. For example, it may copy itself to one of the following locations:
  • %System%\wbem\grpconv.exe
  • %System%\wbem\proquota.exe


It may also copy itself to one of the following locations:
  • %System%\[THREAT FILE NAME].dll
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\[THREAT FILE NAME]


Files deleted
It may then delete some of the following files:
  • %System%\grpconv.exe
  • %System%\dllcache\grpconv.exe
  • %System%\proquota.exe
  • %System%\dllcache\proquota.exe


Files/folders modified
None


Registry entries created
The threat may then create some of the following registry entries so that the corresponding threat file runs whenever Windows starts:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"RunGrpConv" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"EnableProfileQuota" = "1"


Registry subkeys/entries deleted
None


Registry entries modified (final values given)
The threat may modify the following registry entries so that the corresponding threat file runs whenever Windows starts:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\"SecurityProviders" = "[ORIGINAL VALUE OF DLL FILES], [THREAT FILE NAME]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\"SecurityProviders" = "[ORIGINAL VALUE OF DLL FILES], [THREAT FILE NAME]"


Processes
The threat attempts to inject itself into the following processes:
  • explorer.exe
  • svchost.exe
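As an added example (not from the Symantec writeup and not code from the threat), the following Python script triages the indicators from sections 3 and 3.1 offline: it parses a registry export (as produced by `reg export`) and a recursive file listing (as from `dir /s /b`) collected from a suspect host, and reports the HKCU autorun values, an extra SecurityProviders entry, impostor copies under wbem, the wiaserv*.log and wpv*.exe files, and a deleted original. The embedded exports are constructed, and the clean SecurityProviders baseline is an assumption.

```python
import re

# HKCU values the writeup says the threat creates so its impostor file runs at logon.
AUTORUN_VALUES = {
    (r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon", "rungrpconv"): "1",
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", "enableprofilequota"): "1",
}
# SecurityProviders is a comma-separated DLL list the threat appends its own file name to;
# the clean baseline is an assumption (Windows XP default), adjust per Windows version.
SECPROV_KEY = re.compile(r"^hkey_local_machine\\system\\(controlset\d+|currentcontrolset)\\control\\securityproviders$")
KNOWN_SECPROV = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
# File indicators from sections 3 and 3.1, matched against a lowercased recursive listing.
FILE_RULES = [
    (re.compile(r"\\system32\\wbem\\(grpconv|proquota)\.exe$"), "impostor copy in wbem"),
    (re.compile(r"\\all users\\application data\\wiaserv[a-z]{1,2}\.log$"), "entity-tracking log"),
    (re.compile(r"\\temp\\wpv\d{2}\d{10}\.exe$"), "downloaded entity"),
]
ORIGINALS = [r"\system32\grpconv.exe", r"\system32\proquota.exe"]


def parse_reg(text):
    """Parse a .reg export into {(key, value_name): data}, lowercasing key and name."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            values[(key, name.strip('"').lower())] = data.strip().strip('"')
    return values


def triage(reg_text, file_listing):
    """Return the sorted, de-duplicated list of Bredolab indicators found in both exports."""
    hits, reg = [], parse_reg(reg_text)
    for (key, name), expected in AUTORUN_VALUES.items():
        if reg.get((key, name)) == expected:
            hits.append(f"registry autorun: {name}={expected}")
    for (key, name), data in reg.items():
        if name == "securityproviders" and SECPROV_KEY.match(key):
            for dll in sorted({d.strip().lower() for d in data.split(",")} - KNOWN_SECPROV):
                hits.append(f"unexpected SecurityProviders entry: {dll}")
    paths = [p.strip().lower() for p in file_listing.splitlines() if p.strip()]
    for path in paths:
        for rule, label in FILE_RULES:
            if rule.search(path):
                hits.append(f"{label}: {path}")
    # The threat deletes the genuine grpconv.exe/proquota.exe after dropping its copies, so a
    # missing original is reported only once an impostor copy has been seen.
    if any(h.startswith("impostor") for h in hits):
        for orig in ORIGINALS:
            if not any(p.endswith(orig) for p in paths):
                hits.append(f"original missing: {orig}")
    return sorted(set(hits))


# Constructed sample exports (not real captures) representing one compromised host.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"RunGrpConv"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, bredolab_sample.dll"
"""
SAMPLE_FILES = r"""C:\WINDOWS\system32\wbem\grpconv.exe
C:\WINDOWS\system32\proquota.exe
C:\WINDOWS\Temp\wpv171234567890.exe
C:\Documents and Settings\All Users\Application Data\wiaservg.log
"""
```

`triage(SAMPLE_REG, SAMPLE_FILES)` returns six hits for the constructed host, including the missing original grpconv.exe; on a real case, feed it the two exports taken from the suspect machine.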


3.2 Network activity
The threat may perform the following network activities.


Communications with a command and control (C&C) server
When the threat executes, it opens communication with a C&C server. The Trojan sends a request to download files on to the compromised computer. It then sends a report back to the remote server detailing the success or failure of downloading each of the files. The following addresses have been known to be associated with this threat:



3.3 Other functionality


Multiple layers of packing

Bredolab is frequently repackaged to evade detection by antivirus software. A different distribution and packing scheme is used depending on the infection vector being used to spread the threat.

The packing scheme used for emails generally differs from the scheme used for website-based infections. Furthermore, it is likely that several distribution teams are used for both infection vectors. Each team may employ different additional steps to add further obfuscation to the final product file. This results in files with several layers of armor, which help the threat evade packer-based detections.

Initially, Bredolab is packed with UPX. It is then embedded into an injector component, which is also packed with UPX. This pre-packed threat is then sent to the distribution teams. A different distribution team is used depending on the delivery method, i.e. either email or drive-by download.

When distributed using email, the Trojan is typically packed using custom packers that are armored with anti-debugging and anti-emulation code. It also uses encryption to further obfuscate itself and some of its data. Once the Trojan has been re-packaged with different characteristics and encryption, it is then distributed through spam email.

However, when distributed through a website, the threat is usually coupled with server-side polymorphism: each time the threat is requested from the server, it is made to appear different at the code level. This technique ensures that different versions of the threat are constantly being released whenever a user visits a site hosting the threat.


Detecting Virtual Machines
Newer versions of Bredolab are now utilizing techniques to determine whether they are executing within a virtual environment. This can be done by searching for the following files:
  • %System%\drivers\hgfs.sys
  • %System%\drivers\vmhgfs.sys
  • %System%\drivers\prleth.sys


It also checks for the string "VBOX" in the following registry subkey:
HKEY_LOCAL_MACHINE\HARDWARE\Description\System\SystemBiosVersion

Each of the above indicators generally confirms the presence of a virtual environment, which may mean that the threat is being executed and analyzed within one. If so, the Trojan is likely being analyzed by an antivirus software engineer rather than running on a computer it can manipulate for its own purposes. Therefore, if the Trojan detects that it is executing within a virtual environment, it crashes the computer by simulating the termination of a system-critical process, thereby attempting to prevent any analysis of the threat.


Other protection methods
Another technique the threat uses to avoid detection is to remove all possible hooks on user-mode and kernel-mode functions. It then injects itself into either the explorer.exe or svchost.exe process. By doing this, the threat poses as a legitimate process and attempts to continue executing undetected.

Bredolab also uses a "forced exception" technique, whereby the threat purposely causes an exception to occur in its code. This can be used to determine whether it is executing under a debugger. If it is being debugged, it quits; otherwise, it continues its execution.

Similarly, "dummy" (do-nothing) instructions are also used to mislead signature-based detections.


Bredolab vs. Zbot
A new variant of Bredolab has been observed disabling the Zbot family of Trojans. The Bredolab sample searches for a list of file names known to be associated with Zbot and moves them to another location, thereby disabling it. It is not doing this in a benevolent way as Bredolab is equally as malicious as the Zbot family. In fact, the reason for doing it is more than likely because Zbot is preventing Bredolab from dominating control of the compromised computer.



4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Éamonn Young, Mario Ballano, and Takashi Katsuki