1. /
  2. Security Response/
  3. Trojan.Downbot

Trojan.Downbot

Risk Level 1: Very Low

Discovered:
May 24, 2011
Updated:
May 24, 2011 1:12:48 PM
Also Known As:
Troj/Dalbot-A [Sophos]
Type:
Trojan
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
CVE References:
CVE-2009-3129, CVE-2011-0611
1. Prevention and avoidance
1.1 Ensure antivirus is up-to-date and active
1.2 Use IPS

1.3 Use email filtering

1.4 Patch operating system and software

1.5 User awareness

2. Infection method

2.1 Email containing a link

2.2 Email with attachments

3. Functionality

3.1 Use of Steganography

3.2 Hiding commands in HTML

3.3 Opens a back door

3.4 System modifications

3.5 Network activity

4. Additional information




1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 Ensure antivirus is up-to-date and active
Symantec has detected many of the older versions of these threats as Backdoor.Trojan, Downloader, and Trojan Horse, but more recent samples (as of May 2011) have been grouped into the Trojan.Downbot family. Symantec reputation-based detection technologies are also able to proactively protect against many of the files used in these attacks.


1.2 Use IPS
In addition to standard antivirus detections, Symantec also has IPS signatures that can help to prevent such attacks. Some are geared towards prevention of remote exploitation, back channel communications, and file downloads.


1.3 Use email filtering
Email filter services such as BrightMail or Symantec MessageLabs Email Security.cloud can help to filter out potential targeted attack emails before they can reach the intended users.


1.4 Patch operating system and software
Many of these attacks often start with a file containing exploit code. In most cases the exploits are for vulnerabilities that are already patched. It is therefore wise to ensure that operating systems and any installed software are fully patched. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.

This threat is known to use certain vulnerabilities. Installation of the following patches will reduce the risk to your computer:


1.5 User awareness
In many cases the users can often be the weakest link. This is the reason why social engineering is a method of attack that is always used. The emails sent in these attacks follow the typical targeted attack modus operandi - that is they contain some subject or topic that may be of interest to the recipient, such as rosters, contact lists, budgets, and so forth. They contain an attachment as part of a social engineering ploy.

The attached files are typically Microsoft Office files such as Word documents, Excel spreadsheets, PowerPoint presentations, and PDF documents have also been used. These files are loaded with exploit code, so that when the user opens the file, the exploit code is executed resulting in the computer becoming compromised. While email filtering and file scanning can help to reduce risk, education and awareness programs can also play a major part to help to reduce the risk of this type of attacks.



2. INFECTION METHOD
To date, the only attack vector known to Symantec is through email. Two distinct patterns of email have been observed. These are:
  • Email with a link to a self extracting archive (SFX)
  • Email with an attached file that contains exploit code

Both email types may deliver a variant of this Trojan.


2.1 Email containing a link
These attacks do not employ any exploits or sophisticated techniques. An email from a free email provider is sent to the target. The email sender may purport to be from the same organization as the target, but is using their personal rather than corporate email account. The email uses basic social engineering, linking to an executable file with a suggestive name. The executable downloaded is a self extracting archive with a Word/Excel or folder icon. When executed it drops the a copy of Trojan.Downbot.


2.2 Email with attachments
A more sophisticated variant of this attack was intercepted by the Symantec MessageLabs Email Security.cloud service. These emails were not sent from a free email address but instead from within a corporate network. In this scenario, the attacker had previously compromised the corporate network and was using it as a staging point from which to launch further attacks on a more secure network. In addition, the email sent does not contain a link to a SFX archive, a file is attached instead.





In instance, an XLS file containing an exploit using the Microsoft Excel 'FEATHEADER' Record Remote Code Execution Vulnerability (BID 36945) (detected by Bloodhound.Exploit.306) was used. Once the file is opened on an un-patched computer, a clean copy of an Excel file is dropped and opened so that the user is not suspicious. The main Trojan executable is also dropped and executed. One possible tell-tale sign of this exploit is that Excel appears to hang for a short time before it resumes, and the application may even crash and restart.


Subject

The following subjects were some of those observed in these attacks.
  • Obituary Notice
  • Contact List Update
  • Updated Roster [DATE IN YYYYMMDD FORMAT]
  • F-16 Sale


Attachment
The following attachment names were also observed.
  • XXXXX_Kickoff_Meeting_Minutes_Update.exe
  • press_releases_doc.doc.exe
  • ReferencefortheInformalWorkshop.exe
  • Salary_Admin_Worksheet.exe
  • The16thAsianGames.exe
  • nato_countries.xls
  • Participant_Contacts.xls
  • 2011 project budget.xls
  • Contact List -Update.xls
  • The budget justification.xls
  • Conference_Draft_Agenda_May_2011.pdf
  • The economic impact of military expenditures.pdf
  • DECLARATION- COMMENTS-Netherlands.pdf


Known topics used
The following are some of the topics that Symantec have observed in use in the emails associated with this Trojan.
  • Meetings
  • Salary accounts
  • Games



3. FUNCTIONALITY

For the most part, the Shady Rat attacks are not particularly sophisticated, relying on basic social engineering and older exploits which are still effective. The attacks consists of three stages, targeted email, initial infection, and comprehensive back door. The final stage of installing a back door allows the attacker to assume a high level of control over the compromised computer.


3.1 Use of Steganography
Steganography is a form of communication whereby the existence of a message is only known to the sender and the intended recipient. The message is hidden in some other format that has a different appearance to any other observer. In the case of Trojan.Downbot, the Trojan downloads content that appears to be legitimate images or Web pages.

While this downloaded content may look perfectly innocent, they contain hidden commands that are extracted and interpreted by the Trojan that instructs it to perform various actions.

Images found on the command and control servers included pictures of women, Egyptian scenes and cartoon like images of landscapes. All those these were found to contain extra bytes embedded inside them for use as instructions.









3.2 Hiding commands in HTML
Additionally, web pages such as an Under Construction page were also found to contain embedded HTML commands representing commands.



The web page that the Trojan retrieves contain a comment at the top of the HTML code.




This comment is actually an encrypted command that can be processed by the Trojan. The instruction may be one of the following actions:
  • Download a file from a URL and save it to %Temp%\[FILE NAME], then execute the file
  • Sleep for a specified number of minutes
  • Connect to an IP address on a specified port (open a back door on the computer)

Command and control servers associated with Trojan.Downbot.B stores its commands in custom HTML tags instead of comments. The encrypted instructions are store in the tag attributes.

<yahoo [COMMAND]="[ENCRYPTED INSTRUCTIONS]"></yahoo>

Where [COMMAND] is one of the following:
  • ex
  • sb

For example:
<yahoo sb="h|Pkv|nWLCnW3ksL8ZjH(637)"></yahoo>

This value is interpreted by the Trojan and may instruct it to perform the following actions on the compromised computer:
  • Download and execute a file
  • Sleep for a specified amount of time
  • Upload files from the computer to a remote location

Different types of back door components have been observed being downloaded by Trojan.Downbot.B. They are a back door using SQL commands, a back door using the same base64 style encoded commands as Trojan.Downbot, and a secure shell back door. Thus these attacks can use a similar approaches to initially infect the computer and then install a more complicated back door components on the computer later.


3.3 Opens a back door
After the Trojan receives the initial instructions to open a back door, it connects to the specified address using the specified port. This establishes the back door allowing a remote attacker to perform the following actions on the compromised computer:
  • Retrieve a file from the remote server
  • Upload a file to the remote server
  • Retrieve a file from a remote URL, download and execute it
  • Send a command from the remote server
  • Send the results of the command executed to the remote server to report the status


3.4 System modifications
The following side effects may be observed on computers compromised by members of threat family.

Files created
  • %Temp%\cisvc.exe

Files/folders deleted
  • None

Files/folders modified
  • None

Registry entries created
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%Temp%\cisvc.exe"

Registry subkeys/entries deleted
  • None

Registry subkeys/entries modified (final values given)

  • None


3.5 Network activity
The threat may perform the following network activities.


Downloading
The Trojan may download files from the following locations:
  • 122.147.13.8/down/iistar[REMOVED]
  • 65.105.157.228/Default.aspx?INDEX=[RANDOM CHARACTERS]
  • aolserver.rebatesrule.net
  • fordfoundation.AlmostMy.com
  • ftp.google.otzo.com
  • seoulsummit.DSMTP.COM
  • us.gnpes.org/1.asp


Uploading
Once a back door has been opened on the computer, the Trojan is capable of uploading files from the computer to a remote server when instructed by the attacker.



4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Éamonn Young and Eoin Ward
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver