1. Prevention and avoidance1.1 Ensure antivirus is up-to-date and active
1.2 Use IPS
1.3 Use email filtering
1.4 Patch operating system and software
1.5 User awareness
2. Infection method
2.1 Email containing a link
2.2 Email with attachments
3.1 Use of Steganography
3.2 Hiding commands in HTML
3.3 Opens a back door
3.4 System modifications
3.5 Network activity
4. Additional information1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.1.1 Ensure antivirus is up-to-date and active
Symantec has detected many of the older versions of these threats as Backdoor.Trojan, Downloader, and Trojan Horse, but more recent samples (as of May 2011) have been grouped into the Trojan.Downbot family. Symantec reputation-based detection technologies are also able to proactively protect against many of the files used in these attacks.1.2 Use IPS
In addition to standard antivirus detections, Symantec also has IPS signatures that can help to prevent such attacks. Some are geared towards prevention of remote exploitation, back channel communications, and file downloads.1.3 Use email filtering
Email filter services such as BrightMail
or Symantec MessageLabs Email Security.cloud
can help to filter out potential targeted attack emails before they can reach the intended users.1.4 Patch operating system and software
Many of these attacks often start with a file containing exploit code. In most cases the exploits are for vulnerabilities that are already patched. It is therefore wise to ensure that operating systems and any installed software are fully patched. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.
This threat is known to use certain vulnerabilities. Installation of the following patches will reduce the risk to your computer:1.5 User awareness
In many cases the users can often be the weakest link. This is the reason why social engineering is a method of attack that is always used. The emails sent in these attacks follow the typical targeted attack modus operandi - that is they contain some subject or topic that may be of interest to the recipient, such as rosters, contact lists, budgets, and so forth. They contain an attachment as part of a social engineering ploy.
The attached files are typically Microsoft Office files such as Word documents, Excel spreadsheets, PowerPoint presentations, and PDF documents have also been used. These files are loaded with exploit code, so that when the user opens the file, the exploit code is executed resulting in the computer becoming compromised. While email filtering and file scanning can help to reduce risk, education and awareness programs can also play a major part to help to reduce the risk of this type of attacks.
2. INFECTION METHOD
To date, the only attack vector known to Symantec is through email. Two distinct patterns of email have been observed. These are:
- Email with a link to a self extracting archive (SFX)
- Email with an attached file that contains exploit code
Both email types may deliver a variant of this Trojan.2.1 Email containing a link
These attacks do not employ any exploits or sophisticated techniques. An email from a free email provider is sent to the target. The email sender may purport to be from the same organization as the target, but is using their personal rather than corporate email account. The email uses basic social engineering, linking to an executable file with a suggestive name. The executable downloaded is a self extracting archive with a Word/Excel or folder icon. When executed it drops the a copy of Trojan.Downbot.2.2 Email with attachments
A more sophisticated variant of this attack was intercepted by the Symantec MessageLabs Email Security.cloud service. These emails were not sent from a free email address but instead from within a corporate network. In this scenario, the attacker had previously compromised the corporate network and was using it as a staging point from which to launch further attacks on a more secure network. In addition, the email sent does not contain a link to a SFX archive, a file is attached instead.
In instance, an XLS file containing an exploit using the Microsoft Excel 'FEATHEADER' Record Remote Code Execution Vulnerability
(BID 36945) (detected by Bloodhound.Exploit.306
) was used. Once the file is opened on an un-patched computer, a clean copy of an Excel file is dropped and opened so that the user is not suspicious. The main Trojan executable is also dropped and executed. One possible tell-tale sign of this exploit is that Excel appears to hang for a short time before it resumes, and the application may even crash and restart.
The following subjects were some of those observed in these attacks.
- Obituary Notice
- Contact List Update
- Updated Roster [DATE IN YYYYMMDD FORMAT]
- F-16 Sale
The following attachment names were also observed.
Known topics used
- 2011 project budget.xls
- Contact List -Update.xls
- The budget justification.xls
- The economic impact of military expenditures.pdf
- DECLARATION- COMMENTS-Netherlands.pdf
The following are some of the topics that Symantec have observed in use in the emails associated with this Trojan.
- Salary accounts
For the most part, the Shady Rat attacks are not particularly sophisticated, relying on basic social engineering and older exploits which are still effective. The attacks consists of three stages, targeted email, initial infection, and comprehensive back door. The final stage of installing a back door allows the attacker to assume a high level of control over the compromised computer.3.1 Use of SteganographySteganography
is a form of communication whereby the existence of a message is only known to the sender and the intended recipient. The message is hidden in some other format that has a different appearance to any other observer. In the case of Trojan.Downbot, the Trojan downloads content that appears to be legitimate images or Web pages.
While this downloaded content may look perfectly innocent, they contain hidden commands that are extracted and interpreted by the Trojan that instructs it to perform various actions.
Images found on the command and control servers included pictures of women, Egyptian scenes and cartoon like images of landscapes. All those these were found to contain extra bytes embedded inside them for use as instructions.3.2 Hiding commands in HTML
Additionally, web pages such as an Under Construction page were also found to contain embedded HTML commands representing commands.
The web page that the Trojan retrieves contain a comment at the top of the HTML code.
This comment is actually an encrypted command that can be processed by the Trojan. The instruction may be one of the following actions:
- Download a file from a URL and save it to %Temp%\[FILE NAME], then execute the file
- Sleep for a specified number of minutes
- Connect to an IP address on a specified port (open a back door on the computer)
Command and control servers associated with Trojan.Downbot.B
stores its commands in custom HTML tags instead of comments. The encrypted instructions are store in the tag attributes.
<yahoo [COMMAND]="[ENCRYPTED INSTRUCTIONS]"></yahoo>
Where [COMMAND] is one of the following:
This value is interpreted by the Trojan and may instruct it to perform the following actions on the compromised computer:
- Download and execute a file
- Sleep for a specified amount of time
- Upload files from the computer to a remote location
Different types of back door components have been observed being downloaded by Trojan.Downbot.B. They are a back door using SQL commands, a back door using the same base64 style encoded commands as Trojan.Downbot, and a secure shell back door. Thus these attacks can use a similar approaches to initially infect the computer and then install a more complicated back door components on the computer later.3.3 Opens a back door
After the Trojan receives the initial instructions to open a back door, it connects to the specified address using the specified port. This establishes the back door allowing a remote attacker to perform the following actions on the compromised computer:
3.4 System modifications
- Retrieve a file from the remote server
- Upload a file to the remote server
- Retrieve a file from a remote URL, download and execute it
- Send a command from the remote server
- Send the results of the command executed to the remote server to report the status
The following side effects may be observed on computers compromised by members of threat family.Files createdFiles/folders deletedFiles/folders modifiedRegistry entries created
Registry subkeys/entries deleted
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%Temp%\cisvc.exe"
Registry subkeys/entries modified (final values given) 3.5 Network activity
The threat may perform the following network activities.Downloading
The Trojan may download files from the following locations:
- 220.127.116.11/Default.aspx?INDEX=[RANDOM CHARACTERS]
Once a back door has been opened on the computer, the Trojan is capable of uploading files from the computer to a remote server when instructed by the attacker.
4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":