1. Prevention and avoidance
1.1 Ensure antivirus is up-to-date and active
1.2 Use IPS
1.3 Use email filtering
1.4 Patch operating system and software
1.5 User awareness
2. Infection method
2.1 Email containing a link
2.2 Email with attachments
3. Functionality
3.1 Use of Steganography
3.2 Hiding commands in HTML
3.3 Opens a back door
3.4 System modifications
3.5 Network activity
4. Additional information
1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.
1.1 Ensure antivirus is up-to-date and active
Symantec has detected many of the older versions of these threats as Backdoor.Trojan, Downloader, and Trojan Horse, but more recent samples (as of May 2011) have been grouped into the Trojan.Downbot family. Symantec reputation-based detection technologies are also able to proactively protect against many of the files used in these attacks.
1.2 Use IPS
In addition to standard antivirus detections, Symantec also has IPS signatures that can help to prevent such attacks. Some are geared towards prevention of remote exploitation, back channel communications, and file downloads.
1.3 Use email filtering
Email filter services such as BrightMail or Symantec MessageLabs Email Security.cloud can help to filter out potential targeted attack emails before they can reach the intended users.
1.4 Patch operating system and software
Many of these attacks start with a file containing exploit code. In most cases the exploits are for vulnerabilities that are already patched. It is therefore wise to ensure that operating systems and any installed software are fully patched. Users should turn on automatic updates if available, so that their computers receive the latest patches and updates as soon as they are made available.
This threat is known to use certain vulnerabilities. Installation of the following patches will reduce the risk to your computer:
1.5 User awareness
In many cases, users are the weakest link. This is why social engineering is a method of attack that is always used. The emails sent in these attacks follow the typical targeted attack modus operandi: they contain a subject or topic that may be of interest to the recipient, such as rosters, contact lists, budgets, and so forth. They carry an attachment as part of the social engineering ploy.
The attached files are typically Microsoft Office files such as Word documents, Excel spreadsheets, and PowerPoint presentations; PDF documents have also been used. These files are loaded with exploit code, so that when the user opens the file, the exploit code is executed and the computer becomes compromised. While email filtering and file scanning can help to reduce risk, education and awareness programs can also play a major part in reducing the risk of this type of attack.
2. INFECTION METHOD
To date, the only attack vector known to Symantec is through email. Two distinct patterns of email have been observed. These are:
- Email with a link to a self extracting archive (SFX)
- Email with an attached file that contains exploit code
Both email types may deliver a variant of this Trojan.
2.1 Email containing a link
These attacks do not employ any exploits or sophisticated techniques. An email from a free email provider is sent to the target. The email sender may purport to be from the same organization as the target, but is using their personal rather than corporate email account. The email uses basic social engineering, linking to an executable file with a suggestive name. The executable downloaded is a self-extracting archive with a Word/Excel or folder icon. When executed it drops a copy of Trojan.Downbot.
2.2 Email with attachments
A more sophisticated variant of this attack was intercepted by the Symantec MessageLabs Email Security.cloud service. These emails were not sent from a free email address but instead from within a corporate network. In this scenario, the attacker had previously compromised the corporate network and was using it as a staging point from which to launch further attacks on a more secure network. In addition, the email does not contain a link to an SFX archive; a file is attached instead.

In one instance, an XLS file containing an exploit for the Microsoft Excel 'FEATHEADER' Record Remote Code Execution Vulnerability (BID 36945) (detected by Bloodhound.Exploit.306) was used. Once the file is opened on an unpatched computer, a clean copy of an Excel file is dropped and opened so that the user is not suspicious. The main Trojan executable is also dropped and executed. One possible tell-tale sign of this exploit is that Excel appears to hang for a short time before it resumes, and the application may even crash and restart.
Subject
The following subjects were some of those observed in these attacks.
- Obituary Notice
- Contact List Update
- Updated Roster [DATE IN YYYYMMDD FORMAT]
- F-16 Sale
Attachment
The following attachment names were also observed.
- XXXXX_Kickoff_Meeting_Minutes_Update.exe
- press_releases_doc.doc.exe
- ReferencefortheInformalWorkshop.exe
- Salary_Admin_Worksheet.exe
- The16thAsianGames.exe
- nato_countries.xls
- Participant_Contacts.xls
- 2011 project budget.xls
- Contact List -Update.xls
- The budget justification.xls
- Conference_Draft_Agenda_May_2011.pdf
- The economic impact of military expenditures.pdf
- DECLARATION- COMMENTS-Netherlands.pdf
Known topics used
The following are some of the topics that Symantec has observed in use in the emails associated with this Trojan.
- Meetings
- Salary accounts
- Games
3. FUNCTIONALITY
For the most part, the Shady RAT attacks are not particularly sophisticated, relying on basic social engineering and older exploits which are still effective. The attacks consist of three stages: targeted email, initial infection, and a comprehensive back door. The final stage of installing a back door allows the attacker to assume a high level of control over the compromised computer.
3.1 Use of Steganography
Steganography is a form of communication whereby the existence of a message is only known to the sender and the intended recipient. The message is hidden in some other format that has a different appearance to any other observer. In the case of Trojan.Downbot, the Trojan downloads content that appears to be legitimate images or Web pages.
While this downloaded content may look perfectly innocent, it contains hidden commands that the Trojan extracts and interprets, instructing it to perform various actions.
Images found on the command and control servers included pictures of women, Egyptian scenes and cartoon-like images of landscapes. All of these were found to contain extra bytes embedded inside them for use as instructions.
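One defensive check that follows from the description above is to look for bytes that sit after an image's end-of-image marker, where an otherwise valid picture carries extra data. This is an added example, not code from the Symantec write-up; the sample images and the appended "command" string are constructed here.

```python
# Added example (not from the Symantec write-up): report data trailing the
# end marker of a PNG (IEND chunk) or JPEG (EOI, FF D9). Sample input is constructed.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data: bytes):
    """Walk PNG chunks; return the offset just past IEND, or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4           # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None

def jpeg_end_offset(data: bytes):
    """Return the offset just past the first EOI marker of a JPEG, or None.
    Caveat: an EXIF thumbnail carries its own EOI, so a baseline scanner like
    this one can flag legitimate camera images; treat hits as leads, not verdicts."""
    if not data.startswith(b"\xff\xd8"):
        return None
    idx = data.find(b"\xff\xd9", 2)
    return None if idx < 0 else idx + 2

def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the image's end marker; empty for a clean image or unknown format."""
    end = png_end_offset(data)
    if end is None:
        end = jpeg_end_offset(data)
    return b"" if end is None else data[end:]

def make_png(width: int = 1, height: int = 1) -> bytes:
    """Construct a minimal valid RGB PNG to serve as sample input."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height   # filter byte + RGB pixels per row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

CLEAN_PNG = make_png()
# Constructed sample: the same PNG with a placeholder "instruction" appended after IEND.
SUSPECT_PNG = CLEAN_PNG + b"[CONSTRUCTED ENCODED COMMAND]"
```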


3.2 Hiding commands in HTML
Additionally, web pages, such as an "Under Construction" page, were also found to contain embedded HTML representing commands.

The web page that the Trojan retrieves contains a comment at the top of the HTML code.

This comment is actually an encrypted command that can be processed by the Trojan. The instruction may be one of the following actions:
- Download a file from a URL and save it to %Temp%\[FILE NAME], then execute the file
- Sleep for a specified number of minutes
- Connect to an IP address on a specified port (open a back door on the computer)
Command and control servers associated with Trojan.Downbot.B store their commands in custom HTML tags instead of comments. The encrypted instructions are stored in the tag attributes.
<yahoo [COMMAND]="[ENCRYPTED INSTRUCTIONS]"></yahoo>
Where [COMMAND] is one of the following:
For example:
<yahoo sb="h|Pkv|nWLCnW3ksL8ZjH(637)"></yahoo>
This value is interpreted by the Trojan and may instruct it to perform the following actions on the compromised computer:
- Download and execute a file
- Sleep for a specified amount of time
- Upload files from the computer to a remote location
Different types of back door components have been observed being downloaded by Trojan.Downbot.B: a back door using SQL commands, a back door using the same base64-style encoded commands as Trojan.Downbot, and a secure shell back door. Thus these attacks can use a similar approach to initially infect the computer and then install more complicated back door components on the computer later.
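The two hiding places described in this section, a comment at the top of the retrieved page and attributes on a custom `<yahoo>` tag, can be pulled out of captured HTML with a small parser. This is an added example and not code from the Symantec write-up; the sample page is constructed, with the `<yahoo sb=...>` line taken from the example above and a placeholder standing in for the encrypted comment.

```python
# Added example (not from the Symantec write-up): extract the markers the text
# says Trojan.Downbot (leading HTML comment) and Trojan.Downbot.B (custom <yahoo>
# tag attributes) use to carry encrypted commands in retrieved web pages.
from html.parser import HTMLParser

class C2MarkerParser(HTMLParser):
    """Collect comments that precede any markup and attributes of custom tags."""
    def __init__(self, custom_tags=("yahoo",)):
        super().__init__()
        self.custom_tags = set(custom_tags)
        self.seen_markup = False
        self.findings = []   # tuples of (kind, name, value)

    def handle_comment(self, data):
        # Only a comment before any element or doctype matches the
        # "comment at the top of the HTML code" pattern.
        if not self.seen_markup:
            self.findings.append(("leading_comment", None, data.strip()))

    def handle_decl(self, decl):
        self.seen_markup = True

    def handle_starttag(self, tag, attrs):
        self.seen_markup = True
        if tag in self.custom_tags:
            # Downbot.B: <yahoo [COMMAND]="[ENCRYPTED INSTRUCTIONS]"></yahoo>
            for name, value in attrs:
                self.findings.append(("custom_tag_attr", f"{tag}:{name}", value or ""))

def find_hidden_commands(html: str):
    """Return every suspicious marker found in the page, in document order."""
    parser = C2MarkerParser()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample resembling an "Under Construction" page carrying both markers.
SAMPLE_PAGE = """<!-- [CONSTRUCTED ENCRYPTED COMMAND] -->
<html><head><title>Under Construction</title></head>
<body><h1>Under Construction</h1>
<!-- an ordinary comment inside the body is not a leading comment -->
<yahoo sb="h|Pkv|nWLCnW3ksL8ZjH(637)"></yahoo>
</body></html>"""
```

A real deployment would feed this the bodies of HTTP responses fetched by hosts under investigation and alert on any non-empty result.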
3.3 Opens a back door
After the Trojan receives the initial instructions to open a back door, it connects to the specified address using the specified port. This establishes the back door, allowing a remote attacker to perform the following actions on the compromised computer:
- Retrieve a file from the remote server
- Upload a file to the remote server
- Retrieve a file from a remote URL, download and execute it
- Send a command from the remote server
- Send the results of the command executed to the remote server to report the status
3.4 System modifications
The following side effects may be observed on computers compromised by members of this threat family.
Files created
Files/folders deleted
Files/folders modified
Registry entries created
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%Temp%\cisvc.exe"
Registry subkeys/entries deleted
Registry subkeys/entries modified (final values given)
3.5 Network activity
The threat may perform the following network activities.
Downloading
The Trojan may download files from the following locations:
Uploading
Once a back door has been opened on the computer, the Trojan is capable of uploading files from the computer to a remote server when instructed by the attacker.
4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":