Trojan.Downbot is a Trojan that is implicated in a widely reported series of targeted attacks collectively known as "Operation Shady RAT".
These attacks were first reported in the media on August 2, 2011, when McAfee published a report on a campaign it dubbed "Operation Shady RAT". The report described a series of attacks that had been occurring for over five years against more than seventy organizations, ranging from private companies to government agencies located worldwide. McAfee speculated that the attacks were aimed at stealing highly sensitive and proprietary information belonging to these organizations and may have been state sponsored.
These targeted attacks typically consisted of three stages:
- Targeted email to individuals within targeted organizations
- Initial infection
- Opening of a back door
Target organizations are selected, and emails are then crafted and sent to chosen individuals within those organizations. The emails follow the typical targeted-attack modus operandi: they carry a subject or topic likely to interest the recipient, such as rosters, contact lists, or budgets, and the attached file purports to contain the details promised in the email text, as part of the social-engineering ploy. The attachments are typically Microsoft Office files such as Word documents, Excel spreadsheets, and PowerPoint presentations; PDF documents have also been used. These files are loaded with exploit code, so that when the user opens the file the exploit executes and the computer is compromised.
When one of these attachments is opened, an Excel spreadsheet for example, a clean copy of a spreadsheet file is dropped and opened so that the user is not suspicious. The Trojan is also dropped and executed. One possible tell-tale sign that an exploit is taking place is that the application may appear to hang for a short time before it resumes; the application may even crash and restart.

Functionality
Once the Trojan is installed, it attempts to contact a remote site that is hard-coded into the Trojan itself. The remote sites used have been either attacker-controlled sites made to look like code-tutorial web sites or hacked legitimate web sites. These sites host the command-and-control configuration for the Trojan. At first glance the web sites do not appear to contain anything malicious; on closer inspection of the HTML and image files, some are found to contain specially formatted and encoded comments in HTML files, or extra bytes appended to image files. This is an interesting ploy on the attackers' part: it hides the commands in content that many firewalls are configured to allow through as ordinary HTTP traffic. Without close inspection, and without the context gained from studying the Trojan in detail, these images and HTML files look completely legitimate.
The commands are encrypted, then further encoded, and hidden in HTML comments. While the comments are plainly visible to anyone who views the HTML source in a text editor, they look completely harmless, and indeed are harmless unless the file is parsed by the Trojan on a compromised computer. The commands may be one of the following:
- Download and execute a file on the compromised computer
- Sleep for a specified amount of time
- Connect to a remote IP on a specified port
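The two hiding places described above, encoded blobs in HTML comments and bytes appended past the end of an image, can both be hunted for on a suspected staging site. The following Python script is an added example, not part of Symantec's writeup and not Downbot's own parsing logic: it extracts HTML comments and flags single-token, high-entropy base64-like blobs, and it checks JPEG and PNG files for data after the end-of-image marker. The sample page, the base64 encoding used for the planted comment, and the sample images are all constructed here; the page does not document Downbot's real comment format, so the blob heuristic is an assumption.

```python
"""Hunt for C2 configuration hidden in 'benign' web content: encoded blobs in
HTML comments and bytes appended past the end-of-image marker of JPEG/PNG files.
Constructed samples only; not real Downbot artefacts."""
import base64
import math
import re
from collections import Counter

# ---- constructed samples ------------------------------------------------
# Assumption: a planted comment is a single long base64-like token. Real
# Downbot comments are encrypted and encoded, but their exact format is not
# documented here.
ENCODED_COMMENT = base64.b64encode(
    b"this is not a real c2 command but it looks like one").decode()

SAMPLE_HTML = (
    b"<html><head><title>CSS tutorial</title></head>\n"
    b"<body>\n"
    b"<!-- last updated by webmaster -->\n"
    b"<p>Set the box model with the following rule.</p>\n"
    b"<!-- " + ENCODED_COMMENT.encode() + b" -->\n"
    b'<img src="banner.jpg">\n'
    b"</body></html>\n"
)

PAYLOAD = b"appended-config-bytes"
# Minimal JPEG: SOI, an APP0 segment, EOI. Minimal PNG: signature + IEND chunk.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + b"\xff\xd9"
STUFFED_JPEG = CLEAN_JPEG + PAYLOAD
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
STUFFED_PNG = CLEAN_PNG + PAYLOAD

# ---- HTML comment check ---------------------------------------------------
COMMENT_RE = re.compile(rb"<!--(.*?)-->", re.DOTALL)
# One unbroken token of 32+ base64-alphabet characters; prose comments have
# spaces and never match.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{32,}$")


def extract_comments(html_bytes):
    """Return the stripped text of every HTML comment in the page."""
    return [m.group(1).decode("latin-1").strip()
            for m in COMMENT_RE.finditer(html_bytes)]


def shannon_entropy(text):
    """Bits per character; encoded/encrypted data scores high, prose low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def suspicious_comments(html_bytes, min_entropy=3.0):
    """Comments that look like an encoded blob rather than a developer note."""
    hits = []
    for comment in extract_comments(html_bytes):
        if BLOB_RE.match(comment) and shannon_entropy(comment) >= min_entropy:
            hits.append((comment, round(shannon_entropy(comment), 2)))
    return hits


# ---- image trailer check --------------------------------------------------
def trailing_bytes(image):
    """Bytes after the terminal marker: FF D9 (JPEG EOI) or the IEND chunk (PNG).
    A legitimate file ends exactly at that marker, so anything returned is
    appended data worth decoding by hand."""
    if image.startswith(b"\xff\xd8"):
        end = image.rfind(b"\xff\xd9")
        return b"" if end < 0 else image[end + 2:]
    if image.startswith(b"\x89PNG\r\n\x1a\n"):
        end = image.rfind(b"IEND")          # chunk = len(4) 'IEND' CRC(4)
        return b"" if end < 0 else image[end + 8:]
    raise ValueError("unsupported image format")


if __name__ == "__main__":
    for comment, ent in suspicious_comments(SAMPLE_HTML):
        print(f"suspicious comment (entropy {ent}): {comment[:40]}...")
    for name, img in (("clean.jpg", CLEAN_JPEG), ("stuffed.jpg", STUFFED_JPEG),
                      ("clean.png", CLEAN_PNG), ("stuffed.png", STUFFED_PNG)):
        print(f"{name}: {len(trailing_bytes(img))} byte(s) after end-of-image marker")
```

Two caveats for real use: `rfind` locates the last marker, so an appended payload that itself happens to contain FF D9 or "IEND" would be partly hidden; walking the JPEG marker segments or the PNG chunk chain from the start is the stricter check. And the entropy threshold is a triage aid, not a verdict: a flagged comment still has to be decoded and tied back to the sample's parsing routine before it is called C2 configuration.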
The final command is particularly useful from the attacker's point of view, since it opens a direct connection to the specified IP address on the specified port. When the Trojan connects to that remote computer it establishes a remote shell, enabling the attacker at the remote site to issue shell commands directly on the compromised computer.
In addition, the Trojan periodically checks in with the remote server and allows an attacker to perform any of the following:
- Retrieve a file from the remote server
- Upload a file to the remote server
- Retrieve a file from a remote URL and execute it
- Receive a command from the remote server and execute it
- Send the results of that command back to the remote server to report its status
This small set of commands is enough for an attacker to stage a comprehensive breach of the affected organization. Any capability the Trojan itself lacks can simply be downloaded onto the compromised computer and executed at will, and collected data is then uploaded back to the remote attacker.

SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family:
- Antivirus signatures
- Antivirus (heuristic/generic)
- Intrusion Protection System