
botnet rises from the grave


Wazoo

Undead spam

After laying low for the better part of a year, the Warezov botnet is back - with some new tricks up its sleeve.

In the past week, trojan horse programs that install the Warezov bot have been spotted on websites offering free MP3 downloads, according to Joe Stewart, director of malware research at security provider SecureWorks. The attacks are a big change for Warezov, which burst on the scene in 2006 with malware attacks spread in email attachments. The new methodology is an acknowledgment of the futility of email attacks given the difficulty of sneaking malicious payloads past today's email filters.

Stewart says Warezov is more of a payload delivery system than an actual bot. It is in essence a backdoor that installs any software its operator wants. In recent times, the payload of choice is a fast-flux hosting platform that turns compromised PCs into servers that host spoof sites used in phishing campaigns. Fast-flux networks are much harder to shut down because there's no central channel to defeat. If a single node hosting, say, a fraudulent Bank of America website is taken down, there are still thousands of other infected machines ready to take its place.

In the case of Warezov, the malware installs two separate components: a reverse HTTP proxy that serves content from an obscured master server and a DNS server that has been modified from ISC BIND. The DNS server acts as a slave that gets zone updates from the master.

.......

Warezov suddenly came out of hibernation. Oddly enough, Stewart says, it was using Microsoft's Hotmail service. Each bot was given a list of usernames and passwords, and each username sent only a few emails in order to bypass restrictions on the number of emails that a single account holder can send in a set period of time. Warezov isn't the only piece of malware using webmail to send spam. Malware known alternately as Wopla or Hotlan does the same thing.

Link to comment
Share on other sites
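The fast-flux hosting platform described in the quoted article (many compromised PCs rotated behind one spoof hostname) is what a resolver-log heuristic tries to spot. The following is an added example, not part of the original post or of SecureWorks' research: the hostnames, addresses, observations and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import IPv4Network, ip_address

# Constructed passive-DNS style observations: (hostname, A record, TTL seconds).
# Addresses are from the RFC 5737 documentation ranges; a real deployment would
# read these from resolver logs and would use ASN lookups instead of /24 prefixes.
OBSERVATIONS = [
    # Suspected flux name: many hosts, spread across prefixes, very short TTL.
    ("secure-bank-login.example", "192.0.2.17", 120),
    ("secure-bank-login.example", "198.51.100.44", 120),
    ("secure-bank-login.example", "203.0.113.9", 120),
    ("secure-bank-login.example", "192.0.2.88", 120),
    ("secure-bank-login.example", "198.51.100.201", 120),
    ("secure-bank-login.example", "203.0.113.140", 120),
    ("secure-bank-login.example", "192.0.2.251", 120),
    # Ordinary site: one stable address, long TTL.
    ("www.example", "203.0.113.10", 86400),
    ("www.example", "203.0.113.10", 86400),
    # CDN-like name: short TTL, but only a couple of addresses in one prefix.
    ("cdn.example", "198.51.100.5", 60),
    ("cdn.example", "198.51.100.6", 60),
    ("cdn.example", "198.51.100.5", 60),
]


def summarize(observations):
    """Per hostname: (distinct IPs, distinct /24 prefixes, minimum TTL seen)."""
    ips, prefixes, min_ttl = defaultdict(set), defaultdict(set), {}
    for name, ip, ttl in observations:
        ips[name].add(ip_address(ip))
        prefixes[name].add(IPv4Network((ip, 24), strict=False))
        min_ttl[name] = min(ttl, min_ttl.get(name, ttl))
    return {n: (len(ips[n]), len(prefixes[n]), min_ttl[n]) for n in ips}


def flux_score(distinct_ips, distinct_prefixes, min_ttl):
    """One point per signal (thresholds are illustrative). A short TTL alone is
    weak evidence because CDNs use short TTLs too; prefix spread is what separates
    rented hosting from a swarm of infected home PCs."""
    return int(distinct_ips >= 5) + int(distinct_prefixes >= 3) + int(min_ttl <= 300)


def flag_fast_flux(observations, threshold=3):
    """Sorted hostnames whose score reaches the threshold."""
    stats = summarize(observations)
    return sorted(n for n, s in stats.items() if flux_score(*s) >= threshold)
```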

...The new methodology is an acknowledgment of the futility of email attacks given the difficulty of sneaking malicious payloads past today's email filters...
Just don't take that for granted - I'm still seeing zips, even rars, that are unrecognized by most of the 36 AVs at VirusTotal at the time of delivery (so even daily updates are no guarantee). Most are recognized by most AVs within 24 hours or so which is something of a testament to the information sharing achieved through VT as well as an indication that the viral attachments thing is far from a dead issue. I think.
Link to comment
Share on other sites

And just to underscore the 'futile' email distribution, this one received today:

http://www.spamcop.net/sc?id=z2366920697z2...af8cf81deacbf9z

- with TWO separate trojan downloaders attached. That's a first for me. Sure, it was a dumber effort than most - one of them was an 'old' file (>24 hours in the wild, therefore recognized by most AV scanners on the planet). The other was new - think it ran to just 6/36 detections IIRC - but sort of wasted unless there might be someone operating on a "lightning only strikes once" rule who somehow convinced themselves that the rest of the thing is legitimate and who wasn't already so loaded up with trojans that there might be room for another and ... Well, there actually are Forrest Gumps in this world (close enough to) but it seems like a slender demographic to be chasing to me. Whatever - email distribution continues and, every now and then through coincidence/circumstance, can come frighteningly close to getting through to the downloader installation phase, even in a reasonably savvy workplace environment.

Link to comment
Share on other sites

  • 4 weeks later...

Just to note that someone is getting 'better' - or more desperate. The attempted trojan drop payload on this one http://www.spamcop.net/sc?id=z2413519580z0...b8e2559abab7d5z was recognized by just one of the 36 AVs on VirusTotal. That is the freshest release I have seen yet. It is quite obvious from the context it will be malicious (or is intended to be so) but, as said here and elsewhere, the context can get lost, particularly when these things are dumped into a workgroup and/or when it just happens to closely coincide with real-world activities. Sure the message is hackneyed and has all sorts of exploit fingerprints all over it but there will be times such things will come very close to slipping through and sooner or later ... Not the end of the world if one does get in but it sure could be inconvenient/harmful especially if not promptly detected (and they are designed to be stealthy).

MD5 hash on that file is 3f43c04732157e17fa3fb136a521db35 by the way - detections are now up to 2 (AVG & Sophos).

Link to comment
Share on other sites

I've received over 200 of those this past week alone. It's spreading like wildfire :(
Yeah, probably an aftermath of the McColo affair and a need to rebuild botnets, as commented around the internet. I've not actually seen an increase (they've been hitting this corporate office for some time in a steady trickle). What was particularly concerning me was the low detection rates on the viral attachments. The one I just saw being the lowest yet. Yes, (your point), increased numbers is of great concern too.
Link to comment
Share on other sites

I guess it's a good thing I use Linux ;)
:lol:
Next time I get one of these, I'll scan it with f-prot and see if it picks it up.
It might, on that one, now. Detection has shot up to 4/36, one of which is F-Prot - but note, 2008.11.20 definitions. These things almost always come out before the typical user's AV would pick them up, even those who update daily. The NEXT day your AV (and most others - which have been added meantime) will pick them up. Seems to be their MO, just a touch more slick now, maybe.
Link to comment
Share on other sites
