It has been three years since we published Lock, stock and two smoking Trojans in our blog. The article describes the first piece of malware designed to attack users of online banking software developed by a company called BIFIT. There are now several malicious programs with similar functionality, including:

• Trojan-Spy.Win32.Lurk
• Trojan-Banker.Win32.iBank
• Trojan-Banker.Win32.Oris
• Trojan-Spy.Win32.Carberp
• Trojan-Banker.Win32.BifiBank
• Trojan-Banker.Win32.BifitAgent

In spite of its functionality no longer being unique, the last program on the list caught our attention.

Words and strings used by Trojan-Banker.Win32.BifitAgent

This particular piece of malware has a number of features that set it apart from other similar programs.

Last week, Adobe released a patch for a vulnerability in Flash Player that was being exploited in targeted attacks.

Before reading any further, we recommend you to take a moment make sure you apply this patch. Adobe offers this nifty tool to check that you have the latest version of Flash Player.

If you are running Google Chrome, make sure you have version -24.0.1312.57 m- or later.

Now back to CVE-2013-0633, the critical vulnerability that was discovered and reported to Adobe by Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov. The exploits for CVE-2013-0633 have been observed while monitoring the so-called -legal- surveillance malware created by the Italian company HackingTeam. In this blog, we will describe some of the attacks and the usage of this 0-day to deploy malware from -HackingTeam- marketed as Remote Control System.

Today, cybercriminals are quick to exploit vulnerabilities in Adobe Reader, Flash and Java to infect users’ computers. There is a simple reason for this popularity: exploits of vulnerabilities found in these products can infect computers regardless of which operating systems and browsers are used on the attacked machines. We assumed that the threats posed to users were unaffected by their choice of browser and undertook a little research to test this assumption.

Picture courtesy of the PCMAG website

Yesterday lots of antivirus labs got a sample of the new antivirus program targeting MAC OS X users. This sample named Backdoor.OSX.Morcut was distributed using social engineering techniques via a JAR file with the name AdobeFlashPlayer.jar and allegedly signed by VeriSign Inc.

Notification from the JAVA virtual machine about the launch of the untrusted applet

It is quite rare to analyze a malicious file written in the form of a cross-platform browser plugin. It is, however, even rarer to come across plugins created using cross-browser engines. In this post, we will look into a Facebook worm that was written using the Crossrider system – a system still in beta testing.

Image source: http://crossrider.com

In early March, we received a report from an independent researcher on mass infections of computers on a corporate network after users had visited a number of well-known Russian online information resources. The symptoms were the same in each case: the computer sent several network requests to third-party resources, after which, in some cases, several encrypted files appeared on the hard drive.

The infection mechanism used by this malware proved to be very difficult to identify. The websites used to spread the infection are hosted on different platforms and have different architectures. None of our attempts to reproduce the infections were successful. A quick analysis of KSN statistics that might help to identify the connection between compromised resources and the malicious code being distributed did not yield any results, either. However, we did manage to find something that the news sites had in common.

This is not the first time the HLUX botnet has been mentioned in this blog, but there are still some unanswered questions that we’ve been receiving from the media: What is the botnet’s sphere of activity? What sort of commands does it receive from malicious users? How does the bot spread? How many infected computers are there in the botnet?

Before answering the questions it’s important to clarify that the HLUX botnet we previously disabled is still under control and the infected machines are not receiving commands from the C&C, so they’re not sending spam. Together with Microsoft’s Digital Crimes Unit, SurfNET and Kyrus Tech, Inc., Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from the C&C.

The answers below refer to a new version of the HLUX botnet – it’s a different botnet but the malware being used is build using the same HLUX coding. Analysis of a new bot version for the HLUX botnet (md5: 010AC0BFF69EB945108B57B40A4784BE, size: 882176 B) revealed the following information.

Why?

As we already known, the bot distributes spam and has the ability to conduct DDoS attacks. In addition, we have discovered that:

1. The bot is capable of infecting flash drives, creating a file on them called “Copy a Shortcut to google.Ink” in the same way Stuxnet did.
2. The bot can search for configuration files for numerous FTP clients and transfer them to its command servers.
3. The bot has a built-in Bitcoin wallet theft feature.
4. The bot also includes a Bitcoin miner feature.
5. The bot can operate in proxy server mode.
6. The bot searches hard drives for files containing email addresses.
7. The bot has a sniffer for intercepting email, FTP and HTTP session passwords.

Part of the HLUX code that interacts with FTP clients

Part of the HLUX code used to steal Bitcoin wallets

Where does it come from?

The bot is loaded onto users’ computers from numerous sites hosted on fast flux domains primarily in the .EU domain zone. The bot installs small downloaders (~47 KB) on the system. These downloaders have been detected on computers in the GBOT and Virut botnets. The downloaders can be loaded to computers within minutes of a machine being infected by the malware mentioned above (GBOT and Virut). This distribution method hinders the detection of the primary bot distribution source.

Bot installations have also been detected during drive-by attacks that make use of the Incognito exploit kit.

The number of computers in the new HLUX botnet is estimated to be tens of thousands, based on the numbers in the approximately 8000 IP addresses detected in operations conducted via P2P.

Where’s it going?

As before, the HLUX botnet primarily receives commands to distribute spam. However, another malicious program, which we wrote about here, is also being installed on the botnet. Its main functionality is fraudulent manipulation of search engines along the lines of TDSS.

The passwords harvested from FTP are used to place malicious Javascripts on websites that redirect users of the compromised sites once again to Incognito exploit kit. Exploits for the CVE-2011-3544 vulnerability are primarily used when the bot is installed during these attacks. In other words, HLUX implements a cyclical distribution scheme just like that used by Bredolab.

Summary

The HLUX botnet, both old and new, is a classic example of organized crime in action on the Internet. The owners of this botnet take part in just about every type of online scam going: sending spam, theft of passwords, manipulation of search engines, DDoS etc.

It is not uncommon for new versions of botnets to appear, and it’s one of the challenges we face in the IT security industry. We can neutralize botnet attacks and delay cyber criminal activities but ultimately the only way to take botnets down is to arrest and persecute the creators and groups operating them. This is a difficult task because security companies face different federal policies and legislation in various countries where botnets are located. This causes the law enforcement investigations and legal process to be a long and arduous process.

We’ll continue monitoring this particular botnet and keep you up to speed with any technical developments.

P.S. We noticed this on one fast flux domain that was earlier spreading HLUX:

It’s not yet clear whether this is the control panel of the HLUX botnet.

Bitсoin is an electronic currency built with P2P and designed for anonymous financial transactions in the Internet. Besides the obvious advantages for users this currency is also very ‘capable’ for cybercriminals. We wrote about different examples of malware used for monetization here and here. But now we will discuss TDSS and its new module for Bitcoin.

In the beginning of August a new section [tslcaloc] has appeared in the TDSS configuration files while bot was running on infected machine after a short stint:

The TDSS loader, a malicious program that we wrote a lot about (e.g. here and here) now has legs, i.e. a tool for self-propagation. TDSS is a very complicated piece of malware and the cybercriminals have created an ingenious propagation tool for its loader.

Kaspersky Security Network is an integral part of Kaspersky Lab technology. With its ‘cloud’ architecture KSN automatically detects and blocks unknown malware and infected/dangerous websites, filters spam, protects children from unwanted content and lots more. Our aim is for users to always have as full a picture as possible of the current threat landscape around the world. That’s why we have come up with the Irida screensaver. It displays statistics about the latest threats that have been detected and blocked using KSN and is updated every 12 hours.

Install our screensaver and discover the full potential of Kaspersky Security Network! Download at: http://irida.kasperskyclub.com/scr.zip