It’s that time of year again, time to fill out your taxes and pay your part. We’ve seen more than a few examples of Tax and IRS related spam. Yesterday I received mail with an interesting approach:

This is not the first time the HLUX botnet has been mentioned in this blog, but there are still some unanswered questions that we’ve been receiving from the media: What is the botnet’s sphere of activity? What sort of commands does it receive from malicious users? How does the bot spread? How many infected computers are there in the botnet?

Before answering the questions it’s important to clarify that the HLUX botnet we previously disabled is still under control and the infected machines are not receiving commands from the C&C, so they’re not sending spam. Together with Microsoft’s Digital Crimes Unit, SurfNET and Kyrus Tech, Inc., Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from the C&C.

The answers below refer to a new version of the HLUX botnet – it’s a different botnet but the malware being used is build using the same HLUX coding. Analysis of a new bot version for the HLUX botnet (md5: 010AC0BFF69EB945108B57B40A4784BE, size: 882176 B) revealed the following information.

Why?

As we already known, the bot distributes spam and has the ability to conduct DDoS attacks. In addition, we have discovered that:

1. The bot is capable of infecting flash drives, creating a file on them called “Copy a Shortcut to google.Ink” in the same way Stuxnet did.
2. The bot can search for configuration files for numerous FTP clients and transfer them to its command servers.
3. The bot has a built-in Bitcoin wallet theft feature.
4. The bot also includes a Bitcoin miner feature.
5. The bot can operate in proxy server mode.
6. The bot searches hard drives for files containing email addresses.
7. The bot has a sniffer for intercepting email, FTP and HTTP session passwords.

Part of the HLUX code that interacts with FTP clients

Part of the HLUX code used to steal Bitcoin wallets

Where does it come from?

The bot is loaded onto users’ computers from numerous sites hosted on fast flux domains primarily in the .EU domain zone. The bot installs small downloaders (~47 KB) on the system. These downloaders have been detected on computers in the GBOT and Virut botnets. The downloaders can be loaded to computers within minutes of a machine being infected by the malware mentioned above (GBOT and Virut). This distribution method hinders the detection of the primary bot distribution source.

Bot installations have also been detected during drive-by attacks that make use of the Incognito exploit kit.

The number of computers in the new HLUX botnet is estimated to be tens of thousands, based on the numbers in the approximately 8000 IP addresses detected in operations conducted via P2P.

Where’s it going?

As before, the HLUX botnet primarily receives commands to distribute spam. However, another malicious program, which we wrote about here, is also being installed on the botnet. Its main functionality is fraudulent manipulation of search engines along the lines of TDSS.

The passwords harvested from FTP are used to place malicious Javascripts on websites that redirect users of the compromised sites once again to Incognito exploit kit. Exploits for the CVE-2011-3544 vulnerability are primarily used when the bot is installed during these attacks. In other words, HLUX implements a cyclical distribution scheme just like that used by Bredolab.

Summary

The HLUX botnet, both old and new, is a classic example of organized crime in action on the Internet. The owners of this botnet take part in just about every type of online scam going: sending spam, theft of passwords, manipulation of search engines, DDoS etc.

It is not uncommon for new versions of botnets to appear, and it’s one of the challenges we face in the IT security industry. We can neutralize botnet attacks and delay cyber criminal activities but ultimately the only way to take botnets down is to arrest and persecute the creators and groups operating them. This is a difficult task because security companies face different federal policies and legislation in various countries where botnets are located. This causes the law enforcement investigations and legal process to be a long and arduous process.

We’ll continue monitoring this particular botnet and keep you up to speed with any technical developments.

P.S. We noticed this on one fast flux domain that was earlier spreading HLUX:

It’s not yet clear whether this is the control panel of the HLUX botnet.

You’ve probably already heard about the 'Chupa Cabra', literally a "goat sucker". It’s a mythical beast rumored to inhabit parts of the Americas. In recent times it has been allegedly spotted in Puerto Rico (where it was first reported), Mexico and the United States, especially in the latter’s Latin American communities. The name Chupa Cabra has also been adopted by Brazilian carders to name skimmer devices, installed on ATMs. They use this name because the Chupa Cabra will “suck” the information from the victim’s credit card.

The Brazilian media regularly shows videos of bad guys installing their Chupa Cabra onto an ATM. Some of them are unlucky, or incompetent, and get picked up on security cameras and caught by the cops.

That’s what makes installing an ATM skimmer a risky business – and that’s why Brazilian carders have joined forces with local coders to develop an easier, more secure way to steal and clone credit card information. From this unholy alliance, the ‘Chupa Cabra’ malware was born.

The Adobe AIR and Adobe Flash Player Incubator program updated their Flash Platform runtime beta program to version 5, delivered as Flash Player version 11.2.300.130. It includes a "sandboxed" version of the 32-bit Flash Player they are calling "Protected Mode for Mozilla Firefox on Windows 7 and Windows Vista systems". It has been over a year since Adobe discussed the Internet Explorer ActiveX Protected Mode version release on their ASSET blog, and the version running on Google Chrome was sandboxed too.

Adobe is building on the successes that they have seen in their Adobe Reader X software. Its sandbox technology has substantially raised the bar for driving up the costs of "offensive research", resulting in a dearth of Itw exploits on Reader X. As in "none" in 2011. This trend reflects 2011 targeted attack activity that we’ve observed. 2011 APT related attacks nailed outdated versions of Adobe Flash software delivered as "authplay.dll" in Adobe Reader v8.x and v9.x and the general Flash component "NPSWF32.dll" used by older versions of Microsoft Office and other applications. Adobe X just wasn't hit. IE Protected Mode wasn't hit. Chrome sandboxed Flash wasn't hit. If there are incident handlers out there that saw a different story, please let me know.

    Perhaps the worst possible scenario is when a bank website is hosting malicious ads: you never know what can be installed and when on your computer if you click on the ad banners.
Something similar happens with security websites hosting malicious ads. They are supposed to be for security information. The people browsing such sites trust the content to be safe, but in actual fact because of the ad banners the resources may be anything but trustworthy.

In this webcast, Kaspersky Lab senior security researcher Roel Schouwenberg talks about the Diginotar certificate authority breach and the implications for trust on the Internet. Schouwenberg also provides a key suggestion for all major Web browser vendors.