After intercepting one of the domain names used by the Flashback/Flashfake Mac Trojan and setting up a special sinkhole server last Friday, we managed to gather stats on the scale and geographic distribution of the related botnet. We published information on this in our previous blog entry.
We continued to intercept domain names after setting up the sinkhole server and we are currently still monitoring how big the botnet is. We have now recorded a total of 670,000 unique bots. Over the weekend (7-8 April) we saw a significant fall in the number of connected bots:
This doesn’t mean, however, that the botnet is shrinking rapidly – these are merely the numbers for the weekend.
Over the last few days our server has registered all the data sent by bots from the infected computers and recorded their UUIDs in a dedicated database. Based on this information we have set up an online resource where all users of Mac OS X can check if their computer has been infected by Flashback.
To find out if your computer is infected and what to do if it is, visit: flashbackcheck.com
Also users can check if they’re infected with Flashfake by using Kaspersky Lab’s free removal tool.
Earlier this week, Dr.Web reported the discovery of a Mac OS X botnet Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500, 000 infected Mac machines.
We followed up with an analysis of the latest variant of this bot, Trojan-Downloader.OSX.Flashfake.ab.
It is being distributed via infected websites as a Java applet that pretends to be an update for the Adobe Flash Player. The Java applet then executes the first stage downloader that subsequently downloads and installs the main component of the Trojan. The main component is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute.
The bot locates its C&C servers by domain names, and these names are generated using two algorithms. The first algorithm depends on the current date, and the second algorithm uses several variables that are stored in the Trojan’s body and encrypted with the computer’s hardware UUID using RC4 cipher.
We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, "krymbrjasnof.com". After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.
We cannot confirm nor deny that all of the bots that connected to our server were running Mac OS X. The bots can be only identified by a unique variable in their User-Agent HTTP header named “id”, the rest of the User-Agent is statically controlled by the Trojan. See example below:
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"
We have used passive OS fingerprinting techniques to get a rough estimation. More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs.
Q: What is the Hlux/Kelihos botnet?
A: Kelihos is Microsoft's name for what Kaspersky calls Hlux. Hlux is a peer-to-peer botnet with an architecture similar to the one used for the Waledac botnet. It consists of layers of different kinds of nodes: controllers, routers and workers.
Q: What is a peer-to-peer botnet?
A: Unlike a classic botnet, a peer-to-peer botnet doesn't use a centralized command and control-server (C&C). Every member of the network can act as a server and/or client. The advantages from the malicious user’s point of view is the omission of the central C&C as a single-point-of-failure. From our point of view, this makes it a lot harder to take down this kind of botnet.
Architecture of traditional botnet vs P2P:
Last September, in partnership with Microsoft’s Digital Crimes Unit (DCU), SurfNET and Kyrus Tech, Inc., Kaspersky Lab successfully disabled the dangerous Hlux/Kelihos botnet by sinkholing the infected machines to a host under our control.
A few months later, our researchers stumbled upon a new version of the malware with significant changes in the communication protocol and new “features” like flash-drive infection, bitcoin-mining wallet theft.
Now, we are pleased to announce that we have partnered with the CrowdStrike Intelligence Team, the Honeynet Project and Dell SecureWorks to disable this new botnet.
The internet is full of infected hosts. Let's just make a conservative guesstimate that there are more than 40 million infected victim hosts and malware serving "hosts" connected to the internet at any one time, including both traditional computing devices, network devices and smartphones. That's a lot of resources churning out cybercrime, viruses, worms, exploits, spyware. There have been many suggestions about how to go about cleaning up the mess, the challenges are complex, and current cleanups taking longer than expected.
Mass exploitation continues to be an ongoing effort for cybercriminals and a major problem - it's partly a numbers game for them. Although exploiting and infecting millions of machines may attract LE attention at some point, it's a risk some are willing to take in pursuit of millions of dollars that could probably be better made elsewhere with the same effort. So take, for example, the current DNSChanger cleanup. Here is a traditional profit motivated 4 million PC and Mac node malware case worked by the Fbi, finishing with a successful set of arrests and server takedown.
This is not the first time the HLUX botnet has been mentioned in this blog, but there are still some unanswered questions that we’ve been receiving from the media: What is the botnet’s sphere of activity? What sort of commands does it receive from malicious users? How does the bot spread? How many infected computers are there in the botnet?
Before answering the questions it’s important to clarify that the HLUX botnet we previously disabled is still under control and the infected machines are not receiving commands from the C&C, so they’re not sending spam. Together with Microsoft’s Digital Crimes Unit, SurfNET and Kyrus Tech, Inc., Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from the C&C.
The answers below refer to a new version of the HLUX botnet – it’s a different botnet but the malware being used is build using the same HLUX coding. Analysis of a new bot version for the HLUX botnet (md5: 010AC0BFF69EB945108B57B40A4784BE, size: 882176 B) revealed the following information.
As we already known, the bot distributes spam and has the ability to conduct DDoS attacks. In addition, we have discovered that:
Part of the HLUX code that interacts with FTP clients
Part of the HLUX code used to steal Bitcoin wallets
The bot is loaded onto users’ computers from numerous sites hosted on fast flux domains primarily in the .EU domain zone. The bot installs small downloaders (~47 KB) on the system. These downloaders have been detected on computers in the GBOT and Virut botnets. The downloaders can be loaded to computers within minutes of a machine being infected by the malware mentioned above (GBOT and Virut). This distribution method hinders the detection of the primary bot distribution source.
Bot installations have also been detected during drive-by attacks that make use of the Incognito exploit kit.
The number of computers in the new HLUX botnet is estimated to be tens of thousands, based on the numbers in the approximately 8000 IP addresses detected in operations conducted via P2P.
As before, the HLUX botnet primarily receives commands to distribute spam. However, another malicious program, which we wrote about here, is also being installed on the botnet. Its main functionality is fraudulent manipulation of search engines along the lines of TDSS.
The HLUX botnet, both old and new, is a classic example of organized crime in action on the Internet. The owners of this botnet take part in just about every type of online scam going: sending spam, theft of passwords, manipulation of search engines, DDoS etc.
It is not uncommon for new versions of botnets to appear, and it’s one of the challenges we face in the IT security industry. We can neutralize botnet attacks and delay cyber criminal activities but ultimately the only way to take botnets down is to arrest and persecute the creators and groups operating them. This is a difficult task because security companies face different federal policies and legislation in various countries where botnets are located. This causes the law enforcement investigations and legal process to be a long and arduous process.
We’ll continue monitoring this particular botnet and keep you up to speed with any technical developments.
P.S. We noticed this on one fast flux domain that was earlier spreading HLUX:
It’s not yet clear whether this is the control panel of the HLUX botnet.
It has been four months since Microsoft and Kaspersky Lab announced the disruption of Kelihos/Hlux botnet. The sinkholing method that was used has its advantages — it is possible to disable a botnet rather quickly without taking control over the infrastructure.However,as this particular case showed, it is not very effective if the botnet’s masters are still at large.
Not long after we disrupted Kehilos/Hlux, we came across new samples that seemed to be very similar to the initial version. After some investigation, we gathered all the differences between the two versions. This is a summary of our findings:
Let’s start with the lowest layer, the encryption and packing of Kelihos/Hlux messages in the communication protocol. For some reason, in the new version, the order of operations was changed. Here are the steps of processing an encrypted data for retrieving a job message which is organized as a tree structure:
|№||Old Hlux||New Hlux|
|1||Blowfish with key1||Blowfish with new key1|
|2||3DES with key2||Decompression with Zlib|
|3||Blowfish with key3||3DES with new key2|
|4||Decompression with Zlib||Blowfish with new key3|
Kaspersky Lab malware researcher Tillmann Werner joins Ryan Naraine to talk about the threat from peer-to-peer botnets. The discussions range from botnet-takedown activities and the ongoing cat-and-mouse games to cope with the botnet menace.
Kaspersky Lab malware analyst Dmitry Besthuzhev looks at cybercrime in Latin America and makes a prediction regarding state-sponsored cyber-attacks in the region.
At Virus Bulletin 2011, we presented on the exploding level of delivered Java exploits this year with "Firing the roast - Java is heating up again". We examined CVE-2010-0840 exploitation in detail, along with variants of its most common implementation on the web and some tools and tips for analysis. Microsoft’s security team presented findings for 2011 that mirrored ours in relation to Java exploit prevalence on the web – it is #1! At the same time, aside from the recent, well-known BEAST Java implementation, it is striking that it has been very uncommon to see Java backdoors, Trojans and spyware. But that lack of Java malware variety is beginning to change. My colleague, malware analyst Roman Unucheck, identified a new Java bot with some interesting characteristics that we named "Backdoor.Java.Racac".