10/28/2009 6:41:00 PM

Malware spreading via 'Facebook Password Reset Confirmation' email

by Mahran Amona

Facebook users are once again under attack. A new variant of the Bredolab Trojan is spreading through spam email messages that appear to come from Facebook.

The messages claim to come from “The Facebook Team”; the SMTP sender address is spoofed. The attached archive contains an executable which, if run, infects the user with a Trojan horse.

The following is an example of the spammed email messages:


Subject: Facebook Password Reset Confirmation.

Hey andi ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team

The attachment may come with the following name:

Facebook_Password_3db40.zip
or
Facebook_Password_[5 random characters].zip

This Bredolab variant downloads and executes further malware on the affected machine, such as rogue anti-virus software; to bypass firewalls, it injects its own code into the legitimate processes svchost.exe and explorer.exe.
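As an added illustration, not part of the original post, the following Python script triages a message for the traits described above: a displayed From domain that differs from the envelope sender recorded in Return-Path, an attachment name matching the Facebook_Password_[5 characters].zip pattern, and a zip archive that carries an executable. The sample message, its addresses, its Return-Path and the placeholder bytes inside the archive are all constructed for the demo.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment name pattern quoted in the post: Facebook_Password_[5 random characters].zip
LURE_NAME_RE = re.compile(r"^Facebook_Password_[0-9a-z]{5}\.zip$", re.IGNORECASE)
# Extensions Windows will execute directly when a user double-clicks them
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".cmd", ".bat")


def _domain(header_value):
    """Lower-cased domain of the first address found in a header value ('' if none)."""
    if not header_value:
        return ""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value))
    return m.group(1).lower() if m else ""


def triage(raw):
    """Parse a raw RFC 5322 message and return a list of findings; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Heuristic 1: the displayed From domain differs from the envelope sender recorded in Return-Path.
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"envelope/header mismatch: From={from_dom} Return-Path={rp_dom}")

    # Heuristic 2: lure-like attachment names, and zip archives that contain an executable.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if LURE_NAME_RE.match(name):
            findings.append(f"lure filename: {name}")
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(EXECUTABLE_EXTS):
                            findings.append(f"executable inside archive: {name} -> {member}")
            except zipfile.BadZipFile:
                findings.append(f"attachment named .zip is not a valid archive: {name}")
    return findings


def build_sample():
    """Construct a message shaped like the lure in the post (synthetic; the archive holds placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password.exe", b"MZ" + b"\0" * 62)  # placeholder, not a real program
    msg = EmailMessage()
    msg["Return-Path"] = "<bounce@mailer.example.net>"            # constructed envelope sender
    msg["From"] = "The Facebook Team <no-reply@facebook.com>"     # spoofed display sender
    msg["To"] = "andi@example.com"
    msg["Subject"] = "Facebook Password Reset Confirmation."
    msg.set_content(
        "Hey andi ,\n\nBecause of the measures taken to provide safety to our clients, "
        "your password has been changed.\nYou can find your new password in attached document.\n"
        "\nThanks,\nThe Facebook Team\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_3db40.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("[!]", finding)
```

The Return-Path comparison is only a heuristic: it catches the simple spoof where the envelope sender and the displayed sender disagree, and a mail gateway would normally pair it with SPF or DKIM results rather than rely on it alone.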


Malweb | Spam

6/15/2009 4:15:00 PM

Turkish governmental websites under attack

by Bahaa Naamneh

Several Turkish governmental websites have come under web attack. The following websites have been compromised, and obfuscated JavaScript and IFrame tags have been injected into them:

http://[hidden]isar.meb.gov.tr
http://[hidden]ele.meb.gov.tr
http://[hidden]kale.meb.gov.tr
http://[hidden]lu-gsim.gov.tr
http://[hidden]zigrsh.gov.tr

Each of the IFrame tags leads to a different malicious domain, which ends up downloading a variety of Trojans, including info-stealers and botnet Trojans.

One of the IFrames leads to a rather interesting malicious script with a 0 detection rate on VirusTotal (we have already added a signature for this script, and it will be available in the next update).

The obfuscation routine of that script makes heavy use of HTML tags: the data needed by the de-obfuscation JavaScript routine is stored in HTML tags rather than in the script itself.

The script then downloads a Trojan downloader which, once run, fetches a second Trojan that steals FTP accounts. The latter searches the file system and the registry for the saved accounts of several FTP clients and sends them to a Chinese domain:
http://f97q.cn/r4/t1.php



Malweb

5/17/2009 4:54:00 PM

Analysis of botnet attack targeting Instant Messaging users

by Bahaa Naamneh

In this blog post I’ll examine a botnet attack utilizing Instant Messaging services such as AIM and Live Messenger to recruit infected computers. This botnet spreads a malicious Sdbot variant with a low detection rate; the following is a detailed technical analysis of this bot.

The Attack Vector
The Trojan itself arrives through MSN Messenger as a message with a link sent out by contacts with infected systems. Here is an example of a sent message:

Once the user clicks on the link, an executable is downloaded to the user’s system. The executable does not launch on its own; the user must run it manually.

The downloaded executable is a Win32 Cabinet Self-Extractor given a name which makes it appear like an image file: IMG000985215488524-JPEG.EXE.

This Trojan has a very low detection rate according to VirusTotal. At the time of writing, only 7 out of 40 AV products detect this bot.


Antivirus          Version       Last update   Result
a-squared          4.0.0.101     2009.05.13    Win32.SuspectCrc!IK
AntiVir            7.9.0.166     2009.05.13    SPR/Tool.Injector.101376B
eSafe              7.0.17.0      2009.05.13    Win32.Trojan
Ikarus             T3.1.1.49.0   2009.05.13    Win32.SuspectCrc
McAfee-GW-Edition  6.7.6         2009.05.13    Riskware.Tool.Injector.101376B
Microsoft          1.4602        2009.05.13    VirTool:Win32/Injector.gen!B
Prevx              3.0           2009.05.13    Medium Risk Malware


The Cabinet Self-Extractor file drops a file named d.exe, which carries another packed PE file in its resource section (packed with a custom packer).

The decoding routine


The decoding routine of the bot (part 1).


The decoding routine of the bot (part 2).


The decoding routine of the bot (part 3).

Now, to get the new executable, we can simply dump the memory into a file and, using a hex editor, cut the junk data from the beginning of the dump file:

Then, using a tool such as Stud_PE, cut off the extra data at the end of the dump file:


Now we have the real Trojan. At a glance we can clearly see that it is an IRC bot, more precisely an SdBot, which connects to an IRC server and joins a channel to wait for further commands from its operators.
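The two manual steps above, trimming the junk before the MZ header and the extra bytes after the last section, can be automated. The following Python script is an added example, not the tooling used in the post: it scans a dump for MZ headers, validates the PE signature behind e_lfanew, and uses the section table (the largest PointerToRawData + SizeOfRawData) to compute where the image ends on disk, which is the same figure Stud_PE derives. The sample dump is a synthetic, non-loadable PE32 skeleton constructed inline.

```python
import struct
import sys

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def pe_extent(buf, off):
    """Size of the PE image whose MZ header starts at buf[off], computed from its headers; None if not a PE."""
    try:
        if buf[off:off + 2] != MZ:
            return None
        e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
        pe = off + e_lfanew
        if buf[pe:pe + 4] != PE_SIG:
            return None
        nsections = struct.unpack_from("<H", buf, pe + 6)[0]      # IMAGE_FILE_HEADER.NumberOfSections
        size_opt = struct.unpack_from("<H", buf, pe + 20)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
        sec = pe + 24 + size_opt                                   # first IMAGE_SECTION_HEADER
        end = sec + 40 * nsections                                 # at minimum the headers themselves
        for i in range(nsections):
            raw_size, raw_ptr = struct.unpack_from("<II", buf, sec + 40 * i + 16)
            end = max(end, off + raw_ptr + raw_size)               # raw pointers are relative to the MZ
    except struct.error:
        return None
    return end - off if end <= len(buf) else None


def carve(dump):
    """Scan a memory dump and return [(offset, image_bytes)] for every PE image found, junk trimmed."""
    found, pos = [], 0
    while True:
        pos = dump.find(MZ, pos)
        if pos < 0:
            return found
        size = pe_extent(dump, pos)
        if size:
            found.append((pos, dump[pos:pos + size]))
            pos += size
        else:
            pos += 1   # an 'MZ' that is not a valid header: keep scanning


def build_sample_pe(code=b"\xC3" * 16):
    """Construct a minimal PE32 skeleton with one section (synthetic, not loadable; for the demo only)."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header right after the DOS header
    size_opt = 0xE0                                          # optional header size for PE32
    coff = PE_SIG + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    raw_ptr = 0x200
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), 0x1000, len(code), raw_ptr,
                                           0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + coff + bytes(opt) + section
    return header.ljust(raw_ptr, b"\0") + code


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        # Constructed dump: junk, a stray 'MZ', more junk, the skeleton image, trailing garbage.
        data = b"\x90" * 100 + b"MZ" + b"\x90" * 50 + build_sample_pe() + b"\xCC" * 200
    for off, image in carve(data):
        print(f"PE at offset {off:#x}, {len(image)} bytes")
```

Pass a dump file as the first argument to carve it; with no argument the script runs on the constructed sample. The size computed from the section table is a lower bound: a packer that appends an overlay past the last section, as many do, would need the overlay re-attached from the original file.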

The detection rate on VirusTotal improves now, with 21 out of 40 products detecting this bot:


Antivirus          Version       Last update   Result
a-squared          4.0.0.101     2009.05.13    Virus.Win32.IRCBot.BSX!IK
AntiVir            7.9.0.166     2009.05.13    TR/Spy.Gen
Authentium         5.1.2.4       2009.05.13    W32/Bloop.A.gen!Eldorado
Avast              4.8.1335.0    2009.05.12    Win32:IRCBot-BSX
BitDefender        7.2           2009.05.13    Backdoor.Agent.AAAT
DrWeb              5.0.0.12182   2009.05.13    DLOADER.IRC.Trojan
eSafe              7.0.17.0      2009.05.13    Win32.Trojan
F-Prot             4.4.4.56      2009.05.13    W32/Bloop.A.gen!Eldorado
F-Secure           8.0.14470.0   2009.05.13    Backdoor.Win32.SdBot.eit
GData              19            2009.05.13    Backdoor.Agent.AAAT
Ikarus             T3.1.1.49.0   2009.05.13    Virus.Win32.IRCBot.BSX
Kaspersky          7.0.0.125     2009.05.13    Backdoor.Win32.SdBot.eit
McAfee             5613          2009.05.12    W32/Sdbot.worm.gen.a
McAfee+Artemis     5613          2009.05.12    W32/Sdbot.worm.gen.a
McAfee-GW-Edition  6.7.6         2009.05.13    Trojan.Spy.Gen
Microsoft          1.4602        2009.05.13    Worm:Win32/Pushbot.gen
NOD32              4070          2009.05.13    probably a variant of IRC/SdBot
Norman             6.01.05       2009.05.13    W32/Malware
Rising             21.29.24.00   2009.05.13    Worm.Win32.Pushbot.ad
Symantec           1.4.4.12      2009.05.13    W32.Spybot.Worm
VBA32              3.12.10.5     2009.05.13    suspected of Backdoor.xBot.1 (paranoid heuristics)


The following are the commands used by this botnet:
login || l
logout || lo
rm
download
update
gone || rmzerm3b1tch
threads || t
r.getfile
r.new
r.update || r.upd4te
msn.msg
msn.stop
aim.msg
aim.stop
trion.msg
trion.stop

Inspecting the strings of the new executable shows that the bot’s functionality includes:
- Download and execute remote files
- Registry manipulation
- Services manipulation
- Opening sockets, including sending and receiving data through sockets
- Sending/Downloading data through HTTP
- Uploading/Downloading files through FTP
- DNS manipulation
- Open ports in the infected systems and hide those ports
- Retrieve TCP, UDP listener tables
- Retrieve MIB-II interface table
- Retrieve IP-to-physical address mapping table
- Add/Remove Network Connections
- Keylogging
- ARP table manipulation
- ODBC functionalities


Malweb

5/14/2009 10:49:00 AM

How a popular nightlife website ruined its visitors' weekend

by Mahran Amona

Once again, eCriminals took advantage of a legitimate and popular website as an attack vector for propagating Malweb. Layla.co.il, a popular nightlife website in Israel, was compromised by eCriminals and is serving a malicious bot to its visitors.


Image 1: Entries in our AID (Attack Intelligence Datacenter) indicating that layla.co.il contains MalWeb.

A hidden IFrame tag has been injected into all pages under the “campaign” directory. The IFrame loads a malicious page which attempts to download and execute a Trojan using one of the following exploits:
1. Microsoft Access Snapshot Viewer ActiveX Control Exploit
2. SWF Exploit
3. PDF Exploit
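Both this post and the Turkish government sites post above describe hidden IFrame tags injected into compromised pages. As an added example that is not part of either post, the Python script below audits a page’s HTML for the usual hiding tricks: an IFrame whose src points at a host other than the page’s own, zero- or one-pixel dimensions, and display:none or visibility:hidden inline styles. The sample page and the hostnames in it are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS fragments that make a frame invisible while it still loads its src
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (optionally with a 'px' suffix)."""
    if value is None:
        return False
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


class IFrameAuditor(HTMLParser):
    """Collects every <iframe> start tag and records the hiding tricks it exhibits."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []          # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        host = urlparse(src).netloc.lower()
        if host and host != self.page_host:
            reasons.append(f"third-party src {host}")
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("zero/one-pixel size")
        style = a.get("style", "").replace(" ", "").lower()
        if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append((src, reasons))


def audit(html, page_host):
    """Return [(src, reasons), ...] for every suspicious iframe in the page source."""
    parser = IFrameAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate embed and one injected, invisible frame.
SAMPLE_HTML = """<html><body>
<h1>Campaign page</h1>
<iframe src="http://www.example-site.test/video" width="640" height="360"></iframe>
<iframe src="http://malicious-host.invalid/in.php" width="0" height="0" style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit(SAMPLE_HTML, "www.example-site.test"):
        print(f"[!] {src}: {', '.join(reasons)}")
```

This inspects the static source only; an IFrame that an obfuscated script writes into the DOM at runtime, as in the Turkish sites case, would need the page rendered in an instrumented browser before the same checks apply.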

The downloaded executable is a bot that is instructed to download a rootkit which acts as a guard for it. The rootkit installs itself as a service named “DCOM Server Process Launcher DcomLaunchMessenger”.

To evade detection, this Trojan prevents a long list of Antivirus and security applications from running.

Once the bot is launched, it sends some information to its C&C (Command and Control) system hosted at a Ukrainian server.

More than 200,000 machines worldwide have been infected by this attack so far; each infected machine joins an army of botnet zombies ready to be controlled by eCriminals to launch cyber attacks. The following map shows the distribution of infected machines.


Image 2: A distribution map showing the locations of machines infected by the attack.


Malweb | eCrime

2/8/2009 9:39:00 PM

Fighting an infection vector with new standards - ClickJacking

by Iftach Ian Amit

If you haven’t heard yet, the newest version of Microsoft’s Internet Explorer, IE8 RC1, has been endowed with support for “anti-clickjacking” (for background on clickjacking, see http://ha.ckers.org/blog/20080915/clickjacking/).

This new feature is essentially an implementation of a new response header (X-FRAME-OPTIONS), returned by a server, which defines the scope of “nesting” allowed for a specific site. This means that sites can potentially control whether their content may be rendered inside an IFrame element, and where (on pages from third-party sites, only on pages within the site itself, or not at all).

The solution proposed here is nice, but time will tell if or when sites will start adopting it. Nevertheless, while playing around with the new feature’s behavior, I noticed that, without much PR, Firefox also supports the same functionality.


Image 1: blocking the inclusion of a site in an IFRAME where the site returned a header X-FRAME-OPTIONS: DENY 


Image 2: Firefox blocking the included IFrame, and showing the actual header returned from the site.

Now, with only Chrome and Opera left to jump on the bandwagon, we might actually have a chance to see some changes in the web security landscape (as you may remember, most web-borne attacks are delivered through the inclusion of an invisible IFrame hosting malicious code). That is, if only this protocol could be reversed to declare that no IFrames should be rendered ON a given site, thus preventing injected IFrame elements from being delivered to the users of a compromised site.
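As an added example, not part of the original post, here are both sides of the mechanism in Python: a WSGI middleware that stamps X-Frame-Options on every response (the server’s part), and a small function modelling the browser’s decision for the values DENY, which the post shows, and SAMEORIGIN, where the comparison is on scheme plus host plus port. The URLs, the placeholder application and the assumption that a browser treats an unrecognised value as if the header were absent are this example’s own.

```python
from urllib.parse import urlsplit


def origin(url):
    """scheme://host[:port], the unit a browser compares for SAMEORIGIN."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_allowed(xfo, frame_url, top_url):
    """Model of a browser's decision: may the document at frame_url render inside the page at top_url?

    xfo is the X-Frame-Options value the framed document was served with (None = header absent).
    Only DENY and SAMEORIGIN are modelled; an unrecognised value is treated like an absent header
    (an assumption of this example).
    """
    if xfo is None:
        return True
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(frame_url) == origin(top_url)
    return True


def deny_framing(app, value="DENY"):
    """WSGI middleware: the server side of the mechanism, stamping X-Frame-Options on every response."""
    def wrapped(environ, start_response):
        def start_response_with_xfo(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", value))
            return start_response(status, headers, exc_info)
        return app(environ, start_response_with_xfo)
    return wrapped


def login_page(environ, start_response):
    """Placeholder application standing in for a page worth protecting (constructed for the demo)."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body><form>login form</form></body></html>"]


def response_headers(app, path="/"):
    """Run one GET through a WSGI app without a network and return (status, {header: value}, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    status, headers, _ = response_headers(deny_framing(login_page))
    print(status, headers["X-Frame-Options"])
    # Example URLs are constructed; attacker.example stands for a page attempting the overlay.
    for xfo in (None, "SAMEORIGIN", "DENY"):
        print(f"{xfo!s:10} third-party frame allowed: "
              f"{frame_allowed(xfo, 'https://bank.example/login', 'https://attacker.example/')}")
```

The middleware replaces any existing X-Frame-Options header rather than appending a second one, since a duplicated or conflicting value is exactly the kind of input a browser may reject. As the post notes, the header only protects the site that sends it; it says nothing about frames injected into that site’s own pages.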


Malweb