Analysis of a very social malware
Yesterday Polish security portal, Niebezpiecznik.pl, has informed about a new kind of malware spreading through Facebook (article in Polish). CERT Polska got a sample of this malicious software to analyse. Despite Facebook being not a new attack vector, this malware sample is very interesting. Currently it is detected by some antiviruses, but not even a majority. Additionally, this malware is protected against both debugging and network traffic analysis. In order to protect binary code from reverse engineering, it was obfuscated using a special Protector. Network traffic is encrypted (even the DNS queries!) and produced in excess.
Niebezpiecznik.pl provided following VirusTotal results for this malware sample:
How does it spread?
Our analysis showed that malware can spread in a three, very social, ways. Firstly, it spreads through Facebook, writing a chat short chat message and posting following message on a wall:
http://xxxxxxxx.com/xxxxxxxx.php?ref=facebook&w=[random characters]&resource=youtube&w=[name] :* favourite [random characters] :D
Secondly, it sends a following Skype message:
youtube favourite [random characters]! http://xxxxxxxx.com/xxxxxxxx.php?ref=facebook&w=[random characters]&resource=youtube&w=[name]
Finally, it sends an MSN message:
:* http://xxxxxxxx.net/xxxxxxxx.php?ref=facebook&w=[random characters]&resource=youtube&w=[name] youtube hit [random characters] :D
After clicking on one of the above links, malware is downloaded to the victim’s computer. Application icon suggests that it is a JPG image. If user has hidden file extensions (turned on by default), she can be persuaded to click on an application, thinking it is an image.
What is it doing?
Upon starting, malware sends a lot of DNS queries (over 70!) asking for different addresses, both of known services (e.g. goo.gl or tinyurl.com) and malicious sites, which will be used later to communicate with the C&C server. By doing so, it ensures that the C&C domain is present in the Windows DNS cache, so when malware asks for this domain again there is no evidence in the network traffic which server was used as a C&C. List of all domains is provided below.
Additionally, malicious software does not use the DNS answer directly. IP address retrieved from DNS is in some way “encrypted” and after decryption it is used for an encrypted HTTP communication with the C&C. This makes a network traffic analysis very difficult. Server sends a configuration to the malware which specifies, among other things, the way it should spread. Decrypted config, which our sample downloaded, is provided below.
youtube hit %RAND2% :D
:* favourite %RAND2%! :D
skype= youtube favourite %RAND3%!
Configuration is decrypted (and encrypted) using the function below.
Victim’s computer is then used to spread the malware, using contacts from Facebook, Skype and MSN communicator using the links provided above. The
dl property is used to download additional malicious software and infect the computer with it. Additionaly, homepage of all major browsers is set to the value of
hp property using a function provided below.
Malware also adds itself to the Windows autorun list.
Domains used to spread the malware are:
However, it should be noted that these malware domains are easily changable through configuration.
Non-standard use of DNS queries
This malware is exceptional in a way that it generates a lot of DNS traffic. Additionally, to retrieve the IP address of C&C it does not use the DNS response directly, rather decrypting it first using a function presented below.
For example, if the DNS query returned IP address
18.104.22.168, it will be decrypted to
How to recognize it in network traffic?
It is very easy to recognize the presence of this malware during a network traffic analysis. It uses a very specific HTTP header
User-Agent: cvc_v105. Additionaly, an answer from C&C server, always starts with the string