Tag: botnet

Analysis of Emotet v4

Date of publication: 24/05/2017, Paweł Srokosz

Introduction

Emotet is a modular Trojan horse, first noticed in June 2014 by Trend Micro. This malware is related to others such as Geodo, Bugat or Dridex, which researchers attribute to the same family.

Emotet was discovered as an advanced banker: its first campaign targeted clients of German and Austrian banks. Victims' bank accounts were infiltrated through a web browser infection which intercepted communication between the web page and the bank's servers. In this scenario, the malware hooks specific routines to sniff network activity and steal information. This technique is typical for modern banking malware and is widely known as a Man-in-the-Browser attack.

The next, modified release of the Emotet banker (v2) took advantage of another technique: automating the theft of money from hijacked bank accounts using ATSs (Automated Transfer Systems; more information on page 20 of the CERT Polska Report 2013). This technology is also used in other bankers, good examples being ISFB (Gozi) or Tinba.

At the beginning of April 2017, we observed a wide malspam campaign in Poland distributing fraudulent e-mails. The e-mails imitated delivery notifications from the DHL logistics company and contained a malicious link, which led to a brand-new, unknown variant of Emotet.

Malware distributed in this campaign differed from previously known versions. Its behavior and communication methods were similar, but the malware used different encryption and we noticed significant changes in its code. Thus we called this modification version 4.

How non-existent domain names can unveil DGA botnets

Date of publication: 01/10/2015, piotrb

Domain Generation Algorithms are used in botnets to make it harder to block connections to Command & Control servers and to make it difficult to take over botnet infrastructure. The main objective of these algorithms is to generate a large number of different domain names which usually look random, like pkjdgjwzcr.pl. Only some of them are registered by a botmaster; however, compromised hosts tend to query all of them until they find a working domain. As a result, bots can receive a large number of non-existent domain name responses (in short: NXDomain). In this entry we will show how such behavior can be utilized to detect DGA botnets, using examples of different detection methods.

DGA botnet domains: on false alarms in detection

Date of publication: 17/04/2015, CERT Polska

Domain Generation Algorithms are often used in botnets to create specially crafted domain names which point to C&C servers. The main purpose of this is to make it more difficult to block connections to these servers (for example with domain blacklists) or to protect the C&C channel (and the botnet itself) from a takeover. Often domains generated this way are composed of random characters, for example gdvf5yt.pl, which appear nonsensical but nevertheless allow the botmaster to manage their bots. While working on detection of algorithmically generated domains (we have covered cases of their usage here and here) we have found examples of domains which are similar in weirdness of appearance to those used in botnets, but are utilized for different, legitimate purposes. Identification of these domains is useful in eliminating a large number of false alarms in DGA botnet detection systems. In this entry we will describe how such domains are used in a non-malicious way, and in a future post we will look into cases which can be seen as threats.

E-mail trojan attack on Booking.com and online auction website Allegro.pl clients

Date of publication: 25/06/2014, CERT Polska

During the last few days, we have observed an attack on Polish users of the auction website Allegro.pl and the hotel reservation portal Booking.com. These attacks were directed at Polish users. Victims received a personalized e-mail informing them that their account had been blocked, either due to outstanding fees or due to inappropriate auction content. In the case of Booking.com, users were led to believe that they had made a reservation and that an invoice for that reservation was included in the e-mail message. Both campaigns had nearly identical infection schemes, which makes it very likely that they were performed by the same person or group.

A look on the VBKlip “battlefield”

Date of publication: 29/05/2014, CERT Polska

On multiple occasions we have informed about a new threat to Polish online banking users, which we named VBKlip. This is a new kind of malware that substitutes the bank account number that has been copied to the clipboard. This works when we try to, e.g., pay a bill and copy the bank account number to paste it into the online banking wire transfer page. Instead of paying the bill, we send that money to the attacker. In this article, we publish a detailed analysis of this threat. We consider it a serious threat, because we constantly receive reports from users that they have been infected with it and their money has been stolen.

Takeover of Domain Silver, Inc .pl domains – updated with sinkhole statistics

Date of publication: 23/08/2013, CERT Polska

On 30th of July 2013, NASK terminated its agreement with a registrar, Domain Silver, Inc. We described the reason for that decision in a detailed technical report. Today we publish an updated version of the report with our sinkhole statistics. These statistics were gathered from 20 different botnets sinkholed by our servers. All of them used domains registered through Domain Silver, Inc. These are not all of the botnets that used Domain Silver as the registrar, but only the ones that were sinkholed as of 23rd of July 2013. The botnet malware included ZeuS ICE IX, Citadel, Andromeda/Gamarue and Dorkbot/NgrBot. Among them is also the Citadel plitfi botnet, the takedown of which we described previously in a detailed report. Highlights from the gathered data are:

Anti-botnet effort continues – takeover of Domain Silver, Inc .pl domains

Date of publication: 31/07/2013, CERT Polska

Today we publish an overview of domains registered through Domain Silver, Inc, a registrar operating in the .pl domain. This registrar started operating in May 2012. Since that time, the CERT Polska team has observed a large increase in the number of malicious domains registered in .pl and has received many complaints concerning domains registered through Domain Silver. Most of the malicious domains present in .pl were registered through Domain Silver. In May 2013, dozens of domains used for botnet C&C purposes were seized and sinkholed by NASK and CERT Polska. Following further unsuccessful attempts to remedy the situation, NASK (the .pl ccTLD registry) decided to terminate its agreement with the registrar. In the following sections of the document we explain what the malicious domains registered were used for (as of 9th July 2013), what botnets used the domains and why they posed a threat to the Internet community.