The Bredolab Files - Symantec

email or as a component of a drive-by download attack when a user ... A specially crafted email using the DHL invoice theme .... Additionally, the domain ad-.
2MB Sizes 1 Downloads 151 Views
Security Response

The Bredolab Files Gilou Tenebro Software Engineer


Introduction...........................................1 Infiltration methods..............................1 Installation.............................................5 Controller and Agent.............................6 Covert Messages...................................8 Extracting the Entities........................11 Actions per Entity ...............................12 Report per Entity.................................13 Log File................................................14 Conclusion...........................................14 Appendix A: More samples of Bredolab-related spam........................15 Appendix B: Detailed packet capture of drive-by downloads.........................18 Appendix C: Binary Protections..........19 References...........................................23

Introduction Trojan.Bredolab is a downloader that acts as a carrier or installer for arbitrary threats. It may download a password stealer, bot, rootkit, backdoor, or a misleading application. Some of the well-known threats it has been observed downloading include Backdoor.Rustock, Trojan.Srizbi, Trojan.Fakeavalert, and W32.Waledac. Since Bredolab installs a random mixture of threats, the symptoms of infection are often a combination of the different threats’ payloads and may vary from one computer to another. As a matter of fact, these blended symptoms often lead to confusion. Some affected users are inclined to think that they have been infected by a new threat when in fact the symptoms were caused by multiple threats present on the system. Unlike most downloaders, Bredolab uses several different tactics to propagate and armor itself. It uses different attack vectors, social engineering techniques, and protects itself with server-side polymorphism, armored packers, and encrypted communications. Figure 1 shows how Bredolab gains access to a system and infects it with a random number of different threats. These aspects and techniques will be discussed in more detail in the sections that follow.

Infiltration methods This malware may not be self-propagating, but it still manages to spread through other attack vectors. We have currently seen Bredolab infiltrate systems in two ways—arriving as an attachment in a specially crafted email or as a component of a drive-by download attack when a user visits a malicious Web site.

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Specially crafted emails In this attack vector, Bredolab arrives as an attachment to a spoofed email that may claim to be an invoice from well-known courier companies like UPS or DHL. It may also arrive in an email pretending to be a Western Union money transfer notice. Another theme also used by Bredolab is a spoofed email claiming to be a tracking number notice for well-known online shopping Web sites. See figure 2 for an example of a Bredolab email. (More examples of Bredolab spam can be found in appendix A of this paper.)

Figure 1

A sample Bredolab infection process

While it uses a variety of topics, we sometimes see Bredolab reuse these themes. For example, around May 2009, it sent out a series of emails that purported to be an invoice for a Western Union money transfer. Later on, at the end of August 2009, we started seeing the same theme being used again. It was another email pretending to be a notice for a Western Union money transfer, but with slight variations in the attachment name and message body. While the subject, message body, and the file name of the attachment vary, a Bredolab email usually contains a .zip file attachment containing the installer for Bredolab. The file extracted from the attached archive in figure 2 disguises itself as an Excel file by using a similar file icon. This is a common social engineering trick often used by threats to convince the user to open the email attachment.

Figure 3

File icons used by Bredolab

If the user’s operating system is set to hide file name extensions, they would not see the .exe extension and the file would look like a legitimate Excel document. The user might think that it is a valid invoice document and open it without question. For more samples of file-type icons that Bredolab is known to imitate, see figure 3. Figure 2

A specially crafted email using the DHL invoice theme

Page 2

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

The bar graph in figure 4 provides a quick look at the Bredolab emails that we have received in our spam traps and their source countries over the last month. The source IP addresses shown below are the top 27 countries found to be a source of Bredolab emails. Figure 4

Top 27 source countries from Bredolab emails received August 1 - September 8, 2009

Due to the variety of source addresses for the Bredolab spam emails, we can reasonably assume that the Bredolab emails were sent out from compromised computers that have been infected by a spam bot. One such distributor of Bredolab emails that we have found is Trojan.Pandex, also commonly known as Pushdo or Cutwail. The Pandex botnet has the capability to pull email templates from its command and control (C&C) servers and create customized emails. Using these templates, Pandex is able to combine different email headers, message bodies, and randomize the attachment file name. During our tests, Pandex was observed downloading a Bredolab spam template from its C&C server and attempting to send Bredolab emails. At this point we are still conducting investigations to determine if the Bredolab emails are originating exclusively from Pandex or if other spam bots are also being used to distribute them.

Drive-by-download A second vector used by Bredolab to propagate is drive-by download attacks. This attack method has evolved over several months, from using a small number of exploits with basic exploit encoding, to using multiple exploits with a relatively sophisticated exploit encoder. Figure 5 shows five examples of the decoded forms of the obfuscated JavaScript code that have been used in drive-by download attacks observed installing Bredolab. Figure 6 shows a snapshot of HTTP traffic captured during a drive-by download attack and the traffic generated by Bredolab after it was successfully installed. (A more detailed snapshot of the packet captures for this attack is shown in appendix B.) The first GET request shows the first stage of the attack, in which malicious JavaScript is downloaded and executed when the attacker’s Web site is visited. Upon success, the exploit downloads load.php with an “id” of 0, indicating that the successful exploit was CVE-2006-003,1 a vulnerability in the RDS.Dataspace ActiveX control that comes with Microsoft Data Access Components (MDAC). This exploit-tracking is used by the attacker to statistically follow the success rate of each exploit deployed. The load.php GET request that follows downloads load.exe, which is an installer for Bredolab. Figure 7 shows a partially decoded fragment of the JavaScript code that downloads the Bredolab component through a load.php GET request. This code fragment is still partially obfuscated, even though it has already been decoded from its original form.

Page 3

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Figure 5

Five examples of JavaScript code in drive-by download attacks used to install Bredolab

Figure 6

First stages of an HTTP traffic capture of a sample drive-by download attack, June 2, 2009

Figure 7

A snippet of JavaScript code that downloads and runs the “load.exe” installer for Bredolab

Page 4

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Typically in a drive-by attack, a number of exploits are served, including ones for DirectShow, Snapshotviewer, ActiveX, PDF and Flash. It could also include older exploits, like the aforementioned MDAC, or a newer exploit like CVE-2008-00152,2 a Microsoft Video ActiveX Control stack-based buffer overflow vulnerability that may allow remote code execution.

Installation One way to identify Bredolab presence in a system is through the traffic generated while communicating with its C&C server. When a Bredolab binary is executed, it connects to a remote server and sends an “action=bot” GET request to a controller.php URI. The obfuscated response received contains entities, which are arbitrary threats that Bredolab attempts to install into the computer. Later, Bredolab sends a report to the remote server through an “action=report” GET transaction, as shown in the last exchange in figure 6. (More details about Bredolab’s communication protocol will be discussed in a later section.) The first time a Bredolab binary is executed, it creates a mutex and tries to hide its presence by injecting itself into a valid Windows process, such as explorer.exe or svchost.exe. Moreover, this Trojan utilizes self-starting methods so that it can run every time Windows starts.

Mutex Upon installation, the Trojan may create a mutex with a name that follows this format: _ SYSTEM _ [SEVEN OR MORE RANDOM HEX DIGITS] _ Examples of mutex names that have been used by Bredolab are: • _ • _ • _ • _


_ 3F8A2F5D _ _ 4D2EF3A _ _ A6F2DE5 _ _ F2A5DE7 _

However, even if the mutex is not successfully created, the Trojan may still continue to function.

Self-starting methods As a means to run itself whenever Windows starts, Bredolab has been observed using the following methods.

Method 1 It may copy itself into the %System% folder as grpconv.exe so that it can masquerade as the legitimate file of the same name: %System%\wbem\grpconv.exe It then deletes the following files: • %System%\grpconv.exe • %System%\dllcache\grpconv.exe Afterwards, it creates the following registry entry so that the grpconv.exe file runs when Windows starts: HKEY _ CURRENT _ USER\Software\Microsoft\Windows NT\CurrentVersion\ Winlogon\”RunGrpConv” = “1” The data inside the Winlogon registry key is where many auto-logon activities are based.

Method 2 Similar to the previous method, it may drop a copy of itself into the following path as proquota.exe: %System%\wbem\proquota.exe Page 5

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

It deletes the following files: • %System%\proquota.exe • %System%\dllcache\proquota.exe Then, it creates the following registry value: HKEY _ CURRENT _ USER\Software\Microsoft\Windows\CurrentVersion\Policies\ System\”EnableProfileQuota” = “1” This registry value is where the configuration data for the “Limit Profile Size” policy setting is stored. Enabling this causes proquota.exe to run when Windows starts; however, this time it’s Bredolab posing as proquota.exe.

Method 3 Another method Bredolab uses is to drop a copy of itself as a .dll file into the following path: %System%\[BREDOLAB FILENAME].dll Then, the Trojan modifies the following registry values to include the Bredolab file: • HKEY _ LOCAL _ MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\”SecurityProvi ders” = “[PREVIOUS VALUE OF .DLL FILES], [TROJAN.BREDOLAB .DLL FILE]” • HKEY _ LOCAL _ MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\”Security Providers” = “[PREVIOUS VALUE OF .DLL FILES], [TROJAN.BREDOLAB .DLL FILE]” It just so happens that any .dll file included in this registry value gets loaded as a service when Windows starts.

Method 4 Bredolab may also drop a copy into the Startup folder. As we know, any file found in the Startup folder is opened or executed whenever Windows start. %Programs%\Startup\[TROJAN.BREDOLAB EXECUTABLE] Notice that in methods one and two above, Bredolab tries to pose as a legitimate Windows file. It also tends to add itself to registry values that are not commonly used as a startup method. These actions are more attempts to avoid suspicion and stay under the radar for as long as possible.

Controller and Agent For this paper, a remote server that acts as the Bredolab C&C server will be referred to as a “Controller”. In contrast, the Bredolab malware installed on a compromised computer will be referred to as an “Agent”. Table 1 shows a short compilation of some of the Controller domains that may have been used in the past or are still being used. Most of the Controller domains are hosted in China, Germany, and Ukraine. There are also times when the host of a domain is moved somewhere else at a later time, possibly due to the host being taken down at some point. For example, one controller domain that was hosted in Ukraine three months ago is now hosted in China. The Controller serves the files that are downloaded and installed by the Agent. At the moment, the Bredolab network of Controllers and Agents suggests a star topology. Additionally, the domain ad-

Table 1

A list of Bredolab Controller domains

Page 6

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

dress of the Controller is currently hardcoded in the binary body of each Agent. These factors may make communication faster but they also make Bredolab vulnerable. If the hardcoded domain is taken down or unavailable, the Agent will not be able to connect to its Controller to download files. However, Bredolab tries to compensate for this by either moving the domain of the Controller to another host, or by setting up a new domain and distributing Agent installers with the new address hardcoded in them. As for the Agent, it is the component in the Bredolab network that carries out the actual malicious payload. For an overview of the Agent’s functionalities, figure 8 details its main routine, providing a look at how the Bredolab downloader operates once it is installed on a compromised computer. Figure 8

An overview of an Agent’s main routine

Page 7

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Upon execution, an Agent connects to a Controller to fetch entities or files. If it receives a response, the files are extracted and each file is processed based on instructions included in the Controller response. After the files are processed, the Agent tries to connect to the Controller again in order to send a report. Regardless if the report message is successfully sent, the Agent updates its log file and then terminates. Note from the flowchart in figure 8 that an Agent downloads files only once and then it terminates. The next attempt for a download only happens the next time the Agent starts.

Covert Messages The Bredolab communication protocol makes use of encoded messages that are exchanged through HTTP GET requests and responses. The purpose of the conversations is mainly for the Agent to download files and send a report to the Controller. Note that in its encoded messages, Bredolab refers to a downloaded file as an entity. The following is a typical transaction sequence between a Bredolab Agent and Controller: 1. When an Agent is installed on a compromised computer, it “calls home” by connecting to the domain hardcoded in the binary and requests for entities to download. 2. The Controller responds by sending the Agent an encoded message that includes one or more entities, a key to decode the entities, and an action flag that tells the Agent what to do with each entity. (These entities often turn out to be installers for other threats.) 3. After the Agent executes the action for each entity, it sends a corresponding report. 4. Upon receiving the report, the Controller responds back with an acknowledgement. In the sections that follow, these transactions will be explained further. Notice that whenever an Agent communicates with one of its controller domains, the URI reference would often start with the string “/[VARIABLE FOLDER NAME]/controller.php?action=” in it. It implies that the Controller server uses a controller.php module to communicate with the Agent.

Downloading from a Bredolab controller An Agent initiates a download from a Controller using an HTTP GET request like the one shown in the packet capture snapshot in figure 9. As you can see, the response to the download request is obfuscated. Figure 9

Sample of an obfuscated Bredolab download transaction

Page 8

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Descriptions of the elements used by Bredolab for this particular type of transaction are shown in table 2 and table 3. Table 2

Elements of Bredolab’s download request message GET Request Description Element action=bot

This is always the first element, and when combined with a “bot” value, it can be a string marker for a “callhome” message, or to be more specific, a download request message.


If the Bredolab log file is empty, this element has no value (such as the example shown in figure 10). Otherwise, it contains a list of 10-digit decimal numbers (referred to as EntityID in this paper) that are used to identify each entity or downloaded file, delimited by a comma. This list is taken from the Bredolab log file, which is a list of the IDs of previously downloaded entities. [ENTITYID], [ENTITYID], [ENTITYID], [ENTITYID] For example: &entity _ list=1241643870,1241292389,1241530597


This value is taken from a hardcoded location in the body. If it contains zero or is empty, this element will be empty.


This has a value of 1 if the malware mutex is present, otherwise it is 0.


This value is the decimal equivalent of drive C's volume serial number.


This value is the decimal equivalent of a hardcoded number, which is possibly used by Bredolab for tracking purposes.


The value for this is hardcoded in the binary. It also may or may not refer to a version or variant number. At this time, the latest value seen for this element is "&v=15".

Table 3

Elements of Bredolab’s download response message GET Request Description Element Entity-Info

This element contains the properties for the entities sent down by the controller. Each entity has its corresponding information and it follows this format: [ENTITYID]:[FILESIZE]:[ACTIONFLAG]; There will be one of these for each entity or downloaded file. The list will be delimited by a semicolon character. • EntityID: This is a 10-digit decimal number that serves as an ID number for the corresponding entity. (Note: This number is possibly a Unix-format timestamp for the downloaded files.) • FileSize: This is the decimal size of the downloaded file or entity. • ActionFlag: This refers to the action flag that tells the Agent what to do with a file. If the value for this flag is 1, it immediately runs the file. If the value is 2, it saves the decoded file into the Windows temporary folder before running it. (More details about the action flag will be discussed in the “Actions per Entity” section of this paper later.)


This value appears to be a pseudorandom number and may differ in each response received from the controller. As of this writing, this element is not utilized in any function. It may possibly be there just for tracking purposes.


This value follows this format: [KEYSIZE]|[DECRYPTIONFLAG]|[KEY] • KeySize: This is the decimal size of the window key to be used in decoding the message. • DecryptionFlag: This is the flag used to determine the type of decryption to use. • Key: This is the window key represented in decimal numbers. Each byte key is delimited by a colon character.

Page 9

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Reporting to a Controller After the Agent is done processing the entities sent down by the Controller, it sends back a notification report through an HTTP GET transaction, like the one shown in figure 10. Figure 10

Sample of a Bredolab report transaction

The GET request above contains information on whether the instructed actions for each of the downloaded entities or files were successfully executed. Table 4 shows brief descriptions of the elements used in the request portion of the report message. Table 4

Elements of Bredolab’s report message GET Request Description Element action=report

This is always the first element, and when combined with the “report” value, it can be considered a string marker for a report message.


At the moment, this element always has a zero value for this type of message.


This value is the decimal equivalent of another hardcoded number (though different from the one used for the download request message). Again, this element may possibly be there just for tracking purposes.


This value is the same as the one used for the download request message. If it contains zero or is empty, this element will be empty. Otherwise, it copies the value found in the hardcoded location.


This element contains the actual status report for each entity or downloaded file and it follows this format: [ENTITYID]:[REPORTCODE]; There will be one report for each entity or downloaded file. The list will be delimited by a semicolon character. • EntityID: This is a 10-digit decimal number that serves as an ID number for the corresponding entity. (Note: This number is possibly a Unix-format timestamp for the downloaded files.) • ReportCode: This value depends on whether a couple of status flags or conditions are met, specifically on whether the file has already been downloaded before and if it was successfully executed. So depending on both of these conditions, the value may be any of the following: • unique_start • unique_failed • repeat_start • repeat_failed More details about this element will be discussed in the “Report per Entity” section of this paper.

Page 10

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

As you may have noticed in figure 10, the response portion of a Bredolab report conversation is simply an acknowledgment. No elements table is necessary for the response part.

Extracting the Entities The downloaded files sent to an Agent are contained in an obfuscated message response similar to the example shown in figure 9. The Agent has to decode the message to extract the entities. To deobfuscate a message the Agent uses the data provided in the Entity-Info and Magic-Number lines of the HTTP GET response header. As indicated in table 3, the Entity-Info field contains the EntityID, FileSize and ActionFlag properties of each entity included in the obfuscated message. The Magic-Number field contains the KeySize, DecryptionFlag and Key values that are to be used to unlock the encoded message. The attached entities in the download response are encrypted with XOR using a sliding window key. The size and value of the sliding window key, as well as the type of encryption, are dynamic and set by the Controller. So far, key sizes of 32, 64, 128, 256, 512 and 1024 have been seen in use. The key values differ in each download transaction between the Agent and Controller. In addition, the bytes in the window key are represented as decimal numbers delimited by a colon character. Depending on a flag sent down by the controller, the decryption of the downloaded file may be one of these types: • Forward: decryption starts at the beginning of the encrypted file and slides forward. • Reversed: the order of the bytes in the window key is reversed. Decryption starts at the end of the encrypted file and then slides backward. A snippet of the entity decryption routine is shown in figure 11. Figure 11

Decryption routine for Bredolab entities contained in an obfuscated message

Page 11

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Having learned the obfuscation techniques used by Bredolab, we developed a tool to extract and decode the obfuscated files from the HTTP response message. For example, applying the tool to the obfuscated HTTP message received by the Agent in figure 9 showed us that the load.exe component actually received four arbitrary files from the remote server. Scanning the files Figure 12 shows that the payload is consisted of two infostealScan results for the four files extracted ers, a Trojan, and a backdoor, as shown in figure 12. from the encoded message in figure 9 This random mixture of threats installed by an Agent on compromised system is often made up of highrisk threats. This is one of the major reasons for its notoriety. Table 5 shows a small subset of well-known malware that Bredolab has downloaded. The actual connection between these threats and Bredolab still remains to be seen.

Actions per Entity As mentioned in the description for the Entity-Info header field in table 3, the Controller sends down a flag that determines what action to apply to a corresponding entity. This flag is referred to in this paper as the ActionFlag and it has two possible values.

ActionFlag = 1 If the value for the ActionFlag is 1, the Agent ensures the file size is not below four bytes. If the file size is valid, it immediately runs the entity by injecting it into the svchost.exe process. As shown in the code snippet in figure 13, this is achieved by calling the CreateProcessA function, with “svchost” as the CommandLine parameter, and enabling the SW_SHOW flag. With this injection technique Bredolab creates another instance of svchost.exe using CreateProcessA, only with the malware running inside, pretending to be a legitimate instance of svchost.exe.

Table 5

A subset of known malware downloaded by Bredolab Backdoor.Rustock Backdoor.Haxdoor Downloader.MisleadApp Hacktool.Rootkit Infostealer Trojan.Pandex (aka Cutwail) Trojan.Srizbi Trojan.KillAV Trojan.Fakeavalert W32.Koobface W32.Waledac

Figure 13

Code snippet of the CreateProcessA routine for ActionFlag=1

Page 12

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

ActionFlag = 2 If the ActionFlag value is 2, the Trojan saves the decoded file into the Windows temporary folder and gives it the following file name format. %Windir%\Temp\wpv[LAST TWO DIGITS OF A PSEUDO-RANDOM NUMBER][ENTITYID].exe The seed for the pseudo-random number indicated above is initially based on the current tick count. However, the generated number is used later on as the seed for the pseudo-random number of the next file to be created in the temporary folder. To demonstrate how a file is named by Bredolab, let’s say a file has an EntityID of 1241292389 and a pseudorandom number was generated with 48 as the last two-digits. This file will be saved into the Windows temporary folder with wpv481241292389.exe as a file name. After the entity is saved into the disk, it is then executed by Trojan.Bredolab by again calling the CreateProcessA function, but this time with the SW_HIDE flag enabled. A code snippet of this subroutine is displayed in figure 14. Figure 14

Code snippet of the CreateProcessA routine for ActionFlag=2

Report per Entity In table 4 we mentioned how the ReportCode is dependent on a couple of status flags. For this discussion, the following flag names will be used to identify the status flags: • FirstTimeFlag: This refers to a flag that is set to 0 if the entity is found to be a repeater. This is done by checking if its EntityID can be found in the log file. Its presence in the log file signifies that the entity was previously downloaded. On the other hand, this flag is set to 1 if the EntityID cannot be found. This implies that this is the first time the entity has been downloaded Table 6 and processed. Bredolab report message lookup table • CreateProcessFlag: This refers to a flag that is set to 0 if the entity process failed to run. ReportCode FirstTimeFlag CreateProcessFlag In contrast, this flag is set to 1 if the entity unique_start 1 1 process is successfully executed. Table 6 lists the combination of flag values that are required for each equivalent ReportCode value.










Page 13

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

The information is most likely used by the Controller to track which files are successfully installed on compromised computers. It is also possible that the reported data is used to decide whether to resend an entity to the Agent the next time contact is made.

Log File Bredolab creates a log file with one of the following file name formats: • %AppData%\wiaserv[A-Z].log • %AppData%\wiaserv[A-Z][A-Z].log In these cases, [A-Z] is an alphabetical character and %AppData% is the Windows folder used for applicationspecific data (i.e. C:\Documents and Settings\Administrator\Application Data). Examples of log file names that Bredolab uses are wiaserva.log, wiaservg.log, wiaservim.log, and wiaserviv.log. The contents in the Bredolab log file are the hexadecimal equivalent of the entity IDs from the downloaded and processed files. These are the same entity IDs that we see in the response received by the Agent while downloading an entity. The log file basically contains a 4-byte hexadecimal number corresponding to the ID of each entity downloaded. Recall that the decimal equivalent of the IDs in the log file is used for the value of the “entity_list” element in the download request message sent by an Agent to the Controller on subsequent transactions. For those curious about the naming of the Bredolab log file, the use of “wiaserv” as a root word for the file name is most likely the malware’s attempt to mimic the name of a legitimate diagnostic log file for the Windows Image Acquisition (WIA) driver. This WIA diagnostic log file is named wiaservc.log and unlike the Bredolab log file, it is normally found in the Windows folder.

Conclusion Despite being just a downloader, Trojan.Bredolab employs different attack vectors and protection mechanisms to compromise computers and run its payloads. These efforts have made this downloader more complicated than most. Since most of the time it downloads high-risk threats, by association, this makes Bredolab a high risk threat as well. As of this moment, we do not yet know if the reason we have seen what appears to be arbitrary downloads of other threats is because Bredolab is hiring out its traffic. The downloading of Trojan.Fakeavalert also suggests financial motivation, since authors of rogue applications are usually included in a pay-per-install affiliate program. For now we can only speculate on the relation is between Bredolab and these various threats. One thing is for sure though—the threat posed by Bredolab is far from negligible. Users are advised to be very careful when receiving suspicious emails and opening attachments. In addition, safe browsing should be practiced. Suspicious Web sites should be avoided and vendor patches must be applied diligently.

Page 14

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Appendix A: More samples of Bredolab-related spam Figure 15

A fake Western Union invoice from May, 2009

Figure 16

A fake UPS invoice used from June, 2009

Page 15

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Figure 17

A variation of a fake UPS invoice from June, 2009

Figure 18

Another fake DHL invoice from around August, 2009

Page 16

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Figure 19

A fake online-order tracking number from around September, 2009

Page 17

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Appendix B: Detailed packet capture of drive-by downloads Figure 20

Packet capture snapshots of the sample drive-by download attacks

Page 18

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

Appendix C: Binary Protections Bredolab comes packaged in different forms and protections so that it can evade detection for as long as possible. It repacks itself server-side using custom packers that are armored with anti-debugging and anti-emulation code. It also uses encryption to further obfuscate itself and some of its data. A snapshot of the multiple layers of protection and encryption used by Bredolab is shown in figure 21. Figure 21

An illustration of the multi- layered armor used in a Bredolab packer

Packers Bredolab uses more than one kind of packer, and these packers keep evolving over time. The following terms will be used to refer to the general types of packers used by Bredolab. • Packer A: The packer used in Bredolab agents that arrive through crafted emails • Packer B: The packer used in Bredolab agents that arrive using drive-by-downloads Page 19

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

At present, Packer A is different from Packer B. A possible explanation is that a different person or group is handling the distribution for each propagation method. Whoever is distributing the Bredolab agent is probably packing it with their own custom packers on top of its already-packed form. Bredolab itself is packed with UPX and embedded into an injector component, which is again packed with UPX. This is the form that most likely arrives to the distribution point. When it is disseminated through email, it seems that it is being packed by the spam bot’s own custom packer. Meanwhile, the drive-by-download distributor of also appears to wrap Bredolab with their own custom packer. The extra packing adds extra layers of armor to the Bredolab binary and the use of different packers also helps it in evading packer-based detections. As an example, figure 22 shows a snapshot of three sample decryption routines used by Packer B for the surface layers of a Bredolab sample. Currently these routines cannot be found in Packer A. Figure 22

Sample decryption routines used by one of the packers

In both cases server-side polymorphism is used. For example, the Bredolab agent that you received today is most likely packed differently from the binary sample that you will receive next week. This is obviously an attempt to further evade detection. Not surprisingly, only the binaries packed with Packer A make use of file icons that mimic common applications. As of this writing, Packer B does not use custom icons for Bredolab binaries. We have also found other non-Bredolab malwares using Packer A. Again, a likely explanation for this is that the spam bot is distributing more than just Bredolab and is using the same custom packer on other threats. Another possible reason is that malware authors are sharing or selling the custom packer underground for use by other malware authors.

Obfuscation and Protection methods The following are some of the methods currently being used by Bredolab and its packers to evade detection and throw off debuggers and emulators. Page 20

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

API address resolution using checksums Part of Bredolab’s armor is to use checksums to resolve API addresses. This is an obfuscation trick that is sometimes used by malware. A sample of the related code is shown in figure 23. Figure 23

Snapshot of an API address-resolving routine used in a loader packer

Process injection Bredolab may inject itself into the explorer.exe or svchost.exe process. The Bredolab process is created in memory using VirtualAllocEx and WriteProcessMemory, and then started using CreateRemoteThread. Another technique used by Bredolab is to create another instance of svchost.exe using CreateProcessA, but with the malware running in it and pretending to be a legitimate instance of svchost.exe.

EIP via Exceptions Packer B contains several EIP via Exceptions3 tricks to control the flow of execution. For this trick to generally work an exception is intentionally triggered and the program finds out if it is being debugged, emulated, or otherwise running normally. If it finds itself being debugged or emulated, the next instructions executed could cause an immediate termination, an endless loop, or anything designed to throw off the debugger or emulator. Here are some of the techniques used by Packer B to implement EIP via Exceptions. • INT 3: It uses an INT 3 exception trick to change the next instruction (EIP) to be executed if a debugger or emulator is detected. • INT 2D: Another technique used is the INT 2D or Softice DbgMsg driver local denial of service4 trick. A code snippet of this trick being used in the Bredolab packer is shown in figure 24. INT 2D triggers an exception if Figure 24

A code snippet showing the Int2D trick

Page 21

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

executed without a debugger, so it jumps to the exception handler, which in this case has been set to point to the Trojan code. However, if the INT 2D instruction is executed with a debugger, there will be no exception and the next instruction executed will depend on the debugger being used. It could either skip the next instruction, run until the next breakpoint (if there is one), or just stop after INT 2D.

Dummy instructions Packer B used this mostly by inserting multiple jumps and dummy instructions within its actual code. These instructions are called “do-nothing” instructions. Executing them does not have an effect on the output, but they can be used to throw off some signature-based detections.

Overriding kernel level and user level hooks Bredolab tries to hide its presence from analysis or security tools by overriding hooks that it finds in some user-mode APIs in kernel32.dll, user32.dll, and gdi32.dll. It also removes hooks from certain kernel mode APIs exported by ntdll.dll or ntkrnlpa.exe. To be able to run in kernel mode and override the hooks, it exploits some privilege-escalation vulnerabilities. At the time of writing, it specifically ties to unhook nine kernel-mode APIs, namely ZwAllocateVirtualMemory, ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwCreateThread, ZwAdjustPrivelegesToken, ZwOpenProcess, ZwOpenThread, ZwQueueApcThread, and ZwSetValueKey.

Data Obfuscation Bredolab seems to like using variations of encryptions that make use of the XOR operation. An example is the topmost subroutine shown in figure 11 that uses XOR and a byte modifier. This particular subroutine is used to decrypt the Bredolab downloader’s embedded form from the body of the injector. Bredolab may also obfuscate the URI of the controller domain. In some binaries, the domain address is encrypted inside the body of the Bredolab binary, while in others it is not obfuscated. In one case, Bredolab decrypted the URI string inside the data section of the binary using an XOR operation and a sliding window key. The window key itself is actually encrypted at first. Hence, before the URI can be deobfuscated, the window key has to be decrypted with the same decryption routine, but using a different key. The window key for this subroutine may also vary in size (i.e. a 7- or 8-byte key).

Page 22

Security Response

Targeted Attacks: Patern, Attack Vectors, and Mitigation Strategies

References 1. CVE-2006-0003. 2. CVE-2008-0015. 3. Anti-Unpacker Tricks. Peter Ferrie. May, 2008. 4. Compuware Softice (DbgMsg driver) Local Denial of Service. Piotr Bania. May 29, 2005.

Page 23

Security Response

Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY . The technical information is being delivered to you as is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

About Symantec Symantec is a global leader in providing security, storage and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at

About the author Gilou Tenebro is a Security Response Engineer located in Calgary, Canada.

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA +1 (408) 517 8000 1 (800) 721 3934

Copyright © 2009 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.