Wednesday, June 08, 2005

Triple-Barreled Trojan Attack Builds Botnets

June 4, 2005
By Ryan Naraine


Anti-virus researchers are sounding the alert for a massive, well-coordinated hacker attack using three different Trojans to hijack PCs and create botnets-for-hire.

The three-pronged attack is being described as "unprecedented" because of the way the Trojans communicate with each other to infect a machine, disable anti-virus software and leave a back door open for future malicious use.

"This is so slick, it's scary," said Roger Thompson, director of malicious content research at Computer Associates International Inc. "It clearly points to a very well-organized group either replenishing existing botnets or creating new ones."

According to Thompson, the wave of attacks starts with Win32.Glieder.AK, dubbed Glieder, a Trojan that downloads and executes arbitrary files from a long, hardcoded list of URLs.

Glieder's job is to sneak past anti-virus protection before definition signatures can be created and "seed" the infected machine for future use. At least eight variants of Glieder were unleashed on one day, wreaking havoc across the Internet.

On Windows 2000 and Windows XP machines, Glieder.AK attempts to stop and disable the Internet Connection Firewall and the Security Center service, which was introduced with Windows XP Service Pack 2.

The Trojan then quickly attempts to connect to a list of URLs to download Win32.Fantibag.A (Fantibag) to spawn the second wave of attacks.

With Fantibag on the compromised machine, Thompson said the attackers can ensure that anti-virus and other protection software is shut off. Fantibag exploits networking features to block the infected machine from communicating with anti-virus vendors. The Trojan even blocks access to Microsoft's Windows Update, meaning that victims cannot get help.

Once the shields are down, a third Trojan called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the complete control of the attacker.

Once the three Trojans are installed, the infected computer becomes part of a botnet and can be used in spam runs, distributed denial-of-service attacks or to log keystrokes and steal sensitive personal information.

A botnet is a collection of compromised machines controlled remotely via IRC (Internet Relay Chat) channels.

According to CA's Thompson, the success of the three-pronged attack could signal the end of signature-based virus protection if Trojans immediately disable all means of protection.

"These guys have worked out that they bypass past signature scanners if they tweak their code and then release it quickly. The idea is to hit hard and spread fast, disarm victims and then exploit them," Thompson said in an interview with Ziff Davis Internet News.

He said he thinks the attack, which used virus code from the Bagle family, is the work of a very small group of organized criminals. "There's no doubt in my mind we are dealing with organized crime. The target is to build a botnet or to add to existing ones. Once the botnets reach a certain mass, they are rented out for malicious use."

"There's a black market for infected computers. The bigger your botnet, the more money you can make," Thompson said. He said researchers tracking underground hacker activity had seen a price tag of about 5 cents per infected machine.

Thor Larholm, senior security researcher at PivX Solutions LLC, said there's enough evidence that the sophisticated botnet activity is highly organized by small groups of skilled hackers.

"Over the last year or so, we've seen how easy these guys have created these armies of zombie machines. We believe there are less than 200 people controlling 95 percent of all the botnets out there."

Larholm said the botnet owners have shied away from using major network worms and have instead turned to very small attacks. "We're not seeing the Slammer and Sasser attacks anymore. We're now seeing these virus variants infecting just 20 or 30 machines. The attacks are smaller and the botnets are smaller, and that allows them to stay under the radar," he said.

Both Thompson and Larholm said they see a direct connection between the botnets-for-rent and the adware/spyware scourge. "Botnets are not just for spamming anymore. They are being rented to install spyware," Larholm said.

He said the complicated affiliate schemes that pay commissions based on spyware installs have created a lucrative market for botnet controllers.

Computer Associates' Thompson agreed. "I think that the adware component is becoming clearer, particularly on the bigger botnets. Whenever someone yells at the adware providers, they blame the affiliates. Well, that's the problem. The affiliates are using criminal means to install spyware, and these botnets are a key part of the puzzle."

Andrew Jaquith, security analyst at Yankee Group Research Inc., said the notion of purchasing the use of botnets, or zombie grids, is well-known in the industry. "There's a sharp uptake in the amount of spam being generated by these zombies. It's pretty well-organized," Jaquith said.

"I see this particular malware cocktail as being more evolutionary than revolutionary. The so-called 'blended threat' that it represents is just a combination of existing techniques, updated and tweaked," Jaquith added.

He said he had independent information that zombies are rented out for illegal use and said Computer Associates' assertion of a 5 cents-per-machine market price is quite eye-opening.

"What's interesting about the general trend in malware such as this is that the goal is not to do damage on the victim's system per se, but to enlist it in the attacker's zombie network," Jaquith said.

"It's more useful to the bad guys to leave their targets alive. All Granny's going to notice is that her computer is running slowly while, unbeknownst to her, it's blasting out spam or assisting in a denial-of-service attack."

Even worse, CA's Thompson said, "I think the bad guys are in danger of winning."

"Here we have people who understand how anti-virus works and are smart enough to release multiple approaches to get the 'seeds' through. This wasn't your usual mass-mailer," Thompson said.

Shane Coursen, senior technology consultant at Kaspersky Lab, said CA's theory of a small band of organized criminals is very credible. "We're seeing all kinds of coordination and communication between Trojans, botnets and virus writers."

In an interview, Coursen said there's a massive race among malicious hackers to build and control massive botnets. "It's a very lucrative business, so this is not a surprise at all."

PROTECTION AND DISINFECTION:

With the rapid proliferation of new types of virus, Trojan and worm attacks, PC users are urged to be strict about following security guidance.

This includes never opening and executing file attachments from unknown sources. Even if the source of the attachment is known, a good rule of thumb is to double check with the sender to make sure it is a legitimate file.

Microsoft Corp. offers detailed information on how to protect against viruses. These include applying security patches in a timely manner and using an Internet firewall. For computers running Windows XP SP2 (Service Pack 2), Microsoft suggests turning on automatic updates and using the Windows Firewall that is enabled by default.

It is also important to subscribe to industry-standard anti-virus software and to keep updates current.

Microsoft also offers free clean-up tools, including a malicious software removal tool and an anti-spyware application.

Symantec Corp. also provides a free removal tool for the Bagle virus and its variants.

Editor's Note: This story was updated to include instructions regarding protection and disinfection.
