
Catch Me If You Can

Antics of a Polymorphic Botnet

Report

Contents

Introduction 3

Meet the Worm 4

Evolution: as the W32/Worm-AAEH turns 5

Domain generation algorithm 6

Chained download mechanism 7

Polymorphic engine creates unique worm 8

Automated sample harvester 11

Prevalence 12

Preventing infection 13

Takedown 14

Summary 14

This report was researched and written by:

Anand Bodke

Abhishek Karnik

Sanchit Karve

Raj Samani

Catch Me If You Can: Antics of a Polymorphic Botnet | 3

Introduction

The analogy that fits cybercrime is a game of cat and mouse—played among those fighting cybercrime and those seeking illegal profits. We see multiple examples in which technical innovation on both sides has resulted in one party getting ahead on one occasion and playing catch-up on another. This struggle has played out in multiple guises, as criminals have developed convoluted communications infrastructures to facilitate control capabilities for malware, payments, and laundering services for their ill-gotten gains.

McAfee Labs discusses many examples in reports, white papers, and blogs that present the cybercrime ecosystem, emerging trends, and our engagement with key partners to disrupt or take down such operations. Earlier malware milestones seem rather rudimentary today, but the inescapable fact is that cybercrime is very big business. Last year, Intel Security commissioned a report by the Center for Strategic and International Studies to estimate the global cost of cybercrime. The report estimated that the annual cost to the global economy was more than US$400 billion.

Although it is easy to debate whether that estimate was too high or too low, the inescapable fact is that cybercrime is a growth industry; cyberattacks can bring in significant revenue. With such high returns, it is no wonder that we are witnessing remarkable innovation from both sides, from peer-to-peer communications methods incorporating tens of thousands of domains for infected hosts communication, to advanced evasion techniques (AETs) being introduced into trusted network egress control points.

This report illustrates one example of innovation: Cybercriminals created an AutoRun worm that avoids detection by continually changing its form with every infection. Its evolution was so prolific that new variants appeared as often as six times a day.

In early April 2015, a global law enforcement action took down the control servers for this botnet. Up-to-the-minute details of the takedown can be found here.

—Raj Samani, McAfee Labs CTO for Europe, the Middle East, and Africa


Meet the Worm

Writing code for criminal gain is done with a specific purpose in mind, usually focusing on stealing information such as banking credentials, data, or intellectual property. Unlike the ends we’ve seen in other malware families, the ultimate goal of the cybercriminal behind this particular worm is to maintain persistence on the victim’s machine.

Known as W32/Worm-AAEH (as well as W32/Autorun.worm.aaeh, VObfus, VBObfus, Beebone, Changeup, and other names), the aim of this family is to support the download of other malware—including banking password stealers, rootkits, fake antivirus, and ransomware. The malware includes wormlike functionality to spread quickly to new machines by propagating across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files.

The worm was written in Visual Basic 6. Using the inherent complex and undocumented nature of Visual Basic 6 and employing polymorphism and obfuscation, W32/Worm-AAEH has successfully maintained its relevance since it was discovered in June 2009.

Polymorphic malware, which can change its form with every infection, is a very difficult threat to combat. W32/Worm-AAEH is a polymorphic downloader worm with more than five million unique samples known to McAfee Labs. This worm has had a devastating impact on customer systems (more than 100,000 infected since March 2014). Once aboard, it morphs every few hours and rapidly spreads across the network, downloading a multitude of malware including password stealers, ransomware, rootkits, spambots, and additional downloaders. Our tracking of this worm since March 2014 shows that the control server replaces samples with new variants one to six times per day and that the server-side polymorphic engine serves client-specific samples and guarantees a unique sample with each download request. Proactive, automated monitoring has helped McAfee Labs stay ahead of these adversaries in detection and removal, thereby preventing an onslaught of malware in customer environments.

In this report we describe an automation system created in March 2014 by McAfee Labs to mimic the worm’s communication behavior and tap into its control servers to harvest malware. This system has allowed our researchers zero-day access to the malware and has helped McAfee Labs monitor the botnet’s activity prior to infecting customers. The automation has significantly reduced the number of customer system infections and escalations.

A worm is a type of malware that replicates itself in order to spread to other computers. It typically uses a network to propagate itself, relying on security vulnerabilities in a target system to gain access.

A worm often installs a backdoor in the infected system, making it into a “zombie” under the control of the worm’s author. A network of zombie systems is known as a botnet.


W32/Worm-AAEH is notable because it changes its system-specific fingerprints many times each day to evade detection.

Evolution: as the W32/Worm-AAEH turns

The first known W32/Worm-AAEH sample (6ca70205cdd67682d6e86c8394ea459e) was found on June 22, 2009 (compiled on June 20). It is detected as Generic Packed.c. Despite being the first version released in the wild, the worm’s authors intended to make it hard to analyze by storing every string as individual characters and concatenating them at runtime. Aside from this step, however, no other functionality prevented the analysis of the malware. The sample had modest capabilities:

■ Executing at system startup and hiding in the User Profile directory.

■ Copying itself to all removable drives and using a hidden autorun.inf file to launch automatically, with the string “Open folder to view files” as the action text in the local language (16 European languages supported).

■ Disabling Windows Task Manager’s ability to terminate applications to prevent itself from being manually terminated by the user.

■ Contacting a hardcoded domain (ns1.theimageparlour.net) to download and execute additional malware.

Over time, the authors introduced new features. Currently, the worm can:

■ Detect virtual machines and antivirus software.

■ Terminate Internet connections to IP addresses at security companies.

■ Use a domain generation algorithm (DGA) to find its control servers.

■ Inject malware into existing processes.

■ Use encryption.

■ Disable tools from terminating it.

■ Spread itself via removable CD/DVD drives.

■ Exploit a LNK file vulnerability (CVE-2010-2568).

■ Insert itself in ZIP or RAR archives to aid its persistence and propagation.

The feature set comprises two components: Beebone and VBObfus (also known as VObfus). The first component acts as a downloader for VBObfus, while the latter contains all the Trojan and worm functionality.

Several obfuscation and antianalysis tricks make detection difficult, encryption techniques are updated often, and open-source software projects are occasionally included to further complicate analysis. It is no surprise that these tricks have kept this worm relevant since it was discovered in 2009.


The same control server IP address is registered against multiple secret strings.

Domain generation algorithm

W32/Worm-AAEH uses a simple yet effective DGA that allows the malware distributors to change server IPs and domain names on demand (for example, when blocked by security products) while communicating with current infections.

■ The algorithm can be represented as {secret_string}{N}.{TLD} in which secret_string is a hardcoded obfuscated string stored in the malware sample.

■ N is a number from 0 to 20.

■ TLD is any of the following strings: com, org, net, biz, info.

While N and TLD remain virtually constant, the secret string occasionally changes. At any time, the malware distributor sets the appropriate DNS records for the current secret string as well as the previous one to ensure that older samples can connect to the new servers for updates.

For example, on September 14, 2014, the control server IP address was 188.127.249.119. This IP address was registered under several domain names using the current secret string ns1.dnsfor and the previous string ns1.backdates. Several of the domain names produced by the DGA resolved successfully at that time.

A domain generation algorithm is used by malware to periodically generate a large number of domain names that can be used by malware to exchange information. The large volume of generated domains makes it difficult for law enforcement to shut down botnets.
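Because the DGA space is small and fully described above, a defender can enumerate it in advance and match resolver logs against it. The following script is an added example, not code from the report or from McAfee Labs: the {secret_string}{N}.{TLD} pattern, the N range, the TLD set and the two secret strings observed on September 14, 2014 are taken from the report; the BIND-style query log lines are constructed, and the response-policy-zone rendering at the end goes one step beyond the report by turning the set into resolver sinkhole records.

```python
"""Enumerate the W32/Worm-AAEH DGA space and match resolver log lines against it.

Added example, not code from the McAfee Labs report. The pattern
{secret_string}{N}.{TLD}, the N range 0-20, the TLD set and the two secret
strings observed on September 14, 2014 come from the report; the log format
and the log lines below are constructed for this example.
"""
import re
from itertools import product

TLDS = ("com", "org", "net", "biz", "info")
N_VALUES = range(0, 21)          # 0..20 inclusive, as stated in the report

# Current and previous secret strings from the report. The operator keeps DNS
# records for both so that older samples still reach the new servers, which is
# why both must be on the blocklist.
SECRETS = ("ns1.dnsfor", "ns1.backdates")


def dga_domains(secret_strings=SECRETS, n_values=N_VALUES, tlds=TLDS):
    """Return every domain the DGA can produce for the given secret strings."""
    return {f"{s}{n}.{tld}" for s, n, tld in product(secret_strings, n_values, tlds)}


BLOCKLIST = dga_domains()

# Constructed BIND-style query log lines. The third line uses N=21, which is
# outside the DGA range and must not match; exact-set membership is used
# rather than a loose prefix check for that reason. Case is normalised because
# DNS names are case-insensitive.
SAMPLE_LOG = """\
14-Sep-2014 10:01:02.123 client 10.0.0.15#51234: query: ns1.dnsfor3.com IN A + (10.0.0.1)
14-Sep-2014 10:01:05.456 client 10.0.0.15#51235: query: www.example.com IN A + (10.0.0.1)
14-Sep-2014 10:02:11.789 client 10.0.0.22#40001: query: ns1.dnsfor21.net IN A + (10.0.0.1)
14-Sep-2014 10:02:30.001 client 10.0.0.22#40002: query: NS1.BACKDATES17.INFO IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN ")


def find_dga_lookups(log_text, blocklist=BLOCKLIST):
    """Return (client, queried_name) for each query whose name is in the DGA set."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).lower().rstrip(".")
        if qname in blocklist:
            hits.append((client, qname))
    return hits


def rpz_zone(blocklist=BLOCKLIST, rdata="."):
    """Render the set as response-policy-zone records ('CNAME .' answers NXDOMAIN)."""
    return "\n".join(f"{d} CNAME {rdata}" for d in sorted(blocklist))


if __name__ == "__main__":
    print(len(BLOCKLIST), "domains in the DGA space")
    for client, name in find_dga_lookups(SAMPLE_LOG):
        print("DGA lookup:", client, "->", name)
```

With two secret strings the whole space is 2 × 21 × 5 = 210 names, which is why a static list works here where it would not for a DGA that keys on the date. When the operator rotates the secret string, the new value is appended to SECRETS and the blocklist regenerated.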


Chained download mechanism

One of the reasons antivirus software struggles with this threat is that the worm can replace itself with new variants before signatures are created to combat them. This tactic is implemented using a chained download mechanism, in which both W32/Worm-AAEH components (Beebone and VBObfus) download new variants of each other. This step ensures the worm’s persistence even if security software can detect one of the components—because the undetected component will eventually download an undetected version of its counterpart.

The chained download is initiated through another component, detected by McAfee Labs as Generic VB.kk. This sample arrives through exploit kits and social engineering attacks and exists solely to download Beebone. An unrelated component detected as Downloader-BJM is an IRC bot that communicates with the same control server but doesn’t interact with W32/Worm-AAEH. This process is illustrated in the following diagram:

The W32/Worm-AAEH worm infection process (the diagram’s numbered steps are reproduced here as a list; the control server is reachable by the malware through the domain generation algorithm):

1. The victim visits a malicious page hosting an exploit kit.

2. The exploit kit installs Generic VB.kk.

3. Generic VB.kk contacts the control server with the victim’s information.

4. The control server returns Beebone.

5. Beebone contacts the control server.

6. The control server returns a list of malware including VBObfus and other third-party malware such as Cutwail, Necurs, Upatre, and Zbot.

7. VBObfus contacts the control server.

8. The control server returns Beebone (again).

The diagram also shows a second victim machine running Downloader-BJM (the IRC bot), which communicates with the same control server.

The response received by Generic VB.kk in Step 3.

In the preceding illustration, Beebone (in Step 4) downloads a variant of VBObfus (6), which replaces the old Beebone with a new Beebone variant (8). A walkthrough of the download chain follows:


This response includes the command (download), the URL, and the filename to use when saving the downloaded Beebone. The URL returns an RC4-encrypted binary large object (blob) that decrypts to Beebone.

Unpacking this blob reveals a new variant of Beebone.

Decrypted URLs provide further malware to the current location.

Encrypted blob and decrypted binary.

Beebone contacts the control server again (7) and gets an encrypted blob decrypting to a set of URLs (8):

Each URL returns encrypted blobs that decrypt to Beebone and additional malware, and the cycle repeats indefinitely.
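The walkthrough above, and the sample harvester described later that mimics this exchange, both come down to decrypting RC4 blobs and deciding whether the result is a binary or a further list of URLs. The script below is an added example, not the report’s or McAfee Labs’ code: the report states only that the download URL returns an RC4-encrypted blob decrypting to Beebone, that a later response decrypts to a set of URLs, and that the Step 3 response carries a command, a URL and a filename. The RC4 key, the “download|url|filename” layout, the newline-separated URL list and every blob in the script are constructed assumptions.

```python
"""Decrypt and parse RC4-encrypted control-server responses of the kind the
download chain describes, as an analyst or harvester script would.

Added example, not the report's or McAfee Labs' code. The RC4 key, the
'download|url|filename' command layout, the newline-separated URL list and all
blobs below are constructed assumptions for this example.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XOR with keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_download_command(response: str):
    """Split a Step 3 style response into (command, url, filename); the '|' layout is assumed."""
    command, url, filename = response.strip().split("|", 2)
    if command != "download":
        raise ValueError(f"unexpected command {command!r}")
    return command, url, filename


def classify_blob(blob: bytes, key: bytes):
    """Decrypt a blob and report whether it is a PE binary, a URL list, or unknown."""
    plain = rc4(key, blob)
    if plain[:2] == b"MZ":                     # DOS header magic of a PE file
        return "pe", plain
    try:
        lines = [l.strip() for l in plain.decode("ascii").splitlines() if l.strip()]
    except UnicodeDecodeError:
        return "unknown", plain
    if lines and all(l.startswith(("http://", "https://")) for l in lines):
        return "url-list", lines
    return "unknown", plain


# --- constructed test data (not real samples) --------------------------------
ASSUMED_KEY = b"example-rc4-key"
# 198.51.100.0/24 is a documentation address range; port 7001 is one of the
# Beebone download ports listed in the report.
CONSTRUCTED_COMMAND = "download|http://198.51.100.7:7001/update.bin|svchost32.exe"
# Encrypting with the same routine yields blobs shaped like those the chain serves.
CONSTRUCTED_PE_BLOB = rc4(ASSUMED_KEY, b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00")
CONSTRUCTED_URL_BLOB = rc4(
    ASSUMED_KEY,
    b"http://198.51.100.7:7001/a.bin\r\nhttp://198.51.100.8:8000/b.bin\r\n",
)


if __name__ == "__main__":
    print(parse_download_command(CONSTRUCTED_COMMAND))
    print(classify_blob(CONSTRUCTED_PE_BLOB, ASSUMED_KEY)[0])
    print(classify_blob(CONSTRUCTED_URL_BLOB, ASSUMED_KEY))
```

Because RC4 is a stream cipher with no integrity check, a wrong key simply yields noise; the classifier therefore falls through to “unknown” rather than trusting the output, which is the case an automated harvester has to handle when the operator rotates keys along with the samples.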

Polymorphic engine creates unique worms

Before the worm switched to off-the-shelf cryptors in July 2014, W32/Worm-AAEH used a unique server-side polymorphic engine that generated victim-specific worm binaries. The engine did this by using information (serial number of C drive and username) in the download request as a seed to generate random strings. These strings were replaced at specific locations in the file, one of which was used as the decryption key for the embedded strings or binary and required the entire plaintext information to be encrypted using the new randomly generated strings.

The polymorphic engine also stored information about the sample’s origin within itself and prefixed it with a marker. Single letters were mapped to individual download ports in the 7001–7008, 8000–8003, and 9002–9004 ranges and indicated that the sample was downloaded by Beebone. Two-digit numbers indicated that the sample was downloaded by VBObfus from the 20000–40000 port range.

Differences in red reveal that the project names are modified each time a new binary is generated.

Changes in encrypted data and strings.


Automated sample harvester

In March 2014, McAfee Labs developed an automation system to communicate with W32/Worm-AAEH control servers to download new worms as soon as they are served by the malware distributor. Our automation engine is designed to mimic the worm’s communication with its control server at every stage in the communication sequence outlined in the previous section.

So far, the system has collected more than 20,000 unique samples from more than 35 control servers—all of which are located in Europe (see map, page 12)—and it has helped McAfee Labs threat researchers write detections for samples before they can infect our customers. Our system also detected that the worm replaced its cryptor on July 21, 2014. On September 15, 2014, the worm introduced the 29A-Loader, which is sold in the underground market for $300.

Using a new McAfee Labs clustering algorithm, we learned that the harvester collected more than 350 variants between March and August 2014, with about 55 samples for each variant. That’s an average of 58 new variants per month.


Clusters Found by the McAfee Labs Sample Harvester

Visual Basic Code Hash              Number of Samples
e9e18926d027d7edf7d659993c4a40ab    934
2381fb3e2e40af0cc22b11ac7d3e3074    540
d473569124daab37f395cb786141d32a    500
7738a5bbc26a081360be58fa63d08d0a    379
d25a5071b7217d5b99aa10dcbade749d    362
7856a1378367926d204f936f1cfa3111    353
13eae0e4d399be260cfc5b631a25855d    335
987e0ad6a6422bec1e847d629b474af8    335
0988b64de750539f45184b98315a7ace    332
63463a5529a2d0d564633e389c932a37    320

Prevalence

The McAfee Labs malware zoo contains more than five million unique W32/Worm-AAEH samples. We have detected more than 205,000 samples from 23,000 systems in 2013–2014. These systems are spread across more than 195 countries, demonstrating the threat’s global reach. The United States reported by far the greatest number of infections.

All of the worm’s control servers detected by McAfee Labs between March 14, 2014, and September 14, 2014, were based in Europe.

Total Systems Infected by W32/Worm-AAEH in 2013–2014 (bar chart; countries shown: USA, Taiwan, Brazil, China, France, Russia, Mexico, Italy, Netherlands, Sweden; vertical axis 0–9,000 systems)

Source: McAfee Labs, 2015.

Systems in the United States are the main target for this worm.

The preceding numbers are a conservative estimate of the infection’s spread based on data gathered from detections reported from McAfee Labs nodes, which constitute a small subset of the total infections. The geolocation information here may be inconsistent with the actual spread because the geographic distribution of nodes may not be uniform.

Preventing infection

Intel Security products detect all variants of this family. Our detection names have the following prefixes:

■ W32/Autorun.worm.aaeh

■ W32/Worm-AAEH

■ VBObfus

■ Generic VB

Although the threat is consistently polymorphic, the core behavior has remained virtually the same, allowing customers to easily prevent infections by taking these precautionary measures:

Access Protection Rules to Stop W32/Worm-AAEH

Category                    Rule
Common Maximum Protection   Prevent programs registering to AutoRun
User-defined                Prevent file execution in %USERPROFILE% directory
User-defined                Block outbound connections to ports 7001–7008, 8000–8003, 9002–9004, and 20000–40000 (legitimate applications may use these)

Additional rules are published at https://kc.mcafee.com/corporate/index?page=content&id=KB76807.

■ Firewall: Block access to DGA domains ns1.dnsfor{N}.{TLD}, in which N is a number from 0 to 20 and TLD is any of the following: com, net, org, biz, info.

■ Network Security Platform: Use this Snort rule to prevent malware downloads (instructions at https://community.mcafee.com/docs/DOC-6086):

– alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"W32/Worm-AAEH C2 Server Communication Detected"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 5.1\; SV1)"; classtype:trojan-activity;)
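The same two indicators the controls above rely on, the User-Agent string from the Snort rule and the outbound port ranges from the access protection table, can be applied retrospectively to proxy and firewall logs. The following script is an added example, not McAfee Labs code: the User-Agent value and port ranges are taken from the report; the log formats, the log lines and the per-host scoring are constructed. The User-Agent is a stock Internet Explorer 7 on Windows XP string and the table itself notes that legitimate applications use those ports, so each signal is weak alone and the script only rates a host “high” when both are present.

```python
"""Detection logic derived from the report's preventive controls, run over
sample proxy and firewall log lines.

Added example, not McAfee Labs code. The User-Agent value and the outbound port
ranges come from the report; the log formats, log lines and scoring scheme are
constructed for this example.
"""
import re
from collections import defaultdict

# Exact User-Agent from the report's Snort rule.
C2_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"

# Inclusive outbound port ranges from the access protection table. The table
# notes that legitimate applications may use these, so a port hit alone is
# treated as low confidence below.
SUSPECT_PORT_RANGES = ((7001, 7008), (8000, 8003), (9002, 9004), (20000, 40000))


def port_is_suspect(port: int) -> bool:
    """True when the destination port falls in one of the listed ranges."""
    return any(lo <= port <= hi for lo, hi in SUSPECT_PORT_RANGES)


# Constructed proxy log: time client method url status "user-agent".
# 198.51.100.0/24 and 203.0.113.0/24 are documentation address ranges.
PROXY_LOG = """\
2014-09-14T10:00:01Z 10.0.0.15 GET http://198.51.100.7:7001/update.bin 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
2014-09-14T10:00:03Z 10.0.0.30 GET http://www.example.com/ 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
2014-09-14T10:00:09Z 10.0.0.41 GET http://www.example.org/ 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
"""
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "(.*)"$')

# Constructed firewall log as key=value pairs.
FW_LOG = """\
2014-09-14T10:00:01Z src=10.0.0.15 dst=198.51.100.7 dport=7001 proto=tcp action=allow
2014-09-14T10:00:05Z src=10.0.0.30 dst=198.51.100.9 dport=25000 proto=tcp action=allow
2014-09-14T10:00:07Z src=10.0.0.30 dst=198.51.100.9 dport=443 proto=tcp action=allow
2014-09-14T10:00:08Z src=10.0.0.41 dst=203.0.113.5 dport=80 proto=tcp action=allow
"""
FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def find_c2_user_agent(log_text, ua=C2_USER_AGENT):
    """(client, url) for each request whose User-Agent equals the rule's string."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m and m.group(6) == ua:
            hits.append((m.group(2), m.group(4)))
    return hits


def find_suspect_outbound(log_text):
    """(src, dst, dport) for each outbound connection to a listed port range."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and port_is_suspect(int(m.group(3))):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


def score_hosts(proxy_log=PROXY_LOG, fw_log=FW_LOG):
    """Per host: 'high' when both weak signals are present, 'low' for one."""
    signals = defaultdict(set)
    for client, _ in find_c2_user_agent(proxy_log):
        signals[client].add("user-agent")
    for src, _, _ in find_suspect_outbound(fw_log):
        signals[src].add("port")
    return {host: ("high" if len(s) == 2 else "low") for host, s in signals.items()}


if __name__ == "__main__":
    for host, level in sorted(score_hosts().items()):
        print(host, level)
```

In the constructed data 10.0.0.15 shows both the User-Agent and a connection to port 7001 and is rated high, while 10.0.0.30 (a port-range hit only) and 10.0.0.41 (a stock User-Agent only) stay low, which is the triage outcome the table’s caveat calls for.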

Learn how Intel Security can help protect against this threat.


Takedown

In early April 2015, a global law enforcement action took down the control servers for this botnet. The U.S. Federal Bureau of Investigation, the European Cybercrime Centre (EC3), Intel Security, and the Shadowserver Foundation worked together to identify and disrupt the infrastructure for this botnet.

Up-to-the-minute details of the takedown can be found here.

Summary

Cybercrime is big business—and getting bigger—so it is no surprise that cybercriminals continue to attack. As this example illustrates, thieves will go to great lengths to conceal themselves from IT security practitioners, the security industry, and global law enforcement so that they can continue to steal with abandon.

To stop such attacks, a cooperative effort is required. Security vendors must share crucial information with one another, companies must be protected from legal action for coordinating with other companies and their governments to stop attacks, and global law enforcement agencies must work collaboratively with the security industry and affected companies to take down the most egregious attacks. It is only through a joint effort that we can slow the growth in cyber theft.

About McAfee Labs

McAfee Labs is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threat vectors—file, web, message, and network—McAfee Labs delivers real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks.

www.mcafee.com/us/mcafee-labs.aspx

About Intel Security

McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security combines the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. Intel Security’s mission is to give everyone the confidence to live and work safely and securely in the digital world.

www.intelsecurity.com

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided “as is,” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2015 McAfee, Inc. 61788rpt_polymorphic-botnet_0315_fnl_PAIR

McAfee. Part of Intel Security.2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.intelsecurity.com
