Keep It Simple Stupid 

Oct 16, 2008 07:39 AM

When someone is asked to present an analysis of a modern threat, the explanation often becomes complicated very quickly. Here I will present a brief analysis of a Trojan that uses the KISS approach: "keep it simple, stupid."

The reason for this article is that upon hearing what I do for a living, people often ask, "Why do people write viruses?" After explaining the various dangers of using a computer online, people often follow up with the following question: "I don't bank online, I don't shop online, etc... so why would someone want to attack my computer?" This article is dedicated to anyone who has ever sat beside me on a plane/train/automobile and asked me these questions. ;-)

The Trojan shown below will help to explain why a computer is still valuable to an attacker, even if that computer contains no sensitive data. The Trojan presented here does not steal private data (such as banking credentials, etc.); however, it does contribute to one problem of online computer usage that everyone is familiar with: spam.

What is presented here is nothing new or groundbreaking. Anyone up-to-date on security will be familiar with these Trojans. They have been around for some time now, but what caught my attention was the simplicity of this particular sample and how easy it is to understand: perfect for a simple explanation of how these types of Trojans operate. (No encryption, no obfuscation, no time delays or crazy features.)

The threat is called Trojan.Spamthru. It is a threat that simply runs silently in the background whenever an infected computer is online, and its goal is to continuously send spam. When Trojan.Spamthru is executed it immediately connects to a control server to receive configuration data. This configuration data is received as plain text and consists of the following variables:

 

•    A generic email template
•    A list of first names
•    A list of last names
•    A list of subjects
•    A list of domains
•    A list of URLs
•    Other data that is not essential to this article
 

This is the template that was received the first time the Trojan was executed:

 

Date: {DATE}
From: {$FNAME$} <{$FNAME$}_{$LNAME$}@{$DOMAIN$}>
To: {TO}
Subject: {%SUBJECT%}

This message is intended for {TO}:

*SAVE!  SAVE!  SAVE!*

*TOP SELLING {SCRAMBLE:MEDICATIONS}*
- Available without a prescription
- Our brands simply cost less
- Fastest processing times online

http://www.{$URL$}

{$WIKIARTICLE$}
Use http://www. {$URL$}/a.php for removal


Anything within curly brackets in the above template will be replaced with appropriate data before the spam email is sent. The Trojan knows what appropriate data to use by checking the lists that were previously received as part of the configuration data.

For example, in the configuration data downloaded, the variable {$FNAMES$} refers to a list of 5,494 first names:

 

mary
patricia
linda
barbara
elizabeth
jennifer
maria
susan
margaret
etc.


Before the Trojan sends a spam email it will replace all occurrences of {$FNAMES$} in the template with a randomly chosen first name from the list above. The same procedure is followed for all of the other variables in the template:

 
{$LNAMES} = a list of 88,799 last names.

{$SUBJECTS} = a list of 189 different subjects:
Leading Online Pharmacy For Generic Medication
You Are Invited To The Leading Online Pharmacy For Generic Medication
Save money by buying generic brand medications
Generic leading brand weight-loss products
Generic Medication For Everyones Needs
No prescription is required for our medications
Get your medications without a prescription
Huge invetory of generic medications
Substantial savings on your medications
etc.

{$DOMAINS} = a list of popular webmail companies and ISPs to target for sending spam to.

{$URLS} = a list of spam URLs that sell fake products:
rateyaec.com
jeailkic.com
cosatamm.com
kralpeal.com
chinmich.com
liatioslo.com
mistatok.com
slapoute.com
inmidels.com
etc.


The Trojan chooses a random entry from each of these lists, inserts those entries into the template, and then sends a spam message. It then repeats the process while choosing new random entries from the lists.

Here is a sample mail that the Trojan was attempting to send:

 
Date: Thu, 26 Jun 2008 07:06:14 GMT
From: booker <booker_yamauchi@rr.com>
To: <skrmusic@bellsouth.net>, <skrob@bellsouth.net>, <skrobot@bellsouth.net>, <skrock@bellsouth.net>
Subject: Generic Medication For Everyones Needs

This message is intended for <skrmusic@bellsouth.net>, <skrob@bellsouth.net>, <skrobot@bellsouth.net>, <skrock@bellsouth.net>:

*SAVE!  SAVE!  SAVE!*

*TOP SELLING M:ICEITLONBEMDAS*
- Available without a prescription
- Our brands simply cost less
- Fastest processing times online
 
hxxp://xxx.[removed].com

The URL at the bottom of the email was a fake medical supplies site that looked something like this:

 

The templates are continuously changing. Also, the Trojan reconnects to the control server at specified intervals and receives new templates. Here is an example of another spam email that was sent a few days later:

 
Date: Wed, 10 Sep 2008 07:16:20 GMT
From: justin <justin@branch3es.info>
To: <realtor@blahblah.com>
Subject: Own your own Rolex

MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Huge discounts on Gucci bags

hxxp://xxx.[removed].com


This site was trying to sell fake watches and designer bags. The name of the site was Kings Replica, which is a name associated with a well-known spam campaign that has been running for a long time. (See here for more details.)

A colleague of mine, Dermot Hartnett, who works in our anti-spam team was recently interviewed about the current trends within spam. Although the interview is from July, the information presented is still relevant and shows what you might expect to see in your inbox (or, rather, what was blocked before it ever got to your inbox):

This Trojan is an example of a very simple threat that can use an infected machine for purposes other than stealing data. Malicious code authors will try to infect thousands of computers with similar Trojans and then use the infected computers in unison, allowing them to send millions of spam emails every minute. A network of 10,000 infected computers would not be considered large!

Although this simple Trojan is capable of sending out a torrent of spam, due to its simplicity it is very easy to detect—both the actual Trojan file and the spam that the Trojan sends. Symantec detects these types of threats as Trojan.Spamthru.

P.S.> The good news is that the end of this spam campaign may be in sight. The FTC is taking action against the supposed organizers of these spam campaigns, as reported here: http://www.theregister.co.uk/2008/10/14/prolific_spammers_targeted/
