We have recently found samples of a new C&C (command-and-control) engine, named Dream Loader, and detected as Trojan.Karagany by Symantec products, that is being used in the wild. The engine comes in a pack that contains both a builder to build your own executable bot, and a Web interface to control all your bots by sending them commands through the Web.
Origins and marketing
The pack, version 0.3, is relatively new and seems to be originating from Russia; it was first found in November and is designed to be modular and load plugins. It has some nice features, although it is not as advanced as other packs, like Zeusbot for example. The pack was being sold for $550 in order to buy the backdoor itself (not the builder) and the Web interface. Every update to the backdoor configuration (e.g. a new url to be used for the C&C server) would require an additional cost of $30. Unfortunately, the “nohonoramong thieves” rule spares no one, and this pack is already being leaked in various forums, allowing anyone to use it for free.
The builder
The pack comes with its own backdoor component, configurable with a builder that has a minimalist interface:
Figure 1: Configuring the backdoor
You can specify your C&C server and the tool will customize the backdoor for you. You are now ready to distribute your malware and administer it through your Web site!
The Web interface
The C&C server has a classic implementation in PHP and SQL. It has two main components: the “gate”, which is the page being periodically requested by the backdoor listening for new commands, and the “stats” page which is the administrator’s page, where he can log in and control his bots, distribute new commands, etc.
Figure 2: Sending commands to the bots
The interface allows you to send commands to specific bots, and also offers the functionality to track command usage.
Of course you also have the possibility of listing your bots to get information about uptime and country of origin:
Figure 3: A list of all the active bots controlled by the backdoor
Figure 4: Statistics about the countries of origin of the active bots
What it can do
The backdoor offers very simple functionality, mainly to load other components. It has some common tricks to hide itself in the infected machine, in order to make it more difficult for a user to notice its presence.
The main commands that can be sent to the backdoor are: download and run an executable, download and install a plugin, update the bot itself, reboot the machine, and uninstall the bot. The main purpose of this backdoor is therefore to offer a gateway to the attacker so that he can download and install his own malware.
The authors of the pack also advertise that future versions of the bot will be upgraded to contain new features such as DDoS, keylogging, and support for SOCKS5 and FTP.
Some deeper analysis
The bot uses some known tricks in order to bypass security products and conceal its presence on the infected machine, although the end result is still a pretty basic executable which is easily detectable and removable.
It hooks the ‘FindNextFile’ API in order to hide filenames related to its own files. The hook is only performed in ring3, therefore it won’t fool any security product.
It uses the ‘NtQueueApcThread’ API in order to inject its code into other processes (e.g. explorer and svchost), it also uses the print provider functionality to inject itself into the spooler process:
Figure 5: A trick borrowed from Tidserv!
Haven’t we seen this trick already? Yes! Mainly in Tidserv/TDSS, but it can also be found in some other malware.
It’s worth noticing that the actual bot can crash the ‘explorer.exe’ process due to a bug in the communication with the C&C server: if the communication fails or gets unexpected data, the backdoor code may incorrectly handle the communication data and end up repeatedly crashing the ‘explorer.exe’ process, rendering the machine unusable.
This backdoor is not very widespread yet, but it has the potential to evolve into a more dangerous threat in the future; as always, we recommend the users to update their software and security products, and to use common sense in order to avoid malware.
Thanks to Peter Coogan and Masaki Suenaga for their contributions to this blog.