Attack Intelligence™ Research Center Monthly Threat Report
How Much is a Picture Worth?
Aladdin.com/eSafe

Background

During the Attack Intelligence Research Center's (AIRC) recent research activities, we have come across some interesting incidents that involve celebrities and botnet herders, tied together by the common desire for money. In the past few weeks, both spam- and MalWeb-related techniques for luring people into viewing attacker-controlled content, while performing a sophisticated attack on the user, have focused on a current media fad: photographs of Angelina Jolie. The high price paid for the photos of BranGelina's newborn twins is probably not a coincidence. After looking into one of these attacks and analyzing the Trojan installed as part of it, the AIRC team has come to some interesting conclusions.

Attack Vector

The attack arrives through the two most common vectors criminals use today: Web-borne attacks (MalWeb) and spam messages. The MalWeb component disguises itself as a legitimate site that entices the user to view recent pictures of the subjects mentioned above; the spam emails do the same, but also carry attachments claiming to be related to the Angelina Jolie pictures. In both cases, the initial stage of the attack gets the unsuspecting user to run a file that is the "stub" of the infection stage.

Infection Vector

Once the Trojan downloader is run on the victim's PC, it fetches the actual Trojan crimeware in a file called "video-nude-anjelina.avi.exe". The double extension is the lure: with Windows Explorer's default setting of hiding known file extensions, the file shows up as "video-nude-anjelina.avi" and looks like a video. According to VirusTotal, only two of 34 security products detected the Trojan at the time of writing, one of them being eSafe.

Figure 1: VirusTotal showing the detection rate for the Trojan

Once run, the Trojan contacts its operator's server to receive instructions.
The server in return supplies the Trojan with a list of email addresses to be spammed, together with the message body of the spam email, including an attached copy of the Trojan downloader.

Figure 2: Communication between the Trojan and its command and control center

The Trojan then drops a file named services.exe into the Windows folder and launches multiple processes to run the spamming operation in parallel. Note that the legitimate Windows services.exe lives in the System32 directory, not in the Windows folder itself, so the dropped file's location alone gives it away.

Figure 3: The Trojan execution trace on the infected machine

After tracing back the command and control servers used in this attack, the AIRC team once again had the opportunity to take a peek at the criminal operation from the bottom up. The central, business-like organization that commissions the criminal activity and collects the revenue is structured in a hierarchy, much like a legitimate corporation, and identifying and eradicating it is therefore more the responsibility of law enforcement. What we have been witnessing is the "field operations" level of the overall campaign: the part that brings in more infections and sends back instructions for further malicious acts.

We observed a huge amount of data related to other ongoing botnet attacks carried out by the same botnet herders. The recovered data includes statistics on computers infected with other botnets, collected from compromised machines being used to steal personal data and launch different sorts of attacks.

We can clearly see how MalWeb and spam operate together from the same criminally operated servers. However, as spam countermeasures pick up on illicit activity coming from certain IP addresses, the MalWeb side stays relatively untouched, due to the more dynamic nature of the Web and the use of Web 2.0 techniques to run the code "under the radar" while still maximizing the return on the investment in the technical facilities.
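The two host-level indicators described above, a lure carrying a double extension ("video-nude-anjelina.avi.exe") and a services.exe dropped into the Windows folder instead of System32, are easy to check for mechanically, and the relationship between them (the dropped file is created by the lure) is worth correlating as well. The following Python script is an added example written for this page, not code from the report or from Aladdin. The file-creation events it scans are constructed sample data, and the list of System32-only binary names beyond services.exe is an editor's assumption to be verified against your own baseline.

```python
"""Indicator checks for the infection chain described in the report.

Three host-level checks, run over constructed sample file-creation events:
  1. a double-extension lure: a media-looking name that really ends in an
     executable extension, e.g. "video-nude-anjelina.avi.exe";
  2. a core Windows binary name (services.exe) created outside the only
     directory where it legitimately lives, %WINDIR%\\System32;
  3. a correlation of the two stages: a file created by a process whose
     own image name is a double-extension lure.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Extensions Windows will execute when double-clicked.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a lure hides behind; Explorer's default "hide known extensions"
# setting shows "video.avi.exe" as "video.avi".
MEDIA_EXTS = {".avi", ".mpg", ".mpeg", ".wmv", ".mp4",
              ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc"}
# Binaries that on a stock install live only in %WINDIR%\System32.
# services.exe is the name the report's Trojan uses; the other names are an
# assumption added by the editor and should be checked against your baseline.
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    detail: str


def has_double_extension(path: str) -> bool:
    """True when the real (last) extension is executable and the one
    before it is a media or document extension."""
    name = ntpath.basename(path).lower()
    stem, last = ntpath.splitext(name)
    if last not in EXEC_EXTS:
        return False
    _, inner = ntpath.splitext(stem)
    return inner in MEDIA_EXTS


def is_masquerading_system_binary(path: str, windir: str = r"C:\Windows") -> bool:
    """True when a System32-only binary name appears in any other directory
    (the report's Trojan writes services.exe straight into the Windows folder)."""
    name = ntpath.basename(path).lower()
    if name not in SYSTEM32_ONLY:
        return False
    parent = ntpath.normpath(ntpath.dirname(path)).lower()
    legit = ntpath.normpath(ntpath.join(windir, "System32")).lower()
    return parent != legit


def scan(events: list[tuple[str, str]]) -> list[Finding]:
    """events: (created_path, creating_process_image) pairs, the shape a
    host agent's file-create log would supply (assumed format)."""
    findings: list[Finding] = []
    for path, creator in events:
        if has_double_extension(path):
            findings.append(Finding(path, "double-extension-lure", f"created by {creator}"))
        if is_masquerading_system_binary(path):
            findings.append(Finding(path, "system-binary-outside-system32", f"created by {creator}"))
        if has_double_extension(creator):
            findings.append(Finding(path, "dropped-by-double-extension-process", f"creator {creator}"))
    return findings


# Constructed sample events (not taken from the report): the lure, the
# dropped services.exe, the legitimate services.exe and two benign files.
SAMPLE_EVENTS = [
    (r"C:\Users\alice\Downloads\video-nude-anjelina.avi.exe", "iexplore.exe"),
    (r"C:\Windows\services.exe", "video-nude-anjelina.avi.exe"),
    (r"C:\Windows\System32\services.exe", "System"),
    (r"C:\Users\alice\Pictures\twins.jpg", "explorer.exe"),
    (r"C:\Users\alice\Downloads\holiday.avi", "firefox.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.path}  ({f.detail})")
```

Run against the sample events, the scan flags the downloaded lure, the services.exe written to C:\Windows, and the fact that the latter was created by the lure itself; the legitimate System32 copy and the benign media files pass. Path handling uses ntpath so the checks behave the same whether the script runs on Windows or on an analyst's Linux box over exported logs.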
As the image below shows, the MalWeb part of the campaign is quite successful and has yielded (at the time of writing) more than 3,000 unique victims running the Trojan, and that is for just one part of the campaign. We found more than 10 different "command and control" centers for controlling infected machines, all run from the same server.

Figure 4: One of the MalWeb operation status reports, showing more than 3,000 infected machines

Below is a screen capture showing the status of one of the botnet controlling servers. The status page includes information such as the commands currently being executed, total accesses, total traffic, and so on.

Figure 5: The command and control center status screen showing a few thousand compromised machines reporting back on their actions and readiness

Splitting one botnet into several smaller ones has long been known in the security field as a way to reduce each botnet's visibility and so evade detection. We suspect another reason is the ability to rent out smaller botnets to multiple clients instead of running a more complicated "time-share" system on one large botnet (reinforcing the SaaS model that has started to emerge over the past year as part of the eCrime mode of operation).

Collateral Infection

We also found a fake "Porn Tube" website hosted on the same server that hosts this Trojan. This Porn Tube, an adult version of YouTube, serves up a malicious ActiveX component.

Figure 6: A PornTube site hosted on the server, delivering additional Trojans to victims

Malicious Server Information

This attack spanned two different servers. One is hosted in the US and the other in the Seychelles Islands, both at a server hosting company. Below is some more specific information about these IP addresses (note the blacklisting of the Seychelles IP address due to spam activity).
Both servers have been reported to the appropriate authorities and have been taken down.

Server 1: This server was spotted in spam activity and blacklisted, though its Web portion remained active and was still successfully serving MalWeb.

Server 2:

Looking Forward

This analysis does not attempt to bring a new concept or technical revelation into the open. Instead, we urge readers to accept the significant criminal activity taking place in and amongst daily life. eCrime must be regarded as a business, rather than a mob-like operation that seemingly runs by itself in some parallel world. The same "rules" apply to a criminally operated organization as to any other corporation. If that means following the fads and trends of the day in order to appeal to a larger crowd and reach as much of the targeted audience as possible, then that is what we will see.

It would be an interesting experiment to try to synchronize world and local news with the content associated with it on the Internet at any given time. As many have pointed out before, most MalWeb comes from seemingly legitimate sites, which means that tracking down new attacks is as easy as keeping in sync with the current news. On the flip side, it also means that there is no such thing as a "trusted" site, and that every site is a suspect. This approach, as bleak and paranoid as it may be, should be the modus operandi of every security solution that claims to protect a modern corporation.

About the Attack Intelligence™ Research Center

The Aladdin Attack Intelligence Research Center (AIRC) is a premier facility for Internet threat detection and cybercrime investigation. The mission of the AIRC is to deliver security research and intelligence that educates, supports and strengthens the security community, and drives innovation in Aladdin's content security solutions.
Based in Tel Aviv, the AIRC comprises global security researchers and law enforcement and cybercrime specialists dedicated to finding and eradicating Internet threats that compromise legitimate business safety. AIRC goes beyond traditional threat detection to provide business intelligence around evolving threats, predict future trends in Internet security, and uncover the inner workings and effects of the business of eCrime. For more information, visit www.Aladdin.com/AIRC.

About Aladdin

Aladdin Knowledge Systems (NASDAQ: ALDN) is an information security leader with offices in 12 countries, a worldwide network of channel partners, and numerous awards for innovation. Aladdin eToken is the world's #1 USB-based authentication solution, offering identity and access management tools that protect sensitive data. Aladdin HASP SRM boosts growth for software developers and publishers through strong anti-piracy protection, IP protection, and secure licensing and product activation. Aladdin eSafe delivers real-time intelligent Web gateway security that helps protect data and networks, improve productivity, and enable compliance. Visit www.Aladdin.com.

For more contact information, visit: www.Aladdin.com/contact

© 2008 Aladdin Knowledge Systems, Ltd. All rights reserved. Aladdin is a registered trademark of Aladdin Knowledge Systems, Ltd. All other names are trademarks or registered trademarks of their respective owners.