Exceptional – Botnets and Exploit Kits

Exploit kits and botnets go hand in hand. One is responsible for the infection and the other is used to generate revenue; neither is of much use without the other.

For the past few weeks we have been observing a new wave of infection: Win32.XPAJ. This is a polymorphic file-infecting virus which, after a successful infection, turns the host into a botnet client.

Many of the behaviours we have observed are new to this virus.

As with every piece of technology, evolution is a must, and Win32.XPAJ is not far behind. The infection method is highly complex, and great care has been taken to protect the virus from detection by anti-virus products.

Most anti-virus products detect malware using MD5 signatures or by inspecting the internals of the file. Secondly, the threat level of a particular trojan/malware is decided based on the number of computer systems/networks, or the geographical area, it has infected.

Domains such as .gov and .mil belong to governments and the military, which are already paranoid about such threats; if they are infected, the threat level assigned to the trojan/malware is raised exponentially.

Organizations such as Google and some AV vendors, which are known to aggressively block access to websites hosting these exploit kits or to build detection algorithms for them, are the number two enemy of such exploit kits and botnet clients.

The success of an exploit kit is based on:

A: Evasion – How can this piece of code evade the existing technologies during all the stages of infection?
B: Stealth – How does it avoid raising suspicion after delivery, and for how long?
C: Penetration – How many computer systems/networks can it exploit?

Win32.XPAJ has done it all.

Before infecting any system/network, Win32.XPAJ checks the domain and exits if it finds .mil or .gov. It simply refuses to infect these domains.

It also checks the country in which the computer is located by way of IP address geo-location and does not infect certain European countries and a few others. In other words, it chooses who should be infected and who should not.

The entry point is changed and the payload resides in different parts of the infected executable/DLL, making detection by an anti-virus difficult, if not impossible.
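Because a changed entry point is one of the few static traces a file infector leaves, scanners pair hash signatures with layout heuristics. The following Python script is an added illustration (it is not eScan's detection logic and is not taken from the post): it parses the PE headers, finds the section that contains the entry point and reports layouts a compiler would not normally produce (entry in a non-executable or writable section, in the last section, or outside the first code section). The two images are constructed, header-only test data, and the heuristic is generic rather than specific to XPAJ.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_pe(entry_rva, sections):
    """Build a header-only PE32 image (constructed test data, not a real binary).

    sections: list of (name, virtual_address, virtual_size, characteristics).
    Only the fields the heuristic reads are populated; everything else is zero.
    """
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew: PE signature at 64
    # Optional header (PE32): Magic, linker versions, three size fields, then
    # AddressOfEntryPoint at offset 16; padded to the standard 224 bytes.
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0)
    opt += b"\0" * (224 - len(opt))
    # COFF header: Machine (i386), NumberOfSections, stamp, symtab, nsyms,
    # SizeOfOptionalHeader, Characteristics (executable, 32-bit).
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, 0, 0, 0, 0, 0, 0, flags)
        for name, va, vsize, flags in sections
    )
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "flags": flags})
    return entry, sections


def entry_point_findings(data):
    """List layout anomalies around the entry point; an empty list means nothing odd."""
    entry, sections = parse_pe(data)
    host = None
    for idx, sec in enumerate(sections):
        if sec["va"] <= entry < sec["va"] + max(sec["vsize"], 1):
            host = (idx, sec)
            break
    if host is None:
        return ["entry point lies outside every section"]
    idx, sec = host
    findings = []
    if not sec["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {sec['name']}")
    if sec["flags"] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry section {sec['name']} is writable")
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point in last section {sec['name']}")
    first_code = next((s for s in sections if s["flags"] & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and first_code is not sec:
        findings.append(f"entry point not in first code section "
                        f"(expected {first_code['name']}, got {sec['name']})")
    return findings


# Constructed samples: a normal layout and one whose entry point was moved into .data.
LAYOUT = [
    (".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
CLEAN_IMAGE = build_pe(0x1010, LAYOUT)
SUSPECT_IMAGE = build_pe(0x3020, LAYOUT)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("suspect", SUSPECT_IMAGE)):
        print(label, entry_point_findings(image) or "no findings")
```

Such a heuristic is a triage signal, not a verdict: packers and some linkers also move the entry point, so a hit should route the file to deeper inspection rather than straight to a detection.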

It is very rare to find a trojan/virus/phishing site that is selective in nature (country-specific, domain-specific).

A few hours ago, Cryptome.org was hacked and infected with the Blackhole Exploit Kit.

According to Wikipedia:

Cryptome is a website hosted in the United States since 1996 by independent scholars and architects John Young and Deborah Natsios that functions as a repository for information about freedom of speech, cryptography, spying, and surveillance.

Targeting this website ensures that a select group of individuals and organizations is infected, and there is a similarity between Win32.XPAJ and the Blackhole Exploit Kit residing on Cryptome's servers.

No need to guess: it is the “exception”. The infection on Cryptome avoids attacking Google IP addresses, while Win32.XPAJ goes one step further by not attacking .mil, .gov and certain countries.

Since a security-related website was targeted, it has ensured a prompt reaction from the whole community.

The future of “threat escalation” is going to change as we come across more and more exploit kits and trojans/viruses that are selective about their targets. We will have to change our perspective and segregate threats into global and geographically specific attacks.

We have seen a lot of phishing sites employing such “exception”-based techniques, and Win32.XPAJ will not be the last.

Win32.XPAJ, upon infection, turns the host into a botnet client, and the payload this time is ad-click fraud.

For 2012 we had said that India would become the largest hub of botnets, and with Win32.XPAJ this will soon become a reality, as most of the infected computers are based in India. My previous blog post on DNS MITM is a bleak reminder.
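Segregating a wave into global versus geographically specific, and noting whether sensitive domains are among the victims, can be done directly from infection telemetry. The Python script below is an added example (not eScan's scoring and not from the post): it aggregates constructed sighting records by country and by /24 network, counts hosts under the .gov/.mil suffixes the post singles out, and labels the scope using an assumed concentration threshold. The telemetry records, hostnames and the 0.75 threshold are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed infection telemetry (sample values, not real sightings):
# (reporting IP, ISO country code, reporting hostname).
TELEMETRY = [
    ("203.0.113.10", "IN", "ws12.example.co.in"),
    ("203.0.113.33", "IN", "ws15.example.co.in"),
    ("203.0.113.77", "IN", "pc3.example.co.in"),
    ("203.0.113.200", "IN", "lab1.example.in"),
    ("198.51.100.5", "IN", "node7.example.in"),
    ("198.51.100.140", "IN", "node9.example.in"),
    ("198.51.100.9", "US", "desk.example.com"),
    ("192.0.2.44", "BR", "host.example.com.br"),
]

# Domains the post singles out as raising the threat level when infected.
SENSITIVE_SUFFIXES = (".gov", ".mil")


def threat_profile(records, concentration=0.75):
    """Summarise the spread and scope of an infection wave from telemetry records.

    `concentration` is an assumed threshold (not from the post): the share of
    infections the top country must hold for the wave to be labelled
    geographically specific rather than global.
    """
    if not records:
        raise ValueError("no telemetry records")
    countries = Counter(country for _, country, _ in records)
    # Distinct /24 networks approximate "how many networks" the wave reached.
    networks = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip, _, _ in records}
    sensitive = [host for _, _, host in records
                 if host.lower().endswith(SENSITIVE_SUFFIXES)]
    top_country, top_count = countries.most_common(1)[0]
    share = top_count / len(records)
    return {
        "infections": len(records),
        "distinct_networks": len(networks),
        "countries": dict(countries),
        "top_country": top_country,
        "top_country_share": share,
        "sensitive_hosts": len(sensitive),
        "scope": "geographically specific" if share >= concentration else "global",
    }


if __name__ == "__main__":
    for key, value in threat_profile(TELEMETRY).items():
        print(f"{key}: {value}")
```

The scope label and the sensitive-host count are the two inputs the post argues should drive escalation separately: a wave concentrated in one country can be a large local problem without being a global one, while a single .gov or .mil sighting raises the level regardless of volume.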
