Trilight Zone

[tricore]

Websense Security Labs researchers have caught a somewhat rare insight into an interface used by an attacker to control infected systems in a bot network.

Websense discovered the new malicious Web sites yesterday, using the company's ThreatSeeker technology. The sites are designed to install Trojan horse bots that seek out banking credentials for more than 50 financial institutions and e-commerce sites from infected machines.

The sites, hosted in Germany, England and Estonia, resolve to five unique IP addresses, apparently by use of a round-robin DNS. All of the sites host the same exploit code, which tries to get into systems via the Microsoft AdoDB/XML HTTP flaw. That flaw was fixed in Microsoft's MS06-014 bulletin in April 2006.

(That particular patch appears to be something of a favorite in the botnet herder crowd: Researchers at Exploit Prevention Labs in June said they saw several bot-seeding scripts targeting the MDAC (Microsoft Data Access Components) flaw covered in the MS06-014 bulletin.)

When users visit one of the sites, it displays a page that says the server is temporarily busy and asks that the user shut off firewalls or anti-virus software. If one of the malicious sites gets in via the AdoDB/XML HTTP flaw, it downloads and installs a Trojan downloader called "iexplorer.exe" without the need for an end user to click on anything or otherwise interact with the site.

The Trojan also installs five more files from a server in Russia. The filenames are:

IEMod.dll
IEGrabber.dll
IEFaker.dll
CertGrabber.dll
PSGrabber.dll

The server in Russia acts as a remote bot controller from which additional files can be uploaded or downloaded and more phishing attacks can be appended. Unlike traditional bots, which are controlled through IRC, this server has a user-friendly Web interface that allows the attacker to run searches and queries and stay on top of their attack's success. With this interface, the attacker can see how many systems have been affected and can redirect infected systems to other locations. Websense has posted screenshots of the bot-controller interface.

Once the DLLs are in place and the infected system connects to one of the financial institutions or e-commerce sites, the code replaces some HTML within the page and then posts the user's log-on credentials to the server in Russia. At this point, the malicious site's statistics showed more than 1,000 successful infections per day. Systems in the United States and Australia are topping the list.

Botnet use is on the rise, particularly in the case of for-profit botnets. Check out this OnSecurity podcast with Jose Nazario, software and security engineer at Arbor Networks, about the extent of the proliferation.

The shift from IRC to the Web likely spells out further success for botnet attacks, Hubbard said. "There's a chance it will work in more networks. A lot of networks filter IRC traffic," he said. "[Use of the Web for a vector] will work better in organizations that don't have port 80 and don't have products like our own."

It just shows, Hubbard said, that botnet attackers are getting better at it: They're updating, they're tracking, they're using sophisticated control technology, and they're even running some level of data analysis. "This is very professional," he said.

Not good.