“There is no delight in owning anything unshared.”

Trojan Abuses Sendspace

Trojan Horse – a standalone malicious executable file that does not attempt to infect other computers automatically; it needs help (usually from the user) to spread. Trojan horses can make copies of themselves, steal information, or harm their host computer systems.

Purpose and Uses:

Malware – a destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to get rid of viruses but instead introduces viruses onto the computer.

Security – a Trojan may give a hacker remote access to a target computer system. Once a Trojan has been installed, the hacker can reach the computer remotely and perform various operations, limited only by the user privileges on the target system and by the design of the Trojan.

Operations that could be performed by a hacker on a target computer system include:

  • Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
  • Data theft (e.g. retrieving passwords or credit card information)
  • Installation of software, including third-party malware
  • Downloading or uploading of files on the user’s computer
  • Modification or deletion of files
  • Keystroke logging
  • Watching the user’s screen
  • Crashing the computer

-The Latest Abuses, 2012-

A recently discovered Trojan harvests documents on affected systems and uploads them to the file hosting site sendspace.com.

The email that delivers it contains a downloader Trojan, which installs TSPY_SPCESEND.A. This downloader also installs other malicious executables on affected systems, including FAKEAV variants from the BestAV affiliate network and FakeHDD variants from the Yamba network. These were observed to be downloaded from compromised, legitimate websites.

Furthermore, this downloader Trojan shares the same C&C server as TSPY_SPCESEND.A. This strongly suggests that the document-stealing sendspace Trojan is pushed by cybercriminals who are also involved in the Pay-Per-Sell (PPS) underground business.

Command and Control Server

After the malware uploads a .ZIP archive containing the victim’s documents to sendspace, it sends the sendspace download link along with a unique ID, the password for the .ZIP archive and the victim’s IP address to the command and control (C&C) server.

As of this writing, at least three C&C servers have been seen in use by the malware: {BLOCKED}28889.ru, {BLOCKED}8483825.ru, and {BLOCKED}372721.ru. These three domains point to the IP addresses 31.184.237.143 and 31.184.237.142. These IPs, along with a number of IPs in the same range, have records of hosting malicious files since July 2011, including variants of bots such as BFBot (Palevo), NgrBot, and IRCBot.

Digging deeper into the directory structure of the C&C server reveals an “open directory” containing a log file that records this information (download link, unique ID, archive password and victim IP) for each upload.
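As an added illustration of the behaviour described above (this is not code from the original post or from Trend Micro), the following Python script scans proxy log lines for a client that POSTs to sendspace and then contacts the C&C address range named above; the log format, client addresses, timestamps and request paths are constructed assumptions for this example.

```python
"""Flag clients whose proxy traffic matches the sendspace Trojan pattern:
an upload to sendspace followed shortly by a beacon to the C&C range.
Log format and sample lines are constructed for this example."""
import ipaddress
from datetime import datetime, timedelta

# IPs named in the post; the /24 generalises "a number of IPs in the same range".
CC_RANGE = ipaddress.ip_network("31.184.237.0/24")
UPLOAD_HOST = "sendspace.com"

# Constructed proxy log: timestamp, client, method, destination host, path
SAMPLE_LOG = """\
2012-01-16T10:01:02 10.0.0.5 POST upload.sendspace.com /upload
2012-01-16T10:01:40 10.0.0.5 POST 31.184.237.143 /report
2012-01-16T10:02:00 10.0.0.7 GET www.sendspace.com /file/abc123
2012-01-16T11:30:00 10.0.0.9 POST 31.184.237.142 /report
"""

def parse_line(line):
    ts, client, method, host, path = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "path": path}

def is_cc_host(host):
    """True if the destination is an IP inside the C&C range (hostnames are not)."""
    try:
        return ipaddress.ip_address(host) in CC_RANGE
    except ValueError:
        return False

def find_suspects(log_text, window=timedelta(minutes=10)):
    """Return {client: reason}. A client that POSTs to sendspace and then
    reaches the C&C range within `window` gets the strongest reason; any
    other contact with the range is still reported."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    last_upload, suspects = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] == "POST" and ev["host"].endswith(UPLOAD_HOST):
            last_upload[ev["client"]] = ev["ts"]
        elif is_cc_host(ev["host"]):
            up = last_upload.get(ev["client"])
            if up is not None and ev["ts"] - up <= window:
                suspects[ev["client"]] = "sendspace upload followed by C&C contact"
            else:
                suspects.setdefault(ev["client"], "contact with C&C range")
    return suspects

if __name__ == "__main__":
    for client, reason in find_suspects(SAMPLE_LOG).items():
        print(client, reason)
```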

Trend Micro and Sendspace Efforts:

Trend Micro contacted sendspace upon discovering the attack and assisted them by sharing our findings so that they could deploy proper mitigation measures.

At the time the attack was reported, sendspace discovered and removed more than 75,000 uploaded malicious archives from their server. Based on the upload logs, the first archive was uploaded on December 25, 2011, which may indicate the start of the malicious campaign.

As a result of our collaboration with sendspace, they are currently monitoring their servers through an automated job that blocks archives uploaded by the sendspace Trojan every few minutes. This effectively removes innocent users’ stolen documents from their server, therefore preventing the perpetrators behind this attack from retrieving stolen data.

Some popular Trojans:

  • Netbus (by Carl-Fredrik Neikter)
  • Subseven (by Mobman)
  • Y3K Remote Administration Tool (by Konstantinos & Evangelos Tselentis)
  • Back Orifice (Sir Dystic)

-Hidden malicious programs have multiple purposes-
