Variants versus Persistent Campaigns

Filed Under: Malware

It was not too long ago that each unique variant of a threat would be assigned a variant letter (-A, -B, -C etc) and a description. Recent times are a whole lot different. Certain families (and I can think of several notorious ones) contain so many variants that assigning variant letters is practically impossible, and even if it were done, useless. In this post, I look at a snapshot of one such family Mal/Cimuz - a family of Win32 trojans whose chief payload is the stealing of banking credentials.

A new web attack was noticed recently with various sites compromised creating drive-by sites to hit victims. The purpose of the attack was the installation of Cimuz. Let's start from the bottom up, Cimuz itself.

It would be fair to say we have seen a huge number of Cimuz variants over the past 6 months. Thankfully, the publication of a number of generic detections (1,2,3) have resulted in these all being proactively detected. Aside from protecting customers, this also enables us to track the threat over time. The graph below shows the number of unique samples, proactively detected, received each day over the past 6 months. The numbers are huge, with several hundred unique binaries being received on several days. For all you variant letter fans we would be well past Cimuz-NTP by now!

2007 Statistics for Mal/Cimuz variants

Without wanting to read too much into the numbers (there are some caveats with the raw data), there are several conclusions we can draw:

  • the whole Cimuz campaign is aggressive, coordinated and persistent
  • we have received samples in waves, suggestive of waves of attack
  • the bad guys are using automation to churn out huge numbers of 'variants' (some would take issue at the use of the term variant here, but that is an uninteresting digression)
  • generic detection is absolutely required for threats such as this

An installation of Cimuz is typified by symptoms such as:

  • DLL of name IPV6MONL.DLL in %SysDir%
  • this DLL installed as a BHO
  • Registry key set to allow Internet Explorer through the Windows firewall

Once installed, specific behaviour varies through the family, but the payload is stealing credentials related to online banking. For example, many Cimuz variants will monitor the active browser session, and log keystrokes when the user browses a site of interest (banking related).

So how is Cimuz installed? What is the next link up the chain? A large number of the Cimuz variants are installed via a Trojan dropper. This is some utility written for the purposes of dropping and executing a piece of malware. Commonly, the dropper carries the malware in an encrypted form (helping to evade detection). Many droppers attempt to terminate security software prior to dropping and executing the malware. In the case of Cimuz, various droppers have been used. Recent months have seen the use of a dropper we proactively detect as Mal/Binder-C.

Stepping up the chain another level, we come to the wonderful world of downloader Trojans. A plethora of downloaders are encountered every week - they provide a convenient tool for the bad guys to use in the installation of malware. The downloader Trojan family used by Cimuz is another notorious family - Mal/Clagger (1,2,3,4,5,6). This downloader Trojan has continuously evolved over the past few months in attempts to evade detection.

Finally, the first link in the chain concerns the delivery of the Clagger downloader. Many have been spammed out (directly or via links), but more recently we have seen web attacks using drive-by sites to hit unpatched client browsers and silently download/execute Clagger. The most recent attack is using a malicious script (proactively detected as Mal/ObfJS-A). Several sites have been compromised, the most humourous of these being a foot-fetish site!

feet

The lengthy infection mechanisms used by Cimuz to hit victims are not unique - many other families take a similarly aggressive approach. As illustrated in a previous posting, even if not all of the components are proactively detected, so long as several are, users can still be protected *. By tracking such campaigns, and ensuring we maintain detection for the various components involved, the chance of providing protection is significantly increased.

* This is particularly true for the 'utility' Trojans (downloaders, droppers) which can be reconfigured and used in other attacks to download/drop different malware.

You might like

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.