Posts tagged: Backdoor Trojan

Aug 14 2013

Android Malware Exploiting Google Cloud Messaging Service

Google Cloud Messaging Hacking Researchers have discovered a number of malicious Android apps are using Google’s Cloud Messaging (GCM) service and leveraging it as a command and control server to carry out attacks.

A post on Securelist today by Kaspersky Lab’s Roman Unuchek, breaks down five Trojans that have been spotted checking in with GCM after launching.

  • Trojan-SMS.AndroidOS.FakeInst.a
  • Trojan-SMS.AndroidOS.Agent.ao
  • Trojan-SMS.AndroidOS.OpFake.a
  • Backdoor.AndroidOS.Maxit.a
  • Trojan-SMS.AndroidOS.Agent.az

These trojans having a relatively wide range of functions:

— Sending premium text messages to a specified number
— Sending text messages to a specified number on the contact list
— Performing self-updates
— Stealing text messages
— Deleting incoming text messages that meet the criteria set by the C&C
— Theft of contacts
— Replacing the C&C or GCM numbers
— Stopping or restarting its operations
— Generate shortcuts to malicious sites
— Initiate phone calls
— Collect information about the phone and the SIM card & upload on server

Kaspersky Lab detected millions of installers in over 130 countries and Kaspersky Mobile Security (KMS) blocked attempted installations for these Trojans.

No doubt, GCM is a useful service for legitimate software developers. But virus writers are using Google Cloud Messaging as an additional C&C for their Trojans. Furthermore, the execution of commands received from GCM is performed by the GCM system and it is impossible to block them directly on an infected device.

The only way to cut this channel off from virus writers is to block developer accounts with IDs linked to the registration of malicious programs.

Jun 27 2012

The Zemra Bot – New DDoS Attack Pack

Zemra BotA new Distributed Denial of Service (DDoS) crimeware bot known as “Zemra” and detected by Symantec as Backdoor.Zemra. Lately, this threat has been observed performing denial-of-service attacks against organizations with the purpose of extortion. Zemra first appeared on underground forums in May 2012 at a cost of €100.

This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that is has a command-and-control panel hosted on a remote server. This allows it to issue commands to compromised computers and act as the gateway to record the number of infections and bots at the attacker’s disposal.

Similar to other crimeware kits, the functionality of Zemra is extensive:

  • 256-bit DES encryption/decryption for communication between server and client
  • DDoS attacks
  • Device monitoring
  • Download and execution of binary files
  • Installation and persistence in checking to ensure infection
  • Propagation through USB
  • Self update
  • Self uninstall
  • System information collection

However, the main functionality is the ability to perform a DDoS attack on a remote target computer of the user’s choosing.

Initially, when a computer becomes infected, Backdoor.Zemra dials home through HTTP (port 80) and performs a POST request sending hardware ID, current user agent, privilege indication (administrator or not), and the version of the OS. This POST request gets parsed by gate.php, which splits out the information and stores it in an SQL database. It then keeps track of which compromised computers are online and ready to receive commands.

Inspection of the leaked code allowed us to identify two types of DDoS attacks that have been implemented into this bot:

  • HTTP flood
  • SYN flood

Symantec added detection for this threat under the name Backdoor.Zemra, which became active on June 25, 2012. To reduce the possibility of being infected by this Trojan, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed.

Oct 28 2011

Tsunami – Backdoor Trojan for Mac OS X Discovered

OSX/Tsunami.A, an IRC controlled backdoor Trojan for Mac OS X, has been discovered that enables the infected machine to become a bot for Distributed Denial of Service (DDoS) attacks.

The analyzed sample contains a hardcoded list of IRC servers and channel that it attempts to connect to. This client then listens and interprets commands from the channel. The list of accepted commands can be seen in the following comment block from the C source code of the Linux variant.

Linux Tsunami

In addition to enabling DDoS attacks, the backdoor can enable a remote user to download files, such as additional malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the ability to essentially take control of the affected machine.

In terms of functionality, the Mac variant of the backdoor is similar to its older Linux brother, with only the IRC server, channel and password changed and the greatest difference being that it’s a 64-bit Mach-O binary instead of an ELF binary.

Feb 27 2011

BlackHole RAT Beta – Mac OS X Trojan Horse

BlackHole is a variant of a well-known Remote Access Trojan (RAT) for Windows known as darkComet.
BlackHole RAT Client

“Hello, Im the BlackHole Remote Administration Tool.
I am a Trojan Horse, so i have infected your Mac Computer.
I know, most people think Macs can’t be infected, but look, you ARE Infected!
I have full controll over your Computer and i can do everything I want, and you can do nothing to prevent it.
So, Im a very new Virus, under Development, so there will be much more functions when im finished.
But for now, it’s okay what I can do?”

This message, displayed in the full screen window with the reboot button blocks user’s screen.

As even the malware itself admits, it is not yet finished, but it could be indicative of more underground programmers taking note of Apple’s increasing market share.

Functions :

  • Remote execution of shell commands.
  • Opens URL using victim’s default browser.
  • Sends a message which is displayed on the victims screen.
  • Creates a text file.
  • Perform shutdown, restart and sleep operation.
  • Popping up a fake “Administrator Password” window to phish the target.

Video Demonstration :