SINCE YESTERDAY AFTERNOON FACEBOOK HAS BEEN ANNOUNCING ITS PRAISE .. FOR THE INTERNATIONAL SUCCESS OF THE HELLENIC POLICE AND THE CYBER CRIME DIVISION !!!
The Cyber Crime Division (ΔΗΕ), with the "hacker" police officers led by Manos Sfakianakis, uncovered the two Greek perpetrators who had infected FACEBOOK's worldwide network with viruses.
I'm forwarding you the link!!!
https://www.facebook.com/notes/protect-the-graph/taking-down-the-lecpetex-botnet/1477464749160338
Taking Down the Lecpetex Botnet
The Threat Infrastructure team at Facebook analyzes threat information from all over the web to help keep people on Facebook safe and secure. We build platforms like ThreatData and work closely with our abuse-fighting teams to stay a step ahead of people who try to use Facebook's popularity and reach for bad intentions. Over the last seven months we battled and ultimately helped bring down a little known malware family known as “Lecpetex” that attackers were attempting to spread using Facebook and other online services. We coordinated with several industry partners in disrupting the botnet and proactively escalated the case to law enforcement officials. This post covers the interesting technical elements of the malware and describes our role in taking down the botnet.
Outline
- History and overview
- Mechanics of the Lecpetex botnet
- Facebook helps take down the botnet
- Malware technical details
  a. Delivery techniques (JAR + VBS + Dropbox)
  b. Malware string payload obfuscation (AES128 + SHA1)
  c. C2 methodologies (dedicated C2, Pastebin, disposable email accounts)
History and overview
Late last year, our abuse-fighting teams started to see a distinct new botnet. The attack was given the name “Lecpetex” by our peers at the Microsoft Malware Protection Center. Based on statistics released by the Greek Police, the botnet may have infected as many as 250,000 computers. Those infections enabled the botnet's operators to hijack the infected computers and use them to promote social spam, which impacted close to 50,000 accounts at its peak. As we describe below, several technical features of the malware made it more resilient to technical analysis and disruption efforts. In addition, the Lecpetex authors appeared to have a good understanding of anti-virus evasion, because they made continuous changes to their malware to avoid detection. In total, the botnet operators launched more than 20 distinct waves of spam between December 2013 and June 2014.
Lecpetex worked almost exclusively by using relatively simple social engineering techniques to trick victims into running malicious Java applications and scripts that infected their computers. (For more on the success of social engineering being used to induce people to run malicious code, see our recent post about self-XSS).
On April 30, 2014, we escalated the Lecpetex case to the Cybercrime Subdivision of the Greek Police, and the agency immediately showed strong interest in the case. On July 3 the Greek Police reported that the investigation had progressed to the final stage and that two suspects were placed in custody. According to the Greek Police, the authors were in the process of establishing a Bitcoin “mixing” service to help launder stolen Bitcoins at the time of their arrest. More details about their findings are available here.
The heat map below shows the distribution of Lecpetex victims as of June 10, 2014, with the highest concentration of victims found in the vicinity of Greece. Because Lecpetex spread through friend and contact networks, the distribution of victims tended to concentrate in specific geographies. From our analysis, the most frequently affected countries were Greece, Poland, Norway, India, Portugal, and the United States.
The Greek Police developed the following image to illustrate the botnet's operations as part of a presentation on Lecpetex.
Mechanics of the Lecpetex botnet
To better understand the botnet, here is a bit of additional detail about its capabilities and how the operators used it in an attempt to profit.
Fundamentally, the Lecpetex botnet is a collection of modules installed on a Windows computer that can steal a person's online credentials and use that access to spread through private messages. Along the way, it self-installs updates to try to evade anti-virus products and installs arbitrary executables. Our analysis revealed two distinct malware payloads delivered to infected machines: the DarkComet RAT, and several variations of Litecoin mining software. Ultimately the botnet operators focused on Litecoin mining to monetize their pool of infected systems. We saw reports that the botnet was also seeded using malicious torrent downloads, but did not observe this tactic in our research.
The infection cycle looked like this:
1. Person receives spam message, typically a simple message like “lol” with a zip archive attachment
2. Person opens the attachment and executes the embedded Java archive (executable file)
3. JAR file downloads the Lecpetex main module from a free file sharing service and injects it into Windows Explorer
4. Main module receives instructions from command and control sites, including:
   a. update main module
   b. download, install, and begin Litecoin mining
   c. download and run the Facebook spamming module
   d. download and run arbitrary executable (our analysis observed DarkComet RAT)
5. Facebook spamming module hijacks a person's account by stealing cookies from their browser, using that access to obtain the victim's friend list, and sending private messages to each friend with a zip file containing malware
Over the last seven months we saw the botnet operators experiment with different social engineering tactics, including embedding Java JAR files, using Visual Basic Scripts (VBS), and creating malformed ZIP archives and Microsoft Cabinet files (CAB). The operators put significant effort into evading our attachment scanning services by creating many variations of the malformed zip files that would open properly in Windows, but would cause various scanning techniques to fail. The files used in the spam messages were also refreshed frequently to evade anti-virus vendor detection.
Facebook helps take down the botnet
Once we realized that traditional protections such as anti-virus products would not altogether remediate this threat, we began employing a range of efforts including working with other infrastructure providers and engaging law enforcement. Our team coordinated efforts and used automated tools to extract critical information from the botnet. Ultimately, remediating a threat like Lecpetex requires a combination of technical analysis capabilities, industry collaboration, agility in deploying new countermeasures, and law enforcement cooperation. All of these played an equally important role in our efforts.
Timeline:
- December 2013 - First automated identification of a spike in messages from Greece
- April 10-17, 2014 - Coordinated takedown of technical infrastructure including C2's, distribution accounts, testing accounts, monetization accounts
- April 30, 2014 - Referral to Greek law enforcement
- May 2014 - Authors leave notes for us on command and control pages and in their malware; authors switch to disposable email sites and Pastebin for command and control
- May-June 2014 - Facebook adds targeted backend measures to disrupt botnet operations
- June 2014 - Authors add mass email spreading technique to malware (presumably after spamming via Facebook became more difficult)
- July 3, 2014 - Greek law enforcement arrests people alleged to be primary authors
In May we noticed the command and control servers had started leaving notes for our team such as “Hello people.. :) <!-- Designed by the SkyNet Team --> but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz..” Around the same time we also noticed that encryption keys used in the malware began to use phrases that appeared to be messages such as “pepeishereagain1” and “IdontLikeLecpetexName.” These changes suggested to us that the authors were feeling the impact of our efforts.
Malware technical details
Lecpetex uses several stages and modules to achieve its objectives, including a first stage downloader, main module loader, main module backdoor, updater, Litecoin miner, and Facebook spam module. Some of these modules, such as the Litecoin miner and the DarkComet RAT, used commodity software that can be freely downloaded from the Internet. Other components appear to have been custom written by the botnet operators to achieve anti-virus evasion and implement a custom command and control architecture.
The first stage of the malware consists of either a Java JAR executable or a VBS script that is responsible for downloading the main module loader from free file sharing services. Generally these first stage files use simple obfuscation to hide the URLs and intentions of the downloader. Because many free file sharing sites limit the number of downloads or the bandwidth, the Lecpetex operators would embed a list of 10-20 URLs as download options. The names of these files included 'xml.zip', 'pepsimax.dat', 'd.dat', 'coffebreak.dat', 'main.dat', 'mod.dat', 'module.dat', 'fbsgen.dat', 'pd.dat', 'Documents.zip', and 'folder.zip'. Once the main module loader is downloaded, the first stage attempts to execute the file using a command line 'Runtime.getRuntime().exec("regsvr32 /s C:\\temp\\fbsgen.dat");'. Because the user has downloaded the JAR or VBS file to their local hard drive and executed it, the normal Java sandbox restrictions do not apply. This allows the JAR to read and write local files as well as execute arbitrary commands without using an exploit.
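The hand-off to regsvr32 is the part of this first stage that shows up in process telemetry, so it is a natural place for a detection. The following Go example is added here (it is not the post's code or any vendor's rule) and flags regsvr32 executions that are spawned by a Java or Windows Script Host process, or that register a non-DLL file from a temp directory, over a few constructed process-creation rows. The field names, parent image paths, the second and third rows, and the interpreter list are assumptions; only the first command line and the file names come from the post.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is a minimal process-creation record (the fields a Sysmon Event ID 1
// or EDR telemetry row would give you). Every row below is constructed.
type ProcEvent struct {
	ParentImage string
	Image       string
	CommandLine string
}

// argRe splits a command line into quoted or bare tokens.
var argRe = regexp.MustCompile(`"[^"]*"|\S+`)

// scriptHosts are the interpreters the first stage runs under: the JAR variant
// is launched by Java, the VBS variant by the Windows Script Host (assumption).
var scriptHosts = map[string]bool{"java.exe": true, "javaw.exe": true, "wscript.exe": true, "cscript.exe": true}

// baseName returns the last path component of a Windows or POSIX path.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// regsvr32Target returns the file argument of a regsvr32 command line,
// skipping the image itself and switches such as /s, /u, /n and /i:.
func regsvr32Target(cmd string) string {
	for i, a := range argRe.FindAllString(cmd, -1) {
		a = strings.Trim(a, `"`)
		if i == 0 || strings.HasPrefix(a, "/") || strings.HasPrefix(a, "-") {
			continue
		}
		return a
	}
	return ""
}

// FlagFirstStage models the loader behaviour the post describes: a script host
// spawning regsvr32 /s on a payload that is not a .dll/.ocx and sits under a
// temp directory. It returns a human-readable reason when the event matches.
func FlagFirstStage(e ProcEvent) (string, bool) {
	if !strings.EqualFold(baseName(e.Image), "regsvr32.exe") {
		return "", false
	}
	target := regsvr32Target(e.CommandLine)
	if target == "" {
		return "", false
	}
	lower := strings.ToLower(target)
	ext := ""
	if i := strings.LastIndex(baseName(lower), "."); i >= 0 {
		ext = baseName(lower)[i:]
	}
	fromScriptHost := scriptHosts[strings.ToLower(baseName(e.ParentImage))]
	oddExt := ext != ".dll" && ext != ".ocx"
	inTemp := strings.Contains(lower, `\temp\`) || strings.Contains(lower, `\tmp\`)
	switch {
	case fromScriptHost && (oddExt || inTemp):
		return fmt.Sprintf("regsvr32 spawned by %s loading %s", baseName(e.ParentImage), target), true
	case oddExt && inTemp:
		return fmt.Sprintf("regsvr32 loading non-DLL %s from a temp directory", target), true
	}
	return "", false
}

// SampleEvents are constructed rows; only row 1's command line is from the post.
var SampleEvents = []ProcEvent{
	{ParentImage: `C:\Program Files\Java\jre7\bin\java.exe`, Image: `C:\Windows\System32\regsvr32.exe`, CommandLine: `regsvr32 /s C:\temp\fbsgen.dat`},
	{ParentImage: `C:\Windows\System32\wscript.exe`, Image: `C:\Windows\System32\regsvr32.exe`, CommandLine: `"C:\Windows\System32\regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\mod.dat"`},
	{ParentImage: `C:\Windows\System32\msiexec.exe`, Image: `C:\Windows\System32\regsvr32.exe`, CommandLine: `regsvr32 /s "C:\Program Files\Vendor\component.dll"`},
	{ParentImage: `C:\Windows\explorer.exe`, Image: `C:\Windows\System32\notepad.exe`, CommandLine: `notepad.exe C:\temp\notes.dat`},
}

// FlaggedIndexes runs the rule over a batch of events and returns the indexes
// of the rows that matched.
func FlaggedIndexes(events []ProcEvent) []int {
	var hits []int
	for i, e := range events {
		if _, ok := FlagFirstStage(e); ok {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	for i, e := range SampleEvents {
		reason, ok := FlagFirstStage(e)
		fmt.Printf("row %d: flagged=%v %s\n", i+1, ok, reason)
	}
}
```

Rows 1 and 2 match (script-host parent plus a .dat payload), the installer registering a real DLL in row 3 does not, and row 4 is ignored because it is not regsvr32 at all. The rule is deliberately narrow; a production version would key on the parent's own lineage (browser or mail client) as well.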
The main module loader consists of a Windows Dynamic Link Library (DLL) that is loaded into the Windows Explorer process. The DLL contains several encoded blobs that are encrypted using AES128 and the SHA1 hash algorithm. Since SHA1 does not produce a viable key length for AES128, the password is mixed using the Microsoft Windows API CryptDeriveKey algorithm for AES128/SHA1. What is interesting is that the malware doesn't actually know the correct password to decrypt the strings, so it attempts to decrypt the blob using a hardcoded string combined with a three-digit number. The malware iterates over all possible values until it decrypts to a value that matches a stored SHA1 hash of the decrypted payload. The visible strings in the malware such as ‘IdontLikeLecpetexName’ are the password base strings, and the actual password will be a string such as ‘IdontLikeLecpetexName337’.
Here is a decompiled example of the DLL decrypting the main module:
// allocate the working buffer for the ciphertext
encrypted_exe_blob = calloc(0x26A01Au, 1u);
// copy 0x1B010 = 110,608 bytes of encrypted DLL out of the loader's own image
copy_memory_block((unsigned int)encrypted_exe_blob, 0x10369530, 0x1B010u);
// "thisispepe1" is the password base; the three-digit suffix is brute-forced until the plaintext's SHA1 matches sha1_validation_hash
decrypted_exe = decrypt_with_salt(encrypted_exe_blob, 110608u, &sha1_validation_hash, "thisispepe1", dword_1000BD28, dword_1000BD2C);
One of these encrypted strings is a 110,608-byte Windows DLL that is injected into explorer.exe. This is the main module that will communicate with C2 servers and execute commands. This module contains logic to contact the command and control infrastructure and decrypt any commands. We have observed dedicated hosting providers, Pastebin, and disposable email account providers being abused to host command and control for the botnet. The commands are specially encoded HTML that must contain the string “<!-- Designed by the SkyNet Team -->”. If the page contains this string the malware will search for an embedded image tag containing the encrypted payload beginning with the string “<!-- <img src="AAAAABABgAAAAAAABSAgDEDgAAxA4A AAAAAAAAAAAA”. The malware then decrypts the remainder of the payload using AES128 and a password embedded in the image “alt” attribute, such as “alt="IMAG0034-lll111-gm00078"”.
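As an added example, not from the post, here is Go code that implements the page-format check just described: it accepts a page only if it carries the SkyNet comment and an HTML-commented <img> whose src begins with the quoted prefix, and returns the src blob together with the alt password for the decryption stage that follows. The marker, the prefix (the part of the quoted src before the break in the text) and the alt value come from the post; the sample pages, the exact layout of the commented <img> and the regular expression are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// skynetMarker is the comment the post says every command page must contain.
const skynetMarker = "<!-- Designed by the SkyNet Team -->"

// payloadPrefix is the fixed opening of the encoded src quoted in the post.
const payloadPrefix = "AAAAABABgAAAAAAABSAgDEDgAAxA4A"

// imgCommentRe matches the commented-out <img> that carries the command. The
// attribute order and spacing are assumptions based on the quoted text.
var imgCommentRe = regexp.MustCompile(`(?s)<!--\s*<img\s+src="\s*([^"]*)"\s+alt="([^"]*)"\s*/?>\s*-->`)

// C2Command is what the extractor hands to the decryption stage.
type C2Command struct {
	Payload  string // encrypted, encoded command blob (the src value)
	Password string // AES128 password (the alt value)
}

// ExtractC2Command reports whether page looks like a Lecpetex command page and,
// if so, returns the payload and password. This is the format check a proxy
// filter or analyst script would run before attempting decryption.
func ExtractC2Command(page string) (C2Command, bool) {
	if !strings.Contains(page, skynetMarker) {
		return C2Command{}, false
	}
	for _, m := range imgCommentRe.FindAllStringSubmatch(page, -1) {
		// A paste or mailbox page may wrap the blob; drop whitespace inside it.
		src := strings.Join(strings.Fields(m[1]), "")
		if strings.HasPrefix(src, payloadPrefix) {
			return C2Command{Payload: src, Password: m[2]}, true
		}
	}
	return C2Command{}, false
}

// samplePayload is a constructed blob: the quoted prefix followed by filler.
const samplePayload = payloadPrefix + "AAAAAAAAAAAAQ29uc3RydWN0ZWQ="

// SampleC2Page is a constructed stand-in for a paste or mailbox page carrying a
// command; only the marker, prefix and alt value come from the post. The blob
// is wrapped across two lines to exercise the whitespace handling.
const SampleC2Page = `<html><body>
Hello people.. :) <!-- Designed by the SkyNet Team -->
<!-- <img src="` + payloadPrefix + `
AAAAAAAAAAAAQ29uc3RydWN0ZWQ=" alt="IMAG0034-lll111-gm00078"> -->
</body></html>`

// SampleMarkerOnly has the marker but only an ordinary, uncommented image.
const SampleMarkerOnly = `<!-- Designed by the SkyNet Team --> <img src="logo.png" alt="logo">`

// SampleNoMarker has a commented image with the right prefix but lacks the marker.
const SampleNoMarker = `<!-- <img src="` + samplePayload + `" alt="pw"> -->`

func main() {
	pages := map[string]string{"command": SampleC2Page, "marker-only": SampleMarkerOnly, "no-marker": SampleNoMarker}
	for name, page := range pages {
		cmd, ok := ExtractC2Command(page)
		fmt.Printf("%-12s match=%v payload=%q password=%q\n", name, ok, cmd.Payload, cmd.Password)
	}
}
```

Both conditions have to hold, which is why the marker-only and no-marker pages are rejected; requiring the fixed prefix also keeps a stray commented image on an unrelated page from being treated as a command.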
From our analysis, the supported bot commands are:
- fbspread (spread via Facebook)
- fbusernames (use browser cookies to collect Facebook usernames and passwords)
- ltc (turn Litecoin mining on or off for a group or all)
- hwinfo (collect CPU, RAM, GPU info from each victim)
- payload install (arbitrary executable)
- restart system
- CoreUpdate (update core module)
Early versions of the malware used hardcoded IP addresses and disposable email sites for command and control. One of the unique aspects of the malware is the use of disposable email providers for command and control. They leveraged sites such as dispostable.com that allow anonymous clients to check a mailbox, which in the case of Lecpetex mailboxes would contain bot commands. Later, as our disruption efforts made it harder to use dedicated hosting providers, the operators switched to sites such as pastebin.com to post their commands on public pages hardcoded into the malware.
The known command and control IP addresses used by the botnet include:
- 82.103.136[.]228
- 64.90.187[.]192
- 64.90.187[.]181
- 207.12.89[.]163
- 85.25.19[.]211
Conclusion
Staying ahead of the latest threats is a complex job, and Lecpetex was a particularly persistent malware family. We hope this example will illustrate that cooperation can be helpful and productive in shutting down botnets, particularly when criminals abuse multiple online platforms to achieve their aims. We would like to thank the Head of the Greek Cyber Crime Division and the police officers involved for the professionalism they showed while investigating this malware. As we take down botnets like Lecpetex, we learn more about malware techniques — and we build that knowledge directly into our systems to help make people using our platform even safer and more secure.
If you believe your computer may have been infected by Lecpetex or if you would just like to check, take a look at this page from our Help Center: https://www.facebook.com/help/389666567759871. From there you can scan your computer using one of the free anti-virus scanners provided by our partners to detect and clean Lecpetex.