CryptoLocker, Kegotip, Medfos Malware Triple-Threat
Victims of October’s malware infection campaigns (so far) can expect to receive a triple-cocktail of threats: a particularly cavalier ransomware called CryptoLocker; clickfraud on a massive scale; and (it goes almost without saying) the theft of passwords and other personal data.
Since the beginning of last month (we first saw the malware on September 6th), actively infected PCs have been receiving instructions to download the CryptoLocker ransomware application. Unlike previous ransomware campaigns, which tend to employ social engineering to convince the victim that he or she faces imminent arrest for one of several alleged cybercrimes, CryptoLocker is surprisingly brief and to-the-point with its extortionate demands: The malware simply informs the victim that it has already encrypted most document filetypes on the infected computer.
A stern warning accompanies a 72-hour countdown clock; Deliver $300 (or 2 bitcoins) before the time runs out, or CryptoLocker claims it will delete the decryption key, rendering those files tantalizingly undeleted, but unreadable. It’s another case of give us the money or the data gets it.
Cryptolocker runs itself from a long, random-looking filename in the current user’s Application Data (or AppData, depending on the version of Windows you’re using) folder, and it’s actually quite easy to find, kill, and delete. Just in case your antivirus program deletes the Trojan, CryptoLocker also changes the desktop background to deliver a more sinister message: You won’t be able to decrypt your files without the Trojan, so you really ought to download it again, or the data gets it. That’s a bit like asking a hostage to adjust the gun being held to his head so the barrel is pointed straighter.
One notable new development in ransomware is that the cost of retrieving your data is rising, at least compared to about a year ago, when the criminals only demanded $200. Ah, inflation. Of course, in either case, the problem remains that there’s no guarantee that the payment will even result in your files being decrypted, so we generally advise against paying the extortionists, as success only emboldens them, and funds the creation of newer, more elaborate scams.
If the threat of losing all your most valuable data wasn’t enough to worry about, the same malware campaign is also delivering, as a payload to the initial infection, a clickfraud Trojan called Medfos, which also earns the malware distributors money by simply being allowed to run on unattended computers. Medfos isn’t exactly a new Trojan; It appears to have been around the block a few times, with a lot of writeups dating to early 2012.
The Trojan receives a list of Web sites on which so-called Pay Per Click advertising appears. As it sounds, the advertising agencies pay an affiliate based on the number of real people who click through an advertisement. In rapid succession, Medfos loads those Web pages in “headless” instances of Web browser applications, which lack visible windows, and pretend to “click” an advertisement. A single infected computer running just Medfos by itself can easily overwhelm a typical home broadband connection, maxing out the downstream bandwidth by loading hundreds of ads a minute.
And if that wasn’t bad enough, the bot controller periodically reinstalls Medfos and performs regular checks to make sure it’s still running. If it isn’t, it will try to reinstall it every half hour — that is, if it hasn’t so overwhelmed the network components of the infected system that the system simply bluescreens, which seems to happen a lot.
Medfos is identifiable in an number of ways. It operates by running from two DLLs (also from the Application Data folder), which are visible in the process list. It adds a new browser add-on to Firefox as well (the one we’ve seen used most recently calls itself Addons Engine 3.0.1, a change from last year’s name), but typically will use Internet Explorer for most of the heavy downloading. It also hijacks search engine settings in the browser so that searches you think are being sent to big search engines like Google or Bing instead appear on one of the pages controlled by Medfos’ operators.
Trojan Wants All The Things
By now, it’s become pretty much de rigueur for botmasters to distribute a password stealer of one form or another along with all this other stuff. After all, if you’re a typical cybercriminal, you don’t want to let anything of value potentially slip your grasp. But one of the more intriguing payloads of this nature I’ve seen in the recent campaign appears to crawl the infected computer’s filesystem searching for anything, in any file, that resembles an email address.
The bot then sends a batch of email addresses every 15-30 seconds, in the form of a specially-crafted packet, to a server listening for them on TCP port 20051, for as long as the Trojan continues to find them. The packets are not just identifiable because the bot always performs a TCP PUSH to port 20051, but also because the data portion of the packet always starts with the text string “Asdj” (which, translated to the Base-64 encoding format used by the bot, ends up always looking like the string “QXNka…” in the packets)
The Trojan, which some vendors have named Kegotip, also trolls all the usual locations in the Registry for stored credentials in Internet-enabled applications, like browsers, email apps, or FTP clients. In fact, the first thing it sends back is a decoded list of all the FTP credentials it can find. Over the course of the past two weeks, just two instances of Kegotip despatched over 15MB of stolen email addresses and fake credentials from two infected machines in the lab network to one of two IP addresses, shown below (22.214.171.124 and 126.96.36.199).
Amusingly enough, the copy of Kegotip that infected one of my non-VM testbeds got a lot more than it bargained for when it began scraping email addresses from the hard drive. Stored on a secondary partition of that machine is a huge archive of extracted Web pages that originated from infected hosts and command-and-control servers. Embedded in many of those extracted artifacts, which include a significant amount of other malware files, Kegotip found boatloads of bogus email addresses, as well as the addresses embedded into many, many malicious emails and pages hosting dangerous content.
This is extremely useful information for me to have, so thanks for doing all the heavy lifting for me, Kegotip operator dude.
Hopefully, the operators of this bot will then turn around and begin spamming (or selling to spammers) the addresses they harvested from my 18-month-old archive of thousands of infected Web pages and forged emails and other malware. I like to imagine that they’ll just spam other spammers or criminals to death, but they probably won’t. The address list they culled from this collection is utterly useless. Turnabout is fair play, idiots.