Author Topic: UPDATE (2013-05-14)! Travnet Botnet Steals Huge Amount of Sensitive Data  (Read 7304 times)


Pez

Travnet Botnet Steals Huge Amount of Sensitive Data

In an earlier article, we discussed high-level functioning in the malware Travnet. Since then we have continued to analyze different samples and now classify Travnet as a botnet rather than a Trojan because of the presence of control code, and the malware’s ability to wait for further commands from the malicious control server.

The Travnet bot not only steals sensitive information from a victim’s machine; it also steals document files. Generally speaking, we store most of our sensitive information in Office files, PDFs, etc. Using data compression and data-encoding methods allows Travnet to steal huge amounts of data, including large files.

The bot at first gathers sensitive information about the victim’s machine. It then searches for document files (doc, docx, xls, xlsx, txt, rtf, pdf). Here is a snippet of code:



The preceding code includes computer name, IP address, username, operating system, list of running processes, IP config details, and information about different accounts present on the system. The malware creates the file system_t.dll to store this information in plain text. It also creates the file travelbackinfo-(SystemTime).dll, which will be used in an HTTP GET request.

The data stored in the file can be huge, depending upon running processes and IP config details. The bot will use data compression and encoding methods to send the sensitive data to a remote server. The packet capture looks like this:



The bot sends the stolen data with the parameter “&filetext,” which starts with “begin::.” But the compressed file can be too big to send over the HTTP, so the bot sends the compressed file in chunks of 1,024 bytes. To track this, it uses the parameter “&filestart.” The bot appends the string “::end” to signal the end of the file.

Data compression and encoding techniques

The bot processes the original data in two passes:

• In the first pass, it uses a data compression method similar to LZSS (Lempel–Ziv–Storer–Szymanski) to compress the original data

• In the second pass, it encodes the compressed data using custom Base64


First pass data compression

The bot’s data compression maintains a dictionary (a sliding window) of previously seen data that is similar to data compression with LZSS.

The bot uses a similar method to maintain a large sliding window size (to achieve a high compression ratio) but outputs variable-length “Length-Offset” pairs (the number of bits required to represent the number). We have not yet seen any references or implementation that outputs variable lengths and variable offsets, so for now we will call this method a variant of the LZSS data compression algorithm.

The bot starts compression by reading original data in chunks of 65,536 bytes (so it has to maintain sliding windows of this size). The final output of compression will be in chunks following this format:

Original Length (2 bytes) + Compressed Length (2 bytes) + Compressed Data

This method achieves a high compression ratio and reduces the size of the original data, allowing the bot to upload large files on the remote server. The decompression process is very easy to write because it does not need to search for the longest match but needs only to take care of variable-length values.

Second pass custom Base64 encoding

The Travnet bot uses custom Base64 encoding to encode the compressed binary data. The key and character set used in standard Base64 is “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/” with “=” used for padding; the key used by the bot is “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/” with “*” used for padding.

We wrote a small tool to decompress the data stolen by Travnet.



As we look at the output, we see the size of the decompressed file (the original data) is much higher than that of the compressed file. Let’s now look at the decompressed data:



The preceding is the original data stolen from the victim’s machine. Interestingly, the unreadable characters in the decompressed file are in Chinese. While writing the sensitive information in a DLL file, the bot writes some hardcoded strings that are in Chinese. If we convert those strings to English, here is how the file looks:



Stealing files

The bot doesn’t stop; it steals more data. Next we see the functions called by the bot:



The bot will send the following:

• A file containing lists of all filenames on the system drives

• All files that have doc, docx, xls, xlsx, txt, rtf, and pdf extensions

• All files from the victim’s desktop

Once it sends all the files to the remote server, the bot will go into sleep mode and wait for further commands.

Server commands

• UNINSTALL

• UPDATE

• RESET

• UPLOAD

Next we see a command from the server telling the bot to upload more data:



Although the botnet uses a simple mechanism to infect and steal information, a few elements make a Travnet botnet unique:

• Using lossless data compression to steal large data files

• Stealing document files with extensions doc, docx, xls, xlsx, txt, rtf, and pdf

• Stealing all files on the system drives

These unique features and the presence of Chinese strings lead us to conclude that the Travnet botnet may be a targeted attack for stealing sensitive data. We suspect the attackers are using the initial data (computer information, IPs) to steal sensitive data from a particular group or identity. We also believe that the data uploaded to malicious servers is actively monitored by the attackers. We have found new domains registered to carry out the attack. We believe that huge amounts of data have been stolen from victims whose machines were infected with Travnet.

I would like to thank my colleagues Vikas Taneja, Anil Aphale, Arunpreet Singh, and Subrat Sarkar for their research and assistance.


Original article: Tuesday, April 23, 2013 at 5:25pm by Umesh Wanve
Samker's Computer Forum - SCforum.info
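The upload framing described in the post above (custom Base64 alphabet, `begin::`/`::end` markers, `&filestart`-ordered pieces, and the per-chunk `original length + compressed length + data` layout) as a reassembly and parsing script. This is an added example, not the McAfee tool or the bot's code; it assumes `filestart` is the byte offset of each piece and that the 16-bit lengths are little-endian, and the sample requests are constructed.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse

# The bot swaps "+" for "-" and "=" for "*" (an alphabet that survives URL query
# parsing, where "+" would decode to a space); translate back to standard Base64.
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
BOT_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/*"
BOT_TO_STD = bytes.maketrans(BOT_ALPHABET, STD_ALPHABET)
STD_TO_BOT = bytes.maketrans(STD_ALPHABET, BOT_ALPHABET)

def decode_travnet_b64(data: bytes) -> bytes:
    return base64.b64decode(data.translate(BOT_TO_STD), validate=True)

def reassemble_upload(request_paths):
    """Join the &filetext pieces of one upload in &filestart order, check the
    begin::/::end markers and decode. Assumption: filestart is the piece's byte offset."""
    pieces = {}
    for path in request_paths:
        qs = parse_qs(urlparse(path).query)
        pieces[int(qs["filestart"][0])] = qs["filetext"][0]
    text = "".join(pieces[off] for off in sorted(pieces))
    if not (text.startswith("begin::") and text.endswith("::end")):
        raise ValueError("upload incomplete: framing markers missing")
    return decode_travnet_b64(text[len("begin::"):-len("::end")].encode())

def split_chunks(blob: bytes):
    """Walk the 'original length (2) + compressed length (2) + data' chunk sequence.
    Assumption: the 16-bit lengths are little-endian (not stated in the write-up)."""
    chunks, pos = [], 0
    while pos < len(blob):
        orig_len, comp_len = struct.unpack_from("<HH", blob, pos)
        data = blob[pos + 4:pos + 4 + comp_len]
        if len(data) != comp_len:
            raise ValueError("truncated chunk")
        chunks.append((orig_len, data))  # data is still LZSS-variant compressed
        pos += 4 + comp_len
    return chunks

# Constructed sample: two chunks, framed and split into 8-byte pieces sent out of
# order (the real bot uses 1,024-byte pieces).
SAMPLE_BLOB = (struct.pack("<HH", 12, 5) + b"\x01\x02\x03\x04\x05"
               + struct.pack("<HH", 3, 2) + b"\xaa\xbb")
_framed = "begin::" + base64.b64encode(SAMPLE_BLOB).translate(STD_TO_BOT).decode() + "::end"
SAMPLE_REQUESTS = [f"/upload.asp?filestart={i}&filetext={_framed[i:i + 8]}"
                   for i in range(0, len(_framed), 8)][::-1]

if __name__ == "__main__":
    for orig_len, data in split_chunks(reassemble_upload(SAMPLE_REQUESTS)):
        print(f"chunk: {orig_len} bytes original, {len(data)} bytes compressed")
```

Feed it the query strings of the captured GET requests for one upload; an upload whose pieces were not all captured fails the marker check instead of yielding garbage.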


Pez

Travnet Botnet Controls Victims With Remote Admin Tool

The malicious binary behind the Travnet botnet has been updated. The new code has a new compression algorithm, steals the list of running processes, adds new file extensions to its list of files to steal, and has improved its control commands. Also, after the malware has uploaded the stolen files on its remote server, the bot installs the malicious PCRat remote administration tool (RAT), which can take full control of the victim’s machine. The control server and the list of file extensions are hard coded in the binary with a simple XOR key. Here is a look at the hard-coded XOR and decoded strings:




The bot steals files with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .rtf, .pdf, .dwg, .cdw, and .cdr as well as source code files such as “.c” from the victim’s machine. The three new file extensions:

• .dwg = used by CAD applications

• .cdw = used by CAD applications

• .cdr = used by CorelDraw applications

The bot copies the main binary into the %TEMP% folder with the name cmss.exe, creates the startup link seruvice.lnk, and creates the mutex Assassin. The old Travnet bot used to initially steal a lot of information about a victim’s machine, but the new binary collects only the list of running processes on the system. Here is a snippet of code from the new binary:



The bot creates process.dll in the %TEMP% folder and writes all running processes in it. The malware then compresses the file data using an algorithm similar to LZSS. The bot generates its own format with the magic string “Begin” and appends the compressed data to it. This formatted data is encoded with a custom Base64 algorithm before being sent over the wire.



New Algorithm

In my earlier blog (see above), I wrote about the old Travnet bot’s use of a variant of LZSS compression with a sliding window of 65KB. The output of the compression was straightforward, reading bits from the start to the end of the full stream. The new binary modifies this algorithm, using 1,024 bytes in a sliding window and requires a fixed 10 bits to store the offset. The algorithm outputs 9 bits for a single byte (1 bit for the flag and 9 bits for literal) and 11 bits for flag and offset. The length of the match is written in a special way. To make standard decompression difficult, the bot writes the output byte in a different way by writing MSB bits into LSB bits in the output. This means you can’t treat the first bit of the whole stream as a flag bit. The compression algorithm needs to maintain the previously written bits count to avoid losing all bits. Here is a look at the pseudo code for the new algorithm:



The compressed data is appended to a 15-byte custom header:



The structure of the custom format:

• 2 bytes = compressed length

• 2 bytes = compressed length

• 5 bytes = string “Begin”

• 1 byte = space

• 4 bytes = random number

• 1 byte = space

• … compressed data

The preceding data is encoded with a similar custom Base64 algorithm as used previously. This data is first sent over the network to the remote server in an HTTP GET request format. The malicious control server replies with further commands. Decompressing the data using a new tool:



The decompressed text now looks like this:



At this point, the attacker knows which processes are running on the victim’s machine. The control server instructs the bot to upload important files. The bot scans all the drives for these files and creates index.ini, which contains the newly generated name and path of filenames:



Thus the malware steals all of the important files from the victim’s machine. The new binary has only two commands, namely uninstall and upload.

PCRat

Once the victim’s data has been uploaded, the control server instructs the bot to download and install the remote admin program PCRat, a malicious tool written in Chinese. I found a copy of the PCRat builder that supports English:



Once installed, PCRat connects to different remote control servers on higher ports and sends information about the machine in encrypted format. Here is the packet capture:



PCRat first sends an HTTP GET request followed by encrypted data:



The structure of the PCRat encrypted data:

• 5 bytes = magic string “PCRat”

• 4 bytes = whole packet length

• 4 bytes = compressed length of data

• … Zlib compressed data

PCRat sends some information about the system. The decompressed data:



PCRat has many commands to control the victim’s machine:



The MD5 hashes:

• Updated Binary: 8D78A9E3DF1E19F9520F2BBB5F04CB54

• PCRat Binary: DA0C19DB8215D8CBF3D0FBA4A1A00183

With the help of PCRat, the Travnet botnet takes full control of a victim’s machine. The attackers behind Travnet are very active. Not only have they updated the main binary, but they are also randomly generating the .asp files that control the bot from their control servers. We have also seen that the attackers are actively restoring previous domains that were down and .asp files so that they can continue to collect data from previously infected machines.


Original article: Monday, May 13, 2013 at 11:53pm by Umesh Wanve
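Parsers for the two framing formats laid out in the post above: the updated bot's 15-byte `Begin` header and the PCRat check-in packet (`PCRat` magic, whole-packet length, compressed length, zlib data). Added example, not the article's tool or either malware's code; the multi-byte fields are assumed little-endian, and the sample buffers are constructed rather than captured.

```python
import struct
import zlib

def parse_travnet_v2(blob: bytes) -> dict:
    """Parse the updated bot's upload: 2B length, 2B length, "Begin", space,
    4B random, space, then compressed data. Assumption: fields are little-endian."""
    if len(blob) < 15:
        raise ValueError("too short for a Travnet header")
    len_a, len_b, magic, sp1, rnd, sp2 = struct.unpack_from("<HH5sc4sc", blob)
    if magic != b"Begin" or sp1 != b" " or sp2 != b" ":
        raise ValueError("magic/separators do not match the Travnet format")
    payload = blob[15:]
    if len_a != len(payload):
        raise ValueError(f"length field {len_a} disagrees with payload {len(payload)}")
    # The write-up lists both 2-byte fields as "compressed length"; the second is passed through.
    return {"compressed_len": len_a, "length_field_2": len_b, "random": rnd, "payload": payload}

def parse_pcrat(pkt: bytes) -> bytes:
    """Parse one PCRat packet: "PCRat", 4B whole-packet length, 4B compressed
    length, zlib-compressed data. Returns the decompressed system information."""
    if len(pkt) < 13 or pkt[:5] != b"PCRat":
        raise ValueError("not a PCRat packet")
    total_len, comp_len = struct.unpack_from("<II", pkt, 5)
    if total_len != len(pkt) or comp_len != len(pkt) - 13:
        raise ValueError("length fields do not match packet size")
    return zlib.decompress(pkt[13:])

def build_pcrat(info: bytes) -> bytes:
    """Build a well-formed packet from constructed info (used only to make samples)."""
    body = zlib.compress(info)
    return b"PCRat" + struct.pack("<II", 13 + len(body), len(body)) + body

# Constructed samples, not captured traffic.
SAMPLE_V2 = struct.pack("<HH", 3, 3) + b"Begin 4711 " + b"\x01\x02\x03"
SAMPLE_PCRAT = build_pcrat(b"host=WKS-01;os=Windows XP;user=victim")

if __name__ == "__main__":
    print(parse_travnet_v2(SAMPLE_V2))
    print(parse_pcrat(SAMPLE_PCRAT))
```

A packet whose length fields disagree with its size (truncated capture or padding) is rejected before zlib sees it, which keeps a network decoder from being tripped up by partial segments.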

devnullius

Travnet Botnet Controls Victims With Remote Admin Tool

The malicious binary behind the Travnet botnet has been updated. The new code has a new compression algorithm, steals the list of running processes, adds new file extensions to its list of files to steal, and has improved its control commands. Also, after the malware has uploaded the stolen files on its remote server, the bot installs the malicious PCRat remote administration tool (RAT), which can take full control of the victim’s machine. The control server and the list of file extensions are hard coded in the binary with a simple XOR key.

Nice! Where to buy?  :angel:

Karma!

Devvie
