4 May, 2017

Propagation Of The 5-Year-Old Bot

Learn how a 5-year-old bot propagates and infects websites, and how Quttera can help you detect and remove such threats from your website.
We have encountered a 5-year-old malware while cleaning up one of our customer's websites. The malware used a drive-by download method to infect the users.
What is Drive-by Download?
The drive-by download is an attack vector wherein the users are downloading the payload without their knowledge or consent. It usually happens during the visit to an infected site, reviewing an email or by just clicking a popup advertisement.
What does the payload do?
The malware payload varies from time to time, depending on the attacker’s goal. Usually, the GOTO application of this type of infection is Bots. Once the system is infected, hackers can take control of the compromised computers to use them for the illegal purposes, - e.g. advertisement (ads click fraud), user data encryption (ransomware) to later demand a ransom, etc…
Dissecting the Malware
The site contains a regular code, but when you scroll it down after the HTML tag, you will notice that the site has been hijacked.
The “4D5A” letters on the screenshot could be easily identified as a PE (Portable Executable) File by a Malware Analyst. If you convert it from ASCII to HEX it will look like this:
After the conversion, the file will display the strings “.UPX0”, this only means that the file is still packed but can still be executed, we unpacked it nevertheless so that we can check for strings on file.
After unpacking, we were not able to see any unique identifiers for the file aside from the API's that the file used. A quick search on the VirusTotal and shows malicious tagging from different security vendors.
A couple of clicks from the VirusTotal indicates that the file is nearly five (5) years old already but still circulating in the wild.
We were able to execute the malware in a controlled environment to check if the servers are still active and below you can see that they are.
The image above shows that the server is still responding to the request being made by the malware.

The file uses the user’s default browser to connect to the server via PORT 80. As of now, the server is only acknowledging the requests being made by the clients usually to tell the server that 'I am infected and ready to be at your disposal.'
Here at Quttera, we were able to block the websites involved in the Bot propagation to help our customers and to protect their machines from possible infection.
Is your website flagged for malware, blocked by the search engines or disabled by the host?
Our experts are here to clean up any malware from your sites and remove false-positives, blacklisting and other kinds of alerts by any security vendor and search engines. Just select appropriate ThreatSign! Anti-Malware plan and get back online.

For other issues and help: Quttera help-desk