Thursday, May 08, 2008

A Chinese DIY Multi-Feature Malware

What is the current state of the Chinese IT Underground? Are its participants copycats who just localize successful malware kits, and port open source malware to web applications in between adding more features within? For the past several years, and more recently with the anti CNN attacking campaigns courtesy of Chinese hacktivists and the average Internet users, the Chinese IT Underground has demonstrated its self-mobilization capabilities and mindset, which when combined with basic principles of unrestricted warfare has the potential to outpace any other country's current cyber warfare capabilities - like it is for the time being from a realistic perspective.

In people's information warfare self-mobilization happens consciously, and the anti CNN campaigns perfectly demonstrate this, with an emphasis on how even the non-technical, but Internet bandwidth empowered Chinese user can consciously become a part of a PuppetNet. And while it may also seem logical that the attacking crowds would already be using a well known set of DoS tools, the most recent case demonstrates their capabilities to code and release such DoS tools on demand. For instance, excluding a popular in China DIY malware with custom DDoS capabilities, the rest of the tools were released for this particular campaign.

Furthermore, in between the average password stealers, and DIY malware droppers, there are releases going beyond the average tools, which demonstrate a certain degree of creativity - like this one.

Key features :
- the GUI C&C's objective is to make it easier to control a large number of infected hosts with an interesting option to measure the bandwidth in order to properly allocate it for DDoS attacks
- has a built-in dropping capability for backdooring the already infected hosts through a web shell
- has a built-in dropping capability of several exploits onto the infected hosts in order to use the infected hosts as infection vectors, a malicious infrastructure on demand
- intranet and Internet port scanning

Scanners result : 13/31 (41.94%)
Trojan.Flystudio.AI
File size: 660659 bytes
MD5...: d3bfb06d992b1274a69a479348f39c60
SHA1..: bc474a8bea0b4a2a4ad446abf6e3b978e1fa79c8

Using a DIY malware kit as a dropper of exploits onto infected hosts, who would later on be used as infection vectors to increase the botnet's population is a new approach applied by the Chinese underground. In comparrison, following an underground's lifecycle, the Chinese one is still more features-centered compared to the Russian one for instance, where once features become a commodity, more emphasis is put into quality assurance and extending the lifecycle of the malware by ensuring it remains undetected for as long as possible - the product concept vs the rootkit stage.

No comments:

Post a Comment