Operation High Roller Revisited

In June 2012, McAfee® Labs and Guardian Analytics released research on Operation High Roller that scratched the surface of a complex web of automated fraudulent transactions. In a follow-on study released today, we dig into and map out the details on the origins and actors. Placing the data in context shows how mature and creative these fraudsters have been and provides a baseline for researchers and security professionals on what to expect in the future.

Global Footprint

The June report found evidence of millions of attempted transactions leveraging Zeus and SpyEye malware against financial institutions in the United States and the Netherlands. This new study documents the origin of these campaigns at a hosting provider in Kemerovo, Russia, with heavy connections to Albania and China. A key finding in our new research was that malicious infrastructure was reused in independent attacks. Both the starting point in Russia and a hosting provider in San Jose, California, have been involved in other Zeus botnet activity. Tracking these malicious activities can provide useful indications, “telltales,” of future events.

Beta Testing

Our data shows that, prior to conceiving Operation High Roller, the fraudsters actively participated in early automated transfer system attacks against consumers and some business accounts, and actively used Zeus and SpyEye in these attacks. These initial efforts were likely their test ground for gaining knowledge of financial systems and their various fraud prevention practices. After this initial experimentation, the groups evolved to more sophisticated techniques. Many of them actively used automated transfer system code against numerous European banks in late 2011, followed by the Winter and Spring 2012 attacks we documented in our first Operation High Roller report.

Next stop: ACH

Financial institutions, regulators, and security researchers should expect the likely next target to be Automated Clearing House payment channels. The fraudsters will build on the methods, malware, and infrastructure employed in Operation High Roller, laced with new ideas and locations to be discovered. We should be looking for any signs of “test cases” against these systems and tracking interactions to uncover malicious sites and infrastructure.

Feds Cite ‘State Secrets’ in Dragnet Surveillance Case — Again

The National Security Agency/Central Security Service (NSA/CSS) building in Fort Meade, Md. Photo: Charles Dharapak/AP

The Obama administration is again arguing that a lawsuit accusing the National Security Agency of vacuuming up Americans’ electronic communications without warrants threatens national security and would expose state secrets if litigated.

“This case may be dismissed on the ground that its very subject matter constitutes a state secret,” the government said (.pdf) in a legal filing in San Francisco federal court.

Brought by the Electronic Frontier Foundation, the case is now four years old and its merits have never been litigated. The civil rights group claims that the major telecoms provided the NSA a warrantless backdoor to the nation’s communication backbone.

For regular Threat Level readers, the allegations should sound familiar. Despite the government’s protestations that talking about the program would expose national secrets, the program is well-known, well-documented, and as of 2008, partially legalized by a compliant Congress.

Just two weeks ago, the Supreme Court terminated the EFF’s case against the telcos for their participation in the program. The justices declined to review 2008 congressional legislation giving the telcos immunity from being sued for their participation. Congress adopted the law after a federal judge rejected the government’s state-secrets claim.

When Congress passed the law, the EFF targeted the government instead, accusing it of running a massive dragnet spy operation without warrants. The allegations are based in part on a former AT&T technician named Mark Klein, who produced internal company documents suggesting that the NSA was surveilling internet backbone traffic from a secret room at an AT&T switching center in San Francisco, and similar facilities around the country.

A federal judge dismissed the case, ruling that it amounted to a “general grievance” from the public and not an actionable claim. But a federal appeals court reversed that decision and sent it down to a new trial judge.

“The speculation and hearsay plaintiffs cite is little more than allegations that would be subject to exacting adversarial proceedings in order to adduce actual proof as to what may be true, partly true, or entirely false. And it is this very process that will inherently risk or require the disclosure of highly sensitive intelligence sources and methods,” the government said Friday while invoking the state secrets privilege.

Usually, when the privilege is asserted, the courts defer to the executive branch and dismiss cases — without even checking the evidence themselves.

One of the few times that did not happen was in 2008, when U.S. District Judge Vaughn Walker of San Francisco kept the EFF’s case alive against the telcos. Walker ultimately dismissed it after Congress passed legislation prohibiting the suit.

The Details of the Rabasheeta Dropper

Last week we reported on a particular piece of malware—detected as Backdoor.Rabasheeta—that is making a stir in the Japanese media. There are hundreds, if not thousands, of back door malware programs, but in the last week Japanese media and social networks have been full of discussions about this particular one. Symantec has discovered the dropper.


Figure 1. Dropper and its contents


A dropper is a Trojan horse that installs a payload onto the compromised computer. The dropper for Backdoor.Rabasheeta drops a main module and a configuration file. The dropper creates a registry entry so that the main module is executed whenever the compromised computer starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"iesys" = "%UserProfile%\Local Settings\Application Data\Microsoft\iesys\iesys.exe"

This dropper also sets the CreationTime, LastWriteTime, and LastAccessTime of the main module to random values to help keep it hidden. The dropper then executes the main module before removing itself from the computer.
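The two behaviours just described, a Run-key entry pointing into a user-writable directory and randomised file timestamps, are both cheap to check for from the defender's side. The script below is an added example, not Symantec's code or part of the original write-up: it parses a constructed `reg.exe` export of the HKCU Run key (the sample text is made up for this illustration; only the "iesys" value mirrors the registry entry quoted above) and flags entries launched from locations an unprivileged user can write to, then runs a plausibility check over a constructed set of MAC times of the kind a randomising dropper would leave behind.

```python
import re
from datetime import datetime

# Constructed sample: a HKCU Run key as exported by reg.exe. Only the "iesys"
# value reproduces the entry quoted in the text; the other two are invented.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"iesys"="%UserProfile%\\Local Settings\\Application Data\\Microsoft\\iesys\\iesys.exe"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"
'''

# Substrings (lower-cased) that indicate a user-writable location. An autorun
# launched from one of these is a triage lead, not proof of infection.
USER_WRITABLE_MARKERS = (
    "local settings\\application data",
    "\\appdata\\",
    "\\temp\\",
    "%userprofile%",
    "%appdata%",
    "%localappdata%",
    "%temp%",
)

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape_reg(s: str) -> str:
    """Undo .reg escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text: str):
    """Return (key, value_name, command) for every string value under a *\\Run key."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key and current_key.lower().endswith("\\run"):
            entries.append((current_key, unescape_reg(m.group("name")),
                            unescape_reg(m.group("data"))))
    return entries


def image_path(command: str) -> str:
    """Extract the executable path from a Run-key command line."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx >= 0 else command.split(" ")[0]


def suspicious_run_entries(reg_text: str):
    """Return (value_name, lower-cased path) for autoruns in user-writable dirs."""
    flagged = []
    for _key, name, command in parse_run_entries(reg_text):
        path = image_path(command).lower()
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            flagged.append((name, path))
    return flagged


def timestamp_anomalies(created, modified, accessed, now):
    """Return reasons why a (created, modified, accessed) triple looks tampered."""
    reasons = []
    if modified < created:
        reasons.append("modified before created")
    if accessed < created:
        reasons.append("accessed before created")
    if any(t > now for t in (created, modified, accessed)):
        reasons.append("timestamp in the future")
    return reasons


# Constructed MAC times for a dropped module, as a randomising dropper might
# leave them, evaluated against a fixed "now" so the result is reproducible.
SAMPLE_MAC_TIMES = (datetime(2012, 10, 20, 3, 14, 7),   # created
                    datetime(2012, 9, 3, 11, 59, 59),    # modified
                    datetime(2013, 1, 1, 0, 0, 0))       # accessed
SAMPLE_NOW = datetime(2012, 10, 22, 9, 0, 0)


def check_sample_module_times():
    return timestamp_anomalies(*SAMPLE_MAC_TIMES, SAMPLE_NOW)


if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"autorun from user-writable location: {name} -> {path}")
    for reason in check_sample_module_times():
        print(f"timestamp anomaly on dropped module: {reason}")
```

On a live host the same checks would run over `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output and the MAC times of each flagged image; random timestamps are only detectable when they produce impossible orderings or future dates, so a timestomp that keeps the values plausible will pass this check and needs corroboration from other sources such as the USN journal or the creation time of the containing directory.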

Graphical user interface

These preceding activities are common for malware. However, there is something that makes this malware stand out from the crowd: both the main module and the dropper have a graphical user interface (GUI). The following figure shows the GUI that is included with this dropper:

Figure 2. Dropper GUI


This GUI is hidden from the user of the compromised computer. However, the dropper contains a flag called testMode, and if this flag is on, the GUI is displayed. The malware author enables the GUI for debugging purposes: it lets the malware be installed and uninstalled with the click of a button, so tests can be repeated quickly.

Version numbers

In our previous blog, we showed three variants of the main module, each with version numbers. The following table shows the version numbers with creation dates including the dropper:


The time zone is Japan Standard Time (JST) and depends on the author’s computer time setting. Note that the computer time can easily be modified.

This table shows that the author updated the malware periodically over a one-month period. Based on the version numbers we have obtained, it is likely that other variants of this malware exist.

The dropper we examined contains version 2.35 of the main module. Based on the creation dates, this dropper was made 22 days after the module version it contains. We do not know why the author stopped updating the main module in this time period. However, there may be other droppers containing different versions of the main module.

Protect yourself

The structure and functions of Backdoor.Rabasheeta are not advanced compared to modern malware. However, it is still capable of surreptitiously opening a back door on a compromised computer.

To protect against this type of threat, users should use caution when downloading software from unknown sources. Do not click on suspicious links or attachments in emails. Symantec also advises users to ensure their operating system and software are up to date. We detect both the dropper and the main module as Backdoor.Rabasheeta.