How the feds put a bullet in a “bulletproof” Web host

Being an online criminal isn't always easy. For one thing, there's all that tedious administrative overhead of deploying command and control servers, finding proxies to mask them, and shifting IP addresses to stay off of private security blacklists. Today's savvy cyber criminal, therefore, often outsources the work to so-called "bulletproof" hosting operations, which rent servers to criminals and take care of all the dirty details needed to keep them online. That was the approach taken by the Russian creator of malware known as Gozi—malicious password-stealing software which the US government today called "one of the most financially destructive computer viruses in history"—to store his stolen data. But as the malware man found out, bulletproof hosts can be taken down with enough effort. Even when they're based in Romania.

Gozi was coded back in 2005 and deployed in 2007. Back then, it largely targeted Europeans. When installed on a computer, the virus waited until the user visited an online banking site and then grabbed account names and passwords—anything that might be needed for a criminal to transfer money out of the user's account. This information was then sent silently to the Gozi command and control servers, from which it was harvested on a regular basis.

By 2010, the malware innovated in two important ways. First, it had gained the capability to do sophisticated Web injection. When an infected computer was pointed at a banking website, the virus wouldn't simply steal account login information; it could be configured to inject additional data requests right into the bank's webpage. This made it almost impossible to tell the requests were not being made by the bank itself. In this way, the malware could be tweaked to ask for Social Security numbers, driver's license information, a mother's maiden name, PIN codes—anything a client wanted.


MDK: The Largest Mobile Botnet in China

In February 2012, we blogged about Android.Bmaster (a.k.a. Rootstrap), which infected hundreds of thousands of devices. At that time, it was the largest mobile botnet documented to date. Recently, the Bmaster botnet has been overtaken by the newly uncovered MDK botnet. Dubbed Android.Troj.mdk, the botnet is believed by Kingsoft to be hidden in more than 7,000 apps and to have infected up to one million devices.

Symantec’s analysis suggests the MDK Trojan is a new variant of Android.Backscript. Our detection for this threat family has been in place since September 2012. The code of MDK is very similar to that of Android.Backscript, and both use the same certificate to sign APKs. However, unlike previous versions, this new variant uses the Advanced Encryption Standard (AES) algorithm to encrypt data, such as servers and commands, in a file.

Figure 1. The same certificate used by MDK and Android.Backscript


Figure 2. File containing encrypted Servers and commands


Once installed, the Trojan enables the attacker to remotely control users’ devices, consequently allowing the attacker to harvest user data, download additional APKs, and generate nuisance adware. The following server is used to download scripts and additional APKs:

The Trojan has been repackaged into legitimate apps, including popular games such as Temple Run and Fishing Joy, to lull users into installing the malware. The Trojan also uses dynamic loading, data encryption, and code obfuscation to evade detection.

Figure 3. Trojanized Temple Run, malicious service “m” started to decrypt data


Symantec detects this MDK botnet as Android.Backscript. Our detection has caught more than 11,000 malicious apps. The infections appear to be confined to China as the Trojanized apps are mostly found on Chinese third-party markets.

Android users can stay safe by only downloading apps from well-known and trusted app vendors, and by installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on the device. For general smartphone and tablet safety tips, please visit our Mobile Security website.

Trojan.Pandex – A New Spam Affair

Contributor: Lionel Payet

Last week we saw how W32.Waledac was getting cozy with W32.Virut, but let us not forget about other spam botnets, like Trojan.Pandex (a.k.a. Cutwail), as they also persist in their propagation affairs.

The people behind W32.Cridex have used many attack vectors to spread the malware, including taking advantage of exploit kits like Blackhole, or attempting to deceive users with crafted PDF documents. This month they have managed to compose a more elaborate attack.

The attackers have managed to host a malicious HTML file at a legitimate web site, which has been compromised. This file would then redirect the user to a Blackhole exploit kit, which would deliver W32.Cridex to the compromised computer. But how did they attempt to deceive the user? By renting a botnet.

The Pandex botnet, also known as Cutwail and Pushdo, is not a new threat: it has been in the wild for more than six years and is responsible for roughly 18 percent of the spam emails detected by Symantec per day, worldwide. It not only sends spam; it can also collect email addresses from compromised computers, which can then be used in future campaigns. Symantec has several detections for the threat:

Using our telemetry systems, we can estimate the following distribution of the threat:

Figure 1. Heatmap illustrating the distribution of the Trojan.Pandex spam

W32.Cridex attack vector

The following image illustrates how W32.Cridex may arrive on a compromised computer.

Figure 2. W32.Cridex attack steps

Computers that were infected with Trojan.Pandex sent emails like the following:

Figure 3. Sample Trojan.Pandex email

If the user follows the link, a malicious HTML file hosted at is then accessed, which would redirect the user to the following malicious URL:


The domain resolves to the following locations:

  • 212.112.[REMOVED] (Germany)
  • 89.111.[REMOVED] (Russian Federation)
  • 91.224.[REMOVED] (Lithuania)

Symantec has a number of IPS detections for the BlackHole v2 exploit kit, and our telemetry data indicates that we have detected the following signatures from the malicious URL:

  • Web Attack: Blackhole Exploit Kit Website 8
  • Web Attack: Blackhole Exploit Kit
  • Web Attack: Blackhole Functions
  • Web Attack: Blackhole Toolkit Website 20
  • Web Attack: Blackhole Toolkit Website 31

The following heatmap illustrates the distribution for the above detections:

Figure 4. Heatmap distribution for IPS detections associated with Blackhole exploit kit

If the Blackhole exploit is successful, W32.Cridex is then downloaded onto the compromised computer. Symantec has the following detections in place:

The worm then communicates with its command-and-control (C&C) servers, enabling the C&C servers to download, upload, and execute files on the compromised computer, potentially exposing the user to even more malware.

At the time of analysis, the C&C servers being used included:


After our analysis, we can confirm the findings of our colleagues from Dynamoo, and that the compromised server has been notified and the malicious file has been removed.

We advise users to ensure operating systems and software are up to date and to avoid clicking on suspicious links while browsing the Internet or checking email.

Botnet Control Servers Span the Globe

McAfee Labs has long monitored botnet activities and their control servers as they plague the Internet. With millions of McAfee endpoints and network security appliances sending information to McAfee Global Threat Intelligence (GTI) in the cloud, coupled with a vast collection of malicious binaries and proactive research, McAfee Labs has a clear view of botnet threats around the world.

Here’s an image of the global distribution of active botnet control servers:


Topping the list of countries hosting active control servers is the United States.

Here’s the list of top 10 countries hosting active command servers:

  1. United States – 631
  2. British Virgin Islands – 237
  3. Netherlands – 154
  4. Russia – 125
  5. Germany – 95
  6. Korea – 81
  7. Switzerland – 77
  8. Australia – 63
  9. China – 48
  10. Canada – 38