Since the beginning of 2013 we have been tracking an interesting family of Trojans, Win32/Redyms. This threat is notable for substituting the results of queries to popular search engines. We found it to be
most prevalent in the United States and Canada. These are the countries in which the cybercrime market pays the highest prices for redirecting (clicking) a user from a popular search engine to a malicious or advertising resource.
Our lead analyst Alexander Matrosov performed an in-depth analysis of Win32/Redyms. It revealed similarities between this malicious code and another program, Win32/Agent.TJO, which is also known as part of the Olmarik/TDL4 family. Win32/Agent.TJO is a user-mode Trojan based on the clicker mechanism of one of the TDL4 components. TDL4, Win32/Agent.TJO and Win32/Redyms all use similar mechanisms for controlling the network traffic sent by the browser. To control that traffic, the bot hooks several functions exported by the Microsoft Winsock service provider library (mswsock.dll):
Fig. Hooked functions of the mswsock.dll library.
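The hooks described above overwrite the prologues of exported functions such as WSPSend inside the browser process. The following is an added example, not code from the original post or from ESET, of the check an incident responder can run to spot such a hook: compare the first bytes of an export as mapped in the process with the clean copy on disk, and recognise the common detour stubs. The image base, image size, export address, injected-stub address and both byte strings are constructed for the example.

```python
# Added example (not code from the original post or from ESET): a heuristic
# check for inline hooks on Winsock SPI exports such as WSPSend in mswsock.dll.
# On a live system the two byte strings would come from (a) the export as mapped
# in the browser process and (b) the clean copy of mswsock.dll on disk; here
# both are constructed, and the image base, size and export address are assumed.
import struct

MSWSOCK_BASE = 0x71A00000             # assumed image base of mswsock.dll
MSWSOCK_SIZE = 0x3F000                # assumed image size
WSPSEND_ADDR = MSWSOCK_BASE + 0x7B20  # assumed address of WSPSend

# Constructed clean prologue: mov edi,edi / push ebp / mov ebp,esp / sub esp,1Ch
CLEAN_WSPSEND = bytes.fromhex("8BFF558BEC83EC1C")


def jmp_rel32(from_addr, to_addr):
    """Encode the 5-byte E9 detour a hooking engine writes over a prologue."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


# Constructed hooked prologue: the first five bytes replaced by a JMP into a
# region outside the module (an injected code buffer at an assumed address).
INJECTED_STUB = 0x00A51000
HOOKED_WSPSEND = jmp_rel32(WSPSEND_ADDR, INJECTED_STUB) + CLEAN_WSPSEND[5:]


def classify_prologue(code, addr):
    """Recognise common x86 detour stubs at the start of a function mapped at
    `addr`. Returns (kind, target) or None if no stub is present. For the
    JMP [abs32] form `target` is the pointer cell, not the final destination."""
    if len(code) >= 5 and code[0] == 0xE9:                          # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF)
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                  # JMP [abs32]
        return ("jmp [abs32]", struct.unpack_from("<I", code, 2)[0])
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:      # PUSH imm32 / RET
        return ("push/ret", struct.unpack_from("<I", code, 1)[0])
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # MOV EAX,imm32 / JMP EAX
        return ("mov eax/jmp eax", struct.unpack_from("<I", code, 1)[0])
    return None


def check_export(name, addr, disk_bytes, mem_bytes, mod_base, mod_size):
    """Compare an export's prologue as mapped in a process with the clean
    on-disk bytes and classify any detour. A detour whose target lies outside
    the module's own image is the strongest signal of a foreign hook."""
    n = min(len(disk_bytes), len(mem_bytes))
    result = {"export": name, "modified": disk_bytes[:n] != mem_bytes[:n],
              "detour": None, "target": None, "target_in_module": None}
    stub = classify_prologue(mem_bytes, addr)
    if stub is not None:
        kind, target = stub
        result["detour"] = kind
        result["target"] = target
        result["target_in_module"] = mod_base <= target < mod_base + mod_size
    return result


def scan_constructed():
    """Run the check over the constructed hooked and clean exports."""
    hooked = check_export("WSPSend", WSPSEND_ADDR, CLEAN_WSPSEND, HOOKED_WSPSEND,
                          MSWSOCK_BASE, MSWSOCK_SIZE)
    clean = check_export("WSPRecv", WSPSEND_ADDR + 0x300, CLEAN_WSPSEND, CLEAN_WSPSEND,
                         MSWSOCK_BASE, MSWSOCK_SIZE)
    return [hooked, clean]


if __name__ == "__main__":
    for r in scan_constructed():
        print(r)
```

On a real system the on-disk bytes must be taken after applying relocations, and a detour whose target stays inside mswsock.dll is usually a legitimate hot-patch rather than malware; the combination of a modified prologue and a target outside the image is what warrants dumping the injected region.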
All three families use the same function-hooking methods, and all of them encrypt their communication with the C&C server using the RC4 algorithm.
The graph of the function responsible for communicating with the C&C server looks like this:

Fig. Call graph of the C&C communication function.
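Once the RC4 key has been pulled from a sample, decoding the captured C&C traffic needs nothing more than a plain RC4 routine. The block below is an added example, not code from the original post or from the malware: it implements RC4 and shows a second point the paragraph does not spell out, namely that a fixed key with no per-message IV means every message shares one keystream, so XORing two captured ciphertexts cancels the keystream. The key and both beacon messages are constructed, not the real Redyms key or protocol.

```python
# Added example (not from the original post): a plain RC4 implementation of the
# kind an analyst writes to decode the bot's C&C traffic once the key has been
# pulled from the sample. The key and the two "beacon" messages below are
# constructed; they are not the real Redyms key or protocol.

def rc4_ksa(key):
    """Key-scheduling algorithm: permute 0..255 under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4(key, data):
    """Encrypt or decrypt (RC4 is symmetric): XOR data with the PRGA keystream."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed data: a key recovered from the sample and two beacons captured
# on the wire, both encrypted under that key with no per-message IV or nonce.
SAMPLE_KEY = b"c0nstructed-key"
BEACON_1 = b"id=1234&ver=3&q=cheap+flights"
BEACON_2 = b"id=1234&ver=3&q=used+cars+usa"


def decrypt_capture(key, blobs):
    """Decrypt every captured blob with the recovered key."""
    return [rc4(key, blob) for blob in blobs]


def keystream_reuse_leak(c1, c2):
    """With a fixed key and no IV every message shares the same keystream, so
    XORing two ciphertexts cancels it and yields the XOR of the plaintexts.
    This is why a static RC4 key gives an analyst a foothold even before the
    key itself is recovered."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    c1, c2 = rc4(SAMPLE_KEY, BEACON_1), rc4(SAMPLE_KEY, BEACON_2)
    print(decrypt_capture(SAMPLE_KEY, [c1, c2]))
    print(keystream_reuse_leak(c1, c2) == xor_bytes(BEACON_1, BEACON_2))
```

The known-answer pair Key="Key", Plaintext="Plaintext" (ciphertext BBF316E8D940AF0AD3) is a convenient sanity check that the routine matches standard RC4 before it is pointed at real captures.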
Another interesting feature of Win32/Redyms is its Domain Generation Algorithm (DGA), which selects the C&C servers to contact. The algorithm is based on simple permutations of the alphabet and similar transformations driven by a fixed initial constant. The figures below show the algorithm reconstructed in Python, alongside the decompiled code.

Fig. DGA function reconstructed in Python.

Fig. Decompiled DGA function.

Fig. List of the malware's C&C servers.
The first domain names in the list shown above were registered between mid-December 2012 and early January 2013, which indirectly indicates that Win32/Redyms has been distributed since late December 2012.
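The reconstructed Redyms DGA exists here only as a figure, so the block below is an added illustration of the class of algorithm the text describes (a fixed seed constant driving permutations of the alphabet), together with the way an analyst puts a reconstruction to use: generate the candidate domains and intersect them with domains seen in DNS logs or registrar data. It is not the Redyms algorithm and not code from the original post; the seed constant, the LCG mixing step, the domain length and the TLD list are assumed values.

```python
# Added example (not the reconstructed Redyms algorithm, which the post shows
# only as a figure): an illustrative DGA of the kind described above, where a
# fixed seed constant drives permutations of the alphabet. The seed, the
# domain length and the TLD list are assumed values, chosen for the example.
import re
import string

SEED = 0x4C2A3F1D                 # hypothetical seed constant
ALPHABET = string.ascii_lowercase
DOMAIN_RE = re.compile(r"^[a-z]{8}\.(com|net|org)$")


def lcg(state):
    """Small linear congruential step; stands in for whatever mixing the real
    algorithm applies to its constant."""
    return (state * 1103515245 + 12345) & 0x7FFFFFFF


def permute_alphabet(seed):
    """Derive a substitution alphabet from the seed (Fisher-Yates shuffle)."""
    chars = list(ALPHABET)
    state = seed
    for i in range(len(chars) - 1, 0, -1):
        state = lcg(state)
        j = state % (i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def generate(seed, count, length=8, tlds=("com", "net", "org")):
    """Produce `count` candidate C&C domains. Each domain is built from the
    permuted alphabet, which is rotated by one position per domain so that
    consecutive names differ even for the same character index."""
    perm = permute_alphabet(seed)
    state = seed
    domains = []
    for n in range(count):
        name = []
        for _ in range(length):
            state = lcg(state)
            name.append(perm[(state >> 16) % len(perm)])
        perm = perm[1:] + perm[0]
        domains.append("".join(name) + "." + tlds[n % len(tlds)])
    return domains


def match_observed(candidates, observed):
    """Intersect generated candidates with domains seen in DNS logs or
    registrar data; hits confirm the reconstruction and give blocklist input."""
    return sorted(set(candidates) & set(observed))


if __name__ == "__main__":
    cands = generate(SEED, 10)
    print("\n".join(cands))
    print(match_observed(cands, [cands[3], "example.com"]))
```

Because the output depends only on the constant, a reconstruction like this lets a defender register or sinkhole domains ahead of the bot, which is also why registration dates of the generated names (as in the figure above) are a useful dating signal for a campaign.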
Win32/Redyms injects its malicious code into all running processes. If the injected code detects that it is running inside a browser, it creates a dedicated thread in that process and hooks functions from the mswsock.dll library.

Fig. Fragment of Win32/Redyms code that creates a dedicated thread in the browser process.
The injected code intercepts the network activity of the browser process it runs in and looks for the search engines from the list shown in the figure below.

Fig. List of search engines that the malicious code monitors.
If it detects search-engine activity, every search query is forwarded to the C&C server, and the URLs returned for that query are replaced with those received from the C&C. The URL-checking code lives in the WSPSend() hook and keeps its data in AVL trees; to manage them the malicious code uses the RTL_GENERIC_TABLE structure and the Rtl*GenericTable routines from ntdll.dll. TDL4 uses the same approach in its user-mode component cmd.dll.
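To make the decision path of that WSPSend() hook concrete, the block below is an added model, not the bot's own code: it parses an outgoing HTTP request buffer, checks the Host header against a search-engine list, extracts the query, and consults a result-URL substitution table. The engine list and query-parameter names are assumed (the figure above holds the real list), the request buffers and the substitution entries are constructed, and a dict stands in for the bot's RTL_GENERIC_TABLE.

```python
# Added example (not the bot's own code): a model of the decision path in the
# WSPSend() hook described above. It parses an outgoing HTTP request buffer,
# checks the Host header against a search-engine list and extracts the query,
# then consults a result-URL substitution table. The engine list and query
# parameter names are assumed (the post's figure holds the real list), the
# requests are constructed, and a dict stands in for the bot's AVL table.
from urllib.parse import parse_qs, urlsplit

SEARCH_ENGINES = {            # host -> name of the query parameter (assumed)
    "www.google.com": "q",
    "www.bing.com": "q",
    "search.yahoo.com": "p",
}

# Constructed substitution table: a genuine result URL -> URL supplied by C&C.
SUBSTITUTIONS = {
    "http://example.org/flights": "http://redirect.example.invalid/ad?id=7",
}


def parse_http_request(buf):
    """Split a raw request buffer into (method, target, headers). Returns None
    for anything that is not a well-formed HTTP request line plus headers."""
    head, sep, _ = buf.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers


def classify_search(buf):
    """Return {'engine', 'query'} if `buf` is a search query to a listed
    engine, else None (the hook passes such traffic through untouched)."""
    parsed = parse_http_request(buf)
    if parsed is None:
        return None
    method, target, headers = parsed
    host = headers.get("host", "").split(":")[0].lower()
    param = SEARCH_ENGINES.get(host)
    if method != "GET" or param is None:
        return None
    query = parse_qs(urlsplit(target).query).get(param)
    if not query:
        return None
    return {"engine": host, "query": query[0]}


def substitute_result(url):
    """Look up a result link in the substitution table; unknown links are
    returned unchanged."""
    return SUBSTITUTIONS.get(url, url)


# Constructed request buffers.
SEARCH_REQ = (b"GET /search?q=cheap+flights&hl=en HTTP/1.1\r\n"
              b"Host: www.google.com\r\nUser-Agent: test\r\n\r\n")
OTHER_REQ = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Content-Length: 0\r\n\r\n")
NOHOST_REQ = b"GET /search?q=x HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for req in (SEARCH_REQ, OTHER_REQ, NOHOST_REQ):
        print(classify_search(req))
    print(substitute_result("http://example.org/flights"))
```

Seen from the network side, this is also the detection angle: a host whose search queries are followed by an extra outbound request carrying the same query string to an unrelated server, and whose clicked result links land on domains that never appeared in the engine's response, is showing exactly the pattern this hook produces.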