Dorifel, Pobelka and a Chinese connection

February 1, 2013

It has been a while since we wrote our last blog. Sorry for this but we were busy with a lot of projects. Two noteworthy projects were the release of our unique solution against ransomware (e.g. FBI Reveton and BKA/GVU trojans) and of course the disclosure of the Pobelka Citadel botnet that haunted 150.000 Dutch (mostly government and business) computers for 8 months last year. The latter hasn’t been discussed much internationally because we released our extensive research in the Dutch language only (which is available here). Regarding this research, we reveal some additional but striking insights now the entire world is talking about Chinese hackers attacking media networks of the New York Times, Wall Street Journal and Bloomberg.

Perhaps you still remember September last year, when cybercriminals were able to launch attacks on Dutch computers by using a compromised marketing server used by ‘De Telegraaf’, a widely read newspaper and the #11 website in The Netherlands. This was the umptiest Dutch incident, after others like NU.nl, weeronline.nl, and of course the Dorifel outbreak which brought operations of many Dutch municipalities, government and large multinational companies to a standstill (for days).

Pobelka botcount

Illustration 1: Bots connecting with Pobelka command and control server

Of course we were curious why the Dutch were hit again and at that time decided to find out what was behind these incidents and if there was a common denominator.

We began investigating the malware dropper used in the Telegraaf incident and discovered (thanks to our HitmanPro cloud data) that it was spreading 4 different malware families during this particular incident: FakeAV, ZeroAccess, Medfos (we omitted Medfos in our earlier blog on the incident) and of course the Pobelka Citadel malware.

Domains
In this investigation we noticed an interesting fact: the Citadel server used in the Telegraaf incident was registered with the EXACT same credentials as a domain used by the gang responsible for spreading the Dorifel trojan. So they are somehow related or perhaps even the same criminals:

pobelka.com

Illustration 2: Pobelka.com domain used by the Citadel server

ipo90.com domain used by Dorifel.3

Illustration 3: ipo90.com domain used by Dorifel-3 to distribute ransomware, that hit mostly non-Dutch systems

Even though we believe that eastern European criminals are behind the attack operations, you obviously have noticed the Chinese registration of the domains as well…

Responsible Disclosure
Remembering their investigative work on the Citadel server responsible for spreading Dorifel, we asked Dutch forensic firm Digital Investigation to work with us and to investigate our early research data. It didn’t took them long to bypass the different proxies that were hiding the server from plain view. In cooperation with law enforcement they seized this Citadel command and control server and discovered over 750 Gigabytes of sensitive information, which included login credentials (passwords), client certificates (remember DigiNotar) and even detailed overviews of internal networks that weren’t directly connected to the internet.

Citadel looking for other systems

Illustration 4: Citadel searching for information about other systems

So all this data was gathered and stolen by the Pobelka Citadel malware from inside Dutch government networks, hospitals, aviation industry and even networks controlling critical infrastructure, including industrial control systems (ICS). We did responsible disclosure e.g. by giving government time to handle the situation internally and by not revealing names of the many, many affected institutions, companies and public authorities. But because government officials did not deem the findings interesting enough to call for a nationwide check (many roaming business and home computers were affected as well), our extensive research didn’t even reach national news, let alone internationally.

Advanced Persistent Threat
It’s also worth noting that the Citadel malware (which is based on source code of the notorious Zeus banking trojan) is not considered to be an advanced persistent threat (APT), even though it also manages to stay under the radar for months (like the malware used in the New York Times breach). Last year we devoted a blog post on the prevalence of banking trojans (like Citadel) which revealed that this type of malware stays undetected for 25 days, on average, on computers actively protected by up-to-date antivirus software: Antivirus shortens the lifetime of financial malware

In our Dutch research paper on the Pobelka botnet we also explain how the Citadel malware easily bypasses these renowned antivirus programs and why it remains undetected for such a long time. And the Pobelka botnet, which was specifically setup to target Dutch and German computers, was not the only botnet operational in The Netherlands last year. We estimate that hundreds of similar (and larger) botnets are still operational right now, not only in The Netherlands. If you think the country of the Dutch is small, insignificant and seemingly unexciting, consider the operations going on in bigger countries, like France, Germany or the United States.

Check Now
If you are Dutch or German and you want to know if your company, network or sensitive data was compromised by the Pobelka botnet, simply go to this website by Digital Investigation to find out:

http://check.botnet.nu

There you can also download HitmanPro, our free second opinion anti-malware, which uses behavioral analysis instead of virus signatures to hunt down zero-day threats, including all variants of malware based on Zeus, like Citadel.

Read here for our blog posting regarding the Dorifel outbreak and our role in rescuing hundreds of millions of documents on government networks and multinationals.

Update: Kaspersky posted an article about McAfee’s research on the Citadel trojan in Europe, spying on government and business computers: Citadel Trojan: It’s Not Just Banking Fraud Anymore


The Dorifel outbreak was only a symptom. But what is the real problem?

August 10, 2012

Earlier this week, government, public sector and networks of private companies were hit hard by a new wave of crypto malware named Trojan-Dropper.Win32.Dorifel. Computers were shut down and the old-fashioned type writers that were gathering dust in the basement reappeared in the work place. For a moment I even thought this was funny.

The Dorifel Trojan scans network shares, local drives and USB connected drives for executables and Microsoft Office (Word and Excel) documents. Documents and programs were replaced with a new executable file that has the .scr file extension. Currently, most affected users will not notice anything since the ‘documents’ open as usual. It looks like the malware is currently only interested in propagating itself to as many machines as possible. But it is not unlikely that the attackers will later start blocking the ‘documents’ and requesting a ransom fee for unblocking them.

This is bad news for the organizations that were hit. But what’s even worse is that the Trojan entered the networks through a variant of the Zeus/Zbot banking Trojan called Citadel. This means that this Trojan was already present on one or more computers inside the network for days, may-be weeks. In other words: the malware could already be snooping all electronic communication inside the organization, including stealing passwords of critical infrastructure, copying confidential documents, social security numbers, passport details, etc. without anyone (or anything) noticing (!)

Not being able to use your computer for a while, while system administrators are shutting them down, cleaning them and bringing them back into the network is very inconvenient. But it is even more worrysome that computers and networks have been infected for a much longer period without anyone noticing.


HitmanPro against police themed Ransomware

April 12, 2012

Recently we’ve seen a rise in the number of computers infected with police themed Ransomware. The malware shows a message, supposedly from the local police, demanding that a fine must be paid in order to unlock the computer.

Various sources promote the use of a rescue-CD to get rid of the malware. But if you don’t want to perform this cumbersome task of burning the CD-image and changing your BIOS settings to boot from it, you can also run HitmanPro from a USB stick to remove the Ransomware.

We’ve made the following short video to illustrate how easy it is to remove the police themed Ransomware with HitmanPro.

The video shows the use of HitmanPro’s unique Force Breach feature (introduced in March 2010) that kills all non-essential processes, including the malware processes that try to prevent HitmanPro from starting.


Follow

Get every new post delivered to your Inbox.

Join 34 other followers