A Short Study on Malware Download Sites

Some malwares have evolved from strictly being either a file infector, worm, backdoor, or Trojan to something like a cross-breed of each. For example, we have PE_LOOKED, which is a file-infector, that propagates to shared folders (worm attribute), and downloads variants of TSPY_LINEAGE/TSPY_WOW(CRAFT)/TSPY_AGENT (Trojan attribute). Following PE_LOOKED’s behaviour, we can formulate the theory that the ultimate goal of PE_LOOKED is not to propagate itself, but act as the propagation vector of TSPY_LINEAGE/TSPY_WOW(CRAFT)/TSPY_AGENT.


However, other malwares took a different evolution route. Instead of becoming the do-it-all type of malware like PE_LOOKED, some malwares developed into specialized components. Take for example the TROJ_AGENT family of malwares. These malwares are custom Trojan downloaders that acts as specialized download components that can be used as a seeding component to download other malwares into the infected system.


Though both evolutionary approach may differ, what remains common between them is the use of multiple component malwares. The infected system is not only infected by PE_LOOKED or TROJ_AGENT, but by the other malware(s) they were able to download.


This type of infection makes manual cleaning tideous and automated cleaning complicated. To make matters worse, the downloaded files may vary. So, for as long as the root downloader is present, AV solutions play catch-up clean-up to the other malwares constantly added by the root downloader.


Now, you may be asking, how frequent is the file to be downloaded changed? Often.


For two weeks running, TMIRT has been monitoring certain malware download URLs from PE_LOOKED, TROJ_AGENT, PE_VBAC, TROJ_DLOADER, TROJ_LINKOPTIM, and WORM_SOHANAD. The variants of these malwares were carefully chosen based on infection reports from the regions they infect. Below are the data of the two week observation we made …


WEEK 1:


TROJ_AGENT.API



  • http://[blocked].debelizombi.com/pl.php – WORM_SPYBOT.MO

PE_LOOKED.FT-O



  • http://60.190.222.233/[blocked]/maaa1.exe – TSPY_LINEAGE.BGT
  • http://60.190.222.233/[blocked]/maaa3.exe – TROJ_AGENT.FKA
  • http://60.190.222.233/[blocked]/maaa1.exe – TSPY_LINEAGE.CCP

WORM_SOHANAD.C



  • http: //66.98.138.31/[blocked]/giaitri/tm.exe

TROJ_LINKOPTIM



  • http:// 81.177.3.[blocked]/images/image.gif – TROJ_ABWIZ
  • http:// 81.177.3.[blocked]/images/image.gif – TROJ_AGENT.FKK
  • http:// 81.177.3.[blocked]/images/image.gif – TROJ_AGENT.FKM
  • http:// 81.177.3.[blocked]/images/image.gif – TROJ_AGENT.FKL
  • http:// 81.177.3.[blocked]/images/image.gif – TROJ_ABWIZ.BV
  • http:// 81.177.3.[blocked]/images/image.gif – TROJ_ABWIZ.BS
  • http:// 81.177.3.[blocked]/images/image.gif – TROJ_ABWIZ.BR

TROJ_DLOADER.DST



  • 81.95.146.[blocked]winudu.exe- TROJ_AGENT.FJY

TROJ_GALAPOPE.BR/BQ



  • http:// megacount.[blocked]/proxy.jpg – TROJ_TIBS.LF
  • http:// megacount.[blocked]/tool.jpg – TROJ_TIBS.LF
  • http:// megacount.[blocked]/tibs.jpg – TROJ_TIBS.LF
  • http:// megacount.[blocked]/winlogon.jpg – TROJ_TIBS.LF
  • http:// megacount.[blocked]/search.jpg – TROJ_TIBS.LF

For the first week of monitoring, TROJ_LINKOPTIM and TROJ_GALAPOPE related download sites were frequently updated to a rate of almost 1 update per day.


WEEK 2:


TROJ_AGENT.API



  • [blocked].debelizombi.com/pl.php – WORM_SPYBOT.MS, WORM_SPYBOT.PA, WORM_SPYBOT.FT, WORM_RBOT.LQ, WORM_SPYBOT.RJ, WORM_SPYBOT.MO, WORM_SPYBOT.PY, WORM_SPYBOT.PX, WORM_SPYBOT.PW, WORM_SPYBOT.PZ, WORM_SPYBOT.PS

PE_LOOKED.FT-O



  • 60.190.222.233/[blocked]/maaa1.exe – TSPY_LINEAGE.DAV, TSPY_AGENT.FNS
  • 60.190.222.233/[blocked]/maaa2.exe – TSPY_AGENT.FNT

The most notable difference between week 1 and week 2 is the number of updated sites. Most of the download URLs are now down or is not updating. This is in stark contrast with the data from the first week, specially with TROJ_LINKOPTIM, where the rate of update dropped from 1 update per day to none for the whole week.


Also, the TROJ_AGENT.API download URL entered overdrive mode on its file download update. In a span of 1 week, we monitored at least 11 unique updates for the file to be downloaded. It is also worthy to mention that the downloaded files are BOT variants, this will mean that every infection of TROJ_AGENT.API will produce a different accompanying BOT, depending on the date of TROJ_AGENT.API infection!


Digesting the data we gathered from only two weeks of monitoring helped us to realize a lot of things about the current malware landscape and the advantages and limitations of current solutions. Blocking of malware related sites definitely prevent further infection, but having a stronger generic detection is also needed.


Having a clearer vision on how malwares operate will definitely help Trend Micro to formulate better solutions and come up with better products that will protect our customers from malwares as complicated as the ones we’re seeing now.


As malwares evolve, so does Trend Micro!

No related posts.