The Andromeda botnet – first spotted in late 2011 – has recently resurfaced. This threat arrives via a familiar means: spammed messages with malicious attachments or links to compromised websites hosting Blackhole Exploit Kit (BHEK) code. Here is one spam message we saw recently:
Figure 1. Sample spammed message
Andromeda itself is highly modular, and can incorporate various modules, such as:
- Keyloggers
- Form grabbers
- SOCKS4 proxy module
- Rootkits
As is typical of backdoors, it can download and execute other files like ZeuS, as well as update and remove itself if needed. Typically, variants of the Andromeda malware can be bought online for 300-500 US dollars. However, each of the plugins mentioned above costs an extra sum of money. The most recent version number we have identified is version 2.60. The top affected countries of this threat are Australia, Turkey, and Germany based on our Smart Protection Network feedback below:
Figure 2. Andromeda infection count from January- February 25 2013
One unusual aspect worth mentioning here is how ANDROMEDA spreads via removable drives. Instead of simply dropping copies of itself, it drops component files instead, making detection and analysis more difficult. The latest variant we spotted, which Trend Micro detects as BKDR_ANDROM.DA has the capability to open and listen to TCP Port 8000 and launch Command Shell (cmd.exe). Once a remote system is connected, it can already use all the command capability of the Command Shell rendering the system vulnerable to other malware. It also uses the following native APIs to inject to the normal processes, a technique also seen in DUQU and KULUOZ:
- ZwCreateSection
- ZwMapViewOfSection
- ZwResumeThread
- ZwUnmapViewOfSection
This can make analysis difficult and consequently, malware removal from the infected system.The ultimate payload of Andromeda depends entirely on the commands given from the command-and-control (C&C) server it connects to. This means that a wide variety of threats can be seen on affected systems. In addition, the malware itself is being continuously updated.
In our 2013 security predictions, we mentioned that we’re going to see more refinements in the tools or malware that attackers use. The perpetrators behind Andromeda have improved the malware’s propagation routines to proliferate itself by dropping several component files, one of which creates the registry key containing an encrypted .DLL file for its propagation.
To some degree, these threats can be evaded by not opening links or attachments in suspicious emails, although with well-crafted emails this can be difficult. Trend Micro products already detect and remove this particular threat from user systems.
Leave a reply
