Trojan Abuses Sendspace: A Closer Look

10 Feb 2012

We recently discovered a Trojan that harvested documents on affected systems and uploaded them to the file hosting site, sendspace.com. This post will discuss more of our findings on the said attack.

In order to infect users, emails disguised as shipment notifications from FedEx were mass-mailed to the targeted victims.

This email contains a downloader Trojan which installs the “sendspace Trojan.” This downloader also installs other malicious executables on affected systems including FAKEAV variants from the BestAV affiliate network and FakeHDD variants from the Yamba network. These were observed to be downloaded from compromised, legitimate websites.

Furthermore, this downloader Trojan also shares the same C&C with the sendspace Trojan. This strongly suggests that the document-stealing sendspace Trojan is pushed by cybercriminals who are also involved in the Pay-Per-Sell (PPS) underground business.

Command and Control Server

After the malware uploads a .ZIP archive containing the victim’s documents to sendspace, it sends the sendspace download link along with a unique ID, the password for the .ZIP archive and the victim’s IP address to the command and control (C&C) server.

As of this writing, we have seen at least three C&C servers used by the malware: {BLOCKED}28889.ru, {BLOCKED}8483825.ru, and {BLOCKED}372721.ru. These three domains point to the IP addresses 31.184.237.143 and 31.184.237.142. These IPs, along with a number of IPs in the same range, have records of hosting malicious files since July 2011. These malicious files included variants of bots such as BFBot (Palevo), NgrBot, and IRCBot.

Digging deeper into the directory structure of the C&C server shows an “open directory” that contains a log file that records this information.

There are two log files that contain the same data: log.txt and serialse.txt. The only difference is that serialse.txt is formatted for automated, programmatic parsing (it appears to be in JSON format). The contents of the log file contain the following information about the victims and the uploaded data:

We processed the log file and found that there have been 18,644 unique victims (based on a victim ID assigned by the malware) with 21,929 unique IP addresses (spanning over 150 countries) and 19,695 unique sendspace URLs generated.
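The kind of processing described above, as an added example that is not part of the original post: it parses a constructed C&C log in a one-JSON-object-per-line shape (the field names id, ip, url and pwd are assumptions; the post only says each beacon carries a unique ID, the victim IP, the ZIP password and the sendspace link), derives the three headline counts, and builds the de-duplicated URL list a responder would hand to the hosting provider for removal.

```python
import json

# Constructed sample log. IPs are RFC 5737 documentation addresses and the URLs are
# placeholders; the per-line JSON layout and field names are assumptions, not the
# real serialse.txt format.
SAMPLE_LOG = """\
{"id": "A1", "ip": "198.51.100.7", "url": "http://www.sendspace.com/file/EXAMPLE1", "pwd": "p1"}
{"id": "A1", "ip": "203.0.113.9", "url": "http://www.sendspace.com/file/EXAMPLE2", "pwd": "p2"}
{"id": "B2", "ip": "198.51.100.7", "url": "http://www.sendspace.com/file/EXAMPLE3", "pwd": "p3"}
this line is corrupt and must be skipped
{"id": "C3", "ip": "192.0.2.44", "url": "http://www.sendspace.com/file/EXAMPLE3", "pwd": "p3"}
"""

def parse_records(text):
    """Yield one dict per well-formed line; skip blank, truncated or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # an open-directory log is often partly overwritten or truncated
        if isinstance(rec, dict) and {"id", "ip", "url"} <= rec.keys():
            yield rec

def summarize(text):
    """The three counts the post reports: unique victim IDs, unique IPs, unique URLs."""
    ids, ips, urls = set(), set(), set()
    for rec in parse_records(text):
        ids.add(rec["id"])
        ips.add(rec["ip"])
        urls.add(rec["url"])
    return {"victims": len(ids), "ips": len(ips), "urls": len(urls)}

def takedown_list(text):
    """Sorted, de-duplicated sendspace URLs to pass to the hosting provider for removal."""
    return sorted({r["url"] for r in parse_records(text) if "sendspace.com/" in r["url"]})

def ips_per_victim(text):
    """Map each victim ID to the IPs it beaconed from; more IPs than IDs (as in the
    post's figures) usually means dynamic addressing or roaming, not extra victims."""
    seen = {}
    for rec in parse_records(text):
        seen.setdefault(rec["id"], set()).add(rec["ip"])
    return {vid: sorted(ips) for vid, ips in seen.items()}
```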

Country Victims (based on IP address)
United States 13,939
United Kingdom 1,877
India 669
Canada 619
Australia 568
Spain 391
China 304
Mexico 292
Turkey 206
Colombia 189
Germany 178
United Arab Emirates 139
South Africa 134
France 121
The Netherlands 120

Some of the victims have been identified by looking up the IP addresses in the WHOIS databases of the Regional Internet Registries. While the majority consists of IP addresses in the ranges of ISPs (i.e., subscribers of residential and commercial ISP services), we were able to identify several government, academic and corporate networks.

Trend Micro and Sendspace Efforts

We contacted sendspace upon discovering the attack. We assisted them by sharing our findings in order for them to deploy proper mitigation measures.

At the time the attack was reported, sendspace discovered and removed more than 75,000 uploaded malicious archives from their server. Based on the upload logs, the first archive was uploaded on December 25, 2011, which may indicate the start of the malicious campaign.

As a result of our collaboration with sendspace, they are currently monitoring their servers through an automated job that blocks archives uploaded by the sendspace Trojan every few minutes. This effectively removes innocent users’ stolen documents from their server, therefore preventing the perpetrators behind this attack from retrieving stolen data.

Trend Micro is pleased to assist sendspace in mitigating this abuse to their service. Nevertheless, this is probably not the last time similar attacks will take place. As always, Trend Micro is willing to assist in any effort that will make the Internet a safer place for everyone.

Hat tip to Senior Threat Researcher Nart Villeneuve for additional research.
