Intelligence report. Beware: Trojan7sec, a wolf in sheep's skin
12 Oct 2013
In reversing malware we deal with code and its behavior, thinking backwards and connecting the logic in the collected data to work out how the malicious scheme operates. This case is rather unusual: we reverse a social engineering act, which is far more complicated than reversing malware code. The concept is the same, but instead of code we have to deal with facts, tracing one fact to another to find the real malicious intent behind them. The big difference between these two kinds of reversing is that malware code is the easier one, since the code itself never lies (yes, there are manipulations and tricks, but it is all readable), while the malicious actor behind social engineering does. Here are the details:
The Internet is a medium designed by UNIX engineers with the good hope and heart of making it easier for people around the globe to communicate with each other. Yet some people think they can lie online, faking a personality and pretending to be good while actually doing bad things behind the scenes. These people probably think "who knows?"
In malware fighting, to counter cyber crime, it is important to cook our intelligence well, and we in #MalwareMustDie are good at nailing these liar / impostor cases. This is one disclosure of such a case.
For the purpose of this investigation we pretended to accept the subject for close intelligence activities; that project is now done. Herewith we announce and clarify that the subject has NOTHING to do with #MalwareMustDie.
Breaking it down
This is probably the most obvious lie to anyone with any security background at all. The claim has many holes, and I will go through each of them.
Botnet Estimates vs Actual
Botmasters usually have a fairly accurate way to determine the number of bots, typically via a unique ID assigned to each computer on infection. Because security experts very rarely gain access to the botnet command and control panel, the estimated number of bots is mostly calculated by monitoring the C&C servers and logging the unique IPs over the course of a month. If you understand IPv4, you'll know that there are far fewer IPv4 addresses than there are computers. To cope with this, ISPs use a method called "IP pooling": instead of assigning each client a permanent IP address, the ISP maintains a collection of IPs that are assigned on the fly (when a client logs on to the Internet, they are given an IP from the pool). Because so many ISPs use IP pooling, over the course of a month far more IPs are logged than there are infected computers, so the estimated number of infections ends up far higher than the actual one.
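As an added example that is not part of the original post, the following Python runs the estimate described above over constructed C&C check-in lines (four bots whose ISP hands them a fresh pooled address every day; the addresses are from a documentation range): it compares the naive whole-period unique-IP count with a per-day peak and with the ground truth that only the bot IDs give.

```python
# Added example (not from the original post): a bot-population estimate run over
# constructed C&C check-in log lines, showing why counting unique IPs over a whole
# period overcounts bots whose ISP hands out addresses from a pool.
from collections import defaultdict

# Constructed sample: "timestamp ip bot_id"; four bots, each getting a fresh
# pooled address (203.0.113.0/24 is a documentation range) every day.
SAMPLE_LOG = """\
2013-09-01T08:00:00 203.0.113.10 bot-a
2013-09-01T08:05:00 203.0.113.11 bot-b
2013-09-01T08:09:00 203.0.113.12 bot-c
2013-09-01T08:20:00 203.0.113.13 bot-d
2013-09-02T09:00:00 203.0.113.14 bot-a
2013-09-02T09:02:00 203.0.113.15 bot-b
2013-09-02T09:11:00 203.0.113.10 bot-c
2013-09-02T09:30:00 203.0.113.11 bot-d
2013-09-03T10:00:00 203.0.113.12 bot-a
2013-09-03T10:07:00 203.0.113.13 bot-b
2013-09-03T10:15:00 203.0.113.16 bot-c
"""

def parse_checkins(text):
    """Return (day, ip, bot_id) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or "T" not in parts[0]:
            continue
        timestamp, ip, bot_id = parts
        rows.append((timestamp.split("T")[0], ip, bot_id))
    return rows

def estimate_population(rows):
    """Three estimates from the same rows:
    unique_ips     - the naive whole-period count the post criticises
    peak_daily_ips - most distinct IPs seen on any single day (closer, since a
                     pooled address is reused across days, rarely within one)
    unique_ids     - ground truth, only available with access to the bot IDs
    """
    ips_all, ids_all, per_day = set(), set(), defaultdict(set)
    for day, ip, bot_id in rows:
        ips_all.add(ip)
        ids_all.add(bot_id)
        per_day[day].add(ip)
    peak = max((len(ips) for ips in per_day.values()), default=0)
    return {"unique_ips": len(ips_all), "peak_daily_ips": peak,
            "unique_ids": len(ids_all)}
```

On this sample the naive count reports 7 bots for 4 real ones, while the per-day peak lands on 4; with sparser check-ins the peak would undercount instead, which is why neither replaces the bot ID.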
Large Botnets That Fit The Description
Bearing in mind that botnet estimates are usually far too high, the biggest botnet ever is thought to be Conficker, with an estimated 10 - 15 million infections. Conficker did not produce much spam compared to some much smaller botnets, and it was not involved in banking fraud, keylogging or form-grabbing, so Conficker is off the table. We are not going to bore you by going through every single botnet and showing how it doesn't fit the claim, so we'll cut to the chase: no recorded botnet of over 1 million bots fits all of those characteristics.
Stating The Obvious
There is zero chance that a botnet of that size would go unnoticed, never mind one of the people involved then giving up and going to Twitter to talk about it, the fact that he owns a gym and what country he lives in (people have gone to jail for far smaller mistakes). We'd also like to state that no one with a botnet of that size would bother with DDoS: the money made from launching denial of service attacks wouldn't even amount to 0.1% of the potential botnet revenue, and it would draw unnecessary attention.
Nearly all of the high-level malware marketplaces are Russian-speaking only. Trojan7Sec lives in England and does not speak any Russian, which limits him to English-speaking forums (we could count the number of banking trojans sold on English forums on one finger). Of course he could have someone who is Russian-speaking sell the product for him, but it's very unlikely.
Quality of Code
We'd estimate the average price of a professional bot with said features at about $2k - $5k; $10k would be a push and would likely come from a very advanced programmer. Here is some code Trojan7sec posted on his blog a month after he wrote the above post: Link, Mirror. This code is very beginner-level and of low quality; it is not the code you'd expect from someone who can write an HTML inject at all, never mind an expensive piece of malware.
Firstly, you'll notice there is no error checking whatsoever: if any of the GetModuleHandle or GetProcAddress calls were to fail, the code would crash the browser on injection.
Secondly, you'll notice this "while(Process32Next(handle, &ProcessInfo))": there is no call to Process32First, which is what anyone with any programming background would generally do.
Lastly, he doesn't close the thread handle or the snapshot handle. It's hardly the end of the world, but it's something any competent programmer would know to do.
There's also the non-standard and over-the-top use of the #define directive, as well as the unnecessary use of strcpy on data that could have been initialized at compile time. This is not the code you'd see from a professional malware coder selling code for $10k - $20k; this is the code you'd see from a member of hackforums selling a $100 bot.
UPDATE: The Reddit post has been restored and is accessible again:
Debunking The Comments
(Image caption: Just in case anyone doubts this is Trojan7sec's Reddit post)
Further, the person the subject describes in this post as having been arrested in Israel and asked to help defend against cybercrime was Hamza Bendelladj, a botmaster and seller for spyspreader known online as BX1. Hamza was not the Zeus coder and had nothing to do with Zeus (other than using it). Anyone who had access to any private forums would know this fact; only script-kiddie oriented forums such as hackforums were spreading rumors that said otherwise. Furthermore, the real story of BX1 is as described below:
(Image caption: Deleted tweets of Trojan7Sec)
Here is a list of features; you'll notice features such as polymorphic encryption and a bootkit, which he is certainly not capable of coding and which were likely taken from the Carberp leak.
How and Why
"Thou Shalt Not Lie.. When the truth reveals, it will hurt you!"