Saturday, October 12, 2013

Intelligence report. Beware: Trojan7sec, A wolf in sheep's skin

In reversing malware we have to deal with codes and its behavior, thinking backwards. connecting logic on the collected data to go figure how the malicious scheme works.This case is rather unusual, we reverse the social engineering malicious act. Which is way much complicated than reversing a malware code. The concept is the same but instead of codes we need to deal with facts, tracing one fact to another to find the real malicious concept behind it. The big difference between these two reversing concept is, dealing with malware code is easier since codes itself never lies (yes they are some manipulation or tricks but is all readable), but the malicious actor behind social engineering does. Here's the details:

Internet is media that was designed by UNIX engineer gentlemen with the good hope and heart to make people easier to communicate to each other around the globe. So some people think they can lie by online in internet, by faking some personalities, pretend to be good but actually doing bad activities in behind. These people maybe think "who knows?"
In malware fighting, to counter cyber crime, is important to cook our intelligence well, and we in #MalwareMustDie are good in nailing these liar / imposter cases. This is a one disclosure of the case.

For this investigation purpose we are pretending to accept the subject for the close intelligence activities, which the project is done now. Herewith we are Announcing and Clarify that the subject is NOT having anything related to #MalwareMustDie.

Trojan7sec

A lot of you have probably noticed a so called "security researcher" claiming to be an "ex-blackhat" with quite an impressive skillset and background. For those who have not read his post about his background, here is a link and here is a mirror of the post in case it is taken down. There is also a second post about himself link here and mirror here. We will be debunking these posts so the people who have fallen for his stories can tell the facts from fiction. 

Breaking it down


This is probably the most obvious lie to anyone with any security background at all. This claim has many holes, I will go through each.

Botnet Estimates vs Actual
Botmaster usually have a fairly accurate way to determine the number of bots, usually via unique id's that are assigned to each computer on infection. Because security experts very rarely gain access to the botnet command and control panel, the estimated number of bots is mostly calculated by monitoring the C&C servers and logging the unique ips over the course of a month. If you understand IPv4, you'll know that there are far less IPV4 addresses than there are compters, in an effort to combat this, ISPs use a method called "IP Pooling", this simply means instead of assigning each client with a permanent IP Address, the ISP will maintain a collection of IPs that will be assigned on the fly (when a client logs on to the internet, they will be given an IP at random). Because so many ISPs use IP pooling, over the course of a month far more IPs would be logged than there are infected computers, resulting in the total number of estimated infections being far more than the actual.

Large Botnets That Fit The Description
Bearing in mind that botnet estimates are usually way over, the biggest botnet ever is thought to be conficker with an estimated 10 - 15 million infections. Conficker did not produce much spam compared to some of the much smaller botnets, it was also not involved in banking fraud, keylogging or form-grabbing, so conficker is off the table. Now we are not going to bore you by going through every single botnet and showing you how it doesn't fit that claim, so we'll cut to the chase. No recorded botnet over 1 million bots fits all those characteristics.

Stating The Obvious
There is zero chance that a botnet of that size would go unnoticed, never-mind one of the people involved then giving up and going to twitter to talk about it, the fact he owns a gym and what country he lives in (people have gone to jail for far smaller mistakes). We'd also like to state that no one with a botnet of that size would bother with DDoS, the money made from launching denial of service attacks wouldn't even amount to 0.1% of the potential botnet revenue, it would also draw unnecessary attention.


At a first glance this is probably believable to even people with a security background, although we cannot fully disprove this, we can state why it is highly unlikely.

Malware Marketplace
Nearly all of the the high level malware marketplaces are Russian-speaking only, Trojan7Sec is living in England, he does not speak any Russian, which limits him to English speaking forums (We could count the number of banking trojans sold on English forums on 1 finger). Of course he could have someone who is Russian-speaking sell the product for him, but it's very unlikely.

Quality of Code
We'd estimate the average price of a professional bot with said features at about $2k - $5k, 10k would be a push and likely come from a very advanced programmer. Here is some code Trojan7sec posted on his blog a month after he wrote the above post: Link, Mirror. This code is very beginner and low quality, it is not the code you'd expect from someone who can code HTML inject at all, never-mind an expensive piece of malware.

Firstly you'll notice there is no error checking whatsoever, if any of the GetModuleHandle or GetProcAddress calls were to fail, the code would crash the browser on injection.
Secondly you'll notice this "while(Process32Next(handle, &ProcessInfo))", there is no call to Process32First which is generally what anyone with any programming background would do.
Lastly he doesn't close the thread handle, or the snapshot handle. It's hardly the end of the world, but it's something any competent programmer would know to do.

There's also the non standard and over the top use of the #define directive as well as the unnecessary use of strcpy on data that could have been initialized during compile. This is not the code you'd see from a professional malware coder selling code for $10k - $20k, this is the code you'd see from a member of hackforums selling a $100 bot.


This is probably the only true statement, It's clear Trojan7Sec is a pathological liar, however "believable" may be a slight overstatement (saying that, some of his stories did make it to big news sites).


Again, more of the same. This time the number is rounded up to an even more unlikely 20 million, We also learn that his botnets uses tor, msn and peer to peer to communicate. If you remember recent news, a botnet of around 400k computers started using tor and was the talk of the internet. Not only would a botnet of the size being talked about here be noticed, but would likely grind the entire tor network to a halt. It is agreed upon by a lot of researcher that peer to peer botnets are the most complex to develop, not the sort of thing you'd expect someone who only knows C++ at an entry level. It is also important to add, that using IM services like MSN to control bots is  ridiculous and the concept is limited to very small botnets and malware usually written by script-kiddies.

/r/netsec

If we do some digging on Trojan7sec, we can find a post on the netsec subreddit that he authored. Although it was deleted due to large amounts of lies, we can find the original comments here. The post is in the form of an IAMA (this means I Am A ... Ask Me Anything). Sadly, this post made it to news sites such as softpedia and welivesecurity, drawing attention away from real problem. 


(Note - If anyone can find a mirror of the full post, please leave a comment with the link or email us)

UPDATE: The REDDIT posts was restored back and accessible now:

Inspiration

The first thing we noticed is similarities between the original post and this, It is likely that Trojan7Sec got his inspiration for the "AMA" from the one written by the skynet botnet developer over a year ago. It's also interesting to note that if you look at the post date, despite being posted around the same time as the blog post, there is a 12 million difference in the alleged number of bots. 

Debunking The Comments

Just in case anyone doubts this is Trojan7sec's reddit post


This is interesting, anyone who works in the malware research industry knows that java malware is notoriously easy to detect. Not only has there never been any record of such a large botnet using java, it's a well known fact that there are not enough targetable OS X and Linux computers running java for it to be worth the loss of windows infections. This is the reason that pretty much all big botnets use native windows executables and are not cross-platform. 

Java malware is only really used by professional botmaster for targeting android devices. If you were to visit a beginner oriented hacking forum, such as hackforums, you would notice an abundance of java malware. This is due to java appealing to script-kiddies because it is easier to write malware with, it is also more suited to beginner botmaster because java application are usually ignored by antiviruses (this would be helpful to someone with little knowledge of advanced rootkit or antivirus evasion techniques).



This is the sort of thing someone pretending to be a mastermind cybercriminal would say, making 15-20k per an hour does not get you out of jail, if someone with Trojan7sec's alleged track record was arrested, it would likely result in the rest of his life in jail. We'll just throw it out there: 20k in 1 hour is a potential 175 million a year, It's up to you if you believe this person had that much earning potential, then gave it all up to sit on twitter insulting security researchers. 



After consulting with many people, blackhat and whitehat, we can conclude that no such board exist. Some private boards (nearly always Russian-speaking ones) do implement a signup fee of $50 - $1000, this fee is to deter low level law enforcement and security researcher who do not want to pay money to profile a forum. $20,000 is a lot of money, more than some people make in a year, a fee so large would deter just about everyone except for very rich cybercriminals, this would of course make the forum a prime target for the FBI (who do have $20,000 to spend on a forum account). 

We also mentioned earlier that Trojan7Sec is English, the most exclusive English hacking forum is darkode, which is so easy to get into that the forum user-base has more security researchers than legitimate members.


Further, the subject in this post explained, the person arrested in Israel and asked to help defend against cybercrime was Hamza Bendelladj, a botmaster and seller for spyspreader known online as BX1. Hamza was not the Zeus coder and had nothing to do with Zeus (other than using it). Anyone who had access to any private forums would know this fact, only script-kiddie oriented forums such as hackforums were spreading rumors that said otherwise. Furthermore, the real story of BX1 is actually as per described in below:

Deleted Tweets of Trojan7Sec

These are some now deleted tweet of Trojan7sec talking about the bot he spent 4 and a half years coding. Here is a list of features, you'll notice some features such as polymorphic encryption and bootkit, such features he is certainly not capable of coding and are likely taken from the carberp leak.

0-Days

Looking at trojan7sec's twitter, blog and reddit, we see the word "0-day" thrown around constantly. Contrary to popular belief, zero-day exploits are incredibly rare on the blackhat scene. Even advanced malware such as TDL and Rovnix uses patched exploits. Especially with the rise of bug bounty programs, if any malware were to use an 0-day exploit, it would be reported as soon as it was seen. 0-day exploits take a great amount of work and are patched very quickly, professional malware developers soon realized that using recently patched exploits was more effective (very few people update software regularly).

"0-Day" is a word that wannabe black-hats throw around to get attention, anyone with little knowledge of how the black-market works would think that 0-day exploits are far more common that they actually are, leading to the constant use of the term.

How and Why

A lot of you are probably wondering why we did this, It's simple. People like Trojan7Sec who make up stories then "become whitehat" draw attention away from the real issue. There are people working day and night doing their best to prevent and destroy malware, they get very little recognition and not a lot of pay. Along comes someone with what looks like a lot of experience and impressive background story, they then sit on twitter insulting hard working security researchers and antivirus companies, as well as feeding false and misleading information to amateur researcher who have been drawn into their web of lies. We have enough evidence to believe that Trojan7sec is very much still a blackhat and is likely only pretending to be whitehat for publicity. 

While writing this article we have consulted with researchers, blackhats, and programmers in order to make sure everything we say is as accurate as possible. For those of you who are actually whitehat, keep up the good work and remember:

"Thou Shalt Not Lie.. When the truth reveals, it will hurt you!"

Additional:

It looks like he is back on action in 2014, sensation? :-)


#MalwareMustDie.