On the trail of Downloader-AAP
Thursday February 22, 2007 at 9:50 am CST
Posted by Vinoo Thomas
Downloader-AAP, a.k.a. Clagger, is a family of trojans that has been regularly spammed since May 2005. This trojan downloader is an excellent case study in how a carefully thought-out social engineering approach can deceive users into opening executable attachments in mail.
The Downloader-AAP trojan usually targets German computer users, who by now must be familiar with receiving spammed mails carrying executables named “Rechung.pdf.exe”, “Rakningen.exe” or “Empfangs.exe”. Note the double extension on the first one: on a Windows desktop that hides known file extensions (the default), it is displayed as “Rechung.pdf”. You would think most organizations would block executables by extension at the email gateway, or that people would be careful about running .EXE files. Out of morbid curiosity as to how successful the authors of Downloader-AAP are with this approach, I decided to follow the trojan’s trail back to its authors.
Upon infection, the trojan does a WHOIS lookup on the infected machine’s IP address to determine its country, then posts all cached passwords to a web server hosted in Germany, where the drop folders are arranged by country-code top-level domain.
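As an added illustration of the gateway check the paragraph above says most organizations should have (this is example code, not McAfee’s product or anything from the original post), here is a small Python filter that parses a raw message and blocks an attachment on three independent grounds: a directly executable extension, a document-style decoy extension in front of it (the “Rechung.pdf.exe” trick), and an MZ header in the decoded content regardless of the name or declared MIME type. The extension blocklist and the sample message are assumptions constructed for this example; the “PE” attachment is just an MZ stub and padding, not a real sample.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist for this example: extensions Windows runs directly on double-click.
# A real gateway policy would be longer and site-specific.
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# Document-like extensions an attacker puts in front of the real one ("Rechung.pdf.exe")
# so that a desktop hiding known extensions displays "Rechung.pdf".
DECOY_EXTENSIONS = {"pdf", "doc", "xls", "txt", "jpg", "gif", "htm", "html"}
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def classify_attachment(filename, payload):
    """Return the reasons to block this attachment; an empty list means allow."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) >= 2:
        ext = parts[-1]
        if ext in EXEC_EXTENSIONS:
            reasons.append(f"executable extension .{ext}")
            if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
                reasons.append(f"double extension .{parts[-2]}.{ext}")
    # Extension checks alone miss a renamed binary; the content check catches an
    # MZ header no matter what the file is called or what MIME type it claims.
    if payload[:2] == MZ_MAGIC:
        reasons.append("PE/MZ header in content")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message; map each attachment to block to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, data)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Constructed test message (not a real Clagger mail): one disguised 'PE', one benign PDF."""
    msg = EmailMessage()
    msg["From"] = "buchhaltung@example.invalid"
    msg["To"] = "kunde@example.invalid"
    msg["Subject"] = "Ihre Rechnung"
    msg.set_content("Anbei finden Sie Ihre Rechnung.")
    fake_pe = MZ_MAGIC + b"\x00" * 62  # MZ stub plus padding; not a valid executable
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="Rechung.pdf.exe")  # declares itself a PDF
    msg.add_attachment(b"%PDF-1.4\n% constructed benign placeholder\n",
                       maintype="application", subtype="pdf", filename="Rechnung.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()).items():
        print(f"BLOCK {name}: {'; '.join(why)}")
```

The content check is the one that matters most: a filter keyed on extension alone is defeated the moment the spammer ships the same binary inside a renamed file or a container the gateway does not open.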

Apparently business is good!! There were around 95 country folders in all, from .AE (United Arab Emirates) to .ZW (Zimbabwe). Pretty decent payback for plain social engineering, huh? Looking at the folder for .DE (Germany), one can see many sub-folders created for infections that occurred around the time the trojan was mass-spammed to users.

Each sub-folder is named after a unique hash value generated for every infected machine and contains text files with the stolen passwords. A sample text file with cached auto-complete passwords is as follows:

Given that there are thousands of folders and files, how do the authors look for interesting information? Apparently they use bash scripts, and their favourite search terms are “bofa, citi, chaser, hsbc and nordea”. (No prizes for guessing the $$$Bank$$$ connection.)
The modus operandi of these criminals is to target vulnerable *nix machines on the Internet running Apache. Once a server is compromised, they mass-spam an undetected version of the trojan to thousands of email addresses, and any passwords stolen from infected users are posted to that server. Once the rogue server has been found and taken offline, they find a new target, and this vicious circle of crime continues.
The good news is that we got root access to the server and were able to collect some incriminating evidence to pass on to the authorities. We hope to hear something from them soon.
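For a responder who ends up on a drop server laid out as described above (one folder per country-code TLD, one sub-folder per victim hash, text files of stolen passwords inside), here is an added Python triage script; it is example code written for this page, not the attackers’ bash scripts or anything from the original post. It counts victims per country, produces a SHA-256 manifest of every file before anything is copied off the box, and reproduces the attackers’ own keyword sweep with the five terms the post reports. The directory tree, hashes, hosts and credentials it builds are constructed placeholders.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The attackers' own search terms as reported in the post.
BANK_TERMS = ("bofa", "citi", "chaser", "hsbc", "nordea")


def build_sample_tree():
    """Constructed stand-in for the drop server layout <ccTLD>/<victim hash>/<file>.txt.
    Hashes, hosts and credentials are invented placeholders."""
    root = Path(tempfile.mkdtemp(prefix="drop_"))
    samples = {
        ("DE", "3f2a9c1e"): "https://shop.example.de/login\nuser=hans\npass=geheim\n",
        ("DE", "7b44d0aa"): "https://online.hsbc.example/\nuser=hk1\npass=x\n",
        ("SE", "91ee10f5"): "https://www.nordea.example/login\nuser=anna\npass=y\n",
        ("AE", "c0ffee01"): "https://mail.example.ae/\nuser=ali\npass=z\n",
    }
    for (cc, victim_hash), text in samples.items():
        folder = root / cc / victim_hash
        folder.mkdir(parents=True)
        (folder / "passwords.txt").write_text(text)
    return root


def victims_per_country(root):
    """One sub-folder per infected machine, so counting sub-folders counts victims."""
    root = Path(root)
    return {cc.name: sum(1 for v in cc.iterdir() if v.is_dir())
            for cc in sorted(root.iterdir()) if cc.is_dir()}


def evidence_manifest(root):
    """Hash every file in place so copies handed to the authorities can be verified."""
    root = Path(root)
    entries = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            entries.append({"path": path.relative_to(root).as_posix(),
                            "size": path.stat().st_size, "sha256": digest})
    return entries


def grep_terms(root, terms=BANK_TERMS):
    """Reproduce the attackers' keyword sweep: (relative path, line number, matched term)."""
    root = Path(root)
    pattern = re.compile("|".join(map(re.escape, terms)), re.IGNORECASE)
    hits = []
    for path in sorted(root.rglob("*.txt")):
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            match = pattern.search(line)
            if match:
                hits.append((path.relative_to(root).as_posix(), lineno, match.group(0).lower()))
    return hits


if __name__ == "__main__":
    tree = build_sample_tree()
    print("victims per ccTLD:", victims_per_country(tree))
    for entry in evidence_manifest(tree):
        print(entry["sha256"], entry["size"], entry["path"])
    for relpath, lineno, term in grep_terms(tree):
        print(f"{relpath}:{lineno}: {term}")
```

Taking the manifest first and only reading files (never rewriting or renaming them) keeps the server’s own timestamps and contents intact, which is what makes the evidence usable later.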

February 22nd, 2007 at 10:54 pm
I noticed that you had problems with providing DAT updates for most variants of Downloader-AAP. They usually came too late. I only checked once for extra.dat availability; that was available.
Other (big) vendors provided their clients with new definitions and protection in a more adequate time.
I want to ascertain that that is not what I usually experience with McAfee. But I would also like to know: what was so catchy about Downloader-AAP that it made you “hit” so often?
February 26th, 2007 at 5:43 am
There’s more and more coverage of these types of attacks in mainstream media these days; earlier, only security and technical sites used to cover them.
Also I’ve seen plenty of articles for laypersons on news sites, even published in local newspapers, basically how to never open unknown attachments or click dubious links.
Yet people keep repeating themselves, and phishers make merry.
February 27th, 2007 at 3:51 am
The authors of Downloader-AAP test their new creations against the major AV vendors for detection. If detected, the binary is tweaked until it becomes an undetected version. Then it is mass-spammed to thousands of email addresses.
AV vendors usually get the sample within the first 30 mins of the spamming via internal honeypots, customers or malware collectors. On average it takes a researcher ~10 mins to analyze the sample and another ~15 mins for the detection to be incorporated into the Beta DATs. At this point, any customer who submits a sample of the spammed trojan to McAfee Virus Research via (Email/Web Immune) would receive an extra.dat with specific detection for the trojan automatically.
McAfee Avert Labs’ advice to customers is to configure gateway products to use Beta DATs to stop these mass-spammed threats. This way, protection is available within the first hour of the spamming.
Beta DATs are updated multiple times every (hour/day) and can be downloaded from: http://vil.nai.com/vil/virus-4d.aspx
April 18th, 2007 at 9:35 am
[…] Trackback In a previous blog, I had written about the modus operandi that the group behind the Downloader-AAP (a.k.a. Clagger Trojan) uses to host their creations. Today we had another spam run of the Downloader-AAP Trojan and this variant used a legitimate site to host its payload. The spam run was targeted at German eBay customers requesting them to update their e-mail addresses. A copy of the spammed e-mail is shown below. […]