At the beginning of this month, my colleague Robert Lipovsky posted an article on a new threat called Win32/Delf.QCZ, also known as Trojan.Badlib or Trojan.Win32.Miner.h. This threat caught the attention of others and additional information has since been added by fellow researchers on the blogs of Kaspersky and Symantec as well as on the H-Online
At the beginning of this month, my colleague Robert Lipovsky posted an article on a new threat called Win32/Delf.QCZ, also known as Trojan.Badlib or Trojan.Win32.Miner.h. This threat caught the attention of others and additional information has since been added by fellow researchers on the blogs of Kaspersky and Symantec as well as on the H-Online news site. In this article, I will give a description of the different components of this threat and provide some new details.
Win32/Delf.QCZ is a peer-to-peer botnet that uses the HTTP protocol as a channel of communication. After the initial infection, the threat retrieves additional executables and installs them. Those executables are components of the malware. At the time of this writing, there are 10 executables being distributed :
- loader2.exe : A loader that downloads other software
- loader_rezerv.exe : A loader that downloads other software
- w_distrib.exe : Creates a web server on port 8080 for peer communication and on port 80 for serving fake Youtube pages
- iecheck12.exe : Creates a proxy to intercept communication to Facebook and Vkontakte
- btc_server.exe : The Bitcoin server, sends tasks to the clients
- client_8.exe : Installs and runs Bitcoin mining software
- ddhttp.exe : HTTP DDoS component
- udp.exe : UDP DDoS component
- gbot_loader.exe : Dropper for 3rd party malware
- resetsr.exe : Disables System Restore
Those components share a lot of code and have a similar behavior. They are packed with UPX, however the purpose is probably to reduce the size of the executables which are pretty big, ranging from 111 KB up to 1.2 MB.
On first execution, the component creates a copy of itself in the folder C:WINDOWSupdate.[NUMBER] and creates a Windows service. It also creates a registry key HKEY_LOCAL_MACHINESOFTWARE[NAME] (where name is such as sysdriver32, systemdrv64 or w_distrib.exe) and stores information such as its version, path and last execution time. The component constantly monitors its close key and can be used by another component to stop its execution.
To check for Internet connectivity, Win32/Delf.QCZ will attempt HTTP connections on websites such as youtube.com, blogspot.com, baidu.com or twitter.com. Strangely, it also tries to connect to 126.96.36.199 on port 55611/tcp. This address belongs to the Department of Defense Intelligence Information Systems. Due to the pattern of the address it is probable that the authors of this threat forgot to change it.
When a component is successfully installed, it sends a message to one of the domain names included in the binary. The serial parameter is the concatenation of 2 values. The first part is the Volume Serial Number of the first drive (usually the one containing the C: partition). The second one is the sum generated by adding the characters of the Computer Name. This value uniquely identifies the infected computer.
Social network account hijacking
In his article, Robert described how the malware propagates itself by hijacking accounts on social networking sites such a Facebook or Vkontakte. This task is performed by the components iecheck12.exe and w_distrib.exe. As described by Symantec, iecheck12.exe creates a web server on ports 80/tcp and 443/tcp that acts as a proxy and intercepts requests to Facebook or Vkontakte. When someone logs in from the infected computer, the credentials are stored in the registry.
Win32/Delf.QCZ will then create fake conversations with friends of the hijacked account. To serve the fake YouTube page, it will contact another peer which has a web server accessible on port 80/tcp. This task is handled by w_distrib.exe, which is also responsible for serving the requests on port 8080/tcp. It accepts the following requests:
The following screenshot shows the page returned on when get_homevideo1_en_test is requested. We can see the string “name_surname” that will be replaced by the name of the contact Win32/Delf.QCZ is attempting to infect.
Win32/Delf.QCZ also has functionality to use the URL shortening services tinyurl.com, bit.ly and goo.gl to make it less obvious that the Youtube link is fake.
As already mentionned in the blog posts I referenced at the beginning of this article, this botnet is used to do Bitcoin mining as a way to generate revenue. This task is accomplished by the client_8.exe and btc_server.exe components where client_8.exe is responsible for downloading and running the bitcoin software and btc_server.exe provides tasks to be executed. They use a JSONRPC interface over 9442/tcp. Here we can see a getwork request and the server responding with a task.
Win32/Delf.QCZ will actually go further than install the Bitcoin mining software. As it is more efficient to use the GPU to do this type of computations, it will check if the computer is equipped with an ATI graphics card and download the drivers if needed. It feels kind of strange to have malware doing your upgrades…
HTTP and UDP Denial of Service
Win32/Delf.QCZ also downloads two modules, ddhttp.exe and udp.exe, to launch respectively HTTP and UDP Distributed Denial of Service (DDoS) attacks. On August 21st, we observed a DDoS attack against German websites. This was reported on the H-Online a couple days after.
In his blog post Robert Lipovsky mentionned that Win32/Delf.QCZ could be used as a mean to distribute third-party malware. It turns out he was right, the executable gbot_loader.exe does exactly that. When executed, it retrieves another executable embedded as a resource named NEW and executes it.
This executable is very different from the other ones and it is clear it was developped by a different team. This threat embeds rootkit functionality that kills tools that attempt to access its process. It is detected as Win32/Agent.SZI trojan.
Botnet size and geographical distribution
Tillman Werner from Kaspersky described how it is possible to enumerate the IP addresses of the botnet by recursively requesting the peer lists. We reproduced the experiment and collected 44 400 distinct IP addresses in 12 hours, which is consistent with the 38 000 addresses collected by Werner in 7 hours.
We also looked at the geographical distribution of the botnet. Here is the list of the 10 countries having the most peers. We can see that the botnet is highly concentrated in Eastern Europe, with the top 4 countries containing 56% of the hosts. This is probably due to the fact that this malware targets the Vkontakte social network which is mostly used in this part of the world.
While this threat initially attracted attention because of its innovative use of Bitcoin mining as a way to generate revenues, the operators of this botnet are also using more classic means such as DDoS services and 3rd-party malware distribution. Social networks also remain an interesting target for miscreants to convey social engineering attacks and distribute malware.
We will continue to monitor this threat closely. ESET detects the latest versions as Win32/TrojanDownloader.Delf.QPN.