Story image

Researchers dissect 10-year-old Snowball malware

08 Sep 2017

The creators behind malware toolkit known as ‘Animal Farm’ may have been using one of its implants since at least 2007, and researchers happened on the discovery by chance.

The Animal Farm toolkit is made up of several implants called Bunny, NBot, Dino, Casper, Tafaclou and Babar/SNOWBALL.

While previous samples of Snowball malware dated back to 2011, researchers at Palo Alto Networks’ Unit 42 have discovered a sample with a timestamp of September 2007. Researchers only spotted the malware after scouring a repository for an unrelated malware.

“This earlier sample of Babar uses many features not present in later versions. The sample also uses a compromised third party website as a C2 server like later versions. We also found a simple bug and a design flaw in the code you wouldn’t expect from malware developed by mature actors,” comments researcher Dominik Reichel.

The sample, a portable executable, takes the form of a loader. Inside the loader is the payload. The malware attempts to obtain debug privileges and attempts to detect if the operating system is Windows Vista.  

If successful, the malware then insert event logs and attempts to gain access to the AppData folder path.

“The malware also tries to delete any traces it was executed by deleting the corresponding entries in the registry keys,” Reichel says.

After checking everything is functioning correctly, the malware then tries to access the default internet browser. These seem to work with Firefox and Internet Explorer, but not with Chrome.

Reichel says that Chrome was released in 2008, after the original malware was created. Therefore, it cannot be a bug.

A compromised website was used as a command & control server. In this case, it was the official site of the Permanent council of Accounting of the Democratic Republic of the Congo, however the attack was carried out so long ago the script behind the website is not online anymore.

After a number of tests, the malware can then conduct a number of commands. Those commands can shut down and reboot systems, download files, get lists and types of partitions, report a victim’s system information, terminate and delete itself, and change a range of characteristics via XML.

“This malware has a small set of features ranging from retrieving system information, to downloading files or killing processes on a victim’s system. Technically, it is not outstanding and can be considered only average compared to alleged state sponsored malware written at that time (e.g. Careto or Regin). The code and structure is similar to the Casper implant which is most likely based on this implant. The malware contains an obvious design flaw leaving the main part of the configuration data visible in clear text,” Reichel concludes.

Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.
Ransomware’s decline equals cryptomining’s rise
ESET’s Security Days Conference recently took place to go over the current threat environment and what to look out for next.
IoT and DDoS attacks: A match made in heaven
A10 Network’s Adrian Taylor uses findings from a number of reports to illustrate his point that advances in technology are facilitating cybercrime.