Tofsee is a multi-purpose malware with a wide array of capabilities: it can mine bitcoins, send emails, steal credentials, perform DDoS attacks, and more. All of this is possible because of its modular nature. Reading, or at least skimming, our previous analysis is probably required to fully understand this post, which is meant as an extension of that research, focusing on the plugin functionality that we previously ignored. We will briefly summarize each plugin and highlight its most important features.
This plugin can perform DDoS attacks.

This plugin listens for TCP connections on 0. After extracting them from the registry, they are decrypted and used to send more emails. Additionally, it generates an email in the form [computer name] mail.

This is the HTTP server plugin. It can serve files, probably for other bots. It is able to blacklist some IPs, probably those of security analysts; for example, Forcepoint and Google are banned.

A very important module: it generates and sends emails.
The most interesting thing about it is that it uses its own dedicated scripting language for generating messages. We had never seen anything like this before, so we analyzed the interpreter of this language. The syntax is rather simple, but very assembly-like and primitive. Many opcodes are supported; take a look at this simplified parsing function, for example:

This plugin checks whether the bot is listed as a spambot and blacklisted.
Technical details are outside the scope of this post, but any interested reader can take a look at http:

This is, as the name suggests, a cryptocurrency miner.
This plugin only coordinates the work; it has a few accompanying binaries that perform the dirty work. The other binaries are downloadable through URLs specified in the configs, in theory.
In practice, the servers distributing the miners seem to be dead, so we were not able to download them.

This short plugin processes malicious attachments: it encodes them with base64 and appends them to emails.

This plugin is used to spread Tofsee through social media: Facebook, Twitter and the Skype communicator.
The exact method depends on the browser, but generally the plugin reads the cookies stored on disk by the browser, for example cookies. The list of friends is downloaded through the API and a message is sent to each of them. The format of the message is stored in the configuration, for example:

Twitter is handled very similarly:

VKontakte also seems to be supported, but that functionality is optional and held in another plugin. The plugin can also spread itself through Skype, but reverse engineering the Skype protocol was clearly too hard for the malware authors, so the plugin waits until Skype is started and then sends Windows messages to the Skype window:
The plugin has dozens of hardcoded strings, so analyzing it in a disassembler is a breeze. A few more interesting groups:

This plugin uses methods more than 15 years old and tries to spread Tofsee through… infected USB drives! The malicious binary that will be spread is downloaded from the internet (see also sys.

This plugin seems to be a downloader, or rather an updater. If we send this request to that IP address on port 80, we get yet another malicious binary.
Different requests lead to different binaries.

This plugin tries to locate iexplore. List of hooked functions:

Hooks intercept the called functions and can change their parameters.

This plugin is rather short. It also adds a port mapping using UPnP, in the same way as plugin 4 (proxyR).

A deeper look at Tofsee modules

Date of publication:

The post is rather long; for the impatient, the list of hashes and the table of contents in one:

The binary contains a lot of strings, which simplifies analysis greatly:

When any value is missing from the configuration, the binary has some sane defaults built in.

Strings from the binary give a little more insight into the purpose of this plugin:

J lbl — jump to label lbl.

W text — write text to the output, in this case to the final email.

Again, a few of the most interesting strings from that binary:

Nothing interesting here, as can be seen in the hardcoded strings:

After that, the plugin uses those cookies to impersonate the user in the Facebook API:

Strings related to the Facebook spread:

Strings related to cookie stealing:

Strings related to Skype hijacking:

Finally, the things needed to send the stolen cookies somewhere:

Nothing too interesting in the hardcoded strings, except the operation logs:

If a request is invalid or not supported, the following image is sent instead:

We appreciate the humor.

Nothing surprising in the hardcoded strings:

For completeness, the interesting hardcoded strings:
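The post describes the mail plugin's template language as "assemblish" and documents two of its opcodes, J (jump to a label) and W (write text to the output email). The following emulator is an added example written for this page; it is not code from the original post and not the malware's interpreter. It implements only those two documented opcodes; the label syntax (a line of the form `name:`), the one-instruction-per-line layout and the step limit are assumptions made so that it runs. Analysts write emulators like this to render templates recovered from a sample's configuration without executing the bot itself, and the step limit is there because a template that jumps back to its own label would otherwise never finish.

```python
"""Minimal emulator for the two documented opcodes of the Tofsee mail template language.

Added example, not code from the original post or from the malware. The post
documents only "J lbl" (jump to label lbl) and "W text" (write text to the
output email). Label lines written as "name:", one instruction per line and
the step limit are assumptions made to get a runnable emulator.
"""
from __future__ import annotations


class TemplateError(Exception):
    """Raised for malformed templates, undefined labels or runaway loops."""


def parse(script: str) -> tuple[list[tuple[str, str]], dict[str, int]]:
    """Split a script into (opcode, operand) pairs and a label -> index map.

    The "name:" label syntax is an assumption; the post does not show it.
    """
    program: list[tuple[str, str]] = []
    labels: dict[str, int] = {}
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:
            name = line[:-1]
            if name in labels:
                raise TemplateError(f"line {lineno}: duplicate label {name!r}")
            labels[name] = len(program)  # label points at the next instruction
            continue
        opcode, _, operand = line.partition(" ")
        if opcode not in ("J", "W"):
            raise TemplateError(f"line {lineno}: unknown opcode {opcode!r}")
        program.append((opcode, operand))
    return program, labels


def run(script: str, max_steps: int = 10_000) -> str:
    """Execute the template and return the generated message text.

    max_steps bounds execution so that a template jumping back to its own
    label cannot hang the emulator.
    """
    program, labels = parse(script)
    out: list[str] = []
    pc = 0
    steps = 0
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise TemplateError("step limit exceeded (infinite loop?)")
        opcode, operand = program[pc]
        if opcode == "W":
            out.append(operand)
            pc += 1
        else:  # "J": transfer control to the labelled instruction
            if operand not in labels:
                raise TemplateError(f"jump to undefined label {operand!r}")
            pc = labels[operand]
    return "\n".join(out)


def renders_cleanly(script: str, max_steps: int = 1_000) -> bool:
    """True if the template terminates within max_steps without errors."""
    try:
        run(script, max_steps)
    except TemplateError:
        return False
    return True


# Constructed sample template; not taken from any real Tofsee configuration.
SAMPLE = """
W Subject: test message
J body
W this line is skipped by the jump
body:
W Hello,
W This is a rendered template.
"""

if __name__ == "__main__":
    print(run(SAMPLE))
```

The forward jump in the constructed sample skips one W instruction, which is the only control flow the two documented opcodes allow; a backward J without a conditional opcode can only loop forever, which is why `renders_cleanly` reports such a template as a failure instead of hanging.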