FortiGuard Center

The State of Malware Today - May 2007



This month's highlights:

May, by the numbers:

Top 10 threats caught by Fortinet's FortiGate security appliances in May 2007:
Rank  Malware                    %
  1   W32/Dialer.PZ!tr          9.66
  2   W32/Bagle.DY@mm           7.43
  3   W32/Netsky.P@mm           7.15
  4   HTML/BankFraud.E!phish    6.54
  5   HTML/Iframe_CID!exploit   5.97
  6   W32/Sober.AA@mm           5.52
  7   W32/Stration.JQ@mm        4.15
  8   W32/ANI07.A!exploit       3.68
  9   W32/Grew.A!worm           3.20
 10   W32/Bagle.GT@mm           2.73


This month, there have been several turns of events, as outlined below:
  • Mass mailing is challenged again: phishing was the highlight of last month, with HTML/BankFraud.E!phish surpassing Bagle.DY and Netsky.P to take the top position of our malware list. This month, we have witnessed a new phenomenon with the strong surge of an odd candidate, W32/Dialer.PZ!tr. Backed by an aggressive distribution campaign, this dialer proved strong enough to lead the top list for May, and shows activity above and beyond our benchmark of Netsky.P, as can be seen in Figure 1 below.

Figure 1: W32/Dialer.PZ!tr activity for the month of May 2007, with aggressive distribution roughly every 7 days

  • Sober is back on track. This month kicked off with strong activity from the well-known mass mailer Sober, in the form of W32/Sober.AA@mm. As displayed in Figure 2, we noticed a large spike in Sober.AA distribution that began during the first three days of the month, tapering off and lying low thereafter. We had not seen such high activity from Sober since January 2006!
  • Stration continues at a steady pace. This month again, W32/Stration.JQ has been quite active, with a large spike towards the end of the month, on the 24th specifically (Figure 2). This is similar to the trend noticed with Stration last month, with a peak of activity on the 19th of April, as described in our previous roundup.

Figure 2: W32/Stration.JQ@mm and W32/Sober.AA@mm both display dominant spikes of activity

Over-sea-ing Operations with W32/Dialer.PZ!tr

It is rather odd to see frequent activity from a dialer in this day and age, so we will have an in-depth look at this W32/Dialer.PZ!tr phenomenon. Large volumes (see Figure 3) of W32/Dialer.PZ!tr have been reported since April primarily throughout Mexico and the USA. As can be seen from Figure 1 above, the distribution flow has been heavy and consistent throughout May. Prominent spikes every seven days suggest that the malware creators are attempting to cycle their "product" on a weekly basis in order to maintain the market flow and fine-tune the size of their botnet.

From the Factory

As production waves are being seen on a weekly basis, we get more information about the manufacturing process used by the malware authors. Every sample of W32/Dialer.PZ!tr sent out in the wild is packed with the well-known executable packer UPX, with a slightly modified twist that makes it more difficult to observe without a keen eye. According to Derek Manky, Fortinet Security Research Engineer, every variant received to date from the wild has been branded and tagged with manufacturing information. This information is encrypted and piggybacked on the end of the UPX-compressed malware. Included in the encrypted information are a contact server URL, a malware ID, a time stamp marking the creation of the sample off the assembly line, and an optional download link pointing to another file (usually a trojan), which in turn is downloaded and executed. The piggyback method is most likely used to speed up the production assembly line: new information is encrypted and tacked onto the malware before it is distributed. This allows many variants to be distributed easily with new attributes, such as contact servers and malware IDs, on the fly. It may indicate that the authors are far from being newbies: they perfectly understand that the efficiency and resilience of a centralized botnet (where bots take orders from a master server rather than using a peer-to-peer communication protocol) are tightly linked to its flexibility and its ability to evolve fast, with new master servers steadily entering the game.
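The report does not give the encryption scheme of the appended block, so it cannot be decoded here, but its position is a useful triage signal: data sitting past the end of the last PE section (the "overlay") of a UPX-packed file. The following added example, written for this page and not taken from Fortinet or from the malware, parses the PE section table to measure that overlay; the sample file it builds is a constructed, non-executable skeleton.

```python
import struct

def pe_overlay(data):
    """Return (section names, end of last section, overlay length) for a PE image,
    or None if the buffer is not a PE. The overlay is whatever follows the last
    section's raw bytes, which is where this report places the appended block."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    names, end = [], 0
    for i in range(nsections):
        off = table + 40 * i
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return names, end, max(0, len(data) - end)

def looks_like_tagged_upx(data):
    """Triage rule from the report: UPX section names plus a non-empty overlay."""
    info = pe_overlay(data)
    if info is None:
        return False
    names, _, overlay = info
    return any(n.startswith("UPX") for n in names) and overlay > 0

def build_sample(overlay):
    """Constructed, non-executable PE skeleton with UPX0/UPX1 sections and no
    optional header; `overlay` is appended after the section data."""
    raw_start = 0x40 + 24 + 2 * 40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)
    secs = b""
    for name, size, ptr in ((b"UPX0", 0x100, raw_start), (b"UPX1", 0x200, raw_start + 0x100)):
        secs += name.ljust(8, b"\0") + struct.pack("<IIII", size, 0x1000, size, ptr) + b"\0" * 16
    return dos + coff + secs + b"\0" * 0x300 + overlay
```

A real UPX-packed file normally has no overlay at all, so any trailing bytes on such a sample deserve a closer look.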

Report for Orders

Once W32/Dialer.PZ!tr has been executed on the victim's computer, its first order of business is to connect to the contact server mentioned above and report in; interestingly enough, if the connection fails, it deletes itself and cleans up any trace of its existence. Once connected, various parameters are sent to the server, including the malware ID, build time, VMware presence, locale ID of the infected machine (to determine geographic location), local date, time and bias (to determine UTC time), the local date and time of the last successful call, the total time dialed/connected for the current month, total/monthly connection attempts, and total/monthly number of established calls. Later variants received in May have an additional field reporting a unique infected-machine ID for the malware manufacturers to keep track of. The fact that parameters are revised and extended over time shows the flexibility of the piggyback system previously mentioned.

Dynamic Commanding

Once the report is complete, W32/Dialer.PZ!tr retrieves an encrypted response from the server and parses it. This response is dynamic and can contain data that the malware on the victim's machine may or may not expect. It is worth noting that by keeping track of the malware ID, the server can ensure a response appropriate for the infected client, thereby implementing protocol backward compatibility.

As is nearly always the case in typical centralized botnets, the response from the master server includes information and/or actions for the infected machine to carry out. Retrieved information includes an appropriate international phone number to dial (dynamically formed from the reported machine locale), a connection keep-alive time, and a custom-formed username and password. Additionally, there are other fields which may or may not be present, such as instructions to execute an EXE embedded in the response and exit, or to register a DLL (again embedded in binary form in the response) and continue to dial the international phone number.

After executing and/or registering any downloaded EXE/DLL files, the malware creates a phone book entry (in rasphone.pbk by default) with all the proper dialing credentials, and attempts to use this entry if a dial-up modem is present.

Putting it Together

The framework of this system gives a lot of control to the malware creators. By retrieving information from the infected machine such as locale and malware ID, the criminals behind this are able to fingerprint their products (and individual users in later cases with the unique machine ID). Based on this fingerprinting, they may be able to fine-tune their variants, actions and distribution methods. And of course, since the server response is dynamic, it is possible to intelligently respond to certain locales with specific phone numbers and instructions.

Currently, the malware creators have heavily seeded their product in the USA and Mexico (see Figure 3); we could illustrate the potential control they have with this framework by the following: If they wish to only send a particular executable to the USA and Mexico, all they need to do is dynamically respond to the USA and Mexico locales with an executable to download and execute. Simultaneously, requests that may be coming in from Japan would not receive the same executable due to their locale.

It appears that the malware creators have already learned from their own mistakes: the early variants seen in April contained hard-coded links in the piggybacked file data (see "From the Factory" above). Since the link was contained in the variant itself, it was easy to decode and find the location of the file to download, making the presence of this file much more apparent. The manufacturers have since revised this method and, while keeping backward compatibility with older variants, have removed the hard-coded link; they now dynamically respond from the server with the file to download and execute. With this revised method, they simply "flick the switch" on to distribute further EXE/DLL files for a period, and turn it off again in an effort to keep these files much less visible. Perhaps every seven days, as seen in Figure 1.


Figure 3: W32/Dialer.PZ!tr reports per country since April 20th, 2007


Again, as exhibited in Figure 3, the malware manufacturers have largely targeted North America for seeding. In fact, activity from other countries is so insignificant that it cannot be seen on this chart. Observing the chart, Mexico clearly has a more dominant audience than the USA. This is a bot designed to dial premium long-distance numbers; however, like all bots, it may also download, execute and upgrade components. Of course, dialing requires a modem, a technology which is quickly going the way of the dinosaur. One can assume that Mexico was targeted due to the potentially higher number of dial-up modems, while the USA was targeted for its high population.

Currently, the returned phone number does not take the source locale into consideration (other than for prepending the correct code to issue an international dial), which means that the malware creators have designated a fixed set of dial-up servers across the globe. Interestingly, a large majority of them are overseas, with Europe leading the way and Africa closely behind (see Figure 4). Several satellite phone numbers were also returned. Looking at the continents in detail, the country of Liechtenstein accounted for 92.6 percent of European numbers, whereas in Africa the numbers were spread more evenly between the Central African Republic, Cameroon, Madagascar, Niger, Sao Tome, and the Togolese Republic.


Figure 4: Server returned phone numbers by continent for W32/Dialer.PZ!tr
Europe (EU), Africa (AF), North America (NA), and Satellite Mobile Phone (Other)
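Since the bot plants its dialing credentials in the standard Windows phone book (rasphone.pbk, described under "Dynamic Commanding") and the returned numbers point to the overseas and satellite destinations listed above, a simple host check is to scan that phone book for entries dialing internationally. The following added example is not Fortinet's code; it assumes rasphone.pbk's INI layout with a PhoneNumber key per entry, uses public ITU calling codes for the countries named in this report, and runs over a constructed sample phone book.

```python
import configparser
import re

# Calling codes for the destinations the report names, plus satellite ranges.
# Assumption: public ITU country codes, not values recovered from the malware.
DESTINATIONS = {
    "423": "Liechtenstein (EU)",
    "236": "Central African Republic (AF)", "237": "Cameroon (AF)",
    "261": "Madagascar (AF)", "227": "Niger (AF)",
    "239": "Sao Tome and Principe (AF)", "228": "Togolese Republic (AF)",
    "870": "Satellite (Inmarsat)", "881": "Satellite (GMSS)",
    "882": "Satellite (international networks)",
}
# International access prefixes as dialled from the seeded regions: "+", NANP 011, Mexico 00.
INTL_PREFIXES = ("+", "011", "00")

def classify(number):
    """Destination group for an international number, None for a domestic one."""
    digits = re.sub(r"[\s().-]", "", number)
    prefix = next((p for p in INTL_PREFIXES if digits.startswith(p)), None)
    if prefix is None:
        return None
    rest = digits[len(prefix):]
    for code in sorted(DESTINATIONS, key=len, reverse=True):
        if rest.startswith(code):
            return DESTINATIONS[code]
    return "international, destination not listed in report"

def suspicious_entries(pbk_text):
    """(entry name, number, destination) for every entry that dials internationally.
    rasphone.pbk is INI-formatted, one [section] per connection entry."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(pbk_text)
    hits = []
    for name in cfg.sections():
        number = cfg[name].get("PhoneNumber", "")
        dest = classify(number)
        if dest:
            hits.append((name, number, dest))
    return hits

# Constructed sample phone book: one legitimate ISP entry and two planted ones.
SAMPLE_PBK = """\
[My ISP]
PhoneNumber=555-0100
[Connection]
PhoneNumber=011 423 555 0199
[Auto Connect]
PhoneNumber=00 870 555 0100
"""
```

On a live machine, feed it the contents of the per-user and system rasphone.pbk files and review any hit against the connections the user actually set up.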


Also included in the dialing credentials are the custom-formed username and password returned by the server. These usernames and passwords (the password currently remains static) are then used to dial the returned international phone number, which, as noted above, is most likely to be overseas. Taking all of these factors into consideration, especially the server returning a username and password to use on the call-back servers overseas, there are definitely some connections to be made. This has been organised on a global scale with likely more than one person playing ball, and rest assured, they are playing for the team with the black hats.

On that note, it is worth pointing out that such a business model, relying on a bot that embeds a dialer, is particularly rare. Indeed, the toxic encounter between botnets and dialers had effectively not happened before, for a simple reason: the rise of bots coincided with the global move of personal internet connections to DSL, which simultaneously brought on the sunset of dialers.

But it seems that today, a gang of cybercriminals has decided to take up the challenge, possibly relying on the "mass-distribution effect" to generate profits worth the development effort. The future will tell whether their infamous business model holds, but one thing is sure: in the coming months, a number of phone bills in Mexico and the US are going to be somewhat big...

As a matter of course, we have notified the authorities of the countries involved in the scheme, and made relevant data available.