Description:
Despite the antivirus industry's attempts to win the war against security threats, several battles are far from over. One such battle involves botnets, networks of compromised machines ("bots") that take orders from a remote controller, which continue to proliferate despite the evolving threat landscape. It is not that surprising, actually, given their long history. One might even say that the industry is fighting a losing battle, and with new infection reports arriving almost daily, there does seem to be a lot of catching up to do.
Among the currently detected botnet families (and their expansive variants), a curious little family called MEDBOT recently stood out and became popular, although not in a good sense. It was first detected in August, and recent reports submitted to the Trend Micro Antivirus Department indicate that it is currently affecting users in Japan and the United States.
The apprentice?
At first glance, the MEDBOT family looks like the usual run-of-the-mill IRC-based malware. Less than that, actually, when placed side by side with more prolific families like AGOBOT and SDBOT. Its worm variants simply spread across accessible network shares. It carries the usual payloads, including retaliation against installed antivirus software and backdoor capabilities. To say that this family is notable based on its routines seems far-fetched, even absurd.
However, whatever MEDBOT seems to lack in performance, it compensates for in complexity. Further analysis reveals that MEDBOT is more of a malware package consisting of a Trojan downloader, a hidden copy of that Trojan, and a worm. The worm is responsible for dropping the downloader into shared folders, while the hidden copy merely serves as a backup in case the main Trojan is removed from the system. The package's heart and soul, therefore, lies in the downloader.
Once running on the affected system, the Trojan downloader connects to several URLs (typically in the medbod.com domain, hence the detection name) to download updated copies of the malware package, and possibly other variants and malicious files. This routine not only compromises affected machines further with, as seen in the more recent variants, dropped adware, spyware, or other worms and Trojans; it also allows the malware to improve, even evolve, in the sense that earlier copies may be replaced by more sophisticated ones. The downloader Trojan, for example, may suddenly gain an updated routine, such as network propagation or backdoor capabilities.
Speaking of backdoor capabilities, MEDBOT's own routine is also a little more complicated than the rest. For one thing, it uses Web IRC rather than connecting to the usual IRC port (6667), so its control traffic does not announce itself as a connection to a well-known IRC port. For another, typical bots connect to an IRC server and then join a channel where a remote malicious user issues the commands that the malware executes. MEDBOT simply connects to the IRC server and waits for commands, including the download routines mentioned above, to arrive via private message. This lets remote users send commands with less risk than a fixed location (i.e., an IRC channel) that security companies and law enforcers can easily pinpoint, monitor, and shut down. The fact that any user can send such a private message to the bot also implies that MEDBOT is open to all... perhaps for rent to the highest bidder?
Figure 1: The obvious routines
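To make the difference concrete, here is an added example (not code from this page or from any Trend Micro tool) of how a defender might sift a captured IRC session for this command-by-private-message pattern: commands that arrive as PRIVMSGs addressed straight to the bot's own nick, with no JOIN ever seen. The session lines, the bot nick z0mb1e, the controller's host and the "." command sigil are all constructed assumptions; with Web IRC the lines would first have to be pulled out of the HTTP transport, which the example does not attempt.

```python
import re

# Constructed sample of a bot's IRC session as a defender might capture it
# (not real MEDBOT traffic): the bot registers, never JOINs a channel, and
# receives its orders as private messages from one controlling host.
SAMPLE_SESSION = [
    ":irc.example.test 001 z0mb1e :Welcome to the network, z0mb1e",
    ":irc.example.test PING :1157000001",
    ":ctrl!op@203.0.113.9 PRIVMSG z0mb1e :.download http://medbod.example/pkg/update.exe",
    ":friend!u@198.51.100.4 PRIVMSG #lobby :anyone seen the new build?",
    ":ctrl!op@203.0.113.9 PRIVMSG z0mb1e :.spam http://medbod.example/tpl/batch17.zip",
    ":ctrl!op@203.0.113.9 PRIVMSG z0mb1e :how are you",
]

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")
COMMAND_PREFIXES = (".", "!")  # assumption: bot commands start with a sigil


def parse_irc(line):
    """Split an RFC 1459 message into (prefix, COMMAND, args).
    The trailing parameter (after ' :') may contain spaces and becomes the last arg."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an IRC message: %r" % line)
    params = m.group("params") or ""
    if params.startswith(":"):
        middle, trailing = "", params[1:]
    elif " :" in params:
        middle, trailing = params.split(" :", 1)
    else:
        middle, trailing = params, None
    args = middle.split()
    if trailing is not None:
        args.append(trailing)
    return m.group("prefix"), m.group("cmd").upper(), args


def find_privmsg_commands(lines):
    """Flag command-looking PRIVMSGs addressed directly to the bot's own nick,
    and report whether the bot ever joined a channel at all."""
    own_nick = None
    joined = set()
    alerts = []
    for line in lines:
        prefix, cmd, args = parse_irc(line)
        if cmd == "001" and args:          # RPL_WELCOME carries the nick the server accepted
            own_nick = args[0]
        elif cmd == "JOIN" and args:
            joined.add(args[0])
        elif cmd == "PRIVMSG" and len(args) >= 2:
            target, text = args[0], args[1]
            # Channel targets start with # or &; a PRIVMSG to our own nick is private.
            if target == own_nick and text.startswith(COMMAND_PREFIXES):
                alerts.append({"from": prefix, "command": text})
    return {"nick": own_nick, "channels": sorted(joined), "alerts": alerts}


if __name__ == "__main__":
    report = find_privmsg_commands(SAMPLE_SESSION)
    print("bot nick:", report["nick"], "| channels joined:", report["channels"] or "none")
    for a in report["alerts"]:
        print("command via PRIVMSG from", a["from"], "->", a["command"])
```

An empty channel list together with sigil-prefixed private messages from a single host is the signature worth alerting on; the chatty "how are you" line is ignored because it carries no command sigil, which is also why the sigil is only an assumption to be adjusted per family.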
May the HORST be with you
Apart from its complex (albeit inconspicuous) routines, what is also notable about MEDBOT is that it makes use of the HORST family of Trojans, whose main routine is to turn affected systems into proxy servers. These Trojans are essentially "relay agents": since they sit between a client and a server, a malicious user can route remote commands through the affected system and hide his actual location from the server on the other end.
In a sense, HORST detections are also, for lack of a better term, "components" of the MEDBOT package. And while these proxy Trojans seem rather useless compared to their more sophisticated counterparts, perhaps they actually serve a higher purpose.
Figure 2: TROJ_HORST acts as a relay agent
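The relay-agent idea in miniature, as an added example rather than HORST's actual code: a tiny TCP relay on loopback, a stand-in target server that records which peer address connected to it, and a client that talks to the target only through the relay. The target ends up logging the relay's address, not the client's, which is exactly the cloak described above. All hosts and ports are local and ephemeral, and nothing here reproduces HORST's protocol or configuration.

```python
import socket
import threading


def _pipe(src, dst):
    """Copy bytes one way until src hits EOF, then half-close dst so the
    far side sees EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(target_host, target_port):
    """Listen on an ephemeral loopback port and splice the first client that
    connects to the target. Returns (listen_addr, info); info later holds the
    address the relay itself used for its outbound connection."""
    info = {}
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def serve():
        client, _ = lsock.accept()
        lsock.close()
        upstream = socket.create_connection((target_host, target_port))
        info["outbound"] = upstream.getsockname()   # what the target sees as its peer
        t = threading.Thread(target=_pipe, args=(client, upstream), daemon=True)
        t.start()
        _pipe(upstream, client)   # target -> client; returns when the target closes
        t.join()                  # client -> target; returns when the client closes
        upstream.close()
        client.close()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname(), info


def start_target():
    """Stand-in for the server the botmaster really wants to reach. It records
    the peer address it sees, echoes one message back, and hangs up."""
    seen = {}
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def serve():
        conn, peer = lsock.accept()
        lsock.close()
        seen["peer"] = peer
        with conn:
            conn.sendall(b"echo:" + conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname(), seen


def run_demo(message=b"HELO from the botmaster\n"):
    """Send one message through the relay and report which address each side saw."""
    target_addr, seen = start_target()
    relay_addr, relay = start_relay(*target_addr)
    chunks = []
    with socket.create_connection(relay_addr) as c:
        client_addr = c.getsockname()
        c.sendall(message)
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return {
        "client": client_addr,              # the "botmaster's" real source address
        "relay_outbound": relay["outbound"],
        "seen_by_target": seen["peer"],     # the only address the target ever logs
        "reply": b"".join(chunks),
    }


if __name__ == "__main__":
    r = run_demo()
    print("client connected from", r["client"])
    print("target saw peer      ", r["seen_by_target"])
    print("reply:", r["reply"])
```

The point of the demo is the last two addresses: the target's logs hold only the relay's outbound socket, so an investigator working from the server side reaches the "proxified" zombie and has to start over from there.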
To put it simply, maybe HORST is another form of stealth mechanism. Botnets, as mentioned earlier, are mere networks of computer robots that execute commands from a remote malicious user (i.e., the botmaster). Obviously, the botmaster sits at some specific location, one that stays anonymous thanks to a myriad of cloaks, which more recently include the use of DNS (Domain Name System) servers: by controlling the DNS records for the host name the bots contact, the botmaster can change the IP address behind it at will without changing the host name itself. Less mobility for the botmasters (i.e., moving from one host to another) means fewer chances of slipping up and getting caught.
The use of proxy servers further adds to the "security" for botmasters, or at least gives them a head start in covering their tracks yet again. After all, security companies will not just stand in the corner and cower until the next onslaught of bot attacks resumes; Trend Micro, for one, is ready to release the BASE engine, which can analyze the behavior of DNS traffic (and thus monitor possible botnet activities). Setting up another barricade, an army of "proxified" zombies, may help botmasters throw pursuers off their scent, so to speak.
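What "analyzing the behavior of DNS traffic" can mean in practice, as an added illustration that is unrelated to the BASE engine itself: a name whose answers hop across several addresses and networks with short TTLs looks different from a normal host, and that churn can be scored from passive DNS logs. The log format, the name c2.medbod.example, the addresses and the thresholds are constructed assumptions for this example, not real observations.

```python
from datetime import datetime

# Constructed DNS answer log (not real traffic): timestamp, queried name,
# record type, answer, TTL. One name keeps changing address with tiny TTLs;
# the other is an ordinary stable host.
SAMPLE_DNS_LOG = """\
2006-09-01T10:00:00 c2.medbod.example A 203.0.113.10 ttl=120
2006-09-01T10:02:30 c2.medbod.example A 198.51.100.77 ttl=120
2006-09-01T10:05:10 c2.medbod.example A 192.0.2.33 ttl=60
2006-09-01T10:07:45 c2.medbod.example A 203.0.113.10 ttl=120
2006-09-01T10:09:00 c2.medbod.example A 198.51.100.200 ttl=60
2006-09-01T10:01:00 www.example.net A 192.0.2.80 ttl=86400
2006-09-01T10:06:00 www.example.net A 192.0.2.80 ttl=86400
"""


def parse_dns_log(text):
    """Parse lines of the form '<iso-timestamp> <name> <type> <answer> ttl=<n>'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, rtype, answer, ttl = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "name": name.lower().rstrip("."),
            "type": rtype.upper(),
            "answer": answer,
            "ttl": int(ttl.split("=", 1)[1]),
        })
    return records


def churn_profile(records):
    """Per queried name: distinct A answers, distinct /24 networks, lowest TTL
    seen, and the time span over which the answers were observed."""
    prof = {}
    for r in records:
        if r["type"] != "A":
            continue
        p = prof.setdefault(r["name"], {
            "ips": set(), "nets": set(), "min_ttl": None,
            "first": r["ts"], "last": r["ts"], "answers": 0,
        })
        p["ips"].add(r["answer"])
        p["nets"].add(r["answer"].rsplit(".", 1)[0])   # /24 as a crude "different network" test
        p["min_ttl"] = r["ttl"] if p["min_ttl"] is None else min(p["min_ttl"], r["ttl"])
        p["first"] = min(p["first"], r["ts"])
        p["last"] = max(p["last"], r["ts"])
        p["answers"] += 1
    return prof


def flag_fluxing_names(records, min_ips=3, min_nets=2, max_ttl=300):
    """Names whose answers hop between several addresses in several networks
    with short TTLs. The thresholds are assumptions for this illustration,
    not tuned production values."""
    flagged = {}
    for name, p in churn_profile(records).items():
        if len(p["ips"]) >= min_ips and len(p["nets"]) >= min_nets and p["min_ttl"] <= max_ttl:
            flagged[name] = {
                "distinct_ips": len(p["ips"]),
                "distinct_nets": len(p["nets"]),
                "min_ttl": p["min_ttl"],
                "span_minutes": (p["last"] - p["first"]).total_seconds() / 60,
            }
    return flagged


if __name__ == "__main__":
    for name, info in flag_fluxing_names(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(name, info)
```

Content delivery networks also rotate addresses, so a score like this is a triage signal to combine with who is asking (a handful of workstations at odd hours versus everyone) rather than a verdict on its own.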
The dark side of the force
After all is said and done, the irony of MEDBOT is that its intent is simple: to send spam. One of the commands issued by remote users over the IRC servers mentioned earlier points to specific URLs where a spam package is located. The package includes, among other things, the message templates to be used along with their intended recipients.
Figure 3: The bigger picture
Again, it all boils down to financial gain. MEDBOT's elaborate attempt to turn machines into spam generators, and its reliance on several domains, clearly imply that there is an organized group behind it. Perhaps another malware family is involved as well? It is highly probable.
The (antivirus) empire strikes back
Whatever the case, the challenge for antivirus companies is clear: the rise of collaborative infection calls for a holistic approach to threat analysis and removal. Clearly, botnets are also adapting to the changing threat landscape. Unless the industry really wants to lose the battle, it must step up, and "stepping up" means providing more proactive solutions to counter these threats. A new hope, so to speak.
Trend Micro, for its part, not only currently detects more than 200 MEDBOT and HORST variants; with its IntelliTrap pattern it also detects files that exhibit characteristics and behavior similar to most MEDBOT variants. A generic detection pattern named POSSIBLE_HORST was created for the same function, this time to detect files that resemble HORST variants. In addition, the Trend Micro URL Filtering Engine (TMUFE) blocks the malicious domains and URLs related to this family, while the Trend Micro Antispam Engine (TMASE) blocks the spam messages the malware sends.
Of course, detecting malware is one thing; removing it is another. Trend Micro addresses this with GeneriClean, a new technology included in Damage Cleanup Engine (DCE) 5.0 that automatically removes malicious files and restores system modifications even when no Damage Cleanup Template (DCT) is available. It is already available to all Trend Micro OfficeScan Corporate Edition (OSCE) 7.3 users through OSCE 7.3 hot fix 1120. Users of other Trend Micro products can instead download a special fix tool for the same purpose.
Meanwhile, the war continues...