The latest version of the MSRT was released on the 8th of July. The newest family selected for inclusion was “Horst”. The Horst family is made up of a number of different components, each of which can perform different tasks.
Tasks include downloading, malware distribution and email account registration by CAPTCHA bypass.
Horst family variants have existed for a number of years, some of which appeared as early as 2004. Over the years, both the components and the techniques employed by the malware authors have evolved.
However, the true purpose of this family of malware has remained the same. It is designed to send spam. Typically, the content of spam messages promotes online pharmacy “retailers”.
As the main method of distribution in the wild, Horst masquerades as a software crack or key generator on the eDonkey peer-to-peer network. There is a specific Horst component dedicated to this task. It distributes a copy of a Horst trojan downloader using an ‘enticing’ filename. The filenames used target numerous commercial software packages. An example of such a filename might be “Microsoft Virtual PC 2007 crack0.exe”.
This passive distribution technique has also been employed by other families of malware, most notably the Bagle family. This subtle approach means that a potential victim will have no hesitation before executing the malware they have unwittingly downloaded.
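As an added illustration of the defensive side of the filename lure described above (this is constructed example code, not MMPC's own tooling), the following heuristic triages a listing of files found in a peer-to-peer share directory. The lure words, extension sets and the sample listing are assumptions chosen around the page's own example, “Microsoft Virtual PC 2007 crack0.exe”.

```python
import re
from pathlib import PurePosixPath

# Constructed heuristic: lure words commonly seen in crack/keygen bait names.
LURE_WORDS = {"crack", "keygen", "serial", "patch", "activator"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat"}
# A second, document-style extension before the executable one (e.g. "report.pdf.exe").
DOC_EXTS = {".pdf", ".doc", ".jpg", ".txt", ".mp3", ".avi", ".zip"}
# A lure word followed by a counter ("crack0") hints at mass-generated names.
NUMBERED_LURE = re.compile(r"\b(crack|keygen|serial)\d+$", re.IGNORECASE)


def score_filename(name: str) -> dict:
    """Return a triage verdict for one shared filename (heuristic only)."""
    path = PurePosixPath(name)
    ext = path.suffix.lower()
    stem = path.stem
    tokens = re.findall(r"[a-z]+", stem.lower())
    reasons = []
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    if any(t in LURE_WORDS for t in tokens):
        reasons.append("crack/keygen lure word in name")
    if NUMBERED_LURE.search(stem):
        reasons.append("numbered lure suffix (mass-generated name)")
    if len(path.suffixes) >= 2 and path.suffixes[-2].lower() in DOC_EXTS and ext in EXEC_EXTS:
        reasons.append("double extension")
    # Only an executable with at least one additional lure signal is flagged,
    # so an ordinary "setup.exe" is not reported on its own.
    suspicious = ext in EXEC_EXTS and len(reasons) >= 2
    return {"name": name, "suspicious": suspicious, "reasons": reasons}


def triage(listing):
    """Return only the suspicious entries from a share directory listing."""
    return [r for r in (score_filename(n) for n in listing) if r["suspicious"]]


# Constructed sample listing; the first entry is the filename quoted in the post.
SAMPLE_LISTING = [
    "Microsoft Virtual PC 2007 crack0.exe",
    "holiday photos.zip",
    "Adobe Photoshop keygen.exe",
    "setup.exe",
    "report.pdf.exe",
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_LISTING):
        print(verdict["name"], "->", "; ".join(verdict["reasons"]))
```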
The logical progression of the passive distribution technique employed by Horst is to torrent sharing. The proliferation of the peer-to-peer protocol BitTorrent has not gone unnoticed by malware authors. Here at the Microsoft Malware Protection Center (MMPC), we have observed malware which does just that. It “publishes” malicious torrents to distribution sites such as the notorious ‘Pirate Bay’.
Whilst not at the leading edge of malware distribution methodology, the Horst family of malware employs spamming techniques which are not highly prevalent in malware today.
Early generations of Horst components facilitated spamming through proxy functionality or performed the task of spamming via SMTP directly. Most modern malware exhibits the latter capability.
As anti-spam filtering technologies improved and real-time black hole list (RBL) usage became widespread, Horst sought to sidestep these anti-spam techniques entirely. The technique employed is to “virtually” compose and send spam which originates from trusted web-based email providers. By relying on the potential “trust” placed in email from these sources, a higher success rate of delivery is the probable outcome.
The authors of Horst have been developing these techniques for at least the last year. Components of Horst have targeted Hotmail, Gmail, AOL and Yahoo web-based email systems over this time period.
However, there is one hurdle which the Horst authors must overcome in order to manipulate a web-based email service. Sending email requires a valid account. Rather than attempting to hijack accounts of legitimate users, Horst components attempt to manually register accounts.
In order to create a web-based email account, the signup process requires “proof” that a human is behind the request. A visual CAPTCHA is employed to validate that the request is not originated by some variety of ‘bot’.
There are multiple components of Horst which perform this task and are able to bypass this very test. There is historical evidence which points to the use of online services which employ people in a “data entry” capacity. This means that Horst is not solving the CAPTCHA programmatically; the solution is being provided by a human.
Over approximately the last three months, the MMPC has observed some interesting developments within the Horst family of malware. The Horst authors are turning their efforts towards components which attempt to register accounts on various social networking sites. This shift is presumably an attempt to broaden the potential penetration of their “advertising”.
On to the MSRT numbers for the first week:
For all variants of Win32/Horst, there have been a total of 54,335 disinfections on 30,358 unique machines. This represents approximately 2.74% of the total number of infected machines reported thus far.
Scott Molenkamp (MMPC)