The family selected for addition to MSRT this month is Win32/Bamital. Win32/Bamital was first discovered in September 2009 and was able to intercept and modify queries performed by search engines such as AltaVista, Bing, Google and Yahoo. Win32/Bamital has evolved over a number of generations, employing a varying range of system modifications to ensure that the malicious code is executed. Whilst the complexity of Win32/Bamital has increased over time, the core functionality of search hijacking has remained.
For example, here is an extract from a current generation template Win32/Bamital employs to drive this functionality:
Some of the modifications observed over time include the ability to generate domain names for command and control algorithmically, a technique also employed by other high-profile malware such as Win32/Sinowal and Win32/Conficker for example.
In this case, the Date header in the HTTP response from a simple request to google.com acts as the seed for this process.
Date: Wed, 14 Sep 2011 00:42:36 GMT
An MD5 hash is calculated on a portion of this string, prepending 10 different single characters.
MD5(%character%14 Sep 2011)
This currently provides an upper limit of 40 domain names per day by using four different suffixes.
Here are a couple of examples for the small number of IP addresses to which the generated domain names resolve currently.
Interestingly, we can see that the authors of Win32/Bamital are employing the use of Amazon Web Services as part of their command and control infrastructure. We notified Amazon of the abuse and received confirmation that it is being investigated.
-- Scott Molenkamp