The Lurid Downloader

Sep 2011

Link: link

It constantly communicates with a C&C server to perform certain info-stealing tasks. The main feature of the Trojan is that all communication is started by the client by http. Firewalls and other security devices will never see any communication from outside in. Even the interactive command line is built this way so everything is done from the inside out. The communication is always encrypted although it's a simple XOR single- byte encryption. This means that network security devices won't readily see anything suspicious going on.

While we were unable to recover the data obtained by the attackers, we were able to collect some of the command issued by the attackers that hint at their objectives. We found that the attackers often issued the "LS" command to send a directory listing from specific directories on the compromised computers back to the command and control server. We also observed the use of the "SEND FILE" that ordered the compromised computers to compress, split and upload specific files (.rar, .xls, .doc) to the command and control server. However, we were unable to recover the ex-filtrated data.

APTnets are the new Botnets. Several years ago large numbers of computers were compromised and organized into Botnets. These Botnets were typically used to send out spam or launch DDoS attacks. Today large numbers of computers are compromised to steal the information on them.

This APTnet, named Lurid by the investigators, penetrated 1,465 hosts as determined by the addresses of machines sending information to the command and control computers. A large number of space and research-related as well as government systems were penetrated, especially in Russia. Computers in 61 different countries were penetrated.

As is usually the case, because of encryption and lack of host-based sensors, no one will probably know exactly what information was stolen.

@NetSquared_USA  copyright Net Squared, Inc., 2008-2013