Fresh Malware ChewBacca Hosts its C&C in Tor Network

Kaspersky says that its security researchers have encountered one fresh malware nicknamed "ChewBacca" which supports its sinister server in Tor network that characteristically remains anonymous. The function has been integrated into increasing number of malware strains, particularly the Atrax attack toolkit and ZeuS.

When ChewBacca hijacks PCs, it searches for processes running on the systems, records their process memory followed with informing the same to remote systems.

Director Marco Preuss for Kaspersky's Europe-based research team stated that the new malware couldn't be found on underground forums, as different from ZeuS' case. Incidentally, Kaspersky experts lately detected one 64-bit form of the notorious ChewBacca banker Trojan using Tor, reported threatpost.com, December 18, 2013.

According to Preuss, the Trojan possibly was going through an evolution else it was simply utilized in private alternatively shared. Apparently, Tor was drawing the attention of certain crooks for hosting their servers, since the protocol offered greater security for command-and-control systems, although there were drawbacks in it, the chief added.

The Trojan got written using Free Pascal 2.7.1 as also was spread like an executable file of a 5Mb PE32 size which as well contained Tor 0.2.3.25.

Upon running, ChewBacca or Trojan.Win32.Fsysna.fej plants one .exe file inside "Startup" folder of the OS as well as acquires the Internet Protocol address of the infected user through a service known as ekiga.net/ip. After that, it plants tor.exe inside the "Temporary Files" folder for execution.

Soon as the malware rests on the infected computer, it begins logging keystrokes that are stored in certain 'system.log' file, which's subsequently uploaded onto one server located elsewhere.

After carrying out all the activities, cyber-crooks then uninstall ChewBacca.

Meanwhile, as Tor draws the attention of criminals increasingly as a means to support their C&Cs, there could be fewer similar malware versions and at greater intervals. Gap exists in stopping crooks against running servers utilizing Tor, Preuss explains. Informationweek.com published this, December 18, 2013.

Because of the structure along with overlay, one finds Tor working slowly. Gigantic botnet operations could affect the entire Tor network; consequently, they may get detected easily. Furthermore, everything becomes more complex with Tor's implementation, Preuss concludes.

» SPAMfighter News - 12/25/2013