By Limor S. Kessem, Cybercrime and Online Fraud Communications Specialist, RSA
It appears that a much-anticipated event has finally transpired in the cybercrime arena: the release and active sale of a new commercially available Trojan family, circulating under the name Beta Bot, which began around January this year.
RSA researchers have recently come across samples of this user-mode rootkit, analyzing its behind-the-scenes infrastructure. Beta Bot actually started out as an HTTP bot and not a banking Trojan, but it has since evolved, donned a trigger list, and was repurposed for financial fraud that includes targets such as banks, ecommerce and even Bitcoin wallets.
RSA's research indicates that Beta Bot (alias: Troj/Neurevt-A) is not the creation of an amateur. The malware is a persistent Ring-3 (user-mode) rootkit with layers of anti-security protection (such as refusing to execute inside virtual machines, thereby evading sandboxes), AV-disabling features, and even a DNS-redirecting scheme that isolates bots from security-themed online resources, including RSA's official website.
Examining the Features of Beta Bot
Since Beta Bot's earlier vocation as an HTTP bot was performing repetitive automated tasks, it approaches its new job in much the same way: taking commands from its master and delivering stolen data from infected PCs.
Beta Bot sports a data-grabbing feature that captures HTTP POST requests, as well as a rather uncommon social engineering component that takes over the Windows user interface prompts, allowing it to interact with the end user, escalate its own processes' privileges, and make the infected PC its home for the long run.
In a rather unusual move, Beta Bot's developer chose to make the victim click through to allow the Trojan to deploy on the PC, making sure to have pop-ups in 10-12 different languages, matched to the user's geolocation, so that the user will authorize the file.
Additional features include: local pharming attacks (via DNS settings changes); downloading of files from the Internet as needed; and worm-like spreading via Skype or USB devices. The Trojan can kill competing malware's communications by terminating its processes or blocking its code injections and, keeping with current malware trends, possesses DDoS capabilities.
Stay Away RSA
Beta Bot's local DNS poisoning feature is similar to Citadel's DNS-redirection scheme and is used for the same purpose: to stop the infected user from reaching information security-themed web resources. In the settings of Beta Bot samples, the botmaster can block a list of AV and security provider websites, live update resources and online virus scanners. Any attempt to reach one of the listed URLs results in a redirection to an IP address predefined by the botmaster.
Interestingly, the developer chose to block out RSA’s official website RSA.com, as well as another domain that reaches RSA, registered as RSASecurity.com.
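The redirection described above is the kind of tampering an incident responder checks for first on a suspect host. The following is an added example, not code from the RSA post or from Beta Bot itself, and it makes one assumption the post does not state: that the "DNS settings changes" are implemented through the local hosts file, which is one common way such redirects are done. The watch list of vendor domains and the sample hosts file are both constructed for the example.

```python
"""Flag hosts-file entries that redirect security-vendor domains.

Added example (not from the original post). Assumption: the local DNS
redirect is done through the hosts file. WATCHED_DOMAINS and SAMPLE_HOSTS
are constructed for illustration; extend the list with your own vendors.
"""
import ipaddress

# Hypothetical watch list of security-themed domains a bot might block.
WATCHED_DOMAINS = {
    "rsa.com", "rsasecurity.com", "virustotal.com",
    "symantec.com", "kaspersky.com", "microsoft.com",
}

# Constructed sample of a tampered Windows hosts file (documentation IPs).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# entries below are constructed for this example
203.0.113.10    rsa.com www.rsa.com
203.0.113.10    rsasecurity.com   # botmaster-controlled address
127.0.0.1       update.kaspersky.com
192.0.2.5       virustotal.com
bad.line
"""


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping in a hosts file.

    Inline '#' comments are dropped; lines without an address and at least
    one hostname are skipped. One address may map several hostnames.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            yield parts[0], host.lower().rstrip("."), lineno


def is_watched(host):
    """True if host is a watched domain or a subdomain of one."""
    return host in WATCHED_DOMAINS or any(
        host.endswith("." + d) for d in WATCHED_DOMAINS
    )


def find_redirects(text):
    """Return suspicious hosts entries for watched domains.

    Each finding is {"line", "host", "ip", "kind"}. kind is "redirect" when
    the address is routable (the botmaster-IP scheme the post describes) or
    "blackhole" when it is loopback/0.0.0.0; both are worth reviewing, since
    a legitimate hosts file has no reason to pin a security vendor's site.
    """
    findings = []
    for ip, host, lineno in parse_hosts(text):
        if not is_watched(host):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; not a usable mapping
        kind = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append({"line": lineno, "host": host, "ip": ip, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_redirects(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On a live Windows host, feed the contents of `%SystemRoot%\System32\drivers\etc\hosts` to `find_redirects`; a hosts file is only one of the places a local redirect can live, so a clean result does not rule out changes to the configured DNS servers or to the resolver itself.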
What Sets Beta Bot Apart?
What sets Beta Bot apart from other modern-day banking Trojans is that it is built like conventional software: instead of a minuscule core binary surrounded by plugins, Beta Bot is a single heavier binary and does not support plugins at all. This choice of architecture makes the file rather large and harder to deliver via popular exploit kits.
According to the developer, the malware was written in C++ over a period of about 18 months. It logs stolen data in a MySQL database and appears to target a mixed bag of entities, including large financial institutions, payment platforms, social networking sites, online retailers, gaming platforms, webmail providers, FTP and file-sharing credentials, as well as domain registrars, the latter for the common malware purpose of registering new resources.
The Beta Bot Server-side
The custom-written control panel, which is encoded with ionCube, does not show any advanced banking Trojan modules. However, since Beta Bot is rootkit-type malware, it easily enables its botmaster to control the infected machines, send commands to the bots, download additional malicious files, remotely control the PC and impersonate victims in fraudulent transaction scenarios.
The control panel's interface is web-based and accessible remotely. In tongue-in-cheek fraudster fashion, failed login attempts present the user with images of Brian Krebs, an independent security blogger, stating that failure to provide the correct password would result in "a 3-part article".
Beta Bot on the Cyber Market
While Beta Bot’s developer is keeping the Trojan private and will not sell the builder, he is selling binaries and providing technical support. At this time, Beta Bot can be bought from a vendor going by the alias “betamonkey” for anywhere between $320 and $500 USD per build (~€250-€390), including the customized server-side control panel interface.
Variant ‘rebuilds’ (recompiled for the same customer) go for $20 for those who require configuration changes for the C&C while basic recompiles are only $10.
Capitalizing on the privatization trend, the fraud-as-a-service (FaaS) model works in the developer's favor: he can charge for a new variant every time a botmaster wishes to modify the trigger list or make changes to the C&C resources.
How is the Underground Reacting?
So far, reactions from Beta Bot buyers have been coming from hacking-themed boards and the open underground communities. Although Beta Bot is a rootkit, it is not considered as sophisticated as Trojans that are expressly designed for bank fraud, nor does it support the modules such Trojans rely on, such as web-injects and third-party transaction orchestration panels.
Vendors selling this Trojan are offering it up for testing and are asking for reactions from their buyers in an effort to continue developing while pushing sales and the overall buzz around this malware.
At this time it is not known whether Beta Bot will pick up momentum with cybercriminals; at least not until it beefs up its feature-set with additional capabilities that will create fans in the darker corners of the web.
Limor Kessem is one of the top Cyber Intelligence experts at RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog Speaking of Security. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter
ionCube is a commercial encoding solution for securing and licensing PHP scripts. Beta Bot's developer likely wanted to protect the control panel's PHP files with its encoding, encryption and obfuscation.
HTTP (or Internet) bots are malware that automates tasks dictated by a controller. The bot's purpose is to perform repetitive tasks quickly and without human intervention.