New Malware Family Highlight: Kuluoz
According to the Palo Alto Networks "Threat Landscape Review", one particular malware family, Kuluoz (also known as Asprox), stands out as prevalent in the sample data. This single family accounts for 4.9 million malicious sessions recorded during the month of October 2014. It impacted 1,933 companies across the 10 industries reviewed.
WildFire identified a total of 268,084 unique samples determined to be Kuluoz, 82.4% of which had not been collected by VirusTotal at the time of analysis.
The first version of Asprox appeared in 2007, and it was given its name by researchers who identified that it frequently tried to infect ASP (Active Server Pages) based websites. At the time the malware used command and control infrastructure hosted by the now-defunct McColo Corp ISP. By 2013, the primary components of Asprox had been replaced by a new malware family dubbed Kuluoz. While Asprox was an "all-in-one" malware, Kuluoz uses a modular design, which helps it evade detection and gives attackers more flexibility. In May a new campaign distributing Kuluoz was identified that was generating over 30,000 new WildFire sessions per hour. Since that time Kuluoz has remained highly prevalent across the entire world, and the October data shows this pattern continues.
The constantly evolving Kuluoz family is currently known for the following:
• High distribution volume through geolocation-associated spam e-mail templates
• Use of e-mail attachments and Web links that masquerade as document or media files
• Modular design, promoting extensibility
• Distinct roles for nodes in the botnet, including:
  - Spam generator for continued botnet propagation
  - Downloader of additional malware
  - Distributor of generalized commercial spam
• Platform-specific malware delivery based on user agent detection
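The second characteristic above, attachments that masquerade as document or media files, is the one a mail gateway or analyst script can check for directly. The following is an added example, not Palo Alto Networks code or anything taken from Kuluoz itself: it builds a constructed ZIP lure in memory (the member names and the fake "MZ" payload bytes are invented for the example) and flags members that are executables hiding behind a document-style double extension, or that carry a Windows PE header under a non-executable name.

```python
"""Flag ZIP attachment members that pose as documents or media.

Added example (not Palo Alto Networks or Kuluoz code). The sample lure
built by build_sample_lure() is constructed: the member names and the
"MZ" header bytes are fake stand-ins for a real executable.
"""
import io
import zipfile

# Extensions a spam lure typically pretends to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                 ".jpg", ".png", ".mp3", ".mp4", ".avi"}
# Extensions Windows will execute when double-clicked.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd",
             ".js", ".vbs", ".jse", ".wsf"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE file


def suspicious_members(zip_bytes):
    """Return a list of (member_name, reason) for suspicious ZIP members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Split the basename into its chain of extensions.
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            exts = ["." + p for p in parts[1:]]
            last = exts[-1] if exts else ""
            if last in EXEC_EXTS:
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                    findings.append((name, "double extension: executable posing as document"))
                else:
                    findings.append((name, "executable attachment"))
                continue
            # Extension looks harmless: check the content for a PE header anyway.
            with zf.open(info) as member:
                head = member.read(2)
            if head == PE_MAGIC:
                findings.append((name, "PE header under non-executable extension"))
    return findings


def build_sample_lure():
    """Constructed sample lure ZIP; the payload bytes are fake, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Court_Notice_000123.pdf.exe", PE_MAGIC + b"\x00" * 64)
        zf.writestr("invoice.pdf", PE_MAGIC + b"\x90" * 32)   # PE bytes, document name
        zf.writestr("readme.txt", b"Please see the attached notice.")
    return buf.getvalue()


if __name__ == "__main__":
    for member_name, reason in suspicious_members(build_sample_lure()):
        print(f"{member_name}: {reason}")
```

The content check matters as much as the name check: a gateway that only blocks `.exe` is defeated by a lure that relies on Windows hiding known extensions, while the two-byte header test catches the binary regardless of what it is called.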
Much of Kuluoz's success is owed to its self-propagation feature and its selection of e-mail themes geared towards social engineering of targets. After Kuluoz infects a system, it immediately begins downloading additional components, which can take the following actions:
• Retrieve the latest spam templates and e-mail address list from the attacker and e-mail copies of itself to those addresses using the supplied template.
• Download and install additional malware that can earn money for the attacker (e.g., adware, ransomware and banking Trojans).
• Attempt to infect websites through known vulnerabilities.
• Steal e-mail, FTP and Web browser credentials from the infected system.
While the total number of Kuluoz sessions in October 2014 is very high, viewing this data on a daily basis revealed a distinct pattern. Every weekend the total number of Kuluoz sessions drops close to zero, indicating that the systems responsible for sending much of the spam have stopped doing so, either on instructions from the attacker or by shutting down completely.
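The weekend drop described above is the kind of cadence that only shows up once session data is bucketed by calendar day. The following added example (not Palo Alto Networks code; the log format, the session volumes and the 10% threshold are assumptions for the illustration) parses constructed firewall-style threat log lines, counts sessions per day for one family, and flags days that fall far below the weekday median. Replace parse_line() with a parser for the real log format in use.

```python
"""Surface a weekday/weekend cadence in per-day malware session counts.

Added example (not Palo Alto Networks code). The 'ISO-timestamp key=value'
log format and the volumes produced by build_sample_log() are constructed
for the example; the 10% threshold in quiet_days() is an assumed tuning.
"""
from collections import Counter
from datetime import date, datetime, timedelta
import random
import statistics


def parse_line(line):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ k=v k=v ...' into (date, fields), else None."""
    try:
        ts, rest = line.split(" ", 1)
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
    except ValueError:           # malformed timestamp or no fields at all
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return day, fields


def daily_counts(lines, family="Kuluoz"):
    """Count sessions per calendar day for one malware family."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1].get("malware") == family:
            counts[parsed[0]] += 1
    return counts


def quiet_days(counts, ratio=0.1):
    """Days in the observed span with fewer sessions than ratio * weekday median.

    Days with no sessions at all are included in the span, so a botnet that
    goes completely silent still shows up as a quiet day.
    """
    if not counts:
        return []
    first, last = min(counts), max(counts)
    span = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    weekday = [counts.get(d, 0) for d in span if d.weekday() < 5]
    threshold = statistics.median(weekday) * ratio
    return [d for d in span if counts.get(d, 0) < threshold]


def build_sample_log(start=date(2014, 10, 6), days=14, seed=1):
    """Constructed log: 120 lines per weekday (108 Kuluoz), 3 per weekend day."""
    rng = random.Random(seed)
    lines = []
    for i in range(days):
        d = start + timedelta(days=i)
        n = 3 if d.weekday() >= 5 else 120
        for j in range(n):
            ts = datetime(d.year, d.month, d.day,
                          rng.randrange(24), rng.randrange(60), rng.randrange(60))
            host = f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}"
            # Every tenth weekday line is some other family, to show filtering.
            fam = "Other" if (j % 10 == 0 and d.weekday() < 5) else "Kuluoz"
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src={host} malware={fam} action=block")
    lines.append("garbage line without timestamp")   # exercise the parser's error path
    return lines


if __name__ == "__main__":
    counts = daily_counts(build_sample_log())
    for d in sorted(counts):
        print(d, d.strftime("%a"), counts[d])
    print("quiet days:", [d.isoformat() for d in quiet_days(counts)])
```

With the constructed data, every weekday carries 108 Kuluoz sessions and each Saturday and Sunday carries 3, so the four weekend days of the two-week span are the only ones flagged. On real data the same function picks out the attacker's pause regardless of which weekday it falls on; the point is the ratio to the normal volume, not the calendar.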
The Kuluoz attackers stay ahead of antivirus detection by regularly regenerating the malware binaries, so that each new sample appears brand new to signature-based tools despite containing the same functionality.
Defending Against Kuluoz
It is important that information security professionals and defenders are aware of the threats specific to their company and industry and stay up to date on the latest threat intelligence focused on their area. The following recommendations help defenders prepare for threats like Kuluoz:
• User awareness: Awareness and training for users will reduce the impact of any type of e-mail phishing. A number of Kuluoz variants require extra steps to be performed by a user (e.g., opening a ZIP archive and then running a malicious binary). Encourage users to be wary of unexpected or unsolicited e-mails, especially those that employ any sort of pressure tactic and/or leverage the themes cited above.
• Protocol monitoring and control: Maintain visibility into the protocols malware uses for delivery and Command and Control (HTTP, SMTP, IMAP, FTP), paired with structured and clearly defined response actions (most of which can and should be automated) to prevent or reduce the associated impact.
• Automated analysis: Automating static and dynamic analysis of unknown samples addresses the natural gap between the development of a new variant of a threat and its coverage by signature-based technology; antivirus and other signature-based security controls fall short in that window. Solutions such as Palo Alto Networks WildFire allow enterprises to identify new and emerging threats that remain unknown to the other security controls in the environment.
• Intelligence fusion: Leveraging actionable intelligence is a cornerstone of Computer Network Defense (CND) operations. Threats such as Kuluoz rely heavily on their embedded initial Command and Control (C2) communications to fully realize their role(s) within the botnet. Up-to-date feeds of malicious domains, IPs, file signatures and hashes, together with integration of intelligence gleaned from automated analysis solutions in the environment, enable robust security controls that empower network defenders.