A variant of a banking Trojan known as Cridex can communicate with a CAPTCHA-breaking server in order to establish malicious email accounts. Researchers at Websense Security Labs posted a video documenting how Cridex broke a CAPTCHA test and opened a Yahoo email account in six attempts.
The Cridex network grows as it infects new machines via malicious emails.
The emails contain links to a Black Hole exploit kit, which attacks vulnerabilities in Web browsers and plug-ins. If successful, the kit downloads Cridex onto the machine.
“Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: It logs content from Web sessions and alters them to harvest information from the infected user,” according to the Websense Security Labs blog.
Cridex targets information from platforms like Facebook, Twitter and several online banking services. That data is then sent to a remote server.
Finally, it uses the infected machine to grow the size of the bot.
According to Websense, the Trojan “opens Web sessions to online mail services and registers new email accounts that are later used by the bot to send spam/malicious emails.”
Cridex cannot run without a successful attack by the Black Hole exploit kit. Machines with updated Web browsers and applications, as well as the latest antivirus software, should be protected, Websense said.
How to break a CAPTHA
Step 1: The starting point of an infection is a banking Trojan variant known as Cridex. This variant is propagated via malicious email messages that hold shortened links leading to exploit kits (see this example), in our case the Blackhole exploit kit.
Step 2: If the exploit is successful, the Cridex variant is downloaded to the machine.
Step 3: Cridex runs on the machine.
Step 4: Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: It logs content from Web sessions and alters them to harvest information from the infected user. The Cridex configuration file downloaded by this variant (safe to view and download and shortened here) shows which websites the variant monitors and steals data from, along with Web form injection points (data alteration injected into Web forms to harvest additional data like ATM PIN numbers). We have observed that Facebook, Twitter, and many banking services are targets. A partial list of targeted websites can be found here. Step 5: Any stolen data from the system is uploaded to a command and control server.
Picture 1: The Cridex ecosystem:
Step 6: One of the components downloaded by Cridex with the configuration file is a propagation module or spamming module that allows the botmaster to send spam/malicious emails to infect other systems and increase the bot size. The spamming module holds backdoor components that allow browsing activities in the name of the user. The module opens Web sessions to online mail services and registers new email accounts that are later used by the bot to send spam/malicious emails. As we know, online mail services hold security checks like CAPTCHA challenges to verify that a human is indeed behind any account registration.
Step 7: According to our findings, CAPTCHA challenges in some cases can be broken with the help of a CAPTCHA-breaking server, which allows the bot to register a mail account or address after only a few attempts. This video documents the registration of an online mail account by the bot on an infected machine:
The CAPTCHA-breaking process consists of posting CAPTCHA challenge images harvested from the online email registration form to a remote Web server (the CAPTCHA-breaking server). The request is an HTTP POST with an embedded CAPTCHA image posted to the CAPTCHA-breaking server. Once the server processes the image, it outputs a response in JSON format with the CAPTCHA text result that responds to the submitted image (see Picture 2). The backdoor component then tries to use that returned CAPTCHA text result in the online email account registration form. In case the CAPTCHA-breaking server output is wrong and does not correspond to the CAPTCHA image challenge, the process continues and the next CAPTCHA image challenge is submitted until the server manages to break the CAPTCHA. You can look at Picture 3 to see the images submitted to the CAPTCHA-breaking server and the corresponding results from the server. Not all the attempts succeed in breaking the CAPTCHA, but some do and in our example you see it took 6 attempts.
The malware reports to the CAPTCHA-breaking server whether the result it got actually broke the CAPTCHA. Picture 4 shows HTTP requests that report back to the CAPTCHA-breaking server whether the CAPTCHA result the server gave in previous sessions was indeed successful in breaking the CAPTCHA. A successful CAPTCHA break is signed with the r parameter: If the parameter is 0 (&r=0), the CAPTCHA break attempt was unsuccessful, whereas if the parameter is 1 (&r=1), the CAPTCHA break attempt was a success.
Picture 2: An HTTP POST request of an image to the CAPTCHA-breaking server and the response from the server
Picture 3: The images posted to the CAPTCHA-breaking server and their corresponding results
Picture 4: The malware reports to the CAPTCHA-breaking server if the CAPTCHA break attempt was successful