Neutralizing Tofsee Spambot – Part 1 | Binary file vaccine

An introduction to malware vaccines

This security concept works by proactively introducing a small piece of harmless code into a computer system to disrupt and prevent malware from executing and spreading. This is not dissimilar to how medical vaccines work (hence the use of the same terminology). Essentially, the premise is to “immunize” the system against specific types of malware by providing the system, in advance, with a form of defense.

There are various types of malware vaccines, including file-based, memory-based, and network-based. They can be delivered as standalone software tools or integrated into other security products such as antivirus software.

While malware vaccines can be an effective defense against certain types of malware, they should never be used as a substitute for other security measures such as keeping software and operating systems up to date, using strong passwords, and avoiding suspicious email attachments or downloads, to name but a few. It’s also important to note that as new malware strains are developed, the vaccines must be updated accordingly to remain effective.

Let’s move on to the malware taking center stage in this series…

An introduction to Tofsee

Tofsee, also known as Gheg, is a sophisticated modular malware primarily designed to send spam email along with other full-fledged botnet activities such as mining and stealing login and email credentials, as well as downloading further malware. Generally, the additional malware downloaded is either ransomware or banking Trojans.

The malware is written in C/C++ and uses various techniques to avoid detection and remain persistent on infected systems.

Identifying where a vaccine can be “injected” in Tofsee

To create a vaccine for a malware family, you need to have the ability to mimic the existence of part of the malware, for example, its binary file. This tricks the malware into believing that an instance of the malware code is already running on the system and, therefore, won’t try to re-infect it.

The first stage in identifying points to distract from the normal execution of the binary file is to reverse engineer the malware to understand the flow process of the code.

To explore the possibility of imitating the binary file, you need to check if it’s in the installer/installed path.

Installer/Installed path checks in Tofsee

Tofsee installer/installed paths deviate from the norm

When we ran these checks with Tofsee, we noticed a slight deviation from the typical routine. Instead of checking file or registry-based artifacts, Tofsee cross-checks against an in-memory variable injected during installation.

Installer checks Tofsee

This makes it impossible to imitate the binary file; however, it did make us ask the following question:

“How does Tofsee manage the duplicate runs of the same binary?”

The answer is that Tofsee handles this process using Inter-Process Communication (IPC) pipes [https://www.geeksforgeeks.org/ipc-technique-pipes/].

IPC communications initiate an exist

In the binary, we noticed a subroutine where Tofsee opens an IPC pipe and processes various data. The malware uses this IPC channel to communicate with another running instance to trigger an exist.

An algorithm is used to generate the pipe name, creating a name based on a predetermined value. This value is specific to the infected machine and is based on the hard drive’s volume serial number. The malware purposefully does this to make hardcoded indicator of compromise (IOC) detection impossible on machines.

Pipe name generation code

After generating the pipe name, the data received from the pipe is cross-checked as follows:

1. A 4-byte random integer is generated and sent across the pipe.
2. A 4-byte integer is read from the pipe.
3. The integrity of communication is checked using the following check (WRITE_DWORD >> 2) + WRITE_DWORD == READ_DWORD.
4. If the check is passed, another DWORD is written, which is generated from (READ_DWORD >> 2)
5. The calling process terminates.

A chink in Tofsee’s armor

Here, where the data check creates the binary, there is the potential to leverage this process for the vaccine on the proviso that the binary isn’t already running. If it is running, unfortunately, the opportunity to stop it is missed.

But let’s focus on the scenario where the pipe doesn’t exist; from here, an IPC pipe of the same name is created, and another set of data is received and cross-checked with specific parameters. These checks are a little more complex than the previous ones:

1. A 4-byte integer is read from the pipe.
2. A 4-byte integer is generated from right-shifting the integer by 2 and adding it back.
3. Two internally defined structures are read successively from the pipe. These structures are defined as follows:

At this point, the vaccine packet can be used.

Tofsee Vaccine structures

The entire code for the Tofsee vaccine

Below is the complete C code that you can use as a vaccine for new infections of Tofsee and existing ones, named as first dose vaccine and booster vaccine (ring any bells from the COVID days?!?).

Happy vaccination coding!

In our next blog post, we’ll look at a second vaccine you can use to protect against Tofsee. This one concentrates on injecting code into the memory configuration store.