The Spamhaus Malware Researchers have been busy in their lairs, reverse engineering Tofsee malware to provide you with the code required for two malware vaccines and a network-based kill switch. A hat trick of protection against this spambot! This is the first in this three-part series, and looks at how to inject a malware vaccine into the binary file.

An introduction to malware vaccines

This security concept works by proactively introducing a small piece of harmless code into a computer system to disrupt and prevent malware from executing and spreading. This is not dissimilar to how medical vaccines work (hence the use of the same terminology). Essentially, the premise is to “immunize” the system against specific types of malware by providing the system, in advance, with a form of defense.

There are various types of malware vaccines, including file-based, memory-based, and network-based. They can be delivered as standalone software tools or integrated into other security products such as antivirus software.

While malware vaccines can be an effective defense against certain types of malware, they should never be used as a substitute for other security measures such as keeping software and operating systems up to date, using strong passwords, and avoiding suspicious email attachments or downloads, to name but a few. It’s also important to note that as new malware strains are developed, the vaccines must be updated accordingly to remain effective.

Let’s move on to the malware taking center stage in this series…

An introduction to Tofsee

Tofsee, also known as Gheg, is a sophisticated modular malware primarily designed to send spam email along with other full-fledged botnet activities such as mining and stealing login and email credentials, as well as downloading further malware. Generally, the additional malware downloaded is either ransomware or banking Trojans.

The malware is written in C/C++ and uses various techniques to avoid detection and remain persistent on infected systems.

Identifying where a vaccine can be “injected” in Tofsee

To create a vaccine for a malware family, you need to have the ability to mimic the existence of part of the malware, for example, its binary file. This tricks the malware into believing that an instance of the malware code is already running on the system and, therefore, won’t try to re-infect it.

The first stage in identifying points to distract from the normal execution of the binary file is to reverse engineer the malware to understand the flow process of the code.

To explore the possibility of imitating the binary file, you need to check if it’s in the installer/installed path.


Installer/Installed path checks in Tofsee

Tofsee installer/installed paths deviate from the norm

When we ran these checks with Tofsee, we noticed a slight deviation from the typical routine. Instead of checking file or registry-based artifacts, Tofsee cross-checks against an in-memory variable injected during installation.



Installer checks Tofsee

This makes it impossible to imitate the binary file; however, it did make us ask the following question:

“How does Tofsee manage the duplicate runs of the same binary?”

The answer is that Tofsee handles this process using Inter-Process Communication (IPC) pipes [https://www.geeksforgeeks.org/ipc-technique-pipes/].

IPC communications initiate an exist

In the binary, we noticed a subroutine where Tofsee opens an IPC pipe and processes various data. The malware uses this IPC channel to communicate with another running instance to trigger an exist.

An algorithm is used to generate the pipe name, creating a name based on a predetermined value. This value is specific to the infected machine and is based on the hard drive’s volume serial number. The malware purposefully does this to make hardcoded indicator of compromise (IOC) detection impossible on machines.


Pipe name generation code

 

After generating the pipe name, the data received from the pipe is cross-checked as follows:

1. A 4-byte random integer is generated and sent across the pipe.
2. A 4-byte integer is read from the pipe.
3. The integrity of communication is checked using the following check (WRITE_DWORD >> 2) + WRITE_DWORD == READ_DWORD.
4. If the check is passed, another DWORD is written, which is generated from (READ_DWORD >> 2)
5. The calling process terminates.

A chink in Tofsee’s armor

Here, where the data check creates the binary, there is the potential to leverage this process for the vaccine on the proviso that the binary isn’t already running. If it is running, unfortunately, the opportunity to stop it is missed.

But let’s focus on the scenario where the pipe doesn’t exist; from here, an IPC pipe of the same name is created, and another set of data is received and cross-checked with specific parameters. These checks are a little more complex than the previous ones:

1. A 4-byte integer is read from the pipe.
2. A 4-byte integer is generated from right-shifting the integer by 2 and adding it back.
3. Two internally defined structures are read successively from the pipe. These structures are defined as follows:

At this point, the vaccine packet can be used.


Tofsee Vaccine structures

The entire code for the Tofsee vaccine

Below is the complete C code that you can use as a vaccine for new infections of Tofsee and existing ones, named as first dose vaccine and booster vaccine (ring any bells from the COVID days?!?).

Happy vaccination coding!

In our next blog post, we’ll look at a second vaccine you can use to protect against Tofsee. This one concentrates on injecting code into the memory configuration store.

 

Border Gateway Protocol Firewall

Border Gateway Protocol (BGP) Firewall provides your users and network with up-to-date protection against botnets and other external attacks.

Set up takes minutes; our data is constantly updated in real time by our experienced researchers on your behalf and can be utilized in your existing firewalls or routers.

  • Prevent data exfiltration
  • Protect your network from botnets
  • Reduce infected machines on your network

Spamhaus Intelligence API (SIA)

Spamhaus Intelligence API (SIA) contains context-rich metadata relating to IP and domain reputation. Integrate this data with your applications to enhance existing data feeds, or consume as an independent data source.

In this easy-to-consume format, SIA can be used for threat detection and investigation, risk scoring, customer vetting, validation and much more.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust in

DNS Firewall Threat Feeds

Applied at the DNS level of your infrastructure, these threat feeds automatically stop users from accessing malicious sites including phishing and malware dropper websites.

These threat feeds can be integrated with existing recursive DNS servers, or for those who don’t manage their own DNS, we have a managed service available.

  • Reduce IT costs
  • Set and forget
  • Save money on risk insurance

Lifting the lid on a long-time operating Brazilian malware gang

6 May 2023

News

For over 8 years, our researchers have been tracking an operation that targets Brazilian internet users, and is focused on stealing their banking credentials, withdrawing funds from its victim’s accounts. Here’s a potted history.

Neutralizing Tofsee Spambot – Part 3 | Network-based kill switch

6 April 2023

Blog

In part three, we focus on using a network kill switch - causing an out-of-bounds read error, leading to Tofsee crashing.

Neutralizing Tofsee Spambot – Part 2 | InMemoryConfig store vaccine

6 April 2023

Blog

In part two, learn about a second malware vaccine our team has produced, focused on polluting Tofsee's internal configuration store.