Here’s the second in our three-part series focused on protecting against Tofsee malware. This spambot is prolific, but various vaccines and kill switches are available to defend against Tofsee. Our malware researchers are sharing two vaccines and a network-based kill switch in this series.

A recap

If you’re wondering what malware vaccines are and how they can be utilized, or you’d like to read about the first vaccine our researchers have shared relating to Tofsee and its binary file, read this blog post. Alternatively, keep reading to learn about a second vaccine our team has produced, focused on polluting Tofsee’s internal configuration store.

A deeper dive into Tofsee’s config stores

During the runtime of Tofsee and the communications with its command and control (C&C) server, Tofsee stores various configuration values pertinent to the proper runtime of the code in a memory-based structure which we call the InMemoryConfig store. This is a circular linked list structure, and Tofsee defines it as follows:


InMemoryConfig store structure

Locations of Tofsee’s configuration storage

Each ConfigValue buffer has its internal structure based on the ConfigType value. This chained config is dumped and stored in various locations on the infected system so Tofsee can retrieve it after a reboot.

The various configuration storage locations are:

File Storage
1 %USERPROFILE%\:.repos (ADS)
2 %USERPROFILE%\Local Settings:.repos
3 %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.repos
4 %USERPROFILE%\wincookie.repos

Registry storage
1: HKEY_CURRENT_USER\\Control Panel\\Buses\\Config0
2: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Buses\\Config0

A simple Tofsee xor algorithm encodes the data stored in one of these places:

Once retrieved and decoded, this data looks something like this in its raw parsed form:

The config stores of particular interest to us are the work_srv and start_srv structures. Both are retrieved during the initial C&C connection of the Tofsee botnet.

Tofsee’s botnet C&C environment

Tofsee has a tier-2 C&C ecosystem. The malware uses the hardcoded C&Cs in the binary only once to retrieve a list of tier-2 peers. These tier-2 piers then act as forwarding C&Cs and are stored in the work_srv and start_srv config stores.

work_srv and start_srv have the following definition in the memory:

struct srv
{
char NumElements;
struct __srv
{
char IP_C2[0x41];
DWORD Port;
}Src[NumElements]
};

How can you exploit this for a vaccine?

In order to vaccinate Tofsee from connecting to first-tier or second-tier C&Cs, we can pollute these config stores’ values before the start of the infection chain.
work_srv will point to a controlled sinkhole IP. In this example, we’re going to point it to 127.0.0.1. In addition to this, we will recalculate the crc32 of data buffer so that it passes the integrity check inside the binary:

Modified value for wrk_srv ( with proper crc32 hash value)

To create a vaccine, the above binary blob has to be encoded using the same algorithm and written back to one of the config store paths file or registry:


“Config0” modified registry value for vaccine

When Tofsee makes the connection, it only connects to the local sinkhole.

Simple!

The final of our Tofsee series looks at a network-based kill switch to protect against this malware.

DNS Firewall Threat Feeds

Applied at the DNS level of your infrastructure, these threat feeds automatically stop users from accessing malicious sites including phishing and malware dropper websites.

These threat feeds can be integrated with existing recursive DNS servers, or for those who don’t manage their own DNS, we have a managed service available.

  • Reduce IT costs
  • Set and forget
  • Save money on risk insurance

Spamhaus Intelligence API (SIA)

Spamhaus Intelligence API (SIA) contains context-rich metadata relating to IP and domain reputation. Integrate this data with your applications to enhance existing data feeds, or consume as an independent data source.

In this easy-to-consume format, SIA can be used for threat detection and investigation, risk scoring, customer vetting, validation and much more.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust in

Border Gateway Protocol Firewall

Border Gateway Protocol (BGP) Firewall provides your users and network with up-to-date protection against botnets and other external attacks.

Set up takes minutes; our data is constantly updated in real time by our experienced researchers on your behalf and can be utilized in your existing firewalls or routers.

  • Prevent data exfiltration
  • Protect your network from botnets
  • Reduce infected machines on your network

Neutralizing Tofsee Spambot – Part 3 | Network-based kill switch

6 April 2023

Blog

In part three, we focus on using a network kill switch - causing an out-of-bounds read error, leading to Tofsee crashing.

Neutralizing Tofsee Spambot – Part 1 | Binary file vaccine

6 April 2023

Blog

We've been busy reverse engineering Tofsee malware to provide you with the code required for two malware vaccines and a network-based kill switch.

Dissecting the new shellcode-based variant of GuLoader (CloudEyE)

12 October 2022

Blog Technical Information

One of the Spamhaus Project's malware specialists has been battling GuLoader, attempting to analyze this tricky malware. Here they share their findings and explain how you can extract URLs from GuLoader.