Here's the final post in our three-part series on how to protect against Tofsee malware. This blog post concentrates on using a network kill switch: a crafted packet triggers an out-of-bounds read that crashes Tofsee.

Playing catch-up?

If you missed the first two posts in this series, they focus on malware vaccines. These are proactive measures that help prevent malware infections by patching vulnerabilities in the system or blocking known attack vectors. Malware vaccines are not dissimilar to medical vaccines, which give the body immunity to a particular disease.

The first malware vaccine revealed by our researchers concentrated on the binary file, and the second one centered around the InMemoryConfig store.

What is a malware kill switch?

A malware kill switch is a feature that some malware authors include in their code that enables them to shut down the malware or prevent it from causing harm under certain circumstances, such as if the malware is spreading too quickly, causing damage to critical systems, or should their operations be tracked or compromised.

A good example is the case of the WannaCry ransomware attack in 2017 [https://www.bbc.co.uk/news/technology-41753022]; a researcher discovered a kill switch that the cybercriminal had built into the malware. By registering a specific domain name, the researcher could trigger the kill switch and stop the malware from spreading further.

What is a network-based kill switch?

In some cases, security researchers or organizations can develop a network-based kill switch for a specific malware threat. This reactive measure lets security experts remotely disable or shut down malware infections, neutralizing the threat quickly and effectively once it is detected.

While using a network-based malware kill switch can be an effective way to limit the damage caused by malware, it is key to note that it may not be a foolproof solution. Malware can evolve rapidly, and attackers may be able to find ways to work around a kill switch or develop new malware that is not vulnerable to it. Therefore, it is essential to use a variety of security measures, such as anti-malware software, firewalls, and regular security updates, to protect against malware infections.

How can a network kill switch be implemented for Tofsee?

One way to render Tofsee useless and kill it without access to the remote infected machine is to locate a bug in its binary code and crash the malware.

The first part of this process is to get our data parsed by Tofsee, and to do this, we need to follow its protocol specification.

Tofsee’s protocol specification

Communication is bi-directional and encrypted using a custom algorithm that requires two state keys. These state keys are specific to each SocketConnection in Tofsee and are updated with each Transmission Control Protocol (TCP) data transfer between the botnet command and control server (C&C) and the infected bot. This is known as rolling key encryption.

Figure: Encryption algorithm

Tofsee has a complex way of communicating with a C&C: it sends various structures to "latch" the connection with the C&C server. To keep this blog post as short and sweet as possible, we will only reference the structures relevant to the attack vector that crashes the binary.

One is operation number 2 (OP2), the receive resource command.

Tofsee packets are encapsulated in a header packet defined below:

Figure: Encapsulated packet for OP2

Taking advantage of this vulnerability

We can exploit this missing cross-check: in the CRC32 hash function, the length of the data is never bounds-checked against the buffer, so a packet whose declared size is greater than the buffer causes an out-of-bounds read, leading to a crash.

When the CRC32 hash function is called to calculate the hash of the packet's data, it continues reading and processing memory beyond the allocated buffer, potentially crashing Tofsee. This function is called when an InMemoryConfig struct is parsed and populated so that the received resource is stored in memory.

Figure: No length verification checks

Because len is a 4-byte integer, we are free to corrupt it to any value in the range 0x00-0xFFFFFFFF. A ResourceStructure packet carrying such a high value would look something like this (complete with the manipulated len field):

This data is parsed by update_config_resource and eventually fed to the CRC32 hash calculation routine. Due to the manipulated value of len, an out-of-bounds read exception is raised, ultimately resulting in the binary crashing.
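As an added example (not Tofsee's code and not from the original post), here is the missing check rendered from the defender's side: a resource-packet parser that validates the attacker-controlled len field against the bytes actually received before the CRC32 routine is allowed to read. The packet layout ([u32 len][u32 crc32][data], little-endian) and the function names are assumptions, since the post's packet figures are not reproduced here.

```c
/* Added example, not Tofsee's code: a resource-packet parser that bounds-checks the
 * attacker-controlled len field before the CRC32 routine reads the data. Packet
 * layout is ASSUMED for illustration: [u32 len][u32 crc32][len data bytes], LE. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Standard CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320). */
uint32_t crc32_ieee(const uint8_t *buf, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

enum parse_result { RES_OK = 0, RES_SHORT_HEADER, RES_LEN_OOB, RES_BAD_CRC };

/* Hardened parse: len is validated against the bytes actually received (avail) before
 * crc32_ieee() may touch them. The check the post says Tofsee lacks is the RES_LEN_OOB
 * branch; without it, len = 0xFFFFFFFF sends the CRC loop off the end of the buffer. */
enum parse_result parse_resource(const uint8_t *pkt, size_t avail, size_t *data_len) {
    if (avail < 8) return RES_SHORT_HEADER;
    uint32_t len = rd_le32(pkt), crc = rd_le32(pkt + 4);
    if ((size_t)len > avail - 8) return RES_LEN_OOB;       /* declared len exceeds buffer */
    if (crc32_ieee(pkt + 8, len) != crc) return RES_BAD_CRC;
    *data_len = len;
    return RES_OK;
}

/* Constructed sample: a 9-byte resource whose header claims declared_len bytes. */
enum parse_result demo_parse(uint32_t declared_len) {
    static const uint8_t body[9] = {'1','2','3','4','5','6','7','8','9'};
    uint8_t pkt[8 + sizeof body];
    size_t n = 0;
    wr_le32(pkt, declared_len);
    wr_le32(pkt + 4, crc32_ieee(body, sizeof body));      /* CRC over the real data */
    memcpy(pkt + 8, body, sizeof body);
    return parse_resource(pkt, sizeof pkt, &n);
}
```

demo_parse(9) accepts the honest packet, while demo_parse(0xFFFFFFFF) is rejected with RES_LEN_OOB before a single byte past the buffer is read.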

Final words

Both the vaccines discussed in this series and the kill switch are essential tools for protecting computer systems from the ever-evolving threat of the Tofsee malware.

While a malware vaccine can help to prevent infections, and a malware kill switch can help to minimize the damage caused by an ongoing attack, as we’ve previously discussed, neither tool is foolproof, and you should always use them in conjunction with other security measures.

Happy coding.
