Vulnerabilities / Threats
11/21/2013
12:20 PM

'i2Ninja' Trojan Taps Anonymized Darknet

New malware being sold via underground Russian cybercrime markets uses decentralized, anonymizing P2P system.

Beware a new, Russian-built banking Trojan, dubbed i2Ninja, that uses an anonymizing cryptographic network to mask its related botnet communications.

That warning comes via IBM's Trusteer, which has spotted the malware for sale on underground Russian cybercrime forums.

"The i2Ninja [malware] takes its name from the malware's use of I2P -- a networking layer that uses cryptography to allow secure communication between its peer-to-peer users," said Trusteer security researcher Etay Maor in a blog post. "While this concept is somewhat similar to Tor and Tor services, I2P was designed to maintain a true Darknet -- an Internet within the Internet where secure and anonymous messaging and use of services can be maintained."

I2P stands for the Invisible Internet Project, a still-in-beta project described by its developers as "a computer network layer that allows applications to send messages to each other pseudonymously and securely." The software can also be used for surfing the web and transferring files anonymously, courtesy of HTTP proxies.

While such technology has obvious privacy applications, in the hands of botnet controllers -- a.k.a. herders -- it also provides a way to disguise communications between command-and-control (C&C) servers and the i2Ninja-infected PCs serving as botnet nodes.

Why not use the Tor anonymizing network instead? According to the I2P development site, I2P is designed and optimized for hidden services, which are much faster than their Tor counterparts; it also supports peer-to-peer communications and does not require Tor's centralized view of network activity. "Using the I2P network, i2Ninja can maintain secure communications between the infected devices and command-and-control server," said Maor. "Everything from delivering configuration updates to receiving stolen data and sending commands is done via the encrypted I2P channels. The i2Ninja malware also offers buyers a proxy for anonymous Internet browsing, promising complete online anonymity."

Indeed, i2Ninja's use of I2P also enables malware customers to directly communicate with i2Ninja's customer-support team -- using encrypted communications, naturally -- as well as to tap a trouble-ticket system that's built into the malware's admin panel. "A potential buyer can communicate with the authors/support team, open tickets and get answers -- all while enjoying the security and anonymity provided by I2P's encrypted messaging," said Maor.

As with other types of modern financial malware, the Trojan offers multiple modules, each designed to steal a different type of valuable information. Some of the modules, for example, include an FTPgrabber that can steal FTP credentials from 33 different clients; a PokerGrabber to grab any usernames and passwords for popular online Poker games such as 88poker, Absolute Poker, and Full Tilt Poker that are stored on the PC; and a MailGrabber that can grab credentials for 16 different email clients. The malware can also search for -- and remove -- files with specified extensions or filenames from an infected PC.

In addition, the malware can launch HTTP/HTTPS injection attacks -- the developer claims this feature works for all versions of Internet Explorer, Firefox, and Chrome -- which allow attackers to make hidden financial transactions while users are logged into a banking website. Coming soon, i2Ninja's developer has promised to release Virtual Network Computing (VNC) capabilities so that botnet herders can remotely access and control infected PCs.

But one of the Trojan's most notable features, said Maor, is the level of customer care being offered. The malware sellers promise around-the-clock support, which suggests that they're distributing their wares globally. "While some malware offerings have offered an interface with a support team in the past -- Citadel and Neosploit, to name two -- i2Ninja's 24/7 secure help desk channel is a first," Maor said.

Comments
Brian.Dean, User Rank: Apprentice, 11/22/2013 | 1:09:54 PM
Re: Security backfires
Excellent question; maybe someone will be able to cite a case. I feel at the end of the day it will all amount to a resource game. I mean, brute force attacks that are aimed at I2P networks and try to monitor all the communication between all the nodes to predict flows are expensive to carry out; likewise, building a defense in the form of Tarzan's mimics to even out network flow is even more expensive -- a resource game.

As far as cryptographic attacks are concerned, I think most I2P networks use a 256-bit key, and if processors (on a reasonable financial scale) have not become fast enough to crack them as of 2013, eventually processors are going to crack a 256-bit key. However, I don't think that current needs are to have a 512-bit key, but definitely we need better key management.
Mathew, User Rank: Apprentice, 11/22/2013 | 6:43:39 AM
Re: Security backfires
Brian, having AV watch for the related malware is the first step. Aside from that, have any readers had success with either tracking or blocking unauthorized I2P or Tor connections from inside their network? 
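One answer to the question above, as an added example that is not from the article, Trusteer, or any commenter: because I2P is a decentralized overlay with no central relay or exit list (the article notes it "does not require Tor's centralized view of network activity"), the address-based blocklists that work reasonably for Tor do not transfer, and the practical starting point is behavioural baselining of internal hosts. From inside the network an overlay node looks different from a workstation: it talks to many distinct external peers, each on its own ephemeral port, with traffic in both directions, whereas a browser funnels to a few destinations on 80/443. The script below assumes a simple flow-record shape (source, destination, port, protocol, bytes each way); the sample records and the thresholds are constructed and should be tuned against a real baseline before use.

```python
"""Heuristic detection of hosts behaving like anonymizing P2P overlay nodes
(I2P-style) from connection/flow records.

Added example, not taken from the article or any vendor. The Flow record
shape, the sample data and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal source host
    dst: str        # external destination IP
    dst_port: int   # destination port
    proto: str      # "tcp" or "udp"
    bytes_out: int
    bytes_in: int


def peer_profile(flows):
    """Summarise each internal host: distinct peers, distinct destination
    ports, number of flows to ports >= 1024, and number of bidirectional flows."""
    profile = defaultdict(lambda: {"peers": set(), "ports": set(),
                                   "high": 0, "flows": 0, "bidir": 0})
    for f in flows:
        p = profile[f.src]
        p["peers"].add(f.dst)
        p["ports"].add(f.dst_port)
        p["flows"] += 1
        if f.dst_port >= 1024:
            p["high"] += 1
        if f.bytes_in > 0 and f.bytes_out > 0:
            p["bidir"] += 1
    return profile


def suspicious_hosts(flows, min_peers=20, min_high_ratio=0.8, min_port_diversity=0.5):
    """Flag hosts that (a) reach at least min_peers distinct external peers,
    (b) send most of their flows to ephemeral ports, and (c) spread those
    flows over many different ports relative to the number of peers.
    Returns sorted (host, peer_count, high_port_ratio, port_diversity) tuples."""
    flagged = []
    for host, p in peer_profile(flows).items():
        n_peers = len(p["peers"])
        if n_peers < min_peers:
            continue
        high_ratio = p["high"] / p["flows"]
        diversity = len(p["ports"]) / n_peers
        if high_ratio >= min_high_ratio and diversity >= min_port_diversity:
            flagged.append((host, n_peers, round(high_ratio, 2), round(diversity, 2)))
    return sorted(flagged)


def constructed_sample():
    """Constructed flow records (documentation address ranges, not real traffic)."""
    flows = []
    # Ordinary workstation: a handful of web destinations, all on 443.
    for i in range(30):
        flows.append(Flow("10.0.0.5", f"203.0.113.{i % 5 + 1}", 443, "tcp", 1200, 5000))
    # Host behaving like an overlay node: 25 distinct peers, each on its own
    # high port, mixed UDP/TCP, traffic in both directions.
    for i in range(25):
        flows.append(Flow("10.0.0.9", f"198.51.100.{i + 1}", 10000 + 37 * i,
                          "udp" if i % 2 else "tcp", 900, 1100))
    return flows


if __name__ == "__main__":
    for host, peers, high_ratio, diversity in suspicious_hosts(constructed_sample()):
        print(f"{host}: {peers} peers, {high_ratio:.0%} high-port flows, "
              f"port diversity {diversity:.2f}")
```

The three thresholds are deliberately conservative so that ordinary update clients and CDN fan-out do not trip them; in practice the hits are a triage list to pair with endpoint evidence (the process owning the sockets, and the AV match Mathew mentions), not a block decision on their own.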
Brian.Dean, User Rank: Apprentice, 11/21/2013 | 2:21:39 PM
Security backfires
Getting a message from point A to B is nice, and getting it across securely in an encrypted format without the worry of an eavesdropper listening in is excellent. Having a Trojan do the same is just not fair!

I am guessing users can follow best practices and protect themselves by keeping their PCs, etc., updated with the latest antivirus and anti-malware software, and by not installing software that they don't trust. In light of security firms that have to deal with systems that are already infected and that have to try to stay one step ahead of attackers, I am wondering: how exactly can they monitor behavior that is encrypted?