'i2Ninja' Trojan Taps Anonymized Darknet

New malware being sold via underground Russian cybercrime markets uses decentralized, anonymizing P2P system.

Mathew J. Schwartz, Contributor

November 21, 2013

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Beware a new, Russian-built banking Trojan, dubbed i2Ninja, that uses an anonymizing cryptographic network to mask its related botnet communications.

That warning comes via IBM's Trusteer, which has spotted the malware for sale on underground Russian cybercrime forums.

"The i2Ninja [malware] takes its name from the malware's use of I2P -- a networking layer that uses cryptography to allow secure communication between its peer-to-peer users," said Trusteer security researcher Etay Maor in a blog post. "While this concept is somewhat similar to Tor and Tor services, I2P was designed to maintain a true Darknet -- an Internet within the Internet where secure and anonymous messaging and use of services can be maintained."

I2P stands for the Invisible Internet Project, a still-in-beta project described by its developers as "a computer network layer that allows applications to send messages to each other pseudonymously and securely." The software can also be used for surfing the web and transferring files anonymously, courtesy of HTTP proxies.

[The Kelihos botnet is not dead, thanks to fast flux architecture and Windows XP infections. Read Kelihos Botnet Thrives, Despite Takedown.]

While such technology has obvious privacy applications, in the hands of botnet controllers -- a.k.a. herders -- it also provides a way to disguise communications between command-and-control (C&C) servers and the i2Ninja-infected PCs serving as botnet nodes.

Why not use the Tor anonymizing network instead? According to the I2P development site, this anonymizing network is designed and optimized for hidden services, which are much faster than in Tor, while it also supports peer-to-peer communications and does not require Tor's centralized view of network activity. "Using the I2P network, i2Ninja can maintain secure communications between the infected devices and command-and-control server," said Maor. "Everything from delivering configuration updates to receiving stolen data and sending commands is done via the encrypted I2P channels. The i2Ninja malware also offers buyers a proxy for anonymous Internet browsing, promising complete online anonymity."

Indeed, i2Ninja's use of I2P also enables malware customers to directly communicate with i2Ninja's customer-support team -- using encrypted communications, naturally -- as well as to tap a trouble-ticket system that's built into the malware's admin panel. "A potential buyer can communicate with the authors/support team, open tickets and get answers -- all while enjoying the security and anonymity provided by I2P's encrypted messaging," said Maor.

As with other types of modern financial malware, the Trojan offers multiple modules, each designed to steal a different type of valuable information. Some of the modules, for example, include an FTPgrabber that can steal FTP credentials from 33 different clients; a PokerGrabber to grab any usernames and passwords for popular online Poker games such as 88poker, Absolute Poker, and Full Tilt Poker that are stored on the PC; and a MailGrabber that can grab credentials for 16 different email clients. The malware can also search for -- and remove -- files with specified extensions or filenames from an infected PC.

In addition, the malware can launch HTTP/HTTPS injection attacks -- the developer claims this feature works for all versions of Internet Explorer, Firefox, and Chrome -- which allow attackers to make hidden financial transactions while users are logged into a banking website. Coming soon, i2Ninja's developer has promised to release virtual network connection (VNC) capabilities so that botnet herders can remotely access and control infected PCs.

But one of the Trojan's most notable features, said Maor, is the level of customer care being offered. The malware sellers promise around-the-clock support, which suggests that they're distributing their wares globally. "While some malware offerings have offered an interface with a support team in the past -- Citadel and Neosploit, to name two -- i2Ninja's 24/7 secure help desk channel is a first," Maor said.

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we put the risk in context and offer recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights