The Spamhaus Project


Neutralizing Tofsee Spambot – Part 1 | Binary file vaccine

The Spamhaus Malware Researchers have been busy in their lairs, reverse engineering Tofsee malware to provide you with the code required for two malware vaccines and a network-based kill switch. A hat trick of protection against this spambot! This is the first in this three-part series, and looks at how to inject a malware vaccine into the binary file.

by The Spamhaus TeamDecember 07, 20224 minutes reading time

Jump to

An introduction to malware vaccines

An introduction to malware vaccines

This security concept works by proactively introducing a small piece of harmless code into a computer system to disrupt and prevent malware from executing and spreading. This is not dissimilar to how medical vaccines work (hence the use of the same terminology). Essentially, the premise is to “immunize” the system against specific types of malware by providing the system, in advance, with a form of defense.

There are various types of malware vaccines, including file-based, memory-based, and network-based. They can be delivered as standalone software tools or integrated into other security products such as antivirus software.

While malware vaccines can be an effective defense against certain types of malware, they should never be used as a substitute for other security measures such as keeping software and operating systems up to date, using strong passwords, and avoiding suspicious email attachments or downloads, to name but a few. It’s also important to note that as new malware strains are developed, the vaccines must be updated accordingly to remain effective.

Let’s move on to the malware taking center stage in this series…

An introduction to Tofsee

Tofsee, also known as Gheg, is a sophisticated modular malware primarily designed to send spam email along with other full-fledged botnet activities such as mining and stealing login and email credentials, as well as downloading further malware. Generally, the additional malware downloaded is either ransomware or banking Trojans.

The malware is written in C/C++ and uses various techniques to avoid detection and remain persistent on infected systems.

Identifying where a vaccine can be “injected” in Tofsee

To create a vaccine for a malware family, you need to have the ability to mimic the existence of part of the malware, for example, its binary file. This tricks the malware into believing that an instance of the malware code is already running on the system and, therefore, won’t try to re-infect it.

The first stage in identifying points to distract from the normal execution of the binary file is to reverse engineer the malware to understand the flow process of the code.

To explore the possibility of imitating the binary file, you need to check if it’s in the installer/installed path.

Tofsee installer/installed paths deviate from the norm

When we ran these checks with Tofsee, we noticed a slight deviation from the typical routine. Instead of checking file or registry-based artifacts, Tofsee cross-checks against an in-memory variable injected during installation.

This makes it impossible to imitate the binary file; however, it did make us ask the following question:

“How does Tofsee manage the duplicate runs of the same binary?”

The answer is that Tofsee handles this process using Inter-Process Communication (IPC) pipes [].

IPC communications initiate an exist

In the binary, we noticed a subroutine where Tofsee opens an IPC pipe and processes various data. The malware uses this IPC channel to communicate with another running instance to trigger an exist.

An algorithm is used to generate the pipe name, creating a name based on a predetermined value. This value is specific to the infected machine and is based on the hard drive’s volume serial number. The malware purposefully does this to make hardcoded indicator of compromise (IOC) detection impossible on machines.

After generating the pipe name, the data received from the pipe is cross-checked as follows:

  1. A 4-byte random integer is generated and sent across the pipe.
  2. A 4-byte integer is read from the pipe.
  3. The integrity of communication is checked using the following check (WRITE_DWORD >> 2) + WRITE_DWORD == READ_DWORD.
  4. If the check is passed, another DWORD is written, which is generated from (READ_DWORD >> 2)
  5. The calling process terminates.

A chink in Tofsee’s armor

Here, where the data check creates the binary, there is the potential to leverage this process for the vaccine on the proviso that the binary isn’t already running. If it is running, unfortunately, the opportunity to stop it is missed.

But let’s focus on the scenario where the pipe doesn’t exist; from here, an IPC pipe of the same name is created, and another set of data is received and cross-checked with specific parameters. These checks are a little more complex than the previous ones:

  1. A 4-byte integer is read from the pipe.
  2. A 4-byte integer is generated from right-shifting the integer by 2 and adding it back.
  3. Two internally defined structures are read successively from the pipe. These structures are defined as follows:

At this point, the vaccine packet can be used.

The entire code for the Tofsee vaccine

Below is the complete C code that you can use as a vaccine for new infections of Tofsee and existing ones, named as first dose vaccine and booster vaccine (ring any bells from the COVID days?!?).

Happy vaccination coding!

In our next blog post, we’ll look at a second vaccine you can use to protect against Tofsee. This one concentrates on injecting code into the memory configuration store.

Help and recommended content

See below for helpful articles and recommended content
Malware Digest January 2024

Malware Digest January 2024

Report • February 15, 2024 • The Spamhaus Team
Malware Digest December 2023

Malware Digest December 2023

Report • January 09, 2024 • The Spamhaus Team
Malware Digest November 2023

Malware Digest November 2023

Report • December 05, 2023 • The Spamhaus Team