Michal Krejdl

15 October 2009

Kavo - a neverending story?


Hello again. This time I would like to present the story of one successful malware family. Why successful? Because it established a new way of spreading some time ago and, mainly, because it has always scored very well in our statistics of malware detected in the wild. And what is Kavo? It is a name derived from the filenames of some binaries used by the malware family (kavo0.dll, kavo1.dll etc.). The family is also known under other names such as Oliga, Kavos, Kamso, OnLineGames, Taterf etc.

Well, let's start the story of Kavo. We have to go more than two years back in time to see the first attempts of the Kavo author to get his online-games password stealer off the ground. It was roughly the time when rootkits became quite popular. So the author wrote a rootkit and a user-mode binary intended to drop the rootkit and make some additional changes to the system (described later). He also wrote or bought his first obfuscator to protect the binary and to carry out the server-side polymorphism. Great, the payload is ready; now, how to spread it? The most efficient way has probably always been the exploitation of OS weaknesses, and the Kavo author decided on autorun. This function was enabled on all drives by default (by the way, I could never understand why anything should be autorun from an HDD or a pen-drive with default OS settings), so why not abuse it? The approach proved its efficiency and a huge number of computers got infected quickly through the exchange of pen-drives (borrowing between friends, plugging them into different computers in net cafes etc.). Kavo was the first malware family to use this way of spreading so massively (the same way was used later by Conficker, Virut and some others). What is bad is that even nowadays this way of spreading is still relatively successful.

After the starting phase the author decided to change the obfuscator (this has been done about five times during the whole Kavo life cycle) and to tighten the coupling between the rootkit and the system. The stable era of Kavo brought no major functionality changes, and the functionality remains relatively unchanged in recent variants as well. So what does this malware family do?

  • drops a rootkit (klif.sys)
  • drops its user-mode binaries to the system folder
  • drops autorun files and the binaries they launch to each drive (in order to spread itself)
  • injects its own code into explorer.exe
  • injects iexplore.exe to force the update procedures
  • steals passwords for online games

[Figure: kavo01]

[Figure: updating of Kavo]
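The removable-drive spreading described above relies on an autorun file on each drive that makes Windows launch the dropped binary. The following triage script is an added example written for this post, not code from the Kavo analysis or from any AV product: it parses autorun.inf text and flags the execution vectors that matter to a defender (a launch command on insert, Explorer verb overrides that make a double-click run the payload, and a prompt text disguised as opening a folder). The sample autorun.inf texts and the executable name example_dropper.exe in them are constructed placeholders, not real Kavo artefacts.

```python
"""Triage of autorun.inf files for the removable-drive spreading pattern.

Added example for this post; not code from the Kavo analysis or from any
AV product.  All sample autorun.inf texts below and the executable names in
them are constructed placeholders, not real Kavo artefacts.
"""

# [autorun] keys that make Windows run a program when the drive is inserted.
EXEC_KEYS = ("open", "shellexecute")
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_autorun(text):
    """Return the (key, value) pairs of the [autorun] section, keys lower-cased.

    A hand-rolled parser is used instead of configparser because autorun.inf
    files dropped by malware often contain junk lines meant to break strict
    INI parsers; anything that is not 'key=value' inside [autorun] is ignored.
    """
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip().lower(), value.strip()))
    return entries


def command_target(command):
    """First token of a command line with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def analyse_autorun(text):
    """Classify an autorun.inf by the execution vectors it configures.

    Returns a dict with the launch commands, the Explorer verb overrides
    (shell\\<verb>\\command), the reasons found and a verdict: 'clean' (no
    code execution), 'review' (launches a program, as a vendor installer CD
    would) or 'high' (launch combined with verb hijacking or a prompt
    disguised as a folder action, the pattern of USB worms).
    """
    entries = parse_autorun(text)
    launches = [v for k, v in entries if k in EXEC_KEYS]
    overrides = [v for k, v in entries
                 if k.startswith("shell\\") and k.endswith("\\command")]
    actions = [v for k, v in entries if k == "action"]

    reasons = []
    targets = [command_target(c) for c in launches + overrides]
    if any(t.lower().endswith(EXEC_EXTENSIONS) for t in targets):
        reasons.append("launches an executable from the drive on insert")
    if overrides:
        reasons.append("overrides Explorer verbs so double-click runs the payload")
    if launches and any("folder" in a.lower() for a in actions):
        reasons.append("AutoPlay prompt text disguises the launch as opening a folder")

    verdict = "clean" if not reasons else ("high" if len(reasons) >= 2 else "review")
    return {"launches": launches, "overrides": overrides,
            "reasons": reasons, "verdict": verdict}


# Constructed samples (placeholders, not real Kavo files).
WORM_STYLE = r"""[autorun]
junk line to break strict parsers
open=example_dropper.exe
shell\open=Open
shell\open\command=example_dropper.exe
shell\explore\command=example_dropper.exe
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

INSTALLER_STYLE = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Example Vendor Installer
"""

LABEL_ONLY = r"""[autorun]
icon=logo.ico
label=Holiday photos
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_STYLE),
                         ("installer-style", INSTALLER_STYLE),
                         ("label-only", LABEL_ONLY)):
        result = analyse_autorun(sample)
        print(f"{name}: {result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

Run over the autorun.inf of every mounted drive, the script separates a plain installer CD ("review") from the worm pattern ("high"); the verb overrides are the detail worth watching, because they turn an ordinary double-click on the drive icon into execution even when AutoPlay itself is disabled.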

The analysis of the server infrastructure used to update established infections and to collect stolen data is something that always amazes me. It seems that only a few computers handle all the hundreds of thousands of victims. In fact, the servers are quite busy all the time (sometimes even fully overloaded) and the download speed of the updates is really low (and the download sometimes doesn't finish). When I wrote that this malware family is successful, I didn't consider the possible earnings from this activity (they are hard to guess anyway). I considered only the rise and the currently running life cycle, which is, given the conditions, a success. Let's note:

  • the author has never been traced (for more than two years), even though we (and not only we) know where his domains were registered. There's no need to enter any significant credentials when registering a domain. And the servers (maybe also the author himself) reside somewhere in China, which may be a problem for European or US law enforcement.
  • the whole infrastructure runs on almost ridiculous machinery, but this malware family is still able to spread, to react to new detections by AV, to change the obfuscator etc.
  • this family is an evergreen. It is still alive and clearly visible even though there are lots of other widespread malware families (all the rogues etc.)

So that's the current stage of the Kavo story. And what comes next? Unfortunately, I think the current activity will still be enough for it to stay alive. I absolutely can't expect the author to be traced and imprisoned and all his infrastructure to be taken down. What do you think? Will this story have a (happy) end? The conclusion for us is: always keep an eye open and watch the steps made by the Kavo author. It's a typical cat-and-mouse game.

Virus Lab, Analyses, kamso, gamona, oliga, monga, kavos