As interesting as the legacy of Operation Troy is, even more enlightening are the fingerprints and footprints that allow McAfee Labs to trace its legacy. In the “fingerprint” category is what developers term the compile path. This is simply the path through the developer’s computer file directory to the location at which the source code is stored.
An early Troy variant in 2010, related to NSTAR and HTTP Troy via reused components, used this compile path.
A second variant from 2010, compiled May 27, also contained a very similar compile path. We were able to obtain some traffic with the control server.
McAfee Labs has consistently seen a Work directory in the compile path, as in the other post-2010 malware used in this campaign. By analyzing attributes such as the compile path, McAfee Labs researchers have been able to establish connections between the Troy variants and to document the functional and design changes programmed into each variant.
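The compile-path "fingerprint" described above is recorded in a PE file's CodeView debug record (the RSDS block that carries the PDB path the linker embedded). The following Python script is an added example, not code from the report or from McAfee Labs: it scans raw file bytes for RSDS records, pulls out the GUID, age and PDB path, and groups samples that share a build directory. The sample blobs and paths (such as a `D:\Work\...` directory) are constructed here for illustration and are not paths from the original article.

```python
import re
import struct
import uuid
from collections import defaultdict

# CodeView RSDS record layout: "RSDS" | GUID (16 bytes, little-endian) |
# age (uint32 LE) | NUL-terminated PDB path. Scanning for the signature works
# without a full PE parser, which is handy for triage of damaged or packed files.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)


def extract_pdb_records(data: bytes) -> list:
    """Return every RSDS debug record found in the byte blob."""
    records = []
    for match in RSDS_RE.finditer(data):
        guid_bytes, age_bytes, path = match.groups()
        records.append({
            "guid": str(uuid.UUID(bytes_le=guid_bytes)),
            "age": struct.unpack("<I", age_bytes)[0],
            # Real-world paths may contain non-ASCII (e.g. Korean) characters,
            # so decode leniently rather than failing the whole scan.
            "pdb_path": path.decode("utf-8", errors="replace"),
        })
    return records


def compile_dir(pdb_path: str) -> str:
    """Directory part of a PDB path, normalized for case and slash style."""
    return pdb_path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def has_component(pdb_path: str, marker: str) -> bool:
    """True if a directory component (e.g. 'work') appears anywhere in the path."""
    parts = [p.lower() for p in pdb_path.replace("/", "\\").split("\\")]
    return marker.lower() in parts


def cluster_by_directory(samples: dict) -> dict:
    """Map each build directory to the sample names compiled from it."""
    clusters = defaultdict(list)
    for name, blob in samples.items():
        for rec in extract_pdb_records(blob):
            clusters[compile_dir(rec["pdb_path"])].append(name)
    return dict(clusters)


def build_rsds(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Construct an RSDS record (used only to fabricate test input below)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode() + b"\x00"


# Constructed sample blobs standing in for real binaries (hypothetical paths).
SAMPLES = {
    "sample_a.exe": b"\x00" * 32
        + build_rsds(uuid.UUID(int=1), 1, r"D:\Work\proj_a\Release\proj_a.pdb")
        + b"\xff" * 16,
    "sample_b.exe": b"MZ" + b"\x90" * 40
        + build_rsds(uuid.UUID(int=2), 3, r"D:\Work\proj_a\Release\proj_b.pdb"),
    "sample_c.exe": b"\x41" * 20
        + build_rsds(uuid.UUID(int=3), 1, r"C:\Users\dev\src\tool\tool.pdb"),
    "sample_d.exe": b"\x00" * 64,  # stripped build: no debug record at all
}


if __name__ == "__main__":
    for directory, names in cluster_by_directory(SAMPLES).items():
        flag = " [shared 'Work' component]" if has_component(directory, "work") else ""
        print(f"{directory}{flag}: {', '.join(names)}")
```

Samples a and b land in one cluster because they were linked from the same `Release` directory even though their PDB file names differ; sample d produces no record at all, which is itself a data point when a campaign's other builds consistently leave the path in. In practice the same grouping is run across a whole sample set and combined with other static attributes (compile timestamps, reused components) before any attribution conclusion is drawn.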
Both the Chang and EagleXP variants are based on the same code that created NSTAR and the later Troy variants. The use of the same code also confirms the attackers have been operating for more than three years against South Korean targets.
In the “footprint” category McAfee Labs documented the most significant functional change that occurred, in the 2013 release of the Concealment Troy. Historically, the Operation Troy control process involved routing operating commands through concealed Internet Relay Chat (IRC) servers. The first three Troy variants were managed through a Korean manufacturing website in which the attackers installed an IRC server.
From the attacker's perspective there are two problems with this approach. The first is that if the owners of a compromised server discovered the rogue IRC process, they would remove it and the attacker would lose control of the Troy-infected clients. The second is that the Troy developers hardcoded the name of the IRC server into each Troy variant. This means that they had to first find a vulnerable server, install an IRC server on it, and then recompile the Troy source into a new variant controlled by that specific server. For this reason nearly every Troy variant needed its own separate control server.
The Concealment Troy variant was the first to break this dependency on a hardcoded IRC control server. Concealment Troy presumably gets its operating instructions from a more sophisticated (and likely more distributed) botnet that is also under the control of the Troy syndicate.