Reverse engineering reveals inner workings of Comfoo Trojan

Researchers at Dell SecureWorks have been able to monitor the command and control system of an advanced Remote Access Trojan being used by Chinese hackers to penetrate government, high-tech companies and educational systems in the United States, Asia and Europe.

The Comfoo Trojan has been in development since at least 2006 and was used in the 2010 breach of RSA, which later was leveraged to compromise the VPNs of Defense Department contractors, including Lockheed Martin. Although it was analyzed in the wake of the RSA incident, Comfoo has had a low profile and has remained in wide use since then.

But the researchers have been able to identify the Comfoo server software used to communicate with compromised systems and have passively monitored command and control activity for the past 18 months.

“You rarely get a chance to reverse engineer the server side of something like this,” said Joe Stewart, director of malware research for Dell SecureWork’s Counter Threat Unit (CTU). “While it’s still live we are able to see the victims, identify them and pass this information back to the victims.”

Dell SecureWork’s research was released in a paper at last week’s Black Hat Briefings. The paper includes threat indicators that can help agencies determine if they have been compromised.

Detecting and cleaning up the malware can be complicated, but determining whether you are a potential target is not. “If one player in an industry is targeted, it is likely all major players (or newcomers with interesting technology) in that industry will be targets at some point,” authors Stewart and CTU researcher Don Jackson wrote.

Stewart said the Comfoo attacks seem to be coming from a group in Beijing. “I think it’s a pretty good assumption that the actors are Chinese,” he said. But that does not necessarily point to the Chinese government. “The question is, who do they work for? That’s something we can’t say with this kind of analysis.”

The largest numbers of victims identified were in Japan, India and South Korea, but there also were victims in the United States, Taiwan and Europe. Targets included government offices as well as educational institutions, news media, mineral exploration and manufacturing companies  and trade organizations. The object of the attacks appeared to be gathering intellectual property, but one of the target industries was audio- and videoconferencing vendors. Steward and Jackson said this indicates they might have been looking for a way to listen in on government and corporate users.

“It looks like they wanted to find a way to tap the conferences of some of the vendors’ customers,” Stewart said. The researchers did not determine if eavesdropping actually took place.

Once the Comfoo server software had been identified in a malware library, the researchers were able to access the command and control network because of a lack of authentication required on the servers and poor cryptography. Using a 10-byte static encryption key hardcoded into the malware, they were able to monitor traffic as compromised computers linked back to the command and control servers and identify the victims.

Passive monitoring began in January 2012 and identified victims in 64 separate attack campaigns. Victims were notified either directly or through local incident response teams. Because not all victim log-ins were observed, there could be many more unidentified Comfoo victims.

Researchers did not access data being passed from the victims.

Once on a target computer, Comfoo hides itself by modifying and using a path in the dynamic link library to an existing unused service rather than installing a new service, which would be more likely to be noticed. A rootkit is also sometimes used to hide files. It also can protect itself by blocking remote inbound connections to prevent maintenance to the server.

Comfoo command and control traffic is passed through a third rendezvous server. The victim connects to the rendezvous server, which acts as a middleman and waits to be contacted by command and control servers. It then passes along information from the victim to the command server and sends commands back to the victim.

Despite the exposure of the system, Comfoo probably will not be abandoned soon.

“It takes a lot of management infrastructure to maintain this,” Jackson said. “They seem to be reluctant to shut it down.” He said it is more likely that changes will be made on the client side software rather than changing the basics on the backend. Domain names and IP addresses could be altered, but “we still understand enough about it to identify further activities.”

Indicators in network traffic, on hard drives, in memory or in the Windows registry can be used to detect the presence of Comfoo on a system. There is a typical phone-home and request exchange that can be identified as well as tell-tale strings of code in memory and on disk, although offline forensic analysis might be needed to find them if a rootkit is being used.

As with many advanced persistent threats, finding and cleaning up after Comfoo could take a major effort, the researchers said.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected