Posts Tagged ‘malware’

Spy vs SpyEye

Wednesday, August 25th, 2010

In late December 2009, a new bot (known as SpyEye), which has properties that compare and compete with the Zeus bot, appeared in the Russian underground market. Like other theft-based malware, it has a web-based command-and-control backend that collects and sorts the stolen data and its statistics. Features include specific targeting of Bank of America customers, and the stolen data can be sorted by infected process, bot GUID (Globally Unique Identifier) and FTP login. The configuration requires a standard LAMP environment (Linux, Apache, MySQL and PHP). Installation is simple, and the majority of the frontend web code uses AJAX (XMLHTTP) to post the data queries to the viewer. Spy-Eye divides itself into two setups: the CnC controller (which houses the statistics and communicates with the machines interactively), and the form grabber, which collects the login data and stores it in a database for querying. The form grabber and the CnC identify themselves to an outside observer via the HTML title tag, usually shown at the top of the browser when accessing the page.

Figure 1 C&C Identifier within the “<title>” tag (CN 1)

Figure 2 Formgrabber Identifier within the “<title>” tag (SYN 1)

To access either “CN 1” or “SYN 1”, a password prompt is displayed to authenticate access.

Figure 3 Password Prompt
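As an added example (not code from the original post or from Damballa), here is a small Python fingerprint that a defender could run over HTTP responses captured by a web proxy to flag pages whose title tag matches the two panel identifiers described above. The sample responses, the documentation-range URLs and the label names are constructed for this example.

```python
import re
from html import unescape
from typing import Iterable, List, Optional, Tuple

# Title strings the post reports for the two SpyEye panels:
# "CN 1" is the CnC controller, "SYN 1" is the form grabber.
# The label names on the right are constructed for this example.
PANEL_TITLES = {
    "CN 1": "spyeye-cnc",
    "SYN 1": "spyeye-formgrabber",
}

_TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def extract_title(html: str) -> Optional[str]:
    """Return the normalised <title> text of an HTML body, or None if absent."""
    match = _TITLE_RE.search(html)
    if not match:
        return None
    # Decode entities and collapse whitespace so "CN&nbsp;1" or "CN\n 1"
    # still compare equal to the identifier strings above.
    return " ".join(unescape(match.group(1)).split())


def classify_panel(html: str) -> Optional[str]:
    """Map a response body to a panel label, or None if it is not a known panel."""
    title = extract_title(html)
    if title is None:
        return None
    return PANEL_TITLES.get(title.upper())


def scan_responses(responses: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Walk (url, body) pairs from a proxy capture and return the panel hits."""
    hits = []
    for url, body in responses:
        label = classify_panel(body)
        if label is not None:
            hits.append((url, label))
    return hits


# Constructed sample responses (documentation-range addresses, not real captures).
SAMPLE_RESPONSES = [
    ("http://198.51.100.10/cn/", "<html><head><title>CN 1</title></head><body>login</body></html>"),
    ("http://198.51.100.10/fg/", "<html><head><title>\n  SYN&nbsp;1 \n</title></head></html>"),
    ("http://203.0.113.5/", "<html><head><title>Welcome</title></head></html>"),
    ("http://203.0.113.6/", "<html><body>no title here</body></html>"),
]

if __name__ == "__main__":
    for url, label in scan_responses(SAMPLE_RESPONSES):
        print(f"{url} -> {label}")
```

A title string is a cheap indicator that an operator can change at will (the post itself notes operators skinning their panels), so treat a hit as a pivot point for further review of the host rather than as a stand-alone verdict.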

Latest Spy-Eye findings reveal certain botnet operators “skinning” their web panel:

Figure 4 “Show me the money” skin

Features for the CnC portion of the web panel include ftp back connect, socks 5, code insertion, binary uploads, task monitoring, global statistics and Settings.

Figure 5 Binary Update Function

Binary Update Function:

This function is used to continuously update the bots within the network. Further analysis indicates that this activity happens frequently, at minimum on a daily basis. The purpose is to continuously replace binaries with ones that are unknown to the Anti-Virus community, since the updates are not distributed in the wild via exploits, but internally through the tunnel created between the C&C and the operator. Further investigation enables Damballa to identify the new MD5s pushed to the bots, and reveals how many active bots are receiving updates.

Figure 6 Real-time update log identifying the new MD5 and the originating MD5

Tests run by Damballa’s Threat Research team identify that the majority of these new MD5s are not detected by any major Anti-Virus vendor:

Figure 7 MD5 a3fe1f59d8d72699ad342adb992ba450 with 4.9% identification according to VirusTotal

Up Sell:

Within the “SYN 1” form grabber panel, a few features have been updated for version 1.2, including a private certificate stealer. This feature allows the botnet operator to request certificates from the controlled bots.

Figure 8 Certificate Grabber

Also available is a specific “Bank of America” grabber. Both of these features require the buyers of the malware DIY kit to pay extra if they desire these features.

Backdoor Access:

Within the “CN 1” panel there are FTP Back Connect and SOCKS5 controls designed for miscellaneous use such as remote administration and sending spam. For each bot with SOCKS5 availability, the server binds a unique port on the C&C server for the botnet operators to perform a reverse connection with the infected host.

Figure 9 SOCKS5 Reverse Connection Status

Statistics and Data Collection

A common trend in many other botnet control panels is the Geographical IP location and version tracking and Spy-Eye also follows suit:

Figure 10 GeoIP and Version tracking

Other statistics acquired are infected OS versions, Internet Explorer versions, and user type:

The latest Spy-Eye malware is also enumerating the software information that exists on the victim hosts:

Figure 11 Enumerated Software on Infected Host

In addition, checkboxes have been added to the stolen data query page enabling wildcard lookups with the “LIKE?” option for Bot ID’s. These features were likely added to enable granularity for each query.

Conclusion

Spy-Eye’s evolution is progressing rapidly and the success rate of the malware itself appears to be increasing quietly, yet effectively. Combined with impactful distribution campaigns, this malware appears to be an up-and-coming contender among the ongoing threats plaguing the Internet.

Part 2 will unveil specific information on the amount of stolen data that is acquired by Spy-Eye and will follow the flow of the activity of some of the specific bot operators.

by Lance James

It’s Safer to Write Your Password Down

Tuesday, July 6th, 2010

Common wisdom over the last couple of decades has been to never write down the passwords you use for accessing networked services. But is now the time to begin writing them down? Threats are constantly evolving and perhaps it’s time to revisit one of the longest standing idioms of security – “never write a password down”.

Back in the day, a password was a critical part of the corporate identity system. You supplied your user ID and password pair in order to get online and to access key corporate resources. Access controls then extended the authentication model to enable greater control of what users could see, do and change. As new systems came online, and as business extended beyond the in-house corporate networks, additional (i.e. separate) authentication systems came into play. Despite multiple attempts at developing and deploying single sign-on (SSO), most employees still need to juggle a dozen passwords in order to do their work. If they have external Internet accounts as well, then they’ll be juggling several dozen additional passwords. Once you throw in their personal Internet accounts (webmail, Twitter, Facebook, LinkedIn, PayPal, Amazon, etc.) you’re quickly neck-deep in password soup.

What’s traditionally been the problem with writing down passwords anyway? Well, since passwords are the critical ingredient for access control, corporate security teams have long “educated” employees into never writing them down. To do so would potentially expose you to impersonation – and you’d ultimately be responsible for whatever (damage) the impersonator did in your name.

In the meantime, Internet guides, popular PC magazines, and practically every website that forces you to create a login account, all extol the virtues of never writing your passwords down. They also give you lots of additional advice – such as “use a strong password”, “use a unique password”, “never use the same password on a different site”, etc. All of which make it incredibly difficult for any practically minded human to keep track of which password belongs to which website. The net result being that the “password rules” are being repeatedly broken.

Now, to ease some of this burden, there has been a spurt of software tools that’ll remember passwords on your behalf. For example, the popular web browsers all provide some capability in this area. The problem though is that the bad guys have better tools. Practically all of today’s malware (along with all those botnets you hear about each day) has the built-in capability of grabbing/stealing both the passwords you’ve remembered and type in each time you visit a favorite website, and the passwords being conveniently “remembered” by the software on your computer.

Why would writing down a password be good? Well, it’s not a question of being good – just better. Granted, anything you type on your computer can (and will) be grabbed by the malware it’s been compromised with – but the lowest hanging fruit for the bad guys lies with all the stuff you’ve already asked your computer to remember on your behalf. After 3 months of use, web browser “remember” functions may have captured 50+ sets of authentication details. Within a few seconds of computer compromise, all three months’ worth of stored credentials will have been copied and stolen (oh, and they’re neatly formatted and sorted) – so the malware doesn’t need to do any work, and it doesn’t matter if your anti-virus software gets an update tomorrow capable of detecting the malware and removing it. The damage is already done.

Staying hidden on a victim’s computer is not a trivial task for much malware – particularly wide-spread Internet malware (anything with a name you may have read about). There are lots of things that can go wrong. AV updates may detect the infection, dropper websites may be taken down, upload sites may be sinkholed, CnC domains may be hijacked, etc., so it’s become important for modern malware to steal as much information as possible within the shortest possible time. Factors such as conveniently storing all your authentication details on your computer and recycling popular (i.e. memorable) passwords reduce the time the malware needs to be operating in order to steal critical data.

What about a few high-level odds?

  • 1:3 – home PC being infected with malware with password stealing capabilities in a given year.
  • 1:4 – home PC being infected with a botnet agent in a given year
  • 1:8 – corporate PC being infected with malware with password stealing capabilities in a given year
  • 1:12 – corporate PC being infected with a botnet agent in a given year
  • 1:160 – your car being stolen  in a given year
  • 1:700 – your home being burgled
  • 1:600,000 – being struck by lightning

I think it’s time to revisit the “never write a password down” idiom. Prioritizing best practices in password management, I’d be inclined to list them in the following order:

  1. Don’t use the same password on multiple websites
  2. Don’t let your computer “remember” your password!
  3. Use a “strong” password – preferably something with 12+ mixed characters
  4. Don’t use a predictable algorithm – e.g. abc<siteName>123
  5. Change your passwords regularly. For sites with lots of personal information and associated monies, change every 2-3 months. For other sites, try every 6-12 months.
  6. Don’t reuse past passwords – even if you think it’s a cool password.
  7. Don’t write your password down.
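To make the string-level rules concrete, here is an added Python example (not from the original post) that audits a small set of site/password pairs against rules 1, 3 and 4 above: reuse across sites, the 12+ mixed-character strength bar, and site-derived templates of the abc<siteName>123 kind. Rules 2 and 5 to 7 concern behaviour and process rather than the password string itself, so the audit does not cover them. The vault contents, rule labels and thresholds are constructed for the example.

```python
import string
from typing import Dict, List

MIN_LENGTH = 12   # the post's "12+ mixed characters"
MIN_CLASSES = 3   # lower, upper, digit, punctuation: require three of the four


def character_classes(pw: str) -> int:
    """Count how many of the four character classes appear in the password."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def site_tokens(site: str) -> List[str]:
    """Hostname labels worth checking for rule 4, minus 'www' and the TLD."""
    labels = [l for l in site.lower().split(".") if l and l != "www"]
    candidates = labels[:-1] if len(labels) > 1 else labels
    return [l for l in candidates if len(l) >= 3]


def looks_site_derived(site: str, pw: str) -> bool:
    """Rule 4: a template such as abc<siteName>123 embeds the site name in the password."""
    lowered = pw.lower()
    return any(token in lowered for token in site_tokens(site))


def evaluate_password(site: str, pw: str, vault: Dict[str, str]) -> List[str]:
    """Return the rule labels that a single site/password pair violates."""
    findings = []
    reused_on = sorted(s for s, p in vault.items() if s != site and p == pw)
    if reused_on:                                                    # rule 1
        findings.append("rule1-reused-on:" + ",".join(reused_on))
    if len(pw) < MIN_LENGTH or character_classes(pw) < MIN_CLASSES:  # rule 3
        findings.append("rule3-weak")
    if looks_site_derived(site, pw):                                 # rule 4
        findings.append("rule4-site-derived")
    return findings


def audit(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every entry; an empty list means the entry passes rules 1, 3 and 4."""
    return {site: evaluate_password(site, pw, vault) for site, pw in vault.items()}


# Constructed vault for the example; these are not real credentials.
SAMPLE_VAULT = {
    "mail.example.com": "Tr0ub4dor&3Gx!",
    "shop.example.org": "Tr0ub4dor&3Gx!",            # reused from mail.example.com
    "bank.example.net": "abcbank123",                 # short, and built from the site name
    "forum.example.io": "Quartz-Lantern-Velvet-47",   # long, mixed, unrelated to the site
}

if __name__ == "__main__":
    for site, findings in audit(SAMPLE_VAULT).items():
        print(f"{site:18} {'ok' if not findings else ', '.join(findings)}")
```

The reuse check compares plaintext values because the example holds its vault in memory; when auditing a real store, compare salted hashes of the passwords instead so the audit tool never needs the plaintext of entries it is not examining.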

Yes, that’s right – writing down your passwords comes in at a distant 7th place. In practical terms, even if you only manage the first 4 on the list, you’re probably going to be juggling at least a couple of dozen passwords (or, more than likely, 40+ on a regular basis for most people that spend any time online). The probability that your computer(s) will be compromised and that the information will be stolen by the bad guys’ malware is much, much greater than the probability that someone will manage to break into your house and target all the post-it notes you’ve stuck around your screen with all your passwords on them. In corporate environments there’s a higher probability that the evening cleaning crew would gain visibility of the passwords (so post-it notes aren’t to be recommended), but that risk of an insider threat is still going to be lower than your work computer being compromised.

The first 6 password recommendations would trump the 7th in most cases – provided you take care in how and where you write your passwords down. Be smart about it… but don’t underestimate the risks posed by modern malware either.

– Gunter Ollmann, VP Research

Hooked on Malware Counting

Wednesday, June 9th, 2010

It’s more than a little disappointing that the anti-malware industry is still fixated upon measuring a threat by the quantity of malware being distributed. Despite the fact that you could learn within an hour or two’s study (e.g. watching YouTube) how to generate a million brand spanking new, unique and “undetectable” malware by the end of the week, many people end up doing their best impressions of a stranded carp gasping for air as they attempt to digest the latest round of hefty malware statistics from security vendors.

But, for precisely the same reason you can generate your own personalized million malware samples, smarter analysis and threat mitigation techniques make the number counting largely irrelevant. Sure, signature-based detection systems have gone the way of the dinosaur and so too have hash-matching black-list processes – both defeated by serial variant production systems – but smarter systems can peer deeper into the binary file and automatically peel back the layers of armoring and obfuscation to get to the malicious core. Once you have your fingers wrapped around the heart of the badness contained within the binary, it becomes much easier to ascertain and understand the true nature of the threat.

Why is this important? Well, in the first instance, the criminals who pump out the most malware aren’t necessarily the biggest threat. For example, a criminal operator may be distributing their latest piece of uber-malware through a massive spam campaign. Even though they may have sent out 5 million spam emails containing the malicious file as an attachment, very few of the messages will probably make it to their intended victims – largely due to anti-spam technologies that utilize a heuristic based upon observing the same binary destined for multiple mail-boxes (regardless of the message’s text content) – and every anti-malware security vendor will have been alerted and have analyzed a copy of it within a few hours. So, despite the malware’s “uber” status and the “millions of samples observed worldwide”, the threat is minimal in reality.

Meanwhile, let’s say a different malware author creates a million serial variants of the same uber-malware. Because each sample binary “looks” different, it falls under dozens of different generic malware names (should it ever be “detected”), and it becomes practically impossible to cluster all the different samples into a single threat – so the single attack is attributed to dozens of lesser attacks. All this of course assumes that the malware author didn’t first QA each of their serial variant malware samples before release – and only a few thousand were subsequently caught by heuristic or behavioral analysis engines that happened to get updated during the author’s release cycle or while the malware was waiting patiently in the victim’s inbox prior to being opened.

Because the first attack makes it so easy to count the captured malware and the second attack is evasive, only the first will get much public attention – even though, by actually being in a position to count the distributed malware’s volume, the threat to the targets has already been neutered. Consequently, the “smaller” threat (and the criminal operator) slips under the radar once again. If the malware from the second attack had been analyzed correctly (i.e. peeling back the onion), the size and sophistication of the attack would have been evident and organizations would have been able to correctly prioritize that threat.

Meanwhile, as far as “counting the malware” goes, both attacks consisted of the same – single – piece of malware. 6 million, 5 million, 1 million or one single piece of malware? Which number do you think makes sense to worry about? Where does the threat really lie – in the number sent, the number captured and counted, or the sophistication of delivery?
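As an added illustration of the “peeling back the onion” point (example code, not Damballa’s analysis tooling), the Python below wraps one constructed core in a toy armoring layer (a one-byte XOR and random trailing junk) to produce serial variants, then counts them two ways: by file hash, which yields one “sample” per variant, and by the hash of the unwrapped core, which collapses them to a single threat. The TOYPACK format, the core bytes and the key schedule are all invented for the example and stand in for real packing and obfuscation.

```python
import hashlib
import os
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

MAGIC = b"TOYPACK"  # constructed toy format; not any real packer


def armor(core: bytes, key: int, junk_len: int) -> bytes:
    """Produce one 'serial variant': header, 1-byte XOR of the core, random trailer."""
    body = bytes(b ^ key for b in core)
    return MAGIC + bytes([key]) + struct.pack(">I", len(core)) + body + os.urandom(junk_len)


def unarmor(sample: bytes) -> Optional[bytes]:
    """Peel the toy layer off; returns None if the sample is not in this format."""
    header_len = len(MAGIC) + 1 + 4
    if not sample.startswith(MAGIC) or len(sample) < header_len:
        return None
    key = sample[len(MAGIC)]
    (core_len,) = struct.unpack(">I", sample[len(MAGIC) + 1:header_len])
    body = sample[header_len:header_len + core_len]
    if len(body) != core_len:
        return None
    return bytes(b ^ key for b in body)


def cluster_by_core(samples: List[bytes]) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Count samples by file MD5 (what a hash blacklist sees) and by core SHA-256."""
    file_hashes: Set[str] = set()
    clusters: Dict[str, List[str]] = defaultdict(list)
    for sample in samples:
        file_md5 = hashlib.md5(sample).hexdigest()
        file_hashes.add(file_md5)
        core = unarmor(sample)
        core_id = hashlib.sha256(core).hexdigest() if core is not None else "unwrappable"
        clusters[core_id].append(file_md5)
    return file_hashes, dict(clusters)


# Constructed stand-ins for malicious cores; plain text so the example stays readable.
CORE_A = b"grab forms; post to cnc.example.invalid"
CORE_B = b"send spam; relay via socks5"


def make_variants(core: bytes, count: int) -> List[bytes]:
    """Variants differ in XOR key and trailer length, so every file hash differs."""
    return [armor(core, key=(i * 37 + 11) % 256, junk_len=16 + i) for i in range(count)]


def count_report(samples: List[bytes]) -> Tuple[int, int]:
    """(distinct file hashes, distinct cores): the headline number versus the real one."""
    file_hashes, clusters = cluster_by_core(samples)
    return len(file_hashes), len(clusters)


if __name__ == "__main__":
    corpus = make_variants(CORE_A, 1000) + make_variants(CORE_B, 5)
    print("file hashes: %d, distinct threats: %d" % count_report(corpus))
```

Run stand-alone, the report shows 1,005 distinct file hashes but only two distinct cores, which is the gap between “samples observed” and threats that the post is pointing at; real unpacking is of course far harder than reversing a one-byte XOR, but the counting logic is the same once the core is reached.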

Greater care needs to be taken by the industry in evaluating the malware threat. Big numbers always sound great and garner a lot of public and media interest, but it’s rarely an indicator of where the real threat lies for those tasked with protecting the enterprise network.

– Gunter Ollmann, VP Research

Top-10 Botnet Malware Families of 2009

Wednesday, February 17th, 2010

Botnets aren’t malware and not all malware is useful to botnet operators. So what malware families proved to be most popular for those criminal botnet operators targeting enterprise business networks in 2009? Following on from this week’s earlier post covering the Top-10 Botnet Outbreaks in 2009, today I’d like to share with you Damballa’s analysis of the thousands of individual botnets we identified and tracked last year, along with the tens-of-millions of victim computer systems that were usurped into joining these botnets.

Note that the analysis here relates to the malware components that were successful in joining and participating in botnet command and control activities from within enterprise networks – and does not include “malware infections” that were caught/intercepted/removed beforehand.

Based upon our observations of botnet activity within enterprise networks (which are obviously different from the Internet at large), we found that the most frequently encountered malware used by botnet operators in 2009 was Koobface. Much of the success of this particular malware family had to do with its delivery technique, rather than any particular sophistication of the malware itself. The three major variants of the Koobface family (B, C, and D) dominated the Top-10 largest botnet infections of 2009 (as discussed in the previous blog).

Running a close second behind Koobface was the Zeus malware family. The popularity of this particular malware DIY construction kit cannot be underestimated. While the largest individually operated botnet found within enterprise networks during 2009 utilized the Zeus malware, many other smaller botnet operators also relied extensively on the same malware family. As such, Zeus-based botnets were the most frequently encountered botnets found to be successfully operating within enterprise networks (i.e. most enterprises have several distinct botnets operating within their networks – and Zeus-based botnets were found to be operating in almost all enterprise networks studied by Damballa).

It is interesting to note that the Top-10 botnet malware families uncovered within enterprise networks in 2009 all had fairly standard antivirus names. Unlike the majority of botnets that use custom/unique malware families that typically have no antivirus name, the most frequently encountered malware families had fairly good antivirus coverage. This perhaps speaks to the fact that many of the largest botnets are focused upon fast propagation and infection – therefore samples of their malware are easily obtained and are available for antivirus vendors to develop signatures. Unfortunately, many of these large (and efficient) botnet operators are increasingly focused upon monetizing their botnet acquisitions by carving them up for sale or sub-leasing their operation. When this occurs, they simply push down the preferred malware components of the new owner/operator of that botnet segment – and subsequent antivirus coverage is poor or (more commonly) non-existent.

It is for this very reason that the Top-10 botnet families of 2009 doesn’t (and can’t) include all those “unnamed” malware used by the more specialist and focused botnet operators. For example, the malware family now associated with the “Aurora” APT and referred to as Trojan.Hydraq didn’t have an antivirus name until a forensically acquired sample was obtained and the antivirus vendors had a chance to dissect it and develop a signature for it. In the months leading up to the public disclosure, the botnet operators and the malware family they spawned simply didn’t have a name – and would never have had an opportunity for consideration in a Top-10 malware families report. Just something to think about.

– Gunter Ollmann, VP Research

Corporate Espionage and Tethered Criminal Actions

Wednesday, January 13th, 2010

The media is buzzing with the latest news concerning Google and Adobe and the targeted attacks directed at their corporate systems. While it’s news, it’s important to understand that this isn’t something that’s only just happened – rather it’s been something that both these organizations (and dozens more) have been subjected to for quite some time; it’s just become public, and they’re admitting to being the victims. But this is important.

I’ve been providing security consultancy advice for a couple of decades. I’ve been pulled in to do post-attack forensics along with specialized pentesting, bug-hunting and reverse engineering for the majority of the Fortune 500 companies and in all that time, unless they were required to by law, not one has gone public about the attacks they were subjected to and the losses they have incurred. That’s why this Google/Adobe/etc. news is so significant – some Fortune-500 companies are actually saying “hey, enough already, we’re under constant attack – we need to do something collectively about this!”

What’s the primary vehicle for these (ongoing) attacks? You’ll hear plenty of discussion portraying viruses and malware as being the problem, and plenty of implications that the Chinese government lies behind the attack(s). But let’s be clear – that’s a fantastically simplistic view of the threat. Implying that the threat lies with targeted malware and China is like saying that drunk driving deaths are due to poor car design, and that the underlying cause is a particular beer brewery.

Malware is just a tool. The fundamental element to these (and any espionage attack) lies with the tether that connects the victim with the attacker. Advanced Persistent Threats (APT), like their bigger and more visible brother “botnets”, are meaningless without that tether – which is more often labeled as Command and Control (CnC).

The methods for getting a malware agent into an organization and on to key/critical hosts are incredibly diverse but, most importantly, can best be phrased as “trivial”. If someone wants to infect systems within a targeted organization and is willing to spend more than a few thousand dollars worth of effort to do so, it’ll happen – simple as that. Just as importantly, the malware being distributed and used in these kinds of attacks can be thought of as a Swiss Army knife with Klingon cloaking capabilities.

I jest only in part about the Klingon cloaking part – but it actually works well as a visual metaphor. Just as the Klingon Warbirds must decloak in order to launch their attack with photon torpedoes etc., APTs and botnets must decloak themselves at the network level in order to maintain their CnC connections and be successful in harvesting espionage data. While APTs are more surreptitious when it comes to CnC connectivity, their weakness lies in their network communications. At the host level, the probability of detecting an installation prior to actual financial/legal damage lies largely in the realm of dragons and mermaids.

Looking at the botnets we identify and track at Damballa that target enterprise networks, many of them fall into the classification realm of APTs. The malware component is under constant change – often being updated on a daily basis. Meanwhile the low-and-slow stealthy CnC traffic navigates the corporate network, weaves its way through fast-fluxing networks and stratified levels of command relays, and makes it back to the team who’s really in control of the compromised assets – a bunch of contracted criminals located somewhere safe and far away. I use the term “team” on purpose because this is an organized collective of professional operators – each with their own skills and specialties.

I see a lot of discussions about preventing systems from being compromised – in fact most of the security business today is exclusively focused on threat prevention. But, you know what, every year (for the last two decades at least) as antivirus vendors release their annual threat reports, the percentage of hosts known (or suspected) to be a victim and running malware has increased. As we launch into 2010, I think the percentage most industry experts and veterans would throw about would be 35-40 percent of all Internet-connected systems are compromised and currently running malware. Despite the terrific advances in detection, mitigation and cleanup – the numbers continue to go up. Despite the new detection technologies, the bad guys retain their lead. APT-related malware lies in a particular niche, but it isn’t being prevented from getting into a targeted organization. Let’s just face facts – if someone wants in on your organization and is willing to invest time and resources to do so, the probability that they will be successful certainly favors them.

Detecting and mitigating the CnC – breaking that tether of control – lies at the heart of dealing with this threat. By blocking those CnC channels, the bad guys can’t remotely control your enterprise systems, and they can’t extract the secret data they want. Tracing back who lies at the end of the CnC communication ultimately leads to the contracted criminals running the operation. The fact that those criminals happen to be located in a particular country is only part of identifying the instigators of the threat – but it’s probably as far as we’ll get.

Like I said earlier, I’ve had to deal with many of these threats before. In the UK, it appeared that many of the corporate espionage attacks were masterminded by French or US entities. In Taiwan it appeared to be China and South Korea. In China it appeared to be Taiwan and Australia. In Greece it appeared to be Turkey and Egypt. And so on… but those are only my specific experiences. [unfortunately, not a single corporate victim ever went public about the attacks they fell victim to - and probably never will... sigh]

With regards to the APTs and botnets that Damballa tracks, detects and mitigates… well, those CnCs are spread around all over the world and most likely reflect the locations of the professional teams that contract out their services, rather than the location of their ultimate customers.

My advice to organizations being targeted with APTs, botnets and unauthorized remote control of corporate resources? Focus on the network CnC – and mitigate there. By all means protect your perimeter and clean up your hosts – that’ll keep the unsophisticated script-kiddies and riff-raff off your systems – but it means very little to the pros. Success in dealing with this threat – the threat that Google, Adobe, and most global businesses (and governments) face constantly – is to identify which assets are currently compromised and “nuke-and-pave” them asap. I.e. identify systems that are trying to connect to their remote CnC, immediately cut that tether, and rapidly rebuild that system from a known good state (which is increasingly looking like a bare-metal state). If you can get that notification-to-rebuild process down to 20 minutes or less, you’ll be in a good position to deal with this class of threat long term. Until then, you’re just messing around at playing detective.
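As an added example of “identifying systems that are trying to connect to their remote CnC” (example code, not Damballa’s product or detection logic), the Python below reads constructed proxy-style log lines of the form timestamp, source, destination, groups connections by source/destination pair, and flags pairs whose inter-connection intervals are too regular to be a person browsing. The log format, the documentation-range addresses and the thresholds are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

MIN_CONNECTIONS = 6      # need several intervals before judging regularity
MAX_JITTER_RATIO = 0.10  # stdev/mean of the intervals; a fixed-sleep beacon stays well under this

Pair = Tuple[str, str]


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Log format assumed for the example: '<ISO timestamp> <src ip> <dst host or ip>'."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def periodicity(lines: List[str]) -> Dict[Pair, Tuple[float, float]]:
    """For each (src, dst) with enough connections: (mean interval in seconds, jitter ratio)."""
    times: Dict[Pair, List[datetime]] = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        times[(src, dst)].append(ts)
    results = {}
    for pair, stamps in times.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        results[pair] = (round(mean, 1), round(jitter, 3))
    return results


def suspected_beacons(lines: List[str]) -> List[Pair]:
    """Pairs whose connection rhythm is regular enough to look machine-driven."""
    return sorted(pair for pair, (_, jitter) in periodicity(lines).items()
                  if jitter <= MAX_JITTER_RATIO)


# Constructed log lines (documentation-range addresses). 10.0.0.7 checks in roughly
# every ten minutes; 10.0.0.8 is a person browsing; 10.0.0.9 has too few connections.
SAMPLE_LOG = [
    "2010-01-13T09:00:00 10.0.0.7 198.51.100.23",
    "2010-01-13T09:00:00 10.0.0.8 203.0.113.80",
    "2010-01-13T09:00:04 10.0.0.8 203.0.113.80",
    "2010-01-13T09:02:30 10.0.0.8 203.0.113.80",
    "2010-01-13T09:10:02 10.0.0.7 198.51.100.23",
    "2010-01-13T09:15:00 10.0.0.8 203.0.113.80",
    "2010-01-13T09:15:08 10.0.0.8 203.0.113.80",
    "2010-01-13T09:19:58 10.0.0.7 198.51.100.23",
    "2010-01-13T09:30:01 10.0.0.7 198.51.100.23",
    "2010-01-13T09:40:00 10.0.0.7 198.51.100.23",
    "2010-01-13T09:41:00 10.0.0.8 203.0.113.80",
    "2010-01-13T09:41:02 10.0.0.8 203.0.113.80",
    "2010-01-13T09:49:59 10.0.0.7 198.51.100.23",
    "2010-01-13T09:55:00 10.0.0.9 203.0.113.81",
    "2010-01-13T10:00:01 10.0.0.7 198.51.100.23",
    "2010-01-13T10:00:05 10.0.0.9 203.0.113.81",
]

if __name__ == "__main__":
    for src, dst in suspected_beacons(SAMPLE_LOG):
        mean, jitter = periodicity(SAMPLE_LOG)[(src, dst)]
        print(f"{src} -> {dst}: every {mean}s, jitter {jitter}")
```

Regularity is only one signal: the low-and-slow CnC the post describes can add randomised sleeps, so in practice this view is combined with destination reputation and rarity (how many hosts in the enterprise talk to that destination at all). Its value is in producing the short list of hosts that the 20-minute notification-to-rebuild process in the post is meant to act on.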

– Gunter Ollmann, VP Research

Third-Party Scanning: Who’s Really Responsible

Tuesday, May 19th, 2009

We have seen a number of large, well-known, third-party websites being used to deliver malware to unsuspecting users’ computers. Recently, Robert Graham of Errata Security highlighted this security problem with third-party sites. Mr. Graham identified two likely causes for this problem. First, the site may be using an outsourced advertising solution that is responsible. In this situation, the ad network provider is responsible for the content being delivered via their channels. Any lack of oversight here and a malicious ad can be sent that, in turn, delivers a malicious payload. The second possible scenario Mr. Graham presents is that the large site may itself have a security problem. In this case, attackers could find an appropriate attack vector such as SQL injection or cross-site scripting. The attacker can then leverage this vulnerability to directly manipulate the site and use it to deliver their malicious software.

I agree with these assumptions and am glad other security professionals have started to take notice of this growing problem. However, I vehemently disagree with Mr. Graham’s last point: “Large organizations might consider scanning websites that are popular among their users to look for obvious vulnerabilities like SQL injection. Like it or not, popular websites like CNN are part of your infrastructure, and when they get hacked, your users can get hacked.”

Third-party websites, such as CNN, are no more a part of a company’s infrastructure than the national power grid. While an enterprise may heavily depend on the electricity being delivered in a timely and reliable manner to their data center, they are at the mercy of the power companies to do just that. Individuals, teams, departments and companies that are not official employees or contractors for the power company have no right to independently test and certify the security of the power grid, and very well could face prosecution and detainment for attempting such. Knowing this, and realizing there may be problems, prudent data center operators ensure they are prepared to deal with any shortcomings of the local and national power company. We see this in the form of surge protection systems and uninterruptible power supplies.

Bringing this back to the specific argument at hand, does anyone other than CNN have a right to perform security scans on CNN infrastructure because it may impact their ability to work? No. If a company is reliant on the data a third-party site is providing, and they think there may be a problem with the integrity or availability of that system due to a security breach, the company needs to plan accordingly. Interestingly enough, most networks employ the appropriate tools and techniques to combat these security issues; however, they may not be deployed to combat this specific emerging threat.

Proper ingress and egress filtering can be used to shut down possible infection vectors as well as contain outbreaks due to maliciously delivered content. Content proxies can be used to cache heavily used websites as well as monitor the data for malicious content. Host-based intrusion detection systems and antivirus software can proactively scan files and eliminate some threats before they become a real problem. Network monitoring systems can keep an eye on the flow of information and detect when something is out-of-bounds and may require a closer examination. Each of these technologies can be deployed and utilized in a company’s real infrastructure to combat the problem faced while interacting with infrastructure that isn’t exactly theirs.

Make no mistake; Mr. Graham has highlighted a very important issue that is often overlooked. Malware is entering networks through the innocent and normal behavior of users browsing “trusted” third-party websites. While we disagree on the specific methodology for handling such situations, we can agree that companies have a right and responsibility to identify the threat, analyze the risk and use what’s legally in their power to reduce or remove the issue from impacting their operations.

– Randy Janinda, Senior Threat Analyst

Domain Registrar Bailout Worm

Tuesday, January 27th, 2009

In today’s downtrodden macro-economic climate (for those playing the executive buzzword drinking game, you may now drink), everyone is looking for a helping hand…full of cash. But perhaps there are those who find help in helping themselves. Domain registrars and hosting providers have been aware of an approaching dilemma for some time now; the supply of quality domain names is close to exhausted. This is why some names have supposedly been sold for over $100k, and people like Kevin Ham have made multi-million dollar careers out of domain real estate. They have realized, like the single woman in her forties and late arrivals to the big shoe sale, “all the good ones have already been taken.” The average user can relate to this experience when signing up for an already bloated online service like MySpace or Gmail. Someone is already using all your favorite and most secret usernames, so you end up with a nonsense handle or last week’s lottery numbers appended to your name.

Nobody wants a gobbledegook domain name (gobbledegook.com is already taken), and registrars know this. So how do you sell “alkdfnvsdk.biz” or “zxyvchgaffq.com” and all their blatherskite brethren (blatherskite.com is already taken)? The answer lies in a worm called Conficker and in chumps called researchers or security experts. Conficker or Downadup, the little worm making the big noise in the press, generates hundreds of random gibberish domain names every day as potential Command-and-Control sites. Many of these are not registered, with good reason: they are not real words, so they are not valuable as domain names (some don’t even have vowels). However, researchers across the board are anxious to gather statistics on Conficker and are doing so by registering these domain names under the security umbrella. This umbrella unfortunately does not shield us from having to pay registrars/hosting providers for their services. Good guys and bad guys alike have to pony up for these otherwise useless and formerly revenue-dead-end domain names, and the money is flowing.
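As an added example (not Damballa’s code, and not a reimplementation of Conficker’s own name-generation algorithm), here is a Python heuristic a defender might run over resolver logs to triage domains that look like the generated gibberish described above: it scores the second-level label on vowel ratio and longest consonant run, the two properties the paragraph calls out. The thresholds are constructed for the example, and the domain list mixes the post’s own examples with one constructed control name.

```python
from typing import Dict, List

VOWELS = set("aeiou")
MIN_VOWEL_RATIO = 0.20   # thresholds constructed for this example; tune on real resolver logs
MAX_CONSONANT_RUN = 4


def second_level_label(domain: str) -> str:
    """'alkdfnvsdk.biz' -> 'alkdfnvsdk'; naive about multi-part suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def vowel_ratio(label: str) -> float:
    """Fraction of alphabetic characters that are vowels (0.0 for an empty label)."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def longest_consonant_run(label: str) -> int:
    """Longest run of consecutive consonants; 'y' counts as a consonant here."""
    best = run = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def score_domain(domain: str) -> Dict[str, object]:
    """Score one domain and list the reasons (if any) it looks generated."""
    label = second_level_label(domain)
    ratio = vowel_ratio(label)
    run = longest_consonant_run(label)
    reasons = []
    if ratio < MIN_VOWEL_RATIO:
        reasons.append("low-vowel-ratio")
    if run > MAX_CONSONANT_RUN:
        reasons.append("long-consonant-run")
    return {"label": label, "vowel_ratio": round(ratio, 2),
            "consonant_run": run, "reasons": reasons, "suspicious": bool(reasons)}


def triage(domains: List[str]) -> List[str]:
    """Return the domains worth a closer look, in input order."""
    return [d for d in domains if score_domain(d)["suspicious"]]


# The first four names appear in the post; the last is a constructed control entry.
SAMPLE_DOMAINS = [
    "alkdfnvsdk.biz",
    "zxyvchgaffq.com",
    "gobbledegook.com",
    "blatherskite.com",
    "securityblog.example",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(d, score_domain(d))
```

Short brand labels and vowel-less acronyms will trip the vowel test, so in practice this sits behind an allowlist of known-good domains and next to a volume view: one host resolving a few odd names is noise, while hundreds of never-before-seen names per day from the same host is the pattern worth an analyst’s time.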

So is this just an elaborate Conficker con to give a collective registrar a cash boost? Is the security industry, Damballa included, being duped by Downadup to make more domain dough? (Think Batman TV narrator from the ’60s.) Not likely, but it would be hard to hold a grudge against such a creative ploy. That’s like getting angry at kittens.

- Matt Sully, Senior Threat Analyst

Rogue AV: Just Blame the Dog

Friday, October 17th, 2008

Every thread in a computer troubleshooting forum begins about the same. “My wife was messing around on the Internet and got this strange virus,” or “my kids were goofing on the computer and now I’m sure we’ve got a trojan or something.” First off, I’m fairly sure CastleCops doesn’t demand to know who is at fault when you approach them for assistance. Secondly, in an age where we have commercials about erectile dysfunction and TV game show contestants fail to match wits with fifth grade children, is it really that emasculating or embarrassing to admit your computer got compromised? So when my girlfriend called and told me she had been looking for decorative additions to her MySpace page and her computer was now spewing pop-up alerts about a possible infection, I felt a twinge of kinship for these troubled men and their unfortunate circumstances. It was also quite coincidental that I was neck deep in rogue AV analysis and knew instantly what had happened to her.

Rogue AV has been giving people false impressions for years now, spouting exaggerations on par with anyone in the early stages of courtship. So while the rogue dater is all flowers and joy, the rogue software is free scans and fear. Unknown to the inexperienced is that this thing (person or software) may just end up taking your money with only empty promises in return.

For those with no base of understanding on the subject, rogue AV is fake antivirus software, designed to fool you into believing you have an infected system when the newly installed rogue AV may be the only legitimate infection you have. It fakes virus scans of your computer, almost always alerting you of massive findings. Once you’re convinced that your computer is infested with malware, you’re offered the assistance of the bogus product to remediate the problem. Of course, even after purchase of the full version, the product fails to work and only continues to make false claims of compromise. The big difference is that now the bad guys have your credit card information.

One reason for my blooming interest in rogue AV is in witnessing just how widespread this problem is, now emphasized by its presence in my home. I see it daily in my research, adding list after list of domains involved with its propagation. It has stemmed from fake codecs, fake or hacked ad banners on key sites, and has even bombarded OS-straddling clipboards that force pasting of relevant URLs into forums, unbeknownst to the user. Rogue AV is an international epidemic, as seen by the rogue AV sites written in German, Swedish, Dutch, French, Spanish, Italian, and Chinese. It has affected users of sites like Photobucket.com, Newsweek, 123greetings, ClassMates, Metacafe, Expedia, MySpace, CNN, and Rhapsody. Presumably this malware has reached millions, but how many have been duped and actually purchased these products? How much money is being shelled out for these hollow applications? At $50 a pop this could be quite a profitable grift, especially when I see complaints filed by customers claiming to have been charged triple that amount. According to PandaLabs’ blog, they estimate profits for rogue AV to be $15,000,000 per month. (I can’t help but picture Scrooge McDuck swimming through a pool of gold pieces.)

People who buy these rogue AV products aren’t stupid and shouldn’t feel embarrassed about sharing their stories. Why shouldn’t they listen to what their computer tells them? That’s what it looks like to the layman, an alert from Windows, and it is understandable that people are fooled. From the virus scans to the desktop alerts, the blue-screen screen savers, and the product website, down to the design of the packaging, the logos, the color schemes, testimonials and endorsements, it all looks real and trustworthy. It doesn’t feel like advertising and it wasn’t promoted to them via spam, but appears to be endorsed by the OS. The user may be suspicious of this savior showing up only moments after a gang of hooligans, but they are in trouble and any help becomes welcome. Following the button-clicking trail to eventual purchase seems natural and safe, and the anticipation of relief from this disaster greases the process. This is a sophisticated and well-formed ruse, so well-formed that the misspellings and questionable grammar go unnoticed at first glance. These people are good at what they do and they’re taking advantage of people’s trust and lack of information, which is why this problem needs to be publicized as much as possible.

Inform the people you know about rogue AV. Research it and tell them what to look for. Pay attention to what site you were on when you received the first alert and let the site owners know what happened. I failed to talk about this particular malware with my girlfriend, but she knew who to call when things got shady. (Sorry for the after school special wrap up but seriously, this stuff is rampant.)

Last bit: Beyond antivirus software, there are other rogue programs floating around out there as well, including data encryption, system optimization, and filtering programs. One of the filtering programs claims to “guard your family from: violence…addictions…drugs…pornography…adult chats…religion…gambling (and)…politics.” If you extract these subjects from the Internet experience I’m really unsure what would remain. Guess I could still order a pizza, but without drugs, violence and porn my weekends are sure going to be dull.

- Matt Sully, Damballa Researcher

Don’t Forget the BIOS!

Friday, September 19th, 2008

Jeff McGough, Damballa’s VP of Operations, gave some sage advice in his post titled, “So you have a compromised asset….” His claim, “Nothing about this asset can be trusted,” may be more of a mouthful than even he realizes. Damballa has seen first-hand that some forms of malware will attack and compromise a computer’s Basic Input/Output System (BIOS). A comprehensive incident response program should include mandatory BIOS reinstall from a known good BIOS image for all compromised systems.

I’m going to go a step further and say something that may make you think I’m off my rocker entirely: for the ultra-paranoid tin-foil hat types, you really should consider complete physical destruction of the entire system. I’ve heard that in certain government agencies, this actually is their policy.

Insanity you say? Perhaps, but consider the following:

  • There have been cases of large batches of hard drives manufactured overseas being shipped with compromising malware pre-installed on them (http://blogs.zdnet.com/hardware/?p=928). In this case, it wasn’t compromised firmware, but incidents like this clearly illustrate a quality assurance failure that opens the door for compromise at every link in the supply chain.
  • Users with (and often without) local administrator rights can download and apply firmware updates for dozens of system components, including wired and wireless networking, audio, and video cards. If local users have this level of access, attackers with access to a compromised operating system have had the opportunity as well.

As Jeff says, truly nothing about the asset can be trusted.

Comprehensive enterprise security programs need to cover the entire asset lifecycle from acquisition through disposal. They also need to include participation from all levels of the supply chain. If you aren’t sure you have clean BIOS and firmware images for all system components, press your vendors to provide them to you for independent verification and your use in internal system preparation.

If installation of these images isn’t part of your acquisition process, you are already at risk. If reinstallation of these clean images isn’t part of your incident response host remediation process, your process is incomplete.
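One way to make the “independent verification” step concrete, as an added example that is not part of the original post or of Damballa’s process: compare a firmware image dumped from a host against the digest the vendor published for the known-good image, and report each component as clean, modified, unknown (no vendor digest on file) or missing (listed in the manifest but absent from the dump). The component names, the images and the manifest are constructed stand-ins; a real manifest would hold the vendor’s published digests.

```python
import hashlib
import hmac

# Constructed stand-ins for vendor-supplied known-good images (not real
# firmware). In practice only the digests are needed: the vendor publishes
# them and the manifest below is built from those published values.
KNOWN_GOOD_IMAGES = {
    "bios": b"VENDOR-BIOS-IMAGE-1.02" + bytes(range(64)),
    "nic":  b"VENDOR-NIC-FIRMWARE-3.1" + bytes(range(32)),
}
KNOWN_GOOD_MANIFEST = {
    component: hashlib.sha256(image).hexdigest()
    for component, image in KNOWN_GOOD_IMAGES.items()
}


def verify_image(component, image, manifest=KNOWN_GOOD_MANIFEST):
    """Return 'clean', 'modified' or 'unknown' (no vendor digest on file)."""
    expected = manifest.get(component)
    if expected is None:
        return "unknown"
    actual = hashlib.sha256(image).hexdigest()
    # constant-time compare out of habit; the digests themselves are not secret
    return "clean" if hmac.compare_digest(actual, expected) else "modified"


def triage_host(dumped_images, manifest=KNOWN_GOOD_MANIFEST):
    """Map every component to a status. Components the manifest lists but the
    dump lacks are 'missing', so an incomplete dump cannot pass by omission."""
    report = {component: "missing" for component in manifest}
    for component, image in dumped_images.items():
        report[component] = verify_image(component, image, manifest)
    return report


def components_to_reflash(report):
    """Anything not proven clean gets reinstalled from the known-good image."""
    return sorted(c for c, status in report.items() if status != "clean")


# Constructed dump from a suspect host: the BIOS image has one byte changed,
# the NIC image matches, and the video firmware has no vendor digest on file.
_tampered_bios = bytearray(KNOWN_GOOD_IMAGES["bios"])
_tampered_bios[40] ^= 0x01
SUSPECT_HOST_DUMP = {
    "bios": bytes(_tampered_bios),
    "nic": KNOWN_GOOD_IMAGES["nic"],
    "video": b"UNLISTED-VIDEO-FIRMWARE",
}

if __name__ == "__main__":
    report = triage_host(SUSPECT_HOST_DUMP)
    for component, status in sorted(report.items()):
        print(f"{component:6} {status}")
    print("reflash:", components_to_reflash(report))
```

The comparison is only as trustworthy as the dump. By the post’s own premise that nothing on a compromised asset can be trusted, the image has to be read out-of-band (a hardware programmer, or a boot from known-good media), not through the suspect operating system, which could hand back a clean-looking copy.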

As Jeff noted, enterprises that take compromise response programs seriously are probably best off in the long run by developing highly efficient processes for complete system re-imaging. Unfortunately, that means the BIOS and firmware too.

If you have performed a business case assessment of the cost of a scalable re-imaging program versus manual processes for forensic response, we’d love to hear your thoughts.

- Tripp Cox, Damballa VP of Engineering

Circumstantial Evidence

Thursday, September 18th, 2008

Damballa’s engineering team uses an interesting internal lexicon for the various technologies employed by our Failsafe solution for enterprises. In many ways, our product architecture is modeled on the American legal system. Evidence is collected, perpetrators and victims are identified by name and other known aliases, a jury is assembled, a trial conducted, and the presence of a crime is decided by the jury’s consideration of all of the evidence.

Network security staff in many enterprises often struggle to grasp this concept, because they have been well trained in the model of host-based antivirus. They expect to be shown host-based evidence, such as a specific virus name and information about which files, registry keys, or other modifications to the compromised system confirm that the compromise is present. Damballa often cannot provide this level of precise host-based information for compromises we identify, and some of our customers initially view this as a weakness of our solution. It’s the network equivalent of lacking habeas corpus.

In many ways, however, this “weakness” is actually a key strength. Our Failsafe solution is incredibly non-disruptive compared with deployment requirements for the plethora of other, much less effective security tools. You don’t have to deploy software to each of your 100,000 Windows workstations or pass all of your Internet traffic through one of our devices in order to get the actionable information you need about compromises that exist on your network and how to eliminate them.

Instead, we look at the circumstantial evidence. It’s the network monitoring equivalent of who talked to whom, when, and what was said to each other. Some of our technologies are focused specifically on identifying patterns in these communications that are indicative of Command-and-Control (CnC) and/or attack behaviors (who, whom, and when). Other parts of our proprietary technology stack inspect what was said in the more suspicious of these conversations. Finally, we use sophisticated decision logic to correlate communication patterns with the transmission of high-risk content to draw our conclusions about who the victims are, what crimes were perpetrated against them, and by whom.
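To show the shape of the “who, whom, when” plus “what was said” correlation described above, here is an added example (not Damballa’s code and not a description of its Failsafe internals): it groups flow records by (internal host, external destination), treats a pair whose inter-contact intervals are regular as periodic beaconing, then combines that timing evidence with content-inspection alerts for the same pair to render a verdict with the supporting evidence attached. The flow records, the alerts, the thresholds and the two-level verdict scheme are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (seconds since capture start, internal host,
# external destination). Not real traffic.
FLOWS = [
    # host .5 contacts 203.0.113.9 every 300 s: the "when" pattern of a beacon
    (0, "10.0.0.5", "203.0.113.9"), (300, "10.0.0.5", "203.0.113.9"),
    (600, "10.0.0.5", "203.0.113.9"), (900, "10.0.0.5", "203.0.113.9"),
    (1200, "10.0.0.5", "203.0.113.9"), (1500, "10.0.0.5", "203.0.113.9"),
    # host .5 also visits another site irregularly: too few flows, too uneven
    (120, "10.0.0.5", "192.0.2.10"), (900, "10.0.0.5", "192.0.2.10"),
    (1400, "10.0.0.5", "192.0.2.10"),
    # host .7 talks to 198.51.100.4 at human-looking, irregular intervals
    (0, "10.0.0.7", "198.51.100.4"), (40, "10.0.0.7", "198.51.100.4"),
    (700, "10.0.0.7", "198.51.100.4"), (710, "10.0.0.7", "198.51.100.4"),
    (2000, "10.0.0.7", "198.51.100.4"),
    # host .9 beacons every 600 s but nothing suspicious was seen in content
    (0, "10.0.0.9", "203.0.113.77"), (600, "10.0.0.9", "203.0.113.77"),
    (1200, "10.0.0.9", "203.0.113.77"), (1800, "10.0.0.9", "203.0.113.77"),
    (2400, "10.0.0.9", "203.0.113.77"),
]

# Constructed output of a separate content-inspection stage ("what was said"):
# (internal host, external destination, finding).
CONTENT_ALERTS = [
    ("10.0.0.5", "203.0.113.9", "executable downloaded from unclassified host"),
    ("10.0.0.7", "198.51.100.4", "form data posted to a bare IP address"),
]


def beacon_candidates(flows, min_flows=5, max_cv=0.2):
    """Who talked to whom, and when: pairs whose inter-contact gaps are
    regular (coefficient of variation <= max_cv) across >= min_flows flows.
    Returns {(host, destination): mean_gap_seconds}. Thresholds are assumptions."""
    times_by_pair = defaultdict(list)
    for t, host, dest in flows:
        times_by_pair[(host, dest)].append(t)
    beacons = {}
    for pair, times in times_by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


def render_verdicts(flows, alerts):
    """Correlate the timing evidence with the content evidence per pair.
    Two independent lines of evidence -> 'compromised'; one -> 'suspicious'.
    Returns {(victim, suspect): (verdict, [evidence strings])}."""
    beacons = beacon_candidates(flows)
    findings = defaultdict(list)
    for host, dest, finding in alerts:
        findings[(host, dest)].append(finding)
    verdicts = {}
    for pair in set(beacons) | set(findings):
        evidence = []
        if pair in beacons:
            evidence.append(f"periodic contact every ~{beacons[pair]:.0f}s")
        evidence.extend(findings.get(pair, []))
        verdict = "compromised" if pair in beacons and pair in findings else "suspicious"
        verdicts[pair] = (verdict, evidence)
    return verdicts


if __name__ == "__main__":
    for (victim, suspect), (verdict, evidence) in sorted(render_verdicts(FLOWS, CONTENT_ALERTS).items()):
        print(f"{victim} <-> {suspect}: {verdict}")
        for item in evidence:
            print(f"    - {item}")
```

The point of keeping the two evidence sources separate until the verdict step is that each one alone is weak: software updaters and monitoring agents beacon on a schedule too, and a single content alert may be a false positive. Only the pair that shows both regular contact and a high-risk exchange is labelled compromised; the others stay at suspicious, with their evidence preserved for the analyst.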

Our enterprise customers receive a full summary of each of these network crimes and the ability to view all of the evidence we collected that led to the verdict that was rendered. Damballa provides network-derived evidence for these network-enabled crimes. That said, we are increasingly able to extract more intelligence from the network about specific host-based modifications, as well.

Much of our proprietary technology currently in development is focused on extending the actionable intelligence we provide to include specific instances of malware that have likely been installed on victim hosts, and detailed information about what modifications that malware likely made to them. These details are especially useful intelligence, as a vast amount of malware we identify is not recognized by the latest host-based tools and signatures from other vendors. Stay tuned as Damballa continues to lead the industry in these innovative technologies.

- Tripp Cox, Damballa VP of Engineering