Posts Tagged ‘command-and-control servers’
Tuesday, May 21, 2013 @ 05:05 PM gHale
A new, massive cyber espionage campaign is hitting as many as 71 victims each day, including government ministries, technology companies, academic research institutions, nongovernmental organizations and media outlets, researchers said.
The “Safe” campaign first surfaced in October 2012. Since then, nearly 12,000 unique IP addresses spread over more than 100 countries have connected to two sets of command-and-control (C&C) infrastructure, but the actual number of targets is probably smaller: many of these IP addresses are concentrated within specific network blocks and are likely used by the same organization, said Trend Micro researchers.
“Investigating and monitoring the activities of the Safe campaign over time, we were able to take advantage of the mistakes the attackers made and thus gain a deeper understanding of their operations,” the researchers wrote in a whitepaper.
“One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.”
The attacks start via Tibetan- and Mongolian-themed spear-phishing emails containing a malicious MS Word file specifically designed to exploit a vulnerability (CVE-2012-0158) in older versions of the software.
The decoy document would open, and in the background malicious files would be dropped onto the system in preparation for the second stage of the attack: The downloading and running of additional malware and tools such as off-the-shelf programs that are able to extract saved passwords from Internet Explorer and Mozilla Firefox as well as any stored Remote Desktop Protocol (RDP) credentials.
The analysis of the IP addresses contacting the two C&C servers found most targeted systems were in Mongolia, India, the U.S., China, Pakistan and the Philippines. A closer look at the C&C servers also allowed the researchers to identify the tools and source code the attackers used to create, distribute, and encrypt/decrypt data.
The malware author seems to be China-based and the researchers believe him to be a professional software engineer.
“The entire source code was explicitly written with future development in mind. It was modularized and heavily commented on in a way that allows further development even by several engineers. These qualities are traditionally seen in the work of professional software engineers that have been taught traditional computer science,” they said.
“Apart from being significantly well-organized and well-commented, the code was also developed with defensive programming in mind. Each of the variables was named in a very obvious manner, helping other engineers easily distinguish functionality; again, a trait seen in the work of many professional software engineers. In addition to being heavily commented on and using intuitive variable naming conventions, the code also had an apparent slant toward usability. Each interface was very intuitive and well-designed, something not often seen in the code of a hobbyist.
“The use of terms like ‘bot,’ combined with the author’s posting of the malware code to code-sharing sites, indicates a degree of familiarity with the cybercriminal underground in China.”
But the campaign’s operators remain a mystery due to their use of VPNs and proxy tools.
Monday, May 20, 2013 @ 01:05 PM gHale
A family of information-stealing malware targeting Pakistan looks like it is coming out of India.
Unlike other known cyber espionage campaigns, this one appears oddly rudimentary in that it uses publicly available tools and basic obfuscation methods, and doesn’t encrypt its command-and-control communications, according to researchers at Eset, which posted its analysis of the malware and attack.
“String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work,” said Jean-Ian Boutin, a malware researcher with Eset.
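An analyst who meets strings obfuscated this way can recover them without knowing the shift: try every rotation and keep the candidate that reads best. The block below is an added example written for this page, not Eset’s code; PLAINTEXT, SHIFT_USED, the token list and the sample string are all constructed.

```python
"""Recover strings hidden with a simple rotation (shift cipher).

Added example, not Eset's code. The malware above obfuscates its strings
with a simple rotation, so an analyst can try all 26 letter shifts and keep
the candidate that contains the most recognisable tokens. PLAINTEXT and
SHIFT_USED exist only to build the constructed sample OBFUSCATED; a real
analysis would start from the string pulled out of the binary.
"""
import string

# Constructed sample: what the malware might store, and the shift it used.
PLAINTEXT = "GET /upload.php?id=victim HTTP/1.1"
SHIFT_USED = 7

# Tokens an analyst expects in C&C strings; longer hits weigh more so that a
# chance two-letter match on a wrong shift cannot win.
COMMON_TOKENS = ("http", "get", "post", "upload", "php", "user", "pass",
                 "host", "windows", "temp", "exe", "dll", "id")


def rotate(text: str, shift: int) -> str:
    """Rotate A-Z and a-z by `shift` positions; other characters pass through.
    Assumption: letters-only rotation, the classic shift cipher; a negative
    shift undoes the matching positive one."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


OBFUSCATED = rotate(PLAINTEXT, SHIFT_USED)


def readability(candidate: str) -> int:
    """Score a candidate by the total length of known tokens it contains."""
    low = candidate.lower()
    return sum(len(tok) for tok in COMMON_TOKENS if tok in low)


def recover(obfuscated: str) -> tuple:
    """Try every shift and return (shift, plaintext) for the best-scoring one."""
    ranked = sorted(((readability(rotate(obfuscated, -s)), s) for s in range(26)),
                    reverse=True)
    _score, shift = ranked[0]
    return shift, rotate(obfuscated, -shift)


if __name__ == "__main__":
    shift, text = recover(OBFUSCATED)
    print(f"obfuscated: {OBFUSCATED}")
    print(f"shift {shift}: {text}")
```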
The malware campaign is at least two years old and spreads via phishing emails with rigged Word and PDF files, according to Eset. It steals sensitive information via keyloggers, screenshots, and uploading stolen documents, unencrypted. “The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation,” Boutin said.
The attack uses a code-signing certificate issued in 2011 to Technical and Commercial Consulting Pvt. Ltd., a New Delhi, India-based company, which let the signed malware binaries spread within the victim organization. The certificate was revoked in late March 2012 but was still in use; Eset contacted VeriSign, which revoked the certificate. Eset found more than 70 binary files signed with the malicious certificate.
Among the attachments was one that appears to be about Indian military secrets. “We do not have precise information as to which individuals or organizations were really specifically targeted by these files, but based on our investigations, it is our assumption that people and institutions in Pakistan were targeted,” Boutin said.
Nearly 80 percent of the infections are in Pakistan, according to Eset. One version of the attack exploits a known and patched Microsoft Office flaw, CVE-2012-0158; the malware executes once the victim opens a malicious Word attachment. The other infection method uses PE files that appear to be Word or PDF attachments.
The attackers used NirSoft’s WebPassView and Mail PassView tools for recovering passwords in email clients and browser stores; the tools ended up signed by the malicious cert.
Monday, April 8, 2013 @ 02:04 PM gHale
Yes, it focuses on the banking industry and it doesn’t really work in the manufacturing automation sector, but the credential-stealing Shylock Trojan is growing increasingly sophisticated, a new report said.
Its level of sophistication keeps rising because its creators continue adding new modules and functionalities to the man-in-the-browser malware, according to a Symantec report.
Shylock makes its loot via man-in-the-browser (MiTB) attacks designed to pilfer banking login credentials from a predetermined list of target organizations. Symantec said Shylock is targeting more than 60 banks and financial institutions mostly in the United Kingdom but also in the United States and Italy. From its inception in July 2011 until around May of 2012, Shylock was only targeting institutions in the UK, so this global expansion is part of the Trojan’s new look.
The malware’s creators are also refining the target list to root out less valuable banks that have either become harder to compromise or no longer provide services for high-value clients.
Shylock’s list of potential features includes:
• an archiver that allows it to compress and upload recorded video files to remote servers,
• a BackSocks mechanism that allows Shylock to use infected machines as proxy servers,
• a diskspread functionality that lets Shylock spread via removable drives,
• an ftpgrabber module that supports password theft from various applications,
• an MsgSpread module that gives Shylock the ability to proliferate through Skype instant messages, and
• a VNC component that provides attackers with a remote connection to compromised devices.
Shylock’s creators aren’t just refining their target list and adding features to expand its capabilities and reach; they’re also fortifying its infrastructure to avoid downtime.
Shylock possessed the ability to move itself over Skype messages since January. Before that, its most substantial upgrade happened in November of last year, when its creators added a detection-evading function that let them determine whether the virus was executing organically on a computer or if researchers were opening it in a virtual machine to pick it apart.
Wednesday, March 27, 2013 @ 12:03 PM gHale
Back in July the command and control (C&C) servers utilized by Grum, a spam botnet that was the world’s third largest at the time, ended up shut down by Spamhaus, FireEye and CERT-GIB.
Just a few short months later, FireEye researchers found the botnet’s masters had started reinstating its C&C servers. At the time, since there were only a couple of new servers, no major spam activity was observed.
However, now, researchers from Trustwave’s Spider Labs found the volume of spam from Grum is constantly increasing.
So far, the spam volume is small compared to what it had been before the takedown, but it’s a clear sign that Grum is making a comeback. Grum’s main payload is to send out pharmaceutical spam.
“Perhaps bot herders behind Grum botnet are slowly rebuilding it again,” said Rodel Mendrez of SpiderLabs. “We’ve been involved in helping various botnet takedowns before, but most of the time, the effect is temporary. It seems this botnet is deeply rooted, that you couldn’t take it down by its branch and fruit, but by its roots.”
Monday, December 10, 2012 @ 04:12 PM gHale
In what could be a developing trend, there is a botnet out there controlled by its creators over the Tor anonymity network.
If this approach works out for the botnet’s operators, other operators could adopt it over time, said researchers at vulnerability assessment and penetration testing firm Rapid7.
The botnet is called Skynet and can launch DDoS (distributed denial-of-service) attacks, generate Bitcoins — a type of virtual currency — using the processing power of graphics cards installed in infected computers, download and execute arbitrary files or steal login credentials for websites, including online banking ones.
While that is big stuff and can wreak havoc on victims, the core of the issue is that the botnet’s command and control (C&C) servers are only accessible from within the Tor anonymity network using the Tor Hidden Service protocol.
Tor hidden services are most commonly Web servers, but can also be Internet Relay Chat (IRC), Secure Shell (SSH) and other types of servers. You can only get access to these services from inside the Tor network through a random-looking hostname that ends in the .onion pseudo-top-level domain.
The Hidden Service protocol hides the IP (Internet Protocol) address of the clients from the service and the IP address of the service from the clients, making it almost impossible for the parties involved to determine each other’s physical location or real identity. Like all traffic passing through the Tor network, the traffic between a Tor client and a Tor hidden service is encrypted and randomly routed through a series of other computers acting as Tor relays.
Tor Hidden Services are perfect for a botnet operation, said Claudio Guarnieri, a security researcher at Rapid7 and creator of the Cuckoo Sandbox malware analysis system. “As far as I understand, there is no technical way neither to trace and definitely neither to take down the Hidden Services used for C&C.”
Guarnieri published a blog post about the Skynet botnet. He believes the botnet is the same one described by a self-confessed botnet operator in an “IAmA” (I am a) thread on Reddit seven months ago. Reddit “IAmA” or “AMA” (ask me anything) threads allow people who perform various jobs or have various occupations to answer questions from other Reddit users.
Despite the wealth of information about the botnet offered by its creator on Reddit seven months ago, the botnet is still alive and strong. In fact, Rapid7 researchers estimate the botnet’s current size at 12,000 to 15,000 compromised computers, up to 50 percent more than what its operator estimated seven months ago.
The malware behind this botnet is distributed through Usenet, a system originally built at the beginning of the 1980s as a distributed discussion platform, but now commonly used to distribute pirated software and content, commonly known as “warez.”
The Skynet malware has several components: an IRC-controlled bot that can launch various types of DDoS attacks and perform several other actions, a Tor client for Windows, a Bitcoin mining application and a version of the Zeus Trojan program, which is capable of hooking into browser processes and stealing log-in credentials for various websites.
While good for anonymity, Tor does have disadvantages for a botnet operation, such as increased latency and sometimes instability.
“Obviously they [the botnet operators] can’t tunnel just everything through Tor,” Guarnieri said. “If the botnet is performing some heavy, frequent and noisy communication, then it could be problematic.”
However, if the goal is just for the infected machines to be able to retrieve commands from a server in a reasonable time without exposing its location, then Tor works well enough, he said.
Tuesday, December 4, 2012 @ 04:12 PM gHale
Microsoft won a court order to allow the company and its financial-services partners to continue to administer command-and-control servers for two Zeus botnets shut down by the company’s legal and technical campaign in March 2012.
The motion for a default judgment, granted Nov. 28 by the U.S. District Court in the Eastern District of New York, gives Microsoft and the National Automated Clearing House Association (NACHA) an injunction that allows the companies to keep the two Zeus botnets and their associated domains disabled for another 24 months.
The original takedown, codenamed Operation b71, seized command-and-control servers in Pennsylvania and Illinois and disrupted the online-fraud networks.
“This additional time will allow Microsoft to continue to work with Internet service providers and Computer Emergency Response Teams (CERTs) to clean those computers that are still infected with the malware,” said Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit.
Zeus is perhaps the best known of a class of programs known as banking Trojans, designed to silently compromise a victim’s computer and allow an attacker to record banking credentials and piggyback on the user’s online financial sessions to steal money. Overall, Zeus is an infection framework that allows attackers to create malware and spread it using spam campaigns. In addition, the toolkit includes server software to manage the resulting network of compromised machines or botnet.
The takedown effort appeared to have a substantial impact on the spread of Zeus as the foundation of cyber-criminals’ botnets: Attempts at infecting systems with Zeus fell by more than half, to 336,000 for a single week in June from 780,000 for a week in early March.
Other successes have been minor. On July 2, the company publicly identified two of the defendants, Yevhen Kulibaba and Yuriy Konovalenko, but discovered that they are currently serving jail time in the United Kingdom for convictions related to the Zeus malware. Officials have identified only four of the 39 defendants originally named in the lawsuit.
Over the past three years, Microsoft has used a combination of civil lawsuits and technical takedowns to disrupt the operations of four botnets: Waledac in Operation b49, Rustock in Operation b107, Kelihos in Operation b79, and Zeus in Operation b71, the latest operation.
The most successful takedown may have been the shuttering of the Rustock botnet, which led to a sustained drop in spam levels. A year after the takedown, for example, spam had dropped to 100 million messages per day, from 150 million at the time of the takedown, according to messaging-security firm Commtouch.
Monday, September 24, 2012 @ 05:09 PM gHale
There is a cyber espionage campaign targeting several large companies, including two in the energy sector, Dell SecureWorks researchers said.
The campaign targeted an oil company in the Philippines, an energy firm in Canada, a military organization in Taiwan and other unidentified targets in Brazil, Israel, Egypt and Nigeria.
Mirage is the second cyber espionage campaign uncovered this year by the Counter Threat Unit (CTU) of security firm Dell SecureWorks.
The first campaign, dubbed Sin Digoo, targeted several petroleum companies in Vietnam, government ministries in different countries, an embassy, a nuclear safety agency and other business related groups.
The Dell SecureWorks researchers believe either the same group is behind both campaigns, or whoever is responsible for Mirage is working closely with those behind Sin Digoo.
There does seem to be a connection between the two attacks. The owner of three command and control domain names in the Mirage campaign has a connection to someone using the same email addresses as the owner of several C&C domains used in the Sin Digoo campaign.
The command and control IP addresses belong to the China Beijing Province Network (AS4808), said researchers. The China Beijing Province Network does have connections to malware and espionage.
The security researchers said the Mirage malware avoids detection by disguising its command and control communications as Google Searches by using SSL communications and a similar URL pattern to that of a Google Search.
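Where a TLS-inspecting proxy or an endpoint agent records full URLs, the disguise can be turned into a detection: flag search-shaped requests whose destination is not a Google host, or whose query value is an opaque token rather than words a person would type. The following is an added example for this page, not Dell SecureWorks’ detection logic; the log format, sample lines, host list and heuristics are all constructed assumptions.

```python
"""Flag C&C beacons disguised as Google Search requests (added example).

Mirage wrapped its C&C traffic in SSL and a URL pattern resembling a Google
Search. Where a TLS-inspecting proxy or an endpoint agent records full URLs,
a defender can flag search-shaped requests whose destination is not a Google
host, or whose query value is an opaque token rather than words a person
would type. The log format, sample lines and thresholds below are
constructed for this example; this is not Dell SecureWorks' detection logic.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumption: the legitimate Google search hosts; tune per environment.
GOOGLE_SUFFIXES = (".google.com", ".google.co.uk", ".google.de")

# Constructed proxy log, one request per line:
# "<timestamp> <client_ip> <method> <url>" (full URL assumes TLS inspection).
SAMPLE_LOG = """\
2012-09-20T10:15:02Z 10.1.2.3 GET https://www.google.com/search?hl=en&q=pipeline+maintenance
2012-09-20T10:15:09Z 10.1.2.3 GET https://www.google.com/search?q=kaspersky
2012-09-20T10:16:41Z 10.1.2.7 GET https://update-service.example.net/search?hl=en&q=ZGF0YTox
2012-09-20T10:17:00Z 10.1.2.7 GET https://update-service.example.net/search?hl=en&q=ZGF0YToy
2012-09-20T10:18:33Z 10.1.2.9 GET https://intranet.example.net/wiki/search?q=expense+report
"""

# Heuristic for an opaque (encoded) query value: base64/URL-safe charset,
# at least 8 characters, no spaces, and a digit or mixed case present.
_OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]{8,}$")


@dataclass
class Alert:
    client_ip: str
    host: str
    query: str
    reasons: list = field(default_factory=list)


def is_google_host(host: str) -> bool:
    host = host.lower()
    return host == "google.com" or host.endswith(GOOGLE_SUFFIXES)


def looks_like_google_search(url: str) -> bool:
    """Assumption: a Google-Search-shaped URL has path /search and a q= parameter."""
    parts = urlsplit(url)
    return parts.path == "/search" and "q" in parse_qs(parts.query)


def is_opaque_query(value: str) -> bool:
    """True for token-like values (e.g. base64 blobs), False for plain words."""
    if not _OPAQUE_RE.match(value):
        return False
    has_digit = any(c.isdigit() for c in value)
    mixed_case = value.lower() != value and value.upper() != value
    return has_digit or mixed_case


def scan(log_text: str) -> list:
    """Return an Alert for every search-shaped request that looks suspicious."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client_ip, _method, url = line.split(maxsplit=3)
        if not looks_like_google_search(url):
            continue  # not search-shaped; out of scope for this rule
        parts = urlsplit(url)
        host = parts.hostname or ""
        query = parse_qs(parts.query)["q"][0]
        reasons = []
        if not is_google_host(host):
            reasons.append("search-shaped URL to non-Google host")
        if is_opaque_query(query):
            reasons.append("opaque query value")
        if reasons:
            alerts.append(Alert(client_ip, host, query, reasons))
    return alerts


def beacon_counts(alerts: list) -> Counter:
    """Repeated hits from one client to one host are the beaconing signal."""
    return Counter((a.client_ip, a.host) for a in alerts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a.client_ip, a.host, a.query, "; ".join(a.reasons))
    print(beacon_counts(found))
```

Without TLS inspection the proxy sees only the CONNECT host, so in that case the non-Google-host check is the only part of this rule that still applies.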
According to the scanning service VirusTotal, only half of the major anti-virus scanners detected Mirage.
Victims of the Mirage campaign are hit by spear phishing emails containing a malicious executable. Clicking on the attachment drops a PDF along with the executable.
One of the spear phishing emails used in this campaign contained a pdf of a news story titled “Yemeni Women can participate in politics just like men, says President Saleh”.
Energy companies, along with pharmaceutical and high-tech industries, are the most common targets of these advanced persistent threat campaigns, said Don Smith, technology director at Dell SecureWorks.
“But we are seeing other industries now being targeted, and all businesses should ask themselves just how confident they are that their cyber security regime minimizes the risks of attack, but I would say very few in my experience,” he said.
Researchers at Dell SecureWorks have identified more than 580 separate families of malware related to targeted advanced persistent attacks.
In the face of this new breed of attacks, Smith said organizations should ensure they had a layered approach to security.
“There is no silver bullet to deal with these attacks which is why businesses need to have protections at all levels,” he said.
Organizations need to understand the threat landscape, who is likely to attack them and why, said Smith.
Where possible, he said, this should include a forensic capability so in the event of an attack, an organization can identify exactly what went wrong.
“Information security professionals must talk to the business executives to find out what they are most worried about losing and create an informed security strategy based on that,” said Smith.
Friday, August 10, 2012 @ 10:08 AM gHale
There is a new information-stealing malware with similarities to Stuxnet, Duqu and Flame, called “Gauss” that can collect information and send the data to its command-and-control servers, said researchers at Kaspersky Lab.
Kaspersky found Gauss on systems in Lebanon, the Palestinian Territories, and Israel. Gauss was also on a limited number of networks in the U.S.; however, the impact to these systems is currently unknown.
Kaspersky’s analysis found Gauss has similarities to Duqu, Flame, and Stuxnet.
The USB device information-stealing module exploits a known “.LNK” vulnerability (CVE-2010-2568), the same vulnerability exploited by Stuxnet. The USB module also includes an encrypted payload that has unknown functionality. Both ICS-CERT and US-CERT are evaluating the malware to understand the full functionality and will report updates as needed.
However, after early reporting and analysis, no evidence exists that Gauss targets industrial control systems (ICS) or U.S. government agencies.
Gauss collects information using various modules and, according to Kaspersky, has the following functionality:
• Injects its own modules into different browsers in order to intercept user sessions and steal passwords, cookies, and browser history,
• Collects information about the computer’s network connections,
• Collects information about processes and folders,
• Collects information about BIOS and CMOS RAM,
• Collects information about local, network and removable drives,
• Infects removable media drives with an information-stealing module in order to steal information from other computers,
• Installs the custom “Palida Narrow” font (purpose unknown),
• Ensures the entire toolkit’s loading and operation, and
• Interacts with the command and control server, sending the information collected to it, and downloading additional modules.
At this time, no specific mitigations are available, but the following general practices are recommended:
1. Exercise caution when using removable media, including USB drives, in order to prevent the spread of Gauss.
2. Apply Windows Updates to patch CVE-2010-2568.
3. Update antivirus definitions for detection of the Gauss malware.
4. Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
5. Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
6. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
Wednesday, July 18, 2012 @ 03:07 PM gHale
Two of the command-and-control (C&C) servers for one of the top spam-producing botnets, Grum, are now unplugged, Dutch authorities said.
The action was not a complete knockout though, as there are still two other C&C servers at work, but researchers are optimistic the volume of spam will drop as a result.
Researchers at FireEye had been watching the Grum botnet for a while and had pinpointed the four C&C servers used to control it. Two of the servers were in the Netherlands, one is in Russia and the other in Panama. In the last few days, officials in the Netherlands pulled the plug on the two servers in their country, severing half of the Grum botnet’s command infrastructure.
“These two CnC servers were responsible for pumping spam instructions to their zombies,” said Atif Mushtaq of FireEye in a blog post. “With these two servers offline, the spam template inside Grum’s memory will soon time out and the zombies will try to fetch new instructions but will not be able to find them. Ideally this should stop these bots from sending more spam. I am sure the absence of the spam sent by the world’s third largest spam botnet will have a significant impact on the global volume.”
Mushtaq said the company had been in touch with the hosting providers in Russia and Panama where the two remaining C&C servers are, but have had no luck getting them to respond.
“The ISP/Colos involved were contacted but they ignored the abuse notifications sent to them, even though they contained clear and complete evidence of bad behavior. This means that using these two live servers, the bot herders might try to recover their botnets by executing a worldwide update. No action has been taken by the bot herders so far. There is complete silence from their side,” he said.
Researchers and law enforcement agencies worldwide have been targeting major botnets with a variety of techniques for several years, with varying degrees of success. Botnets such as Mariposa, Kelihos, Rustock, and Zeus have been the subject of various takedown attempts. In some cases, they’ve been quite successful, and have had an effect on the level of spam or other criminal activity. In other cases, the botnets have morphed or bounced back in new forms.
But researchers have been honing their techniques, as well, and the involvement of big companies such as Microsoft, with a lot of legal and financial resources behind them, has made life more difficult for botnet providers.
Thursday, May 3, 2012 @ 04:05 PM gHale
Flashback’s latest version hitting Macs has a new command-and-control (C&C) infrastructure that uses Twitter as a fallback mechanism in case the normal C&C system isn’t available.
This is not the first time a botnet has used Twitter for command and control, but it is one way attackers keep trying to stay one step ahead of their potential victims. It is also a case where users need to remain vigilant and remember that today’s defense may not apply tomorrow.
The most recent version of Flashback, which infects Macs through the exploitation of Java vulnerabilities, has the ability to communicate with two separate tiers of C&C servers. The first type of server is a relay for redirecting traffic from compromised machines. Those servers allow the attackers behind the Flashback botnet to hijack users’ Web search traffic and push it to servers they control. The second tier of servers sends commands to the infected machines to perform specific actions on the Macs.
When infected Macs connect to the second type of C&C server, if they don’t receive a correctly formatted reply, they will then perform a search on Twitter for a specially formatted string, according to analysts at Dr. Web, a Russian security firm that has been following the Flashback case closely.
“If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=
Bot herders began using Twitter for C&C several years ago, with varying degrees of success. Twitter security officials were somewhat slow to catch on to that phenomenon, but have been quicker to respond.
Flashback is by no means the first piece of Mac malware, or even the most inventive, but it is the most successful. The malware infected several hundred thousand machines over the course of the last six months.
There are a number of different versions of Flashback circulating but the one that’s caused the most trouble is the one that has been exploiting Java vulnerabilities for the last couple of months. That version is going out in drive-by download attacks, which is a classic attack method for Windows vulnerabilities but has not been a big vector in the Mac world.