Wednesday, September 30, 2015

Down the Rabbit Hole: Botnet Analysis for Non-Reverse Engineers

This post is authored by Earl Carter & Holger Unterbrink.

Overview

Talos is often tasked with mapping the backend network for a specific piece of malware. One approach is to first reverse engineer the sample and determine exactly how it operates. But what if there is no time or resources to take the sample apart? This post is going to show how to examine a botnet from the Fareit family, starting with just an IP address. Then, using sandbox communities like Cisco ThreatGRID and open source products like Gephi and VirusTotal, we will track down and visualize the botnet.

Talos recently discovered some activity from the Fareit trojan. This family of malware has a significant history associated with malware distribution. It is mainly an information stealer and malware downloader network which installs other malware on infected machines. In this campaign, it mainly tries to steal Firefox and other credentials. It is possible that this botnet is sold as a pay-per-infection botnet in the underground markets. Pay-per-infection is an underground business model where criminals are paying other criminals to distribute their malware. The analysis below was mainly done in July 2015. Let’s take a walk on the wild side....

AMPs behaviour based detection found suspicious executables that downloaded files by using the following URLs in one of our customer networks.

http://89.144.2.119/cclub02.exe
http://89.144.2.115/cclub02.exe

We began analysing the infrastructure with focus on these two IP addresses and checked what other files they had been distributing. Initial analysis showed that VirusTotal found 25 and 38 files distributed from these two IP addresses. Almost all of the files in VirusTotal had different hashes, but similar or identical filenames. The following list is a sample of some of the files found in VirusTotal.

1197cb2789ef6e29abf83938b8519fd0c56c5f0195fa4cbc7459aa573d9e521b (cclub02.exe)
58f49493aa5d3624dc225ba0a031772805af708b38abd5a620edf79d0d3f7da0 (cclub02.exe)
d1b98b7b0061fbbdfc9c2a5a5f3f3bbb0ad3d03125c5a8ab676df031a9900399 (cclub02.exe)
c054e80e02c923c4314628b5f9e3cb2cad1aa9323cbcd79d34205ad1e3cad6c3 (cclub12.exe)
bd30242996a3689c36008a63d007b982d9de693766d40e43fe13f69d76e61b63 (cclub12.exe)
c609ef45f7ff918cbac24755a3a3becc65d1c06e487acd801b76a1f46e654765 (tarhun1.exe)

Wednesday, September 23, 2015

SYNful Knock Scanner

This post was authored by William McVey.

Update 2015-09-23: We updated the tool to version 1.0.1

Talos is constantly researching the ways in which threat actors are evolving to exploit systems. Recently, a piece of persistent malware coined as “SYNful Knock” was discovered on Cisco routers. While this malware attack is not a vulnerability, as it had to be installed by someone using valid credentials or who had physical access to the device, Cisco has published an Event Response Page for customers to provide the information needed to detect and remediate these types of attacks. We are also working with partners to identify compromised systems.

The most recent addition to the toolkit Cisco is providing customers comes after the Cisco PSIRT worked with internal teams and customers to acquire copies of the malware. Talos has now developed a tool for customers to scan their own network to identify routers that may have been compromised by this specific malware. The tool works by scanning devices and networks, looking for routers answering the SYNful Knock malware.

Note: This tool can only detect hosts responding to the malware "knock" as it is known at a particular point in time. This tool can be used to help detect and triage known compromises of infrastructure, but it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.

Tuesday, September 15, 2015

When Does Software Start Becoming Malware?

This post was authored by Earl Carter, Alex Chiu, Joel Esler, Geoff Serrao, and Brandon Stultz.

Defining what is malware relies on determining when undesirable behavior crosses the line from benign to clearly unwanted. The lack of a single standard regarding what is and what is not acceptable behavior has established a murky gray area and vendors have taken advantage of this to push the limits of acceptable behavior. The "Infinity Popup Toolkit" is a prime example of software that falls into this gray area by bypassing browser pop-up blocking, but otherwise exhibits no other unwanted behavior. After analyzing the toolkit, Talos determined that software exhibiting this type of unwanted behavior should be considered malware and this post will provide our reasoning.

Overview


Without a clear standard defining what is and is not acceptable behavior, identifying malware is problematic. In many situations, users are confronted with software that exhibits undesirable behavior such as the Java installer including a default option to install the Ask.com toolbar. Even though many users objected to the inclusion of the Ask.com toolbar, Oracle only recently discontinued including it in Java downloads after Microsoft changed their definition of malware which then classified the Ask.com toolbar as malware.

There is more to unwanted software than just browser toolbars or widgets. Suppose a piece of software exhibits the following characteristics. Would this be considered malware?

  • The user was not given a choice whether or not to execute this piece of software.
  • The software was designed to specifically bypass browser security and privacy controls using clickjacking techniques.
  • The software avoids detection by encrypting portions of its payload.
  • Extensive fingerprinting (browser, plugins, operating system, and device type) takes place and sent to a third party without user consent.

Tuesday, September 8, 2015

Vulnerability Spotlight: Microsoft Windows CDD Font Parsing KernelMemory Corruption

Discovered by Andrea Allievi and Piotr Bania of Cisco Talos.

Talos, in conjunction with Microsoft’s security advisory issued on September 8th, is disclosing the discovery of a memory corruption vulnerability within the Microsoft Windows CDD Font Parsing Kernel Driver. This vulnerability was initially discovered by the Talos and reported in accordance with responsible disclosure policies to Microsoft. Please see Talos's Microsoft Tuesday Blog for coverage information for this vulnerability. Read the full Talos Vulnerability Report via the talosintel.com portal here: TALOS-2015-0007

Details

A specially crafted font file can cause the Microsoft Windows CDD Font Parsing Kernel driver to corrupt internal memory structures. The DrvTextOut routine acquires and locks the associated device and behaves differently based on the surface type. If the type is a bitmap and the Windows DWM is on, the driver will read and write directly to the video frame buffer and calls EngTextOut, then exits. However, the driver behaves in an unexpected manner where a new background rect is generated mixing the "OpaqueRect" rectangle located in the sixth parameter and the rectangle located in the "pStringTextObj" object.


If the ClipObject describes a NON-Trivial clip, even the "rclBounds" of the clip object is merged to the background rectangle. The Font Object is parsed, and finally the routine decides if it should clip the background rect or not.


The final decision is based on the following check:

VulBlog1


Microsoft Patch Tuesday - September 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 55 CVEs. Five bulletins are rated "Critical" this month and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Journal, and Office. The other seven bulletins are rated "Important" and address vulnerabilities in the .NET Framework, Active Directory, Exchange, Hyper-V, Media Center, Skype for Business, and Task Management.

Thursday, September 3, 2015

Cognitive Research: Learning Detectors of Malicious Network Traffic

This post was authored by Karel Bartos, Vojtech Franc, & Michal Sofka.

Malware is constantly evolving and changing. One way to identify malware is by analyzing the communication that the malware performs on the network. Using machine learning, these traffic patterns can be utilized to identify malicious software. Machine learning faces two obstacles: obtaining a sufficient training set of malicious and normal traffic and retraining the system as malware evolves. This post will analyze an approach that overcomes these obstacles by developing a detector that utilizes domains (easily obtained from domain black lists, security reports, and sandboxing analysis) to train the system which can then be used to analyze more detailed proxy logs using statistical and machine learning techniques.

The network traffic analysis relies on extracting communication patterns from HTTP proxy logs (flows) that are distinctive for malware. Behavioral techniques compute features from the proxy log fields and build a detector that generalizes to the particular malware family exhibiting the targeted behavior.

The statistical features calculated from flows of malware samples are used to train a classifier of malicious traffic. This way, the classifier generalizes the information present in the flows and features and learns to recognize a malware behavior. We use features describing URL structures (such as URL length, decomposition, or character distribution), number of bytes transferred from server to client and vice versa, user agent, HTTP status, MIME type, port, etc. In our experimental evaluation, we used 305 features in total for each flow.