Thursday, April 28, 2016

Research Spotlight: The Resurgence of Qbot

The post was authored by Ben Baker.

Qbot, AKA Qakbot, has been around since at least 2008, but it recently experienced a large surge in development and deployment. Qbot primarily targets sensitive information like banking credentials. Here we unveil recent changes to the malware that haven’t been made public yet.

Qbot’s primary means of infection is as a payload in browser exploit kits. Website administrators often use FTP to access their servers, so Qbot attempts to steal FTP credentials to add these servers to its malware hosting infrastructure. Qbot can also spread across a network using SMB, which makes it very difficult to remove from an unprotected network.

Wednesday, April 27, 2016

The "Wizzards" of Adware

This post was authored by Warren Mercer with contributions from Matthew Molyett.

Executive Summary

In September 2015, Talos posted a blog which examined how often seemingly benign software can rightly be condemned as malware. With this in mind, this blog presents an interesting piece of “software” which we felt deserved additional disclosure. This software exhibits several questionable behaviors, including:

  • Attempts to detect sandboxes via a number of techniques 
  • Attempts to detect AV
  • Attempts to detect security tools and forensic software
  • Attempts to detect remote desktop
  • Secretly installs software on the end host without user interaction or EULAs
  • Informs C2 via encrypted channel what software was installed and what “effective_price” was associated with it

Vulnerability Spotlight: Further NTPD Vulnerabilities

As a member of the Linux Foundation Core Infrastructure Initiative, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. We previously identified a series of vulnerabilities in the Network Time Protocol daemon; through our continued research we have identified further vulnerabilities in the software.

Since 2013, criminals have been abusing NTP in amplified denial of service attacks. The ubiquity of the Network Time Protocol daemon and the importance of co-ordinated time for the correct functioning of many services means that it is a tempting target for attack. Vulnerabilities that allow the time as understood by ntpd to be altered can be used by attackers to set the time to an arbitrary value. This allows attackers to prevent time dependent services from starting because the time of activation is never reached, to provoke the depletion of system resources by repeatedly reaching the time of activation of services, to gain system access by using expired certificates, and to deny service by expiring legitimate services and caches. This is why identifying and remediating vulnerabilities within the time service matters.

Cisco has discovered six vulnerabilities within ntpd that allow attackers to craft UDP packets to either cause a denial of service condition or to prevent the correct time being set. We recommend that all users upgrade to the latest version of ntpd. 

Wednesday, April 20, 2016

Threat Spotlight: Exploit Kit Goes International Hits 150+ Countries

Nuclear Activity Across 10,000+ Cities in 150+ Countries
This post is authored by Nick Biasini with contributions from Erick Galinkin and Alex McDonnell.

Talos is constantly monitoring the threat landscape, and exploit kits are a constantly evolving component of it. An ongoing goal of Talos is to expose and disrupt these kits to protect the average internet user from being targeted and compromised. We were able to gain unprecedented insight into the Angler exploit kit and reveal details of its activity that were previously unknown. Now we have focused our attention on the Nuclear exploit kit with similar results.

The Nuclear exploit kit has been steadily compromising users for years and has been effective at evolving as well as adding new exploits to its arsenal. However, it has been operating largely off the radar compared to some of the more prolific kits that are active today. This lack of deep visibility was one of the driving forces behind the deep investigation into its activity. What we found was a sophisticated threat that has been successfully targeting and compromising users in more than 10,000 different cities in more than 150 countries.

Oracle OIT Image Export SDK libvs_pdf XRef Index Code Execution Vulnerability

This post was authored by Aleksandar Nikolic and Jaeson Schultz.

Talos has recently discovered a vulnerability in Oracle’s Outside In Technology Image Export SDK which, when exploited, allows an attacker to overflow the heap, leading to arbitrary code execution. The vulnerability lies in the Image Export SDK’s parsing of Portable Document Format (PDF) files.

While parsing a PDF file which contains an Xref object, values from the /Index entry are used to handle the decoded stream. A malformed PDF file whose /Index entry specifies more objects than the table was allocated for can lead to memory writes past the end of the allocated buffer, overwriting adjacent heap chunks.

The vulnerability is located in sub_B74EB0EE function in (image base is at 0xB74BF000). A heap structure is being iterated over in 16 byte increments starting at the following code:

.text:B74EC5D6                 mov     eax, [esp+0AFCh+var_A58]
.text:B74EC5DD                 shl     eax, 4
.text:B74EC5E0                 lea     eax, [edx+eax]
.text:B74EC5E3                 lea     edi, [eax+10h]                         [1]
.text:B74EC5E6                 mov     [esp+0AFCh+var_A38], 0
.text:B74EC5F1 loc_B74EC5F1:                           
.text:B74EC5F1                 cmp     word ptr [edi-2], 0
.text:B74EC5F6                 jnz     loc_B74EC856
.text:B74EC5FC                 cmp     [esp+0AFCh+var_A61], 0
.text:B74EC604                 jnz     loc_B74EC7FA
.text:B74EC60A                 mov     word ptr [edi-4], 1                    [2]
.text:B74EC610 loc_B74EC610:                           
.text:B74EC610                 mov     edx, [esp+0AFCh+var_A40]
.text:B74EC617                 mov     eax, esi
.text:B74EC619                 call    sub_B74C40A6
.text:B74EC61E                 mov     [edi-0Ch], eax                         [3]
.text:B74EC621                 add     esi, [esp+0AFCh+var_AD4]
.text:B74EC625                 cmp     [esp+0AFCh+var_A63], 0
.text:B74EC62D                 jnz     loc_B74EC7E5
.text:B74EC633                 mov     dword ptr [edi-8], 0                   [4]
.text:B74EC640                 add     [esp+0AFCh+var_A38], 1
.text:B74EC648                 add     edi, 10h                               [5]
.text:B74EC64B                 mov     eax, [esp+0AFCh+var_A50]
.text:B74EC652                 sub     eax, [esp+0AFCh+var_A58]
.text:B74EC659                 cmp     [esp+0AFCh+var_A38], eax
.text:B74EC660                 jnz     short loc_B74EC5F1                     [6]

In this code excerpt, the initial pointer to the structure being iterated over is derived from `eax` into `edi` at [1]. At [2], [3] and [4], depending on the branch taken, different values are written to the memory address pointed to by `edi` at a fixed offset. At [5], `edi` is advanced by 16 bytes and at [6] execution jumps back to the beginning of the loop. The number of times the loop executes is bounded by the number of objects specified in the /Index entry, not by the size of the allocated buffer.

An abbreviated version of the crashing test case:
1 0 obj <<
        /Index[40 20] 
        /Length 55 
        /Size 6 
        /W[0 1 0]>>
In this sample PDF file, /Size of 6 is specified but /Index states that the object stream contains references to 20 objects starting from object number 40. 

The supplied minimized testcase triggers the vulnerability and results in heap corruption and a function pointer overwrite. This function pointer is later dereferenced, giving direct control of the program counter. The vulnerability can be triggered with the `ixsample` program supplied with the SDK.
Starting program: /home/ea/oit_pdf/sdk/demo/ixsample trigger asd
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/".
Program received signal SIGSEGV, Segmentation fault.
EAX: 0x41454145 ('EAEA')
EBX: 0xb7af5b54 --> 0x36b98c 
ECX: 0x1 
EDX: 0x804eaf0 --> 0x0 
ESI: 0xbfffd298 --> 0xa ('\n')
EDI: 0x80b6b68 (0x080b6b68)
EBP: 0xb74eec64 ("Prev")
ESP: 0xbfffd23c --> 0xb78673ce (mov    edx,DWORD PTR [edi+0x10])
EIP: 0x41454145 ('EAEA')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
Invalid $PC address: 0x41454145
0000| 0xbfffd23c --> 0xb78673ce (mov    edx,DWORD PTR [edi+0x10])
0004| 0xbfffd240 --> 0xb74eec64 ("Prev")
0008| 0xbfffd244 --> 0x0 
0012| 0xbfffd248 --> 0xbfffd274 --> 0x0 
0016| 0xbfffd24c --> 0xb74f6998 --> 0x3787c 
0020| 0xbfffd250 --> 0xbfffd298 --> 0xa ('\n')
0024| 0xbfffd254 --> 0xbfffdd90 --> 0x0 
0028| 0xbfffd258 --> 0xb74eec64 ("Prev")
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41454145 in ?? ()
On April 19, 2016, Oracle released a patched version of the Image Export SDK which addresses this vulnerability. Talos has provided coverage against exploits targeting TALOS-2016-0086 via Snort Rules 37505 and 37506.
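The bug class is easier to see in source than in the disassembly. The following C program is an added example, not Oracle's code or Talos's test harness: it models an xref-stream table as 16-byte records (the field names are assumptions; the listing above only shows offsets from edi), parses /Size and the [first count] pairs of /Index out of a trailer dictionary, and places the unchecked fill loop next to a hardened one that rejects any subsection that does not fit inside /Size before writing a single record. The dictionaries are constructed: the first copies the abbreviated crashing test case above, the second is a well-formed counterpart.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 16-byte record mirroring the structure the loop above walks in 16-byte
   steps. Field names are assumptions; the disassembly only shows offsets. */
typedef struct {
    uint32_t offset;    /* written at [edi-0Ch] */
    uint32_t gen;       /* written at [edi-8]   */
    uint16_t type;      /* written at [edi-4]   */
    uint16_t flag;      /* tested at  [edi-2]   */
    uint32_t reserved;
} xref_entry;

/* One "first count" pair taken from the /Index array. */
typedef struct { uint32_t first, count; } xref_range;

/* Pulls "/Size N" and the [first count ...] pairs of /Index out of a
   trailer dictionary. Returns the number of pairs found, or -1 on error. */
int parse_xref_dict(const char *dict, uint32_t *size,
                    xref_range *ranges, int max_ranges)
{
    const char *p = strstr(dict, "/Size");
    if (!p || sscanf(p, "/Size %u", size) != 1) return -1;
    p = strstr(dict, "/Index");
    if (!p || !(p = strchr(p, '['))) return -1;
    p++;
    int n = 0;
    for (;;) {
        char *end;
        unsigned long v[2];
        while (*p == ' ') p++;
        if (*p == ']') return n;
        if (n == max_ranges) return -1;
        for (int k = 0; k < 2; k++) {            /* read one first/count pair */
            v[k] = strtoul(p, &end, 10);
            if (end == p || v[k] > UINT32_MAX) return -1;
            p = end;
        }
        ranges[n].first = (uint32_t)v[0];
        ranges[n].count = (uint32_t)v[1];
        n++;
    }
}

/* Overflow-safe test of whether [first, first + count) lies inside a table
   of `size` records; the subtraction form cannot wrap like first + count. */
int index_range_fits(uint32_t size, uint32_t first, uint32_t count)
{
    return first <= size && count <= size - first;
}

/* VULNERABLE shape (models the loop above): /Size decides how many records
   are allocated, but the /Index pair alone decides how many are written.
   With /Size 6 and /Index[40 20] every write lands beyond the 6-record
   buffer, clobbering whatever heap chunks follow. Shown for contrast only. */
xref_entry *fill_xref_unchecked(uint32_t size, const xref_range *r)
{
    xref_entry *tab = calloc(size, sizeof *tab);
    if (!tab) return NULL;
    for (uint32_t i = 0; i < r->count; i++) {    /* bound comes from /Index */
        xref_entry *e = &tab[r->first + i];      /* never compared to size  */
        e->type = 1; e->offset = 0; e->gen = 0;
    }
    return tab;
}

/* HARDENED: refuses any /Index subsection that does not fit within /Size
   before touching the table. */
xref_entry *fill_xref_checked(uint32_t size, const xref_range *ranges, int n)
{
    for (int k = 0; k < n; k++)
        if (!index_range_fits(size, ranges[k].first, ranges[k].count))
            return NULL;
    xref_entry *tab = calloc(size, sizeof *tab);
    if (!tab) return NULL;
    for (int k = 0; k < n; k++)
        for (uint32_t i = 0; i < ranges[k].count; i++) {
            xref_entry *e = &tab[ranges[k].first + i];
            e->type = 1; e->offset = 0; e->gen = 0;
        }
    return tab;
}

/* Constructed dictionaries: the crashing test case above and a valid one. */
static const char CRASH_DICT[] = "<< /Index[40 20] /Length 55 /Size 6 /W[0 1 0] >>";
static const char GOOD_DICT[]  = "<< /Index[0 4 4 2] /Length 55 /Size 6 /W[0 1 0] >>";

/* Parses `dict` and runs it through the hardened filler.
   Returns 1 if the table was built, 0 if rejected, -1 on parse error. */
int build_table_from_dict(const char *dict)
{
    uint32_t size;
    xref_range r[8];
    int n = parse_xref_dict(dict, &size, r, 8);
    if (n < 0) return -1;
    xref_entry *tab = fill_xref_checked(size, r, n);
    if (!tab) return 0;
    int ok = tab[size - 1].type == 1;            /* last record was reached */
    free(tab);
    return ok;
}

int main(void)
{
    printf("crash case: %d\n", build_table_from_dict(CRASH_DICT)); /* 0 */
    printf("good case:  %d\n", build_table_from_dict(GOOD_DICT));  /* 1 */
    return 0;
}
```

The check belongs before the loop, not inside it: once a single record has been written past the allocation the adjacent chunk metadata or function pointer is already gone, which is exactly what the `EIP: 0x41454145` crash above shows.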

Friday, April 15, 2016

Widespread JBoss Backdoors a Major Threat

Recently a large scale ransomware campaign delivering Samsam changed the threat landscape for ransomware delivery. Targeting vulnerabilities in servers to spread ransomware is a new dimension to an already prolific threat. Due to information provided by our Cisco IR Services Team, stemming from a recent customer engagement, we began looking deeper into the JBoss vectors that were used as the initial point of compromise. Initially, we started scanning the internet for vulnerable machines. This led us to approximately 3.2 million at-risk machines.

As part of this investigation, we scanned for machines that were already compromised and potentially waiting for a ransomware payload. We found just over 2,100 backdoors installed across nearly 1,600 IP addresses. Over the last few days, Talos has been in the process of notifying affected parties including schools, governments, aviation companies, and more.

Tuesday, April 12, 2016

Microsoft Patch Tuesday - April 2016

Patch Tuesday for April has arrived with Microsoft releasing their latest monthly set of security bulletins to address security vulnerabilities in their products. This month's release contains 13 bulletins relating to 31 vulnerabilities. Six bulletins address vulnerabilities rated as critical in Edge, Graphic Components, Internet Explorer, XML Core Service, Microsoft Office and Adobe Flash Player. The remaining seven bulletins address important vulnerabilities in Hyper-V, Microsoft Office and other Windows components.

Bulletins Rated Critical

Bulletins MS16-037 through MS16-040 and bulletins MS16-042, MS16-050 are rated as critical in this month's release.

MS16-037 is related to six vulnerabilities in Internet Explorer. The most severe vulnerabilities allow an attacker to craft a website that executes arbitrary code on the victim's device due to memory corruption vulnerabilities in the browser. The attacker would be limited to executing code with the same rights as the current user, but since many users have full administrator rights, an attacker could use this to take full control of a device. To exploit the vulnerability the attacker must get the victim to view attacker controlled content. Previously, this has not proved a major limitation for attackers. Attackers have proved adept at sending spam messages, compromising legitimate websites and abusing web advertising networks to redirect users to malicious websites.

Monday, April 11, 2016

Ransomware: Past, Present, and Future

"What's past is prologue."
-- William Shakespeare, The Tempest


The rise of ransomware over the past year is an ever growing problem. Businesses often believe that paying the ransom is the most cost effective way of getting their data back - and this may also be the reality. The problem we face is that every single business that pays to recover their files, is directly funding the development of the next generation of ransomware. As a result of this we're seeing ransomware evolve at an alarming rate.

In this blog post we explore traits of highly effective strains of self-propagating malware of the past, as well as advances in tools to facilitate lateral movement. This research is important as we expect adversaries to begin utilizing these capabilities in ransomware going forward. This blog post focuses on two avenues of thought - that our past is chock full of successful malware, and that successful cyber extortionists will look to the past to create new and evolving threats going forward.

Ransomware as we know it today has a sort of 'spray and pray' mentality; it hits as many individual targets as it can as quickly as possible. Typically, payloads are delivered via exploit kits or mass phishing campaigns. Recently a number of scattered ransomware campaigns deliberately targeting enterprise networks have come to light. We believe that this is a harbinger of what's to come -- a portent for the future of ransomware.

Traditionally, malware was never terribly concerned with the destruction of data or denial of access to its contents; with few notable exceptions, data loss was mostly a side-effect of malware campaigns. Most actors were concerned with sustained access to data or the resources a system provided to meet their objectives. Ransomware is a change to this paradigm from subversion of systems to outright extortion; actors are now denying access to data and demanding money to restore access to that data. This paper will discuss the latest ransomware trends as well as how to defend your enterprise against this threat.

Friday, April 8, 2016

Nuclear Drops Tor Runs and Hides

Exploit kits are constantly compromising users. Whether it's via malvertising or compromised websites, they interact with a large number of users on a daily basis. Talos continuously monitors these exploit kits to ensure protection, analyze changes as they occur, and look for shifts in payloads. Yesterday we observed a new technique in the Nuclear kit, along with a payload we’ve not seen before.

It's been a while since we've discussed Nuclear, so let's start with an overview of how users are infected. Like most exploit kits it has a couple of key components: a gate, a landing page, and an exploit page with payload. Let's start by describing the gate that we have been observing associated with Nuclear, and specifically this instance associated with a novel payload.

This particular infection begins with a compromised website. Buried on the website are a couple of lines of JavaScript, which you can find below:

Thursday, April 7, 2016

News Flash! Another Adobe Flash Zero-day Vulnerability Spotted in the Wild

In today's threat landscape, Adobe Flash Player unfortunately remains an attractive attack vector for adversaries to exploit and compromise systems. Over the past year, Talos has observed several instances where adversaries have identified zero-day vulnerabilities and exploited them to compromise systems. Talos is aware of reports that CVE-2016-1019, an Adobe Flash 0-day vulnerability, is currently being exploited in the wild and is affecting systems running Windows 10 and earlier.

According to the Adobe Flash Player security advisory published on April 5, Flash Player versions and earlier are susceptible to compromise via CVE-2016-1019. This includes Flash Player version as well as Flash Player Extended Support Release (ESR) version and earlier. One special note is that as of March 10, 2016, Adobe introduced a mitigation that prevents exploitation of CVE-2016-1019 in Flash version and later.

Vulnerability Deep Dive: Exploiting the Apple Graphics Driver and Bypassing KASLR

Cisco Talos vulnerability researcher Piotr Bania recently discovered a vulnerability in the Apple Intel HD 3000 Graphics driver, which we blogged about here. In this post we are going to take a deeper dive into this research and look into the details of the vulnerability as well as the KASLR bypass and kernel exploitation that could lead to arbitrary local code execution. These techniques could be leveraged by malware authors to bypass software sandbox technologies, which can simply be within the software program (browser or application sandbox) or at the kernel level.

In the course of conducting our research, Talos found that Apple OSX computers with Intel HD Graphics 3000 GPU units possess a null pointer dereference vulnerability (in version 10.0.0) as presented below:

Monday, April 4, 2016

Research Spotlight: Enabling Evil for Pocket Change

This post is authored by Tazz.

Executive Summary

At the end of February, one of the researchers on the team received a solicitation email from a domain reseller, which she reviewed the first week of March. The email was from Namecheap offering deeply discounted domains for $0.88. The timing of the email couldn’t have been more ironic, as it overlapped with some current research into determining whether there is a relationship between domain pricing and an aggregation of domains related to malware/phishing/spamming. This article will discuss the relationship between deeply discounted domains and nefarious activities. For the purpose of discussion in this article, the word malicious will include malware, phishing, and spam activities.


Talos has previously investigated the magnetic relationship between bad guys and cheap/free services. When it comes to the Internet, undoubtedly you get what you pay for, and when it’s cheap/free it’s bound to be infested with bad guys. We saw this philosophy ring true with dynamic DNS, and saw bad guys leveraging cheap services when actors migrated to dynamic DNS which you can read more on

Any businessman, good or bad, seeks to make money, fast. To do this, one must maximize return on investment and/or find a market with a low cost of entry. If it costs $5,000 to get started, that might not be feasible for many, especially a criminal, but if it only costs $50 or even $5, well there’s obviously a greater chance that many people will seek out that market. These rules are no different when it comes to bad guys doing bad things on the Internet. So, given this email offering deeply discounted TLDs, the team formed a hypothesis and we began digging.

Hypothesis: When domain prices are <= $1 there will be an increase in registrations and a corresponding increase in malicious activities associated with the TLDs.