Friday 27 September 2013

The 'world's biggest cyber attack' swoop

A British schoolboy has been arrested over the “world's biggest cyber attack” as part of an international swoop against a suspected organised crime gang.
The 16-year-old was detained by detectives at his home in south-west London after “significant sums of money” were found to be “flowing through his bank account”.
He was also logged on to what officials say were “various virtual systems and forums” and had his computers and mobiles seized as officers worked through the night to secure potential evidence.
The boy's arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out a cyber attack so large that it slowed down the internet.
The “distributed denial of service” or “DDoS” attack was directed at the Dutch anti-spam group Spamhaus which patrols the web to stop prolific spammers filling inboxes with adverts for counterfeit Viagra, bogus weightloss pills and other illegal products.
Details of the arrest, which happened in April, had been kept secret, but were disclosed to the Evening Standard, The Independent's sister paper, ahead of the formation of the Government's new National Crime Agency. It will take over the National Cyber Crime Unit as part of a drive against offending carried out over the internet, now seen as one of the most serious crime-fighting challenges.
More than half of the 4 000 officers who will form the new agency next month will be trained in combating cyber crime. The arrest of the schoolboy, whose identity has not been disclosed, came during a series of coordinated raids with international police forces.
Others detained included a 35-year-old Dutchman living in Spain.
A briefing document seen by this newspaper on the British investigation, codenamed Operation Rashlike, states that the attack was the “largest DDoS attack ever seen” and that it had a “worldwide impact” on internet exchanges.
The document says services affected included the London Internet Exchange and that although the impact was eventually “mitigated” it managed to cause “worldwide disruption of the functionality” of the internet.
Giving details of the schoolboy's alleged involvement, the briefing note states: “The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies.”
The boy has been released on bail until later this year.
The disclosure of his arrest follows two cyber attacks on banks. Four men have appeared in court over the first, involving an alleged plot to take over Santander computers by fitting a device during maintenance work.
Another eight were arrested over a £1.3m theft by a gang who took control of a Barclays computer. - The Independent

Chinese behind hacking of PM's mail box

In May, it emerged that hackers had gained access to the private email account of Prime Minister Elio Di Rupo and to the email system of the Belgian Foreign Office.
An investigation was started, and Foreign Minister Didier Reynders now confirms that there are indications the case has a Chinese link.
Investigators say their findings lead to Hong Kong. However, it is not clear whether the hacking was organised by a private Chinese organisation or company, or whether the Chinese government was behind it. For the moment, there is no evidence that the Chinese government is behind the cyber attack.
Last week, Mr Di Rupo announced that extra cash will be earmarked in the 2014 budget to better protect the government's ICT systems against cyber attacks. It is estimated that this could cost the Belgian tax payer 20 million euros in the next four years.

Icefog cyber espionage campaign exposed

Kaspersky Lab’s security research team discovered Icefog, a small yet energetic Advanced Persistent Threat (APT) group that focuses on targets in South Korea and Japan, hitting the supply chain for Western companies.
The operation started in 2011 and has increased in size and scope over the last few years.
“For the past few years, we’ve seen a number of APTs hitting pretty much all types of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, smuggling out terabytes of sensitive information,” said Costin Raiu, Director, Global Research & Analysis Team.
“The ‘hit and run’ nature of the Icefog attacks demonstrates a new emerging trend: smaller hit-and-run gangs that go after information with surgical precision. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave.
In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specializing in hit-and-run operations; a kind of ‘cyber mercenary’ team for the modern world,” he added.
Main Findings:
  • Based on the profiles of identified targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computer and software development, research companies, telecom operators, satellite operators, mass media and television.
  • Research indicates the attackers were interested in targeting defense industry contractors such as Lig Nex1 and Selectron Industrial Company, shipbuilding companies such as DSME Tech and Hanjin Heavy Industries, telecom operators such as Korea Telecom, and media companies such as Fuji TV and the Japan-China Economic Association.
  • The attackers hijack sensitive documents and company plans, email account credentials, and passwords to access various resources inside and outside the victim’s network.
  • During the operation, the attackers use the Icefog backdoor set (also known as “Fucobha”). Kaspersky Lab has identified versions of Icefog for both Microsoft Windows and Mac OS X.
  • While in most other APT campaigns, victims remain infected for months or even years and attackers continuously steal data, Icefog operators process victims one by one, locating and copying only specific, targeted information. Once the desired information has been obtained, they leave.
  • In most cases, the Icefog operators appear to know very well what they need from the victims. They look for specific filenames, which are quickly identified, and transferred to the C&C.
The attack and functionality
Kaspersky researchers have sinkholed 13 of the 70+ domains used by the attackers. This provided statistics on the number of victims worldwide. In addition, the Icefog command and control servers maintain encrypted logs of their victims together with the various operations performed on them. These logs can sometimes help to identify the targets of the attacks and in some cases, the victims.
In addition to Japan and South Korea, many sinkhole connections in several other countries were observed, including Taiwan, Hong Kong, China, the USA, Australia, Canada, the UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia.
In total, Kaspersky Lab observed more than 4,000 unique infected IPs and several hundred victims (a few dozen Windows victims and more than 350 Mac OS X victims).
Based on the list of IPs used to monitor and control the infrastructure, Kaspersky Lab’s experts assume some of the players behind this threat operation are based in at least three countries: China, South Korea and Japan.

Massive Cyber attack hit Three major U.S. data providers

Three major U.S. data providers said on Wednesday they were victims of cyber attacks, after a cybersecurity news website linked the breaches to a group that sells stolen social security numbers and other sensitive information.
An FBI spokeswoman said the bureau was investigating the breaches but declined to elaborate.
The disclosures, by Dun & Bradstreet Corp, Altegrity Inc's Kroll Background America Inc and Reed Elsevier's LexisNexis Inc, came after website KrebsOnSecurity first reported the breaches.
The site said the attacks were masterminded by a cybercrime ring that sold stolen data such as credit reports through the website ssndob.ms, or SSNDOB.
The ring offered social security numbers, birthdays and other personal data of U.S. residents for between 50 cents and $2.50 per record, KrebsOnSecurity reported. Credit reports and background checks cost between $5 and $15, the cybersecurity site reported after a seven-month investigation into SSNDOB.
KrebsOnSecurity said the group placed malicious software on servers at LexisNexis as early as April 2013, suggesting that the attackers had access to its internal networks for at least five months.
SSNDOB administrators operated a small botnet, or group of infected computers remotely controlled by hackers, that was in direct communication with computers inside several large U.S. data brokers, the KrebsOnSecurity report said.
Five hacked servers were identified by examining the web interface used to control the botnet. Two of them were inside LexisNexis, two at D&B, and one at Kroll Background America.
"There are grave implications here from a privacy perspective," said Alex Holden, a cyber forensics expert who served as a consultant to the publication during the investigation.
Two of the victims declined to comment on the potential theft of data, saying they were investigating the attacks to find out exactly what happened. A third, LexisNexis, said it has so far found no evidence of theft.
"To date (we) have found no evidence that customer or consumer data were reached or retrieved," a LexisNexis representative said in a statement.
D&B spokeswoman Michele Caselnova said her firm was "aggressively investigating" the attack.
"Data security is a company priority and we are devoting all resources necessary to ensure that security," she said.
Kroll Background America spokesman Ray Howell said the company was working with external forensics experts to investigate the source and "impact, if any," of malicious software found on web servers at a Nashville, Tennessee data center.

Android Remote Access Trojan AndroRAT is Cheaper and More Dangerous Than Ever

Back in July, we told you about AndroRAT—a remote access Trojan for Android devices that let hackers remotely control every aspect of your phone or tablet. Coupled with another piece of software called a binder, injecting the malicious AndroRAT code into a legitimate app and then distributing the Trojanized version was a snap. Now AndroRAT is back: bigger, more dangerous, and cheaper than ever.
Everything Is Free Now
Originally, AndroRAT was an open-source proof-of-concept that became an actual remote access Trojan. That's bad, but it could be worse. At least it was hard to deliver to victims' phones and notoriously unstable. Bitdefender's senior threat analyst Bogdan Botezatu explained that it was the introduction of an APK binder that truly weaponized AndroRAT. "After you used the APK binder you got a perfect copy for cybercrime," said Botezatu.
Once the malicious code was injected into an app, the resulting infected apps were smaller and more stable than the original AndroRAT. Plus, the Trojanized apps used to deliver AndroRAT—usually cracked games—still worked perfectly.
AndroRAT has always been free and open-source, but the APK binder originally cost $35. Two months ago, Symantec reported only 23 installations of AndroRAT. That is until someone else cracked the binder and posted it for free online. "Look at the irony," said Botezatu. "This tool also got cracked by some other guys who posted it for free."
Infections of AndroRAT sharply increased after the binder application was released for free. Since July, Bitdefender says it has seen 200 infections on devices running Bitdefender's mobile security software. That's only a fraction of the Android-using populace, concedes Botezatu. However, he told me that he's seen individuals bragging on forums about AndroRAT botnets with 500 infected phones.
Easy Like Sunday Morning
In addition to being free, AndroRAT is extremely easy to use. In a demonstration, Botezatu showed me the simple point-and-click interface for creating Trojanized apps and for controlling infected devices. With just a few clicks, he showed me all of the data he could access remotely. With a few more clicks, he used an infected device to send SMS messages. I asked him if it was possible to capture video and audio and, sure enough, there was a pull down menu for that.
"Now that these tools are publicly and freely available, we're going to see a huge number of AndroRAT infections," said Botezatu. He expects to see script kiddies, or people with no technical understanding of the tools they're using, driving the spread of infections for now. Mostly, he thinks, to spy on their friends, spouses, and bosses.
Making Money
Most malware has a money-making angle behind it, but so far AndroRAT hasn't been monetized on a large scale. That's usually the end goal for Android malware: to exploit the victims in a way that earns the bad guys some cash.
Thankfully, we're not there yet with AndroRAT. "I believe that they are now just experimenting with how well they can spread the malware," explained Botezatu. We've seen similar rumblings with malware like SpamSoldier, which has a lot of potential but hasn't yet taken off. "[I assume] they are doing small time fraud by sending premium SMS, just enough to make money but fly under the radar."
While Botezatu believes that AndroRAT will mostly remain a toy, it is possible that pieces of the software could be broken apart and repackaged into more targeted tools. In fact, Bitdefender experimented with this, creating smaller, stealthier applications that just did one thing—monitor phone calls, for instance. Botezatu said that because AndroRAT is written with Java it could be "easily integrated into basically anything," perhaps even combined with the notorious Android Master Key exploit.
But that's not the future he sees for AndroRAT. "For guys who actually know how to code a piece of malware, they're going to go for their own in-house application."
Staying Safe
Though AndroRAT is scary, it's pretty easy to avoid getting infected. Even though AndroRAT can be bound to any application, victims still have to enable sideloading on their device, download the Trojanized app, and install it.
And while being available for free has meant that just about anyone can churn out Android malware, it also means that AndroRAT is extremely well understood and documented by security companies. Using either avast! Mobile Security & Antivirus, our Editors' Choice for free Android anti-malware, or Bitdefender Mobile Security and Antivirus, our Editors' Choice for paid Android anti-malware, should keep you safe.
Despite this, people will still get infected. Botezatu chalked at least part of this up to Android's cryptic warnings about app permissions. After years of developing for Android, he said that even he doesn't understand what some of those warnings mean.
But most infections will be people who are willing to download cracked versions of for-pay apps—generally games, which are the most popular method for spreading malicious software on Android. "AndroRAT works only because people do not take the same approach on security on their mobile phone as they do on their computer," said Botezatu.
Malware still isn't as prevalent on mobile devices as it is on desktops, but AndroRAT is a sobering reminder that the dangers are out there.

Win32/Napolar – A new bot on the block

There is a new bot on the block. ESET identifies it as Win32/Napolar while its author calls it solarbot. This piece of malware came to our attention mid-August because of its interesting anti-debugging and code injection techniques. It recently attracted general attention when it was discussed on various reverse engineering forums.
This malware can serve multiple purposes. The three main ones are to conduct Denial of Service attacks, to act as a SOCKS proxy server, and to steal information from infected systems. The malware is able to hook into various browsers to steal information that is submitted in web forms.
We have uncovered many details about this bot since it became active at the end of July, with in-the-wild infections starting mid-August. There have been reports of thousands of infections, many of them in South America. The countries with the most infections are Peru, Ecuador and Colombia. More information on the geographical distribution of this threat can be found on virusradar.
The author of Win32/Napolar uses a website to promote it. The website looks very professional and contains detailed information about the bot, including the cost ($200 USD for each build) and even a complete change-log of the evolution of the code.
Although we have not yet directly seen Win32/Napolar being distributed in the wild, it seems likely that this threat has been spread through Facebook. Since the malware can steal Facebook credentials, its operator can reuse them to send messages from compromised accounts and try to infect the victims' friends. Below is a list of filenames we have seen used by this malware family:
  • Photo_032.JPG_www.facebook.com.exe
  • Photo_012-WWW.FACEBOOK.COM.exe
  • Photo_014-WWW.FACEBOOK.COM.exe
Interestingly enough, the use of doubled file extensions (*.JPG.EXE, *.TXT.EXE and so forth) to disguise a file's true type is an old trick, dating back to Windows 95, but apparently still in use. What is amusing about this particular instance is that the author of Win32/Napolar does not seem to realize that .COM is a valid, if somewhat old, extension for executable files, so these filenames would have executed without the added .EXE extension. A very recent blog post by our colleagues at AVAST confirms they have also seen similar infection vectors.
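To make the double-extension point concrete, here is an added example (my code, not part of the ESET post) of the check a mail or web gateway can apply to an attachment name. It splits the name on every dot, reports the real extension, any decoy picture or document extension in front of it, and whether the name would still be executable if the trailing .EXE were removed, which is the .COM case discussed above. The extension sets and the sample names are constructed for this example; EXECUTABLE_EXTS is a generic list, not any particular host's PATHEXT.

```python
import re

# Extensions Windows treats as directly executable. Constructed for this example from the
# usual PATHEXT defaults plus classic DOS/Windows executable types; a host's PATHEXT may differ.
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "msi", "msc", "cpl", "hta", "ps1", "lnk",
}

# Extensions typically used as a decoy so the file passes for a picture or a document.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "txt", "doc", "docx", "pdf", "xls", "ppt"}


def extension_tokens(name):
    """Return every dot-introduced token in the filename, lower-cased, in order.
    'Photo_032.JPG_www.facebook.com.exe' -> ['jpg', 'facebook', 'com', 'exe']
    (the token after '.JPG' stops at the underscore, so the decoy is still recovered)."""
    return re.findall(r"\.([a-z0-9]+)", name.lower())


def analyze_filename(name):
    """Classify a filename the way a gateway rule would."""
    tokens = extension_tokens(name)
    if not tokens:
        return {"executable": False, "final_ext": None, "decoy_exts": [],
                "runs_without_final_ext": False, "suspicious": False}
    final, inner = tokens[-1], tokens[:-1]
    return {
        # does the real (last) extension make Windows run the file?
        "executable": final in EXECUTABLE_EXTS,
        "final_ext": final,
        # which data-file extensions appear before the real one?
        "decoy_exts": [t for t in inner if t in DECOY_EXTS],
        # the point the post makes: strip the trailing '.exe' and '...COM' is still executable
        "runs_without_final_ext": bool(inner) and inner[-1] in EXECUTABLE_EXTS,
        # executable with anything dot-separated in front of it: treat as a disguise attempt
        "suspicious": final in EXECUTABLE_EXTS and bool(inner),
    }


def explorer_display_name(name):
    """Approximate what Explorer shows with 'Hide extensions for known file types' enabled:
    the last registered extension is dropped, so the decoy extension is what the user sees."""
    tokens = extension_tokens(name)
    if tokens and tokens[-1] in EXECUTABLE_EXTS | DECOY_EXTS:
        return name[: name.rfind(".")]
    return name


if __name__ == "__main__":
    # The first two names are the ones listed in the post; the third is a harmless control.
    for sample in ("Photo_032.JPG_www.facebook.com.exe",
                   "Photo_012-WWW.FACEBOOK.COM.exe",
                   "holiday.jpg"):
        print(sample, "->", explorer_display_name(sample), analyze_filename(sample))
```

The second sample name yields no decoy extension at all, yet `runs_without_final_ext` is true: a rule that only looks for `.jpg.exe`-style pairs would miss it, while a rule that asks "is the last token executable and is there anything dot-separated before it" catches both.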
In this blog post, we will show some of the anti-debugging tricks used by Win32/Napolar. These tricks were seen in early versions of this malware family. Most recent variants also use third party packers to evade antivirus detection and slow down manual reverse engineering.
We will then explain the Win32/Napolar command and control (C&C) protocol. Finally, we will show some of the information that was retrieved from the promotional website before it was taken offline.

Anti-debugging Techniques

When analyzing Win32/Napolar binaries, the first thing to notice is that there is no valid entry point in the PE header, as shown in the figure below.
[Figure 1: PE header of a Win32/Napolar sample, with the entry point set to 0]
The first instructions executed when the binary is started are in the Thread Local Storage (TLS) callbacks, which run before the entry point. Two TLS callbacks are registered. The first does nothing. The second decrypts more code using the RC4 algorithm with the key 0xDEADBEEF; the decrypted code is registered as a third TLS callback before the second one returns, as shown in the code extract below.
[Figure 2: second TLS callback registering the decrypted code as a third TLS callback]
The third TLS function decrypts the rest of the code before calling the main body of the malware.  The malware uses other tricks to make itself harder to analyze:
  • All imports are resolved at runtime using hashes instead of the import names.
  • Interactions with the operating system are mostly done by directly calling undocumented functions of the NTDLL library instead of using the standard APIs.
  • All the code is position-independent.
To find the offset of its own code that will be decrypted, Win32/Napolar searches through its memory for the opcode 0x55. This opcode is "push ebp", the first instruction of the current function. If this byte has been replaced by 0xCC, the opcode for a software breakpoint (int3), the search fails and the code is not decrypted correctly. This is a clever way of altering the malware's behavior when it is being analyzed in a debugger with a software breakpoint on the first instruction of the TLS callback.
Win32/Napolar has more anti-debugging tricks. To make dynamic analysis harder, Win32/Napolar will create a sub process of itself and will debug this new instance. The screenshot below shows the call to CreateProcess.
[Figure 3: the CreateProcess call that starts the child instance under the parent's debugging]
The software protection technique of self-debugging has been seen before but in the case of Win32/Napolar, the trick happens in the main body of the malware, not in the packer.
Once the debugged process is started, Win32/Napolar will enter a loop that handles debugging events returned by the function WaitForDebugEvent. Pseudocode for the loop handling debugging events is presented below.
[Figure 4: pseudocode of the loop handling debug events]
The first event handled by this code is CREATE_PROCESS_DEBUG_EVENT. This event takes place when the debugged process is started. In this case, the main process will parse the MZ and PE header of the debugged process in order to retrieve the offset and size of the position-independent code. It will then allocate another area of memory in the debugged process in which to inject the code. This creates two copies of the same code in the same process.
The next event is EXCEPTION_DEBUG_EVENT. On this second event, the main process overwrites the first TLS function of the binary so as to redirect execution to the beginning of the executable, using a push/ret sequence. This, once again, decrypts the main body of the malware and lets it execute within the child process. It is the code of the child process that then injects itself into the other running processes and hooks various functions to hide its presence on the system and capture the desired information.
Finally, the main process receives the EXIT_PROCESS_DEBUG_EVENT event; it stops debugging by calling the function DebugActiveProcessStop and terminates its own process using NtTerminateProcess.
[Figure 5: chart of the parent/child self-debugging flow]
One of the main characteristics of Win32/Napolar is its ability to steal information when a user fills in a web form in a browser. Trusteer's browser protection probably stops the malware from capturing this information, which is why the malware has specific checks for Trusteer products: it iterates through all running processes and kills any whose name contains the string "trusteer". We did not test whether this attempt at disabling Trusteer's product actually succeeds.

Network behavior

When communicating with its command and control server, Win32/Napolar uses the HTTP protocol. The first query sent by the bot to the command and control server contains the following information:
  • Version of the bot
  • Current windows username of the infected user
  • Computer name
  • A unique bot identifier
  • Version of the operating system
  • System type, which can be 32 or 64 bit.  Indeed, this bot supports both types of architecture.
The server then responds with commands the bot needs to execute. These commands are encrypted using RC4, with the bot's unique identifier as the key. The bot supports a variety of commands, from information stealing and SOCKS proxying to denial of service, download, execution and update. Each command has a unique identifier stored as a single byte, and the bytes following it carry the command parameters. The following figure shows a traffic dump of the communication between a host infected by Win32/Napolar and its command and control server.
[Figure 6: traffic dump of the bot's HTTP POST to the command and control server]
The following figure shows the decryption of this command using the proper key. The first byte of the received content is 0xC, and this instructs the bot to sleep. The parameter is a string, “600”, which represents the number of seconds that the bot needs to sleep.
[Figure 7: the decrypted command, a 0x0C sleep instruction with parameter "600"]
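The two RC4 uses described in this post, the TLS stage decrypted with key 0xDEADBEEF after the 0x55 marker search, and the C&C replies decrypted with the bot identifier as key, can be reproduced with the following added example (my code, not ESET's and not the malware author's). The stub layout (a call $+5, then push ebp / mov ebp, esp, then ciphertext), the little-endian packing of 0xDEADBEEF, the bot identifier value and the constructed reply are assumptions made for illustration; the only opcode decoded is 0x0C (sleep), the one the post documents.

```python
import struct


def rc4(key, data):
    """Textbook RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Key from the post: 0xDEADBEEF. That it is consumed as a little-endian dword is an assumption.
STAGE_KEY = struct.pack("<I", 0xDEADBEEF)
PUSH_EBP, INT3 = 0x55, 0xCC
PROLOGUE_LEN = 3  # push ebp / mov ebp, esp; assumed layout: ciphertext directly follows


def find_code_start(image, start=0):
    """Do what the TLS code does: scan forward from `start` for the first 0x55 byte.
    A software breakpoint on that instruction turns it into 0xCC, so the scan skips past it."""
    pos = image.find(bytes([PUSH_EBP]), start)
    return None if pos < 0 else pos


def decrypt_stage(image):
    """Locate the marker and RC4-decrypt what follows the prologue with the stage key."""
    marker = find_code_start(image)
    if marker is None:
        return None
    return rc4(STAGE_KEY, image[marker + PROLOGUE_LEN:])


def build_stage_image(plaintext_code):
    """Constructed stand-in for the binary: a short stub without 0x55, the prologue, then ciphertext."""
    stub = b"\xE8\x00\x00\x00\x00"      # call $+5, a common get-EIP idiom; contains no 0x55 byte
    prologue = b"\x55\x8B\xEC"           # push ebp; mov ebp, esp
    return stub + prologue + rc4(STAGE_KEY, plaintext_code)


def set_software_breakpoint(image, addr):
    """What a debugger does when you break on an address: it overwrites the byte with int3."""
    return image[:addr] + bytes([INT3]) + image[addr + 1:]


# ---- C&C reply decoding: one command byte, then parameters, RC4 under the bot id ----
COMMANDS = {0x0C: "sleep"}  # the only opcode documented in the post; others are not guessed


def decode_command(bot_id, ciphertext):
    """Return (opcode, name, parameter bytes) from an encrypted C&C reply, or None if empty."""
    plain = rc4(bot_id, ciphertext)
    if not plain:
        return None
    opcode, params = plain[0], plain[1:]
    return opcode, COMMANDS.get(opcode, "unknown"), params


if __name__ == "__main__":
    code = b"\x33\xC0\xC3"  # xor eax, eax; ret: placeholder for the "main body"
    clean = build_stage_image(code)
    print("clean image decrypts to:", decrypt_stage(clean).hex())
    patched = set_software_breakpoint(clean, find_code_start(clean))
    print("with int3 on push ebp:", decrypt_stage(patched))
    bot_id = b"0123456789abcdef"            # constructed; the real identifier format is not documented
    reply = rc4(bot_id, b"\x0c" + b"600")    # constructed reply matching the post's sleep example
    print("decoded C&C reply:", decode_command(bot_id, reply))
```

The marker search is why a software breakpoint on the TLS callback is the wrong tool here: it changes the very byte the malware looks for, so the scan either finds a later 0x55 inside the ciphertext or nothing at all, and the stage never decrypts. A hardware breakpoint leaves memory untouched and does not trip this check. The same `rc4` routine, keyed with the identifier the bot sent in its check-in, turns a captured reply back into the command byte and its parameter string.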
We have seen at least seven different command and control servers used by Win32/Napolar. Most of them only stayed online for a couple of days before the operator moved them to a new network. This might indicate that this bot is being actively used in the wild. Below is a list of domain names where we have recently observed command and control servers:
  • dabakhost.be
  • terra-araucania.cl
  • xyz25.com
  • yandafia.com
  • elzbthfntr.com
  • alfadente.com.br
There are some references to Tor in the malware code, more precisely some configuration lines and references to the Tor configuration file. During our analysis, the malware did not seem to make any use of this data. This could be a dormant feature not activated in the samples we analyzed.

Promotional website

The author of Win32/Napolar seems very frank about wanting to sell his new malware. He has put together a very professional-looking website where he boasts that his bot is a “professional shellcode based bot”, referring to the fact that the malware is position-independent.
[Figure 8: the promotional website for the bot]
The website also provides information for potential customers. For example, the complete code for the command and control server can be found there: a PHP script with an SQL database backend. The server code confirms our analysis of the network protocol used by Win32/Napolar.
The promotional website also provides several example plugins that malware operators can use. Plugins must be written in the Delphi programming language. The examples show how to display a message on an infected system, determine which antivirus product is installed on it, and even how to steal Bitcoin wallets.
Finally, the website even presented a complete log of the changes made to the bot’s source code, including information on new features and bug fixes. The website shows the first changelog entry made on July 14th.  This fits our timeline since we saw the first instances of this bot in the wild in the beginning of August. The registration date for the domain name where the content is hosted is the first day of August, another indication that the beginning of the promotion is recent.
[Figure 9: the promotional website's changelog]

Conclusions

Win32/Napolar is a new bot that surfaced in July and started to be observed in the wild in August. It has interesting techniques for countering reverse engineering. The most notable point about this malware is how openly it is being promoted on the web by its creator. The advertisement is probably the same one identified by Dancho Danchev at Webroot in July. We have seen many messages on different forums promoting this bot, in addition to the publicly accessible website. As previously discussed in the Foxxy case, this is another good example of the specialization of cybercrime operations, where we now clearly have authors who create malware and sell it to other gangs who operate it.
Although this bot has functionality similar to other families such as Zeus or SpyEye, it might gain popularity because its author is actively maintaining it, and because of its ease of use and the simplicity with which plugins can be created.

Analyzed files

The following are SHA-1 hashes of the analyzed files:
  • 85e5a0951182de95827f1135721f73ad0828b6bc
  • 9c159f00292a22b7b609e1e8b1cf960e8a4fa795
  • a86e4bd51c15b17f89544f94105c397d64a060bb
  • ce24ae6d55c008e7a75fb78cfe033576d8416940
  • dacfa9d0c4b37f1966441075b6ef34ec8adc1aa6
Author: Pierre-Marc Bureau
Security Intelligence Program Manager