Friday, 7 November 2014

Security Bytes 0x1335433 [Open Source Digest]

Forensics
> Carving for Cookies: Supersize your Internet History Timeline using Google Analytic Artifacts

Malware/APT
> Sandworm APT exploits, BlackEnergy malware
> Spin.com site sent visitors to Rig exploit kit to infect them with a range of malware including Infostealer.Dyranges and Trojan.Zbot.
> ROM – A New Version of the Backoff PoS Malware
> Apple iWorm Malware
> Dridex Banking Trojan
> Dyre/Dyreza packaged with PDF exploits (namely CVE-2013-2729)
> Rovnix Malware
  • [2014-10-10] http://www.infosecurity-magazine.com/news/rovnix-malware-reloads/
  • [2014-10-09] https://www.csis.dk/en/csis/news/4472/
  • [2012-02-22] http://www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-step-of-evolution/
> WireLurker Apple iDevice Malware
  • [2014-11-06] http://www.forbes.com/sites/thomasbrewster/2014/11/06/china-wirelurker-ios-malware/
  • [?] https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

Exploits/Vulnerabilities
> FreeBSD Vulnerability (CVE-2014-8517)
> "Rootpipe" Privilege Escalation Vulnerability in Mac OS X Yosemite
> CVE-2014-0569 Analysis (seen to be integrated into the Fiesta EK)
> CVE-2014-1772 Analysis (IE Use-After-Free Vulnerability)
> CVE-2014-4113 Analysis (Windows Kernel Mode Vulnerability, AKA Sandworm Vulnerability)
> CVE-2014-4115 Analysis (Malicious USB Disks Allow for Possible Whole System Control)

Phishing
> Operation Huyao

Friday, 12 September 2014

RIG Exploit Kit Malware Triage

Hashes:
250819688dc109a79a4de24eeabbb3de (Dropper) [24 / 55] as of 2014-09-12 07:49:15 UTC
bc183d917bc4dcffa954adb437bdcb96 (Backdoor) [2 / 53] as of 2014-09-09 23:33:47 UTC

VirusTotal:
https://www.virustotal.com/en/file/689fb4c908b29aa44859bfc8eef9f6b345ac5601d1046b4f26a5bfb5ff343ecd/analysis/
https://www.virustotal.com/en/file/bb58953495d1e4c0791b73abd59930c6240036d152d93c1c5dab3ebce84e50d1/analysis/

Introduction:
This post details a triage of a malware sample retrieved from "2014-09-09 - RIG EK FROM 178.132.204.97 - SDFI.APARTMENTPERCH.COM". The initial sample, executed after exploitation, is 250819688dc109a79a4de24eeabbb3de.

Creation & Deletion of *.tmp Files:
The startup routine of the Dropper includes the creation and deletion of *.tmp files in the "%TEMP%" folder. The files follow the naming convention ns[random letter][random digit].tmp.
Examples include:
  • %TEMP%\nsx6.tmp
  • %TEMP%\nsr7.tmp

Creation of Staging Folder:
The Dropper
  • Creates the folder "%APPDATA%\NVIDIA Corporation\Updates\". The folder name is chosen to look legitimate, likely mimicking an NVIDIA software update folder.

Dropping of Persistent Backdoor:
The Dropper
  • Creates the Backdoor "%APPDATA%\NVIDIA Corporation\Updates\nvid_upd.exe" (md5: bc183d917bc4dcffa954adb437bdcb96).
  • Creates the registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv" for persistence. The persistence key points to the file path of the earlier created Backdoor.
  • Creates a new process from the Backdoor (using CreateProcessA).
  • Deletes itself (using DeleteFileA).

Backdoor Callback:
The Backdoor
  • Initiates a TCP handshake with the IP address "80.91.80.158".
  • If the TCP handshake is successful, the Backdoor sends an additional ACK with data appended to it:
(Figure: packet capture of the callback; the additional TCP ACK carries 178 bytes of data.)
(Figure: hex view of the 178 bytes appended to the additional TCP ACK.)
  • After the initial callback is sent, the backdoor remains dormant until commands are sent to it.

Breakdown of the additional appended data:
  • GET /stat?uid=100&downlink=1111&uplink=1111&id=01F7906A&statpass=bpass&version=11140907&features=30&guid=0969e6cd-f722-4f9f-a6e4-35128ffe7946&comment=11140907&p=0&s= HTTP/1.0
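As an added illustration (not code from the original post), the indicators above can be turned into simple host and network checks in Python; the sample paths, Run-key values and request line below are constructed from the artifacts described in this triage, and the benign entries are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample artifacts modelled on the indicators described above
# (tmp file names, Run-key values, the /stat callback request line).
SAMPLE_TEMP_FILES = [
    r"C:\Users\a\AppData\Local\Temp\nsx6.tmp",
    r"C:\Users\a\AppData\Local\Temp\nsr7.tmp",
    r"C:\Users\a\AppData\Local\Temp\report.tmp",   # benign, must not match
]
SAMPLE_RUN_VALUES = {
    "NvUpdSrv": r"C:\Users\a\AppData\Roaming\NVIDIA Corporation\Updates\nvid_upd.exe",
    "OneDrive": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe",  # benign
}
SAMPLE_REQUEST_LINE = ("GET /stat?uid=100&downlink=1111&uplink=1111&id=01F7906A"
                       "&statpass=bpass&version=11140907&features=30"
                       "&guid=0969e6cd-f722-4f9f-a6e4-35128ffe7946"
                       "&comment=11140907&p=0&s= HTTP/1.0")

# "ns" + one letter + one digit + ".tmp", the dropper's documented convention.
NS_TMP_RE = re.compile(r"\\ns[a-z]\d\.tmp$", re.IGNORECASE)
# Query fields the callback is expected to carry.
BEACON_FIELDS = {"uid", "id", "statpass", "version", "features", "guid"}


def match_ns_tmp(paths):
    """Return the paths that follow the ns<letter><digit>.tmp convention."""
    return [p for p in paths if NS_TMP_RE.search(p)]


def match_run_key(run_values):
    """Return Run-key value names pointing into the fake NVIDIA staging folder."""
    marker = r"\nvidia corporation\updates\nvid_upd.exe"
    return [name for name, target in run_values.items()
            if target.lower().endswith(marker)]


def parse_beacon(request_line):
    """Parse the /stat callback; return its query fields, or None if it does not fit."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/"):
        return None
    url = urlsplit(parts[1])
    if url.path != "/stat":
        return None
    fields = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if not BEACON_FIELDS.issubset(fields) or fields["statpass"] != "bpass":
        return None
    return fields
```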