Sometimes the answer really is that simple…

Advanced Threats, Malware Analysis, Network Forensics

Early this year, we were challenged by our CEO Amit Yoran to take this perpetual battle against malware to the next level. One of the most common use cases of NetWitness NextGen today is combating the various forms of commercial and custom malicious code, so helping our customers optimize their efforts in this area seemed like a natural progression. It seemed like every day customers or NetWitness analysts were finding yet another zero day, yet another piece of custom code, or yet another group of professional thieves. We are very fortunate to have so many experts on staff, as well as customers, who regularly use our solution to sift through terabytes of network data to identify threats from malware.

The first step was to interview these experts and ask them how we could ease this effort. We also asked them to quantify and explain their secret sauce. Surprisingly, explaining how they go about their day-to-day efforts was very easy for most of them. However, when we asked what our system should do to help, nearly every one of them found it hard to come up with any specific requirements. Inevitably, they would defer and simply say, “Well – do some of that stuff I just told you. That’s a start.”

Tell us the same thing enough times, and we will eventually listen. What if we automated all their steps during investigations? What if we could ask all the questions they ask? What if all the information needed to highlight what was bad was analyzed for them? It slowly dawned on us that their “secret sauce” was the answer. We did not need to invent a new paradigm. We needed to make their paradigms work and scale. They were telling us what they wanted done for them by describing all the laborious steps they took to get there manually. They were telling us what tools, services, and intelligence they liked to use. They were telling us the combinations of indicators that really piqued their interest. And we had a very distinct advantage: they were telling us all this by showing us in NetWitness what they look for. We had already collected the majority of the information we needed. We just needed to ask the right questions.

Today at the 2nd annual NetWitness user conference, we introduced NetWitness Spectrum. We are now taking requests for early access from any NetWitness customer. Spectrum is an expert automated analytics engine that extracts and prioritizes executable content within an enterprise. Spectrum is your virtual malware expert, sifting through thousands of executables and doing the laborious legwork of prioritizing malicious content, all on a continual, real-time, port- and protocol-independent basis.

Over the next few weeks, we will be discussing more and more features and capabilities of Spectrum. We have a history here at NetWitness of thinking a little differently than the industry tells us to think. We prefer to innovate rather than copy, lead rather than follow.  This time however, our innovation is purely you, our user community.  We are following your lead.

For more information regarding Spectrum and the early access program, visit www.netwitness.com.

Tim Belcher, CTO

It’s Malware!

Breach, Competitor Hype, cybercrime, Malware Analysis, Network Forensics, Network Visibility, trojan, zeus

Zeus is evolving. Regarding a new release, one anti-virus vendor recently noted:

“[the new exe] uses techniques designed to avoid automatic heuristics-based detection.”

The discussion then proceeds to examine how the exe differs from previous versions of the malware.

Should we be alarmed that Zeus is getting so sophisticated that it evades heuristics-based detection mechanisms?

I suppose if it actually evaded heuristics-based detection mechanisms, that would be alarming. I’m sure the version of Zeus in question evades the mechanisms of certain AV vendors. However, when looking at the exact sample in question (verified by MD5) using the techniques we use for malware identification here, the sample stands out like a sore thumb.

Using our own internally-developed heuristic malware identification methods (also used by components of NextGen), we see the exe has traits such as the following (not a complete list!):

  1. The binary contains packed sections, indicative of packed, obfuscated, and/or encrypted malware.
  2. The size of the binary is abnormally small considering the conditions and context in which it was found.
  3. The PE checksum fails to validate, something malware packers are notoriously bad about.
  4. The binary does not have any information normally found within the version info table in the resource section of the PE.
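The traits above are the kind of checks a static triage tool runs before anyone opens a disassembler. The Python below is an added example, not NetWitness code or the post's own tooling: it implements three of them (section entropy as the packing indicator, the PE checksum algorithm, and an empty resource directory standing in for missing version info) against a constructed PE32 image built in the same file, which is not a Zeus sample. The 7.0 bits/byte threshold and the simplified resource check are assumptions.

```python
"""Three of the post's file-level traits as stdlib-only checks: packed sections
via byte entropy, PE checksum validation and the resource directory that would
hold version info.  Added example, not NetWitness code; the PE32 image it runs
against is constructed in-file and is not a real Zeus sample."""
import math
import struct

RESOURCE_DIR = 2       # IMAGE_DIRECTORY_ENTRY_RESOURCE
PACKED_ENTROPY = 7.0   # assumed threshold: more than 7 bits/byte reads as packed


def shannon_entropy(data):
    """Bits per byte: ~8 for compressed/encrypted data, roughly 4-6 for x86 code."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0


def pe_checksum(data, checksum_offset):
    """imagehlp-style PE checksum: 32-bit words summed with end-around carry,
    skipping the CheckSum field itself, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i != checksum_offset:
            total += struct.unpack_from("<I", padded, i)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def parse_pe(data):
    """Minimal PE32 header parse: CheckSum, data directories and raw sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    nt = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24                                           # after the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 only (no PE32+)")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sections = []
    for i in range(nsec):
        h = opt + opt_size + 40 * i                         # IMAGE_SECTION_HEADER
        rawsize, rawptr = struct.unpack_from("<II", data, h + 16)
        sections.append((data[h:h + 8].rstrip(b"\0").decode(), data[rawptr:rawptr + rawsize]))
    return {"checksum_offset": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "dirs": [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)],
            "sections": sections}


def triage(data):
    """List the traits that fire; empty for a clean-looking file.  The post's
    'abnormally small' trait needs delivery context and is not scored here, and
    the resource check is an approximation (a full check walks the resource
    tree for an RT_VERSION entry rather than testing for no resources at all)."""
    pe, findings = parse_pe(data), []
    for name, raw in pe["sections"]:
        entropy = shannon_entropy(raw)
        if entropy > PACKED_ENTROPY:
            findings.append("packed/encrypted section %s (%.2f bits/byte)" % (name, entropy))
    if pe["stored_checksum"] != pe_checksum(data, pe["checksum_offset"]):
        findings.append("PE checksum does not validate")
    if len(pe["dirs"]) <= RESOURCE_DIR or pe["dirs"][RESOURCE_DIR][1] == 0:
        findings.append("no resource directory, so no version info")
    return findings


def build_sample_pe(packed=True, fix_checksum=False, has_resources=False):
    """Constructed single-section PE32 image for the demo.  packed=True fills
    .text with maximum-entropy bytes, fix_checksum writes a valid CheckSum as a
    linker would, has_resources sets a stand-in resource directory entry."""
    text = bytes(range(256)) * 2 if packed else b"\x55\x8b\xec\x5d\xc3\x90" * 85
    dirs = [(0, 0)] * 16
    dirs[RESOURCE_DIR] = (0x1100, 0x40) if has_resources else (0, 0)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 9, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x1000,
                      0x400000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0, 0x2000, 0x200, 0,  # CheckSum = 0
                      2, 0x8000, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    headers += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + opt
    headers += b"".join(struct.pack("<II", *d) for d in dirs) + section
    image = bytearray(headers.ljust(0x200, b"\0") + text.ljust(0x200, b"\0"))
    if fix_checksum:   # CheckSum lives at optional header + 64 = 0x40 + 24 + 64
        struct.pack_into("<I", image, 0x98, pe_checksum(bytes(image), 0x98))
    return bytes(image)


if __name__ == "__main__":
    print("suspicious:", triage(build_sample_pe()))
    print("clean:", triage(build_sample_pe(packed=False, fix_checksum=True, has_resources=True)))
```

The checksum routine is the same folding sum that imagehlp's CheckSumMappedFile computes, so a packer that rewrites sections without recomputing the field fails it; a binary with a zero CheckSum field fails it too, which is common for legitimate non-driver executables, so treat this trait as a score contribution rather than a verdict.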

But… Why get overly wrapped around the minutia related to the abnormal facets of this particular sample of Zeus? There’s a more important note to be made here. That is, Zeus is malware, so it does the things that malware does! You can’t get more “heuristically obvious” than that!

From the same vendor as above:

“…common ZeuS 2.0 variants contain relatively few imported external APIs… By contrast, [this version] imports many external APIs. To a heuristic scanner, this changes the appearance of the file and lowers the possibility of detection.”

Finding a binary that has very few external imports is generally a sign that something is suspicious. Specifically, it’s generally a sign the file is packed, obfuscated, and/or encrypted and the real imports are hidden inside. Such is the case with binaries that import only two to five specific APIs from kernel32.dll (in the more obvious cases).

However, finding a binary with a lot of imports is even better, since you get to see the full range of imports the binary/malware needs! Without even running the sample or doing deep low-level reverse engineering, you can start to make assumptions about the functionality of the binary based on the APIs it uses. Further, it’s a simple matter to separate malware from legitimate binaries by comparing the APIs it uses against the ones it doesn’t need/use.

As is the case with this sample of Zeus, we see it (like the thousands of different types of malware not related to Zeus) imports APIs related to hooking the Windows API, creating mutexes, and managing services, without importing the functions that legitimate binaries using those same capabilities would also import.
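The import observations in this and the preceding paragraphs, as an added example (not NetWitness code): a walker for the PE32 import directory plus the two heuristics, a kernel32-only handful of imports meaning a packer stub, and capability APIs present without the companion APIs a legitimate program would also import. It takes the bytes of the section holding the import directory together with that section's RVA, as a PE parser or a tool such as pefile would provide; the import tables, the companion-API mapping and the five-import threshold are constructed or assumed here, not taken from the Zeus sample the post examined.

```python
"""Import-table triage as the post describes: walk a PE32 import directory
without running the file, then apply two heuristics (a handful of kernel32-only
imports means a packer stub; capability APIs without their usual companions
look like malware).  Added example, not NetWitness code.  It takes the bytes of
the section holding the import directory plus that section's RVA, as a PE
parser or a tool such as pefile would hand over; the tables it runs against
are constructed in-file and are not real Zeus import tables."""
import struct

PACKER_STUB_MAX_IMPORTS = 5   # post: two to five kernel32.dll imports, rest hidden by the packer
# Capability buckets named in the post, each paired with "companion" APIs a
# legitimate program using that capability normally imports as well.  The
# companion sets are an assumption to tune, not something the post lists.
CAPABILITIES = {
    "hooking": ({"SetWindowsHookExA", "SetWindowsHookExW"},
                {"CallNextHookEx", "UnhookWindowsHookEx"}),
    "mutex": ({"CreateMutexA", "CreateMutexW"}, set()),   # too common to flag on its own
    "services": ({"OpenSCManagerA", "OpenSCManagerW", "CreateServiceA", "CreateServiceW"},
                 {"DeleteService", "ControlService",
                  "StartServiceCtrlDispatcherA", "StartServiceCtrlDispatcherW"}),
}


def walk_imports(section, section_rva, import_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array (20 bytes each, null entry ends it)
    and each DLL's PE32 thunk array -> [(dll, func)]; ordinal imports become '#N'."""
    def at(rva):                                  # RVA -> offset inside this section
        off = rva - section_rva
        if not 0 <= off < len(section):
            raise ValueError("RVA %#x lies outside the import section" % rva)
        return off

    def cstr(off):
        return section[off:section.index(b"\0", off)].decode("ascii", "replace")

    imports, desc = [], at(import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", section, desc)
        if name_rva == 0:
            break
        dll, thunk = cstr(at(name_rva)).lower(), at(oft or ft)   # prefer the unbound INT
        while (entry := struct.unpack_from("<I", section, thunk)[0]) != 0:
            if entry & 0x80000000:                # IMAGE_ORDINAL_FLAG32
                imports.append((dll, "#%d" % (entry & 0xFFFF)))
            else:                                 # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                imports.append((dll, cstr(at(entry) + 2)))
            thunk += 4
        desc += 20
    return imports


def assess(imports):
    """Apply the post's two import heuristics -> {"capabilities": [...], "findings": [...]}."""
    findings = []
    dlls, names = {d for d, _ in imports}, {f for _, f in imports}
    if len(imports) <= PACKER_STUB_MAX_IMPORTS and dlls <= {"kernel32.dll"}:
        findings.append("only %d import(s), all from kernel32.dll: packer stub, real imports hidden"
                        % len(imports))
    caps = [cap for cap, (apis, _) in CAPABILITIES.items() if names & apis]
    for cap in caps:
        apis, companions = CAPABILITIES[cap]
        if companions and not names & companions:
            findings.append("%s APIs (%s) without %s" % (
                cap, ", ".join(sorted(names & apis)), "/".join(sorted(companions))))
    return {"capabilities": caps, "findings": findings}


def build_import_section(imports, section_rva=0x2000):
    """Constructed .idata: descriptor table first, then DLL names, hint/name
    entries and thunk arrays.  Integer entries become ordinal imports."""
    blob = bytearray(20 * (len(imports) + 1))    # descriptors, filled in below

    def put(b, align=1):                          # append to the section, return its RVA
        while len(blob) % align:
            blob.append(0)
        blob.extend(b)
        return section_rva + len(blob) - len(b)

    descs = b""
    for dll, funcs in imports.items():
        name_rva = put(dll.encode() + b"\0")
        entries = [0x80000000 | f if isinstance(f, int) else put(b"\0\0" + f.encode() + b"\0", 2)
                   for f in funcs]
        thunks = struct.pack("<%dI" % (len(funcs) + 1), *entries, 0)
        descs += struct.pack("<IIIII", put(thunks, 4), 0, 0, name_rva, put(thunks, 4))
    blob[:len(descs)] = descs
    return bytes(blob)


# Constructed import tables modelled on the post's description, not real samples.
ZEUS_LIKE = {"kernel32.dll": ["CreateMutexA", "GetModuleHandleA", "VirtualAlloc"],
             "user32.dll": ["SetWindowsHookExA"],
             "advapi32.dll": ["OpenSCManagerA", "CreateServiceA", "StartServiceA"]}
PACKER_STUB = {"kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]}
WELL_BEHAVED = {"kernel32.dll": ["GetModuleHandleA", "ExitProcess"],
                "user32.dll": ["SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx"]}


def triage_imports(table):
    """Build the section, walk it back out and assess it."""
    return assess(walk_imports(build_import_section(table), 0x2000, 0x2000))


if __name__ == "__main__":
    for label, table in [("zeus-like", ZEUS_LIKE), ("packer stub", PACKER_STUB),
                         ("well-behaved", WELL_BEHAVED)]:
        print(label, triage_imports(table))
```

The walker reads the Import Name Table (OriginalFirstThunk) rather than the IAT when both are present, because the IAT of a bound or in-memory image holds addresses instead of name RVAs; a sample whose descriptors have a zero OriginalFirstThunk, as some packers emit, falls back to FirstThunk.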

So, should we be alarmed some people say Zeus is getting so sophisticated that it evades heuristics-based detection mechanisms?

If your security vendor is looking for Zeus, then yes, you should be alarmed. However, if your security vendor is looking for general signs of malware, infection, and so on, then no… Fortunately Zeus is still malware, just like all the rest of it…

Gary Golomb

I need to watch for 74,000 unique domains!

Uncategorized

In the “malware of the minute” news,  information surrounding the “Murofet” trojan has hit some malware research blogs.

Details around this trojan, which shares code similarities with ZeuS, can be found here:

http://blog.threatexpert.com/2010/10/domain-name-generator-for-murofet.html

What’s interesting about Murofet is that it borrows a page from the Conficker playbook and uses an algorithm to generate command and control domain names on the fly based on the date and time on the infected host. This makes it very difficult to take down from a defender standpoint, because a coordinated effort is required to control all of the possible domain names as they are detected.

In this case, reverse engineering has revealed a way to generate the domain names used by the malware in advance, which allows us to build a list of all possible domains that will be used by the malware in its current state.

But that brings us to our challenge. Murofet can generate 1,020 usable domain names a day, which, if we push that out a few months in advance, quickly reaches into the tens of thousands of possible domain names. If I’m an incident responder at a large enterprise, I may need to parse through multiple gigabytes a day of proxy logs to attempt to locate these tens of thousands of possibly malicious domains. As you can imagine, this can quickly become a very tedious and unwieldy problem.

One of the many strengths of the NextGen framework is that it is built around addressing this sort of “needle in a haystack” problem. The NetWitness Live system is built around the concept of taking external intelligence and applying it to *your* network in real time, with alerting; in some cases we have feeds with *millions* of entries.

In this case, given a big list of Murofet domains, it is a trivial exercise to create a custom feed that identifies when they are seen on the network. Add an Informer alert, and you have real-time notification if any one of these 74,000 domains is accessed by any of your monitored hosts. This strategy was also used successfully to track Conficker infections at some of our clients.
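What a feed like that does behind the scenes is a membership test of every observed hostname against a large precomputed list. The Python below is an added example of that matching logic, not NetWitness's feed engine, run over constructed Squid-format proxy log lines. Its domain generator is a stand-in that only produces a list of the right shape (1,020 names a day for 73 days, roughly 74,000 entries); it is not the Murofet algorithm from the ThreatExpert write-up, and the TLD set, dates and log lines are made up.

```python
"""Matching a large precomputed DGA watchlist against proxy logs, the
"needle in a haystack" task the post describes.  Added example, not the
NetWitness feed mechanism.  The generator below is a deliberately simple
stand-in that only produces a list of the right shape and size; it is NOT the
Murofet algorithm, which lives in the ThreatExpert write-up.  The log lines
are constructed in Squid native access.log format."""
import hashlib
from datetime import date, timedelta

PER_DAY = 1020                                  # post: 1,020 usable names a day
TLDS = ("com", "net", "biz", "info", "org")     # assumed placeholder TLD set


def placeholder_dga(day, count=PER_DAY):
    """Stand-in generator: names derived deterministically from the date, which
    is the property that lets a defender precompute them in advance."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        names.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return names


def build_watchlist(start, days):
    """Every name for `days` days from `start` as a set: O(1) membership tests
    instead of grepping tens of thousands of patterns through each line."""
    return {name for k in range(days) for name in placeholder_dga(start + timedelta(days=k))}


def extract_host(line):
    """Host from a Squid native access.log line (the URL is the 7th field).
    Handles scheme-less CONNECT targets, userinfo, ports, IPv6 literals and a
    trailing dot; returns None for lines that do not carry a URL."""
    fields = line.split()
    if len(fields) < 7:
        return None
    url = fields[6]
    host = url.split("://", 1)[1] if "://" in url else url
    host = host.split("/", 1)[0].rsplit("@", 1)[-1]
    host = host[1:host.index("]")] if host.startswith("[") else host.split(":", 1)[0]
    return host.lower().rstrip(".") or None


def matching_domain(host, watchlist):
    """Look up the host and each parent domain so www.<dga>.com also hits."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def scan(lines, watchlist):
    """Stream log lines once; return (line_no, client, host, matched_domain) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        host = extract_host(line)
        match = matching_domain(host, watchlist) if host else None
        if match:
            hits.append((n, line.split()[2], host, match))
    return hits


START = date(2010, 10, 20)                      # constructed: first day the feed covers
WATCHLIST = build_watchlist(START, 73)          # 73 days x 1,020 ~ 74,000 names
_DAY2 = placeholder_dga(START + timedelta(days=1))
SAMPLE_LOG = [  # constructed lines, not real traffic
    "1287619200.123    312 10.1.2.3 TCP_MISS/200 5432 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    f"1287619201.456     45 10.1.2.3 TCP_MISS/200 612 POST http://{_DAY2[0]}/file.php - DIRECT/203.0.113.9 text/html",
    f"1287619202.789    200 10.1.2.7 TCP_TUNNEL/200 2048 CONNECT www.{_DAY2[5]}:443 - DIRECT/203.0.113.10 -",
    "1287619203.000     10 10.1.2.9 TCP_DENIED/403 0 GET http://evil.example.net:8080/ - NONE/- text/html",
]

if __name__ == "__main__":
    for line_no, client, host, domain in scan(SAMPLE_LOG, WATCHLIST):
        print(f"line {line_no}: {client} -> {host} (feed entry {domain})")
```

Two details matter at this scale: the watchlist is a hash set, so each log line costs a handful of lookups regardless of whether the list has 74 or 74,000 entries, and the lookup walks parent domains, so a client reaching `www.` or any other subdomain of a generated name still fires.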

If you’d like more information on creating your own custom feeds, please see this link in the community:

https://www.netwitness.com/community/showthread.php?t=320

Hello Hilary…..I see you’ve met ZeuS.

kneber, zeus

The press has been abuzz over the past few weeks with news of law enforcement busts of some prominent ZeuS miscreants.

This has renewed interest at NetWitness around the data and publication of our “Kneber” paper, which documented the data stolen by a large ZeuS botnet.

Today I took a second look at the domains reported to malwaredomainlist.com (since the release of our research in February) that were registered by our nemesis, hilarykneber@yahoo.com:

http://www.malwaredomainlist.com/mdl.php?search=kneber&colsearch=Registrant&quantity=all

Here’s what I found:

Since February, seventy-one new “kneber” domains have been identified as malicious, and whois records indicate the vast majority of them were created after the publication of our research:

  • Created On:09-Feb-2010 20:20:43 UTC
  • Created On:13-Apr-2010 14:58:46 UTC
  • Created On:20-Jan-2010 13:02:23 UTC
  • Created On:20-Jan-2010 13:02:23 UTC
  • Created: 2009-12-22
  • Created: 2010-01-14
  • Created: 2010-02-09
  • Created: 2010-02-11
  • Created: 2010-02-12
  • Created: 2010-02-17
  • Created: 2010-02-18
  • Created: 2010-02-23
  • Created: 2010-02-23
  • Created: 2010-03-11
  • Created: 2010-03-11
  • Created: 2010-03-11
  • Created: 2010-03-15
  • Created: 2010-03-15
  • Created: 2010-03-15
  • Created: 2010-03-16
  • Created: 2010-04-13
  • Created: 2010-04-27
  • Created: 2010-05-06
  • Created: 2010-05-26
  • Created: 2010-06-10
  • Created: 2010-06-14
  • Created: 2010-06-14
  • Created: 2010-06-25
  • Created: 2010-06-29
  • Created: 2010-07-05
  • Created: 2010-07-08
  • Created: 2010-07-16
  • Created: 2010-07-26
  • Created: 2010-07-29
  • Created: 2010-08-01
  • Created: 2010-08-02
  • Created: 2010-08-06
  • Created: 2010-08-06
  • Created: 2010-08-06
  • Created: 2010-08-13
  • Created: 2010-08-14
  • Created: 2010-08-14
  • Created: 2010-08-17
  • Created: 2010-08-26
  • Created: 2010-08-28
  • Created: 2010-08-28
  • Created: 2010-08-28
  • Created: 2010-08-28
  • Created: 2010-09-05
  • Created: 2010-09-09
  • Created: 2010-09-21
  • Created: 2010-09-21
  • Created: 2010-10-05

Of these domains, 56 had registrar information in the whois records, and 53 of those were registered through a single registrar:

Registrar: BIZCN.COM, INC.

These domains are being reported for a number of different malicious elements, but there are 100 instances of ZeuS components from this group of domains, including:

  • zeus v1 config file
  • zeus v1 drop zone
  • zeus v1 trojan
  • zeus v2 config file
  • zeus v2 drop zone
  • zeus v2 trojan

So what does this tell us about the state of the internet?

  • Domain registration, and monitoring of registration activity, is still a weak point in the security of the internet.
  • Top-level .com and .net DNS providers are in a key position to act against this sort of activity but don’t.
  • Despite massive press coverage and industry acknowledgement of hilarykneber@yahoo.com and its associated maliciousness, registrars (and BIZCN in particular) are still allowing ongoing registration by this email address, and are not suspending existing “kneber” domains.
  • Not surprisingly, ZeuS is still very active.

NetWitness customers that subscribe to NetWitness Live automatically detect these domains due to our partnership with malwaredomainlist.com.

Happy Hunting!

Alex Cox, Principal Research Analyst