ZeuS and SpyEye Merge! Business as usual for NetWitness Users!

6:19 pm Uncategorized

There has been a lot of talk over the past few months about the rumored merger of ZeuS and SpyEye, two popular banking trojans that have been used by cybercriminals to commit fraud against consumers and businesses.

This is detailed in Brian Krebs's blog here:

http://krebsonsecurity.com/2011/02/revisiting-the-spyeyezeus-merger/

While ultimately this appeals to many people's interest in the "sex, drugs and rock and roll" aspect of the underground economy and its parallels with traditional organized crime, it is, in reality, business as usual.

Much like a modern business, the criminal underground works under a development life-cycle model. Mergers occur. New innovations and technology emerge. Collaboration happens.

What that means in the grand scheme of cyber-security is this: you've got to be agile and, more importantly, understand your network and connected systems. The bad guys will be one step ahead of you until you can do this.

Here's an example. NetWitness tracks botnets and malware families as part of our routine day-to-day business. This practice is good for essentially two things: being able to cover items that are popular media fodder for the inevitable "What are we doing about this?" question from your CISO, and understanding the common methodology used by cybercriminals in the pursuit of their business. Ultimately, it is largely a game of "whack-a-mole".

The really "fun stuff" is discovered when you start comparing your traffic against what is known good and looking for outliers. Here's an example put together by a couple of our senior analysts, Gary Golomb (Malware Research) and Mike Sconzo (Professional Services), whose day-to-day jobs involve ferreting intrusions out in very large networks.

In this case, Mike wrote a flex parser which analyzes header elements in an HTTP session and identifies things that are abnormal or that don't match the RFC for properly formed HTTP header entries. When it sees this, it creates an alert entry in the NextGen framework that identifies the issue.

Gary then combined this parser logic with the idea of using a watchlist on countries and file extensions. He focused on countries that we commonly see involved with trojan and cybercrime activity:

afghanistan
belarus
bosnia and herzegovina
bulgaria
cayman islands
china
croatia
czech republic
egypt
georgia
india
kazakhstan
kyrgyzstan
latvia
libyan arab jamahiriya
lithuania
netherlands
nigeria
oman
pakistan
palestinian territory
qatar
romania
russian federation
satellite provider
saudi arabia
serbia
singapore
slovakia
slovenia
syrian arab republic
trinidad and tobago
turkey
turks and caicos islands
ukraine
united arab emirates
uzbekistan
yemen

and the following file extensions, all common, but seen with an above-average frequency in cybercrime investigations:

exe
cgi
php
bin
rar
zip
pdf
txt
jar
js

In plain language, this essentially asks the NextGen framework to:

"Show me only those sessions that have unusual HTTP header combinations, from watchlist countries, with these ten file extensions."
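The three-part pivot described above, re-created as an added example in Python. This is not NetWitness's flex parser or NextGen code; it assumes each session record already carries a GeoIP country name for the remote host (the post does not say whether source or destination country was used) and treats "file extension" as the extension of the requested URI's last path segment. The session records are constructed sample data, and the header checks are a subset of RFC 7230 rules (request-line and field-name token syntax, whitespace before the colon, control characters in values, Host header presence and uniqueness).

```python
import re
from urllib.parse import urlsplit

# RFC 7230 "token" characters: what a method or field-name may consist of.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
REQUEST_LINE = re.compile(rf"^({TCHAR}+) (\S+) HTTP/(\d)\.(\d)$")
FIELD_NAME = re.compile(rf"^{TCHAR}+$")
# Field values may not contain control characters other than horizontal tab.
BAD_VALUE_CHAR = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Country watchlist from the post (GeoIP names, lower-cased).
WATCH_COUNTRIES = {
    "afghanistan", "belarus", "bosnia and herzegovina", "bulgaria", "cayman islands",
    "china", "croatia", "czech republic", "egypt", "georgia", "india", "kazakhstan",
    "kyrgyzstan", "latvia", "libyan arab jamahiriya", "lithuania", "netherlands",
    "nigeria", "oman", "pakistan", "palestinian territory", "qatar", "romania",
    "russian federation", "satellite provider", "saudi arabia", "serbia", "singapore",
    "slovakia", "slovenia", "syrian arab republic", "trinidad and tobago", "turkey",
    "turks and caicos islands", "ukraine", "united arab emirates", "uzbekistan", "yemen",
}
# File-extension watchlist from the post.
WATCH_EXTENSIONS = {"exe", "cgi", "php", "bin", "rar", "zip", "pdf", "txt", "jar", "js"}


def header_anomalies(raw_request):
    """Return the RFC 7230 problems found in one HTTP request head (empty if clean)."""
    problems = []
    lines = raw_request.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        problems.append("malformed request line: %r" % lines[0])
    names = []
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header block
        if ":" not in line:
            problems.append("header without colon: %r" % line)
            continue
        name, value = line.split(":", 1)
        if name != name.rstrip():
            # RFC 7230 3.2.4: no whitespace between field-name and colon
            problems.append("whitespace before colon: %r" % line)
            name = name.rstrip()
        if not FIELD_NAME.match(name):
            problems.append("illegal field-name: %r" % name)
        if BAD_VALUE_CHAR.search(value):
            problems.append("control character in value of %r" % name)
        names.append(name.lower())
    host_count = names.count("host")
    if m and (m.group(3), m.group(4)) == ("1", "1") and host_count == 0:
        problems.append("HTTP/1.1 request without Host header")  # RFC 7230 5.4
    if host_count > 1:
        problems.append("multiple Host headers")  # RFC 7230 5.4
    return problems


def requested_extension(raw_request):
    """Lower-cased extension of the request-target's last path segment, or ''."""
    parts = raw_request.split("\r\n", 1)[0].split(" ")
    if len(parts) < 2:
        return ""
    last = urlsplit(parts[1]).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def pivot(sessions):
    """Keep sessions that pass all three filters; return (id, problems) pairs."""
    hits = []
    for s in sessions:
        problems = header_anomalies(s["request"])
        if (problems
                and s["country"].lower() in WATCH_COUNTRIES
                and requested_extension(s["request"]) in WATCH_EXTENSIONS):
            hits.append((s["id"], problems))
    return hits


# Constructed sample sessions (hypothetical hosts, not real indicators).
CRLF = "\r\n"
SAMPLE_SESSIONS = [
    {"id": "s1", "country": "Netherlands", "request": CRLF.join(
        ["GET /index.html HTTP/1.1", "Host: shop.example", "User-Agent: Mozilla/5.0", "", ""])},
    {"id": "s2", "country": "Russian Federation", "request": CRLF.join(
        ["POST /gate.php?id=1 HTTP/1.1", "Host : c2.example", "User-Agent: Mozilla/4.0", "", ""])},
    {"id": "s3", "country": "Germany", "request": CRLF.join(
        ["GET /a.exe HTTP/1.1", "Host: x.example", "X Bad: 1", "", ""])},
    {"id": "s4", "country": "China", "request": CRLF.join(
        ["GET /news.html HTTP/1.1", "Host: a.example", "Host: b.example", "", ""])},
    {"id": "s5", "country": "Ukraine", "request": CRLF.join(
        ["GET /update.exe HTTP/1.1", "User-Agent: dl", "", ""])},
]

if __name__ == "__main__":
    for session_id, problems in pivot(SAMPLE_SESSIONS):
        print(session_id, problems)
```

Of the five constructed sessions only s2 (space before the colon, watched country, `.php`) and s5 (HTTP/1.1 without Host, watched country, `.exe`) survive all three filters; s3 has a bad header but an unwatched country, and s4 has two Host headers but an unwatched extension. The order of the filters matters for cost, not for the result: the header check runs on every session, so in a real deployment the cheap country and extension lookups would be applied first.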

What Gary found was that of the millions of sessions that he started with, this three-part "pivot" reduced those sessions to about 180. Of those 180, 175 were intrusions.

These 175 consisted of common Trojan activity like ZeuS and SpyEye, but also never-before-seen cases and custom malware.

So when it comes to detecting malware families, who cares? Can you detect what's unusual for YOUR network? That's where the good stuff is hiding.

Happy Hunting!

Alex Cox, Principal Research Analyst
