Dissecting the CVE-2011-0611 Flash Player Zero Day – Part 1


Within the past few days, we’ve seen the emergence of a new zero-day attack that involves Flash files embedded in Word documents. These have purportedly been used in an attempt to compromise machines belonging to government-affiliated persons, as detailed here:

http://krebsonsecurity.com/2011/04/new-adobe-flash-zero-day-being-exploited/

http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html

As detailed in previous posts, NetWitness tries to stay away from “signature” based detection of these types of attacks, and instead looks for indicators that point to something that is not the norm.

In this particular case, we took a sample of the zero-day attack, and ran it through a NextGen system that is configured with some of the malware detection parser technology that is part of our Spectrum Malware Analysis product.

Even with no prior knowledge of this attack, we are immediately alerted to the presence of an XOR encoded executable in the session:

Because the use of XOR to obfuscate executable content is common in the malware world, we’ve chosen to place this alert in our highest Risk Category.

Additionally, our forensic fingerprinting parsers identify the content in this session as containing executable content as well as Flash content, which appears to be a Flash version 10 SWF file, despite the “.doc” filename.
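The two content-based detections described above (an XOR-encoded executable inside the session, and Flash content identified by its bytes rather than by the “.doc” name) can be illustrated with a small scanner. This is an added example, not NetWitness parser code, and it assumes a single-byte XOR key (the post does not say what key length the real parser handles); the sample “document” it scans is constructed inline and is not the actual exploit file.

```python
import re

# Byte patterns used for content-based identification (assumptions for this example).
DOS_STUB = b"This program cannot be run in DOS mode"   # present in nearly every PE file
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")             # OLE2 compound file, i.e. a classic .doc
SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib-compressed", b"ZWS": "lzma-compressed"}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_encoded_pe(data: bytes):
    """Return (offset, key) pairs where the PE DOS stub appears under a single-byte XOR key.

    Key 0 means the executable is in plaintext; any other key is the obfuscation case
    the post treats as high risk.
    """
    hits = []
    for key in range(256):
        needle = xor_bytes(DOS_STUB, key)
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx == -1:
                break
            hits.append((idx, key))
            start = idx + 1
    return hits


def find_swf_headers(data: bytes):
    """Locate SWF headers: 3-byte magic, 1-byte version, 4-byte little-endian length.

    The version/length sanity check keeps random 'CWS'/'FWS' byte runs from counting.
    """
    hits = []
    for magic, kind in SWF_MAGICS.items():
        for m in re.finditer(re.escape(magic), data):
            off = m.start()
            if off + 8 > len(data):
                continue
            version = data[off + 3]
            declared_length = int.from_bytes(data[off + 4:off + 8], "little")
            if 1 <= version <= 50 and declared_length >= 8:
                hits.append({"offset": off, "kind": kind, "version": version,
                             "declared_length": declared_length})
    return hits


def classify_session(filename: str, data: bytes) -> dict:
    """Fingerprint by content and flag when the filename's extension disagrees."""
    declared_ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if data.startswith(OLE_MAGIC):
        findings.append("ole-container")
    swfs = find_swf_headers(data)
    for s in swfs:
        findings.append(f"swf-v{s['version']}@{s['offset']}")
    pes = find_xor_encoded_pe(data)
    for off, key in pes:
        findings.append(f"pe-plaintext@{off}" if key == 0 else f"pe-xor-0x{key:02x}@{off}")
    # Obfuscated executable content is the highest-risk signal; plain PE or SWF is medium.
    if any(key != 0 for _, key in pes):
        risk = "high"
    elif pes or swfs:
        risk = "medium"
    else:
        risk = "low"
    return {"findings": findings, "risk": risk,
            "extension_mismatch": declared_ext == "doc" and bool(swfs)}


def build_constructed_sample(xor_key: int = 0x7A) -> bytes:
    """Constructed test input: OLE header, an embedded v10 SWF, then a XOR-encoded fake PE."""
    swf = b"FWS" + bytes([10]) + (64).to_bytes(4, "little") + b"\x00" * 56   # 64 bytes total
    fake_pe = b"MZ" + b"\x90" * 0x3C + b"\x00" * 2 + DOS_STUB + b"\x00" * 16
    return OLE_MAGIC + b"\x00" * 24 + swf + b"\x00" * 16 + xor_bytes(fake_pe, xor_key) + b"\x00" * 8


if __name__ == "__main__":
    print(classify_session("invitation.doc", build_constructed_sample()))
```

Running the scanner on the constructed sample reports the OLE container, a version 10 SWF at offset 32, a PE stub under XOR key 0x7a, a “high” risk rating and an extension mismatch, which is the combination of observations the post describes seeing before any signature for the attack existed.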

So in this case, even if we weren’t aware of the *specific* attacks, a NextGen user would have been notified of the attack because of the collection of “abnormal” network activities.

Since we’ve determined that this is an incident that warrants further investigation, we can use the data-extract function to extract the Word document for further analysis:


Which allows us access to the fully reconstructed doc for further analysis:


Who needs signatures, when you have NetWitness!   More to follow involving malware analysis of the extracted samples.

- Alex Cox, Principal Research Analyst


Cyber-Crime or Cyber-Espionage?


Brian Krebs posted an article on his blog this morning that documents a recent spam attack on U.S. government employees that occurred around Christmas time.

http://krebsonsecurity.com/2011/01/white-house-ecard-dupes-dot-gov-geeks/

which has in-depth technical coverage at:

http://contagiodump.blogspot.com/2011/01/general-file-information-file-card.html

Using a very simple ruse of “Merry Christmas from the White House”, this message used the common “ecard” social engineering hook to push a ZeuS trojan variant to the unlucky recipient.

From a configuration standpoint, this ZeuS bot used the following command and control points, all of which are down as of this writing:

Configuration Files:

http://patmarclean.us/flash/resny.bin

http://rogersvillechamber.us/components/tmpny.bin

http://ingunnanvik.no/templates/system/sysny.bin

http://argentum.lv/modules/rssny.bin

Binary Updates:

http://ingunnanvik.no/templates/system/botny.exe

Information Drops:

http://209.172.60.242/~newdowni/stat/gate_in.php

http://someonesome.mobi/imgs_ctn/icon_sml/gate_in.php

http://shock-world.mobi/zs/tmp/gate.php

It was poised to collect credentials from most major banks, but also includes sites such as eBay, MySpace, and Microsoft, as well as the online payment processors PayPal and e-gold.

While these facts alone show similarities to infrastructure aspects of the “kneber” compromise that we documented back in February 2010, a very specific tie-in makes us believe that this attack was driven by operators that were also a part of the initial “kneber” compromise.

One domain in the original kneber data, “updatekernel.com” was tied specifically to a phishing email that used a spoofed address to push ZeuS to targeted government-employees, which Brian details here:

http://krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil/

An interesting side note to this particular aspect of the kneber data was that the ZeuS bot involved with this phish had a second-stage download of an executable called “stat.exe”. This malware was revealed to be a Perl script converted to a stand-alone executable with the perl2exe tool.

This malware searched the local hard drive of the victim PC for xls, doc, and pdf files, and uploaded them via FTP to:

packupdate.com

At the time, this domain resided on a server in Belarus.

This current spam run also downloaded a second-stage executable, called “pack.exe”, which was also:

- A perl2exe executable
- Searched the victim PC for all xls, doc and pdf files
- Uploaded stolen information to a server in Belarus, which resolved to “uploadpack.org”

So in this case, we have two executables and three domain names that share three converging elements: “pack” in the naming, hosting in Belarus, and the use of perl2exe.

When compared, these two files, separated by almost a year, are nearly identical in size:

Furthermore when analyzed with HBGary’s “fingerprint” tool, which looks for code similarities and “toolmarks”, a 95.8% match is indicated, with the only differing factors being the CPUID of the machine on which the malware was compiled:

Because this is such a small and fairly unknown aspect of the kneber compromise, it makes us think that this is indeed the same operator, who is again after documents pertaining to U.S. Government activities.

This evidence shows the continuing convergence of cyber-crime and cyber-espionage activities, and how they occasionally mirror or play off one another.

The question again, which we posed in our initial Kneber document, is:

Who is the end consumer of this information?

Alex Cox, Principal Research Analyst

UpdateKernel / Kneber Government Attacks


This is a significant percentage of the related government activity we mentioned with the release of the report.  Much of this is ongoing, and there are dozens of similar operations.  Credit where credit is due, Nart Villeneuve, from SecDev.cyber has a great write up on the targeted government attacks here:

www.infowar-monitor.net

If you have recently heard of the North Korean nuclear spear phish…  same guys.

Finding Aurora (googlehack)


I was helping a Fortune customer yesterday determine if they were targeted by Operation Aurora. From everything we know to date, they were not. How do we know this? We looked. In 15 minutes or so, we looked back over the last 6 months of every bit and byte that has left that company, and compared every hostname, IP address, and HTTP URL that has been associated with these attacks. This is the power of full network surveillance, and this is why you MUST be performing real-time, continual deep analysis of your network activities.

There is a discussion today of some of the malware and zero-day exploits out of McAfee. They are now calling this Operation “Aurora”. In the post, George Kurtz discusses how APT, or Advanced Persistent Threats, is changing the security landscape once again. It is a message, and the discussion, we at NetWitness have been pushing for years. While this attack has gone largely unnoticed for months, NetWitness customers have all the historic evidence necessary to assess damage. For some, this means gaining rapid confidence that they were not compromised. For some, it means rapid damage assessment, capturing evidence, and using everything they learn to increase their security today. As I watch the best security teams in the world struggle to collect evidence of this attack over the course of days or weeks, I cannot help but wonder how much easier it would have been had we been in place.

In early December, we were called into one of the affected companies, in partnership with a large service provider. Within days, we had NetWitness gear recording at every major gateway in the country, and were scheduling international deployments. While it appears that the damage was already done to this company long before we arrived, we were instrumental in shutting down many other infestations, as well as identifying hundreds of systems that were displaying abnormal or concerning communication patterns. Had this company been a NetWitness client only 30 or 60 days before, I am absolutely confident we would have been able to bring this particular activity to light weeks earlier.

We have been reaching out to our customers, providing them details of the communication that Operation Aurora utilized, along with very simple instructions that allow them to look back over time and reassess their security. One thing is certain, while we may not know the vector of a specific attack until after the fact, it is imperative that we have the ability to quickly assess the damage and retain evidence.

This is why we must begin recording our network activity NOW. Giving your network some form of memory is an absolute imperative, and the foremost defense against APT. Furthermore, simple recording is not enough. Good luck if your recording architecture is IP based. Customers of NetWitness can search the URLs, hostnames, and other application-level beaconing activities in seconds. Try doing this by scanning over 50 terabytes of packet data manually. Had this attack employed more sophisticated hosting or resolution techniques like fast flux, even the IP addresses would have been useless.
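The look-back described above (compare six months of recorded hostnames, IP addresses and HTTP URLs against a list of known indicators) comes down to a retrospective match over stored HTTP metadata. The example below is added here and is not NetWitness code; the indicator list and the five metadata records are constructed placeholders (RFC 2606 example domains and documentation IP ranges), not the real Aurora indicators, which this post does not list. The same function would apply to a C2 list such as the ZeuS configuration URLs in the Cyber-Crime or Cyber-Espionage post earlier on this page. The second record shows why hostname and URL matching matters: its destination IP is not in the list at all, so an IP-only search would miss it.

```python
from datetime import datetime

# Constructed indicator set (placeholders, NOT real Operation Aurora indicators).
IOCS = {
    "hostnames": {"update-svc.example.net", "cdn.example.org"},
    "ips": {"192.0.2.44", "198.51.100.7"},
    "url_paths": {"/check/v2/ping.php"},
}

# Constructed HTTP metadata records: (timestamp, src_ip, dst_ip, host_header, url_path).
# An IP-only store would keep just the first three columns.
RECORDS = [
    ("2009-08-03T14:02:11", "10.1.4.22", "192.0.2.44", "update-svc.example.net", "/index.html"),
    ("2009-09-17T03:45:09", "10.1.9.8", "203.0.113.5", "www.update-svc.example.net", "/check/v2/ping.php"),
    ("2009-11-21T22:10:40", "10.1.4.22", "203.0.113.90", "news.example.com", "/sports/today"),
    ("2010-01-02T08:00:01", "10.1.7.3", "198.51.100.7", "", "/"),          # raw-IP beacon, no Host header
    ("2010-01-09T19:31:55", "10.1.4.22", "203.0.113.77", "cdn.example.org", "/js/lib.js"),
]

# Six-month look-back window (assumed dates for the example).
WINDOW_START = datetime(2009, 7, 1)
WINDOW_END = datetime(2010, 1, 15)


def host_matches(host: str, bad_hosts) -> bool:
    """Exact or subdomain match, so 'www.bad.example' is caught by 'bad.example'."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in bad_hosts)


def lookback(records=RECORDS, iocs=IOCS, since=WINDOW_START, until=WINDOW_END):
    """Return every record in the window that matches an indicator, with the reason(s)."""
    hits = []
    for ts, src, dst, host, path in records:
        t = datetime.fromisoformat(ts)
        if not (since <= t <= until):
            continue
        reasons = []
        if host_matches(host, iocs["hostnames"]):
            reasons.append("hostname")
        if dst in iocs["ips"]:
            reasons.append("dst-ip")
        if path in iocs["url_paths"]:
            reasons.append("url-path")
        if reasons:
            hits.append({"time": ts, "src": src, "dst": dst, "host": host, "matched_on": reasons})
    return hits


def hosts_to_triage(hits):
    """Internal source addresses that touched an indicator, for damage assessment."""
    return sorted({h["src"] for h in hits})


def ip_only_hits(hits):
    """What a purely IP-based record store could have found."""
    return [h for h in hits if "dst-ip" in h["matched_on"]]


if __name__ == "__main__":
    found = lookback()
    for h in found:
        print(h["time"], h["src"], "->", h["host"] or h["dst"], h["matched_on"])
    print("triage:", hosts_to_triage(found))
    print("IP-only would have found", len(ip_only_hits(found)), "of", len(found))
```

On the constructed data the full match finds four records and three internal hosts to triage, while the IP-only view finds only two of the four, which is the gap the post warns about when the adversary moves hosting or uses fast-flux resolution.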

George is absolutely correct in his assessment that the landscape has changed. These types of organized, sponsored attacks are here to stay. I am sure those in the financial community, used to dealing with advanced ACH fraud and highly targeted attacks by the Russian Business Network are sitting back this morning and saying “Welcome to the party, pal!”

Welcome to the party, pal!