ZeuS and SpyEye Merge! Business as usual for NetWitness Users!

Uncategorized 1 Comment

There has been a lot of talk over the past few months about the rumored merger of ZeuS and SpyEye, two popular banking trojans that have been used by cybercriminals to commit fraud against consumers and businesses.

This is detailed in Brian Krebs's blog here:

http://krebsonsecurity.com/2011/02/revisiting-the-spyeyezeus-merger/

While ultimately this appeals to many people’s interest in the “sex, drugs and rock and roll” aspect of the underground economy and its parallels with traditional organized crime, it is in reality, business as usual.

Much like a modern business, the criminal underground works under a development life-cycle model. Mergers occur. New innovations and technology emerge. Collaboration happens.

What that means in the grand scheme of cyber-security is this: you’ve got to be agile, and more importantly, understand your network and connected systems. The bad guys will be one step ahead of you until you can do this.

Here’s an example. NetWitness tracks botnets and malware families as part of our routine day-to-day business. This practice is good for essentially two things: being able to cover items that are popular media fodder for the inevitable “What are we doing about this?” question from your CISO, and understanding the common methodology used by cybercriminals in the pursuit of their business. Ultimately, it is largely a game of “whack-a-mole”.

The really “fun stuff” is discovered when you start comparing your traffic against what is known good and looking for outliers. Here’s an example put together by a couple of our senior analysts, Gary Golomb (Malware Research) and Mike Sconzo (Professional Services), whose day-to-day jobs involve ferreting intrusions out of very large networks.

In this case, Mike wrote a flex parser which analyzes header elements in an HTTP session and identifies things that are abnormal or that don’t match the RFC for properly formed HTTP header entries. When it sees this, it creates an alert entry in the NextGen framework that identifies the issue.

Gary then combined this parser logic with the idea of using a watchlist on countries and file extensions.   He focused on countries that we commonly see involved with trojan and cybercrime activity:

afghanistan
belarus
bosnia and herzegovina
bulgaria
cayman islands
china
croatia
czech republic
egypt
georgia
india
kazakhstan
kyrgyzstan
latvia
libyan arab jamahiriya
lithuania
netherlands
nigeria
oman
pakistan
palestinian territory
qatar
romania
russian federation
satellite provider
saudi arabia
serbia
singapore
slovakia
slovenia
syrian arab republic
trinidad and tobago
turkey
turks and caicos islands
ukraine
united arab emirates
uzbekistan
yemen

and the following file extensions, all common, but seen with above-average frequency in cybercrime investigations:

exe
cgi
php
bin
rar
zip
pdf
txt
jar
js

In plain language, this essentially asks the NextGen framework to:

“Show me only those sessions that have unusual http header combinations, from watchlist countries with these ten file extensions”

What Gary found was that of the millions of sessions that he started with, this three-part “pivot” reduced those sessions to about 180. Of those 180, 175 were intrusions.

These 175 consisted of common Trojan activity like ZeuS and SpyEye, but also never-before-seen cases and custom malware.
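As an added illustration of the three-part pivot described above (this is example code, not the parser from the original post or anything shipped by NetWitness), here is a small Python stand-in: an HTTP request-head checker that flags RFC violations, combined with a country watchlist and the ten extensions, run over constructed sample sessions. The watchlist subset, the specific RFC checks and the sample requests are assumptions of this example.

```python
import re

# Constructed watchlists modelled on the post (a subset of its countries; all ten of its extensions).
WATCH_COUNTRIES = {"russian federation", "ukraine", "china", "belarus", "romania"}
WATCH_EXTENSIONS = {"exe", "cgi", "php", "bin", "rar", "zip", "pdf", "txt", "jar", "js"}
# RFC 2616 'token' characters permitted in a header field-name (no separators, no CTLs).
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE_RE = re.compile(r"^[A-Z]+ \S+ HTTP/(\d)\.(\d)$")

def header_anomalies(request_head: str) -> list[str]:
    """List the RFC violations found in one HTTP request head (request line plus headers)."""
    issues, names = [], []
    lines = request_head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        issues.append("malformed request line")
    for line in lines[1:]:
        if line == "":
            break                                    # blank line terminates the headers
        name, sep, _value = line.partition(":")
        if not sep:
            issues.append(f"header without colon: {line!r}")
        elif not TOKEN_RE.match(name):
            issues.append(f"invalid field-name: {name!r}")   # e.g. a space before the colon
        names.append(name.lower())
    if m and m.groups() == ("1", "1") and "host" not in names:
        issues.append("HTTP/1.1 without Host")
    if names.count("content-length") > 1:
        issues.append("duplicate Content-Length")
    return issues

def uri_extension(uri: str) -> str:
    last = uri.split("?", 1)[0].rsplit("/", 1)[-1]     # last path segment, query string dropped
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""

def pivot(sessions: list[dict]) -> list[dict]:
    """The three-part pivot: header anomaly AND watchlist country AND watchlist extension."""
    hits = []
    for s in sessions:
        parts = s["request"].split("\r\n", 1)[0].split(" ")
        uri = parts[1] if len(parts) > 1 else ""
        anomalies = header_anomalies(s["request"])
        if anomalies and s["country"] in WATCH_COUNTRIES and uri_extension(uri) in WATCH_EXTENSIONS:
            hits.append({**s, "anomalies": anomalies})
    return hits

# Constructed sample sessions: country of the remote server plus the raw request head.
SESSIONS = [
    {"country": "united states", "request": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"country": "romania", "request": "GET /dl/update.exe HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\n\r\n"},
    {"country": "romania", "request": "GET /img/logo.gif HTTP/1.1\r\nHost : img.example.com\r\n\r\n"},
    {"country": "ukraine", "request": "POST /gate.php HTTP/1.1\r\nHost: example.net\r\n"
                                      "Content-Length: 10\r\nContent-Length: 10\r\n\r\n"},
    {"country": "germany", "request": "GET /a.exe HTTP/1.1\r\nHost: example.org\r\nUser Agent: x\r\n\r\n"},
]
```

Only the second and fourth constructed sessions survive all three filters; the third has a bad header but a non-watchlist extension, and the fifth has a bad header but an off-watchlist country.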

So when it comes to detecting malware families, who cares?   Can you detect what’s unusual for YOUR network?   That’s where the good stuff is hiding.

Happy Hunting!

Alex Cox, Principal Research Analyst

Life at NetWitness…

Uncategorized No Comments

Sometimes – even I have to admit working at NetWitness is quite a unique experience. Because of what we do, the company has a very open culture. Our Internet connections always have various deployments of our products on them, and our engineering staff is encouraged to use them for monitoring. Today I posted a couple of pictures to a friend on Facebook. Within minutes, I received the following from a colleague: “Hey – check out the new Facebook parser!” – along with the attached:

Welcome Back, Rustock.

Uncategorized 3 Comments

It seems that our holiday from rustock-generated spam is over.

http://bits.blogs.nytimes.com/2011/01/06/spamming-declines-at-least-temporarily/?partner=rss&emc=rss

We monitor a number of botnets at NetWitness and check them occasionally for new information. Since Rustock is in the news, we’ve paid close attention to it recently. Sometime this morning, Rustock began spamming again, pushing Viagra from shady .ru sites.

Looking at the traffic in Investigator,  I see a quick overview of subject lines:

And reconstructed, we see a very in-depth message of “CLICK HERE!”

Which of course takes us to Canadian Pharmacy!

Welcome back, Rustock… We can’t say we’ve missed you. There is no telling if this will be continued activity, but it appears to be business as usual for the Rustock operators.

Cyber-Crime or Cyber-Espionage?

Advanced Threats, apt, cybercrime, kneber, Uncategorized, zeus 5 Comments

Brian Krebs posted an article on his blog this morning that documents a recent spam attack on U.S. government employees that occurred around Christmas time.

http://krebsonsecurity.com/2011/01/white-house-ecard-dupes-dot-gov-geeks/

which has in-depth technical coverage at:

http://contagiodump.blogspot.com/2011/01/general-file-information-file-card.html

Using a very simple ruse of “Merry Christmas from the White House”, this message used the common “ecard” social engineering hook to push a ZeuS trojan variant to the unlucky recipient.

From a configuration standpoint, this ZeuS bot used the following command and control points, all of which are down as of this writing:

Configuration Files:

http://patmarclean.us/flash/resny.bin

http://rogersvillechamber.us/components/tmpny.bin

http://ingunnanvik.no/templates/system/sysny.bin

http://argentum.lv/modules/rssny.bin

Binary Updates:

http://ingunnanvik.no/templates/system/botny.exe

Information Drops:

http://209.172.60.242/~newdowni/stat/gate_in.php

http://someonesome.mobi/imgs_ctn/icon_sml/gate_in.php

http://shock-world.mobi/zs/tmp/gate.php

It was poised to collect credentials from most major banks, but also included sites such as eBay, MySpace and Microsoft, as well as the online payment processors PayPal and e-gold.

While these facts alone show similarities to infrastructure aspects of the “kneber” compromise that we documented back in February 2010, a very specific tie-in makes us believe that this attack was driven by operators that were also a part of the initial “kneber” compromise.

One domain in the original kneber data, “updatekernel.com”, was tied specifically to a phishing email that used a spoofed address to push ZeuS to targeted government employees, which Brian details here:

http://krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil/

An interesting sidenote to this particular aspect of the kneber data was that the ZeuS bot that was involved with this phish had a second stage download of an executable called “stat.exe”. This malware was revealed to be a perl script converted to a stand-alone executable with the perl2exe tool.

This malware searched the local hard drive of the victim PC for xls, doc and pdf files, and uploaded them via FTP to:

packupdate.com

which, at the time, resided on a server in Belarus.

This current spam run also downloaded a second-stage executable, called “pack.exe”, which was also:

- A perl2exe executable
- Searched the victim PC for all xls, doc and pdf files
- Uploaded stolen information to a server in Belarus, which resolved to “uploadpack.org”

So in this case we have two executables and three domain names that share three converging elements (pack, Belarus and perl2exe).

When compared, these two files, separated by almost a year, are nearly identical in size:

Furthermore when analyzed with HBGary’s “fingerprint” tool, which looks for code similarities and “toolmarks”, a 95.8% match is indicated, with the only differing factors being the CPUID of the machine on which the malware was compiled:

This, because it is such a small and fairly unknown aspect of the kneber compromise, makes us think that this is indeed the same operator, who is again after documents pertaining to U.S. Government activities.

This evidence shows the continuing convergence of cyber-crime and cyber-espionage activities, and how they occasionally mirror or play off one another.

The question again, which we posed in our initial Kneber document, is:

Who is the end consumer of this information?

Alex Cox, Principal Research Analyst

I need to watch for 74,000 unique domains!

Uncategorized No Comments

In the “malware of the minute” news,  information surrounding the “Murofet” trojan has hit some malware research blogs.

Details around this trojan, which shares code similarities with ZeuS, can be found here:

http://blog.threatexpert.com/2010/10/domain-name-generator-for-murofet.html

What’s interesting about Murofet is that it borrows a page from the Conficker playbook and uses an algorithm to generate command and control domain names on the fly based on the date and time on the infected host. This makes it very difficult to take down from a defender standpoint because coordinated effort is required to control all of the possible domain names as they are detected.

In this case, reverse engineering has revealed a way to generate the domain names used by the malware in advance, which allows us to build a list of all possible domains that will be used by the malware in its current state.

But that brings us to our challenge. Murofet can generate 1,020 usable domain names a day, which, if we push that out for a few months in advance, quickly reaches into the tens of thousands of possible domain names. If I’m an incident responder at a large enterprise, I may need to parse through multiple gigabytes a day of proxy logs to attempt to locate these tens of thousands of possibly malicious domains. As you can imagine, this can quickly become a very tedious and unwieldy problem.

One of the many strengths of the NextGen framework is that it is built around addressing this sort of “needle in a haystack” problem. The NetWitness Live system is built around the concept of taking external intelligence and applying it to *your* network in real time, with alerting; some of our feeds carry *millions* of entries.

In this case, given a big list of Murofet domains, it is a trivial exercise to create a custom feed that identifies when they are seen on the network. Add an Informer Alert, and you have real-time notification if any one of these 74,000 domains is accessed by any of your monitored hosts. This strategy was also successfully used to track Conficker infections at some of our clients.
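To show the feed-matching idea concretely, here is an added Python example (not NetWitness code, and not Murofet's generation algorithm, which the post does not reproduce): a placeholder feed is loaded into a set and matched against constructed squid-style proxy log lines, walking parent suffixes so a subdomain of a feed entry still alerts. The feed names, log lines and the squid native log layout assumed by the regex are this example's own.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed feed standing in for the pre-computed Murofet domain list. The post does not
# reproduce the generation algorithm, so these are placeholder names, not real DGA output.
FEED_FILE = """# constructed feed: one domain per line
qzxkwe.biz
plmnvb.info
tyrueo.org
"""

def load_feed(text: str) -> set[str]:
    """Normalise a feed file ('#' comments, one domain per line) into a lookup set."""
    return {ln.strip().lower().rstrip(".") for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def matching_entry(host: str, feed: set[str]) -> Optional[str]:
    """Return the feed domain that `host` equals or sits under (www.qzxkwe.biz -> qzxkwe.biz)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None

# Squid native access.log: time elapsed client code/status bytes method URL user hierarchy type
SQUID_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def scan_proxy_log(lines, feed: set[str]) -> dict[str, set[str]]:
    """Map each internal client to the feed domains it contacted (the alert set an Informer rule would raise)."""
    alerts: dict[str, set[str]] = {}
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue                         # malformed or non-matching line
        url = m.group("url")
        if m.group("method") == "CONNECT":   # CONNECT logs host:port, not a full URL
            host = url.rsplit(":", 1)[0]
        else:
            host = urlsplit(url).hostname or ""
        hit = matching_entry(host, feed)
        if hit:
            alerts.setdefault(m.group("client"), set()).add(hit)
    return alerts

# Constructed sample log lines in squid native format.
SAMPLE_LOG = [
    "1288000001.123    45 10.0.0.5 TCP_MISS/200 1234 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1288000002.456    80 10.0.0.5 TCP_MISS/404 512 GET http://www.qzxkwe.biz/gate.php - DIRECT/198.51.100.7 text/html",
    "1288000003.789    60 10.0.0.9 TCP_TUNNEL/200 0 CONNECT plmnvb.info:443 - DIRECT/203.0.113.9 -",
    "1288000004.000    30 10.0.0.9 TCP_MISS/200 900 GET http://tyrueo.org.example.net/ - DIRECT/203.0.113.10 text/html",
    "not a squid line",
]
```

The fourth line shows why suffix walking must start from the full host and shorten toward the TLD: tyrueo.org.example.net is not under tyrueo.org and correctly does not alert.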

If you’d like more information on creating your own custom feeds, please see this link in the community:

https://www.netwitness.com/community/showthread.php?t=320

Tracking the “Here You Have” Worm

Malware Analysis, Network Forensics, Network Visibility, Situational Awareness, Uncategorized No Comments

If you’ve kept a view on security news in the past 24 hours, you may have noticed some press around a new email worm spreading on corporate networks.   Dubbed the “Here You Have” worm, it is a good case study on how to manage emerging threats with your NetWitness technology.  You can find additional info on the worm here:

http://isc.sans.edu/diary.html?storyid=9529

As a general overview, the worm works in a similar manner as other recent malware observed in the wild.

  • It tempts the user to click on an attachment or link with a social engineering hook.
  • When clicked, the malware establishes itself on the targeted machine to run automatically and propagates itself.
  • The malware downloads additional executables intended to steal saved credentials and establishes a beacon mechanism to receive updates or transmit stolen data.

Like most emerging threats, research teams at NetWitness analyzed this variant as soon as we found out about it, and I’ll use a few basic incident response questions to demonstrate detection mechanisms using our technology.   One thing to note is that none of this worm’s activity requires any content generation other than simple application rules since the metadata extraction process in our engine  extracts all of the relevant meta by default.

1)  Who in my environment was targeted?

Targeted email addresses related to this worm’s activity can be detected by simply using a custom-drill in Investigator:

subject contains 'here you have','just for you' && email = 'iraq_resistance@yahoo.com'

This drill will focus the collection on the email sessions related to this activity, and relevant email addresses, ip addresses, hostnames, etc. can be extracted for additional analysis.

2) Who in my environment actually clicked on the link or attachment?

In this case, there are a few ways to detect this activity.   Once executed, the malware downloads a number of files with the extension “iq”.   Since this is an unusual extension, an initial quick pivot to locate infected hosts is:

extension = 'iq'

Or, you could specifically target some of the filenames themselves:

filename = 'ie.iq','pspv.iq','op.iq','im.iq','m.iq','w.iq','gc.iq','ff.iq','rd.iq','tryme.iq'

Or, you could look for hits to the alias.host where the files reside:

alias.host = members.multimania.co.uk && directory contains 'yahoophoto'

Or, if your sniffing equipment is monitoring a backbone, you could look for the malware being copied to mapped network drives:

filename = 'pdf_document21_025542010_pdf.scr'

3) Who in my organization is infected and beaconing?

In this case, one of the downloaded files in Step 2 attempts to contact “tarekbinziad.no-ip.biz”, so you can use an alias.host pivot to locate machines that may have transmitted credentials to a third-party:

alias.host = 'tarekbinziad.no-ip.biz'

One thing to keep in mind is that both “tarekbinziad.no-ip.biz” and “members.multimania.co.uk/yahoophoto/” have been taken down by the security industry at this point, so with this variant, you are looking at a cleanup effort.   Also keep in mind that infected machines will continue to spam messages until they are cleaned.
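The three pivots above, run as an added example against constructed session metadata (this is not NetWitness code): a simplified interpreter for the drill syntax, whose assumed semantics are that comma-separated values are alternatives, `&&` is AND, `contains` is a case-insensitive substring test and `=` a case-insensitive exact match. The session records are constructed for the example.

```python
import re

# Simplified interpreter for the Investigator drill syntax quoted above. Assumed semantics (not
# NetWitness's documented grammar): comma-separated values are alternatives, '&&' is AND,
# 'contains' is a case-insensitive substring test and '=' a case-insensitive exact match.
TERM_RE = re.compile(r"^\s*([\w.]+)\s+(=|contains)\s+(.+?)\s*$")

def _values(raw: str) -> list[str]:
    """Turn 'a','b' (or an unquoted single value) into a lowercase list of alternatives."""
    return [v.strip().strip("'").lower() for v in raw.split(",")]

def match(query: str, session: dict) -> bool:
    """True when every '&&'-joined term of the drill matches the session's metadata."""
    for term in query.split("&&"):
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"cannot parse drill term: {term!r}")
        key, op, raw = m.groups()
        have = [str(v).lower() for v in session.get(key, [])]  # a meta key can repeat in one session
        wanted = _values(raw)
        if op == "=":
            hit = any(h == w for h in have for w in wanted)
        else:
            hit = any(w in h for h in have for w in wanted)
        if not hit:
            return False
    return True

def drill(query: str, sessions: list[dict]) -> list[int]:
    """Ids of the sessions selected by the drill."""
    return [s["id"] for s in sessions if match(query, s)]

# The post's three questions as drills.
Q_TARGETED = "subject contains 'here you have','just for you' && email = 'iraq_resistance@yahoo.com'"
Q_CLICKED = "alias.host = members.multimania.co.uk && directory contains 'yahoophoto'"
Q_BEACON = "alias.host = 'tarekbinziad.no-ip.biz'"

def triage(sessions: list[dict]) -> dict[str, list[int]]:
    """Answer the three incident-response questions over a set of sessions."""
    clicked = set(drill(Q_CLICKED, sessions)) | set(drill("extension = 'iq'", sessions))
    return {"targeted": drill(Q_TARGETED, sessions),
            "clicked": sorted(clicked),
            "beaconing": drill(Q_BEACON, sessions)}

# Constructed session metadata; each meta key holds the list of values seen in that session.
SESSIONS = [
    {"id": 1, "subject": ["Here you have"], "email": ["iraq_resistance@yahoo.com", "alice@example.com"]},
    {"id": 2, "subject": ["Here you have"], "email": ["bob@example.com", "alice@example.com"]},
    {"id": 3, "alias.host": ["members.multimania.co.uk"], "directory": ["/yahoophoto/"],
     "filename": ["pspv.iq"], "extension": ["iq"]},
    {"id": 4, "alias.host": ["tarekbinziad.no-ip.biz"], "ip.src": ["10.0.0.7"]},
    {"id": 5, "alias.host": ["www.example.com"], "extension": ["html"]},
]
```

Session 2 carries the lure subject but not the sender address, so the `&&` in the first drill keeps it out of the "targeted" set.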

Happy Hunting!

Visualize and Content Enhancements

Uncategorized 3 Comments

There are some exciting new enhancements to NetWitness coming with the release of 9.5 in early August.  One of the most compelling areas we have been working on is in content extraction.  If there is a single use-case that I see at almost all of our best client sites, it would be the extraction and analysis of malware.  Another very common use case is the collection and analysis of certain types of content, such as executables, PDF files, and other documents.  In many cases, the second is to facilitate the first.

Well, we listen.  We decided getting at any piece of content should be easy.  And we did it the way we always do it – at enterprise scale and speed.  In the end, exporting anything from NetWitness is as much as 10 or 20 times faster in 9.5 than in 9.0, all while EASING the burden on capture.

Once we had such immediate access to content, we began exploiting that access. What follows is a quick demo of two of the many enhancements in 9.5: content exporting through NetWitness Investigator, and the new NetWitness Visualize. For those customers interested in content extraction, and even our freeware community, exporting any type of file – or indeed ALL files – from network captures could not be easier.

The Export Files dialog in Investigator

For our enterprise customers, NetWitness Visualize is something we have wanted to create since the very early days of NetWitness.  People who have seen Visualize frequently bring up references to that Tom Cruise movie Minority Report.  The product does not ship with a pool full of hairless psychics, but the perspective that Visualize can provide is something I think is unique to our industry. 

Visualize Screenshot

What follows is a very quick demo:

NetWitness Visualize and Content Extraction Demo

We really recommend that you watch the video first, before checking out our demonstration site:

http://visualize.netwitness.com

If you would like to see Visualize in action before the release – find us at Blackhat 2010 in Las Vegas next week!

UpdateKernel / Kneber Government Attacks

apt, Uncategorized No Comments

This is a significant percentage of the related government activity we mentioned with the release of the report. Much of this is ongoing, and there are dozens of similar operations. Credit where credit is due: Nart Villeneuve of SecDev.cyber has a great write-up on the targeted government attacks here:

www.infowar-monitor.net

If you have recently heard of the North Korean nuclear spear phish…  same guys.

Tutorial Video – now in HD

Uncategorized No Comments

I am not sure anyone can really understand how hard it is to make a computer tutorial video that looks even remotely watchable on YouTube. It took quite a few tries to figure out how far I needed to zoom in to make it readable at a resolution that was cutting edge in 1992.

In my searches for options, I stumbled on ViddYou. Consider it a YouTube clone that will allow HD content for about 3 dollars a month. The tutorial is now there as well – in a much clearer format.