Wednesday, April 25, 2007

Shots from the Malicious Wild West - Sample Seven

Webmoner is a malware family that has been targeting the WebMoney service for the last couple of years. WebMoney is mostly used in Russia, by both legitimate and malicious parties -- three out of five transfers by malicious parties use WebMoney and the other two use Yandex. What's interesting about this trojan, or perhaps we should define it as a module given its 2kb packed size and its stats compatibility with popular malware C&C platforms, is that it doesn't log the account details of WebMoney customers. Instead, the attacker feeds the trojan with up to four of his own Web Purses, so that later, when the infected party initiates a transfer, the malware hijacks the process, intercepts the payment and redirects it to one of the attacker's WebMoney purses. See how various AVs perform when detecting a sample of it.

The disturbing part is a recently released public builder, the push-of-a-button DIY malware generation (a.k.a. the revenge of the script kiddies) with built-in FSG packing to further obfuscate the binary and bring it down to 1.5kb. See the attached screenshot. This attack puts the service in an awkward situation: the transfers are hijacked on the fly, inside the victim's own session, so the responsibility is pushed onto the infected party, whereas with keylogged details the transfers are made by the attacker with stolen IDs. How have things evolved from 2001 until 2007? Keylogging may seem the logical approach, but it is the worst enemy of efficiency compared to techniques that automatically collect, hijack and intercept the desired account data. The screen-capturing banking trojan Hispasec came across is a good example of the trade-off here. The irony? The author of the builder is anticipating malware-on-demand requests and charging 10 WMZ in virtual money for undetected builds.

There's an ongoing debate on the usefulness, or lack thereof, of popular anti-virus software. In January 2007 the Yankee Group released a four-page report starting at $599 -- try a 26-page free alternative released in January 2006 that debunks lots of myths -- entitled "Anti-Virus is Dead: Long Live Anti-Malware", in an effort not only to generate lazy revenue from its insights, but to emphasize the false sense of security many AVs provide. As a consultant you often get the plain simple question of which is the best anti-virus out there, to which you either reply based on lead-generation relationships with vendors, or do the customer a favour and answer the question with a question: the best anti-virus with respect to what? Detecting rootkits? Removing detected malware and restoring the infected files to their previous condition? Log event compatibility with the existing security event management software? Fastest response times to major outbreaks? -- psst, zero-day malware ruins the effect here. Or which anti-virus solution has the largest dataset for detecting known malware? Anti-virus is just one part of your overall security strategy, and given that the anti-virus market is perhaps the one with the highest liquidity -- most $ still go to perimeter defense solutions -- excessive expectations and a lack of understanding of the threatscape mean customer dissatisfaction, which needn't always be the case. If anti-virus software the way we use it today were dead, John Doe from the U.S. or Ivan Ivanov from Russia would still be 31337-ing the world, the Sub7 world I mean.

Some AVs, however, perform better than others on given tasks. The recently released AV-Comparatives results speak for themselves. If you're going to use anti-virus software, use one from a company whose core competency lies in anti-virus software, not from a company that entered the space through acquisition during the last couple of years, or from one where anti-virus is just part of a huge solutions portfolio. Boutique anti-virus vendors logically outperform the market leaders -- exactly the type of advice I've been giving out for quite a while.

Related posts :
Security Threats to Consider when Doing E-banking
No Anti-Virus, No E-banking for You
The Underground Economy's Supply of Goods

Previous "virtual shots" :
Shots from the Malicious Wild West - Sample Six
Shots from the Malicious Wild West - Sample Five
Shots from the Malicious Wild West - Sample Four
Shots from the Malicious Wild West - Sample Three
Shots from the Malicious Wild West - Sample Two
Shots from the Malicious Wild West - Sample One

Monday, April 23, 2007

OSINT Through Botnets

Open source intelligence gathering techniques from a government-sponsored cyber espionage perspective have been an active doctrine for years, thanks to niche approaches applied to the huge botnet-infected networks -- government and military ones on an international scale as well. And yes, targeted attacks as well. It's a public secret that botnet masters are able to geolocate IPs through commercially obtainable databases of superior quality. Have you ever thought about what would happen if a botnet-on-demand request were initiated, but only for a botnet consisting of infected military and government PCs? Here's a related story:

"The misuse of US military networks by spammers and other pond life is infrequently reported, but goes back some years. In August 2004, we reported how blog comment spams promoting illegal porn sites were sent through compromised machines associated with unclassified US military networks. Spam advertising "incest, rape and animal sex" pornography was posted on a web log which was set up to discuss the ID Cards Bill via an open proxy at the gateway of an unclassified military network."

From an OSINT perspective, a bigger picture emerges piece by piece from the tiny pieces of the puzzle, and even though each of these would definitely be unclassified, a clerk's email today may turn into a major violation of OPSEC tomorrow. Moreover, the security-through-obscurity approach of different military networks might get shaken up a bit by the exposure of the infrastructure, gathered in a purely passive mode from the attacker's perspective.

In the wake of yet another targeted attack on U.S. government networks, in the form of a zero-day vulnerability in Word documents neatly emailed to the associated parties, it's worth discussing the commitment shown in the form of the Word zero-day, and the attached congressional speech on Asian diplomacy sent to Asian departments:

"The mysterious State Department e-mail appeared to be legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, Reid said. By opening the document, the employee activated hidden software commands establishing what Reid described as backdoor communications with the hackers. The technique exploited a previously unknown design flaw in Microsoft's Office software, Reid said. State Department officials worked with the Homeland Security Department and even the FBI to urge Microsoft to develop quickly a protective software patch, but the company did not offer the patch until Aug. 8 — roughly eight weeks after the break-in."

The life of this zero-day vulnerability started much earlier than anyone had predicted, and obviously specific emails of various departments are known, harvested or obtained through already malware-infected PCs -- pretty much everything for a successful targeted attack seems to be in place, right? But what makes me wonder is where the attacking emails originate from: an infected ADSL user somewhere around the world whose spoofed .gov or .mil email somehow made it through undetected as spam, or an already infected .gov or .mil host whose IP reputation the attackers took advantage of?

In the majority of news articles or comments I come across, reporters make the rather simplistic connection with China's emerging cyber warfare capabilities -- a little bit of Sun Tzu as a school of thought and mostly rephrasing U.S. studies -- whenever an attacking email or attack originates from China's netblocks. Perhaps part two of my previous post "from the unpragmatic department" sparked debate on physically bombing the sources of the attacks, just to make sure I guess. Engineering cyber warfare tensions nowadays, given that China has been competing with the U.S. for first place in botnet and spam statistics for the last several years, speaks for itself -- the U.S. would find itself bombing U.S. ISPs and China would find itself bombing Chinese ISPs. So the question is: why establish an offensive cyber warfare doctrine when you can simply install a Lycos Spam Fighting type of screensaver on every military and government computer and have it periodically update its hitlists?

Black humour is crucial if you don't want to lose your real sense of humour, and thankfully, for the time being an offensive cyber warfare provocation -- or the boring idleness of botnet masters -- isn't considered a declaration of war yet. The Sum of All Fears is an amazing representation of engineering tensions in real life, so consider keeping your Cyber DEFCON lower.

Open source visualization courtesy of NYTimes.com, MakeLoveNotSpam's effect courtesy of Netcraft.

UPDATE: Apparently, seven years ago North Korea's hyped cyber warfare unit was already aware of the concept of targeted attacks, so that:

"Kim Jong Il visited software labs and high-tech hubs during his rare trips to China and Russia in 2000 and 2001. When then-U.S. Secretary of State Madeleine Albright visited Pyongyang in 2000, he asked for her e-mail address."

On a future visit, in a future tense, perhaps IM accounts will be requested in order to rotate the infection vectors. Meanwhile, read a great article on North Korea's IT Revolution, or let's say a case study on failed TECHINT due to a self-serving denial of the word globalization.

Friday, April 20, 2007

Google in the Future

Great fake as a matter of fact. Don't blame the crawler for crawling the public Web; blame the retention of clickstreams for indefinite periods of time and the intermediaries selling them to keyword marketers. And of course the emerging centralization of too much power online, with its privacy implications -- power and responsibility must intersect. Two more fakes for you to enjoy.

Shots from the Malicious Wild West - Sample Six

Continuing the "Malicious Wild West" series, the Blacksun RAT's web integration is so module-friendly it makes you wonder why it's not another case study in malware on demand, but the publicly obtainable open-source malware it is. With process injection into explorer.exe by default and a default port of 2121, this HTTP bot is still in BETA. And BETA actually means more people will play around with the code and add extended functionality to it. There's a common myth that the majority of botnets are still operated through IRC-based communications, and although there are still large botnets receiving commands through IRC, there's an ongoing shift towards diversification, and HTTP in all of its tunneling and covert beauty seems to be the logical evolution.

Here are some commands included in the default admin.php that speak for themselves:

OPTION value=cmd
OPTION value=bindshell
OPTION value=download
OPTION value=ftp_upload
OPTION value=msgbox
OPTION value=power
OPTION value=monitor
OPTION value=cdrom
OPTION value=keyboard
OPTION value=mouse
OPTION value=crazymouse
OPTION value=funwindows
OPTION value=version
OPTION value=exitprocess
OPTION value=killmyself

killmyself is quite handy in case you get control of the botnet in one way or another and want to disinfect the entire population with a single command. Stay tuned for various other "releases" in the upcoming virtual shots during the next couple of days.
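The commands above show what the panel can push; what a defender on the network usually sees is only the bot polling admin.php. As an added example (not code from the original post or from the Blacksun project), the Python below parses a constructed proxy log and flags clients that hit the same URL at a near-constant interval, which is what a sleep-loop in an HTTP bot looks like, and marks the series that also match the two static indicators the post gives, port 2121 and admin.php. The log format, the IP addresses and the request timing are all assumptions; the periodicity test is generic and applies to any HTTP bot, not only this one.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log, not from the original post. One request per line:
# epoch timestamp, client IP, method, URL, HTTP status. Client 10.0.0.5 polls
# the panel on the bot's default port once a minute; 10.0.0.12 polls an
# unrelated script every five minutes; 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
1177228800 10.0.0.5 GET http://203.0.113.7:2121/admin.php 200
1177228860 10.0.0.5 GET http://203.0.113.7:2121/admin.php 200
1177228921 10.0.0.5 GET http://203.0.113.7:2121/admin.php 200
1177228980 10.0.0.5 GET http://203.0.113.7:2121/admin.php 200
1177228810 10.0.0.9 GET http://example.com/index.html 200
1177228900 10.0.0.9 GET http://example.com/news/admin.php 404
1177229300 10.0.0.9 GET http://example.com/about.html 200
1177228800 10.0.0.12 GET http://198.51.100.4/update.php 200
1177229100 10.0.0.12 GET http://198.51.100.4/update.php 200
1177229400 10.0.0.12 GET http://198.51.100.4/update.php 200
1177229700 10.0.0.12 GET http://198.51.100.4/update.php 200
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")

# The two static indicators the post gives for this bot.
BLACKSUN_PORT = 2121
BLACKSUN_PANEL = "admin.php"


def parse_log(text):
    """Turn the log text into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        entries.append({"ts": int(ts), "client": client, "method": method,
                        "url": url, "status": int(status)})
    return entries


def has_blacksun_indicator(url):
    """True when the URL points at admin.php on the default port 2121."""
    p = urlparse(url)
    return p.port == BLACKSUN_PORT and p.path.endswith("/" + BLACKSUN_PANEL)


def find_beacons(entries, min_hits=4, max_jitter=0.2):
    """Return the (client, url) series that are polled at a near-constant interval.

    jitter is the coefficient of variation of the gaps between requests: a
    sleep(60) loop in a bot gives a value near zero, a human browsing does not.
    """
    series = defaultdict(list)
    for e in entries:
        series[(e["client"], e["url"])].append(e["ts"])

    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            beacons[key] = {"period": round(mean), "hits": len(stamps),
                            "jitter": round(jitter, 3),
                            "blacksun_indicator": has_blacksun_indicator(key[1])}
    return beacons


if __name__ == "__main__":
    for (client, url), b in sorted(find_beacons(parse_log(SAMPLE_LOG)).items()):
        tag = "BLACKSUN" if b["blacksun_indicator"] else "beacon"
        print(f"{tag:8} {client:10} every {b['period']}s x{b['hits']} -> {url}")
```

Both polling clients are reported; only 10.0.0.5 carries the port 2121 plus admin.php indicator, while 10.0.0.12 is a plain beacon that deserves a look regardless of what the bot family turns out to be. The 404 from 10.0.0.9 to a different admin.php is a single request and never reaches the periodicity test, which is the point of keying on the series rather than on the file name alone.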

Shots from the Malicious Wild West - Sample Five

Open source malware with a MySQL-based web command and control? It's not just Sdbot and Agobot, the most popular malware families, that have such features by default, but pretty much every new bot family. The Cyber Bot, a malware-on-demand offering, is one of these. Alongside the typical DDoS capabilities such as SYN, ACK, ICMP, UDP, DNS and HTTP POST and GET floods, it offers various rootkit capabilities, including the ability to bypass popular AV and firewall software. I recently located various screenshots of the web command and control which I'm sure you'll find enlightening. A picture is worth a thousand fears, as usual. Rather interestingly, the bot is able to figure out whether the infected user is on a LAN, on dial-up, or behind a proxy; the rest of the statistics, such as IP geolocation and infected users per OS, are turning into a modular commodity. It's also worth noting that the web interface can grant control-panel access to more than one registered user, which logically means it's built with the idea of providing rental services.

Here's a related post with more web command and control screenshots, and another one taking into consideration various underground economics.

A Compilation of Web Backdoors

The other day I came across a nice compilation of web backdoors, and decided to verify how well various AVs perform when detecting them:

"I have collected some WEB backdoors in the past to exploit vulnerable file upload facilities and others. I think a library like this may be useful in a variety of situations. Understanding how these backdoors work can help security administrators implement firewalling and security policies to mitigate obvious attacks."

Here are some results listing the AVs that detected them -- as they should:

* name: cfexec.cfm
* size: 1328
* md5: cce2f90563cb33ce32b6439e57839492
* sha1: 01c50c39e41c6e95262a1141dbfcbf9e8f14fc19

No AV detects this one

* name : cmdasp.asp
* size: 1581 bytes
* md5: d0ef359225f9416dcf29bb274ab76c4b
* sha1: 9df3e72df372c41fe0a4d4f1e940f98829b752e1

Authentium 4.93.8 04.14.2007 ASP/Ace.G@bd
Avast 4.7.981.0 04.16.2007 VBS:Malware
BitDefender 7.2 04.16.2007 Backdoor.ASP.Ace.C
ClamAV devel-20070312 04.16.2007 ASP.Ace.C
DrWeb 4.33 04.16.2007 BackDoor.AspShell
Ewido 4.0 04.16.2007 Backdoor.Rootkit.10.a
F-Prot 4.3.2.48 04.13.2007 ASP/Ace.G@bd
F-Secure 6.70.13030.0 04.16.2007 ASP/Ace.G@bd
Kaspersky 4.0.2.24 04.16.2007 Backdoor.ASP.Ace.q
Microsoft 1.2405 04.16.2007 Backdoor:VBS/Ace.C
Symantec 10 04.16.2007 Backdoor.Trojan
VBA32 3.11.3 04.14.2007 Backdoor.ASP.Rootkit.10.a#1
Webwasher-Gateway 6.0.1 04.16.2007 VBScript.Unwanted.gen!FR:M-FW:H-RR:M-RW:M-N:H-CL:H (suspicious)

* name: cmdasp.aspx
* size: 1442
* md5: 27072d0700c9f1db93eb9566738787bd
* sha1: 2c43d5f92ad855c25400ee27067fd15d92d1f6de

No AV detects this one

* name: simple-backdoor.php
* size: 345
* md5: fcd01740ca9d0303094378248fdeaea9
* sha1: 186c9394e22e91ff68502d7c1a71e67c5ded67cc

No AV detects this one

* name: php-backdoor.php
* size: 2871
* md5: 9ca0489e5d8a820ef84c4af8938005d5
* sha1: 89db6dc499130458597fe15f8592f332fb61607e

AhnLab-V3 2007.4.19.1/20070419 found [BAT/Zonie]
AntiVir 7.3.1.53/20070419 found [PHP/Zonie]
Authentium 4.93.8/20070418 found [PHP/Zackdoor.A]
AVG 7.5.0.464/20070419 found [PHP/Zonie.A]
BitDefender 7.2/20070419 found [Backdoor.Php.Zonie.B]
F-Prot 4.3.2.48/20070418 found [PHP/Zackdoor.A]
F-Secure 6.70.13030.0/20070419 found [PHP/Zackdoor.A]
Ikarus T3.1.1.5/20070419 found [Backdoor.PHP.Zonie]
Kaspersky 4.0.2.24/20070420 found [Backdoor.PHP.Zonie]
McAfee 5013/20070419 found [PWS-Zombie]
Microsoft 1.2405/20070419 found [Backdoor:PHP/Zonie.A]
NOD32v2 2205/20070419 found [PHP/Zonie]
Norman 5.80.02/20070419 found [PHP/Zonie.A]
VBA32 3.11.3/20070419 found [Backdoor.PHP.Zonie#1]
Webwasher-Gateway 6.0.1/20070419 found [Script.Zonie]

* name: jsp-reverse.jsp
* size: 2542
* md5: ebf87108c908eddaef6f30f6785d6118
* sha1: 24621d45f7164aad34f79298bcae8f7825f25f30

No AV detects this one

* name: perlcmd.cgi
* size: 619
* md5: c7ac0d320464a9dee560e87d2fdbdb0c
* sha1: 6cd84b993dcc29dfd845bd688320b12bfd219922

No AV detects this one

* name: cmdjsp.jsp
* size: 757
* md5: 3405a7f7fc9fa8090223a7669a26f25a
* sha1: 1d4d1cc154f792dea194695f47e17f5f0ca90696

No AV detects this one

* name: cmd-asp-5.1.asp
* size: 1241
* md5: eba86b79c73195630fb1d8b58da13d53
* sha1: 22d67b7f5f92198d9c083e140ba64ad9d04d4ebc

Webwasher-Gateway 6.0.1/20070419 found [VBScript.Unwanted.gen!FR:M-FW:M-RR:M-RW:M-N:H-CL:H (suspicious)]

Rather interestingly, there have been recent targeted attacks aimed at gullible admins who'd put such web shells on their servers, thus opening a reverse shell to the attackers. As always, this compilation is just the tip of the iceberg; as Jose Nazario points out, changing a variable name means a different checksum, and considering the countless ASP, PHP and Perl based reverse backdoors out there, the threat is here to remain as silent and effective as possible. Grep this viruslist, especially the ASP, PHP and Perl backdoor families, to come up with more variants in case you want to know what's already been spotted in the wild. Here's a very well written paper by Gadi Evron on Web Server Botnets and Server Farms as Attack Platforms, discussing the economies of scale of these attacks.
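Jose Nazario's checksum point is worth demonstrating. As an added example (not the files from the compilation above and not code from the original post), the Python below runs two detectors over constructed test files: an exact MD5 list of the kind a signature scanner keeps, and a content rule that fires when a command-execution sink and a request-controlled source appear in the same file. Renaming a single variable defeats the hash but not the rule, and a benign script that calls system() with a constant argument is not flagged. The file names, the sample contents and the rule set are assumptions made for the example.

```python
import hashlib
import re

# Constructed test files (not the ones from the compilation above): the same
# one-line PHP command backdoor with one variable renamed, a benign script that
# also calls system() but with a constant argument, and an ASP equivalent.
SAMPLES = {
    "shell_a.php": "<?php $c = $_REQUEST['cmd']; system($c); ?>",
    "shell_b.php": "<?php $zz = $_REQUEST['cmd']; system($zz); ?>",
    "cron_wrapper.php": "<?php system('/usr/sbin/logrotate /etc/logrotate.conf'); ?>",
    "upload.asp": '<% Set o = Server.CreateObject("WScript.Shell") : o.Exec(Request("c")) %>',
}


def md5_hex(content: str) -> str:
    return hashlib.md5(content.encode()).hexdigest()


# A signature database of the kind a hash-based scanner keeps: exact checksums
# of samples seen before. Here it holds only shell_a.php.
KNOWN_MD5 = {md5_hex(SAMPLES["shell_a.php"])}

# Content rules: a command-execution sink plus an attacker-controlled source in
# the same file. This is co-occurrence within the file, not data-flow analysis,
# so a script that reads a request parameter and separately runs a fixed
# command would also match; treat hits as triage candidates.
RULES = {
    "php-cmd-backdoor": (
        re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\("),
        re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
    ),
    "php-eval-backdoor": (
        re.compile(r"\beval\s*\("),
        re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
    ),
    "asp-cmd-backdoor": (
        re.compile(r"WScript\.Shell|Shell\.Application", re.I),
        re.compile(r"\bRequest\s*[.(]", re.I),
    ),
    "jsp-cmd-backdoor": (
        re.compile(r"Runtime\.getRuntime\(\)\s*\.exec\s*\("),
        re.compile(r"request\.getParameter\s*\("),
    ),
    "perl-cmd-backdoor": (
        re.compile(r"\bsystem\s*\(|`[^`]*`|\bopen\s*\([^)]*\|"),
        re.compile(r"\bparam\s*\(|\$ENV\{['\"]QUERY_STRING['\"]\}"),
    ),
}


def match_rules(content: str) -> list:
    """Names of every rule whose sink and source both appear in the content."""
    return [name for name, (sink, source) in RULES.items()
            if sink.search(content) and source.search(content)]


def scan(samples: dict) -> dict:
    """Compare hash-based and content-based detection for each file."""
    report = {}
    for name, content in samples.items():
        digest = md5_hex(content)
        report[name] = {
            "md5": digest,
            "hash_hit": digest in KNOWN_MD5,
            "rules": match_rules(content),
        }
    return report


if __name__ == "__main__":
    for name, r in scan(SAMPLES).items():
        print(f"{name:18} md5={r['md5'][:8]}... hash_hit={r['hash_hit']!s:5} rules={r['rules']}")
```

The content rules catch what a checksum cannot, but they are only as good as the sink list: a shell that hides its sink behind eval(base64_decode(...)) or string concatenation gets past the command regexes and is caught, at best, by the eval rule. That is exactly the arms race the "no AV detects this one" entries above illustrate, which is why file-integrity monitoring of the web root and review of upload handlers matter more than any one signature.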