Search



SpiderLabs Services
Resources

Research Stats

Categories

Security Advisories

Trustwave Press Releases

Malware Feed

20 May 2013

Machine Learning Update 1

It has been almost exactly a month since my last post regarding the new project I am working on, so I figure it is time for an update. First off, I was excited and encouraged with the responses I received via Twitter after my initial posting. One response in particular mentioned the related work that @silviocesare is doing with the SimSeer project as well as a book he co-authored “Software Similarity and Classification”. Both appear to be excellent resources and I plan to check them both out in more detail as time allows.

MLIt seems as if the stars were in alignment because just after I announced the project, a little birdy (@spookerlabs) let me know that a free Machine Learning course from Stanford University was being presented through Coursera. Did I mention that it is free? I signed up for it and we are about four weeks through the 10-week course. I have to say that I am pretty impressed with how the course is laid out and presented. We wasted no time jumping right into the math, but that shouldn’t really be of any surprise to anyone. The course mainly applies Linear Algebra, but an understanding of at least first year Calculus is a definite bonus. For example, here is a slide from the first week of the class covering the application of a Linear Regression Model and the Gradient Descent Algorithm, which would be used to help predict something like house pricing based on known square footage:  Formula1

Continue reading "Machine Learning Update 1" »

Posted by on 20 May 2013 at 11:16 in Big Data, Malware, Security Research | | Comments (0)

17 May 2013

Alina: Following The Shadow Part 1

Last I spoke with you, I went into the details of a family of Point of Sale (POS) malware, named 'Alina'. At the time, I chose to talk about version 4.0, mainly because I felt it gave a good representation of the entire family itself. In the course of my research, I've been able to acquire 12 distinct versions. As you may recall from the last blog post, Alina is versioned in the User-Agent field for all HTTP-based communication. For example, the User-Agent last time around was "Alina v4.0". Knowing this, I plan on talking about the evolution of this malware today, going from version 0.1 up to 5.5. Just for reference, I have the following versions at this time:

0.1, 1.0, 2.0, 2.1, 3.1, 3.2, 3.3, 3.4, 3.5, 4.0, 5.2, 5.3, 5.5

I'm going to break up this post into a few different sections, and talk about how the malware family has evolved over time with respect to various categories. As I started writing this, it became apparent that it wouldn’t fit into one blog post. As such, I’ve split it up into different parts. For this blog post I’m going to focus on the creation timeline, exfiltration, and C&C.

Continue reading "Alina: Following The Shadow Part 1" »

Posted by on 17 May 2013 at 13:01 in Malware | | Comments (0)

15 May 2013

Analysis of Malicious Document Files Spammed by Cutwail

In our Global Security Report, we highlighted a zero day vulnerability in the Windows Common Controls affecting Microsoft Office (CVE-2012-0158). This was reportedly being used for targeted attacked against NGOs and human rights activist.

Over the past week, the Cutwail botnet has been sending out spam containing malicious documents of the aforementioned vulnerability, CVE-2012-0158.  The use of a loaded RTF attachment  is a departure from normal for Cutwail, usually it distributes executable attachments or links to exploit kits.

The spam claims to be from Citibank or  Bank of America. The spam may use the “Merchant Statement” as a subject line and has an accompanying .DOC file attached.

Spam Campaign
Spam Campaign Samples

Continue reading "Analysis of Malicious Document Files Spammed by Cutwail" »

Posted by on 15 May 2013 at 08:04 in Global Security Report, Malware, Phishing, Spam | | Comments (0)

23 April 2013

Basic Packers: Easy As Pie

Throughout Trustwave SpiderLabs’ many forensic investigations, we often stumble upon malicious samples that have been ‘packed’. This technique/concept can be unfamiliar to the aspiring malware reverser or digital forensic investigator, so I thought it would be fun to use this opportunity to talk about portable executable (PE) packers at a high level. If you already know what PE packers are and how they work, you’re more than welcome to continue reading, however it’s certainly possible you may not learn something new. Think of this as a 101 blog post.

So what are PE packers? How do they work? How can you defeat them? I’m going to do my best to answer these questions.

Continue reading "Basic Packers: Easy As Pie" »

Posted by on 23 April 2013 at 22:23 in Incident Response, Malware | | Comments (0)

18 April 2013

Large scale malicious spam campaign exploiting Boston bombing

In our latest Global Security Report, we noted malicious spam campaigns were on the increase, and roughly 1 in 10 spam messages were malicious. 

There is a large scale malicious spam campaign going on that is shamelessly exploiting the Boston bombing. Subject lines are similar to the following:

Subjects

Continue reading "Large scale malicious spam campaign exploiting Boston bombing" »

Posted by on 18 April 2013 at 06:13 in Exploit Kits, Malware, Spam | | Comments (0)

17 April 2013

Me Myself and I, Robot

I_RobotGrowing up I read every book my library had to offer by Jules Verne and Isaac Asimov. These and many other similarly minded authors inspired me to think far beyond "what is" into "what might be". I was so excited about the ideas proposed by some of these early science fiction writers that I seriously considered post-graduate study in Artificial Intelligence (A.I.) before ultimately accepting a job as a Pentester. Yeah, I sold out early - so what. However, those initial seeds have stuck with me through my life and have continued their influence into my eventual career in computing and security. Imagination and idea creation are still invaluable tools that I credit directly to my world being expanded while reading under the covers with a flashlight as a boy.

"That's right. When I was your age, television was called books."
--The Princess Bride (1987)

Now, ████ years later as a Security Researcher with Trustwave SpiderLabs I get to spend a percentage of my time working on pet1 research projects. I am in the opportune position to be able to come full circle and attempt to seriously explore some of those exciting buds of ideas I once only day dreamed about while flipping through the pages of whichever Philip K Dick novel I had just discovered.

The purpose of this post is actually several fold. The first is to publicly announce the project I am about to work on because I am excited about it, and because by doing so I have taken the first step in being accountable for its progress. Secondly, by self-admission, I am no expert in this advanced field but I hope to document my progress here on this blog, both the happy successes AND the inevitable failures. Lastly, by posting here with my progress it is my hope that a discussion will be created with others out there who are also interested in this topic. To share ideas, and to brainstorm new approaches in such a way that the whole community can benefit from them.

Continue reading "Me Myself and I, Robot" »

Posted by on 17 April 2013 at 07:35 in Big Data, Malware, Security Research | | Comments (0)

10 April 2013

Ransomware Author <3's Farm Animals

As security researchers, our virtual journey in revealing new threats on the web is never-ending. Every once in a while we come across a curious and interesting web attack. Today’s blog post will tell the story of one such case we’ve encountered recently. 

During last week, we ran into what looked like a hacked adult website that redirected browser requests to a web page which served two malicious Java applets. The landing page and the Java applets were recognized as Sweet Orange Exploit kit (thanks to Kafeine):

Continue reading "Ransomware Author <3's Farm Animals " »

Posted by on 10 April 2013 at 09:10 in Java, Malware, Secure Web Gateway, Security Research | | Comments (0)

12 March 2013

Mimicking Attackers: Building Malware for CCDC

This past weekend my fellow coworkers/friends and myself had the opportunity and the privilege to partake in Michigan State’s Collegiate Cyber Defense Competition (CCDC). Specifically, we were asked to act as the ‘Red Team’, which essentially translates into making the student teams’ lives as miserable as possible. 

Awesome_dude

I have no idea who this guy is, but he's my hero.

For those that have never heard of CCDC, it is a national competition between teams of students in various colleges around the country, where students spend a day or more acting as network and security administrators of a small, fictional company. Student teams are asked to take a previously created network of systems and secure them against the threats of the world (in this case those threats come in the form of the Red Team), all the while being asked to handle the needs of the business and demands from their fictional users.

Ok, so we’re being asked to come in and hack student network essentially. I realized that persistence tends to be half the battle with these competitions. Getting in is easy, but staying on the system while students are actively looking for any hair out of place is not. About two or so weeks before the competition, I resolved to create some custom malware that our team could utilize after compromising a Windows system. This is that story.

Continue reading "Mimicking Attackers: Building Malware for CCDC" »

Posted by on 12 March 2013 at 11:26 in Contest, Malware, Tools | | Comments (2)

Fresh Coffee Served by CoolEK

As you may already know, the past few months have been problematic to Oracle when it comes to security issues discovered in the popular and notorious Java browser plugin. The latest vulnerability that has been spotted to be exploited in the wild is CVE-2013-1493.

It has already been published that CoolEK became the first exploit kit to add an exploit to CVE-2013-1493, so I won’t bother you with the details of that. What’s probably more interesting is the nature of this exploit. Most Java exploits from the past year or two used missing security checks in the Java source code in order to bypass SecurityManager – the part in Java which is responsible to make sure that unsafe code (unsigned code written by 3rd parties) won’t be able to perform certain operations which require elevated privileges. Other exploits used some type confusions or tricked the optimizer into doing the same thing. Yet, in our current case, a memory corruption bug was found which allows the attacker to entirely nullify the SecurityManager.

This is the kind of exploits which are usually found in browsers and other non-sandboxed applications, so it was a little bit of a surprise to see such techniques in Java code.

Continue reading "Fresh Coffee Served by CoolEK" »

Posted by on 12 March 2013 at 08:35 in Java, Malware, Secure Web Gateway, Security Research | | Comments (0)

06 March 2013

Kelihos is Dead… No wait… Long Live Kelihos! Again!

This post is inspired by a news article which highlighted a recent presentation at RSA. Kelihos, for those that don’t know, is a spamming botnet. For the last few years it has been around in some form or another, but its spam output has not been nearly as large as some of the other botnets we regularly talk about, like Cutwail or Lethic. 

Anyway, the article is entitled Latest Kelihos Botnet Shut Down Live at RSA Conference 2013. Wow! Cool! A Live Takedown!  “But then again”, I thought, “that would the third time this particular botnet has supposedly been taken down”.  So I went over to check our spam traps for evidence of the effect.

And here is what was found, huge amounts of stock ‘pump & dump’ spam:

KelihosSpamConsole

Ironically, in spite of this spectacular takedown (or perhaps because of it?), spam output from Kelihos has jumped upwards to spectacular levels. Below is a chart showing the Kelihos spam levels in a daily spam sample over the past three months. Clearly someone has got a whole bunch more bots from somewhere! You can see however a slight dip around 26 February – shown by the arrow – on the day of the live takedown presentation.  

KelihosSpam

So this increase is significant indeed. Today spam from Kelihos bots is making up over 50% of the total spam arriving at our spam traps. That’s a big deal. Just to make sure we weren’t confusing it with something else, we ran some recent Kelihos malware samples in our lab. Sure enough, classic Kelihos pump & dump as evidenced by this template we extracted from the set of instructions the bot received prior to spamming:

KelihosTemplate

The template matches exactly what we see in our spam traps. We won’t go into too much more here, others have recently provided some excellent insight into Kelihos; Lavasoft in particular has a very detailed analysis here.

In the past, there have been numerous much-publicized attempts to takedown Kelihos, and its predecessors, Storm and Waledac. For some reason, it always gets a lot of attention by researchers, probably because its peer-to-peer nature is both interesting, and lends itself to such interference. 

But, despite such efforts, Kelihos and its code persists. Each time it merely morphs into something else. It goes to show that botnet takedowns may be flashy, but unless you arrest the people running it, or otherwise hamstring them somehow, the chances of a long term effect are minimal. And even if you do arrest people, code persists, and can be reused by someone else.  These days, it’s also easy for botnet operators to build their bot numbers again through the use of third-party loaders, or pay-per-install programs, where the criminals simply pay someone else to load their malware onto a bunch of already compromised machines. Symantec recently blogged about this sort of relationship: Waledac Gets Cozy with Virut. In fact, we have been observing Virut loading spambots for years, here is an M86 Security blog from 2009: Virut’s Not So Obvious Motive.

So taking down botnets is not simple or easy. It’s not to say I don’t applaud such efforts. On the contrary, hamper them any way you can, I reckon. Just don’t always expect long lasting results.

Thanks to my SpiderLabs colleague Rodel Mendrez for his research and input into this blog.

Posted by on 06 March 2013 at 11:40 in Malware, Spam | | Comments (0)

Anterior »