SpiderLabs investigates a number of suspicious binary files on a daily basis. A week ago we came across a PDF file which had two different vulnerabilities, a remote-code-execution vulnerability in Adobe Reader and a new escalation-of-privileges vulnerability in Windows Kernel.
Just recently we confirmed that the new escalation-of-privileges zero day (CVE-2013-5065) has been delivered in the wild using CVE-2013-3346 as a container. Our goal in this blog post is to raise the public awareness by describing the technical details behind this recent kernel zero-day. We've tested the zero day on Windows XP and Server 2003 only.
Our team’s discovery of the spoils of yet another instance of Pony 1.9 has kept us busy the past couple of days. We’ve enjoyed explaining our discovery to journalists and trying our best to answer the questions that arise over social networks and email with each publication of a story.
A lot of those questions tend to be similar. Since we can’t possibly respond to each and every one, we thought we’d collect some information that answers the most common questions for anyone who’s interested.
In our last episode of "Look What I Found" we talked about a fairly large instance of the Pony Botnet Controller. With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9. One of the latest instances we've run into is larger than the last with stolen credentials for approximately two million compromised accounts.
We've translated our original blog post discussing Ploutus malware into Spanish because it was found to be targeting ATMs in Mexico.
A short while ago, SafenSoft informed the public about a new family of malware, known as "Ploutus", that targeted automated teller machines (ATMs) in Mexico (http://www.safensoft.com/archiv/n/774/1778). The malware was installed when "criminals obtained access to the ATMs' CD-ROM drive and inserted a new boot CD." Many ATMs use a simple lock, which is very likely the method the attackers used to gain physical access. I recently received two copies of Ploutus. In this blog post, I will present some details about the malware and explain some of the steps I took to analyze it.
A short while ago, SafenSoft reported a new family of malware, named ‘Ploutus’, that targeted a number of ATMs in Mexico (http://www.safensoft.com/archiv/n/774/1778). The malware was installed when “criminals acquired access to the ATM’s CD-ROM drive and inserted a new boot CD into it.” Many ATMs use a simple lock that is easily picked, which is likely how the attackers gained physical access to the machines. I recently acquired two copies of the Ploutus malware. In this blog post, I’ll go into some of the details of the malware and explain some of the steps I took to reverse engineer it.
We at SpiderLabs investigate many suspicious webpages on a daily basis. Occasionally we run into something that seems new and unfamiliar to us, which is generally when things become interesting.
A recent discovery of ours began just like that and ended with our identification of an Internet Explorer 8 vulnerability being actively exploited in the wild. Through collaboration with the Microsoft Security Response Center (MSRC) Team we confirmed that the new zero-day (CVE-2013-3897) has been in the wild for a month (the new CVE-2013-3897 and the previous zero-day CVE-2013-3893). The patch was just released today, and users need time to install it. So we can’t reveal the full technical analysis of this vulnerability yet, but we can share some interesting details about the attack.
Let’s, for a moment, get into the mind of a cyber criminal:
Say you have a malicious executable that steals sensitive data (credit card numbers, credentials, etc.), which you would like to execute on compromised computers. You put a lot of effort into developing the Trojan, and you want to stay under the radar as much as possible. You know that when an unsigned executable, or an executable signed by an untrusted certificate, is executed, the user is shown warnings similar to the following samples:
Every once in a while we get to peek into the lion’s den. This time we’ll be checking out a fairly large instance of the Pony botnet controller, containing a large amount of stolen credentials and other goodies.
Pony, for those of you who have not yet had the pleasure of encountering it, is a bot controller much like any other: It has a control panel, user management, logging features, a database to manage all the data and, of course, statistics. It also seems to be doing these things right, as it appears to be popping up quite a bit lately.