My Name is Hunter, Ponmocup Hunter - SANS
October 30, 2017 | Author: Anonymous | Category: N/A
Short Description
Ponmocup Hunter. SANS DFIR Three SANS ISC Diaries (new Java Exploits ITW). – Make sure you ......
Description
My Name is Hunter, Ponmocup Hunter
SANS DFIR Summit 2013 © 2013 by Tom Ueltschi
The Mission • List of Malware Network Indicators – 49 IP Adresses, 386 Domains (URL)
• Search for … – Any Connection Attempts (accessed or blocked) – From any Workstation / Endpoint – Proxy-aware / -capable or not – Over the last 3 years – Finished in 15 minutes
Possible Reactions 1. Are you crazy? Mission Impossible! 2. Why 15 minutes? It doesn‘t take that long! 3. Why over 3 years? Makes no sense! (we have Logs only for N months)
4. *speechless* 5. Anything in-between What is YOUR Reaction?
Mission Completed (1/2) • Stats from Default Gateway (non-proxy aware) – 1587 Connection Attempts – 6 Unique Workstations – 12 Distinct Destination IPs – Query took 5:46 minutes • mySQL DB not optimized for speed
Mission Completed (2/2) • Stats from Web Proxy – 1500 Connection Attempts – 619 accessed between 2010 - 2013 – 881 blocked between 2010 - 2013 – Query took 1:20 minutes
$ whoami / about.me • • • • • •
Tom Ueltschi, Security Officer @ Swiss Post / SOC 1995 – 2001: B.S. & M.S. CSE @ UTA 2001 – 2007: Software Engineer (C++ / Java) 2007 – current: IT Security (SOC, CERT, CSIRT) SANS Courses, GIAC Certs (GCIH, GWAPT, GXPN) Sharing and collaborating with public and trusted parties • Member of several trusted / closed groups of Malware & APT Intelligence sharing
Sharing, sharing, sharing • Three SANS ISC Diaries (new Java Exploits ITW) – Make sure you update that Java (2009-07-15) – Report of Java Object Serialization exploit in use in web drive-by attacks (2010-01-05) – Beware of strange web sites bearing gifts (2010-12-29)
• Mila‘s Contagio Malware Dump Blog (2010-08-02) – CVE-2009-3867 + CVE-2008-5353 JAVA low detection obfuscated malware VirusTotal: 0/42 (both)
• Sharing IOCs, maintain CIF malware feeds, helped develop ET rules, Blogger, Twitter
Agenda „Promises“ You will learn: • how the malware was discovered, what indicators were derived • how all infected hosts were identified and how remediation was done • how this malware spreads and how to defend against it • how to detect infected systems • how to find infected web servers used to spread it • what malware functionalities are known / unknown
Outline • Intro – Security Architecture (simplified) • The Incident – Sinkholing (how big the botnet?) • The Malware – Vulnerability exploited – Delivery – Indicators (HBI / NBI) – AV detection rates and names (VT) – AV vendor descriptions & analysis of Malware
• Benefits of sharing & some examples • Botnet visibility (is there a hidden Botnet?)
Intro: Security Architecture “A brief high-level overview of the security architecture will help you understand how the indicators could be found and searched for.”
Simplified Security Architecture „Logs or it didn‘t happen“ By ThreatThoughts.com (Kyle)
IDS / IPS
Mail GW + AV
Web Proxy + AV
Mailservers + AV Default GW Logs Clients ++AV Clients AV Clients Clients++AV AV
Special Capabilities on Web Proxy • Detection / Monitoring – Daily Log Aggregation • Accessed | Blocked, #Reqs, Domain, IP pDNS+ • Available since 2009 • Very useful data source • Quickly check for malicious Domains & IPs hits – Suspicious Patterns Regex list (Daily Report Mails) • URL patterns, Domains, IPs, User-Agents
Special Capabilities on Web Proxy • Prevention / Blocking – Own Malware Blacklists • URL patterns, (Sub-)Domains, IPs, Nets, User-Agents
• Implemented later (2011 – 2012) – Restrict EXE (MZ) downloads to certain Categories – Java Whitelist • Allow JRE User-Agents only to Whitelist Domains • Also blocks Java 0-Day Exploits
Quick Quiz (1st prize: Swiss Chocolate) • Who can name the Botnet / Malware first? – Botnet appeared in December 2008 – Existence discovered in May 2009 – Botnet takedown on December 23rd 2009 – Several million Bots big (~13M) – Infected >50% Fortune 1000 and >40 major Banks – Bot Malware named after flying insect ;-) – Was maybe the biggest Botnet so far (?)
Mariposa Botnet / Butterfly Bot • “Mariposa stole account information for social media sites and other online email services, usernames and passwords, banking credentials, and credit card data” • “… infiltrating an estimated 12.7 million compromised personal, corporate, government and university IP addresses in more than 190 countries” http://www.net-security.org/secworld.php?id=8962
Mariposa Botnet / Butterfly Bot • “ButterflyBot.A is specifically designed to avoid being detected. That’s why the user will not appreciate any symptom of the infection.” • „.. main purpose is to allow its creator to use the computer as a zombie, so that it can receive instructions without user’s awareness. • “… commands: download and run malware in the computer and to update the bot.“ http://www.pandasecurity.com/homeusers/security-info/217587/ButterflyBot.A
Quotes from „anonymous“
(known to me)
• “We find Ponmocup on almost every customer engagement we do.” (Feb 2013) • “We finally got around to looking at our Ponmocup incidents from last year and I can report that we saw this malware across approx half of our customers in 2012.” (May 2013)
The Incident You‘ll learn: • how the malware was discovered • what indicators were derived • how all infected hosts were identified • how remediation was done
The Incident Date: 2011-03-10 • Just another A/V event… or not – File: C:\Users\...\AppData\Local\Temp\2a97ad.exe – Detection: Generic PWS.y!cyt – Date/Time: 03/10/11 06:18:33 UTC – Client-IP: 10.6.6.6
• How many A/V events do you see each day? • Where did it come from?
The Incident • Let‘s check the proxy logs… – "[10/Mar/2011:07:18:08 +0100]" 1005 10.6.6.6 OBSERVED "none" 200 GET application/octetstream http HTTP/1.1 94.75.234.107 80 /images2/BD3506FB...F05F4CCF.swf "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" 94.75.234.107 109865 1655
• >100 KB binary file from uncategorized IP (no domain) using faked User-Agent
The Incident • What happened before and after? (17 minutes before) "[10/Mar/2011:07:01:06 +0100]" 778 OBSERVED "Travel" 302 GET text/html www.vietnamhotels.biz 80 /condaoresort/index.htm – 65.182.184.230 862 592 http://www.google.ch/search?q=con+dao+resort&meta= "[10/Mar/2011:07:01:08 +0100]" 565 OBSERVED "Search Engines/Portals" 302 GET - herocopter.com 80 /cgi-bin/r.cgi ?p=10003&i=69d21892&j=321&m=c36d1fb4044b29f72172 245d90405d59&h=www.vietnamhotels.biz&u=/condaoreso rt/index.htm&q=&t=20110310000106 85.17.132.193 409 699 http://www.google.ch/search?q=con+dao+resort&meta=
The Incident • What happened before and after? (17 minutes before) "[10/Mar/2011:07:01:16 +0100]" 5836 10.6.6.6 OBSERVED "Search Engines/Portals" 200 GET application/xmsdownload continue4.ladyofvirtuestore.com 80 /se/3da1...a047/526f1975/con_dao_resort.com "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)" 85.17.19.203 385853 767 http://www.google.ch/search?q=con+dao+resort&meta=
The Incident • What happened before and after? (23 seconds later) "[10/Mar/2011:07:18:31 +0100]" 296 10.6.6.6 OBSERVED "none" 200 POST text/html;%20charset=iso-8859-1 http HTTP/1.1 amegatech.net 80 /cgi-bin/shopping3.cgi ?a=D9971...7734 "Mozilla/5.0 (Windows; MSIE 8.0; Windows NT 6.0; en-US)" 94.75.234.98 329 1236 "[10/Mar/2011:07:18:32 +0100]" 1423 10.6.6.6 OBSERVED "none" 200 GET image/jpeg http HTTP/1.1 xyec.info 80 /images/im24j.jpg - "Mozilla/5.0 (Windows; MSIE 8.0; Windows NT 6.0; en-US)" 91.215.159.110 525963 778 "[10/Mar/2011:07:18:34 +0100]" 297 10.6.6.6 OBSERVED "none" 404 GET text/html;%20charset=iso-8859-1 http HTTP/1.1 amegatech.net 80 /cgi-bin/unshopping3.cgi ?b=C36A23...4128 "Mozilla/5.0 (Windows; MSIE 8.0; Windows NT 6.0; en-US)" 94.75.234.98 1062 1400
The Incident • What happened before and after? (23 seconds later) "[10/Mar/2011:07:18:31 +0100]“ 200 POST amegatech.net /cgi-bin/shopping3.cgi ?a=[hex] 94.75.234.98 "[10/Mar/2011:07:18:32 +0100]“ 200 GET xyec.info /images/im24j.jpg - 91.215.159.110 "[10/Mar/2011:07:18:34 +0100]“ 404 GET amegatech.net /cgi-bin/unshopping3.cgi ?b=[hex] 94.75.234.98 • Another fake UA: (compared to previous one) "Mozilla/5.0 (Windows; MSIE 8.0; Windows NT 6.0; en-US)“ "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" • JPEG (??) download > 500 KB (Content-Type: image/jpeg) • shopping3.cgi / unshopping3.cgi / hex data (encoded?)
The Incident • Malware Infection path (Infector Download) 07:01:06 07:01:06 07:01:08 07:01:16 07:01:20
302 302 302 200 403
http://www.google.ch/search?q=con+dao+resort&meta= http://www.vietnamhotels.biz/condaoresort/index.htm http://herocopter.com/cgi-bin/r.cgi?p=... http://continue4.ladyofvirtuestore.com/se/3d..75/*.com http://checkwebspeed.net/html/license_[hex-1515].html
• Initial C2 traffic, two large binary downloads 07:18:08 07:18:31 07:18:32 07:18:34
200 200 200 404
http://94.75.234.107/images2/BD35...CCF.swf (~100 KB) http://amegatech.net/cgi-bin/shopping3.cgi?a=D997... http://xyec.info/images/im24j.jpg (~500 KB) http://amegatech.net/cgi-bin/unshopping3.cgi?b=C36A...
The Incident • Searching Web Proxy and DefGW Logs with Network Indicators • Malicious Domains: (3) – continue4.ladyofvirtuestore.com (Infector download) – amegatech.net, xyec.info (C&C)
• Malicious IPs: (4) – 85.17.19.203, 94.75.234.107 – 94.75.234.98, 91.215.159.110
• Fake User-Agents: – "Mozilla/5.0 (Windows; MSIE 8.0; Windows NT 6.0; en-US)“ – "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
The Incident • Check DefGW Logs, compare to Proxy Logs… Date 10Mar2011 10Mar2011
Time 07:17:46 07:18:09
Source 10.6.6.6 10.6.6.6
Destination 94.75.234.107 94.75.234.98
[10/Mar/2011:07:18:08] 94.75.234.107 [10/Mar/2011:07:18:31] amegatech.net 94.75.234.98
• Malware first tries to connect without Proxy, then approx. 20 seconds later using Proxy
The Incident • Searching Proxy and DefGW Logs with Network Indicators Find all infected hosts • Iterative Process – Search Proxy Logs „way back“ for Domains & IPs – Search DefGW by Dst IPs find new Infections – Search DefGW by Src IPs find new C2 IPs – Search Proxy Logs for new C2 IPs Domains Repeat until no new IPs or Domains found
The Incident Dest IP const = 174.36.82.151
DLL File Timestamps
The Incident
The Incident
The Incident
The Incident • Find the Persistence
The Incident • Find the Persistence – System Information (NFO), Sysinternals Autoruns HKCU\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run Cqri = rundll32 "c:\users\user\ appdata\roaming\mssitlby.dll",kyik
• Scan for Reg Run Key with „appdata\roaming“ path using Microsoft SCCM – Disadv: HKCU available only from logged on users
The Incident • Identification done – 29 suspicious hosts, analyzed (infector download) – 6 infected hosts (C2 traffic) • Persistence verified (Reg Run Key, DLL File) • longest infection just over a year 10.03.2010 16.03.2010 13.06.2010 06.02.2011 04.03.2011 10.03.2011
10:33 11:09 20:25 19:06 10:10 07:01
75'776 75'776 69'632 61'440 118'784 131'072
ole32H.dll ** ds32gtc.dll crtdllo.dll ** ncsi9.dll HPZipm12L.dll ** mssitlby.dll
The Incident • Prepare Remediation – Create memory dumps, order HD to analyze – Add to blacklist on web proxy • All known Malware and C2 Domains & IPs • All known C2 URL patterns • Fake User-Agents (regex)
• Remediation strategy – Activate all blacklists at once – Order re-install of all infected workstations – Workstations remain on company network
The Incident • Add to blacklist on web proxy – All known Malware and C2 Domains & IPs marksandco.net intermediacorp.org rapidstream.biz inetspeedup.com amegatech.net omniwebpro.org
95.211.8.196 94.75.201.35 94.75.201.36 85.17.139.238 85.17.139.239 85.17.188.195
The Incident • Add to blacklist on web proxy – All known C2 URL patterns and User-Agent regex /r.cgi\?p= /images2/[A-F0-9]*\.swf /shopping3.cgi /unshopping3.cgi /rokfeller3.cgi MSIE.[78]\.0;.Windows.NT.6\.0;.en.US
Targeted or not? Could this be… Targeted Attack? APT? Untargeted crimeware?
Sinkholing C&C Domains • Shared list of C2 Domains with abuse.ch • Sinkholing (* 5 domains) started 2011-03-31 * rapidstream.biz * mastertraffic.org * marksandco.net * inetspeedup.com * intermediacorp.org amegatech.net omniwebpro.org
Sinkholing C&C Domains http://www.abuse.ch/?p=3294 / How Big is Big? Some Botnet Statistics
Sinkholing C&C Domains http://www.abuse.ch/?p=3294 / How Big is Big? Some Botnet Statistics
Sinkholing C&C Domains Anonymized Stats from 130 ASN in Switzerland Major ISPs 4156, 1371, 860, 264 IPs Swiss EDU Net 78 IPs Swiss Gov Org’s (national, state) Some major Companies from: Finance, Pharma, Media, Energy Appears to be untargeted, but hitting major companies and org’s at least as much as home users
Are you vulnerable? There needs to be a combination of two different vulnerabilities
Vuln 1: Humans using Computer Managing CVE-0: https://isc.sans.edu/diary/Managing+CVE-0/10933
What is Social Engineering? No idea!
Picture source: http://www.guardian.co.uk/technology/2011/apr/30/computers-v-humans-loebner-artificial-intelligence
Vuln 2: Permit EXE & ZIP downloads
Vuln 2: Permit EXE & ZIP downloads
The Malware You‘ll learn: • how this malware spreads and how to defend against it • how to detect infected systems (host & network indicators) • how to find infected web servers used to spread it • what malware functionalities are known and currently still unknown
Infection Vector / Delivery • how the malware spreads
Google: are you searching for this EXE?
Google: are you searching for this EXE?
Google: are you searching for this EXE?
Google: are you searching for this EXE?
Infection Vector / Delivery • No exploits used – What do your IDS / IPS detect?
• Plain malware EXE or inside ZIP file served – Restrict EXE or ZIP file downloads?
• Exploit the Human Vulnerability – simplest Social Engineering – Searching for XYZ file served with XYZ
Infection Vector / Delivery • Different redirection patterns used over time – „/cgi-bin/r.cgi?p=“ ET snort rule (2013181) – „/url?sa=X&source=web&…“ (~= Google redir) – More randomized patterns (samples Oct-Dec 2012)
• Ponmocup, lots changed, but not all (March 8, 2012) http://c-apt-ure.blogspot.com/2012/03/ ponmocup-lots-changed-but-not-all.html
• URL samples from January to March 2012 http://security-research.dyndns.org/pub/botnet/ponmocup/ Ponmocup-Domains_2012-03-08.htm
Infection Vector / Delivery • Redirection through infected .htaccess file – Ponmocup, lots changed, but not all (March 8, 2012) http://c-apt-ure.blogspot.com/2012/03/ ponmocup-lots-changed-but-not-all.html
Now let's take another look at the first step of infection, the redirection URLs from the infected ".htaccess" file on a hacked webserver. I believe the .htaccess files are manipulated using stolen (FTP or other) logins to these webservers. I got hold of such a .htaccess file and located the malicious "code". The 33 lines of code are well hidden in the middle of the over 3,000 lines long file, which is really hard to find ;-) (end of sarcasm)
Symantec Blog (July 2012) http://www.symantec.com/connect/blogs/trojanmilicenso-infection-through-htaccess-redirection
Symantec Blog (July 2012) http://www.symantec.com/connect/blogs/trojanmilicenso-infection-through-htaccess-redirection
Symantec Blog (July 2012) “… very carefully crafted in order to prevent exposure of infection by […] researchers.” Redirect only if all checks successful: 1. It is the first time that the website has been visited (no Coockie sent) 2. The website is visited by clicking on a link in search engine results, SNS, or email 3. The threat is running on the Windows platform 4. A popular web browser is being used
Infection Vector / Delivery • how the malware spreads • how to find infected web servers used to spread it
Introducing Ponmocup Finder http://c-apt-ure.blogspot.com/2012/06/introducing-ponmocup-finder.html
Introducing Ponmocup Finder • Single HTTP GET request using WGET – to each suspicious domain – using Google URL in referrer header – using common IE User-Agent – ignore „Set-Cookie“
• Check for 1st redirection Location-header with suspicious domain as parameter – very few false positives (try to detect)
Introducing Ponmocup Finder http://c-apt-ure.blogspot.com/2012/06/introducing-ponmocup-finder.html
Tweeting about Ponmocup Finder
Tweeting about Ponmocup Finder
Delivery || Dropped Malware • how the malware spreads • and how to defend against it • how to detect infected systems (host & network indicators)
How to Prevent & Detect Infections • Prevention: block Malware IP-ranges (redir.) – 178.211.33.202 – .206 or .0/24 – 31.210.96.155 – .158 or .0/24 – 81.92.219.60 – .62 or .0/24 – Occasionally new IPs (+/-1) and rarer new nets
• Blocking domains useless, change quickly • Complete list of Malware domains & IPs – http://security-research.dyndns.org/pub/ malware-feeds/ponmocup_all-domains-ips.txt
How to Prevent & Detect Infections • Detection: Network-based Indicators – Check logs for known Domains & IPs (few ex.) – DNS Lookups for Domains: intohave.com / fasternation.net – Connections to IP: 88.216.164.117 / 5.199.175.164 93.115.88.220
• Detection: Host-based Indicators – Check Registry Keys from Ponmocup IOC – Check Persistence using Rundll32 (suspicious)
Mandiant Forums Thread (2011-11-15) https://forums.mandiant.com/topic/ioc-request-for-ponmocup-malware-botnet
Created Ponmocup IOC (2012-04-06) http://ioc.forensicartifacts.com/2012/04/ponmocup-2/
Created Ponmocup IOC http://ioc.forensicartifacts.com/2012/04/ponmocup-2/
Testing Ponmocup IOC with IOC-Finder
Testing Ponmocup IOC with IOC-Finder
Testing Ponmocup IOC with IOC-Finder
The Malware You‘ll learn: • how this malware spreads and how to defend against it • how to detect infected systems (host & network indicators) • how to find infected web servers used to spread it • what malware functionalities are known and currently still unknown
Anti-Virus Detections Analyze 3 DLL samples from own infected systems Detection names and rates
AV Detections of DLL samples http://www9.dyndns-server.com:8080/pub/botnet-links.html
Malware samples The following 3 DLL samples were extracted from infected hosts: (Disk Forensics) ced3103e366d2eeac145639b080b3426 HPZipm12L.dll (VT 8 / 43 40 / 46)
dfe859eda8d9ed88863896ac233b17a9 crtdllo.dll (VT 14 / 42 24 / 34) 04366dfaa4a7d32066fa6dcda14c9e94 ole32H.dll (VT 12 / 42 34 / 46)
AV Detections of DLL samples Detections for „Vundo“ of 3 DLL Samples (28)
3 3 3 3 2 2 2 2
ClamAV McAfee Microsoft TotalDefense BitDefender Emsisoft Gdata McAfee-GW-Ed
1 1 1 1 1 1 1 1
AntiVir F-Secure MicroWorld-eScan nProtect PCTools Symantec TrendMicro TrendMicro-HC
AV Detections of DLL samples Detections for „Monder“ 1 Antiy-AVL 1 Fortinet 1 Ikarus 1 NANO-Antivirus 1 nProtect
(5)
Detections for „Virtumonde“ 3 Commtouch 3 F-Prot 1 VIPRE
(7)
AV Detections of DLL samples Detections for „Kryptik“ 3 ESET-NOD32 2 Fortinet 2 Norman 2 VIPRE 1 TheHacker 1 Agnitum
Detections for „Pirminay“ 2 Ikarus Detections for „Ponmocup“ (none)
(11)
Monder [Ikarus] Virtum (Gen) Vundo (Gen) Monder (Gen) Virtumonde (Adw) Mal/Generic Packed.Generic Adware.*
Ponmocup Malware VT check
Ponmocup Malware VT check
Ponmocup Malware VT check
Ponmocup Malware VT check
Ponmocup Malware VT check MD5: 584fe856bb348e0089f7b59ec31881a5 google_born_help.exe 2 / 42 2012-10-05 Kryptik MD5: 636a985d6e14c27ffc4fe6393ec96208 goog1e_hotel_mariina.exe 2 / 44 2012-11-10 Pirminay MD5: 43953a6cbeaa3dc0b5cddf0af12b4b80 plugin__mehdi_andynews__setup.exe 0 / 47 2013-05-21 27 / 47 2013-06-04 3x Vundo, 3x Pirminay, Ponmocup, Virtumonde
More about the Malware Malware OSINT research Meaningful or useless/stupid?
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocupanalysis_2012-02-18.html
Why is this malware known under so many different names? (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.) Why aren't AV companies connecting the dots? Using one common indicator, the existence or creation of a registry key, namely HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ INTERNET SETTINGS\6
and/or HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ INTERNET SETTINGS\6
I've been finding malware analysis reports from different AV's and online malware analysis sites.
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocupanalysis_2012-02-18.html
Here are some Google search queries to find more analysis reports: site:xml.ssdsandbox.net "SOFTWARE\UOSBEU" site:mcafee.com "SOFTWARE\XFFNHFHAM" site:threatexpert.com "SOFTWARE\qrjaslop" site:sophos.com "SOFTWARE\zpppmcegc2 site:trendmicro.com "SOFTWARE\GHUZPSK" site:greatis.com "SOFTWARE\qbyyjp"
(4'220 hits) (3'480 hits) (227 hits) (59 hits) (24 hits) (6 hits)
Some AV's don't include the SOFTWARE registry key, but a well known initial C&C request: site:securelist.com "gehut4.cn/update/utu.dat“ (354 hits) site:camas.comodo.com imagehut4.cn (28 hits)
What’s in an A/V name? 1 1 1 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 2
Mal/Ponmocup-A Mal/Ponmocup-B Mal/Ponmocup-C Troj/Agent-AAEV Troj/Agent-AAOT Troj/Agent-ABAZ Troj/Agent-ABGO Troj/Agent-ABHU Troj/Agent-ABMF Troj/Agent-ABRV Troj/Agent-MSB Troj/Agent-PRC Troj/Agent-QTH Troj/Agent-QTM Troj/Agent-RML Troj/Agent-RQQ Troj/Agent-TOS Troj/Agent-UCY Troj/Agent-ULW Troj/Agent-VMY Troj/Agent-XUX
2 2 2 2 2 2 2 2 2 1 2 1 1 1 1 1 2 2 2 1 2
Troj/Agent-XXY Troj/Agent-YAC Troj/Agent-YDY Troj/Agent-YOJ Troj/Agent-YSA Troj/Agent-ZEY Troj/Agent-ZIK Troj/Agent-ZIW Troj/Agent-ZJT Troj/Agent-ZTN Troj/Agent-ZZX Troj/DwnLdr-ISR Troj/DwnLdr-ITH Troj/DwnLdr-IXA Troj/DwnLdr-IYO Troj/DwnLdr-KGA Troj/DwnLdr-KIL Troj/DwnLdr-KJC Troj/Inject-AJC Troj/Inject-VY Troj/Kasky-A
2 1 1 1 2 2 2 2 2 2 2 2 1 1 2 2 1 1 2 2
Troj/Luiha-BE Troj/Mdrop-CLC Troj/Mdrop-DXG Troj/Mdrop-EJV Troj/Mdrop-EMJ Troj/Mdrop-ERQ Troj/Mdrop-ETB Troj/Mdrop-FAZ Troj/Meredr-C Troj/Pirminay-C Troj/Pirminay-D Troj/Pirminay-E Troj/Ponmo-A Troj/RENOS-ET Troj/Sisron-J Troj/Smad-A Troj/Swisyn-AN Troj/Swisyn-AQ Troj/Vundo-AV Troj/Zbot-DIQ
What’s in an A/V name? 3 3 1 2 1 10 10 52 62
Mal/Ponmocup Troj/Pirminay Troj/Ponmo Troj/Swisyn Troj/Vundo
Known Aliases Others 10 = 16%
.
29 7 2 1 1 7 1 1 1 1 1
Troj/Agent Troj/DwnLdr Troj/Inject Troj/Kasky Troj/Luiha Troj/Mdrop Troj/Meredr Troj/RENOS Troj/Sisron Troj/Smad Troj/Zbot
Let’s look at some more samples Get Samples (VT reports) from VirusShare.com Kryptik Vundo Virtum Swisyn Monder Pirminay Ponmocup Milicenso
772,675 129,613 84,966 53,061 34,075 8,135 3,460 94
Total: 898,698
Subset matching >= 4 Detections 29,168
Let’s look at some more samples VT Detections for “Vundo” 28771 19882 16346 16319 15714 15122 14743 13216 12094 11766 11125 10772 8544 8162 7620
Microsoft McAfee BitDefender GData F-Secure AntiVir McAfee-GW-Edition Emsisoft TrendMicro Ikarus TotalDefense TrendMicro-HouseCall CAT-QuickHeal VIPRE nProtect
98.6% 68.2% 56.0% 55.9% 53.9% 51.8% 50.5% 45.3% 41.5% 40.3% 38.1% 36.9% 29.3% 28.0% 26.1%
Let’s look at some more samples VT Detections for “Virtum*” (Virtumond[eo]) 24745 22645 22177 9302 5418 4439 3621 2786 2733 2172 1011 943 900 881
F-Prot Commtouch Sophos DrWeb VIPRE Norman Ikarus AhnLab-V3 Panda Authentium Fortinet VBA32 NOD32 a-squared
84.8% 77.6% 76.0% 31.9% 18.6% 15.2% 12.4% 9.6% 9.4% 7.4% 3.5% 3.2% 3.1% 3.0%
Let’s look at some more samples VT Detections for “Virtumond*” [eo] 24745 22645 4564 4439 3619 2785 2733 2172 900 881 875 869 869
F-Prot Commtouch VIPRE Norman Ikarus AhnLab-V3 Panda Authentium NOD32 a-squared CAT-QuickHeal VBA32 Kaspersky
84.8% 77.6% 15.6% 15.2% 12.4% 9.5% 9.4% 7.4% 3.1% 3.0% 3.0% 3.0% 3.0%
Let’s look at some more samples VT Detections for “Kryptik” 14751 11667 9084 7650 5887 5153 4153 3484 2295 797 781 729 439
NOD32 ESET-NOD32 Fortinet VIPRE TheHacker Comodo Norman VirusBuster Agnitum Rising NOD32Beta SUPERAntiSpyware Avast
50.6% 40.0% 31.1% 26.2% 20.2% 17.7% 14.2% 11.9% 7.9% 2.7% 2.7% 2.5% 1.5%
Let’s look at some more samples VT Detections for “Monder” 4890 3867 3734 2414 2411 2334 2078 1780 1660 1631 1492 1398 1327
Kaspersky AhnLab-V3 Jiangmin nProtect VBA32 Antiy-AVL TheHacker ViRobot Norman Ikarus CAT-QuickHeal Fortinet NANO-Antivirus
16.8% 13.3% 12.8% 8.3% 8.3% 8.0% 7.1% 6.1% 5.7% 5.6% 5.1% 4.8% 4.5%
Let’s look at some more samples VT Detections for “Swisyn” 44 40 28 7 4 4 3 2 2 2
AhnLab-V3 TotalDefense eTrust-Vet VBA32 Panda Norman Kaspersky SUPERAntiSpyware Sophos Fortinet
0.2% 0.1% 0.1% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%
Let’s look at some more samples VT Detections for “Milicenso” 63 61 3 3
Symantec PCTools eSafe AhnLab-V3 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%
0.2% 0.2% 0.0% 0.0%
Another Incident Printer Bomb
Printer Bomb/Troj Milicenso (2012-06-21) http://www.symantec.com/connect/blogs/trojanmilicenso-paper-salesman-s-dream-come-true
Printer Bomb/Troj Milicenso http://www.symantec.com/connect/blogs/trojanmilicenso-paper-salesman-s-dream-come-true
Printer Bomb/Troj Milicenso http://www.symantec.com/connect/blogs/trojanmilicenso-paper-salesman-s-dream-come-true
Printer Bomb/Troj Milicenso http://www.symantec.com/connect/blogs/trojanmilicenso-paper-salesman-s-dream-come-true
Printer Bomb/Troj Milicenso The Trojan Milicenso • creates and executes a dropper • dropper creates a DLL file • dropper executable deletes itself • main body of the dropped DLL is heavily encrypted • the decryption key itself is encrypted • key is unique on each infected computer
Printer Bomb/Troj Milicenso • Detects presence of a sandbox or VM • instead of ceasing all activity, contacts sites, downloads Adware.Eorezo “… seems that it is using the adware as a decoy to distract attention from itself, thereby attempting to avoid malware analysis as this would categorize it as low risk and be dismissed.”
Printer Server gone wild (2012-06-08) http://www.symantec.com/connect/forums/print-server-gone-wild
• What is it doing? • Its downloading two types of files: – Payload -- Adware.Eorezo and Trojan.Milicenso – JPEGs -- used steganographically to provide commands to the payload
Printer Server gone wild http://www.symantec.com/connect/forums/print-server-gone-wild
• Why is it taking so long to create "complete" detection? • Each component of this threat is highly encrypted. The key for that encryption is different for each computer because it is based on - VolumeSerialNumber of the system volume. - Creation time of "c:\windows\system32" and "c:\System Volume Information“ • This means that each individual machine will have a series of files that are unique at the byte level.
Printer Bomb/Troj Milicenso (2012-07-02) http://www.symantec.com/connect/blogs/printer-madness-w32printlove-video
Printer Bomb/Troj Milicenso http://www.symantec.com/connect/blogs/printer-madness-w32printlove-video
Printer Bomb/Troj Milicenso http://www.symantec.com/connect/blogs/printer-madness-w32printlove-video
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx? Name=TrojanDropper%3AWin32%2FVundo.R
Downloads arbitrary files TrojanDropper:Win32/Vundo.R connects to a remote server to download a DLL (dynamic link library) file into the following location: \.dll (for example, wmsdmodo.dll) - detected as Trojan:Win32/Vundo.gen!AV We have observed TrojanDropper:Win32/Vundo.R contacting the following servers in the wild: • •
somethingclosely.com repliedstreets.com
The DLL, detected as Trojan:Win32/Vundo.gen!AV, is used to decrypt the payload data, which was placed on your computer during the installation of TrojanDropper:Win32/Vundo.R. It creates the following registry key to store the encrypted data that, when decrypted, is detected as Trojan:Win32/Vundo.QB:
In subkey: HKLM\Software\ (for example, OAVALSGS) Sets value: "" (for example, abcmhecs) With data:
Botnet Visibility (hidden == true?) A botnet of this size certainly must be on the radar, or not?
…
…
Kindsight Security Labs Malware Report
• Downloader.Ponmocup.A 2012 Q1
Q2
Q3
Q4
Top 20 Home Network infections 11 19 20 -- Top 20 High Threat Level Threats 4 13 11 ---
Passive DNS for some C&C Domains
Benefits of Sharing • Examples of sharing Threat Intel • How others benefit from it
Started sharing in public Overview: c-APT-ure.blogspot.com posts and other public infos • • • • • • • •
2012-06-03: "Introducing Ponmocup-Finder“ 2012-04-27: "Hunting Ponmocup Botnet“ 2012-04-13: Storify "A/V failed for Ponmocup malware!?“ 2012-04-08: IOC.ForensicArtifacts.com "Ponmocup IOC released“ 2012-03-08: "Ponmocup, lots changed, but not all“ 2012-02-20: "Why so many diff A/V detections?“ 2012-02-18: "Not APT, but nasty malware (Ponmocup botnet)“ 2011-11-15: Mandiant forum "IOC request for Ponmocup malware (botnet)“ • 2011-05-30: "Collection of links related to the Ponmocup botnet"
Started sharing in public http://www9.dyndns-server.com:8080/pub/botnet-links.html
Sharing C&C traffic details C&C traffic details / URL-patterns /cgi-bin/r.cgi?p=...&h=%{HTTP_HOST}&u= %{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME} /se/...[long hex string].../...[7-8 char hex string].../.com
After executing the downloaded .COM-file infector: /html/license_...[long hex string].html /images2/...[long hex string].swf /cgi-bin/shopping3.cgi?a=[long hex string] /cgi-bin/unshopping3.cgi?b=[long hex str] /cgi-bin/rokfeller3.cgi?v=11 (with long hex string in POST body)
C&C patterns devel ET Snort rules Snort EmergingThreat Rules
http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=Ponmocup
[pre infection] ET CURRENT_EVENTS Ponmocup Redirection from infected Website to TrojanDownloader"; content:"/cgi-bin/r.cgi" ET TROJAN Possible Ponmocup Driveby Download"; pcre:"/\/se\/[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com/Ui"
[post infection] ET CURRENT_EVENTS Ponmocup C2 Post-infection Checkin"; pcre:"/\/html\/license_[0-9A-F]{550,}\.html/Ui" ET CURRENT_EVENTS Ponmocup C2 Sending Data to Controller 1"; pcre:"/^\/images2\/[0-9a-fA-F]{500,}/U" ET CURRENT_EVENTS Ponmocup C2 Sending Data to Controller 2"; uricontent:"/cgi-bin/rokfeller3.cgi?v=11" ET CURRENT_EVENTS Ponmocup C2 Malware Update before fake JPEG download"; uricontent:"/cgi-bin/shopping3.cgi?a=" ET CURRENT_EVENTS Ponmocup C2 Malware Update after fake JPEG download"; uricontent:"/cgi-bin/unshopping3.cgi?b=„ ET USER_AGENTS Spoofed MSIE 7 User-Agent Likely Ponmocup" ET USER_AGENTS Spoofed MSIE 8 User-Agent Likely Ponmocup"
Benefits of sharing
Benefits of sharing
Ponmocup Blog Post http://c-apt-ure.blogspot.com/2012/03/ponmocup-lots-changed-but-not-all.html
Ponmocup Blog Post http://c-apt-ure.blogspot.com/2012/03/ponmocup-lots-changed-but-not-all.html
Saito_Waru March 29, 2012 at 8:03 AM you sir are a life saver. We have been having some trouble with our webpage redirecting to some malware sites for a couple of months and we couldn’t find where the problem was. Until I found this article, thank you so much. TomU March 29, 2012 at 8:56 AM Thank you Saito Waru for kind comment :)
Printer Bomb/Troj Milicenso SANS Advisory-Board Mailing List
Printer Bomb/Troj Milicenso SANS Advisory-Board Mailing List
Printer Bomb/Troj Milicenso SANS Advisory-Board Mailing List
Printer Bomb/Troj Milicenso https://isc.sans.edu/diary/Print+bomb/13405
Printer Bomb/Troj Milicenso https://isc.sans.edu/diary/Print+bomb/13405
Printer Bomb/Troj Milicenso https://isc.sans.edu/diary/Print+bomb/13405
Not all is done… yet • There’s a botnet out there • Who knows how big it is? • Now what to do about it…?
Latest Sinkholing C&C Domains • Sinkholing started on 2013-05-13 • Four expired C&C domains were sinkholed Thanks to “anonymous” for initiative
• • • •
After 1 day 337 IPs After 1 week 1646 IPs Infections happened likely a long time ago Maybe bots were not under botmaster control anymore
Ponmocup Botnet working group https://groups.google.com/group/ponmocup-botnet-working-group
Call to action / Join me, anyone? Created “Ponmocup Botnet working group” • Some Ideas (just a few) Malware Reverse Engineering Confirm “anti-sinkholing” IP = funct(DNS) Find new C&C domains, IPs, URL patterns Sinkhole more (active, current) C&C domains Add IOC reg-key to MS AV detection (MSRT?) More to come...
Please join if you’re interested
Thanks goes to… For contributions & collaborations • J-Michael from VirusShare.com • Roman from abuse.ch & Re2 for feedback • Everyone who gave permission to mention their names or share content • All members from closed groups / lists who helped me and contributed in one way or another • DNSDB @ ISC, Umbrella Security Labs (Sgraph) for free accounts
Questions ?
???
Malware feeds / links (Demo) Introducing Ponmocup-Finder Ponmocup-Finder has evolved into a little "workflow" :-) • add new infected domains to the list • daily cronjob to run Ponmocup-Finder • latest Ponmocup-Finder script • list of currently infected webservers • history of all previously infected webservers • notification lists for CH / LI and DE domains
Malware CIF feeds (Demo) For malicious domains and IPs you can download my malware feeds (also using CIF) here: http://security-research.dyndns.org/pub/malwarefeeds/ponmocup-botnet-domains.txt http://security-research.dyndns.org/pub/malwarefeeds/ponmocup-botnet-ips.txt http://security-research.dyndns.org/pub/malwarefeeds/ponmocup-malware-domains.txt http://security-research.dyndns.org/pub/malwarefeeds/ponmocup-malware-ips.txt http://security-research.dyndns.org/pub/malwarefeeds/ponmocup-infected-domains-CIF-latest.txt
View more...
Comments
