The Citadel and Gameover Campaigns of 5CB682C10440B2EBAF9F28C1FE438468

As the infosec community waits for the researchers involved to present their Zeus Gameover take down spoils at the next big conference; ASERT wanted to profile a threat actor that uses both Citadel, “a particularly sophisticated and destructive botnet”, and Gameover, “one of the most sophisticated computer viruses in operation today”, to steal banking credentials.

Citadel Campaign

When a threat actor decides that they would like to start a Citadel campaign they: buy the builder software, build the malware, distribute [...]

Read More

Snort rules for Etumbot

Since publication of the Etumbot blog on Friday, June 6th, we’ve received numerous requests to publish Snort rules for the network indicators described therein. You can find Snort rules for the Etumbot C&C communications on Arbor’s github at

https://github.com/arbor/snort/blob/master/etumbot.rules

While we are not Snort syntax experts, we have performed basic testing for the Etumbot communications we’ve been able to observe over the wire. Specifically, the first three Snort rules for Etumbot RC4 Key Request, Etumbot Registration Request, and EtumBot [...]

Read More

Illuminating The Etumbot APT Backdoor

The Arbor Security Engineering Response Team (ASERT) has released a research paper concerning the Etumbot malware.

Etumbot is a backdoor used in targeted attacks since at least March 2011. Indicators suggest that Etumbot is associated with the Numbered Panda group, also known as IXEHSE, DynCalc, and APT12.  Although previous research has covered related malware, little has been publicly discussed regarding Etumbot’s capabilities.

Indicators suggest that the Etumbot dropper is delivered via spear phishing and is contained inside an [...]

Read More

The Best Of Both Worlds – Soraya

By Matt Bing & Dave Loftus

Arbor Networks’ ASERT has recently discovered a new malware family that combines several techniques to steal payment card information. Dubbed Soraya, meaning “rich,” this malware uses memory scraping techniques similar to those found in Dexter to target point-of-sale terminals. Soraya also intercepts form data sent from web browsers, similar to the Zeus family of malware. Neither of these two techniques are new, but we have not seen them used together in the same piece of [...]

Read More

Into the Light of Day: Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns

Point of Sale systems that process debit and credit cards are still being attacked with an increasing variety of malware. Over the last several years PoS attack campaigns have evolved from opportunistic attacks involving crude theft of card data with no centralized Command & Control, through memory scraping PoS botnets with centralized C&C and most recently to highly targeted attacks that require a substantial amount of lateral movement and custom malware created to blend in with the target organization.

While [...]

Read More

Trojan.Eclipse — A Bad Moon Rising?

ASERT’s malware collection and processing system has automatic heuristics that bubble up potentially new and interesting DDoS malware samples into a “for human analysis” queue. A recent member of this queue was Trojan.Eclipse and this post is my analysis of the malware and its associated campaigns.

Analysis was performed on the sample with an MD5 of 0cdd10cd3393d3fe916a55b946c10ad6.

The name Eclipse comes from two places: a mutex named “eclipseddos” and a hardcoded Cookie value used in the command and control (C2) phone home. [...]

Read More

The Heartburn Over Heartbleed: OpenSSL Memory Leak Burns Slowly

Marc Eisenbarth, Alison Goodrich, Roland Dobbins, Curt Wilson

Background
A very serious vulnerability present in OpenSSL 1.0.1 for two years has been disclosed (CVE-2014-0160). This “Heartbleed” vulnerability allows an attacker to reveal up to 64kb of memory to a connected client or server. This buffer-over-read vulnerability can be used in rapid succession to exfiltration larger sections of memory, potentially exposing private keys, usernames and passwords, cookies, session tokens, email, or any other data that resides in the affected memory region. This flaw [...]

Read More

Introducing test-IPv6.arbor.net

I’ve always found sites which test IPv6 connectivity interesting.  In 2005, I implemented the ipv6calc cgi software as part of a server-side include that reported which IPv4 or IPv6 address the visitor was using to visit the Web site.  At that time, the number of IPv6-enabled visitors to the site per month averaged in single digits.

As mentioned in another posting (you can read it here), the “test-ipv6” software is available open-source.  I’ve implemented a mirror of this site at http://test-ipv6.arbor.net [...]

Read More

State of IPv6: Web Sites Now Offer Easy IPv6 Connectivity Tests

There is a certain level of skill to creating an IPv6-capable network. There is even more skill to creating an IPv6-capable network correctly. To help confirm an IPv6-capable network has been configured correctly and that “upstream” IPv6 connectivity is correct, there are several Web sites which offer basic insights into the quality of IPv6 connectivity.

Such sites have been around in one form or another since at least 2000. The most famous early “test” Web site was perhaps “www.kame.net” – if [...]

Read More

Global Attack Intelligence Integrated into Local Protection

Arbor Networks has built a massive, global intelligence network centered around ATLAS, a unique collaboration with nearly 300 service provider customers who have agreed to share anonymous traffic data with Arbor. This massive traffic data set, totaling 80Tbps, is combined with information from a global honeypot network of sensors in dark IP address space as well as strategic partnerships, such as the Red Sky Alliance.

Arbor’s Security Engineering & Response Team (ASERT) is one of the largest dedicated research organizations in [...]

Read More