MindshaRE: Statically Extracting Malware C2s Using Capstone Engine

It’s been far too long since the last MindshaRE post, so I decided to share a technique I’ve been playing around with to pull C2 and other configuration information out of malware that does not store all of its configuration information in a set structure or in the resource section (for a nice set of publicly available decoders check out KevTheHermit’s RATDecoders repository on GitHub). Being able to statically extract this information becomes important in the event that [...]

Read More

FCC advised on Remediation of Server-based DDoS Attacks

Yesterday, the Communications Security, Reliability and Interoperability Council (CSRIC), a federal advisory committee to the Federal Communications Commission (FCC), submitted its final report on Remediation of Server-based DDoS Attacks.

The CSRIC’s Working Group 5 was tasked with developing recommendations for communications providers to enable them to mitigate the impact of high volume DDoS attacks launched from large data center and hosting environments.

The final report includes a comprehensive look at the DDoS threat landscape, covering everything from the massive size [...]

Read More

Let’s Talk About NewPosThings

by Dennis Schwarz and Dave Loftus

NewPosThings is a point of sale (PoS) malware family that ASERT has been tracking for a few weeks. It operates similarly to other PoS malware by memory scraping processes looking for credit card track data and then exfiltrating the spoils to a command and control (C2) server. Based on compilation times, it has been in active development since at least October 20, 2013—with the latest timestamp being August 12, 2014. Since we haven’t come across [...]

Read More

IPv4 Is Not Enough

Last week in Chicago, at the annual SIGCOMM flagship research conference on networking, Arbor collaborators presented some exciting developments in the ongoing story of IPv6 roll out.  This joint work (full paper here) between Arbor Networks, the University of Michigan, the International Computer Science Institute, Verisign Labs, and the University of Illinois highlighted how both the pace and nature of IPv6 adoption has made a pretty dramatic shift in just the last couple of years. This study is a thorough, well-researched, effective analysis and [...]

Read More

Five Sinkholes of newGOZ

By Dennis Schwarz and Dave Loftus

It has been a few weeks since news broke of the Zeus Gameover variant known as newGOZ. As has been reported, the major change in this version is the removal of the P2P command and control (C2) component in favor of a new domain generation algorithm (DGA).

The DGA uses the current date and a randomly selected starting seed to create a domain name. If the domain doesn’t pan out, the seed is incremented and the [...]

Read More

DDoS and Geopolitics – Attack analysis in the context of the Israeli-Hamas conflict

Since its inception, the ASERT team has been looking into politically motivated DDoS events [1] and continues to do so as the relationship between geopolitics and the threat landscape evolves [2]. In 2013, ASERT published three situational threat briefs related to unrest in Syria [3] and Thailand [4] and threat activity associated with the G20 summit [5].  Recently, other security research teams, security vendors and news agencies have posited connections between “cyber” and geopolitical conflicts in Iraq [6], Iran [7], [...]

Read More

The Citadel and Gameover Campaigns of 5CB682C10440B2EBAF9F28C1FE438468

As the infosec community waits for the researchers involved to present their Zeus Gameover take down spoils at the next big conference; ASERT wanted to profile a threat actor that uses both Citadel, “a particularly sophisticated and destructive botnet”, and Gameover, “one of the most sophisticated computer viruses in operation today”, to steal banking credentials.

Citadel Campaign

When a threat actor decides that they would like to start a Citadel campaign they: buy the builder software, build the malware, distribute [...]

Read More

Snort rules for Etumbot

Since publication of the Etumbot blog on Friday, June 6th, we’ve received numerous requests to publish Snort rules for the network indicators described therein. You can find Snort rules for the Etumbot C&C communications on Arbor’s github at

https://github.com/arbor/snort/blob/master/etumbot.rules

While we are not Snort syntax experts, we have performed basic testing for the Etumbot communications we’ve been able to observe over the wire. Specifically, the first three Snort rules for Etumbot RC4 Key Request, Etumbot Registration Request, and EtumBot [...]

Read More

Illuminating The Etumbot APT Backdoor

The Arbor Security Engineering Response Team (ASERT) has released a research paper concerning the Etumbot malware.

Etumbot is a backdoor used in targeted attacks since at least March 2011. Indicators suggest that Etumbot is associated with the Numbered Panda group, also known as IXEHSE, DynCalc, and APT12.  Although previous research has covered related malware, little has been publicly discussed regarding Etumbot’s capabilities.

Indicators suggest that the Etumbot dropper is delivered via spear phishing and is contained inside an [...]

Read More

The Best Of Both Worlds – Soraya

By Matt Bing & Dave Loftus

Arbor Networks’ ASERT has recently discovered a new malware family that combines several techniques to steal payment card information. Dubbed Soraya, meaning “rich,” this malware uses memory scraping techniques similar to those found in Dexter to target point-of-sale terminals. Soraya also intercepts form data sent from web browsers, similar to the Zeus family of malware. Neither of these two techniques are new, but we have not seen them used together in the same piece of [...]

Read More