ASERT’s malware collection and processing system has automatic heuristics that bubble up potentially new and interesting DDoS malware samples into a “for human analysis” queue. A recent member of this queue was Trojan.Eclipse and this post is my analysis of the malware and its associated campaigns.
Analysis was performed on the sample with an MD5 of 0cdd10cd3393d3fe916a55b946c10ad6.
The name Eclipse comes from two places: a mutex named “eclipseddos” and a hardcoded Cookie value used in the command and control (C2) phone home. [...]
Marc Eisenbarth, Alison Goodrich, Roland Dobbins, Curt Wilson
A very serious vulnerability present in OpenSSL 1.0.1 for two years has been disclosed (CVE-2014-0160). This “Heartbleed” vulnerability allows an attacker to reveal up to 64kb of memory to a connected client or server. This buffer over-read vulnerability can be used in rapid succession to exfiltrate larger sections of memory, potentially exposing private keys, usernames and passwords, cookies, session tokens, email, or any other data that resides in the affected memory region. This flaw [...]
I’ve always found sites which test IPv6 connectivity interesting. In 2005, I implemented the ipv6calc cgi software as part of a server-side include that reported which IPv4 or IPv6 address the visitor was using to visit the Web site. At that time, the number of IPv6-enabled visitors to the site per month averaged in single digits.
As mentioned in another posting (you can read it here), the “test-ipv6” software is available open-source. I’ve implemented a mirror of this site at http://test-ipv6.arbor.net [...]
There is a certain level of skill to creating an IPv6-capable network. There is even more skill to creating an IPv6-capable network correctly. To help confirm an IPv6-capable network has been configured correctly and that “upstream” IPv6 connectivity is correct, there are several Web sites which offer basic insights into the quality of IPv6 connectivity.
Such sites have been around in one form or another since at least 2000. The most famous early “test” Web site was perhaps “www.kame.net” – if [...]
Arbor Networks has built a massive, global intelligence network centered around ATLAS, a unique collaboration with nearly 300 service provider customers who have agreed to share anonymous traffic data with Arbor. This massive traffic data set, totaling 80Tbps, is combined with information from a global honeypot network of sensors in dark IP address space as well as strategic partnerships, such as the Red Sky Alliance.
Arbor’s Security Engineering & Response Team (ASERT) is one of the largest dedicated research organizations in [...]
Today marks our first major product release since Packetloop became part of Arbor Networks in September 2013. It marks a major step in realizing the combined vision of Arbor Networks and Packetloop and also sees us change the Packetloop name to Pravail Security Analytics.
The combined vision is leveraging Arbor Networks’ ability to “see things that others can’t,” analyze and mitigate. It’s implemented by integrating Arbor Networks’ expertise in threat intelligence (ASERT), analysis and forensics (Pravail Network Security Intelligence and Packetloop) [...]
The last time I blogged about Drive, it had just added some new attacks and obfuscation to its attack commands. Fast forward seven months, and Drive has another new variant that has adopted a completely new set of tactics while being used in some recent high-profile attacks.
Similar, Yet Different
I first discovered this new Drive variant in early January 2014 when I noticed that my previous Yara rule was alerting on samples that my network classifiers were not. Upon [...]
In February, Kirk Soluk’s post on NTP Attacks: Welcome to The Hockey Stick Era reported that we have seen an increase in NTP-based application attacks. We thought we would take a few minutes to post an update on the state of traffic metrics.
The graphs below depict aggregate traffic based on the NTP network port (123). The first graph shows observed NTP traffic via UDP since December of 2013 until early [...]
An increase in credit and debit card theft via Point of Sale (PoS) malware campaigns over the late 2013 holiday season has resulted in significant media attention and has likely emboldened threat actors as the success of past campaigns comes to light. Media attention has decreased since news of the Target breach and associated fallout; however, threat actors targeting PoS systems are still engaged in active [...]
Although Network Time Protocol (NTP) reflection/amplification attacks have been observed in the wild for many years, they have received an uptick in popularity due to recent high-profile attacks, first in late December 2013 on gaming networks, and again this week in Europe.
Arbor is able to confirm that our ATLAS system monitored an attack on Monday, February 10 targeting a destination in France, peaking at 325 Gbps. Since then, ATLAS has observed no less than 4 more attacks exceeding 100 Gbps [...]