Into the Light of Day: Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns

By: cwilson -

Point of Sale systems that process debit and credit cards are still being attacked with an increasing variety of malware. Over the last several years PoS attack campaigns have evolved from opportunistic attacks involving crude theft of card data with no centralized Command & Control, through memory scraping PoS botnets with centralized C&C and most recently to highly targeted attacks that require a substantial amount of lateral movement and custom malware created to blend in with the target organization.

While contemporary PoS attackers are still successful in using older tools and methodologies that continue to bring results due to poor security, the more ambitious threat actors have moved rapidly, penetrating organizational defenses with targeted attack campaigns. Considering the substantial compromise lifespans within organizations that have active security teams and managed infrastructure, indicators shared herein will be useful to detect active as well as historical compromise.

Organizations of all sizes are encouraged to seriously consider a significant security review of any PoS deployment infrastructure to detect existing compromises as well as to strengthen defenses against an adversary that continues to proliferate and expand attack capabilities.

In addition to recent publications discussing Dexter and Project Hook malware activity, Arbor ASERT is currently tracking other PoS malware to include Alina, Chewbacca, Vskimmer, JackPoS and other less popular malware such as variants of POSCardStealer and others. Attack tactics shall also be explored through analysis of an attackers toolkit.

The longevity and extent of attack campaigns is a serious concern. In organizations with security teams and well managed network infrastructure, point of sale compromises have proliferated for months prior to detection. If attackers are able to launch long-running campaigns in such enterprise retail environments, one can conclude that many other organizations with less mature network and infrastructure management are also at serious risk. A sample of high-profile incident timelines, showing the date of the initial compromise, compromise timespan and compromise scope (number stores in this context) is included to highlight this point.

Download the full report: ASERT Threat Intelligence Brief 2014-06 Uncovering PoS Malware and Attack Campaigns

ASERT Threat Intelligence would like to thank fellow ASERT team members Dave Loftus, Alison Goodrich, Kirk Soluk and Matt Bing and also wishes to thank David Dunn of FIS Global and the Shadowserver Foundation for providing additional information.

Arbor Networks at Virus Bulletin 2011

By: jedwards -

Arbor’s ASERT team has a paper at this year’s Virus Bulletin conference in Barcelona, Spain. The paper, by Arbor’s Jeff Edwards and Jose Nazario, is titled A survey of Chinese DDoS malware and is based on some of the detailed analysis we did as part of the development of the ATLAS intelligence feed or AIF. Our malware stream contains a lot of DDoS bots, many from China, one of the more interesting ecosystems of malware development.

The abstract follows:

This paper surveys the diverse landscape of Trojan horse families populating a specific niche in the overall malware ecosystem: botnets that primarily serve as Distributed Denial of Service (DDoS) attack agents and which are believed to be of Chinese origin and/or to be primarily controlled from Chinese IP space.

Approximately two dozen distinct malware families will be described and documented, including the Rincux, NetBot Attacker, IMDDOS, Darkshell and YoyoDDoS families. These families will be characterized in terms of their command and control (CnC) protocols, DDoS attack capabilities, general code architecture, organization of their CnC infrastructure, and preferred targets.

Findings regarding the evolution and sharing/cross-pollination of malcode, as well as the build/release frequency of new versions will be presented. An approximate taxonomy of this particular space of malware will be proposed. The bulk malware analysis infrastructure that was used to obtain these findings will also be briefly described.

The paper is quite in-depth and contains a lot of technical details not covered in the talk, so be sure to refer to the paper if the talk is at all interesting.

From Elk Cloner to Peacomm: A quarter century of malware

By: Jose -

A quarter century of malware. You’d think we would have had this problem licked by now, yeah? No, not even close. Self replicating code was first theorized in 1949, the dawn of the computing age, and appeared in the wild around the early 1980s. The fundamental theories on computer viruses were worked out by Fred Cohen; you can read his original paper online from the early 1980s. The tension between usability and security is directly discussed in this seminal paper. From the paper’s ending, “To quickly summarize, absolute protection can be easily attained by absolute isolationism, but that is usually an unacceptable solution. Other forms of protection all seem to depend on the use of extremely complex and/or resource intensive analytical techniques, or imprecise solutions that tend to make systems less usable with time.” In fact, because of the nature of a general purpose computer, Cohen points out, you can never fully protect against viruses.

No great surprise, people started to experiment with the ideas of self replicating code and, in 1982, we saw Elk Cloner, an old Apple II computer virus. Things moved somewhat slowly for a while, moving to the IBM PC when it became more prominent as a platform, and eventually to MS Windows. The timeline below isn’t comprehensive, it’s not designed to be. What it’s designed to show is the progress of a few major milestones: Elk Cloner, one of the first “in the wild” viruses now 25 years old; the Morris Worm, one of the first major Internet worms; then the mass mailers Melissa and Loveletter; Code Red and Nimda, two Internet-disrupting Windows worms; then the continued presence of the mass mailer in Sober, MyDoom, Stration and now Peacomm. In short, what works continues to be used, and it works for many, many years.

VirusTimeline.png

Elk Cloner is almost cute in the way that it just teases you once you’re infected. Looking at the timeline above you can see a progression from “fun” and “proof of concept” to malice to making money with Stration and Peacomm.

ElkClonerSrc.png

Peacomm’s recent timeline tells the tale of an aggressive p2p spam bot. They went from EXE attachments to recently using postcard lures. They’ve been shifting tactics lately quite frequently, and they have also been launching a substantial number of DDoS events, including many at researchers lately.

Peacomm Timeline.png

Peacomm is designed for the long haul, these guys are now sending that flood of PDF stock spam you’ve been seeing. Pushing penny stocks is the new fad; the latest round I bothered to look at was pushing HXPN, a penny stock hovering around 0.25 lately, down from a high of 1.65 in the past year. The US SEC likes to investigate this kind of thing, and people get arrested for this kind of crime.

PDFStockSpam.png

The past 25 years have been a dizzying flurry of malicious activity, from fun and games while exploring the architecture of your computer to disrupting the Internet at large and possibly threatening the very nature of e-commerce. Who knows what the future holds …

Peace Really Does Not Exist In The Information Age

By: Danny McPherson -

When I began a while back to generate a study of interesting cyber attacks to see if there were any common themes and to perhaps make some attempt at generating a chronology of such activity and it’s evolution, I ran across Minihan’s comment “Peace really does not exist in the Information Age“. That pretty much summed up my findings.

Rather than cyber-war, or cyber-terrorism, perhaps cyber-espionage or some other equally sexy title, I thought I’d abstract things a bit here and title this post based on that insightful comment from Lieutenant General Kenneth Minihan’s 1998 U.S. Senate testimony. Minihan, then Director of the National Security Agency/Central Security Service (NSA/CSS), carried a common message about how threats had forever changed as a result of the “Information Revolution”.

As summarized in this TISS report, he talked about the blurring role of nation-state sponsored activities, erosion in distinction between civilians and soldiers and a “diffusion of threats with perpetrators of crimes harder to locate“. Minihan spoke about “how existing paradigms for war and conflict will no longer be appropriate“, “how the term “nation”, a concept pivotal to current thinking about the laws of conflict, will become obsolete“, and “what is an “attack” in the context of cyberspace?”

We’re certianly seeing this today, in the media spotlights surrounding the Estonia attacks, the recent attacks on the Pentagon, and so forth. As a matter of fact, as I attempted to put together some chronology on cyber conflict, I found it to be a daunting task worthy of far more time than my schedule permits.

The more I looked, the more such activity surfaced, with a full spectrum of motivators from which to take your pick. Nearly any newsworthy event is now accompanied by cyber activity of some sort. Michael A. Vitas of Institute For Security Technology Studies at Dartmouth College provides an interesting analysis, albeit a bit dated, of where cyber attacks accompany physical violence, and provides a detailed analysis and case studies of four such events.

I compiled a slew of notes on examples of cyber attacks I’ve come across, most of these associated primarily with Internet-based activities (versus, say, isolated SCADA or PCS systems). I was planning to categorize these attacks based on motivators or suspected sponsors, but instead I’ll provide a subset of my list here, and note that my entire list is clearly more incomplete than I’d ever imagined, and largely U.S. centric.

Some of the interesting presumably geopolitical attacks over the past decade or so include, but are certainly not limited to:

Some presumably less politically motivated attacks that attracted a great deal of attention include:

And l’est we not forget, some notable worms and viruses with attack vectors and [not so] questionable motivators:

The above is in no way a comprehensive list, a full study of such attacks, the impact, and the motivators would be quite interesting, and quite an undertaking. More and more on the commercial front attacks are motivated by financial gain, either directly from extortion, or as retaliation of some sort. The continued anti-spam and anti-bot attacks such as those directed at the likes of Castle Cops and Spamhaus, in response to impacting otherwise streamlined cybercrime activities, illustrate the completion of an underground cybercrime economy and botnet eco-system.

The Internet’s ability to enable asymmetric warfare, providing maximum effect and reach, is clearly one of its most attractive characteristics for any attacker, independent of their motivation. As more and more critical services and economies are reliant on networked systems and the Internet, the criticality of their availability and security grows.

If you believe cyber war, given even the most strict definition (of which I’m not entirely sure what that is), is inconceivable, well, I suspect you’ll one day appreciate that your government, whichever government that may be, is slightly more attune to the threat.

Either way, I tend to agree, peace really doesn’t exist in the Information Age.

AV, how cam’st thou in this pickle?

By: Danny McPherson -

While I’ve seen and heard random spatterings about why AV isn’t effective, or analyst reports from the likes of Yankee declaring “AV is Dead”, there’s been very little qualitative or quantitative study on precisely why. Well, beyond the endless flurry of new malware families and subseqent offspring, that is.. As such, I find myself borrowing from Shakespeare’s The Tempest, and asking: “AV: how cam’st thou in the pickle?”

That’s why I’m pleased some of my colleagues at Arbor, with some co-collaborators at the University of Michigan, published Automated Classification and Analysis of Internet Malware (pdf).

There are basically three main issues with AV in the report:

    • completeness – AV does not provide a complete categorization of the datasets, with AV failing to provide labels for 20 to 62 percent of the malware samples examined in the study
    • consistency – when labels are provided, malware is inconsistently classified across families and variants within a single naming convention, as well as across multiple vendors and conventions
    • conciseness – AV systems provide either too little or far too much information about a specific piece of malware

The authors go on to demonstrate how what something does is more important then what you call it (i.e., behaviors are better than labels). By observing state changes associated with files modified, processes created and network connections, a behavioral fingerprint can be generated for the malware. From there, grouping based on these fingeprints can provide some meaningful output and actionable information.

It’s definitely worth the read…

How We’ll Miss You So, Black Hat ’06…

By: Sunil James -

Las Vegas was an absolute blast! Not just because Arbor had an awesome turn-out for its annual poker tournament (nice job, Lisa and Robin!), but also because the Black Hat sessions that we attended were amazingly strong. Having attended the conference for a number of years now, I was glad to see that CMP Media’s acquisition of Black Hat hadn’t adversely impacted the content that Jeff Moss is renowned for pulling together. A sincere thanks for what was truly a great con!

Each of us from the ASERT that attended this year had various thoughts on the sessions we attended. So, instead of a stream of overlapping blog posts, I compiled our thoughts into what you see below. We encourage you to follow the links and learn as much as you can about the various research these folks are doing…you can be certain we’ll be doing the same.

Device Drivers
Jon Ellch aka johnny cache & David Maynor

These two scared everyone who brought their laptop to the conference in the hope of using the wireless network. In the first half of their talk, they described the process of enumerating wireless drivers. Driver enumeration is interesting, but innocuous, and they both must have known that starting with such an innocuous topic would calm the audience before the storm. In the second half of their talk, Maynor proved that enumeration was very helpful when you’ve already done vulnerability analysis of several wireless drivers. To avoid disclosing the actual shellcode used in their exploit, Maynor showed a video in which a Dell laptop attacked an old PPC-based Mac laptop to install a rootkit. Then, Maynor simply connected to the backdoor (a bound shell listening on a socket) and had a root shell (albeit without any line buffering or shell prompts) on the Mac. Needless to say, none of us used our laptops for wireless Internet access anywhere near the conference.

PDB: The Protocol DeBugger
Jeremy Rauch & Dino Dai Zovi

Jeremy glued together some disparate pieces of code (including libevent) to create a C-written gdb-style protocol debugger with a modular interface allowing it to load Ruby-written modules (of which they’ve two). The demonstration was interesting, but not without issues, as the problem of TCP re-transmits isn’t currently handled by the debugger. Definitely an interesting concept, regardless. The proof-of-concept revealed that Python would have been a much more natural choice for developing the system. Sure, there’s a divide between the Python and Ruby camps, however, in our collective opinion, Python is the “lingua franca” of high-level languages in security. Taking into account the fact that libdnet has built-in Python extension, the existence of Dug’s pyevent and dpkt modules for Python libevent and protocol decoding/composing respectively, the amount of work spent developing the underlying glue could have been spent improving the debugger itself. Not trying to be too hard on Jeremy, though. He’s a sharp dude with some interesting ideas.

Punk Ode—Hiding Shellcode in Plain Sight
Michael Sutton & Greg MacManus

An excellent talk all-around. They had clearly explained and demonstrated how simple it was for anybody to hide exploits in plain-sight for specific kinds of attacks. Using their methods, which simply hide the malicious data as legitimate data inside of images, and presumably video, any attacker could leverage this technique to easily bypass many network security products that analyze network packets looking for specific attacks. While this kind of attack is very interesting, there are also many others ways of achieving the same results. More information available here.

Hacking World of Warcraft: An Exercise in Advanced Rootkit Design
Greg Hoglund

This was one of the best talks at the conference. Very entertaining, and it definitely had something for everybody. Hoglund described “The Supervisor,” a kernel-level rootkit made specifically to bypass “The Warden,” Blizzard Entertainment’s anti-cheating technology. This effectively allows anyone running “The Supervisor” to cheat and get away with it. Supervisor allows Hoglund to inject his own instructions into the World of Warcraft client, allowing him or others to take control of the client while also cloaking the contents of the injected instructions by replacing page tables corresponding to the modified memory with another page table filled with A’s. When The Warden next attempted to scan the system’s memory in order to look for any signs of cheating, it would only come across as bunch of As, rather than the actual instructions. Brilliant…and Hoglund’s presentation was flawless and entertaining as ever.

Subverting Vista Kernel For Fun And Profit
Joanna Rutkowska

Joanna’s presentation on exploiting the 64-bit version of Microsoft’s Windows Vista operating system was, without question, our favorite talk of the conference. She skipped the introductory section found in many technical talks and jumped right into a very straightforward method of exploitation: consuming enough system resources to force the OS to page non-wired memory to disk, thereby allowing her to modify the on-disk representation of this memory, and finally releasing those system resources, allowing the modified memory to be paged back in to the system. She then described how to exploit the virtualization features found in AMD’s newest dual-core processors to inject a hardware virtualized rootkit while seamlessly world switching a non-virtualized and running Vista platform into a hardware virtualized context. If Paris Hilton had been in the audience, she’d have agreed that this portion of talk was “hot”. The first half of the talk and, more so the second half, seemed to be a bit technical for some members of the audience, judging by the questions asked. That said, most people we spoke with afterwards agreed that it was the best session of all of Black Hat 2006.

Virus Names a Lost Cause?

By: Mark Zielinski -

SecurityFocus’ Robert Lemos published a number of months back an article in which he suggests that naming viruses is currently a lost cause. In the article, he mentioned how numerous security companies had warned their customers about a computer virus that had been programmed to delete files on the third of each month, but almost every company who published a report on the virus had used an entirely different name causing a lot of confusion in the process.

Unfortunately, this happens all the time. This is definitely causing much confusion, especially for the less technical computer users, which make up the majority of Internet users. Many of them do not know which threats are related to which, or if they are looking at a previous threat under a new name. Most would not even know that there are multiple organizations each publishing a separate report on the same virus, but all using different names.

Why do these problems even exist? It is simple, really. What it all comes down to is that the majority of security organizations have the wrong priorities. Each company is worrying about being the first to speak with the press, or being the first to release a report, and they are all losing sight of what they are really trying to accomplish. In some ways, they are even making things worse. Why rename a threat? Better yet, why are there multiple reports on the same threat?

If asked, many of the employees who work for these organizations will routinely say that coming up with a name or coordinating a name is not a priority. This is part of the problem. All of these organizations are in the same industry and they all share a common ambition. And if not, then they really should.

This problem is not unique to the computer security industry but others have solved it where we have not. Take hurricanes, for example. Each hurricane, typhoon and tropical storm is assigned a unique name. You do not see reporters who are all reporting on the same storm each coming up with their own name, do you? Why must we?

Arbor’s trying to buck the trend and solve this problem by serving on the Editorial Board for the Mitre Corp.’s Common Malware Enumeration (CME) initiative, which, like Mitre’s widely-adopted Common Vulnerabilities & Exposures (CVE) project, aims to deliver unified naming conventions for burgeoning malware. With the backing of a vendor-neutral organization like Mitre, I have no doubt that this initiative will do a great job in solving a problem that’s getting worse on a daily basis.

Googling for Malware, Bobbing for Mass Mailers

By: Jose -

HD Moore recently released a malware search engine. Dan Hubbard and the team at Websense had released an announcement that they had been able to use Google to find malware specifically. HD Moore was evidently frustrated that they didn’t get a copy of the code (evidently all he had to do was ask …), and so he wrote how own. I’ve looked at both, and I actually prefer HD’s later implementation, as it uses a couple of different ideas. So, I re-wrote HD’s tool in Python using my DuckyLib to wrap the Google queries in a simple API, and PE File from Ero for the Win32 binary analysis. After about 20 minutes, I went from sitting down to having a set of tools. The queries for a few hundred signatures took an additional 10 minutes.

HD’s tool (and hence mine) works like this:

  1. Read in an EXE file
  2. Unpack the PE header and gather up four different values
    1. TimeDateStamp
    2. SizeOfImage
    3. AddressOfEntryPoint
    4. SizeOfCode

    This combination is a unique signature for the malware.

  3. Google for these keys and values, using the Google API, and look at all of the EXEs roll in!

Surprisingly effective. After looking over a few hundred signatures, several dozen malware samples appeared and nary a 404 in the bunch. Another note: Google’s cached EXE exposes some of the APIs used in the program, so you can restrict it to EXEs that contain the function InternetOpenURLA, for example (i.e. downloaders). Dan also points out that you can search for specific sections. Pick a packer and start Googling for it’s common section names….

So far, HD’s live Google hits on his malware search usually return nothing. Most of the malware has been found and removed, so that’s good. I wonder how Google will react to this. On the one hand, it’s just data, and it’s best to avoid drawing a line somewhere about what you will/will not index. On the other hand, this is drawing some heat to them. My guess is that they’ll watch for abuse, work with site operators to notify them when they spot malware, and quietly tuck this one away. But I don’t really know what goes on there… Blocking HD’s site as a referrer may be a simple start to this, who knows. Currently, when we find malware we share the links with the parties responsible for taking it down. We’re doing our part, and people seem to appreciate it.

Most of the malware this method has found is not the secret stash locations you’d expect: it’s mailing list archives. It looks like some mailing list got spammed by the malware and held the attachment in a folder, and it’s been indexed. Nothing unexpected there, but some sites got hit worse than others.

Many thanks to Dan @ Websense for kicking this whole thing off, and to HD for pushing it forward.

Security Employment Here to Stay

By: Carlos Morales -

There will always be jobs in security. Why, you ask? Because the world has an endless string of bad people, ruthlessly ambitious people, desperate people, or just people willing to go to any length to show that they can do things that they are not supposed to. A couple of weeks ago, there was a great deal of celebration when Abu Al-Zarqawi, the leader of al-Qaeda in Iraq, was killed. There was a sense that the situation in Iraq was turning a corner, that a strong blow had been dealt to al-Qaeda, and that perhaps the insurgents in the area would finally soften enough to let the region establish a stable government and finally move towards peace. This was not to be the case. Within a few days of Zarqawi’s death, another terrorist, Abu al-Masri, stepped forward and assumed leadership of al-Qaeda in Iraq. With fresh leadership for terrorists, the region is cursed to remain a morass of insecurity and tragedy for the near future. No matter how many times we pick off someone high within terrorist groups, there is always someone just waiting to take their place.

There is definitely an endless line of bad people in the Internet community as well. Simple hacking just to prove you can has given way to major cyber crimes like:

– Theft of critical data from individuals, companies, banks and even governments
– Internet worms made to annoy, corrupt or destroy
– Internet extortion with threats of gigantic DDoS attacks

Organized groups produce complete “families” of malware. When a defense is found, another variant is created. Slammer, Blaster, MyDoom, Sasser, Bagle, Zotob, Dasher, Danser, Pranser, Rudolph…. They just keep coming.

What makes people do this? Ambition, money, revenge, hate, competition, or just because they can… The reasons are irrelevant. People do it and when these people are caught or decide to retire, someone else will come along. That is why there will always be jobs in security.