Illuminating The Etumbot APT Backdoor

By: Arbor Networks -

The Arbor Security Engineering Response Team (ASERT) has released a research paper concerning the Etumbot malware.

Etumbot is a backdoor used in targeted attacks since at least March 2011. Indicators suggest that Etumbot is associated with the Numbered Panda group, also known as IXESHE, DynCalc, and APT12. Although previous research has covered related malware, little has been publicly discussed regarding Etumbot’s capabilities.

Indicators suggest that the Etumbot dropper is delivered via spear phishing and is contained inside an archive file intended to be of interest to the target. The attackers use the Unicode Right to Left Override technique and document icons to disguise malicious executable content as document files. Once the dropper is executed, the backdoor is activated and a distraction file of interest to the target is opened for viewing.  ASERT has observed several Etumbot samples using distraction documents involving Taiwanese and Japanese topics of interest, and has also observed recent development activity which indicates that attack campaigns are ongoing.

Once installed, the backdoor connects to its Command & Control server and receives an encryption key. RC4 encryption, along with HTTP transactions intended to blend in with typical traffic, is used for backdoor communications. Etumbot’s core functionality allows for the execution of commands and the capability to upload and download files.

Attackers attempt to obfuscate the malware by using a technique known as “byte strings”, also known as “string stacking”. Through the use of ASERT tools, these byte strings are deobfuscated and revealed herein.
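The reconstruction side of “string stacking”, as an added illustration that is not ASERT’s tool or the Etumbot sample: the disassembly fragment is constructed, and the function rebuilds the strings from byte-sized stack stores no matter what order the compiler emitted them in.

```python
import re

# Constructed disassembly fragment in the shape "string stacking" produces:
# one immediate byte per MOV into adjacent stack slots, ending in a NUL.
# Illustrative text only, not disassembly of the Etumbot sample.
SAMPLE_DISASM = """
mov byte ptr [ebp-0x20], 0x63
mov byte ptr [ebp-0x1F], 0x6D
mov byte ptr [ebp-0x1E], 0x64
mov byte ptr [ebp-0x1D], 0x2E
mov byte ptr [ebp-0x1C], 0x65
mov byte ptr [ebp-0x1B], 0x78
mov byte ptr [ebp-0x1A], 0x65
mov byte ptr [ebp-0x19], 0x0
push eax
mov byte ptr [ebp-0x3E], 0x0
mov byte ptr [ebp-0x40], 0x2F
mov byte ptr [ebp-0x3F], 99
"""

# One byte-sized store to an [ebp+/-offset] slot with an immediate operand.
MOV_BYTE = re.compile(
    r"mov\s+byte\s+ptr\s+\[ebp([+-]0x[0-9a-fA-F]+)\]\s*,\s*(0x[0-9a-fA-F]+|\d+)",
    re.IGNORECASE,
)

def _immediate(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text)

def _emit(result, start, buf, min_len):
    """Append the buffered bytes as a string if they are printable ASCII."""
    if len(buf) >= min_len and all(32 <= c < 127 for c in buf):
        result.append((start, bytes(buf).decode("ascii")))
    buf.clear()

def recover_stack_strings(disasm: str, min_len: int = 2):
    """Rebuild strings written one byte at a time onto the stack.

    Returns a list of (frame offset, string) pairs. Stores are sorted by
    offset first, so the order they appear in the listing does not matter.
    """
    slots = {}
    for line in disasm.splitlines():
        m = MOV_BYTE.search(line)
        if m:
            slots[int(m.group(1), 16)] = _immediate(m.group(2)) & 0xFF
    result, buf, run_start, prev = [], bytearray(), None, None
    for off in sorted(slots):
        if prev is not None and off != prev + 1:   # gap: a different buffer
            _emit(result, run_start, buf, min_len)
        if not buf:
            run_start = off
        if slots[off] == 0:                        # NUL terminator
            _emit(result, run_start, buf, min_len)
        else:
            buf.append(slots[off])
        prev = off
    _emit(result, run_start, buf, min_len)
    return result
```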

A timeline containing distraction documents, along with backdoor and dropper indicators including MD5 hashes, Command & Control server information, and file system and process artifacts, is included herein. Some use of the HTran connection bouncer has been observed, indicating that selected C&C’s were simply compromised sites used to relay traffic elsewhere.

It is our aim to assist incident response and security teams and to provide meaningful insight into this threat.

Download the full report: ASERT Threat Intelligence Brief 2014-07: Illuminating the Etumbot APT Backdoor

Mime Sniffing and Phishing

By: Jose -

Friday and today I got a very interesting URL highlighted by our spam traps. The URL looks like a JPG, and so I went to see what it was. I figured it’d be stock spam or pill spam or something. What I didn’t expect was what I got.

hxxp://widutr67e8ds63e7dsz3edsx.land.ru/ViewItehewgast627ewaduj23ew7sd.jpg

So, it turns out that the URL is designed for IE4+ users, and it takes advantage of mime sniffing. The Heise site described mime sniffing as:

Internet Explorer 4 introduced a fourth method, known as MIME sniffing, or mime type detection. So no version of IE now automatically assumes that a file taken from the web has the same content type as that stated by the server in the HTTP header. Nor does it trust the file name extension, or signature, on their own. Instead, Internet Explorer also examines the first 256 bytes of the file to determine its type.

So that URL renders as a broken image in Firefox and Safari but OK in IE. You can see the server response below. It sets “Content-Type: image/jpeg” but then serves up dynamic HTML. The browser, IE in this case, renders the phish.
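The mismatch described above, as an added check that is not part of the original post: both constructed responses declare image/jpeg, and the code sniffs the first 256 bytes the way a sniffing client would, flagging the one whose body is really HTML. The nosniff check is a later browser opt-out the post does not mention.

```python
import re

# Constructed responses modelled on the post: both declare image/jpeg, but
# only the first body actually is a JPEG. The phishing page is a stand-in,
# not the content served from the URL in the post.
GOOD_JPEG = (
    {"Content-Type": "image/jpeg"},
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
)
PHISH_AS_JPEG = (
    {"Content-Type": "image/jpeg"},
    b"<html><body><form action='http://login.example.invalid/'>"
    b"Enter your password</form></body></html>",
)

# File signatures a sniffer checks first; HTML is inferred from leading tags.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"MZ", "application/x-msdownload"),
]
HTML_TAG = re.compile(rb"<\s*(!doctype|html|head|body|script|iframe|form|meta)\b", re.I)

def sniff_content(body: bytes) -> str:
    """Guess a type from the first 256 bytes, roughly as a sniffing browser would."""
    head = body[:256]
    for magic, ctype in MAGIC:
        if head.startswith(magic):
            return ctype
    if HTML_TAG.search(head):
        return "text/html"
    return "application/octet-stream"

def declared_type(headers: dict) -> str:
    """Media type from Content-Type, minus parameters, lower-cased."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""

def sniff_opt_out(headers: dict) -> bool:
    """True when the server sent X-Content-Type-Options: nosniff, which tells
    browsers that support it to honour the declared type instead of sniffing."""
    return any(name.lower() == "x-content-type-options"
               and value.strip().lower() == "nosniff"
               for name, value in headers.items())

def check_response(headers: dict, body: bytes) -> tuple:
    """Return (verdict, declared, sniffed).

    'active-content-mismatch' is the case in the post: a non-HTML declared
    type over a body that a sniffing client would render as HTML.
    """
    declared, sniffed = declared_type(headers), sniff_content(body)
    if sniffed == "text/html" and declared != "text/html":
        return "active-content-mismatch", declared, sniffed
    return "ok", declared, sniffed
```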

[Image: mime_sniffing and phishing.png]

The site, widutr67e8ds63e7dsz3edsx.land.ru has been blacklisted by a couple of sites. I don’t know how many correctly – or incorrectly – catch the phishing attack. The site uses a GMail drop, and Google’s been alerted, too.

Thanks Alex and N for cluing me in to what was afoot. These are the first phishing attacks I’ve seen using it; I don’t know how many I’ve missed over the months.

Research Paper: Phishing Just Doesn’t Pay!

By: Jose -

A very interesting paper came out a few days ago by MSFT researchers Cormac Herley and Dinei Florencio exploring the economics of phishing. They systematically analyze phishing, both in terms of losses and in terms of gains, and find that the dollars in the phenomenon are widely overstated. In a nutshell: too many phishers chasing too few victims for too small a gain, a classic “tragedy of the commons” problem. Value added services are where it’s at. This jibes well with anecdotal experience for many of us.

Some of my favorite parts:

But consistent reports of easy money may encourage him to think that he’s doing something wrong and that his returns will improve with time.

Indeed one explanation of the thriving trade in phishing related services reported in [23, 17] is that phishers with more experience prey upon those with less. That is, those who have tried phishing and found it unprofitable or marginally profitable find it better to sell services to those who haven't reached that conclusion yet.

We think that this economic analysis has important implications in addressing the problem on a macro level. If we are correct that large phishing dollar losses are an exaggeration, an important conclusion is that repeating those claims feeds the beast, perpetuates the myth of the infinitely capable superuser attacker [21], and attracts poorly-informed new entrants to phishing.

I find the research and analysis compelling. A lot of it fits with the model outlined by Levitt and Dubner in “Freakonomics” in chapter 3, Why Do Drug Dealers Still Live with Their Moms? Granted, the organization in phishing is far more unstructured, but the premise still stands: the lure is far greater than the reality.

The paper is online here on slideshare or available in PDF A Profitless Endeavor: Phishing as Tragedy of the Commons.

Busy Little Phishing Botnet

By: Jose -

Today it’s an American Express phish. In the past few weeks it’s been JPMorgan Chase, Bank of America, CitiGroup, Colonial Bank, and many others. All of them are using fast flux hosting techniques on the same hosts. I don’t know the name of this botnet (either the malcode or the colloquial name) but it sure is busy. Here’s a list of domain names they have been using for their activities (gathered using passive DNS techniques, most of them are now suspended domains):


Unlike some other fast flux users, these guys seem to go to different gTLDs as needed:

  • 1 — be
  • 23 — com
  • 29 — cz
  • 15 — es
  • 2 — net
  • 2 — org
  • 1 — tk

The hosts have largely been the same over this time so you can track them using passive DNS to discover their new names. Almost all of these are detected using standard anti-phishing tools.

This BofA Demo Thing Got Big Fast

By: Jose -

The Obama spam and malcode gang is back at it with a new fast flux phishing and malcode ruse. This time it’s a demo from the Bank of America that requires the classic “Flash Upgrade”.

[Image: bofa_demo.png]

At the peak I was seeing 400 unique URLs an hour for this run. The URLs were unique strings, possibly for tracking purposes or possibly to stress URL blacklists. But, when you look more closely you see they are just a handful of domain names. This is a lot like the Rock Phish of old.

Let’s have a look at the domains and their associated name server via the BFK passive DNS system:

onlineservices777.com	 NS 	ns1.directclieck.com
directclieck.com	 NS 	ns1.directclieck.com
ns1.directclieck.com	 A 	66.197.233.140
ns1.directclieck.com	 A 	208.77.98.103
ieenttio.com	 NS 	ns1.directclieck.com
inyans.com	 NS 	ns1.directclieck.com
frerins.com	 NS 	ns1.directclieck.com
neeunt.com	 NS 	ns1.directclieck.com

So, no more domains at present associated with these name servers.

The malcode download routine is very typical. If you don’t follow the lure, a meta-refresh will get ya.

[Image: bofa_demo_src.png]

Nothing special here, just the usual crap. Here’s some of the info about one of the samples we saw here:

BASIC INFO:
-----------------------------------------------
FILE TYPE:  application/x-ms-dos-executable
FILE SIZE:  3225 bytes
PACKER/S:
FSG v2.0 -> bart/xt
-----------------------------------------------

CHECKSUMS:
-----------------------------------------------
MD5:        2ef0de5993873f26529ac34012eb97d9
SHA1:       4e9aa725fa887cf65d9f6d1cebbd0a13d48320ab
PEHash:     a8c73378f9c4a2fb57a5658e09d69bbf4bae0998
-----------------------------------------------

A/V INFO:
-----------------------------------------------
SCANNER: VScanner                      VIRUS: Unknown, file is "suspicious"
SCANNER: AVG                           VIRUS: No virus found.
SCANNER: ClamAV                        VIRUS: Trojan.OnlineGames-1517
SCANNER: BDC                           VIRUS: No virus found.
-----------------------------------------------

The malcode is tiny, but downloads hxxp://silviocash.com/usp.exe, aka Paparus or Urlsnif. Driver file, rootkitted, and now the box will send info from IE (i.e. form data) to the hacker. Owned.

Gary Warner has a nice writeup on his blog worth reading.

Economic Crisis: A Phishing and Malcode Opportunity

By: Jose -

In the past few weeks as a flurry of global financial institutions have suffered, a lot of names have been bandied about. Some banks have merged, some banks have faltered, and some government programs have been highlighted. It turns out that this is giving some enterprising phishers and malcode authors an opportunity. They’re preying on fears and name recognition.

The latest scam I just got was a Goldun spyware delivery scheme claiming to be a statement for your account. The emails look like this:

From: Federal Deposit Insurance Corporation
To: jose@arbor.net
Subject: funds wired into your account are stolen

Dear bank account owner,

Funds wired into your account are stolen from innocent account holders
through Identity Theft. Please check your account statement (the statement
is attached to this letter) and contact your bank account manager.

Federal Deposit Insurance Corporation

The attachment has the name “statement.exe” and is a UPX packed executable with the MD5 b6883affd9296b11145f6a0dce7056c3. It drops three files:

C:\DOCUME~1\User\LOCALS~1\Temp\f5d7_appcompat.txt
C:\DOCUME~1\User\LOCALS~1\Temp\f5d7_appcompat.txt
C:\DOCUME~1\User\LOCALS~1\Temp\f5d7_appcompat.txt

Goldun then tries to download other malcode. This malcode has been around for a while; this is just the latest scheme to entice you to run the file.

In the past few days we’ve also seen combined phishing and malcode attacks against Wachovia, Merrill Lynch, and other financial institutions. They usually use fast flux domains to host the attack. Some of the enticements are around banking changes, and these institutions have recently merged with other firms, so users may fall for the “we are upgrading our systems, please install this new SSL certificate” scheme. When you visit the site you get a phishing page and malcode dropped onto your box.

One of the Wachovia emails making the rounds right now looks like this:

WACHOVIA CORPORATION NOTICE.

Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent
failure of Wachovia. The Citigroup/Wachovia would focus on upgrading
banks' security certificates. All Wachovia customers must fill the forms
and complete installation of new Citigroup Standard digital signatures
during 48 hours. Please follow the installation steps below:

Read more here>>

Sincerely, Rodrick Baird.
2008 Wachovia Corporation.
All rights reserved.

Here’s what this campaign’s website looks like:

We’ve been tracking these fast flux domains and will continue to do so, and we will continue to work with the anti-phishing community to identify and shut down such phishing attacks.

UPDATES

The US FTC has issued a consumer bulletin on this subject: Bank Failures, Mergers and Takeovers: A “Phish-erman’s Special”.

Paper: As the Net Churns: Fast-Flux Botnet Observations

By: Jose -

Together with the esteemed Thorsten Holz, I have a paper at MALWARE 2008 on fast flux botnets. The paper uses the data from our ATLAS platform, specifically the fast flux tracking we added in Q1 of this year, to gather a global perspective on fast flux operations. What we found can be summarized as:

  • most fast flux domains are dormant for more than 30 days before their use in a flux operation; domain name tasting is not an issue, it seems
  • the gTLD distribution is now wider than originally reported by Holz et al. at NDSS; this issue affects more registrars
  • we can identify clusters of IPs and associated hostnames, showing how many botnets use how many names. We find only a handful of distinct botnets using fast flux methods.
  • fast flux supports a wide variety of online crime activity, such as phishing, malcode delivery, casino advertisements, illegal or questionable pharmacy sites, and other activities
  • fast flux is smaller than is widely assumed, and only a few thousand hosts globally are involved at any one time
  • involved hosts are extremely “promiscuous”, sometimes having hundreds of domain names associated with them
  • active DNS probing does not appear to be an effective, reliable measure of a botnet’s size. We found only about 1% visibility into the storm worm botnet, and we have not been able to get size estimates of other botnets for comparison
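The clustering behind two of the points above (botnets identified across many domain names, and tracking known flux hosts to find their new names, as the earlier “Busy Little Phishing Botnet” post suggests), as an added example that is not ATLAS code: the passive-DNS observations are constructed, reusing a few domain names from this blog with documentation-range IPs, and the domain/IP pairs are joined into connected components.

```python
from collections import defaultdict

# Constructed passive-DNS observations (domain, ip) with documentation-range
# addresses; domain names are reused from this blog. Not ATLAS data.
PDNS = [
    ("bankamericademo.com", "198.51.100.10"),
    ("bankamericademo.com", "198.51.100.11"),
    ("flashplayercolonial.com", "198.51.100.11"),
    ("flashplayercolonial.com", "198.51.100.12"),
    ("serverdemobank.com", "198.51.100.12"),
    ("familypostcards2008.com", "203.0.113.5"),
    ("hohoho2008.com", "203.0.113.5"),
    ("hohoho2008.com", "203.0.113.6"),
    ("example-static.org", "192.0.2.77"),
]

def cluster_domains(records):
    """Group domains that share hosting IPs, transitively, into one cluster.

    Domains and IPs are nodes of one graph; each observation is an edge, and
    a connected component is one candidate botnet. Returns sorted lists.
    """
    parent = {}

    def find(node):
        while parent.setdefault(node, node) != node:
            parent[node] = parent[parent[node]]   # path halving
            node = parent[node]
        return node

    for domain, ip in records:
        root_d, root_ip = find(("d", domain)), find(("ip", ip))
        if root_d != root_ip:
            parent[root_d] = root_ip
    clusters = defaultdict(set)
    for domain, _ in records:
        clusters[find(("d", domain))].add(domain)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])

def promiscuous_hosts(records, min_domains=2):
    """IPs seen under at least min_domains distinct names, with the count."""
    per_ip = defaultdict(set)
    for domain, ip in records:
        per_ip[ip].add(domain)
    return {ip: len(names) for ip, names in per_ip.items() if len(names) >= min_domains}

def new_names(records, known):
    """Domains not yet in `known` that share a hosting IP with a known domain.

    One hop only; cluster_domains() gives the transitive closure.
    """
    ips = {ip for domain, ip in records if domain in known}
    return sorted({domain for domain, ip in records if ip in ips and domain not in known})

def gtld_histogram(domains):
    """Count domains per top-level label, as in the per-gTLD tallies above."""
    counts = defaultdict(int)
    for domain in domains:
        counts[domain.rsplit(".", 1)[-1]] += 1
    return dict(counts)
```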

This paper came out of a presentation I did for a conference this summer. We’ve shared this data with groups such as FIRST and ICANN, and now we’re sharing this work with the larger world with this publication. The analysis done in the paper is more or less ongoing in our ATLAS fast flux summary report. We have found far more fast flux domains since our original analysis, but it’s still a small problem (only a few thousand hosts and a few thousand domain names active at any one time).

Fast flux botnets are gathering a great deal of attention, and for good reason. Several groups have been working on similar research questions and have found similar results, ours is just the first study around these specific questions to get published. The paper abstract is below:

While botnets themselves provide a rich platform for financial gain for the botnet master, the use of the infected hosts as webservers can provide an additional botnet use. Botnet herders often use fast-flux DNS techniques to host unwanted or illegal content within a botnet. These techniques change the mapping of the domain name to different bots within the botnet with constant shifting, while the bots simply relay content back to a central server. This can give the attackers additional stepping stones to thwart takedown and can obscure their true origins.

Evidence suggests that more attackers are adopting fast-flux techniques, but very little data has been gathered to discover what these botnets are being used for. To address this gap in understanding, we have been mining live traffic to discover new fast-flux domains and then tracking those botnets with active measurements for several months. We have identified over 900 fast-flux domain names from early to mid 2008 and monitored their use across the Internet to discern fast-flux botnet behaviors. We found that the active lifetimes of fast-flux botnets vary from less than one day to months, domains that are used in fast-flux operations are often registered but dormant for months prior to activation, that these botnets are associated with a broad range of online fraud and crime including pharmacy sites, phishing and malware distribution, and that we can identify distinct botnets across multiple domain names. We support our findings through an in-depth examination of Internet-scale data continuously collected for hundreds of domain names over several months.

The full paper in PDF format is now available. I am unable to attend MALWARE 2008 myself as something came up, but we’re still releasing the paper.

Atrivo/Intercage Called Out as US RBN

By: Jose -

A report from a trio of known open source security analysts is out and covers the US-based Atrivo, aka Intercage. Dubbed the “US RBN” by some, Atrivo has been, to quote someone in the business:

“At almost every Internet security conference, or law enforcement seminar on cyber-crime, a presentation will detail some attack, exploit, phish or financial crime that has some nexus at Atrivo/Intercage.”

Source: Vincent Hanna, Spamhaus.org.

After the research article’s publication, Global Exchange de-peered with them after only a day or two (GBLX had been a BGP peer providing transit, one of two or three distinct ASNs doing so). It’s unknown what debates went on inside GBLX before this action, but the suggestion is pretty clear: public analysis of overtly hostile networks with a long history of security issues can lead to changes. Last year’s collection of reports on RBN (from iDefense, Shadowserver, and others) led to the dissolution of RBN.

On my team, we’ve been seeing a lot of Atrivo over the years: rogue DNS servers that will send the user to a malicious website if they should typo, configured through DnsChanger malware; lots of fake AV product hosting lately; malcode drops and pickups. Our database is full of these droppings of information.

The fact that this network is supposedly hosted in the US – in the bay area, in fact – is especially surprising. It is unclear to me why they were permitted to operate without any significant investigation by law enforcement. Perhaps it was a lack of priority, or a lack of complaints. Ultimately this is a drop in the bucket in the battle against malicious network operations. We can’t be naïve and think that they’ll simply cease operations; we should expect that they’ll be back and relocate. The question is where.

New Twist in IRS Phishing Scams

By: Jose -

Earlier today I got a new phishing scam in my inbox, this one for the IRS. I’d love a tax refund, but I don’t think this is how they normally notify you. The lure email is shown below, and is quite standard in its formatting. It even threatens you with criminal prosecution if you lie.


Date: Thu, 28 Feb 2008 15:10:22 -0500
From: Internal Revenue Service
Subject: Your Tax Refund (Message ID FV028T3)

A Secure Way to Receive Your Tax Refund

After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $746.35.

Please submit the tax refund request and allow us 3-9 days in order
to process it.

A refund can be delayed for a variety of reasons. For example
submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Note: For security reasons, we will record your ip-address, the date
and time. Deliberate wrong inputs are criminally pursued and indicated.

Regards,
Internal Revenue Service

Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.

So far nothing special, until you click the link. It’s to an EXE, not to a website. When you download that and look, what you get is a locally hosted website with the phishing site shown below (broken in IE7):

[Image: IRS Phish_exe_screen.jpg]

Analysis reveals that the executable will take your data and send it to at least two different servers:

  • 3comport.sytes.net TCP port 5184
  • 64.28.177.140 TCP port 80

This is a new twist in phishing attacks that can bypass the normal URL filtering bar for malicious sites. It requires that the mechanism that determines if it’s a phishing site recognize that EXEs can also be used in phishing. It makes sense that this would evolve; I suspect we’ll see more of this soon.

I ran the sample through VirusTotal for an overview of the AV detection and saw that it’s not as well detected as it could be. See for yourself.

Complete scanning result of “IRS-Refunds.doc.exe”, processed in VirusTotal at 02/28/2008 22:01:41 (CET).

[ file data ]

  • name: IRS-Refunds.doc.exe
  • size: 363622
  • md5.: 1cc5d1aaf624829e76a149014ab00f27
  • sha1: 17ad552b164c4ce5c4b5ef899d43f575abe8db10
  • peid..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

[ scan result ]

AhnLab-V3 2008.2.28.2/20080228 found nothing
AntiVir 7.6.0.67/20080228 found nothing
Authentium 4.93.8/20080228 found nothing
Avast 4.7.1098.0/20080228 found nothing
AVG 7.5.0.516/20080228 found nothing
BitDefender 7.2/20080228 found [DeepScan:Generic.Malware.SFL!dld!g.AA140EE3]
CAT-QuickHeal 9.50/20080228 found [(Suspicious) - DNAScan]
ClamAV 0.92.1/20080228 found nothing
DrWeb 4.44.0.09170/20080228 found nothing
eSafe 7.0.15.0/20080228 found [suspicious Trojan/Worm]
eTrust-Vet 31.3.5571/20080228 found nothing
Ewido 4.0/20080228 found nothing
F-Prot 4.4.2.54/20080228 found nothing
F-Secure 6.70.13260.0/20080228 found [Suspicious:W32/Malware!Gemini]
FileAdvisor 1/20080228 found nothing
Fortinet 3.14.0.0/20080228 found nothing
Ikarus T3.1.1.20/20080228 found [Win32.SuspectCrc]
Kaspersky 7.0.0.125/20080228 found [Backdoor.Win32.Nuclear.cu]
McAfee 5241/20080228 found nothing
Microsoft 1.3301/20080228 found nothing
NOD32v2 2909/20080228 found nothing
Norman 5.80.02/20080228 found nothing
Panda 9.0.0.4/20080227 found [Suspicious file]
Prevx1 V2/20080228 found nothing
Rising 20.33.32.00/20080228 found nothing
Sophos 4.27.0/20080228 found nothing
Sunbelt 3.0.906.0/20080228 found [Trojan-PSW.Win32.Hooker.24.c (vf)]
Symantec 10/20080228 found nothing
TheHacker 6.2.9.229/20080225 found nothing
VBA32 3.12.6.2/20080227 found nothing
VirusBuster 4.3.26:9/20080228 found nothing
Webwasher-Gateway 6.6.2/20080228 found nothing

[ notes ]

  • packers: UPX

In the time between getting this sample, notifying people, and analyzing the sample, it was shut down. Good.

Active Storm Worm Domains – Christmas, New Year’s Campaign

By: Jose -

Based on a bunch of sources:


All of these are worth blocking by DNS methods (become the local SOA, NXDOMAIN them) and looking for in your emails (look for a simple URL with those domain names near the end of a very short email).

Many thanks to the few dozen or so researchers working in this field to help continuously track and report on this new campaign.

UPDATE Added parentscards.com, which is now in use.
