Sunday, December 15, 2013

Ponmocup Hunter is (re-)tired

Update: Video from BotConf talk available now :-) (see below)

For over two and a half years now, since March 2011, I've been researching and analysing this Ponmocup malware, which has so many different names. During this time I've written several blog posts, malware analyses [1, 2], a "Ponmocup Finder" tool and published (CIF) feeds of malware domains.

This year I have given three presentations called "My name is Hunter, Ponmocup Hunter", and each talk was different in some ways. To get the most out of them you may want to view the slides in chronological order, or you can just skip to the latest and most complete one from BotConf (although previous ones had more details about certain things).

The BotConf talk was video recorded and hopefully soon I will be able to review the video and decide if I want to release it or not. (Tweet me if you would like to see it for sure)

I received some very nice feedback after every presentation; here is one of my favorites:

My public work is done (at least for a while, who knows), but the fight against this botnet has just begun. If you have first hand knowledge about this malware (most commonly known probably as Vundo) please ask to join the Ponmocup Botnet Working Group which has been formed for this reason.

Update 2013-12-29:

There have been some great blog posts about the delivery of Ponmocup called Zuponcic Kit:

by Malwageddon

by Maarten van Dantzig, Yonathan Klijnsma & Barry Weymes (Fox-IT)

In February at SAS2013 Eugene Aseev from Kaspersky Labs presented "The Hidden Bot", which also highlights the fact that this malware / botnet is not well known and researched (yet). Unfortunately, the PDF doesn't show all details from the presentation, so if you would like the full-featured PPT version, please contact Eugene or me.

This post is a work in progress mostly just to link to my presentations and I will update it for a while, when new details become available.

Update 2014-01-30:

The video recorded from my latest "Ponmocup Hunter" talk at BotConf has been made publicly available. Thanks to Frederic (@udgover) for the hard work put into making the video.

Just a couple warnings before linking to the video:

1) I don't consider myself a great nor experienced speaker. I was still very nervous for every talk, but during the talk it got better.

2) I had a very hoarse voice during my BotConf presentation because I was talking too much and too loud the night before with many great speakers and attendees at the dinner event.

So hopefully you keep this in mind when watching the video and can see past it. I was giving the talk because I wanted to make more people aware of this botnet, and looking at the activity in my working group I think I succeeded with that.

So without further ado, I hope you like the video !

Also check out the other BotConf videos available.

I also like this picture from my talk at DeepSec :-)


Tuesday, June 25, 2013

Free DFIR Summit ticket contest

Sorry guys and gals, the contest ended prematurely and a winner has been chosen and notified already. So no more submissions will be processed.

This may end up being just a temporary blog post for this one reason...

SANS generously offered me a complimentary DFIR Summit ticket to invite someone ("my guest"). So I'd like to pass this on to someone who deserves it and otherwise couldn't attend the Summit.

So if you would really like to attend the DFIR Summit (to see my talk) and your employer is not paying for it and you can't afford the $1995 then you should enter the contest or raffle or what should I call it. Also, if you are going to the summit, but a colleague can't go, you can refer them here as well.

There are some requirements to qualify:

You need to be able to attend the Summit on July 9 and 10 in Austin TX. You need to pay for travel and hotel room yourself.

And this requirement from SANS directly:

"The only requirements are that your guest be recommended by you personally, and your guest must reserve his/her own room at the event hotel.  (Note: This special offer applies only to NEW hotel reservations, not existing ones.)"

An Omni hotel reservation must be made before July 1st !

Additionally, use the comment form from this post to apply for the free ticket before Saturday morning and give me the best reason why you deserve it... (any or all of the following)

  • give your full name, twitter handle, blog URL or whatever to show your identity
  • list contributions to or collaborations with the DFIR (or IT-sec in general) community with examples
  • list any other good reason you can think of
  • how many adult beverages you're gonna buy me at the summit ;-)

If you want to share some information only with me and not publicly, please clearly state (which part) in your comment, since they are moderated.

I will decide on Saturday evening (10 pm UTC+2) who will get the spot and notify them. Hotel booking would need to be done on Sunday.

I just like to give someone a chance to attend the DFIR Summit who otherwise could not.

So please spread the word and may the best (most deserving) person win the free ticket!



Thursday, May 30, 2013

"Ponmocup Hunter" SANS DFIR Summit 2013

Update: the presentation slides have been online for a while [PDF Link].
I've given a newer version of this talk at DeepSec and BotConf. Slides will be linked when made public.

I'm thrilled to give a presentation "My name is Hunter, Ponmocup Hunter" in July at the SANS DFIR Summit 2013 in Austin, Texas. (Summit / Agenda).

In early 2011 we discovered some botnet malware infected systems in our network. Starting from one A/V event we discovered several host- and network-based indicators to identify and confirm several infections. A brief high-level overview of the security architecture will help you understand how the indicators could be found and searched for. With a one-strike remediation all infected systems were quarantined and cleaned. A few weeks later the sinkholing of several known C&C domains showed the botnet was very big (several million bots). Quickly I got obsessed with analyzing and hunting this malware, which could infect fully patched systems without using exploits (only social engineering) and protected by firewalls, IPS and multi-layered A/V. The malware got some visibility and media attention in June 2012 with titles such as "printer virus", "printer bomb" or "Trojan.Milicenso: A Paper Salesman’s Dream Come True". This was likely due to an unwanted side-effect or "mistake" by the bot-master and probably didn't happen to all infected hosts or networks.
You'll learn:
  • how the malware was discovered, what indicators were derived
  • how all infected hosts were identified and how remediation was done
  • how this malware spreads and how to defend against it
  • how to detect infected systems (host & network indicators)
  • how to find infected web servers used to spread it
  • what malware functionalities are known and currently still unknown

If you can attend the DFIR Summit and haven't registered yet, you can use the discount code "Swiss10" to get 10% off.

In the meantime, if you're not familiar with the Ponmocup malware yet, you can read my previous posts:

There are some more "Threat Intelligence" feeds available, besides the ones that have previously been listed:

Lists of Malware Domains and IPs (pre- and post-infection) [CIF usable]

Now there's also a list for:
Malware redirection servers and .htaccess infected web servers [CIF]

Ponmocup-Finder output:
Currently infected websites (redirecting to Malware downloads)
History of all infected websites (first and last seen)

For more details you can follow me on Twitter (@c_APT_ure) or look for #Ponmocup tweets.

If you would like to get involved with analyzing or fighting this Malware / Botnet please get in touch with me.


Monday, September 10, 2012

DeepINTEL 2012

The first DeepINTEL conference is over and it was great with a fairly small crowd, where you got to meet and talk to everyone.

Andrew Barrat, who was giving a talk about "Better Breach Disclosure = Better Risk Management?" wrote a couple of blog posts about other talks (day 1, day 2).

So for those who couldn't attend DeepINTEL, here's a high level overview of the topics, concepts and resources I gave in my talk, which was titled "Preventing and Detecting Mass-Malware and Advanced Threats".

Here's the abstract that was given for CFP:

Your organization has firewalls, network IDS/IPS, anti-virus on multiple layers, maybe even HIPS, hardening and patching done and feels pretty safe and secure. But lots of companies and organizations who got breached had all that too. So maybe that’s not enough for today’s threats any more? This speech should give you lots of new intelligence resources to know who are the different threat actors, what are their motivations and techniques, what vulnerabilities are exploited by what threat actors, and some (maybe more or less unconventional) methods for prevention or detection of these threats. Most resources used are freely available, some need free registration and some are from personal work experience.

As a brief introduction to what I think is missing, I introduced the Security Event System (SES) and Collective Intelligence Framework (CIF) project from REN-ISAC.

The introduction about me and why I like to share malware and threat intelligence contained references to SANS ISC blog diaries (1, 2, 3), Mila's contagio malware dump blog post and a couple of posts on Kyle's threatthoughts blog about sharing indicators, that were based on information I collected and provided to them. Another example is the discovery and analysis of the Ponmocup botnet on this blog, where I shared a list of C&C domains for sinkholing.
This first part of the talk was also meant to show the limitations of antivirus, because lots of malware samples I discovered had zero or very low (less than 10%) initial detection rates (out of 42 AV scanners on VirusTotal), which I consider pretty bad.

Next I introduced some terms and concepts like "cyberrisk intelligence", "actionable intelligence" and "cyber-risk data" from the SBIC report Getting Ahead of Advanced Threats.
This report contains several "charts" (though I'd call it more tables) of such cyber-risk data along with examples. The first table about "cyber attack indicators" gives interesting examples like "description of spear phishing mails", "lists of domains hosting malware" and "set of binaries used by attackers" (which for example could be file hashes like MD5 etc).

Then I used two quotes from Richard Bejtlich's posts on Mandiant's M-unition blog, which I like.
In a post about "understanding each type of targeted attacker" he says:
"When trying to defend an organization, it’s imperative to understand the nature of the threats who seek to compromise the enterprise. This is not a common belief, unfortunately."
In another post about "understanding state-serving adversaries" he wrote:
"A hallmark of a disciplined adversary, however, is to only use the level of “force” required to accomplish the mission, only escalating when the minimum fails to get the desired result. This is the true definition of "advanced," because it means the adversary knows how to properly deploy resources against a target."

Elaborating on the different types of threat actors I used resources from Mandiant's M-Trends 2012 report, the SANS Cyber Attack Threat Map (page 2 from the 20 Critical Security Controls poster 2010 -- not found online anymore), and the Dell SecureWorks Advanced Threat Resource Center.
The presentation "Why Are Our Defenses Failing Us? One Click Is All It Takes" from Bryce Galbraith gives a very detailed and technical analysis, how little it takes to get breached.

To give some examples and history of APT attacks I used the paper "Advanced Persistent Threats: A Decade in Review" from Command5 and the site about "Cyber Attacks Timeline".
The next point I was trying to make is the importance of knowing what exploits are being used by what threat actors. An overview of exploits kits (also called browser exploit packs / BEP) has been updated frequently on Mila's contagio malware dump blog. This blog is also great to find out what exploits (see categories / labels) are used and find malicious document samples from targeted attacks.

Another great resource giving details about what exploits are used for APT attacks is a blog post from Xecure Lab. Also from this company is XecScan, an online scan service for spear phishing document analysis. It's also a great OSINT source for indicators (MD5 hashes, C&C domains / IPs etc.) of APT spear phishing documents.

The next topic was "the need for analysis in Intelligence-Driven Defense" from the Windows-IR blog which gives a nice summary of Dan Guido's paper "A case study of intelligence driven defense" and the Exploit Intelligence Project (EIP).

The paper "Intelligence Driven CND Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" introduces the "intrusion kill chain" and "kill chain phases" along with the definition of "late phase detection" (C2) versus "early phase detection" (delivery).

So what's the relevance of all this? What do I make of it?

Well, patching and updating all software, especially OS, browser and all browser plugins (Java, Flash, Adobe Reader etc.) should be a very high priority. But some software, like Java with all its dependencies, is harder to patch in a timely manner in some enterprises.

So here are some suggestions for additional mass-malware prevention on a web proxy:
  • implement a Java whitelist, allowing Java from trusted domains only (user-agent based)
  • limit executable downloads (magic bytes) to trusted domains (or categories if available)
  • block all malicious IPs, IP ranges and 1st level domains (esp. dyndns) as far as possible and as business allows (start using CIF with many feeds)

And additional protection for a mail gateway:
  • block or strip all executable (magic bytes) attachments, also inside ZIP or RAR files
  • keep mail logs of A/V events (with context) for a long period
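The "magic bytes" attachment check from the mail gateway list above, as an added Python example (not code from the original talk or post): it classifies an attachment by content instead of file name, looks inside ZIP archives (nested ones up to a depth limit) and treats anything it cannot inspect, such as encrypted ZIP entries, malformed archives and RAR files (no parser in the standard library), as something to block rather than to trust. The sample attachments are constructed inline; the "fake PE" is only an MZ header followed by padding, not malware.

```python
import io
import zipfile

# Standard magic-byte signatures (offset 0) for file types a mail gateway
# should treat as executable, or as containers it must look inside.
EXECUTABLE_MAGIC = {
    b"MZ": "pe",          # Windows PE/DOS executable (EXE, DLL, SCR, ...)
    b"\x7fELF": "elf",    # Linux/Unix executable
}
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"   # common prefix of RAR 1.5+ and RAR5 signatures
MAX_DEPTH = 3                 # refuse to recurse into archives forever


def classify_blob(name, data, depth=0):
    """Return a list of (path, reason) findings for content that should be blocked.

    The decision is made on magic bytes, not on the file name, so a PE renamed
    to 'photo.jpg' is still caught. An empty list means nothing suspicious.
    """
    findings = []
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            findings.append((name, f"executable ({kind}) by magic bytes"))
            return findings
    if data.startswith(RAR_MAGIC):
        # No stdlib RAR parser: an archive we cannot inspect is blocked, not trusted.
        findings.append((name, "RAR archive (cannot inspect, block)"))
        return findings
    if data.startswith(ZIP_MAGIC):
        if depth >= MAX_DEPTH:
            findings.append((name, "archive nested too deep (block)"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_name = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:            # encrypted entry: cannot inspect
                        findings.append((member_name, "encrypted ZIP entry (block)"))
                        continue
                    with zf.open(info) as member:       # only the header is needed...
                        head = member.read(8)
                    if head.startswith(ZIP_MAGIC):      # ...unless it is a nested archive
                        findings.extend(classify_blob(member_name, zf.read(info), depth + 1))
                    else:
                        findings.extend(classify_blob(member_name, head, depth + 1))
        except zipfile.BadZipFile:
            findings.append((name, "malformed ZIP (block)"))
    return findings


def build_zip(entries):
    """Construct an in-memory ZIP from {name: bytes} (sample data for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in entries.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed samples, not real attachments: the "PE" is just an MZ header plus padding.
FAKE_PE = b"MZ" + b"\x90" * 62
SAMPLES = {
    "report.pdf":  b"%PDF-1.4\n%...",                        # clean
    "photo.jpg":   FAKE_PE,                                  # executable with a lying extension
    "docs.zip":    build_zip({"readme.txt": b"hello"}),      # clean archive
    "invoice.zip": build_zip({"invoice.pdf.exe": FAKE_PE}),  # classic mass-malware lure
    "nested.zip":  build_zip({"inner.zip": build_zip({"run.scr": FAKE_PE})}),
}


def scan_attachments(samples):
    """Map attachment name -> findings; an attachment with findings gets blocked/stripped."""
    return {name: classify_blob(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_attachments(SAMPLES).items():
        print(f"{name:12s} {'BLOCK' if findings else 'pass ':5s} {findings}")
```

Reading only the first 8 bytes of each ZIP member keeps the check cheap on large archives; the whole member is read only when it is itself a ZIP that has to be opened. Archive types the gateway cannot parse are blocked on the same "deny what you cannot inspect" principle the list item above applies to RAR.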

Detecting a series of targeted attacks:

Knowing what exploits (CVEs) have been used for targeted attacks I spotted a single A/V event (containing a "CVE-2011-0611" SWF exploit) from a PDF email attachment amongst hundreds of other mass-malware events. Now knowing the targeted person I found previous attack mails using CVE-2009-3129 inside an XLS and an unknown exploit inside a PDF with JavaScript. Monitoring the mails of the targeted person I found an IMG SRC in an HTML mail without attachments. The URL was using a domain hosted on the same IP that was used for C2 of the previous PDF/SWF exploit and contained the target's email address in it. The attack series continued with a number of DOC attachments with CVE-2012-0158 exploits, some of which were very similar to the ones described on this Securelist blog.

The above are of course just some examples of additional prevention and detection measures you can put in place.

Some other projects, collaboration groups and tools you may want to look at are:

Feedback is always welcome!


Monday, July 2, 2012

Intelligence-driven Security

Is "Intelligence-driven security" the next big thing?

In my first blog post I put a link to Deloitte's paper "Cyber crime: a clear and present danger -- Combating the fastest growing cyber security threat". Just recently I looked over it again and stopped at page 12: "Developing “actionable” cyber threat intelligence" and "Cyber Threat Intelligence Collection Research, and Analysis Process" -- a great picture. That's an old paper.

I really like the recent "Getting ahead of Advanced Threats" report from Security for Business Innovation Council (sponsored by RSA).

Report PDF: Getting Ahead of Advanced Threats

Youtube video: Getting Ahead of Advanced Threats: Achieving Intelligence-driven Security

Blog series about Deconstructing SBIC's "Getting Ahead of Advanced Threats" Report:

  1. Information vs Intelligence
  2. The Importance of the Extended Enterprise
  3. Intelligence-Driven Information Security
  4. Building Sources
  5. Taking Action
  6. A Day In The Life Fighting Cybercrime
As I have mentioned in a previous post, something to really look out for is the Collective Intelligence Framework (CIF). Take a look at the Community examples and maybe even the Avenger Project.

I heard a rumor that CIF will be covered this month in Russ McRee's toolsmith, which is always a great resource, too.

If you know other good resources alike please let me know.

Thanks for reading...


Wednesday, June 27, 2012

History of Ponmocup Malware / Botnet

This is a history of some events and publications about the Ponmocup malware or botnet.
(work in progress -- will get updated eventually)

There are many aliases from different A/V vendors as previously mentioned on my blog
(Ponmocup, Pirminay, Kryptik, Swisyn, Vundo, Monder, Virtumonde/Virtumondo etc.).
The most often used lately is "Trojan.Milicenso" by Symantec, which has a good blog post and detection description about it.
And it's been around at least since 2009, not just 2010 as mentioned in several places.

Update 2012-08-13: there have been some more related posts published since my original post

2012-07-02: Symantec blog "Printer Madness: W32.Printlove Video"

2012-06-25: ComputerWorld article "Malware infection forces printers to print garbled data"
2012-06-25: ITWorld "Printer malware – Wingdings gone wild"

2012-06-23: The Hacker News "Trojan.Milicenso - Printer Trojan cause massive printing"

2012-06-22: ZDNet "Thousands of office printers hit by 'gibberish' malware"
2012-06-22: Bloomberg Tech Blog "When Hackers Fumble: ‘Printer Bomb’ Noisily Announces Attack"
2012-06-22: NET-Security "Trojan infection triggers massive printing jobs"

2012-06-21: ARStechnica "Printer bomb malware wastes reams of paper, sparks pandemonium"
2012-06-21: SANS ISC diary "Print Bomb? (Take 2)"
2012-06-21: Symantec blog "Trojan.Milicenso: A Paper Salesman’s Dream Come True"

2012-06-14: Symantec KB article "Malware is causing network printers to print random ASCII characters"

2012-06-13: Mcafee Threat Advisory "Vundo"

2012-06-08: SANS ISC diary "Print Bomb?" (see also comments)
2012-06-08: Symantec forum thread "Print server gone wild"

2012-06-07: McAfee community forum thread "Printer Virus?"

2012-06-03: c-APT-ure blog post "Introducing Ponmocup-Finder"

2012-05-16: Sophos detection "Troj/Ponmocup-F"

2012-04-27: c-APT-ure blog post "Hunting Ponmocup Botnet"

2012-04-13: Collection of my tweets on Storify "A/V failed for Ponmocup malware!?"

2012-04-08: IOC on "Ponmocup IOC released"

2012-03-08: c-APT-ure blog post "Ponmocup, lots changed, but not all"

2012-02-20: Ponmocup analysis page created "Why so many diff A/V detections?"

2012-02-18: c-APT-ure blog post "Not APT, but nasty malware (Ponmocup botnet)"

2011-11-15: Mandiant forum thread started "IOC request for Ponmocup malware (botnet)"

2011-05-30: created web page "Collection of links related to the Ponmocup botnet"

2011-05-23: blog "How Big is Big? Some Botnet Statistics"

2011-04-22: TrendMicro detection "TSPY_PIRMINAY.A"

2011-04-21: Malware Survival "Media Site Pimping Malware"

2011-04-20: Sophos detection "Mal/Ponmocup-A" (detailed analysis of 3 samples)

2010-12-06: SPAMfighter news: "New Trojan Blocks Access To Bittorrent Websites: Webroot"

2010-11-25: Softpedia news "The Pirate Bay and Mininova Blocked by Mysterious New Trojan"

2010-11-24: Webroot blog "Troublesome Trojan Trammels Torrent Sites"

2010-07-14: Symantec detection created "Trojan.Milicenso"

2010-06-04: Microsoft MPC Encyclopedia entry "TrojanDownloader:Win32/Ponmocup.A"

2010-03-19: Sophos detection "Troj/Mdrop-CLC"

2009-12-30: Microsoft MPC Detection initially created "TrojanDropper:Win32/Ponmocup.A"

2009-11-22: Microsoft MPC Detection initially created "TrojanDownloader:Win32/Ponmocup.A"

Please report any broken (or obviously wrong) links, thanks.

Feedback and questions are welcome!


Sunday, June 3, 2012

Introducing Ponmocup-Finder

Update 2013-06-01:
Please also read my newer blog posts about Ponmocup:
Ponmocup-Finder has evolved into a little "workflow" :-)
  1. add new infected domains to the list
  2. daily cronjob to run Ponmocup-Finder
  3. latest Ponmocup-Finder script
  4. list of currently infected webservers
  5. history of all previously infected webservers
  6. notification lists for CH / LI and DE domains
If you can do notifications for any infected webservers, go ahead and feel free to let me know.

It would be great to see some search engines (like Google, MS Bing etc.) add checks for these infections to their spiders (they would only need to change the user-agent for one request per site), since infections happen only through search engine redirects.

Update 2012-10-18:
Finally I updated the ponmocup-finder script as promised. I also managed to download a new infector and analyze the malware in a VM. You can also just look at some screenshots of the analysis.
And lastly here are some network indicators of C2: /  (DNS request only)

For more malicious domains and IPs you can download my malware feeds (also using CIF) here:

Update 2012-09-25:
The Ponmocup-Finder script needs some update / tweaking, since the redirection URL patterns changed massively again (samples). Instead of just checking for the two previously known URL patterns ("/url\?sa=|/cgi-bin/r.cgi\?p=") it should check if the infected website domain appears in the URI parameters of the redirection URL. I will update the script on this post as soon as I find time.

You may have recently read a lot of hype about Flame or SkyWiper "cyber weapon", the son (or big brother) of Stuxnet and Duqu, which was found on a few thousand systems in a limited number of countries for espionage. Interesting and somewhat impressive, but this post is not about any of this stuff.

The Ponmocup malware and botnet is something totally different. A year ago the botnet was several million bots big (at least 4 million IPs, maybe a multiple of that number of bots) [1]. And it does not target or discriminate against any specific country, so chances are likely bigger that you may find one of these bots in your network than a Flame infection.
Please read my previous three posts about Ponmocup to get an idea of what it is and how it works.

[1] Not APT, but nasty malware (Ponmocup botnet)
[2] Ponmocup, lots changed, but not all
[3] Hunting Ponmocup Botnet

Just to clarify something first, this post is more about detecting hacked or infected web servers redirecting unsuspecting visitors to malware downloads than about detecting infected bots themselves. For the latter see my request to researchers to find current C&C domains in [3].

I don't know of any service including all 32 from that detects these infected web servers.

So I threw together this little shell script that takes a list of domains and checks each domain with a single request if it's infected and redirecting visitors to Ponmocup malware (see [2]).

This script is aimed at registrars, ISPs, web hosters, GovCERTs, malware researchers, botnet hunters, or generally anyone who wants to find (and hopefully report) infected web servers and who has access to a large number of domains.

$ cat
#!/bin/bash
# usage: <this script> <file with one domain per line>
# For each domain: fetch "/" once, pretending to be a browser arriving from a
# search engine (the --referer value is not shown here), and inspect the first
# Location header wget received. Each domain gets its own .out and _wget.log file.
echo "date started: `date`"
cat $1 | \
while read domain; do
  echo -ne "checking domain: $domain --> ";
  wget -Sv --tries=1 --connect-timeout=5 \
    --user-agent="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20101203 Firefox/3.6.13" \
    --referer="" \
    http://${domain}/ -O ${domain}.out > ${domain}_wget.log 2>&1
  redir=`egrep -m 1 "Location: " ${domain}_wget.log`
## old check (redirect URL patterns changed in Sept 2012, see update above):
## match=`echo $redir | egrep "(/url\?sa=|/cgi-bin/r.cgi\?p=)" | wc -l`
  # infected if the probed domain shows up in the query string of the redirect;
  # "cut -s" skips redirects without a "?" (e.g. a plain redirect to www.$domain/)
  match=`echo $redir | cut -d"?" -s -f2- | egrep "$domain" | wc -l`
  if [ $match -gt 0 ]; then
    echo -ne "seems to be INFECTED: "
    echo -ne `echo $redir | cut -d" " -f2 | cut -d"?" -f1`
    # the second "Resolving" line is the redirect target host and its IP
    egrep -m 2 "Resolving " ${domain}_wget.log | tail -1 | sed -e 's/Resolving/ --> DNS:/g'
  else
    echo "seems to be CLEAN"
  fi
done
echo "date finished: `date`"
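The same heuristic in Python, as an added example that is not the author's finder script: it reads a wget -S log the way the script does (first Location header, second Resolving line for the redirect target and its IP) and flags a domain when the redirect target's query parameters carry the probed domain. It also handles the false positive a plain cut -d"?" -f2- (without -s) has in the shell version: with no "?" in the line, cut prints the whole line, so an ordinary redirect from example.com to http://www.example.com/ would be reported as INFECTED. The two legacy redirector patterns are the ones quoted in the 2012-09-25 update above; the hostnames and IPs in the sample logs are constructed documentation addresses, not real indicators.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Redirect URL patterns the original script matched before Sept 2012 (quoted in
# the post); kept only as a weaker secondary signal since they changed afterwards.
LEGACY_PATTERNS = ("/url?sa=", "/cgi-bin/r.cgi?p=")

# `wget -S` log lines we care about. The Resolving regex accepts both the older
# "Resolving host... ip" and the newer "Resolving host (host)... ip" format.
RESOLVING_RE = re.compile(r"^\s*Resolving\s+(\S+?)(?:\s+\(\S+\))?\.\.\.\s+(\S+)", re.M)
LOCATION_RE = re.compile(r"^\s*Location:\s+(\S+)", re.M)


def same_site(probed, host):
    """True if host is the probed domain or a subdomain of it (www.example.com)."""
    probed, host = probed.lower().strip("."), host.lower().strip(".")
    return host == probed or host.endswith("." + probed)


def classify_redirect(probed_domain, location):
    """Return (verdict, reason) for one Location header value."""
    if not location:
        return "clean", "no redirect"
    parts = urlsplit(location)
    host = (parts.hostname or "").lower()
    if same_site(probed_domain, host) and not parts.query:
        # e.g. example.com -> http://www.example.com/ : a normal canonical redirect.
        # This is the case the shell one-liner without `cut -s` would flag as INFECTED.
        return "clean", "same-site redirect without parameters"
    # Core heuristic: the infected site's own domain is passed as a parameter to
    # the redirector (it is the key the redirector uses to serve the payload).
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if probed_domain.lower() in value.lower():
            return "infected", f"probed domain in query parameter {key!r} of {host}"
    if any(p in location for p in LEGACY_PATTERNS):
        return "suspicious", "legacy redirector URL pattern"
    return "clean", f"redirect to {host} does not reference probed domain"


def check_wget_log(probed_domain, log_text):
    """Mimic the script: first Location header, then the host/IP wget resolved
    for the redirect target (the second 'Resolving' line in the log)."""
    loc = LOCATION_RE.search(log_text)
    location = loc.group(1) if loc else ""
    verdict, reason = classify_redirect(probed_domain, location)
    resolved = RESOLVING_RE.findall(log_text)          # list of (host, ip)
    target = resolved[1] if len(resolved) > 1 else None
    return {
        "domain": probed_domain,
        "verdict": verdict,
        "reason": reason,
        "redirect": location.split("?")[0],           # same as `cut -d"?" -f1` in the script
        "target": target,
    }


# Constructed wget -S style logs (RFC 5737 addresses, placeholder hostnames).
INFECTED_LOG = """\
Resolving example.com (example.com)... 192.0.2.10
Connecting to example.com (example.com)|192.0.2.10|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Location: http://12345.redirector.example/url?sa=t&url=example.com/index.php
Location: http://12345.redirector.example/url?sa=t&url=example.com/index.php [following]
Resolving 12345.redirector.example (12345.redirector.example)... 198.51.100.7
"""
CLEAN_LOG = """\
Resolving example.com (example.com)... 192.0.2.10
HTTP request sent, awaiting response...
  HTTP/1.1 301 Moved Permanently
  Location: http://www.example.com/
Location: http://www.example.com/ [following]
Resolving www.example.com (www.example.com)... 192.0.2.10
"""

if __name__ == "__main__":
    for log in (INFECTED_LOG, CLEAN_LOG):
        r = check_wget_log("example.com", log)
        print(f"{r['domain']} --> {r['verdict'].upper()}: {r['reason']} "
              f"(redirect {r['redirect'] or '-'}, DNS {r['target']})")
```

The verdict is deliberately three-valued: "infected" only when the domain-in-parameter rule fires, "suspicious" for the older redirector paths so they still show up in a report without being counted as confirmed, and "clean" otherwise.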

Now let's run this script with a list of 88 domains (known to have been previously infected)

$ ./ domains-1.txt | tee ponmocup-finder_domains-1.log
checking domain: --> seems to be INFECTED: --> DNS:
checking domain: --> seems to be INFECTED: --> DNS:

checking domain: --> seems to be INFECTED: --> DNS:

How long did it take to check these 88 domains?  About 160 seconds

$ egrep "date " ponmocup-finder_domains-1.log
date started: Sat Jun  2 18:33:08 CEST 2012
date finished: Sat Jun  2 18:35:48 CEST 2012

Let's separate the clean and infected domains and do some stats:

$ egrep CLEAN ponmocup-finder_domains-1.log > ponmocup-finder_domains-1_CLEAN.log
$ egrep INFECTED ponmocup-finder_domains-1.log > ponmocup-finder_domains-1_INFECTED.log
$ wc -l ponmocup-finder_domains-1_*.log
   36 ponmocup-finder_domains-1_CLEAN.log
   52 ponmocup-finder_domains-1_INFECTED.log
   88 total

Let's look at the malware domains and IPs: (these are not C&C domains of infected clients)

Important note: some of the older, inactive domains appear to have been grabbed by some domain parking services. Thus not all domains and IPs below are used for malware distribution. I need to separate the good from the bad and ugly (later).

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2" "$1 }' | sort | uniq -c
      1 failed:
      1 failed:
      1 failed:
      4 failed:
      2 failed:
      3 failed:
      1 failed:
      1 failed:
      1 failed:
      1 failed:
      1 failed:

And here are just the IPs:

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2 }' | sort | uniq -c
     17 failed:

And here's a list of all malware domains and IPs discovered: (numeric only subdomains replaced with "*")

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2"\n"$1 }' | sed -e 's/[0-9][0-9][0-9][0-9][0-9]/\*/g' | sed -e 's/\.\.\.//g' | sort | uniq | egrep -v failed

And here's the list of infected domains (servers with malicious .htaccess file)

$ cat ponmocup-finder_domains-1_INFECTED.log | awk '{ print $3 }' | sort | uniq

I'd be curious to know what percentage (or ppm) of any list of domains would be infected. Anyone wants to take a guess?