Thursday, March 8, 2012
Ponmocup, lots changed, but not all
Saturday, February 18, 2012
Not APT, but nasty malware (Ponmocup botnet)
For once I don't write about APT, but about some nasty malware / botnet that I've been researching for almost a year. It's been called "Ponmocup botnet", but the malware has been called many different names (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc).
I've been putting most of my research on a privately hosted page here:
http://www9.dyndns-server.com:8080/pub/botnet-links.html
(Sorry about the bad formatting and strange URL)
My very latest "OSINT research" is on the following page:
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html
It shows that you can find many (recent and old) analysis reports just by googling a couple of registry keys or domains. These would also be good indicators to look for (hint).
My biggest questions are:
- Why is this malware known under so many different names? (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.)
- Why aren't AV companies connecting the dots?
One indicator is the existence or creation of a registry key, namely
"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6"
and/or
"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6"
So I would be interested to know if these keys exist on a clean system under any circumstance.
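As an added example (not code from the post or from the linked IOC/ET resources), here is a PowerShell check for the two registry keys named above that can be run on known-clean machines as well as suspect ones to answer the baseline question. It checks every loaded user hive under HKEY_USERS instead of only HKCU, because HKCU maps to whichever account runs the script; the function and variable names are my own.

```powershell
# Added example: check for the "...\Internet Settings\6" registry indicator
# under HKLM and under every loaded user hive (HKEY_USERS\<SID>), so a hit in
# another logged-on user's profile is not missed. Registry paths are
# case-insensitive, so the casing differs from the post without effect.
$RelativeKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6'

function Get-PonmocupRegistryIndicator {
    [CmdletBinding()]
    param()

    # Map HKEY_USERS as a drive; PowerShell only provides HKLM: and HKCU: by default
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Machine hive plus each loaded user hive, skipping the *_Classes hives
    $userHives = @(Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "HKU:\$($_.PSChildName)" })
    $roots = @('HKLM:') + $userHives

    foreach ($root in $roots) {
        $path = Join-Path -Path $root -ChildPath $RelativeKey
        $exists = Test-Path -LiteralPath $path
        $valueNames = $null
        if ($exists) {
            # Record value names so a hit can be compared against a clean baseline
            $valueNames = (Get-Item -LiteralPath $path).GetValueNames() -join ';'
        }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Hive         = $root
            Key          = $RelativeKey
            Exists       = $exists
            ValueNames   = $valueNames
        }
    }
}

# Local run, printing only hits; wrap the function in Invoke-Command to sweep hosts
Get-PonmocupRegistryIndicator | Where-Object Exists | Format-Table -AutoSize
```

Running it across a set of freshly built machines gives the baseline the post asks about; a key present there would mean the indicator is not reliable on its own.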
There has been some cooperation to create IOC's and ET snort rules to detect this malware:
https://forums.mandiant.com/topic/ioc-request-for-ponmocup-malware-botnet
http://ioc.forensicartifacts.com/2012/01/ponmocup/
http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=Ponmocup
A friend of mine (from abuse.ch blog and zeustracker) was able to sinkhole some C&C domains for a while to estimate the botnet size and it seemed to be quite big at that time: (April - May 2011)
How Big is Big? Some Botnet Statistics
By the way, I've been tweeting about some general malware threat intel recently, which caught some attention on Digital4rensics blog (thanks Keith!)
http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing/
http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing-indicators/
How do you share your malware and threat intelligence?
Do you know of better ways or platforms to do it?
Feedback is welcome!
Saturday, November 19, 2011
Finding Malware and APT activities
Updates and feedback will be posted as comments below (unless I choose otherwise)
There are two ways to find infected or breached systems that I know of:
First, looking for known (or suspicious) command and control (C&C) traffic on the network. Second, looking for known bad or suspicious indicators on the hosts.
Well, there's actually a third one, combining the two together.
Indicators of Compromise
Mandiant's Indicators of Compromise (IOC) provide a way to describe host and network based indicators of malicious activity or traits.
IOC Editor is free software to create IOC's. And there's even free software, IOC Finder, to check hosts for signs of infection. However, IOC Finder has limited capability for checking network based indicators on hosts. The commercial product MIR should have much greater network based capabilities, I assume.
For sharing IOCs I found these two sites, openIOC and Mandiant's forums about IOC Finder.
Thanks Mandiant for all your great free software and resources!
Network based indicators
Another solution that looks very promising is Damballa's Failsafe, which looks for known bad or suspicious network traffic (DNS, proxy, egress firewall).
There are some demo videos online available with free registration.
Something similar seems to be available from Trisul Networks Analytics. A limited version is available for free. The plugins Badfellas, GeoIP and URLFilter look interesting and promising.
If you have experience with one of these products or know of other similar ones, I'd be interested to hear about it.
Any network based solution I guess is only as good as the intelligence of known bad or suspicious patterns to look for.
For some IDS based open source solutions, you might find Richard Bejtlich's blog post "Seven Cool Open Source Projects for Defenders" interesting.
Host based indicators
The host based approach is to look at the memory or disk (binaries, registry, services etc.) for known malware or suspicious patterns. There are certainly many ways to do this besides the already mentioned solutions from Mandiant (and HBGary in a previous post).
Other free tools from Mandiant to check out are Memoryze, Audit Viewer and Redline to inspect memory for malicious or suspicious signs.
David Hoelzer has some interesting screencasts and blog posts (including scripts) about finding signs of infections.
# 19 : Detecting Signs of APT and Malware
# 18 : Detecting APT and Malware through Baseline Auditing
Detecting Malware & APT Like Threats - Domain Wide File Finder
Detecting APT and Other Zero Day Malware through Service Auditing
There are also some open source projects like MIR-ROR, Rapier and probably others I haven't looked at. The two mentioned above haven't been active for a while now.
Feedback welcome
If you have corrections, suggestions or other feedback, please contact me (toms.security.stuff at gmail dot com).
If you found my blog other than from my Twitter profile, feel free to follow me there (@c_APT_ure)
Saturday, August 13, 2011
Lots has hAP(T)ened since... Kill those Shady RATs...
Well, it's been a long time since my last post and lots has happened since. Where should I start...
Earlier this year there were details released about Operation Night Dragon.
Mandiant released its second M-Trends report ("when prevention fails"), also mentioned on Businesswire. There were also some new, interesting "State of the Hack" and "Fresh Prints of Malware" presentations.
And most recently, there was lots of news about the "Operation Shady RAT".
Read Ira Winkler's article about it and make your own opinion.
I'd like to cite one paragraph of it:
"This is the root of the problem with how security vendors are dealing with the chronic issue of APT. They treat their customers' misery as their own intellectual property. Companies that investigate APT-related attacks rarely share their findings. They don't exchange information about the most recent malware obfuscation techniques, the best methods to identify compromised systems, the newest malware signatures, etc. Instead, they keep most of the information to themselves and treat it as a competitive advantage. What sharing there is falls far short of what would be required to encourage a robust response capability."
So what are Indicators of Compromise (IOCs) good for? Well, if they only get used by one security company, they can't reach their full potential.
Or are IOCs widely used and shared and I just don't know about it? Please let me know.
And then there's yet another interesting paper linked in there, which I've previously found, but haven't fully read yet.
"Far more information about this sort of thing came out in 2009, when The US-China Economic and Security Review Commission released a Northrop Grumman-prepared report called "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation". That paper is infinitely more informative than anything that any security company has been willing to disclose."
Well, now it's time to read it (before it gets too outdated).
Friday, September 3, 2010
Mandiant's "Indicator of Compromise" (IOC) -- Part 2
Well, lots has happened since my last blog post. I'll try to focus on the things about APT and IOC that might interest you.
Mandiant had some interesting presentations about IOC and released the free tool IOCe to create them. There's also a forum about OpenIOC.
State of the Hack: ABCs of IOC (May 24, 2010)
Fresh Prints of Mal-ware: 0x1,0x2,0x3s of IOC (Aug 26, 2010)
Lots of other interesting things to talk about... as soon as I find time to write more :-)
Friday, April 9, 2010
Are all these APT?
Would you agree, that all the following are connected to the APT? What else is missing?
- Operation Aurora
- Mariposa Botnet
- GhostNet
- Shadow network
More than 100 companies targeted by Google hackers
The attack was larger than initially thought
"ISec Partners has published technical recommendations for companies to follow in order to mitigate the Aurora risk."
Security industry faces attacks it cannot stop
Analysis: Today's security products not much help for advanced persistent threat attacks
Update: Researchers track cyber-espionage ring to China
'Shadow' network detailed in report Tuesday by the Information Warfare Monitor
>>> http://shadows-in-the-cloud.net/ <<<
Targeted cyberattacks test enterprise security controls
Instead of prevention, the real focus should be attack mitigation
After Google-China dust-up, cyberwar emerges as a threat
The episode highlighted cyberthreats facing the U.S., but it's not a war -- yet
Update 24/04/2010:
Thanks Richard for the correction in your comment. I think I was misled by the mention of the Mariposa Botnet and APT in the same paragraph in several posts. But when re-reading it again, it does not make a connection between the two (except maybe that the usual security devices failed on both).
http://www.cio.com/article/574563/Security_Industry_Faces_Attacks_it_Cannot_Stop
http://www.blackhatsolutions.com/companynews/update_security_industry_faces_attacks_it_cannot_stop/
"The big news at the show had to do with the takedown of the Mariposa botnet -- a massive network of hacked computers that has infected half of the Fortune 100 companies. So-called advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December, were another hot topic.
Both Mariposa and the Google attacks illustrate the same thing, however. Despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe."
Mandiant's "Indicator of Compromise" (IOC)
There's another interesting approach from Mandiant:
Combat the APT by Sharing Indicators of Compromise (IOC)
"At DoD CyberCrime 2010 MANDIANT will formally release this format and tools to leverage it in your investigations today. We’ll have full coverage of the release on M-unition – stay tuned."
There's also a Google Group about IOC. But are there any tools available yet, or any IOC's?
I'll update when I find out.