Malware RSS Feed
The past Saturday we had the privilege of participating in this year’s edition of “Nuit du Hack”, a French security conference which brings together professionals and amateurs of all skill levels for a series of lectures and challenges. It’s a full day (and night) of hacking goodness. A cloudy day set the perfect mood at the venue, the Academie Fratellini, in the marvelous and beautiful city of Paris.
With an interesting mix of security talks, capture the flag challenges, bug bounty programs, and workshops, the audience was welcome to join in any activities they chose. It was a security professional’s vision of heaven: learning about the latest security trends and issues while enjoying a beer and even getting a glimpse of the legendary Captain Crunch walking around. It’s also a great place for people of all ages and backgrounds to get involved.
The event started at full throttle with a memorable keynote from the director of ANSSI (National Agency for the Security of Information Systems) Guillaume Poupard, who spoke about local cyber security risks such as industrial espionage, electronic warfare and infrastructure sabotage. Moreover, he emphasized the importance of maintaining a balance between security and legality, an ethical dilemma that many security practitioners are facing right now in their daily activities.
The content of the talks was undoubtedly varied, including some that were more technically oriented, while others focused exclusively on the analysis of current security trends, malware and vulnerabilities.
David Melendez spoke about how he was able to build drone control system from scratch, basing his architecture and design on a GNU/Linux OS. Using a regular home Wi-Fi router and conventional hardware materials such as Wii accelerometer, he demonstrated a plausible way to control the drone’s flight using nothing more than an everyday gaming joystick. By sending commands and establishing a secure communication channel between the drone and the pilot, he successfully implemented a new protocol based on the 802.11 standard so as to prevent man-in-the-middle attacks.
The Internet of Things (IoT) is a topic that cannot be ignored any security event. With a very interesting approach, Guillaume Greyhound put on the table a hypothetical scenario about what would happen if some disaster were to damage the current technological infrastructure of a country. How could we face the impending chaos?
Faced with this situation, he exposed how IoT technologies can play a very important role in the implementing low-cost solutions that rely, for example, on Raspberry Pi devices or custom built drones and antennae to maintain a backup communication network that can ensure the exchange of goods and services.
Afterwards, Karsten Nohl introduced us to the world of mobile communication vulnerabilities. Showing a wide array of different technologies and mobile communication protocols such as SS7 and 3G, and how these can be compromised, he grabbed the audience’s attention right from the start. The presentation made it clear that the basic security level for mobile networks is not the same in every country around the world, he explained that some regions are evidently more exposed to intervention and eavesdropping. He also shared some specific tools to evaluate a network’s security, asking attendees to join him in his effort to protect free speech and the privacy of every individual that uses this type of communication (everyone). Interestingly, he also showed some solutions to defend against such attacks, once again highlighting the importance of protecting and defending privacy in digital communications.
My colleague Santiago Pontiroli and I presented our joint research into the evolution of .NET and PowerShell malware, which we titled “The TAO of .NET and PowerShell Malware analysis”. In our talk, Santi showed how malware development on .NET and PowerShell has increased more than 6,000% since 2009 (unique detections), all while presenting a detailed analysis several samples built with these technologies. Everything from devious ransomware campaigns such CoinVault to more complex and persistent threats used by pro-government Syrian hacking groups was shown to the audience.
From my side, I shared another side of the seemingly benevolent PowerShell, demonstrating its powerful incident response and forensics capabilities for us security researchers, and how malware developers are using these same methods for anti-forensics and code protection. As they seek to avoid detection and extend a particular piece of malware’s functionality in post exploitation activities, a plethora of offensive frameworks depending on PowerShell are amongst the bad guys’ favorite weapons of choice.
In addition, I tried to explain how malware developers could be using different penetration testing frameworks as a way to develop malware more rapidly. Certainly, we have found enough evidence in a considerable amount of malware samples showing the usage of SET and other offensive frameworks in the development of everyday malware and APTs, such as the case with the previously reported Machete.
I raised a question with the crowd, asking about the risks involved in the growing trend of cross-platform software development… Will the ability of running a piece of software between different platforms easily enable cybercriminals to create the ultimate multi-platform malware?
In summary, this was a great event with exceptionally exciting talks and very interesting with professionals from all over the world (having Captain Crunch there was an added bonus). As they say…we’ll always have Paris. And Nuit du Hack, of course.
For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically. But we’ve seen information indicating that the scope of targets can be wider and is not limited to the entertainment business. We track samples of Winnti malware all the time, but had not been able to catch one with solid clues indicating other targeted industries. Also our visibility as a vendor does not cover every company in the world (at least so far ;)) and the Kaspersky Security Network (KSN) did not reveal other attacks except those against gaming companies. Well, sometimes targeted entities have been telecommunication companies, rather large holdings, but at least one of their businesses was in some way related to the production or distribution of computer games.
In April Novetta released its report on Winnti malware spotted in the operations of Axiom group. And Axiom group has been presented as a Chinese universal hacking actor carrying out espionage APT attacks against a whole range of different industries. So this report was another source of intelligence that Winnti was already not focused just on online games. Finally, we received a sample proving this.
The sample belongs to one of the Winnti versions described in Novetta’s report – Winnti 3.0. This is one of the Dynamic Link Libraries composing this RAT (Remote Access Trojan) platform – the worker library (which in essence is the RAT DLL) with the internal name w64.dll and the exported functions work_end and work_start. Since, as usual, this component is stored on the disk with the strings and much of other data in the PE header removed/zeroed, it is impossible to restore the compilation date of this DLL. But this library includes two drivers compiled on August 22 and September 4 2014. The sample has an encrypted configuration block placed in overlay. This block may include a tag for the sample – usually it is a campaign ID or victim ID/name. This time the operators put such tag in the configuration and it turned out to be the name of the well-known global pharmaceutical company headquartered in Europe:
Besides the sample tag, the configuration block includes the names of other files involved in the working of the RAT platform and the service name (Adobe Service), after which malware is installed. The presence of the following files could indicate that the system has been compromised:
One of the mentioned drivers (a known, malicious Winnti network rootkit) was signed with a stolen certificate of a division of a huge Japanese conglomerate. Although this division is involved in microelectronics manufacturing, other business directions of the conglomerate include development and production of drugs and medicine equipment as well.
Although the nature of the involvement of Winnti operators, who were earlier perceived to be a threat only to the online gaming industry, in the activities of other cyber-espionage teams still remains rather obscure, the evidence is there. From now on, when you see Winnti mentioned, don’t think just about gaming companies; consider also at least targeted telecoms and big pharma.
Here are the samples in question:
8e61219b18d36748ce956099277cc29b – Backdoor.Win64.Winnti.gy
5979cf5018c03be2524b87b7dda64a1a – Backdoor.Win64.Winnti.gf
ac9b247691b1036a1cdb4aaf37bea97f – Rootkit.Win64.Winnti.ai
Unlike conventional World Wide Web technologies, the Tor Darknet onion routing technologies give users a real chance to remain anonymous. Many users have jumped at this chance – some did so to protect themselves or out of curiosity, while others developed a false sense of impunity, and saw an opportunity to do clandestine business anonymously: selling banned goods, distributing illegal content, etc. However, further developments, such as the detention of the maker of the Silk Road site, have conclusively demonstrated that these businesses were less anonymous than most assumed.
Intelligence services have not disclosed any technical details of how they detained cybercriminals who created Tor sites to distribute illegal goods; in particular, they are not giving any clues how they identify cybercriminals who act anonymously. This may mean that the implementation of the Tor Darknet contains some vulnerabilities and/or configuration defects that make it possible to unmask any Tor user. In this research, we will present practical examples to demonstrate how Tor users may lose their anonymity and will draw conclusions from those examples.How are Tor users pinned down?
The history of the Tor Darknet has seen many attempts – theoretical and practical – to identify anonymous users. All of them can be conditionally divided into two groups: attacks on the client’s side (the browser), and attacks on the connection.Problems in Web Browsers
The leaked NSA documents tell us that intelligence services have no qualms about using exploits to Firefox, which was the basis for Tor Browser. However, as the NSA reports in its presentation, using vulnerability exploitation tools does not allow permanent surveillance over Darknet users. Exploits have a very short life cycle, so at a specific moment of time there are different versions of the browser, some containing a specific vulnerability and other not. This enables surveillance over only a very narrow spectrum of users.
The leaked NSA documents, including a review of how Tor users can be de-anonymized (Source: www.theguardian.com)
As well as these pseudo-official documents, the Tor community is also aware of other more interesting and ingenuous attacks on the client side. For instance, researchers from the Massachusetts Institute of Technology established that Flash creates a dedicated communication channel to the cybercriminal’s special server, which captures the client’s real IP address, and totally discredits the victim. However, Tor Browser’s developers reacted promptly to this problem by excluding Flash content handlers from their product.
Flash as a way to find out the victim’s real IP address (Source: http://web.mit.edu)
Another more recent method of compromising a web browser is implemented using the WebRTC DLL. This DLL is designed to arrange a video stream transmission channel supporting HTML5, and, similarly to the Flash channel described above, it used to enable the victim’s real IP address to be established. WebRTC’s so-called STUN requests are sent in plain text, thus bypassing Tor and all the ensuing consequences. However, this “shortcoming” was also promptly rectified by Tor Browser developers, so now the browser blocks WebRTC by default.Attacks on the communication channel
Unlike browser attacks, attacks on the channel between the Tor client and a server located within or outside of the Darknet seem unconvincing. So far most of the concepts were presented by researchers in laboratory conditions and no ‘in-the-field’ proofs of concept have been yet presented.
Among these theoretical works, one fundamental text deserve a special mention – it is based on analyzing traffic employing the NetFlow protocol. The authors of the research believe that the attacker side is capable of analyzing NetFlow records on routers that are direct Tor nodes or are located near them. A NetFlow record contains the following information:
- Protocol version number;
- Record number;
- Inbound and outgoing network interface;
- Time of stream head and stream end;
- Number of bytes and packets in the stream;
- Address of source and destination;
- Port of source and destination;
- IP protocol number;
- The value of Type of Service;
- All flags observed during TCP connections;
- Gatway address;
- Masks of source and destination subnets.
In practical terms all of these identify the client.
De-anonymizing a Tor client based on traffic analysis
This kind of traffic analysis-based investigation requires a huge number of points of presence within Tor, if the attacker wants to be able to de-anonymize any user at any period of time. For this reason, these studies are of no practical interest to individual researchers unless they have a huge pool of computing resources. Also for this reason, we will take a different tack, and consider more practical methods of analyzing a Tor user’s activity.Passive monitoring system
Every resident of the network can share his/her computing resources to arrange a Node server. A Node server is a nodal element in the Tor network that plays the role of an intermediary in a network client’s information traffic. In this Darknet, there several types of nodes: relay nodes and exit nodes. An exit node is an end link in traffic decryption operation, so they are an end point which may become the source of leaking interesting information.
Our task is very specific: we need to collect existing and, most importantly, relevant onion resources. We cannot solely rely on internal search engines and/or website catalogs, as these leave much to be required in terms of the relevance and completeness of contained information.
However, there is a straightforward solution to the problem of aggregation of relevant websites. To make a list of the onion resources that were recently visited by a Darknet user, one needs to track each instance of accessing them. As we know, an exit node is the end point of the path that encrypted packets follow within the Darknet, so we can freely intercept HTTP/HTTPS protocol packets at the moment when they are decrypted at the exit node. In other words, if the user uses the Darknet as an intermediary between his/her browser and a web resource located in the regular Internet, then Tor’s exit node is the location where packets travel in unencrypted format and can be intercepted.
We know that an HTTP packet may contain information about web resources, including onion resources that were visited earlier. This data is contained in the ‘Referrer’ request header, which may contain the URL address of the source of the request. In the regular Internet, this information helps web masters determine which search engine requests or sites direct users towards the web resource they manage.
In our case, it is enough to scan the dump of intercepted traffic with a regular expression containing the string ‘onion’.
There is a multitude of articles available on configuring exit nodes, so we will not spend time on how to configure an exit node, but instead point out a few details.
First of all, it is necessary to set an Exit Policy that allows traffic communication across all ports; this should be done in the configuration file torrc, located in the Tor installation catalog. This configuration is not a silver bullet but it does offer a chance of seeing something interesting at a non-trivial port.
>> ExitPolicy accept *:*
The field ‘Nickname’ in the torrc file does not have any special meaning to it, so the only recommendation in this case is not to use any conspicuous (e.g. ‘WeAreCapturingYourTraffic’) node names or those containing numbers (‘NodeNumber3′) that might suggest an entire network of such nodes.
After launching a Tor server, it is necessary to wait until it uploads its coordinates to the server of directories – this will help our node declare itself to all Darknet participants.
An exit node in operation
After we launched the exit mode and it began to pass Tor users’ traffic through itself, we need to launch a traffic packet sniffer and intercept the passing traffic. In this case, tshark acts as a sniffer, listening to interface #1 (occupied by Tor) and putting the dump into the file ‘dump.pcap':
>>tshark –i 1 –w dump.pcap
Tshark intercepts packets that pass through the exit node in unencrypted format
All the above actions must be done on as many servers as possible to collect as much information of interest as possible. It should be noted that the dump grows quite quickly, and it should be regularly collected for analysis.
Thus, once you receive a huge dump, it should be analyzed for onion resources. Skimming through the dump helps to categorize all resources visited by Tor users by content type.
It should be noted that 24 hours of uninterrupted traffic interception (on a weekday) produce up to 3GB of dump for a single node. Thus, it cannot be simply opened with Wireshark – it won’t be able to process it. To analyze the dump, it must be broken into smaller files, no larger than 200 MB (this value was determined empirically). To do so, the utility ‘editcamp’ is used alongside with Wireshark:
>> editcap – c 200000 input.pcap output.pcap
In this case, 200,000 represents the number of packets in a single file.
While analyzing a dump, the task is to search for strings containing the substring “.onion”. This very likely will find Tor’s internal resources. However, such passive monitoring does not enable us to de-anonymize a user in the full sense of the word, because the researcher can only analyze those data network packets that the users make available ‘of their own will’.Active monitoring system
To find out more about a Darknet denizen we need to provoke them into giving away some data about their environment. In other words, we need an active data collection system.
An expert at Leviathan Security discovered a multitude of exit nodes and presented a vivid example of an active monitoring system at work in the field. The nodes were different from other exit nodes in that they injected malicious code into that binary files passing through them. While the client downloaded a file from the Internet, using Tor to preserve anonymity, the malicious exit node conducted a MITM-attack and planted malicious code into the binary file being downloaded.
This incident is a good illustration of the concept of an active monitoring system; however, it is also a good illustration of its flipside: any activity at an exit node (such as traffic manipulation) is quickly and easily identified by automatic tools, and the node is promptly blacklisted by the Tor community.Let’s start over with a clean slate
- Various graphics drivers and hardware components installed on the client’s side;
- Various sets of software in the operating system and various configurations of the software environment.
The parameters of rendered images can uniquely identify a web-browser and its software and hardware environment. Based on this peculiarity, a so-called fingerprint can be created. This technique is not new – it is used, for instance, by some online advertising agencies to track users’ interests. However, not all of its methods can be implemented in Tor Browser. For example, supercookies cannot be used in Tor Browser, Flash and Java is disabled by default, font use is restricted. Some other methods display notifications that may alert the user.
Thus, our first attempts at canvas fingerprinting with the help of the getImageData()function that extracts image data, were blocked by Tor Browser:
However, some loopholes are still open at this moment, with which fingerprinting in Tor can be done without inducing notifications.By their fonts we shall know them
Tor Browser can be identified with the help of the measureText()function, which measures the width of a text rendered in canvas:
Using measureText() to measure a font size that is unique to the operating system
If the resulting font width has a unique value (it is sometimes a floating point value), then we can identify the browser, including Tor Browser. We acknowledge that in some cases the resulting font width values may be the same for different users.
It should be noted that this is not the only function that can acquire unique values. Another such function is getBoundingClientRect(),which can acquire the height and the width of the text border rectangle.
When the problem of fingerprinting users became known to the community (it is also relevant to Tor Browser users), an appropriate request was created. However, Tor Browser developers are in no haste to patch this drawback in the configuration, stating that blacklisting such functions is ineffective.
Tor developer’s official reply to the font rendering problemField trials
This approach was applied by a researcher nicknamed “KOLANICH”. Using both functions, measureText() and getBoundingClientRect(), he wrote a script, tested in locally in different browsers and obtained unique identifiers.
Using the same methodology, we arranged a test bed, aiming at fingerprinting Tor Browser in various software and hardware environments.
A fragment of a web-server’s log with a visible Tor Browser fingerprint
At this time, we are collecting the results of this script operating. To date, all the returned values are unique. We will publish a report about the results in due course.Possible practical implications
- Internal onion resources and external web sites controlled by the attackers. For example, an attacker launches a ‘doorway’, or a web page specially crafted with a specific audience in view, and fingerprints all visitors.
- Internal and external websites that are vulnerable to cross-site scripting (XSS) vulnerabilities (preferably stored XSS, but this is not essential).
Objects that could fingerprint a Tor user
The last item is especially interesting. We have scanned about 100 onion resources for web vulnerabilities (these resources were in the logs of the passive monitoring system) and filtered out ‘false positives’. Thus, we have discovered that about 30% of analyzed Darknet resources are vulnerable to cross-site scripting attacks.
The process of de-anonymizing a Tor user
Following this approach, the attacker could, in theory, find out, for instance, sites on which topics are of interest to the user with the unique fingerprint ‘c2c91d5b3c4fecd9109afe0e’, and on which sites that user logs in. As a result, the attacker knows the user’s profile on a web resource, and the user’s surfing history.In place of a conclusion
Let’s examine a couple of interesting delivery techniques from an APT active for the past several years, the Spring Dragon APT. A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label “the Lotus Blossom Operation“, likely named for the debug string present in much of the “Elise” codebase since at least 2012: “d:\lstudio\projects\lotus\…”.
The group’s capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years. Instead, the group is known to have employed half day spearphish exploits, strategic web compromises, and watering holes employing fake Flash player update re-directions. The group’s spearphish toolset includes PDF exploits, Adobe Flash Player exploits, and the common CVE-2012-0158 Word exploits including those generated from the infamous “Tran Duy Linh” kit. While ongoing attacks by the Spring Dragon APT take us back to a focus on Vietnam, they appear to have rolled out a steady mix of exploits against defense subcontractors around the world and government related organizations in VN, TW, PH, and other locations over the past few years. Let’s take a quick look at a couple more examples of their intrusion capabilities that haven’t been mentioned elsewhere.
Organizations located in Myanmar and targeted by Spring Dragon have gone unmentioned. But Spring Dragon’s infiltration techniques there were not simply 0158 spearphish, they also compromised sites. In one case, they replaced specialized font installers needed to render Myanma font. You can see an image here of the “Planet Myanmar” website in late 2012 distributing such a package. All of the zip links were redirected to a poisoned installer zip file. The download name was “Zawgyi_Keyboard_L.zip”, and it dropped a “setup.exe” that contained several backdoor components, including an Elise “wincex.dll” (a42c966e26f3577534d03248551232f3, detected as Backdoor.Win32.Agent.delp). It beacons out with the typical Elise GET request “GET /%x/page_%02d%02d%02d%02d.html”, as documented in the Lotus Blossom paper.
Another APT later abused this exact site to deliver malicious VBS (CVE-2014-6332) exploits in November of 2014 with a Lurid variant payload. And that same group also served a malicious PDF exploit (CVE-2010-2883) from this site in June 2012 as “Zawgyi Unicode Keyboard.pdf”. Even earlier than that, they spearphished with that same PDF exploit object later hosted on the website under different file names. In November 2011, they used filenames appropriate for their spearphishing targets with this exploit like “台灣安保協會「亞太區域安全與台海和平」國際研討會邀 請 函_20110907.pdf” (“Taiwan Security Association International Seminar Invitation – the Asia-Pacific regional security and peace in the Taiwan Strait”), “china-central_asia.pdf”, “hydroelectric sector.pdf”, and various governmental related proposals. In this case, there was unexpected overlap from two APT.
Another interesting technique that we observed in use against government targets was a campaign that lured recipients to a site redirecting users to a spoofed Flash installer site.
This site in turn redirected users to a Flash installer bundled with the common Elise backdoor, eventually communicating with 18.104.22.168 and its usual “GET /14111121/page_321111234.html HTTP/1.0″.
hxxp://www.bkav2010.net/support/flashplayer/downloads.html → redirected to
While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past, Spring Dragon employs more involved and creative intrusive activity as well.