Tuesday, July 24, 2012

Saturday, July 21, 2012

Website of South Korean news agency hosting malware

Google safe browsing is showing that the website of Yonhap news, South Korea's largest news organization, is hosting malware. See images below.

Monday, July 9, 2012

MacControl cyber espionage RAT linked to Chinese source code

The recently discovered Mac Control cyber espionage tool used within an espionage campaign against Tibetan related NGOs and described by AlienVault probably draws on code available on the Chinese web. Searching for strings within the tool reveals the following function names(the below image linked from the Microsoft analysis).

A Google search of the Internet for the strings "ParseCMD" "NM_CMD_S" results in only 5 hits. 
These five results are all Chinese programming forums. The number 1 hit is for a posting to the programming forum www.pudn.com/. The hit is for strings within the source code package shykVC.rar(size 1072 K) uploaded 2009-03-02 by 许凤(Xu Feng) and downloaded 425 times.

blog post by dmackey

Monday, July 2, 2012

SSL encryption being used in malware command and control

Evolution in malware command and control presents a significant challenge to network based intrusion detection. According to an October 2011 report by TrendMicro some targeted attacks are making use of SSL encrypted command and control communications. These techniques are a response to defensive measures taken against standard command and control mechanisms which use specially created domains and DNS. Damballa's work provides an example of such defense. Here are some excepts from the TrendMicro report.

"There are malware samples that use webmail accounts as elements of command and control. When malware connects to well known services such as Gmail or Yahoo! Mail the session is protected by SSL encryption and therefore network monitoring software will be unable to determine if the subsequent traffic is malicious or not. The attackers use such webmail accounts to send commands to compromised hosts, update compromised hosts with additional malware tools or components, and ex-filtrate data from compromised hosts. In addition to webmail services, could-based storage services are being used to host additional malware components. The use of such services provides the attackers with command and control infrastructure that cannot be easily detected as malicious."

"Some threat actors use compromised legitimate sites as command and control servers. This allows the attackers some element of deception because even if the network communication is detected as anomalous, upon further inspection the website will be determined to be legitimate. One threat actor simply embeds commands within HTML comment tags in web pages on compromised, legitimate web sites. The malware simply visits these pages and extracts and decodes the commands. The use of custom base64 alphabets and XOR makes decoding the command and the network traffic increasingly difficult. In addition, attackers are making use of stolen or forged SSL certificates in an attempt to make their network traffic appear to be legitimate."

These techniques make detection of command and control communications very difficult and will defeat many network based IDS. This situation reveals problems at the core of computer security. A small change by the attacker results in a significant expense by defenders to produce new defensive measures. Lets look at the most troubling of these techniques.

SSL encrypted session with Gmail, command and control via Gmail

An example, syschk.ocx (md5:16ba21c1eac48eb20c04ac91ef9c2bd1) is available at the links below.




How is an enterprise to detect this? One detection option is to use an SSL interception proxy and then run signatures over the decrypted traffic. But this is terribly cumbersome, running an SSL interception proxy can be a nightmare for a large enterprise. And this suffers from the problems standard IDS has which is that the system only detects known threats. The other is to use anomaly detection to detect anomalous SSL flows, some research on this has been done, see this report. But anomaly detection suffers from high false positives, and I have my doubts about whether this would work with a large enterprise. In addition an attacker could modify their malware so that C&C communications better mimic standard SSL communications.

As the Australian Defense Signals Directorate showed network based IDS is not the best way to prevent targeted attacks. The best approach involves an effective OS and third party software patching program coupled with application whitelisting and a heavy reduction in administrative accounts.

Tuesday, June 26, 2012

Security Service(MI5) Director General speaks on cyber security

The Director General of the British Security Service(MI5), Jonathon Evans, spoke at Mansion House on security threats facing the UK including cyber security issues.  Some interesting points fromm the speech include the following.

"Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states. And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both State sponsored cyber espionage and organised cyber crime."

"What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations. And the threat to businesses relates not only to major industrial companies but also to their foreign subsidiaries, and to suppliers of professional services who may not be so well protected."

"One major London listed company with which we have worked estimates that it incurred revenue losses of some £800m as a result of hostile state cyber attack – not just through intellectual property loss but also from commercial disadvantage in contractual negotiations. "

The full speech is available here.

Friday, June 22, 2012

South Korea facing North Korean cyber attack campagin

South Korea is facing an increasing onslaught of cyber attacks from North Korea. Below is a list of the most recent significant incidents. This is a useful tactic for North Korea as it is difficult for South Korea to respond.North Korea has little Internet infrastructure to attack via computer network operations(CNO) and it would take an extreme North Korean attack involving loss of life to prompt South Korea responding militarily. South Korea, one of the most networked countries on Earth, has to just play defense and take the hits.

June 2012, South Korean Newspaper JoongAng Ilbo
In June 2012 cyber actors linked to North Korea attempted to destroy the newspaper's article database and the editing system which moves articles through the paper's intranet. Link. Previous blog entry.

April 2011, South Korean National Agricultural Co-operative Federation(NACF, Nonghyup Bank)
In April 2011 cyber actors linked to North Korea destroyed 100s of the Nonghyup Bank's internal computer servers disrupting banking services for millions of customers for over a week. Link.

March 2011, DDoS against South Korean websites
In March 2011 an advanced DDoS attack was launched against a number of South Korean websites, the computers used by the botnet which launched the attack were rendered unusable after the attack by overwriting the hard drive's Master Boot Record(MBR). Link.
The attacks in March were also linked to a covert North Korean operation to import computer games containing malware into South Korea. Link.

July 2009 DDoS against South Korean and US websites
In July 2009 several waves of DDoS attacks targeted South Korean and US websites. Link.

Further reading

"Increasing concerns regarding cyber warfare capabilities of North Korea", Security Affairs Blog
"North Korea's cyber warfare strength grows", Bloomberg News
"North Korea's IP address space"North Korean Tech blog