The Question of WireLurker Attribution: Who Is Responsible?

After news of WireLurker began circulating in a handful of Chinese-language tech forums over the summer, a Chinese-language technology blogger conducted online research in an attempt to track down the author of WireLurker and engage him in an online chat. While it is unclear whether he found the actual author, it appears he was able to locate someone associated with the company that produced WireLurker and controlled the Command and Control (C2) domain.

The following is a translated summary of the Chinese blogger’s investigation with supplemental research and analysis conducted by Unit 42. Due to the amount of personal information the original blog contains, we will make the blog address available only upon request.


Kuluoz Trends – October 2014

The Asprox/Kuluoz malware family has a special place in our hearts at Palo Alto Networks. This botnet-related Trojan malware has evolved from its 2007 roots into a simple and yet robust mass e-mail phishing threat that is the origin of a significant percentage of Internet spam today. This post further explores trends for this malware family, based on October 2014 data from our WildFire platform.

Some Background

The modern Kuluoz is known for the following:

  • High distribution volume through geolocation-associated spam e-mail templates
  • Use of e-mail attachments and Web links that masquerade as document or media files
  • Modular design, promoting extensibility
  • Distinct, default botnet node roles of spam generator for continued botnet propagation, downloader of additional malware and distributor of generalized commercial spam
  • Platform-specific malware delivery based on user agent detection

Themes for Kuluoz propagation spam have ranged across legal notices (e.g., court order), package delivery messages (e.g., FedEx, UPS, DHL), voicemail service notifications (e.g., WhatsApp), general current events (e.g., 2014 polar vortex), and online deals (e.g., free pizza from Pizza Hut) – to name a few.

WireLurker for Windows

Summary

Yesterday we published a whitepaper introducing WireLurker, the first malware attacking both non-jailbroken and jailbroken iOS devices from a Mac OS X system. Shortly after we released the paper, Jaime Blasco from AlienVault Labs notified us that he’d found a Windows executable file that contains WireLurker’s command and control server address. We analyzed and investigated the sample and have confirmed that it is an older version of WireLurker.

This variant is being distributed by a different Chinese source that is hosting 180 Windows executables and 67 Mac OS X applications, each of which contains a version of the WireLurker Trojan. The Windows variant opens a new vector for iOS users to be infected with WireLurker, but appears to have been less successful than its Mac OS X descendant.

WireLurker: A New Era in OS X and iOS Malware

Today we published a new research paper on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months. We believe that this malware family heralds a new era in malware attacking Apple’s desktop and mobile platforms based on the following characteristics:

  • Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen
  • It is only the second known malware family that attacks iOS devices through OS X via USB
  • It is the first malware to automate generation of malicious iOS applications, through binary file replacement
  • It is the first known malware that can infect installed iOS applications similar to a traditional virus
  • It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning

WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.


Examining a VBA-Initiated Infostealer Campaign

While Microsoft documents that leverage malicious, embedded Visual Basic for Applications (VBA) macros are not a new thing, their use has noticeably increased this year, thanks in part to their simplicity and effectiveness.

Some threat actors commonly use this class of malware to drop a second stage payload on victim systems. Even though Microsoft attempts to mitigate this threat by disabling macros by default, the percentage of users who explicitly bypass this protection and enable macros remains high.

The most effective attacker strategy exploits the human factor: the tried and true spear phishing attack, ideally made to look authentic by appearing to originate from a legitimate organization or individual and containing role-relevant or topic-of-interest content to entice its intended target. This post examines an information stealer campaign that leveraged a VBA macro script, focusing on its progression, from delivery to Command and Control (C2), and its attribution to a malicious actor for context on objectives and motivation.

Delivery and Exploitation

The recent campaign started with an email sent to an employee responsible for processing financial statements at a global financial organization (Figure 1). The sender’s email address was spoofed as originating from an energy company. Subsequent analysis would show that this façade was very thin; yet, it is often all that is required to encourage a user to open an attachment or click on a link that then executes malicious code.

Dridex Banking Trojan Distributed Through Word Documents

Dridex, the latest descendant of the Bugat/Feodo/Cridex banking Trojan lineage, has been a constant source of attacks since its release in July. To date, Dridex has centered on sending executable attachments via e-mail. That seems to have changed this week, as we’ve seen a tactical shift to sending those executable attachments via Microsoft Word documents loaded with macros that download and execute the malware.

Like its precursors, Dridex is a sophisticated banking Trojan, similar to the infamous Zeus malware. Its core functionality is to steal credentials for online banking websites and allow a criminal to use those credentials to initiate transfers and steal funds. Dridex uses an XML-based configuration file to specify which websites it should target and other options for the malware. For instance, the configuration specifies which websites to capture form submissions from, and which to ignore, with the following XML.

Tracking New Ransomware CryptoWall 2.0

The latest development in the ransomware world is CryptoWall 2.0, a new version of this malware family that uses the Tor network for command and control.

F-Secure was the first to spot this new version on October 1, but since then the attacks have ramped up and new variants of the malware are emerging daily. Our WildFire analysis platform has picked up 84 CryptoWall 2.0 variants since September 30, delivered primarily through e-mail attachments but also through malicious PDFs and web exploit kits.

CryptoWall 2.0 is similar to other ransomware attacks that have plagued users and businesses for nearly a decade. Once it is running on a system, CryptoWall 2.0 seeks out document files and encrypts them using the RSA encryption algorithm. The attacker holds the key necessary to decrypt the files unless the victim agrees to pay a $500 ransom.

Unlike previous versions of CryptoWall, 2.0 communicates with its command and control (C2) server through the Tor anonymization network. This allows attackers to hide their communications and avoid having their C2 servers shut down, but also makes it easy for organizations to block the threat. CryptoWall isn’t the only threat that communicates over Tor and if your network doesn’t have an explicit reason to allow anonymization networks, you should consider blocking the application altogether with your firewall.

If your system has already been infected with CryptoWall 2.0, you’ll see a pop-up just like this one shortly after the malware has encrypted your documents.


POODLE like it’s 1999

1999 was a pretty interesting year for the Internet and security. To jog your memory, here are just a few of the major events from the ultimate (or penultimate, depending on your point of view) year of the last millennium.

  • The Melissa Virus was infecting millions of hosts using malicious e-mails.
  • Both Napster and MySpace made their first public appearances.
  • Internet Explorer 5.0 was released for Windows 3.1, 95 and 98.
  • The TLSv1 specification was published to replace SSLv3 to improve security of Internet communications.

In the 15 years since TLS was introduced it has been widely adopted, but in many ways SSLv3 has hung on. The two specifications are very similar but not interoperable, and applications that implement TLS are often capable of falling back to SSL to support legacy servers. Cryptologists have slowly chipped away at the security of SSL over the last decade, discovering ways to reveal larger and larger pieces of information from encrypted sessions.

Super Tuesday: A Patch Tuesday We Won’t Forget

Sometimes “Patch Tuesday” comes and goes with little excitement or fanfare; yesterday was not one of those days. In just one day, Oracle released patches for 154 new vulnerabilities, Adobe issued updates for Flash and ColdFusion, and Microsoft released 24 patches of their own. On top of the sheer volume of patches, we learned that three of the Microsoft vulnerabilities were being exploited in targeted attack campaigns.


Palo Alto Networks Identifies Critical Internet Explorer Vulnerability

Palo Alto Networks researcher Bo Qu discovered a new critical Internet Explorer (IE) vulnerability impacting IE versions 6, 7, 8, 9 and 10. The vulnerability allows for full remote code execution using a memory corruption flaw. The vulnerability is documented in Microsoft Security Bulletin MS14-056 and is part of the October 2014 Security Bulletin.

In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsible disclosure of new vulnerabilities and creation of protections from security vendors.

Rovnix and the Declaration Generation Algorithm

Since the success of Conficker in 2008, multiple malware families have started using Domain Generation Algorithms (DGAs) to make their command and control infrastructure more resilient to take-down. By generating new domains every day, the attacker can recapture their botnet even if one of the command and control domains is taken down or if security teams block access to them. Most DGAs create new domains somewhat randomly based on the day, month and year, along with some predefined inputs that allow the attacker to predict which domain the malware will use on a particular day. On October 9, CSIS published a blog on the latest version of Rovnix, which appears to use the text of the US Declaration of Independence as an input to its DGA.

New Indicators of Compromise for APT Group Nitro Uncovered

In mid-July of this year, we noticed yet another legitimate website had been compromised by APT actors and was serving malware. In this case, it was a group commonly referred to as “Nitro,” which was coined by Symantec in its 2011 whitepaper.

As we dug deeper, we found additional compromised legitimate websites and malware from the same group back through March of this year. In most instances, the malware is one commonly referred to as “Spindest,” though we also found “PCClient” and “Farfli” variants in use by the group. We don’t have enough data to say for certain that all of the malware in this blog was delivered via compromised legitimate websites.

Historically, Nitro is known for targeted spear phishing campaigns and using Poison Ivy malware, which was not seen in these attacks. Since at least 2013, Nitro appears to have somewhat modified their malware and delivery methods to include Spindest and legitimate compromised websites, as reported by Cyber Squared’s TCIRT. Our findings indicate they are continuing to evolve with the addition of PCClient and Farfli variants. The Maltego screenshot below shows the activity we describe in this blog.


Malware Trending: STUN Awareness

Session Traversal Utilities for NAT (STUN) is a network protocol with standardized methods that enables a host on an internal address space behind Network Address Translation (NAT) to determine its Internet-facing (public) IP address.

STUN has several legitimate uses, including enablement of NAT traversal for voice over IP (VOIP), messaging, video, and other IP-based interactive communication. As an example, Palo Alto Networks wrote a blog post back in 2010 covering how STUN works with VOIP. The standard ports for STUN include 3478 for TCP and UDP, as well as 5349 for TLS. In the information security tradition of turning things on their side and looking for interesting findings, this post focuses on the misuse of STUN by malware and associated trending.

The impetus for closer inspection of malware’s use of this protocol was a Stop Malvertising report on Dyreza, which noted how the banking trojan employed STUN to determine an infected host’s public IP behind a NAT. While the variant analyzed included a fallback mechanism of reaching out to icanhazip.com in the event STUN didn’t work, its inclusion of STUN functionality still caught our attention.

To start our investigation we searched the Palo Alto Networks WildFire platform for samples flagged as malware that had communicated with the STUN servers listed in the Stop Malvertising report.

Palo Alto Networks Addresses Bash Vulnerability Shellshock: Mitigation for CVE-2014-6271

Around 6:00 am PST on September 24, the details of a vulnerability in the widely used Bourne Again Shell (Bash) were disclosed by multiple Linux vendors. The vulnerability, assigned CVE-2014-6271 by Mitre, was originally discovered by Stephane Chazelas, a Unix and Linux network and telecom administrator and IT manager at UK robotics company SeeByte, Ltd.

While this vulnerability didn’t come with quite the fanfare or a catchy name like Heartbleed, the security community quickly dubbed it “Shellshock.” Bash is present in most Linux and Unix distributions as well as Apple’s Mac OS X, and there’s a good chance anyone reading this has a system they need to patch.

Palo Alto Networks initiated an emergency IPS content release to detect this vulnerability last night with Signature ID 36729, “Bash Remote Code Execution Vulnerability.”

All versions of PAN-OS and Panorama include the vulnerable version of Bash, but we’ve determined the issue is only exploitable by authenticated users. Normal PAN-OS maintenance release updates will provide a fix for the vulnerability. We have posted the advisory on our product vulnerability page. Read on for more details.


We Know It Before You Do: Predicting Malicious Domains

Today at the 2014 Virus Bulletin International Conference (VB2014) in Seattle, Palo Alto Networks is presenting a paper entitled “We Know It Before You Do: Predicting Malicious Domains.” We’re excited to share the key points of our paper and presentation here for everyone who couldn’t see it in person.


Malicious domains are key to the success of nearly all popular attack vectors, supporting malware distribution, command and control (C2) server hosting and traffic distribution. Most modern domain reputation systems are designed to detect and block malicious domains based on observation of suspicious activity. This activity can include detection of malicious content (e.g., malware, web pages with exploit code, web pages with drive-by downloads, etc.) and observed behavior (e.g., communication with infected hosts to collect private information, launch attacks, etc.).

To bypass such defenses, an increasing trend is that many malicious domains are only used for a very short period of time. There are two factors that make this practice appealing to an attacker.