Spear-phishing, watering hole attacks, drive-bys, etc – these are the new favored attack vectors for our adversaries. There are a few primary reasons for this…they know that we’ve got hundreds, thousands or even tens of thousands of users always online and that the business demands virtually unfettered access to the Internet. They know that  human curiosity can’t be patched and that this curiosity not only kills the cat, it gets your network pwned. Unfortunately, they know that we’ve largely left the endpoint to rot in terms of replacing security controls…and they’ve made that endpoint the new perimeter.

I’ve been on the road a lot recently – at a dozen or more industry events talking to literally hundreds of security pros. Through these conversations I’ve been struck by some stark realizations…

1. We all know that the user is our weakest link but don’t have answers to solve this problem

2. For the most part, there is a fundamental lack of confidence in prevention…and there is definitely a lack of confidence in  the layered controls that we currently have in place to stop zero-days and APTs.

3. No one…and I mean NO ONE felt that the existing endpoint controls were effective in stopping advanced threats

4. Most agreed that the endpoint was the new perimeter…yet they had no faith in their approach to protecting it

And it dawned on me…we’re largely losing the battle to our adversaries because touching the endpoint is an uncomfortable proposition…but make no mistake, it MUST be done.

Cynicism has gripped us all – and especially you as practioners. I don’t blame you - you’ve been sold a bill of goods time and time again. Vendors promising silver bullets and “100% security” have let you down (pro-tip: they always will), the business has failed to understand that there is no end-state in security (this is an on-going insurgent war) and you’ve been drawn and quartered by the reduction of staff in the face of increasing adversarial threats and choking compliance regimes.

But here is the thing – we can’t let this cynicism win out or we’ll never be able to retake the high ground against our foes. I want to suggest that we take a new look at prevention – not some security panacea, but a darn good approach to solving the user problem – and lets let the real-world results guide our way of thinking.

And yes, I suggest that this new approach to prevention takes place at the endpoint. This is a hard pill to swallow…its not as easy a proposition as racking and stacking network gear…but we’ve been racking and stacking and we’re still losing ground. The main attack surface – the laptop and desktop – is due up for some innovation.

Here are the wild claims I’ll make and I’ll let you decide if the case for Invincea is made/if we’re the type of firm you want to work with:

1. Invincea solves the user problem by delivering what the business and the security team demands. We give the user unfettered access to the Internet but protect them in a secure virutal container any time they come into contact with untrusted content. It is NOT a silver bullet…but it has been battle tested and proven effective time and time again.

2. We have demonstrated real-world results in terms of prevention – against both known and zero-day exploits and against the spear-phishing, watering hole and drive-by attack methods…look at what we’ve been able to do in just the last couple of months…

Drive-by Downloads detected in the wild:

• Speedtest.net <— used a Java 0day btw
• National Journal
• WTOP and FedNews Radio

Watering hole attacks detected in the wild:

• U.S. Department of Labor
• FemmeComp (U.S. Defense Contractor)

Spear-phishing thwarted by Invincea:

• Mandiant “APT-2″ campaign
• Word borne spear-phishing campaign
• Boston Marathon tragedy spear-phishing campaign

3. We can offer protection of your new perimeter against advanced threats…we’ve proven our ability to spot zero-days without the need for signatures.

4. We will always be your partner – we’ll help you deploy or connect you with partners that you already work with – and we will constantly keep our eye on the battle front and evolve our solutions accordingly. We launched with browser protection – when we saw the adversary move to PDF, we followed. When the tell tail signs were there that the Office suite was the next frontier, we rapidly innovated to move in that direction.

We get it – the bad guys are never going away and you need partners that will help you fight them today, tomorrow and into the distant future.

Take a look at Invincea – put it through its paces in your environment…we do what we say we do and stand at the ready to help you fight back against the scum that are constantly trying to break into your firm.

Keep fighting the good fight!

From Invincea’s perspective, it is important to point out that anytime an organization is victimized we should all take note of just how vulnerable the world is to cyber-threats at current. No organization is immune as the news shows us daily…and all of us need to find new an innovative ways to combat our collective adversaries.  Obviously, we think Invincea offers a good solution to prevent spear-phishing, watering hole attacks and drive-bys…but we’re by no means a panacea, just one new weapon in the fight.

We received a TON of questions about the news that broke over the past couple of weeks and with this short post want to provide answers as best we can to two of the most regularly asked. They relate to whether or not the Department of Labor watering hole and the WTOP/FedNewsRadio attacks were the same…if you read this and still have thoughts or concerns, please drop us a line – info@invincea.com

Keep fighting the good fight!

Q1: Does Invincea believe that the compromise of these mass media sites is related to the recent Department of Labor compromise?
A: At this time, Invincea has no evidence to support any claim that the attack on the Department of Labor (DoL) is related to the compromise of the mass media sites described in this analysis.  The exploit and payload used in the DoL case are vastly different than those observed in the mass media site compromises.

Q2: How are the attacks different?
A: In the DoL compromise, users were redirected to a malicious site that exploited an unknown or “zero day” flaw in Internet Explorer 8 only.  The exploit was only delivered if the operating system of the victim machine was detected as Windows XP.  If successfully exploited, the malware payload consisted of a Remote Access Trojan (RAT) that allow the attackers to gain access to the victim machine and execute arbitrary tasks.

In the case of WTOP and the others, the compromised site redirected users to malicious sites that were hosting a know exploit kit that targeted vulnerabilities not in Internet Explorer itself but rather vulnerable third party plugins such as Java and Adobe Reader.  The exploits used in these cases were not targeted “zero day” vulnerabilities, but rather known bugs that have been previously addressed by their respective vendors.  If successfully exploited, the malware payload consisted of a Fake Antivirus variant and the Zero Access rootkit.  The former attempts to trick the victim into paying to remove false virus infections.  The second payload causes the victim machine to join a botnet and can result in the system downloading additional malicious payloads to perform various tasks from click fraud to conducting DDoS attacks.

To continue on to the blog related to the WTOP and FedNewsRadio attacks, click here.

On the evening of May 6^th, it was reported that wtop[.] and federalnewsradio[.] were compromised and redirecting user traffic to an Exploit Kit serving the same FakeAV malware variant that was affecting visitors to dvorak[.]org over the weekend. We had visited the Dvorak site and conducted a thorough analysis of the infection and were preparing to blog about the same when this discovery was made. WTOP is the largest radio station in the Washington DC metropolitan area by marketshare and is an all-news radio station. FederalNewsRadio is a sister news station targeted to reach the Federal workforce. Dvorak is a tech blogger/pundit. All three sites are known to have been compromised to infect their visitors with browser-based exploits of third party plug-ins including Java and Adobe. In the case of WTOP, the potential risk is a large number of their visitors may get compromised. In the case of FederalNewsRadio, the target audience is the Federal employee; therefore compromising FederalNewsRadio[.] is effectively setting a watering hole attack site for Federal employees. These are all media sites that are we know to have been compromised over the last several days. This is likely an indicator of a larger more widespread attack against online media sites.

Below you will see what happened when we visited the WTOP and FedNewsRadio sites in an Invincea protected browser. Further below we analyze this malware in depth using the Dvorak site infection as our source. Note that in all instances, we confirmed that the malware was detected and contained inside the Invincea protected environment:

wtop[.]com:

Details:

Federalnewsradio[.]com:

Details:

Invincea Browser Protection

The same detection content (Snort, Mandiant IOC, NetWitness rule) made available in our write-up on the dvorak[.]org compromise will detect this threat as well!

On Friday, May 3^rd 2013 several online sources including Graham Cluley of Sophos claimed that the website of well-known technology columnist John C. Dvorak had been compromised and was serving malware. Cluley in his blog stated “that Dvorak’s webmasters have probably fixed the problem by now”. We decided to test the hypothesis that the blog is serving malware or was fixed.

Using an Invincea protected Internet Explorer browser loaded with the typical plug-ins (Java, Acrobat Reader and Flash) we visited the dvorak[.]org site. Sure enough, upon browsing to the site, we received the following infection message from Invincea:

Curiously, we can see that the latest blog entry contains an update regarding recent reports of the site being hacked. The update states that malicious code was discovered in the “wp-config.php” file:

This is the main configuration file for the WordPress configuration management system. Given the amount of attention WordPress has received both recently and historically by miscreants seeking to hijack legitimate websites in order to drive user traffic to malware landing pages, this came as no surprise to us.

Turning our attention to the infection details, we see that shortly after visiting the main index page of dvorak[.]org, IE launches Java web start (javaws.exe) to pull a java application from a suspect jnlp URL:

During our visits to the dvorak[.]org site, we identified the following two jnlp URL’s in use:

javaw.exe writes a file to %userprofile% as 4289695.exe and launches cmd.exe to execute it as a process:

In the analysis window above, you can see that the virtual container was purged before the offending process 4289695.exe could perform additional activity. In a subsequent execution of this malicious payload we can see that it copies itself into %appdata%\Roaming as amsecure.exe and creates a shortcut on the Desktop named “Internet Security 2013.lnk” as seen below:

A simple Google search for these indicators turns up some recent technical articles describing a FakeAV/Kazy malware variant that matches the behavior seen in Invincea:

http://trojan-killer.net/remove-internet-security-2013-uninstall-tips/

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~FakeAV-GOJ/detailed-analysis.aspx

amsecure.exe (md5: addc2c56291dfe9509d9a1e56eb8e1ca) – 11/46 current detection ratio

Now that we have determined we are dealing with a crimeware related threat, we can safely assume that dvorak[.]org was more than likely a target of opportunity via WordPress rather than the target of a more sophisticated attack that was specifically singling out readers of Dvorak’s blog.

Next, we’ll briefly review the infection chain of events from a network perspective.

At the bottom of the main index page at www[.]dvorak[.]org/blog, we can find the following un-obfuscated iframe leading to 4zbc2ox[.]serveblog[.]net (also hosted at 151[.]248[.]123[.]170 as we saw earlier):

A request directed at the source of the iframe above returns a 302 redirect to enkgbqefvo[.]4pu[.]com which is one of the two domains we saw earlier:

The source of “requirements_anonymous_ordinary.php” includes obfuscated Javascript that decodes to the jnlp URL we saw earlier. Decoding the URL below with Revelo from Kahu Security:

Contents of the URL above which loads malicious Java archive:

The source of “requirements_anonymous_ordinary.php” also includes an obfuscated BlackHole Exploit Kit landing page. Looking at the obfuscated source, we can see that an eval() function is being performed on variable “s”. To decode, we simply paste the source into the window and select the “Redirect Variable” option and specify “(s)” as shown below:

The de-obfuscated code is now available on the “Results” tab:

Briefly reviewing the source of the landing page, we were able to enumerate the following exploits for Java and Adobe Reader among others:

CVE-2013-0422 (md5: 1e5ad893ece278245badedd163c7e97f) – 2/46 current detection ratio

CVE-2009-0927 (md5: 44b568efd901626c8ea87f22c9a7bd17) – 28/46 current detection ratio

CVE-2010-0188 (md5: 88fa8481619c61ce75fed97902c2d9ec) – 26/46 current detection ratio

Upon successful exploitation, the malware binary is transferred across the network with a modified DOS stub as seen below:

contacts.exe (md5: 1e9f3728e892bfd4a96511c7314c2301) – 1/39 current detection ratio, drops amsecure.exe as seen previously.

Beaconing activity for amsecure.exe:

saggerboy[.]com (209[.]62[.]88[.]66)

www[.]banglamasala[.]com (96[.]30[.]21[.]164)

The following Snort and NetWitness rules will identify this beaconing activity on the network:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”TROJAN Kazy/FakeAV Checkin with IE6 User-Agent”; flow:established,to_server; content:”/images/m.php?id=”; http_uri; content:”|3b 20|MSIE 6.0|3b 20|”; http_header; content:!”Referer|3a 20|”; http_header; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:xxxxxxxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”TROJAN Kazy/FakeAV Checkin with IE6 User-Agent”; flow:established,to_server; content:”/ccbill/m.php?id=”; http_uri; content:”|3b 20|MSIE 6.0|3b 20|”; http_header; content:!”Referer|3a 20|”; http_header; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:xxxxxxxx; rev:1;)

Summary

Based on Internet tips of WTOP[.], FederalNewsRadio[.] and the Dvorak sites being possibly compromised, we checked it out with an Invincea protected browser and found that indeed they were.

While we do not know how all the websites were compromised, in the case of Dvorak, the exploit likely used a WordPress plug-in vulnerability to emplace malicious re-directs on Dvorak’s popular tech pundit blog. Once re-directed, client-side exploits of Java and Adobe Reader via any of:

CVE-2013-0422,

CVE-2009-0927

CVE-2010-0188

is used to compromise the user’s machine and implant FakeAV software. We include Netwitness and Snort rules to help identify malicious traffic from the FakeAV infections.

Note on Analysis Files

While we believe the best protection against these threats are to employ Invincea at every endpoint, we recognize many of our readers do not currently have Invincea but desire immediate protection. As a result, when possible, we are providing Netwitness, Snort, and IOC files and signatures with our recent KIA blogs. See the recent analysis of an exploit using the Boston Marathon tragedy as bait. a Kelihos variant using the RedKit EK and taking advantage of Java CVE-2013-0422 and CVE-2013-1493. The full blog can be found here. We wanted to follow that up with a little more detail on how Invincea’s threat intelligence — gathered from thwarted attacks — can be put to work across the broader security infrastructure.

Below are two good examples of what you can do with Invincea’s captured threat intelligence – remember, you’re protected from the breach in the first place and then also get great forensic information to use across the broader security network.

Based on the forensic data captured by Invincea, we were able to create an “indicators of compromise” (ioc) file using IOC Editor by Mandiant. We have published the developed IOC file for the Kelihos variant observed in this write-up and it is available for download here. The attached IOC file has been written to trigger on the unique registry key modifications and file drop (tempXX.exe) illustrated in the Invincea Threat Analyzer above. The following screen shot illustrates the results of a Mandiant’s IOC Finder report based on the scan of a Kelihos infected system (just in case you don’t have Invincea yet!):

We also developed an RSA-NetWitness Flexparser file that generates an alert based on network traffic consistent with the Kelihos.F check-in seen above. The Flexparser uses a combination of the URI string and the unique User-Agent seen in this analysis and supported by the following technical analysis of Kelihos provided by Microsoft:

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fKelihos

The combination of Invincea protection at the end point together with the threat intelligence it outputs produces a solution for all greater than the sum of Invincea protected clients. Ask for a demo today and browse fearlessly.

Part 1 is available here

On Wednesday May 1^st, Invincea reported that the Dept of Labor website was compromised to re-direct visitors to a website that in turn executed a driveby download exploit of IE8 in order to install the Poison Ivy backdoor Trojan. Our initial reporting and those of other researchers believed that a known vulnerability (CVE-2012-4792) in IE8 was being exploited by this malicious website.

Since this initial reporting, a number of developments have emerged that we summarize in this Part 2 blog. First, the web pages that were compromised on the DoL site are intended for Dept of Energy employees (and their DoL representatives) in dealing with nuclear-related illnesses linked to Dept of Energy facilities and the toxicity levels at each location as reported here. As such the this compromise is now widely believed to be a watering hole attack that involves compromising one Federal Dept (DoL) to target another (DoE). Furthermore, AlienVault is reporting that the C&C protocol involved with this attack matches that of Chinese APT DeepPanda that has been previously analyzed by Crowdstrike.

Today, we announce that after performing additional testing of the exploit described in our original write-up and as confirmed by another source in the Threat Intel community, we have concluded that the vulnerability targeted during this attack campaign was not CVE-2012-4792 as we originally reported. Instead the exploit on the DoL site appears to be exploiting a zero-day exploit affecting Internet Explorer 8 (IE8) only use-after-free memory vulnerability that when exploited allows an attacker to remotely execute arbitrary code. Below you can see that we have patched IE8 on our XP test system with MS13-008 (KB2799329) that resolves the vulnerability described in CVE-2012-4792. However, we were still able to reproduce the malware infection described in part 1 despite having this patch installed:

Even with this patch for CVE-2012-4792 installed, Invincea has been able to reproduce the exploit as seen below:

Invincea has been notified that Microsoft is aware of this vulnerability and is currently investigating. Fortunately, Invincea users are protected from this threat as well as other zero-day exploits. For non-Invincea users, there are no known mitigations for this exploit that is currently in the wild. For users of IE8, there is no patch currently available and with this exploit being out in the wild, the potential risk for damage is high. If you are not using Invincea, we advise switching to an alternate browser such as Mozilla Firefox or Google Chrome, if possible, until an official patch has been released by Microsoft. Or better yet, get Invincea so you are protected against this and future zero-day exploits. We also performed some limited testing with IE6 and IE7 on the XP platform and the specific exploit code seen in this attack does not appear to affect those browser versions. There are also reports that this vulnerability may affect IE8 on the Windows 7 platform, however Invincea cannot confirm those reports at this time.

This research was in partnership with iSight Partner & we like to acknowledge & thank them for their assistance.

Please contact Invincea here to set up a free trial.

UPDATED 8:50 am 5.2.13 – Correction regarding Google black-holing of domain – details in analysis below

UPDATED 2:47 pm 5.1.13 – Now available – IOC file – Download Here!

On the evening of Tuesday, April 30^th 2013, we received a tip that a site hosted by the United States Department of Labor (USDOL) had been compromised and was hosting malicious code. The site has since been fixed and law enforcement is investigating.

In addition, AlienVault also has a write-up of the same exploit here.

As many security companies, including Websense, have recently noted, the vast majority of web-based driveby exploits are occurring from legitimate websites that are compromised with the specific intention to exploit the website visitors. Watering hole attacks gained notoriety over the last year as a method of infecting specific targets by compromising websites they are likely to visit.

In this case one US Federal department website, the Department of Labor, was compromised in order to target what are believed to be employees of US Dept of Energy that work in nuclear weapons programs. As reported by NextGov, the the Dept of Labor’s web pages  that were hijacked in this compromise — the “Site Exposure Matrices”– lists “nuclear-related illnesses linked to Energy facilities  and toxicity levels at each location that might have sickened employees developing atomic weapons”.  In other words, this attack bears the hallmarks of a classic watering hole attack targeting certain employees working in nuclear weapons for the Dept of Energy by compromising a website at the Dept of Labor they are likely to visit.

One highly effective way of getting on to an enterprise network is to infect its website where its employees are likely to visit. Naturally there will be collateral damage to other visitors to the website. In this case, the compromise was to simply insert a re-direct to another malicious website within a Javascript that runs on the DoL website. The re-directed website exploits a well-known vulnerability (CVE-2012-4792) in older versions of Internet Explorer v6 – v8 running on Windows XP machines. This profile fits the enterprise user machine profile typical of large enterprise and government agencies. The exploit was used to implant a variant of Poison Ivy remote access Trojan (RAT) mutated to change the PE magic number to evade network signatures. In the following continuation of our KIA series, Invincea security consultant Eddie Mitchell breaks down the exploit and how Invincea users are protected from this attack.

Armed with an Invincea protected browser (IE8, Windows XP 32-bit), we decided to investigate further.  Upon landing on the affected page, it only took a moment before we received the all too familiar alert notification from Invincea that an infection had been detected:

Drilling into the Details link, we can observe the real-time activity of the captured malware inside the Invincea virtual container:

As we can plainly see, a suspect executable has been dropped onto the virtual file system (conime.exe) and launched as a process.  Furthermore, we observe that network listeners have been opened as well as outbound network communications.  To obtain more forensic data related to this mock infection, we first click Restore to purge the virtual container of all changes and pivot to the Threat Data Server for more detail:

Once we have located the appropriate infection entry as shown above, we can quickly see the total number of virtual system changes recorded as the malware was allowed to run inside the container with breakdowns on number of executables written, processes launched and network connections opened.  In this case, 31 total changes were recorded with 2 distinct executable drops, 3 process launches and 3 network connections opened.  We can also rapidly determine that there are two web redirects present on the main index page associated with www[.]sem[.]dol[.]gov.  These redirects obviously lead to content hosted at dol[.]ns01[.]us which lead to the infection.  Next, we’ll select the Timeline tab to get more detail on the infection chain of events:

In the screen capture above, we can see that shortly after the browser was redirected to the content hosted at dol[.]ns01[.]us, a file previously downloaded to the browser cache is launched as a process.  We can also see the MD5Sum of the offending process listed in the Event Properties window above.

Next, we can see that a network listener is opened on port 443 and several steps are taken to maintain persistence on the host.  Reg.exe is launched from Windows\system32 in order to configure an autorun in the registry and the malware copies itself to a more permanent location in the user’s %appdata% directory as “conime.exe”:

Auto-run entry details:

UPDATED 8:50 a.m. 5.2.13 –

Next, the malware opens additional network listeners on port 53 and 8080 as well as attempts to contact its command and control (C2) server for instructions.  The C2 domain associated with this sample is microsoftupdate[.]ns1[.]name which resolved to 8.8.8.8 (Google) at the time of the original analysis.  The domain is currently resolving to 13.58.46.78 (Xerox Corporation) which may indicate that the attackers are attempting to avoid attribution efforts by the security research community.

During the initial C2 contact, the client attempts to send an encrypted payload of exactly 256 bytes to the C2 server over port 443 as seen below:

This behavior is highly consistent with the Poison Ivy RAT as previously described by Gal Badishi of Cyvera in this blog posting.

If we go back to the Processes tab in our Invincea threat analyzer, we can perform a virustotal.com hash check on our malware:

The results indicate that this Poison Ivy sample has an extremely low antivirus detection ratio (2/46):

Now, let’s backtrack and review the infection chain of events.

The main index page of www[.]sem[.]dol[.]gov contains an embedded script:

If we examine the contents of textsize.js, we can see that the DOM createElement() method is used to write a script tag on the page pointing to hxxp://dol[.]ns01[.]us:8081/web/xss.php as well as an iframe leading to hxxp://dol[.]ns01[.]us:8081/update/index.php:

The contents of xss.php include javascript functions to fingerprint vulnerable browser plugins as well as perform identification of popular endpoint security solutions that may be installed.  After completing the checks, the information is sent via an HTTP POST operation to hxxp://dol[.]ns01[.]us:8081/web/js.php as seen below:

index.php from our iframe above is where the code to exploit the browser lies:

Above, we can see that the javascript checks that the browser language is English and that the operating system is Windows XP based on the User-Agent string.  If these conditions are met, execution is passed to the helo() function contained in a Base64 encoded blob.  You can also notice above that “bookmark.png” (our malware payload) is downloaded into the browser cache.  Once the browser is successfully exploited, the shellcode executes the malware payload.

The following screenshot illustrates the malware download (bookmark.png – md5: a449fdcc2e15655c9f720247646913e4).  Note that the PE magic number has been altered to avoid network detection signatures that rely on the presence of “MZ”:

Summary

It is important to note that most websites are vulnerable to exploit. As a result, exploiting legitimate websites have become a common vector for penetrating enterprise networks and individual machines. The Department of Labor is no exception. Their website was compromised to host a re-direct to a malicious website. The target of this attack appears to be employees of the Dept of Energy that likely work in nuclear weapons research. In addition, AlienVault is reporting that this attack has indicators of compromise that link to the DeepPanda Chinese APT group. This compromise shows that watering hole attacks continue to be employed by advanced threat using exploits customized to their target profile.  The malicious website re-direct exploits an older vulnerability in Internet Explorer and Windows XP machines that fit the typical configuration of enterprise user machines. Invincea users are protected against this attack as they are against other web-based drive-by and spear-phishing attacks.

Please contact Invincea  today to schedule a demo.

As widely reported on Tuesday April 23^rd, Cool EK is now leveraging CVE-2013-2423 against Java 7 Update 17 and earlier in order to install a Reveton ransomware variant.  A Metasploit module was published on April 20^th and as expected, this exploit is being quickly adopted by the popular packs.  In the following screen capture, we are intentionally visiting a website redirecting to a Cool EK landing page using Firefox 19 protected by Invincea.  We also have Java 7 Update 17 installed and receive a Java security warning pop-up immediately upon browsing to the site:

If we, as the user choose the “Run” option instead of “Cancel” we receive an infection alert from Invincea as the Java plug-in has been successfully exploited and has loaded malware that is making changes inside the virtual container:

Once restored, we pivot to the infection details available from our Threat Data Server.  On the summary page we can see a suspicious web redirect as well as recorded changes to the virtual container:

On the timeline tab, we see that the Java process (java.exe) writes an executable file to %localappdata%\Temp and uses regsvr32.exe to register it.  The malicious executable file is never launched directly:

Behind the scenes, we can follow the infection path by examining the network traffic corresponding to each recorded event above.  First, an iframe corresponding to the redirect noted on the Invincea infection summary page above can be seen:

Java applet embedded on Cool EK landing page (sea_guide.htm):

De-obfuscated contents of the landing page are available here.  The downloaded Java archive details are provided below:

Name|md5sum|Current VT detection ratio

• criticism-wind.jar|9339cb68dd4a1301f8b84da55bacd6b4|5/46
• Big.class|9bdb204488ed99efb5d3319d01a17556|1/45
• Big02.class|9c9554bf30ec940f0804d059aa44f6da|1/46
• Big03.class|be4a57dba2ff68545aa89abdd141242b|1/46
• Big04.class|a84ec1ce7019af3f8c3f304bb63b28f7|1/46
• Big05.class|c6691e98ed9d59fa784e9217cf50a43c|1/46
• Big06.class|9c8ad91ef41849e84ae8ee3cdd76bf75|1/46
• Big07.class|ad52f54f1525970da8d66ae49606fea3|1/45
• Big08.class|2579ecb60a7457bbc4c180917f3d0f75|1/46
• Big09.class|4633ac99c45ed241968b369875a117db|1/46
• Big010.class|7ad2c902fab4ea87b3447fe189e71249|1/46
• Big011.class|c616c4396ed206275866605e042fbb6b|1/45
• Big012.class|a31a8603b9da1c1f92510f1c686839a1|1/45
• Big013.class|83fa2dc0d7a98cb78b213abb32cd7165|1/46
• Big014.class|3859a3b24e44515fafbed5f7c0c119e6|1/45
• hw.class|ffd8c8056058da205144918bdad6112f|1/46
• Muse.class|550b845f5691705830548626ce8dfdc8|0/46
• nhgf.class|00a6c2c6f349e7699d18cbdd43d1f6a6|0/46
• SystemClass.class|12aa8107a306ec8c0afa6a75f964b737|0/46
• Union1.class|11a8225627e32ec11c487b33db5f204b|0/46
• Union2.class|bb04caf17efb12685c3caaf2cf21c12e|0/46

If we decompile Muse.class, we can see the type conversion bug that allows for Java security manager to be disabled as described in the proof of concept here.  The contents of Muse.class are as follows:

Next, we see Java downloading the malware payload as seen earlier on the Invincea infection timeline.  Note that the URL request is for a .jpg file and the DOS stub has been altered:

Details of the ransomware binaries observed in use by this particular campaign are included below.  The attachment names observed during the ransomware download will be about.dll, calc.dll, contacts.dll, info.dll or readme.dll.

• getqq.jpg(readme.dll)| d5f6ddf71795ca30c50b095e198d8e80|1/46
• 5a6b2d9d6470171651adbc56c1675fd7|0/46

The following simple Snort NIDS rule will alert on the transfer of these crafted executables on the network:

If you are running Snort/Sourcefire, also ensure that you have SID 1:25627 enabled to catch the outbound command and control on port 443 as recorded by Invincea:

Summary

The latest Java-based exploit in the Cool EK shows the ability of the adversary to quickly react and franchise the latest Java vulnerabilities. Java’s latest security features turns the onus of running untrusted applets on the user. Traditionally this model of entrusting security decisions to users has not been successful. Users will often click on boxes to make them disappear regardless of the consequences. The promise of interesting content trumps the security risks associated with it.

Invincea’s approach of running untrusted content in secure virtual containers gives users risk-free choices. When users do make the wrong security decision and click the Run box, the malware runs inside the virtual container where it is segregated from the host operating system. No infection occurs but infections are noted then vanquished while forensics are collected as shown in this blog.

We are providing actionable forensics with this blog from this analysis including Snort signatures and an IOC file you can directly import into your existing security infrastructure. But instead of waiting to react to the next Java infection, why not get ahead of it with Invincea protection to prevent the infection in the first place?

It’s time to protect your users and your network with Invincea. What are you waiting for, the next Java infection?

Invincea security consultant Eddie Mitchell in his latest KIA series blog provides a detailed analysis of the exploit below. Doing a bit of research on urlquery.net confirmed several other suspicious URL’s with this same pattern.  Some of the entries have been flagged by IDS signatures as being consistent with the RedKit exploit kit:

Picking an entry at random, we browse to the copied URL with an Invincea protected web browser and Java 7 Update 10 in this example.  Immediately upon reaching the page, we can see that several videos related to the recent tragedy at the Boston Marathon have been embedded on the page (see below).  No doubt these links are used in spearphish campaigns and Search Engine Optimization (SEO) poisoning attacks designed to lure users to click on these links. A few moments later, Invincea identifies suspicious activity on the web page:

Clicking on the details link, it is clearly apparent that there is something very wrong with this website:

Specifically, the website dropped a number of executables then launched them in addition to setting up new network comms. In total nearly 200 changes to the virtual container Invincea sets up for the browser were identified and quarantined.

Once we click “Restore” to purge and rebuild the virtual environment, we pivot to the Threat Analyzer to review the details.  In addition to the massive number of recorded changes inside the virtual environment, we can see that the original URL contained several embedded Youtube videos relating to the Boston Marathon bombing, in addition to a redirect to a suspect domain (spareroomwebdesign[.]com):

Reviewing a network traffic capture of the attack in progress, we can clearly see an un-obfuscated iframe leading to the suspect page above:

Content of waiq.html shows an embedded Java applet exploiting CVE-2013-0422 or CVE-2013-1493 depending on the version of Java installed:

lbq.jar (md5: 0d45a1c9d94bb58fcdf241ec4a66c165) –

https://www.virustotal.com/en/file/cf9368494e68d878d349419ce9016b4985cfa6ea76236d1cd8465a5a48998bab/analysis/

Java downloading an XOR encoded payload (49.html):

Invincea shows two executables being written to disk in the %localappdata%\Temp and subsequently launched:

duedm.exe (md5: b9bbe7749b434c7c5df5e4d203dc9331) – https://www.virustotal.com/en/file/764ba4764daae66093b3ca746e97ca3f9e054a317f3e53286698e521341f97c3/analysis/

npcci.exe (md5: 256a2ab30f6d7dcdcae008588df4ec8c) -
https://www.virustotal.com/en/file/93371e13ff4b3db752d65d2d17d8394f3d834e89eac9628b828fc76827ce5518/analysis/

Next, duedm.exe connects to 94[.]231[.]181[.]208 (ymvuchyq[.]ru) (a Russian domain) to download another executable (newbos3.exe).  Note the HTTP headers present in this transaction:

This executable is written to C:\Windows\Temp as “Temp45.exe” and launched as a process.  As seen in Invincea:

temp45.exe (md5: fdbc94958b8f0ec2b24302c6d4685c46) –https://www.virustotal.com/en/file/560766fc73edf8eff02674a220e2794c008caeefc476c8fef04c21a16eb23a0f/analysis/

Registry entries created by temp45.exe are consistent with the Kelihos Trojan:

Full listing of network activity captured by Invincea:

Below is a sample of network traffic initiated by Kelihos to IP 46[.]219[.]27[.]5.  Note the obviously crafted user agent string:

In summary, the Boston Marathon tragedy is simply another opportunity for cyber miscreants to exploit people’s curiosity in order to compromise their machines and the networks they run on. Not surprisingly, they are exploiting Java vulnerabilities to install a remotely accessible Trojan. Based on the location of the command and control server we may conclude this is cyber crime driven, but further examination of the command and control network is necessary to be definitive.

Patching Java is immensely difficult for enterprises for legacy app compatibility reasons. This exploit shows the exposure of not patching Java. Deploying Invincea enterprise wide not only protects your network against user curiosity and this particular vile brand of exploitation, but also allows enterprises to continue to run unpatched Java without inheriting the risk associated with the Java vulnerabilities.

So what are you waiting for? Contact us for a free trial and browse fearlessly.

Warning! Hackers are exploiting Texas explosion news to spread malware – Naked Security

• Once again, cybercriminals are leaping at the opportunity to take advantage of breaking news stories to spread malware.

Time To Dump Antivirus As Endpoint Protection? – Dark Reading

• Attackers find it easy to avoid signature- and heuristic-based anti-malware defenses. Experts recommend alternatives to antivirus programs be used alongside them, not in lieu of them.

News International Frets Over Spear Phishing Bombardment – TechWeek Europe

• Following attacks on rival publishers, News International CISO Amar Singh talks about his spear phishing nightmares.

Most security pros believe they will suffer a data breach – Help Net Security

• More than 70% of IT security professionals would not be willing to bet $100 of their own money that their organization will not suffer a data breach in the next six months, according to Lieberman Software.

Small Businesses Now Bigger Targets In Cyberattacks – Dark Reading

• Half of all targeted attacks last year hit companies with less than 2,500 employees, and overall, targeted cyberattacks jumped 42 percent in 2012, new Symantec data shows.

Cyber threats at the top of US intelligence report for the first time – The Verge

• Cyber threats are the number one type of danger facing the United States, according to US national intelligence director James Clapper.

US and China to Enhance Cooperation on Cyber Security – Softpedia (Editor’s Note: HUH???)

• After numerous accusations made by both China and the US, the two countries appear to have come to an agreement when it comes to safeguarding cyberspace.

Researchers find malware targeting online stock trading software – PCWorld

• Security researchers from Russian cybercrime investigations company Groub-IB have recently identified a new piece of malware designed to steal login credentials from specialized software used to trade stocks and other securities online.

How Hackers Fool Your Employees – Dark Reading

• Attackers are taking aim at the weakest point in your network: human beings.

New stuff from Invincea:

• K.I.A.- KELIHOS TROJAN/REDKIT EK EXPLOITING BOSTON MARATHON ATTACKS: Read Now
• REGISTER FOR NEXT WEEK’S WEBINAR: Solve the User Problem…Protect Every Click
• ANTIVIRUS DOESN’T WORK, YOUR ENDPOINTS ARE THE NEW PERIMETER:  You need to look at Invincea –  Free Trial
• INVINCEA BROWSER PROTECTION SHIELD PC USERS AGAINST ALL TYPES OF WEB-BORNE THREATS: Request a demo and let one of our product specialists show you how – Free Demo

Cyber-Attacks on Infrastructure Firms Highlight Need for New Defenses – eWeek

• Spear-phishing against energy firms and online attacks targeting building-management systems underscore the need for improved security defenses.

DHS warns of spear-phishing campaign against energy companies – Computerworld

• Attackers used information from company website to craft attacks.

APT attackers getting more evasive, even more persistent – CSO Online

• Fear of discovery fuels sneakier tactics by writers of persistent malware.

Budgetary cost-cutting realigns military for cyberwar – Fox News

• President Barack Obama has released a $3.77 trillion, 2,000-page spending plan that cuts some cutting edge military technology projects in favor of a fifth domain for battle: cyber

As Defenders Adapt, Offensive Techniques Continue to Evolve – Threat Post

• The security teams that have to defend enterprise networks are faced with a broad and deep threat landscape populated with all manner of malware and targeted attacks.

North Korea ready for cyberwar – The Daily Caller

• Despite the popular impression that North Korea is technologically inept, the regime boasts a significant and effective cyber arsenal.

Anonymous Hits Israel with a Massive Cyber Attack, Israel Attacks Back – The Atlantic Wire

• On this year’s Holocaust Memorial Day, hackers at Anonymous took down a bunch of Israeli government websites on Sunday and say they caused over $3 billion in damage.

I’m a Fortune 500 Company and I’ve Been Hacked – Security Week

• CEOs show willingness and enthusiasm in discussing their companies and the breaches that have occurred.

South Korea Probe Says North Behind Cyber Attack: Report – Security Week

• An official investigation into a major cyber attack on South Korean banks and broadcasters last month has determined North Korea’s military intelligence agency was responsible.

Detecting Targeted Attacks Means Understanding How Attackers Operate – Mandiant

• Anatomy of an Attack, From Spear Phishing Attack to Compromise in Ten Steps.

How To Successfully Phish Your Own Firm – Dark Reading

• CSOs share advice, war stories on internal simulated phishing attacks for user awareness training.

Targeted social media attacks said to be underreported – CSO

• Cybercriminals’ use of Facebook, Twitter and other social media in targeting individuals with malware is an underreported problem that affects many organizations.

New stuff from Invincea:

• INVINCEA BROWSER PROTECTION SHIELD PC USERS AGAINST ALL TYPES OF WEB-BORNE THREATS: Request a demo and let one of our product specialists show you how – Free Demo
• ANTIVIRUS DOESN’T WORK, YOUR ENDPOINTS ARE THE NEW PERIMETER:  You need to look at Invincea  Free Trial
• ARE YOU ON TWITTER? FOLLOW US.WE TWEET ALL DAY LONG ABOUT ALL INFOSEC: Follow us on Twitter

E-news from our archives:

• POPULAR SITE SPEEDTEST.NET COMPROMISED BY EXPLOIT…DRIVE-BY STOPPED BY INVINCEA: Find out how here
• NATIONAL JOURNAL SITE FOUND SERVING ZEROACCESS ROOTKIT: Read More