Showing posts with label Security breach. Show all posts

Friday, June 13, 2008

Tracking Coreflood from Shellcode

Sometimes, it can be surprisingly difficult to get malicious code removed from servers. It can be due to a lack of server support by the owners and their support staff, a lack of responsiveness from the ISP, or an intended scheme to profit from malware distribution, as with the groups involved at the RBN this past year.
It's just as surprising when users' systems are getting attacked with malcode that's been in circulation for at least five years and right now, it's almost completely undetected by the major AV vendors. Here are some scanning results on the executable. Four of thirty-two scanners is not pretty:



Anyways we are observing some download-and-execute shellcode attacking user systems that pulls down the malicious file from a server (that server's admin, the owners of the site, and the ISP have all been contacted over the past couple of days. At least the ISP got back to us with a low priority ticket). Here is an example of the malcode calling "urlmon.URLDownloadToFileA" on hxxp:// 20x.x16.xx.xx/ white.ccs and copying the undetected "AFCode" or "CoreFlood" variant download to c:\index.tmp. We use a tool and process that we posted last year for shellcode examination:



And here is the call to "kernel32.WinExec" to get that file started on the system, which drops and loads its dll file:



The binary, c:\index.tmp, doesn't carry much of an unpacking stub. We see more xor loops and import redirection tricks than anything, which makes it unusual that the AV crowd can't keep up with this one. It drops a set of unusual looking dat files, and adds CLSIDs and an unusual ShellIconOverlayIdentifiers registry entry for startup. Inside the dropped dll, we find a slew of strings that suggest this malicious component is simply reused Coreflood code:
AFCORE
Removing AF from the system . . .
AF up time: %t
Flooding %s . . .
Flooding of %s has been completed
Processing diskflood log file %s . . .

The file immediately POSTs information about its host operating system, version of the software, etc, back to another server over http, among other things.
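The two stages described above (shellcode that resolves URLDownloadToFileA and WinExec, then a dropped DLL carrying the AFcore strings) are easy to triage statically once you know what to look for. The script below is an added example, not the shellcode examination tool the post refers to or any code from the author: it scans a blob for the download/execute API name pair, pulls out the URL and local drop path passed to them, and checks a dropped file for the Coreflood marker strings listed above. The sample bytes are constructed for the example (the host 203.0.113.10 is a documentation-range placeholder, not the server in the post).

```python
import re

# Marker strings the post reports inside the dropped Coreflood/AFcore DLL.
AFCORE_MARKERS = (
    b"AFCORE",
    b"Removing AF from the system",
    b"AF up time: %t",
    b"Flooding %s",
    b"Flooding of %s has been completed",
    b"Processing diskflood log file %s",
)

# API names typical of download-and-execute shellcode. The post shows the
# URLDownloadToFileA -> WinExec pair; the others are common equivalents.
DOWNLOAD_APIS = (b"URLDownloadToFileA", b"URLDownloadToFileW")
EXEC_APIS = (b"WinExec", b"CreateProcessA", b"CreateProcessW", b"ShellExecuteA")

URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")          # stops at NUL or space
DROP_PATH_RE = re.compile(rb"[A-Za-z]:\\[^\x00\"<>|*?]{1,200}")


def find_apis(blob, names):
    """Return the API names from `names` that appear literally in blob."""
    return [n.decode() for n in names if n in blob]


def triage_shellcode(blob):
    """Classify a shellcode blob and pull out its download/drop indicators."""
    download = find_apis(blob, DOWNLOAD_APIS)
    execute = find_apis(blob, EXEC_APIS)
    urls = [u.decode("ascii", "replace") for u in URL_RE.findall(blob)]
    paths = [p.decode("ascii", "replace") for p in DROP_PATH_RE.findall(blob)]
    return {
        "download_apis": download,
        "exec_apis": execute,
        "urls": urls,
        "drop_paths": paths,
        # Both halves present is the download-and-execute pattern in the post.
        "download_and_execute": bool(download) and bool(execute),
    }


def scan_dropped_dll(blob, min_hits=2):
    """Look for the AFcore marker strings; two or more is a strong match."""
    hits = [m.decode() for m in AFCORE_MARKERS if m in blob]
    return {"markers": hits, "looks_like_afcore": len(hits) >= min_hits}


# --- constructed sample inputs (not captured from the incident) -------------
SAMPLE_SHELLCODE = (
    b"\x90" * 8                                  # padding
    + b"urlmon\x00URLDownloadToFileA\x00"         # API resolved by name
    + b"http://203.0.113.10/white.ccs\x00"       # TEST-NET-3 placeholder host
    + b"c:\\index.tmp\x00"                        # drop path named in the post
    + b"kernel32\x00WinExec\x00"
    + b"\xcc" * 4
)

SAMPLE_DLL = (
    b"MZ" + b"\x00" * 30
    + b"AFCORE\x00Removing AF from the system . . .\x00"
    + b"AF up time: %t\x00Flooding %s . . .\x00"
)

BENIGN_BLOB = b"Hello world\x00kernel32\x00GetTickCount\x00"


if __name__ == "__main__":
    print(triage_shellcode(SAMPLE_SHELLCODE))
    print(scan_dropped_dll(SAMPLE_DLL))
    print(triage_shellcode(BENIGN_BLOB)["download_and_execute"])
```

Literal API names only catch shellcode that resolves imports by string; samples that hash their API names will need the emulation-style tool the post mentions rather than this string pass, which is why the marker-string check on the dropped file is kept as a second, independent signal.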

It's not especially fun to see this coreflood family back in the wild. Coreflood seems to have caused problems for individuals performing online banking in the past few years, as the Secret Service found it on Joe Lopez's laptop in the disturbing BofA v Lopez. But I suppose we'll never really know for sure about that one. It was settled out of court, and neither side will respond to repeated calls regarding their own settlement.


Update: over the weekend, the malicious "white.ccs" file was silently removed from the server. And the ISP handling the problem interestingly deleted the support ticket they had issued for my request.

Tuesday, June 3, 2008

Global cyber-intelligence

You can check out a somewhat lengthy and fascinating article on recent cyber intelligence, SCADA systems and various actors on the global cyber stage at The National Journal.

'Asked whether Washington knew of hacker involvement in the two blackouts, Joel Brenner, the government’s senior counterintelligence official, told National Journal, “I can’t comment on that.”'

Friday, May 9, 2008

Ongoing targeted attacks during Tibet, Burma controversy and Olympic torch protests

Unfortunately, targeted computer attacks commonly occur. This morning's NPR show exposed such problems in regards to activists and journalists in China. Sadly, not much data is public about these sorts of attacks and it would be easy to speculate that such types of attacks are on the rise. Sometimes, the groups being attacked do not want members to be exposed or further put into public light and sometimes they do not fully understand they are being attacked. The NPR audio mentioned groups like the Falun Gong, Students for a Free Tibet, Human Rights in China and some China-based foreign journalists. Often, the attackers' identities are more difficult to uncover than in the more entertaining examples we've given in the past. While spoofed sources may seem to be from friends or friendly members of organizations, the true source remains in the shadows, hiding behind university or seemingly public IP addresses.

The various code used in targeted attacks that we have evaluated to date are not terribly impressive pieces of malware. The trojans and spyware often are delivered over email as embedded data within files of all formats with enticing names that the recipient would most likely be interested in. For example, the NPR interview mentioned a "resume.doc" file that was delivered to current board members and staff of the targeted Students for a Free Tibet from the spoofed email address of an ex-board member. These Microsoft Word docs, Excel spreadsheets, malicious .chm help files, and Powerpoint slideshows usually are malformed in one way or another to attack vulnerabilities in flawed software on the receiver's side. When opened by outdated software, these maliciously crafted files and the included code drop and run trojans and spyware embedded in the files on the victim's system.
Most can be prevented by keeping software updated and patched, running security solutions, and as always, security in layers is recommended.

The audio mentions that most AV scanners are often evaded by the software components of these targeted attacks (an unusual admission from a member of the AV industry!). And that trojan builders create nastier rodents in response to the AV companies' better mousetraps.
ThreatFire is different -- our behavior-based cat is bigger and faster than that little piece of cheese sitting on the wire and wood thing in the attic. Purrs like a kitten too.

Tuesday, March 4, 2008

How do they get my credit card info?

Proper security can only go so far when you use public computers. Keeping your own system up to date is important and exercising caution when using public systems is important as well.

From the L.A. FBI branch:
"Tandiwidjojo admitted that he hacked into approximately 60 computers inside business kiosks...After hacking into the computers, Tandiwidjojo installed malicious software that allowed him to intercept data, such as credit card information from customers who used the business kiosks. The malicious software transferred the stolen customer data to a website Tandiwidjojo controlled. Tandiwidjojo then used this information to fraudulently make charges to the stolen credit card accounts."

Thursday, January 31, 2008

Daily breach reports

For an almost daily fix of forehead slapping disbelief, head on over to the Breach Blog. We believe that this blog will be a busy one throughout 2008: "Unfortunately, this past year was a record year for data breaches, according to a couple of groups. (Although, I'm not sure that statement is completely true. It seems more to have been a record year for reporting breaches, due to a number of new factors. Incident reporting has always provided only a partial view of actual events.)".

This steady stream of sensitive data flowing into other hands continues to raise questions around "Server in the sky" efforts by government intelligence agencies.

Monday, December 31, 2007

Strategy and book review

A "Strategy" thread was started on the DailyDave mail list by Dave himself, criticizing information warfare papers:
"If you're reading an information warfare book or paper you'll invariably see a lot of:
1. Inane references to Sun Tzu (or, in some even more horrible cases, any two of Sun Tzu, Clausewitz, and John Boyd)
2. Declarations that information warfare is an "asymmetric attack"

Dave goes on to drop a couple product names and then describe the money saving mono-culture Microsoft technology implementations within the US .com and .mil communities, and describes it as poor strategy:
"Bad strategies like this result in flailing and moaning as you get defeated over and over by someone with better strategy, not because the battlefield is inherently asymmetric."

Unfortunately, this past year was a record year for data breaches, according to a couple of groups. (Although, I'm not sure that statement is completely true. It seems more to have been a record year for reporting breaches, due to a number of new factors. Incident reporting has always provided only a cloudy window into actual events.)
Any way you slice it, in light of the sheer volume of security breaches, Dave's statement about the mono-culture of .com and .mil communities is a troubling one -- in spite of a year of record profits for the .com community and record budgets for the .mil community, it seems that technology implementations still are not getting the budget or focus that they require when it comes to effectively addressing security needs.


Another poster on the list responded to Dave's complaints by posting a book review about "Spec Ops: Case Studies in Special Operations Warfare: Theory and Practice" by William McRaven, a U.S. Navy SEAL commanding officer. I got a chance to check it out this past week and the eight case studies McRaven analyzes really are fascinating (if you're a bit of a military history buff). The theory and principles at the beginning of the book (summarized on the DailyDave post) can be applied to analysis of the targeted attacks that have become much more commonplace on the net. It's a stimulating read for security enthusiasts, and applies well to the ongoing security breaches around the world:
"If you can't draw the parallels to general security practices from those principles then the book is not for you, otherwise you might find yourself ripping through the book and thinking in an entirely different light by the final chapter."

Thursday, December 13, 2007

Oak Ridge visitor db compromised

While the Oak Ridge National Lab may be known for high tech research like analytical chemistry, neutron science, and providing technology and expertise to support national and homeland security needs, they also might become known for a recent breach of security at their own premises. Granted, the only data they are reporting as having been compromised is their visitors database. Seriously.

"Oak Ridge National Laboratory (ORNL) recently experienced a sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country. A hacker illegally gained access to ORNL computers by sending staff e-mails that appeared to be official legitimate communications. When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory."

Targeted attacks like this one are more common than they were a couple of years ago. Be wary of incoming email attachments and hyperlinks.


UPDATE (12.13.2007): Speaking of data breaches and network intrusion, Bruce Schneier has a related post on his blog today about a newly released study. The UC Berkeley Samuelson Law, Technology, & Public Policy Clinic recently completed and released a study on "Security Breach Notification Laws: Views from Chief Security Officers". It evaluates the profound effects on practices within U.S. companies resulting from the implementation of security breach notification state laws. Great read.

Tuesday, December 4, 2007

Spy v. cyberspy

An unusually open statement about China's cyberattacks on British businesses from MI5:
"The Government has openly accused China of carrying out state-sponsored espionage against vital parts of Britain’s economy, including the computer systems of big banks and financial services firms."

It interestingly came out a week after the 11/21/2007 report in the American congress from the US-China Economic and Security Review Commission blasted the PRC's espionage activities: "Chinese espionage in the United States, which now comprises the single greatest threat to U.S. technology, is straining the U.S. counterintelligence establishment."
The report also discusses the PRC's DDoS capabilities and cyberwarfare capabilities. The word "cyber" appears over thirty times in that report, in relation to "attacks", "weapons" and "warfare".

Interesting statistics about cyber attacks on U.S. networks

While the usual yearly predictions are coming out from large av scanner vendors, here's an interesting article containing an ex-CIA official's statements on how many attacks occurred against the federal government in 2007 alone. The numbers are staggering, when considering it's only one year of successful criminal activity:

"America is under widespread attack in cyberspace," Palowitch said in citing Cartwright's statistics that there were 37,000 reported breaches of government and private systems in fiscal 2007. There were nearly 13,000 direct assaults on federal agencies then, and 80,000 attempted computer network attacks on Defense Department systems, he added.

The Cars of the Future

Drum roll please...a great NYT article was published this morning about progress that has been made on car technology that learns to drive itself:
In the Future, Smart People Will Let Cars Take Control
Does that mean my parents won't be on the road at 80? Maybe this is a good thing, I remember how my grandmother drove at that age.

"Some people won’t ever want to yield control; others will worry that the first smart cars will be like the early versions of Windows. There will be many, many car-computer jokes involving the word “crash.” "

Yeah, sounds fantastic. Cars that drive themselves. The statement conjures up fond memories of field trips to Chicago's massive Museum of Science and Technology, the futuristic transportation gizmo Piccard Gondola, and other cliches like "the Home of the Future".
Or just maybe, a version of Microsoft Windows driving my car. That statement conjures up memories of blue screens of death (sounds horrible in relation to cars that drive themselves!), third party component heap overflow attacks, flawed ActiveX permissions, "Venetian shell code" techniques, and the confusing acronym soup of security hype that plagues users of the internet. There's a new swarm of security concerns every quarter. And this stuff is going to drive my car?

The implementation is where the rubber hits the road, and it always seems to happen that security concerns fall last in the list of engineering priorities in a project (except for some fine examples, the vsftpd and OpenBSD folks). If you've seen The Italian Job, you've watched what can happen when networking meets transportation -- the L.A. transportation department gets reminded "You'll never shut down the real Napster". These sorts of concerns are very relevant to projects like computer-automated driving learning systems. My hope is that security efforts of the sort that Microsoft has aggressively begun attending to over the past couple of years will be built into these driving platforms from the ground up.

Grandma might have thought that would be a fine idea.