Thursday 21 February 2013

SSHD rootkit in the wild

There are a lot of discussions at the moment about an SSHD rootkit hitting mainly RPM-based Linux distributions.

Thanks to our reader unSpawn, we received a bunch of samples of the rootkit. The rootkit is actually a trojanized library that links with SSHD and does *a lot* of nasty things to the system.
At this point in time we still do not know what the initial attack vector is – it is unknown how the attackers get root access on the compromised servers that is needed to change the legitimate libkeyutils library with a trojanized one. We are, of course, keeping an eye on the development and will post a new diary or update this one if we receive more information about the attack vectors.
The trojanized library is very, very nasty. Upon execution it performs a number of actions, as described below.

The code first deobfuscates the text strings needed for it to work. The original text is only XORed so this is very easy to retrieve and the deobfuscated strings have already been posted on a lot of sites.
Once that has been done, the library sets up everything needed for it to work. It resolves symbols for the following functions, which are used later: PEM_write_RSAPrivateKey, PEM_write_DSAPrivateKey, MD5_Init, MD5_Update, and MD5_Final. As you can already see, it is definitely messing with the authentication mechanism.

Besides resolving the symbols, the library also hooks the following functions: pam_authenticate, pam_start and crypt as well as audit_log_user_message and audit_log_acct_message. By hooking these functions, the rootkit can modify the flow of the SSHD – as you can see, this is a user-mode rootkit, as it does not affect the kernel.

The main activity of the rootkit consists of collecting the credentials of authenticated users. Notice that the rootkit can steal username and password pairs as well as RSA and DSA private keys, so no matter which authentication mechanism you use, if the target host is infected it will successfully steal your information. The hooking of the audit_log* functions was done to allow the attacker to keep as low a profile as possible – if the attacker uses the hardcoded backdoor password to issue any commands to the rootkit, no logs will be created.

The current version of the rootkit supports three commands: Xver, Xcat and Xbnd. The first command just prints the rootkit's version; the Xcat command prints the collected information back in the session for the attacker, while the Xbnd command allows the attacker to set up a listener.
Besides this, the rootkit can automatically send collected credentials to the attacker. In order to do this the rootkit has a DGA (Domain Generation Algorithm) implemented that will create random-looking domain names in the .biz, .info and .net domains (in that order). It will then send a DNS packet containing the collected credentials to the target IP address, if it was able to resolve it (meaning the attacker has registered that day's domain). If no domain could be resolved, the DNS packet is sent to a hard-coded IP address, which in all samples we received was 78.47.139.110.

The rootkit itself looks very similar to the Ebury trojan, which was detected back in 2011. In fact, I'm pretty sure that a lot of the code has been directly copied; however, the Ebury trojan patched the whole SSHD binary and required the attacker to replace it.

This was easier to detect and prone to being overwritten with patching. The libkeyutils library, which comes as part of the keyutils-libs package is not changed that often so the chance of it being overwritten automatically is much lower.

If you run an RPM-based system you can check the integrity of the file with the rpm command:
# rpm -Vv keyutils-libs-1.2-1.el5
........    /lib/libkeyutils-1.2.so
S.5.....    /lib/libkeyutils.so.1
........    /usr/share/doc/keyutils-libs-1.2
........  d /usr/share/doc/keyutils-libs-1.2/LICENCE.LGPL

This will check a lot of things, the most important being the MD5 checksum (the 5 flag in the second column), so if you see output like the one above you have a trojanized library. Proper output should have all (and only) dots. Keep in mind that RPM's verification, of course, depends on the integrity of its database and the kernel itself.
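An added example, not part of the ISC diary, that parses `rpm -V` output and lists the files whose verification column is not all dots, separately calling out the 5 (digest mismatch) flag that the trojanized libkeyutils shows. The sample output is constructed to mirror the listing above; the package name is an assumption, and when rpm is not present the script falls back to the sample.

```shell
#!/bin/sh
# rpm -V prints one line per file: a flag field (S size, M mode, 5 digest,
# D device, L symlink, U user, G group, T mtime, P caps; "." = ok, "?" = not
# checked), an optional attribute marker (c config, d doc, ...), then the path.
# A line reading "missing   /path" means the file is gone.

# Constructed sample: the trojanized-libkeyutils listing from the diary above.
SAMPLE='........    /lib/libkeyutils-1.2.so
S.5.....    /lib/libkeyutils.so.1
........    /usr/share/doc/keyutils-libs-1.2
........  d /usr/share/doc/keyutils-libs-1.2/LICENCE.LGPL'

# modified_files: read rpm -V lines on stdin, print the path of every entry
# whose flag field contains anything other than dots (or that is missing).
modified_files() {
    awk '
        $1 == "missing" { print $NF; next }
        $1 ~ /^[SM5DLUGTP.?]+$/ && $1 !~ /^\.+$/ { print $NF }
    '
}

# digest_mismatch: print only paths carrying the "5" flag, i.e. the on-disk
# content no longer matches the digest recorded in the RPM database. For a
# shared library this is the strongest sign of a swapped-in binary.
digest_mismatch() {
    awk '$1 ~ /^[SM5DLUGTP.?]+$/ && index($1, "5") { print $NF }'
}

# verify_package: run the real check when rpm exists, otherwise use SAMPLE.
# Package name "keyutils-libs" is an assumption; adjust for your distribution.
verify_package() {
    pkg="${1:-keyutils-libs}"
    if command -v rpm >/dev/null 2>&1; then
        rpm -V "$pkg"
    else
        printf '%s\n' "$SAMPLE"
    fi
}

echo "Entries with non-clean verification flags:"
verify_package keyutils-libs | modified_files
echo "Entries with a digest mismatch (5 flag):"
verify_package keyutils-libs | digest_mismatch
```

As the diary notes, a clean result only means as much as the RPM database it is compared against; an attacker with root could rewrite that too.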

Source: ISC

Tuesday 19 February 2013

Mandiant Exposes APT1 – One of China's Cyber Espionage Units & Releases 3,000 Indicators

Today, The Mandiant® Intelligence Center™ released an unprecedented report exposing APT1's multi-year, enterprise-scale computer espionage campaign. APT1 is one of dozens of threat groups Mandiant tracks around the world and we consider it to be one of the most prolific in terms of the sheer quantity of information it has stolen.

Highlights of the report include:
  • Evidence linking APT1 to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398).
  • A timeline of APT1 economic espionage conducted since 2006 against 141 victims across multiple industries.
  • APT1's modus operandi (tools, tactics, procedures) including a compilation of videos showing actual APT1 activity.
  • The timeline and details of over 40 APT1 malware families.
  • The timeline and details of APT1's extensive attack infrastructure.

Mandiant is also releasing a digital appendix with more than 3,000 indicators to bolster defenses against APT1 operations. This appendix includes:
  • Digital delivery of over 3,000 APT1 indicators, such as domain names, IP addresses, and MD5 hashes of malware.
  • Thirteen (13) X.509 encryption certificates used by APT1.
  • A set of APT1 Indicators of Compromise (IOCs) and detailed descriptions of over 40 malware families in APT1's arsenal of digital weapons.
  • IOCs that can be used in conjunction with Redline™, Mandiant’s free host-based investigative tool, or with Mandiant Intelligent Response® (MIR), Mandiant’s commercial enterprise investigative tool.

The scale and impact of APT1's operations compelled us to write this report. The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one. What started as a "what if" discussion about our traditional non-disclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk of losing much of our ability to collect intelligence on this particular APT group. It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively. The issue of attribution has always been a missing link in the public's understanding of the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.
We recognize that no one entity can understand the entire complex picture that many years of intense cyber espionage by a single group creates. We look forward to seeing the surge of data and conversations a report like this will likely generate.
You can download the report, the appendices and view the video showing APT1 attacker activity at http://www.mandiant.com/apt1.

Source: Mandiant

Thursday 14 February 2013

In Turn, It's PDF Time

We have found IE, Java, and Flash zero-days in a row in the past several months, and now it's PDF’s turn. Today, we identified that a PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1.

Upon successful exploitation, it drops two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.


We have already submitted the sample to the Adobe security team. Before we get confirmation from Adobe and a mitigation plan is available, we suggest that you not open any unknown PDF files. We will continue our research and continue to share more information.

[Update: February 13, 2013]
In response to the many requests we’ve received for more detailed information, we would like to let our readers know that we have been working with Adobe and have jointly agreed to refrain from posting the technical details of the zero-day at this time. This post was intended to serve as a warning to the general public. We will update this post with more information at a later time.

Source: FireEye

Thursday 7 February 2013

Business Partners Give Hackers Easy Access to Secure Firms

As frequently targeted, high-value companies continue fortifying their defenses, FireEye researchers claim that attackers are increasingly setting their sights on the affiliated but not-as-well-protected third-party organizations that do business with them.

By aiming phishing email campaigns at softer targets, attackers believe they can compromise the networks of more relevant organizations in a roundabout way without having to defeat their sophisticated security systems.

The FireEye Malware and Intelligence Lab illustrated this assertion in their analysis of an attack targeting a Taiwanese tech firm that frequently works with the government and financial services industry in that country. The attackers reportedly wanted to compromise both the Taiwanese Government and financial services organizations. Rather than launch a direct attack, they crafted an email purportedly coming from the Taiwanese Ministry of Finance in an attempt to phish employees at and compromise the unnamed tech firm.

Once an attacker infiltrates the tech firm, he can leverage access given to the tech firm by the higher value targets in order to piggyback his way onto the more valuable Taiwanese Government and financial service networks.

The attack itself evades pattern-based malware detection methods by hiding its payload in an encrypted, password-protected Word document. In this way, attackers don't need to develop their own zero-day exploit, but can rely on their victims to execute the malware themselves.
It may seem ineffective for an attacker to password-protect his malware payload, but as Ronghwa Chong, senior malware and forensic engineer at FireEye, explained to Threatpost via email, a password-protected, encrypted Word document promises to be interesting, and the password in this case was easily guessable, so a number of users made the mistake of opening the malicious document.

In his analysis, Chong claims a number of tell-tale signs indicate that this particular attack is emanating from China. You can read more about the technical aspects of the attack in Chong's write-up on the FireEye Malware and Intelligence Lab blog.

Source: Threatpost

Tuesday 5 February 2013

Nu.nl and Telegraaf.nl logins stolen via Dorifel

Eastern European criminals who stole 750 GB of Dutch government and hospital data via Dorifel and Citadel operated from Chinese domains. Logins for Nu.nl and Telegraaf.nl were stolen as well.
That Chinese link was established by security company Surfright. The domains pobelka.com and ipo90.com turn out to be registered in Xiamen, China. The domain pobelka.com is linked to the Citadel botnet that specifically attacked Dutch computers last year. The second domain is connected to the Dorifel outbreak, which caused great panic last year at, among others, infected Dutch municipalities.
The Pobelka botnet, responsible for the theft of 750 GB of sensitive Dutch data, appeared to have been taken down last year by Digital Investigations in cooperation with Surfright and the High Tech Crime Unit of the KLPD, but it now turns out that the criminals have switched to new Command & Control servers. Many of the 150,000 infected Dutch PCs now receive their commands from an as yet unknown server.

Hospitals and multinationals also hit

How many of those 150,000 computers are still infected is unclear. Many of those computers are, or were, located at government institutions, hospitals and companies, including airlines, a Dutch multinational and a Dutch high-tech company. Data was stolen from all of those government bodies and companies.
This included complete overviews of companies' IT network infrastructure, production plans of a high-tech company, notes by hospital staff, government employees' work on answers to parliamentary questions, and login details for various organisations. All that data was on the Command & Control server, seized by Digital Investigations, that controlled the botnet.

Login details for Nu.nl and ad servers

The login details in particular caused a great deal of follow-on trouble. Because login details for media companies had also been stolen, access to the content management system of Nu.nl could be obtained without any hacking, and malicious code was placed in documents in the CMS. The ad servers used by, among others, De Telegraaf were penetrated the same way.
According to Erik Loman of Surfright, the seized C&C server contained data "from virtually every Dutch company" and even from so-called Industrial Control Systems (ICS). Those are systems, such as SCADA, that control locks, bridges, dams and other critical infrastructure works. They are also used in nuclear power plants.

Surfright hints at cyber espionage

Because no banking data was found on the C&C server alongside the 750 GB of Dutch data, the question arises what the criminals' goal was. According to Loman there is a chance the data was sold on to other governments, but he cannot produce any evidence for that. "But the absence of banking data, which Citadel (called a Banking Trojan, no less) is generally used to collect, is striking."
A report by Fox-IT researcher Michael Sandee, however, states that such espionage is not the obvious explanation. The newly discovered Chinese domain connection is suspicious in this respect.

Lukewarm interest from the Dutch government

Incidentally, Surfright complains about the lukewarm interest of the Dutch government in the findings of the company and of Digital Investigations. Although there was cooperation with the Dutch investigative services, there was little further interest, even though affected municipalities were down for days and even servers at ministries were hit. "Because government officials did not find the findings interesting enough and saw no reason for a national investigation, our exhaustive investigation did not become a national news item," the company writes in a blog post.
Loman says the attack by the Pobelka criminals was not carried out in as targeted a manner as the attack on American media companies such as the New York Times and the Washington Journal, but does point out that the Citadel infections in the Netherlands stayed under the radar for no fewer than eight months.

Source: Webwereld