Threat Watch Linkfest

Here is a smattering of linkage for threats that caught my attention recently.

MITM/Superfish threats

• Extended Validation Certificates - Warning Against MITM Attacks – TrendLabs Security Intelligence Blog
• EFF unearths evidence of possible Superfish-style attacks in the wild - Ars Technica
• Zero Day Weekly: Superfish attacks, FBI GameoverZeus bounty, Komodia in Lavasoft - ZDNet
• Lenovo promises to cut the crapware in the wake of Superfish debacle - Ars Technica

Thoughts on a VNC-based network probe

It’s not a good sign when the help desk starts getting calls from users asking why IT is trying to remote to their systems with a new “VNC” product. It’s especially not good when IT doesn’t use that product and is not making blanket network connections to our customers.  Someone better tell the little Dutch boy to go stick his finger in the perimeter dyke! 

Some users selected “OK” to allow the remote connection thinking it was the local IT shop. Most did not.

Data has been collected from the incident and I was able to identify some IOC’s to use to go back and search out other systems where users may have selected “OK” but didn’t call in afterward that they had taken the bait.

Looking at logs from some of those systems, it appears that although a remote connection window was presented to the user, the application logs register the inbound connection but do not indicate that a connection was successfully opened to the user’s system, despite the dialog window presentation and the user clicking “OK”.  More research/incident-triage would be beneficial but the order came in to wipe/reimage these systems immediately so…there we are.

My guess (and without additional information it is just an educated guess) is that something got left open on the perimeter, an automated ip/port scan for VNC got by and triggered the local VNC responses seen. The actual mechanism and tool used remains unclear.

Here are some articles and links about VNC-type based attacks for my reference and review.

• AGbot Attacks Internet VNC Servers - Fortinet Blog
• Remote Access Forensics for VNC and RDP on Windows Platform (PDF link) – Paresh Kerai with Edith Cowan University
• Tracing VNC And RDP Protocol Artefacts on Windows Mobile (PDF link) – Paresh Kerai with Edith Cowan University
• HowTo: Track Lateral Movement – Windows Incident Response blog
• VNC: Threats and Countermeasures - Dragon Research Group (DRG)
• ATLAS Attack Report: Global VNC network scanning activity – Arbor networks
• VNC Authentication - Metasploit Unleashed

Dyre Trojan New Variant

Dyre Targets More Websites - ThreatTrack Security Labs Blog – besides looking to steal banking credentials from infected systems, this variant now has expended to file hosting, job hunting, general commerce, and even some income tax service websites!

Previously noted on this GSD blog: Fighting a Hydra named Drye/Dyreza/Upatre

Crypto<insert-name-here>

• CryptoFortress, a TorrentLocker clone that also encrypts unmapped network shares – Bleeping Computer forums – This one is very interesting as it looks like it can connect to network shares not mapped to a drive letter and do file encryption. 
• New crypto ransomware in town : CryptoFortress - Malware don't need Coffee – Marc-Etienne M.Lévei
• CryptoFortress - Weblog Lexsi – in-depth analysis from Renaud Tabary
• Cryptowall ,again! - InfoSec Handlers Diary Blog

Turning the Tables

• Contemplating Malware Immunization via Infection Markers – Lenny Zeltser

Mr. Zeltser offers a very interesting approach to preventing malware infection of a system. By using known infection-markers and loading them into a clean system, he can inoculate the system from infection.  It uses the tendency of malware writers to check to see if a system is already compromised (or is virtualized) by looking at running processes, maybe registry keys, etc. If those indicators are present, they the payload delivery and infection gets skipped!  The thought here is that if you know what those are, drop the safe “bits” around a system, then when the malware attack comes it “passes-over” the system and the system stays clean.  Very clever indeed!

How Malware Generates Mutex Names to Evade Detection – SANS-ISC InfoSec Handler’s Diary – Great supplemental post to the above by Lenny Zeltzer

See also: Looking at Mutex Objects for Malware Discovery and Indicators of Compromise – SANS Digital Forensics and Incident Response blog – article by Lenny Zeltzer

Constant Vigilance!

Claus Valca