Sunday, March 08, 2015

Threat Watch Linkfest

Here is a smattering of linkage for threats that caught my attention recently.

MITM/Superfish threats

Thoughts on a VNC-based network probe

It’s not a good sign when the help desk starts getting calls from users asking why IT is trying to remote to their systems with a new “VNC” product. It’s especially not good when IT doesn’t use that product and is not making blanket network connections to our customers.  Someone better tell the little Dutch boy to go stick his finger in the perimeter dyke! 

Some users selected “OK” to allow the remote connection thinking it was the local IT shop. Most did not.

Data has been collected from the incident and I was able to identify some IOC’s to use to go back and search out other systems where users may have selected “OK” but didn’t call in afterward that they had taken the bait.

Looking at logs from some of those systems, it appears that although a remote connection window was presented to the user, the application logs register the inbound connection but do not indicate that a connection was successfully opened to the user’s system, despite the dialog window presentation and the user clicking “OK”.  More research/incident-triage would be beneficial but the order came in to wipe/reimage these systems immediately so…there we are.

My guess (and without additional information it is just an educated guess) is that something got left open on the perimeter, an automated ip/port scan for VNC got by and triggered the local VNC responses seen. The actual mechanism and tool used remains unclear.

Here are some articles and links about VNC-type based attacks for my reference and review.

Dyre Trojan New Variant

Dyre Targets More Websites - ThreatTrack Security Labs Blog – besides looking to steal banking credentials from infected systems, this variant now has expended to file hosting, job hunting, general commerce, and even some income tax service websites!

Previously noted on this GSD blog: Fighting a Hydra named Drye/Dyreza/Upatre

Crypto<insert-name-here>

Turning the Tables

Mr. Zeltser offers a very interesting approach to preventing malware infection of a system. By using known infection-markers and loading them into a clean system, he can inoculate the system from infection.  It uses the tendency of malware writers to check to see if a system is already compromised (or is virtualized) by looking at running processes, maybe registry keys, etc. If those indicators are present, they the payload delivery and infection gets skipped!  The thought here is that if you know what those are, drop the safe “bits” around a system, then when the malware attack comes it “passes-over” the system and the system stays clean.  Very clever indeed!

How Malware Generates Mutex Names to Evade Detection – SANS-ISC InfoSec Handler’s Diary – Great supplemental post to the above by Lenny Zeltzer

See also: Looking at Mutex Objects for Malware Discovery and Indicators of Compromise – SANS Digital Forensics and Incident Response blog – article by Lenny Zeltzer

Constant Vigilance!

Claus Valca

No comments: