Generic Dropper.p (XtremeRAT)

This is where, from the research side, things begin to get fun.

Automated malware analysis is nothing new to our industry. Most vendors (ourselves included) have tools to handle this internally, and assist our skilled human analysts with proper classification, documentation, and other recurring tasks that must occur with the daily barrage of new and unique malicious binaries. The bar for this threat, however, has been raised. With ValidEdge, we were able to generate enormous amounts of usable and actionable data from the execution of malware samples. We get feedback from basic static analysis, as well as from runtime data. We get all the usual system modification data, and full and complete network/communication data, and samples and memory dumps from second-level threats (dropped, created, downloaded entities). And it’s all done in a safe environment, with extremely robust reporting.

To fully illustrate, let’s focus on the Trojan that affected the Israeli police. In the McAfee universe, we detect this threat as Generic Dropper.p.

To start with, you simply submit your sample(s) to the ValidEdge appliance/host. The ways to do that vary depending on implementation. In my setup, it’s as simple as dropping the file, via FTP, on the appliance, then picking up the results set the same way (different directory on the FTP server). Easy and fast. I immediately had a set of results from my submission of the following sample:

The result sets are organized as a specific directory structure.

Analysis report sample

This is where we typically end with most tools. The exception here, from my experience, is that there is much more data generated by the appliance to start taking action on.  The way in which the information is organized is also very friendly and workable. Some basic examples follow:

Sample Data	Sample Data 2
Sample Data 3	Sample Data 4

From here we can get enough static data to build a picture of the malware and its behavior. We also have network data and full memory dumps and screenshots at our disposal should we need to dig further.

Memory dumps

PCAPs

All the secondary/dropped files are presented as well. As such, these can be easily analyzed in context.

Dropped files

Dropped files, specific to this threat, are detected via McAfee Global Threat Intelligence along with the current DATs.

Example:

Name: word.exe
MD5: 2BFE41D7FDB6F4C1E38DB4A5C3EB1211
Detection: Artemis!2BFE41D7FDB6

At this point you have plenty of information to understand what this threat is doing, how it communicates, and much more. Some would argue that deep malware analysis is an art form. But to embark on that sort of journey you need enough data to make constructive, creative, and accurate decisions. Tools like ValidEdge do exactly that.

If you would like to learn more, you can read the following sources:

• http://www.opswat.com/partners/technology-partners
• http://www.mcafee.com/us/products/network-threat-response.aspx

We see this type of attack over and over. Most recently LinkedIn and eHarmony were in the news with similar issues. This Yahoo breach is just the latest in a series of similar attacks that occur in multiples every day.

The attack was launched by the D33DS Co., whose release included this:

D33DS is probably correct in that latter sentence. But are their methods and motivation ethical or legal? That’s a different story. Regardless, Yahoo’s overlooking basic countermeasures against basic attacks (such as SQL injection) cannot be excused.

This is not the first time that Yahoo has been compromised in this way. During the last five years, Yahoo Local Neighbors, Yahoo Kids, Yahoo Classifieds, and others have been successfully targeted.
Ironically, there is a blog on SQL-injection prevention on Yahoo Voices. It was posted in 2009.

What else is interesting about the latest breach?

More than just @yahoo.com usernames and accounts were exposed. If there was ever a time to heed warnings about password reuse, especially across public and high-traffic social systems, this is it. Yahoo may have been the focus of this attack, but data in the dump could be used to target specific users from AOL, Microsoft, Google, Comcast, SBC Global, and others.

Here is a breakdown of associated domains that appear in the D33Ds release:

Yahoo breach Top 20 domains

I’ll leave you with several McAfee resources for understanding SQL injection:

• WebSec 101 – SQL Injection. http://www.mcafee.com/us/resources/audio/transcripts/websec101-sqlinjection-slides.pdf
• McAfee Security Scanner for Databases. http://www.mcafee.com/us/products/security-scanner-for-databases.aspx
• Threat Brief – LizaMoon. http://www.mcafee.com/us/resources/solution-briefs/sb-lizamoon-sql-injection.pdf
• White paper on Real-time Database Monitoring, Auditing, and Intrusion Prevention.  http://www.mcafee.com/us/resources/white-papers/wp-real-time-database-monitoring.pdf

—————————————————-

The March Security Bulletin release from Microsoft was relatively light in volume. Out of the six bulletins released, only one was rated as Critical.

And for good reason. MS12-020 includes CVE-2012-0002. This flaw is specific to the Remote Desktop Protocol (RDP) present on most current versions of Microsoft Windows. The RDP service, by default, listens on TCP port 3389. And because it’s so darn convenient, lots of people like to open their firewalls/ingress points to the traffic.

This is a bad/dangerous/insecure thing. (Choose your own favorite term.) I hope this issue (and many others before it) will influence anyone’s decision-making process when it comes to network hardening, external access, etc.

This is certainly not the first flaw in RDP. It is quite significant in that it does not require authentication to exploit the flaw–just a firing of some specially crafted packets. From that point the world (or the world that the compromised host lives in) is the attacker’s oyster. This is especially bad because the RDP service runs in kernel mode, under the System account (in most cases).

Keep in mind that it is very easy and takes little time to find targets. You see this type of situation all too often:

It's Open!

This situation very quick leads to an intruder’s trying to login via brute force, or trying something new (like the flaw described in MS12-020) !

It Actually Works!!!!!

So, what can you do to protect your environment?

McAfee, Microsoft, and others firmly recommend that you prioritize the deployment of the MS12-020 update.

Other steps:

• RDP is typically disabled by default. If there is any doubt, investigate and confirm in your environment whether and where it running.
• In Windows Vista or later, enable Network Level Authentication (NLM)
• Even if you have NLM enabled, the flaw can be exploited if the attacker can gain authentication. This means you should verify strong (nondefault, sufficiently complex) user/password combinations.

Resources

• CVE-2012-0002: A closer look at MS12-020′s critical issue
• Microsoft Security Bulletin MS12-020
• McAfee Vulnerability Manager

McAfee Coverage Data

Coverage exists in:

• McAfee Vulnerability Manager (FSL release): 3/13
• McAfee Network Security Platform (Sig release): 3/13
• McAfee Remediation Manager (V-Flash): 3/13
• McAfee DATs (partial coverage, for known PoC code, is provided as “Exploit-CVE2012-0002″ in the 6652 DATs): 3/17

CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)(E:POC/RL:OF/RC:C)

——————- UPDATES ———————————

March 15: McAfee Labs has observed in-the-wild proof-of-concept code targeting this vulnerability. There are a few varied samples that we are both monitoring and analyzing. At this time the coverage/mitigation data already in this post is still valid.

We are continuing to monitor this situation and will provide updates as needed. An updated MTIS Security Advisory has been sent to subscribers.

To stay up to date on these and other critical security events, please subscribe to our McAfee Threat Intelligence Alerts.

March 16: The last 24 hours have been a virtual flood of proof of concept (PoC) and exploit details. Some of these are reliable; some are not.

• This flaw was actually discovered by Luigi Auriemma in May 2011
• There are numerous fake code examples and scripts on Pastebin and similar sites. As is typical, links to these fakes are advertised all over Twitter, etc.
• The code examples/PoCs that are valid can successfully crash the RDP service, but do not move beyond that (to code execution or to allow for the possibility of code execution)

There have been a number of reports and studies on the SQLi threat and the extent to which various regions/platforms/verticals/etc. are exposed. The basic takeaway runs along these lines:

• On any given day, it is normal to expect to see around 1,600 SQLi attacks against the most attractive servers (Microsoft IIS/ASP.NET and Apache, for example)
• The most prevalent and attractive (to the attackers) servers or platforms could easily expect to log 40 to 80 SQLi attempts per hour

Those are the current stats. Does this mean we should not be worried about the Urchin.js attacks? Goodness, no. But, my answer would be the same for the other 1,599 attacks going on every day.

As I highlighted in my previous LizaMoon blog:

Before any of us blow our IT budgets on database security goodies, we must all take the basic first steps. Simple and core techniques, such as constraining user input, validating user input, limiting types of input, encrypting sensitive data, and designing accounts with the principle of least privilege will go a long, long way.

The same basic principle holds true for this event.

On a side note, a few other handy stats may help put this into perspective.

• According to Netcraft and a few others, there are around 505,000,000 sites on the web
• Apache is the most popular web server platform, running around 327,000,000 sites
• Microsoft (IIS/ASP.NET) is the second-most popular server platform, running around 79,000,000 sites

The SQLi attacks associated with the urchin.js script inclusion are specific to ASP.NET servers. Current stats indicate that the number of injected/affected hosts is just over 1,000,000.

This particular attack really began to take root at the beginning of this month.

Once the news broke, it was quite easy (via simple Google queries) to see evidence of the injections on affected sites.

Searchin' for Urchin

Technical Meat and Potatoes?

The injected script (urchin.js) forces the browser session to direct traffic to a number of malicious domains. At this point we have observed a variety of secondary malware. They range from the most basic generic Trojan families, to DNS changers, and now to rogue video codecs (bogus Adobe Flash Player, for example), which are backdoor Trojans.

The latest variants (example: MD5: fb4c93935346d2d8605598535528506e) are no different. This sample in particular is a rogue Flash Player install.

This Trojan contacts an number of remote hosts that are known to be “sketchy” and have been associated for years with other malware campaigns. (Remote hosts are registered under GigeNET.)

The LizaMoon Relationship

The original attack domains are:

• nbnjki.com
• jjghui.com

Both of these share the same domain registration details as the original LizaMoon attacks.

Again, both the original attack domains are registered under BIZCN.COM, which has a less than stellar reputation of associations (direct or otherwise) with malicious domains. This reputation can be traced back for several years.

Make Me Feel Safe–Again

I hope this information has put the threats in perspective. Don’t get me wrong; this attack is certainly visible, and deserves the attention of those who are exposed. I would like to stress (as we have done before) that this attack is one of many that occur constantly. Establishing a strong security posture and embracing the most basic and essential steps in web and database security will go a long way. You’ll find yourself much less exposed to Urchin.js as well as to the thousands of other SQLi attacks that are targeting your environments.

As of this writing, here’s your McAfee-specific coverage information:

We will continue to update our content/coverage/countermeasures, as the situation requires.

The proposed transaction will bring together best-in-class technologies:

•     NitroSecurity’s strong foothold in the SIEM market will help McAfee significantly expand our “Situational Awareness,” our risk and compliance coverage, and our Global Threat Intelligence capabilities

•     NitroSecurity’s SIEM management technology, which has already passed integration testing with McAfee® ePolicy Orchestrator (ePO), gives customers a single security platform for event analysis and management across the enterprise. The integration expands the capability of the McAfee ePO platform to view events, activities and logs created by networks, databases and applications.

•     The McAfee ePO platform can leverage the extended SIEM capabilities to more rapidly institute a range of monitoring and mitigation actions, such as issuing new configurations, implementing new policies, and deploying more recent software updates

I’m very excited about this acquisition and believe that NitroSecurity has the technology McAfee needs to expand its enterprise security portfolio. NitroSecurity is quite simply the most advanced SIEM on the market, and has a leadership position in Gartner’s Magic Quadrant. NitroSecurity offers the only product with integrated application monitoring, database monitoring, log management, SIEM, IPS and Network Flows in a single, active dashboard.  This capability provides the most visibility and the most advanced correlation capabilities giving McAfee true “Situational Awareness”, and will provide the best overall security solution for McAfee customers.

For more information, please visit the acquisition landing page.

Stuart McClure

GM and SVP, Risk & Compliance Business Unit, McAfee

McAfee Virtual Patching for Databases—This technology solution protects unpatched databases against known threats and all databases from common hacker techniques, without the need to modify the database or bring the database down to patch.  Utilizing a memory-based sensor, the system detects attempts to exploit these vulnerabilities, and can then issue alerts in real-time or terminate the offending session.

McAfee Security Scanner for Databases—This client-based vulnerability assessment solution complements the previously-released McAfee Vulnerability Manager for Databases and addresses the specific needs of penetration testers, auditors, consultants and Systems Integrators.  Enterprises will likely prefer the feature set of Vulnerability Manager for Databases in achieving continuous compliance objectives.

McAfee Database User Identifier— Many compliance regulations require full accountability for who did what in the database, but this detail can be lost when applications connect to the database on behalf of multiple users.   As an add-on to the McAfee Database Activity Monitoring solution Database User Identifier traces the identities of specific users as they access the database from applications using pooled connections, in order to meet audit requirements.

The addition of these three new products to McAfee’s arsenal of database security solutions provides enterprises with a strong defense against damaging database breaches. If you are developing a comprehensive security strategy for your sensitive data, the McAfee Database Security solutions can deliver the combination of visibility and policy enforcement to best meet your needs.

According to Ericsson, there will be 50 billion IP-connected devices by 2020, up from 1 billion just a year ago. These are not just the omnipresent gadgets everyone is familiar with. A bigger share is made up of the proliferation of what the industry calls embedded devices; these are often single-purpose devices such as cash registers, airport check-in kiosks, medical devices, access card readers, manufacturing equipment, programmable logic controllers, industrial control systems and much more that is now being connected. As history has proven, security is an afterthought for most manufacturers. All these devices need proper security and management that is built in from day one.

At McAfee we protect the digital world, including this emerging class of embedded devices. As we go about doing this, we have moved to a fresh, proactive strategy. The scale and sophistication of recent cyberattacks prove that the traditional reactive model is no longer adequate – and quite frankly, irresponsible. Security strategy for any piece of technology should evolve at the same or greater pace as a hacker’s attacks.

We recently assembled a team of elite experts dubbed TRACE for Threat Research and Counterintelligence Experts, who can think like criminal hackers. McAfee now has the ability to conduct deep-dive threat research into hitherto-unknown areas such as embedded devices. Our team of elite white hat hackers will be probing for unexpected vulnerabilities, giving us valuable insight into how a “black hat” hacker thinks, with the ultimate goal of uncovering the problems before the black hat hackers do and provide protection.

Armed with this knowledge, companies have a better chance of withstanding any future malicious cyber attacks on valuable assets, whether that asset is as large as a nuclear power plant or as small as an embedded heart pacemaker. Our TRACE team has helped us put together a new series of Hacking Exposed webinars on hacking embedded devices. Be sure to join those.

Small and medium sized businesses are subject to similar security, risk and regulatory requirements as their larger counterparts. However, SMBs must often rely on much smaller staff, and limited resources and technology, to effectively manage these requirements.

For SMBs, implementing a comprehensive security strategy might seem like a daunting task. By following these simple steps as part of an overall security strategy, SMBs can realize more effective data protection, lower their risk exposure, and more effectively comply with policies and regulations.

1.  Conduct a Candid Data Quality Assessment

SMBs should review the meaning, quality and timelines of the data stores stored in sensitive areas, like those that contain regulated information or intellectual property.  The assessment will identify which databases may need additional security protocols and identify vulnerabilities that could serve as a gateway for hackers in the future.

2.  Create a Detailed Description of all Data Touch Points

Creating a map of who contributes to the relevant data stores, which applications use them, and their business purpose is essential to create effective application access security roles – a crucial step in ensuring data security.  As SMBs better understand how their applications interact with their data overall, they will be able to use this information to develop more effective procedures to protect the accuracy of data where inputted.

3.  Conduct Periodic System Reviews

As new applications are deployed within an organization, it is critical to ensure these same applications have not introduced new vulnerabilities. In particular, SMBs moving toward inexpensive cloud applications (e.g., on-line backup services), where sensitive data is stored outside the business’s firewall, will need to weigh the economic benefits of deploying databases in the cloud with the risks of placing sensitive data in the hands of third parties.

4. Develop Comprehensive and Specific Security Policies

A key part of a security vendor’s ‘Value Add’ is the vast experience and wide exposure to best practices attained through customer deployments. With this in mind, SMBs should look for a security vendor with specific industry expertise and an extensive client roster in their vertical market (e.g., retail, financial services, pharmaceutical and education)

5.  Deploy Comprehensive Solutions

Similar to a large enterprise, SMBs must deliver a complete security solution in order to appropriately protect customer and company data wherever it resides.  A comprehensive approach to security must include three key features: 1) The solution is scalable and can grow as the business expands yet must also remain cost-effective; 2) It should be easy to implement and able to be deployed and maintained with minimal time and resource investment; 3) The solution should simply and reliably support all areas where sensitive date resides, including the database layer.  Database activity monitoring, coupled with vulnerability management for databases, gives SMBs a holistic view of their security posture, helps further mitigate risk, and can reduce the likelihood of a damaging breach.

Sure enough, there were a series of attacks: Night Dragon, the attack on EMC, which put SecureID tokens at risk, Sony, and, recently, Lockheed Martin.

Lockheed Martin is very important to the U.S. as a defense contractor. Some of the most critical information, such as the arsenal used in the Afghanistan war and future military technology information, are residing in the Lockheed Martin network. I don’t want to speculate how the attackers were able to break in, but there are multiple theories, one being spear-phishing. Some of the blogs and reports are correlating the Lockheed Martin attack with the EMC breach, where the attacker entered the network via a VPN. Lockheed Martin has neither confirmed nor denied this, so we have to wait for the information to unfold.

At McAfee, we see 55,000 new pieces of malware each day. There are 2,000,000 (2 million) malicious website detected each month. These numbers cannot be managed by patches or blacklisting technology alone. But before we talk about the solution, let’s look at the anatomy of an attack. Any attack involves three stages:

1. Exploit the service or application.
2. Drop and execute the payload either in the memory or on the disk.
3. Finally, get p0wned!!

You should be able to dissect any attack (e.g. Operation Aurora, Night Dragon, Stuxnet and possibly other future attacks) into these three stages. Let me briefly explain the protection. For blacklisting solutions, we need to have a signature to stop the vulnerability or the behavior-based detection to identify that something is wrong, but behavior-based detection is not 100% and signatures for zero day-vulnerabilities are not always available. Therefore, the attackers will successfully be able to go to step 2 after exploiting the “zero-day” vulnerability. Don’t forget, Stuxnet used four “zero-day” vulnerabilities. This is not a story from the movie Mission Impossible or Swordfish. This is real. Once the vulnerability is exploited, the attacker can execute payload and connect to a command and control center to download more malicious code, such as keyloggers and sniffers.

With a shift to application whitelisting solutions, you can protect against all stages of an attack. Memory protection will prevent the attacker from exploiting the vulnerability and, in case the attacker was successful in exploiting the vulnerability, the payload will not be able to execute from the disk or from the memory because payload is not part of the whitelist.

It is time to change the current structure of security – we need a combination of whitelisting and blacklisting solutions.

Look for a solution that can cater to your server and desktop environment and support a Unix or Windows operating system.

For Lockheed Martin, there is a possibility that it is linked to the RSA token breach. Regardless, it is a crucial reminder that we must design a layered defense. While designing the internal layer, we should assume that the outer defense layer has already been breached.  Application whitelisting is going to play a huge role in security architecture in the years to come! Next time you are designing a security architecture with VPN, firewall, two-factor authentication or antivirus, ask yourself a simple question: If there is a zero-day vulnerability, will a security breach on my system be prevented with any of these technology?

The systems in question are advanced controllers that cannot afford to behave erratically as it can lead to lost time, destruction of property, production safety issues and even fatalities. The consequences of altering the integrity of integrated automation systems are somewhat predictable and very unpleasant. Implementing off-the-shelf security solutions on these systems can be very risky if not thoroughly examined and tested. Furthermore few companies have adequate test environments or the resources to explore this option.   

We are pleased that Siemens-Division of Industry Automation has tested the compatibility of McAfee Application Control with their systems to defend against advanced persistent threats. As part of this joint effort, McAfee Application Control for Siemens-Division Industry Automation is available now from McAfee and its partners to deliver effective security controls and ongoing integrity of these systems.

No one wants to consider the disruptive possibilities that advanced persistent threats bring to our world. We at McAfee will continue to monitor these threats and look for ways to provide proper protection.