CSIS News: The Rovnix reincarnation

Back in June 2014, we discovered a new malware campaign that was using a new DGA. This sparked our interest.

After unpacking, some of the samples that we retrieved contained an interesting debug string “ISFB” inside the binary code.


We initially assumed that this was related to Gozi2, as several other sources had already reported the same observation. After further investigation, however, we found that the ISFB debug string is in fact the private (internal) name for Rovnix.

A description of Rovnix was already published by our friends at ESET and can be found here: http://www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-step-of-evolution/
In the current version of Rovnix, the bootkit component has been removed; it now consists solely of a user-mode component.

Protocol

In the latest Rovnix variant, the author changed the protocol in order to avoid traffic detection by patterns. The bot now generates a random file name for the server-side script, of which only the first letter matters. It can be one of the following three: “c” for config.php, “t” for task.php and “d” for data:

Data is sent with a randomly generated value, encoded in base64:

Campaigns:
We have observed three campaigns, all of which are targeting countries in the EU.

Campaign 1: Poland
Sample 1:
MD5: 3435c8ef4a12426347b2c92b35eada4a
Version: 2.12.220

C&C:
Rovnix communicates back to its C&C using a POST request like the one provided below:
http://kingthand[removed by CSIS].biz/task.php?version=212220&user=[user ID]&server=12&id=1000&crc=9daa74

As you can see, the request is not encrypted. However, it is compressed as a CAB using “cabinet.dll”.

DGA (Domain Generation Algorithm)
Rovnix implements a DGA that builds domain names from words taken from the text of the US Constitution, as published at http://constitution.org/usdeclar.txt

Sample domains:

accordinglytathdivine.com
operationlegislative.eu
brethavepeotaking.com
abolitbegunknown.eu
prerightlacoursewh.cn
governmentformsact.eu
overmartimeconstrains.cn

Sample 2:
MD5: 3a012ed8a0b5324b4d4a6decd4ba864d
Rovnix version: 2.12.309
VT first submission: 2014-06-13

This variant communicates with its C&C over a secure (HTTPS) connection. Below is a small snippet for illustration:

https://accordinglytath[removed by CSIS].com/tvbirkod.php?jacwsn=Y3B3ZWM9ZWFxeXgmdmVyc2lvbj0yMTIzMDkmdXNlcj0xNzZmZjhiMDc3NTc2YWNlYzEyYzliM2U4MjJiNzg3NiZzZXJ2ZXI9MTImaWQ9NzEyODg5JmNyYz1lMmFmJndkYXRhPTIwMTQwNzIy

Instead of encrypting the communication, it encodes the parameter value using base64.

Decoded string:
lewev=kkmaybjia&version=212309&user=[user ID]&server=12&id=712889&crc=157cf&wdata=20140722
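As an added illustration of the two check-in formats described above (the single-letter script name with a plain query, and the single base64-encoded parameter), here is a small Python classifier written for this page; it is not CSIS code. The hostnames, the user ID and the random parameter names in the sample URLs are constructed placeholders.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Meaning of the first letter of the randomly generated script name (from the post).
REQUEST_KINDS = {"c": "config", "t": "task", "d": "data"}
# Fields the post shows in both the plain and the base64-encoded check-in.
EXPECTED_FIELDS = {"version", "user", "server", "id", "crc"}


def decode_param(value):
    """Base64-decode one query value; returns None if it is not base64 text."""
    value = value.strip().replace(" ", "+")  # parse_qs turns '+' into a space
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_request(url):
    """Describe a Rovnix-style check-in URL, or return None when it does not match.

    Handles both forms from the post: a plain query (task.php?version=...&user=...)
    and a single base64 parameter whose decoded value carries the same fields.
    """
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    if not script.endswith(".php") or script[:1] not in REQUEST_KINDS:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    decoded = None
    if EXPECTED_FIELDS <= set(qs):
        decoded = parts.query
    elif len(qs) == 1:
        candidate = decode_param(next(iter(qs.values()))[0])
        if candidate and EXPECTED_FIELDS <= set(parse_qs(candidate)):
            decoded = candidate
    if decoded is None:
        return None
    fields = {k: v[0] for k, v in parse_qs(decoded).items()}
    return {"kind": REQUEST_KINDS[script[0]], "encoded": decoded != parts.query, "fields": fields}


# Constructed sample URLs: hostnames, user ID and random parameter names are made up.
SAMPLE_PLAIN = "http://c2.example/task.php?version=212220&user=USERID&server=12&id=1000&crc=9daa74"
_SAMPLE_QUERY = "lewev=kkmaybjia&version=212309&user=USERID&server=12&id=712889&crc=157cf&wdata=20140722"
SAMPLE_ENCODED = "https://c2.example/tvbirkod.php?jacwsn=" + base64.b64encode(_SAMPLE_QUERY.encode()).decode()
```

Run over proxy or sinkhole logs, the classifier flags both the older plain-text check-ins and the newer base64-wrapped ones, while ordinary `.php` requests whose parameters do not decode to the expected fields are left alone.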

Sinkhole heat map for campaign 1:

Campaign 2: Fast Flux
MD5: 1b3ccd2b97c0544ecc1c4929bcdb2ef1
MD5: 746e93b066c968572c415e2d19be95b0

C&C: musicvideo[removed by CSIS].ru (the old C&C), now superseded by goliath[removed by CSIS].com


Compared to the previous campaigns, the criminals have added encryption in the recent ones to protect the communication with the C&Cs.

BOT version changed to “version=2.12.356”.

Campaign 3: Norway
We are currently investigating a campaign in which the target of the attacks is Norway. This specific campaign is related to Rovnix versions 2.11.295 and 2.11.319.

This campaign differs from the above in the following ways:
–    added key for encryption
–    removed CAB compression

We assume this version is mainly used for debugging and testing webinjects.

C&C Panel
In the current campaign targeting Norway, a new version of the control panel, dubbed “IAP”, is used. The C&C panel was probably rewritten and renamed after a bug affecting the previous version was publicly reported. We managed to obtain a manual for setting up the panel, which is written in Russian.

Translated to English:

Project IAP, version 1.0 beta
Introduction
The IAP project is a web control panel for managing and controlling the ISFB product (hereinafter: the client). More information about the project can be found in the user manual. This document only describes the installation of the panel on the server.
Note: this document does not cover the optimization and server settings needed for maximum performance. These settings should be made separately.

And that concludes it for now. Rovnix has rebooted!

We have added detection for this malware to Heimdal PRO and Corporate and are blocking the malicious domains in the CSIS Secure DNS solution.

Research credit: Yurii Khvyl, CSIS eCrime Unit 2014.


CSIS Blog: Nike, ECCO, and Gucci injections

During the past couple of weeks, CSIS has monitored a swarm of automated script injections being implemented against vulnerable web servers.

The purpose is to lure victims from a legitimate website on to a fake shop where, among other things, cheap Nike AIR running shoes are offered at less than half the market price. This is of course an outright swindle, and you should keep far away from this type of offer, which for good reason sounds too good to be true.

The wave in question is primarily aimed at older ASP installations and has even been localized. Apart from Denmark, it also affects countries such as Sweden, Germany, Norway, Finland and Austria. Besides ASP, popular software packages like Joomla and WordPress are also affected, as are, not least, their associated plugins.

Nike AIR is merely part of a larger campaign in which naive users are tempted to buy counterfeit goods manufactured in Asia. Apart from Nike, the same instigators also offer cheap goods from, among others, Gucci and ECCO. The Gucci campaign is injected in a manner similar to the Nike AIR campaign and is recognizable by a sub-page named “gucci2014.html”, while the ECCO campaign uses “ecco-sko-børn-udsalg.html” (in English: ecco-shoes-children-sale.html).

ECCO

An example of a typical fake shop, which is active right now, is provided below:

The domain's ‘whois’ information has been hidden using Whoisprotection.cc, and the servers are physically located in China:

A list of legitimate Danish websites which have involuntarily had the malicious scripts and references embedded, and which thereby send their visitors on to swindle shops, can be found below:


On rejseplanen.dk, a sub-page was found which apparently allows comments uncritically in its blog post function. Please note that here, contrary to the other examples, these are not live script injections but blog posts. This can of course be bad, but it is not as serious as actual script injections.

Apart from sending visitors directly on to the fake shop, URL shorteners such as bit.ly as well as simple script obfuscation are used.

The most active domains right now, all of which have been blocked in CSIS Secure DNS, include for example:

bestbag-2014.com
js-jpshop.com
myjpstore.com

The domains are, among others, resolving to the IP address 64.235.47.169, where it is easy to see that this server hosts a nest of fake domains.

A small fraction can be found below (spacing inserted by CSIS):


CSIS continues to block these domains in CSIS Secure DNS and generally warns against shopping in these shops. When buying goods there, you will either receive nothing at all or only low-quality counterfeit goods.


CSIS Blog: Money mule recruitment in German

As I write this, IT criminals are sending out cascades of spam e-mails offering jobs as money mules. What is interesting, however, is that they probably mixed up .de with .dk, because all of the analyzed spam e-mails are written in German but have been sent to .dk e-mail addresses. This is hardly intentional.

We have seen the following subjects used:

Kundenberater (Customer advisor)
Brauchen Sie das Geld, lernen Sie zu verdienen! (Do you need the money? Learn how to earn it!)
Hochbezahlte Arbeit von zu Hause (Highly paid work from home)

The complete spam e-mail looks like this:


The domain to which potential future mules are asked to reply also indicates that the campaign was intended for the German market:

xpatjobsde.com

The domain is controlled by the name server: nsx.tauthichmi.net, pointing to 178.33.214.99. 

The campaign can be tied to the domains below, which obviously serve similar purposes or are ready for other scams:


All of the above domains, which have nothing to offer apart from humbug and swindle, have already been blocked in CSIS Secure DNS and in Heimdal PRO and Corporate.


CSIS Blog: CSIS participates in the AVAR2014 conference


Malware researchers Iurii Khyvl and Peter Kruse from the CSIS eCrime Unit have been selected to speak at this year's AVAR conference, to be held November 12-14, 2014, in Sydney, Australia. The topic of the talk is “The History of HesperBOT”.

The conference, which is hosted by the “Association of anti-Virus Asia Researchers” and organized by ESET, brings together some of the world's leading researchers and malware experts.

This year’s keynote at AVAR is Graham Cluley, whom many of you perhaps remember from his time at Sophos. The title for his keynote is: “What 20 years working in the Anti-Virus industry taught me”.

Other speakers and exciting topics include, among others:

– Stealing the internet, one router at a time, Peter Kosinar (ESET)
– POS Malware: Are we really defenseless?, Ciprian Oprisa & George Cabau (Bitdefender)
– Hardware security, Igor Muttik (McAfee)
– Dragonfly threat actor: TTP, Marcin Siedlarz (Symantec Corporation)
– Mobile Underground Activities in China, Lion Gu (Trend Micro)
– Inside Android banking botnets, Roman Unuchek (Kaspersky Lab)
– Operation Oil Tanker, Luis Corrons (Panda Security)

Very exciting lineup of speakers and topics indeed.

We suggest you visit the AVAR 2014 website for more details:
http://www.avar2014.com


CSIS Blog: Dyreza on the hunt

This past week, we have observed a wave of spam e-mails being sent to random addresses, each containing a short link to a compromised web server on which a malicious file is hosted.

If the victim is fooled into clicking the link, it serves up a zip file, e.g. “Documents.zip”, “Document-[random numbers].zip”, “eFax -[random numbers].zip” or “CompaniesHouse-[random numbers]”, which when unzipped and run infects the system with the downloader known as Upatre. Next, it fetches and executes Dyreza, a recently discovered banking trojan, which is downloaded from a list of URLs specified in the downloader.

The e-mail lures use subjects such as:

Important docs
You have a new Secure Message
You’ve received a new fax

They are spoofed so that they appear to come from several banks, primarily in the UK. The links are shortened using the legitimate service goo.gl, which redirects to e.g.:

http://ste-fun.ovh.org/Documents.zip
http://www.zespolpik.pl/Documents.zip
[…]

As previously mentioned, the code is “Upatre”, which, when executed, drops itself onto the system as: LOCALS~1\Temp\wrzjs.exe.

It then makes several HTTP GET requests to download the main payload:


Current Dyreza C&C is located at OVH: 94.23.247.202.

More info on Dyreza:
https://www.csis.dk/en/csis/news/4262/


CSIS News: Tinba/Hunterz source code published

In 2011, the source code for the ZeuS crimekit was leaked on the Internet. CSIS was the first to report this, and the blog post can be found here: https://www.csis.dk/en/csis/blog/3229/. As a direct result of the ZeuS source code leak, several IT criminals were inspired by the code and even improved on it, producing newer and more powerful commercial crimekits such as Citadel. Later, in mid-2012, we broke the news about the smallest banking trojan ever discovered, which we dubbed “Tinba” (aka Tinybanker) because of its small size (only approximately 20KB).

Last week we found an interesting post on a closed underground forum. It came with source code which, after further analysis and investigation, turned out to be the source code of Tinba version 1 from 2011/2012.


This is the code that our first information about Tinba was based upon: https://www.csis.dk/en/csis/news/3566/

Just a few weeks ago, CSIS gave a presentation at FIRST in Boston, USA, with the title “Outside of Tinba, looking in”. The presentation has not been released to the public, but it clearly documents how the Tinba code was likely sold or made public and has since been reworked and improved by more individuals than were originally involved in version 1. In 2012, we released a joint technical paper with our friends from Trend Micro named “W32.Tinba (Tinybanker) The Turkish Incident”, which is available here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf

So, our research on this malware and the group behind it has proven to be correct. Sometime around 2012, the Tinba version 1 source code was taken over by new criminals, and it is precisely this version 1 source code that has now been made available to the public, not the code being used in current and ongoing attacks.

The leaked Tinba source code comes with complete documentation. It is nicely structured, and our initial analysis shows that the code compiles and runs without problems.


We don't expect the Tinba source code to become a major inspiration for IT criminals, as was the case with ZeuS. However, making the code public increases the risk of new banking trojans arising that are partially based on the Tinba source code.

The complete Tinba source code is approx. 2MB.


CSIS News: The Shylock operation

On the 9th of July 2014, all known Shylock domains were taken over in a coordinated law enforcement operation, with the UK's National Crime Agency (NCA) as the key player, working together with several private companies, including CSIS Security Group A/S.

The purpose of the Shylock takedown operation was to dismantle the botnet and redirect infected hosts to removal tools and solutions for infected Microsoft Windows end users. The CSIS solution ‘Heimdal Security Agent’ is one such tool; it is capable of both detecting and removing all known variants of Shylock. It also blocks access to all of the known Command & Control servers (C&C).

Shylock is a data stealing malware. It was discovered in 2011 and CSIS has since been tracking the operation and development of this malware family.

The primary targets of the Shylock gang have been Great Britain, Holland, Germany and Italy. The gang has stolen a significant amount of money from both individuals as well as small/medium businesses.

Below we have provided an infection heat map based on CSIS sinkhole statistics:


CSIS has provided the following information on Shylock to help make this operation a success:

–    Binaries and plugins
–    Domains and information about hosting providers
–    Sinkhole statistics
–    Money mule accounts
–    Intelligence about the suspects behind Shylock
–    Detection and removal tool with Heimdal

CSIS has been working closely with several key players in this and past takedowns such as ZeuS Gameover. We shall continue our efforts in protecting Microsoft Windows end users from getting infected and losing money.
