Cisco Blogs

Down the Rabbit Hole: Botnet Analysis for Non-Reverse Engineers

This post is authored by Earl Carter & Holger Unterbrink.

Overview

Talos is often tasked with mapping the backend network for a specific piece of malware. One approach is to first reverse engineer the sample and determine exactly how it operates. But what if there is no time or resources to take the sample apart? This post is going to show how to examine a botnet from the Fareit family, starting with just an IP address. Then, using sandbox communities like Cisco ThreatGRID and open source products like Gephi and VirusTotal, we will track down and visualize the botnet.

Talos recently discovered some activity from the Fareit trojan. This family of malware has a significant history associated with malware distribution. It is mainly an information stealer and malware downloader network which installs other malware on infected machines. In this campaign, it mainly tries to steal Firefox and other credentials. It is possible that this botnet is sold as a pay-per-infection botnet in the underground markets. Pay-per-infection is an underground business model where criminals are paying other criminals to distribute their malware. The analysis below was mainly done in July 2015. Let’s take a walk on the wild side….

AMP's behaviour-based detection found suspicious executables in one of our customer networks that downloaded files from the following URLs.

http://89.144.2.119/cclub02.exe
http://89.144.2.115/cclub02.exe

We began analysing the infrastructure with a focus on these two IP addresses and checked what other files they had been distributing. Initial analysis showed that VirusTotal had seen 25 and 38 files, respectively, distributed from these two IP addresses. Almost all of the files in VirusTotal had different hashes but similar or identical filenames. The following list is a sample of the files found in VirusTotal.

1197cb2789ef6e29abf83938b8519fd0c56c5f0195fa4cbc7459aa573d9e521b (cclub02.exe)
58f49493aa5d3624dc225ba0a031772805af708b38abd5a620edf79d0d3f7da0 (cclub02.exe)
d1b98b7b0061fbbdfc9c2a5a5f3f3bbb0ad3d03125c5a8ab676df031a9900399 (cclub02.exe)
c054e80e02c923c4314628b5f9e3cb2cad1aa9323cbcd79d34205ad1e3cad6c3 (cclub12.exe)
bd30242996a3689c36008a63d007b982d9de693766d40e43fe13f69d76e61b63 (cclub12.exe)
c609ef45f7ff918cbac24755a3a3becc65d1c06e487acd801b76a1f46e654765 (tarhun1.exe)


Point of Persistence

Several recent cyber attacks have served as great reminders that we need to continue to re-assess how we are protecting our networks and ensure that we make no assumptions of any device being secure in the network.

One example of this is “SYNful Knock,” a type of persistent malware that allows an attacker to gain control of an affected Cisco device and compromise its integrity with a modified Cisco IOS software image. The attack did not leverage any product vulnerabilities, and was shown to require valid administrative credentials or physical access to the victim’s device. Cisco customers can find more information and resources about SYNful Knock in the SYNful Knock Event Response Page. One can easily say, “Hey, they would need console access and valid credentials in order to successfully upload new firmware.” In the old days we had a saying, “He who owns the console, owns the system.” That used to be true before consoles were connected to terminal servers, which essentially give anyone on the network the equivalent of physical access. One thing that is certain is that for someone to upload firmware into a router, they definitely had a reliable “Point of Persistence.”

Another recent high-profile attack, although there have not been any confirmed detailed reports on how the attack occurred, included indications that the attackers may have achieved a firm “Point of Persistence” in the network by compromising a printer. When I say persistence in this case, I mean persistence lasting orders of magnitude longer, as indicated by the plethora of information that was leaked. I am intentionally leaving out links and references here and I encourage interested readers to do their own research to confirm the “loosely regarded” information. What we do know as an industry is that we have long known about the risk of printers being compromised in our networks. I just don’t think anybody viewed printers as a potential pivot point for cyber attackers at the time.


It’s That Time Again—Announcing the Cisco IOS & XE Software Security Advisory Bundled Publication

Today, we released the last Cisco IOS & XE Software Security Advisory Bundled Publication of 2015. As a reminder, Cisco discloses IOS vulnerabilities on a predictable schedule (the fourth Wednesday of March and September each calendar year). Last cycle, we began including Cisco Security Advisories addressing vulnerabilities in Cisco IOS XE Software in this publication. This change was a direct result of your feedback, and we hope the timeline and additional “bundling” continues to allow organizations to plan and ensure resources are available to analyze, test, and remediate vulnerabilities in their environments.

Today’s edition of the Cisco IOS & XE Software Security Advisory Bundled Publication includes three advisories that affect the following technologies:

  • IPv6 First-Hop Security
  • SSH Version 2 (SSHv2)
  • Cisco IOS XE Software

You may recall that Cisco announced enhancements to the Cisco IOS Software Checker last year. As my colleague Kevin Saling shared, the tool can display first-fixed software release data based on the combination of Cisco IOS Software releases and Cisco Security Advisories selected. Users can now quickly identify the first release that addresses all vulnerabilities disclosed in the selected advisories.

SYNful Knock Scanner

This post was authored by William McVey.

Update 9/23: We updated the tool to version 1.0.1.

Talos is constantly researching the ways in which threat actors are evolving to exploit systems. Recently, a piece of persistent malware dubbed SYNful Knock was discovered on Cisco routers. While this malware attack is not a vulnerability, as it had to be installed by someone using valid credentials or who had physical access to the device, Cisco has published an Event Response Page for customers that provides the information needed to detect and remediate these types of attacks. We are also working with partners to identify compromised systems.

The most recent addition to the toolkit Cisco is providing customers comes after the Cisco PSIRT worked with internal teams and customers to acquire copies of the malware. Talos has now developed a tool that customers can use to scan their own networks and identify routers that may have been compromised by this specific malware. The tool works by scanning devices and networks, looking for routers that respond to the SYNful Knock malware’s “knock.”

Note: This tool can only detect hosts responding to the malware “knock” as it is known at a particular point in time. This tool can be used to help detect and triage known compromises of infrastructure, but it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.


Cognitive Research: Fake Blogs Generating Real Money

Summary

In the past several months, Cisco Cognitive Threat Analytics (CTA) researchers have observed a number of blog sites using either fake content or content stolen from other sites to drive traffic to click on ad-loaded web sites. We have observed traffic volumes of up to 10,000 requests per hour, targeting hundreds of sites. The estimated lifetime of this campaign is at least 9 months. With a single click worth anywhere from $0.01 to $1, these scams can yield substantial returns for their owners.

Fake blogs are not new, but these actors are operating with a slightly different MO. Effort has been made to evade web-reputation-based blocks and to hide from the eyes of investigators. First, we observe a large number of similar sites with generated domain names built from dictionary words and topics. At first sight these sites look like benign, content-rich travel blogs. Second, most of the intermediate infrastructure will redirect an unexpected request away towards Google, making investigation more difficult.

The general traffic pattern was observed as follows:

  1. Large numbers of requests arrive at the fake blog sites from infected clients. To look less suspicious, the requests resemble search queries – for example: cruiserly.net/search/q/greyhounds.
  2. A series of redirects follows via intermediate sites that are already associated with click fraud – for example: findreek.com.
  3. These redirects bring the clients to another set of fake sites with travel-related names (e.g. tourxperia.com); this time the sites have no content.
  4. Finally, clients are sent to browse arbitrary web sites to generate clicks and/or revenue.
