
Craig Williams and Jaeson Schultz have contributed to this post.

We blogged in September of 2013 about variants of Havex. A month ago, on June 2, 2014, I had the chance to give a presentation at AREA41. In my presentation, “The Art of Escape,” I talked about targeted attacks involving watering holes.

If we look at the timeline of the attacks, we see two clear impacting factors:

This explains why we saw an increase in watering hole attacks peaking in August.

[Figure: Havex attack timeline]

I noticed different URL patterns being used to serve different pieces of malware. We observed patterns such as “dwl=fne” and “dwl=fnl”. The LightOut Exploit Kit (EK), currently increasing in visibility in the industry, was in fact the same EK used in several watering hole attacks targeting the energy sector. We have seen the following two IP addresses used by the command and control infrastructure, or have identified them by reverse engineering the actual malware samples.

The malware variants I worked with had several notable traits, including an escape mechanism (a check for the following analysis tools) which we can use to identify the malware:

    1. Wireshark
    2. CommView
    3. HTTP Analyz
    4. TracePlus32
    5. Network Analyz
    6. HTTP Snif
    7. Fiddler
    8. Proxifier
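As an added example (not code from the original post or from Cisco), the following Python helper turns two of the traits described above into defensive checks: it scans a binary for the embedded analysis-tool names listed here, and scans proxy log lines for the “dwl=fne” / “dwl=fnl” download patterns mentioned earlier. The hit threshold and the sample binary and log lines are constructed assumptions of this example.

```python
import re

# Analysis-tool names the post reports the malware checks for (its escape
# mechanism); their presence as embedded strings is one identifying trait.
TOOL_NAMES = [
    "Wireshark", "CommView", "HTTP Analyz", "TracePlus32",
    "Network Analyz", "HTTP Snif", "Fiddler", "Proxifier",
]
# The two URL query patterns the post observed on the download traffic.
DWL_RE = re.compile(r"[?&]dwl=(fne|fnl)\b")

def find_tool_strings(blob):
    """Tool names embedded in a binary, matched case-insensitively as ASCII
    and as UTF-16LE (Windows binaries often carry wide strings)."""
    low = blob.lower()  # bytes.lower() touches only ASCII bytes, so it also
    found = []          # lowers UTF-16LE text correctly
    for name in TOOL_NAMES:
        if any(enc.lower() in low for enc in
               (name.encode("ascii"), name.encode("utf-16-le"))):
            found.append(name)
    return found

def looks_like_havex_dropper(blob, min_hits=4):
    """Heuristic verdict. One or two names also occur in benign software, so
    require several together; the threshold is this example's assumption."""
    return len(find_tool_strings(blob)) >= min_hits

def find_dwl_requests(log_lines):
    """(line number, dwl value) for each proxy log line whose URL carries
    the dwl=fne or dwl=fnl pattern."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = DWL_RE.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits

# Constructed sample inputs for a stand-alone run (not real indicators).
SAMPLE_BIN = b"MZ\x90\x00" + b"".join(
    n.encode("utf-16-le") + b"\x00\x00" for n in TOOL_NAMES[:5])
SAMPLE_LOG = [
    "2014-06-02T10:00:01Z GET http://example.invalid/index.php?dwl=fne",
    "2014-06-02T10:00:05Z GET http://example.invalid/news/page.html",
    "2014-06-02T10:00:09Z GET http://example.invalid/a.php?id=3&dwl=fnl",
]

if __name__ == "__main__":
    print(find_tool_strings(SAMPLE_BIN), looks_like_havex_dropper(SAMPLE_BIN))
    print(find_dwl_requests(SAMPLE_LOG))
```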

Additionally, we noticed some interesting command strings in the binaries:

At that time I didn’t know why the samples had so many traits in common, but this was certainly not due to chance. The list of security tools on some variants was smaller, indicating that the malware authors actively supported and improved variants to make them more difficult for security researchers to analyze.

I was able to identify two key types of traffic, one to download more malware:

[Figure: first version of the download request traffic]

And another request to the command and control server to deliver another type of malware family entirely! This malware is currently identified as Havex RAT:

[Figure: Havex RAT command and control traffic]

If you disassemble previous Havex RAT DLL versions, you will usually find a significant number of command and control servers, which are often reused to deliver different types of malware.

[Figure: command and control servers extracted from a Havex DLL]

In June, based on the details we extracted from the Havex DLLs we blocked 124 command and control servers.

One thing I observed during my analysis was a relatively unknown botnet kit known as “DREAM LOADER v1.0”. If you look closely at the command and control options offered by this botnet kit, you will see a strong similarity of commands between this and Havex; the command set is nearly identical.

[Figure: DREAM LOADER v1.0 control panel, Russian-language screenshot]

Translated with Google, it gives us the following details:

All known command and control servers have been blocked for Cisco web security customers. We will continue to monitor the situation and respond accordingly. It’s important to realize most if not all of these sites have been compromised and may be in various stages of remediation.

Havex detection in this case was a great testament to our AMP technology and its machine learning features.  When we started looking into the hashes that were convicted as part of Havex, we noticed that all of the detection was automatic, meaning, humans didn’t have to do anything to make sure the samples were convicted as malicious.  AMP has the ability to look at files, compare them to other evil pieces of malware, look into things like the child or the parent of the malicious file, or even observe the behavior of the file in the wild.  In this case, AMP auto-convicted all the Havex samples as “W32.Backdoor:HavexE.17ib.1201”.

The Sourcefire IPS also catches Havex and its variants with Signature Identification (SID) numbers: 31247-31256.  These pieces of detection look for the outbound connection to the CNC, the response from the CNC, as well as the domain lookups for infected machines.


1 Comment.


  1. please examine linux ELF binaries too.
