Cisco Blogs

Cisco Blog > Threat Research

Down the Rabbit Hole: Botnet Analysis for Non-Reverse Engineers

This post is authored by Earl Carter & Holger Unterbrink.


Talos is often tasked with mapping the backend network for a specific piece of malware. One approach is to first reverse engineer the sample and determine exactly how it operates. But what if there is no time or resources to take the sample apart? This post is going to show how to examine a botnet from the Fareit family, starting with just an IP address. Then, using sandbox communities like Cisco ThreatGRID and open source products like Gephi and VirusTotal, we will track down and visualize the botnet.

Talos recently discovered some activity from the Fareit trojan. This family of malware has a significant history associated with malware distribution. It is mainly an information stealer and malware downloader network which installs other malware on infected machines. In this campaign, it mainly tries to steal Firefox and other credentials. It is possible that this botnet is sold as a pay-per-infection botnet in the underground markets. Pay-per-infection is an underground business model where criminals are paying other criminals to distribute their malware. The analysis below was mainly done in July 2015. Let’s take a walk on the wild side….

AMPs behaviour based detection found suspicious executables that downloaded files by using the following URLs in one of our customer networks.

We began analysing the infrastructure with focus on these two IP addresses and checked what other files they had been distributing. Initial analysis showed that VirusTotal found 25 and 38 files distributed from these two IP addresses. Almost all of the files in VirusTotal had different hashes, but similar or identical filenames. The following list is a sample of some of the files found in VirusTotal.

1197cb2789ef6e29abf83938b8519fd0c56c5f0195fa4cbc7459aa573d9e521b (cclub02.exe)
58f49493aa5d3624dc225ba0a031772805af708b38abd5a620edf79d0d3f7da0 (cclub02.exe)
d1b98b7b0061fbbdfc9c2a5a5f3f3bbb0ad3d03125c5a8ab676df031a9900399 (cclub02.exe)
c054e80e02c923c4314628b5f9e3cb2cad1aa9323cbcd79d34205ad1e3cad6c3 (cclub12.exe)
bd30242996a3689c36008a63d007b982d9de693766d40e43fe13f69d76e61b63 (cclub12.exe)
c609ef45f7ff918cbac24755a3a3becc65d1c06e487acd801b76a1f46e654765 (tarhun1.exe)

Read More »

Tags: , , , ,

Security Beyond the Sandbox

A few years ago sandboxing technology really came of age in the security industry. The ability to emulate an environment, detonate a file without risk of infection, and analyze its behavior became quite a handy research tool. Since then, sandboxes have become relatively popular (not nearly on the same scale as anti-virus or firewalls) and can be found in larger organizations. You may even have purchased a sandbox a few years ago, but it’s likely that your malware analysis needs have gone beyond the traditional sandboxing technologies that simply extract suspicious samples, analyze in a local virtual machine, and quarantine.

It’s time to go beyond using sandboxing as a standalone capability in order to get the most out of it. You need a more robust malware analysis tool that fits seamlessly into your infrastructure and can continuously detect even the most advanced threats that are environmentally aware and can evade detection.

There are three typical ways that organizations purchase and deploy sandbox technology.

  1. A stand-alone solution designed to feed itself samples for analysis without dependency on other security products. This has the most flexibility in deployment but adds significant hardware costs and complexity to management and analysis, especially for distributed enterprises.
  2. A distributed feeding sensor approach, such as firewalls, IPS, or UTMs with built-in sandboxing capabilities. These solutions are usually cost effective and easy to deploy but are less effective in detecting a broad range of suspicious files including web files. They can also introduce bandwidth limitations that can hamper network performance and privacy concerns when a cloud-based solution is the only option.
  3. Built into secure content gateways, such as web or email gateways. This approach is also cost effective but focuses on web and email channels only and also introduces performance limitations and privacy concerns.

But there’s a fourth way that actually takes the best of what these approaches offer and raises the bar to help you fight well-funded attackers that get better at what they do every day: Cisco AMP Threat Grid. Through AMP Threat Grid, Cisco offers advanced malware analysis and intelligence that delivers a better ROI, better integration, and more visibility into what is happening in your environment. Don’t take my word for it, though. The Center for Internet Security recently described how they are using it to analyze malware samples from more than 19,000 state, local, tribal, and territorial governments.

AMP Threat Grid is available as an on-premises standalone malware analysis solution and as a cloud-based SaaS solution that provides a REST API to automate sample submissions from a wide range of technologies you have already invested in, including:

  • Firewalls and Unified Threat Management (UTM) devices from the most popular vendors, including, of course, Cisco ASA
  • Gateways for both Email and Web traffic
  • Proxy Servers
  • Security Information and Event Management (SIEM) systems
  • Governance, Risk, and Compliance (GRC) tools
  • And numerous others

Cisco has already integrated AMP Threat Grid’s malware analysis capabilities into AMP for Endpoints. This provides advanced malware analysis as part of AMP’s powerful continuous analysis and retrospective security capabilities. AMP Threat Grid is also integrated into Cisco Email and Web security solutions, providing more eyes in more places. Watch this video to hear how ADP have integrated AMP Threat Grid into their business to become an intelligence-led security organization

Each of these solutions eliminates cost and complexity while offering the ability to analyze a broad range of suspicious objects automatically, including executables, libraries (DLLs), Java, PDF, MS Office documents, XML, Flash, and URLs. Most submissions are analyzed in an average of 7.5 minutes. Not only does AMP Threat Grid analyze a broad range of objects, but it also provides deep analytics capabilities wrapped with robust context. With over 450 behavioral indicators and a malware knowledge base sourced from around the globe, AMP Threat Grid provides more accurate, context rich analytics into malware than ever before.

All samples are given a threat score based on severity and confidence that provides a quick and easy way for junior security analysts to prioritize actions and make better decisions. The threat score is on a 0-100 range, with 100 being known malware and the rest ranging from suspicious to benign because malware is not a yes or no answer.

Perhaps even most importantly, AMP Threat Grid knows its audience; it has no instrumentation within the virtual environment ensuring that even the most sophisticated environment-aware malware is caught. It’s an essential way to rise to the challenge of advanced attackers.

To hear more about how your organization to move beyond the sandbox, watch this webinar featuring experts from Forrester Research, ADP, and Cisco.

Tags: , , ,

Espionage in the Internet Age

If you had asked me a few years ago, I might have predicted that the rise of large scale hacking and network-based Advanced Persistent Threats (APTs) would spell the end of old-school espionage (poison-tipped umbrellas, office break-ins, dangles and the like). Those of us who fancy ourselves logical, savvy cyber security specialists can be forgiven for thinking such analog antics wouldn’t persist in a digital world.

And yet, human espionage remains a nagging issue. A Russian spy ring was disrupted in New York in January. New stories about employees stealing trade secrets from their employers regularly make headlines, such as this one in May. More than one article alleges that Vienna and Lausanne (home to recent Iranian nuclear negotiations) are swarming with spies from Tehran. And these are just the stories that get reported.

There is no question that spycraft is changing with the times. Recent, damaging breaches of US government employee information—amply documented elsewhere—provide some interesting hints as to how: Read More »

Tags: , , , ,

Continuous Analysis Yields Continuous Leadership Against Advanced Threats

Organizations today have no shortage of challenges when it comes to cyber security and their growing IT infrastructure. Not only is the frequency and sophistication of malware attacks on the rise, but with the proliferation of mobility, BYOD, IoT, and cloud services; the number of entry points an attacker has into the network grows exponentially with them.

Given this landscape we know the most effective way to address these threats is with security offering continuous analysis and retrospective protection that extends across all attack vectors in the extended network. With AMP Everywhere, security is just as pervasive as today’s advanced threats, and thanks to continuous analysis and retrospective protection, our customers gain reduced time to detection.

For the second year in a row, we have third-party validation from NSS Labs that we provide the most effective security available in the market today. Cisco Advanced Malware Protection (AMP) was tested along with seven other vendors and achieved a 99.2% security effectiveness score – the highest of all vendors tested in the 2015 NSS Labs Security Value Map (SVM) for Breach Detection Systems. What I find most interesting and rather disappointing in these results is that Cisco is the only vendor in the test to successfully handle all evasion attempts.

nss-bds-svm Read More »

Tags: , , , , , , ,

Remembering the small things: IT Security

There are many tasks and responsibilities of the (lone) IT sysadmin, they are sometimes varied, sometimes monotonous.  We know what they are without thinking about them, as if they are unwritten commandments, specific to the IT world.

Security has featured greatly in the world news over the past few years, and even more so within the IT circles. We have the aspects of social responsibility, who is watching the watchers, how should they be held to account (NSA, GCHQ). We have the more particular stories, such as Heartbleed, and the “simplicity” of gaining information from a system.

Sitting down and reading about the recently highlighted issue surrounding a fake Trojan copy of the popular terminal tool, PuTTY, I realized that over all, we spend a great deal thinking about security within IT systems. But sometimes we don’t think about security in the actions we take, or we forget to think about them. Read More »

Tags: , , , ,