Cisco Blogs


Cisco Blog > Security

New Fake UPS Malware Email Campaign

We have detected evidence of a malware distribution campaign using messages masquerading as UPS delivery notification emails. These campaigns attempt to deceive the targets into thinking they are receiving mail from a trusted sender in order to dupe the recipient into installing malware, possibly for financial gain. Once the initial attack vector is installed, further malware may be distributed.

This  appears to be part of the same campaign seen by MalwareMustDie (http://pastebin.com/n244xN32) and uses the email subject “UPS Delivery Notification Tracking Number”. We have seen a limited number of customers receiving this spam starting yesterday (Tue Nov 5), suggesting that this is a fairly low volume campaign (at the moment). The message contains an attachment with a filename such as “invoiceU6GCMXGLL2O0N7QYDZ” and extension .txt or .doc which is a disguised rtf file.

Section of the mail attachment containing rtf objocx tag

Section of the mail attachment containing rtf objocx tag

According to our analysis the malware attempts to download additional files by exploiting CVE-2012-0158 affecting old versions of Microsoft Office, which is detected by Cisco IPS signature 1131 and is available as a Metasploit module. In this case the malware being distributed seems to be a form of ransomware. Ransomware typically encrypts files on an infected machine and requires the user to pay for the release of their data. This particular piece of ransomware appears to be distinct from the samples we have been seeing as part of the Cryptolocker campaign, but comes in the wake of increased interest and discussion of this kind of attack.

    Attached malware making a request to the control server at 199.16.199.2

Attached malware making a request to the control server at 199.16.199.2

As ever, users should remain vigilant when opening email links and attachments, and be wary of a message purporting to be an automated order confirmation from a company such as FedEx and UPS, as this is a common tactic which has also been identified as a possible method for distributing Cryptolocker.

Additional analysis of this attack can be found here: http://bartblaze.blogspot.com/2013/11/latest-ups-spam-runs-include-exploits.html

Malicious rtf:   7c2fd4abfe8640f8db0d18dbecaf8bb4

Downloaded exe:     e5e1ee559dcad00b6f3da78c68249120

 

Thanks to Cisco researchers Craig Williams and Martin Lee for assistance with this post.

 

Tags: , ,

DNS Knows. So Why Not Ask?

DNS is like the town gossip of the network infrastructure. Computers and apps ask DNS questions and you can ask DNS who has been asking to resolve malware domains. When internal trusted systems are using DNS to resolve the names of known malware sites, this can be an Indicator of Compromise and a warning to clean the potentially infected systems and block traffic to the domain.

Blacklisting the known malware domains using local RPZs, firewalls, Cisco IronPort Web Security Appliance (WSA), or Cloud Web Security (CWS) is a great way to add an extra level of security in organizations. But what if you are just getting started in the process of cleaning systems and just need some situational awareness? Or, how can you manually check to see if these devices are working as expected? How can you determine independently of security devices, and at any point in time, that client systems are not reaching out to malicious domains? You can use dig but this post focuses on a Python example. Let’s first take a look at some DNS mechanics.

Read More »

Tags: , , , ,

Mobility: No Longer a Risky Business?

Risk. It’s not just a strategic board game; in business it’s the analysis that determines the potential for loss.CiscoSecurity

In today’s organization, the consumerization of IT has led to groundbreaking developments in the mobility space. The broad deployment of BYOD, coupled with the availability of corporate data and applications, have challenged how we define security. And with recent news reports citing the rise of mobile hacking and network threats, the security of mobile technology and the data it carries seems to be at risk.

Fortunately, all is not lost.

Mobility gives employees and providers options for the workplace and creating a mobile experience that is efficient and innovative. It is also helping businesses save and make money. Today, employees in any place on any device can access any application across any network in any cloud. As a result, there are challenges associated with implementing a comprehensive BYOD policy that encompasses a proliferation of devices connecting to a network.

Even though mobility can cut costs and increase productivity, 60 percent of IT professionals recently surveyed believe mobile devices in 2013 present more of a risk to their organization than they did in 2012. And even with the growing concerns over mobile security, it still appears that only 60 percent of organizations require security technology for mobility plans. Why isn’t that number higher? After all Android Malware grew 2,577 percent in 2012 alone.

Read More »

Tags: , , , , , , , , , ,

Using DNS RPZ to Block Malicious DNS Requests

October 2, 2013 at 10:00 am PST

After delivering several presentations at Cisco Live and Cisco Connect this year, I received a few questions regarding DNS Response Policy Zones (RPZ) and how can they be used to block DNS resolution to known malicious hosts and sites. I decided to write this short post to explain what it is and provide several pointers.

DNS RPZ is a technology developed by ISC available since Bind version 9.8. Network administrators can use DNS RPZ to essentially stop malware-infected hosts from reaching their command and control (C&C) servers by blocking DNS resolution to known malicious hosts and sites. This effectively turns a recursive DNS server into a DNS firewall. In fact, many people refer to DNS RPZ as the “DNS Firewall.” Various ISPs are testing and implementing this to provide additional protection to their customers.

Note: DNS RPZ will block DNS resolution, machines connecting to the C&C via IP address will not be blocked.

The following figure provides an overview of how DNS RPZ works.

RPZ-overview1

Read More »

Tags: , , , , , , , , ,

Crumbling to the Cookiebomb

Recently we have seen a spate of government websites hosting malicious Cookiebomb JavaScript. We have observed URLs with the top level domains such as ‘.gov.uk’, ‘.gov.tr’, ‘.gov.pl’ and the website of a middle eastern embassy in the US become compromised and expose visitors to malware infection. For malicious actors, highly reputable websites are a valuable target to compromise. Politically motivated attackers, such as the Syrian Electronic Army, can use these websites to highlight their cause, to cause embarrassment to an adversary, or to spread malware, possibly as part of a watering hole attack. Profit motivated distributors of malware can use these websites to infect the steady stream of visitors who trust the website and who are unlikely to suspect that it has been compromised.
Read More »

Tags: , , , ,