Targetted Attack, A True Story

While there is nothing new on the technical side of it, however this story is now circulating everywhere on the internet, just because it is a true story, the details are available to the public, and the infected machines are considered high value.
The report might be part of political efforts targeting China.



Here are some points from the report:

- Almost 30% of infected computers are high-value and include ministries of foreign affairs of different countries, embassies, news organizations, a Bank, an unclassified computer at NATO headquarter and Office of the Dalai Lama.

- Infected computers reached 1,295 in 103 countries

- The attacker used several infection vectors, infected web page serving exploit code to infect computers visiting it, and used also emails carrying infected pdf and doc files with trojan.

- Once the computer is infected, it will create a backdoor and try to contact the controlling servers, waiting for orders.

- The targets themselves may infect others by forwarding infected documents to their contacts

- The controlling servers are located in China

- The trojan used is known as gh0st RAT

- The 1st family of malware used HTTP connections to connect to PHP files, while the 2nd family used HTTP POST to connect to CGI

- The most recent sample in the report was on March 12, 2009

http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network

http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf

Updated:

The next chapter of the story is now released by shadowserver.

Web Browser Security, Malware Protection Comparison

NSS Labs released a comparative test results for web browsers and the effectiveness of protecting from socially engineered malware.

Surprisingly (at least for me) Microsoft scored very well in its latest version of IE.

http://www.nsslabs.com/anti-malware/browser-security

Is Your ADSL Modem Part of a Botnet?

A very interesting pdf file on a malware infecting ADSL modems, the study is about Netcomm devices, however there are some other (unnamed) vendors vulnerable the same way.

The modems are running MIPS processors and embedded linux.
http://www.adam.com.au/bogaurd/

Another analysis:
http://www.dronebl.org/blog/8

in Another blog, a newer version of the malware is found, and it seems that there is an ongoing development in this area, so stay tuned !
http://www.teamfurry.com/wordpress/2009/03/23/botnet-running-on-mips-cpu-devices/

The study showed that some ADSL modems from USA, Egypt, Malaysia, and other countries are already infected and spreading the bot.

Web Malware, LuckySploit Toolkit Analysis

Hundreds of Crimeware toolkits are widely used by underground communities, here is a new analysis for one of these toolkits named LuckySploit, the main interesting issue here is its obfuscation techniques.

http://www.finjan.com/MCRCblog.aspx?EntryId=2213

Fighting Keyloggers With Virtual Keyboard

Keyloggers can steal user's passwords easily, that is why virtual keyboards are there.
This is a simple article about virtual keyboards, and some simple techniques to defeat keyloggers.

http://palisade.plynt.com/issues/2009Feb/fight-against-keyloggers/

Conficker/Downadup Update

Updated:

Conficker is getting a new third generation version, which is pushed to already infected systems, the new version will use a new algorithm for calling domain names looking for new updates, moving from 500 domain per day with old versions into an aggressive 50,000 domain per day, which will make the security researchers life much harder to catch it by predicting the domain it will call, specially if the new version will use 116 different domain suffixes.

The new version is not more aggressive in infecting other machines, however its purpose is to keep the current infected machines as long as possible. 

There are more stages to come from the worm, as many experts are expecting the worm author to transform the infected machines into a botnet to be used in SPAM, DDOS or other malicious activities.

https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249

Detailed Analysis:

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976

Free removal tool:

http://www.bdtools.net/

Updated:

more details on conficker.C

https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/253

Extensive Analysis:

http://mtc.sri.com/Conficker/addendumC/

PRNG Algorithm:

http://en.wikipedia.org/wiki/Pseudorandom_number_generator

Dumping Password Hashes From Physical Memory, Remotely

The tools to be used are Metasploit, Man Tech Memory DD, Volatility

- Use Metasplit to launch exploit
- Upload MDD using Meterpreter
- Execute MDD on the victim machine
- Download the memory image
- Use volatility tool to dump the hashs from the memory image

The link below has other external detailed links on volatility framework.
The problem will be downloading the memory dump with large size...

http://carnal0wnage.blogspot.com/2009/03/dumping-memory-to-extract-password.html

IPhone Forensics

This is a very good paper on IPhone forensics, it shows there are lots of personal information can be revealed from the IPhone.

http://chicago-ediscovery.com/iphone-forensic-software/iphone-forensic-white-paper.html

Botnet in Enterprise

Here is what the recent study by Damballa found:

- Almost 3-5% of corporate PCs are compromised with bot malware, even with updated anti-virus

- Enterprise-grade Antivirus and IDS/IPS fail to capture 20-70% of new threats

- The typical gap between malware releases and detection by antivirus is 54 days

- Almost 50% of malware samples were not detected on the day they were received

- 15% of samples remained undetected after 180 days

http://www.damballa.com/downloads/press/Failsafe_3_(PR_FINAL_2009-3-2).pdf