
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation

FireEye Advanced Threat Report 1H2011

Our new 1H 2011 Advanced Threat Report is out! It is our inaugural report, and I think you will find it interesting because it is uniquely focused on new and dynamic threats. We have thousands of appliances protecting organizations around the world, and they are deployed _behind_ firewalls, intrusion prevention systems, antivirus and Web gateways. So the threat data reviewed in this report represent the _successful_ malware attacks, the ones that broke through traditional defenses.

This report illuminates the sophistication of the new breed of cyber-attacks and the success cyber criminals are having penetrating today's corporate networks. Based on 1H 2011 data, we found a significant gap in today's enterprise IT defenses. After reviewing hundreds of thousands of infection cases, we found that 99% of enterprises had malicious infections in their network, and that 80% of enterprises faced more than a hundred new infections per week. The bottom line: today's traditional enterprise IT defenses are not keeping up with the highly dynamic, multi-stage attacks that cyber criminals now use against enterprises and federal agencies.

We highlight the top infections for 2011, and the (not-so-surprising) fact that attackers continue to rely on customized malicious code toolkits to develop and distribute their threats. The "Top 50" malware families account for over 80% of successful infections seen in the wild. Please have a read of the threat report and let us know whether you were surprised by our findings, and which other malware research topics you would like to hear more about.

Harnig is Back

Rustock's old buddy Harnig is back in action. Harnig is considered to be a very widespread pay-per-install malware whose sole purpose is to infect PCs and then, for a small fee paid by other malware operators, download and install a variety of their malware on the system. There has been a long-term relationship between the Harnig and Rustock botnets: for the last two years or so, Rustock has almost always been seen being spread through Harnig.

I reported back in March (right after the Rustock botnet shutdown) that the Harnig botnet had abandoned all of its CnCs as well, suspending all of its malicious activity. Rustock has not yet tried to reclaim its previous position, but the same is not true of Harnig. After months of silence, Harnig is finally back in business, resuming all of its usual malicious activities.

A controlled run of Harnig in my lab shows it downloading a number of other malware samples onto the infected machine.

Old Wine In A New Bottle

The recent Adobe Flash 0-day (CVE-2011-2110) is a classic case of old malware using a new 0-day as a vector to spread itself. How and why, I will explain shortly; first, a little detail about the exploit itself. According to our good friends at Shadowserver, the exploit targets a vulnerability in the ActionScript Virtual Machine. The SWF file takes an info parameter, and successful exploitation leads to the download of a zlib-compressed and XOR-encoded binary. The two GET requests, in succession, look like this:

[Screenshot: the two successive GET requests, the second fetching the zlib-compressed, XOR-encoded binary]
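
As an added example (not part of the original post and not FireEye's tooling), here is a Python decoder for the kind of second-stage payload described above: a binary that is zlib-compressed and then XOR-encoded. The post does not give the XOR key or its width, so this assumes a single-byte key and recovers it by brute force, accepting a key only if the decoded bytes form a valid zlib stream (RFC 1950 header check, then zlib's own Adler-32 verification on inflate) that inflates to an MZ executable. The sample payload and the key 0x5A are constructed here for the demonstration.

```python
import zlib
from typing import Optional, Tuple

# Constructed stand-in for the dropped executable: an MZ header plus filler.
# Only the first two bytes matter to the acceptance check below.
SAMPLE_PE = (
    b"MZ" + b"\x90" * 62
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 128
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. The key width is an assumption; the post does not state it."""
    return bytes(b ^ key for b in data)


def build_sample(plain: bytes, key: int) -> bytes:
    """Model the server side as the post describes it: zlib-compress, then XOR-encode."""
    return xor_bytes(zlib.compress(plain), key)


def looks_like_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950 header check: deflate method, window size <= 32K, FCHECK valid."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def recover_payload(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Brute-force the XOR key over the captured response body.

    A key is accepted only if the decoded bytes pass the zlib header check,
    inflate cleanly (zlib verifies the Adler-32 trailer) and the result starts
    with an MZ header. Returns (key, inflated_binary), or None if no key works,
    which usually means the key is wider than one byte or the encoding order
    differs from the assumed compress-then-XOR.
    """
    if len(blob) < 2:
        return None
    for key in range(256):
        if not looks_like_zlib_header(blob[0] ^ key, blob[1] ^ key):
            continue  # cheap filter: skip keys that cannot yield a zlib stream
        try:
            inflated = zlib.decompress(xor_bytes(blob, key))
        except zlib.error:
            continue  # header happened to match but the stream is garbage
        if inflated[:2] == b"MZ":
            return key, inflated
    return None


if __name__ == "__main__":
    wire = build_sample(SAMPLE_PE, 0x5A)  # constructed "second GET" body
    found = recover_payload(wire)
    assert found is not None
    key, binary = found
    print(f"key=0x{key:02x}, inflated {len(binary)} bytes, starts with {binary[:2]!r}")
```

Run stand-alone, it builds the constructed sample, recovers the key and prints it. On a real capture, pass the body of the second GET response to recover_payload(); a None result is the signal to revisit the single-byte-key and compress-then-XOR assumptions rather than a decode of garbage, since the header and Adler-32 checks reject wrong keys instead of producing plausible-looking bytes.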

Koobface - Goodbye Facebook!

It looks like Koobface has started to lose interest in Facebook. We first observed this dramatic change around February this year. All of a sudden, bot herders were no longer instructing zombies to post fake messages to compromised Facebook accounts. Our first impression was that it was just a temporary move, but a continued silence of about two months is not something that can be ignored. The last time we saw Koobface trying to pollute Facebook was around February 13th; at that time, one of the messages posted looked like this:

February 13 at 3:19pm   
Youu’ve beren caght on our supefr smmall spy camerea!
http://12344cederberglineki.blogspot.com

As usual, the posted link redirected users to a fake YouTube page urging them to install a fake codec (in reality a Koobface malware binary) in order to watch the so-called stunning video.

The Rise Of Incognito

Have you ever wondered how malware spreads, and why there are so many compromised machines out there talking back to their CnCs? There must be a medium, a vehicle if you like, to get a Zeus, a Rogue AV, a Rustock (not anymore :)) or any new malware onto a box. Have you ever wondered what this vehicle could be? If you answered exploits, you are right. Exploits, pay-per-installs and social engineering are the main vectors for getting malware onto a machine. Exploit toolkits are point-and-click tools that package these exploits to make life easy for an attacker. At FireEye Labs, we continuously monitor the latest threats and exploit toolkits. One such toolkit that has come to our attention is the Incognito toolkit. In 2011 we have noticed a sudden surge in our Incognito detections. This blog post attempts to explain why this toolkit is so hard to detect, from the obfuscation techniques it uses to the kind of malware it drops. Though not as widespread as the Blackhole toolkit, this one looks like it is here to make a mark.

Without further delay, let's get into the finer workings of this toolkit and see what happens once a user clicks on a malicious Incognito link.

The initial GET request fetches a heavily obfuscated HTML page; the request itself looks like this:

[Screenshot: the initial Incognito GET request]

Harnig Botnet: a retreating army

Rustock is not the only botnet that suffered from the recent takedown by Microsoft. It appears that Harnig (a.k.a. Piptea), a close relative of Rustock, is retreating as well. There is no evidence that anyone is trying to shut down Harnig; it looks like a decision made solely by the bot herders. Why? I'll talk about that shortly.

Harnig is considered to be a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system. In return for this favor, the owners of the other malware families pay the bot herders a small sum, normally a few cents per machine. With pay-per-install networks, the type and amount of malware being dropped can't easily be predicted; what matters is who is paying the bot herders, and when. But things between Harnig and Rustock were quite different. There has been a long-term relationship between the Harnig and Rustock botnets: for the last two years or so, Rustock has almost always been seen being spread through Harnig. Very rarely does one see Rustock using some other infection vector or pay-per-install network to propagate itself.

[Screenshot: the Harnig infection chain leading to the Rustock installation]

One can see from the above screenshot that the Rustock installation is the result of a chain reaction:

Harnig --> Downloader.DigiPog (the Rustock installer, downloaded in plain text) --> Rustock spam engine (a semi-fake, password-protected 'rar' file containing the Rustock driver).
