The malware landscape has always been very dynamic. New threat types and malware families constantly replace the old ones. The prevalence of a particular malware family at any given time depends on multiple factors, such as the business model, the efficiency of the person(s) driving the malware and, sometimes, actions by the anti-malware industry. For example, thanks to the efforts of the research community, Storm 1.0 and Srizbi, which were once the world's largest botnets, are history now. Due to certain design limitations, IRC botnets, which were dominant back in 2004-2006, are no longer very popular. We have also seen a constant uptick in new banking trojans: the popularity of online banking has led cyber criminals to seek huge opportunities by operating info stealers. The Web 2.0 era is responsible for giving birth to a new breed of malware that spreads through social networking; a perfect example is Koobface. Security awareness among the public at large led to fears about these malware threats, which in turn gave a boost to rogue "antivirus" software.
The first principle of a successful defense is identifying the enemies and their strengths. Believing in the philosophy of "keeping your friends close but your enemies closer" is a big step towards defeating your opposition. So let's do it. What are the latest trends? What is the world's most widespread malware, and what does it do? I am going to answer a few of these questions today based on data collected by FireEye during the last quarter.
Continue reading "World's Top Malware" »
Update: Oracle recently released an emergency patch to fix this major flaw. See details at the bottom.
-------------
The recent discovery of a 0-day design flaw in the 'Java Web Start' module has opened new avenues for drive-by malware attacks. This flaw was disclosed by Tavis Ormandy a few days ago, and it did not take long for the bad guys to start using the proof-of-concept code for real exploitation. I have been reading about the exploit details for the last few days, but very few details were available on the active use of this exploit. Who is using this exploit, and what are they spreading with it? This article is all about that, with emphasis on the post-infection activity.
Readers who are interested in the inner workings of the 0-day flaw itself can read the full disclosure here.
It all started like this... yesterday afternoon my colleague Stuart Staniford pointed me to a malicious domain, hxxp://zikkuat.com (dead at the moment), which he believed was exploiting this 0-day flaw. After a little analysis, I found this to be true indeed. Here are the details of my findings after a detailed analysis.
Continue reading "Who is Exploiting the Java 0-day?" »
It's very rare as a researcher to get a chance to explore the inner workings of a botnet command and control (CnC) server. Detailed analysis of a botnet CnC server or command sub-component can yield valuable information about the capabilities of the botnet itself, and possibly the motives of the bad guys behind it. However, gaining access to a botnet CnC server often depends on the will of the hosting providers. Recently, while I was casually monitoring our MAX Network logs for the current geo-locations of Pushdo CnCs, I got the following results for the past 30 days:
Continue reading "Infiltrating Pushdo -- Part 1" »
If you've read our last couple of blogs, you know that FireEye recently hijacked the Ozdok/Mega-D botnet: Smashing the Mega-d/Ozdok botnet in 24 hours
We registered some C&C backup domains and worked with registrars and hosting providers to have the primary domains and systems taken down. We directed the Ozdok bots to a sinkhole and watched the connections come pouring in. After about 5 days we had seen 487,430 unique IP addresses connecting to us. It's difficult to estimate the true size of this botnet from this number alone, but we can get a good idea of where the infected systems are.
Brazil is the number 1 infected country with 11.5% of the total infections, followed closely by India and Viet Nam. China came in at number 16 followed by the USA at 17, each with 1.6% of the total infections we saw. There were 214 countries represented, but after the top 3, total infections rapidly decreased.
So how big is this thing? Due to dynamic addressing, one infected system will present many real and advertised IP addresses over time. When researchers at UCSB hijacked the Torpig botnet, they were able to find a unique bot identifier in the communication to their sinkhole.
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Continue reading "Checking In With The Ozdok Sinkhole" »
In my previous article, I talked about the Ozdok command and control architecture and its fallback mechanisms in great detail. That article was an attempt to highlight, in theory, different approaches to taking down this botnet. But when it comes to the actual shutdown, it's far more complex than just finding the command and control server coordinates and fallback mechanisms. An actual shutdown attempt requires someone to take the initiative and start a combined effort involving third parties like ISPs, registries, registrars, etc.
Instead of playing a passive role, this time FireEye decided to come forward and start working with these groups to make this happen. The good news is that at the time of writing this article, all the major Ozdok command and control servers (as mentioned in my last post) have been taken down. As it turns out, no matter how many fallback mechanisms are in place, if they aren't all implemented properly, the botnet is vulnerable.
Continue reading "Smashing the Mega-d/Ozdok botnet in 24 hours" »
Note: Updates are available at the bottom of this article.
Ozdok, a.k.a. Mega-d, is one of those botnets that has been very successful at flying under the radar over the past few years. Recent stats by Marshal TRACE show Ozdok is currently responsible for about 4.2% of the world's overall spam. The question that arises again is who is controlling this botnet and, more importantly, from where? I recently conducted a detailed study of Ozdok's active command and control servers. There are two main things I took away from this study.
1. The USA is still a first choice for bad guys when it comes to hosting CnC servers.
2. After the McColo experience, these guys no longer rely on a single net block for hosting their CnCs. To further ensure their safety, most botnets today are equipped with a fallback mechanism. As a matter of fact, in the case of Ozdok, more than one fallback mechanism is involved. These come into play once the primary command and control structures fall apart. How? I'll explain that shortly.
Continue reading "Killing the beast...Part 4 (Ozdok)" »
In the third part of this series, I'm going to discuss the command and control structure of another famous botnet, Clampi, a.k.a. ilomo. Clampi is all about data stealing and is famous for its anti-reversing and evasion techniques. The financial damage this information stealer can cause is evident from a recently disclosed cyber theft of more than $150,000. Notorious, isn't it?
Like the first two parts where I discussed the command and control structure of the Pushdo and Koobface botnets, I'll start by showing the current geographical distribution of Clampi CnCs, followed by a brief analysis on the chances of shutting down these control servers and hence the complete botnet.
Continue reading "Killing the beast...Part 3" »
Just a day before Patch Tuesday, when Microsoft is going to release a couple of patches for DirectShow vulnerabilities, including the MSVIDCTRL 0-day, IE (Internet Explorer) users are hit by another surprise. A new 0-day vulnerability has been identified in the MS Office Web Components and is currently being exploited via the IE scripting interface. There is no patch available at the moment, but MS has come up with a workaround.
One of the malicious URLs found to exploit this vulnerability is hxxp://www.fdsdffdfsf.cn/of.htm.
Continue reading "Who is Exploiting the Office Web Components 0-day?" »
The DDoS attacks that started around July 4th 2009 and paralyzed some important US and South Korean web sites have come to an end, but the madness behind these attacks is not quite finished yet.
The MYDOOM variant (msiexec1.exe: 0f394734c65d44915060b36a0b1a972d) that initially downloaded a DDoS component has recently been seen downloading another component (wversion.exe: f5c6b935e47b6a8da4c5337f8dc84f76) whose sole purpose is to permanently damage the infected systems' hard drives. This hard drive killer component acts like a time bomb that starts triggering from July 10th onwards. Sadly, this means that today, July 11th, all those infected PCs that were up and running yesterday are already damaged.
Continue reading "DDOS Madness Continued..." »
As most readers will already know, a new 0-day vulnerability in the MS Video ActiveX Control is currently being exploited in the wild. Lots of research material has already been published covering different aspects of this vulnerability and its attack vector, and I have nothing more to add on that front. I would rather focus on explaining the details of the malware behind the scenes.
Continue reading "Who is Exploiting the Windows 0-day (MSVIDCTL.DLL) ?" »