
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation

9 posts categorized "Current Affairs"

An overview of Rustock

As you might have seen in the news, the largest spam botnet, Rustock, was recently taken down in a collaborative, coordinated way. All parties involved were bound by a sealed federal lawsuit against the John Does involved, but now that the case has been unsealed, it's time to talk about a few of the details. Why has Rustock been so successful for so long? How has it managed to stay off the radar, yet be the largest spammer in the history of the Internet? Why has it taken so long for anyone to take action against them?

Continue reading "An overview of Rustock" »

OMG-WTF-PDF Dénouement

You may have heard something in the news about PDF recently… By the power of Google!

What's all this then?

I recently gave this presentation at the 27th Chaos Computer Congress in Berlin. For some reason, the slides never made it from Pentabarf to the Fahrplan. (They should be here: http://events.ccc.de/congress/2010/Fahrplan/attachments/1796_27C3_Julia_Wolf_OMG-WTF-PDF.pdf Currently 404, not by intent.) So first order of business, here are the long-sought-after slides: 27C3_Julia_Wolf_OMG-WTF-PDF.pdf (I have had so many requests for these.)

Continue reading "OMG-WTF-PDF Dénouement" »

Bredolab - "It's not the size of the dog in the fight..

.., it's the size of the fight in the dog" that matters. Bredolab is not giving up. This morning, I found two more active CnC domains, not only alive but issuing new commands as well. These two domains are:

upload-good.net and lodfewpleaser.com

The Bredolab variant communicating to upload-good.net is especially important, as almost all AVs are missing it at the moment. Only 1 of the 42 AV engines available on VirusTotal was able to detect it as malicious.

[Image: VirusTotal AV detection results for the upload-good.net variant]

Continue reading "Bredolab - "It's not the size of the dog in the fight.." »

World's Smallest PDF

About That PDF Thing

At PH-Neutral, I recently presented a bunch of information about how no two PDF readers will see a PDF file in the same way. Which is useful if you're trying to sneak an exploit past a smart A/V scanner. [Unfortunately, most A/V scanners are not even smart enough to find an exploit sitting in easy-to-read plaintext at the top of a well-formed file.]

Someone took a picture of one of my slides, which has been quite popular, based upon the number of retweets and views.

So, I'll explain how this works, for the benefit of everyone who wasn't there at the time…

Continue reading "World's Smallest PDF" »

Some Notes About Neosploit

The Little Picture

I have a huge pile of notes on various types of malware and exploits. Meticulous details from where I look with my [metaphorical] microscope, but not a lot of big-picture stuff, because that usually takes much more time than just reading through a hexdump. So, I'm going to write a series of blog posts like these, looking at the little picture. Some of my explanations might be a little bit terse. I have a bad habit of going: "Here, look at this disassembly, isn't it obvious what it's doing". But, teaching how to read this stuff is a lot of work. So, I hope you don't find reading this to be too tedious if I'm short on explanations.

Some notes on Neosploit 2.0

The Attack Scheme

So, you're browsing along, and you hit an advert like http://ad.yieldmanager.com/iframe3?7VxIANuGDAAF9EgAAAAAA[A long Base-64 string goes here…]e7f9 which directs you to a page like http://ndpwrgg.info/images/wait.html, which looks like this:

Continue reading "Some Notes About Neosploit" »

Black Energy Crypto

Introduction

Black Energy has been in the news again recently (well, it was recent back when I wrote the first draft of this).

I'm not here to talk about Citigroup, I'm here to talk about cryptography, and how to fail at it. That being said, allegedly Citibank was "hacked" using Black Energy, according to the Wall Street Journal. Citigroup flat out denies it, and aside from this assertion from the WSJ, there's no other information. But it doesn't make sense that "Black Energy" itself, or what is commonly referred to by that name, was used for some kind of banking attack; it's a DDoS bot.

Now, it could actually be Black Energy that's responsible, or something different which just looks like Black Energy. But lately, a very Black Energy-like DDoS "module" tends to get installed along with other malware such as Zeus, via the "Yes Exploit System", or via Oficla/Sasfis, and like every bot, it can download and execute arbitrary files upon command. I have no idea what, if anything, happened at Citibank, but I speculate that a Black Energy bot was just along for the ride. An infection of one bot quickly leads to an infestation of many. [cute metaphor about infestations goes here] It's kinda like a big ball of malware goo.

Analogy

Ok, so you remember how the five robot lions in the show "Voltron" would form a giant robot to battle space monsters? Each lion had its own distinct identity, like one was green, and another one was pink, etc. but they could combine to form a single robot, with a distinct identity apart from each individual lion. Ok, well malware also combines together to form a giant robot.
[I was going to make the same analogy using the Constructicons as examples, they're evil bots you see… but that's just a little too obscure.]

Anyway, so for something less ambiguous… onto the technical part!

Continue reading "Black Energy Crypto" »

Conference Stuff

The Present

Hi-ho, Julia here. So, here's a summary of computer security conference related things that I'm involved with.

I'll be at the RSA Expo for at least one of the days next week (probably Wednesday). So if you see a blue-haired weirdo wandering around, asking vendors difficult questions¹, that's probably me. If you would like to wander around the Expo for free too, then enter the code EC10FIR [Expires Friday Feb 26] into the appropriate field from wherever this link <Register Now!> may lead you. You'll need to register — enter a bunch of personal information about yourself first, so that you can get a ton of junk mail later this year. However, note that the only thing they actually seem to check when you pick up your badge at the expo, is the name on your government issued photo ID. So, in previous years my job title has been Professional Tomato Squeezer, working for the Instrumentality of Penguins Project — which is how I know when marketers are using RSA's mailing list.

FireEye has a booth at RSA this year (Booth #332). See also: Official FireEye RSA2010 Stuff.

The Past

And from last October, these are my ToorCon 11 Slides [ironically PDF]. They're almost the same as the ones from my Brucon talk, but with a little more stuff.

The Future

I'll be presenting a talk at PH-Neutral 0x7DA on how to do horrible things with PDF files. Not just exploits and syntax abuse/obfuscation, but tricks like generating the Mandelbrot set with the halftone screen spot functions.

I'm thinking of submitting a talk to Black Hat or Defcon. Are there any topics that you, the reader, would like to hear me talk about? Sure, I could do an in-depth technical talk on a specific botnet. Or a less-in-depth presentation on a whole bunch of different malware. Or a talk about reading/writing exploits and reverse engineering. Or an actually-good-talk on old-school phreaking. Of course, Defcon being Defcon, I could probably submit a talk on Goetic demon summoning (with live demonstration!) and it would get accepted. So… suggestions?

I promise that my next blog post will have more crypto and hexdumps in it.
¹ For example…
Vendor: Our product is software that you install on your windows laptop, which calls home to check if it has been stolen. And if so, deletes sensitive documents to keep them from falling into the wrong hands.
Me: So, what if rather than booting the laptop into Windows normally, the person who stole the laptop takes the hard drive out and reads the data with Linux?
Vendor: <crickets chirping> … You'll need to talk to one of our engineers.

Julia Wolf @ FireEye Malware Intelligence Lab
Questions/Comments to research [@] fireeye [.] com

PDF Obfuscation using getAnnots()

Since around October 2009, Neosploit¹, a black-market exploit toolkit, has been fabricating PDF files in a slightly new way, one which is difficult for many parsers to analyze for maliciousness. In summary, all of the metadata in a PDF is accessible from the Acrobat Javascript environment, and this metadata is being used to obscure embedded Javascript code. To find the exploit, a PDF parser would need to fill in all the document objects with the correct data and then evaluate the Javascript. (Needless to say, many PDF signature parsers don't do this.) These malicious PDFs ultimately install Mebroot (aka: Sinowal)².

[And, oh yeah, our product detects this.]

Breaking News

Update: There's another exploit toolkit doing similar metadata tricks to obscure a CVE-2009-4324 attack. (That's the most recent 0-day.)

Continue reading "PDF Obfuscation using getAnnots()" »

Barbarians Inside the Cyber Gates

Critical government, military, and civilian networks have been repeatedly infiltrated to steal our intellectual property and national secrets. So, how do we build a modern, national cyber security policy as we enter into the 44th Presidency? The Center for Strategic and International Studies' report weighed in on this topic, but I think they missed the point in their technical recommendations.

Before I go further, I should introduce myself. I'm Ashar Aziz, FireEye's CEO and founder. I'll be chiming in to write about the big picture security issues that are facing CIO/CISO's, businesses, our national cyber infrastructure, and essentially anyone who does anything on the Internet these days.

Continue reading "Barbarians Inside the Cyber Gates" »