FireEye Malware

Intelligence Lab

Threat research, analysis, and mitigation

28 posts categorized "Malware Research"

Flamer/sKyWIper Malware: Analysis

As widely reported elsewhere, the Flamer/sKyWIper malware has largely been attributed to yet another unknown APT actor, which appears to target various organizations in the Middle East. Its size is massive, with the core components written in Lua and modular support for other languages (e.g., C/C++). Compared to Stuxnet and Duqu, it's likely this malware framework was authored and developed in parallel, with a broader goal: comprehensive intelligence gathering.

Rather than speculate on attribution or repeat the initial analysis provided by CrySyS Lab, this blog post will focus on additional indicators of compromise that have yet to be documented elsewhere. These indicators are exceptionally useful for confirming whether or not this malware is active on a suspect system.

Continue reading "Flamer/sKyWIper Malware: Analysis" »

Even Hackers Don't Like to Work Weekends: Email Attack Trends from Q1 2012

In our Advanced Threat Report for the second half (2H) of 2011, we provided compelling evidence of a possible correlation between an increase in email-based attacks and national holidays. Continuing this theme, let's widen the dataset to worldwide and focus on the corresponding statistics collected year-to-date for 2012. To be clear, these statistics reflect the number of malicious attachments seen after initial spam and anti-virus filtering across the customer deployments that share intelligence back to us.

Figure 1. Rate of malicious attachments detected (worldwide) by relative volume (2H2011 + 2012YTD)

Continue reading "Even Hackers Don't Like to Work Weekends: Email Attack Trends from Q1 2012" »

Quick Reference for Manual Unpacking

By packing their malicious executables, malware authors ensure that, when these executables are opened in a disassembler, they do not show the correct sequence of instructions, making malware analysis a lengthier and more difficult process. One method of locating the address of the code's first instruction before it was packed, also known as the Original Entry Point (OEP) of the file, is to set a breakpoint on the APIs that set up the execution environment, such as LoadLibraryA, and then use step-by-step tracing to locate the initialization of the stack frame. Initialization of the stack frame indicates that the file has been unpacked.

For many commonly occurring packers, there are specific instructions for locating the OEP.

Continue reading "Quick Reference for Manual Unpacking" »

Zeus takeover leaves undead remains

Some of you may be aware that Microsoft this week went after a group of botnets. These botnets were created from the famous Zeus toolkit. This effort was part of the so-called Operation B-71.

When I heard this news, the first thing I wanted to find out was whether these botnets had been on FireEye's radar. The answer is yes. Based on data collected from the FireEye MPC (Malware Protection Cloud), we have been detecting and protecting our customers from most of this malware.

There was one thing that caught my attention during this investigation. One botnet was able to partially recover from the takeover attempt. This particular Zeus variant is known for rapidly changing its CnCs.

Continue reading "Zeus takeover leaves undead remains" »

FireEye Advanced Threat Report 1H2011

Our new 1H 2011 Advanced Threat Report is out! It is our inaugural report, and I think you will find it interesting because it is uniquely focused on new and dynamic threats. We have thousands of appliances protecting organizations around the world, and they are deployed _behind_ firewalls, intrusion prevention systems, antivirus and Web gateways. So, the threat data we reviewed in this report are the _successful_ malware attacks breaking through traditional defenses.

Continue reading "FireEye Advanced Threat Report 1H2011" »

The Dead Giveaways of VM-Aware Malware

I often overhear talk about so-called next-generation anti-VM, anti-sandnet and anti-debugger techniques and their *widespread* use by modern malware, and how this is hurting modern automated malware analysis and detection. Well, I find the facts are quite different. Most of these claims don't provide good evidence, and I consider them little more than an attempt to create FUD (Fear, Uncertainty and Doubt). The reality is that after the good old days of IRC bots, which were created mostly for fun, the majority of commercial malware has shown no interest in detecting VMs and/or debuggers. Why? I will come to the reasons later.

A while back, I talked about the world's top 20 malware list based on FireEye's real time data feed. None of these malware families except for Conficker (number 11) try to detect virtual machines. What about taking into consideration the top 10 malware list given by Microsoft a while back? I can prove that none of these top 10 malware try to detect a Virtual Environment.

How many malware families try to detect popular, publicly available sandnets like ThreatExpert? See for yourself.

Continue reading "The Dead Giveaways of VM-Aware Malware" »

Leouncia - Yet Another Backdoor - Part 2

[Note: This post is a continuation of my previous article]

Let's dive deeper into the internals of this powerful backdoor program.

1. Protocol Decryption

Leouncia's C&C payload decryption consists of two major phases. The first is the construction of a dynamic permutation table from a variable 128-bit key. This permutation table is then used to decrypt the actual payload.

Let me explain it step by step:

1.1 Table Construction

The main ingredient of this table construction is a 128-bit key. This key is extracted from the first 16 bytes of every payload stub. By payload stub, I mean the data left after removing the HTTP headers. The bytes following the first 16 are the actual payload to be decrypted.

As part of the table construction, 1032 bytes of memory are allocated. After skipping the first 8 bytes, the next 1024 bytes are initialized with a counter value ranging from 0x00 to 0xff. These values are assigned in 4-byte chunks, so 256 iterations are enough to initialize the complete buffer. Next comes the randomization of this buffer, which is driven by a byte value taken from the table itself combined with one of the key's bytes. Let's explain it using a C-style syntax.

buf  = start of the 1024-byte buffer
A    = initialized with the start of the buffer
B    = initialized with the start of the key buffer
R    = initialized with 0
i, j = two counters, both initialized with 0

then it happens like this:

START loop

    R = R + A[i] + B[j]
    SWAP(A[i], buf[R])

    j = j + 1
    if (j >= 16)
        j = 0

    i = i + 4

END loop (terminate after 256 iterations)

[Figure: Gen_table]
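The table construction above, written out as an added C example (not the author's code and not the malware's own): it splits a constructed payload stub into its 16-byte key and encrypted remainder, runs the 256-iteration fill-and-swap over 256 dword entries, and checks that the result is still a permutation of 0..255. Function and type names, the `leo_` prefix and the sample stub are assumptions; the 8 skipped bytes are left zeroed because the post does not say what they hold.

```c
/* Added example (not the post's code): Leouncia's table construction in C,
 * over a "payload stub" = HTTP body minus headers. Names are assumptions. */
#include <stdint.h>
#include <string.h>
#define LEO_KEY_LEN 16
typedef struct {              /* 1032 bytes: 8 skipped + 256 dword entries */
    uint8_t  skip[8];         /* purpose not given in the post; left zeroed */
    uint32_t A[256];
} leo_table_t;

/* First 16 bytes of the stub are the key; the rest is the payload. */
int leo_split_stub(const uint8_t *stub, size_t len, uint8_t *key,
                   const uint8_t **payload, size_t *plen)
{
    if (stub == NULL || len < LEO_KEY_LEN)
        return -1;                        /* too short to carry a key */
    memcpy(key, stub, LEO_KEY_LEN);
    *payload = stub + LEO_KEY_LEN;
    *plen = len - LEO_KEY_LEN;
    return 0;
}

/* Counter fill, then 256 key-driven swaps (the loop from the post). */
void leo_gen_table(leo_table_t *t, const uint8_t *key)
{
    uint8_t R = 0;                        /* byte-sized accumulator */
    size_t i, j = 0;                      /* i steps one dword = 4 bytes */
    memset(t->skip, 0, sizeof t->skip);
    for (i = 0; i < 256; i++)
        t->A[i] = (uint32_t)i;
    for (i = 0; i < 256; i++) {
        uint32_t tmp;
        R = (uint8_t)(R + (uint8_t)t->A[i] + key[j]);    /* R += A[i] + B[j] */
        tmp = t->A[i]; t->A[i] = t->A[R]; t->A[R] = tmp; /* SWAP(A[i], buf[R]) */
        if (++j >= LEO_KEY_LEN)
            j = 0;
    }
}

/* Sanity check: the table must still hold each of 0..255 exactly once. */
int leo_table_is_permutation(const leo_table_t *t)
{
    uint8_t seen[256] = {0};
    for (size_t i = 0; i < 256; i++) {
        if (t->A[i] > 255 || seen[t->A[i]])
            return 0;
        seen[t->A[i]] = 1;
    }
    return 1;
}
```

The permutation check is the quick way to confirm a reimplementation of the swap loop has not lost or duplicated entries before using the table in the second phase.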

Continue reading "Leouncia - Yet Another Backdoor - Part 2" »

Leouncia - Yet Another Backdoor

This is the second article in a row where I am going to disclose the presence of another new backdoor malware. I have recently seen this backdoor emerging on the threat landscape while investigating some targeted attacks. I named this malware Leouncia. Why? I'll make it clear later.

Like Vinself, Leouncia is a powerful backdoor designed to take complete control of the infected machine. In terms of code base the two look very different, but during my investigation I found some definite design similarities. I also found additional evidence that is sufficient to link the botnet operators behind these two malware families.

Are we prepared to face this threat? When I first submitted this malware to VirusTotal last week, anti-virus coverage for this backdoor was very limited. Only two AVs out of the 43 available on VirusTotal were able to detect it, and only via generic heuristics. At this moment I can see some improvement, as one more AV has recently added detection for it, making the detection rate 3 out of 42.

[Figure: Liouncia]

Continue reading "Leouncia - Yet Another Backdoor" »

VinSelf - A new backdoor in town!

I recently came across a new piece of Modern Malware found to be involved in a highly targeted attack. My initial exploration into the malware revealed it to be a powerful backdoor with the capability to provide an attacker complete control over the infected system.

What's happening at the moment? A few weeks ago, we saw the powerful backdoor Pirpi exploiting the IE 0-day as part of some targeted attacks. Now comes Vinself. The emergence of new and powerful backdoors and their use in targeted attacks is evidence that modern malware is not only used to steal users' credit cards or send spam. There is much more at stake as well.

There are many out-and-out criminal gangs (some with potential political affiliations) who are after something more than material gains. They develop targeted malware to get into sensitive networks and then loiter, waiting for the chance to snatch confidential documents and/or intellectual property. Cases like Vinself (where the malware remains fully functional even behind proxy firewalls) are also an indication that the main target here is not desktop users.

During the investigation, I found many interesting facts about this malware, such as its CnC protocol, the obfuscation in use and its backdoor capabilities. Today I would like to share some high-level characteristics of this malware.

Continue reading "VinSelf - A new backdoor in town!" »

More on the IE 0-day - Hupigon Joins The Party

It was just a few days ago when Symantec disclosed a new 0-day vulnerability in Microsoft's Internet Explorer (versions 6, 7, and 8). They found at least one malware called 'Backdoor.Pirpi' that is actively exploiting this vulnerability in targeted email attacks posing as hotel reservation notifications. 

Here at FireEye labs, we have identified another type of Modern Malware called 'Hupigon' exploiting the same IE zero-day vulnerability. This malware looks to be more successful/reliable at infecting systems than Pirpi.

It is increasingly common that cyber criminals 'upgrade' Modern Malware with newly uncovered zero-day exploits. Now the question is, are the criminal masterminds behind this second wave of attacks the same as those behind the first wave?  In this article I will try to answer this question.

In order to find a link, let's compare these attacks side-by-side.

Continue reading "More on the IE 0-day - Hupigon Joins The Party" »