‘Tis The Season… For Malware

The holidays are a wonderful time of the year, when folks get together and spend time with the ones they love. Unfortunately, the holiday season also brings new waves of targeted attacks that play on seasonal routines. These attacks come in various shapes and sizes, most often an errant shipping notice, a holiday greeting card, a coupon or a gift certificate.

Spear phishing is especially effective at this time of year because so many more people are shopping online and sending e-cards instead of traditional snail-mail greetings. For these reasons it is imperative to pay even closer attention to the messages you receive, so as not to become a victim.

To help illustrate this, I’d like to examine a basic spear phishing email that one of LogRhythm’s own business leaders received recently. The phish is a basic fake FedEx email. In the screenshot below, I’ve highlighted some red flags within the message itself that give away its blatant illegitimacy.

Figure 1: Textbook Spear Phishing Example


This message is so similar to the phishing emails I used to send out for training exercises years ago that it was rather nostalgic in a way. The interesting part was just how targeted the message, the attachment and even the malware itself were, containing references to the recipient’s first and last name throughout. In fact, when I checked our internal Network Monitor instance, they were the only individual here to receive such a message over the past couple of days…

Figure 2: Network Monitor Email Search


So, we took this malware sample apart and ran it in our lab environment. The attachment is delivered in a compressed .zip file that, when extracted, reveals a file carrying the double extension doc.js. The trick is an age-old Windows behaviour: Explorer hides the extension of a known file type by default, so the name appears to end in .doc, while Windows opens the file according to its true last extension, .js, which goes to the Windows Script Host. The Right-to-Left Override (RTLO, Unicode U+202E) character is the other long-standing way to pull off the same disguise, by reversing how the tail of the file name is displayed; both leave the real, often hidden, last extension in control of what executes.

Figure 3: Original file, as it appears by default in Windows 8.1


If you uncheck the ‘Hide extensions for known file types’ setting in Explorer, the JavaScript extension is exposed, as if the script icon didn’t already give this away…

Figure 4: File as displayed when common extensions are revealed


Since this is just a JavaScript file, we can view its contents easily with a text editor.

Figure 5: Obfuscated JavaScript code


They’ve attempted to obfuscate their code; however, JSunpack makes quick work of this, revealing important information about the malware in question.

Figure 6: FYI - JSunpack is awesome


In short, this script leverages Internet Explorer to pull down two executables that give the attacker persistent access to the host. Once that is done, the malware performs textbook malicious activity, beaconing out to multiple command-and-control servers based in Germany.

Figure 7: Procmon analysis of the initial connection

The funny thing about this malware is that even though it was heavily customized to target a specific individual at a specific company, it still would not make it past basic antivirus in an enterprise environment: the sample was flagged by eight major antivirus vendors on VirusTotal.

Figure 8: VirusTotal analysis


This just goes to show that even targeted malware is not necessarily all that advanced. The attackers likely took an educated guess at which antivirus LogRhythm used and tried to bypass only that one. This tactic will work against many organizations; however, LogRhythm takes a layered approach to security…

Even though this is a basic spear phishing attempt and the malware is trivially caught by antivirus, what about those instances where it does slip by and the recipient decides to open the attachment?

You can leverage the SIEM to alert on this activity by monitoring for newly created files with multiple extensions. The same check can be applied on the network, by analyzing attachments delivered through email with network flow analysis. A rule like this is easy to implement and produces relatively few false positives, since any legitimate double-extension file types (archives such as .tar.gz, for example) can be whitelisted.

Figure 9: AIE Double File Extension Rule Block


Double-extension and RTLO file names are very common vectors that have been used in phishing attacks for years. In fact, if this malicious file were able to evade antivirus, security analysts would still be notified of the suspicious event via the SIEM, giving them the chance to respond to the threat and potentially avert a major breach. The beauty of the rule is its simplicity: there are very few legitimate instances where double file extensions should be used.
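The two checks described above, a double extension whose final extension Windows will execute and a right-to-left override character hidden in the file name, as an added example in Python. This is not LogRhythm AIE rule syntax or code from the post; the file-creation log format, host names, the whitelist of benign double extensions and the sample events are all constructed for the example. It goes slightly beyond the rule in the post by only counting a trailing run of extension-like tokens, so that version numbers such as release-2.4.1.zip do not trip the double-extension check.

```python
"""Flag file names that disguise an executable behind a hidden second extension
or a Unicode right-to-left override, run over constructed file-creation events."""
import re

# Extensions Windows runs (or hands to the script host) on double-click.
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "hta", "ps1", "msi", "jar", "lnk",
}
# Assumed whitelist of double extensions that are legitimate in most environments.
BENIGN_DOUBLE = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz"), ("min", "js"), ("min", "css")}
# Unicode bidirectional controls; U+202E (RTLO) is the one used to hide extensions.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# An extension token: leading letter, then letters/digits, so "2.4.1" is not three extensions.
EXT_TOKEN = re.compile(r"^[a-z][a-z0-9]{0,5}$")
# Constructed log format (hypothetical endpoint file-creation events, not a real product's).
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
                     r'event=file_create path="(?P<path>[^"]+)"$')


def analyse_filename(path):
    """Return [(severity, reason), ...] for a file path; empty means nothing suspicious."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in path):
        # Explorer renders "invoice<U+202E>fdp.exe" as "invoiceexe.pdf"; Windows still runs .exe
        findings.append(("high", "bidi override character in file name"))
    cleaned = "".join(ch for ch in path if ch not in BIDI_CONTROLS)
    name = re.split(r"[\\/]", cleaned)[-1].lower()   # basename, either separator
    tokens = name.split(".")
    exts = []                                        # trailing run of extension-like tokens
    for tok in reversed(tokens[1:]):
        if not EXT_TOKEN.match(tok):
            break
        exts.insert(0, tok)
    if len(exts) >= 2 and (exts[-2], exts[-1]) not in BENIGN_DOUBLE:
        if exts[-1] in EXECUTABLE_EXTS:
            findings.append(("high", f"double extension ending in executable .{exts[-1]}"))
        else:
            findings.append(("low", "unexpected double extension"))
    return findings


def scan_events(log_text):
    """Parse constructed file-creation lines and return one alert per suspicious file."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        findings = analyse_filename(m["path"])
        if not findings:
            continue
        severity = "high" if any(s == "high" for s, _ in findings) else "low"
        alerts.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                       "path": m["path"], "severity": severity,
                       "reasons": [r for _, r in findings]})
    return alerts


# Constructed sample events: a doc.js lure, a benign PDF, a benign tarball, an RTLO lure.
SAMPLE_LOG = """\
2014-12-08T14:02:11Z host=WS-0142 user=jsmith event=file_create path="C:\\Users\\jsmith\\Downloads\\FedEx_Invoice_JSmith.doc.js"
2014-12-08T14:03:40Z host=WS-0142 user=jsmith event=file_create path="C:\\Users\\jsmith\\Downloads\\quarterly_report.pdf"
2014-12-08T14:05:02Z host=BUILD01 user=svc_build event=file_create path="D:\\artifacts\\release-2.4.1.tar.gz"
2014-12-08T14:07:55Z host=WS-0077 user=akumar event=file_create path="C:\\Users\\akumar\\Desktop\\invoice\u202efdp.exe"
"""

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ts"], alert["host"], alert["user"],
              repr(alert["path"]), "; ".join(alert["reasons"]))
```

Running the block prints two HIGH alerts (the doc.js lure and the RTLO lure) and nothing for the PDF or the tarball. A double extension that does not end in an executable type is reported at low severity rather than dropped, which is where a whitelist tuned to the environment pays off.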

Figure 10: AIE Double Extension Alert


Happy holidays from your friends at LogRhythm and be careful when shopping online!



Domain Privilege Escalation Vulnerability

Privilege Escalating Evil Unicorn, credit: Zack Rowland

On Tuesday Microsoft released an emergency update for Windows Server 2003 through 2012 R2 (bulletin MS14-068, a flaw in the Kerberos KDC’s validation of PAC signatures) to address a vulnerability that lets any authenticated account on a Windows domain escalate its privileges. Exploitation can be detected in Windows Server 2008 and later by analyzing Windows Event Log ID 4624 (an account was successfully logged on) and looking, under New Logon, for a discrepancy between the Security ID and the Account Name, as shown:



In LogRhythm this is easily detected with a new AI Engine rule that watches for any difference between the Security ID field, captured into Account, and the Account Name field, captured into Origin Login. This AIE rule, Account Anomaly: Domain Privilege Escalation, is available with the latest knowledge base update (KB

Advanced Intelligence Engine Parsing Rule


While applying Microsoft’s patch for this vulnerability remains the first priority, this rule is a helpful way to detect whether the vulnerability has already been exploited on your Windows domain. Note that 4624 is logged on the host that is logged on to, so domain controllers and other high-value servers need to be forwarding their Security logs for the rule to see the mismatch.
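The Security ID versus Account Name comparison described above, as an added example in Python that is not the LogRhythm AIE rule or any code from the post. The 4624 message bodies and the SID-to-account table are constructed; in a real deployment the table comes from Active Directory (or the log collector’s own SID resolution), and exported logs may already show the Security ID as DOMAIN\name, which the example also handles.

```python
"""Check Windows Security event 4624 messages for a mismatch between the New Logon
Security ID and Account Name. Added example with constructed events and a constructed
SID-to-account table; it is not LogRhythm's AIE rule logic."""
import re

# Constructed directory snapshot (SID -> sAMAccountName). In production this comes from
# Active Directory (an LDAP export or the collector's own SID resolution), not a literal.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SID_TO_ACCOUNT = {
    DOMAIN_SID + "-500": "Administrator",
    DOMAIN_SID + "-1105": "jdoe",
    DOMAIN_SID + "-1322": "FS01$",
}

# The New Logon block of a 4624 message: "Security ID:" then "Account Name:" on the next line.
NEW_LOGON_RE = re.compile(
    r"New Logon:\s*Security ID:\s*(?P<sid>\S+)\s*Account Name:\s*(?P<name>\S+)")


def resolve_sid(sid, sid_map):
    """Map a raw SID (or an already-resolved DOMAIN\\name string) to an account name."""
    if "\\" in sid:                      # exported logs often show "CORP\\jdoe" here
        return sid.rsplit("\\", 1)[1]
    return sid_map.get(sid)               # None when the SID is unknown to us


def parse_new_logon(message):
    """Return (security_id, account_name) from the New Logon section, or raise."""
    m = NEW_LOGON_RE.search(message)
    if not m:
        raise ValueError("no New Logon section found; not a 4624 message?")
    return m["sid"], m["name"]


def check_4624(message, sid_map=SID_TO_ACCOUNT):
    """Classify one 4624 message: ok, mismatch (the indicator above) or unresolved."""
    sid, name = parse_new_logon(message)
    resolved = resolve_sid(sid, sid_map)
    if resolved is None:
        verdict = "unresolved"            # cannot judge; worth a lower-priority alert
    elif resolved.lower() == name.lower():
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"sid": sid, "account_name": name, "resolved": resolved, "verdict": verdict}


def _event(sid, name):
    """Build a constructed 4624 message body in Event Viewer layout."""
    return (
        "An account was successfully logged on.\n\n"
        "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n"
        "\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
        "Logon Type:\t\t\t3\n\n"
        f"New Logon:\n\tSecurity ID:\t\t{sid}\n\tAccount Name:\t\t{name}\n"
        "\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3e7c2\n"
    )


# Constructed samples: a normal logon, one whose Security ID resolves to Administrator
# while the Account Name is jdoe, and the same mismatch as an exported log would show it.
EVENT_NORMAL = _event(DOMAIN_SID + "-1105", "jdoe")
EVENT_EXPLOITED = _event(DOMAIN_SID + "-500", "jdoe")
EVENT_EXPORTED = _event("CORP\\Administrator", "jdoe")

if __name__ == "__main__":
    for label, ev in [("normal", EVENT_NORMAL), ("exploited", EVENT_EXPLOITED),
                      ("exported", EVENT_EXPORTED)]:
        print(label, check_4624(ev))
```

The regex is anchored on "New Logon:" so the Subject block’s own Security ID is never compared by mistake. An unresolved SID is reported separately rather than treated as a match: an attacker-controlled SID that your directory snapshot does not know is exactly the case you do not want silently passed.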




The detailed cost of cyber crime in 7 countries and in 17 industry sectors in 2014

As a LogRhythm Sales Engineer I meet many customers who love our technology but struggle to convince their management of the true ROI of a full SIEM solution.

The good news is that the Ponemon Institute has just released their annual survey results based on a sample of:

  • 257 companies with over 1,000 seats
  • 2,081 separate interviews
  • in 7 countries (USA, UK, Germany, France, Japan, Australia and Russia)
  • in 17 industry sectors

Among all their results they found that:

  • Cyber crime cost has increased by 10.4% from last year
  • Cyber crime cost per enterprise seat ranges from $1,600 for small companies to $437 for larger ones
  • Productivity loss accounts for 30% of the total cost companies incur as a result of a breach
  • The most costly cyber crimes are those caused by malicious insiders
  • Security intelligence technologies (including SIEM) have the biggest ROI of all security technology categories

The graph below shows the average annualized cost of cyber crime attacks in US$ million. According to the Ponemon report, companies that had security intelligence technologies deployed experienced an average cost saving of $2.6M per breach compared with breached companies that did not have a SIEM deployed.


Image: Ponemon Institute

This survey provides over 30 figures which can help our customers put together a detailed business case with many statistics including those of their country and for their industry sector.

The full report is available free of charge here: 2014 Global Report on the Cost of Cyber Crime



Professional Malware

There is an adage in physical security that criminals will go for the lowest hanging fruit: if a car parked on the street has a security system (denoted by a blinking light), it will be fine when next to a model without one. So the cost-effective strategy is to stay just ahead of the weakest competition. Ten years ago this held true in information security, when the field was still a large unknown for many organizations and criminals didn’t need to work particularly hard to compromise an unprotected one. But organizations slowly began catching up to best security practices with an expansion of security devices throughout their networks: moving beyond antivirus alone to full endpoint monitoring with virtualized malware sandboxes; beyond a single firewall to intrusion detection systems; and beyond disparate monitoring of multiple devices to centralized security information and event management.

But in this rapidly evolving environment, the attackers didn’t just give up — they became more professional. As a result, malware tools have reached commercial-grade quality. In particular, modularity, first introduced several years ago, now allows variants to be customized to the victim.

The Zeus Trojan, now one of the older pieces of malware (developed nearly 10 years ago), became one of the earliest to be customized in this way after its source code leaked in 2011. At first, Zeus was primarily used to target financial institutions. But as they ramped up security, attackers moved to pilfering vulnerable business payrolls. Most recently, malware authors have gone after large retailers’ payment systems, stealing credit card information.

The introduction of malware loaders, able to covertly pull down any program the attacker chooses, let malware authors share their best features and gave criminals the ability to greatly accelerate their progress. Smoke Loader, now a few years old, is a prime example. While investigating a machine that was exfiltrating passwords a couple of years ago, I noticed the traffic pattern matched another piece of malware, Carberp. Further analysis showed that Carberp’s password-grabbing function had been placed into Smoke Loader. Just as exploit kits customize their payload depending on the victim’s vulnerabilities, botnet operators could customize their control over their bots.

Smoke Loader Interface

The latest assessment of BlackEnergy shows that it now includes modules for nearly any feature an attacker would want — the ability to target different operating systems (including routers), launch DoS attacks, read BIOS details from the motherboard, and decrypt or destroy data. More importantly, these tools are being used by attackers with significant infrastructure and skill to target organizations like NATO and government agencies. And most alarmingly, some BlackEnergy modules target critical infrastructure such as energy and water sectors.

Information security divisions will face increasing complexity and professionalism in attacks. Simply buying and deploying a security device is not going to protect an organization; doing so requires using the defense’s one major asset, home-field advantage. By understanding their own network, a security operations team can use cyber discovery techniques to find the unusual activity that criminals will inevitably generate. This requires significant effort, but defenders must evolve along with their adversaries.



UK government and insurers join forces to develop cyber-insurance market

Last week the UK government announced that it has partnered with 12 insurance companies to develop the cyber-insurance market and highlight the threat of cyber attacks to businesses. As part of this, new working groups will be put in place and tasked with reporting back to the Cabinet Office on the key issues in the market. Cabinet Office Minister Francis Maude said that, while cyber insurance adds an extra layer of protection for organizations, it must be used in conjunction with good cyber-security practices.

We’ve seen a slew of very high-profile security breaches take place this year, with organizations such as eBay finding themselves in the firing line. What’s slightly concerning is that cyber crime is now so commonplace that these incidents go by with barely an eyebrow raised when they are reported. While businesses themselves clearly have to deal with the consequences of these attacks, the attacks also cost the UK as a whole a vast sum of money. Joining forces with insurers makes sense for the government, as it will enable it not only to raise awareness of the issue but also to ensure that damage is limited.

While cyber insurance has been around for a while, the market has been relatively slow to take off.  However, as cyber criminals become more sophisticated and we realise the inevitability of attack, it makes sense that businesses would want to have the greatest level of protection as the aftermath of a serious breach could be akin to a large-scale burglary.  For insurers it’s not surprising they would want to capitalize on this modern risk facing UK businesses, and working with the government only provides a greater opportunity to get the word out there.  However, Francis Maude is right and businesses must see insurance as a safety net, and not as a security tool.  Just as you wouldn’t forgo your fire alarm when you purchase contents insurance for your house, organizations must not do the same with their defensive security measures.

It is imperative that the right checks and balances are maintained to keep corporate networks watertight, as the protection of private information should be paramount, rather than simply covering the costs of a breach. Protective monitoring and security intelligence should be the go-to strategy throughout organizations, as they provide the most granular view into all network activity. This ensures that anything untoward can be immediately identified and stopped in its tracks before any lasting damage is done, or big insurance payouts are required. So, while there is no harm in having insurance, and it will likely prove advantageous to both businesses and the UK economy, it must not be seen as the be-all and end-all, otherwise we are going to be seeing a lot more breaches, a lot sooner.
