Month: February 2015

It seems as if we are caught in a flash zero-day storm. It has not yet been two weeks from the disclosure of CVE-2015-0311 and we are already informed that there is yet another attack flying under the radar of signature-based security solutions.

Similar to its older kinsmen, CVE-2015-0313 was discovered in attacks utilizing the Angler exploit kit.  According to security reports, around 3,294 hits related to the exploit were already identified and as is usually the case with zero days, what we see is only the tip of the iceberg.

Standard security measures do not offer sufficient protection. In browsing through various security vendor responses, we see recommendations to disable Flash’s targeted version until a patch will become available or to block the URL which – temporarily – hosts the exploit kit. We might expect that quite soon a signature will be generated to the exploit which – again temporarily – utilizes CVE-2015-0313 to execute malicious code in victim endpoints.

These are all reactive steps. They have limited mitigation value, but they lag behind the attackers. And what’s more, they are reactive to what thus far is a small manifestation of a potentially larger threat. Attackers are evolving and it’s not farfetched to assume that out of the box URLs are standing in line to replace the one which was already tagged as malicious and that the exploit code is being modified right away, emptying the original’s one signature of any value.

This zero-day is yet another example of why advanced attacks need to be addressed in a manner that tackles them at the core and sustains security — regardless of changing factors.

Palo Alto Networks Traps analysis of CVE-2015-0313 reveals that exploits utilizing this vulnerability attempt to bypass standard DEP protection using a ROP chain. Once the ROP is successfully carried out, the exploit tries to access OS functions.

What Traps “sees” in this case is not an unknown threat but an understandable and well-defined pattern. In fact, it quite resembles the one we described in our last zero day post. Obstructing the exploit in these phases breaks the chain and crashes the attack.

Traps has knowledge of the techniques attackers need in each critical stage of exploitation. Possessing that knowledge enables Traps to obstruct them in real time, proactively preventing the exploitation from reaching its goal. The result is that endpoints are completely protected from exploitation trying to make use of zero day CVE-2015-0313.

Installing Traps on your endpoints protects your enterprise from known attacks and zero days alike. Learn more about Advanced Endpoint Protection here.

[Palo Alto Networks Blog]

For a moment, put yourself in the shoes of a cyber criminal. You’ve collected an array of tools (malware), built up your infrastructure (command and control (C2) servers) and you have a process to make money off your hard work. You wake up on Monday morning and the domains your carefully built malware uses for command and control are shut down. Some security researcher has taken control of them, completely halting your operation. This would certainly be good news to anyone reading this blog, but for the criminal it’s a big setback and source of frustration. These kinds of takedowns are the impetus for some of the most impressive developments in malware technology over the last decade.

Takedown-Resistant Command and Control

Once attackers have infected a PC through some exploit or social engineering, one of their major challenges is keeping control of that system. Antivirus programs running on the PC are trying eradicate the threat, the command and control domains and IPs are being added to blacklists and blocked by networks around the world. Many malware authors have taken to building complex mechanisms to ensure that their malware is resistant to these kind of blocks and takedowns. Some of the more innovative mechanisms include:

• Peer-to-peer (P2P) Networks: Rather than relying on a single (or small) number of failure ports for command and control, P2P bots communicate with other infected systems that can relay commands from the attacker. These systems aren’t perfect though, as Operation b49proved in the takedown of Waldac.
• Domain Generation Algorithms (DGAs): Why use one domain for command and control when you could use 100, or 1,000, or more? DGAs work by algorithmically generating possible C2 domains that change over time. The attacker often only needs to register one of these domains to ensure control of the network. Conficker, one of the most well-known DGA-based botnets generated 50,000 possible domains each day in it’s final variant.

These mechanisms are often only used when the primary (and simpler) C2 mechanism has been shut down, but their use makes shutting down a botnet much more challenging.

Abusing I2P

Last year we highlighted two malware families on this blog: CryptoWall 2.0 and Dyreza/Dyre. CryptoWall is one of multiple ransomware families that generated income for the attacker by encrypting files on the infected PC with a private key that is in the control of the attacker. The attacker then charges a ransom (normally around $500) to give up the key that will unlock the files. In October, CryptoWall 2.0 began using the Tor anonymity network to serve web pages to infected users who wanted their encrypted files back. In this case a legitimate service (Tor) was being abused by CryptoWall so it could avoid having its C2 servers shut down. Presently another anonymity network, I2P is being abused by both the latest version of CryptoWall (3.0)and the Dyre banking Trojan.

While I2P is far less popular than Tor, it provides similar functionality to the user. I2P is an overlay network on top of the Internet that creates encrypted links between nodes that are running the I2P software. I2P users can access specific I2P services that are only accessible on I2P, or access Internet resources without exposing their IP address.

In the case of CryptoWall 3.0, the malware is attempting to access multiple .i2p resources only accessible through I2P, also known as “eepSites.”

• proxy1-1-1.i2p
• proxy2-2-2.i2p
• proxy3-3-3.i2p
• proxy4-4-4.i2p
• proxy5-5-5.i2p

The CryptoWall 3.0 uses I2P in the same way CryptoWall 2.0 used Tor, to give the victim access to a decrypting service to get their files back.

The Dyre banking Trojan has multiple C2 mechanisms, including encrypted HTTPS requests to a list of hard-coded IP addresses, a DGA generating 1,000 new domains each day as well as an I2P based plugin. These many C2 mechanisms make Dyre much more difficult to fully take down than a simple single (or small group) of C2s. the following IP address are known Dyre C2 servers.

• 228.17.152
• 228.17.155
• 228.17.158
• 78.103.85
• 114.0.58
• 203.50.17
• 203.50.69
• 153.35.133
• 183.172.196
• 56.214.130
• 56.214.154
• 239.209.196
• 172.179.9
• 172.181.164
• 172.184.75
• 23.8.68
• 59.2.42
• 248.224.75
• 25.134.53
• 25.138.12
• 25.145.179
• 190.139.178
• 23.196.90
• 23.61.172

It’s not possible to list all of the domains generated by the DGA, which is the main advantage of this mechanism.

To protect your network from the I2P communication used by both Dyre and CryptoWall 3.0, the easiest route is simply to identify I2P traffic and block it completely. While there are certainly many legitimate reasons to use an anonymity network, many organizations should be weary of I2P (or Tor) traffic transiting their network. Palo Alto Networks App-ID technology can identify I2P traffic as well 51 other tunneling applications.

[Palo Alto Networks Blog]