‘Creating Audit Programs’ White Paper Introduces Template Redesign

With the release of its white paper Information Systems Auditing Tools and Techniques:  Creating Audit Programs, ISACA describes the basic steps to create an audit program. This white paper is part of a series created to deliver practical guidance on how to perform an audit engagement—from planning to reporting and closing—that is consistent with ISACA Auditing Standards (ITAF) as well as those issued by the Public Company Accounting Oversight Board (PCAOB), the Institute of Internal Auditors (IIA), and the American Institute of Certified Public Accountants (AICPA).

Information systems (IS) audits help enterprises ensure effective, efficient, secure and reliable operation of information technology. Audits can also help confirm compliance with numerous legal and administrative regulations, and help management determine if the business is functioning well and meeting challenges. Most importantly, audits assure stakeholders of the organization’s financial, operational and ethical well-being. All of these outcomes are supported by IS audits, especially the information and related technology and systems that most businesses and public institutions rely upon for a competitive advantage.

An important component of the audit plan is the audit program. Audit programs are commonly used to document the specific procedures and steps of testing and verifying control effectiveness. The audit program’s quality has significant impact on the consistency and quality of the audit results, so it is imperative that IS auditors understand how to develop comprehensive audit programs.

The many benefits of an effective audit depend on proper and thorough planning of the audit engagement. To make this happen, the auditor and the area being audited must understand and accept the scope and objective of the audit. Once the purpose is defined, the next step is to create an audit plan that captures the agreed scope, objectives and procedures required to get the relevant, reliable and sufficient evidence to draw and support audit conclusions and opinions.

To demonstrate the process described in the white paper, ISACA has released a sample audit and assurance program developed using a five-step process to gather the necessary information to define the audit subject, objective, scope and audit methodology. The sample audit program for a virtual private network can be customized to create a specific audit and assurance program tailored to your unique needs.

The documents are intended for IT audit professionals who are either new to the profession and preparing for the Certified Information Systems Auditor (CISA) exam, or who simply want to brush up on their skills.

To learn more, see the white paper here.

Eva Sweet, Technical Research Manager, ISACA

[ISACA Now Blog]

How the EITest Campaign’s Path to Angler EK Evolved Over Time

In October 2014, Malwarebytes identified a campaign based on thousands of compromised websites that kicked off an infection chain to Angler exploit kit (EK). It was named the “EITest” campaign, because “EITest” was a variable consistently found in injected scripts across all of the compromised websites. Malwarebytes noted some changes in this campaign in 2015 and 2016.

Like others in the cybersecurity threat research community, we have been tracking the EITest campaign. This blog post focuses on network traffic and how indicators have changed over time.

The Evolution of EITest

We first saw traffic related to this campaign in September 2014. Since then, patterns for injected script in the compromised websites have remained consistent. Only the URLs and variable names have changed.

Figure 1: Injected script from the EITest campaign in September 2014.

Figure 2: Injected script from the EITest campaign in March 2016.

The EITest gate occasionally changes IP addresses, but since January 2016 this campaign has used the 85.93.0.0/24 block. So far this year, the TLD for these domains has most often been .tk, but other TLDs are also used. Below is a list with the date, IP address, and domain we have seen for the EITest gate URL:

  • 2014-09-22: 148.251.56[.]156 – flv.79highstreet.co[.]uk
  • 2014-10-02: 148.251.56[.]156 – fix-mo[.]tk
  • 2015-06-08: 194.15.126[.]7 – joans[.]ga
  • 2015-11-10: 31.184.192[.]206 – ymest[.]ml
  • 2015-12-04: 31.184.192[.]206 – vecexeze[.]tk
  • 2016-01-19: 85.93.0[.]32 – feedero[.]tk
  • 2016-01-25: 85.93.0[.]32 – http://www.bobibo[.]tk
  • 2016-01-26: 85.93.0[.]32 – en.robertkuzma[.]com
  • 2016-02-03: 85.93.0[.]32 – vyetbr[.]tk
  • 2016-02-10: 85.93.0[.]32 – dofned[.]tk
  • 2016-02-15: 85.93.0[.]32 – zeboms[.]tk
  • 2016-02-18: 85.93.0[.]32 – 14s.syte4[.]com
  • 2016-03-04: 85.93.0[.]33 – vovevy[.]tk
  • 2016-03-07: 85.93.0[.]33 – nixsys[.]tk
  • 2016-03-09: 85.93.0[.]33 – mvcvideo[.]tk
  • 2016-03-14: 85.93.0[.]33 – bab.aba98[.]com
  • 2016-03-29: 85.93.0[.]34 – folesd[.]tk

When we first noticed the EITest gate in September 2014, the URL format was: [domain]/player.php?pid=[long hexadecimal string]. Sometime in 2015, player.php switched to [random word].php and ?pid changed to ?sid. By mid-February 2016, the EITest gate URL experienced more drastic changes. See figure 3 for details.
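The indicator list and URL shapes above are what a defender would turn into a detection. The following Python is an added example, not code from the Palo Alto Networks post: it refangs the published `[.]`-defanged gate domains and IPs, then scans a constructed proxy log (the five-column record format is an assumption) for known gate hosts, the 85.93.0.0/24 block, and the `player.php?pid=<hex>` and `<word>.php?sid=` request shapes the post describes. The minimum hex length for `pid` is an assumption, since the post only says "long hexadecimal string".

```python
import ipaddress
import re

# Gate indicators copied from the list in the post, kept defanged as published.
EITEST_GATES = [
    ("2014-09-22", "148.251.56[.]156", "flv.79highstreet.co[.]uk"),
    ("2014-10-02", "148.251.56[.]156", "fix-mo[.]tk"),
    ("2015-06-08", "194.15.126[.]7", "joans[.]ga"),
    ("2015-11-10", "31.184.192[.]206", "ymest[.]ml"),
    ("2015-12-04", "31.184.192[.]206", "vecexeze[.]tk"),
    ("2016-01-19", "85.93.0[.]32", "feedero[.]tk"),
    ("2016-01-25", "85.93.0[.]32", "http://www.bobibo[.]tk"),
    ("2016-01-26", "85.93.0[.]32", "en.robertkuzma[.]com"),
    ("2016-02-03", "85.93.0[.]32", "vyetbr[.]tk"),
    ("2016-02-10", "85.93.0[.]32", "dofned[.]tk"),
    ("2016-02-15", "85.93.0[.]32", "zeboms[.]tk"),
    ("2016-02-18", "85.93.0[.]32", "14s.syte4[.]com"),
    ("2016-03-04", "85.93.0[.]33", "vovevy[.]tk"),
    ("2016-03-07", "85.93.0[.]33", "nixsys[.]tk"),
    ("2016-03-09", "85.93.0[.]33", "mvcvideo[.]tk"),
    ("2016-03-14", "85.93.0[.]33", "bab.aba98[.]com"),
    ("2016-03-29", "85.93.0[.]34", "folesd[.]tk"),
]

# IP block the post says the gate has used since January 2016.
GATE_BLOCK = ipaddress.ip_network("85.93.0.0/24")

# URL shapes described in the post. The 16+ hex-digit minimum and the
# letters-only "random word" are assumptions, not stated in the post.
PID_RE = re.compile(r"/player\.php\?pid=[0-9a-fA-F]{16,}$")
SID_RE = re.compile(r"/[A-Za-z]+\.php\?sid=\S*$")


def refang(indicator: str) -> str:
    """Turn a published '[.]'-defanged domain or IP back into a comparable
    value, dropping any scheme or trailing slash so it matches a Host header."""
    value = indicator.replace("[.]", ".")
    value = value.split("://", 1)[-1]
    return value.rstrip("/").lower()


GATE_HOSTS = {refang(domain) for _, _, domain in EITEST_GATES}
GATE_IPS = {refang(ip) for _, ip, _ in EITEST_GATES}


def parse_line(line: str) -> dict:
    """Parse one record of the constructed proxy format:
    <timestamp> <client_ip> <dest_ip> <host> <path>"""
    ts, client, dest, host, path = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "dest": dest,
            "host": host.lower(), "path": path}


def classify(rec: dict) -> list:
    """Return the reasons a record looks like EITest gate traffic (empty = clean)."""
    reasons = []
    if rec["host"] in GATE_HOSTS:
        reasons.append("known-gate-domain")
    if rec["dest"] in GATE_IPS:
        reasons.append("known-gate-ip")
    elif ipaddress.ip_address(rec["dest"]) in GATE_BLOCK:
        reasons.append("gate-ip-block")          # in the /24 but not yet listed
    if PID_RE.search(rec["path"]):
        reasons.append("player.php?pid=<hex> pattern")
    elif SID_RE.search(rec["path"]):
        reasons.append("<word>.php?sid= pattern")
    return reasons


def scan(log_text: str) -> list:
    """Classify every non-empty line; return (line_no, host, reasons) for hits."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((n, rec["host"], reasons))
    return hits


# Constructed sample log (not real traffic): a 2014-style hit, a listed host
# with a benign path, a 2015-style hit on an unlisted host, a 2016 listed hit,
# an unlisted host inside the /24, and one benign request.
SAMPLE_LOG = """
2014-09-22T10:01:02 10.0.0.5 148.251.56.156 flv.79highstreet.co.uk /player.php?pid=0123456789abcdef0123456789abcdef
2015-06-08T11:15:40 10.0.0.7 194.15.126.7 joans.ga /images/logo.png
2015-11-10T09:30:11 10.0.0.9 31.184.192.206 example-unlisted.tk /newer.php?sid=abc123
2016-01-25T14:22:05 10.0.0.5 85.93.0.32 www.bobibo.tk /index.php?sid=9f
2016-03-30T08:00:00 10.0.0.5 85.93.0.35 unknownhost.tk /page.html
2016-03-30T08:05:00 10.0.0.5 93.184.216.34 www.example.com /index.html
"""

if __name__ == "__main__":
    for line_no, host, reasons in scan(SAMPLE_LOG):
        print(f"line {line_no}: {host}: {', '.join(reasons)}")
```

The block-level check is deliberately separate from the exact-IP check: a hit on `gate-ip-block` alone is a weaker signal than a listed host or IP, so a real rule would weight it lower or require a matching path pattern before alerting.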

Figure 3: Changes in EITest gate URLs since 2016-02-15.

Flash File for Redirection

The EITest gate URL continues to return a Flash file that redirects traffic to Angler EK. This gate URL always generates two HTTP GET requests. The first request retrieves the Flash file and the second request returns script pointing to an Angler EK landing page.

Figure 4: First HTTP GET request to EITest gate returns a Flash file.

Figure 5: Second HTTP GET request to EITest gate returns script pointing to Angler EK.

Differences in Angler EK Used by This Campaign

Angler EK as used by this campaign differs somewhat from Angler EK as used by other actors. Campaigns like pseudo-Darkleech tend to distribute ransomware such as CryptoWall or TeslaCrypt. However, the group behind EITest pushes a variety of malware. Below are examples of Angler EK infections caused by the EITest campaign and the associated malware payloads.

  • 2014-09-22: Vawtrak
  • 2014-10-02: Pushdo.s
  • 2015-06-08: Vawtrak
  • 2015-11-10: Tinba
  • 2015-12-04: TeslaCrypt
  • 2016-01-19: Bedep and Kovter.B
  • 2016-01-25: Fareit/Pony and Pushdo.s
  • 2016-01-26: Bedep and TeslaCrypt
  • 2016-02-03: HydraCrypt
  • 2016-02-10: Ursnif variant
  • 2016-02-15: TeslaCrypt
  • 2016-02-18: TeslaCrypt
  • 2016-03-03: TeslaCrypt
  • 2016-03-04: dropper, possible Andromeda
  • 2016-03-07: dropper, undetermined
  • 2016-03-09: TeslaCrypt
  • 2016-03-14: Zeus variant
  • 2016-03-29: Bedep and possible Neutrino/Andromeda malware

Conclusion

The EITest campaign has been active since at least September 2014. Patterns of injected scripts sent by the websites compromised in this campaign have remained fairly static. However, the gate URL has evolved considerably since the campaign first started. The EITest gate leads to Angler EK and delivers a variety of malware. This campaign is not limited to ransomware like other campaigns that use Angler EK.

Palo Alto Networks customers are protected from the EITest campaign through our next-generation security platform. Associated domains have been flagged as malicious in Threat Prevention, and WildFire classifies the Flash files used in this campaign as malicious.

[Palo Alto Networks Research Center]

Top 5 Things to Know Before You Go to Ignite Conference 2016

We are days away from Ignite Conference 2016! Take a look at the top five things you need to know before heading to our biggest security conference of the year.

1. Build Your Agenda

Use Agenda Builder to create an event that is customized to your interests. Workshops and sessions are designed to be modular, so no matter how you stack them, you’ll get an integrated approach to preventing cyber breaches and securing your organization. Don’t forget to register for the sessions that interest you and reserve your spot before heading to the event.

Learn more about the Agenda Builder, available tracks and sessions, and event highlights.

2. Check Out Cyber Range

Come watch our Cyber Range Threat Prevention workshops in the Expo Hall and cheer on your favorite team. Don’t forget to follow along and join the conversation on Twitter using the #IgniteRanger hashtag.

Session Times:

  • Tuesday, April 5 | 12:30 – 3:30 PM PT
  • Wednesday, April 6 | 9:00 AM – 12:00 PM PT

3. Get Certified

We are offering a special rate to all Ignite 2016 attendees – 50 percent off your Palo Alto Networks Certified Network Security Engineer (PCNSE) exams.

Exam times:

  • Sunday, April 3 | 9:00 AM – 5:00 PM PT
  • Wednesday, April 6 | 1:00 PM – 6:00 PM PT

Learn more about taking your PCNSE exam at Ignite 2016.

4. Access Ignite Conference 2016 Anytime, Anywhere

With the Ignite 2016 mobile app, you’ll have everything you need to navigate the event right in the palm of your hands. Access your daily agenda, read up on speakers, and join the #igniteconf16 Twitter conversation.

To download the Ignite 2016 mobile app:

  • Step 1: Go to https://install.events/slepa16 on your smartphone or tablet.
  • Step 2: Install the app.
  • Step 3: Open the app and input your activation code you were emailed, or input your email address and you will be emailed your code.

5. Win Great Prizes

We have two contests this year where you’ll have an opportunity to win some great prizes.

Passport to Prizes contest

Access your “digital passport” from the Ignite 2016 mobile app and scan each sponsor booth’s QR code by 6:00 PM PT on Tuesday, April 5. Once you scan all 27 QR codes, you’re automatically entered to win a Sphero BB-8 App-Enabled Droid.

The drawing for each booth will take place in the Expo Hall at 6:30 PM on Tuesday, April 5. 

Most Active Mobile App User contest

Be a power user of the Ignite 2016 mobile app and be eligible to win a $250 gift certificate to the Palo Alto Networks Ignite Shop.

Point system:

  • Get 4 points for every completed survey
  • Get 2 points for every post to the activity feed

You have until 5:30 PM PT on Tuesday, April 5 to complete your surveys and submit your posts. The lucky winner will be announced at 6:00 PM on Tuesday, April 5.

We’re looking forward to seeing you next week at Ignite Conference 2016!

About Ignite 2016

April 3-6, 2016 at The Cosmopolitan Hotel Las Vegas
Ignite is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite 2016 website for more on tracks, workshops and marquee sessions, and register today.

Follow us: @Ignite_Conf | #igniteconf16

[Palo Alto Networks Research Center]

Cyber 9/12 Challenge: The Next-Generation of Cybersecurity Experts

Earlier this month, I had the privilege of attending the Cyber 9/12 Student Challenge at American University, sponsored by the Atlantic Council. The Cyber 9/12 Student Challenge is an annual cyber policy competition for students across the globe to compete in developing national security policy recommendations tackling a fictional cyber catastrophe. During the Cyber 9/12 Student Challenge, teams were evaluated on their:

  • Understanding of cyber conflict policy concepts and guidance
  • Ability to identify key issues and fully respond to critical cyber conflict policy issues posed by a serious cyber-related scenario
  • Analysis of policy response alternatives, including the trade-offs involved
  • Ability to organize and provide clear and concise policy response options with supporting analysis
  • Presentation of original, creative and innovative solutions to the scenario

Each team had to do all of this in a decision document limited to two pages, as well as deliver an oral presentation – no easy task, for sure!

I had the distinct honor and true pleasure to participate in this important event in multiple ways throughout the two days, including in a panel discussion with former U.S. Under Secretary of Defense for Policy Dr. Jim Miller, moderated by Jason Healey, Senior Research Scholar at Columbia School of International and Public Affairs. I also had the opportunity to be a judge in the “final four” competition, awarding the Cyber 9/12 competition. Finally, I presented the Military Cyber Professionals Association’s (MCPA) “Order of Thor” medals to the best military college team, the Air University at Maxwell Air Force Base, Alabama, which just so happened to be the winner of the Cyber 9/12 competition.

I believe that events such as this are both rare and critical to our national security and international economic competitiveness. There’s no shortage of the more technical cyber competitions, such as Capture the Flag. However, there aren’t many events that pit college teams against each other over the development and delivery of clear, precise, well thought out governmental policy options when dealing with the growing cyberthreats and challenges that we face in today’s digital age.

Kudos to the sponsors, hosts, speakers and other contributors to this world-class event, but mostly I want to thank the 39 college teams that competed. They were all magnificent, and I sincerely wish them the very best of success in something that’s of critical importance to our country and the world!

Please take a minute to check out the photos from the Cyber 9/12 Student Challenge.

[Palo Alto Networks Research Center]

Maximizing your Panorama Deployment, Part 1

Are You Maximizing Your Panorama Deployment?

Like most network administrators, you are concerned with manageability, streamlined operations, and ensuring your network security deployment is bulletproof.

In this three-part blog series, I’ll address those concerns by sharing the benefits of moving to a network security management solution such as Panorama and explain how you can maximize your Panorama deployment.

Let’s start with the benefits of Panorama:

  • Streamlined policy management: Simplify the creation, import, copying and ongoing management of rules across the network. Provide a single security rule base to further streamline operations in deployments of operational complexity.
  • Simplified operations: Streamline day-to-day network security operations, and make the task of implementing and managing policies manageable by maintaining a static security posture in a dynamic and operationally complex network.
  • Flexible deployment options: As your security deployment grows, the complexity of managing the network should not. Accommodate geographical or logical differences in policy, management and reporting needs with one central management platform, and simplify the deployment and maintenance of the management system while keeping costs low.
  • Unparalleled network and threat visibility: Provide the capability to highlight critical threats across your network, focus on critical threats with actionable data, prioritize a fast response, and do more with less.

If you are already a proud owner, you likely chose Panorama to enhance management functionality, improve visibility across your deployment of next-generation firewalls, and streamline your rule base. But you could take advantage of some additional benefits by slightly changing the way you have deployed the product. There are three key steps you can take to ensure optimum performance of Panorama in your fast-growing or large network. Let’s explore how you can get the most out of your Panorama deployment.

  1. Move from a Virtual Machine (VM) to a dedicated hardware platform.
  2. Add log collectors.
  3. Deploy high availability (HA).

In my next post, I will explain how these three steps will help maximize your investment in Panorama. In the meantime, you can learn more by visiting Panorama at a Glance.

[Palo Alto Networks Research Center]
