Python-Based PWOBot Targets European Organizations

We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.

The malware itself provides a wealth of functionality, including the ability to download and execute files, execute Python code, log keystrokes, spawn an HTTP server, and mine Bitcoins via the victim’s CPUs and GPUs.

There are at least 12 variants of PWOBot, and the malware has been observed in attacks dating back to late 2013. More recent attacks have been observed affecting organizations between mid-to-late 2015.

Targeting

Over the past year, we have witnessed PWOBot affecting the following organizations:

  • Polish national research institution
  • Polish shipping company
  • Large Polish retailer
  • Polish information technology organization
  • Danish building company
  • French optical equipment provider

The majority of the PWOBot samples were downloaded from chomikuj.pl, which is a popular Polish file sharing web service. The following unique URLs have been observed providing copies of PWOBot:

s6216.chomikuj[.]pl/File.aspx?e=Pdd9AAxFcKmWlkqPtbpUrzfDq5_SUJBOz
s6102.chomikuj[.]pl/File.aspx?e=Hc4mp1AqJcyitgKbZvYM4th0XwQiVsQDW
s8512.chomikuj[.]pl/File.aspx?e=h6v10uIP1Z1mX2szQLTMUIoAmU3RcW5tv
s6429.chomikuj[.]pl/File.aspx?e=LyhX9kLrkmkrrRDIf6vq7Vs8vFNhqHONt
s5983.chomikuj[.]pl/File.aspx?e=b5Xyy93_GHxrgApU8YJXJlOUXWxjXgW2w
s6539.chomikuj[.]pl/File.aspx?e=EH9Rj5SLl8fFxGU-I0VZ3FdOGBKSSUQhl
s6701.chomikuj[.]pl/File.aspx?e=tx0a8KUhx57K8u_LPZDAH18ib-ehvFlZl
s6539.chomikuj[.]pl/File.aspx?e=EH9Rj5SLl8fFxGU-I0VZ3ISlGKLuMnr9H
s6539.chomikuj[.]pl/File.aspx?e=EH9Rj5SLl8fFxGU-I0VZ3OFFAuDc0M9m0
s6179.chomikuj[.]pl/File.aspx?e=Want-FTh0vz6www2xalnT1Nk6O_Wc6huR
s6424.chomikuj[.]pl/File.aspx?e=o_4Gk0x3F9FWxSDo4JWYuvGXDCsbytZMY

Additionally, in one instance the malware was downloaded from 108.61.167[.]105/favicon[.]png. This IP address is associated with the tracking.huijang[.]com domain, which was also used by a number of PWOBot samples.

The following filenames were observed being used to deliver PWOBot:

  • favicon.png
  • Quick PDF to Word 3.0.exe
  • XoristDecryptor 2.3.19.0 full ver.exe
  • Easy Barcode Creator 2.2.6.exe
  • Kingston Format Utility 1.0.3.0.exe
  • uCertify 1Z0-146 Oracle Database 8.05.05 Premium.exe
  • Six Sigma Toolbox 1.0.122.exe
  • Fizjologia sportu. Krótkie wykłady.exe [Physiology of sports. Short lectures.exe]

As we can see from the filenames used, a number of the PWOBot samples purport to be various software utility programs. In some instances, the Polish language is used for what appears to be a more targeted filename.

It is unclear how this malware was originally delivered to the end-user. Inferences can be made based on the filenames witnessed, as this malware may have been delivered to end-users who believed they were downloading other software. Alternatively, it’s possible that phishing attacks were used in order to entice victims into downloading these files.

Malware Analysis

As originally mentioned, PWOBot is written completely in Python. The attackers leverage PyInstaller to convert this Python code into a Microsoft Windows executable. However, as Python is being used, it can easily be ported to other operating systems, such as Linux or OSX.
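Because PWOBot ships as a PyInstaller bundle, a quick way for an analyst to confirm that a suspicious executable is in fact a packaged Python program is to look for PyInstaller's archive "cookie" at the end of the file. The helper below is an added example written for this write-up, not Unit 42 code, and it does not parse PWOBot itself; it assumes the cookie layout used by PyInstaller 2.1 and later (magic, package length, TOC offset, TOC length, Python version, Python library name) and builds a constructed sample blob to run against.

```python
"""Triage helper: recognise a PyInstaller-built executable from the
CArchive cookie appended to the bundle. Added example (not Unit 42 code).
Assumes the PyInstaller 2.1+ cookie layout."""
import struct

# Magic bytes PyInstaller writes at the start of its archive cookie.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# magic, package length, TOC offset, TOC length, Python version, lib name
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def find_cookie(data: bytes):
    """Return the parsed cookie as a dict if `data` carries a PyInstaller
    archive, otherwise None. The cookie sits at the very end of the bundle;
    a few trailing bytes are tolerated because some tools append data."""
    tail = data[-(COOKIE_SIZE + 4096):]
    pos = tail.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or len(tail) - pos < COOKIE_SIZE:
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FORMAT, tail[pos:pos + COOKIE_SIZE])
    return {
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": pyver,  # e.g. 27 for a Python 2.7 build
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def is_pyinstaller_bundle(data: bytes) -> bool:
    """True when the PyInstaller cookie is present and parseable."""
    return find_cookie(data) is not None


def build_sample() -> bytes:
    """Constructed sample: a fake PE-like body with a synthetic cookie
    appended, so the parser can be exercised offline (not a real binary)."""
    body = b"MZ" + b"\x00" * 500 + b"fake archive contents"
    cookie = struct.pack(
        COOKIE_FORMAT,
        PYINSTALLER_MAGIC,
        len(body) + COOKIE_SIZE,   # package length
        120,                       # TOC offset (arbitrary for the sample)
        64,                        # TOC length (arbitrary for the sample)
        27,                        # Python 2.7, as a PyInstaller build of that era would record
        b"python27.dll".ljust(64, b"\x00"),
    )
    return body + cookie


if __name__ == "__main__":
    info = find_cookie(build_sample())
    print("PyInstaller bundle:", info is not None, info)
```

A positive hit tells the analyst the Python bytecode inside can be extracted and decompiled rather than disassembled as native code; the recorded Python version also narrows which decompiler to reach for.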

Upon initial execution, PWOBot will first uninstall previous versions of PWOBot should they be found. It will query Run registry keys searching for instances of previous versions. The majority of versions use a format of ‘pwo[VERSION]’ for the Run registry key, where [VERSION] is the version number of PWOBot.

Figure 1 PWOBot uninstalling previous versions

After the previous versions are uninstalled, PWOBot will install itself and create a copy of its executable in the following location:

%HOMEPATH%/pwo[VERSION]

It will then set the following registry key to point to this newly copied executable:

HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/pwo[VERSION]

If this is the first time the malware is run, PWOBot will execute the newly copied file in a new process.
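The install steps above leave two host artefacts a defender can look for: a HKCU Run value named pwo[VERSION] and an executable named pwo[VERSION] directly under the user's profile directory. The script below is an added example (not Unit 42 code) that matches both patterns; the Run values it inspects are a constructed sample, and the live collector uses the standard winreg module, so it only reads the registry when run on Windows and returns nothing elsewhere.

```python
"""Defender check for the PWOBot persistence pattern: HKCU Run value
pwo<VERSION> pointing at %HOMEPATH%\\pwo<VERSION>. Added example, not
Unit 42 code. Matching logic is pure so it can be tested anywhere."""
import re
import sys
from typing import Dict, List, Tuple

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Value name: 'pwo' followed by the version number (e.g. pwo12).
PWO_NAME = re.compile(r"^pwo\d+$", re.IGNORECASE)
# Image path: a file called pwo<digits> (optionally .exe) at the end of the command.
PWO_PATH = re.compile(r"(?:^|[\\/])pwo\d+(?:\.exe)?$", re.IGNORECASE)


def find_pwobot_run_values(run_values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (value_name, command, reason) for every Run entry that matches
    the PWOBot pattern. Either the value name or the target path is enough
    to flag, so a renamed value with the original path is still caught."""
    hits = []
    for name, command in run_values.items():
        cmd = command.strip().strip('"')
        reasons = []
        if PWO_NAME.match(name):
            reasons.append("run value named pwo<VERSION>")
        if PWO_PATH.search(cmd):
            reasons.append("image path ends in pwo<VERSION>")
        if reasons:
            hits.append((name, command, "; ".join(reasons)))
    return hits


def collect_hkcu_run_values() -> Dict[str, str]:
    """Enumerate HKCU Run values on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = str(data)
            index += 1
    return values


# Constructed sample Run values (not taken from a real host).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "pwo12": r"C:\Users\alice\pwo12",
    "Updater": r"C:\Users\alice\pwo9.exe",
}

if __name__ == "__main__":
    live = collect_hkcu_run_values()
    for name, cmd, why in find_pwobot_run_values(live or SAMPLE_RUN_VALUES):
        print(f"[!] {name} -> {cmd} ({why})")
```

Run on a Windows host it reports live Run values; elsewhere it falls back to the constructed sample so the matching can be demonstrated. Because the malware uninstalls older versions before installing a new one, an investigator should also look for the deleted pwo[VERSION] files and removed Run values in Amcache or Prefetch rather than relying on the current registry state alone.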

After installation completes, PWOBot will hook various keyboard and mouse events, which will be used for subsequent keylogging activities. PWOBot is written in a modular fashion, allowing the attacker to include various modules during runtime. Based on the number of samples currently identified, the following services and their accompanying descriptions have been observed being included with PWOBot:

  • PWOLauncher : Download/execute file, or execute local file
  • PWOHTTPD : Spawn an HTTP server on the victim machine
  • PWOKeyLogger : Log keystrokes on the victim machine
  • PWOMiner : Mine bitcoins using the victim CPU/GPU
  • PWOPyExec : Execute Python code
  • PWOQuery : Query remote URL and return results

PWOBot also is equipped with two configuration files, one of which specifies various settings the malware should use, while another specifies what remote servers PWOBot should connect to during execution.

Figure 2 PWOBot settings configuration

Figure 3 PWOBot remote server configuration

As is visible in the settings configuration (Figure 2), PWOBot includes various Windows executables that are bundled when the attackers compile the code using PyInstaller. These executables are used to perform Bitcoin mining and to proxy requests via Tor. The Bitcoin miner is a compiled version of minerd and cgminer. These files are used for CPU and GPU Bitcoin mining respectively.

PWOBot also makes use of Tor to tunnel all traffic to the attacker’s remote server(s). While this provides both encryption and anonymity, it also should raise alerts to an organization’s network administrators if viewed, as such traffic likely violates said organization’s policies.

PWOBot uses a Python dictionary as its network protocol. At a configured interval, PWOBot sends a notification message to the remote server. An example of this notification can be seen below:

Enumerations are defined to represent the various numbers that appear in the previous example. Once those numbers are replaced with their respective enumeration names, we see a more complete picture of what data is being sent.

After notifications are sent, the attacker may opt to provide a command instructing PWOBot to perform one of the previously defined services. Results from said actions are then uploaded to the attacker using the same format.

In total, 12 variants of PWOBot appear to exist, based on the latest versions identified by Palo Alto Networks Unit 42. Of the 12 versions, we have witnessed versions five, six, seven, nine, 10, and 12 in the wild. Changes between versions appear minimal, and are likely performance improvements.

Conclusion

PWOBot is interesting as a malware family because it is written entirely in Python. While it has historically been seen affecting Microsoft Windows platforms, since the underlying code is cross-platform, it can easily be ported over to the Linux and OSX operating systems. That fact, coupled with a modular design, makes PWOBot a potentially significant threat.

This malware family has not previously been publicly disclosed. It has currently been witnessed affecting a number of European organizations.

Palo Alto Networks customers are protected from this threat in the following ways:

  • All PWOBot samples are properly categorized as malicious by the WildFire service.
  • Domains related to the PWOBot threat have been appropriately categorized as malicious.
  • AutoFocus customers may use the PWOBot tag to monitor this threat.

For a list of SHA256 hashes of PWOBot, please refer to the following file.

[Palo Alto Networks Research Center]

Maximizing your Panorama Deployment, Part 3

The Importance of Looking Forward When Deploying Panorama

In this blog series on maximizing your Panorama deployment, we covered the benefits of Panorama and how to customize your Panorama deployment to meet your needs. This final blog post will explain the importance of taking the future into consideration when deploying Panorama.

Panorama provides streamlined management, great visibility and excellent rule management across distributed networks of next-generation firewalls.

When deploying their network security management solutions, most customers deploy them in a way that is optimized for their current situation without consideration of future company or traffic growth. It is, however, critically important to plan a Panorama deployment strategically to optimize processing speeds and logging capacity/retention, as well as availability.

For example, deploying Panorama as a Virtual Machine (VM) makes a lot of sense for smaller companies who don’t have to manage too many logs or firewalls. However, adding just one or two more firewalls to your distributed network, may result in the VM servers being overloaded with the number of logs being generated. A small step to add either a dedicated management appliance or a log collector can ensure that log ingestion and retention won’t reach limits, and processing speeds won’t get impacted.

Thanks to the flexible deployment options of Panorama, you can ensure you maximize the performance of your network security management solution by adding dedicated management appliances and log collectors, or deploying Panorama in High Availability (HA) pairs.

Learn more about Panorama by downloading the datasheet.

Thanks for reading my series on maximizing your Panorama deployment. If you have additional questions or suggestions for future topics, leave a comment for me below.

[Palo Alto Networks Research Center]

CCSP Certification a Must for Security Pros Pivoting to the Cloud

Cloud computing is transforming the world of information technology before our eyes. Less than a decade ago, IT teams focused most of their time on building enterprise data centers, managing capacity and building custom applications.

Today, times have changed and many organizations are now shifting their focus toward the cloud, moving to a world where automation and integration dominate, and enterprises purchase much of their computing as a service from a number of different providers.

This shift toward the cloud doesn’t only change the world of developers and engineers, it also dramatically affects the work of information security professionals. In the world of cloud computing, assessments rise in importance and contract language becomes as significant a security control as the configuration of the enterprise firewall.

As security professionals seek to reinvent themselves as cloud security experts, they must gain new knowledge and skills and may wish to pursue professional certifications that help them demonstrate this aptitude to current and potential employers.

Security in the Cloud

Perhaps the most fundamental security difference between the old world of on-premises enterprise IT and the new world of cloud computing lies in the degree of dependence that organizations place in their vendors. Certainly, IT organizations have always relied upon vendors to provide hardware, software and services and those vendors have played a key role in enterprise security.

Even in a completely on-premises model, a security flaw in a vendor-supplied product can have dramatic security implications that open holes for an attacker to exploit. In a cloud model, those dependencies grow larger as organizations call upon vendors to provide services in a more active fashion.

The shared responsibility model is the key to understanding cloud computing security. Both vendors and their customers must take responsibility for different elements of security and that division of responsibility depends upon the scope of services provided by the vendor and the agreement between the vendor and its customers.

For example, an infrastructure-as-a-service (IaaS) vendor offering virtualized servers to its customers is typically responsible for providing physical security in their data centers. The vendor is expected to manage network security, and secure both the hardware underlying the servers and the hypervisor that separates virtual instances from each other.

Customers configure the operating system, install applications, manage firewall rules and manipulate their own data. Therefore, the security of those components remains a customer responsibility.

In a software-as-a-service (SaaS) model, on the other hand, the burden of responsibility swings more heavily in the vendor’s direction. The vendor manages all of the servers as well as the application, assuming responsibility for almost the entire security stack. That said, customers may still manage application security settings and control the flow of sensitive information into the application.

As you move services to the cloud, the most important security concern you should have is a clear and documented understanding of the shared responsibility model. You should clearly articulate your security requirements, perhaps drawing this information from the requirements you use for on-premises environments.

Next, you should work with vendors to spell out the technical, physical and administrative controls that satisfy each objective and state who is responsible for the implementation, configuration, operation and verification of each control.

Preparing Yourself for the Cloud

It’s not just organizations that need to reinvent themselves for the cloud. It certainly is true that technologies and business processes will change as we move toward a cloud-centric computing environment.

Those changes will also require a shift in the individuals performing technology-related functions in those organizations, including information security. Current security professionals will need to update their skills to cover the emerging world of cloud computing.

In a cloud-focused world, security professionals must work closely with internal and external customers and suppliers to ensure that security follows the organization’s data wherever it flows or resides. Key skills for cloud security professionals include vendor relations, contract negotiations, security assessments, cloud platform operation and cloud application security.

In addition, cloud security professionals will need to have a deep understanding of the security services provided by their organization’s slate of cloud vendors, and understand how to manipulate those services to achieve the organization’s security goals.

If you’re hoping to reinvent your career as a cloud security specialist, then you may wish to consider earning a cloud-focused information security certification, such as the Certified Cloud Security Professional (CCSP) certification available as a joint partnership between (ISC)² and the Cloud Security Alliance (CSA).

These two organizations, known for providing some of the premier information security certifications available today, partnered to provide an advanced certification that requires a combination of advanced knowledge and practical, hands-on work experience that complements the other certifications they offer.

The Certified Information Systems Security Professional (CISSP) certification offered by (ISC)² is already considered the gold standard certification in the information security field. It covers an extremely broad range of material and only touches on cloud computing topics.

CISSP holders who wish to focus on cloud security may wish to supplement their existing certification with the CCSP as a specialized credential. The good news is that CISSPs already meet the CCSP’s five-year work experience requirement.

The Certificate of Cloud Security Knowledge (CCSK) certification offered by CSA is more of a foundational certification that focuses on a candidate’s mastery of the CSA’s cloud security guidance and has no work experience requirement.

Earning CCSK can smooth your path to CCSP by checking off a portion of the CCSP professional experience prerequisite. If you’re a practicing information security professional, you are probably better off earning the CCSP credential, either as a stand-alone certification or as a complement to the CISSP.

As enterprises continue to move applications, data and infrastructure to the cloud, they will increasingly require the services of information security professionals skilled in securing cloud computing environments.

Building out your skills in the realm of cloud computing and demonstrating those skills by earning the CCSP credential will position you well to take advantage of this trend and find interesting and lucrative employment opportunities.

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.

[GoCertify]

M&A Due Diligence Must Include Cybersecurity Considerations

Mergers and acquisitions (M&A) are a regular occurrence in the business world. And while we’re all familiar with concept of due diligence when it comes to judging the financial performance of another company, it’s time for enterprises to start applying that same level of scrutiny to the cybersecurity capabilities of a potential acquisition. A thorough review of an acquisition’s security architecture, processes and policies should be a firm requirement for any M&A process.

But where should the cybersecurity due diligence process begin? As a CISO, I recommend that companies start by confirming their acquisition target’s past investments in cybersecurity were made in a manner commensurate with the growth of the company. Ask the following:

  • Have baseline investments been made not just in detection controls but also in more proactive and preventative measures to protect data?
  • Have investments been made in ensuring that Information Security staff are on hand to support the management of risk?
  • Have non-IT employees gone through cybersecurity training?
  • Can acquirers establish with confidence that the company being assessed has not already been breached?

Due diligence should be maintained throughout the entire M&A process, particularly before information about the activity goes public. While I don’t have specific numbers, I think it’s safe to assume that there have been situations in which a hacker or less than scrupulous employee has hacked an enterprise network in search of material information they could exploit for their own financial gain before news of an M&A became public. The fallout of such activity could be extreme, so it’s important that acquirers and those looking to be acquired consider and implement the appropriate cybersecurity controls to ensure proprietary information doesn’t leak.

The constant stream of security breaches in the news has gained the attention of executive leadership and boards of directors, who are now looking to their CSOs/CISOs to minimize their risk exposure when contemplating major business moves like an M&A.

I would encourage my fellow CISOs (or any other executive looking for guidance and recommendations around cybersecurity policy guidance) to visit SecurityRoundtable.org, a community designed to share best practices, use cases and expert advice to help executives better manage cybersecurity risk.

[Palo Alto Networks Research Center]

Dear CISOs and Legal Counsel: We Can’t Wait for the Privacy Regulators

Privacy is constantly in the news these days. Should Apple create a “back door” to unlock a terrorist’s iPhone for the FBI? Should Microsoft provide European citizens’ information stored on servers in Ireland in response to a US subpoena? Should data be allowed to be stored outside of Germany, France, Sweden and Russia for cloud services? Should we store information in the cloud without retaining the keys? Should commerce between the US and EU flow under the proposed replacement for Safe Harbor (Privacy Shield)? Or maybe the question is whether someone should be awarded tens of millions of dollars for having their privacy violated by being filmed naked in a hotel room without their consent, or for having their engagement in a sex tape filmed and released to the Internet?

The Issue is Clear: Why Should Anyone Trust Anyone?
We could leave this issue to privacy officers, internal and external legal counsel, governments, data protection authorities, politicians, regulators, and technology companies to sort out. We could wait for the ultimate answer to solve the privacy question once and for all. And wait. And wait some more. And wait for another review, debate, newsworthy event (such as needing information from another critical terrorist phone). Or wait for the next cloud service to be hacked, exposing photos that violate an individual’s right to privacy.

The reality is we just don’t trust each other—person to person or country to country. The reality is also, we have to trust each other at some level to interact personally or conduct business with each other.

As we grow up, we implicitly trust our parents to protect and lead us in the right direction. We have temporary moments of insanity during the ages of 5-6 and 13-17, where we don’t trust what they are telling us (because we just know better), and our parents all of a sudden get smarter when we turn about 22! In other words, we have temporary moments of disbelief, or a lack of trust in what they are telling us. It is the receiver of the message (in this case the child) that does not believe the sender (parents), even though the sender of the message was telling the truth and had good intentions all along. Trust is earned by delivering a consistent message that matches the real environment.

So what does this have to do with privacy in our organizations? Everything. We are currently in a state where people and governments are challenging the trust model. However, we cannot stop and wait for resolution of this temporary insanity and total lack of trust to figure out how to enable others to trust our assertions.

We Will Lose Valuable Time
We must, as “parents of our own organizational destiny,” continue to refine the controls on our systems and enhance how we protect information privacy. As we promote our message of information protection, those who make the rules will recognize that the organizations performing fundamental security work, building in privacy considerations and protecting rights through followed processes, will be able to be “trusted” and interact with other people and countries.

Privacy is much more than publishing a privacy notice on the company web site or sending out notices. Privacy is an organizational commitment to build trust by securing information and limiting access to accurate information to only those who have a right to it. Security officers are at the core of this issue and must be literate in the language to be effective.

At the 2016 North America CACS conference in New Orleans May 2-4, 2016, Todd Fitzgerald’s “One-Hour Privacy Primer” session will explore privacy concepts every security officer, privacy officer, auditor, lawyer, and governance professional should know:

  • The role of the CISO with respect to Privacy
  • 8 Universal (OECD) privacy principles
  • Global laws impacting privacy
  • Privacy by Design principles
  • Understanding data elements and the language of privacy

Todd Fitzgerald, CISA, CISM, CRISC, CISSP, CIPP/US, CIPP/E, CIPM, PMP, CGEIT, ISO27000, ITILv3f, Global Director Information Security, Grant Thornton International, Ltd.

[ISACA Now Blog]
