Author: Dr. Philip Cao

Earlier this week Symantec released a blog post detailing a new Trojan used by the ‘Duke’ family of malware. Within this blog post, a payload containing a function named ‘forkmeiamfamous’ was mentioned. While performing some research online, Unit 42 was able to identify the following sample, which is being labeled as ‘Trojan.Win32.Seadask’ by a number of anti-virus companies.

MD5	A25EC7749B2DE12C2A86167AFA88A4DD
SHA1	BB71254FBD41855E8E70F05231CE77FEE6F00388
SHA256	3EB86B7B067C296EF53E4857A74E09F12C2B84B666FC130D1F58AEC18BC74B0D
Compile Timestamp	2013-03-23 22:26:55
File type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Our analysis has turned up more technical details and indicators on the malware itself that aren’t mentioned in Symantec’s post. Here are some of our observations:

First Layer of Obfuscation

Once the UPX packer is removed from the malware sample, it becomes quickly apparent that we’re dealing with a sample compiled using PyInstaller. This program allows an individual to write a program using the Python scripting language and convert it into an executable for the Microsoft Windows, Linux, Mac OSX, Solaris, or AIX platform. The following subset of strings that were found within the UPX-unpacked binary confirms our suspicions.

• sys.path.append(r”%s”)
• del sys.path[:]
• import sys
• PYTHONHOME
• PYTHONPATH
• Error in command: %s
• sys.path.append(r”%s?%d”)
• _MEI%d
• INTERNAL ERROR: cannot create temporary directory!
• WARNING: file already exists but should not: %s
• Error creating child process!
• Cannot GetProcAddress for PySys_SetObject
• PySys_SetObject

Because the sample was written in Python originally, we’re able to extract the underlying code. A tool such as ‘PyInstaller Extractor’ can be used to extract the underlying pyc files present within the binary.

Figure 1. Extracted Python files from Seaduke

We can then use a tool such as uncompyle2 to convert the Python byte-code into the original source code. Once this process is completed, we quickly realize that the underlying Python code has been obfuscated.

Figure 2. Obfuscated Python code

Second Layer of Obfuscation

Tracing through the obfuscated code, we identify an ‘exec(ZxkBDKLakV)’ statement, which will presumably execute some Python code. Tracing further, we discover that this string is generated via appending a number of strings to the ‘ZxkBDKLakV’ variable. Finally, we find that after this string is created, it is base64-decoded and subsequently decompressed using the ZLIB library.

Figure 3. Second layer of obfuscation identified

The following simple Python code can be used to circumvent this layer of obfuscation:

The remaining Python code still appears to be obfuscated, however, overall functionality can be identified.

Final Payload

As we can see below, almost all variable names and class names have been obfuscated using long unique strings.

Figure 4. Obfuscation discovered in final payload

Using a little brainpower and search/replace, we can begin identifying and renaming functionality within the malware. A cleaned up copy of this code can be found on GitHub. One of the first things we notice is a large blob of base64-encoded data, which is additionally decompressed using ZLIB. Once we decode and decompress this data, we are rewarded with a JSON object containing configuration data for this malware:

Figure 5. Base64-encoded / ZLIB compressed data

This configuration object provides a number of clues and indicators about the malware itself. After this data is identified, we begin tracing execution of the malware from the beginning. When the malware is initially run, it will determine on which operating system it is running. Should it be running on a non-Windows system, we see a call to the infamous ‘forkmeiamfamous’ method. This method is responsible for configuring a number of Unix-specific settings, and forking the process.

Figure 6. Main execution of malware

Continuing along, we discover that this malware has the ability to persist using one of the following techniques:

1. Persistence via PowerShell
2. Persistence via the Run registry key
3. Persistence via a .lnk file stored in the Startup directory

The malware copies itself to a file name referenced in the JSON configuration.

Figure 7. Persistence techniques

After the malware installs itself, it begins making network requests. All network communications are performed over HTTP for this particular sample; however, it appears to support HTTPS as well. When the malware makes the initial outbound connection, a specific Cookie value is used.

Figure 8. Initial HTTP request made

In actuality, this Cookie value contains encrypted data. The base64-encoded data is parsed from the Cookie value (padding is added as necessary).

EBJhZTlKiqN8nYWejKh7UpDycPlcrGMEcTE=

The resulting decoded data is shown below.

\x10\x12ae9J\x8a\xa3|\x9d\x85\x9e\x8c\xa8{R\x90\xf2p\xf9\\\xacc\x04q1

The underlying data has the following characteristics.

Figure 9. Cookie data structure

XORing the first single character against the second character identifies the length of the random string. Using the above example, we get the following.

First Character  : ‘\x10′
Second Character : ‘\x12′
String Length (16 ^ 18) : 2
Random String    : ‘ae’
Encrypted Data   : ‘9J\x8a\xa3|\x9d\x85\x9e\x8c\xa8{R\x90\xf2p\xf9\\\xacc\x04q1′

Finally, the encrypted data is encrypted using the RC4 algorithm. The key is generated by concatenating the previously used random string with the new one, and taking the SHA1 hash of this data.

This same key is used to decrypt any response data provided by the server. The server attempts to mimic a HTML page and provides base64-encoded data within the response, as shown below.

Figure 10. Server response

Data found within tags in the HTML response is joined together and the white space is removed. This data is then base64-decoded with additional characters (‘-_’) prior to being decrypted via RC4 using the previously discussed key. After decryption occurs, the previous random string used in key generation is updated with the random string. In doing so, the attackers have ensured that no individual HTTP session can be decrypted without seeing the previous session. If the decrypted data does not produce proper JSON data, Seaduke will discard it and enter a sleep cycle.

Otherwise, this JSON data will be parsed for commands. The following commands have been identified in Seaduke.

Command	Description
cd	Change working directory to one specified
pwd	Return present working directory
cdt	Change working directory to %TEMP%
autoload	Install malware in specified location
migrate	Migrate processes
clone_time	Clone file timestamp information
download	Download file
execw	Execute command
get	Get information about a file
upload	Upload file to specified URL
b64encode	Base64-encode file data and return result
eval	Execute Python code
set_update_interval	Update sleep timer between main network requests
self_exit	Terminate malware
seppuku	Terminate and uninstall malware

In order for the ‘self_exit’ or ‘seppuku’ commands to properly execute, the attackers must supply a secondary argument of ‘YESIAMSURE’.

Conclusion

Overall, Seaduke is quite sophisticated. While written in Python, the malware employs a number of interesting techniques for encrypting data over the network and persisting on the victim machine. WildFire customers are protected against this threat. Additionally, Palo Alto Networks properly categorizes the URL used by Seaduke as malicious.

Josh Grunzweig

[Palo Alto Networks Blog]

Enterprises, governments and service providers are struggling to secure their networks against a growing number of sophisticated attacks. A multitude of security functions such as IPS, DLP, AV, URL filtering, strung across corporate networks and on endpoints (including mobile devices) is the traditional approach. But in practice, this isn’t an integrated strategy – this is a conga line of security deployments that are nearly impossible to manage, unable to communicate with each other and, let’s be honest, creating a growing number of security holes as a result of complexity.

Let’s look at why this is so and why other consolidative approaches, such as unified threat management (UTM), aren’t solving the core problem.

The security holes mentioned above are a direct result of disparate security technologies not communicating with each other, multiple security rule bases, lots of manual management, and other management challenges.

These conga lines form from reactive security thinking. Stop me if you’ve heard any of these before:

• “The most common ports used in our company are the following – let’s block the other ports with a firewall.”
• “Web-based attacks are most frequent – we should deploy a proxy.”
• “The company next door had a data breach – we need a DLP solution.”

Security deployed this way is not only incredibly difficult to manage and maintain with multiple security rule-bases, but also creates enormous strains on network resources because every individual deployment conducts its analysis without sharing information with another. It is very hard to reconcile policies to find security holes that may be present in the network – but it’s these holes that are leaving organizations open to attack.

What we commonly think of as “unified threat management,” or UTM, doesn’t solve the problem because UTM is really conga line in disguise. While offering streamlined deployment within a single piece of hardware, the basic concept of the technology conga line still holds true with the same inefficient in-series analysis of traffic, with individual defenses activated based on needs but without interacting with each other.

Truth be told, today’s and tomorrow’s cybersecurity starts with complete application control regardless of port. Cybercriminals are utilizing applications as the vehicles to infiltrate networks, and once on the network, common applications such as netbios, ftp, webdav are used to steal your data. They also employ port-hopping capabilities, leaving standard, port-based controls found in traditional firewalls useless.

Palo Alto Networks Security Platform provides powerful security by identifying all applications, regardless of port, checking all content contained, and connecting these applications to users by names. These capabilities provide valuable context that can be used to exert more granular control over the network and prevent threat activity.

We determine the application irrespective of port, the content within the application, whether it is malicious or not and the user in a single pass, eliminating the need for the conga-line approach to security, whether UTM or not. Technologies can learn from each other due to the close integration, enabling more powerful, granular control over the entire network.

The fact that all of this can be done with a single security rule base further reduces policy complexity and the risk for errors (holes) in that security rule base. Palo Alto Networks allows you to strike an appropriate balance between blocking all traffic and allowing all traffic with firewall policies that use business-relevant elements, described above, as a more meaningful way to control network access and grow your business. You can build firewall policies that are based on application/application feature, users and groups, and content, as opposed to port, protocol and IP address.

Learn more about Palo Alto Networks next-generation security platform and our single pass architecture here.

Joerg Sieber

[Palo Alto Networks Blog]

Security is one of the most critical considerations for cloud computing, regardless of whether the deployment is public or private. We recently teamed up with the Cloud Security Alliance (CSA) to offer “Security Considerations for Private vs. Public Clouds,” a whitepaper covering important topics for securing cloud infrastructure, including:

• Contracts and service level agreements
• Roles and responsibilities
• Compliance and auditing
• Physical and virtual attack surface considerations
• Operational challenges, including data migration, logging, monitoring, incident management and recovery
• Change management

Download the whitepaper here. Learn more about the Palo Alto Networks Security Platform, including solutions for VMware, Amazon Web Services, Citrix and KVM environments, on ourpublic cloud and private cloud resources pages.

[Palo Alto Networks Blog]

The U.S. Food & Drug Administration (FDA) is responsible for the oversight of food and medical products sold in the United States. As such, when it finds previously unknown safety concerns, the FDA takes measures to let the public know. Perusing the list of safety communications issued by the FDA, one typically sees product recalls on a range of issues, such as improper labelling, lack of FDA approvals, and manufacturing defects.

On May 13, 2015, the FDA issued a safety communication of a different sort. Vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems: FDA Safety Communicationidentified a medical device that is responsible for the delivery of anesthetic or therapeutic drugs as being vulnerable to reprogramming by an unauthorized third party. There are a number of attack vectors present, as outlined in ISCA-15-125-01B, with the most serious error being an open telnet port on TCP/23. As if telnet itself wasn’t already inherently insecure (which it is), the issue with this particular device is that it provides unauthenticated users with root privileges. Other flags include exploitable vulnerabilities, unprotected keys, cleartext credential storage, and hardcoded accounts.

The Internet of Things introduces a number of challenges for product manufacturers. Many are being pressured to develop network interfaces to their products; doing so greatly simplifies connectivity by doing away with the slew of custom connectors and protocols that litter the market. But these products are not necessarily being developed with security in mind. Many are embedding network stacks into the firmware of their products with poorly implemented security features and packages with unpatched vulnerabilities.

The users of such products face an entirely different challenge. Most end users are not in a position to closely scrutinize how exploitable every device on their network is. Even after running a port scan to look for the open ports, most security teams aren’t staffed to test for vulnerabilities on every device that shows up on their network.

If one cannot trust the security of the device (and by default, one never should), steps must be taken to minimize exposure to risk through other means. That’s why network segmentation is a critical measure to make sure that unnecessary levels of access to applications and networks are not permitted.

At the most basic level, network segmentation can greatly reduce the attack surface area. As a general rule, separating the medical device network from the LAN is a forgone conclusion, but one that many organizations may overlook. That’s because traditional network segmentation with port-based firewalls is often messy work. Setting up the VLANs is the easy part, but the ineffective port-based policy is not capable of scrutinizing what’s happening in application traffic. Modifying the policy every time there’s a change in the segmentation is a nightmare, and ultimately drives many organizations back to a flat network.

If you think about it, network segmentation itself is not all that useful if it’s not doing a good job controlling traffic that passes from one segment to another. That’s what makes the Palo Alto Networks Next-Generation Firewall particularly well suited for this purpose, for it uses applications tied to users and groups to define policy of the traffic passing from one network segment to another. In addition, the use of threat prevention to stop exploits and known/unknown malware establishes protection to stop malicious traffic.

Network segmentation is but one part of a strategy to deal with the Internet of Things using the Palo Alto Networks Security Platform. Through the adoption of additional layers of security, including endpoint protection and the use of global threat intelligence, your security team can build a network that is capable of adopting network connected devices by leveraging prevention measures to reduce risk. Learn more about the platform here.

Brian Tokuyoshi

[Palo Alto Networks Blog]