Monday, March 3, 2014

Citadel : The Banking Trojan for Cyber Attacks on Banks

Citadel : The Banking Trojan wanna buy one ..

Citadel is a banking trojan based on the Zeus source code. A few months after the Zeus source code was leaked, a threat actor using the moniker "AquaBox" was observed on a Russian-language eCrime forum offering Citadel 1.1, a new derivative of Zeus malware. Citadel retained basic Zeus functionality but added modifications to improve the functionality and security of this banking trojan.
Citadel developed a community of customers and contributors around the globe that suggested new features and contributed code and modules as part of an ad hoc criminal social network. Capabilities included AES encryption of configuration files and communications with the C2 server, an ability to evade tracking sites, the capacity to block access to security sites on victims' systems, and the ability to record videos of victims' activities. The network of Citadel contributors continued adding innovative features to the trojan, making it more adaptive and faster, until the trojan became ubiquitous and criminals began using it for all types of credential theft.
The Citadel toolkit is made up of three parts: a builder, the actual trojan, and a C2 web panel. The builder allows the attacker to edit and compile the configuration file and to build the actual trojan that is delivered to victims' systems. The trojan modifies the compromised computers and steals information. The C2 server monitors and controls the trojan and stores all stolen data.
Citadel infects computers through many different methods. The attackers behind the Citadel trojan have made concerted efforts to spread Citadel using spam campaigns and drive-by download attacks using different exploit kits. Table 5 shows the statistics for the Citadel samples and configurations analyzed in 2013.

ATTRIBUTE           | COUNT
--------------------+---------------------------------
C2 servers          | 905
Configuration files | 2,296
Samples             | 21,716
Encryption keys     | 311
Versions            | 5
Targets             | 1,170 (unique); 137,000 (total)

Table 5. Citadel samples and configuration files analyzed in 2013.
Architecture
Citadel's C2 design is simple. Each trojan is programmed to connect to one or more C2 servers. Attackers can dynamically update the C2 server options from a configuration file. Cybercriminals may rent individual servers to orchestrate their banking campaigns.
The Citadel trojan running on an infected system has two primary functions:
  • Passive function: automatically executed on the infected system through application programming interface (API) hooking. The hooked code embedded in network and other APIs performs the following tasks:
    • HTTP session redirection
    • Web injections (MITB attack)
    • FTP credential theft
    • POP3 credential theft
    • Flash files control
    • Keystroke logging
    • Screen capture
    • Video recording of activities
  • Active function: executed upon receipt of a command from the C2 server. Citadel supports the following commands, organized by category:
    • OS — shutdown, reboot
    • FS — search, download, upload
    • Bot — install, uninstall, add, remove, httpinject enable/disable
    • User — logoff, url_block, certs_get, homepage_set, execute, destroy
    • DDoS — start, stop
    • Module — execute enable/disable, download enable/disable
    • Info — system info
Webinject module
Citadel introduced a new feature called "dynamic webinjection." This feature is implemented through an entry in the configuration file and a command issued to the bot from the C2 server. The new dynamic webinject feature is triggered by a command called "webinjects_update", which takes two arguments. A typical command uses the following syntax:
               webinjects_update dual "webinjects/new.js"
The first option can be "dual," "single," or "disabled," and the second option is a file path. "Dual" indicates that this webinject file should be used in conjunction with existing webinjects contained in the configuration file; "single" instructs the bot to use the listed webinject file instead of the data in the configuration file; and "disabled" turns web injection off. The second argument is the full path to the server file that contains the webinject code.
When the bot receives this command, it issues an HTTP POST request for the specified webinject file. The C2 server replies with the relevant file. The request and the reply are formatted and scrambled using the AES+RC4 encryption scheme.
Citadel has emerged as a popular choice in the underground economy for use in financial fraud. Its improved feature list suggests that the Citadel authors continue to innovate and improve the overall quality of their product by adding functionality that their competitors do not offer. Citadel has allowed attackers to expand their reach and target a larger variety of web browsers. It provides a platform for additional criminal revenue opportunities, such as installation of ransomware.
Improvements
The Citadel authors created a crowdsourced model for feature improvement by allowing customers and prospective users to propose features. Citadel has built upon the base capabilities of Zeus by introducing the following improvements:
  • Google Chrome support — Citadel added support for hooking and monitoring Chrome activity.
  • Revised cryptography — Citadel's encryption routine changed from standard RC4 to 128-bit AES. Citadel also modified the RC4 implementation slightly by adding an XOR operation with the original seed string. This custom RC4 implementation is also used to encrypt stolen data sent to the C2 server.
  • Sandbox detection — Citadel can detect if it is running within a virtualized environment. If so, Citadel alters its behaviour, generating a random "decoy" domain name and URL path for the C2 URL rather than connecting to its typical C2 server.
  • Video capture — The video capture plugin is typically downloaded from the C2 server when the malware connects for the first time. The ability to capture video allows a threat actor to monitor portions of a victim's entire browsing session.
  • Denial of service — Citadel included the capability for infected systems to participate in a distributed denial of service (DDoS) attack against a specified target. The botmaster initiates this command via the Citadel control panel.
  • Automated command execution — Citadel improved Zeus's ability to execute an arbitrary command on an infected system by introducing a series of pre-defined commands.
  • Aggressive DNS filtering — Citadel introduced a capability to alter the domain name resolution to prevent antivirus (AV) and security companies from resolving domain names, block AV software from receiving updates, and prevent victims from visiting AV or other security sites to download removal tools and obtain mitigation advice.
In May 2013, the Citadel 3.1 variant was first identified as introducing the ability to spread via external devices, such as USB, by taking advantage of the "autorun.inf" functionality. It also introduced a "port scan" command and added a new encryption layer for both communication and the configuration file. Compared to the last known Citadel version 1.3.5.1, the encryption scheme was modified slightly with an added XOR layer and a fixed constant value included in the binary and 32 random bytes.
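Added example (not Citadel's own code and not from the original post): a Python model of the modified RC4 routine described under "Revised cryptography" above, standard RC4 followed by an XOR with the original seed string, showing why an analyst's plain RC4 decryptor recovers nothing from data protected this way. The byte-wise cyclic application of the seed and the use of the seed itself as the RC4 key are assumptions made for this illustration; the key and message are constructed.

```python
# Added example: Citadel-style RC4 variant reconstructed from the page's
# description (plain RC4, then XOR with the seed string). The cyclic byte-wise
# seed XOR and "RC4 key == seed" are assumptions, not recovered malware code.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4, the routine the original Zeus code base relied on."""
    ks = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def xor_with_seed(data: bytes, seed: bytes) -> bytes:
    """The extra Citadel layer: XOR every byte with the seed string, cycling."""
    return bytes(b ^ seed[i % len(seed)] for i, b in enumerate(data))


def citadel_rc4(data: bytes, key: bytes, seed: bytes) -> bytes:
    """Citadel-style RC4: RC4 under `key`, then XOR with `seed`.
    Both layers are XOR masks, so the same call encrypts and decrypts."""
    return xor_with_seed(rc4(data, key), seed)


# Constructed sample values for the demonstration (not real Citadel keys).
SEED = b"constructed-login-key"
KEY = SEED  # assumption: the RC4 key is derived from the same seed string
MESSAGE = b"url_config_block: https://example.invalid/cfg.bin"


def demo() -> dict:
    """Show that a plain RC4 decryptor is off by exactly the seed mask."""
    blob = citadel_rc4(MESSAGE, KEY, SEED)
    return {
        "roundtrip_ok": citadel_rc4(blob, KEY, SEED) == MESSAGE,
        # False: the seed layer is still in place after plain RC4
        "plain_rc4_recovers": rc4(blob, KEY) == MESSAGE,
        # True: what plain RC4 returns is MESSAGE XOR the cyclic seed
        "plain_rc4_off_by_seed": rc4(blob, KEY) == xor_with_seed(MESSAGE, SEED),
    }


if __name__ == "__main__":
    print(demo())
```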


Tuesday, February 11, 2014

Cyber Weapon : Duqu

I have been analyzing a malware threat identified as the Duqu trojan. This Trojan horse has received a great deal of attention because it is similar to the infamous Stuxnet worm of 2010. I had put countermeasures in place to detect Duqu C2 traffic, and continue to monitor for new Duqu samples and update protections as needed.
What is Duqu?
The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.
In addition to the RAT, another piece of malware was recovered with Duqu in one instance. This malware is an information stealer designed to log user keystrokes and other information about the infected system. This piece of malware is believed to be related due to programming similarities with the main Duqu executables.
What is the relationship to Stuxnet?
There has been much speculation that Duqu is a new version of Stuxnet or that it was written by the same authors. There are several factors that could influence these speculations:
  • Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Link Library) files. The kernel drivers serve as an "injection" engine to load these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats.
  • Encrypted DLL files are stored using the .PNF extension. This is normally the extension Microsoft Windows uses for precompiled setup information files. The commonality exists due to the kernel driver implementation being similar.
  • The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files. Again, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats.
  • Both Stuxnet and Duqu have variants where the kernel driver file is digitally signed using a software signing certificate. One variant of the Duqu kernel driver was signed by a certificate from C-Media Electronics Incorporation. An unsigned Duqu kernel driver claimed to be a driver from the JMicron Technology Company, which was the same company whose software signing certificate was used to sign one of the Stuxnet kernel driver files. The commonality of a software signing certificate is insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources. One would have to prove the sources are common to draw a definitive conclusion.
Attribute                        | Duqu                                                         | Stuxnet
---------------------------------+--------------------------------------------------------------+--------------------------------------------------------------------
Infection Methods                | Unknown                                                      | USB (Universal Serial Bus); PDF (Portable Document Format)
Dropper Characteristics          | Installs signed kernel drivers to decrypt and load DLL files | Installs signed kernel drivers to decrypt and load DLL files
Zero-days used                   | None yet identified                                          | Four
Command and Control              | HTTP, HTTPS, Custom                                          | HTTP
Self propagation                 | None yet identified                                          | P2P (Peer to Peer) using RPCs (Remote Procedure Call); Network Shares; WinCC Databases (Siemens)
Data exfiltration                | Add-on, keystroke logger for user and system info stealing   | Built-in, used for versioning and updates of the malware
Date triggers to infect or exit  | Uninstalls self after 36 days                                | Hard coded, must be in the following range: 19790509 => 20120624
Interaction with control systems | None                                                         | Highly sophisticated interaction with Siemens SCADA control systems

Table 1. Comparison of Duqu and Stuxnet.
Both Duqu and Stuxnet are highly complex programs with multiple components. All of the similarities from a software point of view are in the "injection" component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.
Does Duqu target industrial control systems?
Unlike Stuxnet, Duqu does not contain specific code that pertains to supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs). Duqu's primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization.
Is there any evidence in the code indicating specific targets?
Duqu facilitates an adversary's ability to gather intelligence from an infected computer and the network. I have not identified any specific market segments, technologies, organizations or countries that are targeted by the Duqu malware.
What are indicators of a Duqu infection?
The Duqu trojan attempts to use the network to communicate with a remote command and control (C2) server to receive instructions and to exfiltrate data. Analysis of Duqu revealed that it uses the 206.183.111.97 IP address as its C2 server. This IP address is located in India and has been shut down by the hosting provider. Also, Duqu may attempt to resolve the kasperskychk.dyndns.org domain name. The resulting IP address is not used for communications, so this lookup may serve as a simple Internet connectivity check. Administrators should monitor their network for systems attempting to resolve this domain or connect to the C2 IP address for possible infection.
Duqu uses multiple protocols to communicate with its C2 server, including standard HTTP on TCP port 80 and a custom protocol on TCP port 443. Some of Duqu's communications that use TCP port 443 do not use the HTTPS protocol. Organizations may be able to monitor egress traffic through proxy servers or web gateways and investigate network traffic that does not conform to the SSL (Secure Sockets Layer) specification. Non-SSL traffic on port 443 is commonly observed with other threats, and this behavior is not exclusive to Duqu.
I am aware of the following files that may be installed by the Duqu trojan. The byproducts in Table 2 have been collected from multiple Duqu variants and would not be present on a single infected computer.

Name                                               | File Size     | MD5
---------------------------------------------------+---------------+---------------------------------
jminet7.sys                                        | 24,960 bytes  | 0eecd17c6c215b358b7b872b74bfd800
netp191.pnf                                        | 232,448 bytes | b4ac366e24204d821376653279cbad86
netp192.pnf                                        | 6,750 bytes   | 94c4ef91dfcd0c53a96fdc387f9f9c35
cmi4432.sys                                        | 29,568 bytes  | 4541e850a228eb69fd0f0e924624b245
cmi4432.pnf                                        | 192,512 bytes | 0a566b1616c8afeef214372b1a0580c7
cmi4464.pnf                                        | 6,750 bytes   | e8d6b4dadb96ddb58775e6c85b10b6cc
<unknown> (sometimes referred to as keylogger.exe) | 85,504 bytes  | 9749d38ae9b9ddd81b50aad679ee87ec
nfred965.sys                                       | 24,960 bytes  | c9a31ea148232b201fe7cb7db5c75f5e
nred961.sys                                        | unknown       | f60968908f03372d586e71d87fe795cd
adpu321.sys                                        | 24,960 bytes  | 3d83b077d32c422d6c7016b5083b9fc2
iaStor451.sys                                      | 24,960 bytes  | bdb562994724a35a1ec5b9e85b8e054f

Table 2. Byproducts of Duqu.
The name "Duqu" was assigned to this malware because the keylogger program creates temporary files that begin with the prefix "~DQ". A computer infected with Duqu may have files beginning with "~DQ" in Windows temporary directories.
How do Duqu infections occur?
The mechanism by which Duqu infections occur is unknown. Current analysis of Duqu has not revealed any ability to infect additional systems like the Stuxnet worm could. In addition, all of the Duqu files I have analyzed would likely have been installed by an initial installer or "dropper" malware. None of the original installers have been recovered. The recovery of one of these installers may help provide clues to how Duqu infections occurred.
Is Duqu an advanced persistent threat (APT)?
I don’t identify individual tools as APT. APT is a threat actor or actors targeting an organization for assets of interest. An APT involves planning by the adversary, teams with specialized roles, multiple tools, patience and persistence. While Duqu does provide capabilities used by other tools observed in APT-related intrusions, an assessment of the particular threat requires knowledge of the adversary, targeted organization and assets and the scope of attacks.
Is antivirus and antimalware protection sufficient for detecting Duqu?
Since its discovery, security vendors have worked to improve their ability to detect Duqu. However, the author may simply release newer variants that are no longer detected by antivirus and antimalware products.
What can I do to protect my organization from Duqu?
  • Administrators should use host-based protection measures, including antivirus and antimalware, as part of a holistic security process that includes network-based monitoring and controls, network segmentation and policies, user access, and controls to help mitigate the threat of malware like Duqu.
  • A computer infected with Duqu may have files beginning with "~DQ" in Windows temporary directories.
  • Organizations may want to monitor egress traffic through proxy servers or web gateways and investigate network traffic that does not conform to the SSL (Secure Sockets Layer) specification. Non-SSL traffic on port 443 is commonly observed with other threats, and this behavior is not exclusive to Duqu.
  • Administrators should monitor their network for systems attempting to resolve Duqu-related domains or connect to Duqu C2 IP addresses for possible infection.
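Added example (not part of the original post): a small Python triage over constructed DNS and egress-flow log lines that applies the indicators from the "What are indicators of a Duqu infection?" section and the checklist above: lookups of kasperskychk.dyndns.org, connections to 206.183.111.97, and traffic on TCP port 443 that does not begin like an SSL/TLS record. The log formats, sample lines and internal host addresses are constructed for the illustration; the two indicator values are the ones named in the post.

```python
# Added example: triage of constructed DNS and flow logs for the Duqu network
# indicators the post lists. Log formats and sample lines are made up here.
import re
from typing import Dict, List

DUQU_C2_IP = "206.183.111.97"                   # C2 address named in the post
DUQU_CHECK_DOMAIN = "kasperskychk.dyndns.org"   # connectivity-check lookup

# Constructed DNS resolver log: "<time> <client> <qtype> <qname>"
DNS_LOG = [
    "2011-10-20T09:12:01 10.1.4.22 A www.example.com",
    "2011-10-20T09:12:07 10.1.4.22 A kasperskychk.dyndns.org",
    "2011-10-20T09:13:44 10.1.7.9 A updates.example.net",
]

# Constructed egress flow log: "<time> <client> <dst>:<port> <first 3 bytes sent, hex>"
FLOW_LOG = [
    "2011-10-20T09:12:09 10.1.4.22 206.183.111.97:80 474554",   # "GET": plain HTTP
    "2011-10-20T09:12:10 10.1.4.22 206.183.111.97:443 010203",  # custom protocol on 443
    "2011-10-20T09:13:50 10.1.7.9 198.51.100.20:443 160301",    # TLS handshake record
    "2011-10-20T09:14:02 10.1.9.3 198.51.100.7:443 474554",     # non-SSL on 443, weak signal
]

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) ([0-9a-fA-F]+)$")


def looks_like_tls(first_bytes: bytes) -> bool:
    """True if the data starts like an SSL3/TLS record: content type 0x16
    (handshake), version major 0x03, minor 0..4 (SSL 3.0 through TLS 1.3)."""
    return (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04)


def dns_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Flag clients resolving the Duqu connectivity-check domain."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[3].lower() == DUQU_CHECK_DOMAIN:
            alerts.append({"client": parts[1], "reason": "duqu-check-domain", "line": line})
    return alerts


def flow_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Flag connections to the known C2 address and non-SSL traffic on 443.
    The second is a weak signal on its own: the post notes other threats do it too."""
    alerts = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        _, client, dst, port, prefix = m.groups()
        if dst == DUQU_C2_IP:
            alerts.append({"client": client, "reason": "duqu-c2-ip", "line": line})
        if port == "443" and not looks_like_tls(bytes.fromhex(prefix)):
            alerts.append({"client": client, "reason": "non-ssl-on-443", "line": line})
    return alerts


def suspect_hosts(dns: List[str], flows: List[str]) -> Dict[str, List[str]]:
    """Merge both sources into a per-host list of distinct reasons, DNS first."""
    hosts: Dict[str, List[str]] = {}
    for a in dns_alerts(dns) + flow_alerts(flows):
        reasons = hosts.setdefault(a["client"], [])
        if a["reason"] not in reasons:
            reasons.append(a["reason"])
    return hosts


if __name__ == "__main__":
    for host, reasons in suspect_hosts(DNS_LOG, FLOW_LOG).items():
        print(host, reasons)
```

A host that trips the strong indicators (the check-domain lookup or the C2 address) is the one to isolate first; a lone non-SSL-on-443 hit deserves a look but is not by itself evidence of Duqu.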


Cyber Security Strategy with focus on DDoS & APT’s


Evaluate Your Cyber Security Strategy with focus on DDoS & APT’s
The Cyber Law Consulting Team (CLC) has observed cyber threats becoming more advanced as hackers seek new ways to breach information security or disrupt operations. Distributed Denial of Service (DDoS) attacks and Advanced Persistent Threats (APTs) are a big concern. Organizations must evaluate and develop their IT security controls to protect themselves from these sophisticated and unpredictable cyber-attacks.
DDoS Attacks and DoS Attacks
In a Denial of Service attack, hackers try to disrupt a website, network or machine. The goal may be solely to prevent people from connecting to the website that is being attacked, but a Distributed Denial of Service (DDoS) attack is often used to distract a business so attackers can conduct other attacks behind the scenes while the business is focused on getting its website back up. Many times, hackers conduct a DDoS test-run on an organization to see whether it is susceptible to DDoS attacks. If the hackers discover they can take down the targeted website, the hackers then return to launch a full-scale DDoS attack that could take a site down for days or weeks. Often DDoS attacks coincide with other malicious activity. For example, in the banking industry attackers may send a DDoS attack to a bank. Once the website is down and the IT team is working to get it back up and running, the cyber attackers are making unauthorized wire transfers from banking customer accounts into the attackers’ accounts overseas.
The CLC team has seen many DDoS attacks using DNS amplification techniques. This occurs when a botnet is not large enough to launch an effective cyber-attack, so botnets send out a relatively small amount of traffic to other computers that in turn send more traffic toward the actual target. For the victim, such attacks can saturate networks very easily and cripple Web servers so they can’t function. In order to combat DDoS attacks, an organization must understand how exposed it is to an attack and how well it can respond to thwart an attack. A CLC Denial-of-Service Preparedness Assessment will pinpoint how prepared an organization is to mitigate a DDoS attack.
Advanced Persistent Threats (APTs)
APT: Advanced, Persistent, Threat. An Advanced Persistent Threat refers to a group that persistently attacks a target in order to obtain an objective, which could be to obtain information or to hinder the target’s activity. Organizations should discover how well protected they are from a persistent and dedicated attacker, or cyber threat actor, who wants something from it. Consider what attackers might want such as intellectual property, commercial information, personal data and customer data. Consider the IT security controls you need to protect such data. APTs are a big threat to an organization’s intellectual property, financial assets and reputation.
CLC constantly monitors cyber threats and sees millions of information security events worldwide every day. Although malware attackers have become more sophisticated, there are several steps organizations can take to defend themselves, detect attacks and respond fully. Tactics for preparing a security strategy include the following:
  • Complete thorough staff training: educate the end user
  • Regularly assess preparedness for cyber-attacks
  • Look at what is “usual” security activity so it’s easier to spot “unusual” activity
  • Create an incident response plan just in case the worst situation happens
It’s important to frequently reassess information security strategies in light of DDoS attacks and Advanced Persistent Threats (APTs) to build expertise and implement robust defense strategies. Contact a Cyber Law Consulting consultant.

WordPress Blogging Site Vulnerabilities

WordPress Vulnerabilities
WordPress is an open-source blogging platform and content management system (CMS). Since its inception in 2003, WordPress has become widely used and is very active. It is made up of more than 200,000 lines of code (written mostly in the PHP scripting language) and is used by more than 64 million websites on the Internet. Although WordPress is considered a mature platform, regular updates address serious security vulnerabilities that may be used by an attacker targeting a WordPress site.
WordPress vulnerabilities are even more of a threat when combined with recent large-scale brute-force attacks targeting WordPress websites. These threats are important considerations if you host a website on wordpress.com or use the platform on a different host. If you use WordPress, have you taken steps to secure your installation? Basic security precautions, a strong password policy, and a regular update schedule can have multiple benefits:
  • Helps ensure your system isn’t compromised.
  • Minimizes damage if a compromise does occur.
  • Prevents your server from becoming part of a botnet used to launch further scans or attacks.
Vulnerabilities may be in WordPress core and plugins
Attackers commonly abuse third-party WordPress plugins containing vulnerabilities, as they may introduce additional security flaws into a WordPress installation. During the last weeks of April 2013, vulnerabilities affecting the WP Super Cache and W3TC WordPress plugins (related to caching and website optimization) gained attention. Successful exploitation of these critical flaws may allow an attacker to execute arbitrary PHP code on a vulnerable system. Updated versions of both plugins have been released and should be applied as soon as possible. Users should vet WordPress plugins carefully, and completely remove unwanted or unnecessary plugins.
Several exploits targeting WordPress are also included in the Metasploit exploitation framework. The existence of these exploit modules makes it easier for an unskilled attacker to launch attacks and underscores the importance of keeping WordPress up to date. Even without the use of plugins, the WordPress core has suffered from serious vulnerabilities. The following security vulnerabilities have been addressed by recent WordPress updates:
WordPress 3.5.1:
  • Server-side request forgery (SSRF) and remote port scanning via pingbacks.
  • Cross-site scripting (XSS) via shortcodes and post content.
  • Cross-site scripting (XSS) in the external library Plupload.
WordPress 3.4.2:
  • Fix unfiltered HTML capabilities in multisite.
  • Fix possible privilege escalation in the Atom Publishing Protocol endpoint.
  • Allow operations on network plugins only through the network admin.
  • Hardening: Simplify error messages when uploads fail.
  • Hardening: Validate a parameter passed to wp_get_object_terms().
WordPress 3.4.1:
  • Privilege Escalation/XSS. Critical. Administrators and editors in multisite were accidentally allowed to use unfiltered_html for 3.4.0.
  • CSRF. Additional CSRF protection in the customizer.
  • Information Disclosure: Disclosure of post contents to authors and contributors (such as private or draft posts).
  • Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information.
  • Hardening: Require a child theme to be activated with its intended parent only.
WordPress 3.3.3:
  • Cross-Site Scripting: Fix persistent XSS via editable slug fields. (Also fixed in 3.4.0.)
  • Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information. (Also fixed in 3.4.1.)
  • Hardening: Require a child theme to be activated with its intended parent only. (Also fixed in 3.4.1.)
  • Information Disclosure: Restrict some post IDs when dealing with media uploading, which could leak some info (or attach media to a post the user doesn’t have privileges to). (Also fixed in 3.4.0.)
  • Information Disclosure: Hide post excerpts when the user cannot read the whole post (e.g., a contributor can’t read someone else’s draft beyond the title). (Also fixed in 3.4.0.)
  • XSS Hardening: Escape the output of get_pagenum_link(). Note that this function was previously considered to have returned unescaped data, so this was not a vulnerability, but an enhancement. (Also fixed in 3.4.0.)
  • CSRF Hardening: Prevent unfiltered HTML in comments when there is potential for clickjacking (i.e., when the front-end of the site is loaded in a frame). (Also fixed in 3.4.0.)
WordPress 3.3.2:
  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
  • Cross-site scripting vulnerability when making URLs clickable.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.
WordPress 3.3.1:
  • Cross-site scripting (XSS).
To limit exposure to attacks, updated versions of WordPress should be tested and deployed as soon as possible. Without additional security controls, unpatched flaws may affect any WordPress site, regardless of which plugins may be installed.
Updating is important
A major WordPress version update is usually available every six months. Third-party plugins may be updated at any time. WordPress has the option to update itself automatically, but this functionality may not always work. It may fail for a variety of reasons, such as plugin or database issues. Many organizations opt-out of automatic updates and manually deploy updated versions to perform additional testing. This patch and update schedule is virtually continuous and difficult to maintain, but it is necessary to maintain an acceptable level of security.
Brute-force attacks
In April 2013, a large brute-force campaign targeting WordPress websites was observed. It is reported that a botnet consisting of more than 90,000 servers is being used to scan the Internet for WordPress websites and is attempting to log in to the Administrator’s account using a list of commonly used passwords. Servers using simple passwords such as “123456” or “qwerty” would quickly fall victim to this attack. If an attacker successfully logs in, a backdoor is installed for future use. Compromised websites may then be used for other activities, such as scanning for more WordPress sites and participating in distributed denial of service (DDoS) attacks.
To protect against brute force attacks, use long passwords that include a combination of uppercase and lowercase characters as well as symbols (#$%^&@), and rename the Administrator’s account to something other than “admin”. By default, WordPress does not limit incorrect logins, which allows an attacker to make a large number of attempts in rapid succession. This ability increases the odds that an attacker will correctly guess the password. Several WordPress plugins limit the number of login attempts, but plugins themselves generally increase the attack surface an attacker has at his or her disposal, and may inadvertently allow access via other means.
WordPress users should follow the steps outlined in the Hardening WordPress guide for additional protections. Securing access to /wp-admin/ (Administrator’s login area), using alternate database prefixes, securing wp-config.php and disabling file editing are recommended to mitigate effects of a potential attack.
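Added example (not from the post and not WordPress's own code): a Python detector for the login brute-force pattern described above, run over constructed access log lines in the common combined format. It assumes WordPress's usual behaviour of answering a failed POST to wp-login.php with a 200 (the form is re-rendered) and a successful one with a 302 redirect, so a burst of 200s followed by a 302 from the same client is the case to escalate; client addresses, timestamps and the thresholds are constructed for the illustration.

```python
# Added example: flag wp-login.php brute-force bursts in combined-format
# access logs. Assumes failed login -> 200, successful login -> 302.
# Sample lines, addresses and thresholds are constructed.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 60   # sliding window over which attempts are counted
THRESHOLD = 5         # POSTs to wp-login.php inside one window that raise an alert


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?")[0],
        "status": int(m["status"]),
    }


def wp_login_alerts(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Per client IP over the threshold: attempts in its busiest window,
    number of failed (200) attempts, and whether the last POST got a 302."""
    attempts: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["method"] == "POST" and ev["path"].endswith("/wp-login.php"):
            attempts[ev["ip"]].append(ev)
    alerts: Dict[str, Dict[str, object]] = {}
    for ip, evs in attempts.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):            # two-pointer sliding window
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        if best >= THRESHOLD:
            alerts[ip] = {
                "max_attempts_per_window": best,
                "failed": sum(1 for e in evs if e["status"] == 200),
                "likely_success": evs[-1]["status"] == 302,
            }
    return alerts


def mk(ip: str, t: str, status: int, path: str = "/wp-login.php",
       method: str = "POST") -> str:
    """Build a constructed combined-format log line."""
    return (f'{ip} - - [{t}] "{method} {path} HTTP/1.1" {status} 1234 '
            '"-" "Mozilla/5.0"')


# Constructed sample: one client hammering the login form, one normal visitor.
ACCESS_LOG = [mk("203.0.113.5", f"14/Apr/2013:03:10:{s:02d} +0000", 200)
              for s in range(0, 40, 5)] + [
    mk("203.0.113.5", "14/Apr/2013:03:10:45 +0000", 302),
    mk("198.51.100.8", "14/Apr/2013:03:11:02 +0000", 200, "/index.php", "GET"),
    mk("198.51.100.8", "14/Apr/2013:03:11:30 +0000", 302),
]

if __name__ == "__main__":
    for ip, info in wp_login_alerts(ACCESS_LOG).items():
        print(ip, info)
```

A client that crosses the threshold and then receives a 302 is the account-takeover case: reset that account's password and look for the backdoor the post describes rather than only blocking the source address.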

Many hosting providers may supply customers with pre-installed versions of WordPress or similar software, which can quickly become outdated. Given the potential for harm in using outdated software, look for WordPress exploits to become more of an issue in the future, especially for shared hosting providers.
