Joe Stewart, Dell SecureWorks’ Director of Malware Research, and the Counter Threat Unit (CTU) research team have long been researching Advanced Persistent Threat (APT) hacking activity. Since different entities may use the term APT differently, it is important to define the term as used in this analysis. According to Stewart, APT is best defined as “cyber-espionage activity targeted at government, industry or activists.”
To date, Stewart and the CTU have catalogued over 60 different families of custom malware involved in APT activity. Stewart and the CTU have developed countermeasures and Threat Intelligence to detect this malware. During this research, Stewart discovered that the hackers using these APT malware families sometimes use a common tool in order to disguise the location of their command-and-control (C2) servers. This tool is known as “HTran”.
HTran is a connection bouncer, sort of like a simplified reverse proxy server. Hackers can install an HTran listener on a host anywhere on the Internet (most often on hacked third-party servers), and bounce incoming connections back to their real C2 server. HTran was authored by “lion”, a well-known Chinese hacker and reported founder of the Honker Union of China (HUC), a patriotic hacking group in the People’s Republic of China (PRC). The name “HTran” actually stands for “HUC Packet Transmit Tool”.
What led Stewart to the discovery of the common use of HTran was an error message that HTran emits to connecting clients whenever the hidden backend C2 server is unreachable. By creating a system to establish regular connections to a list of over 1,000 IP addresses known to the CTU to be associated with APT activity bouncers, Stewart was able to uncover several HTran installations that eventually reported error messages revealing the IP address of the true C2 controllers. While all of the found HTran installations were on computers in the U.S., Europe, Japan and Taiwan, all of the hidden C2 controllers they redirected traffic to were located on just a few networks in the PRC.
Two of the families of malware, where variants were discovered using HTran bouncers, can be directly connected to the RSA Security breach disclosed in March 2011, based on related samples analyzed by Stewart that use C2s from the list disclosed in the CERT bulletin “EWIN-11-077”.
All of the detected HTran and hidden C2 IP addresses are listed in the full report, along with information and Snort signatures which can enable other institutions to detect HTran error messages in network traffic and possibly uncover not only latent APT activity, but also the true destination of any data that would be exfiltrated.
I had the opportunity to interview Joe Stewart from Black Hat about HTran.
The research began when Joe focused on APT for a number of reasons. He set out to classify APT activity, to survey the malware environment, and to work out how the APT malware families are related as well as how the infrastructure they share is related. While examining a batch of malware samples related to, but not used in, the RSA attack and looking at their network traffic, he saw a pattern: an error message from HTran saying that it couldn’t bounce. So he wondered how many of these bouncers there are and whether the systems on the other side of the bouncer could be found.
HTran basically gives away the IP address of the hosts that are on the back side. HTran came out in 2000 and is a popular bouncer used widely in hacking, so this is significant because it could lend insight into how to combat HTran.
He has over 6,000 back-end hosts identified and over 60 individual strains of malware isolated as a result of this analysis. After resolving all of the host names he ended up with about 1,000 IP addresses. He started to connect to them every 10 minutes with software he wrote to obtain that error message from the servers. From those 1,000 he ended up with 18 back-end servers.
Joe has written two Snort rules to detect the activity, and this functionality has already been rolled out to SecureWorks customers. The Snort rules were publicly posted on Wednesday, so anyone running an open-source-based IPS can take advantage of this knowledge. Anyone whose network has malware using HTran bouncers could install these rules and spot the traffic in order to protect themselves.
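The probing-and-correlation step described above, as an added example that is not SecureWorks’ or Stewart’s tooling: it assumes a placeholder banner format (“connection to <ip>:<port> error”) in place of the real HTran string, which is in the report and not on this page, and it runs over a constructed probe log rather than live connections.

```python
"""Correlate bouncer probe responses to recover the hidden back-end address.

Constructed example. The error banner format below is an ASSUMED placeholder
("connection to <ip>:<port> error"); the real HTran string and the Snort
signatures are in the SecureWorks report, not on this page.
"""
import ipaddress
import re
from collections import defaultdict

# ASSUMED banner format; swap in the real signature content when deploying.
LEAK_RE = re.compile(rb"connection to (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) error")


def extract_backend(response: bytes):
    """Return the (ip, port) named in a bouncer error banner, or None.

    The address is validated so that junk which merely looks like an
    address (bad octet, out-of-range port) is never recorded as a C2.
    """
    m = LEAK_RE.search(response)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1).decode("ascii"))
    except ValueError:
        return None
    port = int(m.group(2))
    if not 0 < port < 65536:
        return None
    return str(ip), port


def correlate(probes):
    """Map each bouncer to the set of back ends it revealed across probes.

    `probes` is an iterable of (timestamp, bouncer_ip, response_bytes), the
    kind of record a poller writes when it reconnects on a fixed schedule.
    Probes made while the back end was reachable carry no banner and are
    simply skipped; repeated banners collapse into one entry.
    """
    seen = defaultdict(set)
    for _ts, bouncer, response in probes:
        backend = extract_backend(response)
        if backend is not None:
            seen[bouncer].add(backend)
    return dict(seen)


def hidden_controllers(probes):
    """Distinct back-end addresses: the list a defender would block or hunt."""
    return sorted({b for backends in correlate(probes).values() for b in backends})


# Constructed probe log: three bouncers (TEST-NET addresses) polled every
# 10 minutes. Only probes that hit an unreachable back end leak anything.
SAMPLE_PROBES = [
    ("10:00", "192.0.2.10", b""),                                              # back end up
    ("10:10", "192.0.2.10", b"connection to 203.0.113.5:443 error\r\n"),       # leak
    ("10:20", "192.0.2.10", b"connection to 203.0.113.5:443 error\r\n"),       # repeat
    ("10:00", "192.0.2.20", b"\x16\x03\x01\x00\x2f"),                          # binary data
    ("10:10", "192.0.2.20", b"\x00\x01connection to 203.0.113.7:8080 error"),  # mid-stream
    ("10:00", "192.0.2.30", b"connection to 999.1.1.1:80 error"),              # bad octet
    ("10:10", "192.0.2.30", b"connection to 203.0.113.5:70000 error"),         # bad port
]

if __name__ == "__main__":
    for bouncer, backends in sorted(correlate(SAMPLE_PROBES).items()):
        print(bouncer, "->", sorted(backends))
    print("hidden controllers:", hidden_controllers(SAMPLE_PROBES))
```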
The research is available in full.
CAMBRIDGE, Mass.– The APWG reports in the H2 2010 Phishing Activity Trends Report this month that the development of crimeware surged in the half-year period ending in December, 2010 with one data contributor registering more than 10 million new malware samples in the period, while other analysts describe important shifts in approaches to crimeware deployment by cybercrime gangs.
Cybercriminals repurpose base code of existing crimeware using polymorphic techniques to craft new variations of crimeware to evade detection by filters reliant on fingerprints of known crimeware. In H2, 2010, however, cybercriminals’ crimeware development efforts were more than redoubled with PandaLabs reporting 10,425,663 new malware samples being registered in that period – some 17 percent of all samples the company has recorded since 1990.
Luis Corrons, PandaLabs Technical Director and Trends Report contributing analyst, said, “Fifty-five percent of the new samples created in the 2nd half of 2010 were Trojans, the favorite weapon used by cybercriminals to infect consumers’ computers.”
Trojans, deployed as desktop crimeware, infect a user’s computer with undetectable malware, designed specifically to allow cybercriminals to break into the online bank accounts of consumers and businesses and then initiate fraudulent funds transfers or enter bogus bill payment instructions.
Patrik Runald, Senior Manager, Security Research for Websense and Trends Report contributing analyst said his laboratory noticed a shift toward a binary weapons approach to infecting PCs with crimeware, assembling the final crimeware code from several components that arrive through different mechanisms and at different times.
Runald said, “During the second half of 2010 we saw a small drop, percentage-wise, in malware aimed specifically at stealing data but an increase in the total amount of samples compared to the first half of 2010. Downloaders are used in many of these cases and the end goal is still to steal data – but using several components instead of including this functionality in the main component.”
Ihab Shraim, chief security officer and vice president, network and systems engineering, MarkMonitor and Trends Report contributing analyst said, “The second half of 2010 saw a 6 percent drop in total phishing attacks from the first half. However, the number of brands targeted went up by over 7 percent and there was an increase of almost 6 percent in unique Brand-Domain pairs. This data suggests that phishers are utilizing more targeted tactics in order to achieve a better ROI on their phishing campaigns.”
Indeed, while measurements for conventional social engineering-based phishing show some slowing of growth during the half, reports of hyper-focused phishing attacks on key personnel have been increasing since H2 2010, and have continued growing through early 2011, indicating a larger shift in tactics by established cybercrime gangs. Though difficult to count automatically, reports of these so-called “spear-phishing” schemes have been increasing in frequency over the past year – and continue to grow.
Dave Jevans, APWG chairman and Trends Report contributing analyst said, “In the latter months of 2010 we have seen an increase in spear-phishing, where individuals inside companies and government agencies are targeted by criminals who send individualized fake emails to their victims, often with crimeware payloads. These emails usually evade spam and anti-virus filters, and are very effective at infecting a user’s computer.
“There are an increasing number of reports where spear-phishing is used as part of a sophisticated attack to gain access into a corporation’s network by infecting a targeted employee’s computer. This trend is accelerating in 2011, and is responsible for many high profile corporate data breaches,” Jevans said.
The full text of the report is available here: http://www.apwg.org/reports/apwg_report_h2_2010.pdf
Other highlights of the report include:
● Unique phishing reports submitted to APWG in H2, 2010 steadily decreased over the half, after reaching a previous high for 2010 in June with 33,617
● Unique phishing websites detected by APWG during H2, 2010 saw a fluctuation of more than 5,000 sites month to month within the half-year period
● The high number of unique brand-domain pairs, 16,767 in November, was down nearly 32 percent from the record of 24,438 in August, 2009
● The number of phished brands reached a high of 335 in September during the half, a decrease of 6 percent from the all-time high of 356 in October, 2009
● Financial Services returned to being the most targeted industry sector in the 3rd and 4th quarters of 2010
● Sweden jumped to the top of countries hosting phishing sites reported during Q3, 2010 with 83.12% of all hosting sites reported in August
● The top 10 most prevalent families of fake anti-virus software are responsible for more than 59 percent of rogueware infections
About the APWG
The APWG, founded in 2003 as the Anti-Phishing Working Group, is a global industry, law enforcement, and government coalition focused on unifying the global response to electronic crime. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community, solutions providers, multi-lateral treaty organizations, research centers, trade associations and government agencies. There are more than 2,000 companies, government agencies and NGOs participating in the APWG worldwide. The APWG’s Web www.apwg.org site offers the public and industry information about phishing and email fraud, including identification and promotion of pragmatic technical solutions that provide immediate protection. The APWG is co-founder and co-manager of the Stop. Think. Connect. Messaging Convention, the global online safety public awareness collaborative www.stopthinkconnect.org and sponsor of the eCrime Researchers Summit, the world’s only peer-reviewed research conference dedicated specifically to electronic crime studies www.ecrimeresearch.org.
APWG’s corporate sponsors are as follows: AT&T(T), Able NV, Afilias Ltd., AhnLab, AVG Technologies, BillMeLater, BBN Technologies, Booz Allen Hamilton, Blue Coat, BlueStreak, BrandMail, BrandProtect, Bsecure Technologies, Check Point Software Technologies, Cisco (CSCO), Clear Search, Cloudmark, Cyveillance, DigiCert, DigitalEnvoy, DigitalResolve, Digital River, Easy Solutions, eBay/PayPal (EBAY), eCert, Entrust (ENTU), eEye, ESET, Fortinet, FraudWatch International, FrontPorch, F-Secure, Goodmail Systems, GlobalSign, GoDaddy, Goodmail Systems, GroupIB, GuardID Systems, Hauri, HomeAway, Huawei Symantec, IronPort, HitachiJoHo, ING Bank, Iconix, Internet Identity, Internet Security Systems, Intuit, IOvation, IronPort, IS3, IT Matrix, Kaspersky Labs, Kindsight, Lenos Software, LightSpeed Systems, MailFrontier, MailShell, MarkMonitor, M86Security, McAfee (MFE), MasterCard, MessageLevel, Microsoft (MSFT), MicroWorld, Mirapoint, MySpace (NWS), MyPW, MX Logic, NameProtect, National Australia Bank (ASX: NAB), Netcraft, NetStar, Network Solutions, NeuStar, Nominum, Panda Software, Phoenix Technologies Inc. (PTEC), Phishme.com, Phorm, Planty.net, Prevx, The Planet, SIDN, SalesForce, Radialpoint, RSA Security (EMC), RuleSpace, SecureBrain, Secure Computing (SCUR), S21sec, SIDN, SoftForum, SoftLayer, SoftSecurity, SOPHOS, SquareTrade, SurfControl, SunTrust, Symantec (SYMC), Tagged, TDS Telecom, Telefonica (TEF), TransCreditBank, Trend Micro (TMIC), Tricerion, TriCipher, TrustedID, Tumbleweed Communications (TMWD), Vasco (VDSI), VeriSign (VRSN), Visa, Wal-Mart (WMT), Websense Inc. (WBSN) and Yahoo! (YHOO), zvelo and ZYNGA.
MOUNTAIN VIEW, Calif. – July 6, 2011 – Symantec Corp. (Nasdaq: SYMC) today announced the availability of Symantec Endpoint Protection 12 as well as results from independent tests demonstrating that the product outperforms the competition in both virtual and physical environments, providing unrivaled protection and blazingly fast performance. According to Symantec’s Internet Security Threat Report, attackers unleashed more than 286 million distinct malicious programs in 2010, creating a challenge for traditional signature-based security solutions that can’t keep up with this volume of attacks. Symantec Endpoint Protection 12 and Symantec Endpoint Protection Small Business Edition are now available to combat the sheer volume of sophisticated attacks targeting organizations of all sizes today.
Symantec engaged with a number of well-known third-party testing organizations to benchmark Symantec Endpoint Protection 12 against competing products in the areas of protection and performance. These tests evaluated products in both virtual environments, particularly highly consolidated virtual desktop infrastructure (VDI) environments, as well as physical environments. Recent testing performed by Dennis Labs demonstrates that Symantec Endpoint Protection 12 running in a VDI environment defended against more real-world threats than comparable solutions from McAfee and Trend Micro. In addition, The Tolly Group measured the performance of these solutions in VDI environments, determining that Symantec completes an on-demand scan in about half the time with 49 percent less disk bandwidth when compared to solutions from McAfee and Trend Micro. In addition, Symantec Endpoint Protection required 20 percent less disk bandwidth when performing on-access scanning compared to Trend Micro’s agentless DeepSecurity solution.
In real-world security tests performed by AV-Test.org in physical environments, Symantec protected better than comparable solutions from Kaspersky, McAfee, Microsoft, Sophos and Trend Micro. In recent Passmark Software Performance Benchmarks, Symantec Endpoint Protection 12 performed faster than competing solutions from Kaspersky, McAfee, Microsoft, Sophos and Trend Micro. Passmark conducted the same evaluation for Symantec Endpoint Protection Small Business Edition against comparable solutions from ESET, Kaspersky, McAfee and Trend Micro; again, Symantec received the top performance scores.
Symantec Endpoint Protection 12: To provide unmatched protection against today’s sophisticated threat landscape, Symantec Endpoint Protection 12 uses Insight, Symantec’s award-winning community and cloud-based reputation technology, to detect and block new threats earlier and more accurately than any other corporate security product. Symantec Endpoint Protection 12 also leverages Insight to reduce the overhead of virus scanning by as much as 70 percent by automatically identifying and whitelisting Symantec-trusted high-reputation files, eliminating significant scanning activity from each endpoint. In addition, SONAR, the world’s first hybrid behavioral-reputation engine, monitors running applications for suspicious behaviors to block zero-day and highly targeted threats in real-time. Symantec’s intrusion prevention system (IPS) technology blocks attacks at the network layer, before they can do damage to a computer. Together, these technologies make Symantec Endpoint Protection 12 the fastest, most effective, corporate endpoint security product on the market.
Optimized for performance on virtual systems, Symantec Endpoint Protection 12 can automatically identify and manage virtual machines (VMs). Symantec Endpoint Protection 12 also integrates directly with VMware’s security APIs to scan for malware inside offline VMware images. To alleviate concurrent scans, known as ‘AV Storms,’ from impacting performance in dense virtual environments, Symantec Endpoint Protection 12 whitelists baseline VM images and shares scan results across VMs so that identical files only need to be scanned once across an entire pool. When combined with the scanning elimination from Insight, Symantec Endpoint Protection 12 enables faster, more responsive host systems, which in turn supports greater density of virtual instances, particularly for highly consolidated VDI environments.
Symantec Endpoint Protection Small Business Edition: Symantec Endpoint Protection Small Business Edition employs the same Insight, SONAR and IPS technologies to offer enterprise-class threat detection technologies and performance improvements for small business customers. With simple-to-use features such as an installation wizard, pre-configured policy settings and automated notifications and reports, Symantec Endpoint Protection Small Business Edition meets smaller organizations’ needs with the fastest, most effective anti-malware capabilities in the industry. Small businesses will have peace of mind that their data is safe from cybercriminals, so that they can stay focused on growing their businesses.
Security for Any Size: Symantec provides a broad portfolio of flexible solutions to meet the varying needs of companies of all sizes—from the largest enterprises to small businesses. For mid- to large-sized organizations, Symantec offers Symantec Endpoint Protection 12 for on-premise deployment. Symantec also offers the Symantec Protection Suite Enterprise Edition which includes messaging security and Web security along with backup and recovery capabilities. For smaller organizations, Symantec offers both cloud-based and on-premise solutions with Symantec Endpoint Protection.cloud and Symantec Endpoint Protection Small Business Edition, giving customers flexible deployment options to best meet their business needs. Free trial versions are available:
• Symantec Endpoint Protection 12 Trial
• Symantec Endpoint Protection Small Business Edition Trial
• Symantec Endpoint Protection.cloud Trial
Switch to Symantec: Small and medium organizations currently using a competing endpoint security product may qualify for discounted pricing on Symantec Endpoint Protection 12. Symantec customers with a current maintenance contract are entitled to upgrade to Symantec Endpoint Protection 12 at no additional cost. Symantec Endpoint Protection 12 and Symantec Endpoint Protection Small Business Edition are now available for purchase through Symantec’s worldwide network of value-added authorized resellers, distributors and systems integrators or directly.
Symantec Security Framework: Symantec Endpoint Protection is part of the Symantec Security Framework, a portfolio of security products and services that enable organizations to counter emerging threats, support new computing models and simplify security management. Symantec’s portfolio of security products and services allow organizations to pursue innovations – such as mobile, cloud and virtual computing models. By providing relevant, actionable security intelligence and simultaneously simplifying security management, businesses can increase both the efficiency and effectiveness of their security posture.
They’ve been building AV products for 22 years and started in the Czech Republic. It’s now privately held by the two founders. They believe they are the most senior of the AV companies in terms of how long the founders have been active in the company.
They’re the #1 or #2 AV in the world – 40 languages, 125 million users. The US is the largest market for revenue and the second largest for the free version.
The interesting thing is that they are community based. They distribute the product for free and it is “every bit as good as paid AV”. The community becomes malware collectors and enables them to see viruses around the world instantly. The community also does the marketing by referral – 3 million users per month. The community also provides online support as volunteers (some have posted as many as 20,000 replies). The community volunteers also help develop the localized versions.
A user can install the free product and a few weeks later is prompted to register. It expires after a year and the user is prompted to either renew the free version or buy the not-free version. Premium versions add sandboxing (“for geeks”) and there is an Internet Security Suite that adds a 2 way firewall and anti-spam. The free version is good enough for most. They recommend the premium version with firewall for online transactions.
The free version does a lot, detecting malware, rootkits, and also doing reputation ranking on websites.
There’s also a complete set of corporate products – desktop, servers, email – all with an enterprise class management GUI. In September the new version comes out with a focus on SMB usability. It’s a completely new management environment. The client version will also have full sandboxing capabilities.
The client product gets refreshed every January and they’re adding some cloud features for delivery of signatures and crowd sourcing website reputation. There will be extra protections for online transactions such as complete sandboxing – it in effect turns the sandbox inside out and creates a complete safe environment so it doesn’t matter if the machine is infected.
They support Windows (back to 95) and have Mac and Linux products. They also support most mobile OSes but not Android right now. RIM and Apple lock down their environments, so viruses aren’t a big worry, but Android isn’t locked down at all. Mac and Linux are managed just like Windows.
There’s white listing and black listing in the corporate version for apps and websites. They provide a big list and it can be customized. Also has heuristic analysis and is not just signature based.
The client is fast and lightweight, which is good for netbooks and older PCs (i.e., the consumer market).
Summit Partners just invested $100 million in the company as a minority stake. They see the company as profitable and well-managed and will help AVAST move to “the next stage”. They have a lot of operational experience so this is about more than raising money. They see value in the free version and will continue to build the company. This isn’t like a startup that needs funding, they’re just going to the next level.
Vince did say something interesting:
“Macs aren’t any more secure than Windows. They are just fewer users so it is a smaller target. There’s no reason to attack such a small footprint [yet].”
Norman Issues Malware Warning Concerning Portable Document Format
Oslo, Norway – 12 April 2010 – Norman, a leading security innovator serving single desktops to complex corporate and government networks, today issued a malware warning concerning the exploitation of how applications handle files in the Portable Document Format (PDF).
Exploits involving PDF files are usually accomplished using vulnerabilities in the applications used to read these files, like the popular free program, Adobe Reader. However, a security researcher has recently published information suggesting a two-part technique involving a special utilization of the PDF specification, combined with manipulation of a warning message.
A non-standard technique is used to launch a program embedded in the PDF file. The warning message that is displayed is then manipulated to tempt a user to accept running the embedded file. Both Adobe Reader and the alternative Foxit Reader are potentially vulnerable to this technique.
“We have no reports of malware in the wild that use this technique,” said Ståle Ekelund, Chief Technology Officer. “We believe this vulnerability could be exploited by cyber criminals for malicious purposes. We already see examples of variants, including proof-of-concepts, with infection of other PDF files. Fixing this particular problem may be difficult without changing the PDF specification itself, which is a time-consuming process”.
As a workaround, Adobe has published information about how to mitigate the risks involved in this issue. A change in the program’s preferences is required. We refer to the posting on the Adobe Reader Blog for details: http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html
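The detection side of the technique described above, as an added example that is not Norman’s or Adobe’s code: a triage scanner for the PDF /Launch action (the specification feature involved, with its /F target and /P parameter string that feeds the reader’s warning dialog). The sample PDFs, the hex-escaped name and the placeholder target are all constructed for the example.

```python
"""Triage scan for PDF launch actions (constructed example, not Norman's code).

A /Launch action is the PDF feature behind the warning above: the reader
asks the user before running the named program, and the action's /P
parameter string is what an attacker bends into a reassuring prompt.
This scanner reads raw objects only, so a file that hides the action in a
compressed object stream is reported as 'needs deep scan', never 'clean'.
"""
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
OBJSTM_RE = re.compile(rb"/Type\s*/ObjStm\b")
HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STRING_RE = {  # literal strings for the launch target and its parameters
    "target": re.compile(rb"/F\s*\((.*?)(?<!\\)\)", re.S),
    "params": re.compile(rb"/P\s*\((.*?)(?<!\\)\)", re.S),
}


def normalize_names(body: bytes) -> bytes:
    """Undo #xx hex escapes in names so /L#61unch reads as /Launch."""
    return HEX_NAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), body)


def scan_pdf(data: bytes) -> dict:
    """Report every object carrying a /Launch action plus an overall verdict."""
    findings = []
    for num, gen, raw in OBJ_RE.findall(data):
        body = normalize_names(raw)
        if not LAUNCH_RE.search(body):
            continue
        hit = {"object": f"{num.decode()} {gen.decode()}"}
        for key, rx in STRING_RE.items():
            m = rx.search(body)
            hit[key] = m.group(1).decode("latin-1") if m else None
        findings.append(hit)
    has_objstm = OBJSTM_RE.search(data) is not None
    if findings:
        verdict = "suspicious"
    elif has_objstm:
        verdict = "needs deep scan"
    else:
        verdict = "clean"
    return {"launch_actions": findings, "object_streams": has_objstm, "verdict": verdict}


# Constructed minimal PDFs (no xref table; enough for the regex scan).
_HEADER = b"%PDF-1.4\n"
_PAGES = (b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
          b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")
SAMPLE_CLEAN = (_HEADER
                + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" + _PAGES
                + b"trailer << /Root 1 0 R >>\n")
# Launch action fired on open, with a hex-escaped name and a friendly /P text
# meant to make the reader's warning dialog look harmless (placeholder target).
SAMPLE_LAUNCH = (_HEADER
                 + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n" + _PAGES
                 + b"4 0 obj << /Type /Action /S /L#61unch /Win << /F (placeholder.exe)"
                 b" /P (Click Open to view the document) >> >> endobj\n"
                 + b"trailer << /Root 1 0 R >>\n")
SAMPLE_OBJSTM = (_HEADER
                 + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" + _PAGES
                 + b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length 0 >>"
                 b" stream\nendstream endobj\n"
                 + b"trailer << /Root 1 0 R >>\n")

if __name__ == "__main__":
    for name, pdf in [("clean", SAMPLE_CLEAN), ("launch", SAMPLE_LAUNCH), ("objstm", SAMPLE_OBJSTM)]:
        print(name, scan_pdf(pdf))
```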
For more information about this issue, please go to the Norman Security Center.
For more information on this proof-of-concept attack, please go to this blog.