Nitol Takedown: How ThreatSTOP can help identify affected machines.

There’s a lot of noise out there about “Nitol” and the takedown. What, exactly, does that mean to you?

Before we get into that, let’s do a quick re-cap on what has happened:

Microsoft received a court order allowing them to redirect all subdomains of a dynamic DNS provider called 3322.org. This enabled Microsoft to block tens of thousands of domain names that were being used to serve up malware and commit cybercrime. Now, instead of DNS requests for anything in 3322.org being resolved by 3322.org’s servers, they are being resolved via Microsoft’s security group. This applies equally to any legitimate domain that happened to use 3322.org for dynamic DNS (required in order to run your own web or mail server if you have a dynamic IP address, as with a home Internet connection).

It was only a matter of time before action was taken against 3322.org, as it was widely known as a popular haven for malware authors and unresponsive to researchers and operators seeking to have malware domains shut down.

You can read more here:

Official Microsoft Blog

Krebs on Security

Full Set of Legal Docs

Now, what does this mean for you?

For starters, Microsoft has been granted quite a bit of power, and any connections from your network to anything in 3322.org and its subdomains will either be resolved, or not, based on what Microsoft decides. Currently, it appears that Microsoft’s approach is only intercepting some of the domain names, and recursively resolving the rest through the actual 3322.org nameservers.

In theory, this should only interfere with the malicious domains and do nothing to the legitimate ones. In order to be effective, the list of domains Microsoft is using MUST be accurate (ensuring no false positives), and the domain names Microsoft is intercepting must be the only names the malware uses. The first case seems to be true, but the second is problematic, as it has been our experience that most malware uses multiple ways to call home, and usually multiple domain names.

Gunter Ollmann of Damballa has a very good post discussing the issue with this sort of incomplete takedown.

There have been some problems with MX (mail exchanger, how the Internet routes e-mail) lookups, which have resulted in e-mail to legitimate sub-domains of 3322.org not being deliverable. Microsoft is working to resolve them. Aside from this, there are many policy issues involved that are under discussion, but they are out of the scope of this post. If you want to learn more about that, Suresh Ramasubramanian has a very detailed discussion in his blog post.

So, what is ThreatSTOP doing about it?

Currently, ThreatSTOP is propagating a block on the sinkhole that Microsoft is using to trap the botnet domains.

Those IPs are in our Sinkhole feed, but we can’t publicize exactly which ones, due to reasons of confidentiality.

What this will do is stop connections to sinkholed domains from completing, and give you a log of when a system in your network tried to connect to those domains. The IP address that will show as making the attempted connection in your ThreatSTOP reports is the compromised endpoint.

If you are not a ThreatSTOP subscriber, you can use our ThreatCHECK tool on a system you are concerned about, or log all connections outbound on your firewall, and use our Sinkhole Check tool to see if you had any connections to known Sinkholes.

If you see connections to anything on our Sinkhole feed, you should consider that system as infected. Systems that are infected with Malware should be RE-INSTALLED. Cleaning can never guarantee removal of all malware, since, once they get control of a system, cybercriminals install custom software that antivirus may never get a signature for. If you want to know exactly WHICH malware a given sinkhole represents, please contact us. If you need help, we’re here for you! Don’t hesitate to contact our support.
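As an added illustration (example code written for this post’s readers, not ThreatSTOP’s ThreatCHECK or Sinkhole Check tools), here is the kind of check those tools perform: read outbound firewall log lines, match each destination against a sinkhole feed, and report the internal source address that made the attempt. The log format, the internal addresses and the feed entries are all constructed; since the real sinkhole IPs are confidential, the feed uses RFC 5737 documentation addresses as placeholders.

```python
"""Added example, not ThreatSTOP's ThreatCHECK or Sinkhole Check code:
find internal hosts whose outbound connections hit a sinkhole feed.
The log format, the internal addresses and the feed entries are constructed;
the feed uses RFC 5737 documentation ranges as stand-ins for the real
(confidential) sinkhole addresses."""
import ipaddress
import re
from collections import defaultdict

# Constructed sinkhole feed: placeholder addresses, NOT real sinkholes.
SINKHOLE_FEED = [
    "192.0.2.10",        # stands in for a single sinkhole host
    "198.51.100.0/28",   # stands in for a small sinkhole range
]

# Constructed outbound firewall log in an iptables-style format.
SAMPLE_LOG = """\
Sep 17 10:01:02 fw kernel: OUT SRC=10.0.0.15 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80
Sep 17 10:01:05 fw kernel: OUT SRC=10.0.0.22 DST=203.0.113.5 PROTO=TCP SPT=51300 DPT=443
Sep 17 10:06:03 fw kernel: OUT SRC=10.0.0.15 DST=192.0.2.10 PROTO=TCP SPT=51240 DPT=80
Sep 17 10:07:44 fw kernel: OUT SRC=10.0.0.31 DST=198.51.100.7 PROTO=UDP SPT=40000 DPT=53
Sep 17 10:08:10 fw kernel: OUT SRC=10.0.0.22 DST=198.51.100.200 PROTO=TCP SPT=51310 DPT=8080
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)

def load_feed(entries):
    """Turn feed strings (single hosts or CIDRs) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def in_feed(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def sinkhole_hits(log_text, feed_entries):
    """Map each internal source to the (timestamp, sinkhole) contacts it made."""
    networks = load_feed(feed_entries)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an outbound connection record
        if in_feed(m["dst"], networks):
            hits[m["src"]].append((m["ts"], m["dst"]))
    return dict(hits)

def infected_hosts(log_text, feed_entries):
    """Sources that contacted a sinkhole: treat these as compromised endpoints."""
    return sorted(sinkhole_hits(log_text, feed_entries))

if __name__ == "__main__":
    for src, events in sinkhole_hits(SAMPLE_LOG, SINKHOLE_FEED).items():
        ts, dst = events[0]
        print(f"{src}: {len(events)} sinkhole contact(s), first at {ts} -> {dst}")
```

Note that the last log line is not reported: 198.51.100.200 lies outside the /28 in the feed, which is the sort of boundary that is easy to get wrong when matching by string prefix instead of by network membership. The two hosts that are reported (10.0.0.15 and 10.0.0.31) are the endpoints to pull for reinstallation.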

ThreatSTOP is actively involved in the security community, and works tirelessly to keep our data up to date, so you can stay ahead of the latest threats such as this one. If you aren’t familiar with ThreatSTOP then consider a trial on your firewall today.

ThreatSTOP blocking new OSX/Morcut malware

As noted by The Register and other places, there’s a new cross-platform vulnerability out that installs via a piece of Java that does a check for “Windows or Mac” and then installs the malware suitable for the platform.

The Mac malware it installs, called either OSX/Morcut or OSX/Crisis – depending on the AV researcher – is most easily detected and blocked by seeing where it tries to go. Intego reports that it calls home every 5 minutes to a single IP address (176.58.100.37) to get instructions and upload anything it may have found.

ThreatSTOP has added this IP address to our feeds and so all ThreatSTOP customers are protected from this malware. Our reporting tool will report the internal IP addresses that are attempting to contact this host, making it easy for IT departments and network administrators to identify and then remediate infected machines.
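Added example, not code from the post, Intego or ThreatSTOP: the every-5-minutes call-home is itself a detectable pattern even before an address makes it onto a feed. This script groups outbound connection records by source and destination, flags pairs whose connection gaps are all within a small jitter of a fixed period, and marks whether the destination is the 176.58.100.37 indicator quoted above. The connection records, the internal addresses, the 10% jitter threshold and the minimum count are constructed assumptions.

```python
"""Added example (not Intego's or ThreatSTOP's code): detect regular
call-home beacons in outbound connection records and note whether the
destination is a known indicator. 176.58.100.37 and the 5-minute period
are from the post; all records, internal addresses and thresholds here
are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

KNOWN_C2 = {"176.58.100.37"}  # indicator quoted in the post (Intego's report)

# Constructed records: (timestamp, source, destination). 10.0.0.9 beacons
# every ~5 minutes; 10.0.0.12 browses irregularly and is benign.
SAMPLE_EVENTS = [
    ("2012-07-25 09:00:00", "10.0.0.9", "176.58.100.37"),
    ("2012-07-25 09:05:01", "10.0.0.9", "176.58.100.37"),
    ("2012-07-25 09:10:00", "10.0.0.9", "176.58.100.37"),
    ("2012-07-25 09:14:59", "10.0.0.9", "176.58.100.37"),
    ("2012-07-25 09:20:02", "10.0.0.9", "176.58.100.37"),
    ("2012-07-25 09:00:30", "10.0.0.12", "203.0.113.80"),
    ("2012-07-25 09:01:10", "10.0.0.12", "203.0.113.80"),
    ("2012-07-25 09:13:45", "10.0.0.12", "203.0.113.80"),
    ("2012-07-25 09:31:00", "10.0.0.12", "203.0.113.80"),
    ("2012-07-25 09:32:00", "10.0.0.12", "203.0.113.80"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def beacon_candidates(events, min_count=4, max_jitter=0.1):
    """Return (src, dst, period_seconds, known_c2) for every source/destination
    pair with at least min_count connections whose gaps all lie within
    max_jitter of the median gap, i.e. a fixed-interval beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(_parse(ts))
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period > 0 and all(abs(g - period) <= max_jitter * period for g in gaps):
            found.append((src, dst, period, dst in KNOWN_C2))
    return sorted(found)

if __name__ == "__main__":
    for src, dst, period, known in beacon_candidates(SAMPLE_EVENTS):
        tag = "KNOWN C&C" if known else "unlisted destination"
        print(f"{src} -> {dst} every {period:.0f}s ({tag})")
```

The regular-interval check is what makes this useful beyond a plain indicator match: a host beaconing to an address that is not yet on any list still stands out, while the irregular browsing of 10.0.0.12 does not. Legitimate software (update checkers, monitoring agents) also beacons, so a hit is a lead for the IT department to look at, and the feed match is what turns it into a confirmed infection.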

If you aren’t familiar with ThreatSTOP then consider a trial on your firewall. ThreatSTOP’s IP reputation service provides a way for firewalls to block currently active criminal IP addresses. The list is updated automatically and applies to both inbound and outbound traffic, such as the traffic to known botnet command & control servers.

Criminals don’t follow the rules

If you are a criminal and trying to steal things then breaking the law in other ways is unlikely to concern you. To me such a statement seems obvious, but apparently it isn’t – and I’m not just talking about cyber-criminals here.

The classic example in the physical world is the bank robber, who not only breaks the law by robbing the bank but also commits firearms offenses by being a felon in possession of one, violent crimes up to and including murder, traffic offenses in the getaway car and so on. The robber doesn’t care whether, as a result of running a red light, he causes a major traffic accident (as long as he’s not in it) – indeed he may actually like that because it slows down the pursuit.

A moment’s thought shows that the same applies to the cyber-criminal hoping to steal money using your electronic banking credentials. Just as the bank robber neutralizes the guards, the malware that infects your computer disables your anti-virus. And just as the robber ignores traffic rules, the malware is not necessarily going to bother using the nameservers, web proxy, configured default protocols etc. that have been set up to make your job as the defender easier. Moreover, it certainly isn’t going to be concerned about obeying protocol conventions when it calls home to get the data back to the criminals. For example, it may pretend to be posting an image to Google or Yahoo but will actually not use a Google IP address (or upload a real JPEG).

The problem here is that a lot of security tools work like traffic lights. They slow down and inspect the law-abiding genuine data flows but don’t do anything about the outlaw ones that, in one way or another, ignore or circumvent them.

The only way to stop them is the cyber equivalent of the roadblock that inspects every vehicle trying to go past and which is placed in such a way that all traffic has to go through it. In computer networking the only device in that position in the overwhelming majority of organizations is the Internet connected firewall.

Tools that don’t see every packet inbound and outbound can only stop malware that doesn’t make the simplest efforts to evade detection. Engineering around any type of protocol specific inspection, directory service, or other resources used by normal traffic is relatively trivial. In fact, in much the same way that the bank’s CCTV system shows the bank-robber’s masked face to investigators after they have fled with the cash, these systems might warn you that a particular computer is infected but they don’t do much about stopping the malware on the computer from calling home. They just make the criminal have to be marginally aware of the usual countermeasures – a bit like how the CCTV means the robber has to wear a disguise.

In the physical world the people that really care about security (e.g. the military) have adopted a policy of ensuring that everything going in and out of a secure location goes through a checkpoint and it is scanned (metal detector, ID check etc.) as it passes through. In theory, organizations have the same policy for the Internet when they place a firewall on the border of their network. In practice, these firewalls work more like the border between the US and Mexico: they are very restrictive on things coming in, but make only cursory checks of anything leaving, if at all. As anyone who has sat at the San Ysidro crossing for hours coming back from Baja knows, full scanning (deep inspection) leads to large increases in latency for legitimate traffic. The result is that, in most cases, organizations elect to skip it for most outgoing traffic and almost all incoming traffic that is related to an outgoing request.

The key insight behind ThreatSTOP is realizing that on the Internet, unlike in the physical world, traffic cannot lie about where it is going to (or coming from for TCP packets). We use a variety of sources and methods to figure out what actual IP addresses malware tries to go TO. This makes it possible for the firewall to block on the IP address. Firewalls are designed to do this very quickly for lots of source and destination pairs. The result is that good traffic is not slowed down.

ThreatSTOP allows your existing firewall to do the job you bought it for, for all traffic, not just the Internet equivalent of the door-to-door salesperson (spammer), gang attire wearing tagger (Website defacement) or opportunistic petty criminal.

With ThreatSTOP it doesn’t matter what the criminal malware does while it tries to call home from your network, it gets stopped (and the attempt logged) as soon as it tries to leave.

The malware can:

  • fake its protocol and port
  • run roughshod over or sneak around your web proxies, DNS and Active Directory (including any outsourced ones)
  • obfuscate URLs and encrypt content
  • try a dozen other tricks

but no matter what, it has to use a REAL, non-encapsulated, routable IP address to actually communicate with its masters and “gang”.

If it tries to contact an IP address that we know is an active C&C host it is stopped at the firewall, the internal IP is logged, and there’s no way around our block.

Is there anything in Ukraine except cyber crime?

On the Kaspersky SecureList blog there’s an interesting post about recent developments for the SpyEye malware. The blogger explains how SpyEye supports a nice plugin architecture and how he examined an interesting new plugin that downloads a flash plugin for certain banking sites which can then switch on the victim’s webcam and stream the data back to the crooks.

So while this is clever, what has it got to do with ThreatSTOP or with the title of this post – the cyber crime in Ukraine? Well, the answer is fairly simple. It seems that the malicious flash plugin is downloaded from the “statistiktop.com” domain, which currently resolves to 91.206.200.17 and previously resolved to 91.206.200.79, both of which are IP addresses owned by a Ukrainian hosting provider. While said hosting provider is not the worst on our list, its 512 IP addresses do contain a number of recent hits, and the entire range has been blocked by us via the “Russian Business Network” feed for at least a year.

In practical terms this means that anyone who uses ThreatSTOP would not have been infected by this malicious plugin (and of course it is likely that any call home from it would have been blocked by our SpyEye feed) but while that’s clearly a good thing, it isn’t the thrust of this post.

The point of this post is that, while the attack vectors get smarter using, for example, flash plugins to control a webcam, and they use endless multitudes of domain names as part of their business, the criminals keep on using the same limited numbers of “safe houses” and “fences” – or rather their cyber equivalent, bullet proof hosting companies and compromised servers – to transmit their malware and get the data back.

Many of the places the cyber criminals reuse a lot are in Eastern Europe. If you take a look at the current threat status part of our home page you’ll see that Ukraine is the ‘Worst Large Country’, with about 6% of the 12 million or so IP addresses assigned to it being on our lists. This is not a one-time thing. The percentage of bad IP addresses has gradually crept up, but Ukraine has been our “worst large country” during the entire time we have run this particular report. Apart from a brief period where the Penguins of Antarctica were our worst small country, that “honor” has almost always gone to one of Haiti, Latvia or the Seychelles. Interestingly, Latvia, while still bad, only has 5.9% of its 1.6 million IP addresses on our lists, which is a significant improvement and now better than Ukraine.

Fundamentally though, if you don’t do business with countries like Ukraine, you can protect yourself from a lot of malware by simply blocking traffic to/from those countries at the firewall. We created our “Eastern Europe” list precisely because we recognized that this was a useful thing to do. And really when more than 1 in 20 of the IP addresses in a country are suspicious it just makes sense to err on the side of caution.

Block China and other simple DLP/APT remedies

Blocking foreign countries is one of the simplest and most effective ways to stop data loss and other hack attacks. If your computers, servers, users etc. have no reason to communicate with devices in certain countries, then a geographic block on the firewall to stop all traffic to/from them is a great way to reduce the threat of infection or data loss. What may be the most serious data breach ever – the loss of some 35 million records of personal data from the Korean company SK Communications – would have been stopped if the SK Communications computers had been blocked from communicating with China:

The National Police Agency found that the unidentified hacker extracted the information from SK Communications’ user database to an internet protocol address registered in China.

The leaked personal information includes user IDs, passwords, resident registration numbers, user names, dates of year and birth, gender, email addresses, telephone numbers and home addresses.

Passwords and personal ID numbers are encoded, but experts said, judging from the hacker’s level of skills, they may have been decoded already.

ThreatSTOP has been offering geographic blocklists for some time and earlier this year we greatly expanded the number of countries available to our subscribers. The reason why is fairly simple: certain countries do seem to provide an overwhelming amount of hack attacks. This is a fact and it remains true whether or not certain organizations are correct about their allegations of government sponsored hacking in other countries. To put it bluntly IP addresses in China (PRC), Ukraine and Latvia are extremely common as both the sources of attack and the destination of “call homes” from infected machines. As in the case noted above, simply blocking access to China would have avoided the loss of ID data for about 60% of all South Koreans.

Now, is a geographic block the only simple remedy for data exfiltration? No, of course not. Blocking without subsequently checking firewall logs for attempts is merely going to lead to a second attack where the exfiltration goes via a server somewhere else. However, if outbound communication attempts to foreign countries are logged as well as blocked, and the logs scanned regularly (ThreatSTOP subscribers typically upload log files at least once a day for analysis), then IT staff can identify the infected machines and clean them up before data is lost.

A third simple but often effective measure is to block and log outbound communications on IRC and the like. While this is less effective than the geographic block – many bots, as I noted last week, use HTTP or HTTPS precisely to avoid firewall blocks – it will still catch some sorts of data exfiltration and again if the blocks are logged then it will help identify computers that are infected and/or users who persist in attempting unsafe computing practice.
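The roadblock argument in “Criminals don’t follow the rules” and the geographic and IRC blocking advice above come down to the same outbound policy, so here is one added example of it (illustrative code, not ThreatSTOP’s product or any firewall vendor’s configuration): destination-IP lists are checked first and ignore port and protocol, a port-based IRC rule comes next, and every block is logged with the internal source so the log can be turned into a list of hosts to investigate. The CIDR ranges are RFC 5737 placeholders standing in for a country list and a C&C feed, not real allocations, and the flows are constructed.

```python
"""Added example (not ThreatSTOP's code or any firewall vendor's
configuration): an outbound policy where IP-list rules come first and
ignore port/protocol, an IRC port rule comes second, and every block is
logged by internal source. Feed ranges are RFC 5737 placeholders standing
in for a geographic list and a C&C feed; flows are constructed."""
import ipaddress
from collections import Counter

# Constructed feeds. In practice these are delivered by a reputation service.
FEEDS = {
    "geo-blocked-region": ["203.0.113.0/24"],              # stands in for a country list
    "botnet-cc":          ["198.51.100.44", "192.0.2.0/28"],  # stands in for a C&C feed
}
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

def _compile(feeds):
    return {name: [ipaddress.ip_network(c, strict=False) for c in cidrs]
            for name, cidrs in feeds.items()}

NETS = _compile(FEEDS)

def decide(src, dst, proto, dport, nets=NETS):
    """Return ('block'|'allow', reason). IP-list rules are evaluated before
    anything port- or protocol-based, so faking the protocol does not help."""
    d = ipaddress.ip_address(dst)
    for name, ranges in nets.items():
        if any(d in r for r in ranges):
            return "block", name
    if proto == "tcp" and dport in IRC_PORTS:
        return "block", "irc-port"
    return "allow", "default"

def evaluate(flows, nets=NETS):
    """Apply the policy to (src, dst, proto, dport) flows; return block log lines."""
    log = []
    for src, dst, proto, dport in flows:
        action, reason = decide(src, dst, proto, dport, nets)
        if action == "block":
            log.append(f"BLOCK {reason} src={src} dst={dst} {proto}/{dport}")
    return log

def hosts_to_investigate(log):
    """Internal sources that appear in block log lines, most hits first."""
    counts = Counter()
    for line in log:
        src = line.split("src=")[1].split()[0]
        if ipaddress.ip_address(src) in INTERNAL:
            counts[src] += 1
    return counts.most_common()

# Constructed flows: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("10.0.0.5",  "203.0.113.77",  "tcp", 443),   # HTTPS into geo-blocked range: blocked anyway
    ("10.0.0.5",  "203.0.113.78",  "udp", 53),    # DNS into geo-blocked range: blocked anyway
    ("10.0.0.8",  "198.51.100.44", "tcp", 80),    # listed C&C host on plain HTTP
    ("10.0.0.8",  "192.0.2.9",     "tcp", 8443),  # inside the C&C range on an odd port
    ("10.0.0.9",  "198.51.100.9",  "tcp", 6667),  # IRC port to an unlisted host
    ("10.0.0.11", "198.51.100.9",  "tcp", 443),   # unlisted host, normal port: allowed
]

if __name__ == "__main__":
    block_log = evaluate(SAMPLE_FLOWS)
    print("\n".join(block_log))
    print("investigate:", hosts_to_investigate(block_log))
```

The IRC rule is deliberately the weaker one, exactly as the text says: 10.0.0.9 is caught only because it used a well-known IRC port, and the same bot over HTTPS to the same unlisted host would have sailed through, whereas 10.0.0.5 and 10.0.0.8 are stopped whatever port or protocol they picked. The investigate list is the daily log review the post recommends, reduced to a ranked list of internal addresses.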

The ineffectiveness of AV

Over at ZDNet, Ed Bott has a report on the ineffectiveness of anti-virus tools against current malware, where he notes that many AV vendors only detect it a day or two after it has been distributed, and that by then a new variant that they don’t detect has also been sent out. In the IT security space, this is not exactly news. In fact, here at ThreatSTOP we’ve been using similar statistics in our sales pitch for about a year now, and the AV vendors themselves admit they have a problem – if you ask them in private, that is.

The key thing to note is that most malware (his specimen is a good example) ‘calls home’ to a server owned (or PWN3d) by the crooks who distributed it in order to either download some more effective trojans or to inform the crooks of the juicy private data etc. it has found. It has to call home because without the call home it almost certainly can’t make money for the people who set it up because they need the data or the CPU power to do whatever it is they want.

“Call homes” are very rarely blocked because they generally look like regular web traffic. Sometimes it is unencrypted HTTP or IRC, which a web proxy or DPI device may be able to detect (though even that can be problematic: how do you tell the difference between a genuine session ID in the GET URL* (or cookie, or AJAX-style POST) and one that is encrypted personal data?), but these days it is quite likely to be encrypted HTTPS, which they can’t. As far as the DPI device goes, one HTTPS session looks very like another except for one teeny little detail. That critical detail, however, is the end-point. If the end-point has a bad IP reputation then it makes sense to simply block all the traffic to it.

The key thing that we do at ThreatSTOP is distill gigabytes of threat data from multiple sources into a list of bad stuff that is easy to deploy on a firewall, web filter or other security device. All these devices have the ability to block thousands of IP addresses and networks (even a low-end home firewall can typically block at least 1000); they just need that list delivered to them in a form they can easily use and which is regularly updated. That’s our trick, and it works well everywhere it has been tried.

*Is a GET for /story/SB10001424052702304563104576355623894502788-lMyQjAxMTAxMDMwMTEzNDEyWj.html?id=d1b07e586e12143b3a3f1d1a47e7d45a&ref=0971880107&nodeID=283155 genuine, or is it your name, address and credit card details? What about an AJAX POST?

SonicWALL IP Reputation Fail

Since ThreatSTOP is an IP reputation company, we naturally have a Google News feed on the topic of ‘IP reputation’. Today, for some reason, it provided a link to the IP reputation page of the firewall vendor SonicWALL. Naturally, I had to test the page out to see how well it did. I picked the 4 addresses currently listed on our home page as being the “worst of the web”:

The Worst IP Addresses for 4 Aug 2011


The first of these addresses (49.212.100.60 from Japan) has been on our page for a few days now so I thought it would be likely to be listed by SonicWALL.

[Screenshot: SonicWALL’s IP reputation for 49.212.100.60]

Just for reference, here is a screenshot of the ThreatSTOP opinion of this address, which lists 5 currently active entries in feeds plus one past entry:

[Screenshot: The real IP reputation of 49.212.100.60]

However, all the feeds are basically server-side ones, so it occurred to me that perhaps SonicWALL is biased to client-side threats like malware droppers, trojans and bots.

Well, I tried the next entry (209.85.51.152 – USA) and SonicWALL was still oblivious to any threat from it, while when I entered that address into our database I got even more hits:

As you can see this one is much more of a threat to regular users. It’s listed in the BLADE malware dropper list, a phishing list and two botnet C&C lists amongst others. So the hypothesis that SonicWALL’s IP reputation is user centric seems to be untrue also.

Just for completeness I queried the two South Korean entries (112.175.243.22 and 112.175.243.24) in the SonicWALL IP reputation engine with similar results:

Needless to say, here at ThreatSTOP we know rather more about both, and in fact the latter address (112.175.243.24) has been on a total of 8 different lists since the middle of May, which is quite impressive and puts it in the running for the IP reputation award for “most depraved newcomer 2011”.

Just for fairness I plugged the 4 addresses into McAfee’s trusted source, which doesn’t share data with us, and all four were reported as bad.

All in all, it has to be said that SonicWALL’s IP reputation service seems to be rather less than efficacious. In fact, it rather reminds me of the 3 famous monkeys that are in the same country as the first IP address.

[Image: Mizaru, Kikazaru, Iwazaru]

This isn’t exactly the attitude I’d want for an IP reputation service.

Blocking Bot ‘Call Homes’ Can Stop You Losing $250,000

Over the last couple of days, Brian Krebs has reported about ACH fraud that is driven by ZeuS and SpyEye trojans/bots. Although the case law is limited it seems like banks have little or no liability if a trojan steals bank login details and, as a result, an organization’s bank account is emptied.

In the first link above, a local government lost about $140,000 in a series of $4800 transfers, and it seems unlikely that they will be able to recover much more than $4800 of it. In the second link, a construction company took their bank to court, claiming that it was the bank’s fault that they were not alerted when hundreds of thousands of dollars were transferred from their account. Although the case is not yet totally settled, it seems that the judge has decided that the bank took sufficient steps to not be considered negligent, and that therefore the loss must be borne by the construction company.

In the light of this it is worth noting that almost every organization that has installed ThreatSTOP as a trial has discovered a bot on their network. In at least one case it was a ZeuS bot on the laptop of the accounting/HR admin. Having ThreatSTOP running on their firewall may well have saved them from being another statistic in the list of ACH victims.

While no single solution is a silver bullet against cybercrime, ThreatSTOP provides a good first filter against inbound malware, and a best last hope against the outbound call home or data theft, using what people already have. We are an essential addition to the toolbox of those protecting their businesses and families from criminals.

ThreatSTOP provides our subscribers with blocklists of known botnet C&C (Command and Control) and dropbox hosts that are automatically installed onto their firewalls and updated every few hours (2 by default) to keep track of changes. For a small organization our service typically costs just $600 a year (less than $2/day). This is inexpensive insurance against a potential loss of thousands or even hundreds of thousands of dollars.

IP Reputation to Reduce the Risk of Being Hacked

As anyone who reads the technical, financial or even the general news is aware, May has not been a good month for Internet security. We started with Sony, which appears to have been comprehensively “PWNed” by one or more groups of criminals, and we end with the news of Lockheed and PBS joining the list of victims. Needless to say, these news reports have led to a lot of our customers (and potential customers) asking whether ThreatSTOP’s IP reputation can save them.

The quick answer is “maybe”. Much as our sales people would like me to say ‘yes’, lingering technical honesty forces me to qualify this. Our IP reputation feeds will certainly help, and they will certainly block a large number of attacks. Moreover, since we are faster than other IP reputation sources, we will most likely block more attacks than they do. But no, unfortunately, they are not a magic bullet. Even though we would have stopped the RSA hack, we don’t have the details to know whether we would have stopped the attacks on Sony, PBS or Lockheed.

What we can certainly do is reduce the attack surface. If you are a company that does no business with Eastern Europe or China then our Geographic block-lists can ensure that your computers don’t try ‘calling home’ to them. Indeed, even if you do business with China it seems likely that you might want to stop, say, your HR database server having a chat with a computer in Shanghai. And that applies even more if the address in Shanghai is that of a computer known to be a botnet C&C host or similar.

Likewise just because you use VOIP and have an IP PBX doesn’t mean that you want someone on our VOIP Abuse list connecting to it because the chances are high that the connection is not a customer inquiry but an attempt to break in and call Somalia for hours on end. And of course even though your workers need access to almost everywhere to do their job, it would be nice if they don’t get infected when they click on a Google image link (yes we block the drop sites – e.g. 184.82.169.171 – no matter what domain name happens to be used).

Most importantly, because the block is on the firewall, there is no need to update thousands of servers and end user computers to get the latest lists and we protect everything, whether it be a server, a workstation or the smartphone that someone hooked up via an unofficial Wifi hotspot under their desk.

On the other hand we cannot protect against a new attacker that we’ve never met before, and in particular we can’t protect against an attacker that only attacks you and no one else. If you annoy one of your customers (or employees) then their attempts to crack your systems and exfiltrate data likely won’t be stopped – though we do have a list of anonymous proxies that might help – because they are only attacking you and are otherwise perfectly harmless.

So to sum up. Yes we can help a lot. But no, we aren’t perfect and neither is anyone else.

Latest Adobe Zeroday – “Call Home” Blocked by ThreatSTOP

Adobe have just announced yet another Zeroday Flash etc. exploit that has been seen in the wild in emailed Microsoft Word documents. The document installs the usual sort of backdoor trojan.

According to Mila Parkour, who reported it to Adobe, something, presumably the backdoor, then attempts to call back to a dyn-dns name (liciayee.dyndns-free.com). That name used to point to 123.123.123.123 (it now seems to be pointing to localhost in most public DNS systems), which is an interesting IP address. As we have said many times before, bad IP addresses are often reused, and this one is no exception. When I plugged it into our IP reputation database it showed the following (as well as the information that the IP address is in China):

First Identified      Most Recently Active   Present in the following feeds:
2008-01-30 00:00:52   2008-02-06 22:00:50    SSH_CRACKER
2009-07-18 17:01:32   2009-09-16 17:30:04    Parasites, Hijackers and Spyware Domains
2010-12-06 10:00:03   2011-04-12 00:00:11    Russian Business Network

We can learn two things from this. The first is that this address has a history of bad behavior (SSH cracker, spyware domain etc.), and the second (and possibly more critical) is that it has been blocked by ThreatSTOP since December, as it was identified then as part of the ‘Russian Business Network’. That means any recipient of the email whose firewall was running ThreatSTOP was protected from this zeroday – and from any other exploit that happened to try and call back to this IP address.
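To show how a record like the one above is derived, here is an added example (not ThreatSTOP’s code) that builds a per-address reputation from raw feed observations and decides whether the address should currently be blocked, which is the mechanism by which a December listing covers an April zeroday. The observations for 123.123.123.123 reuse the feed names and timestamps from the table; the second address, the 30-day active window and the assumed lookup date are constructed.

```python
"""Added example, not ThreatSTOP's code: derive a per-address reputation
record (first identified, most recently active, feeds) from raw feed
observations and decide whether the address is currently blockable.
Timestamps and feed names for 123.123.123.123 are the ones in the post;
203.0.113.9, the 30-day active window and ASSUMED_NOW are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed observations: (ip, feed, timestamp of sighting).
OBSERVATIONS = [
    ("123.123.123.123", "SSH_CRACKER", "2008-01-30 00:00:52"),
    ("123.123.123.123", "SSH_CRACKER", "2008-02-06 22:00:50"),
    ("123.123.123.123", "Parasites, Hijackers and Spyware Domains", "2009-07-18 17:01:32"),
    ("123.123.123.123", "Parasites, Hijackers and Spyware Domains", "2009-09-16 17:30:04"),
    ("123.123.123.123", "Russian Business Network", "2010-12-06 10:00:03"),
    ("123.123.123.123", "Russian Business Network", "2011-04-12 00:00:11"),
    ("203.0.113.9", "SSH_CRACKER", "2011-04-01 08:00:00"),   # constructed filler address
]

ASSUMED_NOW = parse_ts("2011-04-20 00:00:00")  # assumed time of the lookup

def reputation(observations, ip, now=ASSUMED_NOW, active_window=timedelta(days=30)):
    """One row per feed: first identified, most recently active, and whether
    the latest sighting falls inside active_window of 'now'."""
    per_feed = defaultdict(list)
    for obs_ip, feed, ts in observations:
        if obs_ip == ip:
            per_feed[feed].append(parse_ts(ts))
    record = []
    for feed, times in per_feed.items():
        first, last = min(times), max(times)
        record.append({"feed": feed, "first": first, "last": last,
                       "active": now - last <= active_window})
    return sorted(record, key=lambda r: r["first"])

def should_block(observations, ip, now=ASSUMED_NOW):
    """Block when at least one feed has seen the address recently; a feed
    that is only historical is kept for context but does not block on its own."""
    return any(r["active"] for r in reputation(observations, ip, now))

if __name__ == "__main__":
    for r in reputation(OBSERVATIONS, "123.123.123.123"):
        state = "active" if r["active"] else "historical"
        print(f"{r['first']:%Y-%m-%d %H:%M:%S}  {r['last']:%Y-%m-%d %H:%M:%S}  {r['feed']} ({state})")
    print("block:", should_block(OBSERVATIONS, "123.123.123.123"))
```

Run against the post’s data, the SSH_CRACKER and spyware rows come out as historical and only the Russian Business Network row is active, which is precisely why the address was already on the block list when the Adobe zeroday started using it: the decision rests on the most recent sighting in any feed, not on anybody having analysed this particular exploit.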

Now it’s a good thing to run AV and update your Flash when a patch is released and so on, but none of these tools can protect against all zerodays – in fact by definition they won’t protect – so having an orthogonal protection mechanism is a good idea. IP reputation is precisely this orthogonal view of the problem and ThreatSTOP can get you protected in about an hour.
