Alienvault R&D Labs Portal. Get the latest news from our research.

Author Archives: jaime.blasco

Sykipot variant hijacks DOD and Windows smart cards

January 12th, 2012 | Posted by jaime.blasco in Attacks | Malware | News | Windows - (8 Comments)

Defenses of any sort, virtual or physical, are a means of forcing your attacker to attack you on your terms, not theirs. As we build more elaborate defenses within information security, we force our attacker’s hand. For instance, in many cases, implementing multi-factor authentication systems just forces the attacker to go after that system directly to achieve their goals. Take the breach at RSA, for example. It has been attributed to attackers who needed the SecurID information to go after their real targets in the defense industry.

Recently, our lab has been writing about Sykipot (see the earlier posts in this archive).

As we discussed, this malware has been used to launch targeted attacks via "spear phishing" campaigns against targets mainly in the US since around 2007. According to our research, these attacks originate from servers in China, with what appears to be the purpose of obtaining information from the defense sector: the same sector that makes extensive use of PC/SC X.509 smart cards for authentication.

Smartcards have a long history of usage in the Defense Sector, for both physical and information access management, and historically have merely forced attackers to route around the smartcard authentication system through other, more vulnerable attack vectors.

It should come as no surprise, then, that we recently discovered a variant of Sykipot with some new, interesting features that allow it to effectively hijack DOD and Windows smart cards. This variant, which appears to have been compiled in March 2011, has been seen in dozens of attack samples from the past year.

As we have shown with previous Sykipot attacks, the attackers use a spear phishing campaign to get their targets to open a PDF attachment, which then drops the Sykipot malware onto their machine (here the attackers took advantage of a zero-day exploit in Adobe Reader). Then, unlike previous strains, the malware uses a keylogger to steal the PINs for the cards. When a card is inserted into the reader, the malware can act as the authenticated user and access sensitive information. The malware is controlled by the attackers from the command & control server.

Here is more detail on the attack:

Smartcard access

The first new feature is a keylogger routine that runs in its own thread. The code is very basic: it stores the foreground window title and the keys pressed in a file named MSF5F0.dat, unencrypted, for example:

Title:Internet Explorer
www.google.es
Title:My Computer

It uses the Win32 API functions GetKeyState, GetAsyncKeyState, GetForegroundWindow and GetWindowTextA.

It also saves the contents of the clipboard using the native functions OpenClipboard, GetClipboardData and CloseClipboard.

This code is very similar to keyloggers seen in other APT toolkits, such as:

http://contagiodump.blogspot.com/2010/07/apt-activity-monitor-keylogger.html

Apart from this, we found two more modules that attracted our attention. The first is capable of listing all the certificates stored in the Windows certificate store. This routine is called if the command "cl" is present in the config file fetched from the C&C.

When you insert a smart card into a reader attached to a Windows computer, the certificate on the smart card is registered in the local certificate store on the client computer, so this listing also picks up the smart card certificates.

The second one is even more interesting. It loads:

C:\Program Files\ActivIdentity\ActivClient\acpkcs201.dll

which is the PKCS#11 module of ActivIdentity's ActivClient solution, i.e. the library an application uses to talk to the card (log in with the PIN, enumerate keys and certificates, sign).

ActivClient is a smart card-based PKI authentication solution for compliance with:

  • U.S. Government Smart Card Interoperability Specifications GSC-IS 2.1
  • U.S. General Services Administration (GSA) Basic Services Interface (BSI)

(In fact it is one of the platforms used to support the Department of Defense common access card – DoD CAC)

This routine is called if the command "cm" is present in the config file fetched from the C&C.


So the modus operandi of the attackers is to list the certificates present on the victim's computer, including those on smart cards, steal the PIN with the keylogger module, and then use that information to log on to remote resources protected with certificates/smart cards.

To log on to protected resources they have implemented the command "krundll": if the C&C sends that command, the victim receives a new DLL that implements the code required to log in with the certificate and the stolen PIN. This DLL exports the functions "LoginFunc" and "GetFunc", whose code depends on the application being targeted.

Summary

We have seen how the attackers are implementing different techniques to bypass two-factor authentication with smart card/PIN to access protected resources on the victim's network. By capturing the PIN for the smart card and binding it to the certificate, the malware can silently use the card to authenticate to secure resources, as long as the card remains physically present in the reader. This is similar to what Mandiant described in the 2011 M-Trends report as a "Smart Card Proxy". While trojans that target smart cards are not new, there is obvious significance to the targeting of a particular smart card system in wide deployment by the US DoD and other government agencies, particularly given the nature of the information the attackers seem to be targeting for exfiltration.

Implications

As defenses get better, attackers will continue to change their tactics to adapt and, as seen here, will hijack the very systems designed to provide more security if necessary. An interesting by-product of this malware's need to have the card physically present is that the attackers can only leverage it to authenticate to target systems while the user is physically present at the workstation, which makes the unauthorized activity that much more difficult to discern from legitimate usage. Although smart cards are designed to provide a two-factor "chip and PIN" system, again we see that true two-factor authentication is not possible without a physical component that cannot be driven from the compromised host: the PIN is typed into the keylogger, and the card answers whatever the malware sends it while it sits in the reader.


For several weeks there has been a great deal of talk about the “undeclared global cyber war”. There have been accusations that China is stealing almost anything they choose and that they have a “shopping list” that gives priority to key industries like:

  1. Clean energy industry
  2. Biotechnology
  3. Semiconductors
  4. Information technology
  5. Aerospace technology
  6. Medical technology

This month, Lockheed Martin raised the alarm on an Adobe Reader zero-day exploit that was being exploited in the wild. Once again the payload dropped was Sykipot, a known malware family that has appeared several times in combination with zero-day exploits and has been used to launch targeted attacks since 2007. The list of known zero-day exploits used by Sykipot's authors over these years is as follows:

CVE            Date        Product
CVE-2007-0671  2007-02-02  Microsoft Excel
CVE-2009-3957  2010-12-01  Adobe Reader
CVE-2010-0806  2010-05-04  Internet Explorer
CVE-2010-2883  2010-09-08  Adobe Reader
CVE-2010-3654  2010-10-28  Adobe Flash Player
CVE-2011-2462  2011-12-06  Adobe Reader

The “drone” campaign

There have been a lot of different campaigns with different command-and-control servers. The modus operandi is simple: they send emails with a malicious attachment or link, sometimes using a zero-day exploit, to key employees of different organizations.

In most of the campaigns the malware dropped displays some document or media attractive to the victim. After analyzing most of the campaigns, we discovered a group of samples connecting to the same C&C server that attracted our attention because of the media displayed after the infection.

All the content is related to US UCAVs (unmanned combat air vehicles).

We can imagine that this campaign targets organizations related to the technology used in these vehicles, such as the aerospace and military industries.

Some of the mails used contain attachments with names like:

  • X-37B Orbital Test Vehicle.scr
  • X-45b.scr

With the information we collected it appears that this campaign has been running for months. The domain used for the C&C server was registered on 2011-03-04 and we detected two different campaigns with timestamps on 09/08/2011 and 09/26/2011.

Here is the list of analyzed samples:

MD5                               Creation Date                                Campaign String
d978d8071c19a4aca13b4180d250f4db  09/08/2011 13:16:19                          -help20110908
425c0856e5aec8bdf91ac0cf5aec2805  04/19/2011 12:55:24 / 09/08/2011 13:16:19    -help20110908
cb0ceb37e2eb11ea4ee5090a09fd8b4d  09/26/2011 09:16:19                          -help20110926
6f8601931c450e1f79ae560f4de98665  04/19/2011 12:55:24 / 09/26/2011 09:16:40    -help20110926
23309fbec1b3a063415c00fbeb50ee66  04/19/2011 12:55:24 / 09/26/2011 09:16:40    -help20110926
e36a8ff79bc641530071da6c8b8f15d7  04/19/2011 12:55:24 / 09/26/2011 09:16:40    -help20110926
45b8cb1b9aa3c22ff10a2a00deed82a6  04/19/2011 12:55:24 / 09/08/2011 13:16:19    -help20110908
bf61f5d008c385b63429127849998745  04/19/2011 12:55:24 / 09/08/2011 13:16:19    -help20110908
248def2faa654efb0fb4c4d594757957  04/19/2011 12:55:24 / 09/08/2011 13:16:19    -help20110908
08883b00a3969db54bbfb7bb1a20b531  09/08/2011 13:16:05                          -help20110908
5144c11008eae61f7c654794b00b119d  04/19/2011 12:55:24 / 09/08/2011 13:16:19    -help20110908

As we have discussed previously, the trojan injects itself into the Internet Explorer, Firefox or Outlook process memory and then connects to the C&C server, retrieving an encrypted configuration file with commands to execute on the victim's system, and sends the results back to the C&C server. In this case the config file is as follows:

C:\DOCUME~1\user\CONFIG~1\gthelp.tmp,0
iexplore
findpass2000
process
ipconfig /all
net start
net view /domain
net group "domain admins" /domain
tasklist /v
net localgroup administrators
dir c:\*.url /s
systeminfo
type c:\boot.ini
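The config file above is a fixed list of host-reconnaissance commands that run under whichever process the Sykipot DLL was injected into (Internet Explorer, Firefox or Outlook). That parent/child relationship is the thing to alert on: administrators run ipconfig and tasklist all day, but a browser or mail client has no business launching net group "domain admins" /domain. The following is an added example (not AlienVault's code) that applies that check over a constructed, simplified process-creation log. The log format, the assumption that the recon commands appear as children of the injected process, the pattern list and the burst threshold are all assumptions for this example.

```python
"""Flag Sykipot-style host reconnaissance spawned by an injected browser or
mail client.

Added example, not AlienVault code. Sykipot's DLL lives inside iexplore,
firefox or outlook and runs the commands from the C&C config file, so the
signal is not the commands themselves (admins run ipconfig too) but the
parent that launched them and the burst they arrive in. The log format
below is a constructed, simplified process-creation record; the pattern
list and burst threshold are assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Processes the analysis above says Sykipot injects into.
INJECTED_PARENTS = {"iexplore.exe", "firefox.exe", "outlook.exe"}

# Command lines from the recovered config file, as regexes over the child
# command line once any "cmd.exe /c" wrapper has been stripped.
RECON_PATTERNS = [
    r"^ipconfig(\.exe)?\s+/all",
    r"^net(\.exe)?\s+start\b",
    r"^net(\.exe)?\s+view\s+/domain",
    r'^net(\.exe)?\s+group\s+"?domain admins"?\s+/domain',
    r"^net(\.exe)?\s+localgroup\s+administrators",
    r"^tasklist(\.exe)?\s+/v",
    r"^systeminfo(\.exe)?\b",
    r"^dir\s+c:\\\*\.url\s+/s",
    r"^type\s+c:\\boot\.ini",
]
RECON_RE = [re.compile(p, re.IGNORECASE) for p in RECON_PATTERNS]
CMD_WRAPPER = re.compile(
    r'^"?(?:[a-z]:\\[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.IGNORECASE)

# Constructed sample log: "<ISO time>|<host>|<parent image>|<child command line>"
SAMPLE_LOG = """\
2011-09-08T13:20:01|WS-0042|explorer.exe|C:\\Program Files\\Internet Explorer\\iexplore.exe
2011-09-08T13:20:09|WS-0042|iexplore.exe|cmd.exe /c ipconfig /all
2011-09-08T13:20:10|WS-0042|iexplore.exe|cmd.exe /c net start
2011-09-08T13:20:11|WS-0042|iexplore.exe|cmd.exe /c net view /domain
2011-09-08T13:20:12|WS-0042|iexplore.exe|cmd.exe /c net group "domain admins" /domain
2011-09-08T13:20:13|WS-0042|iexplore.exe|cmd.exe /c tasklist /v
2011-09-08T13:20:14|WS-0042|iexplore.exe|cmd.exe /c systeminfo
2011-09-08T14:02:33|WS-0077|cmd.exe|ipconfig /all
2011-09-08T14:05:10|WS-0077|outlook.exe|C:\\Windows\\System32\\WerFault.exe -u -p 1234
2011-09-08T15:30:00|WS-0099|firefox.exe|cmd.exe /c ipconfig /all
"""


def parse_log(text):
    """Parse the constructed log into records with datetime objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmdline = line.split("|", 3)
        records.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                        "host": host, "parent": parent.lower(),
                        "cmdline": cmdline})
    return records


def strip_cmd_wrapper(cmdline):
    """'cmd.exe /c ipconfig /all' -> 'ipconfig /all'; other lines unchanged."""
    m = CMD_WRAPPER.match(cmdline.strip())
    return m.group(1).strip() if m else cmdline.strip()


def is_recon(cmdline):
    cmd = strip_cmd_wrapper(cmdline)
    return any(rx.search(cmd) for rx in RECON_RE)


def find_recon_bursts(records, window=timedelta(minutes=5), min_hits=3):
    """One alert per (host, injected parent) that launched at least
    min_hits recon commands inside a single time window."""
    hits = defaultdict(list)
    for r in records:
        if r["parent"] in INJECTED_PARENTS and is_recon(r["cmdline"]):
            hits[(r["host"], r["parent"])].append(
                (r["time"], strip_cmd_wrapper(r["cmdline"])))
    alerts = []
    for (host, parent), events in hits.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            j = i
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            if j - i >= min_hits:
                alerts.append({"host": host, "parent": parent, "start": start,
                               "commands": [c for _, c in events[i:j]]})
                i = j          # consume the burst, look for the next one
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in find_recon_bursts(parse_log(SAMPLE_LOG)):
        print(f'{a["host"]}: {a["parent"]} ran {len(a["commands"])} recon '
              f'commands from {a["start"]:%H:%M:%S}: {", ".join(a["commands"])}')
```

Only WS-0042 fires: the cmd.exe-launched ipconfig on WS-0077 has a normal parent, WerFault under Outlook matches no recon pattern, and the single ipconfig under Firefox on WS-0099 stays below the burst threshold. Tune min_hits and the window to your telemetry; a single net group "domain admins" /domain under a browser is arguably worth an alert on its own.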


Apart from this, the C&C mechanism permits the following actions:

  1. cmd
  2. shell
  3. run
  4. getfile
  5. putfile
  6. kill
  7. process
  8. reboot
  9. time
  10. door

Tracing C&C servers

After an analysis of the different domains used this year by Sykipot and the C&C headers and data, we discovered that they were using hacked servers mainly in the US to mask the real C&C server.

It appears that they used well-known public exploits to hack into US-based servers and then installed software to proxy the connections between the infected systems and the real C&C server.

We realized that most of the C&C servers were running a webserver called “Netbox” (http://www.netbox.cn) and most of them were using a self-signed certificate with the following subject:

/C=US/ST=North Carolina/L=Salisbury/O=Internet Widgits Pty Ltd/OU=VeriSign Trust Network/CN=ITU Server/emailAddress=marry.smith@ltu.edu

After a short investigation on the Netbox webserver, we learnt that it is a windows based webserver that allows developers to compile and deploy ASP web applications into a stand-alone executable file.

We also checked Shodan and discovered that there were only a couple of thousand servers running this webserver, and nearly 80% of them were located in China.

With this information, we thought there was a good chance of locating these servers in Chinese network ranges, so we began to search for Netbox servers running SSL on port 443 with a certificate issued to marry.smith@ltu.edu on the main Chinese ISPs.

After some time we confirmed our suspicion: we found 7 IP addresses belonging to the "China Unicom Beijing province network" that matched our criteria.

Six of them were pointing to the same webserver (same certificate, same headers, same timestamps), so it appears they are using those machines to proxy the connections as well, but we don't know if one of them is the final C&C server.

Here is the certificate information (provided as a download in the original post).

There was another server serving a different certificate that seems to point to a different C&C server (certificate also provided as a download).

Here is the Map with the active redirections (2011-12-17):

As we can see, the malware authors are masking the C&C behind US servers in order to make the connections less suspicious, as well as using SSL certificates that contain a mail address from Lawrence Tech University (marry.smith@ltu.edu).

They are using the default organization name that OpenSSL suggests when generating a certificate request ("Internet Widgits Pty Ltd"). I have seen this behavior in other malware's C&C. In order to detect a remote site serving this kind of certificate it is good to run the following IDS signature:

alert tcp any 443 -> any any (msg:"POLICY self-signed certificate default organization name detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"Internet Widgits Pty Ltd"; within:400; classtype:bad-unknown; sid:1000001; rev:8;)

Apart from this rule, I think it is good to run the following rules for a while to detect the certificate serial number and any other certificate they may serve using the marry.smith@ltu.edu mail address (each rule needs its own sid, in the local range):

alert tcp any 443 -> any any (msg:"MALWARE Sykipot certificate serial number detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"|00 ec 32 09 67 c9 34 3f 50|"; within:30; classtype:bad-unknown; sid:1000002; rev:8;)
alert tcp any 443 -> any any (msg:"MALWARE Sykipot certificate subject emailAddress detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"marry.smith@ltu.edu"; within:400; classtype:bad-unknown; sid:1000003; rev:8;)
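The three rules above key on bytes inside the TLS Certificate handshake message: the record type 0x16, the handshake type 0x0b, the DER serial number (with the leading 0x00 that DER adds because the first serial byte, 0xec, has its high bit set), the subject organization and the subject emailAddress. As an added example (not from the post), the following Python extracts those same indicators from such a message, which is the offline counterpart of the Shodan pivot described earlier. The certificate bytes are constructed in the script with a small DER encoder so it runs without network access; the subject and serial number are the ones from the post, while the issuer (equal to the subject, self-signed), validity, key and signature are placeholders.

```python
"""Pull the indicators the IDS rules above key on (DER serial, subject
organization, subject emailAddress) out of a TLS Certificate message.
Added example, not AlienVault code: the certificate is built with a tiny DER
encoder so this runs offline; subject and serial are the post's, issuer
(= subject), validity, key and signature are placeholders. TBSCertificate is
walked positionally: [0] version, serial, signature, issuer, validity, subject.
"""

def der(tag, body):                        # minimal DER TLV encoder
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(value):
    # DER INTEGER is signed: a leading 0x00 keeps a high-bit first byte
    # positive, which is why the rule's pattern starts with |00 ec ...|.
    return der(0x02, (b"\x00" if value[0] & 0x80 else b"") + value)

def der_name(attrs):
    # Name ::= SEQUENCE OF (SET OF SEQUENCE { OID, value })
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, oid) + der(t, v)))
                              for oid, t, v in attrs))

OID_O, OID_CN = b"\x55\x04\x0a", b"\x55\x04\x03"
OID_EMAIL = b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01"     # pkcs-9 emailAddress
P, IA5 = 0x13, 0x16                                     # PrintableString, IA5String
SUBJECT = [                                             # subject from the post
    (b"\x55\x04\x06", P, b"US"), (b"\x55\x04\x08", P, b"North Carolina"),
    (b"\x55\x04\x07", P, b"Salisbury"), (OID_O, P, b"Internet Widgits Pty Ltd"),
    (b"\x55\x04\x0b", P, b"VeriSign Trust Network"), (OID_CN, P, b"ITU Server"),
    (OID_EMAIL, IA5, b"marry.smith@ltu.edu")]
SERIAL = bytes.fromhex("ec320967c9343f50")              # from the post's rule

def build_sample_certificate():
    tbs = (der(0xa0, der(0x02, b"\x02"))                # [0] EXPLICIT version v3
           + der_int(SERIAL)
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))  # sha1WithRSA
           + der_name(SUBJECT)                          # issuer (self-signed)
           + der(0x30, der(0x17, b"111217000000Z") + der(0x17, b"121216000000Z"))
           + der_name(SUBJECT)                          # subject
           + der(0x30, b"\x00" * 16))                   # placeholder SPKI
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00" * 9))

def build_certificate_handshake(cert):
    """Certificate handshake (type 0x0b) inside a TLS handshake record (0x16)."""
    entry = len(cert).to_bytes(3, "big") + cert
    body = len(entry).to_bytes(3, "big") + entry
    hs = b"\x0b" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def read_tlv(buf, pos):                    # minimal DER TLV decoder
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def name_strings(name_body):
    """Flatten a Name into [(oid_hex, text), ...] in DER order."""
    return [(children(atv)[0][1].hex(), children(atv)[1][1].decode("latin-1"))
            for _, rdn in children(name_body) for _, atv in children(rdn)]

def extract_certificate(record):
    """First certificate of certificate_list in a Certificate message."""
    if record[0] != 0x16 or record[5] != 0x0b:
        raise ValueError("not a TLS Certificate handshake record")
    certs = record[12:]                    # record hdr(5)+hs type(1)+len(3)+list len(3)
    return certs[3:3 + int.from_bytes(certs[:3], "big")]

def certificate_indicators(cert):
    _, cert_body, _ = read_tlv(cert, 0)
    fields = children(children(cert_body)[0][1])        # TBSCertificate
    if fields[0][0] == 0xa0:                            # optional version
        fields = fields[1:]
    issuer, subject = name_strings(fields[2][1]), name_strings(fields[4][1])
    attrs = dict(subject)
    return {"serial_hex": fields[0][1].hex(),           # as encoded, 00 kept
            "self_signed": issuer == subject,
            "organization": attrs.get(OID_O.hex()),
            "common_name": attrs.get(OID_CN.hex()),
            "email": attrs.get(OID_EMAIL.hex())}

def sykipot_cert_reasons(ind):
    """The three hunting criteria from the post, one reason per hit."""
    reasons = []
    if ind["self_signed"] and ind["organization"] == "Internet Widgits Pty Ltd":
        reasons.append("self-signed with OpenSSL's default organization name")
    if ind["email"] == "marry.smith@ltu.edu":
        reasons.append("subject emailAddress marry.smith@ltu.edu")
    if ind["serial_hex"] == "00ec320967c9343f50":
        reasons.append("serial 00:ec:32:09:67:c9:34:3f:50")
    return reasons

if __name__ == "__main__":
    ind = certificate_indicators(extract_certificate(
        build_certificate_handshake(build_sample_certificate())))
    print(ind, sykipot_cert_reasons(ind))
```

The decoder can equally be pointed at a certificate carved from a pcap or base64-decoded from openssl s_client -showcerts output. One caveat before deploying the rules: the within distances assume a particular DER layout (the length encodings of the outer SEQUENCEs and whether the certificate carries the explicit version field), so confirm them against a capture of the actual certificate rather than trusting the numbers.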

Who is behind Sykipot

We shouldn't jump to conclusions, but whoever is behind Sykipot is massively collecting information from targeted victims across dozens of industries.

It's true that the malware isn't too sophisticated, but it is associated with at least six zero-day attacks, which require skills and/or money. Anyway, we have seen that "not too sophisticated malware" works; see Shady RAT, for instance, which targeted organizations ranging from defense contractors to accounting firms.

On the other hand, we have identified at least six Chinese IP addresses that are used to proxy or host the C&C servers. We also identified a tool that the Sykipot authors use to package and create campaigns; some of the samples contain error messages in Chinese.

Apart from this, the "Netbox" (http://www.netbox.cn) webserver used on the C&C servers is mainly used by Chinese speakers. In fact, all the documentation to set up and learn the framework is only available in Chinese.

Most of the domains used in these campaigns are registered with Xinnet, a Chinese registrar. The domain owner information (names, addresses, etc.) is also Chinese (not very relevant).

Finally, we linked one of the tools used to redirect traffic from the hacked servers to a tool called ZXPortMap:

http://read.pudn.com/downloads64/sourcecode/internet/proxy/225114/ZXPortMap.cpp__.htm

The tool seems to originate from China, from someone called LZX (lzx@qq.com), but anyone could have obtained the code and compiled it.

The last piece of information is a string embedded in all of the Sykipot binaries, "19990817", used for another layer of encryption. It could be the date Aug 17, 1999. The only notable event on that date was a magnitude 7.6 earthquake that killed around 17,000 people in Turkey (http://en.wikipedia.org/wiki/1999_%C4%B0zmit_earthquake).

Some have said that cyberwar does not exist. Draw your own conclusions.


Another Sykipot sample likely targeting US federal agencies

December 12th, 2011 | Posted by jaime.blasco in Attacks | Blog | Exploits | Malware - (0 Comments)

Last week Adobe issued an advisory on a zero-day vulnerability (CVE-2011-2462) that has been used in targeted attacks, probably against defense contractors.

The payload used is Sykipot, a known malware family that has been connected with several targeted attacks and 0-days in the past.

During the analysis of this attack, I’ve found a new sample with a fresh command and control server (C&C).

MD5: 4d979bb626e1e61cc4fc0cefefaa3ec7

VirusTotal: submission date 2011-12-12 00:39:51 (UTC), result 25/43 (58.1%)

The binary drops a DLL:

FileName: WSE4EF1.TMP

MD5: 945FF23E9979A0867B7F3815BB0F9477

Timestamp: 22/11/2011

Original File Name: wship4.dll (IPv4 Helper DLL)

The original malware scans the list of running processes looking for outlook, iexplore or firefox. If one is found, it injects the DLL into that process.

After that, the binary opens a decoy PDF file, "FY 2012 Per Diem Rates – Effective October 1, 2011", which shows the continental United States ("CONUS") rates for travel expenses.

The injected DLL contacts XXXhksrv.hostdefence.net/asp/kys_allow_get.asp?name=getkys.kys to download an encrypted configuration file. This file contains several commands that the victim executes, sending the results back to the C&C server.

Example of configuration file:

iexplore
findpass2000
process
ipconfig /all
netstat -ano
net start
net view /domain
net group "domain admins" /domain
tasklist /v
net localgroup administrators
dir c:\*.url /s

The domain info is:

Domain Name: hostdefence.net

Registrant:

Amirhosein

Amirhosein       (parviz7415@yahoo.com)

No 806 8th building YuLin City GuangXi Province

Yu Lin

Guang Xi,537500

CN

Tel. +86.7756853792

Creation Date: 2011-11-14 15:35:24

Expiration Date: 2012-11-14 15:35:24


Massively collecting CRL and OCSP information

November 3rd, 2011 | Posted by jaime.blasco in Alienvault OSSIM | IP Reputation | Python - (0 Comments)

As part of the IP reputation project we are writing a small engine to avoid false positives by whitelisting some common IPs/networks.

Usually when you execute a signed binary in a sandbox, you see a lot of connections to the servers hosting the Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) responders.

To avoid processing these IPs, we use some scripts to parse and extract the most used CRL and OCSP servers, taking this information from certificates.

Right now we are using the EFF SSL Observatory dataset and also the Alexa Top 1M list.

Let's begin with the SSL Observatory database. Once the MySQL database is ready, execute the following SQL query to extract the OCSP URIs:


select `X509v3 extensions:Authority Information Access:OCSP - URI` as ocsp,count(*) as total INTO OUTFILE '/tmp/ocsp.csv' FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' from all_certs where `X509v3 extensions:Authority Information Access:OCSP - URI` is not NULL group by ocsp order by total desc;

Then you can use this script to parse the file:


tor@tor-VirtualBox:~$ python ocsp.py /tmp/ocsp.csv
ocsp.godaddy.com
ocsp.starfieldtech.com
ocsp.startssl.com
ocsp.cacert.org
ocsplevel101.ipsca.com
...

We can do the same for CRL entries using this other script:


tor@tor-VirtualBox:~$ python crl.py /tmp/crls.csv
crl.geotrust.com
crl.comodoca.com
crl.comodo.net
SVRIntl-crl.verisign.com
...

The other script I want to share parses the Alexa Top 1M list, fetches the SSL certificate if HTTPS is supported and then extracts the OCSP/CRL URIs:


jaimes-MacBook-Pro:PKIS jaime$ python2.7 alexa_top_certs.py

http://crl.thawte.com/ThawteSGCCA.crl

http://ocsp.thawte.com

http://SVRIntl-crl.verisign.com/SVRIntl.crl

http://ocsp.verisign.com

http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl

http://crl.geotrust.com/crls/secureca.crl

...

So, mixing the outputs, we have a list of the most used PKI servers that we can classify as normal activity.
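The ocsp.py and crl.py scripts themselves are not included in the post, so here is an added example (not AlienVault's code) of the step between the SQL dump and the whitelist: reading the OUTFILE CSV, splitting the fields that carry several URIs (CRL Distribution Points often list an http:// and an ldap:// URI in one column), normalising each to a lower-case hostname without port or path, and summing the certificate counts per host so that the whitelist can be cut at a share threshold instead of taking every host that ever appeared. The CSV lines are constructed to mimic the query's output; the share threshold is an assumption.

```python
"""Turn raw OCSP/CRL URI dumps into a hostname whitelist.

Added example, not the ocsp.py/crl.py scripts from the post (which were not
published). Input mimics the CSV the SQL query writes: "<uri>",<count>.
A CRL Distribution Points field may carry several URIs separated by
newlines or commas, including ldap:// ones; they are all counted against
their host so the whitelist can be cut at a share threshold.
"""
import csv
import io
import re
from collections import Counter
from urllib.parse import urlsplit

URI_RE = re.compile(r"(?:https?|ldap)://[^\s,\"']+", re.IGNORECASE)

# Constructed sample of what the query's OUTFILE would contain.
SAMPLE_CSV = '''\
"http://ocsp.godaddy.com/",240113
"http://ocsp.starfieldtech.com/",92341
"http://OCSP.StartSSL.com/sub/class1/server/ca",40011
"http://ocsp.cacert.org/",31224
"http://ocsp.godaddy.com",12009
"http://ocsplevel101.ipsca.com:8080/ocsp",2101
"http://crl.geotrust.com/crls/secureca.crl
ldap://directory.example-ca.test/CN=Root%20CA?certificateRevocationList",5004
"",11
'''


def parse_uri_counts(text):
    """Yield (uri, count) pairs, splitting fields that hold several URIs."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2 or not row[1].strip().isdigit():
            continue                      # header, blank or malformed row
        count = int(row[1])
        for uri in URI_RE.findall(row[0]):
            yield uri, count


def host_of(uri):
    """Bare lower-case hostname: scheme, port, path and query dropped."""
    return urlsplit(uri).hostname          # .hostname already lower-cases


def host_totals(text):
    """Certificates per host, merging URI variants of the same responder."""
    totals = Counter()
    for uri, count in parse_uri_counts(text):
        host = host_of(uri)
        if host:
            totals[host] += count
    return totals


def whitelist(text, min_share=0.001):
    """Hosts whose share of all certificates is at least min_share,
    most common first."""
    totals = host_totals(text)
    grand = sum(totals.values())
    return [h for h, n in totals.most_common() if grand and n / grand >= min_share]


if __name__ == "__main__":
    for host, n in host_totals(SAMPLE_CSV).most_common():
        print(f"{n:>8}  {host}")
    print("whitelist (>=1%):", whitelist(SAMPLE_CSV, min_share=0.01))
```

Note that the two ocsp.godaddy.com spellings collapse into one host, the mixed-case StartSSL URI and the ipsca port disappear into bare hostnames, and the ldap:// distribution point is kept: sandboxes resolve and contact those too. The threshold is there because a one-off responder seen in a handful of certificates is exactly the kind of host an attacker could register to hide in the "PKI noise".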

Advisory: Cisco IOS HTTP client DoS

October 18th, 2011 | Posted by jaime.blasco in Advisory | Blog | Vulnerability Management - (0 Comments)

DESCRIPTION:
There is a problem with the HTTP client implementation in Cisco IOS. If an administrator loads an application service via these commands:

router#config
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#application
router(config-app)#service name http://ip_address/
router(config-app-param)#end

and the HTTP server responds with a specially crafted HTTP response, the device crashes.

AFFECTED VERSIONS:
The vulnerability has been detected across a wide range of Cisco IOS releases.

VENDOR RESPONSE:
http://tools.cisco.com/security/center/viewAlert.x?alertId=24436

CREDITS:
Jaime Blasco, Alienvault Labs