Read without ads and support Scribd by becoming a Scribd Premium Reader.
See Premium Plans
 
The“MSUpdater”Trojan
AndOngoingTargetedAttacks
AZscalerandSeculertJointReport
©2012ZscalerInc.andSeculertLtd.AllRightsReserved.
Contents
CONTENTS...................................................................................................................1OVERVIEW...................................................................................................................1“MSUPDATER”TROJANINCIDENTSOBSERVED.............................................................2OSINTAGGREGATIONANDCORRELATION...................................................................2INFECTION
VECTOR:
PHISHING
EMAIL
WITH
MALICIOUS
ATTACHMENT........................3RELATED
BACKDOOR
/
BEACONING
PATTERN
..................................................................
3
SEPTEMBER2010CVE-2010-2883PDFPHISH................................................................5SEPTEMBER23,2010ISSNIPPHISHINGEMAILWITHMALICIOUSATTACHMENT………….8RELATED
ANTIVIRUS
VENDOR
“FAMILY”
NAMES..........................................................9“CONFERENCE”LURE.................................................................................................10CLOSINGREMARKS....................................................................................................11APPENDIXA:CONSOLIDATEDLISTOFMALICIOUSMD5HASHES................................13
Overview
ResearchersfromZscalerandSeculertseparatelyidentifiedincidentsandthreatsdiscussedinthisreport.Withinaprivatesecurityforumwediscussedanddeterminedthatwehadidentifiedrelatedincidents.ZscalerandSeculertcollaboratedonthisreporttoaggregateandcorrelateourfindingsalongwithopen-sourceintelligence(OSINT)todetailalesser-known“MSUpdater”remoteaccessTrojan(RAT)anditslinkagetocurrenttargetedattacksandothersdatingbacktoatleastearly2009.Foreignanddomestic(UnitedStates)companieswithintellectualpropertydealinginaero/geospaceanddefenseseemtobesomeoftherecentindustriestargetedintheseattacks.Thegoalofthisreportistoaggregateinformation,drawsomecorrelations,andprovideanoverviewofthisthreattofacilitateitsidentification,detection,andfunctionality.Withthisgoalinmind,wealsoaimnottorevealanythingthatmightdisruptanyinvestigationsorstatesomethingwithoutadditionalopen-sourcecorroboration.Weassecurityresearchersbelievethatoursuccessisnotmeasuredbyhowmuchinformationwecollect,butinhowweuseandsharetheinformationtobettersecureandprotecttheInternetcommunityfromthreats.Wehopethattheinformationwithinthisreporthelpstodetectandremediatethisthreatwithinorganizations.
 
2
©2012ZscalerInc.andSeculertLtd.AllRightsReserved.
“MSUpdater”TrojanIncidentsObserved
ZscalerandSeculertseparatelyidentifiedsecurityincidentswhereinfectedcustomersinthefore-mentionedindustrieshadcommandandcontrol(C&C)beaconsmatchingthebelowpatterns.StandardMicrosoftInternetExploreruser-agentstrings(versions6–8)wereobservedfortheC&Ccommunications.Themostoftenobservedpattern,andlikelytheC&C“check-in”behaviorfollowedthepattern:
 
HTTPGETrequeststothepath:/microsoftupdate/getupdate/default.aspx?ID=[num1]para1=[num2]para2=[num3]para3=[num4]Wherethe[num]fieldsareplaceholdersforparameterspassedbythevictimintheformofnumbers.OtherpatternsobservedfromtheinfectedhoststotheC&Cswere:
 
HTTPGETandPOSTrequeststothepath:/microsoft/errorpost/default/connect.aspx?ID=[num1]
 
HTTPPOSTstothepath:/microsoft/errorpost/default.aspx?ID=[num1]ClearlytheabovepatternsaretryingtoappearasthoughtheyarerelatedtoMicrosoft’s“WindowsUpdate”serviceversussomethingmalicious.Aclear,commonnameforthisparticularthreatdidnotseemtoemergeintheopen-source,sowehavecommonlyreferredtothisthreatfamilyasthe“MSUpdater”Trojan.ThefirsttimethispatternwasloggedintraffictraversingZscaler’sCloudinfrastructurewason12/25/2010(Christmasday).ItislikelythattheChristmasdayinfectionresultedfromatargetedphishingemailasrelatedattacksinthisreportidentifythisastheinfectionvector.NosuspiciouswebtransactionswereobservedfromtheinfectedhostpriortotheC&Cbeaconing.SeculertFogSenseCloud-basedserviceobservedinstancesofthissameinfectedbeaconingpatternfortheircustomersasearlyasMarch2010.ZscalerandSeculerteachidentifiedtheseinfectionsseparatelybyconductingtrafficanalysistoidentifypreviouslyunknownthreatstothenprotecttheircustomers.Open-sourceintelligence(OSINT)onthebeaconingpatternsweobservedprovidedadditionalinformationtothispreviousthreat.
OSINTAggregationandCorrelation
Inadditiontoindustrycollaborationtobetterunderstandandprotectagainstthreats,“Google”ormorespecificallyOSINTisavaluableresourcewhenlookinginto“unidentified”threats.Thefollowingprovidessomedetailsaboutwhatisknownandhasbeendiscussedintheopen-sourcerelatedtothisthreat.
 
3
©2012ZscalerInc.andSeculertLtd.AllRightsReserved.
InfectionVector:PhishingEmailwithMaliciousAttachment
Apubliclyavailablepresentationfrom
Sword&ShieldEnterpriseSecurityInc.
1
includesaslidediscussingthecorrelationofamaliciousphishingattachmenttoC&Cbeaconingthatresemblesthesamepatternidentifiedabove.Specifically,thepresentationprovidesascreenshotofanassociatedmaliciousphishingemailshowingthatitwassentApril28,2011withthesubject“InformationforContractor”and“chap6.pdf”attachment:
Figure1Screenshotof4/28/2011Phish
ThepresentationthengoesontoshowthatopeningthePDFattachmentexploitedavulnerabilityandcausedaprocessnamed“GoogleTray.exe”tolaunchandconnectto:
 
mail.hfmforum.com/microsoftupdate/getupdate/default.aspx
RelatedBackdoor/BeaconingPattern
BylinkingdomainregistrationinformationfromsomeoftheC&Csobserved,wewereabletodetermineotherC&Cdomainsusedbythismaliciousactor/group.Aspecificexampleofthiswasthefollowingregistrationinformationobservedina“MSUpdater”TrojanC&Cdomain:
1
http://ilta.ebiz.uapps.net/ProductFiles/productfiles/782804/2011siems.pptx
Search
Search History:
Searching...
Result 00 of 00
00 results for result for
  • p.
    • Notes
    Load more