
Black Hat USA: Malware Freak Show 2010: The Client-Side Boogaloo

By Nicholas J. Percoco (@c7five) and Jibran Ilyas

The SpiderLabs guys had a busy year. They investigated over 200 incidents in 24 different countries and collected a large number of malware samples along the way. Building on last year's DEFCON talk, they dive deeper and present the most interesting samples from around the world.

This talk brings you 4 new freaks and 4 new victims, including a sports bar in Miami, an online adult toy store, a US defense contractor and an international VoIP provider.

The malware being demoed consists of very advanced pieces of software written by very skilled developers. The complexity of their propagation, control channels, anti-forensic techniques and data exfiltration will be of interest to anyone following this topic, even though the major categories have stayed the same.

Malware comes in several categories: keyboard loggers, screen loggers and memory scrapers. Disk scrapers are not very popular because they are slow and are noticed too easily due to the heavy disk activity they cause. There are three basic ways to own a system: Physical, Easy and Uber. Physical means inserting something like a USB stick or a hardware keylogger. Easy is, for example, via publicly exposed RDP and default passwords.

Malware is getting much harder to detect because it is better tested and uses stealthier techniques such as rootkits.

Sample SL2009-127 – Memory Rootkit Malware – Captain Brain Drain

The malware consisted of three files: Loader.exe, ramsys32.sys and searcher.dll. The loader installed the .sys file, which was the rootkit. The main objective was to steal credit card data from a Miami sports bar. All the data is stored in a system file in the Windows system directory and is automatically uploaded to the criminals at 10pm every night.

Sample SL2010-018 – Windows Credential Stealer – Don’t Call Me Gina

This malware consists of three files: fsgina.ddl, fsgina.dll and timestop.exe, which allows the attacker to change the access and creation timestamps of the files it creates. Upon installation the malware sets the timestamps of fsgina.ddl to those of msgina.dll, so that the file appears to have been created when the system was installed; this applies to all dates, including those in the master file table (MFT). Next the registry is modified to load fsgina.dll in front of msgina.dll. The fsgina.dll looks just like msgina.dll and even functions the same, not letting in users who enter the wrong credentials, but it captures and stores every account name and password entered.

Msgina is the DLL that handles the graphical logon screen.
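Two host-side triage checks for this sample's technique, as an added example (not code from the talk or from SpiderLabs): the first inspects the Winlogon GinaDLL registry value (a real Windows XP-era setting that the write-up does not name; absent means the default msgina.dll is used), the second applies the common forensic heuristic that a $STANDARD_INFORMATION creation time earlier than the file's own $FILE_NAME creation time indicates timestomping. The heuristic, the record format and all sample values are assumptions of this example.

```python
"""Added example (not from the talk or from SpiderLabs): triage checks for a
look-alike GINA DLL and backdated file timestamps. All input is constructed."""
from dataclasses import dataclass
from datetime import datetime

# Real registry location of the GINA setting on Windows XP/2003-era systems:
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value "GinaDLL".
# An absent value means the default msgina.dll is used.
EXPECTED_GINA = "msgina.dll"


@dataclass
class FileRecord:
    """Timestamps an MFT parser would report for one file (constructed here)."""
    path: str
    si_created: datetime  # $STANDARD_INFORMATION creation time (writable via SetFileTime)
    fn_created: datetime  # $FILE_NAME creation time (not reachable via SetFileTime)


def check_gina_value(winlogon_values: dict) -> list:
    """Flag a GinaDLL value that names anything other than msgina.dll."""
    gina = winlogon_values.get("GinaDLL")
    if gina is None:
        return []
    name = gina.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name != EXPECTED_GINA:
        return [f"Winlogon\\GinaDLL = {gina!r} (expected {EXPECTED_GINA})"]
    return []


def check_timestomp(records) -> list:
    """Heuristic (assumption of this example): SetFileTime-style backdating
    rewrites $SI but not $FN, so $SI created < $FN created is a timestomping
    indicator. Files sharing the OS install time are NOT flagged by this."""
    findings = []
    for r in records:
        if r.si_created < r.fn_created:
            findings.append(
                f"{r.path}: $SI created {r.si_created:%Y-%m-%d %H:%M:%S} predates "
                f"$FN created {r.fn_created:%Y-%m-%d %H:%M:%S}"
            )
    return findings


def triage(winlogon_values, records) -> list:
    return check_gina_value(winlogon_values) + check_timestomp(records)


# Constructed sample: a Winlogon key pointing at a look-alike GINA, and an MFT
# extract where fsgina.dll has been backdated to msgina.dll's install time.
SAMPLE_WINLOGON = {"Shell": "explorer.exe",
                   "GinaDLL": "C:\\WINDOWS\\system32\\fsgina.dll"}
SAMPLE_RECORDS = [
    FileRecord("C:\\WINDOWS\\system32\\msgina.dll",
               datetime(2004, 8, 4, 12, 0, 0), datetime(2004, 8, 4, 12, 0, 0)),
    FileRecord("C:\\WINDOWS\\system32\\fsgina.dll",
               datetime(2004, 8, 4, 12, 0, 0), datetime(2010, 3, 2, 3, 14, 7)),
    FileRecord("C:\\WINDOWS\\system32\\notepad.exe",
               datetime(2004, 8, 4, 12, 0, 0), datetime(2004, 8, 4, 12, 0, 0)),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_WINLOGON, SAMPLE_RECORDS):
        print(finding)
```

The $SI/$FN comparison is deliberately the only timestamp test: genuine OS files all share the install timestamp, so "same creation time as msgina.dll" on its own would flag half of system32.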

Sample SL2009-143 – Network Sniffer Rootkit – Clandestine Transit Authority

This malware was found on the systems of an international VoIP provider with about 80,000 clients. It was a typical rootkit that captured credit card data, but instead of taking the track data from memory it logged all network packets that contained track data. The captured data was uploaded to an FTP server at 01:00, when everybody is asleep. The malware compresses the data in RAR format and password-protects the RAR file to avoid detection by IDS systems.
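Both this sample and the sports-bar rootkit above upload at a fixed quiet-hours time every night, and the password-protected RAR means content inspection sees nothing. The one thing left to detect is the schedule itself. The following is an added example (not code from the talk or from SpiderLabs) that groups outbound flows by source, destination and port, buckets them by time of day and reports pairs that recur on several nights. The flow format, the quiet-hours window and the sample records are all constructed for this example.

```python
"""Added example (not from the talk or from SpiderLabs): find outbound
transfers that recur at the same quiet-hours time of day across several
days. The flow records below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: "<ISO timestamp> <src> <dst> <dport> <bytes>"
SAMPLE_FLOWS = """\
2010-06-01T13:05:40 10.1.1.20 198.51.100.4 443 2048
2010-06-01T22:00:12 10.1.1.20 203.0.113.9 21 184320
2010-06-02T14:11:03 10.1.1.21 198.51.100.4 443 4096
2010-06-02T22:00:09 10.1.1.20 203.0.113.9 21 190112
2010-06-03T01:00:02 10.1.1.30 203.0.113.77 21 9123456
2010-06-03T22:00:15 10.1.1.20 203.0.113.9 21 177000
2010-06-04T01:00:05 10.1.1.30 203.0.113.77 21 8700001
2010-06-04T22:00:11 10.1.1.20 203.0.113.9 21 181000
2010-06-05T01:00:03 10.1.1.30 203.0.113.77 21 9001122
2010-06-05T09:30:00 10.1.1.20 198.51.100.4 443 1500
"""


def parse_flows(text):
    """Parse the constructed record format into (datetime, src, dst, dport, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def in_quiet_hours(hour, start=20, end=6):
    """Quiet window wraps midnight: 20:00 through 05:59 by default (assumption)."""
    return hour >= start or hour < end


def find_scheduled_exfil(flows, min_days=3, window_minutes=5):
    """Bucket each (src, dst, dport) by time of day and report buckets that
    recur on at least min_days distinct days during quiet hours."""
    buckets = defaultdict(lambda: {"days": set(), "bytes": 0})
    for ts, src, dst, dport, nbytes in flows:
        seconds = ts.hour * 3600 + ts.minute * 60 + ts.second
        key = (src, dst, dport, seconds // (window_minutes * 60))
        buckets[key]["days"].add(ts.date())
        buckets[key]["bytes"] += nbytes

    hits = []
    for (src, dst, dport, bucket), info in sorted(buckets.items()):
        hour, minute = divmod(bucket * window_minutes, 60)
        if len(info["days"]) >= min_days and in_quiet_hours(hour):
            hits.append({
                "src": src, "dst": dst, "dport": dport,
                "time_of_day": f"{hour:02d}:{minute:02d}",
                "days": len(info["days"]), "bytes": info["bytes"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_scheduled_exfil(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

On the constructed data this reports the nightly 22:00 FTP transfers from 10.1.1.20 and the 01:00 transfers from 10.1.1.30, while the daytime HTTPS traffic on one-off days stays quiet. A fixed-size bucket can split a schedule that drifts across a bucket edge; widening `window_minutes` or checking neighbouring buckets is the usual fix.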

Sample SL2010-007 – Client-Side PDF Attack – Dwight’s Duper

This attack was performed against a US defense contractor. The malware was spread by a specially crafted email with an attached PDF that exploited the system. The email was very impressive: it came from the right sender, used his email signature lines and was written in the kind of language used in the organisation.

The malicious PDF first extracts all the files it needs and then displays another PDF with the content you would expect. The malware grabs everything in the My Documents folder, steals Firefox passwords and FTPs them off.
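A dropper PDF of the kind described needs active-content features (embedded files, launch actions, JavaScript fired by an open action) that a document which only needs to display text has no use for, so counting those name objects is a useful first triage step. The following is an added example (not code from the talk or from SpiderLabs) in the style of pdfid-type keyword counting; it decodes the `#xx` hex escapes that PDF names allow, since writing `/Java#53cript` is a common way to hide a keyword from naive scanners. The PDF fragments are constructed and not real samples.

```python
"""Added example (not from the talk or from SpiderLabs): static triage of a
PDF for active-content name objects. The PDF bytes below are constructed."""
import re

# Name objects that indicate active content; presence is not proof of malice,
# but a plain document has no reason to carry any of them.
SUSPICIOUS_NAMES = ["/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
                    "/EmbeddedFile", "/RichMedia"]


def normalise_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names (/Java#53cript == /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> dict:
    """Count each suspicious name after de-obfuscating hex escapes."""
    norm = normalise_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # The name must end at a delimiter so /JS does not match /JSX and
        # /EmbeddedFile does not count the /EmbeddedFiles name tree entry.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, norm))
    return counts


def triage(data: bytes) -> str:
    """'review' if anything can run code or drop a file, 'plain' otherwise."""
    if not data.startswith(b"%PDF-"):
        return "not-a-pdf"
    return "review" if sum(count_names(data).values()) else "plain"


# Constructed fragment shaped like a dropper: JavaScript run at open (with the
# keyword hex-escaped), an embedded file and a launch action.
SAMPLE_DROPPER = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R"
    b" /Names << /EmbeddedFiles 6 0 R >> >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.alert('decoy')) >> endobj\n"
    b"7 0 obj << /Type /Filespec /F (dropped.exe) /EF << /F 8 0 R >> >> endobj\n"
    b"8 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream\nendobj\n"
    b"9 0 obj << /S /Launch /F (dropped.exe) >> endobj\n"
)

# Constructed fragment of an ordinary document: pages and content only.
SAMPLE_PLAIN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Type /Page /Contents 5 0 R >> endobj\n"
)

if __name__ == "__main__":
    for label, sample in (("dropper", SAMPLE_DROPPER), ("plain", SAMPLE_PLAIN)):
        print(label, triage(sample), count_names(sample))
```

This looks only at raw bytes; names inside compressed object streams (Flate-encoded `/ObjStm`) are invisible to it, so a zero count is a weaker result than a non-zero one.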

Conclusions

The key to malware success is customisation. Generic malware does not work. The key to successful exploitation is to be slow, steady and stealthy.

Malware is getting more and more advanced.

About the speakers

Nicholas J. Percoco – Trustwave

Nicholas J. Percoco is the head of SpiderLabs at Trustwave, the advanced security team that has performed more than 750 cyber forensic investigations globally and thousands of penetration and application security tests for Trustwave clients. In addition, his team is responsible for the security research that feeds directly into Trustwave’s products and services through real-time intelligence gathering. He has more than 15 years of information security experience. Nicholas acts as the lead security advisor to many of Trustwave’s premier clients by assisting them in making strategic decisions around various security and compliance regimes. As a speaker, he has provided unique insight around security breaches and trends to public and private audiences throughout North America, South America, Europe and Asia, including security conferences such as Black Hat, DEFCON, SecTor and You Sh0t the Sheriff. Prior to Trustwave, Nicholas ran security consulting practices at both VeriSign and Internet Security Systems. Nicholas holds a Bachelor of Science in Computer Science from Illinois State University.

Jibran Ilyas – Trustwave

Jibran Ilyas is a Senior Forensic Investigator at Trustwave’s SpiderLabs, the advanced security team focused on penetration testing, incident response and application security. He has investigated some of the nation’s largest data breaches and is a regular contributor to published security alerts through his research. He has 7 years of experience and has done security research in the area of computer memory artifacts. Jibran has presented talks at security conferences (DEFCON, SecTor) in the areas of computer forensics and cyber crime. Jibran is also a regular guest lecturer at DePaul and Northwestern University. Prior to joining SpiderLabs, Jibran was part of Trustwave’s SOC, where he helped Fortune 500 clients with their security architectures and deployments. Jibran holds a Bachelor of Science degree from DePaul University and a Master’s degree in Information Technology Management from Northwestern University.
