This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

Following the Trail: Determining the Origins of Linux/Bckdr-RKC

It is already known that the two Linux/Bckdr-RKC variants I have received have both been hosted by 216.83.44.229.  Furthermore, the first variant had a phone-home address of 216.83.44.226.

Both of these IP addresses are registered to the netblock owned by WIRELESS-ALARM.COM (not to be confused with the actual website wireless-alarm.com, which is registered to a different contact completely, and unrelated here).

Let's use what we already know to try to find the organization responsible for this malware.

Chinese Origins in .ssyslog Decompiled - Linux/Bckdr-RKC and Hutizu

 I have partially decompiled the second piece of malware which was similar to the original Linux/Bckdr-RKC dropped on my honeypot.

Update: .ssyslog is now detected as "Hutizu".

I am publicly posting the first section of this file to highlight my findings so far...

Update: The full decompiled source of both pieces of malware is now available at Google Code

The first part of this decompiled code which really stood out was a clear marker that this malware is definately of Chinese origin.  This snippet of code is from the following function  
int autoupdate(char* url_address, char* local_to_file)
Code:

L0805FF50( &_v3660, "GET /%s HTTP/1.1
\nAccept: */*
\nAccept-Language: zh-cn
\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
\nHost: %s:%d
\nConnection: Close
\n
\n",  &_v2380);
The "Accept-Language" of zh-cn represents Traditional Chinese as the desired web browse language.

This means the malware in question was most likely programmed by a native speaker of Chinese.  Add to this the fact that the malware is hosted by a fake corporation in China, and that the previous version of this malware also phoned home to the same fake corporation, this all becomes very interesting.

Here are a few other function names from this latest version:
  • copy_myself(const char* name)
  • autostart(const char* inser_to_file)
  • int SendSevMonitor()
  • int SendServerPack()
  • GetNetPackets(long long unsigned int* lNetOut, long long unsigned int* lPacketOut)
  • int moniter(char* host)
  • int udpflood(_Unknown_base* ThreadData)
  • int synflood(_Unknown_base* ThreadData)
  • int synbigpacket(_Unknown_base* ThreadData)
  • int ackflood(_Unknown_base* ThreadData)
  • int ackbigpacket(_Unknown_base* ThreadData)
  • GetStructureDnsPacket(char* QueryDomain, char* QueryData, int* nQueryData)
  • int dnsflood(_Unknown_base* ThreadData)
  • int more_ip_dns_test(_Unknown_base* ThreadData)
  • int autoupdate(char* url_address, char* local_to_file)
  • int get_online_ip(char* domain, char* return_ip)
  • int parse_dns_response(char* return_ip)
  • parse_dns_name(unsigned char* chunk, unsigned char* ptr, char* out, int* len)
  • send_dns_request(const char* dns_name)
  • connect_to_server()
Make no mistake, this malware is clearly designed to perform reconnaissance on internal networks and disrupt communications when instructed to do so by the command and control server.

The malware has self-replication and automatic update capabilities.

I find this malware very disturbing.

What I find even more distrubing is the fact that since my submission of this malware to antivirus vendors, with the exception of Avira who believes this file is clean, none of the antivirus vendors have completed their analysis.

These two pieces of malware seem very professionally crafted with a clear purpose - to serve as a "cyber weapon".

Protect Insider Data By Googling First, Often

Dark Reading has an excellent article called "Protect Insider Data By Googling First, Often".  The summary of the article states:
Sensitive company data is often leaked via Google, Bing, and other search engines -- find it before the bad guys can
Sound advice, and excellent example of why it's important to setup Google Alerts to monitor for privacy breaches, as I described in a previous post.

Anonymous: Friend or Foe?


Is Anonymous a force for good, or just another threat online? This video has been posted in response to the Stratfor hacking incident.

How to Get a Cyber Security or Information Assurance Job

So, you've decided you want to start working in the security field?

Where do you start?

First, develop a plan and some career goals.  Do you want to just be a tech all your life, or do you want to eventually become a manager?  What interests you?  Do you want to know how to protect networks and computers, or do you want to analyze malware and perform penetration testing?

There are many paths available to you.  This is a brief guide on what to do and how to get the job you want.

Woman Gives Birth to Three Plates

Just saw this email in the "funsec" mailing list:

Hello,

My name is Mrs Yetunde Owolabi from Republic of Benin, I gave birth to three plates, 3 children at a time after the death my husband on 18th of June 2011 by auto car
accident. Already we have received 5 children from God, right now I can't take care of them so I have decided to give them out for adoption, if you are interested let me know, I am not selling them but you will only pay for adoption fees to the ministry in concern and the Lawyer will legalized all the relevant documents and the baby will become legally yours.

Thanks,

Mrs. Yetunde Owolabi
You read that right.  She gave birth to 3 plates.

I really wish I had her email address, as I would be very impressed if she could provide some pictures of these plates.

Linux/Bckdr-RKC: A New Variant Appears

Someone was busy this Christmas.

A new variant of Linux/Bckdr-RKC has been placed on my honeypot.

Unfortunately detections by Sophos do not detect this variant, so I've sent it back to them for analysis.

I have posted the strings from the unpacked malware, as well as a diff between the strings of the old version and new version.

I will post updates as I can.

Protect Your Family While Using Social Media

Cyberbullying and sexual predators are an ever increasing threat online, especially with social media sites like Facebook. See how to protect your children with this great informational video!




Linux/Bckdr-RKC Initial Analysis

A malicious user dropped off a VERY interesting piece of malware on my honeypot today with the filename ".xsyslog"

This piece of malware was previously undetected, and many kudos to Sophos for being the first to confirm my findings that the software was malicious.

So far, I have been able to determine the following:

This is a UPX packed Linux ELF which appears to have been around since late November 2011, according to internet searches.



The malware is installed from a compromised system after cracking a SSH server's root password, in the path /etc/.xsyslog

The malware is downloaded from an IP address which appears to be hosted in Hong Kong by a fake corporation: 216.83.44.229 port 99

It phones home to an IP address which appears to be hosted by the same fake corporation: 216.83.44.226 port 81

I have uploaded all relevant strings within the unpacked file to Pastebin.

I will provide additional details as I find/receive them.  This malware has been forwarded to US-CERT, as well as multiple anti-virus vendors.

Track current AV coverage at http://md5.virscan.org/58c23ca549c941f0d44b35fa31d77011

Related Reading:
Sophos Whitepaper Protection for Mac and Linux Computers: Genuine Need or Nice to Have?

New Resource: Threat Watch

The "bad guys" never sleep.

I'm happy to announce that now even when I'm sleeping, my blog will be able to bring up-to-date news alerts relevant to computer security.

Check out the Threat Watch page today!

Insider Threats and Data Loss Prevention

One of the biggest challenges many organizations face is how to deal with the insider threat.

A common means of attempting to control insider threats is through Data Loss Prevention software.

Unfortunately, there is no one clearly superior method for implementing Data Loss Prevention.

I'm happy to offer to my readers a free research report on different Data Loss Prevention techniques from the Aberdeen Group.

The ideal approach to security and compliance is like the ideal referee: one that makes good calls and enforces the rules regarding safety and fair play, but generally doesn't get in the way of the people playing the game. In its fifth annual study on best practices in data loss prevention (DLP), Aberdeen analyzed and compared the results from more than 600 organizations which have adopted one of four distinct approaches to the operational use of DLP technologies. The best approach, in terms of balancing enterprise risk and reward, is like the children's fairy tale of Goldilocks and the Three Bears: the bed we choose to lie in should be neither too soft (Do Nothing, Monitor / Notify), nor too hard (Stop / Go), but just right (Adapt / Protect).

Access Your Complimentary Copy Today. This $399 Value Offer Expires 01/09/2012

Holiday Computer Essentials CD

The holidays are here again.  A wonderful time to eat too much, exchange presents, and secure your family's computer systems.

Each year IT professionals travel to relatives houses, and are called upon as free tech support to remove the latest virus infections.

It helps if you have a CD-R burned and ready to go, so that you can properly clean and secure your family's computer systems.

So what should you include on your "holiday disaster recovery" CD? Fortunately you can assemble such a CD at no cost to you.


Iran, a Lost Drone, and a Computer Virus - Lessons to be Learned

Did a computer virus infection result in Iran acquiring a United States recon drone?

In October, the major news outlets announced that the piloting systems used by unmanned recon drones in Afghanistan and other nearby countries was compromised by a virus capable of recording keystrokes or user authentication information.  The Air Force followed up with a press release that this virus was only a credential stealer, and was not designed to transmit or corrupt data, and that the systems were completely disconnected from the internet and that the malware was introduced through removable media.

Free Subscription to Security Magazine

I'm happy to provide my blog readers a chance to get a free subscription to the print or digital versions of Security magazine, which focuses on ways to apply technology and services to solve security problems.

Security magazine reaches 35,000 security end-user and integrator subscribers in government, healthcare, education, airports, seaports, transportation, distribution, utilities, retail, industrial, financial, hospitality / entertainment, construction, industrial/manufacturing and other markets.

Sign up today!

Mystery Malware: An echo powered DDoS Script?

Christmas came early today, and a hacker dropped off a present...a piece of mystery malware.

This piece of malware was dropped onto my Linux honeypot simply named "DDoser".

The file has a 0% detection rate.  Interesting.


This appears to simply be a Linux/UNIX shell script.

It starts with the following line repeated multiple times:

echo "2e61e112030709378914f8280fd09f62e

61e112030709378914f8280fd09f62e61e11203

0709378914f8280fd09f62e61e1120307093789

14f8280fd09f62e61e112030709378914f8280f

d09f6"

And ends with the following lines:
clear
echo
echo "**********************************************"
echo "The Installation Of D3v1Lz T34m Ddoser"
echo "Should Be Running Now On D3v1Lz Ircds"
echo
echo "Make Sure That Ddoser Is Running - Use This Command:"
echo "ps x"
echo
echo "If You See 'addict' Listed, Then It's Running."
echo "You Can Then Fuck Ips Randomly On Your Botnets."
echo "**********************************************"
echo
echo "Enjoy Our Best Services At WebShells Co. , For More"
echo "Info Contact Us On Tech@WShells.Ws Or Call Us On 03-50 12 10"
echo "More Info About Script: Chadi@WShells.Ws"
exit 0
fi
An echo powered DDoS script?  That doesn't make sense...


Introducing Caffeine Security Secure Firefox!

I'm proud to announce I have completed my Secure Firefox add-on.

Make your Firefox browser more secure! This add-on uses Defense Information System Agency guidelines to harden your browser from attackers. For maximum security, combine this add-on with other security related add-ons such as NoScript!

Download Now!

The (VERY) Unofficial Guide To Facebook Privacy

To fully understand the privacy of Facebook and how it's likely to evolve, you need to understand one thing...Facebook executives want everyone to be public.

As the service evolves, executives tend to favor our open access to information, meaning information you think is private will slowly become public, but that doesn't mean you can be private if you want to. Facebook gives its users the option to lock things down, but users need to be aware of their controls, how to use them and how to prepare for future Facebook privacy changes. Facebook has not and will not make information obvious, and that's where this guide comes in.

Get your copy today!

And please share this link with your friends and family, so they can better protect their privacy as well!

Misuse of Your Personal Information and Google Alerts

It's always a good idea to keep tabs on your online presence.  This can help prevent embarrassing situations, such as an ex girlfriend posting all your dirty laundry for the world to see, or keep someone from stealing your identity, or using your name or address for fraudulent activities, resulting in the police knocking on YOUR door instead of theirs.

Here is an excellent example...

One of my former co-workers had a rather interesting event happen to him after moving in to his new house... Someone was running a "women's retreat" business from his home address!

He found this out through randomly searching for his own home address using Google.

Apparently someone had setup an entire website for this fake business using the real estate information from his home before purchase.

Luckily, this site did not remain online for long, but things could have become really interesting if someone showed up with suitcases in hand expecting to spend a weekend at the "retreat" they already paid for in full...

A few other situations which could happen...
  • Someone decides to try to rent or sell your house without your knowledge
  • Someone posts your address for a "everything for free" event on Craigslist as a cover for looting your house
  • A former co-worker or client posts your personal information on an online bulletin board accusing you of something "bad", resulting in harassing phone calls from thousands of complete strangers
  • An online group such as Anonymous posts your name and address on bulletin boards to coordinate a "prank SWAT raid"
  • Your college or university accidentally publishes a list of student names and social security numbers
The above are very real situations which have occurred, and could possibly have been avoided (or at least provided some warning) if only the victim would have regularly checked the internet for their personal information.

So how can you protect yourself from these situations?


Free IT Security Magazines and Whitepapers from TradePub

Caffeine Security has joined forces with TradePub.com to offer you a new, exciting, and entirely free professional resource. Visit http://caffinesecurity-blogspot.tradepub.com today to browse our selection of complimentary Industry magazines, white papers, webinars, podcasts, and more across 34 industry sectors. No credit cards, coupons, or promo codes required. Try it today!


We are pleased to offer you this exciting, new, and entirely free professional resource. Visit our Free Industry resource center today to browse our selection of 600+ complimentary Industry magazines, white papers, webinars, podcasts, and more. Get popular titles including:

It\'s Time to Think Differently About Access and Data Center Networks!
Cloud First IT: Managing a Growing Network of SaaS Applications
Busting the Myth of Email Encryption Complexity

No credit cards, coupons, or promo codes required. Try it today!

See who's trying to hack your Facebook profile!

Many links claim to let you see who's "stalking" you on Facebook.  This link claims to let you see who's trying to HACK your Facebook profile!

http://bit.ly/vXjiBw

Were you brought to this blog post by a shortened link on Facebook? Why did you click that?

Haven't we learned yet not to click on strange links?

After all these years, users are STILL being infected with malware and helping to propagate it by clicking on links they shouldn't. (And yes, that link is safe)


URL shorteners such as bit.ly can be very conveniently used to hide malicious links.

Here's a little trick to help keep you safer.

There are actually URL "unshorteners" such as UnFwd4Me and Unshorten.com which will reveal the true address of a shotened URL.

So, now that your security awareness has been raised, please, share this link with others by copying the text below, and help them raise their security awareness as well!  To be more effective, please turn the URL preview OFF.


See who's trying to hack your Facebook profile! http://bit.ly/vXjiBw


Related Reading: