This entry is the monthly continuation of Anitian’s series of threat intelligence insights from our Sherlock Managed Threat Intelligence team. The purpose of these briefings is to publish some of the significant campaigns that our team of Sherlocks is tracking at this time.

A new year, same old problems. 2015 ended with lots of bangs, though as you will see, a lot of them are not new. We have been keeping our sights on a number of campaigns, including the stream of exploits that client-side Flash and Java seem to enable, as well as the increasingly widespread proliferation of crypto malware. Here is a sample of some of the things our Sherlocks have been hunting.

Flash, infinitely continued

WHAT: It is difficult not to make fun of Adobe Flash, because it is perpetually complicit in endpoint attacks. However, the end of 2015 was even more brutal than the prior months: Adobe released 78 patches for it in December, of which 75 addressed remote code execution vulnerabilities.

If you do not need Flash on your desktops and laptops, remove it.

WHY: Spurred by some of the exploit kit behavior that piggy-backed on these vulnerabilities—exploit kits LOVE Flash—we now hunt more carefully for traffic to “odd” top-level domains (TLDs). While not foolproof, and likely to become less reliable as time goes on, legitimate browsing of websites in TLDs such as “.top” or “.xyz” is very low, so any such traffic stands out. Additionally, malware domains or subdomains are often composed of nothing more than random character strings. Web filters and services such as OpenDNS are usually capable of blocking domains used in malware distribution. However, it can take a few hours to a few days before those controls catch new malware domains, which allows for plenty of damage while those URLs are active.
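The two hunts described above, a rare-TLD baseline and a check for random-looking labels, can be run over ordinary proxy or DNS logs. The script below is an added example written for this briefing, not tooling from Anitian or from the Sherlock team; the log lines, the three-column log format, the ODD_TLDS list and the entropy/vowel thresholds are all constructed assumptions that you would replace with your own baseline.

```python
import math
from collections import Counter

# Constructed proxy-log sample for this example (timestamp, client IP, host).
# These lines are made up; they are not from any real capture.
SAMPLE_LOG = """\
2016-01-05T09:12:01Z 10.0.0.21 www.example.com
2016-01-05T09:12:04Z 10.0.0.21 cdn.example.net
2016-01-05T09:13:10Z 10.0.0.33 q8z1kx7v.top
2016-01-05T09:13:11Z 10.0.0.33 update.microsoft.com
2016-01-05T09:14:02Z 10.0.0.40 x4k9q2wz7.xyz
2016-01-05T09:14:30Z 10.0.0.21 mail.example.org
2016-01-05T09:15:00Z 10.0.0.33 k3j9x7q2mz.com
"""

# TLDs that see almost no legitimate browsing in a typical office network.
# Assumption: build this list from your own baseline; as the post notes, it
# will become less reliable over time as these TLDs see more real use.
ODD_TLDS = {"top", "xyz"}

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character: random strings score higher than words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label, min_len=8, entropy_floor=2.8):
    """Heuristic for machine-generated labels: long, high-entropy, and either
    mixing digits into letters or nearly vowel-free. Real words such as
    'microsoft' clear the entropy floor but fail the second test."""
    if len(label) < min_len:
        return False
    has_digit = any(ch.isdigit() for ch in label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_floor and (has_digit or vowel_ratio < 0.2)


def parse(log_text):
    """Yield (timestamp, client, host) from the three-column sample format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host = line.split()
            yield ts, client, host.lower()


def tld_counts(log_text):
    """Baseline view: requests per TLD, so the rarely-visited ones stand out."""
    return Counter(host.rsplit(".", 1)[-1] for _, _, host in parse(log_text))


def hunt(log_text):
    """Return (client, host, reasons) for each request worth a closer look."""
    findings = []
    for _, client, host in parse(log_text):
        labels = host.split(".")
        reasons = []
        if labels[-1] in ODD_TLDS:
            reasons.append("odd TLD ." + labels[-1])
        # Check every label except the TLD itself for random-looking strings.
        if any(looks_random(label) for label in labels[:-1]):
            reasons.append("random-looking label")
        if reasons:
            findings.append((client, host, reasons))
    return findings


if __name__ == "__main__":
    print(dict(tld_counts(SAMPLE_LOG)))
    for client, host, reasons in hunt(SAMPLE_LOG):
        print(client, host, "; ".join(reasons))
```

On the sample above the two odd-TLD hosts are flagged on both rules, and the random-looking .com host is caught by the label check alone, which is why the two hunts are worth running together: the TLD list decays as those registries fill with legitimate sites, while the label heuristic does not depend on the TLD at all.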

Yeah, Yeah, so .EXEs are trouble…

WHAT: On the Bugtraq and Full Disclosure lists, Stefan Kanthak posted, and may continue to post, a series of threads regarding vulnerabilities in common application .EXE installers. He presents a compelling case for entirely deprecating non-platform-specific installers in favor of native installers such as .MSI. His primary argument is that native installers have built-in controls for dealing with privilege escalation, execution from inappropriate directories, and sloppy DLL handling.

WHY: As a behavior analysis hunt, we started looking at .EXE downloads correlated with suspicious outbound traffic. The infection vector for these threats is usually small and complicated, but this is a simple hunt to run, and it can help helpdesk staff respond to incidents more quickly.

Remember Ponmocup? It’s back.

WHAT: Ponmocup, a botnet that was sinkholed in 2011, has returned with modern malware amenities to evade endpoint protections. Ponmocup, also known as VirtuMonde, Swisyn or Vundo, performs ad injection and data theft, and acts as a malware insertion point for the botnet.

WHY: Many variants check the site http://checkwebspeed.net, which is not a popular user destination in everyday usage, so we’ve been looking for that. Unfortunately, it appears that many of the domains the new Ponmocup checks may be randomly generated, and it is still to be determined whether this site remains a useful indicator of compromise. We’re investigating further.
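The .EXE-download hunt from the previous section and the checkwebspeed.net indicator check from this one fit naturally into a single pass over a proxy log: flag any client that fetched an .EXE and then, within a short window, talked to an indicator host or made a direct-to-IP connection. The script below is an added example for this briefing, not the Sherlock team's own tooling; the log lines, the four-column log format, the 15-minute window and the direct-to-IP heuristic are constructed assumptions. The only indicator it carries is checkwebspeed.net, which the post itself names.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit
import ipaddress

# Constructed proxy-log sample (timestamp, client IP, method, URL or host:port).
# Made up for this example; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges, not real infrastructure.
SAMPLE_EVENTS = """\
2016-01-05T10:00:00Z 10.0.0.21 GET http://downloads.example.com/setup.exe
2016-01-05T10:00:45Z 10.0.0.21 CONNECT 203.0.113.7:8080
2016-01-05T10:01:10Z 10.0.0.21 GET http://checkwebspeed.net/
2016-01-05T10:05:00Z 10.0.0.33 GET http://www.example.org/index.html
2016-01-05T10:06:00Z 10.0.0.33 GET http://checkwebspeed.net/
2016-01-05T10:30:00Z 10.0.0.40 GET http://downloads.example.com/tool.exe
2016-01-05T12:00:00Z 10.0.0.40 CONNECT 198.51.100.9:443
"""

# Indicator named in the post: many Ponmocup variants check this host.
INDICATOR_HOSTS = {"checkwebspeed.net"}

# How long after an .EXE download to look for follow-on traffic (assumed value).
WINDOW = timedelta(minutes=15)


def parse_events(log_text):
    """Turn each log line into a dict with a parsed time, host, port and path."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, target = line.split()
        if method == "CONNECT":
            host, _, port = target.partition(":")
            path = ""
        else:
            parts = urlsplit(target)
            host = parts.hostname or ""
            port = str(parts.port or 80)
            path = parts.path
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "client": client, "host": host.lower(),
                       "port": port, "path": path})
    return events


def is_exe_download(ev):
    return ev["path"].lower().endswith(".exe")


def is_bare_ip(host):
    """True when the destination is a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_suspicious(ev):
    """Destination on the indicator list, or a direct-to-IP connection, which
    ordinary browsing rarely produces (heuristic assumed for this example)."""
    return ev["host"] in INDICATOR_HOSTS or is_bare_ip(ev["host"])


def indicator_hits(events):
    """The plain Ponmocup hunt: any client contacting an indicator host."""
    return [(ev["client"], ev["host"]) for ev in events if ev["host"] in INDICATOR_HOSTS]


def correlate(events):
    """The .EXE hunt: downloads followed by suspicious traffic from the same
    client inside WINDOW. Returns (client, download, [(host, port), ...])."""
    results = []
    for dl in events:
        if not is_exe_download(dl):
            continue
        followups = [ev for ev in events
                     if ev["client"] == dl["client"] and is_suspicious(ev)
                     and dl["time"] < ev["time"] <= dl["time"] + WINDOW]
        if followups:
            results.append((dl["client"], dl["host"] + dl["path"],
                            [(ev["host"], ev["port"]) for ev in followups]))
    return results


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for hit in indicator_hits(events):
        print("indicator:", hit)
    for client, download, followups in correlate(events):
        print("correlated:", client, download, followups)
```

In the sample, 10.0.0.21 downloads setup.exe and within two minutes makes a direct-to-IP connection and then contacts checkwebspeed.net, so it is reported by both hunts; 10.0.0.33 only trips the indicator check, and 10.0.0.40's download is not correlated because its later connection falls outside the window. That window is the knob to tune: too short and staged payloads are missed, too long and every ordinary software update drags in unrelated traffic.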

Conclusion

The re-emergence of something like Ponmocup can be disheartening to our profession. After all, even after “eradicating” a piece of malware, there’s nothing that guarantees someone won’t simply pick it back up again, polish it off and add some fancy new sprockets before sending it our way. If anything, it should highlight the vigilance we have to maintain in order to deal with threats—both new and old.

We welcome any conversation on these topics in the comments below! Check back next month for our resumed February Sherlock report!
