
RSA Firstwatch shines a spotlight in the darker corners of the Internet to better understand Internet Fraud and Criminal trends online.  When possible, RSA Firstwatch members will use this space to share information about some of our findings.


Welcome DarkReading Readers! See the bottom of the article for the latest update to this post.


Like many of you, I heard about the Korean cyber attacks via the news outlets.  And I also had a hard time believing the description.  In what seemed like a massive state-sponsored attack, many bank computers were "blacked" out for hours.



          (image courtesy of xdmag)


Then this morning I saw this tweet from Mikko Hyppönen of F-Secure describing what the attack actually was:




Then I thought, okay, wiping the master boot record of a disk is bad.  It renders the machine unbootable, but only once it shuts down.  It still didn't explain how a running system was remotely shut down.  And it's not a completely destructive attack: simply make the MBR bootable again and the user has access to his data.  An hour later, an RSA field engineer sent me a pcap from Korea that showed the attack.  I'll screenshot it with highlights below.



So this was a key exchange with a popular Korean encryption module called XGate.  Specifically for this bank, the server banner showed it was XGate 3.0, an older, likely vulnerable version of this SSL module.  The key exchange begins normally until the first highlighted area.  See how the data changed from structured to garbled?  This is the beginning of the buffer overflow attack against the XGate module.  Since XGate likely runs with administrative privileges, anything this module does after the overflow will be executed as administrator.


The second highlight shows where Kernel32.dll is called.  The next highlight shows another buffer overflow attack, this time against the Windows kernel itself.  The next highlighted area shows a call to Physical Drive 0, which is the master boot record, followed by a Windows command to reboot the system.  And in case the currently logged in user didn't have permissions to reboot, the overflow commands set the privileges to do that too.


So there you have it: the Korean attack appears to be a targeted attack against the popular XGate module, wiping the master boot record and rebooting the system.  This victim was using XGate to handle payment processing.  Other victims across the country were likely using it for open encryption of one sort or another.


But when I was researching the source IP address, I found a website that auto-publishes its own log files.  This IP in my PCAP belonged to Korea Telecom.  It had a user-agent string earlier this month of: Mozilla/5.0 (Linux; U; Android 4.0.4; ko-kr; IM-A840S Build/IMM76I) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30


That's an Android phone.


Other news sources have already tried to claim that this attack originated in China, but clearly this specific attack could have originated anywhere since it is a buffer overflow attack, and clearly my PCAP shows this attack came from within South Korea.  Could both claims perhaps be true, that it came from BOTH China and Korea?  If the attacks came from mobile Android phones, this would make a bit of sense.  This would account for the coordinated attacks and the distribution of sources.  And given that many mobile apps for the Android market have been known to be infected with malware, we might just be looking at the first mobile malware takedown of a National Critical Infrastructure.



Trend Micro and Symantec believe that this Korean MBR wiping attack was malware-driven, likely originating from a Phishing attack.  We at RSA FirstWatch do not discount this point of view, but now view this attack overall as a part of a multi-vector attack against the Korean Critical Infrastructure.  The Xgate Buffer Overflow seems to be just one small portion of this attack.


As quoted in the DarkReading article, RSA FirstWatch Senior Manager Will Gragido said:

"Based on what we're seeing, this was a multivector attack," says Will Gragido, senior manager with RSA FirstWatch Advanced Research Intelligence.

It also demonstrates just how fragile networks really are today. "And the evidence is clear that as simple of an attack [as one] launched from a cell or tablet can have pretty significant ramifications" and it can happen anywhere, he says.

This post reflects analysis of a single PCAP that was shared with us by a trusted partner.  But it clearly demonstrates that an IP address typically used for a Mobile Network in South Korea was used to participate in the massive takedown of the South Korean Critical Infrastructure.


Every mature Enterprise strives to create a standardized image for their endpoint workstations, and they often refer to this image as their "Gold Release."  These images typically include a hardened operating system, a default browser, a version of Java, the company's preferred Office workflow application suite, and other helper applications such as flash, PDF reader, and a standardized AV suite.  Once that Gold Release is pushed out to the endpoints, Enterprise managers typically expend a lot of audit hours and time to ensure that the endpoints aren't changed too badly by the users or by unauthorized software installations.


It is often frustrating enough that end users install silly software that isn't needed, like Weatherbug, Yahoo Search Toolbars or daily coupon alerting software, and even more frustrating when users install applications that violate corporate policy such as online backup suites, XDrive, BitTorrent, mIRC or other applications.  But with today's malware and adware, many of these endpoint alterations to your Gold Release come accidentally via Java exploits, adware phishing or trojanized Flash games.  Detecting these types of malware is often as easy as analyzing the rarest user-agent strings on your network.


You should download and install the attached Informer Report below.  It can be further customized to look for other known User-Agent abnormalities you are interested in.  To show a real-life example of a malicious UA string, take a look at the screenshot I ran this morning:



This report looks for the rarest clients where an OS or browser doesn't exist.  I have highlighted the AWI v3 user-agent string.  A Google search shows that this string is a known malicious string used to download additional trojan horses, according to VirusTotal.



And of course, now that you know that string is malicious, a simple rule can be written to create an alert to notify you of its presence in the future.  I also have attached a couple of rules to this post that you can deploy to your decoders.  Usual caveat of "Your Mileage May Vary" applies.




If you need help understanding what all of the pieces of a User-Agent string represent, there are online resources that decode them for you.  My favorite site for this is  I have created a custom action to send client strings directly to the site from within Investigator.  The custom action should be called "UA Analysis" and the action string is:${VALUE}&action=analyze



Creating rules to normalize your user-agent strings will allow you to passively monitor your endpoints for out-of-date applications and unauthorized software.  And this method can often be quicker, less network intensive, and even more accurate than an active vulnerability and compliance scanner.  So give it a try and let us know what you think.
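As an added illustration (not the Informer report or the decoder rules attached to the original post), the script below applies the same idea to a constructed proxy-log excerpt: count client strings, surface the rarest ones that name neither an OS nor a browser, and alert on a string already known to be bad, here the AWI v3 string discussed above. The log format, the OS and browser token lists and the sample lines are assumptions.

```python
import re
from collections import Counter

# Constructed proxy-log excerpt (not real traffic): client_ip method url "User-Agent"
CHROME = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/25.0 Safari/537.36'
LOG_LINES = [
    f'10.0.0.11 GET http://intranet.example/ "{CHROME}"',
    f'10.0.0.12 GET http://intranet.example/mail "{CHROME}"',
    f'10.0.0.13 GET http://news.example/ "{CHROME}"',
    # the Android string quoted earlier in this blog: rare here, but it names an OS and a browser
    '10.0.0.14 GET http://m.example/ "Mozilla/5.0 (Linux; U; Android 4.0.4; ko-kr; IM-A840S Build/IMM76I) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
    '10.0.0.23 GET http://198.51.100.7/dl.php "AWI v3"',
    '10.0.0.41 GET http://203.0.113.9/x "-"',
    '10.0.0.19 GET http://cdn.example/update "Java/1.6.0_31"',
]

UA_RE = re.compile(r'"([^"]*)"\s*$')
OS_TOKENS = ("windows", "macintosh", "linux", "android", "iphone", "x11")
BROWSER_TOKENS = ("mozilla", "chrome", "safari", "firefox", "msie", "opera")
KNOWN_BAD = {"awi v3"}  # the string called out in this post; extend with your own findings

def extract_user_agent(line):
    """Pull the quoted User-Agent off the end of a log line, or None if absent."""
    m = UA_RE.search(line)
    return m.group(1) if m else None

def count_user_agents(lines):
    """Frequency of each client string across the excerpt."""
    return Counter(ua for ua in map(extract_user_agent, lines) if ua is not None)

def lacks_os_or_browser(ua):
    """True when the string is missing an OS token or a browser token."""
    low = ua.lower()
    return not any(t in low for t in OS_TOKENS) or not any(t in low for t in BROWSER_TOKENS)

def rarest_clients(lines, max_count=1):
    """Client strings seen at most max_count times that also look like no real browser."""
    counts = count_user_agents(lines)
    rare = [(ua, n) for ua, n in counts.items() if n <= max_count and lacks_os_or_browser(ua)]
    return sorted(rare, key=lambda t: (t[1], t[0]))

def known_bad_hits(lines):
    """(client_ip, User-Agent) for every line whose client string is already known bad."""
    hits = []
    for line in lines:
        ua = extract_user_agent(line)
        if ua is not None and ua.lower() in KNOWN_BAD:
            hits.append((line.split()[0], ua))
    return hits
```

The rare-but-legitimate Android string drops out of the rarest list because it names both an OS and a browser, which is the noise reduction the report relies on.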


Happy Hunting!



When it comes to current trends that FirstWatch is seeing in our research lab, we must declare that ClickFraud and Bitcoining are still the biggest recurrent threats we see.  And some of this malware has formed an unholy union of these two activities to deliver a constant stream of revenue to the malware authors in the form of ad clicks while also performing some bitcoin mining using spare CPU cycles.


In fact, this activity is so constant and noisy, I had to develop several rules to filter it out of my Security Analytics collections. I am far more interested in trojan programs, DDoS bots and APT exfiltration than I am in meager click fraud. But click fraud is the literal 800 pound gorilla in my room, so this blog will be about understanding and detecting this clickfraud trojan.


For those who don't already know, clickfraud is a way for miscreants to generate money for themselves through referral services via ad banners on various websites.  Step one would be to register with an ad-services provider that pays pennies or more per click.  Step two would be to gain control of a botnet, followed by step three, programming the botnet to click on ads with the miscreant's referral ID coded into the clicks.  The advertising agency counts the clicks and issues the check at the end of the month.  The trick for the clickfraudsters is to not generate so many clicks that they trip the ad agency's thresholds for automatically detecting click fraud.  Or the fraudster has to register scores of referral IDs and randomize his clicks via his botnet to generate his income without detection.


But not all referral money is derived from ad clicks.  Some software companies sponsor referrals as well.  Most seen today is the referral program from  Remember those guys?  They were the big media streaming company back at the turn of the century.  Well now they have a high-paying affiliate program that earns miscreants revenue, and we see RealPlayer referrals quite often associated with ad click fraud.


One enterprising malware author thought to combine the world of adclick fraud with bitcoin mining.  While the user is active, the ad clicking takes place offscreen via an iframe.  When the user is idle, the bitcoining software plays with algorithms to strike virtual paydirt.  There is a decent writeup on this malware over here at ThreatExpert.


You should check your enterprise to see if anyone has this double-whammy malware installed on an endpoint.  The rules are pretty simple:

For the Directdownloader and Bitcoining downloader, look for


The download software is all hosted on Zen servers.


And of course any connection to,,

should be considered a known clickfraud malware action.


Happy hunting!

RSA Firstwatch are a team of analysts that are looking at emergent threats presented by new strains of malware.  The research into this activity produces new feeds of known C&C IPs, domains, APT exfiltration sites and many more.  We are also producing some nifty new rules to detect variants of botnet beaconing, bot checkins, known malicious useragent strings, and more.  These rules work great in our environment, which tends to be pure malware analysis.  But we think some of these rules will be helpful to you as well.  Use at your own risk, your mileage may vary.  If you get any hits on these rules, be sure to provide us feedback and let us know its effectiveness.  Or if you have any questions, let us know as well.


The biggest game in malware these days is still ad click fraud.  Yeah, it doesn't sound sexy, but drive-by downloads are still typically used, and affected endpoints represent weaknesses in your enterprise security.  Several of these rules address this, and if you see large volumes of hits against adware servers or see lots of adware bundlers, you should still investigate.


Each of the rules below alerts into the Alert key.  You could change this to alert into any key of your choice, such as the risk.warning key.


name="Malware Client Strings" rule="client='Trololo','installer','medialabssiteinstaller','autohotkey','tiny-dl/nix', 'dmfr', 'explorer', 'autoit', 'contype', 'user-agent: mozilla/5.0','testing', 'tiny-dl', 'rpcricheck','HardCore Software For : Public','MyLove', 'VIP_TRACKING', 'MyApp', 'hello','newbrandtest','stubinstaller','sefastsetup','ineturl/1.0','nsis_toolkitoffers','download','fucking','-','getright/6.5','windows installer','dianji-dnas/1.1'" order=89 alert=alert type=application


name="Kryptic Trojan" rule=",,,," order=92 alert=alert type=application

name="Beaconing 22292" rule="service=0 && tcp.dstport=22292" order=93 alert=alert type=application

name="EsFury Worm"\, order=95 alert=alert type=application

name="Apache Synapse Request" rule="client contains synapse" order=96 alert=alert type=application

name="Adware Bundler" rule="client begins 'Tightrope Bundle Manager'" order=97 alert=alert type=application

name="Jkoken Botnet" rule=",," order=98 alert=alert type=application

name="Empty Directory Post" rule="action=put && filename='<none>' && directory='/'" order=99 alert=alert type=application

name=IPChecker rule=" ends" order=100 alert=alert type=application

name="PNG Botnet" rule="action = 'get' && extension=png, jpg && query exists" order=101 alert=alert type=application

name="Vundo Trojan" rule=",," order=102 alert=alert type=application

name="PHP Beaconing W" rule="extension=php && query begins 'w=188'" order=103 alert=alert type=application

name="Zeus Checkin" rule="action=put && filename=login.php && referer = ''" order=104 alert=alert type=application

name="Strings Decode Download" rule=filename\=strings.txt order=105 alert=alert type=application

name="Put to WordPress Plugin Directory" rule="extension=php && action=put && directory begins '/wp-content/plugins/'" order=106 alert=alert type=application

name="UDP Botnet 16471" rule="service=0 && udp.dstport=16471" order=107 alert=alert type=application

name="Zeus Gate Checkin" rule="action=put && filename=gate.php" order=108 alert=alert type=application

name="PHP ini Checkin" rule="extension=php && query begins 'ini='" order=109 alert=alert type=application

name="PHP Put Botnet Long Query" rule="action=put && extension= php && query length 200-u" order=110 alert=alert type=application

name="Palevo Bot Checkin" rule="extension=php && client = 'explorer'" order=111 alert=alert type=application

name="Whuffug Bot Checkin" rule=filename\=whuffuq order=112 alert=alert type=application

name="PHP Put With 40x Error" rule="extension=php && action=put && error contains 40,50" order=113 alert=alert type=application

name="Wordpress Botnet Checkin" rule="extension=php && content = binary" order=114 alert=alert type=application

name="Suspicious Server Banners" rule="server='Oversee Turing v1.0.0'" order=115 alert=alert type=application

name="Zeus Get Checkin" rule="action=get && filename=login.php, posting.php && referer = ''" order=116 alert=alert type=application

name="XOR Download Direct from IP" rule="risk.suspicious = 'direct to ip http request' && risk.warning = 'xor encoded executable'" order=117 alert=alert type=application

name="Perl Installed on Host" rule="client contains pmcinit" order=118 alert=alert type=application

name="Pushdo Malware Checkin" rule="query begins 'ptrxcz_'" order=119 alert=alert type=application

name="ZBOT With Firefox" rule="browser='Firefox 3' && risk.warning begins xor" order=120 alert=alert type=application

name="Suspicious Code Signing" rule="'' &&, authrootseq.txt, 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5.crt, 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.crt" order=121 alert=alert type=application

name="DirectDownloader Trojan Helpers" rule="filename=directdownloaderinstaller.exe, optimizer.exe, playvolcano79048.exe, pricepeepinstaller.exe, gamesleap79048.exe" order=122 alert=alert type=application

name="Virus Login" rule="username contains virus" order=123 alert=alert type=application

name="Ghost Protocol and Xor Encoding" rule="risk.warning begins 'ghost','xor'" order=124 alert=alert type=application

name="UDP 16464 Beaconing" rule="service=0 && udp.dstport=16464" order=127 alert=alert type=application

name="Adware Client" rule="client begins 'downloadm'" order=129 alert=alert type=application

name="QQ Download Client" rule="client contains qq" order=130 alert=alert type=application

name="Chinese Malware Installer" rule="client begins agent" order=131 alert=alert type=application

name="Known Netwitness APT Hits" rule="threat.source=netwitness && threat.category=apt" order=132 alert=alert type=application

name="Known Threats from Research" rule="threat.desc begins unspecified, 'malicious c&c'" order=133 alert=alert type=application

name="Malicious UA strings Matches" rule="client=rlmultysocket, download, 'nsisdl/1.2', v32, ie, windows installer, 'wget 3.0', fortis, generichttp/ver_str_comma, '[mozilla firefox cool]', pipiplayer, nsis_inetload, 'industry update control', babylon, yzf, myurl, mozila, iexplorer 31,' ie 9.0', 'widgitoolbar-159-847320', tionline updater v59, 'stub installer v2.15', shockwave flash, myagent, microgaming install program, 'ineturl:/1.0', http client, get mp3, 'gbot/2.3', umbra, sefastsetup, safesheild, myclearsearch helper service, get torrent, dwplayer, chek, vbtagedit, 'toutatis x.x-x, tiehttp', techbridge application loader, 'scooter-3.2.ex', 'rookie/1.0', qvoddown, mxagent, 'microsoft internet explorer 6.0', lobo lunar, 'kuku v3.04 exp', 'ie 11.0 sp6', getfiles, elucid software downloader, askinstallchecker, 'adobe update manager 6','androiddevdet','setup factory','winhinet example/1.0','google page','our_agent','tiehttp','winhttpclient','utilmind httpget','microsoft-atl-native/8.00','report'" order=134 alert=alert type=application


name="Ad Server" rule="server='mochiweb/1.1 webmachine/1.9.2 (someone had painted it blue)','qs'" order=137 alert=alert type=application

name="Ad Delivery Servers" rule=",,,,,,,,,,,,,,,,,,," order=138 alert=alert type=application


name="ZeroAccess Botnet" rule="tcp.dstport=16471 && payload exists" order=140 alert=alert type=application
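To show how rules in this format actually fire on session metadata, here is an added example that is not part of the post and not NetWitness's own engine: a small parser for the name/rule/order fields and an evaluator for the =, contains, begins, ends and exists operators, run over a constructed subset of the rules listed above. Case-insensitive matching and treating a comma-separated value list as any-of are assumed semantics, as are the sample session metadata dictionaries.

```python
import re

# Constructed subset of the rule lines from this post, copied in the same syntax.
RULES = [
    'name="Beaconing 22292" rule="service=0 && tcp.dstport=22292" order=93 alert=alert type=application',
    'name="Apache Synapse Request" rule="client contains synapse" order=96 alert=alert type=application',
    'name="Put to WordPress Plugin Directory" rule="extension=php && action=put && directory begins \'/wp-content/plugins/\'" order=106 alert=alert type=application',
    'name="Zeus Gate Checkin" rule="action=put && filename=gate.php" order=108 alert=alert type=application',
    'name="Palevo Bot Checkin" rule="extension=php && client = \'explorer\'" order=111 alert=alert type=application',
]

# key=value pairs on a rule line: the value is a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# one condition inside rule="...": <meta key> <operator> [values]
COND_RE = re.compile(r"^\s*([\w.]+)\s*(=|contains|begins|ends|exists)\s*(.*?)\s*$")

def parse_rule_line(line):
    """Return {'name': ..., 'rule': ..., 'order': ..., ...} for one rule line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def parse_values(text):
    """'gate.php, login.php' or "'explorer'" -> ['gate.php', 'login.php'] (lower-cased)."""
    return [v.strip().strip("'").lower() for v in text.split(",") if v.strip()]

def condition_matches(cond, meta):
    """Assumed semantics: case-insensitive compare, comma list = any-of (OR)."""
    m = COND_RE.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    key, op, rhs = m.groups()
    have = meta.get(key)
    if op == "exists":
        return have is not None
    if have is None:
        return False
    have, wanted = str(have).lower(), parse_values(rhs)
    if op == "=":
        return have in wanted
    if op == "contains":
        return any(w in have for w in wanted)
    if op == "begins":
        return any(have.startswith(w) for w in wanted)
    return any(have.endswith(w) for w in wanted)  # op == "ends"

def evaluate(session_meta, rule_lines=RULES):
    """Names of the rules that fire on one session's metadata, in 'order=' sequence."""
    hits = []
    for line in rule_lines:
        fields = parse_rule_line(line)
        if all(condition_matches(c, session_meta) for c in fields["rule"].split("&&")):
            hits.append((int(fields["order"]), fields["name"]))
    return [name for _, name in sorted(hits)]
```

Operators the subset does not use (the length ranges and bare domain lists in some of the rules above) raise ValueError rather than silently matching, so a rule you paste in is either fully understood or rejected.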
