RSA NetWitness Platform Blog, April 2014

The Kargen Zbot variant has been around for a few months, but it has recently added new Command and Control domains to its traditional stable of high-availability hosts.  A host infected with Kargen Zbot has been observed engaging in search engine abuse, bitcoin mining, pay-per-click advertising abuse, and pay-per-install software referral abuse.  What makes this variant unique, however, is its tell-tale beaconing pattern, shown below.

 

First, the new Coordinates Visualization Tool in Security Analytics Investigator makes it easy to see how these Command and Control domains are spread across several providers for maximum uptime.  They use neither Dynamic DNS nor fast flux, just standard round-robin name resolution.  (Click the image to see a larger version.)

 

[Screenshot: Coordinates visualization of the C2 domains spread across providers]

Next, you can see the hostnames involved, along with the multiple destination IP addresses the botnet uses to maintain its uptime.

 

[Screenshot: C2 hostnames and their destination IP addresses]

Now you will also see the unique beaconing pattern: 24-character filenames are uploaded to two distinct directories.

 

[Screenshot: 24-character filenames under the two beacon directories]

And finally, the beacon session is encoded and looks like this:

 

[Screenshot: encoded beacon session]

 

The simple rule to detect this beaconing pattern is:

action=put && directory='/b/req/', '/b/opt/'

 

Name the Rule Kargen Zbot Variant Beacon and alert it into risk.warning or your preferred alert key.
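To show what the application rule above actually selects, here is an added example (not code from the original post and not the Security Analytics rule engine): it splits HTTP request lines into the same meta the rule uses (action, directory, filename), applies `action=put && directory='/b/req/','/b/opt/'`, and optionally tightens the match to the 24-character filenames described above, which filters out unrelated PUTs into the same paths. The request lines are constructed for illustration; the 24-character length is the only filename property the post states, so the strict check tests length alone.

```python
from urllib.parse import urlsplit

# Constructed sample (src_ip, HTTP request line) pairs; not from the post's capture.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "PUT /b/req/aB3dE5fG7hI9jK1lM3nO5pQ7 HTTP/1.1"),
    ("10.0.0.5", "PUT /b/opt/zY8xW6vU4tS2rQ0pO8nM6lK4 HTTP/1.1"),
    ("10.0.0.7", "GET /index.html HTTP/1.1"),
    ("10.0.0.9", "PUT /b/req/short HTTP/1.1"),          # same directory, wrong filename length
    ("10.0.0.9", "POST /b/req/aB3dE5fG7hI9jK1lM3nO5pQ7 HTTP/1.1"),  # wrong method
]

BEACON_DIRS = {"/b/req/", "/b/opt/"}
BEACON_FILENAME_LEN = 24


def request_meta(request_line):
    """Split an HTTP request line into the meta keys the rule refers to:
    action (lower-cased method), directory (path up to and including the
    last '/'), and filename (the remainder of the path)."""
    method, target, _version = request_line.split(" ", 2)
    path = urlsplit(target).path
    idx = path.rfind("/")
    return {
        "action": method.lower(),
        "directory": path[: idx + 1],
        "filename": path[idx + 1:],
    }


def matches_rule(meta):
    """action=put && directory='/b/req/','/b/opt/'  (the post's rule)."""
    return meta["action"] == "put" and meta["directory"] in BEACON_DIRS


def kargen_hits(requests, strict=False):
    """Return the (src_ip, request_line) pairs that match the rule.
    strict=True additionally requires the 24-character filename the post
    describes, cutting false positives from other PUTs into those paths."""
    hits = []
    for src, line in requests:
        meta = request_meta(line)
        if not matches_rule(meta):
            continue
        if strict and len(meta["filename"]) != BEACON_FILENAME_LEN:
            continue
        hits.append((src, line))
    return hits


if __name__ == "__main__":
    for src, line in kargen_hits(SAMPLE_REQUESTS, strict=True):
        print(f"Kargen Zbot Variant Beacon: {src} {line}")
```

The plain rule fires on three of the constructed requests; the strict variant drops the short-filename PUT and keeps only the two beacons.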

 

Finally, each of the domains listed above has been added to the FirstWatch C2 Domain feed so customers can better detect this threat.

 

Good Luck and Happy Hunting!

The RSA FirstWatch Team has seen an increase in GameOver Zeus variants submitted to our malware database over the past few weeks.  Here is the trend line.

 

[Screenshot: trend line of GameOver Zeus submissions]

 

The GameOver Zeus variant uses an encoded secondary file download that is decrypted by the initial infection file on the affected host.  This encoded download is actually an executable, but because the encoding hides the MZ header, typical file fingerprinting (looking for "MZ" at the beginning of the file, as many gateway products such as next-generation firewalls and IDS/IPS do) will not stop this file from being delivered to the endpoint.  A great blog detailing the encryption scheme is located here.


When GameOver first appeared, these secondary download files typically had a .ENC filename extension.   More recently, however, the extension has become randomized.  In the screenshot below, you can see the pattern of these filename extensions and the directory structure.

 

[Screenshot: GameOver download filenames, extensions and directory structure]

So you can see the pattern: a 6-character alphanumeric filename followed by a randomized extension.  You can also see that many of these files are hosted on WordPress blog sites that were likely compromised in the early stages of the GameOver campaign to host these downloads.  Why pay for a Content Delivery Network (CDN) when you can make your own from vulnerable web hosts?

 

Below is a sample session from Security Analytics so you can see what happens on the network.  There is a marker at the beginning of the file, the distinctive "ZZP.", which is unique to these GameOver sessions.  This means it is possible to fingerprint these files by looking for that marker as a token with a parser.

 

[Screenshot: sample GameOver download session showing the "ZZP." marker]

 

There is one additional piece of meta common to every GameOver variant detected: its simple and distinct User-Agent string.

 

[Screenshot: GameOver User-Agent string in the client meta key]

 

Detecting this threat therefore uses three approaches: two application rules and one new parser.  The rules are:

 

GameOver Zeus Installer Detected

client='Updates downloader'

 

Possible GameOver Binary Downloaded

extension='enc' && directory begins '/wp'

 

Note that because the extension is now randomized, the second rule only catches the original .enc form, so the rules should be paired with the parser.  Should the UA string ever change with a new GameOver variant, the LUA parser attached below will still find the "ZZP" token mentioned above.  We have also added a few dozen known GameOver download domains to the FirstWatch Threat feeds.  And finally, a sample PCAP is also attached so analysts can see what this activity looks like and test the attached parser.

 

So check your environments for the past few months using the rules/queries above to see whether you have been affected by GameOver.  And Happy Hunting!

 

UPDATE!

This malware, like others, evolves over time.  The dropper file that was faithfully detected by the parser below has changed, although the extensions are still rar, zip, tar, etc.  We have also observed new User-Agent strings used for communications, so you should update your capture rules to include the following:

client='onlymacros','opera10','update sdb','conchita wurst','acheckupdate'
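The three detection approaches in this post (the User-Agent rule with both the original and the updated client strings, the `.enc`-under-`/wp` rule, and the "ZZP." content marker the parser looks for) are shown together in the added example below. It is not the post's Lua parser or the Security Analytics rule engine; it is a stand-alone Python illustration that evaluates each check against constructed sessions, including one where the UA and extension have changed and only the content marker still fires. The "filename pattern" weak indicator (6-character alphanumeric name plus an arbitrary extension under a `/wp` path) is an extra heuristic derived from the screenshot description, not one of the post's rules, and the session bodies are made-up bytes.

```python
import re

# User-Agent strings from the original rule plus the UPDATE list; matched case-insensitively.
GAMEOVER_CLIENTS = {
    "updates downloader", "onlymacros", "opera10",
    "update sdb", "conchita wurst", "acheckupdate",
}
# 6-character alphanumeric filename with an arbitrary extension (assumed from the post's description).
GAMEOVER_NAME = re.compile(r"^[A-Za-z0-9]{6}\.[A-Za-z0-9]+$")
ZZP_MARKER = b"ZZP."


def split_path(path):
    """Return (directory, filename, extension) the way decoder meta splits a URL path."""
    idx = path.rfind("/")
    directory, filename = path[: idx + 1], path[idx + 1:]
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return directory, filename, ext


def looks_like_pe(body):
    """The check a typical gateway performs: does the file start with the MZ header?
    The encoded GameOver payload does not, which is why that check misses it."""
    return body[:2] == b"MZ"


def gameover_findings(session):
    """session: dict with 'client' (User-Agent), 'path' (request URL path) and
    'body' (first bytes of the downloaded file).  Returns the names of the
    checks that fire, in a fixed order."""
    findings = []
    if session["client"].lower() in GAMEOVER_CLIENTS:
        findings.append("GameOver Zeus Installer Detected")          # client='...' rule
    directory, filename, ext = split_path(session["path"])
    if ext == "enc" and directory.startswith("/wp"):
        findings.append("Possible GameOver Binary Downloaded")      # extension='enc' && directory begins '/wp'
    if directory.startswith("/wp") and GAMEOVER_NAME.match(filename):
        findings.append("GameOver filename pattern (weak indicator)")  # added heuristic, not a post rule
    # Content-marker check in the spirit of the parser: survives a UA change and a random extension.
    if session["body"].startswith(ZZP_MARKER):
        findings.append("GameOver encoded payload (ZZP. marker)")
    return findings


# Constructed sessions (not from the post's PCAP); bodies are illustrative bytes.
SESSIONS = {
    "original": {"client": "Updates downloader",
                 "path": "/wp-content/uploads/ab12cd.enc",
                 "body": ZZP_MARKER + b"\x8f\x1e" * 8},
    "evolved":  {"client": "Mozilla/5.0",               # UA no longer matches
                 "path": "/wp-includes/js/x9k2mq.tar",  # randomized extension
                 "body": ZZP_MARKER + b"\x3a\x7c" * 8},
    "benign":   {"client": "Mozilla/5.0",
                 "path": "/wp-content/themes/style.css",
                 "body": b"body { color: #000 }"},
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(name, "MZ header:", looks_like_pe(session["body"]), gameover_findings(session))
```

The "evolved" session shows the point of the post's parser: once the User-Agent and extension change, only the content marker (and the weak naming heuristic) still identifies the download, and the MZ check never helped in the first place.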

IT-Harvest's Richard Stiennon speaks with RSA's Matthew Gardiner about what incident response means today, why prevention is insufficient, and what capabilities are required to do it better, including the role of a CIRC or SOC. http://youtu.be/CtC_pwtKX18

IT-Harvest's Richard Stiennon speaks with RSA's Christina Jasinski about why traditional SIEM tools can't keep up with today's advanced threats and how RSA Security Analytics can provide the context and analytical capabilities required for incident detection and investigation. http://youtu.be/BOXnPDU7VFI

Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. We have added a few useful submission links this month, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment. Of particular note this month, we have created parsers for identifying servers vulnerable to Heartbleed, as well as Heartbleed exploit attempts:

 

How to detect the Heartbleed Vulnerability using RSA Security Analytics

 

Parsers that have been created to address Heartbleed are now available in RSA Live.  These are available for all RSA Live subscription tiers.  The specific parsers are “TLS” and “TLS_lua”. Users subscribed to either of these parsers will be updated automatically. Users not currently subscribed to either piece of content should disable the default TLS parser and subscribe to one of the two TLS parsers available on RSA Live. For customers running RSA NetWitness / RSA Security Analytics version 10.2 and below, use the Flex parser “TLS”. For those running version 10.2 and above, use the Lua parser “TLS_lua”.

 

To detect vulnerable servers, look for instances of “openssl vulnerable to heartbleed” under the risk.informational meta key. To detect exploit attempts, look for “heartbleed data leak” under the risk.warning meta key.

 

Search for tag “heartbleed” on Live for a full list of parsers associated with Heartbleed.
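For readers who want to see what a "heartbleed data leak" detection has to look at on the wire, the following is an added example and not the RSA TLS/TLS_lua parser. It walks the TLS record layer, picks out Heartbeat records (content type 24), and flags two things: a heartbeat request whose declared payload_length exceeds the bytes actually carried in the record (the malformed request an exploit sends), and a heartbeat response that echoes back more data than the preceding request could have supplied (the leak itself). The TLS streams are constructed inline; the "openssl vulnerable to heartbleed" server-side check is not reproduced here.

```python
import struct

TLS_HEARTBEAT = 24          # TLS content type for the Heartbeat protocol (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding


def tls_records(data):
    """Yield (content_type, version, payload) for each TLS record in a byte string."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        yield ctype, version, data[off + 5:off + 5 + length]
        off += 5 + length


def heartbleed_findings(stream):
    """stream: list of (direction, raw_bytes) with direction 'c2s' or 's2c'.
    Returns the findings in the order they are observed."""
    findings = []
    last_request_carried = None   # bytes the last heartbeat request actually put on the wire
    for _direction, data in stream:
        for ctype, _version, payload in tls_records(data):
            if ctype != TLS_HEARTBEAT or len(payload) < 3:
                continue
            hb_type, declared = struct.unpack("!BH", payload[:3])
            carried = len(payload) - 3       # payload + padding really present
            if hb_type == HB_REQUEST:
                last_request_carried = carried
                if declared > carried:       # asks the peer to echo more than it sent
                    findings.append("heartbleed exploit attempt")
            elif hb_type == HB_RESPONSE and last_request_carried is not None:
                # A correct server can echo at most what it received (plus its own padding).
                if carried > last_request_carried + MIN_PADDING:
                    findings.append("heartbleed data leak")
    return findings


# --- constructed sample streams (not captured traffic) ---------------------
def tls_record(ctype, payload, version=0x0302):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def heartbeat(hb_type, declared_len, payload, padding=b"\x00" * MIN_PADDING):
    return struct.pack("!BH", hb_type, declared_len) + payload + padding


BENIGN_STREAM = [
    ("c2s", tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, 4, b"ping"))),
    ("s2c", tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, 4, b"ping"))),
]
EXPLOIT_STREAM = [
    # request declares 16384 bytes but carries none; a patched server drops it
    ("c2s", tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, 0x4000, b""))),
    # a vulnerable server echoes process memory; 256 bytes shown for brevity
    ("s2c", tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, 256, b"A" * 256))),
]

if __name__ == "__main__":
    print("benign :", heartbleed_findings(BENIGN_STREAM))
    print("exploit:", heartbleed_findings(EXPLOIT_STREAM))
```

Looking at the response rather than only the request matters in practice: the request alone tells you someone tried, while an oversized response is the evidence that the server was unpatched and actually leaked memory.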

 

 

 

The categories of new and updated content are as follows:

 

Application Rules

Event Stream Analysis Rules

Log (Device) Parsers

LUA Parsers

Flex Parsers

Security Analytics Rules

           

 

The Latest Research from RSA

 

Introducing a new blog that details how emergent malware is designed to defeat hash-based solutions.

 

The Malware Factory and Massive Morphing Malware

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/26/the-malware-factory-and-massive-morphing-malware

 

RSA’s FirstWatch team has posted a blog detailing a new variant of Kazy that uses a wrapped JSON file for its Command and Control. A simple detection rule is included, as is a PCAP for analysis and testing purposes.

New Kazy Variant: Kazy Force

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/28/new-kazy-variant-kazy-forces

 

Additionally, RSA’s Content team is updating log parser support for major IDS/IPS vendors as they release Heartbleed specific signatures. Currently RSA’s Content team has updated support for Cisco, Snort, and SourceFire, with more being added as they become available.

 

 

We look forward to presenting you new content updates next month!

Regards,

The RSA Security Analytics Content Team

 

Content Updates

 

Updated Application Rules

 

Enhanced

Title: suspicious php put long query

Desc: Detects PUTs to PHP pages that include extremely long query strings. This behavior is often indicative of botnet or malware encoded check-in traffic.

 

 

New ESA Rules

 

Title: Detect Port Knocking Packet

Desc: Detects when four failed port connection attempts are followed by a successful connection from a single source within the specified time period. You can configure the time period (default is five minutes), IP sources (list of IP addresses to exclude from the alert), and the port range (RANGE followed by the port numbers).
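The port-knocking rule above is a windowed correlation: N failed connection attempts from one source, then a success from that source, inside a time window, with an exclusion list and an optional port range. The following is an added stand-alone example of that logic (not the ESA rule itself or its EPL), run over constructed connection events. Defaults mirror the description (four failures, five-minute window); the event shape `(timestamp_seconds, src_ip, dst_port, outcome)` is an assumption for the illustration.

```python
from collections import defaultdict, deque

# Constructed connection events: (timestamp_s, src_ip, dst_port, outcome). Not real log data.
EVENTS = [
    (0,   "203.0.113.9",  7000, "fail"),
    (10,  "203.0.113.9",  8000, "fail"),
    (20,  "203.0.113.9",  9000, "fail"),
    (30,  "203.0.113.9",  1000, "fail"),
    (40,  "203.0.113.9",  22,   "success"),   # four knocks then a success: alert
    (0,   "198.51.100.4", 7000, "fail"),
    (400, "198.51.100.4", 8000, "fail"),
    (410, "198.51.100.4", 9000, "fail"),
    (420, "198.51.100.4", 1000, "fail"),
    (430, "198.51.100.4", 22,   "success"),   # first failure aged out: only three in window
    (50,  "192.0.2.77",   5000, "fail"),
    (60,  "192.0.2.77",   22,   "success"),   # one failure: never enough
]


def port_knock_alerts(events, window=300, failures=4, exclude=frozenset(), port_range=None):
    """Return (src_ip, success_timestamp) for every success that follows at least
    `failures` failed attempts from the same source within `window` seconds.
    `exclude` is the rule's IP exclusion list; `port_range` is (low, high) and,
    when given, only events to ports inside it are considered."""
    recent = defaultdict(deque)       # src_ip -> timestamps of recent failures
    alerts = []
    for ts, src, port, outcome in sorted(events):
        if src in exclude:
            continue
        if port_range is not None and not (port_range[0] <= port <= port_range[1]):
            continue
        q = recent[src]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if outcome == "fail":
            q.append(ts)
        elif outcome == "success" and len(q) >= failures:
            alerts.append((src, ts))
            q.clear()                     # one alert per knock sequence
    return alerts


if __name__ == "__main__":
    for src, ts in port_knock_alerts(EVENTS):
        print(f"Port knocking from {src}, success at t={ts}s")
```

Restricting the port range to well-known ports (1-1023) makes the first source's high-port knocks invisible to the rule, so no alert fires; that is the trade-off the port-range parameter buys you.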

 

Title: Multiple Login Failures from Same Source IP with Unique Usernames

Desc: Detects when log events that contain multiple failed login events from the same source IP address with unique usernames occur within the specified time period. You can configure the time period (default is 180 seconds) and number of failed logins (default is three).

 

Title: Detects Router configuration attempts

Desc: Detects when someone tries to change a router configuration. The alert triggers when the Event Classification Tags (ECT) ec.subject equals Configuration, ec.activity equals Modify, and device.class equals Router. The alert also triggers when the NWFL_config:router-change application rule matches.

Title: Multiple SYN packets from Same Source

Desc: Detects when the specified number of SYN packets from the same source occur in the specified time period. You can configure the time period (default is 60 seconds) and the SYN count (default is 100 packets).

Title: Backdoor Activity Detected

Desc: Detects backdoor activity within log files. The rule triggers an alert when the Event Classification Tags (ECT) of ec.theme is equal to TEV and ec.activity is equal to Detect in combination with a variation of the backdoor keyword found in policy.name or event.category.name. You can add a list of backdoor names that the rule looks for by default in both policy.name and event.category.name.

Title: Windows User Added to Administrators Group and Security Disable.

Desc: Detects when a Windows user was added to an administrative group and the security center or manager was disabled within the specified time period. You can configure the list of administrator groups and the time period (default is five minutes). Note: This rule uses the accesses and event.desc non-standard meta keys. You must implement these non-standard meta keys after you download this rule.

 

Title: Detection of Encrypted Traffic to Countries

Desc: Detects encrypted traffic to an IP address registered in the specified list of destination countries. Note: You must upload and enable the TLS_lua parser, the SSH_lua parser and their dependencies on the Decoder. You can configure the list of destination countries using a colon ":" as the delimiter between countries.

 

Title: Multiple Logs from a MsgID Set with Same SourceIP and DestinationIP

Desc: Detects when multiple log events from the specified list of message IDs, with the same source IP and destination IP, take place in the specified time period. You can configure the number of log events (default is three), the list of message IDs, and the time period (default is 300 seconds).

 

Title: Multiple Unique Logs from MsgID Set with Same SourceIP and DestinationIP

Desc: Detects when the specified number of log events from the specified list of message IDs (each log must have a unique message ID within the specified set), with the same source IP and destination IP, occur in the specified time period. You can configure the number of log events (default is three), the list of message IDs, and the time period (default is 300 seconds).

 

Updated ESA Rules

 

Title: Multi-Service connection attempts_Pckt

Desc: Detects multiple connection failures, based on packet data, from the same source to multiple common service ports (destination ports, e.g. TCP 21, 22, 23, 25, 80, 8080, 443) on the same destination within a five-minute window. The time window, the list of destination ports to monitor, and the number of connection attempts are configurable.

Title: Account Created and Deleted within an hour.

Desc: Account Created and Deleted within an hour.

 

New Log Parsers

 

Title: Oracle Access Manager

Desc: Log Device content for event source Oracle Access Manager - oracleam

 

Updated Log Parsers

 

Title: Envision Content File

Desc: This file is used to update the content file for NWFL

 

Title: Arbor Peakflow SP

Desc: Log Device content for event source Arbor Peakflow SP - arborpeakflowsp

 

Title: F5 BigIP

Desc: Log Device content for event source F5 BigIP - bigip

 

Title: Blue Coat ELFF

Desc: Log Device content for event source Blue Coat ELFF - cacheflowelff

 

Title: Cisco ASA

Desc: Log Device content for event source Cisco ASA - ciscoasa

 

Title: Cisco Secure IDS XML

Desc: Log Device content for event source Cisco Secure IDS XML – ciscoidsxml

 

Title: Cisco Security Agent

Desc: Log Device content for event source Cisco Security Agent - ciscosecagent

 

Title: Dragon IDS

Desc: Log Device content for event source Dragon IDS – dragonids

Title: eEye Blink

Desc: Log Device content for event source eEye Blink - eeyeblink

 

Title: eEye REM

Desc: Log Device content for event source eEye REM - eeyerem

 

Title: F5 Firepass

Desc: Log Device content for event source F5 Firepass - firepass

 

Title: Fortinet FortiGate

Desc: Log Device content for event source Fortinet FortiGate - fortinet

 

Title: Infoblox NIOS

Desc: Log Device content for event source Infoblox NIOS - infobloxnios

 

Title: IntruShield

Desc: Log Device content for event source IntruShield - intrushield

 

Title: Invincea

Desc: Log Device content for event source Invincea - invincea

 

Title: McAfee Email Gateway

Desc: Log Device content for event source McAfee Email Gateway - ironmail

 

Title: iSeries

Desc: Log Device content for event source iSeries - iseries

 

Title: ISS Realsecure

Desc: Log Device content for event source ISS Realsecure - iss

 

Title: Juniper SSL VPN

Desc: Log Device content for event source Juniper SSL VPN - junipervpn

 

Title: Kaspersky Anti-Virus

Desc: Log Device content for event source Kaspersky Anti-Virus - kasperskyav

 

Title: Microsoft Exchange

Desc: Log Device content for event source Microsoft Exchange - msexchange

 

Title: Netapp

Desc: Log Device content for event source Netapp - netapp

 

Title: Netscreen

Desc: Log Device content for event source Netscreen - netscreen

 

Title: Oracle

Desc: Log Device content for event source Oracle - oracle

 

Title: Palo Alto Networks Firewall

Desc: Log Device content for event source Palo Alto Networks Firewall - paloaltonetworks

 

Title: SAP ERP Central Component

Desc: Log Device content for event source SAP ERP Central Component - sap

 

Title: Snort/Sourcefire

Desc: Log Device content for event source Snort/Sourcefire - snort

 

Title: Symantec AntiVirus/Endpoint Protection

Desc: Log Device content for event source Symantec AntiVirus/Endpoint Protection - symantecav

 

Title: Trend Micro Deep Security

Desc: Log Device content for event source Trend Micro Deep Security - trendmicrods

 

Title: Trend Micro Deep Security Agent

Desc: Log Device content for event source Trend Micro Deep Security Agent - trendmicrodsa

 

Title: VMware ESX / ESXi

Desc: Log Device content for event source VMware ESX / ESXi - vmware_esx_esxi

 

Title: VMware View

Desc: Log Device content for event source VMware View - vmware_view

 

Title: Windows Events (NIC)

Desc: Log Device content for event source Windows Events (NIC) - winevent_nic

 

Title: Linux

Desc: Log Device content for event source Linux - rhlinux

 

New Lua Parsers

 

Title: TFTP_lua

Desc: Identifies Trivial File Transfer Protocol and extracts names of files transferred.

 

Updated Lua Parsers

 

Title: TLS_lua

Desc: Identifies TLS and SSL sessions. Extracts the Certificate Authority Subject and Serial Number from x509v3 certificates.


Title: MAIL_lua

Desc: Replicates in Lua the functionality of the native and Flex MAIL parsers. Extracts values such as from, to, and subject from email messages.


Title: rtmp_lua

Desc: Identify Tunneled Real Time Messaging Protocol packets.


Title: fingerprint_job

Desc: Identifies windows .job task scheduling files.


Title: RDP_lua

Desc: Identifies the Microsoft Remote Desktop Protocol


Title: windows executable

Desc: Identifies windows executables and analyzes them for anomalies and other suspicious characteristics


Title: IRC_verbose_lua

Desc: Expanded IRC parsing implemented in lua.

 

Updated Flex Parsers

 

Title: TLS

Desc: Parses SSL/TLS certificates. Specifically, it looks for the first certificate in a chain and extracts the Issuer Organizational Name (meta ssl.ca), Subject Organizational Name (meta ssl.subject), and Subject Common Name (meta alias.host).


Title: DNS - Verbose

Desc: Identifies DNS sessions. Registers queries and responses including record types. Registers protocol errors. Detects and registers anomalies.


Title: Advanced Windows Executable

Desc: Detects executable content and assigns it a threat rating according to the level of code obfuscation evident in the binary structure.


Title: Botnet Traffic Patterns

Desc: Detects patterns associated with many known botnets.


Title: File Fingerprints

Desc: Forensically fingerprints various filetypes.

NOTE: This parser is deprecated and the individual "fingerprint_*" parsers should be used in its place.

 

Updated Security Analytics Rules

 

Title: Failed Remote Access Summary

Desc: Compliance Rule- Failed Remote Access Summary


Title: Successful Remote Access Summary

Desc: Compliance Rule- Successful Remote Access Summary

 

Seeking Customer Developed Parsers, Rules, and Reports

 

Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.

 

-Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it!  Reach out to us at:

 

ASOC-LIVE-CONTENT@emc.com

Your emails will go directly to the Content Management team, and we look forward to working with you to help evolve our content offering.


-Do you want to request support for a new log source or protocol?

 

For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx

For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx

 

-Do you want to request use cases for Event Stream Analysis Rules?

 

Please use our request form: https://emcinformation.com/204401/REG/.ashx

 

-The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:

 

 

https://developer-content.emc.com/login/register.asp
