Trojan.Taidoor: Balancing the Scales

Contributor: Jeet Morparia

A few weeks ago, we wrote about the Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2012-4681) being used in a targeted attack campaign by the Nitro attackers. Recently, we have discovered another group exploiting this vulnerability in the wild: the Taidoor attackers.

The Taidoor attackers began utilizing the vulnerability when the proof of concept (POC) began to circulate. On August 28, we discovered the malicious file Ok.jar (Trojan.Maljava!gen24) exploiting the CVE-2012-4681 vulnerability. If successfully exploited, an executable payload, Javaupdate.exe, will be dropped which opens a back door on a compromised computer. This is Trojan.Taidoor.

Figure 1. Code snippet from Ok.jar

This was the first time we saw the Taidoor attackers utilizing a zero-day vulnerability (patched by Oracle on August 30). In the past, these attackers have—as Symantec notes in our Taidoor whitepaper—relied on known, patched vulnerabilities, hoping to target computers with unpatched software.

Figure 2. Balancing the scales – Taidoor adds zero-day vulnerability

In addition to using the zero-day Java vulnerability, we also observed the attackers attempting to socially engineer their targets without the aid of software vulnerabilities. Targets are enticed through email about damage caused by Typhoon Libra (a major storm that swept across East and Southeast Asia during late August). This particular campaign spoke about damage inflicted on the island of Lanyu:

Figure 3. Email with malicious file attached

Email (translation):

Lanyu is devastated, having the worst disaster in its history.

Although the typhoon "Libra" is moving away from Taiwan, the whole island of Lanyu lies ruined after the level 17 gust brought by "Libra". The gust has totally blown down the island's only supermarket, the only gas station, as well as some other buildings. Many public facilities are almost completely destroyed. The entire island is still currently blacked out. The islanders are in urgent need of support from outside. This is the most serious disaster in the island's history.

The email contains a .zip file attachment. Inside this attached file are images that demonstrate the impact the typhoon had on the island—actual images found on the Internet. In addition to the images, however, there is an .scr file, which the attackers hope goes unnoticed so that the file will be opened (just like the image files) and thereby executed. Once the .scr file is executed, it drops a version of Trojan.Taidoor on the computer while it continues its ruse by displaying another image to the user. Symantec protects users by detecting the .scr file as Trojan.Dropper.
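A mail-gateway style check for the attachment pattern described above (genuine photos plus a single .scr dropper in one .zip), written as an added example that is not part of the original post; the sample archive, its file names and the extension lists are constructed for illustration and are not taken from the campaign.

```python
import io
import os
import zipfile

# File types Windows launches on double-click. The Lanyu lure hid a .scr (screensaver)
# among genuine photos; a double extension such as photo.jpg.scr displays as photo.jpg
# when Explorer hides known extensions.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

def classify_member(name):
    """Classify an archive entry by its final extension, the one Windows acts on."""
    ext = os.path.splitext(name)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in IMAGE_EXTS:
        return "image"
    return "other"

def inspect_attachment(zip_bytes):
    """Return (executables, image_count, decoy_ruse). decoy_ruse is True when an
    executable sits alongside images, the pattern above: real photos plus a hidden .scr."""
    executables, image_count = [], 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to classify
            kind = classify_member(name)
            if kind == "executable":
                executables.append(name)
            elif kind == "image":
                image_count += 1
    return executables, image_count, bool(executables) and image_count > 0

def build_sample_zip():
    """Constructed sample archive mimicking the lure: three photos plus a disguised .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(1, 4):
            zf.writestr(f"lanyu_{i:02d}.jpg", b"\xff\xd8\xff")  # placeholder JPEG header bytes
        zf.writestr("lanyu_04.jpg.scr", b"MZ")  # placeholder PE header; double extension
    return buf.getvalue()

if __name__ == "__main__":
    execs, images, ruse = inspect_attachment(build_sample_zip())
    print(f"{images} image(s); executable entries: {execs}; decoy ruse: {ruse}")
```

The check classifies only by final extension, so pair it with content inspection (for example, rejecting entries whose bytes start with an MZ header regardless of name) in a real gateway.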

Adding an unpatched vulnerability as a method of attack is a first for the Taidoor attackers and an interesting development. Does this mean that they will start to routinely leverage zero-day vulnerabilities going forward? Unlike the Elderwood Project, we do not believe the attackers behind Taidoor have their own zero-day vulnerabilities available. However, they have definitely balanced the scales with this new development.

Tech Giants Form Internet-Freedom Lobby to Counter MPAA, RIAA Clout

Internet Association President Michael Beckerman will lobby Congress for an open internet. Photo: Internet Association

Another lobbying group hit Washington, D.C. on Wednesday. But think again before you start screaming that it’s just another lobby representing the 1%.

The Internet Association, backed by behemoths Amazon, Google, Facebook and others — 14 groups in all — is focused on internet freedom — something that’s easy in principle and hard when it comes to details.

As a yardstick of what this group's philosophy is, its president said that had the group been around earlier this year, it would have lobbied against the Stop Online Piracy Act. Among other things, the measure would have required ISPs to prevent Americans from visiting piracy-blacklisted sites by altering the system known as DNS that turns site names like Google.com into IP addresses such as 174.35.23.56. Instead, for the blacklisted sites, ISPs would have had to lie to their customers and tell their browsers that the site doesn't exist.

The SOPA legislation — which was heavily backed by the Recording Industry Association of America and Hollywood’s lobbying arm, the Motion Picture Association of America — was among the main reasons for the association’s founding. House hearings on the debate, meanwhile, pitted the MPAA against Google. Lawmakers appeared more concerned about Google linking to pirated material than they were about the ramifications of granting the government the power to remove that content.

Giving the Justice Department the power to order internet service providers like Comcast and AT&T to block their users from visiting blacklisted sites would be unprecedented in the United States, though it's a common tactic used in countries like Syria, Iran and China to clamp down on political dissent and adult content.

The non-profit lobbying group, unveiled Wednesday, is “absolutely” against SOPA, Michael Beckerman, the coalition’s president, said in a telephone interview.

“We’ll make sure Congress understands how [the bill] will censor the internet and greatly harm the infrastructure of the internet,” he said.

He added: “Our mission is to be the unified voice of the internet economy in the policy debates that arise.”

Beckerman has 12 years' experience on Capitol Hill, most recently as deputy staff director of the House Energy and Commerce Committee working for Republican Fred Upton, a vocal opponent of net neutrality. That issue is likely to rear its head again in D.C. when a federal court hears a challenge to the FCC's new rules in the spring.

He said the group also supports reforming the Electronic Communications Privacy Act. Sen. Patrick Leahy (D-Vermont) is proposing sweeping digital privacy protections requiring the government, for the first time, to get a probable-cause warrant to obtain e-mail and other content stored in the cloud.

That measure, which is an amendment to separate legislation, is to be heard Thursday in the Senate Judiciary Committee.

“That’s obviously important and an issue we care about,” he said.

Another group of dozens of tech companies, called Digital Due Process, was formed for the express purpose of reforming ECPA, but so far has come up empty-handed.

The Internet Association is funded by some of the nation’s wealthiest internet companies. (Giants Apple, Microsoft and Oracle, an association spokeswoman said, are not a part of the group because it is composed largely of internet-focused companies.)

The association’s members include: Amazon, AOL, eBay, Expedia, Facebook, Google, IAC, LinkedIn, Monster Worldwide, Rackspace, Salesforce.com, TripAdvisor, Yahoo and Zynga.

Even rival lobbying groups welcomed the association.

“These companies have a crucial role to play in educating policymakers about how what happens in Washington affects online innovation and the ability of internet-based services to empower citizens and communities across the country,” Leslie Harris, the Center for Democracy and Technology president, said in a statement.

Beckerman isn’t spilling details on budgets.

“We’ll have the resources at our disposal,” he said, “to be effective and get the message out.”