Crooks steal security firm’s crypto key, use it to sign malware

Hackers broke into the network of security firm Bit9 and used one of its cryptographic certificates to infect at least three of its customers with digitally signed malware, the company said on Friday afternoon.

The compromise is striking because Bit9's "application whitelisting" approach allows virtually all digitally signed software to run on customers' networks and PCs. Stealing one of its credentials and using it to sign malware all but guarantees it will get a free pass on the systems of customers who use the service. Bit9 is contracted to help secure the networks of the US government and a variety of Fortune 500 companies. The breach was first reported by KrebsonSecurity reporter Brian Krebs.

"Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network," CEO Patrick Morley wrote in a blog post. "As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware."


Malvertising and Dynamic DNS: A Never Ending Story

Contributor: John Harrison

Symantec has been tracking a large malvertising campaign for over 5 months now. The campaign is still active and uses Dynamic Domain Name System (DDNS) to prevent itself from being tracked.

The campaign spread rapidly and compromised popular domains and adult websites. High profile domains with an Alexa ranking of 5,000 or under have also been compromised. Some compromised websites were cleaned after Symantec products alerted users who visited them. However, many of the domains remain compromised.

The interesting thing about infections delivered through malvertising is that they do not require any user action (such as clicking) to compromise the system, and they do not exploit any vulnerabilities on the website or the server hosting it. Infections delivered through malvertising silently travel through Web page advertisements served by online marketing services.

Symantec has tracked this campaign over the last four months. The campaign is still active and continues to compromise users.

Figure 1. Recent malvertising detections

The infection cycle starts with the attackers creating malicious ads and injecting obfuscated JavaScript. These ads are then hosted on advertising networks across different clean domains which, in turn, compromises the users visiting those domains.

Some obfuscated JavaScript is shown in the following screenshot.

Figure 2. Malvertising using obfuscated JavaScript

The malicious JavaScript can be divided into four parts.

  1. Check for the presence of the Internet Explorer browser with ActiveX enabled because this script only affects Internet Explorer users.

Figure 3. Check for IE browser that has ActiveX enabled

  2. Implement cookies to track compromised computers, deliver targeted ad-redirects, and track URLs.

Figure 4. Tracking implementation

  3. Select random domain name from list. (Symantec has observed the use of over 50 different dynamic domains hosted on multiple servers in the last five months.)

Figure 5. Use of dynamic domains

  4. Create a hidden iFrame and pair dynamic domains with common directory names such as news, finance, songs, and forums.

Figure 6. Pairing dynamic domains with common directory names

This iFrame then redirects users to a final URL created by appending common directory names with dynamic domains. For example:


The final URL generated in the above step then redirects to a page where Java fingerprinting is done and a malicious .jar file is executed accordingly. We have seen variations in .jar file extensions. Apart from “.jar”, we have seen the use of extensions related to image formats (e.g. .gif and .jpg), as seen in Figure 7.

Figure 7. JAR file with .gif file extension

Multiple JAR files are dropped based on the Java runtime version of the affected user. We have observed the JAR files exploiting vulnerabilities identified as Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2012-4681) and Oracle Java Runtime Environment CVE-2013-0422 Multiple Remote Code Execution Vulnerabilities (CVE-2013-0422). The following screenshot shows an obfuscated Java class file extracted from the JAR file which targets CVE-2013-0422.

Figure 8. Java class file targeting CVE-2013-0422

Once the Java vulnerability is exploited successfully and the Java sandbox restriction is bypassed, the JAR file creates dynamic-link library (DLL) entries inside a temporary directory and adds the corresponding registry entries on a compromised computer. The DLL names are randomly generated each time the JAR file is compiled. Example file names observed in analysis include:

  • %Temp%\spoolsv.dll
  • %Temp%\winlogon.dll
  • %Temp%\java.dll
  • %Temp%\alg.dll
  • %Temp%\firefox.dll

These DLL files then download other malware onto the compromised computer.

Malvertisement is a growing issue, increasing 20 times over from 2010 to 2012. More than 50 percent of publishers have experienced a malvertising incident one or more times.

Symantec customers are already protected from these attacks using multilayered protection provided by our security products. Symantec Endpoint Protection 11 and 12 include the Network Threat Protection - IPS technology that proactively protects against malvertisements and the resulting drive-by download. Enterprise customers must ensure that they have enabled Network Threat Protection within their product for protection. All Norton solutions have the Network Threat Protection technology automatically enabled in their products.

The following is a partial list of IPS Signatures that block the Web attack toolkit from dropping the malware from the malvertisement:

Symantec antivirus also detects the dropped payload as Backdoor.Trojan and the corresponding JAR files as Trojan.Maljava.

Symantec has recently launched Symantec AdVantage, which is a cloud based anti-malvertisement product with sophisticated detection and reporting capabilities that helps prevent ad publishers and distributors from propagating malware to customers.

Symantec recommends that website owners who include advertising on their websites check out the anti-malvertisement guidelines recommended by the Online Trust Alliance (OTA). The Online Trust Alliance is a non-profit with the mission to enhance online trust, while promoting innovation and the vitality of the Internet. Symantec is a founding member of the Online Trust Alliance.

Users with the latest Java update (Java 7 update 13) are currently no longer at risk through silent exploitation. To avoid being exploited, it is recommended that users continuously apply the latest updates to their operating systems, software, and antivirus and IPS definitions.

Culture Mapping Tool

Dave Gray posted on his blog that he has created a tool to help understand corporate cultures. This looks very interesting… I could see lots of uses for this tool as an Enterprise Architect. The typical stakeholder management only gets you so far; this takes it to the next level if the tool is effective.

The collaborative effort between Dave Gray, Alex Osterwalder, Alan Smith, and Chris Finlay has yielded a prototype and the graphic below:

Culture Mapping


In his words:

The culture mapping tool was so useful that I have long thought it would make an excellent tool for any company that’s dealing with a difficult transformation that will require rethinking, re-imagining or simply shifting the company culture.


More Information and developments


Adobe Zero-day Used in LadyBoyle Attack

Yesterday, Adobe released an out-of-cycle patch that fixed two zero-day vulnerabilities (CVE-2013-0633, CVE-2013-0634) for Adobe Flash Player 11.5.502.146 and earlier versions for both Windows and Macintosh. The patch was released because the zero-days were being actively exploited for attacks in the wild. Symantec recommends applying the patch immediately.

Reports of the attack seen in the wild using CVE-2013-0634 have been dubbed “LadyBoyle” following FireEye’s initial analysis of the attack. In the analysis they identified a class file, with the name LadyBoyle, that contained the exploit code. Symantec can confirm that these exploits were actively being distributed in targeted attacks in the wild. Figure 1 shows an example of a targeted attack email with a Word document attachment that contains CVE-2013-0634. Symantec Mail Security for Microsoft Exchange blocked the attack on February 4.

Figure 1. Targeted email containing exploit

If the targeted attack was successful and a victim opened the attached document, the Flash object contained within the document would execute the Flash zero-day (CVE-2013-0634), as seen in Figure 2.

Figure 2. Targeted attack using CVE-2013-0634

As seen in Figure 2, Symantec has detections in place for the stages of this attack as Trojan.Mdropper, Trojan.Swifi, and Backdoor.Boda. Once a system has been compromised with Backdoor.Boda it will contact a command-and-control (C&C) server hosted at, which is currently offline. The following intrusion prevention signature (IPS) will be released later today for CVE-2013-0634, which is known to be actively delivered through malicious Flash (SWF) content hosted on websites:

Web Attack: Adobe SWF RCE CVE-2013-0634 2

We are currently investigating further protections for this zero-day and will provide an update to this blog when possible. As always, Symantec advises users to ensure that operating systems and software are kept up to date and to avoid clicking on suspicious links and opening suspicious email attachments.

Update 02-13-13:

After further analysis we have confirmed that the exploit referred to in this blog is CVE-2013-0634 and not CVE-2013-0633 as originally stated.

The following detections for this threat have been added:

IPS signatures