“Funded hacktivism” or cyber-terrorists, AmEx attackers have big bankroll

The "cyber-fighters of Izz ad-Din al-Qassam" took American Express down for two hours yesterday afternoon.

On March 28, American Express' website went offline for at least two hours during a distributed denial of service attack. A group calling itself "the cyber-fighters of Izz ad-Din al-Qassam" claimed responsibility for the attack, which began at about 3:00pm Eastern Time.

In a statement, an American Express spokesperson said, "Our site experienced a distributed-denial-of-service (DDoS) attack for about two hours on Thursday afternoon...We experienced intermittent slowing on our website that would have disrupted customers' ability to access their account information. We had a plan in place to defend against a potential attack and have taken steps to minimize ongoing customer impact."

The American Express DDoS is part of a new wave of attacks started two weeks ago by the Izz ad-Din al-Qassam group, which launched a larger campaign targeting US financial institutions that began last September. The group's alleged goal is to force the take-down of an offensive YouTube video—or extract an ongoing price from American banks as long as the video stays up, which could be indefinitely.


Are the 2011 and 2013 South Korean Cyber Attacks Related?

In the past four years there have been several major cyber attacks against South Korea. We have identified a particular back door (Backdoor.Prioxer) that surfaced during the 2011 attacks. A modified version of this back door was also discovered during the 2013 attacks. The back door is based on publicly available code, but there are some indications that the same individuals are responsible for the 2011 and 2013 versions, pointing towards a possible connection between the two attacks.

The first documented major attack was in July 2009. The attacks began on July 4, Independence Day in the United States, and consisted of a distributed denial-of-service (DDoS) attack against various Korean and US government and financial websites. A second wave of attacks occurred on July 7 and a third wave on July 9. The malware used to launch the attacks was Trojan.Dozer, which was spread through e-mail. Trojan.Dozer contained a time bomb in its code, triggered on July 10. This time bomb would overwrite various types of files on the hard drive and then overwrite the first one megabyte of the hard drive, destroying the MBR and partition table. The hard drive was overwritten with the string, “Memory of the Independence Day.”

The second major attack occurred on March 4, 2011. This attack was again a DDoS, and again it targeted U.S. and South Korean government institutions. The malware used was Trojan.Koredos. This malware also overwrote a specified set of file types and destroyed the MBR. During investigations into these attacks, a back door Trojan called Backdoor.Prioxer was discovered. The back door was quite sophisticated and infected files in a discreet manner. You can see our previous blog, which describes this technique in detail.

The third attack occurred on March 20, 2013. This attack appears to have used only hard drive overwrites, and no DDoS attacks. Trojan.Jokra overwrites the MBR and then the contents of the hard drive, independent of file format. It then looks for any mapped network drives and attempts to overwrite those as well. There appear to be multiple installation vectors, including e-mail and patch management. In this case the patch management system was an auto-update mechanism that was compromised to deliver the malware.

Similar to the 2011 Trojan.Koredos investigation, we discovered a new version of Backdoor.Prioxer (labeled Backdoor.Prioxer.B) while examining files from computers compromised with Trojan.Jokra. This new version shares the same C&C base protocol, but does not proxy IRC communications as the older version did. When we investigated this file further, in an attempt to determine how it was installed onto victims’ computers, we established a link with Trojan.Jokra.

Making connections
The Trojan.Jokra samples are obfuscated by the Jokra packer. The Jokra packer was also used to obfuscate a downloader (encountered in August 2012, with an MD5 of 50e03200c3a0becbf33b3788dac8cd46). This downloader was observed downloading Backdoor.Prioxer from the following location:


The link between Trojan.Jokra and Backdoor.Prioxer.B is also based on the Jokra packer. An additional malware sample (Trojan.Gen.2), found in the 2013 incident and packed with the Jokra packer, contains a build path string. This string describes where the sample was compiled on disk.

The path is:

Z:\Work\Make Troy\3RAT Project\3RATClient_Load\Release\3RATClient_Load.pdb

A Backdoor.Prioxer.B sample found in the same investigation also contains a build string:

Z:\Work\Make Troy\Concealment Troy\Exe_Concealment_Troy(Winlogon_Shell)\Dll\Concealment_Troy(Dll)\Release\Concealment_Troy.pdb

Clearly, the two separate pieces of malware were compiled from the same build source directory, Z:\work\Make Troy.
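As an added illustration of the build-path comparison above (example code written for this page, not Symantec's tooling): the script pulls PDB build paths out of constructed stand-in byte buffers carrying the two quoted strings plus an unrelated third sample, and reports which samples share a build directory. Directory names are compared case-insensitively because Windows treats "Z:\Work" and "Z:\work" as the same folder; the sample names and buffers are assumptions.

```python
from __future__ import annotations
import re
from itertools import combinations
from pathlib import PureWindowsPath

# Drive-rooted Windows path ending in .pdb, the form in which the compiler
# records the build location in a PE's debug directory (CodeView "RSDS" record).
PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00-\x1f]{1,400}?\.pdb", re.IGNORECASE)

def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every embedded PDB build path found in a raw file buffer."""
    return [m.group(0).decode("latin-1") for m in PDB_RE.finditer(data)]

def shared_build_root(paths: list[str]) -> str | None:
    """Longest leading directory common to all paths, compared case-insensitively
    (NTFS treats Z:\\Work and Z:\\work as one folder). None if nothing is shared."""
    parts = [PureWindowsPath(p).parts[:-1] for p in paths]  # drop the .pdb filename
    common = []
    for column in zip(*parts):
        if len({c.lower() for c in column}) != 1:
            break
        common.append(column[0])  # keep the first path's original casing
    return str(PureWindowsPath(*common)) if common else None

def link_samples(samples: dict[str, bytes], min_dirs: int = 2) -> list[tuple[str, str, str]]:
    """Pairs of samples whose build paths share at least `min_dirs` directories
    below the drive letter; a bare drive root is too common to count as evidence.
    Returns (sample_a, sample_b, shared_root) tuples."""
    paths = {name: extract_pdb_paths(blob) for name, blob in samples.items()}
    links = []
    for a, b in combinations(sorted(paths), 2):
        for pa in paths[a]:
            for pb in paths[b]:
                root = shared_build_root([pa, pb])
                if root and len(PureWindowsPath(root).parts) - 1 >= min_dirs:
                    links.append((a, b, root))
    return links

# Constructed stand-in buffers (not the real binaries): a fake PE header stub,
# an RSDS marker, and the build strings quoted in the text, plus an outlier.
SAMPLES = {
    "trojan_gen_2.bin": b"MZ\x90\x00" + b"\x00" * 8 + b"RSDS" + b"\x00" * 20
        + b"Z:\\Work\\Make Troy\\3RAT Project\\3RATClient_Load\\Release\\3RATClient_Load.pdb\x00",
    "prioxer_b.bin": b"MZ\x90\x00" + b"\x00" * 8 + b"RSDS" + b"\x00" * 20
        + b"Z:\\Work\\Make Troy\\Concealment Troy\\Exe_Concealment_Troy(Winlogon_Shell)"
          b"\\Dll\\Concealment_Troy(Dll)\\Release\\Concealment_Troy.pdb\x00",
    "unrelated.bin": b"MZ\x90\x00RSDS" + b"\x00" * 20 + b"C:\\src\\tool\\Release\\tool.pdb\x00",
}

if __name__ == "__main__":
    for a, b, root in link_samples(SAMPLES):
        print(f"{a} <-> {b}: shared build root {root}")
```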

Work or fun?
If the Jokra packer is limited to the one group, then the connections between Backdoor.Prioxer.B and Trojan.Jokra are reliable. We believe that this packer is not publicly distributed because the number of detections for it is very low, the detections are limited to Korea, and so far they have only covered Jokra, the downloader, and the back door Trojan containing the “Z:” build string. This low prevalence is an indication that the packer is in use by only one group.

The connection between Backdoor.Prioxer.B and the 2011 attacks is not as clear cut. It is certainly suspicious that versions of Backdoor.Prioxer have been present during both attacks, but it could be explained away as the Trojan merely being discovered during the course of an investigation and not actually being related to the attacks. However, we think it is likely that the samples are related, given the Jokra connection.

Finally, the build path used in the Backdoor.Prioxer sample is itself informative. The path is “Z:\work”, and it seems unlikely that an independent hacktivist would use a folder labeled “work” to store their Trojan. For them, the development of a Trojan is not work; it is fun. The type of person who stores their code in a work folder is someone who is doing this professionally. The implication is that someone has been paid or ordered to perform these attacks, either as a contractor or as an employee.

Sprint, Softbank to shun Chinese networking equipment

Sprint Nextel and its new owner will limit their use of technology made by Chinese companies, and allow US national security officials to monitor changes to their equipment. The pending agreement will help them gain US approval of SoftBank's $20 billion acquisition of Sprint.

US officials have accused Chinese firms Huawei and ZTE of having close ties with the Chinese government and military. They claim the companies' equipment raises the threat of "cyber-espionage" or attacks on US communications networks, although a White House review last year found no clear evidence that Huawei spied for China.

The New York Times last night quoted anonymous government officials as saying that Sprint Nextel and the Japanese SoftBank "are expected to enter an agreement with American law enforcement officials that will restrict the combined company’s ability to pick suppliers for its telecommunications equipment and systems." Further, "The agreement would allow national security officials to monitor changes to the company’s system of routers, servers and switches, among other equipment and processes, the officials said. It would also let them keep a close watch on the extent to which Sprint and SoftBank use equipment from Chinese manufacturers, particularly Huawei Technologies."


Google Releases Google Chrome 26.0.1410.43

Original release date: March 29, 2013

Google has released Google Chrome 26.0.1410.43 for Windows, Mac, Linux, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities could allow a remote attacker to cause a denial of service or execute arbitrary code.

US-CERT encourages users and administrators to review the Google Chrome Release blog entry and update to Chrome 26.0.1410.43.
