For several weeks there has been a great deal of talk about the “undeclared global cyber war”. There have been accusations that China is stealing almost anything they choose and that they have a “shopping list” that gives priority to key industries like:
- Clean energy industry
- Biotechnology
- Semiconductors
- Information technology
- Aerospace technology
- Medical technology
This month, Lockheed Martin raised the alarm on an Adobe Reader zero-day exploit that was being exploited in the wild. Once again the payload dropped was Sykipot, a known malware that has appeared several times in combination with zero-day exploits and has been used to launch targeted attacks since 2007. The list of known zero-day exploits used by Sykipot’s authors during these years is as following:
CVE | Date | Product |
---|---|---|
CVE-2007-0671 | 2007-02-02 | Microsoft Excel |
CVE-2009-3957 | 2010-12-01 | Adobe Reader |
CVE-2010-0806 | 2010-05-04 | Internet Explorer |
CVE-2010-2883 | 2010-09-08 | Adobe Reader |
CVE-2010-3654 | 2010-10-28 | Adobe Flash Player |
CVE-2011-2462 | 2011-12-06 | Adobe Reader |
The “drone” campaign
There have been a lot of different campaigns with different Command-And-Control servers. The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit to key employees of different organizations.
In most of the campaigns the malware dropped displays some document or media attractive to the victim. After analyzing most of the campaigns, we discovered a group of samples connecting to the same C&C server that attracted our attention because of the media displayed after the infection:
As you can see, all the content is related with US UCAVs (unmanned combat air vehicle):
- http://www.airforce-technology.com/projects/x-45-ucav/
- http://www.airforce-technology.com/projects/boeing-x37/
We can imagine that this campaign could target organizations related to technology used in this kind of vehicles like aerospace and military industries.
Some of the mails used contain attachments with names like:
- X-37B Orbital Test Vehicle.scr
- X-45b.scr
With the information we collected it appears that this campaign has been running for months. The domain used for the C&C server was registered on 2011-03-04 and we detected two different campaigns with timestamps on 09/08/2011 and 09/26/2011.
Here is the list of analyzed samples:
MD5 | Creation Date | Campaign String |
---|---|---|
d978d8071c19a4aca13b4180d250f4db | 09/08/2011 13:16:19 | -help20110908 |
425c0856e5aec8bdf91ac0cf5aec2805 | 04/19/2011 12:55:24 09/08/2011 13:16:19 |
-help20110908 |
cb0ceb37e2eb11ea4ee5090a09fd8b4d | 09/26/2011 09:16:19 | -help20110926 |
6f8601931c450e1f79ae560f4de98665 | 04/19/2011 12:55:24 09/26/2011 09:16:40 |
-help20110926 |
23309fbec1b3a063415c00fbeb50ee66 | 04/19/2011 12:55:24 09/26/2011 09:16:40 |
-help20110926 |
e36a8ff79bc641530071da6c8b8f15d7 | 04/19/2011 12:55:24 09/26/2011 09:16:40 |
-help20110926 |
45b8cb1b9aa3c22ff10a2a00deed82a6 | 04/19/2011 12:55:24 09/08/2011 13:16:19 |
-help20110908 |
bf61f5d008c385b63429127849998745 | 04/19/2011 12:55:24 09/08/2011 13:16:19 |
-help20110908 |
248def2faa654efb0fb4c4d594757957 | 04/19/2011 12:55:24 09/08/2011 13:16:19 |
-help20110908 |
08883b00a3969db54bbfb7bb1a20b531 | 09/08/2011 13:16:05 | -help20110908 |
5144c11008eae61f7c654794b00b119d | 04/19/2011 12:55:24 09/08/2011 13:16:19 |
-help20110908 |
The trojan injects itself into Internet Explorer, Firefox or Outlook process memory and then connects to the C&C server, retrieving an encrypted configuration file with commands to execute on the victim’s system and then sends the results back to the C&C server. In this case the config file is as follow:
C:DOCUME~1userCONFIG~1gthelp.tmp,0 iexplore findpass2000 process ipconfig /all net start net view /domain net group "domain admins" /domain tasklist /v net localgroup administrators dir c:*.url /s systeminfo type c:oot.ini
Apart from this, the C&C mechanism permits the following actions:
- cmd
- shell
- run
- getfile
- putfile
- kill
- process
- reboot
- time
- door
Tracing C&C servers
After an analysis of the different domains used this year by Sykipot and the C&C headers and data, we discovered that they were using hacked servers mainly in the US to mask the real C&C server.
It appears that they used well known public exploits to hack into US based servers and then install a software to proxy the connections between the infected systems and the real C&C server.
We realized that most of the C&C servers were running a webserver called “Netbox” (http://www.netbox.cn) and most of them were using a self-signed certificate with the following subject:
/C=US/ST=North Carolina/L=Salisbury/O=Internet Widgits Pty Ltd/OU=VeriSign Trust Network/CN=ITU Server/emailAddress=marry.smith@ltu.edu
After a short investigation on the Netbox webserver, we learnt that it is a windows based webserver that allows developers to compile and deploy ASP web applications into a stand-alone executable file.
We also checked Shodan and discovered that there were only a couple of thousand servers running the webserver and nearly the 80% of the servers were located on China.
With this information, we thought that there was a good chance to localize these servers on Chinese network ranges. So we began to search Netbox servers running SSL on port 443 with a certificate issued to marry.smith@ltu.edu on the main Chinese ISP providers.
After some time, we confirmed our suspicion and we found 7 ip addresses belonging to “China Unicom Beijing province network” that matched our criteria.
Six of them were pointing to the same webserver (same certificate, same headers, timestamps) so it appears that they are using that machines to proxy the connections as well but we don’t know if one of them was the last C&C server.
Here is the certificate information:
Download http://alienvault-labs-garage.googlecode.com/svn/trunk/Sykipot/cert1.txt [no longer available]
There was another server serving a different certificate that seems to be pointing to a different C&C server:
Download http://alienvault-labs-garage.googlecode.com/svn/trunk/Sykipot/cert2.txt [no longer available]
Here is the Map with the active redirections (2011-12-17):
As we can see, the malware authors are masquerading the C&C through US servers in order to make the connections less suspicious as well as using SSL certificates that contain a mail address from Lawrence Tech University (mary.smith@ltu.edu).
They are using the default common name on the certificate. I have seen this behavior in other malware’s C&C. In order to detect a remote site serving this kind of certificates is good to run the following IDS signature:
alert tcp any 443 -> any any (msg:"POLICY self-signed certificate default common name detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"Internet Widgits Pty Ltd"; within:400; classtype:bad-unknown; sid:11111111113; rev:8;)
Apart from this rule, I think it is good to run the following rules for a while to detect the certificate serial number and other certificates that they can be serving using the mary.smith@ltu.edu mail address:
alert tcp any 443 -> any any (msg:"MALWARE Sykipot certificate serial number detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"|00 ec 32 09 67 c9 34 3f 50|"; within:30; classtype:bad-unknown; sid:11111111112; rev:8;)
alert tcp any 443 -> any any (msg:"MALWARE Sykipot certificate subject emailAddress detected"; flow:established,to_client; ssl_state: server_hello; content:"|16|"; content:"|0b|"; within:8; content:"marry.smith@ltu.edu"; within:400; classtype:bad-unknown; sid:11111111113; rev:8;)
Who is behind Sykipot
We shouldn’t jump to assumptions but whoever is behind Sykipot is massively collecting information from targeted victims that covers dozens of industries.
It’s true that the piece of malware isn’t too sophisticated, but it is related with at least six zero-day attacks that require skills and/or money. Anyway we have been seeing that “not too sophisticated malware” works, see Shady RAT for instance that targeted organizations ranging from defense contractors to accounting firms.
On the other hand, we have identified at least six Chinese ip addresses that are used to proxy or host the C&C servers. We also identified a tool that the Sykipot authors use to package and create campaigns:
In some of the samples it contains some Chinese message errors.
Apart from this, the “Netbox” webserver used in the C&C servers is mainly used by those who speak Chinese. In fact all the documentation to setup and learn the framework is only available in Mandarin.
Most of the domains used on these campaigns are registered on Xinnet, a Chinese domain registrant. Also the information of the domain owners (names, addresses, etc) are from China (not very relevant).
The origin of the tool seems to be from China, someone called LZX (lzx@qq.com) but anyone could have gotten the code, and compiled it.
The last piece of information is a string embedded in all of the Sykipot binaries: “19990817” used for another layer of encryption. It can be the date “Aug 17, 1999”. The only relevant event on that date was a 7.6 magnitude earthquake that killed around 17000 people in Turkey (http://en.wikipedia.org/wiki/1999_%C4%B0zmit_earthquake).
Someone has said that cyberwar does not exist?. Draw your own conclusions.