Handling Sinkhole HTTP drone security incidents

Description

Reports indicating that a server (or a machine or PC connected through it via VPN, NAT, etc.) has contacted a Sinkhole server operated by a security organization without arriving through an HTTP referrer.

Since the Sinkhole server is only reached through domain names that were previously used for malicious purposes, the detected activity indicates that this server is either infected itself or is providing VPN/NAT services to an infected host.

More details about these reports: https://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone
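To make the triage described above concrete, the following added example (not part of the original article or of the report provider's tooling) groups referrer-less sinkhole hits per source IP and separates a single infected host from an address that looks like a NAT gateway or VPN endpoint fronting several infected machines. The CSV column names, the sinkhole hostname and all sample rows are constructed assumptions for this example, not the real report layout.

```python
import csv
import io
from collections import defaultdict

# Constructed sample report. The column names are an assumption for this
# example, not the layout documented by the report provider; IPs are RFC 5737
# documentation addresses and the sinkhole hostname is made up.
SAMPLE_REPORT = """timestamp,ip,src_port,type,http_agent,http_host,http_referer
2014-06-02 00:01:10,198.51.100.7,49152,sality,Mozilla/4.0,sinkhole.example,
2014-06-02 00:01:42,198.51.100.7,49153,sality,Mozilla/4.0,sinkhole.example,
2014-06-02 00:02:05,203.0.113.20,51000,zeus,Mozilla/5.0 (Windows NT 6.1),sinkhole.example,
2014-06-02 00:02:09,203.0.113.20,51001,downadup,Mozilla/4.0 (Windows XP),sinkhole.example,
2014-06-02 00:02:30,203.0.113.20,51002,pushdo,Mozilla/5.0 (Windows NT 6.0),sinkhole.example,
2014-06-02 00:03:00,192.0.2.9,40000,sinkhole,curl/7.35.0,sinkhole.example,http://research.example/
"""

def triage(report_text):
    """Group referrer-less sinkhole hits per source IP and classify each IP.

    Hits carrying an HTTP referrer are skipped: by the report's own definition
    only referrer-less hits indicate an infection. One drone type and one user
    agent behind an IP is most likely a single infected host; several distinct
    drone types or user agents behind the same IP suggest a NAT gateway or VPN
    concentrator in front of several infected machines, which changes who has
    to be contacted and how many hosts need cleaning.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "types": set(), "agents": set()})
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["http_referer"].strip():
            continue  # reached the sinkhole via a referrer: not counted as a drone
        entry = per_ip[row["ip"]]
        entry["hits"] += 1
        entry["types"].add(row["type"].lower())
        entry["agents"].add(row["http_agent"])

    result = {}
    for ip, e in per_ip.items():
        multi = len(e["types"]) > 1 or len(e["agents"]) > 1
        result[ip] = {
            "hits": e["hits"],
            "types": sorted(e["types"]),
            "verdict": "nat_or_vpn_multiple_hosts" if multi else "single_infected_host",
        }
    return result

if __name__ == "__main__":
    for ip, summary in sorted(triage(SAMPLE_REPORT).items()):
        print(ip, summary)
```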

Details about reported drones 

  • Drone type: Sality

The virus is a polymorphic file infector which modifies executable files by appending its encrypted body to the end of the files. To reach its code, the virus replaces the code at the entry point with a polymorphic sequence holding the decryption routine.

Affected systems: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

More details:

http://www.bitdefender.com/VIRUS-1000630-en--Win32-Sality-2-OE.html

  • Drone type: downadup

Worm/Downadup is malicious software that, once executed, can replicate itself and infect other files and programs. This type of malware, commonly called a virus, consumes hard disk space and memory and can slow down or completely halt your PC.

Affected systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

More details:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

http://www.avgthreatlabs.com/virus-and-malware-information/info/worm-downadup/

http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html

  • Drone type: Beebone

Win32/Beebone is a family of Visual Basic-compiled trojan downloaders that download and run other well-known malware, such as Win32/Vobfus, Win32/Fareit, Win32/Zbot, Win32/Sirefef and Trojan:Win32/Necurs.

More details:

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=3255551#none

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Beebone

http://threatpost.com/vobfus-worm-beebone-trojan-create-malware-infection-loop

http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/trojandownloaderwin32beebonebr 

  • Drone type: Glupteba

The trojan serves as a backdoor. It can be controlled remotely.

More details:

http://www.virusradar.com/en/Win32_Glupteba.G/description

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=588

https://www.sonicwall.com/us/en/esblogs.html?id=63 

  • Drone type: stealrat

StealRAT was a botnet that piggybacked onto many breached WordPress sites back in July 2013. StealRAT is an advancement in mass-mailing, or spamming: as new spam detection is released and put into place, spammers must find ways to circumvent these new technologies. Trend Micro was one of the first companies to discover this piece of malware; as stated in their blog post, the malware's method consists of three essential components:

- Compromised website for sending spam
- Compromised systems for harvesting and delivering the spam data
- Compromised website for delivering the payload

Source: http://zerosecurity.org/2014/06/stealrat-pops-back-2014

More details:

http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations/

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf

http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29

  • Drone type: IRCBot

The IRCBOT malware family uses Internet Relay Chat (IRC) to send and receive commands from a bot master that operates each specific variant. IRCBOT malware is known to propagate via removable drives and by exploiting software vulnerabilities. IRCBOT can also use instant messaging programs like Yahoo! Messenger, MSN Messenger and Windows Live Messenger to propagate.

More details:

http://www.symantec.com/security_response/writeup.jsp?docid=2011-040711-0927-99

http://about-threats.trendmicro.com/Malware.aspx?language=au&name=IRCBOT 

http://about-threats.trendmicro.com/us//archive/malware/BKDR_IRCBOT.AGF 

  • Drone type: pushdo

Pushdo is a botnet primarily used for spamming. Recently it has been observed launching Distributed Denial of Service (DDoS) attacks against certain SSL-enabled websites. The Pushdo malware is also known as Pandex and some components are known as Cutwail.

Pandex is Symantec's name for this Trojan. Trojan.Pandex is a Trojan horse that sends spam from a remote server and gathers email addresses from the compromised computer.

More details:

https://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99 

http://www.iss.net/threats/pushdoSSLDDoS.html

http://en.wikipedia.org/wiki/Cutwail_botnet

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129

http://msmvps.com/blogs/harrywaldron/archive/2010/02/02/pushdo-botnet-new-ddos-attacks-on-major-web-sites.aspx 

  • Drone type: Ransomware

Ransomware is a type of malware that stops you from using your PC. It may then tell you that you have to pay money, complete surveys, or perform other actions to unlock and use your PC.

Some types of ransomware are also called "FBI Moneypak" or the "FBI virus". They often use the FBI or local police logos and ask you to pay a fine using the legitimate money transfer service Green Dot MoneyPak.

Most ransomware shows a notification that says your local authorities have detected illegal activity on your PC. They then demand you pay a "fine" (the ransom) to avoid prosecution and to get access to your files again.

More details:

http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/

http://en.wikipedia.org/wiki/Ransomware

http://news.techworld.com/security/3343528/ransom-trojans-spreading-beyond-russian-heartland/

http://www.infoworld.com/t/security/mcafee-cyber-criminals-using-android-malware-and-ransomware-the-most-219916

http://www.ic3.gov/media/2012/121130.aspx

http://www.fbi.gov/news/stories/2012/august/new-internet-scam/new-internet-scam

http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

http://www.securitycentral.org.nz/cybersecurity-for-small-businesses/dealing-with-ransomware-and-remote-access-hacking/

http://en.wikipedia.org/wiki/CryptoLocker

http://www.sophos.com/en-us/support/knowledgebase/119006.aspx 

  • Drone type: sinkhole

These IP addresses are all the devices that joined our Sinkhole server without arriving through an HTTP referrer. Since the Sinkhole server is only accessed through previously malicious domain names, only infected systems or security researchers should be seen in this list.

More details:

http://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone 

  • Drone type: torpig

Torpig, also known as Sinowal or Anserin (mainly spread together with Mebroot rootkit), is a type of botnet spread by a variety of trojan horses which can affect computers that use Microsoft Windows. Torpig circumvents anti-virus applications through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer and can perform man-in-the-browser attacks. (Source: http://en.wikipedia.org/wiki/Torpig)

Also known as Win32.Anserin.C [Computer Asso], Troj/Torpig-k [Sophos]

More details:

http://en.wikipedia.org/wiki/Torpig

http://www.spamfighter.com/News-11683-Rootkit-Torpig-Described-as-Most-Dangerous-Malware.htm

http://www.symantec.com/security_response/writeup.jsp?docid=2005-112315-0608-99

http://www.symantec.com/connect/blogs/flow-mbr-rootkit-trojan-resumes

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Torpig-A.aspx 

  • Drone type: Trojan.Simda

Trojan:Win32/Simda is a multi-component trojan that downloads and executes arbitrary files. These files may include additional malware.

More details:

http://www.virusradar.com/Win32_Simda.B/description

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Simda

http://www.avgthreatlabs.com/virus-and-malware-information/info/simda/ 

  • Drone type: urlzone

Urlzone is a banking Trojan that appeared in 2009; its main feature is its ability to hide the evidence of the fraud by changing, on the fly, the balance shown to the victim.

More details:

https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base#Urlzone

http://www.pcmag.com/article2/0,2817,2353610,00.asp

http://krebsonsecurity.com/tag/url-zone-trojan/

https://threatpost.com/inside-urlzone-trojan-network-100609/72203

http://labs.m86security.com/2009/09/malware-analysis-trojan-banker-urlzonebebloh/ 

  • Drone type: zeus

Zeus, ZeuS, or Zbot is a Trojan horse that runs on computers using versions of the Microsoft Windows operating system. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. (Source: http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29)

More details:

http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29

https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base#Zeus

https://zeustracker.abuse.ch/statistic.php

http://www.antisource.com/article.php/zeus-botnet-summary

https://www.youtube.com/watch?v=CzdBCDPETxk

http://www.b3b.ch/2010/12/12/zeus-le-dieu-des-virus-contre-les-banques/

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf

http://www.secureworks.com/cyber-threat-intelligence/threats/zeus/ 

  • Drone type: zeus3np2p

New variants of the Zeusbot/SpyEye cybercrime toolkit are moving away from reliance on command-and-control (C&C) servers towards a peer-to-peer architecture.

More details:

http://www.theregister.co.uk/2012/02/27/p2p_zeus/ 

  • Drone type: Other

If the Drone type is not listed above, you can search for more information here:

https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base

http://www.bitdefender.com/site/Search/

http://www.symantec.com/security_response/landing/threats.jsp

http://www.avgthreatlabs.com/virus-and-malware-information/

http://www.microsoft.com/security/portal/threat/threats.aspx

http://windows.microsoft.com/en-us/windows/security-essentials-download

http://about-threats.trendmicro.com/us/threatencyclopedia
