Brian Pennington

A blog about Cyber Security & Compliance



Tor detections jump by more than 1,000%

Vectra Networks announced the results of the second edition of its “Post-Intrusion Report”, a real-world study about threats that evade perimeter defenses and what attackers do once they get inside your network.

Report data was collected over six months from 40 customer and prospect networks with more than 250,000 hosts, and is compared to results in last year’s report. The new report includes detections of all phases of a cyber attack and exposes trends in malware behavior, attacker communication techniques, internal reconnaissance, lateral movement, and data exfiltration.

According to the report, there was non-linear growth in lateral movement (580%) and reconnaissance (270%) detections that outpaced the 97% increase in overall detections compared to last year. These behaviors are significant as they show signs of targeted attacks that have penetrated the security perimeter.

While command-and-control communication showed the least amount of growth (6%), high-risk Tor and external remote access detections grew significantly. In the new report, Tor detections jumped by more than 1,000% compared to last year and accounted for 14% of all command-and-control traffic, while external remote access shot up by 183% over last year.

The report is the first to study hidden tunnels without decrypting SSL traffic by applying data science to network traffic.

A comparison of hidden tunnels in encrypted traffic vs. clear traffic shows that HTTPS is favored over HTTP for hidden tunnels, indicating an attacker’s preference for encryption to hide their communications.
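The report does not say how its tunnel detection works, only that it uses network metadata rather than decrypted content. As an added illustration (not Vectra’s detector, and not code from the report), the script below shows the kind of metadata-only reasoning that is possible: for every source/destination pair it looks at connection timing and the byte count in each direction. Ordinary HTTPS browsing is bursty and download-heavy; a command channel hidden in HTTPS tends to reconnect on a regular schedule and to send more than it receives. The flow records, the thresholds and the IP addresses (documentation ranges) are all constructed for the example.

```python
"""Metadata-only heuristic for a command channel hidden inside HTTPS.
Added illustrative example, not Vectra's detector; the flow records and
thresholds are constructed.  Uses only what is visible without decryption:
connection start times and byte counts in each direction."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, dst, start_seconds, bytes_out, bytes_in)
FLOWS = (
    # ordinary browsing: irregular timing, downloads dominate
    [("10.0.0.5", "203.0.113.10", t, out, inn) for t, out, inn in
     [(0, 700, 42000), (3, 650, 180000), (17, 900, 25000), (40, 1200, 310000),
      (41, 600, 9000), (95, 800, 64000), (140, 1100, 250000), (300, 750, 18000)]]
    # suspected tunnel: one connection every 60 s, client sends most of the bytes
    + [("10.0.0.7", "198.51.100.20", 60 * i, 4100 + 30 * (i % 4), 380 + 10 * (i % 3))
       for i in range(12)]
    # too few connections to judge either way
    + [("10.0.0.9", "198.51.100.30", 5, 500, 500),
       ("10.0.0.9", "198.51.100.30", 65, 500, 500)]
)


def features(records):
    """records: list of (start, bytes_out, bytes_in) for one src->dst pair.
    Returns (n, interval_cv, upload_ratio).  interval_cv is the coefficient of
    variation of the gaps between connections (0 means perfectly regular) and is
    None when there are too few connections to measure it."""
    records = sorted(records)
    n = len(records)
    out = sum(r[1] for r in records)
    inn = sum(r[2] for r in records)
    upload_ratio = out / (out + inn) if out + inn else 0.0
    if n < 3:
        return n, None, upload_ratio
    intervals = [b[0] - a[0] for a, b in zip(records, records[1:])]
    m = mean(intervals)
    cv = pstdev(intervals) / m if m else float("inf")
    return n, cv, upload_ratio


def score_pairs(flows, min_conns=6, max_interval_cv=0.25, min_upload_ratio=0.5):
    """Score every src->dst pair; a pair is flagged when it has enough
    connections, a regular schedule and an upload-heavy byte balance."""
    by_pair = defaultdict(list)
    for src, dst, t, out, inn in flows:
        by_pair[(src, dst)].append((t, out, inn))
    result = {}
    for pair, recs in by_pair.items():
        n, cv, ratio = features(recs)
        flagged = (n >= min_conns and cv is not None
                   and cv <= max_interval_cv and ratio >= min_upload_ratio)
        result[pair] = {"n": n, "interval_cv": cv,
                        "upload_ratio": ratio, "flagged": flagged}
    return result


def flagged_pairs(flows, **thresholds):
    """Sorted list of (src, dst) pairs that the heuristic flags."""
    return sorted(p for p, s in score_pairs(flows, **thresholds).items() if s["flagged"])


if __name__ == "__main__":
    for pair, s in score_pairs(FLOWS).items():
        print(pair, s)
    print("flagged:", flagged_pairs(FLOWS))
```

Regular polling by legitimate software (update checks, monitoring agents) produces the same timing signature, so on a real network a hit from this heuristic is a reason to look at the destination and the host, not a verdict on its own; the thresholds would also need tuning against the organisation’s own baseline.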

“The increase in lateral movement and reconnaissance detections shows that attempts at pulling off targeted attacks continue to be on the rise,” said Oliver Tavakoli, Vectra Networks CTO. “The attackers’ batting average hasn’t changed much, but more at-bats invariably has translated into more hits.”

Key findings of the study include:

  • Botnet monetization behavior grew linearly compared to last year’s report. Ad click-fraud was the most commonly observed botnet monetization behavior, representing 85% of all botnet detections.
  • Within the category of lateral movement detections, brute-force attacks accounted for 56%, automated replication accounted for 22% and Kerberos-based attacks accounted for 16%. Although only the third most frequent detection, Kerberos-based attacks grew non-linearly by 400% compared to last year.
  • Of internal reconnaissance detections, port scans represented 53% while darknet scans represented 47%, which is fairly consistent with behavior detected last year.
  • Lateral-movement detections, which track the internal spread of malware and authentication-based attacks such as the use of stolen passwords, led the pack with over 34% of total detections.
  • Command and control detections, which identify a wide range of malicious communication techniques, were close behind with 32% of detections.
  • Botnet monetization detections track the various ways criminals make money from ad click-fraud, spamming behavior, and distributed denial of service (DDoS) attacks. These botnet-related behaviors accounted for 18% of all detections.
  • The reconnaissance category looks for internal reconnaissance performed by an attacker already inside the network and represented 13% of detections.
  • Exfiltration detections look for the actual theft of data. The good news here is that it was by far the least common category of detection at 3%.
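Two of the lateral-movement behaviours named above, brute-force authentication and automated replication, can be picked out of ordinary authentication logs. The script below is an added example (not Vectra’s detection logic, and not from the report): it parses a constructed key=value log format, flags any source that racks up many failed logons against one host inside a short window, and separately flags any source that logs on successfully to many distinct hosts inside a short window. The log lines, the host names and the thresholds are all made up for the example; real deployments would map these to their own event source and tune the thresholds.

```python
"""Detection logic for two lateral-movement behaviours: password brute force
(many failed logons from one source against one host in a short window) and
automated replication (one source logging on to many distinct hosts in a short
window).  Added illustrative example; the log format, host names and sample
lines are constructed, not Vectra's data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format, e.g.
#   2015-06-01T09:00:10Z host=FS01 event=logon_failure src=10.0.1.23 user=admin
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$")


def _line(ts, host, event, src, user):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} host={host} event={event} src={src} user={user}"


T0 = datetime(2015, 6, 1, 9, 0, 0)
LOG_LINES = (
    # 12 failures in two minutes from one source against FS01: brute force
    [_line(T0 + timedelta(seconds=10 * i), "FS01", "logon_failure", "10.0.1.23", "admin")
     for i in range(12)]
    # three failures spread over an hour: a user mistyping a password
    + [_line(T0 + timedelta(minutes=20 * i), "FS01", "logon_failure", "10.0.1.40", "jdoe")
       for i in range(3)]
    # after the brute force succeeds, the same source fans out to six hosts
    + [_line(T0 + timedelta(minutes=3, seconds=30 * i), h, "logon_success", "10.0.1.23", "admin")
       for i, h in enumerate(["FS01", "WS11", "WS12", "WS13", "DB02", "PRN01"])]
    # an administrator touching two hosts: normal
    + [_line(T0 + timedelta(minutes=5), "WS20", "logon_success", "10.0.1.50", "ops"),
       _line(T0 + timedelta(minutes=6), "WS21", "logon_success", "10.0.1.50", "ops")]
    + ["malformed line that the parser must skip"]
)


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, window=timedelta(minutes=5), threshold=10):
    """Return {(src, host): peak failure count} for pairs at or above threshold."""
    fails = defaultdict(list)
    for ev in events:
        if ev["event"] == "logon_failure":
            fails[(ev["src"], ev["host"])].append(ev["ts"])
    flagged = {}
    for key, times in fails.items():
        peak = _max_in_window(times, window)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def detect_fan_out(events, window=timedelta(minutes=10), threshold=5):
    """Return {src: distinct hosts} for sources that log on successfully to at
    least threshold different hosts inside one window."""
    hits = defaultdict(list)  # src -> [(ts, host)]
    for ev in events:
        if ev["event"] == "logon_success":
            hits[ev["src"]].append((ev["ts"], ev["host"]))
    flagged = {}
    for src, pairs in hits.items():
        pairs.sort()
        for t, _ in pairs:
            hosts = {h for (u, h) in pairs if t <= u <= t + window}
            if len(hosts) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(hosts))
    return flagged


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("brute force:", detect_brute_force(evs))
    print("fan-out:", detect_fan_out(evs))
```

The two detectors are deliberately independent, because in practice the fan-out is often the more reliable signal: a compromised host that already holds valid credentials produces no failures at all, only an unusual spread of successful logons.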

The data in the Post-Intrusion Report is based on metadata from Vectra customers and prospects who opted to share detection metrics from their production networks. Vectra identifies active threats by monitoring network traffic on the wire in these environments. Internal host-to-host traffic and traffic to and from the Internet are monitored to ensure visibility and context of all phases of an attack.

The latest report offers a first-hand analysis of active “in situ” network threats that bypass next-generation firewalls, intrusion prevention systems, malware sandboxes, host-based security solutions, and other enterprise defenses. The study includes data from 40 organizations in education, energy, engineering, financial services, government, healthcare, legal, media, retail, services, and technology.

The full report can be found here.

RSA’s June 2013 Online Fraud Report featuring the Bugat Trojan

RSA’s June 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report is below.

RSA researchers analyzing Bugat Trojan attacks have recently learned that Bugat’s developers managed to develop and deploy mobile malware designed to hijack out-of-band authentication codes sent to bank customers via text messages.

Bugat (aka: Cridex) was discovered and sampled in the wild as early as August 2010. This privately owned crimeware’s earlier targets were business and corporate accounts, its operators attempting high-value transactions ($100K-$200K USD per day) in both automated and manual fraud schemes. It is very likely that Bugat’s operators started seeing a diminished ability to target high-value accounts due to added authentication challenges, forcing them to resort to developing a malware component that is already used by many mainstream banking Trojans in the wild.

Bugat joins the lineup of banking malware that makes use of SMS-capturing mobile apps. The first occurrences of such malware were observed in use by Zeus and SpyEye Trojan variants, which were respectively dubbed ZitMo and SPitMo (Zeus-in-the-Mobile, SpyEye-in-the-Mobile). In mid-2012, RSA coined the name CitMo to denote the Citadel breed of in-the-Mobile activity. The fourth Trojan for which malicious apps were discovered was Carberp in early 2013, and with this case, Bugat is the most recent banking Trojan to have its own SMS-forwarding app, now coined BitMo.

Among other banking Trojan features, Bugat comes with a set of HTML injections for online banking fraud and possesses Man-in-the-Browser script functionality. This very feature is what allows it to interact with victims in real time and lead them to download the BitMo mobile malware to their Android/BlackBerry/Symbian devices. iOS remains almost entirely exempt from this type of malware since Apple’s policy limits app downloads from third-party sites.

When Bugat-infected online banking customers access their financial provider’s login page, the Trojan is triggered to dynamically pull a relevant set of injections from the remote server, display them to the victim and lead them to the BitMo download under the guise of AES encryption being adopted by the bank.

The malware requests application permissions linked with the SMS relay, while the next injection on the PC side requests that the victim enter a code appearing on the mobile device, connecting the infected PC and the mobile handset. Once installed and deployed, BitMo begins hijacking and concealing incoming text messages from the bank, disabling the phone’s audio alerts, and forwarding the relevant messages to its operators’ drop zones. Bugat’s entrance to the mobile space only demonstrates the increasing use of SMS forwarders as part of Trojan-facilitated fraud.

Although the injection set created by Bugat’s developers, as well as the distribution mechanism designed for delivering the APK/BlackBerry OS BitMo apps, are indeed sophisticated, the actual malware apps are rather basic and show no innovation. That being said, it is very clear that all banking Trojans, both commercial and privately operated codes, are increasingly making use of SMS forwarders in their criminal operations.

Phishing Attacks per Month

RSA identified 36,966 phishing attacks launched worldwide in May, marking a 37% increase in attack volume. Trending data shows that a rise in phishing attacks typically occurs in Q2.

Number of Brands Attacked

In May, 351 brands were targeted in phishing attacks, marking a 13% increase. Two new entities suffered their first attack in May.

US Bank Types Attacked

U.S. nationwide banks maintained the highest volume of phishing in May while regional banks saw a 7% increase in phishing volume, from 12% to 19%. Since February, the attack volumes targeting regional banks and credit unions have fluctuated quite a bit.

Top Countries by Attack Volume

The U.S. remained the country most targeted by phishing in May, absorbing 50% of the total phishing volume. The UK held steady, once again recording 11% of attack volume. South Africa, the Netherlands, Canada, Australia, and India accounted for about one-quarter of attack volume.

Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing among worldwide brands, absorbing 30% of phishing volume in May. UK brands were targeted by one-tenth of phishing volume followed by India, China and Brazil.

Top Hosting Countries

The U.S. remained the top hosting country in May, hosting 47% of global phishing attacks. Germany was the second top hosting country with 8% of attacks hosted within the country, followed by the UK, the Netherlands, France, and Canada.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA April 2013 Online Fraud Report Summary here.
  • The RSA March 2013 Online Fraud Report Summary here.
  • The RSA February 2013 Online Fraud Report Summary here.


RSA’s March Online Fraud Report

In their March Online Fraud Report, RSA reports on the activity of online fraudsters; a full summary is below.

As well as the usual interesting statistics on fraudulent activity, this report sheds light on the changes to the Zeus and Citadel Trojans as cybercriminals “migrate” from one Trojan botnet to another.

FraudAction Research Lab has recently analyzed a Zeus variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan. RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, Citadel infrastructures.

RSA researchers have studied a Zeus variant that runs on infected machines, seconds later calling for a download of an additional Trojan: a Citadel v1.3.2.0 variant. Although the Lab already saw Zeus botnets replaced by Ice IX botnets, this is one of the first instances analyzed of the Trojan calling for a Citadel replacement onto the infected PC.

The addition of a Citadel variant is a little peculiar on one hand because that creates two parallel infections on the same bot. On the other hand, it is quite logical if the botmaster intends to gradually move the botnet to the new domain and work with the Citadel Trojan instead.


Is Zeus’ time in the cybercrime arena up? That is very possible. Today’s Zeus-based codes can no longer be named “Zeus”. The last real Zeus was, Zeus Even the v2.1.0.1 development was upgraded by someone outside the original team.

Citadel, Ice IX, Odin, and any other code based on the old king’s exposed source code will each have their own name. It’s only a matter of time before botmasters will move away from Zeus to Trojans for which the development of upgrades and new features continue to thrive. We will likely see less of Zeus on the monthly charts – although its offspring will live on.

Phishing Attacks per Month

While 2012 kicked off with an increase of over 40% in global phishing attacks, February marked a 30% drop – with only 21,030 phishing attacks detected. After five consecutive months of being heavily targeted, the UK finally got replaced by the U.S. as the country enduring the most phishing volume.

Number of Brands Attacked

A total of 281 brands were targeted by phishing attacks in February. Of those targeted brands, 53% endured fewer than five attacks (150 brands) and 47% endured five attacks or more (131 brands).

US Bank Types Attacked

U.S. nationwide brands and regional banks both saw an eight percent increase in phishing attacks in February while credit unions saw a 16% drop in attacks.

Top Countries by Attack Volume

Following five consecutive months during which the UK topped the chart as the country that absorbed the highest volume of phishing, the U.S. topped the chart once again in February with 35% of global phishing volume. Just as surprising, Canada made an unexpected leap. After accounting for only 4% of worldwide attacks in January, Canada accounted for 27% of the world’s phishing attacks in February.

Top Countries by Attacked Brands

The U.S. and UK remained the countries with the highest number of attacked brands in February with 42%, followed by Australia, India, Italy and Canada, which together accounted for 17% of attacked brands.

Top Hosting Countries

The share of phishing attacks hosted by the U.S. dropped significantly this month, falling from 82% in January to 46% in February. In January, six countries accounted for hosting about 90% of global phishing attacks, while in February, we witnessed 17 countries share that same portion of hosting.

See the full report on the RSA website.

Previous RSA Online Fraud Report Summaries:

  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


How advanced attacks succeed, despite $20B spend on enterprise IT security


FireEye has recently released their research into why IT Security attacks continue to be successful despite an annual IT Security spend of $20 billion.

A summary of the key findings of the FireEye research is below:

1) 99% of enterprises have a security gap, despite $20B spent annually on IT security. Within a given week, the typical enterprise network has anywhere from hundreds to thousands of new malicious infections and all industries are under sustained attack.

2) 90% of malicious executables and malicious domains changed in just a few hours. The dynamic nature of modern attacks is the primary means to bypass signature-based tools, making defenses such as antivirus and URL blacklists ineffective.

3) The fastest growing malware categories are Fake-AV programs, which take part in extortion tactics, and info stealers, which abscond with information.

4) The top 50 out of thousands of malware families account for 80% of successful infections. Sophisticated toolkits and other means are enabling the rapid production of advanced malware.

Extended details on the four findings:

Finding 1: 99% of enterprise networks have a security gap despite $20B spent annually on IT security.

Despite the massive investment in IT security equipment each year, our analysis of FireEye MPS deployments shows that essentially all enterprises are compromised with malware: 99% of enterprises had malicious infections entering the network each week, and 80% of enterprises faced more than one hundred infections per week, with many in the thousands per week. The median weekly infection caseload was 450 infections per week (normalized per Gbps of traffic), with wide variations.

These are all events that have made it through standard gateway defenses, such as firewalls, next-generation firewalls, IPS, antivirus, and email and web security gateways. These malicious events make it through because traditional security systems either rely on signatures, reputation and crude heuristics or were originally designed for policy control. They no longer keep up with the highly dynamic, multi-stage attacks that have become common today in targeted and APT attacks.

Even the most security-conscious industries are fraught with dangerous infections.

Every company studied in every industry looks to be vulnerable and under attack. Even the most security-conscious industries, such as financial services, health care and government, which hold intellectual property and personally identifiable information and face compliance requirements, show a significant infection rate.

Based on this data, FireEye see that today’s cyber criminals are nearly 100% effective at breaking through traditional security defenses in every organization and industry, from security-savvy to security laggards.

Today’s attacks also exhibit a global footprint with infected sites, malicious servers, and callback destinations distributed around the world.

Finding 2: Successful attacks employ dynamic, “zero-day” malware tactics. 90% of malicious binaries and domains change in just a few hours; 94% within a day.

Our Q2 2011 data showed that 90% of both malicious binaries (MD5 hash files) and malicious domains (URLs hosting malware) changed almost immediately, and 94% changed within a day. This dynamism increased noticeably from Q1 to Q2 2011.

FireEye believe the daily morphing of malicious binaries and domains is timed to stay ahead of the typical practice of daily DAT and blacklist/reputation updates, enabling the malware to remain undetected and its communications unblocked.

Those that change within a few hours stay ahead of centralized “real-time” threat intelligence services that assess risk based on signatures, reputation, and behavior. Those that change once a day stay ahead of defenses that use scheduled daily updates.

Malicious executables are constantly being repacked to appear new each time. Most of the MD5s FireEye observed are so dynamic that they persist for an hour or less or are seen just once. The curve has moved noticeably up and to the left from Q1 to Q2, indicating that a smaller fraction of malware samples remain unchanged over the course of days (note that this is despite the fact that the Q2 sample is larger than the Q1 sample, increasing the size of our view into malware behavior). It’s also striking that the curve steps up at each 24-hour interval, indicating that some malware authors are using an integer number of days as the expiration time before they generate a new packing.

Note that FireEye are not implying that all malware attacks are dynamic, just that the successful attacks penetrating through the signature and reputation-based defenses use dynamic tactics to defeat those static defenses.

Therefore, FireEye believe that dynamic binaries and dynamic domains form the core of today’s advanced, zero-day malware tactics. Cybercriminals are moving quickly and building manoeuvrability into their tools and operations.

In part, the move to malware dynamism explains the rapid expansion in botnets. For example, criminals need more IP addresses (aka bots or zombies) to evade signature and reputation-based filters.

Another conclusion from these findings is that network defenses must tool up for constant change and resilience. Countermeasures must be designed for highly dynamic threats across vectors, such as Web and email. FireEye also see a trend in which organizations must treat every attachment or Web object as suspicious.

Finding 3: The fastest growing malware categories are Fake-AV programs and Info-stealer executables.

While malware programs have multiple capabilities, the FireEye research team provides a general categorization of each malware executable with what they believe to be its primary purpose. For example, Click Fraud software makes money by creating automated HTTP transactions to particular websites in the interest of distorting (driving up) payments to advertisers. Fake-AV software is sold on the pretence that it has found non-existent malware on consumer computers and then offering to “clean” out the infection if consumers buy the full version.

Several things stand out. The three largest categories of malware in Q2 are Fake-AV (listed as Rogue Anti_malware), Downloader Trojans (whose primary function is to download other pieces of malware), and information stealers of various forms. Compared with Q1, they see striking growth in Fake-AV (Rogue Anti_malware) and information-stealing malware, most likely due to a successful monetization model.

Of these, the information stealers are clearly the greater threat to corporate integrity. While FireEye would certainly not advocate ignoring Fake-AV programs (they are a threat to employees’ private finances and act as a conduit for more serious malware infections), it’s clear that information theft is currently the highest priority problem for enterprises.

  • Zbot (Zeus) Primarily a banking Trojan, Zbot has become extremely famous for fraud against online banking for both consumers and small and medium enterprises and likely represents a high priority threat even to large enterprises in the form of fraud against senior executives.
  • Papras (aka Snifula) has received far less publicity, but in our sample it appears to have become just as widespread as Zbot. Papras is less specialized: it steals account credentials for various online services and also logs information entered in web forms. As such, it’s probably a basic tool in a number of different kinds of manually directed intrusions and information thefts.
  • Zegost is also primarily a keylogger.
  • Multibanker is a family of specialized banking Trojans.
  • Coreflood is a botnet that operated in many versions for ten years until taken down by the Department of Justice in April of 2011.
  • Licat is believed to be associated with Zbot.

Finding 4: The “Top 50” of thousands of malware families generate 80% of successful malware infections.

In reviewing several hundreds of thousands of events, they found that the vast majority of them derive from a few hundred malware families (as evidenced by the particular callback protocol detected in use), and that the Top 50 most frequent malware families are represented in about 80% of all cases.

From the figure, they conclude that the exploding zoo of malware executables can be attributed to a much smaller number of malware toolkit code bases. In reviewing the top 50 families, the more successful code bases have optimized aspects of their malware binary output to be dynamic and deceptive.
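Findings 2 and 4 are both statements about the same kind of data: a set of sightings, each carrying a binary hash, a timestamp and a family label. The script below is an added example (not FireEye’s analysis, and none of the numbers are FireEye’s data) that reproduces both calculations on a constructed event set: for Finding 2 it measures how long each hash stays in use and what fraction has changed within an hour or a day, plus the survival curve the text describes; for Finding 4 it computes the share of infections accounted for by the top k families and how many families are needed to reach 80%. The constructed set is shaped so that the figures resemble the ones quoted above, which is a modelling choice, not evidence.

```python
"""Two analyses over a constructed malware-event set, added as an example
(not FireEye's analysis or data):
  (a) lifetime of each malicious binary hash and the fraction that has changed
      within a given horizon (Finding 2);
  (b) concentration of infections in the most common families (Finding 4).
Hash labels such as "h017" stand in for real MD5s."""
from collections import Counter

HOUR, DAY = 3600, 86400


def make_sightings():
    """Constructed (t_seconds, hash_label) sightings.  The mix is chosen so that
    most hashes vanish within an hour, a few persist for days."""
    sightings = []

    def add(label, first, lifetime, n):
        # n sightings spread evenly between first and first + lifetime
        for k in range(n):
            t = first + (lifetime * k // (n - 1) if n > 1 else 0)
            sightings.append((t, label))

    for i in range(0, 70):
        add(f"h{i:03d}", 100 * i, 0, 1)            # seen exactly once
    for i in range(70, 90):
        add(f"h{i:03d}", 100 * i, 30 * 60, 3)      # gone within half an hour
    for i in range(90, 94):
        add(f"h{i:03d}", 100 * i, 20 * HOUR, 5)    # under a day
    for i in range(94, 98):
        add(f"h{i:03d}", 100 * i, 3 * DAY, 6)      # a few days
    for i in range(98, 100):
        add(f"h{i:03d}", 100 * i, 10 * DAY, 8)     # long-lived
    return sightings


def lifetimes(sightings):
    """Observed lifetime of each hash: last sighting minus first sighting."""
    first, last = {}, {}
    for t, h in sightings:
        first[h] = min(first.get(h, t), t)
        last[h] = max(last.get(h, t), t)
    return {h: last[h] - first[h] for h in first}


def changed_within(sightings, horizon):
    """Fraction of hashes whose observed lifetime is at most horizon seconds,
    i.e. that were no longer seen after that long."""
    lt = lifetimes(sightings)
    return sum(1 for v in lt.values() if v <= horizon) / len(lt)


def survival_curve(sightings, horizons):
    """[(horizon, fraction of hashes still seen at or beyond horizon)], the
    curve that 'steps' at 24-hour marks when authors repack on whole days."""
    lt = lifetimes(sightings)
    return [(h, sum(1 for v in lt.values() if v >= h) / len(lt)) for h in horizons]


def make_family_events():
    """Constructed infection events (one family label per event): 300 families
    with heavy-tailed popularity (20 x 200 events, 30 x 20 events, 250 x 2)."""
    events = []
    for i in range(1, 301):
        count = 200 if i <= 20 else 20 if i <= 50 else 2
        events.extend([f"family{i:03d}"] * count)
    return events


def top_share(events, k):
    """Share of all events produced by the k most frequent families."""
    counts = Counter(events)
    return sum(c for _, c in counts.most_common(k)) / sum(counts.values())


def families_for_share(events, share):
    """Smallest number of top families whose combined share reaches `share`."""
    counts = Counter(events)
    total = sum(counts.values())
    running = 0
    for i, (_, c) in enumerate(counts.most_common(), 1):
        running += c
        if running / total >= share:
            return i
    return len(counts)


if __name__ == "__main__":
    s = make_sightings()
    print("changed within 1 h:", changed_within(s, HOUR))
    print("changed within 1 day:", changed_within(s, DAY))
    print("survival:", survival_curve(s, [0, HOUR, DAY, 7 * DAY]))
    ev = make_family_events()
    print("top-50 share:", round(top_share(ev, 50), 3))
    print("families for 80%:", families_for_share(ev, 0.8))
```

The same functions run unchanged on real sightings exported from a sandbox or gateway log (tuples of timestamp and hash, and a family label per event); the defensive point they make is the one in the text: a blocklist refreshed daily misses every hash whose lifetime is shorter than the refresh interval.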

Note that the frequency of appearance is not correlated with risk. One of the most common malware families, Fake-AV, extorts payments from users for falsified virus scans. This class of malware is less of a concern from an enterprise perspective, though Fake-AV should be seen as a “gateway malware” to introduce more serious information-theft malware into the network. On the other hand, nation-state APT malware used for espionage is likely to be out in the long tail of comparatively rare malware. In the range between these two zones, they find very potent, very dangerous attacks.

Many of the Top 50 attacks reflect advanced malware used by criminal syndicates for financial gain. This variety of threat is characterized by periodic campaigns combining exploit toolkits and specific malware families such as “Rogue AV” or “Fake-AV.” The attacks cast a relatively “wide but shallow” net, harvesting data and relying on automation for efficiency and profitable success rates.

Here’s the anatomy of a typical “wide and shallow” attack, one that is dynamic and short-lived (in each campaign), but not especially targeted or heavily personalized:

  • Hunt new victims for a few hours at certain infectious IP addresses
  • Install malware via drive-by download or phishing campaign (possibly run  through a social networking site)
  • Collect account data from victims’ computers (or install data-stealing malware on these hosts)
  • Pause (or move on to a new site)
  • Monetize the data that has been collected (for perhaps days or weeks)
  • Run another campaign with a tweaked version of the malware and different IP addresses

Looking at malware by family, and at the event timeline of malware activity, FireEye see evidence of the compressed timelines used in campaigns today, in the form of sharp spikes. Even with relatively protracted activity, like that shown with Rogue.AV, FireEye see significant spikes above a significant baseline.

The other major category of attack is the “Narrow and Deep” attack that includes targeted and APT attacks. These attacks infect a relatively small number of machines that act as the beachhead from which to further infiltrate other enterprise systems, especially those that contain critical or sensitive information.

The deeper infiltration is accomplished via lateral movement by propagating the malware infection to other systems and servers in the enterprise network. Only real-time monitoring of suspicious code will detect these subtle attacks.

How do criminals make their malware and domains dynamic? Point-and-click Toolkits?

Criminals make code appear new by packing, encrypting, or otherwise obfuscating the nature of the code. Malware toolkits like Zeus (banking Trojan) and Blackhole (drive-by downloads) automate this process today, which FireEye believe explains some of our finding of increasing and almost ubiquitous dynamism.

The prevalence of dynamic domain addresses indicates that criminals are moving their distribution sources very quickly as well, like a drug dealer moving to a different street corner after every few deals. By moving their malware to an unknown site (often a compromised server or zombie), and using short URLs, cross-site scripting or redirects to send traffic to that site, the criminals can stay ahead of reputation-based defenders.

Criminals invest in toolkits and dynamic domains because signatures and reputation engines have become adept at blacklisting known bad content and “bad” or “risky” URLs and sites. Any stationary criminal assets will quickly be blacklisted; therefore these assets must move to remain valuable.

FireEye Conclusions

The new breed of cyber-attacks is evading existing defenses by using dynamic malware, toolkits and novel callback techniques, leaving virtually every enterprise vulnerable to data theft and disruption. Although enterprises are investing $20B per year in IT security systems, cybercriminals are able to evade traditional defenses, such as firewalls, IPS, antivirus and gateways, as they are all based on older technology: signatures, reputation and crude heuristics.

Enterprises must reinforce traditional defenses with a new layer of security that detects and blocks these sophisticated, single-use attacks. New technologies are needed that can recognize advanced malware entering through Web and email, and thwart attempts by malware to call back to command and control centers. This extra defense is designed specifically to fight the unknown threats, such as zero-day and targeted APT attacks, thereby closing the IT security gap that exists in all enterprises.

The FireEye report can be found here.

