Thread-topic: Targeted attack: experience from the trenches
http://isc.sans.org/diary.php?storyid=1345
Targeted attack: experience from the trenches
Published: 2006-05-19,
Last Updated: 2006-05-19 09:32:44 UTC by Chris Carboni (Version: 2)
Learning lessons from incidents is an important part of incident
handling. With targeted attacks this is hard: you need to have handled
such a case before you can learn from one. Learning from other people's
cases is therefore even more important here.
Michael reported on an unnamed organization being hit by a limited,
targeted attack.
Detection is usually the hardest part of these attacks. This case seems
to have been detected by a very alert user who noticed that a domain
name in an email was not quite right.
That user received an email that originated from a domain that looked
like their own, but wasn't their own (the look-alike domain actually had
nothing but an MX record: no web site, nothing else, just enough to send
and receive mail). The email was written to look like an internal email,
including the signature. It was addressed by name to the intended victim
and was not detected by the anti-virus software.
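A mail-gateway check for the kind of look-alike sender domain described above, as an added example (this is not code from the diary or from the affected organization). It assumes the organization's genuine domain is example.org, runs over a few constructed message headers, and uses a short, made-up list of confusable character sequences. It goes a little beyond the diary's single case: besides a near-identical spelling it also flags the same name under a different TLD and domains one edit or transposition away from ours.

```python
"""Screen inbound mail for sender domains that look like ours but are not ours.

Added example. Assumptions: OUR_DOMAIN is the organization's real domain,
SAMPLE_MESSAGES are constructed headers, CONFUSABLES is a partial list.
"""
from typing import List, Optional, Tuple
from email.parser import HeaderParser
from email.utils import parseaddr

OUR_DOMAIN = "example.org"  # assumed: the organization's genuine domain

# Character sequences commonly swapped in look-alike registrations (partial list, assumed).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_label(label: str) -> str:
    """Fold confusable sequences so 'examp1e' and 'exarnple' compare equal to 'example'."""
    s = label.lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition counts as one edit
    return d[len(a)][len(b)]


def lookalike_reason(domain: str, ours: str = OUR_DOMAIN) -> Optional[str]:
    """Why `domain` impersonates `ours`, or None if it is ours, a subdomain of ours, or unrelated."""
    domain = domain.lower().rstrip(".")
    if domain == ours or domain.endswith("." + ours):
        return None
    ours_label, _, ours_suffix = ours.partition(".")
    parts = domain.split(".")
    if len(parts) < 2:
        return None
    label, suffix = parts[-2], parts[-1]  # label directly under the TLD (no public-suffix list here)
    norm = normalize_label(label)
    if norm == ours_label and suffix != ours_suffix:
        return "same name under a different TLD"   # e.g. example.net
    if norm == ours_label:
        return "confusable characters"             # e.g. examp1e.org
    if osa_distance(norm, ours_label) == 1:
        return "one edit or transposition away"    # e.g. exampel.org
    return None


def screen_messages(raw_messages: List[str]) -> List[Tuple[str, str]]:
    """Return (From address, reason) for every message whose From: domain is a look-alike."""
    hits = []
    for raw in raw_messages:
        headers = HeaderParser().parsestr(raw)
        _, addr = parseaddr(headers.get("From", ""))
        reason = lookalike_reason(addr.rpartition("@")[2])
        if reason:
            hits.append((addr, reason))
    return hits


# Constructed sample headers, not taken from the incident.
SAMPLE_MESSAGES = [
    'From: "Alice Internal" <alice@example.org>\nSubject: lunch\n\n',
    'From: "Bob Finance" <bob@examp1e.org>\nSubject: Q2 numbers\n\n',
    'From: "IT Helpdesk" <helpdesk@example.net>\nSubject: password reset\n\n',
    'From: news@sample.org\nSubject: newsletter\n\n',
    'From: "Carol" <carol@mail.example.org>\nSubject: meeting notes\n\n',
    'From: "Dave" <dave@exampel.org>\nSubject: report.doc\n\n',
]

if __name__ == "__main__":
    for addr, reason in screen_messages(SAMPLE_MESSAGES):
        print(f"{addr}: {reason}")
```

The diary's other clue, that the impostor domain carried nothing but an MX record, can be folded in with a DNS lookup (an MX record but no A record for the domain itself); that is left out here so the example runs offline. Domains under multi-label public suffixes such as co.uk would need a public-suffix list, since this example only compares the label directly under the TLD.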
To say it in Michael's words:
"Emails were sent to specific individuals within the organization that
contained a Microsoft Word attachment. This attachment, when opened,
exploited a previously-unknown vulnerability in Microsoft Word (verified
against a fully-patched system). The exploit functioned as a dropper,
extracting a trojan byte-for-byte from the host file when executed.
After extracting and launching the trojan, the exploit then overwrote
the original Word document with a "clean" (not infected) copy from the
payload in the original infected document. As a result of the exploit,
Word crashes, informs the user of a problem, and offers to attempt to
re-open the file. If the user agrees, the new "clean" file is opened
without incident." They are working with Microsoft on this.
"We are still analyzing the trojan dropped by the exploit. What we do
know is that it communicates back to localhosts[dot]3322[dot]org via
HTTP. It is proxy-aware, and "pings" this server using HTTP POSTs of 0
bytes (no data actually POSTed) with a periodicity of approximately one
minute. It has rootkit-like functionality, hiding binary files
associated with the exploit (all files on the system named winguis.dll
will not be shown in Explorer, etc.), and invokes itself automatically
by including the trojan binary in
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Windows". Note that, as of this morning, no
anti-virus signatures detected this file as problematic according to
virustotal.com.
We have traced nearly all of this attack to the Far East; specifically,
China and Taiwan. IPs seen are registered there, domains seen are registered
there, and the emails received originated from a server in that region.
The attackers appear to be aware that they have been "outed", and have
been routinely changing the IP address associated with the URL above.
Due to the aggravating circumstances (0-day, no AV detection), we wanted
to make sure the community is aware that this problem exists as soon as
possible."
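The beacon Michael describes (empty HTTP POSTs to one hostname about once a minute, sent through the proxy) is the kind of thing a proxy log search can surface. The following is an added example, not from the diary and not from Michael's analysis. It assumes a constructed proxy log with one line per request in the form `<ISO timestamp> <client> <method> <url> <status> <request-body-bytes>` and flags every client/host pair with a run of zero-byte POSTs at a steady interval; the thresholds (at least five hits, spread of the intervals under 25% of their mean) are arbitrary starting points, not values from the incident.

```python
"""Find periodic empty POSTs in a proxy log (beacon detection).

Added example. The log format and every line in SAMPLE_LOG are constructed,
and the thresholds are assumed starting points, not values from the incident.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Tuple
from urllib.parse import urlparse

# Constructed proxy log: "<ISO timestamp> <client> <method> <url> <status> <request-body-bytes>".
# 10.1.2.3 POSTs nothing to the same host roughly every minute; 10.1.2.9 submits a form at random times.
SAMPLE_LOG = """\
2006-05-18T09:00:02Z 10.1.2.3 GET http://www.example.com/index.html 200 0
2006-05-18T09:00:05Z 10.1.2.3 POST http://localhosts.3322.org/ 200 0
2006-05-18T09:01:04Z 10.1.2.3 POST http://localhosts.3322.org/ 200 0
2006-05-18T09:02:06Z 10.1.2.3 POST http://localhosts.3322.org/ 200 0
2006-05-18T09:02:30Z 10.1.2.3 POST http://www.example.com/login 302 57
2006-05-18T09:03:05Z 10.1.2.3 POST http://localhosts.3322.org/ 200 0
2006-05-18T09:04:07Z 10.1.2.3 POST http://localhosts.3322.org/ 200 0
2006-05-18T09:05:03Z 10.1.2.3 POST http://localhosts.3322.org/ 200 0
2006-05-18T09:00:10Z 10.1.2.9 POST http://forms.example.com/submit 200 0
2006-05-18T09:07:45Z 10.1.2.9 POST http://forms.example.com/submit 200 0
2006-05-18T09:21:00Z 10.1.2.9 POST http://forms.example.com/submit 200 0
2006-05-18T09:22:10Z 10.1.2.9 POST http://forms.example.com/submit 200 0
2006-05-18T09:22:30Z 10.1.2.9 POST http://forms.example.com/submit 200 0
"""


def parse_line(line: str):
    """Split one constructed log line into (time, client, method, host, status, request bytes)."""
    ts, client, method, url, status, req_bytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, method, urlparse(url).hostname, int(status), int(req_bytes)


def find_beacons(log_text: str, min_hits: int = 5,
                 max_cv: float = 0.25) -> Dict[Tuple[str, str], Tuple[int, float, float]]:
    """Map (client, host) -> (hits, mean interval in s, coefficient of variation) for steady zero-byte POST runs."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, method, host, _status, req_bytes = parse_line(line)
        if method == "POST" and req_bytes == 0:   # "pings" carrying no data, as in the report
            series[(client, host)].append(when)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean       # low spread means a timer, not a human
        if cv <= max_cv:
            beacons[key] = (len(times), round(mean, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (client, host), (hits, mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {hits} empty POSTs, one every {mean}s (cv {cv})")
```

Grouping by hostname rather than by destination IP matters here: Michael notes the attackers kept changing the IP address behind the URL, so a block or a search keyed on the IP goes stale quickly, while the hostname and the once-a-minute rhythm do not.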
We're having a look at the Word document ourselves. So far we found it
has apparently embedded Excel and PowerPoint components, and we found a
string in Chinese that translates to: "report test file structure
information write into stack"
Many thanks to all handlers active on this: Johannes, Chris, William,
Adrien.
--
Swa Frantzen - Section 66
Update:
When the exploit is launched, early on in the process, it drops a bot,
possibly Rbot or some variant.
Once the bot is in place, it begins an extensive recon of the system:
installed patches, installed AV, contents of My Documents, startup file
contents, IE config, ...
More to follow as information becomes available.
-Chris