Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods. Analysis of this malware is presented to provide the computer network defense (CND) community with indicators of this malware.
As related to malware which may exhibit a potentially destructive capability, organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. Destructive malware presents a direct threat to an organization’s daily operations, directly impacting the availability of critical assets and data. In addition, the response required for such an event can be extremely resource intensive.
(U//FOUO) New Jersey Fusion Center: Boston Marathon Bombing Used to Disseminate Malware and Conduct Fraud
Websites and emails referencing the Boston Marathon bombing should be viewed with caution, as malicious actors are using the incident to disseminate malware and conduct fraud. While other agencies investigate the frauds, the NJ ROIC provides this information for situational awareness.
DHS-FBI Bulletins Identifying IP Addresses, Hostnames Associated With Malicious Cyber Activity Against the U.S. Government
Various cyber actors have engaged in malicious activity against Government and Private Sector entities. The apparent objective of this activity has been the theft of intellectual property, trade secrets, and other sensitive business information. To this end, the malicious actors have employed a variety of techniques in order to infiltrate targeted organizations, establish a foothold, move laterally through the targets’ networks, and exfiltrate confidential or proprietary data. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation and other partners, has created this Joint Indicator Bulletin, containing cyber indicators related to this activity. Organizations are advised to examine current and historical security logs for evidence of malicious activity related to the indicators in this bulletin and deploy additional protections as appropriate.
This report focuses on Windows rootkits and their effects on computer systems. We also suggest that combining deployment of a rootkit with a bot makes for a very stealthy piece of malicious software. We have used various monitoring tools on each of the rootkits and have included most but not all of the monitor logs due to space constraints. However, if a log is needed for perusal it is available. Some of the rootkits we investigated contained readme files which were, for the most part, quite informative and actually substantiated some of our monitoring log findings. For the rootkits that contained readme files we have either included them within the document or have included a link to them. At the beginning of this report we have included clean monitoring logs from two different tools that we employed on the rootkits. We have other clean logs but did not include them for the sake of space. As with the rootkit logs, these clean logs will be made available if needed.
General Dynamics has selected HBGary Inc to provide this proposal for development of a software tool, which provides the user a command line interface, that will enable single-file or full-directory exfiltration over TCP/IP. General Dynamics has requested multiple protocols to be scoped as viable options, and this quote contains options for VoIP (Skype) protocol, BitTorrent protocol, video over HTTP (port 80), and HTTPS (port 443). HBGary will research and analyze the best solution given the client’s choice of protocol(s). As outlined in the Bill of Materials on page 4 of this document, cost per protocol is provided separately, and one or more of the options can be chosen by General Dynamics. HBGary will develop this user mode application with listen capabilities and trace cleanup, and ensure network sniffer testing doesn’t trigger any alerts. The application will be provided for user testing and validation at the close of the development cycle, which will be scheduled jointly between HBGary and General Dynamics.
General Dynamics has selected HBGary Inc to provide this proposal for development of a software application targeting the Windows XP Operating System that, when executed, loads and enables a covert kernel-mode implant that will exfiltrate a file from disk (or other remotely called commands) over a connected serial port to a remote device. The enabling kernel mode implant will cater to a command and control element via the serial port. The demonstration will utilize an exploit in Outlook as the delivery mechanism for said software application. The subsequently loaded implant will be stable and will not crash the demonstration system. A usermode component will be included as part of the exploitation package that exercises the kernel mode implant for demonstration purposes. The loaded implant will use the connected serial port to remotely enable functions which can be visible on the collection computer connected on the other end of the serial line. The purpose of the demonstration setup is to verify the functionality for the customer and validate that all work has been completed.
Over the past few days, there has been an increase in computers infected with fake anti-spyware and anti-virus malware. These infections produce a popup stating that your machine is infected with viruses and offer a way to remove them. The object of this software is to trick you into believing you have viruses that need to be removed. A scan will launch after you “click” anywhere on the message and will request payment for removal of the “viruses”.