Hiring Security Architect needed at Fortune Best Place to Work, South FL (Reddit) SANS ISC SecNewsFeed(cached at December 18, 2015, 11:58 pm)

Congress Passes Long-stalled Cybersecurity Bill (SecurityWeek) SANS ISC SecNewsFeed(cached at December 18, 2015, 11:58 pm)

Juniper issues patch for ScreenOS to eliminate unauthorized code (SC Magazine) SANS ISC SecNewsFeed(cached at December 18, 2015, 11:58 pm)

FBI probes breach at Juniper Networks: CNN (Yahoo Security) SANS ISC SecNewsFeed(cached at December 18, 2015, 11:58 pm)

Actor using Rig EK to deliver Qbot, (Fri, Dec 18th) SANS Internet Storm Center, InfoCON: green(cached at December 18, 2015, 11:57 pm)

Introduction

On Thursday 2015-12-18 during a Rig exploit kit (EK) infection in my lab environment, I saw the same infection chain patterns from a criminal group I hadn't noticed in a long time.

This appears to be the same actor that was using Sweet Orange EK to distribute Qbot malware in 2014 and early 2015 [1, 2, 3]. Why? Because the same type of obfuscation is used to generate the gate URL that I saw last year. The payload is also the same that I've seen from this actor (Qbot).

This actor appears to be using Rig EK now. Let
Shown above: Flow chart for today's infection by this actor.

The traffic

The EK traffic was identified as Rig EK when I read a pcap of the traffic using Snort 2.9.8.0 with the Snort registered rule set.
Shown above: Alerts from the traffic using the Snort subscriber ruleset.

Gate traffic

How does this actor generate the gate URL from the compromised website? It's done through injected script that uses several obfuscation tricks. One of the HTTP GET requests to the compromised website returned a .js file with the malicious script tacked on the end of it. If you look at the TCP stream for this HTTP GET request in Wireshark, it
Shown above: HTTP GET request for the .js file when viewing the TCP stream in Wireshark.

You'll need to export HTTP objects from the pcap to look at the actual .js file.
Shown above: Malicious script in .js file from the compromised site.

In the above image, the end of the normal .js file is highlighted in orange near the top. Everything after that is the injected malicious script. I've highlighted code for the gate URL in yellow. How do you translate that to the actual gate URL? It uses both unicode and hexadecimal obfuscation for some of the letters in the URL. There's also a j7aMn function that's defined earlier in the script, and that
Shown above: How to resolve some of the obfuscation for the gate URL.

The gate URL returns a variable called main_color_handle. This contains a long string of characters that the earlier malicious script uses to get the Rig EK landing page URL. First, you'll have to take everything away except 0 through 9 and a through f from the variable. Then translate the result from hexadecimal to ASCII. That's how you
Shown above: How to get the EK landing page URL from data returned by the gate.
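The two decoding steps described above (resolving the unicode/hex escapes in the gate URL, and filtering main_color_handle down to hex digits before converting to ASCII) as an added analyst-side example; this is not code from the diary, and the obfuscated string, the main_color_handle value and the .example host names are constructed placeholders. The script's j7aMn function is not modelled.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not from the diary) of an obfuscated JavaScript string
# literal of the kind the injected script uses to assemble the gate URL:
# some letters are written as JavaScript \uXXXX and \xXX escapes. The host
# name is a placeholder. The script's j7aMn() helper is not modelled here.
OBFUSCATED_GATE = r"h\u0074tp:\x2f/g\u0061te.\x65xample/p\u0061th.php"

# Constructed sample of a main_color_handle value: only the characters
# 0-9 and a-f carry the landing page URL, everything else is filler.
MAIN_COLOR_HANDLE = (
    "68Z74-74Q70_3aR2fT2f!6cK61W6eX64Y69G6eH67P2eM65N78S61V6dU70L"
    "6cJ65I2fO69K6eZ64Q65W78X2eY70G68H70"
)

_JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")


def resolve_js_escapes(s: str) -> str:
    """Replace JavaScript \\uXXXX and \\xXX escapes with the characters they encode."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_main_color_handle(blob: str) -> str:
    """Drop everything except 0-9 and a-f, then decode the remaining hex as ASCII."""
    hexdigits = re.sub(r"[^0-9a-f]", "", blob)
    if len(hexdigits) % 2:
        # An odd digit count means the filler rule did not match this sample.
        raise ValueError("odd number of hex digits after filtering")
    return bytes.fromhex(hexdigits).decode("ascii")


def looks_like_url(s: str) -> bool:
    """Sanity check so a wrong filter does not pass garbage off as a URL."""
    parts = urlsplit(s)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    gate = resolve_js_escapes(OBFUSCATED_GATE)
    landing = decode_main_color_handle(MAIN_COLOR_HANDLE)
    print("gate URL:       ", gate, "(ok)" if looks_like_url(gate) else "(?)")
    print("EK landing page:", landing, "(ok)" if looks_like_url(landing) else "(?)")
```

The decoded strings are what you would then search for in the pcap to confirm the gate request and the landing page request.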

Final words

Today's Rig EK example follows the same traffic patterns that I've examined many times before.
Shown above: VirusTotal results showing recent URLs on 192.185.21.183.

Pcap and malware samples used in this diary are available here.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://www.malware-traffic-analysis.net/2014/10/27/index2.html
[2] https://isc.sans.edu/forums/diary/An+Example+of+Evolving+Obfuscation/19403/
[3] http://malware-traffic-analysis.net/2015/02/09/index2.html
[4] https://www.virustotal.com/it/ip-address/192.185.21.183/information/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Swedish Researchers Break 'Unbreakable' Quantum Cryptography Slashdot by Soulskill on encryption at January 1, 1970, 1:00 am (cached at December 18, 2015, 11:31 pm)

New submitter etnoy writes: Quantum key distribution is supposed to be a perfectly secure method for encrypting information. Even with access to an infinitely fast computer, an attacker cannot eavesdrop on the encrypted channel since it is protected by the laws of quantum mechanics. In recent years, several research groups have developed a new method for quantum key distribution, called "device independence." This is a simple yet effective way to detect intrusion. Now, a group of Swedish researchers question the security of some of these device-independent protocols. They show that it is possible to break the security by faking a violation of the famous Bell inequality. By sending strong pulses of light, they blind the photodetectors at the receiving stations which in turn allows them to extract the secret information sent between Alice and Bob.

Read more of this story at Slashdot.

The Hillary Landslide inessential.com at January 1, 1970, 9:00 am (cached at December 18, 2015, 11:29 pm)

If Trump wins the nomination — which is more likely every day — then Hillary Clinton could win all 50 states.

Democrats might gain both houses of Congress, because the presidential candidate has an effect on Congressional and even state and local races.

As a Democrat, I should be ecstatic at the thought of such a landslide. But I’m not.

* * *

I’m not ecstatic because I’m an American.

In modern times both parties have nominated some awful people, but none so extreme that they’d fit better as a National Front candidate.

Think about how other nations and people around the world would see us then. Think about how we’d see ourselves.

Even if he loses big — the biggest and best loss ever — there’s no going back. We will be a nation where one of the two major parties nominated the favorite candidate of white supremacists.

If you’re a Democrat, you might blame them, those Republicans, for this. But that’s not right: it’s the fault of the entire American people.

* * *

Same thing holds for Ted Cruz.

(“Lady Nixon,” I heard him called. Which is completely unfair to ladies and to Nixon.)

UN Security Council agrees on Syria peace plan AL JAZEERA ENGLISH (AJE)(cached at December 18, 2015, 11:28 pm)

Draft resolution calling for peace conference in January and ceasefire adopted unanimously by council's 15 members.
Friday Squid Blogging: Penguins Fight over Squid (Schneier blog) SANS ISC SecNewsFeed(cached at December 18, 2015, 11:28 pm)

Obama Signs Cyberthreat Information Sharing Bill (InfoRiskToday) SANS ISC SecNewsFeed(cached at December 18, 2015, 11:28 pm)

Researcher claims Facebook tried to gag him over critical flaw (The Register) SANS ISC SecNewsFeed(cached at December 18, 2015, 11:28 pm)

How Long Until the Cyborg Olympics Are Better Than the Traditional Games? Slashdot by Soulskill on technology at January 1, 1970, 1:00 am (cached at December 18, 2015, 11:01 pm)

the_newsbeagle writes: In October 2016, a stadium in Zurich will host the world's first cyborg Olympics. During this event, more officially called the Cybathlon, people with disabilities will use advanced technologies such as exoskeletons and powered prosthetic limbs to compete in the games. This article chronicles one team's training for the bicycle race, where the athletes will be people with paralyzed legs. The team is composed of the paralyzed biker who has an electrical stimulation system implanted in his body, and the engineers who built the gear that energizes his nerves and muscles.

Read more of this story at Slashdot.

Attacks increase against Australia's Muslims AL JAZEERA ENGLISH (AJE)(cached at December 18, 2015, 10:58 pm)

Warning issued against backlash as survey shows community experiencing racism three times the national average.
Recording facility fosters S African music talent AL JAZEERA ENGLISH (AJE)(cached at December 18, 2015, 10:58 pm)

Downtown Music Hub in Johannesburg is a government initiative offering high-quality recording facilities at a low cost.
Industry pros, tech firms displeased with cyber bill (SC Magazine) SANS ISC SecNewsFeed(cached at December 18, 2015, 10:58 pm)