Last Updated: 2016-02-07 15:15:15 UTC
by Rick Wanner (Version: 1)
For many reasons, most ISPs are finding that service-affecting DDoSes, which were a common occurrence as little as a year ago, have been rare in the latter half of 2015 and so far in 2016. Hopefully the arrest of some alleged members of DD4BC will also put a damper on the DDoS-for-ransom fad. That said, DDoS is not dead. It appears booter services, DDoS-for-hire services intended to be a nuisance to individual Internet users, are still a problem that ISPs worldwide are seeing.
The graph shows the common UDP traffic for one ISP.
The large spikes are DDoS attacks, typically aimed at a single IP. As you can see, the traffic is typically a mix of DNS and port 0, with some chargen thrown in. For some reason SSDP, which was a large part of attacks in the recent past, has become a small part of the traffic mix in today's attacks.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
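The traffic mix described above (DNS, port 0, chargen and SSDP spikes aimed at one destination) is easy to reproduce from flow records. The following is an added example, not code from the diary or from the ISP whose graph it describes: it parses constructed NetFlow-style records (documentation addresses, made-up byte counts), buckets UDP flows by the reflection service they came from, and reports any destination whose UDP byte total crosses a threshold, together with the per-service breakdown that the diary's graph plots. The record format, bucket names and threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed flow records, one per line: time proto src:port dst:port bytes.
# Sample values only (RFC 5737 documentation addresses); not data from the diary.
SAMPLE_FLOWS = """\
2016-02-06T12:00:01Z UDP 198.51.100.10:53 203.0.113.5:443 4000
2016-02-06T12:00:01Z UDP 198.51.100.11:53 203.0.113.5:443 4000
2016-02-06T12:00:01Z UDP 198.51.100.12:53 203.0.113.5:443 4000
2016-02-06T12:00:01Z UDP 198.51.100.20:19 203.0.113.5:80 1400
2016-02-06T12:00:02Z UDP 198.51.100.21:19 203.0.113.5:80 1400
2016-02-06T12:00:02Z UDP 198.51.100.30:0 203.0.113.5:0 1500
2016-02-06T12:00:02Z UDP 198.51.100.31:0 203.0.113.5:0 1500
2016-02-06T12:00:02Z UDP 192.0.2.40:1900 203.0.113.5:80 1200
2016-02-06T12:00:02Z UDP 192.0.2.50:53 203.0.113.77:51000 120
2016-02-06T12:00:03Z UDP 192.0.2.60:40000 203.0.113.77:5060 300
2016-02-06T12:00:03Z TCP 192.0.2.70:443 203.0.113.77:52000 900
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)

# Source ports of the reflection services named in the diary (assumed bucket names).
REFLECTOR_PORTS = {53: "dns", 19: "chargen", 1900: "ssdp"}


def classify(sport, dport):
    """Label a UDP flow by the amplification service it most likely came from."""
    if sport == 0 or dport == 0:
        return "port0"  # fragments and malformed UDP show up in flow data as port 0
    return REFLECTOR_PORTS.get(sport, "other")


def parse_flows(text):
    """Parse the constructed record format; keep only UDP, which is what the graph shows."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m or m.group("proto") != "UDP":
            continue
        flows.append({
            "dst": m.group("dst"),
            "bucket": classify(int(m.group("sport")), int(m.group("dport"))),
            "bytes": int(m.group("bytes")),
        })
    return flows


def traffic_mix(flows):
    """Bytes per bucket across all UDP flows in the window."""
    mix = defaultdict(int)
    for f in flows:
        mix[f["bucket"]] += f["bytes"]
    return dict(mix)


def find_targets(flows, threshold_bytes):
    """Destination IPs whose UDP byte total exceeds the threshold, with the per-bucket breakdown.

    A single destination receiving most of the window's DNS/chargen/port-0 bytes is the
    'spike aimed at a single IP' pattern the diary describes."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f["dst"]][f["bucket"]] += f["bytes"]
    targets = {}
    for dst, buckets in per_dst.items():
        total = sum(buckets.values())
        if total > threshold_bytes:
            targets[dst] = {"total": total, **buckets}
    return targets


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("UDP mix:", traffic_mix(flows))
    for dst, info in find_targets(flows, threshold_bytes=10_000).items():
        print(f"spike toward {dst}: {info}")
```

In production the threshold would be derived from a per-destination baseline rather than a fixed byte count, and the bucket keyed on source port is only a heuristic: a reflector answering from port 53 is indistinguishable from a legitimate resolver at this level, so the per-destination concentration is the stronger signal.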
Last Updated: 2016-02-07 15:15:09 UTC
by Jim Clausing (Version: 1)
It has been a while, but I finally got around to fixing a bug in my script for putting kippo text logs into a kippo-formatted MySQL database. In this case, it was a bug that caused the sensor column in the sessions table to be NULL instead of the correct value. I just used the updated script to analyze 2.8M login attempts from 2015 in one of my kippo honeypots. I first wrote about the script here. I've also moved some of my tools, including this script, to GitHub. You can find the latest version here. I think I may have another bug to fix that was reported by a user a while back; I'll try to get to that in the next month. In the meantime, I welcome thoughts and comments by e-mail or in the comments.
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
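The failure Jim describes, a sessions row written without its sensor, is the kind of thing a loader should make impossible rather than merely avoid. The following is an added illustration and is not Jim's script: it parses a handful of constructed lines written in the style of kippo's text log, loads them into an in-memory SQLite database whose tables are modeled loosely on kippo's sessions/auth/sensors layout (simplified, with a NOT NULL constraint on sessions.sensor so a missing sensor fails loudly), resolves the sensor id before every session insert, and then counts login attempts the way an analysis of the loaded data would. The session id scheme and the statistics function are this example's own choices.

```python
import re
import sqlite3

# Constructed lines in the style of kippo's text log; sample values only, not from Jim's honeypots.
SAMPLE_LOG = """\
2015-03-01 10:00:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.10:41234 (198.51.100.5:2222) [session: 0]
2015-03-01 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/123456] failed
2015-03-01 10:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/password] failed
2015-03-01 10:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [admin/admin] succeeded
2015-03-01 10:00:09+0000 [HoneyPotTransport,0,192.0.2.10] connection lost
2015-03-01 10:05:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.20:50001 (198.51.100.5:2222) [session: 1]
2015-03-01 10:05:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,192.0.2.20] login attempt [root/toor] failed
2015-03-01 10:05:04+0000 [HoneyPotTransport,1,192.0.2.20] connection lost
"""

NEW_RE = re.compile(r"^(?P<ts>\S+ \S+) \[kippo\.core\.honeypot\.HoneyPotSSHFactory\] New connection: "
                    r"(?P<ip>[\d.]+):\d+ \((?P<sensor>[\d.]+):\d+\) \[session: (?P<sess>\d+)\]$")
AUTH_RE = re.compile(r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,(?P<sess>\d+),(?P<ip>[\d.]+)\] "
                     r"login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>succeeded|failed)$")
LOST_RE = re.compile(r"^(?P<ts>\S+ \S+) \[HoneyPotTransport,(?P<sess>\d+),(?P<ip>[\d.]+)\] connection lost$")

# Simplified schema modeled on kippo's tables (assumption of this example, not kippo's exact DDL).
SCHEMA = """
CREATE TABLE sensors  (id INTEGER PRIMARY KEY AUTOINCREMENT, ip TEXT NOT NULL UNIQUE);
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT NOT NULL, endtime TEXT,
                       sensor INTEGER NOT NULL REFERENCES sensors(id), ip TEXT NOT NULL);
CREATE TABLE auth     (id INTEGER PRIMARY KEY AUTOINCREMENT, session TEXT NOT NULL REFERENCES sessions(id),
                       success INTEGER NOT NULL, username TEXT, password TEXT, timestamp TEXT NOT NULL);
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def sensor_id(conn, sensor_ip):
    """Return the sensors.id for this honeypot IP, creating the row on first sight.

    Resolving the id here, before the sessions insert, is what keeps sessions.sensor populated."""
    row = conn.execute("SELECT id FROM sensors WHERE ip = ?", (sensor_ip,)).fetchone()
    if row:
        return row[0]
    return conn.execute("INSERT INTO sensors (ip) VALUES (?)", (sensor_ip,)).lastrowid


def load_kippo_log(conn, text):
    """Walk the text log once; session numbers in the log are mapped to database session ids."""
    open_sessions = {}  # log session number -> db session id
    for line in text.splitlines():
        m = NEW_RE.match(line)
        if m:
            # Example's own id scheme: sensor + log session number + start time.
            db_id = f"{m['sensor']}-{m['sess']}-{m['ts']}"
            conn.execute("INSERT INTO sessions (id, starttime, sensor, ip) VALUES (?, ?, ?, ?)",
                         (db_id, m["ts"], sensor_id(conn, m["sensor"]), m["ip"]))
            open_sessions[m["sess"]] = db_id
            continue
        m = AUTH_RE.match(line)
        if m:
            db_id = open_sessions.get(m["sess"])
            if db_id is None:
                continue  # auth line with no preceding "New connection" (e.g. log rotated mid-session)
            conn.execute("INSERT INTO auth (session, success, username, password, timestamp) VALUES (?, ?, ?, ?, ?)",
                         (db_id, int(m["result"] == "succeeded"), m["user"], m["pw"], m["ts"]))
            continue
        m = LOST_RE.match(line)
        if m and m["sess"] in open_sessions:
            conn.execute("UPDATE sessions SET endtime = ? WHERE id = ?", (m["ts"], open_sessions.pop(m["sess"])))
    conn.commit()


def login_stats(conn):
    """The counts an analysis of the loaded attempts starts from."""
    count = lambda sql: conn.execute(sql).fetchone()[0]
    top = conn.execute("SELECT username || '/' || password AS cred, COUNT(*) AS n FROM auth "
                       "GROUP BY cred ORDER BY n DESC, cred LIMIT 3").fetchall()
    return {
        "attempts": count("SELECT COUNT(*) FROM auth"),
        "successes": count("SELECT COUNT(*) FROM auth WHERE success = 1"),
        "sessions_without_sensor": count("SELECT COUNT(*) FROM sessions WHERE sensor IS NULL"),
        "top_credentials": top,
    }


if __name__ == "__main__":
    db = build_db()
    load_kippo_log(db, SAMPLE_LOG)
    print(login_stats(db))
```

Against a real MySQL database the same lookup-then-insert pattern applies; the NOT NULL constraint is worth keeping there too, since a silently NULL sensor column only surfaces later when per-sensor reports come out empty.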
Last Updated: 2016-02-07 15:14:53 UTC
by Brad Duncan (Version: 1)
I was discussing malicious spam (malspam) with a fellow security professional earlier this week. He was examining malspam with zip attachments containing .js files. This is something I've covered previously in ISC diaries [1, 2]. However, the traffic patterns he saw were somewhat different from what I've seen, so I figured it's time to revisit this type of malspam.
I found 13 messages with the following subject lines during the past two days:
- Problem with the Order, Reference: #117931
- Problem with the Order, Reference: #469155
- Problem with Your Order, Reference: #543361
- Problem with Your Purchase, Reference: #629146
- Problem with Your Purchase, Reference: #913251
- Problems with the Purchase, Reference Number #568643
- Problems with Your Purchase, Reference Number #199837
- Problems with Your Purchase, Reference Number #797440
- Problems with Your Purchase, Reference: #113736
- Troubles with the Order, Reference: #719684
- Troubles with the Purchase, Reference Number #459991
- Troubles with the Purchase, Reference Number #529057
- Troubles with Your Order, Reference: #987848
Attachment names were different for each of the 13 messages:
- Ali Washington.zip
- Cary Harris.zip
- Dino Hayden.zip
- Garth Porter.zip
- Hans Fitzgerald.zip
- Harold Walter.zip
- Leonel Mcneil.zip
- Marc Harding.zip
- Nickolas Baldwin.zip
- Romeo Wright.zip
- Stanley Floyd.zip
- Ted Fields.zip
- Ward Shea.zip
Each of the attachments was a zip file containing a .js file. The .js file is typically launched by Windows Script Host (wscript.exe) when the file is double-clicked on a Windows desktop.
The script in these .js files is highly obfuscated. ISC Handler Xavier Mertens wrote a diary on how to examine these scripts; however, I prefer to execute the .js files and see where the traffic takes us.
Traffic and malware
Each of the scripts tried to download and execute three malware items. The HTTP requests were:
- csonegame.com - GET /img/script.php?wndz1.jpg
- csonegame.com - GET /img/script.php?wndz2.jpg
- csonegame.com - GET /img/script.php?wndz3.jpg
I tried all 13 of the extracted .js files and saw the same URL patterns.
Unfortunately, by the time I ran these .js files, the malware was no longer available.
Fortunately, others had already run the malware through different online tools, and I was able to find all three items downloaded by the .js files.
script.php_wndz1.jpg - 255.5 KB (261,632 bytes) - File type: Windows EXE
script.php_wndz2.jpg - 159.5 KB (163,328 bytes) - File type: Windows EXE
script.php_wndz3.jpg - 84.5 KB (86,528 bytes) - File type: Windows EXE
Based on the callback traffic reported on the first sample, that file appears to be CryptoWall. I haven't had the time to dig into the other two items.
After posting this diary, someone deobfuscated the script from the .js files and emailed me the results (Thanks Ali!). Images of the work are included below.
The malspam and malware samples can be found here. My thanks to Chris, who emailed me about this most recent wave of malspam.
If you have more information or corrections regarding our diary, please share.
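The diary gives a defender three observable traits of this wave: the subject-line template, a person-named zip attachment that holds a .js file, and HTTP requests for script.php?wndzN.jpg that return a Windows EXE rather than an image. The following is an added example, not code from the diary: it builds a constructed zip attachment (one inert .js, stand-in for the real one), scores a message against the subject and attachment traits, scans constructed proxy-log lines for the download pattern, and flags the content-type mismatch between a .jpg URL and an MZ payload. The log format, client IPs, timestamps and the indicator names are assumptions of this example; the domain, URL pattern and file sizes come from the diary.

```python
import io
import os
import re
import zipfile
from urllib.parse import urlsplit

# Subject template observed in the diary's 13 messages.
SUBJECT_RE = re.compile(r"^(Problems?|Troubles) with (the|Your) (Order|Purchase), Reference(?: Number)?:? #\d{6}$")
# Attachment named "Firstname Lastname.zip", as in the diary's list.
NAME_RE = re.compile(r"^[A-Z][a-z]+ [A-Z][a-z]+\.zip$")
# Download pattern from the diary's HTTP requests.
URL_RE = re.compile(r"^/img/script\.php\?wndz\d+\.jpg$")
# Extensions Windows Script Host runs on double-click (this wave used .js).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}

# Constructed proxy log: time client method url status bytes (sizes taken from the diary).
SAMPLE_PROXY_LOG = """\
2016-02-05 14:02:11 10.0.0.15 GET http://csonegame.com/img/script.php?wndz1.jpg 200 261632
2016-02-05 14:02:12 10.0.0.15 GET http://csonegame.com/img/script.php?wndz2.jpg 200 163328
2016-02-05 14:02:13 10.0.0.15 GET http://csonegame.com/img/script.php?wndz3.jpg 200 86528
2016-02-05 14:03:00 10.0.0.22 GET http://example.org/img/logo.jpg 200 5120
"""
PROXY_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>[\d.]+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) (?P<size>\d+)$")


def build_sample_zip():
    """Constructed stand-in for one attachment: a zip holding a single inert .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.js", "// constructed placeholder, not the obfuscated script from the campaign\n")
    return buf.getvalue()


def scripts_in_zip(data):
    """Names of members inside a zip that Windows Script Host would execute; [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if os.path.splitext(n)[1].lower() in SCRIPT_EXTS]
    except zipfile.BadZipFile:
        return []


def triage_message(subject, attachment_name, attachment_bytes):
    """Return the list of this wave's traits that an inbound message matches."""
    hits = []
    if SUBJECT_RE.match(subject):
        hits.append("subject matches order/purchase problem template")
    if NAME_RE.match(attachment_name):
        hits.append("attachment named like a person")
    if attachment_name.lower().endswith(".zip"):
        scripts = scripts_in_zip(attachment_bytes)
        if scripts:
            hits.append("zip contains script(s): " + ", ".join(scripts))
    return hits


def scan_proxy_log(text):
    """(client, host, query) for every request matching the script.php?wndzN.jpg pattern."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        u = urlsplit(m["url"])
        if URL_RE.match(u.path + "?" + u.query):
            hits.append((m["client"], u.hostname, u.query))
    return hits


def payload_type_mismatch(url, payload):
    """True when a URL that claims to serve a JPEG actually returned a Windows EXE (MZ header)."""
    return url.lower().endswith(".jpg") and payload[:2] == b"MZ"


if __name__ == "__main__":
    print(triage_message("Problem with the Order, Reference: #117931", "Ali Washington.zip", build_sample_zip()))
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
    print(payload_type_mismatch("http://csonegame.com/img/script.php?wndz1.jpg", b"MZ\x90\x00"))
```

The subject and name regexes are tuned to this wave and will need updating as the template drifts; the two checks that age better are the script-inside-zip rule at the mail gateway and the image-URL-returns-MZ rule at the proxy, since both key on what the attacker needs (a script the user can double-click, an executable the script can fetch) rather than on this week's wording.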