TrendLabs Security Intelligence Blog

Archive for January 17th, 2013

    The perpetrators of targeted attacks want a persistent presence in the target network so that they can extract sensitive data whenever they need it. To keep that presence, attackers try to blend in with normal network traffic and use ports that the firewall already allows.

    The malware used in targeted attacks frequently communicates over HTTP and HTTPS so that its traffic passes as ordinary web browsing. These first-stage tools do give attackers control over a compromised system, but they are often simple and support only a handful of commands.

    Some attackers prefer remote access Trojans (RATs), sometimes as “second-stage” malware. RATs typically have graphical user interfaces (GUIs) and remote desktop features such as directory browsing, file transfer, screenshot capture, and activation of the microphone and web camera of the compromised computer. Both publicly available RATs such as Gh0st, PoisonIvy, Hupigon and DRAT and “closed-release” RATs such as MFC Hunter and PlugX are in common use. The network traffic these RATs produce is well documented and easy to detect, yet attackers continue to use them successfully.

    To get around this detection, attackers keep looking for ways to blend their malicious traffic with legitimate traffic. We found a family of RATs, which we call “FAKEM”, that makes its network traffic look like various other protocols. Some variants disguise their traffic as Windows® Messenger and Yahoo!® Messenger traffic; another variant makes the content of its traffic look like ordinary web traffic. The FAKEM RAT appears to have been in active use in attacks since September 2009.
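    The practical counter to traffic that merely imitates a chat or web protocol is to check whether it actually conforms to that protocol's grammar, rather than trusting the port or the first few banner bytes. The following is an added example written for this page, not code from the FAKEM write-up or from Trend Micro. The sample flows are constructed and do not reproduce FAKEM's real packets; the grammars are simplified from the public MSNP (Windows Messenger), YMSG (Yahoo! Messenger) and HTTP/1.x formats and only test the properties a blending RAT is likely to get wrong, such as binary data where command lines should be, a YMSG length field that matches but a body that is not a key/value list, or an HTTP request that carries a body with no length header.

```python
"""Conformance checks for traffic that claims to be MSNP, YMSG or HTTP.

Added example, not code from the FAKEM write-up. Sample flows are constructed
and do not reproduce FAKEM's real packets; grammars are simplified.
"""
import re
import struct
from typing import Callable, Dict, List, Tuple

# MSNP commands are "CMD [trid] [args]\r\n" in printable ASCII.
MSNP_LINE = re.compile(rb"^[A-Z]{3}(?: \d{1,10})?(?: [\x20-\x7e]*)?$")
# HTTP/1.x request line and "Token: value" header lines.
HTTP_REQ = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]$")
HTTP_HDR = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[\x20-\x7e]*$")
YMSG_SEP = b"\xc0\x80"  # separates keys and values in a YMSG body


def check_msnp(payload: bytes) -> Tuple[bool, str]:
    """Every line must be a command; MSG/UUX bodies are skipped by length."""
    rest = payload
    while rest:
        line, sep, rest = rest.partition(b"\r\n")
        if not sep:
            return False, "unterminated line (binary blob after the banner?)"
        if not MSNP_LINE.match(line):
            return False, "not an MSNP command: %r" % line[:16]
        fields = line.split(b" ")
        if fields[0] in (b"MSG", b"UUX") and fields[-1].isdigit():
            body_len = int(fields[-1])
            if len(rest) < body_len:
                return False, "body shorter than declared length"
            rest = rest[body_len:]
    return True, "ok"


def check_ymsg(payload: bytes) -> Tuple[bool, str]:
    """20-byte header: magic, version, vendor, length, service, status, session."""
    if len(payload) < 20 or payload[:4] != b"YMSG":
        return False, "missing YMSG header"
    length = struct.unpack(">H", payload[8:10])[0]
    body = payload[20:]
    if length != len(body):
        return False, "declared length %d != actual %d" % (length, len(body))
    if body and not body.endswith(YMSG_SEP):
        return False, "body is not a key/value list"
    parts = body.split(YMSG_SEP)[:-1] if body else []
    if len(parts) % 2 or not all(k.isdigit() for k in parts[0::2]):
        return False, "keys are not numeric"
    return True, "ok"


def check_http(payload: bytes) -> Tuple[bool, str]:
    """Request line, well-formed headers, and no body without a length header."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end-of-headers"
    lines = head.split(b"\r\n")
    if not HTTP_REQ.match(lines[0]):
        return False, "bad request line: %r" % lines[0][:16]
    for hdr in lines[1:]:
        if not HTTP_HDR.match(hdr):
            return False, "malformed header: %r" % hdr[:16]
    names = {h.split(b":", 1)[0].lower() for h in lines[1:]}
    if body and not names & {b"content-length", b"transfer-encoding"}:
        return False, "%d body bytes with no length header" % len(body)
    return True, "ok"


# Which grammar a flow is held to is decided by the port it claims to be on.
CHECKS: Dict[int, Tuple[str, Callable[[bytes], Tuple[bool, str]]]] = {
    1863: ("MSNP", check_msnp),
    5050: ("YMSG", check_ymsg),
    80: ("HTTP", check_http),
}


def classify(flows: List[Tuple[str, int, bytes]]) -> List[Tuple[str, str, str, str]]:
    """Return (flow_id, claimed protocol, verdict, reason) for each flow."""
    out = []
    for flow_id, dport, payload in flows:
        proto, check = CHECKS.get(dport, ("other", None))
        if check is None:
            out.append((flow_id, proto, "unchecked", "no grammar for this port"))
            continue
        ok, why = check(payload)
        out.append((flow_id, proto, "ok" if ok else "fake", why))
    return out


def ymsg_packet(pairs: List[Tuple[bytes, bytes]], service: int = 0x57) -> bytes:
    """Build a well-formed YMSG packet (constructed test data)."""
    body = b"".join(k + YMSG_SEP + v + YMSG_SEP for k, v in pairs)
    return b"YMSG" + struct.pack(">HHHHII", 16, 0, len(body), service, 0, 0) + body


BLOB = bytes(range(0x80, 0x100)) * 2  # stand-in for an encrypted C&C message (constructed)
SAMPLE_FLOWS = [  # (flow id, destination port, first client payload); all constructed
    ("msn-real", 1863, b"VER 1 MSNP15 CVR0\r\nCVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.5.1302 BC01 user@example.com\r\n"),
    ("msn-real-msg", 1863, b"MSG 3 N 5\r\nhello"),
    ("msn-fake", 1863, b"VER 1 MSNP8 CVR0\r\n" + BLOB),
    ("ymsg-real", 5050, ymsg_packet([(b"1", b"user"), (b"6", b"abc")])),
    ("ymsg-fake", 5050, b"YMSG" + struct.pack(">HHHHII", 16, 0, len(BLOB), 0x57, 0, 0) + BLOB),
    ("http-real", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("http-fake", 80, b"POST /update HTTP/1.1\r\nHost: www.example.com\r\n\r\n" + BLOB),
]

if __name__ == "__main__":
    for flow_id, proto, verdict, why in classify(SAMPLE_FLOWS):
        print("%-13s %-5s %-9s %s" % (flow_id, proto, verdict, why))
```

    Run against live traffic, this kind of check belongs in a protocol-aware IDS or proxy rather than a port-based firewall rule: the "ok" verdict only says the bytes parse, so pair it with the usual indicators (destination reputation, beaconing intervals, unexpected Messenger use from servers) before acting on it.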

    A word of caution to those who will update their systems with the recent Java zero-day security patch: get it from a reliable source, or risk a malware infection instead of a fix.

    Oracle recently released its fix for the much-discussed Java zero-day (CVE-2012-3174), to a lukewarm reception from some quarters, including the US Department of Homeland Security. We have since encountered malware disguised as that Java update.

    We were alerted to reports of malware posing as Java Update 11 from an unknown publisher. The fake update is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class; that class downloads and executes the malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once running, the backdoor connects to a remote server through which an attacker can take control of the infected system. Users pick up the fake update by visiting the malicious URL {BLOCKED}currencyreport.com/cybercrime-suspect-arrested/javaupdate11.jar.
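    "Unknown publisher" has a concrete meaning at file level: a JAR with no signature files under META-INF/ carries no statement of who produced it, and a signed JAR whose entries no longer match the manifest digests has been modified after signing. The following is an added example written for this page, not Trend Micro's or Oracle's code. It builds three JARs in memory (an unsigned one, a signed one, and a signed one with a tampered class), then inspects each; the class bytes are a dummy stub, the signature block is a placeholder and the Main-Class name and the trusted-host list are assumptions, so the "signed" result means only that the signature structure is present, not that a real signature was cryptographically verified.

```python
"""Structural checks on a Java update JAR before running it.

Added example, not code from the post or from Oracle. The JARs are constructed
in memory and are not the real javaupdate11.jar.
"""
import base64
import hashlib
import io
import zipfile
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: the domains Oracle actually serves Java downloads from.
TRUSTED_HOSTS = ("java.com", "oracle.com")


def trusted_origin(url: str) -> bool:
    """True only if the download host is a trusted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def parse_manifest(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split MANIFEST.MF into the main section and per-entry (Name:) sections.
    Continuation lines start with a space; a blank line ends a section."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, cur = [], {}
    for line in lines + [""]:
        if line == "":
            if cur:
                sections.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    main = sections[0] if sections else {}
    return main, {s["Name"]: s for s in sections[1:] if "Name" in s}


def inspect_jar(data: bytes) -> dict:
    """Report signature presence, Main-Class and per-entry digest integrity."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    main, entries = {}, {}
    if "META-INF/MANIFEST.MF" in names:
        main, entries = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    sig_files = [n for n in names if n.startswith("META-INF/") and n.upper().endswith(".SF")]
    sig_blocks = [n for n in names if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
    signed = bool(sig_files and sig_blocks)
    problems = []
    if not signed:
        problems.append("unsigned: no META-INF/*.SF plus signature block, publisher unknown")
    classes = [n for n in names if n.endswith(".class")]
    for n in classes:
        sec = entries.get(n)
        if sec is None:
            problems.append("%s: no manifest digest" % n)
            continue
        alg = "SHA-256-Digest" if "SHA-256-Digest" in sec else "SHA1-Digest"
        h = hashlib.sha256 if alg == "SHA-256-Digest" else hashlib.sha1
        actual = base64.b64encode(h(zf.read(n)).digest()).decode()
        if sec.get(alg) != actual:
            problems.append("%s: digest mismatch, entry modified after signing" % n)
    return {"main_class": main.get("Main-Class"), "classes": classes, "signed": signed, "problems": problems}


def build_jar(entries: Dict[str, bytes], signed: bool,
              digest_of: Optional[Dict[str, bytes]] = None) -> bytes:
    """Constructed test JAR. signed=True adds per-entry digests and placeholder
    .SF/.RSA files (the layout jarsigner leaves, not a real signature).
    digest_of computes the manifest over other bytes than are written: tampering."""
    digest_of = digest_of or entries
    mf = ["Manifest-Version: 1.0", "Main-Class: javaupdate11", ""]  # Main-Class is an assumption
    if signed:
        for n in entries:
            digest = base64.b64encode(hashlib.sha256(digest_of[n]).digest()).decode()
            mf += ["Name: " + n, "SHA-256-Digest: " + digest, ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(mf) + "\r\n")
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"\x30\x82\x00\x00")  # placeholder, not PKCS#7
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()


# Dummy class file (JVM magic plus padding); stands in for the downloader class.
STUB_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x33" + b"\x00" * 24
FAKE_UPDATE = build_jar({"javaupdate11.class": STUB_CLASS}, signed=False)
SIGNED_UPDATE = build_jar({"javaupdate11.class": STUB_CLASS}, signed=True)
TAMPERED_UPDATE = build_jar({"javaupdate11.class": STUB_CLASS + b"\x90"}, signed=True,
                            digest_of={"javaupdate11.class": STUB_CLASS})

if __name__ == "__main__":
    for label, jar in (("fake", FAKE_UPDATE), ("signed", SIGNED_UPDATE), ("tampered", TAMPERED_UPDATE)):
        print(label, inspect_jar(jar))
    print(trusted_origin("http://www.java.com/en/download/"),
          trusted_origin("http://update-java.example/javaupdate11.jar"))
```

    The structural check is a triage step, not a trust decision. For a real file run `jarsigner -verify -verbose -certs update.jar` and confirm that the signer certificate chains to a trusted CA and actually names Oracle; a valid signature from some other publisher is still an unknown publisher for this purpose, and a download host outside the expected domains should fail before the file is opened at all.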

    [Image: screenshot of the fake Java update site]


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice