    Last week, reports surfaced about a “zero-day” exploit for Adobe Reader (CVE-2011-2462) that had been actively used in targeted attacks since November. The malicious PDFs were emailed to targets along with text encouraging the recipient to open the attachment. If the attachment is opened, the exploit installs the malware known as BKDR_SYKIPOT.B onto the target system. The reported targets have been the defense industry and government departments.

    Targeted attacks are typically organized into campaigns. A campaign is a series of attacks against a variety of targets over time, rather than isolated “smash and grab” attacks. While information about any particular incident may be incomplete, over time we aim to assemble the various pieces (attack vectors, malware, tools, infrastructure, targeting) into a broader understanding of the campaign.

    The Sykipot campaign, which has been known by many names over the years, can be traced back to 2007 and possibly 2006. Here, I will focus on a few key incidents, though there have been a variety of attacks consistently over the years.

    A similar attack occurred in September 2011 that used a government medical benefits document as a lure. This attack also leveraged a zero-day exploit in Adobe Reader (CVE-2010-2883). In March 2010, the malware was used in conjunction with a zero-day exploit for Internet Explorer 6. That’s three zero-day exploits in the last two years.

    Another attack was reported in September 2009 that leveraged CVE-2009-3957, using information about a defense conference and the identity of a well-known think tank as a lure. In August 2009, there was another attack targeting government employees that used the theme of emergency management and the identity of the Federal Emergency Management Agency (FEMA) as a lure. The same command and control (C&C) server used in this attack was also used in a 2008 attack.

    Finally, an attack was reported in February 2007 that used malicious Microsoft Excel files (CVE-2007-0671) to drop malware that is functionally similar and most likely the predecessor of BKDR_SYKIPOT.B. The C&C server used in this attack was used in attacks dating back to 2006.

    Date            MD5 hash                           Command and Control
    September 2010  32dbd816b0b08878bd332eee299bbec4   www.mysundayparty.com
                    0ade988a4302a207926305618b4dad01
                    68f5a1faff35ad1ecaa1654b288f6cd9
    March 2010      a4bdddf14cee3cc8f6d4875b956384d2   notes.topix21century.com
    September 2009  e42f8e662d39a31b596d86504b9dc287   music.defense-association.com
                    590a6e6c811e41505bebd4a976b9e7f3
                    230040293ed381e32faa081b76634fcb
    August 2009     126c0353957a506c0a3b41b0bdfb88ce   news.marinetimemac.com
    December 2008   a1c8276b008b9386b36ef73b163a0c75   www.marinetimemac.com
    February 2007   56055a77675058b614a282d9624b67f2   www.top10member.com
                    69ed09e31c06c7763a91c408d9ad9c10
                    271e3fa15a81c5b9e7543460808cfbeb
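    The campaign-assembly point made earlier (linking incidents through shared infrastructure) and the table above can be worked through in code. This is an added example, not TrendLabs code: it takes the dates and C&C hostnames from the table, pivots on the registered domain so that rotated host labels (www., news., music., notes.) still compare equal, and then reuses that watchlist to flag constructed proxy log lines. The `registered_domain` helper assumes single-label TLDs, and the log format and lines are assumptions.

```python
import re
from collections import defaultdict

# Dates and C&C hostnames as given in the post's table.
INCIDENTS = [
    ("February 2007", "www.top10member.com"),
    ("December 2008", "www.marinetimemac.com"),
    ("August 2009", "news.marinetimemac.com"),
    ("September 2009", "music.defense-association.com"),
    ("March 2010", "notes.topix21century.com"),
    ("September 2010", "www.mysundayparty.com"),
]

def registered_domain(host):
    """Drop the host label (www., news., ...) so rotated subdomains of one
    registered domain compare equal. Assumption: single-label TLDs only."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_by_infrastructure(incidents):
    """Map each registered C&C domain to the incident dates that used it."""
    groups = defaultdict(list)
    for date, host in incidents:
        groups[registered_domain(host)].append(date)
    return dict(groups)

def reused_infrastructure(incidents):
    """Domains seen in more than one incident: the links that tie incidents together."""
    return {d: dates for d, dates in link_by_infrastructure(incidents).items() if len(dates) > 1}

# Constructed proxy log lines (not captured traffic): timestamp client method url status.
SAMPLE_LOG = """\
1323000001.123 10.0.0.5 GET http://notes.topix21century.com/page.html 200
1323000002.456 10.0.0.7 CONNECT ftp.marinetimemac.com:443 200
1323000003.789 10.0.0.9 GET http://www.example.com/index.html 200
"""

LOG_RE = re.compile(r"^\S+ (\S+) (\S+) (?:https?://)?([^/:\s]+)")

def flag_c2_traffic(log_text, incidents):
    """Return (client, host, method) for lines whose host falls under a watchlisted
    registered domain, so a never-before-seen subdomain of a known domain still trips."""
    watch = set(link_by_infrastructure(incidents))
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and registered_domain(m.group(3)) in watch:
            hits.append((m.group(1), m.group(3), m.group(2)))
    return hits
```

Matching on the registered domain rather than the exact hostname is what catches the second constructed line: ftp.marinetimemac.com never appears in the table, but marinetimemac.com does, twice.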

    While the malware remained functionally similar over the years, there were also some changes. For example, early versions of the malware communicated with the C&C server over plaintext HTTP, while later versions encrypt their network traffic with HTTPS.

    We analyzed the DLLs dropped by the 2007 and 2011 versions of the malware, and they are similar. In addition to using the same URL format for communication with the C&C server, the two DLLs also use the exact same encryption key. The 2008 samples contain some differences: the attackers added, and later dropped, commands such as “findpass2000” and “port2000” that only work on Windows 2000.

    All of the samples over the years contain backdoor functionality that gives the attackers a remote shell on the compromised computers. While the old versions execute shell commands via cmd.exe, the new ones execute them via the WinExec API. Either way, this provides the attackers with full remote control of the victim.

    The Sykipot campaign remains a high priority threat.

    * With analysis from Jonell Baltazar.
