3604 Fair Oaks Blvd., Suite 250, Sacramento, CA 95864
Phone. (301) 652-8885
Fax. (301) 654-8745
Incident Response Final Report
FOR QinetiQ North America
STRICTLY CONFIDENTIAL
ATTN:
Mr. Matthew Anglin
Information Security Principal
Office of the CSO
QinetiQ North America
7918 Jones Branch Drive Suite 350
McLean, VA 22102 USA
PRIMARY HBGARY CONTACT
Michael Spohn
Director – Security Services
HBGary, Inc.
3604 Fair Oaks Blvd – Suite 250
Sacramento, CA 95864
949-370-7769
1. OVERVIEW
2. SUMMARY
3. SCAN SUMMARY – AS OF 8/24/2010
4. FINDINGS SUMMARY
5. HOST EXAMINATION SUMMARY
6. HOST EXAMINATION/INVESTIGATION DETAILS
   PWBACK9
   QWSCRP1
7. MEMORY AND MALWARE ANALYSIS DETAILS
   WMDRTC32.DLL (KUKU VERSION 4.0 / SALITY)
   MCISERVICE.EXE
   LBD.SYS (VERIFIED AS NOT MALWARE)
   DSLOAD.SYS (VERIFIED AS NOT MALWARE)
   INJECTED MEMORY MOD (BIGWILLY) (VERIFIED AS NOT MALWARE)
   AVCODEC.DLL (VERIFIED AS NOT MALWARE)
APPENDIX A – IOCS FOR KUKU/SALITY MALWARE
APPENDIX B – IOCS FOR MCISERVICE.EXE MALWARE
APPENDIX C – MISCELLANEOUS DATA/LOG REVIEW
TERMINOLOGY
END OF REPORT
Strictly Confidential Page 2 of 12
1. Overview
HBGary, Inc. conducted an in-depth analysis of data collected in association with suspicious activity detected at the
Cyveillance network site. Collection and analysis efforts focused primarily on host-level data in an effort to
locate malware or remote access tools.
The goals of this engagement were to detect compromised systems, both known and unknown malware, and
evidence of hacking activity that may be associated with suspicious outbound traffic, external attacks, or malicious
scanning. The engagement covers 84 host machines located at a single site in Virginia.
2. Summary
During the course of the engagement covering the period of July 21, 2010 to August 21, 2010, HBGary placed an Active
Defense™ server on the client network. HBGary also maintained remote access to the server from a secure operations
center located in Sacramento, CA, where the collection and analysis was managed.
Through use of Digital DNA™, analysis of host memory, and reverse engineering of selected files, HBGary was able to
discover compromised hosts on the network and develop indicators of compromise (IOCs) to determine the extent of
compromise across the entire network. At this time, HBGary has located two seriously compromised hosts out of the
78 hosts analyzed (6 additional hosts were offline or unavailable). This report details all findings to date.
HBGary has confirmed that the Cyveillance network has been compromised on at least two hosts. Specifically, the hosts
PWBACK9 and QWSCRP1 both show evidence of compromise involving a remote access tool. The remote access tool is
a full featured backdoor and has a primary function to serve as a network traffic proxy. An attacker can route all
network traffic through the compromised hosts. This would account for unexplained suspicious traffic being generated
from these two hosts.
Host QWSCRP1 is additionally infected with malware classified as "crimeware". This crimeware is an external,
non-targeted threat and is not associated with APT activity.
3. Scan Summary – As of 8/24/2010
Total Hosts: 84
Total Hosts Managed: 78
Total Hosts Scanned: 78
Total Hosts Pending: 6

Breakdown of the 84 hosts (78 scanned, 6 pending):
NTF/Clean: 76
Malware/Infected: 2
Offline-Pending: 5
Offline-Technical: 1

HBGary has scanned the Cyveillance network with an extensive IOC set and Digital DNA, and performed follow-up analysis on
a large number of binaries and memory images. Two machines were verified as containing malware, one of which is a
full-featured RAT.
Work to date includes:
Triage of Digital DNA results for managed hosts (78 of 84)
Extraction and analysis of several suspicious binaries
Multiple IOC scans across the managed hosts (78 of 84)
4. Findings Summary
Finding               Hostname          Description
wmdrtc32.dll          PWBACK9           Sality Virus – file-appending virus. Can overwrite existing files on the hard drive to maintain persistence.
Mciservice.exe        QWSCRP1           Win32 Trojan Dialer
.sys                  QWSCRP1           Sality Virus
lbd.sys               AFORESTIERILTOP   Verified to not be a virus (Lavasoft Ad-Aware – antivirus scanner)
dsload.sys            QWETEST2          Verified to not be a virus (Oracle binary)
Injected Memory Mod   BIGWILLY          Verified to not be a virus (copy of AVG – antivirus scanner)
Avcodec.dll           CKP               Verified to not be a virus (codec file)
5. Host Examination Summary
Hostname          State          Risk   Recommended Actions
PWBACK9           Infected       High   Forensic Preservation; Inoculate Malware; A/D Rescan
QWSCRP1           Infected       High   Clean Malware; A/D Rescan
AFORESTIERILTOP   Not Infected   Low    No Actions Needed
QWETEST2          Not Infected   Low    No Actions Needed
BIGWILLY          Not Infected   Low    No Actions Needed
6. Host Examination/Investigation Details
PWBACK9
Detection/Finding: wmdrtc32.dll (Sality Virus)
State: Compromised
Host Type: Desktop
Host OS: Windows 2000 Professional SP4
Host Operator/User: Unknown
Location: PROD
Compromise Date: June 23, 2010 7:31AM (EST)
Remediation Date: Remediation not performed
Remediation Method (Recommendation): Forensic Preservation; Wipe/Reimage OS
Attack Vector: Unknown
Root Cause: Unknown
Summary/Description/Notes:
QWSCRP1
Detection/Finding: Mciservice.exe (Win32 Trojan Dialer); .sys (Sality Virus)
State: Compromised
Host Type: Desktop
Host OS: Windows XP Professional SP2
Host Operator/User: Unknown
Location: QA/Dev
Compromise Date: Unknown
Remediation Date: Remediation not performed
Remediation Method (Recommendation): Clean Malware; A/D Rescan
Attack Vector: Unknown
Root Cause: Unknown
Summary/Description/Notes: System offline; no further analysis of the Sality infection is possible. The .sys file was
detected running; the usermode DLL was not detected.
7. Memory and Malware Analysis Details
Analysis has been conducted on several suspicious samples collected from the Cyveillance environment. HBGary was
able to identify one remote access tool and one command and control server. Details of each finding follow; for
several of the samples the analysis concluded that the sample was not malware.
wmdrtc32.dll (KUKU version 4.0 / Sality)
This malware belongs to a strain called KUKU, commonly referred to as Sality. In this case, the binary appears to be an
alpha version 4.0 of the KUKU/Sality source base. The malware operates as part of a large botnet under centralized
control. Once installed, it contacts a remote site to report the infection and then serves as an HTTP proxy, allowing
attackers to route HTTP traffic through the infected computer. This proxy function would explain why the PWBACK9
host was generating high volumes of unexplained suspicious traffic.
The following hosts were infected:
Host      Time of Infection                  Notes
PWBACK9   Dropped on 6/23/2010 07:31AM EST   Found both DLL and driver files on disk; found running in live memory
QWSCRP1   Unknown – system offline           It cannot be determined whether the Sality detection is related to the mciservice.exe file also detected on this host
The PWBACK9 malware sample communicates using HTTP with the following URL:
http://www.kukutrustnet666.info/mrow_nrl/
The KUKU/Sality malware is a full-featured remote access tool that actively targets and disables anti-virus software,
which would explain why anti-virus at the Cyveillance site did not detect it. The malware can update its C2 server
addresses on the fly, which makes it difficult to stop with DNS filtering alone. Furthermore, it installs a kernel-mode
rootkit driver that intercepts all network traffic in and out of the host. The driver is registered so that it remains
active even when the infected host is booted into safe mode (see the SafeBoot memory indicator in Appendix A).
The following table shows attribution data for the malware.
Sample         Location   Note                     Compile Date               Infection Date
wmdrtc32.dll   System32   Usermode portion         12/27/2006 5:21:40AM GMT   6/23/2010 07:31AM EST
.sys           –          Kernel rootkit portion   12/21/2006 2:55:09PM GMT   6/23/2010 07:31AM EST
This malware is extremely virulent and costly to remove from the network. The compromised host should be isolated
and cleaned of the infection immediately to prevent substantial damage to the network.
This malware uses file infection to remain persistent in the network. It infects executable files on the host and on the
network, and specifically targets files registered under the Run key (Software\Microsoft\Windows\CurrentVersion\Run).
It also copies itself to USB removable media with an autorun entry so that it executes when the device is inserted, and
copies itself to network shares using the .exe, .cmd, and .pif file extensions.
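As an added example (not HBGary or Active Defense code) of how the persistence and spread behaviour described above can be scoped on a suspect host: the script below takes a Run-key export, a file inventory with last-write times, and an autorun.inf body from a removable drive, all assumed to have been collected separately and represented here as plain Python structures (the sample data is constructed). It reports Run-key targets written at or after the PWBACK9 compromise time of 6/23/2010 07:31 EST, Run-key targets that are missing from the inventory, and autorun.inf directives that would launch a .exe, .cmd or .pif file on insertion. The EST offset, the Run-key parsing and the autorun.inf directive names are assumptions, not taken from the report.

```python
"""Hunt for the Sality persistence/spread footprint described above.  Added example,
not HBGary code; the Run-key export, file inventory and autorun.inf are constructed."""
import re
from datetime import datetime, timedelta, timezone

EST = timezone(timedelta(hours=-5))                            # assumed offset for "EST"
COMPROMISE_TIME = datetime(2010, 6, 23, 7, 31, tzinfo=EST)      # PWBACK9, section 6
SPREAD_EXTS = (".exe", ".cmd", ".pif")                          # extensions named in section 7
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command")  # assumed directive names


def est(*parts):
    return datetime(*parts, tzinfo=EST)


def target_of(command):
    """Executable path from a Run-key value or autorun directive, e.g.
    '"C:\\Program Files\\App\\app.exe" /tray' or 'C:\\x\\y.exe -flag'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command.strip('"')
    m = re.match(r"(.+?\.(?:exe|cmd|pif|com|bat|scr))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def run_key_candidates(run_values, inventory, since=COMPROMISE_TIME):
    """run_values: dict value name -> command line under ...\\CurrentVersion\\Run.
    inventory:  dict lower-cased path -> (size, last-write time).
    Returns (value name, path, mtime) for Run-key targets written at or after
    `since`; a target missing from the inventory is returned with mtime None so
    it is not silently skipped."""
    out = []
    for name, cmd in run_values.items():
        path = target_of(cmd)
        entry = inventory.get(path.lower())
        if entry is None:
            out.append((name, path, None))
        elif entry[1] >= since:
            out.append((name, path, entry[1]))
    return out


def autorun_candidates(autorun_inf):
    """Parse an autorun.inf body and return (directive, file) pairs that would
    launch one of the spread extensions when the device is inserted."""
    found, section = [], None
    for raw in autorun_inf.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() in AUTORUN_KEYS:
            exe = target_of(value)
            if exe.lower().endswith(SPREAD_EXTS):
                found.append((key.lower(), exe))
    return found


# Constructed sample data (not from the engagement).
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "VPNClient": r'"C:\Program Files\VPN\vpnui.exe" /minimized',
    "Updater": r"C:\Program Files\Vendor\updater.exe -background",
}
SAMPLE_INVENTORY = {
    r"c:\windows\system32\ctfmon.exe": (15360, est(2004, 8, 4, 12, 0)),
    r"c:\program files\vpn\vpnui.exe": (1089536, est(2010, 6, 23, 7, 32)),  # written after compromise
    # updater.exe is deliberately absent from the inventory
}
SAMPLE_AUTORUN_INF = """[autorun]
; constructed, modelled on the USB spreading described above
open=recycled\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shellexecute=readme.pif
action=Open folder to view files
"""

if __name__ == "__main__":
    for name, path, mtime in run_key_candidates(SAMPLE_RUN_VALUES, SAMPLE_INVENTORY):
        print(f"Run-key target to examine: {name} -> {path} ({mtime or 'not in inventory'})")
    for directive, exe in autorun_candidates(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf {directive}= launches {exe}")
```

Last-write times are only a scoping aid: a file infector can preserve them, so every candidate still needs a size and hash comparison against a known-good copy before it is called clean.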
mciservice.exe
This is a Trojan executable that installs as a service on the computer. The malware is designed to dial-out over a
connected modem or telephone line and connect to high-cost 900 numbers. This is part of a criminal operation and
does not appear to be related to APT activity.
This malware was found on the following host(s):
Host Notes
QWSCRP1 Non-targeted attack, should be cleaned as malware
The following table shows attribution data for the malware:
Sample Compile Date Infection Date
mciservice.exe 11/1/2006 4:52:27 AM Unknown
This malware communicates using HTTP with the following hard-coded URLs:
http://gutenmorgen.org/dia/2.php
http://www.championbb.com/photos/2.php
lbd.sys (verified as not malware)
This is a kernel-mode hooking driver that intercepts TCP packets and access to the Windows registry, behavior that
initially made it highly suspicious. Further analysis by HBGary determined that this driver is, in fact, part of the
Ad-Aware security program from Lavasoft. This is not a threat.
This program was detected on the following host:
Host IP Notes
AFORESTIERILTOP 10.8.4.181 Not a threat
dsload.sys (verified as not malware)
This file was initially suspected of being a rootkit. After further analysis, this file was determined to be part of the
"Desktop Sharing Grabber Loader" belonging to the software Desktop Sharing Run-Time by Oracle Corp. This file is not a
threat.
This file was found on the following host:
Host IP Notes
QWETEST2 10.8.3.207 Not a threat
Injected Memory Mod (BIGWILLY) (verified as not malware)
This file was initially suspected of being malware. After further analysis, this file was determined to be part of the AVG
antivirus product.
This file was found on the following host:
Host IP Notes
BIGWILLY 10.8.3.100 Not a threat
Avcodec.dll (verified as not malware)
This file was flagged as suspicious (possibly infected with Virut) but was later determined to be a false positive from
another detection method (it was not flagged by DDNA); the file belongs to a codec package (audio/video software).
This file was found on the following host:
Host IP Notes
CKP 10.8.55.103 Not a threat
APPENDIX A – IOCs for KUKU/Sality malware
The following table summarizes the IOCs for the KUKU/Sality malware:
KUKU/Sality
File system IOCs:
  File: %System%\drivers\.sys, file size 5,477 bytes
  File: %System%\wmdrtc32.dll, file size 40,960 bytes
Memory IOCs:
  Any module containing the string "System\CurrentControlSet\Control\SafeBoot". Legitimate drivers and installers also
  reference this key, so a match on this string alone is a triage lead rather than a confirmation.
Network IOCs:
  DNS: www.kukutrustnet666.info
  NIDS: "mrow_nrl/"
APPENDIX B – IOCs for mciservice.exe malware
The following table summarizes the IOCs for the mciservice.exe malware:
mciservice.exe
File system IOCs:
  File: %System%\mciservice.exe
  File size: 36,864 bytes
  File size: 9,728 bytes (dropper variant)
  MD5: 16452B5329A97431E62A26F1A298D005
  SHA-1: D95CFB8BF4CC009B5798F0890A6D28264CACCDC5
Registry IOCs:
  HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCISERVICE
  HKLM\SYSTEM\ControlSet001\Services\MCIService
  HKLM\SYSTEM\ControlSet001\Services\MCIService\Security
  HKLM\SYSTEM\ControlSet001\Services\MCIService\Enum
  HKLM\SYSTEM\CurrentControlSet\Services\MCIService
  HKLM\SYSTEM\CurrentControlSet\Services\MCIService\Security
  HKLM\SYSTEM\CurrentControlSet\Services\MCIService\Enum
Memory IOCs:
  MUTEX object: djaAdnx2kdnake1666
Network IOCs:
  DNS: gutenmorgen.org
  DNS: www.championbb.com
  NIDS: "dia/2.php" (known C2)
  NIDS: "photos/2.php" (known C2)
  NIDS: "/2.php" (any variant would be suspicious)
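The indicators in Appendix A and Appendix B, together with the C2 URLs listed for both samples in section 7, can be evaluated against a host snapshot and a proxy log with the script below. It is an added example and not HBGary or Active Defense code. It assumes a host snapshot exported as plain Python structures (a file inventory of path, size and MD5; registry key names; mutex names; strings extracted per loaded module) and a proxy log in a constructed one-line-per-request format. %System% is taken to mean any path containing \system32\; the Sality driver is matched by directory and size only because the report does not give its file name; the SafeBoot string is scored as triage only; the hash values are used without the 0x prefix. The sample snapshot and log lines are constructed, not taken from the engagement.

```python
"""IOC evaluation for the KUKU/Sality and mciservice.exe indicators (Appendix A/B).
Added example, not HBGary code. Snapshot and log formats below are assumptions."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Hit = namedtuple("Hit", "severity indicator evidence")

# (label, path regex, size in bytes, file name known?).  %System% assumed to be any
# path containing \system32\; the Sality driver name is not given in the report.
FILE_IOCS = [
    ("sality kernel driver",   r"\\system32\\drivers\\[^\\]+\.sys$", 5477,  False),
    ("sality usermode dll",    r"\\system32\\wmdrtc32\.dll$",        40960, True),
    ("mciservice.exe",         r"\\system32\\mciservice\.exe$",      36864, True),
    ("mciservice.exe dropper", r"\\system32\\mciservice\.exe$",      9728,  True),
]
HASH_IOCS = {  # Appendix B values, lower-cased, without the 0x prefix
    "16452b5329a97431e62a26f1a298d005": "mciservice.exe (MD5)",
    "d95cfb8bf4cc009b5798f0890a6d28264caccdc5": "mciservice.exe (SHA-1)",
}
REGISTRY_IOCS = [r"\\services\\mciservice(\\|$)", r"\\enum\\root\\legacy_mciservice$"]
MUTEX_IOCS = {"djaAdnx2kdnake1666": "mciservice.exe mutex"}
# Legitimate drivers also reference SafeBoot, so this string is scored as triage only.
MEMORY_STRING_IOCS = {r"System\CurrentControlSet\Control\SafeBoot": "sality safeboot string"}
DNS_IOCS = {
    "www.kukutrustnet666.info": "kuku/sality C2",
    "gutenmorgen.org": "mciservice.exe C2",
    "www.championbb.com": "mciservice.exe C2",
}
URI_IOCS = [  # most specific first; the generic /2.php rule is low confidence
    (re.compile(r"mrow_nrl/"),      "kuku/sality C2 path",        "high"),
    (re.compile(r"dia/2\.php$"),    "mciservice.exe known C2",    "high"),
    (re.compile(r"photos/2\.php$"), "mciservice.exe known C2",    "high"),
    (re.compile(r"/2\.php$"),       "mciservice.exe C2 variant?", "low"),
]


def scan_files(files):
    """files: iterable of (path, size, md5 or None) from a disk inventory."""
    hits = []
    for path, size, md5 in files:
        matched = [(lbl, sz, known) for lbl, pat, sz, known in FILE_IOCS
                   if re.search(pat, path, re.IGNORECASE)]
        exact = [lbl for lbl, sz, _ in matched if sz == size]
        if exact:
            hits.append(Hit("high", exact[0], path))
        elif any(known for _, _, known in matched):  # right name, unexpected size
            hits.append(Hit("triage", matched[0][0] + " (size differs)", path))
        if md5 and md5.lower() in HASH_IOCS:
            hits.append(Hit("high", HASH_IOCS[md5.lower()], path))
    return hits


def scan_registry(keys):
    return [Hit("high", "mciservice service key", k) for k in keys
            if any(re.search(p, k, re.IGNORECASE) for p in REGISTRY_IOCS)]


def scan_mutexes(names):
    return [Hit("high", MUTEX_IOCS[n], n) for n in names if n in MUTEX_IOCS]


def scan_memory_strings(modules):
    """modules: dict module name -> list of strings extracted from it in memory."""
    return [Hit("triage", label, mod) for mod, strings in modules.items()
            for s in strings for ioc, label in MEMORY_STRING_IOCS.items()
            if ioc.lower() in s.lower()]


# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(lines):
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, src, _method, url, _status = m.groups()
        u = urlparse(url)
        if u.hostname in DNS_IOCS:
            hits.append(Hit("high", DNS_IOCS[u.hostname], f"{src} -> {u.hostname}"))
        for rx, label, sev in URI_IOCS:
            if rx.search(u.path):
                hits.append(Hit(sev, label, f"{src} {url}"))
                break
    return hits


def scan_host(snapshot, proxy_lines=()):
    """snapshot: dict with optional keys files, registry, mutexes, modules."""
    return (scan_files(snapshot.get("files", []))
            + scan_registry(snapshot.get("registry", []))
            + scan_mutexes(snapshot.get("mutexes", []))
            + scan_memory_strings(snapshot.get("modules", {}))
            + scan_proxy_log(proxy_lines))


def verdict(hits):
    """'infected' on any high hit, 'review' on triage/low hits only, else 'clean'."""
    sev = {h.severity for h in hits}
    return "infected" if "high" in sev else ("review" if sev else "clean")


# Constructed sample data (not from the engagement).
SAMPLE_SNAPSHOT = {
    "files": [
        (r"C:\WINDOWS\system32\mciservice.exe", 36864, "16452B5329A97431E62A26F1A298D005"),
        (r"C:\WINDOWS\system32\drivers\example.sys", 5477, None),   # directory+size match
        (r"C:\WINDOWS\system32\wmdrtc32.dll", 12345, None),          # name match, size differs
    ],
    "registry": [r"HKLM\SYSTEM\CurrentControlSet\Services\MCIService",
                 r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"],
    "mutexes": ["djaAdnx2kdnake1666", "ShimCacheMutex"],
    "modules": {"lbd.sys": [r"System\CurrentControlSet\Control\SafeBoot\Minimal"]},
}
SAMPLE_PROXY_LOG = [
    "2010-08-20T13:02:11 10.8.3.207 GET http://www.kukutrustnet666.info/mrow_nrl/ 200",
    "2010-08-20T13:02:15 10.8.3.207 POST http://www.championbb.com/photos/2.php 200",
    "2010-08-20T13:03:40 10.8.4.181 GET http://cdn.example.net/images/2.php 200",
    "2010-08-20T13:04:02 10.8.4.181 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    results = scan_host(SAMPLE_SNAPSHOT, SAMPLE_PROXY_LOG)
    for h in results:
        print(f"{h.severity:6} {h.indicator:32} {h.evidence}")
    print("verdict:", verdict(results))
```

The severity split matters in practice: the SafeBoot string and the bare "/2.php" path both fire on benign traffic and modules (the lbd.sys case in section 7 shows how a legitimate driver can look like a rootkit), so they only raise a host for review, while a hash, mutex, service key or known C2 host marks it infected.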
Appendix C – Miscellaneous Data/Log Review
Firewall logs were provided to HBGary by Cyveillance in an Excel spreadsheet after the engagement work had been
completed. These logs contained netflow activity for the Cyveillance network. Some of the traffic was for the known
infected host PWBACK9, while other traffic was for multiple external IP addresses belonging to Cyveillance. HBGary had
no way to cross-reference an external IP address with an internal host; therefore these firewall logs provided no
additional capability to identify infected hosts.
An email, originally sent to Pete Nappi and later forwarded to HBGary, contained several action items related to
suspicious/malicious web activity. HBGary attempted to correlate this information in a cursory examination but did not
find anything.
Terminology
Several acronyms may have been used throughout this document. These are defined here for the convenience of the
reader.
TTP - Tools, Techniques, and Procedures. These are the methods used by an attacker to compromise and
remain persistent within a network. TTP is a broad term and covers all behavioral characteristics of an attacker,
including methods used for lateral movement, exfiltration of data, scanning the network, preferences for tools,
etc.
APT - Advanced Persistent Threat. This is a catch-all term for any targeted attack that involves one or more
human attackers interacting with compromised hosts. In other words, APT and Hacker are synonymous. The
term APT is not used when malware is the result of large scale autonomous infection and there is no evidence of
interaction with a host (that is, there is no human at the other end of the keyboard).
RAT - Remote Access Tool. These are malware programs designed to allow a remote attacker to execute
programs and move files to and from a compromised host. These programs typically connect outbound to a
server to get commands.
C2 - Command and Control. This refers to the mechanism used by a RAT to communicate with an external
host and get commands. The C2 host is usually a compromised host that functions as a cut-out between the
compromised network and the attacker. C2 servers are typically moved on a regular basis to overcome
perimeter security such as NIDS or DNS black holes.
FUD - Fully Undetectable. This term applies to malware that has been tested against a large set of known
security products and has been verified as undetectable. Most APT attackers use tools that are FUD. FUD
typically refers to AV products, but is sometimes used to refer to browser-sandbox technology (sandboxie, etc)
as well. For example, a FUD malware would score zero hits on a scan performed by virustotal.com.
AV - Anti Virus. Refers to anti-virus products and host-based firewalls.
NIDS - Network Intrusion Detection System.
DDNA - Digital DNA. This is HBGary's system to detect suspicious code based on behaviors.
IPI - Initial Point of Infection. This refers to how the machine was initially compromised by an attacker. This can
be an autonomous malware infection, such as that caused by visiting a malicious website, or a targeted attack
such as those caused by spear-phishing. IPI can also refer to lateral movement.
Lateral Movement. This refers to an attacker who has already compromised the network in one location, but is
attempting to gain access to additional machines. Typically this is done using stolen account credentials.
Exfil / Exfiltration. This term refers to the removal of data from the network, typically using some form of
covert communications designed to bypass filtering at the perimeter.
Packer / Cryptor. This term refers to a technology that can create many different variants of the same malware
in an automated way, easily bypassing MD5 checksum scans and many forms of AV scanning.
Spreader. This refers to a function within a malware that allows it to spread across the network in an automated
way, for example by infecting USB keys or connecting over Windows network shares.
Downloader / Dropper / Sleeper. This refers to how a machine is initially exploited. The dropper is a small
program that executes first and downloads a larger program (the payload) and executes the second program.
Some downloaders can be configured with a sleep time and will not connect out for weeks or months. In this
case, the downloader may be called a 'sleeper agent'.
PUP - Potentially Unwanted Program. These are programs that are suspicious by nature but are not actually
malware. Examples are unsanctioned VPN bypass (LogMeIn, etc.), invasive toolbar technology (Google Toolbar,
etc.), and security tools that are not tied to an attack (packet sniffers, etc.). PUPs are typically whitelisted during
an investigation, but are still reported to the customer for informational purposes.
End of Report