ThreatCore Project

More news, less ads: Daily links to technology, science, and health news with emphasis on security and privacy threats.




THREATCORE PROJECT Recovers From Mystery Malware Attack...

Sophisticated series of attacks into email, network wireless router, home-based PC...

THREATCORE PROJECT
04/13/2016 - 6:38 PM EDT

It was March 3 when my phone started to blow up. I was getting bounced (rejected) emails - lots of them. Since I didn't send these, I knew this was a case of my Threatcore email password being brute-forced. What I found odd was that the password was far too strong to be subject to a dictionary attack. I wasn't overly concerned about this, since that email address is not something I use for personal business. In fact, I only use that specific account for collecting tips through my website. But little did I know then, something more was building.

Details...

I called my hosting provider and alerted them to the email activity. Some web hosting providers will 'blacklist' a user for sending large amounts of email, which is a sign of spamming. In my case the support technician told me over the phone, "Whoa, you are sending over 200 emails per hour." The high number of emails sent caused my hosting company's email limits to trigger.

The solution for this attack was quite simple. Delete the email account completely, recreate it [from a clean PC], and set a new password. Problem solved? Not quite.

More...

A few days later I visited the web page of my bank. Glaring at me in bright red, the HTTPS:// was crossed out. This generally means the site's security certificate has a problem, or the computer is the victim of a Man-in-the-Middle attack. After checking the same site from my laptop and seeing it in green, I suspected the computer to be dirty. I had antivirus software on the computer, but, curious, I grabbed my son, who was interested in this, and we took a drive to Best Buy, where I picked up a copy of Kaspersky. After a full scan, nothing was found. I also ran Malwarebytes, Avast, Spybot, and F-Secure's rootkit detection tool. Nothing found.

Mysterious Wifi Connections...

I logged into my WiFi router to audit all connections. There's my laptop, business PC, kid's iPod, Wii, printer, and two other devices named 'UNKNOWN'. What were these two other devices? I went room by room and turned off all devices. Phones, printer, Wii, everything was powered down. Logging back into the wireless router showed only two connections: you guessed it, both 'UNKNOWN' devices. I changed the password of the router and watched the devices disappear from the network.

Intrusion Detection Logs...

At this point I was very curious as to what was going on, and this prompted me to take a peek into the logs of my intrusion detection system (IDS). I am one who strongly advises never keeping the logs on the IDS itself. If I am an attacker, I am deleting the logs and the digital trail showing I was in your network. Always get those logs off to a secure central repository.

What I saw was very alarming. The suspected compromised computer in my home was attempting an FTP connection to the router, followed by PING requests and a scan of my network:

Mar 4 19:47:21 3355-lvl-snort snort[1046]: Incoming FTP connection {TCP} 10.0.0.4.64386 -> 10.0.0.1:21

Mar 4 19:47:23 3355-lvl-snort snort[1046]: Ping from an external network {ICMP} 10.0.0.4 -> 10.0.0.1

Mar 4 19:47:23 3355-lvl-snort snort[1046]: ICMP PING [Classification: Misc activity] {ICMP} 10.0.0.4 -> 10.0.0.1

Mar 4 19:47:23 3355-lvl-snort snort[1046]: ICMP Echo Reply [Classification: Misc activity] {ICMP} 10.0.0.4 -> 10.0.0.1

Mar 4 19:47:23 3355-lvl-snort snort[1046]: SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] {UDP} 10.0.0.4:64255 -> 10.0.0.1:1900

Some port scanning continues on March 4th followed by this:

Mar 4 21:42:22 3355-lvl-snort snort[1046]: WEB-MISC /etc/passwd [Classification: Attempted Information Leak] {TCP} 10.0.0.4:64930 -> 10.0.0.1:80

This is attempted reconnaissance aimed at the password file on UNIX systems. The /etc/passwd file lists the system's user accounts, and its contents may be used to gather information for brute-force attacks on passwords. Next came a directory traversal attack:

Mar 4 21:42:22 3355-lvl-snort snort[1046]: WEB-MISC http directory transversal [Classification: Attempted Information Leak] {TCP} 10.0.0.4:64930 -> 10.0.0.1:80

The goal of a directory traversal attack is to make an application access a file that was never intended to be accessible. Immediately following came something even creepier. My NetGear router was attacked with the default password that NetGear loads on its devices at the factory:

Mar 4 21:42:22 3355-lvl-snort snort[1046]: WEB-MISC NetGear router default password login attempt admin/password [Classification: Attempt to Login By a Default Username and Password] {TCP} 10.0.0.4:64949 -> 10.0.0.1:80

To summarize, here's what we know. The computer contains malware that is unknown to antivirus. It pokes its head up occasionally, scans my network, attempts FTP connections, performs reconnaissance and probes, launches a directory traversal attack, and targets my specific brand of wireless router. Between periods of sleeping, it pops back up and performs more scans. Given that this is persistent, stays low and slow, and targets specific devices, you could question whether this is a crafted APT (Advanced Persistent Threat) in the wild.

More info to follow...


Threatcore Project 2016 - Keeping watch of events from over 200 sources to bring essential daily news with less ads.

Contact: news@threatcore.com
http://www.threatcore.com