When we look through the evolution of UTM, it is easy to understand how this technology was initially positioned, and today still carries a connotation of Small / Medium Business (SMB). In truth, the first products were targeted at SMB customers for a couple of reasons:

1. Economics – As many small businesses struggle with balancing profit vs. the cost of operating their businesses, they often look for the products and services that provide the biggest “bang for the buck”.  This is one of the main benefits offered by UTM products as they integrate multiple security features like firewall, VPN, antivirus, intrusion prevention (IPS) and a host of additional security elements into a single product.  This means that instead of purchasing many solutions to fend of the barrage of security attacks, they need only invest in one – UTM.
2. State of the technology – After the UTM term was uniformly adopted by the industry, in the early days it opened the floodgates for entrepreneurs trying to capitalize on this growing market, and the barrage of software-based solutions exploded. Many of these were a simple combination of off-the-shelf packages thrown together under a common management interface.  This provided a barrier for many, as they were not scalable enough to meet the demands of medium and large enterprise businesses.

Given the early roots and initial attempts by software UTM vendors, it created an inappropriate connotation of SMB for UTM.  This unfortunately is not the case, especially for vendors that helped shaped the vision of UTM and saw that custom hardware, ASIC acceleration and an integrated approach to security features would pave the way for high-performance UTM that are viable replacements and alternatives to aging layer 3/4 security infrastructures.

Consider a parallel evolution in security technology history with respect to the convergence of firewall and VPN technologies.  When the VPN world began to evolve, the networking and security vendors produced effective, scalable VPN concentrator products that delivered on their promise – high-performance, secure, remote communications.  Today, it would be almost absurd to think of firewalls and VPNs as separate appliances.  This begs the question as to how and why this convergence occurred.  One proposition is that the computing power requirements to support firewall processing and VPN encryption were met with advances in hardware acceleration, therefore allowing the combination we are familiar with today.  Obviously technology maturity was a major factor, and you can argue that the combination made logical sense as these technologies are typically deployed together at a security border.

Now, if you consider the combination of firewall/VPN as a valid combination based on the result of advances in technology supporting the complex processing required, it goes to reason that the same should be said for UTM.  In fact, vendors that are focused on UTM will argue that they are building on that same philosophy.  Development in hardware based platforms that employ purpose-built custom ASICs with integrated security software are able to deliver high-performance UTM solutions, breaking the previous adoption barriers for medium and large enterprises.

Recent UTM products introduced into the industry have proven that not only are they capable of delivering comprehensive security, far superior to traditional firewall/VPN devices, but they are able to keep pace with network infrastructure demands of the largest networks.  Solutions available today designed for mid-range and high-end enterprises utilize state-of-the-art custom silicon (ASICs) to accelerate application content inspection, allowing for multi-features security processing without grinding network performance to a halt.  Additional advances in blade-based products with load distribution capabilities provide multi-Gigabit performance for UTM and show the ability to deliver up to 10-Gig and beyond performance capabilities today with an estimated 10 fold increase in the near term.

The lesson: We should consider advances in UTM good for the industry and not believe the naysayers who urge us to believe that UTM is SMB.  The proof is in the pudding, and I would urge any customer looking at security infrastructure upgrades to evaluate a UTM product both on security features as well as performance – I believe many will surely be surprised with the result.

Key Name:          HKEY_CLASSES_ROOT\idid

Name:            url0

00000000   1e 9b 6d d8  89 e6 c4 50  7f fd 13 6b  fa e2 f4 17

00000010   1a 80 78 cc  d6 bb c4 55  73 b5 07 77  a4 81 3a 71

00000020   a4 98 ba d8  2c 85 17 ad  ce c0 b1 a5  9f c8 07 0b

But what URL could this be, if it is one? Most of these bytes are not in the normal text range, so it would have to be encrypted. Even when there was no network connection, the url0 data was added, so I knew it must be hard coded into the bot. From the tests I had been doing, I also knew that the bot contained a hard coded URL for its Command and Control server. So it seemed possible that the C&C URL was encrypted here, but of course I would have to prove that.

The first 16 bytes of the url0 values, from six bot tests, with their test identifiers (T3, M2 etc.), are listed below. The list is sorted by the opening bytes. They fall into two groups where the first seven bytes are identical. The T2 data is slightly different from the ones below it, but the one different byte (f1) could be the result of an encryption error.

T3   1e 9b 6d d8  89 e6 c4 50  7f fd 13 6b  fa e2 f4 17

M2   1e 9b 6d d8  89 e6 c4 5f  60 ff 12 7b  bd ea f3 4c

T2   f1 9b 20 62  fc 48 d0 3e  27 fc 1d f7  94 5a ff 3f

T1   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

M1   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

M5   f8 9b 20 62  fc 48 d0 2b  2a fd 17 e2  87 46 ea 7e

Looking at this, it seems fairly likely that each group was encrypted with the same key. And if these are URLs, the seven common bytes at the beginning of each line could be “http://”, if we are on the right track.

The obvious move at this point is to test this theory. We can start with the first row of hex data from the T3 and M2 tests, recover the key for T3 using the hard coded URL for that variant, then find out if the key is correct by decrypting M2 with it. The worksheet below shows the hard coded URL and the url0 registry data for T3 in the first two lines. At the bottom is the URL in text format and in the plain line are the equivalent hex bytes.

T3 http://gnfdt.cn/loader/bb.php

00000000   1e 9b 6d d8  89 e6 c4 50  7f fd 13 6b  fa e2 f4 17  (encrypted in registry)

key

plain      68 74 74 70  3a 2f 2f 67  6e 66 64 74  2e 63 6e 2f (url in hex format)

text       h  t  t  p   :  /  /  g   n  f  d  t   .  c  n  /   (known hard coded URL)

We will assume that the key was XORed with the plaintext to produce this encryption. That is the most likely case, but if we are wrong it will be necessary to try some other methods. From this basis we will now XOR the encrypted and plain bytes to recover the key.

T3 http://gnfdt.cn/loader/bb.php

00000000   1e 9b 6d d8  89 e6 c4 50  7f fd 13 6b  fa e2 f4 17 (encrypted in registry)

key        76 ef 19 a8  b3 c9 eb 37  11 9b 77 1f  d4 81 9a 38 (recovered key)

plain      68 74 74 70  3a 2f 2f 67  6e 66 64 74  2e 63 6e 2f (url in hex format)

text       h  t  t  p   :  /  /  g   n  f  d  t   .  c  n  /   (known hard coded URL)

Now we have some key bytes, but there is no proof that they are real. To prove that, we can use the key bytes to decrypt M2. The result is below. Part of the URL that is hard coded into the M2 bot has been revealed.

M2 http://hqdedikit.com/mld/bb.php

00000000   1e 9b 6d d8  89 e6 c4 5f  60 ff 12 7b  bd ea f3 4c (encrypted in registry)

key        76 ef 19 a8  b3 c9 eb 37  11 9b 77 1f  d4 81 9a 38 (recovered key)

plain      68 74 74 70  3a 2f 2f 68  71 64 65 64  69 6b 69 74 (decrypted hex)

text       h  t  t  p   :  /  /  h   q  d  e  d   i  k  i  t   (decrypted text)

So our case is proved, the hard coded URL is the one hidden in the registry key. We can easily extend this through the rest of the encrypted data to show the whole URL, and remove any lingering doubt.

But what would we do if each bot variant had its own key? The method above would not work, but there are other ways to approach this problem. One way is to check whether this is a repeating key encryption system. They are very common, and if it is we can make comparisons within one URL, instead of using two as we did above.

Let’s try this method with T3. The simple way is to use the whole URL to find as many key bytes as possible, then look for repetitions.

T3 http://gnfdt.cn/loader/bb.php

00000000   1e 9b 6d d8  89 e6 c4 50  7f fd 13 6b  fa e2 f4 17

key        76 ef 19 a8 b3 c9 eb 37  11 9b 77 1f  d4 81 9a 38

plain      68 74 74 70  3a 2f 2f 67  6e 66 64 74  2e 63 6e 2f

text       h  t  t  p   :  /  /  g   n  f  d  t   .  c  n  /

00000010   1a 80 78 cc  d6 bb c4 55  73 b5 07 77  a4 81 3a 71

key        76 ef 19 a8 b3 c9 eb 37  11 9b 77 1f  d4

plain      6c 6f 61 64  65 72 2f 62  62 2e 70 68  70

text       l  o  a  d   e  r  /  b   b  .  p  h   p

Here we can see that the key starts to repeat at the start of the second row. So the key length is 16 bytes, and again we have proved that the key holds the hard coded URL. Decrypting the next byte at the end provides a little bonus, 0×81 XOR 0×81 = 0×00, the null terminator for the string. Decryption from this point onward exposes bytes that appear to be random.

But now consider another scenario, what would we do if we had no idea what the encrypted URLs were? If we have bots with different URLs using the same key, the problem is not beyond solution. To demonstrate I will use the data from T1 and M1, from the other key group. It turns out, in the end, that only the first two lines of hex are needed for this, so the example below will not show the third line.

First we need to locate the key repetition. We can try “http://” at the start to find the first seven key bytes. With these key bytes we can  decrypt at different locations until some URL-like text appears. The bot code probably processed this as DWORDs, so we will take a shortcut by checking at four byte intervals, and use only four key bytes for each decryption. If this fails we will have to try decrypting at different intervals, possibly even at every byte. The “?” marks below indicate decrypted bytes outside the normal text range, which we would not expect in a URL.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff 90 ef 54 12  90 ef 54 12

plain      68 74 74 70  3a 2f 2f     ac 13 43 e3  01 be be 2d

text       h  t  t  p   :  /  /      ?  ?  C  ?   ?  ?  ?  -



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12 90 ef 54 12 90 ef 54 12 90 ef 54 12

plain      63 6e 2f 6d  3a ec 84 2f  b7 51 5c ea  15 d8 10 95

text       c  n  /  m :  ?  ?  /   ?  Q  \  ?   ?  ?  ?  ?

The true decryption appears to be “cn/m”, at the start of the second row. None of the others is even close. So it looks like we have found the key repetition and the key length. With this information we can set up our work sheet, with the known key bytes and decryptions they give us filled in. It can be seen below, where the decrypted parts confirm our work so far.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff

plain      68 74 74 70  3a 2f 2f

text       h  t  t  p   :  /  /



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff

plain      63 6e 2f 6d  6c 64 2f

text       c  n  /  m   l  d  /



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff

plain      68 74 74 70  3a 2f 2f

text       h  t  t  p   :  /  /



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff

plain      74 2f 6c 6f  61 64 65

text       t  /  l  o   a  d  e

Now we need to extend the URL text parts to uncover more key bytes. In other words we need to make some good guesses, but because the structure of URLs is well known to us, this should not be too difficult.

Notice that the second text line under T1 starts with “cn/mld/”. This looks like a “.cn” top level domain, so let’s fill in the “.” and apply the key byte we get.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff                           11

plain      68 74 74 70  3a 2f 2f                           2e

text       h  t  t  p   :  /  /                            .



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff 11

plain      63 6e 2f 6d  6c 64 2f                           96

text       c  n  /  m   l  d  /                            ?



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff                           11

plain      68 74 74 70  3a 2f 2f                           65

text       h  t  t  p   :  /  /                            e



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff 11

plain      74 2f 6c 6f  61 64 65                           00

text       t  /  l  o   a  d  e                            \0

Now we have some more decrypted bytes. There is a null at the end of M1, this must be the URL string terminator, and a non-text byte (0×96), but let’s ignore that one for now. It may be junk from beyond the end of the URL string, and we will know soon enough if this was a bad guess. At the end of the first M1 line the text character is an “e”, so that we now have “et/loade”. This looks like it must be “.net/loader”, so next we will fill this in and decrypt some more.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff 5f 34 98 11

plain      68 74 74 70  3a 2f 2f 6d                  65 72 2e

text       h  t  t  p   :  /  /  m e  r .



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff 5f 34 98 11

plain      63 6e 2f 6d  6c 64 2f 62                  00 dc 96

text       c  n  /  m   l  d  /  b \0 ? ?



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff 5f                  34 98 11

plain      68 74 74 70  3a 2f 2f 75                  2e 6e 65

text       h  t  t  p   :  /  /  u .  n e



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff 5f 34 98 11

plain      74 2f 6c 6f  61 64 65 72                  68 70 00

text       t  /  l  o   a  d  e  r h  p \0

There is nothing very obvious here, but at the end of the second row of M1 we have “hp\0″. This looks like it could be “.php”, so let’s try that next.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff 5f 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 6d           61  64 65 72 2e

text       h  t  t  p   :  /  /  m            a   d e  r  .



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff 5f 90  f5 34 98 11

plain      63 6e 2f 6d  6c 64 2f 62           68  70 00 dc 96

text       c  n  /  m   l  d  /  b            h   p \0 ?  ?



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff 5f 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 75           69  74 2e 6e 65

text       h  t  t  p   :  /  /  u            i   t .  n  e



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff 5f           90  f5 34 98 11

plain      74 2f 6c 6f  61 64 65 72           2e  70 68 70 00

text       t  /  l  o   a  d  e  r            .   p h  p  \0

This looks good, and now we have some good hints. In T1, in the first line, it looks like we have “//m?loader.” and in the second line another “.php” is developing. We can put these in.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff 5f     90 78 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 6d     6c 6f 61  64 65 72 2e

text       h  t  t  p   :  /  /  m      l  o a   d  e  r  .



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff 5f 90 78 90  f5 34 98 11

plain      63 6e 2f 6d  6c 64 2f 62     2e 70 68  70 00 dc 96

text       c  n  /  m   l  d  /  b      .  p h   p  \0 ?  ?



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff 5f 90 78 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 75     6c 69 69  74 2e 6e 65

text       h  t  t  p   :  /  /  u      l  i i   t  .  n  e



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff 5f 90 78 90  f5 34 98 11

plain      74 2f 6c 6f  61 64 65 72     62 62 2e  70 68 70 00

text       t  /  l  o   a  d  e  r      b  b .   p  h  p  \0

Now, in the second line of M1, we have “bb.php”, and it looks like this also appears in “mld/b?.php” at second line of T1. With this we can fill in the last missing byte.

T1 00000000   f8 9b 20 62  fc 48 d0 32  3c fc 17 f1  91 51 ea 3f

key        90 ef 54 12  c6 67 ff 5f 45 90 78 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 6d  79 6c 6f 61  64 65 72 2e

text       h  t  t  p   :  /  /  m   y l  o  a   d  e  r  .



00000010   f3 81 7b 7f  aa 03 d0 3d  27 be 08 f8  85 34 44 87

key        90 ef 54 12  c6 67 ff 5f  45 90 78 90  f5 34 98 11

plain      63 6e 2f 6d  6c 64 2f 62  62 2e 70 68  70 00 dc 96

text       c  n  /  m   l  d  /  b   b .  p  h   p  \0 ?  ?



M1 00000000   f8 9b 20 62  fc 48 d0 2a  2e fc 11 f9  81 1a f6 74

key        90 ef 54 12  c6 67 ff 5f 45 90 78 90  f5 34 98 11

plain      68 74 74 70  3a 2f 2f 75  6b 6c 69 69  74 2e 6e 65

text       h  t  t  p   :  /  /  u   k l  i  i   t  .  n  e



00000010   e4 c0 38 7d  a7 03 9a 2d  6a f2 1a be  85 5c e8 11

key        90 ef 54 12  c6 67 ff 5f 45 90 78 90  f5 34 98 11

plain      74 2f 6c 6f  61 64 65 72  2f 62 62 2e  70 68 70 00

text       t  /  l  o   a  d  e  r   / b  b  .   p  h  p  \0

So even if the URLs are unknown, we can still decrypt them if bots with different URLs use the same key. In fact all of the pairs from this group {T1-M1, M1-M5, and T1-M5} can be solved without any really difficult guessing, and using all three makes it much easier. Even when it is not clear what text to fill in next, we can always try different guesses until we find the right one.

Of course the weaknesses in this encryption could have been avoided, or at least reduced. For example, not re-using keys would have helped. What we may be seeing here is evidence that, like many computer users, bot herders don’t take security as seriously as they should.

The email used for the HTML/Goldun.AXT campaign may look familiar, because we have seen this campaign quite some time ago in late 2008, during the first large flood of scareware that hit cyberspace. Here is the example email outlined in our November 2008 Threatscape Report. At that time, the very same spam template was delivering the Goldun trojan; now, this spam is used to spread the FakeAV downloader that installs the Security Tool ransomware. This is a great example of how tried and true attack techniques / social engineering can be recycled into future attacks, and how layered security really helps mitigate against these variants. For example, spam detection in this case can help mitigate against old and current attacks being used with new virus binaries: as another layer, antivirus helps guard against the malicious binaries even if the spam campaigns change. In this report, we witnessed multiple, varying spam campaigns for Security Tool. So, who is behind these attack campaigns? We know that the engine driving these record-breaking spam runs is none other than Cutwail (see our in-depth analysis here for more info on this spam botnet). Some of the more prevalent spam campaigns driven by Cutwail distribute scareware / ransomware; it is popular because of the high amounts of profits available to cyber criminals. We have seen Cutwail grow because it has proven to be effective and successful with its scareware campaigns. Cutwail will also spam out botnet binaries (”seeding campaigns”) and other advertisements, which indicates Cutwail is likely hired out as a spamming service (Crime as a Service) for multiple cyber criminals. Thus, it is likely not just one individual and/or group behind these campaigns. With record levels and Cutwail operating in parallel with Webwail – its web spamming counterpart – there’s no doubt we will see much more troublesome activity from this pair in the future.

Apart from ransomware, our malware top 10 this period was riddled with many other active threats including, in second place, the Buzus spam trojan, followed in respective order by the Bredolab, Gumblar and Sasfis botnets. This is further emphasized in our attack top ten list, with Gumblar.Botnet traffic taking position as our number one detected malicious network chatter. While these threats remain the main players, many individual botnets still thrive such as Kneber – discussed here in our blog. Perhaps most interesting in our attack list is the addition of the fifth-ranked attack, Sun.Java.HsbParser.GetSoundBank.Stack.Buffer.Overflow (CVE-2009-3867), a vulnerability in Sun Java which can be triggered through a malicious Java Applet by visiting a malicious website. We have confirmed that the majority of these detections come from Metasploit setups, no doubt a favorite attack platform for a quick-and-easy campaign. Overall, active exploits for new vulnerabilities remained high this period, with 39% of newly covered vulnerabilities being attacked in the wild (Figure 1c). Apart from these, zero-days continue to be an issue: we saw the release of two out-of-band patches by Adobe (Feb 11 and Feb 16), as well as a breaking zero-day for Oracle. As we always remind, stay up to date with patches when they are released, while keeping mitigating solutions in place such as antivirus and intrusion prevention.

I wanted to mention our load balancing capability as another one of those surprising Fortinet free features.

Of course in the current economic climate, consolidation, something Fortinet has pioneered for the past decade, is always being sought and the more features that a unified solution can provide the better.  Realists will always point out, however, that consolidation only works when the features being offered are of a sufficient quality compared with other solutions on the market.  This is where the little known FortiGate load balancing feature often surprises.

The Fortinet load balancing feature set contains all of the features you would expect of a server load balancing solution.  Traffic can be balanced across backend servers based on multiple methods including static (failover), round robin, weighted to account for different sized servers, or based on the health and performance of the server including round trip time, number of connections.  The load balancer supports HTTP/S, SSL or generic TCP/UDP or IP protocols.  Session persistence is supported based on the SSL session ID or based on an injected HTTP cookie.  The load balancing feature is supported on all devices from the FG50B upwards and supports 10,000 virtual servers on the high end systems.

In addition to the load balancing features, there is also a range of heavy duty options including:

• SSL Offload where the decryption process is offloaded to the FortiGate custom ASIC to accelerate performance
• HTTP Multiplexing where multiple HTTP streams are pipelined into a single request to the backend server
• Intrusion Prevention performed on the traffic before distribution out to the servers, protecting them from attack.

Quite the UTM appliance…

I guess every analyst has noticed this variant of the malware contacts the following URLs:

http://XXXX/Jump.jsp?Version=2.0&PhoneType=...&PhoneImei=...&PhoneImsi=...&Source=...
http://XXXX/Kernel.jsp?Version=2.0&PhoneType=...&PhoneImei=...&PhoneImsi=...&Source=...
http://XXXX/KernelPara.jsp?Version=2.0&PhoneType=...&PhoneImei=...&PhoneImsi=...&Source=...

The PhoneType argument contains the model of the infected phone (e.g nokia3250, nokian95…), while the PhoneImei and PhoneImsi arguments respectively contain the phone’s IMEI and IMSI. The Source argument is new to this variant, and its use has not been reversed yet. It could possibly contain the name of the malicious website used to infect the phone.

The first of those JSP pages, Jump.jsp, redirects the user to a Chinese mobile social networking site (3g.kaixin001.com then wap.kaixin001.com). Actually, we had already noticed this behaviour in at least 2 former JSP pages used by previous versions.

The second JSP page, Kernel.jsp, actually replies the following string (host name removed):

http://XXXX/download/root/plugucsrv.sisx

And, from this location, we get a new minor variant of Yxes.D. This is a consistent behavior in Yxes: the worm indeed often works in pairs (e.g variants A, B, D or E download variants C, D or F). In this case, variant H silently downloads and installs a remotely hosted new version of variant D.

Its certificate says:

Serial Number:
 2a:2f:00:01:00:23:37:98:0c:73:b2:c7:69:17
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, O=Symbian Limited, CN=Symbian CA I
Validity
 Not Before: Jan 23 17:55:42 2010 GMT
 Not After : Jan 24 17:55:42 2020 GMT
Subject: C=CN, ST=Fujian, L=XiaMen, O=Xiamen Jindoucheng Tech Co. Ltd.,
OU=plugucsrv  2.1.0, OU=Symbian Signed ContentID,
CN=Xiamen Jindoucheng Tech Co. Ltd.

A notification has been sent to Symbian, who tells us the certificate should soon be revoked. Meanwhile, be cautious if you encounter a file named plugucsrv.sisx that installs as a ‘Setting Wizard’.

That variant D then actually does most of the malicious work: collect data on the phone, report it back to the malicious web servers and send SMS messages. The URLs it contacts are:

http://XXXX/bs.jsp?Version=2.1&PhoneType=...&PhoneImei=...&PhoneImsi=...
&PhoneNumber=...&Succeed=...&Fail=...&Source=... &Time=...&Component=...

http://XXXX/index.jsp?Version=2.1&PhoneType=...&PhoneImei=...&PhoneImsi=...
&PhoneNumber=...&Succeed=...&Fail=...&Source=... &Time=...&Component=...

http://XXXX/number.jsp?Version=2.1&PhoneType=...&PhoneImei=...&PhoneImsi=...
&PhoneNumber=...&Succeed=...&Fail=...&Source=... &Time=...

The PhoneNumber, Succeed, Fail and Time arguments are obviously used to report contacts listed on the phone. The Succeed and Fail arguments are followed by an integer, probably the number of times that phone number has successfully been called or not.

Quite interestingly, if we try to get http://XXXX/bs.jsp, using a credible user agent (the malicious websites are known to check user agents – in particular, if it detects Internet Explorer, it responds “404 Not Found”):

SUCCESS reponse: 200 OK
http://hew1ett-packard.com/bs.jsp?

Notice the letter L of Hewlett has been replaced the number 1 (one).

So, the first malicious web server redirects the requests to another malicious web server, whose name is obviously intentionally crafted to fool the end-user. The URL does not respond any longer. Note that the Yxes worm is already known to use such mispellings:

• www.megac1jck.com
• www.mozi11a.com
• www.makt00b.com
• www.mediafir8.com
• www.megaup10ad.com

The third JSP, KernelPara.jsp, is still a mystery we have to work on. It returns a file named encrypt_Kernel_Para.txt. If its name is meaningful, it is likely to be an encrypted version of a file named Kernel_Para.txt (the worm already uses files with similar names: Local_Para.txt and Remote_Para.txt). In our case, its content is fixed and 32-byte long. It is not an XOR encrypted URL.

Finally, to evaluate the worm’s authors progress, it is interesting to follow the dates and versions of samples. The dates are taken from the first validity date in the X.509 certificate used to sign the sample, and the version numbers are included either in the main executable of the sample or in the certificate.

Apart from a sporadic ‘accident’ end of June 2009 where a version 1.0 goes in the wild (probably an error in versioning), we see the worm authors are continuously working on Yxes since the end of 2008. So my first prediction for 2010 was nearly bound to be true…

– The Crypto Girl

With supporting for multiple browsers, a menu driven captive portal, and a tunnel mode with client software available across a range of operating systems, (windows family, linux, mac, iPhone) our SSL-VPN solution simplifies VPN connectivity. Of course, we also use our FortiASIC technology to drive the performance and don’t limit access by user or license key.

This is no cut-down feature set either, we provide integration with Active Directory, E-Directory, LDAP, RADIUS, TACACS+ with multiple token and certificate based two factor authentication options, with portals and access permissions controlled by user groups. There is support for posture checking, virtual desktop, cache cleaning and single sign on. We’ve also ensured that we integrate with the FortiGate WAN optimization feature to give that remote client some network performance optimization.

Malware authors also use dynamic function loading to enable itself to adapt to different operating system. They use it to enable their program to run on Windows XP, Vista, Windows 7 or other platform.

Common practice is to list all function names as an array of strings to be loaded once the application is running. They used a combination of LoadLibrary and GetProcAddress functions to get the proper addresses. Still some try to use other techniques of getting those addresses without even using those two functions.

Let’s take a closer look at how W32/Bredolab.AC!tr.dldr resolved its API addresses.

W32/Bredolab.AC!tr.dldr did not use a list of API strings,  instead it uses a list of hash values equivalent of the APIs. The hash is computed as below:

These are the steps how the malware got the right API  addresses without using LoadLibrary and GetProcAddress functions.

Step 1:

It first copies the DLL file that it needs in a “%temp%” folder with TMP??.tmp as the filename(?? is a 2-digit number).

Step 2:

It then loads the TMP??.tmp to its address space.

Step 3:

After loading the tmp file which is the equivalent dll file, it can now work on parsing it.  It parses its content, technically in the export table to get the list of function names. It then computes a hash value for each name and compare it to its own list.

Once it gets the right hash value, it then gets the address of the function. And it starts back on Step 1 till it gets all the addresses it needs.

This technique of getting API addresses is not new. But it still serves as a basis of how malware works. Malware authors go to some lengths just to try to make analysis harder. I imagine that this is not even half of what the malware does.

All Your Data Are Belong To Us
Ransomware comes in many shapes and forms, with the most recent variation using malware masquerading as antivirus protection. The goal of an attacker is simple: cripple, lock down and encrypt files/applications, then offer a service to unlock the data. Ransomware has already begun to leave a destructive trail in 2010. Watch as Derek Manky, cyber security and threat researcher, discusses and demonstrates these threats live in the theater.

The Art of Industrial Spying
Every organization and individual has more and more confidential or regulated data to manage, with growing amounts of data being moved to digital storage and transferred digitally. This has wedged the door open to data theft and/or manipulation for financial gain, while bypassing physical security measures. Steve Fossen, senior manager of security research and development, will discuss and demonstrate how enterprises can protect their data from this kind of intellectual property theft so that it doesn’t end up in the wrong hands – or on the open market.

Presentations will take place every 30 minutes during show floor hours. Please stop by the Fortinet booth (#2225) for the schedule and for information on these presentations.

Providing this flexibility does of course leave us another problem to solve. In a mixed home environment with parents and children of various ages different levels of access are desirable, or a least the parent paying the bill wants to have some additional choice. With our in home residential control here at Fortinet we believe in allowing parents to have a different level of access than others in the house with an over ride capability which can unlock a reduced, or unfiltered access. Depending of course on how the provider has defined the service offering. But it is possible to match the service to just to the house, but to it’s occupants, all sharing the same IP address.

For providers it gives them the ability to create flexible services that are dynamically provisioned, helping the scalability, and profitability of the offer. For the customer we provide the protection they need, without the restrictions they are happy to do without.

Effortless Efficiency

Speed and efficiency is of the essence in protecting your network and its users from threats. It is also key to a quick response for web site ratings.

As previously discussed, the latency is minimized through the FortiGate monitoring of FortiGuard servers for the most responsive server within its geographic region. Further, rating responses can also be cached locally, minimizing the hits on the FortiGuard servers. This is a very effective method for common sites. Search engines and other frequently visited sites for your business can remain cached locally. Other sites less frequently visited, can be cached locally for a determined amount of time. For a site such as Google, the frequency of its access can keep it in the cache, other sites can remain in the cache up to 24 hours, or less depending on the configuration.

But what other options can you have to maximize the response time to web filter ratings? Well you need to minimize the network latency, how we do that is provide you with your own copy of the FortiGuard database, automatically synchronized to the main FortiGuard Network.

This copy is stored on the FortiManager device that you would own and deploy at a location most appropriate to your network environment and the demands placed upon it. Having this local access minimizes any network latency for web site filtering for individual requests while having the same coverage offered by the host FortiGuard network.

Read Part I: Cloud-Based FortiGuard Web Filtering Services

Read Part II: Web Filtering: Controlling the Flow

Zeus is often associated as a banking trojan, but because of its flexible configuration, it is very easy to target any information the attacker wishes. For some examples, including a video demonstrations, please see the detailed analysis of Zeus/ZBot available on our FortiGuard Center. It can easily be configured to steal social networking credentials (we used Facebook as an example in our labs) — and indeed with Kneber, it has been used for such purposes. For quick reference, here is a screenshot which shows targeted Facebook information reported by ZBot to its controller (left). The form data (username and password) is passed along to view in clear text by the attacker:

ZBot reports stolen social networking credentials

This particular botnet was named after the email address used to register a domain used in this attack, though in reality, it is just another recent example of a new ZBot variant active in the wild. Further, infected machines were reported to also have Waledac infections — another very active spamming botnet. For more information, please see our detailed writeup on Waledac here. This is not a surprise, many machines are multi-infected nowadays, especially when it comes to botnets that are used as “loaders” to download and distribute malware, essentially infrastructure for hire. This is widely the case with the Pushdo and Bredolab botnets which have been active for years. Because of this, it should not be a focus to lock down against one particular attack: in my mind, layered security is a feasible approach to guarding against blended threats, multi-infections and the growing array of attacks we see in cyberspace today. FortiGuard Labs detects Zeus/ZBot network traffic through IPS as “Zeus.Botnet”, and guards against ZBot variants such as Kneber through antivirus as well.