Active Response

Always A Bad Day For Adversaries

Tag: malware

CCleaner Malware 2nd Stage Victimology Highlights Adversary Interest in Telecommunications

Cisco Talos CCleaner Victim Domain List (source)

Recently, the CCleaner tool contained malware likely infecting millions.  Cisco’s Talos threat intelligence group analyzed some of the data around the CCleaner malware command and control (C2) to get deeper into the second stage.   Talos released a list of domains in which victims would receive a second-stage package likely for further operations.

While most names were familiar to myself the subdomains intrigued me.  The adversary was not just interested in – but particularly the JP and AM sub-domains within Sony.  Not just but  Understanding these sub-domains and their role may offer more insight into the interests of the adversary.

This list likely changed over time – and this list is only a snapshot in time, so it’s difficult to provide a complete profile of adversary interest, but it is interesting for that snapshot.

So, I went digging for about 30 minutes and here’s what I found.

Interesting Findings

  • These are not well-known subdomains.  This means the adversary identified them somehow and then assigned them greater value = to recieve the second stage.  This very strongly indicates a targeted activity rather than commodity threat.
  • This isn’t a clear-cut case of economic espionage because of the tendency towards telecommunications which can serve intelligence value well beyond intellectual property theft.
  • While I didn’t find a correlation among them all, many of these  domains were listed in leaked document/email dumps like WikiLeaks and the Panama Papers
  • Especially strong correlation between all domains being associated with electronics and technology
  • A large number (16 of 24 – 66%) of targets involved telecommunications and telephony  [Samsung (mobile handsets), Singtel (telecommunications), Sony (most don’t know about Sony Mobile), Intel (chips for mobile), Microsoft (maker of Windows Phone), Cisco (lots of telephony), O2, Vodafone, Linksys, Dlink)]
  • The odd domain is involved in gaming and gambling equipment which doesn’t have a correlation with any other victims.  This adds strength to the hypothesis that the victim list is a changing requirement set and the adversary may be satisfying a large variety of needs.
  • The three prominent geographic elements amongst the domains: Asia, Europe, and North America

Victim Domains

singtel.corp.root – internal domain related to Singapore Telecommunications Limited is a Singaporean telecommunications company.

htcgroup.corp – This domain is actually ambiguous because there are many “HTC Group” organizations and the well-known electronics manufacturer isn’t publicly referenced as “HTC Group”

samsung – Clearly a reference to the well-known electronics manufacture

samsung-breda – Samsung Electronics Europe Logistics located in Breda, The Netherlands (Yelp Entry)

samsung.sepm – Likely Samsung Electronics Poland Manufacturing (SEPM) (Wiki Page) – Samsung Slovakia (Web Site) – Sony Japan – Sony Americas – I didn’t know anything about the Gauselmann Group.  Know I do!  The “gg” sub-domain likely refers to a subsidiary Gebrüder Gauselmann (source) who has their own domain (  The subsidiary focuses on the development of gaming/gambling electronics and equipment.

The Gauselmann Group is a family-run, internationally active company for the entertainment and leisure industry. In addition to the development, production and distribution of entertainment gambling and money management systems, the Group operates the well-known casino chain CASINO MERKUR-SPIELOTHEK. In addition, the Gauselmann Group is also active in many other areas, such as sports betting, online gaming and gambling.” (Source) – The well-know virtualization software developer – Intel Corporation Germany – Intel Corporation US and Canadian Region (source) – The Windows development network; and older domain dating back to NT kernel development.  (source1, source2) – Well known network-centric equipment manufacturer – An internal domain for the European telecommunications company O2.  This is likely the subdomain for UK operations (source1, source2) – Vodafone is a global telecommunications company. The VF likely refers to Vodafone and the ES likely refers to Spain – there is some data relating this domain to strengthening that assertion (ref1, ref2).

linksys – well-known network equipment manufacturer – Well-known technology company focused on printers, projectors wearables, robots, etc. – Electronics manufacturer – Taiwanese organization -DVRDNS is another name for DynDNS the dynamic networking service.  No information on infoview2u – An internal domain related to Akamai, the well-known internet technologies company.  Several Autonomous System Numbers (ASNs) associated with Akamai (e.g., AS18680) are registered as Akamai DFW Technologies Inc. (source) – quick analysis didn’t reveal any intelligence on this domain but clearly related to the largest consumer email service run by Google, gmail. – Well-known network equipment manufacturer – Domain related to online certification and assessment company Gauge.

Why Malware Numbers Don’t Matter and What it Means for Security Accounting

McAfee recently reported over 75 million new malware samples detected in 2011. This number, while shocking, no longer matters as an absolute value. It also highlights a glaring flaw in network defense philosophy.

First, this number is only calculated from all detected hashes. Any changes in the binary results in a new, unique, hash. This means that only a small change by the adversary is necessary to effect a “new” piece of malware. A simple thought experiment: if there were 75 million malware samples, each with only one byte difference between them – this method would count 75 million “unique” pieces of malware.

Second, the number alone says nothing about the threat environment. It does not illustrate the attack vectors, vulnerabilities, or exposures used by the malware; nor does it describe the danger or effectiveness of the various malware samples. Maybe there is only one piece of malware and it’s 75 million varieties are all harmless. 75 million is now a very large number signifying nothing.

However, it does matter as a relative value showing the number of unique samples over time. For example, in 2007 unique malware samples rose 565% from the previous year [from A Brief History of Malware]. The velocity of unique malware samples detected in the wild (or the slope of the line if you prefer) is clearly increasing.

Why? It means that malware authors and operators are exploiting the primary network defense practice: default allow all – the black list. Defenders are still stuck in the “allow all” mind-set to trust everything except code which does not pass certain tests or follows certain behavior. To exploit this mind-set an adversary only has to change their malware enough to bypass these filters (e.g. AntiVirus). As defenders update their blacklists/AntiVirus/firewalls, the malware authors make a small change or re-pack and re-deploy the malware bypassing the new rules/filters/etc.

For an adversary, changing their capability slightly and re-deploying is a relatively inexpensive operation – particularly with pervasive exploit kits such as BlackHole. Whereas the cost for the defender to find the new malware, develop a signature, and deploy that signature is relatively costly leaving the security accounting on the side of the adversary.

To win this battle, the defender must switch to a known-good model, or “deny all with exceptions.” Also known as the white list. However, as we have seen – this simply adds a new target for the adversary: the white list itself.

Powered by WordPress & Theme by Anders Norén