Operation Windigo: “Good job, ESET!” says malware author

Following the recognition at Virus Bulletin 2014 of ESET’s research on Operation Windigo, I took the opportunity to ask Marc-Etienne Léveillé, who worked directly on the Operation Windigo report, a few questions. Marc-Etienne is a malware researcher at ESET. He is interested in reverse engineering Linux and OS X malware, and he is passionate about making links between different malware families to build an overall view of how they are interconnected.

Quite some time has passed since you last spoke about the large Linux crimeware operation dubbed Operation Windigo. Has anything happened lately that is worth mentioning?

We are still monitoring the Windigo gang. Unfortunately, we have not observed a decrease in their malicious activities since the publication of the report in March 2014. We still measure and block the same amount of traffic being redirected from Cdorked websites. Moreover, the various pieces of malware have been updated to evade our indicators of compromise (IoC).

What is the biggest challenge posed by threats like these to system administrators?

We have been notifying a lot of infected parties and I would say that the lack of Linux forensic knowledge is the main problem for sysadmins. Windigo uses a lot of tricks to stay under the radar. Since it doesn’t interrupt the affected server’s legitimate activity, such a server could be infected for a very long time before the administrator notices the infection. Some sysadmins may stay in denial and refuse to believe their server is infected.

What kind of changes were introduced in the recent versions of the Linux/Ebury malware?

The authors of the Ebury malware react quite quickly to our publications. Within a month, we’ve seen a new version of the malware evading our indicators of compromise. Here are a few of the most noticeable changes:

  • The version number has jumped to 1.5.1 (which is the latest version number that we’ve seen). We also saw version 1.4.1 for the first time in April 2014. At the time we released the Operation Windigo report in March, the latest version observed had been 1.3.5.
  • Ebury no longer uses shared memory for storing stolen credentials and maintaining inter-process communication. Instead, a new process is started and injected with the Ebury payload with LD_PRELOAD. Stolen credentials are kept in this new process address space. Inter Process Communication (IPC) with OpenSSH is initiated over a UNIX domain socket.
  • The domain name generator algorithm (DGA) used as a backup to exfiltrate credentials has changed. This backup is used when it has not been configured by the operator.
  • Version 1.5 no longer infects the .so file directly. The Ebury payload is located in a new file in the library directory with the filename libns2.so. The system’s original libkeyutils.so is then patched to link to this new malicious library instead of libc.so.6. The Ebury code will then be loaded and hook OpenSSH.
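As an added illustration (not ESET’s or CERT-Bund’s tooling), here is a check for the Ebury 1.5 linking trick just described: it parses the dynamic section of a libkeyutils.so as printed by readelf -d and flags either a dependency on libns2.so or the absence of the usual libc.so.6 dependency. The readelf invocation, the regular expression and the two sample outputs are assumptions constructed for this example.

```python
import re
import subprocess
from typing import Dict, List

# A DT_NEEDED line as printed by `readelf -d`, e.g.
#  0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")


def parse_needed(readelf_output: str) -> List[str]:
    """Return the DT_NEEDED library names found in `readelf -d` output."""
    return NEEDED_RE.findall(readelf_output)


def assess_libkeyutils(needed: List[str]) -> Dict[str, object]:
    """Apply the two indicators from the Ebury 1.5 description.

    - a dependency on libns2.so means the Ebury payload is being pulled in;
    - a libkeyutils.so that no longer depends on libc.so.6 has had its
      dependency rewritten, which a genuine build never shows.
    """
    libns2_linked = any(n.startswith("libns2.so") for n in needed)
    libc_present = any(n.startswith("libc.so.6") for n in needed)
    return {
        "needed": list(needed),
        "libns2_linked": libns2_linked,
        "libc_missing": not libc_present,
        "suspicious": libns2_linked or not libc_present,
    }


def check_file(path: str) -> Dict[str, object]:
    """Run readelf (from binutils) on a real library and assess its dependencies."""
    out = subprocess.run(["readelf", "-d", path], capture_output=True,
                         text=True, check=True).stdout
    return assess_libkeyutils(parse_needed(out))


# Constructed samples: what `readelf -d` prints for a clean libkeyutils.so
# (a dependency on libc.so.6) and for one patched as described above.
CLEAN_OUTPUT = """
Dynamic section at offset 0x2d60 contains 24 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libkeyutils.so.1]
"""
PATCHED_OUTPUT = CLEAN_OUTPUT.replace("[libc.so.6]", "[libns2.so]")

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_OUTPUT), ("patched", PATCHED_OUTPUT)):
        print(label, assess_libkeyutils(parse_needed(text)))
```

On a live host, run check_file on every libkeyutils.so found by ldconfig -p; a libns2.so dependency should be treated as a compromise indicator consistent with the CERT-Bund IoCs.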

Using this new information gleaned from our monitoring, CERT-Bund has updated its page with the Ebury IOCs.

In addition to the “Good job, ESET!” from the malware authors, your team has won the first Virus Bulletin Péter Szőr award for your report on Operation Windigo. How does that make you feel?

There were a lot of excellent papers on malware research this year and I would like to give credit and respect to the other nominees and to all the researchers who have published great work in the last years.

In addition to what was said before, I would like to acknowledge that most of the co-authors and researchers involved in the Operation Windigo paper are newcomers to the anti-virus industry. For us, receiving an award like this is much appreciated recognition from our peers and gives us confidence that we are heading in the right direction.

"Good Job, ESET! And thanks for IDA."

Our first priority is to protect our customers against all threats, including new and emerging ones. As a researcher, it is great to be able to focus deeply on a specific threat like this one. Thanks to ESET’s belief in proper research, we were able to really do a deep investigation and protect our customers at the same time. We are really pleased it was so well received by the press, our customers and Virus Bulletin.

Thanks Marc-Etienne for your time.

October is the Cyber Security Month: stats, events and advice

Since October 2012, the European Cyber Security Month has been running as a pilot across Europe, inspired by similar projects successfully implemented around the globe. One of them is the Stop. Think. Connect. campaign supported by the National Cyber Security Awareness Month in the United States.


The good news is that this year, we at ESET are also supporting this cause. As you know, we not only provide security solutions to protect our users, but we also believe in raising awareness in our community through different channels. That’s why we are supporting the Cyber Security Month with our We Live Security portal in 3 languages and with activities in San Diego, United States. Recall that ESET is also part of Securing Our eCity in the United States and Argentina Cibersegura, non-profit organizations that aim to create a safe digital neighborhood that protects every citizen through awareness programs, conferences and good practices.

One good thing about these initiatives is that we have the opportunity to get more people involved. In this case the campaign also has the support of the European Commission and the European Union Agency for Network and Information Security, among many other organizations. But first, let’s look at how this became so important, and why.

How is the online criminal service industry?

According to the latest report, released a couple of weeks ago by Europol’s European Cybercrime Centre, 2.8 billion people and over 10 billion devices around the world access the Internet. The more people that get connected, the greater the attraction for attackers looking for new victims.

Additionally, the report states that the EU will still be one of the most important targets of cybercrime because of its advanced Internet infrastructure and progressively more Internet-dependent economies.

Who is behind cybercrime?

This is another interesting question that people have been asking since the first viruses were seen. According to a BBC interview with Troels Oerting, Head of the European Cybercrime Centre (EC3), there are only around 100 cybercriminal masterminds behind the global cybercrime scene. Despite the small number of these malicious minds, the important thing to remember is that no matter how many people are behind Internet attacks, the impact on you as a user is always considerable. The number of cybercriminals does not necessarily explain the severity or breadth of an attack, which means that people’s information will still be intercepted, personal data compromised and money stolen.

How can we fight cybercrime and what can you do?

There are many ways to help. The most important thing is to stay safe when surfing by using a security solution and following good Internet practices. Here, you may also find interesting information about how to proceed when a company suffers a data breach and information could be compromised.

However, besides protecting yourself from these attacks, awareness is a powerful weapon. Therefore, we think that you can help by informing yourself and by helping to inform others. Remember, everyone could – and should – help spread the word.

We wish you a safer Cyber Security Month!

Monthly Threat Report: September 2014


The Top Ten Threats


1. HTML/Refresh
Previous Ranking: N/A
Percentage Detected: 3.89%

HTML/Refresh is a Trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.


2. Win32/Bundpil
Previous Ranking: 1
Percentage Detected: 2.29%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and the HTTP protocol is used for communication with the C&C to receive new commands. The worm may delete the following folders:



3. JS/Kryptik.I
Previous Ranking: 2
Percentage Detected: 2.03%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.


4. Win32/Adware.MultiPlug
Previous Ranking: 3
Percentage Detected: 1.88%

Win32/Adware.MultiPlug is a Potentially Unwanted Application that, once present on the user’s system, might cause applications to display advertising pop-up windows during Internet browsing.


5. Win32/RiskWare.NetFilter
Previous Ranking: 4
Percentage Detected: 1.52%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infected computers to allow an attacker to remotely connect to the infected system and control it, in order to steal sensitive information or install other malware.


6. LNK/Agent.AK
Previous Ranking: 5
Percentage Detected: 1.46%

LNK/Agent.AK is a shortcut that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. This vulnerability became known at the time of the discovery of Stuxnet, as it was one of four vulnerabilities exploited by Stuxnet variants.


7. Win32/Sality
Previous Ranking: 6
Percentage Detected: 1.36%

Sality is a polymorphic file infector. When executed it starts a service and creates or deletes registry keys related to security applications active on the system, and it ensures that the malicious process restarts at each reboot of the operating system.

It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.

More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah


8. HTML/Iframe
Previous Ranking: N/A
Percentage Detected: 1.34%

Type of infiltration: Virus

HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location hosting malicious software.


9. Win32/Danger.DoubleExtension
Previous Ranking: N/A
Percentage Detected: 1.26%

Win32/Danger.DoubleExtension is the name of a generic detection for files using two or more extensions in the filename (to appear to be a document, picture, etc.) while the real file format is PE32. The last file extension is an executable one.
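As an added example (not ESET’s detection logic), a check for the pattern just described: a filename such as invoice.pdf.exe, optionally padded with spaces before the real extension, whose content is really a PE32 executable. The extension lists and the constructed PE header are assumptions made for this example.

```python
import struct
from typing import Optional

# Extensions a file may carry to pose as a document or picture (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png", "gif"}
# Extensions Windows treats as executable (assumed list).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def is_pe32(head: bytes) -> bool:
    """True if `head` starts with the DOS 'MZ' stub and the 'PE\\0\\0' signature
    is found at the offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", head, 0x3C)[0]
    return head[pe_off:pe_off + 4] == b"PE\0\0"


def classify(filename: str, head: bytes) -> Optional[str]:
    """Return a reason string when the name/content pair matches the
    double-extension pattern, else None."""
    # strip() removes the run of spaces sometimes used to push ".exe" out of view
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 3:
        return None  # needs at least name.decoy.exec
    last, decoys = parts[-1], parts[1:-1]
    if last not in EXEC_EXTS or not any(d in DECOY_EXTS for d in decoys):
        return None
    if not is_pe32(head):
        return None  # a genuine .exe with an odd name is not this pattern
    return "%r poses as .%s but its content is a PE32 executable (.%s)" % (
        filename, decoys[-1], last)


def fake_pe_head() -> bytes:
    """Constructed sample: a DOS header with e_lfanew = 0x40 followed by the
    PE signature. Only the fields is_pe32() reads are filled in."""
    head = bytearray(0x44)
    head[:2] = b"MZ"
    struct.pack_into("<I", head, 0x3C, 0x40)
    head[0x40:0x44] = b"PE\0\0"
    return bytes(head)


if __name__ == "__main__":
    for name, head in (("invoice.pdf.exe", fake_pe_head()),
                       ("holiday.jpg                .scr", fake_pe_head()),
                       ("invoice.pdf.exe", b"%PDF-1.4"),
                       ("setup.exe", fake_pe_head())):
        print(name, "->", classify(name, head))
```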


10. INF/Autorun
Previous Ranking: 7
Percentage Detected: 1.2%

INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.


With Irish tax return deadline advertised, scammers are stepping up their efforts


ESET Ireland finds more elaborate Irish Tax and Customs faked emails targeting Irish mailboxes with “tax refund” phishing.

ESET Ireland has seen a steady increase of Revenue-related phishing scams in Irish mailboxes over time. The latest one has been around since last weekend and is cleverly constructed.

It appears to come from an email address refund@revenue.ie, which appears legitimate although it is faked and lures potential victims with the following:

Dear Applicant,

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive tax refund.
To access your tax refund, please download and fill the Tax Refund Form attached to this email – open it in a browser (recommended mozilla firefox or google chrome)

Please submit the tax refund request and allow us 2-5 days in order to process it.
A refund can be delayed for a variety of reasons. As example, for submitting invalid records or applying over the deadline.

If you find this email in Bulk, Spam or Junk please move it to your inbox as not to jeopardize the future our communication with you. It is essential to receive all emails from us to be in touch.

Anthony Poole.
Irish Revenue Credit Office

Copyright 2014, IRISH Revenue & Customs. All rights reserved.

Below that it offers a form to be filled with ALL personal and banking details, saying “Please enter your Personal Information and a valid Credit / Debit Card where you want the refund to be made.”


Needless to say, things will happen to victims’ accounts if they do this, but “receiving a refund” will NOT be one of those things.

Irish Revenue warns of these scams on their website: “If you receive an email purporting to be from Revenue and you suspect it to be fraudulent or a scam please forward it to webmaster@revenue.ie. Alternatively, you can contact your tax district to check the status of any refund that may be due.” They also point out that “Revenue will never send emails which require customers to send personal information via email or pop-up windows.”

Sednit espionage group now using custom exploit kit

For at least five years the Sednit group has been relentlessly attacking various institutions, most notably in Eastern Europe. The group used several advanced pieces of malware for these targeted attacks, in particular the one we named Win32/Sednit, also known as Sofacy.

We recently came across cases of legitimate financial websites being redirected to a custom exploit kit. Based on our research and on some information provided by the Google Security Team, we were able to establish that it is used by the Sednit group. This is a new strategy for this group, which has relied mostly on spear-phishing emails up until now.

In this blog, we will first examine recent cases of spear-phishing emails using the CVE-2014-1761 Microsoft Word exploit. We will then focus on the exploit kit, which appears to still be in its development and testing phase, and briefly describe the actual payload.

From Spear-Phishing Emails…

Back in April 2014, the Win32/Sednit malware was being delivered through a 0-day vulnerability in Microsoft Word RTF documents, CVE-2014-1761. It was amongst a small number of malware families being delivered through this vulnerability, like BlackEnergy and MiniDuke, which are also used for targeted attacks.

Here are two decoy documents shown to the victims while the vulnerability was silently exploited on their computer. Both of these documents present NATO views on the Ukrainian conflict.


…to custom Exploit Kit

We observed redirections to the exploit kit from websites belonging to a large financial institution in Poland. The exploit kit is loaded through a simple IFRAME that is added near the end of the HTML document; for example hXXp://defenceiq.us/2rfKZL_BGwEQ in the screenshot below. We can also see a very similar looking IFRAME loading the URL hXXp://cntt.akcdndata.com/gpw?file=stat.js, whose domain name was registered on September 18th. We were not able to retrieve the content of this page but we suspect that its purpose is to collect statistics about the number of redirections.
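The injection described above, an IFRAME to an off-site domain appended near the end of an otherwise legitimate page, is the same pattern the HTML/Iframe and HTML/Refresh detections in the threat report cover. As an added example (not ESET’s detection logic), here is a webmaster-side scan that flags off-site IFRAMEs and meta-refresh redirects in a page and notes when they sit in the trailing part of the document or are hidden; the sample page, the site host bank.example and the 20% tail threshold are constructed for this example, and the injected URL is the defanged one quoted above.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

HIDDEN_STYLES = ("display:none", "visibility:hidden")


class _TagCollector(HTMLParser):
    """Collect IFRAME and meta-refresh tags with their character offsets."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Dict[str, object]] = []
        self._line_starts = [0]

    def feed(self, data: str) -> None:
        # Record line starts so getpos() can be turned into an absolute offset.
        for i, ch in enumerate(data):
            if ch == "\n":
                self._line_starts.append(i + 1)
        super().feed(data)

    def _offset(self) -> int:
        line, col = self.getpos()
        return self._line_starts[line - 1] + col

    def handle_starttag(self, tag, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (any(s in style for s in HIDDEN_STYLES)
                      or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
            self.tags.append({"kind": "iframe", "url": a["src"],
                              "offset": self._offset(), "hidden": hidden})
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content="0;url=http://..." is the HTML/Refresh pattern
            for part in a.get("content", "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    self.tags.append({"kind": "meta-refresh", "url": part[4:].strip("'\" "),
                                      "offset": self._offset(), "hidden": False})


def scan_html(html: str, site_host: str, tail_fraction: float = 0.2) -> List[Dict[str, object]]:
    """Return off-site IFRAMEs/refreshes in `html`, each with the reasons it was flagged."""
    collector = _TagCollector()
    collector.feed(html)
    collector.close()
    tail_start = int(len(html) * (1 - tail_fraction))
    findings = []
    for t in collector.tags:
        host = urlparse(str(t["url"])).hostname or site_host  # relative URL = same site
        if host.lower() == site_host.lower():
            continue
        reasons = ["off-site %s to %s" % (t["kind"], host)]
        if int(t["offset"]) >= tail_start:
            reasons.append("placed in the last %d%% of the document" % round(tail_fraction * 100))
        if t["hidden"]:
            reasons.append("hidden or zero-sized")
        findings.append({"url": t["url"], "reasons": reasons})
    return findings


# Constructed sample page: legitimate content, a same-site IFRAME, and an
# injected off-site IFRAME appended after </body>, as in the Sedkit case.
_HEAD = "<html><head><title>Bank login</title></head>\n<body>\n<h1>Welcome</h1>\n"
_BODY = "".join("<p>Legitimate paragraph %d of the bank's page.</p>\n" % i for i in range(1, 7))
_LEGIT = '<iframe src="/widgets/rates.html" width="300" height="200"></iframe>\n</body>\n'
_INJECTED = '<iframe src="hxxp://defenceiq.us/2rfKZL_BGwEQ" width="1" height="1"></iframe>\n</html>\n'
SAMPLE_PAGE = _HEAD + _BODY + _LEGIT + _INJECTED

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "bank.example"):
        print(finding)
```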

When directly visiting the URL hXXp://defenceiq.us, we were redirected to defenceiq.com, a legitimate website that describes itself as “an authoritative news source for high quality and exclusive commentary and analysis on global defense and military-related topics”.


The domain defenceiq.us was found to resolve to a single IP address. Other suspicious domains also resolved to this IP address and displayed the same redirection behavior when visited, which is a strong indication of the sectors the group is currently targeting. The redirection from Polish financial websites to a defense-related domain name seems less than optimal for a targeted attack and was probably due to the mixing of two ongoing campaigns.

Exploit kit domain   Redirects to         Website content
defenceiq.us         defenceiq.us         Military news
armypress.org        armytime.com         Military news
mfapress.org         foreignaffairs.com   Foreign Affairs magazine
mfapress.com         foreignaffairs.com   Foreign Affairs magazine
cacitld.com          caci.com             CACI International, defense & cyber security contractor

The exploit kit, which we named Sedkit as a reference to Sednit, behaves in a similar fashion to others commonly used today, such as the Angler or Nuclear exploit kits. A sample exploitation chain is shown below. The browser is first sent to the landing page which uses JavaScript to detect the browser and installed plugin versions.

Interestingly, we can see that the call to DetectJavaForMSIE() is commented out. This follows the current trend in exploit kits of not targeting Java, because recent versions of Java and of browsers display warnings before loading applets. At the moment only Internet Explorer seems to be targeted: when we tested with Chrome and Firefox we were always redirected to localhost.


The browser then sends back the plugin information via a POST request. Based on this information, the exploit kit redirects the browser either to another URL containing an exploit, or to http://localhost. The kit only attempts one exploit per visit.

We recovered 3 different exploits used by the kit, all targeting Internet Explorer. They are listed below, with the specific version of IE each one targets. Interestingly, CVE-2014-1776 has not yet been seen in any popular exploit kits, and the other two have also seen only limited adoption.

CVE             Targeted IE version    Microsoft Security Bulletin
CVE-2013-1347   Internet Explorer 8    MS13-038
CVE-2013-3897   Internet Explorer 8    MS13-080
CVE-2014-1776   Internet Explorer 11   MS14-021

However other aspects of the kit lack refinement. Unlike most contemporary exploit kits, it does not use JavaScript obfuscation. We even found comments in the JavaScript code related to the exploits’ ROP chains. This leads us to believe that the kit is still in its testing phase.



When uncompressing the Flash file used for the CVE-2014-1776 exploit, a path is visible. This information is not found in previous samples of this exploit in our collection.


Upon successful exploitation the payload is downloaded; whether it is encrypted depends on the exploit.


The binary deployed on the infected machine is named “runrun.exe”. Its sole purpose is to deploy a second program – initially encrypted and compressed — on the machine and ensure its persistence on the system. The second program is a Windows library named “splm.dll”. According to our data, this malware has been employed in targeted attacks since at least 2009.

Roughly summarized, this payload has been created with a C++ framework. Thanks to the Run-Time Type Information (RTTI), a part of the program architecture can be reconstructed with the names chosen by the programmer. The malware contains agent modules implementing malicious activities, and channels for communications between modules and remote controllers. In this sample, we found the following agent modules, identified by a 16-bit ID:

Module name                 ID       Purpose
AgentKernal                 0x0002   Execution manager
ModuleRemoteKeyLogger       0x1002   Keystroke logging
ModuleFileSystem            0x1102   File system accesses
ProcessRetranslatorModule   0x1302   Provides communication means

It also instantiates one external communication channel named WinHttp, which decrypts three domain names used as command and control: msonlinelive.com, windows-updater.com and azureon-line.com.


In recent years, exploit kits have become a major method employed to spread crimeware, malware intended for mass-scale distribution to facilitate financial fraud and abuse of computing resources for purposes such as sending spam, bitcoin mining, credentials harvesting etc.

Since 2012, we have observed this strategy being used for espionage purposes in what has become known as “watering-hole attacks” or “strategic web compromises”. A watering-hole attack can be described as redirecting traffic from websites likely to be visited by members of the specific organization or industry being targeted. In ESET’s retrospective on Windows exploitation in 2013, Artem Baranov wrote “the past year can rightly be called the year of targeted attacks and watering hole attacks”.

While many instances of watering-hole attacks have been documented for related actors, such as those noted by Symantec in their Elderwood Project report, we are now seeing this strategy being adopted by another group, and it seems likely that others will follow.

Indicators of compromise

Here are some indicators that could help to identify the payload sample dropped by the exploit kit described in this blog post:

  • Presence of the CLSID {d702b440-b130-47f7-a94c-c1fae33d2820} under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • Mutex named “XSQWERSystemCriticalSection_for_1232321”
  • Mailslot named “\\.\mailslot\check_mes_v5555”
  • Files in temporary folder (as returned by GetTempPath()) named “edg6EF885E2.tmp” and “edg6E85F98675.tmp”
  • Network communications with the domains named msonlinelive.com, windows-updater.com, or azureon-line.com


SHA-1                                      Description    Detection name
86092636E7FFA22481CA89AC1B023C32C56B24CF   Word exploit   Win32/Exploit.CVE-2014-1761.D
12223F098BA3088379EC1DC59440C662752DDAB    Word exploit   Win32/Exploit.CVE-2014-1761.D
D61EE0B0D4ED95F3300735C81740A21B8BEEF337   Dropper        Win32/Agent.WLF
D0DB619A7A160949528D46D20FC0151BF9775C32   Payload        Win32/Agent.WLF

by ESET Research

Google faced with $100m legal action over naked celebrity photos

Google is facing a threat of expensive legal action over the recent leaked naked celebrity photographs, according to IT Pro. The basis for the legal threat is built on the idea that the search giant didn’t do enough to prevent people seeing the photographs after the initial leak.

The Telegraph reports that “the company allegedly failed to remove the images from its search results.” It also notes that “many of the stolen images are still on Google sites BlogSpot and YouTube, despite Lavely & Singer sending a notice to have them removed four weeks ago.”

The letter from the law firm representing a group of 12 unnamed celebrities, obtained by the New York Post states that “Google knows that the images are hacked stolen property, private and confidential photos and videos unlawfully obtained and posted by pervert predators who are violating the victims’ privacy rights and basic human decency by stealing and displaying confidential private photos and videos.”

The letter suggests that while websites such as Twitter acted quickly to remove references to the pictures, Google has been far less proactive. The Register quotes the letter as stating the lawsuit “‘could well exceed’ $100 million” if Google fails to comply and remove the remaining remnants of the stolen photographs from its search results.

Speaking to The Register, a Google spokesperson responded by stating that the company had been anything but complacent in dealing with the hack: “We’ve removed tens of thousands of pictures – within hours of the requests being made – and we have closed hundreds of accounts.”

In a blog post on the subject of the stolen photographs, ESET’s Stephen Cobb stated that it is important to ensure that blame is attributed where it is really deserved: with the criminals themselves. “Let’s put some of that anger and outrage into lobbying our government to take more decisive action against cybercrime and the people who perpetrate it,” he wrote.

Ken Wolter / Shutterstock.com

FBI Director “very concerned” with smartphone encryption

With Apple, Google and other tech companies responding to users’ demands for privacy with further smartphone encryption options, not everyone is happy. FBI Director James Comey is “very concerned” about increased mobile OS encryption, according to TechSpot.

In a statement reported by The Huffington Post, Comey stated that while he understood the need for privacy, the added encryption and security added by tech giants could be a severe barrier to government access to devices in extreme circumstances – such as preventing an expected terror attack. “I am a huge believer in the rule of law, but I also believe that no one in this country is beyond the law. What concerns me about this is companies marketing something expressly to allow people to place themselves beyond the law,” he told reporters in Washington last week.

The statement comes off the back of both Apple and Android marketing devices based on their increased smartphone encryption options, as the public is increasingly concerned by what happens to their data in an increasingly connected world. Indeed, Wired states that both companies have promised that the newest versions of their software make it impossible for them to unlock encrypted phones, even when compelled to do so by government. But Comey believes that the balance of privacy and public safety is going too far the other way:

“I like and believe very much that we should have to obtain a warrant from an independent judge to be able to take the content of anyone’s closet or their smartphone. The notion that someone would market a closet that could never be opened – even if it involves a case involving a child kidnapper and a court order – to me that does not make any sense.”

Despite the assurances that devices are increasingly security-focused, it’s important to remember that even the most ‘secure’ device can have its vulnerabilities, as the privacy-focused Blackphone discovered when it was hacked in just five minutes at the DEF CON security conference last month.

by We Live Security, ESET
