|AlienVault warns on new Sykipot malware campaign using drive-by download strategies|
|Written by NStinchcombe|
|Tuesday, 03 July 2012 14:48|
Leading security researcher Jamie Blasco with AlienVault has spotted a new version of the evolving Sykipot malware, this time tapping into the power of drive-by downloads.
In January of this year, Jamie and his team found evidence of Chinese-originated attacks against US government agencies - including the US Department of Defense (DoD) and which used a new strain of the Sykipot malware to compromise DoD smart cards.
Whilst one of the original versions of Sykipot was a trojan horse application that opened a backdoor into the infected PCs, he reports that this latest variant builds on a previous iteration of the malware that was able to bypass two-factor authentication and so access protected resources on the victim's network.
The researcher with AlienVault - the Unified Security Information and Event Management (SIEM) solutions specialist - says that, where earlier versions of Sykipot mainly used file-format exploits to gain access to the systems using a spear phishing email campaign, the use of drive-by downloads is a fascinating step forward for the malware.
"This time it seems they are mainly using drive-by-download exploits like CVE-2011-0611 affecting Flash Player or the new Windows XML Core zero-day vulnerability," he says, adding that, instead of attaching malicious files on emails, the cybercriminals are targeting messages at the victims with a malicious link.
Once the victim clicks on the link, he notes, the malicious server tries to exploit a vulnerability on the user's browser.
Whilst the drive-by approach is different, Jamie says that the hacking methodology behind these latest Sykipot attacks seems to be the same as in the past - the cybercriminals hack US-based servers and then install software to serve up the malicious content, or simply redirect the connections to a remote server.
Again, as before, he reports that the malware code is using Secure Sockets Layer (SSL) protocols to communicate with the remote command-and-control server - once executed, the malware tries to get a configuration file from the remote server.
"On the older versions [of Sykipot] they used an underlying encryption using the XOR key "19990817? for the config files. The XOR obfuscation has been removed and in the new versions a simple byte subtraction routine is used," he reports.
Interestingly, Jamie says that the new configuration format is notable for supporting several commands - and whilst most of the previous names have changed, once the malware downloads the config file it executes the relevant instructions.
It then, he adds, saves the resultant data, which it then obfuscates using a subtraction routine, piping the data to the remote command-and-control server.
The main domain names used by this new version of Sykipot, he notes, include:
"Most of the domains have been registered during the last month and they have used the mail address jimgreen200088 [at] yahoo.com to register most of them," he says, adding that the Netbox Webserver used in previous campaigns is also present in most of the command-and-control servers .
For more on AlienVault: http://www.alienvault.com
For more on the latest Sykipot campaign see Jamie's blog: http://bit.ly/MRIVTh