Showing posts with label Polymorphic Malware. Show all posts

What Hit OPM? What We Know So Far

Paul Shomo

It’s been almost a month since the OPM breach, and there has been much speculation, along with leaks pointing to details of the attack. Here is a recap of the information released so far:

June 4, 2015 - OPM announces they’ve been breached.

June 8, 2015 - Guidance Software announces that EnCase® was used in OPM’s investigation. I am quoted by SC Magazine, hinting that the PlugX Remote Access Trojan (RAT) was utilized by OPM’s attackers. 

The OPM Hack: I Smell a RAT

Paul Shomo

In the wake of the OPM hack, where reports suggest that millions of security clearance records headed directly to Chinese intelligence units, let’s talk about remote administration tools (RATs). These tools are commonly used in this type of attack, so we'll walk through a common methodology for identifying unknown RATs.

In the broadest sense, RATs are used to remotely access and control computers. System administrators often use these tools for good, but black hats develop specialized RATs that infect, hide, and act as back doors.

Malicious RATs like PlugX, Gh0st, Korplug, Gulpix, Sogu, Thoper, and Destory (several of these are alternate vendor names for the PlugX family) can be rebuilt as zero day variants: freshly generated builds for which no signature yet exists, so signature-based detection misses them. The Gh0st RAT builder user interface (UI), shown below, gives some insight into how easily an attacker can generate such a variant to infect sensitive machines. Once a machine is infected, command-and-control can be established from anywhere on the internet, with traffic proxied through intermediate servers to hide the identity of the true perpetrator.

EnCase and Entropy: Foiling Polymorphic Malware with Thermodynamics

Alfred Chung

You’ve seen it in a dozen movies: a character commits a crime, is ID’ed on security camera footage, then dyes her hair to alter her appearance in hopes of evading capture. The m.o. is the same for polymorphic malware—malicious software that’s constantly evolving or changing in order to evade signature detection or blacklisting solutions. Although it’s not a new addition to the hacker’s arsenal, the use of polymorphic malware has lately become a favorite and highly dangerous tactic of organized cyber crime groups.

Black hats know that, if you change code enough, it becomes unrecognizable to intrusion prevention systems that rely on code “signatures” or hashes: a single changed byte yields a completely different hash, so every repacked variant arrives as a fresh unknown. This is why we created and patented the Entropy Near-Match Analyzer—part of EnCase Cybersecurity—a few years back: to help incident responders find polymorphic variants of binaries based on a different type of measurement, the statistical entropy of a binary’s contents rather than its exact bytes.
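To make the contrast between hash matching and entropy-based near matching concrete, here is an added, self-contained example. It is not Guidance Software’s Entropy Near-Match Analyzer nor its patented algorithm; it is a simple block-entropy profile written for this page. The three “binaries” are constructed in the script (a sparse header, a uniformly random region standing in for an encrypted payload, zero padding), the 256-byte block size, the 0.5 bits/byte near-match cut-off and the 6.5 bits/byte “looks packed” cut-off are all assumptions chosen for the illustration.

```python
import hashlib
import math
import random
from collections import Counter

BLOCK_SIZE = 256            # bytes per entropy sample (assumed)
NEAR_MATCH_THRESHOLD = 0.5  # mean bits/byte difference treated as "near match" (assumed)
PACKED_THRESHOLD = 6.5      # bits/byte above which a block looks encrypted/compressed (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty or
    single-valued data, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    h = 0.0
    for count in Counter(data).values():
        p = count / n
        h -= p * math.log2(p)
    return h


def entropy_profile(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each fixed-size block, in file order. Changing a few bytes
    barely moves any block's value, whereas it changes a hash completely."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def profile_distance(a: list, b: list) -> float:
    """Mean absolute difference between two profiles, block by block.
    When one profile is shorter, its missing blocks are treated as empty (0.0)."""
    n = max(len(a), len(b))
    if n == 0:
        return 0.0
    total = 0.0
    for i in range(n):
        ea = a[i] if i < len(a) else 0.0
        eb = b[i] if i < len(b) else 0.0
        total += abs(ea - eb)
    return total / n


def high_entropy_blocks(profile: list, threshold: float = PACKED_THRESHOLD) -> list:
    """Indices of blocks that look packed or encrypted."""
    return [i for i, h in enumerate(profile) if h >= threshold]


def compare(a: bytes, b: bytes) -> dict:
    """Exact-hash match (what a blacklist checks) next to the entropy distance."""
    return {
        "sha256_match": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "entropy_distance": profile_distance(entropy_profile(a), entropy_profile(b)),
    }


def is_near_match(a: bytes, b: bytes, threshold: float = NEAR_MATCH_THRESHOLD) -> bool:
    return compare(a, b)["entropy_distance"] < threshold


def build_sample(seed: int, build_tag: bytes) -> bytes:
    """Constructed stand-in for a packed executable (not a real PE): a sparse
    512-byte header, a 4 KiB uniformly random region standing in for the
    encrypted payload, then 1 KiB of zero padding. Re-encrypting the payload
    with a new key is modelled by changing the seed."""
    rng = random.Random(seed)
    header = (b"MZ" + build_tag).ljust(512, b"\x00")
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    padding = b"\x00" * 1024
    return header + payload + padding


SAMPLE = build_sample(seed=1, build_tag=b"build-0001")    # constructed known-bad binary
VARIANT = build_sample(seed=2, build_tag=b"build-0002")   # constructed re-packed variant
UNRELATED = (b"The quick brown fox jumps over the lazy dog. " * 130)[:len(SAMPLE)]  # constructed benign text


if __name__ == "__main__":
    for name, other in (("variant", VARIANT), ("unrelated", UNRELATED)):
        r = compare(SAMPLE, other)
        print(f"{name:9s} sha256 match={r['sha256_match']} "
              f"entropy distance={r['entropy_distance']:.3f} "
              f"near match={is_near_match(SAMPLE, other)}")
    print("packed blocks in sample:", high_entropy_blocks(entropy_profile(SAMPLE)))
```

Run as a script, the variant’s SHA-256 differs from the original’s, yet its block-entropy profile sits within a few hundredths of a bit per byte of it, while the plain-text file is several bits away; the packed region shows up as the run of blocks at or above the packed threshold. The caveat a responder should keep in mind: entropy similarity is a triage signal, not an identification. Any packed or encrypted file of similar layout will also have a high-entropy middle, so a near match should send the file to deeper analysis (unpacking, string and import comparison) rather than be treated as proof of the same family.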