Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/17/2013
11:20 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Magic' Malware Uses Custom Protocol And A 'Magic Code' Handshake

Researchers spot a nearly year-long attack campaign that employs some special tricks

Newly discovered malware that has been targeting thousands of businesses -- mostly in the financial, education, and telecom industries in the U.K. -- for almost a year employs its own custom protocol and a "magic code" to communicate with a victim's machine.

Aviv Raff, CTO at Seculert, says the attackers behind the campaign are gathering data from the infected businesses and are constantly adding new features to what appears to be a work in progress and unusual malware family.

"We currently only have visibility to the current phase of the campaign. I believe that, at the end, the attackers will sell the collected information, or provide access to selected targets, as part of an industrial espionage operation," Raff says. "Previous similar operations ended up with a wiper module being downloaded to cover their tracks. This might also be the case here."

The malware uses what it calls "magic code" for authenticating the infected machine. "Without this 'magic code,' the server will not reveal the command intended for victim," Raff says.

It also communicates with the infected machines via a custom-made protocol rather than the standard HTTP for command-and-control. The start of the conversation between the server and the infected machine is the specific code, dubbed "magic code" by the attackers. Seculert discovered the command-and-control server responding to the malware via the custom protocol to add a new backdoor: Username: WINDOWS, Password: MyPass1234. That gives the attacker remote access to the victim's machine.

Raff says it's still unclear who is behind it. But given that the malware appears to still be under development, more information on the intent of the attacks should emerge. "This campaign is using a custom-made malware and has gone undetected for almost a year now, targeting businesses. The attackers are collecting data from the targeted entities, and keep adding features, which will eventually reveal their real intent behind this campaign," he says.

The full blog post from Seculert's Raff, complete with screenshots and code snippets, is here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CSMITH1350
50%
50%
CSMITH1350,
User Rank: Apprentice
4/18/2013 | 6:27:04 PM
re: 'Magic' Malware Uses Custom Protocol And A 'Magic Code' Handshake


Courtland from OpenDNS here. According to our product team, the "magic code" is simply a custom authentication added, which is something that was mentioned in our role of DNS in C&C whitepaper. Its especially important with distributed peer-to-peer botnet topologies so that authorities can't hijack the command infrastructure.- This may be how this botnet is operating. For additional reading on the topic, check out the whitepaper, The Role of DNS in botnet Command and Control: http://info.umbrella.com/rs/op...
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.