There are two sayings, two sides of the same coin, that are relevant to this blog post: “The cobbler's children always go barefoot …” and “eating your own dog food.” The good news is that because we were eating our own dog food (and hence not going barefoot) we may have literally avoided a notable monetary loss that could have left us figuratively barefoot and eating dog food …
As you are likely all too aware, there are a number of variants of credential-stealing malware that steal banking credentials with the intent of emptying your bank account. Several weeks back we dodged a bullet when one of our internal machines hit a web server known to propagate malware and then began communicating with several known Zeus “command and control” servers.
Fortunately, we were eating our own dog food and piloting a new extension to our OSCAR security event monitoring solution. What this extension does, in short, is look at your firewall logs in real time and send an email alert if it detects communication with known malware propagation and/or command and control servers. As an information assurance firm, we like to think that we run a pretty tight ship – so we were a bit surprised when we got the email.
The first thing we did was to isolate the machine on a non-trusted LAN segment.
The email linked directly to the concerning events (highlighted below). Tracing the event, you can see that one of our desktops was maliciously redirected by 126.96.36.199. Approximately 25 minutes later that same host began communicating with 188.8.131.52.
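The kind of check the OSCAR extension performs, as an added example that is not the product's or the post's own code: it matches firewall log lines against an indicator list and flags a host whose redirect is followed by a C2 contact within a time window, as in the timeline above. The log line format, the internal host addresses and the role labels are constructed assumptions; the two indicator addresses are the ones named in the post.

```python
import re
from datetime import datetime, timedelta

# Indicator list keyed by destination address. The two addresses are the ones
# named in the post; the role labels are an assumption for this example.
INDICATORS = {
    "126.96.36.199": "malware propagation (malicious redirect)",
    "188.8.131.52": "Zeus command and control",
}

# Constructed sample log in a simplified "timestamp action src dst port" format;
# real firewall export formats differ, so adjust LINE_RE for your own logs.
SAMPLE_LOG = """\
2011-03-01 09:00:12 ALLOW 10.0.0.23 93.184.216.34 443
2011-03-01 09:02:41 ALLOW 10.0.0.23 126.96.36.199 80
2011-03-01 09:10:05 ALLOW 10.0.0.41 93.184.216.34 80
2011-03-01 09:27:58 ALLOW 10.0.0.23 188.8.131.52 80
2011-03-01 09:30:00 ALLOW 10.0.0.41 10.0.0.5 445
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<src>[\d.]+) "
                     r"(?P<dst>[\d.]+) (?P<port>\d+)$")


def parse_line(line):
    # Returns a dict for a well-formed line, None for anything else.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["port"] = int(rec["port"])
    return rec


def find_hits(log_text, indicators=INDICATORS):
    """One alert record per connection whose destination is a listed indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in indicators:
            hits.append({**rec, "reason": indicators[rec["dst"]]})
    return hits


def correlate(hits, window=timedelta(minutes=60)):
    """Per internal host, flag a first indicator hit (the redirect) followed by a
    later one (the C2 contact) within the window: (src, first_dst, last_dst, delta)."""
    by_host = {}
    for h in sorted(hits, key=lambda h: h["ts"]):
        by_host.setdefault(h["src"], []).append(h)
    return [(src, hs[0]["dst"], hs[-1]["dst"], hs[-1]["ts"] - hs[0]["ts"])
            for src, hs in by_host.items()
            if len(hs) > 1 and hs[-1]["ts"] - hs[0]["ts"] <= window]
```

Each record returned by `find_hits` is what the email alert would carry; `correlate` is the escalation step, since a redirect alone is noise but a redirect followed by C2 traffic from the same host is not.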
At first we were not overly worried when we realized that the redirected desktop was one of our Macs, as Zeus is known to target Windows.
But a quick Google search left us disappointed in our level of Zeus awareness, and a little more concerned.
We logged in to a number of prominent banking sites (using fake user names and passwords) and monitored our outbound logs. Interestingly, on multiple occasions we saw “shadow traffic” outbound on port 80 to some suspicious locations. At this point we had to make a decision – fire up a sniffer and dig in a little further, or clean this up and get back to work? The official story line is that we chose the latter.
Fortunately, remediation was relatively straightforward. Just to be sure, we tightened up the Mac firewall running on that box (Little Snitch), kept that host on an isolated LAN segment for a while, and continued to let OSCAR observe traffic until we were confident that we were all clear.
As a side note – we were never really at any notable risk, as we do not do any Internet banking on Windows or Mac systems. We have a single, locally firewalled Ubuntu machine that has no inbound network access and is only allowed outbound access to two HTTPS banking URLs.