Defending one’s own resources against malicious software is daily business for information security professionals. Usually you deploy a range of measures and try to minimise the risk. It may or may not work, depending on whether you have to fear the mysterious Advanced Persistent Threat (APT). APTs are highly targeted, very stealthy and can greatly impact your security in terms of damage and level of compromise. Their stealth makes them hard to detect and hard to counter. Tom Ueltschi from the Swiss Post has gained experience with this kind of attack. This is why he will share his insights at DeepSec 2013. His talk is titled My Name Is Hunter, Ponmocup Hunter.
Ponmocup is a strain of malicious software which forms its own botnet. It is known by a couple of names, depending on the date of discovery. Tom tells the story from a single anti-virus event to the full-blown analysis of the Command & Control (C&C) mechanisms along with the underlying botnet. The first chapter begins in 2011, when several host- and network-based indicators of intrusion were found. After several infections within the company were found, countermeasures were implemented. The anti-virus detection names for this particular malware vary greatly, and there may be as little as one registry key in common as an indicator across all infected hosts. Over time the infection and C&C domains, IP addresses and URL patterns changed to avoid detection. Defence against ongoing attacks involves the sink-holing of communication transmissions, i.e. the blocking of C&C messages. In late 2012 an “anti-sinkholing technique” was introduced in the way the malware uses its C&C domains. Just recently Tom discovered how this technique can be overcome to allow sink-holing of botnet domains again.
The case is a very good example of how malicious activity can be detected and analysed, and how you can derive defensive actions against invading malware. If you are responsible for your organisation’s network defences, you should definitely take a look at his presentation.