OPERATION XXXX
DETECT, DIAGNOSE, RESPOND
Jan 27, 2010
Cyber Espionage is a critical issue. Over 80% of intellectual property is stored
online digitally. The computing infrastructure in a typical Enterprise is more
vulnerable to attack than ever before. Current security solutions are proving
ineffective at stopping cyber espionage. Malware is the single greatest problem
in computer security today. Yet, malware represents only the tip of the spear.
The true threat is the human being who is operating the malware. This human,
or the organization he represents, is the true threat that is targeting information
for the purposes of financial gain, theft of state secrets, and theft of intellectual
property. True threat intelligence requires reaching beyond malware infections
to identify the individuals, country of origin, and intent of the attacker.
THREAT SUMMARY
The XXXX malware operation was identified by HBGary XXXX. This malware
operation has been associated with potential intellectual property theft including
XXX. HBGary continues to track this threat, and will provide updates as new
facts emerge.
KEY FINDINGS
Evidence collected around the malware operation suggests that Operation XXX
originates from XXX. The primary intent of the attack is XXX.
Aspect       Description
Target       The operation is targeting US Defense Contractors.
Origin       The malware was developed in native Chinese language, and the
             operation is designed for Chinese users, indicating the entire
             operation is Chinese.
Developers   Forensic toolmarks can be traced to at least XXX distinct developers.
             The malware has been in development for XX years. It has been
             updated several times.
Operators    A social space exists where users obtain technical support. This
             space exists in native Chinese language and is hosted in China.
Intent       The primary intent is the theft of intellectual property.
Comms        Communication is encrypted over HTTP, port 80, obfuscated within
             legitimate-looking HTTP requests.
SOURCE: Fictitious data, for illustration purposes only
ATTRIBUTION
Forensic toolmarks left in the payload packages can be traced to Chinese-language
only sources. The Palantir screenshot XXX illustrates a subset of the data being
tracked by HBGary.
Fill in more XXXX.
Forensic toolmarks XXX. Lorem ipsum dolor sit amet, natoque
felis sollicitudin ante iaculis. Nec et id sociosqu. Sit erat quam
sodales, duis et, rhoncus id dolor risus a urna. Tincidunt ac vel
amet orci penatibus amet, voluptas elit etiam eget integer ante
arcu, urna magna ligula.
FIGURE 1 - KLJHKJH LKJH JLK HJKLLK J HLKJL
Toolmark         Description
/xxxx/xxxx/x/x   Key logging file
DETECT
This section of the report details how you can detect Operation XXX in your
Enterprise. The exploit and payload methods XXXXX The attack consists of four
components:
Javascript based exploit vector
Shellcode component
Secondary payload server
Payload packages
JAVASCRIPT
The JavaScript-based attack vector was published in the public domain in XXX. With medium technical
skills, it is possible for an attacker to rewrite key components of this JavaScript; most importantly, it
can be customized to point at any secondary payload server of the attacker's choosing.
JavaScript Exploit Vector
XXX XXX XXX XXX
PAYLOAD
The shellcode XXX. The payload server XXXX. The secondary payload server exists to serve a primary
and secondary payload executable. The primary executable is downloaded first, and this subsequently
will download one or more secondary payloads. These secondary payloads represent potential advanced
persistent threats (APT). Markers for APT. How can you tell the difference?
Known Payload Servers    URL Pattern
www.qvodcom1.com
The payload package obtained from www.qvodcom1.com is clearly an instance of a Chinese developed
malware package known as 'NB' (Netbot Attacker).
COMMAND AND CONTROL
Command and control packets are encrypted over port XX. The packets can be decrypted using an XOR
byte XXX.
Known C&C Server    Packet Pattern Blocks
homeunix.com        00 ?? 00 00 ?? 00 00 00 00 ?? 00 00
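Added example, not code from the HBGary report: a wildcard byte-pattern matcher of the kind a perimeter sensor would apply to this C&C traffic. The 12-byte pattern is the one in the table above; the XOR key (elided in the report) and the sample packets are constructed for illustration.

```python
# Added example, not from the HBGary report. CC_PATTERN is the 12-byte pattern from the
# table above; ASSUMED_XOR_KEY and SAMPLE_PACKETS are constructed (the report elides the key).
from typing import List, Optional, Tuple

CC_PATTERN = "00 ?? 00 00 ?? 00 00 00 00 ?? 00 00"   # from the report; ?? matches any byte
ASSUMED_XOR_KEY = 0x37                              # assumption: real key not given on the page

def parse_pattern(text: str) -> List[Optional[int]]:
    """'00 ?? 01' -> [0, None, 1]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def find_pattern(data: bytes, pattern: List[Optional[int]]) -> int:
    """Offset of the first match of pattern anywhere in data, or -1 if absent."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1

def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the scheme the report says the C&C packets use."""
    return bytes(b ^ key for b in data)

def scan_packets(packets: List[bytes], key: int) -> List[Tuple[int, int, bytes]]:
    """For each packet carrying the header pattern, return (index, offset, decoded body).
    The body is assumed to be the bytes that follow the 12-byte header."""
    pattern = parse_pattern(CC_PATTERN)
    hits = []
    for idx, pkt in enumerate(packets):
        off = find_pattern(pkt, pattern)
        if off >= 0:
            hits.append((idx, off, xor_decode(pkt[off + len(pattern):], key)))
    return hits

# constructed sample traffic: a beacon, a near-miss (last header byte differs, so it must
# NOT be reported), and a beacon whose header sits after 4 bytes of leading data
_HDR = bytes.fromhex("000100000200000000030000")
SAMPLE_PACKETS = [
    _HDR + xor_decode(b"beacon:host1", ASSUMED_XOR_KEY),
    _HDR[:-1] + b"\x01" + xor_decode(b"beacon:host2", ASSUMED_XOR_KEY),
    bytes.fromhex("deadbeef") + _HDR + xor_decode(b"cmd:list", ASSUMED_XOR_KEY),
]

if __name__ == "__main__":
    for idx, off, body in scan_packets(SAMPLE_PACKETS, ASSUMED_XOR_KEY):
        print(f"packet {idx}: C&C header at offset {off}, body {body!r}")
```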
REGISTRY AND FILE
Infected machines will have the following file and registry patterns.
Path             Purpose
/xxxx/xxxx/x/x   Key logging file
DIAGNOSE
Forensic toolmarks left in the payload packages can be traced to XXX. This indicates that the actors
responsible for compiling the malware package were, in fact, of Chinese origin.
HOW THE MALWARE WORKS
The primary control logic can be found in module XXXX. This module has been written in
XXXLanguage, and public source intelligence reveals algorithms and methods that are only available on
Chinese language forums. The primary payload XX Lorem ipsum dolor sit amet, natoque felis
sollicitudin ante iaculis. Nec et id sociosqu. Sit erat quam sodales, duis et, rhoncus id dolor risus a urna.
Tincidunt ac vel amet orci penatibus amet, voluptas elit etiam eget integer ante arcu, urna magna ligula.
HOW TO DETECT WHAT IS BEING STOLEN
Lorem ipsum dolor sit amet, natoque felis sollicitudin ante iaculis. Nec et id sociosqu. Sit erat quam
sodales, duis et, rhoncus id dolor risus a urna. Tincidunt ac vel amet orci penatibus amet, voluptas elit
etiam eget integer ante arcu, urna magna ligula
The payload module in question uses older techniques that have been in operation for at least XXX years.
The cutout sites used to communicate with the payload operate on a different server than the payload
dropper.
RECENT GLOBAL ACTIVITY
Lorem ipsum dolor sit amet, natoque felis sollicitudin ante iaculis. Nec et id sociosqu. Sit erat quam
sodales, duis et, rhoncus id dolor risus a urna. Tincidunt ac vel amet orci penatibus amet, voluptas elit
etiam eget integer ante arcu, urna magna ligula Again, highlight endgames data if possible.
RESPOND
The command and control is provided by a wholly distinct server system, with the IP and location in no
particular relation to the placement of the payload dropper server. The command and control server
operates on port XXX and will contain traffic similar to the following pattern:
There are two servers involved in the drop and control steps. The drop itself will have a primary and
secondary download. Configure your perimeter security devices to search for the following pattern:
XXXXX
Path             Purpose
/xxxx/xxxx/x/x   Key logging file
Due to the nature of the infection, and the ability of the malware to extend its capabilities in the field by
downloading additional tools, we suggest that any infected machine be taken offline immediately; the
only sound approach is to re-install the machine from a trusted gold image. No attempt should be made to
“remove” the malware – these attempts are likely to fail and the malware will remain on the machine.
Digital DNA(tm): the following Digital DNA sequence can be used to detect the presence of this
malware payload. A search should be performed with an 80% match threshold.
00 00 00 00
Instructions for using Digital DNA with HBSS / ePolicy Orchestrator can be found in attachment XXXX.
The attack JavaScript in question has a very specific pattern. Perimeter security devices should be
updated to detect the following patterns:
XXXXX PHIL HAS THIS.
360/ie2.htm
360/what.jpg
Archived netflow data can be reviewed for the same.
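Added example, not code from the HBGary report: a sweep over archived web-proxy logs for the two URL path patterns listed above and the known payload server from the DETECT section, separating clients that only touched a payload host from those that show the full exploit-then-payload chain. The log format, client addresses and the 203.0.113.7 exploit host are constructed for illustration.

```python
# Added example, not from the HBGary report. EXPLOIT_PATHS and PAYLOAD_HOSTS are the
# indicators named in the report; SAMPLE_LOG (format "<epoch> <client> <method> <url>
# <status>") and its addresses are constructed for illustration.
from urllib.parse import urlsplit
from typing import Dict, List, Tuple

EXPLOIT_PATHS = ("360/ie2.htm", "360/what.jpg")   # attack-page patterns from the report
PAYLOAD_HOSTS = {"www.qvodcom1.com"}              # known payload server from the report

SAMPLE_LOG = """\
1264550400 10.1.4.22 GET http://intranet.example.local/index.html 200
1264550401 10.1.4.22 GET http://203.0.113.7/360/ie2.htm 200
1264550402 10.1.4.22 GET http://203.0.113.7/360/what.jpg 200
1264550405 10.1.4.22 GET http://www.qvodcom1.com/update.exe 200
1264550430 10.1.9.80 GET http://www.example.com/360/news.html 200
1264550431 10.1.9.80 GET http://www.qvodcom1.com/ 404
"""

def classify(url: str) -> str:
    """Return 'exploit', 'payload' or '' for one requested URL."""
    parts = urlsplit(url)
    if parts.hostname in PAYLOAD_HOSTS:
        return "payload"
    path = parts.path.lstrip("/")
    if any(path.endswith(p) for p in EXPLOIT_PATHS):
        return "exploit"
    return ""

def scan_log(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each client IP to the (category, url) pairs it triggered, in log order."""
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed lines rather than abort the sweep
        _, client, _, url, _ = fields
        cat = classify(url)
        if cat:
            hits.setdefault(client, []).append((cat, url))
    return hits

def likely_infected(hits: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Clients that fetched an exploit page and later a payload host: full chain observed."""
    out = []
    for client, events in hits.items():
        cats = [c for c, _ in events]
        if "exploit" in cats and "payload" in cats and cats.index("exploit") < cats.index("payload"):
            out.append(client)
    return sorted(out)
```

A client that only reached the payload host (10.1.9.80 here) still appears in the scan output and deserves a look, but only the full-chain clients go straight to the re-image list.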
The secondary payload servers are likely to be configured for rapid replacement so as to resist blackholing
and IP blacklists. Why do we think this? Elaborate. An updated blacklist of potential Aurora C&C
servers can be obtained via FEED from XXXXXX. (Can we highlight endgames data here?) IF WE
COULD PRIORITIZE THE FEED PROCESSOR ON LIKELY AURORA, WE COULD ACTIVELY
EXTRACT THESE FROM OUR DAILY DROP.
MORE INFORMATION
HBGary xxx xxx xxx xxx