Thursday, 10 April 2014


executive summary


A tiny malicious binary code may be the biggest threat of our personal to professional life. There is rapid boom of malicious signed binary codes day by day and year over year. Some of these binary combinations may be potentially unwanted programs and not truly malicious, however, the misuse of legitimate code signing authentication erodes user trust. Many times, it is difficult to distinguish good authentications from malicious authentications. Our research will help the world to identify the trustworthiness of binary. CCFIS Research Labs also assigns the level of trust.
Our lead research is focused on malware attack to our nation’s most critical area.  CCFIS Advanced Research Threat Report (ARTR) provides a high level overview of computer network attacks discovered by Center for Cyber Forensic and information Security for quarter, January 2014 to March 2014. This report is based on the detailed research on various parameters of captured latest malicious code and thus giving “Alert” trends in Cyber Security.
The entire report is completely based on data collected by CCFIS sensors installed at different locations in India and across the globe.

region wise analysis

Based on CCFIS research data, the top most used county’s IPs who were involved in malicious activities and for APTs in recent time are -






According to our analysis based on captured data, the top three country’s IPs used for malicious activities are Taiwan, U.S and Canada. 

file extension of malware

Malware is one of the highest level weapon used to attack any industry or country. Malware writers use packing technology to bypass automated threat scanners and advanced firewalls. Every time attacker uses new exploit or malware to get the security clearance. The extension of the malware tells for what platforms it has been designed, and the most Interesting fact is that most of the malwares are cross platform and can infect    system after understanding its platform and version automatically. According to CCFIS Research Labs, the following extensions were used for suspicious activity.







malware types

We did analysis of captured malware and detected that most of malwares were targeted malwares. We decoded every malware and analyzed it’s behavior and categorized accordingly. We have detected various types of malware ranging from brute force based to information stealing malware.
Brute forced based malwares downloads entire dictionary in  infected system and keep trying multiple combinations to find the perfect match of username and passwords. Backdoor  malwares create a backdoor in compromise machine and later on provide a route for further pivoting based attacks.
We also analyzed a very smart malware designed specially for stealing information from infected system; these malwares do not perform any suspicious activity and hence, remains undetected by most security software. DDoS based malware make their  victims a part of their botnet and perform DDoS attacks using these compromised machines as bots. Few malwares bind themselves in system drives and loads before the operating system boots. Few of the malwares are so sophisticated and packed that it remains dormant in systems and perform their tasks silently.

 coding language

Most of the malwares were highly packed but CCFIS Research Team was able to decode most them in our advance   malware analysis lab. We analyzed the code and tried to understand its working, behaviors and intent.

So far, CCFIS research team has concluded that most of the malwares are written in pearl language due to its simplicity, high functionality and full community support. Security   professionals’ uses python for various purposes, one of them are for writing Proof of Concepts but malware coders take advantage of rich libraries of Python and code state-of-art malwares. Pearl is in the lead role but the base of most of the languages C/C++ also is in race. It is still one of the most favorite attacker’s choices.  
Also few of malwares were so packed that even our advance research lab were not able to decode the malwares and our elief is that these malware remain undetected by most anti-virus companies. We declared these files as malwares, based on their behavior.

executable platform

Final aim of any attacker is to execute its malware into operating system to get desired access. According to CCFIS Research Labs, we found that most of the malwares were written for Windows platform and majority was for Windows XP systems as Windows is still most preferable Operating System and Windows machines are used in various critical sectors.

We also found that attackers are focusing more on creating cross platform malwares. These cross platform malware detects operating system and its version automatically and infect accordingly ranging from Windows to Android.

malware size

The malicious binaries have no fixed size in the Security World. According to CCFIS Research Lab Report, which is based on malwares captured by our sensors, most of the malwares were very small in size. Malware coders pack the malicious code again and again and try their best to keep the file as short as possible. Some of malwares were coded only to get access into the system and after getting the access of system they start downloading other part of malware to intrude further into network using pivoting. These malware are more intelligent than your general security software.

The trend shows that files greater than 65MB are mostly the speed tester files which are used to check the uploading and downloading speed. Below 65 MB to 5 MB files are mostly used for brute force attack as they contain a large username’s and password’s dictionary. Below 5 MB are either .rar, .tar, or .jpeg extension files used for compromising machines and adding them to botnet. Also small malwares were Trojans, backdoors, adware, bitcoin miners, etc.

Most of the malwares written in Python or Perl are used to be of less size because these scripts acts as a OS backdoor, allowing remote hackers to secretly send commands,   uploading code to the computer, stealing files and running commands without the user's knowledge. These functionality can be easily achieved using Perl or Python due to rich libraries and huge community support.
 The speed tester files are mostly the corrupted files of older service packs of windows used by an attacker to test the server speed or to degrade OS version to try already available exploits.

region – based on CCFIS sensors

Based on the CCFIS sensors installed on different locations in India, we captured a huge number of malwares. Below graph shows the area which allure attackers.
 The analysis shows that Alfa-Loc is at the first place and one of the reasons for choosing the Alfa-Loc by an attacker can be the rapidly growing industries and trade in Alfa-Loc. Most of the DoS and Brute force based malwares were uploaded in this location.
 We found various types of malware at Alfa-Loc sensor. The attacker tried to compromise the server by sending the files which could downgrade the server version and make prone to known attacks. All the activities logs and input commands were recorded by CCFIS sensors and a proper analysis were performed. It has been observed that attackers are more interested to attack the location in which could either get benefit financially or steal some information relevant to attacker.Beta-Loc has recorded the malware files less than 30 MB and the case is similar with Delta-Loc and Epsilon-Loc.
At Gamma-Loc, speed tester files are used to either get the bandwidth of the server or to compromise the server by installing older service packs.
*Alfa, Beta, Gamma, Delta & Epsilon are not the real locations but the code names of CCFIS Sensors.

list of bad ips



 CCFIS has divided the suspicious IP’s into four domains. Each domain represents the severity level. We have defined our levels based on the IP’s found during the analysis. Most of the IP’s are found in malware having behavior quite similar to the categories like backdoors, Brute force attackers, Dos or DDoS.

Compiled from CCFIS’s data, the graph below shows the bad IP’s in the widest range of targeted computer network operations.
Low level:
65.54.89.146,65.55.95.11,65.54.89.224,54.228.232.89,178.19.99.72,89.39.89.40,212.193.243.188,89.187.135.150,209.59.194.20,176.74.176.178,63.251.38.197,66.254.108.157,93.119.25.20, 208.146.35.5, 186.202.153.36
Medium Level: 207.46.120.187(2), 23.67.1.48(2)
High Level: NA
Critical Level: NA
Thus, from the data it indicates that an attacker has always tried to attack from different IP. In that case it is the possibility that we always see the Low level and Medium level percentage quite higher than other levels.
Most of the IP’s after being used are not active now. This means that an IP once used is only active for a short period of time.  By the time a network administrator block that malicious IP, it might be left by an attacker. Similar is the case with their subdomains and domains. The domain names once used are not available now. In fact, the domain names found are also available on some of the domain name registration sites, which mean they are not being officially used.

bad domain

Based on the IP addresses found, the analysis is done and list of some domains have been found. These domain names are the one which were used by attacker to attack their targets. Some domain names are still active while some of them are down. Just like IP address, domain name also keeps on changing. It also contains some blacklisted domain names. Our belief is that these IPs or domain names are made live when attackers intent to attack.
 low level:            
  • MundiGames.com
  • bc2server.ru
  • www.laleagane.ro
  • EnjoyGame.ru
  • Espana Romania.es
  • Herniserver.cz
  • Cs.GenerationCs.Net
  • Best.FullCs.Com
  • FullBK.Best.Com
  • DarkZM.SKZ.Com
  • Zombie.BestRedDevil.Com
  • Hellzone.MasterServer.Com
  • [Zombie Plague]
  • WristHaX.com
  • MorTaLGaMes.com.br

 medium level: 
  • adsyndication.msn.com-2
  • cx.msn.com-2
  • images.adsyndication.msn.com-2
  high level: NA
  critical level:  NA
Posted by at No comments:
Labels: , , , , ,
Subscribe to: Posts (Atom)