
Stealing data from ~50 companies with PoisonIvy trojan?!


p0et


Full Member

Posts: 197

Joined: Thu Nov 02, 2006 4:38 pm

Location: Victoria, Canada

Post Tue Nov 01, 2011 9:32 pm

Stealing data from ~50 companies with PoisonIvy trojan?!

Talk about an old trojan... Can't believe this easily detected old trojan got through all of the ~50 companies' defenses (if they had any).

http://www.eweek.com/c/a/Security/Nitro ... es-863610/
GCIH, Security+, Network+, A+, MCP, DCSE

pseud0


Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Wed Nov 02, 2011 4:17 am

Re: Stealing data from ~50 companies with PoisonIvy trojan?!

I'll comment on it since I spent the better part of 4 months working on the issue:

-First, Symantec's timeline is wrong. I know of at least two very large chemical companies that were hit as early as August last year. Same MO. Same emails. Same malware. Same targeted data.

-Second, yes, PoisonIvy, but a highly modified one. We recovered original versions of it and it was modified enough from the original form that AV and IDS didn't pick it up. VirusTotal only had 2 products that flagged it. It was also VM aware, as we couldn't get the emails to dump the payload in our VM workstations. We actually had to have the client put one of their images on a laptop in order to get the malware samples.

-Third, the attackers were persistent. Every time they were pushed out of the environment they'd use information they'd gathered to find a new way back in. Note to admins: don't be cute and use the same password for web apps and remote access as you do for AD and systems.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
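Picking up on the "VM aware" point in the post above: as an added example, not code from the post or from the sample discussed, here is a simplified model of the host checks such a dropper runs before it unpacks its payload. The MAC OUI and vendor-string lists are well-known public hypervisor fingerprints; the field names and the two sample hosts are constructed for this example.

```python
# Added illustration of "VM aware" malware logic, not code from the forum post
# or from the malware it discusses. Indicator lists are public hypervisor
# artifacts; the host dicts and their field names are constructed for the example.

VM_MAC_PREFIXES = {
    # IEEE OUI prefixes registered to hypervisor vendors (public registry)
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
}

# Substrings seen in SMBIOS strings and guest-tools service names.
VM_STRINGS = ("vmware", "vmtools", "vgauth", "virtualbox", "vbox",
              "qemu", "xen", "hyper-v", "kvm", "parallels")


def vm_indicators(host):
    """Return the reasons this host looks like a VM (empty list = looks physical).

    `host` is a dict of facts an implant can read cheaply on Windows (NIC MAC,
    SMBIOS vendor strings, running service names, CPU count, RAM). The field
    names are an assumption for this example, not a real API.
    """
    hits = []
    oui = host.get("mac", "").lower()[:8]
    if oui in VM_MAC_PREFIXES:
        hits.append("MAC OUI %s is registered to %s" % (oui, VM_MAC_PREFIXES[oui]))
    for field in ("bios_vendor", "system_manufacturer", "system_product"):
        value = host.get(field, "").lower()
        match = next((s for s in VM_STRINGS if s in value), None)
        if match:
            hits.append("%s contains '%s'" % (field, match))
    for svc in host.get("services", ()):
        if any(s in svc.lower() for s in VM_STRINGS):
            hits.append("guest-tools service '%s' is running" % svc)
    # Crude resource heuristics: analysis VMs are usually small.
    if host.get("cpu_count", 0) < 2:
        hits.append("single CPU")
    if host.get("ram_mb", 0) < 2048:
        hits.append("less than 2 GB RAM")
    return hits


def should_run_payload(host):
    """The dropper's decision: stay dormant if anything looks virtual."""
    return not vm_indicators(host)


# Constructed sample hosts: a default VMware analysis VM and a physical laptop.
ANALYST_VM = {
    "mac": "00:0C:29:4A:1B:22",
    "bios_vendor": "Phoenix Technologies LTD",
    "system_manufacturer": "VMware, Inc.",
    "system_product": "VMware Virtual Platform",
    "services": ["VMTools", "VGAuthService", "Spooler"],
    "cpu_count": 1,
    "ram_mb": 1024,
}
CLIENT_LAPTOP = {
    "mac": "3C:97:0E:11:22:33",
    "bios_vendor": "Dell Inc.",
    "system_manufacturer": "Dell Inc.",
    "system_product": "Latitude E6420",
    "services": ["Spooler", "Dnscache"],
    "cpu_count": 4,
    "ram_mb": 8192,
}

if __name__ == "__main__":
    for name, h in (("analyst VM", ANALYST_VM), ("client laptop", CLIENT_LAPTOP)):
        verdict = "run payload" if should_run_payload(h) else "stay dormant"
        print("%s -> %s %s" % (name, verdict, vm_indicators(h)))
```

Against the stock analysis VM every check fires and the payload never unpacks, which is the symptom the post describes; the two ways around it are to strip those artifacts from the analysis image (non-hypervisor MAC OUI, patched SMBIOS strings, no guest tools, realistic CPU and RAM) or to detonate on physical hardware with a copy of the client's own image.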

p0et


Full Member

Posts: 197

Joined: Thu Nov 02, 2006 4:38 pm

Location: Victoria, Canada

Post Wed Nov 02, 2011 10:26 am

Re: Stealing data from ~50 companies with PoisonIvy trojan?!

Whoa! That's quite a bit more advanced than it initially reads (just mentioning the PoisonIvy RAT). Man, I'd love to get my hands on their modified version and have a look. Sounds like they did a good job of modifying it.

I'm jealous... I'd love to have your job if it involves working with issues such as this one! :)
GCIH, Security+, Network+, A+, MCP, DCSE

pseud0


Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Wed Nov 02, 2011 7:59 pm

Re: Stealing data from ~50 companies with PoisonIvy trojan?!

I've got a sample of it on a USB drive in the lab. It has a ball of duct tape the size of a softball wrapped around the body of it with skulls drawn on it, because every time someone wanted to move files they'd grab that drive. We'd have 50 USB drives sitting on the table and this one would be hidden under a box, and still someone would find it and stick it in their laptop.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

eth3real


Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Wed Nov 02, 2011 8:36 pm

Re: Stealing data from ~50 companies with PoisonIvy trojan?!

I've heard about this. I believe this is the same attack that breached RSA earlier this year.

http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Put that in your pipe and grep it!

p0et


Full Member

Posts: 197

Joined: Thu Nov 02, 2006 4:38 pm

Location: Victoria, Canada

Post Wed Nov 02, 2011 10:48 pm

Re: Stealing data from ~50 companies with PoisonIvy trojan?!

Wow! I heard all about the RSA breach but I guess I forgot or didn't see that it was also Poison Ivy... man, that trojan gets around. ;)
GCIH, Security+, Network+, A+, MCP, DCSE
