CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Identify Crimeware Strains with Edit Distance

When trying to identify crimeware/malware, it's a good idea to design a multi-part system that deploys a variety of detection techniques to increase your chances of detection. You can start with one technique and then layer on additional techniques as time and resources will allow.

In this short blog post, I'm going to share just one of those techniques (using edit-distance) that you can plug into your multi-part system to perform rudimentary detection for popular crimeware admin panel strains like Pony, Citadel, and Zeus.

 

Edit Distance Basics

Edit distance (aka: Levenshtein distance) is a term for determining how different two strings are from one an another. The basic idea is that we take String A ("bananas") and String B ("apples") and determine how many individual changes would be required to make the first string equal the second string. Each change can be an insertion, a deletion or a substitution.

For example, if we wanted to compute the edit distance between A and B we can do this manually like so:

  1. Delete the 'b' (ananas)
  2. Sub first 'n' for 'p' (apanas)
  3. Sub second 'a' for 'p' (appnas)
  4. Sub second 'n' for 'l' (applas)
  5. Sub last 'a' for 'e' (apples)

So, assuming we took the most efficient path from bananas to apples, we have an edit distance of 5 between the two strings.

It's a very simple concept, but how can something this simple help us identify crimeware?

Let's start by getting our hands on some crimeware.

Obtaining Crimeware Samples

There is a metric ton of web-based crimeware that's available in the wild, many of which we at Trustwave already classify using more sophisticated means. I've taken 2 separate instances of 3 different "strains" of web-based crimeware (Pony, Citadel, and Zeus) from our malware repositories to demonstrate this technique.

These are the files I'm starting with:

  • pony1
  • pony2
  • citadel1
  • citadel2
  • zeus1
  • zeus2

Now that we have some samples, let's identify them with edit-distance.

Identifying Crimeware Strains

We start this process by identifying a baseline sample for each strain. Let's use sample #1 for each strain. We'll take the baseline examples and place them in a templates folder and then move the remaining items in a samples folder. We can also add 100 normal HTTP responses and play a little game called "find the crimeware."

Now, on disk, our footprint looks like this:

  • templates/
    • pony1
    • citadel1
    • zeus1
  • samples/
    • pony2
    • citadel2
    • zeus2
    • random1..100

I've written this small proof of concept code to demonstrate the process with a couple performance and tuning tweaks added, including normalized edit distance and a sample qualifying pre-processor:

We can now use this script to quickly and efficiently identify the crimeware strains within the sample set in about 0.017 seconds:


Parting Thoughts

Again, as I mentioned earlier in this post, this is a rudimentary technique for identifying web-based crimeware of this size and static content. If an attacker wanted to deploy an evasion to such detection techniques, the effort involved would be trivial by adding additional content or simply obfuscating the content. In such scenarios, this is when having a more sophisticated algorithms and detection technology would be required for proper identification.

At any rate, at least for the time being it is possible to identify some web admin panels using an edit-distance technique. Maybe in the future we'll see more crimeware authors invest futher in mechanisms for obfuscation in these admin panels as they do in other crimeware infrastructure components.

Latest SpiderLabs Blogs

The Secret Cipher: Modern Data Loss Prevention Solutions

This is Part 7 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here. Far too many organizations place Data Loss Prevention (DLP) and Data...

Read More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Overview A command injection vulnerability has been discovered in the GlobalProtect feature within Palo Alto Networks PAN-OS software for specific versions that have distinct feature configurations...

Read More

CNAPP, CSPM, CIEM, CWPP – Oh My!

We all know the cybersecurity industry loves its acronyms, but just because this fact is widely known doesn’t mean everyone knows the story behind the alphabet soup groups of letters, we must deal...

Read More