The Story
---------

[start] At approximately 8:05 AM US/Eastern, an analyst at the Maine Energy Research Facility (MERF) discovered anomalous traffic to an IP geolocated in the Macedonian Empire. The analyst reported the traffic to IARC, which requested packet captures. The packet captures show TCP traffic on port 79 (finger) that does not conform to the finger protocol. The MERF analyst is investigating proxy logs to determine the internal origin of the traffic. Packet captures have been sent to the Cyber Response Team (CRT) for deep analysis.

proto
-----

#20 "Garfield" protocol identified and decoded. Decodes indicate additional IPs of interest:
    10.48.12.16
    10.82.173.211
New pcap to be sent to CRT for deep analysis.

#30 Further analysis of the Garfield protocol indicates the attackers are primarily interested in JPEG and MP3 files on the local hard drive, and in network-attached OkiMate 10 color printers.

#40 The list of transferred files indicates interest in pie- and cake-related images and in audio recordings of bird calls. Password "ARBUCKLE" used for the exfiltrated ZIP files. Advise addition of the following Snort rule. Only the rule options were recorded; the rule header (action, protocol, addresses and ports) is not in the note and must be supplied before deployment, and Snort expects the pcre content delimited by slashes:
    {dsize:48; pcre:"^#~1..PDQ\008"; msg:"CRT Garfield"; sid:1663999; rev:00;}

#100 Second-stage malware binary identified, named "Odie". 18 GB of Odie traffic found at MERF.

#1000 Odie protocol decoded. Decodes indicate the attackers are primarily interested in video files; no indication of further infections.

#2000 Video files transferred are all of Maine wildlife, mostly birds. All attacker activity identified.

Kevin's Stuff
-------------

Kevin has not yet told me what his stuff contains, and probably never will, so I'm making it all up.

Investigation at MERF has uncovered three internal machines as the traffic origin. These machines are being left online for observation. Files from the directory C:\Windows\System32\POOKY have been sent to IARC and CRT for further analysis. Several ZIP files were located in deleted file space on the infected machines. Analysis of C:\Windows\System32\POOKY\system_wallpaper.jpg reveals a malware dropper.

MERF machines all contain the unique registry entry \HOST\UNREAL\LASAGNE_KEY = I_HATE_MONDAYS. IARC has advised sites to search for this key. Visited network file systems all pertain to wildlife photography. The ZIP files contain JPEG and MP3 files, all photographs and recordings of birds.

rln's stuff
-----------

rln has also not yet told me what his stuff contains, and may not actually have any stuff. If he does, this is what I'll say it is.

"Garfield" drops the registry key \HOST\UNREAL\LASAGNE_KEY; the key value I_HATE_MONDAYS indicates a successful phone-home.
"Garfield" malware contains C2 capability. It reports all joystick input to a web server at atlv.papillon.mcd; recommend a policy disabling joysticks at this time.
"Odie" malware contains C2 capability and sets no registry keys. Odie uses the remote host jasex.binky.mcd.
Odie malware appears to use the key "NERMALpookyODIE" (noted as a 16-byte key; the string as written is 15 bytes, so a sixteenth byte such as a NUL terminator may be implied and should be confirmed from the sample).
Odie has directory-walking search capability.
Odie has file transfer capability.
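To make the port-79 triage in the opening note and the #40 Snort rule concrete, here is an added Python example (not part of the exercise notes, and not CRT's or IARC's tooling): it mimics the rule's dsize/pcre check, tests whether a client payload conforms to an RFC 1288 finger request, and tallies the results per destination over a constructed set of sample payloads. The sample payloads, the `classify`/`triage` names, and the reading of the rule's `\008` escape as a single 0x08 byte are assumptions.

```python
import re
from collections import Counter

# Snort rule options as recorded in the #40 note (no header was recorded):
#   dsize:48; pcre:"^#~1..PDQ\008"; msg:"CRT Garfield"; sid:1663999; rev:00;
GARFIELD_DSIZE = 48
# Assumption: the "\008" in the note is taken to be a single 0x08 byte.
# Real PCRE would read "\008" as a NUL followed by a literal "8", so the
# intended byte should be confirmed against the decoded Garfield pcap.
GARFIELD_PCRE = re.compile(rb"^#~1..PDQ\x08")


def matches_garfield(payload: bytes) -> bool:
    """Apply the rule as Snort would: exact payload size, then the anchored regex."""
    return len(payload) == GARFIELD_DSIZE and GARFIELD_PCRE.match(payload) is not None


# RFC 1288 finger request: an optional "/W" switch, an optional username
# (possibly user@host), and a CRLF terminator, all printable ASCII.
FINGER_REQUEST = re.compile(rb"^(?:/W ?)?[\x21-\x7e]*\r\n$")


def is_finger_request(payload: bytes) -> bool:
    """True when a client-to-server payload looks like a legitimate finger query."""
    return FINGER_REQUEST.match(payload) is not None


def classify(payload: bytes) -> str:
    """Label a client payload seen on TCP/79."""
    if matches_garfield(payload):
        return "garfield"
    if is_finger_request(payload):
        return "finger"
    return "non-finger"


def triage(flows):
    """Count classifications per destination so odd destinations stand out.

    flows: iterable of (dst_ip, client_payload) pairs, e.g. pulled from a pcap.
    Returns {dst_ip: {label: count}}.
    """
    result = {}
    for dst, payload in flows:
        result.setdefault(dst, Counter())[classify(payload)] += 1
    return {dst: dict(counts) for dst, counts in result.items()}


# Constructed sample payloads (not taken from the MERF captures).
GARFIELD_SAMPLE = b"#~1AB" + b"PDQ\x08" + b"A" * 39   # exactly 48 bytes
SAMPLE_FLOWS = [
    ("10.48.12.16", GARFIELD_SAMPLE),
    ("10.48.12.16", b"\x00\x10\x7f\x00\x00\x00garbage"),  # binary, not finger
    ("10.82.173.211", GARFIELD_SAMPLE),
    ("192.0.2.7", b"\r\n"),           # RFC 1288 "list users" query
    ("192.0.2.7", b"/W jon\r\n"),     # verbose query for one user
]

if __name__ == "__main__":
    for dst, labels in triage(SAMPLE_FLOWS).items():
        print(dst, labels)
```

Feeding real captures means extracting the first client payload of each TCP/79 stream (for example with a pcap library) and passing the (destination, payload) pairs to `triage`; anything labelled "non-finger" that is not also "garfield" is a candidate for a second, still-undecoded protocol and is worth a manual look.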