Comments on: Post mortem report on the sinowal/nu.nl incident http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/ News and opinions from Fox-IT Sun, 19 May 2013 06:07:16 +0000 hourly 1 http://wordpress.com/ By: Nuclear Pack Exploit Kit plays with smart redirection | ESET ThreatBlog http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/#comment-237 Fri, 04 May 2012 13:45:57 +0000 http://blog.fox-it.com/?p=136#comment-237 [...] update: there's a useful report of a major Nuclear Pack-related incident from Fox-IT at http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/. However, in the case that Aleksandr has been looking at, there's an updated version that [...]

]]> By: Умные редиректы на Nuclear Pack | | CopyBase.RU - Интересное из сетиCopyBase.RU — Интересное из сети http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/#comment-145 Mon, 09 Apr 2012 15:24:29 +0000 http://blog.fox-it.com/?p=136#comment-145 [...] версии Blackhole и в последствии Nuclear Pack. Причем, похожая история уже произошла месяцем ранее в Нидерландах, но в ней [...]

]]> By: IT Secure Site » Blog Archive » Exploit Kit plays with smart redirection (amended) http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/#comment-143 Sat, 07 Apr 2012 14:26:04 +0000 http://blog.fox-it.com/?p=136#comment-143 [...] update: there's a useful news of a vital Nuclear Pack-related occurrence from Fox-IT during http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/. However, in a box that Aleksandr has been looking at, there's an updated chronicle that includes [...]

]]> By: Exploit Kit plays with smart redirection (amended) | Security Antivirus Virus http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/#comment-141 Fri, 06 Apr 2012 02:45:33 +0000 http://blog.fox-it.com/?p=136#comment-141 [...] update: there's a useful report of a major Nuclear Pack-related incident from Fox-IT at http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/. However, in the case that Aleksandr has been looking at, there's an updated version that [...]

]]> By: Alex http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/#comment-139 Wed, 04 Apr 2012 18:52:04 +0000 http://blog.fox-it.com/?p=136#comment-139 Did working without administrative permissions protect against this trojan?

]]> By: 《漏洞攻擊》荷蘭新聞網 nu.nl 遭入侵,專挑午餐播報時段啟動病毒,蒐集系統資訊 | 雲端防毒是趨勢 http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/#comment-131 Fri, 30 Mar 2012 01:27:01 +0000 http://blog.fox-it.com/?p=136#comment-131 [...] TROJ_SINOWAL.SMF也據稱會下載另一個組件去感染受影響電腦的MBR。 [...]

]]> By: Ceptera Security Newswire » Dutch Users Served SINOWAL for Lunch: http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/#comment-118 Tue, 20 Mar 2012 16:05:57 +0000 http://blog.fox-it.com/?p=136#comment-118 [...] is also said to download another component that is capable of infecting the MBR of an affected [...]

]]> By: Dutch Users Served SINOWAL for Lunch | Virus / malware / hacking / security news http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/#comment-117 Tue, 20 Mar 2012 15:05:12 +0000 http://blog.fox-it.com/?p=136#comment-117 [...] is also said to download another component that is capable of infecting the MBR of an affected [...]

]]> By: Michael Sandee http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/#comment-115 Mon, 19 Mar 2012 13:03:51 +0000 http://blog.fox-it.com/?p=136#comment-115 It is not a matter of time per se, there are many variables to verify, the reason we mentioned time will tell is because we cannot know everything but we do know that something was wrong in the cases we investigated. In time we will see the reports from other affected parties who might have additional information on this. A large number of systems was infected but did not get the real intended payload running for a number of reasons, some of those reasons we know and some of those we do not know. This makes it hard to apply this information to the total amount of infected systems, so while we can make a good estimate on how many systems are affected by the initial infection, we cannot say anything about the amount of real infections that is now active, but we are sure at least a percentage of the systems are active.

Everybody who worries, do not read our blogpost in a way that it is an excuse to not do anything (you might conclude otherwise from some information in the press), if you were affected your systems are using outdated software, additionally they might have been infected with one or more pieces of malware causing a possible information leak. See it as a wake-up call. A number of URLs have been mentioned, if your proxy logs contain the the url which fetches the payload (executable) from the exploit kit, or if your logs contain references to the two urls we mentioned of the SmokeLoader command and control server, you should know that the system has been compromised. Verifying the additional Sinowal infection requires some more information that we cannot explain in a few words.

A significant amount of Anti-Virus product vendors now recognizes it, but some remain that do not detect the SmokeLoader infections:
https://www.virustotal.com/file/e625fdb49695886ee2781d6e2c3755f7fc8c9c56ca208bdd14e51f11466abe10/analysis/1332150024/
https://www.virustotal.com/file/c667f39573b4bbd10aa26e841a9dda3ab0407de12606e9a58e16fc9427ce7dc1/analysis/1332150155/

]]> By: Jan http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/#comment-114 Sun, 18 Mar 2012 22:18:54 +0000 http://blog.fox-it.com/?p=136#comment-114 You end with your report with the text “Time will tell”.

Do you have any idee how much time it will take te be sure this is harmless? We really would like to reassure our customers en move on to the ‘business as usual’

]]>