Does this site look plain?

This site uses advanced css techniques

Unixwiz.net - Software Consulting Central

Log of Security Response: Online-Employer Incident

• Home
• Contact
• About
• TechTips
• Tools&Source
• Evo Payroll
• CmdLetters
• Research
• AT&T 3B2
• Advisories
• News/Pubs
• Literacy
• Calif.Voting
• Personal
• Tech Blog
• Evo Blog

On around 23 Sept, 2009, Paychoice's "Online Employer" portal had a security incident where portal users received emails purportedly from Paychoice, informing them that they had to download and install an update to work with the portal.

The English was not particularly well written, but the email included their portal username and part of their real password. This was not a random phishing expedition: somebody had private information.

The links were to websites hosted at Yahoo!, and the badware was a password-stealing Trojan horse that phones home its stolen information to a webserver in Sweden.

It's said that Paychoice took down the portal at ~noon on Wednesday and provided new usernames and passwords. Apparently, a lot of service bureaus had some very uncomfortable phone calls to make, while many of their staff were at the Paychoice annual user conference.

I became involved on Thursday afternoon when a customer casually mentioned that he was having a bad day, and that started the process: I'm a security consultant.

The log below represents activies that I was directly involved in; there have been rumors and claims of other events or actions; I'll not address them.

Update 2009/09/30 — After following this incident for almost a week, I've come to the conclusion that this is far less serious than it appears at first. The bad guy did not get private data, and it was not an inside job. I have written my analysis here, though of course this is all speculation.

Blog posts

• Sep 30: Security Response: the Paychoice/Online Employer incident
• Oct 2: How not to respond to a targeted malware attack
• Oct 6: Payroll Associates doesn't care about its customers
• Oct 17: Paychoice update

24 Sep 2009 — Thursday

(All times are Pacific Daylight Time)

14:00~

Obtained samples of the malicious emails, including the links.

14:15

Note: All malware URLs are broken up with spaces so they are never linkified.

Emailed Yahoo! Security with two domains used in the scam, plus introductory/background information:

update - onlineemployer . com online - employer - dnl . com

I'm fortunate to have a good working relationship with the Yahoo! Paranoids, the top-tier security guys there.

15:10~

Yahoo! disables those two sites.

15:37

Yahoo! Security reports that my submission was the first they have heard of this matter. This does not indicate anything about other departments at Yahoo!, including the website support center (about which I have no idea).

15:42

I provide Yahoo! Security with the email address of Charles Kershes (@paychoice.com), which was given to me by a customer.

16:25

Reported four more domains hosted at Yahoo!

onlineemployer - update . net onlineemployer - download . net secure - onlineemployer . com plugin - online - employer . org

16:29

Yahoo! Security first submits the badware, plugin_setup.exe (but named e.png) to VirusTotal with detection of 5/11.

17:25

Noticing a pattern in the domain names, wrote some perl code that generated all the permutations of the known words of the bad-guy's domains, and it found several more (all reported to Yahoo! Security)

onlineemployer - download . biz plugin - online - employer . com plugin - online - employer . net

Perl program: find-malurls (but a .txt file).

17:38

Yahoo! Security tells me that two of the previous set had been registered 2 hours ago and had not been deployed yet.

(unk)

Paychoice Support emails their customers:

PAYCHOICE SOFTWARE
Support Notification

September 24, 2009

PayChoice continues to investigate a security incident with Online
Employer that began Wednesday morning.  Access to Online Employer was
reactivated shortly after 12:00 am yesterday.  We have provided new
credentials to the licensee service bureau users and, working with
the licensees, are in the process of providing the same information to
company and employee users.

For the third day, some registered users received emails from a sender
not affiliated with PayChoice directing them to a website to download
and install a plug-in that would be required to view the site. PayChoice
again notified users that the plug-in was not required and directed them
not to download or install it.

After reviewing the content of the emails, we have concluded that valid
user IDs were included in the message.  Additionally, some emails included
4 characters of a valid password.

At this time, we have no evidence that any other confidential data has
been accessed.

We have engaged Symantec, a leading provider of computer security and
anti-virus solutions, in the analysis of the plug-in being provided by the
email sender.  While the assessment is continuing, the initial feedback
is that the purpose of the plug-in is to block browser access to certain
websites that have names similar to that of online-employer.com.

Our security expert consultants are working on a number of different
fronts.  First, they are working to neutralize the sender web sites from
which the plug-ins are downloaded.  This would preclude the infection
of any user machines that receive the email and follow the links.
Second, they are working to neutralize the sites from which the emails
are generated so no further emails are sent from those sites.  Thirdly,
they are beginning to perform forensics on the PayChoice infrastructure
to determine how the information used in the emails was acquired by
the sender.  Fourthly, they are attempting to determine if any other
confidential data has been accessed.

Finally, the law enforcement agencies are escalating this matter to the
appropriate authorities.

PayChoice is committed to the secure handling of all client data and
will send further communications as events dictate to keep you informed.

25 Sep — Friday

07:27

Reported more domains to Yahoo!

onlineemployer - download . biz plugin - online - employer . com plugin - online-emp . info onlimemp - plugin . com onlimemp - software . org

11:18

Virustotal detects 14/40. Symantec does not detected yet.

Morning

Obtained a copy of the Friday fake mailes.

11:47

I email support @ paychoice.com, Cc: Yahoo! Security attempting to make an introduction.

Date: Fri, 25 Sep 2009 11:47:20 -0700
From: Steve Friedl <steve@unixwiz.net>
To: support @ paychoice.com
Cc: {Yahoo! Security email}
Subject: Paychoice / Yahoo! Security

Good morning,

I'm a security consultant working with a number of Paychoice licensees
on the excitement of late, and have also been working with Yahoo! to
have the malware domains taken down as we find them. It's been maybe a
dozen or so by now.

Yahoo! Security would like to get in touch with somebody at Paychoice
regarding this, to perhaps put your heads together.

Could somebody from Paychoice please contact {Yahoo! Security email}
They know who you are and will be expecting your email.

Good luck with this - I know it's been really awful for you folks.

Steve

12:09

Yahoo! Security reports they've made contact with Paychoice (20 minutes!)

~13:00

Paychoice sends this message to its licensees:

From: Thomas McNeila
Sent: Friday, September 25, 2009 1:41 PM
To: (customers)
Subject: Online Employer Security Update

Over the past three days, you may have received emails from a sender
not affiliated with PayChoice with the subject line "Online Employer
Browser Plug-in", or something similar, requesting you to download a
plug-in to access your online account information.

Immediately delete these messages. DO NOT OPEN THEM or click on any of
the links in the email. This plug-in is not required to view Online
Employer or any of the PayChoice websites. It is possible that you
will receive similar emails in the future, and you should continue to
immediately delete them.

Because of this third party email activity, new login ID's have been
issued and user passwords have been expired. Users will be able to
access the site with their new login ID and their current password, and
will then be required to select a new password prior to being able to
access any other website functionality. These changes will ensure that
your data is protected. At this time, we have no evidence that any other
confidential data has been accessed. We apologize for this inconvenience.

We have engaged Symantec, a leading provider of computer security and
anti-virus solutions, and SecureWorks, a world-class information security
services provider, in the analysis of the plug-in being provided by the
email sender. The assessment is continuing, and PayChoice will provide
additional details as they become available.

Users who have selected the link and have the plug-in installed on their
computers should shut them down and refrain from using them until the
purpose of the plug in and a mechanism for removal can be determined. If
you do not have an alternate computer from which to access Online
Employer, please call your Support Representative for assistance.

Our security expert consultants are working on a number of different fronts.

* Working to neutralize the sender web sites from which the plug-in
  is downloaded. This would preclude the infection of any user machines
  that receive the email and follow the links.

* Working to neutralize the sites from which the emails are generated so no
  further emails are sent from those sites.

* Beginning to perform forensics on the PayChoice infrastructure to determine
  how the information used in the emails was acquired by the sender.

* Attempting to determine whether any other confidential data has been accessed.

The law enforcement agencies are escalating this matter to the appropriate authorities.

PayChoice is committed to the secure handling of all client data and
will send further communications as events dictate to keep you informed.

If you require assistance with your login access please contact your
Support Representative. Should you require assistance after hours or over
the weekend please contact us via the Support Call Center and include
your contact information so we may reach you.

Thank you for your understanding and patience.

The following information may be useful to distribute to your client
base to assist in implementing secure procedures.

**********************************************************

Things to look for to avoid scam email and Web sites:

Fraudulent email and Web sites are designed to deceive you and can be
difficult to distinguish from the real thing.

* Whenever you get an email about your Online Employer account,
  the safest and easiest course of action is to open a new web browser,
  type https://www.onlineemployer.com, and log in to your Online Employer
  account directly. Do not click on ANY link in an email that requests
  personal information.

To help you better identify fake or fraudulent emails, we follow strict
rules. We will never ask for the following personal information in
an email:

* Credit and debit card numbers
* Bank account numbers
* Social Security Numbers
* Employer tax ID numbers
* Driver's license numbers
* Email addresses
* Passwords

An authentic Online Employer email will never include:
* Attachments (other than a pdf)
* Software
* A link to download anything that is not from our website directly

How to report a suspicious email or other activity regarding your Online Employer account:
* Contact your payroll provider immediately with as much detail as possible.
* Do not alter the subject line or forward the message as an attachment.
* Delete the suspicious email from your account.
* Follow your internal security procedures

More steps to help protect you from vulnerability:
* Monitor your account. Check your account periodically for suspicious activity.
  If you notice unauthorized use, report it to us.
* Keep your security software current. Update your firewalls and security patches frequently.

* Be smart about your password. Change passwords often and use unique
  passwords that include letters, numbers, symbols as well as upper and
  lower case text.

If you require assistance with your login access please contact your Support Representative.

15:00

Protect your network! Since this malware is not yet fully detected by all the major antivirus vendors, users concerned about this might wish to follow these procedures to block the malware at their border firewall.

I submit the samples of malware to a private submission list that gets it to ~60 antimalware and protection companies (to their priority queue).

17:00

Ran the malware in a protected Virtual Manchine to watch behavior of the malware with the WireShark network sniffer: it phones home to http: // iicon - metal . org, and that IP 83.233.30.157 is located in Sweden.

The badware fetches a file, /la/config.bin, which appears to be encrypted, then a few exchanges via POST /forum/showthread.php, also transacting small encrypted packets.

I understand there are other maldomains and other malware that behave differently; I only captured one.

26 Sep — Saturday

08:08

Emailed support@everydns.net & abuse@bredband2.se (cc: Yahoo! Security) reporting the botnet phone home information noted above (hoping for a takedown).

08:08

Received auto-response from everydns, ticket #4519

09:00

Reran the badware in a virtual machine after localhost-ing iicon - metal . org (cutting off the mothership), found it doesn't appear to have a backup phone-home contact.

09:26

Resubmitted plugin_setup to Virustotal: now 18/40. Symantec not detected.

28 Sep — Monday

08:04

Virustotal picks up 22/41. Symantec still not detected.

10:10

Forwarded a copy of this log to Phil McLaughlin and Jim Costello of Paychoice.

12:00~

Developed a technique to help partly protect a network from infection: Protecting from the badware impersonating Online Employer.

29 Sep — Tuesday

01:59

Virustotal picks up 23/41. Symantec still doesn't have it.

10:04

Virustotal picks up 24/41. Symantec defs 1.4.4.12 (2009.09.29) still don't have it.

13:50

Link to this analysis posted to the Payroll Group member mailing list.

30 Sep — Wednesday

14:18

Virustotal picks up 28/41. Symantec seems to have them now, more than a week later.

1 Oct — Thursday

11:42

Virustotal still at 28/41.

2 Oct — Friday

~15:00

DNS for iicon-metal.org (one of the botnet command-and-control systems) is pulled by EveryDNS — Thanks David! Thanks

15:09

Email EveryDNS requesting termination of the calvinkleinstuffz.com domain.

16:24

Blog post: How not to react to a targetted malware attack

4 Oct — Sunday

~9:00

DNS for calvinkleinstuffz.com (the other domain) is pulled by EveryDNS.

09:40

Noticed that iicon-metal.org moved to EditDNS, emailed their abuse department with a report asking for the domain to be terminated. The webserver at iicon-metal.org is down.

14:49

Found that the webserver iicon-metal.org (83.233.30.157) is back up and commanding the botnet. Ugh.

17:26

Observe that iicon-metal.org does not resolve in DNS; Tyler @ EditDNS reports that mine was the only report he received for this domain.

5 Oct — Monday

04:45

Observe that DNS for iicon-metal.org is now hosted at DNS.GEN.IN, and the C&C is live (ugh).

05:45

Spent the last hour researching DNS.GEN.IN, could not find any obvious contact information. Sent abuse report to the three ISPs (HopOne, The Planet, Optical Jungle) in whose address space the nameservers reside.

05:46

Got autoresponse ticket [ThePlanetAbuse-C46427121Z] for DNS.GEN.IN.

06:02

Got autoresponse ticket [ir.hopone.net #11535] for DNS.GEN.IN.

07:59

Virustotal shows 31/41

6 Oct — Tuesday

13:01

DNS for iicon-metal.org disappears (!). No root resolution, but "whois" shows registration to NS1/NS2.MEGABANDISA.COM - this name does not show up anywhere in whois or the root servers. Odd.

10 Oct — Friday

05:00

Bredband2 (the Swedish ISP) reports that the mothership IP has been killed.

This page will be updated as events unfold.

VirusTotal Results

• 2009/09/24 16:29 PDT detected by 5/41
• 2009/09/25 19:18 PDT detected by 14/40
• 2009/09/26 16:26 PDT detected by 18/41
• 2009/09/29 08:59 PDT detected by 23/41
• 2009/09/29 17:04 PDT detected by 24/41
• 2009/10/01 21:18 PDT detected by 28/41
• 2009/10/02 18:38 PDT detected by 28/41
• 2009/10/05 07:59 PDT detected by 31/41

Other references

• My weblog entry on this incident.
• Security Fix blog by Brian Krebs - the Washington Post (he broke this story)
• Computerworld article on this.
• My analysis of the rationale and motives for this attack

Important Disclaimer