Catching Flies with Honey
- Monday, August 30, 2010, 5:17
- Threat Research
Symantec often utilizes honeypots to acquire new samples and observe attacks in the wild. Many threats encountered on honeypots are related to botnets. However, on a rare occasion a honeypot may encounter a targeted attack. In these cases the attacker is after a specific entity, be it a person, corporation, government, or any other such body. When a computer is compromised by such a threat, the behavior can be similar to a bot, connecting to a command and control (C&C) server and awaiting commands. However, the commands received are usually not generic. They are interactive, with the attacker seeking some specific information in real-time.
We recently encountered one of many such targeted threats on a basic honeypot and logged the activity. The attack was quite straightforward and did not utilize any new techniques. Nonetheless, it is a good example of the processes such attackers use. This particular threat was targeting a corporate entity, using a tailored PDF document containing an exploit. The exploit dropped an executable from within the PDF, executed it, and then loaded a second PDF. This second PDF was non-malicious, a simple guise to convince the user that nothing was wrong.
The dropped executable created an entry for itself in the Run registry subkey, to ensure it was loaded when Windows started, and then attempted to report back to the C&C server. An HTTP GET (continue reading...)
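The two behaviours described above, a new value written under a Run subkey followed shortly by an HTTP GET from the same image, are individually common but together are a useful detection pairing. The following is an added example, not Symantec's code or anything from the analysed sample: it correlates a constructed registry-audit log with a constructed proxy log and flags autostart entries that beacon out within a short window of registering. The log formats, field layout, file paths, value names and hosts are all assumptions made up for the example.

```python
"""Correlate Run-key persistence with a first outbound HTTP GET.

Added example (not Symantec's code). Two constructed log streams are used:
a registry-audit log recording new values written under a Run subkey, and a
proxy log of outbound HTTP requests attributed to a process image. An alert is
raised when an image that registered for autostart issues a GET within a short
window afterwards. All paths, names and hosts below are constructed.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse
import ipaddress

# Constructed registry-audit lines: timestamp | key | value name | image path
REGISTRY_LOG = [
    "2010-08-30T09:00:01 | HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    " | Updater | C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    "2010-08-30T09:02:10 | HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    " | OneDrive | C:\\Program Files\\OneDrive\\OneDrive.exe",
]

# Constructed proxy lines: timestamp | process image | method | URL
PROXY_LOG = [
    "2010-08-30T09:00:04 | C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
    " | GET | http://198.51.100.23/check.php?id=7",
    "2010-08-30T09:05:00 | C:\\Program Files\\OneDrive\\OneDrive.exe"
    " | GET | https://example.com/",
    "2010-08-30T09:30:00 | C:\\Windows\\System32\\svchost.exe | GET | http://203.0.113.5/",
]

RUN_KEY_SUFFIX = "\\currentversion\\run"          # matches HKCU and HKLM Run keys
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")  # assumed markers


def parse(line):
    """Split a pipe-delimited log line into (timestamp, [remaining fields])."""
    ts, *fields = [f.strip() for f in line.split("|")]
    return datetime.fromisoformat(ts), fields


def run_key_entries(lines):
    """Yield (time, value_name, image) for values written under a Run subkey."""
    for line in lines:
        ts, (key, name, image) = parse(line)
        if key.lower().endswith(RUN_KEY_SUFFIX):
            yield ts, name, image


def http_gets(lines):
    """Yield (time, image, url) for outbound GET requests."""
    for line in lines:
        ts, (image, method, url) = parse(line)
        if method.upper() == "GET":
            yield ts, image, url


def looks_suspicious(image, url):
    """Heuristic: autostart image lives in a user-writable path, or the
    request goes to a bare IP address rather than a hostname."""
    in_user_dir = any(marker in image.lower() for marker in USER_WRITABLE)
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        bare_ip = True
    except ValueError:
        bare_ip = False
    return in_user_dir or bare_ip


def find_beaconing_autostarts(registry_lines, proxy_lines, window=timedelta(minutes=5)):
    """Return one alert per Run-key image whose first GET falls within `window`
    of the registry write. Alerts are ordered by the registry write time."""
    alerts = []
    gets = list(http_gets(proxy_lines))
    for reg_ts, name, image in run_key_entries(registry_lines):
        for get_ts, proc, url in gets:
            if proc.lower() != image.lower():
                continue
            delta = get_ts - reg_ts
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "value": name,
                    "image": image,
                    "url": url,
                    "seconds_after_persist": int(delta.total_seconds()),
                    "suspicious": looks_suspicious(image, url),
                })
                break  # only the first beacon after persistence matters here
    return alerts


if __name__ == "__main__":
    for alert in find_beaconing_autostarts(REGISTRY_LOG, PROXY_LOG):
        print(alert)
```

Both entries in the sample fire on the timing rule alone, which is the point: legitimate software also registers for autostart and phones home, so the correlation is a trigger for triage rather than a verdict. The `looks_suspicious` heuristic separates the two here by where the image lives and whether the destination is a bare IP; in a real deployment the analyst would replace those markers with the organisation's own allow-listed paths and known-good destinations.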