Tuesday, August 27, 2013

Kelihos botnet: What victims can expect

There has been a recent surge in security blogs warning users to be extra cautious of a new spin on an old threat. Kelihos is a botnet that uses P2P communication to maintain its CnC network. With all of the attention around Kelihos, it should be no surprise that 30/45 AV vendors are detecting the latest installer. I took some time to analyze recent threat reports that came through our malicious/suspicious files queue to see if I could find anything to add. It didn't take long to find a now infamous iteration of this botnet installer in action. In particular, I found a file called "rasta01.exe".

Besides the common naming convention of this threat, there are many other factors that gave this infection away at a glance. Firstly, the use of P2P-style communication via SMTP raised an eyebrow. This particular instance called out to 159 distinct IP addresses.

A small portion of the SMTP calls made from a standard instance of Kelihos

Secondly, we observed the overt way the botnet installs several packet-capturing utilities and services. This is done so that the infection can monitor ports 21, 25, and 110 (FTP, SMTP and POP3) for usernames and passwords.

Everything you need to monitor packets is created/dropped here.

Next, I noticed that the botnet attempts to categorize its new victim by using legitimate services to gather intelligence. In this instance, the malicious file queried the victim's IP address against Barracuda Networks, Spamhaus, Mail-Abuse, and Sophos. These services primarily exist to notify users of abuse seen from a site or IP address. Kelihos uses them to determine whether the new victim is already seen as malicious. If the victim isn't yet listed in the CBLs (Composite Block Lists), it may be used as either a proxy C&C or a spam bot.

References to CBLs from each location will determine what role the victim plays in the botnet.

A final point to make about this threat is that it makes no attempt to hide how noisy its network activity is. We noted a spike in TCP traffic to 563 distinct IP addresses in the span of two minutes. Network administrators should take extra care in monitoring users with anomalous levels of traffic. A single node sending so much traffic to so many different services in such a small window can be used to identify potential victims.
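The two network signals described in this post (direct SMTP from a workstation to well over a hundred distinct peers, and a burst of connections to hundreds of distinct hosts inside two minutes) can be turned into simple flow-log detections. The following Python is an added example, not Zscaler's tooling: it builds a constructed set of flow records (one normal host, one host mimicking the behaviour above) and runs a sliding-window distinct-destination counter plus a direct-SMTP check over them. The IP addresses, thresholds and window size are assumptions for the example.

```python
import random
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def generate_sample_flows(seed=1):
    """Constructed flow records (ts, src, dst, dport); NOT taken from the post.

    10.0.0.5 is a normal workstation; 10.0.0.23 mimics the Kelihos behaviour
    described above: direct SMTP to 159 distinct peers, then a burst of TCP
    connections to 600 distinct hosts inside two minutes.
    """
    rng = random.Random(seed)
    t0 = datetime(2013, 8, 27, 9, 0, 0)
    flows = []
    for i in range(40):  # normal host: a few HTTPS destinations over 10 minutes
        flows.append((t0 + timedelta(seconds=15 * i), "10.0.0.5",
                      "93.184.216.%d" % rng.randint(1, 8), 443))
    for i in range(159):  # P2P-style SMTP chatter, one new peer per second
        flows.append((t0 + timedelta(seconds=i), "10.0.0.23",
                      "203.0.113.%d" % (i + 1), 25))
    for i in range(600):  # fan-out burst: 600 distinct hosts in 120 seconds
        flows.append((t0 + timedelta(minutes=5, seconds=0.2 * i), "10.0.0.23",
                      "198.51.%d.%d" % (i // 254, i % 254 + 1), 80))
    return flows


def fanout_alerts(flows, window=timedelta(minutes=2), threshold=500):
    """Peak number of distinct destinations any source reaches within a sliding
    window; sources at or above the threshold are returned as {src: peak}."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()        # events still inside the window
        active = Counter()      # distinct destinations inside the window
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            active[dst] += 1
            while recent[0][0] < ts - window:   # evict events older than window
                _old_ts, old_dst = recent.popleft()
                active[old_dst] -= 1
                if active[old_dst] == 0:
                    del active[old_dst]
            peak = max(peak, len(active))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def direct_smtp_alerts(flows, allowed_relays=frozenset(), threshold=20):
    """Workstations should only speak SMTP to the organisation's relay; count
    distinct port-25 peers that are not on the allow list."""
    peers = defaultdict(set)
    for _ts, src, dst, port in flows:
        if port == 25 and dst not in allowed_relays:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}


if __name__ == "__main__":
    sample = generate_sample_flows()
    print("fan-out alerts:", fanout_alerts(sample))
    print("direct SMTP   :", direct_smtp_alerts(sample))
```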

Monday, August 26, 2013

Expack continues exploiting Java vulnerability

Exploit kits available in the wild tend to follow a trend of exploiting vulnerabilities reported in commonly deployed browser components. Recently, we have seen an increase in exploitation of a year-old vulnerability in the JRE component of Java (CVE-2012-1723). Exploitation of this vulnerability in the JRE allows an attacker to download malware onto a victim's machine and execute it. Let's look at an analysis of such an exploit kit recently found in the wild.

Exploit Kit URL:

When accessed, the above exploit URL executes obfuscated JavaScript and loads an applet into the browser as shown below:

Obfuscated source code:

Let's analyze the above obfuscated JavaScript code by de-obfuscating it. While de-obfuscating the JavaScript code, we noticed that it has multiple layers of obfuscation. For the scope of this article, let's skip ahead to the end of the de-obfuscation process.

As usual, the exploit kit loads content based on the version of the browser and the versions of the plugins installed in it, using browser/plugin detection logic embedded in the obfuscated JavaScript. The exploit kit targets vulnerabilities in the JRE (Java) and Adobe browser components.

Let's take a look at the following de-obfuscated code, which loads the malicious applet into the browser:

The following code calls the relevant functions above, depending upon the JRE version found on the victim's machine:

The applet is executed by the browser, which then downloads a malicious .jar file from the following URL:


The decompiled code of the downloaded .jar file is also heavily obfuscated.

VT Result: 13 / 45
MD5:  361b0e1eab5e647315e6873ea16ca720

This .jar file exploits the vulnerability in the JRE, which allows the attacker to download additional malware and execute it in the browser context.

VT Result: 13 / 46
MD5: a151fdce265ba4fcab1b36bd624d330f

A Trojan then connects to the CnC server by sending POST data and in response, the CnC server replies with 'STATUS-IMPORT-OK'.

After receiving the 'STATUS-IMPORT-OK' command from the CnC server, the Trojan downloads another malware file (6.exe) from the same domain, which looks to be a variant of the ZeroAccess rootkit. The detection rate for '6.exe' is also fairly low on VT.
VT Result: 6 / 46
MD5: b152b3d170dc089b057fbbe3d6393764

Exploitation of browser components such as the Java and Adobe plugins by exploit kits is now a very common reason for enterprise PCs to become compromised. My colleague Krishnan wrote about this in Red Kit Exploit Kit Activity, which also addressed the same vulnerability in Java. It is vital that enterprises ensure that browser plugins are always patched and up to date, something enterprises regularly fail to do. In the case of Java, given the now regular stream of 0-days it has inspired, you may want to seriously consider disabling Java altogether, at least at the browser level, something you can read about in a previous blog post entitled: Are you vulnerable to yet another Java 0Day exploit?


Saturday, August 17, 2013

Malicious .jar files hosted on Google Code

Recently we blogged about Google Code hosting malware. Within a month we have observed a second instance where malicious .jar files are being hosted on Google Code. Using Google Code to distribute malware seems to be increasing in popularity, no doubt due not only to the free hosting provided but also to the positive reputation of the google.com domain. This indicates that there is presently inadequate validation performed by Google prior to content being uploaded to the Google Code site. In this case, a simple anti-virus scan would have found the following pieces of malware.

Google Code URLs: 


Hosted Files:


Both files 'update.jar' and 'Client.jar' have an MD5 of '0521c911e442cd9eec927d8439731a76' and a size of '3,626' bytes.

VirusTotal Result:
URL Scan: 7 / 38 detections
File Scan: 28/45 detections

ZULU Result: 100/100 score
ZULU rules which are flagging .jar files as malicious.

The two projects are hosted on 'code.google.com' by the same uploader, who has an email ID of 'daicadad...@gmail.com'. The second project is also currently live (hosted at "hxxp://code.google.com/p/update-java-download/") and contains the same 'Client.jar' file. You will note that other links within the projects like 'Project Home', 'Wiki', 'Issues', etc. contain minimal information about the project, suggesting that malware hosting was the only goal.

Malicious piece of Java code in 'Client.jar' file:


This .jar file basically takes a URL as input and downloads a file from the given URL. The same type of .jar file was previously analyzed and mentioned in an earlier Zscaler blog.

The release date on the 'Download' link indicates Apr 26, 2013, but we have observed in the Zscaler logs, the same file being hosted on "hxxp://heckraiser.fileave.com/youtube/YouTube.jar" as far back as July 24, 2011.  

In the past, we have seen sites like Dropbox, Google Code and other free hosting providers being leveraged to deliver malware. Free hosting providers, especially those with a positive reputation, are becoming popular with attackers for serving malicious content. Enterprises and end users alike should consider any third-party content, regardless of location, to be untrusted until it has been appropriately scanned.


Friday, August 16, 2013

Anatomy of an ongoing Drive-by-Download campaign

While doing a weekly review of our logs, we stumbled upon thousands of transactions that appear to be part of an ongoing malware campaign. We found compromised websites that redirect the browser to an exploit kit, leading further to a drive-by-download dropper. The source was traced to blackhat SEO redirections (yandex[.]ru).

The attack can be dissected into two stages: an injected malicious script which redirects to a domain, and a second stage in which that domain sends the browser through an HTTP 302 redirect that finally leads to the landing page. The 302 redirection domains resolved to the IP range 192[.]133[.]137[.]0/24. The landing page domains had a very low TTL and were hosted in the subnet 109[.]236[.]80[.]0/24 (AS49981). The server is hosted in NL. The campaign leveraged a DGA (Domain Generation Algorithm) along with Dynamic DNS to deliver the payload, and the domains that delivered the exploit ended with the [.info] TLD. The following snapshot shows some of the sample redirection and dynamically generated landing page domains.

The mechanism of the attack is as follows. Firstly, a malicious redirection script is injected into the webpage: 

This is followed by a 302 redirect, which then leads to the exploit kit landing page. 

The exploit kit here is g01pack, which delivers a multistage exploit. Initially, it detects the browser plugins and their versions and then serves the exploits accordingly. At the time of analysis, I was using Java v1.6 release 26. The landing page was as follows:

As seen, the landing page also tries to deliver a Flash exploit. Unfortunately, at the time of analysis I was getting a 404 response for the SWF payload. 

The applet is loaded with the "applet_ssv_validated" passed as an undocumented parameter to the applet, which allows the attacker to carry out a JVM security bypass. The applet then makes the call to the malicious JAR file. 

The JAR file tries to exploit CVE-2012-0507 and drops the malicious executable. The snapshot summarizes the code which carries this out. Only two anti-virus vendors detected this JAR file, as seen in this VirusTotal report.

The dropped EXE files are Ransomware/Fake AV/ZeroAccess Trojans, depending upon the payload delivered. Our Behavioral Analysis Engine flagged these files as malicious, and the VirusTotal report shows that 10/46 anti-virus vendors detected this at the time of analysis. Also shown are some screenshots of the Ransomware/Fake AV after successful infection.

Given its rocky history with security, there has always been, and will always be, some buzz about new exploits against Java plugins. Attackers will continue to own browsers as long as the plugin is enabled and vulnerable. Refer to this post to learn how to stay protected from exploit kits. Wishing you happy and safe browsing!

Thursday, August 15, 2013

CookieBomb still dropping malicious content

CookieBomb is malicious obfuscated JavaScript injected into legitimate sites. We've talked on this blog about compromised sites before, but this one appears to still be fully functional and actively spreading malicious content to unsuspecting users. The talent at MalwareMustDie is onto their shenanigans as well. As they have mentioned, this is a multi-redirection exploitation that uses two-stage obfuscation to hide its malicious payload. The curious thing about this situation is that few AV vendors have taken note of the good research. The final dropped file is being detected by only 7/45 vendors.

Below is the analysis of a single sample taken from the final list of infected sites we have seen propagating this threat.

First, there is the obfuscation of a small JS inclusion into a potentially legitimate site. This is where CookieBomb sets a name, special variable, expiry date, and access path for the eventual infection. If the cookie is not already present, it will create one for you and redirect you to another obfuscated hidden iframe. Once the hidden site is visited, it will read the cookie's expiry date and provide redirection and infection at a later point to avoid security vendor detection.

Figure 1: Obfuscated Code
Please note that the comment at the top of the image ("/*0f24908*/") changes between samples and is therefore not useful for detection.
Figure 2: De-obfuscated code from Fig.1

In the de-obfuscated code above, we see another URL delivered in a 1px iframe. Going to this site leads to yet another obfuscated page, where the real magic happens. The very first thing it does is attempt to confirm the versions of the browser plugins the attackers are up against.

Depending on the version installed, it will send the next portion of the attack.

The final step sends the malicious payload that the attackers went to so much trouble to obfuscate.  

Attack URLs

Obfuscated content delivered by the obfuscated page

The final drop for this content is a malicious executable that is delivering a small Trojan.  At the time of research, only 7/45 vendors were detecting this content as malicious.

Fiddler session with malicious content being dropped (Readme.exe in this case, Calc.exe in others).
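The cookie-gated first stage described above (set a cookie with an expiry, and only when it is absent write out a hidden 1px iframe) is a pattern a web-content scanner can look for without relying on the changing leading comment. The following Python is an added example, not Zscaler's or MalwareMustDie's tooling: it parses a constructed HTML page, collects iframes and inline scripts, and flags tiny or invisible iframes and scripts that write an expiring cookie together with obfuscation primitives. The sample page and the hidden.example.invalid host are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page, NOT a real compromised site: a cookie-gated
# inline script followed by a 1px iframe, the shape the post describes.
SAMPLE_HTML = """<html><body>
<p>Welcome to the park</p>
<script>/*0f24908*/
var d=new Date();d.setTime(d.getTime()+7*86400000);
if(document.cookie.indexOf("visited=")==-1){
document.cookie="visited=1; expires="+d.toGMTString()+"; path=/";
document.write(unescape("%3Ciframe src=%22http://hidden.example.invalid/x.php%22 width=1 height=1%3E%3C/iframe%3E"));}
</script>
<iframe src="http://hidden.example.invalid/x.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.getElementById("year").textContent=new Date().getFullYear();</script>
</body></html>"""


class _PageCollector(HTMLParser):
    """Collect every <iframe> attribute set and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data   # script bodies may arrive in chunks


_SIZE = re.compile(r"^\s*(\d+)\s*(?:px)?\s*$")


def _tiny(value):
    m = _SIZE.match(value or "")
    return bool(m) and int(m.group(1)) <= 2


def hidden_iframes(iframes):
    """src of every iframe that is 0-2px in a dimension or styled invisible."""
    hits = []
    for a in iframes:
        style = (a.get("style") or "").lower().replace(" ", "")
        if (_tiny(a.get("width")) or _tiny(a.get("height"))
                or "display:none" in style or "visibility:hidden" in style
                or re.search(r"(width|height):[0-2]px", style)):
            hits.append(a.get("src") or "")
    return hits


_OBFUSCATION = ("eval(", "unescape(", "String.fromCharCode", "document.write(")


def cookie_gate_scripts(scripts):
    """Inline scripts that set a cookie with an expiry and either build content
    through obfuscation primitives or reference an iframe: the gate that lets
    the injection fire only once per victim."""
    flagged = []
    for body in scripts:
        sets_cookie = re.search(r"document\.cookie\s*=", body) is not None
        has_expiry = re.search(r"expires=|toGMTString\(|toUTCString\(", body) is not None
        obfuscated = (any(m in body for m in _OBFUSCATION)
                      or len(re.findall(r"\\x[0-9a-f]{2}|%[0-9a-f]{2}", body, re.I)) > 20)
        mentions_frame = "iframe" in body.lower()
        if sets_cookie and has_expiry and (obfuscated or mentions_frame):
            flagged.append(body.strip()[:40])
    return flagged


def scan_html(html):
    """Run both heuristics and return a small report for the page."""
    p = _PageCollector()
    p.feed(html)
    p.close()
    frames = hidden_iframes(p.iframes)
    gates = cookie_gate_scripts(p.scripts)
    return {"hidden_iframes": frames, "cookie_gate_scripts": gates,
            "suspicious": bool(frames or gates)}


if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```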

For the last several weeks, this attack has impacted the below sites:

The most notable site here is splashtop.com; however, the malicious content has since been removed. Since AV vendors seem uninterested in protecting against this threat, it is advisable to make sure your browsing is safe through other means.

Technical Research: Krishnan Subramanian

Wednesday, August 14, 2013

Facebook phishing: manual session hijacking

We have reported a number of Facebook phishing pages and scams on this blog. Attackers always come up with clever ideas to fool users in order to obtain their credentials. One of these phishing tricks is a "poor man's" session hijacking attack whereby the user is fooled into copying and pasting a Facebook URL containing the session ID or other credentials into a malicious page. I'll describe such an example that I spotted this past weekend.

The phishing page starts with the usual bait, a video. This time, no sex, but instead an opportunity to watch "Jackie Chan died after perfecting a deadly stunt. Jackie Chan falls from a building of 12 floors."

Jackie Chan died!
The user must click to verify his age, another common trick to get users to click on the page. This displays a list of steps to "verify your age", which involve clicking on another link, copying a link from the window that opens, and submitting the data.

Steps to "verify" the user age
The new window points to Facebook. The window is too small for the user to understand what he is copying. Also, instead of opening a page, the URL used is "view-source:https://www.facebook.com...". This makes it one step harder for the user to understand that the window displays a page from Facebook.

Popup window opened by the phishing page
When the user copies and pastes their Facebook URL into the third-party web page, they're also sending the authentication token used to share content. Once this is done, the scammer can post content on the user's behalf.

Fortunately, Facebook reacted quickly to this particular scam. The Facebook popup is not valid anymore and shows the following warning:
Warning from Facebook
When subsequently logging into Facebook after viewing the scam, I also received a warning about phishing pages:
Warning about phishing pages

It looks like Facebook has reacted much faster than they have in the past and added additional warnings for end users. I was asked by Facebook to review my timeline for any suspicious activity just after I logged in. Hopefully more Facebook users will learn about these phishing techniques and will be able to spot them early on.

Thursday, August 8, 2013

Gap between Google Play and AV vendors on adware classification

Two critical items impacting mobile use are privacy and a positive user experience. The mobile app market is built on trust. Questionable mobile advertising practices, such as apps employing deceptive adware practices, negatively impact the end user's perception of both privacy and the user experience. Doing things like capturing personal information such as email addresses, device IDs, IMEIs, etc. without properly notifying users, and modifying phone settings and desktops without consent, is annoying and unacceptable for mobile users. While the majority of mobile ads are not malicious, they are undesirable for most.

Zscaler regularly analyzes applications in the Google Play store to profile apps and identify those presenting security and privacy risks. By studying this data, we have come up with some interesting statistics concerning the prevalence of 'adware' in apps permitted into the Google Play store. We have tracked the top 300 applications in each category.

We have found around 1,845 applications which are flagged by one or more AV vendors as including adware. This is a big number. Most of the applications were flagged by AV vendors due to their excessive inclusion of ads and deceptive practices for delivering them, including altering device settings. For example, many AV vendors flag the Airpush API as adware. Despite this fact, there are many apps within the Google Play store that include this API. This illustrates the conflicting interests that Google and the AV vendors have. It is in the best interests of Google to appease advertising companies. Google wants to encourage developers to expand offerings in their app store, and developers often profit from free apps through advertising. Paid apps may also include advertising, in which case Google takes a direct cut from the app proceeds. Therefore, Google has plenty of incentive to allow apps with aggressive advertising practices. AV vendors, on the other hand, have no such incentive but are instead under pressure to show that they are adding value by identifying malicious/suspicious/unwanted content. As such, there is a big gap between Google and AV vendors when it comes to adware. Ultimately, end users are stuck in the middle as they are left to decide if they will keep or delete the apps being flagged. Other adware commonly flagged by AV vendors includes LeadBolt, Airmob, Plankton, etc.

We have collected the following AV data for apps flagged as including adware, leveraging VirusTotal:
• Number of apps flagged by fewer than 5 AV vendors: 354
• Number of apps flagged by 5 to 10 AV vendors: 854
• Number of apps flagged by 10 to 15 AV vendors: 381
• Number of apps flagged by more than 15 AV vendors: 34

The above chart shows the adware percentage in each app store category.
The above chart shows the adware percentages in each game category.

We have only considered the top 300 applications in each category. As such, the statistics include the most popular applications in the Google Play store.

Below is an analysis of a single application flagged as adware on the Google Play store:


Zscaler static analysis:

Requested application permissions:
• android.permission.READ_SYNC_SETTINGS
• com.android.launcher.permission.UNINSTALL_SHORTCUT
• android.permission.USE_CREDENTIALS
• com.motorola.dlauncher.permission.READ_SETTINGS
• android.permission.ACCESS_COARSE_LOCATION
• com.motorola.dlauncher.permission.INSTALL_SHORTCUT
• android.permission.READ_SYNC_STATS
• android.permission.WRITE_SYNC_SETTINGS
• android.permission.INTERNET
• com.android.vending.BILLING
• com.lge.launcher.permission.INSTALL_SHORTCUT
• android.permission.SEND_SMS
• com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
• com.android.launcher.permission.INSTALL_SHORTCUT
• com.clearhub.wl.permission.C2D_MESSAGE
• android.permission.WRITE_SMS
• android.permission.ACCESS_NETWORK_STATE
• com.android.browser.permission.READ_HISTORY_BOOKMARKS
• com.htc.launcher.permission.READ_SETTINGS
• android.permission.WRITE_EXTERNAL_STORAGE
• android.permission.ACCESS_FINE_LOCATION
• android.permission.RECEIVE_BOOT_COMPLETED
• com.android.launcher.permission.READ_SETTINGS
• android.permission.CALL_PHONE
• android.permission.READ_PHONE_STATE
• com.motorola.launcher.permission.READ_SETTINGS
• android.permission.READ_SMS
• android.permission.VIBRATE
• com.motorola.launcher.permission.INSTALL_SHORTCUT
• com.fede.launcher.permission.READ_SETTINGS
• org.adw.launcher.permission.READ_SETTINGS
• android.permission.ACCESS_WIFI_STATE
• com.lge.launcher.permission.READ_SETTINGS
• android.permission.WAKE_LOCK
• android.permission.READ_CONTACTS
• com.google.android.c2dm.permission.RECEIVE
• android.permission.GET_ACCOUNTS
It can clearly be seen that this application asks for excessive permissions.

By analyzing this app statically, some suspicious privacy-related data leakage can be seen:
• Device UDID
• Device IMEI (GSM) / MEID or ESN (CDMA) number
• Device geo-location
• Personal identification information leakage
• Reads contact info
• SMS activity
• Call activity
• Writes to external storage
Ad-related libraries:
• Startapp
• Zestadz
• Admob
• Inmobi
• Airpush
• Mdotm
• Jumptap
• Adwhirl
• Millennialmedia
List of URLs found in source code:
• http://api.airpush.com/api.php
• http://api.airpush.com/model/user/getappinfo.php?packageName=
• http://api.airpush.com/redirect.php?market=
• http://api.airpush.com/testicon.php
• http://api.airpush.com/testmsg2.php
• http://api.airpush.com/v2/api.php
• http://api.airpush.com/v2/api.php?apikey=
• http://cus.adwhirl.com/custom.php?appid=%s&nid=%s&uuid=%s&country_code=%s%s&appver=%d&client=2
• http://met.adwhirl.com/exclick.php?appid=%s&nid=%s&type=%d&uuid=%s&country_code=%s&appver=%d&client=2
• http://met.adwhirl.com/exmet.php?appid=%s&nid=%s&type=%d&uuid=%s&country_code=%s&appver=%d&client=2
• http://cus.adwhirl.com/custom.php?appid=%s&nid=%s&uuid=%s&country_code=%s%s&appver=%d&client=2
As can be seen, the Airpush API is leveraged by this particular application.

Zscaler dynamic analysis:

The URL above illustrates an example of communication sent to the ad network. Advertisers collect such information to develop a profile for the device (and by extension the owner) in order to track the apps that are used, so that targeted advertisements can be delivered to the device. The UDID is a unique identifier which can be leveraged to track a specific phone.

Google Play Store apps flagged by more than 15 AV vendors:

Why is this happening? Why are AV vendors flagging a huge number of applications as adware while Google is freely permitting them into the Google Play store? The excessive use of advertisements can negatively impact customer privacy and result in a negative user experience. On the other hand, advertisements are necessary for app developers looking to earn money when providing free apps. So where should the line be drawn? Google has clearly chosen to be very lenient with aggressive advertising practices, while Apple has taken the opposite approach, as they have shown that they're willing to sacrifice advertising revenue to provide a positive user experience, even restricting the ability of advertisers to track device IDs and MAC addresses.
How do we define adware? We feel that adware exhibits one or more of the following intrusive behaviors without requesting appropriate user consent (ref: Lookout blog):
• Harvests excessive personally identifiable information
• Performs unexpected actions in response to ad clicks without appropriate user consent (appropriate user consent entails providing a clear alert in the application that the user can accept or decline before any behavior takes place)
• Collects IMEI numbers, UDIDs or MAC addresses
• Initiates phone calls and SMS messages
• Changes wallpaper and ringtones
• Leaks location information
• Leaks email addresses
• Leaks personal information such as contacts, birthdays, calendar appointments, etc.
We base our own categorization of adware-enabled apps on the aforementioned definition. Hopefully Google and the AV vendors can reach a compromise in this ongoing adware battle, as at present end users are paying the price.
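The adware definition above can be applied mechanically to the kind of static-analysis output shown earlier in this post (the requested permissions and the ad-network URLs found in the code). The following Python is an added example, not Zscaler's analysis engine: it extracts uses-permission entries from a constructed AndroidManifest.xml, maps them and a constructed string table onto the intrusive behaviours listed in the definition, detects ad SDKs by host, and returns a triage verdict. The manifest, the string table, the ad-network host mapping and the verdict thresholds are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permission -> intrusive behaviour from the adware definition above.
BEHAVIOUR_BY_PERMISSION = {
    "android.permission.READ_PHONE_STATE": "collects IMEI/device IDs",
    "android.permission.ACCESS_FINE_LOCATION": "leaks location",
    "android.permission.ACCESS_COARSE_LOCATION": "leaks location",
    "android.permission.CALL_PHONE": "initiates phone calls",
    "android.permission.SEND_SMS": "sends SMS",
    "android.permission.READ_SMS": "reads SMS",
    "android.permission.WRITE_SMS": "writes SMS",
    "android.permission.READ_CONTACTS": "leaks contacts",
    "android.permission.GET_ACCOUNTS": "leaks e-mail addresses/accounts",
    "android.permission.READ_CALENDAR": "leaks calendar appointments",
    "android.permission.SET_WALLPAPER": "changes wallpaper",
}
# Every launcher vendor has its own shortcut permission; match on the suffix.
LAUNCHER_SUFFIXES = (".permission.INSTALL_SHORTCUT", ".permission.UNINSTALL_SHORTCUT")
# Ad-network hosts -> SDK name (assumed mapping; only airpush/adwhirl appear in the post).
AD_HOSTS = {"airpush.com": "Airpush", "adwhirl.com": "AdWhirl", "admob.com": "AdMob",
            "inmobi.com": "InMobi", "leadbolt.com": "LeadBolt", "startapp.com": "StartApp"}

# Constructed manifest, NOT the app analysed in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application android:label="Free Game"/>
</manifest>"""
# Constructed string-table extract (what a strings pass over the decoded code yields).
SAMPLE_STRINGS = [
    "http://api.airpush.com/api.php",
    "http://cus.adwhirl.com/custom.php?appid=%s&nid=%s&uuid=%s&country_code=%s",
    "https://example.invalid/help",
]


def permissions_from_manifest(manifest_xml):
    """Sorted list of requested permission names."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID + "name") for e in root.iter("uses-permission"))
    return sorted(n for n in names if n)


def classify(permissions, strings):
    """Map permissions and embedded URLs onto the adware behaviours and return
    {'behaviours', 'ad_sdks', 'verdict'}."""
    behaviours, sdks = set(), set()
    for p in permissions:
        if p in BEHAVIOUR_BY_PERMISSION:
            behaviours.add(BEHAVIOUR_BY_PERMISSION[p])
        elif p.endswith(LAUNCHER_SUFFIXES):
            behaviours.add("modifies home screen shortcuts")
    for s in strings:
        low = s.lower()
        sdks.update(name for host, name in AD_HOSTS.items() if host in low)
        # URL templates that carry a device identifier to the ad network
        if re.search(r"[?&](uuid|udid|imei|deviceid)=", low):
            behaviours.add("sends device identifier to ad network")
    if sdks and len(behaviours) >= 2:
        verdict = "adware"
    elif sdks or behaviours:
        verdict = "review"
    else:
        verdict = "clean"
    return {"behaviours": sorted(behaviours), "ad_sdks": sorted(sdks), "verdict": verdict}


if __name__ == "__main__":
    print(classify(permissions_from_manifest(SAMPLE_MANIFEST), SAMPLE_STRINGS))
```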