Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Friday, October 29, 2010

Google Code hosting Malware components

Nothing new: it has happened in the recent past, as the folks at Zscaler pointed out. But this time it is not the malware binary itself but part of its configuration and components that are being hosted on Google Code servers. For those who don't know, Google Code is a free, web-based platform that provides tools and resources to developers working on Google-related open source projects or projects that use Google services.

Win32/Mofksys.A (Microsoft's name for it, rather difficult to pronounce) is a worm that spreads via network shares, removable drives and email. While analyzing it today, I found that it uses *.googlecode.com to host its components. And it's not just a single project site that is being used: multiple projects host various components of this malware!


Once executed, apart from doing all the nasty stuff, one of the activities of this worm is to fetch its configuration and component files. These are stored as .gif files on Google Code servers.

Despite what Google claims about protecting users from malware hosted on its servers, this malware author seems to have been using it for quite some time now!


Some of the entries date back to 16 Oct 2009, which is when this project was created. That means the worm has been around for almost a year now; no wonder these files have been downloaded so many times!


The following projects are being used by this malware:

expcmd01.googlecode.com
expcmd02.googlecode.com
expcmd03.googlecode.com
expeml04.googlecode.com
expcmd04.googlecode.com

Based on the project naming convention, "cmd" and "eml" could stand for commands and email template respectively. It is too early to say whether this is a new kind of botnet, but this could be another smart way of using Google Code servers for C&C communication, just as we saw Twitter being used as C&C some time back. I haven't had a detailed look at the downloaded files, but they have names like cmsys.gif, udsys.gif and 2picsys.gif and are not clear text; they use some kind of encryption.

Following are the MD5s of the samples that seem to use the same set of Google Code projects to download components from:

ee84838421768c902690281178e7a0ce
c7dcc44cb0c3355bedff8bc7c34ab43c

Google was prompt in removing the projects as soon as I reported the matter to them, so as of this writing they are no longer accessible.

Using popular public services such as Google Code, Twitter, Facebook, etc. as C&C servers is a great way of ensuring that the control channels stay low on the radar and away from content-filtering software, thus ensuring the longevity of the malware. I won't be too surprised if this turns out to be part of a new bot-building kit like Zeus :P
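Two checks a responder would want from this post, written here as an added example (this is not code from the post or from any Google tooling): a proxy-log scan for fetches from the abused *.googlecode.com projects, and a test of whether a downloaded ".gif" is really a GIF or an encrypted blob wearing the extension. The project names and file names are the ones listed above; the log lines are constructed, the log format (timestamp, client, URL) and the 7.0 bits/byte entropy threshold are assumptions.

```python
import math
from collections import Counter
from urllib.parse import urlparse

# Indicators taken from the post: abused project subdomains and component file names.
MALWARE_PROJECTS = {"expcmd01", "expcmd02", "expcmd03", "expeml04", "expcmd04"}
COMPONENT_NAMES = {"cmsys.gif", "udsys.gif", "2picsys.gif"}
GIF_MAGIC = (b"GIF87a", b"GIF89a")
HIGH_ENTROPY = 7.0  # bits per byte; heuristic threshold, not from the post


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes) -> str:
    """Decide whether a '.gif' download is really a GIF.

    A real GIF starts with GIF87a/GIF89a. Its LZW-compressed body is high entropy
    as well, which is why the magic check runs before the entropy check.
    """
    if not data:
        return "empty"
    if data[:6] in GIF_MAGIC:
        return "gif"
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "disguised-high-entropy"  # encrypted or compressed payload, fake extension
    return "not-gif"


def googlecode_hits(log_lines):
    """Scan 'timestamp client URL' proxy log lines for *.googlecode.com fetches.

    Returns (project, filename, matched) tuples; matched is True when the project
    or the file name is one of the indicators from the post.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        url = urlparse(parts[2])
        host = (url.hostname or "").lower()
        if not host.endswith(".googlecode.com"):
            continue
        project = host[: -len(".googlecode.com")]
        filename = url.path.rsplit("/", 1)[-1].lower()
        matched = project in MALWARE_PROJECTS or filename in COMPONENT_NAMES
        hits.append((project, filename, matched))
    return hits


# Constructed sample log lines (assumed format), not a real capture.
SAMPLE_LOG = [
    "1288338015.123 10.0.0.5 http://expcmd01.googlecode.com/files/cmsys.gif",
    "1288338016.456 10.0.0.5 http://expeml04.googlecode.com/files/2picsys.gif",
    "1288338017.789 10.0.0.7 http://someproject.googlecode.com/files/README.txt",
    "1288338018.000 10.0.0.7 http://www.example.com/index.html",
]

if __name__ == "__main__":
    for project, name, matched in googlecode_hits(SAMPLE_LOG):
        print(("HIT  " if matched else "     ") + project + " " + name)
    print(classify_blob(b"GIF89a" + b"\x00" * 16), classify_blob(bytes(range(256)) * 4))
```

The entropy check alone would flag genuine GIFs, so only the magic test is decisive; anything that fails it and is still near 8 bits/byte is worth pulling for analysis.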

Thursday, September 23, 2010

After long time..

Yeah, it's been a really, really long time since I have written anything here, and I apologize for that. It's just that I have been a hell of a lot busy with new stuff at work and a lot of research on building malware automation frameworks! Plus, not to mention, the ton of 0-days that have been piling up recently.

Hopefully I should get some more free time from now on, and I will share my findings with you all. I have been writing a lot of cool Python scripts or script-lets, some of which I will post here soon.

So, till next time, I will leave you with this pic:


More later..

Wednesday, April 14, 2010

Trojan Heloag Botnet

Looks like there is a new botnet on the horizon. Win32/Heloag is treated as a backdoor Trojan by many AV companies, but it appears to be a new kind of botnet that uses P2P for communicating with its peers and bot master. It's been out there for a while now.

A recent post by Arbor Networks analyzing the bot prompted me to have a closer look at this piece of malware. Either their report is missing something, or I observed some additional activities that the bot performs! So here is some insight into the protocol the bot uses to communicate with its peers as well as its bot master.

Once infected, as usual, the malware copies itself to the Windows system folder under names such as "crse.exe" or "conme.exe". Some initial variants of this malware use TCP port 1106 to communicate with their bot master or command & control (C&C) server, whereas the newer variants appear to use TCP port 8090.

The bot uses a clear-text payload whose first byte identifies the message, i.e. the activity that the C&C server wants the bot to perform. During my analysis I observed the following messages:

0x01 – Initial Hello message (sent by Bot)

0x02 – Keep alive

0x03 – Peer information (sent by C&C)

0x04 – File download and execution (sent by C&C)

After infection, the bot contacts its C&C with the hello message followed by its hostname. So the 32-byte payload looks something like this:

01 + Hostname + Null padding

As mentioned earlier, older variants use TCP port 1106 to communicate; when the C&C sees one of these, it upgrades the bot to the latest version. The C&C uses the "04" command for this, which looks something like this:

04 + 2 bytes for the number of URLs + 64 bytes of payload info (one record per URL)

payload = 00 00 + URL to fetch and execute + null padding


The upgraded bot now uses TCP 8090 for communication. Next, the C&C sends a "peers list" to the bot for its P2P activity using the "03" command, which looks something like this:

03 + 2 bytes for the number of peers + 64 bytes of peer information (one record per peer)

Peer information = 00 00 + Peer-IP + null padding + Peer-port
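The message layouts above, as an added example of an encoder/dissector for the observed C&C traffic (this is added here; it is not code from the post or from the Arbor Networks report). Everything the post leaves open is an assumption and marked as such in the code: the 2-byte counts and the peer port are taken to be little-endian, and the peer IP is taken to be a dotted-quad string followed by null padding with the port in the last two bytes of the 64-byte record.

```python
import struct

# Message types observed in the post (first byte of the clear-text payload).
MSG_HELLO, MSG_KEEPALIVE, MSG_PEERS, MSG_DOWNLOAD = 0x01, 0x02, 0x03, 0x04
HELLO_LEN = 32    # "01 + hostname + null padding" is 32 bytes in total
RECORD_LEN = 64   # every URL / peer record is 64 bytes
# ASSUMPTIONS not stated in the post: little-endian count and port,
# dotted-quad IP text, port in the last two bytes of a peer record.
COUNT_FMT = "<H"
PORT_FMT = "<H"


def _record(payload: bytes) -> bytes:
    """00 00 + payload + null padding, 64 bytes."""
    if len(payload) > RECORD_LEN - 4:
        raise ValueError("record payload too long")
    return b"\x00\x00" + payload.ljust(RECORD_LEN - 2, b"\x00")


def build_hello(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    if len(name) > HELLO_LEN - 1:
        raise ValueError("hostname too long for a 32-byte hello")
    return bytes([MSG_HELLO]) + name.ljust(HELLO_LEN - 1, b"\x00")


def build_download(urls) -> bytes:
    """04 + count + one 64-byte record per URL (sent by the C&C)."""
    recs = b"".join(_record(u.encode("ascii")) for u in urls)
    return bytes([MSG_DOWNLOAD]) + struct.pack(COUNT_FMT, len(urls)) + recs


def build_peers(peers) -> bytes:
    """03 + count + one 64-byte record per (ip, port) (sent by the C&C)."""
    recs = b"".join(_record(ip.encode("ascii"))[:RECORD_LEN - 2] + struct.pack(PORT_FMT, port)
                    for ip, port in peers)
    return bytes([MSG_PEERS]) + struct.pack(COUNT_FMT, len(peers)) + recs


def dissect(pkt: bytes) -> dict:
    """Decode one C&C message by its leading type byte; raises ValueError on malformed input."""
    if not pkt:
        raise ValueError("empty payload")
    kind = pkt[0]
    if kind == MSG_HELLO:
        host = pkt[1:HELLO_LEN].rstrip(b"\x00").decode("ascii", "replace")
        return {"type": "hello", "hostname": host}
    if kind == MSG_KEEPALIVE:
        return {"type": "keepalive"}
    if kind in (MSG_PEERS, MSG_DOWNLOAD):
        if len(pkt) < 3:
            raise ValueError("missing record count")
        count = struct.unpack_from(COUNT_FMT, pkt, 1)[0]
        body = pkt[3:]
        if len(body) < count * RECORD_LEN:
            raise ValueError("truncated: %d records announced, %d bytes present" % (count, len(body)))
        recs = [body[i * RECORD_LEN:(i + 1) * RECORD_LEN] for i in range(count)]
        if any(r[:2] != b"\x00\x00" for r in recs):
            raise ValueError("record does not start with 00 00")
        if kind == MSG_DOWNLOAD:
            urls = [r[2:].rstrip(b"\x00").decode("ascii", "replace") for r in recs]
            return {"type": "download", "urls": urls}
        peers = [(r[2:RECORD_LEN - 2].rstrip(b"\x00").decode("ascii", "replace"),
                  struct.unpack(PORT_FMT, r[RECORD_LEN - 2:])[0]) for r in recs]
        return {"type": "peers", "peers": peers}
    raise ValueError("unknown message type 0x%02x" % kind)


if __name__ == "__main__":
    # The exchange described in the post: hello from the bot, then an upgrade
    # command and a peer list from the C&C (addresses are constructed).
    for msg in (build_hello("WORKSTATION-01"),
                build_download(["http://192.0.2.10/update.exe"]),
                build_peers([("192.0.2.20", 7105), ("192.0.2.21", 9101)])):
        print(dissect(msg))
```

Feeding captured TCP payloads from port 1106 or 8090 through dissect() gives a quick check of the endianness guesses: if the announced count does not fit the captured length, flip COUNT_FMT to ">H" and look again.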


Unlike what the Arbor Networks report said, I observed the P2P communication on TCP as well as UDP ports. At the time of the analysis, the bot was using the port range 7105-7506 for TCP and the port range 9101-9301 for both TCP and UDP.

It exchanged a huge amount of traffic on the UDP ports, almost 15 MB in a very short time! Though the UDP payload appeared to be encrypted, it was always exactly 100 bytes long. The purpose of its P2P communication is not known yet.


While I have not done a static analysis yet, I guess that the choice of TCP or UDP is determined by the port range itself and must be hard-coded in the binary, as that information is not passed on by the C&C as part of its protocol.

Whether or not this is an entirely new botnet is doubtful, but the communication protocol does appear to differ from what I have seen in other botnets such as Conficker or Waledac.

That's it for now. I will be playing around with this a bit more and will update if I find something new. Following are the MD5s of the binaries used for this analysis:

b36a68304cec89cf35ddaea8a7e8406d

6a5759f5e32253e06217baa6e1b1dbe1

ed96a6175f00e21df631b295b3019f6a

Stay tuned !

Thursday, April 1, 2010

PDF Command execution vulnerability

Researcher Didier Stevens just discovered that he can make a PDF reader execute any command without exploiting any vulnerability! On his blog he demonstrated how the "Launch" action of a PDF document can be abused to execute an arbitrary command on the victim's machine.

Though he did not reveal complete details, his partial PoC is good enough to guess how the attack can be carried out. I decided to have a look at it and see how it behaves on different platforms and readers.

Apparently what Adobe thought was a feature leaves gaping holes in the operating system for any attacker to exploit! Simply by looking at the PDF file specification on Adobe's website, I was able to recreate the attack that Stevens described in his post. It is extremely trivial to manipulate the dialog box prompt:


This was tested on WinXP SP3 with Adobe Reader 9.3.1. Clicking "Open" directly launches Calculator, as I just changed the "/F" parameter in his PoC to "calc.exe".


But wait, that's not it. I replaced calc.exe with, guess what, a URL, and voilà... my browser opened and took me straight to that page. Oh, how nice, Adobe!? :/ If your PDF opens directly in your browser, it gets even better:

[PDF URL redirection in action]

Now, not only can the attacker take you to an exploit-loaded website, this also becomes an even more lucrative vector for phishing attacks. Imagine receiving a PDF from a bank that asks you to click "Open" to go to its website and enter your details!

I decided to try this on my Ubuntu 9.10, but (thank god) the Evince document viewer did not open any file (yes, I modified the PDF for xcalc). But what about Adobe Reader 9.3.1 on Ubuntu? It did give the prompt, but unlike on Windows it did not allow me to execute any program.

[Screenshot]

Instead, I was able to open any file in the default editor. Also note that I was not able to control the prompt text box as in the case of Windows, and the URL demo didn't work with Adobe Reader on Ubuntu either.

Hope Adobe and others fix this issue soon! I don't wanna start analyzing another pile of malicious PDFs again... ;)
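The defender's side of this, as an added example (not code from the post or from Didier Stevens): a small scanner that reports /Launch actions in a PDF, what /F they point at, whether the target is a URL, and whether the document fires the action automatically through /OpenAction. PDF names may hex-escape any character (/L#61unch is the same name as /Launch), so the scanner normalizes those first. The fixture PDF is constructed for the scanner, with the /F target from the post; the 512-byte window after each /Launch in which the scanner looks for /F and /P is a heuristic of mine.

```python
import re

FILE_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)")    # /F (literal string)
PARAMS_RE = re.compile(rb"/P\s*\(((?:\\.|[^\\)])*)\)")  # /P (parameters) inside /Win
WINDOW = 512  # bytes after /Launch in which the action's keys are expected (heuristic)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes so obfuscated names compare equal to plain ones."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def launch_actions(pdf: bytes):
    """List every /Launch action with its target and parameters (if found)."""
    data = normalize_names(pdf)
    results = []
    for m in re.finditer(rb"/Launch\b", data):
        window = data[m.end():m.end() + WINDOW]
        f = FILE_RE.search(window)
        p = PARAMS_RE.search(window)
        target = f.group(1).decode("latin-1") if f else None
        results.append({
            "target": target,
            "params": p.group(1).decode("latin-1") if p else None,
            "is_url": bool(target and re.match(r"https?://", target, re.I)),
        })
    return results


def triggers_on_open(pdf: bytes) -> bool:
    """/OpenAction runs an action as soon as the document is opened."""
    return b"/OpenAction" in normalize_names(pdf)


def build_launch_pdf(target: str, params: str = "") -> bytes:
    """Constructed fixture for the scanner (no xref table, so not a reader-ready file):
    the catalog's /OpenAction is a /Launch action whose /F is the given target.
    The /Win sub-dictionary is where Windows readers take /F and /P from."""
    t = target.encode("latin-1")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Action /S /Launch /F (" + t + b") /Win << /F (" + t + b") /P ("
        + params.encode("latin-1") + b") >> >>",
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_launch_pdf("calc.exe")
    print(launch_actions(sample), triggers_on_open(sample))
    print(launch_actions(sample.replace(b"/Launch", b"/L#61unch")))
```

This only sees actions written in the clear. Actions stored inside compressed object streams (/ObjStm) need the streams inflated first, which is what pdf-parser's -f option or pdfid's keyword counts give you; treat any /Launch, /OpenAction, /AA or /JavaScript count above zero in an untrusted document as a reason to open it in a viewer that ignores launch actions.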

Thursday, March 25, 2010

Trying to skip the fish

The automated web application security testing tool "skipfish" was released recently and seems to have generated a lot of attention in the security community. So I decided to give it a try and install it in my lab.

Unfortunately, I run very old Linux distros in my lab (Red Hat 9, for example) and I am too lazy to upgrade to newer versions. Anyway, during installation I soon realized that it's not that easy to get skipfish up and running on RH9.

As with any installation on Linux, I had a quick look at the README and the skipfish wiki and went ahead with the "make" command, only to end up with:

In file included from /usr/include/openssl/ssl.h:179,
                 from http_client.h:26:
/usr/include/openssl/kssl.h:72:18: krb5.h: No such file or directory

To fix this, I had to edit the "Makefile" in the skipfish directory and add the following entry to the "CFLAGS_GEN" variable:

-I /usr/kerberos/include/

Hoping to compile skipfish successfully this time, I proceeded with make and was greeted with a different error:

http_client.c:39:18: idna.h: No such file or directory

Apparently I had assumed libidn to be present on RH9 and had not read the "known issues" doc properly. Thankfully, downloading the libidn source and installing it was straightforward and went without a glitch. Finally, skipfish compiled successfully!

Sadly, my problems were not over :(. When I tried to run it, I got the following error:

./skipfish: error while loading shared libraries: libidn.so.11: cannot open shared object file: No such file or directory

After some googling I found a way to fix this: add "/usr/local/lib" to "/etc/ld.so.conf" and rebuild the dynamic linker's run-time bindings cache with "ldconfig -v".

That did the trick, and I had skipfish version 1.13b running on my RH9 system.
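The three fixes above as an added, re-runnable script (this is my example, not part of the post or of skipfish): the Makefile edit, the ld.so.conf entry and a check that the binary's shared libraries now resolve. It assumes the skipfish Makefile sets its flags on a line of the form "CFLAGS_GEN = ..." (true for the 1.x Makefile, but check yours) and that the libidn build installed into /usr/local/lib, as it did in the post.

```sh
#!/bin/sh
# Added example: idempotent versions of the fixes from the post.

# Append a flag to the Makefile's CFLAGS_GEN line unless it is already there.
# Assumes a "CFLAGS_GEN = ..." line exists; the edit goes through a temp file
# because "sed -i" is not portable.
add_cflag() {
    mk="$1"; flag="$2"
    grep -qF -- "$flag" "$mk" && return 0
    sed "s|^\(CFLAGS_GEN[[:space:]]*=.*\)\$|\1 $flag|" "$mk" > "$mk.tmp" && mv "$mk.tmp" "$mk"
}

# Add a library directory to ld.so.conf if missing (exact line match).
ensure_ld_path() {
    conf="$1"; dir="$2"
    [ -f "$conf" ] || : > "$conf"
    grep -qxF -- "$dir" "$conf" || printf '%s\n' "$dir" >> "$conf"
}

# Rebuild the run-time bindings cache; ldconfig needs root.
refresh_ld_cache() {
    if [ "$(id -u)" -eq 0 ]; then ldconfig -v; else echo "not root: run 'ldconfig -v' yourself"; fi
}

# Print the shared libraries the dynamic linker still cannot find (empty = good).
unresolved_libs() {
    ldd "$1" 2>/dev/null | grep 'not found' || true
}

# Usage, as root, inside the skipfish source directory:
#   add_cflag Makefile -I/usr/kerberos/include && make
#   ensure_ld_path /etc/ld.so.conf /usr/local/lib && refresh_ld_cache
#   unresolved_libs ./skipfish
```

If unresolved_libs still lists libidn.so.11 after ldconfig, the library went somewhere other than /usr/local/lib; "find / -name 'libidn.so.11*'" tells you which directory to pass to ensure_ld_path instead.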

Happy skipfish’ing… :)

Friday, March 12, 2010

CVE-2010-0188 Adobe Reader TIFF vulnerability

The recent Adobe Reader vulnerability (CVE-2010-0188) seems to be doing the rounds these days. Thanks to Mila (Contagio blog), I got a chance to look at the malicious PDF file.

A quick look at the stats using the pdf-parser tool reveals the structure of this file:

C:\Analyze>pdf-parser.py -a "2010 March Luncheon Invitation_FINAL.pdf"
Comment: 4
XREF: 0
Trailer: 0
StartXref: 2
Indirect object: 43
12: 44, 45, 46, 55, 91, 92, 112, 114, 115, 117, 115, 135
/Catalog 1: 43
/EmbeddedFile 9: 2, 3, 5, 6, 7, 121, 122, 123, 124
/Filespec 2: 116, 134
/Metadata 2: 13, 13
/ObjStm 9: 125, 126, 127, 128, 129, 130, 131, 132, 136
/XObject 6: 56, 57, 113, 118, 119, 120
/XRef 2: 133, 137

Since most PDF exploits are created using embedded JavaScript, my instinct was to look for JavaScript object streams inside the PDF. But that didn't reveal anything interesting, so I turned my attention to the other objects.

The actual shellcode appears to be in object 119:


...while the TIFF file in object 122 is used to cause the overflow in ImageConversion.api:


Finally, object 3 contains the reference to the TIFF file:


All the streams in the PDF file are compressed, so I had to use the "-f" option of pdf-parser to inflate them and see the content. There was also a WAV file stream in the PDF, which is a little strange, but I could not get it to play!

Both dropped files appear to be the same as those explained in Mila's previous analysis on the Contagio blog. Lastly, the PDF seems to have been created on 25 Feb 2010 and modified on 03 Mar 2010 using Adobe LiveCycle Designer ES 8.2.

After reading some more about the exploit, I found that it does not use JavaScript at all. That means that even if you have disabled JavaScript in Adobe Reader, this exploit will still work, which probably explains why the bad guys are going after this vulnerability despite Adobe having released patches last month!
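The triage the post describes, as an added example (my code, not pdf-parser and not from the post): inflate every FlateDecode stream, report the objects that carry a TIFF (by its II*\0 / MM\0* signature), also look for a TIFF base64-encoded inside an XFA <image> element (the form a LiveCycle Designer document would use), and confirm the absence of /JavaScript. The fixture PDF is constructed; its object numbers mirror the post (the TIFF in object 122) but are illustrative only, and the TIFF inside it is a minimal empty header, not the malicious image.

```python
import base64
import re
import struct
import zlib

TIFF_MAGIC = {b"II*\x00": "little-endian", b"MM\x00*": "big-endian"}
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# XFA forms carry images base64-encoded inside <image> elements.
XFA_IMAGE_RE = re.compile(rb"<image[^>]*>\s*([A-Za-z0-9+/=\s]+?)\s*</image>", re.DOTALL)


def iter_streams(pdf: bytes):
    """Yield (object number, dictionary, decoded stream) for every stream object."""
    for m in OBJ_RE.finditer(pdf):
        num, dct, raw = int(m.group(1)), m.group(3), m.group(4)
        if b"/FlateDecode" in dct:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # left compressed; a stream that will not inflate deserves a look itself
        yield num, dct, raw


def tiff_kind(data: bytes):
    """'little-endian' / 'big-endian' for a TIFF header, else None."""
    return TIFF_MAGIC.get(data[:4])


def find_tiff_objects(pdf: bytes):
    """(object number, byte order, where) for each TIFF found raw in a stream or base64 in XFA."""
    found = []
    for num, _dct, data in iter_streams(pdf):
        kind = tiff_kind(data)
        if kind:
            found.append((num, kind, "stream"))
            continue
        for m in XFA_IMAGE_RE.finditer(data):
            try:
                blob = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
            except ValueError:
                continue
            kind = tiff_kind(blob)
            if kind:
                found.append((num, kind, "xfa-base64"))
    return found


def uses_javascript(pdf: bytes) -> bool:
    """True if a /JavaScript or /JS key is visible in the clear."""
    return re.search(rb"/(JavaScript|JS)\b", pdf) is not None


def build_fixture() -> bytes:
    """Constructed PDF: a Flate-compressed TIFF in object 122 (as in the post) and an XFA
    stream in object 5 holding the same TIFF base64-encoded. Object numbers are illustrative."""
    # Minimal TIFF: 'II*\0', offset 8 to the first IFD, an IFD with 0 entries, no next IFD.
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)
    xfa = b'<xdp:xdp><image contentType="image/tif">' + base64.b64encode(tiff) + b"</image></xdp:xdp>"
    objs = [
        (122, b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>", zlib.compress(tiff)),
        (5, b"<< /Filter /FlateDecode /Length %d >>", zlib.compress(xfa)),
    ]
    out = b"%PDF-1.6\n"
    for num, dct_fmt, body in objs:
        out += b"%d 0 obj\n" % num + (dct_fmt % len(body)) + b"\nstream\n" + body + b"\r\nendstream\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_fixture()
    print(find_tiff_objects(sample), uses_javascript(sample))
```

A TIFF inside a PDF is not malicious by itself; what this gives you is the list of objects to carve out and feed to a TIFF parser or a patched reader in a VM, plus the "no JavaScript" finding that explains why disabling JavaScript does not help here. Streams packed inside object streams (/ObjStm) are not unpacked by this scanner; pdf-parser does that.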

Tuesday, February 16, 2010

Olympics 2010 news ending up with Malware

Recently I covered how malware authors use black-hat SEO poisoning to distribute malware to unsuspecting victims. Since then, I have been closely monitoring the news trends, and this time the bad guys are targeting searches related to the Vancouver 2010 Olympic Games.

Tragedy struck at the Olympic luge (sled racing on ice) event, when the 21-year-old athlete Nodar Kumaritashvili died during a practice session on Friday. Apparently a video of the live footage spread across YouTube and other news channels like wildfire.

The IOC moved quickly to take the luge crash videos off the Internet, which increased the popularity of this search even further, as those who had not been glued to the early coverage were desperate to get news on the crash. The bad guys were quick to capitalize on this and started poisoning the search results with a lot of "bad" links.

Normally I find just a couple of poisoned links on the first page, but this is the first time I saw six or seven bad links on the first page of Google's search results itself!

[Image: LugeCrash_Search]

Once you click on a poisoned link, you are presented with a YouTube-like video loading screen, which then displays an "ActiveX object missing" error.

[Image: LugeCrash_ActiveX]

If you click on any of the buttons above, a downloader Trojan gets installed on your PC, which in turn downloads more malware. Unlike last time, where it appeared that the machine was being scanned by an AV, here it is a "missing video object" that is used to convince an unsuspecting victim to download the malware.

I am not sure why Google is not removing the bad links from its searches, as it did last time when Valentine's Day searches were getting poisoned results. This just shows that the bad guys are getting better with every new tragedy that happens out there.

I would advise caution to all readers who are searching for the latest news videos. Do not click on or install anything that claims to be a missing video codec or object.

Nearly every website requires only Adobe Flash Player to be installed in order to play streaming video. If you find a website that is not playing a video, just find another link that works with Flash! And in case Flash is not installed, go and install it from Adobe's website rather than from the site that is hosting the video.

Wednesday, February 3, 2010

Trojan using MS SQL ??

Well, it's my first post in 2010 :) ... rather late, I apologize for that.

I recently came across a Trojan sample that actually connects to a database server and issues SQL commands! This is the first time I have seen something like this.

Normally, backdoors and other malware use HTTP (POST/GET requests) to talk to their command servers, but in this case the malware was talking directly to a Microsoft SQL Server using standard DB commands on TCP port 1433.


After looking around for details on this Trojan, I realized that this malware is one of the components that a variant of Zbot downloads. Not many AV vendors detected this sample.

Once executed, the Trojan attempts to connect to dbsq0002.whservidor.com on TCP port 1433. I don't exactly speak TDS (Tabular Data Stream), but from the looks of it, it tries to access the "estargames1" database and then executes the following SQL command:

SELECT * from TBL_002 where localizador = A0D23C2E

If the query does not return any results, it goes ahead and makes an entry in the database using:

INSERT into TBL_002 (localizador,data,horas) VALUES ('A0D23C2E', '2/3/2009', '11:09:29 AM')

The string "A0D23C2E" appears to be random and changes with every infection.
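Enough TDS to read what the post saw on the wire, as an added example (my code, not from the post): a decoder for the 8-byte TDS packet header and for the SQL text carried in a SQLBatch packet, plus a regex that pulls the table names out of the recovered statement. TDS 7.1 batches are bare UTF-16LE text; TDS 7.2 and later prefix an ALL_HEADERS block whose first four bytes are its little-endian total length, and the decoder handles both. The packets here are constructed from the two statements in the post, the database name and host are not used, and the "printable first character" test that tells the two batch layouts apart is a triage heuristic of mine.

```python
import re
import struct

# TDS packet header, 8 bytes, big-endian: Type, Status, Length, SPID, PacketID, Window
TDS_HDR = struct.Struct(">BBHHBB")
TDS_TYPES = {0x01: "SQLBatch", 0x03: "RPC", 0x04: "TabularResult", 0x10: "Login7", 0x12: "PreLogin"}
STATUS_EOM = 0x01  # last packet of the message


def parse_header(pkt: bytes) -> dict:
    if len(pkt) < TDS_HDR.size:
        raise ValueError("short TDS packet")
    ptype, status, length, spid, pid, _window = TDS_HDR.unpack_from(pkt)
    if length > len(pkt):
        raise ValueError("TDS length exceeds captured bytes")
    return {"type": TDS_TYPES.get(ptype, "0x%02x" % ptype), "status": status,
            "length": length, "spid": spid, "packet_id": pid}


def sql_batch_text(pkt: bytes):
    """SQL text of a SQLBatch packet, or None for any other packet type."""
    hdr = parse_header(pkt)
    if hdr["type"] != "SQLBatch":
        return None
    body = pkt[TDS_HDR.size:hdr["length"]]
    # Heuristic: UTF-16LE text starts with a printable byte followed by 0x00;
    # otherwise assume a TDS 7.2+ ALL_HEADERS block and skip its total length.
    if len(body) >= 4 and not (0x20 <= body[0] < 0x7F and body[1] == 0x00):
        total = struct.unpack_from("<I", body)[0]
        if 4 <= total <= len(body):
            body = body[total:]
    return body.decode("utf-16-le", errors="replace").rstrip("\x00")


def tables_referenced(sql: str):
    """Table names following FROM / INTO / UPDATE (simple regex, enough to spot TBL_002)."""
    return set(re.findall(r"\b(?:from|into|update)\s+([A-Za-z_][\w.]*)", sql, re.I))


def build_sql_batch(sql: str, all_headers: bool = False, spid: int = 0) -> bytes:
    """Constructed SQLBatch packet for testing; all_headers=True adds the TDS 7.2+ prefix."""
    payload = sql.encode("utf-16-le")
    if all_headers:
        # ALL_HEADERS, total 22 bytes: one header of length 18, type 2 (transaction
        # descriptor): 8-byte descriptor + 4-byte outstanding request count.
        payload = struct.pack("<IIH", 22, 18, 2) + b"\x00" * 8 + struct.pack("<I", 1) + payload
    return TDS_HDR.pack(0x01, STATUS_EOM, TDS_HDR.size + len(payload), spid, 1, 0) + payload


if __name__ == "__main__":
    for stmt in ("SELECT * from TBL_002 where localizador = A0D23C2E",
                 "INSERT into TBL_002 (localizador,data,horas) VALUES ('A0D23C2E', '2/3/2009', '11:09:29 AM')"):
        pkt = build_sql_batch(stmt, all_headers=True)
        print(parse_header(pkt)["type"], tables_referenced(sql_batch_text(pkt)), sql_batch_text(pkt))
```

On a real capture, reassemble the TCP stream to port 1433 first and walk it packet by packet using the Length field; a Login7 packet (type 0x10) earlier in the same stream carries the database name the Trojan asks for, and a workstation opening SQLBatch packets to an Internet host is a detection on its own, whatever the statements say.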

Now, the fact that someone cares to install a Microsoft SQL database on the standard port, open to the Internet, is really funny! :) Makes me wonder what the exact intention of this malware is. Is it some online gaming server, as the name suggests, or is the malware author trying to track the infections of his Trojan?

Drop me a comment if you have more info on this !