Digging deep into BlackHat SEO – Part1

It was used before for tragic news and has been seen once again now when actress Brittany Murphy passed away over the last weekend. Cybercriminals have been very effectively using SEO techniques to download malware on users machines who are trying to browse Internet looking for latest breaking news.

A simple Google search for “Brittany Murphy death” reveals some interesting search results. After the first two-three valid results, there are some mysterious links that at first seem very valid based on the preview text you see in the results.

There is no way any average user can figure this out but when you actually click on one of such links, it takes you to some completely different URL and often through multiple redirects.

This is all done using Search Engine Optimization (SEO) techniques. The bad guys first create a page and dump all the popular sentences surrounding a breaking news like – “Airline crash” or “Michael Jackson death” onto that page. They also inject an iframe on the same page that will have one or more redirects to a malicious web page. Then using special SEO tools like XRumer they increase their page ranking by spamming their URL all over the internet.

When you click on one such poisoned search result, suddenly out of no where there will be a windows pop-up alert on your screen -

Ultimately you end up landing on a page that first seems like an Antivirus which is scanning your local machine but is in fact a very cleverly designed web page.

So depending on which OS you are running, the malicious webserver shows you a corresponding look and feel type of Antivirus program. This one above shows a Vista/Win7 look and feel to it where as if you are running WinXP you get this -

If you look closely, it is completely designed to trick a user into believing that a Antivirus is scanning the PC. If you are an average Internet user, you won’t even realize that this is being rendered through Internet Explorer ! That is some clever use of HTML and JavaScript code ;)

At this point, irrespective of where you click, you will be prompted to download and install a setup file which is nothing but a downloader Trojan. It downloads Rogue Antivirus program which not only have a look and feel of popular AV programs but also have funky names like “Antivirus 2010” or “PC Protect 2010”. But before you can say clean, it will prompt you for registration which can be anywhere from 30$ to 80$ :P !

This trick of threatening the a victim by showing how infected his PC is, works out rather well. A lot of not-so-tech-savvy people fall for such kind of tricks and the bad guys seem to be earning a lot. The Rogue AV products keep changing their names and so do the various domains that host these malicious pages. This has been one of the very popular attack vector for malware distributers in 2009.

In the next part I will show you what all things go behind the scene in these type of attacks.

Stay tuned and Merry Christmas ! :)

NetBIOS Spoofing

The other day I came across a post at skullsecurity.org that spoke about an interesting way of using NetBIOS name service for doing MiTM attack. The author showed how his tool nbpoison could be used to inject false NetBIOS information on the wire and spoof other hosts.

This is very interesting form of doing MiTM as there is no arp-spoofing involved and that is good, since every Tom, Dick and Harry’s device in the network today detects/blocks arp-poisoning kind of attacks. Also, arp-spoofing is way to noisy and can easily give away attackers presence in the network. Not to mention that its a old-school attack that has been there for quite some time now.

So, I decided to explore this and have some fun using the nbtools and figure out what all attacks can be made possible in my Lab. I have in all 3 machines in my lab - 2 WinXP Hosts and 1 Linux host which acts as the gateway for the windoze boxes. As the author has mentioned, this attacks are more useful in hotels or conferences where there are internet kiosks with captive portal authentication mechanisms.

Scenario 1: DNS Choking

This attack is useful when, for some reason, DNS server on a network is not reachable. There could be multiple possibilities -either uplink of the switch you are connected to is (purposely) physically disconnected or network/firewall miss-configuration or DNS server/service itself is down. Even some captive portals prevent access to any resources before you authenticate. So, if the DNS server is not available, as a last resort, Windoze will fall back to NetBIOS name resolution and this is where we can 0wn the box.


So, as you can see, webserver on the Linux box was used to host the fake page which could have been anything from fake captive portal logins to fake Gmail login page to trick the user into entering his credentials. In the above scenario, I had blocked all connections from the victims (10.10.10.7) machine using iptables on the gateway (Linux Box). FYI, the nbpoison tool can be run on any machine and need not be on the gateway.

Scenario 2: Abusing WPAD Requests

This type of attack is useful when browsers have the “Automatically detect settings” enabled in the “LAN Settings” menu. IE and Firefox both have this setting in order enable network administrators to automatically configure proxy settings. This is made possible using WPAD (Web Proxy Auto Discovery) protocol which also uses NetBIOS requests to look for the “wpad.dat” file. This is nothing but a simple plain-text configuration file that tells the browser which proxy to connect to for browsing the internet.

So, here we use the famous “sslstrip” to force HTTPS connection to HTTP and sniff passwords in clear text. Like before, we use the webserver on the Linux box to host the wpad.dat file which redirects the victims browser to sslstrip (running on port 8080) and we get to see all the good stuff :) !

The possibilities in this scenario are endless. We could use our own proxy, something like Paros to completely manipulate the victims browsing experience. But I will leave all the evil thinking to the reader as an exercise ;)

** DISCLAIMER: This is meant as a pure instructional tutorial. I am not responsible for the damages caused by any script-kiddies stupidity or lack of understanding thereof. No harm in any form was caused to anybody in the making of this tutorial.

Dissecting Zeus Botnet...

Posting after a long time.. was quite busy with some presentations to make as well as with my Protocol Fuzzer script which should be ready soon.

Anyways, the Zeus Botnet has been around for quite some time now and has gained some attention with its Internet Banking password stealing campaigns and Zeus Crimeware Kit ! Recently I received a sample which happened to be one of the Trojans belonging to this family.

“uk.exe” as it being distributed around in the wild initially seemed something else as VirusTotal results reported a rather poor detection percentage by AV vendors and also a different name like Trojan.Meredrop or Bancos.lgi. At the time of this analysis, only 2 of the major five AV companies were able to detect this Trojan and Microsoft reports suggested it as a downloader.

But, when I started up with my usual dynamic analysis, things were a little different. I had no idea that I was dealing with Zeus Botnet Trojan. This Trojan has a root kit functionality and it injects itself into one of windows processes to avoid detection. As soon its executed, the orginal process (uk.exe) exited and soon the Trojan became part of svchost.exe as expected. It then connected to “ogurchik.cn” like any typical downloader over HTTP.

  Fig1: Trojan communication

As I was looking at wireshark trying to search patterns to write IPS signature, I noticed that everything was encrypted :( A little disappointed, I started digging in deeper looking at File/Registry changes done by the malware to see if I could locate the downloaded stuff on the disk. Even that too was encrypted and file locked by the Trojaned process itself. So, as usual when nothing works google does :) .. searching for “ogurchik.cn” directly landed me to zeustracker.org website and I realized that I was dealing with something more sinister than just a downloader.

After reading an excellent article at Threatexpert blog on the Zeus Botnet, I knew that I was dealing with “variant 4” of the Zeus Botnet and that the encrypted communication is nothing but the configuration file of the Bot. Luckily I got hold of the Zeus Decryptor tool so I didn't have to re-invent the wheel. The encryption is done using RC4 algorithm and the funny part is that the 256-bit key is stored within the Trojan exe when its built. So for the Decryptor tool to work, it has to run on the same infected machine so that it can extract the key from the  memory  of the Trojaned process.

  Fig2 : Dumping raw data from Wireshark / Decryptor in Action

After dumping raw data from the HTTP Response into file (zeus.cfg.raw), I ran the decryptor tool to get the clear text data and was shocked to see js code in it ! When I was reading more on the Zeus functionality, I was amazed at one of the Trojans capability and that was to intercept & inject HTML code in Browser in real-time ! So, I decided to play around more with the Trojan hoping to see the password stealing process in action. After going through the fairly elaborate Java code, I figured out that it was designed to manipulate code for banking sites belonging to HSBC, Abbey Santander, Alliance & Leicester and NatWest banks – all UK based Internet banking sites.

 Fig3: The Zeus configuration file

So, I opened the NatWest website and entered some fake details for all the fields and voila ! .. Apart from the encrypted traffic, there was a HTTP request to “ety8sj.cn” submitting all the data captured in clear text ! There it was – all the credentials nicely packaged along with “ZCID” (Zeus ID) which was my machine name followed by random string. I wonder why the malware authors decided to keep this part in clear text, they might as well have had used encryption for this too – but hey, it definitely made my life easier since I could now write a IPS signature for it ! :)

 

Fig4: Stolen credentials being submitted to the attacker

But the ability to inject code and manipulate data in the Browser was just amazing ! I mean who thought of this thing – it just defeated everything - SSL, Secured Login everything ! As If that was not enough - it detects the virtual keyboard in use and starts taking screenshots leaving end user completely helpless !

At this moment there are Zeus Kits being sold in the wild for anywhere between $400 to $800 and mind you these are sophisticated kits with a proper User Interface and statistics logging which allow you to completely customize the Trojan as per the needs. Some guys are also selling “Zeus as a service” giving control of their botnet on rent for a few days ! :o Since each binary of the Trojan generated from the kit is designed to have different code, the criminals can virtually churn out thousands of such Trojans and that explains the poor detection rate by the AV companies.