Tuesday, April 15, 2014

Targeted Cyber Attacks Book - Syngress !

Update: A very insightful review of the book published in Network Security.

I started sketching this book about a year ago when I was invited by Syngress for this project based on my previous work on crimeware research. Thanks to the Syngress and Elsevier team for this step. Due to my ongoing job and commitments, the project got delayed, but eventually the book is about to be published on 18th April. The first edition of the book is dedicated to the readers who are interested in understanding the artifacts of targeted cyber-attacks and associated components. Personally, I would like to thank all the researchers and journalists who reviewed the book and provided positive feedback.

Introduction: Cyber-crime increasingly impacts both the online and offline world, and targeted attacks play a significant role in disrupting services in both. Targeted attacks are those that are aimed at a particular individual, group, or type of site or service. Unlike worms and viruses that usually attack indiscriminately, targeted attacks involve intelligence-gathering and planning to a degree that drastically changes their profile.
Individuals, corporations, and even governments are facing new threats from targeted attacks. Targeted Cyber Attacks examines real-world examples of directed attacks and provides insight into what techniques and resources are used to stage these attacks so that you can counter them more effectively.

The book is available to be ordered at the following places:
Note: Elsevier Store will offer electronic versions that are readable on Kindles in PDF and MOBI format.

Enjoy !

Thursday, February 27, 2014

Gmail Phishing Attack - Why the Anti-spam Solutions Fail to Trigger ?

Update: 5th March, 2014

Note: I am concerned because it got delivered to my personal gmail inbox -:)

It looks like the phishing attack discussed earlier (a week ago) on Gmail users is still underway. Although the attack is public now, the endpoint security solutions deployed by Google still fail to mark the emails as phishing. The latest snapshot of this attack is presented below:

  • hxxp://croydon.com.br/phpthumb/serv/serv/Login.htm 
  • hxxp://croydon.com.br/phpthumb/serv/serv/badu.php

Depending heavily on Safe Browsing blacklists to block phishing websites is not reliable on its own; prevention has to be triggered at the point of origin, when the email is delivered. Let's see how long this continues.


A recent targeted phishing attack has been launched against gmail.com users. Interestingly, the email slipped through Google's endpoint security solution, which failed to detect the spam email and delivered it straight to the user's inbox.

Visiting the link results in the following webpage, showing the same layout as Gmail's.

Malicious Check: 

Overall, the basic steps are:
  1. The user is redirected and served with a gmail.com look-alike webpage hosted here: hxxp://www.nusurgix.com/virtusite/phpthumb/serv/Login.htm
  2. The form submission sends all the POST data (the entered credentials) to: hxxp://www.nusurgix.com/virtusite/phpthumb/serv/badu.php
  3. The user is then redirected to the legitimate Google sign-in page: hxxps://accounts.google.com/
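The three steps above boil down to one observable: a Gmail-styled login form whose action is a PHP script on a host that has nothing to do with Google. The Python below is an added example (not from the original post) of a check a mail gateway or URL sandbox could run on a fetched page; the trusted-host list, the placeholder hostname and the sample HTML are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts allowed to receive Google credentials (assumed list for this example).
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}

class _FormCollector(HTMLParser):
    """Records each <form>'s resolved action and whether it has a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "password": False}
            self.forms.append(self._current)
        elif (tag == "input" and self._current is not None
              and a.get("type", "").lower() == "password"):
            self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def credential_forms_off_brand(html, page_url, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Return (action_url, reason) for password forms posting anywhere but a trusted host over HTTPS."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue  # no credential field, nothing to exfiltrate
        target = urlparse(form["action"])
        if target.hostname not in trusted_hosts:
            findings.append((form["action"], "posts credentials to untrusted host %s" % target.hostname))
        elif target.scheme != "https":
            findings.append((form["action"], "posts credentials over plain HTTP"))
    return findings

# Constructed sample mirroring the Login.htm flow above: a Gmail-styled form whose
# action is a PHP script in the same directory on the (placeholder) compromised host.
SAMPLE_PAGE_URL = "http://compromised-host.example.test/phpthumb/serv/Login.htm"
SAMPLE_HTML = """<html><body><h1>Gmail</h1>
<form method="POST" action="badu.php">
  <input type="text" name="Email"><input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form></body></html>"""
```

Calling `credential_forms_off_brand(SAMPLE_HTML, SAMPLE_PAGE_URL)` flags the relative `badu.php` action once it is resolved against the page URL, which is exactly the step-2 behaviour described above.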

The website is hosted on a CMS hosting server as shown below:

Overall, it might not be that sophisticated an attack, but a few inferences can be drawn:
  • A smart user would have detected that this is a trick even though it was delivered to the inbox.
  • The big issue is that the anti-spam solutions in Google's network fail to detect it and mark it as phishing.
  • There is a possibility that a few users have fallen for this trick, but we cannot be sure.
  • The attacker used compromised network infrastructure to execute this attack: a healthcare provider's hosting account was compromised.
  • Even if this type of attack remains active for only a few minutes, it could already have garnered a good set of accounts.
Do not fall for this trap !

Sunday, January 12, 2014

Virus Bulletin - NiFramer Iframer Injector - CPanel

A couple of months ago, we released a paper on the design of NiFramer, a bash tool that automates iframe injection on compromised servers. It has been used widely by attackers. In the coming time, we will be covering different variants of automated iframe injection tools.

You can download the paper at: http://secniche.org/released/VB_CPANEL_IFRAME_INJECT.pdf

Tuesday, November 5, 2013

Virus Bulletin : Analysis of Styx Exploit Pack

We released a paper in Virus Bulletin Magazine on the design analysis of the Styx exploit pack.

" In this paper, we discuss the details and design of the Styx exploit pack. According to the dictionary, Styx is a river in the underworld, over which Charon ferried the souls of the dead. According to the Styx service provider website, ‘Styx is a river in Greek mythology that formed the boundary between earth and the underworld... It circles the underworld nine times.’ So it seems that the origin of the name is as rigorous as the exploit pack itself."

Download the paper from here: http://secniche.org/released/VB_Styx_Exploit_Pack.pdf

Monday, June 10, 2013

ToorCon 14 Slides : Malandroid : The Crux of Android Infections

Just uploaded the deck of slides used in the talk that I presented at the ToorCon 14 security conference in San Diego.

ToorCon 14 : Malandroid : The Crux of Android Infections 

Abstract: The Android platform has been plagued by malware for the past several years. Despite all attempts to detect and mitigate malicious applications on Android, malware is still flying under our radar and getting on our devices and causing millions of users financial and data loss every year. Additionally, the malware analysis community is at a large disagreement on how Android malware should be classified. In this talk, we’ll dive into the tactics, tools and procedures used by Android malware today, including several case studies of exceptional malware samples. By analyzing real code used by malware in the wild, we’ll be able to show the advancements in Android malware from a design perspective.

Enjoy !

Monday, May 20, 2013

Contrarisk Security Podcast: A look into Socioware !

I recently did a podcast on Socioware with Steve from Contrarisk.

"Microsoft recently warned about Man in the Browser (MitB) malware exploiting Facebook sessions. When a user is infected – often by drive-by downloads on infected or malicious sites – the malware uses authenticated sessions on Facebook to post messages, ‘like’ pages and get up to general mischief."

Listen to the podcast here: http://contrarisk.com/2013/05/19/csp-0011/

Tuesday, March 26, 2013

Malware Retrospective - Infected Chinese Servers Deploy Metasploit Exploits

It's been a while since our team blogged about malware and other interesting information. Today, we got some time to talk about one of the cases that we analyzed while testing a few tools of our own. We prefer to construct custom scripts and tools to automate the process of web malware analysis. Recently, we tested our tool, a simple parser that fetches the script, iframe and embed tags present in remote web pages for faster analysis. We came across a set of malicious domains that were serving an exploit which used the JavaScript heap-spraying technique to execute a payload via a drive-by download attack. Well, that's a common technique for silent browser exploitation. But what was not common is the issue discussed below.
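The parser mentioned above is the kind of triage tool that also surfaces the injected iframes discussed in the NiFramer post. As an added example (not the team's tool or any code from the original post), the Python below collects the remote script, iframe and embed includes from a page and notes the two signals an analyst looks at first: a third-party host and hidden styling; the sample page and its hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def _looks_hidden(a):
    """Zero/one-pixel size or hidden styling: the usual dress of an injected iframe."""
    style = a.get("style", "").replace(" ", "").lower()
    tiny = {"0", "0px", "1", "1px"}
    return (a.get("width", "") in tiny or a.get("height", "") in tiny
            or "display:none" in style or "visibility:hidden" in style)

class _RemoteContentCollector(HTMLParser):
    """Records every <script>, <iframe> and <embed> that pulls in remote content."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.items = page_url, []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("script", "iframe", "embed") and a.get("src"):
            self.items.append((tag, urljoin(self.page_url, a["src"]), _looks_hidden(a)))

def triage_page(html, page_url):
    """Return (tag, resolved src, reasons) per remote include; reasons is empty
    when nothing about the include stands out."""
    parser = _RemoteContentCollector(page_url)
    parser.feed(html)
    own_host = urlparse(page_url).hostname
    report = []
    for tag, src, hidden in parser.items:
        reasons = []
        if urlparse(src).hostname != own_host:
            reasons.append("third-party host")
        if hidden:
            reasons.append("hidden element")
        report.append((tag, src, reasons))
    return report

# Constructed sample: the site's own script, a third-party counter script, and an
# injected zero-size iframe pointing at a landing page on another (placeholder) host.
SAMPLE_PAGE_URL = "http://www.example-site.test/index.html"
SAMPLE_HTML = """<html><body>
<script src="/js/menu.js"></script>
<script src="http://stats.example.test/counter.js"></script>
<iframe src="http://landing.example.test/in.php" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""
```

Calling `triage_page(SAMPLE_HTML, SAMPLE_PAGE_URL)` reports the site's own script with no reasons, the counter script as third-party, and the iframe as both third-party and hidden.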

The malware domain was hosting an exploit for MS12-043 (Microsoft XML Core Services, MSXML uninitialized memory corruption). More details can be read here: MS12-043. Unsurprisingly, the IP address of that domain belonged to China, as shown below:

Our surprise did not end here. As the exploit for this vulnerability was released last year, it raised our interest to check how the exploit code was structured. When the exploit code was traced, it was nothing more than a sweet shock: the Chinese domain used the same exploit code hosted in the Metasploit repository for the vulnerability in question. Now the question: is it possible that Chinese malware authors simply deploy Metasploit exploits for an easy infection process? It could be. Who knows whether the domain was compromised by Chinese actors or belonged to others. In addition, it is hard to say who hosted that malware, but clearly the servers were located in China.

The exploit for this vulnerability can be found in Metasploit here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb.

A simple comparison of one of the code snippets used on the malware domain with the legitimate Metasploit repository is shown below:

The exploit code was used in conjunction with the JS code hosted here: http://js.users.51.la/15240615.js.

This code dynamically generates information about the visitor and creates log details for statistical purposes.

We recall that traces were detected earlier where the Phoenix exploit kit used one of the same exploits present in Metasploit. Refer: Gangsterware

The conclusive points are:

  • Metasploit provides neat exploits which are easy to deploy and use.
  • The evidence shows that malware authors are using Metasploit exploits.

Well, Reality bites !

Tuesday, March 5, 2013

VB Magazine - A Look into Sweet Orange and Propack Exploit Pack

We have just released our thoughts on "Sweet Orange" and "ProPack" exploit packs in VB magazine this month.

"Blackhole has been the major player in the exploit kit market for a while now, but the Sweet Orange and ProPack kits have recently entered the market and are rapidly gaining in popularity. Aditya Sood and colleagues take a look at advancements in the design of the new kits on the block."

Refer: http://www.virusbtn.com/virusbulletin/archive/2013/03/vb201303-SweetOrange-ProPack

Enjoy !