Thursday, April 26, 2012

Flashback Mac OS X Malware - Can We Control It?



Flashback malware has been used effectively to infect Mac OS X machines. Typically, it follows the drive-by-download attack process: a vulnerability is exploited stealthily, which results in a bot being downloaded onto the Mac OS X machine. Several Java vulnerabilities have been used to execute this attack. Flashback checks for the presence of several sets of files on Mac OS X machines to detect whether any anti-malware tools are installed. If the files are not found, it triggers the routine to install itself and connect back to the C&C server. The list of servers is generated after the successful verification of anti-virus tools. The infected machines are segregated using UUID strings, which are unique, to manage and control the bots. More details about the behavior of this malware can be found at the following link:


http://news.drweb.com/show/?i=2341&lng=en&c=5

Our team conducted a small set of experiments and wrote a detection signature that can be ported directly into an IDS running as a peripheral network monitoring device at various ISPs. We are not disclosing the details of the signature, but a quick test presented us with a list of IP addresses that are running C&C servers for Flashback Mac OS X bots. Here are some of the IP addresses

So even Mac OS X is not as secure as believed. We will be doing some static analysis of this malware to understand the design from the core.

Wednesday, April 25, 2012

BlackHole BEP Still Rising High!

Last year at the Virus Bulletin conference, we presented the techniques and tactics used by Browser Exploit Packs (BEPs). We discussed the functionality of BlackHole. The paper can be downloaded from http://www.secniche.org/papers/VB_2011_BRW_EXP_PACKS_AKS_RJE.pdf.

We also discussed the exploit distribution mechanism in BEPs by presenting a study of the Phoenix BEP in the HITB Ezine. The paper can be downloaded from http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-008.pdf.

However, we have not seen any decrease in the infection rate of BlackHole BEP. Our team conducted some tests and the results are as expected. Deployed IDS signatures collected several IP addresses that are infected with BlackHole. We are not disclosing the details of our detection payloads. Here is a list of the IP addresses




Most of these IP addresses are found to be in Canada and the US. The point is, BlackHole BEP is still rising high. We are still in the process of conducting more experiments to decipher the running behavior of BlackHole.

Monday, April 23, 2012

JavaScript Obfuscation - Manual Armor (2)

Every day we encounter different sets of obfuscated scripts running hidden iframes in infected websites. Several Brazilian (.br) domains are serving a similar set of obfuscated scripts. One example was discussed earlier in our article - JavaScript Obfuscation - Manual Armor (1). We came across another variant of this file. A simple methodology was presented in the earlier post. This time we have an obfuscated JavaScript as follows


So, we need to clean it and we did as follows:

At this point, we need to get the value of variable "f", which can be calculated in a JavaScript interpreter by triggering the "split" calls and then feeding the result into the loop so that every single element value is increased by 41 (values with "+" and "-" will be added and subtracted respectively). After all this, a simple Python program that holds these elements in a list and applies the logic deobfuscates the JavaScript as follows


So we get the URL serving malware, that's what we want. :)

Wednesday, April 11, 2012

Exploit Distribution Mechanism in BEPs - HITB

We have released another paper on the exploit distribution mechanism in Browser Exploit Packs (BEPs).

Abstract: "Browser Exploit Packs (BEPs) have been used extensively for spreading malware. In this paper, we present details of the techniques chosen by malware writers to distribute exploits across the Internet."

Download - http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-008.pdf

Saturday, April 7, 2012

JavaScript Obfuscation - Manual Armor (1)

Recently, we came across a similar set of obfuscated JavaScripts that are being used continuously in conjunction with automated Browser Exploit Packs (BEPs) such as BlackHole. There are several variations of this type of obfuscated JavaScript. Our team prefers to do deobfuscation manually because automated tools are sometimes not good enough to perform it. In this post, we discuss the methodology that we prefer to follow at SecNiche labs. Let's take a look at the obfuscated JavaScript shown below



















The methodology goes like this:

Step 1: Beautify Your JavaScript
The very first (basic) step is to beautify the obfuscated JavaScript. From an analysis perspective, beautifying the code (for example, applying appropriate indentation) makes it much easier to decipher the initial structures in the JavaScript. Always do this step before proceeding further.

Step 2: Divide and Rule
This strategy works perfectly well when analyzing obfuscated JavaScripts. The motive behind this step is to analyze the code in small snippets for a better grasp.

Applying step 1 and step 2 to the given JavaScript code, we get part 1 of the code as follows


and part 2 of the code as follows


In part 2, to interpret the given code as a single string, one has to use the characters ["" +]. Even for automated analysis, these parameters need to be tuned so that the string is interpreted appropriately. Check the string passed to variable "n".

Step 3: Extract the Logic
On the modular code (divided code snippets), try to apply the logic step by step (top to bottom). When we compute the value of "h" we get: h=-2*Math.log(Math.E);   // h = -2

The next step is to compute the value of "n". We have n="[string]".split("a"), which means we have to split the string. By default, the split function dissects the string n by the delimiter ",". We tweak the code a bit as presented below:

On executing this code in a JavaScript interpreter we get the output as follows,

At this point, we have successfully unwrapped some part of the code by obtaining the values of h and n. Now, we have to dissect the loop present in part 2 as follows

for(i=0;-n.length<-i;i++)
{
    j=i;
    ss=ss+s[f](-h*(1+1*n[j]));
}

if(1)q=ss;
if(s)e(q);
To compute the code finally, we need to unwrap the logic used in the loop. Step 4 involves the automation of the code.

Step 4: Automating the Process - Python
In step 4, we need to automate the process to get the next value of the string. Having understood the logic, we write the following Python script to compute the loop


The code multiplies every single value by 2 and builds up the new string. We are almost at the end, so we need to build up the final code as presented below


So here we have the final script as follows

A good methodology always helps to attain the target.
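
The decode loop shown above, replayed statically in Python. This is an added example, not the script from the original post. The function names, the constructed sample and the `landing.example` host are assumptions. It generalises the loop to chr(mul*t + add), so the same helper covers the "+41" variant described in Manual Armor (2) with mul=1, add=41 (an interpretation of that description).

```python
import re

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

def decode_tokens(blob, sep, mul, add):
    """Static replay of the decode loop: token t -> chr(mul*t + add)."""
    out = []
    for tok in blob.split(sep):
        if not tok.strip():
            continue                      # tolerate stray/trailing separators
        code = mul * float(tok) + add     # JS 1*n[j] also yields floats ("22.5")
        if not code.is_integer() or not 0 <= code <= 0x10FFFF:
            raise ValueError(f"token {tok!r} gives invalid char code {code}")
        out.append(chr(int(code)))
    return "".join(out)

def encode_tokens(text, sep, mul, add):
    """Inverse transform, used here only to build the constructed sample."""
    return sep.join(format((ord(c) - add) / mul, "g") for c in text)

def extract_urls(script):
    """Pull URLs out of the recovered text; nothing is ever eval'ed."""
    return URL_RE.findall(script)

# From the post: h = -2*Math.log(Math.E) = -2, and the loop computes
# -h*(1+1*n[j]) = 2*n[j] + 2, so mul = 2 and add = 2.
H = -2
MUL, ADD = -H, -H

# Constructed sample (not the script from the post): a hidden-iframe writer.
HIDDEN = ("document.write('<iframe src=\"http://landing.example/in.php\" "
          "width=0 height=0></iframe>')")
SAMPLE = encode_tokens(HIDDEN, "a", MUL, ADD)

if __name__ == "__main__":
    script = decode_tokens(SAMPLE, "a", MUL, ADD)
    print(SAMPLE[:40] + "...")   # what the obfuscated token string looks like
    print(script)                # recovered script, as text only
    print(extract_urls(script))  # the URL the analyst is after
```

Because the output is treated purely as text, the final `e(q)` step of the original script is never reproduced; the analyst reads the URL out of the recovered string instead.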

Wednesday, April 4, 2012

Conferences Presentation Slides are Posted

I have uploaded the PDFs of my talks from the last two years. You can download them from: http://secniche.org/presentations.html

Enjoy!

Tuesday, April 3, 2012

VB Magazine - Zombifying Targets using Phishing Campaigns



Abstract: Phishing has grown exponentially over recent years. In this article we analyse the Google E-Card phishing campaign and its accompanying binary to show how a victim’s machine is compromised. Aditya Sood and Richard Enbody analyse the details of the Google E-Card phishing campaign and its accompanying malicious binary to understand the propagation and distribution of the malware.

http://www.virusbtn.com/virusbulletin/archive/2012/04/vb201204-zombifying

Enjoy!