Tuesday, November 5, 2013

Virus Bulletin : Analysis of Styx Exploit Pack

We released a paper in Virus Bulletin Magazine on the design analysis of Styx exploit pack.

" In this paper, we discuss the details and design of the Styx exploit pack. According to the dictionary, Styx is a river in the underworld, over which Charon ferried the souls of the dead. According to the Styx service provider website, ‘Styx is a river in Greek mythology that formed the boundary between earth and the underworld... It circles the underworld nine times.’ So it seems that the origin of the name is as rigorous as the exploit pack itself."

Download the paper from here: http://secniche.org/released/VB_Styx_Exploit_Pack.pdf

Monday, June 10, 2013

ToorCon 14 Slides : Malandroid : The Crux of Android Infections

Just uploaded the deck of slides used in the talk that I presented at the ToorCon 14 security conference in San Diego.

ToorCon 14 : Malandroid : The Crux of Android Infections

Abstract: The Android platform has been plagued by malware for the past several years. Despite all attempts to detect and mitigate malicious applications on Android, malware is still flying under our radar and getting on our devices and causing millions of users financial and data loss every year. Additionally, the malware analysis community is at a large disagreement on how Android malware should be classified. In this talk, we’ll dive into the tactics, tools and procedures used by Android malware today, including several case studies of exceptional malware samples. By analyzing real code used by malware in the wild, we’ll be able to show the advancements in Android malware from a design perspective.

Enjoy !

Monday, May 20, 2013

Contrarisk Security Podcast: A look into Socioware !

I recently did a podcast on Socioware with Steve from Contrarisk.

"Microsoft recently warned about Man in the Browser (MitB) malware exploiting Facebook sessions. When a user is infected – often by drive-by downloads on infected or malicious sites – the malware uses authenticated sessions on Facebook to post messages, ‘like’ pages and get up to general mischief."

Listen to the podcast here: http://contrarisk.com/2013/05/19/csp-0011/

Tuesday, March 26, 2013

Malware Retrospective - Infected Chinese Servers Deploy Metasploit Exploits

It's been a while since our team blogged about malware and other interesting information. Today, we got some time to talk about one of the cases that we analyzed while testing a few tools of our own. We prefer to build custom scripts and tools to automate the process of web malware analysis. Recently, we tested one such tool, a simple parser which fetches the script, iframe and embed tags present in remote web pages for faster analysis. We came across a set of malicious domains that were serving an exploit which used a JavaScript heap spraying technique to execute its payload in a drive-by download attack. Well, that's a common technique for silent browser exploitation. But what was not common is the issue discussed below.
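The kind of parser described above, written here as an added example rather than the team's own tool: it walks an HTML page with Python's standard-library HTMLParser, collects the src of script, iframe and embed tags together with inline script bodies, and applies a few triage heuristics for heap-spray-style scripts (the unescape/%u and loop-growth patterns are assumed indicators chosen for this example, not taken from the post). The sample page is constructed and contains no live content.

```python
"""Tag extractor for drive-by triage (added example, not the authors' tool).

Pulls external script/iframe/embed references and inline script bodies out
of an HTML document, then flags inline scripts showing common heap-spray
traits so an analyst knows which blocks to read first.
"""
import re
from html.parser import HTMLParser

# Heuristics (assumptions for this example): sprays usually build a large
# buffer from unescape("%uXXXX...") and grow it in a loop to a big hex size.
UNESCAPE_RE = re.compile(r'unescape\s*\(\s*["\']((?:%u[0-9a-fA-F]{4}){4,})', re.I)
PERCENT_U_RE = re.compile(r'%u[0-9a-fA-F]{4}', re.I)
GROW_LOOP_RE = re.compile(r'while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-f]{4,}', re.I)


class TagCollector(HTMLParser):
    """Collects (tag, src) pairs and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.refs = []            # external resources: (tag, src)
        self.inline_scripts = []  # bodies of <script> without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe", "embed"):
            src = attrs.get("src")
            if src:
                self.refs.append((tag, src))
            if tag == "script" and not src:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> content over as raw data (CDATA mode)
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline_scripts.append(body)


def extract(html):
    """Return (refs, inline_scripts) for one HTML document."""
    p = TagCollector()
    p.feed(html)
    p.close()
    return p.refs, p.inline_scripts


def spray_indicators(script):
    """Return the reasons an inline script looks spray-like (empty if none)."""
    reasons = []
    if UNESCAPE_RE.search(script):
        reasons.append("unescape() with a long %u sequence")
    n = len(PERCENT_U_RE.findall(script))
    if n >= 32:
        reasons.append(f"{n} %uXXXX escapes")
    if GROW_LOOP_RE.search(script):
        reasons.append("string grown in a loop to a large hex length")
    return reasons


def triage(html):
    """Summarise a page: external refs, inline script count, flagged scripts."""
    refs, scripts = extract(html)
    flagged = [(i, spray_indicators(s)) for i, s in enumerate(scripts)]
    flagged = [(i, r) for i, r in flagged if r]
    return {"refs": refs, "inline_count": len(scripts), "flagged": flagged}


# Constructed sample page; the .invalid TLD guarantees nothing resolves.
SAMPLE = """<html><body>
<script src="http://stats.example.invalid/counter.js"></script>
<iframe src="http://landing.example.invalid/in.php" width="1" height="1"></iframe>
<embed src="http://landing.example.invalid/x.swf"></embed>
<script>
var nop = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");
while (nop.length < 0x40000) nop += nop;
var slide = new Array();
for (var i = 0; i < 200; i++) slide[i] = nop;
</script>
<script>document.write("<p>hello</p>");</script>
</body></html>"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

In practice the HTML would come from a fetch done inside an isolated analysis environment; the parser itself is deliberately offline, and the heuristics are a starting point for prioritising which inline blocks to deobfuscate by hand, not a verdict.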

The malware domain was hosting an exploit for MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption. More details can be read here: MS12-043. Without any surprise, the IP address of that domain belonged to China as shown below:

Our surprise did not end here. As the exploit for this vulnerability was released last year, it raised our interest to check how the exploit code was structured. When the exploit code was traced, it was nothing short of a sweet shock: the Chinese domain used the same exploit code hosted in the Metasploit repository for the vulnerability in question. Now the question: is it possible that Chinese malware authors simply deploy Metasploit exploits for an easy infection process? It could be. Who knows whether the domain was compromised by Chinese actors or belonged to someone else. In addition, it is hard to say who hosted that malware, but clearly the servers were located in China.

The exploit for this vulnerability can be found in Metasploit here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb.

A simple comparison of one of the code snippets used on the malware domain with the legitimate Metasploit repository is shown below:


The exploit code was used in conjunction with the JS code hosted here: http://js.users.51.la/15240615.js.

This code dynamically generates the information about the visitor and creates log details for statistical purposes.

We recall that a few traces were detected earlier where the Phoenix exploit kit used one of the same exploits present in Metasploit. Refer: Gangsterware

The conclusive points are:

  • Metasploit provides neat exploits which are easy to deploy and use.
  • The evidence shows that malware authors are using Metasploit exploits.

Well, Reality bites !

Tuesday, March 5, 2013

VB Magazine - A Look into Sweet Orange and Propack Exploit Pack

We have just released our thoughts on "Sweet Orange" and "ProPack" exploit packs in VB magazine this month.

"Blackhole has been the major player in the exploit kit market for a while now, but the Sweet Orange and ProPack kits have recently entered the market and are rapidly gaining in popularity. Aditya Sood and colleagues take a look at advancements in the design of the new kits on the block."

Refer: http://www.virusbtn.com/virusbulletin/archive/2013/03/vb201303-SweetOrange-ProPack

Enjoy !

Wednesday, February 13, 2013

IEEE Security and Privacy Magazine - Targeted Cyber Attacks Paper

Our paper on targeted attacks is out in IEEE Security and Privacy Magazine.

"Targeted cyber attacks play an increasingly significant role in disrupting the online social and economic model, not to mention the threat they pose to nation-states. A variety of components and techniques come together to bring about such attacks"

Refer here: http://www.computer.org/csdl/mags/sp/2013/01/msp2013010054-abs.html

Enjoy !

Wednesday, February 6, 2013

Elsevier IJCIP - Crimeware-as-a-service – A survey of commoditized crimeware in the underground market

Our paper on Crimeware-as-a-Service (CaaS) has been accepted for publication in Elsevier's Journal of Critical Infrastructure Protection and is available at http://www.sciencedirect.com/science/article/pii/S1874548213000036.

Abstract: Crimeware-as-a-Service (CaaS) has become a prominent component of the underground economy. CaaS provides a new dimension to cyber crime by making it more organized, automated, and accessible to criminals with limited technical skills. This paper dissects CaaS and explains the essence of the underground economy that has grown around it. The paper also describes the various crimeware services that are provided in the underground market.

Wednesday, January 30, 2013

IEEE Internet Computing - Dissecting the State of Underground Enterprise

Our paper on "Dissecting the State of Underground Enterprise" is finally out in IEEE Internet Computing.

Abstract: "Cybercrime's tentacles reach deeply into the Internet. A complete, underground criminal economy has developed that lets malicious actors steal money through the Web. The authors detail this enterprise, showing how information, expertise, and money flow through it. Understanding the underground economy's structure is critical for fighting it."

Sunday, January 27, 2013

Hack In The Box (HitB) Magazine : A Journey of Learning and Sharing

I finally got some time to talk about my (and other team members') journey as a contributor and author for Hack-in-the-Box (HitB) magazine. At this point, the HitB ezine has completed more than two years. It's been a great time working with the HitB crew, especially Zarul and Dhillon. In addition, Mateusz “j00ru” Jurczyk and Gynvael Coldwind are also contributing a lot. I have been writing for this magazine right from the first edition. It has been a great time of sharing and learning over the last two years. I want to talk about the content that I have written in the last nine editions with support from my different colleagues.

Edition 1: (Paper) - Malware Obfuscation: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-001.pdf - The first edition was released in January 2010. In this edition, I wrote a paper with Wayne Huang of Armorize on malware obfuscation tactics, with additional support from Fyodor Yarochkin. We discussed several malware obfuscation tactics and how to deobfuscate them manually.

Edition 2: (Paper) - Open Redirect Wreck Off - Web Traffic Forwards: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-002.pdf - The second edition was released in April 2012. In this edition, I presented the complete details of traffic redirection in web applications and websites using real-world code snippets collected during open research.

Edition 3: (Paper) - Chinese Malware Factory - Paradox of MS Office Based Malware: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-003.pdf - The third edition came out in July 2010. In this edition, I wrote about my research on MS Office-based Chinese malware that uses Word, Excel and similar files to spread malicious code by exploiting inherent vulnerabilities in the requisite software component.

Edition 4: (Paper) - Notorious Data-center Support Systems: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-004.pdf - The fourth edition came out in October 2010. In this edition, I wrote a collaborative paper with my colleague Rohit Bansal on vulnerabilities present in support center web applications that can directly result in gaining access to different virtual hosts.

Edition 5: (Paper) - Exploiting Web Virtual Hosting - Malware Infections: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf - The fifth edition was released in February 2011. In this edition, I wrote a paper collaboratively with my colleague Rohit Bansal and my adviser Dr. Enbody, presenting techniques for infecting virtual hosts present on the same host.

Edition 6: (Paper) - Botnet Resistant Coding: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-006.pdf - The sixth edition came out in June 2011. I released a paper with my colleagues Peter Greko and Fabian and my adviser Dr. Enbody presenting the concept of botnet-resistant coding. In this edition, we talk about a generic coding approach to subvert the automated log harvesting process in C&C panels.

Edition 7: (Paper) - Extending SQL Injections using Buffer Overflows: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-007.pdf - The seventh edition was released in October 2011. In this edition, I wrote another paper collaboratively with my colleague Rohit Bansal and my adviser Dr. Enbody on the issue of exploiting blind SQL injections in web applications that return a 500 error, using a buffer overflow technique. This tactic was developed by Rohit himself.

Edition 8: (Paper) - Exploit Distribution Mechanism in Browser Exploit Packs: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-008.pdf - The eighth edition came out in April 2012. In this edition, I wrote collaboratively with Dr. Enbody on the techniques of exploit distribution in browser exploit packs such as BlackHole, Phoenix and others.

Edition 9: (Paper) - Game of Windows 32/64 System Takeover - Bot Wars : http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-009.pdf - The ninth edition was released in November 2012. I detailed the concept of bot wars, in which one bot kills another to gain complete access to the infected system.

HitB Magazine is a great place to talk about hacking techniques. I hope this continues and I wish to contribute more in the coming time.

So, Hack the Box. Cheers ! 

Wednesday, January 9, 2013

Virus Bulletin Papers Added to Repository

We have added the papers to our repository. The newly added ones are:

1. ICE IX Analysis: http://secniche.org/released/VB_ICE_IX.pdf

2. Winlocker Ransomware Analysis: http://secniche.org/released/VB_WINLOCKER.pdf

3. Malware Strategies - Part 1: http://secniche.org/released/VB_MAL_DET_STR_PART1.pdf

4. Malware Strategies - Part 2: http://secniche.org/released/VB_MAL_DET_STR_PART2.pdf

Enjoy !

Elsevier Network Security : Abusing Glype Proxies

Update : 29th April 2014

Download : Paper available here: http://www.slideshare.net/adityaks/abusing-glype-proxies-exploits-and-defences

Our paper on "Abusing Glype Proxies: Attacks, Exploits and Defenses" is out in Elsevier Network Security.

Abstract: Proxies play a critical privacy role because they are widely used for anonymous surfing and identity cloaking on the Internet. In addition, proxies also assist in traffic filtering, traffic management, log auditing, access policies and surfing restricted sites. There are several types of proxies available, but the open-source Glype HTTP proxy is used extensively. However, proxies can be transformed into attack platforms for exploitation.