News Categories
(34)Malware (39)Malicious emails (11)Web 2.0 (24)Facebook (22)Social Networks (44)Spam (2)Defensio (1)Comment Spam (15)Phishing (9)Web spam (4)Click-jacking (38)Compromise (20)Analysis (38)Exploits (14)Research (3)Presentations (3)Conferences (4)security conference (9)Mass Injection (10)Rogue AV (4)Blackhat SEO (2)Neosploit (23)Targeted attacks (7)Video (14)Zeus (5)Microsoft (4)Monthly Reports (1)twitter (3)Google (18)Vulnerabilities (9)Adobe (12)Java (4)Mobile (4)Apple (1)hacked (1)TAB (1)Black Hat USA 2011 (1)Google+ (20)0-day (1)CVE-2010-2884 (1)CVE-2011-1255 (1)Worm (14)Blackhole exploit kit (1)Incognit Exploit kit (2)Tuesday Patch (6)APT (6)Typosquatting (3)Vulnerability Analysis (1)CVE-2011-3402 (4)Web Research (4)Predictions (3)Adult (5)News (3)Black Hat SEO (6)Data loss (8)Scam (1)QR codes (6)Twitter (1)CVE-2012-0003 (1)CVE-2011-3389 (1)CVE-2012-0004 (1)Phoenix Exploit Kit (1)CrimePack (3)Reverse Engineering (2)Captcha (1)Valentine's day (2)Kelihos (1)SC Magazine Award Winner (1)Wordpress (1)MS12-010 (1)CVE-2012-0002 (1)Infosec (2)CVE-2012-0507 (8)Toolkits (1)Skywiper (2)Flame (1)Flamer (2)Passwords (1)freedom of expression (1)censorship (2)Plugins (3)Malvertising (14)Exploit (1)CVE-2012-1723 (1)CSI (2)ThreatSeeker (2)Adventures in Spam (1)CVE-2012-4681 (1)LBS (2)RAT (1)module Apache/2 (1)Cyber Monday (1)Black Friday (1)Pastebin (4)CVE-2012-4792 (1)iPad (1)super bowl (1)iPhone (2)iOS (4)Spear Phishing (1)Threat Report (3)ThreatScope (1)Dynamic DNS (1)China (1)SSL (1)APT1 (2)DLP (3)Hack (1)CVE-2012-4969 (2)threat lifecycle (1)ThreatSeeker Network (1)ACE (10)exploit kit (1)blackhole (2)Black Hole (1)DNS poisoning (1)RedKit Exploit Kit (4)exploit kits (1)threat stages (1)Certificates (1)Topical (1)Waterhole (1)CVE-2013-2463 (1)Neutrino exploit kit (1)CVE-2013-2473 (1)CVE-2013-3893 (2)Collective Threat Intelligence (1)CVE-2013-3963 (1)Targeted Attack (3)Advanced Malware (1)CVE-2013-3897 (1)Tor (5)cyber-crime (1)Mevade (2)Ransomware (3)Social Engineering (1)CookieBomb (2)LinkedIn (1)CVE-2013-3906 (2)Pony (3)Cryptolocker (2)Upatre (1)application telemetry (1)meta-data (3)dr. watson (1)windows error reporting (1)big data (2)data theft prevention (1)DTP (1)telemetry (2)CVE-2014-0322 (2)MSIE 0-day (1)Deputy Dog (1)Ephemeral Hydra (1)CVE-2013-0074 (1)CVE-2013-3896 (1)Silverlight (2)crash reports (1)POS (1)anomaly detection (1)goon (4)angler (1)ru:8080 (1)magnitude (3)flash (1)CVE-2013-2465 (1)malicious iframes (1)FIESTA (1)Exploits Kit (1)iframe (3)CVE-2014-0160 (2)OpenSSL (3)Heartbleed (3)Citadel (2)CVE-2014-1776 (1)VGX.DLL (1)necrus (1)cutwail (2)gameover (3)vulnerability (3)zbot (1)control panel (1)carberp (1)zberp (1)Caphaw (2)Nuclear exploit kit (1)Shylock (1)Dragonfly (1)Zeus PIF (1)bitly (1)fraud (2)RIG Exploit Kit (1)POS malware (1)Point Of Sale Malware (1)Ukraine (1)Russia (1)Shellshock (1)CVE-2014-6271 (1)poodle (1)cve-2014-3566 (1)sslv3 (1)Ebola (1)CVE-2014-4114 (1)CPA (1)Regin (1)CVE-2015-0311 (1)CVE-2015-0235 (1)linux (1)GHOST (1)CVE-2015-0072 (1)Internet Explorer (1)XSS (1)IE (1)TorrentLocker (1)Product Information (1)Money Laundering (1)APSA10-05 (1)Skype spam
RSS Feed
News
Oct
23
Ebola Spreads - In Cyber Attacks Too
Posted by uwang on 23 October 2014 12:08 PM

The Ebola virus has been spreading in West Africa since first appearing in Guinea in December, 2013. Its rising rate of infection, high mortality rate, and challenging isolation and containment requirements have raised world-wide alarm.

 

Against that backdrop, Websense® Security Labs has found two distinct malicious campaigns that take advantage of the Ebola issue, and it's probably safe to assume that the topic will continue to be abused in the future.

 

DarkKomet RAT/Backdoor Campaign

Beginning October 10, 2014, Websense® ThreatSeeker® Intelligence Cloud has detected thousands of malicious emails taking advantage of the Ebola topic. The subject line is:


  • Subject: Ebola Safety Tips-By WHO

 

At the beginning of the campaign, the messages contained a redirect URL that led victims to a download location for a RAR archive. The archive contained the DarkKomet RAT/Backdoor. DarkKomet is a Remote Administration Tool (RAT) that provides full access to remote clients. It is used by attackers to control the victim's computer and steal information. In more recent emails, the campaign evolved to include direct attachment of executables, and then to direct attachment of a RAR archive containing the executable. The sample below shows the RAR attachment variant.




The malware in this campaign contacted a server located in Romania: 5.254.112.46:1604

ThreatScope has identified malware samples as malicious. Here are two file variants in the campaign:

SHA1 : e2bdede8375da63998562f55a77d4b078d3b5646     ThreatScope Analysis Report : Link

SHA1 : 91ff874eb5bde1bb6703e01d7603d3126ddd01fc       ThreatScope Analysis Report : Link

 

 

CVE-2014-4114 & CVE-2014-6352 - Windows OLE Remote Code Execution Vulnerabilities


On October 14, 2014, iSIGHT discovered vulnerability CVE-2014-4114, used in the Sandworm campaign that targeted NATO, the European Union, and members of the Telecommunications and Energy sectors. CVE-2014-4114 can allow remote code execution if a user opens a specially crafted Microsoft Office file containing an OLE object. The vulnerability is in all supported releases of Microsoft Windows, excluding Windows Server 2003. Because the vulnerability does not involve memory corruption that can result in shellcode, and because it is in the category of 'design error', protection methods like DEP and ASLR are not effective. Example exploit code for CVE-2014-4114 has been spotted posted on the web. Criminal actors could potentially use it to build a vulnerable PowerPoint file to spread the malware. Also, shortly after the disclosure of CVE-2014-4114, a very similar vulnerability that also targets OLE objects, surfaced  and is described as CVE-2014-6532. While CVE-2014-4114 has been patched by Microsoft, CVE-2014-6532 still awaits a patch.

 

Websense® Security Labs has noticed that the Ebola topic has been abused in relation to CVE-2014-4114. A sample from a third-party source, named "Ebola in American.pps", was leveraging CVE-2014-4114 to download and execute a payload from a remote address via the SMB protocol, which most of the time isn't allowed to connect to public Internet addresses.

 

  • \\220.135.249.228\public\install.inf
  • \\220.135.249.228\public\word.exe

 

It is possible to detect CVE-2014-6352 using Yara. Here is a Yara rule that can be run against Microsoft Office files to surface the vulnerability. The rule could use a bit of tweaking and expanding to include INF files:

 

rule cve_2014_6352

{
strings:

        $rootentry = {52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 05 00 ff ff ff ff ff ff ff ff 01 00 00 00}

        $ole10native = {4F 00 ( 4C | 6C ) 00 ( 45 | 65 ) 00 31 00 30 00 4E 00 61 00 74 00 69 00 76 00 65 00 00}

        $c = "This program cannot be run in DOS mode"


condition:

    ($rootentry or $ole10native) and $c

}

 

Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the different stages of the attack detailed below:

 

  • Stage 2 (Lure) – ACE protects against lure email messages and URLs containing the threat.
  • Stage 4 (Exploit) – ACE has real-time detection for exploit code that attempts to deliver the threat.
  • Stage 5 (Dropper) – ACE has detection for the malicious files delivered by this threat.
  • Stage 6 (Call Home) – ACE detects the communication to the associated C&C points associated with this threat.

 

Blog contributors: Ulysses Wang, Ran Mosessco, Nicholas Griffin.

 

 


Read more »



Jun
12
Putting Cyber Criminals on Notice: Watch Your Flank
Posted by AToro on 12 June 2014 01:15 PM

In their rush to exploit users, hackers have littered their own creations with easily exploitable vulnerabilities. They're learning that it's not so easy to write secure code. In fact, most of us in the business of securing our applications and systems know that bulletproofing software is an extremely expensive and exhaustive undertaking. Most attackers lack the necessary resources and community peer review to harden their malware, and that provides an opportunity for the security community to advance a conversation about what we should do about it.

 

Some food for thought:

 

  • Hackers hide in the shadows and thrive in anonymity; probing their attack networks would shine a light on their own techniques and tactics
  • Law enforcement and the security community could use the information to track down suspects and shut down attack infrastructure
  • Malware creators who have to look to their own defenses would have to slow down the production of new attacks

 

 

Is it legal? Is it ethical? Let's look at a vulnerability in the C&C of a Zeus Trojan in circulation and envision the possibilities together.

 

The Vulnerability

 

As we have explained in previous blogs, Zeus is a banking Trojan, which is designed to steal login credentials and other Personally Identifiable Information (PII). In this analysis, we will demonstrate that malware authors make numerous mistakes as regular software engineers and show how a particular publicly known vulnerability present in the Zeus C&C server can lead to full access to the botnet’s Command Panel or possibly full system compromise of the server. We have set up our own Zeus C&C and bot in our internal research network where we can simulate this attack and show its implications.

 

In order to understand why the vulnerability exists in the first place, we must understand the basic workings of Zeus. Zeus bots operate in the following pattern: 1) Infect a system 2) Gather credentials and PII, and 3) Upload the stolen data in the form of reports to the C&C Server. The crucial point here is that the bot uploads some file to the remote server. What if we could leverage this mechanism to impersonate a bot and upload our own file to the server? Let’s say an executable, with which we could execute commands on the server.  

 

Unfortunately, we can’t just simply upload a file. Zeus uses RC4 algorithm to encrypt all communications between the bot and the server, so it will only accept files if they are encrypted with the same key that the server uses. Luckily for us, RC4 is a symmetric cipher, which means that both parties (in this case the bot and the C&C) use the same pre-shared key. This further implies that the key is embedded somewhere in the bot. So we need to capture a Zeus binary and find the keys in order to be able to communicate with the C&C. We can achieve this by using the Volatility memory analysis tool to dump the RC4 keystream from an infected machine’s memory.

 

 

Now that we have the key, we can use this key to encrypt the file we want to upload, thus impersonating a bot trying to upload a report. However, the C&C tries to make sure that only valid report files are ever uploaded, and what we want to upload is not going to be a valid report file. We would like to execute something on the server, so we need to upload an executable file, which the server knows how to execute. We know that the C&C is using .php files, therefore, we will try to upload a php file too, which will be executed on the server side by the PHP interpreter. But, the server won't let us upload .php files, however, there is a vulnerability in the C&C’s code and a well-known technique to bypass the checks they are performing on uploaded files. Below is the code for checking which file extensions are allowed.

 

 

As you can see, it doesn’t allow us to upload any PHP file or .htaccess file in addition to a lot of other possibly executable files. The problem lies in the fact that this sort of very simple check can be easily bypassed. One of the most widely used bypass methods is to use a trailing dot with the file extension, that is, instead of just filename.php we can use filename.php. (note the additional dot after the php). The PHP interpreter is quite liberal, and it will interpret it as a valid php file. With PHP we could execute a number of commands on the server, but in our case, we would like to get access to the control panel, so we will use a PHP web-shell (we have talked about web-shells in a previous blog) , which will allow us to browse the filesystem, interact with the backend database, and (possibly, depending on the server configuration) execute system commands. 
Now, we have everything we need to compromise the C&C server: the RC4 key, the file we want to upload (web-shell), and a way to bypass the checks. By default, Zeus C&C’s use gate.php to receive the reports, and they will store these reports in C&C’s IP/_reports/files/BOTNET_ID/BOTID/ directory. 

 

 

Since we are impersonating a bot, we control both the BOTNET_ID and BOTID values, so we can predict where our uploaded file will end up. All we have to do after uploading our file is to browse to this location and our code will be executed.
After we browse to the uploaded file, we are presented with a web-shell.

 

 

Now, this shell will enable us to browse to files containing important information about the particular Zeus C&C and also to interact with the backend SQL database.
Please note that while we have set up Zeus on a Windows XP machine in our own testing environment, usually Zeus C&C’s in the wild run on Linux servers. Furthermore, our server shown here was set up with very liberal file permissions, which is rarely the case with Zeus C&C’s in the wild. However, this is irrelevant in this case, since we are trying to gain access to the Control Panel. It would only matter if we tried to fully compromise the server by gaining a remote shell  and escalating our privileges to root or NTAUTHORITY\SYSTEM (depending on the operating system). 
In order to gain access to the Control Panel, we need to get hold of the password for it, which is stored in the MYSQL database. However, the database is password- protected, too. Fortunately for us, since the bot needs to interact with the database, the credentials are stored in one of the configuration files of the bot, namely in config.php under /system/ directory.

 

 

While it contains other interesting information (such as a bot encryption key), only the relevant part of the config file is shown here. Normally, mysql_user is changed to something different from root, and mysql_pass is usually something more complex, but we intentionally left it as "password." With these credentials, we can gain access to the backend database.
The database stores information about the bots in the botnet, reports the bots uploaded, and finally, one table is used for storing information about the Control Panel user, such as username, hashed password, and so on.

 

 

Zeus stores these passwords using a simple MD5 hash without any salting, thus they are relatively easy to crack. Another option would be – since we have full read/write access to the database – to create our own password, hash it with MD5, and insert that into the database instead of the current password. Now, we will try to crack the password, hoping that it is not a very strong one. If it is, we can still fall back on the second method of gaining access.

 

 

As you can see, it was indeed a very weak password ("123456") making it easy to crack. At this point, we have all the information we need to finally enter the Zeus C&C’s Control Panel.
We can simply browse to ./cp.php and log in with our newly acquired credentials.

 

 

We now have full access to the Zeus C&C’s Control Panel, just as the original botnet owner would.

 

 

Summary

 

As we have demonstrated, while Zeus is regarded as an ‘advanced’ banking Trojan it is also susceptible to bugs that may allow, in an ironic twist, an attacker with the technical skillset to take over a botnet’s C&C server. While our previous blog posts went into details regarding the internal details of the Zeus bot, in this blog post, we tried to provide a different perspective and an insider look into how the C&C server operates.

 

Now, what should we do about it?


Read more »