News
Flash 0-day being distributed by Angler Exploit Kit
Posted by ngriffin on 22 January 2015 10:11 AM

Websense is aware of a new zero-day vulnerability in Adobe Flash Player that has been seen exploited in the wild by the Angler Exploit Kit. The exploit, as reported by security researcher Kafeine, is known to affect the latest version of Flash Player, 16.0.0.287, and has been seen dropping a trojan downloader called Bedep.

 

Websense customers were already protected against this threat with ACE, our Advanced Classification Engine, at the different stages of the attack detailed below:


  • Stage 3 (Redirect) – ACE has detection for the redirect to the exploit kit landing page.
  • Stage 4 (Exploit Kit) – ACE has detection for the exploit kit landing pages, as well as the Flash Player exploit itself.
  • Stage 6 (Call Home) – ACE detects the communication to the C&C points associated with the Bedep trojan downloader.

 

[UPDATE] 23 January 2015

Adobe released an update to Flash Player on 22 January 2015, although it does not patch the issue discussed in this blog.

In a further announcement, Adobe are hoping to patch CVE-2015-0311 (the vulnerability discussed in this blog and by Adobe here) on 26 January 2015.

 

Vulnerability

 

The Adobe Flash Player samples that exploit this vulnerability have been shared with Websense, and protection for these malicious files is in place. Adobe have been made aware of this issue and are currently investigating. At the present time, it is not possible to disclose further information regarding specific details of this threat.

 

Exposure

 

Currently, it is known that Angler Exploit Kit is exploiting this Flash Player vulnerability. As we have mentioned previously, it is a growing trend for exploit kits to drop Java, Internet Explorer, and PDF exploits in favor of the more successful Flash and Silverlight exploits. Utilizing vulnerabilities in these popular applications provides attackers with a large surface area of vulnerable clients. Due to the nature of exploit kits, Websense technology is able to target the threat at multiple stages and ensure that protection remains in place independent of the exploits used.

 

Mitigation

 

At the present time, Adobe have yet to release a patch for Adobe Flash Player. One persistent solution, for the time being, is to disable Flash Player in your browser until a patch becomes available.

 

Websense Security Labs will continue to investigate this issue as more information becomes available.





Happy Nucl(y)ear - Evolution of an Exploit Kit
Posted by AToro on 15 January 2015 11:20 AM

This blog post discusses how Nuclear Pack, one of the most popular exploit kits, has evolved, and highlights the constant, ongoing arms race between attackers and defenders.

 

While Nuclear Pack is not the most sophisticated exploit kit--that dubious distinction going to Angler, which we will write about in an upcoming post--it is highly effective. It has been used in such high-impact campaigns as the AskMen compromise, and used by the APT group behind Operation Windigo. Nuclear Pack has a wide range of attacks in its repertoire, including Flash, Silverlight, PDF, and Internet Explorer exploits, and it is capable of dropping any malware. Furthermore, Nuclear Pack is constantly being improved by its creators to avoid detection and achieve higher infection rates.

 

Exploit kits are a main source of compromises today; they are one of the primary vehicles for both 0-day and widely effective known vulnerabilities, offering a free pass to drop active malicious content (such as the banking trojan Zeus) that embeds itself on the system, gives cybercriminals a way into internal networks, and ultimately leads to data exfiltration. Last year Websense detected and blocked more than 66 million threats specifically associated with exploit kits, plus over 1 billion catches of later stages, such as dropper files and C&C traffic (the Call Home stage), that are commonly attributable to new exploit kit activity. In essence, exploit kits are complete, off-the-shelf solutions that cybercriminals can buy to compromise systems by exploiting various software vulnerabilities on the victim's system. In addition, these kits are equipped to defeat IDS and anti-virus solutions in order to avoid detection. The main technique they use to achieve this is code obfuscation, which hides the true nature of the malicious code. Exploit kits constantly change and improve in order to keep up with various security solutions, and the new version of Nuclear Pack is the next stage of exploit kit evolution.

 

Telemetry

Nuclear Pack affects virtually all industries, as it is very often used in high-volume compromises. In addition, the number of exploit attempts varies highly based on the traffic volume of the compromised website, as shown in the charts below.

 

Affected Industries:

 

Nuclear Pack trend activity over time:

 

 

High Level Overview of Nuclear Pack infections

Nuclear Pack follows the traditional kill chain and maps directly to the 7 Stages of Advanced Threats. Websense customers are protected from this threat with ACE, our Advanced Classification Engine, at the following stages:

 

  • Stage 2 (Lure) - ACE has detection for the compromised websites.
  • Stage 3 (Redirect) - ACE has detection for the injected code that redirects the user to the exploit page.
  • Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack.
  • Stage 5 (Dropper Files) - ACE has detection for the binary files associated with this attack.

 

The picture below shows all stages, from the first HTTP transaction with the compromised website. It is worth noting that the original version of Nuclear Pack was seen to use predictable URL patterns. In the new version of Nuclear Pack, the redirect URLs and methods are highly random, making the redirect stage much more difficult to detect.

 

Nuclear Pack infection chain:

 

Obfuscation

As with other exploit kits, Nuclear Pack uses various obfuscation techniques to avoid detection by IDS and anti-virus solutions. In order to detect and protect against this threat, it is crucial to understand and identify the obfuscation techniques that are unique to this exploit kit.

After cleaning up the landing page so that it is properly structured, we are still left with highly obfuscated JavaScript code.

 

Cleaned up Landing Page (part I):

 

Cleaned up Landing Page (part II):

 

Investigating the structure of the obfuscated code reveals that it actually consists of only a few parts:

 

  1. Some helper routines for deobfuscation
  2. Obfuscated content (uses decimal format to store the plugin detect and actual exploit part of the exploit kit)
  3. Deobfuscation routines
  4. The actual deobfuscation
  5. Running the deobfuscated JavaScript

 

 

How Nuclear Pack deobfuscation works

 

In essence the landing page just takes the obfuscated content, deobfuscates it, and then runs it.

One of the most distinctive Nuclear Pack obfuscation techniques is the use of the background color as a means to obfuscate and deobfuscate certain functionality. The original version of Nuclear Pack always sets the background color of the page to an arbitrary color. Later, the variable document.bgcolor is used to deobfuscate a number of functions, which were obfuscated with hexadecimal HTML color values.

 

Unique obfuscation method: <body bgcolor="#333399"> is used in the example below
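
A static triage check for the two traits described above (a body bgcolor that script code reads back, and content stored as decimal numbers) is sketched below. This is an added example, not code from the original post or from Websense; the delimiter format of the decimal content, the run-length threshold, and both sample pages are assumptions constructed for illustration. It applies only to the original version of the landing page.

```python
import re
from html.parser import HTMLParser

# Assumption: "decimal format" = 1-3 digit numbers joined by one punctuation char.
DECIMAL_RUN = re.compile(r"(?:\d{1,3}[^\w\s]){40,}\d{1,3}")

class _Page(HTMLParser):
    """Collects <body bgcolor=...> and the text of every <script> block."""
    def __init__(self):
        super().__init__()
        self.bgcolor, self.js, self._in_script = None, [], False
    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.bgcolor = dict(attrs).get("bgcolor")
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.js.append(data)

def triage(html: str) -> dict:
    """Report the traits the post attributes to the original landing page."""
    page = _Page()
    page.feed(html)
    js = "".join(page.js)
    result = {
        "bgcolor": page.bgcolor,
        # Literal match only; a miss is inconclusive, not a clean verdict.
        "script_reads_bgcolor": bool(re.search(r"\.bgcolor\b", js, re.I)),
        "decimal_bytes": sum(len(r) for r in DECIMAL_RUN.findall(js)),
    }
    result["suspicious"] = bool(result["bgcolor"]
                                and result["script_reads_bgcolor"]
                                and result["decimal_bytes"] > 0)
    return result

# Constructed, inert samples: the numbers below do not decode to anything.
SUSPECT = ('<html><body bgcolor="#333399"><script>var c=document.bgColor;'
           'var d="' + ",".join(str(30 + i % 90) for i in range(200)) + '";'
           '</script></body></html>')
BENIGN = ('<html><body bgcolor="#ffffff"><script>var sizes=[10,20,30];'
          '</script></body></html>')

if __name__ == "__main__":
    print(triage(SUSPECT))
    print(triage(BENIGN))
```
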

 

Deobfuscated Content

 

Once the exploit kit is deobfuscated, the true functionality of the exploit kit is revealed. The deobfuscated code has four parts, and they are executed in the following order:

 

  1. Plugin Detect
  2. XMLDOM Information Disclosure exploit to determine whether anti-virus is running on the system
  3. Checking whether victim has vulnerable plugin version
  4. Launching appropriate exploit(s)

 

 

Nuclear Pack uses the popular PluginDetect library to fingerprint the victim. As you can see, the creators were using the latest version.

 

PluginDetect:


 

 

Nuclear Pack uses the CVE-2013-7331 XMLDOM ActiveX control vulnerability to enumerate anti-virus software on the target system. Note that the vulnerability only affects Internet Explorer users. The use of this exploit to fingerprint the victim’s machine for anti-virus software is not unique to Nuclear Pack; it is being adopted by more and more exploit kits (including Angler and RIG). If a specific (hardcoded) anti-virus solution is detected, the infection attempt is aborted in order to avoid possible detection.

 

Anti-Virus Detection:


 

 

Before launching the actual exploits, Nuclear Pack runs a check to see whether the victim has vulnerable plugin versions. As you can see below, Nuclear Pack also checks for vulnerable Java versions. That functionality is just a placeholder, however; it doesn't seem to use any Java exploits.

 

Vulnerable Plugin Check:


 

 

Finally, based on the results of the previous check, the exploit kit runs the appropriate exploit or exploits.

 

Launching Exploits


 

 

New version of Nuclear Pack 

 

During December, a new version of Nuclear Pack emerged. While it has only been used on a low scale at this point, it is very likely that this new version will completely replace the old version. As with any new software release, the new version of Nuclear Pack has new features and various improvements. 

The biggest difference between the new version and its predecessor is that it uses completely different obfuscation techniques to hide malicious code from security products. 

 

Landing page using the new obfuscation

 

In addition to the complete overhaul of its obfuscation methods, Nuclear Pack now uses a rudimentary second layer of obfuscation. It is very basic, even human-readable, but probably useful against security products that can only deal with one layer of obfuscation. To increase infection rates even further, Nuclear Pack has detection for more anti-virus products.

 

Second layer obfuscation and AV detection:

 

In the past, Nuclear Pack also used simple URL patterns specific to only this exploit kit. With the new version this is no longer the case. Also, a large chunk of the original PluginDetect library is gone, leaving only the essentials. This makes Nuclear Pack more streamlined and efficient.

The creators of Nuclear Pack also introduced an XOR-based obfuscation method for the malware payload, which makes it significantly more difficult to detect the dropper file with IDS or anti-virus, as no signatures will match on the encoded payload. Websense File Sandboxing reports the dropped executable as malicious.

 

Malware Payload XOR-ed with ASCII string "kFLzT" 
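
For analysts who need to scan such a capture, the sketch below decodes a repeating-key XOR payload and confirms the result is a PE file. It is an added example, not code from the original post or from Websense. It goes beyond the single key named above by also recovering an unknown key, on the assumption that the reserved DOS-header words at 0x28-0x3B are zero; the sample is a constructed header skeleton, not a real payload.

```python
from itertools import cycle
from typing import Optional

REPORTED_KEY = b"kFLzT"  # ASCII key named in the post

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same call encodes and decodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with 'MZ' and e_lfanew (0x3C) points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_key(blob: bytes, max_len: int = 16) -> Optional[bytes]:
    """Known-plaintext recovery. Assumption: the reserved DOS-header words at
    0x28-0x3B are zero (typical linker output), so those ciphertext bytes are
    the raw key stream. Returns the shortest key that yields a valid PE."""
    if len(blob) < 0x40:
        return None
    for n in range(1, max_len + 1):
        key = bytearray(n)
        for off in range(0x28, 0x28 + n):
            key[off % n] = blob[off]
        consistent = all(blob[off] == key[off % n] for off in range(0x28, 0x3C))
        if consistent and looks_like_pe(xor_repeat(blob, bytes(key))):
            return bytes(key)
    return None

def constructed_sample() -> bytes:
    """Constructed stand-in for a captured payload: a bare MZ/PE header
    skeleton (no code), XOR-ed with the reported key."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return xor_repeat(bytes(hdr), REPORTED_KEY)

if __name__ == "__main__":
    blob = constructed_sample()
    print("raw bytes look like PE:", looks_like_pe(blob))
    print("recovered key:", recover_key(blob))
    print("decoded looks like PE:", looks_like_pe(xor_repeat(blob, REPORTED_KEY)))
```

Signature engines that inspect only the raw transfer see none of the PE markers, which is why decoding before scanning matters here.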

 

 

Websense File Sandboxing report showing detection as Malicious:

 

 

Finally, the new version only uses Flash (CVE-2014-8439) and Silverlight (CVE-2013-0074 / CVE-2013-3896) exploits. This seems to be a general trend among various exploit kits; they drop Java, Internet Explorer, and PDF exploits in favor of the more successful Flash and Silverlight exploits. There are two main reasons behind this: first, Flash and Silverlight are widely used plugins, while Java and Adobe Reader plugins are becoming less common. Also, due to the diversity of the browser market, it's becoming less profitable to use Internet Explorer exploits. Secondly, while browser security has steadily increased over the past few years, different plugins seem to lag behind in terms of security.

 

Summary

 

  • Nuclear Pack is a constantly evolving threat, which uses various exploits to compromise a large number of systems.
  • The obfuscation used by different exploit kits, while constantly changing, is unique to each kit, making fingerprinting easier.
  • Flash and Silverlight are the most commonly used exploits.

 

For a thorough description of the underground ecosystem surrounding Exploit Kits, see Kafeine’s blog: http://malware.dontneedcoffee.com/2012/12/eyeglanceru.html

