Tuesday, September 6, 2011

DigiNotar facts - just some links

DigiNotar Certificate Authority breach “Operation Black Tulip”
Google, Mozilla and Microsoft ban the DigiNotar Certificate Authority in their browsers

Thursday, August 4, 2011

Operation Shady RAT - HTran

HTran and the Advanced Persistent Threat
http://www.secureworks.com/research/threats/htran/

The code is at http://www.pudn.com/downloads119/sourcecode/windows/network/detail508294.html (it also appears in the SecureWorks analysis).

What follows is an excerpt of the code:

Monday, July 4, 2011

an old bug for a new job? CVE-2004-0194

A couple of months ago I received an interesting challenge for the final (I think) step of the job selection process at a big company (not a well-known exploit research company, but if you are reading this post you are probably using one of their operating systems). The challenge consisted in writing an exploit for CVE-2004-0194. Obviously, the first step I took was a good round of googling. To my surprise I didn't get anything; I only found the original advisory, in many versions. The original is at the following link http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0051.html, an old NGSSoftware Insight Security Research Advisory:


This issue was detected in version 5.1 of Adobe Reader (if you want to try it, you can find it here: http://www.oldversion.com/download/acrobat51.exe). The issue is a bug triggered by a misuse of sprintf when formatting the OutputDebugString message during XFDF parsing. The original XFDF schema uses UTF-8 encoding. To fit the unicode shellcode from the Metasploit module I had to choose another encoding, like this one:

<?xml version="1.0" encoding="ISO-8859-1"?>
Anyway, what follows is the proof of concept that launches calc.exe. For this task I used a SEH overwrite technique using code from non-SafeSEH DLLs.


It's also possible to download the PoC from here: http://www.exploit-db.com/exploits/17488/. Anyway, what happened? Well, if I'm still updating this blog it is because I didn't get the job, despite their compliments. Anyway, what did I learn? I learned how to write unicode shellcode and that sometimes encoding techniques are your best friends. What sounds strange is that the CVE id is very close to my nightmare: CVE-2010-4091.

So, why did I decide to post this stuff just now? I dunno why. Enjoy it!
Greetings to 0xff for opening my mind to the byte-encoding landscape (http://whsbehind.blogspot.com)
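The bug class behind this post (a debug message built with sprintf from a field pulled out of the parsed XFDF, then handed to OutputDebugString), shown as an added example that is not the author's PoC and not Adobe's code: the unbounded form beside a bounded one, plus a scan that flags XFDF documents whose field values would not fit the debug buffer. All function names, the buffer size and the XFDF sample are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of the bug class in the CVE-2004-0194 advisory: a debug string is built
 * with sprintf() from a value pulled out of the parsed XFDF. Not Adobe's code. */
#define DBG_BUF 64

/* Vulnerable form: sprintf() does not know the size of buf, so a <value>
 * longer than about 50 bytes overruns the frame. Shown for contrast only. */
void debug_field_unsafe(const char *value)
{
    char buf[DBG_BUF];
    sprintf(buf, "XFDF field: %s", value);   /* unbounded write */
    puts(buf);                               /* OutputDebugStringA() on Windows */
}

/* Hardened form: snprintf() bounds the write and %.*s bounds the read, and
 * truncation is reported instead of overflowing. True when the message fit. */
bool debug_field_safe(char *buf, size_t buflen, const char *value, size_t vlen)
{
    int n = snprintf(buf, buflen, "XFDF field: %.*s", (int)vlen, value);
    if (n < 0) { buf[0] = '\0'; return false; }
    return (size_t)n < buflen;
}

/* Walk each <value>...</value> in an XFDF fragment and count the ones the
 * hardened routine had to truncate: flags documents carrying oversized field
 * values before they reach any fixed-size formatting code. */
int count_oversized_values(const char *xml)
{
    int oversized = 0;
    char buf[DBG_BUF];
    const char *p = xml, *end;
    while ((p = strstr(p, "<value>")) != NULL) {
        p += strlen("<value>");
        if ((end = strstr(p, "</value>")) == NULL) break;  /* unterminated */
        if (!debug_field_safe(buf, sizeof buf, p, (size_t)(end - p))) oversized++;
        p = end;
    }
    return oversized;
}

/* Constructed XFDF sample (ISO-8859-1 declared, as in the post): one short
 * value and one 100-byte value that would overflow debug_field_unsafe(). */
const char *const kSampleXfdf =
    "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><xfdf><fields>"
    "<field name=\"name\"><value>Alice</value></field><field name=\"note\"><value>"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "</value></field></fields></xfdf>";
```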

Wednesday, June 22, 2011

TDSS - SRVs list

I just found via pastebin (http://pastebin.com/jWDhEfGB) a domain list related to TDSS. The SRVs, according to this analysis http://resources.infosecinstitute.com/tdss4-part-2/, are the C&C servers from which bots receive commands. What sounds a bit strange is that the content of the pastebin above matches the syntax used in the rootkit's configuration file. Anyway, it is possible to count 2514 entries (or config files?). I simply sorted the domains reported, with the following result:


Another interesting Google dork is "wsrv:=http://", which shows another Pastebin link with a list of WSRV domains. The WSRVs are the handlers of the results of the search provider activity on impacted systems.

Tuesday, June 7, 2011

DroidKungFu - just some piece of code

Following the trend of the moment, I played a bit with the DroidKungFu sample retrieved from the contagiodump malware sample repository. To obtain the JAR archive I used dex2jar (http://code.google.com/p/dex2jar/downloads/list) after extracting the Dalvik Executable (DEX) embedded in the APK. Once the JAR file is obtained, it is very easy to get the clear code with (for example) Java Decompiler.
One of the more interesting things is that, at least in the variant I analyzed (md5 39D140511C18EBF7384A36113D48463D), the DoSearchReport method is notified through the well-known Google Search gadget. It seems that this malware installs itself as a legacy app to gain persistence even after the rest of the malicious packages are removed from the device. This is easily readable from the source code, as shown in the following screenshots:



The screenshot above shows the beginning of the DoSearchReport method, where a custom method named updateInfo() is called. The following screenshot shows the place in the DoSearchReport method where all the data collected from impacted devices is dropped via HTTP POST:

The data collected and sent to the URL are the following (extracted from the code):
Some info about the URL (from Robtex):

Other domains related to the 222.186.37.93 IP address:


Playing a bit more with the URL above, I found this IP form request:

This variant seems crafted for Chinese users. In the code there is much other evidence of this.

Friday, March 18, 2011

FlashUtil10m_Plugin.exe command line crash

It is interesting to observe how, nowadays, some old-style bugs are still around. I think this one is not a security bug, but a deeper investigation is left to whoever is interested. Anyway, it is sufficient to pass a single character as a command line parameter to FlashUtil10m_Plugin.exe (also called Flash Player Installer/Uninstaller) to generate a crash. If you are Admin, something like the following screenshot appears:



Opening it with a disassembler (in this case IDA), it is possible to see that the problem is within the parser that handles the command line parameters:

The screenshot above reports the address of the function where the bug is triggered, while the following screenshot shows the line of code where code at an address in kernel32.dll tries a write using a non-readable address:


This bug impacts Adobe Flash Player Installer/Uninstaller 10.2 r152, distributed with the latest version of Adobe Flash Player.

Tuesday, March 15, 2011

cve-2011-0609 - bugix blog analysis

April 4, 2011 - Update:
RSA has released a blog post describing that this issue was used in the recent data breach:
http://blogs.rsa.com/rivner/anatomy-of-an-attack/

March 15, 2011: 
A researcher has just posted a very interesting analysis of this 0day:

bugix blog cve-2011-0609 analysis - by villys777
http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html

Adobe Security Advisory APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html

Sunday, March 6, 2011

mmspicture.ru - mobile malware depot

Following a well-known mailing list (clean-mx, aka viruswatch), the following URL was retrieved:

http://mmspicture.ru/mms112/mms112.jar (md5: 33EA90E2029478D47D33409B5F48E4EB)

The JAR file is already detected by VirusTotal. Playing a bit around the URL path, it is possible to retrieve another JAR file:

http://mmspicture.ru/mms113/mms113.jar

The MD5 (4CC0EBCE1428EE3649C67A13734F2EDE) of this JAR file is not yet known around. Anyway, what follows is just a quick analysis of the contents of this file. Opened with Java Decompiler, it looks like a canonical small JAR app for mobile devices (a MIDlet class):


The main class is named "b" and extends the Java Canvas class:


As shown above, it is possible to see some Cyrillic strings:


There is also a reference to a stream (embedded in the JAR) named "info.dat". The code above uses this file to decode the stream that, as we'll see, is the destination phone number for the data gathered from mobile devices. The "info.dat" file contains the following string: 75;4x=1?==8:<95

I wrote a small Java app that uses that code to decode the stream:


The output revealed is the following:

The string obtained is the destination phone number used to receive SMS from the user's mobile devices. The content of the SMS body is still under investigation. Probably it sends the entire phonebook; also, the phone number could be a payment number. The SMS is sent when the user accepts to view the picture in the postcard ("card.png") embedded in the JAR. There is also a file named "readme" which contains an ICQ id:


According to the countrycode.org web site (http://countrycode.org/russia), the number "+7 497 878542104" is a Russian phone number. Another detail is that the domain mmspicture.ru is hosted on one IP (91.201.66.209) where another interesting domain is also hosted:

Wednesday, February 2, 2011

Egypt Telecom back online - ASN8452 TE DATA - prefix 81.10.0.0/17

The prefix 81.10.0.0/17 "ALL-Routes" seems to be announced again to the rest of the world via the Telecom Italia Sparkle Autonomous System (ASN 6762). Here is the animation made with BGPlay:

[video: BGPlay animation]

The time range is between 29 January 2011 00:00 and 2 February 2011 08:00 PM (local time). For more info on BGPlay see my previous post http://extraexploit.blogspot.com/2011/01/egypt-telecom-as-isolation-bgplay-show.html.

Friday, January 28, 2011

Egypt Telecom AS isolation - does BGPlay show it?

January 31, 2011 - Update:
An interesting snapshot of Egyptian malware activity. ASN 20928 appears to be still active.

Egypt's malware activity post internet shutdown
http://www.unveillance.com/latest-news/egypts-malware-activity-post-internet-shutdown/

Why One Egyptian ISP is Still Online

http://newsgrange.com/why-one-egyptian-isp-is-still-online/

January 29, 2011 - Update:


I tried to make the following video to show what happened. BGP isolation "frame by frame":

[video: BGP isolation frame by frame]

January 28, 2011:

Following the isolation of the Internet in Egypt, I tried to see if it is possible to see something with a good tool: BGPlay. As input data I inserted the AS8452 (Egypt Telecom) prefix labeled as "all routers". I obtained this information via robtex as follows: http://www.robtex.com/as/as8452.html#bgp. So, the inserted data are the prefix 81.10.0.0/17 and the date/time range of the latest 24h:



The result is interesting. For an animation it could be better to try to insert the value using BGPlay directly (http://bgplay.routeviews.org/).

The BGP traffic situation on 27/01/2011:


After the sequence of BGP withdrawals, the situation now appears like this:



RIPE has also released a tool to check BGP withdrawal and announcement requests:

Saturday, January 22, 2011

the sourceforge entry point seems still active

February 3, 2011 - Update:

A discussion on the e107 official web site: http://e107.org/comment.php?comment.news.878


February 2, 2011 - Update:

Just another piece of evidence of the sourceforge breach being used by a web bot. At least, from the following screenshot, it seems that the entry point was detected by a web vulnerability scanner bot. The following figure shows a well-known method used by web bots to post the result of their work to some pastebin clone web site.


This pastie was released at the end of 2010. The bad thing is that the OFF keyword tells the bot admin that php_safe is OFF.


January 30, 2011 - Update:
Sourceforge has formally admitted the problems that I notified in December 2010. My research and my message on the full-disclosure mailing list about the possible exploitation of a not-so-new e107 bug that could permit privilege escalation attempts look confirmed. Here is the update:

Sourceforge Attack: Full Report
http://sourceforge.net/blog/sourceforge-attack-full-report/

January 28, 2011 - Update:

On Hacker News an update is reported, and it seems that the sourceforge server has been compromised:

Sourceforge servers compromised
http://news.ycombinator.com/item?id=2150639

The SourceForge response:
http://sourceforge.net/apps/wordpress/sourceforge/2011/01/27/sourceforge-net-attack-update/

January 22, 2011:

Just now I found a post from Imperva http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html. Intrigued by their results, similar to those published in my previous post approximately one month ago (http://extraexploit.blogspot.com/2010/12/some-considerations-on-ettercap-source.html), I decided to do some checks. I noticed that the entry point of sourceforge is still active. This is what seems possible from the error message that appears on this page. As you can see from this screenshot, the problem seems to reside in a project home page that includes a bugged e107 version:

[screenshot: sourceforge2]

With further investigation it is possible to find the page where the vulnerable version of e107 (affected by a remote command execution issue) is placed. This entry point could be used by a remote script to send system commands to the server (http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html). The following screenshot shows the well-known form that exposes sourceforge to this vulnerability:

[screenshot: forme107]

The problem is that this breach, if confirmed, can be exploited to modify source code, undermining the trust levels of applications maintained by this software repository.