Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts


(April 2010) Posts

Analyzing Malwares Using Microsoft Tools

Posted: 29 Apr 2010 01:04 PM | Matt Oh | no comments


We have been seeing reverse engineering on malware for a while. Some time ago you needed magic tools from underground hackers, but the situation has changed a lot since then. This is especially true for reverse engineering on the Windows platform, where there are a lot of good Microsoft-made tools. They are not specifically made for reverse engineering, but they can be very helpful for reverse engineering binaries. They are also very stable, because they went through a lot of internal quality assurance before being released to the public. It feels like these Microsoft-made tools are underestimated: many hackers use OllyDbg instead of WinDbg, many people use other dumping tools to dump processes instead of userdump, and so on. It's not that OllyDbg or the other tools aren't good. I just want to show how easily the same thing can be achieved with the tools released by Microsoft.

I'll show two things: dumping processes, and finding rootkit components embedded in the process images. Both can be achieved with just a few lines of commands.

The situation is as follows. We have a machine infected with a piece of malware, a Zbot variant. We know the malware performs code injection to collect and control the data flow on the system. So we decide to dump the process image. How can this be achieved with Microsoft tools? We just need to download and install User Mode Process Dumper Version 8.1 on the target system. Here's an example showing the dump of the infected "svchost.exe" process image from the system.

Illustration 1: Using userdump to dump live process images

You just need to call userdump.exe with the target process name and the target dump file name. It will go through every process with that name and dump each image to a file named as you designated plus the process ID. In one shot you can grab the dump files for every process with the same name. Convenient, right?

One more benefit of userdump is that it will not kill the process it dumped, so in theory the process is not affected by dumping the image. We can silently duplicate the process images and let the system carry on without intervention.

So now we have the corpse images of the processes, and it's time to do some basic autopsy work to see which organs have been tweaked by this infectious botnet client. First, you need a tool called Debugging Tools for Windows (aka WinDbg). There are, however, some issues with the WinDbg download. The last release date for the standalone download package is March 2009, more than a year ago. You need to download and install the WDK to use the latest WinDbg. In my case I was fine with the March 2009 release, and the examples here work without any problems with the standalone package. Just move all the dmp files acquired from userdump to a safe location. Launch WinDbg and select File > Open Crash Dump. Then choose the dump file you want to...



New blog!!

Posted: 25 Apr 2010 11:00 PM | Patrik Runald | no comments


As you can see we have a new blog. In addition to the new look-and-feel we have a few new things in place.

- We have merged the blog and alerts. If you subscribe to our Alerts you will still get emails when we see something that warrants an alert.
- Added Categories to posts. This will make it much easier to find stories around the same topic.

We will add the ability to post Comments to the blog as well in the near future. We hope you'll like it. Remember to update your RSS feed address by clicking on "Subscribe" in the top-right corner, as the old RSS feed will not be updated.


Spammers also "Recycle"

Posted: 25 Apr 2010 09:09 PM | Anonymous | no comments


Imagine how much trash or rubbish is recycled on a daily basis in real life. The same thing is happening on the Internet. Spammers create new Web sites, then use all sorts of techniques to deliver those sites to end users. However, in most cases there is a Web/email filtering service, like that offered by Websense, which will analyze and block such sites. At some point such URLs are blocked by all known companies providing filtering services, and the URLs become useless for cybercriminals. The whole process then starts again from the beginning: the spammer creates a new page, advertises it, and finally it's blocked by a Web/email filtering company!

Unfortunately, spammers have started to come up with new solutions, something we're calling "Recycled" spam URLs. "Recycled" spam URLs can be created from major services, such as caching or translation, provided by major search engines. Recently in Websense Labs we've seen several spam emails with "Recycled" spam links. Some of those emails contain just a link. Others look like legitimate newsletters. (Unfortunately ImageShack removed the picture.)

If users follow the link, they are redirected to a cached version of a site which either had another redirect, or was compromised and had a malicious iframe or code embedded in its source. As shown in this example, pages can stay cached for about 2 months or even longer. And finally the landing page: it's just another Pharma spam!

To make it even more difficult for Web/email filtering engines to detect such links, cybercriminals also try to obfuscate links with URL encoding, and in most cases they use infrequently-seen Google top-level domains belonging to countries such as Anguilla, Gibraltar, American Samoa or the Seychelles:

hxxp://google.com.ai/search?q=cache:www. [removed] %63%65%6E%74%65%72%2D%6D%73%6B%2E%63%6F%6D#online
hxxp://www.google.com.gi/search?q=cache:%6C [removed] %6E%74%65%72%2D%6D%73%6B%2E%63%6F%6D#Zubkepzb2j.html
hxxp://www.google.sc/search?q=cache:%6C%61%77 [removed] %6E%74%65%72%2D%6D%73%6B%2E%63%6F%6D#Stoettxgr4j

This is also very similar to Black Hat SEO. If the site has a good ranking, cybercriminals change the content to the one they want cached, then ping the crawlers (<searchengine_URL>/ping?sitemap=sitemap_url), and after a while remove the content or block the site. The cached version has exactly what they wanted, and they start their campaigns. As the site no longer exists, search crawlers can't pick up a newer version, and the cache keeps the last version of the parsed page "forever". The same technique is used for compromised sites with good rank: once the site is abused, cybercriminals wait for the site to be cached, then remove the malicious content and use it in campaigns. The only problem the bad guys face is that high-ranking sites are parsed by search crawlers very frequently, and the cached version which hosts...
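The three tell-tale parts of a "recycled" link (a google.* host on an unusual country TLD, the /search path, and a q parameter that begins with cache: followed by a percent-encoded destination) are mechanical enough to check in a mail or URL filter. The following is an added example, not code from the post or from Websense; the sample links and the domains inside them are constructed for the example and are not the ones the post redacted.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample links in the shape the post describes: a defanged hxxp scheme,
# a Google country-code domain, and a percent-encoded domain after "cache:".
# The domains are made up for this example.
SAMPLE_LINKS = [
    "hxxp://google.com.ai/search?q=cache:www.%73%70%61%6D%2D%70%68%61%72%6D%61%2E%65%78%61%6D%70%6C%65#online",
    "hxxp://www.google.sc/search?q=cache:%6C%61%77.spam-pharma.example#Stoettxgr4j",
    "hxxp://www.google.com/search?q=websense+labs",
    "https://translate.example.net/translate?u=http://clean.example/",
]


def extract_cache_target(url):
    """Return details of a search-engine cache link, or None if the URL is not one.

    A recycled link needs a google.* host, the /search path and a q parameter that
    starts with "cache:"; the real destination follows and may be percent-encoded
    so that a filter matching on the plain domain never sees it.
    """
    parts = urlsplit(url)
    labels = parts.netloc.lower().split(".")
    if "google" not in labels or parts.path != "/search":
        return None
    # parse_qs percent-decodes the value, so the hidden host comes out in clear text.
    q = parse_qs(parts.query).get("q", [""])[0]
    if not q.startswith("cache:"):
        return None
    target = q[len("cache:"):]
    # Everything after the "google" label is the (possibly unusual) country TLD.
    cctld = ".".join(labels[labels.index("google") + 1:])
    return {
        "engine_tld": cctld,
        "target": target,
        "percent_encoded": "%" in parts.query,
    }


def find_recycled_links(urls):
    """Filter a list of URLs down to the cache links and their decoded targets."""
    hits = []
    for u in urls:
        info = extract_cache_target(u)
        if info is not None:
            hits.append((u, info))
    return hits


if __name__ == "__main__":
    for url, info in find_recycled_links(SAMPLE_LINKS):
        print(f"{url}\n  -> cached target {info['target']!r} via google.{info['engine_tld']}"
              f" (percent-encoded: {info['percent_encoded']})")
```

The decoded target is what a reputation lookup should be run against; the engine host itself is legitimate and should not be blocked. The same parse applies to the translation-proxy variant the post mentions once the parameter carrying the destination is known.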



Oversharing and a powerful search engine = FAIL

Posted: 23 Apr 2010 10:56 AM | Patrik Runald | no comments


Users of the Blippy service, a website that lets people share their credit card purchases online, are scrambling to change their settings or even close their accounts after VentureBeat published a story about how Google searches can disclose users' credit card details. As can be seen in the screenshot above, Blippy shows every purchase made with linked credit cards, bank accounts, Amazon and iTunes accounts, and more. In today's world of social media and an eagerness to share with friends (and sometimes the world), Blippy fits right in. And Blippy claims to take privacy seriously, as can be seen from the following statement from their website. However, things don't always work as planned. Google has indexed the private information, and it's now publicly visible in search results, as can be seen below. This is a cyber criminal's dream come true. We advise every user to be really careful when sharing sensitive financial information with anyone, and to consider the worst-case scenario of what could happen. Blippy and Google are working on correcting the problem, and we'll update the blog when we know more.

Update: Blippy has posted a response here.

Update 2: Google's search results have been cleaned up and the information is no longer available.



De-obfuscating the obfuscated binaries with visualization

Posted: 19 Apr 2010 07:42 AM | WebsenseSecurityLabs | no comments


Recently I spent an afternoon reverse-engineering a few packed and obfuscated malware binaries. I was curious as to what kind of tactics and methods had been applied, so I dissected several binaries. I want to share some of my notes about the techniques that these malware programs used. I also want to share some of my analytic techniques and a few of the scripts that I used to help me with the analysis. Most of the obfuscation techniques were in the realm of polymorphism that has been known for years, even decades. I want to show you how a few scripting and graphing tools can ease the burden of de-obfuscating and understanding these malware binaries.

Fake Exports

Yes, fake exports. In this case, an executable was exporting multiple entries, which is unusual. The program exports some random points of the binary with random names, and IDA (Interactive DisAssembler) is so sure that each is a separate function that it breaks up the control flow.

Illustration 1: A function split by an exported entry

It's very hard to remove a function when it's exported, and the exported functions tend to have random names. So I wrote an IDAPython script that searches for functions with names that are not auto-generated by IDA and removes them. It searches for any function that doesn't have the name "start" or the default name prefix "sub_". [Update: I got a comment that you can also use the GetEntryPointQty()/GetEntryXXX() IDA API to achieve this in a more stable fashion.]

Visual Interference with NOP repetitions

As I continued through the disassembly, I found a repeating pattern that had no meaning at all. The pattern just pushed a register, modified the same register, and popped it off again. The register did not change at all. This is just a NOP pattern, and it was inserted all over the place, making the analysis very tiresome. The NOP pattern looked like the following.

Illustration 2: Repeating NOPs

Actually, the "db 3eh" byte is not valid according to IDA [Update: many folks pointed out that "db 3eh" doesn't mean it's invalid, but meaningless, which is the more correct word], but the processor didn't care. So all of the red-boxed regions are simply meaningless overhead put there to make the code more overwhelming. To make analysis easier, I simply replaced all such instances with real NOPs, and I felt a lot better after I did. Here's the script that I used. It searches for the "50 3e 0f c8 58" byte pattern, which is the hex representation of the NOP parts, and patches in real NOPs (0x90...). Here's what I got after the script execution.

Illustration 3: NOPs converted to real NOPs

Basic Block Chunks

The malware had a lot of chunked code, which malware often includes in abundance because it is widely known that IDA doesn't deal with it well. Here's an example of the chunked code. It's heavily split through the binary using jmp instructions.

Illustration 4: Chunked code using jmps

When you look at it...
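The byte sequence quoted above decodes to push eax / ds: / bswap eax / pop eax, which leaves EAX unchanged. The post's own script ran inside IDA and is not reproduced here; what follows is an added, stand-alone Python version of the same patch written for this page, working on a copy of the file's code bytes. It goes one step further than the EAX-only pattern: since push is 50+r, bswap is 0F C8+r and pop is 58+r, it matches the sequence on any of the eight general registers as long as all three opcodes agree on the register. The sample bytes are constructed, not taken from the malware.

```python
# The post's junk sequence in its EAX form:
#   50    push eax
#   3E    DS segment prefix (meaningless on its own)
#   0F C8 bswap eax
#   58    pop eax
# Net effect on EAX: nothing.
EAX_NOP_PATTERN = bytes.fromhex("503e0fc858")
NOP = 0x90


def is_fake_nop(buf, i):
    """True if buf[i:i+5] is push r32 / ds: / bswap r32 / pop r32 on one register.

    push is 50+r, bswap is 0F C8+r and pop is 58+r, so the check accepts any
    general register but rejects a sequence whose three opcodes disagree.
    """
    if i + 5 > len(buf):
        return False
    push, prefix, esc, bswap, pop = buf[i:i + 5]
    if not (0x50 <= push <= 0x57):
        return False
    reg = push - 0x50
    return prefix == 0x3E and esc == 0x0F and bswap == 0xC8 + reg and pop == 0x58 + reg


def patch_fake_nops(code):
    """Return (patched_bytes, count) with every junk sequence replaced by five NOPs.

    The patch preserves length, so jump and call displacements elsewhere in
    the code stay valid.
    """
    out = bytearray(code)
    count = 0
    i = 0
    while i < len(out):
        if is_fake_nop(out, i):
            out[i:i + 5] = bytes([NOP] * 5)
            count += 1
            i += 5
        else:
            i += 1
    return bytes(out), count


# Constructed sample: a prologue, three junk sequences on different registers,
# a real instruction in between, and a ret. These are not bytes from the post's sample.
SAMPLE_CODE = (
    bytes.fromhex("558bec")         # push ebp; mov ebp, esp
    + EAX_NOP_PATTERN
    + bytes.fromhex("513e0fc959")   # same junk on ecx
    + bytes.fromhex("33c0")         # xor eax, eax
    + bytes.fromhex("523e0fca5a")   # same junk on edx
    + bytes.fromhex("c3")           # ret
)

if __name__ == "__main__":
    patched, n = patch_fake_nops(SAMPLE_CODE)
    print(f"patched {n} fake-NOP sequences")
    print(patched.hex(" "))
```

Run it against a section dumped from the unpacked binary rather than the packed file on disk, since the junk only exists in the unpacked code; and keep the original alongside the patched copy so that anything the scan mis-identifies can be compared against the real bytes.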



Multi-layer Obfuscated JavaScript Using Twitter API

Posted: 16 Apr 2010 07:26 AM | Tamas Rudnai | no comments


Nowadays infected Web pages are probably the biggest threat to the IT sector. Most compromised HTML documents contain a JavaScript that generates the malicious content dynamically to make it less obvious what it is doing. To avoid detection, they are using more and more complex obfuscation techniques. In this blog we will analyze a sample with 5 different obfuscation layers, using a few tricks to fool automated de-obfuscation engines.

Our sample today is a 6KB obfuscated JavaScript that by the end turns into a single iframe pointing to a malicious site. The threat uses a mixture of codebook, XOR and substitution ciphering, as well as the traditional character representation tricks, to hide the malicious content. Some of these techniques have already been discussed in this blog. To decrypt it, we need to tweak the code a little so that the evil script reveals its true nature, as opposed to silently executing the payload.

As you can see, the injected code looks strange, but other than that it does not tell us whether the code is malicious or not. What you can see here is not that much, except that you can be sure the script is obfuscated. For a security expert this kind of code is always highly suspicious, as it reveals that the author wanted to hide something for a good reason. If you indent the code properly, however, it shows something more to the human eye. You can then divide the code into two parts. In the first part there is only a very short function and the definition of a variable. (Note that we cut off the value of the variable, as it was just too long and is not needed to understand this algorithm.) The second part is another function and a call to the first function mentioned above. As you can see, it calls function t(), which is only a wrapper around function z(), most probably used as a light anti-de-obfuscation technique. Therefore we need to analyze only the second function.

It is very easy to spot that it uses simple substitution ciphering, this time only for the letter 'Z'. It also uses character representation coding, where for decoding it only uses the unescape() function. At the end of the script you can see the eval() call. This needs to be replaced with a print() in order to display the de-obfuscated code instead of running it.

These are the results, and they are something different from the first layer; however, it all still looks quite cryptic. Many of the malicious JavaScripts today use multi-level obfuscation. As described in an earlier blog, we have to decrypt such code layer by layer. In each layer we can see new details of the code: some of them are valuable during the analysis, some of them are not. Have you noticed the clear URLs at the bottom? There is definitely something there to investigate. Again, we can use indentation tools (or, to use their more fashionable name, code beautifiers) to see what is behind the scenes. We can see the Twitter links, which are clean...
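The layer described above (a single-letter substitution standing in for '%', then unescape(), then eval()) can be peeled without running any JavaScript. The following is an added example written for this page, not the post's sample or the author's tooling; it is in Python so the decoding never touches a JavaScript engine, and it returns the decoded source instead of executing it, which is the static equivalent of the post's eval-to-print replacement. The obfuscated string and the iframe target in it are constructed for the example.

```python
import re

# Constructed stand-in for the decoded layer: '%' is stored as 'Z' (substitution
# cipher), after which the real script would call unescape() and eval() on it.
# This is not the sample from the post.
OBFUSCATED_LAYER = "Zu003CiframeZ20src=hxxp://bad.example/Z20width=0Z3EZ3C/iframeZ3E"

# JavaScript's unescape() understands %XX and %uXXXX.
_JS_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """Port of JavaScript's unescape(): decode %XX and %uXXXX sequences.

    Malformed sequences are left untouched, matching the browser behaviour.
    """
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def peel_layer(text, substitutions):
    """Undo one substitution-plus-unescape layer and return the decoded source.

    substitutions maps each cipher character to the character it replaced
    (for the post's sample, {'Z': '%'}). The result is returned, never evaluated.
    """
    for cipher_char, plain_char in substitutions.items():
        text = text.replace(cipher_char, plain_char)
    return js_unescape(text)


def find_urls(text):
    """Pull URLs (including defanged hxxp links) out of a decoded layer."""
    return re.findall(r"(?:https?|hxxps?)://[^\s\"'<>]+", text)


if __name__ == "__main__":
    decoded = peel_layer(OBFUSCATED_LAYER, {"Z": "%"})
    print(decoded)
    print("URLs:", find_urls(decoded))
```

Each further layer of a multi-level sample is handled the same way: identify the cipher the layer uses, decode it to a string, inspect the string, and only then decide what the next layer's cipher is. Running find_urls on every intermediate result is how the clear URLs the post notices at the bottom of the second layer show up early.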



New Zbot campaign comes in a PDF

Posted: 15 Apr 2010 11:45 AM | Patrik Runald | no comments


Websense Security Labs™ has received several reports of a Zbot trojan campaign spreading via email. We have seen over 2200 messages so far. Zbot (also known as Zeus) is an information-stealing trojan (infostealer) that collects confidential data from each infected computer. The main vector for spreading Zbot is a spam campaign where recipients are tricked into opening infected attachments on their computer.

This new variant uses a malicious PDF file which contains the threat as an embedded file. When recipients open the PDF, it asks to save a PDF file called Royal_Mail_Delivery_Notice.pdf. The user falsely assumes that the file is just a PDF, and therefore safe to store on the local computer. The file, however, is really a Windows executable. The malicious PDF launches the dropped file, taking control of the computer. At the time of writing this file has a 20% anti-virus detection rate (SHA1: f1ff07104b7c6a08e06bededd57789e776098b1f).

The threat creates a subdirectory under %SYSTEM32% with the name "lowsec" and drops the "local.ds" and "user.ds" files. These are configuration files for the threat. It also copies itself into %SYSTEM32% as "sdra64.exe" and modifies the registry entry "%SOFTWARE%\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" to launch itself during system startup. When it runs, it injects malicious code into the Winlogon.exe instance in memory. This Zbot variant connects to a malicious remote server in China using the IP address 59.44.[removed].[removed]:6010.

Screen shot of the email message:

Saves the malicious embedded file:

Adobe Acrobat Reader shows a warning about launching the file:

The problem lies deep inside the PDF file format. This technique is similar, but not the same, as the one explained in this blog post. Websense Messaging and Websense Web Security customers are protected against this attack.
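A PDF that carries an embedded file and then launches it is visible in the file's own name objects, so a mail gateway can flag the combination before the attachment reaches a user. The scanner below is an added example written for this page, not the post's analysis or any Websense component. It assumes (based on the post's description, not stated in it) that the mechanism is an /EmbeddedFile stream plus a /Launch action, and it also decodes the #xx escapes the PDF syntax allows in names, so /Laun#63h is counted as /Launch. The sample PDF fragment is constructed for the example and is not the real attachment.

```python
import re

# Name objects worth a second look in an inbound PDF, with what each enables.
SUSPICIOUS_NAMES = {
    "Launch": "launch action: runs an external file or command",
    "EmbeddedFile": "embedded file stream (a dropped payload lives here)",
    "JavaScript": "embedded JavaScript",
    "OpenAction": "action triggered as soon as the document opens",
    "AA": "additional (automatic) actions",
}

_NAME_TOKEN = re.compile(rb"/([A-Za-z0-9#._-]+)")
_HEX_ESCAPE = re.compile(r"#([0-9A-Fa-f]{2})")


def normalise_name(raw):
    """Decode #xx escapes in a PDF name so that /Laun#63h is seen as /Launch."""
    text = raw.decode("latin-1")
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_pdf_indicators(data):
    """Count suspicious name objects in raw PDF bytes.

    This is a plain byte scan: it does not inflate compressed object streams,
    so zero hits here is not proof that the file is clean.
    """
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    for m in _NAME_TOKEN.finditer(data):
        name = normalise_name(m.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def triage(data):
    """Return human-readable findings for the file, including the dropper combination."""
    findings = []
    counts = scan_pdf_indicators(data)
    for name, n in counts.items():
        if n:
            findings.append(f"/{name} x{n}: {SUSPICIOUS_NAMES[name]}")
    if counts["Launch"] and counts["EmbeddedFile"]:
        findings.append("embedded file combined with a launch action: matches the dropper pattern")
    return findings


# Constructed minimal PDF fragment (not the real sample): an embedded file, a
# launch action written once plainly and once with a #-escaped name.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
3 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
4 0 obj << /Type /Action /S /Launch /F (Royal_Mail_Delivery_Notice.pdf) >> endobj
5 0 obj << /Type /Action /S /Laun#63h /F (dropped_file.exe) >> endobj
%%EOF
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_PDF):
        print(line)
```

For production use the scan should run after object streams have been decompressed, since a name hidden inside a FlateDecode stream is invisible to a byte match; the #-escape handling above closes one evasion, not that one.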



This Month in the Threat Webscape - March 2010

Posted: 12 Apr 2010 02:37 PM | Jay Liew | no comments


We presented at RSA 2010 and spoke at the Cloud Security Alliance Summit. Here is our recap of the event.

Major hits

Highlight pwns from CanSecWest's Pwn2Own 2010 hacker contest include:

- Contest winner (Peter Vreugdenhil): IE 8 vulnerability exploited on a fully patched Windows 7 machine.
- A malicious Web site that, when visited from a fully patched iPhone, steals the phone's SMS (text messages), including deleted texts, and uploads them to a server of the attacker's choosing.
- A malicious Web site that, when visited from Safari on a MacBook, allows the attacker full control of the MacBook. This is Charlie Miller's hat trick.
- Mozilla Firefox had a vulnerability exploited with a drive-by download. ASLR and DEP on Windows 7 were bypassed.

In other news, the Sougou BBS Web site was compromised and injected with a malicious iframe. Searching for Corey Haim on Google led to malicious rogue AV Web sites, as did searching for other blackhat SEO poisoned terms like March Madness, and various sensational topics and events.

Web 2 dot uh oh

Last month, we detected that over a quarter million malicious links were posted on various Facebook pages, including those belonging to celebrities like Justin Timberlake. In the blog post, we include a video showing just how quickly the links are spreading. (Note: be careful what you click on!) Websense Security Labs has also been monitoring the latest WordPress attack that saw over 250,000 injections over a span of just 2 weeks.

Browser and friends

Is the fully-patched browser safe? Look at the Vancouver Pwn2Own 2010 contest. Fully-patched IE8, Safari, and Firefox have been hacked. The good news is that the zero-day vulnerabilities the hackers used are not spreading in the wild. This will help the browser vendors to improve their products. Apple released security update 4.0.5 for Safari, patching 16 vulnerabilities. Mozilla has also done a lot of work this month, releasing Firefox 3.6.2, which fixed 15 vulnerabilities. Opera released 10.51 for Windows with two vulnerabilities patched. According to F-Secure's research, PDF-based targeted attacks have been increasing in the past few years, reaching 61.2% in 2010. A good example of this type of attack is a campaign with a FIFA World Cup 2010 theme that spread in the wild in March. Victims receive an email containing a PDF that exploits CVE-2010-0188, though the vulnerability itself dates back to February.

Microsoft

March brought two new Internet Explorer zero-days, one requiring an emergency out-of-band patch and one still unpatched. The first is a vulnerability in Internet Explorer (CVE-2010-0483) that gives attackers remote code execution on the machines of IE users who are tricked into pressing the F1 key for help. The attack involves specially-crafted VBScript and Windows Help Files for IE. While POC code has been released detailing the exploit, no attacks have yet been seen in the wild. Microsoft plans to release...



Celebrity life of Black Hat SEO

Posted: 08 Apr 2010 10:22 PM | Patrik Runald | no comments


It's not a secret that cybercriminals use all sorts of techniques to promote their fake products and services on the Web. To increase the rating of a newly-created fake medical or rogue AV Web site, criminals sharpen their skills in Black Hat SEO (search engine optimization). While White Hat SEO is used by basically all businesses as well as non-profit sites, Black Hat SEO poisoning is mostly used for sites that do not want to build their traffic and popularity in a natural way.

In some ways Black Hat SEO is a kind of celebrity life: popularity can rise in a couple of weeks or even days and then be abandoned just as quickly. In both cases, this short popularity span can bring enough attention or revenue that it's not in vain. Search engines like Google, Yahoo, or Yandex invent new solutions every day to filter sites using Black Hat techniques and stop them achieving their aim, which is to be seen on the first pages of search engine results when people are looking for genuine information. If such sites manage to reach top search result positions, the traffic generated by people visiting the Web site rapidly increases. It is worthwhile for Black Hat SEO teams, even with the risk of being shut down, because of the immediate visibility their site gets: their 15 minutes of fame. This is another similarity to a celebrity's life: to be banned only once means they will never be highly rated again. The popularity can be built fast, and destroyed even faster.

There are many common techniques used in Black Hat SEO which lead to more or less the same target. It all depends on the time available, the ability to take a risk, and of course, money.

Backlinks: the most common and popular technique. It is not important how many links you point at, but how many links point to you. It's even better if the links are bidirectional, which is of course more difficult to achieve. Therefore "link farms" became a popular service not long ago, offering many servers pointing to one specific site or pointing to each other to build inter-linking. This approach was quickly discovered and cracked down on pretty well by companies like Google, Yahoo, and others. So the Black Hat guys started to infect pages through mass injections or other malicious means to get such links working in invisible form (hidden links) or in a quite visible way, automatically populating forums, blogs, and directories. Of course, not every link has the same weight. There is a difference between a link whose description says "Go here" and points to "Quality meds", and one with a precise description. Also, links coming from high-ranked sites are weighted much more. Another approach is using a high-ranked domain (for example, YouTube) to propagate such products and services; accounts that have existed for a long time are especially likely to get better visibility.

Image Crafting: every search engine advances...

