
May 2010 Posts

Zeus is forwarding Adobe updates again
Posted: 18 May 2010 10:02 AM

Websense® Security Labs™ ThreatSeeker™ Network has detected a new batch of malicious emails containing Zeus payloads. This campaign is very similar to another that Adobe reported on a couple of weeks ago, but the social engineering in this campaign has gotten considerably better. The messages appear to be forwarded from a Director of Information Services who apparently received update instructions directly from an associate at Adobe. The message from the Adobe associate states that the update link is to patch CVE-2010-0193. There are two links in the message that lead to the same IP address, which hosts a PDF file with instructions and an executable that is meant to be the patch to apply. The executable, named adbp932b.exe (SHA1 0632f562c6c89903b56da235af237dc4b72efeb3), has minimal antivirus coverage of about 7%.

 

Screen shot of malicious email:

 

The kicker in these messages is actually the update.pdf document (SHA1 d408898e33c207eceea6d5b2affdac8ec266f77e). What would be expected of a malicious email with a PDF attachment is that the PDF would contain an exploit of some sort that attempts to take over the recipient's computer. This case is much different, probably because the attackers are working the social engineering angle and counting on the weakest link in the security chain, the end user. The document is actually benign: it provides the same link as the email to download the "security patch" and tells you to "Click run in each window that appears". Sharp eyes will notice that the IP address leading to the malicious application and the IP address shown in the screen shot of the document are not the same. This ploy of an authentic-looking, non-malicious PDF document is an attempt to convince recipients that the instructions it contains are genuine.

 

Screen shot of attached PDF document:

 

Websense Messaging and Websense Web Security customers are protected against this attack.

 

Update:

 

The attackers sending these messages have taken their social engineering tactics even further with the executable file linked in the messages. There is a new executable hosted on the attacker's IP address (SHA1 7af53e5924b45ebcb48d8b17e20b66a5979600f3) that behaves like a typical installer. There are even setup prompts and an EULA as you move through the installation, but once the installation is complete, a backdoor is installed on the victim's computer. Because we have seen such a small number of messages, and because this installer infects with a backdoor, we believe this to be another targeted attack.

 

Screen shots of the installation process:

Chris Astacio

"Sexiest Video Ever" on Facebook
Posted: 15 May 2010 04:15 AM

A new piece of malware is making its way across Facebook in messages that claim to be "the sexiest video ever". A screen shot of the message can be seen below.


When clicking on the "video", you are taken to an application installation screen asking you to allow it to access your profile, wall, etc. Once approved, it claims you have to download an updated FLV Player to view the video and promptly sends an EXE your way.


This is the Hotbar adware, which displays ads in your browser based on your browsing habits. In addition, the Facebook application just installed will post messages on your friends' walls on your behalf with the same "sexiest video ever" message.

 

We have seen these malicious applications use names such as K-Multimedia and Winamp.

 

Here's a video of how it works.


As always, be careful of links you click on Facebook. Note that if you clicked on the link but didn't allow the application access to your profile, you are safe. You can also install our security application for Facebook, the world's first and only security app that protects your wall from unwanted messages. It's available for free at http://defensio.com

Patrik Runald

This Month in the Threat Webscape - April 2010
Posted: 13 May 2010 07:05 AM

Major hits

 

Palm's mobile platform, WebOS, failed many basic security measures. White hat hackers found that WebOS could be exploited by specially crafted text messages (SMS). The Apache Foundation's web servers were compromised in an attack that used a combination of cross-site scripting (XSS) vulnerabilities and a URL shortener (TinyURL). In other news, 1.5 million Facebook accounts were up for sale in the malicious underground. The price per 1,000 compromised accounts was segmented by how many friends each compromised account had (the more friends, the more valuable the account).

 

Web 2.0 uh oh

 

There was a mass compromise of fully patched WordPress installations hosted by Network Solutions. It turns out that the passwords were stored in plain text in a config file that is supposed to be readable only by Apache (and not anyone else), but victims had incorrectly set the file permissions so that it was readable by the attacker. The attacker then inserted an iframe that led to a malicious web site. Ever wonder if bad guys are using Twitter's API? We do. Here's an analysis of how malicious web sites are using Twitter's API to make it appear that their operations are unpredictable.

 

Browser and friends

 

A Java zero-day vulnerability has been exploited in the wild. The vulnerability was discovered independently by two researchers (Tavis Ormandy and Ruben Santamarta), and Tavis Ormandy informed Oracle. Details were published and a demo of the exploit was made available (it launches the calculator). Pity that Oracle's patch arrived a little late; Websense found dozens of web sites that contained the exploit code before the patch was available. Please keep your Java installation updated.

 

Adobe released a new update for Adobe Reader that patched 15 vulnerabilities.

 

Apple patched vulnerability CVE-2010-1120 in the Safari browser. This was discovered by Charlie Miller, who used the vulnerability in hacking a fully-patched Macbook at 2010 Pwn2Own. A patch for Quicktime also was delivered this month; 16 vulnerabilities were fixed.

Mozilla also gave a quick response to the vulnerability discovered at 2010 Pwn2Own. The vulnerability was fixed in Firefox 3.6.3.

 

Microsoft

 

April's Patch Tuesday included fixes for several drive-by remote code execution vulnerabilities affecting Windows, Microsoft Exchange, and Office. Security researchers at Black Hat EU released a proof-of-concept exploit demonstrating an XSS flaw in the Internet Explorer filter that is designed to protect against such attacks. Microsoft plans to release a patch in June. One of the Patch Tuesday fixes, addressing a remote code execution bug in Windows Media Services (MS10-025), failed to fix the underlying vulnerability and was re-released two weeks later, on April 27.

 

Hello ThreatSeeker. You've got mail!

 

Who says that you can't teach an old dog new tricks? This month one of the longstanding and more popular threats showed why it's still used so much, by adopting yet another new tactic. We reported on the Zeus gang sending out new types of PDF attacks. These attacks used a variation of the /Launch attack (reported by Didier Stevens earlier in the month) to attempt to socially engineer the victim into running an embedded executable. The messages contained these poisoned PDF attachments and enticed the user into opening the PDF by making the victim think that the file contained a report of a missed package.

 

In another interesting campaign, there were spam messages that looked as though they came from Twitter. Each message spoofed the "From" address to trick recipients into thinking that it was a legitimate message coming from Twitter's support team. The content of the messages was very believable, because it was basically a scrape of legitimate emails from Twitter notifying users that they had messages waiting. However, the link targets (href attributes) in the messages were modified, so that the links actually led to bogus pharmaceutical sites.

Security Trends

 

According to the Microsoft Malware Protection Center (MMPC), the latest wave of zero-day malware attacks targeting a flaw in the Internet Explorer browser hit computers in over 50 countries. Most frequently targeted were computers in China and Korea, with the US trailing a distant third.

 

Hackers discovered a way to run an embedded executable within a PDF file without using any JavaScript and without having to exploit any vulnerabilities. Didier Stevens' Escape From PDF hack and Jeremy Conway's POC show a way to control the message presented to the end user. When combined with clever social engineering techniques, PDF readers could potentially allow code execution attacks if a user simply opened a rigged PDF file.

 

Speaking of running an embedded executable within a PDF file, the Zeus malware attacks are now using the “/launch” command feature in Adobe Reader to launch malicious attacks without exploiting a vulnerability in the software. The PDF file contains another PDF file as an attachment that has been compressed inside the file. This attachment is actually an executable file that, if run, will install the Zeus bot.

 

Google’s Security Team is about to release the results from their 13-month study into the growth of Fake AV. The analysis shows that Fake AV currently accounts for 15% of all malware that Google detects on the web, and is responsible for 50% of all malware delivered via advertisements. Also, Fake AV attacks account for 60% of the malware discovered on domains that include trending keywords.

 



This month's contributors:

- Chris Astacio (Security & Technology Research)

- Erik Buchanan (Security & Technology Research)

- Lei Li (Security & Technology Research)

- Ulysses Wang (Security & Technology Research)

- Jay Liew (Security & Technology Research)

Jay Liew

New Malspam: Please review my CV, Thank you!
Posted: 11 May 2010 08:33 PM

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new job-search related malware spam outbreak today. The spam is designed to reach the inboxes of Human Resources staff and infect their computers; it asks them to review a CV without saying what position the application is for. Moreover, some attachments are disguised as picture files, which might catch some email recipients off guard and make them open the attachment. We have seen more than 230,000 samples in 4 hours this morning, and the number is increasing quickly.

 

Snapshot of the spam:


Inside the ZIP file is an executable that contains the Oficla bot. This connects to a URL on the davidopolko.ru domain for its C&C functions. It also connects to topcarmitsubishi.com.br, get-money-now.net, mamapapalol.com and li1i16b0.com. Just over half of the AV vendors have detection for this attack according to VirusTotal.

 

Once run, it changes the wallpaper to tell you that your PC is infected.


After that, it downloads and installs a rogue AV called Security essentials 2010.


Update: Added more domains the malware connects to.

 

Websense Messaging and Websense Web Security customers are protected against this attack.

Tim Xia

Don't use that new Facebook Toolbar, I mean backdoor!
Posted: 11 May 2010 08:20 AM

Today our email honeypots found a new message that purported to be from Facebook, advertising a new toolbar. The From line was spoofed to look like the message had actually been sent from the Facebook team. There is no specific recipient name in the message, so it's very generic in how it's addressed. When a recipient downloads and runs the toolbar.exe file (SHA1 51bcf2fc766e7e59f9b8face45b18843a36f37a5) using a link in the message, they are installing a backdoor that has decent coverage as a Zapchast IRC backdoor threat.

 

Screenshot of the malicious Facebook Toolbar email:

 

Websense Messaging and Websense Web Security customers are protected against this attack.

Chris Astacio

BlackHat SEO Abuse Of UK General Election
Posted: 07 May 2010 07:24 AM

Websense Security Labs™ ThreatSeeker™ Network has discovered that search terms relating to the UK General Election are delivering rogue antivirus to end users through the use of BlackHat SEO.

 

The British General Election polls closed yesterday, and news of the results is gradually making its way into traditional press and online media.  The topical nature of the event is being abused by malware authors to direct users to rogue (fake) antivirus applications, the payloads of which are hosted on a Polish Web hosting provider, a trend that we have seen recently.

 

Screenshot of Google search result:


Typical search terms that will return malicious links include:
uk election news
uk election
british election 2010
british election results
uk general election 2010

 

The user is directed to a Web site delivering rogue antivirus:


A VirusTotal result of the payload file (SHA1: 15e1cdebe76aafb97409c4354cf8724542208f8c) shows only a 25% detection rate by AV vendors.

 

Websense Messaging and Websense Web Security customers are protected against this attack.

Carl Leonard

phpnuke.org has been compromised
Posted: 06 May 2010 11:25 PM

Websense® Security Labs™ ThreatSeeker™ Network has discovered that the popular Web site, phpnuke.org, has been compromised.

 

PHP-Nuke is a popular Web content management system (CMS), based on PHP and a database such as MySQL, PostgreSQL, Sybase, or Adabas. Earlier versions were open source and free software released under the GNU General Public License, but since then it has become commercial software. As it is still very popular in the Internet community, it is not surprising that it has become a target of blackhat attacks.


The injected iframe hijacks the browser to a malicious site, where through several steps of iframe redirections the user finally ends up on a highly obfuscated malicious page.


After de-obfuscating the code, we can see three different exploits, two of them targeting Internet Explorer and the third one targeting Adobe Reader.

 

The first exploit targets a vulnerability in MDAC (CVE-2006-0003), described in Microsoft Security Bulletin MS06-014. If it succeeds, a malicious application is downloaded and stored in "%temp%\updates.exe". After this the downloaded trojan is executed, at which point it installs itself on the computer and attempts to access several Web sites.


The second exploit uses a Java vulnerability to spawn shellcode, which then initiates the download action. After downloading the malicious executable, everything works as described above.

 

The third exploit is a PDF exploit; this actually merges three exploits targeting Adobe Reader. First the JavaScript in the HTML page checks whether Adobe Reader is exploitable by checking its version number. The version should be between 7 and 7.1.4, 8 and 8.1.7, or 9 and 9.4. When a vulnerable version is found, the exploit downloads the malicious PDF file, and as it is loaded by Adobe Reader, the malicious ActionScript in the file is executed automatically. The PDF itself contains an obfuscated ActionScript that utilizes one of the three different PDF exploits it hides. These are CVE-2009-4324, CVE-2007-5659, and CVE-2009-0927. If it succeeds, the download and installation of updates.exe happens in a similar manner to that described earlier.

 

The downloaded executable is detected by 12% of antivirus products, according to VirusTotal.

 

WARNING: At the time of writing the front page of phpnuke.org still contains the malicious iframe, so we advise users to stay away from the site until it has been fixed.

 

Websense Messaging and Websense Web Security customers are protected against this attack.

Tamas Rudnai

Buying iTunes Gift Certificate Malware Spam
Posted: 06 May 2010 05:51 PM

Websense® Security Labs™ ThreatSeeker™ Network has discovered that a "Thank you for buying iTunes Gift Certificate!" themed malware spam is spreading quickly over the Internet. It disguises itself as a notification from the iTunes Store, asking users to open the attached malware to confirm the certificate code it claims to contain. So far, we have received over 300,000 copies of the scam in the latter part of this afternoon.

Screenshot of the spam:

The malware attached to the spam email message has been detected by some heuristic AV engines; however, the detection rate is still very low.

Websense Messaging and Websense Web Security customers are protected against this attack.

Extracting Malicious Codes from the Process Memory: ZeuS Case
Posted: 04 May 2010 06:53 PM

In my last article, Analyzing Malwares Using Microsoft Tools, we collected a process dump image with an infected ZeuS variant inside it. In this article, we will go through the procedure for separating the ZeuS part from the other parts. With the extracted binary data, we can disassemble it using IDA. You may wonder whether it's possible to disassemble an image taken out of a process dump. In this case, the ZeuS variant injected a valid DLL file into the process and somehow managed to hide the existence of the DLL so that it would not appear in the loaded modules list. We can locate that image and take it out using a few tricks.

In the previous article, we found that the following APIs were hooked:

 

ws2_32.dll:
send, WSASend, closesocket

wininet.dll:
InternetCloseHandle, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetQueryDataAvailable, HttpSendRequestExW, InternetReadFileExA, HttpSendRequestW, HttpSendRequestExA

crypt32.dll:
PFXImportCertStore

user32.dll:
TranslateMessage, DefWindowProcW, NtUserBeginPaint, NtUserEndPaint, DefWindowProcA, GetClipboardData

ntdll.dll:
ZwCreateThread, NtQueryDirectoryFile

 

With the list of hooked APIs in mind, open the process dump file using Windbg. Then use the "u" (disassemble) command to check the first instruction of each hooked function. Below are some examples:

 

0:000> u ws2_32!send L1
ws2_32!send:
71ab428a e911990c8f jmp 00b7dba0

0:000> u ws2_32!WSASend L1
ws2_32!WSASend:
71ab6233 e985790c8f jmp 00b7dbbd

0:000> u crypt32!PFXImportCertStore L1
crypt32!PFXImportCertStore:
77aef748 e9f7e50889 jmp 00b7dd44

0:000> u ntdll!ZwCreateThread L1
ntdll!ZwCreateThread:
7c90d7d2 e955962784 jmp 00b86e2c

0:000> u ntdll!NtQueryDirectoryFile L1
ntdll!NtQueryDirectoryFile:
7c90df5e e927902784 jmp 00b86f8a
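As an added example (not part of the original article), the Python script below does by hand what the reader does when looking at these listings: it parses the Windbg "u" output, decodes each E9 rel32 jump into its absolute target, flags targets that fall outside every loaded module (the inline-hook signature shown above), and rounds the targets down to candidate region bases to feed to "!address". The module ranges are assumed values for illustration, not taken from the article.

```python
import re
import struct

# Constructed input: the "u <symbol> L1" listings from the article, pasted as text.
SAMPLE_WINDBG_OUTPUT = """
ws2_32!send:
71ab428a e911990c8f jmp 00b7dba0
ws2_32!WSASend:
71ab6233 e985790c8f jmp 00b7dbbd
crypt32!PFXImportCertStore:
77aef748 e9f7e50889 jmp 00b7dd44
ntdll!ZwCreateThread:
7c90d7d2 e955962784 jmp 00b86e2c
ntdll!NtQueryDirectoryFile:
7c90df5e e927902784 jmp 00b86f8a
"""

# Assumed module ranges, as "lm" would list them; the values are illustrative only.
SAMPLE_MODULE_RANGES = {
    "ws2_32": (0x71AB0000, 0x71AC7000),
    "crypt32": (0x77A80000, 0x77B15000),
    "ntdll": (0x7C900000, 0x7C9B2000),
}

SYMBOL_RE = re.compile(r"^(\w+)!(\w+):$")
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(\S+)(?:\s+(\S+))?$")

def decode_jmp_rel32(address, opcode_bytes):
    """Return the absolute target of an E9 rel32 jmp located at `address`, or
    None if the bytes are not such a jump. x86 adds the signed displacement to
    the address of the *next* instruction (address + 5), wrapped to 32 bits."""
    if len(opcode_bytes) != 5 or opcode_bytes[0] != 0xE9:
        return None
    displacement = struct.unpack("<i", opcode_bytes[1:])[0]
    return (address + 5 + displacement) & 0xFFFFFFFF

def parse_hooks(text):
    """Walk Windbg 'u' output and return [(module, symbol, address, target)]
    for every function whose first instruction is an unconditional jmp."""
    hooks, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        sym = SYMBOL_RE.match(line)
        if sym:
            pending = (sym.group(1), sym.group(2))
            continue
        insn = INSN_RE.match(line)
        if insn and pending:
            address = int(insn.group(1), 16)
            target = decode_jmp_rel32(address, bytes.fromhex(insn.group(2)))
            if target is not None:
                hooks.append((pending[0], pending[1], address, target))
            pending = None
    return hooks

def suspicious_hooks(hooks, module_ranges):
    """Keep only jumps whose target lies in no loaded module: a prologue jmp
    into private memory is the inline-hook pattern the article shows."""
    return [h for h in hooks
            if not any(start <= h[3] < end for start, end in module_ranges.values())]

def candidate_regions(hooks, granularity=0x10000):
    """Round hook targets down to the allocation granularity; these are the
    addresses worth passing to !address to find the injected region."""
    return sorted({target & ~(granularity - 1) for _, _, _, target in hooks})
```

The two candidate bases it reports for the article's listing both fall inside the single 0x26000-byte region that "!address" identifies further down.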

 

From the installed inline hooks, we can get the memory region where the hooking function is installed. Here is one of the "!address" results from the hooking function's addresses:

 

0:000> !address 00b7dd44
00b70000 : 00b70000 - 00026000
Type 00020000 MEM_PRIVATE
Protect 00000040 PAGE_EXECUTE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageIsVAD

 

The memory region starts from 0xb70000 and the size is 0x26000 bytes. Let's just dump the start of the memory region using the "db" command, which dumps memory by bytes.



Yes, we got the start of the PE file: we can see the 'MZ' signature and part of the DOS header. What we have to do now is simply dump the memory region to a file. Windbg provides a command called ".writemem" to write memory regions to a file.

The following command dumps the region of memory to the file "C:\Malwares\00b70000.bin".

 

0:000> .writemem C:\Malwares\00b70000.bin b70000 L26000
Writing 26000 bytes............................................................................

 

We open the file using IDA. It seems to be successful, until we find that there is something wrong with the disassembly listing.

 

First we get some error message dialog boxes:

 

Figure 1: Virtual Address Translation Error

 

We see that the imports table is empty:

 

Figure 2: Empty Imports Table

 

Even call instructions are referencing some invalid addresses:

 

Figure 3: Call Referencing Invalid Region

 

We notice broken data referencing:


This is happening because the base address for image loading is different from what is set in the PE header. We can check the value of the image base defined in the PE header by looking at the top of the IDA disassembly listing. In this case, the image base is set as 0x400000 as you can see from the following picture, but the image base when we dumped the image was actually 0xb70000.

 

Figure 4: Image Base is 0x400000

 

Will fixing only the image base solve the issues? No. We also need to take care of the section relocations. When the PE file is loaded into the process address space, it is not simply copied byte for byte: the sections inside are placed according to their virtual addresses. Each section has its position and size in the physical file, and also a virtual address region it is mapped to. All of this information is in the PE file header.

We used the pefile Python module from Ero Carrera to achieve the PE file manipulation. Here's the source code for the script that we used:

 

import pefile
import sys

# Usage: Rebase.py <dumped_image> <output_file> <new_image_base_in_hex>
filename = sys.argv[1]
out_filename = sys.argv[2]
rebase_address = int(sys.argv[3], 16)

pe = pefile.PE(filename)
print("Rebasing from %s to %s" % (hex(pe.OPTIONAL_HEADER.ImageBase), hex(rebase_address)))

# Point ImageBase at the address the module actually occupied in the process.
pe.OPTIONAL_HEADER.ImageBase = rebase_address

# The dump is a memory image, so each section already lies at its RVA:
# make the file offset of each section equal its virtual address.
for section in pe.sections:
    section.PointerToRawData = section.VirtualAddress

pe.write(out_filename)

 

Save the python script as "Rebase.py" file. Here's how you can use the script:

 

c:\python26\python Rebase.py 00b70000.bin 00b70000_rebased.bin 0xb70000

 

This command re-bases the image to 0xb70000 and also corrects the section location information by setting PointerToRawData to the same value as VirtualAddress. PointerToRawData is the offset in the file where the section starts; since we dumped the image from memory, that offset should equal the VirtualAddress.
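The following Python script is added here and is not the article's own code: it performs the same rebase without the pefile module by walking the PE headers directly, so the ImageBase and PointerToRawData fixes can be seen field by field, and it additionally sets SizeOfRawData to the in-memory section size (clamped to what was dumped), which the article's script does not do. The two-section image it rebases is constructed inline to mirror the situation above: headers say ImageBase 0x400000 and on-disk section offsets, while the data actually sits at its RVAs.

```python
import struct

PE32_MAGIC = 0x10B
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_BASE_OFF = 28           # offset of ImageBase inside a PE32 optional header

def _locate_headers(buf):
    """Validate the MZ/PE signatures of a PE32 image and return
    (optional_header_offset, number_of_sections, size_of_optional_header)."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", buf, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled here")
    return opt, num_sections, opt_size

def read_image_base(data):
    opt = _locate_headers(data)[0]
    return struct.unpack_from("<I", data, opt + IMAGE_BASE_OFF)[0]

def rebase_memory_dump(data, new_base):
    """Patch a PE32 memory dump so a disassembler loads it at new_base.
    Returns (patched_bytes, old_image_base, [(name, old_ptr, new_ptr, new_size)])."""
    buf = bytearray(data)
    opt, num_sections, opt_size = _locate_headers(buf)
    old_base = struct.unpack_from("<I", buf, opt + IMAGE_BASE_OFF)[0]
    struct.pack_into("<I", buf, opt + IMAGE_BASE_OFF, new_base)
    changes = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40
        fields = list(struct.unpack_from(SECTION_HDR, buf, off))
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        virt_size, virt_addr, raw_size, raw_ptr = fields[1:5]
        # The section data already sits at its RVA in the dump, so the file
        # offset becomes the RVA; the raw size becomes the in-memory size.
        new_size = min(virt_size or raw_size, max(0, len(buf) - virt_addr))
        fields[3], fields[4] = new_size, virt_addr
        struct.pack_into(SECTION_HDR, buf, off, *fields)
        changes.append((name, raw_ptr, virt_addr, new_size))
    return bytes(buf), old_base, changes

def build_sample_dump():
    """Constructed two-section PE32 laid out as it would be in memory
    (headers at 0, .text at RVA 0x1000, .data at RVA 0x2000) but still carrying
    the on-disk header values ImageBase=0x400000 and PointerToRawData=0x400/0x600."""
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 9, 0, 0x200, 0x200, 0,
                      0x1000, 0x1000, 0x2000, 0x400000)
    opt += struct.pack("<II", 0x1000, 0x200) + b"\0" * 16 + struct.pack("<II", 0x3000, 0x400)
    opt += b"\0" * (0xE0 - len(opt))
    sections = struct.pack(SECTION_HDR, b".text", 0x20, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack(SECTION_HDR, b".data", 0x10, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)
    headers += b"\0" * (0x80 - len(headers)) + b"PE\0\0" + file_hdr + opt + sections
    image = bytearray(0x3000)
    image[:len(headers)] = headers
    image[0x1000:0x1004] = b"\x55\x8b\xec\xc3"   # push ebp; mov ebp, esp; ret
    image[0x2000:0x2006] = b"hello\0"
    return bytes(image)
```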

After running the script, open up the re-based image "00b70000_rebased.bin" using IDA.

Now we have a valid and good imports table:

 

Figure 5: Valid Imports Table

 

Call instructions are referencing valid APIs:

 

Figure 6: Call Instruction Referencing Valid APIs

 

Also, the string referencing is corrected and shows good values:

 

Figure 7: Valid String Data



Conclusion

Retrieving injected modules and making them valid for disassembling is possible with a few Windbg tricks and Python scripts. Tracing malicious code inside a debugger doesn't compare to having it inside a full-blown disassembler. The script presented in this article can be applied to any injected module in the Windows environment.

Next time we are going to talk about automated scripts that will do all the jobs that we have done with a single command.

Thanks and have a great reversing!

 

Matt Oh

Treasury websites compromised
Posted: 03 May 2010 04:50 PM

A few of the US Treasury websites were compromised today and loaded a hidden iframe containing exploit code to anyone who visited the following three sites:

 

  • bep.gov
  • bep.treas.gov
  • moneyfactory.gov

 

The code that was loaded can be seen in the screen shot below.


This iframe loads a page from gr[REMOVED]ad.com (hosted in Turkey) which in turn redirects to si[REMOVED]e-g.com/jobs/ (hosted in The Netherlands) which is where the exploits are hosted. In this case it's the Eleonore Exploit Kit that is used which has support for several vulnerabilities in Adobe Reader, Flash, Internet Explorer etc. In the video below you can see how the exploit kit pushes a malicious PDF to the user which exploits a vulnerability in Adobe Reader. At the time of writing only 20% of all AV vendors detected that file.


Our customers were protected against this proactively as we had real-time signatures available that blocked all the exploits.

 



Patrik Runald


©2013 Websense, Inc. All Rights Reserved.