Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

View all posts > 

Filtered by : Reverse Engineering, Exploits

In 2011, this exploit kit won't work

Posted: 30 Dec 2010 10:30 AM | Chris Astacio

And some Web sites will be a lot safer! While reviewing incidents and deobfuscating a Web site today, I discovered an installation of a particular exploit kit that won't work after New Year's Eve.  The site I found caught my attention because the code simply looks like garbage.  As the saying goes, "One man's trash is another man's treasure."  So I started digging into the obfuscation of the code and found something that I thought would be topical considering today's date.  The code in this exploit kit will actually expire at midnight on New Year's Eve local time!  In this post, I'll cover how I came across this and show you how and why the exploit kit installations will expire.


Here is a screen shot of the code in the original state as I found it:



Filed under: , ,

1 comment(s)

Installation Protection Mechanisms of Phoenix Exploit's Kit

Posted: 27 Dec 2010 12:00 PM | Chris Astacio

As part of my research within Websense Security Labs, I collaborate with a group of researchers tasked with profiling exploit kits.  This helps us refine the analytics used in ACE, our Advanced Classification Engine.  In this post I want to cover the installation of Phoenix Exploit's Kit.  I'm not going to tell you how to install and use it, but I will cover some of the more interesting aspects of installation.  Specifically, I want to cover how the developers protect their code from being reverse engineered and how the developers have attempted to keep researchers from poking around in installed kits. 



Filed under: , , ,

2 comment(s)

Crypto-Analysis in Shellcode Detection

Posted: 03 Jun 2010 03:32 AM | Tamas Rudnai

Probably the biggest computer threats nowadays are the Exploits . Exploits seek out the vulnerabilities of an application to launch their malicious activities. Cyber criminals target popular applications such as Shockwave Flash and Adobe Acrobat PDF to keep the chances high that a user's computer is vulnerable. In this blog we will examine a Flash exploit using a very simple crypto-analysis technique we call X-ray. Crypto-analysis of malicious code is not a new technology or invention. It has been used in fighting MS-DOS viruses since the '90s. This article provides an in-depth, detailed discussion on this subject, explaining how it works and how it can be used for malicious content detection in shell code. First we need to understand the X-ray technique and how it works, and then we can see how it helps us to analyze and detect malicious content in shell code. X-ray is basically a differential crypto-analysis method which is a very easy way to attack simple encrypted data. What we assume is that when a simple block encryption algorithm is used, the difference between the consecutive data blocks remains the same. One very good way to explain this is to encrypt a picture and then try decrypting it. Take a look at this picture: The picture does not tell us much, except that we can see that it is encrypted. It looks random enough, even though we can spot some repetition. In fact the algorithm used is very simple stream ciphering with some avalanche effect. The result is a picture that suggests very little about itself. However, when we generate the difference in between the consecutive bytes, we get this: Ah-ha! Now we see that this is the logo of our secret weapon against Internet threats. :-) (See the original graphic below) Now, no wonder it is called X-ray! We may not see the 'skin', but we clearly see the 'bones'. The resulting picture is far from the original one, but is good enough to see what it was. Nice, but how does it work? To understand, we need to get into the math behind cryptography. Take a look at this very simple block ciphering algorithm. We have a message of: Where M is the n length of plaintext message and m is the block of the message (typically a character). In order to get the ciphered message of: Where C is the n length of ciphertext (encrypted) message and c is the block of the message (typically a character), we need to apply an encryption to each one of the message blocks using the same key: Where E is the encryption algorithm using k key. When E encryption algorithm is a simple XOR using the same k key on each block, then the (above) formula gives us the encrypted stream. Usually we see this simple method in shell code with byte size blocks. In other words, each one of the characters of clear text is simply XORed with a constant (see the pseudo code). The reason this kind of encryption is so popular is that it is easy to understand and it is also easy to obfuscate the data and the code sections enough...


Filed under: , , ,

no comments