Today s malicious code threat js scob trojan analysis
Download
1 / 20

Today s Malicious Code Threat JS.Scob.Trojan Analysis - PowerPoint PPT Presentation


  • 540 Views
  • Uploaded on

Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis. Peter Schawacker, CISSP. Overview. The JS.Scob.Trojan Timeline IE Security Overview How the attacks work Effects Solutions. Scob. AKA Download.Ject JS.Scob.Trojan JS.Toofeer Backdoor.Berbew.F JS.Toofeer . MS04-011? ?. Scob.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Today s Malicious Code Threat JS.Scob.Trojan Analysis' - etta


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Today s malicious code threat js scob trojan analysis

Today’s Malicious Code Threat ~JS.Scob.Trojan Analysis

Peter Schawacker, CISSP


Overview
Overview

  • The JS.Scob.Trojan

  • Timeline

  • IE Security Overview

  • How the attacks work

  • Effects

  • Solutions


Scob

  • AKA

    • Download.Ject

    • JS.Scob.Trojan

    • JS.Toofeer

    • Backdoor.Berbew.F

    • JS.Toofeer


MS04-011??

Scob


Internet explorer security
Internet Explorer Security

  • Cross Domain Model

    • Local Machine Zone

    • "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."


Timeline adodb stream object bug
Timeline: ADODB.Stream Object Bug

  • FullDisclosure Post August 26, 2003!!

  • IE Bug allows client-side code execution

  • Detailed Analysis

    • http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html

    • Harmless example: http://62.131.86.111/security/idiots/repro/installer.htm


Scob discovered june 24
Scob Discovered June 24

  • The original post is available in the June 24 Internet Storm Center Handlers Diary

    • http://isc.sans.org/diary.php?date=2004-06-24&isc=400aeeda81e747d8889dacd941b7ebf6


Effects
Effects

  • Trojan horse installation – Scob

  • Purpose of trojan to steal accounts

  • An account is an identity!!

  • First time web servers used since Nimda


Compromised iis servers
Compromised IIS Servers

  • A file is dropped on an IIS Server and subsequently executed to prepare the server. The relevant actions are:

    • File is dropped on IIS Server

    • Create ads.vbs

    • Drop files in C:\winnt\system32\inetsrv/iis###.dll

    • Server configured to use this file as a footer

  • Modify the configuration of the IIS Server such that served web pages are appended by a footer that contains malicious Java code


What scob does
What Scob does

  • Redirects IE to http://217.107.218.147/dot.php

  • Visitor redirected to a file called new.html

  • Exploit code redirects the visitor to Shellscript_loader.js

  • In turn, downloads and installs msits.exe

    • (ADODB.Stream Object File Installation Weakness vulnerability)


What scob does continued
What Scob does (continued)

  • msits.exe application writes itself to a random executable file in c:/winnt/system32

    • Windows Media Player?

  • Reruns the process from the system directory.

  • Copies two HTML forms, crude login templates and a log file (surf.dat) to the system directory

  • msits.exe attempts to record authentication credentials and their corresponding URLs

  • Quasi-rootkit patches “PhysicalMemory” device

    • Doesn’t appear in Task List


Sites of interest to scob msits exe

Paypal.com

Signin.ebay

.earthlink.

juno.com

my.juno.com/s

webmail.juno.com

yahoo.com

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.ph

http://lovingod.host.sk/index.ph

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

http://kadet.ru/index.htm

http://cvv.ru/index.htm

http://crutop.nu/index.htm

http://crutop.ru/index.htm

http://mazafaka.ru/index.htm

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

Sites of Interest to Scob/msits.exe


Workarounds
Workarounds

  • Set the “Kill Bit” on the ADODB.Stream Object (no patch from MS)

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveXCompatibility\{00000566-0000-0010-8000-00AA006D2EA4}] "CompatibilityFlags"=dword:00000400

  • Make Local Zone/My Computer Zone visible from the Internet Options Security tab

  • Don’t use IE (USCERT) (!!)


Host ips countermeasures iis server
Host IPS Countermeasures (IIS Server)

  • Triggers event “IIS Shielding - File Mod. in System folder”

  • Triggers event “IIS Shielding - Conf. File Activity (ADMCOMConnect)”


Network ips countermeasures iis
Network IPS Countermeasures (IIS)

  • SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs

  • KERBEROS: Microsoft Kerberos ASN.1 Double Free Encoding Error

  • LDAP: Active Directory BO

  • SSL: Invalid Client Hell Cipher Suite Value

  • SSL: Overly Long PCT Client Hello Challenge

  • SSL: Microsoft ASN.1 Double Free Code Execution

  • SSL: PCT THCLame Challenge Buffer Overflow

  • DCERPC: Microsoft Windows LSASS Buffer Overflow

  • DCERPC: Microsoft RPC DCOM Buffer Overflow

  • DCERPC: Microsoft RPCSS Heap Overflow

  • DCERPC: Microsoft Message Queue Service Heap Overflow

  • DCERPC: Microsoft Messenger Service Buffer Overflow

  • DCERPC: Microsoft Workstation Service Buffer Overflow

  • DCERPC: W32/Gaobot.worm Detected


Ips countermeasures ie client
IPS Countermeasures (IE Client)

  • Triggers event "IE Envelope Suspicious Executable Modification”


Anti virus
Anti-virus

  • Detected by McAfee VirusScan

    • BackDoor-AXJ.gen

    • VBS/Psyme  

    • Exploit-MhtRedir.gen

    • BackDoor-AXJ.dll


Why is this important
Why is this important?

  • What if your web server is trojaned?

  • What if your desktop is trojaned?

  • Who is doing this?

  • What’s next?

  • What should be done?


Sources
Sources

  • http://www.microsoft.com/security/incident/download_ject.mspx

  • http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

  • http://62.131.86.111/analysis.htm

  • http://www.incidents.org/


Questions
Questions


ad