Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis PowerPoint PPT Presentation




Presentation Transcript



Today’s Malicious Code Threat ~JS.Scob.Trojan Analysis

Peter Schawacker, CISSP



Overview

  • The JS.Scob.Trojan

  • Timeline

  • IE Security Overview

  • How the attacks work

  • Effects

  • Solutions



Scob

  • AKA

    • Download.Ject

    • JS.Scob.Trojan

    • JS.Toofeer

    • Backdoor.Berbew.F



MS04-011??

Scob



Internet Explorer Security

  • Cross Domain Model

    • Local Machine Zone

    • "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."



Timeline: ADODB.Stream Object Bug

  • Full-Disclosure post, August 26, 2003!

  • IE bug allows client-side code execution

  • Detailed Analysis

    • http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html

    • Harmless example: http://62.131.86.111/security/idiots/repro/installer.htm



Scob Discovered June 24

  • The original post is available in the June 24 Internet Storm Center Handlers Diary

    • http://isc.sans.org/diary.php?date=2004-06-24&isc=400aeeda81e747d8889dacd941b7ebf6



Effects

  • Trojan horse installation – Scob

  • Purpose of the trojan: stealing account credentials

  • An account is an identity!!

  • First time web servers have been used as the infection vector since Nimda



Compromised IIS Servers

  • A file is dropped on the IIS server and subsequently executed to prepare the server. The relevant actions are:

    • File is dropped on the IIS server

    • ads.vbs is created

    • Files are dropped as C:\winnt\system32\inetsrv\iis###.dll

    • Server is configured to use this file as a document footer

  • The IIS server configuration is modified so that every served web page has a footer appended that contains malicious JavaScript
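The footer mechanism described above is an ordinary IIS metabase setting, so a defender can audit for it. The following PowerShell audit is an added example, not code from the presentation; it assumes an IIS 5/6 host with the IIS ADSI provider available, an elevated shell, and the metabase property names EnableDocFooter and DefaultDocFooter.

```powershell
# Added example (not from the presentation): audit an IIS 5/6 server for the
# document-footer setting that Download.Ject abused, and list recently created
# iis*.dll files in inetsrv, where the slide says the dropped file was placed.
# Assumes the IIS ADSI provider (IISADMIN) is present and the shell is elevated.
$inetsrv = Join-Path $env:SystemRoot "system32\inetsrv"

function Get-FooterSetting {
    param([string]$AdsPath)
    $node = [ADSI]$AdsPath
    # DefaultDocFooter is "STRING:<html>" or "FILE:<path>"; EnableDocFooter switches it on
    [pscustomobject]@{
        Path    = $AdsPath
        Enabled = [bool]$node.Properties["EnableDocFooter"].Value
        Footer  = [string]$node.Properties["DefaultDocFooter"].Value
    }
}

# Check the global W3SVC node (settings inherit downward) and each site's ROOT
$checks = @(Get-FooterSetting "IIS://localhost/W3SVC")
$w3svc = [ADSI]"IIS://localhost/W3SVC"
foreach ($child in $w3svc.Children) {
    if ($child.SchemaClassName -eq "IIsWebServer") {
        $checks += Get-FooterSetting "IIS://localhost/W3SVC/$($child.Name)/ROOT"
    }
}

foreach ($c in $checks) {
    if ($c.Enabled -or $c.Footer) {
        Write-Warning "Document footer configured at $($c.Path): $($c.Footer)"
        # A FILE: footer that points into inetsrv matches the pattern on this slide
        if ($c.Footer -match '^FILE:.*inetsrv') {
            Write-Warning "Footer file lives in inetsrv; inspect its contents"
        }
    }
}

# The dropped component was named iis###.dll; list recent matches in inetsrv
Get-ChildItem -Path (Join-Path $inetsrv "iis*.dll") -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-30) } |
    Select-Object FullName, CreationTime, Length
```

Any footer at all deserves a look, since a legitimate deployment rarely needs one; on IIS 7 and later the equivalent setting lives in applicationHost.config rather than the metabase.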



What Scob does

  • Redirects IE to http://217.107.218.147/dot.php

  • Visitor redirected to a file called new.html

  • Exploit code redirects the visitor to Shellscript_loader.js

  • This in turn downloads and installs msits.exe

    • (ADODB.Stream Object File Installation Weakness vulnerability)



What Scob does (continued)

  • The msits.exe application writes itself to a randomly named executable file in C:\winnt\system32

    • Windows Media Player?

  • Reruns the process from the system directory.

  • Copies two HTML forms, crude login templates and a log file (surf.dat) to the system directory

  • msits.exe attempts to record authentication credentials and their corresponding URLs

  • Quasi-rootkit patches “PhysicalMemory” device

    • Doesn’t appear in Task List


Sites of Interest to Scob/msits.exe



Workarounds

  • Set the “kill bit” on the ADODB.Stream object (no patch from MS)

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveXCompatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
      "CompatibilityFlags"=dword:00000400

  • Make the Local Zone/My Computer zone visible from the Internet Options Security tab

  • Don’t use IE (US-CERT) (!!)
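Checking and applying the kill bit above across a fleet is easier to script than to do by hand. The following PowerShell is an added example, not code from the presentation; it uses the CLSID and CompatibilityFlags value from the slide and assumes it is run elevated on the client.

```powershell
# Added example (not from the presentation): verify, and if needed set, the ActiveX
# kill bit (CompatibilityFlags 0x400) for the ADODB.Stream CLSID named on the slide.
# Assumes an elevated shell; the key path and value come from the slide.
$clsid   = "{00000566-0000-0010-8000-00AA006D2EA4}"
$keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveXCompatibility\$clsid"
$KillBit = 0x400

function Test-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -Name CompatibilityFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    # The kill bit is one flag among several; test the bit, not the whole value
    return (([int]$item.CompatibilityFlags -band $KillBit) -ne 0)
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = 0
    $item = Get-ItemProperty -Path $Path -Name CompatibilityFlags -ErrorAction SilentlyContinue
    if ($item) { $current = [int]$item.CompatibilityFlags }
    # OR the kill bit into any flags already present instead of overwriting them
    Set-ItemProperty -Path $Path -Name CompatibilityFlags -Type DWord -Value ($current -bor $KillBit)
}

if (Test-KillBit $keyPath) {
    "Kill bit already set for ADODB.Stream $clsid"
} else {
    Set-KillBit $keyPath
    "Kill bit set for ADODB.Stream $clsid"
}
```

Microsoft later shipped this same kill bit as an update (KB870669), so on patched systems Test-KillBit should already report true; on 64-bit Windows the 32-bit IE reads the key under Wow6432Node as well.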



Host IPS Countermeasures (IIS Server)

  • Triggers event “IIS Shielding - File Mod. in System folder”

  • Triggers event “IIS Shielding - Conf. File Activity (ADMCOMConnect)”



Network IPS Countermeasures (IIS)

  • SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs

  • KERBEROS: Microsoft Kerberos ASN.1 Double Free Encoding Error

  • LDAP: Active Directory BO

  • SSL: Invalid Client Hello Cipher Suite Value

  • SSL: Overly Long PCT Client Hello Challenge

  • SSL: Microsoft ASN.1 Double Free Code Execution

  • SSL: PCT THCLame Challenge Buffer Overflow

  • DCERPC: Microsoft Windows LSASS Buffer Overflow

  • DCERPC: Microsoft RPC DCOM Buffer Overflow

  • DCERPC: Microsoft RPCSS Heap Overflow

  • DCERPC: Microsoft Message Queue Service Heap Overflow

  • DCERPC: Microsoft Messenger Service Buffer Overflow

  • DCERPC: Microsoft Workstation Service Buffer Overflow

  • DCERPC: W32/Gaobot.worm Detected



IPS Countermeasures (IE Client)

  • Triggers event “IE Envelope Suspicious Executable Modification”



Anti-virus

  • Detected by McAfee VirusScan

    • BackDoor-AXJ.gen

    • VBS/Psyme

    • Exploit-MhtRedir.gen

    • BackDoor-AXJ.dll



Why is this important?

  • What if your web server is trojaned?

  • What if your desktop is trojaned?

  • Who is doing this?

  • What’s next?

  • What should be done?



Sources

  • http://www.microsoft.com/security/incident/download_ject.mspx

  • http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

  • http://62.131.86.111/analysis.htm

  • http://www.incidents.org/



Questions

  • Peter Schawacker

  • [email protected]

  • 760-880-4258
