1 / 20

Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis

Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis. Peter Schawacker, CISSP. Overview. The JS.Scob.Trojan Timeline IE Security Overview How the attacks work Effects Solutions. Scob. AKA Download.Ject JS.Scob.Trojan JS.Toofeer Backdoor.Berbew.F JS.Toofeer . MS04-011? ?. Scob.

etta
Download Presentation

Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Today’s Malicious Code Threat ~JS.Scob.Trojan Analysis Peter Schawacker, CISSP

  2. Overview • The JS.Scob.Trojan • Timeline • IE Security Overview • How the attacks work • Effects • Solutions

  3. Scob • AKA • Download.Ject • JS.Scob.Trojan • JS.Toofeer • Backdoor.Berbew.F • JS.Toofeer

  4. MS04-011?? Scob

  5. Internet Explorer Security • Cross Domain Model • Local Machine Zone • "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."

  6. Timeline: ADODB.Stream Object Bug • FullDisclosure Post August 26, 2003!! • IE Bug allows client-side code execution • Detailed Analysis • http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html • Harmless example: http://62.131.86.111/security/idiots/repro/installer.htm

  7. Scob Discovered June 24 • The original post is available in the June 24 Internet Storm Center Handlers Diary • http://isc.sans.org/diary.php?date=2004-06-24&isc=400aeeda81e747d8889dacd941b7ebf6

  8. Effects • Trojan horse installation – Scob • Purpose of trojan to steal accounts • An account is an identity!! • First time web servers used since Nimda

  9. Compromised IIS Servers • A file is dropped on an IIS Server and subsequently executed to prepare the server. The relevant actions are: • File is dropped on IIS Server • Create ads.vbs • Drop files in C:\winnt\system32\inetsrv/iis###.dll • Server configured to use this file as a footer • Modify the configuration of the IIS Server such that served web pages are appended by a footer that contains malicious Java code

  10. What Scob does • Redirects IE to http://217.107.218.147/dot.php • Visitor redirected to a file called new.html • Exploit code redirects the visitor to Shellscript_loader.js • In turn, downloads and installs msits.exe • (ADODB.Stream Object File Installation Weakness vulnerability)

  11. What Scob does (continued) • msits.exe application writes itself to a random executable file in c:/winnt/system32 • Windows Media Player? • Reruns the process from the system directory. • Copies two HTML forms, crude login templates and a log file (surf.dat) to the system directory • msits.exe attempts to record authentication credentials and their corresponding URLs • Quasi-rootkit patches “PhysicalMemory” device • Doesn’t appear in Task List

  12. Paypal.com Signin.ebay .earthlink. juno.com my.juno.com/s webmail.juno.com yahoo.com http://crutop.nu/index.php http://crutop.ru/index.php http://mazafaka.ru/index.php http://color-bank.ru/index.php http://asechka.ru/index.php http://trojan.ru/index.php http://fuck.ru/index.php http://goldensand.ru/index.php http://filesearch.ru/index.php http://devx.nm.ru/index.php http://ros-neftbank.ru/index.ph http://lovingod.host.sk/index.ph http://www.redline.ru/index.php http://cvv.ru/index.php http://hackers.lv/index.php http://fethard.biz/index.php http://ldark.nm.ru/index.htm http://gaz-prom.ru/index.htm http://promo.ru/index.htm http://potleaf.chat.ru/index.htm http://kadet.ru/index.htm http://cvv.ru/index.htm http://crutop.nu/index.htm http://crutop.ru/index.htm http://mazafaka.ru/index.htm http://xware.cjb.net/index.htm http://konfiskat.org/index.htm http://parex-bank.ru/index.htm Sites of Interest to Scob/msits.exe

  13. Workarounds • Set the “Kill Bit” on the ADODB.Stream Object (no patch from MS) • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveXCompatibility\{00000566-0000-0010-8000-00AA006D2EA4}] "CompatibilityFlags"=dword:00000400 • Make Local Zone/My Computer Zone visible from the Internet Options Security tab • Don’t use IE (USCERT) (!!)

  14. Host IPS Countermeasures (IIS Server) • Triggers event “IIS Shielding - File Mod. in System folder” • Triggers event “IIS Shielding - Conf. File Activity (ADMCOMConnect)”

  15. Network IPS Countermeasures (IIS) • SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs • KERBEROS: Microsoft Kerberos ASN.1 Double Free Encoding Error • LDAP: Active Directory BO • SSL: Invalid Client Hell Cipher Suite Value • SSL: Overly Long PCT Client Hello Challenge • SSL: Microsoft ASN.1 Double Free Code Execution • SSL: PCT THCLame Challenge Buffer Overflow • DCERPC: Microsoft Windows LSASS Buffer Overflow • DCERPC: Microsoft RPC DCOM Buffer Overflow • DCERPC: Microsoft RPCSS Heap Overflow • DCERPC: Microsoft Message Queue Service Heap Overflow • DCERPC: Microsoft Messenger Service Buffer Overflow • DCERPC: Microsoft Workstation Service Buffer Overflow • DCERPC: W32/Gaobot.worm Detected

  16. IPS Countermeasures (IE Client) • Triggers event "IE Envelope Suspicious Executable Modification”

  17. Anti-virus • Detected by McAfee VirusScan • BackDoor-AXJ.gen • VBS/Psyme   • Exploit-MhtRedir.gen • BackDoor-AXJ.dll

  18. Why is this important? • What if your web server is trojaned? • What if your desktop is trojaned? • Who is doing this? • What’s next? • What should be done?

  19. Sources • http://www.microsoft.com/security/incident/download_ject.mspx • http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx • http://62.131.86.111/analysis.htm • http://www.incidents.org/

  20. Questions • Peter Schawacker • ps@nai.com • 760-880-4258

More Related