Overview
WAMP is an all-in-one package that installs Apache, MySql, and PHP on a windows system. It's the lazy man's way of getting a web-server up and running in almost no time. However, I discovered today that they have injected javascript in their page that redirects users to exploits.
WAMP
WAMP's main page. Doesn't look suspicious on the outside.
Once you check their code, it is immediately apparent there is injected script at the bottom of the page.
It's the typical exploit pack injected code of course. All it really does is take the body of 'jibberish', remove the 'a' characters and replace them with commas. Then it multiplies all the numbers by 2 which gives you an array of whole numbers to which it String.fromCharCode()s into normal javascript. It throws in a bunch of other stuff just to make de-obfuscating a little harder. Or to make it look more legit? Pastebin for the full injected code is here
Deobfuscated
Of course that Iframe redirects me to some more bad code. Here's the pastebin for this code
Deobfuscated. Another layer of obfuscation. But it's just the Dean Edwards JS packer, so no big deal.
Layer 2 deobfuscated. Heyoo PDF version enumeration
That isn't the only query that the redirect generated. It also generated a query to some obfuscated code that enumerates the system's Java version Here is the pastebin for this code
Same type of obfuscation.
I haven't notified WAMPServer.com that their site is owned yet because I'm lazy. But this just goes to show that you can never tell what sites will get owned next. So keep your Flash, PDF, Java, and browsers up-to-date all the time.
Some domain information. This reminded me a lot of a SANs blog post I read about how these malware rings alter domain information for actual legit domains in order to capitalize on SEO and other things. Maybe I'm wrong.
A quick google search on some of this information and I found at least a couple more domains that have the injected code as well, ie: marijuanapictures.com
There are probably dozens/hundreds/etc.. of domains that got blasted and now have injected redirects.
Thursday, October 20, 2011
Thursday, September 29, 2011
Neat little find - Network forensics
Overview
This post may seem trivial, pointless, and indicative of a security noob, but the other day I was perusing some network traffic between a windows DC and a client and found some interesting traffic. As I later discovered, what I found is standard traffic from a Windows domain controller, but since it was the first time I saw it, I was intrigued. It began with me looking at some larger-than-usual ICMP traffic.
The Pcap
When I first saw the Pcap, it looked rather normal. Then I noticed the 'Length' of some of the ICMP replies, and I wondered why they were so big.
So I popped into a couple of the big ICMP reply packets and instantly saw a JPEG magic number in the hex-offset. "JFIF" aka 0x4a464946
I started to think, "what the heck is this?". The best way to figure that out was to carve the image right out of the pcap and see what it was.
To do this was super easy. There are a lot of programs than can carve files out of pcaps for you automatically, but this file was so small that I just did it manually. First I started by copying the bytes in a hex-stream format.
Once I copied the hex-stream, I moseyed on over to Malzilla since it has a fantastic converter functionality for "Hex to File". So it'll decode the hex-stream straight to a file.
Once that completes it will save the file as "hexfile.bin", so I just changed the extension to .jpg and presto...wait...wtf?
Yeah. That's the image all right. Anyways, a quick google of that behavior from a client/ MS domain controller and I came to realize I discovered standard DC operation. It's basically their method for slow link detection which if you were unaware of this like me, you can read about it from Microsoft's site
So call me a noob if you must. I thought it was a neat find.
This post may seem trivial, pointless, and indicative of a security noob, but the other day I was perusing some network traffic between a windows DC and a client and found some interesting traffic. As I later discovered, what I found is standard traffic from a Windows domain controller, but since it was the first time I saw it, I was intrigued. It began with me looking at some larger-than-usual ICMP traffic.
The Pcap
When I first saw the Pcap, it looked rather normal. Then I noticed the 'Length' of some of the ICMP replies, and I wondered why they were so big.
So I popped into a couple of the big ICMP reply packets and instantly saw a JPEG magic number in the hex-offset. "JFIF" aka 0x4a464946
I started to think, "what the heck is this?". The best way to figure that out was to carve the image right out of the pcap and see what it was.
To do this was super easy. There are a lot of programs than can carve files out of pcaps for you automatically, but this file was so small that I just did it manually. First I started by copying the bytes in a hex-stream format.
Once I copied the hex-stream, I moseyed on over to Malzilla since it has a fantastic converter functionality for "Hex to File". So it'll decode the hex-stream straight to a file.
Once that completes it will save the file as "hexfile.bin", so I just changed the extension to .jpg and presto...wait...wtf?
Yeah. That's the image all right. Anyways, a quick google of that behavior from a client/ MS domain controller and I came to realize I discovered standard DC operation. It's basically their method for slow link detection which if you were unaware of this like me, you can read about it from Microsoft's site
So call me a noob if you must. I thought it was a neat find.
Wilkes-Barre PA Site owned
The Gist
Wilkes-Barre PA's official site has fallen victim to an injected blackhole exploit toolkit redirect that uses the Twitter trends API to generate different domains. Some may already know of the little town named Wilkes-Barre for their delicious and super cheap college-beer called "Lionshead", brewed by Lions Brewery. It's 8:30am, and I go could for a refreshing Lionshead right now. Mmmm.
The Injected JS
The site looks innocent enough, but behind the scenes there some bad JS ready to own you.
When checking the source code, there are script tags sourcing a javascript file named 'PopBox.js'. It is within this javascript file that the injected redirect is located.
When you check the popbox.js file, it is immediately apparent that there is some obfuscated code down at the bottom. I uploaded the full obfuscated JS to pastebin.
Layer 5 is using the same obfuscation technique as layer 1. Simply replacing eval() with document.write(), I FINALLY got the 'basically de-obfuscated' code. It still has randomized variables and all that jazz, but you can essentially see what it's doing in plain site. It's using the twitter trends API information to construct different domains, which is rather cool.
Wilkes-Barre PA's official site has fallen victim to an injected blackhole exploit toolkit redirect that uses the Twitter trends API to generate different domains. Some may already know of the little town named Wilkes-Barre for their delicious and super cheap college-beer called "Lionshead", brewed by Lions Brewery. It's 8:30am, and I go could for a refreshing Lionshead right now. Mmmm.
The Injected JS
The site looks innocent enough, but behind the scenes there some bad JS ready to own you.
When checking the source code, there are script tags sourcing a javascript file named 'PopBox.js'. It is within this javascript file that the injected redirect is located.
The first layer is easy enough to de-obfuscate. I just replaced eval with document.write()
Layer 2 is also easy enough to de-obfuscate. Same story, just document.write() 'd'
3 Layers of obfuscation already. What in the hell. Just from the look of layer 3, you can basically just guess that it's char-code separated by some gibberish. All I really did was comment out one statement in the "trim()" function that was called, and I got all the char-code.
Char code is the easiest to handle. Just a simple document.write(String.fromCharCode(blahblah)); and presto, I have layer 5.
Here's what it looks like all formatted and pretty
I've found a couple of instances of this type of injection before, but I never really felt like doing a write-up on it since others already have. I figured I'd do the write-up on this one because it was a Wilkes-Barre gov't site, and I was in the mood for Lionshead beer. In the end it turned out to be yet another blackhole exploit injection that was redirecting to RogueAVs/FakeAVs.
Check out a pretty decent write-up about the same type of injection, done on the Websense Blog: sophisticated-injection-abuse-twitter-trend-service
My question is, if these people are willing to obfuscate 5 layers deep, why the hell don't more people who use BH change the formatting of the redirecting URLs so they're not all "/index.php?tp=xxxx" or "/forum.php?tp=xxxx".
Sunday, July 17, 2011
Gear Patrol site redirecting to malware
Gearpatrol.com , the "definitive men's resource site", had an owned javascript file linked on their main page that was redirecting users to java exploits/malware the other day. I'll show you.
The owned JS File
If you would have gone to Gearpatrol.com the other day, on their main page is a link to a JS file that you won't notice has loaded.
"The definitive men's resource" - haha
Gearpatrol.com loads up when all of a sudden shit starts going wrong. Then you think, "What in the hell...?"
Some weird Jquery.js file is sourced in the main page that is set to load
Here is what the request/response looks like. You can see the code served by gearpatrol.com is awkward looking but doesn't look definitively malicious at first site.
Jquery javascript files always look rather fucked to me, but this one in particular looked especially strange. So I decided to determine what it was doing. I statically assigned two JS properties that were being called since Malzilla can't handle them. I changed "navigator.platform" aka operating system, and "navigator.useragent" aka web browser. After these two changes, the script simply compiled and told me exactly what it was doing, thankfully.
In the bottom pane you can see the iframe the javascript file was injecting into Gearpatrol.com's main page. Let's see where that iframe takes us.
Ahh that first redirect was most likely for statistic purposes. We then get bounced off to a risque site, teenporntubeonly.com . But we won't find porn there. Instead we find obfuscated javascript using typical techniques. It just multiplies the number by the variable 'g', then performs String.fromCharCode on each product. In the lower-pane are the results after de-obfuscating the code.
And once it's formatted you can tell it's serving various Java exploits which no doubt drop various malware. These were your typical Java exploits, nothing special, but it goes to show how you can get snagged from nearly any site these days, ESPECIALLY if you have outdated Java, Adobe anything, or web browser.
There's nothing amazing going on here. This happens to a lot of sites, and some are faster than others at removing them (this one appears to be fixed on Gearpatrol.com). Really the main thing you can do to prevent any issues is to keep your software updated and hope the malware people don't utilize 0-days or very new exploits.
The owned JS File
If you would have gone to Gearpatrol.com the other day, on their main page is a link to a JS file that you won't notice has loaded.
"The definitive men's resource" - haha
Gearpatrol.com loads up when all of a sudden shit starts going wrong. Then you think, "What in the hell...?"
Some weird Jquery.js file is sourced in the main page that is set to load
Here is what the request/response looks like. You can see the code served by gearpatrol.com is awkward looking but doesn't look definitively malicious at first site.
Jquery javascript files always look rather fucked to me, but this one in particular looked especially strange. So I decided to determine what it was doing. I statically assigned two JS properties that were being called since Malzilla can't handle them. I changed "navigator.platform" aka operating system, and "navigator.useragent" aka web browser. After these two changes, the script simply compiled and told me exactly what it was doing, thankfully.
In the bottom pane you can see the iframe the javascript file was injecting into Gearpatrol.com's main page. Let's see where that iframe takes us.
Ahh that first redirect was most likely for statistic purposes. We then get bounced off to a risque site, teenporntubeonly.com . But we won't find porn there. Instead we find obfuscated javascript using typical techniques. It just multiplies the number by the variable 'g', then performs String.fromCharCode on each product. In the lower-pane are the results after de-obfuscating the code.
And once it's formatted you can tell it's serving various Java exploits which no doubt drop various malware. These were your typical Java exploits, nothing special, but it goes to show how you can get snagged from nearly any site these days, ESPECIALLY if you have outdated Java, Adobe anything, or web browser.
There's nothing amazing going on here. This happens to a lot of sites, and some are faster than others at removing them (this one appears to be fixed on Gearpatrol.com). Really the main thing you can do to prevent any issues is to keep your software updated and hope the malware people don't utilize 0-days or very new exploits.
Monday, July 11, 2011
PDF Exploit De-Obfuscation
The Gist
In the exploit code mentioned in my previous blog, there is code to embed a couple PDFs into the page which will exploit different vulnerabilities. Since I have a copy of one of the PDFs that exploits a vulnerability, I figure I'll show the process of de-obfuscating the exploit and determining the vulnerability. I can provide the malicious PDF, just ask. This is mainly just about de-obfuscating the JS, not really about analyzing the actual exploit TIFF and what it does.
The easiest tool to use for analyzing PDFs is PDFStreamDumper from HERE. All you have to do is load the PDF into PDFStreamDumper and it will give you the header info and any data streams in the PDF. In this case we only have one data stream
Without much effort you can see the opening <script> tags indicating embedded javascript. The javascript is what builds and executes the exploit, so you basically just grab all the script from the opening tag until the closing </script> tag. Then just click the Javascript_UI button and it will open a javascript decoder right in PDFStreamdumper
once the Javascript_UI comes up you can simply format the code and you have your neatly formatted, yet obfuscated exploit code
De-Obfuscate JS
The nice thing about this PDF is that the javascript is obfuscated almost identically to the exploit code that served it. As I stated previously in my previous blog post, there is one function doing all the decrypting of the obfuscated actions. In this case the function's name is 'ask'. One of the tricks used to throw off javascript decompilers is to grab data in XML fields by using rawValue. I'll highlight where the function is grabbing the other data.
All it's doing in this case is grabbing everything in the XML field "rye" and replacing any occurrence of Z,h,P,w,I,v,g,F,l, or P with '' aka, nothing. So it's just setting a variable equal to the value of that XML field while removing those particular letters (case sensitive).
Now to show you where the XML field "rye" is located and what it contains.
With that value, you should now be able to use the function 'ask' to decode a good portion of the javascript.
I basically just continue that process and follow the code until the final exploit code is constructed. At which point it is all concatenated and assigned into the 'rye' XML tags.
Since we're just decoding javascript I just simply document.write(g); to write the exploit code to the window.( I did this in malzilla because PDFStreamdumper didn't like document.write - screw it)
and then decode base64
So a PDF is generating a TIFF file.
CVE-2010-0188 Adobe PDF LibTiff Integer Overflow
In the exploit code mentioned in my previous blog, there is code to embed a couple PDFs into the page which will exploit different vulnerabilities. Since I have a copy of one of the PDFs that exploits a vulnerability, I figure I'll show the process of de-obfuscating the exploit and determining the vulnerability. I can provide the malicious PDF, just ask. This is mainly just about de-obfuscating the JS, not really about analyzing the actual exploit TIFF and what it does.
Dump the Data Stream(s)
The easiest tool to use for analyzing PDFs is PDFStreamDumper from HERE. All you have to do is load the PDF into PDFStreamDumper and it will give you the header info and any data streams in the PDF. In this case we only have one data stream
Without much effort you can see the opening <script> tags indicating embedded javascript. The javascript is what builds and executes the exploit, so you basically just grab all the script from the opening tag until the closing </script> tag. Then just click the Javascript_UI button and it will open a javascript decoder right in PDFStreamdumper
once the Javascript_UI comes up you can simply format the code and you have your neatly formatted, yet obfuscated exploit code
De-Obfuscate JS
The nice thing about this PDF is that the javascript is obfuscated almost identically to the exploit code that served it. As I stated previously in my previous blog post, there is one function doing all the decrypting of the obfuscated actions. In this case the function's name is 'ask'. One of the tricks used to throw off javascript decompilers is to grab data in XML fields by using rawValue. I'll highlight where the function is grabbing the other data.
Now to show you where the XML field "rye" is located and what it contains.
With that value, you should now be able to use the function 'ask' to decode a good portion of the javascript.
Since we're just decoding javascript I just simply document.write(g); to write the exploit code to the window.( I did this in malzilla because PDFStreamdumper didn't like document.write - screw it)
and then decode base64
So a PDF is generating a TIFF file.
CVE-2010-0188 Adobe PDF LibTiff Integer Overflow
Sunday, July 10, 2011
Injected sites serve heavily Obfuscated JS
The Gist
Within the past few weeks I've discovered a decent amount of sites that have been injected with iframes that redirect to heavily obfuscated javascript. I usually do write-ups on stuff like this just for myself for future reference. However, I figure I might as well post them in a blog so others can check it out if they want.
First the injected obfuscated html tags. The injected code has appeared on several sites, and it still exists on a couple. Here is a short list of the owned sites I found:
So a random users visits one of these sites and the obfuscated JS is injected into the page, this is the basic process
The site loads, and appears normal
But behind the scenes is injected javascript that decodes to some script HTML tags that source the malicious domain
Once you decode the JS you will see it returns HTML script tags with the malicious domain as the script source
The Exploit Code
I showed how the exploit code gets served. Now it is time to check it out. For anyone who wants to check out the full exploit code on their own, I uploaded it to pasteBin: Full Obfuscated Code
The first thing to note is the hidden input value and the 8 empty divs. The hidden input value is grabbed by the first function 'fez' which is the function that de-obfuscates everything. This is hugely important because 'fez' is called to deobfuscate nearly every action in the code. Below is an example
Here is an example of what nearly every function in the code looks like. Every single action is obfuscated and then decoded by 'fez'. I added the actual values of the obfuscated variables to highlight what the code is looking for and doing.
Going back to the empty div tags mentioned above, it did not seem clear at first what they were for. However, after de-obfuscating some of the code I had an "ahh no shit!" moment. Each of those empty div tags are for a particular exploit if the version criteria is met (among other things). So I continued to de-obfuscate the entire document, all 1000+ lines of it. Once completed I was able to discern what the divs would contain if every exploit were to launch.The only div name that is not mentioned at all in the code is 'mix'. I'm not sure what that div was meant for.
I haven't been lucky enough to get a hold of most of these exploits to categorize them with their CVEs, but based on what versions the exploit code was looking for to drop some of these exploits, I determined a couple of the vulnerabilities. I ordered them by div name.
CVE-2009-0927 - Adobe Reader/Acrobat Collab.getIcon Buffer Overflow
CVE-2010-0188 - Malicious Tiff embedded in PDF
CVE-2010-0842 - Java JMF MIDI 3
Java exploit (unsure of which)
Java exploit (unsure of which)
Java exploit (unsure of which)
CVE-2011-0611 - Adobe Flash Player SWF Memory Corruption Vulnerability
It's becoming more typical to see exploit kits using more Java exploits than anything else. However it's interesting to note that the flash vulnerability they use is fairly new. The three java exploits that I was unsure of are probably your typical exploit kit java exploits. Like: skyline, deployment toolkit, etc.... I just wasn't sure so I didn't act like I was and bullshit what vulnerability they are exploiting.
Some additional reading about the same injections/exploit code described above
http://research.zscaler.com/2011/06/cotv-domains-serving-heavily-obfuscated.html
http://research.zscaler.com/2011/06/google-news-search-results-for-laurence.html
Within the past few weeks I've discovered a decent amount of sites that have been injected with iframes that redirect to heavily obfuscated javascript. I usually do write-ups on stuff like this just for myself for future reference. However, I figure I might as well post them in a blog so others can check it out if they want.
Injected JS
- blogohblog.com/cool-javascript-tricks/
- thebudgetfashionista.com/archive/guest-post-fall-classics-fashion-copycat/
- countryuniverse.net/2008/11/19/review-jason-aldean-shes-country/
- beaconequity.com/wp-content/themes/Beacon3.0/js/jqueryanim.js
- cinemablend.com/television/Laurence-Fishburne-Done-With-CSI-Decides-Let-TV-Criminals-Get-Away-32685.html
- rosemont.com/js/swfobject.js
So a random users visits one of these sites and the obfuscated JS is injected into the page, this is the basic process
The site loads, and appears normal
But behind the scenes is injected javascript that decodes to some script HTML tags that source the malicious domain
Once you decode the JS you will see it returns HTML script tags with the malicious domain as the script source
The Exploit Code
I showed how the exploit code gets served. Now it is time to check it out. For anyone who wants to check out the full exploit code on their own, I uploaded it to pasteBin: Full Obfuscated Code
The first thing to note is the hidden input value and the 8 empty divs. The hidden input value is grabbed by the first function 'fez' which is the function that de-obfuscates everything. This is hugely important because 'fez' is called to deobfuscate nearly every action in the code. Below is an example
Here is an example of what nearly every function in the code looks like. Every single action is obfuscated and then decoded by 'fez'. I added the actual values of the obfuscated variables to highlight what the code is looking for and doing.
Going back to the empty div tags mentioned above, it did not seem clear at first what they were for. However, after de-obfuscating some of the code I had an "ahh no shit!" moment. Each of those empty div tags are for a particular exploit if the version criteria is met (among other things). So I continued to de-obfuscate the entire document, all 1000+ lines of it. Once completed I was able to discern what the divs would contain if every exploit were to launch.The only div name that is not mentioned at all in the code is 'mix'. I'm not sure what that div was meant for.
I haven't been lucky enough to get a hold of most of these exploits to categorize them with their CVEs, but based on what versions the exploit code was looking for to drop some of these exploits, I determined a couple of the vulnerabilities. I ordered them by div name.
CVE-2009-0927 - Adobe Reader/Acrobat Collab.getIcon Buffer Overflow
CVE-2010-0188 - Malicious Tiff embedded in PDF
CVE-2010-0842 - Java JMF MIDI 3
Java exploit (unsure of which)
Java exploit (unsure of which)
Java exploit (unsure of which)
CVE-2011-0611 - Adobe Flash Player SWF Memory Corruption Vulnerability
It's becoming more typical to see exploit kits using more Java exploits than anything else. However it's interesting to note that the flash vulnerability they use is fairly new. The three java exploits that I was unsure of are probably your typical exploit kit java exploits. Like: skyline, deployment toolkit, etc.... I just wasn't sure so I didn't act like I was and bullshit what vulnerability they are exploiting.
Some additional reading about the same injections/exploit code described above
http://research.zscaler.com/2011/06/cotv-domains-serving-heavily-obfuscated.html
http://research.zscaler.com/2011/06/google-news-search-results-for-laurence.html
Subscribe to:
Posts (Atom)