Wednesday, 27 October 2010

Critical Firefox Vulnerability

There's a critical zero day vulnerability in firefox 3.5 and 3.6. There are samples found in the wild exploiting this vulnerability, official Nobel peace prize website is compromised to host this malware. When the user visits the affected website he would download malicious file without his notice.

All firefox users are urged to disable javascript and use Noscript add on.

Tuesday, 21 September 2010

Twitter XSS Vulnerabiliy

Twitter earlier today had a XSS vulnerability in the way they process the URL's in their tweet.As described here when you tweet some URL on Twitter , it identifies and displays it. The Twitter doesn't check the url properly and quotes in particular which allows us to run custom Javascript code.
For example in this URL http://www.blah.com/”onmouseover=alert(‘You are hacked’) would display an alert box when you move over mouse on the link. The alert box can be replaced with any custom javascript to redirect users to malicious websites. According to the recent update Twitter have fixed this flaw. This is just an example of how a small sanity check error by developer could lead into a security disaster.

Thursday, 15 July 2010

Windows Zero Day on Shortcut Files

A new Windows Vulnerability is found by VirusBlokda researchers .
The Vulnerability exists in Windows Shortcut files, its basically new way of Autorunning your file even after disabling the Windows autorun feature.

This was actually exploited by a malware which is detected as Trojan Spy . There is an interesting analysis done by Kaspersky here.

Analysis says that the malware drops shortcut files (or .lnk files) and dlls (named as .tmp files ) on the infected USB drive besides other malware ( which is detected as Stuxnet/Rootkit). If you insert the infected USB drive on a clean machine and open the drive in explorer (or similar ) the malware gets executed. The init function in the dll and shortcut file makes the malware to run automatically without clicking on the file.

As of now Microsoft are working on this issue, all users should be careful not to open suspicious files or USB drives on machine.

Saturday, 12 June 2010

Microsoft Help Centre Exploit

Microsoft help centre could be exploited for a zero day vulnerability according to this disclosure.
Help centre is Microsoft's application to access online help.Using this application it is possible to access url's of the help documents. One of the implementation errors in handling url/escape sequence handling leads to remote code execution.

Microsoft advisory can be found here.

Monday, 10 May 2010

Infostealer.Banker.G ripped Part 2

Welcome back to part two of the malware analyis.

When Installed this malware drops a dll in the system folder (C:\windows\system32\msls52.dll). Dll is pretty much packed with the same packer and the entry point of the dll looks similar to the dropper.
Very Interesting thing about this malware is that it infects windows Uxtheme.dll(system folder) and renames the clean copy as Uxtheme(random char).tmp.Infected Uxtheme.dll locks the file msls52.dll, when you try to delete it you get an "access denied" message. Use Kaspersky free removal tool to get rid of the dll on reboot. 
Since you've deleted the file msls52.dll the infected Uxtheme.dll tries to load it at the startup and gives the message "Unable to load msls52.dll" and makes your machine virtually unusable. 
To make it work again restart your machine with Windows Safe Mode with command prompt (press f8 on startup to safe mode menu). Once you are in safemode delete/rename the Uxtheme.dll and rename the Uxtheme(randomchar).tmp file as Uxtheme.dll. This should make your machine usable after reboot :-).Btw the infected Uxtheme.dll is detected as W32/Patched by some vendors  

Continuing  the analysis from the previous part if you follow the calls and jumps there are couple of interesting instructions.

.00409FA2 B9 BE 80 FF 1F  mov     ecx, 1FFF80BEh
.00409FA7 EB 41                  jmp     short loc_409FEA
....

00409FF6 C1 E1 02             shl     ecx, 2  ; ECX is now 7FFE02F8
00409FF9 EB 67                  jmp     short loc_40A062

0040A062 0F B6 09             movzx   ecx, byte ptr [ecx]

Hmmm..Ecx is now 7FFE02F8 and its trying to move the contents at the ecx value back into ecx register.
So what is this 7FFE02F8 any way. 7FFE0000 is KUSER_SHARED_DATA , this address is a region of the memory mapped in every process and is called as SharedUserData.7FFE000 + 2F8  refers to TestRetInstruction .In this malware i think its mainly used for antidebugging or anti emulation purposes.
If you continue analyzing the sample on the Ollydbg , Olly gets struck at one point unable to debug any further. You need to smartly change the control flow at this point and analyze further.
I didn't have much time to unpack this malware, as the packer in the malware uses VirtualProtect api , i'm sure you should be able find the unpacking routine around this area.
Hope this analysis helps you fight the bad forces.

Sunday, 9 May 2010

Infostealer.Banker.G ripped Part 1

I'll reverse engineer what Symantec call as Infostealer.Banker.G ( SHA: 4b7f41e7b02ed3b100b6afd756c3e551f52da82f )

 Lets see the physical structure of the file first and see what the PE tool says about the file.

 Hmm, Bad guys are crooked they have packed malware with a custom packer. Entrypoint is in first section . Lets open the file with a disassembler and see what the entrypoint looks like. 

.cdata:00409380            sub    esp, 4
.cdata:00409383            pusha            ; push all registers
.cdata:00409384            push    ebp
.cdata:00409385            mov    ebp, esp
.cdata:00409387            mov    edx, 103h
.cdata:0040938C            xor    eax, eax
.cdata:0040938E            inc    eax   ; Junk  to evade antivirus detection

.cdata:0040938F            inc    eax  ; .............
.cdata:00409390            inc    eax  ; junk
.cdata:00409391            inc    eax  ; .........
.cdata:00409392            inc    eax  ; .......
.cdata:00409393            inc    eax  ; .........
.cdata:00409394            inc    eax ; ........
.cdata:00409395            inc    eax ; .......
.cdata:00409396            call    sub_40949E
.cdata:0040939B            jmp    near ptr 0C3035769h 


If you look at the entrypoint it clearly looks like its packed with a polymorphic packer. All the 'inc eax instructions are junk either to stop antivirus detection or to make Emulation more confusing. If you follow the Jmp at the last line leads series of spaghetti ( uneven jmp or call instructions) jumps.

I'll continue the analysis in the next part see you then.

Saturday, 1 May 2010

Microsoft Sharepoint XSS Vulnerability

Microsoft have acknowledged the existence of XSS vulnerability in Sharepoint services and Sharepoint server.Successful exploitation of the vulnerability could allow attacker to run custom code leading to elevated privileges within the Sharepoint site.

According to this technet blog the likely attack scenario could be when attacker sends a malicious link and user clicks the link after logging into the vulnerable Sharepoint server, this results in malicious script running in the user context.  In simple words if you are user(assume Admin user) logged in to a vulnerable Sharepoint server and if you click a malicious link embedded within a malicious script, it could run with the admin privileges.

Thursday, 29 April 2010

Storm is Back

Yes Storm is back, its not the natural disaster but a cyber disaster which rocked the cyber world by sending 20% of spam worldwide. Yes I'm talking about the infamous Storm worm botnet.



Storm authors have created the new variant according to these analysis by Honeynet and CA.  According to these analysis the malware is using the same config file and file name. The malware is said to be wrapped with a additional layer of program to prevent it from Antivirus detection.
Storm worm is said to distribute spams related to usual pharmacy , adult websites and celebrity scans. If you are keen about malware working please go through the analysis,its worth a read.


 

Tuesday, 2 March 2010

IE 0 Day for Help files

Clicking 'F1' (help) in IE (Internet Explor(d)er) can lead to attacker executing arbitrary commands, successful attack can lead to compromise of the machine. Exploit should trick the user to click F1 button.
Temporary solution is to disable active scripting in IE until Microsoft provide a patch.
IE in Windows 2000, Windows XP SP2, SP3 & Windows 2003 SP2 are vulnerable. You can find more details here.

Susan Dey SEO Poisoning

Susan Dey is an American actress known for her roles in TV and films.Today malware authors are utilizing her fame to spread malware.


As you search for Susan dey on Google you can clearly see the dodgy website listed in Google web search results.

 

  If you think its related to Susan and click on the links , its not Susan who greets you, but its rogue antivirus malware (also known as Fake Antivirus)  which gets into your system.

 

  

So all users are advised to be careful about the dodgy websites. Click on only links you trust, as you can see in this case the compromised website redirects to a '.in' domain which seems to be 'fakeav' authors favourite at the moment.

Sunday, 7 February 2010

Computer Viruses

I was working on reverse engineering one of the mid-infecting virus and when i searched google for "mid infecting", i couldn't find much details explaining these terms. So i'll explain these terms briefly .

Computer Viruses are the ones which replicate themselves using different techniques. Viruses should not be confused with Trojans and Worms (they don't infect other files). Malware is the generic term used to cover all the different malicious files or detection.

Coming back to Viruses they are further classified into different types based on the way they reproduce themselves (or replicate ) .

* Boot Virus
   Boot (or boot sector) virus is a virus that can duplicate itself from the boot sector of the disk. ( Boot sector is the area of the disk which runs at the start (or booting ) of your machine )
 
* Appending Virus
   Appending virus is a virus which appends itself to the host (ie it attaches it viral code to the end of the clean file). 

* Prepending Virus 
  Prepending virus does the opposite of  appending virus , it attaches itself before the host.

* Midinfecting Virus
   Midinfecting viruses are the ones you see often in the real world. Midinfecting viruses incorporates itself somewhere inside the hostIn Mid infectors some parts of the host file runs first and then it runs the viral code.

* PolyMorphic Virus 
    Polymorphic virus (poly -many , morph-forms) is a virus which has a mutation engine which makes it appear different everytime it runs. The working of the virus is same but the appearance of the logic of the code changes every time. (This is done mainly to evade Antivirus detections, which detect on signature of the virus).
 
 

Friday, 5 February 2010

New IE Vulnerability

Microsoft have disclosed a advisory that there is a vulnerability in different versions of Internet Explorer.
Looks like a there's lot more IE users should bare with , Microsoft had recently issued a out of band Critical Patch for a IE vulnerability.
This one was discovered in recent Blackhat conference in Washington DC. The exploit can allow the remote user to verify the file's on the victim's computer ,potentially turning into a file server for malicious activities.

Sunday, 31 January 2010

Python Utility to Rename Exe or PE file in a directory

I was writing a small utility to rename all the files in the current directory (in this case its PE file). This doesn't
depend on the file extension and reads the file to check the magic number.

#####################################################################
import os
   
def ren_dir():
# refers to c:\test , if you want use current dir use '.' 
    for f in os.listdir("\\test"): 
        fl = open((os.path.join(os.path.abspath('\\test'),f)),'r')
        if fl.read(2)=='MZ':
                # do whatever operation you want 
        fl.close
    
if __name__ == "__main__":   
    ren_dir()
#############################################################

Sunday, 10 January 2010

Office.microsoft.com leading to FakeAV

Office.microsoft.com which is an official microsoft office website is leading to rogue AV website.[1] This could be  because of  SEO poisoning techniques .
In this case when you are on office.microsoft.com and use the search function you get search results leading to Fake AV.
Its a real cause for concern as this is one of most popular microsoft's website and easily all the website visitors could fall victim to this attack.