I thought it would also be interesting to create a graph based on which countries have hosted the most malware during the previous 30 days. I was a little surprised at the results seeing the United States at the top of the list with China coming in second place.

Keep in mind that this data only represents a tiny snapshot in the overall scheme of things and is specific to malware collected by malc0de.com.

Last but not least the list below represents the top ten binaries seen during the past 30 days.

Count – MD5
251 – 7981f884202bf9f50bb5cb9bf3adbeb1
200 – 105082712e5a14db357fb9432bc9ca22
198 – eeda586b324d69ebf6b537724ad122cb
178 – 1bf3bbfa188f1b8fd0ffc498be481d53
171 – eec01f6a39e56ae3efe0a9866ba09b33
125 – 9ec690317e2109169c371c81341ec3d3
82 – 4f4a22a1391fe11be2c9c9b77ded0949
75 – a1e96a96471e08dae17d0b9b6873d726
75 – a17a76e2f0f8343bbd4c49c9eaef83a3
67 – 1620ef6bb04e2ca548f3e7951f2a8a6f

The MD5′s above are all related to Trojan Koobface. If you are interested in tracking domains and IP’s contacted by or distributing Koobface click here for an updated list.

This summer a study was conducted where a worm was introduced to a network which consisted of 64 computers. The army of digital ants was able to successfully identify the infected hosts. Computer users need not worry that a swarm of digital ants will decide to take up residence in their machine by mistake. Digital ants cannot survive without software “sentinels” located at each machine, which in turn report to network “sergeants” monitored by humans, who supervise the colony and maintain ultimate control.

More on this interesting article can be found here

Malware Infection

“Imagine if instead, in the case of Britney Spears account for example, that the hacker had posted a link that said: ‘Here’s my new video. Click on this link.’ Imagine how many people would have clicked on that and it could have pointed to malware? And Barack Obama is one of the most followed people on Twitter. If he said: ‘I’ve just made a new speech. Check it out.’ a lot of people would click on that link and get infected.”

Read About the other 2 ways

1) improved URL tracking using ‘urlattr’ class and urls dictionary
1a) new command line option -g, to create a URL graph (only when pcap contains 10 or fewer URL requests)

2) bug fixes for stream reassembly and pdf parsing
2a) stream reassembly now handles all streams when processing a pcap file, regardless of whether the nids state is in end_states
4) detection of NOP sled shellcode and performance improvements in shellcode processing (this was one of the performance bottlenecks)
5) new output format with ./files/ directory or -d OUTDIR command line option
6) CVE references are available in the ‘rules’ file but are temporarily unavailable in alerts

One of the major differences is this release is dependent on Yara.. Before you attempt to install Yara make sure you install PCRE by running the following command

apt-get install libpcre3 libpcre3-dev

Now download the following files

1) http://yara-project.googlecode.com/files/yara-1.2.1.tar.gz
2) http://yara-project.googlecode.com/files/yara-python-1.2.1.tar.gz

For yara-python-1.2.1.tar.gz you can build by running the following commands

$ tar xzvf yara-python-1.2.0.tar.gz
$ cd yara-python-1.2.0
$ python setup.py build
$ sudo python setup.py install

And then for yara-1.2.1.tar.gz simply run

$ tar xzvf yara-1.2.1.tar.gz
$ cd yara-1.2.1
$ sudo ./configure; make; make install

Next run the following commands

$ sudo echo “/usr/local/lib” >> /etc/ld.so.conf
$ sudo ldconfig

I then ran jsunpack-n against one the sample .pcap files with the new -g option to generate an image file however immediately received the following error

sudo ./jsunpack-n.py sample-http-exploit.pcap -g url
Traceback (most recent call last):
File “./jsunpack-n.py”, line 1030, in
main()
File “./jsunpack-n.py”, line 1026, in main
graph(file, js.urls, options.graphfile)
File “./jsunpack-n.py”, line 924, in graph
import yapgvb
ImportError: No module named yapgvb

The error is from a missing python module which can easily be installed by running the following command.

apt-get install python-yapgvb

Now that everything is working I scraped MalwareURL.com for the most recently IPs/Domains associated with Exploits by using the following command.

links2 -dump http://www.malwareurl.com/search.php?domain=\&s=exploits\&match=0\&rp=100\&urls=on\&redirs=on\&ip=on\&reverse=on\&as=on | awk ‘{print $1}’ | sed ‘s/|//’ | egrep “[A-Za-z0-9\/]” | awk ‘{print “http://”$1}’ >> t3stURLS.txt

The result of the command stores a list of URLs into a file called t3stURLS.txt while running jsunpack-n in the background we can use wget to loop through the file t3stURLS.txt and download the content to see what gets picked up and decoded.

wget -i t3stURLS.txt -T 1 -t 3

Below is a small sample of the Jsunpack Output that was generated.

*Caution Malicious URLS*

[suspicious:5] 55x5h.2288.org/fkzd/2.htm
[impact=5] DecodedIframe  detected <iframe
[info] [iframe http] http://wm.7udij.cn/x87/xx.html
[info] [script http] http://js.tongji.linezing.com/1240663/tongji.js
[suspicious:5] wm.7udij.cn/x87/xx.html
[impact=5] DecodedIframe  detected <iframe
[info] [iframe .] wm.7udij.cn/x87/Td14.htm
[info] [iframe .] wm.7udij.cn/x87/yt.htm
[info] [iframe .] wm.7udij.cn/x87/td09.htm
[info] [iframe .] wm.7udij.cn/x87/yut.htm
[suspicious:5] 44x5h.2288.org/fkzd/2.htm
[impact=5] DecodedIframe  detected <iframe
[info] [iframe http] http://wm.7udij.cn/x87/xx.html
[info] [script http] http://js.tongji.linezing.com/1240663/tongji.js
[suspicious:5] wm.6bief.cn/x3/xx.html
[impact=5] DecodedIframe  detected <iframe
[info] [iframe .] wm.6bief.cn/x3/Td14.htm
[info] [iframe .] wm.6bief.cn/x3/yt.htm
[info] [iframe .] wm.6bief.cn/x3/td09.htm
[info] [iframe .] wm.6bief.cn/x3/yut.htm

As you can see from the output above jsunpack-n was able to decode the obfuscated JavaScript and output the Iframes that were buried within. Because I am using Wget the Iframes are not followed so this test only touches on some of the functionality jsunpack-n provides. Originally I believe jsunpack-n was developed to act as an IDS application however it can also be used for research purposes.

The New file directory now organizes the decodings by MD5 and also saves the executables.
decoding_048c802efcc40b164a42cf29c95ad9e13cf28995
decoding_742d479309d69fd4bc7353647cc66f5cc9418bf9
decoding_d6641a882f77807034ff0a1f5530b1b781ee1019
original_86c2d76a7ba524487ab518c7fae29dcc60c6fc54
decoding_17278448f71fbb774fd420d6bb6dc9f1bf1d8689
decoding_75d715bee572a79d9fba6bae2fff79cf2cb1620d
decoding_f867d1bc0da9a69c286131639f474a5c2521f46d

This tool has come along way and has become one of my favorite. Many thanks to the author for sharing with everyone in the community.

The vulnerability is a stack overflow in the FTP service when listing a long, specially-crafted directory name. To be vulnerable, an FTP server would need to grant untrusted users access to log into and create that long, specially-drafted directory. If an attacker were able to successfully exploit this vulnerability, they could execute code in the context of LocalSystem, the service under which the FTP service runs.

Configurations at risk

The vulnerable code is in IIS 5.0 (Windows 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003). IIS 7.0 (Windows Vista, Windows Server 2008) is not vulnerable. IIS 6 is at reduced risk because it was built with /GS which help protect the service from exploits by deliberately terminating itself when the overflow is detected before attacker’s code runs. We have not seen exploit code for this vulnerability that is able to bypass the /GS protection.

Also, remember that only servers that allow untrusted users to log on and create arbitrary directories are vulnerable.
Read More
Exploit

Upon execution the binary makes the following HTTP GET requests which you can search for within your proxy logs to identify infected hosts.

GET 174.133.34.178/p0723/2.0/d.bin?axa072776988
GET 174.133.34.178/p0723/2.0/ms.bin?axa0727588773
GET 174.133.34.178/p0508/2.0/so.bin?axa0727737721

You can also search your FW logs to identify any communication to the IP addresses listed below.

Name Query Result
bfkq.com (174.133.126.2)
74.54.201.210
174.133.72.250
jsactivity.com (74.52.142.226)
74.55.37.210
174.133.126.2

Click here for Anubis Report
Virus Total Results

What the article fails to say is what domain is distributing this malware and how many other AV vendors are picking this up. I did a little digging through the sample collection and came across the following URL which fits the description.

hxxp://adobeupdateserver.com/download/AdobeUpdate.exe

DNS Information
Name: adobeupdateserver.com
Address: 216.146.130.104

Very Low detection by AV vendors at the time of this posting (6/41).

Virus Total Results for AdobeUpdate.exe
Threat Expert Report for AdobeUpdate.exe

They do mention how you can tell if you have fallen victim to this clever scheme.

Look for the following

– A Firefox plugin named “Adobe Flash Player 0.2″
– Having recently installed a file called install_flash_player.exe or Install_Flash.exe from an unknown source

“A potent trojan cocktail consisting of backdoors, password stealers, and downloader is being loaded by a malicious iframe on nearly 55,000 compromised website pages. The iframe points to an intermediary exploit site, http://a0v.org/x.js, which in turn loads additional exploits and malware from up to seven different malware domains.

A Google search on the iframe script tag resulted in 54,900 hits. Victim sites include www.feedzilla.com, latindiscover.com, and a number of charitable and nursing facilities, including howellcarecenter.com, sweetgrassvillagealf.com, www.foodsresourcebank.org, and morningsideassistedliving.com.”

I started seeing these domains pop up around 8/5. Follow the links below for more information.

ahthja info
laogong info

Read More

Alternate Data Streams in NTFS (NT file system) is a rather unknown compatibility feature in Windows NT systems. It was introduced in NTFS with the intent of compatibility with HFS, or the old Macintosh Hierarchical File System. The Primary Function of ADS is to hold metadata about files: Writing details in summary of a text document (right clicking the TXT file, selecting properties, and then selecting the summary tab) gets attached as an ADS.

So what’s so special about ADS?

One may think, “A text document’s summary is stored as ADS… so what?” Well, there’s more to it — executable code can also be stored as an alternate data stream without the Timestamp, listed File’s size or running process name being modified. Moreover, files with ADS are almost impossible to be detected by native file browsing techniques like Windows Explorer or the command line; software that can identify them are few and far in between…

Exploiting ADS

The lengths a malicious hacker can go to hide his tracks can be astonishing, and this is what makes ADS the worst nightmare of a System Administrator. Due to the concealed nature of ADS, detecting and preventing execution of malicious code is intricate.

Once a hacker has acquired administrator access on the system, he’ll strip off all information of concern, covering the detection of his presence and will try to install a backdoor (a remote access Trojan) for easy future access. This backdoor needs to be veiled from the system administrator, this is where ADS comes to in – it can be used to hide files on the breached system, evading detection and executing them without the knowledge of the sys admin.

The ability to hide executable code in an invisible form inside ADS can also make viruses difficult to be detected within a file system, because most virus scanners only verify the default data stream of files. Major Anti-virus vendors point out that ADS must be loaded into the memory before execution and thus will be detected with real-time scanning (when a file is scanned after it is loaded in memory (just after commanded to execute), the type of scan is known as a “real-time” scan). The problem with this approach is that many network administrators do not run real-time scanning on their servers or workstations due to performance issues.

Denial of Service (DoS) attacks that exploit the use of ADS also exist. It is the difficulty of detection that increases the threat. For example, it is quite common for an attacker to create a file large enough to fill up the system partition on a Windows NT/2000 system, to crash the server due to lack of space for temporary files. When using the main stream of a file in such an attack, the violating files are easily identified due to their abnormally large size. By using Alternate Streams here, it can be made difficult to detect where the violating files are located on the system. Another attack exploiting ADS can be launched by creating a large number of alternate streams, more than 6,000 on a specific file. If the attacker or the system tries to access the default stream of the file, the system’s response slows considerably and in worst case, the system crashes thus creating a Denial of Service.

Moreover, this vulnerability is not confined to the NTFS file system; any other file system that uses streams for alternate data is vulnerable.
Read More

“ The reality is that not enough of these companies at that level, particularly in the financial sector, properly do intake for vulnerabilities. ”

Russ McRee, HolisticInfoSec.org
The XSS, or cross-site scripting, flaws made it possible for phishers to send Ameriprise customers bona fide links to the Ameriprise website that opened pages that intermingled counterfeit content with legitimate text and graphics. The holes could also allow criminals to steal browser cookies used to authenticate online accounts.

In the five months since Russ McRee of HolisticInfoSec.org first identified the bugs, Ameriprise offered customers statements like this one, which assures visitors that “no one without the proper web browser configuration can view or modify information contained on our systems.” And yet, not one of the half-dozen warnings McRee sent was answered.

“The reality is that not enough of these companies at that level, particularly in the financial sector, properly do intake for vulnerabilities,” said McRee. “There should be something on their site that says ‘If you see a security issue on our site, please report it.’”

It was only earlier this week that federal prosecutors revealed that another garden-variety web vulnerability, known as an SQL injection, was the chink that allowed Albert Gonzalez and other hackers the toehold they needed to steal more than 130 million credit card numbers from card processor Heartland Payment Systems and four other companies. Like SQL injection flaws, XSS vulnerabilities have been around for more than a decade and are routinely discounted as insignificant by many of the websites plagued by the bugs.

Indeed, Benjamin Pratt, Ameriprise’s vice president of public communications, played down the severity of the bugs brought to his attention, saying they affected only one portion of the company’s site.

“It’s an important point to note that none of our client data can be exposed by this,” he said shortly after being alerted to the bug. “There’s no one at risk here. Like any other vulnerability, we’re aware of it and we’re moving as quickly as we can to repair it.”

He said Ameriprise officials have no way of verifying that the bugs were reported as long ago as March, but in any event he said that there are no plans to review any of the mechanisms the company may have in place to receive notifications from the public about website vulnerabilities.

“There are plenty of customer service and other phone numbers available on our website,” he said. “I can’t speak to that specific experience.”

It’s not the first time a major financial services company has been caught sitting on a bug that could undermine the security of its online customers. In December, web application developers fixed several XSS holes on the website of American Express, more than two and a half weeks after McRee reported them to company representatives.

That bug was particularly embarrassing because Amex is a founding member of the PCI Security Standards Council, the group that sets the rules governing the Payment Card Industry. According to the rules, sites that suffer from XSS vulnerabilities are not compliant with payment card industry data-security standards.
Read More