Finjan MCRC Blog: Posts

Attacker toolkits for free

Wed, 07 May 2008 00:00:00 GMT

During our ongoing research we came up against one curious site.
The site is hacking/security oriented, and is written in Russian (hmm... last time i've cheked it was in Netherlands), and not significantly different from many other similar sites.
The same "news" section with recent exploits.
The same "arcticles" section with same "How to get root on server" paper.
And the forum with common "SQL Injection FAQ" thread for newbies. What makes difference is the "download" section.

I think it's the first time we see such a comprehensive, well arranged and recently updated collection of trojans, keyloggers, back-door web-shells and, the most interesting for us, attacker toolkits.

2project
IcePack
Loader_ROBOTS
TDS KALLISTO
cry217
firepack
mpack0.99
Tornado
ADPack

Where is Neosploit? I should file a complaint for not providing it as well in this fine lineup.

All these toolkits installation packages are on the same page. For free!
We have seen some of these toolkits for sale numerous times in the past. And here - everything for free. Very nice site :)
Every toolkit has its installation guide. So, all you need to do in order to run your own crimeware server and a small horde of trojans are some basic unix/php/mysql skills and some server space - thats all.

There is even an article covering the installation and operation of the much-hyped ZeuS kit (toolkit for creating trojans, including the server side control for it, with close ties to the actual money laundering operations built in...).

In the next post, we will introduce you to some of these guys more close.

Posted by Vadim Pogulievsky

Crimeware server catering to “grab and run” criminals

Tue, 06 May 2008 00:00:00 GMT

During our research for the latest Malicious Page of the Month that has just been released, we came across a domain that was being used as a command and control for the Crimeware that was executed on attacked machines. This domain was also used as the “drop site” for private information being harvested by that Crimeware.
When we further examined this server, we found that the stolen data on it was unprotected and freely accessible to anyone - we found no access restrictions, no encryption whatsoever!
In total, we found more than 1.4Gb of personal and business data (including emails and web related data) for grabs, collected from infected PCs.

Obviously, no business or personal data was safe; we found logs with business information on shipments, intellectual property, pension funds, legal cases, patients, marketing strategies etc. but also personal information that criminal elements could use to their own benefit.

Following are some of the records that were on that server for grabs.
We changed/blurred information to protect people’s and companies' privacy.

Medical record:

http://...../de...nts/.../MedicalRecordReview/ "Diagnosis=Admitted for IV abx 2nd spinal rod infection. Hx of SMA, wheelchair bound, on bipap c back up rate. ESR increased. Ctx neg. Not getting meds at home. Will need 42 days abx…. low grade fever 2 days ago."

Email communications:

"…Attached you will find our personnel file. Please fill it out in its entirety and return via email….These forms are kept confidential and locked up"

Outlook with email communications:

Bank customer’s credit card details:

We were especially curious how these user data for grabs were managed by the cybercriminals, and we found a C&C application that they used for that purpose.
The administration of this Command & Control (C&C) function consists of a PHP based web application. It managed the infected machines, and enabled the criminal to address specific groups of “users” –by country, by IP, by type of logs, you name it!

The administrator could also issue commands, instructing the Crimeware on the infected machines to perform certain actions:

The server we investigated hosted multiple “attack campaigns”.
Each campaign had its own logged data from the infected users, as well as an administrative interface to the attack Crimeware toolkit that was used to infect the users (in this case the “AdPack” toolkit).

The administrative (statistics) interface to these AdPack toolkits showed how effective each campaign was, and provided statistical information on the geographical location of the infections, and of course, referral statistics to accurately measure where did the infections come from.

With user data services as described above, we now see that Crimeware has reached a new level of sophistication – again!
We see that Command & Control applications enable administrators to manage the actions and performance of their Crimeware. It gives them also control over the users of the Crimeware as well as its victims. Most scarily of all - it also allows easy access to user data.
The full research is captured in our MPOM April 2008.
We would like to emphasize, that due to restrictions set by law, the research discloses only a fraction of the amount and type of data that we found on the crime server.

Posted by Iftach Amit

New neosploit - without MDAC :)

Sun, 06 Apr 2008 00:00:00 GMT

There are some things in common to most of the attack toolkit, one of which is exploit against the MDAC vulnerability (patched in 2006), MDAC is also in many cases the first exploit the attacker is trying to use.

Looking at the new version of neosploit, we found it to contain the following exploits:

SB.SupperBuddy
CA, AddColumn
NCTAudioFile
GomManager
(and the elder) WebViewFolderIcon

As you can see, after almost 3 years of running strong, MDAC has finally retired :)

Good riddance,

Golan

Posted by Golan Yosef

On the (dis)merits of privacy

Wed, 26 Mar 2008 00:00:00 GMT

Following up on my last post, after filing a complaint with the abuse department of privacyprotect.org (and blogging about the problem), I have just received an update noting that:

--quote--

On investigating on your complaint , we have determined that the domain name "SPYWARESAFE.NET " is in violation of the terms of usage of the Privacy Protect service. We have therefore,

disabled the Privacy Protect service for the domain name, such that it now displays the putative contact details of the domain name holder, and
notified the sponsoring Registrar about the complaint, who shall act upon the complaint in accordance with their policies.

For any further updates on this matter, you can contact ESTDOMAINS, INC. , the sponsoring Registrar for "SPYWARESAFE.NET".

We are extremely particular about preventing misuse of our services in any manner. Should you encounter any other such instances, please feel free to notify us immediately.

--quote--

It’s interesting to note how a little exposure, combined with an email pointing out that the privacy protection is in direct violation of the service terms, gets some gears in motion. Don’t expect though to get complete verifiable details on the domain owner… The known issue with whois data is not limited to hideouts such as privacyprotect.org, but to the entire scheme of how domain registration works, and the accountability (or lack of) of the registrars to make sure that the details of domain owners are at least somewhat relevant. As you can see from the below data, trying to find a “Pavel” that lives in Russia, is like trying to find a “Mohammad” in Saudi-Arabia, or a “Mr. Smith” back in the states...

--quote--

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: SPYWARESAFE.NET

Registrant:
    N/A
    Pavel        (linkwork@mail.ru)
    kremlin st. 1
    Moscow
    Moskovskaya oblast,123456
    RU
    Tel. +495.1231212

Creation Date: 05-Dec-2007
Expiration Date: 05-Dec-2008

--quote--

At least the onion is starting to peel off and maybe hopefully law-enforcement can get better details on the owner, or work with the registrar to track him/her down.

Off to Amasterdam now – see you in BlackHat EU (Friday the 28th, track 2, 10am)!

Posted by Iftach Amit

Taking down a malicious site - the good, the bad, and the ugly...

Wed, 19 Mar 2008 00:00:00 GMT

As part of the "closure" on the February Malicious Page of the Month, which involved meoryprof.info (taken down), and spywaresafe.net we have contacted the appropriate parties in order to notify them that these websites contain malicious code.

Meoryprof.info was the first to buckle (probably under the press exposure), but spywaresafe.net have managed to stay afloat for quite a while. The problem with such domains these days, is that they are usually designed to hide the true owner in the best possible way.

Spywaresafe.net has been running in full-steam for only a short period of time, but has managed to rack up quite a track record of user visits and infections (see the below screenshot from its NeoSploit admin page)

(note that this screenshot is rather old and contains data on the first half of February only… nevertheless, almost 300k visits were logged to the main user and 150k more on the second user)

Looking into the whois record for spywaresafe.net would yield a disappointment – it is hidden using a service provided by privacyprotect.org. This service allows domain owners to hide behind an entity that would provide them "privacy". The practice itself may seem questionable, but privacyprotect.org has a nice website with easy to access forms for requesting the disclosure of a domain owner in case there is some kind of "abuse" done by it.

Well… that didn't really work. Sending a couple of these forms in the past month got us absolutely nowhere. No response, not even a decline for our request. These guys must be doing a too good of a job protecting something (definitely not internet users, but something...).

On the bright side, when we contacted the hosting company that was associated with the IP address for spywaresafe.net (78.109.18.130), the response was surprisingly quick, and the security guys there took the offending site down (p.s. – always use email, trying to call in brought an unbridgeable language barrier):

—quote—

...

The actions accepted by us:

Server IP: 78.109.18.130 it is disconnected and formatted.

...

—quote—

Although the company policy there is not to disclose details about the client who paid for this service (can't blame us for trying ;-) ).

Moral of the story – undecided (hence – good, bad, ugly?). Seems like the law enforcement efforts does work, on targeted incidents (no follow up on the second domain). Trying to be the good samaritan does not always play well, and you get to hurdles such as these privacy protection schemes (which in my opinion have no place on the internet), and to surprises such as the guys in hosting.ua (Ukraine’s national hosting) who diligently stepped up to the plate. One has to admit that there really is no place for discrimination on the net...

In hope that we won’t have to do any more of this and have law enforcement and CERTs kick in for those cases, I'll sign off for this time :)

Posted by Iftach Amit

About window of vulnerability (and MS08-017)

Mon, 17 Mar 2008 00:00:00 GMT

We here at the MCRC conduct independent vulnerabilities research once in a while, in order to provide our customers the best protection we can offer. The last MS security update included fixes for 2 vulnerabilities in the MS Office Web Component that we have discovered, one of which (CVE-2007-1201) was reported to Microsoft two years ago (!!). This means a 2 year long window of vulnerability. Needless to say, Finjan customers have been protected for the last 2 years against exploitation of this vulnerability, even at times when this vulnerability has been used in the wild with no patch available.

The fact, that it took Microsoft 2 years to fix this vulnerability does put our vulnerability disclosure policy (responsible disclosure) under quite a strain.

The exploitation of this vulnerability takes a couple lines of code, and would leave the machine with the following register dump (pending the shellcode used…):

EAX 00000000

ECX 01D62000

EDX 057D0010

EBX 00000050

ESP 01D633B8 UNICODE "AAAAAAA..AAAAAAAAAAAA"

EBP 01D63908 UNICODE "AAAAAAA..AAAAAAAAAAAA"

ESI 00000000

EDI 06830010

EIP 00410041 iexplore.00410041

Until next time

Posted by Golan Yosef

Optimizing Cross Site Scripting - and general security practices

Sun, 16 Mar 2008 00:00:00 GMT

We have been working recently on a XSS attack that impacted a huge number of potential victims, as the attack itself has been “optimized” by SEO (Seacrh Engine Optimization) practices that pushed it to Google’s indexes.

In itself, this is not a new technique, but the sheer size of it made us take a second look (incidentally, another security researcher has gone public with the details at the same time while we were communicating with Google’s security team about it). So how does it work? Basically the recipe is quite simple:

Find an XSS vulnerability on a major site that has a decent amount of traffic (easy).
Decide what you want your victim to “experience” – this can vary from serving some malicious code, to pure Crimeware marketing (lessons learned from “what to avoid” from SPAM email marketing).
Start googling it with the XSS in the URL (most sites normally allow parameters to be passed in a GET rather than enforcing POST only).
Enjoy the show – make sure that the XSS (usually a search page) also contains some keywords that would attract hits from legitimate searches.

XSSed sites used:

From what we have seen so far – including sites such as torrentreactor.net (first one) and zdnetasia.com (on 3/4/2008), tv.com (2/5/2008), torrentportal.com (3/8/2008), University of Pittsburgh’s jurist.law.pitt.edu, torrentfreak.com and fulldownloads.us (3/9/2008).

Unwanted sites used in the attack:

From is-t-h-e.com, through 72.232.39.252, media-toolbar.com, oasdc.info, do-t-h-e.com – all provide some kind of unwanted malware to be eventually dropped onto the unsuspecting user.

And finally – a glimpse into what people are looking for. Looking at the keywords used as part of the search terms, we discovered a sort of a zeitgeist of popular terms. The obligatory mature content terms (which I won’t quote for obvious reasons!) to the other extreme such as “the lost book of the new testament bible”, and the more spiritual “working with emotional intelligence” as well as the mundane “chevy tahoe specs”. Even techies are properly served with “bash if or condition”. In short, it provides us with a truly “inspiring” journey into what makes us tick (although we already know, still, seeing it is truly believing).

And now for the replies we got from some affected parties:

From torrentreactor - who we contacted on 3/4/2008, as their XSS was not public at the time (if you don’t count the outing done by other blogs) – we got a pretty quick response thanking us for the notification, and asking if there were more issues with their site. However, there hasn’t been a fix of the XSS issue yet at the time of this writing).

The more interesting view comes from Google (contacted early 3/4/2008). We contacted them since we saw that some of the search results were sanitized of the offending XSS effect, while other still contained a working XSS.

Google acknowledged that this was a known attack vector, and confirmed that they are indeed working on ways to manipulate and “sanitize” links provided by them in an effort to minimize the effect of incidents such as XSS on indexed sites. They also share our opinion on the reality of XSS and its affects on web browsing: "Google recommends that sites fix their cross-site scripting vulnerabilities as a priority. These can be abused in a number of ways, including bad interactions with search engines. Google is helping by reaching out to affected organizations. In addition, Google has internal processes to block abuses when the situation warrants."

It will be interesting to see how this will work out since sites still cache search results, thus allowing search engines to index those as results as well. That practice is exploited here where the site is affected by a XSS, which is then in turn “immortalized” when a search engine sees it.

In the meantime we would recommend the following:

Website owners and developers - XSS is rated no. 1 in the OWASP top 10 web application vulnerabilities (no pun intended). Most of them are known. Test for it, fix it. It may not be a direct threat to YOUR site, but it's a security issue nonetheless and poses a risk to your users.
Stop allowing the caching of search results. All the XSS were found in the search pages of the vulnerable sites. Just disable search engine caching for them. There is no added value in it.
Search Engines - you have the money and the resources. Although it's OPP (other people's problem), you can help prevent and mitigate such incidents (kudos to Google for their ongoing efforts).

Ending on a high note – we stand for security of online browsing, as well as responsible disclosure.

Posted by Iftach Amit

From 0day PoC to attack

Mon, 03 Mar 2008 00:00:00 GMT

I’m not about to discuss the pros/cons regarding full disclosure, just to show an amusing example of it:

A 0day vulnerability was discovered in “Rising” – a Chinese AV product (insecure method vulnerability) and a PoC was published at milw0rm.com. Today we found a site trying to exploit the vulnerability, but the funny thing is, it used the PoC as is (changing only the payload URL, and using obfuscation to hide it) leaving the original function name (test ) and “GO !” button to trigger it (e.g. the exploit will only run once the user clicks the “GO !” button ). Needless to say, the exploit is served as a hidden IFrame so the user won’t even see the button.

Code (de-obfuscated)

</object>

function test()

{

EXPLOIT CODE

}

</script>

<input type="button" value=" Go " onclick="test()">

Posted by Golan Yosef

Crimeware server and the international man of mystery

Thu, 28 Feb 2008 00:00:00 GMT

While conducting research for the latest Malicious Page of the Month we have just released, we tried to track down the origins of the crimeware.

Obviously, this is a daunting task by itself, and although sometimes security researchers are able to point at specific people as the ones running the criminal activity, it does not always help that much (remember the RBN case where multiple law enforcement agencies were notified, but the people behind the scenes were never arrested or indicted).

Well then, back to our little server – the domain name hosting the crimeware (Neosploit 2.0.13) was hosted in Hong-Kong (see below)

So that does not bring us any closer to who is this – as the address is located at a hosting company. Fortunately, our research brought in some additional IP addresses. We managed to grab these from the web server just like we have uncovered the 8,700 FTP account credentials that the research paper talks about (no exploits or attacks were used to do so – simply thinking outside the box sufficed).

Tracking these down proved to be a nice tour around the globe (long whois info deprecated for clarity):

inetnum: 78.109.19.160 - 78.109.19.167

netname: activebill

descr: activebill - Andrey Smirnov

person: Andrey Smirnov

address: 125167, Leningradsky prospekt, 47, Moscow, Russia

remarks: phone: +7 095 795 0295

phone: +7 495 795 0295

remarks: fax-no: +7 095 795 0295

fax-no: +7 495 795 0295

nic-hdl: AS32250-RIPE

e-mail: admie@svetcorp.net

source: RIPE # Filtered

inetnum: 82.146.40.0 - 82.146.47.255

netname: ISPSYSTEM

descr: ISPsystem at MSM

country: RU

admin-c: DS2036-RIPE

tech-c: AB11726-RIPE

status: ASSIGNED PA

mnt-by: ISPSYSTEM-MNT

source: RIPE # Filtered

<>person: Dmitry Sidorov

address: PoBox 30, 664017, Irkutsk, Russia

phone: +7 495 727 38 79

e-mail: inet@ispserver.com

nic-hdl: DS2036-RIPE

source: RIPE # Filtered

person: Alexandr Brukhanov

address: PoBox30, 664017, Irkutsk, Russia

phone: +7 495 727 38 79

nic-hdl: AB11726-RIPE

source: RIPE # Filtered

inetnum: 85.17.111.0 - 85.17.111.255

netname: LEASEWEB

descr: LeaseWeb

descr: P.O. Box 93054

descr: 1090BB AMSTERDAM

descr: Netherlands

descr: www.leaseweb.com

remarks: Please send email to "abuse@leaseweb.com" for complaints

remarks: regarding portscans, DoS attacks and spam.

remarks: INFRA-AW

country: NL

admin-c: LSW1-RIPE

tech-c: LSW1-RIPE

status: ASSIGNED PA

mnt-by: OCOM-MNT

source: RIPE # Filtered

OrgName: Galaxyvisions Inc

OrgID: GALAX-6

Address: 882 3rd avenue 8th floor

City: Brooklyn

StateProv: NY

PostalCode: 11232

Country: US

Putting all these guys on the map results in a very interesting “international man of mystery” cross-continent network of connections:

Obviously we are looking at some eastern-bloc oriented operation, with some access to resources in the Netherlands and the US (either other people, or just computers from which access could have been made).

Now that law enforcement agencies are involved with this, maybe we would see some developments on the matter, although from the looks of these pins on the map, I expect some really interesting multi-lingual cop-speak to spur out soon...

Posted by Iftach Amit

NeoSploit V.2.0.15 - and behind the scenes

Tue, 19 Feb 2008 00:00:00 GMT

As part of our on-going research we had the chance to “meet in person“ some parts of the server side operations behind the new version of the NeoSploit toolkit.

Although there is nothing new with this attack vector itself, (Iframe is being injected into legitimate websites), we have had some interesting sites that had the malicious code in them.
Some of those websites have a very high reputation and traffic ranking. Some recent vulnerabilities are exploited in order to infect the visitors with a Downloader Trojan (that pulls in financially "aware" trojans from the same host). Data is being sent and retrieved constantly...you know the drill.
BUT, for getting the cool info of this attack, you’ll need to dig-in a bit deeper into this server (well, actually more than just a bit).

On the backend of this attack we discovered about 8,000 FTP accounts, usernames and passwords of respectable organizations, some of them are governmental institutes, leading providers in the technology industry and the most exciting accounts on the list (from my weird security point of view) belongs to Security Vendors. And my favorite one has an upload permission to Security Vendor’s update site. Now I’m really impressed (believe me, it’s not easy to impress a girl like me).

How did they manage to do it? You wish to know don’t you? Well, aren’t we all...
Well, it’s complicated, and involves trading of stolen credentials in the back-alleys of this shadow economy where Trojan generated data is traded.

We are currently performing research on the binary of neosploit version 2.0.15, and will be releasing the analysis data in the coming weeks, in the meantime, you are more than welcome to start the journey into the back-alleys of criminal server management with our current malicious page of the month.

God Speed Security Vendors!

Posted by Ayelet Heyman

The impact of just 5 random letters...

Thu, 17 Jan 2008 00:00:00 GMT

We have been watching in amazement the impact our latest Malicious Page of the Month had on the industry and media.
From coverage at Fox Business News, and the Washington Post, all the way to the more "traditional" security outlets such as SecurityFocus, SC Magazine and bloggers such as Dancho Danchev.

The scary thing is the non-media related impact - we are still seeing a tremendous amount of domains (and sites) that are still compromised. Just a quick preview of the ongoing research we are putting into this - we are getting closer to getting to the root (no pun intended) cause of the problem that seems to affect Linux webservers (and this time it may not be a cPanel related issue for a change).

Looking forward to posting an update soon as we make progress in cracking this one.

And the winner for "top virus" of 2007 is...

Sun, 06 Jan 2008 00:00:00 GMT

Not a virus. Not even a malware. Neither is the runner up… It's the method of how malware is populated.

According to a report, the most common malware attack in 2007 is the notorious IFRAME.

On our monthly and quarterly reports we provided more in-depth analysis of such top-ranking IFRAME and obfuscated code.
In Finjan’s terminology, the top-ranked virus IFRAME is not a malware or a virus, it's more like how criminals are directing users’ browsers to a malware. Interestingly enough – the runner-up is “Mal/ObfJS” – Obfuscated javascript, again no a virus or malware but a simple technique to hide exploits from signature matching inspection.

How come? Well, remember that signature-based solutions are in a dire need to be able to stop the more common techniques employed by attackers (we have actually started to report on them during 2006), since the detection technology is limited in detecting the obfuscation and evasive techniques – typically signaturing the de-obfuscating portions of the script.

This has led to the recent reports of false-positives by multiple AV vendors lately, as active-content is becoming more and more complicated, and the ways to express an action in interpreted code are very complex – meaning that signatures in this realm are almost obsolete (you can see the honorary mention of the “DF” function (Mal/FunDF) in the 10th place, which is a signature on a specific de-obfuscating function – again, no mention of any malicious action taken by it, it’s just that it had it’s 15 minutes of fame when it was used by toolkits to deliver actual malicious code…)

Looking forward to 2008 I really hope that the industry as a whole will not be lagging behind the attack vectors as it did in 2007, and new and improved engines would enable end-users (especially consumers who do not benefit from the more sophisticated solutions offered to enterprises) to have better protection when using the internet.

I know what my new-year resolutions are – do you?

Posted by Iftach Amit