Monthly Archives: April 2016

Security Weekly #462 – Interview with Sean Metcalf, Microsoft Certified Master

Sean Metcalf (@PyroTek3) is a Microsoft Certified Master (MCM) / Microsoft Certified Solutions Master (MCSM) in Directory Services (Active Directory Windows Server 2008 R2) which is an elite group of Active Directory experts (only about 100 worldwide). As of 2016, he is also a Microsoft Most Valuable Professional (MVP). We ask him about his start in information security and PowerShell. Listen in now!

Humble Hacking Bundle from No Starch Press

No Starch Press is teaming up with Humble Bundle again to raise money for the EFF, the Electronic Frontier Foundation. Pay $15.00 to help support the EFF and receive a bundle of thirteen eBook titles.
Some of the titles are: Hacking: The Art of Exploitation, Hacking the XBox, Automate the Boring Stuff with Python, Python Crash Course, Practical Malware and The Linux Command Line.

Any amount gets you four titles and a $15.00 donation gets you all 13. You decide how much goes to EFF, No Starch or Humble Bundle.

Details are at

Open-Source CMS Security In The Enterprise

Regardless of the size of your organization, the security challenges with open-source Content Management Systems (CMS) security are the same. In the enterprise the issue stems not from the technology or existing processes, but...

Read More

The post Open-Source CMS Security In The Enterprise appeared first on PerezBox.

Bedep has raised its game vs Bot Zombies

Simulacra & Simulation - Jean Baudrillard
Featured in Matrix
Bedep could be described as a fileless loader with a resident module that can optionally perform AdFraud. It's intimate to Angler EK and appeared around August 2014

On the 2016-03-24 I noticed several move in Bedep. 

Angler infecting a VM and integrating it into an instance of Bedep botnet
No more variable in the URI (as several month before), the protocol Key changed and in most of my manual checks, all threads were sending a strange payload in the first stream.

2ko size for Win7 64bits :
Popup shown by the first payload from Bedep Stream - Win7
(in the background Angler Landing)

48ko size for WinXP 32bits:

Popup shown by the first payload from Bedep Stream - WinXP

Looking at my traffic I thought for some time that one of the Bedep instances was split in two.

Then I understood that I got different result on my "manually" driven VM (on VMWare ESXi) and my automated Cuckoo driven one ( on VirtualBox). I suspected it was related to hardening, as this is one of the main difference between those two systems.

And I got confirmation. Here is an example on a GooNky ([1] [2] [3]) malvertising traffic in Australia :

A VM not hardened enough against Bedep got redirected to a "decoy" instance of Bedep that i will refer as :
Bedep "Robot Town" - 2016-04-12
Now look what i get instead with a VM that is not spotted as is:
Same Angler thread - VM not detected. 1st Stream get Vawtrak

I am not skilled enough to give you the list of checks Bedep is doing. But here is one of them spotted by Cuckoo :

Bedep doing some ACPI checks
I think there are multiple level of checks. Some resulting in Bedep not trying to contact the C&C, some where the positive check end up with a different seed for the Bedep DGA redirecting spotted machines in a dedicated instance. 
This is quite powerful :
- the checks are made without dropping an executable. 
- if you don't know what to expect it's quite difficult to figure out that you have been trapped
- there is a lot of things that operators can do with this list of known bots and initial Bedep thread ID. 

One of them is for instance knowing which of the infection path are researcher/bots "highway" :

Illustration for Bedep "Robot Town" from an "infection path" focused point of view

This could be just a move to perform different tasks (AdFraud only (?) ) on VMs, but my guess it that this Bedep evolution on 2016-03-24 is a fast reaction to this Proofpoint Blog from 2016-03-18 which  show how Bedep threads are additional connectable dots. 

Sharing publicly is often a difficult decision. The question is which side will benefits the most from it, in the long time.

For researchers:
In the last 3 weeks, if your VM have communicated with : (which is a Bedep ip from end of 2015 reused) || (  && http.uri.path  "ads.php?sid=1901" ) and you are interested by the "real payload" then you might want to give PAfish a run.

Image result for robot movie sad robot
Marvin - Paranoid Android
On the other hand, any of your VM which has communicated with (Bedep "standard" 18xx 19xx instance)  since the 24 of March is hardened enough to grab the real payload.

- Removed the AU focused mention on the Vawtrak. I have been told (Thanks ! ) it's US focused. Got geo 
Glitched. Maybe more about that a day or the other.
- Refine the check conditions for Researcher. IP and sid=1901...otherwise...ok :)

Acknowledgements :
Thanks Will Metcalf and Malc0de for the discussions and help on this topic
I'm sorry, but I must do it...Greetings to Angler and Bedep guys. ;) You are keeping us busy...and awake !

Reading :
Bedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schwarz - ArborSert

CVE-2016-1019 (Flash up to and Exploit Kits

Spotted in a "degraded" version on the 2016-04-02 in Magnitude, live also since 2016-03-31 in Nuclear Pack, Adobe was really fast at fixing  this vulnerability with the patch released on the 2016-04-07 bringing Flash Player to version

It's not the first time a "0day" exploit is being used in a "degraded" state.
This happened before with Angler and CVE-2015-0310 and CVE-2014-8439

You'll find more details about the finding on that Proofpoint blog here :
"Killing a zero-day in the egg: Adobe CVE-2016-1019"
and on that FireEye blog here:
CVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit
Note : we worked with Eset, Kaspersky and Microsoft as well on this case.

Nuclear Pack :
2016-03-31 "Degraded"
Identification by  Eset, Kaspersky and FireEye (Thanks)
Exploit sent to Flash Player by Nuclear Pack on the 2016-03-31
CVE-2016-1019 inside

Sample in that pass:  301f163644a525155d5e8fe643b07dceac19014620a362d6db4dded65d9cad90
Out of topic example of payload dropped that day by that instance of Nuclear : 42904b23cff35cc3b87045f21f82ba8b (locky)

Note the string "CVE-2016-1001" in the Nuclear Pack, explaining why maybe this exploit is being used in a degraded state.

CVE-2016-1001 string spotted by Denis O'Brien (Malwageddon), the 2016-04-05 in Nuclear Pack exploit

Magnitude :
2016-04-02 "Degraded" to
Identified as is by FireEye
[2016-04-07: TrendMicro told me they found some hits for this exploit in Magnitude back from 2016-03-31 as well]

Magnitude exploiting Flash with CVE-2016-1019 the 2016-04-02 in the morning.
Payload is Cerber.

Side note : the check on the redirector in front of Magnitude ( ) which might have been fixed with the CVE-2015-2413 was in Magnitude landing itself from September to end of November 2015.
res:// onload check features unobfuscated at that time in Magnitude Landing 2015-09-29

Sample in that pass: 0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5
Out of topic payload: 9d92fb315830ba69162bb7c39c45b219cb8399dd4e2ca00a1e21a5457f92fb3c Cerber Ransomware

Note: I got successful pass with Windows 8.1 and Flash as well and Windows 10 build 1511 (feb 2016) via Flash on Internet Explorer 11. Edge seems not being served a landing.

2016-04-11 - "degraded" as well it seems. (at least didn't got it to work on Flash 21.x)
CVE id by @binjo and Anton Ivanov (Kaspersky)
Neutrino successfully exploit Flash with CVE-2016-1019
Fiddler : Sent to vt
Out of topic payload: 83de3f72cc44215539a23d1408c140ae325b05f77f2528dbad375e975c18b82e

Reading :
Killing a zero day in the egg : CVE-2016-1019 - 2016-04-07 - Proofpoint
CVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit - 2016-04-07 -  Genwei Jiang - FireEye
Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player - 2016-04-07 - Peter Pi, Brooks Li and Joseph C. Chen - TrendMicro

Hack Naked TV – April 7, 2016

This week Paul takes the place of Aaron Lyons who is busy fighting Ninja Lamas. Paul discusses Car future Malware, Ubuntu Patches Kernel Vulnerabilities, OSVDB Shuts Down For Good, Flash zero-day in the wild to be fixed by Adobe, and FBI: $2.3 Billion Lost to CEO Email Scams. Check out the Security Weekly Wiki for more information!