Monthly Archives: February 2018

Control Flow Integrity: a Javascript Evasion Technique

Understanding the real code behind a piece of malware is a great opportunity for the analyst: it increases the chances of understanding what the sample really does. Unfortunately it is not always possible to recover the "real code"; sometimes the analyst has to rely on disassemblers or debuggers to infer what the malware does. When the sample is written in interpreted or bytecode-compiled code, however, such as (but not limited to) Java, JavaScript, VBS or .NET, there are several ways to get a closer look at the code.

Unfortunately attackers know what the analysis techniques are, and they often implement evasive actions to limit the analyst's understanding or to make the overall analysis harder. An evasive technique may detect whether the code is running inside a VM, restrict execution to specific environments, defeat debugger hooks, or resist reverse-engineering steps such as de-obfuscation. Today's post is about the last case: I would like to draw my readers' attention to a fun and innovative way of evading reverse-engineering that is built on JavaScript itself.

JavaScript is becoming more important as an attack vector day by day. It is often used as a dropper stage, and its implementation comes in many flavours and coding styles, but the bottom line is that almost every JavaScript malware sample is obfuscated. The following image shows an example of an obfuscated JavaScript payload (taken from one of my analyses).

Example: Obfuscated Javascript


As a first step the analyst would try to de-obfuscate such code by working through it. Starting from simple "cut and paste" and moving on to more powerful substitution scripts, the analyst renames functions and variables in order to break the complexity down and make clear what each code section does. But JavaScript offers a convenient way for a function to read its own name at run time, which can be used to detect whether that name has been changed: arguments.callee is the function object currently executing, arguments.callee.name is its name, and arguments.callee.caller is the function that invoked it. By walking the .caller chain the attacker can build a stack trace, i.e. the list of names of the functions executed so far. The attacker then uses those function names as the key to dynamically decrypt specific, crafted JavaScript code. This gives the attacker an implicit form of control flow integrity: if a function is renamed, or if the function order differs even slightly from the designed one, the resulting "hash" is different. If the hash is different the derived key is different as well, and the encrypted code can no longer be decrypted and launched.

Let's take a closer look at what I mean. The following snippet shows a clear (not obfuscated) example of this technique. I decided to show non-obfuscated code here just to keep it simple.



Each internal stage evaluates ( eval() ) some content. On rows 21 and 25 of the snippet, the functions cow001 and pyth001 evaluate XOR-decrypted content. The xor_decrypt function takes two arguments: decoding_key and the payload to be decrypted. Each internal stage function uses its own name, read through the arguments.callee.name property, as the decryption key. If the function name is the "designed one" (the one the attacker used to encrypt the payload), the decrypted content is executed without exceptions. If instead the function has been renamed (say, by the analyst for his own convenience), the evaluation fails, and the attacker can route execution down a different code path with a simple try/catch statement.

Before releasing the sample in the wild the attacker needs to prepare the "attack path": develop the malicious JavaScript and obfuscate it. Once the obfuscation has been applied, the attacker needs an additional script (such as the following one) that encrypts each payload using the obfuscated function name as the key, and then replaces the payloads in the final, obfuscated JavaScript file with the newly encrypted ones.

The attacker is now able to write JavaScript code that enforces its own control flow. By iterating this idea over and over, he can block or control code execution and achieve a complete reverse-engineering evasion technique.

Watch out and stay safe!

INVESTIGATION ON WINTER OLYMPICS CYBER-ATTACK HAS BEGUN



IN BRIEF: Following the cyber-attack on Winter Olympics, security teams and experts from South Korea's defence ministry, plus four other ministries, formed part of a taskforce investigating the shutdown.
----------------------------
The official Winter Olympics website was taken down after being hit by a cyber-attack (a denial-of-service attack, DoS), officials have confirmed.

The site was affected just before the beginning of the opening ceremony in Pyeongchang, South Korea.

Internal internet and Wi-Fi systems crashed at about 7:15 pm (1015 GMT) on Friday, though operations were restored about 12 hours later, Games organisers said.

However, a spokesman said that the International Olympic Committee would not be commenting on who might have been behind the incident.


"Maintaining secure operations is our purpose," said Mark Adams.
He added that the issue was being dealt with but that he was not aware who had carried out the attack.


Cyber-security teams and experts from South Korea's defence ministry, plus four other ministries, formed part of a taskforce investigating the shutdown.

RUSSIA RESPONDS

Prior to the Games, some cyber-security experts had expressed concern that countries like Russia and North Korea might try to target the event.


But the Russian Foreign Ministry has denied rumours that Russian hackers were involved.

"We know that Western media are planning pseudo-investigations on the theme of 'Russian fingerprints' in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea," the foreign ministry said.
"Of course, no evidence will be presented to the world."

There have been concerns for months that the Games and spectators could be targeted by cyber-attacks.

Earlier this month, the US Department of Homeland Security published a warning to travellers.

"At high-profile events, cyber-activists may take advantage of the large audience to spread their message," it said.

"There is also the possibility that mobile or other communications will be monitored."
The Pyeongchang Games are certainly not the first to be targeted by hackers.


In January, Konstantinos Karagiannis, BT's chief technology officer for security consulting, tweeted that during the 2012 London Olympics he and his team, "fought back quite a cyber-onslaught".

WARNING TO BANKS AGAINST ATM JACKPOTTING CRIME


IN BRIEF: ATM jackpotting has arrived in the United States, where it has so far caused heavy financial losses estimated at more than one million dollars.
----------
There have been many kinds of cybercrime targeting ATM machines, and they have been affecting many banks in many parts of the world.


African countries have already faced ATM crime such as card skimming, where cybercriminals have repeatedly been reported to clone ATM cards, leading to money being stolen through ATM machines.


Since 2014, other kinds of crime affecting ATM machines have kept emerging in various places. Readers may recall that I previously published a report on this, available here: TYUPKIN YATIKISA MASHINE ZA ATM

When the source of that crime was identified, guidance was issued on how to defend against it, but many banks did not follow it. That led to the emergence of another kind of crime, ATM jackpotting: in 2015, countries in Asia, Europe and South America were hit by Remote ATM Jackpotting (RAJ).

Further guidance was issued, and some countries took the cyber-security of ATM machines seriously, including acting on that guidance.

Since last year, ATM jackpotting has continued to hit South American countries, although not on a large scale.

And this year, 2018, ATM jackpotting has arrived in the United States, where it has so far caused heavy financial losses estimated at more than one million dollars.



I take this opportunity to remind our banks of three main things at this time.

One, AWARENESS EDUCATION – We have urged that extensive awareness training be carried out in financial institutions, including educating their staff on recognising and defending against social engineering, keyloggers, phishing and any other attacks that could expose the bank to ATM jackpotting and other kinds of crime.

Education for users of ATM machines and other banking systems should also be carried out.


Two, MONITORING SYSTEMS (Implementation of Monitoring tools) – Many cyber-security companies have been investing in building systems that help monitor for and detect any indicators that could point to cybercrime within our institutions.

I urge financial institutions to make sure they take the necessary steps to deploy and strengthen such systems, so that they help detect any indicators of cybercrime.


Three, STOP USING WINDOWS XP ON ATM MACHINES – We have been saying this since it became clear that the Tyupkin malware mostly affected ATM machines running Windows XP. The call is for financial institutions to urgently audit all of their ATM machines and upgrade them to systems newer than Windows XP.


This is one of the lessons we have urged nations to learn in order to detect, prevent and defend against cybercrime. This training has begun to be delivered in many countries, including African nations.