Monday, August 27, 2012

Java 7 0-day vulnerability analysis

Here is our second article about Java 7 0-day vulnerability. Read more at
Considering that Rapid 7 posted a working exploit and addition to the exploit packs is imminent (Attackers Pounce on Zero-Day Java Exploit by Brian Krebs), plus other analysis articles are being published such as New Java 0day exploited in the wild  -by Alienvault, we decided that witholding details of the exploit will not offer additional protection but only hinder development of protection and signatures.

As we mentioned earlier, we contacted Michael Schierl, the Java expert who discovered a number of Java vulnerabilities and asked him to have a look. He sent back his detailed analysis, exploit source, the interim patch with the source code of the patched class.

Patch request:
  • Interim patch with the source code of the patched class. See the Readme of the patch in the previous post (thanks to Michael Schierl). 
Email from your company email address to admin <at>  and explain the planned use, please.

DeepEnd Research: Java 7 0-Day vulnerability information and mitigation.

The cat is out of the bag. There is 0-day out there currently being used in targeted attacks.  The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails. Interestingly, Mark Wuergler mentioned on August 10 that VulnDisco SA CANVAS exploit pack now has a new Java 0-day. It makes you wonder if it is the same exploit that leaked from or was found in the wild and added to the CANVAS pack. Or if it is totally unrelated and there are two 0-day exploits now.

The purpose of this post is not to provide the vulnerability analysis or samples but to offer additional information that may help  prevent infections on some targeted networks.   We all know what kind of damage Java vulnerabilities can cause if used in drive by exploits or exploit packs and we think that revealing technical vulnerability details  in the form of a detailed technical analysis is dangerous, while releasing working exploits before the patch is vain and irresponsible.

Oracle patch cycle is 4 months (middle of February, June, October) with bugfixes 2 months after the patch. The next patch day is October 16 - almost two months away. Oracle almost never issue out-of-cycle patches but hopefully they will do consider it serious enough to do it time.

Friday, August 17, 2012

Shamoon or DistTrack.A samples

Image from Kaspersky lab
Here are a couple of Shamoon samples. Such destructive malware is rare because it does not really make much sense to destroy computers when you can steal data or use them.  

CVE-2012-1535 - 7 samples and info

I was still writing my analysis when Alienvault posted CVE-2012-1535: Adobe Flash being exploited in the wild and mine would be pretty much the repeat of the same. I don't like repeating so I will just post the samples and link to Jaime Biasco's article.  As you see from SSDeep they are nearly identical in size, exploit, and payload. All Word documents were authored by "Mark" and have same strings and indicators present as in the analyzed file.

Sunday, August 12, 2012

3322 Dyndns badness


118f208998e12561b03200178edf826b PRORAT
c5ac14a3c80b3c6af4c943e0f3839fbe Keylogger
c5a6de01e10c65a8894bcb32608055b5 Puppetzombie.gen
8a41d4770858cb5af6860f95c00f8224 Virut

Friday, August 10, 2012

Gauss samples - Nation-state cyber-surveillance + Banking trojan

Just a quick post for those who can't sleep until get to play with Gauss
The highest number of infections is recorded in Lebanon, with more than 1600 computers affected. The Gauss code  (winshell.ocx) contains direct commands to intercept data required to work with Lebanese banks – including the Bank of  Beirut, Byblos Bank and Fransabank. 
In Israel and the Palestinian Territory, 750 incidents have been recorded." (Kaspersky)

Thursday, August 9, 2012

CVE-2012-0158 generated "8861 password" XLS samples and analysis

Symantec recently posted an article by Joji Hamada titled "Password “8861” Used in Targeted Attacks", where the attackers continuously using the same passwords sent in emails together with the malicious attachment. Indeed, the password not only allows to evade detection but also makes it difficult to analyse the exploit itself.

All the samples i have that have this password appear to be created via a generator and share certain similarities. I will point out a few but you can find many more if you analyse the files and payloads.  

- Exploit CVE-2012-0158
The hallmark ListView2, 1, 1, MSComctlLib, ListView are clearly seen in the files, as well as excessive calls to MSCOMCTL.OCX during the dynamic analysis.

- Same password 
8861 could be the attacker's lucky number, or it is job related, or being a primary number, it plays some role in the RSA encryption implementation in this generator ( this one perhaps is a bit far fetched, but not more than other theories)

- Antivirus/Malware detection

These files are mostly detected as Exploit.D-Encrypted  by different AV vendors but this signature detects other malicious password protected documents  - it is not limited to this 8861 generator files.

Yara SignaturesYou can develop your own yara signatures based on these and other indicators you find in the files. I will share signatures on Yara Signature Exchange Google Group. If you are interested in making and sharing, please see DeepEnd Research: Yara Signature Exchange Google Group
IDS:  Emerging threats IDS signatures - see below.

- Same file structure
They are each different sizes and have different payloads, however the first 120KB of each file are identical and are completley different from the headers of other typical user created password protected spreadsheets and other malicious and password protected XLS files. I will post two other malicious messages that were NOT generated using the same generator is seems and have a different password  (I don't know password for those two files yet, if your figure it out, please share)

- Same document code page 
Windows Simplified Chinese (PRC, Singapore)

- Same name for the dropped files (ews.exe and set.xls
The dropped payload and the clean XLS document are different sizes, different types of malware for trojans, but have the same names (some are renamed after creation), which suggests a template. The embedded clean XLS documents have different metadata - I guess those were downloaded from internet or stolen from different targets - some were created on the Kingsoft version of Office, different authors, etc.

- Non default encryption (RC4, Microsoft RSA SChannel Cryptographic Provider).
Default is "Office 97/2000 compatible", which I think is 40-bit RC4 encryption. The generator is probably not using Excel interface but has it's own implementation of the encryption for the VBA code.

- Targets do not seem to be related by their occupation
Targets are in different countries  - Japan, China, France and do not seem to be related by business or industry - human rights activists, businesses, politicians. This makes me think it is not the same group of attackers but it is just a generator purchased by/supplied to different groups attacking different targets. The same trojan types, C2 domains, and targets were covered on Contagio and other resources earlier.

Friday, August 3, 2012

Cridex Analysis using Volatility - by Andre' DiMino - samples and memory analysis resources

Andre' DiMino posted an excellent analysis of Cridex banking malware using Volatility on and if you wish to repeat his steps or interested in this malware, I am posting the corresponding samples. Cridex is a complex financial trojan and is being distributed via spam messages (carrying exe files in zipped attachments) and Blackhole Exploit kit.
The messages have various themes - from UPS, Fedex, USPS to Groupon deals and "HP-scan" and other lures. Some message screenshots and corresponding malware are posted below.

If you are interested in memory analysis, please see the resource section of this post (links to the tools: Volatility, Mandiant Redline, memory dumps and other memory analysis done by Andre' and other researchers)

Thursday, August 2, 2012

CVE-2012-1889 Security Update Analysis - Analysis video and presentation from High-Tech Bridge by Brian Mariani and Frédéric Bourla

Sorry for being away for such a long time - I was out of town for almost 2 weeks and came back just a couple of days ago. However, the blog is not dead and I am planning to post more stuff soon. There is Madi/Mahdi epidemic in progress, the exploit pack table needs urgent updates, and I have a quite a few samples accumulated that I need to post before they get old and boring. For now, if you are looking for anything specific, you can ask and I will check if I have them in the pending category.

Today, please enjoy the second part of CVE-2012-1889 analysis (CVE-2012-1889 Security Update Analysis - in video and PDF format ) sent to us by Brian Mariani and Frédéric Bourla from High-Tech Bridge ( High-Tech Bridge CVE Acreditation)