
Thursday, February 24, 2011

ZeroAccess / Max++ / Smiscer Crimeware Rootkit sample for Step-by-Step Reverse Engineering by Giuseppe Bonfa - << (Update 2011 version available)

Post Update Feb 24, 2011

The new version is available here, thanks to Giuseppe :)

Download MaxRootkit_2011_1.exe as a password protected archive (contact me if you need the password)

File name: 392ddf0d2ee5049da11afa4668e9c98f

VirusTotal
Submission date: 2011-02-14 14:41:24 (UTC)
Result: 25/43 (58.1%)
Antivirus     Version     Last Update     Result
AhnLab-V3     2011.02.14.02     2011.02.14     Trojan/Win32.Gen
AntiVir     7.11.3.78     2011.02.14     TR/Dropper.Gen
Avast     4.8.1351.0     2011.02.14     Win32:FakeAlert-FC
Avast5     5.0.677.0     2011.02.14     Win32:FakeAlert-FC
AVG     10.0.0.1190     2011.02.14     Dropper.Generic3.AJH
BitDefender     7.2     2011.02.14     Trojan.Generic.5349632
CAT-QuickHeal     11.00     2011.02.14     Worm.Sirefef.a
DrWeb     5.0.2.03300     2011.02.14     Trojan.DownLoader2.2219
Emsisoft     5.1.0.2     2011.02.14     Worm.Win32.Sirefef!IK
F-Secure     9.0.16160.0     2011.02.14     Trojan.Generic.5349632
Fortinet     4.2.254.0     2011.02.14     W32/Dx.VUZ!tr
GData     21     2011.02.14     Trojan.Generic.5349632
Ikarus     T3.1.1.97.0     2011.02.14     Worm.Win32.Sirefef
McAfee     5.400.0.1158     2011.02.14     Generic.dx!vuz
McAfee-GW-Edition     2010.1C     2011.02.14     Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft     1.6502     2011.02.14     Worm:Win32/Sirefef.gen!A
NOD32     5872     2011.02.14     a variant of Win32/Sirefef.C
Panda     10.0.3.5     2011.02.13     Trj/CI.A
PCTools     7.0.3.5     2011.02.13     Trojan.Gen
Rising     23.45.00.00     2011.02.14     [Suspicious]
Symantec     20101.3.0.103     2011.02.14     Trojan.Gen
TheHacker     6.7.0.1.130     2011.02.13     Trojan/Sirefef.c
TrendMicro     9.200.0.1012     2011.02.14     TROJ_GEN.R3EC1BD
TrendMicro-HouseCall     9.200.0.1012     2011.02.14     TROJ_GEN.R3EC1BD
VIPRE     8416     2011.02.14     Trojan.Win32.Generic!BT
MD5   : 392ddf0d2ee5049da11afa4668e9c98f


 

Infosec Resources published an excellent and very detailed four-part tutorial by Giuseppe Bonfa:
Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit

Part 1: Introduction and De-Obfuscating and Reversing the User-Mode Agent Dropper
Part 2: Reverse Engineering the Kernel-Mode Device Driver Stealth Rootkit
Part 3: Reverse Engineering the Kernel-Mode Device Driver Process Injection Rootkit
Part 4: Tracing the Crimeware Origins by Reversing the Injected Code

The full tutorial is at Infosec resources

To follow the tutorial, you need a hex editor of your choice (e.g. Hex Workshop), a debugger (OllyDbg), plus the ZeroAccess rootkit malware sample (see the download section below).

 

Nov 18, 2010 Whitehat cracks notorious rootkit wide open - The Register

 

Download MaxRootkit_2011_1.exe as a password protected archive (contact me if you need the password)

 If you are interested in other Reverse Engineering tutorials, you can find many at  


Thursday, February 17, 2011

Targeted attacks against personal accounts of military, government employees and associates


See this update: Aug 11 Targeted attacks against personal Gmail accounts Part II - CNAS Report

General Threat Information

The spear phishing method used in this attack is far from new or sophisticated. However, I am posting the following information because of the particularly invasive approach of the attack. Google, Yahoo, and other personal mail services do not offer the same protection against spoofing and malware as enterprise accounts. In addition, personal mail is often checked at home in a relaxed atmosphere, which helps catch the victim off guard, especially if the message appears to arrive from a frequent contact. Some people have a habit of forwarding messages from enterprise accounts to their personal mail for saving or easy reading at home, which may expose some sensitive information.

 

File: ServiceLoginAuthen.htm (not malware, file from a phishing site)
from visiting hxxp://google-mail.dyndns.org/accounts/ServiceLoginservice=mail&passive=true&rm=false&continue=bsv=1grm8snv3&ss=1&scc=1&ltmpl=default&ltmplcache=2/ServiceLoginAuth.php?u=VictimGmailID

Domain: google-mail.dyndns.org in this example, but there are many others in use

Type: a "View Download" link in Gmail masquerading as a link to view or download an attachment. The message comes without any attachments.

Distribution: 
Email link, targeted phishing message sent to Gmail account of a person associated with military or political affairs. Links are customized and individualized for each target.

Target recipients:
Government and non-government employees working on questions of defense, political affairs, national security, defense/military personnel, etc.

Attack approach:
Victims get a message from the spoofed address of a close associate or a collaborating organization/agency. The message is crafted to appear as if it has an attachment, with links like View / Download and the name of the supposed attachment. The link leads to a fake Gmail login page for harvesting credentials.

Once the attackers get the credentials, they log in to the victim's Gmail account and may do the following:

  • Create rules to forward all incoming mail to another account. The third-party account ID is made to closely resemble the victim's ID.
  • Read mail and gather information about the closest associates and family/friends, especially about frequent correspondents.
  • Use the harvested information to make future mailings more plausible. Some messages are empty while others may have references to family members and friends (e.g. mention names of spouses or refer to recent meetings) and are plausible enough to generate responses or conversations from victims. We are not posting those examples due to their personal nature.
  • Send such emails on a monthly or biweekly basis. The messages are different, as you see below, but all have the same link and are designed to update the victim credential information they already have.
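As an added illustration (not code from the original post), a mail-gateway check for the lure described above: flag links whose anchor text mimics Gmail's own View / Download attachment controls but whose host is not a Google domain. The HTML body is constructed to resemble the described message, and the list of legitimate Google suffixes is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: only hosts under these suffixes legitimately serve Gmail's own
# "View" / "Download" attachment controls.
LEGIT_GOOGLE_SUFFIXES = ("google.com", "googleusercontent.com")
LURE_TEXTS = {"view", "download"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, including nested tags."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_google(host):
    """True only for google.com / googleusercontent.com and their subdomains."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_GOOGLE_SUFFIXES)


def find_lookalike_attachment_links(html_body):
    """Return hrefs whose link text imitates Gmail's attachment controls but whose
    host is not Google's. urlparse copes with the defanged hxxp scheme as well."""
    collector = AnchorCollector()
    collector.feed(html_body)
    hits = []
    for href, text in collector.anchors:
        if text.lower() in LURE_TEXTS:
            host = urlparse(href).hostname or ""
            if not host_is_google(host):
                hits.append(href)
    return hits


# Constructed body modelled on the lure the post describes (not a captured message).
LURE_URL = "hxxp://google-mail.dyndns.org/accounts/ServiceLoginAuth.php?u=VictimGmailID"
SAMPLE_BODY = f"""
<p>Please see the attached file.</p>
<div><b>Agenda_2011.doc</b> 45K
  <a href="{LURE_URL}">View</a>
  <a href="{LURE_URL}"><span>Download</span></a></div>
<p><a href="https://mail.google.com/mail/?ui=2&amp;view=att">Download</a> (genuine control)</p>
"""

if __name__ == "__main__":
    for url in find_lookalike_attachment_links(SAMPLE_BODY):
        print("suspicious attachment-lookalike link:", url)
```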

 

Monday, February 7, 2011

Phishing messages from possibly compromised .edu accounts

Original Message

From: Webmaster [mailto:solorzanojs@guilford.edu]
Sent: Monday, February 07, 2011 11:14 AM
Subject: User Quarantine Release Notification

Hello,

   We are carrying out a routine quarantine exercise . we have started our yearly server (inactive email-accounts / spam protecting etc) clean-up process to enable service upgrade/migration efficiency. Please be informed that your account usage will be fully restricted if you do not adhere to this notice.

You are to provide your account details for immediate Quarantine by clicking on your reply button to respond as follows (This will confirm your account login/usage
Frequency / account continuation potentials):

*username:
*Password:
*Alternate Email:

  All IT Service utilities will not be altered during this period, This will not affect the operation of your IT service systems or the manner in which you currently login to your account.  Account access and usage will be disabled if you fail to comply as required.

Help Desk
Information Technology
© 2011 All rights reserved
 

Saturday, February 5, 2011

Slow / Busy days - 2011 edition

Last year the Chinese New Year was marked not only by the festivities (lovely fun time, I have to admit) but also by the significant reduction in the number of the targeted attacks we receive (see this post of Feb 20, 2010: Slow / busy days). This year, I am happy to report that we got another break - the last targeted attack I saw was on February 1, 2011 and it was the message re-sent from earlier in January - two days before the actual Chinese New Year. By the way, I noticed an increase in targeted attacks and malicious activity (attacks on mail servers) around July 4, 2010, which is a holiday in the USA but not in Asia. Again, it might be a coincidence but I don't think so :)

I wish you all a great Year of the Rabbit!




Monday, January 24, 2011

Jan 24 CVE-2010-3970 DOC 'Secretary-General Liao' from dogviceroy@yahoo.com.tw (Update - Analysis by the Sematic)

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3970  Stack-based buffer overflow in the CreateSizedDIBSECTION function in shimgvw.dll in the Microsoft Graphics Rendering Engine in Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted .MIC or unspecified Office document containing a thumbnail bitmap with a negative biClrUsed value, as reported by Moti and Xu Hao.

  General File Information

File: 44.doc (part of ATT63777.7z archive)
MD5: f51d3fb324d8f11b734ca63dbccbdc32
SHA1: b3c4c84c98c6befaf6a480ae145cdcebb5929a82
File size: 10240 bytes
Type: DOC
Distribution: Email attachment

  Post Update - Vulnerability Analysis

Feb 23 Sematic blog posted an excellent analysis of the exploit

Ultimately it plans to fetch and execute the file located at:
hxxp://stonebreaker.154.99lm.info/NOTEPAD.EXE
This file would be stored under %SYSTEM32% as 'a.exe'.


Download

Thursday, January 20, 2011

Jan 20 CVE-2010-3333 DOC Materials.doc from 216.183.175.3 (Cleveland Council on World Affairs)

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."

Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)  29 Dec 2010 12:10 PM

  General File Information

File: Materials.doc
MD5: 2EEA004842A335607B612FF10418F6C6
SHA1: a81a35804c056186c533ddd31e22ee0c0d2aa4df
File size: 243663 bytes
Type: DOC
Distribution: Email attachment

 Post Update

February 7, 2010

 There was another mailing after the first one but from a different location. 

 From: Anne Principe [mailto:anne.principe@yahoo.com]
Sent: Friday, January 21, 2011 6:54 AM
To: XXXXXXXXXXXXX
Subject: This is the materials you need

This is The Materials I told you about. Please check it and reply as soon as possible.
  Best
Headers
Received: (qmail 736 invoked from network); 21 Jan 2011 11:54:30 -0000
Received: from web120514.mail.ne1.yahoo.com (HELO web120514.mail.ne1.yahoo.com) (98.138.85.241)
  by XXXXXXXXXXXXXXXXX; 21 Jan 2011 11:54:30 -0000
Received: (qmail 38488 invoked by uid 60001); 21 Jan 2011 11:54:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1295610869; bh=T6PYZhAJBvHdbMDRjYJCy748DpISxb703J9WYvNrE8M=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=KNLZKhWTr+Z+UMtiMC6dY7GmKt49wyNHC8Y1j8kv5f/KM8u7bs6ifqGFNhwckx18edFsi+ajzhsNM01R8UN+ox/r9Ss6ut/Mssll5hxwtBHXEmvIxrl8dFTUg/CmMgSjJNhW6KlOZfVkUU2nikWaMzxkqSgTJ9JCM828Qw1xZbM=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=eqwO+5NenEdsqmjuNowZ25VlFcli8zNaedc26kn00QeqFLcMxeSuTDB+vYhmeUYJfAYe+fZ13q8p1qKILMX0AMH7/MDwbeBOBaRL8xTf33LpWE4KwgeYq4uEKjZfptSRvA6RrpPHjDLWoE55D0uAMGV/hMk50g7s/eGes9VnAc0=;
Message-ID: <416336.37770.qm@web120514.mail.ne1.yahoo.com>
X-YMail-OSG: duFcYVsVM1lbQScN.uiS.a_.kSCtbZmEsYYlwKxqs50olw9
 S80HwIFK3gqCA7OM9LSU.JBWKbHZXNzNbBWlx1y8__meJqFUjCoB3qTY9ll4
 79Y_9XKC5KZXY6_OTA6RVB1j8NwW8Ozasz_xzbX5Ajh.yX7Y2NqePEUnApDc
 pWb0wpspWrIpPe9w9gzbAfrYmQRTXiyQtlxFjd_gk272zbKkWkcTAtxtFsiY
 UjAwiofHbox4vUrwVCekO.jf11bo-
Received: from [211.55.34.205] by web120514.mail.ne1.yahoo.com via HTTP; Fri, 21 Jan 2011 03:54:29 PST
X-Mailer: YahooMailRC/555 YahooMailWebService/0.8.107.285259
Date: Fri, 21 Jan 2011 03:54:29 -0800
From: Anne Principe
Subject: This is the materials you need
To: XXXXXXXXXXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1514884592-1295610869=:37770"

211.55.34.205
Hostname:    211.55.34.205
ISP:    KRNIC
Organization:    Korea Telecom
Country:    Korea
State/Region:    Soul-t'ukpyolsi
City:    Seoul
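An added example, not from the original post, that automates what the headers above show: walk the Received chain bottom-up to recover the client address Yahoo's webmail recorded (211.55.34.205), and check whether the DKIM signing domain (d=) matches the From: domain, which separates a spoofed sender from mail genuinely sent through the sender's provider. The header block is copied from the post with the masked recipient replaced by a placeholder, the From: address taken from the quoted message, and the DKIM b= value truncated; nothing here verifies the signature itself.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Header block copied from the Jan 21 message quoted in the post. Masked recipient
# fields are replaced by a placeholder, the From: address comes from the quoted
# message, and the DKIM b= value is truncated (the signature is not verified here).
RAW_HEADERS = """\
Received: (qmail 736 invoked from network); 21 Jan 2011 11:54:30 -0000
Received: from web120514.mail.ne1.yahoo.com (HELO web120514.mail.ne1.yahoo.com) (98.138.85.241)
  by mx.recipient.invalid; 21 Jan 2011 11:54:30 -0000
Received: (qmail 38488 invoked by uid 60001); 21 Jan 2011 11:54:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
  t=1295610869; bh=T6PYZhAJBvHdbMDRjYJCy748DpISxb703J9WYvNrE8M=;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=KNLZKhWTr+Z+UMtiMC6dY7GmKt49wyNHC8Y1j8kv5f/KM8u7bs6ifqGFNhwckx18edFsi+ajzhs...
Message-ID: <416336.37770.qm@web120514.mail.ne1.yahoo.com>
Received: from [211.55.34.205] by web120514.mail.ne1.yahoo.com via HTTP; Fri, 21 Jan 2011 03:54:29 PST
Date: Fri, 21 Jan 2011 03:54:29 -0800
From: Anne Principe <anne.principe@yahoo.com>
Subject: This is the materials you need
To: recipient@recipient.invalid

"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Webmail/MUA hop "from [1.2.3.4] by ..." or SMTP hop "from host (HELO host) (1.2.3.4) by ..."
HOP_PATTERNS = (
    re.compile(r"^from\s+\[" + IPV4 + r"\]"),
    re.compile(r"^from\s+\S+\s*(?:\([^)]*\)\s*)*\(" + IPV4 + r"\)"),
)


def hop_source_ip(received):
    """Source IP that one Received header attributes to the previous hop, or None."""
    text = " ".join(received.split())  # unfold continuation lines
    for pat in HOP_PATTERNS:
        m = pat.match(text)
        if m:
            return m.group(1)
    return None


def originating_client_ip(msg):
    """Each hop prepends its own Received header, so the bottom one is the oldest:
    walk bottom-up and return the first client address recorded."""
    for received in reversed(msg.get_all("Received", [])):
        ip = hop_source_ip(str(received))
        if ip:
            return ip
    return None


def dkim_signing_domain(msg):
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", " ".join(str(sig).split()))
    return m.group(1).lower() if m else None


def triage(raw):
    """Where the mail entered the mail system, plus From:/DKIM domain alignment.
    Alignment is not signature verification (that needs the selector's DNS key)."""
    msg = message_from_string(raw, policy=policy.default)
    dkim_d = dkim_signing_domain(msg)
    from_d = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    return {"origin_ip": originating_client_ip(msg), "dkim_domain": dkim_d,
            "from_domain": from_d, "aligned": dkim_d is not None and dkim_d == from_d}
```

Here the result is aligned (yahoo.com signs a yahoo.com From:), so the sender address was not forged in transit and the 211.55.34.205 hop is the address that logged in to the webmail account; an unaligned or missing signature would point to spoofing instead.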

Download

Wednesday, January 19, 2011

Jan 12 CVE-2010-3654 + CVE-2009-4324 + CVE-2009-0927 + CVE-2008-0655 PDF JANUARY 2011 from a compromised Thai Police account

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3654 Adobe Flash Player 10.1.85.3 and earlier on Windows, Mac OS X, Linux, and Solaris and 10.1.95.2 and earlier on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.

 

CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.  

 

CVE-2009-0927 Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.  

 

CVE-2008-0655 Buffer overflow via specially crafted arguments to Collab.collectEmailInfo

  General File Information

File: JAN 2011.pdf
MD5: F928C39F0BFEBAAF3A5FB149557DDF66
SHA1: 87c17dc9282792906ef41670011c2473c87c9b9b
File size: 384271 bytes
Type: PDF
Distribution: Email attachment


Sunday, January 9, 2011

Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."

Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)  29 Dec 2010 12:10 PM

This particular exploit was tested on and successfully exploits Office 2003 and 2007 without the patch.

  General File Information

File: Three Big Risks to China's Economy In 2011.doc
MD5: 5A0AAC44DDAAD1E512A0D505C217BAFF
SHA1: ab6f90bf582bf01985989c1e9a99932243402479
File size: 51643 bytes
Type: DOC
Distribution: Email attachment


Download

The message came from the American Chamber of Commerce in China. The interesting thing about this message is that the sender is not spoofed and the headers are real, which means that the message indeed came from the mailbox of the sender @amchamchina.org, who also happens to be a real person working at amchamchina.org and can be easily found in Google searches. The sender name and address do not match the message signature. I have removed part of the sender's name for privacy reasons.

In this case, there are three possible scenarios:

a) someone broke into that employee mailbox and sent the malicious message (in this case, I hope the IT staff at the American Chamber of Commerce in China see this post and fix the problem)
b) the sender sent a malicious attachment not realizing it is malicious (less likely, as the attached Word document does not display readable text),
c) the sender sent the malicious message on purpose (..)
We may never know how that happened but hope it is a case of a mailbox password compromise.
The files created by the malicious attachment generate traffic to a server in China.

Upon opening, the file will display garbage text if the attack fails (fully patched MS Office) and will just close without displaying any document if the exploit is successful.

The trojan that gets installed is designed for stealing information from the infected computer - files and passwords - see the detailed analysis below.

Thursday, December 23, 2010

Dec 23 Zeus/Zbot driven espionage using Merry Christmas card from spoofed jeff.jones@whitehouse.gov

  General File Information

#1 File: card.exe
Size: 177152
MD5:  A486EDD5D966FD167F9D8FA94087913E
SHA1 6cc60b1efb8d82b827634e7e42f2c3c981b1aff6
File Type:  exe
Distribution: Link in email message - download in zip archive
from http://iphonedevelopersdk.com/wp-admin/includes/card.zip (still active as of Jan 2, 2011)



#2 File: card.exe
Size: 179712 bytes
MD5: D51F45E1985DC69CC6BC2B3AE1DA48F1
SHA1 b3b6e3cf9d9e268d2c5d3e692721ed0cdd9e323d
File Type:  exe
Distribution: Link in email message - download in zip archive
from http://quimeras.com.mx/images/card.zip (not active) as seen at
http://jsunpack.jeek.org/dec/go?report=908cfa23d23391577a6a5834bf6377d327c7053b


Tuesday, December 21, 2010

Dec 21 CVE-2009-0556 (corrected CVE) Christmas Messages.pps with stolen cert from Syniverse from nicholas.bennett53@hotmail.com

Common Vulnerabilities and Exposures (CVE) number

CVE-2009-0556 Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption, as exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen, aka "Memory Corruption Vulnerability."

CVE-2010-2572  Buffer overflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint 95 document, aka "PowerPoint Parsing Buffer Overflow Vulnerability."

Update

I would like to have a more technical analysis and identification of CVE in addition to this preliminary testing, so if you do it, please send over, I will add :) thank you

Comments: Shih-hao Weng (thank you) noted that he thinks it is CVE-2009-0556.  I tested, indeed - the patch for CVE-2009-0556 (MS09-017 KB957784 May 12 2009) fixes it.

The only patch from Microsoft Updates that is automatically available and fixes it these days is MS10-088, which is for CVE-2010-2572. However, MS10-088 replaced earlier patches, including MS09-017 (CVE-2009-0556). CVE-2009-0556 was used a lot in malicious attachments in the past.

You cannot automatically install MS09-017 via Microsoft Updates (see below), but if you find it and install it manually (for SP3: MS09-017 KB957784, May 12 2009) it fixes the issue; MS10-004 KB976881 (Feb 4, 2010) would also fix it.

Everything in the post stays the same - except the CVE number changes to CVE-2009-0556 and the patches that will keep you safe are 

For Office 2003 SP3

MS10-088, which is for CVE-2010-2572 OR MS09-017 KB957784  OR MS10-004 KB976881 Feb 4, 2010


  General File Information

File: Christmas Messages.pps
MD5: 51d3e2bd306495de50bfd0f2f4e19ae9
SHA1: 7edd6beff619f86fae7f94a60ac4bcdb04473dfb
Size: 838144 bytes
Type: PPS
Distribution: Email attachment

Download

Wednesday, December 15, 2010

Dec 15 CVE-2010-3333 DOC, CVE-2010-0188 PDF Health Tips Collection from jackey870@yahoo.com.tw

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."

CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.  (LibTIFF exploit)

  General File Information

CVE-2010-3333

File      ATT78214.doc
MD5   C31341DF029E6DC2804BA2F97DB7BAF7
SHA1  518ca81280f5bcf7ce98a6a262ac7d74ca261faf
File size :  1066411 bytes
Type:  DOC
Distribution: Email attachment 

CVE-2010-3333

File      ATT27390.doc
MD5   b4e256982947b3c68aaa84545b61c9b1
SHA1  8a6aacaf1a3a741a4c0cf707dcc70ffaa9442fee
File size :  1066411 bytes
Type:  DOC
Distribution: Email attachment 

CVE-2010-0188

File: ....pdf
MD5: 92db03a6d1db9a9012ccc7bd9b45ed7a
SHA1: b92dd18baf2dc041062b1e862db05a4d097a2411
File size: 232743 bytes
Type: PDF
Distribution: Email attachment


Friday, November 26, 2010

CVE-2009-4324 CVE-2009-0927 CVE-2008-2992 regional security in east asia.pdf


Common Vulnerabilities and Exposures (CVE) number

This post is to be continued..

CVE-2009-4324

CVE-2009-0927

CVE-2008-2992

  General File Information

File regional security in east asia.pdf
MD5  80e5432f7806564c5fc50738741abf7
SHA1  dc4f71609171e93bb1ad66fb52e8bb330f362a76
File size 37238 bytes
Type:  PDF
Distribution: Email attachment

Download