Brainfoldb4u's Blog

Archive for the ‘Exploit’ Category

Zeus, IM threats

Posted by brainfoldb4u on January 25, 2010

A new threat to instant messaging (IM) has been identified: a previously well-known trojan called Zeus is attacking users of AOL Instant Messenger (AIM) and stealing passwords. Zeus is one of the best-selling Trojan kits on the black market today and has become a popular choice among cybercriminals because it’s easy to set up and control, and can be used for a variety of purposes. And, like popular commercial software, Zeus comes in a standard version (costing a minimum of $1000) and a professional version with extra features such as a large library of target templates.

So what is Zeus?

[Image: Zeus network of affected computers]

Zeus, also known as Zbot, is a threat run by an army of attackers (known as Zeus builders) who pay thousands for the latest Zeus builder to make sure they distribute the most up-to-date, undetectable bot builds. The builders are also available for free on various black markets and on web sites such as file-sharing sites.

Zeus/Zbot samples are distributed every day at an alarming rate. It is the kind of attack where multiple modifications of the bot are being produced in the wild, packed and encrypted on top with all sorts of packers, including modified, hacked, or private packer builds. Before being released, every newly generated and protected bot is uploaded to popular multi-AV scanner services to make sure it is not detected by any antivirus vendor. The result is quite a problem in terms of distribution scale.

The latest generation of Zeus is capable of using rootkit techniques to hide its presence on a customer's machine.

The bot uses covert methods of injecting additional fields into online Internet banking websites, asking users to answer questions that the authentic website would not ask. The collected details are then silently delivered to remote websites, and added into remote databases. The databases are then sold to other criminal elements down the chain who specialize in withdrawing the funds. The money laundering groups anonymously hire physical people to withdraw money from their personal accounts – in the criminal world these people are called “drops”, and their accounts are called “drop accounts”.

Current Threat to Instant Messengers (IM)

People using the popular instant messaging platform receive an email message announcing an update and are then prompted to click through to download what appears to be a legitimate file, aimupdate_7.1.6.475.exe. However, the so-called update is actually the Zeus installer, which can then transfer itself onto the victim’s machine, whether or not the AIM user clicks on the link to download the executable file.

“It opens an IFRAME to a site that attempts to use vulnerable versions of Adobe Reader to push the Zeus keylogger down to the victim’s computer, then executes it within a few moments of the page loading. The fake web page to which victims are brought appears to be an AOL site, but a close look reveals inconsistencies to an authentic web page. Notably,

  • A true AIM installer has a digital signature from parent company AOL attached. This one does not contain that signature.
  • Further, the URL used for the download begins with a legitimate-seeming address, “update.aol.com”, but that is followed by a random six- to seven-character word followed by .com.pl.

“The exploit opens, in an IFRAME, a page hosted on the IP address in the Vishclub network, which in turn loads a fairly large (15,628 byte) blob of obfuscated JavaScript,” according to the Webroot blog post. “The script invokes the browser to load Adobe Reader, then pushes a file called ‘pdf.pdf’ down to the Reader. That file is built to attack the Collab overflow exploit, the util.printf overflow exploit, and the getIcon exploit in order to force the operating system to download and execute files.”
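The lookalike download host described above (a legitimate-seeming “update.aol.com” prefix followed by a random word and .com.pl) can be caught by comparing the registrable domain rather than the start of the hostname. This is an added example, not code from Webroot or the original post; the trusted-domain set, the small suffix table and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only domain this check accepts for AIM downloads.
TRUSTED_DOMAINS = {"aol.com"}
# Tiny stand-in for the Public Suffix List; enough for the sample hosts below.
TWO_LABEL_SUFFIXES = {"com.pl", "co.uk", "com.au"}


def registrable_domain(host):
    """Return the part of `host` that its owner actually had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_update_url(url):
    """Classify a download URL as trusted, lookalike, untrusted or invalid."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted name used only as left-hand labels of someone else's domain
    # is the pattern from the post: update.aol.com.<random>.com.pl
    dotted = "." + host + "."
    if any("." + t + "." in dotted for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "untrusted"


# Constructed samples; "xkqwzrt" is a made-up random word, not a real indicator.
SAMPLES = [
    "http://update.aol.com.xkqwzrt.com.pl/aimupdate_7.1.6.475.exe",
    "https://update.aol.com/aimupdate_7.1.6.475.exe",
    "http://downloads.example.net/aimupdate_7.1.6.475.exe",
]

if __name__ == "__main__":
    for url in SAMPLES:
        host = urlsplit(url).hostname
        print(classify_update_url(url), registrable_domain(host), url)
```

A production check would use the full Public Suffix List instead of the three-entry table, and would still verify the installer's digital signature after download.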

Webroot's advice

Webroot advises that to avoid this particular exploit focused on AIM, users turn off Adobe Reader’s embedded JavaScript. “There’s almost no circumstance where JavaScript is required,” Brandt said. Turning it off will give web users an extra prompt should they encounter a site that calls for Java, at which point they can make a choice.

Brandt also said that he recommends web surfers use the Firefox browser with the NoScript plug-in extension.

Known facts about Zeus:

  • The Zeus Trojan commonly uses names like those below, so search your PCs for files with these names:
  1. NTOS.EXE
  2. SDRA64.EXE
  3. LD08.EXE
  4. LD12.EXE
  5. PP06.EXE
  6. PP08.EXE
  7. LDnn.EXE
  8. PPnn.EXE
  • Typical Zeus file sizes are between 40 KBytes and 150 KBytes.
  • Additionally, look for a folder named WSNPOEM; this is also a common sign of infection with the Zeus Trojan.
  • Finally, check the Registry, looking for RUN keys referencing any of these names.
  • Do not assume that your PC is free of the Zeus Trojan just because your antivirus or internet security suite does not show any signs of infection.
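The checks in the list above can be scripted. The following is an added example, not code from the original post or any vendor tool: it reads “nn” as two digits, treats the 40 KByte and 150 KByte figures as a typical range, and takes Run-key values as a plain mapping so it runs offline on constructed sample data (all of these are assumptions).

```python
import os
import re
import tempfile

# File names listed in the post; "nn" is read as two digits (assumption).
NAME_RE = re.compile(r"^(NTOS|SDRA64|LD\d{2}|PP\d{2})\.EXE$", re.IGNORECASE)
FOLDER_NAME = "WSNPOEM"
# Assumption: the post's 40 KByte and 150 KByte figures are a typical range.
SIZE_RANGE = (40 * 1024, 150 * 1024)


def scan_tree(root):
    """Walk `root` and return (kind, path, detail) tuples for name matches."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.upper() == FOLDER_NAME:
                findings.append(("folder", os.path.join(dirpath, d), ""))
        for f in filenames:
            if not NAME_RE.match(f):
                continue
            path = os.path.join(dirpath, f)
            size = os.path.getsize(path)
            typical = SIZE_RANGE[0] <= size <= SIZE_RANGE[1]
            findings.append(("file", path, "typical size" if typical else "atypical size"))
    return findings


def scan_run_values(run_values):
    """Return names of Run-key values whose command references a listed name."""
    hits = []
    for name, command in run_values.items():
        # Split on path separators, quotes, commas and whitespace to isolate file names.
        tokens = re.split(r'[\\/",\s]+', command)
        if any(NAME_RE.match(t) for t in tokens):
            hits.append(name)
    return sorted(hits)


def demo():
    """Run both checks on constructed sample data (not real infection data)."""
    samples = (("ntos.exe", 60 * 1024), ("LD08.EXE", 10), ("notepad.exe", 70 * 1024))
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(os.path.join(sys32, "wsnpoem"))
        for name, size in samples:
            with open(os.path.join(sys32, name), "wb") as fh:
                fh.write(b"\0" * size)
        tree = sorted((k, os.path.basename(p), d) for k, p, d in scan_tree(root))
    run = scan_run_values({
        "updater": r'"C:\WINDOWS\system32\sdra64.exe" /s',
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    })
    return tree, run
```

A name match is only a lead for further analysis: a clean result does not rule out infection, and a rootkit-capable build may hide its files from a user-mode directory walk.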

[Image: Sample Zeus infection diagram from Trend Micro]

Ways to remove the Trojan manually

I found this information on Spyware techie’s blog as a manual removal method for technically minded computer users. Manual removal of Unknown Trojan may be difficult and time consuming. There’s no guarantee that Unknown Trojan will be removed completely. So read the Unknown Trojan removal steps carefully, and good luck.

Before you start: Close all programs and Internet browsers and back up your computer in case something goes wrong.

  1. Uninstall the Unknown Trojan program
    Click on Start > Settings > Control Panel > double-click on Add/Remove Programs. Search for and uninstall Unknown Trojan if found.
  2. To stop Unknown Trojan processes
    Go to Start > Run > type taskmgr. Then click the Processes tab and you’ll see a list of running processes.
    Search and stop these Unknown Trojan processes:
    There are no processes.
    For each unwanted process, right-click on it and then select “End task”.
  3. To unregister Unknown Trojan DLLs
    Search and unregister these Unknown Trojan DLLs: There are no DLLs.

    To locate the Unknown Trojan DLL path, go to Start > Search > All Files or Folders. Type Unknown Trojan and in the Look in: box select either My Computer or Local Hard Drives. Click the Search button.
    Once you have the Unknown Trojan DLL path, go to Start and then click on Run. In the Run command box, type cmd, and then click on OK.
    To locate the exact DLL path, type cd in order to change the current directory. To display the contents of the directory, use the dir command. To unregister the DLL file, type regsvr32 /u FILENAME.dll (FILENAME is the name of the file that you want to unregister).

  4. To delete Unknown Trojan registry keys
    Go to Start > Run > type regedit > press OK.
    Edit the value (on the right pane) by right-clicking on it and selecting the Modify option. Select the Delete option.
    Search and delete these Unknown Trojan registry keys:
    There are no registry keys.
  5. If your homepage has been changed, go to Start > Control Panel > Internet Options > click on the General tab > click Use Default under Home Page. Add your desired default homepage, then click Apply > click OK. Open a new web browser to check that you have your desired default homepage.
  6. Remove Unknown Trojan directories.
    To find Unknown Trojan directories, go to Start > My Computer > Local Disk (C:) > Program Files > Show the contents of this folder.
    Search and delete the following Unknown Trojan directories:
    There are no directories.

    Right-click on the Unknown Trojan folder and select Delete. A message will appear saying ‘Are you sure you want to remove the folder Unknown Trojan and move all its contents to the Recycle Bin?’, click Yes.
    Another message will appear saying ‘Renaming, moving or deleting Unknown Trojan could make some programs not work. Are you sure you want to do this?’, click Yes.

  7. To remove Unknown Trojan icons on your Desktop, drag and drop them to the Recycle Bin.

Adobe blacklisting framework

Posted by brainfoldb4u on January 11, 2010

Because, as Adobe said, it is not practically feasible to disable JavaScript entirely, Adobe introduced a feature called blacklisting. This allows users to define any specific JavaScript API as a blacklist item, after which it will not be allowed to be called. Say a vulnerability is found in docmedia.newplayer: you can add it to the blacklist and safeguard your system by doing so.
Once the API is on the blacklist, any call to it from a PDF document will be denied. It will deny valid calls as well as malicious calls that try to corrupt the call in order to create a crash. This is something individual users can do, and administrators of managed desktop environments can also do it, using group policy objects to roll out the change as a registry key. The video below demonstrates how to add a JavaScript function to the blacklist.

Given that Adobe currently has no automatic updates in place, my question is how a normal user will get to know what needs to be blacklisted. This fix may help technical users, but average users will have to wait for Adobe’s next major update, which is likely to be within the next three months.

D-Link router with HNAP vulnerability

Posted by brainfoldb4u on January 11, 2010

A flawed implementation of the Home Network Administration Protocol (HNAP) reportedly allows attackers to gain unauthorised admin access to numerous D-Link router models.

SourceSec Security Research claims on its web pages to have found a flaw in D-Link’s CAPTCHA implementation that provides a way to view and edit D-Link router settings without any administrative credentials.

Simply put, D-Link routers have a second administrative interface, which uses the Home Network Administration Protocol. While HNAP does require basic authentication, the mere existence of HNAP on D-Link routers allows attackers and malware to bypass CAPTCHA “security”. Further, HNAP authentication is not properly implemented, allowing anyone to view and edit administrative settings on the router.

A detailed vulnerability summary is available as a PDF.

USB drives' hardware encryption cracked

Posted by brainfoldb4u on January 11, 2010

Kingston, SanDisk and Verbatim all sell quite similar USB Flash drives with AES 256-bit hardware encryption that supposedly meet the highest security standards. NIST validates the USB drives for use with sensitive government data. Security firm SySS, however, has found that despite this it is relatively easy to access the unencrypted data, even without the required password.

The hole could allow unauthorized access to encrypted data on a USB flash drive by circumventing the password authorization software on a host computer.

“It’s really onerous. It’s a stupid crypto mistake and they screwed up, and they should be rightfully embarrassed for making it,” said cryptographer and computer security specialist Bruce Schneier.

The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers’ nets. During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations – and this is the case for all USB Flash drives of this type.
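A simplified model of the design flaw described above, next to a variant in which the drive itself verifies a password-derived value. This is an added example, not SySS's analysis or any vendor's code; the class names, the constant and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the constant string described in the post.
FIXED_UNLOCK = b"UNLOCK"


class HostCheckedDrive:
    """Flawed design: PC software checks the password, the drive trusts one fixed message."""

    def __init__(self, password):
        self._host_record = hashlib.sha256(password).digest()  # held by the host program

    def unlock_message(self, password):
        ok = hmac.compare_digest(hashlib.sha256(password).digest(), self._host_record)
        return FIXED_UNLOCK if ok else b""

    def receive(self, message):
        return hmac.compare_digest(message, FIXED_UNLOCK)


class DriveCheckedDrive:
    """Sketch of a sounder design: the message depends on the password and a
    per-drive salt, and the drive verifies it. A real product would go further
    and derive or unwrap the data key from the password."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self._verifier = self._derive(password, self.salt)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

    def unlock_message(self, password):
        return self._derive(password, self.salt)

    def receive(self, message):
        return hmac.compare_digest(message, self._verifier)


def unlock_is_password_bound(drive_cls):
    """True if two drives set up with different passwords accept different messages."""
    a, b = drive_cls(b"correct horse"), drive_cls(b"battery staple")
    msg_a = a.unlock_message(b"correct horse")
    msg_b = b.unlock_message(b"battery staple")
    return msg_a != msg_b
```

`unlock_is_password_bound` is the property a validation test should assert: it is false for the host-checked model, which is why the strength of the AES-256 encryption never comes into play.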

Read Computerworld for a complete analysis of the vulnerability.

Adobe's JavaScript issue

Posted by brainfoldb4u on January 7, 2010

I was reading this article from Threatpost in which Adobe’s security chief Brad Arkin was interviewed by Threatpost editors Dennis Fisher and Ryan Naraine. It was a long but interesting conversation, with Brad Arkin explaining the recent malware exploit, what really went wrong and how their team responded to it. The questions from Dennis and Ryan were straight to the point and made more sense of Adobe’s replies on this issue. It is interesting to learn how impossible it is to completely remove JavaScript without causing major compatibility problems. It is a lengthy conversation, so here are a few very informative key points.

JavaScript blacklist:

I am not sure how many of you out there are aware of the JavaScript blacklist function, a new feature that shipped along with their October update. The JavaScript blacklist allows users to define any specific JavaScript API as a blacklist item, which then won’t be called. Once a JavaScript API is on the blacklist, any call to it from a PDF document will be denied. It’ll deny valid calls as well as malicious calls that try to corrupt the call to create a crash. This is something users can do, and administrators of managed desktop environments can also do it, using group policy objects to roll out the change as a registry key.

Docmedia.newplayer:

The actual malware identified in Adobe Flash and Adobe Reader is in an API called Docmedia.newplayer. Brad’s response on the possible disruption this API can cause is:

Docmedia.newplayer is not one of the new API calls that is showing-up in every single PDF that we see.  It’s something that’s used a lot less often.  And so, if you were to disable JavaScript altogether, that would disrupt a lot of things.  Disabling this here, you know, for the people who rely on it, obviously, it would disrupt what they’re doing.  But, the majority of PDFs that use JavaScript don’t have this in it.  And so, for most users, their experience and their workflows are gonna be the same.  It’s something that, you know, enterprises need to understand what’s in their workflow so they can check what the impact would be.

Mitigation:

  • Utilizing the JavaScript black list function.  This is the most powerful mitigation.  It completely protects users against the attack, and at the same time it will cause the least disruption for legitimate uses of the program.
  • Something that’s a lot more disruptive, but also completely mitigates the current attack, is disabling JavaScript altogether.

Adobe’s steps to mitigate future attacks:

Back in May we announced this security initiative that the Reader and Acrobat engineering teams were working on.  And the – the three big legs of that process, we were doing – improving our process for urgent patch release, and then moving through the quarterly security update cycle.  But, the most important thing that we were doing there was the code hardening activities, and a big part of the code hardening, for us, was looking at the JavaScript APIs and doing things like looking for problems and fixing them, but also tightening up input validation, so that even if there might be a latent bug somewhere deep in the code that we don’t know about, if we can prevent the ability of the attacker to get malicious data to that weak spot in the code, then that’ll protect against the problem.  And so, tightening-up the input validation, working on, you know, any potentially risky areas and seeing what we could do there.

Why don’t you just remove JavaScript support from Adobe Reader?

No.  JavaScript is really an integral part of how people do form submissions.  And so, anytime you’re working with a PDF where you’re entering information, JavaScript is used to do things like verify that the date you entered is the right format.  If you’re entering a phone number for a certain country it’ll verify that you’ve got the right number of digits.  When you click “submit” on the form it’ll go to the right place.  All of this stuff has JavaScript behind the scenes making it work and it’s difficult to remove without causing problems.

Flash cookies

Flash player local shared objects, because they behave quite differently from browser cookies. But, the local shared object is something that – what we find is that there’s a lot of great uses for that where the developer will store data locally, it’ll improve network performance, it’ll improve the user experience where they can queue stuff up immediately and not having to wait for network latency. But, then we’ve seen there’s some confusion about how to manage the local shared object, and then also there’s things that subvert the user’s intention where, you know, we’ve seen things like this respawning that you talked about. And so, our goals are to make it as easy as possible for the user to exercise whatever it is they’re intending to do. And it’s actually not any harder managing local shared objects through Flash Player in terms of just, if you measure the number of clicks required. It’s just, it’s less familiar to users, and so people know how to go to their browser file menu and click on, you know, “clear cookie cache.”

But, doing those same clicks for Flash Player is something that people aren’t as familiar with, and we for a long time have tried to work with the web browser vendors for them to open-up the API, so that when the user clicks “clear browser cookies,” it’ll also clear the Flash Player local shared objects.  But, the browsers don’t expose those APIs today.  And so, that’s something that we’ve been working with those guys, because if they can make that open up that API ability, then we can hook into that as Flash Player, so that when the user clicks “clear” it’ll clear Flash Player as well as the browser cookies.

For the complete story, see the original article. Now it’s time for me to research how possible it is to get browsers to clear the Flash cookies along with browser cookies when the user clicks “clear it”. If you have any ideas, please do comment.