Tuesday, December 23, 2014

PDF Versions Malicious Content Distribution

While attack vectors based on malicious PDFs are a well-known topic (SANS, Didier's tools), understanding how those vectors are spread nowadays is an interesting "research" (at least in my personal opinion). Recently, Yoroi's toolset gave me the ability to analyze almost 2k PDFs per hour, so I decided to analyze an entire hour of captures harvested from many different sources (mainly emails, repositories and HTTP streams) and to put my findings in this quick and dirty post, just to fix them in my "diary".

Since PDF is one of the most used document formats, attackers figured out how to make it malicious. The following image shows a romantic attack path used to infect a victim through PDF malware. The infected PDF wraps an object whose content eventually downloads a payload from the Internet (for example a .exe, or a chunk of bytes executed "directly in memory") and runs it. The payload might perform several tasks, such as reading/writing the filesystem, executing objects, sniffing passwords, listening for content, substituting content and so on, making the original PDF malicious.
Romantic Attack Path driven by PDF
A commonly used way to implement the downloader is JavaScript, which PDF readers can run in order to add simple effects, anchors and dynamic behaviour. The following image shows a simple JavaScript downloader hidden in a PDF.

A Romantic PDF Malware Object
My curiosity was about discovering how many malicious PDFs I was able to find among 2k PDFs in total. By using simple scripts I was able to automate the 'first level of analysis', including:
  • Downloading PDFs from internal/external sources
  • Automated detection (I borrowed some code from pdfid.py by Didier)
  • Calculating simple statistics on the analyzed malware
A Node.js downloader script grabs all the files from Yoroi's internal repository as follows (you might use the same code to download from Google or whatever you like).

A simple downloader script
Once the PDF has been saved locally, a Python script analyzes its content. The following image shows a piece of code taken from Didier's tools (pdfid.py) that has been used to build the automatic first-stage analyzer in order to extract content.

Analyze PDF content from pdfid.py by Didier Stevens
A post-processing static analyzer then runs to figure out the "stream content maliciousness". After several hours of computational analysis (OK, performance and timing were not an issue in my case, since what I did was just for personal curiosity) I came out with the following results:

Total PDF analyzed: 1988
Total Size on Disk: 1.83GB

Figuring out the most affected PDF version was my next step. The following graph shows the distribution of malicious content (JS, encrypted content and embedded files) found in the 1988 PDFs.

Malicious Content Over PDF Version

If we assume the analyzed set of data is a "significant set of data", we might assert that PDF 1.1 and PDF 1.7 are the safest PDF versions regarding malicious JS, encrypted content and embedded executables: less than ten (10) malicious contents were found in both versions. On the contrary, PDF 1.6 and PDF 1.4 result as the most "affected" PDF versions. But malicious content might hide after the EOF and use the PDF as a passive carrier. The following graph shows the distribution of malicious content found after the End Of File.

Malicious Content after EOF
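As an added example (not the author's script, which the post only shows as images), here is a pdfid-style first-stage triage in Python that does what the two steps above describe: it counts the indicator names the post tallies, decodes the #xx name obfuscation pdfid also handles, measures data appended after the last %%EOF, and aggregates the findings per header version. The three PDFs are constructed in-line.

```python
import re
from collections import Counter

# Indicators the post tallies (/JS, /JavaScript, /EmbeddedFile, /Encrypt) plus the
# companions pdfid.py also reports, which make JavaScript run without a click.
KEYWORDS = (b"/JS", b"/JavaScript", b"/EmbeddedFile", b"/Encrypt",
            b"/OpenAction", b"/AA", b"/Launch")
HEADER_RE = re.compile(rb"%PDF-(\d\.\d)")
# A PDF name token: '/' then regular characters; '#xx' is a hex escape for any byte.
NAME_RE = re.compile(rb"/(?:[^\s/<>\[\]()%{}]|#[0-9A-Fa-f]{2})+")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
PDF_WHITESPACE = b"\x00\t\n\x0c\r "

# Constructed samples: a clean file, one with an obfuscated /JavaScript action,
# and a "passive carrier" with bytes appended after %%EOF.
SAMPLES = {
    "clean-1.7.pdf": (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                      b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"),
    "js-obfuscated-1.4.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\n"
                              b"endobj\n2 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\n"
                              b"endobj\n%%EOF\n"),
    "carrier-1.6.pdf": (b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
                        b"MZ\x90\x00" + b"\x00" * 64),
}


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /J#61vaScript counts as /JavaScript."""
    return HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_version(data: bytes):
    """Version from the %PDF-x.y header; readers accept it anywhere in the first 1024 bytes."""
    m = HEADER_RE.search(data[:1024])
    return m.group(1).decode() if m else None


def bytes_after_eof(data: bytes) -> int:
    """Size of whatever follows the last %%EOF, ignoring the line ending that belongs to it."""
    idx = data.rfind(b"%%EOF")
    if idx < 0:
        return len(data)  # no EOF marker at all: nothing in the file is accounted for
    return len(data[idx + len(b"%%EOF"):].lstrip(PDF_WHITESPACE))


def triage(data: bytes) -> dict:
    """First-stage scan in the spirit of pdfid.py: raw name counts plus post-EOF data.
    Like pdfid, it does not inflate streams, so names hidden inside /FlateDecode
    objects are invisible at this stage and need the post's second-stage analysis."""
    counts = Counter({k: 0 for k in KEYWORDS})
    for raw in NAME_RE.findall(data):
        name = normalize_name(raw)
        if name in counts:
            counts[name] += 1
    return {"version": pdf_version(data), "counts": dict(counts),
            "after_eof": bytes_after_eof(data)}


def categorize(report: dict) -> set:
    """Map one report onto the categories of the post's graphs."""
    c, cats = report["counts"], set()
    if c[b"/JS"] or c[b"/JavaScript"]:
        cats.add("JS")
    if c[b"/Encrypt"]:
        cats.add("Encrypted")  # worth a second look, not proof of malice by itself
    if c[b"/EmbeddedFile"]:
        cats.add("EmbeddedFile")
    if report["after_eof"]:
        cats.add("AfterEOF")
    return cats


def aggregate(files) -> dict:
    """files: iterable of (name, bytes). Returns {version: {category: number of files}}."""
    per_version = {}
    for _name, data in files:
        rep = triage(data)
        bucket = per_version.setdefault(rep["version"] or "unknown", Counter())
        bucket["Total"] += 1
        for cat in categorize(rep):
            bucket[cat] += 1
    return {v: dict(c) for v, c in per_version.items()}


if __name__ == "__main__":
    for version, stats in sorted(aggregate(SAMPLES.items()).items()):
        print(version, stats)
```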

If we assume the analyzed set of data is a "significant set of data", we might assert that PDF version 1.1 and PDF version 1.2 are the safest versions against malicious content after the End Of File. Surprisingly, PDF version 1.7 is not "so safe" anymore. Comparing the overall data, I came out with the following pie chart, where we can appreciate the fact that PDF version 1.4 is the most affected by malicious content, with PDF version 1.3, PDF version 1.5 and PDF version 1.6 following it.

Overall Malicious Content By Type

Not many conclusions here: if you mostly work with these versions (1.4, 1.3, 1.5), you'd better watch out, since the probability of getting a malware PDF is higher than with other PDF versions.

Just remember that we are assuming the data I collected is significant because it comes from many different organizations within different businesses.

I do have an open question so far:
  1. Does it make sense for anti-malware engines to weight the use of computational resources depending on which PDF version is currently being processed? For example: if an anti-malware engine is running analysis on PDF version 1.6, should it allocate more computational resources (RAM, CPU, IO, etc.) than when it is analyzing PDF version 1.1?

Thursday, December 4, 2014

Operation Cleaver

I knew about the presence of the "Cleaver" malware, actually with no real evidence (at that time I didn't know "Cleaver" would be its future name), from a cyber friend of mine who worked with me on malware evasion techniques. I knew Iranian hackers were getting better and better, but what I did not know was the high cyber security level they had reached! (NOTE: the PrivEsc is a clear plagiarism of MS10-015! I do agree with Cylance.) Cylance did a great job in putting all the information and all the spread analysis together, discovering this incredible targeted cyber attack originated from Iran. Are you wondering when and where we heard about Iranian hackers? No problem, let's take a look at a clear timeline from Cylance showing Iranian-centric attacks, with Iran either as victim (on the left) or as attacker (on the right).

From Cylance Report
If you are wondering how Cylance knows about the attacks' origin... well, the answer is straight in the code. If you reverse the Cleaver malware (BTW, you can download it from here) you'll see: Persian names, most IPs and DNS names written into the code belong to Iranians, ASNs belonging to Iranian companies, the entire infrastructure hosted at Netafraz.com, an Iranian provider, and so on.

The initial compromise techniques according to Cylance were simple and well known, even if having them all together in a unique piece of malware makes this attack "spectacular"! Quoting the report:
  • "Initial compromise techniques include SQL injection, web attacks, and creative deception-based attacks – all of which have been implemented in the past by Chinese and Russian hacking teams.
  • Pivoting and exploitation techniques leveraged existing public exploits for MS08-067 and Windows privilege escalations, and were coupled with automated, worm-like propagation mechanisms.
  • Customized private tools with functions that include ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging."
One of the most difficult questions to answer is "What is the most attacked country?" Well, it's easy to answer such a question talking about numbers, but considering opportunities and economy... almost all the top countries (economy-wise) in the world have been targeted.

Targeted Countries, taken from Cylance Report

It is interesting how the attackers want to make sure the victims are not coming from IRAN. The following image shows how the shell client checks the IP location. The code handles the XML response from freegeoip.net and displays the information in different colors based on different attributes. For instance, if the string "ERROR" is in the response, the text is displayed in magenta. If the string IRAN is in the response, the text is displayed in red. It should be noted that no other country name contains the substring IRAN.

Piece of Shell Creator from Cylance Report

The entire system has been found to use at least two different proxies: CCProxy (from a China- and Middle East-based company) and Squid (open source, worldwide). Interesting the way the attackers made use of the CCProxy sources [... thinking about it ...]. From the proxy configurations, the Cylance folks figured out IPs, usernames and passwords of the command and control servers. They found that domains, usernames and passwords were attributable to Tarh Andishan. Quoting the Cylance report:

"Tarh Andishan has been suspected in the past of launching attacks in the interest of Iran. The operators of the blog IranRedLine.org, which comments on Iran’s nuclear weapons efforts, have mentioned in multiple posts having been the target of debilitating brute-force authentication attacks from IP addresses registered to the same Tarh Andishan team found in Cleaver. In one of IranRedLine.org’s blog posts, the author speculates on Tarh Andishan’s involvement with the Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and Research; however, the phone number listed under the registrant contact information has yet to be completely validated."
The Cleaver malware has many ways to be delivered, from spear phishing to watering holes. Once the malware is dropped onto the victim's PC, it grabs local and network credentials (by using standard techniques) and uses them to spread itself through PsExec, SMB shares, DLL injection, etc., making it wormable. The Cleaver malware grabs user info and sends it to external sources through FTP servers, SMTP servers, SOAP-based servers and, if needed, SSH controllers. It uses a common version of TinyZBot (up to 2013) to communicate back to the command and controls.

It is a pretty nice piece of malware which, from my personal point of view, shows how easy it could be to make a worldwide targeted attack having good development skills and wise "underground knowledge". "Underground knowledge" is useful to re-use pieces of malware, shellcode generators, encryptors, proxies, spreading techniques, infection vectors, multiple-stage infections, etc., in order to avoid new development or new infection processes; development skills are useful to fit all the re-used software together and make it work.

Thursday, November 27, 2014

ReGeneration (Regin) Targeted Attack

Nowadays every security blogger is writing about how Regin (it should be read as Re-Gen, like regeneration), a new sophisticated targeted attack discovered by Symantec (here), works and how it spied on several thousand PCs, mostly in Russia, Germany and the Middle East. I won't write about its "hidden 6 stages" malware or about its incredibly high number of payloads; I want to focus my research on the initial vector, which happens to be undisclosed so far. Symantec believes that some targets may be tricked into visiting spoofed versions of well-known websites and the threat may be installed through a web browser or by exploiting an application. Symantec asserted:
On one computer, log files showed that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit.
According to CVE (from here) the last exploit affecting Yahoo Messenger is almost 3 years old; isn't that weird? Yahoo Messenger is a well-known piece of software, commonly used to communicate; it's quite weird that no security breaches came out in the past 3 years... at least this is my personal opinion... Who knows how many security flaws are afflicting such software...

On the other side of the net, reading Kaspersky's Securelist, I find:
The exact method of the initial compromise remains a mystery, although several theories exist, which include man-in-the-middle attacks with browser zero-day exploits. For some of the victims, we observed tools and modules designed for lateral movement. So far, we have not encountered any exploits. The replication modules are copied to remote computers by using Windows administrative shares and then executed.
Naturally it means the malware must be run with administrative privileges... which makes me think about the real initial vector...

The reality is that no reproducible vector has been established since Symantec released its findings, showing just how incredibly sophisticated this malware threat is, with custom modules able to be deployed at will to change attack vectors and go after targets with razor-sharp accuracy. We might consider this malware one of the most complex ever released (for the time being), even more complex than Duqu or Stuxnet.

Some pieces of code were written in 2003; most of them are still encrypted and undisclosed. This is another scary factor. If you don't believe me and you want to try your own analysis, please feel free to download some samples of the Regin malware from here (the password is: "infected"). If you have trouble finding the file, feel free to drop me an email.

UPDATE: new link to Regin Sample (Here)

Thursday, November 6, 2014

WireLurker, a shock in Apple World.

I am not used to writing "malware-centric" posts; on the contrary, I love to focus my writing on specific techniques used by malware to infect systems and/or to evade analysis. However, today I want to stamp WireLurker in my digital diary, since I see a "paradigm shift" in it. I find it a super fascinating piece of code whose motivations are still unclear. WireLurker was first analyzed by Unit 42 (Palo Alto Networks) and suddenly became quite widespread news. It targets OS X and iOS devices (one of the first malware families written entirely for Apple platforms). WireLurker has the following specific characteristics:
  • It is only the second known malware family that attacks iOS devices through OS X via USB 
  • It is the first malware to automate generation of malicious iOS applications, through binary file replacement 
  • It is the first known malware that can infect installed iOS applications similar to a traditional virus 
  • It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning 
Palo Alto Networks writes:
Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen.
WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users. The following image shows the complete infection workflow.

Complete infection workflow: From PaloAlto unit42 report

Fascinating how simple the technique used by the malware writers to trojanize a legitimate app is. Please substitute %@ with real paths to make sense of it.

Trojanize script used by WireLurker. From PaloAlto unit42 report
Once the "trojanized app" has been saved on the infected machine, WireLurker builds its own "empire" by downloading applications, updating itself and hiding files in folders spread across the file system. The following image shows the amount of dropped, created and deleted files on the targeted machine.

From PaloAlto unit42 report
Even more fascinating is the way WireLurker gets persistence on the device. Generally speaking, WireLurker runs as a background process waiting for iOS devices to infect over a USB connection; this is a quite simple process, however it adopts multiple redundancy methods to guarantee its own presence, such as:
  • It does not check if the device is already infected; each time, it executes the malicious code.
    • This is actually a weak point. Detectors might exploit this behavior to identify it.
    • It is not really "silent" adopting this "forcing method".
  • WireLurker initialization and update scripts create and load launch daemons, ensuring persistence after reboot.
    • A pretty simple approach if compared to complex bootkit malware, which does not initialize a daemon directly.
  • It invokes the following launchctl command:
From PaloAlto unit42 report

Communication to command and control happens by using the Data Encryption Standard (DES) with Cryptographic Message Syntax Standard (PKCS7) padding. Researchers from Palo Alto Networks figured out that for each piece of TCP data WireLurker receives or sends, the first 10 bytes of the data are used to generate a session key. The session key is then combined with a fixed string, “dksyel”, to generate a decryption key. The remaining bytes of the data are encrypted data that has also been encoded using Base64. From here the analysis is quite usual.

Quoting the unit42 report:
The ultimate goal of the WireLurker attacks is not completely clear. The functionality and infrastructure allows the attacker to collect significant amounts of information from a large number of Chinese iOS and Mac OS systems, but none of the information points to a specific motive. As infected devices regularly request updates from the attackers command and control server, new features or applications could be installed at any time. It’s clear the tool set is still undergoing active development and we believe WireLurker has not yet revealed its full functionality.
It is quite weird behavior. Right now I do not have enough elements to understand the goal of such a targeted attack. Having general information about Apple device owners seems to me a quite original target per se. For sure, the security perspective for Apple users has deeply changed.

Monday, October 13, 2014

The Most Famous Malware in APTA

During my talks and during my daily working life, people ask me about the most interesting malware used to perform Advanced Persistent Targeted Attacks (APTA). So I decided to give my personal answer in this post, being conscious that things will change pretty soon.

Let's start with Stuxnet, maybe the best-known APTA in history, also responsible for giving a public start to cyber-espionage.

Stuxnet is a computer worm that was discovered in June 2010. It was designed to attack industrial Programmable Logic Controllers or PLCs. PLCs allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart. Stuxnet’s design and architecture are not domain-specific and it could be tailored as a platform for attacking modern SCADA and PLC systems (e.g. in the automobile or power plants), the majority of which reside in Europe, Japan and the US. Stuxnet reportedly ruined almost one-fifth of Iran's nuclear centrifuges.
From TrendMicro Report

Stuxnet has three modules:
  1. a worm that executes all routines related to the main payload of the attack; 
  2. a link file that automatically executes the propagated copies of the worm; and 
  3. a rootkit component responsible for hiding all malicious files and processes, preventing detection of the presence of Stuxnet. 
Stuxnet was able to exploit the following vulnerabilities: CVE-2010-2568, CVE-2008-4250, CVE-2010-2729 and CVE-2010-277. It mainly got started from USB sticks and spread over PCs through those vulns. What it did was to substitute a Siemens DLL, getting control of Siemens SCADA systems. A later updated version was also able to exploit CVE-2010-2772, being able to read and write directly on the Siemens SCADA database (.DBI).

Another great example is Flame.

Flame, also known as Flamer, sKyWIper and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is being used for targeted cyber espionage in Middle Eastern countries. Flame can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.

SecureList Thread

Flame was actually one of the most complex pieces of computer malware ever. Super "heavy", it comes with a database server, very uncommon virtual machines (Lua), file sharing, specific "red protocols", gzlibs, encryption libs and so on... A great client analysis can be found here. My favorite server analysis can be found here.

Duqu is another big name in the APTA's world.

Duqu malware is a variety of software components that together provide services to the attackers. Currently this includes information-stealing capabilities and, in the background, kernel drivers and injection tools. Part of this malware is written in an unknown high-level programming language, dubbed the "Duqu framework". It is not C++, Python, Ada, Lua or many other checked languages. However, recent evidence suggests that Duqu may have been written in object-oriented C (OO C) and compiled in Microsoft Visual Studio 2008.

Duqu main components and modules from this report

The dropper file recovered and disclosed by CrySyS Lab uses a Microsoft Word (.doc) document which exploits the Win32k TrueType font parsing engine and allows code execution (BTW, a nice article on that vulnerability is here). The Duqu dropper relates to font embedding, and thus relates to the workaround of restricting access to T2EMBED.DLL, which is the TrueType font parsing engine, if the patch released by Microsoft in December 2011 is not yet installed. The Microsoft identifier for the threat is MS11-087. Duqu has tons of similarities with Stuxnet; common code has been proven.

A more recent attack used to spy on diplomats is Turla.

Turla has been used for classic espionage-type operations for at least four years. Because of the targets chosen and the advanced nature of the malware used, Symantec believes that a state-sponsored group was behind these attacks. Turla provides the attacker with powerful spying capabilities. Configured to start every time a computer starts, once the user opens a Web browser it opens a back door that enables communication with the attackers. Through this back door, the attackers can copy files from the infected computer, connect to servers, delete files, and load and execute other forms of malware, among other capabilities. The group behind Turla uses spear phishing emails and watering hole attacks to infect victims. Some of the spear phishing emails purported to come from a military attaché at a Middle Eastern embassy and had an attachment masquerading as the minutes of meetings. Opening the attachment resulted in Trojan.Wipbot being dropped on to the victim’s computer. It is believed that Wipbot may be the delivery mechanism for Turla as they share several similarities in code and structure.

How Turla is spread, from here.
Turla malware has been used to facilitate watering hole attacks since 2012; its most advanced feature was being totally FUD for many years. Later on it has been used to deliver Wipbot, a famous malware used to gather further information about the infected computer. If the attackers deemed the victim of interest, it appears likely that a second back door (Trojan.Turla) with far greater capabilities was downloaded onto the victim's computer.

In 2012 the Gauss malware hit the Middle East community.

Like Flame and Duqu, the propagation of Gauss seems to be controlled in order to maintain stealth and avoid detection. Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines. The online banking Trojan functionality found in Gauss is a unique characteristic that was not found in any previously known cyber-weapons. Kaspersky writes: “The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed. One can only speculate on the purpose of this mysterious payload.” The malware copies itself onto any clean USB inserted into an infected PC, then collects data if inserted into another machine, before uploading the stolen data when reinserted into a Gauss-infected machine.
From Kaspersky Lab

HiKit is one of the most advanced rootkits used in APTA.

Entirely described by Mandiant (here and here), the “Hikit” malware uses an interesting covert mechanism for command and control. It installs itself as a virtual network adapter layered between the NIC and the overlying protocol drivers. This allows it to covertly monitor incoming packets, intercept command and control data as it enters the network stack, and then spawn user-mode threads to parse them accordingly.

(Extracted from Mandiant Analysis)
HiKit writes two main files to the system:
  1. C:\WINDOWS\system32\wbem\oci.dll 
  2. C:\WINDOWS\system32\drivers\W7fw.sys 
“oci.dll” extracts a number of files from its resources section:
  1. The rootkit driver “W7fw.sys” 
  2. Several requisite .INF and .CAT files for the driver 
  3. A digital certificate “GlobalSign.cer”, along with a copy of Microsoft’s Certificate Manager tool “certmgr.exe” 
The attacker self-generated “GlobalSign.cer” to masquerade a legitimate certificate issued by GlobalSign – it was not stolen nor legitimate. The malware proceeds to use “certmgr.exe” to install the certificate to the local trust store as a root CA and Trusted Publisher using the following two commands: 
  • certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root
  • certmgr.exe -add GlobalSign.cer -c -s -r localMachine TrustedPublisher 
It then attempts to disable driver signing verification by tampering with several registry keys. Finally, it completes the driver installation process and checks that it is properly loaded.
After the installation and infection procedure, HiKit starts to grab usernames and passwords of Windows local and remote accesses, as well as well-known profiles of internet banking and famous services. It provides a modular backdoor to manage the malware and the hosting system.

I am aware that these are only some of the most famous malware used in APTA, and I am aware this little "list" will change over time as well, but as of now, I believe these are the most remarkable malware in APTA.

Wednesday, September 24, 2014

Bash Vulnerability: CVE-2014-6271

Test if you are vulnerable

Nothing really to add here. It just makes me think... those things still happen (thx G). More here, here, here, here and here.

UPDATE (click to enlarge):
From PasteBin (here)
No way... wondering how many triggering vectors would be out there


A few days after the original CVE-2014-6271, more than 5 vulnerabilities have been found in the same "way". My favorite place to stay up-to-date on this topic is this repository.
If you are still wondering what the real risks for your company are, here are some simple examples from (here).

Find out your vulnerable CGI. Get it, and learn from the results...

As simple as a curl, remove everything you want (this is freaking scary).

And then make sure everything went as you wished.

Are you wondering... if I could..., ..., yes you can!

And yes... this vulnerability is "wormable": it might be used for spreading worms.
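As an added example (not from the post, whose test and examples are only images here), this Python snippet covers both sides of the post: the self-check for CVE-2014-6271 on the local bash, and a detection pass over constructed Apache access-log lines that flags the function-definition prefix that reaches CGI scripts through request headers. Log lines and client addresses are constructed.

```python
import os
import re
import subprocess

# The canonical CVE-2014-6271 probe: a function definition in an environment variable with
# a trailing command. A patched bash imports the function and ignores what follows.
PROBE_VAR = "() { :;}; echo vulnerable"

# Constructed Apache combined-format lines: one carrying a function-definition prefix in
# the User-Agent (the CGI vector the post describes), one ordinary request.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; echo shellshock-probe"',
    '198.51.100.9 - - [25/Sep/2014:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0"',
]
# Any "() {" (spaces optional) in client-supplied data is the trigger shape: CGI copies
# headers into HTTP_USER_AGENT, HTTP_REFERER, QUERY_STRING and friends before bash starts.
FUNC_DEF_RE = re.compile(r"\(\)\s*\{")


def bash_is_vulnerable(bash="bash"):
    """Run the self-test from the post on this host. Returns True if the trailing command
    executed (vulnerable), False if bash only imported the function, None if bash is absent."""
    env = dict(os.environ, x=PROBE_VAR)
    try:
        proc = subprocess.run([bash, "-c", "echo test"], env=env, capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in proc.stdout


def find_shellshock_probes(lines):
    """Return (line number, client IP) for each access-log line carrying a function
    definition in its request line, referer or user-agent. Expect the odd false positive
    on exotic user-agents; the shape is still rare enough to alert on."""
    hits = []
    for n, line in enumerate(lines, 1):
        if FUNC_DEF_RE.search(line):
            hits.append((n, line.split(" ", 1)[0]))
    return hits


if __name__ == "__main__":
    print("bash vulnerable:", bash_is_vulnerable())
    print("probes in log:", find_shellshock_probes(SAMPLE_ACCESS_LOG))
```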

Wednesday, September 10, 2014

Nice Way To Evade Dynamic Analysis

One of the most important rules in building dynamic analysis environments is to deny Internet access to the "potentially malicious code". Indeed, the "potentially malicious code" could try to exploit the analysis system itself if an Internet connection is available. To respect this basic rule, when sandboxed code tries to open an Internet page, the sandbox environment sends back a static 200 response, so that the "potentially malicious code" can compare the received page with the one it needed. At that point the analysis system might try to "taint" and/or to apply its own detection mechanisms.

A smart way to detect whether code is sandboxed or not is to try to reach an unreachable Internet site. If the code reads back a 200, it means the code has been sandboxed, since it is trying to reach an unreachable page. Following is a simple Python example.

Python 2.7 example

Following is a simple Java example of the aforementioned technique.

A Java example
Another typical example, written in C:

C example
That trick has been known since 2012. Have a nice evasion.
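As an added illustration from the sandbox builder's side (not one of the post's examples, which are images here), this Python sketch shows the counterpart to the trick: a fake-Internet policy that serves the canned 200 page only for hosts that actually resolve, and a check over a constructed network trace that flags the "unreachable host answered with 200, then immediate exit" pattern as a probable sandbox probe. The resolver, hosts and traces are constructed stand-ins.

```python
from dataclasses import dataclass


@dataclass
class NetEvent:
    t: float          # seconds since the sample started
    kind: str         # "dns", "http" or "exit"
    host: str = ""
    status: int = 0   # HTTP status the fake-Internet served (kind == "http")


# Constructed stand-in for a resolver fed by real or passive DNS. Resolution is the one
# piece of real-world knowledge the sandbox needs; it still never fetches any content.
KNOWN_RESOLVABLE = {"update.example.net", "www.example.com"}


def resolves(host: str) -> bool:
    return host.lower().rstrip(".") in KNOWN_RESOLVABLE


def fake_internet_reply(host: str, resolver=resolves):
    """Policy for the sandbox HTTP sink: serve the canned 200 page only for hosts that
    exist, and behave like the real Internet (no answer) for the rest, so the check in
    the post sees the same failure it would see outside the sandbox."""
    return 200 if resolver(host) else None


def looks_like_sandbox_probe(events, resolver=resolves, grace=2.0) -> bool:
    """Flag a trace whose only HTTP contact went to a host that does not resolve, got a
    200 from the sink anyway, and was followed by a quick exit: the post's check seen
    from the analyst's side. A legacy sink answering 200 for everything yields exactly this."""
    http = [e for e in events if e.kind == "http"]
    exits = [e for e in events if e.kind == "exit"]
    if len(http) != 1 or not exits:
        return False
    probe, end = http[0], exits[0]
    return (not resolver(probe.host)) and probe.status == 200 and end.t - probe.t <= grace


# Constructed traces. A: a legacy sink answered 200 for a bogus host and the sample quit
# at once. B: the hardened policy left the bogus host unanswered, so the sample carried on
# and contacted its real infrastructure, which is what the analyst wanted to observe.
TRACE_LEGACY_SINK = [
    NetEvent(0.2, "dns", "q7x2k9.invalid"),
    NetEvent(0.4, "http", "q7x2k9.invalid", 200),
    NetEvent(0.9, "exit"),
]
TRACE_HARDENED_SINK = [
    NetEvent(0.2, "dns", "q7x2k9.invalid"),
    NetEvent(1.5, "dns", "update.example.net"),
    NetEvent(1.7, "http", "update.example.net", 200),
    NetEvent(9.0, "exit"),
]
```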

Sunday, July 27, 2014

Cyber Intelligence abusing Internet Explorer to perform Targeted Attacks

A "mandatory" step to achieve a complete and successful targeted attack is the so-called "Cyber Intelligence Phase". By definition, every targeted attack has at least one specific characteristic which makes it perfectly fit a given target. As you might agree, one of the most important activities in developing a targeted attack is to know exactly what's running on the target system. The activity which takes care of "discovering" what's running on a given system is often called Cyber Intelligence (many of you in the Cyber Intelligence field might know a slightly different definition... but this is not the point). I won't write, in this quick and dirty blog post, about cyber intelligence; instead I want to point out simple techniques to perform target enumeration by using Internet Explorer.

One of the most used techniques to perform Cyber Intelligence through Internet Explorer (IE) is the abuse of resource (res://) calls. This technique affects IE from version 6 to 8. It has been widely discussed on many online sites (for example: here, here, here and here). The technique is based on the fact that IE blocks access to the local file system through "file://" calls, but lets "res://" calls access image resources on the file system. To exploit this IE behavior the attacker might look at specific executables holding specific images (as resources). The res:// abuse has been used as a Cyber Intelligence weapon in several attacks, including the "watering hole campaign affecting a Thailand NGO" as posted here. The aforementioned behavior could be exploited as follows:

From AlienVault Article
The resList contains the list of executable files used to detect antivirus software. Following is a simple example taken from a real case. Similar code was found in Skipot too...

From AlienVault Article
Another technique used to map software on a target host relies on the Microsoft XMLDOM ActiveX information disclosure vulnerability. This vulnerability has been widely discussed as well (here, here, and here). Basically, Microsoft.XMLDOM is an ActiveX control that can run in Internet Explorer without prompting the user. This object contains methods that can leak information about a computer system to the operator of a website. By looking at the error codes returned by the XMLDOM ActiveX control, an attacker can check for the presence of local drive letters, directory names, files, as well as internal network addresses or websites. It is confirmed that this issue affects Internet Explorer versions 6 through 11 running on Microsoft Windows through version 8.1. The following code shows an example implementation of such a vulnerability. It looks for the presence of specific files on the target system.

Implementation of XMLDOM ActiveX vulns
Following this path, attackers might use more XMLDOM vulnerabilities such as CVE-2014-0322, in which Microsoft Internet Explorer 9 and 10 allow remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the "onpropertychange" attribute of a script element, as exploited in the wild in January and February 2014. MSF exploits are available out there. As Websense discussed on its security blog post, attackers used the described technique to identify the presence of Microsoft EMET on the target system. The same technique was found in the Angler Exploit Kit and later on in the Goon and Cool Exploit Kits too.

Cyber Intelligence is one of the most fascinating fields. It does nothing bad per se; it simply offers detailed information to the next "phases". As always happens, such information could be used by legitimate systems as well as by attackers' systems. As you have probably learned in the past years... watch out what you browse!

Tuesday, July 1, 2014

OpenSSL CCS Attack

As you might see from my post frequency, the last months have been pretty busy for me. My hacking team and I are working really hard and we are achieving incredible results, which makes me happy but really busy as well. The OpenSSL CCS Attack (CVE-2014-0224) is almost one month old and not super interesting to exploit so far, but since we got great experience on that specific vulnerability I decided to "fix it" in my memories in the following way.

The CVE-2014-0224 bug has existed since the very first OpenSSL release, and this makes (at least to me) the whole story very fascinating. The issue basically happens because OpenSSL inappropriately accepts a ChangeCipherSpec (CCS) message during a handshake. The following picture shows the correct way to implement a full protocol handshake.

The bug is triggered if a ChangeCipherSpec message is injected after the ServerHello but before the master secret has been generated (ClientKeyExchange). At this point ssl3_do_change_cipher_spec generates the keys and the expected Finished hash for the handshake from an empty master secret (the implementation bug). Moreover, the keys are latched, because further ChangeCipherSpec messages regenerate the expected Finished hash but not new keys. The following image shows the injection time frame.

The buggy code is the following one (the numbered comments follow the above description):

int ssl3_do_change_cipher_spec(SSL *s)
{
    int i;
    const char *sender;
    int slen;

    if (s->state & SSL_ST_ACCEPT)
        i = SSL3_CHANGE_CIPHER_SERVER_READ;
    else
        i = SSL3_CHANGE_CIPHER_CLIENT_READ;

    if (s->s3->tmp.key_block == NULL) {    /* (1) no keys yet: first CCS seen */
        if (s->session == NULL) {
            /* might happen if dtls1_read_bytes() calls this */
            return (0);
        }

        s->session->cipher = s->s3->tmp.new_cipher;
        /* (2) key block derived from the current, possibly still empty, master secret */
        if (!s->method->ssl3_enc->setup_key_block(s))
            return (0);
    }

    if (!s->method->ssl3_enc->change_cipher_state(s, i))
        return (0);

    /* we have to record the message digest at
     * this point so we can get it before we read
     * the finished message */
    if (s->state & SSL_ST_CONNECT) {
        sender = s->method->ssl3_enc->server_finished_label;
        slen = s->method->ssl3_enc->server_finished_label_len;
    } else {
        sender = s->method->ssl3_enc->client_finished_label;
        slen = s->method->ssl3_enc->client_finished_label_len;
    }

    /* (3) expected Finished hash recomputed on every CCS; the keys are not */
    i = s->method->ssl3_enc->final_finish_mac(s,
                                              sender, slen, s->s3->tmp.peer_finish_md);
    if (i == 0)
        return 0;
    s->s3->tmp.peer_finish_md_len = i;

    return (1);
}

Fortunately a patch is available here and a simple Go tool to check for the presence of the bug is here. For more detailed information, please see this post and the original post.
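To make the failure concrete, here is an added Python model of the CCS handling described above (not OpenSSL code and not the post's own): the key block is derived from whatever master secret exists when the first CCS arrives and is latched afterwards. The key derivation is a stand-in keyed hash rather than the TLS PRF, and the reject_early_ccs switch stands in for the patched check.

```python
import hashlib
import hmac

class CCSReceivedEarly(Exception):
    """CCS arrived before a master secret exists."""

class HandshakePeer:
    """Tracks only the handshake state the bug depends on (model, not OpenSSL)."""

    def __init__(self, reject_early_ccs: bool):
        self.reject_early_ccs = reject_early_ccs
        self.master_secret = b""  # empty until ClientKeyExchange is processed
        self.key_block = None     # stands in for s->s3->tmp.key_block
        self.events = []

    def client_key_exchange(self, premaster: bytes) -> None:
        # Stand-in for the TLS PRF; any keyed hash is enough for the model.
        self.master_secret = hashlib.sha256(b"master secret" + premaster).digest()

    def change_cipher_spec(self) -> bytes:
        # The fix: refuse a CCS while the master secret is still empty.
        if self.reject_early_ccs and not self.master_secret:
            raise CCSReceivedEarly("CCS received early")
        if self.key_block is None:
            # Vulnerable path: with master_secret == b"" the keys are predictable.
            self.key_block = hmac.new(self.master_secret, b"key expansion", hashlib.sha256).digest()
            self.events.append("keys derived")
        else:
            # Later CCS messages recompute only the expected Finished hash; keys stay latched.
            self.events.append("keys latched")
        return self.key_block

def predictable_key_block() -> bytes:
    """What an attacker can compute: the key block for an empty master secret."""
    return hmac.new(b"", b"key expansion", hashlib.sha256).digest()

def run_early_ccs(reject_early_ccs: bool) -> tuple:
    """Inject a CCS before ClientKeyExchange, then finish the handshake normally."""
    peer = HandshakePeer(reject_early_ccs)
    peer.change_cipher_spec()                           # injected CCS
    peer.client_key_exchange(b"constructed premaster")  # real secret arrives too late
    peer.change_cipher_spec()                           # legitimate CCS
    return peer.key_block, peer.events

def hardened_rejects_early_ccs() -> bool:
    try:
        run_early_ccs(True)
    except CCSReceivedEarly:
        return True
    return False
```

Run with the switch off and the final key block equals predictable_key_block() even though a real premaster secret arrived later; with it on, the injected CCS is refused.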

Friday, May 16, 2014

MalControl Video

After the big success of the MalControl open source software, people asked me to record a simple video to show how it's supposed to work. I used a screencast this time.


This short quick'n dirty video shows how MalControl is supposed to work. Please refer to the original GitHub page (https://github.com/marcoramilli/malcontrol) for any needs, tickets, requests and so on. If you want to add your scraper and/or new frontend features please email me; every contribution is welcome.

Friday, May 2, 2014

Say Hello to MalControl: Malware Control Monitor

Gathering open data from malware analysis websites is the main target of the Malware Control Monitor project. Visualizing such data by synthesizing statistics that highlight where threats happen and what their impact is can be useful for identifying malware propagation.

Open Data:

We actually scrape the following services:
  1. malwr 
  2. phishtank 
  3. urlquery 
  4. virscan 
  5. webinspector 
If you are a malware scan provider and you would like to actively participate in the project by giving some of your data, please contact us; we'll be glad to add your service to our project. Each visualized threat comes with the original, 'clickable' URL pointing to the original report. The original report holds all the specific information on the threat.

Backend Structure:

A background node scrapes websites to grab malware information and fills a MongoDB database. An API node serves the API used by the frontend layer. Public APIs are available; please read doc/index.html for the full list. If you are interested in developing a website scraper, take as an example one of the scrapers available in the scrapers folder. Each scraper must be a function 'goScraper' that ends up saving the scraped data to the db using the function saveMalwareToDB, respecting the db schema placed in the schemas folder.

Screen Shots:

Screenshots talk loudly :) The following image shows how MalControl geolocates malware and threats by grouping them by country. On the right side of the screen, graphs with a transparent gradient show trends and totals of the analyzed sources. The top two charts show the "top countries" spreading malware/threats.

The next two charts show how many malware/threats per hour MalControl is able to capture. This feature gives an instant view of how the "malware world" is progressing. The last two charts show the totals of malware/threats coming from the scraped sources. If you are interested in adding a source (by writing a scraper) please make a pull request or contact us.

By drilling down into a specific malware/threat you will see the icons of the scraped sources. By clicking on such icons a tooltip pops up with detailed information on the selected malware/threat. The information is source specific and might differ from source to source. The following image shows detailed information from PhishTank, which provides the malicious URL and a source-specific report.

Download and Contribute:

If you'd like to download it, try it, put it in your home lab or help us develop MalControl, a good place to start is the GitHub repository: https://github.com/marcoramilli/malcontrol

Super Important Note:

Everything is as it is: this project is still "under construction", and what you see on the GitHub repo is an early version of the full stack implementation. "Don't even think of using it in any production environment." Code might change, might be deleted and so on...

Monday, April 28, 2014

InfoSec London 2014

Just a quick note to my readers from London. I'll attend InfoSec London 2014; if you want to have a beer or share some "Security Thoughts" I'll be more than happy. Just drop me an email and I'll answer you shortly.

While I'll spend most of my time at stand M96, I'll try to attend some of the following sessions:

Hope to meet you there !

Thursday, April 3, 2014

Malware Writers.

I am not used to reporting malware analyses made by "big security companies", since they are easy to find in plenty of media. Linking such reports on my blog is useless because many of my readers would probably read those feeds before my blog. However, today I'd like to share a pretty nice article written by Symantec titled: Simple njRAT Fuels Nascent Middle East Cybercrime Scene. The described malware ("njRAT") is an old and simple malware already well described in reports 1009 and 1010 by General Dynamics. The malware can be traced back to a hacking team called "STTEAM" (2013), one of the last-born Middle East hacking teams. For the time being, the latest malware build and its own C&C can be found on the "official" njRAT website (high risk of infection on that site). Underground sources assert that one of the main .NET developers behind njRAT is called "Zehir" (zehirhacker@hotmail.com), already known for a revisited version of the ancient "asp shell".

Image taken from here.

Beside technical notes -- if you are interested in "bits and bytes" regarding this specific topic please refer to reports 1009 and 1010 by General Dynamics -- what is interesting about this malware is its geolocalization. It has been developed in the Middle East and it is spreading over most of the Middle East and North Africa regions, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya, as the image shows.
Quoting the Symantec report:
"The main reason for njRAT’s popularity in the Middle East and North Africa is a large online community providing support in the form of instructions and tutorials for the malware’s development. The malware’s author also appears to hail from the region. njRAT appears to have been written by a Kuwait-based individual who uses the Twitter handle @njq8. The account has been used to provide updates on when new versions of the malware are available to download."
I am deeply fascinated by the fast paradigm change in malware distribution. A few years ago malware writers would never make public their email address and/or Twitter account, even fake ones; nowadays malware writers leave their signature on what they deliver without caring too much about identity protection. Thanks to their uncovered traces it is possible to profile them: where they are from, which programming language they prefer, what malware they have already written, what their favorite target is, what websites they read and so forth. In my personal opinion this behavior is due to the latest hiring fashion (namely: hire a hacker!) which makes hackers heroes. Let's think about it and about how fast the malware world is growing up.

Tuesday, April 1, 2014

Cloud Security: Infographics

In the last 2 years I've been working mostly with private companies. Since "computer security" is often not a company's main business (... in fact, for many companies computer security is just a kind of "utility" ...) because it belongs to a different, often not even digitalized, world, having a survey of what they think about "security" is always a welcome help. The following infographic, made by PerspecSys, is a nice, concise and good-looking survey of what 130 security professionals from the RSA conference think about Cloud Security in the companies they serve.

Cloud Security Opinion

Cloud Security graphic by PerspecSys

Saturday, March 8, 2014

Managing and Writing

Today I simply want to share on my diary a great picture of my working day (this picture is a screen capture of a double monitor running a project in nodejs). This picture represents an amazing security project finally ready for its first public release and ... the desire to write "amazing code".

You will never have enough time to write the "perfect code" (whatever definition you give to "perfect code"); it doesn't matter whether you are working with Agile programming, Extreme programming, RAD (Rapid Application Development), waterfall, prototype development or spiral development: the time you have to build your amazing applications will be money driven and so, quite often, you will need to deal with timing issues.
But the good news is that nobody wants you to write the perfect code. What you have to do is improve your code step by step and write the best code for the time being.