Microsoft DirectShow msvidctl.dll 0day

Another 0-day targeting Microsoft Internet Explorer has been released in the wild. The bug is inside msvidctl.dll when it handles media files (*.gif files have been used in the in-the-wild exploitation). Below is the in-the-wild exploit as analysed by us (we modified the shellcode to %uxcccc).

Figure 1.0 shows the exception handler being executed and pointing to our jump address (0c0c0c0c).

Figure 2.0 shows the shellcode (xcc) being executed.

[Figure 1.0: IE 0day]

[Figure 2.0: IE 0day 2]

It’s not really a common stack overflow bug. Please read the excellent vulnerability analysis done by Websense here.

We released an advisory and workaround (yes, with pictures) on how to set the ‘kill-bit’ for this particular CLSID.

Conficker.C and DNS

We have been working on tracking Conficker’s DNS queries in order to identify machines/networks infected with Conficker.C. Tracking 50K DNS names and 500++ queries from each Conficker instance is a bit troublesome when you have to record all the DNS queries (200M records/day) and compare them with the 50K/day Conficker.C domain names. :) The main idea behind this work is that infected machines can be identified from the queries Conficker.C makes to contact Conficker.C’s C&C. Below is one of the results from our tracking of Conficker.C DNS queries to the .MY domains in the hitlist:
[Figure: Conficker's DNS Queries to .MY]

Another one:
[Figure: Another Conficker's DNS Queries to .MY]

Looking at the trends in both pictures, they are coming from the same source (see the geomap). Why?..:)

The tracker is basically Ruby code built on top of the dnsruby and ruby-pcap libraries, collecting packets and processing only the DNS packets. So far the tracker is working fine, except when it receives malformed DNS traffic, which it normally discards.

Automated Unpacking Conficker Worm Variant B

The infamous worm Conficker, which surfaced on 21 November 2009 and is set to time-bomb on 1 April 2009, was literally all over the media. Although studying its malware source code is the best way to fully understand its features and impacts, getting the source code to study is sometimes impossible. There is still an alternative way, which is reverse engineering the binary file. A lot of malware writers use a packer to pack the malware, whether the packer is written by them or downloaded from the Internet. During the analysis of the Conficker worm, MyCERT found that the worm had been compressed by a custom “run-time packer”. This section will focus on the techniques of automated unpacking of Conficker worm variant B.

Useful tools:

  1. Ollydbg v1.10 [Download: http://www.ollydbg.de/ ]
  2. OllyScript v1.67.3 [Download: http://odbgscript.sourceforge.net/]
  3. Script [Download: https://blog.honeynet.org.my/mirror/Uncompress_ConfickerB_version2.osc]

Steps:

  1. Copy the files “ODbgScript.dll” and “Uncompress_ConfickerB_version2.osc” into the OllyDbg folder.
  2. Open OllyDbg.exe and load the binary file of Conficker variant B.
  3. Check the signature of the packer entry as below:
    1. CMP BYTE PTR SS:[ESP+8], 1
    2. JNZ conficker.xxxxxxxx
  4. Open the OllyScript window with “Plugins” -> “ODbgScript” -> “Script Window”.
  5. Right click in the OllyScript window -> select “Run Script” -> “Open” and select the file “Uncompress_ConfickerB_version2.osc”. The script will run automatically and unpack the Conficker worm binary. OllyDbg now lands at the Original Entry Point (OEP) of the binary file.

Conficker: The other not so famous Variant A

There are a lot more discussions going on about Conficker variant C (ConfickerC) because of 1st April. Why 1st April? The 1st of April is the day ConfickerC should call home for updates. The domain name generation algorithm used by ConfickerC makes blocking or detecting live ConfickerC update servers harder, since it will search about 50K domain names. :D Please refer to SRI’s excellent write-up for more information about ConfickerC here. The MyCERT advisory about ConfickerC is here.

I can’t say much about the current situation, but based on my observation of the DNS traffic we have, we only observed a low volume of traffic contacting ConfickerC domain names hosted in the .my domain. Maybe because it wasn’t the time yet (my timeframe of observation was 27-29 March 09).

Compared to ConfickerA (variant A), we observed more traffic looking for the domain name trafficconverter.biz. Trafficconverter.biz is the server that is contacted by ConfickerA. Take a look at a ConfickerA file sample and you’ll see the domain name. It’s very disturbing to notice that variant A is still out there screaming for its C&C server while a lot more of the discussion has switched to ConfickerC.

....................SNIP ...............SNIP....................
....................SNIP ...............SNIP....................

Sat Mar 28 17:29:00 +0800 2009 - 202.XXX.YY.132 is looking for trafficconverter.biz.XXX.my
Sat Mar 28 16:32:07 +0800 2009 - XXX.60.YY.229 is looking for trafficconverter.biz.XXX.my
Sat Mar 28 15:29:41 +0800 2009 - 203.XXX.YY.85 is looking for trafficconverter.biz.XXX.my
Sat Mar 28 15:46:26 +0800 2009 - 202.YY.56.XXX is looking for trafficconverter.biz.XXX.my
Sat Mar 28 15:15:55 +0800 2009 - 202.XX.XX.229 is looking for trafficconverter.biz.XXX.XXX.my

....................SNIP ...............SNIP....................
....................SNIP ...............SNIP....................

During the timeframe (27-29 March 09), there were about 1167+ DNS queries looking for trafficconverter.biz. That is still considered a big infection based on DNS query traffic alone. Luckily trafficconverter.biz is no longer running. But the infected machines still need to be cleaned up.
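As an added example (my own Ruby, not the MyCERT tracker’s code), here is a hitlist matcher over tracker-style output lines like the ones quoted above for both the Conficker.C hitlist tracking and the trafficconverter.biz lookups: it normalises each queried name, tries its label prefixes against a hitlist so a lookup with a resolver search suffix appended (trafficconverter.biz.XXX.my) still matches, counts hits per source, and discards lines it cannot parse, the way the tracker discards malformed DNS packets. The hitlist entries, addresses and log lines are constructed.

```ruby
# Added example, not the MyCERT tracker: match queried names against a Conficker-style
# domain hitlist and count matches per querying host.
require 'set'

# Constructed hitlist: stand-ins for generated .my names plus the variant A C&C domain.
HITLIST = Set.new(%w[trafficconverter.biz abcde.my fghij.com.my]).freeze

# Return the hitlist entry a query name matches, or nil. The name is lowercased and its
# trailing dot dropped; every label prefix is tried so that a resolver search suffix
# appended to the lookup (trafficconverter.biz.corp.my) still matches trafficconverter.biz.
def hitlist_match(qname, hitlist = HITLIST)
  labels = qname.to_s.downcase.chomp('.').split('.')
  (labels.size - 1).downto(0) do |j|
    candidate = labels[0..j].join('.')
    return candidate if hitlist.include?(candidate)
  end
  nil
end

# One line of tracker output: "<timestamp> - <src> is looking for <qname>".
LINE_RE = /\A(?<ts>.+?) - (?<src>\S+) is looking for (?<qname>\S+)\z/

# Count hitlist matches per source address. Lines that do not parse are discarded,
# the same way the tracker discards malformed DNS packets.
def suspected_sources(lines, hitlist = HITLIST)
  counts = Hash.new(0)
  lines.each do |line|
    m = LINE_RE.match(line.strip)
    next unless m && hitlist_match(m[:qname], hitlist)
    counts[m[:src]] += 1
  end
  counts
end

# Constructed sample in the same shape as the tracker output quoted above.
SAMPLE_LOG = <<~LOG
  Sat Mar 28 17:29:00 +0800 2009 - 192.0.2.10 is looking for trafficconverter.biz.example.my
  Sat Mar 28 17:29:05 +0800 2009 - 192.0.2.10 is looking for abcde.my.
  Sat Mar 28 17:30:11 +0800 2009 - 192.0.2.77 is looking for www.example.com
  this line is not tracker output and is skipped
  Sat Mar 28 17:31:00 +0800 2009 - 192.0.2.20 is looking for FGHIJ.COM.MY
LOG

if __FILE__ == $PROGRAM_NAME
  suspected_sources(SAMPLE_LOG.each_line).each { |src, n| puts "#{src}: #{n} hitlist queries" }
end
```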

We already released our advisory for ConfickerA, which also mentions tools that can be used to remove ConfickerA. The advisory is here. If you haven’t patched MS08-067, please do so.

Log Files: Dealing with Inconsistent Field Delimiters

Salam,

Log files are big. Processing them would be cumbersome, especially if the field separator is not unique.

Take a look at the contents of the file example.log below:

"209.34.23.99",6667,"Rembau, NSembilan,Malaysia","GET /phpmyadmin ",404
"238.34.23.99",80,"Selangor","GET /phpmyadmin/ ,200
"21.34.23.99",9090,"A. Star, Kedah, Malysia","GET /phpmyadmin/favicon.ico,404
"120.34.23.99",6667,"Malysia","GET /phpmyadmin/print.css,404
"2.34.23.99",993,"A. Star, Kedah, Malysia","GET /phpmyadmin/phpmyadmin.css.php?lang=en-utf-8,404

At first sight, anybody would agree to use ',' as the field separator. But hey, the third field contains that same character.

If we insist on choosing (',') as our separator, the number of fields will not be consistent throughout the file:
line 1 would have 7 fields, line 2 has 5 fields, etc.

If the task is to print the IP number and the file requested, how should we do that?

Luckily, gawk has a special keyword, NF, which means number of fields.
But first, to print just the first and second fields using gawk:

gawk -F ',' '{print $1, $2}' example.log

# -F tells gawk which character is the field separator; the comma in print separates the output fields with a space

In example.log, the file requested is in the second-last column. On line 1 it is field 6, while on line 2 it is field 4.

In this case we can use the NF keyword in gawk. NF contains the number of fields in each line. To get the second-last column, we can use $(NF-1) as below:

gawk -F ',' '{print $1, $(NF-1)}' example.log

Hope that helps.

Securing PHP : Disabling Dangerous PHP Functions

PHP is a very popular language nowadays. But at the same time, it’s also one of the main sources of user accounts and servers getting compromised. Every PHP developer and hoster should understand the primary attack vectors used by attackers against PHP applications. They should also be able to classify which PHP functions are allowed to be used and disable certain functions that can be categorized as dangerous.

Based on my experience and a big help from Google, I can categorize the functions listed in the disable_functions setting below as dangerous :-

Now you need to verify your php.ini location: in the phpinfo() output, look for Configuration File (php.ini) Path.

[Figure: phpinfo output]

Now, edit the configuration file with root permissions:

sudo nano /etc/php5/apache2/php.ini

Look for the line disable_functions = “” and modify it to:

disable_functions = "shell_exec, eval, exec, system, proc_get_status, inject_code, proc_nice, proc_open, proc_terminate, apache_child_terminate, apache_setenv, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, popen, escapeshellcmd, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, syslog, xmlrpc_entity_decode, proc_close, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, passthru, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, mysql_pconnect, escapeshellarg, highlight_file, define_syslog_variables, ini_restore, ini_alter, ini_get_all, openlog"

Make sure you save before exiting.

Now restart Apache for the changes to take effect.

The default PHP configuration is intended for development purposes. Therefore, it is always advisable to reconfigure PHP before going into the production phase. Some security settings are also recommended during the development phase to prevent programmers from producing vulnerable code and to make them stick to secure techniques.
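As an added check (my own Ruby, not part of the post), this audits the disable_functions line of a php.ini before it goes to production: it confirms a required set of functions is covered, reports duplicate entries, and flags eval, which is a language construct rather than a function and so is not blocked by disable_functions. The php.ini fragment and the required set are constructed assumptions.

```ruby
# Added example, not from the post: audit a php.ini disable_functions setting.

# Constructed php.ini fragment, with a commented-out line, a duplicate and a misspelt entry.
SAMPLE_INI = <<~INI
  ; PHP configuration (constructed)
  ;disable_functions = "exec"
  disable_functions = "shell_exec, eval, exec,system, proc_open, posix_setuid, posix_setuid, osix_setuid"
INI

# Functions a production php.ini should block (assumption for this check; extend as needed).
REQUIRED = %w[shell_exec exec system passthru popen proc_open].freeze

# Parse the active (uncommented) disable_functions line into a lowercased, trimmed array.
# Duplicates are kept so the audit can report them.
def parse_disable_functions(ini_text)
  line = ini_text.each_line.map(&:strip).find { |l| l =~ /\Adisable_functions\s*=/ }
  return [] unless line
  value = line.split('=', 2)[1].strip.delete('"\'')
  value.split(',').map { |f| f.strip.downcase }.reject(&:empty?)
end

# Report what is missing, what is listed twice, and what is listed but has no effect.
def audit_disable_functions(ini_text, required = REQUIRED)
  listed = parse_disable_functions(ini_text)
  {
    missing:     required - listed,
    duplicates:  listed.group_by(&:itself).select { |_, v| v.size > 1 }.keys,
    # eval is a language construct, not a function: disable_functions cannot block it.
    ineffective: listed & %w[eval]
  }
end

if __FILE__ == $PROGRAM_NAME
  audit_disable_functions(SAMPLE_INI).each { |k, v| puts "#{k}: #{v.join(', ')}" }
end
```

A misspelt entry such as osix_setuid silently disables nothing, so compare the parsed list against what you intended rather than trusting the line by eye.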

Until next episode..
