LNK (Windows File Shortcut) Parser

CVE-2010-2568 needs a LNK file that points at a malicious DLL to cause harm. Feeling the urgency of parsing LNK files to trace any DLL present, we modified a small portion of the code from the Metasploit project so that it runs independently of the Metasploit framework. The original code is here. The main purpose of dumplinks.rb is to extract information from each LNK file. The code was originally written by davehull. Here is the output of the modified code:

The code in bold shows the DLL that is loaded by the LNK file. Below is the result from the PoC provided by ivanlef0u.

PDF Stream Filters – Part 2

It is very interesting to study the obfuscation techniques used by attackers in malicious PDF documents. As in my previous blog entry, one of the simplest yet interesting obfuscation techniques is cascaded filtering. This basically means that the malicious JavaScript code is buried beneath multiple layers of encoded stream.

In this particular sample that I was analyzing, the malicious JS was encoded or obfuscated with 4 stream filters (ASCIIHexDecode, LZWDecode, ASCII85Decode, RunLengthDecode, FlateDecode).

Personally, I find that doing stream extraction and decoding manually can be a very frustrating experience. Luckily, I stumbled upon pyew, a Python-based malware analysis tool that can be used to deobfuscate heavily obfuscated code (pun not intended!).

By identifying the offset where the content is located, we can seek through the file with pyew and it will automatically decode the encoded content.

PDF Stream Filter – Part 1

One of the challenges in analyzing malicious PDF documents is stream filtering. Malicious content in PDF files is usually compressed with stream filters, which makes analysis a bit more complicated.

In a PDF document, a stream object consists of a stream dictionary, the stream keyword, a sequence of bytes, and the endstream keyword. Malicious content inside a PDF file typically resides between the stream and endstream keywords, and usually it is compressed with a compression scheme such as:

  • ASCII85Decode
  • ASCIIHexDecode
  • FlateDecode
  • JBIG2Decode
  • LZWDecode
  • RunLengthDecode
  • etc.

Basically, there are two techniques used in stream filtering: single filtering and cascaded filtering. Single filtering means that just one compression scheme is used to compress the stream, while cascaded filtering means that more than one compression scheme is applied to the stream.

The most common compression schemes used are FlateDecode, ASCIIHexDecode, and ASCII85Decode. However, some of the latest malicious PDF samples have shown a trend towards other compression schemes such as JBIG2Decode, LZWDecode, and RunLengthDecode. This is because most PDF analysis tools (at least at the time of this writing) do not yet have features to decompress those compression schemes.

From the above screenshot, we can see the components of the stream object that I mentioned earlier. By looking at the object dictionary, we can identify the length (/Length) of the byte sequence in the stream, which is 4387, and the compression schemes used (from /Filter), which are FlateDecode and ASCIIHexDecode.

Decompressing single filtering is straightforward since we only need to undo one compression scheme. Cascaded filtering, on the other hand, needs multiple decompression operations. If you look at the screenshot above, you'll notice that the malicious content was encoded with ASCIIHexDecode and then compressed again with FlateDecode. Therefore, we need to follow the filter sequence: FlateDecode is decoded first, and then ASCIIHexDecode, to get the final analyzable content.
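The decoding order described here (and the layered streams discussed in the Part 2 entry above), as an added example that is not code from the original post or from pyew/pdf-parser: a small Python decoder that reads a stream object's /Filter entry and applies FlateDecode, ASCIIHexDecode, ASCII85Decode and RunLengthDecode in the listed order. The stream object and the JavaScript payload are constructed here; LZWDecode and JBIG2Decode are left out.

```python
import base64
import binascii
import re
import zlib

def ascii_hex_decode(data: bytes) -> bytes:
    """ASCIIHexDecode: hex digits, whitespace ignored, '>' marks end-of-data."""
    digits = b"".join(data.split(b">")[0].split())
    return binascii.unhexlify(digits + b"0" if len(digits) % 2 else digits)

def run_length_decode(data: bytes) -> bytes:
    """RunLengthDecode: L<128 copies next L+1 bytes, L>128 repeats next byte 257-L times, 128 ends."""
    out, i = bytearray(), 0
    while i < len(data) and data[i] != 128:
        n = data[i]
        if n < 128:
            out += data[i + 1:i + 2 + n]
            i += 2 + n
        else:
            out += data[i + 1:i + 2] * (257 - n)
            i += 2
    return bytes(out)

DECODERS = {b"FlateDecode": zlib.decompress, b"ASCIIHexDecode": ascii_hex_decode,
            b"ASCII85Decode": lambda d: base64.a85decode(d.split(b"~>")[0]),
            b"RunLengthDecode": run_length_decode}  # LZWDecode/JBIG2Decode not handled

def filter_chain(dictionary: bytes) -> list:
    """Filter names from /Filter, which is either a single name or an array."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", dictionary)
    return re.findall(rb"/(\w+)", m.group(1)) if m else []

def decode_stream(obj: bytes) -> bytes:
    """Apply the /Filter chain in the listed order (FlateDecode first here)."""
    m = re.search(rb"<<(?P<dict>.*?)>>\s*stream\r?\n", obj, re.S)
    d, data = m.group("dict"), obj[m.end():]
    length = re.search(rb"/Length\s+(\d+)", d)
    data = data[:int(length.group(1))] if length else data[:data.rfind(b"endstream")]
    for name in filter_chain(d):
        data = DECODERS[name](data)  # KeyError for a filter not supported above
    return data

PAYLOAD = b"app.alert('constructed sample');"  # stands in for the malicious JS

def build_sample() -> bytes:
    """Encode in reverse filter order: ASCIIHex first, then Flate on top."""
    flated = zlib.compress(binascii.hexlify(PAYLOAD) + b">")
    return (b"5 0 obj\n<< /Length %d /Filter [ /FlateDecode /ASCIIHexDecode ] >>\n"
            b"stream\n" % len(flated) + flated + b"\nendstream\nendobj\n")
```

Running decode_stream(build_sample()) returns the plain PAYLOAD; a stream that names a filter outside DECODERS raises KeyError, which is the point at which the tools mentioned in the text also stop.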

To name some of the useful PDF analysis tools available, tools like pdf-parser or pyew allow us to decompress stream objects that use single or cascaded filtering.

FIRST AGM and Annual Conference 2010

The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the wider global security community. The conference also creates opportunities for networking, collaboration, and sharing technical information and management practices. Just as importantly, the conference enables attendees to meet their peers and build confidential relationships across corporate disciplines and geographical boundaries.

We did it again 🙂 and this year, I presented on “Portable Destructive File (PDF): Attacks and Analysis”. The abstract of the presentation can be found here. The presentation is about how attacks on PDF readers are (generally) carried out and how analysis can be performed on malicious PDF documents.

There are many ways of attacking PDF documents. Exploiting vulnerabilities such as stack overflows (libtiff) and JavaScript engine bugs (util.printd/newplayer/etc.) inside the PDF application engine are some of the common techniques used. Exploiting features such as /Launch is also possible. During the presentation, I demonstrated how to quickly analyze a malicious PDF document using a couple of small tools such as pdftk, (patched) SpiderMonkey and sctest.

The conference was awesome and I am already looking forward to next year’s event. It was good to meet the usual suspects and, of course, new friends. 🙂

Evolution of Phishing Website

Take a look at the following phishing website:

Just another phishing website? Think again. Take a look at the page source:

The phisher is using an image instead of HTML. And YES, this technique can bypass DontPhishMe. I’ve worked on a new method to solve this problem and now DontPhishMe v0.3.1 is able to detect this type of phishing website.

Honeynet Project Annual workshop 2010

The Annual Honeynet Project workshop this year was held in Mexico City, Mexico. The workshop enables chapters from all over the globe to meet, discuss ideas, share experiences and develop our toolsets for data collection and analysis. It is an extremely valuable and unique event, where chapters from around 20 countries find the time to attend the 4-day workshop. What we liked about the event was the g33ky manner in which it was organized.

Three of us from MyCERT (CyberSecurity Malaysia Honeynet Chapter) attended and presented at the annual workshop. We contributed to the workshop by:

1) Presenting on our work on (malicious) PHP Sandbox aka PKAJI
2) Conducting a training on “Analyzing Malicious PDF”

This is one harmless photo from our training. Let us know if you’d like to have the slides.

Lastly, “Muchas Gracias” to UNAM Chapter for hosting the event.

mysql subqueries bug

After the pkaji project, we tried to add information/profiles for each RFI attack.

While writing code to dig out information stored in a database with many-to-many relationships, we found that MySQL was taking far too long.

From the investigation we made, the outermost SQL when using subqueries is not optimized because the MySQL engine fails to use the appropriate index.

The code in question displays the list of URLs of every RFI code that has been used by a particular (attacker) IP.

The information is stored in 3 tables: event, event2rfi and rfi. Here event and rfi have a many-to-many relationship, so event2rfi is the intermediate table that links event and rfi.

To find the list of URLs that have been used in attacks originating from ip=, the subqueries used are as follows:
Select url from rfi where rfi_id in
(Select rfi_id from event2rfi where event_id in
(select id from event where attacker=""))

Unfortunately, from the analysis made with the explain keyword, we found that MySQL fails to use the index present in the event table (even though an index had been created for the rfi_id field in the rfi table).
explain select url from rfi where rfi_id in (SELECT rfi_id FROM event2rfi WHERE event_id IN ( SELECT id FROM event WHERE attacker = '' ));
| id | select_type | table | type | possible_keys | key | key_len | ref | rows | Extra |
| 1 | PRIMARY | rfi | ALL | NULL | NULL | NULL | NULL | 65696 | Using where |
| 2 | DEPENDENT SUBQUERY | event2rfi | index_subquery | rfi_id | rfi_id | 8 | func | 28 | Using where |
| 3 | DEPENDENT SUBQUERY | event | unique_subquery | PRIMARY | PRIMARY | 4 | func | 1 | Using where |

In the first row, the possible_keys column contains the value NULL. This means the MySQL engine will not use any index, which causes data-lookup performance to plummet. We want to stress once again that the rfi table has an index on the rfi_id field, yet MySQL fails to recognize and use that index.

According to Uncle Google, version 5.2 will fix this problem. The version we are using is 5.1.37, the version shipped with the Ubuntu distro.
To speed up the lookup, the code was changed into 3 separate SQL statements.

The first SQL finds the list of event.id for the attackerIp.

The result obtained is used in the 2nd SQL, which finds the list of event2rfi.rfi_id where event2rfi.event_id in (X,Y,Z……).

Then the list of event2rfi.rfi_id is used in the 3rd lookup, which finds the list of rfi.url where rfi.rfi_id in (X,Y,Z……).

Problem solved. Nevertheless, it is rather surprising that this bug still occurs in MySQL, which people generally say is very good.

ruby mysql blob

Recently, one of MyCERT’s internal projects required PDF files to be saved into the database (MySQL). Since it is not easy to find sample code via Google, here’s a quick note for future reference.

Another thing is that the max file size for blob is 64k. To store more than that, one needs to use ‘longblob’. Not sure what the max size for this type is. Otherwise, your binary just gets truncated by MySQL without any warning (I spent quite some time debugging the code before realizing this). Happy trying!

Analysis on Java Web Start Argument Injection Exploit

The recent discovery of the Java Web Start Argument Injection vulnerability (CVE-2010-0886 and CVE-2010-0887) has opened a new opportunity for the bad guys to use it in drive-by download attacks.

Here is a short write-up on an example (in the wild) found earlier today that exploits this vulnerability.

The exploit was found on http://buckomre.com/ and here is the sequence of the attack once opened on a vulnerable machine:

  1. http://buckomre.com/ <- The main exploit page
  2. http://buckomre.com/50035/44680 <- A PDF exploit (not discussed in this entry)
  3. http://buckomre.com/50035/value3.php <- Here is where the Java vulnerability is triggered
  4. http://buckomre.com/50035/C0.php <- The JAR file that will be executed by the previous page
  5. http://buckomre.com/50035/54098876 <- The actual malware that will be downloaded and executed by the JAR

You can get more details from the Wepawet analysis result.

The 4th link in the list above leads to a JAR file called t4.jar. A JAR file? A Java malware? It is not really Java malware. t4.jar will later download a binary (MD5: 5493bb325f4b3a1cc6efab226d1c4600), which is the real malware, and execute it.

Let’s see a snippet of the JAR file’s code once decompiled:

And finally, let’s see the result of the Anubis analysis on the downloaded binary.

Oracle has released a security update for this issue on April 15, 2010. Users are highly encouraged to download the most recent release of Java SE to address these vulnerabilities.

Embedded Zbot trojan inside PDF file

We came across this new variant of malicious PDF that contains a ZBot infostealer Trojan.

When a user opens the PDF file, a pop-up will ask whether the user would like to save a file called Royal_Mail_Delivery_Notice.pdf. The unsuspecting user might assume that the file is just a PDF file and therefore save it to a local drive.

However, instead of saving a PDF, a Windows executable (a Zbot Trojan executable file) will be executed and consequently take control of the computer.

This malicious PDF is actually able to execute an embedded executable without exploiting any vulnerability. It uses the PDF functionality known as /Launch. In this particular sample, it asks to save a file that is claimed to be a PDF, and when the user clicks “Open”, the saved file is executed.

The screenshot containing the code snippet above shows that the malicious PDF file uses a /Launch action to run a Windows command. The command finds the saved Royal_Mail_Delivery_Notice.pdf and executes it silently.

In the screenshot above, the function this.exportDataObject() opens the file attachment with the specified cName “Royal_Mail_Delivery_Notice”. Note that the second parameter, nLaunch, which is set to 0, causes the file to be saved on the local machine.

To identify where the file is stored inside the PDF, we can trace it through the cName parameter, which happens to be in object 9.

In object 9 the file is not stored directly; instead we are redirected to object 10 through the /EmbeddedFiles dictionary, and in object 10 we are once again redirected to object 11 through the /Names dictionary.

Following the multiple ‘redirections’, we end up at object 11. Here we can see that object 11 is declared as a Filespec object type, which indicates that this object contains the file specification details for the embedded file. According to the PDF Reference (2nd Edition), within a Filespec object the value of the dictionary key /EF is an embedded file stream containing the corresponding file, so in this case the file stream lives inside object 12.

Gotcha! The file stream is indeed located inside object 12. From the stream above (after inflating FlateDecode), it is clear that it is the file stream of an executable, specifically a PE file, while the /Subtype is declared as a PDF file.

From here, we can dump the stream to a file for further analysis. Happy analyzing.
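The /Names → /EmbeddedFiles → Filespec → /EF chain walked above, done programmatically as an added example (not code from the original post): a Python check that parses a constructed PDF with the same object layout, flags /Launch actions and exportDataObject JavaScript, and compares each embedded file’s declared /Subtype with its real magic bytes. The object numbers, the attachment name and the stub PE image are all constructed here, and the only stream filter handled is FlateDecode.

```python
import re
import zlib

# Constructed sample (not the post's file) with the same object chain the post
# walks: /Names -> /EmbeddedFiles name tree -> Filespec /EF -> EmbeddedFile
# stream. The attachment declared as a PDF is really a PE image (MZ header).
_FLATED = zlib.compress(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00")
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Names 9 0 R /OpenAction 8 0 R >>\nendobj\n"
    b"8 0 obj\n<< /S /JavaScript /JS (this.exportDataObject({cName: "
    b"\"Royal_Mail_Delivery_Notice\", nLaunch: 0});) >>\nendobj\n"
    b"9 0 obj\n<< /EmbeddedFiles 10 0 R >>\nendobj\n"
    b"10 0 obj\n<< /Names [ (Royal_Mail_Delivery_Notice) 11 0 R ] >>\nendobj\n"
    b"11 0 obj\n<< /Type /Filespec /F (Royal_Mail_Delivery_Notice.pdf) /EF << /F 12 0 R >> >>\nendobj\n"
    b"12 0 obj\n<< /Type /EmbeddedFile /Subtype /application#2Fpdf /Filter /FlateDecode"
    b" /Length " + str(len(_FLATED)).encode() + b" >>\nstream\n" + _FLATED
    + b"\nendstream\nendobj\n13 0 obj\n<< /S /Launch /Win << /F (placeholder.exe) >> >>\nendobj\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", re.S)

def ref(body: bytes, key: bytes) -> int:
    """Object number of the indirect reference '/key N 0 R' in a dictionary."""
    return int(re.search(rb"/" + key + rb"\s+(\d+)\s+0\s+R", body).group(1))

def stream_data(body: bytes) -> bytes:
    """Stream bytes of an object, inflated if FlateDecode (the only filter here)."""
    raw = re.search(rb"stream\r?\n(.*?)\r?\nendstream", body, re.S).group(1)
    return zlib.decompress(raw) if b"/FlateDecode" in body else raw

def audit(pdf: bytes) -> dict:
    """Flag /Launch actions, exportDataObject JS, and embedded files whose magic bytes disagree with /Subtype."""
    objs = {int(n): body for n, body in OBJ_RE.findall(pdf)}
    report = {"launch": [], "export_js": [], "embedded": []}
    for num, body in objs.items():
        if re.search(rb"/S\s*/Launch\b", body):
            report["launch"].append(num)
        if b"exportDataObject" in body:
            report["export_js"].append(num)
        if b"/EmbeddedFiles" in body:  # walk name tree -> Filespec -> /EF stream
            tree = objs[ref(body, b"EmbeddedFiles")]
            for name, spec in re.findall(rb"\(([^)]*)\)\s+(\d+)\s+0\s+R", tree):
                ef = re.search(rb"/EF\s*<<\s*/F\s+(\d+)\s+0\s+R", objs[int(spec)])
                stream_obj = objs[int(ef.group(1))]
                declared = re.search(rb"/Subtype\s*/(\S+)", stream_obj)
                report["embedded"].append({
                    "name": name.decode(), "object": int(ef.group(1)),
                    "declared": declared.group(1).decode() if declared else "",
                    "is_pe": stream_data(stream_obj).startswith(b"MZ")})
    return report
```

audit(SAMPLE_PDF) reports the /Launch object, the exportDataObject script, and one embedded file declared as application/pdf whose stream begins with MZ, which is exactly the mismatch the post finds in object 12.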