Posted on Leave a comment

New anti-APT tools are no silver bullets: An independent test of APT attack detection appliances

New anti-APT tools are no silver bullets:
An independent test of APT attack detection appliances

CrySyS Lab, BME http://www.crysys.hu/
MRG-Effitas https://www.mrg-effitas.com/

November 26, 2014.

The term Advanced Persistent Threat (APT) refers to a potential attacker that has the capability and the intent to carry out advanced attacks against specific high profile targets in order to compromise their systems and maintain permanent control over them in a stealthy manner. APT attacks often rely on new malware, which is not yet known to and recognized by traditional anti-virus products. Therefore, a range of new solutions, specifically designed to detect APT attacks, have appeared on the market in the recent past, including Cisco’s SourceFire, Checkpoint, Damballa, Fidelis XPS, FireEye, Fortinet, LastLine, Palo Alto’s WildFire, Trend Micro’s Deep Discovery and Websense.

While these tools are useful, determining their real effectiveness is challenging, because measuring their detection rate would require testing them with new, previously unseen malware samples with characteristics similar to those of advanced malware used by APT attackers. Developing such test samples require special expertise and experience obtained either through the development of advanced targeted malware or at least through extensive analysis of known samples.

We in the CrySyS Lab, together with our colleagues at MRG Effitas, decided to join our forces and perform a test of leading APT attack detection tools using custom developed samples. MRG Effitas has a lot of experience in testing anti-virus products, while the CrySyS Lab has a very good understanding of APT attacks gained through the analysis of many targeted malware campaigns. Therefore, collaborating and bringing together our complementary sets of expertise looked like a promising idea. Our goal was not to determine the detection rates of different APT attack detection products, because that would have required testing with a large set of custom developed malware samples, which was not feasible to obtain within the limited time frame and with the limited resources we had for the test. Instead, our goal was simply to implement some ideas we had for bypassing cutting-edge APT attack detection tools without actually being detected, and to test if our ideas really work in practice.

We developed 4 custom samples in 2 weeks and without access to any APT attack detection tools during the development, and then later tested with these samples 5 APT attack detection solutions in Q3 2014. All 5 tested products are well-established in the market; however, we cannot mention vendor names publicly. The result of the test was alarming:
– one of our 4 custom samples bypassed all 5 products,
– another sample of the remaining 3 samples bypassed 3 products,
– only the two simplest samples have been detected by the tested products, and even those triggered alarms with low severity in some cases.

We made the full report (https://blog.mrg-effitas.com/wp-content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf) on our test available online. It contains our test methodology, including a brief description of each sample we developed for the purpose of the test, and we also present in it the test results in more details. We decided to publish this report for multiple reasons:
– First of all, we believe that our test was more appropriate for evaluating the detection capabilities of APT attack detection tools than some earlier, heavily criticized tests were, because unlike earlier tests, we used custom developed samples that resemble the malware used in APT attacks.
– Second, some of the products that we tested seem to be overestimated by the users who believe that those products are silver bullets. On the other hand, we have already emphasized at multiple occasions that these products can and will be bypassed by determined attackers. Our test is a clear proof of this, and if we could do that, then APT attackers will also be able to do that, if they have not done so yet.
– Third, we observed that some vendors of APT attack detection tools are often reluctant to participate in tests that try to evaluate the effectiveness of their products. On the one hand, we understand their caution, but on the other hand, we all know that the approach of security by obscurity has its own pitfalls. By publishing this report, we would like to encourage anti-APT tool vendors to participate in independent tests more readily and cooperatively, in order to have sufficient amount of convincing results about their products, based on which well-informed decisions can be made by the users.
– And last but not least, we believe that there are significant differences in the APT detection capabilities of the tested products, and users should be aware that not all vendors provide the same detection rate.

The test sample that bypassed all 5 tested products was developed by the CrySyS Lab. It is a custom designed sample written in C++ with a server side written in PHP. It was designed to be as stealthy as possible. It is downloaded by the victim as part of an HTML page, where it is actually hidden in an image with steganography. The downloaded page also contains scripts that extract an executable from the image when the user clicks on something that appears to be a download button. Once the sample is running, it can communicate with a remote C&C server. To hide the C&C network traffic, the sample simulates a user clicking on links in a web forum, and downloads full HTML pages with CSS style sheets and images. The real C&C traffic is hidden inside these HTTP requests. The sample allows for file download from and upload to the C&C server, as well as remote execution of commands on the victim computer.

We named this test sample BAB0, which (babo) means hobbit in Hungarian, as its objective was to stealthily bypass all state-of-the-art defenses, while actually being very simple, and this situation shows a parallel to the story of the Lord of the Rings, where Frodo, the small hobbit managed to bypass all defenses of the fearsome Sauron, the Lord of Mordor, and reached Amon Amarth, where the One Ring was finally destroyed.

We have a strong intention to publish BAB0 in the near future. This may seem to be controversial, as making the details of BAB0 publicly available can help attackers. We have a different opinion: Powerful attackers have probably been using already similar tricks, but apparently detection tools are not yet prepared to cope with them. By publishing BAB0, we push anti-APT vendors to strengthen their products, which will ultimately make the attackers’ job harder.

For further information, please contact either Zoltan Balázs (Zoltan.Balazs@mrg-effitas.com) or Levente Buttyán (buttyan@crysys.hu). Please note that we cannot provide any vendor specific information about the tests, but we can help organizations to test the products integrated in their environment.

Posted on Leave a comment

The Epic Turla Operation: Information on Command and Control Server infrastructure

Together with international partners, we have investigated the Turla/Uroburos/Snake related Epic/Wipbot/TavDig/Wordlcupsec operations and the command and control server infrastructure of it. Although hundreds of servers related to the threats were discovered by the community, most of them are not alive as of the analysis. We tried to obtain as much information as possible on the operation, structure and data related to these servers.

Our findings are summarized in our short report

For further information please also check Kaspersky Securelist Post,Symantec blog entry too.

Posted on Leave a comment

MiniDuke 2 (CosmicDuke)

*UPDATE: fixed 4 hashes – 1 character was missing
*UPDATE: 93deb98d89b8acfa4115ce1ca89ac26a45aae4563c3a454bf8b2a26886f40a46 most likely is a False Positive (FP) and not evil
*UPDATE: 8290b324f5cdb5c3ea17fa48a74bc11c856f0da0b049d07d9316d161f71f26a5 is old miniduke sample from 2013

February, 2013 we conducted research together with Kaspersky Lab on a malware campaign called MiniDuke. The research on the threat has not stopped. In 2014 Eset published MiniDuke still duking it out information on related attacks, which we can confirm and for which we’ve sent out some additional information towards the incident response community.

Lately, F-Secure published on CosmicDuke ( see CosmicDuke – Cosmu with a twist of MiniDuke.
Today, Kaspersky Lab also added more insight ( Miniduke is back: Nemesis Gemina and the Botgen Studio) on the threat.

As the information on the threat is now publicly available, we also release some additional hints that can help you to find infections (indicators of compromise).

Hosts:

194.69.193.147
69.89.31.57
72.167.13.78
192.155.88.252
188.241.115.41
31.44.186.38
94.242.199.88
212.76.128.149
91.224.141.235
199.231.188.109
46.246.120.178
178.21.172.157
188.116.32.164
64.18.143.90
209.99.17.27
212.7.198.107

User names for FTP authentication:

upgor
dlgor
kweku
menelaos
heres
lorine
madonna
johan
horus
lofter
adair

Related file hashes:

8778738067b37380d3d05d3eb6fb39478fc34a209959639db752863ea52776e3
58b6119d24eddc536af94c4cfeb28efe78d42856c8436a69a77fcc9f15414b6c
63035a73a19b2b2033d6ea3a269ba175b3e80ef31b914bb247a829efba30fd01
974e1deb961d2a9228444e02db21943072f981045b026cd171c7ece294351c36
2f7a286504336eb8765e68efbf8447e147585c02066a4f85102f4f6b93bc35cb
bf0d84fdc087c3f37cfab3f0492ec8f04de98e5a4c823d5f60851cc5eef438de
145688e8ebccb088da78216f4661c85e93da376da6ea707bb6b7b746ad47f4e1
880ae80fdc874002a6d9c807802794d4a35c384551d73bb36277b2f1e63d67e2
47f3405ab0da5af125bcc6ebb6d17a1573b090c54d7a0a00630ec170ccc4b9d1
5b50e26a01b320f05d66727e9d220d5858cdac203ff62e4b9ced1cafc2683637
9e3c407d3bbf2a69cf6509994ffb17b45c58c3adaf3dc876b23e7d0575e24ca0
7e371cd323898e403df7a80add34d791e160e443bcd2d02f27ddc0c04ba1bdab
9ce93f04dbb6a3b833f1146a54dadfdc224fdf24e3cca1f8a1eb4e902d597ff6
1fe180e5a40ed462a6544f4e428b996043decfdf863980501c51cbd7e3bd96c6
3161f7389ff0f71484dd8a6e2583cc0ada73f79fd4e6ef8b772fa2a738284d3a
5dc69a1fefa3a050b36a2c3aff037660010824aa5d56a2e03babedd7a53b443e
70fd11726810e30e4dc34a530edf2b349f913b1e492c73eb1115204fcdd3cd59
--> likely False Positive: 93deb98d89b8acfa4115ce1ca89ac26a45aae4563c3a454bf8b2a26886f40a46
c4c4776bed7e69bf8efacb3f6904f8c06889680c590ec728ae59c0ff6e8cfa05
64e3a2bba82027dd6ff631fa5890a7ba8331b62a0a4c0b1ca24d143c2b61c323
9c2562e05eb940ae8d73c9baa7cfe85cb3ec619689227f65e4fbeeb3fec598ad
7d1ca4a7684877753d5f4ca2d7599c7d87f231a7215945ef17447309f25da62a
7e371cd323898e403df7a80add34d791e160e443bcd2d02f27ddc0c04ba1bdab
dad4c4aea24f2bd3e2f4b93bf782ebef70e8fdf930aff25a3e1b85a717314aa0
d19acbc3686e05726ca572ff455519db9d7e0707450a3c9cb804c0f0fe6a0d7a
e94b97716d354a21dcff365e91d2f445fe2cac6a01a38f6dd1c921c57eeafef4
7e9c0bda27bbc80d947bc0c6ce29a19c824288d2b481f92a1637b7b8dfc8b81c
8c6c57f7e9c81fcf194d17a752f8da4295fab5dad8eb79bd289256b9cdb7415e
3f1ec44b421061173f7cbdbe2b4b0ec9457fdb146e126dc2a0763a69a452ce3c
ceff70f02f18ef4c1fa0d1b07b9462e04e57e98c4ea91e6a8ff29478197c4742
4ea49a33977a93aed17fef02a54ee8f6138d005259cf55c32cab3e23480053cf
bdc9c247ad790ec60ffd26455e49425cb1fe32f58623d9ac470a7104a0592dd3
--> This is old miniduke sample 8290b324f5cdb5c3ea17fa48a74bc11c856f0da0b049d07d9316d161f71f26a5
51b4e69183f3d02124f3314cc64a7869425f053d8021c74c12f21d7c2afe2163
bd4928921ddadb44f9f573da61dac034533bf14fe38acd5754f3ccec1d566300
64e3a2bba82027dd6ff631fa5890a7ba8331b62a0a4c0b1ca24d143c2b61c323
14ebcb27436b338d63e731b5c369c5d33c38ce5066f995093bc6826bd799103b
3e889cd495e008760fd12751d6d45cadf8a7280c4545f2ebe469f84b9b77c835
1590bdbaff2c178387e924b689b030057b4cbd2865e9c4dd3886a8791ac8e4ee
cb4fc98f33021ac890e717f8927bfcaddaaacac9bf9be71578c7baaf9f9cbf02

Posted on Leave a comment

GameOver Zeus now uses Encryption to bypass Perimeter Security – .enc encryption

The criminals behind the malware delivery system for GameOver Zeus have a new trick. Encrypting their EXE file so that as it passes through your firewall, webfilters, network intrusion detection systems and any other defenses you may have in place, it is doing so as a non-executable “.ENC” file. If you are in charge of network security for your Enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently.

Gary Warner wrote a blogpost over it, and shared some files and information with us. The question was, how the .enc file is decoded and used.

The droppers sent out through emails are pretty small, around 10-18 kb. These droppers have an obfuscation layer, so hard to directly analyze them. However, with volatility it was relatively easy with procexedump to extract a small, 5k downloader that actually connects to a server to download the related .enc file, decrypt and decompress it, and execute.

The encrypted files look like this at the beginning:

0000000000: 5A 5A 50 00 E7 31 0E 1E │ 02 17 0E 50 58 87 0E D1 ZZP ç1♫▲☻↨♫PX┼♫Ń
0000000010: 5C 87 3E AC A7 87 0E EB │ 58 BF 23 52 58 C7 0A 6B \┼>¬§┼♫ëXż#RXÇ◙k
0000000020: 41 87 E6 53 54 89 11 53 │ E2 89 0E E7 51 4A 2F EB A┼ćST%◄Sâ%♫çQJ/ë
0000000030: 58 86 42 9E 79 D3 66 3A │ 2B 87 2E 23 2A E8 69 21 X┼BžyÓf:+┼.#*či!
0000000040: 39 EA 0E 73 3B E6 60 3D │ 37 F3 2E 53 3A E2 2E 21 9ę♫s;ć`=7ó.S:â.!

ZZP\0 is a magic string, then a compressed and encrypted part is stored (here: 0xE7 0x31…)

After downloading the .enc file the dropper checks the magic:

.text:00971450 cmp byte ptr [esi], 5Ah
.text:00971453 jnz short loc_9714D2
.text:00971455 cmp byte ptr [esi+1], 5Ah
.text:00971459 jnz short loc_9714D2
.text:0097145B cmp byte ptr [esi+2], 50h
.text:0097145F jnz short loc_9714D2
.text:00971461 cmp [esi+3], bl
.text:00971464 jnz short loc_9714D2
.text:00971466 shl eax, 2
.text:00971469 push eax ; dwBytes
.text:0097146A push 8 ; dwFlags

… and does the decryption….
.text:0097149C loc_97149C: ; CODE XREF: start+455j
.text:0097149C xor [esi+ecx*4], eax
.text:0097149F mov edi, [ebp+78h+Buffer]
.text:009714A2 inc ecx
.text:009714A3 shr edi, 2
.text:009714A6 cmp ecx, edi
.text:009714A8 jb short loc_97149C

eax stores the encryption key, which is 32 bits long.
The executable stores its configuration in a compressed form, but in cleartext.

0000001000: 85 B0 00 64 63 6D 73 73 │ 65 72 76 00 69 63 65 73 •° dcmsserv ices
0000001010: 2E 63 6F 6D 02 00 0C 00 │ 2F 69 6D 61 67 65 80 73 .com☻ ♀ /image?s
0000001020: 2F 73 74 6F 72 69 01 1C │ 08 6C 69 64 00 18 70 64 /stori☺∟◘lid ↑pd
0000001030: 66 2E 18 65 6E 63 0D B4 │ 0F 00 B8 37 B8 0A 1E 01 f.↑enc♪´☼ ¸7¸◙▲☺
0000001040: 0E 02 00 06 65 6C 65 63 │ 00 74 72 69 63 69 61 6E ♫☻ ♠elec trician
0000001050: 73 00 64 75 62 6C 69 6E │ 69 72 20 65 6C 61 6E 64 s dublinir eland
0000001060: 04 78 2F 77 00 70 2D 63 │ 6F 6E 74 65 6E 00 74 2F ♦x/w p-conten t/
0000001070: 75 70 6C 6F 61 64 00 73 │ 2F 32 30 31 34 2F 30 16 upload s/2014/0▬
0000001080: 31 22 70 02 6B 01 03 6B │ 00 00 00 00 00 00 00 00 1"p☻k☺♥k

The compression here is RtlDecompressBuffer standard windows call.

rtldecompressbuffer_dword_972000 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))GetProcAddress(v9, "RtlDecompressBuffer");

It is called like this:
rtldecompressbuffer_dword_972000(0x102u, v11, 1024, &unk_974000, 256, &v36);

0x102 stands for: 0x100 for max compression level, 0x02 for LZNT1 compression algorithm.

If you don’t have LZNT1 related code at hand, you might use the tool available at the following address: http://reboot.pro/files/file/121-lznt1-tools-bootmgrntfs/
It does not work for all the samples, but works most of the time.

So decompressed config looks like this:

0000000000: 64 63 6D 73 73 65 72 76 │ 69 63 65 73 2E 63 6F 6D dcmsservices.com
0000000010: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000020: 2F 69 6D 61 67 65 73 2F │ 73 74 6F 72 69 65 73 2F /images/stories/
0000000030: 73 6C 69 64 65 73 2F 70 │ 64 66 2E 65 6E 63 00 00 slides/pdf.enc
0000000040: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000050: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000060: B8 37 B8 1E 00 00 00 00 │ 02 00 00 00 65 6C 65 63 ¸7¸▲ ☻ elec
0000000070: 74 72 69 63 69 61 6E 73 │ 64 75 62 6C 69 6E 69 72 triciansdublinir
0000000080: 65 6C 61 6E 64 2E 63 6F │ 6D 00 00 00 2F 77 70 2D eland.com /wp-
0000000090: 63 6F 6E 74 65 6E 74 2F │ 75 70 6C 6F 61 64 73 2F content/uploads/
00000000A0: 32 30 31 34 2F 30 31 2F │ 70 64 66 2E 65 6E 63 00 2014/01/pdf.enc
00000000B0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000C0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 B8 37 B8 1E ¸7¸▲
00000000D0: 00 01 00 00 02 00 00 00 │ ☺ ☻

The 32-bits xor code used for encryption is stored 0x60 bytes after the beginning of this buffer, that means, for both servers it is 0b8 0x37 0xb8 0x1e.
This should be used cyclically on the .enc file to get the compressed file , which again is compressed with RTLCompressBuffer call.

So how to make a universal decoder for .enc files?

Let’s check this one:

0000000000: 5A 5A 50 00 5F 8D B8 53 │ E2 A7 B8 1D B8 37 B8 9C ZZP _Ť¸S⧸↔¸7¸ś
0000000010: BC 37 88 E1 47 37 B8 A6 │ B8 0F 95 1F B8 77 BC 26 Ľ7?áG7¸|¸☼•▼¸wĽ&
0000000020: A1 37 60 1E B4 39 A7 1E │ 02 39 B8 AA B1 FA 99 A6 ˇ7`▲´9§▲☻9¸Ş+út|
0000000030: B8 36 F4 D3 99 63 D0 77 │ CB 37 98 6E CA 58 DF 6C ¸6ôÓtcĐwË7?nĘXßl

I’m cheating and telling you that it will be decrypted to

0000000000: E7 BA 00 4D 5A 90 00 03 │ 00 00 00 82 04 00 30 FF çş MZ? ♥ '♦ 0˙
0000000010: FF 00 00 B8 00 38 2D 01 │ 00 40 04 38 19 00 D8 00 ˙ ¸ 8-☺ @♦8↓ Ř
0000000020: 0C 0E 1F 00 BA 0E 00 B4 │ 09 CD 21 B8 00 01 4C CD ♀♫▼ ş♫ ´○Í!¸ ☺LÍ

Where B8->00 53->4D E2->5A A7->90 is the transformation.
4D 5A is the standard PE header, and for all the .enc files, the next byte was 0x90. Before the MZ header, the compression magic always contains a 0x00 byte. So we have 4 fixed bytes. Hence let’s calculate the key:

1st byte: 0xB8 xor 0x00 = 0xb8
2nd byte: 0x53 xor 0x4D = 0x1E
3rd byte: 0xE2 xor 0x5A = 0xb8
4th byte: 0xA7 xor 0x90 = 0x37

Remember the config file? The key was B8 37 B8 1E, this is just a rotated version of it with 2 bytes shift as you know, the magic starts with two additional bytes.

So as these bytes are currerntly constants, it’s evident to create a generic decryptor too for the .enc files, that works without the hard coded key, only with the .enc files. After decrypting, of course, you have to run RTLDecompressBuffer to get the actual executable.
Note, there is another small encryption routine in the 5k dropper, we did not fully investigate what it codes:

.text:00971000 encrypt_sub_971000 proc near ; CODE XREF: start+4AFp
.text:00971000
.text:00971000 arg_0 = dword ptr 4
.text:00971000 arg_4 = byte ptr 8
.text:00971000 arg_8 = dword ptr 0Ch
.text:00971000
.text:00971000 mov ecx, [esp+arg_8]
.text:00971004 test ecx, ecx
.text:00971006 jz short loc_971029
.text:00971008 movzx eax, [esp+arg_4]
.text:0097100D imul eax, 1010101h
.text:00971013 mov edx, ecx
.text:00971015 push ebx
.text:00971016 push edi
.text:00971017 mov edi, [esp+8+arg_0]
.text:0097101B shr ecx, 2
.text:0097101E rep stosd
.text:00971020 mov ecx, edx
.text:00971022 and ecx, 3
.text:00971025 rep stosb
.text:00971027 pop edi
.text:00971028 pop ebx
.text:00971029
.text:00971029 loc_971029: ; CODE XREF: encrypt_sub_971000+6j
.text:00971029 mov eax, [esp+arg_0]
.text:0097102D retn
.text:0097102D encrypt_sub_971000 endp

(copied from cef76fa7b4b30f76c7b6d2eefa30d944 sample)

Posted on Leave a comment

Hungarian passwords in the Adobe leaked password list

This article reflects results of joint work with Ukatemi guys.
(A magyar nyelvű változat az angol után található.)

Adobe was compromised this September. Stolen data was first found in September and disclosed in early October by Brian Krebs. Later on, some 10 days ago somebody has leaked a 9GB (uncompressed) authentication database stolen from Adobe.

The database was analyzed recently based on the properties of the encryption scheme.
http://stricture-group.com/files/adobe-top100.txt contains the results of the analysis: the top 100 frequently used encrypted passworts and the most probable guesses for the raw password.
Press write-up is also available on the research: http://www.zdnet.com/just-how-bad-are-the-top-100-passwords-from-the-adobe-hack-hint-think-really-really-bad-7000022782/

We were however curious about the passwords chosen by Hungarians. In the Adobe leak, there are 209 125 email addresses with .hu CCTLD domain name. By the same way how the previous research was carried out, we created a list of most frequent passwords among this 200 thousands of users and tried to pinpoint the most likely cleartext password based on the password hint information and email addresses.

Note, however, that due to the much smaller corpus (200k instead of 154M accounts), we had much lower number of password hints, and thus the confidence of our results is lower.
In the table below, we show the frequency, how many times a password was used in the .hu corpus, and for comparison, we also show the frequency in the full database. If a password is often used in the whole database, then it is most likely not a specific hungarian word, but some internationally known word,phrase or code. In addition to the most likely password, we give secondary ideas in cases where we are not confident enough, and some information about the meaning of the specific word, if it relates to Hungarian language or culture.


Ezév szeptemberében vették észre, hogy valamilyen ismeretlen csoport feltörte a világszerte ismert Adobe szoftvergyártót (többek között az Acrobat Reader, Photoshop és Flash Player gyártóját), és elloptak a cégtől forráskódokat valamint nagyméretű felhasználói adatokat tartalmazó adatbázisokat. Október elején került napvilágra az adatlopás ténye, és október végén hírek kaptak napvilágra arról, hogy a cég 154 millió felhasználójának adatai is napvilágra kerültek. Pár nappal később egyre több helyen volt elérhető ez az ellopott 9GB méretű információhalmaz. Az adatok tartalmazzák a felhasználók e-mail címeit, kódolt jelszavát és ún. jelszó-tanácsát is. A kódolt jelszó egy szimmetrikus rejtjelezővel, egy erősnek számító 3DES algoritmussal van rejtjelezve, a jelszó-tanács egy védelem nélküli szöveg.
A rejtjelezett jelszót kulcs nélkül nem lehet dekódolni, és a kulcs egyelőre nem szivárgott ki. Ezért a jelszavak elvileg nem feltörhetőek. Sajnos azonban az iparági gyakorlattól eltérően a tárolási mód sérülékenységeket rejt magában. A rejtjelezett kulcsok nem salt-oltak és ECB módban “IV” nélkül rejtejelezettek. Ezek a szakkifejezések azt mondják ki: ha két felhasználónak azonos a jelszava, akkor a rejtjelezett párjuk is azonos.

Ez pedig gond. Sok felhasználó esetén sokan használnak azonos jelszót. Ha két felhasználó azonos jelszót használ, akkor a kódolt jelszavuk is azonos lesz. Ha találunk két felhasználót, akiknek azonos a kódolt jelszavuk, és az egyik a jelszó-tanács mezőben az írja, hogy “A jelszó három a betű és az 12 számsor”, akkor nagy valószínűséggel tudjuk, hogy a másik felhasználónak is aaa12 a jelszava. Nincs lehetőségünk a teljes bizonyosság megszerzésére, tehát ez a trükk főleg olyan jelszavakra működik, ahol a jelszavakat sokan használják és sok a jelszó-tanács (password hint) is.

Ennek megfelelően külföldön már pár napja publikáltak egy listát a leggyakoribb 100 rejtelezett jelszóról és annak megfejtett párjairól. A .hu domain névvvel regisztrált email című felhasználók száma meghaladja a 200 000 elemet a listában, közösen az Ukatemi startup cégünk embereivel azt vizsgáltuk meg, hogy mik a magyar jelszóválasztási szokások, és hogyan illeszkednek a nemzetközi környezethez.

Az alábbi listában megtekinthető a magyarok (.hu email) által leggyakrabban használt jelszavak kódolt változata, a darabszám, ahányszor .hu domainről használták, a darabszám, ahányszor nemzetközileg használták (ez is érdekes lehet, hisz vannak magyarok .com cím alatt is, és vannak jelszavak, amik nemzetközi szinten is használatosak). Feltűntettük a legvalósznűbb becslésünket a jelszóra (ami nem biztos, mert nem ellenőrizhető jogszerűen), és a tippjeinket, ha a legbiztosabb ötlet nem igaz. A külföldiek számára kis értelmezést is elhelyeztünk a jelszó jelentéséről.
Összesen csak kb. 3 jelszó esetén nem volt elég adat a nagyjából biztonságos azonosításra, ezeknél valamilyen okból senki, vagy szinte senki nem jelölt meg jelszó-emlékeztetőt.

Érdekességek:

  • Sok citromail.hu felhasználó jelszava “citrom” – nem túl kreatív és veszélyes
  • Sok jelszó-tanács nagyon egyszerű ” a van ellentéte” “nem narancs” “A tudom ellentéte”
  • Sok tanács kiad plusz információt “Ugyanaz, mint az xy@z.hu címemen” – ez külön segítség, hogy mit támadhatunk meg még a jelszóval.
    “Mint mindenhol” – ez is egyértelműen gond, nemcsak, hogy ugyanazt a jelszót használja a felhasználó, de még segíti is a támadót, hogy továbbmenjen.

  • Sok felhasználó “nevem” “barátnő neve” “második nevem” szöveget írt, mondván, esetleg az email címéből ez nem következik. Ugyanakkor, a többi azonos jelszót
    használó felhasználónak elég egy szempillantást venni az email címeire, és triviális, hogy ha 20 emberből 10-nek csilla szerepel a címében, akkor a jelszó csilla, vagy annak becézése lesz. És innentől egy vadidegenről azt is tudhatjuk, hogy mi a neve, barátnője neve, második neve stb., ami segítség ún. social engineering támadásokhoz is.

FRISSÍTÉS: Találtunk pár apróbb hibát, ezeket “FIXED” felirattal javítjuk

Mintaként nézzük meg a következő rövidített listát (lecseréltük X-re a nem releváns részeket):

115103118-|--|-XXcsilla@XXX.hu-|-8Nd+cNdQ360=-|-nevem|--
62657676-|--|-nonXX@XXXXX.hu-|-8Nd+cNdQ360=-|-|--
100898317-|--|-Xcsilla2@XXXX.hu-|-8Nd+cNdQ360=-|-name|--
121149457-|--|-XXcsilla@XXXX.hu-|-8Nd+cNdQ360=-|-nevem|--
123756555-|--|-barXXXX@XXXX.hu-|-8Nd+cNdQ360=-|-kind|--
153339366-|--|-slXXX@XXX.hu-|-8Nd+cNdQ360=-|-Asszony|--
114565459-|--|-zsolt.XXXX@XXX.hu-|-8Nd+cNdQ360=-|-kislanyom|--
63691377-|--|-X_csilla@XXXX.hu-|-8Nd+cNdQ360=-|-|--
66609165-|--|-archer.XXX@XXX.hu-|-8Nd+cNdQ360=-|-|--
67272237-|--|-ylvXXX@XXXXX.hu-|-8Nd+cNdQ360=-|-|--
74715082-|--|-lindusXX@XXXXX.hu-|-8Nd+cNdQ360=-|-nevem|--
174992278-|--|-fXXXX.csilla@XXX.hu-|-8Nd+cNdQ360=-|-|--
177821115-|--|-putirXXXX@XXX.hu-|-8Nd+cNdQ360=-|-|--
183285417-|--|-kXXX.csilla@XXX.hu-|-8Nd+cNdQ360=-|-|--
96471297-|--|-csillapXXX@XXX.hu-|-8Nd+cNdQ360=-|-|--
69058043-|--|-csillalXXX@XXX.hu-|-8Nd+cNdQ360=-|-|--

A “nevem” “name” “Asszony” és “kislanyom” alapján egyértelmű, hogy egy női nevet keresünk. Ezután pedig elég ránézni az e-mail címek listájára, hogy észrevegyük mennyire sok “csilla” szerepel rajta. Persze tévedhetünk, hiszen van egy “lindus” email című is, de a “csilla” elsöprő többségben van.

A jelszavak listájából látszik, hogy nagy az átfedés a nemzetközileg is használt jelszavakkal pl. “123456”, de vannak lokálisak is “szerelem”. A legtöbb jelszó továbbra is név vagy becenév, alig van ettől eltérő az első százban. Tanács: Sose használjuk emberek neveit, beceneveit, vagy azok módosításait, mert ezek a leggyakoribbak. Legyünk kreatívabbak, még mindig igaz, hogy a cseresznye151pok sokkalta biztonságosabb, mint a kr1sztinaIloveyou. A legjobb, ha valami generátorral készítünk jelszavakat, ezek sem tudnak csodát tenni, de egy DooYee7goe5EeFa nagyon erős. Összehasonlíthatatlanul erősebb az eddigi vicces példáknál.

Összegezve:
A helyzet tehát az, hogy aki regisztrált az Adobe-nál bármilyen okból, és a jelszavát máshol is használta, azonnal jelszót kell változtatnia a többi helyen.

Rank No. in .hu No. in all Encrypted PW Most likely password Is it in top100/english? remarks, other guesses
1 3191 1911938 EQ7fIpT7i/Q= 123456 Y
2 525 932 pbn7wO3zb+8= jelszo password in hungarian
3 461 43497 4V+mGczxDEA= 12345 Y
4 394 446162 j9p+HwtWWT86aMjgZFLzYg== 123456789 Y
5 348 13401 uQM9dmQq8vE= qwertz hungarian keyboard layout has y=z
6 337 345834 L8qbAD3jl3jioxG6CatHBw== password Y
7 289 201580 j9p+HwtWWT/ioxG6CatHBw== 12345678 Y
8 273 31555 dA8D8OYD55E= asdfgh Y
9 248 113884 7LqYzKVeq8I= 111111 Y
10 214 76187 diQ+ie23vAA= 000000 Y
11 213 44282 xz6PIeGzr6g= aaaaaa Y
12 209 54651 WqflwJFYW3+PszVFZo1Ggg== macromedia Y
13 202 20961 WlMTLimQ5b4= asdasd Y
14 201 61453 ukxzEcXU6Pw= 1234 Y
15 189 320 q1A6iHNzTFg= valami something in hungarian
16 186 313 MWv89Ddd99M= piglet
17 176 1467 3zV1jrgwEro= attila hungarian male name
18 175 284 MiWs/2HM40w= lacika hungarian male name
19 173 124253 dQi0asWPYvQ= 1234567 Y
20 153 37407 yp2KLbBiQXs= 666666 Y
21 151 274 z5rLiwD12co= almafa appletree in hungarian
22 150 260 N4+iUEuZbPw= cica cat in hungarian
23 137 214 MAEvnIZOuSk= peti peter in short
24 135 6662 uIMAMQyXI/g= something international, 6600 hits
25 134 239 dvqulUaGiQg= zolika zoltan in short, male name
26 126 273 AhfBRgIzdos= tamas maybe tomi tomika, male name
27 125 294 W/jzwDNnaOw= lofasz should be censored
28 124 367 MSycWzt2SLPqvJr9l/X59g== szerelem love in hungarian
29 123 220 rA3xnflDDXI= esztike maybe eszter, hungarian female name
30 119 83411 PMDTbP0LZxu03SwrFUvYGA== photoshop Y
31 118 13044 upIXKNY/ZKY= xxxxxx
32 116 234 zjrHRH4etC0= macika maybe maci, stands for bear or teddy
33 107 234 m0/4nMkmJyM= gabi maybe gabika, female or male name in short
34 106 15910 e21tszGBy4k= matrix Y
35 104 187 P9f9Bgw46Hk= nincs means it does not exist
36 102 194 zwakdT5tFhk= titok secret in hungarian
37 100 192 /jNYdvynVr0= csillag star in hungarian
38 100 1162 +bZCz+Mm7WHioxG6CatHBw== budapest capital of Hungary
39 97 235 iqVZniq2Z6fioxG6CatHBw== cicamica like pussycat
40 97 443 bDjmWzVDGMo= dani male name in short
41 97 17989 NtCzq/i0Ffc= abc Y
42 95 9014 LEdwuvBMkVzioxG6CatHBw== garfield
43 92 16374 QSay9kzQVz8= samsung Y
44 92 155 FClbZZD1l1A= FIXED: nemtom I dunno in short
45 91 149 Xe2T3yCUsCc= balazs maybe balu, balika
46 90 155 lwXlGk4RTzc= mazsola kind name
47 89 247 D0B1TLHoZoTioxG6CatHBw== szeretet love (one version) in hungarian
48 88 197 Yg/0iyYFi+A= janika male name in short
49 86 12160 rkyaRFa+eak= qwe123
50 86 421 FvWPZ2OI8V0= tigris maybe tigris1
51 84 17176 oa/GBGqIApo= killer Y
52 84 4540 TYrTfuuBGm0= monika female name in short
53 83 142 p6kbkduAMhPioxG6CatHBw== FIXED: macilaci/TD>

Yogi Bear
54 82 153 iolWV4U4baM= madar bird in hungarian
55 81 131 TiMyOmRnnYk= mokus second guess: manoka mokus is for squirrel
56 80 214 ugYjb/7SO9DioxG6CatHBw== FIXED: nemtudom “I don’t know”
57 79 11707 rNhveK0RH5Q= ferrari
58 79 1267 ghZhzPTEyrU= viktor
59 79 6920 QkLIDf6naxw= no hint, strange
60 78 27387 XpDlpOQzTSE= 121212 Y
61 78 4829 XWs+3joEULU= 0123456 maybe 012345
62 76 18049 b5LJqTmQmvQ= 555555 Y
63 74 377 syBP2PbOprLioxG6CatHBw== FIXED: freemail
64 73 9787 C6fdPcrsYlU= 123asd or asd123
65 72 20572 ueE89xIj8RTioxG6CatHBw== internet Y
66 72 17454 MEXwK6GOWHk= andrea Y
67 72 130832 5djv7ZCI2ws= qwerty Y
68 71 7991 E3P4TkKmrIE= no hint, strange
69 70 82694 e6MPXQ5G6a8= 123123 Y
70 70 43673 Ypsmk6AXQTk= 654321 Y
71 69 111 WHnoclxstks= some woman’s name, bea, betti, zsuzsa or monika are most likely
72 69 3246 SSCHXSLigpo= roland
73 69 2618 I+sy2I0+oHg= delfin
74 69 230 2e2bx0WPm8o= andi
75 68 10742 ewOK16tiXAs= enimem
76 68 22103 OrzNCxMfwrw= fdsa Y
77 68 139 8Nd+cNdQ360= csilla hungarian female name
78 66 959 remGyraE2+rioxG6CatHBw== viktoria hungarian female name
79 66 5213 SVXt5Rlot1U= clever or something related to iq, cleverness, and a brand of computer mouse
80 66 16177 F9nqBYx2LhA= asdfghj Y
81 66 13531 DuMurYI43dU= blabla blahblah in hungarian
82 65 737 vEldih7WrfY= vivien female name
83 65 129 o2D+z1QYuHo= FIXED: nyuszi bunny in hugarian
84 65 7070 U1yPApWcaOA= barbara female name
85 63 27856 pTkQrKZ/JYM= dragon Y
86 62 128 vQGGxx87Fyk= levente male name
87 62 95 7DOklOXTFPo= zsolesz or other forms of zsolt, like zsolti
88 61 70795 kCcUSCmonEA= abc123 Y
89 61 81 gkfBa7HrOnY= citrom funny, many “citromail.hu” users chose that, hungarian: lemon
90 61 15805 fbO2Wx232qY= secret Y
91 60 102 kiQXbvrKbiA= robi or robert, robby, roby, or similar
92 60 88 GsQ/41R7pXw= FIXED: kriszti female name
93 60 194 /EoAhM0rWA8= kata maybe katalin, kati, female name
94 59 179 mkRrr6/R2oE= richard
95 59 14159 PwB5ue3qkgs= oliver
96 59 181 Kt3DWt8h3tg= ildiko hungarian female name
97 57 6734 u57swGYZlf/ioxG6CatHBw== juventus
98 57 146 MoedSZDdCmk= zsuzsi or zsuzsanna, hungarian name like suzy
99 56 20022 ziypr2hyamc= 123qwe Y
100 56 97 pp3j26xZbvTioxG6CatHBw== kiskacsa stands for duck in hungarian. fix: kacsa->kiskacsa “small duck”
101 56 P2x/N9v5UaM= melinda female name in short

Edited by: Boldizsar Bencsath

Posted on Leave a comment

Evading Intel VT-d protection by NMI interrupts – Security Advisory

UPDATE: A full research report on the NMI and other passthrough attacks is available online at: http://www.crysys.hu/~pek/pubs/Pek+14ACMAsiaCCS.pdf

Gábor Pék (CrySyS Lab)  started to explore possible vulnerabilities in the use of directly assigned (passthrough) devices in contemporary hypervisors (Xen and KVM). As a result of this research, he pointed out some misbehaviors in the interrupt handling method of current platforms. One of this issues is going to be presented in this article.  A paper is to be published about all the discovered issues in collaboration with other researchers from Eurecom, France.

Description

Direct-device assignment is one of the most controversial issues in hardware virtualization, as it allows for using devices almost at native speed, however, raises many security problems.  As most of these issues can be evaded by properly configured system software and hardware, the security issues of that area seemed to be solved.  At the same time, virtual instances with direct-device assignment are publicly available  via various cloud providers, so the security issues have to be examined in more details. In this article,  an interesting vulnerability is going to be presented which is not a simple software bug, but an example for an issue on how to handle improperly a hardware-level mechanism: the interrupt generation.

More precisely, native host-side Non-Maskable Interrupts (NMI) can be generated on systems (e.g., Xen, KVM etc) with System Error Reporting (SERR) enabled via a passthrough device being attached to a fully virtualized  (HVM) guest even when all the available hardware  protection mechanisms are turned on (Intel VT-d DMA and Interrupt Remapping).

As a result of the NMI, the corresponding host-side NMI handler is executed which may cause Denial of Service (DoS).

To reproduce the issue, the attacker has to create a malformed MSI request by writing to the LAPIC MMIO space (0xFEExxxxx) in the guest physical address range. This can be accomplished by a modified DMA transaction. Examples for malformed MSI requests include Interrupt Vector numbers being set below 16 or MSI requests with invalid size (not DWORD).

Output of Xen 4.2 Dom0 after the attack (xl dmesg):

(XEN) NMI – PCI system error (SERR)

Output of KVM 3.4 host after the attack (/var/log/kern.log):

NMI: PCI system error (SERR) for reason a1 on CPU 0.
Dazed and confused, but trying to continue

The NMI is reported as a result of an ‘Unsupported Request’ PCI system error, and has nothing to do with compatibility format MSIs with delivery mode of NMI. Note that Interrupt Remapping disables the use of compatibility format MSIs by clearing the GCMD.CFI flag. By turning x2APIC mode on system software cannot even reconfigure that flag.

Later investigations showed that the host-side NMI was not generated by the PCI device being assigned to a fully virtualized (hardware-assisted) guest, but the Host Bridge(00:00.0). See the output of lspci.

Before the attack:

00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor Family DRAM Controller (rev 09)
Subsystem: …
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort+ >SERR- <PERR- INTx-
Latency: 0
Capabilities: [e0] Vendor Specific Information: Len=0c <?>

After the attack:

00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor Family DRAM Controller (rev 09)
Subsystem: …
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort+ >SERR+ <PERR- INTx-
Latency: 0
Capabilities: [e0] Vendor Specific Information: Len=0c <?>

Vulnerable Systems

Affected platforms enable System Error Reporting, where the corresponding NMI handler is executed in the hypervisor/host OS that should have never happened in normal circumstances when Intel VT-d Interrupt Remapping is enabled. Note that only Xen and KVM were tested and verified, however, every other system software can be affected which runs above a platform with SERR and Intel VT-d enabled.

Mitigation
While Intel does not recommend to turn SERR reporting on by default, some platforms do enable it as it carries essential information about legal system errors.

SERR reporting can either be disabled for the Host Bridge, or system software can block SERR error signaling due to Unsupported Request error resulting from malformed MSI requests. The former advice is quite intrusive as it suppresses all the system errors coming from the Host Bridge. At the same time, this is supported by all the chipsets. The second option is a more fine-grained solution, however, there is no information whether it is applicable to all Intel chipsets.

As a consequence, there is no real solution available for the issue for now.

References

Corresponding CVE number: CVE-2013-3495
Corresponding Xen Security Advisory number: XSA-59

Acknowledgement

Many thanks go to Jan Beulich from the Xen security team, the Intel Product Security Incident Response Team and Rafal Wojtczuk from Bromium for the in-depth discussions, recommendations and advices.

More details about this issue is going to be published in our upcoming paper.

May you have any questions please let us know.

 

Posted on Leave a comment

TeamSpy – Obshie manevri. Ispolzovat' tolko s razreshenija S-a

The CrySyS Lab, Budapest has been notified by the Hungarian National Security Authority (www.nbf.hu) about the detection of an ongoing high profile targeted attack affecting our home country, Hungary. During our investigation of the incident, we discovered a number of C&C servers, and a large number of malware samples that have been used in multiple attacks campaigns in the last couple of years. Indeed, the collected evidences suggest that part of the attack toolkit we discovered was used back in 2010. It seems that the main objective of the attackers was information gathering from the infected computers. Many of the victims appear to be ordinary users, but some of the victims are high profile industrial, research, or diplomatic targets, including the case that triggered our investigation. As part of the attackers’ activities is based on misusing the TeamViewer remote access tool, we named the entire malicious toolkit TeamSpy.

We detail the findings in our technical report.

As mentioned above, a distinct feature of the attack is the abuse of the legitimate TeamViewer remote access tool. The attackers install an original, legitimate TeamViewer instance on the victim computer, but they modify its behavior with DLL hijacking, and they obtain remote access to the victim computers in real-time. Therefore, the attackers are not only able to remotely observe the infected computers, but they can also misuse TeamViewer to install other tools to obtain important information, files, and other data from the victim.
The collected evidences suggest that attacks have been carried out in multiple campaigns. In addition to the TeamViewer based campaigns, we also saw signs indicating a number of older attacks based on proprietary malware with C&C server based control. We estimate the number of distinct campaigns to be in the order of tens.

The activities of the attackers might be related to other known attack campaigns, like the TeamBot/Sheldor campaign (banking cyber-crime), as we describe later in this document. Despite of this relation to cyber-crime activities, we believe TeamSpy has been used in high-profile targeted attacks too. This is underpinned by the following observations:

• In case of the Hungarian incident, the signs clearly show that the target is high-profile.
• Some malware samples were created just for the retrieval of specific office documents (see the analysis of module 2016_11.txt below) whose name (e.g. “gaza tunnel”) indicate that the target is probably high-profile.
• The telemetry revealed additional high-profile victims outside Hungary. Indeed, multiple victims were found in Iran, including victims at http://www.sashiraz.co.ir, which is an electronics company with government background. The possible date of infection for this victim is from 2010.
• Some tools used by the attackers run traceroute to an unknown host on a subnet, where some other hosts belong to the Ministry of Foreign Affairs of Uzbeghistan.
• Some tools used in the attacks look for files matching the following templates saidumlo secret.* секрет.* парол.* .xls *.pdf *.pgp *pass.* *.rtf *.doc. This list shows the interest of the attackers in “secret” and “password” documents. In addition, the attackers’ interest in .pgp and .p12 files indicates that they were looking not only for passwords, but also for cryptographic keys, which goes beyond attacks against ordinary users.

During our investigation, we uncovered a large set of malware samples that were probably utilized back in the past; hence, our analysis can also shed light on older malware campaigns and might help victims to reveal incidents that are several years old. Therefore, the information disclosed in this report could be used to perform a longitudinal study of targeted malware attacks.
While identity of most of the victims could not be revealed, we have information on some high-profile victims, e.g.:

  • 11/2012: Hungarian high profile governmental victim.
  • 03/2013: Embassy of NATO/EU state in Russia
  • 04/2010: Electronics company in Middle-East, Govt. background
  • 03/2013: Multiple research/educational organizations in France and Belgium
  • 03/2013: Industrial manufacturer in Russia

Please read the detailed technical report.

Posted on Leave a comment

New miniduke samples hashes

6a2c682163f7bd572e5b32861f339749a5e6338f *bg_efa.gif
5f9d29ff787ee57cf1efc50ba912b8170d877c8c *bg_efa.gif_dec
7594baa64a94147fe4a480bb1f05421499bafbfa *bg_efd.gif
a26b92e612d3a282a294b9fed313998270fb3de8 *bg_efd.gif_dec
3bcd6d97a08406b09c8a1754fc2813b8c31305ec *bg_efssa.gif
3fc74035fefe01a0f88266e1ea6982568db37969 *bg_efssa.gif_dec
a725f94d95ff667657186295c47d4dc487ec3dec *bg_ght.gif
ffabcf3e947aaeefb52ec4385ceb339bc3bbc4a9 *bg_ght.gif_dec
065624d59c2bf607df10bfec1fb104fee09f9dd6 *bg_ldf.gif
5deb581700d373b5890e3bd684306473d34d02cc *bg_ldf.gif_dec
43ef986db9a1c9ff7fd0d84d8495a4f3d9e82543 *bg_lef.gif
131b72a8d950bcf3de273f8a6aac56f8884b5e1e *bg_lef.gif_dec
03ed5e370513eb4d357fbc391ce57c75d179551e *bg_ler.gif
726924e450ffb50c6cd600dca35e8353e0d42c8b *bg_ler.gif_dec
6799b0d8e9ec469fa455b01ffde63b8c *bg_efa.gif
ac1c9fd4c6ba5ef3673a871960a48622 *bg_efa.gif_dec
665eb69b1a917b5c8e3588efcc258539 *bg_efd.gif
a401042e3276bcb4d4012da392e6374a *bg_efd.gif_dec
9253eae9b443f67b12a2b399f54bb2cb *bg_efssa.gif
f3de8feb3ea4f367053755123389c1ae *bg_efssa.gif_dec
9fee2fcc92b74e0fb65dc42214ae9952 *bg_ght.gif
41d4eb3aab5acd87657c4b9ea9432d9b *bg_ght.gif_dec
37307978b24a9185ec8b4ca14afefd99 *bg_ldf.gif
e92584a5624b2fa044a671198c834221 *bg_ldf.gif_dec
9c2433c9768c43a8f4ae0fc72b1cc1cc *bg_lef.gif
0f76f6e9d7659d4fb087d18bec1bd48f *bg_lef.gif_dec
535011c4887a098fc67adb5eebc64525 *bg_ler.gif
3b83c9bb67ce8166c0312b1abe9cd5a7 *bg_ler.gif_dec

Posted on Leave a comment

Miniduke

Earlier in February 2013, FireEye announced the discovery of a new malware that exploited a 0-day vulnerability in Adobe Reader. Now, we announce another, as yet unknown malware that exploits the same Adobe Reader vulnerability (CVE-2013-0640).

This new malware was named Miniduke by Kaspersky Labs with whom we carried out its first analysis. Our participation in this research was justified by a detected Hungarian incident. A detailed report on the results of our joint efforts has been published by Kaspersky Labs on their Securelist blog site. That report describes what we currently know about the operation of Miniduke including its stages, and also information on the C&C infrastructure and communications. We have published another report from CrySys Lab that contains information on the indicators of Miniduke infections and gives specific hints on its detection. This blog entry is a brief excerpt of our report.

The available malware samples are highly obfuscated, and compiled by a polymorphic compiler. The attackers were able to produce new variants with only a few minutes difference between compile times. Therefore, the number of distinct samples could be very large. Hashes of known samples are published in our detailed report on indicators.

Due to a large number of compiled samples, there is a high chance that the current version is difficult to detect by signatures. Yet, there are common features in the samples that can be used to identify the malware components.

In every case we encountered, the “Program Files/Startup” contains a file with .lnk extension after installation. This is used to start up the malware after the computer is rebooted.

A not fully cross-checked information is that, during installation, the malware will be copied in two copies on the system and the two executables differ. This might mean that the executable modifies itself. For example, we recovered the following two files:

md5sum base.cat :113e6fc85317fdd135e3f5f19e6c7a58 *base.cat
md5sum ~6rld.tmp : c786a4cdfe08dbe7c64972a14669c4d1 *~6rld.tmp

where base.cat is the startup file, which is created based on ~6lrd.tmp. base.cat is stored in the “All users” directory, whereas ~6lrd.tmp is stored in a user’s directory, e.g., in the guest user directory as “C:\Documents and Settings\guest\Local Settings\Application Data\~6rld.tmp”. This user directory contains at least one more file, update.cmd, with a specific content that could be used for detection.

As for stage 3 of the attack, it is important to note that it is not yet analyized deeply. So once a victim downloads the ~300k long piece of stage 3 code, we don’t know what happens with the previous stages, and we have no information about detections once this stage is reached, except the usage of the C&C server news.grouptumbler.com. Another variant of the stage 3 code is much smaller, only 14k long, and connects to a server in Turkey.

We have identified the following servers delivering stage 2 and stage 3 code to victims:

arabooks.ch 194.38.160.153 / Switzerland
artas.org 95.128.72.24 / France
tsoftonline.com 72.34.47.186 / United States
www.eamtm.com 188.40.99.143 / Germany

The C&C server used by stage 3 of the malware is news.grouptumbler.com (IP 200.63.46.23) and it is located in Panama.

There are multiple layers of C&C communications in the malware. First, the malware uses Google search to receive information from its master. Then, it uses the Twitter messaging service looking for the twits of a specific Twitter user. Commands received via this channel trigger the download of stage 2 and stage 3 code.

Basic detection can be based on the queries that are initiated by the victim computer within seconds:

www.google.com – port TCP/80 - HTTP
twitter.com –port TCP/443 - SSL
www.geoiptool.com –port TCP/80 - HTTP

Known search strings in Google search can also be used to detect the malware:

lUFEfiHKljfLKWPR
HkyeiIDKiroLaKYr
lUFEfiHKDroLaKYr

Unfortunately, these strings are most likely unique to each C&C server or victim, thus unknown samples might use other strings, but possibly with the same length.

Examples for twits containing the URL of the C&C server are shown below:

The weather is good today. Sunny! uri!wp07VkkxYt3Mne5uiDkz4Il/Iw48Ge/EWg==
Albert, my cousin. He is working hard. uri!wp07VkkxYmfNkwN2nBmx4ch/Iu2c+GJow39HbphL
My native town was ruined by tornado. uri!wp07VkkxYt3Md/JOnLhzRL2FJjY8l2It

The malware also sends a query to the geoiptool. An example is shown below:

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; en-US; Trident/5.0)
Host: www.geoiptool.com

The malware retrieves the URL of the stage 2/3 delivery C&C server from Twitter messages as described above. Then, we can observe the first query from the victim towards the server. This query contains pure HTTP traffic on port 80 to the server following the template below.

GET /original/path/shortname/index.php?e=aaaaaaaaa

where:

  • shortname can be a number of strings, generally human readable (e.g. lib, engine, forum, forumengine etc.)
  • “e=” is not constant, can be anything, but generally 1-2 letters long
  • aaaaaaaaa stands for some Base64-like text (see details below)
  • the servers used are assumed to be legitimate sites, just hacked by the attackers.

Based on this format, we can detect a valid query as follows:

The name of the first GET parameter should be discarded

  • this means “e=” is not important
  • we saw only one GET parameter, queries with multiple parameters are likely not used

For detection, the Base64-like string “aaa…” should be first modified as follows:

  • “-” should be replaced by “+”
  • “_” should be replaced by “/”

This results in correct Base64 encoding, which can be decoded with library functions such as base64_decode. After decoding, a string of data, partially binary, will be available. Parts are separated by the delimiter character “|”. The format and a numerical example are below:

binary data ( ~100 bytes)|numerical ID ( ~10 digits)|version number

e.g.,

binary data|5551115551|1.13

As the binary data itself may contain the ”|” character, parsing should start from the end (i.e., the numerical ID starts from the second “|” character from the end). In additional, the ID length may vary (not fully confirmed), but it seems to be around 10 digits. Finally, the version number always follows the pattern “one digit.two digits”, e.g., 1.1X 3.1X.

gif-image

The C&C server’s response – if it sends encrypted files – is a GIF file containing a small icon, and after that, the malware. For stage 3, the file downloaded has a larger size (~300KB). It also begins with a GIF header, but that header is only 13 bytes long, and then starts the encrypted executable (see picture above).

Posted on Leave a comment

Encryption related to Duqu font expoit (CVE-2011-3402)

You remember the Duqu font related exploit and shell code in the dropper? Yes, that’s the exploit that was recently used in many exploit kits.
First of all, this is a kernel level exploit, it should be kept in mind while checking code.

The original dropper had a decryptor for the stage1 of shell code:

void __fastcall sub_1500(int a1, int a2)
{
int v2; // eax@2
int v3; // ecx@2
int v4; // eax@5
int i; // eax@5

if ( !dword_14FC )
{
v2 = 0;
dword_14FC = 1;
v3 = (unsigned __int8)dword_14F8;
while ( v2 != dword_14F8 )
{
LOBYTE(a2) = v2 ^ *((_BYTE *)sub_17C + v2) ^ v3;
*((_BYTE *)sub_17C + v2) = a2;
a2 = (unsigned __int8)a2;
++v2;
v3 ^= a2;
}
v4 = sub_158C(v2, a2, v3);
sub_17C(v4 - (_DWORD)sub_17C);
for ( i = 0; i != dword_14F8; ++i )
*((_BYTE *)sub_17C + i) = 0;
}
}

It’s not a complicated obfustation/crypto, the interesting thing is that it is not like the ones for Flame. The most similar thing is Stuxnet’s modules’s crypto, maybe later discussed.

The next level is still obfuscated. ntoskrnl.exe function calls are stored in a table by hash of the function call name, just like calls are obfuscated in other parts of Duqu. This is not unusal, but shows specific care on the module.

The hash-function relation table is costructed like under:

seg000:00001043 mov [esi+10h], eax
seg000:00001046 jz loc_11B2
seg000:0000104C push ecx
seg000:0000104D push ecx
seg000:0000104E push 0BF5CA508h ; ExAllocatePool, hash:bf5ca508
seg000:00001053 push edi
seg000:00001054 call sub_7FD
seg000:00001059 add esp, 10h
seg000:0000105C test eax, eax
seg000:0000105E mov [esi+14h], eax
seg000:00001061 jz loc_11B2
seg000:00001067 push edx
seg000:00001068 push edx
seg000:00001069 push 2973E9CCh ; export name: ExFreePool, hash:2973e9cc
seg000:0000106E push edi
seg000:0000106F call sub_7FD
seg000:00001074 add esp, 10h
seg000:00001077 test eax, eax
seg000:00001079 mov [esi+18h], eax

Note the constants 2973ECCh and similar. These are identifiers of ntoskrnl.exe exports (specific functions).

The hash calculation is done like this:
for ( i = 0; ; i += 7 * i * i + 12 * v8 + 17 * v8 * v8 )
{
v8 = (_BYTE *)v3;
if ( !
(_BYTE *)v3 )
break;
++v3;
}

It’s not like encryption/obfuscation code for FLame. Maybe the exploit creators also provided this stage to the customers.

Based on this code function calls in the exploit can be recovered. And still, this is just one step among others to fully understand how original Duqu dropper worked…

A few sample values for hashes based on the function described above:


export name: AlpcInitializeMessageAttribute, hash:f8ab4ead
export name: CcCanIWrite, hash:c833f901
export name: CcCoherencyFlushAndPurgeCache, hash:41ab559d
export name: CcCopyRead, hash:99b1f488
export name: CcCopyWrite, hash:96bc06d5
export name: CcCopyWriteWontFlush, hash:210fdfb4
export name: CcDeferWrite, hash:038897a1
export name: CcFastCopyRead, hash:1e3c8f5c
export name: CcFastCopyWrite, hash:c1874039
export name: CcFastMdlReadWait, hash:2eea7438
export name: CcFlushCache, hash:0a30abdd
export name: CcGetDirtyPages, hash:cc24ab45
export name: CcGetFileObjectFromBcb, hash:8244f064
export name: CcGetFileObjectFromSectionPtrs, hash:9406fe99

… possibly TBC…