Anti-Malware Laboratory

Yet Another Malware Blog

About

An informal blog from your friendly neighborhood software security humans.

Thursday, March 22, 2012

NSA Mobility Program

Posted on Thursday, March 22, 2012 by Red Horse | No comments
Originally posted by elmo.

The NSA or National Security Agency recently established the NSA Mobility Program to focus on delivering secure mobile capability using commercial technologies to the United States Government (USG) and Department of Defense (DOD).

They have also identified 5 major categories of the mobile ecosystem in a document called Mobility Capability Package:
1. Secure Voice
2. OS/Apps & Mobile Device
3. Mobile Transport (Carrier)
4. Mobile Enterprise Infrastructure
5. Interoperability

You may visit this site for more info.

Monday, March 19, 2012

The 2012 Cyber Defence University Challenge

Posted on Monday, March 19, 2012 by Red Horse | No comments
Originally posted by elmo.

To raise awareness of cyber security, the Australian government, in partnership with Australian universities and Telstra, is challenging university undergraduates to take part in the Challenge.

The Challenge is a 24-hour security competition that starts on April 3 and ends on April 4, 2012.

The winner will have the opportunity to travel to Las Vegas, USA in July 2012 to join in Black Hat's 2012 Conference.

For more info, you may visit this site.

Sunday, March 18, 2012

Double Winrar self-executable archive packed Fakeav

Posted on Sunday, March 18, 2012 by Red Horse | No comments
Originally posted by marc.

Malware authors have been using packers/compression programs to confuse AV detection engines. Here's one mildly annoying technique that I stumbled upon last week.

Step 1. Pack file with Asprotect packer

Step 2. Create a password protected Winrar sfx archive using the file in step 1.

Step 3. Create another Winrar sfx archive using the file created in step 2, but this time, include the password in the execution script.


Most AV engines will usually have some trouble unpacking password protected files wherein the password is in another compression layer of the file. A quick Virus Total scan shows that this is indeed the case.

Password protected RAR SFX archive
Avast Win32:FakeAV-CYX [Trj]
DrWeb Trojan.Fakealert.29018
GData Win32:FakeAV-CYX
Kaspersky Trojan-Dropper.RAR.Agent.a
McAfee Generic Dropper.ady
Microsoft Rogue:Win32/FakePAV
VIPRE Win32.Malware!Drop

Unpacked file
AntiVir TR/Fraud.Gen
Avast Win32:FakeAV-CYL [Trj]
AVG Suspicion: unknown virus
ClamAV PUA.Packed.ASPack
GData Win32:FakeAV-CYL
Kaspersky HEUR:Trojan.Win32.Generic
McAfee FakeAlert-FCG!F72024F90A24
Microsoft Rogue:Win32/FakePAV
NOD32 a variant of Win32/Adware.WintionalityChecker.AA
Panda Suspicious file
Sophos Mal/FakeAV-MJ
VIPRE WindowsShieldTool

Notice how some AV engines did not detect the password-protected archive at all, and how the same engine detects the same malware under two different names. This usually means that the vendor could not unpack the file automatically and had to write two separate detections, one for the password-protected file and one for the unpacked file.

An advantage of this technique, from the attacker's point of view, is that while the file sits on a compromised server or passes through an email gateway it is never executed, so the underlying ASProtect-packed file is never revealed and the file has a greater chance of remaining undetected.

On a related note, here's a screenshot of a variant of the same malware, this time with excerpts from Romeo and Juliet included in its WinRAR script. This is done to change the file hash and give AV detection automation a hard time. The process is most likely automated as well, so they could be generating thousands of files containing the same malware, each with a different file hash, at the click of a button.

Tuesday, March 13, 2012

Fake Skype Vouchers website leads to Java Exploits

Posted on Tuesday, March 13, 2012 by Red Horse | No comments
Originally posted by kazmot.

I stumbled upon a fake website that targets Skype users through vouchers or gift certificates. Below is the definition of Skype vouchers from their website:


Skype vouchers are electronic Skype Credit vouchers sold in various retail outlets. You don’t have to pay for the vouchers online and they make a great gift for family and friends so that you can keep in touch through Skype.

Vouchers are sometimes included with Skype accessories, or as part of a promotion.


Let's have a look of what is inside the said fake page:

[Figure 1: Source of the fake website]

Figure 1 shows the misleading title. You can also see a hidden iframe connecting to a different website.

Following the hidden iframe, we will now get an obfuscated script.

[Figure 2: Obfuscated script]

Some variables are highlighted in Figure 2. These variables will eventually become a window.eval() function when the script is executed. Now, let us modify the script in order for our script emulator to capture the result of the eval() function:

[Figure 3: Modification part 1]

Figure 3 shows that we need to remove some "if-statements" to make sure that our script will execute. You will also notice that one if-statement checks the current year; the script will not run properly if that check is not satisfied. In addition, proper deobfuscation of the script depends on the value of the integer in the year check. We will come back to this shortly. For now, let's just deobfuscate the script.

[Figure 4: Modification part 2]

Figure 4 shows which variable will become the eval() function. After the modifications, execute the script and then dump the eval result. Figure 5 below will show you the result.

[Figure 5: Deobfuscated script code]

Now, you will see another set of hidden iframes that connect to another site. The said site will now load 2 malicious Java files:

[Figure 6: Load Java applets]

Sample 1: Java Exploit
MD5 hash: d3f933524c85c96a76f7ffd516d335c0
Virus Total scan result available here

Sample 2: Java Exploit
MD5 hash: 58db6e6e25d9b8e4742f2ef9b43c3818
Virus Total scan result available here

These Java files exploit the following vulnerability:


    CVE-2011-3544 - Oracle Java Applet Rhino Script Engine Remote Code Execution


Going back to the date check and value change, Figure 7 shows that we changed the integer value from "012" to "011".

[Figure 7: Integer value modification]

Now, let's dump the result to a file.

[Figure 8: Result of the wrong value]

You can see in Figure 8 that the result is now just a bunch of non-readable strings.

Source:
malwaredomainlist


References:
Skype
Virustotal
cve.mitre.org
Sourceforge

Thursday, March 8, 2012

AV-TEST Report on Android Anti-Malware Solutions

Posted on Thursday, March 08, 2012 by Red Horse | No comments
Originally posted by elmo.

AV-TEST, an independent IT security company, recently published a test report on the different anti-malware products available for Android.

It is worth noting that they tested 41 anti-malware products!

That is a lot of products for such a short period, and some of the solutions achieved 0% detection.

So choose wisely and pick an anti-malware product from the top half of the ranking.

Wednesday, March 7, 2012

Justin Bieber Facebook Spam

Posted on Wednesday, March 07, 2012 by Red Horse | No comments
Originally posted by elmo.

Title: LOL!!! There was a hidden c@mera in Justin's bedroom


Tuesday, March 6, 2012

Fake Intuit Quickbooks Page Leads to Black Hole Exploit

Posted on Tuesday, March 06, 2012 by Red Horse | No comments
Originally posted by kazmot.

The Blackhole Exploit kit is still a very popular attack on the web. Malware uses this exploit kit to propagate and infect unsuspecting users. Here is a detailed analysis of a fake Intuit page that leads to the exploit kit, and of the obfuscation technique used by the attack. In this specific targeted attack, we were able to download a Cridex worm, 2 PDF files, and an obfuscated JavaScript.

Let's see first what the fake page looks like:

[Figure 1: Fake Intuit Page]

In the above screenshot, we can immediately notice that it is really fake. You may view the legitimate site of Intuit Quickbooks here. The title on the web browser shows "Intuit" but you will see on the status bar that a hidden connection goes to a different remote site.

Now, Let's see what is in this HTML file...

[Figure 2: Content of the Fake Page]

I used Malzilla to connect to the site and get its content. You can see that, other than the usual title and header shown earlier, it also contains an obfuscated script.

Now to decode this script...

You will notice that I highlighted some variables in Figure 2. These variables will become a window.eval() function when the script is executed. window.eval() is a JavaScript function that executes its argument as code, and here it is what runs the "deobfuscated" code. Malicious scripts commonly assign eval to an innocuous variable in this way to avoid script debuggers/emulators that hook the function by name in order to dump the deobfuscated code.

So now, we need to modify the script so that Malzilla will be able to get the argument of the eval() function...

[Figure 3: Removing IF conditions]

Figure 3 shows that in this specific sample, we need to remove some IF statements to make sure that the script is executed.

[Figure 4: Run script and Show Eval() results]

If you take a look again at the highlighted variables in Figure 2, you will see that the variable "e" will become the window.eval() function. Figure 4 shows the modifications that we applied. Run the script and then hit the "Show eval() results" button. At the bottom box of Figure 4, you will see the deobfuscated code. It is a hidden iframe that connects to a remote site.

Let's follow this site, shall we...

Again using Malzilla, you need to repeat the steps in order to analyze this remote site. On the Download tab, paste the URL and then hit the "Get" button.

[Figure 5: Contents of the remote site.]

Figure 5 shows that this site contains two script tags, so we need to use "Send all scripts to Decoder". Again, like the first site, you can see here that it uses the same technique where window.eval has been assigned to a variable "e". Apply the same modification that we did earlier, run the script, and then get the eval result. Figure 5 also shows which part of the script you need to change.

[Figure 6: Black Hole exploit code.]

Figure 6 shows the result. You will now see the "Please wait page is loading..." text. This display page is very common in Black Hole exploit code. Initially, the code is on a single line, which makes it a little hard to read. You can use a "javascript formatter" to insert newlines and tabs into the script; an example is jsbeautifier.org.

Let's now take a look at the exploit code...

It searches for vulnerable applications installed in the target system. In this sample, it checks for the following:

  • Adobe Reader

  • Flash Player

[Figure 7: Check installed applications.]

It deploys an MDAC exploit (CVE-2006-0003 - IE6 COM CreateObject Code Execution) to download and execute a malicious file.

  • File: Cridex worm

  • MD5 hash: c3124a2981d8e1b9e13e8c21c96448f7

  • Virustotal Scan Results


[Figure 8: Deploying MDAC exploit.]


It deploys the following PDF exploits:

  • CVE-2008-2992 - Adobe Reader util.printf
    • File: Pdfjsc exploit
    • MD5 hash: 8ad89d5477fe5b074b1767a826207c8a
    • Virustotal Scan Results

  • CVE-2009-0927 - Adobe Reader Collab GetIcon
    • File: Pdfjsc exploit
    • MD5 hash: 84fbc15c2d3e460183b853c566bf3ccf
    • Virustotal Scan Results

[Figure 9: Deploying PDF exploits.]

It deploys HCP exploit (CVE-2010-1885):

[Figure 10: Deploying HCP exploit.]

The file in the link is an obfuscated script. When the deobfuscated code is saved in a file:


  • File: Javascript iframe

  • MD5 hash: 1f082ef7e2bc87efa2926a81925e6c46

  • Virustotal Scan Results


[Figure 11: Deobfuscated HCP exploit script]

Finally, it deploys a Flash Player exploit (CVE-2011-0611 - Adobe Flash Player Memory Corruption):

[Figure 12: Deploying Flash exploit.]

More Information:
Black Hole exploit kit

Sample source:
malwaredomainlist.com

References:
Imperva
ZScaler ThreatLab

AXMLPrinter2

Posted on Tuesday, March 06, 2012 by Red Horse | No comments
Originally posted by elmo.

AXMLPrinter2 (AXMLPrinter version 2) is a tool that uses AXmlResourceParser to convert a binary XML file, such as a compiled AndroidManifest.xml, into a readable XML document.

Prerequisite:
JDK (java development kit) needs to be installed in your system.

Download:
AXMLPrinter2.jar

Syntax:
1. go to the folder where you downloaded AXMLPrinter2
2. open a command prompt
3. type and execute "java -jar AXMLPrinter2.jar <location of xml file> >> <output file>"
e.g. d:\tools>java -jar AXMLPrinter2.jar d:\test\AndroidManifest.xml >> out.log
4. open <output file> or out.log

Black Hole exploit kit

Posted on Tuesday, March 06, 2012 by Red Horse | No comments
Originally posted by kazmot.

The Black Hole exploit kit is an unethical off-the-shelf Web application. The first instance - v.1.0.0 beta - appeared on the black market in August 2010, advertised as a "System for network testing". As with most exploit kits, it is based on PHP with a MySQL backend. The payload of this kit usually targets Windows operating systems and the applications installed on them, but that depends on the criminals' end goal.

The Black Hole exploit kit uses several protection mechanisms such as:


    • Integrated Antivirus based on an API of popular blackhats' AVCheck services

    • Forms database of blacklists based on referrers and IP addresses including ranges to block access to the system


Below is a running list of vulnerabilities that have been used with the Black Hole exploit kit:


    • CVE-2011-0611 - Adobe Flash Player Memory Corruption Vulnerability

    • CVE-2010-1885 - HCP

    • CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plugin

    • CVE-2010-0886 - Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE

    • CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability

    • CVE-2010-0840 - Java trusted Methods Chaining Remote Code Execution Vulnerability

    • CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll

    • CVE-2009-0927 - Adobe Reader Collab GetIcon

    • CVE-2008-2992 - Adobe Reader util.printf

    • CVE-2007-5659 - Adobe Reader CollectEmailInfo

    • CVE-2006-0003 - MDAC (IE6 COM CreateObject Code Execution)


Related topic:
Fake Intuit Quickbooks Page Leads to Black Hole Exploit

Sources:
Websense

Monday, March 5, 2012

CrimePack exploit kit

Posted on Monday, March 05, 2012 by Red Horse | No comments
Originally posted by kazmot.

CrimePack exploit kit is just like any other exploit kit. It contains various code that exploits vulnerabilities in the system and in some of the applications installed on it. Commonly, this exploit code downloads and executes an arbitrary file on the system. We were able to download a Dorkbot worm from one of the malicious links we got from malwaredomainlist.com (MD5 hash: 9210a2635c63a58af18ed5dffb8f01e8, VirusTotal Scan Result available here).

This particular exploit kit has been around for several years now, version 2.0 appeared in the 1st Quarter of 2010, and the latest, as of this writing, is version 3.1.3. Some of its features are the following:

  1. Undetected from AV Scanners (Javascript & PDF/JAR/JPG files)

  2. Random PDF Obfuscation (Not using static pdf file like other packs)

  3. Blacklist checker & AutoChecker

  4. Prevent Wepawet, Jsunpack and other JavaScript unpackers to decode your page

  5. Will autocheck (can be turned off) your domain for blacklist & malware lists, and will notify you if found,  Checks the following:


    • Norton SafeWeb

    • My WebOfTrust

    • Malc0de

    • Google Safe Browsing

    • Malwaredomainlist

    • Mcafee SiteAdvisor

    • hpHosts

    • Malwareurl

Below is a running list of vulnerabilities that have been used by Crimepack exploit kit:

  • CVE-2010-1885 - HCP

  • CVE-2010-1423 - JRE 'WebStart' RCE

  • CVE-2010-0840 - Java getValue Remote Code Execution

  • CVE-2010-0806 - IE iepeers Vulnerability (IE7 Uninitialized Memory Corruption/IEPeers Remote Code Execution)

  • CVE-2009-3269 - Opera TN3270

  • CVE-2009-1136 - OWC Spreadsheet Memory Corruption

  • CVE-2009-0927 - Adobe Reader Collab GetIcon

  • CVE-2009-0355 - Firefox 3.5/1.4/1.5 exploits

  • CVE-2008-5353 - Java Deserialize

  • CVE-2008-4844 - Internet Explorer 7 XML Exploit

  • CVE-2008-2992 - Adobe Reader util.printf

  • CVE-2007-5755 - AOL Radio AmpX Buffer Overflow

  • CVE-2007-5659 - Adobe Reader CollectEmailInfo

  • CVE-2006-0003 - MDAC (IE6 COM CreateObject Code Execution)

  • Aggressive Mode - This is a Java applet that downloads and executes your exe; the feature can be turned on and off in the admin panel



Sources:
websense
offensivecomputing
malwaredomainlist

Friday, March 2, 2012

Installing Ubuntu 10.04.1 LTS 64 bit, MongoDB 2.0.3, Lamp, and RockMongo

Posted on Friday, March 02, 2012 by Red Horse | 1 comment
Originally posted by elmo.

1. Installing Ubuntu 10.04.1 LTS 64-bit

1.1 go to ubuntu download page
1.2 select Ubuntu 10.04 LTS
1.3 select 64-bit
1.4 then click Start download (you will download an iso image)
1.5 burn iso image to disc
1.6 install Ubuntu using disc


Notes:

We have selected 64-bit as MongoDB only supports 2 GB of data for 32-bit builds.

Another cool ubuntu installer is Wubi or Windows Ubuntu Installer which will allow you to install in Windows and dual boot.

To check whether you are running 32-bit or 64-bit, type "uname -m":
i686 means 32-bit
x86_64 means 64-bit


2. Installing Mongodb 2.0.3

2.1 go to MongoDb download page
2.2 click download under Linux 64-bit or "wget http://fastdl.mongodb.org/linux/mongodb-linux-x86_64-2.0.1.tgz"
2.3 unzip using "tar xzf mongodb-linux-x86_64-2.0.1.tgz"
2.4 move folder using "sudo mv mongodb-linux-x86_64-2.0.1 ~"
2.5 create data directory "sudo mkdir /data"
2.6 create db directory "sudo mkdir /data/db"
2.7 change permission "sudo chmod 777 /data/*"
2.8 go to mongo bin directory "cd ~/mongodb-linux-x86_64-2.0.1/bin"
2.9 start mongo server "./mongod"
2.10 start the mongo shell with "./mongo"


3. Installing LAMP - Apache, MySQL, PHP on Ubuntu

3.1 install tasksel "sudo apt-get install tasksel"
3.2 install LAMP stack "sudo tasksel install lamp-server"


4. Installing Rockmongo

4.1 install PEAR and development version of php "apt-get install php-pear php5-dev"
4.2 install driver for php mongodb "pecl install mongo"
4.3 configure php "nano /etc/php5/conf.d/mongodb.ini"

;----- start -----
extension=mongo.so
[mongo]
; If the driver should reconnect to mongo
mongo.auto_reconnect = true
; Whether to allow persistent connections
mongo.allow_persistent = On
; Maximum number of persistent connections (-1 means unlimited)
mongo.max_persistent = -1
; Maximum number of links (persistent and non-persistent, -1 means unlimited)
mongo.max_connections = -1
; Default host for mongo connection
mongo.default_host = www.example.com
; Default port for mongo database
mongo.default_port = 42
; When saving files to the database, size of chunks to split them into
mongo.chunk_size = 1024
; Specify an alternate character to $ to use for special db functions ($set, $push, $exists, etc.)

mongo.cmd = "$"
;----- end -----

4.4 restart apache "/etc/init.d/apache2 restart"
4.5 download rockmongo-v1.1.0.zip
4.6 unzip to "rockmongo" folder and move folder to /var/www
4.7 open a browser and type http://localhost/rockmongo/index.php
4.8 login using admin as username and password

Thursday, March 1, 2012

Baksmali

Posted on Thursday, March 01, 2012 by Red Horse | No comments
Originally posted by elmo.
Baksmali is Icelandic for "disassembler", and it is used to disassemble a dex file.

Prerequisite:
JDK (java development kit) needs to be installed in your system.

Download:
baksmali-x.x.x.jar

Syntax:
1. go to the folder where you downloaded baksmali
2. open a command prompt
3. type and execute "java -jar baksmali-x.x.x.jar <location of dex file>"
e.g. d:\tools>java -jar baksmali-1.3.2.jar d:\test\classes.dex
4. the disassembled files are located in the "out" folder inside the baksmali directory
Copyright © Anti-Malware Laboratory | Powered by Blogger