Signed CryptoWall Distributed via Widespread Malvertising Campaign

Sep 28, 14

Posted by in Research

This evening, Barracuda Labs’ URL analysis system detected drive-by downloads originating from five Alexa top-ranked websites: hindustantimes[.]com, bollywoodhungama[.]com, one[.]co[.]il, codingforums[.]com, and mawdoo3[.]com. Threatglass entries are available for each of these sites. In every case, malicious content arrived via the site’s use of the Zedo ad network. Specifically, the following subchain is common to every site’s sequence of events.

<site index> -> hxxp://[c2|c5][.]zedo[.]com/jsc/[c2|c5]/fo.js
–> hxxp://ss1[.]zedo[.]com/jsc/fst.js
—> hxxp://static[.]rcs7[.]org/seo1.php?ds=true&dr=<…>
—-> hxxp://xenon[.]asapparts[.]com/akamai/adsone.php?acc=<…>

In the above subchain, ss1[.]zedo[.]com served obfuscated JavaScript that began a series of redirects to malicious content. The last site, xenon[.]asapparts[.]com, redirected to one of several different exploit kit-backed sites. Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim’s system. The particular instance delivered via tonight’s campaign has a valid digital signature and appears to have been signed just hours before its distribution. Per the screenshot below, initial VirusTotal results indicated 0/55 detections. Those results have since improved, with additional tools now identifying the program as malicious. With any luck, the certificate used to sign the executable will be revoked...


The Future of Software Vulnerability Exploitation

Sep 19, 14

Posted by in Research

Next week I will be speaking at Virus Bulletin 2014 about how every month, attackers successfully compromise hundreds of thousands of computers from just tens of legitimate, top-ranked websites. Such campaigns are orchestrated via drive-by downloads, which target vulnerabilities in the web browser or its plugins. Software vulnerability exploitation continues to be the bane of securing an organization’s systems and networks because even security-conscious users who follow best practices remain vulnerable. This post briefly considers advances in compiler and OS-level protections that have substantially complicated (and may one day eliminate) the successful exploitation of such vulnerabilities.

The execution of arbitrary, attacker-decided code begins with the exploitation of a software vulnerability that corresponds to one of a small number of exploit classes (e.g., stack buffer overflows, heap overflows, use-after-free exploits). New classes of software exploitation or defense mitigation are rare — so rare that vendors like Microsoft will pay $100,000 or more for their discovery. Moreover, because there are a small number of exploit classes, compiler and OS software vendors have developed numerous defenses that must be bypassed (i.e., via the discovery and exploitation of separate vulnerabilities). Thus, an exploit that targets an arbitrary code execution vulnerability in a modern, popular software instance (e.g., Internet Explorer) is but one component that must be combined with others to pull off a successful attack.

Finding additional vulnerabilities to create a working attack sequence may sound like a linear increase in the amount of work for an attacker, but there is actually significant asymmetry (that favors the defender) at play. Consider the canonical stack buffer overflow attack: originally, all an attacker needed to do was overwrite the return address so that their shellcode was executed when a function returned. Now, an attacker must:

1) Determine a bypass for the results of overwriting a stack canary (e.g., by targeting an exception handler address on the stack instead);
2) Determine a bypass for a non-executable stack (e.g., by reusing parts of the original program to create a fake stack frame);
3) Potentially identify a...


Italian Mobile Operator Connects Customers to Malware

Sep 13, 14

Posted by in Research

On Monday of this week Tre.it, the website of a major Italian cellular provider, served malware to visitors via drive-by downloads. The set of requests that began with a visit to the Tre.it index page and ended with the installation of malware is as follows.

hxxp://tre[.]it
-> hxxp://www[.]tre[.]it
–> hxxp://www[.]tre[.]it/res/js/adv/adv.js
—> hxxp://adv[.]tre[.]it/www/delivery/spc.php?zones=<…>
—-> hxxp://scream[.]padsandpalaces[.]com/js/ads/show_ads.js?ver=4
—–> hxxp://nissan[.]charubhashini[.]info:9290/updates/help/js/wifi.php?styles=343
——> hxxp://nn[.]rainbowthots[.]in:9290/style.php?howto=<…>

In the above chain, wifi.php?styles=343 contains obfuscated malicious content generated by a new variant of the Sweet Orange Exploit Kit. Included in the file is an exploit for CVE-2013-2551, which successfully compromised the browser in our URL analysis honeypot. Uploading the file to VirusTotal reveals that just 1 of 55 tools successfully identifies the exploit as malicious. As always, a PCAP capture file attesting to the details of this event is available via...


FlashPack Exploit Kit Analysis – Part 2

Sep 06, 14

Posted by in Research

In describing the malicious infrastructure used in a recent drive-by download campaign, last week I provided an initial overview of the FlashPack Exploit Kit. This post completes that analysis and concludes discussion of the original observation that, years later, initial AV detection rates are still low. For reference, below are the final three URLs in the chain of requests that began with a visit to the index page of Alexa top-ranked website Indowebster[.]com and ended with the retrieval and installation of malicious software.

—–> hxxp://8k930v312odrz23bvy11otj[.]full-potencja[.]pl/kafecodes/pappalldy/mintelext.php
——> hxxp://8k930v312odrz23bvy11otj[.]full-potencja[.]pl/kafecodes/pappalldy/sarmholsterthenc.php
——-> hxxp://8k930v312odrz23bvy11otj[.]full-potencja[.]pl/kafecodes/pappalldy/lodyoathsk.php

The previous post on FlashPack stopped after deobfuscation of mintelext.php, which represents the central component of the kit. An analysis of its contents reveals that nine different vulnerabilities across three distinct software components — Internet Explorer, Adobe Flash Player and the Java Web Plugin — were targeted. The corresponding CVEs for each software component are as follows.

Internet Explorer: CVE-2013-2551, CVE-2013-3918, and CVE-2014-0322
Adobe Flash Player: CVE-2013-0634, CVE-2014-0497, and CVE-2014-0515
Java Web Plugin: CVE-2011-3544, CVE-2013-2460, and CVE-2013-2471

In the above chain, sarmholsterthenc.php contains an exploit for CVE-2013-2551. Two weeks after the drive-by download campaign, VirusTotal results for that file reveal that AV detections are still low, as only 10 of 54 tools successfully identify it as malicious. In Barracuda Labs’ capture of the event, the exploit for CVE-2013-2551 succeeded and the resulting malware payload — lodyoathsk.php — was retrieved and executed.
As predicted, the initially low (8/54) number of successful detections for the payload has improved dramatically over the last two weeks, and 43 of 55 tools now flag the executable as malicious. In fact, as of August 29 (just one week after the initial scan), detections had improved to 40 of 53 tools. While this timescale is a marked improvement from those of the late 2000s, future advances in threat detection must narrow the window much further in order to meaningfully degrade the utility of a compromised...


FlashPack Exploit Kit Analysis – Part 1

Aug 30, 14

Posted by in Research

Last week I wrote about the low rate of initial AV detections by referencing drive-by download-served malware produced from a visit to Indowebster[.]com, an Alexa top-ranked website. In this and next week’s posts, I cover some highlights of the software used to facilitate the drive-by campaign. To begin, below is the set of redirects that began with a visit to the index page of Indowebster and ended with the retrieval of the malware executable.

hxxp://indowebster[.]com
-> hxxp://www[.]indowebster[.]com
–> hxxp://www[.]nyunyu[.]com/embed/idws2.php
—> hxxp://8k930v312odrz23bvy11otj[.]full-potencja[.]pl/index.php?o=bWdl<…>
—-> hxxp://8k930v312odrz23bvy11otj629153efc2d1663f040eb9b5094b89713[.]full-potencja[.]pl/index2.php
—–> hxxp://8k930v312odrz23bvy11otj[.]full-potencja[.]pl/kafecodes/pappalldy/mintelext.php
——> hxxp://8k930v312odrz23bvy11otj[.]full-potencja[.]pl/kafecodes/pappalldy/sarmholsterthenc.php
——-> hxxp://8k930v312odrz23bvy11otj[.]full-potencja[.]pl/kafecodes/pappalldy/lodyoathsk.php

In the above chain, Nyunyu[.]com is itself a popular website that normally provides content presented on the front page of Indowebster. However, in this case, the URL redirected to an instance of the FlashPack (or SafePack) exploit kit. The FlashPack instance in turn served a series of obfuscated JavaScript files, which comprise the remainder of the chain. The first two pages (index.php and index2.php) both redirect to Base64-obfuscated URLs via the setTimeout method, which may represent attempts to evade real-time URL analysis systems; the corresponding code excerpts are as follows.

index.php:
setTimeout(function() { location.replace(b64dc(str)); }, 292);

index2.php:
setTimeout(function() { document.body.insertBefore(wfhlc, document.body.lastChild); }, 803);

The second redirection above results in a request for mintelext.php, which contains hex-encoded, RC4-encrypted JavaScript; a code excerpt is as follows.

mintelext.php:
(this)['eval'](rc4('OrbitWhite', hex2bin('50dadd52ab27aad68cb89ccd<…>')));

Deobfuscating mintelext.php reveals the central component of the kit that facilitates delivery of an exploit cocktail targeting both the browser and its plugins. For discussion of the nine software vulnerabilities this instance of FlashPack was capable of targeting and the conclusion of the analysis, visit Barracuda Labs this time next week! Thanks to Kafeine of Malware Don’t Need Coffee for exploit kit identification...
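The two obfuscation layers quoted above (the Base64 setTimeout redirect in index.php and the hex2bin/RC4 layer in mintelext.php) can be unwound offline without ever running the kit's script. The following is an added example, not code from the original post or from the kit: a Node.js decoder that reproduces rc4 and hex2bin, returns the decoded script as text instead of passing it to eval, and defangs decoded redirect targets in the post's own hxxp/[.] style. It uses the key string 'OrbitWhite' exactly as quoted, assumes the kit's b64dc is a standard Base64 decoder (the post does not show its body), and encodes a constructed stand-in script and URL because the real blobs are truncated on the page.

```javascript
// Added example (not code from the original post or from FlashPack): analyst-side
// decoders for the hex2bin/RC4 and Base64 layers described in the post. Decoded
// content is returned as text and never passed to eval.

const KIT_RC4_KEY = 'OrbitWhite'; // key string exactly as quoted from mintelext.php

// RC4: key scheduling, then keystream XOR over the data. Works on byte arrays and
// is its own inverse, so the same call both encrypts and decrypts.
function rc4(keyBytes, dataBytes) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = new Uint8Array(dataBytes.length);
  let i = 0;
  j = 0;
  for (let k = 0; k < dataBytes.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = dataBytes[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// hex2bin: the kit's hex layer. Whitespace is tolerated; odd lengths or non-hex
// characters raise instead of being silently truncated.
function hex2bin(hex) {
  const clean = hex.replace(/\s+/g, '');
  if (clean.length % 2 !== 0 || /[^0-9a-fA-F]/.test(clean)) {
    throw new Error('malformed hex blob');
  }
  const out = new Uint8Array(clean.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
  }
  return out;
}

function bin2hex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

const utf8 = { enc: new TextEncoder(), dec: new TextDecoder('utf-8') };

// Layer from mintelext.php: eval(rc4(key, hex2bin(blob))), minus the eval.
function decodeRc4HexLayer(keyStr, hexBlob) {
  return utf8.dec.decode(rc4(utf8.enc.encode(keyStr), hex2bin(hexBlob)));
}

// Defang a URL the way the post does (hxxp scheme, bracketed dots in the host only)
// so decoded redirect targets can go into notes without being clickable.
function defang(url) {
  const m = /^(https?):\/\/([^/?#]+)(.*)$/i.exec(url);
  if (!m) return url;
  const scheme = m[1].toLowerCase().replace(/^http/, 'hxxp');
  return `${scheme}://${m[2].replace(/\./g, '[.]')}${m[3]}`;
}

// Layer from index.php: location.replace(b64dc(str)). Assumes b64dc is plain
// Base64 (the post does not show its body); Buffer does the decoding here.
function decodeB64Redirect(b64) {
  return defang(Buffer.from(b64, 'base64').toString('utf8'));
}

// Constructed samples: the real blobs are truncated on the page ("<…>"), so a
// harmless stand-in script and URL are encoded here purely to exercise the decoders.
const SAMPLE_SCRIPT = 'var n = navigator.plugins.length; /* constructed stand-in */';
const SAMPLE_HEX = bin2hex(rc4(utf8.enc.encode(KIT_RC4_KEY), utf8.enc.encode(SAMPLE_SCRIPT)));
const SAMPLE_B64 = Buffer.from('http://redirect.example.test/index2.php', 'utf8').toString('base64');

console.log(decodeRc4HexLayer(KIT_RC4_KEY, SAMPLE_HEX));
console.log(decodeB64Redirect(SAMPLE_B64));
```

Because RC4 is a symmetric keystream cipher, the same rc4 routine that the kit uses to reveal its payload at run time also serves the analyst once the key is lifted from the loader; the only substantive difference in this version is that the output is returned for inspection rather than evaluated.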


Years Later, Initial AV Detections Still Low

Aug 23, 14

Posted by in Research

Despite advances in technology that improve the detection efficacy of antivirus (AV) software, identification rates for newly generated threat artifacts continue to be low. As an example, consider the VirusTotal results for malware served this week by drive-by downloads originating from Indowebster[.]com, an Alexa top-ranked website that has regularly appeared in Threatglass during the last several months. Per the aforementioned results, only 8 of 54 tools identify the executable as malicious, and among the many false negatives are the offerings of several popular AV vendors.

Come for a Drive-by Download, Stay for a Microcosm of a Long-standing Issue

Unfortunately, detection results for the exploit content that resulted in retrieval of the malware executable are no better. Per those results, only 8 of 54 tools identify the exploit as malicious. Meanwhile, detections for the deobfuscated version of the exploit are actually lower than those of the obfuscated version, which reveals continued creation of brittle, easily circumvented signatures and heuristics. If experience is any guide, within one week, detections for both the exploit and the payload should be dramatically improved. While such a timeframe is substantially better than the average delays observed half a decade ago, there is still plenty of room for improvement, as even a several-day window provides sufficient time for the attacker to achieve a variety of...
