Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis

Presentation transcript:

Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis (11/20/2018)
Peter Schawacker, CISSP

Overview
- The JS.Scob.Trojan
- Timeline
- IE Security Overview
- How the attacks work
- Effects
- Solutions

Scob AKA
- Download.Ject
- JS.Scob.Trojan
- JS.Toofeer
- Backdoor.Berbew.F

MS04-011?? Scob

Internet Explorer Security
- Cross Domain Model
- Local Machine Zone: "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."

Timeline: ADODB.Stream Object Bug
- Full-Disclosure post, August 26, 2003!! IE bug allows client-side code execution
- Detailed analysis: http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html
- Harmless example: http://62.131.86.111/security/idiots/repro/installer.htm

Scob Discovered June 24
The original post is available in the June 24 Internet Storm Center Handlers Diary: http://isc.sans.org/diary.php?date=2004-06-24&isc=400aeeda81e747d8889dacd941b7ebf6

Effects
- Trojan horse installation: Scob
- Purpose of the trojan is to steal accounts; an account is an identity!!
- First time web servers used since Nimda

Compromised IIS Servers
A file is dropped on an IIS server and subsequently executed to prepare the server. The relevant actions are:
- File is dropped on the IIS server
- Create ads.vbs
- Drop files in C:\winnt\system32\inetsrv\iis###.dll
- Server configured to use this file as a footer: the IIS configuration is modified so that every served web page is appended with a footer containing malicious JavaScript

What Scob does
- Redirects IE to http://217.107.218.147/dot.php
- Visitor is redirected to a file called new.html
- Exploit code redirects the visitor to Shellscript_loader.js
- In turn, downloads and installs msits.exe (ADODB.Stream Object File Installation Weakness vulnerability)

What Scob does (continued)
- msits.exe writes itself to a random executable file in c:\winnt\system32 (Windows Media Player?) and reruns the process from the system directory
- Copies two HTML forms (crude login templates) and a log file (surf.dat) to the system directory
- msits.exe attempts to record authentication credentials and their corresponding URLs
- Quasi-rootkit: patches the “PhysicalMemory” device; doesn’t appear in the Task List

Sites of Interest to Scob/msits.exe

Workarounds
- Set the “Kill Bit” on the ADODB.Stream object (no patch from MS):
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
  "CompatibilityFlags"=dword:00000400
- Make the Local Zone/My Computer Zone visible from the Internet Options Security tab
- Don’t use IE (US-CERT) (!!)
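An added defender-side script for the two server/client checks this deck describes (it is not part of the original slides): it verifies and, if needed, sets the ADODB.Stream kill bit from the Workarounds slide, and it lists every IIS location with a document footer enabled, since the Compromised IIS Servers slide shows the footer setting is how Scob was delivered. Assumptions: the registry key name contains a space ("ActiveX Compatibility"), the server is IIS 6 with its metabase at %windir%\system32\inetsrv\MetaBase.xml using the EnableDocFooter/DefaultDocFooter properties, and the function names are mine.

```powershell
# Added example, not from the original deck. Run elevated on the IIS host.
$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'   # CLSID from the slide
# Assumption: the real key name has a space, unlike the slide's "ActiveXCompatibility".
$KillBitBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400                                           # CompatibilityFlags kill bit

function Test-KillBit {
    # Returns $true only if the CLSID's CompatibilityFlags value has the 0x400 bit set.
    param([string]$Clsid)
    $key = "$KillBitBase\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name CompatibilityFlags -ErrorAction SilentlyContinue).CompatibilityFlags
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

function Set-KillBit {
    # Sets the kill bit without clearing any other CompatibilityFlags bits already present.
    param([string]$Clsid)
    $key = "$KillBitBase\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $key -Name CompatibilityFlags -ErrorAction SilentlyContinue).CompatibilityFlags
    if ($null -eq $flags) { $flags = 0 }
    New-ItemProperty -Path $key -Name CompatibilityFlags -PropertyType DWord `
        -Value ($flags -bor $KillBitFlag) -Force | Out-Null
}

function Get-IisDocFooters {
    # Assumption: IIS 6 metabase XML with EnableDocFooter/DefaultDocFooter attributes.
    # Any footer file you did not configure yourself (e.g. something under inetsrv) is a finding.
    param([string]$MetabasePath = (Join-Path $env:windir 'system32\inetsrv\MetaBase.xml'))
    if (-not (Test-Path $MetabasePath)) { return @() }
    [xml]$mb = Get-Content -Path $MetabasePath -Raw
    $mb.SelectNodes('//*[@EnableDocFooter]') |
        Where-Object { $_.EnableDocFooter -eq 'TRUE' } |
        ForEach-Object {
            [pscustomobject]@{ Location = $_.Location; Footer = $_.DefaultDocFooter }
        }
}

if (Test-KillBit $AdodbStreamClsid) { 'ADODB.Stream kill bit is set.' }
else { 'ADODB.Stream kill bit is NOT set; call Set-KillBit $AdodbStreamClsid to apply the workaround.' }
Get-IisDocFooters | Format-Table -AutoSize
```

On IIS 7 and later the footer setting lives in applicationHost.config rather than MetaBase.xml, so Get-IisDocFooters returns nothing there and a different check is needed.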

Host IPS Countermeasures (IIS Server)
- Triggers event “IIS Shielding - File Mod. in System folder”
- Triggers event “IIS Shielding - Conf. File Activity (ADMCOMConnect)”

Network IPS Countermeasures (IIS)
- SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs
- KERBEROS: Microsoft Kerberos ASN.1 Double Free Encoding Error
- LDAP: Active Directory BO
- SSL: Invalid Client Hello Cipher Suite Value
- SSL: Overly Long PCT Client Hello Challenge
- SSL: Microsoft ASN.1 Double Free Code Execution
- SSL: PCT THCLame Challenge Buffer Overflow
- DCERPC: Microsoft Windows LSASS Buffer Overflow
- DCERPC: Microsoft RPC DCOM Buffer Overflow
- DCERPC: Microsoft RPCSS Heap Overflow
- DCERPC: Microsoft Message Queue Service Heap Overflow
- DCERPC: Microsoft Messenger Service Buffer Overflow
- DCERPC: Microsoft Workstation Service Buffer Overflow
- DCERPC: W32/Gaobot.worm Detected

IPS Countermeasures (IE Client)
- Triggers event "IE Envelope Suspicious Executable Modification"

Anti-virus
Detected by McAfee VirusScan as:
- BackDoor-AXJ.gen
- VBS/Psyme
- Exploit-MhtRedir.gen
- BackDoor-AXJ.dll

Why is this important?
- What if your web server is trojaned?
- What if your desktop is trojaned?
- Who is doing this?
- What’s next?
- What should be done?

Sources
- http://www.microsoft.com/security/incident/download_ject.mspx
- http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
- http://62.131.86.111/analysis.htm
- http://www.incidents.org/

Questions
Peter Schawacker, ps@nai.com, 760-880-4258