Presentation is loading. Please wait.

Presentation is loading. Please wait.

Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis

Published byGwenda Tucker Modified over 6 years ago

Similar presentations

Presentation on theme: "Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis"— Presentation transcript:

1 Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis
11/20/2018 Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis Peter Schawacker, CISSP

2 Overview The JS.Scob.Trojan Timeline IE Security Overview
11/20/2018 Overview The JS.Scob.Trojan Timeline IE Security Overview How the attacks work Effects Solutions

3 Scob AKA Download.Ject JS.Scob.Trojan JS.Toofeer Backdoor.Berbew.F
11/20/2018 Scob AKA Download.Ject JS.Scob.Trojan JS.Toofeer Backdoor.Berbew.F

4 11/20/2018 MS04-011?? Scob

5 Internet Explorer Security
11/20/2018 Internet Explorer Security Cross Domain Model Local Machine Zone "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."

6 Timeline: ADODB.Stream Object Bug
11/20/2018 Timeline: ADODB.Stream Object Bug FullDisclosure Post August 26, 2003!! IE Bug allows client-side code execution Detailed Analysis Harmless example:

7 11/20/2018 Scob Discovered June 24 The original post is available in the June 24 Internet Storm Center Handlers Diary

8 Effects Trojan horse installation – Scob
11/20/2018 Effects Trojan horse installation – Scob Purpose of trojan to steal accounts An account is an identity!! First time web servers used since Nimda

9 Compromised IIS Servers
11/20/2018 Compromised IIS Servers A file is dropped on an IIS Server and subsequently executed to prepare the server. The relevant actions are: File is dropped on IIS Server Create ads.vbs Drop files in C:\winnt\system32\inetsrv/iis###.dll Server configured to use this file as a footer Modify the configuration of the IIS Server such that served web pages are appended by a footer that contains malicious Java code

10 What Scob does Redirects IE to http://217.107.218.147/dot.php
11/20/2018 What Scob does Redirects IE to Visitor redirected to a file called new.html Exploit code redirects the visitor to Shellscript_loader.js In turn, downloads and installs msits.exe (ADODB.Stream Object File Installation Weakness vulnerability)

11 What Scob does (continued)
11/20/2018 What Scob does (continued) msits.exe application writes itself to a random executable file in c:/winnt/system32 Windows Media Player? Reruns the process from the system directory. Copies two HTML forms, crude login templates and a log file (surf.dat) to the system directory msits.exe attempts to record authentication credentials and their corresponding URLs Quasi-rootkit patches “PhysicalMemory” device Doesn’t appear in Task List

12 Sites of Interest to Scob/msits.exe
11/20/2018 Sites of Interest to Scob/msits.exe Paypal.com Signin.ebay .earthlink. juno.com my.juno.com/s webmail.juno.com yahoo.com

13 11/20/2018 Workarounds Set the “Kill Bit” on the ADODB.Stream Object (no patch from MS) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveXCompatibility\{ AA006D2EA4}] "CompatibilityFlags"=dword: Make Local Zone/My Computer Zone visible from the Internet Options Security tab Don’t use IE (USCERT) (!!)

14 Host IPS Countermeasures (IIS Server)
11/20/2018 Host IPS Countermeasures (IIS Server) Triggers event “IIS Shielding - File Mod. in System folder” Triggers event “IIS Shielding - Conf. File Activity (ADMCOMConnect)”

15 Network IPS Countermeasures (IIS)
11/20/2018 Network IPS Countermeasures (IIS) SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs KERBEROS: Microsoft Kerberos ASN.1 Double Free Encoding Error LDAP: Active Directory BO SSL: Invalid Client Hell Cipher Suite Value SSL: Overly Long PCT Client Hello Challenge SSL: Microsoft ASN.1 Double Free Code Execution SSL: PCT THCLame Challenge Buffer Overflow DCERPC: Microsoft Windows LSASS Buffer Overflow DCERPC: Microsoft RPC DCOM Buffer Overflow DCERPC: Microsoft RPCSS Heap Overflow DCERPC: Microsoft Message Queue Service Heap Overflow DCERPC: Microsoft Messenger Service Buffer Overflow DCERPC: Microsoft Workstation Service Buffer Overflow DCERPC: W32/Gaobot.worm Detected

16 IPS Countermeasures (IE Client)
11/20/2018 IPS Countermeasures (IE Client) Triggers event "IE Envelope Suspicious Executable Modification”

17 Anti-virus Detected by McAfee VirusScan BackDoor-AXJ.gen VBS/Psyme
11/20/2018 Anti-virus Detected by McAfee VirusScan BackDoor-AXJ.gen VBS/Psyme   Exploit-MhtRedir.gen BackDoor-AXJ.dll

18 Why is this important? What if your web server is trojaned?
11/20/2018 Why is this important? What if your web server is trojaned? What if your desktop is trojaned? Who is doing this? What’s next? What should be done?

19 Sources http://www.microsoft.com/security/incident/download_ject.mspx
11/20/2018 Sources

20 11/20/2018 Questions Peter Schawacker

Download ppt "Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis"

Similar presentations

Windows Vista Security Tidbits

Windows Vista Security Tidbits
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.

Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation

©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation
Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.

Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.

Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
Information for Developers Windows XP Service Pack 2 Information for Developers.

Information for Developers Windows XP Service Pack 2 Information for Developers.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.

2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.
Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Similar presentations

Ads by Google