Blogs

Analysis of a CVE-2013-3346/CVE-2013-5065 exploit with peepdf

There are already some good blog posts talking about this exploit, but I think this is a really good example to show how peepdf works and what you can learn next month if you attend the 1day-workshop “Squeezing Exploit Kits and PDF Exploits” at Troopers14 or the 2h-workshop "PDF Attack: A Journey from the Exploit Kit to the Shellcode" at Black Hat Asia (Singapore).  The mentioned exploit was using the Adobe Reader ToolButton Use-After-Free vulnerability to execute code in the victim's machine and then the Windows privilege escalation 0day to bypass the Adobe sandbox and execute a new payload without restrictions.

This is what we see when we open the PDF document (6776bda19a3a8ed4c2870c34279dbaa9) with peepdf:
 

cve-2013-3346_info

 

Advertisement network installing Android FakeAV (Mobile Defender)

One month ago I was trying to find a streaming site to watch a Spanish soccer match and I found futbolenvivoaldia.com. It was a redirection to the famous site Tarjeta Roja, but the interesting thing was that when I browsed the site with my mobile phone I saw the typical Antivirus scanner saying that my device was infected. Also, an app called “androidav_free.APK” (24f0a666a714e26c6c07ab407e37b112) was trying to be downloaded to my device.
 

 
The source of this fake page was one of the advertisement networks of the site tarjetaroja.eu, Mobicow. After some redirections and some tracking URLs this network was returning the following URL to the user's browser:
 

hxxp://cleanupnowonline10.biz/?u=Y0vbAf0fW9lIhVAxPi2nZQo

 
This page was loading Javascript code from here:
 

hxxp://cleanupnowonline10.biz/js/wapc.js

 
The code was obfuscated and this was the second stage of Javascript code:
 
 
Taking a look at the script content we can see that it contains all the functions necessary to show the  fake infection page to the user. Also, we can see that the following URL was used to download the app:
 

hxxp://cleanupnowonline10.biz/apk.php

 

Styx Exploit Kit installing Simda

I was already missing these SPAM emails with some advice about my sexual life: “Your woman wants you to be the best lover”, “The greatest technique to gratify your lady”, etc. I was getting upset about this, I needed some help...;p
 

Styx Spam email

 
So finally I am receiving a lot of these again. After visiting the link (hxxp://goozix.com/its.html) we can see a redirection to a page to buy Viagra and other “medicines”. But also there is some malicious Javascript code hidden there:
 
 
The result of the deobfuscation contains code to create a cookie (“visited_uq=55”) and also an iframe to load the URL hxxp://gylaqim.com/exit.php. This domain, created on the 21st of September, resolves each time to a different IP and has a history of more than 400 IPs. It has 6 authoritative DNS servers, ns*.gylaqim.com, also resolving to multiple IPs.

Depending on the server which is responding after visiting hxxp://gylaqim.com/exit.php we will be redirected to another initial page - with another redirection to a Viagra site plus malicious Javascript code -  or to the actual exploit kit.

The initial pages seen until the moment are the following:
 

hxxp://178.170.104.124/destruction.html
hxxp://178.170.104.124/seed.html
hxxp://actes-lyon.org/true.html
hxxp://aybabtu.ru/express.html
hxxp://brave.net.nz/ocean.html
hxxp://goozix.com/its.html

Control of friends and followers on Twitter (API 1.1 update)

More than 2 years ago (that's a lot of time!) I published a simple Python script to monitor a Twitter account using Tweepy: basic account information, inactive friends and new/lost followers. But this script stopped working some time ago because Twitter updated its API to version 1.1. This update made obligatory using authentication to make any request and they also modified the request limits. Before the update, there was a limit of 150/350 requests per hour, depending on whether the request was authenticated or not, but now these limits are per request type and per 15 minutes. For example, to get a list of friends you can make a maximum of 15 requests per quarter of hour, but you can make other 15 to get a list of followers. If someone is late (like me) with the new API here you can find the full changelog.

Before starting to modify the code I had to update the Tweepy version too (2.1). The best and easiest way is using pip:
 

$ pip install tweepy

 

Yet another Andromeda / Gamarue analysis

Some days ago I read the post about Joe Security's error when they analyzed an Andromeda sample and I also found new samples of this Trojan. Then I decided that I should write something about it. At least, just to remember some tricks of Andromeda for the next time and not starting from scratch. I'm Dory, I forget things ;)

When I analyzed this malware some months ago I thought that it was quite interesting due to the Anti-debugging and Anti-VM tricks it uses. You can also find references to the same malware with the name of Gamarue. It seems it is cool to rename the same malware with different names. Then you can find some families with three different names, like Cridex / Feodo / Bugat. Anyway, I also found these two links with very good and detailed information about analyzing Andromeda:
 

 

PDF Attack: A Journey from the Exploit Kit to the Shellcode (Slides)

As I already announced in the last blog post, I was in Las Vegas giving a workshop about how to analyze exploit kits and PDF documents at BlackHat. The part related to exploit kits included some tips to analyze obfuscated Javascript code manually and obtain the exploit URLs or/and shellcodes. The tools needed to accomplish this task were just a text editor, a Javascript engine like Spidermonkey, Rhino or PyV8, and some tool to beautify the code (like peepdf ;p). In a generic way, we can say that the steps to analyze an exploit kit page are the following:
 

  • Removing unnecessary HTML tags
  • Convert HTML elements which are called in the Javascript code to Javascript variables
  • Find and replace eval functions with prints, for example, or hook the eval function if it is possible (PyV8)
  • Execute the Javascript code
  • Beautify the code
  • Find shellcodes and exploit URLs
  • Repeat if necessary

 

 

PDF Attack: A Journey from the Exploit Kit to the Shellcode

 
BlackHat USA 2013 is here and tomorrow I will be explaining how to analyze exploit kits and PDF documents in my workshop “PDF Attack: From the Exploit Kit to the Shellcode” from 14:15 to 16:30 in the Florentine room. It will be really practical so bring your laptop and expect a practical session ;) All you need is a Linux distribution with pylibemu and PyV8 installed to join the party. You can run all on Windows too if you prefer.

Now Spidermonkey is not needed because I decided to change the Javascript engine to PyV8, it really works better. Take a look at the automatic analysis of the Javascript code using Spidermonkey (left) and PyV8 (right).
 

 

The Boston Marathon bombings, RedKit and a malware zoo

Just some hours after the bombings during the Boston Marathon we already had several spam campaigns using that subject to infect users. It seems that cybercriminals don't respect anything, did we really expect something different? :p

On the past Wednesday I received four emails talking about the Boston incident. They were really suspicious, just a URL in the body, the URLs had just an IP instead of a good domain...I think someone was in a rush trying to profit from this as soon as possible, while it was still on the news...
 

 
The subjects were:
 

BREAKING - Boston Marathon Explosion 
Explosion at the Boston Marathon
Aftermath to explosion at Boston Marathon
Explosions at the Boston Marathon

 
And the URLs I saw:
 

hxxp://94.28.49 .130/boston.html 
hxxp://78.90.133 .133/boston.html
hxxp://118.141.37 .122/news.html
hxxp://110.92.80 .47/news.html

 
These URLs leaded to a simple webpage with six iframes. Five of them pointed to real videos about the tragedy and the other one redirected to a RedKit exploit kit which was trying to exploit a CVE-2012-1723 Java vulnerability (take a look at the vulnerability explanation). Also, a Meta Refresh Tag was leading to this URL:
 

Troopers13 conference - Day 2

I started the second day with the Marcus Niemietz's talk “UI Redressing Attacks on Android Devices” about the chances to cheat on the users using hidden layers to perform unwanted actions. After this, another mobile subject, Peter Kieserberg shared his ideas about the use of QR codes as a vector attack.

After lunch it was Sergey Bratus and Travis Goodspeed's turn to speak about the security of USB ports, telling how it is possible to compromise the whole system via a unattended USB port. This was a really interesting talk that one can explore by himself taking a look at some good documentation on Travis' blog.

 

 

The talk “We Came In Peace – They Don’t: Hackers vs. CyberWar” by FX was next. He gave his opinion about the actual cyberwarfare and the difference between the point of view of Governments and cybersecurity experts about this subject. Some ideas from his talk: avoid the use of 0-days as weapons through Full-Disclosure, learn how to protect you playing CTFs and don't give up.
 

Troopers13 conference - Day 1

Until now I had not had enough time to write about my experience at my first Troopers. Due to some good comments about it I had had in mind going to Troopers since some time ago, but for one reason or another I hadn't been able to do it. Last year I had the opportunity to share table with Enno Rey, Troopers organizer and CEO of ERNW, at BlackHat Europe. That time I saw they were a good team and good people, and this year, living closer to Heidelberg, I had no excuses to go.

I arrived in Heidelberg at 3:30AM after 9 hours on the road due to the bad weather conditions. I was able to rest to be ready for the talks in the next morning. I missed the keynote by Rodrigo Branco, but I heard that it was really good. The first talk I attended was “Paparazzi over IP” by Daniel Mende and Pascal Turbing about hacking a CANON camera, equipped with a wireless adapter and other features. The result was that it was possible to see all the photographs taken, control the device remotely and intercept the images while they were about to be sent to a cloud storage.

 

 

Sopelka VS Eurograbber: really 36 million EUR?

Almost one month ago I had the opportunity of giving a talk at Rooted CON for yet another year. Mikel Gastesi and me talked about Sopelka Botnet and the Eurograbber report published by Check Point and Versafe at the beginning of December 2012. You can take a look at the slides here.

 

 

After reading the Eurograbber report and taking into account that there were a lot of similarities with Sopelka Botnet, which I had analyzed some months before, I decided to write a blog post about it. At the same moment, the Rooted CON CFP was closing, so I submitted this subject and then I forced myself to research further to demonstrate that Eurograbber was just a hype. Thanks to the investigations by S21sec and Fox-IT there was more than enough information.

Give me your credit card, the NFC way

More than one month ago I gave a presentation about the NFC credit cards privacy at No cON Name (NcN), a well known Spanish security conference. It's not a new subject and, also, some researchers presented talks about it in other conferences during this year, but, until that moment, there were no proofs of concept with Spanish credit cards (at least public ones). You can take a look at the presentation here (Spanish).

 

 

As I have mentioned in some posts about this subject, NFC payments are a normal part of life in some Asiatic countries, like Japan. However, this technology has arrived this year to Spain and other European countries, supported by banks, mostly. The result is that a person could have an NFC credit card in his wallet without even knowing it. It wouldn't be a problem if data were correctly protected, but we can't assume anything in the security world and this is another proof of that.

Uncovering the "new" Eurograbber: really 36 million EUR?

Eurograbber is in the news, beware. Some days ago Versafe and Check Point Software Technologies published a “new” threat report titled “A Case Study of Eurograbber: How 36 Million Euros was Stolen via Malware”. A bit sensationalist, yes. If it was well documented and there was real proof of that, I would have nothing to say, but it turns out that this threat is not so new and I wrote about it by the end of September, when I was working at S21sec. I called this Sopelka botnet.

Apart of being new or not (I think all of us thought that we were the first ones when really not), the report throws some data about affected banks/users and, the most important, the amounts stolen from each country by the fraudsters: more than 16 million EUR in Italy, almost 13 million EUR in Germany, almost 6 million EUR in Spain and more than 1 million EUR in Netherlands. In summary, more than 36 million EUR in Europe. Taking into account the sad times we are living in, crisis times, it's pretty noteworthy, isn't it?

This report and, above all, these stolen amounts have been quickly published everywhere and are quite widespread, faster than some of the most infamous Trojans. That's why I would like to say some words about the report and these astonishing amounts:

 

  • It's not a new Trojan, not a new customized ZeuS, it's just Citadel. Citadel, but also Tatanga and Feodo. In this botnet were used at least three different Trojans.
     

Sopelka Botnet: three banking trojans and one banking panel

Sopelka botnet started life in May this year and was taken down by end of September. It has been called Sopelka because of the path used in the distribution of binaries and configuration files, and was an odd mixture of variants of the known banking trojans Tatanga, Feodo and Citadel.

This botnet’s objective was the collection of banking credentials from European entities, mostly banks from Spain and Germany, but also Holland, Italy and Malta. In addition, it made use of different mobile components for Android, BlackBerry and Symbian phones. Symbian was the first operating system where this type of malicious component emerged two years ago.

During the botnet’s lifetime there were at least five campaigns and it’s likely that more were carried out. Of the five known campaigns, three of them installed variants of Citadel (versions 1.3.4.0 and 1.3.4.5), another Feodo, and Tatanga was the chosen trojan in the other one. All the Citadel campaigns carried the name “sopelka” (a flute type in Russian) in their download paths for binaries and configuration files, but this was not the case with Tatanga and Feodo.

New peepdf v0.2 (Black Hat Vegas version)

Last week I was in Vegas presenting the new release of peepdf, version 0.2. Since my release at Black Hat Amsterdam some months ago I hadn't created a new package so it was time to do it. You can now download the new package here or use “peepdf -u” to update it to the latest version.

 

 
So the main new features, besides the fixed bugs, are the following:

  • Added support for AES in the decryption process: Until now peepdf supported RC4 as a decryption algorithm but AES was a must. Now here it is, so no more worries for decrypted documents. I will be ready for new changes in the decryption process, someone in Vegas told me that the next AES modification for PDF files is coming...

 

 

Syndicate content