Oct 28 2011

Tsunami – Backdoor Trojan for Mac OS X Discovered

OSX/Tsunami.A, an IRC controlled backdoor Trojan for Mac OS X, has been discovered that enables the infected machine to become a bot for Distributed Denial of Service (DDoS) attacks.

The analyzed sample contains a hardcoded list of IRC servers and channel that it attempts to connect to. This client then listens and interprets commands from the channel. The list of accepted commands can be seen in the following comment block from the C source code of the Linux variant.

Linux Tsunami

In addition to enabling DDoS attacks, the backdoor can enable a remote user to download files, such as additional malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the ability to essentially take control of the affected machine.

In terms of functionality, the Mac variant of the backdoor is similar to its older Linux brother, with only the IRC server, channel and password changed and the greatest difference being that it’s a 64-bit Mach-O binary instead of an ELF binary.

Oct 27 2011

Facebook Attach EXE Vulnerability

When using the Facebook ‘Messages’ tab, there is a feature to attach a file. Using this feature normally, the site won’t allow a user to attach an executable file. A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment.

When attaching an executable file, Facebook will return an error message stating:
“Error Uploading: You cannot attach files of that type.”

Facebook Error Uploading

When uploading a file attachment to Facebook we captured the web browsers POST request being sent to the web server. Inside this POST request reads the line:

Content-Disposition: form-data; name=”attachment”; filename=”cmd.exe”

It was discovered the variable ‘filename’ was being parsed to determine if the file type is allowed or not.

To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable like so:

filename=”cmd.exe ”

Facebook Post Hack

This was enough to trick the parser and allow our executable file to be attached and sent in a message.

Facebook Hot Stuff

Potentially allow an attacker to compromise a victim’s computer system.

Affected Products:

Time Table:
09/30/2011 Reported Vulnerability to the Vendor
10/26/2011 Vendor Acknowledged Vulnerability
10/27/2011 Publicly Disclosed

Discovered by Nathan Power

Execution POC:

Oct 26 2011

Duqu Trojan – FAQs

Duqu TrojanAn emerging malware threat identified as the Duqu trojan has received a great deal of attention because it is similar to the infamous Stuxnet worm of 2010.

What is Duqu?
The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.

Duqu Vs Stuxnet

Attribute Duqu Stuxnet
Infection Methods Unknown USB (Universal Serial Bus)
PDF (Portable Document Format)
Dropper Characteristics Installs signed kernel drivers
to decrypt and load DLL files
Installs signed kernel drivers
to decrypt and load DLL files
Zero-days Used None yet identified Four
Command and Control HTTP, HTTPS, Custom HTTP
Self Propagation None yet identified P2P (Peer to Peer) using RPCs
(Remote Procedure Call)
Network Shares
WinCC Databases (Siemens)
Data Exfiltration Add-on, keystroke logger for
user and system info stealing
Built-in, used for versioning
and updates of the malware
Date triggers to infect or exit Uninstalls self after 36 days Hard coded, must be in the following range:
19790509 => 20120624
Interaction with Control Systems None Highly sophisticated interaction
with Siemens SCADA control systems

The facts observed through software analysis are inconclusive in terms of proving a direct relationship between Duqu and Stuxnet at any other level.

Does Duqu target industrial control systems?
Unlike Stuxnet, Duqu does not contain specific code that pertains to supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs). Duqu’s primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization.

Is there any evidence in the code indicating specific targets?
Duqu facilitates an adversary’s ability to gather intelligence from an infected computer and the network. Any specific market segments, technologies, organizations or countries that are targeted by the Duqu malware have not yet identified.

What are indicators of a Duqu infection?
The Duqu trojan attempts to use the network to communicate with a remote command and control (C2) server to receive instructions and to exfiltrate data. Analysis of Duqu revealed that it uses the IP address as its C2 server. This IP address is located in India and has been shut down by the hosting provider. Also, Duqu may attempt to resolve the kasperskychk.dyndns.org domain name. The resulting IP address is not used for communications, so this lookup may serve as a simple Internet connectivity check. Administrators should monitor their network for systems attempting to resolve this domain or connect to the C2 IP address for possible infection.

The byproducts in Table 2 have been collected from multiple Duqu variants and would not be present on a single infected computer.

Name File Size MD5
jminet7.sys 24,960 bytes 0eecd17c6c215b358b7b872b74bfd80
netp191.pnf 232,448 bytes b4ac366e24204d821376653279cbad8
netp192.pnf 6,750 bytes 94c4ef91dfcd0c53a96fdc387f9f9c3
cmi4432.sys 29,568 bytes 4541e850a228eb69fd0f0e924624b24
cmi4432.pnf 192,512 bytes 0a566b1616c8afeef214372b1a0580c
cmi4464.pnf 6,750 bytes e8d6b4dadb96ddb58775e6c85b10b6c
(sometimes referred to as keylogger.exe)
85,504 bytes 9749d38ae9b9ddd81b50aad679ee87e
nfred965.sy 24,960 bytes c9a31ea148232b201fe7cb7db5c75f5
nred961.sys unknown f60968908f03372d586e71d87fe795c
adpu321.sy 24,960 bytes 3d83b077d32c422d6c7016b5083b9fc
iaStor451.sys 24,960 bytes bdb562994724a35a1ec5b9e85b8e054f

The name “Duqu” was assigned to this malware because the keylogger program creates temporary files that begin with the prefix “~DQ”. A computer infected with Duqu may have files beginning with “~DQ” in Windows temporary directories.

How do Duqu infections occur?
The mechanism by which Duqu infections occur is unknown. Current analysis of Duqu has not revealed any ability to infect additional systems like the Stuxnet worm could.

Is antivirus and antimalware protection sufficient for detecting Duqu?
Since its discovery, security vendors have worked to improve their ability to detect Duqu. However, the author may simply release newer variants that are no longer detected by antivirus and antimalware products.

Oct 24 2011

THC SSL DOS Tool Released

THC-SSL-DOS is a tool to verify the performance of SSL.

Establishing a secure SSL connection requires 15x more processing power on the server than on the client.

THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.

This problem affects all SSL implementations today. The vendors are aware of this problem since 2003 and the topic has been widely discussed.

This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection.

Windows binary : thc-ssl-dos-1.4-win-bin.zip
Unix Source : thc-ssl-dos-1.4.tar.gz

Use “./configure; make all install” to build.

./thc-ssl-dos 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err

Comparing Flood DDoS vs. SSL-Exhaustion Attack:
A traditional flood DDoS attack cannot be mounted from a single DSL connection.
This is because the bandwidth of a server is far superior to the bandwidth of a DSL connection: A DSL connection is not an equal opponent to challenge the bandwidth of a server.

This is turned upside down for THC-SSL-DOS: The processing capacity for SSL handshakes is far superior at the client side: A laptop on a DSL connection can challenge a server on a 30Gbit link.

Traditional DDoS attacks based on flooding are sub optimal: Servers are prepared to handle large amount of traffic and clients are constantly sending requests to the server even when not under attack.

The SSL-handshake is only done at the beginning of a secure session and only if security is required. Servers are _not_ prepared to handle large amount of SSL Handshakes.

The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for WhiteHats:
– The average server can do 300 handshakes per second. This would require 10-25% of your laptops CPU.
– Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
– Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, … or the secure database port).

Counter measurements:
No real solutions exists. The following steps can mitigate (but not solve) the problem:
– Disable SSL-Renegotiation
– Invest into SSL Accelerator

Either of these countermeasures can be circumventing by modifying THC-SSL-DOS. A better solution is desireable. Somebody should fix this.

Oct 06 2011

SpyEye Banking Trojan – Now with SMS Hijacking Capability

SpyEye TrojanThe Trusteer research team recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks. Using code captured while protecting a Rapport user, researchers discovered a two-step web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm the transactions without the user’s knowledge.

Step 1:
In the first step of the attack, SpyEye steals the victim’s online banking login details. This is standard operating procedure for financial malware like SpyEye, Zeus, and others. The fraudsters can now access the victim’s account without raising any red flags that would be picked up by fraud detection systems.

Step 2:
In Step 2, SpyEye changes the victim’s phone number of record in the online banking application to one of several random attacker controlled numbers. In order to complete this operation the attacker needs the confirmation code which is sent by the bank to the customer’s original phone number. To steal this confirmation code the attacker uses the following social engineering scheme.

First, SpyEye injects a fraudulent page in the customer’s browser that appears to be from the online banking application. The fake page purports to introduce a new security system that is now “required” by the bank and for which customers must register. The page explains that under this new security process the customer will be assigned a unique telephone number and that they will receive a special SIM card via mail. Next, the user is instructed to enter the personal confirmation number they receive on their mobile telephone into the fake web page in order to complete the registration process for the new security system. This allows the criminals to steal the confirmation code they need to authorize changing the customer’s mobile number.

Now the fraudsters can receive all future SMS transaction verification codes for the hijacked account via their own telephone network. This allows them to use the SMS confirmation system to divert funds from the customer’s account without their knowledge, while not triggering any fraud detection alarms.