The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.
Malicious Website / Malicious Code of the Week
09.29.2006 - 10:07 AM
HTML/JS Obfuscation
This week we are going to shift gears away from the topic of malicious executable analysis, and address another important battlefront in the malcode wars: obfuscated HTML and Javascript. We will first talk about some simple regular-expression based approaches to unwinding the simpler types of obfuscation, and then discuss a more complicated example that requires us to directly manipulate Javascript.
What is it?
Normally, when you are viewing a web page through your browser, you can "view source" on the page to view the HTML markup directly. Most of the time, everything is human readable, meaning the document's structure is clearly visible in the page text. For example:
One of the main areas of focus when performing security research on an HTML specimen is any URL that shows up as a link to another site or resource. There are several alternate ways to literally represent such a URL in the web page, and one of them is a process called "escaping" or "URI-encoding". The general conversion takes a single plain character such as "." , converts it to its two-character hexadecimal representation, "2E", and prefixes the sequence with a percent sign. So the URI-encoded form of a period is the sequence "%2E". This is commonly used to express reserved characters in a URI in a standardized way.
As you might expect, this formatting can be abused by people who wish to hide the content of an external link from casual view. Here is a fairly common example, which is to escape the entire URI:
[Image: source example 2]
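The following is an added example, not code from the Websense post: a small, regular-expression based unescaper of the kind the post alludes to. It pulls every href/src value out of a constructed HTML snippet, percent-decodes it repeatedly until the text stops changing (so it goes beyond the post by also handling double-encoded links), and reports what fraction of the escapes were unnecessary under RFC 3986, since a URL that escapes ordinary letters and dots wholesale is hiding its text rather than conforming to the standard. The HTML, the URLs and the 0.5 flagging threshold are all constructed for illustration.

```python
"""Unwind percent-encoded ("escaped") URLs found in HTML.

Added example; not code from the Websense post. The HTML snippet and the
URLs in it are constructed for illustration.
"""
import re

# Constructed sample page: one plain link, one fully escaped link of the
# kind the post describes, and one link that was escaped twice.
SAMPLE_HTML = """
<a href="http://www.example.com/index.html">normal</a>
<iframe src="%68%74%74%70%3A%2F%2F%77%77%77%2E%65%78%61%6D%70%6C%65%2E%63%6F%6D%2F%69%6E%64%65%78%2E%68%74%6D%6C"></iframe>
<script src="http%253A%252F%252Fwww%252Eexample%252Ecom"></script>
"""

# %XX where XX is a pair of hex digits
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
# href= or src= attribute values (good enough for a first triage pass)
_LINK = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Characters RFC 3986 never requires to be escaped.
_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def unescape_once(s: str) -> str:
    """One round of percent-decoding: '%2E' -> '.'"""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def unescape_fully(s: str, max_rounds: int = 5) -> tuple[str, int]:
    """Decode until the text stops changing (handles double encoding).

    Returns (decoded_text, rounds_applied). max_rounds bounds the loop so a
    pathological input cannot keep it spinning.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unescape_once(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    return s, rounds


def needless_escape_ratio(s: str) -> float:
    """Fraction of %XX escapes in s that encode an unreserved character.

    0.0 for a normally formed URL; close to 1.0 for a URL escaped wholesale.
    """
    escapes = _PCT.findall(s)
    if not escapes:
        return 0.0
    needless = sum(1 for h in escapes if chr(int(h, 16)) in _UNRESERVED)
    return needless / len(escapes)


def decode_links(html: str) -> list[dict]:
    """Pull every href/src value out of html and unwind its escaping."""
    results = []
    for raw in _LINK.findall(html):
        decoded, rounds = unescape_fully(raw)
        results.append({
            "raw": raw,
            "decoded": decoded,
            "rounds": rounds,
            "needless_ratio": needless_escape_ratio(raw),
        })
    return results


if __name__ == "__main__":
    # Constructed threshold: more than half the escapes being needless is a
    # strong hint the link text was obfuscated rather than encoded by necessity.
    for r in decode_links(SAMPLE_HTML):
        flag = "SUSPICIOUS" if r["needless_ratio"] > 0.5 else "ok"
        print(f"{flag:10} rounds={r['rounds']} {r['decoded']}")
```

The ratio is a triage heuristic rather than a verdict: legitimate URLs do occasionally escape unreserved characters, so it is best used to sort which links to look at first, not to block on its own.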
Web Attacker with VML being setup.
09.24.2006 - 8:15 PM
We are starting to see some sites attempting to upgrade to the latest version of Web Attacker. As previously noted, there is a new version of the widely used and distributed Web Attacker toolkit that includes exploit code for the latest I.E. "zero-day" attack (VML). See: <a href="http://www.websense.com/securitylabs/blog/blog.php?Blo...
09.24.2006 - 6:41 AM
There is a story that has surfaced out of France that Osama Bin Laden has died of Typhoid. The French newspaper L'Est Republicain posted this earlier today. There are several follow-up re...
09.22.2006 - 6:00 PM
While deciding what piece of malcode to do this week, I thought it would be interesting to do something related to the VML vulnerability uncovered earlier this week. In light of that, we have uncovered some sites that are using this vulnerability to install malcode on users' machines, and this week's malcode was dropped by one of these malicious websites.
This discussion will be split into two pieces, and it will be clear why as we reverse the code.
Programs we will be using are:
IDA Pro 5 (http://www.datarescue.com)
UPX (http://upx.sourceforge.net)
The first thing we need to do is determine whether this piece of malcode is packed. I like to jump right into things from the start and take a look around, so I opened the mal...
09.22.2006 - 11:00 AM
Now that we are seeing VML exploits proliferate across the Internet, we thought it would be fun to grab a video capture of what happens when a workstation visits an infected site. We did a similar video when the WMF zero-day was released, and our workstation was instantly flooded with spyware applications and pop-ups galore. It was an impressive sight, and obvious that you had just visited an infected site.
So, we fired up our trusty video capture tools and pointed a VMWare workstation at a random site where our miners had recently discovered an iframe conta...
Proof-of-Concept (POC) for I.E. zero-day posted.
09.20.2006 - 7:02 AM
The recently reported VML Internet Explorer "zero-day" exploit now has attack code publicly posted on ...
New Internet Explorer Zero-Day being utilized.
09.19.2006 - 8:45 AM
As of last night a new Internet Explorer "zero-day" exploit is being utilized on the Internet. The exploit appears to use a weakness within VML inside Internet Explorer (details: http://s...
09.16.2006 - 4:42 PM
P R O L O G U E
This week I'm going to demonstrate the analysis of a simple Trojan.Downloader.
I'm going to show, from start to finish, the unpacking process and the static and dynamic analysis phases that I use to categorize a malicious binary.
For the purpose of demonstration, each time I do a "malcode of the week" analysis I'm going to attempt to use a different set of tools, to give the readers of this blog some variety in the toolsets available for malware analysis.
This week I'm going to use:
PEiD (http://PEiD.has.it)
IDA Pro 5 (http://www.datarescue.com)
Import Reconstructor (http://wave.prohosting.com/mackt/projects.htm)
S C A N N I N G
We use PEiD as well as some other internally-built file scanning tools to scan the file.
PEiD results show that the file is packed with "FSG 1.33 -> dulek/xt". FSG stands for [F]ast [S]mall [G]ood exe packer. It's one of the most widely used packers for malicious binaries, and lucky for us it's normally easy to unpack since most versions of FSG do not contain any anti-debugging tricks to make unpacking more time-consuming.
U N P A C K I N G
Step 1) We open the file up in IDA Pro.
When we open it in IDA, we start with all the default options except one: when the wizard presents the "Segment Creation" dialog box, we uncheck "Create imports segment", because most packers corrupt the imports segment and rebuild it dynamically at run-time.
Once IDA starts up, we'll get a screen that looks like this:
Step 2) The next step in unpacking is to locate the original entry point (OEP), which is the entry point of the binary befo...
09.08.2006 - 2:28 AM
At the end of last week, a certain Trojan started to receive an inexplicable barrage of media coverage. Interestingly enough, this Trojan first appeared back in May of this year. We're not sure what ignited the sudden interest but we're here to hop on the bandwagon as well. In this edition of our Malicious Code of the Week we'll be taking a look at the infamous zCodec. Let's start by paying a visit to the site so we can find out what all the hubbub is about.
Note: We do not link to any malicious code directly, but it should not be too difficult to locate the sites discussed in this article. Please exercise extreme caution should you decide to visit these sites on your own.
This is amazing! This codec will give me 40% better quality on Pulp Fiction, Sin City, and my Korn albums -- no wonder everyone has been going crazy over this thing. I can't wait to check it out, but... maybe I should glance over the Terms of Use first.
ZCODEC LICENSE AGREEMENT
YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND COND... blah, blah, blah...Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and...blah, blah, blah...may offer additional components through our version checking/update sy...
09.01.2006 - 1:50 PM
Starting today, Websense Security Labs presents the analysis of the "Malicious Website / Malicious Code of the Week" which will be posted at the end of each week. These weekly postings will provide highly detailed, in-depth analysis of a piece of malicious code that the Labs has captured and classified.
General Description:
This malware is a simple Trojan downloader. Today's analysis will not focus on the actual payload, but on how the file is protected against reverse engineering. The file has been protected by a PE protector called VMProtect (Virtual Machine Protect). This protection converts assembly instructions to pseudo-code, and a virtual machine embedded in the binary interprets this newly created code. Disassemblers are then useless because they do not support the virtual CPU's instructions. VMProtect uses a rather complex virtual machine, and analyzing it would take a long time; the VM is most likely different in each protected binary, which makes such an analysis useless on any other protected binary. Instead, I chose a different approach, since the imports were not scrambled: you will find an OllyDbg script that sets a breakpoint on every API function imported by the binary, simply by parsing the Import Address Table. It is then very easy to trace the application flow and figure out what is going on in this binary.
Technical Details:
If we look at our file with a PE editor, we notice a section named ".vmp". This is a good hint that our file is VMProtected. Using IDA Pro to disassemble it, we see that our application starts with assembly code, but it does not look like clean assembly; it is obviously obfuscated on purpose. Another important piece of information: the ImageBase of our executable is 0x13140000.
Here is the disassembly of the Entry Point:
...
Previous Posts
September 2006
| Date | Title |
|---|---|
| 09.29.2006 | Malicious Website / Malicious Code of the Week |
| 09.24.2006 | Web Attacker with VML being setup. |
| 09.24.2006 | Keep an eye on NEWS stories. |
| 09.22.2006 | MOTW: VML Payload Analysis |
| 09.22.2006 | VML Candid Camera |
| 09.20.2006 | Proof-of-Concept (POC) for I.E. zero-day posted. |
| 09.19.2006 | New Internet Explorer Zero-Day being utilized. |
| 09.16.2006 | MOTW: Downloader Analysis |
| 09.08.2006 | MOTW: zCodec Delivers |
| 09.01.2006 | MOTW: VMProtect Analysis |