The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.
11.22.2006 - 7:35 PM
This year has been the busiest in history for zero-day attacks. The WMF attacks bled over from late 2005, then CreateText arrived, and more recently, the VML attacks began. All of these vulnerabilities were being actively exploited in the wild long before patches were released to address the vulnerabilities.
These zero-day attacks represent a serious threat to users. However, this post will not get into the specifics of zero-day attacks or the current problems caused by exploit code being released before mitigation is available. Our U.S. Thanksgiving Malcode of the Week entry is going to look at the fact that many users are not patching at all.
In most cases, Proof-of-Concept (POC) explo...
11.20.2006 - 4:13 PM
Introduction
In this issue of "Malcode of the Week," I'm going to analyze an exploit from the recently patched MS06-067 "Direct Animation" vulnerability. I'll demonstrate one tool that I've found extremely useful in turning Unicode-encoded shellcode into bytes, and I’ll step through the analysis of what the exploit is doing and how it's doing it.
The exploit analyzed here has already been posted publicly, so I won’t be revealing any details that have not already been published. The purpose of this post is to give our readers insight on how to analyze this general type of exploit; thus, the information is not necessarily specific to this one vulnerability.
This is the payload of the exploit in %u Unicode-encoded format:
%u9090 = 0x90 0x90 instructions (NOPs)
Unicode encoding is commonly used, but the bytes may be encoded with hexadecimal escape characters as well. %90%90 hex encoding would be equivalent to %u9090.
Because we already have the payload in Unicode-encoded instruction format, our next step is to remove the encoding format (%u), and then turn the shellcode bytes into assembly instructions, so that we can understand the effect of this exploit.
Converting Unicode-Encoded Shellcode to Linear Byte Order
One publicly available tool I like to use is Shellcode 2 EXE, written by Dave Zimmer of iDefense.
This tool accepts a number of byte-sequence formats as input, such as Unicode-encoded shellcode, \x-style C strings, and raw hex strings.
Once you paste your byte sequence into the text box, you have two choices:
Download an exe (leave "Bytes Only" unchecked). This places the bytes inside an exe stub.
Download a "Bytes Only" file.
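As an added example (not part of the original post and not the Shellcode 2 EXE tool), here is a small Python decoder that performs the conversion described above: it strips the %uXXXX and %XX escapes and emits the bytes in the little-endian order they occupy in memory, so %u9090 becomes 0x90 0x90 while %u4142 becomes 0x42 0x41. The sample payload and the helper names are constructed for illustration.

```python
import re
import struct

# Matches a %uXXXX JavaScript Unicode escape or a %XX hex escape.
_ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", re.ASCII)


def decode_escaped_shellcode(encoded: str) -> bytes:
    """Convert a %u / %XX escaped string into the linear bytes it occupies in memory.

    Each %uXXXX escape is one UTF-16 code unit; Windows stores it little-endian,
    so %u4142 becomes the bytes 42 41. A %XX escape is a single byte. Literal
    characters between escapes are copied through as Latin-1 (assumption: the
    string contains only code points below 0x100 outside the escapes).
    """
    out = bytearray()
    pos = 0
    for m in _ESCAPE_RE.finditer(encoded):
        out += encoded[pos:m.start()].encode("latin-1")  # any literal text
        if m.group(1) is not None:
            out += struct.pack("<H", int(m.group(1), 16))  # swap to byte order
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += encoded[pos:].encode("latin-1")
    return bytes(out)


def nop_sled_length(code: bytes) -> int:
    """Count the leading 0x90 (NOP) bytes, the sled that usually opens a payload."""
    n = 0
    for b in code:
        if b != 0x90:
            break
        n += 1
    return n


def to_c_string(code: bytes) -> str:
    """Render bytes as a \\x-style C string, another format the tool accepts."""
    return '"' + "".join(f"\\x{b:02x}" for b in code) + '"'


# Constructed sample: four NOPs followed by a few bytes, in both encodings.
SAMPLE_UNICODE = "%u9090%u9090%uE8FC%u0082"
SAMPLE_HEX = "%90%90%90%90%FC%E8%82%00"

if __name__ == "__main__":
    code = decode_escaped_shellcode(SAMPLE_UNICODE)
    print(code.hex(), nop_sled_length(code), to_c_string(code))
```

Feed the resulting bytes (or the C-string form) to a disassembler, or to Shellcode 2 EXE, to continue the analysis.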
11.10.2006 - 1:14 PM
Web-Attacker Exposed
While reading our previous posts, you may have noticed quite a few references to something called the Web-Attacker toolkit. The reason we have mentioned Web-Attacker so frequently is that nearly one-third of the malicious websites we discover are using it to infect their victims; it is incredibly popular. Take a look at an introduction to Web-Attacker, translated directly from the Russian website that sells the kit:
Dear Friends! We would like to offer you multi-component exploit Web-Attacker, that realizes vulnerabilities in the internet browsers Internet Explorer and Mozilla Firefox. With the help of this exploit you will be able to install any programs on the local disks of visitors of your web pages. In the foundation of work of the exploit Web-Attacker, there are 7 already-known vulnerabilities in the internet browsers.
Objective of the Exploit: Hidden drop of the executable from the deleted source to the local hard drive of the site visitor.
Simply put, Web-Attacker is a Perl CGI script designed to exploit website visitors and execute code on their local computer. The script may be purchased from a Russian group for $300 or upgraded for $25. Once it is purchased and installed, the buyer simply needs to provide some type of malware (keylogger, spyware, and the like). Check out one of our previous alerts for a more complete overview:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=472
The above information is nothing new; Web-Attacker has been around for well over a year now. But just when we thought we knew practically everything there was to know about the toolkit, we stumbled across something incredibly interesting: its source code. So, guess what our analysis today is going to focus on? But before we jump into the source code, I am going to give a brief overview of the components of Web-Attacker and where the script we discovered fits into the picture.
Web-Attacker Components
go.php
This "begins" the attack. You will typically see this file loaded from within a hidden iframe in a compromised page. It performs some basic checks and then simply forwards to the next step, with the homepage parameter.
ie0609.cgi
This is the heart and soul of Web-Attacker. This is the script for which we recently obtained the source code and is where the majority of Web-Attacker's functionality lies. This particular version is the 2006 (06) September (09) release. The earliest we are aware of is ie0502 -- 2005 (05) February (02).
Records user statistics (timestamp, OS, browser, country, and so forth).
Delivers the exploit requested by demo.php.
If the exploit is successful, provides a malicious executable.
Records exploit success/failure statistics.
Displays collected statistics in HTML graph/table format.
demo.php
Contains a block of obfuscated JavaScript. This JavaScript performs several browser checks to determine which exploits should be attempted and then redirects back to ie0609.cgi.
*.dat
These dat files contain the actual exploit code to be used. They are accessed by ie0609.cgi and are typically not directly available externally.
Typical Attack Walkthrough
User visits a compromised webpage containing a hidden iframe that loads go.php.
go.php redirects to ie0609.cgi?homepage, which redirects to demo.php.
Obfuscated JavaScript from demo.php determines which exploit should be attempted and redirects to ie0609.cgi?type=<EXPLOIT_TYPE>.
11.01.2006 - 2:23 PM
In July, researcher HD Moore set forth to publish a new browser bug for each day of the month (1).
This month a group of kernel hackers has brought us a similar project aimed at finding kernel bugs (2). The project is mainly aimed at UNIX environments ...
Previous Posts
November 2006
| Date | Title |
| --- | --- |
| 11.22.2006 | MOTW: Gobble, Gobble |
| 11.20.2006 | MOTW: Exposing Web Exploits |
| 11.10.2006 | MOTW: Web-Attacker Exposed |
| 11.01.2006 | Month of Bugs... Kernel Style |