CVE-2009-3459, CVE-2009-4324, and one PDF trick

PDF exploits—mostly targeting Adobe Reader and Acrobat programs—are very commonly used on drive-by web sites. This situation is probably the result of the widespread use of the Adobe plugin, the rather large number of vulnerabilities found in it, and reliable exploitation techniques.

Two recent vulnerabilities for which I have added detection in Wepawet are CVE-2009-3459 and CVE-2009-4324 (click on the links to see analysis reports of two malicious samples). The former is an integer overflow in the PDF parser, the latter is a bug in the JavaScript interpreter.

The analysis of malicious PDF files is often complicated by the use of various obfuscation (or better, “confusion”) techniques. In particular, malicious PDF files are often malformed: expected sections are missing entirely, others are truncated. The attacks are still successful because Adobe Reader does a good job at automatically repairing the damaged file. Of course, analysis tools are not necessarily as good at that.

I recently found an interesting, small trick that was used in the wild. A little background first. A stream is a basic object (technically, a dictionary) used in PDF files to contain arbitrary content. In particular, malicious PDFs use streams to contain the JavaScript code used to launch an exploit. The Length entry in the stream dictionary is used to specify, you guessed it, the length of the encoded content. According to the PDF specification (Section 7.3.8.2 for the curious), the length is to be specified as an integer. The sample I found, however, used an expression (a sum) as the value of the Length entry:

obj
<</ / / / /Filter/ASCIIHexDecode/Length 100000+12488>>
stream
... stream contents ...
endstream
endobj

Lessons learned: do not trust specs and be a little lenient in the parsing of PDF files...

Update 1/7/2010: Richard B. pointed out that Acrobat seems to detect that the length specification is malformed, discards it, and falls back to a simple parsing strategy to extract the stream contents. Thanks!
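As an added illustration (example code, not Wepawet's own parser), here is a lenient stream extractor that accepts the integer form, tolerates the in-the-wild sum form, and falls back to cutting at the endstream keyword when the declaration does not line up with the file, as the update describes Acrobat doing. The object it parses is constructed for the demo, since the page's object is elided.

```python
import re

# Added example, not Wepawet's code: extract a PDF stream body when /Length is a
# spec-conformant integer, a malformed sum such as "100000+12488", or unusable.
# The object below is constructed for the demo (the page's object is elided).
SAMPLE_OBJ = (b"5 0 obj\n<</Filter/ASCIIHexDecode/Length 100000+12488>>\n"
              b"stream\n48656C6C6F>\nendstream\nendobj\n")

LENGTH_RE = re.compile(rb"/Length\s*([0-9+\s]+)")

def declared_length(dictionary):
    """Return the declared /Length, or None if it is absent or unparseable."""
    m = LENGTH_RE.search(dictionary)
    if not m:
        return None
    expr = m.group(1).strip()
    if expr.isdigit():                      # the only form the spec allows
        return int(expr)
    # Tolerate the in-the-wild sum form, but only as digit groups joined by
    # '+': never hand the expression to an evaluator.
    parts = [p.strip() for p in expr.split(b"+")]
    if parts and all(p.isdigit() for p in parts):
        return sum(int(p) for p in parts)
    return None

def extract_stream(obj):
    """Return (length_used, body). length_used is None when the declared
    value was discarded and the body was cut at the endstream keyword, the
    fallback Acrobat applies to a malformed declaration."""
    head, _, rest = obj.partition(b"stream")
    body = rest.lstrip(b"\r\n")             # keyword is followed by an EOL
    n = declared_length(head)
    if n is not None and body[n:].lstrip(b"\r\n").startswith(b"endstream"):
        return n, body[:n]                  # declaration agrees with the file
    end = body.find(b"endstream")
    if end == -1:
        raise ValueError("no endstream keyword found")
    return None, body[:end].rstrip(b"\r\n")

if __name__ == "__main__":
    print(extract_stream(SAMPLE_OBJ))       # (None, b'48656C6C6F>')
```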


Analyzing and detecting malicious flash advertisements

Today, Sean Ford is going to present our paper Analyzing and Detecting Malicious Flash Advertisements at the ACSAC Conference.

The paper describes some of the techniques we use to detect malicious Flash files. More precisely, we focused on two main threats:

The paper also describes in some detail a number of techniques that are used in malicious Flash files to evade detection (trigger-based behavior, timezone checks, etc.) and obfuscate the malicious code.

Here is the abstract:

The amount of dynamic content on the web has been steadily increasing, and sites now offer user experiences that come close to those found when running local native applications. Advanced scripting languages such as JavaScript and Adobe's Flash have been instrumental in delivering dynamic content on the Internet. Dynamic content has also become popular in advertising, where Flash has achieved success allowing the creation of rich, interactive ads that are displayed on hundreds of millions of computers per day. The success of Flash-based applications and advertisements attracted the attention of malware authors who use Flash to deliver attacks through advertising networks. This paper presents a novel approach whose goal is to automate the analysis of Flash content to identify malicious behavior. We designed and implemented a tool based on the approach, we made it available to the world, and we tested it on a large corpus of real-world Flash ads. The results show that our tool is able to reliably detect malicious Flash ads with very limited false positives.


"Presidential" spam

A technique often used by spammers to attempt to get their messages past spam filters consists of mixing the questionable content they advertise with legitimate text. This type of attack is sometimes called Bayesian poisoning since it is believed to specifically target spam filters that rely on Bayesian classifiers.

An example where this technique is applied is a message I received today:

I stand here today humbled by the task before 
<a href=http://www.bawwgt.com>dofus kamas</a>, grateful for the trust you
have bestowed, mindful of the sacrifices borne by our 
<a href=http://www.bawwgt.com>cheap dofus kamas</a>. I thank President 
<a href=http://www.bawwgt.com>dofus power leveling</a> for his service to
<a href=http://www.bawwgt.com>buy dofus kamas</a>, as well as the
generosity and cooperation he has shown throughout this transition.

This message consists of the first few sentences from Barack Obama's inaugural address, where a few words have been substituted with links to the www.bawwgt.com web site. This web site appears to be in the business of selling Kamas, the currency used in the MMORPG game Dofus, and, judging by its graphics, items from other online worlds.
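To show the effect on a word-based filter, here is an added example (not part of the original post): a tiny Laplace-smoothed Naive Bayes scorer trained on constructed corpora, scored on the message above with and without its presidential filler, beside an href-based feature that the filler cannot dilute.

```python
import math
import re
from collections import Counter

# Added example, not from the post: a tiny multinomial Naive Bayes scorer shows
# how padding with speech text drags the spam score down, and an href-based
# feature that the padding leaves untouched. Training corpora are constructed.
HAM_DOCS = [
    "grateful for the trust you have shown and mindful of the task before us",
    "i thank the president for his service and cooperation during this transition",
]
SPAM_DOCS = [
    "buy cheap dofus kamas dofus power leveling lowest prices",
    "cheap kamas buy now fast delivery best price dofus gold",
]
# The message quoted in the post, and the same message reduced to its links.
PADDED = ("I stand here today humbled by the task before "
          "<a href=http://www.bawwgt.com>dofus kamas</a>, grateful for the trust you "
          "have bestowed, mindful of the sacrifices borne by our "
          "<a href=http://www.bawwgt.com>cheap dofus kamas</a>. I thank President "
          "<a href=http://www.bawwgt.com>dofus power leveling</a> for his service to "
          "<a href=http://www.bawwgt.com>buy dofus kamas</a>, as well as the "
          "generosity and cooperation he has shown throughout this transition.")
UNPADDED = " ".join(re.findall(r"<a [^>]*>[^<]*</a>", PADDED))

def tokens(text):
    """Lowercase word tokens with HTML tags (and so hrefs) stripped."""
    return re.findall(r"[a-z]+", re.sub(r"<[^>]+>", " ", text.lower()))

def train(ham_docs, spam_docs):
    ham = Counter(w for d in ham_docs for w in tokens(d))
    spam = Counter(w for d in spam_docs for w in tokens(d))
    return ham, spam, set(ham) | set(spam)

MODEL = train(HAM_DOCS, SPAM_DOCS)

def spam_log_odds(text, model=MODEL):
    """Sum of log P(w|spam)/P(w|ham), Laplace-smoothed, equal priors. Words
    unseen in training are skipped, i.e. treated as neutral evidence."""
    ham, spam, vocab = model
    n_ham, n_spam, v = sum(ham.values()), sum(spam.values()), len(vocab)
    score = 0.0
    for w in tokens(text):
        if w in vocab:
            score += math.log((spam[w] + 1) / (n_spam + v))
            score -= math.log((ham[w] + 1) / (n_ham + v))
    return score

def link_hosts(text):
    """Hosts of every href: the filler cannot dilute four links to one host."""
    return re.findall(r'href=["\']?https?://([^/"\'>\s]+)', text)
```

With these corpora the link-only message scores positive (spam) and the padded one negative (ham), while link_hosts reports the same host four times for both.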

Screenshot of the website bawwgt.com

Note that spam messages themed after Obama's inauguration ceremony were used by the Waledac gang to spread its malware back in January this year. If this is a trend, should we expect spam and malware to become one more reason for heated political debates?


YourBizBegin spam campaign on Facebook

A fairly successful spam campaign is currently active on Facebook. The campaign advertises the web sites YourBizBegin.com and YourBizStart.com, which promise easy money for working from home. Googling for the site names shows various reports and complaints, for example, the ones on hkactivity, RipoffReport, and Google.

Spam messages on Facebook advertising YourBizBegin.com

The picture above shows a (sanitized) screenshot of a couple of messages that appeared on a compromised account. The text of all the spammed messages I have seen is similar to the ones shown above. The only variations I have observed so far are in the dollar amounts and the 3-letter signatures.

Screenshot of YourBizBegin.com

The web sites YourBizBegin.com and YourBizStart.com appear to be just front-ends for www.HomeBizOffer.net. HomeBizOffer.net pushes a "Google Profit Club Kit," which, according to the site itself, should enable one to make an easy $200–$943 per day via Google ads. Downloading the kit costs only a $3.95 processing fee. Needless to say, the fine print at the bottom of the pages discloses that a membership rate of $74.93 is charged monthly. Furthermore, the terms of use and privacy policy on homebizoffer.net point at another web site, secureweboffer.com.

Screenshot of secureweboffer.com

Here is some more information about the involved web sites:


JavaScript anti-analysis tricks: last-modified

Writers of malicious JavaScript code have always been keen on developing novel ways to make the analysis of their code harder. One of the most commonly used mechanisms to do so is (no surprise here) simple obfuscation. For example, malware authors commonly encode string literals with custom schemes. A decoding routine then de-scrambles the strings before using them further (for example, as the URL of the next step of an attack or as the CLSID of a vulnerable ActiveX control).

Interestingly, malware authors have also introduced various techniques to make the basic deobfuscation step more difficult, in particular, if performed in an off-line analysis environment, which, for example, examines the pages saved during a crawling session.

One of the earliest tricks consists of using the URL of the obfuscated page as a decoding key in the deobfuscation routine. More recently, other techniques have also been used. One I have seen lately uses the time of the last modification of the page in the decoding routine.

Consider, for example, the following script:

<html><body><script>
var gtvwx=true,abwz="",gnru=false,
  // "MM/DD/YYYY HH:MM:SS" split on "/" -> ["MM","DD","YYYY HH:MM:SS"]
  bfqrv=document.lastModified.split("/"),
  dilp=String,
  // "YYYY HH:MM:SS" split on ":" -> cjltu[2] is the seconds field
  cjltu=bfqrv[2].split(":"),
  // acinqu = String.fromCharCode (name assembled from a junk-padded string)
  acinqu=dilp['f#r(o#mZC#h#aZrZC(o,d#e('.replace(/[\(Z,G#]/g,'')],
  // decoding key: month + "25" + seconds of the Last-Modified time
  gnty=bfqrv[0]+"25"+cjltu[2],
  ckoxz=window,cklqry=0,klny="",
  // bfkw = window.eval
  bfkw=ckoxz['euv9a2lS'.replace(/[S2u9@]/g,'')],
  fopv=[150,173,160...90,94,111],   // encoded payload (elided in the original)
  ailmux=function(){
    // subtract one key character (cycled) from each array value to recover a character
    for(var ehlt;cklqry<fopv.length;cklqry++){
        klny+=acinqu(fopv[cklqry]-
          gnty.substring(cklqry%gnty.length,cklqry%gnty.length+1).charCodeAt(0));
    }
    bfkw(klny);   // run the decoded script
  };
ailmux();
</script></body></html>

The code reads the time the page was last modified from the document.lastModified property. This property is initialized from the value of the Last-Modified header sent by the web server serving the page. The script then parses the time and extracts the number of seconds from the time string into the cjltu variable. The seconds value is then used to compute the value of the gnty variable, which is used in the decoding routine to recover the in-the-clear text from the encoded array fopv.
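The practical consequence for an offline analyser is that the saved page decodes only if the original Last-Modified header was kept alongside it. The following added example (not the malware's or Wepawet's code) re-implements the key derivation of the script above in Python and decodes a constructed sample array with the original header and with a wrong one; the header values, the benign stand-in payload and the UTC assumption are all mine.

```python
import datetime

# Added example, not the malware's or Wepawet's code: re-implements the key
# derivation of the script above so an offline analyst can see that the array
# decodes only with the Last-Modified header the server originally sent.
# Plaintext, header values and the encoded array are constructed here.

def key_from_last_modified(last_modified):
    """Mirror of the script: split 'MM/DD/YYYY HH:MM:SS' on '/', then take
    the month field, the literal '25' and the seconds field of the time."""
    parts = last_modified.split("/")
    return parts[0] + "25" + parts[2].split(":")[2]

def decode(encoded, key):
    """Per position i: chr(encoded[i] - ord(key[i % len(key)]))."""
    return "".join(chr(v - ord(key[i % len(key)])) for i, v in enumerate(encoded))

def encode(plaintext, key):
    """Inverse of decode; used only to build the sample array below."""
    return [ord(c) + ord(key[i % len(key)]) for i, c in enumerate(plaintext)]

def http_date_to_last_modified(http_date):
    """Turn an RFC 1123 Last-Modified header into the 'MM/DD/YYYY HH:MM:SS'
    form document.lastModified exposes (assumption: browser clock is UTC)."""
    dt = datetime.datetime.strptime(http_date, "%a, %d %b %Y %H:%M:%S GMT")
    return dt.strftime("%m/%d/%Y %H:%M:%S")

# Constructed: header seen at crawl time, and a benign stand-in payload.
ORIGINAL_HEADER = "Tue, 05 Jan 2010 14:03:47 GMT"
SAMPLE_PLAINTEXT = "alert('decoded')"
SAMPLE_ARRAY = encode(SAMPLE_PLAINTEXT, key_from_last_modified(
    http_date_to_last_modified(ORIGINAL_HEADER)))

def decode_with_header(http_date):
    """What an analyser recovers if it replays the page with this header."""
    key = key_from_last_modified(http_date_to_last_modified(http_date))
    return decode(SAMPLE_ARRAY, key)

if __name__ == "__main__":
    print(decode_with_header(ORIGINAL_HEADER))                  # original key
    print(decode_with_header("Wed, 06 Jan 2010 09:12:05 GMT"))  # wrong key
```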

These are the Wepawet reports for a couple of sites that use this technique: report for hxxp://www.pipisechka.com/sleep/news.php and report for hxxp://day-evryday.cn/news.php