Thursday, January 24, 2013

The 0-day That Wasn't: Dissecting A Highly Obfuscated PDF Attack

This morning, I was made aware of an article in which someone had snagged a PDF from one of the exploit kits that cybercriminals are using to spread malware. The author of the article claimed the malicious PDF was a 0-day attack; if it actually was, that would be hot news, and we'd need to create coverage. With that in mind, I grabbed a copy of the PDF (MD5: eff7d3c7066cac351d3232cccf60fe81) and started analyzing it.

First, I generated a PCAP of the file being transferred over the wire and ran it through Snort. I got an alert for sid:23401: "FILE-PDF EmbeddedFile contained within a pdf". Opening up the PDF in Vim showed an interesting chunk of data:

That chunk was the embedded file, and PDF StreamDumper could extract it: an XML file with JavaScript embedded in it, stored compressed inside the PDF.

The JavaScript inside the XML was obviously obfuscated, using simple tricks like "ret'+'urn" and "repl"+"a"+"ce" to split keywords so they never appear as plain strings. The string following the "return" is interesting:


This appears to be hex data with filler text inserted between the bytes, in the pattern "x2tdh(hex-byte)jRe(hex-byte)", repeated for roughly 8,000 bytes. Once the filler is stripped, every byte falls in the ASCII printable range, so I converted the hex to text:

More JavaScript is revealed, this time carrying Base64-encoded data. The interesting piece of code here is the string concatenation below:

The first part sets a variable, "qmnfkyns", equal to "SUkqADggAACQAll". Base64-decoding that string yields the bytes 49 49 2A 00: "II" followed by the 16-bit value 42 (0x002A) stored little-endian, which is the file magic of a little-endian TIFF image.

The JavaScript continues to build a TIFF image by appending further Base64-encoded data to these bytes. I followed along, built a segment of this TIFF image, and ran it through ClamAV, which identified the exploit:

$ clamscan tiff-image
tiff-image: Exploit.CVE_2010_0188-1 FOUND

The exploit code used here is very similar to the exploit publicly available at SecurityFocus and Metasploit.
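To make the unwrapping concrete, here is an added Ruby example (not code from the original post or from the sample) that reproduces the three decoding steps above on constructed input: collapsing the "ret'+'urn" keyword splitting, stripping the x2tdh/jRe filler from the hex layer, and reassembling the Base64 pieces to check for a TIFF header. The filler tokens are taken from the post, but the way they alternate is an assumption; the inner JavaScript text is made up, and only the first Base64 chunk ("SUkqADggAACQAll") comes from the sample, the second being zero padding so the header decodes cleanly.

```ruby
require 'base64'

# Filler tokens named in the post; how they alternate is an assumption.
FILLER_TOKENS = %w[x2tdh jRe].freeze

# Step 1: undo "ret'+'urn" / "repl"+"a"+"ce" keyword splitting by deleting a
# quote-plus-quote joint between two literals of the same quote type.
def collapse_concat(js)
  js.gsub(/(['"])\s*\+\s*\1/, '')
end

# Construction helper only: lay text out as hex bytes interleaved with filler,
# the way the sample's hidden layer is arranged. Not part of the attack.
def interleave_hex(text)
  text.bytes.each_with_index.map { |b, i| FILLER_TOKENS[i % 2] + format('%02x', b) }.join
end

# Step 2: strip the filler and decode the remaining hex pairs to bytes.
def strip_filler_hex(blob, fillers = FILLER_TOKENS)
  hex = blob.gsub(Regexp.union(fillers), '')
  unless hex.match?(/\A(?:[0-9a-fA-F]{2})*\z/)
    raise ArgumentError, 'residue after stripping filler is not clean hex'
  end
  [hex].pack('H*')
end

TIFF_MAGIC_LE = "II*\x00".b # 'II' then 42 stored as a little-endian uint16
TIFF_MAGIC_BE = "MM\x00*".b # 'MM' then 42 stored as a big-endian uint16

# Step 3: the script concatenates all its Base64 pieces and decodes once, so
# join first (individual pieces need not be 4-character aligned) and pad the tail.
def assemble_b64_chunks(chunks)
  joined = chunks.join
  joined += '=' * ((4 - joined.length % 4) % 4)
  Base64.decode64(joined)
end

def tiff_byte_order(data)
  case data.byteslice(0, 4)
  when TIFF_MAGIC_LE then :little_endian
  when TIFF_MAGIC_BE then :big_endian
  end
end

# Bytes 4..7 of a TIFF header hold the offset of the first IFD in the header's
# own byte order; a sane value is a cheap check that reassembly went right.
def first_ifd_offset(data)
  order = tiff_byte_order(data) or raise ArgumentError, 'not a TIFF header'
  data.byteslice(4, 4).unpack1(order == :little_endian ? 'V' : 'N')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inner script: first chunk quoted in the post, second is padding.
  inner_js = "var qmnfkyns = 'SUkqADggAACQAll'; qmnfkyns += 'AAAA'; ret'+'urn qmnfkyns;"
  recovered = collapse_concat(strip_filler_hex(interleave_hex(inner_js)))
  chunks = recovered.scan(%r{'([A-Za-z0-9+/=]+)'}).flatten
  tiff = assemble_b64_chunks(chunks)
  puts "magic #{tiff.byteslice(0, 4).unpack1('H*')} (#{tiff_byte_order(tiff)}), " \
       "first IFD at 0x#{first_ifd_offset(tiff).to_s(16)}"
end
```

Run on the real first chunk, the Base64 stage yields 49 49 2A 00 38 20 00 00 ..., so bytes 4..7 read as a first-IFD offset of 0x2038. When following a builder script like this one by hand, checking the magic and that the offset lands inside the reassembled data is a quick way to confirm the chunks were concatenated in the right order before handing the result to a scanner.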

While the original article's claim of a 0-day attack didn't pan out, this PDF is still interesting for the layers of obfuscation hiding the underlying attack: a Base64-encoded TIFF, built by JavaScript that is itself hex-encoded inside more JavaScript, embedded in an XML file that is compressed inside a PDF. What's more interesting - at least from our perspective here on the VRT - is that our generic detection of embedded files within PDFs would have caught this in the wild. Rules like that will, by their very nature, produce some false positives - there are legitimate reasons to embed files in PDFs - but if you have the manpower to examine the alerts that generic rules generate, you're likely to find plenty of malware that would otherwise go undetected.

UPDATE: 2013-01-25 11:33 EST
Some additional info from Hendrik Adrian (@unixfreaxjp) shows that the image object is part of a widget and will be opened by Flash Player via CVE-2011-0611. His detailed analysis is available here.

Tuesday, January 22, 2013

Bulgarian Android SMSsend

Reported by Dancho Danchev. Visiting a compromised Bulgarian website on an Android phone causes a redirect to, and download of, premium-rate SMS Android malware; installing it succeeds only if the "Allow installation of apps from unknown sources" option is checked.

IP address involved in the campaign:

Some domains resolving to


MD5: 29e8db2c055574e26fd0b47859e78c0e
Download sample: flash_player_installer.apk
Download PCAP: 29e8db2c055574e26fd0b47859e78c0e.pcap

MD5: e6be5815a05c309a81236d82fec631c8
Download sample: Android_installer-1.apk
Download PCAP: e6be5815a05c309a81236d82fec631c8.pcap

Snort rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.SMSsend variant outbound connection"; flow:established,to_server; content:"/rq.php"; fast_pattern:only; http_uri; content:"name="; depth:5; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,; classtype:trojan-activity; sid:25512; rev:2;)
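To make the rule's two content checks concrete, here is an added Ruby re-implementation (not from the VRT or from Snort) run over constructed requests. It approximates Snort's http_uri and http_client_body buffers with a plain split of the raw request and does no HTTP normalization; its point is the depth:5 modifier, which limits the second search to the first five bytes of the body, so a POST whose body places name= after other fields is deliberately not matched.

```ruby
# Constructed requests for illustration; none of these is captured traffic.
MATCHING_REQUEST = "POST /panel/rq.php HTTP/1.1\r\nHost: example.invalid\r\n" \
                   "Content-Length: 17\r\n\r\nname=foo&imei=bar"
WRONG_URI        = "POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n" \
                   "Content-Length: 8\r\n\r\nname=foo"
PATTERN_TOO_DEEP = "POST /rq.php HTTP/1.1\r\nHost: example.invalid\r\n" \
                   "Content-Length: 12\r\n\r\nx=1&name=foo"

# Split a raw request into the pieces the rule's buffers refer to.
def split_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  method, uri, = head.to_s.lines.first.to_s.strip.split(' ', 3)
  { method: method.to_s, uri: uri.to_s, body: body.to_s }
end

# content:"/rq.php"; http_uri;                 -> substring anywhere in the URI buffer
# content:"name="; depth:5; http_client_body;  -> only the first 5 body bytes are
# searched, so this 5-byte pattern has to start at offset 0 of the body.
def smssend_rule_matches?(raw)
  req = split_request(raw)
  return false unless req[:uri].include?('/rq.php')
  req[:body].byteslice(0, 5) == 'name='
end

if __FILE__ == $PROGRAM_NAME
  [MATCHING_REQUEST, WRONG_URI, PATTERN_TOO_DEEP].each do |raw|
    req = split_request(raw)
    puts "#{req[:uri].ljust(16)} body=#{req[:body].inspect.ljust(22)} " \
         "match=#{smssend_rule_matches?(raw)}"
  end
end
```

Because the rule also carries flow:established,to_server, it only ever fires on the client-to-server side of a completed TCP handshake; the approximation above assumes it is only handed client requests.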

ClamAV signature:

Thursday, January 17, 2013

How To Become an Infosec Expert, Part I

I recently put a post on my personal blog seeking applicants for a position with the VRT, working directly with me on public-facing issues (such as writing for this blog, talking to customers, etc.). Since the skill set involved there is subtly, but importantly, different from a traditional analyst position - those folks can be very successful at what they do without ever talking to anyone outside the team, except perhaps peers in the research space - I left the technical qualifications for an entry-level position somewhat open, with the idea being that a person with the right attitude and technical aptitude could be brought up to speed quickly on the finer points of the technical side of the job.

I got a slew of fascinating responses, with people whose technical backgrounds varied wildly (customer support, database administrators, programmers, small business owners, people who play with Metasploit in their spare time but have a non-technical day job, etc.). Invariably, though, these people were enthusiastic, apparently rapid learners, and eager to break into the space.

While I wish I had the time and the budget to hire them all and let the best rise to the top as they faced the trial by fire that is joining the VRT at entry level, obviously I can't. Given my personal career background, however, I've decided to do the next-best thing and start a mentoring program for the eager young minds I had to disappoint in this round of hiring. (For the record: I spent a brief stint out of high school writing for the Sacramento Bee, parlayed my lifelong exposure to computers into some OK tech jobs when I realized that writing for traditional newspapers is a losing economic proposition these days, and ended up in the awesome job I have today largely through a combination of good luck and the assistance of others who were willing to mentor me along the way.) Since plenty of people beyond those who responded to that particular job posting are interested in the same sort of mentoring, I'm going to use this blog to put together a series of posts on the things you'll need to learn to break into the modern information security industry.

Obviously, these posts won't be 100% comprehensive, and they'll be a bit skewed towards the skill set that would be helpful for a job with the VRT specifically. Even with that caveat, though, I feel like a set of lessons will be helpful, especially when provided for free on a geographically neutral basis.

That all said, today's lesson is actually a reading assignment, to help get people up to speed on the mindset necessary to be a malware analyst / vulnerability researcher / etc. In much the same way that summer reading for a class back in school helps put the class on the same page, having at least a familiarity with some of the classic texts of information security will help start this process.

Thanks to helpful people on the Internet and some of my colleagues on the VRT, I've compiled a list of some of the best works in the field. Many are free (I've created a zip file of all of the free content on my personal site for ease of portability, in case people want to, say, read things on a long airplane flight) and reasonably short. If you like the idea of this series of posts, and you're starting out, don't try to read them all in a sitting; your brain will hurt and you won't learn anything. Pick some that look especially interesting, give them a whirl, and then in a week or so read a few more. There is no "right order" to read them in. If you're already an established pro in the space, and want to suggest other titles, please do so in the comment section on this thread.

A Note on the Confinement Problem, Butler Lampson
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, Mark Dowd
Ceremony Design and Analysis, Carl Ellison
Computer Security in the Real World, Butler Lampson
The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, Cliff Stoll
End-to-End Arguments in System Design, J. H. Saltzer, D. P. Reed, D. D. Clark
Expert C Programming: Deep C Secrets, Peter van der Linden
Hacking: The Art of Exploitation, Jon Erickson
History and Timeline of UNIX, collaboration
The Jargon File, Collaboration
Practical Cryptography, Niels Ferguson, Bruce Schneier
The Protection of Information in Computer Systems, Jerome Saltzer, Michael Schroeder
Reflections on Trusting Trust, Ken Thompson
RFPolicy, Collaboration
Security Engineering, Ross Anderson
Smashing the Stack for Fun and Profit, Aleph One
With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988, Mark Eichin and Jon Rochlis

Additionally, there are some more large, somewhat textbook-style works that those new to the space should consider adding to their personal bookshelves:

The Art of Computer Virus Research and Defense, Peter Szor
The IDA Pro Book, Chris Eagle
Practical Malware Analysis, Michael Sikorski, Andrew Honig
Reversing: Secrets of Reverse Engineering, Eldad Eilam
TCP/IP Illustrated Volume 1, W. Richard Stevens (note: 1st edition, not the 2nd)
Windows Internals, 6th Edition, Mark Russinovich et al.
UNIX Power Tools, Tim O'Reilly et al

The next post in this series is likely to be a practical exercise; how soon it arrives will depend on the level of interest generated by this post. If you like this concept and want to see more, be sure to re-tweet and/or leave a note in the comments, so I can properly gauge response.

Thursday, January 10, 2013

The Ruby on Rails vulnerability that made Metasploit release a patch

This post on the Ruby on Rails Security group on January 8th contained a few phrases that cause alarm when used together: "inject arbitrary SQL", "inject and execute arbitrary code" and "perform a DoS attack on a Rails application". Without going into detail, the post explained that user-provided YAML and Symbol data could be crafted to exploit Rails applications; the issue was given the identifier CVE-2013-0156.

Rails is used in many projects, including one of the most widespread pentesting frameworks available, Metasploit. Within hours of the post, Metasploit had published a security update for itself (2013010202) and was actively working on a module to exploit the vulnerability.

The only information available before the PoC was released was that Rails could take YAML or Symbol input through XML, and that this could potentially be abused. The worry was that letting a request specify arbitrary classes for string and hash values via YAML would allow attackers to find unsafe objects to abuse with malicious input.

Blog posts explaining the vulnerability have already been published such as this one by Ronin and this one by Adam O'Donnell from Sourcefire's FireAMP group. PoCs have also popped up, the most notable being this one on github and of course the Metasploit module that was rushed through overnight.

We here at the VRT started paying attention to this as soon as the first post came out on Google Groups, and with the help of Christopher Mcbee we wrote SIDs 25287 and 25288 to detect CVE-2013-0156, namely abusing YAML or Symbol object parameter passing to Rails via xml. They will be released in our next SEU, which is targeted for today.
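As an added illustration (not from the Rails advisory, the VRT, or any real Rails code), here is a small Ruby model of the weak spot: a typecasting table consulted for XML elements that carry a type="..." attribute, where the "yaml" entry hands request text to the object-instantiating YAML loader and the "symbol" entry interns whatever it is given. The XML "parser" is a toy regex for flat elements, the Payload class is a stand-in for some class the application already has loaded, and the hardened table simply deletes the two entries, which mirrors the workaround in the advisory (removing "symbol" and "yaml" from ActiveSupport::XmlMini::PARSING).

```ruby
require 'yaml'

# Stand-in for a class the application has already loaded; the attacker only
# has to name one in the YAML tag. Constructed for this example.
class Payload
  attr_accessor :cmd
end

def unsafe_yaml_load(text)
  # Psych 4 made YAML.load safe by default; use the explicitly unsafe entry
  # point where it exists so the example behaves like Rails of early 2013.
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Toy model of the typecasting table the XML parameter parser consulted for a
# type="..." attribute. Two entries are the problem: "yaml" feeds request text
# to a loader that instantiates arbitrary classes, and "symbol" interns attacker
# strings (symbols were never garbage-collected before Ruby 2.2, so a stream of
# fresh ones exhausts memory: the DoS the advisory names).
VULNERABLE_TYPES = {
  'string'  => ->(s) { s },
  'integer' => ->(s) { Integer(s) },
  'symbol'  => ->(s) { s.to_sym },
  'yaml'    => ->(s) { unsafe_yaml_load(s) },
}.freeze

# Hardened table: drop the two dangerous casters, the same move as the
# advisory's workaround of deleting them from ActiveSupport::XmlMini::PARSING.
HARDENED_TYPES = VULNERABLE_TYPES.reject { |name, _| %w[symbol yaml].include?(name) }.freeze

# Toy element matcher standing in for a real XML parser: flat elements only.
ELEMENT = %r{<(\w+)(?:\s+type="(\w+)")?>(.*?)</\1>}m

def parse_params(xml, types)
  xml.scan(ELEMENT).each_with_object({}) do |(name, type, body), params|
    caster = types.fetch(type || 'string') { raise ArgumentError, "unsupported type #{type}" }
    params[name] = caster.call(body)
  end
end

def rejected?(xml, types)
  parse_params(xml, types)
  false
rescue ArgumentError
  true
end

# Constructed request body: an ordinary field, plus a field that smuggles in a
# YAML document naming a Ruby class.
EVIL_XML = <<~XML
  <title>hello</title>
  <count type="integer">3</count>
  <extra type="yaml">--- !ruby/object:Payload
  cmd: id
  </extra>
XML

if __FILE__ == $PROGRAM_NAME
  got = parse_params(EVIL_XML, VULNERABLE_TYPES)['extra']
  puts "vulnerable table built a #{got.class} with cmd=#{got.cmd.inspect}"
  puts "hardened table rejects the same body: #{rejected?(EVIL_XML, HARDENED_TYPES)}"
end
```

In the real attack the instantiated class is not a harmless Payload but one whose deserialization side effects (such as evaluating a string) give the attacker code execution, which is why the fix is to refuse the "yaml" and "symbol" types outright rather than to filter the YAML.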

Generic Exploit Kit Detection & The First Java 0-Day of 2013

This morning the first big Java 0-day exploit of 2013 was discovered, and it is already being used in exploit kits worldwide. Regular readers may remember these exploit kit rules from Joel Esler. The combination of existing rules 25041 and 25042 will detect the method the exploit kit authors are using to drop malware after this exploit. Since they're enabled in the Sourcefire balanced and security policies by default, most of you have had protection since December that will keep you safe from the current iteration of the attacks being used in the wild.

Based on information from Malware don't need Coffee and Krebs on Security, it looks like this exploit is being used in at least four different active exploit kits: Blackhole, Cool Exploit Kit, Nuclear Pack, and Redkit. Source code has popped up on pastebin as well, and the VRT has been able to compile it and confirm that it is functional. We anticipate that a Metasploit module will be developed shortly, and that this will be very widely exploited in the field in the coming days via a variety of different vectors.

Since those additional vectors would not be detected by the SIDs above, we've written SIDs 25301 and 25302 as additional layers of protection; they will be released in our next SEU (ed: 778), which is targeted for today. We will be following additional developments related to this vulnerability as they progress, and will issue additional detection as circumstances dictate. ClamAV signatures are named Java.Exploit.Agent-14 through Java.Exploit.Agent-16.

At the time of writing, Oracle had not yet issued an official response, though unless they have previous intelligence regarding this vulnerability, a patch will likely be at least days in the making. Anyone who can continue to do their job with Java disabled in their browser is strongly encouraged to do so immediately, as that's the only way to ensure complete safety against this attack or others like it - which, based on the history of Java 0-days over the last 12 months, are likely to happen at some point within the not-too-distant future.

UPDATE, 1/11/13 @ 10:11 a.m.: Sourcefire's FireAMP group also released an awesome screenshot of their product's infection trajectory when working with a live copy of this attack, which you can see below:


As you can see, this shows the time of infection, an outgoing connection afterwards, and other relevant information about the nature of the attack as it unfolds in real-time. If you want reports like this on your network, you can click here to sign up for a free trial version of the product.