Adobe, vulnerabilities in Director, no kidding. Who would've thought that? Well, rules are out.
Check it out here: http://www.snort.org/vrt/advisories/2010/08/25/vrt-rules-2010-08-25.html
android-sdk-linux_86/platforms/android-6/tools

Let's run dexdump with the following options on the Trojan "RU.apk" and redirect the output to a file:

./dexdump -d -f -h ~/Desktop/RU.apk > ~/Desktop/out.txt

Going through the output and looking for the "onCreate" method, which is the method used to initialize an activity, I found:

[00083c] org.me.androidapplication1.HelloWorld.onCreate:(Landroid/os/Bundle;)V

HelloWorld?! What? Was this written by a n00b who copied the example project HelloWorld? The following was also found:

[000924] org.me.androidapplication1.MoviePlayer.onCreate:(Landroid/os/Bundle;)V

OK, MoviePlayer is the name of the application. I guess it must be some sort of movie player. This is confirmed by the presence of:

000c: const-string v2, "Нажмите ок для доступа к видеотеке" // string@0076

That is Russian for "Click OK to access the video library" (thanks Google Translate). On "create", the function DataHelper.canwe() is invoked:

00094c: 6e10 1900 0600 000c: invoke-virtual {v6}, Lorg/me/androidapplication1/DataHelper;.canwe:()Z // method@0019

The function checks a SQLite DB for the presence of "was" in table1 (yes, quite an interesting way to see whether the app has been run before). If the application has never been run on the device, a function call is made to SmsManager.sendTextMessage:

001f: invoke-virtual/range {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;.sendTextMessage

This function call is made 3 times, with short codes as the destination phone numbers: 3353, 3354 and 3353 again. The content of each of these short messages is "798657".
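The manual walk through the dexdump output above is easy to automate. As an added example (not code from the original post), here is a small Python triage script for `dexdump -d` output: it groups const-string literals and invoke targets by the method they appear in, then flags every method that calls SmsManager.sendTextMessage and lists the numeric literals found in that method, so the short codes and message body jump out without reading the whole disassembly. The dexdump lines are constructed to mimic the format; the class names come from the post, while the method name sendAll and the instruction offsets are made up.

```python
import re

# Constructed sample of `dexdump -d` output (not the trojan's real listing),
# trimmed to the line kinds the triage cares about: method headers,
# const-string instructions and invoke instructions. The method sendAll
# is hypothetical.
SAMPLE_DEXDUMP = """\
000924:                                        |[000924] org.me.androidapplication1.MoviePlayer.onCreate:(Landroid/os/Bundle;)V
000934: 6f20 0300 2100                         |0000: invoke-super {v1, v2}, Landroid/app/Activity;.onCreate:(Landroid/os/Bundle;)V // method@0003
00093a: 1a02 7600                              |000c: const-string v2, "Нажмите ок для доступа к видеотеке" // string@0076
00094c: 6e10 1900 0600                         |0014: invoke-virtual {v6}, Lorg/me/androidapplication1/DataHelper;.canwe:()Z // method@0019
000a00:                                        |[000a00] org.me.androidapplication1.MoviePlayer.sendAll:()V
000a10: 1a00 8000                              |0000: const-string v0, "3353" // string@0080
000a14: 1a03 8100                              |0004: const-string v3, "798657" // string@0081
000a18: 7406 2a00 0000                         |0008: invoke-virtual/range {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;.sendTextMessage:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V // method@002a
000a1e: 1a00 8200                              |000e: const-string v0, "3354" // string@0082
000a22: 7406 2a00 0000                         |0012: invoke-virtual/range {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;.sendTextMessage:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V // method@002a
"""

# The API whose presence in a "movie player" is the red flag.
SMS_API = "Landroid/telephony/SmsManager;.sendTextMessage"

# "|[offset] class.method:signature" starts a new method's code listing.
METHOD_HDR = re.compile(r"\|\[[0-9a-f]+\]\s+(\S+)\s*$")
# const-string (or const-string/jumbo) with the literal in double quotes.
CONST_STR = re.compile(r'const-string(?:/jumbo)?\s+v\d+,\s+"((?:[^"\\]|\\.)*)"')
# Any invoke-* instruction; the target descriptor contains no whitespace.
INVOKE = re.compile(r"invoke-[a-z/]+\s+\{[^}]*\},\s+(L\S+)")
# Purely numeric literals: short codes and numeric message bodies.
NUMERIC = re.compile(r"^\d+$")


def parse_methods(dexdump_text):
    """Map each method to the string literals and call targets inside it."""
    methods = {}
    current = None
    for line in dexdump_text.splitlines():
        hdr = METHOD_HDR.search(line)
        if hdr:
            current = hdr.group(1)
            methods[current] = {"strings": [], "calls": []}
            continue
        if current is None:
            continue  # lines before the first method header
        cs = CONST_STR.search(line)
        if cs:
            methods[current]["strings"].append(cs.group(1))
            continue
        inv = INVOKE.search(line)
        if inv:
            methods[current]["calls"].append(inv.group(1))
    return methods


def find_sms_senders(methods):
    """Return (method, number of sendTextMessage calls, numeric literals) per offending method."""
    hits = []
    for name, info in methods.items():
        sms_calls = sum(1 for target in info["calls"] if target.startswith(SMS_API))
        if sms_calls:
            numbers = [s for s in info["strings"] if NUMERIC.match(s)]
            hits.append((name, sms_calls, numbers))
    return hits


if __name__ == "__main__":
    for name, count, numbers in find_sms_senders(parse_methods(SAMPLE_DEXDUMP)):
        print(f"{name}: {count} sendTextMessage call(s), numeric literals {numbers}")
```

On a real sample, feed the script the redirected output file (`parse_methods(open("out.txt").read())`); the numeric literals are only a hint, since a trojan can assemble the number at runtime, so a hit still needs the manual look at the method that the post walks through.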
./configure ; make ; sudo make install

When the DAQ library is built, both static and dynamic module flavors will be generated; more on "why" later. If you need to tweak certain options, see configure's help:

./configure --help

./configure --with-daq-includes=<inc dir> --with-daq-libraries=<lib dir>

If you install the DAQ modules in a non-standard place, make sure your PATH includes the DAQ modules location. Snort's ./configure requires running bin/daq-modules-config. This step isn't necessary if DAQ is installed in the default location. However, ldconfig or other system-specific commands may or may not need to be run.

PATH=/daq/install/prefix:$PATH

By default, Snort will be built with a few static DAQ modules including PCAP, AFPACKET, and DUMP.

snort [--daq-dir <dir>] --daq-list

The above command searches the specified directory (e.g. /usr/local/lib/daq) for DAQ modules and prints the type, version, and attributes of each. If you just want to see the built-in modules, leave off the --daq-dir.

Available DAQ modules:
pcap(v2): readback live multi unpriv
nfq(v1): live inline multi
ipq(v1): live inline multi
ipfw(v1): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v1): live inline multi unpriv

You can see that 6 DAQs are available, that pcap doesn't support inline mode, that nfq and ipq don't support unprivileged operation, etc.

snort [--daq <type>] [--daq-mode <mode>] [--daq-dir <dir>] [--daq-var <var>]

config daq: <type>
config daq_mode: <mode>
config daq_dir: <dir>
config daq_var: <var>

<type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
<mode> ::= read-file | passive | inline
<dir> ::= path where to look for DAQ module so's
<var> ::= arbitrary <name>=<value> passed to DAQ

Caveats:
snort -i <device>
snort -r <file>
snort --daq pcap --daq-mode passive -i <device>
snort --daq pcap --daq-mode read-file -r <file>

You can also specify the PCAP buffer size if you need to, using:

snort --daq pcap --daq-var buffer_size=<#bytes>

snort --daq afpacket -i <device> [--daq-var buffer_size_mb=<#MB>] [--daq-var debug]

If you want to run AFPACKET in inline mode, you must set device to one or more interface pairs, where each member of a pair is separated by a single colon and each pair is separated by a double colon. There is no need to configure a QUEUE or bridge with AFPACKET; you need to bring up the interfaces and give Snort the correct command line.

eth0:eth1
eth0:eth1::eth2:eth3

Running inline Snort:

ifconfig eth1 promisc up
ifconfig eth2 promisc up
snort --daq afpacket -i eth1:eth2 -Q -c snort.conf
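Two of the things above are easy to get wrong on a new box: picking a DAQ that cannot do the mode you asked for, and mistyping the AFPACKET interface-pair syntax. As an added example (not code from the original post or from the DAQ/Snort projects), here is a Python helper that parses `snort --daq-list` output into a capability table, checks a requested --daq/--daq-mode combination (and optionally unprivileged operation) against it, and validates an AFPACKET inline device string. The mapping of each mode to a capability word (read-file needs "readback", passive needs "live", inline needs "inline") is this example's reading of the listing above, not something the post states in those terms; the sample listing is constructed to match the six modules shown.

```python
import re

# Constructed sample of `snort --daq-list` output (one module per line),
# matching the six modules shown in the post.
SAMPLE_DAQ_LIST = """\
Available DAQ modules:
pcap(v2): readback live multi unpriv
nfq(v1): live inline multi
ipq(v1): live inline multi
ipfw(v1): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v1): live inline multi unpriv
"""

MODULE_LINE = re.compile(r"^(\w+)\(v(\d+)\):\s*(.*)$")

# Assumed mapping from --daq-mode to the capability word it requires.
MODE_NEEDS = {"read-file": "readback", "passive": "live", "inline": "inline"}

# Interface names as Linux accepts them (letters, digits, '_', '.', '-').
IFACE = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_daq_list(text):
    """Turn --daq-list output into {name: {"version": int, "caps": set}}."""
    modules = {}
    for line in text.splitlines():
        m = MODULE_LINE.match(line.strip())
        if m:
            modules[m.group(1)] = {"version": int(m.group(2)),
                                   "caps": set(m.group(3).split())}
    return modules


def check_daq(modules, daq, mode, unprivileged=False):
    """Return None if the DAQ can run in this mode, otherwise a reason string."""
    if daq not in modules:
        return f"DAQ module {daq!r} is not available"
    needed = MODE_NEEDS.get(mode)
    if needed is None:
        return f"unknown --daq-mode {mode!r}"
    caps = modules[daq]["caps"]
    if needed not in caps:
        return f"{daq} does not support --daq-mode {mode}"
    if unprivileged and "unpriv" not in caps:
        return f"{daq} requires privileges (no 'unpriv' capability)"
    return None


def parse_afpacket_pairs(spec):
    """Parse 'eth0:eth1::eth2:eth3' into [('eth0', 'eth1'), ('eth2', 'eth3')]."""
    pairs = []
    seen = set()
    for chunk in spec.split("::"):
        parts = chunk.split(":")
        if len(parts) != 2 or not all(IFACE.match(p) for p in parts):
            raise ValueError(f"bad interface pair {chunk!r}: expected ifA:ifB")
        a, b = parts
        if a == b or a in seen or b in seen:
            raise ValueError(f"interface reused in {chunk!r}")
        seen.update(parts)
        pairs.append((a, b))
    return pairs


def afpacket_spec_error(spec):
    """None if the device string is a valid inline pair list, else the error text."""
    try:
        parse_afpacket_pairs(spec)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    mods = parse_daq_list(SAMPLE_DAQ_LIST)
    for daq, mode in (("pcap", "inline"), ("afpacket", "inline"), ("nfq", "passive")):
        print(daq, mode, "->", check_daq(mods, daq, mode, unprivileged=True) or "ok")
    print(parse_afpacket_pairs("eth0:eth1::eth2:eth3"))
```

Feed it the real listing with `parse_daq_list(subprocess.run(["snort", "--daq-list"], capture_output=True, text=True).stdout)` and run the check before dropping privileges or wiring the interfaces; a refusal here is cheaper than Snort failing at startup on a production span.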
buffer_size_mb daq-var. See README.daq for the gory details of that calculation.

In a previous blog post I was writing about an increase in attacks against an at-the-time unpatched vulnerability. Microsoft patched it on July 13, which doesn't mean that people aren't still trying to own unpatched machines.
goodgirlsbadguys.com (213.155.12.144) is a domain registered on July 19, 2010 with a registrant address listed in Cambodia. Visiting a particular webpage for that domain (trust me and don't go there...despite the name there is nothing juicy on this domain except pwnage) returns a URL as part of an iframe. Microsoft Help and Support Center is invoked with a few parameters, one of which is the URL obtained earlier:

Notice the use of the keyword "crimepack" in the hcp:// request.

In a randomly named file (in this case, "bat.vbsautba" in c:\Documents and Settings\user\Local Settings\Temp) the following HTML can be found:
Later, the command line utility is invoked with the following parameters:
The script that is executed is called D.vbs:
Snort detects this Windows Help Center escape sequence cross-site scripting attempt with sid 16665:
08/09-11:26:49.588645 [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.196:1076
08/09-11:26:49.588645 0:1E:13:F0:2E:19 -> 0:C:29:21:50:D5 type:0x8100 len:0x59E
213.155.12.144:80 -> 10.11.250.196:1076 TCP TTL:59 TOS:0x0 ID:11527 IpLen:20 DgmLen:1420 DF
ClamAV has got you covered as well with BC.Exploit.CVE_2010_1885.
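The alert above is in Snort's "fast" alert format, and when a kit like this is hitting a network the first question is usually "which hosts did SID 16665 fire for?". As an added example (not code from the original post or from the Snort project), here is a Python parser for that one-line format that pulls out GID/SID/rev, message, classification, priority, protocol and the endpoints, plus a helper that lists the distinct destination hosts hit by a given SID. The first sample line is the alert shown above; the other two are constructed, as are the hosts in them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed alert log in Snort's fast alert format. The first line mirrors
# the alert in the post; the other two (and their hosts) are made up.
SAMPLE_ALERTS = """\
08/09-11:26:49.588645 [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.196:1076
08/09-11:27:03.101220 [**] [1:99999:1] EXAMPLE constructed low priority alert [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.11.250.196:51234 -> 10.11.250.1:53
08/09-11:27:10.000001 [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.77:2201
"""

# Ports are optional so ICMP alerts (no port) parse too; the classification
# block is optional because rules without a classtype omit it.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_fast_alert(line):
    """Parse one fast-format alert line; return None for lines that don't match."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Alert(
        ts=d["ts"], gid=int(d["gid"]), sid=int(d["sid"]), rev=int(d["rev"]),
        msg=d["msg"], classification=d["cls"] or "", priority=int(d["prio"]),
        proto=d["proto"],
        src=d["src"], sport=int(d["sport"]) if d["sport"] else None,
        dst=d["dst"], dport=int(d["dport"]) if d["dport"] else None,
    )


def parse_alert_log(text):
    """Parse a whole alert file, silently skipping lines that aren't alerts."""
    return [a for a in (parse_fast_alert(line) for line in text.splitlines()) if a]


def victims_for_sid(alerts, sid, max_priority=1):
    """Distinct destination hosts hit by `sid` at or above `max_priority` (1 is highest)."""
    return sorted({a.dst for a in alerts if a.sid == sid and a.priority <= max_priority})


if __name__ == "__main__":
    alerts = parse_alert_log(SAMPLE_ALERTS)
    print("hosts hit by SID 16665:", victims_for_sid(alerts, 16665))
```

Point `parse_alert_log` at the real alert file (`parse_alert_log(open("/var/log/snort/alert").read())`) to get the list of clients that pulled the hcp:// page and need a look with the ClamAV signature.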
Microsoft Security Advisory MS10-046: Previously released rules to detect attacks targeting these vulnerabilities have been updated with the appropriate reference and are included in this release. These are identified with GID 1, SIDs 17042 and 17043.
Microsoft Security Advisory MS10-050: A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17135.
Microsoft Security Advisory MS10-051: A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17133.
Microsoft Security Advisory MS10-052: A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17117.
Microsoft Security Advisory MS10-053: A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17115.
Microsoft Security Advisory MS10-054: Rules to detect attacks targeting these errors are included in this release and are identified with GID 3, SIDs 17125 through 17127. Additionally, a previously released rule will also detect attacks targeting these issues and is identified with GID 3, SID 16577.
Microsoft Security Advisory MS10-055: A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17128.
Microsoft Security Advisory MS10-056: Rules to detect attacks targeting these errors are included in this release and are identified with GID 3, SIDs 17119 through 17124.
Microsoft Security Advisory MS10-057: A rule to detect attacks targeting these issues is included in this release and is identified with GID 3, SID 17134.
Microsoft Security Advisory MS10-060: Rules to detect attacks targeting these errors are included in this release and are identified with GID 3, SIDs 17113 and 17114.
Microsoft Security Advisory MS10-061: A rule to detect attacks targeting this issue is included in this release and is identified with GID 3, SID 17115.
Check out the changelogs here: http://www.snort.org/vrt/advisories/2010/08/10/vrt-rules-2010-08-10.html
Microsoft Windows Shell contains a vulnerability that may allow a remote attacker to execute code on an affected system.
Microsoft Windows Movie Maker contains a programming error that may allow a remote attacker to execute code on an affected system.
The Microsoft MSXML2 ActiveX control contains a programming error that may allow a remote attacker to execute code on an affected system.
Microsoft Windows Media Player contains a programming error that may allow a remote attacker to execute code on an affected system.
Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute code on an affected system.
The Microsoft implementation of SMB contains programming errors that may allow a remote attacker to execute code on an affected system.
Microsoft Windows Media Player contains a programming error that may allow a remote attacker to execute code on an affected system.
Microsoft Office Word contains programming errors that may allow a remote attacker to execute code on an affected system.
Microsoft Office Excel contains programming errors that may allow a remote attacker to execute code on an affected system.
Microsoft Silverlight contains a programming error that may allow a remote attacker to execute code on an affected system.
Microsoft .NET contains a programming error that may allow a remote attacker to execute code on an affected system.
Added and modified multiple rules in the exploit, ftp, imap, mysql, netbios, rpc, specific-threats, sql, web-activex, web-client, web-iis, web-misc and web-php rule sets.
Check here for details: http://www.snort.org/vrt/advisories/2010/08/03/vrt-rules-2010-08-03.html