Archive for the '0-day exploits' Category
Bredolab revealed
Trend Micro’s Senior Threat Researcher David Sancho has written a great in-depth analysis of this new threat.
Read it here:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/bredolab_final.pdf
Made in Egypt
In many reports we see that countries like Russia, India and Brazil take part in the world of cybercrime. During some research I discovered an executable which was new to me. Before going into reverse engineering I always try the shortcut first, so I searched for it on some forums. The ‘tool’ is called ‘Deeper RAT’. According to the developer, who uses the nickname ‘binaryEvil’, ‘it’s a reverse connection remote administration tool that allows you to remote control computers that are behind firewalls and routers’.
According to the developer it has the following features:
[Features:]
[1] Main:
[a] Server size ~ 80 Kb
[b] Memory execution
[c] Encrypted connection
[d] All traffics are through one port
[e] Users filtration
[f] Broadcasting
[g] Sound events
[2] Spy:
[a] Information
[b] Unicode Key Logger
-> OFF Keys
[c] CAM Capture
[d] Screen Capture
[e] Clipboard Monitor
[3] Manage:
[a] Process Manager
[b] Service Manager
-> Install Service
-> Edit Service
[c] Window Manager
[d] File Manager
-> File Search
-> Multiple File Transfer
[e] Registry Manager
-> Registry Search
[4] Tools:
[a] CMD Shell
[b] Multiple Downloader
[c] Power Manager
In the next screenshot you will see the ‘Service Manager’.

The main port Deeper runs on is TCP 511, and the default password provided is abcd1234 (duh).
No detection (yet) from AV vendors.
Extra information:
File size of the Deeper executable: 1929216 bytes
MD5 checksum 5581b843081c9cc1d742b4cac0d13fe9
PEInfo: PE Structure information
( base data )
entrypointaddress: 0x3968
timedatestamp:     0x4aa72241 (Wed Sep 09 03:34:25 2009)
machinetype:       0x14c (I386)

name   virtaddr  virtsize  rawsize   entropy  md5
.text  0x1000    0x19c720  0x19d000  6.66     3e882a17b12c010579566ad855d3eb0f
.data  0x19e000  0xe664    0x1000    0.00     620f0b67a91f7f74151bc5be745b7110
.rsrc  0x1ad000  0x37c1d   0x38000   6.77     71725bba745f5d3fde9ced06721de930
SQL injection hack hits Dexia
Dexia, a top player in retail banking in Belgium and Luxembourg, was hit by a SQL injection attack. SQL injection is one of the top attacks hackers use against financial institutions.
Through these attacks the attacker gained insight into the schema of the database, could execute commands, and managed to obtain user credentials including their passwords. The attackers used SQL queries of the kind that can be used to query a MySQL database for information about the database, its columns and schema.
Example queries for MySQL are:
MySQL version: UNION+ALL+SELECT+version(),2/*
User lookup: UNION+ALL+SELECT+user(),2/*
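As an added illustration (not from the original post and not Dexia's code), the Python snippet below puts the flaw behind such a breach next to its fix: a lookup that concatenates input into the SQL text accepts a UNION probe of the kind quoted above, while a parameterised query treats the whole input as a plain value. It uses a constructed in-memory SQLite table, with sqlite_version() standing in for MySQL's version().

```python
import sqlite3

SQLITE_VERSION = sqlite3.sqlite_version  # what sqlite_version() returns on this machine

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table standing in for a bank back end (not Dexia's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [(1, "alice", "customer"), (2, "bob", "admin")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The flaw behind breaches like this one: untrusted input is pasted straight into the SQL text."""
    sql = "SELECT name, role FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised query: the input is bound as a value and cannot change the statement's shape."""
    return conn.execute("SELECT name, role FROM users WHERE id = ?", (user_id,)).fetchall()

# A UNION probe like the ones quoted above; the trailing /* comments out the closing quote
# the application appends, so the statement still parses.
PROBE = "1' UNION ALL SELECT sqlite_version(),2/*"

def demo() -> tuple:
    """Return (rows from the vulnerable lookup, rows from the safe lookup) for the same probe."""
    conn = make_db()
    return lookup_vulnerable(conn, PROBE), lookup_safe(conn, PROBE)

if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable:", vuln)   # second row is the database version leaked through the UNION
    print("safe:      ", safe)   # []: the probe is just an id value that matches no row
```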
Screenshots of the attack:
Someone at Dexia is having a bad Monday
Source: http://unu1234567.baywords.com/2009/09/01/dexia-hacked-sql-injection/
Fragus – crimeware in the wild
To control and administer botnets, a lot of frameworks are developed to simplify the tasks. In a posting on an underground forum, the announcement was made for a new framework called Fragus v1.0.
Login screen:

Fragus, built with PHP, has a nice and shiny interface which supports English and Russian. Statistics can be viewed about browsers, OS and the countries in which the zombies are located. During the investigation some hosts running Windows 7 were found to be infected.
Some of the features of Fragus:
# Exploits imaging of high quality with possibility of checking with the help of ajax whether current exploit infects or not before loading the next one.
# Possibility to edit host on necessary URL after it is done allows not to lose used traffic, and to utilize it pro domo sua.
# Complete exploits modularity in the system. Your coder will be able to add them easily
# Zero-written cryptor of exploits doesn’t overload browser, but nevertheless protects exploits pack safely from antiviruses
# Cryptor lies in separate file and if you want you can easily add your cryptor
# Patterns of pages on exploits imaging, with the page for those who visits twice, lie separately, disguising as 404 error.
# Fragus hides from searchbots, what disables domain detection
# Fragus is highly optimized for operating with massive traffic flows and minimum load on server
Using the modular exploit system is a piece of cake. You can easily add new exploits and crypt them to prevent detection by anti-virus vendors.
Examples of malware in Fragus:
Exploits:
* Mdac
* PDF: printf(), collectEmailInfo(), getIcon().
* MS DirectShow, large break increment
* MS09-002 – for IE7
* MS Spreadsheet, rather new exploit
* AOL IWinAmp
* MS Snapshot
* MS COM finish IE6
Example:

The basic pricing for this package is 800 USD; some extra features can be purchased, e.g. a zero-written cryptor for an extra 150 USD.
More Zero-Day Exploits for Firefox and IE Flaws
Trend Micro posted the following on their blog:
Earlier today, Senior Threat Researcher Joseph Reyes spotted several malicious script files that exploited Mozilla Firefox and Microsoft Internet Explorer vulnerabilities:
- JS_DIREKTSHO.B exploits a vulnerability in Microsoft Video Streaming ActiveX control to download other possibly malicious files.
- JS_FOXFIR.A accesses a website to download JS_SHELLCODE.BV. In turn JS_SHELLCODE.BV exploits a vulnerability in Firefox 3.5 to download WORM_KILLAV.AKN.
- JS_SHELLCODE.BU exploits a vulnerability in Microsoft OWC to download JS_SHELLCODE.BV.
Initial analysis done by Threat Analyst Jessa De La Torre shows that the scripts above may be unknowingly downloaded through either Firefox or Internet Explorer.
According to Mozilla, a Firefox user reported suffering from a crash that developers determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, the just-in-time (JIT) compiler could get into a corrupt state. This could then be exploited by an attacker to run arbitrary code. However, this vulnerability does not affect earlier versions of Firefox, which do not support the JIT feature.
Firefox 3.5 users can avoid this vulnerability by disabling the JIT compiler as described in the Mozilla Security Blog. This workaround is, however, unnecessary for Firefox 3.5.1 users.
On the other hand, the vulnerability in Microsoft Video ActiveX Control allows remote code execution if a user views a specially crafted web page with Internet Explorer, executing the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Microsoft is aware of attacks attempting to exploit the said vulnerabilities and advises its customers to prevent the OWC from running either manually or automatically using the solution found in Microsoft Knowledge Base Article 973472.
Trend Micro advises users to refer to the following pages to download updates/patches for the vulnerabilities the aforementioned script files exploit:
- Firefox: Mozilla Foundation Security Advisory 2009-41
- OWC: Microsoft Security Advisory (973472)
- DirectShow: Microsoft Security Bulletin MS09-032
Trend Micro advises users to download the latest scan engine to protect themselves against the above-mentioned exploits.
XMLHttpRequest “Ping” Sweeping in Firefox 3.5+
Jeremiah brought my attention to the new Firefox 3.5+ CORS (Cross-Origin Resource Sharing) which is a way to do a cross domain XMLHttpRequest. Does that sound scary? Well, it is, but there’s been a ton of work into hardening it. It has all sorts of cross domain opt-in verification built into it to limit the abuse. Honestly, if you look at the people who were acknowledged in its construction, it’s a who’s who of people who understand cross domain browser security issues. So it wasn’t surprising that it was fairly free of obvious flaws.
Read the full story on:
http://ha.ckers.org/blog/20090720/xmlhttpreqest-ping-sweeping-in-firefox-35/
OpenSSH 5.2 zero day exploit code to be released
On the Full-Disclosure list the following posting was made:
Dear Reader,
In 48 hours, the anti-sec movement will publicly unveil working exploit code and full details for the zero-day OpenSSH vulnerability we discovered. It will be posted to the Full-Disclosure security list.
Soon, the very foundations of Information Technology and Information Security will be unearthed as millions upon millions of systems running ANY version of OpenSSH are compromised by wave after wave of script-kiddies and malicious hackers.
Within 10 hours of the initial release of the OpenSSH 0-day exploit code, anti-sec will be unleashing powerful computer worm source code with the ability to automatically find and compromise systems running any and all versions of OpenSSH.
This is an attack against all White Hat Hackers who think that running a Penetration Test simply searching for known vulnerabilities is all they have to do in order to receive their payment. Anti-sec will savor the moment when White Hat Hackers are made to look like fools in the eyes of their clients.
Sincerely,
anti-sec
Any updates, activity, or exploit code to investigate are welcome.