Revelo Updated

A colleague of mine received the following email in their Gmail in-box and wondered how it got past their filters and what it does.


What almost tricked him was the fact that it called out his name. Only after looking at the originating email address did it make him pause. Good thing they didn’t spoof that. Let’s have a look at the attachment.


It’s a Javascript file. Malicious scripts are hard to detect because it’s so easy to modify and customize. By the looks of this, it concatenates a value to the variable ‘a’ then jumps to another function. It keeps doing this until the very end then evals it. The problem is trying to find the “end”. Can you find it?


First let’s deobfuscate this manually. You will need to find the end of all of the concatenation it’s doing then replace the eval with alert. After spending about a minute of eyeballing the script, I gave up. I did a search for “(a)” and found in the middle.


Just change that to “alert(a)” and execute the file with your browser and you’ll see what it does.


An easier way is just to append the short script at the end like this. When you run the script, you get the same result as above.


The deobfuscated script, by the way, makes an AJAX call to a website at, downloads a unique file which poses as a JPEG image, renames it as an executable, then runs it.


The downloaded file is definitely not a JPEG image.


The payload keeps changing and the latest one I got was a nearly FUD malware according to VirusTotal.


I’ve been meaning to update Revelo and this script prompted me to do it. The latest version allows you to deobfuscate these types of scripts quicker now by doing the same method we used above.

Run Revelo and paste in the Javascript (or open the file). Revelo needs the “<script></script>” tags so just click on Options > Add Script Tags and it will do so automatically.


Choose the “Append Variable to End” method, type in “a” (the name of the variable we want to view) and click on Execute. Done!


The second method I added is called “Intercept Return and Variable”. What this will do is intercept a user-specified variable that’s being returned from a function back to the caller.

Here’s an example. The script below passes a series of numbers to “CRYPT.obfuscate” then onto a “CRYPT.decode” function. The decode function decodes the values, converts it to a string then returns the deobfuscated result which has been highlighted in red.


All you need to do is select the new method and enter “return output” and click on Execute. Done!


I also added three more options to the menu:


    * “Send Results to Prompt when Possible” – will try to display the results in this way: prompt(1,variable).
    * “Use Double Quote” – when trying various methods to deobfuscate a script, inserting single quotes into the script may mess things up so if this option is selected, double quotes will be used instead.
    * “Convert Object to Text” – simply appends “.text” to objects in order to convert them to text where appropriate.

The latest version of Revelo is available on the Tools page.

Posted in Malicious Email, Malscript, Tools | Tagged , , | Comments Off

Wild Wild West – 12/2014

Added the following packs:

Null Hole
“Hanjuan EK”
“Archie EK”
“Astrum EK”
“SPL2 Pack”

Special thanks to Kafeine for his valuable input.


Posted in Exploit Packs | Comments Off

Registry Dumper – Find and Dump Hidden Registry Keys

The cybercriminals behind Poweliks implemented two clever techniques in their malware. The first was leveraging rundll32.dll to execute Javascript and the second was using a method to hide/protect their registry keys. I’ll be focusing on the second method.

The technique of hiding/protecting registry keys using a non-ASCII character goes all the way back to over a decade ago. It’s remarkable in a sense that after all these years, it still works on the latest Windows platform.

Here we see the built-in Windows Registry Editor choke on the hidden/protected key after infecting the computer with Poweliks.


Clicking past the error dialog, you should see something like this. This default key is exposed and fully downloadable/viewable. However, there’s another key that contains the “trigger” that’s not visible.


If we need to research what this particular malware is doing, we ought to find out what else is hiding there. For that we need to find a tool to help us view these hidden registry keys.

With online registry viewers/editors, you can get mixed results. Some seem to work well but lack some basic functionality like exporting keys as text. Others get confused and display the wrong key.




Offline registry viewers/editors fare much better and offer consistent results. However, you will need to log into a separate account on the computer and use this tool. Or you have to copy the registry off of the infected machine and view it on a computer with the tool installed.


I prefer to do an initial triage on the live machine and get to the data as quickly as possible. Since I couldn’t find a portable, online tool that had the features I wanted, I figure I would try my hand at creating one. The tool is called Registry Dumper and uses a DLL which interacts with the registry via NT native APIs that was written by Hoang Khanh Nguyen.


This tool allows you to scan for null characters in a given path. It will iterate through the path to find all the keys with nulls in them.


If you click on the “Show in Hex” checkbox, you can see the key names in hex. Here you will notice that the second entry’s name is “010001” which is equivalent to 0x01 0x00 0x01. This is impossible to view, edit, or delete using the Windows’ Registry Editor.


From here you can copy/paste the path over to the left side and dump the keys to a text file.


Here’s the text file containing all the key values in the given path.


With this tool you can create hidden keys for testing purposes. And if you wanted to delete that impossible-to-remove key, you can use this tool by entering “[x01][null][x01]” as the key name.


The obfuscated data you see there is the result of running it through Microsoft Script Encoder. To deobfuscate it, you can use an online decoder or download a VBS decoder. A fellow by the name of Lewis E. Moten III wrote a decoder program. I repackaged his function in the following tool.


Here is the decoded version. You will notice that I didn’t have to strip away everything else but the encoded string. The decoder program will look for the start and end markers of the encoded text and replace it with the decoded result.


Just recently, a newer variant of Poweliks was found. It uses a different registry hiding technique based on user permissions. You can read about it here.

If you use this tool to access one of these keys, you will get an error message saying that the key doesn’t exist. It does exist but it’s just that it doesn’t have the rights to view it.


Here’s the permission properties of the key using the Windows Registry Editor. Notice that the current user has no read permissions.


You can still use this tool to dump the keys but you first need to grant permission to the user account that’s running the tool. Just click on the Set Permission to User button and the permission is changed to allow the current user the rights.


Now you can access the key:


Here is the dump of the keys:


And the decoded string:


By the way, that Javascript in the “(Default)” key can be deobfuscated easily using Converter. You will see that the value in between the quotes are shifted over by one character (e.g. the word hello = ifmmp). Just enter the value “-1″ and click on the SHIFTx button (or you can click once on the minus button on the right).


You can download both tools here.

Posted in Malscript, Tools | Tagged , , , | Comments Off

Securing KeePass with a Second Factor

Cybercriminals are now stealing password managers so it’s time to make them more secure. You can check out this article for details about how it’s being done.

I wrote this up as a guide to help friends secure their password manager by implementing a second factor. The second factor will come in the form of a USB token that you insert into your computer when you need to run the password manager. If your password manager database and master password gets stolen by Citadel or anything else, criminals won’t be able to open the database without the physical USB token you have in your possession.

Two popular password managers are currently being stolen based on the article above — Password Safe and KeePass. There is a nice walkthrough on Yubico’s website on how to enable YubiKey for Password Safe here. YubiKey can also be used to secure LastPass, Passpack, and others.

Getting YubiKey and KeePass to work was a little tricky so I’ll be describing my experience here.

1. YubiKey made by Yubico

What’s great about the YubiKey hardware is that it supports a number of use cases such as computer logins, disk encryption, and web applications like WordPress, Google, and others. Unfortunately, not all YubiKey hardware supports all applications so be sure you pick up the right YubiKey hardware.

There are basically two types of hardware and the one you want to get to protect KeePass will either be the Standard or Neo version. The FIDO U2F Security Key doesn’t appear to support the protocol we need.

2. YubiKey Personalization Tool

This software program will allow you to configure your YubiKey. We will be configuring the second slot since the first slot is apparently reserved according to Yubico’s website — “Re-programming your YubiKey’s 1st configuration slot will overwrite the YubiCloud configuration, and you cannot undo this action!”

3. KeePass Professional Edition

You may need to install Microsoft .NET Framework 2.0+ if it’s not installed already.

4. KeePass plugin

You have a choice between two different security models — One-Time Pad (OTP) and Challenge-Response. Here are the links to the KeePass plugin that you’ll need:


If you decide on the OTP method, you can follow the instructions on Yubico’s website. It works but I had trouble. I had it generate three sets of OTP values which required three button presses on the YubiKey. Using the YubiKey Neo version, it worked most of the time. With the YubiKey Standard version, it rarely worked for some reason. I think it has something to do with how quickly you can press the button to generate the values. Tinkering with the OtpKeyProv settings (e.g. counters, look-ahead windows) did not yield consistent results but YMMV.

I opted for the Challenge-Response method via KeeChallenge which I’ll be describing here. With KeeChallenge, I didn’t have any problems like I did using the OTP method.

The KeeChallenge plugin can be downloaded directly from here. You will also need to download the latest YubiKey-Personalization release (download both Windows 32- and 64-bit versions) from Yubico. This was the part that I got hung up with but a helpful tip on a discussion board provided the solution.

Setting Up YubiKey
Install and run the YubiKey Personalization Tool then plug in the YubiKey into an available USB port.


Click on the Challenge-Response menu item at the top then click on the HMAC-SHA1 button.


Click on the Configuration Slot 2, ensure user input is required, and the fixed 64-byte input is selected. Click on Generate then on the Write Configuration buttons. You should get feedback that the configuration change was successful.


Make sure you copy and backup the secret key you generated! You will need this to setup KeePass as well as to regain access to your database should YubiKey fail for some reason. Store this in a safe place, preferably printed on paper and definitely not stored on the same computer that you’ll be using KeePass on.

If you want to set up multiple YubiKeys to work with the same KeePass database, just use the same secret key and write the change to the configuration.

That’s it for the YubiKey setup.

Setting Up KeePass and KeeChallenge
Download KeePass as well as the KeeChallenge plugin and Yubico’s YubiKey-Personalization release.

Install KeePass and go to the folder. Copy over the files and folders from the KeeChallenge plugin into the KeePass folder so it looks like this (the items in red belong to KeeChallenge):


Open the folder called “32bit”. See those DLL files? Replace them with the ones from the YubiKey-Personalization files you downloaded (the DLL files are located in the bin folder). Do the same for the 64-bit files.

Start KeePass and create or open an existing database.


Click on File > Change Master Key. Enter a new master password (twice). Click on the “Key File / Provider” checkbox and choose “Yubikey Challenge-Response”. Click on OK.


You will be asked for the secret. Paste the secret key you generated when you configured your YubiKey.


You will then be prompted to plug in your YubiKey if it’s not in already.


Tap the button on your YubiKey when you see this prompt on the screen.


Setup is done!

Usage and Recovery
To use KeyPass going forward, enter the password and ensure the Key File option is checked and set to YubiKey Challenge-Response.


Insert your YubiKey and tap on the button to log in.


You’re in!


If you lose your YubiKey, it broke, or you just can’t log in using it for whatever reason then unplug it, enter your password, and click OK. You will see this prompt. Choose “Recovery Mode”.


Enter the secret key and click OK.


And you’re back in!


You can feel a little more at ease now while shopping online!

Posted in Awareness | Tagged , , , , | Comments Off

Drupal 7 SQL Injection Info

There’s a lot of sites covering this vulnerability but I wanted to document some indicators for anyone who might need it.

Drupal Security Advisory
Drupal Public Service Annoucement
Drupal Documentation on “Your Drupal Site Got Hacked. Now What?”
Drupal Site Audit
Volexity Blog
Sururi Blog

What follows is a brief walk-through of evidence found on a couple of compromised hosts. YMMV.

Incident Response
Logging into phpMyAdmin and checking out the “users” table. Two accounts were created. The “drupaldev” account seems to have been found on many compromised hosts.


There was one host that had hundreds of accounts. What made the malicious accounts stand out was the missing mail field. This would occur if the user could get past the requirement on the registration page or if the account was added directly to the table.

Going to the “sessions” table, there’s one entry with the “uid” that matches the account created by the attacker. You can find out the attacker’s IP address this way.


Here’s info on this IP address:


The firewall logs showed activity over port 8888. If you visit the IP:port, you get this site:


Looking at the webserver logs, we can see POSTs hitting the user/login file on the host. The server 500 errors probably indicate a failed first attempt.


Going back to phpMyAdmin, a quick search for “.php” was done across all of the tables.


There was an entry found in the “menu_router” table which seems to be a very common indicator.


Clicking on the link, you can download the blob.


Going to the file system, there is a directory called “README.txt” with a php file inside. The folder and file names appear to be random but the script itself is the same as what others have reported.

This PHP script is particularly interesting, it’s a simple backdoor that’s triggered by a cookie. Sucuri covered this awhile ago.

Here’s a cleaned up version. If you hit the script straightaway, you will get the results of phpinfo(). If you wish to send your own commands, you need to pass three variables. The “Kcqf3″ variable contains a value that triggers the script. The second variable “Kcqf2″ will be preg_replace. “Kcqf1″ contains the command. I imagine the attackers might send commands along the lines of uname, wget, curl, etc.


I wrote a program to craft HTTP requests and can include my own cookie values into the header. Here, I’m sending the phpinfo command and you can see the result in the background. What stands out is its simplicity and cleverness.


You could create an IDS rule to look for HTTP requests that contain a cookie with the value “preg_replace” and detect/block those coming in. You can then follow up on the targeted host to see if the backdoor is there.

Good luck!

Posted in Malscript | Tagged , , , | Comments Off