Revelo Updated

A colleague of mine received the following email in his Gmail inbox and wondered how it got past the spam filters and what it does.

2015-02-15_01

What almost tricked him was that the email addressed him by name. Only the originating email address gave him pause; good thing the sender didn't spoof that. Let's have a look at the attachment.

2015-02-15_02

It's a JavaScript file. Malicious scripts are hard to detect because they are so easy to modify and customize. By the looks of it, the script concatenates a value to the variable 'a' and then jumps to another function. It keeps doing this until the very end, then evals the result. The problem is finding the "end". Can you find it?

2015-02-15_03

First let's deobfuscate this manually. You need to find where the concatenation finally ends and replace the eval there with alert. After about a minute of eyeballing the script, I gave up and searched for "(a)" instead; the eval turned out to be buried in the middle of the file.

2015-02-15_04

Just change that to "alert(a)" and open the file in a browser (on an isolated analysis machine, not your workstation) and you'll see what it does. Note that this only works when eval is the sole sink; if the script also uses document.write or Function(), neutralize those too.

2015-02-15_05

An easier way is to append a short script to the end, like this. Running the script then yields the same result as above.

2015-02-15_06

The deobfuscated script, by the way, makes an AJAX call to a site at tripenjoy.com, downloads a unique file that poses as a JPEG image, writes it back out with an executable extension, and then runs it.

2015-02-15_07

The downloaded file is definitely not a JPEG image.

2015-02-15_08

The payload keeps changing; the latest one I received was nearly FUD (fully undetected) according to VirusTotal.

2015-02-15_09

I've been meaning to update Revelo, and this script prompted me to do it. The latest version lets you deobfuscate these types of scripts more quickly using the same method we used above.

Run Revelo and paste in the JavaScript (or open the file). Revelo needs the "<script></script>" tags, so click Options > Add Script Tags and it will add them automatically.

2015-02-15_10

Choose the “Append Variable to End” method, type in “a” (the name of the variable we want to view) and click on Execute. Done!

2015-02-15_11

The second method I added is called "Intercept Return and Variable". It intercepts a user-specified variable at the point where a function returns it to the caller.

Here's an example. The script below passes a series of numbers to "CRYPT.obfuscate" and then to a "CRYPT.decode" function. The decode function decodes the values, converts them to a string, and returns the deobfuscated result, highlighted in red.

2015-02-15_12

All you need to do is select the new method, enter "return output", and click Execute. Done!

2015-02-15_13

I also added three more options to the menu:

2015-02-15_14

    * "Send Results to Prompt when Possible" – tries to display the results as prompt(1, variable) instead of alert(variable).
    * "Use Double Quote" – when trying various methods to deobfuscate a script, inserting single quotes into it may break it; with this option selected, double quotes are used instead.
    * "Convert Object to Text" – simply appends ".text" to objects in order to convert them to text where appropriate.

The latest version of Revelo is available on the Tools page.

Posted in Malicious Email, Malscript, Tools

Wild Wild West – 12/2014

Added the following packs:

"Null Hole"
"Hanjuan EK"
"Archie EK"
"Astrum EK"
"SedKit"
"SPL2 Pack"

Special thanks to Kafeine for his valuable input.

wildwildwest_1214

Posted in Exploit Packs

Registry Dumper – Find and Dump Hidden Registry Keys

The cybercriminals behind Poweliks implemented two clever techniques in their malware. The first was leveraging rundll32.exe to execute JavaScript, and the second was a method to hide/protect their registry keys. I'll be focusing on the second method.

The technique of hiding/protecting registry keys by embedding a null character in the key name goes back well over a decade: the Win32 registry APIs treat names as NUL-terminated strings and stop at the null, while the NT native APIs use counted strings and see the whole name. It's remarkable that, after all these years, it still works on the latest Windows platform.

Here we see the built-in Windows Registry Editor choke on the hidden/protected key after the computer has been infected with Poweliks.

2014-12-06_01

Clicking past the error dialog, you should see something like this. This default key is exposed and fully viewable/exportable. However, there's another key containing the "trigger" that's not visible.

2014-12-06_02

If we need to research what this particular malware is doing, we ought to find out what else is hiding there. For that we need a tool that can view these hidden registry keys.

With live (online) registry viewers/editors, you get mixed results. Some seem to work well but lack basic functionality like exporting keys as text. Others get confused and display the wrong key.

2014-12-06_03

2014-12-06_04

2014-12-06_05

Offline registry viewers/editors, which parse the hive files directly, fare much better and give consistent results. However, you will need to log into a separate account on the computer to use such a tool, or copy the hives off the infected machine and view them on a computer with the tool installed.

2014-12-06_06

I prefer to do initial triage on the live machine and get to the data as quickly as possible. Since I couldn't find a portable, live tool with the features I wanted, I figured I would try my hand at creating one. The tool is called Registry Dumper and uses a DLL, written by Hoang Khanh Nguyen, that interacts with the registry via the NT native APIs.

2014-12-06_07

This tool lets you scan a given path for null characters. It iterates through the path and finds all keys whose names contain nulls.

2014-12-06_08

If you check the "Show in Hex" checkbox, you can see the key names in hex. Notice that the second entry's name is "010001", i.e. the bytes 0x01 0x00 0x01. Because of the embedded null, this key is impossible to view, edit, or delete using the Windows Registry Editor.

2014-12-06_09

From here you can copy/paste the path over to the left side and dump the keys to a text file.

2014-12-06_10

Here’s the text file containing all the key values in the given path.

2014-12-06_11

With this tool you can create hidden keys for testing purposes. And if you wanted to delete that impossible-to-remove key, you can use this tool by entering “[x01][null][x01]” as the key name.

2014-12-06_12

The obfuscated data you see there is the result of running it through the Microsoft Script Encoder (screnc). To deobfuscate it, you can use an online decoder or download a VBS decoder. Lewis E. Moten III wrote a decoder program; I repackaged his function in the following tool.

2014-12-06_13

Here is the decoded version. Notice that I didn't have to strip away everything but the encoded string: the decoder looks for the start and end markers of the encoded text (#@~^ ... ^#~@) and replaces that span with the decoded result.

2014-12-06_14

Just recently, a newer variant of Poweliks was found. It uses a different registry hiding technique based on user permissions: the key's ACL denies the current user read access. You can read about it here.

If you use this tool to access one of these keys, you get an error saying the key doesn't exist. It does exist; the account running the tool simply lacks the rights to view it.

2014-12-06_15

Here’s the permission properties of the key using the Windows Registry Editor. Notice that the current user has no read permissions.

2014-12-06_16

You can still use this tool to dump the keys, but you first need to grant permission to the user account running the tool. Click the Set Permission to User button and the key's ACL is changed to allow the current user access. Keep in mind that this modifies the key's security descriptor on the live system, so record the change if evidence preservation matters.

2014-12-06_17

Now you can access the key:

2014-12-06_18

Here is the dump of the keys:

2014-12-06_19

And the decoded string:

2014-12-06_20

By the way, the JavaScript in the "(Default)" key can be deobfuscated easily using Converter. You will see that the values between the quotes are shifted by one character (e.g. the word hello becomes ifmmp). Just enter the value "-1" and click the SHIFTx button (or click once on the minus button on the right).
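The same shift can be undone programmatically. The following is an added example and not Converter's code: it shifts every character inside the string literals of a script by a fixed offset and leaves the surrounding code untouched, which is what you want when the obfuscator only touched the quoted values. The sample script is constructed for this example.

```javascript
// Added example; not Converter's code. Undo a fixed character shift that was
// applied only to the contents of string literals in a script.
function shiftQuotedStrings(script, shift) {
  // Matches "..." or '...' literals; backslash escapes are kept intact so
  // sequences like \n or \" are not turned into garbage by the shift.
  const literal = /(["'])((?:\\.|(?!\1)[^\\\r\n])*)\1/g;
  return script.replace(literal, (match, quote, body) => {
    const shifted = body.replace(/\\.|[^\\]/g, (piece) =>
      piece.length === 2 ? piece : String.fromCharCode(piece.charCodeAt(0) + shift));
    return quote + shifted + quote;
  });
}

// Constructed sample: the literals were produced with a +1 shift
// ("hello world" -> "ifmmp!xpsme", "Iframe" -> "Jgsbnf").
const SAMPLE = 'var s = "ifmmp!xpsme"; var t = \'Jgsbnf\'; document.write(s + t);';
console.log(shiftQuotedStrings(SAMPLE, -1));
// -> var s = "hello world"; var t = 'Iframe'; document.write(s + t);
```

Note that the space in "hello world" came back from "!" because the shift was applied to every character, punctuation included, which is also how Converter's SHIFTx behaves.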

2014-12-06_21

You can download both tools here.

Posted in Malscript, Tools

Securing KeePass with a Second Factor

Cybercriminals are now targeting password managers, so it's time to make them more secure. You can check out this article for details on how it's being done.

I wrote this up as a guide to help friends secure their password manager by adding a second factor. The second factor comes in the form of a USB token that you insert into your computer when you need to open the password manager. If your password manager database and master password get stolen by Citadel or anything else, criminals won't be able to open the database without the physical USB token in your possession. The token protects the database at rest; malware running while the database is unlocked can still read secrets out of the running process, so keep the machine clean too.

Two popular password managers are currently being targeted according to the article above: Password Safe and KeePass. There is a nice walkthrough on Yubico's website on how to enable YubiKey for Password Safe here. YubiKey can also be used to secure LastPass, Passpack, and others.

Getting YubiKey and KeePass to work was a little tricky so I’ll be describing my experience here.

Requirements
1. YubiKey made by Yubico

What’s great about the YubiKey hardware is that it supports a number of use cases such as computer logins, disk encryption, and web applications like WordPress, Google, and others. Unfortunately, not all YubiKey hardware supports all applications so be sure you pick up the right YubiKey hardware.

There are basically two types of hardware, and the one you want for protecting KeePass is either the Standard or the NEO version. The FIDO U2F Security Key doesn't appear to support the protocol we need (HMAC-SHA1 challenge-response).

2. YubiKey Personalization Tool

This software program will allow you to configure your YubiKey. We will be configuring the second slot since the first slot is apparently reserved according to Yubico’s website — “Re-programming your YubiKey’s 1st configuration slot will overwrite the YubiCloud configuration, and you cannot undo this action!”

3. KeePass Professional Edition

You may need to install Microsoft .NET Framework 2.0+ if it’s not installed already.

4. KeePass plugin

You have a choice between two different security models: One-Time Password (OTP) and Challenge-Response. Here are the links to the KeePass plugins you'll need:

OtpKeyProv
KeeChallenge

If you decide on the OTP method, you can follow the instructions on Yubico's website. It works, but I had trouble. It had me generate three OTP values, which required three button presses on the YubiKey. With the YubiKey NEO it worked most of the time; with the YubiKey Standard it rarely worked, for some reason. I think it has something to do with how quickly you can press the button to generate the values. Tinkering with the OtpKeyProv settings (e.g. counters, look-ahead windows) did not yield consistent results, but YMMV.

I opted for the Challenge-Response method via KeeChallenge which I’ll be describing here. With KeeChallenge, I didn’t have any problems like I did using the OTP method.

The KeeChallenge plugin can be downloaded directly from here. You will also need to download the latest YubiKey-Personalization release (both the Windows 32- and 64-bit versions) from Yubico. This was the part I got hung up on, but a helpful tip on a discussion board provided the solution.

Setting Up YubiKey
Install and run the YubiKey Personalization Tool then plug in the YubiKey into an available USB port.

2014-11-26_01

Click on the Challenge-Response menu item at the top then click on the HMAC-SHA1 button.

2014-11-26_02

Select Configuration Slot 2, ensure that user input (a button press) is required, and select the fixed 64-byte input. Click Generate, then Write Configuration. You should get feedback that the configuration change was successful.

2014-11-26_03

Make sure you copy and back up the secret key you generated! You will need it to set up KeePass, and to regain access to your database should the YubiKey fail for some reason. Store it in a safe place, preferably printed on paper, and definitely not on the same computer you'll be using KeePass on.

If you want to set up multiple YubiKeys to work with the same KeePass database, just use the same secret key and write the change to the configuration.

That’s it for the YubiKey setup.

Setting Up KeePass and KeeChallenge
Download KeePass as well as the KeeChallenge plugin and Yubico’s YubiKey-Personalization release.

Install KeePass and go to the folder. Copy over the files and folders from the KeeChallenge plugin into the KeePass folder so it looks like this (the items in red belong to KeeChallenge):

2014-11-26_04

Open the folder called "32bit". See those DLL files? Replace them with the ones from the YubiKey-Personalization release you downloaded (the DLL files are in its bin folder). Do the same for the 64-bit folder.

Start KeePass and create or open an existing database.

2014-11-26_05

Click on File > Change Master Key. Enter a new master password (twice). Click on the “Key File / Provider” checkbox and choose “Yubikey Challenge-Response”. Click on OK.

2014-11-26_06

You will be asked for the secret. Paste the secret key you generated when you configured your YubiKey.

2014-11-26_07

You will then be prompted to plug in your YubiKey if it’s not in already.

2014-11-26_08

Tap the button on your YubiKey when you see this prompt on the screen.

2014-11-26_09

Setup is done!

Usage and Recovery
To use KeePass going forward, enter the password and ensure the Key File option is checked and set to YubiKey Challenge-Response.

2014-11-26_10

Insert your YubiKey and tap on the button to log in.

2014-11-26_11

You’re in!

2014-11-26_12

If you lose your YubiKey, it breaks, or you just can't log in with it for whatever reason, unplug it, enter your password, and click OK. You will see this prompt. Choose "Recovery Mode".

2014-11-26_13

Enter the secret key and click OK.

2014-11-26_14

And you’re back in!

2014-11-26_15

You can feel a little more at ease now while shopping online!

Posted in Awareness

Drupal 7 SQL Injection Info

There’s a lot of sites covering this vulnerability but I wanted to document some indicators for anyone who might need it.

Resources
Drupal Security Advisory
Drupal Public Service Announcement
Drupal Documentation on “Your Drupal Site Got Hacked. Now What?”
Drupal Site Audit
Volexity Blog
Sucuri Blog

What follows is a brief walk-through of evidence found on a couple of compromised hosts. YMMV.

Incident Response
Logging into phpMyAdmin and checking the "users" table, two accounts had been created. The "drupaldev" account has been found on many compromised hosts.

2014-11-02_01

There was one host that had hundreds of accounts. What made the malicious accounts stand out was the empty mail field. That happens when the account is inserted directly into the table, bypassing the registration form's validation.

Going to the "sessions" table, there's one entry whose "uid" matches the account created by the attacker. The hostname column of that row gives you the attacker's IP address.

2014-11-02_02

Here’s info on this IP address:

2014-11-02_03

The firewall logs showed activity to this IP address over port 8888. If you visit the IP:port, you get this site:

2014-11-02_04

Looking at the web server logs, we can see POSTs hitting user/login on the host; the injection rides in the login form's name[] parameter, so that is where to look. The HTTP 500 errors probably indicate a failed first attempt.

2014-11-02_05

Going back to phpMyAdmin, a quick search for “.php” was done across all of the tables.

2014-11-02_06

There was an entry found in the “menu_router” table which seems to be a very common indicator.

2014-11-02_07

Clicking on the link, you can download the blob.

2014-11-02_08

Going to the file system, there is a directory called "README.txt" with a PHP file inside. The folder and file names appear to be random, but the script itself is the same as what others have reported.

This PHP script is particularly interesting: it's a simple backdoor triggered by a cookie. Sucuri covered this a while ago.

Here's a cleaned-up version. If you hit the script straight away, you get the output of phpinfo(). If you wish to send your own commands, you need to pass three cookie values. "Kcqf3" contains the value that triggers the script, "Kcqf2" is preg_replace, and "Kcqf1" contains the command. I imagine the attackers send commands along the lines of uname, wget, curl, etc.

2014-11-02_09

I wrote a program to craft HTTP requests that lets me include my own cookie values in the header. Here I'm sending the phpinfo command, and you can see the result in the background. What stands out is its simplicity and cleverness.

2014-11-02_10

You could create an IDS rule that looks for HTTP requests containing a cookie with the value "preg_replace" and alert on or block them. Match on the value rather than the cookie names, since those vary per deployment, and decode URL-encoding first. You can then follow up on the targeted host to see if the backdoor is there.
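Here is that detection in code, as an added example that is not part of the original post. It parses a raw HTTP request, pulls the Cookie header apart, URL-decodes each value so that "preg%5Freplace" does not slip past, and flags any cookie whose value contains preg_replace. Both requests are constructed for this example; the trigger value and the PHP file name are placeholders, not values observed on the compromised hosts.

```javascript
// Added example, not from the original post: flag the cookie-triggered
// preg_replace backdoor pattern in raw HTTP requests. Sample data constructed.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    let value = part.slice(i + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value on bad %-encoding */ }
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Parses a raw request (request line + headers) and reports whether any cookie
// value names preg_replace. The full cookie jar is returned so the responder
// can read the companion cookies carrying the trigger and the command.
function inspectRequest(raw) {
  const lines = raw.split(/\r?\n/);
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === "") break;                      // blank line ends the headers
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const cookies = parseCookieHeader(headers.cookie || "");
  const matchedCookies = Object.keys(cookies).filter((k) => /preg_replace/i.test(cookies[k]));
  return { requestLine: lines[0], suspicious: matchedCookies.length > 0, matchedCookies, cookies };
}

// Constructed requests: an ordinary Drupal session, and a backdoor command whose
// cookie names follow the post (Kcqf1/2/3). "1" as trigger and the .php name are
// placeholders; the command is URL-encoded because ";" is not legal in a cookie value.
const BENIGN = [
  "GET /node/1 HTTP/1.1",
  "Host: www.example.invalid",
  "Cookie: SESSd41d8cd98f00b204e9800998ecf8427e=abc123; has_js=1",
  "", ""].join("\r\n");
const BACKDOOR = [
  "GET /README.txt/a1b2c3.php HTTP/1.1",
  "Host: www.example.invalid",
  "Cookie: Kcqf3=1; Kcqf2=preg%5Freplace; Kcqf1=phpinfo()%3B",
  "", ""].join("\r\n");

console.log(inspectRequest(BENIGN).suspicious);   // false
console.log(inspectRequest(BACKDOOR));            // suspicious: true, matchedCookies: ["Kcqf2"]
```

Matching on the decoded value is cheap for the attacker to evade (base64 or string concatenation inside the cookie would defeat it), so treat a hit as a high-confidence indicator and a miss as no evidence either way; the file-system and menu_router checks above remain the reliable host-side confirmation.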

Good luck!

Posted in Malscript