Category Archives: Various

CloudFlare Phishing Email Campaign “Confirmation data changes”

Today I received, at one of my email addresses, a CloudFlare phishing email titled “CLOUDFLARE.COM. domain.com: Confirmation data changes”.

As you can see in the above screenshot, the phishing email claims that your CloudFlare account has exceeded its available load limit and that the account will be blocked if you don’t adapt the account’s rate plan.

The malicious link “https://cloudflare.com/login/?user=9647dec8-7e4c-40d6-bf15-43e3bd9233d3” redirected to “http://cloudflare.com.login.9437dec8-7e4c-40d6-bf15-43e3bd9226d3.alert-cloudflare.com.swteh.ru/login.php?domain=zataz.com”, hosted on 77.222.41.100 (Russian hosting provider SpaceWeb.ru, AS44112).

I found another malicious link on a Russian forum:

“http://cloudflare.com.login.1647dec1-1e4c-50d6-bf15-43e4bd9133d9.alert-cloudflare.com.swteh.ru/login.php?domain=xxxxx.com”, located on the same server.
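Both links above follow the same trick: the real registrable domain is swteh.ru, and everything left of it, including “cloudflare.com”, is just subdomain labels chosen by the attacker. As an added example (not code from the original post), the following Python flags that pattern and the displayed-link/real-target mismatch; it deliberately uses a two-label rule instead of a Public Suffix List, which is an assumption noted in the code.

```python
from urllib.parse import urlsplit

# Brand names that should never appear in a label left of the registrable domain
# (constructed watch list for this example; extend it for your own environment).
WATCHED_BRANDS = ("cloudflare",)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname.

    Simplification (assumption of this example): no Public Suffix List is
    consulted, so 'swteh.ru' and 'cloudflare.com' are handled correctly but a
    'co.uk' style suffix would be misjudged; use the PSL in a real deployment.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, brands=WATCHED_BRANDS) -> dict:
    """Report the registrable domain and any watched brand present only in subdomain labels."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    # Everything left of the registrable domain is chosen freely by whoever owns it.
    prefix = host[: -len(reg)].rstrip(".") if host != reg and host.endswith(reg) else ""
    prefix_labels = prefix.split(".") if prefix else []
    hits = sorted(b for b in brands
                  if b not in reg and any(b in label for label in prefix_labels))
    return {"host": host, "registrable_domain": reg,
            "brand_in_subdomain": hits, "suspicious": bool(hits)}


def displayed_vs_actual(displayed: str, actual: str) -> bool:
    """True when the link text and the real target resolve to different registrable domains."""
    return (registrable_domain(urlsplit(displayed).hostname or "")
            != registrable_domain(urlsplit(actual).hostname or ""))


# Constructed inputs: the displayed link and the redirect target quoted in the post.
DISPLAYED = "https://cloudflare.com/login/?user=9647dec8-7e4c-40d6-bf15-43e3bd9233d3"
REDIRECT = ("http://cloudflare.com.login.9437dec8-7e4c-40d6-bf15-43e3bd9226d3"
            ".alert-cloudflare.com.swteh.ru/login.php?domain=zataz.com")

if __name__ == "__main__":
    for u in (DISPLAYED, REDIRECT):
        print(check_url(u))
    print("displayed/actual domain mismatch:", displayed_vs_actual(DISPLAYED, REDIRECT))
```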

In the email headers we can see that the phishing email was sent from “grafias.lunarpages.com”, hosted on 216.97.235.15 in the US.

CloudFlare users alerted the CloudFlare team through a post in the support forum, and an alert was then raised to all CloudFlare customers.

Gong Da / Gondad Exploit Pack Evolutions

You may remember the end-of-August Java 0day, aka CVE-2012-4681. This 0day was found in an HTML page containing obfuscated JavaScript. The obfuscation was made by a tool initially called “Dadong’s JS Obfuscator”.

/*Encrypt By Dadong’s JSXX 0.44 VIP*/

This obfuscator was used, in the Java 0day case, to hide the presence of the Chinese Gong Da Pack (aka Gondad).

The August version of Gong Da Pack exploited CVE-2012-4681 as shown in the following diagram, but previous studies, in March, had revealed that this pack was also dealing with CVE-2011-2140 (Adobe Flash Player), CVE-2012-0003 (Windows Multimedia Library) and CVE-2011-3544 (Oracle Java Rhino exploit).

A new version of Gong Da Pack is emerging and is getting more complex. This version was discovered on “hxxp://qq.wangmazz.com/xx/index.html”, a web site which is no longer accessible.

“qq.wangmazz.com” was hosted on 210.56.55.106, AS38197, in Hong Kong, and the “wangmazz.com” domain name was created on 2012-10-19, through the name.com registrar, for “jie jiu ([email protected])”.

The “index.html” file contained JavaScript code obfuscated by the same obfuscator as in the Java 0day case, but under a different name. I think we could simply rename “Dadong’s JS Obfuscator” to “JSXX VIP JS Obfuscator”. It seems that “Dadong’s” or “xx.xiamaqq.com” are the names of the campaigns. The “index.html” file was recognized by only 9 of 44 anti-viruses on VirusTotal.com.

/*Encrypt By xx.xiamaqq.com’s JSXX 0.44 VIP*/

After de-obfuscation of the “index.html” file, you can see that Gong Da Pack has evolved to the following diagram.

Gong Da Pack is still dealing with CVE-2011-3544 (Oracle Java Rhino exploit) and CVE-2012-4681 (Oracle Java August 0day), has added CVE-2012-0507 (another Oracle Java exploit), CVE-2012-1723 (another Oracle Java exploit) and CVE-2012-1889 (Microsoft XML Core Services), but has removed CVE-2011-2140 (Adobe Flash Player) and CVE-2012-0003 (Windows Multimedia Library) for this campaign.

An interesting part discovered in the code is that the bad guys were targeting Internet Explorer browsers with Korean language support for CVE-2012-1889.

Below is some information regarding the different files:

“qaz2.exe”, a PE32 executable, is recognized by 23/44 anti-viruses as a trojan targeting online gamers. This file is downloaded from “xx.xiamaqq.com”, located on 210.56.55.161, AS38197, in Hong Kong. The “xiamaqq.com” domain name was also created on 2012-10-19, through the name.com registrar, for “jie jiu ([email protected])”.

Once installed, “qaz2.exe” connects to “o108.cvnieksff.com” on 111.68.8.254, in Hong Kong. The “cvnieksff.com” domain name was created on 2012-05-11, through the enom.com registrar, for “Yu Yuming ([email protected])”. The first connection is an HTTP GET request to “/jc/post.asp?d10=MACADDRESS&d11=ver-jc-119xx&d21=56&d22=OSTYPE”. The response to this request is:

In conclusion, Gong Da Pack (aka Gondad) seems to continue to target Asian countries, and has evolved to mostly use the latest Oracle Java exploits. As you can see, this campaign has targeted online gamers; what is still not clear is when and how the August Java 0day was pushed into Gong Da Pack.

Microsoft Internet Explorer 0Day reported by ZDI to Microsoft?

As you may know, Microsoft has released the MS12-063 out-of-band security bulletin, which fixes 5 security vulnerabilities including CVE-2012-4969, the Internet Explorer 0day I discovered being exploited in the wild by the Nitro gang last weekend.

After analyzing MS12-063 and all the vulnerabilities fixed in this bulletin, I was surprised to see that CVE-2012-4969 was credited to an anonymous researcher working with TippingPoint’s Zero Day Initiative.

Microsoft thanks the following for working with us to help protect customers: An anonymous researcher, working with TippingPoint’s Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969)

So, to be clear, this means that this vulnerability was discovered by another researcher prior to my discovery and reported to ZDI, which then reported it to Microsoft. Hum… Microsoft has not yet provided the ZDI reference, and ZDI has not communicated about it either.

Based on NIST NVD, CVE-2012-4969 has a CVSS base score of 9.3, because the “AccessComplexity” metric is set to “Medium”. But I really think that “AccessComplexity” should be set to “Low”, which would result in a CVSS base score of 10.

If you take a look at all the upcoming Microsoft ZDI advisories, all related ZDI-CANs reported by an anonymous researcher have a maximum CVSS base score of 7.5.

Below are all the ZDI-CANs reported by an anonymous researcher:

  • ZDI-CAN-1586 was reported on 2012-07-24, with a CVSS of 7.5
  • ZDI-CAN-1574 was reported on 2012-07-24, with a CVSS of 7.5
  • ZDI-CAN-1373 was reported on 2012-07-24, with a CVSS of 7.5
  • ZDI-CAN-1526 was reported on 2012-03-14, with a CVSS of 7.5
  • ZDI-CAN-1525 was reported on 2012-03-14, with a CVSS of 7.5
  • ZDI-CAN-1524 was reported on 2012-03-14, with a CVSS of 7.5
  • ZDI-CAN-1523 was reported on 2012-03-14, with a CVSS of 7.5
  • ZDI-CAN-1520 was reported on 2012-03-14, with a CVSS of 7.5
  • ZDI-CAN-1402 was reported on 2011-11-29, with a CVSS of 7.5
  • ZDI-CAN-1281 was reported on 2011-05-25, with a CVSS of 7.5

None of these ZDI-CAN vulnerabilities has a CVSS base score of 9.3 or 10. But maybe ZDI doesn’t apply good practices to CVSS scoring?

If you take a look at the MS12-063 CVE assignments reported by anonymous researchers working with ZDI:

  • CVE-2012-4969, the one in question, was assigned on 2012-09-18
  • CVE-2012-2557 was assigned on 2012-05-09
  • CVE-2012-1529 was assigned on 2012-03-08

If CVE-2012-4969 was reported to ZDI by an anonymous researcher, the vulnerability was known to Microsoft for a minimum of 1 month, a maximum of 462 days, and an average time of 168.4 days…

You may know that ZDI (an HP-related company) uses the reported vulnerabilities to create IPS filters in order to protect HP Digital Vaccine customers. So even though the affected vendor has not yet released a patch, HP Digital Vaccine customers are “protected” against the potential threat. So all the potential 0days reported to ZDI are modeled as filters.

Our security research team develops new Digital Vaccine® protection filters that address the latest vulnerabilities and are constantly distributed to our customers’ intrusion prevention systems.

You may also know that ZDI is part of the zero-day exploit market, and that the principal objective of this market is to make money by selling 0days to interested persons or organizations.

Now, jump back to the end of August: you remember the Java 0day which was also exploited in the wild by the Nitro gang? Take a look at the Oracle Security Alert for CVE-2012-4681: who is credited? James Forshaw (tyranid) via TippingPoint. Hum… One more time TippingPoint is present, coincidence?

An interesting Guardian newspaper article regarding the Java 0day pointed to the possibility that:

Although little is known about the group, it is thought that they did not discover the flaw themselves but may have bought it from a commercial group that specialises in selling details about “zero-day” flaws in software that can be used to penetrate commercial or government systems, even when they have the most up-to-date cybersecurity in place.

This is beginning to be too many coincidences. I would like to know:

  • Is the Microsoft credit an error?
  • Has ZDI sold these 0days?
  • Have HP Digital Vaccine filters been reversed?
  • Is ZDI the victim of a leak?
  • Is ZDI the victim of an insider threat? Lots of ZDI employees have left the company recently.

Updates

09/22:

Robert Graham @ErrataRob has written an interesting article, “0-day leaks from IPS”, regarding my question “Have HP Digital Vaccine filters been reversed?”.