Exceptional – Botnets and Exploit Kits

Exploit Kits and Botnets go hand in hand. If one is responsible for infecting, then the other is utilised for generating revenue; they cannot exist without each other.

For the past few weeks, we have been observing a new wave of infection: Win32.XPAJ. This is a polymorphic file-infecting virus which, after successful infection, turns into a bot-net client.

Several things observed in this virus are new.

As with every piece of technology, evolution is a must and Win32.XPAJ is not far behind. The method used to infect is highly complex and every bit of care has been taken to protect itself from detection by Anti-Viruses.

Most Antiviruses detect malware by using MD5 signatures or by inspecting the internals of the file. Secondly, the threat factor is decided based on the number of computer systems / networks, or the geographical area, infected by a particular trojan/malware.

Domains such as .gov and .mil belong to governments and the military, which are already paranoid about such threats, and if these are infected the threat level posed by such a trojan/malware is raised exponentially.

Organizations such as Google and some of the AV product developers, which are known to aggressively deny access to websites which host these exploit kits or incorporate detection algorithms are the number two enemy of such Exploit kits and Botnet Clients.

The success of Exploit Kits is based on

A: Evasion- How can this piece of code evade the existing technologies during all the stages of infection?
B: Stealth- How can it not raise suspicion after delivering and for what period?
C: Penetration – How many computer systems/networks can it exploit?

Win32.XPAJ has done it all.

Before infecting any system/network, Win32.XPAJ verifies the domain and exits if it finds .mil or .gov. It just refuses to infect these domains.

It also verifies the country in which the computer is located by way of IP address geo-location and doesn’t infect certain European Countries and a few others. In other words, it chooses who should be infected and who shouldn’t be.

The entry point is changed and the payload resides in different parts of the infected executable / DLL, ensuring that detection by an Anti-virus is difficult if not impossible.

It's very rare to find a trojan/virus/phishing site which is selective in nature (country specific, domain specific).

A few hours ago, Cryptome.org was hacked and infected with Blackhole Exploit Kit.

According to Wikipedia

Cryptome is a website hosted in the United States since 1996 by independent scholars and architects John Young and Deborah Natsios that functions as a repository for information about freedom of speech, cryptography, spying, and surveillance.

Targeting this website ensures infecting a select group of individuals and organizations but there is a similarity between Win32.XPAJ and BlackHole exploit Kit residing on Cryptome Servers.

No need for guessing, it's "Exception". This infection on Cryptome avoids attacking Google IP addresses, while Win32.XPAJ goes one step ahead by not attacking .mil, .gov and certain countries.

Since a security-related web-site was targeted, a prompt reaction from the whole community was ensured.

The future of “Threat Escalation” is going to change as we will come across more and more exploit kits and trojans / viruses which are selective about their targets. We will have to change our perspective and segregate the threat based on global and geographically specific attacks.

We have seen a lot of Phishing Sites employing such “Exception” based techniques, and Win32.XPAJ is not the last.

Win32.XPAJ, upon infection converts itself into a botnet client and the payload this time is Ad-Click fraud.

For the year 2012, we had said that India would be the largest hub of botnets and with Win32.XPAJ, this will soon become a reality as most of the infected computers are based in India. My previous blog on DNS MITM is a bleak reminder.


Disclosure : Router based DNS MITM Attack

—[ Attacked Hardware ]

CPE Router, which provides Internet Access over ADSL.

—[ Severity level ]

Severity level    :   Critical
Impact        :   DNS Injection MITM
Access Vector    :   Network exploitable

—[ Hardware Description ]

CPE Routers are used to provide Internet access and are directly connected to the ISPs. These routers are used by millions of home users and organizations world-wide to connect to the ISP. These devices also act as a NAT device, providing a rudimentary DMZ, and every CPE manufacturer ships them with a DHCP server embedded in the router OS.

—[ Attack Description ]

We have observed an attack vector, targeting CPE Routers used for facilitating ADSL connectivity.

The Victim, when browsing or accessing internet is directed to a server, which does not belong to the requested Domain.

The Victim has enabled DHCP on the client machine, so the DNS server IP address and the machine IP address are provided by the embedded DHCP server residing on the affected hardware.

Normally, DNS server IP address is configured at the time of installation and once the initial configuration is complete, no one bothers to make any changes to this configuration, including the configuration access password.

The attacker gained access to the router, changed the DNS server to 109.74.196.50 and also changed the password of the router, effectively taking over control of the DNS queries with a rogue DNS server and a rogue IP which accepts connections.

109.74.196.50 has “A records” for in.yahoo.com, indiatimes.com and rediff.com pointing to 212.113.36.83.

In the past, we have observed DNS cache poisoning attacks and modification of the "hosts" file, but modifying the DNS server IP of a router and also deploying a rogue DNS server is a first of its kind for me. This type of attack opens the flood-gates for a lot of different attack vectors.

The web-server IP address in question appears in the advertising links mentioned below.

Link 1:

hxxp://www.googleadservices.com/pagead/aclk?sa=L&ai=BQpZjMbYOT_X7KoeGiAfcmLQSweK0kQOps6idQ8CNtwHwkwkQARgBIO3RuBo4AFCDsfy1-_____8BYOXS5oO8DqABh_vn2gOyAQ0yMTIuMTEzLjM2LjgzugEKMzAweDI1MF9hc8gBAtoBFWh0dHA6Ly8yMTIuMTEzLjM2LjgzL4ACAagDAcgDFegDNegDBegDDfUDAAAAwPUDAABAEIgGAaAGAg&num=1&cid=5GgGexj0cW8pXlxeTn4aLTAP&sig=AOD64_2XdwXuNKwt_zLnH8ll-xvW1vQTlg&client=ca-pub-3451543299263350&adurl=http://www.softlayer.com/lp/singapore-hosting&nm=2

Link 2:

hxxp://www.googleadservices.com/pagead/aclk?sa=L&ai=BVmcsMLYOT8CPLeOBiAe5ldX5D_mWm68CiYLLmSSRh5GDY-D2xQIQARgBIO3RuBo4AFDL6Y3g-P____8BYOXS5oO8DqABn6uj5wOyAQ0yMTIuMTEzLjM2LjgzugEKMzAweDI1MF9hc8gBAtoBFWh0dHA6Ly8yMTIuMTEzLjM2LjgzL-ABAoACAakClWJAw222VD7AAgaoAwHIAxXoAzXoAwXoAw31AwAAAMT1AwAAQBCIBgGgBgI&num=1&cid=5GiWmEtBLveZ3g0hCcQDaPyc&sig=AOD64_08TL32M9LfVt6X-FYMbanPfO4ysg&client=ca-pub-3451543299263350&adurl=http://www.bigrock.in/discounted-dot-com-domains.html%3Fa_aid%3D4d2c643cb0d0a%26location%3DIN%26chan%3Dga_sit_tar%26ad%3Dga_sit_tar&nm=9

The targeted domains are
1: in.yahoo.com
2: indiatimes.com
3: rediff.com

As of this moment, this seems to be an India-centric operation with very few domains, but the list may grow over a period of time. The scope of the method used by this attack vector, however, is global.
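The attack described above has a simple tell: a handful of unrelated domains all resolve, through the router-assigned resolver, to one IP that a trusted resolver never returns. The following check is an added example, not code from the original post or from eScan: it builds a raw DNS A query, parses the answer, and compares answers from the DHCP-assigned resolver with those from a resolver you trust. The domain list and the rogue answer (212.113.36.83) come from the post; the "trusted" answers in the sample data are constructed for the offline demonstration and are not real records.

```python
"""Detect router-level DNS hijacking by comparing answers from the
DHCP-assigned resolver with answers from a resolver you trust.
Added example; assumes plain UDP DNS on port 53 and IPv4 A records only."""
import socket
import struct

# Domains named in the post as being hijacked, plus a constructed control domain.
WATCHLIST = ["in.yahoo.com", "indiatimes.com", "rediff.com", "example.net"]


def build_query(name, txid=0x1234):
    """Build a minimal DNS query for an A record (recursion desired)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Return the offset just after a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes end the name
            return offset + 2
        offset += 1 + length


def parse_a_records(response):
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    offset = 12
    for _ in range(qd):
        offset = _skip_name(response, offset) + 4   # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        offset = _skip_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return answers


def query_a(name, nameserver, timeout=3.0):
    """Ask one specific nameserver (not the system resolver) for A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (nameserver, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)


def find_hijacked(local_answers, trusted_answers):
    """Domains whose router-assigned answers share no IP with the trusted answers."""
    return {d: (local_answers[d], trusted_answers.get(d, []))
            for d in local_answers
            if not set(local_answers[d]) & set(trusted_answers.get(d, []))}


def shared_sinkholes(local_answers, min_domains=2):
    """IPs that several unrelated domains resolve to: the signature of this attack."""
    seen = {}
    for domain, ips in local_answers.items():
        for ip in ips:
            seen.setdefault(ip, set()).add(domain)
    return {ip: sorted(doms) for ip, doms in seen.items() if len(doms) >= min_domains}


# Constructed sample data: what the rogue resolver returned per the post, against
# made-up "trusted" answers (not real records) so the check runs offline.
SAMPLE_LOCAL = {"in.yahoo.com": ["212.113.36.83"], "indiatimes.com": ["212.113.36.83"],
                "rediff.com": ["212.113.36.83"], "example.net": ["192.0.2.10"]}
SAMPLE_TRUSTED = {"in.yahoo.com": ["192.0.2.1"], "indiatimes.com": ["192.0.2.2"],
                  "rediff.com": ["192.0.2.3"], "example.net": ["192.0.2.10"]}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # usage: script.py <router-assigned resolver> <trusted resolver>
        local = {d: query_a(d, sys.argv[1]) for d in WATCHLIST}
        trusted = {d: query_a(d, sys.argv[2]) for d in WATCHLIST}
    else:
        local, trusted = SAMPLE_LOCAL, SAMPLE_TRUSTED
    print("mismatched:", find_hijacked(local, trusted))
    print("shared sink IPs:", shared_sinkholes(local))
```

Run without arguments to see the check against the constructed sample; with two resolver IPs it queries both live. A single IP answering for several unrelated domains is the strongest signal here, since a legitimate CDN rarely serves competing portals from one address.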

—[ Available Information ]

Google Adsense ID    : ca-pub-3451543299263350

IP Address 1        : 109.74.196.50 DNS Server
The DNS server is deployed on a cloud-based service provided by linode.com. This is a paid service.

IP Address 2        : 212.113.36.83 Web Server
This server is located in JSC Ukrtelecom Data Center (Ukraine) as per the robtex records.

—[ Mitigating the Attack ]

In my previous blog-posts I had mentioned CPE Routers being the least protected IP devices, with the least amount of security features, yet an attack vector of this type changes the security perception of the entire community. One fact which is never taken into consideration is that Firewalls, IPS and IDS all reside behind the router.

So, how do we protect a router?

Recently, a telnet bug had surfaced; hence, how secure these embedded devices are is a question everyone should ask. I am yet to ascertain whether this bug existed in the CPE.

Secondly, if these embedded devices are affected by the bug, then changing the password as a method of mitigating the attack doesn't make any sense.

To mitigate this type of attack

1: Manually assign the DNS server IP address. In my case, I used 8.8.8.8

2: DeSOPA the firefox extension. Initially this Firefox extension was used to circumvent SOPA related DNS Blocks, but we have used it for circumventing the DNS MITM attack.

3: Change the router access password and ensure that the telnet port is not reachable from the Internet.

—[ The Future ]

As of this moment, it is an Advertising Revenue Generation Site but future possible scenarios are as follows:

1: Phishing Site (Cloned Web-Site) – This would be very difficult to detect, as the URL in the browser will be a valid one but the IP would be incorrect.

2: Drive-By Download with Cloned Site

3: Transparent Proxy with http interception capabilities.

4: Tunnels? I haven’t yet come across any low-end router with tunneling capabilities but mid-range to high-end routers with telnet bug / weak passwords, do have this capability. Would anyone ever attempt redirecting the traffic?

A Network Diagram will be uploaded.

—[ The Proof ]

Screen-shot from affected system (Victim's Machine)

Screen-shot from a non-affected system

Screen-shot of the Rogue DNS Server

[UPDATE]

http://www.ipillion.com/ip/212.113.36.83 this IP has been tagged with loads of complaints.


2012 Spoilers

Do not present #infosec with any #2012predictions. Many in the community hate #spoilers.

Hactivism

Definition: A collective without any known leadership, with its utopian set of ethos, trying to bring some sense into this chaotic world.

Anonymous, as a collective, is mostly active in the US and European countries, but in 2012 we would see them making active inroads into Asian countries, especially India.

Why India?

1: Recently, Indians have been agitating against corruption and corrupt officials, but nothing much has materialized on the online front.

2: Though India has Cyber Laws, when it comes to attacks originating outside India nothing much is expected.

3: A few months ago, Indian hackers had tried to go the Anonymous way but lost their way and ended up getting doxed by Anonymous.

DOX: Personal information about people on the Internet, often including real name, known aliases, address, phone number, SSN, credit card number, etc.

I wouldn’t be surprised IF Anonymous collective has already started contacting and recruiting Indian hackers.

Money Mules and Credit Card related Frauds

India will see a sharp rise in both Money Mules related activity and Credit Card Related crimes.

In India, the list of petty criminals is huge, due to which money-mule activity will be out-sourced to India, and that too in a big way. I think the year 2012 would build the foundation for India's future IT-related crimes.

Would these types of cases be detected?

I have my own reservations over this, because of lots of factors, but banks do have the option of keeping a tab on foreign ATM withdrawals / purchases from local businesses located in a different country.

In the past, we have seen non-compliance with PCI-DSS by some of the top-most organizations, whether it was Sony or Stratfor or Heartland; hence it is imperative that all organizations take the year 2012 very seriously when it comes to PCI-DSS compliance, and do not take web security / data security for granted.

I have observed a lot of Shopping Malls which store entire Credit-Card and Debit Card data on their own servers, and their employees are encouraged to swipe the card into their own POS along with the one provided by the banks; it's only a matter of time until someone hacks into these and finds a treasure trove of information. Whether the information stored by Indian Shopping Malls follows the PCI-DSS norms or not, only time will tell.

The security of Indian Organizations will be severely tested or has it already been tested and no one knows about it?

Phishing and Malware

Phishing will never cease to exist. As long as email servers and domains are non-compliant with at least one industry standard, i.e. DKIM or SPF with strict enforcement, phishing is not going to stop.

Phishing mails with malware attachments or malware laced urls or plain data stealing web-site clones can always be expected.

AV Industry will have to rethink their strategy when it comes to content scanning and detection of phishing / malware sites. Why? The answer is simple, who will clean up the ever increasing database of urls?
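"Strict enforcement" in the SPF sentence above means the record ends in `-all` (hard fail) rather than `~all`, `?all` or no `all` term at all, which tell receivers to accept spoofed mail anyway. The classifier below is an added example, not code from the original post or from eScan; it takes the TXT strings published for a domain (constructed samples here, using documentation addresses, not real records) and reports whether SPF is strictly enforced, so a defender can audit their own domains offline.

```python
"""Classify SPF TXT records by how strictly they are enforced.
Added example; the sample records are constructed, not real DNS data."""

QUALIFIERS = {"-": "strict", "~": "softfail", "?": "neutral", "+": "pass-all"}


def spf_policy(txt_record):
    """Return how the record treats senders not matched by any mechanism."""
    if not txt_record.strip().lower().startswith("v=spf1"):
        return "none"                        # not an SPF record at all
    for term in txt_record.split()[1:]:
        lowered = term.lower()
        if lowered.startswith("redirect="):
            return "redirect"                # policy lives in another domain's record
        if lowered.lstrip("+-~?") == "all":
            qualifier = lowered[0] if lowered[0] in QUALIFIERS else "+"
            return QUALIFIERS[qualifier]
    return "implicit-neutral"                # no 'all' term evaluates to neutral


def spf_status(txt_records):
    """Summarise a domain's TXT records: (has_spf, strictly_enforced, policy)."""
    spf = [r for r in txt_records if spf_policy(r) != "none"]
    if not spf:
        return (False, False, "none")
    if len(spf) > 1:
        return (True, False, "multiple-spf-records")   # RFC 7208: permanent error
    policy = spf_policy(spf[0])
    return (True, policy == "strict", policy)


# Constructed sample TXT record sets for four hypothetical domains.
SAMPLE_DOMAINS = {
    "strict.example":  ["v=spf1 ip4:203.0.113.0/24 mx -all", "google-site-verification=abc"],
    "soft.example":    ["v=spf1 include:_spf.mail.example ~all"],
    "nospf.example":   ["some unrelated verification token"],
    "broken.example":  ["v=spf1 -all", "v=spf1 ip4:198.51.100.7 ~all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE_DOMAINS.items():
        print(domain, spf_status(records))
```

Feed the function the TXT records returned by a real lookup (for instance from `dig TXT domain +short`) to audit your own domains; only the `strict` result meets the bar the post is talking about.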

2012 the year itself 21/12/2012

According to the Mayan calendar there is no 2013, and this will lead to lots of phishing mails or scams, especially in November and the first half of December.

Key Collision / Digital Certificate

State-sponsored snooping, whether on their own citizens or on foreign entities, will take a new shape; either way, it's going to gain prominence.

What has a State got to do with Key Collision / Digital Certificates? These symbolize 'Trust': the trust which we users place in the services we avail from service providers, and the trust a government official places in the exe / pdf / email he has received from his boss / department head.

A rogue Government having access to a CA either legally or otherwise – the eventualities are limitless.

Smart Phones and Tablets

India has seen a jump in sales of Smart Phones and of cheaply available Android-based Tablets costing less than 3000 INR, i.e. approx. 56 USD. Hence, the market for mobile malware is now evenly balanced with the conventional version.

When a particular piece of technology/hardware is available so cheaply, it garners extreme interest in all circles and in turn grabs a huge market share. Tablets provide computing power as well as mobility and add a new segment of IT users, but nothing much can be said about their security awareness.

Premium-rate SMS/call hacks and premium image downloads will occur; along with this, data-harvesting and tracking apps will increase. Not only Indians but the rest of the smart phone / tablet users will be at risk.

Long URLs have already proved to be an excellent USP for phishing syndicates, and QR codes for long URLs won't be far behind. After all, the display screen size and font size do matter.

One fact I would love to mention is that QR codes often don't accompany the visually displayed links which they are supposed to represent. This is one big flaw and can / will be exploited.

Botnets and Anonymous proxies

Botnets have always been a pain to organizations and security researchers worldwide. Botnets are being used for various tasks, from launching DDoS attacks to spamming, but very recently it has been observed that a botnet was being used to provide paid anonymous browsing proxy services.

In the year 2012, India will be the largest host for such services.

Unauthorised access coupled with data pilferage is generally termed a hack, and organizations generally treat such cases quite seriously. But what about unauthorized processes which are not leaking the organization's data but are utilizing its resources? These are termed a virus / malware / trojan, or simply a failure of the organization to deploy a proper AV solution.

It doesn't matter whether it is a hack or an infection: every instance of unauthorised resource access has to be dealt with and handled. Bandwidth availability, on the other hand, is increasing exponentially while the cost of availing that bandwidth is decreasing.

Normally, everyone concentrates on Corporations but what about SMBs and home users and their security awareness?

Based on this perception, we believe that India will be the largest hub of Botnet and Anonymous Proxy services by the end of 2012.

We have recently seen IP addresses of SMBs and Home users with broadband being used by Paid Anonymous Proxy Services.

This also raises a question about the ISPs and their own detection mechanisms for such activity.

Last but not the least …

Stuxnet and Duqu

Stuxnet and Duqu required access to internal networks, but with freely available services like ShodanHQ and the latest telnet exploit making the rounds in security circles, I wouldn't be surprised to find automated attacks on embedded devices exposed on the Internet, with those devices being taken over by rogue entities.

Rogue entities / states having their own database of vulnerable IPs, similar to ShodanHQ, is just waiting to be exposed.

If this exposure ever takes place, it's going to raise a lot of questions, especially related to espionage.

Some of the spoilers mentioned may be combined in different permutations and combinations and used to wage a covert cyberwar. Though Cyberwar is not a new term, it is all set to become a reality.

eScan wishes you a Safe and Secure 2012, and as usual we shall be striving to come out with newer algorithms and ideologies.
