APT Never Dies

July 20, 2010 darkfloyd No comments

Introduction

Inspired by one of the sections on Advanced Persistent Threat (APT) and botnet C&C servers presented by Mr. Yung at the Bot2010 conference[1], Mars and I set out to search for live C&C servers in order to dig into more details of the APT area. APT is defined as a kind of targeted attack against high-value information, backed by strong resources and authority.

With reference to the Shadows in the Cloud report[2] published in April, we found that Google has done some filtering of its own; nevertheless, we had some luck and successfully found an active C&C server.

Read more…

Categories: Malware Research

Flash zero-day(CVE-2010-1297) used in mass injections

June 13, 2010 Mars 1 comment

In recent days, the Flash vulnerability (CVE-2010-1297) has been used for drive-by downloads. As a result, many websites have been injected with malicious links such as (hxxp://2677.in/yahoo.js), and those compromised websites were broken into by automatic mass-injection tools.

Mass injections

TOMTOM website injected with a malicious link

In most cases, attackers move faster than vendors, which gives them a great opportunity to build a strong botnet and control more victims. :(

The following flow chart shows the attack path of the zero-day.

Read more…

Flash crash caused by bad P-Code modification (CVE-2010-1297)

June 10, 2010 Mars No comments

After analyzing the PDF sample (which is still being exploited in the wild), we extracted the embedded Flash file called "pad.swf". This file seems to have been modified from the file at http://lostinactionscript.googlecode.com/svn/trunk/bin/AES-PHP.swf.

If we compare these two files in detail (shown below):

Original AES-PHP.swf (0x66)

Exploit pad.swf (0x40)

Surprisingly, only 1 byte was changed. It causes the Flash ActionScript to execute a newfunction() and corrupts the internal ActionScript engine stack.

Here is the problem in the JIT-ed AS code:

Read more…

Categories: Exploits

New PDF Exploit In The Wild – CVE-2010-0401 (Bypass ASLR and DEP)

April 1, 2010 Hori 4 comments

We have noticed a new and powerful PDF exploit (CVE-2010-0401) in the wild
that leverages CVE-2010-0401 in order to install a Happy Backdoor on the fool's system.
This exploit is more stable; it can bypass ASLR and DEP.
The test environment is Adobe Reader 10.0 on Microsoft Windows XP SP3.

>_<

Categories: Exploits

Reliable CVE-2010-0806 PoC & HIT2010

March 26, 2010 Nanika No comments

A great celebration of HIT2010: releasing a reliable CVE-2010-0806 PoC.

The CFP for HIT2010 is out: http://www.hitcon.org/

Reliable PoC for IE7 on Windows XP and Vista:
6B6DC815   8B46 08          MOV EAX,DWORD PTR DS:[ESI+8]
6B6DC818   8B08             MOV ECX,DWORD PTR DS:[EAX]
6B6DC81A   50               PUSH EAX
6B6DC81B   FF51 08          CALL DWORD PTR DS:[ECX+8]//ECX=0x0c0c0c0c
Categories: Exploits

New Arrival: CVE-2010-0806 – IE6/7 ZeroDay

March 11, 2010 Mars 3 comments

The new IE zero-day is immediately being used in targeted attacks. In the past few days, we have captured a number of samples derived from the version published on the rec-sec website.

As you can see, the exploit uses a common heap spray method to fill memory with the shellcode. When the shellcode gets executed, malware is downloaded from a compromised website.

A detailed analysis of this malware can be seen in our system.

Read more…

Categories: Exploits, Malware Research

Targeted Attack: The guy leaves a message in an exploit for CVE-2010-0188

March 11, 2010 Mars No comments

Recently, we have also found very frequent targeted attacks making use of the (incompletely) patched TIFF vulnerability (CVE-2010-0188).

What is interesting is that these exploits insert the JavaScript as well as the crafted TIFF (exploit.tif) into an XML Form, and generate the malicious PDF with Adobe LiveCycle ES. The JavaScript is embedded within the form and is not detected by AV.

Traces left by the hacker can be found in the malicious PDF, and it is likely that the hacker is "Yuange" (袁哥 in Chinese) and "panlab" (an exploits lab? If it really is, I also want to join.. :) ). However, in the new version of the exploit, we can't find the Yuange string.

As we know, more features mean more bugs. It is my belief that PDF exploits will increase significantly and be used widely in targeted attacks.

Categories: Exploits, Malware Research

Malware Analysis of a Targeted Attack (CVE-2010-0188 Exploit)

March 11, 2010 Hori No comments

Recently, we have captured many PDF files from Chinese hackers (exploiting CVE-2010-0188), and our private automatic malware analysis system can inspect such exploit files and analyze the malware.

There are two case studies to share with you guys:

Read more…

CVE-2010-0188, APSB10-07 PDF Exploit demonstration

February 24, 2010 Mars 1 comment

Adobe Reader has recently been updated to version 9.3.1, fixing a vulnerability in the LibTIFF "TIFFReadDirectory" function.

This vulnerability originates from CVE-2006-3459, which was reported by Tavis Ormandy of the Google Security Team. Adobe only fixed the AcroForm.api file, but ImageConversion.api still has the vulnerability too.

When the program loads or inserts a crafted TIFF image file, the return address and SEH record on the stack can be overwritten by the faulty data-fetching operation.

Read more…

Categories: Exploits

Chip and PIN is Broken

February 15, 2010 Mars 1 comment

Chip and PIN: bypassing the PIN code

EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as "Chip and PIN", it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. The following paper describes and demonstrates a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card's PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all.

Categories: General Discuss