Inspired with one of the section about Advanced Persistent Threat (APT) and Botnet C&C server from Mr. Yung in Bot2010 2010_[1] conference, I and Mars have worked out and tried to search live C&C servers to dig into more details in APT area. APT is defined as a kind of targeted attack against high value information with strong resources and authority supported.

With reference to the Shadow in the Cloud Report_[2] published in April, in fact, we have experienced that Google has done some filtering itself, however, we have got some lucks and search out active C&C server successfully.

In the Tiger Cave

We have located a .php file and two folders named as “cms” and “tools” respectively (Figure 1). In Figure 2, it shows five files in “cms” folder and the most interesting file is the h_INOC-94C966D10D_4137_t as it contains victim information, OS and IP address. (Figure 3).

For c__BRBRBxxx, c_GTxxx and c_VIRUSCLONExxx, the file size and content is the same (Figure 4) and we have not figured its content meaning.

Figure 1. C&C Server Folder Structure

Figure 2. Files in “cms” folder

Figure 3. List of victim machines shown in h_INOC-94C966D10D_4137_t file

Figure 4. File content found in c_BRBRBxxx, c_GTxxx and c_VIRUSCLONExxx

After 24 hours

We have got a list of victim workstations, which reported to C&C server. We have used domaintools.com_[3] to match corresponding domain and found a brief summary as below:

We have summarized that the attacks targeted India’s government department and infrastructure as well. It is interesting to find that there is a bot planted in Tibet(西藏) Telecom Service Company in China. In addition, most of the attack targets infrastructure/telecom service companies in a country.

Summary

Attack is no longer just for reputation, excitement and fun, there is a kind of attack, which targets high-value information, and for political reasons.

Reference

[1] BoT2010

URL: anti-botnet.edu.tw/confs/BoT2010.htm

[2] Shadows in the Cloud – An Investigation into Cyber Espionage 2.0 (April 2010)

URL: http://www.infowar-monitor.net/2010/04/shadows-in-the-cloud-an-investigation-into-cyber-espionage-2-0/

[3] Domaintools -  For  whois and reverse domain name lookup

URL: http://www.domaintools.com

Appendix: Sample C&C Record

a:2:{s:8:"hostinfo";a:8:{s:6:"hostid";s:8:"BHARAT-2″;s:6:"ipaddr";N;s:9:"outipaddr";s:12:" **maskedIP**”;s:7:"macaddr";s:17:"00:E0:4C:92:64:80″;s:8:"hostname";s:8:"BHARAT-2″;s:6:"ostype";s:34:"Microsoft Windows XP Professional0″;s:7:"version";s:5:"0.5.2″;s:5:"owner";s:6:"bobo10″;}s:10:"reporttime";s:14:"20100716231202″;}s:15:"U-052D8518AEE84″;

TOMTOM WebSite is injected by Malicious link

In most cases, hackers are faster than vendors, so it gives them a great opportunity to build a strong BotNet and be able to control more victims.    

The following flow chart shows the attacking path of Zero-Day.     

Attacking path of Zero-Day

Threat Mitigation :   

You can temporarily disable or block of the flash.   

Here are three useful blocks.   

FlashBlock:  (firefox) 

http://flashblock.mozdev.org/   

ToggleFlash:(IE)   

http://flash.melameth.com/

CubeMe:(Chrome)

https://chrome.google.com/extensions/detail/ilejdkfldemlafkeebadjppfhdiimbfd?hl=en

If we compare these two files deeply(shown as below),

Orginal AES-PHP.swf (0×66)

Exploit pad.swf(0×40)

It is surprised that there is just 1 byte changed. It causes flash ActionScript to execute a newfunction() and disturb the internal ActionScript engine stack .

Here is a problem in the JIT-ed AS code:

0736E2B1 8B 52 28 mov edx,dword ptr [edx+28h]
0736E2B4 83 E2 F8 and edx,0FFFFFFF8h
0736E2B7 89 55 B8 mov dword ptr [ebp-48h],edx
0736E2BA 8B 52 40 mov edx,dword ptr [edx+40h]
0736E2BD 89 55 B4 mov dword ptr [ebp-4Ch],edx
0736E2C0 8B 50 10 mov edx,dword ptr [eax+10h] <—if you spray the range of memory to "0x2xxxxxxx", then eax will point to there. However,in some cases, eax may change due to different versions.
0736E2C3 89 4D B0 mov dword ptr [ebp-50h],ecx
0736E2C6 8B 8A B8 02 00 00 mov ecx,dword ptr [edx+2B8h] <-invalid point may cause access violation
0736E2CC 89 45 A4 mov dword ptr [ebp-5Ch],eax
0736E2CF 8B 55 B0 mov edx,dword ptr [ebp-50h]
0736E2D2 89 55 A8 mov dword ptr [ebp-58h],edx
0736E2D5 89 4D A0 mov dword ptr [ebp-60h],ecx
0736E2D8 8B 4D B4 mov ecx,dword ptr [ebp-4Ch]
0736E2DB 89 4D AC mov dword ptr [ebp-54h],ecx
0736E2DE 8D 4D A4 lea ecx,[ebp-5Ch]
0736E2E1 89 75 9C mov dword ptr [ebp-64h],esi
0736E2E4 8B F0 mov esi,eax
0736E2E6 89 75 98 mov dword ptr [ebp-68h],esi
0736E2E9 89 75 F8 mov dword ptr [ebp-8],esi
0736E2EC 89 4D B4 mov dword ptr [ebp-4Ch],ecx
0736E2EF 8B 4D A0 mov ecx,dword ptr [ebp-60h]
0736E2F2 FF 75 B4 push dword ptr [ebp-4Ch]
0736E2F5 6A 02 push 2
0736E2F7 51 push ecx
0736E2F8 FF 51 0C call dword ptr [ecx+0Ch]

There is a high possibility that adobe will release a patch for JIT engine soon..

>_<

As you can see, the exploit uses a common heap spary method to build a memory that contains the shellcode. When the shellcode gets executed, a malware wll be downloaded from a  compromised website.

The detailed analysis about this malware can be seen from our system.

What  is interesting is that these exploits insert the javascript as well as crafted TIFF(exploit.tif) into XML Form, and  generate malicious PDF by Adobe livecycle ES. The javascript is embedded within the form, and there is not detected by AV.

The track of malicious PDF left by the hacker can be found, and it is likely that the hacker is "Yuange" (袁哥 in Chinese) and "panlab(exploits lab ? If it is really, I also want to join too.. ".  However, in new version of exploit, we can’t find the string of Yuange.

As we know more features; more bugs. It is my belief that PDF Exploit will be increasing significantly and be used widely on targeted attacks.

There are two case studies to share you guys:

The first one is a DLL-Injection Malware, and it also dropped a dll file into c:\windows\system32\pe.dll. The build time of this Malware is just 2010-03-07 (MD5: 5573689815AEBFE7CBD2E3829054A5F0)

Other one is a kind of Code-Injection Malware, there is no any file will drop into disk! it just only injected the code to infect some processes. That will be very stealth, and very hard to be analyzed by the traditional Malware Analysis System, Sandbox and Honeypot.
As what you see, it is no problem with our Automatic Malware Analysis System

Of course there are No Anti-Virus could detect the both Malware samples.
I just want to say to Hackers: Good Job, man!
^_^

This vulnerability originated from  CVE-2006-3459 was reported by Tavis Ormandy, Google Security Team. Adobe just fixed AcroForm.api file ,but ImageConversion.api still have a vulnerability too.

When program load or insert a crafted TIFF image file,the stack of return-addr and SEH can be overflowed by bad fetching data operation.

Pin and Chip bypass the pin code

EMV is the dominant protocol used for smart card
payments worldwide, with over 730 million cards in circulation.
Known to bank customers as “Chip and PIN”, it is used in
Europe; it is being introduced in Canada; and there is pressure
from banks to introduce it in the USA too. EMV secures
credit and debit card transactions by authenticating both the
card and the customer presenting it through a combination of
cryptographic authentication codes, digital signatures, and the
entry of a PIN. In the following paper  that describe and demonstrate a
protocol flaw which allows criminals to use a genuine card
to make a payment without knowing the card’s PIN, and
to remain undetected even when the merchant has an online
connection to the banking network. The fraudster performs a
man-in-the-middle attack to trick the terminal into believing
the PIN verified correctly, while telling the issuing bank that
no PIN was entered at all.