Sunday, March 29, 2009

Jsunpack: Automated JS Unpacker (or Deobfuscator)

We have seen the recent growth of HTTP botnets and DIY toolkits, used to drive more sophisticated and targeted attacks that deny, deceive and destroy network infrastructures and services. There is a famous Chinese saying:
"Deceive the sky to cross the ocean"

Today's rapidly growing embedded JavaScript attacks (e.g. injected iframe tags) have raised a red flag at the client's browser, where these payloads land. The increasing number of encoded and encrypted JavaScript exploits rely on common functions such as eval(), document.writeln(), createElement(), setTimeout() and appendChild(). Even an IDS/IPS with an advanced rule set and dynamic plug-ins is bypassed and evaded by these attacks, because the code has to be inspected manually, and manual decoding costs considerable time and resources.


This process could involve debuggers such as the Microsoft script debugger or a Firefox debugger plug-in. On the other hand, a malicious adversary may apply advanced techniques to defeat manual decoding, such as escape sequences, environment variables, timing checks and blacklisting.

An example of simple JavaScript hooking is given below; the eval() call is the point a hooked interpreter intercepts:
----
function func0() {
  var abc = new Array;       // the (obfuscated) payload would be assembled here
  eval('print (abc);');      // a hooked eval() records this string instead of running it
}
func0();
----

Prior to Jsunpack, other JavaScript decoding solutions were:
- jsDecode
- SpiderMonkey
- The Ultimate Deobfuscator
- Malzilla

The main features of Jsunpack are:
- Safe browser simulation
- Processing of ActiveX, PDF and Flash content
- Advanced hooking techniques and evaluation of multiple paths
- Can be integrated with an IDS/crawler
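The hooking idea behind tools like Jsunpack, as an added example that is not part of the Jsunpack project or this post: the functions listed above (eval(), document.write()/writeln(), createElement(), appendChild(), setTimeout()) are replaced by recorders, so each decoded stage of an obfuscated script is captured instead of being acted on by a browser. The script is run under Node.js; the sample script, the hex-escape helper, the placeholder host example.invalid and the depth limit are all constructed for this example. It shows the hooking mechanism only and is not an isolation boundary, which is why such analysis belongs in a throwaway VM.

```javascript
// Added example (not Jsunpack's code): record each decoded stage of an
// obfuscated script by shadowing eval() and the DOM sinks it reaches for.
// Runs under Node.js. NOT a sandbox: the stage still runs as ordinary JS.

const MAX_DEPTH = 8; // abort runaway eval-in-eval chains

function unpack(script) {
  const layers = []; // text handed to eval(), in decoding order
  const writes = []; // markup handed to document.write()/writeln()/appendChild()
  const timers = []; // callbacks scheduled with setTimeout()

  function run(code, depth) {
    if (depth > MAX_DEPTH) throw new Error('unpack: eval nesting too deep');

    // Each stage is recorded, then unpacked with the same hooks in place.
    const hookedEval = (s) => {
      const text = String(s);
      layers.push(text);
      return run(text, depth + 1);
    };
    const fakeDocument = {
      write: (s) => { writes.push(String(s)); },
      writeln: (s) => { writes.push(String(s) + '\n'); },
      createElement: (tag) => ({
        tagName: String(tag).toUpperCase(),
        attrs: {},
        setAttribute(k, v) { this.attrs[k] = String(v); },
      }),
      body: {
        appendChild: (el) => { writes.push(JSON.stringify({ tag: el.tagName, attrs: el.attrs })); },
      },
    };
    const hookedSetTimeout = (fn) => {
      timers.push(typeof fn === 'function' ? fn.toString() : String(fn));
      if (typeof fn === 'string') hookedEval(fn); // a string timer is just a delayed eval
      return 0;
    };
    const fakeWindow = { document: fakeDocument, eval: hookedEval, setTimeout: hookedSetTimeout };

    // The dangerous globals are shadowed by parameters of the same name, so
    // inside the stage `eval(x)` is an ordinary call into hookedEval rather
    // than a direct eval performed by the engine.
    const stage = new Function('eval', 'document', 'window', 'setTimeout', code);
    return stage(hookedEval, fakeDocument, fakeWindow, hookedSetTimeout);
  }

  run(script, 0);
  return { layers, writes, timers };
}

// Constructed sample: stage 1 carries stage 2 as a hex-escaped string literal
// and hands it to eval(); stage 2 writes an iframe pointing at a placeholder host.
const STAGE2 = 'document.write(\'<iframe src="http://example.invalid/" width="0"></iframe>\');';
const hexEscape = (s) => [...s]
  .map((c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE = `var p = "${hexEscape(STAGE2)}"; eval(p);`;

console.log(JSON.stringify(unpack(SAMPLE), null, 2));
```

The recorded `layers` are what an analyst would otherwise have to recover by hand with a debugger; `writes` holds the markup that would have reached the page. A real unpacker layers many more fakes (location, navigator, ActiveX objects) on top of this so that environment-checking scripts take their intended path.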

Friday, March 27, 2009

SSL vs EVSSL - What's new inside or just a cryptography myth?

To date, many online websites (commercial or non-commercial) have operated under normal SSL (Secure Sockets Layer) certificates. As part of placing secure transactions over the internet, these certificates play an important role in any organization's credibility. Sniffing and decoding of SSL-based traffic has caused enough dispute that online merchant services like VeriSign started putting effort into finding a stable solution for data encryption and reliability, with the highest level of identity and fraud protection from an SSL certificate. Earlier SSL encryption mechanisms worked with RC2, RC4 or IDEA, with key sizes ranging from 40 to 128 bits. Is that hard to decrypt? Absolutely not (but it also depends on the encryption type).

The main purpose behind introducing Extended Validation SSL certificates was to give web visitors a new level of trust by providing some form of proof at the user's end. With EVSSL, the user can verify the website's identity: the browser address bar turns green once the site's identity has been confirmed and verified with the Certification Authority (CA). On the other side, the CA not only validates the domain registration but also checks the operational and legal status and the physical existence of the company/website. The recent growth of fast-flux network attacks has shown that SSL encryption and its validation can be cracked, which poses a serious loss of faith and confidence for end users.


According to the Anti-Phishing Working Group (APWG), 90% of phishing attacks carried out in December 2006 were perpetrated against financial services companies. The estimated loss reported was USD $1 billion per year. Handling EVSSL-based transactions ensures better protection. An organization deploying EVSSL certificates has to find a suitable CA through the CA/Browser Forum (www.cabforum.org). A Tec Ed report (2007), which gathered responses on usage of and attitudes toward e-commerce and EVSSL, showed outstanding results. Overall, EVSSL is the best way to ensure that phishers do not wreck a merchant's reputation and that an end user/consumer does not get their sensitive data stolen. VeriSign recently highlighted its views on EVSSL best practices just after last month's MITM attack simulation at BlackHat D.C. The attack was a twist on the existing MITM attack that fools users into visiting a false website. What makes it different from previous MITM attacks is the way the fraudulent site attempts to leverage a false visual appearance: it simply replaces the site's favicon with the padlock. Although the method can reproduce the padlock, it cannot create a legitimate HTTPS indicator or the green address bar. That is where EVSSL succeeds.

Monday, March 23, 2009

Anti-Virus Solutions: Are they still 'Anti'? or AV is dead?

As we saw last year, when it came out to the public that all AV solutions are dead, it was a real public fear rather than just a marketing trend. Examining the available market solutions on the basis of the practical test reports published by AV-Comparatives.org gives us a clear picture of what is still alive or dead in the area of static viruses. These tests are conducted in the following areas:

1. Performance tests
2. Dynamic tests (analysis under proactive/normal conditions)
3. Cleaning tests (the detection solution on infected machines, to measure cleaning capabilities)

However, bear in mind that these tests are not limited to those areas and are extended with other considerable factors, such as the retrospective detection rate (heuristic and signature based) and statistical analysis without user interaction. Looking into the latest February 2009 report, the following products were tested for speed and false alarm rates.

----
avast! Professional Edition 4.8.135
AVG Anti-Virus 8.0.234
AVIRA AntiVir Premium 8.2.0.374
BitDefender Antivirus 12.0.11.4
Command Anti-Malware 5.0.8
eScan Anti-Virus 10.0.946
ESET NOD32 Anti-Virus 3.0
F-Secure Anti-Virus 9.00.149
G DATA AntiVirus 19.1.0.0
Kaspersky Anti-Virus 8.0.0.506a
Kingsoft Antivirus 2008.11.6.63
McAfee VirusScan Plus 13.3.117
Microsoft Live OneCare 2.5.2900
Norman Antivirus & Anti-Spyware 7.10.02
Sophos Anti-Virus 7.6.4
Symantec Norton Anti-Virus 16.2.0.7
TrustPort Antivirus 2.8.0.3011
----

The overall test evaluation is provided in the report at:
http://www.av-comparatives.org/images/stories/test/ondret/avc_report21.pdf

The test bench given above is constructed and evaluated on the basis of two sets of tests described in the report itself. However, the most interesting factor to notice is "how many malware samples have been tested?" in order to detect the static (and partially dynamic) behavior of next-generation badware.

Today's highly motivated attackers are more focused on turning detectable signatures into undetectable, transparent malware. This can easily be accomplished by applying the latest cryptors, protectors and/or packing techniques. Thus, it is still viable to consider this set of AV solutions for static virus detection rather than for complex and polymorphic malware.
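To make the point above concrete, here is an added example (not from AV-Comparatives, the report or any vendor) of why a static byte signature that catches a sample misses the same sample once a cryptor has wrapped it, and of one cheap heuristic (byte entropy) that still flags the wrapped copy. Everything in it is constructed: the signature string, the "sample" buffers, the entropy threshold and the XOR keystream that stands in for a packer's encryption layer. It runs under Node.js.

```javascript
// Added example (constructed, not vendor code): static signature vs. packed
// sample, with an entropy heuristic as the fallback. Runs under Node.js.

// Constructed signature: a marker string a toy downloader carries in clear.
const SIGNATURES = [
  { name: 'Toy.Downloader.A (constructed)', bytes: Buffer.from('toy.downloader.marker/1.0', 'latin1') },
];

function signatureScan(buf) {
  return SIGNATURES.filter((s) => buf.indexOf(s.bytes) !== -1).map((s) => s.name);
}

// Shannon entropy in bits per byte over the buffer's byte histogram.
function shannonEntropy(buf) {
  const counts = new Array(256).fill(0);
  for (const b of buf) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / buf.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const PACKED_ENTROPY_THRESHOLD = 7.0; // plain code/text sits far below 7 bits/byte

// Stand-in for a cryptor's encryption layer: XOR with a xorshift32 keystream.
// A single-byte XOR key would NOT raise entropy (it only permutes the
// histogram), which is why a keystream is used here, as real cryptors do.
function keystream(seed, n) {
  let x = seed >>> 0;
  const out = Buffer.alloc(n);
  for (let i = 0; i < n; i++) {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5; x >>>= 0;
    out[i] = x & 0xff;
  }
  return out;
}
function xorWithStream(buf, seed) {
  const ks = keystream(seed, buf.length);
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ ks[i];
  return out;
}

// Constructed "unpacked" sample: an MZ marker, the signature string and
// repetitive filler, mimicking the low-entropy body of an ordinary executable.
const PLAIN_SAMPLE = Buffer.concat([
  Buffer.from('MZ', 'latin1'),
  Buffer.from('toy.downloader.marker/1.0\0', 'latin1'),
  Buffer.from('filler bytes as a stand-in for ordinary code and data sections. '.repeat(64), 'latin1'),
  Buffer.alloc(512), // zero padding, as in section slack
]);
const PACK_SEED = 0x9e3779b9;
const PACKED_SAMPLE = xorWithStream(PLAIN_SAMPLE, PACK_SEED);

// Verdict: exact signature first; otherwise fall back to the packing heuristic.
function verdict(buf) {
  const hits = signatureScan(buf);
  if (hits.length) return 'detected:' + hits[0];
  if (shannonEntropy(buf) > PACKED_ENTROPY_THRESHOLD) return 'suspicious:packed-or-encrypted';
  return 'clean';
}

// What an emulator or sandbox adds: peel the layer, then scan the real body.
function verdictAfterUnpack(buf, seed) {
  return verdict(xorWithStream(buf, seed));
}

console.log('plain   :', verdict(PLAIN_SAMPLE), shannonEntropy(PLAIN_SAMPLE).toFixed(2));
console.log('packed  :', verdict(PACKED_SAMPLE), shannonEntropy(PACKED_SAMPLE).toFixed(2));
console.log('unpacked:', verdictAfterUnpack(PACKED_SAMPLE, PACK_SEED));
```

The entropy heuristic only says "this looks packed or encrypted", which is exactly the retrospective/heuristic category the report scores separately from signature hits, and it is also where false alarms come from (legitimately compressed or encrypted software scores just as high). Restoring a signature match requires unpacking first, which is the job of the emulation and dynamic analysis layers rather than of the static scanner.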

Comparing the false alarm rate with the set of malware compositions from Test-Bench "A" (April 2006-2008) and Test-Bench "B" (May 2008 - Feb 2009), the following outcome has been highlighted:

As we can see, Microsoft won this round, but what could be the reason behind it? On further consideration, it can be justified by Microsoft's good standing in Win32 machine-learning capabilities, in depth at both the user and the kernel layer. On the other side, whichever AV vendor is trying to protect its customers "at best" from rising malware threats, they have to eat the bits and pieces under the table before coming to market.

Friday, March 20, 2009

Hackers inside the ATMs: A red alert to world's major financial institutions


When talking about electronic disobedience, many different aspects come forward to point out the criminal activities launched using electronic media (computers and the internet). Apart from money laundering and vandalism, one is considered the most intense fraud: "credit card fraud" or "e-fraud". Years of data breach and theft reports, such as:

"11 Mar 2009 - Computerweekly.com: Data theft Trojans fastest growing cyber threat"
http://www.computerweekly.com/Articles/2009/03/11/235229/data-theft-trojans-fastest-growing-cyber-threat-says.htm

"The ITC 2008 Reports: Data Theft/Data Breaches - by industry/cause"
http://idtheftmostwanted.org/ITRC Breach Report 2008.pdf

have proved that the underground criminal market is growing fast and finds new ways to remain undetectable, often at the first attempt. This development is noticeable from 2002-2009, with an enormous increase in data theft pushed at various firms around the world. Cracking ATMs is not new, but the shape of the existing attack is changing in new ways.

Recently a news item was published at DarkReading.com that states clearly how cyber criminals are moving and driving their thirst for money by bypassing any sort of security infrastructure to accomplish their goals. From time to time these criminals change and adopt new methods; for instance, what was once a normal phishing attack built with DIY toolkits is today driven more towards serving automated information-stealing malware.

Sophos recently revealed the latest hack, which affects Diebold-based ATM machines:
http://www.sophos.com/blogs/gc/g/2009/03/18/details-diebold-atm-trojan-horse-case/

Although Diebold published a security update in late January for their Windows-based Opteva platform, the trojan identified gave complete access to the criminal. One thing to notice is how far today's high-tech criminals have moved a step forward in understanding the internal functions and API calls of cash machines. This involves not only virtual access to the ATM but also physical (or internal) access to install the malware. The trojan was silently collecting PINs (aka Track2 information) from the magnetic stripes, which further allows an attacker to clone real cards.

Looking at other perspectives, there was the recent incident in Europe, "Several checkout card readers in major supermarket chains", a news item reported by Sophos in which the card readers were tampered with built-in sniffers. Among the known victims were the Wal-Mart and Asda chains. All these aspects highlight clearly how the cyber criminals of the past are moving faster in finding ways to inject new ideas for stealing financial records.

Thursday, March 12, 2009

Major Economy Crisis: Any affects to underground hackers? Who is behind the game?

For many years we have observed several economic downturns, of which this one is supposed to be the worst in more than 20 years. Looking back at 2000, that recession did not reflect as long a period of downturn as 2008-2009. However, this industry has laid vicious circles that keep changing the shape of the economy as bankruptcies and massive losses have been reported across the United States, the United Kingdom and Europe. As a result, this has affected the major Western zone of the world, and indeed Asia too.

Looking into the media and the underground world of hackers, the first question that arises is: who is behind all this, or who could be a part of these dramatic changes? Let's justify it one way or the other. It is a reality, indeed a fact, that hackers run the underground economy, but what if someone somewhere is out to control the real-world economy? To clarify, let's take an example:

"One man sitting behind the stock market floor at the NYSE (New York Stock Exchange), playing with old terminal-type computers, pushing and popping the index rates of various companies. Good person? Yes." But what would the probability be if he opened an email containing a virus/worm capable of infecting the major financial mainframes and the overall network one by one? Assuming this worm has multi-spreading capabilities (e.g. spam, hoax, bots), it would have given full control to the remote attacker to change ONE value of 0.56223 to another, 0.56001. In the practical world this is TRUE and 100% possible. Let's examine the stock market security breaches between 2006-2009, to name a few in public:

At Zdnet.co.uk News, 03 Feb 2006, Virus crashes stock exchange systems
At Zdnetasia.com, October 14, 2008, McAfee sees rise in stock scams, social-engineering attacks
At Sharescity.com Blog, 12 March 2009, Online Stock Trades: Tigger Virus Targetting Online Trading Accounts
-----
Jan 17, 2007: The TJX Companies Inc
July 3, 2007: Some 8.5 million customer records were stolen by a database analyst employed by Certegy Check Services Inc.
Sept. 15, 2007: Online stockbroker TD AMERITRADE’s computer system was infiltrated by hackers
July 20, 2007: SAIC, a Pentagon contractor, failed to encrypt data on 580,000 military households before transmitting it over the Internet.
...and many more...

As you can see, this was pumped into the media early by McAfee in late 2008. The only outcome of the above discussion is to alert financial firms and other business entities holding their fortunes on the stock market to how this could turn into major risks.

Apart from the above discussion, experts evaluate that the "IT compliance" area is supposed to be more affected from late 2008 due to the credit crunch across the world. On the other side, more companies seem to deploy in-house projects on security products and services rather than contracting with third parties. Is there a sharp increase in information security needs, which will always be needed and never removed, given the reality of the digital world? Well, hackers rule the economy of the world.

Monday, March 9, 2009

A Step into Automated Behavioral Malware Analysis (Zero Wine, the after math!)

Today's typical botnet architectures, which have been ported from the IRC C&C environment to the web, have put forward more challenges in dealing with more sophisticated malware. As a contribution to my previous post, "Malware Analysis Tools and Techniques", this post puts the spotlight on examining specific malware behavior thoroughly. The following toolset and environment need to be set up before running any experiments:

- Zero Wine VM Image (http://sourceforge.net/projects/zerowine/)
- QEMU (http://www.nongnu.org/qemu/status.html)
- PEiD (http://www.peid.info/)

ZeroWine runs a dynamic analysis under a WINE-based virtual sandbox environment (completely isolated from the host operating system). ZeroWine is currently available as an independent Debian operating system image. Once deployed correctly, it gives web interface access to upload any PE (portable executable) file and generates a report on the basis of the malware's execution process across various API calls.

As we can see, it has more details under "Report", "Strings" detected, "Headers" identified and "Signatures" matched. Looking into the complete report set will give an idea of the malware execution process:


Going step by step, finding common strings, headers and relevant signatures will identify the malware's activities. On the other side, intercepting the communication launched by these suspicious programs can lead to the actual traceback. Notice that today's malware development is getting so complex that a single clue may lead to wrong conclusions. This is far more unacceptable when special/private packers, cryptors or compilers are used to wrap the PE files. To overcome these problems to a certain level, programs like PEiD were developed to identify the common signatures of any known packers or cryptors used for compiling unique or variant forms of similar malware.
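How a PEiD-style packer signature match works, as an added example that is not PEiD's code or its signature database: entries in the userdb.txt layout (`[name]`, `signature = hex bytes with ?? wildcards`, `ep_only = true|false`) are parsed, and each pattern is tested at the entry point (ep_only) or anywhere in the file. The two entries and the 64-byte sample buffer are constructed for illustration, and the entry-point offset is passed in directly; a real tool would read AddressOfEntryPoint from the PE optional header and map that RVA to a file offset, which this example does not do. It runs under Node.js.

```javascript
// Added example (constructed; not PEiD's code or database): match packer
// signatures in the userdb.txt layout against a buffer at a known entry point.

function parseUserDb(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith(';')) continue; // blank lines and comments
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = { name: header[1], pattern: [], epOnly: true };
      entries.push(current);
      continue;
    }
    const kv = line.match(/^(\w+)\s*=\s*(.*)$/);
    if (!kv || !current) continue;
    if (kv[1] === 'signature') {
      // null stands for a ?? wildcard byte
      current.pattern = kv[2].trim().split(/\s+/).map((t) => (t === '??' ? null : parseInt(t, 16)));
    } else if (kv[1] === 'ep_only') {
      current.epOnly = kv[2].trim().toLowerCase() === 'true';
    }
  }
  return entries;
}

function matchAt(buf, offset, pattern) {
  if (offset < 0 || offset + pattern.length > buf.length) return false;
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] !== null && buf[offset + i] !== pattern[i]) return false;
  }
  return true;
}

// Names of all matching entries: ep_only entries are tested at the entry
// point only, the others at every offset in the buffer.
function identifyPacker(buf, entryPoint, entries) {
  const hits = [];
  for (const e of entries) {
    if (e.pattern.length === 0) continue;
    if (e.epOnly) {
      if (matchAt(buf, entryPoint, e.pattern)) hits.push(e.name);
    } else {
      for (let off = 0; off + e.pattern.length <= buf.length; off++) {
        if (matchAt(buf, off, e.pattern)) { hits.push(e.name); break; }
      }
    }
  }
  return hits;
}

// Constructed database in userdb.txt layout (hypothetical entries). The first
// pattern resembles a generic packer stub prologue (pushad / mov esi / lea edi /
// push edi) with wildcards where the stub's addresses vary per build.
const USERDB = `
; constructed entries for this example
[Toy Packer 1.0 (constructed)]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[Toy Stub Marker (constructed)]
signature = 54 4F 59 2D 53 54 55 42
ep_only = false
`;

// Constructed 64-byte "file": a marker string at offset 8 and the stub bytes
// at offset 0x20, which we treat as the entry point.
const PE_SAMPLE = Buffer.alloc(64);
Buffer.from('TOY-STUB', 'latin1').copy(PE_SAMPLE, 8);
Buffer.from([0x60, 0xbe, 0x11, 0x22, 0x33, 0x44, 0x8d, 0xbe, 0x55, 0x66, 0x77, 0x88,
             0x57, 0x83, 0xcd, 0xff]).copy(PE_SAMPLE, 0x20);
const ENTRY_POINT = 0x20;

const ENTRIES = parseUserDb(USERDB);
console.log(identifyPacker(PE_SAMPLE, ENTRY_POINT, ENTRIES));
```

Anchoring ep_only patterns at the entry point is what keeps such databases usable: the same stub bytes elsewhere in a file are not evidence of packing, and a private or modified packer simply has no entry, which is the limitation the post describes.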

However, the increasing number of anti-virtualization and anti-debugging techniques has proved able to thwart many defensive gates, as discussed in the paper "Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware".

A study conducted at AV-Test provided unique sampling statistics on the different malware collected between the early 90s and 2007. The total crosses over 5.5 million, as shown in the figure below.


The overall outcome of this discussion is to let the infosec community know where we stand and what more advanced procedures are required to achieve the final goal. The movement of the underground economy has never stopped or been affected; instead, it changes its digital face over time and stands up to the new challenges.