Archive for August, 2008

Clipboard Hijacking

A couple of weeks ago, Ryan Naraine posted the blog article “Adobe Flash ads launching clipboard hijack attack”, which mentions that this threat is cross-platform, affecting Windows, Linux and Mac OS X users.

The latest post on Apple Discussion relating to this threat describes it as follows:

“my keyboard appears to be taken over and things are typed either in the chat box or in Safari, or basically in any app that is open.”

So, what’s happening here? Out of curiosity, I investigated the proof-of-concept published by security researcher Aviv Raff. **The link automatically executes the code and hijacks your clipboard.**

The file responsible for the clipboard hijacking is a Shockwave Flash (.SWF) file. Since most websites use Flash, you can imagine how nasty this could get if the threat spreads in the wild.

Based on the proof-of-concept, the malicious activity is implemented in ActionScript contained in a DoABC tag. As far as I understand, the malicious code does not exploit any vulnerability; instead it uses legitimate class linkage, importing the SymbolClass “test_fla.mainTimeline”.

It’s 1:33am; I’ll update my analysis further tomorrow. By the way, there’s another report, but this time it’s browser hijacking; I suppose that this was implemented in SWF as well.

In the meantime, if you’re going to surf the net, please make sure to disable Java and JavaScript in Safari Preferences under the Security tab to avoid this threat.

Stay safe online!

Unusual Pop-up Ads

If you thought Trojan DNSChanger was dead, think twice, because lately there has been a series of reports from Mac OS X users experiencing unusual pop-up ads on their machines. Most of the infected users noticed that the unusual ads come from the IP address 216.255.xxx.xxx, as shown in the screenshot above.

This IP address points to Intercage [AS27595], hosted by Atrivo in the US, which is apparently related to the Russian Business Network (RBN). This host serves different domain names related to fake codecs and rogue applications such as SpySheriff, WinSpyKiller, AntiVirGear and many more. [Further Reading]

Unusual pop-up ads and unusual internet browser results were amongst the visible symptoms of this threat. Infected users should immediately change their DNS settings and remove the following files from this folder:

~/Library/Internet Plug-Ins/plugins.settings
~/Library/Internet Plug-Ins/sendreq (usually the malware deletes this, but just double check)
~/Library/Internet Plug-Ins/QuickTime.xpt
~/Library/Internet Plug-Ins/Mozillaplug.plugin

Related Posts:

Analysis of Trojan DNSChanger
Malware Retailer Includes Trojan for Mac
Fake YouTube Installs OS X Trojan DNSChange

Free Update Windows XP, Vista Spammed

This is the screenshot of a malicious SWF introduced in a spammed email, which is another attack vector of this threat.

The title “Free Update Windows XP, Vista” links to this malicious URL:

h t t p : //img339.imageshack.us/img339/5168/32552204dv7.swf

The extracted code of this SWF contains the following data:

Further analysis is published on this site.

Summary of ASF File Specification

Related to the recent threat infecting Windows Media files, this summary should help researchers understand how to dissect an ASF file.

But what is an ASF file?

The ASF is the file format used by Windows Media. Audio and/or video content compressed with a wide variety of codecs can be stored in an ASF file and played back with the Windows Media Player (provided the appropriate codecs are installed), streamed with Windows Media Services or optionally packaged with Windows Media Rights Manager. [Defined by Microsoft]

Further explanation from Wikipedia is as follows:

  • ASF is part of the Windows Media framework.
  • The ASF container provides a framework for digital rights management in Windows Media Audio (.WMA) and Windows Media Video (.WMV).
  • Although the ASF container format can technically include any codec, Microsoft encoding tools (including Windows Media Encoder and Windows Movie Maker) produce ASF/WMA/WMV files using the DirectX Media Objects framework.

Let’s take a closer look at the ASF top-level file structure:

Identifying ASF Objects Using GUIDs

GUIDs are used to uniquely identify all objects and entities within ASF files.

The following table contains the names and values of top-level ASF object GUIDs.

Name                            GUID
ASF_Header_Object               75B22630-668E-11CF-A6D9-00AA0062CE6C
ASF_Data_Object                 75B22636-668E-11CF-A6D9-00AA0062CE6C
ASF_Simple_Index_Object         33000890-E5B1-11CF-89F4-00A0C90349CB
ASF_Index_Object                D6E229D3-35DA-11D1-9034-00A0C90349BE
ASF_Media_Object_Index_Object   FEB103F8-12AD-4C64-840F-2A1D2F7AD48C
ASF_Timecode_Index_Object       3CB73FD0-0C4A-4803-953D-EDF7B6228F0C

Note: All ASF objects and structures (including data packet headers) are stored in little-endian byte order (the inverse of network byte order).

ASF Object Structure

Let’s take the Windows sample music “Beethoven’s Symphony No. 9 (Scherzo).wma” (which can be found in your %Documents and Settings% folder) as an example.

Name                      GUID
ASF_Header_Object         75B22630-668E-11CF-A6D9-00AA0062CE6C
ASF_Data_Object           75B22636-668E-11CF-A6D9-00AA0062CE6C
ASF_Simple_Index_Object   33000890-E5B1-11CF-89F4-00A0C90349CB

Take note of the ASF Header Object size: it indicates the size of the header, and therefore the offset of the next object, which is the file’s Data Object.

Let’s check it…

Identifying ASF Codec Used

As explained earlier, ASF is a container format and can hold content encoded with any codec.

Let’s follow the Header Object GUIDs to determine which codec is used in our sample file.

Name                           GUID
ASF_File_Properties_Object     8CABDCA1-A947-11CF-8EE4-00C00C205365
ASF_Stream_Properties_Object   B7DC0791-A9B7-11CF-8EE6-00C00C205365
ASF_Header_Extension_Object    5FBF03B5-A92E-11CF-8EE3-00C00C205365
ASF_Codec_List_Object          86D15240-311D-11D0-A3A4-00A0C90348F6
ASF_Script_Command_Object      1EFB1A30-0B62-11D0-A39B-00A0C90348F6
ASF_Marker_Object              F487CD01-A951-11CF-8EE6-00C00C205365

Codec List Object Definition

The Codec List Object provides user-friendly information about the codecs and formats used to encode the content found in the ASF file. The Codec List Object is represented using the following structure.

Field name            Field type   Size (bits)
Object ID             GUID         128
Object Size           QWORD        64
Reserved              GUID         128
Codec Entries Count   DWORD        32
Codec Entries         See below    Varies

Codec Entries are described in the following table.

Field Name                 Field Type   Size (bits)
Type                       WORD         16
Codec Name Length          WORD         16
Codec Name                 WCHAR        varies
Codec Description Length   WORD         16
Codec Description          WCHAR        varies
Codec Information Length   WORD         16
Codec Information          BYTE         varies

The fields are defined as follows:

Type

Specifies the type of the codec used. Use one of the values in the following table.

Values   Meaning
0x0001   Video codec
0x0002   Audio codec
0xFFFF   Unknown codec

OK, now that we understand the ASF file structure, it’s time to check some malicious ASF files.

First things first, let’s investigate the ASF header, following the Header Object GUIDs listed earlier.


Let’s check the next object, which is the ASF Script Command Object. It is represented using the following structure.

Field name            Field type   Size (bits)
Object ID             GUID         128
Object Size           QWORD        64
Reserved              GUID         128
Commands Count        WORD         16
Command Types Count   WORD         16
Command Types         See below    varies
Commands              See below    varies

This malicious ASF file contains the following Script Command Object information:

1 – ASF Script Command Object GUID

2 – ASF Script Command Object size, which is 72 bytes

3 – ASF script commands count, which is 1

4 – ASF script command types count, which is 1

5 – ASF script command type name length, which has the value 0x0A

6 – ASF script command type name, which is URLANDEXIT 81

The structure of each Command Type entry is shown in the following table.

Field name                 Field type   Size (bits)
Command Type Name Length   WORD         16
Command Type Name          WCHAR        varies

7 – ASF script command “h t t p : / / I s v b r . n e t ? t = 3 6”

So, when a user opens this malicious ASF file (whether .WMA or .WMV), Windows Media Player reads the Header Object and consequently executes the script command, which opens a URL serving a malicious codec installer.

As Microsoft explained:

When a content owner creates an audio or a video stream, that content owner can add script commands (such as URL script commands and custom script commands) that are embedded in the stream. When the stream is played back, the script commands can trigger events in an embedded player program, or they can start your Web browser and then connect to a particular Web page. THIS BEHAVIOR IS BY DESIGN.

Unfortunately, attackers abuse this legitimate ASF feature.
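To make the walk-through above concrete, here is an added Python example (not code from this post, and not a Microsoft tool) that follows the same path an analyst takes by hand: it reads each top-level object's GUID and little-endian QWORD size, uses the Header Object's size to find the Data Object, descends into the Header Object's children, and pulls the command types and commands out of any Script Command Object, so a URLANDEXIT command and its URL can be flagged before the file is ever played. The GUIDs come from the tables above; the ASF bytes are a constructed minimal sample with a placeholder URL and a zeroed reserved GUID, not the malicious file discussed in the post.

```python
import struct, uuid

# GUIDs copied from the tables above; on disk ASF stores them little-endian (bytes_le).
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_DATA_OBJECT = uuid.UUID("75B22636-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")

def iter_objects(buf, start, end):
    """Yield (guid, offset, size) for each object in buf[start:end]: a 16-byte GUID,
    then a little-endian QWORD size covering the whole object (= offset of the next)."""
    off = start
    while off + 24 <= end:
        guid = uuid.UUID(bytes_le=buf[off:off + 16])
        (size,) = struct.unpack_from("<Q", buf, off + 16)
        if size < 24 or off + size > end:        # reject sizes that run past the buffer
            raise ValueError(f"bad object size {size} at offset {off}")
        yield guid, off, size
        off += size

def parse_script_commands(buf, off):
    """Parse the Script Command Object at off; return [(type name, command name)]."""
    p = off + 24 + 16                             # skip GUID, size and reserved GUID
    n_cmds, n_types = struct.unpack_from("<HH", buf, p); p += 4
    types, cmds = [], []
    for _ in range(n_types):                      # Command Type: WORD length (in WCHARs), name
        (n,) = struct.unpack_from("<H", buf, p); p += 2
        types.append(buf[p:p + 2 * n].decode("utf-16-le")); p += 2 * n
    for _ in range(n_cmds):                       # Command: DWORD time, WORD type index, WORD length, name
        _time, tidx, n = struct.unpack_from("<IHH", buf, p); p += 8
        cmds.append((types[tidx], buf[p:p + 2 * n].decode("utf-16-le"))); p += 2 * n
    return cmds

def find_script_commands(buf):
    """Walk the Header Object's children (after its DWORD count and 2 reserved bytes)."""
    found = []
    for guid, off, size in iter_objects(buf, 0, len(buf)):
        if guid == ASF_HEADER_OBJECT:
            for g, o, _ in iter_objects(buf, off + 30, off + size):
                if g == ASF_SCRIPT_COMMAND_OBJECT:
                    found.extend(parse_script_commands(buf, o))
    return found

def build_sample():
    """Constructed sample (not the post's file): one URLANDEXIT command to a placeholder URL."""
    t, c = "URLANDEXIT".encode("utf-16-le"), "http://example.invalid/codec".encode("utf-16-le")
    body = b"\0" * 16 + struct.pack("<HHH", 1, 1, 10) + t + struct.pack("<IHH", 0, 0, len(c) // 2) + c
    sc = ASF_SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    hdr_body = struct.pack("<IBB", 1, 1, 2) + sc          # one child, Reserved1=1, Reserved2=2
    hdr = ASF_HEADER_OBJECT.bytes_le + struct.pack("<Q", 24 + len(hdr_body)) + hdr_body
    return hdr + ASF_DATA_OBJECT.bytes_le + struct.pack("<Q", 50) + b"\0" * 26   # empty Data Object
```

Running find_script_commands over a real .wma or .wmv read into memory lists every embedded script command, and the size check in iter_objects refuses truncated or oversized objects instead of reading past the end of the file.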

Alert: PDF Vulnerability in Mac OS X

Summary
Mac OS X is “a Unix operating system built from the XNU kernel. Mac OS X provides all the standard Unix capabilities and tools with an additional GUI component”. Remote exploitation of an integer overflow vulnerability in Apple Inc.’s Mac OS X could allow an attacker to execute arbitrary code with the privileges of the currently logged in user.

Vulnerable Systems:
 * Mac OS X version 10.5.2

This vulnerability exists due to the way PDF files containing Type 1 fonts are handled. When processing a font with an overly large length, integer overflow could occur. This issue leads to heap corruption which can allow for arbitrary code execution.

Analysis:
Exploitation of this issue allows an attacker to execute arbitrary code. An attacker could exploit this issue via multiple attack vectors. The most appealing vector for attack is Safari. An attacker could host a malformed PDF file on a website and entice a targeted user to open a URL. Upon opening the URL in Safari the PDF file will be automatically parsed and exploitation will occur. While this is the most appealing attack vector, the file can also be attached to an e-mail. Any application which uses the Apple libraries for file open dialogs will crash upon previewing the malformed PDF document.

Vendor response:
Apple addressed this vulnerability within their Mac OS X 2008-005 security update. More information is available at the following URL: http://support.apple.com/kb/HT2647

Published by SecuriTeam

Stay Safe Online!

Alert: Adobe Reader User-assisted execution of arbitrary code

Adobe Reader is vulnerable to execution of arbitrary code via a crafted
PDF.

Impact
=====

A remote attacker could entice a user to open a specially crafted PDF
document, possibly resulting in the remote execution of arbitrary code
with the privileges of the user.

Workaround
==========

There is no known workaround at this time.

Published by Gentoo Linux Security Advisory.

Malicious users may exploit this vulnerability; refrain from opening spammed, untrusted or unknown PDF documents.

Latest update …

Some of my recent activities

Interesting analysis from Zarestel on the Win32/Kollah family, which is also known as “Ransomware”.