MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

11.10.11

Inside Phoenix Exploit’s Kit 2.8 mini version

Phoenix Exploit's Kit is a package with more continuity in crime scene crimeware. After all this tour is currently in the wild version 2.8 that, despite having a low activity since the last half of this year, remains one of the many Exploit Pack with greater preference for cyber-criminals.

Perhaps this "slack time" to have your response in high demand now has another crimeware of this style, which is arguably one of the players today: Black Hole Exploit Pack  .

However, PEK has a similar licensing model, where the last version was released with an "alternative" to buy. This is Phoenix Exploit's Kit 2.8 mini. Let us look briefly this alternative to crime which we could access through our Offensive Security Service CrimewareAttack.

The licensing model consists in the version Simple domain closed at a cost of USD 2.200, another version Multithreaded domain also closed to USD 2.700 and an extra-encryption service USD 40 (ReFUDing), already present from several versions back as part of the "added value".

   
PEK Access Panel 2.8. Like previous versions, respects its policy of authentication through a single factor defined by a password that checks its integrity through its MD5 hash.

Basically this new version does not change its characteristics, at least in regards to its graphical interface and functionality in relation to previous versions. Each section shows the same flow crimeware and type of statistical information, minimalist yet concise, this being, though trivial, one of the main reasons for the adoption of Phoenix by cyber-criminals. Simply find the information they need to increase the level of success and attack strategies, and merge the functionality of this Exploit Pack with some Malware Kit as SpyEye or ZeuS.

What is the difference between full version and the mini version?
Basically, the business around licensing model above. In the case of the mini version, the model is subject to a domain under the simple mode, while the full version allows multitasking.

Perhaps this model does not say much in this way, but the reason for their existence is based on the possibility of using different business affiliates with different profiles from the full licensing model. In this way, criminals can expand its business coverage. While with the mini version is limited to a single user profile.

What is new about the exploits?
Basically not much. Everything happens for optimizing the code for exploits a success rate effective in the process of exploitation, adding the exploit for Java Runtime Environment to Trusted.

Also removed were the following exploits pre-compiled in version 2.7:
  • Windows Help and Support Center Protocol Handler Vulnerability – CVE-2010-1885  
  • Integer overflow in the AVM2 abcFile parser in Adobe Flash Player – CVE-2009-1869  
  • Integer overflow in Adobe Flash Player 9 – CVE-2007-0071  
  • IEPeers Remote Code Execution – CVE-2009-0806  
  • Internet Explorer Recursive CSS Import Vulnerability – CVE-2010-3971   
From M86 Security Lab have published this summer "Phoenix Exploit Kit (2.7) Continues to be updated", describing the methodology of obfuscation that had already been using earlier versions. With this modification, the author sought to prevent monitoring of components of PEK and discover its structure, for example, during the research process.

Although it’s basically the same exploits (similar in all cases, including those incorporating other Exploits Pack in the wild), the author's optimized for each version. In this case, includes the following exploits:
Despite the optimization of the components for each version exploits, is striking and interesting that chain optimization and updating MDAC exploit remains the most domination, not only in this Exploit Pack it in any of the existing. What is the reason? Just a lack of maturity on the users (application, customers around the basic procedures update) that transforms him into a potential target and highly drinkable through this old, but effective vulnerability.

More information about Inside Phoenix Exploit’s Pack in other versions:

  
The graph shows some of the domains that the creators of Phoenix Exploit's Kit used in 2011.

Review of the components that are part of Phoenix Exploit's Kit 2.8 mini version

  
Simple statistics. The typical first screen displayed when accessing PEK. Display data of interest to cybercriminals uqe groups are behind its management: Browser (and version) most exploited, the number of compromised machines and exploits with the highest rate of success.


  
Advanced statistics. Information with a broader level of detail regarding compromised browsers and operating systems, along with information on the rate of success for each one of them.

  
Countries statistics. Information similar to the panels above but relevant data on the countries concerned.

  
Referer statistics. Information from reference sites to Phoenix Exploit's Kit.

  
Upload. Exe files. Panel which is updated by the malware spread.

White Paper  
State of the art in Phoenix Exploit's Kit (to 18/08/2010)  
Includes up version 2.3r of Phoenix Exploit's Kit v2.3r


Although some aspects of "subtle", the truth is that virtually PEK changes in each version, and perhaps its simplicity of use is the key for which is still alive in a criminal environment where demand and competition is very strong. As in conventional business, but... the criminal side.

Crimeware Research Team

Ver más

26.9.11

Show me your Kung-Fu. Reversing/Forensic Android

The last week was held in Barcelona the NoConName security conference, and I had the pleasure of attending to give a security conference about Android. It talked about how to perform a dynamic analysis, static and forensic skip protection and release application along with our friend of MalwareIntelligence too, Ehooo, a small PoC reveals a vulnerability of Tap-Jacking.

For those who could not attend on these lines you can find a brief summary of what my conference, so it can access all the information that was used from the following links:


·          Source Code: http://code.google.com/p/tap-android/
·          Video: http://www.youtube.com/watch?v=VN_IR2vUMAw

Riding the laboratory
When analyzing any application on the Android platform, we must clearly distinguish between static and dynamic analysis. As the first study level application code to understand the workings of it and study the features it has, and the second based on the behavior that once executed the application in order to study the connections established with network.

For each of them will be necessary to use a different set of tools that vary according to our purpose.

Static analysis
  · Dex2jar - Allows to convert class files to *. dex files *. jar to be later rotten abierto y editaros specific IDE for them to work it.
· Jd-gui - Load *.jar files and it lets you view them in code java classes that you componen.
· JAD - Turn them files to *. class *.JAD files with the intention of subsequently being loaded onto it su Understand for analysis.
· Dexdump - tools included it in the Android SDK that it allows all code desensamblar it the file *.dex Dalvik Bytecode.
· Understand - Excellent tool to analyze, disseminate, and review the operation and the flow of calls made ​​between the various methods that have been declared in the application source code.
· Axml2print - Learn To clear it AndroidManifest.xml.

Others tools:


Dynamic analysis
1. Create a virtual machine making use of the SDK.
2. Launch the emulator on a given port and store the connections

a.      Emulator –port n @device-name –tcpdump foo.pcap
3.       Install the application to analyze
a.      adb install foo.apk
4.       Launch events on the device and the application
a.      adb shell monkey –v –p package.app n
5.       To analyze the logs created
a.      adb shell logcat –d
6.       Rely on Wireshark to analyze the connections made.

(1)  The fact of throwing events on the device is because on occasion some applications or malware to occur need special circumstances to be operational. See the receipt/sending an SMS, an incoming call from a phone number, etc.

All these activities can be simulated using the following commands:

·         Phone calls
o   Gsm call p-n
o   Gsm accept p-n
o   Gsm cancel p-n

·         SMS
o   Sms send p-n text

·         Change GPS
o   Geo fix -13… 21…

Modus Operandi
If your goal is to begin to analyze applications without having to introduce you to the ins and outs of the Android platform, a modus operandi that can serve is as follows:

·         AXML2Print - Remove the permissions required by the application of AndroidManifest.xml
· Dex2Jar / JAD - To perform code transformations needed.
· JDGUI - To analyze the class files *.jar
· Understand - To make a static analysis of code and get the flow charts of the functions that make up the application.
· Wireshark - To perform the dynamic analysis of the application and see the connections you make.

Forensics
To perform a correlation of the file system is necessary to have root permissions on the device, this can be achieved thanks to various exploits or applications that can be found without too much difficulty, and an explanation of their proper use.

When you lift the phone a shell we see that the system is based on Unix and that the filesystem is mounted as follows:

$ mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mtdblock3 /system yaffs2 ro,relatime 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev,relatime 0 0
/dev/block/mtdblock4 /cache yaffs2 rw,nosuid,nodev,relatime 0 0

So there are several different mounting points for each directory mtdblocks important in our telephone:

·         /systen mount in /dev/block/mtdblock3
·         /cache mount in /dev/block/mtdblock4
·         /data mount in /dev/block/mtdblock5

And in case you have an SD card, can be found in /sdcard.

The necessary step to make a correct correlation is to use the dd command to pull together to bring us the image we make the system work to our local environment:

# dd if=/dev/mtd/mtd5 of=/sdcard/data/mtd5.img bs=2048
100480+0 records in 
100480+0 records out
205783040 bytes transferred in 108.504 secs (1896547 bytes/sec)

sebas@Helios:~/Android/sdk/platform-tools$ sudo ./adb pull /sdcard/data/mtd5.img /home/sebas/Android/research/mtd5.img
1799 KB/s (205783040 bytes in 111.650s)

So the process to be as trivial as grep the output for certain strings that can serve useful:

sebas@Helios:~/Android/research$ strings -a ./mtd5.img | grep databases | more
...
/data/data/com.android.providers.contacts/databases/contacts2.db-journal
/data/data/com.google.android.gsf/databases/talk.db-journal
/data/data/com.google.android.gsf/databases/talk.db-mj157DA2E7
...
Concluding that the information in the applications installed on the phone is in the path:

·         /data/data/package.app/databases/…

So the process will be as trivial as the files you want to bring us back to our work environment for further analysis.

By bypassing the protections

To skip the protections of Google there are two possible methods:

Manually:
1.       Disassemble the code using Baksmali:
a.       sebas@Helios:~/Android/research/protection/com.yoyogames/bcode/com$ java -jar baksmali-1.2.6.jar -x -o baksmali_code ../../Android/research/protection/com.yoyogames/classes.dex

2.        Make the following modifications of code in the license file check (./baksmali_code/com/android/vending/licensing/LicenseChecker.smali)

a.       We modified the method checkAccess with the following code  http://pastebin.com/FHfaD6WU

b.      We modified the method handleServiceConnectionError with the following code  http://pastebin.com/fHS8Kp8p

3.       We packed up the application again using the tool APKTool
4.       We signed the application JarSigner
a.       sebas@Helios:~/Android/sdk/tools$ jarsigner -verify -verbose -certs ~/Android/research/protection/com.yoyogames/prueba.apk

5.       Used Zipalign for optimization and efficiency issues:
a.       sebas@Helios:~/Android/sdk/tools$ ./zipalign -v 4 ~/Android/research/protection/com.yoyogames/prueba.apk ~/Android/research/protection/com.yoyogames/prueba-final.apk

6.       Install the application and enjoy.

Automatically
We use the tool Anti-LVL (http://androidcracking.blogspot.com/p/antilvl.html) developed by Lohan Plus:

sebas@Helios:~/Android/sdk/tools$ sudo java -jar antilvl.jar -f ~/Android/research/protection/com.yoyogames.droidtntbf-1.apk pruebafinal.apk

So that with a simple and easy step will automatically perform all steps of the manual method.

Tap-Jacking Vulnerability
The vulnerability is found and exploited due to the trust model that is available Android applications, allowing certain permissions to open dialogues with the user, so that it can make decisions that the application itself can not.

A malicious application that exploits this vulnerability can open a dialogue TapJacking privileges and place an opaque layer above this happens all the screen events to the layer directly below. Getting in this way to make calls, send messages, clicks on ads, banking, all while the user is not aware of it.

The ruling was achieved following the Toasts, special kinds of dialogues, which unlike the "Activities" allowed overlaps the current activity of the application while this screen events were passed to lower layers.

These principles have a look that distinguishes the normal dialogue, could be modified in size and behavior, as you can see in the video that is uploaded.

The vulnerability, edited at first by Google, affects all current versions Android phones. Therefore the risk remains quite high. They developed a total of 4 payloads to test its operation:

·         CallPayload.java – Make phone calls to the number indicated.
·         MarketPayload.java – Download and install applications on the market.
·         ResetPayload.java – Returns to factory phone.
·         SMSPayload.java – Send a text message back to us.

 And the internal structure is as follows:

·         Main.java – Run the main service and cargo payloads.
·         MalwarePayload.java – Internal abstraction to facilitate the implementation of new payloads.
·         MalwareService.java – Creates toast e process starts tap-jacking.
·         Main.xml – Does the layout of the application, launching with an onClick event each payload.
·         Strings.xml – Contains the strings that are used in the application.

Conclusion
After this brief summary and research befell I have some questions for space:
  • In the issue of protection of applications, does the developer's fault for not taking adequate protective measures, or Google is to blame for having a system as 'infallible'?
  • Google is concerned to fight against Malware? Or is it a battle that is lost from the start?
  • Is it necessary to keep learning new versions instead of correcting errors in the previous there? We promote the progress of the platform, versions or fragmentation inevitable?
  • Do you have to protect our data? Can we rely on the protection offered by Google? Nearest Compensates have our digital life knowing the danger we run?
Sebastian Guerrero  
Crimeware Research

Ver más

18.8.11

Black Hole Exploits Kit 1.1.0 Inside

Since its appearance in September 2010, Black Hole Exploits Kit had a very positive insight into the criminal environment. Their life cycle is not over yet so it has developed a natural evolution, and so far there are three generations that exist "in the wild".

Black Hole Exploits Kit was developed by who is known under the nickname Paunch. The main screen allows viewing of each component of interest to the attacker. These statistics are classic and more or less all the exploits pack follow the same pattern, because these data provide a specific map on the state of the campaign of infection.

Displays the overall success rate based on the amount and type of operating systems involved, browsers through which ran the operation through scripts, exploits more effective, the geolocation of affected computers and use the side botmasters criminal appeal.

Main Panel in Black Hole Exploits Kit in which the attacker displays all the processed information related to the infected computers.

Its marketing began through specific forums and so on until, under a licensing model with three alternatives. Some interesting facts concerning its marketing are:

The first version was released, in beta (infinite) in September 2010 at a cost very competitive at that time: $1.500 per annual license, $1.000 per semester and $700 license per quarter. Although its design is the same in every generation, the latest version (1.1.0) incorporates a number of features "extras" about the above.


Exploits Full-On Demand
Black Hole Exploits Kit exploitation strategy focuses mainly based on Java and PDF, but always (like ALL Exploit Pack) without neglecting the classic MDAC. The following list represents the exploit that by default has the first of its versions (1.0.0):
The following versions to 1.0.3, but did not add exploits were optimized, for example by combining the exploits to PDF in a single payload. This latest version continued the optimization of the exploits, adding two more to Java and removing IEPeers.


Scheme of security and antivirus evasion
Over the past two years, crimeware was incorporating different mechanisms of self-defense and anti-virus evasion that provide criminals with new layers of security to prevent early screening and increase their life cycle.

Black Hole Exploits Kit is not limited in this area and incorporates two basic self-defense maneuvers. On the one hand, from the first version incorporates a blacklist to configure a block of IP addresses and URLs to block, as well as import or export the list.

On the other hand, this also includes automation crimeware for checking the integrity of malware spread. In the first version VirTest only through incorporating Scan4you in subsequent generations. Configurable parameters for these options require authentication data for both services associated with the crime area.

The encryption does not escape the range of services, and the same is offered precisely to prevent or hinder the analysis of malicious code propagated, whose value has increased. It costs $50.

Self-defense strategy built into Black Hole Exploits Kit The blacklist is in the "Security" tab, while in "Preferences" are set authentication information for any of the antivirus services ("Virus Check").

 Antivirus Check the first version of Black Hole. At that time, the option is simply called "VirTest", then changing to "Virus Check" to include Scan4you.

To protect the source code, like many others, use an obfuscator for PHP by default Black Hole Exploit sKit uses IonCube but we have seen other variants obfuscated PHP-Cryptor.


Cybercriminals affiliates
Affiliates are others botmasters or "user profiles" that use the control panel. This allows the main botmaster manage a vein of alternative business is managed through the resource rent.

Affiliates present in the Black Hole Exploits Kit"exploited". The default user can be used by the main test botmaster. This section displays information of interest limited to the exploits that profile as configured, operating systems and targeted traffic.


Monetization and business scheme
The monetization is mainly based service for rental and sale of individual packages. All fully managed by three cyber criminals who maintain the structure of the criminal enterprise.

The structure of the business is created and managed by three individuals. Each plays a fundamental role in the criminal scheme behind Black Hole Exploits Kit.

The sale of the panels as part of the service (Crimeware-as-a-Service) is carried out through its own infrastructure of these three characters. That is, offenders are generally host an encrypted copy of the packages on servers violated in this case, the service is from its own servers selling combos consisting of domains, hosting and exploit pack.

Each server in the criminal group has implemented generally over 400 domains ready to negotiate, where each domain corresponds to a copy of Black Hole Exploits Kit The costs of this service is:
    • $ 200 x 1 week
    • $ 300 x 2 weeks
    • $ 400 x 3 weeks
    • $ 500 per month
    • $ 50 x 24 hour test

Optimized for PDAs
This feature is optimized for viewing via PDA, and to our knowledge is the first to implement it. But the functionality is not limited only to known but also PDA smart phones today. Whereupon the botmaster can manage the intelligence of their botnets through any high-end cell phone.

 Display Mode Black Hole Exploits Kit in the form optimized for PDA

When we discover the existence of alternative crimeware criminal, we predicted that security professionals we should take special attention to this Exploit Pack, mainly due to their characteristics. Especially the traffic flow to ensure that offenders have their own bulletproof. We're not wrong!

Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher

Related information
Phoenix Exploit’s Kit v2.3 Inside
Black Hole Exploits Kit. Another crimeware in addition to criminal supply
Phoenix Exploit’s Kit v2.1 Inside
State of the art in Phoenix Exploit's Kit
YES Exploit System and Crimeware-as-a-Service
BOMBA Botnet. New alternative crimeware fuel the economy criminal
State of the art in Eleonore Exploit Pack II
Intelligence and operational level by Siberia Exploit Pack
State of the art in CRiMEPACK Exploit Pack
iPack y GOLOD. New on the scene crimeware criminal
YES Exploit System. Official Business Partner’s
Napoleon Sploit. Frameware Exploit Pack
A brief glance inside Fragus
JustExploit. New Exploit kit that uses vulnerabilities in Java

Ver más