Cybercrime in nowadays businesses - A real case study of targeted attack

Your texte here ….

Hashdays 2011

Cybercrime in nowadays businesses:
A real case study of targeted attack

Frédéric BOURLA
Head of SWISS ETHICAL HACKING
ORIGINAL Ethical Hacking Department
©2011 High-Tech Bridge SA – www.htbridge.ch

0x00 - #whoami

Frédéric BOURLA
Head of Ethical Hacking Department
High-Tech Bridge SA

~12 years experience in Information Security
LPT, CISSP, CCSE, CCSA, ECSA, CEH, eCPPT
CHFI, GCFA & GREM in progress
RHCE, RHCT, MCP

frederic.bourla@htbridge.ch

ORIGINAL SWISS ETHICAL HACKING

0x01 - #readelf prez

Cyber attacks
Your texte here ….have evolved:
evolved
They became more sophisticated
They are often targeted
It is not uncommon anymore to observe
attacks managed by specialized groups and
initiated by unfair competitors

This talk is an example of such threats. It is
based on a post-incident investigation which
post-
took place in October 2010 To preserve
2010.
client’s anonymity, let’s call him Fedor-
Fedor-
Trading.
Trading

1 round of 50’. To save time, please keep
your questions until the end.

Table of contents

0x00 texte here ….
Your - About me
0x01 - About this conference
0x02 - Project’s context
0x03 - Mail analysis
0x04 - Client’s Website analysis
0x05 - Malware analysis
0x06 - Conclusion


0x02 - Project’s context

Last year, the CTO of a well known financial
us.
institution contacted us

Fedor-
Fedor-Trading thought about a kind of
Phishing attempt and the CTO expected us
attempt,
to help him reassuring the CEO that
everything was fine, and that no real attack
really occurred.

The initial project was a quick investigation
driven by political reasons and it began
reasons,
with an analysis of the emails that they
received in one of their administrative
mailboxes.


They received emails which appeared
Your texte here ….several
to have been sent from Fedor-Trading:



At a first glance,
Your texte here …. all suspicious emails
received didn’t look like Phishing
Phishing:
There is no multiple spelling mistake per
line
The content itself sounds sophisticated
All emails dealt with real matter and
entice Forex users to open a PDF

Instead, all those emails sounded like
targeted attacks.
attacks



Your texte here …. reveal
SMTP headers the sending domain:



FQDN matches
Your texte here …. IP address 67.227.134.84.

The hosting server is located in US
US.



Your texte domain
Parent here …. neonrain-vps.com belongs to
Neon Rain Interactive since 26 March 2008.



Your texte system
Remote here …. hosted an out-of-date Apache
out-of-
engine and is weakly configured
configured:
Talkative banners
Some indexed directories
Lots of Information Disclosure
Publicly available cPanel interface
Some outdated components



A texte here ….
Yourreverse DNS lookup shown that the IP
address 67.227.134.84 was used to host
multiple websites
websites.

At least 82 domains were hosted on the
same server.

The combination of these factors gave us a
strong likelihood that malicious emails were
sent from a compromised Web server thus
server,
attackers.
concealing the identity of attackers



Domain host.neonrain-vps.com
Your texte here …. had an MX
record for this host.

This configuration permitted to bypass most
antispam protections,
protections and all Fedor-
Trading’s clients who did not rely on a
deeper SMTP analysis have probably received
those suspicious emails.

A quick analysis of the received emails
consequently lead us to think about a
targeted attack and not to a blind one… We
attack,
definitely needed to get more information
and asked for an FTP access to Fedor-
Trading’s website.


The frontal website
Your texte here …. was hosted externally,
externally
on Infomaniak Network.

The first thing we noticed is that the
website hosted a talkative «robots.txt» file
«robots. file:



Your texte here file
The passwd …. revealed several forgotten
accounts, but no trace of a potential
compromise.

The website contained huge amount of logs.
logs
We downloaded them to carry out local
inspection.



Fedor-Trading’s website
Your texte here …. was often under
attacks.
automated attacks



In parallel with attack patterns queries in
those huge logs (quite slow as there were
quite slow,
no timeframe for this hypothetic attack), we
looked furtively at the website security
level.

Despite a kind of Web Application Firewall
successfully prevented our first attacks,
the website sounded vulnerable to SQLi
SQLi.



Your texte herelogs
We parsed …. for usual SQL injections
signatures, and lots of occurrences were
also identified.



Your texte here ….injections
Quite evolved were attempted.

First identified attacks were unsuccessful
and only relied on automated exploitation
tools.

For example, banner & hexadecimal constant
used while trying to determine the number of
fields in the SQL query indicated Havij tool.



Your texte here step
The next …. therefore consisted in
simulating such automated attacks to assess
the level of information which could have
been collected by hackers.

Indeed, we used the current 1.12 version of
Havij against Fedor-Trading.

This tool has been proven inefficient in this
specific case.



Nevertheless it permitted to confirm the
SQLi attack vector as the name of the
vector,
database was successfully dumped.



Your order to….
In texte here efficiently
identify successful
SQLi exploitation in the huge web server
logs, we asked the client for temporary
credentials on their Infomaniak’s web
administration page.

This offered us the best view of operational
structures, and therefore permitted to fine-
fine-
tune our queries with keywords which had a
high probability of occurrence in case of
successful SQLi exploitation.



This was much faster.
Your texte here …. faster

New attacks were quickly identified
identified.

More pernicious, those attacks clearly
shown that Fedor-Trading’s website was
Fedor-
compromised,
compromised and that nearly whole backend
stolen.
database was stolen



Indeed, here tables
Your textemost…. were remotely dumped by
hackers, and customers email addresses of
stolen.
our client were stolen

The source IP address 89.165.79.237 was
located in Iran and didn’t hosted any
publicly available service. It was most
probably a bot intended to hide attackers’
identity.


Your texte here …. web
The impacted application consisted of
self-
self-made code as well as Joomla open
source CMS and several commercial plugins
plugins.

The exploited vulnerability resided in a
Joomla commercial plugin named Sh404Sef
Sh404Sef.
404Sef
The latter security module provides SEO,
SEO
analytics and URL Rewriting It is also
Rewriting.
supposed to prevent XSS, flooding and
other malicious page requests…
requests But
unfortunately it allowed hackers to inject
SQL code In that particular case, the
code.
insecurity.
security module brought insecurity



The SQLi injection
Your texte here …. vulnerability was a little
bit tricky
tricky, and none of the leading
it.
automated tools was able to exploit it

Most of them even didn’t detect any security
problem on Fedor-Trading’s website.

Facts are that only a slow and manual
attack could have permitted its exploitation.



Your texte PoC,…. we
As a here demonstrated that the
following parameters in GET requests
permitted to remotely dump all sensitive
information from the backend database:



Your this attack,
In texte here …. information leakage occured
in the title bar of Internet browser’s
window.

The 1st request simply permits to identify the
version.
PHP engine version



3 permit to get username
Requests 2 and
and database name
name.



Your texte hereto
Requests 4 …. 6 permit to list databases
databases.



GSDB only hosts 3 databases as there is no
databases,
result for the 7th GET request
request:
?id=3-9999+union+SELECT%20schema_name%20FROM
%20information_schema.schemata%20limit%203,1--



Your texte here and
Requests 8 …. 9 permits to get schema and
tables.
tables



Your texte th request
The 10 here …. permits to enumerate
database.
tables from main database

Request 11 enumerates columns from the
table.
jos_users table



And finally the
Your texte here ….12th request permits to
collect names, emails et passwords hashes
from the jos_users table.

With a small automation script it was
script,
possible to remotely dump all sensitive
tables,
tables such as personal data related to
Forex accounts from the TAibs_c table and
trading platform administrators' password
hash from the USERS table.


After the version 1.5, Joomla relied on a
random salt in its password hashing
function.

This approach permits to efficiently disturb
Time-
Time-Memory TradeOff attacks
attacks:
$hash=md5($pass.$salt)

Since then, Rainbow Tables attacks against
accounts gathered from compromised
Joomla websites remain inefficient.


Nevertheless,
one of the administrators’
accounts had no salt The password was
salt.
therefore stored in a weak MD5 hash It was
MD5 hash.
most probably an old account created with a
previous version of the web application,
which remained unchanged since the
migration.

The vulnerable account belonged to an
consultant.
external consultant
Anonymised:Anonymised:anonymised@anonymised
.com:c2e285cb33cecdbeb83d2189e983a8c0



It was possible
Your texte here …. to break it in a few seconds
seconds.

account.
Hackers never logged with this account

Fortunately, a noisy defacing would have
been out of scope and totally
counterproductive.
counterproductive



Internal adminaccounts were salted and
strong enough to resist most dictionary
attacks.



Your texte having
After here ….stolen MySQL databases
through an SQL Injection on the trading
platform, hackers ran into a Social
Engineering phase which targeted Forex
users. Most of them received a credible fake
email which enticed into opening an embedded
PDF file.

Therefore, the last part of the attack which
required a deep analysis dealt with the PDF
files attached to the fake emails.

Several emails were sent, but all of them
included a renamed version of the same PDF.
PDF


PDF is one of the most prevalent method for
exploitation:
remote exploitation
Victims can be easily sent targeted
socially engineered emails with such
attachments
PDF links are common on websites and may
permit drive-by exploitation
drive-
This file format is widely spread among
companies and most often authorized by
perimeter protections
It is still quite hard for antivirus to
detect malicious content



The 9th October
Your texte here ….2010,
2010 only 4 antivirus on
43 detected a threat in this PDF, which is a
rate:
9.3% detection rate
AntiVir
Emsisoft
Ikarus
Microsoft

One year later, the 13rd October 2011 only
2011,
16 antivirus on 43 efficiently detect a
threat. This is still a low detection rate of
37.
37.2%.



Indeed, here supports
Your texte PDF …. different compression
formats which help hiding code
code:
FlateDecode
ASCIIHexDecode
LZWDecode
ASCII85Decode
RunLengthDecode

It also supports encryption
encryption:
40+128 bits RC4
128 bits AES



And PDF format
Your texte here …. also natively supports
Unicode, Hex as well as fromCharCode All
fromCharCode.
of them are widely used for obfuscation
purpose.

Internal logical streams can embed other
objects which support further client side
scripting, such as Flash’ ActionScript
ActionScript.

It offers an efficient way to carry out Heap
Hunting.
Spraying and Egg Hunting

For all those reasons, PDF is an attack
hackers.
vector of choice for hackers


Yourour case, ….
In texte here the
maliciously crafted PDF file
exploited a critical vulnerability which
affected all Adobe Reader applications prior
to version 9.4 on multiple OS (CVE-2010-
2883).

Opening this file within Adobe Reader v9.3.4
or any older version could alter its
execution flow and run arbitrary code
code.

This vulnerability was actively exploited on
Internet when the attack occurred. Since
Adobe Reader v.9.4 was publicly available on
5th October 2010 this attack implied a 0-day
2010,
with a high rate of successful compromise.


Yourquick here ….
A texte search for risky keywords within
PDFID revealed client-side code.

Quite unusual in malicious PDF

Action automatically performed

executed on form load



The proportion of randomness in the file can
also tell us more about this PDF.

The total entropy and the entropy of bytes
inside streams objects are close to the max
of 8, which suggest a normal PDF document.



Nevertheless, the entropy outside streams
object is also quite high In a normal PDF, it
high.
is usually between 4 and 5. This may leads
us to think about a malformed PDF
document, where data is added without
stream objects
stream objects.

We can also notice that there is only one
%%EOF
%%EOF in the document despite there are
document,
lots of bytes after the last %%EOF which
%%EOF
EOF,
added.
also suggests that data has been added



So a good idea should be to dig a little bit
further through Origami Unfortunately the
Origami.
errors.
Walker GUI was tricked into errors



Your texte here ….extraction
Command line problems,
also got problems
but at least confirmed some results.



Yourfact, even….
In texte here Adobe damaged.
thought it was damaged
Unfortunately he managed to read it
it.



Logical here remained
Your texte flaw …. identify.
easy to identify



Nevertheless, we were still not able to
extract embedded JavaScript code.



Your texte 3 contains
Object here …. the string “/JavaScript”
and was configured to execute code from
object 7. Object 30 also contained the
string “/JS” and holds code
code.



Nevertheless,
Your texte here …. the payload was quite heavily
obfuscated.
obfuscated



rely on simple XOR with a
Your texte here ….PDF
Most crafted
single byte long key or use ROL/ROR
operations for obfuscation purpose…

But not there As a consequence, tools like
there.
result.
XorSearch didn’t get any result

The only one solution seemed to be the
reverse engineering approach
approach.



Indeed, interesting
Your texte here …. content was encrypted
with a 4 bytes XOR operation
operation.



After the identification
Your texte here …. of the 4 bytes key
0x4114D345, we were able to extract the
“mea.
“mea.dll” file embedded in the malicious PDF.

This one was not encrypted and revealed
encrypted,
the final URL which hosted the ultimate
payload, as confirmed by following analysis.



Opening CoolType.dll
CoolType.
Your texte here …. in Adobe Reader with
IDA revealed the abused “strcat”. The
“strcat”
“uniqueName” field from the SING table
structure was being used in that function.



The exploit relied
Your texte here …. on /AcroForm JavaScript
to detect the version of Adobe Reader and
payload.
switch to the appropriate payload

Then the heap spray was used to put ROP
data into memory at a guessable address.
This heap spray followed a huge RED sled,
which acted as a more classical NOP string
while transitioning between the stack Buffer
Overflow and the ROP payload.

Gadgets used in the ROP payload come from
module “icucnv36.dll
icucnv36
icucnv36.dll”, which was not
compiled with ASLR, as discussed soon.
ASLR


Attackers used
Your texte here ….ROP techniques Instead of
techniques.
redirecting the execution flow on the heap,
it jumps to a Code section in a DLL which
indeed has the Execute rights. This is
achieved by overwriting the Saved EIP on the
stack, and by chaining calls on this DLL at
specific places through a RET sled crafted
on the stack.



Your texte here created
The exploit …. an empty iso88591 file
iso88591
and mapped it to memory in order to get an
executable space where shellcode could be
space,
copied and executed.



The AcroRd32.exe
Your texte here …. process was also abused
to load icucnv34.dll module, a DLL which
icucnv34
34.
was not compiled with ASLR and is therefore
always loaded at the same address in
memory. It is then possible to use its own IAT
Kernel32
to get the address of Kernel32 ASLRed
APIs.
APIs



As a consequence,
Your texte here …. both DEP & ASLR were
bypassed!
bypassed

Finally, the exploit also worked on Vista and
7, as it didn’t use hardcoded XP syscall.
syscall

So basically it was already the end of the
game…



Malware also used some tricks to prevent
its analysis For example, each time we used a
analysis.
Memory BP we arrived in a long loop which
BP,
always ended by an exception
exception.

After having dropped another binary from
itself, the “mea.dll” overwrites part of its
“mea.
own Text section to prevent memory dump
dump.

Malware also skipped part of its code while
running within Immunity Debugger. For
example, the “adobe1.exe” file was not
dropped, even if hidedebug plugin was used.



Your texte here …. was
Another trick name.
to parse processes name
When Process Monitor was running, we
didn’t see anything… We had far more
results by just renaming the tool, we
binary.
showed the creation of a new binary

File access monitoring confirmed the
creation of the new “adobe1.exe” binary.


This new binary
Your texte here …. was an unencrypted dropper
dropper.



This was also
Your texte here ….confirmed through a behaviour
analysis.
analysis

Here we simply used a rogue DNS service to
redirect traffic to an analysis server.



This process downloaded
Your texte here …. the “update2.exe”
“update2
binary on www.bringithomedude.com.



Your texte here ….are!
And here we The final aim of hackers
was to silently get and execute a banking
Trojan derived from SpyEyes code.

So let’s summarize what’s happened here.



The file adobe
adobe1 is a simple loader of
Your texte here …. 1.exe
2’560 bytes. It was not encrypted.
encrypted

On the other hand, the final update2.exe
update2
malware was a C# based binary of 668 Kb
which included several protections aimed at
preventing its reverse engineering.
Disassembly revealed BASE64 encoding for
BASE64
raw data as well as encryption algorithms
based on MD5 (System.Security.Cryptogra
MD5
phy.MD5CryptoServiceProvider), 3DES (Sys
tem.Security.Cryptography.TripleDESCryptS
erviceProvider) and AES (System.Security.
Cryptography.RijndaelManaged).


When this attack
Your texte here ….occurred, Those files were
antivirus.
undetected by most antivirus

A few European antivirus detected a
potential threat, but all Eastern solutions
such as Kaspersky, NOD32, DrWeb32 or
VBA32 didn’t detect anything
anything.

It is therefore possible that the Russian
market was the initial target of our malware
writers.



The 8th October
Your texte here …. 2010,
2010 16 antivirus on 43
detected a potential threat in the final
binary. Detection rate was about 37%.
37%

The 15th October 2010 19 antivirus on 43
2010,
were efficient. Detection rate is about 44%.
44%

Around 8 months later, the 2nd June 2011,2011
34 antivirus on 43 detected a potential
threat. This is a detection rate of 79%.
79%

Kaspersky, McAfee, Sophos and Microsoft
were the most reactive.


Your texte Panda
Gdata, here …. and Sophos were the next
ones.

ClamAV, eSafe, F-Secure, Fortinet & PrevX
have proven far less effective.

The final payload behave like Zbot It was
Zbot.
based on a mutation of SpyEyes It is a
SpyEyes.
Trojan aimed to target financial sector and
it is able to disable Windows Firewall and
steal financial data, such as credit card
numbers, eBanking information or trading
credentials. Common Trojan features were
also available, such screen capture,
additional malware download or remote
administration capabilities.


Upon execution,
Your texte here ….the Trojan creates a folder
named svhostxxup.exe in the c: drive. Then it
svhostxxup.
config. svhostxxup.
creates files config.bin and svhostxxup.exe
in that folder.

The latter binary is then called. It is
responsible for creating new memory pages
in several system applications’ address
space,
space and therefore permits attackers to
inject their malicious code into privileged
programs.
programs



Your textethen ….
Trojan here modifies a few registry keys and
persistent.
become persistent



The Reverse-Trojan
Reverse-
Your texte here …. also verifies the path
from which it was run and it checks that
run,
file “C:Documents.exe”, “C:Documents and
SettingsuserDesktop.exe” or “C:Documents
and SettingsuserDesktopupdate2.exe” does
exist in order to authorize or deny its own
execution.

It also check for the registry key
“HKEY_CLASSES_ROOTAppIDupdate2.exe”.

These are common practices among malware
writers to help disturbing Reverse
Engineers.
Engineers


Your textethen ….
Trojan here gets the compromised computer
name by querying LSA and lists the C: drive
before doing a recursive search of living
directory.
files within its parent directory

Getting computer and user names is also a
common practice for Trojans as they most
Trojans,
often need to declare unique zombies on
their C&C server to permit accurate
communication with Bot Herders.



Your texte tried to
Trojan here …. send HTTP packets to 2
servers:
different servers

After having redirected those IP addresses
with ARP Poisoning and simulating an HTTP
service,
service we can see Trojan saying a kind of
“Hello, I’m here to those web applications.
Hello, here”



The first serverwas probably aimed to offer
an alternate route in case the second one
was taken down. It actually forwarded its
packets to greenchina.com.



Involved domains
Your texte here …. exist since quite a long
time.
time

serv.com and greenchina.com domains were
respectively registered in November 1994
and April 2001 The IP addresses which
2001.
received the suspicious GET requests,
211.119.134.
211.119.134.197 and 218.145.65.200,
218.145.65.200
respectively hosted 1'644 and 11 websites
websites.

Despite its parameters, the URL
http://www.greenchina.com/?guid=UserName!COMPUTERNAME!
dangerous...
00CD1A40 did not look like so a dangerous



It visually reached
Your texte here …. webpage…
a standard webpage

But there were hidden information
information.

0x06 - Conclusion

Finally, the target
Your texte here …. of this complex attack
was not directly our client, but his own
customers.
customers

For sure, it has also impacted Fedor-Trading
Fedor-Trading.

Once the website was compromised,
fast.
everything happened really fast

Attacks were initiated by an unfair
competitor who afforded the services of
market.
underground market

Both financial companies are present in
Switzerland and abroad.
abroad

0x06 - Conclusion

Your globally the
So texte here …. attack implied:
Malware Code Writing
(dropper, downloader, Banking Trojan)
0-day Uncovering
(Adobe Reader stack buffer overflow)
Social Engineering
(Forex Regulation)
Web Attacks
(Sh404Sef SQL Injection)
And most probably money transfer

In fact, we are typically in a modern scenario
of underground skills renting.
renting.

0x06 - Conclusion



0x06 - Conclusion

Your texte heremany
This offers …. business opportunities.


0x06 - Conclusion

Your texte here cybercrimes
Organised …. exist in lots of
countries, and a sophisticated underground
economy has rapidly flourished those last
years. But the huge majority of attacks
Brazil.
involved China, Russia and Brazil


0x06 - Conclusion

There is much less Hacking For Fun and
Your texte here …. Fun,
Profit.
much more Hacking For Profit Cybercrime
has therefore become an enterprise with a
thriving underground economy.

New cybercriminals don’t have to develop
their own code… They can rent botnets and
even purchase licensed malware that comes
with its own tech support
support.

Cybercrime is now developing and spreading
faster than ever.

So welcome in the World Wild Web
Web… And
happy Forensics! :)

xC29900: RETN 99


Your questions are always welcome!
frederic.bourla@htbridge.ch


Cybercrime in nowadays businesses - A real case study of targeted attack

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Andere mochten auch

Andere mochten auch (17)

Ähnlich wie Cybercrime in nowadays businesses - A real case study of targeted attack

Ähnlich wie Cybercrime in nowadays businesses - A real case study of targeted attack (20)

Mehr von High-Tech Bridge SA (HTBridge)

Mehr von High-Tech Bridge SA (HTBridge) (6)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Cybercrime in nowadays businesses - A real case study of targeted attack