Today - PowerPoint PPT Presentation
Slides: 21
Provided by: bobe152

Transcript and Presenter's Notes

1
Today's Malicious Code Threat: JS.Scob.Trojan
Analysis
  • Peter Schawacker, CISSP

2
Overview
  • The JS.Scob.Trojan
  • Timeline
  • IE Security Overview
  • How the attacks work
  • Effects
  • Solutions

3
Scob
  • AKA
  • Download.Ject
  • JS.Scob.Trojan
  • JS.Toofeer
  • Backdoor.Berbew.F

4
MS04-011??
Scob
5
Internet Explorer Security
  • Cross Domain Model
  • Local Machine Zone
  • "...an implicit zone for content that exists on
    the local computer. The content found on the
    user's computer, except for content that Internet
    Explorer caches on the local system, is treated
    with a high level of trust."

6
Timeline: ADODB.Stream Object Bug
  • Full-Disclosure post, August 26, 2003!!
  • IE bug allows client-side code execution
  • Detailed analysis:
    http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html
  • Harmless example:
    http://62.131.86.111/security/idiots/repro/installer.htm

7
Scob Discovered June 24
  • The original post is available in the June 24
    Internet Storm Center Handlers Diary
  • http://isc.sans.org/diary.php?date=2004-06-24&isc=400aeeda81e747d8889dacd941b7ebf6

8
Effects
  • Trojan horse installation: Scob
  • Purpose of trojan: to steal accounts
  • An account is an identity!!
  • First time web servers have been used this way since Nimda

9
Compromised IIS Servers
  • A file is dropped on an IIS server and
    subsequently executed to prepare the server. The
    relevant actions are:
  • File is dropped on IIS server
  • Create ads.vbs
  • Drop file at C:\winnt\system32\inetsrv\iis.dll
  • Server configured to use this file as a footer
  • Modify the configuration of the IIS server such
    that served web pages are appended with a footer
    that contains malicious JavaScript

10
What Scob does
  • Redirects IE to http://217.107.218.147/dot.php
  • Visitor redirected to a file called new.html
  • Exploit code redirects the visitor to
    Shellscript_loader.js
  • In turn, downloads and installs msits.exe
    (ADODB.Stream Object File Installation Weakness
    vulnerability)
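One defender-side check for the footer-injection mechanism described on slides 9 and 10, written as an added example that is not part of the original presentation: it scans a served HTML body for content appended after the closing </html> tag and for script pulled from hosts the site does not own. The sample pages and the own-host set are constructed; the redirect host is the one slide 10 names.

```python
import re

# Redirect host named on slide 10; treated here purely as a known-bad indicator.
KNOWN_BAD_HOSTS = {"217.107.218.147"}

SCRIPT_SRC = re.compile(r'<script[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.I)
HOST = re.compile(r'^[a-z]+://([^/:]+)', re.I)


def check_served_page(body: str, own_hosts: set) -> list:
    """Return findings for one HTML response body.

    Scob prepared a compromised IIS server to append a footer file to every
    page it served; that footer sent IE to an external host. Two cheap signals
    catch the pattern: markup after the final </html>, and script sources
    pointing at a host the site does not own.
    """
    findings = []
    lowered = body.lower()
    end = lowered.rfind("</html>")
    if end != -1 and body[end + len("</html>"):].strip():
        findings.append("content appended after </html> (footer injection)")
    for host in KNOWN_BAD_HOSTS:
        if host in body:
            findings.append(f"reference to known Scob redirect host: {host}")
    for src in SCRIPT_SRC.findall(body):
        m = HOST.match(src)
        if not m:
            continue  # relative path: served by the site itself
        host = m.group(1).lower()
        if host not in own_hosts and host not in KNOWN_BAD_HOSTS:
            findings.append(f"script loaded from external host: {host}")
    return findings


# Constructed sample responses (not captured from a real server).
CLEAN_PAGE = '<html><body><p>Hi</p><script src="/js/app.js"></script></body></html>\n'
INFECTED_PAGE = CLEAN_PAGE + '<script src="http://217.107.218.147/dot.php"></script>\n'

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, check_served_page(page, {"www.example.com"}))
```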

11
What Scob does (continued)
  • msits.exe writes itself to a randomly named
    executable file in c:\winnt\system32
  • Windows Media Player?
  • Reruns the process from the system directory
  • Copies two HTML forms, crude login templates and
    a log file (surf.dat) to the system directory
  • msits.exe attempts to record authentication
    credentials and their corresponding URLs
  • Quasi-rootkit patches the PhysicalMemory device
  • Doesn't appear in Task List

12
Sites of Interest to Scob/msits.exe
  • Paypal.com
  • Signin.ebay
  • .earthlink.
  • juno.com
  • my.juno.com/s
  • webmail.juno.com
  • yahoo.com

13
Workarounds
  • Set the Kill Bit on the ADODB.Stream Object (no
    patch from MS)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
    "CompatibilityFlags"=dword:00000400
  • Make Local Zone/My Computer Zone visible from the
    Internet Options Security tab
  • Don't use IE (US-CERT) (!!)
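An audit helper for the kill-bit workaround on this slide, added here and not part of the original presentation: it reads the text that `reg query` prints for the ADODB.Stream CLSID subkey, reports whether the 0x400 kill bit is present, and produces the .reg file that applies it. The CLSID, value name and key path are the ones the slide gives; the two host outputs are constructed samples.

```python
import re

# From the Workarounds slide: ADODB.Stream CLSID, kill-bit flag and key path.
ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"
KILL_BIT = 0x00000400
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                      r"\ActiveX Compatibility")

# Matches the value line in `reg query` output, e.g.
#     CompatibilityFlags    REG_DWORD    0x400
FLAGS_LINE = re.compile(r"^\s*CompatibilityFlags\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$",
                        re.M)


def kill_bit_set(reg_query_output: str) -> bool:
    """True if the exported CLSID subkey carries the 0x400 kill bit."""
    m = FLAGS_LINE.search(reg_query_output)
    if not m:
        return False  # value (or whole subkey) absent: control not blocked
    return bool(int(m.group(1), 16) & KILL_BIT)


def kill_bit_reg_file() -> str:
    """Return a .reg file that sets the slide's workaround value.

    Note: merging this replaces CompatibilityFlags outright; if other flag
    bits are already set on a host, OR 0x400 into them instead.
    """
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{ACTIVEX_COMPAT_KEY}\\{ADODB_STREAM_CLSID}]\r\n"
        f'"CompatibilityFlags"=dword:{KILL_BIT:08x}\r\n'
    )


# Constructed `reg query` outputs for two hosts (not real captures).
PATCHED_HOST = f"\n{ACTIVEX_COMPAT_KEY}\\{ADODB_STREAM_CLSID}\n" \
               "    CompatibilityFlags    REG_DWORD    0x400\n"
UNPATCHED_HOST = f"\n{ACTIVEX_COMPAT_KEY}\\{ADODB_STREAM_CLSID}\n" \
                 "    CompatibilityFlags    REG_DWORD    0x0\n"

if __name__ == "__main__":
    print("patched host blocked:", kill_bit_set(PATCHED_HOST))
    print("unpatched host blocked:", kill_bit_set(UNPATCHED_HOST))
    print(kill_bit_reg_file())
```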

14
Host IPS Countermeasures (IIS Server)
  • Triggers event "IIS Shielding - File Mod. in
    System folder"
  • Triggers event "IIS Shielding - Conf. File
    Activity (ADMCOMConnect)"

15
Network IPS Countermeasures (IIS)
  • SHELLCODE Shellcode Exploit Detected for i386
    Family CPUs
  • KERBEROS Microsoft Kerberos ASN.1 Double Free
    Encoding Error
  • LDAP Active Directory BO
  • SSL Invalid Client Hello Cipher Suite Value
  • SSL Overly Long PCT Client Hello Challenge
  • SSL Microsoft ASN.1 Double Free Code Execution
  • SSL PCT THCLame Challenge Buffer Overflow
  • DCERPC Microsoft Windows LSASS Buffer Overflow
  • DCERPC Microsoft RPC DCOM Buffer Overflow
  • DCERPC Microsoft RPCSS Heap Overflow
  • DCERPC Microsoft Message Queue Service Heap
    Overflow
  • DCERPC Microsoft Messenger Service Buffer
    Overflow
  • DCERPC Microsoft Workstation Service Buffer
    Overflow
  • DCERPC W32/Gaobot.worm Detected

16
IPS Countermeasures (IE Client)
  • Triggers event "IE Envelope Suspicious Executable
    Modification"

17
Anti-virus
  • Detected by McAfee VirusScan
  • BackDoor-AXJ.gen
  • VBS/Psyme  
  • Exploit-MhtRedir.gen
  • BackDoor-AXJ.dll

18
Why is this important?
  • What if your web server is trojaned?
  • What if your desktop is trojaned?
  • Who is doing this?
  • What's next?
  • What should be done?

19
Sources
  • http://www.microsoft.com/security/incident/download_ject.mspx
  • http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
  • http://62.131.86.111/analysis.htm
  • http://www.incidents.org/

20
Questions
  • Peter Schawacker
  • ps_at_nai.com
  • 760-880-4258