The first one writing about this new threat was Marco Giuliani. So, Murofet or Zeus++?
Taking a look at a couple of samples we were able to identify:
- Same API hooks
- Same encryption routine for the configuration file (RC4)
- Pretty much the same configuration file format

Here you can take a look at a decrypted configuration file. You can see that it uses the same block-based structure as Zeus configuration files.
I’m interested in infostealers and specifically in banking-trojans so I didn’t want to miss this one. Samples of Carberp are floating around at least since last spring but in late September we saw such numbers increasing.
Taking a look at how Carberp hooks APIs, it looks like yet another Zeus “clone”. What I found interesting is how it hooks system calls. This is what a normal syscall stub looks like:

```asm
MOV EAX,0xce            // ZwResumeThread syscall id
MOV EDX,0x7FFE0300      // pointer to KiFastSystemCall
CALL DWORD PTR DS:[EDX]
RETN 0x8
```

And this is how the hooked syscall looks like
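As an added example (not code from the original post), here is a small checker that verifies whether an x86 `Zw*` stub still has the canonical layout shown above and, if so, recovers its syscall id; a stub whose first bytes no longer match is reported as patched. The byte arrays are constructed for illustration: the "patched" one assumes the first instruction was overwritten.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of inspecting one syscall stub. */
typedef struct {
    int      intact;      /* 1 if the stub matches the canonical layout */
    uint32_t syscall_id;  /* imm32 of MOV EAX, valid only when intact == 1 */
    uint16_t ret_bytes;   /* imm16 of RETN, valid only when intact == 1 */
} stub_info;

/* Canonical XP-era x86 stub:
 *   B8 imm32        MOV EAX, <syscall id>
 *   BA 00 03 FE 7F  MOV EDX, 0x7FFE0300   (pointer to KiFastSystemCall)
 *   FF 12           CALL DWORD PTR [EDX]
 *   C2 imm16        RETN imm16                                         */
static const uint8_t MOV_EDX_KFSC[5] = { 0xBA, 0x00, 0x03, 0xFE, 0x7F };

stub_info inspect_stub(const uint8_t *code, size_t len)
{
    stub_info r = { 0, 0, 0 };
    if (len < 15)                                   return r; /* too short */
    if (code[0] != 0xB8)                            return r; /* MOV EAX, imm32 */
    if (memcmp(code + 5, MOV_EDX_KFSC, 5) != 0)     return r; /* MOV EDX, 7FFE0300h */
    if (code[10] != 0xFF || code[11] != 0x12)       return r; /* CALL [EDX] */
    if (code[12] != 0xC2)                           return r; /* RETN imm16 */
    r.syscall_id = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    r.ret_bytes  = (uint16_t)(code[13] | code[14] << 8);
    r.intact     = 1;
    return r;
}

/* Constructed sample: the ZwResumeThread stub exactly as shown in the post. */
const uint8_t CLEAN_STUB[15] = { 0xB8, 0xCE, 0x00, 0x00, 0x00,
                                 0xBA, 0x00, 0x03, 0xFE, 0x7F,
                                 0xFF, 0x12, 0xC2, 0x08, 0x00 };

/* Constructed sample: same stub with its first 5 bytes overwritten (hypothetical). */
const uint8_t PATCHED_STUB[15] = { 0xE9, 0x11, 0x22, 0x33, 0x44,
                                   0xBA, 0x00, 0x03, 0xFE, 0x7F,
                                   0xFF, 0x12, 0xC2, 0x08, 0x00 };

int main(void)
{
    stub_info a = inspect_stub(CLEAN_STUB, sizeof CLEAN_STUB);
    stub_info b = inspect_stub(PATCHED_STUB, sizeof PATCHED_STUB);
    printf("clean:   intact=%d id=0x%x ret=%u\n", a.intact, a.syscall_id, a.ret_bytes);
    printf("patched: intact=%d\n", b.intact);
    return 0;
}
```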
The deadline for the Forensic Challenge 2010/5 - Log Mysteries is quickly approaching. It seems like this challenge is a hard nut to crack as we only received a few submissions so far. If you like a challenge, give it a try. The deadline is September 30th 2010. You can access the challenge at https://honeynet.org/challenges/2010_5_log_mysteries. Did I mention there are prizes?
- “it bypasses DEP and ASLR using impressive tricks and unusual methods” - Vupen
- “it uses a previously unpublished technique to bypass ASLR” - Metasploit Blog
- “exploit uses the ROP technique to bypass the ASLR and DEP” - ZDnet/Kasperky
- “it’s so scary I ran away screaming” - anonymous
Is that PDF so scary? I don’t think so.
DEP is a hardware feature that prevents execution of data; obviously it only works if software sets the execution flag just on memory pages containing code.
I’ll tell you the truth: Export Address Table Filtering, the feature of the upcoming release of EMET, “designed to break nearly all shell code in use today”, intrigued me a bit.
Since I wasn’t able to find docs about the actual implementation, I started to think about how that could be done and I wrote a simple POC that uses VirtualProtect to flag the relevant pages of the .data section of ntdll and kernel32 with PAGE_GUARD to intercept read operations over the PEB.
A new improvement in PHoneyC DOM emulation code was committed in SVN r1624. The idea is to better emulate the DOM behaviour depending on the selected browser personality. Let’s take a look at the code starting from the personalities definition in config.py.
```python
UserAgents = [
    (1,
     "Internet Explorer 6.0 (Windows 2000)",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
     "Mozilla",
     "Microsoft Internet Explorer",
     "4.
```
The Discoverer module (see zhongjie’s blog entry) has been completed.
It consists of two programs, the Format Discovery and Pre-Replay processing.
Format Discovery is pretty much what I’ve blogged about in my earlier post.
Since that entry, I’ve completed the to-do tasks:

- have a function to summarise all output for this program.
- solve a memory leak problem in this program.
- match replay packet to format, and if the length segment changes (e.g. due to a shellcode change), then the length field needs to change.
I’ve been working on the GSOC Project 14 in recent months. We are meant to start a new tool which can replay the collected exploit traces.
We know that during the process of exploit replay, there are many fields that need to be changed in the original application messages. Some of them are platform independent, and the others are platform specific. Platform-independent variables are those changed each time we exploit, like timestamp, cookie, length, etc.
“Dionaea is meant to be a Nepenthes successor, embedding Python as scripting language, using libemu to detect shellcodes, supporting IPv6 and TLS” (taken from Dionaea homepage). Besides being the most interesting project for trapping malware exploiting vulnerabilities, Dionaea supports a really cool feature which allows it to log to XMPP services as described here. TIP now exploits this feature receiving and storing such logs (really thanks to Markus Koetter for his help and support).
A few weeks ago I started reviewing the PHoneyC DOM emulation code and realized it was turning out to be hard to maintain and debug due to a huge amount of undocumented (and sometimes awful) hacks. For this reason I decided it was time to patch (and sometimes rewrite from scratch) such code. These posts will describe how the new DOM emulation code will work. The patch is not available right now since I’m testing the code, but plans exist to commit it to the PHoneyC SVN in the next days.