Archive for November, 2009

Information Escapology, part three – Clippy’s Revenge

Posted in General Security, Information Leaks on 25 November, 2009 by Alec Waters

In the Good Old Days, the clipboard was a simple thing. Highlight some text, copy, paste it somewhere else. These days it’s a little more comprehensive – if you copy some text, there’s a good chance that the text’s attributes will get copied as well. This may or may not be of consequence, depending on where you paste it.

I came across an email recently where the sender had copied two cells from Excel and pasted them into Outlook along with a question. The stuff pasted from Excel looked like this, all nicely formatted in a table, just as if it were two cells in a spreadsheet:

Policy 6gX1 All business units MUST implement Policy 6gX1

It doesn’t tell me much about the super-secret Policy 6gX1, but the clipboard has preserved the Hyperlink properties of the first cell. Ignoring the fact that WordPress has knackered the link (don’t bother clicking it), here is what it actually was:

<a href="file:///C:/Documents%20and%20Settings/j.bond/Local%20Settings/Temporary%20Internet%20Files/Project%20Rattlesnake%20verysecret.xlsx#%27Guidance%20Notes%27%21AB23">Policy 6gX1</a>

What can we tell from this:

  • The sender is using Windows XP/Server 2003 or below, betrayed by the “Documents and Settings” folder
  • The sender’s Windows logon account is called j.bond
  • Policy 6gX1 is related somehow to Project Rattlesnake
  • They’re using a later version of Excel (xlsx extension vs. xls)
  • “Project Rattlesnake verysecret.xlsx” is in the IE cache directory, indicating that it’s available for download somewhere
  • “Project Rattlesnake verysecret.xlsx” has a sheet in it called “Guidance Notes”
  • The “Guidance Notes” sheet is quite large, because the link refers to cell AB23.

Not entirely earth-shattering information, but something like this could just provide a social engineer with enough additional context and terminology to establish a credible pretext.
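As an added example (not code from the post), here is a check that a mail gateway or an analyst could run over an outgoing HTML body to find file:// hyperlinks and reduce each one to what it gives away. The sample HTML is constructed to match the link shown above; the “Users” branch is my assumption, extending the XP-era observation to the Vista-and-later profile layout.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed HTML fragment standing in for the body of an outgoing mail;
# the href follows the form shown in the post (not the post's actual link).
SAMPLE_HTML = ('<table><tr><td><a href="file:///C:/Documents%20and%20Settings/j.bond/'
               'Local%20Settings/Temporary%20Internet%20Files/'
               'Project%20Rattlesnake%20verysecret.xlsx#%27Guidance%20Notes%27%21AB23">'
               'Policy 6gX1</a></td><td>All business units MUST implement Policy 6gX1</td>'
               '</tr></table>')

HREF_RE = re.compile(r'href\s*=\s*["\'](file:[^"\']+)["\']', re.I)
# Excel's "#'Sheet Name'!A1" fragment for a hyperlink into a workbook.
FRAGMENT_RE = re.compile(r"^'?(?P<sheet>[^'!]+)'?!(?P<cell>[A-Za-z]{1,3}\d+)$")


def describe_file_link(href):
    """Break a file:// href into the facts it leaks about the sender's machine."""
    parts = urlsplit(href)
    path = unquote(parts.path).lstrip("/")   # e.g. C:/Documents and Settings/...
    segments = path.split("/")
    info = {"path": path, "file": segments[-1]}
    # The profile-directory layout reveals the Windows generation and the logon name.
    if len(segments) > 2 and segments[1] == "Documents and Settings":
        info["os"] = "Windows XP/Server 2003 or earlier"
        info["user"] = segments[2]
    elif len(segments) > 2 and segments[1] == "Users":   # assumption: Vista+ layout
        info["os"] = "Windows Vista or later"
        info["user"] = segments[2]
    # A workbook sitting in the IE cache was fetched from somewhere downloadable.
    if "Temporary Internet Files" in segments:
        info["ie_cache"] = True
    m = FRAGMENT_RE.match(unquote(parts.fragment))
    if m:
        info["sheet"] = m["sheet"]
        info["cell"] = m["cell"]
    return info


def find_local_file_links(html):
    """Every file:// hyperlink in an HTML body, each reduced to what it gives away."""
    return [describe_file_link(h) for h in HREF_RE.findall(html)]
```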

Take care with the clipboard; who knows when Clippy will exact his vengeance!


Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk

How cz32ts determines if your site is vulnerable to SQL Injection

Posted in General Security, Malware on 17 November, 2009 by Alec Waters

cz32ts will append some SQL to a URL given to it by its C&C server at 205.209.143.94, and will fetch the results. It then phones home the results of its mischief like this:

C&C: +OK LINK-SERVER READY
cz32ts: CMD PUTLINK http://some.victim.url?sql=goes&after=this InjectAsp:YES
C&C: Finished.

It’s the InjectAsp:YES that denotes a successful SQL Injection vulnerability assessment. Given the appended SQL described in this post, cz32ts is looking simply for:

|number|

…in the page handed back by the server under test. If this pattern appears anywhere on the page, it will report InjectAsp:YES to the C&C server. Even error reports are sufficient, because they indicate that the injected SQL was executed and that the server is ripe for exploitation:

[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value '|98|' to data type int.

If you’ve been paid a visit by cz32ts, it’s probably a good idea to replay its requests (based upon the parameter string in your web server’s logfiles) and check the responses for the pattern |number| – if it’s there, you’ve got a vulnerability that needs addressing. A vulnerability that the bad guys know about already!


TL32Sn – feeder for cz32ts?

Posted in General Security, Malware on 17 November, 2009 by Alec Waters

TL32Sn does Google searches. cz32ts performs tentative SQL Injection reconnaissance. Both are controlled by the same server.

Perhaps TL32Sn’s role in life is to build a list of URLs for cz32ts to try? Perhaps the “inurl” part of TL32Sn’s query represents a fingerprint search for known vulnerable web apps? Once it’s done the Google search and has got a list of results (shortened by the presence of the seemingly irrelevant keyword), does it phone these home to 205.209.143.94 for cz32ts to check out later on?


TL32Sn – twisted cousin of cz32ts and NV32ts

Posted in General Security, Malware on 15 November, 2009 by Alec Waters

I’ve come across TL32Sn.exe (Anubis report, VirusTotal report), which appears to be related to cz32ts and NV32ts. Aside from the similar format of the name of the executable, it shares the same C&C server at 205.209.143.94.

cz32ts used port 8998 to get a list of URLs to attack, and the same port to report the results back. TL32Sn uses port 8999 instead, and via a command called PHPGETURL retrieves URLs like this:

http://66.102.11.99/search?hl=en&num=100&newwindow=1&q=cholecystokinin+inurl:asp%3Fcontent%3D&start=300&sa=N

http://66.249.89.44/search?hl=en&num=100&newwindow=1&q=chopin+inurl:asp%3Fnode%3D&start=300&sa=N

These are Google searches which TL32Sn duly carries out (the user agent is TL32Sn.exe). There are lots more questions here:

  • Why start at result #300?
  • Why didn’t they say inurl:"asp?content=" instead of the less effective inurl:asp?content=?
  • Why are they searching for cholecystokinin and chopin anyway? The two URLs above were fetched within half an hour of one another – perhaps these words are from an ordered list of search terms?

One thing is for certain – 205.209.143.94 is at the heart of all this!


cz32ts – an interesting banana!

Posted in General Security, Malware on 13 November, 2009 by Alec Waters

I think I’ve found the cz32ts executable – VirusTotal has this to say about it. What is more interesting is what Anubis has to say about it – check out the Network Activity section.

Basically, the executable goes off to a C&C server on 205.209.143.94 for a list of URLs to attack using the GETPHPURL command. It then tries to SQL inject the victim site, using the executable name as its user agent (all of the ones in my capture have i1 as the user agent, because that was the name of the executable I retrieved). Once the SQL injection tests have been carried out, it then reconnects to the C&C server to report the result of the attempt using the CMDPUTLINK command.

I have no idea how cz32ts.exe is distributed, but it would seem like the ideal thing for a dropper to pull down and set to run once on startup.

Anyone fancy shutting down 205.209.143.94?


cz32ts – evil twin of NV32ts?

Posted in General Security, Malware on 13 November, 2009 by Alec Waters

There is an update to this post here.

In the past, we’ve seen various automated SQL Injection attempts bearing a User-Agent of NV32ts. It’s all a little odd, since:

  • The attempts are dead easy to spot, thanks to the user agent (there’s even a Snort rule for detecting it)
  • The attempts could be described as recon-only, since they didn’t seek to change anything.

Two injection attempts would be made by the attacker. The injected SQL would look like this:

%20And%20char(124)%2b(Select%20Cast(Count(1)%20as
%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]
%20Where%201=1)>0

And this:

'%20And%20char(124)%2b(Select%20Cast(Count(1)%20as
%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]
%20Where%201=1)>0%20and%20''='

These two cover the cases for vulnerable non-string and string parameters, and each case would be attached to the end of the URL under test, after the last parameter. We’d usually see a spate of attempts in a short space of time from different source IP addresses, possibly suggesting that some botnet or other is doing all the work (possibly even Conficker).

Yesterday, we saw another run of attempts with the same pattern. A handful of source IP addresses targeted the same victim websites, each trying the same URL twice, appending the same two SQL statements as above. The only difference is the user agent – what was NV32ts has become cz32ts.

It’s still something of a mystery, though. Why use such a distinctive user agent? Why change it? What are the baddies looking for? If they’re going to go to the bother of scanning for sites vulnerable to SQL injection, why don’t they just try to inject something? Why conduct all this recon, when it would be difficult to reliably detect if you’re actually talking to a vulnerable site? Are the botmasters selling lists of potentially vulnerable sites rather than exploiting them themselves?

Any ideas?
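An added example, not code from these posts: a Python script that pulls NV32ts/cz32ts probes out of web server logs, matching either the user agent or, more robustly given the rename described above, the decoded sysobjects payload, plus the check for the |number| marker that the earlier post (“How cz32ts determines if your site is vulnerable to SQL Injection”) says the bot looks for in the response. The log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not real traffic). Lines 1-2 are the
# non-string and string probes with the scanner user agents; line 3 carries the
# same payload under a generic user agent; line 4 is an ordinary request.
SAMPLE_LOG = r'''
192.0.2.10 - - [12/Nov/2009:10:03:11 +0000] "GET /news.asp?id=7%20And%20char(124)%2b(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]%20Where%201=1)>0 HTTP/1.1" 500 611 "-" "NV32ts"
192.0.2.10 - - [12/Nov/2009:10:03:12 +0000] "GET /news.asp?id=7'%20And%20char(124)%2b(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]%20Where%201=1)>0%20and%20''=' HTTP/1.1" 200 4207 "-" "cz32ts"
203.0.113.5 - - [12/Nov/2009:10:09:40 +0000] "GET /news.asp?id=7%20And%20char(124)%2b(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]%20Where%201=1)>0 HTTP/1.1" 500 611 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Nov/2009:10:10:01 +0000] "GET /news.asp?id=7 HTTP/1.1" 200 4207 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SCANNER_UAS = {"nv32ts", "cz32ts"}
# After URL-decoding, the payload wraps a sysobjects row count in char(124), i.e. '|'.
PAYLOAD_RE = re.compile(
    r"and\s+char\(124\)\+\(select\s+cast\(count\(1\)\s+as\s+varchar\(8000\)\)"
    r"\+char\(124\)\s+from\s+\[sysobjects\]", re.I)
# The marker the bot looks for in the response: a pipe-delimited integer, e.g. |98|.
MARKER_RE = re.compile(r"\|\d+\|")


def find_probes(log_text):
    """Return (ip, url, ua, status) for every request that carries either the
    scanner user agent or the sysobjects count payload. Matching on the decoded
    payload still catches the probe after the user agent is renamed again."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m["url"])
        if m["ua"].lower() in SCANNER_UAS or PAYLOAD_RE.search(decoded):
            hits.append((m["ip"], m["url"], m["ua"], int(m["status"])))
    return hits


def response_indicates_injection(body):
    """True if a response body contains the |number| marker, whether rendered
    into the page or quoted inside an ODBC conversion error."""
    return MARKER_RE.search(body) is not None
```

Feed the URLs returned by find_probes to your own test harness and run each response body through response_indicates_injection; a hit means the bot has already recorded InjectAsp:YES for that page.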


Information Escapology, part two – The Perils of Top Posting

Posted in General Security, Information Leaks on 3 November, 2009 by Alec Waters

Posting styles are a matter of personal choice; top posting is probably the most common one, possibly influenced by the design of everyday email clients. When replying to a message, software like Microsoft Outlook will put the original message below the caret, leading to an ever-growing top-posted exchange between the participants.

I’m not going to incite a flame war by debating the various merits of each posting style, but I do have a word of caution.

With a top-posted conversation, it’s very easy to get into the cycle of hit-reply->type->hit-send. The context for your thoughts is the message you are directly replying to, the last one in the chain; it’s easy to lose track of what’s been said previously.

The problem comes when you introduce a third party to the conversation – how many times have you received an email like the one below that arrived in Tim’s inbox:

From: Bob, BigCorp CEO
To: Ken, BigCorp HR Director; Tim, IT Support
Subject: RE: Outlook

Tim,

Email seems really slow today. Please could you investigate as a priority.

Bob

——– Original Message ——–
From: Ken, BigCorp HR Director
To: Bob, BigCorp CEO
Subject: RE: Outlook

It’s not just you. Every message I’ve sent today has taken ages to get through.

Ken

——– Original Message ——–
From: Bob, BigCorp CEO
To: Ken, BigCorp HR Director
Subject: RE: Outlook

Is it just me, or is email really slow today?

Bob

——– Original Message ——–
From: Ken, BigCorp HR Director
To: Bob, BigCorp CEO
Subject: RE: Outlook

That’s true, but he’s better at his job than the other two are at theirs. Perhaps we should cut his salary as well as let someone go?

Ken

——– Original Message ——–
From: Bob, BigCorp CEO
To: Ken, BigCorp HR Director
Subject: RE: Outlook

Can we get rid of Brian? He gets paid twice what the others do.

Bob

——– Original Message ——–
From: Ken, BigCorp HR Director
To: Bob, BigCorp CEO
Subject: RE: Outlook

Possible candidates:

Sue, from design.
Tim, from IT.
Brian, from marketing.

Ken

——– Original Message ——–
From: Bob, BigCorp CEO
To: Ken, BigCorp HR Director
Subject: Outlook

Things aren’t looking good. We’re going to have to let some people go. Any thoughts on who?

Bob

It’s perhaps a silly example, but you get the idea. Bob and Ken’s focus has shifted from their company’s impending doom to a technical matter, and they’ve inadvertently disclosed to Tim far more than they intended to. The “top post by design” nature of their email clients has caused them to lose awareness that this email exchange is getting longer and longer and is containing more and more information.

The next time you receive an email with RE: in the subject line, scroll down and see how far the rabbit hole goes. The next time you send a reply, make sure you know exactly what you’re sending. Otherwise you’ll end up on the receiving end of Tim, Sue and Brian…

