Monday, October 26, 2009

Client-side validation

One of the rules of application security is never to rely on client-side validation: validation must be enforced on the server.
I came across an e-card greeting on the "Uniquely Singapore" website and decided to try it out. Hmmmm... the form doesn't allow me to submit an e-card with the recipient and sender emails being the same. Did they implement client-side validation? I decided to disable Javascript in Firefox. I reloaded the webpage and resubmitted. Voila!!! Email sent and received.

This confirms that Javascript is used to validate submissions on the client's machine. The secure way would be to validate on the server so that the client cannot manipulate requests to successfully bypass validation.
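As an added example (not code from the post or from the website it describes), here is the server-side check the post calls for, written in Python: the "sender must differ from recipient" rule is enforced inside the request handler, so a browser with JavaScript disabled, or a hand-crafted request that never loaded the form, gets the same rejection as one that ran the client-side script. The field names sender, recipient and message, the handler name and the sample request bodies are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Deliberately simple address check; the point is where it runs, not its strictness.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_MESSAGE_LEN = 500


def validate_ecard(form: Dict[str, str]) -> List[str]:
    """Return a list of validation errors (empty means the submission is acceptable).

    This runs on the server for every request, so it does not matter whether the
    browser executed the form's JavaScript, had it disabled, or never rendered the
    form at all (a hand-crafted request).
    """
    errors: List[str] = []
    sender = form.get("sender", "").strip().lower()
    recipient = form.get("recipient", "").strip().lower()
    message = form.get("message", "")

    if not EMAIL_RE.match(sender):
        errors.append("sender is not a valid email address")
    if not EMAIL_RE.match(recipient):
        errors.append("recipient is not a valid email address")
    # The rule the client-side script enforced in the post: sender != recipient.
    # Compared after normalisation so "Alice@x.com" and "alice@x.com" count as the same.
    if sender and sender == recipient:
        errors.append("recipient must differ from sender")
    if not 1 <= len(message) <= MAX_MESSAGE_LEN:
        errors.append(f"message must be 1-{MAX_MESSAGE_LEN} characters")
    return errors


def handle_ecard_post(body: str) -> Tuple[int, str]:
    """Minimal handler for an application/x-www-form-urlencoded POST body.

    Returns an (HTTP status, response text) pair; a real handler would pass a
    valid submission on to the mailer instead of returning "sent".
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    errors = validate_ecard(form)
    if errors:
        return 400, "; ".join(errors)
    return 200, "sent"


# Constructed request bodies (hypothetical addresses). The second is what the
# browser sends once the client-side script has been disabled, as in the post.
VALID_BODY = "sender=alice%40example.com&recipient=bob%40example.com&message=Hello+Bob"
BYPASS_BODY = "sender=alice%40example.com&recipient=alice%40example.com&message=Hello+me"

if __name__ == "__main__":
    for body in (VALID_BODY, BYPASS_BODY):
        print(body, "->", handle_ecard_post(body))
```

Client-side JavaScript is still worth keeping for immediate feedback to the user; it just cannot be the only place a rule lives, because the browser is under the sender's control.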

Thursday, October 22, 2009

Zbot

Downloaded a sample of "Zbot" from Offensive Computing's site. I'm no reverse engineering guru but decided to give it a go at analysing this nasty piece of malware. Fired up "Regshot" to detect modifications made to my virtual machine.
The following registry keys were added.

HKLM\SOFTWARE\Classes\.exe
HKLM\SOFTWARE\Classes\.exe \PersistentHandler
HKLM\SOFTWARE\Microsoft\DownloadManager
HKLM\SOFTWARE\XTB

The corresponding values that were added.

HKLM\SOFTWARE\Classes\.exe \PersistentHandler\: "{098f2470-bae0-11cd-b579-08002b30bfeb}"
HKLM\SOFTWARE\Classes\.exe \: "exefile"
HKLM\SOFTWARE\Classes\.exe \Content Type: "application/x-msdownload"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows: "C:\WINDOWS\explorer.exe "
HKLM\SOFTWARE\XTB\httpaddr: "http://server.xyz/drss,jpg"
HKLM\SOFTWARE\XTB\xintr: "1440"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe : "C:\WINDOWS\explorer.exe :*:Enabled:explorer"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe : "C:\WINDOWS\explorer.exe :*:Enabled:explorer"
HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\explorer.exe : "explorer"

HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000

HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings: 3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 10 8A 55 3E 84 54 CA 01 01 00 00 00 C0 A8 DC 89 00 00 00 00 00 00 00 00

HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\tester\Desktop\malware.exe: "malware"

HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\explorer.exe : "explorer"
HKU\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\explorer.exe : "explorer"


The following files were added.

C:\WINDOWS\Prefetch\EXPLORER.EXE -2F6C44D8.pf
C:\WINDOWS\Prefetch\MALWARE.EXE-17DA0AE5.pf
C:\WINDOWS\Prefetch\RUNDLL32.EXE-4912BB30.pf
C:\WINDOWS\system32\wbem\Logs\wmiprov.log
C:\WINDOWS\explorer.exe

The following files were modified.

C:\Documents and Settings\tester\Cookies\index.dat
C:\Documents and Settings\tester\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\tester\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\tester\ntuser.dat.LOG
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\software
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG

As seen from the registry values added, the malware creates a backdoor into the victim's system. A pop-up was triggered by the malware, and clicking "Unblock" adds a permit rule to "Windows Firewall", which gives the hacker access to the system. The malware creates a file "explorer.exe " in "C:\Windows". Note that the fake Explorer does not replace the authentic one native to Windows, because the hacker adds a space behind the extension. 2 Explorer processes can be seen in "Task Manager", and one of them is the backdoor. "Active Ports" and "netstat" (with the -nab switch) confirm that the backdoor listens on TCP port 113 and UDP port 1025.

The malware requests a fake resource, drss,jpg, from a server presumably controlled by the hacker. This is not a typo: the hacker intentionally uses a comma instead of a full stop. I hypothesize that the hacker uses this fake request to capture the victim's IP address so that he knows which IP address to connect to.

Besides "0wning" bots, I believe that the hacker is after the victim's surfing history and logs, based on the files modified.
Launched "Capture BAT" to verify the findings from "Regshot". "Capture BAT" confirms that the same registry keys and values were added. It also confirms the spawning of the fake Explorer process. The packet capture by "Capture BAT" also confirms the HTTP request to "server.xyz".
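An added example, not code from the post and not part of Regshot or Capture BAT: a Python script that reads lines in the layout of Regshot's "values added" section and flags the indicators this analysis turned up, namely a Run-key autostart, a Windows Firewall AuthorizedApplications entry, an executable name that carries a space behind the extension, and a URL stored in a vendor key. The sample input below is constructed from the entries listed above (server.xyz is the post's placeholder hostname); the indicator names and regular expressions are my own choices.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the layout of Regshot's "Values added" section. The
# entries reproduce the ones listed in this post; "server.xyz" is the post's
# placeholder hostname, not real infrastructure.
SAMPLE_REGSHOT = r'''
HKLM\SOFTWARE\Classes\.exe \: "exefile"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows: "C:\WINDOWS\explorer.exe "
HKLM\SOFTWARE\XTB\httpaddr: "http://server.xyz/drss,jpg"
HKLM\SOFTWARE\XTB\xintr: "1440"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe : "C:\WINDOWS\explorer.exe :*:Enabled:explorer"
HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
HKU\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\explorer.exe : "explorer"
'''

# Indicator labels (my own naming, not Regshot output).
AUTORUN = "autorun persistence"
FIREWALL = "firewall exception"
TRAILING_SPACE = "trailing-space executable name"
CALLBACK_URL = "url stored in registry"

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
FIREWALL_RE = re.compile(r"\\FirewallPolicy\\.*\\AuthorizedApplications\\List\\", re.I)
# ".exe" followed by whitespace and then either the end of the field or a ':'
# separator, i.e. the "explorer.exe " name from the post.
TRAILING_EXE_RE = re.compile(r"\.exe[ \t]+(?=:|$)", re.I)
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)


def parse_regshot_values(text: str) -> List[Tuple[str, str]]:
    """Split 'value path: data' lines into (path, data) pairs.

    Regshot writes the value path, a colon-space separator, then the data as a
    quoted string, a hex number or space-separated bytes. Only the first
    colon-space is a separator; "C:\\" inside paths is colon-backslash and is
    left alone. Surrounding quotes are removed but inner whitespace is kept,
    because a trailing space is exactly the detail we want to see.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ": " not in line:
            continue
        path, data = line.split(": ", 1)
        data = data.strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1]
        entries.append((path, data))
    return entries


def flag_indicators(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (indicator, path, data) triples for every entry that matches a rule."""
    findings: List[Tuple[str, str, str]] = []
    for path, data in entries:
        if RUN_KEY_RE.search(path):
            findings.append((AUTORUN, path, data))
        if FIREWALL_RE.search(path):
            findings.append((FIREWALL, path, data))
        if TRAILING_EXE_RE.search(path) or TRAILING_EXE_RE.search(data):
            findings.append((TRAILING_SPACE, path, data))
        if URL_RE.match(data):
            findings.append((CALLBACK_URL, path, data))
    return findings


def summarize(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count findings per indicator."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    hits = flag_indicators(parse_regshot_values(SAMPLE_REGSHOT))
    for kind, path, data in hits:
        print(f"[{kind}] {path!r} -> {data!r}")
    print(summarize(hits))
```

Printing the path and data with repr makes the trailing space visible as `'explorer.exe '`, which is easy to overlook in Regshot's plain text; that is how the fake Explorer coexists with the real C:\WINDOWS\explorer.exe instead of replacing it.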

Thursday, October 1, 2009

Google warning

Google now warns its users of sites with malicious content. Google displayed a warning when I searched for the URL of my toy supplier. It also blocked my access to the suspect site.

Microsoft Security Essentials

M$ released a free AV called "Security Essentials" for home consumers. I gave it a test drive and found it intuitive to manage as well as use.

I tested it against the malicious MP3 file that I analysed previously and "Security Essentials" effortlessly detected the malware instantaneously. Avast! on the other hand needed me to manually trigger a scan before it warned me of the presence of malware. 27 AV engines hosted on VirusTotal missed it.