FireEye Malware Intelligence Lab: Vulnerability Research

4 posts categorized "Vulnerability Research"

2010.04.15

Who is Exploiting the Java 0-day?

Update: Oracle released an emergency patch recently to fix this major flaw. See details in the bottom.

-------------

The recent discovery of a 0-day design flaw in the 'Java Web Start' module has opened new avenues for malware drive by attacks. This flaw was exposed by Tavis Ormandy a few days back and it did not take a long time for bad guys to start using the proof of concept code for real exploitation. I have been reading about the exploit details for the last few days, but very few details were available on the active use of this exploit. Who are the guys using this exploit and for spreading what? This article is all about this, with emphasis on the post infection stuff.

Users who are interested in the inner workings of this 0-day flaw itself, can read the full disclosure here.

It all started like this... yesterday afternoon my colleague Stuart Staniford pointed me to a malicious domain hxxp://zikkuat.com (dead at the moment) which he believed seemed to be exploiting this 0-day flaw. After a little analysis, I found it to be true indeed. Here are the details of my findings after a detailed analysis.

Continue reading "Who is Exploiting the Java 0-day?" »

FE Malware Researcher on 2010.04.15 in Botnet Activities / Outbreaks, Exploit Research, Vulnerability Research, Zero-day | Permalink | Comments (3) | TrackBack (0)

2010.03.19

Win32 API Shellcode Hash Algorithm

1. A Modest Proposal

Daylight Saving Time

Allegedly, the purpose of Daylight Saving Time is to save energy by manipulating a unit of measurement.

Mileage Saving Time

I have a similar proposal for how to save on gasoline usage. If we redefine the mile to be 4,800 feet during Summer — when people drive the most. Then everyone will drive 10% more miles per gallon of gas. So for example, during the winter, if your car gets 30MPG, then during Mileage Saving Time, you'd be getting 33MPG!

(Actually, it's more like redefining the distance between San Francisco, and Sacramento from 90 miles to 80 miles. That way the two cities are closer together, reducing the amount of time and energy spent traveling between them.)

2. Something Technical

Simple Hash Function(s)

I occasionally spend time reverse engineering shellcode used in various attacks. And, someday, should you find yourself in a similar situation, the following information might be useful…

The Last Stage of Delerium research group, back in 2002, published a technique for doing Win32 API RVA lookups using only the hash of a string — the name of the API function — rather than storing, and performing a full compare on the very long string. (Which some shellcode still does anyway.)

Continue reading "Win32 API Shellcode Hash Algorithm" »

FE Malware Researcher on 2010.03.19 in Exploit Research, Malware Research, Vulnerability Research | Permalink | Comments (2) | TrackBack (0)

Technorati Tags: hash, Julia Wolf, reverse engineering, shellcode, win32 api

2010.01.14

PDF Obfuscation using getAnnots()

Since around October 2009, Neosploit ¹, a black-market exploit toolkit, has been fabricating PDF files in a slightly new way, but in a way which is difficult for many parsers to analyze for maliciousness. In summary, all of the metadata in a PDF is accessible from the Acrobat Javascript environment. And this metadata is being used for obscuring embedded Javascript code. A PDF parser would need to fill in all the document objects with the correct data, and evaluate the Javascript to find the exploit. (Needless to say, many PDF signature parsers don't do this.) These malicious PDFs ultimately install Mebroot (aka: Sinowal)².

[And, oh yeah, our product detects this.]

Breaking News

Update: There's another exploit toolkit doing similar metadata tricks to obscure a CVE-2009-4324 attack. (That's the most recent 0-day.)

Continue reading "PDF Obfuscation using getAnnots()" »

FE Malware Researcher on 2010.01.14 in Current Affairs, Exploit Research, Malware Research, Vulnerability Research | Permalink | Comments (4) | TrackBack (0)

Technorati Tags: 0-day, Acrobat, Adobe, Adobe Reader, annotation, attack, CVE, exploit, getAnnots, hexdump, howto, ISO 32000-1:2008, javascript, Julia Wolf, malware, Mebroot, Neosploit, obfuscation, PDF, shellcode, Sinowal, syncAnnotScan, toolkit, zlib

2008.03.03

Instruction Pointer Relative Addressing (for position independent code)

So, here's an interesting trick I've been using, that I've never seen anyone mention before. One of the new features that AMD added to the x86 instruction set when they did the AMD64/x86-64, was that in "long mode" (64-bit mode), the encoding for the old 32-bit immediate offset addressing mode, is now a 32-bit offset from the current RIP, not from 0x00000000 like before. In English, this means that you don't have to know the absolute address of something you want to reference, you only need to know how far away it is from the currently executing instruction [technically the next instruction].

So, let's say you're writing a fairly generic execve() shellcode. I'm going to assume that everyone here has read Aleph One's paper on this, so I'm not going to repeat that here. (Gripe: What is it with all these shellcode tutorials, that are just slightly rewritten copies of "Smashing the Stack…"?)

This is what we want to do:

Continue reading "Instruction Pointer Relative Addressing (for position independent code)" »

FE Malware Researcher on 2008.03.03 in Vulnerability Research | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: 64-bit, AMD64, assembly, exploit, Julia Wolf, shellcode

FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation | www.fireeye.com