Archive for September, 2008

Phishing on Skype

Tuesday, September 30th, 2008

I got this message on Skype. I haven’t seen much phishing there before, but I guess phishing anywhere is trendy now:

[7:35:01 PM] Update ® says: WINDOWS REQUIRES IMMEDIATE ATTENTION
=============================

ATTENTION ! Security Center has detected
malware on your computer !

Affected Software:

Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT Server 4.0
Microsoft Windows Win98
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns

Recommendation: Users running vulnerable version should install a repair
utility immediately

Your system IS affected, download the patch from the address below !
Failure to do so may result in severe computer malfunction.

http://www.registryservice.org/?q=scan

Latest Phishing Attacks

Monday, September 29th, 2008

Today we executed another phishing attack as part of a pen test. We did the traditional network VA and pen test last week with limited results (well, we did own their routers). Web apps were fairly tight, but nothing stood out as a solid remote exploit. So the phishing exercise was important for me.

We sent out about 70 emails, had 100+ hits on the site and collected 10 credentials. About half the recipients were prompted with an ActiveX control. The ActiveX excited me but didn’t work. I learned after the fact that there were two problems. First, the customer used an authenticated proxy. We have some tools to get around that, but unless we expect it we usually don’t set up for it. Generally speaking you need at least SYSTEM to inject into a safe process like IE to get out. Beyond that, I discovered my ActiveX control was triggering some AV products. I grabbed the implant (a PE) from the remote server but labeled it .JPG. Well, that triggered alarms and killed the transfer. Not that it matters anymore, but I wrote a quick bit of code to XOR-encode files.

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <io.h>
#include <fcntl.h>
#endif

#define BUFSIZE 2

int main(int argc, char *argv[])
{
    char *buf, *pwd, *b, *p;
    FILE *IN;
    size_t n, c;
    char t;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <file>  (encoded bytes go to stdout)\n", argv[0]);
        return 1;
    }

    buf = (char *) malloc(BUFSIZE + 1);
    pwd = strdup("XORKEY");
    p = pwd;

#ifdef _WIN32
    /* stdout must be binary too, or '\n' bytes in the PE get turned into "\r\n" */
    _setmode(_fileno(stdout), _O_BINARY);
#endif

    IN = fopen(argv[1], "rb");      /* binary mode: the input is a PE, not text */
    if (IN == NULL) {
        perror(argv[1]);
        return 1;
    }

    while ((n = fread(buf, 1, BUFSIZE, IN)) > 0)
    {
        b = buf;

        /* only walk the bytes actually read; the final block may be short */
        for (c = 0; c < n; c++)
        {
            if (*p == '\0')         /* wrap around to the start of the key */
                p = pwd;

            t = *b ^ *p;
            putchar(t);
            b++; p++;
        }
    }
    fclose(IN);
    free(buf);
    free(pwd);
    return 0;
}

Nothing fancy, but it gets the job done.
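The flip side of the trick above, as an added detection example (not code from the post): a repeating-key XOR hides the MZ magic from a naive signature, but nearly every Windows executable carries the DOS-stub string "This program cannot be run in DOS mode", which serves as a known-plaintext crib. Sliding that crib over a file and checking whether the recovered key stream is periodic recovers short keys directly, and the MZ bytes at offset 0 confirm the guess. The sample PE header below is constructed, the maximum key length of 8 is an assumption, and the extension-to-magic table is deliberately small.

```python
"""Spot a PE that has been XOR-encoded with a short repeating key.
Added detection example, not the post's code.  The DOS-stub string is a crib
present in almost every Windows executable, so the key falls out of a
known-plaintext check regardless of what the file is named."""

CRIB = b"This program cannot be run in DOS mode"
MAX_KEY_LEN = 8      # assumption: keys longer than this are unusual for this trick
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG", "gif": b"GIF8"}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(data: bytes, crib: bytes = CRIB, max_key_len: int = MAX_KEY_LEN):
    """Return (key, crib_offset) if `data` is a PE XOR-encoded with a key of at
    most max_key_len bytes, else None.  A plain PE comes back with key b'\\x00'."""
    n = len(crib)
    for offset in range(len(data) - n + 1):
        # If the crib sits here, XOR-ing it out leaves a window of the key stream.
        stream = bytes(d ^ c for d, c in zip(data[offset:offset + n], crib))
        for klen in range(1, max_key_len + 1):
            if any(stream[j] != stream[j % klen] for j in range(n)):
                continue                    # not periodic with this key length
            # stream[j] is the key byte applied at file position offset+j;
            # rotate so that key[m] is the byte applied at position m.
            key = bytes(stream[(m - offset) % klen] for m in range(klen))
            if xor_bytes(data[:2], key) == b"MZ":   # confirm on the DOS header magic
                return key, offset
    return None


def classify_file(name: str, data: bytes):
    """Return (kind, findings); kind is 'pe', 'xor_pe' or 'unknown'."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    hit = recover_xor_key(data)
    if hit is None:
        kind = "unknown"
    elif set(hit[0]) == {0}:
        kind = "pe"
    else:
        kind = "xor_pe"
        findings.append(f"PE XOR-encoded with {len(hit[0])}-byte key {hit[0]!r}, crib at offset {hit[1]}")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append(f"named .{ext} but content lacks the {MAGIC[ext]!r} magic")
    if kind != "unknown" and ext in MAGIC:
        findings.append("executable content delivered under an image extension")
    return kind, findings


# Constructed sample: a minimal DOS header plus stub, then the same bytes
# encoded with the post's key "XORKEY" as if served under a .jpg name.
SAMPLE_PE = (b"MZ" + b"\x00" * 62
             + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
             + CRIB + b".\r\r\n$" + b"\x00" * 16 + b"PE\x00\x00" + b"\x00" * 32)
ENCODED_SAMPLE = xor_bytes(SAMPLE_PE, b"XORKEY")

if __name__ == "__main__":
    for fname, blob in (("scan.jpg", ENCODED_SAMPLE), ("tool.exe", SAMPLE_PE),
                        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 100)):
        print(fname, *classify_file(fname, blob))
```

The periodicity test is what makes this cheap: a 38-byte crib against a key of at most 8 bytes gives at least four full repetitions to compare, so random data almost never passes, and the MZ check at offset 0 rules out the rest. A stripped stub or a key longer than the crib defeats it, which is why a gateway should pair it with the simpler extension-versus-magic mismatch that already caught the .JPG in the post.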

2005 Cyber Crime Against Businesses

Thursday, September 25th, 2008

Security Focus is running an article about businesses hit by cyber crime in 2005. Their big point is that 2/3 of businesses reported some incident. Included in the “other incident” category, though, are phishing/DoS/adware/etc. My concern is more about the 33% of businesses that DIDN’T see that.

I currently have a customer that, officially, has never had a computer security incident. A pen test and log analysis proved that isn’t true, but my thought now is that the above suggests 33% of businesses share that same delusion.

Bank of America Phishing

Tuesday, September 16th, 2008

You all know I love phishing so here is a good one I saw today:

Received: from pool-68-236-35-77.phil.east.verizon.net ([68.236.35.77] RDNS failed) by mail.cyberwart.com with XYZ ; Tue, 16 Sep 2008 12:21:56 -0400
Date: Tue, 16 Sep 2008 14:34:23 +0000 (10:34 EDT)
Message-ID: <15752.ragunath@leison>
From: Bank Of America Account Support <manager#5412@bankofamerica.com>
To: XYZ@cyberwart.com
Subject: Bank of America Alert: SERVER UPDATE.
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_5sGpXHhyTCKKwH"
Return-Path: manager#5412@bankofamerica.com

Attention All Bank of America Customers.
Security & Fraud Protection Update.

At Bank of America, were committed to keeping your information confidential and secure, and we take that responsibility very seriously.
Our Fraud detection solution helps to protect your business against the risk of fraudulent transactions alerting you to potential risks.
We have developed the following protection tools to insure you confidentiality.

You can download the latest security pack from our Customer Service Department>>

Sincerely, Juliana Ballard.
2008 Bank of America Corporation. All rights reserved.
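The headers quoted above already give this one away before anyone reads the body: the first hop is a residential Verizon pool address whose reverse DNS does not match, the claimed bankofamerica.com sender was handed in directly from verizon.net, the Message-ID carries a bare "leison" domain, and the Date header trails the receiving server's clock by almost two hours. As an added example (not part of the post), the script below runs those checks over the quoted headers with the standard library's email parser. The "XYZ" placeholders are the post's own redactions; the residential-hostname pattern and the 30-minute skew threshold are assumptions a gateway would tune.

```python
"""Header heuristics for the Bank of America phish quoted in the post.
Added example; the patterns and thresholds are assumptions, not a standard."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Headers as quoted in the post ("XYZ" is the post's own redaction).
RAW_HEADERS = """Received: from pool-68-236-35-77.phil.east.verizon.net ([68.236.35.77] RDNS failed) by mail.cyberwart.com with XYZ ; Tue, 16 Sep 2008 12:21:56 -0400
Date: Tue, 16 Sep 2008 14:34:23 +0000 (10:34 EDT)
Message-ID: <15752.ragunath@leison>
From: Bank Of America Account Support <manager#5412@bankofamerica.com>
To: XYZ@cyberwart.com
Subject: Bank of America Alert: SERVER UPDATE.
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_5sGpXHhyTCKKwH"
Return-Path: manager#5412@bankofamerica.com

"""

# Hostname fragments that usually mean a consumer connection, not a mail server (assumed list).
RESIDENTIAL = re.compile(r"(?<![a-z])(pool|dsl|dyn|dhcp|cable|ppp|dialup)(?![a-z])", re.I)
MAX_SKEW_SECONDS = 30 * 60      # assumed tolerance between Date: and the receiving clock


def registrable_domain(host: str) -> str:
    """Last two labels; adequate for the .com/.net hosts here (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_received(value: str):
    """Pull (host, ip, rdns_note, timestamp) out of a 'Received: from ... ; date' header."""
    m = re.search(r"from\s+(\S+)\s+\(\[([\d.]+)\]\s*([^)]*)\)", value)
    host, ip, note = m.groups() if m else ("", "", "")
    stamp = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
    return host, ip, note.strip(), stamp


def analyze_headers(raw: str):
    """Return a list of (code, detail) findings for the first Received hop."""
    msg = message_from_string(raw)
    findings = []
    host, ip, note, received_at = parse_received(msg["Received"])
    _, sender = parseaddr(msg["From"])
    sender_domain = sender.rsplit("@", 1)[-1].lower()

    if "rdns failed" in note.lower():
        findings.append(("rdns-failed", f"{ip} has no reverse DNS matching {host}"))
    if RESIDENTIAL.search(host):
        findings.append(("residential-relay", f"handed in directly from {host}"))
    if registrable_domain(host) != sender_domain:
        findings.append(("sender-relay-mismatch",
                         f"claims {sender_domain} but arrived from {registrable_domain(host)}"))
    msgid_domain = msg["Message-ID"].strip().strip("<>").rsplit("@", 1)[-1].lower()
    if msgid_domain != sender_domain:
        findings.append(("msgid-domain-mismatch",
                         f"Message-ID domain {msgid_domain!r} does not match {sender_domain}"))
    skew = (received_at - parsedate_to_datetime(msg["Date"])).total_seconds()
    if abs(skew) > MAX_SKEW_SECONDS:
        findings.append(("date-skew", f"Date header is {skew:.0f}s off the receiving server's clock"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze_headers(RAW_HEADERS):
        print(f"{code:24} {detail}")
```

Each finding is a signal, not a verdict: plenty of legitimate bulk mail is relayed by a third party, so the sender/relay mismatch on its own would be noisy, and it is the combination of all five on one message that earns it a quarantine. Checking the first hop only is deliberate; later Received lines are written by the recipient's own servers and are the only ones that can be trusted.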

The page is as follows:

ActiveX

Sunday, September 14th, 2008

It’s become apparent that the traditional pen test is dying out. The pen test is evolving and is still very relevant, but the nmap, Nessus, Metasploit days are passing. Most enterprises now run their own Nessus scans or have third-party scanning vendors, so traditional remotely exploitable network vulns are becoming increasingly rare. One of the ways G2 compensates is by building phishing and/or web attacks.

I was recently tasked with building an ActiveX control that loads G2insider (our remote access trojan). Surprisingly, it’s very difficult to find documentation on how to write ActiveX controls. I found the following links helpful:

  • http://msmvps.com/blogs/pauldomag/archive/2006/08/16/107758.aspx
  • http://dotnetwithme.blogspot.com/2007/07/activex-programming-using-visual-studio.html

There were a couple of caveats for VS2008, but nothing too troubling.

Initially, I planned to move the code from G2insider into the ActiveX control. That would have been too painful though, so in the end I wrote a simple loader. The control creates an HTTP connection, pulls the file, writes it to disk, and runs CreateProcess(). Wham bam, remote access tool installed!

The next thing I want to do is find some old code I have to load a PE (executable) from a buffer into a loaded executable. That task is a little tricky, but for non-weird PEs my simple loader usually works. The benefit here is that you don’t have to write to disk.

Memories from Vegas

Saturday, September 13th, 2008

This is embarrassing:

http://www.purethenightclub.com/reserve/includes/contacts.csv