Saturday, December 31, 2011

APT Attack against Hong Kong Political Parties

Story
Recently I received two samples from two fellows who work in a political party. They are all about the election of the coming Chief Executive; meanwhile, those fellows have recently joined the election as well. So I simply submitted the samples to various sandboxes and engines for analysis.

Wepawet:-
Basically, if you pass these two samples to Wepawet for analysis, it hangs, which sucks.



JSUNPACK:-
If I pass them to JSUNPACK, it shows some decoded script. To be frank, it doesn't help me at all, although it is good to see that it at least decodes a lot.


GFI Sandbox:-

Afterwards I submitted the samples to GFI Sandbox. It seems it cannot handle files with Chinese filenames, so let me change to an English one. The analysis tells me there is nothing wrong with the sample, and I cannot even get a result for the other sample (aha, maybe the engine is struggling with the decoding :)):

SandBox results for 111226EC_members_contact list.pdf
Analysis ID: 3053
Date Analyzed: 2011-12-30 13:13:56
Sandbox Attributes: IE 9, Office 2003, Adobe Reader 9.4, Flash 10.1, Java 6
MD5 Hash: cd151586b11090878fc495f3cea59525
Filename: 111226EC_members_contact list.pdf
File Type: PDF document, version 1.7
Digital Behavior Traits
Injected Code NO
More than 5 Processes NO
Copies to Windows NO
Windows/Run Registry Key Set NO
Makes Network Connection NO
Creates EXE in System NO
Starts EXE in System NO
Starts EXE in Documents NO
Deletes File in System NO
Hooks Keyboard NO
Creates Hidden File NO
Creates DLL in System NO
Creates Mutex YES
Alters Windows Firewall NO
Checks For Debugger NO
Could Not Load NO
Opens Physical Memory NO
Modifies Local DNS NO
Starts EXE in Recycle NO
Creates Service NO
Modifies File in System NO
Deletes Original Sample NO
VirusTotal Results
No Results

Manual Decoding Kungfu:-
I used the typical manual analysis "kungfu", including JavaScript extraction and shellcode identification, but it does not help to identify the exploit. The finding is that the samples use a lot of simple but annoying obfuscation (4 diagrams shown below). I do feel disappointed with the above sandboxes and analysis tools, which can't readily help researchers.

XecScan Engine:-
However, let me try it out with our Xecure engine: we identified both samples as exploiting CVE-2009-4324 and CVE-2010-2883 (credit to Mila Parkour, as she got this one out ;-)). I found that the samples do not originate from any big and major evil task force; it looks like a new, emerging one. Finally, I say "Good Luck" to my fellows.



Tuesday, December 13, 2011

Adobe failed to patch the U3D 0day Exploit (CVE-2011-2462) on time as promised

Xecure Lab's free online APT scanning service, XecScan (http://scan.xecure-lab.com), successfully identified a new vulnerability being actively exploited in targeted attacks, and Adobe has released a security advisory for this critical issue as the U3D memory corruption vulnerability (CVE-2011-2462).

Originally Adobe aimed to ship an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011; however, a security patch for CVE-2011-2462 is still not available.

Over the past week we have received three different MD5 versions of the APT samples, and they all point to the same known APT attack group.


As it is a U3D vulnerability, we found that all samples contain U3D-related strings.

MD5 of our CVE-2011-2462 samples:
  1. 409256cfdeb1932392aa7e63ccb38644
  2. c72484172babcc53fcb28e9427283d95
  3. 721fda5df552f4130218ad9bd2a4ab78
Suggestions for Mitigation:

  • If you're our XecMail customer, there is nothing to worry about; such APT emails would be identified.
  • If you favor manual inspection, please look for U3D-related patterns.
  • Once again, there is always our free XecScan service that you can leverage to scan any suspicious document.
  • Lastly, the official patch from Adobe should be available pretty soon.
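The manual check suggested above (look for U3D-related patterns) can be scripted. The following is an added example, not Xecure Lab's own tooling: it searches both the raw file and every FlateDecode stream it can inflate, since the 3D dictionary may sit inside a compressed object, and the PDFs it builds are constructed stand-ins, not the samples the post describes.

```python
import re
import zlib

# U3D markers from the PDF 1.7 spec (3D stream /Type and /Subtype keys, the /3D
# annotation key) plus the bare "U3D" token the post says every sample carried.
U3D_MARKERS = {
    "u3d-subtype": re.compile(rb"/Subtype\s*/U3D\b"),
    "3d-type": re.compile(rb"/Type\s*/3D\b"),
    "3d-key": re.compile(rb"/3D\b"),
    "u3d-string": re.compile(rb"U3D"),
}

# Body of every "stream ... endstream" object; DOTALL because bodies are binary.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(pdf_bytes):
    """Yield the decompressed body of each stream that inflates as FlateDecode.
    decompressobj() tolerates the EOL left before 'endstream'; streams with other
    filters, or corrupt ones, are skipped (their raw bytes are still searched)."""
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue


def scan_for_u3d(pdf_bytes, inflate=True):
    """Return the names of U3D markers found in the raw file and, if inflate is
    True, inside any FlateDecode stream. An empty set means no marker was seen."""
    blobs = [pdf_bytes] + (list(inflate_streams(pdf_bytes)) if inflate else [])
    return {name for name, pat in U3D_MARKERS.items()
            if any(pat.search(blob) for blob in blobs)}


def build_sample(hide_in_stream):
    """Constructed stand-in PDF for testing, not a real malicious sample. With
    hide_in_stream=True the 3D dictionary exists only inside a FlateDecode
    stream, so a plain string search over the file misses it."""
    dict3d = b"<< /Type /3D /Subtype /U3D /Length 0 >>"
    if hide_in_stream:
        body = zlib.compress(dict3d)
        obj = (b"5 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n"
               % len(body)) + body + b"\nendstream\nendobj\n"
    else:
        obj = b"5 0 obj\n" + dict3d + b"\nendobj\n"
    return b"%PDF-1.7\n" + obj + b"%%EOF\n"
```

On a real file, `scan_for_u3d(open(path, "rb").read())` returns the markers seen; comparing it with `inflate=False` shows whether the marker was only visible after decompression. Streams using filters other than FlateDecode (or object streams nested inside them) are not inflated here.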






We have free anti-APT services for the community:

  • XecMail Cloud is an online APT scanning service for your Gmail account.
  • XecScan is an online APT scanning service for your local documents.

Sunday, December 11, 2011

CVE-2011-2462: Xecure Lab detects the latest PDF zero-day exploit

Ahead of traditional security appliances, Xecure Lab detected samples of the CVE-2011-2462 U3D 0-day exploit in active use in APT attacks!

Xecure Lab's free online APT quick-scan service ( )
caught the latest PDF 0-day exploit, CVE-2011-2462, the day before yesterday, and the exploit is already being used in APT attacks.

(This post doubles as a plug for our services...)

Tuesday, December 6, 2011

Cyber threat secrets revealed: understand APT in 40 minutes!

Security incidents kept multiplying in 2011, and more and more people are pointing the finger at hard-to-detect APT attacks. How wonderful!

So what exactly is APT? Can you eat it? When we spoke at the AVTokyo hacker conference in Japan last month, the audience joked that apt-get is super handy (Wikipedia: Advanced Packaging Tool).

The US Air Force (USAF) coined the term APT in 2006 to refer to attacks by cyber armies. So however hard the full name "Advanced Persistent Threat" is to remember, and however little the Chinese translation "進階持續性威脅" conveys, in plain terms APT is a kind of threat source, one with a keen nose: wherever there is gold, that is where it digs!

What does that mean?

Hackers used to attack the weakest point; now they attack where the value is!

The well-known barrel theory tells us that an organization's level of information security is determined by the shortest stave in the barrel: water is bound to leak there, because that is the weakest point.
As long as we gradually raise our defenses, we gradually lower the odds of being attacked, because hackers used to pick the soft targets, getting the most compromised machines and data for the least attack effort.

APT is different!

You used to only need to defend better than your neighbour; now you have to be better than the hacker!

Since 2003 we have consistently observed one cyber-army attack pattern that is especially hard to fend off: malicious email. Put bluntly, whenever you receive an email with an attachment and the antivirus says it is fine, what is there to fear in opening it? What? It looks like spam? Sharp eyes. When the hacker sees you did not take the bait, they keep doing their homework, reconnoitring your social network and your work assignments, and each message looks more genuine than the last; one day you will bite.

No worry. Be happy.

The free online APT malicious-document scanning service XecScan (http://scan.xecure-lab.com) that we launched a while ago is meant to solve exactly this problem.

And now we are launching a free online APT Gmail check service, XecMail for Gmail (http://xecmail.xecure-lab.com/). Enter your Gmail account and, via Google authorization (no password required), XecMail performs a one-time APT malicious-document scan of that account's past 3 months of email. This free service may be used once per account per day.

Farewell 2011, onward to 2012!

Xecure Lab's last public talk of the year is today, 12/06 (Tuesday).
Birdman takes the stage to entertain everyone with "Cyber threat secrets revealed: understand APT in 40 minutes!" (2012 Security Trends Forum: Change Your Mindset on Security)
Come and join us for a friendly exchange.

Saturday, November 12, 2011

The new free APT forensics service is live: XecScan release!

The new free APT forensics service is live
XecScan http://scan.xecure-lab.com/

This is the revamped version of the former aptdeezer, and the name has changed with it. As before, it focuses on analyzing APT malicious documents, so EXE analysis is not supported :P

In addition to the original APT sample clustering, this release adds malware forensics report analysis: it analyzes APT malware through a non-VM and extremely specialized analysis method. In short, just use it a lot :)

Sometimes many others are uploading ahead of you; please be orderly and wait your turn patiently :D

This new feature is still in beta and further revisions will follow; please test it as much as you can and give us more suggestions!

info@xecure-lab.com
Yours sincerely, the lab janitors

Tuesday, October 11, 2011

An exploit sample for CVE-2009-3129 was found in APT activity!


In a recent APT attack, Xecure Lab discovered a fresh and tasty malicious document. Not only does the sample make rare use of the CVE-2009-3129 (MS09-067) exploit, it targets users of MS Excel 2002 through 2007.

Type : XLS
MD5 : 8c711e4b10e0e327bebc7b220416ff59
Malware : 2011-09-30

The malware used by the sample was only produced around 2011-09, so it is still piping hot. According to our automated malware forensics, it is a relatively new variant: it injects a DLL and code into the IE browser and then communicates outward; the command-and-control relay is http://nod32.mobwork.net (which currently resolves to no IP).



We call out this vulnerability specifically because such attacks had almost never been seen before. We observed this exploit appearing in APT malicious emails and believe a large wave of attack activity will follow.

If you have samples that need APT attack assessment, send them to us at support@xecure-lab.com or use our online APT quick-scan service directly at http://aptdeezer.xecure-lab.com

Thursday, September 29, 2011

Clearing up some misunderstandings about the EasyCard incident [repost]

Regarding the EasyCard incident, a lot of armchair "teachers" have appeared online lately,
such as teacher Chen X-cheng, who insists he is somehow HIT staff...
>_< Good grief, where did this guy come from... he has probably never even attended HIT (Teachers' Day just passed, so I must hold back from saying anything rude)
http://www.chen0001.idv.tw/
I recommend teacher Chen appear on "Critical Moment"...

--- [HIT official statement]
Clearing up some misunderstandings about the EasyCard incident. Regarding the EasyCard incident, almost none of the people speaking on behalf of the hacker conference online or in the news so far are our members, and there is a lot of misinformation. To prevent the public from forming a mistaken impression of or misunderstanding the hacker conference, we would like to use this announcement to clarify things.
http://blog.hitcon.org/2011/09/blog-post.html [more]

Wednesday, September 28, 2011

Our member Anthony will present Xecure Lab's APT research at the OpenGroup conference in October

Our member Anthony will present Xecure Lab's APT research at the OpenGroup conference in Taipei on October 25 this year.
There are several more conferences in the second half of the year, where we will keep presenting APT-related research; stay tuned~~

Advanced Persistent Threat (APT) DNA Clustering and Defense "Kungfu"

Tuesday, October 25, 2:30 - 3:00


http://www3.opengroup.org/taipei2011/presentation-details



Advanced Persistent Threats (APT) (a.k.a. targeted attacks from cyber taskforces) may not be seen in the wild but instead target a specific organization or company, as in the incidents at RSA, Lockheed Martin, and Mitsubishi Heavy Industries. This entirely new class of threat cannot be dealt with by traditional virus detection and IDS/IPS.
We will share our research on clustering APT samples from various task forces in Asia and demonstrate the tool called APT Deezer and a tool that detects emails carrying APT document attachments, for enterprise defense.
Anthony Lai specializes in penetration testing, code audit, crime investigation and threat analysis. He founded VXRL (Valkyrie-X Security Research Group, http://www.vxrl.org) after attending DEFCON 15, connecting with and learning from hackers and security researchers around the world.
Anthony formed Xecure Lab (http://www.xecure-lab.com) with Birdman and Benson from Taiwan. He undertakes APT and threat research and provides corresponding enterprise defense and services. Anthony has spoken at Blackhat USA 2010, DEFCON 18, DEFCON 19, and Hack In Taiwan 2010 and 2011, and holds SANS GREM Gold, GCFA and GWAPT certifications.

Wednesday, August 17, 2011

Xecure Lab featured in Hong Kong's Next Magazine



Today (8/18) Hong Kong's Next Magazine (壹週刊) ran an extensive report on how websites across Hong Kong are generally left undefended. Last week the Hong Kong Stock Exchange was hacked, causing abnormal trading in several stocks and ultimately a half-day suspension across the board. For this story Next Magazine interviewed Xecure Lab co-founder Anthony Lai for an in-depth look at the state of website security across Hong Kong, and used it to urge the Hong Kong government to strengthen security awareness. The ultimate anti-hacking tip: when you receive a suspicious file and suspect it has cleverly slipped past your antivirus, bring it on, our Xecure Lab APT Deezer http://aptdeezer.xecure-lab.com/ has your back.


Saturday, August 6, 2011

Xecure Lab at Defcon 19

Last year thousands of Defcon folks had to squeeze into the Riviera, and it was a nightmare to move between tracks; this year, thanks to the Defcon goons for choosing the Rio, the venue is big and cozy! It feels like paying for a Defcon ticket and enjoying a Blackhat venue! xd

Our talk, APT Secrets in Asia, was given on the first day, first session. We really appreciate everyone who came over and stayed with us for almost 2 hours. The talk was rejected by Blackhat 2011 but accepted by Defcon 2011; otherwise we wouldn't have had the chance to share it with the security community. As we have always believed, hackers and security gurus should team up, have fun, and together outsmart the attackers and bring them into the light.

Special thanks to many good friends of ours: Mila, you inspired us; TT and Nanika, you guys sitting in the first row, awesome; Birdman, PK, Mars, Bob, safeguarding our home base so that the system ran very smoothly and did not get owned, which saved Anthony and Benson on the stage; and buddies from the Chroot security group in Taiwan, you are always with us. Several respected seniors also flew over for the talk, and we really appreciate their support. Thank you mama!

This year we developed a free APT online scanning service,
Xecure Lab APT Deezer, http://aptdeezer.xecure-lab.com/, and it is now available to everyone*. APT Deezer tells you whether a document is APT-related or not and provides a visualization of the analysis data (clustering of APT taskforces). Both file names and MD5s are rounded off a bit to keep anonymity. If you have further concerns or questions, feel free to write us at benson.wu (at) xecure-lab dot com
*Disclaimer: We have no interest in your PII; we will not collect any of your identity information, e.g. your IP, your geographical location, and so on.

Oh, this time the Defcon badge is not electronic, but a piece of metal, made from commercially pure titanium. Awesome. (The Blackhat badge is made from Nylon as usual)


The badge on the left is the speaker badge, the one on the right is the human badge, there are also (G)oon, (P)ress, (V)endor, (C)ontest, (U)ber, etc. Enough variants to entertain everyone.

Anyway, the antiqued badge is cool, and moving to a puzzle based reality game is something different.


We want all these swag, but cash only... -.-



More readings:

Sincerely yours,
Xecure Lab team

Monday, August 1, 2011

Korea's largest social networking site hacked, 35 million users' data leaked; was Taiwan actually an accomplice of the hackers!?

Sina Tech, Beijing, July 28 morning: Due to a hacker attack on South Korean internet company SK Communications, the personal information of 35 million Korean internet users was leaked, including 25 million users of Cyworld, Korea's largest social networking site.
  SK Communications owns the social networking site Cyworld and the search engine Nate. The company said on Thursday that the attack led to the leak of users' names, phone numbers, email addresses, resident registration numbers and passwords.
  SK Communications stated: "The company has confirmed that the user information leak originated from a hacker attack on July 26. The scale of the attack is still under investigation. An estimated 35 million Nate and Cyworld users had their personal information stolen."

Saturday, July 23, 2011

Ask for "Xecure Lab" by name: the APT Deezer malicious-file quick-scan service ;-)

The Xecure Lab team launched this free APT [note] malicious-file quick-scan service at the Hack In Taiwan conference. It can tell you whether the suspicious document in your hands 1) is a malicious file, 2) which CVE it exploits, and 3) which group it belongs to. If it belongs to the biggest "blob", then you are not just somebody, you are a big shot!! (all the more so because ordinary people very rarely receive APT malicious documents), so please stay very careful at all times...

Note: APT (Advanced Persistent Threat) is an organized, planned, lingering form of cyber attack that can be regarded as "state-level information warfare".

Xecure Lab APT Deezer
aptdeezer.xecure-lab.com

Recently we have been sharing what Xecure Lab has seen, heard and learned about APT at various events:


Like what we are building? Feel free to write to us ;-)




Thursday, May 26, 2011

Xecure Lab is going abroad~ to Defcon, to talk about the APT secrets of Asia

A report to the folks back home: the Xecure Lab team's research, APT Secrets in Asia, was selected in the first round of this year's Defcon 2011, which is very gratifying; the Blackhat 2011 agenda should also be announced soon.

Until this year, monitoring web pages for injected malware, source code review, static signature matching and dynamic sandbox behaviour analysis were our daily bread; this year the gang got back together with undiminished enthusiasm, because the world changes very fast, we are far from satisfied with these, and we want to keep innovating.

That is when APT came knocking. Folks may wonder who that is...? For the United States, the world's superpower, APT (Advanced Persistent Threats) has been the top priority of its nationwide defense in cyberspace in recent years: Operation Aurora, the much-publicized attack on Google last year, and the intrusion into RSA early this year that made off with data related to two-factor authentication, with both companies ruefully saying they had faced APT attacks they could not fend off. At the end of 2010, the first line of defense to be strengthened in the Department of Defense's (DoD) latest protection review to the White House was "Detect & Counter Advanced Persistent Threats".

But the foreigners' APT concept is too abstract, and the Chinese explanation is not much help either: "advanced, persistent, threat", and what targeted attack isn't like that...? For Xecure Lab, APT is simply "what the antivirus can't find!" Short and clear; class dismissed. XD

What is righteous? What is evil? Is the US the most righteous? Everyone must be laughing. Attackers attack to make a living, and so do defenders; otherwise neither could get by. One side looks for any crack to exploit, the other tries to be watertight, and the slightest imbalance sends an army crumbling.

In this talk we will present analysis results and research findings from many APT samples; stay tuned.

Finally, Xecure Lab thanks the public-spirited PK and mila; we are not alone on this path!

For the record, Blackhat and Defcon are the two top annual security conferences in the world. The two agendas overlap a lot, and every year they are held back to back at neighbouring venues. Blackhat uses price to limit attendance, pushing tickets to around US$2,500 (about NT$75,000); it is held in spacious top-tier hotels, and the thousands of attendees it draws are mostly senior executives representing companies and government officials. Defcon, by contrast, uses price to maximize attendance, keeping tickets at around US$150 (about NT$4,500), and the tens of thousands of attendees it draws are almost all players from the security scene.

We'll report back to the folks on whatever fun we see and hear this time ;-)