Saturday, December 31, 2011

APT Attack against Hong Kong Political Parties

Story
Recently I received two samples from two acquaintances who work in a political party. Both relate to the upcoming Chief Executive election, and both of them have recently joined the race themselves. I simply submitted the samples to various sandboxes and engines for analysis.

Wepawet:-
Basically, if you pass these two samples to Wepawet for analysis, it simply hangs, which is no use at all.

JSUNPACK:-
If I pass them to JSUNPACK, it shows some decoded script. To be frank, it doesn't help me much at all, though it is good to see that at least it decodes a lot.


GFI Sandbox:-

Afterwards I submitted the samples to GFI Sandbox. It seems it cannot handle files with Chinese filenames, so I renamed them in English. The analysis reported nothing wrong with one sample, and I could not even get a result for the other (perhaps the engine was struggling with the decoding :)):

SandBox results for 111226EC_members_contact list.pdf
Analysis ID: 3053
Date Analyzed: 2011-12-30 13:13:56
Sandbox Attributes: IE 9, Office 2003, Adobe Reader 9.4, Flash 10.1, Java 6
MD5 Hash: cd151586b11090878fc495f3cea59525
Filename: 111226EC_members_contact list.pdf
File Type: PDF document, version 1.7
Digital Behavior Traits
Injected Code NO
More than 5 Processes NO
Copies to Windows NO
Windows/Run Registry Key Set NO
Makes Network Connection NO
Creates EXE in System NO
Starts EXE in System NO
Starts EXE in Documents NO
Deletes File in System NO
Hooks Keyboard NO
Creates Hidden File NO
Creates DLL in System NO
Creates Mutex YES
Alters Windows Firewall NO
Checks For Debugger NO
Could Not Load NO
Opens Physical Memory NO
Modifies Local DNS NO
Starts EXE in Recycle NO
Creates Service NO
Modifies File in System NO
Deletes Original Sample NO
VirusTotal Results
No Results

Manual Decoding Kungfu:-
I applied the usual manual-analysis "kungfu", including JavaScript extraction and shellcode identification, but it did not help identify the exploit either. What I did find is that the samples use a lot of simple but annoying obfuscation (4 diagrams shown below). I am disappointed with the sandboxes and analysis tools above, which really do not help researchers much.

XecScan Engine:-
However, running them through our Xecure engine, we identified both samples as exploiting CVE-2009-4324 and CVE-2010-2883 (credit to Mila Parkour, who got this one out ;-)). I found that the samples do not originate from any big, major threat group; it looks like a newly emerging one. Finally, I wish my fellows "Good luck".

Tuesday, December 13, 2011

Adobe failed to patch the U3D 0day Exploit (CVE-2011-2462) on time as promised

Xecure Lab's free online APT scanning service, XecScan (http://scan.xecure-lab.com), successfully identified a new vulnerability being actively exploited in targeted attacks, and Adobe has since released a security advisory for this critical issue, the U3D memory corruption vulnerability (CVE-2011-2462).

Originally Adobe aimed to release an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011; however, a security patch for CVE-2011-2462 is still not available.

Over the past week we have received three APT samples with different MD5 hashes; however, they all point to the same known APT attack group.

Since this is a U3D vulnerability, we found that all samples contain U3D-related strings.

MD5 of our CVE-2011-2462 samples:
  1. 409256cfdeb1932392aa7e63ccb38644
  2. c72484172babcc53fcb28e9427283d95
  3. 721fda5df552f4130218ad9bd2a4ab78
Suggestions for mitigation:

  • If you are a XecMail customer, there is nothing to worry about: such APT emails will be identified.
  • If you prefer manual inspection, look for U3D-related patterns in the document.
  • Once again, our free XecScan service is always available to scan any suspicious document.
  • Lastly, the official patch from Adobe should be available fairly soon.
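A manual pattern check of the kind suggested above, written here as an added example (it is not Xecure Lab's code and not XecScan): it looks for 3D-annotation and U3D markers, inflating FlateDecode streams so that content hidden in compressed streams is not missed, and also notes JavaScript actions, which exploit documents frequently carry. The PDF bytes it scans are constructed for the demonstration; the samples listed above are not reproduced.

```python
import re
import zlib

# Markers worth looking for: 3D annotations and U3D streams (PDF 1.7 3D artwork)
# plus JavaScript actions, which exploit documents often carry as well.
U3D_MARKERS = [("3D annotation", rb"/Subtype\s*/3D\b"), ("U3D stream", rb"/Subtype\s*/U3D\b"),
               ("3D data reference", rb"/3DD\b"), ("U3D literal", rb"U3D")]
JS_MARKERS = [("JavaScript action", rb"/JavaScript\b"), ("JS entry", rb"/JS\b")]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def stream_bodies(data: bytes) -> list:
    """Return every stream body, raw and (if it inflates) zlib-decompressed,
    so a marker sitting inside a FlateDecode stream is not missed."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        bodies.append(raw)
        try:
            bodies.append(zlib.decompress(raw))  # FlateDecode streams
        except zlib.error:
            pass  # not zlib data or truncated: keep the raw body only
    return bodies

def scan_pdf(data: bytes) -> dict:
    """Report which U3D and JavaScript markers appear in the file body or in
    any stream; a single U3D hit is enough to pull the file for review."""
    blobs = [data] + stream_bodies(data)
    found = {"u3d": [], "js": []}
    for key, markers in (("u3d", U3D_MARKERS), ("js", JS_MARKERS)):
        for label, pat in markers:
            if any(re.search(pat, b) for b in blobs):
                found[key].append(label)
    found["suspicious"] = bool(found["u3d"])
    return found

def build_sample_pdf(plain_markers: bool = True) -> bytes:
    """Constructed test document (not a real sample): a Flate-compressed
    stream holding U3D model data, optionally declared as a 3D annotation,
    plus a JavaScript action. With plain_markers=False only the inflated
    stream reveals the U3D content, so plain string search would miss it."""
    stream = zlib.compress(b"U3D\x00 constructed model data")
    body = b"%PDF-1.7\n"
    if plain_markers:
        body += b"1 0 obj << /Type /Annot /Subtype /3D /3DD 2 0 R >> endobj\n"
    body += (b"2 0 obj << " + (b"/Type /3D /Subtype /U3D " if plain_markers else b"")
             + b"/Filter /FlateDecode /Length " + str(len(stream)).encode()
             + b" >>\nstream\n" + stream + b"\nendstream\nendobj\n")
    body += b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n"
    return body
```

Real documents may also hide markers behind other filters (ASCIIHex, LZW) or object streams, so treat a clean result from this check as "nothing obvious", not as proof the file is benign.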

We offer free anti-APT services to the community:

  • XecMail Cloud is an online APT scanning service for your Gmail account.
  • XecScan is an online APT scanning service for your local documents.

Sunday, December 11, 2011

CVE-2011-2462: Xecure Lab detects the latest PDF zero-day exploit

Xecure Lab, ahead of conventional security appliances, has detected samples of the CVE-2011-2462 U3D 0-day exploit being used in APT attacks!

Xecure Lab's free online APT rapid-screening service ( ) captured the latest PDF 0-day exploit, CVE-2011-2462, the day before yesterday, and the exploit is already being used in APT attacks.

(This post doubles as a bit of a sales pitch...)

Tuesday, December 6, 2011

Unveiling the secrets of cyber threats: understand APT in 40 minutes!

Security incidents kept multiplying in 2011, and more and more people point the finger at hard-to-detect APT attacks. Marvellous!

So what exactly is APT? Can you eat it? When we spoke at the AVTokyo hacker conference in Japan last month, the audience joked that apt-get is really handy (Wikipedia: Advanced Packaging Tool).

The US Air Force (USAF) coined the term APT in 2006 to refer to attacks by state cyber forces. So however hard the full name "Advanced Persistent Threat" is to remember, and however baffling the Chinese translation 「進階持續性威脅」 sounds, seriously speaking, APT is a type of threat source, one with a keen nose: wherever the gold is, that is where it digs in!

What does that mean?

Hackers used to attack the weakest spot; now they attack the most valuable spot!

The well-known bucket theory taught us that the level of information-security protection is determined by the height of the shortest plank, because that is where the water leaks out: it is the weakest point.
As long as we raised our defences step by step, we could gradually reduce the chance of being attacked, because when hackers picked targets they went for the soft persimmons, aiming to compromise as many machines and as much data as possible for the least attack effort.

APT is different!

It used to be enough to defend better than your neighbour; now you have to be better than the hacker!

Since 2003 we have continually observed one particularly hard-to-counter cyber-force attack pattern: sending malicious email. To put it bluntly, whenever you receive an email with an attachment and the antivirus says it is clean, what is there to fear in opening it? What? It looks like spam? Sharp eyes, sir. Seeing that you did not take the bait, the hacker keeps doing homework, reconnoitring your social network and your work assignments, and every message looks more convincing than the last; one day you will bite.

No worry. Be happy.

The free online APT malicious-document scanning service we launched a while ago, XecScan (http://scan.xecure-lab.com), is meant to solve exactly this problem.

And now we are launching a free online APT check for Gmail, XecMail for Gmail (http://xecmail.xecure-lab.com/): enter your Gmail account and authorise it through Google (no password required), and XecMail performs a one-off scan of the past 3 months of email in that account for APT malicious documents. This free service may be used once per account per day.

Farewell 2011, onward to 2012!

Xecure Lab's last public talk of the year, 12/06 (Tue), is today:
Birdman (鳥人) takes the stage to entertain everyone with "Unveiling the secrets of cyber threats: understand APT in 40 minutes!" (2012 資安趨勢論壇 / Information Security Trends Forum: a fresh mindset for security).
Everyone is welcome to come and exchange ideas.