Using JSDetox to Analyze and Deobfuscate Javascript

Published: 2012-06-25. Last Updated: 2012-06-25 22:49:12 UTC
by Guy Bruneau (Version: 1)
2 comment(s)

Last week Daniel published the diary Run, Forest! If you are using Snort IDS and running some of the Blackhole signatures from Emerging Threats, you most likely noticed they trigger on Blackhole regularly. Using JSDetox, you can finally view the content of these scripts. All you need is a copy of the script and install JSDetox on a Linux system (mine is running on Slackware).

Steps to Decode Java Obfuscated Script

1- Copy the code into the Code Analysis window and select Analyze.


 

2- The script will then be formatted in the Code Formatted window.

 


 

3- Select Execute, then select Show Code and Send to Analyze to show the script in its actual deobfuscated form.

 

The final result is quite similar to the Wepawet report in Daniel's diary.


[1] http://www.relentless-coding.com/projects/jsdetox
[2] https://isc.sans.edu/diary.html?storyid=13540
[3] http://wepawet.iseclab.org/view.php?hash=e89cfa2fa6a91f90cfeb125c10c1f0f&t=1340389400&type=js
[4] http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-current_events.rules
[5] http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
 

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

2 comment(s)

Belgian online banking customers hacked.

Published: 2012-06-25. Last Updated: 2012-06-25 21:43:56 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

According to this newspaper article (in Dutch), the Belgian government has arrested 2 Russian and 2 Polish nationals -legally in the country- in connection to stealing 3 million EURO through hacking online banking customers.

The article reminds me a lot of a diary we brought in 2007 of a Dutch bank being hacked.In the end they managed to arrest the money mules in that case. It seems they got one step closer to those behind it this time.

It seems customers of 5 large Belgian banks were hit by malware, money was then transferred via mules - who got to keep 5 to 10% of the amount stolen and then our 4 friends above collected it.

Now almost all large Belgian banks use solid protection for their online banking: 2 factor authentication using offline hardware tokens, different procedures for authenticating and authorizing ("signing") transactions -well one of them isn't doing this essential step-, awareness campaigns towards their customers, ...  And still the malware appears to have pulled off the job.

Luckily money leaves a trail that can be followed and lead to arrests of these -no doubt- mere middle men. The investigation is said to focus on a "criminal organization".

Interesting are the numbers they got:

  • one bank: 7500 customers for a total of 1836130.52 EURO
  • second bank: 4900 customers for 1496012 EURO
  • [no data on the other 3 banks]

That's from about 250 to slightly over 300 EUR average per victim - not a huge amount. Still, given enough victims it does add up to significant amounts.

If you're using one of these advanced systems for your online banking: make sure to always validate the transactions before you authorize them, not trusting anything you see on the screen, check what you sign: the amount has to match up! Don't just match up large amounts or most significant digits or so: they're stealing hundreds, not tens of thousands in one go. Also with the upcoming holiday season out here: do only use computers you can trust to be malware-free to do online banking, so avoid cybercafes and other public computers to access your online banking.
Now don't gloat if you're not on one of these systems: you're far more vulnerable.

I've no more details at this point - and with an ongoing investigation we're not going to get all that much details of the malware and/or who's behind it for sure.

--
Swa Frantzen -- Section 66

Keywords: bank malware
0 comment(s)

Issues with Windows Update Agent

Published: 2012-06-25. Last Updated: 2012-06-25 20:30:07 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

Microsoft has released an Important update to the Windows Update function (Windows Update Agent 7.6.7600.256) because users have been experiencing update issues. Some users experience failed installation with error code 80070057 or 8007041B. Microsoft has provided a "Fix it" tool that can be directly downloaded here for those cases that won't automatically apply the update and the Knowledge Base article located here. Have you been experiencing this issue? Please let us know!

[1] http://support.microsoft.com/kb/949104
[2] http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/d046bce8-38dd-4be5-8abb-5486200379a6/
[3] http://isc.sans.edu/diary.html?storyid=13453

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

1 comment(s)

Targeted Malware for Industrial Espionage?

Published: 2012-06-25. Last Updated: 2012-06-25 04:19:38 UTC
by Rick Wanner (Version: 1)
1 comment(s)

A number of sites have published an analysis of relatively new malware, ACAD/Medre.A. While we have had some highly specialized malware in recent years like Stuxnet, which targeted Iranian nuclear facilities, and most modern malware seems to have a data exfiltration component, ACAD/Medre.A is somewhat unique in that it seems to be highly targeted and specialized.

The current version of ACAD/Medre.A seems to be targeted at AutoCAD files hosted at IP addresses in Peru. AutoCAD is popular software used to create blue prints, and hardware and chip designs. Obviously these files are valuable intellectual property for the owning company.

ACAD/Medre.A is not just thrown together, low quality malware. Analysis reveals it is well written; at a level that suggests an experienced malware writer wrote it. Some have speculated that this ACAD/Medre.A was been created by a competitor to target a particular Peruvian company.

My belief is that one of two possibilities are more likely. Either it is a limited test of a new malware concept that will be unleashed on the general world in the future. The malware is written using AutoLISP, the AutoCAD built in scripting language. To the best of my knowledge the first malware written in this language. Another possibility is that it is a targeted intellectual property attack by one of the organized malware groups. This malware exfiltrated data to two email addresses in China; while this may provide a clue, it does not really help in identify the involved group.

Who the actors are and what their intentions are is largely irrelevant to us as security practitioners. This type of attack just reiterates that a large part of securing your organization is not technical, but in understanding what data your company owns and needs to protect. Every organization needs policies and procedures for accurately classifying data. Sounds simple in concept, but most organizations struggle to accurately classify data and maintain classification through the data lifecycle. Only once you have a clear understanding of what your most sensitive data is, and where it is stored, can you design and implement controls to protect that data.

What steps have you taken to aid in the accurate classification of your organization’s data?
 

 

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

1 comment(s)
ISC StormCast for Monday, June 25th 2012 http://isc.sans.edu/podcastdetail.html?id=2623

Comments


Diary Archives