Thursday, June 12, 2014

Tweetdeck XSS Vulnerability Cause User Auto-Retweet

As I'm one of the Tweetdeck user, somebody has post new XSS on twitter causing thousand of user automatically retweet the XSS script message. This is only affected on TweetDeck on browser so far.


An example of post has been retweet.


An example of XSS message poping up. Once user click OK, it will retweet the post.



By the time this is happened, Tweetdeck server temporarily down for awhile for fixing and 40k of retweeted post has been done.

~ alternat0r

Wednesday, April 9, 2014

HeartBleed May 'Broken Your Heart' as Data Leaks

Recent OpenSSL bug called Heartbleed (CVE-2014-0160) causing million of website in trouble. Heartbleed test developed by Filippo Valsorda has been release as open source. I just give some play around with Heartbleed.

BTW, What is Heartbleed bug? Heartbleed bug is actually vulnerability on OpenSSL cryptography library that cause any user to read system memory (Affected on vulnerable version only).

Dalam bahasa Malaysianya, ia adalah kelemahan yang terdapat pada library kriptografi perisian OpenSSL yang membolehkan pengguna luar membaca sistem memori (terjejas pada versi tertentu sahaja).

As I giving test to several Malaysia website, most critical organisation website exposed to this vulnerability including government.


Filippo also provide a website for you to test your webserver and if it is vulnerable you will get message like image below:


Alternatively you can access to Malaysia honeynet heartbleed website to test your webserver:
http://heartbleed.honeynet.org.my/

Here some good advice how to protect yourself from heartbleed bug:
http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/

References:
http://heartbleed.com/
https://github.com/FiloSottile/Heartbleed
http://filippo.io/Heartbleed
http://heartbleed.honeynet.org.my/
https://gist.github.com/harlo/10199638

~ alternat0r

Thursday, March 13, 2014

Dendroidbot Quick Analysis

As I get the sample of Dendroid APK malware I decided to make quick analysis on it. Thanks to +Mila Parkour for the sample.


DB01F96D5E66D82F7EB61B85EB96EF6E
52A30B58257D338617A39643E2216D0C

The original sample is protected with Dexguard to give extra protection on its code as its will appeared to be obfuscated when decompiling.

The following permission can be used once it has been installed:
  • directly call phone numbers
    • read phone status and identity
    • reroute outgoing calls
  • edit your text messages (SMS or MMS)
    • read your text messages (SMS or MMS)
    • receive text messages (SMS)
    • send SMS messages
  • take pictures and videos
  • record audio
  • precise location (GPS and network-based)
  • read call log
    • read your contacts
  • read your Web bookmarks and history
  • modify or delete the contents of your SD card
  • find accounts on the device
  • full network access
    • view network connections
  • retrieve running apps
  • prevent phone from sleeping
  • modify system settings
    • test access to protected storage
As we analyzed the java class, its also can determine if its running on emulator or not. There are many functionality that would be able to completely spy your phone as we going through its java classes.


initiate() load pre-defined configuration with base64 encoded.


Here from VirusTotal detection list:
https://www.virustotal.com/en/file/099a57328de9335c524f44514e225d50731c808145221affdd684d8b4dad5a1d/analysis/

Although, this sample is an earlier version of Dendroid. Some user might already found recent version of it bind with other application to make it seem legitimate apps.


~ alternat0r

Saturday, February 1, 2014

ApacheBench behind the Encoded VBE file

Recently I received a VBE file from a friend that looks suspicious with its encoded content and request to do quick analysis on it. So, I manage to play around with it and see what's inside.

The file name that I got is s64.vbe (0B826D9869B139B2C5BB139234C08D43) which is an encoded script file content. The size of this file is around 608,904 bytes. The content of the encoded file is shown below:


To decode this file I use scriptDecode.vbs from Jean-Luc Antoine. The output of the decoded file is a VBScript as shown in the picture below:


If we scroll to the bottom of the file we can see this is some kind of Windows binary file that is converted into ASCII format within VBS. The file svchost.exe is the file name use to save into the disk and run it.


Most of antivirus product is already detect this file as malicious:

https://malwr.com/analysis/YzkzNDUxOTlmOTQxNDAxYmEwNjdmNGI4MTk5YjBmYzI/share/1a8cbf4acb5944d1856d04d4e72b8ed7

https://www.virustotal.com/en/file/6b01071c7936d4a1ba1f53b5651db5f604dfe7f5aa3e4ed38d48f6ba66eebd5e/analysis/

The svchost.exe (333ABC2F9864B70F7EF48B049CBA9286) file is a program called ApacheBench command line utility. At first place, this program use to measure performance test of HTTP web servers. Although, the binary file that I got is not correctly run as it not responsive sometimes. It is possible to use this tool as DDOS attack.

~ alternat0r

Friday, June 21, 2013

Python - Basic VirusTotal Uploader

Just my little/quick note about submitting malware sample to VirusTotal.com. Be reminded that this python code is not handling an error properly. Just for quick reference.

import postfile
import sys, getopt

def main(argv):
 inputfile = sys.argv[1]
 host = "www.virustotal.com"
 mfile = inputfile
 selector = "https://www.virustotal.com/vtapi/v2/file/scan"
 fields = [("apikey", "YOUR PUBLIC API KEY")]
 file_to_send = open(mfile, "rb").read()
 files = [("file", mfile, file_to_send)]
 json = postfile.post_multipart(host, selector, fields, files)
 print json
 
if __name__ == "__main__":
 main(sys.argv[1:])

You can replace the 'YOUR PUBLIC API KEY' with your own key. Get it at VirusTotal.com.

~ alternat0r

Monday, February 18, 2013

'Business Flash Player' appear to be Facebook spammer


Just received this wild Facebook post that suddenly tagged me for unknown reason. Its look like a community page that received 87 million user 'Like' on it. That's something fishy to me.


This look suspicious to me when the provided URL is unreadable to me. Obviously it is in unicode character or IDN. It's Armenian language there (ask Google translate or Wikipedia).

Well, lets check it out whats so special about this FB post. Once you click on that weird URL you will be redirected to the fastotolike.com. The website looks like some kind of 'auto-like' or click jacking script.


If you click anywhere on the page you will be prompted another strange popup (I'm using Google Chrome for this test). The popup message prompt you to install some kind of plug-in or extension for Chrome. There is multiple popup open up 8 times according to its javascript. See image below:


Looking at the source code you will find there is Turkish language hoping that user will click the 'Add' button.


It's look like the app is available at Google Web Store and disguise as 'Business Flash Player !' With no description and no screenshot, definitely looks fishy. See image below:




If you try to install it you will see your extension appear in the Chrome Extensions list.


Lets take a look on installed extension source code. There is two link which is one of it will be redirect to malicious website. See image below:


The redirect URL will be go to the http://fastotolike.com/yeni.php which is some how reveal its long line comment source code. So, for this test I just uncomment the js code and make it beautiful.



This script is look like responsible to post a spam to the victim user Facebook wall. The post appear to be submit along with picture of random girl dancing on Youtube.