Xanda's Blog !~!

Macports on Mavericks

Oct
24

Quick update for those who found something buggy with their Macports after upgraded their OSX to Mavericks

  1. Download and install Xcode 5.0.1
  2. Install Command Line Tool
    xcode-select --install
  3. Accept Xcode license agreement
    sudo xcodebuild -license
  4. Download Macports source
    cd /tmp
    wget https://distfiles.macports.org/MacPorts/MacPorts-2.2.0.tar.gz
  5. Extract and compile
    tar xvfz MacPorts-2.2.0.tar.gz
    cd MacPorts-2.2.0
    ./configure
    make
    sudo make install
  6. Update your Macports
    sudo port -v selfupdate

Thanks

In response to ISC Diary’s “an epidemic of typo squatting”

May
13

I’ve been monitoring placeholder and typo squatting domains for few months now, and I’ve read a write-up on ISC diary on “Is there an epidemic of typo squatting?”. There are a few conclusions that I can make and share:

  1. Most of typo squatting domains are parked on two /24 network, and by default, they are serving placeholder on the main page
  2. The page (content) is detected by McAfee as JS/Redirector.ar or JS/Blacole-Redirect
  3. There are a lot of domains (typo squatting some famous big websites) have been bought/rent, and used in Scam (win an iPad, win a voucher) activities.
  4. Beside of Scam activities as in No 3, I’ve also seen domains that have been used in serving malicious content/redirection.
  5. Speaking about item no 4, one interesting point to share is, after serving the malicious content/redirection for some time (mostly 1 or 2 weeks), the domain will be pointed back to the placeholder server and serving the placeholder again
  6. Item 4, and 5 also applicable for Phishing activities
  7. In the last couple of days (or week), they’ve started to ‘hide’ themself behind CloudFlare IPs.
  8. Today (or maybe it happened in the weekend), a few IPs have changed their default interface (of the placeholder) into some plain page with something like “what are you looking for?” message.

Seeing something similar or totally different? Feel free to share your points in the comment section.

Thanks

Detecting counter.php – The BlackHole Redirector

Apr
05

Have you ever came across the following line of code injected to your (or you visited) website

If I get it correctly, it is the BlackHole Exploit Kit redirector.

The pattern for this “counter.php” injected script will always be the same, so for system administrator or webmasters, you can use the following yara rule for your detection

rule counterPHPredirectBHEK
{
	meta:
		author = "adnan.shukor@gmail.com"
		description = "Detection rule to detect compromised page injected with invisible counter.php redirector"
		ref = "http://blog.xanda.org/2013/04/05/detecting-counter-php-the-blackhole-redirector"
		cve = "NA"
		version = "1"
		impact = 4
		hide = false
	strings:
		$counterPHP = /\<iframe\ src\=\"https?\:\/\/[a-zA-Z0-9\-\.]{4,260}\/counter\.php\"\ style\=\"visibility\:\ hidden\;\ position\:\ absolute\;\ left\:\ 0px\;\ top\:\ 0px\"\ width\=\"10\"\ height\=\"10\"\/\>$/
	condition:
		all of them
}

Thanks

P/S: MyYaraSIG guys, my Macbook is not able to be boot right now, will commit to the repo later

RedKit Redirector Injected into Legitimate JavaScript Code

Feb
15

Hi,

Nothing special and interesting but just to share some (old) info on this topic

I’ve read Sophos’s blog post yesterday on “Malware injected into legitimate JavaScript code on legitimate websites” and it seems like a familiar stuff to me. I’ve also been asked in the comment section of “RedKit Patterns – Additional Info to @fknsec Writeup” entry on something that is related to this issue so lets just blog about it

I’ve performed a quick search in URLquery and managed to get these samples:

  • hxxp://www.nedakitap.com/js/jquery[dot]js
  • hxxp://www.nedakitap.com/js/jquery.carouFredSel-5.5.0-packed[dot]js

You may found more sample of there. The point is there is no specific version of jquery targeted (as asked in the comment section) since in order for you to modify/edit the jquery file, you need to have the CMS/server compromised in the first place and jquery is not a CMS 🙂 . However, by looking at the version of the jquery, you will be able to predict the ‘age’ of the CMS used and the last update date. Mostly they are old (meaning that the CMS is not updated)

Viewing the content of the modified/compromised JavaScript  file (in this example, jquery) you can see the additional code in line no 1, (2 is a empty line), 3, second last, and last line of the JavaScript file. And the pattern will always be the same.

The JavaScript files which have been called will execute the injected script and write an (almost) invisible iframe redirecting victim to another compromised website which is hosting RedKit exploit kit. Most of the time, the host with the compromised JS will also have the RedKit files on it and waiting to be called by another compromised JS on another website

Some other characteristics that can help you to determine these injected code are by looking at these keywords:

  • iframe
  • name=Twitter
  • scrolling=auto
  • frameborder=no
  • align=center
  • height=2
  • width=2
  • a .htm or .html file in the web root directory in 4 char length and sometime came with query variable of ‘h’, ‘i’ or ‘j’ **scroll below to see update on 7 Mar**

Lets make a conclusion and write a simple regex for this

document\.write\('<iframe\ name=Twitter\ scrolling=auto\ frameborder=no\ align=center\ height=2\ width=2\ src=http:\/\/[\w\.\-]{4,}\/[a-z]{4}\.html?(\?[hij]=\d{7})?><\/iframe>'\);

Once you have 4 hits, you know it is RedKit redirector.

Yes you can modify it to be used as yara signature as well 🙂

Thats all from me for now

Thanks and stay safe

** Updated on 16 Feb **
According to Securi, this is a family of TDS

** Updated on 7 Mar **
Found new pattern that use PHP.. A quick yara rule would be:

rule iframeRedKit
{
	meta:
		author = "adnan.shukor@gmail.com"
		description = "Detection rule to detect compromised page injected with invisible iframe of Redkit redirector"
		ref = "http://blog.xanda.org/2013/02/15/redkit-redirector-injected-into-legitimate-javascript-code/"
		cve = "NA"
		version = "1.2"
		impact = 4
		hide = false
	strings:
		$iRedKit_1 = /name\=['"]?Twitter['"]?/
		$iRedKit_2 = /scrolling\=['"]?auto['"]?/
		$iRedKit_3 = /frameborder\=['"]?no['"]?/
		$iRedKit_4 = /align\=['"]?center['"]?/
		$iRedKit_5 = /height\=['"]?2['"]?/
		$iRedKit_6 = /width\=['"]?2['"]?/
		$iRedKit_7 = /src\=['"]?http:\/\/[\w\.\-]{4,}\/(([a-z]{4}\.html?(\?[hij]=\d{7})?)|([a-z]{4,}\.php\?[a-z]{4,}\=[a-f0-9]{16}))['"]?/
	condition:
		all of them
}

Yara Detection for Java Applet JMX Remote Code Execution (CVE-2013-0422)

Jan
12

Hi

It’s a bit to late for me to write this, but at least CVE-2013-0422 is no longer a secret.. and yes I can share some yara rule for this

Anyway, thanks to @kafeine for the disclosure and thanks to Immunity for a very good write up.

So here you go:

rule CVE_2013_0422
{
        meta:
                description = "Java Applet JMX Remote Code Execution"
                cve = "CVE-2013-0422"
                ref = "http://pastebin.com/JVedyrCe"
                author = "adnan.shukor@gmail.com"
                date = "12-Jan-2013"
                version = "1"
                impact = 4
                hide = false
        strings:
                $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword
                $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword
                $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword
                $0422_4 = "findClass" fullword
                $0422_5 = "publicLookup" fullword
                $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword 
        condition:
                (all of ($0422_*)) or (all of them)
}

Kindly leave comment I you find ways to improvement this rule. Obfuscation? yeah of course can be used to bypassed this rule as well 😉

Thanks

P/S: MyYaraSIG members should have receive this rule/update earlier today. Just git pull everyone 🙂