Yara Detection for Java Applet JMX Remote Code Execution (CVE-2013-0422)

Hi

It’s a bit too late for me to write this, but at least CVE-2013-0422 is no longer a secret, and yes, I can share a Yara rule for it.

Anyway, thanks to @kafeine for the disclosure and thanks to Immunity for a very good write up.

So here you go:

rule CVE_2013_0422
{
        meta:
                description = "Java Applet JMX Remote Code Execution"
                cve = "CVE-2013-0422"
                ref = "http://pastebin.com/JVedyrCe"
                author = "adnan.shukor@gmail.com"
                date = "12-Jan-2013"
                version = "1"
                impact = 4
                hide = false
        strings:
                $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword
                $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword
                $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword
                $0422_4 = "findClass" fullword
                $0422_5 = "publicLookup" fullword
                $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword
        condition:
                (all of ($0422_*)) or (all of them)
}

Kindly leave a comment if you find ways to improve this rule. Obfuscation? Yeah, of course it can be used to bypass this rule as well ;)

Thanks

P/S: MyYaraSIG members should have received this rule/update earlier today. Just git pull, everyone :)

Weekly Summary : Internet Explorer Vulnerability & New BlackHole 2.0 Pattern

The biggest news for this week is of course related to the recent 0day vulnerability found in Internet Explorer, CVE-2012-4969. The exploit code, which leaked on the same server as the previous Java 0day, was discovered by several researchers and, without any delay, was ported to the Metasploit framework.

I’ve done a quick writeup on this news earlier, and back then there was no patch/Fix it released by Microsoft yet, so I ended up referencing the MyCERT advisory, which recommends that users use EMET and disable Active Scripting. Since then, Microsoft has released a Fix it and an out-of-band patch to address this issue. As of now, there is no reported/blogged/tweeted information saying that Malaysia has been targeted with this new vulnerability, and there is no information that this vulnerability has been ported to BlackHole 2.0 either.

Speaking of BlackHole 2.0, I’ve been seeing a new pattern used in BlackHole 2.0 that could bypass most/some detection rules written specifically against the initial release of BlackHole 2.0. Thanks to #MalwareMustDie and MalwareDomainList for the brand new and fresh samples. My Yara rules have been updated for both CVE-2012-4969 and BlackHole 2.0++, and MyYaraSIG members may perform a git pull to see the update.

That’s all for this week.

Thanks

Starting Your Yara Rule With a Wild Card

I worked on an update of the BlackHole rule yesterday, after seeing new patterns appear in BlackHole 2 that differ from its initial release. Samples were downloaded from MalwareDomainList and Contagiodump.

These new changes required me to use extreme regexes for the detection. I accidentally started one of the regexes with a wild card, and on the dry run test I was very disappointed with the performance. Let’s see the time taken:

After performing some tweaks to the regex, here is the screenshot of the time taken:

What a difference!!

So, as advice, please read the Yara Performance Guidelines documentation to get the best performance from your rules.
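As an added example (not the author’s rule, and the original screenshots are not preserved here), the following Python script reproduces the effect described above using Python’s re engine rather than Yara’s. The same detection is written twice, once starting with `.*` and once starting with its literal `/`, and both are run over a constructed benign file and a constructed file containing one hit. The URL shape is a hypothetical stand-in, not the BlackHole 2 pattern. The wildcard-first version pays its cost on files that do not match, which in a real scan is most of them, because a backtracking engine must retry the wildcard from every offset; the literal-first version lets the engine jump straight to candidate offsets.

```python
import re
import time

# Hypothetical URL shape used only for this demonstration (not the real
# BlackHole 2 pattern): "/<name>.php?<key>=<hex digits>".
URL_SHAPE = r"/[a-z]+\.php\?[a-z]+=[0-9a-f]+"

# The same detection written two ways. The first starts with a wildcard,
# the mistake the post describes; the second starts with the literal "/".
WILDCARD_FIRST = re.compile(r".*(" + URL_SHAPE + r")")
LITERAL_FIRST = re.compile(r"(" + URL_SHAPE + r")")

# Constructed inputs, not real samples: a benign script with no URL of that
# shape, and the same text with one matching URL buried in the middle.
BENIGN = "var a = 'x'; " * 200                       # ~2.6 KB, cannot match
SUSPECT = BENIGN + "/index.php?page=abc123 " + BENIGN


def timed_search(pattern, data):
    """Run one search; return (captured URL or None, seconds elapsed)."""
    start = time.perf_counter()
    match = pattern.search(data)
    elapsed = time.perf_counter() - start
    return (match.group(1) if match else None, elapsed)


def compare(data):
    """Run both patterns over data. Both must agree on the hit; only the
    time taken should differ."""
    wild_hit, wild_secs = timed_search(WILDCARD_FIRST, data)
    lit_hit, lit_secs = timed_search(LITERAL_FIRST, data)
    return {
        "wildcard_hit": wild_hit,
        "literal_hit": lit_hit,
        "wildcard_seconds": wild_secs,
        "literal_seconds": lit_secs,
    }


if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("suspect", SUSPECT)):
        r = compare(data)
        print(f"{label:7s} hit={r['literal_hit']!r} "
              f"wildcard-first={r['wildcard_seconds']:.4f}s "
              f"literal-first={r['literal_seconds']:.6f}s")
```

The absolute numbers depend on the engine and machine, but the shape of the result is the point: on the benign input the wildcard-first pattern does work proportional to the square of the file size before giving up, while the literal-first pattern finishes almost immediately, and on the suspect input both return the same captured URL.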

For MyYaraSIG members, you may refer to commit 8b12d51463

Thanks

Update

Btw, don’t you wanna know the detection rate on VirusTotal? :)

Weekly Summary : SCTV Cup and Blackhole Exploit Kit v2

Two of the events that will be highlighted in this “weekly summary” are the SCTV Cup and Blackhole Exploit Kit v2.

Earlier this week, there was a football match between Malaysia (under 22) and Indonesia (under 22) for the SCTV Cup 2012. Malaysia won the match 1-0, and I was expecting “yet another soccer-related war” to happen. But again, just like my previous expectation on Merdeka day, it didn’t happen. I hope kiddies from both countries are now mature enough to move on to more serious matters. Congrats to the winner (Malaysia U22) and to the ‘armies’ of both countries.

Blackhole Exploit Kit v2 was released this week. malware.dontneedcoffee.com did a writeup on the release announcement, and not long after that, a few samples were found in the wild. The most noticeable change (from my view) was the URL pattern, so a minor tweak needed to be done to the signature pattern. I’ve performed deobfuscation of the obfuscated JavaScript of Blackhole v2.0 and managed to do it with no harm. Old school methods still work ;) If you need a detailed discussion of this Blackhole v2, you may refer to the write-ups by SpiderLabs and by malware.dontneedcoffee.com.

I’ve decided NOT to share any Yara rules anymore (including the one for this Blackhole v2.0), since based on my previously posted rules, I don’t get enough response & feedback from users. So I’ve changed the game plan: I will only release them to some private groups and a SIG (special interest group) mailing list. If you need to get the feeds, kindly drop me an email at adnan.shukor @ G!

That’s all for this week.

Thanks

Weekly Summary : Merdeka and Internet Explorer

This week I’ll be writing a short update related to Malaysia’s Merdeka (independence) day and the Internet Explorer MS12-052 bug.

It is almost like a tradition here in Malaysia to receive a massive number of system intrusions and website defacements on our Merdeka (independence) day. Based on data from previous years, most of the attacks came from foreign countries, and the messages left by the attackers clearly reflect their political motive for performing the attack.

But in 2012, the incident landscape on Merdeka day (week) shifted. The total number of system intrusions and website defacements was reduced a lot compared to the same period in previous years. This data can be verified by performing a zone-h search, and you can cross-check your findings with the MyCERT monthly statistics at the end of this month (or early next month).

One thing that is sad to share here is that it is not only the number that has shifted; the source of the attacks this year also shows some differences. Most of the defacement cases this year related to .MY domains, or to websites hosted in Malaysian IP ranges, were performed mostly by local attackers. Their messages are not clear, but the quick conclusion I can make is that it was for fame.

Also in this week’s update, I’ll cover a bit of the “Internet Explorer Script Interjection Code Execution (updated)” advisory that was posted to the Bugtraq mailing list. You can read the details in the “VULNERABILITY DETAILS” section of the advisory. As of the writing of this update, there is no news yet of this vulnerability (MS12-052) being used in the wild, and I’ve cross-checked with Metasploit and confirmed that it is not yet ported to Metasploit. However, with the detailed explanation provided in the advisory, I don’t think it will take long for a working exploit to be made public.

You can use the following generic Yara rule to detect a malicious HTML/JS file exploiting this vulnerability:

rule MS12_052
{
        meta:
                author = "Adnan Mohd Shukor"
                author_email = "adnan.shukor @ G!"
                ref = "MS12-052"
                ref_url = "http://seclists.org/bugtraq/2012/Sep/29"
                cve = "CVE-"
                version = "1"
                impact = 4
                hide = false
        strings:
                $ms12052_1 = /mailto\:.{2000,}/ nocase fullword
                $ms12052_2 = /\.getElements?By/ nocase
                $ms12052_3 = /\.removeChild\(/ nocase
                $ms12052_4 = /document\..*?= ?null/ nocase
        condition:
                $ms12052_1 and $ms12052_2 and ($ms12052_3 or $ms12052_4)
}
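To see what the rule’s condition actually requires, here is an added Python transcription of its four strings and its condition (example code, not the author’s rule and not Yara’s engine: it uses Python’s re module, and Yara’s fullword modifier is approximated as “no alphanumeric character on either side of the match”). It is run over two constructed HTML snippets, neither a real page: one carrying the oversized mailto: value and the DOM calls the strings look for, the other an ordinary page. The ordinary page contains getElementById, so $ms12052_2 fires on it, but the rule as a whole does not, because $ms12052_1 is mandatory in the condition.

```python
import re

# Python transcription of the four strings in rule MS12_052. "fullword" is
# approximated with lookarounds: no alphanumeric on either side of the match.
NOT_ALNUM_BEFORE = r"(?<![A-Za-z0-9])"
NOT_ALNUM_AFTER = r"(?![A-Za-z0-9])"

STRINGS = {
    "ms12052_1": re.compile(NOT_ALNUM_BEFORE + r"mailto:.{2000,}" + NOT_ALNUM_AFTER,
                            re.IGNORECASE),
    "ms12052_2": re.compile(r"\.getElements?By", re.IGNORECASE),
    "ms12052_3": re.compile(r"\.removeChild\(", re.IGNORECASE),
    "ms12052_4": re.compile(r"document\..*?= ?null", re.IGNORECASE),
}


def matched_strings(data):
    """Return the set of string identifiers found in data (Yara's $ matches)."""
    return {name for name, rx in STRINGS.items() if rx.search(data)}


def rule_ms12_052(data):
    """Evaluate the rule's condition: $ms12052_1 and $ms12052_2 and
    ($ms12052_3 or $ms12052_4)."""
    hits = matched_strings(data)
    return ("ms12052_1" in hits and "ms12052_2" in hits
            and ("ms12052_3" in hits or "ms12052_4" in hits))


# Constructed test inputs, not real pages. The first has the oversized
# mailto: value the rule keys on plus two of the DOM calls; the second is an
# ordinary page with a normal mailto: link and one DOM lookup.
SUSPICIOUS_HTML = (
    '<html><body>\n'
    '<a id="lnk" href="mailto:' + "A" * 2100 + '">x</a>\n'
    '<script>\n'
    'var e = document.getElementsByTagName("a")[0];\n'
    'e.parentNode.removeChild(e);\n'
    '</script></body></html>\n'
)

BENIGN_HTML = (
    '<html><body>\n'
    '<a href="mailto:webmaster@example.com">contact</a>\n'
    '<script>document.getElementById("x").textContent = "hi";</script>\n'
    '</body></html>\n'
)


if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(f"{label}: strings={sorted(matched_strings(page))} "
              f"rule={rule_ms12_052(page)}")
```

Keeping the string identifiers identical to the rule’s makes it easy to compare the Python output with `yara -s` output when tuning the rule; the one place the two can disagree is the fullword approximation, which this script applies only to the first string, exactly as the rule does.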

That’s all for this week.

Thanks