
Security Literature

Hacker Challenge Report (pdf)
ANI 0-day Analysis (pdf)
Firepass Security Advisory (pdf)
eDir Remote Code Exec (pdf)
ZERT & MS VML Patch (pdf)
Python To Extract Malware (pdf)
Torpig VMM/IDT Signatures (pdf)
Vmware Shellcode Injection (pdf)
Unpacking FSG (pdf)
Hacking the Packer (pdf)
Life and Times of Ddabx (pdf)
W0rd 0-day Disassembly
Cryptography of SSH2
Upload Scripts & Toolkits
Red-Headed Browsers & WMF
Classic Trimode Exploit
ISC Malware Quiz 5 (pdf)
Access Log Analytics 2006
Assorted Incidentals 2005
Scan of the Month 34
MS JVMs ByteVerify Trojan
Awstats Linux Rootkit
Tri-Mode Browser Exploits
Namibian TIBS Infection
Bestfriends and Sdbot Rootkit
Gwee Exploits Webmail
XSS, Triple-encoded Exploit
telnet:// used in IE Exploit
Investigating CHM Exploits
Investigating Netwin Malware
Short Security Discussions
Short Proof of Concepts
Attack Signatures and Analysis
First Trojan Tracking Journey

Browser Attacks!

Browser attacks are those which take place as a result of one's surfing the web. On a rare occasion, an intruder will gain entrance into a system by other means and use the system's browser to further his intentions. In the more frequent scenario, however, the sites that users visit, potentially by accident or even without knowledge, host malicious content capable of carrying out the attack. Browser attacks are successful because 1) everyone has a browser and 2) no one can live without one; just like anyone with a lymphatic system is vulnerable to cancer.

Welcome to the World Wide Web ER, where we share the stories with you and hope to install (but not without your permission) some awareness into your surfing habits. Some samples are in-depth and technical at times, but I make every attempt to explain things in easy-to-understand terminology. So if the latter is an issue, hopefully it won't be by the time you're done reading. Enjoy.

Note: a lot of the evidence in these articles consists of snippets from the real exploits and can cause exceptional damage to your computer. For that reason, all of the HTML tags have been converted to square brackets instead. That way, when you read my articles you really end up reading my articles rather than entertaining an iFrame or downloading a Java archive from the malicious sites documented.

Red Headed Browsers - The WMF Exploit

Although browsers are not red-headed stepchildren, sometimes they are treated as such. It's a bit ironic, but although this event involves the 0-day WMF exploit, and the compromised system behaved in a manner consistent with the reported symptoms, it was not that vulnerability which led to the initial infection. The machine was exploited by a vulnerability in either Sun's or Microsoft's JVM.

View the report: (Red Headed Browsers and WMF).

Classic Tri-mode Browser Exploits

This is simply another case of a widespread spyware distribution cloud and improper use of search engine technology. In another report we will discuss the controversy over poor filtering of query results by search engines and their perceived necessity to return even pages that guarantee an infection if the user clicks them. This event is a classic tri-mode attack that was unsuccessful due to the use of Firefox and patched workstations.

View the report: (Classic Tri-mode Browser Exploits).

MS JVM's ByteVerify Trojan - Turning JPEGs Into DLLs

This attack starts out with a strange combination of servers in the .com, .name, and .pl TLDs. The browser is smacked around through a tunnel of spyware-infested servers and ends up downloading a JAR file which exploits the Java VM and breaks out into an executable .com file. This program downloads a .jpg from a domain registered in the Cocos Islands (.cc), does some processing on it, and writes the output to a randomly named .dll, which is then plugged into Internet Explorer's list of BHOs.

View the report: (MS JVMs ByteVerify Trojan).

Jpegs Into JavaScript - Another Image Trick

This reports on an attack scenario similar to the Tri-mode incident, but includes one additional method. The newexpl.php page is base64-encoded instructions to download a file named with a JPEG extension. The bytes of this file are decoded with the String.fromCharCode function and interpreted as JavaScript by the browser. Eventually executables get downloaded, but the purpose of this analysis is to show other ways that JPEGs are being falsified in the wild.

View the report: (Jpegs Into JavaScript - Another Image Trick).

Tri-Mode Browser Exploits

Here is a pair of similar attacks which each employ at least three known exploits against Internet Explorer browsers. There is some pretty slick JavaScript and DHTML and an animated cursor that really isn't an animated cursor. But that's not all! There is some in-depth analysis of RIFF file headers, ActiveX installations, and the vulnerability in Java's virtual machine.

View the report: (Trimode Browser Exploits).

Bestfriends and Sdbot Rootkit

This incident is classified as a browser attack, although it did not originate in the browser realm, but rather from AOL Instant Messenger. Internet Explorer was only launched to grab the code that a link on AOL IM provided. After that, a mean screen saver executed, unpacked, and left a whole lot of evidence.

View the report: (Bestfriends and Sdbot Rootkit).

XSS, Triple-encoded Exploit

This (fun) incident steps through how three layers of obfuscation were stripped from the suspicious JavaScript in order to reveal the real code. I learned a thing or two about Internet Explorer's MIME detection routines. As one of the first browser attacks investigated, it ends a little abruptly.

View the report: (XSS, Triple-encoded Exploit).

telnet:// used in IE Exploit

This shows how the telnet:// protocol handler in Internet Explorer can be exploited to allow execution of arbitrary code. Don't confuse this with a buffer overflow or something that spills bytes into RAM for execution; in this case telnet itself is the arbitrary code.

View the report: (telnet:// used in IE Exploit).

Investigating CHM Exploits

In the midst of browsing the web, a user noticed the Windows command prompt flash on the screen and initiate an FTP transfer. We trace this attack back to the original source and show the technique used to recover the username and password for the hacker's toolkit (so the files could be fetched for analysis). It was all due to a vulnerability in Internet Explorer.

View the report: (Investigating CHM Exploits).

Investigating Netwin Malware

This is the same old story of compressed Windows help documents exploiting browsers into downloading arbitrary executables. In particular, the so-called Netwin instance was one of the very first I encountered in the wild. The report explains the basic concept of the attack and shows how the malicious code overwrites Windows Media Player and immediately begins updating remote systems with spyware information.

View the report: (Investigating Netwin Malware).

Site design and layout with umm...a bash shell. Graphic by (Aaron Bieber)
Unless otherwise noted, this work is licensed with (Creative Commons Attribution License).