All posts by Jacob Soo

[ Technical Teardown: Malware Targeting Singapore Banks ]

[ Background ]
Originally I wanted to let one of the local students write about it, but he was busy with school, an internship and solving challenges.
It’s also been a very long time since we wrote any “Technical Teardown” on malware/exploits here.

I got hold of this particular malware sample just days after these two reports.
http://www.abs.org.sg/pdfs/Newsroom/PressReleases/2015/MediaRelease_20151201.pdf
http://www.channelnewsasia.com/news/singapore/50-smartphone-users-in/2308976.html

The Association of Banks in Singapore (ABS) released an advisory to alert consumers on malware targeting mobile banking customers in Singapore.
We hope this technical teardown might be interesting to some of you.

[ Sample used in the analysis ]
MD5: 76745CE873B151CFD7260E182CBFD404
SHA1: 0F7C012466157891C1D12ADDDD4DFA0B8291DD75
Malware Sample: 76745ce873b151cfd7260e182cbfd404
Password is “infected29A”

Since it’s Android malware, let’s check the permissions it requests and dissect it further. First decode it with apktool by running the following command:

Now let’s take a look at the AndroidManifest.xml file; you should see the following, including the permissions requested by the APK.

As we can see from the AndroidManifest.xml, it asks for quite a lot of permissions, and the names suggest it is probably obfuscated.

Looking at the strings.xml and styles.xml, we can see that customised themes have been created for various banking applications.
This malware targets a number of banks by mimicking the authentic banking apps and phishing for banking credentials from the infected user, as shown below.
Figure 1 – Customised Themes

[ Junk Code as Anti-Analysis? ]
It took me 20-30 mins to realise that this author uses lots of junk code, possibly with the purpose of deterring people like me from reversing the malware.
Important metadata such as strings and function names is also obfuscated, as shown in the image below.

Figure 2 – Junk Code with no useful functionality

Since the malware sample is heavily obfuscated, some of the things I usually look out for are calls such as Base64.decode, loadDataWithBaseURL or sendTextMessage.

[ Revealing the Hidden Configuration Strings ]
So I did a quick grep and found that it does use “Base64.decode”, as shown below.
Figure 3 – Base64 encoded string

The following is the base64 string which I extracted from the malware.

After base64-decoding it, I got back the following strings.

As we can see, the decoded strings contain IP addresses and other interesting strings. We can also safely assume that the malware author uses “@” as a delimiter.
For better illustration, I replaced every “@” with a newline.
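The grep-decode-split workflow above, as an added Python example (not code from the original post): it picks up const-string literals that feed a Base64.decode call in apktool’s smali output, decodes them, splits on the “@” delimiter and pulls out the C&C servers. The smali fragment and plaintext config are constructed for the example; only the two IP addresses and the port come from the post.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed plaintext config and smali fragment standing in for the apktool output;
# the base64 literal is generated from the plaintext so nothing is hand-typed. Not from the sample.
PLAINTEXT_CONFIG = "http://37.235.48.177:34580/@http://46.108.39.12:34580/@34580@DBS@OCBC@POSB"
SMALI_SAMPLE = """
.method private static a()[B
    .locals 2
    const-string v0, "{b64}"
    const/4 v1, 0x0
    invoke-static {{v0, v1}}, Landroid/util/Base64;->decode(Ljava/lang/String;I)[B
    move-result-object v0
    return-object v0
.end method
""".format(b64=base64.b64encode(PLAINTEXT_CONFIG.encode()).decode())

CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
BASE64_DECODE_CALL = re.compile(r"Landroid/util/Base64;->decode\(")
C2_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/?$")


def literals_before_base64_decode(smali: str, window: int = 8) -> List[str]:
    """Return const-string literals that sit within `window` lines before a Base64.decode call
    (the grep the post describes, with the candidate string picked up automatically)."""
    lines = smali.splitlines()
    found = []
    for i, line in enumerate(lines):
        if not BASE64_DECODE_CALL.search(line):
            continue
        for prev in lines[max(0, i - window):i]:
            m = CONST_STRING.search(prev)
            if m:
                found.append(m.group(1))
    return found


def decode_config(literal: str, delimiter: str = "@") -> Optional[List[str]]:
    """Base64-decode one literal and split it on the delimiter the malware uses.
    Returns None when the literal is not base64 or does not decode to printable text."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or not text.isprintable():
        return None
    return text.split(delimiter)


def extract_c2(fields: List[str]) -> List[Tuple[str, int]]:
    """Pull (ip, port) pairs out of decoded config fields that look like http://ip:port/."""
    servers = []
    for field in fields:
        m = C2_URL.match(field)
        if m:
            servers.append((m.group(1), int(m.group(2))))
    return servers


def triage(smali: str) -> Dict[str, list]:
    """Tie the steps together: find literals, decode them, and list the C&C servers."""
    configs = []
    for literal in literals_before_base64_decode(smali):
        fields = decode_config(literal)
        if fields:
            configs.append(fields)
    c2 = [server for fields in configs for server in extract_c2(fields)]
    return {"configs": configs, "c2": c2}


if __name__ == "__main__":
    result = triage(SMALI_SAMPLE)
    for fields in result["configs"]:
        print("\n".join(fields))  # the post's "@ replaced with newline" view
    print("C&C:", result["c2"])
```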

[ Assessment of Malware ]
We can see that the IP addresses are the C&C servers, which communicate on port 34580.
http://37.235.48.177:34580/
http://46.108.39.12:34580/

Within the malware sample, we also found that it targets customers of the following banks.
Austria
=======

Dexia Kommunalkredit Bank
Bank Austria
Erste Bank und Sparkassen (Thanks to Alex Inführ for pointing out my mistake.)
RGB (Raiffeisen Banking Group)
George (https://mygeorge.at/)
DK (Deutsche Kreditbank AG)
Bawag (BAWAG P.S.K)

Australia
=========

Westpac
St George
Gomoney
National Australia Bank
Commbank

New Zealand
===========

Westpac
Bank of New Zealand
ANZ Bank New Zealand

Singapore
=========

DBS
OCBC
POSB

Hong Kong
=========

Citibank
Bank Of China
Hang Seng Bank
Breeze

I’ll update this post later on how we can reverse such malware much more easily.
In the meantime, I do hope you enjoy reading it.

Happy Reversing,
Jacob Soo

[ Walkthrough : SANS 2015 CDI DFIR Challenge ]

Sorry that we haven’t been able to write anything interesting for the last few months.

I thought of publishing this first thing right after the competition had ended, but Real Life gets the better of most of us. I had totally forgotten about this as I was busy helping NUSGreyhats with their CTF and with my own personal stuff. It was lying in the drafts folder collecting virtual dust, just like my entry for the SANS HolidayHackChallenge. 🙁
I don’t remember whether I submitted my answers for this challenge. 🙁

Below is my walkthrough for the SANS CDI Forensic Challenge, and I hope the process of solving the questions might be useful to someone out there. The entire challenge consists of three parts.

[ NTUSER.DAT CHALLENGE ]
In Part 1, we were given a link, http://dfir.to/EVIDENCE1, to download the data.
I have attached the file here in case the link is gone. Vibranium-NTUSER
On the page, we were asked the following questions.

1. What was the most recent keyword that the user vibranium searched using Windows Search for on the nromanoff system?
2. How many times did the vibranium account run excel.exe on the nromanoff system?
3. What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)

On Windows XP, search terms are kept under the ACMru key at the following registry path:
ntuser.dat\Software\Microsoft\Search Assistant\ACMru
This key stores the search terms that have been typed into a Windows search dialog box.
The following subkeys define where the search term was used:
5001 – List of terms used for the Internet Search Assistant
5603 – List of terms used for the Windows XP files and folders search
5604 – List of terms used in the “word or phrase in a file” search
5647 – List of terms used in the “for computers or people” search

Unfortunately, Windows Vista does not keep a registry key for user searches.
However, on Windows 7 the history of search terms entered into Windows Search can be found in the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
The WordWheelQuery subkey records information about user searches.

There are many great registry tools out there, but for this particular challenge I will be using Windows Registry Recovery.


As we can see from the image above, the very first entry in the MRUListEx is “01 00 00 00”.
This simply means that the value named “1” is the most recently searched item.

In this particular case, we can see that the value of entry “1” is “alloy”, and that’s our answer.

Moving on to the second question: 2. How many times did the vibranium account run excel.exe on the nromanoff system?
For this particular question, we are required to check the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist


As we can see, the value names are all ROT13-encoded; the one we should be looking at is:
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
After decoding, the value will be:
{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office14\EXCEL.EXE

The number of times EXCEL.EXE was executed can be found at offset 0x04 in the UserAssist entry.
In this instance, the value is 4, which means that EXCEL.EXE was executed four times and that is our answer. 😀
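A Python decoder for the two NTUSER artifacts used in questions 1 and 2 above, added here as an example that is not part of the original walkthrough: it orders WordWheelQuery entries from MRUListEx and reads the ROT13 name and run count of a UserAssist value. The registry data is constructed; the last-run FILETIME at offset 0x3C is an assumption about the Windows 7 value layout that goes beyond what the post states.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def mru_order(mrulistex: bytes) -> List[int]:
    """MRUListEx is a run of little-endian DWORD value names ending in 0xFFFFFFFF;
    the first entry is the most recently used one."""
    order = []
    for (index,) in struct.iter_unpack("<I", mrulistex[: len(mrulistex) // 4 * 4]):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def most_recent_search(mrulistex: bytes, values: Dict[str, bytes]) -> Optional[str]:
    """WordWheelQuery: map the first MRUListEx index to its UTF-16LE value data."""
    order = mru_order(mrulistex)
    if not order:
        return None
    return values[str(order[0])].decode("utf-16-le").rstrip("\x00")


def rot13(value_name: str) -> str:
    """UserAssist value names are ROT13-encoded; digits and punctuation pass through."""
    return codecs.decode(value_name, "rot_13")


def decode_userassist(value_name: str, data: bytes) -> dict:
    """Windows 7 UserAssist value (72 bytes): run count at offset 0x04, as the post says.
    Reading the last-run FILETIME at offset 0x3C goes beyond the post (assumed layout)."""
    if len(data) != 72:
        raise ValueError("expected a 72-byte Windows 7 UserAssist value")
    run_count = struct.unpack_from("<I", data, 0x04)[0]
    filetime = struct.unpack_from("<Q", data, 0x3C)[0]
    last_run = None
    if filetime:
        # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
        last_run = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return {"path": rot13(value_name), "run_count": run_count, "last_run": last_run}


# Constructed sample data mirroring the two answers in the post.
WORDWHEEL_MRULISTEX = bytes.fromhex("01000000" "00000000" "ffffffff")
WORDWHEEL_VALUES = {
    "0": "budget".encode("utf-16-le") + b"\x00\x00",
    "1": "alloy".encode("utf-16-le") + b"\x00\x00",
}
EXCEL_VALUE_NAME = r"{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR"
EXCEL_VALUE_DATA = (
    struct.pack("<IIII", 0, 4, 0, 0)          # session, run count = 4, focus count, focus time
    + b"\x00" * 44                            # ten floats the post does not use
    + struct.pack("<Q", 129780000000000000)   # constructed FILETIME (2012-04-04 08:00:00 UTC)
    + b"\x00" * 4
)

if __name__ == "__main__":
    print("Most recent search:", most_recent_search(WORDWHEEL_MRULISTEX, WORDWHEEL_VALUES))
    print(decode_userassist(EXCEL_VALUE_NAME, EXCEL_VALUE_DATA))
```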

Next we are asked, 3. What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)
For this particular question, we need to check the following registry key.
NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs


As we can see from the image above, the most recent typed URL is “http://199.73.28.114:53/”, and that is the answer.

[ SYSTEM and SOFTWARE CHALLENGE ]
In Part 2, we were given a link, http://dfir.to/EVIDENCE2, to download the data.
I have attached the file here in case the link is gone. SOFTWARE-SYSTEM-HIVES.zip
On the page, we were asked the following questions.

1. The Windows Registry shows evidence of one USB device connecting to the nromanoff system. What is the serial number for this device?
2. What was the volume letter assigned to this USB device? (Enter just the letter for the volume.)
3. What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)

For the first question there are many different ways to find the answer, so I will go through two of the common ones.
The first method is to check the following registry key:
SYSTEM\ControlSet001\Enum\USBSTOR

As we can see from the image below, the serial number of the USB device is “AA951D0000007252”.

For the second method, we can check the following registry key:
SYSTEM\MountedDevices

As you can see from the image below, we found the USB device and also the volume letter, “E”, assigned to it, which answers question #2 as well.

Moving to question #3, 3. What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)
We need to check the following registry key:
SOFTWARE\Microsoft\Windows Portable Devices\Devices


Here we find the volume name of the USB device, “SECRETPLANS”.

[ MEMORY ANALYSIS CHALLENGE ]
In Part 3, we were given a link, http://dfir.to/EVIDENCE3, to download the data.
I have attached the file here in case the link is gone. memory-raw.zip
On the page, we were asked the following questions.

1. To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
2. What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

For this particular challenge, we were given a memory dump file. The best way to solve this is to use Volatility.
As I was unsure which profile to use, I ran the imageinfo plugin to see which profiles it suggests.
volatility-2.5.standalone.exe -f memory-raw.img imageinfo

As we can see from the image below, we can use either of the suggested profiles: Win7SP0x86, Win7SP1x86.

The first question: 1. To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
The plugin we should be using is “netscan”, and the command is
volatility-2.5.standalone.exe --profile=Win7SP0x86 -f memory-raw.img netscan

The returned results should look like the following image.

However, we are supposed to look for the remote IP address that spinlock.exe connected to.
We can see that spinlock.exe (PID 1328) is connected to “199.73.28.114”, and that is our answer.

For the second question: 2. What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
We should check the following registry key in order to know the name of the user who is logged into Romanoff.
HKEY_CURRENT_USER\Volatile Environment

The Volatility plugin we will use is “printkey -K 'Volatile Environment'”:
volatility-2.5.standalone.exe --profile=Win7SP0x86 -f memory-raw.img printkey -K "Volatile Environment"

As we can see in the image below, the username is “vibranium”.

Hooray, we are moving to the last question of this challenge.
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

This is fairly straightforward. According to https://technet.microsoft.com/en-us/library/bb457123.aspx, “ntoskrnl.exe” is the first to load, so we know that the “System” process is the one we should be checking.

Using the “pslist” plugin,
volatility-2.5.standalone.exe --profile=Win7SP0x86 -f memory-raw.img pslist

As we can see in the image below, the time for “System” is 2012-04-04 11:47:29 UTC+0000 and that is our answer to the last question.

I hope that the entire walkthrough is simple enough to follow and do on your own.

Happy Reversing
Jacob Soo

[ Walkthrough: 2015 Mobile Security Challenge, 2nd edition (2015移动安全挑战赛(第二届)): iOS Challenge 1 ]

It’s been a long time since we wrote something here.
Today I will write about a simple iOS crackme that I found some time to play with 10 days ago.

To make it easier for everyone to follow this lame guide of mine, I’ve attached the file here: iOS Crackme


The original question given to participants is shown above.

But I’ve loosely translated the above text for simplicity’s sake. 😀

Opening the binary in IDA Pro, the first things I usually look for in iOS crackmes are “Strings” or “onClick”.

In this case, I went for “Strings”. The first thing that caught my eye is “decryptPassword”.

Double click that string and then press “X” to list the cross references. I selected the method using that.


After selecting that, you will get the following.


As I’m one of those lucky ones with the “Decompiler”, pressing “Tab” shows this beautiful pseudocode.


I’ve extracted the code here for easier reading.


Based on the above pseudocode, we can identify several things.

1.) There are five loops. Each loop starts by applying a Caesar cipher to the following base64-encoded string:

2.) After the Caesar cipher, it base64-decodes the returned result.

3.) Then it AES-decrypts the base64-decoded string with the following key:

4.) It repeats this process until the loop ends.

5.) Finally, it compares the final result with the input entered by the user.

I made a simple Python script to illustrate the steps.


The key for this challenge is “Sp4rkDr0idKit”.

Happy Reversing
Jacob Soo

[ Technical MeetUp ] Hack The World : Scada Hacking

The next technical meetup is another collaboration with the students from NUS GreyHats.
We try to be an open, inclusive and responsible volunteer-driven community.

We are also committed to the spread of hacker culture & free/open-source software by continuously writing technical articles.
We hope that all these technical meetups not only help to spread information security awareness but also allow us to learn from other members of the community.

We are also glad that NSHC has not only one of their employees, HyunWoo Kim, presenting at this event, but also their CEO, Louis Hur. I am grateful to the students from NUSGreyHats, who are helping me set this up.

All the technical meetups are free for anyone to attend.
Thanks a lot to everyone involved. 😀

When: Wednesday 12th August 2015
Where: NUS, 13 Computing Drive, Singapore, School of Computing, COM1 Level 2 Seminar Room 3
Time: 5:00 PM – 6:30 PM
After Talks: Nothing planned at this point of time
Organisers: NSHC, NUS GreyHats
Contact: Comments below.

You can indicate your interest in attending here:
https://www.facebook.com/events/844396792303482/

In case you get lost in NUS, here is a floor plan provided by NUS GreyHats.

PRESENTATIONS: 
The state of Scada System Security – Louis Hur
Hack The World : Scada Hacking – HyunWoo Kim

Level:
Beginner-Intermediate

Nowadays, many attack methodologies against SCADA systems are published at conferences or in papers. However, it is a little hard to apply them in the real world. So, we will discuss attack scenarios and methodology for SCADA systems, focusing on Korea’s SCADA systems, but I think other countries are also very similar. Of course, there will be an attack demo in a simulated network.

Bio:
Mr Louis Hur is CEO & Founder of NSHC Inc. Mr. Louis brings more than 15 years of field-proven experience in security businesses that help clients reduce their enterprise-wide IT security risk. Prior to starting NSHC, Mr. Louis served as a Pen-Tester and General Manager of the TSONNET Global Professional Services organisation. He specialised in pen-testing, bug hunting, malware analysis & cyber-espionage investigation.
He is also the team leader of the Korea Cyber Terror Response Team. He has presented at Black Hat, HITCON, ISEC, CSS, etc.

Bio: 
HyunWoo Kim is a Security Researcher at NSHC.
In this role, HyunWoo analyses vulnerabilities and performs root-cause analysis of them.
His primary focus includes performing root-cause analysis and exploit development.
In 2015, he was one of the top 10 finalists of KITRI ‘Best of the Best’ 3rd edition.
He has spoken at numerous security-related events, including CODEGATE 2015, SECUINSIDE 2015, CIISCON 2014, and POC 2014.

Thanks & Regards
Jacob Soo

[ VXSecurity.sg Vulnerability Research Advisory : IZArc file extension spoofing ]

This is another bug which I found long ago while I was bored.
This could be a problem for IZArc users if they were targeted. If not, it’s not really serious.
I had written it up previously on my old blog, but I’m slowly moving some of the stuff over as I’m discontinuing the other blog.

[ Summary: ]
This article is about a bug found in IZArc v4.1.8 – v4.1.9.
The bug has been assigned the CVE identifier CVE-2014-2720.

[ Tested Versions: ]
IZArc version 4.1.8 – 4.1.9

[ Tools Used: ]
HexEdit

[ Details: ]
I created a zip file using WinRAR containing putty.exe.
I then changed the filename at offset 0x460AE to putty.jpg, as shown in the image below.

By modifying the bytes at offset 0x460AE, I am modifying the Central Directory entry.
This is done so that the file appears in IZArc as “putty.jpg” instead of “putty.exe”.

Opening the newly modified zip file in IZArc version 4.1.9, we will see something like this.

This looks like file extension spoofing.
After decompression the user gets the real file name, putty.exe.
However, if the user double-clicks “putty.jpg” inside the archive instead, putty.exe executes as an application rather than opening in the user’s image viewer.

Attackers can also use the RTLO (Right-to-Left Override) Unicode character, U+202E, which is encoded as 0xE280AE in UTF-8.
With a simple RTLO, the right side of the filename is displayed reversed, so “puttygnp.exe” looks like “puttyexe.png”.

This will pose a problem to all users of IZArc.
To date, according to CNET’s download.com, IZArc has had 2,153,572 downloads.

To make this a more comprehensive blog entry, the following are the tests which I did during this bug-finding process.
It may be useful to list all of the different cases and their security properties.

Test Case 1:
============

Central Directory entry filename = putty.jpg
Local file header filename = putty.exe
File content = Microsoft EXE format
The user sees: putty.jpg
If the user clicks: putty.exe is executed

Test Case 2:
============

Central Directory entry filename = putty.jpg
Local file header filename = putty.jpg
File content = Microsoft EXE format
The user sees: putty.jpg
If the user clicks, user’s default JPEG viewer is launched instead.
This is safe behavior.

Test Case 3:
============

Central Directory entry filename = putty\xE2\x80\xAEexe.png
Local file header filename = putty\xE2\x80\xAEexe.png
File content = Microsoft EXE format
The user sees: puttygnp.exe
If the user clicks, puttygnp.exe is executed
This is normal behavior, as the user will see that this is an executable.

Test Case 4:
============

Central Directory entry filename = puttyexe.png
Local file header filename = putty\xE2\x80\xAEexe.png
File content = Microsoft EXE format
The user sees: puttyexe.png
If the user clicks, puttygnp.exe is executed

This is a valid spoofing attack. However, it is exactly the same problem as test case 1. The attack methodology (using a “graphics image” file extension in the Central Directory entry) is the same.
The only part that is different is the real filename in the original unmodified ZIP file.

Test Case 5:
============

Central Directory entry filename = putty\xE2\x80\xAEgnp.exe
Local file header filename = puttygnp.exe
File content = Microsoft EXE format
The user sees: puttyexe.png
If the user clicks, puttygnp.exe is executed

This is also the same as test case 1.
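A Python audit of the two properties the test cases above turn on, added here as an example that is not part of the original advisory: for every member it compares the Central Directory filename (what the archiver displays) with the local file header filename, and it flags names containing U+202E. The archive is built in memory from constructed bytes, and the same-length central-directory rename reproduces test case 1 so the check has something to catch.

```python
import io
import struct
import zipfile
from typing import List, Tuple

RTLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE, bytes E2 80 AE in UTF-8
LOCAL_HEADER = struct.Struct("<4s5H3L2H")  # signature ... name length, extra length (30 bytes)
UTF8_NAME_FLAG = 0x800


def build_zip(member_name: str, payload: bytes) -> bytes:
    """One-member STORED zip built in memory (constructed test input, not the post's PoC)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def central_directory_offset(zip_bytes: bytes) -> int:
    """Offset of the central directory, read from the end-of-central-directory record."""
    eocd = zip_bytes.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    return struct.unpack_from("<L", zip_bytes, eocd + 16)[0]


def spoof_central_name(zip_bytes: bytes, old: str, new: str) -> bytes:
    """Reproduce the post's test case 1: rename the member in the central directory only.
    Restricted to same-length names so no length or size fields need rewriting."""
    old_b, new_b = old.encode("utf-8"), new.encode("utf-8")
    if len(old_b) != len(new_b):
        raise ValueError("replacement name must have the same byte length")
    pos = zip_bytes.index(old_b, central_directory_offset(zip_bytes))
    return zip_bytes[:pos] + new_b + zip_bytes[pos + len(old_b):]


def local_header_name(zip_bytes: bytes, offset: int) -> str:
    """Filename as stored in the local file header that a central directory entry points at."""
    fields = LOCAL_HEADER.unpack_from(zip_bytes, offset)
    signature, flags, name_len = fields[0], fields[2], fields[9]
    if signature != b"PK\x03\x04":
        raise ValueError("bad local file header at offset 0x%x" % offset)
    start = offset + LOCAL_HEADER.size
    raw = zip_bytes[start:start + name_len]
    return raw.decode("utf-8" if flags & UTF8_NAME_FLAG else "cp437")


def audit_zip(zip_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Flag members whose displayed (central directory) name differs from the local header
    name, and names carrying a right-to-left override, without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            shown = info.filename
            actual = local_header_name(zip_bytes, info.header_offset)
            if shown != actual:
                findings.append(("name-mismatch", shown, actual))
            for name in dict.fromkeys((shown, actual)):
                if RTLO in name:
                    findings.append(("rtlo", name, name.replace(RTLO, "\\u202e")))
    return findings


if __name__ == "__main__":
    clean = build_zip("putty.exe", b"MZ constructed, not a real executable")
    print(audit_zip(spoof_central_name(clean, "putty.exe", "putty.jpg")))
    print(audit_zip(build_zip("putty" + RTLO + "exe.png", b"MZ constructed")))
```

Python’s own zipfile raises BadZipFile when a member with mismatching names is opened, because it compares the two; the audit above reports the mismatch without reading any member data.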

The people at mitre.org were patient with me and very helpful while I was reporting this bug.
Other file archive tools probably have similar problems as well.
I’ve attached the files for Test Cases 1,3 & 5 for reference.
IZArc_POC

Below is the timeline of my disclosure.

Timeline:
=========

Date Discovered: 24 March 2014 – Vulnerability Discovered.
Vendor notified: 24 March 2014 – Initial Vendor Notification, no reply.
Vendor notified: 01 April 2014 – Second Vendor Notification, no reply.
Advisory posted: 05 May 2014 – No response from Vendor, published.
Version checked: 30 July 2015 – Bug still exists in new version

Thanks & Regards
Jacob Soo

[ VXSecurity.sg Vulnerability Research Advisory : ALZip for Android ZIP Archive Extraction Directory Traversal & Local File Inclusion Vulnerability ]

This is just a simple vulnerability research advisory in which I talk about the ALZip for Android ZIP Archive Extraction Directory Traversal & Local File Inclusion Vulnerability.
Since the vendor has not replied to me for three months, and I personally don’t think it’s severe, here goes…

[ Summary: ]
An archive extraction directory traversal vulnerability has been found in ALZip for Android.
When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user’s Android device.

[ Tested Versions: ]
ALZip Android Version 1.0.21 – 1.0.22

[ Tools Used: ]
Drozer

[ Details: ]

When extracting compressed files from an archive, the extraction functionality does not properly sanitise compressed files that have directory traversal sequences in their filenames.
By tricking a user to extract a specially crafted archive containing files with directory traversal sequences in their filenames, an attacker can write files to arbitrary locations within the SD card of the user’s Android device, possibly overwriting the user’s existing files.

For example, a malicious archive can contain a compressed file with the following filename:

[ PoC: ]
1.) Copy the PoC.ZIP archive into the /storage/sdcard0/Download/ directory of your Android device.

IMPORTANT: Ensure that the /storage/sdcard0/Download/ directory exists on your Android device, or the PoC will not work.
Extract the PoC ZIP archive into the /storage/sdcard0/Download/ directory, i.e. tap and hold the PoC ZIP file until the action selection pop-up appears, then select the “Extract” option.


Finally, select the “Extract here” option.


When the extraction completes, navigate to the /storage/sdcard0/ directory. You’ll notice that pwnies.txt has been extracted into /storage/sdcard0/pwnies.txt instead of into /storage/sdcard0/Download/pwnies/pwniestxt.

Hence, by tricking a user to extract or download a specially-crafted archive, an attacker can potentially exploit this issue to write files into arbitrary locations within the SD card in the user’s Android device, or to overwrite files in known locations within the SD card.

For example, an attacker who knows the filenames of the user’s photos in the /storage/sdcard0/ directory could exploit this vulnerability to overwrite them.
But I doubt anyone knows the filenames.
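The check the advisory says ALZip lacks, written out in Python as an added example (not code from ALZip or from the original post): each member’s path is resolved against the extraction directory before anything is written, and members that escape it are reported instead of extracted. The archive is constructed in memory; the real PoC member name is not shown in the post, so the escaping entry here is a stand-in.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List


def is_inside(base: str, target: str) -> bool:
    """True if target resolves to base itself or somewhere below it ('..' and symlinks resolved)."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def safe_extract(zip_bytes: bytes, dest: str) -> Dict[str, List[str]]:
    """Extract only members whose resolved path stays inside dest; every other member is
    reported instead of written. This is the sanitisation step the advisory describes as missing."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths and drive letters never belong in an archive member name.
            if os.path.isabs(name) or os.path.splitdrive(name)[0]:
                rejected.append(name)
                continue
            target = os.path.join(dest, name)
            if not is_inside(dest, target):      # catches ../ sequences after normalisation
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return {"extracted": extracted, "rejected": rejected}


def build_poc_zip() -> bytes:
    """Constructed stand-in for the advisory's PoC.ZIP: one benign member and one whose name
    climbs out of the extraction directory (the post does not show the real member name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pwnies/readme.txt", "benign\n")
        zf.writestr("../pwnies.txt", "escaped\n")
    return buf.getvalue()


def demo() -> dict:
    """Extract the constructed archive into <tmp>/Download and report what landed where."""
    with tempfile.TemporaryDirectory() as tmp:
        download = os.path.join(tmp, "Download")
        os.makedirs(download)
        result = dict(safe_extract(build_poc_zip(), download))
        result["escaped_file_exists"] = os.path.exists(os.path.join(tmp, "pwnies.txt"))
        result["benign_file_exists"] = os.path.isfile(os.path.join(download, "pwnies", "readme.txt"))
    return result


if __name__ == "__main__":
    print(demo())
```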

Another bug was found manually by reversing the application, and at the same time via Drozer, because of an exposed content provider.
For simplicity’s sake, I will describe the Drozer method.
What this means is that you can read the contents of any file on the victim’s Android device with a specially crafted APK that abuses ALZip’s exported content provider.

The reason for this bug is that the content provider is exported.
A content provider can provide access to the underlying file system.
This allows apps to share files where the Android sandbox would otherwise prevent it.
We can reasonably assume that “files” is a file-system-backed content provider and that the path component represents the location of the file we want to open.

So, in Drozer, if you run the following command:

You will get back the contents of /etc/hosts.

But this particular bug is not critical, since /etc/hosts is world-readable anyway.
It is only serious if the app stores sensitive user information or has a SQLite database.

[ POC/Test Code: ]
You can download the PoC here and follow the instructions described in this blog post.

[ Disclosure Timeline : ]
01-04-2015 – Vulnerabilities Discovered.
01-04-2015 – Vulnerabilities Details Sent to Vendor.
01-04-2015 – No Reply From Vendor.
13-05-2015 – 2nd Email Sent to Vendor
13-05-2015 – No Reply From Vendor.
01-07-2015 – Public Release.

Thanks & Regards
Jacob Soo

[ VXSecurity Meetup ]

To be honest, I really don’t know what to call this upcoming event, since I don’t organise any sort of technical meetup except for CTFs or drinking.

VXSecurity is run by a group of friends in SG committed to the spread of hacker culture & free/open-source software by continuously writing technical articles. We try to provide a platform for like-minded people in SG who are currently building or breaking things (be it for charity, business or pleasure).

We usually hold workshops and give presentations at local universities, so this technical meetup is a new experience for us.

We firmly believe that breaking & building is a good way forward for any type of innovation. As an extension of that, we think that tinkering is a good way for everyone to try and learn new things. I am also glad that NSHC has let us use their meeting room for this event and that the students from NUSGreyHats are helping me set this up.
Thanks a lot. 😀

When: Monday 06th July 2015
Where: 8 Shenton Way, #04-01 AXA Tower, Singapore 06811
Time: 6:30 PM
After Talks: Nothing planned at this point of time
Organisers: Meder Kydyraliev
Contact: Comments below.

PRESENTATIONS: 
Securing the Tangled Web: Preventing Script Injection Vulnerabilities through Software Design – Meder Kydyraliev

Level:
Beginner (presentation of concepts described in the paper with the same title by Christoph Kern [1])

If you’ve developed software, you’ve probably been told at least once that security should be built into your application. But what does it mean? It’s clear that modern web application frameworks are too busy trying to make security “easy”, some with the goal of never exposing developers to it at all. In this talk I’ll present an example of building security into your application and why I think it’s not a good idea to hide security critical pieces of your application.

[1] http://research.google.com/pubs/pub42934.html

Bio: 
Meder has been working in the area of application security for nearly a decade. He’s poked at, broken, and helped fix a lot of code that businesses and parts of the Internet depend on (Struts2, JBoss Seam, Google Web Toolkit, and Ruby on Rails, to name a few). Some of the things that excite him include: karaoke, server-side security, kumys and making software security easier.

Thanks & Regards
Jacob Soo

[ Walkthrough : SyScan 2015 Badge Challenge ]

Two days ago, a few of us went to SyScan and completed the Badge Challenge that was put together by the SyScan crew.
Here is a short write-up of our experience with all of the puzzles, their solutions, and the steps to solve them.
Of course, @miaubiz gave us a huge clue for solving the last stage and he also found the “Easter Egg” or “Debug Mode” in it.

Spoiler Alert: The following article is a detailed and methodical walk through of how to solve the challenge.
So please do take note and understand that this document contains MASSIVE spoilers!
If you’d rather try it for yourself, stop reading now and go and play NOW!

 

 

 

 

 

 

 

 

 

 

 

 

Still here?
Alright, let’s go!

[ Stage 1 ]

One of the options we had when we powered up the badge was “Unlock 1”.
So we tried a bunch of options like “Open”, “Open Sesame”, “Open now God Damn It”, but we always got back the following QR code.
The QR code decodes to “Try \"Unlock\"”.
So we thought, why not just try “Unlock”?

Surprisingly, we got back another QR code.
This QR code decodes to “insufficient privilege”.
Initially, we thought that maybe we needed a special “username” before we could unlock this.
So we started brute-forcing all the possible “usernames” an “admin” might use.
All of these failed, until after the first tea break we tried “sudo unlock”, as shown in the image below.
w00t h00t, we have successfully unlocked “Stage 1”.

[ Stage 2 ]
When we tried to unlock “Stage 2” using the same password as “Stage 1”, we got back something that looked like “Morse code”.
After decoding the “Morse code”, we got back “ttall”.
We tried that but alas, it didn’t work at all. Then Thomas gave everyone this clue: it’s not full Morse code.

We wondered whether it could be “--all”, since it sounds and looks like it.
So we entered “--all”, but it wasn’t the key to “Stage 2”.
After another round of tea break, we wondered whether “--all” should be appended to the answer for “Stage 1”.
So we tried “sudo unlock --all”. “Stage 2” unlocked.

[ Stage 3 ]
For “Stage 3”, we saw a new option to choose, “Crypt-analysis”.
Selecting this option, we can see the following instruction.

Our initial thought was, “Let’s use Base32 to decrypt it”.
However, we tried and it failed. We got past this when @miaubiz gave me a clue: “Try a bit-flipping technique like +1 and -1 on the characters.”
So we listened to his sage advice and started brute-forcing using “Ask Oracle”.
For simplicity’s sake, we tried the first two characters and saw this English-looking word.

“srueamishossifrage” seems like an English word, so we started “Googling” for it, but with no results… then we pondered for a while, realised it could be “squeamishossifrage”, and found this page.
Hmmmm… “The Magic Words” and “Cipher” were found on this Wikipedia page.

So we tried “squeamishossifrage” and, bingo, we solved this.

[ Easter Egg or Debug Mode ]
@miaubiz found this interesting “Easter Egg”, or is it “Debug Mode”? It bypasses “Stage 1” and “Stage 2” and goes straight to “Stage 3”. O_O

So what @miaubiz did was take out the battery, push the joystick to the “Up” position and then re-insert the battery.
Next thing you know, the username is adm1n and you have reached “Stage 3”.

This “Easter Egg” is useful if you don’t want to keep repeating the process of solving the first 2 stages if your badge resets itself back to default.

Let me repeat this again. @miaubiz is a GENIUS.

Another thing we found, though we are still unclear what use it has, is the secret number in “Waste of Time”.

When you start the game, it shows “Game of Life”. One of us is very familiar with “Game of Life” and immediately found this secret number.
Could “Godfather” Thomas Lim be giving us 8696 as the winning number for this week’s 4D? xDDD

We hope that this walkthrough is simple to understand. Please let us know if we did anything wrong in our process in solving this.

Well, all the guys here wish that the “Godfather” Thomas will organise another wonderful .SG conference in 2016 if there is no SyScan 2016… or will SyScan 2016 happen? xDDD

Happy Reversing,
Jacob, Damian & Glenn

[ Technical Analysis: Deceiving ‘Parked Domain’ & several .SG sites serve exploits ]

I reported the following Singapore website(s), which might be serving malicious content, to SingCERT back on 29th November 2014.
But I have just checked today, and all of these site(s) are still serving the same malicious content.
This is even though they told me back on 1st December that they had notified all relevant partie(s). O_o”

For the first website, I happened to chance upon this while checking out Lego-related stuff.
Severity: Malware Hidden Inside JPG EXIF Headers
Confidence: Certain
Host: h–p://www[.]thebroerscafe[.]sg
Path: /wp-content/uploads/2013/05/Lego-workshop[.]jpg

Issue Description:
The malicious content hides its data in the EXIF headers of a JPEG image.
So how does malicious content in the EXIF headers of a JPEG image get executed?
Basically, it uses the exif_read_data and preg_replace PHP functions to read the headers and execute itself.
If you were to view the EXIF info of the following image:
h–p://www[.]thebroerscafe[.]sg/wp-content/uploads/2013/05/Lego-workshop[.]jpg

You will see something like this.

Image 1 : Exif info of Malicious JPG file

If you open it in Notepad++ or a hex editor, it’s hidden here, as shown in the image below.

Image 2 : Malicious JPG opened in Notepad++

Note the PHP code in the EXIF Model field, and also the string /.*/e in the Maker field.
Once the base64 string is decoded, the code translates into:

Basically, it evaluates whatever it gets through the POST parameter zz1.
But this is an image; how does this code get executed?
Thanks to the PHP exif_read_data function –

The PHP function preg_replace will interpret the content as PHP code thanks to the string /e (the Maker field in the EXIF data). This will execute the eval code in the second EXIF field (Model). So basically this is a backdoor that will execute any command inside the zz1 POST parameter. The /e pattern modifier is deprecated since PHP 5.5.0, which is good news.

So basically this is a two-component backdoor comprising a JPEG file with malicious EXIF data and a piece of PHP code that executes it.
This PHP code can easily be inserted into any other PHP file on the server, where it is unlikely to be noticed.
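As a defender-side check for the layout described above, here is an added example that is not code from the original post: it walks a JPEG’s marker segments, parses the APP1/Exif IFD0, and flags the pairing of a /e-modifier pattern in the Make tag (the “Maker” field above) with eval-style PHP in the Model tag. The JPEG it scans is constructed inline and is not the real Lego-workshop.jpg.

```python
import re
import struct

MAKE, MODEL = 0x010F, 0x0110  # TIFF/Exif tag ids of the two fields the backdoor abuses

def parse_ifd0(tiff: bytes) -> dict:
    """Return the ASCII (type 2) tags of IFD0 as {tag_id: text}; other types are skipped."""
    end = "<" if tiff[:2] == b"II" else ">"  # byte order mark: Intel or Motorola
    ifd = struct.unpack(end + "I", tiff[4:8])[0]
    count = struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]
    tags = {}
    for off in range(ifd + 2, ifd + 2 + 12 * count, 12):
        tag, typ, n, val = struct.unpack(end + "HHII", tiff[off:off + 12])
        if typ == 2:  # ASCII; values longer than 4 bytes live at offset `val`
            raw = tiff[val:val + n] if n > 4 else struct.pack(end + "I", val)[:n]
            tags[tag] = raw.rstrip(b"\x00").decode("latin-1")
    return tags

def exif_tags(jpeg: bytes) -> dict:
    """Walk the JPEG marker segments and parse the first APP1/Exif block found."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)  # not a JPEG: skip the loop
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if jpeg[pos + 1] == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return parse_ifd0(body[6:])
        pos += 2 + seg_len  # Exif must precede SOS (0xDA), so the loop stops there
    return {}

def scan_exif_backdoor(jpeg: bytes) -> list:
    """Flag the Make='/.../e' + Model='eval(...)' pairing described in the post."""
    tags, findings = exif_tags(jpeg), []
    if re.fullmatch(r"/.*/[A-Za-z]*e[A-Za-z]*", tags.get(MAKE, "")):
        findings.append("Make is a PCRE pattern carrying the /e modifier")
    if re.search(r"eval\s*\(|\$_(POST|GET|REQUEST)\b", tags.get(MODEL, "")):
        findings.append("Model contains PHP that evaluates request input")
    return findings

def build_sample_jpeg(make: bytes, model: bytes) -> bytes:
    """Constructed test input: SOI + APP1/Exif (little-endian, two ASCII tags) + EOI."""
    make, model = make + b"\x00", model + b"\x00"
    data = 8 + 2 + 2 * 12 + 4  # TIFF header, entry count, two entries, next-IFD pointer
    ifd = struct.pack("<H", 2) + struct.pack("<HHII", MAKE, 2, len(make), data)
    ifd += struct.pack("<HHII", MODEL, 2, len(model), data + len(make)) + struct.pack("<I", 0)
    app1 = b"Exif\x00\x00II" + struct.pack("<HI", 42, 8) + ifd + make + model
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

# Constructed inputs, not the real image: one mimicking the backdoor layout, one benign.
SUSPECT = build_sample_jpeg(b"/.*/e", b'eval(base64_decode($_POST["zz1"]));')
BENIGN = build_sample_jpeg(b"Canon", b"Canon EOS 5D")
```

Running `scan_exif_backdoor` over every image under wp-content/uploads is a cheap way to spot this particular dropper without a PHP interpreter in the loop.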

As the website is using TimThumb, which has been known to have several security vulnerabilities for years, I would recommend that the website owner discontinue the use of TimThumb.

If anyone is interested in learning more about this, you can read about it here.
Related Links:
http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html
http://securelist.com/blog/research/58196/malware-in-metadata/

For the 2nd website,
Severity: Redirection to possibly ExploitKit
Confidence: Certain
Host: h–p://www[.]hinhuatdj[.]com
Path: /index[.]html

Issue Description:
If you take a look at the page source of index.html, you will find this malicious JavaScript at the bottom of the page.

Image 3 : Source of Index.html in www[.]hinhuatdj[.]com

Please don’t run the script unless you know what you are doing. Once you have safely decoded it, you will see this.

Image 4 : Decoded Javascript pointing to Malicious website

A quick check against VirusTotal shows that it has previously been flagged as malicious by Kaspersky and Sucuri.

This is the Virustotal report on the website.
https://www.virustotal.com/en/url/57186289dcea318fc52dbfe1ccd850cb5c2e1ffdf3b6be136330cfad1a169f40/analysis/1417239062/

For the 3rd website,
Severity: Compromised website
Confidence: Certain
Host: h–p://www[.]mdas[.]org[.]sg
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will see that the page has been injected with malicious HTML code, as shown below.
The links seem to be porn URLs.

Image 5 : Injected html codes

Visitors to this website might accidentally click on the porn URLs and potentially be exposed to other malicious stuff.
The IP address of this website is currently 111.235.138.70.
111.235.138.70 currently belongs to Vodien Internet Solutions Pte Ltd, which is a local web hosting company.

For the 4th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://333bakkutteh[.]com
Path: /index[.]html

Issue Description:
If you view the website in a safe manner, you may find that it is currently “Parked” or not in use.

However, if you take a look at the page source of index.html, you will find this malicious JavaScript at the bottom of the page.

Image 6 : Injected html codes

Based on personal experience, I can straight away recognise this as an ExploitKit.
Visitors to this website will immediately be exposed to the exploits served by this ExploitKit.
The IP address of this website is currently 112.140.185.140.
112.140.185.140 currently belongs to sparkstation.net, which is a .SG web hosting company.

For the 5th website,
Severity: Serving ExploitKit
Confidence: Certain
Host: h–p://fonghsiang[.]com[.]sg/
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will see that the page has been injected with malicious HTML code, as shown below.

Image 7 : Injected html codes

For the 6th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://hychem-ap[.]com[.]sg
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will see that the page has been injected with malicious HTML code, as shown below. It’s the same as the 5th website.

Image 8 : Injected html codes

For the 7th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://actinium[.]sg/
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will see that the page has been injected with malicious HTML code, as shown below. It’s the same as the 5th website.

Image 9 : Injected html codes

Based on personal experience, I can straight away recognise that all of these are ExploitKit injections.
Visitors to these website(s) will immediately be exposed to the exploits served by this ExploitKit.
Both h–p://fonghsiang[.]com[.]sg/ & h–p://hychem-ap[.]com[.]sg are currently at 203.142.25.182, and h–p://actinium[.]sg/ is currently at 202.157.153.5.

Both 203.142.25.182 & 202.157.153.5 currently belong to Webvisions Pte Ltd, which is a .SG web hosting company.
The impact of these domains is that innocent visitors with no protection could become the next victims if both the malicious scripts and the C2 are still working.
This is a “REMINDER” to everyone not to trust a “site” by its cover and to always exercise caution. Attacker(s) are always thinking of new ways to trojanise victim(s).
The attacker(s) here were clever to hide the malicious code the way they did, because they can easily trick victim(s) who might think the site(s) are “already expired” or “suspended” by the hosting provider.
But in reality, that is not the case.

Happy Reversing
Jacob Soo

[ Technical Teardown: PHP WebShell ]

[ How it starts ]
Today, my personal scanner found yet another PHP WebShell.
Since we at VXSecurity.sg haven’t written anything on PHP WebShells, I will be writing one on it today.
So what is a “PHP WebShell”?
A PHP WebShell can give malicious hackers access to perform the following actions:

  • Archive or extract files
  • Brute-force logins for FTP, MySQL, pgsql
  • Create or delete folders
  • Download files
  • Encode or decode files
  • Open a bash shell, which allows the remote attacker to execute commands
  • Open files
  • Rename files
  • Run SQL commands
  • Search folders
  • Show active connections
  • Show computers the infected computer has access to
  • Show running services
  • Show user accounts
  • Show IP configuration
  • Connect to certain servers

A PHP WebShell also allows attacker(s) to connect to the server(s) in order to receive arbitrary information about your PC and/or server.
Today, I found this PHP WebShell at http://www[.]motorossarkany[.]hu/images/hir_41_1[.]jpg

[ Sample used in the analysis ]
MD5: 379f63c3df8570a479017757c0826d2e
SHA1: 3f86bd230c01c54d356d910c5ba161b2857ee5fb
PHP WebShell Sample
The password to the zip is “infected29A”.

[ Tool Used ]
Notepad++

[ Analysis of the .JPG file ]
If we open this .jpg file in any hex editor or Notepad++, the following image is what we see.

Image 1 : hir_41_1.jpg

We can see right here that it’s basically a .php file rather than a .jpg file.
In this case, we can safely say that the .htaccess file is set to run JPG files as PHP. This is why the PHP code is executed even though the file extension is GIF or JPG.

Let’s try decoding the top portion of the script, and we should get back this:

Hmmm…seems like $_F and $_X are not used. Or are they?
As we reach the bottom of the file, we see another interesting part of the script, as shown in the image below.

Image 2 : Decoding 2nd part of the PHP WebShell

As we can see here, we already have the value of “$OOO0000O0”: it is “base64_decode”.
So basically, it’s just a base64 decoding of the string shown below.

Image 3 : String to be base64 decoded

After we base64 decode it, we get back the following piece of code.

To avoid anyone accidentally running the script, just replace the above code snippet with the following one.

Now if you run the script again, you should get back 2 .txt files (“file_x.txt” & “file_R.txt”).
I did this just to show the differences between the two, for those who are not familiar with PHP.

OK, we should now be able to see the actual PHP WebShell, as shown below.
Image 3 : Final Deobfuscated PHP WebShell

So the thing I hope sysadmins learn here is to always do due-diligence checks on your web server and to check your .htaccess files, if there are any.
If you see new image files and lots of entries for them in the access logs, do check those files.
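As an added example that is not code from the post, here is a small check for the two things this analysis turns on (the .htaccess mapping noted under “Analysis of the .JPG file” and the advice just above): an .htaccess that hands image extensions to the PHP engine, and an “image” whose first bytes are not an image at all. The .htaccess content is constructed, and the handler and extension patterns are assumptions about common mod_php / FastCGI setups.

```python
import re
from pathlib import Path

# Magic bytes an honest image of each extension must start with.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8", ".png": b"\x89PNG"}
PHP_HANDLER = r"x-httpd-php|php\d*-(?:script|cgi|fpm)"  # assumed common handler names
IMAGE_EXT = r"\.(?:jpe?g|gif|png)\b"

def suspicious_htaccess_lines(text: str) -> list:
    """Return (line_no, line) for directives that hand image extensions to the PHP engine:
    AddHandler/AddType naming an image extension, or SetHandler inside a <Files*> block
    whose pattern targets images."""
    hits, block = [], ""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        low = s.lower()
        if low.startswith("<files"):        # opens <Files ...> or <FilesMatch ...>
            block = low
        elif low.startswith("</files"):
            block = ""
        elif not re.search(PHP_HANDLER, low):
            continue
        elif re.match(r"(?:addhandler|addtype)\b", low) and re.search(IMAGE_EXT, low):
            hits.append((n, s))
        elif low.startswith("sethandler") and re.search(r"jp|gif|png", block):
            hits.append((n, s))
    return hits

def is_masquerading_image(name: str, head: bytes) -> bool:
    """True when a file with an image extension lacks that format's magic bytes,
    e.g. a .jpg that begins with '<?php' like the hir_41_1.jpg sample."""
    magic = IMAGE_MAGIC.get(Path(name).suffix.lower())
    return magic is not None and not head.startswith(magic)

# Constructed sample .htaccess, not taken from any real site.
HTACCESS = """\
RewriteEngine On
AddType image/jpeg .jpg
AddHandler application/x-httpd-php .jpg .gif
<FilesMatch "\\.(jpe?g|png)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""
```

On a real server, feed `is_masquerading_image` the first 16 bytes of every file under the upload directories and `suspicious_htaccess_lines` every .htaccess found by a recursive walk.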

I hope this is useful to someone out there.

Happy Reversing
Jacob Soo