[ Technical Teardown: Maybank Phishing Malware – Part 1 ]

Recently, Jacob discovered 2 interesting phishing websites, http://maybankk2u[dot]com  and http://maybank2u-my[dot]com This 2 websites had the same identical codes and come with a malware in it.

The malware that we discovered is a file infector virus. It scans the system for .html files, .exe and autorun.inf and insert malicious codes into the files.

[ Sample used in the analysis ]
MD5: 44A604F9D96368A83DF55E19644321D3
SHA1: CDBF41310DAE6EFF1127BB92A217369FD2F90B37896568D4F34528AC20468B5C
Malware Sample: index page
Password is “infected29A”

[Backdoor Analysis]
A brief high level overview of the malware infection process flow.

Figure 1 – Infection process

[ Initial Exploitation ]
The backdoor was dropped onto victims’ machine via a malicious VBScript in phishing home page.

Maybank Phishing homepage

Figure 2 – Maybank Phishing homepage

[ VBScript analysis ]
Scrolling down the html source of the webpage, you will come across a large chunk of alphanumeric text. If you look closer at the start of this large chunk of text, you will see the hexadecimal “0x5A4D” which stands for MZ in ascii. Files that start with a MZ header suggests that it is a PE file. You may refer to the following website http://wiki.osdev.org/PE for more information about PE files.

To download the payload you may either run the VBScript (which I don’t really recommend) or simply copy the entire hexadecimal wall of text into a hex editor and save it as a .exe file.

MZ

Figure 3 – MZ header spotted

MZ-end

Figure 4 – Dropping malware into temporary folder

When the VBScript is executed, it drops an executable into the targets’ temp folder. The file names are hard-coded as the malware author is probably trying to hide the malware in plain sight by using a common windows executable name, svchost.exe

The details of the extracted malware from the HTML is as follows:
SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320
VirusTotal Report: 50/54 (link); 2016-02-03 11:56:14 UTC
Compiled Date/Time: 2008-02-12 11:02:20
Packed: UPX

Let’s unpack the malware using UPX tool itself.

upx decompile

Figure 5 –Unpacking using upx -d

The details of the unpacked malware is as follows:
SHA256: 876C5CEA11BBBCBE4089A3D0E8F95244CF855D3668E9BF06A97D8E20C1FF237C
VirusTotal Report: 44/54 (link); 2016-02-02 23:21:33 UTC
Compiled Date/Time: 2008:02:12 12:02:20+01:00

The malware camouflage itself as a bitdefender management console. Another interesting thing to note is that both the product version and the file version seems to be an ip address (106.42.73.61).

stealth

Figure 6 – Possibly IP address

[ Dynamic Analysis ]
Let’s begin our journey in analyzing this piece of malware. The malware author had used anti reversing techniques to deter malware analyst from reversing it. Using IDA Pro to see the binary isn’t of much use. Using Procmon surface some interesting stuff.

writefile

Figure 7 –New file dropped

As we can see from Figure 7, the malware is writing a new executable into “C:\Program Files\Microsoft\DesktopLayer.exe“. After examining the hashes of the newly dropped executable, I can conclude that the malware simply copy and pasted itself into the new location.

processcreate

Figure 8 – Executing DesktopLayer.exe

After the file has been copied to the new location, A ProcessCreate function is called to execute the newly dropped executable. The current executable will then terminates.

DefaultBrowseri

Figure 9 – Executing Default Browser

Analyzing DesktopLayer.exe via olly debugger shows that the malware is attempting to run the default browser in the operating system. For this case here, it is attempting to execute IEXPLORE.EXE. On further examination, we will notice that the malware is actually trying to write process memory into the suspended IEXPLORE.exe process. This technique is known as process hollowing. Once the malware has finished writing its code into IEXPLORE.EXE process, it will then resume the suspended thread.

mutant

Figure 10 – Mutex

Based on Figure 10 taken from process explorer tool. We can observe that the malware uses a unique string (KyUffThOkYwRRtgPP) as it’s mutex.

It is also noted that the malware adds the following key into the registry “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit“. By doing so, it is able to maintain it persistency in the victims’ machine.

registry

Figure 11 – Persistent Registry Key

To get the actual malware codes that is running off IEXPLORE.exe, we would need to attach ollydbg into the running process and by using the OllyDumpEx plugin we can dump out the running process.

The dumped process contains some interesting strings.

processDump_strings

Figure 12 – Script Tags and Autorun?

There are some more interesting strings in the dump that suggests that there is an Antidote for this virus. It also contained the mutex key and a domain name.

otherstrings

Figure 13 – Antidote is available

I am interested in using the antidote. Analyzing the injected process memory dump we come to this assembly codes. To activate the “Antidot”, we would just need to add a registry key; “HKLM\Software\WASAntidot\disable“.

antidote

Figure 14 – Disable Malware

As shown in Figure 15, we can prevent mass infection of the virus by adding the registry key as earlier . We even get to see a nice message box telling us that Antidot is activated.

enabling antidote

Figure 15 – Antidot Activated

The malware loop through the folders in the victims’ machine and edit all html file it come across with the same malicious code we found in the phishing website. It also attempts to infect suitable .exe files with malicious codes. Once these infected executable gets executed, a copy of the same malware will be dropped and executed on the machine.

The malware also infects removable drives by editing the autorun.inf and planting itself in the RECYCLER sub folder. Better unplug your removable drives from the VM before you try analysing this!

The malware attempts to resolve a domain, fget-career.com. It also attempts to resolve google.com.

wireshark

Figure 16 – DNS queries in Wireshark

Spawning Shell

Figure 17 – Spawning Shell

Once the malware calls fget-career url. It can executes shell on the target machine if commands are given.

port 4678

Figure 18 – Open port 4678

The malware also attempts to listen on port 4678.

tcpmon

Figure 19 – Port 4678 Opened

One of the common ways to find infected or breached systems that most AV companies use is using IOC.  We should be looking for known (or suspicious) command and control (C&C) traffic on the network and looking for known bad or suspicious indicators on the hosts.

Based on our dynamic analysis, below are the known IOC that we can scan our PCs.

[ Host based Indicator ]

  1. Mutex – KyUffThOkYwRRtgPP
  2. File – C:\Program Files\Microsoft\DesktopLayer.exe
  3. File – temp folder\svchost.exe
  4. Registry Key – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  5. Process – Default Browser with no parent
  6. C:\Program Files\Internet Explorer\complete.dat (Default browser path)
  7. C:\Program Files\Internet Explorer\dmlconf.dat (Default browser path)

[ Network based Indicator ]

  1. fget-career.com (DNS)
  2. User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  3. Listener on port 4678

[ Whois information ]

Domain Name: MAYBANKK2U.COM
Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD.
Sponsoring Registrar IANA ID: 1556
Whois Server: whois.west263.com
Referral URL: http://www.west.cn
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
Status: ok https://www.icann.org/epp#OK
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:  207.226.137.64

Domain Name: MAYBANK2U-MY.COM
Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD.
Sponsoring Registrar IANA ID: 1556
Whois Server: whois.west263.com
Referral URL: http://www.west.cn
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
Status: ok http://www.icann.org/epp#OK
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:  207.226.137.64

networkwhois

Once again network whois on the suspicious ip we got from the product version earlier on points back to China.

However, based on the analysis done on the malware and based on passive DNS and past whois records from Virustotal and who.is, the ip address we got from product version earlier could likely to be a fake to throw us off.

Another thing to note is that fget-career.com seems to be offline at the moment and it will be expiring in March 2016. Therefore if we are interested to know/plot the infection widespread of this malware or to takeover this malware we can attempt to buy this domain and host our own C&C server.

D O

[ Sharing ] Analysing and retrieving the Statistics from shortened URLs

I’m going to talk about how you can view or check whether someone else clicked on the same shortened url as you.
This is also pretty useful if you want to know whether you are a target of a scam or being targetted to a drive-by.

The url which i’m going to test today is this:
http://www.dailychanges.com/

Let’s go through some of the URL shorteners and how we can get more info from these shortened URLs.
Bit.do
======
The original shortened link is http://bit.do/bKoMw
But if you append a “-” without the double quotes like this http://bit.do/bKoMw-
You will get to the statistics page for this shortened url.
It gave some important information about Referer sites, Referer pages and even visitors IP.
Probably dangerous if users are being targetted.

Next we will talk about Is.gd
Is.gd
======
The original shortened link is http://is.gd/MyG7K6
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://is.gd/stats.php?url=MyG7K6

Next we will talk about
Goo.gl
======
The original shortened link is http://goo.gl/z8w84
But if you append a “.” without the double quotes or “info” like this http://goo.gl/z8w84+ or http://goo.gl/z8w84.info
Once you go to the statistics pages, you will be redirected to something like this below.
https://goo.gl/#analytics/goo.gl/z8w84/all_time

Next we will talk about
Bit.ly
======
The original shortened link is https://bit.ly/1LsiFyY
But if you append a “.” without the double quotes like this https://bit.ly/1LsiFyY+
Using the statistics page, you can also check which other user are also sharing the exact same url as you did.
Please note that if the other user(s) used Google analytics in the url, you might not be able to see them in your statistics page.

Next we will talk about
crop.is
=======
The original shortened link is http://crop.is/NV8
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://crop.is/NV8+

tiny.ph
=======
The original shortened link is http://tiny.ph/2mCe
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.ph/2mCe+

tny.im
=======
The original shortened link is http://tny.im/3Bm
In order to access the statistics, they can simply change the url to something like the one below.
http://tny.im/3Bm+

tiny.cc
=======
The original shortened link is http://tiny.cc/xtad8x
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.cc/xtad8x~

Then again, if there isn’t any means to check the stats of the shortened URL.
Always make sure to use online services like http://longurl.org/ to make sure the shortened url is not redirecting to some malicious url.

I hope that readers will find all the information written here useful.

Have Phun
Jacob Soo

[ Technical Teardown: Malware Targetting Singapore Banks ]

[ Background ]
Originally i wanted to let one of the local student to write about it but he was busy with school, internship and solving challenges.
It’s also been a very long time since we written any “Technical Teardown” on malware/exploits here.

I got hold of this particular malware sample just days after these 2 reports.
http://www.abs.org.sg/pdfs/Newsroom/PressReleases/2015/MediaRelease_20151201.pdf
http://www.channelnewsasia.com/news/singapore/50-smartphone-users-in/2308976.html

The Association of Banks in Singapore (ABS) released an advisory to alert consumers on malware targeting mobile banking customers in Singapore.
We hope this technical teardown might be interesting to some of you.

[ Sample used in the analysis ]
MD5: 76745CE873B151CFD7260E182CBFD404
SHA1: 0F7C012466157891C1D12ADDDD4DFA0B8291DD75
Malware Sample: 76745ce873b151cfd7260e182cbfd404
Password is “infected29A”

Since it’s an Android malware, let’s check the permissions of this malware and further dissect it. Now, use apktool and run the following command:

Now let’s take a look at the AndroidManifest.xml file, you should see the following and the permissions requested by the APK file.

As we can see from the AndroidManifest.xml, it ask for quite a lot of permissions and it’s probably obfuscated.

Looking at the strings.xml and styles.xml, we can see that customised themes had been created for various banking applications.
This malware targets a number of banks by trying to mimic the authentic one and phishes for important banking information from the infected user as shown below.
0x0003
Figure 1 – Customised Themes

[ Junk Codes as Anti-Analysis? ]
It took me 20-30mins to realise that this author uses lots of junk code. Possibly with the purpose of deterring people like me from reversing the malware.
Import metadata such as strings and function names are also obfuscated as shown in the image below.
0x0001

Figure 2 – Junk Code with no useful functionality

Since the malware sample is heavily obfuscated, some of the things that i usually look out for is commands like Base64.decode or loadDataWithBaseURL or sendTextMessage

[ Revealing of Hidden Configuration Strings ]
So i did a quick grep and found out that it did use “Base64.decode” as shown below.
0x0002
Figure 3 – Base64 encoded string

The following is the base64 string which i extracted from the malware.

After doing a base64 decoding on it, i got back the following strings.

As we can see, the decoded strings contained IP addresses and other interesting strings. We also can safely assume that the malware author uses “@” as a delimiter.
For better illustration, i replaced all the “@” with newline.

[ Assessment of Malware ]
We can see that the IP addresses are the C&C servers communicating on port 34580.
http://37.235.48.177:34580/
http://46.108.39.12:34580/

Within the malware sample, we also found out that it is targeting victims with the following bank accounts.
Austria
=======

Dexia Kommunalkredit Bank
Bank Austria
Erste Bank und Sparkassen (Thanks to Alex Inführ for pointing my mistake.)
RGB (Raiffeisen Banking Group)
George (https://mygeorge.at/)
DK (Deutsche Kreditbank AG)
Bawag (BAWAG P.S.K)

Australia
=========

Westpac
St George
Gomoney
National Australia Bank
Commbank

New Zealand
===========

Westpac
Bank of New Zealand
ANZ Bank New Zealand

Singapore
=========

DBS
OCBC
POSB

Hong Kong
=========

Citibank
Bank Of China
Hang Seng Bank
Breeze

I’ll update this post later on how we can reverse such malware much more easily.
In the meantime, i do hope you enjoy reading it.

Happy Reversing,
Jacob Soo

[ Walkthrough : SANS 2015 CDI DFIR Challenge ]

Sorry that we haven’t been able to write anything interesting for the last few months.

I thought of publishing this first thing right after the competition had ended but Real Life gets the better of most of us. I totally forgotten about this as i was busy helping NUSGreyhats with their CTF and with my own personal stuff. It was lying on the draft folder collecting virtual dust just like my entry for SANS HolidayHackChallenge. 🙁
I don’t remember whether did i submit my answers for this challenge. 🙁

Below is my walkthrough for SANSCDI Forensic Challenge and i hope the process of solving the questions might be useful to someone out there. The entire challenge consists of 3 parts.

[ NTUSER.DAT CHALLENGE ]
In Part 1, we were given a link, http://dfir.to/EVIDENCE1 to download the data.
I have attached the file here incase the link is gone. Vibranium-NTUSER
On the page, we were asked the following questions.

1. What was the most recent keyword that the user vibranium searched using Windows Search for on the nromanoff system?
2. How many times did the vibranium account run excel.exe on the nromanoff system?
3. What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)

On Windows XP, there is actually the ACMru key located in the following registry key:
ntuser.dat\Software\Microsoft\Search Assistant\ACMru
This key stores the search terms that have been typed into a Windows search dialog box.
The following subkeys define where the search term was used:
5001 – List of terms used for the Internet Search Assistant
5603 – List of terms used for the Windows XP files and folders search
5604 – List of terms used in the “word or phrase in a file” search
5647 – List of terms used in the “for computers or people” search

Unfortunately on Windows Vista, it did not include a registry key for user searches.
However on Windows 7, the history of search terms using Windows Search can be found in the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
The WordWheelQuery subkey records information about user searches.

There are many great registry tools out there. But for this particular challenge, i will be using Windows Registry Recovery.

Challenge.0x0001

As we can see from the above image, the very first entry in the MRUListEx is “01 00 00 00.”
This simply means that the entry “1” is the most recently searched item.

In this particular case, we can see that the value for the first entry is “alloy” and that’s our answer.
Challenge.0x0002

Moving on to the 2nd question, 2. How many times did the vibranium account run excel.exe on the nromanoff system?
For this particular question, we are required to check the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Challenge.0x0003

As we can see, the entries are all encoded using Rot13, the value we should be looking at is:
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
After decoding, the value will be:
{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office14\EXCEL.EXE

The number of times EXCEL.EXE was executed can be found at offset 0x04 in the UserAssist entry.
In this instance, the value is 4, which means that EXCEL.EXE was executed four times and that is our answer. 😀

Next we are asked, 3. What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)
For this particular question, we need to check the following registry key.
NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs

Challenge.0x0004

As we can see from the image above, the most recent typed url is “http://199.73.28.114:53/” and that is the answer.

[ SYSTEM and SOFTWARE CHALLENGE ]
In Part 2, we were given a link, http://dfir.to/EVIDENCE2 to download the data.
I have attached the file here incase the link is gone. SOFTWARE-SYSTEM-HIVES.zip
On the page, we were asked the following questions.

1. The Windows Registry shows evidence of one USB device connecting to the nromanoff system. What is the serial number for this device?
2. What was the volume letter assigned to this USB device? (Enter just the letter for the volume.)
3. What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)

For the 1st question, there are many different methods to find out the answer. So i will go through 2 of the common methods.
The first method that i will be using is to check the following registry:
SYSTEM\ControlSet001\Enum\USBSTOR

As we can see from the image below, the serial number of the usb device is “AA951D0000007252”
Challenge.0x0001

For the 2nd method, we can check the following registry:
SYSTEM\MountedDevices

As you can see from the below image, we found out usb device and also the volume letter, “E” assigned to it. We have found the answer to question #2 too.
Challenge.0x0002

Moving to question #3, 3. What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)
We need to check the following registry key:
SOFTWARE\Microsoft\Windows Portable Devices\Devices

Challenge.0x0003

Once again, we found out the volume name for the usb device, “SECRETPLANS”

[ MEMORY ANALYSIS CHALLENGE ]
In Part 3, we were given a link, http://dfir.to/EVIDENCE3 to download the data.
I have attached the file here incase the link is gone. memory-raw.zip
On the page, we were asked the following questions.

1. To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
2. What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

For this particular challenge, we were given a memory dump file. The best way to solve this is to use Volatility
As i am unsure of the profile to use, i used the imageinfo option to see what profiles should i use.
volatility-2.5.standalone.exe -f memory-raw.img imageinfo

As we can see from the image below, we can use the following profile. Win7SP0x86, Win7SP1x86
Challenge.0x0001

The first question, 1. To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
The option that we should be using is “netscan” and the command is
volatility-2.5.standalone.exe –profile=Win7SP0x86 -f memory-raw.img netscan

The returned results should look like the following image.
Challenge.0x0002

However, we are suppose to look for the remote IP address that spinlock.exe connected to.
We can see that spinlock.exe (PID 1328) is connected to “199.73.28.114” and that is our answer.
Challenge.0x0003

For the 2nd question, 2. What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
We should check the following registry key in order to know the name of the user who is logged into Romanoff.
HKEY_CURRENT_USER\Volatile Environment

The option that we will be using for volatility is “printkey -K ‘Volatile Environment'”
volatility-2.5.standalone.exe –profile=Win7SP0x86 -f memory-raw.img printkey -K “Volatile Environment”

As we can in the image below, the username is “vibranium”
Challenge.0x0004

Hooray, we are moving to the last question of this challenge.
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

This is fairly straight forward, according to https://technet.microsoft.com/en-us/library/bb457123.aspx.
“ntoskrnl.exe” is the first to load, we know that the process”System” will be process we should be checking

Using “pslist” option,
volatility-2.5.standalone.exe –profile=Win7SP0x86 -f memory-raw.img pslist

As we can see in the image below, the time for “System” is 2012-04-04 11:47:29 UTC+0000 and that is our answer to the last question.
Challenge.0x0005

I hope that the entire walkthrough is simple enough to follow and do on your own.

Happy Reversing
Jacob Soo

[ Walkthrough 2015移动安全挑战赛(第二届): iOS Challenge 1 ]

It’s been a long time since we wrote something here.
Today i will be writing on a simple iOS crackme which i found some time to play with 10days ago.

To make it easier for everyone to follow this lame guide of mine.
I’ve attached the file here: iOS Crackme

iOS.0x0001

The original question given to participants is like above.

But i’ve loosely translated the above text for simplicity sake. 😀

Opening the binary file in IDA Pro, the first thing that i usually look for in iOS Crackmes are “Strings” or “onClick” first.

In this case, i went for “strings”. The first thing that caught my eye is “decryptPassword
iOS.0x0001_1

Double click that string and then press “X” to list the cross references. I selected the method using that.

iOS.0x0001_2

After selecting that, you will get the following.

iOS.0x0001_3

As i’m on of those lucky ones to have the “Decompiler”, pressing “tab” and we will see this beautiful pseudo code.

iOS.0x0001_4

I’ve extracted out the codes for better reading purposes.

 

Based on the above pseudo codes, we can identify several things.

1.) There are 5 loops. Each loop started off by doing Caesar Cipher on the following base64 encoded string.

2.) After the Caesar Cipher, it base64 decoded the returned result .

3.)  Then it did a AES decrypt with the base64 decoded string and the key is the following:

4.) Then it repeats this process until the loop ended.

5.) Finally it compared the final result with the entered input by the user.

I made a simple python script to illustrate the steps.

 

The key for this challenge is “Sp4rkDr0idKit

Happy Reversing
Jacob Soo

[ Technical MeetUp ] Hack The World : Scada Hacking

The next technical meetup is another of our collaboration with the students from NUS GreyHats.
We try to be an open, inclusive and responsible volunteer driven community.

We are also committed to the spread of hacker culture & free/open-source software by continuously writing technical articles.
We hope that all these technical meetups not only helps to spread information security awareness but also allow us to learn from other members of the community as well.

We are also glad that NSHC had not only one of their employee, HyungWoo Kim, presenting for this event but also their CEO, Louis Hur. Grateful to the students from NUSGreyHats are helping me setting this up.

All the technical meetups are free for anyone to attend.
Thanks a lot to everyone involved. 😀

When Wednesday 12th August 2015
Where NUS, 13 Computing Drive
Singapore, School of Computing, COM1 Level 2 Seminar Room 3
Time 5:00 PM – 6:30 PM
After Talks Nothing planned at this point of time
Organisers NSHC, NUS GreyHats
Contact Comments below.

 

You can indicate your interest in attending here:
https://www.facebook.com/events/844396792303482/

In case you are lost in NUS, here is floorplan provided by NUS GreyHats.
COM1_L2_V21

PRESENTATIONS: 
The state of Scada System Security – Louis Hur
Hack The World : Scada Hacking – HyunWoo Kim

Level:
Beginner-Intermediate

Nowadays, many attack methodologies against SCADA systems are published on conferences or papers. However, it is a little hard to apply them on real world. So, we will discuss attack scenario and methodology to SCADA systems, focusing on Korea’s SCADA systems. but i think other country also very similar. Of course, there will be an attack demo in a simulated network.

Bio:
Mr Louis Hur is CEO & Founder of NSHC Inc. Mr. Louis brings more than 15 years of field-proven experience security businesses that help clients reduce their enterprise-wide IT security risk. Prior to starting NSHC, Mr. Louis served as the Pen-Tester and General Manager of TSONNET Global Professional Services organization. He specialised in pen-testing, Bug Hunting, Malware Analysis & Cyber-espionage investigation.
He is also the Team leader for Korea Cyber Terror Response Team. He has presented at Black Hat, HITCON, ISEC, CSS, etc.

Bio: 
HyunWoo Kim is a Security Researcher at NSHC.
In this role, HyunWoo analyzes and performs root-cause analysis of vulnerabilities.
His primary focus includes performing root-cause analysis and exploit development.
In 2015, he is one of the top 10 finalist from KITRI ‘Best of the Best’ 3rd edition.
He has spoken at numerous security related events, including CODEGATE 2015, SECUINSIDE 2015, CIISCON 2014, and POC 2014
BigBossMan

Thanks & Regards
Jacob Soo

[ VXSecurity.sg Vulnerability Research Advisory : IZArc file extension spoofing ]

This is another bug which i’ve found long ago while i was bored.
This could be a problem for IZArc users if they were targeted. If not, it’s not really serious.
I had written it previously in my old blog but i’m slowing moving some of the stuff over as i’m discontinuing the other blog.

[ Summary: ]
This article is on the following bug found in IZArc v4.1.8 – v4.1.9,
The bug had been assigned the CVE identifier CVE-2014-2720.

[ Tested Versions: ]
IZArc version 4.1.8 – 4.1.9

[ Tools Used: ]
HexEdit

[ Details: ]
I’ve created a zip file using WinRar containing putty.exe.
I’ve changed the filename at offset 0x460AE to putty.jpg as shown in the image below.
izarc.0x01

When i am modifying the offset at 0x460AE, I am basically modifying the Central Directory entry.
This is done so that it will appear on IZArc as “putty.jpg” instead of “putty.exe”.

Opening the newly modified zip file in IZArc version 4.1.9, we will see something like this.
izarc.0x02

This seems like a “File extension spoofing”.
While after decompression the user will get the real file name, putty.exe.
However, if the user double click “putty.jpg” instead. “putty.exe will execute as an application instead of executing using user’s imager viewer.

However if attackers were to use RTLO (Right to Left Order) in unicode: U+202E.
So, U+202E converts to 0xE280AE.
With a simple RTLO, we can reverse the right side of the filename, so “puttygnp.exe” looks like “puttyexe.png”.

This will pose a problem to all users of IZArc.
To date, according to download.com by CNET. IZArc had 2,153,572 downloads.
izarc.0x03

To make this a more comprehensive blog entry, the following are the tests which i did during this bug finding process.
It may be useful to list all of the different cases and their security properties.

Test Case 1:
============

Central Directory entry filename = putty.jpg
Local file header filename = putty.exe
File content = Microsoft EXE format
The user sees: putty.jpg
If the user clicks: putty.exe is executed

Test Case 2:
============

Central Directory entry filename = putty.jpg
Local file header filename = putty.jpg
File content = Microsoft EXE format
The user sees: putty.jpg
If the user clicks, user’s default JPEG viewer is launched instead.
This is safe behavior.

Test Case 3:
============

Central Directory entry filename = putty\xE2\x80\xAEexe.png
Local file header filename = putty\xE2\x80\xAEexe.png
File content = Microsoft EXE format
The user sees: puttygnp.exe
If the user clicks, puttygnp.exe is executed
This is normal behavior as user will see that this is an executable.

Test Case 4:
============

Central Directory entry filename = puttyexe.png
Local file header filename = putty\xE2\x80\xAEexe.png
File content = Microsoft EXE format
The user sees: puttyexe.png
If the user clicks, puttygnp.exe is executed

This is a valid spoofing attack. However, it is exactly the same
problem as test case 1. The attack methodology (using a “graphics image” file extension in the Central Directory entry) is the same.
The only part that is different is the real filename in the original unmodified ZIP file.

Test Case 5:
============

Central Directory entry filename = putty\xE2\x80\xAEgnp.exe
Local file header filename = puttygnp.exe
File content = Microsoft EXE format
The user sees: puttyexe.png
If the user clicks, puttygnp.exe is executed

This is also same as test case 1.

The people at mitre.org had been patient with me and very helpful while i am reporting this bug.
Probably other file archive tools have similar problems as well.
I’ve attached the files for Test Cases 1,3 & 5 for reference.
IZArc_POC

Below is the timeline of my disclosure.

Timeline:
=========

Date Discovered: 24 March 2014 – Vulnerability Discovered.
Vendor notified: 24 March 2014 – Initial Vendor Notification, no reply.
Vendor notified: 01 April 2014 – Second Vendor Notification, no reply.
Advisory posted: 05 May 2014 – No response from Vendor, published.
Version checked: 30 July 2015 – Bug still exists in new version

Thanks & Regards
Jacob Soo

[ VXSecurity.sg Vulnerability Research Advisory : ALZip for Android ZIP Archive Extraction Directory Traversal & Local File Inclusion Vulnerability ]

This is just a simple vulnerability research advisory where i talk on ALZip for Android ZIP Archive Extraction Directory Traversal & Local File Inclusion Vulnerability.
Since vendor don’t want to reply me for 3 months and i personally don’t think it’s severe.
Here goes…

[ Summary: ]
An archive extraction directory traversal vulnerability has been found in ALZip for Android.
When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user’s Android device.

[ Tested Versions: ]
ALZip Android Version 1.0.21 – 1.0.22

[ Tools Used: ]
Drozer

[ Details: ]
This advisory discloses an archive extraction directory traversal vulnerability in ALZip for Android.
When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user’s Android device.

When extacting compressed files from an archive, the extraction functionality does not properly sanitise compressed files that have directory traversal sequences in their filenames.
By tricking a user to extract a specially crafted archive containing files with directory traversal sequences in their filenames, an attacker can write files to arbitrary locations within the SD card of the user’s Android device, possibly overwriting the user’s existing files.

For example, a malicious archive can contain a compressed file with the following filename:

[ PoC: ]
1.) Copy the PoC.ZIP archive into the /storage/sdcard0/Download/ directory of your Android device.

IMPORTANT: Ensure that the /storage/sdcard0/Download/ directory exists on your Android device in order for the POC to work.
Extract the POC ZIP archive into the /storage/sdcard0/Download/ directory. i.e. tap and hold on to the POC ZIP file until the action selection pop-up appears, then select the “Extract” option.

alzip.01

Finally select “Extract here” option

alzip.02

When the extraction completes, navigate to the /storage/sdcard0/ directory. You’ll notice that pwnies.txt has been extracted into /storage/sdcard0/pwnies.txt instead of into /storage/sdcard0/Download/pwnies/pwniestxt.

Hence, by tricking a user to extract or download a specially-crafted archive, an attacker can potentially exploit this issue to write files into arbitrary locations within the SD card in the user’s Android device, or to overwrite files in known locations within the SD card.

For example, an attacker who is aware of the filenames of the user’s photo in the /storage/sdcard0/ directory can exploit this vulnerability to overwrite the user’s photo files.
But i doubt anyone knows the filenames.

Another bug was found manually via reversing the application and in the same time via Drozer due to exposed content provider.
But for simplicity sake, i will write about the method using Drozer
So what this means is that you can read the contents of any file in the victim(s)’ Android device if you got a specially crafted apk that abuses the exported content provider of ALZip.

The reason for this bug is that you expose the content provider.
A content provider can provide access to the underlying file system.
This allows apps to share files, where the Android Sandbox would otherwise prevent it.
Since we can reasonably assume that “files” is a file system backed content provider and that the path component represents the location of the file that we want to open.

So in drozer if you run the following command.

You will get back the contents of /etc/hosts

But this particular bug is not critical since /etc/hosts is world readable anyway.
It’s only serious if your app stores critical info about user or have a SQLite database.

[ POC/Test Code: ]
You can download the PoC here and follow the instructions as described in this blog post..

[ Disclosure Timeline : ]
01-04-2015 – Vulnerabilities Discovered.
01-04-2015 – Vulnerabilities Details Sent to Vendor.
01-04-2015 – No Reply From Vendor.
13-05-2015 – 2nd Email Sent to Vendor
13-05-2015 – No Reply From Vendor.
01-07-2015 – Public Release.

Thanks & Regards
Jacob Soo

[ VXSecurity Meetup ]

To be honest,  i really don’t know how to call this up-coming event since i don’t organise any sort of technical meetup except for CTF or drinking.

VXSecurity is run by a group of friends in SG committed to the spread of hacker culture & free/open-source software by continuously writing technical articles.  We try to provide a platform for like-minded people in SG who are currently building or breaking things (be it for charity, business or pleasure).

We usually hold workshops and give presentations in local Universities.  So this technical meetup is kind of a new experience for us.

We firmly believe that breaking & building is a good way forward for any type of good innovation.  As an extension to that, we think that tinkering is good for everyone to try and learn new things. I am also glad that NSHC had let us use their meeting room for this event and the students from NUSGreyHats are helping me setting this up.
Thanks a lot. 😀

When Monday 06th July 2015
Where 8 Shenton Way, #04-01 AXA Tower, Singapore 06811
Time 6:30 PM
After Talks Nothing planned at this point of time
Organisers Meder Kydyraliev
Contact Comments below.

 

PRESENTATIONS: 
Securing the Tangled Web: Preventing Script Injection Vulnerabilities through Software Design – Meder Kydyraliev

Level:
Beginner (presentation of concepts described in the paper with the same title by Christoph Kern [1])

If you’ve developed software, you’ve probably been told at least once that security should be built into your application. But what does it mean? It’s clear that modern web application frameworks are too busy trying to make security “easy”, some with the goal of never exposing developers to it at all. In this talk I’ll present an example of building security into your application and why I think it’s not a good idea to hide security critical pieces of your application.

[1] http://research.google.com/pubs/pub42934.html

Bio: 
Meder has been working in the area of application security for nearly a decade.  He’s poked at, broken, and helped fix a lot of code businesses and parts of the Internet depends on (Struts2, JBoss Seam, Google Web Toolkit, and Ruby on Rails, to name a few).  Some of the things that excite him include: karaoke, server-side security, kumys and making software security easier.
BigBossMan

Thanks & Regards
Jacob Soo

[ Walkthrough : SyScan 2015 Badge Challenge ]

2days ago, a few of us recently went to SyScan and completed the Badge Challenge that was put together by the SyScan crew.
Here is the a short writeup of our experience with all of the puzzles, their solutions, and the steps to solve them.
Of course, @miaubiz gave us a huge clue for solving the last stage and he also found the “Easter Egg” or “Debug Mode” in it.

Spoiler Alert: The following article is a detailed and methodical walk through of how to solve the challenge.
So please do take note and understand that this document contains MASSIVE spoilers!
If you’d rather try it for yourself, stop reading now and go and play NOW!

 

 

 

 

 

 

 

 

 

 

 

 

Still here?
Alright, lets go!

[ Stage 1 ]

One of the options we had when we power up the badge is “Unlock 1”
So we tried a bunch of options like “Open”, “Open Sesame”, “Open now God Damn It”. But we are always returned with the following QR Code.
IMG_0073
The above QR Code translate to “Try \”Unlock\”
So we thought, why not just try “Unlock”

Surprisingly, we got back another QR Code.
IMG_0075
This QR code translate to “insufficient privilege
Initially, we thought that maybe we need to have a special “Username” before we can unlock this.
So we started brute-force all the possible “usernames” used by “admin”.
But all these still failed until after the 1st tea break, we tried “sudo unlock” as shown in the image below.
IMG_20150328_012534288[1]
w00t h00t, we have successfully unlocked “Stage 1

[ Stage 2 ]
When we tried to unlock “Stage 2” using the same password as “Stage 1”, we got back something that looked like “morse code
IMG_20150328_012730132[1]
After decoding the “morse code“, we got back “ttall
We tried that but alas, it didn’t work at all. Then Thomas give everyone this clue, it’s not a full morse code.

We are wondering could it be “–all” since it sounds and looks like it.
So we entered “–all” but it wasn’t the key to “Stage 2
After another round of tea break, we thought whether could it be that “–all” is be appended to the answer for “Stage 1
So we tried “sudo unlock –all“. “Stage 2” unlocked.

[ Stage 3 ]
For “Stage 3“, we saw a new option for us to choose, “Crypt-analysis
Firing this option, we can see the following instruction.
IMG_0084

Our initial thoughts were, “Let’s use Base32 to decrypt it”.
However, we tried and it failed. We overcome this when @miaubiz gave me a clue, “Try bit flipping technique like +1 and -1 to the character.”
So we listened to his sagely advice and start brute-forcing by using “Ask Oracle
For simplicity sake, we tried the first 2 characters and we saw this english looking-like word.
IMG_0085

srueamishossifrage” seems like an english word so we started “Googling” for this word but no results…then we pondered for a while and realised it could be “squeamishossifrage” and we found this page.
Hmmmm…”The Magic Words” and “Cipher” were found in this Wikipedia page.

So we tried “squeamishossifrage” and Bingo we solved this.
IMG_0086

[ Easter Egg or Debug Mode ]
@miaubiz found this interesting “Easter Egg” or is it “Debug Mode“. It bypass “Stage 1” and “Stage 2” and go straight to “Stage 3“. O_O

So what @miaubiz did was took out the battery, push the joystick to “Up” position and then re-inserted the battery.
Next thing you know, the username is adm1n and you have reached “Stage 3

This “Easter Egg” is useful if you don’t want to keep repeating the process of solving the first 2 stages if your badge resets itself back to default.

Let me repeat this again. @miaubiz is a GENIUS.

Another thing we found out but we are still unclear what use does it have is the secret number in “Waste of Time

When you start the Game, it showed “Game of Life”. One of us are very familiar with “Game of Life” and immediately he found this secret number.
IMG_0064
Could “Godfather” Thomas Lim be giving us 8696 as the winning number for this week’s 4D? xDDD

We hope that this walkthrough is simple to understand. Please let us know if we did anything wrong in our process in solving this.

Well, all the guys here wished that the “Godfather” Thomas will organise another wonderful .SG conference in 2016 if there is no SyScan 2016….or will SyScan 2016 happen? xDDD

Happy Reversing,
Jacob, Damian & Glenn