Thursday, June 12, 2014

Tweetdeck XSS Vulnerability Cause User Auto-Retweet

As I'm one of the Tweetdeck user, somebody has post new XSS on twitter causing thousand of user automatically retweet the XSS script message. This is only affected on TweetDeck on browser so far.


An example of post has been retweet.


An example of XSS message poping up. Once user click OK, it will retweet the post.



By the time this is happened, Tweetdeck server temporarily down for awhile for fixing and 40k of retweeted post has been done.

~ alternat0r

Wednesday, April 9, 2014

HeartBleed May 'Broken Your Heart' as Data Leaks

Recent OpenSSL bug called Heartbleed (CVE-2014-0160) causing million of website in trouble. Heartbleed test developed by Filippo Valsorda has been release as open source. I just give some play around with Heartbleed.

BTW, What is Heartbleed bug? Heartbleed bug is actually vulnerability on OpenSSL cryptography library that cause any user to read system memory (Affected on vulnerable version only).

Dalam bahasa Malaysianya, ia adalah kelemahan yang terdapat pada library kriptografi perisian OpenSSL yang membolehkan pengguna luar membaca sistem memori (terjejas pada versi tertentu sahaja).

As I giving test to several Malaysia website, most critical organisation website exposed to this vulnerability including government.


Filippo also provide a website for you to test your webserver and if it is vulnerable you will get message like image below:


Alternatively you can access to Malaysia honeynet heartbleed website to test your webserver:
http://heartbleed.honeynet.org.my/

Here some good advice how to protect yourself from heartbleed bug:
http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/

References:
http://heartbleed.com/
https://github.com/FiloSottile/Heartbleed
http://filippo.io/Heartbleed
http://heartbleed.honeynet.org.my/
https://gist.github.com/harlo/10199638

~ alternat0r

Thursday, March 13, 2014

Dendroidbot Quick Analysis

As I get the sample of Dendroid APK malware I decided to make quick analysis on it. Thanks to +Mila Parkour for the sample.


DB01F96D5E66D82F7EB61B85EB96EF6E
52A30B58257D338617A39643E2216D0C

The original sample is protected with Dexguard to give extra protection on its code as its will appeared to be obfuscated when decompiling.

The following permission can be used once it has been installed:
  • directly call phone numbers
    • read phone status and identity
    • reroute outgoing calls
  • edit your text messages (SMS or MMS)
    • read your text messages (SMS or MMS)
    • receive text messages (SMS)
    • send SMS messages
  • take pictures and videos
  • record audio
  • precise location (GPS and network-based)
  • read call log
    • read your contacts
  • read your Web bookmarks and history
  • modify or delete the contents of your SD card
  • find accounts on the device
  • full network access
    • view network connections
  • retrieve running apps
  • prevent phone from sleeping
  • modify system settings
    • test access to protected storage
As we analyzed the java class, its also can determine if its running on emulator or not. There are many functionality that would be able to completely spy your phone as we going through its java classes.


initiate() load pre-defined configuration with base64 encoded.


Here from VirusTotal detection list:
https://www.virustotal.com/en/file/099a57328de9335c524f44514e225d50731c808145221affdd684d8b4dad5a1d/analysis/

Although, this sample is an earlier version of Dendroid. Some user might already found recent version of it bind with other application to make it seem legitimate apps.


~ alternat0r

Saturday, February 1, 2014

ApacheBench behind the Encoded VBE file

Recently I received a VBE file from a friend that looks suspicious with its encoded content and request to do quick analysis on it. So, I manage to play around with it and see what's inside.

The file name that I got is s64.vbe (0B826D9869B139B2C5BB139234C08D43) which is an encoded script file content. The size of this file is around 608,904 bytes. The content of the encoded file is shown below:


To decode this file I use scriptDecode.vbs from Jean-Luc Antoine. The output of the decoded file is a VBScript as shown in the picture below:


If we scroll to the bottom of the file we can see this is some kind of Windows binary file that is converted into ASCII format within VBS. The file svchost.exe is the file name use to save into the disk and run it.


Most of antivirus product is already detect this file as malicious:

https://malwr.com/analysis/YzkzNDUxOTlmOTQxNDAxYmEwNjdmNGI4MTk5YjBmYzI/share/1a8cbf4acb5944d1856d04d4e72b8ed7

https://www.virustotal.com/en/file/6b01071c7936d4a1ba1f53b5651db5f604dfe7f5aa3e4ed38d48f6ba66eebd5e/analysis/

The svchost.exe (333ABC2F9864B70F7EF48B049CBA9286) file is a program called ApacheBench command line utility. At first place, this program use to measure performance test of HTTP web servers. Although, the binary file that I got is not correctly run as it not responsive sometimes. It is possible to use this tool as DDOS attack.

~ alternat0r