Posted by: Pez (SCF VIP Member)
Targeted Attack Focuses on Single System
« on: 22. October 2013., 08:45:02 »

A few weeks ago McAfee Labs received samples of a Java dropper malware that can decrypt its payload on a specific computer or network. After an investigation, we discovered that the payload is also locked to run only on a specific machine.

This threat uses interesting techniques to ensure it can run only on the target computer. This method also makes it very hard to analyze.

The .jar files contained two class files: web.class and stream.class.

Stream.class was a binary file. Web.class was obfuscated using Allatori Obfuscator Version 4.4, which makes the Java class hard to decompile. We used a Java disassembler to read the Java bytecode. After decoding the strings (by reassembling the Java bytecode to print them to the terminal), it was clear what the dropper was doing.


The dropper obtained the machine's Internet IP address by connecting to http://checkip.dyndns.com, then used that IP to generate a decryption key, decrypted stream.class, executed it, and deleted the .jar.

Because we were able to get one of the IPs, we could decrypt stream.class. The decrypted payload was a packed executable. After unpacking it, we got another obfuscated executable; it contained a DLL and two encrypted binaries.

The DLL was obfuscated. Every string was encrypted with a different key and algorithm (this technique recurs in the other payloads). The DLL opened two ports in the Windows firewall: UDP 1900 and TCP 2869.

The first encrypted file was a well-known adware: SanctionedMedia. But it might be a decoy for researchers and malware automation systems.

The second file is a packed DLL. After unpacking we get another packed DLL that contains an encrypted payload. This payload can be decrypted only using a key that is machine specific.

The machine-specific key is generated using the system directory’s creation timestamp and the volume serial number for the partition containing the system directory.



We didn’t have the info to generate the key but we did obtain one unpacked sample.

This DLL was packed using a modified version of UPX. This executable was obfuscated like the firewall DLL, with every string encrypted with a different key and algorithm.

This threat was specific to a single machine, so it’s not something you need to worry about. Nonetheless, here’s our advice for avoiding this type of attack:

• Always keep your personal firewall on

• Exercise caution when opening file attachments from an unknown or suspicious source

• Browse websites cautiously and avoid browsing to unknown sites

• Keep your antimalware software up to date and consider employing application whitelisting

• Apply the latest security patches for Windows and third-party applications, including these popular targets: Internet Explorer, Microsoft Office, Adobe Reader, Flash Player, Java, and QuickTime


Original article: by Itai Liba, McAfee Labs, Oct 18, 2013

There are two easy ways to configure a system!
Everything open and everything closed.
Everything else is more or less complex.
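The post describes two layers of "environmental keying": stream.class is encrypted under a key derived from the victim's public IP, and the final payload under a key derived from the system directory's creation timestamp and the volume serial number. The following Python is an added illustration of that idea and of how an analyst with a list of candidate values recovers the payload; it is not McAfee's code or the dropper's actual algorithm. The SHA-256 key derivation, the HMAC counter-mode keystream, the `|` field joining, the function names and the sample data are all assumptions made for this example, and the same `derive_key` serves both the IP-keyed stage and the timestamp-plus-serial stage.

```python
"""Environmental keying, analyst's view.  Added example: the hash, the
keystream construction and the field encoding are assumptions, not the
dropper's real scheme."""
import ctypes
import hashlib
import hmac
import os
import struct
import sys

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file


def derive_key(*environment_fields: str) -> bytes:
    """Key = SHA-256 over the environment values joined with '|'.
    One field (public IP) for stage one; two fields (system-dir creation
    time, volume serial) for the machine-locked stage."""
    material = "|".join(environment_fields).encode()
    return hashlib.sha256(material).digest()


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for whatever cipher was used."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def looks_like_class_file(data: bytes) -> bool:
    return data[:4] == CLASS_MAGIC


def recover_payload(blob: bytes, candidates):
    """Try each candidate environment (a tuple of field strings) and return
    (candidate, plaintext) for the first one that yields a valid class file.
    A wrong key gives pseudo-random bytes, so the magic check rejects it."""
    for fields in candidates:
        plain = xor_crypt(derive_key(*fields), blob)
        if looks_like_class_file(plain):
            return fields, plain
    return None, None


def windows_machine_fields(system_dir: str = r"C:\Windows"):
    """Run on the victim box itself: the two values the second stage keys on.
    Only the choice of inputs comes from the article; this encoding is assumed."""
    if sys.platform != "win32":
        return None
    created = int(os.stat(system_dir).st_ctime)   # creation time on Windows
    serial = ctypes.c_uint32()
    root = os.path.splitdrive(system_dir)[0] + "\\"
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        root, None, 0, ctypes.byref(serial), None, None, None, 0)
    if not ok:
        raise ctypes.WinError()
    return (str(created), "%08X" % serial.value)


# --- constructed sample data (not the real stream.class) -------------------
SAMPLE_PAYLOAD = CLASS_MAGIC + b"\x00\x00\x00\x34" + b"constructed class body"
TARGET_IP = "203.0.113.7"                   # documentation-range address
ENCRYPTED_BLOB = xor_crypt(derive_key(TARGET_IP), SAMPLE_PAYLOAD)

if __name__ == "__main__":
    # analyst side: candidate public IPs harvested from telemetry or logs
    guesses = [("198.51.100.1",), ("203.0.113.7",), ("192.0.2.9",)]
    hit, plain = recover_payload(ENCRYPTED_BLOB, guesses)
    print("key source:", hit, "class magic present:", looks_like_class_file(plain))
```

The point of the magic-byte check is that with a keyed payload the analyst cannot tell a wrong key from a right one by looking at the ciphertext; a format-level oracle (CAFEBABE for a class file, MZ for a PE) is what turns a list of candidate environment values into a decryption. The same loop works for the second stage if one can enumerate plausible timestamp and serial pairs, which is why that stage was hard to analyse without the original machine.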
