Posts

Experts Identify IE Exploit on Indian Defense Site, Find Link to PlugX RAT

Image
Most security firms are currently busy analyzing the  latest Internet  Explorer (IE) zero-day exploit . One of these companies is AlienVault  which has not only found websites that host the malicious code, but it has   also uncovered a connection to  the PlugX RAT. Experts have identified a new version of the moh2010.swf Flash file utilized in the attacks that leverage the IE exploit. Their analysis led them to a file called Nv.exe which is used by Nvidia for several of its applications.  As it turns out, the cybercriminals are relying on Nv.exe to load a DLL file which executes the binary content of another component named Nv.mp3.  The malicious payload present in this Nv.mp3 file is actually a version of the PlugX Remote Administration Trojan (RAT).  “We know that the group actively using the PlugX malware also called Flowershow had access to the Internet Explorer ZeroDay days before it was uncovered. Due tot he similarities of the new discovered exploit code a

AlientVault Tracks Down Developer of PlugX RAT

Image
Security experts at AlienVault have tracked down the creator of the PlugX Remote Access Tool (RAT), used in hacker attacks around the world. To their surprise, the brains behind the software was actually one of the directors of a Chinese IT company. The sleuths analysed the traces of PlugX activity, and identified the suspected programmer, which led them to his address, photo and the name of the company he was working for – ChinaNSL Technology. Digital detective work AlienVault has been tracking PlugX, also known as Korplug, for the past few months, analysing the payloads of the attacks and collecting intelligence. Malware builder known as “whg” PlugX is a backdoor malware with a high damage potential. Once on the system, it executes commands from a remote malicious user, effectively compromising the affected computer. The tool was mainly used by hackers in Japan, Taiwan, China, Korea and against Tibetan organizations. The security experts were almost certain that the

Password Strength and Age Considerations

Image
At Redzone, we are frequently asked about password strength and policy recommendations as it relates to password cracking. There are a few considerations around password strength, length, and changes when it comes to establishing a good password policy. Let’s take a look at three common methods of password cracking: brute force, dictionary, and rainbow tables. With brute force attacks, a password is created and hashed using the same hashing algorithm of the operating system then the hash is compared to the hash for an existing user’s password. A brute force attack will systematically analyze combinations until the right password is found. Let’s look at the following statistics using  GRC’s Password Brute Force Calculator : Short Password with Varying Complexities  Password password Password Passw9rd P@ssw9rd  Length 8 8 8 8  Size of Character Set a 26 52 62 95  Possible Passwords b 2.17 x 10 11 5.45 x 10 13 2.22 x 10 13 6.70 x 10 15  Fas

Zero Day Protection with Privilege Management

Image
Have you used Internet Explorer to visit a malicious website recently? Have you used Internet Explorer to visit any website lately? How do you know for sure that you are not infected? On September 17, 2012 a zero-day vulnerability for Internet Explorer versions 6-9 was  reported  affecting everything from Windows XP to Windows 7 and Windows Servers. Zero-day vulnerabilities are a common fact of life, but the same old approaches to protection continue to be insufficient. Let’s discuss this vulnerability and how privilege management can mitigate the impact. In the case of this zero-day vulnerability, a malicious website can be crafted then unsuspecting victims can visit it with Internet Explorer only to be exploited. Once exploited, security software can be disabled, files are downloaded or malicious software is installed so that system can be reused as a zombie or SPAM relay. Traditional endpoint security technologies often struggle with zero-day vulnerabilities as there is no

New Internet Explorer zero day being exploited

Image
After the  last zero day exploit on Java  we reported some weeks ago it appears that a new 0day has been found in Internet Explorer by the same authors that created the Java one. Yesterday,  Eric Romang  reported the findings of a new exploit code on the same server that the Java 0day was found some weeks ago. The new vulnerability appears to affect Internet Explorer 7 and 8 and seems to be exploitable at least on Windows XP. The exploit code found in the server works as follow: - The file exploit.html creates the initial vector to exploit the vulnerability and loads the flash file Moh2010.swf. - Moh2010.swf is a flash file encrypted using  DoSWF .  We’ve seen the usage of DoSWF in the exploit code of other targeted attacks such as: -  Several Targeted Attacks exploiting Adobe Flash Player (CVE-2012-0779) The Flash file is in charge of doing the heap spray. Then it loads Protect.html Due to the usage of DoS

New Java 0day exploited in the wild

Image
A few hours ago, FireEye published some information related to a new Java 0day exploited in the wild. The malicious JAR file was served from ok.aa24.net / meeting / index.html The html loads the Java applet passing some parameters that are used later to build the URL to download the payload. The HTML is encrypted using “Dadong’s JSXX 0.44 VIP”. The Java applet contains the following two .class files: - cve2012xxxx/Gondzz.class - cve2012xxxx/Gondvv.class The applet check if the system is running Windows and gets the parameters passed from the HTML that contains the URL to download the payload. If the system is vulnerable, the payload is downloaded and executed in the system. On the analyzed sample the payload is downloaded from ok.aa24.net / meeting / hi.exe https://www.virustotal.com/file/09d10ae0f763e91982e1c276aad0b26a575840ad986b8f53553a4ea0a948200f/analysis/1346055031/ The payload drops C:\WINDOWS\system32\mspmsnsv.dll (replace the file if presen

Several Targeted Attacks exploiting Adobe Flash Player (CVE-2012-0779)

Image
A couple of days ago,  Adobe issued a security update for Adobe Flash Player  that has been detected in the wild targeting specific objectives. Several spear phishing campaigns have been detected. The mails sent contain a Word document attachment. It contains a reference to a Flash file that is downloaded from a remote server once the document is opened. This Flash file exploits the CVE-2012-0779 vulnerability triggering a shellcode that looks for the payload within the original word document. The payload is decoded using a one byte XOR scheme, dropped on the system and then executed. Most of the malicious Flash files have low AV detection rates so it is very important to apply the vendor’s patch. We have seen several documents sent to a wide range of industries as well as Tibet related NGO’s. Some examples are: Once the victim opens the document, the malicious Flash file is downloaded from a remote server: In the vast majority of the documents we have