SpiderLabs Anterior: Secure Web Gateway

Secure Web Gateway

05 May 2013

Mayday! 0-Day

While many workers around the world were celebrating the May 1st events, the US Department of Labor website got hacked and was used to redirect browsers to a 3rd party site which served a new IE 8 0day exploit, known as CVE-2013-1347. Microsoft already released an advisory about it last Friday.

Having a quick look at the in-the-wild exploit code, it can be seen that the exploit creator targeted only victims running IE 8 on windows XP computers, by using Javascript that triggers the exploit based on the user agent. However, the exploit can work with IE8 on other versions of Windows such as Windows 7. The reason for limiting this attack to Windows XP users is currently unknown.

Apparently, the attackers collected technical statistics on the victims’ browser plugins BEFORE serving them with the IE exploit, for example whether plug-ins from their antivirus product, from Fiddler Proxy or from TamperData are installed. That information is then sent to the aforementioned 3rd party site.

According to a tweet from one of Metasploits’ exploit developers, a module for this CVE will be released soon. Therefore an increase in exploit attempts of this CVE is quite likely.

And to the good news: Trustwave SWG Server (versions 10.1 and higher) blocks this attack out-of-the-box using its generic protection engines, without any further update, thus maintaining good record of blocking the recent 0-day attakcs.

Posted by Dan Meged on 05 May 2013 at 14:40 in MAPP, Secure Web Gateway, Zero-Day | Permalink | Comments (0)

19 April 2013

Java is So Confusing...

It's been a short while, but we find ourselves again with a Java vulnerability in our hands, this time via a PoC provided by IKVM.NET.

This particular vulnerability is somewhat different than most java vulnerabilities we run into, but feels like a natural progression from the last Java 0day we discussed in our blog (CVE-2013-1493). Both these vulnerabilities allow direct memory manipulation, something which is quite uncommon in Java.
The vulnerability itself has to do with type confusion between an int and a double, causing 8 bytes to be copied instead of 4, thus overwriting a pointer and allowing us to reach otherwise inaccessible area in the memory.

Continue reading "Java is So Confusing..." »

Posted by Anat (Fox) Davidi on 19 April 2013 at 17:16 in Java, Oracle, Secure Web Gateway, Security Research | Permalink | Comments (0)

10 April 2013

Ransomware Author <3's Farm Animals

As security researchers, our virtual journey in revealing new threats on the web is never-ending. Every once in a while we come across a curious and interesting web attack. Today’s blog post will tell the story of one such case we’ve encountered recently.

During last week, we ran into what looked like a hacked adult website that redirected browser requests to a web page which served two malicious Java applets. The landing page and the Java applets were recognized as Sweet Orange Exploit kit (thanks to Kafeine):

Continue reading "Ransomware Author <3's Farm Animals " »

Posted by Dan Meged on 10 April 2013 at 09:10 in Java, Malware, Secure Web Gateway, Security Research | Permalink | Comments (0)

12 March 2013

Fresh Coffee Served by CoolEK

As you may already know, the past few months have been problematic to Oracle when it comes to security issues discovered in the popular and notorious Java browser plugin. The latest vulnerability that has been spotted to be exploited in the wild is CVE-2013-1493.

It has already been published that CoolEK became the first exploit kit to add an exploit to CVE-2013-1493, so I won’t bother you with the details of that. What’s probably more interesting is the nature of this exploit. Most Java exploits from the past year or two used missing security checks in the Java source code in order to bypass SecurityManager – the part in Java which is responsible to make sure that unsafe code (unsigned code written by 3^rd parties) won’t be able to perform certain operations which require elevated privileges. Other exploits used some type confusions or tricked the optimizer into doing the same thing. Yet, in our current case, a memory corruption bug was found which allows the attacker to entirely nullify the SecurityManager.

This is the kind of exploits which are usually found in browsers and other non-sandboxed applications, so it was a little bit of a surprise to see such techniques in Java code.

Continue reading "Fresh Coffee Served by CoolEK" »

Posted by Moshe Basanchig on 12 March 2013 at 08:35 in Java, Malware, Secure Web Gateway, Security Research | Permalink | Comments (0)

14 January 2013

Microsoft Patch Tuesday, January 2013 - Part II

It's now official, there is another bulletin (MS13-008) release for the month of January and affected Microsoft Windows users should be expecting a out-band security patch soon. This out-of-band security patch fixes one memory corruption vulnerability discovered in Internet Explorer affecting version 6-8 that can result in remote code execution. Any vulnerability that allow remote code execution is critical and it should be patched ASAP.

Continue reading "Microsoft Patch Tuesday, January 2013 - Part II" »

Posted by Robert Foggia on 14 January 2013 at 13:21 in MAPP, Secure Web Gateway, Zero-Day | Permalink | Comments (0)

10 January 2013

First Java 0day For The Year 2013

Today @Kafeine was the first to announce the new Java 0day. This 0day allows an attacker to execute malicious code on any desktop with Java 1.7 u10 (or prior) installed – which is the latest version from Oracle.

After some preliminary analysis it seems this 0day is using a similar tactic to CVE-2012-5088, which was patched by Oracle last October. On top of using java.lang.invoke.MethodHandle.InvokeWithArguments() from CVE-2012-5088, the attacker smartly takes advantage of MBeanInstantiator in order to get a reference to a restricted class from a trusted caller (MBeanInstantiator is trusted). This is accomplished via the findClass method, which in turn will call the inner loadClass method.

The “heart” of the exploit:

We are glad to announce that all our customers using Trustwave's Secure Web Gateway are protected against this 0day attack. There’s no need for any additional updates to be applied. A good continuation of last year’s streak of 4 out of 4 Java 0days blocked out of the box.

We will continue monitoring this threat and provide protection to our customers.

Posted by Arseny Levin on 10 January 2013 at 10:06 in Java, Oracle, Secure Web Gateway, Zero-Day | Permalink | Comments (1)

08 January 2013

Goodies released with Trustwave SWG Security Update 141

As cliché as it may sound, security is done in layers and so, using our generic rules, we were able to provide 0-day protection against the recent Internet Explorer 0-day CVE-2012-4792 with our Secure Web Gateway (SWG). You can read more in our previous blog posts:
exploit analysis and payload analysis.

With today’s release of Security Update 141 for SWG we are
adding detection rule which is specific to CVE-2012-4792, named “Internet
Explorer CDwnBindInfo Object use-after-free vulnerability”. This rule will
provide another layer of defense against exploits of this vulnerability.

TURKTRUST Inc., a trusted CA, has incorrectly created two subsidiary certificates which one of them was later used to generate a fraudulent digital certificate of Google. That certificate
was then used in an active attack. As a result, SU141 is removing SWG trust of the following certificates:

*.google.com issued by
*.EGO.GOV.TR
e-islem.kktcmerkezbankasi.org
issued by TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri
*.EGO.GOV.TR issued by
TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri

For further information, see Microsoft’s Security Advisory 2798897.

Security Update 141 comes with some more goodies. Here is a link to the release notes for further information.

Stay safe.

Posted by Rami Kogan on 08 January 2013 at 10:27 in Secure Web Gateway, Security Research, SSL, Zero-Day | Permalink | Comments (0)

20 September 2012

The New Zero-Day in Internet Exploder (Oops… Explorer)

The ride on the roller coaster called the web security world never stops and keeps providing us, the security researches, with new challenges. Blackhole v2 that just came out last week and which was in headlines seems like a distant history since the emergence of the new zero-day in Internet Explorer at the beginning of this week (CVE-2012-4969).

Continue reading "The New Zero-Day in Internet Exploder (Oops… Explorer)" »

Posted by Rami Kogan on 20 September 2012 at 10:50 in Exploit Kits, Malware, Secure Web Gateway, Security Research, Zero-Day | Permalink | Comments (0)

13 September 2012

Blackhole Exploit Kit v2

A few days ago a new version of THE most common exploit kit was released. Unlike most exploit kit authors, who try to keep a low profile, the author of Blackhole publishes his work in Russian forums and even writes detailed information regarding his new product.

Figure1: Blackhole Exploit Kit v2 login panel

Notice, the login panel requires to enter a CAPTCHA to avoid automatic scanners that guess default passwords, this feature is not new in exploit kits, but definitely not common.

Let’s review the important changes that have been made in Blackhole Exploit Kit v2 compared to the Blackhole Exploit Kit v1:

Basically, the author of Blackhole has put a lot of effort into avoiding Anti-Viruses vendors’ and Security Researchers’ detection, and focuses less on new obfuscation techniques.

Let’s compare the new variant of Blackhole Exploit Kit with the old one:

Figure 2: Blackhole Exploit Kit v2 obfuscated code

The older version:

Figure 3: Blackhole Exploit Kit v1 obfuscated code

By comparing the code in the two screenshots above, we can see that the core of the obfuscation algorithm is the same. First, the “try/catch” technique, second is some obfuscated code loaded from the DOM using “getElementsByTagName”, and finally a set of basic math operations that opens the obfuscated code and execute it.

This is what the de-obfuscated code of Blackhole Exploit Kit v2 looks like:

Figure 4: Blackhole Exploit v2 de-obfuscated code

According to the screenshots above the new version of Blackhole focuses on evasion techniques: For example, in the code above the PDF and the Jar files are loaded using a unique link that is generated specifically for the user and is valid only for a limited amount of time (definitely a pain in the ass…). As for the files themselves, we will publish a technical analysis of the PDF and Jar exploits served by the new version of Blackhole in a later blog post.

Let’s take a closer look at some more interesting stuff added in the new version:

Figure 5: Blackhole Exploit Kit v2 control panel - Security section

Referers

This option allows the administrator to allow access to the exploit page only from specific referrers which can be configured using the control panel. The administrator can also configure whether to block access to the exploit when no referrer is present.

Bot List

Blackhole exploit kit holds a list of 132,220 bot IPs which can be automatically blocked by the engine. This way the exploit kit is not exposed to automated security crawlers.

Figure 6: Bots List

ToR List

This feature is really annoying. Blackhole Exploit Kit v2 contains an IP list of ToR endpoint nodes, so if this flag is turned on, security researchers won’t be able to use ToR for analysis.

Figure 7: ToR List

Upon installing the exploit kit a list of 2,147 ToR nodes are loaded into the database and are updated automatically.

Recording Mode

This one is a really cool feature: once the attack campaign is over, the administrator can switch their blackhole exploit kit v2 into a “monitoring mode” of sorts. In this stage the exploit kit is not supposed to receive any traffic, therefore, the exploit kit author assumes the incoming traffic belongs to security vendors. The IPs that are captured during that time are reported back to Blackhole author and added to the list of bots.

Figure 8: IP collected list

These captured IPs inserted into the database and published to Blackhole customers.

Now let’s view the new control panel settings:

Figure 9: Blackhole Exploit Kit v2 control panel - Preferences section

In this new version of Blackhole exploit kit, the administrator can define when the engine will replace the current domain with a new one to avoid Anti-Virus detection. Using the “AntiVirus Check” feature, the exploit kit tests the URL of the exploitation page with underground Anti-Virus websites (VirTest and Scan4you). The administrator can control the change rate of the URL after it has been discovered by a certain number of Anti-Virus vendors.

“Threads” is pretty similar to older version of Blackhole, where the administrator can create multiple attacks with different viruses.

Figure 10: Blackhole Exploit Kit v2 control panel - Threads section

The significant feature added in this section is the “Traffic” feature. Unlike older version of the Blackhole Exploit Kit, the new version serves the exploit only one time per IP address. The administrator can configure a webpage or a message to users that continue to access the server more than once.

In conclusion, it is clear that this new generation of Blackhole Exploit Kit puts a lot of effort into new evasion techniques that are aimed towards making the lives of security researchers as difficult as they can be while taking the focus off obfuscation techniques, which used to be the main theme in exploit kit updates in the past. .

Needless to say, customers of Trustwave Secure Web Gateway (SWG), version 10.1 and higher, are protected by default with no need for any further update.

Thanks to my colleague Anat Davidi for her contribution to this post.

Posted by Daniel Chechik on 13 September 2012 at 23:15 in Exploit Kits, Malware, Secure Web Gateway, Security Research | Permalink | Comments (1)

27 August 2012

It's a sunny (zero) day for Java

Java exploits have been used for distributing malware for a while. See for example our blog post from last month.

Today a new Java 0-day vulnerability has surfaced up. It came with a public PoC armed and ready for exploitation, and even a Metasploit module was published just a few hours later. The “best” part is that currently there is no patch publicly available, nor any estimates as to when it will be released… all the necessary ingredients for a mass exploitation party!

But there is some good news as well – customers of all versions of Trustwave Secure Web Gateway are protected from this 0-day without any need for an update. This is the 4th 0-day Java exploit in the last year or so, but in all of these cases our customers had protection from day zero.

We wish you safe browsing!

Update 08/30/2012: Although this exploit actually leverages two different vulnerabilities, CVE-2012-4681 has now been assigned to it.

Posted by SpiderLabs Research on 27 August 2012 at 11:48 in Secure Web Gateway | Permalink | Comments (1)

SpiderLabs Anterior

Official Blog of Trustwave's SpiderLabs - SpiderLabs is an elite team of ethical hackers, investigators and researchers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world.

Search

Categories

Security Advisories

Trustwave Press Releases