Tuesday, March 29, 2011

Make your old add-ons work with Firefox 4.0

Every major release of Firefox brings the joy of great new features, along with the frustration of having plenty of add-ons that no longer work. Fortunately, it's quite easy to get most add-ons to work just fine with Firefox 4.0, even if they are not maintained or updated.

Add-ons not updated for Firefox 4.0

Add-on description

In an earlier post, I described how Firefox add-ons work. The important part is that each add-on must declare which Firefox versions it works with. This information is stored in the file named install.rdf, in the em:minVersion and em:maxVersion tags.

In order to work with Firefox 4, the maximum version number must be 4.0 or 4.0.*. The full list of valid version numbers is available on Mozilla's site. New versions are added only a few weeks or days before they are released to the public, so even if an add-on author is pretty sure his add-on will be compatible with future 4.x versions (4.1, 4.5, etc.), the highest value he can list is 4.0.*.

So, with every major version of Firefox, all add-on authors have to update the maximum version, which means releasing a new version of the add-on. If the add-on is hosted on the official Mozilla add-ons website, there is a nice web interface to update the version number.

Tool for authors to easily update an add-on

But if the add-on is hosted outside of the official site, a new release, meaning a new XPI file, has to be built and distributed.

If the add-on is no longer maintained, Firefox will refuse to enable it, even though it would very likely work just fine...

Fix your existing plugins

You can force old add-ons to work with a newer version of Firefox by modifying the local install.rdf file. All add-ons are stored in the user profile at the following locations:
  • Windows: C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxx.default\extensions\
  • Linux: ~/.mozilla/firefox/xxxxxx.default/extensions/
Each add-on is stored in its own sub-folder. Open install.rdf for the add-on you want to enable, look for the tag em:maxVersion, and change its value to 4.0.*. Restart the browser, and the add-on will be enabled.

Modify the em:maxVersion value
Then, do the same in extensions.rdf.

Some plugins may need code changes to work with version 4 (like Firesheep), but most of the plugins I upgraded (Live HTTP headers, etc.) worked just fine with Firefox 4.0.

Install "old" plugins

The same trick can be used for add-ons you want to install. Firefox add-ons are distributed as .xpi archives, which are just Zip files. Save the add-on locally, open it with Windows Explorer or any Zip manager, and modify install.rdf by changing em:maxVersion to 4.0.*. Open the modified .xpi file in Firefox, and the add-on will install just fine.
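The manual edit above is easy to script. The following Python is an added example, not part of the original post and not a Mozilla tool: it unpacks an .xpi (a plain Zip), rewrites every em:maxVersion in install.rdf (both the element form and the attribute form that some manifests use) and writes a new archive. The install.rdf content, the add-on id and the file names are constructed for the example; the Firefox application id in it is the real one.

```python
import io
import re
import zipfile

# Constructed sample install.rdf (not taken from any real add-on). It targets
# Firefox ({ec8030f7-c20a-464f-9b0e-13a3a9e97384} is Firefox's application id)
# with a maxVersion of 3.6.*, which Firefox 4.0 rejects.
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example-addon@example.invalid</em:id>
    <em:version>1.2.3</em:version>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>3.0</em:minVersion>
        <em:maxVersion>3.6.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>
"""

# install.rdf may spell the limit as an element (<em:maxVersion>3.6.*</em:maxVersion>)
# or as an attribute (em:maxVersion="3.6.*"); both forms are handled.
_ELEMENT = re.compile(r"(<em:maxVersion>)([^<]*)(</em:maxVersion>)")
_ATTRIBUTE = re.compile(r'(em:maxVersion=")([^"]*)(")')


def patch_install_rdf(text, new_max="4.0.*"):
    """Return (patched_text, old_values) with every em:maxVersion set to new_max."""
    old = []

    def swap(m):
        old.append(m.group(2))
        return m.group(1) + new_max + m.group(3)

    text = _ELEMENT.sub(swap, text)
    text = _ATTRIBUTE.sub(swap, text)
    return text, old


def patch_xpi(xpi_bytes, new_max="4.0.*"):
    """Rewrite install.rdf inside an XPI (a plain zip) and return the new archive bytes."""
    src = zipfile.ZipFile(io.BytesIO(xpi_bytes))
    if "install.rdf" not in src.namelist():
        raise ValueError("not an XPI: install.rdf missing")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "install.rdf":
                patched, _ = patch_install_rdf(data.decode("utf-8"), new_max)
                data = patched.encode("utf-8")
            dst.writestr(info.filename, data)   # every other member is copied as-is
    return out.getvalue()


def max_version_of(xpi_bytes):
    """Read back the em:maxVersion values from an XPI, for a before/after check."""
    rdf = zipfile.ZipFile(io.BytesIO(xpi_bytes)).read("install.rdf").decode("utf-8")
    return ([m.group(2) for m in _ELEMENT.finditer(rdf)]
            + [m.group(2) for m in _ATTRIBUTE.finditer(rdf)])


def build_sample_xpi():
    """Assemble an in-memory XPI from the constructed manifest above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", SAMPLE_INSTALL_RDF)
        z.writestr("chrome.manifest", "content example chrome/content/\n")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_xpi()
    patched = patch_xpi(original)
    print("before:", max_version_of(original), "after:", max_version_of(patched))
```

Note that this rewrites every em:maxVersion in the manifest. An add-on that also lists Thunderbird or SeaMonkey as a target application would get those entries bumped too, so check the old values the function returns before installing the result. As the post says, the edit only makes Firefox load the add-on; it does not make an add-on that needs code changes work.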

Don't postpone your upgrade to Firefox 4.0 because of unmaintained add-ons. Modify the install.rdf and enjoy the great new features of version 4.

-- Julien

Wednesday, March 23, 2011

Randomization of code and binaries used by a fake antivirus website

Last week, I talked about heavy obfuscation being used by attackers to hide their HTML source code from detection. This time we came across an interesting fake antivirus website which changes not only the source of the webpage but also the malicious binary it serves, on every visit. The site also changes certain strings used inside the animation sequences. For this blog, I visited the site a few times within the span of a minute and collected the various source files and malicious binaries. Here are the screenshots of the fake security warnings for different visits:

The highlighted fake security message in the above images varies on each visit, with a different trojan count. If you look at the source code of these webpages, it has been randomized for each visit. Here is a sampling of the altered source code:

The code contains different random variable names, and the fake security warnings have been split into smaller variables in an effort to evade antivirus and IDS/IPS engines that match common string patterns. As with other fake AV sites, when a victim visits the page, he is social-engineered into downloading fake security software, which turns out to be a malicious program. Interestingly, each time you visit this website the malicious binary changes, which results in a different MD5 hash, while the size of the binaries remains the same. Here are the MD5 hashes for different binaries downloaded from the same website:

The VirusTotal detection results remain very poor, with only 8/43 antivirus vendors detecting the files as malicious. Here are the results for the above binaries:

The example demonstrates that engines relying purely on matching string patterns in the page source will fail to detect this attack. Serving a freshly randomized binary on every download also defeats hash-based and static signature-based antivirus detection.
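The split-string trick is cheap to undo when you are inspecting a page offline. The following Python is an added example, not code from the original post: it collects the string literals a script assigns to variables, follows the a + b + c chains that reassemble them, and then checks the scare phrases against both the raw source (where a pattern matcher looks) and the resolved values. The script and the signature phrases are constructed to imitate the page described above; the variable names are made up.

```python
import re

# Constructed fake-AV snippet in the style the post describes: the scare
# message is split across randomly named variables and reassembled at
# runtime, so the literal "Trojans found" never appears in the source.
SAMPLE_SCRIPT = """
var qzv = "Warning! ";
var hkr = "Tro";
var pym = "jans fo";
var wde = "und: ";
var nvb = "23";
var kdo = qzv + hkr + pym + wde + nvb;
var lfa = "Your ";
var oce = "comp";
var trs = "uter is inf";
var ymp = "ected";
var gxe = lfa + oce + trs + ymp;
document.write("<div class='w'>" + kdo + "</div><div class='w'>" + gxe + "</div>");
"""

# Phrases a signature engine would look for in the page source (constructed).
SIGNATURES = ["Trojans found", "Your computer is infected"]

# var name = "literal";        (single- or double-quoted, no escapes handled)
_LITERAL = re.compile(r"""var\s+(\w+)\s*=\s*(['"])(.*?)\2\s*;""")
# var name = a + b + c;        (a chain of identifiers joined with +)
_CONCAT = re.compile(r"""var\s+(\w+)\s*=\s*(\w+(?:\s*\+\s*\w+)+)\s*;""")


def resolve_strings(script):
    """Map every variable to its constant string value, following a+b+c chains."""
    env = {name: value for name, _quote, value in _LITERAL.findall(script)}
    concats = _CONCAT.findall(script)
    progress = True
    while progress:                    # repeat until no further variable resolves
        progress = False
        for name, expr in concats:
            parts = [p.strip() for p in expr.split("+")]
            if name not in env and all(p in env for p in parts):
                env[name] = "".join(env[p] for p in parts)
                progress = True
    return env


def match_signatures(script, signatures=SIGNATURES):
    """Return {phrase: (found_in_raw_source, found_after_resolution)} for each phrase."""
    pool = "\n".join(resolve_strings(script).values())
    return {s: (s in script, s in pool) for s in signatures}


if __name__ == "__main__":
    for phrase, (raw, resolved) in match_signatures(SAMPLE_SCRIPT).items():
        print("%-28s raw=%-5s resolved=%s" % (phrase, raw, resolved))
```

This only handles the two assignment shapes shown; real pages add array joins, String.fromCharCode and similar, which is why the post's analysis falls back to a JavaScript-aware decoder. It does nothing for the binary side of the evasion: a fresh binary per download needs behavioural or fuzzy-hash detection rather than MD5 matching.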

Tuesday, March 22, 2011

Many University websites used for spam

In January, I wrote about many high profile websites, mostly universities, that were hijacked to redirect to fake stores. Many have since been cleaned up, but a few of these University websites are still redirecting users to new fake stores (adobe-discount.com, terrific-software.com, successful-software.net, mmpsoftstore.com, successful-software.com, successful-downloads.com, general-oem.com, etc.)

In the past 2 weeks, I've seen a significant amount of spam hosted on University websites. Spammers seem to be using compromised user accounts on wiki-like services to upload spam for Viagra, banking loans, online casinos, etc.

Fake pharmacy page hosted on the UCSF website
The list of Universities hosting such spam include:
  • MIT (hxxp://nola.mit.edu/~cil/nolawiki/images/7/70/Amortizing-loan-calculator.pdf)
  • Cornell (hxxps://confluence.cornell.edu/download/attachments/140416416/tab15.html)
  • UCSF (hxxp://dingo.ucsf.edu/twiki/pub/People/EricAadnes/tab7.html)
  • University of Pennsylvania (hxxp://george.isc-seo.upenn.edu/ocladmin/ocl/uploads/204599.txt)
  • University of Massachusetts (hxxp://xserv1.umb.edu/groups/podcasts/wiki/ce448/attachments/cec02/xs57.html)
  • Colorado State (hxxp://writing.colostate.edu/files/personal/108957/File_0FFC8EF8-EC2C-2238-F165D3DC0AA636A9.txt)
  • Oregon State (hxxp://foodfororegon.oregonstate.edu/sites/default/files/imagecache/al65.html)
  • OSU (hxxps://carmenwiki.osu.edu/download/attachments/16256437/tad44.html, down)
  • WUSTL (hxxp://cssa.grad.wustl.edu/sites/cssa.grad.wustl.edu/files/imce/user1208/ed60.pdf)
  • Eastern University (hxxp://ccgps.eastern.edu/members/dstore/member-blog.blog2/items/Cialis-Viagra-Online)
  • University of Washington (hxxp://modular.math.washington.edu:9001/role?action=AttachFile&do=get&target=sl45)
  • Oklahoma State (hxxp://asdevelopment.okstate.edu/logs/x.php?wy334=287)
  • Tufts University (hxxps://wikis.uit.tufts.edu/confluence/download/attachments/29761132/ced46.html)
  • National University of Singapore (hxxp://wiki.nus.edu/download/attachments/76947595/doc11.html)
  • and many others
There are thousands of these spam pages. They are used mainly in e-mail spam campaigns, hidden by a URL shortener.

The university and the fraternity I attended are amongst the victims as well: hxxp://alumni.iit.edu/s/946/forms/757/100824/game31.html, hxxp://pkp.iit.edu/bog/l.php?n249=300

University websites are becoming a preferred vector for different types of spam. The vast number of sub-domains, each likely managed by a different group which may not have professional IT/security skills, makes them an easy target.

-- Julien

Friday, March 18, 2011

Heavy obfuscation used by Fake Antivirus websites

Just a few days back, I published a post discussing the popularity of fake antivirus websites in 2011. As I mentioned there, attackers are continually creating new domains and websites promoting their fake software, using various obfuscation techniques to hide their code from detection by IDS, IPS, antivirus, etc. We have since encountered a number of malicious websites hosted on the same IP address. The main pages of these websites are heavily obfuscated. The structure of the obfuscated JavaScript remains the same throughout, but all variable names are random, which likely means the attacker has created, or is using, a tool to handle the obfuscation. Here are screenshots of the JavaScript code from two different websites:

Looking at the above images, you can see that the structure of the code remains the same and only the variable names are randomized. The source of the page contains only a body tag and the malicious JavaScript. When the page loads, it starts creating animations that deliver security warnings to scare the victim. Here is one example:

As I mentioned in the earlier blog post, these are fake security alerts attempting to coerce the victim into downloading fake antivirus software that will download additional malware onto the system. The code for these animations and for initiating the download of the malicious binaries is hidden inside the obfuscated script. Let's decode the main script. The malicious JavaScript has two functions defined and three lines of code to decode the content. Here is how they look:

The variable “euqbvulz” is passed in the first iteration to the decoding function “ikcmfynlzk()”. The decoded content is then stored in a variable called “wfuaydtmd”. The “wfuaydtmd” variable is passed in a second iteration to a second function, “fiyctdv()”, inside a “document.write()” call. So the code goes through two iterations of decoding. Let's decode it using Malzilla.

Malzilla successfully decoded the contents, but the decoded result contains another three heavily obfuscated JavaScript snippets and some HTML code. Let's decode them one by one. Here is the first one:

The first snippet decodes to the HTML “title” tag, which is displayed as the title of the webpage and claims it is a legitimate Windows security website. This means the HTML code displaying the warnings and animation is hidden in the remaining scripts. Here is the second one:

The above script loads the animated images with the message “Initializing virus Protection System…”. Here is the third one:

If you look at the above image, you will notice some security-related strings, which suggests that this snippet is what actually loads the animation. The first variable is declared as “strategy”, and the attacker's strategy is to load that variable with the CSS that styles the fake warnings. Here are some screenshots of that CSS code:

So the code displaying the security warnings and messages is obfuscated multiple times by the attacker. You will notice that the strings used by the attacker are the ones displayed in the warning images shown in the first few screenshots. Due to the heavy obfuscation, the detection rate for this HTML file remains very poor across antivirus vendors.


Monday, March 14, 2011

Facebook Likejacking, phishing and spam

Last Thursday, I wrote about Facebook Likejacking. Today, similar pages were brought to my attention. They use Likejacking to spread through user profiles using much more aggressive spam techniques.

The pages look like they come from Facebook. The teaser is a video that should be watched "only if you are 16 or older". The Play button hides a Facebook Like widget.

Spam page looking like Facebook

Before the user can play the video, he must either verify that he is at least 18, or prove that he is a human... by filling out surveys, trying games, etc.! The spammers are paid for each action taken by the user (PTC campaign).

"Security check": the user must fill out a survey

If you stay on these pages long enough, they will attempt to submit a form on your behalf. Fortunately, Firefox throws a warning.

Firefox prevents the automatic POST

acidattacker.com shows a Facebook page and a Youtube page with the same content.

Fake Youtube page from spammers

These spam pages can be found at:
  • hxxp://bnltwo.info/video2/
  • hxxp://acidattacker.com/

-- Julien

Thursday, March 10, 2011

A bookmarklet to uncover Facebook Likejacking

Spammers love to use hidden Facebook "Like" buttons to spread their spam quickly, a technique called Likejacking. Recently, I was forwarded a few German Likejacking pages:
  • hxxp://www.ksmp3.de/Guten-Morgen-Schatz-geht-daneben/ (live)
  • hxxp://www.mir-gefaellts.eu/erwischt/webcam-girl1/index.html (down)
  • hxxp://respectmiley.info/ (down)
Spam page with hidden Facebook "Like" button

The spam pages contain a lot of ads (of course!), a video and a hidden iframe. The hidden iframe contains the Facebook "Like" button. It follows the mouse as the user hovers over the video to click on the Play button, so the user's click both triggers the Facebook "Like" widget and starts the video. The spam page then appears in the user's Facebook news feed, spreading the spam to more people.

Source code of the hidden iframe

To hide the iframe, it is reduced to 2x2 pixels and given a black background (the same as the video background).
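For triaging pages offline, the same tell (a Facebook Like plugin loaded in an iframe too small to see) can be checked statically. The following Python is an added example, not the bookmarklet from the post: it parses saved HTML with the standard-library HTMLParser, looks at every iframe whose src points at the Facebook Like plugin and flags it when the declared width and height are both tiny or the inline style makes it transparent. The sample page is constructed to match the post's description; the hosts in it are invented.

```python
import re
from html.parser import HTMLParser

# Constructed page modelled on the post: ads, a video player, and a 2x2 pixel
# black iframe carrying the Facebook Like plugin (hosts are invented).
SAMPLE_PAGE = """<html><body style="background:#000">
<div id="ads"><iframe src="http://ads.example.invalid/banner" width="300" height="250"></iframe></div>
<div id="player"><object data="video.swf" width="640" height="360"></object></div>
<iframe id="fb" src="http://www.facebook.com/plugins/like.php?href=http://spam.example.invalid/"
        style="position:absolute; width: 2px; height: 2px; background: #000; border: 0"
        scrolling="no"></iframe>
</body></html>"""

_PX = re.compile(r"(width|height)\s*:\s*(\d+)\s*px", re.I)
_OPACITY = re.compile(r"opacity\s*:\s*(0(?:\.\d+)?)(?![\d.])", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _dims(attrs):
    """Pixel width/height from the inline style, falling back to width=/height= attributes."""
    w = h = None
    for prop, val in _PX.findall(attrs.get("style") or ""):
        if prop.lower() == "width":
            w = int(val)
        else:
            h = int(val)
    if w is None and (attrs.get("width") or "").isdigit():
        w = int(attrs["width"])
    if h is None and (attrs.get("height") or "").isdigit():
        h = int(attrs["height"])
    return w, h


def find_likejacking(html, max_px=10):
    """Return every Facebook Like iframe that is too small to see or is transparent."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        if "facebook.com/plugins/like" not in src.lower():
            continue
        w, h = _dims(attrs)
        tiny = w is not None and h is not None and w <= max_px and h <= max_px
        m = _OPACITY.search(attrs.get("style") or "")
        transparent = m is not None and float(m.group(1)) < 0.1
        if tiny or transparent:
            hits.append({"src": src, "width": w, "height": h,
                         "reason": "tiny" if tiny else "transparent"})
    return hits


if __name__ == "__main__":
    for hit in find_likejacking(SAMPLE_PAGE):
        print("hidden Like widget:", hit)
```

Two limits worth knowing: a widget hidden by a stylesheet rather than inline attributes, or moved under the cursor by script, is invisible to this static check (the bookmarklet sees the live layout), and if the Like iframe sits inside a further iframe from another site, that inner document is not in the HTML you saved, which is the same boundary the post's Same origin policy section describes.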

Bookmarklet to uncover hidden iframes

A simple way to uncover the hidden iframe is to make it bigger. I removed the "width: 2px" and "height: 2px" styles from the "hidden" iframe, and the "Like" button became apparent.

The Facebook "Like" widget uncovered. Notice the black background.

All browsers allow users to run JavaScript in the context of the page through a bookmarklet. I've transformed the JavaScript I used in the example above into a bookmarklet. Drag and drop the link below to your bookmarks. This creates a new bookmark, "Uncover Facebook Likejacking 1.0 (Zscaler)". If you browse to a suspicious page and suspect a hidden "Like" widget, click on this bookmark to uncover any potential Likejacking.

Uncover Facebook Likejacking (Zscaler)

You can find the original JavaScript here.

Here is short video of how it works.

Same origin policy

Because the JavaScript from the bookmarklet runs in the context of the page, it is subject to the Same origin policy. This means the script cannot access frames or iframes loaded from a domain different from the main page's. The script shows a warning if a page contains frames; you can load each frame in a separate tab and run the bookmarklet on each of them.

Warnings on pages using frames

If you're ever a victim of Likejacking, you can always remove the spam from your news feed and mark it as spam. But Facebook seems pretty slow at reacting to Likejacking, as this web page is still being shown in users' news feeds after several days of spamming people.

-- Julien

Wednesday, March 9, 2011

Analyzing PDF exploits for finding payloads used

We have written a couple of previous blogs focusing on in-depth analysis of PDF exploits, as this is yet another technique used by attackers to package malicious code and avoid antivirus detection. We have also written in the past about the different decoding filters used to hide malicious code inside PDF files. In this blog, we will examine yet another in-the-wild PDF exploit which hides its malicious code under different objects, and identify the final payload used to carry out the attack. The malicious PDF sample was retrieved from “hxxp://sj1s.co.cc/games/pdf.php?f=21”. Here is the PDF source code:

The PDF file is small and contains clear-text JavaScript. Let's look at object 1, which contains the malicious JavaScript. The code is very simple to read and understand. It accesses some property values declared elsewhere, such as “this.producer”, “this.subject”, etc. Where do those values come from? If you look at object 3, you will notice that these variables are read from the document properties. Strings like “eval” and “StringfromCharCode” suggest this JavaScript is used for malicious purposes. So we have three different strings from object 3 which are used in the malicious JavaScript:

1) Property Producer contains a long array of values
2) Property Subject contains the string “eval”
3) Property Title contains the string “StringfromCharCode”

We will use Malzilla to decode this JavaScript. For that, we need to substitute the respective values into the variables and re-create the JavaScript with those values so that Malzilla can handle the decoding. We need to look at the code carefully, because the array contains some substitution and arithmetic operations. Here is what we need to substitute:

Let's take the first value from the Producer property array, which is “t9.5*w”. The malicious JavaScript contains a variable “w” declared with a value of 4, and another statement (axp = axp.replace(/t/g,'2');) which replaces the character “t” with 2. So the first integer of the array becomes (29.5*4) = 118. When we substitute the values of “t” and “w” throughout the whole array, we obtain the final, simple JavaScript code:
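The substitution step can be done without rebuilding the script by hand. The following Python is an added example, not code from the post or from Malzilla: it pulls the /Producer, /Subject and /Title strings out of a PDF Info object and applies exactly the transformation described above (replace “t” with 2, multiply by w = 4, map the result to a character code). The Info object is constructed for the example and only its first array element, “t9.5*w”, is a value quoted in the post; the rest are made up so that the array decodes to a readable word.

```python
import re

# Constructed PDF Info object in the layout the post describes. Only "t9.5*w"
# is taken from the post; the other elements are invented so the array
# decodes to "eval". Real samples carry a much longer array.
SAMPLE_INFO_OBJECT = b"""3 0 obj
<< /Producer (t5.t5*w,t9.5*w,t4.t5*w,t7*w) /Subject (eval) /Title (StringfromCharCode) >>
endobj
"""

# Literal strings of the three properties the exploit reads (no PDF escape handling).
_PROP = re.compile(rb"/(Producer|Subject|Title)\s*\(([^)]*)\)")
# One array element: digits and 't' characters, optionally a dot, times w.
_TERM = re.compile(r"^([t\d.]+)\*w$")


def extract_info_strings(pdf_bytes):
    """Return {'Producer': ..., 'Subject': ..., 'Title': ...} from the PDF text."""
    return {k.decode(): v.decode("latin-1") for k, v in _PROP.findall(pdf_bytes)}


def decode_producer(producer, t_digit="2", w=4):
    """Undo the obfuscation: 't' -> t_digit, multiply by w, take the character code."""
    chars = []
    for term in producer.split(","):
        m = _TERM.match(term.strip())
        if not m:
            raise ValueError("unexpected array element: %r" % term)
        code = float(m.group(1).replace("t", t_digit)) * w
        if code != int(code) or not 0 <= code <= 0xFFFF:
            raise ValueError("element %r does not yield a character code" % term)
        chars.append(chr(int(code)))   # what String.fromCharCode would produce
    return "".join(chars)


def recover_payload_string(pdf_bytes):
    """Decode the Producer array and return it with the Subject and Title helpers."""
    props = extract_info_strings(pdf_bytes)
    return decode_producer(props["Producer"]), props["Subject"], props["Title"]


if __name__ == "__main__":
    decoded, subject, title = recover_payload_string(SAMPLE_INFO_OBJECT)
    print("Subject=%r Title=%r decoded Producer=%r" % (subject, title, decoded))
```

For a real sample, read the replace() call and the value of w from object 1 and pass them in; the script deliberately refuses elements in any other shape rather than guessing, since a variant of the exploit may change the arithmetic.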

We will now decode the above simplified code using Malzilla. The decoded content is shown below:

The decoded content contains heap spray code, shellcode and code targeting different Adobe vulnerabilities. However, we have yet to identify what this code does once it exploits a vulnerability: what payload does it use? For this we need to analyze the shellcode. Here is what it looks like:

The shellcode is in %u Unicode-encoded format. We will convert it into raw bytes inside an executable for further reversing with IDA Pro or OllyDbg, using our favorite online tool, Shellcode 2 EXE. We copy and paste the shellcode bytes from the variable, which generates a sample “.exe” file to analyze. Here is the screenshot:

Now we have an executable file to analyze. Let's open it in IDA Pro first to look at the strings inside the payload. Here are the strings found:

The strings show that this payload is going to download additional files onto the system. Now let's open the file in OllyDbg to obtain the malicious URL used inside the payload.

The shellcode starts with NOP instructions, followed by a loop which decodes the rest of the code. Look at the instructions in the highlighted box above; those are the instructions that decode everything. By stepping through the code, we find an instruction that compares a byte value with E9 to exit the loop, and another that XORs each byte with 31. We put a breakpoint at the RETN instruction, let the code run, and are presented with the decoded content, which contains more interesting strings.
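Once the decoder loop is understood, the debugger is no longer needed to get at the strings. The following Python is an added example, not code from the post: it turns a %u-encoded heap-spray string into the bytes it occupies in memory (each %uXXYY is a UTF-16LE code unit, so YY lands before XX), emulates the loop described above (XOR each byte with 0x31 until a 0xE9 byte is reached), and greps the result for URLs. The shellcode sample is constructed with the matching encoder so the block runs offline; the URL in it is invented. One detail the post does not state is whether the 0xE9 comparison happens before or after the XOR, and this code assumes it is made on the encoded byte.

```python
import re

XOR_KEY = 0x31      # from the post: each byte is XORed with 0x31
STOP_BYTE = 0xE9    # from the post: the loop exits when it sees 0xE9

_UNIT = re.compile(r"%u([0-9a-fA-F]{4})")
_URL = re.compile(rb"https?://[\x21-\x7e]+")


def unicode_escape_to_bytes(text):
    """Convert a %uXXYY heap-spray string to the bytes it occupies in memory (UTF-16LE)."""
    out = bytearray()
    for unit in _UNIT.findall(text):
        value = int(unit, 16)
        out.append(value & 0xFF)   # low byte is stored first
        out.append(value >> 8)
    return bytes(out)


def xor_decode(buf, offset=0, key=XOR_KEY, stop=STOP_BYTE):
    """Emulate the decoder stub from `offset` (the first encoded byte, after the sled
    and the stub itself). Assumption: the stop marker is compared before the XOR."""
    out = bytearray()
    for b in buf[offset:]:
        if b == stop:
            break
        out.append(b ^ key)
    return bytes(out)


def xor_encode(plain, key=XOR_KEY, stop=STOP_BYTE):
    """Inverse of xor_decode, used only to construct the sample; refuses plaintext
    whose encoding would contain the stop marker early."""
    enc = bytes(b ^ key for b in plain)
    if stop in enc:
        raise ValueError("plaintext collides with the stop marker")
    return enc + bytes([stop])


def to_unicode_escape(buf):
    """Format bytes the way the exploit embeds them, padding to an even length with a NOP."""
    if len(buf) % 2:
        buf += b"\x90"
    return "".join("%%u%02X%02X" % (buf[i + 1], buf[i]) for i in range(0, len(buf), 2))


def find_urls(buf):
    """URLs present in decoded shellcode (NUL or any non-printable byte ends a match)."""
    return [u.decode() for u in _URL.findall(buf)]


# Constructed sample: a payload carrying a download URL (invented, reserved .invalid
# host), XOR-encoded behind a four-byte NOP sled. The real shellcode has a decoder
# stub between sled and data; here `offset` stands in for locating it.
SAMPLE_PAYLOAD = b"http://dl.example.invalid/update.exe\x00"
SAMPLE_SHELLCODE = to_unicode_escape(b"\x90" * 4 + xor_encode(SAMPLE_PAYLOAD))
SAMPLE_OFFSET = 4


if __name__ == "__main__":
    raw = unicode_escape_to_bytes(SAMPLE_SHELLCODE)
    decoded = xor_decode(raw, SAMPLE_OFFSET)
    print(SAMPLE_SHELLCODE)
    print("decoded %d bytes, URLs: %s" % (len(decoded), find_urls(decoded)))
```

On a real sample, take the key, the stop value and the offset of the first encoded byte from the disassembly of the loop as the post does; if the decoded bytes are garbage, the comparison is probably made after the XOR, and the stop check moves to the decoded byte.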

Look at the highlighted string in the dump area above. This URL is used to download another binary from the server. We have now identified the malicious payload and the URL it uses. For reference, here is the result from ThreatExpert for the same shellcode.

That's it for now.


Tuesday, March 8, 2011

Fake Security Software Websites – Still popular in 2011

Fake security software is a form of malware that misleads users into installing and potentially paying for fake security software. The sites convince users to download the malicious software by displaying fake security warnings such as “Your computer is infected”. End users are clearly not educated about such attacks, as the campaigns remain highly successful. Below is a short analysis of a recent infection on a friend's machine to illustrate the problem.

We continue to see numerous infected sites redirecting users to fake security software campaigns. The pages display animated fake security warnings in order to scare users and convince them to download and install a binary, which is generally packaged as fake antivirus software. The victim is infected with a downloader Trojan that then downloads additional malware. Below are a few screenshots of animations typically used in the attacks:

After this initial loading animation, the user is prompted with another security warning:

Once the user clicks on the OK button, additional animated fake security warnings are displayed.

At this point, the user is prompted to download the fake antivirus software.

This same campaign has been used over and over again and can be found hosted at thousands of domains.

All of the above animations are from the same malicious website. The content is randomly changed for each new visit to the site. Once the software is installed, the victim is pressured to activate or buy a license key to remove the fake threats from the system. Here are some tips for users who want to stay away from these attacks.

1) No real antivirus vendor displays such security warnings, animations and popups.

2) No website can scan your system when visited and immediately display warnings about threats on the system.

3) No real antivirus vendor will force you to download an executable.

4) When you need AV software, go directly to the site of a reputable vendor yourself.

5) Keep an eye on the address bar for the URL name and any redirected URL names.

6) Keep an eye on the status bar of the browser, at the bottom of the window, to spot redirection taking place.

7) If you want to download an executable but are unsure that it is legitimate, it can be scanned by various antivirus vendors by submitting it to a service such as VirusTotal. If popular vendors flag the file as malicious, immediately delete it from the system.

8) Install a common antivirus solution and keep it updated with the latest virus definitions.

9) Last but not least, never pay for such fake security software.

The VirusTotal results for the fake security software from the above example show that it was detected by only 21/42 popular AV vendors. Even now, we are still seeing a large number of fake security software websites promoting their fake products.

Stay safe


Trojan infection through Facebook

It's no surprise to see Facebook becoming a primary focus for spreading malware. Attackers leverage Facebook as a means of reaching end users, delivering links and convincing victims to click on them. The links deliver malware that allows attackers to access sensitive information or take control of a victim's machine. Recently, I found such an incident where Facebook was used to spread a known Trojan.

The victim usually gets a message containing a malicious link which looks like:

Visiting the link redirects the user to the following page:

The above page delivers a binary called “surprise.exe”. VirusTotal shows that most common antivirus engines flag it as a known Trojan dropper. If the victim accidentally executes “surprise.exe”, the machine prompts with the following message:

Currently no malware is hosted on the site “facebook-surprise-nmsk.tk”, but there is no guarantee that it will remain in that state. A report from scumware.org shows the different domains used to spread this malware. All of the domains were registered with the same IP; a DNS lookup for the IP can be found here.

This clearly shows how attackers are taking advantage of the power of social networking to spread malware. Always make sure links are safe before clicking on them.