CVE-2014-4114 and an Interesting AV Bypass Technique

Published: 2015-06-16
Last Updated: 2015-06-16 19:22:45 UTC
by John Bambenek (Version: 1)
0 comment(s)

Citizen Lab recently reported on a CVE-2014-4114 campaign against pro-democracy and pro-Tibetan groups in Hong Kong. Neither the attacks themselves nor their sophistication should surprise anyone. The vulnerability was patched with MS14-060 in October 2014 and has been used by APT and crime groups for some time. Trend Micro wrote a good write-up of the issue here.

What is interesting is what amounts to an anti-virus bypass employed by the actors. This bypass was discussed in this report (disclaimer: from my day job). In short, when the CVE-2014-4114 exploit code was put into a .ppsx file generated by the exploit kit, it triggered AV. When the same file was saved as a .pps file, those same AV engines stopped detecting it. The .ppsx format (PowerPoint Show, Office Open XML) is the more modern, zip-based container; .pps is the Office 97-2003 binary format built on OLE compound files. The vulnerability itself is in the Windows OLE package manager that handles embedded objects, not in the PowerPoint container, so the embedded object works whichever wrapper surrounds it: even though the AV engines stopped detecting the malicious document, the exploit code ran without issue.

The first takeaway is, obviously, to patch your systems; it is surprising how many targeted political organizations remain vulnerable to exploits whose patches have been out for months.

The second is that the same malicious content can be represented differently in different file types, and it is important to get coverage of those other formats to ensure complete protection.
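The second takeaway in working code, as an added example that is not the diary's or Fidelis' own code: a small triage script that classifies a PowerPoint file by its container magic and, for the Open XML container, looks for an OLE-object relationship whose target is external (the embedded object is fetched from a path rather than stored in the package). The indicator is an assumption chosen for illustration, not a description of how any AV engine detected these samples. The point the script makes is that the same check is blind to a legacy .pps, where the same object sits in an OLE stream that no zip-entry parser ever opens. The sample documents are constructed inline; the .pps stand-in is only a valid CFB header, enough to show the dispatch.

```python
"""Container-aware triage for PowerPoint documents (added example).

An Open XML package (.ppsx) is a zip file; the legacy format (.pps) is an
OLE compound file. A check written for one says nothing about the other.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # local file header of a zip (OOXML)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def classify_container(data: bytes) -> str:
    """Return 'ooxml', 'ole' or 'unknown' from the leading bytes."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def scan_ooxml(data: bytes) -> list:
    """List (rels part, target) for OLE-object relationships that point
    outside the package. Each part's relationships live in a _rels/*.rels
    XML file; TargetMode="External" means the object is not stored in the zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    findings.append((name, rel.get("Target")))
    return findings


def scan(data: bytes) -> dict:
    """Dispatch on container type and make the coverage gap explicit."""
    kind = classify_container(data)
    if kind == "ooxml":
        return {"container": kind, "external_ole": scan_ooxml(data), "covered": True}
    # The binary format keeps the same objects in OLE streams, not in zip
    # entries or .rels XML, so this checker cannot see them at all. A real
    # pipeline needs an OLE stream parser (e.g. olefile) for this branch.
    return {"container": kind, "external_ole": [], "covered": False}


def build_sample_ppsx() -> bytes:
    """Constructed sample: minimal package with one external oleObject relationship.
    The UNC target uses a documentation address (192.0.2.10) and is made up."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
        'Target="\\\\192.0.2.10\\share\\slide1.gif" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


def build_sample_pps() -> bytes:
    """Constructed stand-in for a legacy .pps: CFB magic plus padding.
    Not a real presentation; only the magic bytes matter for this demo."""
    return OLE_MAGIC + b"\x00" * 504


if __name__ == "__main__":
    for label, blob in (("ppsx", build_sample_ppsx()), ("pps", build_sample_pps())):
        print(label, scan(blob))
```

Run it and the .ppsx sample is flagged with its external target while the .pps stand-in comes back `covered: False`: the checker has not said the file is clean, only that it never looked. A detection pipeline that treats "no finding" and "not scanned" the same way is exactly what the actors exploited by changing the container.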

--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity


Odd HTTP User Agents

Published: 2015-06-16
Last Updated: 2015-06-16 14:25:57 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Many web application firewalls block odd user agents. However, decent vulnerability scanners evade such simple protections by emulating the user agent string of a commonly used browser. To figure out whether I can still distinguish bad from good, I compared logs from our honeypots with logs from a normal web server (isc.sans.edu). Many of the top user agents hitting the honeypot are hardly seen on normal web sites, which allows me to identify possible vulnerability scanners.

First: there are a number of legitimate scripts that poll our data on isc.sans.edu. While, for example, "Python" is used by many vulnerability scanners, we do have a good number of Python scripts using our APIs. I tried to eliminate some of these requests.

Odd legitimate user agents:

First, let's start with a couple of odd user agents from our normal site:

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.247) Gecko/20100101 Firefox/17.247

Yes, the string "User-Agent:" is part of the user agent string. The Firefox version is also old, if it is a real version at all (I don't have Firefox 17 around to verify). This user agent string is used by a web site uptime monitoring service. I assume the developer didn't quite understand how to set the User-Agent header and ended up with the extra "User-Agent:" text inside the value.

Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)

I don't see any actual attacks from "Majestic", but it is certainly an aggressive bot. As explained on their site, you can download the bot; the goal is to build a distributed network of bots spidering web content.

Vulnerability Scanners

The following user agent strings are much more common in our honeypot than on our normal web site, indicating that they are used by vulnerability scanners. However, these are (in some cases) legitimate user agents.

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0

An old version of Firefox, and the #1 user agent right now in our honeypot. Firefox/8.0 does not show up in the top 1,000 user agents used on isc.sans.edu.

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0

#2 in our honeypot. Sure, there may be some people browsing the Internet using Firefox 37 (a recent version) on Ubuntu, but it is certainly not your #2 most common browser. On our real system, this user agent comes in at #220.

masscan/1.0 (https://github.com/robertdavidgraham/masscan)

#3 in our honeypot is masscan, a scanner that announces itself in its user agent. Of course this one is safe to block.

Opera/9.80 (X11; Linux x86_64) Presto/2.12.388 Version/12.16

After some obvious bots (e.g., Baidu), we get Opera, a browser that doesn't show up at all in the top 100 user agents used on our ISC website.

So what can you do with this information?

- Some blocking on the web application firewall is probably a good idea for tools like masscan. You may want to allow them if they are used by legitimate pentesters or by vulnerability scans you run to test your own web applications.

- If some of these user agents have legitimate uses but are more often used maliciously, use them to focus your log reviews. See what kind of requests come from odd (usually outdated) user agents. Many tools are created with a current user agent string that is then never updated, so they end up with outdated user agent strings that start to "stick out" as most of your users upgrade.

- Decent web application firewalls look for other artifacts, like header order, to verify the user agent. We also see user agents like Googlebot being abused (see a prior diary about identifying fake Google bots).
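The comparison described in this diary, as an added example that is not code from the diary or from ISC: count User-Agent strings in a honeypot log and in a production log, then flag agents that rank near the top of the honeypot while being rare or absent on the real site, plus a cheap substring check for tools like masscan that announce themselves. The log lines are constructed in Apache/nginx combined format (documentation IP ranges, filler timestamps), and the thresholds `top_n` and `min_ratio` are assumptions you would tune against your own traffic; the diary's "#220 on the real site" becomes, on a sample this small, a share ratio rather than a rank cut-off.

```python
"""Rank honeypot user agents against a production site's (added example)."""
import re
from collections import Counter

# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Tool-style agents that are safe to block at the WAF unless your own
# scanners use them (assumed list; extend from your logs).
KNOWN_SCANNER_MARKERS = ("masscan", "zgrab", "nikto", "sqlmap")


def user_agent_counts(lines):
    """Count User-Agent strings in combined-format lines; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group("ua")] += 1
    return counts


def rank(counts):
    """Map user agent -> 1-based rank by frequency (ties broken alphabetically)."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {ua: i + 1 for i, (ua, _) in enumerate(ordered)}


def suspicious_agents(honeypot_lines, site_lines, top_n=5, min_ratio=3.0):
    """Return (ua, honeypot_rank, share_ratio) for agents in the honeypot's
    top_n whose share of honeypot traffic is at least min_ratio times their
    share of site traffic. The ratio is inf for agents the site never sees."""
    hp = user_agent_counts(honeypot_lines)
    site = user_agent_counts(site_lines)
    hp_total, site_total = sum(hp.values()), sum(site.values())
    out = []
    for ua, r in rank(hp).items():
        if r > top_n:
            continue
        site_count = site.get(ua, 0)
        if site_count == 0:
            ratio = float("inf")
        else:
            # integer arithmetic first keeps the ratio exact for the test data
            ratio = (hp[ua] * site_total) / (site_count * hp_total)
        if ratio >= min_ratio:
            out.append((ua, r, ratio))
    return sorted(out, key=lambda t: t[1])


def is_known_scanner(ua):
    """WAF-style decision: does the agent name a known scanning tool?"""
    ua_l = ua.lower()
    return any(marker in ua_l for marker in KNOWN_SCANNER_MARKERS)


def _line(ip, ua, path="/"):
    """Build one constructed combined-format line (timestamp and size are filler)."""
    return f'{ip} - - [16/Jun/2015:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


FF8 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
FF37 = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0"
MASSCAN = "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36"
SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.7 Safari/600.7"

# Constructed honeypot log: scanner-ish agents dominate, one real browser stray.
HONEYPOT_LOG = (
    [_line("198.51.100.7", FF8, "/phpmyadmin/")] * 6
    + [_line("198.51.100.9", FF37, "/wp-login.php")] * 4
    + [_line("203.0.113.5", MASSCAN)] * 3
    + [_line("198.51.100.2", CHROME)] * 1
)

# Constructed production log: real browsers dominate; Firefox 37 on Ubuntu is rare.
SITE_LOG = (
    [_line("192.0.2.10", CHROME)] * 8
    + [_line("192.0.2.11", SAFARI)] * 5
    + [_line("192.0.2.12", FF37)] * 1
)

if __name__ == "__main__":
    for ua, hp_rank, ratio in suspicious_agents(HONEYPOT_LOG, SITE_LOG):
        action = "block" if is_known_scanner(ua) else "review"
        print(f"#{hp_rank} ratio={ratio:.1f} {action}: {ua}")
```

On the sample data, Firefox 8, Firefox 37 on Ubuntu and masscan are flagged; Chrome, which the honeypot also sees once, is not, because it is the site's top agent. Only masscan gets a "block" verdict; the two Firefox strings are legitimate browsers that merely stand out, which is why they belong in log review rather than on a WAF deny list.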

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

ISC StormCast for Tuesday, June 16th 2015 http://isc.sans.edu/podcastdetail.html?id=4529

