Archive for December, 2012


Content In Brief

An exploit kit, namely The KaiXin Exploit Kit, was discovered roughly 4 months ago by the malware analyst community. I also posted a decent report of this malware back in August. Since then, KaiXin has made another go for it, introducing Version 1.1, which was blogged today by Eric Romang.

I immediately set out to compare file sizes and detection number on VirusTotal. What I found out was rather shocking. Check out the results of 2 different variants, both shellcode exploits [Note: names are randomly generated, but the size of the files are so similar as to assume they are different variants]:

KaiXin Version 1.0 (cLpl7.html)
[NEW] KaiXin Version 1.1 (JSZlR.html)

KaiXin Version 1.0 (gADSr.html)
[NEW] KaiXin Version 1.1 (WysBRr.html)

The detection rate is lower than before. Why is that?

Keep searching,
~!Donovan

Advertisements

Searching For Exploit Kits

A unique trick to searching Exploit Kits on Google is to use the following query: “* exploit kit.zip”.

This searches for all websites with the content of (any characters) exploit kit.zip, not case sensitive. This search provides the best results. For a more specific, yet less knowledgeable result, replace the star (*) with the name of the exploit kit you wish to download. For example: “Crimeware exploit kit.zip”.

Keep hunting,
~!Donovan

Yesterday, Polonus addressed the issue on the avast! forums. Let’s check out the inform.htm.

First, review the VirusTotal results.

The malicious code is as follows:

inform.htm

As you can see, no obfuscation. They aren’t trying to hide anything. Maybe they are trying to reduce general AV detection. And the script looks simple enough, with a redirect to this podarunoki(dot)ru site…

Now we will look two at two urlQuery references: here and here.

Both of these sites, including the one given in the picture above, lead to .ru domains with :8080.

You can check for new malicious inform.htm sites on CleanMX,
~!Donovan

LFI allows you to include files through a web server; however, specific injections of parameters in the URL string can lead to other files being called, if not used properly. A basic LFI file looks like the following:

   <?php
   $file = $_GET['file'];
   if(isset($file))
   {
       include("pages/$file");
   }
   else
   {
       include("index.php");
   }
   ?>

A legit referral would look like this: example.com/index.php?file=services.php. It searches the current directory and does not induce upper directory levels. This is the safe approach and should be a standard that you use.

There is also the malcreant approach: example.com/index.php?file=../../../etc/passwd. What this does is show all the passwords (in hash form) that are found on a nix-running system. The malcreant would then be able to crack these passwords and get file access.

However, PHP includes an amazing function called str_replace(), which takes three arguments: The value to replace, what to replace it with, and what string we’re dealing with. Naturally, we can remove all the ‘up directory’ symbols as follows:

   <?php
   $file = str_replace('../', '', $_GET['file']);
   if(isset($file))
   {
       include("pages/$file");
   }
   else
   {
       include("index.php");
   }
   ?>

There is also the option to exclude the request altogether:

if (strpos($file,'../') !== false) {
    echo 'Invalid Request.';
}

The PHP parser only detects the given utf-8 value, so how about if we use hexadecimal as follows?

example.com/index.php?file=..%2F..%2F..%2F/etc/passwd

The following would avoid our current security plans because hexadecimal is not parsed when it meets the PHP script, but is parsed by the client’s browser.

The best way to avoid this exploit is to not use LFI unless you absolutely have to and it cannot be done any other way,
~!Donovan