Posts Tagged

trojans

Browser Silent Exploitation (2018) POC

Since 2010 I was following the browser exploits of (Silent Java drive by) methods and techniques, and after 2016 I’ve never heard of another “silent drive by” on the Markets, but another critical thing came through, Browser Local storage.

This is a working example of a HTML/JavaScript browser storage exploitation.

As an example, to show how an attacker could force any PC system to download a executable file onto the system just directing the victim to visit a webpage no clicks needed.

Unlike the old Java Drive by methods which have been patched for many years, which used jar applets to allow VBS to execute on the local systems browser TMP folder.

This exploit works by using the browser Local Storage abilities, 90% of web browsers have built in Local Storage cache abilities which allow the them to store files onto the system and reference to these files later when re visiting the website. This allows the browser to reload images and video / SWF content of the website faster than it would normally load the content on the webpage by download.

Now when the victim re-visit a website on a browser with Local Storage cache enable by default it will load the website faster than it would loading from the first time. And the web browser will load the website resources from the local system rather than downloading them again.

What this means is when a site is coded to store its video or image data to the browsers Local Storage cache, the browser automatically downloads the file with no user input or knowledge to the end user this file is then stored on their PC.

trojan.exe = is a file the attacker wishes to have the PC download it by viewing the webpage.

extract.exe = the file that when run will extract trojan.exe from the browsers Local Storage cache and execute it.

The thing is for example Firefox stores this Local Storage cache in a SQL database format on the local HDD, It stores this data in such a way that the image files and video files are not directly on the system but rather there base64 encodings of the file are stored here as a database table value to load from later.

Here is where this exploit comes to play 🙂

With this POC example provided in my GitHub Repo you can see it uses simple CSS/JavaScript with html to store an exe file to the browser cache of any visitor to the webpage.

So, any user visiting this page will automatically download the trojan.exe onto their system no user input dialogs or notices the exe file is on their system as soon as page is done loading.

But the file is on their systems browser cache database which now needs to be extracted and ran on the system now that it is downloaded.

This is where the attacker send them the extract.exe

the Trojan.exe file is the file they must now run to have the Trojan.exe downloaded from viewing the webpage be extracted and ran on the system.

The extract.exe as of version 1.0 is only designed to work in this POC.

The extract.exe DOES NOT download any file it makes no internet connection at all – It simply extracts and runs the file that was silently downloaded and placed onto the system from the website viewing.

The advantages of using this method is that the attacker can indeed force any system viewing any site to download the file just by viewing the webpage. This makes the download ad placement of the file onto their system extremely undetectable AT ALL.

This would also allow attackers to force the file onto victim’s system even if they have a strict firewall in place.

POC contents:

Exploit.js = a java script file that will download the virus silently into the system.

Trojan.exe = example of a cmd trojan that will be downloaded.

index.html = a web page that has the malicious content.

Extract.exe = a file to translate the base 64 code and extract it from the browser storage.

POC REPO:

https://github.com/JameelNabbo/browser-exploit-POC

How can a Rootkit bypass Windows 7 operating system’s kernel mode, code signing policy?

Microsoft has introduced a number of security features designed to prevent malicious code from running. But attackers are continually finding ways around those protections, an example is a rootkit that can bypass the Windows driver-signing protection.
The functionality is contained in TDL4,TDSS and Alureon Rootkits:

TDSS has been causing serious trouble for users for more than two years, and is an example of a particularly pernicious type of rootkit that infects the master boot record of a PC.

This type of malware often is referred to as a bootkit and can be extremely difficult to remove once it’s detected. The older versions of TDSS–TDL1, TDL2 and TDL3–are detected by most antimalware suites now, but it’s TDL4 that’s the most problematic.

 

TDL4 has a specific function that is designed to bypass a protection in Windows 7 and Windows Vista that requires kernel-level code loaded onto a machine to be signed. The Windows kernel-mode code signing policy is mainly applicable on 64-bit machines.

“Starting with Windows Vista, kernel-mode code signing enforcement is
implemented by a component known as Code Integrity. Code Integrity is a
feature that improves the security of the operating system by verifying
the integrity of a file every time that the image of the file is loaded
into memory. The function of Code Integrity is to detect if an unsigned
driver is being loaded into kernel-mode, or if a system binary file has
been modified by malicious code that may have been run by an
administrator,” Microsoft says in its explanation of the functionality.

The TDL4 rootkit has implemented a feature that evades this protection by changing the boot process on protected machines, according to an analysis of TDL4 by Sunbelt Software. The rootkit accomplishes this by going in and modifying which programs Windows will allow to load an unsigned driver.

“The boot option is changed in memory from the code executed by infected
MBR. The boot option configures value of a config setting named
‘LoadIntegrityCheckPolicy’ that determines the level of validation on
boot programs. The rootkit changes this config setting value to a low
level of validation that effectively allows loading of an unsigned
malicious rootkit dll file. The rootkit dll is kdcom.dll, which is an
infected version normal kdcom.dll that ships with Windows,” Sunbelt’s Chandra Prakash wrote in the TDL4 analysis.

“The rootkit also disables debuggers by NOP’ing debugger activation
functions as described below. This makes reverse engineering this rookit
very difficult! The KdDebuggerInitialize1 function
in infected kdcom.dll called during normal execution of the system
installs the rootkit, which hooks the IRP dispatch functions of miniport
driver below the disk to hide its malicious MBR.”

Joe Johnson of Microsoft presented a talk about Alureon at the Virus Bulletin conference, and discussed the low-level capabilities of the rootkit. The presentation addresses the rootkit’s ability to get the Windows kernel to load a fake version of the legitimate kdcom.dll, but says that the malware does not actually bypass Kernel Patch Protection. In fact, it doesn’t have to because KPP doesn’t inspect all loaded drivers, only the code used by the kernel. Alureon patches the Windows Boot Configuration Data to make the machine think that what’s loading is Windows PE, rather than a normal version of Windows, which prevents code integrity checks from being performed.

Earlier versions of the TDL/TDSS rootkit were used in affiliate marketing programs and black hat SEO campaigns. also were part of botnets and had specific functionality designed to hide other malware programs. An analysis of the first three versions of TDL/TDSS by Kaspersky Lab researchers showed that the rootkit is not only quite advanced, but is under continuous development and refinement by a motivated, talented crew.

“Given that the cybercriminals have put considerable effort into
continuing to support this malware, fixing errors, and inventing various
techniques for bypassing signature-based, heuristic and proactive
detecting, TDSS is capable of penetrating a computer even if an
antivirus solution is installed and running. The fact that bot communication with the C&C is encrypted makes
it significantly more difficult to analyze network packets. An extremely
powerful rootkit component hides both the most important malware
components, and the fact that the computer has been infected. The victim
machine becomes part of a botnet, and will have other malware installed
to it. The cybercriminals profit by selling small botnets and using
blackhat SEO,” Sergey Golavanov and Vyacheslav Rusakov wrote. “As long as a malicious program is profitable, cybercriminals will continue to support and develop it.”