Apples for the Army

Forbes Article

In an effort to reduce vulnerability exposure, the US Army is adding Mac OS X into the mix of possible targets. There's nothing wrong with this approach. These days different organizations apply various methods to reduce the risk of incidents.

In my younger and innocent days I was under the impression that the government utilized custom applications running on custom operating systems designed by them for them.  I guess the government doesn't have enough budget and resources to maintain teams of engineers and support staff to design and implement custom information technology infrastructure.

Most think, and will say, that this is a complicated issue with many pros and cons. However, if one really thinks about it, it's not that complicated. Investment in custom code will outweigh all the cons in the long term. Look at all the recent reports about cyber warfare attacks and their success. That success was largely due to known vulnerabilities in common software products.


Neosploit exploit toolkit

The Neosploit toolkit is an advanced exploit framework for compromising web site visitors. It was written by "grabarz". It is unknown whether this is a group or an individual, though some information suggests it is an individual.

It's not as popular as the Mpack toolkit but is gaining popularity steadily. It was written in C and is deployed as a CGI script. It can support multiple users from the same script: the exploit code is the same for all users, but the delivered executables can differ.

Similar to other toolkits, this one provides various statistics too. Instead of using a database to store them, Neosploit uses several files with specific internal structures. The following information about each visitor is logged: operating system, web browser and its version, IP address, and the Referer.

Delivered exploit code is obfuscated using a custom JavaScript decoding function. The function name and all local variables are randomized in order to avoid detection by network IDS signatures. Often, several layers of obfuscation with anti-decoding tricks are used to deter the faint-hearted.

The toolkit's URL scheme is designed to prevent the curious from obtaining the executables, even when the same one was used in previous exploits.

Perhaps the reason for its slow adoption is its high price. It ranges, depending on version, from $1500 to $3000. The common version seen in the wild today is 1.5.x, with 2.0.x in beta. The first version detected was 1.0.x, early this year.

More in-depth analysis will follow.


How effective is AV?

To see how effective AV engines are at detecting threats, some malware samples were sent to VirusTotal for analysis.

The samples were binaries that would end up on a victim's computer through exploitation of vulnerabilities in web browsers or in add-ons/controls associated with browsers.

Up to 65% of the submitted executables were obtained between fall of last year and spring of this year and were checked by the AV engines this month. The others are mainly from this summer.

%Found  #Total  #Missed  AV engine
 29.00     369      264  FileAdvisor
 33.00     369      249  eTrust-Vet
 45.00     369      203  ClamAV
 45.00     369      204  TheHacker
 45.00     369      206  AhnLab-V3
 46.00     369      201  Ewido
 46.00     369      202  VirusBuster
 48.00     369      195  Norman
 49.00     369      190  McAfee
 51.00     369      182  Authentium
 58.00     348      147  Prevx1
 58.00     369      156  Sunbelt
 60.00     350      141  Rising
 60.00     369      148  F-Prot
 61.00     369      146  Microsoft
 62.00     364      139  Symantec
 62.00     369      143  Fortinet
 67.00     368      124  Avast
 68.00     369      119  eSafe
 68.00     369      120  VBA32
 69.00     369      115  Panda
 69.00     369      117  Sophos
 70.00     369      112  Kaspersky
 71.00     361      107  DrWeb
 71.00     364      107  F-Secure
 71.00     368      107  NOD32v2
 72.00     369      105  AVG
 72.00     369      107  CAT-QuickHeal
 74.00     369       96  Ikarus
 74.00     369       99  BitDefender
 79.00     378       81  AntiVir
 84.00     354       59  Webwasher-Gateway


IcePack Platinum Edition 2007

This exploit framework is nicely designed and has a somewhat object-oriented approach.

Browser-based exploit code is broken down into separate modules. Its statistics engine logs several important user variables such as IP, browser and OS version. By default, it checks whether the visiting IP has already been seen and, if so, avoids further interaction with that session.

Another interesting aspect is that it uses output stream buffering with a callback function that obfuscates all output to avoid detection and casual reading. Specifically, it uses a random ASCII-based substitution table to create a JavaScript function which decodes the payload and runs it.

The people who wrote this framework (IDT Group, or at least that is the header at the top of every source file) know what they're doing. Their code layout and some of the documentation are presented in a manner often seen in professional programming projects.


Interesting "Downloader"

Get it from offensivecomputing: "f5c3bf7be349b36983d2a07b917f4bb7"

It uses a rather simple walking XOR decryption with a single-byte key that decrements at each iteration. This is used to decrypt both code and data.

Next, it sets up a Vectored Exception Handler and executes INT 3. So, if you're debugging and don't pass the exception on to the program, nothing happens.

Another interesting aspect is that every API it calls is resolved by hash: the export tables are located through the PEB structures, and to call an API the code calls an internal function with a predetermined hash of the API name; this function traverses all current exports and hashes each one for comparison. Once found, the API's address is returned in EAX, which is followed by "call eax".

Moreover, all data blocks are XORed, each with a different key, and as soon as a block has been used the decrypted memory is cleared.
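As an added illustration (not code from the original post or from the sample itself), here is the walking XOR scheme described above in Python, together with the key-recovery step an analyst uses when the starting key byte is unknown but a few plaintext bytes are; the function names, the 0x7F key and the sample bytes are constructed for the example.

```python
from typing import Optional, Tuple

# Added example (not from the original post): single-byte walking XOR where the
# key byte decrements by one on every iteration, as the post describes.


def walking_xor(data: bytes, start_key: int) -> bytes:
    """XOR each byte with a key that starts at start_key and decrements (mod 256)
    on every byte. The transform is its own inverse, so it packs and unpacks."""
    out = bytearray(len(data))
    key = start_key & 0xFF
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = (key - 1) & 0xFF  # walk the key down, wrapping from 0x00 to 0xFF
    return bytes(out)


def recover_start_key(blob: bytes, known_prefix: bytes) -> Optional[int]:
    """Brute-force the 256 possible starting keys against a known plaintext
    prefix (e.g. b'MZ' for an embedded PE, or an API name the code must use)."""
    for k in range(256):
        if walking_xor(blob[: len(known_prefix)], k) == known_prefix:
            return k
    return None  # no key maps the blob onto that prefix


# Constructed sample: a small "data block" of the kind the downloader keeps
# encrypted until use. Key 0x7F is an arbitrary made-up value for the demo.
SAMPLE_PLAINTEXT = b"LoadLibraryA\x00"
SAMPLE_KEY = 0x7F
SAMPLE_BLOB = walking_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def demo() -> Tuple[Optional[int], bytes]:
    """Recover the key from a 4-byte known prefix, then decrypt the whole block."""
    key = recover_start_key(SAMPLE_BLOB, b"Load")
    plain = walking_xor(SAMPLE_BLOB, key) if key is not None else b""
    return key, plain


if __name__ == "__main__":
    k, p = demo()
    print(f"recovered key 0x{k:02x}: {p!r}")
```

Because the first byte alone fixes the key (k = blob[0] XOR plaintext[0]), a known prefix of even two bytes is enough to confirm or reject a candidate; a longer block than 256 bytes simply wraps the key around.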



Taken from David LeBlanc's blog:
"writing code to explore how things worked (previously known as hacking)."

What's so different about that definition now?

Ahh, is it the kiddies looking for a quick buck or an organized effort to make lots of quick bucks?

I'd say that deep down, fundamentally, it's the same now as it was before. The only difference is that it attracted bigger fish to steal someone else's catch. Evolution, survival of the fittest, has reached the net.


Bureaucracy or Incompetence?

Quoting HDM:
"Look at how a hacker gets access to the driver: Right now I'm working on Microsoft's automated process to get Metasploit-certified. It [only] costs $500."

Quoting ISN:
"The irony of his statement lies in the idea that Vista trusts Microsoft-certified programs, programs that can include a hacker exploit platform that walks through the front door for a mere $500 and a conveyor-belt approval process."

Imagine the possibilities. I wonder, is this due to bureaucracy or just plain incompetence?


Wi-Fi leeches, attaching to open wireless networks often without the owner's knowledge or permission in order to access the Internet.

How can one complain about "permission or knowledge" if the access is open?

Incompetent fools?!