BIND 9 Dynamic Update DoS

Vulnerability described in CVE-2009-0696 is very easy to exploit and the consequences can be disastrous.

All it takes is a singled DNS UDP packet with Dynamic Update structure specially crafted for any Zone which the target server is Master and the named process will exit.

As stated by ISC BIND's update ACLs do not mitigate this vulnerability. Since this is UDP then source IPs can be spoofed and nearly impossible to track down. Even DNS infrastructures which are designed to expose only slave servers to the Internet can be vulnerable if any of them have Master Zones for netblocks mentioned in RFCs 1912 Section 4.1 and 1918 Section 3.

Anyone who wishes to audit their environment can utilize the following Python script. Make sure you have permission to test your targets!.

Given the criticality of this vulnerability several IDS vendors have released detection signatures. However, as of this writing the above script evades the following signatures: Sourcefire and Emerging Threats. Both groups will be notified with necessary information.


milw0rm is gone

This was on the site before it went down:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don’t :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn’t fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

PS: I'm keeping their link here for historical reasons.


Tornado exploit pack

Like most other exploit packs it's written in PHP with a MySQL backend. Control panel supports configuration options for several users (attackers).

Has the ability to control incoming traffic. It can either:

- Ignore
- Redirect
- Display custom page

based on several criteria such as:

- Country of origin
- Visitor uniqueness
- Vulnerable client
- Not vulnerable client

Displays several different statistics based on:

- Victim's Country
- Originating web site (referer)
- Exploits used
- Detailed Log (IP, time, browser, exploit used, infected (yes/no), and referer)
- Overall Summary - OS and Browser breakd down of traffic and exploit effectiveness

Exploit is delivered in the form of obfuscated javascript. Obfuscated ASCII encoded code and decryption function are delivered to the client as a single long line. This content is unique on every visit except certain parts of the decryption routine. Upon successful exploitation another request will be made to the exploit server to a different script which will deliver the binary to execute.

The following is a list of exploits available to the attacker, which can be individually selected to target:

- WebViewFolderIcon.SetSlice
- MS06-044
- WMF Firefox
- WMF Opera 7
- QuickTime
- WinZip
- Zenturi
- Yahoo Webcam
- Opera 9 - 9.20
- XML Core Services
- Java bytecode

Default script for exploit delivery is "count.php", while individual exploit modules are located in the "exploits/" directory with the following naming convention: "x#.php" where # is the numeric value starting with one (1).

Upon successful exploitation another request will be made to retrieve a binary for execution on victim's computer. By default the requested script will be "getexe.exe" with the following parameters:

?o= integer value to identify attacker
&t= integer value represents time the exploit was generated
&i= integer value represent IP address of victim
&e= integer value represents exploit number used

Following is the schema of the database:

CREATE TABLE `stats1` (
`ip` int(10) unsigned default NULL,
`time` int(10) unsigned default NULL,
`country` tinyint(3) unsigned default NULL,
`browser` tinyint(4) default NULL,
`version` varchar(8) default NULL,
`os` tinyint(4) default NULL,
`refdom` varchar(32) default NULL,
`status` tinyint(4) default NULL,
`loader` tinyint(4) default NULL,
`expl` tinyint(4) default NULL

CREATE TABLE `users` (
`id` smallint(5) unsigned NOT NULL auto_increment,
`user` varchar(16) default NULL,
`pass` varchar(32) default NULL,
`premis` tinytext,
`options` tinytext,
`lasttime` int(10) unsigned default NULL,


Improvements to Zeus

Zeus's development is active these days. Below is a table of release dates for each version:

2008/12/20 -
2008/12/30 -
2009/03/11 -
2009/03/28 -
2009/04/02 -

This change log entry states that during HTTP communication of the Trojan with the C&C server the User-Agent used will be that of system's Internet Explorer. Before, it was a constant string embedded in the binary, which could have raised suspicion or blocked by ISPs.


Zeus / Zbot / Prg / Ntos / Wsnpoem

Real name of the trojan package is Zeus. It comes with a PHP based control panel and a Windows executable to build the trojan. Builder's job is to parse a text based config file, encrypt it, and embed some options into the trojan. The builder can also remove the infection from the system.

Main scripts of the control panel are:


Script which controls authentication to the admin panel as well as all reporting and configuration options of the botnet.


This is the script which accepts all communication from the bot client on a compromised computer. Depending on configured options it will either insert the data into a MySQL database, or store inside a seperate directory, or both.

It's responsable for decrypting the POST data and parsing individual stolen records. Basically, this is the main C&C script of the botnet.

Keep in mind that these filenames are not hardcoded anywhere but are only the defaults. If the filename is changed on the server then the bot client must be updated with a new configuration file, which it periodically polls off the server. Typical configuration file will have entries similar to the ones on this screenshot.

Currently, Zeus' build tree is 1.2.x.x which, depending on subversions, will utilize either RC4 encryption or a simpler form of it. Otherwise, the record and configuration structures remain the same between different 1.2.x.x builds. Older versions, prior to 1.2.x.x used a completely different structure and obfuscation method. They contained a unique field in the HTTP headers during C&C communication and thus were easily detected via IDS signatures from Emerging Threats (2003182, 2003183, 2007688, 2008100, 2008326)

So, what can this bot/trojan do?
It has the following abilities:

Credential stealing of FTP and POP3 on any TCP port.

Via a custom build can capture any data.

Capture of HTTP and HTTPS traffic.

Proxy server via Socks 4/4a/5, even if compromised device is behind a NAT.

Screenshot capture of the desktop.

Theft of "Protected Storage" data.

Here's an example how a communication flow between bot/trojan and C&C server will look like.


Unique Pack

Exploits for Opera9, Firefox, Internet Explorer 4, 5, 6, and 7. Seperate module to exploit Adobe Reader util.printf() (CVE-2008-2992) vulnerability. Also, includes a module to deliver binaries via social engineering the visitor into accepting the download, similar to Fake AV.

So, what's so unique about it? Nothing really. Perhaps the fact that it obfuscates its PHP code which contains exploits, which isn't difficult to take off. Also, maybe because it doesn't use any parameter passing to scripts via URL, as most other packs do. Here's a summary of some scripts:

Defines variables for loader and exploit URLs, database credentials, and control panel credentials.

URLs are defined for loader script ("load.php") and Adobe PDF exploit ("pdf.php").

Filename of binary which will be dropped ("1.exe").

Database host, name, credentials. Default DB name is "spl".

Control Panel's script name ("admcp.php"), username, and password (double MD5 hash of real pass). Default user is "root".

Defines functions and text for 404 page. Functions to identify browser, operating system, country (based on GeoIP), and encoding function to Unicode for Javascript (eg: "%u9090").

Configuration variables for social engineering module to convince the user to download the binary, similar to the idea used in RogueAV schemes.

"install.php" or "_install.php"
Database creation script. Will connect to the database with configured credentials and create necessary table.

CREATE TABLE `statistic` (
`id` int(10) NOT NULL auto_increment,
`ip` varchar(15) default NULL,
`os` varchar(30) default NULL,
`br` varchar(30) default NULL,
`country` varchar(2) default '--',
`good` int(1) NOT NULL default '0',
`mv` int(1) NOT NULL default '0',
`refer` varchar(300) NOT NULL,
`date` datetime default '2008-10-01 00:00:00',

Checks for presence of "install.php" and executes it. If visitor's IP was already logged then aborts with HTTP 200 status but shows a 404 page as defined in the variable of the "cfg/options.php" file.

Identifies country, browser, operating system, referer, IP address and updates the database. Includes "sploit.php" file for exploit generation.

Checks if "Unique" name is defined and aborts with 404 message from predefined variable if not defined. Determines the browser and loads appropriate exploit script:
"sploit/op9.php" - Opera
"sploit/ff.php" - Firefox
"sploit/ie7.php" - Internet Explorer 7
"sploit/ie.php" - Internet Explorer 4, 5, or 6.

Reads the executable which was defined in config file and serves it to the user. Updates database column "good" for this connection's IP address.

Contains the exploit for Adobe Reader ; CVE-2008-2992 ; util.printf(). Interestingly, the file contains obfuscated PHP script to generate the exploit. It has some protection against people attempting to modify the code and print out the exploit. It reads itself and looks for calls to "print | sprint | echo" and aborts if found. This prevents people from simply modifying the "eval" statement to see the real exploit code.

Delivers an executable file using social engineering technique similar to RogueAV by convincing the user of a threat or some required update. Messages can be customized per browser, operating system, and country.

Checks if visiting IP was already given a binary using this method and aborts if found.

If GET parameter "?a" is set then delivers the binary otherwise displays a convincing message and redirects back to itself with proper parameter.


Armitage 1.0

This is a rather old version dated back to November 2007 but perhaps someone will find this info useful.

On the server side it's driven by PHP with MySQL as the backend. File structure is similar to other packs. One noticable difference in the way statistics are tracked, as all packs track visitors and these numbers are used in marketing of packs.

Armitage has an additional section to calculate how many visitors were actually compromised. Typically this is done by recording how many people request a download of a loader (trojan binary) which means the exploit worked. However, this does not account for the fact that loader may have been blocked on the client due to various defenses. Any pack's job is to deliver an exploit and load some binary and many packs are satisfied with just recording such requests. In Armitage's case it is accomplished by recording an additional request which must be made by this loader. This statistic will represent how many devices have been compromised and have gotten the loader to fully execute and check-in. It is unclear why this decision was made for a generic pack since loaders will now have to be specifically written to perform this check-in function. Such loader was not distributed with the pack itself so it is possible that this was not written for general public.

Contains password variables for admin and guest.

Defines variables needed to establish database connection (host, schema, user, and password).

Establishes a database connection and creates the necessary tables. Once complete shows a link to admin page and required credentials.

Defines two valid accounts admin and guest. Shows traffic and loads statistics as well as has the ability to upload a new trojan and change passwords.

Defines various functions which identify the visitor based on UAS.

Creates the URL for loader "exe.php" and if GET contains "?ex=" integer then this value will be passed to "exe.php?ex=".

Checks visitor's IP address for previous visits and aborts if one is found. String "^_~" is returned upon abort.

Identifies the browser, the following list is used: Opera, Konqueror, Lynx, Links, Internet Explorer, Netscape, Firefox, Mozilla, Other.

Identifies the OS with the following list: Windows (95, NT 4, 98, ME, 2000, XP, 2003, Vista), Linux, Mac OS, Other.

Identifes the Country based on GeoIP library from visitor's IP address. Geoip files are borrowed from Icepack.

Updates statistics for HTTP Referrer, domain only. Sanitizes the referrer domain to avoid SQL injection.

Updates statistics for Browser, OS, and Country. Inserts visitor's IP address and time of visit.

Exploit is served for Internet Explorer from "e.php", for Opera from "opera.php", and Firefox from "ff.php".

Second stage of the exploit sequence, which serves the binary file. By default it is "./load/file.exe", but if GET "?ex=" integer was set then file with that value is delivered (eg: "./load/file20.exe"). Identifies the visitor (Browser, OS, Country) and updates "loads" statistics table.

Identifies the Country based on Geoip of the connection and updates the "ots" (otstuk) statistics table. This is the place where loader's check-in stats are kept.

Serves the MDAC exploit slightly obfuscated. CVE-2006-0003 ; MS06-014 ; MDAC (BD96C556-65A3-11D0-983A-00C04FC29E36). If this fails then will load "bof.php".

Contains the shellcode for buffer overflow exploits.

Serves the WFI exploit. CVE-2006-3730 ; MS06-057 ; "WebViewFolderIcon.WebViewFolderIcon.1.setSlice()".

At the end display the 404 Not Found page which is fake since real HTTP Status code is still 200 OK.

Serves exploits for Firefox browsers

Serves exploits for Opera browsers


PE offsets within malware

Building on work mentioned in the previous post couple of more interesting facts were identified. Realizing that implementing the Snort's SO rule may not be feasible in some infrastructures, depending on the design and configuration of the sensors, it would be beneficial to identify most common offsets used by malware and how they compare to legitimate executables.

After reviewing offsets found in an installation of Windows XP SP2 system utilizing 8000 samples, both executable and DLL files, and then comparing with offsets found in malware collected over the last year and a half (450 samples) there were several unique offset identified which were solely used by malware.

As a result of this several regular Snort signatures can be written which will alert on download of binaries which should raise suspicion.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE under 128)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,<,128,58,relative,little; content:"PE|00 00|"; rawbytes; within:130; sid:62; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 12)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,12,58,relative,little; content:"PE|00 00|"; rawbytes; within:14; sid:53; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 16)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,16,58,relative,little; content:"PE|00 00|"; rawbytes; within:18; sid:54; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 64)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,64,58,relative,little; content:"PE|00 00|"; rawbytes; within:66; sid:55; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 96)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,96,58,relative,little; content:"PE|00 00|"; rawbytes; within:98; sid:56; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 124)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,124,58,relative,little; content:"PE|00 00|"; rawbytes; within:128; sid:57; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 144)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,144,58,relative,little; content:"PE|00 00|"; rawbytes; within:146; sid:58; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 152)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,152,58,relative,little; content:"PE|00 00|"; rawbytes; within:154; sid:59; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,160,58,relative,little; content:"PE|00 00|"; rawbytes; within:162; sid:60; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,512,58,relative,little; content:"PE|00 00|"; rawbytes; within:514; sid:61; rev:1;)

Couple of interesting and important notes. There was not a single legitimate binary which contained a PE offset under 128 bytes. The offsets in malware which did not match those of legitimate files occured in %25 of malicious samples.

All offsets found:

Suspicious PE offsets (malware of 467 samples):
12, 16, 64, 96, 124, 144, 152, 160, 512

Legitimate PE offsets (XP Sp2 8582 samples):
128, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, 248, 256, 264, 272, 280, 288, 296, 304, 312, 320, 336, 344, 392, 584, 592, 600, 608, 616, 624, 632, 1024, 7680