Friday, April 9, 2010

Charlie Miller on Pwn2Own, Mac Security, and Fuzzing

I recently interviewed Charlie Miller about Mac security for MacTech Magazine's podcast, MacTech Live. Charlie talked about fuzzing, a technique for finding vulnerabilities by feeding a program malformed input and watching for crashes. Using a 5-line Python fuzzer, Charlie recently mutated PDF files to test Adobe Reader and Apple Preview, and PPT files to test Microsoft PowerPoint and OpenOffice.org Impress, and found dozens of exploitable bugs (approximately 20 of which he was prepared to use at CanSecWest to remotely exploit Safari).
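To make the technique concrete, here is an added example of the kind of dumb mutation fuzzer Charlie describes. It is my own illustration, not his code and not from the interview: it overwrites a few random bytes of a seed file, hands the result to a target program, and keeps only the cases that kill the target with a signal (SIGSEGV, SIGABRT and the like, which are the ones worth triaging for memory corruption). The seed PDF bytes and the stand-in crashing target in `demo()` are constructed for the example; in real use you pass a genuine seed document and the command line of the viewer you want to test.

```python
import os
import random
import shutil
import subprocess
import sys
import tempfile
from typing import List, Optional, Tuple

# Constructed seed input. A real run would load a small, valid PDF (or PPT) instead.
SEED = (b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n")


def mutate(data: bytes, rate: float = 0.01, rng: Optional[random.Random] = None) -> bytes:
    """Dumb mutation: overwrite a small fraction of the bytes with random values.

    Nothing about the file format is used. That is the point of this style of
    fuzzer: it is cheap to write and still shakes loose parser bugs.
    """
    rng = rng or random.Random()
    buf = bytearray(data)
    for _ in range(max(1, int(len(buf) * rate))):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def run_target(cmd: List[str], path: str, timeout: float = 10.0) -> Optional[int]:
    """Run `cmd path`. Returns the exit status (negative = killed by that signal),
    or None if the target hung past the timeout."""
    try:
        proc = subprocess.run(cmd + [path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    return proc.returncode


def fuzz(cmd: List[str], seed: bytes, iterations: int, outdir: str,
         rng: Optional[random.Random] = None) -> List[Tuple[str, int]]:
    """Mutate `seed`, feed each case to the target, keep the files that crashed it."""
    rng = rng or random.Random()
    crashes: List[Tuple[str, int]] = []
    for i in range(iterations):
        path = os.path.join(outdir, f"case-{i:05d}.bin")
        with open(path, "wb") as f:
            f.write(mutate(seed, rng=rng))
        rc = run_target(cmd, path)
        if rc is not None and rc < 0:      # died from a signal: keep the case for triage
            crashes.append((path, -rc))
        else:                              # clean exit, error exit or hang: discard
            os.remove(path)
    return crashes


def demo(iterations: int = 3) -> List[Tuple[str, int]]:
    """Stand-in target (an assumption for the example, not a real viewer): a Python
    process that reads the file and then kills itself with SIGSEGV, so every case
    registers as a crash and the harness logic can be exercised offline."""
    target = [sys.executable, "-c",
              "import os, signal, sys; open(sys.argv[1], 'rb').read(); "
              "os.kill(os.getpid(), signal.SIGSEGV)"]
    outdir = tempfile.mkdtemp(prefix="fuzz-")
    try:
        return [(os.path.basename(p), sig)
                for p, sig in fuzz(target, SEED, iterations, outdir, random.Random(1))]
    finally:
        shutil.rmtree(outdir)


if __name__ == "__main__":
    # Usage: python fuzz.py seed.pdf /path/to/viewer [viewer args...]
    # With no arguments it runs the self-contained demo against the stand-in target.
    if len(sys.argv) > 2:
        seed = open(sys.argv[1], "rb").read()
        os.makedirs("crashes", exist_ok=True)
        for path, sig in fuzz(sys.argv[2:], seed, 1000, "crashes"):
            print(f"crash (signal {sig}): {path}")
    else:
        print(demo())
```

Two practical notes: a GUI viewer usually needs a wrapper that opens the file and exits (or a headless rendering CLI), and cases that time out are discarded here, but hangs are often worth a second look too.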

Charlie recently won the Mac prize at CanSecWest's Pwn2Own contest for the third year in a row by successfully executing a remote code execution exploit against Safari on a fully patched Mac.

Listen to or download the interview (19 minutes): MP3

If you enjoy the interview, you may also be interested in checking out:

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

Thursday, April 8, 2010

Google Analytics Typosquatters Hosting Malicious JavaScript Files

Typosquatting has been around practically since the dawn of the Web. Often if you're typing a site address whose domain ends in .gov or .org and you mistakenly type .com or .net instead, you'll end up somewhere you didn't expect. There are also countless domains based on various misspellings of google.com, microsoft.com, and numerous other sites.

I recently noticed when browsing through MalwareURL's database that some malefactors are actively using typosquatted Google Analytics domains for nefarious purposes. Google Analytics is a service that allows webmasters to keep track of anonymized statistics about visits to their site. The recently discovered typosquatted Google Analytics domains contain a JavaScript file named urchin.js or ga.js in the root directory—the same filenames and locations of the scripts on the real Google Analytics domain (google-analytics.com).

The operators of the typosquatted domains probably have one of two scenarios in mind. The first is that some webmasters might have mistyped the Google Analytics tracking code (very unlikely, since virtually everyone copies and pastes it directly from Google's site); if the domain were mistyped in just the right way, those pages would inadvertently load malicious JavaScript. The second is that the typosquatters plan to embed these scripts in their own pages, hoping that individuals or companies who maintain their own URL blacklists have mistakenly whitelisted */urchin.js or */ga.js instead of the full URLs of those scripts on the official Google domain. Either way, there seems to be only a remote chance that going to the trouble of emulating Google Analytics' JavaScript URLs would make a difference, but someone did it anyway.
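As an added example (my own, not part of the original post or of any MalwareURL or Google tooling), here is a small script-source audit that avoids the filename-only whitelisting mistake described above: it extracts every `<script src>` from a page, keys its decision on the host rather than on `urchin.js`/`ga.js`, and flags an analytics-named script that is served from a bare IP or from a host whose second-level label is within edit distance 2 of `google-analytics`. The sample HTML is constructed for the example, reusing the squatted domains listed below; the set of official hosts (`www.` and `ssl.google-analytics.com`) is the one Google's snippets of the time referenced.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

OFFICIAL_HOSTS = {"google-analytics.com", "www.google-analytics.com", "ssl.google-analytics.com"}
ANALYTICS_FILES = {"urchin.js", "ga.js"}
OFFICIAL_LABEL = "google-analytics"

# Constructed sample page: two genuine Google Analytics includes, three squats
# of the kind discussed in the post, and two unrelated scripts.
SAMPLE_HTML = """<html><head>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script src="https://ssl.google-analytics.com/ga.js"></script>
<script src="http://google-abalytics.info/urchin.js"></script>
<script src="//google-anaiytics.info/ga.js"></script>
<script src="http://94.102.52.27/urchin.js"></script>
<script src="http://code.jquery.com/jquery-1.4.2.min.js"></script>
<script src="/js/app.js"></script>
</head><body></body></html>"""


class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the cheap way to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(src: str) -> str:
    # Protocol-relative sources (//host/ga.js) need a scheme before urlparse sees a host.
    if src.startswith("//"):
        src = "http:" + src
    return (urlparse(src).hostname or "").lower()


def second_level_label(host: str) -> str:
    # Label just left of the TLD; good enough for .com/.info, naive for .co.uk-style suffixes.
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def classify(src: str) -> str:
    """'official' for the real hosts, 'suspect' for an analytics-named script from a
    bare IP or a lookalike host, 'other' for everything else."""
    host = host_of(src)
    filename = urlparse("http:" + src if src.startswith("//") else src).path.rsplit("/", 1)[-1]
    if host in OFFICIAL_HOSTS:
        return "official"
    if filename not in ANALYTICS_FILES:
        return "other"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "suspect"
    if levenshtein(second_level_label(host), OFFICIAL_LABEL) <= 2:
        return "suspect"
    return "other"


def audit(html: str) -> List[Tuple[str, str]]:
    """Return (src, verdict) for every external script on the page."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    return [(src, classify(src)) for src in parser.srcs]


if __name__ == "__main__":
    for src, verdict in audit(SAMPLE_HTML):
        print(f"{verdict:8s} {src}")
```

The same `classify()` rule works as a blacklist-side check: anything that matches on filename but not on the official host is exactly the case a `*/urchin.js` whitelist would have let through.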

To mitigate the threat of malicious JavaScript code, you can do your casual Web browsing or searching in a separate browser with JavaScript disabled. More advanced users may prefer to use the NoScript add-on for Firefox.

Following are additional details that may be of interest to fellow security researchers, including reports for the domains that have been actively hosting malicious urchin.js files in their root directories within the past week and domains to which the obfuscated JavaScript code attempted to redirect:

google-abalytics .info
http://wepawet.iseclab.org/view.php?hash=5fe48a81a1823241ed4a87583a421e30&t=1269703815&type=js
http://wepawet.iseclab.org/view.php?hash=fd99d0ea4496fbc54fc5432231c6829d&type=js
http://wepawet.iseclab.org/view.php?hash=5fe48a81a1823241ed4a87583a421e30&t=1270222974&type=js
http://www.mywot.com/en/scorecard/google-abalytics.info
http://www.mywot.com/en/scorecard/sonyfreevouchers.com
http://www.mywot.com/en/scorecard/finalearth2010.com
http://www.mywot.com/en/scorecard/ladygagaprivate.com

google-nalytics .info
http://wepawet.iseclab.org/view.php?hash=799f31fa4be2dbef7e7c76cf79643141&t=1269367107&type=js
http://wepawet.iseclab.org/view.php?hash=799f31fa4be2dbef7e7c76cf79643141&t=1270224122&type=js
http://www.mywot.com/en/scorecard/google-nalytics.info
http://www.mywot.com/en/scorecard/dragon4star.com
http://www.mywot.com/en/scorecard/dragon4ebay.com

google-aqalytics .info
http://wepawet.iseclab.org/view.php?hash=82a03924c835405e731e7e14a9a06b00&t=1269292716&type=js
http://wepawet.iseclab.org/view.php?hash=82a03924c835405e731e7e14a9a06b00&t=1270225409&type=js
http://www.mywot.com/en/scorecard/google-aqalytics.info
http://www.mywot.com/en/scorecard/novellstars2.com
http://www.mywot.com/en/scorecard/finalearth2010.com (again)

94.102.52 .27
http://wepawet.iseclab.org/view.php?hash=79d4ff894aa25a5f7fa38c84ba105ab2&t=1269570600&type=js
http://www.mywot.com/en/scorecard/discovermetallica.com
http://www.mywot.com/en/scorecard/google-azalitics.info (mentioned at hxxp://94.102.52 .27)

google-acalytics .info
http://wepawet.iseclab.org/view.php?hash=ba9cd1beb7c3dcda941488a1912efdad&t=1269305698&type=js
http://www.mywot.com/en/scorecard/google-acalytics.info
http://www.mywot.com/en/scorecard/allgirlsvideos2.com

Following are VirusTotal analyses for each of 11 variants of this JavaScript (note that these are current scans, not the original scans prior to when I submitted samples to AV vendors):

https://www.virustotal.com/analisis/e9d1acf3859dca3ca09eaa91b83964b434877a3cf591ca853a2828f8a5e57528-1270753931
https://www.virustotal.com/analisis/cd425d4accdfcd7381ee9762f03f6db66da28cd3e858660d6720c0c91bac1df6-1270753951
https://www.virustotal.com/analisis/c2ae0940214095ff71df887aa6d770741ab8d2409f81f8077812289977358fc4-1270753970
https://www.virustotal.com/analisis/e55157f3c20964ad2e878c5f1a0369b330fa4a7d6698db9385ce2544bc7c295f-1270753988
https://www.virustotal.com/analisis/bfca9da96841ab5dfec4fe23540d11811dbf2af89446f6b7c1981a0b695820d5-1270753997
https://www.virustotal.com/analisis/8807ad064a87978b2ce9b9ac167a6baf134a0f99761121af5f13af524dd3aa48-1270754013
https://www.virustotal.com/analisis/4a5f715f7212fb530a735b24d0989e8f410fc3ea634f44a294f3eaf426f4e365-1270754021
https://www.virustotal.com/analisis/fc4f88247dca91a7d0cc335f29ba5badda5f4e2eb619d542bfd264f2df020232-1270754039
https://www.virustotal.com/analisis/8ac6c153881d8d1bd63bd048b654ed83e52ff519121a75b4a1b96e978db59738-1270754048
https://www.virustotal.com/analisis/eb8c478ad68ac6c2dd7a69c3a3676e728697e60d86f5de0594c724c6dab26cae-1270754067
https://www.virustotal.com/analisis/b55a9b61336f576b28f40949b9c36ef8f143cffb701a70f40f2ea51744a93cb9-1270754105

These variants have been variously detected as JS:Downloader-LP, JS.Crypt.CSA, JS.Siggen.84, JS/Agent.LP!tr.dldr, JS/Crypted.CP.gen, JS/Downloader, JS/Pakes, JS/Psyme.PP!tr.dldr, JS/Redir.AG.gen, JS/Redirector, JS/Redirector.AM!tr, TR/Click.Agent.NG, TR/Click.Agent.NI, TR/Dldr.Agent.fei.2, TR/Dldr.Agent.fej, TR/Dldr.Agent.fek, TR/Dldr.Agent.fel, TR/Dldr.Agent.fem, TR/Redirector.BU, TR/Redirector.BU.1, TR/Redirector.BU.2, Trojan-Clicker.JS.Agent.ng, Trojan-Clicker.JS.Agent.ni, Trojan-Downloader.JS.Agent.fei, Trojan-Downloader.JS.Agent.fej, Trojan-Downloader.JS.Agent.fek, Trojan-Downloader.JS.Agent.fel, Trojan-Downloader.JS.Agent.fem, Trojan.Click.Agent.NG, Trojan.Click.Agent.NI, Trojan.Clicker.JS, Trojan.Dldr.Agent.fei.2, Trojan.Dldr.Agent.fej, Trojan.Dldr.Agent.fek, Trojan.Dldr.Agent.fel, Trojan.Dldr.Agent.fem, Trojan.JS.Redirector, Trojan.JS.Redirector!IK, Trojan.JS.Redirector.bu, Trojan.Redirector.BU, Trojan.Redirector.BU.1, Trojan.Redirector.BU.2, Trojan.Script.397828, Trojan/JS.Redirector, Virus.JS.Downloader.LP, Virus.JS.Downloader.LP!IK, etc.

Additional domains that were actively hosting malicious urchin.js files in January or February according to MalwareURL:

gogle-analitics .info
http://wepawet.iseclab.org/view.php?hash=9366c7b0f0e2675f97f2014ae424ea3a&t=1267176549&type=js
http://www.mywot.com/en/scorecard/gogle-analitics.info
http://www.mywot.com/en/scorecard/wincreeps.com

google-amalytics .info
http://wepawet.iseclab.org/view.php?hash=05abc26abb5c007b3519120d67b64de9&t=1264815145&type=js
http://www.mywot.com/en/scorecard/google-amalytics.info
http://www.mywot.com/en/scorecard/2thomasjefferson.com

google-anaiytics .info
http://wepawet.iseclab.org/view.php?hash=12b02043d52f73a73a58e4de95c251bc&t=1265052560&type=js
http://www.mywot.com/en/scorecard/google-anaiytics.info
http://www.mywot.com/en/scorecard/delhiwebcamera.com

Here's another that apparently hosted a malicious ga.js file last month:

91.213.174 .101
http://www.mywot.com/en/scorecard/91.213.174.101

Strangely enough, most (if not all) of the domains to which the JavaScript code tries to redirect are offline. The Wepawet reports indicate that the sites were also offline when they conducted their initial scans.

See MalwareURL's lists of sites hosting urchin.js or ga.js files:
http://www.malwareurl.com/search.php?urls=on&rp=200&s=urchin.js
http://www.malwareurl.com/search.php?urls=on&rp=200&s=ga.js
