Apr 262015

The Dutch company Fox-IT has revealed a detailed information about Quantum Insert Attack. HTML Redirection attack by injecting malicious content into a specific TCP session. A session is selected for injection based on selectors, such as a persistent tracking cookie that identifies a user for a longer period of time.

The attack can be done by sniffing an HTTP request then the attacker will spoofed a crafted HTTP response. In order to craft a spoofed HTTP response the attacker should know the following:

  • Source and Destination IP address
  • Source and Destination TCP port
  • Sequence and Acknowledgment Number

Once the packet is spoofed a race condition will occur, if the attacker win the race then he/she would response to the victim with malicious content instead of the legitimate one.

Performing Quantum Insert attack require that the attacker can monitor the traffic and have very fast infrastructure to win the race condition.

To detect Quantum Insert we should look for the following:

  1. Duplicate Sequence number with two different payloads, since the attacker will spoof the response ,the victim will have two packets with same sequence number but with different payload.
  2. TTL anomalies ,the spoofed packets would show a different time to live value than the real packets . TTL different might be legit due to the nature of internet traffic but since the attacker will be closer to the target to win the race condition that might give unusual different in the ttl between the legitimate packets and the spoofed one.



(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apr 252015

Yesterday Steve Basford informed us of yet another type of malicious document (Sales Invoice 519658.pdf MD5 bfe397fb9b7907ab34ba83f0f086336d). It is a PDF document, containing an embedded file, with JavaScript to extract the embedded file to a temporary folder and then open it. The embedded file is a malicious Word document like we" />

You can analyze such PDFs without using Adobe Reader or Microsoft Word, but with my tools pdfid, pdf-parser and oledump.

If you want to know in detail how to do this, I have a video.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apr 242015

In previous diaries we have talked about memory forensics and how important is it . Malware that does not exist in the file system are one of the reasons why memory forensics is important.

Michael Marcos from Trend Micro wrote about Fileless malware. POWELIKS is one of the example he talked about.

POWELIKS hides its malicious code inside Windows Registry Key and it is use Windows PowerShell to run additional encoded code.

Phasebot is the second malware that Marcos has talked about is Phasebot can be defined as a new variant of Solarbot.

The Phasebot has additional features such as Virtual Machine detection and an external module loader which give the malware the ability to add and remove features.

Phasebot encrypt the communication with its Command and Control server using a random password each time it connects to the CC server.

The malware was designed to check for .Net Framework 3.5 and Windows PowerShell which are installed by default in recent versions of Windows.

Then it will creates the following registry key where the encrypted shell code will be written:

  • HKEY_CURRENT_USERSoftwareMicrosoftActive SetupInstalled Components{Bot GUID}

It creates Rc4Encoded32 and Rc4Encoded64 registry values where it will save the encrypted 32-bit and 64-bit shell code. Lastly, it creates another registry value namedJavaScriptthat will decrypt and execute the Rc4Encoded32/64 values.

If the programs are not found in the system, Phasebot drops a copy of itself in the%User Startup%folder. It then hooks APIs to achieve a user-level rootkit that makes the file hidden from a typical end- user. It hooks theNtQueryDirectoryFileAPI to hide the file and hooksNtReadVirtualMemoryto hide the malware process

Phasebot can execute routines, per the instruction of the bot administrator, such as steal information via formgrabbers, perform distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs.




(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
%d bloggers like this: