Semiweekly Technical Updates

Java Zero-Day Attacked Again

The popular software companies WebSphere, WebLogic, JBoss, Jenkins, and OpenNMS were exposed as highly vulnerable to zero-day exploits and potentially Remote Code Execution attacks on application servers, according to FoxGlove security in November 2015. This attack allows for the control of the servers, and the exploit has been around for more than two years. As the “Apache Commons Collections library fails to sanitize user-provided input thoroughly,” malicious code can be appended to the input and remote code execution can be performed. This vulnerability was dubbed CVE-2015-4852, and the number of web applications vulnerable to this attack have disturbingly increased, not decreased, since the vulnerability has surfaced.

The Growing Popularity of Crypto-Ransomware

Use of crypto-ransomware increased in November of 2015 and Chimera, Cryptowall, and CryptoLocker Service were the primary culprits in the attacks. These attacks are highly detrimental to organizations and users, as recovery options are severely limited. Chimera encrypts files and networks drives and directs individuals to a Dropbox file where the information is supposedly stored. Those that click on this Dropbox link are demanded to pay nearly $700 to obtain their data. If the sum is not paid, Chimera threatens to publish all documents and photos from the user (primarily businesses), though no compromised data has yet been detected.

Cryptowall, which first appeared in 2013, has been updated to Cryptowall 4.0, and encrypts not only files, but file names, making file recovery extremely difficult. One of the original versions of crypto-ransomware, CryptoLocker has also been updated to Cryptolocker Service, and is run from the Darknet by Fabken, who charges $50, plus ten percent. All three take advantage of vulnerabilities in Flash and Java.

Though it did not affect end users, admin Linux servers have also recently been breached by an attack that had administrative access and encrypted key files. A survey of security professional by Bromium indicated that 90 percent of them believe that “their organization would be more secure if it disabled Flash.” Detection and reaction to crypto-ransomware have proved ineffective, and Bromium reports that the only protection against these attacks are threat isolation security platforms, such as Bromium vSentry.

CloudFlare Recommends Mandatory Entropy in CA Serial Numbers

The cryptographic hash function SHA-1 is no longer considered secure and will soon be replaced with SHA-2. SHA-1 was designed to be collision resistant up to 280 bits and replaced MD5 encryption in 1995. MD5 was replaced when it was demonstrated that a collision could be generated in only a few days of computing and a chosen prefix hash collision could be easily generated. Using these collisions, hackers could then use known prefixes in the collision to append the bytes to determine the hash functions, and generate certificates from trusted browsers with the same hash.

The malware Flame, which was discovered in 2012, infected computers through the Microsoft Windows Update by using a forged Microsoft certificate likely created through a chosen-prefix technique. Typically, signatures include the following information in this order: Serial number, Validity period, Domain name, Public key, X.509 extensions, Signature.

CloudFlare is recommending that the prefix, which is the serial number, validity period and domain name, be less predictable. By introducing 20 bits of entropy into the serial number of the prefix, the signature is one million times more difficult to replicate. Though no proven collisions or forged trusted digital signature have been produced, it is recommended that this entropy be mandatory in signature generation to ensure security and trust in the Internet.

Reverse Engineering with IDAPython

When a malicious sample is encountered and a string decryption function is recognized, IDAPython can assist in scripting the decryption of the large amounts of encrypted strings. First, the malware must be detected and its purpose of decrypting strings must be determined. When large numbers of strings are detected, instead of manually decrypting and renaming or dynamically running the sample and renaming strings as they are encountered, IDAPython easily allows for writing a script that will both decrypt and rename the strings as they are encountered.

In order to defeat the string obfuscation, the decryption function must first be identified and replicated. Next, the code referenced by the decryption function must be identified and data extraction will be supplied as an argument. Then, to get the offset address, one should step backward one instruction at a time and look for a ‘mov esi, offset [addr]’ instructions.

Then, the  GetOperandValue() API function can be used to get the actual address of the offset address. Since the strings are raw binary data, the GetString() API function will not work, but iterating byte-by-byte to the null terminator will allow extraction of the string address. IDAPython will then permit cross-referencing the supplied arguments and, once everything is plugged in, a comment can be added to the string decryption reference and position of encrypted data using the MakeComm() API function. Using these functions within IDAPython can simplify and save time while reverse engineering malicious samples.

Mobile Apps Should Use Page Visibility API

Mobile app users are frequently navigate away from the app, whether the user is switching apps, closing the app, or a notification causes the app to switch into the background. For some apps, when these users switch away from the app for any reason, the user’s data and app state are not maintained because mobile app developers continue to use commands that do not maintain the mobile user’s data and app state. These apps are often using the “pagehide,” “beforeunload,” and “unload” commands when the page is not being used on the main screen of the device.

However, a “clean shutdown” of a mobile app rarely occurs, making these functions the exception rather than the rule. Instead, app developers should be using visibilityChange state changes to activate a session save, gather and restart analytics, and restore logic using Page Visibility API. Page Visibility is activated by all task-switching scenarios and, when implemented, functions across all platforms and browsers. However, Firefox is the only browser that is using this tool during unloading today, though there are Chrome, WebKit, and Edge bugs that allow its use. Once Page Visibility is the standard, mobile users will experience a much improved user experience without lost progress or frequently losing app states.