2014-01-24

Maximilian Johann Fillinger - Reconstructing the Cryptanalytic Attack behind the Flame Malware

Interesting crypto paper:
Reconstructing the Cryptanalytic Attack behind the Flame Malware
Fillinger, Maximilian Johann

This paper is analyzing this algorithm the authors of the Flame malware (2012) used an MD5 collision to forge a Windows code-signing certificate.
It claims that complexity of the MD5 attack used to fake RSA certificate signatures as used in Flame
was approximately 2^46 - 2^49 of MD5 operations.

It is surprise that it is not (dramatically) faster than the other known solutions as it was originally expected.
So it is contrary to original speculations on it using some backdoor in MD5 or some NSA special intelligenco on MD5 not known to public :).

------------------------------------
Just to recap history of attacks to MD5:

1996 - collisions found in the compression function of MD5 (and rest of the MD family)
2004 - identical prefix collision - Wang et al. - 2^40 operations
2005 - identical prefix collision - Wang and Yu - 2^39 operations
2005 - identical prefix collision - Vlastimil Klima - 2^33 operations
2006 - identical prefix collision -Marc Stevens - 2^32 of MD5
2006 - identical prefix collision - Peter Selinger - code published based on Wang et al. 2^39 operations
2007 - identical prefix collision - Mark Stevens - 2^25
2007 - choosen prefix collision - Mark Stevens,Arjen K. Lenstra, and Benne de Weger - 2^49 operations
2008 - identical prefix collision - Xie et al. - 2^21 operations
2009 - identical prefix collision - Mark Stevens - 2^16 operations
2009 - choosen prefix collision - Mark Stevens,Arjen K. Lenstra, and Benne de Weger - 2^39 operations
2010 - single block collision - Tao Xie, Dengguo Feng - 2^47 MD5 operations
2012 - single block collision - Mark Stevens - 2^50 operations
2013 - single block collision - Tao Xie, Fanbao Liu, Dengguo Feng - 2^41


Sites related:
http://marc-stevens.nl/research/
http://www.win.tue.nl/hashclash/
http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/

2014-01-16

Cridex malware

Third party analysis:

The cridex malware is being spread across german speaking countries with a phishing emails traying to convince the receivers that there is a bill to pay - from vodafone, telecom, volkers bank.
So far I have seen these download places:
151.248.114.193 - RU active 192.240.96.11 - currently down, last seen 2014-01-15 212.7.219.75 - currently down 37.58.57.162 - currently down, last seen 2014-01-07 37.58.57.175 - currenlty down, last seen 2014-01-08 5.133.179.12 - GB active 5.254.96.215 - currenlty down, last seen 2014-01-17 5.254.96.216 - currently down 5.254.96.237 - RO active 5.254.96.238 - currently down, last seen 2014-01-16 5.254.96.239 - currenlty down, last seen 2014-01-15 5.39.47.13 - currenlty down, last seen 2014-01-15 62.4.8.133 - currenlty down, last seen 2014-01-13 64.15.75.70 - CA active 69.197.18.171 - OK ... this is blackhole 75.87.188.28 - currenlty down 85.158.241.184 - currenlty down, last seen 2014-01-10 85.158.241.33 - currenlty down, last seen 2014-01-15 92.53.104.167 - currenlty down, last seen 2014-01-09 Examples: 2014-01-20 14:59 http://serverrequiestcont.ru/volksbank_eg/ active 151.248.114.193 RU 2014-01-20 14:58 http://alishkasuper.ru/telekom_deutschland/ active 151.248.114.193 RU 2014-01-20 14:58 http://frtyui.ru/vodafone_online/ active 151.248.114.193 RU 2014-01-20 14:57 http://markelooo.ru/volksbank_eg/ active 151.248.114.193 RU 2014-01-20 14:53 http://frtyui.ru/vodafone_online/ active 151.248.114.193 RU 2014-01-20 14:40 http://gerbercvt.ru/volksbank_eg/ active 151.248.114.193 RU 2014-01-20 03:00 http://upddezember.com/telekom/ active 5.133.179.12 GB 2014-01-20 02:57 http://lopper.ru/vodafone_online/ active 151.248.114.193 RU 2014-01-16 18:21 http://basanaj.ru/telekom/ active 5.254.96.215 RO 2014-01-16 18:23 http://gorbache.ru/vodafone_online/ active 64.15.75.70 CA 2014-01-16 18:28 http://opa-oba.ru/vodafone_online/ active 64.15.75.70 CA ... + many other domain names 2014-01-16 18:33 http://upddezember.com/telekom/ active 5.133.179.12 GB http://pososh.ru/vodafon/ 2014-01-16 09:18 http://byuhera.ru/volksbank/ active 5.254.96.238 ... + many oyther domains 2014-01-15 19:31 http://5g4xte.vol.com.br/vodafon/ active 5.39.47.13 FR

Once the malware is executed it stores itself with a name that mimics the MS updates.

Then it starts dowloading secondary malware. In cases I have analyzed it was from:
SITE IP Code Last active beliyvolkalak.ru 185.10.201.168 GB 20140113 buriymishka.ru 185.10.201.186 GB 20140110 deepandtouch.ru 31.215.205.193 RO 20140113 djubkafriend.ru - glebstark.ru 185.5.55.9 LT 20140116 godaddy-up.ru 185.5.55.9 LT 20140116 gossldirect.ru - jvrdwnload.ru 212.7.219.46 PL 20140116 jarovojfanatik.ru - kapikapifrmaleku.ru - karabarad.ru - karadubecc.ru - kolodavoloda.ru - korenlipi.ru kuchereneltd.ru 94.76.240.56 UK 20140116 lightham.ru - masterupdate.ru - micrupdaserv.ru - montierco.ru - officialpartkkk.ru - pianiykrolik.ru - portasible.ru 37.235.48.69 PL 20140116 renataltd.ru 5.135.71.226 FR 20140116 securesrvr8.ru - softsysdnl.ru - ssshsecur.ru 185.10.201.168 GB 20140113 toolsdownloads17.ru - travodoktor.ru - updatecheck.co.ua - updote-serv3.ru 91.230.204.132 PL 20131217 uppdate-servs.ru 91.230.204.229 PL 20131217 upper-service.ru - volodakoloda.ru -

Based on the strings templates contained in the malware we can assume that it can steal passwords to FTP, POP3 and certificates, data from Internet Explorer, data from FireFox, . : application/x-www-form-urlencoded <http time="%%%uu"><url><![CDATA[%%.%us]]></url><useragent><![CDATA[%%.%us]]></useragent><data><![CDATA[ ]]></data></http> <httpshot time="%%%uu"><url><![CDATA[%%.%us]]></url><data><![CDATA[ ]]></data></httpshot> <ftp time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[ ]]></pass></ftp> <pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[ ]]></pass></pop3> <cmd id="%u">%u</cmd> <cert time="%u"><pass><![CDATA[ ]]></pass><data><![CDATA[ ]]></data></cert> <ie time="%u"><data><![CDATA[ ]]></data></ie> <ff time="%u"><data><![CDATA[ ]]></data></ff> <mm time="%u"><data><![CDATA[ ]]></data></mm> <message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u"><header><unique>%%.%us</unique><version>%%u</version><system>%%u</system><network>%%u</network></header><data> MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqc9owreYFWWw7dWyebIKAxYwYx+V6bdlMGyN35YV/AM6ziObAkkVHtrvZFziejahX+ctQFmjy+vClz4nZubNU8dZlK/tBUcHbax/yr2ZdzjzimhvWvsNdA3YG6DTqb30GfOjcXwOHPPIycn1iYSjg1igdbg3a9mXklAouWzaD6wIDAQAB </data></message>