Saturday, 18 December 2021

Buffer overflows

A buffer is a fixed-size storage area in memory.

Buffer space is used to store data. For example, suppose you add two numbers, 5 + 6 = 11. If you then want to multiply that result by another number, you first need to store it somewhere: 11 is stored in a buffer, and in the next step the program multiplies 11 by the new number.

Because a buffer has a fixed size, trying to store a value whose size is larger than the buffer can cause serious problems.

Types of buffer overflow:

1. Stack overflow attack

2. Heap overflow attack

3. Integer overflow attack

4. Unicode overflow

Buffer overflow issues are commonly seen in C and C++ programs.

There are a few functions, such as scanf, gets, printf, sprintf, strcat and strcpy, which can lead to a buffer overflow.

Let's take an example of a buffer overflow. We will assume the stack is last in, first out (LIFO).

#include <string.h>

/* Copies its argument into a 10-byte local buffer with no length check */
void func(char *v)
{
    char buffer[10];
    strcpy(buffer, v);   /* overflows when strlen(v) >= 10 */
}

int main(int argc, char *argv[])
{
    if (argc > 1)
        func(argv[1]);   /* argv[1] is attacker-controlled input */
    return 0;
}

The strcpy() function in the example above copies the command-line argument into the destination buffer without checking the string length.

We will enter the value “AAAAAAAAAAAAAAAAAAA”.

Here we enter a value longer than the buffer size of 10. Now, how does the program run?

Stack layout, from the top of the stack downwards:

    func()
        buffer[10]
        return address
    main()
        local variables

The value is written into the buffer's memory, but if it is longer than 10 bytes the extra bytes are written over the saved return address, so when func() returns it jumps to a wrong address.
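The fix for the example above is to bound the copy by the destination size. The following is an added example, not code from the original post: it keeps the same 10-byte local buffer but replaces strcpy() with a bounded copy (bounded_copy and func_safe are names chosen here) that either rejects an over-long input or truncates it, so the return address can never be overwritten. The sample input string in main() is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10   /* same 10-byte local buffer as the example above */

/* Bounded copy: writes at most size-1 characters plus a terminating NUL,
   so it can never run past the end of dst. Returns the number of input
   characters that did not fit (0 means the whole input was copied). */
size_t bounded_copy(char *dst, size_t size, const char *src)
{
    size_t len = strlen(src);
    if (size == 0)
        return len;
    if (len < size) {
        memcpy(dst, src, len + 1);   /* fits, including the NUL */
        return 0;
    }
    memcpy(dst, src, size - 1);      /* truncate, keep room for the NUL */
    dst[size - 1] = '\0';
    return len - (size - 1);
}

/* Hardened version of func(): same buffer, but an input that does not fit
   is rejected instead of overwriting the saved return address.
   Returns the stored length, or -1 if the input was too long. */
int func_safe(const char *v)
{
    char buffer[BUF_SIZE];
    if (bounded_copy(buffer, sizeof buffer, v) > 0)
        return -1;
    return (int)strlen(buffer);
}

/* Length actually left in a 10-byte buffer after a bounded copy
   (shows the truncating behaviour: at most 9 characters survive). */
size_t truncated_length(const char *v)
{
    char buffer[BUF_SIZE];
    bounded_copy(buffer, sizeof buffer, v);
    return strlen(buffer);
}

int main(int argc, char *argv[])
{
    /* constructed sample: 19 'A's, the same kind of input as in the post */
    const char *input = argc > 1 ? argv[1] : "AAAAAAAAAAAAAAAAAAA";
    int r = func_safe(input);
    if (r < 0)
        printf("rejected: %zu-byte input does not fit in a %d-byte buffer\n",
               strlen(input), BUF_SIZE);
    else
        printf("stored %d bytes\n", r);
    return 0;
}
```

Rejecting rather than silently truncating is usually the better choice: a truncated value (for example a cut-off path or username) can cause its own logic errors later, whereas a rejection is visible and easy to log.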

 

 

Phishing

You may receive an email or message containing a URL that looks similar to the real one but is not, and when you open it you land on a website that looks similar to the real site:

For example: https://rahulprakash156.blogsport.com

https://rahuulprakash156.blogsport.com ---Wrong website

After logging in to the wrong website you may have shared your user name, email id, password etc.

Vishing (Voice Phishing)

In an office, they may call and say they are calling from the bank or from your boss's office.

In India there is a case under investigation in which a man called a businessman's wife, said they were from the ruling party and needed a donation, and in that way took 200 cr.

Smishing (SMS Phishing) is done by text message.

Spear Phishing:

They target a very particular person, like the CEO of a company, for particular information.

Cross Site Scripting

XSS stands for Cross-Site Scripting. It is a code injection attack executed on the client side of a web application.

Here the attacker injects a malicious script through the web browser.

The malicious script is executed when the victim visits the web page or web server.

The attacker tries to steal cookies, session tokens and other sensitive information.

It is a web application hacking technique.
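The standard defence against the injection described above is output encoding: whatever untrusted text the application writes into a page is escaped so the browser renders it as text instead of parsing it as markup or script. The following is an added example, not code from the original post, written in C as a server-side helper; html_escape and is_escaped are names chosen here, and the input string in main() is a constructed sample of an untrusted comment field.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a newly allocated copy of `in` with the five characters that
   HTML treats specially replaced by entity references, so a browser shows
   them literally instead of opening a tag or attribute.
   Caller frees the result. Returns NULL on allocation failure. */
char *html_escape(const char *in)
{
    /* Worst case: every character becomes "&quot;" (6 bytes). */
    size_t cap = strlen(in) * 6 + 1;
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;
    size_t n = 0;
    for (const char *p = in; *p != '\0'; p++) {
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        if (rep != NULL) {
            size_t rl = strlen(rep);
            memcpy(out + n, rep, rl);
            n += rl;
        } else {
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return out;
}

/* 1 if the string contains no raw '<' or '>' (so no tag can be opened),
   0 otherwise. A simple self-check for escaped output. */
int is_escaped(const char *s)
{
    return strchr(s, '<') == NULL && strchr(s, '>') == NULL;
}

int main(void)
{
    /* Constructed sample of untrusted input, e.g. a comment field. */
    const char *untrusted = "<b>hello</b> & \"bye\"";

    /* Unsafe pattern: printf("<p>%s</p>\n", untrusted); would hand the
       markup straight to the browser. Escape first instead: */
    char *safe = html_escape(untrusted);
    if (safe != NULL) {
        printf("<p>%s</p>\n", safe);   /* safe to embed as text content */
        free(safe);
    }
    return 0;
}
```

This escaping is correct for text content and quoted attribute values; text placed inside a script block, a URL or a CSS context needs a different encoder for that context, which is why templating libraries escape per context rather than with one function.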

Virus Hoax

A computer virus hoax is a message warning recipients of a non-existent computer virus threat.

It is a threat that doesn't actually exist but seems like it could be real.

Virus hoaxes are usually harmless and accomplish nothing more than annoying people and wasting the time of those who forward the message.

Examples of a few virus hoaxes:

Good Times:

Warnings about a computer virus named “Good Times” began being passed around among internet users in 1994. The Good Times virus was supposedly transmitted via an email bearing the subject header “Good Times” or “Goodtimes”, hence the virus name, and the warning recommended deleting any such email unread. The virus described in the warning did not exist, but the warning itself spread in a virus-like way.

 

Invitation attachment:

The Invitation virus hoax involved an email spam in 2006 that advised computer users to delete any email with an attachment of any type whose name started with “Invitation”.

Botnet

A bot is a computer that has been compromised through a malware infection and can be controlled remotely by a cyber-criminal via a command and control server.

Bot is short for robot.

A botnet could be built by a network worm, a virus or a Trojan horse.

Types of attack that can be launched after a computer has been taken over as a bot include:

(i) Spam bot: a spambot is a machine that automatically distributes spam emails.

(ii) Denial of service: the attacker can launch a denial of service attack.

(iii) Spyware or keylogger: the attacker can install spyware or a keylogger.

Thursday, 2 December 2021

Java buzzwords

The Java programming language is a high-level language that can be characterized by all of the following buzzwords:

  1. Simple
  2. Object-oriented
  3. Distributed
  4. Interpreted
  5. Robust
  6. Secure
  7. Architecture neutral
  8. Portable
  9. High performance
  10. Multithreaded
  11. Dynamic
Now we will explain each and every term in detail.

Simple:

Java is a simple language. Its syntax is taken from C and C++, and there is no concept of pointers, which makes it easy to understand; anyone with knowledge of an OOP-based language will find Java very easy to understand.

Secure:

Java is a secure language. Its error handling features make it easy to use in real-time applications. Security is provided by the classloader, the bytecode verifier and the security manager.

The classloader helps to separate the packages of classes loaded from the local file system.



Saturday, 27 February 2021

SolarWinds attack and rundll32.exe

A dynamic-link library (DLL) is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems. These libraries usually have the file extension DLL.

Typically, there is no technical way to launch a DLL file directly. Hence, Windows uses the rundll32.exe process to execute DLL files.

But these days we have seen attackers use rundll32.exe to execute malicious files. Recently attackers targeted SolarWinds, and in that attack they used the rundll32.exe process; I will share the details below. The information on how it happened is taken from the Microsoft security blog, where they explained how the attack happened.

The attackers achieved this by having the SolarWinds process create an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe. This is a known MITRE ATT&CK technique used for persistence, but it could also be abused to trigger execution of malicious code when a certain process is launched. Once the registry value is created, the attackers simply wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped.

The VBScript in turn runs rundll32.exe, activating the Cobalt Strike DLL using a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution and also deletes the following registry keys related to HTTP proxy:

  • HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

So it is very important to check which file or process rundll32.exe is running, and whether it is genuine or not. We get such information from EDR workflow data, which explains every process run with a very clear diagram. But I am writing this blog to explain basic steps to deal with rundll32.exe: for a normal user it is difficult to use an EDR/AV and to understand how it works, but they can follow a few things that help to monitor and protect their own computer.

rundll32.exe helps to run programs in DLL (Dynamic Link Library) files, because a DLL file cannot be launched directly.

 

We can check which files are being run by rundll32.exe with the command below.

tasklist /m /fi "imagename eq rundll32.exe"

You will see a list of details of what rundll32.exe is running (the DLL modules loaded by each rundll32.exe process).

Second investigation: find the location of the rundll32.exe file. If it is not running from the right location, it is not the right file.

Go to the Task Manager, right-click on rundll32.exe, and open the file location.

The correct file path is: C:\Windows\System32\rundll32.exe.

Check the filename carefully: sometimes attackers use a similar-looking file name, like Rund1l32.exe, where in place of the letter l they use the digit 1 or something similar.
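The look-alike names discussed in two places on this page, the phishing URL with an extra letter (rahuulprakash156 instead of rahulprakash156) and the rundll32.exe file name with a digit 1 in place of the letter l, are the same detection problem: does a name match the expected one exactly, only after mapping look-alike characters, or only within a typo's distance? The following is an added example, not code from the original post. It is written in C, compares case-insensitively because Windows file names are, uses a deliberately small homoglyph table chosen here (1 and | for l, 0 for o) that a real checker would extend, and classifies with Levenshtein edit distance; the sample names in main() are constructed from the ones on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 256

/* Map look-alike characters to one canonical form, then lowercase,
   so that "Rund1l32" and "rundll32" compare equal. Small table by design. */
static char canonical(unsigned char c)
{
    switch (c) {
    case '1': case '|': return 'l';
    case '0':           return 'o';
    default:            return (char)tolower(c);
    }
}

static void normalize(const char *in, char *out, size_t size)
{
    size_t i;
    for (i = 0; i + 1 < size && in[i] != '\0'; i++)
        out[i] = canonical((unsigned char)in[i]);
    out[i] = '\0';
}

static int equal_ignore_case(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Levenshtein edit distance (insert, delete, substitute) using two rows. */
static size_t edit_distance(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t prev[MAX_NAME + 1], cur[MAX_NAME + 1];
    for (size_t j = 0; j <= lb; j++) prev[j] = j;
    for (size_t i = 1; i <= la; i++) {
        cur[0] = i;
        for (size_t j = 1; j <= lb; j++) {
            size_t cost = (a[i - 1] == b[j - 1]) ? 0 : 1;
            size_t best = prev[j] + 1;                          /* deletion     */
            if (cur[j - 1] + 1 < best) best = cur[j - 1] + 1;   /* insertion    */
            if (prev[j - 1] + cost < best) best = prev[j - 1] + cost; /* substitution */
            cur[j] = best;
        }
        memcpy(prev, cur, sizeof(size_t) * (lb + 1));
    }
    return prev[lb];
}

/* Classify `name` against `expected`:
   0 = exact (case-insensitive) match
   1 = homoglyph look-alike (identical after normalization)
   2 = near-miss typo (edit distance 1 or 2 after normalization)
   3 = unrelated */
int classify_name(const char *name, const char *expected)
{
    char n[MAX_NAME], e[MAX_NAME];
    if (strlen(name) >= MAX_NAME || strlen(expected) >= MAX_NAME)
        return 3;
    if (equal_ignore_case(name, expected))
        return 0;
    normalize(name, n, sizeof n);
    normalize(expected, e, sizeof e);
    if (strcmp(n, e) == 0)
        return 1;
    return edit_distance(n, e) <= 2 ? 2 : 3;
}

int main(void)
{
    /* Constructed samples built from the look-alikes discussed on this page. */
    const char *samples[][2] = {
        {"rundll32.exe", "rundll32.exe"},
        {"Rund1l32.exe", "rundll32.exe"},
        {"rahuulprakash156.blogsport.com", "rahulprakash156.blogsport.com"},
        {"svchost.exe", "rundll32.exe"},
    };
    static const char *labels[] = {"exact", "homoglyph", "near-miss", "unrelated"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s vs %-32s -> %s\n", samples[i][0], samples[i][1],
               labels[classify_name(samples[i][0], samples[i][1])]);
    return 0;
}
```

Classes 1 and 2 are the ones worth alerting on: an exact match is expected and an unrelated name is just a different program or site, but a name that only matches after homoglyph folding, or sits one or two edits away from a well-known one, is the pattern both the fake URL and the fake rundll32.exe rely on.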