Modified Malware for the IE Expoit
Its always interesting around the ISC and you'll never know what you'll be handed on any given day. Its even more interesting when there is an unpatched IE vulnerability and an exploit available for it. That is where we find ourselves now. There are several sites that have been compromised and now contain the exploit code. These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it. It is calc.exe that we want to focus on briefly.
This malware installs a dll that is used as a Browser Helper Object (BHO) and also runscopies itself to directory you see below as nm32.exe and runs as a process. The malware creates the following on install:
C:\WINNT\fyt\mn32.dll
C:\WINNT\fyt\nm32.exe
C:\WINNT\fyt\~ipcfg636
C:\WINNT\fyt\~start636
C:\WINNT\fyt\~tmp636
C:\WINNT\fyt\~view636
It also creates one called sub.txt when you surf the internet and records everything that it can about where you surf and do and any information it can get from the Let's look at what is in the files. The information I'm about to show is from my VM box, so it won't get you anywhere:>)
File: ipcfg636
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : vmwindows2k
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
Physical Address. . . . . . . . . : 00-0C-29-16-36-AB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.227.128
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
File: start636
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 192.168.227.128:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1026 *:*
UDP 192.168.227.128:137 *:*
UDP 192.168.227.128:138 *:*
UDP 192.168.227.128:500 *:*
File: tmp636
Protected Storage settings / PWL:
InfoDelivery
IdentityMgr
IdentitiesPass ::::?:ϻb[
HASH values:
Administrator:500:AF6E956C6F6836C4F3F9505A2D0958A7:0B14980C258F0D7178186CE65030A4A6:Built-in account for administering the computer/domain::
Guest:501:********************************:********************************:Built-in account for guest access to the computer/domain::
RAS:
Total 0 entries
Network settings:
File: view636
Server Name Remark
-------------------------------------------------------------------------------
\\VMWINDOWS2K
The command completed successfully.
File: Sub.txt
res://C:\WINNT\system32\shdoclc.dll/dnserror.htm#http://www.msn.com/
http://winxphome/index.html
http://winxphome/index.html
http://winxphome/index.html
email=lorna.hutcheson@somewhere.com
pw=password
pw-conf=password
The malware FTP's all the information out to a location. It also has email capability. The location given by McAfee in their writeup found here was as follows: "The trojan attempts to upload harvested information to an FTP server (66.242.129.251)." However, when I downloaded the malware and looked at it that was not the location I found in the strings. I found:
0040F530 ASCII "200.182.57.13",0
0040F630 ASCII "21",0
So its seems that the malware has been swapped for a new version with the FTP server portion being changed. I have not observed it attempting to FTP yet, still waiting with a sniffer running. The strings also contained the username and password for the new site. The file on the new IP is now encrypted and the file wasn't before on the first FTP site. So the individual seems to realize that folks are on to them. I'm pretty sure that the malware has just been changed since its easier to modify the malware and where it FTPs to than to go back to all the hacked sites.
Anyway, please keep your eyes and ears open for any new sites exploiting this vulnerability! As always, be careful its a jungle out there!
Lorna J. Hutcheson
CACI
This malware installs a dll that is used as a Browser Helper Object (BHO) and also runscopies itself to directory you see below as nm32.exe and runs as a process. The malware creates the following on install:
C:\WINNT\fyt\mn32.dll
C:\WINNT\fyt\nm32.exe
C:\WINNT\fyt\~ipcfg636
C:\WINNT\fyt\~start636
C:\WINNT\fyt\~tmp636
C:\WINNT\fyt\~view636
It also creates one called sub.txt when you surf the internet and records everything that it can about where you surf and do and any information it can get from the Let's look at what is in the files. The information I'm about to show is from my VM box, so it won't get you anywhere:>)
File: ipcfg636
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : vmwindows2k
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
Physical Address. . . . . . . . . : 00-0C-29-16-36-AB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.227.128
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
File: start636
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 192.168.227.128:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1026 *:*
UDP 192.168.227.128:137 *:*
UDP 192.168.227.128:138 *:*
UDP 192.168.227.128:500 *:*
File: tmp636
Protected Storage settings / PWL:
InfoDelivery
IdentityMgr
IdentitiesPass ::::?:ϻb[
HASH values:
Administrator:500:AF6E956C6F6836C4F3F9505A2D0958A7:0B14980C258F0D7178186CE65030A4A6:Built-in account for administering the computer/domain::
Guest:501:********************************:********************************:Built-in account for guest access to the computer/domain::
RAS:
Total 0 entries
Network settings:
File: view636
Server Name Remark
-------------------------------------------------------------------------------
\\VMWINDOWS2K
The command completed successfully.
File: Sub.txt
res://C:\WINNT\system32\shdoclc.dll/dnserror.htm#http://www.msn.com/
http://winxphome/index.html
http://winxphome/index.html
http://winxphome/index.html
email=lorna.hutcheson@somewhere.com
pw=password
pw-conf=password
The malware FTP's all the information out to a location. It also has email capability. The location given by McAfee in their writeup found here was as follows: "The trojan attempts to upload harvested information to an FTP server (66.242.129.251)." However, when I downloaded the malware and looked at it that was not the location I found in the strings. I found:
0040F530 ASCII "200.182.57.13",0
0040F630 ASCII "21",0
So its seems that the malware has been swapped for a new version with the FTP server portion being changed. I have not observed it attempting to FTP yet, still waiting with a sniffer running. The strings also contained the username and password for the new site. The file on the new IP is now encrypted and the file wasn't before on the first FTP site. So the individual seems to realize that folks are on to them. I'm pretty sure that the malware has just been changed since its easier to modify the malware and where it FTPs to than to go back to all the hacked sites.
Anyway, please keep your eyes and ears open for any new sites exploiting this vulnerability! As always, be careful its a jungle out there!
Lorna J. Hutcheson
CACI
Keywords:
0 comment(s)
Email attachment vector for IE createTextRange() Remote Command Execution
Just for the sake of clarity, there is an email attachment vector for this exploit that's not widely reported. I have not seen any reports of it being used at this time. MS's bulletin, in the FAQ's, in "Could this vulnerability be exploited through e-mail?", says it can be exploited if one "open(s) an attachment that could exploit the vulnerability." ISS obliquely says attacks may occur by "...simply embedding the required logic in specially crafted HTML emails.".
Note - My Outlook Web Access runs in the Local intranet Zone, and MS's suggested workaround for this IE Zone is change the Local intranet setting to prompt or disable for Active Script, or just crank the zone security setting to high for prompting.
HTML attachments, the IE Local Machine Zone Lockdown
According to MS, "Web pages accessed from the local computer are placed in the Local Machine zone" and "The Local Machine zone is an Internet Explorer security zone, but is not displayed in the settings for Internet Explorer.". "In Windows XP Service Pack 2, all local files and content that is processed by Internet Explorer has additional security applied to it in the Local Machine zone.".
"Specifically, these settings are:
URLACTION_ACTIVEX_ RUN resolves to Disallow.
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY resolves to Disallow.
URLACTION_SCRIPT_ RUN resolves to Prompt.
URLACTION_CROSS_DOMAIN_ DATA resolves to Prompt.
URLACTION_BINARY_BEHAVIORS_BLOCK resolves to Disallow.
URLACTION_JAVA_PERMISSIONS resolves to Disallow.".
Since "script in local HTML pages viewed inside of Internet Explorer prompts the user for permission to run", disallowing HTML attachments might be worth considering.
In addition, keeping gateway email AV sigs up to date is advisable. Drop us a note if you notice attacks coming at you via email. Thanks!
Note - My Outlook Web Access runs in the Local intranet Zone, and MS's suggested workaround for this IE Zone is change the Local intranet setting to prompt or disable for Active Script, or just crank the zone security setting to high for prompting.
HTML attachments, the IE Local Machine Zone Lockdown
According to MS, "Web pages accessed from the local computer are placed in the Local Machine zone" and "The Local Machine zone is an Internet Explorer security zone, but is not displayed in the settings for Internet Explorer.". "In Windows XP Service Pack 2, all local files and content that is processed by Internet Explorer has additional security applied to it in the Local Machine zone.".
"Specifically, these settings are:
URLACTION_ACTIVEX_ RUN resolves to Disallow.
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY resolves to Disallow.
URLACTION_SCRIPT_ RUN resolves to Prompt.
URLACTION_CROSS_DOMAIN_ DATA resolves to Prompt.
URLACTION_BINARY_BEHAVIORS_BLOCK resolves to Disallow.
URLACTION_JAVA_PERMISSIONS resolves to Disallow.".
Since "script in local HTML pages viewed inside of Internet Explorer prompts the user for permission to run", disallowing HTML attachments might be worth considering.
In addition, keeping gateway email AV sigs up to date is advisable. Drop us a note if you notice attacks coming at you via email. Thanks!
Keywords:
0 comment(s)
×
![modal content]()
Diary Archives
Comments