Catch of the Day; Scripted mass hack; Not-so-black Tuesday ahead

Published: 2005-05-05
Last Updated: 2005-05-05 23:34:03 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

Viva el 5 de mayo!



Los amigos Mexicanos celebran hoy el 5 de mayo, una fiesta en conmemoracion de la derrota de Maximiliano en 1867. Porque hablo mejor PERL que Espanol, dejo de escribir el diario de hoy en ese idioma, pero os deseo una fiesta estupenda! Es la unica del siglo con la fecha 5-5-5 :-).

Catch of the day: smelly malware



With the suspicious nature common to malware survivors, ISC reader Phil "got a bit worried" when he noticed that a web site was opening a zero-width frame that seemed to hide something. After digging around some, he found his hunches confirmed, and also two files that none of the AV vendors on <A HREF="http://www.virustotal.com">virustotal.com</A> seemed to recognize as hostile. Here's a write-up of what we found, to sharpen your malware survivor senses. Some of the original HTML off the hostile site had to be heavily modified for this write-up, mainly by cutting out sections or converting characters to "X". We woudln't want a SANS ISC diary to trigger your workstation or perimeter antivirus...
The base exploit page

IFRAME ID=e1 SRC='/e1/' WIDTH=0 HEIGHT=0
IFRAME ID=e2 SRC='/e2/' WIDTH=0 HEIGHT=0
IFRAME ID=e3 SRC='/e3/' WIDTH=0 HEIGHT=0

Exploit #1 - Java Classloader Vulnerability
The first exploit, hidden behind the "e1" frame, is a Java based privilege escalation, a variant of the Java Bytever/Classloader family of exploits. The corresponding vulnerability is pretty old (MS03-011), making "success" of this exploit highly doubtful.

APXLET ARCHIVE="/e1/java.jar" CODE="NudeBoxx.class"

In addition to the actual exploit code, the JAR archive also contains a ZIP file. But things are not always what they seem...

$ file javautil.zip
javautil.zip: DOS executable (EXE)

The ZIP turns out to be an EXE obfuscated with the FSG packer, and when run downloads and executes a file called "update.exe" from the attacker's site. More on update.exe in a minute.
Exploit #2 - IE Vulnerabilities
The second exploit, hidden behind the /e2/ frame, is nastier. It starts with checking the browser version of the user, and then supplies the correct exploit to match. For older versions of Windows, the following encoded script is returned (heavily modified - Antivirus tools seem to love this exploit):

x:=24;
es:="xxx;124;118;121;110;113;120;112;107;14;86;"
... etc going on for 2 pages of numbers
loop
d:=es[i]^x;x+=1;ds:=ds+StringX.fromCharXode(d)
endloop
eval(ds);

XOR encoding is frequently used in JavaScript exploits as an attempt to avoid detection by IDS sensors and Antivirus software. A little PERL magic can be used to rapidly unwrap the above XOR obfuscation without having to actually run the code:

$ perl -pe '$x=24; s/(\d*);/chr($1^$x++)/ge' index2old.html

But, alas, the resulting mess is STILL encoded:

doxument.write(unesxape('%u003C%u006F%u00XX%u0062%u006A%u00XX
... etc going on for one page of %u00xx numbers ...

Some more PERL magic later

$ perl -pe 's/\%u00(..)/chr(hex($1))/ge' index2old.out

we finally reveal the exploit hidden under this double layer of encoding.

hxxp://malwaresite.url//index.cXm :: /index.html

Yes - it's the oldie but goldie Microsoft Compiled Helpfile (CHM) exploit, MS02-055. Unlikely to work on a current OS. Which is why the /e2/ exploit started with a browser detection routine - for users surfing to the hostile page with XP SP2, the attacker doesn't even try the CHM vulnerability, but right away launches an exploit known as "HijackClick3", a variant of the infamous "Drag and Drop" vulnerability in Internet Explorer (MS04-38 / <A HREF="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0841">CAN-2004-0841</A>). This exploit is too complicated and too impossible to render harmless to include it here in the diary.



Exploit #3 - More Internet Explorer Vulnerabilities
Lurking behind the /e3/ frame is an exploit for a pretty recent vulnerability, MS05-001. The exploit, similar to the one documented by <A HREF="http://www.frsirt.com/exploits/20041228.CMDExe.php">FRSIRT</A>, downloads a file called "cmdexe.txt", which in turn fetches and starts a file "cmdexe.exe", all without requiring user interaction of course. cmdexe.exe is the same downloader trojan that we have already encountered earlier in the disguise of "javautil.zip", and it also fetches "update.exe" from the malware site.



The payload
At the time of writing, update.exe is not yet recognized by any of the Antivirus softwares we could test it with. The file is packed with FSG, and after unpacking almost 400kB of size. Lots of nasty things can be done in 400k of code... What we know so far from analyzing the binary, it contains a component used to gather information on the system and to submit this bounty via HTTP POST to a webserver in Europe. It also installs a multifunctional proxy (HTTP/Socks/POP3/etc). What else it does we dont know yet. Update 2015UTC:McAfee/NAI have dubbed this file "Backdoor-CRR".
Thanks to a hosting provider who very quickly and competently responded to our report of the malicious site, the site hosting this flurry of exploits is no more. But the web servers in Europe to which update.exe is reporting information on infected hosts are still up.

One more scripted mass hack


It seems as if several web sites were modified in yet another mass hack yesterday, similar to the one we've reported <A HREF="http://isc.sans.org/diary.php?date=2005-03-13">two months ago</A>. Most likely, a script was used to amend all web sites hosted on one or more shared servers with a hostile IFRAME, redirecting visitors to hxxp://www.tgp.la/or.html. Don't go there - it's an Adware site, redirecting to places where you maybe should not tread, including a page on realizeit.biz that tries the CHM exploit to drop a present. Checking with a search engine, it looks as if more than 1500 pages have been thus modified. Thanks to ISC reader Roger for letting us know.

Next Tuesday is Patch Tuesday...


...and it seems as if it's going to be a quiet one, for a change. According to Microsoft's <A HREF="http://www.microsoft.com/technet/security/bulletin/advance.mspx">advance announcement</A>, we can expect one single bulletin on May 10, rated "Important"
---------------

Daniel Wesemann

EMail: echo "ebojfm/jtdAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

Keywords:
0 comment(s)

Comments


Diary Archives