The following analysis gives an insight into some interesting technical details of the exploit that were briefly introduced in our first overview article on the current attack.
The malicious site is located in a subdirectory of an erotic dating site. The web server hosts many different sites, and the domain in question was registered more than three years ago. Furthermore, we observed outdated social network software on the host, which indicates that we are dealing with a hacked website rather than one registered specifically for the attack. We therefore do not publish the affected domain name but focus on the technical details we could observe.
In the first part of the script, an array is created and a new “img” tag is inserted as the first element of this array. This is similar to the code used in the initial exploit version (exploit.html) first reported by Eric Romang. Furthermore, an iframe loads further code from the same server into the page. The rest of the code is obfuscated.
The HTML page loaded by the iframe is not obfuscated at all and contains two interesting elements:
- A call to document.execCommand(“selectAll”), which is necessary to trigger the exploit.
- The first array element’s source attribute is set to
which is identical to the string used in the initial version (protect.html).
At this point it becomes clear that the website exploits CVE-2012-4969. However, the initial exploit version relies on a Flash file performing a JIT spray to prepare memory according to the needs of the exploit. So let’s take a closer look at the obfuscated part of the script and search for the Flash file:
The deobfuscated script can be divided into two parts. The first part (figure 3) declares the function “heaplib()”, which is taken from the heaplib.js library developed by the security researcher Alexander Sotirov.
The second part of the script (figure 4) declares the variable “code”, to which the shellcode is assigned and which is executed after successful exploitation. After checking the victim’s browser and operating system version, the heaplib library is used to perform a heap spray. The Flash-based JIT spray of the initial version is thus replaced by a JavaScript heap spray.
- In this case, only Internet Explorer 8.x running on Windows XP is attacked; other browser and OS combinations are not served the exploit.
The shellcode used in this attack is a typical download-and-execute shellcode adjusted to work with this specific exploit. It downloads a file from the same server, located under /theme/f5.jpg. The name suggests an image file, but it is in fact a binary payload, which is directly executed by the shellcode.
On execution of the payload, which is the main bot component, a new process is spawned that downloads another component located under /theme/z5.jpg on the same web server. These processes are visible in the Windows Task Manager; the bot does not attempt to hide its activities.
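Spotting this kind of disguise in a proxy log or a sandbox comes down to trusting the file’s magic bytes rather than its extension. The following is an added example (Python, not code from this analysis or from the malware) that checks whether an object served under an image name is really a PE file, by validating the “MZ” header and the “PE\0\0” signature at the e_lfanew offset; the sample buffers are constructed, not the real f5.jpg or z5.jpg.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".sys", ".cpl")


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field (offset 0x3C)
    points at a valid 'PE\\0\\0' signature. An 'MZ' without the PE signature (a plain
    DOS program or a truncated file) is rejected."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def actual_type(data: bytes) -> str:
    """Type by content, not by name."""
    if is_pe(data):
        return "pe-executable"
    if data.startswith(JPEG_MAGIC):
        return "image/jpeg"
    return "unknown"


def disguised_executable(url_path: str, data: bytes) -> bool:
    """True when a PE file is served under a name that does not advertise an
    executable, e.g. /theme/f5.jpg in the attack described above."""
    return is_pe(data) and not url_path.lower().endswith(EXECUTABLE_EXTENSIONS)


# Constructed sample buffers (not the real f5.jpg / z5.jpg): a minimal PE-shaped
# stub, a JPEG header, and an 'MZ' stub with no PE signature.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 52
DOS_ONLY = b"MZ" + b"\x00" * 62 + b"not a PE image"

if __name__ == "__main__":
    samples = (("/theme/f5.jpg", FAKE_PE), ("/theme/real.jpg", REAL_JPEG_HEAD), ("/theme/old.com", DOS_ONLY))
    for name, blob in samples:
        print(name, actual_type(blob), "disguised:", disguised_executable(name, blob))
```

The e_lfanew check matters: a bare “MZ” prefix also appears in old DOS programs and in truncated downloads, so matching only the first two bytes would produce false positives.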
To ensure persistence, the main bot component copies itself to %SYSDIR%:\Users\%Username%\AppData\Local\838e5661\juschedj.exe, a file name that imitates Sun Microsystems’ Java updater (jusched.exe). Furthermore, a shortcut file named MSupdate.lnk is created in the Windows autorun directory (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup); it points to the copied file and thereby lets the malware become active again after a system reboot.
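Hunting for this persistence mechanism on other hosts means checking Startup-folder shortcuts for the two traits described above: a Java-updater lookalike name and a random eight-hex-character directory under %LOCALAPPDATA%. The following is an added example (Python, not code from this analysis or from the malware) that applies those heuristics to already-resolved shortcut targets; resolving .lnk files on a live Windows host (for example via WScript.Shell) is left out, the trusted Java directories are an assumption, and the sample records are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Persistence pattern described above: a shortcut in the Startup folder whose
# target is %LOCALAPPDATA%\<8 hex chars>\juschedj.exe, a name imitating Sun's
# Java Update Scheduler binary (jusched.exe).
IMITATED_BINARY = "jusched.exe"
HEX_DIR = re.compile(r"^[0-9a-f]{8}$")
# Directories where the real jusched.exe legitimately lives (assumption: a
# standard Java installation; extend the tuple for your environment).
TRUSTED_JAVA_DIRS = (
    "\\program files\\java\\",
    "\\program files (x86)\\java\\",
    "\\program files\\common files\\java\\",
    "\\program files (x86)\\common files\\java\\",
)


@dataclass
class StartupShortcut:
    lnk_name: str  # file name of the .lnk in the Startup folder
    target: str    # resolved shortcut target (resolve on a live host, e.g. via WScript.Shell)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_reasons(sc: StartupShortcut) -> List[str]:
    """Return the heuristics that fire for one Startup shortcut (empty list = clean)."""
    path = sc.target.lower()
    parts = path.split("\\")
    filename = parts[-1]
    parent_dir = parts[-2] if len(parts) > 1 else ""
    reasons: List[str] = []
    distance = edit_distance(filename, IMITATED_BINARY)
    # 1. Name is close to, but not exactly, the Java updater binary.
    if 0 < distance <= 2:
        reasons.append(f"filename imitates {IMITATED_BINARY}")
    # 2. Java updater (or a lookalike) started from outside any Java directory.
    if distance <= 2 and not any(d in path for d in TRUSTED_JAVA_DIRS):
        reasons.append("java updater name outside Java installation directory")
    # 3. Random-looking 8-hex-character folder directly under AppData\Local.
    if "\\appdata\\local\\" in path and HEX_DIR.match(parent_dir):
        reasons.append("random 8-hex directory under %LOCALAPPDATA%")
    return reasons


def hunt(shortcuts: List[StartupShortcut]) -> List[Tuple[str, List[str]]]:
    """Return (lnk_name, reasons) for every shortcut that triggers at least one heuristic."""
    hits = []
    for sc in shortcuts:
        reasons = suspicious_reasons(sc)
        if reasons:
            hits.append((sc.lnk_name, reasons))
    return hits


# Constructed sample data (not from a real host): the observed malicious
# shortcut next to two benign ones.
SAMPLE_STARTUP = [
    StartupShortcut("MSupdate.lnk", r"C:\Users\victim\AppData\Local\838e5661\juschedj.exe"),
    StartupShortcut("Java Update.lnk", r"C:\Program Files\Java\jre6\bin\jusched.exe"),
    StartupShortcut("OneNote 2010.lnk", r"C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE"),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_STARTUP):
        print(f"{name}: {'; '.join(reasons)}")
```

The genuine jusched.exe in its Java directory triggers none of the three rules, while the observed shortcut triggers all of them; a single rule firing is worth a look, but the combination is what makes the verdict solid.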
A noteworthy fact is the absence of any kind of packer, combined with heavy use of string obfuscation to complicate static analysis. All in all, the bot avoids suspicious operations and therefore has a good chance of staying undetected by behaviour-based detection mechanisms.
The downloaded file is another binary, which has been identified as a Tor client; it is started directly by the main bot component with these parameters:
- --SocksPort 52300 (the local SOCKS port through which the bot sends its C&C traffic into the Tor network)
- --FascistFirewall 1 (Tor only connects to relays reachable on ports 80 and 443, so it also works behind restrictive firewalls)
The Tor client tries to connect to a command and control (C&C) server through hidden services of the Tor network. If the first address is not reachable, a second address is contacted after a few attempts:
- anhmgho2efkywudt.onion/ct2.php (initial service)
- xtrb3h5gyswyzdc5.onion/ct2.php (fall back)
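A Tor client bundled by malware looks different from a user-installed one in process telemetry: it is started with Tor-only options such as SocksPort and FascistFirewall on the command line, from a user-writable directory, by a parent that is not a browser or service installer. As an added detection example (Python, not part of the original analysis), the following scans flattened Sysmon-style process-creation records for exactly that pattern and extracts the SOCKS port for correlation with local listeners. The sample records are constructed; the file name z5.exe for the saved Tor client and the parent juschedj.exe are assumptions, since the analysis only states that z5.jpg is a Tor client started by the main bot component, and the trusted Tor directories are a placeholder for your own environment.

```python
import re
from typing import Dict, List, Optional

# Command-line options only Tor understands; seeing them in a process start
# outside a Tor installation is a strong hint of a bot bundling its own Tor client.
TOR_OPTIONS = ("SocksPort", "FascistFirewall", "ControlPort", "DataDirectory", "GeoIPFile")
TOR_OPTION_RE = re.compile(r"(?:^|\s)-{0,2}(" + "|".join(TOR_OPTIONS) + r")\s+(\S+)", re.IGNORECASE)
# Where a user-installed Tor legitimately runs (assumption; adjust to your estate).
TRUSTED_TOR_DIRS = ("\\tor browser\\", "\\program files\\tor\\", "\\program files (x86)\\tor\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value process-creation record (quoted values allowed)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def tor_options(cmdline: str) -> Dict[str, str]:
    """Extract Tor options and their values from a command line, keys lower-cased."""
    return {m.group(1).lower(): m.group(2) for m in TOR_OPTION_RE.finditer(cmdline)}


def assess(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag a process start that looks like a Tor client launched by malware, else None."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    opts = tor_options(event.get("CommandLine", ""))
    if not opts:
        return None  # no Tor-specific options: out of scope for this check
    reasons = []
    if not any(d in image for d in TRUSTED_TOR_DIRS):
        reasons.append("Tor options used by a binary outside a known Tor installation")
    if any(d in parent for d in USER_WRITABLE):
        reasons.append("parent process runs from a user-writable location")
    if not reasons:
        return None  # Tor from a known install with a normal parent: leave it alone
    if opts.get("fascistfirewall") == "1":
        # Context, not a verdict: Tor is told to use only relays on ports 80/443,
        # which lets the bot work behind restrictive egress filtering.
        reasons.append("FascistFirewall=1, relay traffic restricted to ports 80/443")
    port = opts.get("socksport")
    return {
        "image": event.get("Image"),
        "parent": event.get("ParentImage"),
        "socks_port": int(port) if port and port.isdigit() else None,
        "options": opts,
        "reasons": reasons,
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run assess() over a batch of records and keep the hits."""
    return [hit for hit in (assess(parse_event(line)) for line in lines) if hit]


# Constructed sample records in a flattened Sysmon-like key=value form. The file
# name z5.exe and the parent juschedj.exe are assumptions; the analysis only says
# that z5.jpg is a Tor client started by the main bot component.
SAMPLE_EVENTS = [
    r'Image=C:\Users\victim\AppData\Local\838e5661\z5.exe '
    r'CommandLine="z5.exe --SocksPort 52300 --FascistFirewall 1" '
    r'ParentImage=C:\Users\victim\AppData\Local\838e5661\juschedj.exe',
    r'Image="C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe" '
    r'CommandLine="tor.exe -f torrc SocksPort 9150" '
    r'ParentImage="C:\Program Files\Tor Browser\Browser\firefox.exe"',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt" '
    r'ParentImage=C:\Windows\explorer.exe',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["image"], "-> SOCKS", hit["socks_port"], "|", "; ".join(hit["reasons"]))
```

The extracted SOCKS port (52300 here) is the pivot for the next step: a process other than the Tor binary holding a connection to 127.0.0.1 on that port is the bot itself, and the hidden-service addresses never appear in DNS or proxy logs because the bot resolves them inside Tor.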
The G Data SecurityLabs recently analysed a different malware family that also used a Tor hidden service to hide its C&C server: blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html. The strategy seems to be gaining popularity among malware authors.
After successfully connecting to the Tor network, the malware collects some hardware characteristics and sends an HTTP POST request to the C&C server. The anonymized request is shown in figure 5 and contains the following keys: id, v, cf, os, d.
The malware repeats this procedure regularly to fetch new commands from the C&C server.
The number of built-in commands accepted from the C&C server is quite limited, but the bot supports downloading and decrypting further binary files, which makes it extremely flexible. Given that the C&C so far only seems to send "idle" responses and that the bot’s only significant function is download and execute, it is likely that the goal of this attack is to sell the bots in a "pay per install" model.
Since the release of Eric Romang’s first article on the IE 0-day on 14 September and the publication of the Metasploit module on 17 September, security researchers as well as the underground community have paid a lot of attention to this vulnerability.
At least 10 different versions of the exploit have been seen in the wild, mostly used in targeted attacks, as stated by Anup Ghosh (CEO of Invincea) in this article, by Microsoft’s Yunsun Wee, Director of Trustworthy Computing, and others.
Microsoft’s exemplary and quick response, publishing various instructions, a Fix it and finally an out-of-cycle patch (MS12-063) on 21 September, also hints at the possible impact of the exploit. Every IE user is advised to apply the security update directly if it has not already been installed through the automatic update mechanism.
Files observed on the compromised server:
- ie2.php?x=2 (iframe source)
- z5.jpg (Tor client)