Posted by: realsecurity | October 22, 2008

Exploit kit with 22 exploits and updated obfuscation techniques

While investigating an attack, I came across a piece of javascript that was quite unusual. Most obfuscated javascript malware uses custom "packers", if you will, to mangle the actual code that performs the attack. This code must become "unpacked" at some point to be interpreted by the web browser. Simply looking for document.write or eval in a piece of javascript usually indicates the point where the code becomes readable. There are many different techniques for decoding these types of obfuscation.

At first glance, the sample I obtained today had neither document.write nor eval. Not knowing what I was up against, I decided to debug the script in Firebug. The script was wrapped as a single line of text, on which you can't set individual breakpoints. Thankfully, Malzilla has a great code beautifying feature which came in handy. After formatting the code and loading it up in Firebug, I noticed an unusual function being called: document.body.appendChild.

var PULksjC=document.createElement("script"); // new, empty <script> element
PULksjC.type="text/javascript";
PULksjC.text=AVlWGTj;                          // script body = the decoded payload string
document.body.appendChild(PULksjC);            // inserting it into the DOM runs it

A quick read of the relevant MSDN page and it's easy to understand what this code does: it creates a new script element whose text is the contents of the AVlWGTj variable and appends it to the body of the current document, which causes the browser to execute it. I've cut out most of the junk text; however, there are a couple of readable lines that appear to be setting up another javascript tag to be appended into the current document.

To get the contents of AVlWGTj, simply set a breakpoint on the corresponding line in Firebug.

After the unpacking routine, the variable contains... more encoded text, of course!

var loqxkPWh=document.createElement("script");
loqxkPWh.type="text/javascript";
loqxkPWh.text=mjTBHaN;
document.body.appendChild(loqxkPWh);

The same technique is used a second time; this time the unpacked code will be contained in mjTBHaN.

After copying out the code a second time, we are left with something more familiar.

function Ze399gTPLj(dlqiZX2l)
.....
return(zPZh3GW0Ng);
......
eval(Ze399gTPLj(kApgf4zk));

Finally an eval statement! At this point you could use the more common alert, textarea or SpiderMonkey techniques; however, I just continued in the debugger. eval is called on the return value of the function Ze399gTPLj, so to get the fully unpacked code without executing the evil script, we must put a breakpoint on the return statement within Ze399gTPLj.

Once the breakpoint on return(zPZh3GW0Ng); is hit, the code is finally fully unpacked.

The resulting unpacked code is astounding. There are no fewer than 22 exploits included in this piece of malware (21 active)!!!

if ( alert("1") ||
mdac() ||
dl() ||
flash() ||
pdf() ||
wme() ||
wfi() ||
com() ||
ya1() ||
ya2() ||
fb() ||
mdss() ||
creative() ||
wks() ||
ogame() ||
ca() ||
buddy() ||
gomweb() ||
xmlcore() ||
quick() ||
real() ||
ntaudio()

Here are the exploits:

MDAC – MS06-014
Sina DLoader Class ActiveX Control ‘DonwloadAndInstall’ Method Arbitrary File Download Vulnerability
Adobe Flash Player (don’t have the CVE at the moment)
Adobe Acrobat collab.CollabEmailInfo CVE-2007-5659
Microsoft Media Encoder – MS08-053
WebViewFolder setSlice – MS06-057
CreateControlRange – MS05-014
Yahoo! Messenger Webcam 8.1 ActiveX Remote Buffer Overflow Exploit x2
Facebook / Myspace – Aurigma ImageUploader ActiveX control stack buffer overflows CVE-2008-0660
Microsoft Speech API ActiveX controls contain buffer overflows CVE-2007-2222
Creative Software AutoUpdate Engine ActiveX Vulnerability CVE-2008-0955
Microsoft Works 7 ‘WkImgSrv.dll’ ActiveX Control Remote Code CVE-2008-1898
Ourgame GLWorld GLIEDown2.dll ActiveX Control Vulnerabilities – 0day
CA BrightStor ‘AddColumn()’ ListCtrl.ocx ActiveX Control Buffer Overflow Vulnerability
AOL SB.SuperBuddy.1 ActiveX Control Remote Code Execution Vulnerability CVE-2006-5820
Gretech GOM Player GomWeb3.DLL Remote Buffer Overflow Vulnerability CVE-2007-5779
Microsoft XML Core Services – MS06-071
Apple QuickTime RTSP Response Header Content-Type Remote Stack Based Buffer Overflow Vulnerability CVE-2007-6166
RealNetworks RealPlayer ActiveX controls property heap memory corruption CVE-2008-1309
Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow CVE-2007-0018
Microsoft Access Snapshot Viewer ActiveX Vulnerability MS08-041 (multi language support)

Notice how the attacker included alert("1") in their code? That may be an attempt to prevent automated analysis by requiring user interaction before the exploits actually execute.

We have learned that:

Malware authors are using document.body.appendChild to add another layer of code obfuscation
The days of exploitation kits using a relatively small number of exploits may be numbered
This code included a mind-blowing 22 exploits for all manner of applications
Attackers are continuing to investigate ways of foiling automated analysis via javascript

I’ll post a couple more details when I have a chance.

*Update*

The site that begins the attack is hxxp://85.17.166.230/counter/singletrip.php; this page generates a unique ID for each infection and forwards the user on to the next hop.

Exploits: hxxp://85.17.166.231/gtest2/index.php?sid=[36 character ID]

Redirect hxxp://85.17.166.231/gtest2/load.php?id=0&sid=[36 character ID]

Payload hxxp://193.33.61.160/cntr.exe?sid=[36 character ID]

VirusTotal Results

Main exploit script 0/36 detections

Payload 9/36 detections

Flash player exploit 8/36 detections

Adobe Acrobat PDF exploit 9/36 detections


Responses

  1. Great write-ups! Keep up the great work. I came across your site as I have been looking at a site that has been serving this up for a few weeks now. This one definitely is different, serving so many attacks! One note – VirusTotal results are limited and SHOULDN'T be used to determine if customers are protected or not. It is only for the resulting files (I am sure you know this already). Too many people quote stats from there and think there is no protection available. Norton IS 2008 and 2009 (the consumer versions) stops every one of the attacks in the browser with a combination of methods. Those results won't show up in VirusTotal. Feel free to drop me an email and I can share more. Thanks. John
