Thursday, November 6, 2008

MS08-067 and Trojan.Gimmiv.A

On 24 October 2008, Microsoft released an out-of-cycle patch, MS08-067, that addressed a stack buffer overflow vulnerability (CVE-2008-4250) in the Microsoft Windows Server service. Per Microsoft, "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit."

Public exploit code and malware began circulating as soon as the patch was released. Microsoft and Symantec provided analysis of malware known as Gimmiv.A. The malware harvests and exfiltrates system information and is able to scan for and exploit the MS08-067 vulnerability. The following are analysis findings for Gimmiv.A.

The site 59.106.145.58 (JP) was found to host nine Gimmiv.A binaries, n1.exe through n9.exe, each 397312 bytes.

http[:]// 59.106.145.58/n*.exe


The malware n2.exe was analyzed as an example.

n2.exe creates c:\WINDOWS\system32\wbem\sysmgr.dll.

sysmgr.dll
1cdc67b1d55e9a2d30c0dba193375c11
336384 bytes

The following registry keys are created to install the malware as a service.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
"sysmgr" = sysmgr
"DisplayName" = System Maintenance Service
"ErrorControl" = 0
"ImagePath" = %SystemRoot%\System32\svchost.exe -k sysmgr
"ObjectName" = LocalSystem
"Start" = 2
"Type" = 10, 01, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Enum
"0" = Root\LEGACY_SYSMGR\0000
"Count" = 1
"NextInstance" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters
"ServiceDll" = C:\WINDOWS\System32\wbem\sysmgr.dll
"ServiceMain" = ServiceMainFunc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Security
"Security" = binary data

The malware checks the registry for installed antivirus products and checks the running processes for avp.exe and dwm.exe.

0002549C 1002549C 0 SOFTWARE\BitDefender
000254B4 100254B4 0 avp.exe
000254BC 100254BC 0 SOFTWARE\Jiangmin
000254D8 100254D8 0 SOFTWARE\KasperskyLab
000254F0 100254F0 0 SOFTWARE\Kingsoft
00025504 10025504 0 SOFTWARE\Symantec\PatchInst\NIS
00025524 10025524 0 SOFTWARE\Microsoft\OneCare Protection
0002554C 1002554C 0 SOFTWARE\rising
0002555C 1002555C 0 SOFTWARE\TrendMicro
00025574 10025574 0 dwm.exe

The malware sysmgr.dll sends ICMP Echo requests to 202.108.22.44 and 64.233.189.147. An Echo reply was returned from 64.233.189.147.

Source Destination Protocol Info
192.168.0.13 202.108.22.44 ICMP Echo (ping) request
192.168.0.13 64.233.189.147 ICMP Echo (ping) request
64.233.189.147 192.168.0.13 ICMP Echo (ping) reply

The ICMP payload contains the string abcde12345fghij6789.

0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 30 00 81 00 00 80 01 98 fe c0 a8 00 0d ca 6c .0.............l
0020 16 2c 08 00 ba 5f 02 00 02 00 61 62 63 64 65 31 .,..._....abcde1
0030 32 33 34 35 66 67 68 69 6a 36 37 38 39 00 23 45 2345fghij6789.#E

The binary strings of sysmgr.dll reveal the ICMP string and a third IP address, 212.227.93.146.

00039018 00439018 0 abcde12345fghij6789
00039030 00439030 0 212.227.93.146
00039070 00439070 0 64.233.189.147
00039090 00439090 0 202.108.22.44

202.108.22.44 (CN)
Reverse lookup xd-22-44-a8.bta.net.cn

64.233.189.147 (US)
Reverse lookup hk-in-f147.google.com

212.227.93.146 (DE)
Reverse lookup s167748465.websitehome.co.uk
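As an added example (not part of the original analysis), the following Python decodes the echo request from the hex dump above, verifies the IP and ICMP checksums, and flags the Gimmiv.A beacon by its marker string and by the three ping targets recovered from the strings of sysmgr.dll; the build_echo_request helper and the benign comparison packet are constructed here for the demonstration.

```python
import struct
# Indicators quoted in the analysis above (marker string and sysmgr.dll ping targets).
GIMMIV_MARKER = b"abcde12345fghij6789"
GIMMIV_PING_TARGETS = {"202.108.22.44", "64.233.189.147", "212.227.93.146"}

# The echo request from the hex dump in the post (Ethernet + IPv4 + ICMP, 64 bytes).
GIMMIV_FRAME = bytes.fromhex(
    "000f665e0e78000c29ec1c4308004500" "003000810000800198fec0a8000dca6c"
    "162c0800ba5f02000200616263646531" "32333435666768696a36373839002345")

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when run over a block that includes its checksum."""
    total = sum(struct.unpack(f"!{(len(data) + 1) // 2}H", data + b"\x00" * (len(data) % 2)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_echo(frame: bytes):
    """Decode Ethernet/IPv4/ICMP headers; None if the frame is not IPv4 ICMP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    icmp = frame[14 + ihl:14 + total_len]          # drops Ethernet trailer padding
    if len(icmp) < 8:
        return None
    itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "type": itype, "code": code, "id": ident, "seq": seq, "payload": icmp[8:],
            "ip_csum_ok": inet_checksum(frame[14:14 + ihl]) == 0,
            "icmp_csum_ok": inet_checksum(icmp) == 0}

def gimmiv_indicators(frame: bytes) -> list:
    """Reasons an echo request looks like the Gimmiv.A beacon (empty list if none)."""
    pkt = parse_icmp_echo(frame)
    if pkt is None or pkt["type"] != 8:
        return []
    reasons = []
    if GIMMIV_MARKER in pkt["payload"]:
        reasons.append("payload carries the Gimmiv.A marker string")
    if pkt["dst"] in GIMMIV_PING_TARGETS:
        reasons.append("echo request to Gimmiv.A ping target " + pkt["dst"])
    return reasons

def build_echo_request(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed helper: a benign echo request with valid checksums, for comparison."""
    icmp = bytearray(struct.pack("!BBHHH", 8, 0, 0, 0x0200, 1) + payload)
    icmp[2:4] = struct.pack("!H", inet_checksum(bytes(icmp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x81, 0, 128, 1, 0,
                               bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))))
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    return bytes(12) + b"\x08\x00" + bytes(ip) + bytes(icmp)
```

The same gimmiv_indicators check can be run over every ICMP frame of a capture; a standard Windows ping carries a 32-byte alphabetic payload, so the 20-byte marker payload alone separates the beacon from ordinary echo traffic.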

The malware captures host information such as IP address and hostname, and harvests stored credentials from Outlook Express and Protected Storage.

00025E04 10025E04 0 Username
00025E10 10025E10 0 82BD0E67-9FEA-4748-8672-D5EFE5B779B0
00025E38 10025E38 0 Advapi32.dll
00025E48 10025E48 0 CredEnumerate
00025E58 10025E58 0 CredFree
00025E64 10025E64 0 Passport.Net\*
00025E74 10025E74 0 pstorec.dll
00025E80 10025E80 0 PStoreCreateInstance
00025E9C 10025E9C 0 89c39569
00025EA8 10025EA8 0 5e7e8100
00025EB4 10025EB4 0 e161255a
00025EC8 10025EC8 0 StringIndex
00025ED4 10025ED4 0 :String
00025EDC 10025EDC 0 :String
00025EE4 10025EE4 0 http:/
00025EEC 10025EEC 0 https:/
00025EF8 10025EF8 0 ===============Outlook Express===============
00025F28 10025F28 0 ===============Credential Info================
00025F58 10025F58 0 ============Protected Storage Info=============
00025F94 10025F94 0 Pass:
00025F9C 10025F9C 0 URL:
00025FA8 10025FA8 0 GetWebInfo
00025FB4 10025FB4 0 <%s %d> !!! Web ID/Pass Info ERR
00025FE7 10025FE7 0 ksysmgr

The malware exfiltrates the captured information to 59.106.145.58/test2.php?abc=[num]?def=[num]. The abc value represents the installed antivirus product and the def value represents the OS version. The exfiltrated data is encrypted with AES.

00025638 10025638 0 ?abc=1
00025648 10025648 0 ?abc=3
00025658 10025658 0 ?abc=4
00025668 10025668 0 ?abc=5
00025678 10025678 0 ?abc=6
00025688 10025688 0 ?abc=7
00025698 10025698 0 ?abc=8
000256A8 100256A8 0 ?abc=9
000256B8 100256B8 0 ?abc=2
000256C8 100256C8 0 ?def=2
000256D8 100256D8 0 ?def=3
000256E8 100256E8 0 ?def=1
000256F8 100256F8 0 ?def=4
00025708 10025708 0 ?def=5

Gimmiv.A attempts to connect to the remote IP address 59.106.145.58 to download a CAB file to %System%\initproc02x.cab. From the CAB file, the trojan extracts the following files:

winbase.dll
basesvc.dll
syicon.dll

311296 82ba009746da8603c463f37e381a42a4 basesvc.dll
200704 60d692fd52098f145e448bd985fcff6d syicon.dll
49152 40cb861ad59c804f340fd8a2a28e226c winbase.dll

The additional DLLs provide the functionality for scanning for and exploiting the MS08-067 vulnerability.
