Just another water hole campaign using an Internet Explorer 0day

December 29, 2012 | Jaime Blasco

At the beginning of the week we started to analyze a water hole campaign that was present on the Council on Foreign Relations (CFR) portal. After studying the attack and the payload and realizing that it was likely using a zero-day exploit against Internet Explorer, we sent the information to the Microsoft Security Response Center (MSRC), which is still investigating the issue. At the same time the issue was communicated to CFR and other third parties, who began working on it, so we decided not to release public details of this attack.

Other researchers apparently didn't see it the same way and went public (http://freebeacon.com/chinese-hackers-suspected-in-cyber-attack-on-council-on-foreign-relations/), which led to other companies blogging about it.

Now that the attack has been made public, we have decided to publish some useful details and information that can help companies detect and respond to this incident.

The malicious code we found on the Council on Foreign Relations portal is a JavaScript file that works as follows:

- It first sets a cookie on the victim system to check if the same machine visited the link before:

If it is not the first visit from that system the exploit won’t trigger:

- The next check ensures that the victim is running Internet Explorer 8:

- Since the exploit uses Flash to do the heap spray and build the shellcode, the code also checks that Adobe Flash is present in the browser:

- Finally, it won’t continue if the browser language is not Chinese, Chinese (Taiwan), Japanese, Korean, or Russian:

The vulnerability present in Internet Explorer 8 seems to be a use-after-free. The exploit works on both Windows XP and Windows 7, bypassing both Data Execution Prevention (DEP) and address space layout randomization (ASLR). The malicious code loads "ms-help:" in order to bypass ASLR on Windows 7 using the technique described here. We won't release the piece of code that triggers the use-after-free since Microsoft is still investigating the issue and we don't want public exploits to be released and compromise thousands of users.

If the system is running Windows 7 it will also load Java, since it needs the Java libraries loaded in order to build return-oriented programming (ROP) chains that bypass those protections.

If Windows XP is used it doesn't load Java, since Java is not required for exploitation there:

Once the Flash file is loaded it performs the heap spray and builds the shellcode based on the system's language and operating system, supporting the following combinations:

(flash.system.Capabilities.language.toLowerCase() == "zh-cn" && this.OS_Version == "windows xp")

(flash.system.Capabilities.language.toLowerCase() == "zh-tw" && this.OS_Version == "windows xp")

(flash.system.Capabilities.language.toLowerCase() == "en" && this.OS_Version == "windows xp")

(flash.system.Capabilities.language.toLowerCase() == "ja" && this.OS_Version == "windows xp")

(flash.system.Capabilities.language.toLowerCase() == "ko" && this.OS_Version == "windows xp")

(flash.system.Capabilities.language.toLowerCase() == "ru" && this.OS_Version == "windows xp")

(this.OS_Version == "windows 7" && loc6 == "default")

(this.OS_Version == "windows 7" && loc6 == "false")

(this.OS_Version == "windows 7" && loc6 == "true")

The shellcode is fairly tricky. Before it runs, the JavaScript has already downloaded a file, as seen in the code:

Let's follow the execution of the shellcode:

Using base offset: 0x401000

40122a  LoadLibraryA(shell32)
401246  SHGetSpecialFolderPathA(buf=12ff00, C:\Documents and Settings\user1\Configuración local\Archivos temporales de Internet)
4012a2  GetTempPath(len=100, buf=130000) = 20
4012da  CopyFileA(C:\Documents and Settings\user1\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat, C:\DOCUME~1\user1\CONFIG~1\Temp\qwea.dat)
4012fb  CreateFileA(C:\DOCUME~1\user1\CONFIG~1\Temp\qwea.dat) = 7ac
40131b  SetFilePointer(hFile=7ac, dist=50, 0, FILE_BEGIN) = 50
40133c  ReadFile(hFile=7ac, buf=130100, numBytes=80) = 1
40134b  CloseHandle(7ac)
40150b  CreateFileA(C:\Documents and Settings\user1\Configuración local\Archivos temporales de Internet\Content.IE5\x☺?) = 7ac
4013a3  GetFileSize(7ac, 12fe78) = 0
4013ec  CreateFileA(C:\DOCUME~1\user1\CONFIG~1\Temp\flowertep.jpg) = 7a8
401428  ReadFile(hFile=7ac, buf=12f9f4, numBytes=400) = 1
401477   E2EB                            loop 0x401464  step: 1075000
401464   807C0FFF83                      cmp byte [edi+ecx-0x1],0x83
401469   740C                            jz 0x401477
40146b   807C0FFF00                      cmp byte [edi+ecx-0x1],0x0
401470   7405                            jz 0x401477
401477   E2EB                            loop 0x401464  step: 1075005
401464   807C0FFF83                      cmp byte [edi+ecx-0x1],0x83
401469   740C                            jz 0x401477
40146b   807C0FFF00                      cmp byte [edi+ecx-0x1],0x0
401470   7405                            jz 0x401477
401477   E2EB                            loop 0x401464  step: 1075010
401464   807C0FFF83                      cmp byte [edi+ecx-0x1],0x83
401469   740C                            jz 0x401477
40146b   807C0FFF00                      cmp byte [edi+ecx-0x1],0x0
401470   7405                            jz 0x401477
401477   E2EB                            loop 0x401464  step: 1075015
....
....
401466  WriteFile(h=7a8, buf=12f9f4, len=0, lpw=12fe74, lap=0) = 1
401486  CloseHandle(7ac)
401495  CloseHandle(7a8)
4014a3  LoadLibraryA(C:\DOCUME~1\user1\CONFIG~1\Temp\flowertep.jpg)
4014d8   E9C0000000                      jmp 0x40159d  step: 1075965
40159d   8B7650                          mov esi,[esi+0x50]
4015a0   8BBE0C020000                    mov edi,[esi+0x20c]
4015a6   8B9E08020000                    mov ebx,[esi+0x208]
4015ac   8B8610020000                    mov eax,[esi+0x210]
4015b2   B952000000                      mov ecx,0x52  step: 1075970
4015b7   05BC040000                      add eax,0x4bc
4015bc   94                              xchg eax,esp
4015bd   807C240340                      cmp byte [esp+0x3],0x40
4015c2   7203                            jc 0x4015c7
4015c7   33C0                            xor eax,eax  step: 1075975
4015c9   8BF0                            mov esi,eax
4015cb   8BD0                            mov edx,eax
4015cd   8B2C24                          mov ebp,[esp]
4015d0   83C404                          add esp,0x4
4015d3   C20400                          retn 0x4  step: 1075980

Basically the shellcode performs the following:

- It looks up the path of the Temporary Internet Files folder.

- It reads index.dat to find the path of the file previously downloaded (xsainfo.jpg).

- It creates the file flowertep.jpg.

- It reads xsainfo.jpg and XORs each byte with 0x83, skipping bytes whose value is 0x00 or 0x83 (the two comparisons in the loop above).

- It writes the result of the XOR operation to flowertep.jpg.

- It uses LoadLibraryA to load flowertep.jpg, which contains the malicious DLL payload.
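The byte transform above is easy to reverse for analysis. The following is an added example, not code from the original post: it applies the same XOR-0x83-with-skip rule to recover the DLL from a captured xsainfo.jpg, checks that the result looks like a PE file, and shows the two-byte prefix ("MZ" XORed with 0x83) that an encoded copy carries on disk. The sample payload inside it is a constructed header skeleton, not the real DLL.

```python
# Added example (not from the original post): reverse the transform the shellcode
# applies to the downloaded xsainfo.jpg so an analyst can recover the DLL that is
# later loaded as flowertep.jpg. Every byte is XORed with 0x83 except bytes equal
# to 0x00 or 0x83, which the shellcode's loop leaves untouched.
import sys

XOR_KEY = 0x83
SKIP_BYTES = {0x00, XOR_KEY}


def decode_xsainfo(data: bytes) -> bytes:
    """Apply the shellcode's byte transform. It is its own inverse: only a
    plaintext 0x00 or 0x83 could XOR into one of the skipped values, and those
    two bytes are copied through unchanged in both directions."""
    return bytes(b if b in SKIP_BYTES else b ^ XOR_KEY for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on decoded output: MZ stub plus a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def encoded_mz_prefix() -> bytes:
    """First two bytes of an encoded xsainfo.jpg ("MZ" XORed with 0x83):
    a useful pattern when hunting for the staged file in caches or captures."""
    return decode_xsainfo(b"MZ")


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a decoded payload: a minimal MZ/PE header
    skeleton followed by bytes that exercise the skip rule. Not a real binary."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + b"\x00\x83constructed payload body\x00"


if __name__ == "__main__":
    if len(sys.argv) == 2:  # decode a captured xsainfo.jpg given on the command line
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
    else:  # demo: encode the constructed sample with the same (involutive) transform
        raw = decode_xsainfo(build_constructed_sample())
    out = decode_xsainfo(raw)
    print(f"input starts with {raw[:2].hex()}, decoded looks like PE: {looks_like_pe(out)}")
```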

Once the payload is executed it implants itself on the system and tries to contact the C&C server using a binary protocol over HTTP:

We have released an OpenIOC file that contains some indicators of compromise you can use to detect the attack on your systems:

We recommend using these indicators of compromise to check for the presence of the malicious payload on your systems. Hopefully Microsoft will release a patch soon, but once again we recommend that you:

- Keep your systems up to date

- Do not keep Flash, Java and other third-party plugins enabled in your browser if you don't use them.

Happy hunting!

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.