Friday, February 21, 2014

Probing into the Flash Zero Day Exploit (CVE-2014-0502)

Yesterday, a targeted campaign leveraging a Flash zero day exploit hit the news. Adobe has now released a security bulletin regarding this vulnerability. Based on the attack vector mentioned in prior research, we have concluded that recently observed .SWF exploitation is related to the recent zero-day threat flagged as CVE-2014-0502. Upon successful infection, the exploited victim is served a RAT (Remote Access Trojan). 

While we were doing our daily review of logs, we found a significant number of transactions related to this campaign. We specifically started looking for those compromised servers which have been mentioned in prior research.  We began investigating all suspicious transactions which used a known compromised site as a referral location. 

After some brief inspection of this location, we found not only the malicious .SWF, but also all other connected malicious files detailed in the analysis below. We will cover the dropped Flash file, which exploits the vulnerability using an image that contains embedded shellcode. This shellcode is then used to download the malware.

The Flash file was found to be encrypted using the DoSWF flash encryptor.

Upon throwing the Flash file into an ActionScript viewer, we immediately see the script shown below. The script tries to make a URL Request to a GIF Image file, which contains the embedded shellcode for an ROP exploit.

The script checks for the presence of a cookie labeled 'XPT2013111'. If this cookie is not already present, the script sets it.

The script then checks the operating system version and, in the case of Windows XP, further checks the OS language. Details of the OS language and version are then used to determine the base address for the exploit. In the case of Windows 7, the script further probes for unpatched and outdated versions of Java (Web Start 1.6 and 1.7) or Microsoft Office (SharePoint OpenDocuments 3 or 4).

Here we can see that on XP the script determines the base address for the exploit from the OS version and language. The ROP sled is then built to carry out the exploit.

The GIF image used for embedding the shellcode is shown below, which of course seems innocuous to the victim.


When opened in a hex editor, the magic bytes for a GIF image file can be seen.

However, upon careful examination, we further see extra bytes appearing toward the end of the image as shown below.

Using a shellcode emulator like libemu, we can see that this extra data represents the shellcode to be executed.

Here we see that the shellcode makes a call to the LoadLibraryA function and then to VirtualProtect to allocate memory in which to place the shellcode. It then checks for the /temp folder path and makes calls to InternetOpenUrlA to download the malware from a remote location http://[x.x.x.x]/common/update.exe and drops it into the /temp folder.
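The appended data described above can be found without a hex editor by walking the GIF block structure up to the trailer byte and reporting whatever follows it. The following is an added example, not code from the original post; it assumes the extra bytes sit after the GIF trailer, and the sample files are constructed.

```python
import struct

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed sub-blocks; return the offset after its 0x00 terminator."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def gif_trailing_bytes(data: bytes) -> bytes:
    """Walk the GIF block structure and return every byte found after the trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("bad magic bytes: not a GIF")
    try:
        # Logical Screen Descriptor: width, height, packed flags, background, aspect.
        _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
        pos = 13
        if packed & 0x80:                      # global colour table present
            pos += 3 * (2 << (packed & 0x07))
        while True:
            block = data[pos]
            pos += 1
            if block == 0x3B:                  # trailer: the image ends here
                return data[pos:]
            if block == 0x21:                  # extension: label byte, then sub-blocks
                pos += 1
            elif block == 0x2C:                # image descriptor: 9 bytes, flags last
                packed = data[pos + 8]
                pos += 9
                if packed & 0x80:              # local colour table present
                    pos += 3 * (2 << (packed & 0x07))
                pos += 1                       # LZW minimum code size
            else:
                raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
            pos = _skip_sub_blocks(data, pos)  # 0x3B inside pixel data is skipped here
    except (IndexError, struct.error):
        raise ValueError("truncated GIF: trailer never reached") from None

# Constructed sample: a minimal 1x1 GIF89a, then the same file with filler appended.
CLEAN_GIF = bytes.fromhex(
    "47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff"
    " 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00"
    " 02 02 44 01 00 3b")
PADDED_GIF = CLEAN_GIF + b"CONSTRUCTED-FILLER-BYTES"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("padded", PADDED_GIF)):
        print(name, len(gif_trailing_bytes(blob)), "byte(s) after the trailer")
```

Any non-empty result is worth a closer look, since a well-formed GIF has nothing after its trailer.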

A sandbox analysis of the final dropped file can be seen here.

Browser plugins continue to be the Achilles heel of enterprise security. While enterprises struggle to ensure that browser plugins are up to date on all end user systems to prevent browser exploit kits from targeting known vulnerabilities, here we see yet another demonstration where even that is not enough. Attackers continue to identify and exploit 0day vulnerabilities in popular web browser plugins such as Adobe Flash, which unfortunately has a long history of dealing with such threats.

Tuesday, February 4, 2014

New Asprox Variant Goes Above and Beyond to Hijack Victims

[UPDATE] After further analysis, this threat was identified as Asprox botnet and not Zbot

Asprox is an extremely venomous threat, which has strong persistent tactics to ensure that the victim remains infected despite removal attempts. We will get to the overabundance of methods used to keep the victim infected later on. First, I'll share some of the latest download locations for this threat, which researchers should take note of:
  • hxxp://king-orbit[.]com/libs11.18/ajax/
  • hxxp://message-tvit[.]com/libs17.19/ajax/
  • hxxp://bidcos-fact[.]com/libs20.17/ajax/
  • hxxp://vespula-grants[.]com/libs31.56/jquery/
  • hxxp://bee-smoka[.]com/libs29.89/ajax/
The bulk of these threats are tied to a server found in Russia: 88[.]85[.]215[.]129.

As with other malicious infections, the threat deletes itself the moment it is run, in order to hinder researchers attempting to reverse engineer the attack. The next step is to create a Security Center Task in Windows, to ensure that even if the threat is removed, it will recur.

The filename is randomly generated.

Note the filename of the .job file, which is dropped on the victim's machine.  This name is randomly generated.

In addition to ensuring that the threat restarts if the victim were to reboot, it also disables key Windows processes to hinder removal of the threat.  This includes disabling Safe Boot registry keys.

This prevents users from booting into Safe Mode to run standard AV solutions.

Once installed and hooked into the victim's environment, it begins the task of phoning home to its Command & Control (CnC) location for tasks to complete. Periodically, it will receive a GET request from the CnC to make sure that the victim is still listening.

Hi! to you too.

Given the stealth tactics employed by this threat, you may not be aware of the infection straight away. You may however become suspicious when you start to feel the drag on your Internet connection. Behind the scenes, the threat is actively reaching out to several different ad servers as a means to promote ad revenue for the attacker. Below is only a portion of the servers that were contacted in the course of a few minutes.

None of these transactions take place in the browser; they all happen behind the scenes.

Administrators concerned for their users' safety should take note of usage patterns. It won't be difficult to spot a user sending out absurd amounts of ad traffic. You can either look through your logs for large amounts of advertisement traffic or find HTTP POST requests with the string '/b/opt/' in the URI path.

2.254 Mbps!!!
While this threat is persistent, it is easy to spot from a Network Administrator's point of view. The information provided should be enough to find your infected users and take them off the network until remediation of the threat can be completed.
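Both log checks suggested above can be run in one pass over proxy logs. The following is an added example, not code from the original post; the log layout (time, client, method, URL, category), the "ads" category label, the threshold and all hosts are assumptions, and the sample lines are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy log lines; assumed layout: time client method url category.
SAMPLE_LOG = """\
2014-02-04T10:00:01 10.0.0.15 POST http://host-a.example/b/opt/AAAA none
2014-02-04T10:00:02 10.0.0.15 GET http://ads1.example/imp?id=1 ads
2014-02-04T10:00:02 10.0.0.15 GET http://ads2.example/imp?id=2 ads
2014-02-04T10:00:03 10.0.0.15 GET http://ads3.example/imp?id=3 ads
2014-02-04T10:00:04 10.0.0.22 GET http://search.example/find?q=/b/opt/ none
2014-02-04T10:00:05 10.0.0.22 GET http://ads1.example/imp?id=9 ads
2014-02-04T10:00:06 10.0.0.31 GET http://site.example/b/opt/readme none
this line is malformed and is skipped
"""

def find_suspects(log_text: str, ad_threshold: int = 3) -> dict:
    """Return {client: [reasons]} for clients matching either indicator."""
    beacons, ad_hits = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                          # skip malformed lines
        _ts, client, method, url, category = parts
        # Match on the URI path only, so a query string that merely
        # mentions '/b/opt/' does not raise a false positive.
        if method == "POST" and "/b/opt/" in urlsplit(url).path:
            beacons[client] += 1
        if category == "ads":
            ad_hits[client] += 1
    suspects = {}
    for client in sorted(set(beacons) | set(ad_hits)):
        reasons = []
        if beacons[client]:
            reasons.append(f"{beacons[client]} POST to /b/opt/")
        if ad_hits[client] >= ad_threshold:   # hypothetical threshold, tune per site
            reasons.append(f"{ad_hits[client]} ad requests")
        if reasons:
            suspects[client] = reasons
    return suspects

if __name__ == "__main__":
    for client, reasons in find_suspects(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```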

You can find open source sandbox analysis of this threat here and here.  There is also a more detailed analysis found here.

Mind Your Clicks.