Analysis: Old Toolkit -- New Trojan

A number of articles about the Google/Adobe "Aurora" exploit made reference to a "toolkit," such as here, where the author noted that it didn't take long for the Aurora exploit code to be posted around the internet:

A Look at the Google Hack (aka the 'Aurora' Attack)
https://www.bluecoat.com/blog/look-google-hack-aka-aurora-attack

A "toolkit" is a collection of exploit codes, or exploit package, that targets different vulnerabilities. Once the user connects to the infected server, a quick analysis determines the browser, etc, at which point one or more exploits is set in motion.

This type of attack was seen in a more rudimentary form back in 2006, where the code in the web page determined the user's browser:

Code:

// launching exploit which number is depends on Windows and IE versions
function Get_Win_Version(IE_vers)
   
     if (IE_vers.indexOf('Windows 95') != -1) return "95"
     else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
     else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
     else if (IE_vers.indexOf('Windows 98') != -1) return "98"
     else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
     else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
     else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"

Depending on the "return" value, an exploit against the particular IE browser/windows version was launched, and if not patched, could result in an infection.

I received a URL to check that turned out to be an exploit toolkit.

The first was a PDF exploit which downloaded the file, 11.PDF

Code:

{document.write("<embed name=\"fzn\" id=\"11\" src=\"cache/PDF.php?

It turns out to use a 2008 exploit:

CVE-2008-2992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992

The arbitrary code in current PDF exploits either unpacks an embedded trojan executable, or connects out to download one. This exploit would not work for me, so I don't know what the malware is.

The second exploit on this web page targeted IE6 and the old Snapshot Viewer vulnerability, MS08-041, and attemped to download a trojan using filename WAB.exe:

​

Using the filename "WAB.exe" is not new:

Exploit.SinaDLoader.B
http://www.bitdefender.com/VIRUS-1000386-en--Exploit.SinaDLoader.B.html

You will notice a list of exploits in their article. Bitdefender comments,

The last exploit I encountered attempted to download file.exe:

​

This turns out to be a new trojan related to existing families, and not detected by all AV. Two names given to this trojan are:

Code:

TR/Spy.ZBot.adys.1
Win32/Koobface.B!generic

Evidence of the multi-exploit package, or toolkit, is seen in a look at the IE cache generated upon connecting to the web page:

​

Each of the string of characters/numbers is a reference to a Registry entry (CLSID) for a particular Windows function that is being exploited. For example, the first:

Code:

 
BD96C556-65A3-11D0-983A-00C04FC29E30 (also E36)

refers to an old Microsoft exploit from 2006. Here is a reference:

Non-malicious compromise pointing to a benign VBScript!
http://isc.sans.org/diary.html?storyid=3324

If you search for the other CLSIDs in the above screen shot, you will find references to various exploits -- old to be sure, but informative if you want to understand more how the cybercriminals target vulnerabilities.

It's easy for cybercriminals to find an existing, old toolkit on the internet and use it to download their own trojan, be it a password stealer, gaming, or banking trojan.

So, why do the cybercriminals package old exploits, long since patched? From the bluecoat.com blog again:

https://www.bluecoat.com/blog/look-google-hack-aka-aurora-attack

And so it goes...

This "toolkit" I encountered is typical, in that it contains an Adobe exploit, and also exploits against IE and Windows. The Adobe exploit will catch Opera and Firefox users who don't have scripting and plugins disabled. The others will snag IE users who aren't patched.

The growing importance of Adobe for cybercriminals is emphasized by McAfee:

2010 Predictions
http://www.avertlabs.com/research/b...of-a-major-social-networking-security-breach/

regards,

-rich

 

Great analysis Rmus. Thanks very much.

In the case of a user using a unpatched version of Firefox with User agent Switcher, or a unpatched version of Opera with the built-in option to change the identification of the browser, will prevent a infection from a exploit package analysis targeting the browser?

 

You are welcome.

Regarding browser identification - I can't answer your question. I've not found any consistency when fiddling with browser ID.

With this particular exploit, for example, using Opera with different IDs will load different pages with scripts, but in each case, if Javascript and Plugins are enabled, the PDF file will load, no matter the Browser ID.

Here are example. Note the different Body text message. (see the screen shot in my first post). Each starts with a different function (command):

ID Opera as Opera:

Code:

body text=is public corporation Inc. Google specializing an American 

script>[B][COLOR="DarkRed"]function XvM[/COLOR][/B]( LWv ){var Dnk = "", xot = 0; 
...return Dnk;} /script>

ID Opera as Firefox

Code:

body text=public Google is Inc. American an corporation specializing 

script>[B][COLOR="DarkRed"]function BBW[/COLOR][/B]( LdV ){var bXg = "", OcC = 0; 
... return bXg; /script>}

ID Opera as Internet Explorer:

Code:

body text=specializing Inc. public American is Google an corporation 

script>[B][COLOR="DarkRed"]function kQv[/COLOR][/B]( uRi ){var FJk = "", KHf = 0; 
... return FJk; /script>}

However, if I load the page in Internet Explorer, compare the code, noting the reference to ActiveX:

Code:

body text=corporation Google is an American specializing Inc. public 

script>[B][COLOR="DarkRed"]function zUb[/COLOR][/B]( bfP ){var lcw = ""...

("PDF.PdfCtrl"),mbis1m("AcroPDF.PDF"))
{try{WUW = [B][COLOR="DarkRed"]new ActiveXObject[/COLOR][/B](Weo[bxF]);
src=\"[B][COLOR="DarkRed"]cache/PDF[/COLOR][/B].php?st=[COLOR="DarkRed"][B]Internet Explorer 6.0[/B][/COLOR]\" 

And the PDF file loads along with the other exploits that target IE6.

Note also that body text and filenames change constantly.

Regarding browser exploits against Firefox and Opera: there are plenty of vulnerabilities, but cybercriminals so far have not been attracted to exploiting them. Whether or not changing Browser ID would prevent these would have to be tested specifically.

But why should cybercriminals bother targeting Firefox or Opera vulnerabilites, since the world-wide majority, both home and corporate, use Internet Explorer that comes bundled with Windows. And most evidently have very porous defenses, including not keeping up with patches. Ripe fruit just waiting to be plucked!

Anyway, Adobe exploits work no matter the browser, if not properly configured (scripts, plugins)


regards,

-rich

 

Informative breakdown, nice screenies and good links. Appreciate your time to compile and post this. Old doesn't automatically mean useless, as you've shown.

More on Aurora here http://www.wired.com/threatlevel/2010/02/apt-hacks/#ixzz0eaRljStR

 

Thanks for the detailed reply Rich.

So... i can conclude if the exploit is against a third part plugin or javascript based, they will work independent of the ID.

But if for example, a opera using the ID of IE and the exploit try do a drive by
using urlmon.dll (like described in the Analysis of Trojan.Hydraq , aka "Aurora" ) it will not work right?