Firepack Analysis

Firepack 0.18
Exploit toolkit that uses PHP on the server side and JavaScript and VBScript on the client, and exploits only MSIE 6. Instead of using an SQL backend to keep track of visitors and victims, it uses plain text files in the same directory.

Requests as seen by the victim:

"index.php" - Serves obfuscated JavaScript with randomly named functions and variables.
"breach.php?smc=" - requested if ms06-014 was exploited (JavaScript smc() path)
"breach.php?cro=" - requested if one of the various COM objects was exploited via the same method as ms06-014
"breach.php?mdac=" - requested if ms06-014 was exploited (VBScript mdac() path)

The following text files are used for statistics tracking instead of a SQL database:

"brow.txt" - count of browser types ($ie|$other; e.g. 10|0)
"ip_ban.txt" - if IP banning is configured, banned IPs are tracked here
"block.txt" - list of countries to ignore based on $HTTP_ACCEPT_LANGUAGE
"os.txt" - count of Operating Systems ($w95,$wme,$w98,$w2k,$wxp,$w23,$wvs)
"ref.txt" - more detailed statistics including referer (country code, country name, IP, browser, version, OS, referer, date, time)

The following are the specific functions within the obfuscated JavaScript:
smc() - ms06-014 (BD96C556-65A3-11D0-983A-00C04FC29E36)
downloads the EXE via Ajax; once the EXE has executed, it makes another request to:
breach.php?smc=<###########> - Math.random() number

cro() - looks like it's taken from the Metasploit module "IE COM CreateObject Code Execution"
BD96C556-65A3-11D0-983A-00C04FC29E30 - RDS.DataControl (ms06-014; cve-2006-0003)
BD96C556-65A3-11D0-983A-00C04FC29E36 - RDS.DataSpace (ms06-014; cve-2006-0003)
AB9BCEDD-EC7E-47E1-9322-D4A210617116 - Business.Object.Factory
0006F033-0000-0000-C000-000000000046 - Outlook.Data.Object
0006F03A-0000-0000-C000-000000000046 - Outlook.Application
6e32070a-766d-4ee6-879c-dc1fa91d2fc3 - SoftwareDistribution.MicrosoftUpdateWebControl.1
6414512B-B978-451D-A0D8-FCFDF33E833C - SoftwareDistribution.WebControl.1
7F5B7F63-F06F-4331-8A26-339E03C0AE3D - WMIScriptUtils.WMIObjectBroker2.1 (ms06-073; cve-2006-4704)
06723E09-F4C2-43c8-8358-09FCD1DB0766 - VsmIDE.DTE
639F725F-1B2D-4831-A9FD-874847682010 - DExplore.AppObj.8.0
BA018599-1DB3-44f9-83B4-461454C84BF8 - VisualStudio.DTE.8.0
D0C07D56-7C69-43F1-B4A0-25F5A11FAB19 - Microsoft.DbgClr.DTE.8.0
E8CCCDDF-CA28-496b-B050-6C07C962476B - VsaIDE.DTE

breach.php?cro=<#########> - Math.random() number

mdac() - uses Vbscript; ms06-014; BD96C556-65A3-11D0-983A-00C04FC29E36
"breach.php?mdac=<########>" - round(rnd*99999)

vml() - ms06-055; cve-2006-4868; 10072CEC-8CC1-11D1-986E-00A0C955B42E

Detecting Malicious Javascript

The majority of malicious websites that attempt to exploit browser-based vulnerabilities to install spyware/malware use various obfuscation methods to hide their code.

A typical "drive-by" download consists of a victim visiting, or being redirected to, an attacker's web page, which serves obfuscated/encrypted code for the browser to execute.

The following Snort IDS signature attempts to detect this obfuscated code:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL Malicious script"; flow:established,from_server; content:"("; pcre:"/(\x27|\x22)[\w/@=+%!\\-]{500}/iR"; sid:1000;)
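To show what the signature actually keys on, here is an added Python emulation of its two payload options (not part of the original post), run over constructed response bodies: the rule alerts when, somewhere after a literal "(", a quote is followed by an unbroken run of 500 characters from the class [\w/@=+%!\\-] (letters, digits, and the characters base64 and URL-encoded strings are built from), which is what the kit's eval(unescape('...')) style payload looks like on the wire. The sample names and bodies below are constructed for illustration.

```python
import re

# The character class and the 500-character run length are copied verbatim from
# the signature; Python's re accepts the same syntax here as PCRE.
LONG_QUOTED_RUN = re.compile(r"(\x27|\x22)[\w/@=+%!\\\-]{500}", re.IGNORECASE)


def rule_matches(body: str) -> bool:
    """Emulate the rule's payload options against one HTTP response body.

    content:"("   the body must contain a literal '(' ...
    pcre /.../R   ... and the regex is searched relative to that match, i.e.
                  starting right after it (the pcre is unanchored, so any later
                  quote + 500-character run still counts).
    """
    paren = body.find("(")
    if paren == -1:
        return False
    return LONG_QUOTED_RUN.search(body, paren + 1) is not None


# Constructed sample response bodies (not captured from any real site).
SAMPLES = {
    # Ordinary page script: short quoted strings only.
    "benign_short": 'document.write("<p>hello</p>"); alert("done");',
    # Shaped like the kit's output: a 600-character argument of URL-encoded
    # bytes handed to a decode-and-eval chain.
    "obfuscated_unescape": "eval(unescape('" + "%75%6E%65%73" * 50 + "'));",
    # Same shape, but the run is 499 characters: one short of the threshold.
    "just_under_threshold": "eval(unescape('" + "A" * 499 + "'));",
    # A long quoted run but no '(' anywhere: the content match never fires.
    "no_paren": 'var s = "' + "B" * 600 + '";',
    # Caveat: a benign base64 blob inside a quoted JS string trips the rule too.
    "base64_false_positive": 'var png = atob("' + "QUJD" * 150 + '");',
}


def scan_samples(samples: dict) -> dict:
    """Return, per sample name, whether the emulated rule would alert on it."""
    return {name: rule_matches(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples(SAMPLES).items():
        print(f"{'ALERT' if hit else 'pass '}  {name}")
```

The last sample shows the obvious false positive, a long base64 blob inside a quoted JavaScript string; note also that sids below 1,000,000 are reserved for the distributed rule set, so a local deployment would renumber sid:1000.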

This signature has been successfully tested against the following exploit toolkits:

- Icepack
- Mpack (all variations: regular, obfuscated, and XOR encrypted)
- Firepack 0.18
- Neosploit (various builds of version 1 and 2)

Comments, suggestions, criticism, and optimizations regarding the signature are welcomed.