Neosploit update

For a while now we have been observing version 2.0.15 used by many malicious sites. However, it seems that recently there's been an update to the toolkit.

There were two exploits added, initially reported by Exploit Prevention Labs, and some slight changes in the decryption function of the obfuscated Javascript. Also, minor changes in the URL scheme used to track statistics on visitors and victims.

Here are the vulnerabilities exploited as of today:

"Internet Explorer"

(3) - cve-2007-0018 "NCTAudioFile2" ActiveX control "SetFormatLikeSample()" method (77829F14-D911-40FF-A2F0-D11DB8D6D0BC)
(7) - cve-2006-4777 "DirectAnimatioin.PathControl" ActiveX control "KeyFrame()" method (D7A7D7C3-D47F-11D0-89D3-00A0C90833E6)
(9) - cve-2006-5820 "Sb.SuperBuddy.LinkSBIcons()"
(12) - cve-2006-3730 "WebViewFolderIcon.WebViewFolderIcon.1.setSlice()"
(13) - cve-2007-5779 "GomWebCtrl.GomManager.1.OpenURL()"
(19) - cve-2008-0624 Yahoo! Music Jukebox DataGrid ActiveX control AddButton() method (5F810AFC-BB5F-4416-BE63-E01DD117BD6C)
(20) - cve-2007-2222 MS07-033 Microsoft Speech API ActiveVoice control (EEE78591-FE22-11D0-8BEF-0060081841DE)

"Firefox"

cve-2006-0005 Windows Media Player Plugin MS06-006
cve-2007-0015 QuickTime RTSP Response Header Content-Type

Adpack analysis

Adpack stands for "Advanced Pack" and was written in PHP on the server side along with SQL backend for tracking and statistics.
Analysis was performed on a toolkit which had file timestamps of September 2007.
The pack attempts to exploit the following vulnerabilities:
- MS06-014 (MDAC)
- Java ByteVerify
- Opera 9 (?)

URLs as seen by the victim:

"index.php" - collects statistics and serves the obfuscated Javascript.
"index.php?java" - returns HTML page to load Java applet.
"java.php" - returns a JAR archive for the Java exploit.
"load.php" - returns an Executable file (default: "load.exe").

Details on server side execution of PHP:

"load.php"

Inserts victim's IP address into the database under the compormised table ("ips2").
If unable to INSERT then returns plain text string: "ai siktir vee?".
Increment the "loads" count.
Return an executable file ("load.exe") with MIME type: "application/octet-stream".

"index.php"

Check if configured to serve the Java exploit and URL parameter contains a request for it, and
IP address already visited this script (to get the redirect), and IP address has not been exploited,
only then serve the <applet> tag.

Insert IP address into the database under visitors table ("ips"). If IP address already exists the update will fail.
Failure to INSERT will abort the script and return the same string as for "load.php".

Increment statistical counts for Browser, Operating System, and Country.
The following browser strings are tracked:
"MSIE 7", "MSIE", "Nav", "Lynx", "Bot", "Firefox", "Mozilla".
Following is a list of Operating System strings which is tracked:
"Windows 95", "Windows NT 4", "Win 9x 4.9", "Windows 98", "Windows NT 5.0", "Linux",
"SV1" (as WinXPsp2), "Windows NT 5.1", "Windows NT 5.2", "FreeBSD", "Gentoo", "Ubuntu"

Uses the GeoIP library to identify visitor's country.
Stores the Referer's FQDN field and increments its count.

Passes control (include) to "exploits.php" which serves the Javascript.

"exploits.php"

Defines the Javascript's obfuscation code and the URL used to obtain the Executable file.
By default URL resides in the same directory as the "index.php" script and will be called

"load.php"

Javascript obfuscation function is a simple static single byte XOR routine.

If Java exploit was requested then serve the HTML applet tag with JAR archive as "java.php",
class to run "BaaaaBaa.class" and a single parameter "url" with value of the URL for the Executable.

OR, if browser is "MSIE" then return the obfuscated HTML page.
HEAD will contain a 3 second redirection timeout to the Java exploit URL ("index.php?java").
Rest is Javascript code for the MDAC (MS06-014) exploit.

OR, if browser is "Opera" serve an Opera exploit which will reconfigure a preference for the
TN3270 handler to execute the downloaded Executable file.

"mysql.php"

Connects to the database as defined in "config.php".
Contains definitions for various functions which are used by the toolkit.
:) - contains a blind SQL Injection vulnerability.

"install.php"

Creates the necessary tables in the database. If tables already exists they will be dropped.

"config.php"

Contains the Database configuration and credentials, pack's admin credentials, name of the Executable file.
Boolean toggle for Java exploit.

"admin.php"

Admin page which displays various statistics and allows to reset statistics.
Requires authentication.

Firepack Analysis

Firepack 0.18
Exploit toolkit which utilizes PHP on the server side, on the client Javascript and Vbscript and exploits only MSIE 6. Instead of using a SQL backend to keep track of visitors and victims it uses regular text files in the same directory.

Requests as seen by the victim:

"index.php" - Serves obfuscated Javascript with random functions and variables.
"breach.php?smc=" - if ms06-014 was exploited
"breach.php?cro=" - if one of the various COM objects were exploited via same method as ms06-014
"breach.php?mdac=" - if ms06-014 was exploited

The following text files are used for statistics tracking instead of a SQL database:

"brow.txt" - count of type of browsers ($ie|$other; eg. 10|0)
"ip_ban.txt" - if IP banning is configured then track here
"block.txt" - list of countries to ignore based on $HTTP_ACCEPT_LANGUAGE
"os.txt" - count of Operating Systems ($w95,$wme,$w98,$w2k,$wxp,$w23,$wvs)
"ref.txt" - more detailed statistics including referer (country code, country name, IP, browser, version, OS, referer, date, time)

The following are specific functions within the obfuscated javascript:

smc() - ms06-014 (BD96C556-65A3-11D0-983A-00C04FC29E36)
downloads EXE via Ajax, upon execution of EXE makes another request to:
breach.php?smc=<###########> - Math.random() number

cro() - looks like it's taken from the Metasploit module "IE COM CreateObject Code Execution"
BD96C556-65A3-11D0-983A-00C04FC29E30 - RDS.DataControl (ms06-014; cve-2006-0003)
BD96C556-65A3-11D0-983A-00C04FC29E36 - RDS.DataSpace (ms06-014; cve-2006-0003)
AB9BCEDD-EC7E-47E1-9322-D4A210617116 - Business.Object.Factory
0006F033-0000-0000-C000-000000000046 - Outlook.Data.Object
0006F03A-0000-0000-C000-000000000046 - Outlook.Application
6e32070a-766d-4ee6-879c-dc1fa91d2fc3 - SoftwareDistribution.MicrosoftUpdateWebControl.1
6414512B-B978-451D-A0D8-FCFDF33E833C - SoftwareDistribution.WebControl.1
7F5B7F63-F06F-4331-8A26-339E03C0AE3D - WMIScriptUtils.WMIObjectBroker2.1 (ms06-073; cve-2006-4704)
06723E09-F4C2-43c8-8358-09FCD1DB0766 - VsmIDE.DTE
639F725F-1B2D-4831-A9FD-874847682010 - DExplore.AppObj.8.0
BA018599-1DB3-44f9-83B4-461454C84BF8 - VisualStudio.DTE.8.0
D0C07D56-7C69-43F1-B4A0-25F5A11FAB19 - Microsoft.DbgClr.DTE.8.0
E8CCCDDF-CA28-496b-B050-6C07C962476B - VsaIDE.DTE

breach.php?cro=<#########> - Math.random() number

mdac() - uses Vbscript; ms06-014; BD96C556-65A3-11D0-983A-00C04FC29E36
"breach.php?mdac=<########>" - round(rnd*99999)

vml() - ms06-055; cve-2006-4868; 10072CEC-8CC1-11D1-986E-00A0C955B42E

Detecting Malicious Javascript

Majority of malicious websites which attempt to exploit browser based vulnerabilities to install spyware/malware utilize various obfuscation methods to hide their code.

A typical "Drive-by" download consists of a victim visiting, or being redirected to, an attacker's webpage which serves obfuscated/encrypted code for the browser to execute.

Following is a Snort IDS signature which attempts to detect this obfuscated code:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL Malicious script"; flow:established,from_server; content:"("; pcre:"/(\x27|\x22)[\w/@=+%!\\-]{500}/iR"; sid:1000;)

This signature has been successfully tested against the following exploit toolkits:

- Icepack
- Mpack (all variations: regular, obfuscated, and XOR encrypted)
- Firepack 0.18
- Neosploit (various builds of version 1 and 2)

Comments, suggestions, criticism, and optimizations regarding the signature are welcomed.

Antivirus against old threats

In light of the fact that many Information Security companies post their end of year reports as well as predictions for the new year we thought it would be interesting to perform another AV statistics study. Many researchers and professionals are begining to accept the long overdue fact that Antivirus products are losing the battle against modern malware. We decided to test samples of old malware which was collected between 04/2001 and 11/2006. Altogether, there were 86 unique samples. These samples were submitted to Virustotal in 01/2008 and here are the results:

% Found  Total   Missed          AV
------------------------------------------------------
59.00    86      36              VirusBuster
64.00    86      31              eTrust-Vet
64.00    86      31              FileAdvisor
66.00    86      30              ClamAV
66.00    86      30              TheHacker
69.00    86      27              CAT-QuickHeal
69.00    86      27              Prevx1
75.00    86      22              AhnLab-V3
80.00    86      18              eSafe
87.00    86      12              Sophos
87.00    86      12              Sunbelt
89.00    86      10              DrWeb
90.00    86      9               Rising
92.00    86      7               Authentium
94.00    86      6               Ewido
95.00    86      5               Panda
97.00    86      3               AVG
97.00    86      3               Microsoft
97.00    86      3               NOD32v2
97.00    86      3               Norman
97.00    86      3               VBA32
98.00    86      2               Avast
99.00    86      1               Fortinet
99.00    86      1               Ikarus
99.00    86      1               McAfee
100.00   81      0               Symantec
100.00   86      0               AntiVir
100.00   86      0               BitDefender
100.00   86      0               F-Prot
100.00   86      0               F-Secure
100.00   86      0               Kaspersky
100.00   86      0               Webwasher-Gateway

Neosploit server side execution

Toolkit is written in C and runs as a CGI program in the web server. Here are some details about its execution. Data obtained from analysis of version 1.0 of the toolkit. Current versions seen in the wild are 1.5 and 2.0, which may change or add some of the URL schemes.

Exploit URL sequence as seen by the victim:

"?p=user1" - serves the obfuscated Javascript code
"?u2_1_600_2_0_870665223_2792316769_2354152789" - gets the first stage loader (values are not static)
"?l=user" - second stage loader, first stage will contact this URL

*** Populate internal structures ***

Load environment structure obtained from web server's environment variables:
HTTP_USER_AGENT, QUERY_STRING, HTTP_HOST, REQUEST_URI, REMOTE_ADDR, HTTP_COOKIE, SCRIPT_NAME, HTTP_REFERER

Load the form structure obtained from values either in POST or GET request.

Populate statistics structure: Operating System (via UAS), Browser (via UAS), generate hash of referer, userid (toolkit is a multiuser system, this isn't the userid of the victim), Some additional data ("?a=").

Loads the structure with necessary filenames used for statistics and config (starts w/ name of script: "in.cgi")
"in.hits" = Traffic file
"in.loads" = Loads file
"in.loads2" = Loads 2 file
"in.key" = License file
"in.passwd" = Password file (username, passwd, user's configs)
"in.refs" = Referers

*** Generate exploit code and URLs ***

Check if REMOTE_ADDR is in traffic file (.hits). If IP is visiting again within the block time (default 60m) then abort, otherwise serve exploit.

Check if query contains a referenced user ("?p=user") then use his config otherwise default.

Exploit is served based on browser (exploits reside in seperate header files).

Exploitation of Firefox, Netscape, and Opera is configured during toolkit's build time. Internet Explorer is always enabled.

Build a URL to download the loader in format of "%s?u%hu_%hu_%u_%hu_%lu_%lu_%lu_%s": Script name, OS, Browser, Browser Version, Exploit used, additional (??), Hash of REMOTE_ADDR, Hash of HTTP_REFERER, Exploit user.

Shellcode and Loader's URL are inserted into the dynamically generated Javascript code with random variables names and sent to browser.

*** Response to shellcode's request ***

Populate log structure with data taken from GET URL ("?u1_1_10_...")

To get the loader the following conditions must be true: Browser is one of: IE, Firefox, Netscape, Opera; OS is one of: 95, 98, NT, XP, ME, 2k, 2k3 (? Vista); Browser version is set; REMOTE_ADDR is in statistics file ("in.loads") within the block time (IP isn't compared if current time is passed the block time); and the IP's hash in the request URL has to match hash of REMOTE_ADDR.

If unable to open malicious EXE file to send to victim then responds with message: "can't open (pipe stream|file) ${EXE_path}".

Log visitor's IP and time into loader's log ("in.loads").

*** Second stage loader ***

Initial loader may be part of multi-stage loading sequence. If configured as such then first stage loader will callback for the second stage EXE w/ request URL in form: "?l=user".

Check if REMOTE_ADDR is in statistics file ("in.loads") and is within the block time (IP isn't compared if current time is passed the block time). Record IP and time into "in.loads2" file.

If second stage loader exists then serve it.

MPack Analysis

Has the ability to serve exploits to a defined set of countries. If it is configured to block duplicate visitors, which is done by checking the MD5 hash of REMOTE_ADDRESS and User Agent String, then changing anything within UAS will serve the exploit again.

If a database is not utilized to track statistics then everything is kept in text files ("ip_${stat}.txt"): 0day, all, expl, firefox, jar, opera7, file, qtlexp, ani2 (e.g. "ip_all.txt").

"users.txt"
used to track visitors to "index.php" if DB isn't used, contains MD5 hash of IP and UAS.

"maketable.php"
creates the necessary DB tables for tracking statistics.

"settings.php"
configuration such as use DB, credentials, exploit only once.

"admin.php"
displays statistics for exploits and loads (requires DB login, via POST).

"stats.php"
displays statistics, requires only the password via GET "?pass=mpack" (seperate from DB credentials).

"flush.php"
deletes all statistics, requires a password via GET "?pass=mpack" (not DB credentials).

"index.php"
serves the obfuscated javascript code, increments total traffic count. Accepts an optional parameter "?id=168" for different loader which will be passed to "file.php". Calculates MD5 hash of IP + UAS, if identical entry is found it will not serve the exploit, returns:
";[" - if DB isn't used, or
":[" - if DB is used.

"file.php"
serves an executable (1st stage), increments exploited counter. Accepts an optional variable via GET "?id=trojan" which is stored on the filesystems as "loader_trojan.exe".

"fout.php"
serves the 2nd stage (last) executable, increments "loads count". Basically, this is the sure way to tell if the 1st stage loader made the callback home.