We at SpiderLabs investigate many suspicious webpages on a daily basis. Occasionally we run into something that seems new and unfamiliar to us, which is generally when things become interesting.
A recent discovery of ours began just like that and ended with our identification of an Internet Explorer 8 vulnerability being actively exploited in the wild. Through collaboration with the Microsoft Security Response Center (MSRC) team we confirmed that this new zero-day (CVE-2013-3897), which is distinct from the previous zero-day CVE-2013-3893, has been in the wild for a month. The patch was just released today, and users need time to install it, so we can’t reveal the full technical analysis of this vulnerability yet; we can, however, share some interesting details about the attack.
The attackers distributed the zero-day exploit via the following URL: hxxp://126.96.36.199/mii/guy2.html (currently offline). It turns out that this isn’t the first time we have encountered this kind of URL. One month earlier a similar URL in the same class-C range, hxxp://188.8.131.52/mii/guy2.html (currently offline), served an older zero-day (CVE-2012-4792). We continued to track this class-C segment and a few days ago found a new live instance of this attack serving the new zero-day on a different IP address with the same URL path.
The zero-day campaign seems to have launched in the first half of September 2013 targeting Japanese and Korean users:
The attacker also checks the operating system and Internet Explorer versions as can be seen in the image below:
The code validates that the user’s machine runs Windows XP with Internet Explorer 8. If it doesn’t, the attack terminates. From tests conducted in our lab, we determined that the exploit also works on Windows 7 with an adjustment to the shellcode: using a valid ROP chain (a technique to bypass DEP by reusing instruction sequences already present in loaded code) for each Windows environment and overcoming the operating system’s ASLR.
The last check the attackers perform before invoking the exploit itself is making sure that the exploit will only execute once per machine, to avoid detection. It does so by setting a cookie named “Cookie1=KK20130912;”. After performing the checks discussed above, the attack also uses ROP chains built from Korean/Japanese browser language packs to further validate the targets of the attack, but this time implicitly:
The attack also uses the "DOM Element Property Spray," a technique also used in the last Internet Explorer zero-day (CVE-2013-3893) a couple of weeks ago. A Metasploit module has already been written for this specific vulnerability (CVE-2013-3893).
The code above creates a new Array, fills it with new elements (DIV elements in this case) and then sets the title attribute of each element to a long run of NOPs. After successful exploitation the attacker uses an XORed shellcode. After XORing the shellcode with 0x94 we get the following payload:
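The post states that the shellcode was XORed with the single byte 0x94. The following Python is an added example (not SpiderLabs' code, and not the real shellcode): it decodes a buffer with a known key and, more usefully for an analyst who does not yet know the key, brute-forces all 256 single-byte keys and picks the one that exposes the most readable, stager-like content. The encoded sample is constructed from a made-up plaintext using a TEST-NET IP address; the marker list used for scoring is an assumption.

```python
"""Added example (not SpiderLabs' code): decode a single-byte-XOR payload.

The sample below is constructed for this example; it is NOT the real
shellcode from the attack.  The key 0x94 is the one named in the post.
"""
from __future__ import annotations

# Assumed markers that tend to appear in a download-and-execute stager once
# decoded (URL scheme, file extensions, a DOS/PE header).  Used only for
# scoring candidate keys; these are assumptions, not values from the exploit.
KNOWN_MARKERS = (b"http://", b"https://", b".exe", b".gif", b".dll", b"MZ")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (0..255)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> int:
    """Heuristic score: +1 per printable byte, +10 per known marker hit."""
    printable = sum(
        1 for b in candidate if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)
    )
    markers = sum(10 * candidate.count(m) for m in KNOWN_MARKERS)
    return printable + markers


def recover_xor_key(encoded: bytes) -> tuple[int, bytes]:
    """Try all 256 single-byte keys; return (best_key, decoded_bytes)."""
    best_key, best_score, best_plain = 0, -1, b""
    for key in range(256):
        plain = xor_bytes(encoded, key)
        score = score_plaintext(plain)
        if score > best_score:
            best_key, best_score, best_plain = key, score, plain
    return best_key, best_plain


# Constructed sample: a stager-like string (API names plus a placeholder URL
# on the TEST-NET-3 range) encoded with the post's key, 0x94.
SAMPLE_PLAINTEXT = b"URLDownloadToFile http://203.0.113.10/mii/fird.gif WinExec"
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, 0x94)

if __name__ == "__main__":
    key, plain = recover_xor_key(SAMPLE_ENCODED)
    print(f"recovered key: 0x{key:02x}")
    print(plain.decode("ascii", errors="replace"))
```

Single-byte XOR leaves the plaintext's byte statistics intact, which is why a crude printable-byte count plus a few marker strings is enough to pick the right key out of 256 candidates; for real samples, adding the first bytes of the URL you expect (or the `MZ` header of an appended PE) to the marker list makes the scoring sharper.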
This payload results in the downloading and execution of the following file:
As you may have guessed, this file is not a GIF at all but rather a Windows PE file. Upon execution the malware begins dropping a number of malicious files and drivers on the system.
For the sake of brevity, we have included only a high-level analysis of each file. In short, the payload is quite messy, dropping at least ten drivers, executables and DLLs on the victim machine.
- The main fird.gif file is dropped on the victim machine and attempts to detect a number of anti-virus/security products that are popular in Asia (AhnLab, NaverVaccine, ALYac, etc). It then drops C:\WINDOWS\system32\drivers\thhovsyfw.sys and installs/executes the driver (See #2). It then downloads hxxp://184.108.40.206/mii/firw.gif to C:\DOCUME~1\User\LOCALS~1\Temp\decodervsview.exe (See #3) and spawns this file in a new process. Finally, it executes a batch script that will delete the fird.gif file.
- The thhovsyfw.sys driver ensures a number of security processes are not running on the system. The following is a list of a few of the many processes targeted:
- The decodersview.exe has three PE files appended to the executable. Each is individually dropped to C:\WINDOWS\Temp\temp1.exe, \temp2.exe and \temp3.exe and subsequently executed (See #4, #7, and #9).
- Temp1.exe drops C:\WINDOWS\system32\drivers\xpV3001.sys and installs/executes this driver (See #5). It then drops C:\WINDOWS\system32\drivers\420a0a1f.sys and installs/executes this driver (See #6).
- The xpV3001.sys driver ensures a number of security processes are not running on the system. The following short list demonstrates some of the many processes targeted by this malicious driver:
- 420a0a1f.sys targets a number of online games, stealing passwords in the event they are installed.
  - DIABLO III.EXE
- Temp2.exe removes C:\WINDOWS\Tasks\TespayServer.exe. It then copies itself to C:\WINDOWS\Tasks\TespayServer.exe and adds this path to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit. Finally, it spawns a new instance of C:\WINDOWS\Tasks\TespayServer.exe (See #8).
- TespayServer.exe downloads hxxp://220.127.116.11:8888/5.txt to C:\WINDOWS\system32\drivers\etc\Changer.bat and then runs C:\WINDOWS\system32\drivers\etc\Changer.bat in a new process. See the excerpt below for a sample of this batch script. The script attempts to modify the Windows hosts file (system32\drivers\etc\hosts) so that popular Korean banks resolve to a malicious IP address.
- Temp3.exe creates C:\1041200.dll (randomly named). It proceeds to register C:\1041200.dll as a service and starts it (See #10).
- This service injects itself into a number of processes on the victim machine and attempts to steal credentials for popular on-line games.
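Two of the behaviours listed above leave simple host-based traces: the Winlogon UserInit value gains an extra comma-separated entry (TespayServer.exe), and the hosts file gains entries that point bank hostnames at a non-local address. The following Python is an added example (not SpiderLabs' code) of checking both from captured data. The registry value string and hosts-file text are constructed samples: the TespayServer.exe path is the one named in the post, while the IP address is a TEST-NET documentation address, not the real attacker infrastructure. The expected userinit.exe location assumes a stock install with Windows on C:.

```python
"""Added example (not SpiderLabs' code): triage checks for UserInit
persistence and hosts-file redirection.  All inputs below are constructed."""
from __future__ import annotations

import ipaddress
import ntpath

# Assumption: stock Windows layout; only this launcher belongs in UserInit.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def userinit_extra_entries(value: str) -> list[str]:
    """Return every UserInit entry other than the expected userinit.exe.

    The value is comma-separated and normally ends with a trailing comma,
    which produces an empty last field that is dropped here.
    """
    entries = [e.strip().strip('"') for e in value.split(",")]
    entries = [e for e in entries if e]
    return [
        e for e in entries
        if ntpath.normcase(e) != ntpath.normcase(EXPECTED_USERINIT)
    ]


def suspicious_hosts_entries(hosts_text: str) -> list[tuple[str, str]]:
    """Parse hosts-file text and return (hostname, ip) pairs whose address is
    neither loopback nor unspecified.  Comments and blank lines are skipped;
    lines that do not start with a parseable address are ignored."""
    findings: list[tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not a hosts entry
        if addr.is_loopback or addr.is_unspecified:
            continue                          # 127.x / ::1 / 0.0.0.0 are normal
        for name in parts[1:]:
            findings.append((name, str(addr)))
    return findings


# Constructed sample: legitimate launcher followed by the dropped executable.
SAMPLE_USERINIT = (
    r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Tasks\TespayServer.exe,"
)

# Constructed sample hosts file; 203.0.113.0/24 is TEST-NET-3, and the bank
# hostnames are placeholders.
SAMPLE_HOSTS = """\
# constructed sample hosts file for this example
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bank-example.co.kr
203.0.113.45    banking.example.kr  www.banking.example.kr
"""

if __name__ == "__main__":
    for extra in userinit_extra_entries(SAMPLE_USERINIT):
        print(f"unexpected UserInit entry: {extra}")
    for name, ip in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts redirect: {name} -> {ip}")
```

On a live Windows system the UserInit string comes from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the hosts text from %SystemRoot%\system32\drivers\etc\hosts; the two functions take plain strings so they can also be run over values exported from a disk image or a registry hive.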
In short, this payload is responsible for a number of malicious activities. It attempts to disable any security products that may be running on the victim machine, redirects banking sites to a malicious IP address and tries to steal credentials for popular on-line games.
The various techniques used indicate that this payload is not meant for any targeted scenario but instead will simply try to target any Korean or Japanese users it stumbles upon.
Trustwave’s Secure Web Gateway blocked the known attacks for both of the discussed zero-days out-of-the-box using its generic protection engine and did so without any update. We have, however, released Security Update 155 that includes additional protection for this particular zero-day exploit using the Entrapper engine.
For more information about CVE-2013-3897 and CVE-2013-3893, please see this article on Microsoft's Security Research & Defense blog. Special thanks go to my SpiderLabs colleague Josh Grunzweig for his contribution to this blog post.