Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Another Day, SpiderLabs Discovers Another IE Zero-Day

We at SpiderLabs investigate many suspicious webpages on adaily basis. Occasionally we run intosomething that seems new and unfamiliar to us, which is generally when things becomeinteresting.

A recent discovery of ours began just like that and ended withour identification of an Internet Explorer 8 vulnerability being actively exploitedin the wild. Through collaboration with the Microsoft Security Response Center(MSRC) Team we confirmed that the newzero- day (CVE-2013-3897) has been in the wild for a month (the new CVE-2013-3897 and the previous zero-day CVE-2013-3893). The patch was just released today, and users need time to install it. So we can't reveal the full technical analysis of this vulnerability yet, but we can share some interesting details about the attack.

The attackers distributed the zero-day exploit via thefollowing URL hxxp://1.234.31.152/mii/guy2.html (currently offline). It turnsout that this isn't the first time we have encountered this kind of URL. One monthearlier a similar URL on the same class-C IP address:hxxp://1.234.31.142/mii/guy2.html (currently offline) served an older zero-day(CVE-2012-4792).We continued to track this IP class segment and a few days ago found a new liveinstance of this attack serving the new zero-day on a different IP address withthe same URL path.

The zero-day campaign seems to have launched in the firsthalf of September 2013 targeting Japanese and Korean users:

10809_9a84bd9a-bc6f-40aa-970b-63313f5a511f

The attacker uses navigator.userLanguage to identify theend-user machine's language. If the user machine's language is neither Koreannor Japanese, the JavaScript redirects the page to google.com therebyterminating the attack on that machine.

The attacker also checks the operating system and InternetExplorer versions as can be seen in the image below:

9679_6691564b-316a-4137-a76c-31ef32aa9624

The code validates that the user's machine runs Windows XP withInternet Explorer 8. If it doesn't, the attack will once again terminate. Fromtests conducted in our lab, we determined that the exploit also works on Windows7 with an adjustment to the shellcode: using valid ROP chains (a technique tobypass DEP by taking advantage of existing commands) for each Windows environmentand overcoming ASLR which is part of the operating system.

The last check the attackers perform before invoking theexploit itself is making sure that the exploit will only execute once per machineto avoid detection. It does so by setting a cookie named "Cookie1=KK20130912;".

After performing the checksdiscussed above, the attack also uses ROP chains targeting Korean/Japanesebrowser language packs to further validate the targets of the attack, but thistime implicitly:

8592_30c7066f-2fbf-4581-9b02-ccda40cbfbde

The attack also uses the "DOMElement Property Spray," a technique alsoused in the last Internet Explorer zero-day (CVE-2013-3893) a couple of weeksago. A Metasploitmodule has already been written for this specific vulnerability(CVE-2013-3893).

12804_f9fde501-30dd-48ec-ac50-88a65d89505d
Some code blurred, so as not to reveal sensitive details of the attack

The code above creates a new Array and fills it with newelements (DIV elements in this case) and proceeds to change the titleattribute of each element with many NOPs.

After successfulexploitation the attacker uses an XORed shellcode. After XORing the shellcodewith 0x94 we get the following payload:

9063_48909762-27f2-44dc-858f-88dd5141108c

This payload results in the downloading and execution of thefollowing file:

10709_95bc78cf-868b-417a-8aff-81fe7036012d

As you may have guessed, this file is not a GIF at all but rather a WindowsPE file. Upon execution the malware begins dropping a number of maliciousfiles and drivers on the system.

For the sake of brevity, we have included ahigh level analysis of each file. In short, the payload is quite messy droppingat least ten drivers, executables and DLLs on the victim machine.

    1. The main fird.gif file is dropped on the victim machine andattempts to detect a number of anti-virus/security products that are popular inAsia (AhnLab, NaverVaccine, ALYac, etc). It then dropsC:\WINDOWS\system32\drivers\thhovsyfw.sys and installs/executes the driver (See#2). It then downloads hxxp://1.234.31.153/mii/firw.gif to C:\DOCUME~1\User\LOCALS~1\Temp\decodervsview.exe(See #3) and spawns this file in a new process. Finally, it executes a batchscript that will delete the fird.gif file.
    2. This driver ensures a number of security processes are not running on the system. The following is a list of a few of the many processes targeted:
      • MUpdate2.exe
      • V3LRun.exe
      • V3Medic.exe
      • AvastUI.exe
      • vrmonsvc.exe
    3. The decodersview.exe has three PE files appended to theexecutable. Each is individually dropped to C:\WINDOWS\Temp\temp1.exe, \temp2.exeand \temp3.exe and subsequently executed (See #4, #7, and #9).
    4. Temp1.exe drops C:\WINDOWS\system32\drivers\xpV3001.sys andinstalls/executes this driver (See #5). It then dropsC:\WINDOWS\system32\drivers\420a0a1f.sys and installs/executes this driver (See#6).
    5. The xpV3001.sys driver ensures a number of security processesare not running on the system. The following short list demonstrates some ofthe many processes targeted by this malicious driver:
      • UDATERUI.EXE
      • MSSECES.EXE
      • EGUI.EXE
      • EKRN.EXE
      • CCSVCHST.EXE
      • NAVW32.EXE
      • UPDATESRV.EXE
      • ASDSVC.EXE
    6. 420a0a1f.sys targets a number of online games, stealingpasswords in the event they are installed.
      • WOW.EXE
      • DKONLINE.EXE
      • DIABLO III.EXE
      • HEROES.EXE
    7. Temp2.exe removes C:\WINDOWS\Tasks\TespayServer.exe. It then copiesitself to C:\WINDOWS\Tasks\TespayServer.exe and adds this path toHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit. Finally,it spawns a new instance of C:\WINDOWS\Tasks\TespayServer.exe (See #8).
    8. TespayServer.exe downloads http://174.139.126.66:8888/5.txt toC:\WINDOWS\system32\drivers\etc\Changer.bat. It then createsC:\WINDOWS\system32\drivers\etc\Changer.bat in a new process. See the excerpt belowfor a sample of this batch script. The script attempts to modify the /etc/hostsfile and redirects popular Korean banks to a malicious IP address.

10216_7e14825f-fefc-483b-b751-1e80a429c06a

  1. Temp3.exe creates C:\1041200.dll (randomly named). It proceedsto register C:\1041200.dll as a service and starts it (See #10).
  2. This service injects itself into a number of processes on thevictim machine and attempts to steal credentials for popular on-line games.

11745_c7e07eb9-8262-4de8-8ace-d7a4ff8b97cc

In short, this payload is responsible for a number ofmalicious activities. It attempts to disable any security products that may berunning on the victim machine, redirects banking sites to a malicious IPaddress and tries to steal credentials for popular on-line games.

The various techniques used indicate that thispayload is not meant for any targeted scenario but instead will simply try to target any Korean or Japanese users it stumbles upon.

Special thanks go to mySpiderLabs colleague Josh Grunzweig for his contribution for this blog post.

Latest SpiderLabs Blogs

Hunting For Integer Overflows In Web Servers

Allow me to set the scene and start proceedings off with a definition of an integer overflow, according to Wikipedia:

Read More

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More