This post is a small part of an in-depth analysis of the watering hole campaign of December involving an Internet Explorer 0day.  Jindrich Kubec and my self are working hard in order to synthesize all these information’s in order to provide you a high level overview.

As I mentioned to threatpost.com, the 14th January, additional web sites were discovered hosting Internet Explorer CVE-2012-4792 exploit. One of the additional web site was “All Jap auto parts” (www.alljap.net), an importer of second-hand japanese engines and car parts located in Brisbane, Queensland, Australia.

StopMalvertising published an analysis I recommend to you for additional information’s.

When I discovered this infected web, I noticed initially that the files were time stamped (HTTP Last-Modified entity-header) at the following dates:

  • deployJava.js : Fri, 14 Dec 2012 15:47:42 GMT
  • index.html : Fri, 14 Dec 2012 15:49:58 GMT
  • news.html : Fri, 14 Dec 2012 15:50:42 GMT
  • robots.txt : Fri, 14 Dec 2012 15:50:57 GMT
  • today.swf : Fri, 14 Dec 2012 15:51:08 GMT
  • xsainfo.jpg : Fri, 14 Dec 2012 15:56:44 GMT

index.html” file was supporting chinese simplified (zh-cn), taiwanese mandarin (zh-tw), japanese (ja), american english (en-us) and russian (ru). “girl” and “boy” patterns were present. And “hello” text was hidden.

CFR.org version of “index.html”, I discovered in Google cache and dating from the 7 December, was only supporting chinese simplified (zh-cn), taiwanese mandarin (zh-tw) and american english (en-us). “girl” and “boy” patterns were also present and “hello” text was not hidden.

CFR.org version, reported by FireEye, of around the 20 December, was supporting chinese simplified (zh-cn), taiwanese mandarin (zh-tw), japanese (ja), american english (en-us), russian (ru) and korean (ko). “girl” and “boy” patterns were no more present and replace by “ms-help:” technique to bypass ASLR on Windows 7. Also “hello” text was hidden.

By only analyzing these samples, from CFR.org and All jap auto part, we can observe that the attackers have changed tactics multiple times during this campaign.

By analyzing all the samples of other infected web sites (around 40 infected web sites samples), I observed that the All jap auto part was not used in the watering hole campaign. No high value legit websites where including, by iframe or by JavaScript inclusion, this website.

By doing some further analysis, regarding All jap auto part, I observed initially that hosted phpmyfaq and wwwboard tools were not updated since a long time. And after some Google dorks, I found two PHP backdoors and the Apache logs (from 13 November to beginning February) who were freely accessible from Internet. We will name the first backdoor BK1 and the second BK2 for further references in this blog post.

Having free access to the logs, was an unique opportunity to find additional evidences, regarding the attackers and the differences in the samples and patterns.

I first researched, in the logs, accesses to the backdoors. BK1 was not present in the logs, but BK2 was accessed the 7 December by IP 112.175.234.199. The IP is located in South Korea and is associated to FlyVPN.com VPN mirror. User agent associated to this IP is Internet Explorer 8 under Windows XP.

112.175.234.199 – – [07/Dec/2012 00:31:22 +0000] “GET /BK2.php HTTP/1.1” 200 371 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)”

By searching additional references to this IP, we can observe a first access to CVE-2012-4792 exploit the 7 December with a different user agent, Firefox 12 under Windows XP.

112.175.234.199 – – [07/Dec/2012 01:18:59 +0000] “GET /wwwboard/news/index.html HTTP/1.1” 200 5776 “http://www.gbn.com/” “Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0”

We can directly observe that the HTTP referer was Global Business Network (www.gbn.com) and that All jap auto part was also involved in a watering hole campaign. Description of GBN:

GBN helps organizations adapt and grow in an increasingly uncertain and volatile world. Using our leading-edge tools and expertise—scenario planning, experiential learning, networks of experts and visionaries—we enable our clients to address their most critical challenges and gain the insight, confidence, and capabilities they need to shape the future.

We can also confirm, like CFR.org, that the exploit was present on All jap auto part since minimum the 7 December.

By doing a complete log analysis we can observe the following time line and information’s.

Alljap - 112.175.234.199 - South Korea IP Activities

DatesUser AgentsActions
07/Dec/2012 00:31:22Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Access to BK2
07/Dec/2012 00:31:25 to 00:32:47Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Operations through BK2
07/Dec/2012 00:32:58Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Modify mail.php through BK2
07/Dec/2012 00:33:10Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Modify tw.htm through BK2
07/Dec/2012 00:33:24 to 00:40:05Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Operations through BK2
07/Dec/2012 01:18:59Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0Test 0day through GBN.com
07/Dec/2012 17:55:15Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0Test 0day through GBN.com

This IP has directly access to BK2, no other web pages visits. You can observe that some PHP mail code (mail.php) was put in place in order to send spear phishing email targeted to Taiwanese people’s (tw.htm). Bunch of operations have been done through BK2. Also you can observe that they test the exploit with Firefox 12.

Alljap - 113.30.106.94 - South Korea IP Activities

DatesUser AgentsActions
10/Dec/2012 08:15:34Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Check presence of 0day
10/Dec/2012 08:15:56 to 08:19:00Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Operations through BK2
10/Dec/2012 08:19:25Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Access to demo.txt (demo~) file
10/Dec/2012 08:19:34Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Test 0day
10/Dec/2012 08:20:13 to 08:22:11Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Operations through BK2
10/Dec/2012 08:27:30 to 08:29:54Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Test 0day through GBN.com

This IP has directly access to BK2, no other web pages visits, and manipulate the content of CVE-2012-4792 0day. The IP is located in South Korea with only a pptp VPN open port. You can also observe usage of a file named “demo.txt”.

Alljap - 59.124.14.102 - Taiwan IP Activities

DatesUser AgentsActions
10/Dec/2012 08:42:34Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Access to BK2
10/Dec/2012 08:42:38 to 08:44:00Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Operations through BK2
10/Dec/2012 08:54:36 to 08:54:49Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Test 0day through GBN.com
10/Dec/2012 09:09:52 to 09:09:57Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Operations through BK2
10/Dec/2012 09:11:08 to 09:11:55Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Access 0day files
10/Dec/2012 09:12:14 to 09:13:18Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0Test presence of deployJava.js
10/Dec/2012 09:13:41 to 09:15:36Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Operations through BK2
10/Dec/2012 09:23:10 to 09:28:11Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0Operations through BK2

This IP has directly access to the BK2, no other web pages visits, manipulate the content of CVE-2012-4792 0day and do some test from GBN.com. The IP is located in Taiwan with only a pptp VPN open port.

Alljap - 112.213.97.39 - Hong-Kong IP Activities

DatesUser AgentsActions
14/Dec/2012 15:44:40Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Access to BK2
14/Dec/2012 15:44:47 to 15:49:58Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Operations through BK2

This IP has directly access to the BK2, no other web pages visits, manipulate the content of CVE-2012-4792 0day. The IP is located in Hong-Kong with only a pptp VPN open port.

Alljap - 113.30.106.92 - South Korea IP Activities

DatesUser AgentsActions
14/Dec/2012 15:50:42Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Access to BK2
14/Dec/2012 15:50:57 to 15:52:57Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Operations through BK2

This IP has directly access to the BK2, no other web pages visits, manipulate the content of CVE-2012-4792 0day. The IP is located in South Korea with only a pptp VPN open port.

Alljap - 110.4.82.38 - South Korea IP Activities

DatesUser AgentsActions
14/Dec/2012 15:54:14Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0Check presence of demo.txt file
14/Dec/2012 15:55:04Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Access to BK2
14/Dec/2012 15:56:44Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)Operation through BK2
14/Dec/2012 16:02:19 to 16:03:56 Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0Test 0day through GBN.com
16/Dec/2012 12:08:45 Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0Test 0day through GBN.com

This IP has directly access to the BK2, no other web pages visits, manipulate the content of CVE-2012-4792 0day and do some test from GBN.com. The IP is located in South Korea.

As you can see the attackers have use massively VPN connexions in order to connect themselves to BK2. If you compare the “Last-Modified” HTTP headers of the samples, you can see that they are corresponding to the last three different IPs manipulations.

As we have the complete Apache logs, I was also able to analyze the attack surface of the watering hole campaign through GBN.

My first analysis was to see all successful hits to “index.html” file from 7 December to 17 December, without any segregation. By clicking on the following link you will access to a Google Fusion Table providing all associated information’s.

alljap-all-hits

You can find also the TOP 10 of countries how have hit the exploit.

Alljap - All Hits TOP 10 Countries

CountryUnique IP count
US311
BR77
CN64
TR44
GB30
DE25
CA23
IN19
FR19
MX18

My second analysis was to see all potential successful exploitation targeting “MSIE 8.0“, from 7 December to 17 December. By clicking on the following link you will access to a Google Fusion Table providing all associated information’s.

alljap-msie8-hits

You can find also the TOP 10 of countries how have hit the exploit.

Alljap - All MSIE 8.0 Hits TOP 10 Countries

CountryUnique IP count
US35
CN13
TR5
BR3
GB3
RO3
MA3
AU3
HK2
TH2

You can see that the potential success rate, compared to the visitors of GBN is very low. The fact to use a 0day only capable to target MSIE 8.0 was clearly a limiting point.

As explained at the beginning of the blog post, the post is only a small part of that has been analyzed. Jindrich Kubec and me will provide you additional information’s soon.