Attack and IE 0day Informations Used Against Council on Foreign Relations

Council on Foreign Relations (CFR.org), a foreign policy web group, has been victim of a targeted attack who seem to be linked to computer hackers traced to China.

Regarding information’s posted on the Washington Free Beacon, infected CFR.org website was used to attack visitors in order to extract valuable information’s. The “drive-by” attack was detected around 2:00 pm on Wednesday 26 December and CFR members who visited the website between Wednesday and Thursday could have been infected and their data compromised, the specialists said.

Through Washington Free Beacon news we know that only Internet Explorer 8 and higher versions have been targeted. A possible Internet Explorer 0day was used to infect visitors computers. We also know that the attack was limited to CFR members and website visitors who used browsers configured for Chinese language characters.

As always, I was curious and tried to have more information’s regarding this attack and potential 0day.

urlQuery.net investigations

On urlQuery.net, we can see that the first submission was done, the 20 December. More interesting is the submission of 21 December on URL “/js/js/news_123432476.html“. “/js/js/” directory seem to be a strange behavior. We can see that a “deployJava.js” was involved by loading this page.

Other URLs are interesting like “/js/js/robots.txt“, “/js/js/today.swf“, “/js/js/news_435435s.html” but all these URLs have been submitted the 27 December and after, and the file are no more available.

jsunpack investigations

On jsunpack we can observe that the “deployJava.js” was submitted the 26 December. All other files have been submitted the 27 December and after, and the file are no more available.

CLEAN MX realtime database investigations

On CLEAN MX we can observe an analysis the 20 December.

Why so many parallel submission ? Ok guys, the infection has started since minimum the 20 December, so not since Wednesday 26 December. Now, if you have some skill in researching information’s and if you are still curious, you will find part of the “drive-by” attack source code. By doing some additional researches I found the source code of the “drive-by” attack, and I can confirm you that this attack has started since minimum the 7 December !

Capture d’écran 2012-12-28 à 22.25.31

Let analyze this source code.

I can confirm that only visitors with Internet Explorer 8 and higher versions have been targeted.

cfr-ie8

But, a fact who was not pointed is if the visitor don’t has Adobe Flash, he will not be part of the party, Flash free Internet Explorer are not targeted.

cfr-flash

I can also confirm that visitors who used browsers configured for Chinese language characters were targeted, but also Taiwanese and American visitors…

cfr-language

If you load the malicious page for the first time, a “visit” named cookie is create with a lifetime of 7 days through the “DisplayInfo()” function. If you have already a cookie, you will no more be exploited until the expiration of the cookie.

cfr-cookie

Then the page is loading the “download” Javascript function. This function is trying a XML HTTP request to a “xsainfo.jpg” file. After some discussion with @binjo, it could be that “xsainfo.jpg” maybe just a clean file, ajax trick to call the “callback” function.

cfr-download

cfr-xmlhttp-xsainfo

xsainfo.jpg” file is maybe “320e0729e1a50fd6a2aebf277cfcad66” found on VirScan and VirusTotal. This file was submitted the 13 December.

The “callback” function verifies if the “xsainfo.jpg” has been loaded and that a “200” HTTP status code has been returned.

cfr-callback-xmlhttp

If the visitor operating system is Windows 7 or Windows 2008 R2, an Office document is opened through the “SharePoint.OpenDocuments” ActiveX control. Depending the way the document is opened the “key” variable is initiated with funny values “boy” or “girl“. I’m not specialist in this domain, maybe one of the blog post reader could provide some more information’s.

cfr-callback-opendocuments

Depending if you are “girl” or a “boy“, the “test” division of the HTML document will be manipulated, a “today.swf” flash object will be loaded plus a “news.html” iframe.

cfr-callback-boy-girl

If you are not a “girl” or a “boy“, you will need to have Java SE 6, but not JSE 7, in order to load the two same files as previously mentioned. If the visitor operating system is Windows XP, the “test” division of the HTML document will be also manipulated, and the two same files are loaded.

cfr-callback-java-xp-2

Unfortunately, actually I didn’t find these two files, but after more discussions with @binjo it could be that the swf is used to setup payload, “news.html” used to trigger the vulnerability.

So if 0day exist, this 0day is surely in “news.html” file, and it is also sure that this targeted attack has not begin on Wednesday, not only targeted visitors who used browsers configured for Chinese language characters.

I keep you in touch if I have additional information’s regarding this potential new Internet Explorer 0day.

Update 1 – 12/29 2am:

FireEye has post some additional information’s regarding the attack. It seem that “today.swf” trigger a heap spray in Internet Explorer in order to complete the compromise. Once the browser is exploited, it appears to download “xsainfo.jpg,” which is the dropper encoded using single-byte XOR (key: 0x83, ignoring null bytes).

What is also new regarding FireEye blog post is that their version is targeting English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian. My version of 7 December was only targeting English (U.S.), Chinese (China), Chinese (Taiwan), so the guys had time to release new version of they’re code during this elapse of time. Also they didn’t mention the news.html file.

Update 2 – 12/29 11am:

@binjo has release further information’s regarding “new IE 0day coming-mshtml!CDwnBindInfo object use after free vulnerability”.

Also, I can observe that a certain number of people have samples of the 0day, I could not imagine that an active exploit will not be out before the end of the year.

Update 3 – 12/29 6pm:

AlienVault has publish more detailed information’s regarding the attack and the 0day.

Update 4 – 12/29 10pm:

@_sinn3r is on the way to deliver a Metasploit module for the CFR.org 0day exploit.

Update 5 – 12/30 00am:

Microsoft has release MSA-2794220 and confirm the vulnerability targeting Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. Internet Explorer 9 and Internet Explorer 10 are not affected by the vulnerability. CVE-2012-4792 has been assigned to this vulnerability.

Update 6 – 12/30 2am:

Metasploit team has release the Microsoft Internet Explorer 0day.

https://twitter.com/_juan_vazquez_/status/285186813637849088

Update 7 – 12/30 11am:

Here under is the code version I found in Google cache as it appeared on 7 Dec 2012 14:12:28 GMT

Got some more samples:

  • Helps.html (a25c13d4edb207e6ce153469c1104223)
  • news.html (76d14311bae24a40816e3832b1421dee)
  • robots.txt (96b01d14892435ae031290cd58d85c2e)
  • xsainfo.jpg (7c713c44e34fa8e63745744e3b7221db)

Java 0Day and the Targeted Nitro Attacks Campaign Analysis

Symantec, Kaspersky Labs, Trend Micro, Sophos and other security vendors continue to surf on the Java 0day targeted attack stuff.

The vendors have agreed, in communion, that Java 0day was potentially used by the Chinese Nitro gang, through spear-phishing campaign. Nitro gang is well-known since another targeted campaign in 2011, reported by Symantec, focusing on organizations in the United States, Bangladesh and U.K.

Nitro gang, potentially the source of the newly discovered Java 0day, is using IP addresses and other characteristics that were common from the 2011 targeted attack, like the same C&C (223.25.233.244 for example) and the same files (“Flash_update.exe” for example).

For Kaspersky Labs, “the attacks have been going on for more than a week“. For Symantec, “the attackers have been using this zero-day for several days since August 22“. For Trend Micro, “Nitro attackers were continuing to send out emails to their targets with direct links to Poison Ivy executables in early August 2012“.

As all the vendors agree on the time frame and the source of the attack, we will take a  look on all information’s we can gather around this story.

First C&C server

The first known C&C was “223.25.233.244“, also used in the 2011 campaign. I reported in my previous blog post, that the IP address was well-known since many months. As you will see here under the C&c server is well-known, dropping lot of malwares, with various domain names.

All information’s gathered on this C&C server:

2012-04-18 – Malwr.com Analysis (2819365de89a5e07c2c20b2b462a3487): Analyzed file was “upgrade.exe“, with DNS request to “who.hzlo.net” aka “223.25.233.244“.

2012-04-20 – Malwr.com Analysis (156d00c795d6d2857fd49f570e894803): Analyzed file was “upgrade.exe“, with DNS request to “who.hzlo.net” aka “223.25.233.244“.

2012-04-24 – Malwr.com Analysis (af6d20abc953e18a84beac84ea87fce3): Analyzed file was “Flash_updata.exe” with DNS request to “who.hzlo.net” aka “223.25.233.244“.

2012-04-25 – Malwr.com Analysis (ac1066eeab14150e2ed20e88d8ca1acb): Analyzed file was “flash_updata.exe” with DNS request to “who.hzlo.net” aka “223.25.233.244“.

2012-06-21 – Malwr.com Analysis (d0d335fbc6d9fdbaf8a0af44ae2944c7): Analyzed file was “update.exe” with DNS request to “goodluck.betr.co” aka “223.25.233.244“.

2012-06-25 – URL Query Analysis (75475): Analyzed URL was “http://admin.fcph.org” aka “223.25.233.244“.

2012-06-26 – URL Query Analysis (75932): Analyzed URL was “http://admin.fcph.org” aka “223.25.233.244“.

2012-07-10 – URL Query Analysis (86487): Analyzed URL was “http://ok.icon.pk” aka “223.25.233.244“. Domain name used during the Java 0day discovery, coincidence ?

2012-07-11 – URL Query Analysis (87414): Analyzed URL was “http://domain.rm6.org” aka “223.25.233.244“.

2012-08-17 – Sophos Analysis (Troj/Agent-XNE): DNS request to “hello.icon.pk” and “admin.fcph.org” aka “223.25.233.244“.

2012-08-20 – Malwr.com Analysis (e2fc730981c1c9c55b961bbbd609c6d3): Analyzed file was “KB2690533.exe” with DNS request to “ok.icon.pk” aka “223.25.233.244“. Interesting “KB2690533.exe” binary name we will search later same occurrences.

2012-08-27 – Malwr.com Analysis (1360ac6d139f19d590bd3b05fa12c8c0): Analyzed file was “upgrade.exe” with DNS request to “admin.fcph.org” aka “223.25.233.244“.

2012-08-27 – URL Query Analysis (147268): Analyzed URL was “http://223.25.233.244“.

2012-08-27 – URL Query Analysis (147552): Analyzed URL was “http://wagoo.fcph.org” aka “223.25.233.244“.

2012-08-27 – Malwr.com Analysis (4a55bf1448262bf71707eef7fc168f7d): Analyzed file was “hi.exe“, the famous one, with DNS request to “ok.icon.pk” aka “223.25.233.244“.

2012-08-27 – Malwr.com Analysis (c0c81cf499136515e22f39e70ef78eec): Analyzed file was “antivirus.exe” with DNS request to “ok.icon.pk” aka “223.25.233.244“, and two HTTP requests to “http://ok.icon.pk/4213538n.txt” and “http://ok.icon.pk/4214189n.txt“.

First reported infected server

The first reported infected server was “ok.aa24.net” with “59.120.154.62” IP address. The related infection URL was “ok.XXXX.net/meeting/index.html” with malicious loaded “applet.jar“. The IP address is located in Singapore. I also reported, in my previous blog post, that the IP address was well known since many months.

Second reported infected server

The second reported, by Symantec the 30 August, infected server was “62.152.104.149“. The related infection URL was “62.152.104.XXX/public/meeting/index.html” with malicious loaded “applet.jar“. The IP address is located in Italia.

Until the 30 August, “index.html” file, present on the second infected server, was an obfuscated JavaScript charging the malicious Java 0day “applet.jar” aka “cve2012xxxx.Gondvv.class” and the Poison Ivy backdoor “Flash_update.exe“. The “index.html” file was part of Gondad exploit kit, like as for the first infected server.

URL Query report that “62.152.104.149” is known since the 2012-08-24 with the same malicious URL. The date is corresponding on the “Last modified” date reported by the infected server. All the files have the 2012-08-24 date, except “1.php“.

Screenshot taken the 29 August
Screenshot taken the 29 August

If you browse the server indexed directories, you can find a Rhino exploit “index.jar“, how is available since 2012-03-16.

Screenshot taken the 29 August
Screenshot taken the 29 August

I you continue to browse the directories, you can also find CVE-2010-3856 Linux exploit “glibc.sh“, used to backdoor the server. These files date are 2011-11-29.

Screenshot taken the 29 August
Screenshot taken the 29 August

As you have seen, all the screenshots were taken the 29 August. I have monitor the server and the files present in the “/public/meeting” directory have change the 30 August, with a new variant of “applet.jar” and some new files like “feq.html” (VirusTotal analysis / Malwr.com analysis). Malwr.com analysis reported a new C&C server aka “12.163.32.15“, how is actually down.

KB2690533.exe C&C dropped binary

The 20 August “KB2690533.exe” file was dropped, from the C&C server, and we can find some additional information’s regarding the file name.

2012-08-16 – URL Query Analysis (133150): Analyzed URL was “http://erp.claridy.com.tw/rndy/download.war/KB2690533.exe” aka “211.72.230.236“.

2012-08-17 Cisco Threat Outbreak Alert: “significant activity related to spam e-mail messages that claim to contain a Security Update for the recipient”. What mean significant ? The spam e-mail message text is looking similar to the spam e-mail message reported by Trend Micro the 30 August. Coincidence, we will see that it is not a coincidence.

Subject: Security Update

 

Message Body:
Dear,
Because of the office network interfaces changed.Please download the Security Update fot windows XP (KB2690533),and install it. Download address: hxxp://www.microsoft.com/en-us/download/KB2690533.exe

Also the following Chinese web site is reporting some URLs the 2012-08-21 and we can find “http://erp.claridy.com.tw/rndy/download.war/KB2690533.exe“, “http://erp.claridy.com.tw/rndy/download.war/Flash_update.exe” and “http://haitimissionschool.org/updateflashplayer.exe“.

Spam e-email message reported by Trend Micro

In his blog post Trend Micro is reporting some typical spam e-mail message with direct links to Poison Ivy executable in early August 2012.

As you can see this email message is in the same style as the message detected by Cisco the 17 August.

If we search on the username string “alcoauser“, we can find some additional information’s:

2012-08-02 – Another Cisco Threat Outbreak Alert: “significant activity related to spam e-mail messages” with exactly the same content as the content provided by Trend Micro and we can find the “59.120.154.62” server where the 0day was discovered.

Other e-mail message spotted by a Chinese website

In his blog post Trend Micro is reporting another e-email how was spotted in April 2012.

Dear,
If you already have VPN installed on your computer, you’ll be asked to download and install update the next time you start VPN. Once the new update is installed, VPN should function normally.
Download and install the updated:http://www.cisco.com/vpn/upgrade.exe
You must have administrative privileges on your computer to install any VPN client. Please contact your desktop support staff if you need assistance.
Morris Kristi
[email protected]

This e-mail message is in the same style as the previous e-mail messages. The malicious URL was “http://out.hzlo.net/update/upgrade.exe” with IP address “71.216.92.29“. This domain name and IP address were first spotted by ScumWare.orgthe 30 March. Another additional domain name was reported “http://adobe.flash-mail.tk/update/Flash_updata.exe” on the same server the 24 April.

out.hzlo.net” domain name was spotted by 04 April by Clean MX realtime database, but if you take a look on the complete “*.hzlo.net” domain names, you can see that “http://jack.hzlo.net/download/antivirus.exe” was catched the 23 February !

More interesting, the characteristic of the Java 0day spreading was URL like “/public/meeting/index.html” or “/meeting/index.html“. Clean MX realtime database report this URL for the first time for “http://jack.hzlo.net/meeting/index.html” the 02 July.

Conclusion

If they’re was an active targeted Nitro campaign, this campaign has start during February 2012 with different infection vectors. The campaign has been catched many times by different security researchers and vendors, but nobody has raise the alert flag until end of August. I think that nobody has care on the pseudo earlier catched “targeted” campaign, and that the Java 0day was the alert flag.

Second opinion, I really think that the Java 0day was out for a minimum of 2 or 3 months before his public discovery.

And last but not least opinion, I still continue to believe that it was not so targeted as the vendors try to make us believe.

CVE-2010-3962 : Nouveau 0day ciblant Internet Explorer et nouveau APT ?

Une nouveau “0day”, utilisé dans des attaques ciblant Internet Explorer, a été détecté par Symantec et remonté à Microsoft.

Suivant Symantec, ce “0day” a été découvert par le biais d’email envoyés à certains organisations ciblées. Ces emails contenaient un lien vers un site web légitime. Ce site web avait été piraté au préalable et diffusait des pages web qui ciblaient les versions 6 et 7 d’Internet Explorer. Une fois la version de navigateur et de l’OS du visiteur détectées, l’exploitation de la nouvelle vulnérabilité d’Internet Explorer entrait en jeux et un téléchargement invisible était lancé et tentait d’installer un cheval de Troie sans que l’utilisateur final ne puisse détecter quoi que ce soit. Ce cheval de Troie se connectait ensuite sur un serveur en Pologne, lui aussi piraté au préalable, pour récupérer les commandes à exécuter sur l’ordinateur infecté.

Microsoft a été prévenu de la nouvelle vulnérabilité par Symantec, qui a confirmé l’exploitation possible sous Internet Explorer 6, 7 et 8 par le biais d’un bulletin de sécurité MSA-2458511. Dans ce bulletin de sécurité, et sur le blog de “Microsoft Security Response Center” (MSRC), l’on peut y apprendre qu’effectivement les versions vulnérables sont Internet Explorer 6, 7 et 8 sur la majorité des plates-formes Microsoft supportées.

Par contre, la version d’Internet Explorer 8 semble la moins exposée à l’exploitation de cette vulnérabilité, du fait que le support de DEP (Data Execution Prevention) est activé par défaut dans cette version du navigateur phare de Microsoft. DEP permet de réduire l’impact des attaques en prévenant l’exécution de code dans des segments de mémoire déclarés comme non exécutables. Il est possible d’activé DEP aussi sur Internet Explorer 7 en utilisant “Enhanced Mitigation Experience Toolkit v2.0” (EMET).

Cette nouvelle vulnérabilité affecte effectivement toutes les plate-formes, ainsi que tous les navigateurs supportés par Microsoft, par contre l’exploitation de celle-ci n’a l’air d’être utilisée actuellement que contre des cibles bien précises, une nouvelle attaque ciblée du type Stuxnet (APT). Ce type d’attaque ciblée contre des organisations devient de plus en plus courantes, et la plupart du temps les “0day” découverts reviennent assez rapidement dans le domaine publique pour être exploités en masse sur tous types d’internautes.

Microsoft devrait, normalement, fournir une mise à jour comme chaque deuxième mardi du mois. N’hésitez pas à effectuer celle-ci, même si pour l’instant vous n’êtes pas une cible intéressante, demain vous pourriez l’être.

Ci-dessous des statistiques décrivant la répartition des versions d’Internet Explorer utilisées par les lecteurs ZATAZ :

  • 71.77% des lecteurs ZATAZ sous IE ont la version 8
  • 16.04% des lecteurs ZATAZ sous IE ont la version 7
  • 9.85% des lecteurs ZATAZ sous IE ont la version 6
  • 2.31% des lecteurs ZATAZ sous IE ont la version 9

0Day Windows Shell LNK dans la nature

Nous vous avions fait part ce week-end de la découverte d’une bien étrange affaire d’espionnage numérique ciblant les grandes industries nationales, principalement nucléaire. Cet espionnage numérique utilise une vulnérabilité non connue (0Day) de Windows qui s’avère toujours aujourd’hui être très dangereuse, nommée “Windows Shell LNK”. L’exploitation de cette vulnérabilité est très simple, car il suffit de naviguer sur un site Internet, ou que vous ouvriez un document (Word, par exemple) contenant des raccourcis, pour qu’un internaute malveillant prenne la main sur votre ordinateur, et cela en toute transparence sans que vous ne remarquiez quelque chose.

D’ailleurs, la vulnérabilité est considérée comme tellement dangereuse que l’institut SANS ISC a monté, Lundi, son niveau d’alerte (fait rarissime), pour finalement le redescendre à un niveau vert ce Mercredi.

Plusieurs PoC (Proof of Concept) sont actuellement disponibles sur Internet, mais aussi intégrés dans des outils d’audits de sécurité informatique, tel que Metasploit de Rapid 7. Voir la petite vidéo vous faisant une démonstration de la simplicité d’exploitation de cette vulnérabilité par le biais de Metasploit.

Microsoft a bien sûr fourni plusieurs solutions de contournements de cette vulnérabilité, mais celle-ci demeurait trop complexe à mettre en oeuvre pour de simples utilisateurs. C’est pour cela, que poussé par la pression des professionnels de la sécurité informatique, Microsoft a mis à disposition une solution “Fix it 50486” qui permet en un seul clic de ne plus se rendre vulnérable à celle-ci. Par contre, attendez-vous à avoir des surprises lors de l’application de ce “Fix it” car vous allez vous retrouver avec des raccourcis sans icônes… Bien sûr, vous pouvez faire marche arrière par le biais d’un autre “Fix it” cette fois-ci le “50486”.

Toujours suite à cette affaire d’espionnage numérique, nous vous remontions, aussi dimanche, que le malware distribué par le biais de l’exploit “Windows Shell LNK” tentait d’installer deux drivers signés numériquement par “Realtek Semiconductor Corp.“, une société connus dans le monde de l’informatique. Le fait que deux drivers contenu dans un malware, participant à une infection, soient signés par Realtek signifiait éventuellement que la clé privée de RealTek aurait été compromise, et que celle-ci aurait éventuellement servie pour signer d’autres logiciels malveillants. Par mesure de précaution, Microsoft et Verisign, en collaboration avec Realtek ont décidé de révoquer le certificat mis en cause. Sage décision…

Sage décision, quand on apprend un jour après qu’une autre société “JMicron Technology Corp”, un constructeur de matériel informatique, aurait lui aussi été la victime d’un vol de clé privé permettant aussi de signer les drivers d’installation Windows ! Comme par hasard ces deux sociétés se retrouvent toutes les deux à Taïwan et dans le même quartier (Hsinchu Science-based Industrial Park), la Silicon Valley de Taïwan. Bien sûr, le certificat de la société JMicron à lui aussi été révoqué en collaboration avec Microsoft et Verisign.

Pour l’instant les informations récupérées par le malware ne sont pas encore connus, ni même les auteurs de celui-ci. Dès que nous aurons plus d’informations nous vous tiendrons au courant.