
September Was a Rough Month for 0days

2012-10-03


Taking stock of the security incidents that seemed to pile up this past month, I’m reminded of the sage words of Billie Joe Armstrong: Wake me up when September ends.

The month got started on the heels of Oracle’s incident response to the CVE-2012-4681 Java vulnerability; and it closed on an unpleasant note for Java, with the public announcement on September 25th of the existence of an allegedly severe vulnerability that the discoverer, Adam Gowdiak, claims he responsibly reported to Oracle.

On September 17th, Microsoft issued the first of its staged responses to the discovery of a previously unknown vulnerability affecting Internet Explorer. MS12-063 was a worst-case scenario for Microsoft: not only did it involve a new vulnerability (CVE-2012-4969), but one which had already been weaponized and prototyped as a malware delivery mechanism, and then left carelessly stored in a browsable open directory on a Web server hosting other malicious content, where a malware analyst stumbled upon it purely by chance.

Adobe didn’t escape punishment, either: on September 27th the company announced that its code-signing process had been breached. Malware had been discovered in the wild franked with an entirely valid Adobe Software digital signature, making it appear as legitimate as any other software published by Adobe. The company had also released two security updates to Flash, a week apart, the previous month.

Throughout the month, the Solera Networks labs ran malware samples obtained from servers hosting the vulnerabilities, or from other researchers who shared them. Here’s a little slice of what we saw.

On August 30th, Oracle published an update to Java designed to address a fairly serious bug. If someone crafted a special JAR file, and ran it on a computer with a vulnerable version of Java installed, the JAR file could trigger the download and execution of a payload on any computer running the vulnerable versions of Java. On August 31st, I ran into my first public exploit of the so-called sun.awt.SunToolkit vulnerability. A few AV vendors detected the malicious JAR.

The page hosting the exploit pwned the testbed within two seconds. It was the only exploit being hosted on the page, and it was the only one the malware distributor needed.

The payload was Andromeda RAT, a backdoor. The operator of that particular RAT, whose IP address geolocates to Tunisia, later came back to visit the infected testbed host, spending nearly 30 minutes poking around the file system, looking for saved passwords in the browser, and eventually downloading and installing software called Teamviewer on the machine — all while receiving screenshots sent by the RAT to its command-and-control server at a rate of one frame every five seconds. All 231 of which, of course, the Solera appliance watching the lab network captured (as well as everything else that came down the wire).

The Internet Explorer MS12-063 attack came in the form of a small proof-of-concept in three separate files. The malicious script in exploit.htm downloaded a Flash file, Moh2010.swf, which, in turn, retrieved the executable payload. A second script, enclosed in the Eternalian.html file, was used to ensure that the victim computer could only be infected one time.

The majority of the malicious content of the exploit SWF files had been encrypted using commercial software called DoSWF, but function calls to the DoSWF commands were clearly visible.

In the first version of the exploit file, the DoSWF licensed user’s email address was clearly visible in the source code, making it more of a d’oh! SWF.

The payload, in this case, came from a mature family of RATs called Poison Ivy, and this was where the story got weird and the testbeds got all self-destruct-y.

On the morning of September 20th, I started the day by running a sample of the IE 0day Poison Ivy payload on a virtual machine. Within about 30 minutes the VM shut itself down. VM-aware malware isn’t unusual, but normally, if a malware sample detects that it’s running in a virtual environment, it self-terminates right away. It doesn’t hang around pinging its CnC — which in this case happened to be located in Seoul, South Korea — for half an hour first. Weird, right? So I emailed Jaime Blasco, my counterpart at AlienVault, who had sent me the sample, and he replied that “yes, they [the RAT operators] are actually shutting down every VM that they found.”

OK, I can handle that. In fact, I had just finished prepping a new laptop to be used as a malware detonation platform, so I fired up the same copy of Poison Ivy over there. The Trojan immediately began communicating over SSL with its CnC server. With the command traffic encrypted, I had no idea what the RAT had been doing until, just before 11am, the laptop rebooted suddenly, ran a small program after POST, rebooted again, and then just displayed this on the screen.

Sorry about the quality of the photograph, but I couldn’t take a screenshot of it. The Tarzan-grade sentence structure had me laughing for a while, unsuccessfully trying to come up with a way to use the word Fééééééé as a fierce and intimidating warcry without cracking myself up. (It can’t be done.) In the end, I decided the text was best imagined read aloud in the voice of George of the Jungle. I took a look at the Solera appliance to find out what the heck was going on and found more success there.

There it was, a 1.78KB DOS executable with a stellar reputation. Actually, it was more like a black hole. I extracted the artifact and took a closer look.

Excellent. The genius RAT operator pushed a file down to my testbed that antivirus companies are naming things like HDDKill and KillMBR. This will not end well.

Once the file is extracted from the Solera appliance, it’s easy to see why it is so small. The program is only designed to blow away the master boot record of the hard drive the operating system boots from. It also inserts code into the boot sector of the hard drive which posts its funny little “I am virus! Fééééééé” message in lieu of the normal “Operating System Not Found” you would expect to see.
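A wiper like the one described above leaves the boot sector structurally wrong (no partition entries, a replaced loader), which is something an analyst can check for when triaging a disk image. The following is an added defensive example, not code from the post or from Solera: it sanity-checks a 512-byte MBR image and, when given a SHA-256 of the known-good boot-code region, also flags an overwritten loader. The sample sectors are constructed for illustration, not captured from this incident.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446            # partition table occupies bytes 446-509
BOOT_SIG = b"\x55\xaa"     # bytes 510-511 of an intact MBR


def parse_partitions(sector):
    """Return the four MBR entries as (status, type, lba_start, sector_count)."""
    # Layout per entry: status(1) CHS start(3) type(1) CHS end(3) LBA(4) count(4)
    return [struct.unpack_from("<B3xB3xII", sector, PT_OFFSET + 16 * i) for i in range(4)]


def check_mbr(sector, baseline_code_sha256=None):
    """Return a list of findings for a 512-byte MBR image; empty means it looks intact.

    baseline_code_sha256 is the hex SHA-256 of the trusted boot-code region (bytes 0-445),
    recorded from a known-good image; supplying it catches a replaced loader even when
    the signature and partition table were left untouched.
    """
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["image is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    if sector[510:] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    code = sector[:PT_OFFSET]
    if code == b"\x00" * PT_OFFSET:
        findings.append("boot code region is all zeros")
    entries = [e for e in parse_partitions(sector) if e[1] != 0]  # type 0 = unused slot
    if not entries:
        findings.append("partition table has no entries")
    for status, ptype, _lba, count in entries:
        if status not in (0x00, 0x80):            # only inactive/bootable are valid
            findings.append("partition type 0x%02x has bad status byte 0x%02x" % (ptype, status))
        if count == 0:
            findings.append("partition type 0x%02x has zero length" % ptype)
    if baseline_code_sha256 and hashlib.sha256(code).hexdigest() != baseline_code_sha256:
        findings.append("boot code differs from recorded baseline")
    return findings


# Constructed sample sectors (hypothetical, not from the incident in the post).
GOOD_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PT_OFFSET - 8)
GOOD_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
GOOD_MBR = GOOD_CODE + GOOD_ENTRY + b"\x00" * 48 + BOOT_SIG
GOOD_BASELINE = hashlib.sha256(GOOD_CODE).hexdigest()

# Tampered sector: loader replaced by a text banner, partition table zeroed, signature kept.
BAD_CODE = (b"CONSTRUCTED DEFACEMENT BANNER" + b"\x00" * PT_OFFSET)[:PT_OFFSET]
BAD_MBR = BAD_CODE + b"\x00" * 64 + BOOT_SIG
```

On a real image, read the first 512 bytes of the disk (for example with `dd` into a file) and pass them to `check_mbr` together with the baseline hash recorded when the machine was known to be clean.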

Obviously these RAT operators are among the most distinguished masters of subtlety and subterfuge of the Gangnam Style generation. Actual destructive behavior by a malware payload? That’s so 2007. I laughed, cleaned up the boot sector, and reimaged the box (total downtime: 15 minutes).

It was a difficult month for the companies with products affected by the vulnerabilities, for incident responders, and for security analysts. Admins, I know you’re going to hate this part, but unless you have some critical business reason to keep Java installed on desktops, it might be time to clean house and uninstall Java until the mess gets sorted out. And if you’re using Internet Explorer for anything, at all, please download and install the MS12-063 patch to all Windows systems. Sometimes, when it rains, it pours.

One Comment
  1. Garrick Brandt permalink
    2012-11-28 11:24 pm

    brilliant work, by both the culprit and the sleuth. thanks for the tip.

Comments are closed.
