As a result of a successful attack, the bad guys modify the core index.jsp on the affected server, to include a snippet like the following:
The associated site is still live, which is why the above is an image and not a clickable URL. If you still insist to go looking, be careful, and don't blame us! Leaving the web server and Struts vulnerability aspect of things, let's now look at what's lurking on that namu-in site:
daniel@foo3:~/malware$ ls -al Init.jar
daniel@foo3:~/malware$ unzip Init.jar The presence of the "MyColorModel" and "MyColorSpace" files in the JAR archive suggests that this could be an exploit for CVE-2013-2465, the 2D/AWT vulnerability which affects all Java Versions up to 1.7_21. On closer investigation, this is confirmed, Init.class indeed exploits CVE-2013-2465, and then calls Print.class, which in turn seems to create a file named "mspaints.exe":
daniel@foo3:~/malware$ echo "3A2D" | perl -pe 's/(..)/chr(hex($1)^0x77)/ge' Busted! :)
Feeding the entire two "data" arrays through the same Perl operation turns the hexadecimal set into binary files, all while XOR-ing every byte with 0x77: Searching for this MD5 hash on VirusTotal https://www.virustotal.com/#search gives us a result with a rather dismal 3/47 detection rate. But at least someone else already uploaded it earlier today. The next stage of the analysis is now on the two EXE files, data.exe and data1.exe. This task is - commonly - quite a bit more tricky than just reverse-engineering JavaScript or Java, because static analysis (like we did on the Applet) can be quite reliably thwarted on an EXE, and dynamic analysis (= actually running the file) can be full of "surprises". Case in point:
daniel@foo3:~/malware$ strings data.exe | grep -i Debug Looks like our EXE invokes the Windows API method "IsDebuggerPresent" to verify whether a debugger is currently running. Chances are, the EXE will behave differently when is suspects that someone (like a malware analyst :) is watching its every move. In this case here it is nonetheless quite readily possible to determine what the two EXEs are doing: They are, as so often, simply "downloaders" that fetch the next stage of the attack code. There are four downloaded files, and all come from www-sandulsori-co-kr.
daniel@foo3:~/malware$ ls -al * Note how all four files claim to be an image, even though they are an EXE. The two files named "common" contain the Windows EPathObj exploit (CVE-2013-3660) which results in SYSTEM privileges on versions of Windows that don't have Patch MS13-053 (July 2013). Analysis of the two favicon files is still ongoing. The involved domains (overall) are: www-namu-in-com, currently at 110.45.165.42 for Stage#1, www-sandulsori-co-kr, currently at 111.92.188.21 for Stage#2, and www-staticscount-com, currently at 74.82.173.187 for the Command&Ccontrol (C&C). These sites and IP blocks are not necessarily hostile per se, they could also be victims of an earlier hack / take-over. The moral of the story is that all of the above is based on Exploits of vulnerabilities that have patches available since about three months. If your patching of OS and Applications is lagging behind to this extent because of lack of resources or priority, you'll need to catch up asap. As shown above, the bad guys are delivering exploit cocktails that provide SYSTEM level privileges on Windows machines which lack the necessary patches, and current anti-virus patterns offer little coverage against it.
|
Daniel 385 Posts ISC Handler Oct 28th 2013 |
Thread locked Subscribe |
Oct 28th 2013 8 years ago |
Sign Up for Free or Log In to start participating in the conversation!