Another Day, SpiderLabs Discovers Another IE Zero-Day

We at SpiderLabs investigate many suspicious webpages on adaily basis. Occasionally we run intosomething that seems new and unfamiliar to us, which is generally when things becomeinteresting.

A recent discovery of ours began just like that and ended withour identification of an Internet Explorer 8 vulnerability being actively exploitedin the wild. Through collaboration with the Microsoft Security Response Center(MSRC) Team we confirmed that the newzero- day (CVE-2013-3897) has been in the wild for a month (the new CVE-2013-3897 and the previous zero-day CVE-2013-3893). The patch was just released today, and users need time to install it. So we can't reveal the full technical analysis of this vulnerability yet, but we can share some interesting details about the attack.

The attackers distributed the zero-day exploit via thefollowing URL hxxp://1.234.31.152/mii/guy2.html (currently offline). It turnsout that this isn't the first time we have encountered this kind of URL. One monthearlier a similar URL on the same class-C IP address:hxxp://1.234.31.142/mii/guy2.html (currently offline) served an older zero-day(CVE-2012-4792).We continued to track this IP class segment and a few days ago found a new liveinstance of this attack serving the new zero-day on a different IP address withthe same URL path.

The zero-day campaign seems to have launched in the firsthalf of September 2013 targeting Japanese and Korean users:

The attacker uses navigator.userLanguage to identify theend-user machine's language. If the user machine's language is neither Koreannor Japanese, the JavaScript redirects the page to google.com therebyterminating the attack on that machine.

The attacker also checks the operating system and InternetExplorer versions as can be seen in the image below:

The code validates that the user's machine runs Windows XP withInternet Explorer 8. If it doesn't, the attack will once again terminate. Fromtests conducted in our lab, we determined that the exploit also works on Windows7 with an adjustment to the shellcode: using valid ROP chains (a technique tobypass DEP by taking advantage of existing commands) for each Windows environmentand overcoming ASLR which is part of the operating system.

The last check the attackers perform before invoking theexploit itself is making sure that the exploit will only execute once per machineto avoid detection. It does so by setting a cookie named "Cookie1=KK20130912;".

After performing the checksdiscussed above, the attack also uses ROP chains targeting Korean/Japanesebrowser language packs to further validate the targets of the attack, but thistime implicitly:

The attack also uses the "DOMElement Property Spray," a technique alsoused in the last Internet Explorer zero-day (CVE-2013-3893) a couple of weeksago. A Metasploitmodule has already been written for this specific vulnerability(CVE-2013-3893).

Some code blurred, so as not to reveal sensitive details of the attack

The code above creates a new Array and fills it with newelements (DIV elements in this case) and proceeds to change the titleattribute of each element with many NOPs.

After successfulexploitation the attacker uses an XORed shellcode. After XORing the shellcodewith 0x94 we get the following payload:

This payload results in the downloading and execution of thefollowing file:

As you may have guessed, this file is not a GIF at all but rather a WindowsPE file. Upon execution the malware begins dropping a number of maliciousfiles and drivers on the system.

For the sake of brevity, we have included ahigh level analysis of each file. In short, the payload is quite messy droppingat least ten drivers, executables and DLLs on the victim machine.

1. The main fird.gif file is dropped on the victim machine andattempts to detect a number of anti-virus/security products that are popular inAsia (AhnLab, NaverVaccine, ALYac, etc). It then dropsC:\WINDOWS\system32\drivers\thhovsyfw.sys and installs/executes the driver (See#2). It then downloads hxxp://1.234.31.153/mii/firw.gif to C:\DOCUME~1\User\LOCALS~1\Temp\decodervsview.exe(See #3) and spawns this file in a new process. Finally, it executes a batchscript that will delete the fird.gif file.
2. This driver ensures a number of security processes are not running on the system. The following is a list of a few of the many processes targeted:
   • MUpdate2.exe
   • V3LRun.exe
   • V3Medic.exe
   • AvastUI.exe
   • vrmonsvc.exe
3. The decodersview.exe has three PE files appended to theexecutable. Each is individually dropped to C:\WINDOWS\Temp\temp1.exe, \temp2.exeand \temp3.exe and subsequently executed (See #4, #7, and #9).
4. Temp1.exe drops C:\WINDOWS\system32\drivers\xpV3001.sys andinstalls/executes this driver (See #5). It then dropsC:\WINDOWS\system32\drivers\420a0a1f.sys and installs/executes this driver (See#6).
5. The xpV3001.sys driver ensures a number of security processesare not running on the system. The following short list demonstrates some ofthe many processes targeted by this malicious driver:
   • UDATERUI.EXE
   • MSSECES.EXE
   • EGUI.EXE
   • EKRN.EXE
   • CCSVCHST.EXE
   • NAVW32.EXE
   • UPDATESRV.EXE
   • ASDSVC.EXE
6. 420a0a1f.sys targets a number of online games, stealingpasswords in the event they are installed.
   • WOW.EXE
   • DKONLINE.EXE
   • DIABLO III.EXE
   • HEROES.EXE
7. Temp2.exe removes C:\WINDOWS\Tasks\TespayServer.exe. It then copiesitself to C:\WINDOWS\Tasks\TespayServer.exe and adds this path toHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit. Finally,it spawns a new instance of C:\WINDOWS\Tasks\TespayServer.exe (See #8).
8. TespayServer.exe downloads http://174.139.126.66:8888/5.txt toC:\WINDOWS\system32\drivers\etc\Changer.bat. It then createsC:\WINDOWS\system32\drivers\etc\Changer.bat in a new process. See the excerpt belowfor a sample of this batch script. The script attempts to modify the /etc/hostsfile and redirects popular Korean banks to a malicious IP address.

1. Temp3.exe creates C:\1041200.dll (randomly named). It proceedsto register C:\1041200.dll as a service and starts it (See #10).
2. This service injects itself into a number of processes on thevictim machine and attempts to steal credentials for popular on-line games.

In short, this payload is responsible for a number ofmalicious activities. It attempts to disable any security products that may berunning on the victim machine, redirects banking sites to a malicious IPaddress and tries to steal credentials for popular on-line games.

The various techniques used indicate that thispayload is not meant for any targeted scenario but instead will simply try to target any Korean or Japanese users it stumbles upon.

Special thanks go to mySpiderLabs colleague Josh Grunzweig for his contribution for this blog post.