Last Updated: 2007-09-19 16:06:16 UTC
by Maarten Van Horenbeeck (Version: 1)
It need not always be a plain and simple Word attachment.
April 2007. A small group of about 20 people receives an e-mail on a topic that is of great interest to them, and which invites them to sign an attached petition. The petition is a rather benign looking HTML file. Their anti virus had not indicated anything was amiss, and they click away.
They did not realize that the file in fact consisted of a targeted malicious code attack. In fact, the file contained several routines to download and drop an executable from a remote web site on the local system.
evilObject.push( evilString );
var obj = document.getElementById('target').object;
Further down the execution path, resulting data is loaded into CLSID: 0002E510-0000-0000-C000-000000000046, better known as the Microsoft Spreadsheet Object aka Microsoft Excel on Office systems. The target is an old Office vulnerability.
We humans are not capable of looking at every file we open in great depth. We lack both scale as well as in-depth protocol knowledge. We outsource this function to our anti virus solutions:
AhnLab-V3 2007.4.12.0 04.12.2007 no virus found
AntiVir 220.127.116.11 04.12.2007 HEUR/Exploit.HTML
Authentium 4.93.8 04.12.2007 no virus found
Avast 4.7.936.0 04.11.2007 no virus found
AVG 18.104.22.1687 04.11.2007 no virus found
BitDefender 7.2 04.12.2007 no virus found
CAT-QuickHeal 9.00 04.11.2007 no virus found
ClamAV devel-20070312 04.12.2007 no virus found
DrWeb 4.33 04.12.2007 no virus found
eSafe 22.214.171.124 04.11.2007 no virus found
eTrust-Vet 30.7.3562 04.12.2007 no virus found
Ewido 4.0 04.12.2007 no virus found
FileAdvisor 1 04.12.2007 no virus found
Fortinet 126.96.36.199 04.12.2007 no virus found
F-Prot 188.8.131.52 04.12.2007 no virus found
F-Secure 6.70.13030.0 04.12.2007 no virus found
Ikarus T184.108.40.206 04.12.2007 no virus found
Kaspersky 220.127.116.11 04.12.2007 no virus found
McAfee 5006 04.11.2007 no virus found
Microsoft 1.2405 04.11.2007 no virus found
NOD32v2 2183 04.12.2007 no virus found
Norman 5.80.02 04.12.2007 no virus found
Panda 18.104.22.168 04.12.2007 no virus found
Prevx1 V2 04.12.2007 no virus found
Sophos 4.16.0 04.12.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.12.2007 no virus found
TheHacker 6.1.6.088 04.09.2007 no virus found
VBA32 3.11.3 04.12.2007 no virus found
VirusBuster 4.3.7:9 04.11.2007 no virus found
Webwasher-Gateway 6.0.1 04.12.2007 Heuristic.Exploit.HTML
While these solutions generally do a great job, and are continuously improving the way they deal with such droppers, at the time of the attack, they were of little use. Once the final binary was downloaded and executed, users of most security applications were still not quite protected:
AhnLab-V3 2007.4.19.0 04.18.2007 no virus found
AntiVir 22.214.171.124 04.18.2007 TR/Crypt.FKM.Gen
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.18.2007 Win32:Protux-C
AVG 126.96.36.1997 04.18.2007 no virus found
BitDefender 7.2 04.18.2007 no virus found
CAT-QuickHeal 9.00 04.18.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 04.18.2007 no virus found
DrWeb 4.33 04.18.2007 no virus found
eSafe 188.8.131.52 04.18.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3576 04.18.2007 no virus found
Ewido 4.0 04.18.2007 no virus found
FileAdvisor 1 04.18.2007 no virus found
Fortinet 184.108.40.206 04.18.2007 suspicious
F-Prot 220.127.116.11 04.17.2007 no virus found
F-Secure 6.70.13030.0 04.18.2007 no virus found
Ikarus T18.104.22.168 04.18.2007 no virus found
Kaspersky 22.214.171.124 04.18.2007 no virus found
McAfee 5012 04.18.2007 no virus found
Microsoft 1.2405 04.18.2007 TrojanProxy:Win32/Agent.AYY
NOD32v2 2202 04.18.2007 a variant of Win32/Protux
Norman 5.80.02 04.18.2007 no virus found
Panda 126.96.36.199 04.18.2007 no virus found
Prevx1 V2 04.18.2007 no virus found
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.14.2007 VIPRE.Suspicious
Symantec 10 04.18.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.18.2007 suspected of Malware.Agent.88
VirusBuster 4.3.7:9 04.18.2007 no virus found
Webwasher-Gateway 6.0.1 04.18.2007 Trojan.Crypt.FKM.Gen
The file installed itself in the registry, and then connected to the host ding.pc-officer.com, as well to ihe1979.3322.org. At that point in time, both resolved to 127.0.0.1.
This is a common but rarely discussed trick in targeted attacks, the parking of attack hosts – when the control server resolves to 127.0.0.1, the only way an infected client could be identified is through DNS queries. Traffic will no longer be leaving the machine, and network detection/firewall log analysis wouldn’t result in detection at all. An attacker can ‘switch off’ the compromise when he no longer requires access to information, enabling it at will when a new need exists. All he needs to do is change the DNS resource record to point to a host under his control.
The code itself was a modified version of the Protux backdoor, which provides virtually unrestricted user level access to a compromised client: adding services, command execution, whichever the attacker requires.
September 2007. Five months later, a new HTML file appears attached to a seemingly benign looking e-mail. This time, the entire mail is in Chinese. Clicking on the attachment doesn’t actually do anything – while it contains some dropper code, it appears to have been corrupted, or does not load correctly on our UK English test systems.
It does once again contain an obfuscated download URL pointing to the same North Carolina based web server as in the April attacks. Once downloaded, the binary hosted there points to ding.pc-officer.com. It appears to be a modified version of the PCClient backdoor series, which contains key logging code. This time the host name resolves, but to a false and unused address. Further research shows that over the last few months, the control host had been moved several times, from Taiwan over 127.0.0.1 to South Korea.
In case you’re interested: all recipients of these e-mails were members of the Falun Gong, a large originally Chinese spiritual movement which has been banned by the People’s Republic of China since July 20th, 1999. The first e-mail originated from the systems of FastMail.FM, but was sent by a Taiwanese host. The e-mail attachment posed to be a petition to the International Olympic Committee on Chinese human rights violations and appeared very trustworthy and within context.
There’s plenty we can learn of just this single sample to better protect our organization against targeted attack:
- HTML exploits or droppers attached to e-mails have been used in ‘public’ viruses as well, dating back to 2003’s W32/MiMail. Nevertheless, it’s still pretty rare;
- Regular public host names don’t resolve to 127.0.0.1. If they do, it’s the administrators trying to counter a Denial of Service attack, or not a valid web site at all (and as such the user making a typo). If you’re suspicious, try to monitor DNS resource records returned from public DNS servers for this value. Generally difficult to implement, but interesting;
- Ensure users are correctly trained on the threat of e-mail attachments, and use strong heuristic scanners at the mail gateway. While heuristics can do damage to internal machines, where software is deployed, they are much less likely to cause significant issues on the gateway, where you have centralized control;
- If you’ve had an incident like this, try to get permission to share through your local ISAC (Information Sharing and Analysis Centre), so that other organizations can learn and information security is advanced as a whole;
The privacy problem posed by trojans increases significantly when the attackers actually have a goal of gathering information about us, and it isn’t just a random infection. This type of behavior is something we as security teams should never tolerate towards our users.
By request, here are the MD5 hashes for each of the affected files:
April dropper: 7611a842392d0c3b57d2106835a27c5b
April binary: 86b426cf4162df7782df5bdeff76a1c2
September dropper: d1d78cc086466f8d2c01d02fc0c0d3c5
September binary: d7ba1cfd3ee2ddd235ddf599f73ab8fb
Maarten Van Horenbeeck