Things have been pretty rough in the Response world the past few weeks. The number of exploits taking advantage of unknown and unpatched vulnerabilities has been breathtaking.
One such case started a few days ago when we received information about a possible exploitation using older versions of Internet Explorer as targets. Hackers had sent emails to a select group of individuals within targeted organizations. Within the email, the perpetrators added a link to a specific page hosted on an otherwise legitimate website. The hackers had gained access to the website account and uploaded content without the owners knowing. Here is what the email looked like:
The link pointed to a page containing a script that checked which version of the browser and operating system the visitor was using. Since the exploit page only worked against Internet Explorer 6 and 7, the script transferred the visitor to the page hosting the exploit only when that condition was met. In all other cases, the user saw nothing but a blank page.
Visitors who were served the exploit page didn't realize it, but went on to download and run a piece of malware on their computer without any interaction at all. The vulnerability allowed an arbitrary remote program to be executed without the end user noticing. Once installed, the malware set itself to start with the computer, along with a service named 'NetWare Workstation'. The malware opens a backdoor on the computer and then contacts remote servers. It tries to contact a specific server hosted in Poland for small files with a '.gif' extension. These small files are actually encrypted files containing commands that tell the Trojan what to do next. It was programmed to download these small, encrypted files from the following folders on the remote server:
- images
- pic
- image
- binary
- news
- index
- picture
- bbs
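The "GIF" command files described above are not images at all, and that is something a defender can check for in captured traffic. The following is an added example (not code from the original post or from Symantec) that takes reassembled HTTP responses and flags any '.gif' whose body lacks the GIF87a/GIF89a file header, noting when it was also served from one of the folder names listed above. The host name, URLs and response bodies are constructed for illustration.

```python
import re

# A real GIF always begins with one of these two signatures.
GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Folder names the post says the Trojan polled on its command server.
COMMAND_DIRS = {"images", "pic", "image", "binary", "news", "index", "picture", "bbs"}

# Constructed sample responses (hypothetical host, made-up bodies), shaped like
# what a capture tool would hand back after reassembling each HTTP reply.
SAMPLE_RESPONSES = [
    {"url": "http://c2-example.invalid/images/a1.gif",      # genuine 1x1 GIF
     "content_type": "image/gif",
     "body": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"},
    {"url": "http://c2-example.invalid/news/b2.gif",        # opaque bytes, no header
     "content_type": "image/gif",
     "body": b"\x9a\x4f\x11\xe3\x00\x27\x8b\xaa\x51\xde\xc4\x70\x3f\x19\x22\xe8"},
    {"url": "http://c2-example.invalid/static/c3.gif",      # real GIF, odd Content-Type
     "content_type": "application/octet-stream",
     "body": b"GIF87a" + b"\x00" * 20},
    {"url": "http://c2-example.invalid/bbs/d4.gif",         # plain text, no header
     "content_type": "image/gif",
     "body": b"not an image\r\n"},
]


def has_gif_magic(body: bytes) -> bool:
    """True if the body starts like a real GIF file."""
    return body.startswith(GIF_MAGIC)


def gif_dir(url: str):
    """Return the single directory component of a URL ending in .gif, or None."""
    m = re.match(r"https?://[^/]+/([^/]+)/[^/]+\.gif$", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def inspect_response(resp: dict) -> list:
    """Reasons this '.gif' response looks like a command file; empty if it looks benign."""
    reasons = []
    if not has_gif_magic(resp["body"]):
        reasons.append("body lacks GIF87a/GIF89a header")
        # The folder name alone is a weak signal (many sites have /images/);
        # it is only reported once the header check has already failed.
        d = gif_dir(resp["url"])
        if d in COMMAND_DIRS:
            reasons.append(f"served from '{d}/', one of the folders the Trojan polls")
    return reasons


def scan(responses: list) -> dict:
    """Map each flagged URL to its list of reasons; unflagged URLs are omitted."""
    flagged = {}
    for r in responses:
        reasons = inspect_response(r)
        if reasons:
            flagged[r["url"]] = reasons
    return flagged


if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_RESPONSES).items():
        print(url)
        for reason in reasons:
            print("   -", reason)
```

The header check, not the Content-Type header or file extension, is what matters: the third sample is a real GIF with a careless Content-Type and is correctly left alone, while the second and fourth are flagged because whatever they contain, it is not an image.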
We were able to get a network capture of the traffic with a number of such '.gif' (named) files that contained commands. Here is a very short snippet of what the attacker did on a compromised computer:
Looking at the flow of commands, it is obvious to us that someone is entering these commands manually from a remote computer.
The files being downloaded by the attacker were hosted on yet another hacked website. The owners of this server were also unaware of their computer being involved in hosting of malicious programs.
In fact, when we contacted the owners of the server which housed the original exploit page and malware, they immediately took down the malicious content. Looking at the log files from this compromised server, we know that the malware author had targeted more than a few organizations. The files on this server had been accessed by people in many organizations across multiple industries around the globe. Very few of them were seen accessing the payload file, which means that most users were using a browser that wasn't vulnerable or targeted.
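The browser-gating script and the server log review described above come together in a simple triage: for each visitor, did they reach only the landing page, the exploit page too, or the payload as well, and what browser did they report? The following is an added example (not code from the original post or from Symantec) that parses Apache-style combined access log lines and answers those questions. The file names `/landing.html`, `/exploit.html` and `/payload.exe`, the host `hacked-site.invalid` and every log line are constructed placeholders.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IE_RE = re.compile(r"MSIE (\d+)\.")

# Hypothetical file names standing in for the three pages the post describes.
LANDING, EXPLOIT, PAYLOAD = "/landing.html", "/exploit.html", "/payload.exe"

# Constructed log excerpt: one IE6 victim, one IE7 visitor who got the exploit
# page but not the payload, one IE8 and one Firefox visitor who only saw the
# landing page, plus a malformed line the parser must skip.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Oct/2010:09:14:02 +0000] "GET /landing.html HTTP/1.1" 200 1243 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [27/Oct/2010:09:14:03 +0000] "GET /exploit.html HTTP/1.1" 200 18320 "http://hacked-site.invalid/landing.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [27/Oct/2010:09:14:05 +0000] "GET /payload.exe HTTP/1.1" 200 61440 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [27/Oct/2010:10:02:41 +0000] "GET /landing.html HTTP/1.1" 200 1243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
192.0.2.33 - - [27/Oct/2010:11:30:17 +0000] "GET /landing.html HTTP/1.1" 200 1243 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
192.0.2.33 - - [27/Oct/2010:11:30:18 +0000] "GET /exploit.html HTTP/1.1" 200 18320 "http://hacked-site.invalid/landing.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
192.0.2.50 - - [27/Oct/2010:12:05:09 +0000] "GET /landing.html HTTP/1.1" 200 1243 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
this line is not in combined log format
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def ie_version(ua: str):
    """Major IE version from the User-Agent, or None for non-IE browsers."""
    m = IE_RE.search(ua)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> dict:
    """Per client IP: reported IE version and the set of pages it fetched."""
    report = defaultdict(lambda: {"ie": None, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue                       # skip junk lines and failed requests
        entry = report[rec["ip"]]
        entry["ie"] = ie_version(rec["ua"])
        entry["paths"].add(rec["path"])
    return dict(report)


def reached_payload(report: dict) -> list:
    """Clients that fetched the payload: the ones to treat as likely infected."""
    return sorted(ip for ip, e in report.items() if PAYLOAD in e["paths"])


def gated_out(report: dict) -> list:
    """Clients the gating script never forwarded: landing page only."""
    return sorted(ip for ip, e in report.items()
                  if LANDING in e["paths"] and EXPLOIT not in e["paths"])


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for ip in sorted(rep):
        print(ip, "IE" + str(rep[ip]["ie"]) if rep[ip]["ie"] else "non-IE", sorted(rep[ip]["paths"]))
    print("reached payload:", reached_payload(rep))
    print("landing page only:", gated_out(rep))
```

On a real server the set of clients in `reached_payload` is the notification list, and the User-Agent distribution in `gated_out` is what lets you say, as the post does, that most visitors were running a browser the script didn't consider worth attacking. Keep in mind that the User-Agent is client-supplied and the exploit page may have been fetched by scanners after the fact, so the log view is a starting point for triage rather than proof of compromise.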
We informed Microsoft of the vulnerability as soon as we were able to confirm it, and they were able to confirm our findings about the vulnerability itself. They also confirmed that the vulnerability seems to be limited to IE 6, 7, and 8. Microsoft plans to post an advisory on this subject in the coming hours. Once public, it will be available here. Symantec has detection in place for this IE vulnerability as Downloader. Initial Symantec detection names for the malware served after exploitation were Downloader and Trojan Horse. They have since changed to Backdoor.Pirpi.
I know we normally end such blogs with a little blurb about safe computing. Since you're still reading this article, here is one such note to the people who have control of servers facing the Internet—these computers are your responsibility. Make sure you know what is being served off of these computers, patch them, install firewalls with appropriate configuration, change passwords regularly, and—most of all—don't allow them to accept connections from the Web unless you know what you're doing.
Note: Since the posting of this blog, this vulnerability has been assigned the following information:
- CVE-2010-3962
- BID 44536
- Post by Vikram Thakur, Symantec