Trend Micro TrendLabs Malware Blog
    Archive for September 17th, 2012

    We’re currently investigating a new zero-day exploit that affects Internet Explorer versions 7, 8, and 9. The exploit, which is detected by Trend Micro as HTML_EXPDROP.II, was found hosted at {BLOCKED}.{BLOCKED}.104.149. Incidentally, this server also hosted the Java zero-day exploit reported last August 30.

    Based on our initial analysis, when executed, HTML_EXPDROP.II drops a malicious .SWF file (SWF_DROPPR.II). The .SWF file then drops a backdoor detected as BKDR_POISON.BMN. More information on the analysis will be posted in this entry.

    Trend Micro Smart Protection Network™ blocks access to the malicious servers and detects the exploit and other malicious files. Watch this space for updates and additional analysis information.

    Update as of September 18, 2012 6:11 AM PDT

    We have identified a second attack that uses this zero-day exploit as well. Its payload is BKDR_PLUGX.BNM, a variant of the recently discovered PlugX remote access tool (RAT). PlugX has been shown to have significant information theft and backdoor capabilities, and is used as a component of sophisticated information theft campaigns.

    We detect the malicious files as noted above and URL reputation blocks access to the command-and-control servers. In addition, Deep Security protects users from this threat via IDF rule 1005194 – Microsoft Internet Explorer ‘execCommand’ Use-After-Free Vulnerability.

    Update as of September 18, 2012 6:57 PM PDT

    Microsoft announced that they will be issuing a workaround for this vulnerability within the next few days.

    Update as of September 18, 2012 11:22 PM PDT

    BKDR_PLUGX.BNM has been renamed to TROJ_PLUGX.ME. For more information on PlugX and its capabilities, please check our previous reports:

    Update as of September 19, 2012 10:02 PM PDT

    Microsoft has announced that an out-of-band patch to resolve this vulnerability will be released on Friday at 10 AM PDT (5 PM UTC). In the meantime, a workaround has also been added to the earlier bulletin.

    While this vulnerability may have seen limited exploitation previously, we have seen more and more attacks exploit this security hole. This may have led Microsoft to decide to release a patch outside of the regular Patch Tuesday cycle.

    Until the patch is released, the browser exploit prevention built into Titanium 2013 also protects users against exploits targeting this vulnerability.


    In our previous post, we reported on a new breed of Remote Access Tool (RAT) called PlugX, which was used in targeted attacks that also used Poison Ivy. At first glance, this RAT appears to be a simple tool with limited remote access capabilities. However, further analysis of PlugX reveals that it may be keeping more tricks up its sleeve.

    In a typical attack, PlugX comes with three file components, namely:

    • A legitimate file
    • A malicious DLL that is loaded by the legitimate file
    • A binary file that contains the malicious codes loaded by the DLL.

    The attack starts with a phishing email containing a malicious attachment, usually an archived, bundled or specially crafted document that exploits a vulnerability in either Adobe Acrobat Reader or Microsoft Office (in particular CVE-2010-3333). In this example, it arrives via a specially crafted document (detected as TROJ_ARTIEF.LWO). The said Trojan drops and executes BKDR_PLUGX.SME, which drops the following files:

    • %All Users Profile%\Gf\NvSmart.exe – a legitimate NVIDIA file (NVIDIA Smart Maximise Helper Host)
    • %All Users Profile%\Gf\NvSmartMax.dll – BKDR_PLUGX.BUT
    • %All Users Profile%\Gf\boot.ldr – TROJ_PLUGX.SME

    Notice that the malware drops the file NvSmart.exe, which is a known legitimate NVIDIA file.

    Looking at NvSmart.exe’s import table, we can observe that it imports three functions from NvSmartMax.dll. Normally, it would load the legitimate NvSmartMax.dll. But because Windows searches the application’s own directory before the system directories when resolving an imported DLL, a malicious file of the same name placed next to NvSmart.exe is loaded instead.

    The malicious NvSmartMax.dll then loads boot.ldr found in the same directory. The said file contains the malicious code used by NvSmartMax.dll.

    Digging deeper into what the loaded code does, we can see that it first decrypts itself in memory into what looks like an executable file. All the backdoor modules can be found in this in-memory “executable file”.

    However, the loaded code never writes this decrypted “executable file” to disk. Instead, it injects the code into the legitimate process svchost.exe, possibly to avoid detection. After it has injected its code into svchost.exe, it terminates the initially executed NvSmart.exe.

    Our analysis of the decrypted executable file shows that this threat is built from several backdoor modules, each responsible for a distinct set of tasks. We uncovered the following modules in the malware:

    PlugX module    Backdoor functions
    XPlugDisk       Copy, move, rename, delete files; create directories; create files; enumerate files; execute files; get drive information; get file information; modify files; open files
    XPlugKeyLogger  Log keystrokes and active window
    XPlugNethood    Enumerate TCP and UDP connections; enumerate network resources; set TCP connection state
    XPlugOption     Display a message box; lock workstation; log off user; restart/reboot system
    XPlugPortMap    Perform port mapping
    XPlugProcess    Enumerate processes; get process information; terminate processes
    XPlugRegedit    Enumerate registry keys; create registry keys; delete registry keys; copy registry keys; enumerate registry entries; modify registry entries; delete registry values
    XPlugScreen     Screen capture; capture video
    XPlugService    Delete services; enumerate services; get service information; modify services; start services
    XPlugShell      Perform remote shell
    XPlugSQL        Connect to a database server and execute a SQL statement
    XPlugTelnet     Host Telnet server

    As in our initial PlugX post, we observed that it drops a debug log file in %All Users Profile%\SxS\bug.log. This file contains error codes that the malware author can use to improve PlugX. For example, if the malware couldn’t access certain files or folders, it would log this incident. Using this debug log as reference, the malware author can then modify future versions of PlugX to access these files or folders. The author could even use this log to learn how the tool was detected or disabled. Thus, this file may be crucial in creating more effective versions of PlugX in the future.

    Trend Micro users are protected by the Smart Protection Network™. In particular, the file reputation service detects and deletes PlugX (BKDR_PLUGX and TROJ_PLUGX). The web reputation and email reputation services block access to the said C&C servers and the related emails, respectively. Trend Micro Deep Security users are protected from this threat via rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.

    Trend Micro will continue to monitor PlugX’s development and the campaign behind it.

    Unplugging PlugX Capabilities (posted in Targeted Attacks)


    © Copyright 2013 Trend Micro Inc. All rights reserved.