Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    November 2013
    S M T W T F S
    « Oct   Dec »
  • Email Subscription

  • About Us

    Archive for November, 2013

    Recently, independent security researchers found that the Angler Exploit Kit had added Silverlight to their list of targeted software, using CVE-2013-0074. When we analyzed the available exploit, we found that in addition to CVE-2013-0074, a second vulnerability, CVE-2013-3896, in order to bypass ASLR. These vulnerabilities are discussed in two separate Microsoft security bulletins, namely MS13-022 and MS13-087, respectively.

    This particular exploit checks what version of Silverlight is installed on a user’s system and only runs on the following versions:

    • 4.0.50401
    • 4.0.60310
    • 4.1.10329
    • 5.0.61118
    • 5.1.10411

    Up-to-date versions of Silverlight are not affected by this exploit; in this case it simply exits.

    Anti-analysis Capabilities

    The main component of the exploit is a DLL named fotomaster.dll (MD5 hash: 5f36a4c019d559f1be9fdd0cd770be2e), which is a PE file that contains MSIL (Microsoft Intermediate Language) code, as is expected of an app written using Silverlight. We detect this as TROJ_EXPLOIT.SVL. The exploit is loaded via a Silverlight app on a malicious website; when the app is loaded fotomaster.dll is loaded and the MSIL code inside is executed.

    The exploit also uses several techniques to make analysis more difficult. These include:

    Preventing Decompiling

    Normally, the first step in reverse-engineering a .NET binary is to decompile it into its source code, in order to understands its logic and flow. However, this exploit has obfuscated its code. This causes standard decompiling tools to fail, as can be seen here:

    Figure 1. Failed decompilers

    Preventing Disassembly

    If a .NET binary cannot be decompiled, disassembly into MSIL code would be the next step. The .NET SDK provides a tool, ildasm.exe, to do this. However, Microsoft itself has provided a technique that prevent this.

    Figure 2. Failed disassembler

    Obfuscated names and code

    The above technique makes disassembly more difficult, but does not prevent it completely. However, if one looks at the resulting MSIL code, one finds that it is highly obfuscated and not human-readable. For example, all the class names and method names use unreadable characters and junk code is inserted everywhere to hide the actual control flow of the program.

    Exploit Analysis

    Vulnerabilities used

    As mentioned earlier, the exploit uses two separate vulnerabilities in Silverlight. The first one, CVE-2013-3896, is an information leak vulnerability which can be used to leak sensitive information which is in memory. The exploit uses this vulnerability to leak a pointer address in memory, and then uses this leaked address to compute the base address of, bypassing ASLR. Later, this base address is used to compute the ROP gadgets in order to bypass DEP.

    The second vulnerability, CVE-2013-0074, is a double-dereference vulnerability, which is used to control the execution flow to jump to the ROP gadget.

    The ROP Gadget

    Instead of using a sequence of ROP gadgets as many other exploits do, this exploit contains only one ROP gadget, as shown below:

    83493440        or      dword ptr [ecx+34h],40h
    b801000000      mov     eax,offset <Unloaded_pi.dll> (00000001)
    ret     4

    The effect of this ROP gadget it to temper the length field of a .NER uint array. After the ROP gadget is executed, the length of the array becomes a very large value (0x40000003). This array can be used to read/write nearly arbitrary memory in the process’s memory space. This technique of overwriting the length of buffers is well-known, as similar techniques have been in used in Adobe Flash, Java, and Internet Explorer.

    The Shellcode

    After the buffer’s length field is modified, the exploit will use this buffer to search the process memory space to find some executable memory (a JIT-compiled function’s code area), then copy the shellcode into the executable memory area and execute it. The shellcode resolves the necessary APIs dynamically, and downloads the payload from the server by invoking APIs in wininet.dll, as shown below:

    Figure 3. Shellcode

    Silverlight and Java

    Java is currently the favored targets of exploit kits today. However, there are many similarities between Java and Silverlight:

    • Both of them are VM languages (Java bytecode versus MSIL code).
    • Both of them can be embedded in a web page and started remotely.
    • Both of them run in a sandbox which is based on dynamical privilege checks in critical library functions. When started from web browser, both of them have low privileges by default.
    • Both require breaking the sandbox to create exploits.

    More exploits against Silverlight in the future cannot be ruled out, but mass attacks are unlikely considering Java’s superior market penetration. However, for targeted attacks, it does offer a tempting target. We will continue to monitor the threat landscape for other Silverlight-related threats.

    Microsoft has released two bulletins for the two vulnerabilities:

    Posted in Exploits, Malware, Vulnerabilities | Comments Off on A Look At A Silverlight Exploit

    Cybercriminals can do just as much damage deleting users’ data as stealing it because file deletion can result in both data or monetary loss. One example would be CryptoLocker, which became notorious for combining the two—demanding money with the threat of data destruction. We recently came across a malware, detected as VBS_SOYSOS, that deletes important image files including .DWG files.

    As far as malware techniques go, VBS_SOYSOS is not the first malware to delete files. However, it is rare for VBScript malware to delete files. The deletion of DWG files, which is a known output of computer-aided design (CAD) software, poses risks to certain industries, including the automotive, engineering, manufacturing and architectural design industries, which are known to use these software.

    Based on feedback from the Smart Protection Network, this malware is currently spreading in Mexico. The number spiked on November 10, with a single variant accounting for 3,331 infections. VBS_SOYSOS was found to spread in systems via removable drives.

    Further analysis of the obfuscated code reveals that the malware contains a simple script. Once executed, it creates copies of itself using file names of files with .MP3, .JPG and .DWG extensions found in all removable drives. But rather than hiding the original files, VBS_SOYSOS deletes these.


    Figure 1. Screenshot of VBS_SOYSOS script

    Users can check if if their system is infected with the malware by looking for its copy, which is named D&D.vbe. It also adds a marker 4U Denia & Dania to the registry.


    Figure 2. VBS_SOYSOS Autostart Registry

    This VBScript malware disables the  Task Manager and the Registry Editor so manual cleanup will require third-party tools with similar functions terminated applications. It is important for users to install security solutions like those from Trend Micro to avoid malware infection. To prevent data loss, users are encouraged to back up their important data by using the 3-2-1 rule.

    Posted in Malware | Comments Off on VBScript Malware SOYSOS Deletes CAD Files

    We recently came across some AutoCAD malware which we detect as ACM_SHENZ.A. It appears to be a legitimate AutoCAD component with a .FAS extension, but on analysis it actually opens up systems to exploits, specifically those targeting old vulnerabilities.

    It first creates a user account with administrative rights on the system. It then creates network shares for all drives from C: to I:. It then opens four ports on the system: ports 137-139, and port 445.

    Figures 1-2. Decompiled code

    Perhaps because of the malware’s limited goals, the author did not bother to obfuscate his code.

    Figure 3. Malware code without obfuscation

    These ports are associated with the Server Message Block (SMB) protocol, which provides access to files, printers, serial ports, and miscellaneous communications between nodes on a network running on Windows. By opening the ports, exploits that target SMB can successfully run on affected systems, provided that the relevant vulnerabilities have not yet been patched. Security bulletins that cover the SMB vulnerabilities include MS10-020 and MS11-043.

    The decision to create an account with administrator privilege is a strategic one.  Without the said account, the attacker will have to crack passwords for existing accounts or remotely create one—processes that can be difficult and time-consuming. With the admin account, the attacker can easily steal all the files in those drives and plant other information-stealing malware.

    Historically, AutoCAD malware is very rare, although not completely unheard of. Aside from disabling certain AutoCAD functions and ensuring that all opened AutoCAD documents spread the malware as well, these kinds of malware may also be used to download or run other malware components. The primary advantage of AutoCAD malware may well be that users do not expect this type of document to be malicious; users should be careful about all document types and not just those that are “well-known” to contain malware.

    Posted in Malware | 1 TrackBack »

    Five years ago, Conficker/DOWNAD was first seen and quickly became notorious due to how quickly it spread and how much damage it caused.

    Remarkably, after all that time, it’s still alive. It can still pose a serious problem, as it can propagate to other systems on the same network as an infected machine – a factor that may explain its high rate of infection to this day.

    Based on feedback from the Smart Protection Network, DOWNAD has been a leading threat for years. It has been the most prolific threat – as measured by the number of infections seen in the wild – since 2011. It has beat out a wide variety of threats – from crack key generators to ZeroAccess – for this dubious distinction.

    It also popularized the use of domain generation algorithms. This technique generates multiple (hundreds, in the case of DOWNAD) domains on a daily basis. It uses these domains to connect to its command-and-control servers. The sheer number of generated domains makes blocking this C&C much more difficult. Since then, it has been adopted by other malware families as well.

    In order to propagate across networks, it used a zero-day vulnerability, which was later designated by Microsoft as MS08-67.  Despite the availability of a patch, many users remain vulnerable due to negligent patching practices as well as piracy. Pirated versions of Microsoft Windows, are often unable to download and install security patches.

    In the long-term, as Windows XP machines are retired due to its end of extended support period next year, DOWNAD is destined to recede into the background. However, some systems may still be at risk. The simplest solution is simple: ensure that the software you ran – particularly your operating system – has the latest security updates. You should also check out our tips on how to see if your system is in fact infected.

    We have prepared a full malware profile which describes the capabilities, the spread, and the risks of DOWNAD/Conficker.


    Throughout all of 2013, there have been numerous revelations about how the NSA conducts mass surveillance on the Internet. These have sent the Internet Engineering community reeling. Protocols that have been in use for decades and based heavily on intrinsic trust have had that trust violated.

    This has caused the Internet standards community to take a look at the need for encryption. Specifically, it’s been discussed whether HTTP/2.0 – the latest version of the protocol that powers much of the Internet – should be encrypted by default. Overall, this is a positive trend, but there are some challenges that should be considered.

    First, encryption without pre-existing trust adds little value. Casual eavesdropping can be prevented, but it is ineffective against a sophisticated operator. Consider, for example, self-signed certificates (often found in small or local web applications). An attacker could easily impersonate the server with a key and certificate that they create and proxy your traffic unencrypted to the real web server, giving them access to read, modify, and inject traffic within your session.

    Second, certificate authorities are not always reliable or secure either. Various CAs like Comodo, DigiNotar, GlobalSign, and Starcom, have all suffered some kind of security incident. One can argue (for a very long time) whether non-trusted CAs or having no encryption is “better”. DANE (specified in RFC 6698) allows service operators to publish keys and certificates within DNSSEC, which means that certificates can be verified without a CA being involved. Challenges like how to deal with typo-squatting domains and compromised DNS infrastructure remain, but it’s technically possible to establish public trusted encryption without the involvement of a CA.. Whether it will be put into wide use is unclear.

    Third, what percentage of the traffic needs to be encrypted? In the past, encryption was used sparingly due to the cost and the increased resources necessary. Banking-related pages and transactions were the most frequent cases where this was done. However, improvements by CDNs and gains in processing power have reduced the relative costs to the point where it is feasible to encrypt all traffic. Many sites are doing just that today.

    Finally, we have to look at encryption primitives themselves.  The security of some of these critical building blocks of security has been called into question. Some are worried that these algorithms have been weakened in such a way that government agencies can decrypt otherwise secure traffic. For example, it has been alleged that the Dual_EC_DRBG random number generator (RNG) has been compromised by the NSA by specifying insecure constants. While by no means a master key, a cryptanalyst would have an enormous head-start if they had any insight into the next number that is likely to come out of a RNG.

    Of course, some would say that wide-scale HTTP encryption is not necessary. “If I haven’t done anything wrong, I have nothing to hide.” These fall rather flat in the face of bulk large-scale data collection by governments. Could simply making the same set of search-engine queries as a terrorist put you on a watch list?

    This may seem like hyperbole, but in the world of big data small similarities often trigger associations that may or may not exist in reality. Did you sell your couch to the brother in-law of a terrorist three years ago on Craigslist? Connections that we would consider insignificant in person can take on new meaning as part of data correlation.

    We have come a long way from the early days of the World Wide Web, where everything was in plain text and images were a novelty. Now that so much of our lives exist online, it is increasingly important to have trustworthy infrastructure behind the services we use. Changes in the threat landscape mean that our infrastructure has to change too. HTTP/2.0 won’t solve all of the problems facing the Internet. However, it is a step in the right direction.

    Posted in Bad Sites | Comments Off on Are The Days Of Unencrypted HTTP Numbered?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice