In the previous quarter, we reported that we protected against more than 142 million threats in the first half of 2012 alone. One prominent threat in this period was ZACCESS, which is also known as ZeroAccess or SIREFEF. It can push fake applications and other malware onto infected systems, while using its rootkit capabilities to hide from detection.

The table below shows Japan places 2nd in terms of infection ranking, followed by US. In fact, Japan Regional TrendLabs received a lot of queries from our customers, which also triggered our in-depth analysis.

Peer-to-peer functionality

Backdoors typically establish each session by connecting from affected PCs to command-and-control (C&C) servers in order to receive commands from attackers. However, it’s not the case that a corresponding session is established from the C&C servers to affected PCs. Based on our analysis of BKDR_ZACCESS, it establishes bidirectional connections with other infected machines using its P2P functionality. This helps reduce the load on its C&C servers, as well as making the network more robust against a potential takedown of its C&C servers. This allows it to send and receive commands between affected PCs and not using any C&C servers.

Read the rest of this entry »

As discussed in our previous blog entries, we found an exploit (Trend Micro detection HTML_EXPLOYT.AE) that targets a vulnerability found in Microsoft XML Core Services (CVE-2012-1889). Based on our analysis, HTML_EXPLOYT.AE contains three key features: its usage of Microsoft XML Core Services, heap spray, and No ROP (Return-Oriented-Programming) function. Our two initial blog entries already gave in-depth details on how HTML_EXPLOYT.AE uses Microsoft XML Core Services and how it executes heap spray method. This time, we focus on the No ROP function of HTML_EXPLOYT.AE, which leads to the downloading of a backdoor (detected as BKDR_POISON.HUQA).

HTML_EXPLOYT.AE Feature 3: No ROP(Return-Oriented-Programming) function

Let’s check how HTML_EXPLOYT.AE executes malicious code in the heap- sprayed area after successfully exploiting CVE-2012-1889.

When we checked the exploit code, we did not find any ROP (Return-Oriented-Programming) function. This means HTML_EXPLOYT.AE jumps directly to the malicious code in the heap-sprayed memory area.

The Data Execution Prevention (DEP) in Internet Explorer version 8, 9, 10 DEP is enabled, which prevents HTML_EXPLOYT.AE from jumping heap sprayed area. Let us now check the protection conditions of heap sprayed areas with Windbg extensions.

On IE 9 and 10 where DEP is enabled by default, HTML_EXPLOYT.AE fails to jump to the heap sprayed area. This is because there is no PAGE_EXECUTE flag, which executes access to the committed region of pages. DEP detects the attack scenario and mitigates the threat by terminating the application.

However, IE8 is a different story since its DEP status can be enabled or disabled. On a DEP disabled scenario, HTML_EXPLOYT.AE can proceed with its malicious task without problem. On the other hand, if DEP is enabled, the attack is prevented. It should be noted that in earlier versions of Internet Explorer (version 7, 6 etc.), DEP settings are disabled by default.

After exploiting CVE-2012-1889, HTML_EXPLOYT.AE then downloads the backdoor BKDR_POISON.HUQA and executes it in the infected system.

Once executed, BKDR_POISON.HUQA connects to specific malicious remote user via command-and-control (C&C) servers using TCP port 80. In effect, the malicious user can perform any malicious routines onto the infected system, which includes stealing system-related information.

Because Microsoft XML Core Services is installed on most PCs, this exploit poses a significant threat among users. Furthermore, its attack code was made public, which may empower potential attackers to use the code for their future schemes.

Trend Micro users are protected from this threat via Smart Protection Network™, which detects the malware HTML_EXPLOYT.AE and BKDR_POISON.HUQA via file reputation services. It also blocks access to the related C&C servers via web reputation services. More importantly, Trend Micro Deep Security and Officescan with IDF enabled prevent attacks exploiting CVE-201-1889 via the rule 1005061- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889).

For added protection, users must update their systems with the latest security patch made available by software vendors such as Microsoft. To know more about the related vulnerability, users may refer Microsoft’s security bulletin. Microsoft also released a fix tool as a workaround solution for this vulnerability. Users must observe best computing practices, such as avoiding visiting unknown websites and opening email messages from dubious sources.

In the first part of our three-part blog entry about HTML_EXPLOYT.AE, we provided an analysis on how HTML_EXPLOYT.AE uses Microsoft XML Core Services vulnerability (CVE-2012-1889). As previously discussed, HTML_EXPLOYT.AE has three key features: its usage of Microsoft XML Core Services, use of heap spray technique, and No ROP (Return-Oriented-Programming) function. In the second part of this three-part series, we will now focus on how HTML_EXPLOYT.AE uses the heap spray technique.

HTML_EXPLOYT.AE Feature 2 : Heap Spray

When we checked the error codes below using Windbg, HTML_EXPLOYT.AE uses heap overflow instead of stack overflow to refer to an object and call its virtual function. Heap Spray is a technique used in exploits in order to facilitate arbitrary code execution.

Based on our analysis, HTML_EXPLOYT.AE uses the following heap spray code below:

Using Windbg, we were also able to check the heap spray memory area created by HTML_EXPLOYT.AE. The following code shows that the number of heap-sprayed block amounted to 230 and each block contains 80,000 bytes.

Below is the malicious code in the heap spray memory area

Because Microsoft XML Core Services is installed on most PCs and the attack code is made public, HTML_EXPLOYT.AE may potentially have a significant impact among PC users everywhere. We may see potential attackers exploring this threat to target users with their malicious schemes. Users are advised to regularly update their systems with the latest security patch distributed by software vendors. Microsoft also released a fix tool as a workaround solution for this vulnerability. For added precaution, users must be wary of visiting untrusted sites and opening email message from unknown senders. Observing best practices is important in preventing this kind of attack.

Fortunately, Trend Micro users need not worry as they are protected from this threat via Smart Protection Network™, which detects HTML_EXPLOYT.AE. In addition, both Trend Micro Deep Security and OfficeScan with IDF enabled prevent attacks exploiting CVE-201-1889 via the rule 1005061- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889).

In the last installation of our 3-part series about this exploit, we will share our findings regarding the third feature of HTML_EXPLOYT.AE: No ROP function.

Last month, Microsoft released a fix tool in order to address a vulnerability in Microsoft XML Core Services. The said vulnerability, according to the Microsoft Security Advisory, could allow remote code execution if a user views a specifically crafted webpage using Internet Explorer. It has been given the identifier CVE-2012-1889.

Since the vulnerability exists in Microsoft XML Core Services by way of IE, which is installed on most of PCs in the world, we assume that this attack code would give users the extremely big impact once it is exploited by malicious users. Another factor that would contribute to is impact is the fact that its attack code was made public.

In line with this, we’d like to share the results of our analysis of a malware which exploits CVE-2012-1889. Trend Micro products detect this particular malware as HTML_EXPLOYT.AE.

HTML_EXPLOYT.AE Overview

HTML_EXPLOYT.AE may arrive in a system through a variety of means, such as email or a malicious website. It attempts to exploit CVE-2012-1889 via Internet Explorer.

It should be noted that this specific exploit does not have a function to bypass DEP (Data Execution Prevention). If HTML_EXPLOYT.AE runs on an Internet Explorer with DEP enabled, it causes IE to crash.

However, considering that the attack code for this exploit has been released in the wild, it is possible that we will see a sample that can bypass DEP and ASLR.

HTML_EXPLOYT.AE has three main features, which we will discuss in a 3-part blog series. For part 1, we will discuss the usage of Microsoft XML Core Services.

HTML_EXPLOYT.AE Feature 1: Usage of Microsoft XML Core Services

HTML_EXPLOYT.AE uses object element by using Classid to exploit Microsoft XML Core Services.

Specifically, HTML_EXPLOYT.AE exploits CVE-2012-1889 by referring to uninitialized object.

In order to confirm the root cause of CVE-2012-1889 vulnerability, it is better to check how this code has been used in normally. So here we have the code to exploit CVE-2012-1889, with the heap spray codes deleted:

Now let’s check the vulnerable code above when executed normally:

The upper [eax] points to an object by a virtual function of “msxml3!Document::`vftable”” and[ ecx+18h] point to the “msxml3!Document::weakRelease” function. Its vftable is the following:

From this we can see that the exploit HTML_EXPLOYT.AE takes advantage of the Microsoft XML Core Service (mxml3.dll) vulnerability. Internet Explorer Microsoft XML Core Service (mxml3.dll) uses this module in order to process HTML/XML codes making this program and other applications that uses this module, vulnerable to this attack.

Based on this, we can conclude that it is possible for attackers to use other vectors in order to exploit the Microsoft XML Core Service vulnerability.

Trend Micro protects users from this threat via Smart Protection Network™, which detects and deletes HTML_EXPLOYT.AE. Furthermore, Deep Security prevents attacks exploiting CVE-201-1889 via IDF rule 1005061- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889).

In the second installation of our 3-part series about this exploit, we will share our findings regarding the second feature of HTML_EXPLOYT.AE: Heap Spray.

Last June 13, Microsoft released its security update for Cumulative Security Update for Internet Explorer (2699988) (CVE-2012-1875), which is exploited by a malware detected by Trend Micro as JS_DLOADER.SMGA. The attack code for this vulnerability has also been made public. There are few cases where that attack code is released simultaneously with Microsoft’s security update. In general, malware exploiting such vulnerabilities don’t show up quickly. Since the affected software is Internet Explorer, this attack has significant impact among millions of IE8 users.

By exploiting CVE-2012-1875, JS_DLOADER.SMGA poses a bigger threat to users as it also downloads the backdoor BKDR_AGENT.BCSG, disguised as a .JPG file. This backdoor is capable of communicating with a command-and-control (C&C) server via port 80. In effect, this communication compromises an infected system’s security, making it exposed to further infection.

Read the rest of this entry »