Thursday, February 25, 2010

National Cyber Alert - Technical Cyber Security Alert TA10-055A

Malicious Activity Associated with "Aurora" Internet Explorer Exploit

Original release date: February 24, 2010
Last revised: --
Source: US-CERT


Systems Affected

  • Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6, 7, and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows 7, and Windows Server 2008 R2


Overview

Malicious activity detected in mid-December targeted at least 20 organizations representing multiple industries including chemical, finance, information technology, and media. Investigation into this activity revealed that third parties routinely accessed the personal email accounts of dozens of users based in the United States, China, and Europe. Further analysis revealed these users were victims of previous phishing scams through which threat actors successfully gained access to their email accounts.


I. Description

Through analysis of the malware used in this incident, McAfee discovered one of the malware samples exploited a vulnerability in Microsoft Internet Explorer (IE). The vulnerability exists as an invalid pointer reference within IE and, if successfully exploited, allows for remote code execution.
Microsoft has released Security Bulletin MS10-002, which provides updates for Internet Explorer that address this and other vulnerabilities.
US-CERT is providing technical indicators that can be incorporated into an organization’s security posture to detect and mitigate any malicious activity.
In addition to the discovery of the IE exploit, the following malicious domains were identified as associated with this incident:
Domain | IP Resolution as of 15 January | Notes
blogspot[dot]blogsite[dot]org | 209[dot]200[dot]236[dot]253 | IP address hosts at least 4 domains
voanews[dot]ath[dot]cx | 200[dot]55[dot]186[dot]66 | --
ymail[dot]ath[dot]cx | 59[dot]36[dot]101[dot]217 | IP address hosts at least 3 domains
tyuqwer[dot]dyndns[dot]org | 75[dot]101[dot]212[dot]55 | --
google[dot]homeunix[dot]com | 173[dot]201[dot]21[dot]161 | --
ftp2[dot]homeunix[dot]com | 127[dot]0[dot]0[dot]2 | Domain resolution indicative of offline site status. Call-back discovered through analysis of malware file AppMgmt.dll
360[dot]homeunix[dot]com | 127[dot]0[dot]0[dot]2 | Domain resolution indicative of offline site status. Call-back domain discovered through analysis of malware file rasmon.dll
update[dot]ourhobby[dot]com | 127[dot]0[dot]0[dot]1 | Domain resolution indicative of offline site status. Call-back discovered through analysis of malware file securmon.dll
demo1[dot]ftpaccess[dot]cc/demo/ad[dot]jpg | 127[dot]0[dot]0[dot]2 | Domain resolution indicative of offline site status
360[dot]homeunix[dot]com
ad01[dot]homelinux[dot]com
ads1[dot]homelinux[dot]org
ads1[dot]webhop[dot]org
Aep[dot]homelinux[dot]com
Aka[dot]homeunix[dot]net
alt1[dot]homelinux[dot]com
Amd[dot]homeunix[dot]com
amt1[dot]homelinux[dot]com
amt1[dot]homeunix[dot]org
aop01[dot]homeunix[dot]com
aop1[dot]homelinux[dot]com
app1[dot]homelinux[dot]com
asic1[dot]homeunix[dot]com
Bbsnewss[dot]ath[dot]cx
Bdc[dot]homeunix[dot]com
blog1[dot]servebeer[dot]com
Connectproxy[dot]3322[dot]org
Corel[dot]ftpaccess[dot]cc
Csport[dot]2288[dot]org
ddd1[dot]homelinux[dot]com
demo1[dot]ftpaccess[dot]cc
du1[dot]homeunix[dot]com
Filoups[dot]info
fl12[dot]ftpaccess[dot]cc
ftp1[dot]ftpaccess[dot]cc
ftp2[dot]homeunix[dot]com
Ftpaccess[dot]cc
hho1[dot]homeunix[dot]com
hp1[dot]homelinux[dot]org
i1024[dot]homelinux[dot]com
i1024[dot]homeunix[dot]org
Ice[dot]game-host[dot]org
il01[dot]homeunix[dot]com
il01[dot]servebbs[dot]com
il02[dot]servebbs[dot]com
il03[dot]servebbs[dot]com
Jlop[dot]homeunix[dot]com
li107-40[dot]members[dot]linode[dot]com
lih001[dot]webhop[dot]net
lih002[dot]webhop[dot]net
lih003[dot]webhop[dot]net
list1[dot]homelinux[dot]org
live1[dot]webhop[dot]org
Members[dot]linode[dot]com
on1[dot]homeunix[dot]com
Patch[dot]homeunix[dot]org
patch1[dot]ath[dot]cx
patch1[dot]gotdns[dot]org
patch1[dot]homelinux[dot]org
ppp1[dot]ftpaccess[dot]cc
sc01[dot]webhop[dot]biz
sl1[dot]homelinux[dot]org
temp1[dot]homeunix[dot]com
Tor[dot]homeunix[dot]com
ttt1[dot]homelinux[dot]org
up01[dot]homelinux[dot]com
up1[dot]homelinux[dot]org
up1[dot]mine[dot]nu
up1[dot]serveftp[dot]net
up2[dot]mine[dot]nu
Update[dot]ourhobby[dot]com
update1[dot]homelinux[dot]org
update1[dot]merseine[dot]nu
vm01[dot]homeunix[dot]com
Voanews[dot]ath[dot]cx
Vvpatch[dot]homelinux[dot]org
war1[dot]game-host[dot]org
Webswan[dot]33iqst[dot]com
Xil[dot]homeunix[dot]com
Yahoo[dot]8866[dot]org
McAfee provided several IP addresses involved in the incident:
69[dot]164[dot]192[dot]46
69[dot]164[dot]192[dot]0/24
72[dot]32[dot]6[dot]235
203[dot]69[dot]40[dot]128/27
203[dot]69[dot]41[dot]0/26
203[dot]69[dot]41[dot]64/27
203[dot]69[dot]66[dot]0/27
203[dot]69[dot]68[dot]96/27
203[dot]69[dot]68[dot]128/25
168[dot]95[dot]1[dot]1 – Call-back IP address discovered in file rasmon.dll.
The table below contains the file characteristics of the malware analyzed:
File Name | IPs/Domains | File Details | Description
uploaded_data | -- | MD5: 1AEA206AA64EBEABB07237F1E2230D0F; Byte Size: 17310 | ASCII text, with very long lines, with CRLF line terminators
securmon.dll | call-back: update[dot]ourhobby[dot]com:443 | MD5: E3798C71D25816611A4CAB031AE3C27A; Byte Size: 62464 | MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
Rasmon.dll | call-backs: 360[dot]homeunix[dot]com:443, 168.95.1.1:DNS | MD5: 0F9C5408335833E72FE73E6166B5A01B; Byte Size: 90112; Path: C:\Windows\system32\Rasmon.dll; Type: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit | Installs as a service whose name begins with "UPS" followed by a random string (example: Upskvk); command line: C:\WINDOWS\System32\svchost.exe -k SysIns
ad_1_.jpg | -- | MD5: CD36A3071A315C3BE6AC3366D80BB59C; Byte Size: 34816 | Appears to be a packed executable. A significant portion of the file is XOR'd with 0x95
b.exe | -- | MD5: 9F880AC607CBD7CDFFFA609C5883C708; Byte Size: 34816 | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit, UPX compressed. Drops: Rasmon.dll
cdef | -- | MD5: 29F52213E171C3D4B4418939D9E466C3; Byte Size: 41984 | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit. Drops: AppMgmt.dll
AppMgmt.dll | call-backs: ftp2[dot]homeunix[dot]com:443 | MD5: 6A89FBE7B0D526E3D97B0DA8418BF851; Byte Size: 31744 | MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit. Installs as service "Application Management"
A0029670.dll | -- | MD5: 3A33013A47C5DD8D1B92A4CFDCDA3765; Byte Size: 90112 | MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
msconfig32.sys | -- | MD5: 7A62295F70642FEDF0D5A5637FEB7986 | --
VedioDriver.dll | -- | MD5: 467EEF090DEB3517F05A48310FCFD4EE | --
acelpvc.dll | -- | MD5: 4A47404FC21FFF4A1BC492F9CD23139C | --
wuauclt.exe | -- | MD5: 69BAF3C6D3A8D41B789526BA72C79C2D | --
jucheck.exe | -- | MD5: 79ABBA920201031147566F5418E45F34 | --
AdobeUpdateManager.exe | -- | MD5: 9A7FCEE7FF6035B141390204613209DA | --
zf32.dll | -- | MD5: EB4ECA9943DA94E09D22134EA20DC602 | --
The following signatures can be deployed to assist in detecting malicious activity associated with this incident:
Primary Malware Beacon
alert tcp any any -> any any (msg:"Targeted Malware Communication Beacon Detected"; flow:to_server,established; dsize:20; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; sid:7777777; rev:1;)  
Secondary Malware Beacon
alert tcp any any <> any any (msg:"ORC:DIS:BEACON_380DFF"; content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; sid:99980060; rev:1;)
Note: US-CERT has not verified or tested these signatures and recommends proper testing prior to deployment.
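The two Snort rules above differ in more than their byte pattern: the primary rule only fires on a client-to-server segment whose payload is exactly 20 bytes (dsize:20) and searches only the first 20 bytes (depth:20), while the secondary rule matches its 12-byte pattern anywhere, in either direction. The following Python is an added example, not part of the US-CERT alert, that re-implements both rules offline so the constraints can be checked against captured payloads before the signatures are deployed. The byte patterns and constraints are taken from the rules as published; the sample payloads are constructed.

```python
"""Offline check of TCP payloads against the two beacon signatures in TA10-055A.

This is an added example, not code from the US-CERT alert. The byte patterns
and the rule constraints (flow:to_server, dsize:20, depth:20) are taken from
the alert's Snort rules; the sample payloads below are constructed.
"""

# Primary Malware Beacon: flow:to_server,established; dsize:20;
# content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20
PRIMARY_BEACON = bytes.fromhex("ffffffffffff0000feffffffffffffffffff88ff")
PRIMARY_DSIZE = 20
PRIMARY_MSG = "Targeted Malware Communication Beacon Detected"

# Secondary Malware Beacon: bidirectional (<>), content anywhere, no size limit
# content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"
SECONDARY_BEACON = bytes.fromhex("380dff0ad7ee9dd7ec591356")
SECONDARY_MSG = "ORC:DIS:BEACON_380DFF"


def matches_primary(payload, to_server=True):
    """Primary rule: client-to-server segment whose payload is exactly 20 bytes
    and whose first 20 bytes (depth:20) contain the pattern. The dsize check is
    what keeps this rule from firing on larger payloads that merely embed it."""
    if not to_server:
        return False
    if len(payload) != PRIMARY_DSIZE:
        return False
    return PRIMARY_BEACON in payload[:20]


def matches_secondary(payload):
    """Secondary rule: the 12-byte pattern anywhere in a payload of any size,
    in either direction."""
    return SECONDARY_BEACON in payload


def classify(payload, to_server=True):
    """Return the list of rule messages a segment would raise."""
    hits = []
    if matches_primary(payload, to_server):
        hits.append(PRIMARY_MSG)
    if matches_secondary(payload):
        hits.append(SECONDARY_MSG)
    return hits


# Constructed segments: (label, payload, direction is client->server)
SAMPLE_SEGMENTS = [
    ("exact primary beacon", PRIMARY_BEACON, True),
    ("primary beacon, 21 bytes", PRIMARY_BEACON + b"\x00", True),
    ("primary beacon, server->client", PRIMARY_BEACON, False),
    ("secondary beacon inside larger payload",
     b"POST /x HTTP/1.1\r\n" + SECONDARY_BEACON + b"\r\n", True),
    ("benign", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", True),
]


def run_samples(segments=SAMPLE_SEGMENTS):
    """Map each sample label to the rule messages it triggers."""
    return {label: classify(payload, to_server) for label, payload, to_server in segments}


if __name__ == "__main__":
    for label, msgs in run_samples().items():
        print(f"{label:40s} -> {msgs or 'no alert'}")
```

The 21-byte sample shows why dsize:20 matters: the same 20-byte pattern with one trailing byte does not trigger the primary rule, so a variant that pads its beacon would be missed by that signature while the secondary rule, which has no size constraint, would still catch its own pattern. That is the kind of behaviour the alert's note about testing before deployment is asking you to confirm against your own traffic.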



II. Impact

By convincing a user to view a specially crafted HTML document or Microsoft Office document, an attacker may be able to execute arbitrary code with the privileges of the user.


III. Solution

The Internet Explorer vulnerability used in these attacks is addressed with the updates provided in Microsoft Security Bulletin MS10-002.
Other recommendations include:
  • As a best practice, limit end-user permissions on systems by granting minimal administrative rights.
  • Enable Data Execution Prevention (DEP) for IE 6 Service Pack 2 or IE 7. IE 8 automatically enables DEP.
  • Inspect network traffic history for communication with external systems associated with the attack.
  • Examine computers for specific files or file attributes related to the attack.
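The last two recommendations, checking traffic history against the external systems listed in section I and checking hosts for the listed files, amount to matching logs and inventories against the alert's indicators. The Python below is an added example, not code from the US-CERT alert, showing how to do that: it refangs the alert's "[dot]" notation, matches DNS queries against the domains (including subdomains and ignoring the alert's mixed case), matches answers against the published hosts and CIDR ranges with the standard ipaddress module, and matches file MD5s against the malware table. A subset of the alert's indicators is embedded; the log format, the log lines and the observed-hash list are constructed.

```python
"""Match constructed DNS log lines and file hashes against indicators from TA10-055A.

This is an added example, not code from the US-CERT alert. The domain, IP
and MD5 values are copied from the alert in its defanged "[dot]" form (a
subset); the log format, the log lines and the observed-hash list are
constructed for illustration.
"""

import ipaddress
import re

# Indicators exactly as published (defanged). The alert also lists domains
# that resolved to 127.0.0.x at the time, i.e. were offline; those loopback
# answers are not indicators themselves and are deliberately not listed.
DEFANGED_DOMAINS = [
    "blogspot[dot]blogsite[dot]org",
    "ymail[dot]ath[dot]cx",
    "360[dot]homeunix[dot]com",
    "Update[dot]ourhobby[dot]com",
    "ftp2[dot]homeunix[dot]com",
]
DEFANGED_NETWORKS = [
    "69[dot]164[dot]192[dot]46",
    "69[dot]164[dot]192[dot]0/24",
    "203[dot]69[dot]40[dot]128/27",
    "168[dot]95[dot]1[dot]1",
]
# MD5 -> file name, from the alert's malware table.
KNOWN_MD5 = {
    "E3798C71D25816611A4CAB031AE3C27A": "securmon.dll",
    "0F9C5408335833E72FE73E6166B5A01B": "Rasmon.dll",
    "6A89FBE7B0D526E3D97B0DA8418BF851": "AppMgmt.dll",
}


def refang(indicator):
    """Undo the alert's '[dot]' defanging and normalise case; the alert mixes
    'update[dot]ourhobby[dot]com' and 'Update[dot]ourhobby[dot]com'."""
    return indicator.replace("[dot]", ".").strip().lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
# ip_network() treats a bare host as a /32; strict=False tolerates host bits.
NETWORKS = [ipaddress.ip_network(refang(n), strict=False) for n in DEFANGED_NETWORKS]


def domain_is_indicator(name):
    """Exact match or subdomain of a published domain, case-insensitive."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in DOMAINS)


def ip_is_indicator(ip):
    """True when the address falls inside any published host or CIDR range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in NETWORKS)


# Constructed log format: "<timestamp> <client> query <name> -> <answer>"
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) -> (\S+)$")


def scan_dns_log(lines):
    """Return (client, name, answer, reasons) for each line touching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        _ts, client, name, answer = m.groups()
        reasons = []
        if domain_is_indicator(name):
            reasons.append("domain")
        if ip_is_indicator(answer):
            reasons.append("ip")
        if reasons:
            hits.append((client, name, answer, reasons))
    return hits


def scan_hashes(observed):
    """observed: (path, md5) pairs from a host inventory; returns (path, known name)."""
    return [(path, KNOWN_MD5[md5.upper()]) for path, md5 in observed
            if md5.upper() in KNOWN_MD5]


# Constructed samples.
SAMPLE_DNS_LOG = [
    "2010-01-14T10:02:11Z 10.0.0.5 query 360.homeunix.com -> 127.0.0.2",
    "2010-01-14T10:02:12Z 10.0.0.7 query www.example.com -> 93.184.216.34",
    "2010-01-14T10:03:01Z 10.0.0.9 query cdn.example.net -> 69.164.192.77",
    "2010-01-14T10:04:00Z 10.0.0.5 query Update.Ourhobby.Com -> 127.0.0.1",
    "malformed line that the parser should skip",
]
SAMPLE_HASHES = [
    ("C:\\Windows\\system32\\Rasmon.dll", "0f9c5408335833e72fe73e6166b5a01b"),
    ("C:\\Windows\\notepad.exe", "00000000000000000000000000000000"),
]
```

Running scan_dns_log(SAMPLE_DNS_LOG) flags the two lookups of listed domains even though they resolved to loopback, which is the right outcome: the alert records those domains as offline, but a host that still queries them is worth examining. The cdn.example.net line is flagged on its answer alone, because 69.164.192.77 falls inside the published 69[dot]164[dot]192[dot]0/24 range.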


IV. References
