Tuesday, February 23, 2010

Feb 22 CVE-2006-6456 MS Word Taiwan 2010 from diguapinggao@gmail.com Feb 22, 2010 4:17 AM

This is an old exploit targeting systems that have been left unpatched for a long time. It appears that the document was created using 2007最新DOC捆绑器 (thanks to zha0 for helping translate and spell the tool name). The tool can be easily found online and is designed to exploit the CVE-2006-6456 / MS07-014 vulnerability. According to the Symantec post describing this tool in April 2007, shellcode in documents generated by the tool usually starts at offset 0x16730, which appears to be the case here too. The exploit will not work on Office 2003 SP3, or on earlier versions with MS update KB 929434 (MS07-014) installed.

Update March 3, 2010 - Abhishek Lyall kindly provided additional details about the sample
"The "taskmgr.exe" is embedded from offset 0x24E00. The exe is XOR'ed with the 64-bit key 0xCA5039AF00000000. If you XOR the file again with the same key you'll find the exe headers at offset 0x24E00." Please see his screenshot below.
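An added example (not from the post, and not Abhishek Lyall's own script) that applies the XOR decoding described above. It assumes the key is applied as the byte sequence CA 50 39 AF 00 00 00 00, keyed from the start of the embedded file (0x24E00 is a multiple of 8, so keying from the document start gives the same result), and it generalises the step by scanning for any offset at which decoding yields a PE header. The sample input is constructed, not the real document.

```python
import struct

# Key as quoted in the post, 0xCA5039AF00000000. Byte order is an ASSUMPTION:
# it is applied here as the 8 bytes CA 50 39 AF 00 00 00 00, repeating.
XOR_KEY = bytes.fromhex("CA5039AF00000000")
EXE_OFFSET = 0x24E00  # offset of the embedded exe named in the post

def xor_region(data: bytes, key: bytes, start: int = 0, length=None) -> bytes:
    """XOR data[start:start+length] with the repeating key, keyed from 'start'."""
    end = len(data) if length is None else min(len(data), start + length)
    region = data[start:end]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(region))

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(blob) - 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def decode_embedded(doc: bytes, key: bytes = XOR_KEY, offset: int = EXE_OFFSET) -> bytes:
    """The post's step: decode from the known offset to the end of the document."""
    return xor_region(doc, key, offset)

def find_xored_pe(doc: bytes, key: bytes) -> list:
    """Generalisation: every offset at which XOR-decoding with the key exposes a PE header.
    Only the XORed 'MZ' bytes are searched, then each candidate is verified."""
    hits = []
    xored_mz = bytes([ord("M") ^ key[0], ord("Z") ^ key[1]])
    pos = doc.find(xored_mz)
    while pos != -1:
        if looks_like_pe(xor_region(doc, key, pos, 0x400)):
            hits.append(pos)
        pos = doc.find(xored_mz, pos + 1)
    return hits

def build_sample() -> bytes:
    """CONSTRUCTED input: 0x200 bytes of filler, then a minimal PE stub XORed with the key."""
    stub = bytearray(0x100)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)  # e_lfanew -> 0x80
    stub[0x80:0x84] = b"PE\0\0"
    return b"\x00" * 0x200 + xor_region(bytes(stub), XOR_KEY)

if __name__ == "__main__":
    doc = build_sample()
    print("candidate exe offsets:", [hex(o) for o in find_xored_pe(doc, XOR_KEY)])
```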

Download the following files as a password protected archive. (Please contact me if you need the password)

├───analysis files (by Tom - see below)
│   exe (taskmgr.ex 441D239744D05B861202E3E25A2AF0CD 32,768 bytes; taskmgr.idb)
│   shell (shel1.bin; shel1.idb; shel2.bin; shel2.idb)
│   1.tmp 441D239744D05B861202E3E25A2AF0CD 32,768 bytes
│   Taiwan 2010.doc 85AF26A74E548B56ADEA933CFB878520 52,224 bytes
│   taskmgr.exe 441D239744D05B861202E3E25A2AF0CD 32,768 bytes
└───original doc
    Taiwan 2010.doc 9EF09819AA5D552ECB15067A14A33152 183,808 bytes

From: 孙丰 [mailto:diguapinggao@gmail.com]
Sent: Monday, February 22, 2010 4:17 AM
To: diguapinggao@gmail.com
Subject: Taiwan 2010

File Taiwan_2010.doc received on 2010.02.23 12:07:47 (UTC)
Result: 8/41 (19.52%)
Authentium    2010.02.23    MSWord/Dropper.B!Camelot
Avast    4.8.1351.0    2010.02.23    MPPT97:ShellCode-A
Fortinet    2010.02.21    MSWord/Agent.Y!exploit
GData    19    2010.02.23    MPPT97:ShellCode-A
Jiangmin    13.0.900    2010.02.23    Exploit.MSWord.b
McAfee-GW-Edition    6.8.5    2010.02.23    Heuristic.BehavesLike.Exploit.OLE2.CodeExec.EBKP
Panda    2010.02.22    Trj/1Table.C
Sophos    4.50.0    2010.02.23    Troj/MalDoc-Fam
File size: 183808 bytes
MD5...: 9ef09819aa5d552ecb15067a14a33152

OfficeMalScanner results

Analysis by Tom (thank you, Tom)---------------------------

Shellcode in hex (obfuscated shellcode)

Obfuscated second part of the shell and part of the exe

Shellcode 1

EXE  - taskmgr.exe
before and after transposition.

Embedded exe  

Virustotal scan results
File taskmgr.ex received on 2010.02.24 05:10:04 (UTC)
Result: 1/41 (2.44%)
Symantec     20091.2.0.41     2010.02.24     Suspicious.Insight
Additional information
File size: 32768 bytes
MD5   : 441d239744d05b861202e3e25a2af0cd

Screenshot from Abhishek Lyall

Additional information:

The dropped file taskmgr.exe establishes a connection with xwwl8899.vicp.net, hosted on a server in China (information from robtex.com):

      ISP:    CHINANET Anhui province network
      Organization:    CHINANET Anhui province network
      Country:    China
      State/Region:    Anhui

Wireshark capture
DNS queries and TCP connections to

wwl8866.vicp.net has one IP number. vicp.net is a domain controlled by two nameservers at dnsoray.net. They are on different IP networks. vicp.net has one IP number. xwwl8866.vicp.net is hosted on a server in China. It is not listed in any blacklists.

xwwl8866.vicp.net points to an address that is blacklisted in four lists:

  • dev.null.dk
  • spamsources.fabel.dk
  • spam.dnsbl.sorbs.net - List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS. This zone also contains netblocks of spam supporting service providers, this could be for providing websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam will cause the supporter to be blocked.
  • no-more-funn.moensted.dk

inetnum: -
netname: CHINANET-AH
country: CN
descr: CHINANET Anhui province network
descr: Data Communication Division
descr: China Telecom
admin-c: CH93-AP
tech-c: AT318-AP
mnt-by: APNIC-HM
changed: hm-changed@apnic.net 20060322
source: APNIC

address: 305 Changjiang West Road
address: Hefei Anhui China
country: CN
phone: +86 0551 5185089
fax-no: +86 0551 5185500
e-mail: wanglinlin2@anhuitelecom.com
trouble: send spam reports to abuse@ah163.com
trouble: and abuse reports to abuse@ah163.com
trouble: Please include detailed information and
trouble: times in GMT+8:00
admin-c: LW604-AP
tech-c: LW604-AP
nic-hdl: AT318-AP
remarks: http://www.ah163.net
notify: wanglinlin2@anhuitelecom.com
changed: wanglinlin2@anhuitelecom.com 20060323
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
source: APNIC

descr: PNAP-SEA usei chinanet routes
origin: AS4134
changed: swhitson@internap.com 20010524
source: RADB

Anubis report

Exe autostart

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  Value C:\Taskmgr.exe
