Thursday, January 20, 2011

Jan 20 CVE-2010-3333 DOC Materials.doc from 216.183.175.3 (Cleveland Council on World Affairs)

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability".

Please read the technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog: "Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)", 29 Dec 2010 12:10 PM.

General File Information

File: Materials.doc
MD5: 2EEA004842A335607B612FF10418F6C6
SHA1: a81a35804c056186c533ddd31e22ee0c0d2aa4df
File size: 243663 bytes
Type: DOC by extension; the content is RTF (see the Magic line under Automated Scans). Word opens the file by content, so the extension does not matter to the exploit.
Distribution: Email attachment

Post Update

February 7, 2011

There was a second mailing the day after the first one, from a different Yahoo account and a different source IP.

 From: Anne Principe [mailto:anne.principe@yahoo.com]
Sent: Friday, January 21, 2011 6:54 AM
To: XXXXXXXXXXXXX
Subject: This is the materials you need

This is The Materials I told you about. Please check it and reply as soon as possible.
  Best
Headers
Received: (qmail 736 invoked from network); 21 Jan 2011 11:54:30 -0000
Received: from web120514.mail.ne1.yahoo.com (HELO web120514.mail.ne1.yahoo.com) (98.138.85.241)
  by XXXXXXXXXXXXXXXXX; 21 Jan 2011 11:54:30 -0000
Received: (qmail 38488 invoked by uid 60001); 21 Jan 2011 11:54:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1295610869; bh=T6PYZhAJBvHdbMDRjYJCy748DpISxb703J9WYvNrE8M=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=KNLZKhWTr+Z+UMtiMC6dY7GmKt49wyNHC8Y1j8kv5f/KM8u7bs6ifqGFNhwckx18edFsi+ajzhsNM01R8UN+ox/r9Ss6ut/Mssll5hxwtBHXEmvIxrl8dFTUg/CmMgSjJNhW6KlOZfVkUU2nikWaMzxkqSgTJ9JCM828Qw1xZbM=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=eqwO+5NenEdsqmjuNowZ25VlFcli8zNaedc26kn00QeqFLcMxeSuTDB+vYhmeUYJfAYe+fZ13q8p1qKILMX0AMH7/MDwbeBOBaRL8xTf33LpWE4KwgeYq4uEKjZfptSRvA6RrpPHjDLWoE55D0uAMGV/hMk50g7s/eGes9VnAc0=;
Message-ID: <416336.37770.qm@web120514.mail.ne1.yahoo.com>
X-YMail-OSG: duFcYVsVM1lbQScN.uiS.a_.kSCtbZmEsYYlwKxqs50olw9
 S80HwIFK3gqCA7OM9LSU.JBWKbHZXNzNbBWlx1y8__meJqFUjCoB3qTY9ll4
 79Y_9XKC5KZXY6_OTA6RVB1j8NwW8Ozasz_xzbX5Ajh.yX7Y2NqePEUnApDc
 pWb0wpspWrIpPe9w9gzbAfrYmQRTXiyQtlxFjd_gk272zbKkWkcTAtxtFsiY
 UjAwiofHbox4vUrwVCekO.jf11bo-
Received: from [211.55.34.205] by web120514.mail.ne1.yahoo.com via HTTP; Fri, 21 Jan 2011 03:54:29 PST
X-Mailer: YahooMailRC/555 YahooMailWebService/0.8.107.285259
Date: Fri, 21 Jan 2011 03:54:29 -0800
From: Anne Principe
Subject: This is the materials you need
To: XXXXXXXXXXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1514884592-1295610869=:37770"

IP Information for 211.55.34.205
Hostname:    211.55.34.205
ISP:    KRNIC
Organization:    Korea Telecom
Country:    Korea
State/Region:    Soul-t'ukpyolsi
City:    Seoul

Download

The message was sent from a Yahoo webmail account. The bottom "Received: from [216.183.175.3] by ... via HTTP" header records the address the account was logged in from: 216.183.175.3, which resolves to mail.ccwa.org, a Small Business server belonging to the Cleveland Council on World Affairs. That tells us where the Yahoo session originated, not that CCWA itself sent the mail.

The Word document (RTF content with a .doc extension) contains an embedded, encrypted executable. At the time of analysis only 3 of 43 VirusTotal engines detected it, so it can be expected to pass most enterprise AV filters.
The files dropped by the attachment generate traffic to 202.150.208.227 (update3.effers.com), hosted at NewMedia Express Pte Ltd, a web hosting company in Singapore.

Upon opening, the document displays a resume.

The trojan that gets installed is designed to steal information from the infected computer; the capture shows the user name and system information being sent to the server above.


File Analysis

For an analysis of the shellcode, see this post by @binjo (Genwei Jiang): https://github.com/binjo/misc/blame/master/x0.html

Original Message



From: John Resig [mailto:johnresig37@yahoo.com]
Sent: Thursday, January 20, 2011 6:54 AM
To: XXXXXXX
Subject: Materials you need

Hi XXXXXXXXXX
This is The Materials I told you about. Please check it and reply as soon as possible.
  Yours


Message Headers

Received: from XXXXXXXXXXXXXXXXXXXX by XXXXXXXXXXXXXXXXXX
 (XXXXXXXXXXXXXXXXXX) Thu, 20 Jan 2011
 06:54:26 -0500
X-VirusChecked: Checked
X-Env-Sender: johnresig37@yahoo.com
X-Msg-Ref: XXXXXXXXXXXXXXXXXXXXX
X-StarScan-Version: 6.2.9; banners=-,-,-
X-Originating-IP: [98.138.82.220]
X-SpamReason: No, hits=0.0 required=7.0 tests=HTML_MESSAGE
Received: (qmail 30083 invoked from network); 20 Jan 2011 11:54:25 -0000
Received: from web120713.mail.ne1.yahoo.com (HELO
 web120713.mail.ne1.yahoo.com) (98.138.82.220)  by
 XXXXXXXXXXXXXXXXXXXXXXXXXXX with SMTP; 20 Jan 2011 11:54:25 -0000
Received: (qmail 29995 invoked by uid 60001); 20 Jan 2011 11:54:24 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1295524464; bh=0LiA/GFk0fBVixLkc6Lv0daaDswB4Y6aZuGINXe6QzQ=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=HEgHjHUk4oArhL3nePrfCSImQkCcwMoLp7uIaxs9kTMrfSiptgmIPEOlze4U+nDekuQgyHZpuF+E7VN2sOPJLsDyCs9XR4Crpx40ERF260xQZGQrNK9dFRdq1FeN0sCF2BY3cImaBw8c5jH8G98KFWdE9P1YMeHrHBP53xcQfF8=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=UPbHxJjJgBCSWCkGYaikDD5YLYJNOWO4ai28rueC9j3MJ0ONCwnf1zPHGMXdHIiUmfYcxo+bsYntj0W3RHdAjwNlnsN0uMKx0l+5s4xaNU922rcEEEO0MWWvJuizPwwWTbLs6ADervut68ylvaS+y7k6ne4qkPv/DyBF/inUYtc=;
Message-ID: <503427.29909.qm@web120713.mail.ne1.yahoo.com>
X-YMail-OSG: qTj3pWkVM1kmufcLulCg4tP_uqiyEH7rDjuPI2A0J0G6ff3
 omr2jR9.0gS2ERYOZNEX.MJBapzDek_EEhzG5tgvyUWtFt7BeEDTb7q4OyoA
 Omqszx4XdIUCYog1YVN79KaTicCO7vdYZwoBpC8A171yy_h.5zzgIMNhn977
 WxbI9CK58yNDuwfYEZWDbB4EpXGliPmpOYgbP.w--
Received: from [216.183.175.3] by web120713.mail.ne1.yahoo.com via HTTP; Thu,
 20 Jan 2011 03:54:24 PST
X-Mailer: YahooMailRC/555 YahooMailWebService/0.8.107.285259
Date: Thu, 20 Jan 2011 03:54:24 -0800
From: John Resig
Subject: Materials you need
To: XXXXXXXXXXXXXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-262391507-1295524464=:29909"
Return-Path: johnresig37@yahoo.com
X-MS-Exchange-Organization-PRD: yahoo.com
Received-SPF: None XXXXXXXXXXXX: johnresig37@yahoo.com does not
 designate permitted sender hosts)
X-MS-Exchange-Organization-SenderIdResult: NONE

Sender

IP Information for 216.183.175.3

IP Location: United States Cleveland Continental Broadband Pennsylvania Inc
Resolve Host: mail.ccwa.org
IP Address: 216.183.175.3    Cleveland Council on World Affairs (via yahoo account)
NetRange:       216.183.160.0 - 216.183.191.255
CIDR:           216.183.160.0/19
OriginAS:
NetName:        CBP
NetHandle:      NET-216-183-160-0-1
Parent:         NET-216-0-0-0-0
NetType:        Direct Allocation
NameServer:     AUTH1.DNS.EXPEDIENT.COM
NameServer:     AUTH2.DNS.EXPEDIENT.COM
NameServer:     AUTH3.DNS.EXPEDIENT.COM
Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:        2000-09-07
Updated:        2007-05-22
Ref:            http://whois.arin.net/rest/net/NET-216-183-160-0-1
OrgName:        CONTINENTAL BROADBAND PENNSYLVANIA, INC.
OrgId:          CBP-17
Address:        810 Parish St
City:           Pittsburgh
StateProv:      PA
PostalCode:     15220
Country:        US


Automated Scans

File name: Materials.doc
http://www.virustotal.com/file-scan/report.html?id=68f10c2f8a484fcecdbbaa69cf01caf3d3bb725f66e7db00cd30c3d84a5c6af4-1295557632
Result: 3/43 (7.0%)
Avast     4.8.1351.0     2011.01.20     RTF:CVE-2010-3333
Avast5    5.0.677.0      2011.01.20     RTF:CVE-2010-3333
GData     21             2011.01.20     RTF:CVE-2010-3333
MD5   : 2eea004842a335607b612ff10418f6c6
SHA1  : a81a35804c056186c533ddd31e22ee0c0d2aa4df
SHA256: 68f10c2f8a484fcecdbbaa69cf01caf3d3bb725f66e7db00cd30c3d84a5c6af4
ssdeep: 3072:G0sQabH8jbvZwI32Vu4xiW3gKKZhXhZs65XgpO:nPwI32VuUiWQKKDXhi6K0

File size : 243663 bytes
First seen: 2011-01-20 21:07:12
Last seen : 2011-01-20 21:07:12
Magic: Rich Text Format data, version 1, unknown character set
TrID:
Rich Text Format (100.0%)
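The scan result above is the point a triage script should catch before anyone opens the attachment: the file is named .doc but its magic is RTF, and Word will parse it as RTF regardless of the extension. The Python below is an added example (not code from the original post): it sniffs the container type from the first bytes, flags an extension/content mismatch, and applies a heuristic for the CVE-2010-3333 trigger, the shape property written as \sn pFragments whose \sv value the vulnerable RTF parser mishandles. The pFragments check is a heuristic, not proof of exploitation, since the property is legal RTF. The sample documents are constructed inline and are not the real Materials.doc.

```python
import re
from typing import Dict, List

RTF_MAGIC = b"{\\rtf"                             # "{\rtf" followed by the version digit
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file: legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx) is a zip container

# Heuristic for the CVE-2010-3333 trigger property. Rare in legitimate files,
# but not impossible, so it raises suspicion rather than a verdict.
PFRAGMENTS = re.compile(rb"\\sn\s+pFragments", re.I)

# What each extension should contain; anything else is a mismatch worth a look.
EXPECTED = {"doc": "ole2", "dot": "ole2", "docx": "ooxml", "docm": "ooxml", "rtf": "rtf"}


def sniff(data: bytes) -> str:
    """Classify by content, the way Word does, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    # Word tolerates leading whitespace before the RTF header, so strip it first.
    if data.lstrip(b" \t\r\n").startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Return the sniffed type plus a list of human-readable findings."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    findings: List[str] = []
    expected = EXPECTED.get(ext)
    if expected and kind != expected:
        findings.append(f"extension .{ext} but content is {kind}")
    if kind == "rtf" and PFRAGMENTS.search(data):
        findings.append("RTF carries \\sn pFragments (CVE-2010-3333 trigger property)")
    return {"type": kind, "findings": findings, "suspicious": bool(findings)}


# Constructed samples (not the real attachment): a benign RTF, an RTF renamed
# to .doc carrying a pFragments shape property, and a minimal OLE2 header.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}\\f0 Hello.\\par}"
RTF_AS_DOC = (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;"
              + b"41" * 64 + b"}}}}}")
OLE_DOC = OLE_MAGIC + b"\x00" * 504


if __name__ == "__main__":
    for name, blob in (("notes.rtf", BENIGN_RTF), ("Materials.doc", RTF_AS_DOC), ("report.doc", OLE_DOC)):
        print(name, triage(name, blob))
```

Run over a mail gateway quarantine, the mismatch rule alone would have separated this sample from genuine Word binaries, which is a cheaper signal than waiting for engine coverage to reach the file.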


I think the malware is similar to the one described here
http://www.threatexpert.com/report.aspx?md5=82e455cb548f392c90246d472077b8fc

Partial Registry changes

The trojan starts the MSDTC service (Distributed Transaction Coordinator), changes its start type from manual (0x3) to automatic (0x2) and its service account from NetworkService to LocalSystem. Each value is listed as the old setting followed by the new one:
HKLM\SYSTEM\ControlSet001\Services\MSDTC\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\MSDTC\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\MSDTC\ObjectName: "NT AUTHORITY\NetworkService"
HKLM\SYSTEM\ControlSet001\Services\MSDTC\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000B
HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000C

Files created
%system%\oci.dll
Size: 48640
MD5:  29A4D731912C09575244EB47A7FC050A
Virustotal 0/43
Symantec reputation:Suspicious.Insight

File: oci.dll (same name and location where an Oracle client would have oci.dll (Oracle Call Interface), except this file has no resemblance to the real oci.dll). I am not sure if installed Oracle software would change the behavior of the trojan.
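The oci.dll drop and the MSDTC registry changes belong together: MSDTC's Oracle XA support tries to load oci.dll from the System32 directory when it is present, so a fake oci.dll there plus a service switched to auto-start as LocalSystem is a DLL side-loading persistence mechanism that also runs the payload with SYSTEM privileges. The Python below is an added example (not code from the original post) of turning the registry-change and dropped-file lists above into findings. It assumes the duplicated registry lines are before/after pairs (first value old, second new), which is how the post reads them, and uses the standard Windows service Start values (2 = automatic, 3 = manual). The input is the post's own lines, embedded inline.

```python
import re
from typing import Dict, List, Tuple

# Windows SERVICE_* start types stored in HKLM\SYSTEM\...\Services\<svc>\Start.
START_TYPE = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Constructed input: the registry lines quoted in this post, read as before/after pairs.
REGISTRY_CHANGES = r"""
HKLM\SYSTEM\ControlSet001\Services\MSDTC\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\MSDTC\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\MSDTC\ObjectName: "NT AUTHORITY\NetworkService"
HKLM\SYSTEM\ControlSet001\Services\MSDTC\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000B
HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000C
"""
DROPPED_FILES = [r"%system%\oci.dll", r"%Windir%\Temp\uid.ax"]

# key path, then the value name (empty for the default value), then the data.
LINE = re.compile(r"^(?P<key>HK[A-Z_]+\\.+?)\\(?P<name>[^\\:]*):\s*(?P<val>.*)$")
SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)$", re.I)


def parse_changes(text: str) -> Dict[Tuple[str, str], List[object]]:
    """Group data by (key, value name) in order of appearance, so a changed value
    shows up as [old, new]. Hex values become ints, quoted strings lose their quotes."""
    out: Dict[Tuple[str, str], List[object]] = {}
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        raw = m.group("val").strip()
        val: object = int(raw, 16) if raw.lower().startswith("0x") else raw.strip('"')
        out.setdefault((m.group("key"), m.group("name")), []).append(val)
    return out


def assess(changes: Dict[Tuple[str, str], List[object]], dropped: List[str]) -> List[str]:
    """Flag service persistence, account escalation and the MSDTC/oci.dll pairing."""
    findings: List[str] = []
    per_service: Dict[str, Dict[str, Tuple[object, object]]] = {}
    for (key, name), vals in changes.items():
        m = SERVICE_KEY.search(key)
        if m and len(vals) >= 2:
            per_service.setdefault(m.group(1).upper(), {})[name] = (vals[0], vals[-1])

    for svc, props in per_service.items():
        if "Start" in props:
            old, new = props["Start"]
            if new == 2 and old != 2:
                findings.append(f"{svc}: start type {START_TYPE.get(old, old)} -> automatic (persistence)")
        if "ObjectName" in props:
            old, new = props["ObjectName"]
            if str(new).lower() == "localsystem" and str(old).lower() != "localsystem":
                findings.append(f"{svc}: service account {old} -> LocalSystem (privilege escalation)")

    # oci.dll in the system directory is only meaningful next to MSDTC tampering.
    oci_in_sysdir = any(
        p.lower().replace("/", "\\").rsplit("\\", 1)[-1] == "oci.dll" and "system" in p.lower()
        for p in dropped)
    if oci_in_sysdir and "MSDTC" in per_service:
        findings.append("oci.dll dropped in the system directory alongside MSDTC changes: "
                        "MSDTC Oracle XA side-loading persistence")
    return findings


if __name__ == "__main__":
    for f in assess(parse_changes(REGISTRY_CHANGES), DROPPED_FILES):
        print(f)
```

The same two checks, an unexpected oci.dll in System32 and an MSDTC service that is auto-start as LocalSystem, are cheap to sweep for across a fleet with any host inventory tool, and a system with no Oracle client has no legitimate reason for either.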

%Windir%\Temp\uid.ax
Size: 16 bytes
MD5: 1e496c50e87166ee6df33d26824f16c8
Virustotal 0/43


There is an Alternate Data Stream (ADS) attached to the file, possibly to accept some logs from the system before transmitting them to the attacker. I did not run it long enough to tell exactly but currently there is no data that I can see


Stream Name: :SummaryInformation:$DATA
Filename: C:\WINDOWS\temp\uid.ax
Full Stream Name: C:\WINDOWS\temp\uid.ax:SummaryInformation
Stream Size: 88
Stream Allocated Size: 4,096

Stream Name: :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
Filename: C:\WINDOWS\temp\uid.ax
Full Stream Name: C:\WINDOWS\temp\uid.ax:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Stream Size: 0
Stream Allocated Size: 0

Network activity

Download pcap file
[-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    DNS Queries:
        Name: [ update3.effers.com ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 202.150.208.227 ], Successful: [ 1 ], Protocol: [ udp ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    HTTP Conversations:
        to 202.150.208.227:80 - the capture records the transmission of data such as the user name and system information

IP Location:
Singapore Singapore Newmedia Express Pte Ltd Singapore Web Hosting
Resolve Host: 202-150-208-227.rev.ne.com.sg
IP Address: 202.150.208.227 
Reverse IP: 1 website uses this address. (example: budai125.net)
inetnum:      202.150.208.0 - 202.150.223.255
netname:      NEWMEDIAEXPRESS-AP
descr:        NewMedia Express Pte Ltd, Singapore Web Hosting
country:      SG
admin-c:      SW640-AP
tech-c:       SW640-AP
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:      This object can only be updated by APNIC hostmasters.
remarks:      To update this object, please contact APNIC
remarks:      hostmasters and include your organisation's account
remarks:      name in the subject line.
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:       20070118
status:       ALLOCATED PORTABLE
mnt-by:       APNIC-HM
mnt-lower:    MAINT-SG-NEWMEDIAEXPRESS
source:       APNIC

person:         Shian Loong Woo
nic-hdl:        SW640-AP
e-mail:         
address:        25 Kallang Avenue
address:      #05-04
address:        Singapore 339416
phone:          +65 63967188
fax-no:         +65 63967189
country:        SG
changed:         20110107
mnt-by:         MAINT-SG-NEWMEDIAEXPRESS
source:         APNIC
