Tuesday, March 1, 2011

Feb 25 CVE-2010-3333 DOC China's Military Build-up from a compromised IBEW-NECA Joint Trust Funds account

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)  29 Dec 2010 12:10 PM

  General File Information

File  China's Military Build-up in the Early Twenty-first Century
MD5   02B77C3941478A05F2EE6559E3B76FB6
SHA1 
cd7a8327dc8917d90bdbe693a310fa75a43a1ae0
File size : 214503 bytes
Type:  PDF
Distribution: Email attachment

Download

Sender: It appears that the message is not spoofed but was sent from a compromised account, which belongs to an existing employee of "The Local 26 IBEW-NECA Joint Trust Funds" located in Laurel, Maryland.

This mail server IP 69.85.28.235 is not shared by multiple customers and it was already featured by the Project Honeypot for sending phishing mail
It appears to be a hosted mail server.  Please see more information about this in the Sender section below.

Attachment: The attachment is a malicious word (RTF) document (CVE-2010-3333), with the payload described below plus a clean word document - the paper named in the subject of the message "China’s military build-up in the early twenty-first century : from arms procurement to war-fighting capability" The paper itself in pdf format is available at the Nanyang Technological University website (Singapore)

Payload: The embedded binary (Trojan.CryptRedol.Gen.3) creates a copy of itself (same MD5 each time) with a new name in %userprofile%\Local Settings, connects to an IP in Thailand, creates a registry setting to run on startup, it runs under svchost.exe.
The names match standard Windows DLL and EXE files. There are 34 (at least 40) variations possible.  Please see older files with  similar  AV detection  here

List of possible names:
    Alerter.exe
    AppMgmt.exe
    CiSvc.exe
    ClipSrv.exe
    COMSysApp.exe
    dmadmin.exe
    Dot3svc.exe
    EapHost.exe
    HidServ.exe
    hkmsvc.exe
    ImapiService.exe
    Messenger.exe
    mnmsrvc.exe
    MSDTC.exe
    MSIServer.exe
    napagent.exe
    NetDDE.exe
    NetDDEdsdm.exe
    Netlogon.exe
    NtLmSsp.exe
    NtmsSvc.exe
    ose.exe
    RasAuto.exe
    RDSessMgr.exe
    RemoteAccess.exe
    rpcapd.exe
    RpcLocator.exe
    RSVP.exe
    SwPrv.exe
    SysmonLog.exe
    TlntSvr.exe
    upnphost.exe
    UPS.exe
    VSS.exe
    WmdmPmSN.exe
    Wmi.exe
    WmiApSrv.exe
    wuauserv.exe
    xmlprov.exe

Original Message

----Original Message-----
From: Cxxxxxxxxxx  Mxxxxxxxxxxx [mailto:cmxxxxxxxx@ewtf.org]
Sent: Friday, February 25, 2011 3:57 AM
To: XXXXXXXXXXXXXX
Subject: China's Military Build-up in the Early Twenty-first Century

Dear all,

1.  Abstract:
Since the late 1990s, China’s military arsenal has been dramatically modernised. However, the actual military value of the newly developed systems has yet to be clarified. This study attempts to do so, on the basic assumption that technological military progress per se is not sufficient to increase military strength. Instead of evaluating arms development in technological terms, it therefore adopts an alternative approach to consider its adaptability to the country’s strategic situation.

To this end, the study employs the concepts of military procurement and military readiness, and makes two assumptions. First, the value of a weapon system is measured by its suitability to the country’s military, economic and technological conditions, and the degree to which it is supplied to the military in the required quantities, timeframe and with the appropriate sustaining support. Second, the country’s ability to meet these requirements depends to a large extent on conditions related to the procurement process.

Exploring China's recent military procurement approaches, the study finds that the relationship between China’s strategic conditions and its procurement efforts tends to be tenuous, China’s inclination towards self-reliance is strengthening, and the technological ambition of its military procurement is ever-increasing. Under these conditions, the paper concludes that in remote and complex conflicts, China’s military procurement process could reduce the actual military value of the newly developed weapon systems.

2. Bio:
Yoram Evron is a Visiting Fellow at the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University. He is also Assistant Professor in the Department of Asian Studies at the University of Haifa, and a Research Fellow at the Institute for National Security Studies (INSS). Dr. Evron’s research interests include theories and practices of China’s national security, military development and military procurement, and China-Middle East relations. He holds a Ph.D. in Political Science from the University of Haifa. Address for correspondence: Yoram Evron, Department of Asian Studies, University of Haifa, Mount Carmel, Haifa 31905, Israel.

Message Headers


Received: (qmail 5101 invoked from network); 25 Feb 2011 08:54:19 -0000
Received: from ewtfdc2.ewtf.org (HELO ewtfexch07.ewtf.org) (69.85.28.235)
  by xxxxxxxxxxxx with SMTP; 25 Feb 2011 08:54:19 -0000
Received: from ewtfexch07.ewtf.org ([192.9.200.202]) by ewtfexch07
 ([192.9.200.202]) with mapi; Fri, 25 Feb 2011 03:56:44 -0500
From: CXXXXX MXXXXXX
To: "XXXXXXXXXXX" 
Date: Fri, 25 Feb 2011 03:56:43 -0500
Subject: China's Military Build-up in the Early Twenty-first Century
Thread-Topic: China's Military Build-up in the Early Twenty-first Century
Thread-Index: AQHL1Mnsw1zqzd9eEkCwCEeLEIBloQ==
Message-ID: <3F535BAE97971649A1F52F35547BEB4361A136548B@ewtfexch07>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/mixed;
    boundary="_002_3F535BAE97971649A1F52F35547BEB4361A136548Bewtfexch07_"
MIME-Version: 1.0


Sender

69.85.28.235

It is blacklisted in one list. 

Hostname:    ewtfdc2.ewtf.org
ISP:    Global Telecom Brokers
Organization:    Global Telecom Brokers
Type:    Corporate
Assignment:    Static IP
State/Region:    Maryland
City:    Ridgely

Sender: It appears that the message is not spoofed but was sent from a compromised account (possibly it is a compromsed/misconfigured Exchange mail server), which belongs to "The Local 26 IBEW-NECA Joint Trust Funds" located in Laurel, Maryland.
This mail server IP 69.85.28.235 is not shared by multiple customers and it was already featured by the Project Honeypot for sending phishing mail
It appears to be a hosted mail server.


Automated Scans

File name:China's Military Build-up in the Early Twenty-first Century.doc
http://www.virustotal.com/file-scan/report.html?id=08c38be704142757bcde9f24a7a9d2db126fcc81ce6de7cc7792c035e956bedf-1298938615
Submission date:2011-03-01 00:16:55 (UTC)
Result:8/ 43 (18.6%)
Avast    4.8.1351.0    2011.02.23    RTF:CVE-2010-3333
Avast5    5.0.677.0    2011.02.23    RTF:CVE-2010-3333
Commtouch    5.2.11.5    2011.02.28    CVE-2010-3333!Camelot
Fortinet    4.2.254.0    2011.03.01    Data/CVE20103333.A!exploit
GData    21    2011.03.01    RTF:CVE-2010-3333
Microsoft    1.6603    2011.02.28    Exploit:Win32/CVE-2010-3333
PCTools    7.0.3.5    2011.02.28    Trojan.Mdropper
Symantec    20101.3.0.103    2011.03.01    Trojan.Mdropper

MD5   : 02b77c3941478a05f2ee6559e3b76fb6
VIcheck.ca https://www.vicheck.ca/md5query.php?hash=02b77c3941478a05f2ee6559e3b76fb6
Embedded executable 

Files Created

Attachment: The attachment is a malicious word (RTF) document (CVE-2010-3333), with the payload described below plus a clean word document - the paper named in the subject of the message "China’s military build-up in the early twenty-first century : from arms procurement to war-fighting capability" The paper itself in pdf format is available at the Nanyang Technological University website (Singapore)

%userprofile%\Local Settings\Temp
0/ 42 (0.0%) 
Clean document, which is supposed to open to fool the victim but it never does. 
 File: China's Military Build-up in the Early Twenty-first Century.doc
Size: 160256
MD5:  91572F3D15588F34F42EE5136D74C738




Payload: The embedded binary (Trojan.CryptRedol.Gen.3) creates a copy of itself (same MD5 each time) with a new name in %userprofile%\Local Settings, connects to an IP in Thailand, creates a registry setting to run on startup, it runs under svchost.exe.

Strings from the dumped process 
WININET.dll
WS2_32.dll
GetAdaptersInfo
iphlpapi.dll
StrChrA
PathRemoveFileSpecA
SHLWAPI.dll
61.7.158.11
regedit.exe /s
~dfds3.reg
%tmp%\
Windows Registry Editor Version 5.00
[%s]
"%s"="%s"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.exe
%tmp%
WinHttp
http://%s:%d/%s.php?id=%06d%s&ext=%s
%temp%\
/%s.php?id=%06d%s&ext=%s
http://%s:%d/%s.php?id=%06d%s
%c%c%c%c%c
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
/%s.php?id=%06d%s
%%temp%%\%u
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
POST
HTTP/1.1
%02X-%02X-%02X-%02X-%02X-%02X
01-01-01-01-01-01
%c%c%c%c%c%c.exe



Update March 1, 2011 = This is not all, I will add more information about this binary later, it is a interesting piece.

The names match standard Windows DLL and EXE files. There are 34 (at least 40)  variations possible.  Please see older files with  similar  AV detection  here

Registry change:  
HKU\S-1-5-21-789336058-1580436667-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Run\FILENAME: "C:\Documents and Settings\username\Local Settings\FILENAME.exe"

List of possible names:
    Alerter.exe
    AppMgmt.exe
    CiSvc.exe
    ClipSrv.exe
    COMSysApp.exe
    dmadmin.exe
    Dot3svc.exe
    EapHost.exe
    HidServ.exe
    hkmsvc.exe
    ImapiService.exe
    Messenger.exe
    mnmsrvc.exe
    MSDTC.exe
    MSIServer.exe
    napagent.exe
    NetDDE.exe
    NetDDEdsdm.exe
    Netlogon.exe
    NtLmSsp.exe
    NtmsSvc.exe
    ose.exe
    RasAuto.exe
    RDSessMgr.exe
    RemoteAccess.exe
    rpcapd.exe
    RpcLocator.exe
    RSVP.exe
    SwPrv.exe
    SysmonLog.exe
    TlntSvr.exe
    upnphost.exe
    UPS.exe
    VSS.exe
    WmdmPmSN.exe
    Wmi.exe
    WmiApSrv.exe
    wuauserv.exe
    xmlprov.exe
Each time the binary is launched (or the Word/RTF document is launched), it creates a copy of the binary with a new name in %userprofile%\Local Settings. 

This ensures all victims get different malicious files names on their system - it is a common feature in malware.

 


File name:1f4e6cad1513e9e7765ef50bce4837b0
http://www.virustotal.com/file-scan/report.html?id=735f4c005ca44073130562e5fd4ac71aabc130ea27a42deddc8247507fa46985-1298938595
Submission date:2011-03-01 00:16:35 (UTC)
Result:7/ 42 (16.7%)
AntiVir    7.11.4.13    2011.02.28    TR/Dropper.Gen
BitDefender    7.2    2011.03.01    Trojan.CryptRedol.Gen.3
F-Secure    9.0.16160.0    2011.03.01    Trojan.CryptRedol.Gen.3
GData    21    2011.03.01    Trojan.CryptRedol.Gen.3
Norman    6.07.03    2011.02.28    W32/Malware
nProtect    2011-02-10.01    2011.02.15    Trojan.CryptRedol.Gen.3
Sophos    4.61.0    2011.02.28    Sus/UnkPack-C
Show all
MD5   : 1f4e6cad1513e9e7765ef50bce4837b0
SHA1  : 0dc6e154341e0331a982e657944998fb06f32370

Network activity

TCP 
61.7.158.11:80 
61.7.158.11:443
 Hostname:    61.7.158.11
ISP:    CAT Telecom public company Ltd
Organization:    CAT Telecom public company Ltd
Country:    Thailand
State/Region:    Krung Thep
City:    Bangkok



 The binary does not download anything, the link gives 404-not found error. However, it successfully beacons on port 443

Download pcap here


2 comments:

  1. Hi Mila

    The svchost.exe (bin2) is launched by the original executable binary (bin1) dropped by the Doc exploit. The SVCHOST.exe takes the path of the original binary as an argument, and is started into a suspended state.

    The body of the svchost.exe (bin2) is then replaced by a decrypted seg inside bin1, before svchost is resumed from suspension.

    svchost.exe here is nothing like the svchost.exe on disk and at launch. You already have the strings from the svchost.exe in memory in your blog.

    Thank you for sharing the files. Cheers.

    ReplyDelete
  2. It is very interesting, thank you for the comment.
    I have another variant - same payload but different alive C&C and more activity but did not get around to post yet. Email me if you want it.

    ReplyDelete