Tuesday, February 23, 2010

Feb 22 CVE-2006-6456 MS Word "Taiwan 2010" from diguapinggao@gmail.com, Feb 22, 2010 4:17 AM

This is an old exploit targeting systems that have been left unpatched for a long time. The document appears to have been created with 2007最新DOC捆绑器 (thanks to zha0 for helping translate and spell the tool name). The tool is easy to find online and is designed to exploit the CVE-2006-6456 / MS07-014 vulnerability. According to the Symantec post describing this tool in April 2007, shellcode in documents generated by the tool usually starts at offset 0x16730, which seems to be the case here too. The exploit does not work on Office 2003 SP3, or on earlier versions with update KB929434 (MS07-014) applied.

Update March 3, 2010 - Abhishek Lyall kindly provided additional details about the sample:
"The "taskmgr.exe" is embedded from offset 0x24E00. The exe is XOR'ed with the 64-bit key 0xCA5039AF00000000. If you XOR the file again with the same key you'll find the exe headers at offset 0x24E00." Please see his screenshot below.
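
As an added example (not code from the post or from any of the analysts it cites), a small Python script that re-implements the decoding step quoted above: XOR the region starting at 0x24E00 with the 64-bit key 0xCA5039AF00000000 and confirm that a PE header comes out. The byte order in which the key is applied to the file is an assumption, so both orders are tried; the input document is constructed inline so the script runs offline.

```python
"""Added example (not the post's code): XOR-decode a PE embedded at a known
offset, as described for the sample above. Key byte order is an assumption."""
import struct

KEY = 0xCA5039AF00000000  # 64-bit key quoted in the post
EXE_OFFSET = 0x24E00      # offset of the embedded exe quoted in the post


def xor_with_key(data: bytes, key_bytes: bytes) -> bytes:
    """XOR data with a repeating key, key phase aligned to data[0]."""
    n = len(key_bytes)
    return bytes(b ^ key_bytes[i % n] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_embedded_pe(doc: bytes, offset: int = EXE_OFFSET, key: int = KEY):
    """Return (key_byte_order, decoded_bytes) for the order that yields a PE,
    or None if neither order does."""
    region = doc[offset:]
    for order in ("big", "little"):           # assumption: one of these orders
        decoded = xor_with_key(region, key.to_bytes(8, order))
        if looks_like_pe(decoded):
            return order, decoded
    return None


def build_sample_doc(order: str = "big") -> bytes:
    """Constructed input (not the real sample): OLE magic, filler, then a fake
    PE XOR'ed with KEY applied in `order` byte order at EXE_OFFSET."""
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", fake_pe, 0x3C, 0x80)           # e_lfanew -> 0x80
    fake_pe += b"\x00" * 0x40 + b"PE\x00\x00" + b"\xCC" * 64
    encoded = xor_with_key(bytes(fake_pe), KEY.to_bytes(8, order))
    return b"\xD0\xCF\x11\xE0" + b"\x41" * (EXE_OFFSET - 4) + encoded


if __name__ == "__main__":
    found = decode_embedded_pe(build_sample_doc())
    print("no PE found" if found is None else f"PE recovered; key applied {found[0]}-endian")
```

Because 32 of the key's 64 bits are zero, half of every 8-byte block of the embedded exe is stored unmodified, which is worth remembering when string-scanning such documents.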
Download the following files as a password-protected archive. (Please contact me if you need the password.)

├───analysis files (by Tom - see below)
│   exe (taskmgr.ex   441D239744D05B861202E3E25A2AF0CD 32,768 bytes; taskmgr.idb)
│   shell (shel1.bin; shel1.idb; shel2.bin; shel2.idb)
├───collected
│   1.tmp             441D239744D05B861202E3E25A2AF0CD 32,768 bytes
│   Taiwan 2010.doc   85AF26A74E548B56ADEA933CFB878520 52,224 bytes
│   taskmgr.exe       441D239744D05B861202E3E25A2AF0CD 32,768 bytes
└───original doc
    Taiwan 2010.doc   9EF09819AA5D552ECB15067A14A33152 183,808 bytes

From: 孙丰 [mailto:diguapinggao@gmail.com]
Sent: Monday, February 22, 2010 4:17 AM
To: diguapinggao@gmail.com
Subject: Taiwan 2010

Virustotal
http://www.virustotal.com/analisis/0f57baeb3070bf7a806f004ab61243aaf1b16f328e0c5f96d0c9128294d95b2c-1266926867
File Taiwan_2010.doc received on 2010.02.23 12:07:47 (UTC)
Result: 8/41 (19.52%)
Authentium    5.2.0.5    2010.02.23    MSWord/Dropper.B!Camelot
Avast    4.8.1351.0    2010.02.23    MPPT97:ShellCode-A
Fortinet    4.0.14.0    2010.02.21    MSWord/Agent.Y!exploit
GData    19    2010.02.23    MPPT97:ShellCode-A
Jiangmin    13.0.900    2010.02.23    Exploit.MSWord.b
McAfee-GW-Edition    6.8.5    2010.02.23    Heuristic.BehavesLike.Exploit.OLE2.CodeExec.EBKP
Panda    10.0.2.2    2010.02.22    Trj/1Table.C
Sophos    4.50.0    2010.02.23    Troj/MalDoc-Fam
File size: 183808 bytes
MD5...: 9ef09819aa5d552ecb15067a14a33152

OfficeMalScanner results (screenshot)

------------------------------------------------------------
Analysis by Tom (thank you, Tom)

Shellcode in hex (screenshot): obfuscated shellcode

Obfuscated second part of the shell and part of the exe (screenshot)

Shellcode 1 (screenshot)

EXE - taskmgr.exe, before and after transposition (screenshot)

Embedded exe (screenshot)

Virustotal scan results
http://www.virustotal.com/analisis/d4340b59ef53951316d66f2f171029c7dba363d9fd0c2f4f828544583405a944-1266988204
File taskmgr.ex received on 2010.02.24 05:10:04 (UTC)
Result: 1/41 (2.44%)
Symantec    20091.2.0.41    2010.02.24    Suspicious.Insight
Additional information
File size: 32768 bytes
MD5: 441d239744d05b861202e3e25a2af0cd

================================================
Screenshot from Abhishek Lyall (XOR-decoded exe headers at offset 0x24E00)

Additional information:
Connections

The dropped file taskmgr.exe establishes a connection with xwwl8899.vicp.net, hosted on a server in China
(information from robtex.com)

Hostname: 218.23.30.101
ISP: CHINANET Anhui province network
Organization: CHINANET Anhui province network
Country: China
State/Region: Anhui

Wireshark capture (screenshot): DNS queries and TCP connections to 218.23.30.101:80

wwl8866.vicp.net has one IP number. vicp.net is a domain controlled by two nameservers at dnsoray.net, which are on different IP networks. vicp.net has one IP number. xwwl8866.vicp.net is hosted on a server in China. It is not listed in any blacklists.

xwwl8866.vicp.net points to 218.23.30.101, which is blacklisted in four lists:

  • dev.null.dk
  • spamsources.fabel.dk
  • spam.dnsbl.sorbs.net - list of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS. This zone also contains netblocks of spam-supporting service providers; this could be for providing websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam causes the supporter to be blocked.
  • no-more-funn.moensted.dk

inetnum: 218.22.0.0 - 218.23.255.255
netname: CHINANET-AH
country: CN
descr: CHINANET Anhui province network
descr: Data Communication Division
descr: China Telecom
admin-c: CH93-AP
tech-c: AT318-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-AH
changed: hm-changed@apnic.net 20060322
source: APNIC

route: 218.22.0.0/15
descr: PNAP-SEA usei chinanet routes
origin: AS4134
mnt-by: INAP-MAINT-RADB
changed: swhitson@internap.com 20010524
source: RADB

====================================
Anubis report
http://anubis.iseclab.org/?action=result&task_id=1face8929a332692425ef0e12a533fa3a

Exe autostart

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value: C:\Taskmgr.exe

Note the path: the persisted copy sits at the root of C:\, not in %SystemRoot%\System32 where the legitimate Task Manager lives, so the Run entry stands out in an autoruns review.