Introducing Net Boom
Net Boom is an exploit kit that was produced between 2010 and 2011. The Net Boom Software Group used the web site 1874.cc for sales and support. According to 1874.cc, Net Boom NB Version 1.0.1 was released on 28 April 2010 and re-released on 10 May 2010. Another version, NB Exploiter Version 188.8.131.52, was created in late November 2010. Net Boom’s NB Exploiter 2011 Version 184.108.40.206 was produced in January 2011. The Net Boom authors also released single-exploit kits for at least an IE 0-Day vulnerability, a Flash 0-Day vulnerability and a Flash Version 10.3 vulnerability. The 1874.cc website is no longer active. A 26 June 2011 screen shot of the site from dawhois.com is reproduced below. Images of their products are included at the bottom of the 1874.cc page.
The Net Boom Software Group also developed Korean and English language versions of the Net Boom kits that were probably sold and serviced through the website s-shark.com. Both the Korean and English language versions, however, retained references to 1874.cc. The Korean language Net Boom kits were packaged with the Net Bot Distributed Denial of Service (DDoS) attack software, which also originated in China. The Korean NB Exploiter Version 220.127.116.11 and a single-exploit kit for a Flash 10.3 vulnerability were released some time in 2011 and are shown in the s-shark.com graphic. Evidence on VirusTotal reveals an English language version of the Net Boom NB Exploiter 18.104.22.168. A screen shot of s-shark.com products is shown below; the image is from a Korean language security research blog post available here.
The security researchers investigating the S-Shark product offerings found what appears to be a 2011 English language version of an unspecified single-exploit kit. A screenshot of another unspecified 2011 single Flash 0-Day exploit Net Boom kit has been available on a Chinese language hacker site since November 2011. This Chinese language kit looks very similar to the English language single-exploit kit.
Another single-exploit kit for CVE-2011-0611 and an unspecified NB exploit kit were reported in Kahu Security’s 22 April 2011 blog post entitled “Flash 0Day Found in Drive-By”. The author redacted the name and version of the kits from the graphics. The references to Net Boom in the code fragments, or tool marks as the author describes them, reveal that a Net Boom kit was the source of the CVE-2011-0611 exploit described in the post. The types of references found in the code are described in more detail in the following paragraphs.
A Quick Look at a Few of the Kits
NB Exploiter Version 22.214.171.124 and NB Exploiter 2011 Version 126.96.36.199 are available for download on several Chinese language hacker sites. Net Boom NB Exploiter Version 188.8.131.52 offers six single exploits plus a package combining Flash 9, Flash 10 and MS Office exploits. The six single exploits were MS Office (CVE-2009-1136), an MS MPEG-3 exploit, MS10-002 (CVE-2010-0249), MS10-018 (CVE-2010-0806), Flash 10 (CVE-2009-1862) and Flash 0-Day (CVE-2010-1297).
NB Exploiter Version 184.108.40.206 was significantly different from Version 220.127.116.11 in appearance and content. The code generated by this version lacks much of the script fragmentation, obfuscation and distinctive variable naming conventions found in the previous version. Version 18.104.22.168 generated 31 exploits ranging from MS06-16 to more recent well-known and obscure exploits, including the following: Flash 10.0.32 (CVE-2010-1297), an Apple Safari 4.0.5 exploit, Shockwave Player 11 (CVE-2010-3653), Adobe SVG Viewer MS10-081 (CVE-2010-2746), two IE MS10-090 exploits (CVE-2010-3962), an Advanced File Vault exploit, a Trend Micro 2010 exploit, a Net-Craft Tool Bar exploit, an MS11-XXX 0-Day exploit (IE CSS, MS11-003, CVE-2010-3971), a WMI-Tools exploit (CVE-2010-3973) and a RealPlayer 0-Day exploit (CVE-2010-3749). It is unclear why Version 22.214.171.124 differs so much from both the original version and the subsequent version. Subsequent versions were probably more similar to Version 126.96.36.199 than to Version 188.8.131.52.
Comment lines in the Version 184.108.40.206 code for the Net-Craft Tool Bar exploit included lyrics from the KC and the Sunshine Band 1975 hit single “Get Down Tonight”. The comments claimed authorship by the 1874.cc Software Group. The authors appear to be fans of 1970s-era Western disco and to possess some English language skills.
The Korean language NB Exploiter Version 220.127.116.11 offers nine single exploits and a package for CVE-2010-0806, Flash 10.2, Flash 10.3 and an unspecified Flash 0-Day exploit. The Version 18.104.22.168 single exploits included MS Office (likely CVE-2009-1136), MS10-018 (CVE-2010-0806), IE CSS (likely CVE-2010-3971), Flash 10.2.153 (likely CVE-2011-0611), Flash 10.3.181.23 (likely CVE-2011-2110), an unspecified Flash 10.3 0-Day, an unspecified Firefox 3.6 0-Day and a RealPlayer 14 exploit. The appearance of the user interface is much closer to Version 22.214.171.124 than to Version 126.96.36.199. Screen shots of all three versions are provided below.
Based on traffic analysis, it is likely that the Flash 0-Day exploit targets CVE-2011-2140 using a file named NBWM.SWF. This conclusion is supported by analysis of the code fragments in Kahu Security’s 11 November 2011 post, “CVE-2011-2140 Caught in the Wild”. The reasoning behind this type of analysis is described in the following paragraphs.
Net Boom Signatures
A closer look at the exploit code reveals the origins of Net Boom and the distinctive file and variable naming conventions that can be used to identify Net Boom exploits in archived network traffic. By building a robust set of distinctive signatures, it may be possible to follow the evolution of the Net Boom kits well beyond the mid-2011 versions currently available.
Version 1.0 packages exploits for MS Office and Flash into the files 1.HTM, 2.HTM, NB.HTML, NB2.HTM, NETBOOM.HTML and NF9.HTM. The Flash 9 exploit included files selected from I115.SWF, I47.SWF, I45.SWF, I64.SWF, F115.SWF, F47.SWF, F45.SWF and F64.SWF. The Flash 10 exploit used the files NF10.HTM and FA.HTM. The file NB.HTML included a placeholder for the statistics code. The package contains decision-making logic for selecting the optimal exploit for a given victim: NETBOOM.HTML and NF9.HTM contained conditional statements based on browser type and version, while NB2.HTM, 1.HTM and 2.HTM implemented the exploits. The files generated for the other six single exploits are listed below:
MS Office (CVE-2009-1136): OF.HTM, QCC.JPG and UBBI.JPG
MS MPEG-3: BB.JPG, BB1.JPG, BBBB.JPG, BBBB1.JPG, BBBBB.JPG, UBB.JPG and MP.HTML
MS10-002 (CVE-2010-0249): MS~10002.HTM, PATY.JS and HaspxcSWmblWluWORuCKy.GIF
MS10-018 (CVE-2010-0806): X6.HTM, X7.HTM, NB.JS, NB.JS, NB.JS, A.JPG, B.JPG, C.JPG and D.JPG
Flash 10 (CVE-2009-1862): IE.HTM, NF10.HTM, FF.HTML, IE.JS, IF.JS, FF.JS and XP.SWF
Flash 0-Day (CVE-2010-1297): FA.HTML and NB.SWF
The NB Exploiter Version 188.8.131.52 exploits are very similar to the Silver Fox and Anhey kit exploits. Much of the NB Exploiter code appears to have been copied directly from the Silver Fox or Anhey exploit kits. Consequently, many of the file names and variable names found in the code can also be found in the older kits. To distinguish the new Net Boom file and variable names from the older Anhey and Silver Fox names, I have italicized the older names and underlined the new Net Boom names in the list below:
Exploit Package Files: SVFOXMM, SVFOXWW
MS Office (CVE-2009-1136): YINHU, YINHUKING, YINHUMM, YINHUGG, YHWMYHWM, YHWM2, YHWM2, YHWM6, SSVVSVSV, SVSVSVSVSVSV, SVANTI, SVCNN,
MS MPEG-3: SILVERFOX, SILVERFOXWM, SILVERFOXFMY, SFWMSFWMSFWM, SILVERCOLOR, SILVERCOLORFOX, SFQQQ, FOXMM, FOXGG, FOXBB, FOXYY, FANGPIJIUCHOU, SUNSHINE, MONEY, YHHAOYUN, NB00-NB27
MS10-002 (CVE-2010-0249): SSS, CC, WMAHWM, OAH, OAHO, LHAH, HHAH, SSAH, SHIT, HUA, HUA1, HUA2, HUA3, HUA4, HaspxcSWmblWluWORuCKy
MS10-018 (CVE-2010-0806): SVFOX, SVFOXNET, YINHUWAGMA, ANHEIWAGMA, AHWMNIUX, ANHEYSIZE, AHEYOK, ANHEINOP, ANHEYANYWAYALRIGHT, ANHEYANYWAYOK, ONLYANHEIWMUP, WOAIANHEYWM, SUN, NB.WM, NBWANGMA
Flash 10 (CVE-2009-1862): PARAM NAME=”MOVIE” VALUE=”DONE.SWF”, EMBED SRC=”XP.SWF”, SSS, QVISI=”YOU”, IFMY, XP.SWF
Flash 0Day (CVE-2010-1297): NB, BB, EMBED SRC=’NB.SWF’
References to the Anhey kit include the phonetic representations of “暗黑”, ANHEY or ANHEI, or the abbreviation AH. References to the Silver Fox Exploit Kit include variations such as SVFOX or SF, and the phonetic representation of “银狐”, YINHU, or YH. References to the Net Boom NB Exploiter Kit include variations of NETBOOM or the abbreviation NB. References to any of the three kits may be joined to WANGMA or its abbreviation WM. WANGMA is a phonetic representation of “网马”, short for 网页木马, the Chinese hacker term for a web page Trojan, that is, a page that drops a Trojan on visitors.
The Net Boom kit included a set of Instructions for injecting the exploit code into third party websites. Nearly identical instructions were found in the Anhey and Silver Fox Exploits Kits. Additionally, the Net Boom, Silver Fox, and Anhey Kits all used the same third party Skin++ library for the user interface.
Consistent use of code fragmentation to evade detection, the presence of shared shellcode fragments in the exploit code, the use of XOR 0xBD encoding, the use of similar obfuscation methods, the practice of using variations of the product name as variable names, the existence of references to multiple exploit kit names in a single file, and the use of the same 2009 Skin++ library DLL file indicate that these three kits may share a single author. For more detail on the Silver Fox Exploit Kit, please read my 17 February 2013 post, Silver Fox Galleries. For more detail on the Anhey Exploit Kit, please read my 07 February 2013 post, Anhey Menagerie.
In addition to the terms NETBOOM.HTML, NB.HTML, NB.JS, NB.SWF, NBWANGMA, NBWM and NB discussed above, one can find several other very likely Net Boom traffic signatures by searching security repositories such as JSUNPACK, WEPAWET and Clean-MX. Some very likely terms recovered from these sources include the following:
NB.EXE, NB.JS, NB6.SWF, NB8.SWF, NBWM.SWF, NBWM(), NB(), NETBOOM, NETBOOM00, NBBOOM, NBOMM, NBA, NBAA, NBBB, NBCC, NBCODE, NBCODING, NBGG, NBGUAI, NBKING, NBLOL, NBLONG, NBLUCK, NBMAO, NBM, NBMM, NBNB, NBNOP, NBOORPK, NBRPK, NBPOWER, NBREPLAY, NBSENDING, NBSIZE, NBSS, NBTIME, NBSTR, NBSUN, NBTOYTA, NBVIVI, NBWMA, NBWMHAHA, NBWMYO, NBWMX, NBWMXIXI, NBX, NBYEAH, NBZF, NB14093, NB818588, NB818599, NB860488, NB98748
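As an added example (not code from the original post or from the kit authors), here is a Python matcher that applies the naming conventions described above to captured page markup and to proxy log lines. The variable-name tokens, the kit name stems (ANHEY/ANHEI, SVFOX/SILVERFOX/YINHU, NETBOOM/NBWM) and the Net Boom file names are copied from this post; the sample page fragment and log lines are constructed, and the scoring weights, the helper names and the decision to ignore the two-letter abbreviations (AH, SF, YH, NB, WM) except inside exact tokens are my own assumptions.

```python
"""Attribute captured exploit-page markup and URL requests to Net Boom, Silver
Fox or Anhey using the naming conventions described in the post (added example)."""
import re

# Exact variable / function names copied from the post, grouped by the kit they
# reference.  Two-letter abbreviations (AH, SF, YH, NB, WM) are far too short to
# match on their own ("nbsp" would count as Net Boom), so they are only honoured
# as part of these exact tokens.
CURATED = {
    "Anhey": {"ANHEIWAGMA", "AHWMNIUX", "ANHEYSIZE", "AHEYOK", "ANHEINOP",
              "ANHEYANYWAYALRIGHT", "ANHEYANYWAYOK", "ONLYANHEIWMUP",
              "WOAIANHEYWM", "WMAHWM", "OAH", "OAHO", "LHAH", "HHAH", "SSAH"},
    "Silver Fox": {"SVFOXMM", "SVFOXWW", "SVFOX", "SVFOXNET", "YINHU", "YINHUKING",
                   "YINHUMM", "YINHUGG", "YHWMYHWM", "YHWM2", "YHWM6", "SSVVSVSV",
                   "SVSVSVSVSVSV", "SVANTI", "SVCNN", "YINHUWAGMA", "SILVERFOX",
                   "SILVERFOXWM", "SILVERFOXFMY", "SFWMSFWMSFWM", "SILVERCOLOR",
                   "SILVERCOLORFOX", "SFQQQ", "YHHAOYUN"},
    "Net Boom": {"NETBOOM", "NETBOOM00", "NBWANGMA", "NBWM", "NBBOOM", "NBOMM",
                 "NBA", "NBAA", "NBBB", "NBCC", "NBCODE", "NBCODING", "NBGG",
                 "NBGUAI", "NBKING", "NBLOL", "NBLONG", "NBLUCK", "NBMAO", "NBM",
                 "NBMM", "NBNB", "NBNOP", "NBOORPK", "NBRPK", "NBPOWER", "NBREPLAY",
                 "NBSENDING", "NBSIZE", "NBSS", "NBTIME", "NBSTR", "NBSUN",
                 "NBTOYTA", "NBVIVI", "NBWMA", "NBWMHAHA", "NBWMYO", "NBWMX",
                 "NBWMXIXI", "NBX", "NBYEAH", "NBZF", "NB14093", "NB818588",
                 "NB818599", "NB860488", "NB98748"},
}

# Longer phonetic stems: an identifier that merely starts with one of these is a
# weaker hit, because the authors reuse product names as variable-name prefixes.
STEMS = {
    "Anhey": ("ANHEY", "ANHEI"),
    "Silver Fox": ("SVFOX", "SILVERFOX", "YINHU"),
    "Net Boom": ("NETBOOM", "NBWM"),
}

# File names the post attributes to Net Boom kits, matched against URL paths.
NETBOOM_FILES = {"NETBOOM.HTML", "NB.HTML", "NB.JS", "NB.SWF", "NBWM.SWF",
                 "NB6.SWF", "NB8.SWF", "NB.EXE", "NB2.HTM", "NF9.HTM", "NF10.HTM"}

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
FILE_RE = re.compile(r"/([A-Za-z0-9_~.-]+\.(?:html?|js|swf|exe|jpg|gif))\b", re.I)


def score_markup(markup):
    """Return {kit: {"strong": [exact tokens], "weak": [stem-prefixed names]}}."""
    hits = {kit: {"strong": [], "weak": []} for kit in CURATED}
    for ident in sorted(set(IDENT_RE.findall(markup))):
        up = ident.upper()
        for kit, tokens in CURATED.items():
            if up in tokens:
                hits[kit]["strong"].append(ident)
                break
        else:
            for kit, stems in STEMS.items():
                if up.startswith(stems):
                    hits[kit]["weak"].append(ident)
                    break
    return hits


def scan_urls(log_lines):
    """Return the Net Boom file names requested in HTTP/proxy log lines."""
    return [name for line in log_lines for name in FILE_RE.findall(line)
            if name.upper() in NETBOOM_FILES]


def attribute(markup, log_lines=()):
    """Score each kit (3 per exact token, 1 per stem hit, 2 per Net Boom file
    requested) and return (best kit or None on a tie / zero score, scores)."""
    hits = score_markup(markup)
    scores = {kit: 3 * len(h["strong"]) + len(h["weak"]) for kit, h in hits.items()}
    scores["Net Boom"] += 2 * len(scan_urls(log_lines))
    best = max(scores, key=scores.get)
    if scores[best] == 0 or list(scores.values()).count(scores[best]) > 1:
        return None, scores
    return best, scores


# Constructed sample: a page fragment in the Net Boom style plus two log lines.
SAMPLE_MARKUP = """<html><body>&nbsp;
<script>
var NBWM = "NB.SWF"; var NBSIZE = 0xBD; var ANHEYSIZE = 12;
function NBWMXIXI(){ document.write('<embed src="NBWM.SWF">'); }
</script></body></html>"""
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2011:10:01:02] "GET /x/NBWM.SWF HTTP/1.1" 200 9821',
    '192.0.2.10 - - [12/Nov/2011:10:01:03] "GET /x/index.html HTTP/1.1" 200 410',
]

if __name__ == "__main__":
    print(attribute(SAMPLE_MARKUP, SAMPLE_LOG))  # ('Net Boom', {...})
```

Because Net Boom copied code from the older kits, a single file may reference more than one family (the sample contains ANHEYSIZE as well as NBWM), so the verdict is taken from the weighted total rather than from any single token, and `&nbsp;` is deliberately not counted as an NB hit.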
The Net Boom exploit kits are very similar to the earlier Chinese language exploit kits Anhey and Silver Fox. Net Boom products were serviced through the Chinese website 1874.cc in much the same way that Silver Fox products were supported by SVFox.net and Anhey products by Cuteqq.cn. The Anhey and Silver Fox kits stopped evolving in late 2010 to early 2011. The Net Boom kits, however, continued to add new exploits through at least late 2011 with the addition of CVE-2011-2140. By tracking network traffic signatures unique to Net Boom, it may be possible to determine whether Net Boom has continued to evolve past 2011.
dawhois.com, 26 June 2011, 1874.cc screen shot (http://dawhois.com/site/1874.cc.html)
Korean security research blog, s-shark.com products (http://kjcc2.tistory.com/1286)
Kahu Security, 22 April 2011, “Flash 0Day Found in Drive-By” (http://www.kahusecurity.com/2011/flash-0day-found-in-drive-by/)
Kahu Security, 12 November 2011, “CVE-2011-2140 Caught in the Wild” (http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/)