Understanding the CVE-2010-1885 exploit from the Blackhole exploit kit

A friend of mine reported receipt of a suspicious email to me. It turned out to be a nice opportunity to analyze one more client-side attack from the bag of tricks of the Blackhole exploit kit.

The attacker was not at all funky this time: no fancy stuff in the email, just a plain message with an external link. Below is the email screenshot along with a snip of the message headers. From the Message-ID field in the email headers, we can conclude that the attacker might be using an email product from Chilkat on a *nux server.

Email and Headers

The link was a Google short link, http://goo.gl/QC9JW, which has since been removed by Google. However, the link resolved to hxxp://guardeddenies.com. Knowing the typical attack flow of Blackhole, this page was just a redirector to the actual website (hxxp://aboutyourself.in) hosting the Blackhole exploit pack.

Poor disguise attempt

I copy-pasted the redirector link into my analysis machine and saw a fake blog post on E-Trade. If you recall, the subject of the spam email was "E-trade alert". The page loaded pretty quickly, but my cursor kept showing a busy icon. The web page was actually checking my browser for existing vulnerabilities and trying to exploit them one by one.

After 5-6 seconds my browser got redirected to google.com, which was a sign of successful exploitation. Below is a snip of the web exploit that was used to compromise my Windows XP SP2 virtual machine.

HCP Exploit Code

Yes, you guessed it right. It is an exploit for a vulnerability in Microsoft Help and Support Center tracked as CVE-2010-1885.

About the Vulnerability:

The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka “Help Center URL Validation Vulnerability.”

An attacker can bypass the /fromhcp whitelist by exploiting the string miscalculations caused by failing to check the return code of MPC::HexToNum(). Once the whitelist has been defeated, the attacker invokes a Help document with a known DOM XSS caused by insufficient escaping in GetServerName(), uses the defer property of a script tag to execute script in the privileged zone even after the page has been rendered, and finally invokes an arbitrary command through the WScript.Shell object.

Tavis Ormandy, who discovered and reported the vulnerability, published a detailed description of the vulnerability and a PoC on the Full Disclosure mailing list. Below is the PoC as published on FD.

hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27Run%2528%2522calc.exe%2522%2529%27%29%29%3C/script%3E

If we look closely at the exploit from the exploit kit, we can see that the attacker has not bothered to make even a slight change to the PoC and just ripped it as-is, replacing only the attack script.

Below is the decoded attack script from the exploit. It is written in VBScript and uses some obfuscation techniques to evade detection.

I de-obfuscated the code and tried to simplify it as shown below. You can clearly see that:

  • the script sets some variables at the beginning (the decoded shellcode is shown below),
  • it uses XMLHTTP to download the malware,
  • it uses the WScript Shell object to execute the malware, and
  • finally it uses FileSystem objects to store and delete the downloaded malware.

Decoded shellcode

VBScript after removing obfuscation

Dropped Malware:

The VBScript dropper above (SHA1: 021e9bddbe151f8dc914bfd18ac2eb23439f4fce) downloads and executes a binary file exe.exe (SHA1: d8ad8d0f1ea41e2c2494da88c7d6f58e435909a6), which is a self-propagating worm. It tries to propagate by attempting to exploit a specific vulnerability on the target computer.

Microsoft detects the dropper as TrojanDownloader:VBS/Yerwen.A and the dropped malware as Worm:Win32/Cridex.B.

Detections over Network:

We can easily detect exploit attempts for CVE-2010-1885 by writing a custom Snort rule. Below is a sample Snort rule that can be used to detect similar exploit attempts: it anchors on the hcp://services/search prefix (the colon written as the hex byte |3A|) and then looks for the eval() call of the injected script shortly after it.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Potential MS10-042 exploit attempt"; flow:established,from_server; content:"hcp|3A|//services/search"; fast_pattern; nocase; content:"=eval("; nocase; distance:100; within:150; reference:url,seclists.org/fulldisclosure/2010/Jun/205; sid:1000031; rev:1;)
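As an added example (not code from the original post), the same detection idea expressed as a small Python scanner: it pulls hcp:// URLs out of page content and checks them for the indicators described above (a search topic pointing at another hcp:// document, runs of malformed escapes, directory traversal, a deferred script tag and a shell Run call). The sample HTML is constructed here and carries a shortened copy of the PoC quoted above beside a benign help link.

```python
import re
from urllib.parse import unquote

# Constructed sample page: a benign hcp:// help link next to an iframe carrying a
# shortened copy of the public PoC quoted above. Embedded so the script runs offline.
SAMPLE_HTML = (
    '<a href="hcp://system/panels/topics.htm?path=hcp://system/sysinfo/sysinfomain.htm">help</a>'
    '<iframe src="hcp://services/search?query=anything&topic=hcp://system/sysinfo/'
    'sysinfomain.htm%A%%A%%A%..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3E'
    'eval%28unescape%28%27Run%2528%2522calc.exe%2522%2529%27%29%29%3C/script%3E"></iframe>'
)

HCP_URL = re.compile(r"hcp://[^\s\"'<>]+", re.IGNORECASE)
MALFORMED_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits

def find_hcp_urls(text):
    return HCP_URL.findall(text)

def decode_hcp(url):
    # helpctr accepts %uXXXX escapes, which urllib does not; rewrite them first (assumption:
    # a plain chr() is close enough for this check), then decode twice to expose nested payloads.
    url = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), url)
    return unquote(unquote(url))

def hcp_indicators(url):
    low = url.lower()
    dec = decode_hcp(url).lower()
    return {
        # search topic pointing at another hcp:// document, as in the PoC
        "nested_hcp_topic": low.startswith("hcp://services/search") and "topic=hcp://" in low,
        # runs of invalid escapes are what trigger the MPC::HexToNum miscalculation
        "malformed_escapes": len(MALFORMED_ESCAPE.findall(url)),
        "traversal": re.search(r"\.\.[\\/]", dec) is not None,
        # the privileged-zone trick: a deferred script tag smuggled in the svr parameter
        "deferred_script": re.search(r"<script[^>]*\bdefer\b", dec) is not None,
        "shell_run": "wscript.shell" in dec or re.search(r"\brun\s*\(", dec) is not None,
    }

def is_ms10_042_like(url):
    i = hcp_indicators(url)
    return (i["nested_hcp_topic"] or i["malformed_escapes"] >= 3) and i["deferred_script"]

def scan_html(html):
    return [u for u in find_hcp_urls(html) if is_ms10_042_like(u)]

if __name__ == "__main__":
    for u in scan_html(SAMPLE_HTML):
        print("MS10-042-like hcp:// URL:", u[:60] + "...", hcp_indicators(u))
```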

Conclusion:

In order to protect yourself from such attacks, keep your operating system up to date with all security patches, use the latest version of your internet browser, and install an anti-virus engine and update it regularly. Do not click on hyperlinks received from an unknown source.

Stay safe!!!

Further reading:


This entry was posted on Wednesday, January 4th, 2012 at 3:36 am and is filed under Malware analysis, Virus Signature.