On November 5, Microsoft announced the discovery of a new vulnerability CVE-2013-3906 which can be exploited when TIFF images are processed. By exploiting this vulnerability it is possible to attack software – including Microsoft Office and Lync – that uses a vulnerable DLL for processing TIFF images. On the same day, there were reports that Microsoft had recorded attacks that exploit CVE-2013-3906.
Several malware samples became available to us that exploit CVE-2013-3906. We analyzed them in detail. All of them make use of heap spraying, recording their code to the address 0x08080808, and execute the code from that location. Exception generation and memory rewrite is performed in the vulnerable ogl.dll.
Fragment of WinDbg shellcode execution
The exploits that we had access to can be divided into two groups according to the shellcodes used in them.
The exploits in the first group use a primitive and unencrypted shellcode whose only task is to download and launch malicious software.
Shellcode of an exploit in the first group
The payload drops a clean .doc file that is displayed to dispel any suspicions the user may have, as well as a malicious program that was earlier spotted in the HangOver attack. That is a backdoor, written in C++ and which isn’t even encrypted.
Fragment of the contents of the clean .docx file
The exploits in the second group are much more sophisticated. For starters, the shellcode they use is already encrypted with standard XOR. After decryption, it became clear that it doesn’t download and launch malicious code, unlike most exploits, including those in the first group targeting CVE-2013-3906.
Decrypted shellcode of an exploit from the second group
There is an OLE2 object integrated into the original .docx document; this object is read in the shellcode. It contains a data stream, consisting of 6 bytes located ahead of the encrypted data, which contains the original decryption key, a dynamic decryption key, and the length of the decrypted data stream. The decryption algorithm is a standard XOR with a key modified with the byte operation ADD.
Fragment of packed data and the header (in red box) containing the keys and the size
After decryption, this data transforms into a DLL named a.l, which is loaded within the process winword.exe. This DLL drops a.exe which is the backdoor Citadel.
Fragment of an unpacked sample of Citadel
It means there are already two groups of cybercriminals out there who are using the new vulnerability.
Interestingly, the TIFF files in the second category of exploits are dated March 2013, but we registered the first appearance of these exploits on July 31. They used the storage, encryption and payload launch technique described above. But the actual payload differs in earlier exploits. In the new samples a dynamic library is dropped which in turn drops and runs an executable file and a clean .docx. In earlier samples the DLL is different and it drops a different clean .docx file and a vbe script. The same vbe script is used in the cross-platform malware Janicab.
Fragment of the dropped .docx from the July sample of the exploit
It appears that either the same people were responsible for spreading Citadel and Janicab – from the exploit to the payload – or someone is selling malware distribution services that make use of 0-day exploits.
From the moment such exploits appear, our Advanced Exploit Prevention (AEP) technology protects users from the launch of malicious code by applications that have been attacked by exploits targeting CVE-2013-3906. By responding to anomalies in the behavior of popular app processes, AEP makes it possible to block the launch of exploits.
These exploits are detected by static signatures as Exploit.Win32.CVE-2013-3906.a.