28 Feb The Future of Bitcoin After the Mt. Gox Incident Stefan Tanase
05 Feb CVE-2014-0497 a 0-day vulnerability Vyacheslav Zakorzhevsky
10 Dec Microsoft Updates December 2013 - Patching Critical 0day Exploited in the Wild Kurt Baumgartner
05 Dec Corporate threats in 2013 - the expert opinion GReAT
14 Nov The rush for CVE-2013-3906 - a hot commodity Dmitry Tarakanov
11 Nov CVE-2013-3906 : another 0-day for Microsoft Office Vyacheslav Zakorzhevsky
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
No doubt it-s been a crazy week for anyone even remotely interested in Bitcoin. Mt. Gox, once the largest Bitcoin marketplace out there, has shut down, putting a bitter end to an almost month-long situation in which all withdrawals were halted because of ?technical issues.
Mt. Gox BTC price evolution in February 2014, source: Clark Moody
As customers were unable to move their funds out from Mt. Gox, the world-s most famous exchange essentially became isolated from the rest of the Bitcoin ecosystem, making the Bitcoin price traded on Mt. Gox plummet to as low as $100 for 1 BTC before the exchange went completely offline.
In our forecast for 2014, we-ve stated that attacks on Bitcoin, specifically attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year. These attacks will be especially popular with the fraudsters as their cost-to-income ratio is very favorable.
While the Mt. Gox incident might be the most significant in Bitcoin history to-date, as it is rumored to be worth 744,408 Bitcoins, or more than $300 million at current BTC prices, the only question that remains unanswered is what actually caused it.
A short while ago, we came across a set of similar SWF exploits and were unable to determine which vulnerability they exploited.
We reported this to Adobe and it turned out that these ITW exploits targeted a 0-day vulnerability. Today, Adobe released a patch for the vulnerability.
This post provides a technical analysis of the exploits and payload that we discovered.
All in all, we discovered a total of 11 exploits, which work on the following versions of Adobe Flash Player:
All of the exploits exploit the same vulnerability and all are unpacked SWF files. All have identical actionscript code, which performs an operating system version check. The exploits only work under the following Windows versions: XP, Vista, 2003 R2, 2003, 7, 7x64, 2008 R2, 2008, 8, 8x64. Some of the samples also have a check in place which makes the exploits terminate under Windows 8.1 and 8.1 x64.
Operating system version check algorithm
Eight Microsoft Security Bulletins are being pushed out this month, MS13-096 through MS13-106. Five of them are rated "Critical" and another six are rated "Important". The top priorities to roll out this month are the critical GDI+ (MS13-096), Internet Explorer (MS13-097), and Scripting Runtime (MS13-099) updates.
Several of the vulnerabilities have been actively exploited as a part of targeted attacks around the world, and one of them is known to be ItW for at least six months or so.
The GDI+ update patches memory corruption vulnerability CVE-2013-3906, which we have been detecting as Exploit.Win32.CVE-2013-3906.a. We have seen a low number of ITW variations on exploitation of this vulnerability as a malformed TIFF file, all dropping backdoors like Citadel, the BlackEnergy bot, PlugX, Taidoor, Janicab, Solar, and Hannover. The target profile and toolset distribution related to these exploit attempts suggest a broad array of likely threat actors that got their hands on it since this July, and a wide reaching distribution chain that provided the exploit around the world. Considering the variety of uses and sources, this one may replace cve-2012-0158 as a part of targeted attacks in terms of overall volume.
The Internet Explorer Bulletin fixes seven different elevation of privilege and memory corruption vulnerabilities, any one of which effects Internet Explorer 6 on Windows XP SP 3 through Internet Explorer 11 on Windows Server 2012 R2 and Windows RT 8.1. We expect to see exploits for some of these vulnerabilities included in commodity exploit packs.
Finally, another critical vulnerability exists in the Windows Scripting Engine as yet another "use after free", which unfortunately enables remote code execution across every version of Windows out there and can be attacked via any of the common web browsers. Patch!
This post will likely be updated later today, but in the meantime, more about this month's patches can be found at the Microsoft site.
Companies are increasingly falling victim to cyber-attacks. According to a recent survey conducted by Kaspersky Lab and B2B International, 9% of the organizations polled were the victims of targeted attacks - carefully planned activity aimed at infecting the network infrastructure of specific organization. The extensive use of digital devices in business has created ideal conditions for cyber-espionage and the deployment of malware capable of stealing corporate data.
The full report is available here.
Two days ago FireEye reported that the recent CVE-2013-3906 exploit has begun to be used by new threat actors other than the original ones. The new infected documents share similarities with previously detected exploits but carry a different payload. This time these exploits are being used to deliver Taidoor and PlugX backdoors, according to FireEye.
At Kaspersky Lab we have also detected that yet another APT group has just started spreading malicious MS Word documents exploiting CVE-2013-3906. This APT actor is the Winnti group, which we described in detail here. They have sent spear-phishing emails with an attached document containing the exploit. As usual the Winnti perpetrators are trying to use this technique to deliver 1st stage malware - PlugX.
We became aware of an attack against one gaming company which constantly undergoes attacks from the Winnti group. The MS Word document containing the exploit shows the same TIFF picture - 7dd89c99ed7cec0ebc4afa8cd010f1f1 that triggers the exploitation of the vulnerability, as in the Hangover attacks. If the exploitation is successful, the PlugX backdoor is downloaded from a remote URL:
On November 5, Microsoft announced the discovery of a new vulnerability CVE-2013-3906 which can be exploited when TIFF images are processed. By exploiting this vulnerability it is possible to attack software – including Microsoft Office and Lync – that uses a vulnerable DLL for processing TIFF images. On the same day, there were reports that Microsoft had recorded attacks that exploit CVE-2013-3906.
Several malware samples became available to us that exploit CVE-2013-3906. We analyzed them in detail. All of them make use of heap spraying, recording their code to the address 0x08080808, and execute the code from that location. Exception generation and memory rewrite is performed in the vulnerable ogl.dll.
Fragment of WinDbg shellcode execution
The exploits that we had access to can be divided into two groups according to the shellcodes used in them.
The Ekoparty Security Conference 2013 was held in the beautiful city of Buenos Aires, Argentina, from 25 to 27 September, This event,the most important security conference in Latin America, is now in its ninth year and was attended by 1,500 people. The slogan of this years conference was Somebody is watching.
In September Microsoft published information about a new Internet Explorer vulnerability – CVE-2013-3893. The vulnerability affects IE versions 6 through 11 for platforms from Windows XP through Windows 8.1. Later in September, the company released a patch closing the vulnerability.
Cybercriminals are happy to exploit such vulnerabilities because they are easy to monetize – the Internet Explorer remains popular.
Top 5 browsers according to http://gs.statcounter.com
This type of vulnerability is very dangerous because it allows the execution of arbitrary code on the target system. In late September, we discovered an exploit for the vulnerability, which uses an attack of the Use After Free type against the Internet Explorer’s HTML rendering engine –mshtml.dll.
We have recently discovered that a modification of the exploit was used in targeted attacks against a number of high-profile organizations in Japan.
The vulnerability is exploited only on those computers which are part of specific subnets of the target organizations’ networks:
Defining subnets in which computers will be attacked
If a computer’s IP address belongs to one of the ranges defined by the cybercriminals, the vulnerability will be exploited after a user visits an infected web page.
The following information is obtained in the first stage of the attack:
The exploit selects the appropriate ROP chain and shellcode based on the data obtained in this stage:
Choice of ROP chain and shellcode
It is worth mentioning that the exploit will not work on those Windows 7 systems which do not have Microsoft Office installed.
Checking OS version and whether Microsoft Office is installed
This is because today’s operating systems include mechanisms that make exploiting vulnerabilities more difficult. One of such mechanisms is ASLR (Address Space Layout Randomization). The exploit uses a clever trick to evade the mechanism: it loads a module compiled without ASLR support into the context of the browser process – the hxds.dll library.
Code after executing which hxds.dll is loaded
The library, which is part of the Microsoft Office package, does not support ASLR. It is loaded at known addresses in memory, after which the attackers use the ROP technology to mark the memory containing shellcode as executable.
The following shellcode is executed after the vulnerability has been successfully exploited:
It can be seen in the figure above that the shellcode decrypts its main part using 0x9F as key.
After decryption, the code searches for functions needed to download and launch the payload, finding them by their hashes:
Hashes of the functions used
When the search for the addresses needed is completed, the following activity takes place:
Downloading the payload
Decrypting the module downloaded
As mentioned above, the targeted attack used only one modification of the exploit for CVE-2013-3893. At the same time, the total number of modifications discovered to date amounts to 21. Attacks using this exploit have mostly been detected in Taiwan:
We have the following information on the servers from which the exploit’s payload has been downloaded:
A brief analysis of one of the payload’s variants (md5 - 1b03e3de1ef3e7135fbf9d5ce7e7ccf6) has shown that the executable module has encrypted data in its resources:
Encrypted data in the payload’s resources
The executable module extracts the data and converts it to a DLL module:
Extracting encrypted data
The DLL created by converting the data extracted from the payload is written to disk using the following path:
TempPath\tmp.dll (md5 - bf891c72e4c29cfbe533756ea5685314).
The library exports the following functions:
Functions exported by tmp.dll
When the library has been written to disk, it is loaded into the process’s address space and the ishk exported function is called:
Calling the ishk exported function
The library itself performs an injection into another process’s address space.
After launching, the malware communicates to a server in South Korea. The following requests are sent from the infected machine:
Requests sent from the infected machine
Kaspersky Lab detects the payload downloaded as Trojan-Dropper.Win32.Injector.jmli.
We detect the exploit as HEUR:Exploit.Script.Generic.
Microsoft releases a long list of security bulletins this month on the server and client side, patching a longer list of vulnerabilities in this month's array of technologies. Only four of the bulletins are rated "critical" this month: Internet Explorer, a variety of built-in Windows components, and Sharepoint and Office Web Services. Thirteen security bulletins are released in total, patching almost fifty vulnerabilities. Mostly every one of this month's vulnerabilities were reported privately, other than the XSS vulnerability in Sharepoint, which Microsoft claims would be difficult to exploit. In all likelihood, at some point Windows folks will have to reboot following download and install of around 100Mb of system updates this month.
For mass exploitation purposes, the most problematic issues have to do with Internet Explorer, with working exploits likely being developed in the near future to attack these memory corruption vulnerabilities. These are the sort of things that can happen to anyone online, so all Windows users should address them asap. These ten vulnerabilities enable remote code execution across all supported versions of IE across all Windows clients and servers, so most likely, they will receive immediate attention from the offensive security global peanut gallery.
On the targeted attack side, Sharepoint and Web Office Service administrators need to be aware of the critical vulnerabilities addressed with the large cumulative update MS013-067. Flaws in this code base enable RCE that could be exploited with the spear phishing techniques very commonly and effectively in use.
Also problematic from both perspectives is this interesting Outlook update, which patches a flaw in Outlook 2007 and 2010 S/MIME handling. It can be triggered in preview mode, which seems to make this the first severe, potentially wormable issue seen in Outlook in years. Patch immediately.
The long list of important updates are presented at Microsoft's Technet site here.
Today, Microsoft released a set of eight security Bulletins (MS13-059 through MS13-066) for a broad variety of vulnerable technologies and exploit categories. The critical vulnerabilities are not known to be exploited publicly at the time of Bulletin release. The more interesting Bulletins this month address RCE and EoP vulnerabilities in Internet Explorer, Windows components, and yet again Exchange/OWA components licensed from Oracle. Also included in this month's release are fixes for RPC, kernel drivers, Active Directory, and the networking stack.
MS13-059 is the priority update to roll out across Windows clients, as it fixes nine critical memory corruption vulnerabilities (that look like use-after-free to me) in IE6, IE7, IE8, IE9, IE10 and even IE11 preview on Windows 8.1 preview, along with XSS due to flawed Kanji font handling and flawed code in the "Windows Integrity Mechanism", which is used for sandboxing apps like Internet Explorer, Adobe Reader and Google Chrome. On Windows server, the maximum severity is "Moderate" and doesn't effect "Server Core" installations at all. Admins need to refer to the severity ratings and maximum impact table to prioritize server patch deployments, but those that need to prioritize patch deployments probably shouldn't surf the web from these types of systems anyway.
MS13-060 corrects code in the Unicode Scripts Processor implementing OpenType font handling, a format developed by Microsoft and Adobe over the past decade built on top of the TrueType format, in USB10.dll. This dll is used by Windows and all sorts of third party applications to handle right-to-left scripts like Arabic and Hebrew, and other complex fonts like Indian and Thai scripts too. The vulnerability is a user mode vulnerability that effects only Windows XP SP 2 and 3 (64 bit too) and Windows 2003 versions. These types of systems continue to be widely deployed, especially in government and critical infrastructure systems around the world. Exploits may be delivered via spearphish, as in the Duqu incident, or via a web page for a browser like Internet Explorer, as in Duqu copycat malcode like the Blackhole exploit pack that continues to be widely distributed and highly active.
Another interesting update includes MS13-061 that patches code in third party components built by Oracle and licensed by Microsoft for Outlook Web Access on Exchange Server 2007, 2010, and 2013. Applying the patch will not require a system reboot, but it will restart related Exchange services. The interesting thing about this critical set of issues is that they enable exploitation of the WebReady Document Viewing and Data Loss Prevention features on OWA for code execution not on the client system, but on the server itself with LocalService credentials. So a client system browsing code sent to their email account can remotely execute code on the server in the service's context, which is very problematic.
Please review the set and update ASAP. While most of the vulnerabilities this month were privately reported, these present high risk opportunities and the Exchange issues and exploitation are publicly known.