
Tuesday, March 26, 2013

Malware Retrospective - Infected Chinese Servers Deploy Metasploit Exploits

It has been a while since our team blogged about malware and other interesting findings. Today we have some time to talk about one of the cases we analyzed while testing a few tools of our own. We prefer to build custom scripts and tools to automate web malware analysis. Recently we tested one such tool, a simple parser that fetches the script, iframe and embed tags present in remote web pages for faster analysis. We came across a set of malicious domains serving an exploit that used a JavaScript heap-spraying technique to execute its payload in a drive-by download attack. That is a common technique for silent browser exploitation; what was not common is the issue discussed below.
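As an added example (not the blog team's own tool), the following Python script does the kind of static pre-filtering described above: it extracts script, iframe and embed references from a fetched page, lists off-origin hosts for analyst review, and flags inline scripts with a high density of %uXXXX escapes, a common but not definitive heap-spray indicator. All hostnames and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Runs of %uXXXX escapes are a frequent (not definitive) heap-spray indicator.
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")

class RefExtractor(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.refs = []           # (tag, absolute url) for script/iframe/embed src
        self.inline = []         # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "embed") and a.get("src"):
            self.refs.append((tag, urljoin(self.base, a["src"])))
        elif tag == "script":            # inline script: start buffering its body
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._buf, self._in_script = [], False

def analyze(html, base_url, escape_threshold=16):
    """Return referenced external hosts and a count of spray-like inline scripts."""
    p = RefExtractor(base_url)
    p.feed(html)
    origin = urlparse(base_url).hostname
    hosts = {urlparse(u).hostname for _, u in p.refs}
    external = sorted(h for h in hosts if h and h != origin)
    sprayish = sum(1 for s in p.inline if len(UNICODE_ESCAPE.findall(s)) >= escape_threshold)
    return {"refs": p.refs, "external_hosts": external, "suspicious_inline": sprayish}

# Constructed sample page: a first-party script, a third-party stats script and an
# iframe on .invalid hosts, plus a long %u-escaped inline blob.
SAMPLE_HTML = (
    '<html><body><script src="/site.js"></script>'
    '<script src="http://stats.example.invalid/counter.js"></script>'
    '<iframe src="http://cdn.example.invalid/frame.html"></iframe>'
    '<script>var s = unescape("' + "%u9090" * 20 + '");</script></body></html>'
)
```

Calling `analyze(SAMPLE_HTML, "http://victim.example.invalid/index.html")` lists the two third-party hosts and one suspicious inline script; the threshold is a tuning knob, not a verdict.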

The malware domain was hosting an exploit for MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption. More details can be read here: MS12-043. Without any surprise, the IP address of that domain belonged to China as shown below:


Our surprise did not end there. Since the exploit for this vulnerability was released last year, we were interested in how the exploit code was structured. Tracing it turned out to be a real shock: the Chinese domain used the very same exploit code hosted in the Metasploit repository for this vulnerability. This raises a question: do Chinese malware authors simply deploy Metasploit exploits for an easy infection process? It could be. Who knows whether the domain was compromised by Chinese actors or belonged to someone else. It is hard to say who hosted the malware, but the servers were clearly located in China.

The exploit for this vulnerability can be found in Metasploit here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb.

A side-by-side comparison of one of the code snippets used on the malware domain and the legitimate Metasploit repository is shown below:


The exploit code was used in conjunction with the JS code hosted here: http://js.users.51.la/15240615.js.

This script collects information about the visitor and logs it for statistical purposes.

We recall earlier traces in which the Phoenix exploit kit used one of the exploits present in Metasploit. Refer: Gangsterware

The conclusive points are:

  • Metasploit provides neat exploits which are easy to deploy and use.
  • The evidence shows that malware authors are using Metasploit exploits.

Well, reality bites!

Sunday, January 27, 2013

Hack In The Box (HitB) Magazine : A Journey of Learning and Sharing

I finally got some time to talk about my (and other team members') journey as a contributor and author for the Hack-in-the-Box (HitB) magazine. At this point, the HitB ezine has completed more than two years. It's been a great time working with the HitB crew, especially Zarul and Dhillon. In addition, Mateusz “j00ru” Jurczyk and Gynvael Coldwind are also contributing a lot. I have been writing for this magazine right from the first edition. It has been a great time of sharing and learning over the last two years. I want to talk about the content I have written in the last nine editions with support from my various colleagues.

Edition 1: (Paper) - Malware Obfuscation: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-001.pdf - The first edition was released in January 2010. In this edition, I wrote a paper with Wayne Huang of Armorize on malware obfuscation tactics, with additional support from Fyodor Yarochkin. We discussed several malware obfuscation tactics and how to deobfuscate them manually.

Edition 2: (Paper) - Open Redirect Wreck Off - Web Traffic Forwards: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-002.pdf - The second edition was released in April 2012. In this edition, I presented the complete details of traffic redirection in web applications and websites, using real-time code snippets collected during open research.

Edition 3: (Paper) - Chinese Malware Factory - Paradox of MS Office Based Malware: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-003.pdf - The third edition came out in July 2010. In this edition, I wrote about my research on MS Office-based Chinese malware that uses Word, Excel and similar files to spread malicious code by exploiting vulnerabilities in the corresponding software components.

Edition 4: (Paper) - Notorious Data-center Support Systems: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-004.pdf - The fourth edition came out in October 2010. In this edition, I wrote a collaborative paper with my colleague Rohit Bansal on vulnerabilities in support-center web applications that can directly result in gaining access to different virtual hosts.

Edition 5: (Paper) - Exploiting Web Virtual Hosting - Malware Infections: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf - The fifth edition was released in February 2011. In this edition, I wrote a paper collaboratively with my colleague Rohit Bansal and my adviser Dr. Enbody presenting techniques for infecting virtual hosts present on the same host.

Edition 6: (Paper) - Botnet Resistant Coding: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-006.pdf - The sixth edition came out in June 2011. I released a paper with my colleagues Peter Greko, Fabian and my adviser Dr. Enbody presenting the concept of botnet-resistant coding. In this edition, we talk about a generic coding approach to subvert the automated log-harvesting process in C&C panels.

Edition 7: (Paper) - Extending SQL Injections using Buffer Overflows: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-007.pdf - The seventh edition was released in October 2011. In this edition, I wrote another paper collaboratively with my colleague Rohit Bansal and my adviser Dr. Enbody on exploiting blind SQL injections in web applications that return a 500 error, using a buffer overflow technique. This tactic was developed by Rohit himself.

Edition 8: (Paper) - Exploit Distribution Mechanism in Browser Exploit Packs: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-008.pdf - The eighth edition came out in April 2012. In this edition, I wrote collaboratively with Dr. Enbody on the techniques of exploit distribution in browser exploit packs such as BlackHole, Phoenix, etc.

Edition 9: (Paper) - Game of Windows 32/64 System Takeover - Bot Wars: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-009.pdf - The ninth edition was released in November 2012. I detailed the concept of bot wars, in which one bot kills another to gain complete control of the infected system.

HitB Magazine is a great place to talk about hacking techniques. I hope this continues, and I wish to contribute more in the time to come.

So, Hack the Box. Cheers!