
Trojan.Linxder and the Flash 0-day (CVE-2011-0609)

Adobe recently reported a new zero-day flaw in Flash Player which, according to Adobe, affects Flash Player 10.2.152.33 and earlier versions. Soon after, additional news broke showing that this flaw had been used as part of limited targeted attacks. The initial attacks used a SWF file embedded inside an MS Excel file to lure users into opening it. Once a user opens this Excel file, the embedded Flash file is activated and exploits the vulnerability. The Bugix-security blog described the exploitation process in great detail here.

Today, I would like to extend this analysis by talking more about the malware behind the exploit. What kind of malware is this? What does it do, and who might be the people behind this attack? During the course of my investigation, I found some clues leading me to the potential hackers behind these attacks. My preliminary analysis shows that Chinese hackers are probably the masterminds of this attack. I will come to the reasons for this conclusion later.

A detailed investigation of the code and functionality inside the malware payload 'a.exe' (1e09970c9bf2ca08ee48f8b2e24f6c44) shows that this is zero-day malware. As of Mar 15, 2011, none of the AV engines on VirusTotal were able to detect it.

VirusTotal report (screenshot):

An interesting fact is that if one digs into the history of this binary on VirusTotal, one will find that this file was first seen by VT on Mar 9th, 2011. At that time there was one AV which was flagging it as suspicious, which sounds great. But if one looks at the report from Mar 13, 2011, that same AV had marked it as a false positive and was no longer detecting it as malicious. Possibly that AV blindly followed the other AVs, reasoning that because no one else was declaring it malicious, it must be a false alarm. Funny, isn't it?

OK, let's dig deeper into this malware. In the absence of a good name, I have named this malware Trojan.Linxder. 'a.exe' is merely an installer program whose main purpose is to install the final payload onto the infected system. The main activities inside 'a.exe' are:

  1. Kill all existing MS Excel processes. This means that it also kills the attacker's Excel file (with the embedded SWF) that launched 'a.exe'.
  2. Jump to a certain offset within its own PE image and extract a Win32 cabinet file. This cabinet file contains the next payload binary, svchost.exe (90993b5279365b204148e8b04edf477f). It's terrifying that, as of today, none of the AVs listed on VirusTotal are able to detect it.
  3. Run svchost.exe.
  4. Jump further into the PE image and extract another cabinet file. The second cabinet file contains a harmless Excel file, 'crsenvironscan2.xls' (1990c787e54a7e96e4cb550d83e9d3f4).
  5. Run crsenvironscan2.xls.

From the user's perspective this happens very quickly:

Attacker's Excel file --> Exploit SWF --> a.exe --> svchost.exe
                                                --> crsenvironscan2.xls

One can see that an unaware user will believe that he has simply opened crsenvironscan2.xls.

An interesting feature of Trojan.Linxder and its subcomponents is the use of obfuscation to hide its internal strings, such as the C&C URL.

For example, at run time a hex buffer like this:

0x81, 0x9E, 0x9F, 0x9C, 0xD7, 0xC1, 0xC0, 0x9E, 0x94, 0x85,
0x80, 0xDA, 0x92, 0x99, 0x98, 0x9F, 0x95, 0x9F, 0x8E, 0x8C, 0x99,
0x9F, 0x8B, 0x65, 0x72, 0x67, 0x71, 0x72, 0x6C, 0x65, 0x62, 0x7B,
0x27, 0x69, 0x64, 0x61, 0x22, 0x66, 0x7B, 0x7D, 0x7D, 0x3D, 0x7F,
0x7B, 0x66, 0x62, 0x39, 0x70, 0x6D, 0x77, 0x77

will get translated into:

http://news.googleupdateservices.com/html/lost.html

The obfuscation scheme is quite trivial:

mov     cl, 0xE9                ; key seed
mov     dl, byte ptr Buf[eax]   ; eax = index into the buffer
add     cl, al                  ; key = (0xE9 + index) & 0xFF, cl is only 8 bits wide
xor     dl, cl                  ; decode one byte
mov     byte ptr Buf[eax], dl   ; write it back in place
inc     eax
cmp     eax, 287h
jl      short loc_402672

or in simple C:

unsigned char buf[0x287];     /* obfuscated string buffer (Buf above) */
unsigned int  result = 0;     /* index, held in eax above */
unsigned char byte;           /* key, held in cl above */

do
{
    byte = (unsigned char)(result + 0xE9);   /* wraps at 8 bits, just like cl */

    buf[result] = buf[result] ^ byte;

    ++result;
}
while ( result < 0x287 );     /* 287h in the disassembly above */
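The same decode loop, re-implemented in Python as an added example (not code from the original post) and run over the buffer quoted earlier; it also goes one step further than the post with a seed search over all 256 starting key values, which is what an analyst would reach for if a later sample kept the loop but changed the 0xE9 constant (a hypothetical variant, not one the post describes).

```python
"""Decoder for the rolling-XOR string obfuscation used by Trojan.Linxder.

Byte i of the buffer is XORed with (0xE9 + i) & 0xFF, which is what the
'mov cl, 0xE9 / add cl, al / xor dl, cl' loop in the disassembly computes.
The key lives in cl, an 8-bit register, so it wraps from 0xFF to 0x00 at
i = 23; a decoder that forgets the mask mangles everything after "updat".
"""

SEED = 0xE9  # initial value of cl in the sample's loop

# The obfuscated buffer quoted in the post (51 bytes, copied verbatim).
OBFUSCATED_URL = bytes([
    0x81, 0x9E, 0x9F, 0x9C, 0xD7, 0xC1, 0xC0, 0x9E, 0x94, 0x85,
    0x80, 0xDA, 0x92, 0x99, 0x98, 0x9F, 0x95, 0x9F, 0x8E, 0x8C, 0x99,
    0x9F, 0x8B, 0x65, 0x72, 0x67, 0x71, 0x72, 0x6C, 0x65, 0x62, 0x7B,
    0x27, 0x69, 0x64, 0x61, 0x22, 0x66, 0x7B, 0x7D, 0x7D, 0x3D, 0x7F,
    0x7B, 0x66, 0x62, 0x39, 0x70, 0x6D, 0x77, 0x77,
])


def decode(buf, seed=SEED):
    """Apply the sample's loop: out[i] = buf[i] ^ ((seed + i) & 0xFF)."""
    return bytes(b ^ ((seed + i) & 0xFF) for i, b in enumerate(buf))


def find_seeds(buf):
    """Try every 8-bit seed and keep those whose output is printable ASCII.

    Because the key is seed + i, a wrong seed only XORs the plaintext with
    a constant, so several seeds can pass the printable filter; the analyst
    still picks the hit that reads as a URL or path. Intended for a
    hypothetical variant that changes the 0xE9 constant but keeps the loop.
    """
    hits = []
    for seed in range(256):
        out = decode(buf, seed)
        if all(0x20 <= c < 0x7F for c in out):
            hits.append((seed, out))
    return hits


if __name__ == "__main__":
    print(decode(OBFUSCATED_URL).decode("ascii"))
    for seed, text in find_seeds(OBFUSCATED_URL):
        print(f"seed 0x{seed:02X}: {text.decode('ascii')}")
```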

This pretty much explains what 'a.exe' does. Now let's move on to the other subcomponents, i.e. crsenvironscan2.xls and svchost.exe.

crsenvironscan2.xls

As I explained above, this Excel file is just there to deceive the end user into thinking that he/she has actually opened a benign file. The attackers knew that for this attack to succeed without leaving any tell-tale traces behind, they needed to provide a valid data file compelling enough to lure users into opening it.

What's inside this excel file?

Screenshot: contents of crsenvironscan2.xls

If you take a closer look at the contents you might guess who the targeted users are. But that's not the end of it. If one looks into the metadata associated with this Excel file, there is some interesting information which can lead us to the history of this Excel file.

Here is the metadata attached to this file.

Title: Environmental Scan Matrix of Risk and Security Organizations

Author: Center for Risk and Security

Last Saved by: linxder

Company: Clark University

Date created : 2/20/2003

Date last saved: 3/8/2011

Screenshot: Excel document properties

If one digs deeper, there is more metadata available inside the Excel dump.

"Draft Minutes – CRS Meeting, April 28           jsarkis@clarku.edu         Joseph Sarkis"

Who is this Joseph Sarkis? A quick Google search shows that he is a professor at Clark University.

http://www.clarku.edu/~jsarkis/

My best guess is that this document was created in 2003 by Joseph Sarkis and was stolen at some point by hackers. Now the attackers are taking advantage of this authentic document and using it as part of their next targeted attack. This still doesn't lead us to the potential attackers. For that we'll have to consider the next two entries, i.e.

Date last saved: 3/8/2011

and

Last saved by: linxder

One can see that the last-saved date (3/8/2011) is very close to the known release time of this attack. Apparently this file was last saved on a computer whose logged-in username was 'linxder'.

Who is this linxder? My colleague Darien pointed me to a few links on Google which tell us that a guy named "linxder" is a known Chinese threat actor. This guy is an old-school hacker with a fairly expansive social network.

http://hi.baidu.com/linxder/home

Translation of the above link can be found here:

If one searches linxder's Baidu profile, one can see that he talks a ton about weaponizing Flash containers in other file formats, which is exactly what happens in this attack.

Based on this evidence it can be said with reasonable confidence that Chinese hackers are the masterminds of this attack, although it's also possible that some rival group is trying to mislead the world by wrongly implicating linxder in this matter.

The details of the functionality inside svchost.exe shed some further light on the motivations behind this attack. I will cover the low-level detail of this component in the next part of this post.

Atif Mushtaq

4 thoughts on "Trojan.Linxder and the Flash 0-day (CVE-2011-0609)"

  1. The real question is what the US Government is going to do about it. These highly successful attacks have been wreaking havoc across our nation and our allies. I find it strange that this would be called a false positive and then removed. There is no way in hell that was a coincidence. This is absolutely malware. Additionally Baidu should turn over logs on the individual to identify him and the systems he operates from. AV Vendors should be forced to explain why they did not initiate detection from this sooner when they have automatic signature generation systems that process samples as they are received and then push those updates back out to the public. This malware is certainly not the only tool in their toolbox as they have many others, but the real issue is not the tool, it's the actor. It's about time China put up or shut up. Make an example of one of its soldiers for being a slack a.. operator and embarrassing its Government with weak skills.
    http://shpata0xff.wordpress.com/2011/03/16/cve-2011-0609-payload-a-exe-analysis/

  2. I wouldn't call that evidence or a reasonable assumption. It seems just as likely that someone would use linxder's research and credit him as that someone would actually be that careless.

  3. Would the FireEye sandbox have detected this attack if one were to upload the malicious xls file?
