Adobe recently reported the existence of a new zero-day flaw in Flash Player which, according to them, can affect Flash Player 10.2.152.33 and earlier versions. Soon after, additional news broke showing that this flaw had been used as part of limited targeted attacks. The initial attacks used a SWF file embedded inside an MS Excel file to lure users into clicking it. Once a user opens this Excel file, the Flash file embedded inside gets activated, exploiting this vulnerability. Bugix-security blog described the exploitation process in great detail here.
Today, I would like to extend this analysis by talking more about the malware behind the exploit. What kind of malware is this? What does it do, and who might be the people behind this attack? During the course of my investigation, I found some clues leading me to the potential hackers behind these attacks. My preliminary analysis shows that Chinese hackers are probably the masterminds of this attack. I will come to the reasons for this conclusion later.
A detailed investigation of the code and functionality inside the malware payload 'a.exe' (1e09970c9bf2ca08ee48f8b2e24f6c44) shows that this is zero-day malware. As of Mar 15, 2011, none of the AV engines on VirusTotal was able to detect it.
An interesting fact is that if one digs into the history of this binary on VirusTotal, one will find that this file was first seen by VT on Mar 9th 2011. At that time there was one AV which was declaring it as suspicious, which sounds great. But if one looks at the report from Mar 13 2011, that same AV had marked it as a false positive and was no longer detecting it as malicious. Possibly that AV blindly followed other AVs, thinking that because no one else was declaring it malicious, it must be a false alarm. Funny, isn't it?
OK, let's dig deeper into this malware. In the absence of a good name, I named this malware Trojan.Linxder. 'a.exe' is merely an installer program whose main purpose is to install the final payload onto the infected system. The main activities inside 'a.exe' are:
- Kill all the existing MS Excel processes. This means that it will also kill the attacker Excel file (with the embedded SWF) that launched 'a.exe'.
- Jump to a certain offset within its own PE image and extract a Win32 cabinet file. This cabinet file contains the next payload binary, svchost.exe (90993b5279365b204148e8b04edf477f). It's terrifying that, as of today, none of the AVs listed on VirusTotal is able to detect it.
- Run svchost.exe
- Jump further into the PE image and extract another cabinet file. The second cabinet file contains a harmless Excel file, 'crsenvironscan2.xls' (1990c787e54a7e96e4cb550d83e9d3f4).
- Run this crsenvironscan2.xls.
From a user perspective it happens very quickly:
Attacker Excel file --> Exploit SWF --> a.exe --> svchost.exe
One can see that an unaware user will feel that he has actually opened crsenvironscan2.xls.
An interesting feature of Trojan.Linxder and its subcomponents is the use of obfuscation to hide internal strings, such as the CnC URL.
For example, at run time, a hex buffer like this:
0x81, 0x9E, 0x9F, 0x9C, 0x0D7, 0x0C1, 0x0C0, 0x9E, 0x94, 0x85,
0x80, 0x0DA, 0x92, 0x99, 0x98, 0x9F, 0x95, 0x9F, 0x8E, 0x8C, 0x99,
0x9F, 0x8B, 0x65, 0x72, 0x67, 0x71, 0x72, 0x6C, 0x65, 0x62, 0x7B,
0x27, 0x69, 0x64, 0x61, 0x22, 0x66, 0x7B, 0x7D, 0x7D, 0x3D, 0x7F,
0x7B, 0x66, 0x62, 0x39, 0x70, 0x6D, 0x77, 0x77
will get translated into:
The obfuscation scheme is quite trivial:
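loc_402672:                      ; loop head, eax = index into Buf
mov cl, 0xE9
mov dl, byte ptr Buf[eax]
add cl, al                       ; cl = 0xE9 + low byte of the index
xor dl, cl
mov byte ptr Buf[eax], dl
inc eax                          ; next byte
cmp eax, 287h
jl short loc_402672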
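or, in simple C:
unsigned int result = 0;
do {
    unsigned char byte = (unsigned char)(result + 0xE9);  /* key byte wraps at 8 bits */
    buf[result] = buf[result] ^ byte;
    ++result;
} while ( result < 0x287 );  /* same bound as cmp eax, 287h */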
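As an added example (not part of the original analysis and not code from the sample), the Python below applies this scheme to the buffer quoted above and also locates strings encoded this way at an unknown position in a dump by trying all 256 starting key bytes. The function names and the zero-padded dump are constructed for illustration.

```python
"""Decoder and locator for the rolling-XOR string obfuscation described above."""

# The 51 encoded bytes quoted in the article (transcribed from the text).
ENCODED = bytes([
    0x81, 0x9E, 0x9F, 0x9C, 0xD7, 0xC1, 0xC0, 0x9E, 0x94, 0x85,
    0x80, 0xDA, 0x92, 0x99, 0x98, 0x9F, 0x95, 0x9F, 0x8E, 0x8C, 0x99,
    0x9F, 0x8B, 0x65, 0x72, 0x67, 0x71, 0x72, 0x6C, 0x65, 0x62, 0x7B,
    0x27, 0x69, 0x64, 0x61, 0x22, 0x66, 0x7B, 0x7D, 0x7D, 0x3D, 0x7F,
    0x7B, 0x66, 0x62, 0x39, 0x70, 0x6D, 0x77, 0x77,
])

def rolling_xor(buf: bytes, base: int = 0xE9) -> bytes:
    """XOR byte i with (base + i) mod 256; CL and AL are 8-bit, so the key wraps."""
    return bytes(b ^ ((base + i) & 0xFF) for i, b in enumerate(buf))

def find_encoded(blob: bytes, marker: bytes = b"http://"):
    """Return sorted (offset, key) pairs where marker sits encoded in blob.

    The key at a string's first byte is 0xE9 plus its index in the malware's
    buffer, which is unknown in a raw dump, so all 256 starting keys are tried.
    """
    hits = []
    for key in range(256):
        needle = rolling_xor(marker, key)  # XOR is symmetric: encode == decode
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, key))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)

def recover_strings(blob: bytes, marker: bytes = b"http://"):
    """Decode from each hit up to the first non-printable byte."""
    found = []
    for pos, key in find_encoded(blob, marker):
        text = []
        for ch in rolling_xor(blob[pos:], key):
            if not 0x20 <= ch <= 0x7E:
                break
            text.append(chr(ch))
        found.append((pos, "".join(text)))
    return found

if __name__ == "__main__":
    # Constructed dump: the article's bytes between zero padding.
    dump = bytes(16) + ENCODED + bytes(8)
    for offset, text in recover_strings(dump):
        print(f"offset {offset}: {text}")
```

The key byte wraps from 0xFF to 0x00 at index 23 of this buffer, which is why the tail of the encoded data already looks close to ASCII.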
This pretty much explains what 'a.exe' does. Now let's move to the other subcomponents, i.e. crsenvironscan2.xls and svchost.exe.
As I have explained above, this Excel file is just there to deceive the end user into thinking that he/she has actually opened a benign file. The attackers knew that for this attack to execute successfully, without leaving any tell-tale traces behind, they needed to provide a valid data file compelling enough to lure users into clicking it.
What's inside this Excel file?
If you take a closer look at the contents you might guess who the targeted users might be. But that's not the end of it. If one looks into the metadata associated with this Excel file, there is some interesting information which can lead us to the history of this Excel file.
Here is the meta information attached to this file.
Title: Environmental Scan Matrix of Risk and Security Organizations
Author: Center for Risk and Security
Last Saved by: linxder
Company: Clark University
Date created: 2/20/2003
Date last saved: 3/8/2011
If one digs deeper, there is more metadata available inside the Excel dump.
"Draft Minutes – CRS Meeting, April 28 email@example.com Joseph Sarkis"
Who is this Joseph Sarkis? A quick search on Google shows that he is a professor at Clark University.
My best guess is that this document was created in 2003 by Joseph Sarkis. It was stolen at some point in time by some hackers. Now the attackers are taking advantage of this authentic document and using it as part of their next targeted attack. This still doesn't lead us to the potential attackers. For this we'll have to consider the next two entries i.e.
Date last saved: 3/8/2011
Last saved by: linxder
One can see that the last saved date (3/8/2011) is very close to the known release time of this attack. Apparently it looks as if this file was last saved on a computer with the logged-in username 'linxder'.
Who is this linxder? My colleague Darien pointed me to a few links on Google that tell us that a guy named "linxder" is a known Chinese threat actor. This guy is an old-school hacker who has a fairly expansive social network.
Translation of the above link can be found here:
If one searches linxder's Baidu profile, we can see that he talks a ton about weaponizing Flash containers in other file formats, which is exactly what happens in this attack.
Based on this evidence it can be said with reasonable confidence that Chinese hackers are the masterminds of this attack. Although it's also possible that some rival group is trying to mislead the world by wrongly involving linxder in this matter.
The details of the functionality inside svchost.exe shed some further light on the motivations behind this attack. I will cover the low-level detail of this component in the next part of this post.