Monday, January 25, 2010

IE 0-Day on GOV.CN

A few days back, there was a post on a forum about malware warnings displayed when visiting: www[dot]latax[dot]gov[dot]cn


Translates:



Upon analysis of the page, it appears that this GOV.CN page is hosting a page exploiting the Internet Explorer 0-day vulnerability (CVE-2010-0249). The same vulnerability exploited to compromise Google, Adobe, and other vendors in an attack dubbed 'Operation Aurora.'

Here is a snippet of the GOV.CN source, building the shellcode variable:

There is a slight deviation to the way that the shellcode is constructed (visible in above image) from some of the other variants that we have seen. Though, it uses the same exploit structure as past variants, including the ev1() and ev2() function names.
The ev1() function is used to dereference the previously declared event object:and attack the vulnerability
using the ev2() function to load the shellcode into memory and call the previously dereferenced object:
The JavaScript loads the shellcode and exploits the vulnerability, which downloads the payload v.exe from the same GOV.CN domain.
VirusTotal identifies 12/41 Anti-Virus engines detect the v.exe payload. It is a variant of the Chinese based Hupigon Backdoor, which F-Secure lists some of its features as:
• It allows others to access the computer
• Allows for recording with the user's webcam
• Can make the user's computer to attack various servers
• Send victim's computer messages
• Has rootkit functionality so it has a stealth component that hides files
• Create logs from keystrokes, steals passwords, and sends this information to remote servers

The Hupigon malware kit is described as being "maintained in a very professional fashion with a highly developed User Interface (UI)." Screenshot below:


This is just one example of this IE 0-day impacting GOV.CN sites; I have seen a few other reports of this. While there are several other examples of malware being hosted on GOV.CN domains, for example,
  • .wscz.gov.cn
  • .zhepb.gov.cn
  • .jssalt.gov.cn
  • .xfgh.gov.cn
  • .laspzx.linan.gov.cn
  • .zsjs.nmfc.gov.cn
The question is: are these CN Government sponsored for the purposes of potentially spying on its citizens, or have GOV.CN websites been infiltrated by hackers? In either case, browse safe, and if you are using IE 6, please upgrade or consider a different browser.

3 comments:

Anonymous said...

Holy $hit. Are you kidding me? This is what you do for a living?

Do you jump to the same conclusions, and ask questions when similar exploits are found hosted on US-government affiliated websites?

Let me get this straight. When it's hosted on an English-language, US-based site... it's suggestive of Chinese government involvement (because, after all, it's attacking Western users). When the exploit is found on a Chinese-language, China-based site... then it's still suggestive of Chinese government involvement (because, after all, it's hosted on a Chinese site).

Brilliant.

Mike Geide said...

Anonymous, point taken about jumping to conclusions, which is why the entire post is related to technical analysis of the attack. I asked a fair, and open ended question toward the end about CN Gov't involvement - I don't conclude or speculate to their involvement if any, though that question seemed to be the sentence that you focused on and that you have the biggest problem with.

Again, I'm not concluding or speculating CN Gov't involvement in the attacks, however, I will state that there are indicators:
- Google has made allegations based on their evidence that CN Gov't was involved in the Aurora project for the purposes of monitoring specific Chinese activists' Gmail accounts.
- China is a controlling Government, then why don't they have better control over their Government's websites / TLD - or do they, and this exploit is part of it.
- The potential victim base are Chinese citizens or companies doing business / paying taxes in China.
- The malware delivered has surveillance components, which was the alleged goal of the Aurora project. Granted that a lot of malware out there that has these components, but they are usually geared toward capturing financial credentials versus actual surveillance.
- The exploit kit used to generate the malware requires understanding of the Chinese language.
- The exploit/delivery mechanism was the same as in Aurora.

Indicators are not conclusions though. Time and additional facts will tell the entire story. Thanks for reading.
-M

Anonymous said...

why is it so difficult to believe that chinese are involved, they are openly blamed and suspected for a lot of cyber attack incidents.

And here is an example of that happening again.