In a blog published in November titled ?Explore the CVE-2010-3654 matryoshka?, we discussed a 0-day Shockwave (SWF) exploit that uses JavaScript to do malicious actions. In this blog, we discuss another advanced way SWF malware is combined with JavaScript only this time, without using a 0-day exploit.
In January we noticed a very large spike in telemetry for a threat named Trojan:SWF/Jaswi.A. Going back to December 2010, we had picked up a few spikes for this issue, one around Christmas, a second after New Year?s, a second after New Year?s and then a third and largest spike the weekend after New Year?s:
Image 1a ? Prevalence chart for Trojan:SWF/Jaswi.A
When we looked deeper into the targets of these attacks, we discovered that they were predominantly reported by computers in South Korea. Since the beginning of this year, 89% of the targets were in South Korea with 75% of them specifically in Seoul. Here?s a chart with a breakdown by unique machines in the months January and February of this year (there has been no activity in March):
Image 1b ? Attack attempts by unique machines in the months January and February of 2011
Interested in the anomaly, I decided to have a look. After spending some time reviewing it, an interesting thing emerged. The malware Trojan:SWF/Jaswi.A is unlike other SWF malware; other SWF malware typically calls ?getURL <website address>? within an ACTION tag in order to visit a malicious website link without user consent. For more about this, see the following:
http://blogs.technet.com/b/mmpc/archive/2008/10/31/swf-for-malware-deployment.aspx
Trojan:SWF/Jaswi.A contains an embedded malicious JavaScript that initiates a legal Windows API call to trigger the payload. Although the analysis was only slightly involved, let?s take a simple step by step tour of the malware.
1. SWF with embedded JavaScript
Image 2 ? Embedded JavaScript within Trojan:SWF/Jaswi.A
If we convert the JavaScript into Actionscript, it should appear as below:
Image 3 ? JavaScript from Image 2 converted to Actionscript illustrating Windows API call
From the image above, we can see the legal function ExternalInterface.call() has been made to complete a procedure of initiating JavaScript injection. Well, this is not a new method after all, but only a few SWF malware take advantage of this technique.
2. JavaScript obfuscation
We notice the embedded JavaScript is also simply encrypted by a method ?fromCharCode()?. After decryption, the real JavaScript code appears (edited below):
Image 4 ? Decrypted JavaScript with black-outs added
Looks familiar? Yes, the Microsoft Internet Explorer vulnerability CVE-2010-0806 has been abused! This particular exploit affects Microsoft Internet Explorer versions 6, 6+SP1 and 7, and could allow a remote attacker to execute arbitrary code.
3. Shellcode
In Image 4 above, you can see Unicode encrypted by the method ?unescape()? ? this is the malware shellcode body, which includes a simple xor algorithm to avoid the detection. Further into the obfuscation, we finally see the destination, show below:
Image 5 ? Destination URL indicating an executable named ?uusee.exe?
The file ?uusee.exe? from the obfuscated URL shown above is actually a prevalent password stealer in China that Microsoft antimalware technologies detects as PWS:Win32/Lolyda.AU (SHA1: 0bd98a39c2eaa9c523e41cec250623b44f6d3239).
We mentioned the embedded JavaScript technique used in the malicious SWF here because it appears to be a trend and may become a popular method. As always, use caution while surfing the Interwebs and use on-access antimalware protection from a credible scanner (for more information on antimalware software, see http://www.microsoft.com/windows/antivirus-partners/).
-- Tim Liu, Malware Researcher, MMPC
how to fix pc errors fix pc errors freeware fix pc errors free
没有评论:
发表评论