3380-1 (CFNOC/DND CIRT)
10 May 06
(U) Recently it appears that several websites were compromised and a hostile script inserted into the HTML source; follow-up investigation appears to indicate that the compromises in question may have occurred sometime in April 2006.
(U) In order to determine the nature of the threat and the vulnerability
associated with the hostile code, initial analysis of this threat was conducted in the
author's personal computer laboratory.
(U) After configuration of the laboratory environment was complete the
internal/external IDS/Sniffer platforms were initialized. The following compromised
websites were then browsed to generate packet captures for the initial visit and a
period of 60 minutes thereafter:
a. creativemods.com (IP address 22.214.171.124);
b. modelmayhem.com (IP address 126.96.36.199);
c. sensuflex.com (IP address 188.8.131.52);
d. topwallpapers.com (IP address 184.108.40.206); and
e. pinupparadise.com (IP address 220.127.116.11);
(U) VMWare was utilized to emulate both patched and unpatched Windows XP/Windows 2000 platforms; the virtual machines were reinitialized after each visit in order to ensure that the results were unadulterated.
(U) Whilst loading the compromised webpage, a hostile script embedded in
the page's HTML source (refer to annex B) runs and attempts to install malware
designated "start.exe" from one of the following URIs (the URIs purposely broken to
prevent accidental infection:
(U) In addition to downloading the malware in question, the hostile code also appears to incorporate a web counter facility; this is conceivably used by the entity responsible for the malware in order to record the number of compromised hosts.
exploitation by the hostile script:
a. Windows XP SP2 unpatched - infected;
b. Windows XP SP2 patched to current patch level - no infection noted;
c. Windows 2000 SP 4 unpatched - infected; and
d. Windows 2000 SP 4 patched to current patch level - no infection
implementations are as follows:
a. McAfee - PWS-JA;
b. Norton - Trojan.Download;
c. Symantec Corporate - Trojan.Anserin, Trojan.Download
c. Avast Home Edition - Win32:Trojano-P; and
d. AVG Free - no detection.
(U) The script in question contained several obfuscated strings; obfuscation of
hostile code is a very common technique used to evade detection and hinder
analysis. All of the obfuscated and reconstituted strings found in the hostile script are
demonstrated in annex C.
(U) One of the reconstituted strings appeared to be a Class ID1 (clasid)
designated "BD96C556-65A3-11D0-983A"; this clasid corresponds to the client-side
(U) The hostile code appears to specifically address the RDS.DataSpace
object, which is deployed in Windows installations as an MDAC3 component.
Considering this, the script clearly exploits the CVE-2006-0003 vulnerabilityi; the
patches associated with Microsoft Security Bulletin MS06-014ii, issued on 11 April
2006, address this vulnerability.
c. although the current deployment of the organization's A/V suite will
detect the threat automatically, no further action (e.g. deletion/
quarantine) is taken as the default response is "leave alone".
c. given the performance history of the current A/V implementation,
heuristic detection protection should be set at maximum vice the
current default level.
This action might not be possible to undo. Are you sure you want to continue?