Archive for the ‘Exploit’ Category

Bredolab Hook Overwrite Sequence

Monday, September 14th, 2009

ThreatFire continues to block a high volume of Bredolab downloader activity this week; the spam campaign described several weeks ago is not abating. Our research then turned to the several kernel-level hook overwrite attempts that Bredolab makes, whose end goal is evading behavior-based security products. ThreatFire prevents this malware effectively, while other behavior-based products do not seem to fare as well, their kernel-mode hooks duly overwritten and bypassed.

Two of the kernel hook overwrite attempts abuse straightforward Windows vulnerabilities, both of which have been patched. The third targets a mechanism that is not officially a vulnerability. When users are not logged in as an administrator, Bredolab is not effective. Here is the short list of the targeted vulnerabilities, in the order the Bredolab code tries them:

1st Bredolab targeted vulnerability – MS07-017 – GDI Local Elevation of Privilege Vulnerability
CVE-2006-5758

2nd Bredolab targeted vulnerability – MS08-025 – Windows Kernel Usermode Callback Local Privilege Escalation Vulnerability
CVE-2008-1084

3rd Bredolab targeted vulnerability – Flaw allows local users with the SeDebugPrivilege privilege to execute arbitrary code as kernel
CVE-2004-2339

Just before exploiting the vulnerabilities to gain kernel access, Bredolab copies ntkrnlpa.exe (the PAE build of the kernel) from disk into its own virtual memory and searches the mapped image for the addresses of nine kernel APIs that security products frequently hook. It finds them and stores the resolved virtual addresses in its text section for use in the overwrites:
ZwAllocateVirtualMemory
ZwWriteVirtualMemory
ZwProtectVirtualMemory
ZwCreateThread
ZwAdjustPrivilegesToken
ZwOpenProcess
ZwOpenThread
ZwQueueApcThread
ZwSetValueKey
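As an added illustration, not Bredolab's code and not from the original post, the C program below mirrors the two halves of this step: it resolves export RVAs from a raw on-disk PE image by walking the export directory and the section table (a file mapping is not laid out by RVA, so the translation matters), then compares each function's first bytes in a "loaded" copy against the on-disk bytes to find inline hooks, decode their jmp targets, and restore the clean prologue. The PE image, the kernel base 0x804D7000, the hook target 0xF7A12000 and the 16-byte stub bodies are all constructed for the demo; on a real system the on-disk image would come from MapViewOfFile and the live bytes from kernel memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE    0x2000
#define NAPI        9
#define KERNEL_BASE 0x804D7000u   /* assumed load address of ntkrnlpa.exe (illustrative) */

/* The nine exports Bredolab resolves, in the order listed in the post. */
static const char *kHookedApis[NAPI] = {
    "ZwAllocateVirtualMemory", "ZwWriteVirtualMemory", "ZwProtectVirtualMemory",
    "ZwCreateThread", "ZwAdjustPrivilegesToken", "ZwOpenProcess",
    "ZwOpenThread", "ZwQueueApcThread", "ZwSetValueKey"
};

/* Little-endian field access without relying on struct packing. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* A raw file mapping is not laid out by RVA: walk the section table to turn an
   RVA into a file offset. Headers map 1:1, so an unmatched RVA is returned as-is. */
static uint32_t rva_to_off(const uint8_t *img, uint32_t rva) {
    uint32_t nt = rd32(img + 0x3c);
    const uint8_t *sec = img + nt + 24 + rd16(img + nt + 20);
    for (uint16_t i = 0; i < rd16(img + nt + 6); i++, sec += 40) {
        uint32_t va = rd32(sec + 12), vsz = rd32(sec + 8);
        if (rva >= va && rva < va + vsz) return rd32(sec + 20) + (rva - va);
    }
    return rva;
}

/* Resolve a named export from the on-disk image. Returns its RVA, or 0 if absent. */
static uint32_t export_rva(const uint8_t *img, const char *name) {
    uint32_t nt = rd32(img + 0x3c);
    uint32_t exp = rd32(img + nt + 24 + 96);          /* PE32 DataDirectory[0]: exports */
    if (!exp) return 0;
    const uint8_t *ed    = img + rva_to_off(img, exp);
    const uint8_t *funcs = img + rva_to_off(img, rd32(ed + 28));
    const uint8_t *names = img + rva_to_off(img, rd32(ed + 32));
    const uint8_t *ords  = img + rva_to_off(img, rd32(ed + 36));
    for (uint32_t i = 0; i < rd32(ed + 24); i++) {
        if (strcmp((const char *)img + rva_to_off(img, rd32(names + 4 * i)), name) == 0) {
            uint16_t ord = rd16(ords + 2 * i);        /* index into AddressOfFunctions */
            return ord < rd32(ed + 20) ? rd32(funcs + 4 * ord) : 0;
        }
    }
    return 0;
}

/* Constructed stand-in for ntkrnlpa.exe: a PE32 with one section (RVA 0x1000,
   file offset 0x400) holding an export table and a 16-byte stub per API. */
static void build_disk_image(uint8_t *img) {
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3c, 0x80);
    uint8_t *nt = img + 0x80;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x14c); wr16(nt + 6, 1); wr16(nt + 20, 0xE0); wr16(nt + 24, 0x10b);
    wr32(nt + 24 + 96, 0x1000); wr32(nt + 24 + 100, 0x400);   /* export directory RVA/size */
    uint8_t *sec = nt + 24 + 0xE0;
    memcpy(sec, ".text", 5);
    wr32(sec + 8, 0x1000); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x1000); wr32(sec + 20, 0x400);
    uint8_t *ed = img + 0x400;
    wr32(ed + 16, 1); wr32(ed + 20, NAPI); wr32(ed + 24, NAPI);
    wr32(ed + 28, 0x1040); wr32(ed + 32, 0x1080); wr32(ed + 36, 0x10C0);
    for (int i = 0; i < NAPI; i++) {
        wr32(ed + 0x40 + 4 * i, 0x1400 + 16 * i);              /* function RVA  */
        wr32(ed + 0x80 + 4 * i, 0x1100 + 32 * i);              /* name RVA      */
        wr16(ed + 0xC0 + 2 * i, (uint16_t)i);                  /* ordinal index */
        strcpy((char *)ed + 0x100 + 32 * i, kHookedApis[i]);
        memcpy(ed + 0x400 + 16 * i, "\x8b\xff\x55\x8b\xec\xc3", 6); /* placeholder prologue + ret */
    }
}

/* Lay the image out by RVA, as the loader does for the running kernel. */
static void map_image(const uint8_t *disk, uint8_t *mem) {
    uint32_t nt = rd32(disk + 0x3c);
    const uint8_t *sec = disk + nt + 24 + rd16(disk + nt + 20);
    memset(mem, 0, IMG_SIZE);
    memcpy(mem, disk, 0x400);
    for (uint16_t i = 0; i < rd16(disk + nt + 6); i++, sec += 40)
        memcpy(mem + rd32(sec + 12), disk + rd32(sec + 20), rd32(sec + 16));
}

/* Simulate a security product's inline hook: jmp rel32 at the export's entry. */
static int install_jmp_hook(const uint8_t *disk, uint8_t *mem, const char *name, uint32_t hook_va) {
    uint32_t rva = export_rva(disk, name);
    if (!rva) return 0;
    mem[rva] = 0xE9;
    wr32(mem + rva + 1, hook_va - (KERNEL_BASE + rva + 5));
    return 1;
}

/* What both Bredolab and an anti-rootkit "unhook" do: copy the clean on-disk prologue over the live one. */
static void restore_prologue(const uint8_t *disk, uint8_t *mem, uint32_t rva) {
    memcpy(mem + rva, disk + rva_to_off(disk, rva), 5);
}

typedef struct { const char *name; uint32_t va, hook_target; } hook_t;

/* Integrity check: compare each export's first 5 bytes, live vs on-disk.
   Returns the number of diverging functions and decodes jmp rel32 targets. */
static int find_hooks(const uint8_t *disk, const uint8_t *mem, hook_t *out) {
    int n = 0;
    for (int i = 0; i < NAPI; i++) {
        uint32_t rva = export_rva(disk, kHookedApis[i]);
        if (!rva || memcmp(disk + rva_to_off(disk, rva), mem + rva, 5) == 0) continue;
        out[n].name = kHookedApis[i];
        out[n].va = KERNEL_BASE + rva;
        out[n].hook_target = mem[rva] == 0xE9 ? KERNEL_BASE + rva + 5 + rd32(mem + rva + 1) : 0;
        n++;
    }
    return n;
}

int main(void) {
    static uint8_t disk[IMG_SIZE], mem[IMG_SIZE];
    hook_t hooks[NAPI];
    build_disk_image(disk);
    map_image(disk, mem);
    install_jmp_hook(disk, mem, "ZwOpenProcess", 0xF7A12000u);   /* hypothetical driver address */
    int n = find_hooks(disk, mem, hooks);
    for (int i = 0; i < n; i++)
        printf("%-24s at %08x is hooked: jmp -> %08x\n", hooks[i].name, hooks[i].va, hooks[i].hook_target);
    restore_prologue(disk, mem, export_rva(disk, "ZwOpenProcess"));
    printf("after restore: %d hooked\n", find_hooks(disk, mem, hooks));
    return 0;
}
```

The same comparison run from a driver is the basic inline-hook check a security product can use on its own hooks: if the first bytes of a guarded export no longer match the hook it installed, something (here, Bredolab) has overwritten them with the on-disk original.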

The first exploit attempt to overwrite security solutions' hooks abuses Windows graphics (GDI) functionality. After calling MapViewOfFile and searching the mapped copy of ntkrnlpa.exe for the APIs listed above, Bredolab maliciously initializes a palette object:


Hook-overwriting shellcode is delivered via a carefully crafted GetNearestPaletteIndex call:

The shellcode manipulates CR0, clearing the WP (write-protect) bit, to obtain write access to otherwise read-only kernel memory:

The first method fails if the system has the MS07-017 patch applied (patch your systems!). To account for that, Bredolab checks for the patch and, if it is present, moves on to its next exploit.

First, it calls GetDesktopWindow to retrieve a handle to the desktop. Next, it sets up the first of two interrupt trampolines to NtUserMessageCall.

After the two are set up, it tricks ZwSetIntervalProfile into calling user-mode code from the kernel, passing a pointer to its hook overwrite function.

Sometimes neither of the first two exploits works on a given system. Bredolab arrives prepared for that situation: when both are patched, it checks whether the calling user holds the SeDebugPrivilege privilege.

If SeDebugPrivilege is present, Bredolab calls ZwSystemDebugControl with two interesting parameters: Debug_Control_Code=9 and SysDbgCopyMemoryChunks_1. With that debug code, Bredolab copies arbitrary code from user space into kernel space:


Using this memory-copy sub-function of NtSystemDebugControl (the call itself is not shown here), Bredolab writes to kernel memory. It modifies an IDT entry to point at its malicious code, and then transfers control to that code by calling ZwSetIntervalProfile again.
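To make the IDT step concrete, here is an added C example (not Bredolab's code and not from the post) that encodes and decodes 32-bit x86 IDT gate descriptors, performs the 8-byte overwrite an arbitrary kernel-write primitive would make on one vector, and runs the usual anti-rootkit check: flag any present vector whose handler lies outside the kernel image. The kernel range 0x804D7000 + 0x200000, the patched vector 0x3E and the user-mode target 0x00401000 are assumptions chosen for the demo; a real scan on Windows must also allow handlers inside hal.dll, which legitimately owns several vectors.

```c
#include <stdint.h>
#include <stdio.h>

#define IDT_ENTRIES 256
#define KERNEL_CS   0x08     /* ring-0 code selector */
#define GATE_INT32  0x8E     /* P=1, DPL=0, S=0, type 0xE: 32-bit interrupt gate */

/* One 8-byte IDT gate descriptor, kept as raw bytes. */
typedef struct { uint8_t raw[8]; } idt_gate_t;

/* Layout: offset[15:0], selector, reserved, type/attributes, offset[31:16]. */
static void gate_encode(idt_gate_t *g, uint32_t handler, uint16_t sel, uint8_t attr) {
    g->raw[0] = (uint8_t)handler;         g->raw[1] = (uint8_t)(handler >> 8);
    g->raw[2] = (uint8_t)sel;             g->raw[3] = (uint8_t)(sel >> 8);
    g->raw[4] = 0;                        g->raw[5] = attr;
    g->raw[6] = (uint8_t)(handler >> 16); g->raw[7] = (uint8_t)(handler >> 24);
}
static uint32_t gate_handler(const idt_gate_t *g) {
    return (uint32_t)g->raw[0] | (uint32_t)g->raw[1] << 8 |
           (uint32_t)g->raw[6] << 16 | (uint32_t)g->raw[7] << 24;
}
static int gate_present(const idt_gate_t *g) { return (g->raw[5] & 0x80) != 0; }
static int gate_dpl(const idt_gate_t *g) { return (g->raw[5] >> 5) & 3; }

/* Constructed baseline: every vector points into an assumed kernel image range. */
static void idt_build(idt_gate_t *idt, uint32_t kbase) {
    for (int v = 0; v < IDT_ENTRIES; v++)
        gate_encode(&idt[v], kbase + 0x1000 + 16u * (uint32_t)v, KERNEL_CS, GATE_INT32);
}

/* The 8-byte write a kernel-memory write primitive would perform on vector v. */
static void idt_patch(idt_gate_t *idt, int v, uint32_t code) {
    gate_encode(&idt[v], code, KERNEL_CS, GATE_INT32);
}

/* Scan: report present vectors whose handler lies outside [kbase, kbase+ksize).
   Returns the count and fills vectors[] with the offending vector numbers. */
static int idt_scan(const idt_gate_t *idt, uint32_t kbase, uint32_t ksize, int *vectors) {
    int n = 0;
    for (int v = 0; v < IDT_ENTRIES; v++) {
        uint32_t h = gate_handler(&idt[v]);
        if (gate_present(&idt[v]) && (h < kbase || h >= kbase + ksize)) vectors[n++] = v;
    }
    return n;
}

int main(void) {
    static idt_gate_t idt[IDT_ENTRIES];
    int bad[IDT_ENTRIES];
    const uint32_t kbase = 0x804D7000u, ksize = 0x200000u;   /* assumed ntkrnlpa.exe range */
    idt_build(idt, kbase);
    idt_patch(idt, 0x3E, 0x00401000u);   /* hypothetical vector and user-mode buffer */
    int n = idt_scan(idt, kbase, ksize, bad);
    for (int i = 0; i < n; i++)
        printf("vector 0x%02x -> %08x (DPL %d) lies outside the kernel image\n",
               bad[i], gate_handler(&idt[bad[i]]), gate_dpl(&idt[bad[i]]));
    return 0;
}
```

A handler address below 0x80000000 on a default x86 Windows layout is user-mode memory, which is exactly the kind of vector the scan above reports; a behavioral product watching for that write, rather than only for the privilege check before it, does not depend on the three vulnerabilities being patched.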

While the bulk of the attacks appear in the U.S., outbreaks of this stuff occurred throughout Italy, England, Germany and Russia over the past year as well. Unfortunately, there remain enough unpatched systems in these countries to hold these attackers' attention.

No Microsoft FTP Module 0day, but Spybot/Kolab Exploits

Tuesday, September 1st, 2009

We have been waiting for some stats to roll in, but we have not seen a hint of an 0day worm, or any attacks at all for that matter, on the current Microsoft FTP module 0day.

Instead of the FTP 0day showing global activity, Spybot/Kolab is attempting to rip across the Russian Federation and Ukraine by attacking a several-year-old vulnerability in srvsvc.dll, the Server service hosted within one of the several svchost.exe processes running on Windows systems. (Why rush development of a new stack overflow exploit when users leave systems unpatched for years, for various reasons?) The worm attempts to exploit the aged vulnerability and deliver download-and-execute shellcode, pulling down and running more malware on the compromised host. That shellcode has been downloading from a URL incremented daily on a server hosted in England since August 2nd. Today it is 94.76.194 .116/ 37.exe. Threatexpert report for the payload here.

Clamping Down on Clampi

Thursday, July 30th, 2009

The banking password and information stealer Clampi was recently described as infecting anywhere from 100,000 to 1 million Windows PCs. Let's take a closer look at this menace and at the interesting Clampi behaviors ThreatFire has been preventing in our community.

First, let's talk about distribution over the past year. Most Clampi executables appear to be unique, each seen on no more than one machine. The bulk of them are repacked and re-obfuscated to evade AV solutions, so only a quarter of the Clampi malware prevented in the ThreatFire community over the past year showed up on more than one system. Almost all of the variants seen on multiple user desktops appear to have been delivered via an Adobe Acrobat client-side exploit. As posted previously about mainstream Windows PDF readers, be sure to update the software on your system, especially popular third-party browser plugins. A high number of these Clampi-delivering exploits successfully attacked Acrobat 7.0. Unfortunately, while the message that third-party plugins need regular updating may be getting out, the advice does not seem to be followed reliably.

The trojan runs a new instance of Internet Explorer, injects its own executable code into it, accesses the personal store of saved passwords, and sends the data off the system to multiple web sites. None of these techniques is new, but they are highly problematic nonetheless. ThreatFire prevents these behaviors reliably, and PC Tools AV reliably detects the malware with one of several heuristic routines: Trojan.DL.Ilomo.Gen!Pac, Trojan.DR.Ilomo.Gen!Pac.2, Trojan.DL.Ilomo.Gen!Pac.

Symantec named this malware Trojan.Clampi; other groups have labelled it inconsistently with a handful of other names, including Clomp, Downloader, Inject, Rscan, Small, Ilomo, Agent2 and Agent, and often it is detected by its packer's characteristics. Unfortunately, its packer changes, and old signatures can become ineffective as the malware appears on systems around the world over time. PCTAV heuristics remained effective over time, however.

Update: please see the follow-up post with a bit of technical information on the Clampi variant's injection technique.