DeepSight HoneyNet Detects Obfuscated Attacks for MS07-033 and Xunlei WebThunder
Recently, a DeepSight honeypot was compromised by a rogue website that served a variety of malicious scripts to users. From the dozens of Web sites that we investigate every day, what makes this case special is the fact that this is the first detected instance of in-the-wild exploitation of the Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability (BID 24426). This exploit appears to be a derivation of the publicly available exploit released at milw0rm.com. The vulnerability lies in the way two COM objects in the Speech API 4, namely the Windows DirectSpeechSynthesis Module (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE) and the DirectSpeechRecognition Module (XListen.dll, 4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. A malicious attacker can instantiate these COM objects via Internet Explorer and pass overly long arguments to certain routines. In this case, the exploit passes a maliciously crafted argument (ModeName) to the DirectSS.FindEngine function. The overflowed buffer is then populated with attacker-supplied shellcode, overwriting the Structured Exception Handler and thus resulting in the execution of arbitrary code. This exploit is being detected as Bloodhound Exploit.150 by Norton AntiVirus.
Upon further investigation we found that this Web site was also serving an exploit that leveraged an unpatched vulnerability in a very popular Chinese peer-to-peer file sharing application called Xunlei (Thunderbolt in English). Xunlei has an estimated user base of around 80 million, which makes it a very lucrative target to exploit. The vulnerability lies in Xunlei WebThunder, which can be used as a Web-based alternative to the original application, accessible through browsers like Microsoft Internet Explorer. However, the COM control ‘ThunderServer.webThunder.1’ (03507A1A-E0C5-4404-AA26-205385C0892D) fails to properly validate the supplied user input. The attackers abused a certain sequence of routines supplied by this COM control in order to download arbitrary files onto the user’s system. This exploit is being detected as Downloader by Norton AntiVirus.
Both of these client side exploits deliver the same malicious payload, which is being detected as W32.Looked.BK.
Another interesting aspect of this attack is the clever JavaScript obfuscation techniques that are used to hide these attacks. At first glance, what appeared to be a garbled Web page turns out to be an obfuscated JavaScript exploit using up to six levels of obfuscation (see image). This is primarily used to evade security products like Web applications that implement on-the-fly script parsers. This is how the exploit is obfuscated:
1. For the original exploit, all the variable names are randomized and the string values are replaced by their hexadecimal counterparts.
2. It is then encoded using a wrapper function which performs mathematical substitution operations on the code.
3. The wrapper function is further encoded using the JavaScript escape() function.
4. All the new-line characters in the resulting code are then escaped.
5. It is then packed with a routine which performs another set of substitution operations on the code.
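As an added example (not part of the original post or of DeepSight tooling), the Node.js script below peels the three of the listed layers that are fixed transformations: the escape()-encoded eval() wrapper (step 3), the eval("...") string literal with escaped newlines (step 4), and the hex-encoded string values (step 1). The two substitution-based wrappers (steps 2 and 5) differ from sample to sample and are not modelled. The input is a constructed, benign two-line script that references the WebThunder ProgID, wrapped in those three layers by hand; after peeling, the script reports the layers it removed, the decoded text, and any of the CLSIDs or the ProgID named in this post that appear in it. The function and constant names (peel, KNOWN_CLSIDS, unescapeLegacy and so on) are this example's own.

```javascript
// Added example: peel fixed obfuscation layers off a captured script and
// look for the COM identifiers named in the post. Names here are this
// example's own, not DeepSight tooling.

// CLSIDs and ProgID taken from the post; the descriptions are labels only.
const KNOWN_CLSIDS = {
  "EEE78591-FE22-11D0-8BEF-0060081841DE": "Speech API 4 DirectSpeechSynthesis (XVoice.dll), BID 24426",
  "4E3D9D1F-0C63-11D1-8BFB-0060081841DE": "Speech API 4 DirectSpeechRecognition (XListen.dll), BID 24426",
  "03507A1A-E0C5-4404-AA26-205385C0892D": "Xunlei WebThunder (ThunderServer.webThunder.1)",
};
const KNOWN_PROGIDS = {
  "ThunderServer.webThunder.1": "Xunlei WebThunder control",
};

// Decode the %XX / %uXXXX form produced by the legacy escape() function.
function unescapeLegacy(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Decode the body of a double-quoted JavaScript string literal: \n, \xHH,
// \uHHHH, \" and \\ become the characters they stand for.
function decodeJsString(body) {
  const simple = { n: "\n", r: "\r", t: "\t", '"': '"', "'": "'", "\\": "\\" };
  return body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (_, esc) => {
    if (esc.length > 1) return String.fromCharCode(parseInt(esc.slice(1), 16));
    return esc in simple ? simple[esc] : esc;
  });
}

// Each layer is a recognizer plus a decoder. Wrappers that must span the
// whole script come before the in-place hex decoding.
const LAYERS = [
  {
    name: 'eval(unescape("...")) wrapper',
    re: /^\s*eval\(unescape\("([^"]*)"\)\)\s*;?\s*$/,
    decode: (m) => unescapeLegacy(m[1]),
  },
  {
    name: 'eval("...") with escaped newlines',
    re: /^\s*eval\("((?:[^"\\]|\\.)*)"\)\s*;?\s*$/,
    decode: (m) => decodeJsString(m[1]),
  },
  {
    name: "hex-encoded string values",
    re: /\\x[0-9a-fA-F]{2}/,
    decode: (m, src) => src.replace(/\\x([0-9a-fA-F]{2})/g,
      (_, h) => String.fromCharCode(parseInt(h, 16))),
  },
];

// Report which of the known COM identifiers the decoded text references.
function findIndicators(code) {
  const hits = [];
  const upper = code.toUpperCase();
  for (const [clsid, label] of Object.entries(KNOWN_CLSIDS)) {
    if (upper.includes(clsid)) hits.push(`CLSID ${clsid}: ${label}`);
  }
  for (const [progid, label] of Object.entries(KNOWN_PROGIDS)) {
    if (code.includes(progid)) hits.push(`ProgID ${progid}: ${label}`);
  }
  return hits;
}

// Peel layers until no recognizer applies, or a depth cap is hit (guards
// against a script that keeps re-wrapping itself).
function peel(script, maxDepth = 10) {
  let code = script;
  const layers = [];
  while (layers.length < maxDepth) {
    const layer = LAYERS.find((l) => l.re.test(code));
    if (!layer) break;
    code = layer.decode(code.match(layer.re), code);
    layers.push(layer.name);
  }
  return { code, layers, indicators: findIndicators(code) };
}

// Constructed input (not a capture): a benign two-line script naming the
// WebThunder ProgID, its string value hex-encoded, wrapped in eval("...")
// with the newline escaped, then the whole wrapper escape()-encoded.
const SAMPLE =
  'eval(unescape("eval%28%22var%20o%20%3D%20%5C%22' +
  '%5C%5Cx54%5C%5Cx68%5C%5Cx75%5C%5Cx6e%5C%5Cx64%5C%5Cx65%5C%5Cx72' +
  '%5C%5Cx53%5C%5Cx65%5C%5Cx72%5C%5Cx76%5C%5Cx65%5C%5Cx72%5C%5Cx2e' +
  '%5C%5Cx77%5C%5Cx65%5C%5Cx62%5C%5Cx54%5C%5Cx68%5C%5Cx75%5C%5Cx6e' +
  '%5C%5Cx64%5C%5Cx65%5C%5Cx72%5C%5Cx2e%5C%5Cx31' +
  '%5C%22%3B%5Cndocument.write%28o%29%3B%22%29"))';

const result = peel(SAMPLE);
console.log(`peeled ${result.layers.length} layer(s): ${result.layers.join(" -> ")}`);
console.log(result.code);
console.log(result.indicators.length ? result.indicators : "no known COM identifiers found");
```

Because the peeler only rewrites text and never evaluates it, it can be run over a captured page offline; a real sample would need a recognizer added for each sample-specific substitution wrapper, which is where an analyst's time goes on the six-level cases the post describes.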
Client-side attacks have become the most prominent vector in the ever-evolving threat landscape. With their increased reach, ease, and effectiveness, such attacks have become the bread and butter of cyber-criminals. Almost every other day we hear of another legitimate Web site being compromised to enable such attacks, with innocuous users bearing the brunt of them. We anticipate that the frequency and the complexity of such attacks will increase in the near future. To avoid falling victim to such an attack, users should patch their systems regularly, update their antivirus definitions, and browse only trusted Web sites.
