A few months ago on this blog I described PowerLoader functionality
including an interesting way for privilege escalation into the
explorer.exe system process. The leaked PowerLoader code is also used in
other malware families. For example the Win32/Gapz
dropper is based on leaked PowerLoader code. In August 2013 we have
tracked a new modification of PowerLoader for 64-bit operating systems
(detected by ESET products as Win64/Vabushky.A). This modification uses
three exploits for local privilege escalation (LPE): MS13-053 (CVE-2013-3660), MS12-041 (CVE-2012-1864), and MS12-042
(CVE-2012-0217). Use of this set of LPE exploits was not previously
observed in PowerLoader samples or by related malware families.
Win64/Vabushky is a good example of how cybercriminals update their projects with code based on leaked Carberp sources. Two 64-bit exploits (CVE-2012-1864 and CVE-2012-0217) from the updated PowerLoader update are based on the leaked code. Before this leak into the public domain, 64-bit exploitation code for these vulnerabilities was not available. It’s also worth noting that the PowerLoader code was leaked in April 2013 and initiated the wave of distribution of droppers based on PowerLoader leaked code.
The dropper for Win64/Vabushky is packed by MPRESS because this packer is one of the few free products that support x64 PE32+ files. After unpacking, the dropper extracted the original PE32+ header with the time of compilation:
All binaries include a payload compiled at the beginning of August,
according to time stamp data. PowerLoader’s export table also shows a
few changes after unpacking when compared to the older version:
The main exploitation code for CVE-2013-3660 is presented in the following figure:
The shellcode which executed by nt!NtQueryIntervalProfile() looks like this:
It looks to be pretty much the same structure. All the differences
are found only in additional debugging code which is not included in
PowerLoader modification. Also there are some specific techniques for
making the exploitation more stable that look exactly the same.
This trick is not new and was mentioned in the blog post “The “Hikit” Rootkit: Advanced and Persistent Attack” by Mandiant. Also, during the installation process modifications are made to Boot Configuration Data (BCD) so as to activate test-signing policy for loading the unsigned driver module. The next figure presents registry keys with system configuration to allow the malicious driver to load (safeboot with various options is covered too):
The next steps are to install the malicious driver for locking the system and displaying a demonstration screen with the picture downloaded from the following URL’s, hardcoded into malicious code:
After successful infection the locked desktop screen looks like this:
Win64/Vabushky is a good example of how cybercriminals update their projects with code based on leaked Carberp sources. Two 64-bit exploits (CVE-2012-1864 and CVE-2012-0217) from the updated PowerLoader update are based on the leaked code. Before this leak into the public domain, 64-bit exploitation code for these vulnerabilities was not available. It’s also worth noting that the PowerLoader code was leaked in April 2013 and initiated the wave of distribution of droppers based on PowerLoader leaked code.
The dropper for Win64/Vabushky is packed by MPRESS because this packer is one of the few free products that support x64 PE32+ files. After unpacking, the dropper extracted the original PE32+ header with the time of compilation:
The most interesting part of latest changes provided concern the exploitation code for local privilege escalation.
LPE exploits update
After code injection into explorer.exe the modified version of PowerLoader tried to execute following local privilege escalation exploits into trusted process address space:
This
set of LPE exploits can bypass some types of sandbox technologies used
by security products. This is because direct manipulation of some
kernel-mode structures is possible from user-mode using legitimate
WinAPI calls.
CVE-2013-3660
Google researcher Tavis Ormandy discovered the MS31-053 vulnerability in March and exploitation details
were disclosed in May. The patch only became available with July’s
patch Tuesday. Before this modified version of PowerLoader, I hadn’t
seen a 64-bit version of MS13-053 exploit in-the-wild. Only an x86
version of proof of concept code has been seen made available publicly,
but PowerLoader uses 64-bit exploitation code. There is a good
description of the way in which this vulnerability is exploited in the VUPEN blog.
Before the start of the exploitation process a second desktop is
created for hiding visible artifacts by manipulating GDI objects.The shellcode which executed by nt!NtQueryIntervalProfile() looks like this:
This
exploitation code does not work for the 64-bit MS Windows 8 platform
because it cannot bypass the Intel SMEP (Supervisor Mode Execution
Protection) technology in modern CPU’s (for which support has been
provided since the Ivy Bridge line of processors). Microsoft only
started to support SMEP with Windows 8 and upwards. This technology
blocks attempts to execute code from user-mode memory pages into
kernel-mode. A good description of Intel SMEP as exploit protection
technology can be found here. The SMEP technology in Windows 8 for x64 can be bypassed using a ROP (Return-Oriented Programming) technique.
However, Intel announced the new protection technology SMAP (Supervisor
Mode Access Prevention). Intel’s SMAP blocks attempts to read memory
pages from user-mode into kernel-mode. SMAP and SMEP were developed to
prevent exploitation of NULL pointer dereferences in kernel-mode but
SMAP is not supported in Microsoft operating systems yet.
CVE-2012-0217 and CVE-2012-1864
The CVE-2012-0217 and CVE-2012-1864
exploitation code is based on leaked Carberp sources. The 64-bit
versions of CVE-2012-1864 had never been made public before the source
code leakage. The exploitation code for CVE-2012-0217 released on public
doesn’t work reliably on 64-bit versions of operating systems. Neither
exploit will work on Microsoft Windows 8 because of the restricted
vulnerability of the platform. After observing the similarity to leaked
Carberp source code I checked compiled exploit binaries found in the
leaked archive. In both compiled exploits I found the same path to the
build directory.
This
finding points to the same developer and seller for these exploits. The
exploitation code for CVE-2012-0217 is different in many respects to
the publicly available Proof of Concept exploits. The leaked exploit
works more reliably and supports 64-bits operating systems.
I’m going to check similarities in the code from the PowerLoader
modification and the leaked exploit for CVE-2012-0217. The following
flow graph shows the similarity of basic structural blocks (PowerLoader
code on the left side):
This
code provides modifications in nt!HalDispatchTable for avoiding 100%
CPU activity with multiple threads in exploitation process.
The same thing was found with exploitation code for CVE-2012-1864
vulnerability. This exploit has never before been publicly available
either. CVE-2012-1864 was discovered by Tarjei Mandt from Azimuth
Security. The vulnerability details were disclosed on the slides “Smashing the Atom”
at the Recon conference in June 2012 but exploitation code was not
released to the public. The exploit code from PowerLoader looks more
optimized and doesn’t have debugging code with console output. For
example, as seen in this code (disassembly code from PowerLoader is the
second image):
CVE-2012-0217
and CVE-2012-1864 are good examples of exploits that make it possible
to bypass sandboxes in security software. Both of these exploits can
manipulate kernel-mode structures from user-mode using standard WinAPI
functions. A nice description of vectors for bypassing sandboxes using
these types of vulnerabilities is presented in the research report “Application Sandboxes: A Pen-Tester’s Perspective” by Bromium Labs.
The Payload
After successful PowerLoader execution and
privilege escalation, the ransomware (Win64/Vabushky.A) was downloaded
in order to infect the system. Earlier this week my colleague Jean-Ian
Boutin discussed another example of ransomware in the blog post “Nymaim – Obfuscation Chronicles”.
The downloaded file was executed once escalated privileges were
achieved to SYSTEM. The Win64/Vabushky installer uses the trick with a
self-generated legitimate certificate and the following installation to
the local trust store as a ROOT CA and TrustedPublisher. The following
code shows this technique:
This trick is not new and was mentioned in the blog post “The “Hikit” Rootkit: Advanced and Persistent Attack” by Mandiant. Also, during the installation process modifications are made to Boot Configuration Data (BCD) so as to activate test-signing policy for loading the unsigned driver module. The next figure presents registry keys with system configuration to allow the malicious driver to load (safeboot with various options is covered too):
The next steps are to install the malicious driver for locking the system and displaying a demonstration screen with the picture downloaded from the following URL’s, hardcoded into malicious code:
The
user-mode part of Win64/Vabushky also encrypts the user’s files using
the Microsoft CryptoAPI and uses the .crypted file extension for
encrypted files. The driver code uses standard tricks for locking that
don’t merit further discussion in this blog.
Conclusion
The Win64/Vabushky dropper uses an interesting modification
to the PowerLoader code. However the PowerLoader modifications are
based on leaked LPE exploits for 64-bit operating systems from Carberp
code. All modules and components dropped by Win64/Vabushky target x64
versions of Microsoft Windows. Only one exploit, CVE-2013-3660, can
attack MS Windows 8. However the exploitation code does not work for the
64-bit version of Windows 8 because it can’t bypass Intel SMEP
technology. Microsoft is implementing better kernel-mode protection on
Windows 8, making x64 exploits for this operating system more expensive.
These security mechanisms can be bypassed in such cases with targeted
attacks but this adds up to an expensive exploitation technique for
run-of-the-mill cybercriminals.
Special thanks to R136a1 who reported the new modification of PowerLoader.
Aleksandr Matrosov, Security Intelligence Team Lead
SHA1 hashes for analyzed samples:
Win64/Vabushky.A (dropper) – 110e23ce497d6cd1fd3dc570e50cd701c612b7ba
Win64/Vabushky.A (driver installer) – 62a53ff68d1c862c9c68fb577b06fa261ef573e4
Win64/Vabushky.A (driver) – 9434792df305f59a7b9deb99dd8b2617942513b0
Author Aleksandr Matrosov,
No comments:
Post a Comment