Tuesday, December 6, 2011

MS Word Document (CVE-2010-3333) Exploit

A week ago, while checking for new email, I received a message with an MS Word document attached, and it landed in my inbox rather than the spam folder. That made me curious to find out what it was, so let's take a closer look. I renamed the Word document to 'gigi.doc'. The .doc file is about 160,192 bytes long.

Despite the .doc extension, the file is actually Rich Text Format (RTF), with its binary payload stored as hex text. Inside it we can see a long slide of 0x41 bytes, and the actual shellcode sits at the end of that slide. Below is the location of the exploit code in hex:


Converting the hex back to binary reveals some interesting strings. I'm not sure why it tries to run ping against localhost. Once the malicious .doc is opened, it drops a file named csrss.exe (MD5 921C724CCB04B9F672B294FFFF83CE7B), executes it, and then renames it to 'winword.exe'. It then launches cmd.exe to ping 127.0.0.1 with a 1-byte payload. Finally, the malware opens a clean Word document as a decoy.
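To reproduce the triage described above (confirm that the .doc is really RTF, pull the hex-encoded blob out of it, find the 0x41 slide and read the strings that follow it), here is an added Python example. It is not part of the original post and is not taken from gigi.doc: the RTF wrapper, the 256-byte slide and the strings in SAMPLE_PAYLOAD are constructed for the example, and the 0x41/32-byte sled threshold and 64-pair hex-run minimum are assumptions you would tune per sample.

```python
import re
from typing import Dict, List, Optional, Tuple

RTF_MAGIC = b"{\\rtf"
# A run of at least 64 hex byte-pairs, whitespace between pairs allowed because RTF
# stores embedded binary as hex text and often line-wraps it. The lookbehind stops the
# run from starting in the middle of a control word such as \wmetafile8.
HEX_RUN = re.compile(rb"(?<![0-9A-Za-z])(?:[0-9a-fA-F]{2}\s*){64,}")


def is_rtf(data: bytes) -> bool:
    """True when the file body starts with the RTF header, whatever the extension says."""
    return data.lstrip().startswith(RTF_MAGIC)


def extract_hex_blobs(rtf: bytes) -> List[Tuple[int, bytes]]:
    """Return (file offset, decoded bytes) for every long hex-text run in the RTF."""
    blobs = []
    for m in HEX_RUN.finditer(rtf):
        hex_text = re.sub(rb"\s", b"", m.group())
        blobs.append((m.start(), bytes.fromhex(hex_text.decode("ascii"))))
    return blobs


def find_sled(data: bytes, byte: int = 0x41, min_len: int = 32) -> Optional[Tuple[int, int]]:
    """Locate the longest run of `byte` (0x41 'A' by default); returns (offset, length)."""
    best = None
    for m in re.finditer(re.escape(bytes([byte])) + b"{%d,}" % min_len, data):
        if best is None or len(m.group()) > best[1]:
            best = (m.start(), len(m.group()))
    return best


def ascii_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Printable ASCII strings of at least min_len characters, like the `strings` tool."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(rtf: bytes) -> Dict:
    """Decode every hex blob, find the 0x41 slide in it and list the strings after the slide."""
    report = {"is_rtf": is_rtf(rtf), "blobs": []}
    for offset, data in extract_hex_blobs(rtf):
        sled = find_sled(data)
        entry = {"hex_offset": offset, "decoded_len": len(data), "sled": sled, "strings": []}
        if sled is not None:
            payload_start = sled[0] + sled[1]
            entry["strings"] = ascii_strings(data[payload_start:])
        report["blobs"].append(entry)
    return report


# Constructed sample (not gigi.doc): an RTF wrapper around a hex-encoded blob made of a
# 256-byte 0x41 slide, a few stand-in shellcode bytes and the kind of strings the post describes.
SAMPLE_PAYLOAD = (
    b"A" * 256
    + b"\x90\x90\xcc"
    + b"cmd.exe /c ping 127.0.0.1 -l 1\x00"
    + b"csrss.exe\x00winword.exe\x00"
)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}\n"
    b"{\\pict\\wmetafile8 " + SAMPLE_PAYLOAD.hex().encode("ascii") + b"}\n"
    b"\\par decoy text\\par}\n"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RTF), indent=2))
```

The sled offset is relative to the decoded blob, not to the file; `hex_offset` tells you where in the RTF the hex text begins so you can cross-reference a hex editor view. This locates the payload but does not identify the vulnerable RTF construct that triggers it; for that you still need to read the control words around the blob.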

The running csrss.exe creates Update.bat in the user's Start Menu Startup folder with the following content:

Echo off
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe" /f
del %%0

The batch file adds an autostart entry to the user's registry hive (the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, which Windows processes at logon) pointing at csrss.exe in the user's temporary folder, and then deletes itself. Because the entry lives under HKCU, no administrator rights are needed for this persistence.
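As an added example (not from the post), here is a small Python scanner that parses REG ADD commands in a dropped batch file, flags writes to well-known autostart locations (the HKCU\...\Windows NT\CurrentVersion\Windows Load value among them), notes when the launched image borrows a core Windows process name outside System32 or lives in a temp directory, and catches the `del %0` self-deletion. The Update.bat content is the one shown above; the benign REG ADD line and the list of autostart keys and process names are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Well-known autostart (ASEP) locations, hive stripped and lower-cased. None means any
# value name under the key starts something; a set restricts it to the named values.
AUTOSTART_KEYS = {
    r"software\microsoft\windows\currentversion\run": None,
    r"software\microsoft\windows\currentversion\runonce": None,
    r"software\microsoft\windows nt\currentversion\windows": {"load", "run"},
    r"software\microsoft\windows nt\currentversion\winlogon": {"shell", "userinit"},
}
# Core Windows process names that malware likes to borrow (csrss.exe in the post).
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe", "svchost.exe"}

REG_ADD = re.compile(r'^\s*reg\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<opts>.*)$', re.IGNORECASE)
REG_OPT = re.compile(r'/(?P<opt>[vtd])\s+(?:"(?P<qval>[^"]*)"|(?P<val>\S+))', re.IGNORECASE)
# `del %0` deletes the running script; `%%0` is how it appears when written via a format string.
SELF_DELETE = re.compile(r'^\s*del\s+(?:/\S+\s+)*%{1,2}0\b', re.IGNORECASE)


def parse_reg_add(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse `REG ADD <key> /v <name> /t <type> /d <data> [/f]` into its parts."""
    m = REG_ADD.match(line)
    if not m:
        return None
    entry = {"key": m.group("qkey") or m.group("key"), "value": None, "type": None, "data": None}
    for opt in REG_OPT.finditer(m.group("opts")):
        val = opt.group("qval") if opt.group("qval") is not None else opt.group("val")
        entry[{"v": "value", "t": "type", "d": "data"}[opt.group("opt").lower()]] = val
    return entry


def is_autostart(entry: Dict[str, Optional[str]]) -> bool:
    """True when the key (and value name, where it matters) is a known autostart location."""
    parts = entry["key"].split("\\", 1)  # drop the hive (HKCU, HKLM, HKEY_...)
    if len(parts) != 2:
        return False
    path = parts[1].lower().rstrip("\\")
    if path not in AUTOSTART_KEYS:
        return False
    allowed = AUTOSTART_KEYS[path]
    return allowed is None or (entry["value"] or "").lower() in allowed


def image_notes(path: str) -> List[str]:
    """Red flags about the image the autostart entry launches."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    notes = []
    if name in SYSTEM_BINARY_NAMES and "\\system32\\" not in p:
        notes.append(f"{name} outside System32 (name masquerading)")
    if "\\temp\\" in p or "\\tmp\\" in p:
        notes.append("image lives in a temp directory")
    return notes


def scan_batch(text: str) -> List[Dict]:
    """Walk a batch file line by line and collect persistence and self-deletion findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_reg_add(line)
        if entry and is_autostart(entry):
            findings.append({"line": lineno, "kind": "autostart", "key": entry["key"],
                             "value": entry["value"], "data": entry["data"],
                             "notes": image_notes(entry["data"] or "")})
        elif SELF_DELETE.match(line):
            findings.append({"line": lineno, "kind": "self-delete", "key": None,
                             "value": None, "data": None, "notes": []})
    return findings


# The Update.bat content from the post, plus a constructed benign REG ADD for contrast.
UPDATE_BAT = (
    "Echo off\n"
    'REG ADD "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" /v Load /t REG_SZ '
    '/d "C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\csrss.exe" /f\n'
    "del %%0\n"
)
BENIGN_BAT = 'REG ADD "HKCU\\Software\\Contoso\\Tool" /v Theme /t REG_SZ /d dark /f\n'

if __name__ == "__main__":
    for finding in scan_batch(UPDATE_BAT):
        print(finding)
```

The same autostart table can be applied to a live registry export or to Autoruns output; the point of keying on the value name for the Windows NT\CurrentVersion\Windows key is that other values under it are ordinary settings and would otherwise produce noise.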


The packet capture shows the malicious file sending POST requests to the following URLs:
http://ymhz1.dyndns.biz:8080/
http://2011fm.dyndns.org:8080/
IP Address: 114.248.90.120

The IP address is located in China and was still active at the time of writing. csrss.exe stays resident in memory, sleeping for 60 seconds between each check-in to the URLs above.
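To turn that 60-second check-in into something a SOC can hunt for, here is an added Python example (not from the post) that groups web requests per client and destination, measures the gaps between them and flags series whose timing is too regular to be a person browsing. The proxy-style log lines are constructed for this example; only the two dyndns hostnames come from the post, and the thresholds (at least four hits, coefficient of variation at most 0.05) are assumptions.

```python
import statistics
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy-style log lines: timestamp, client, method, host:port, path, status.
# The ymhz1/2011fm hostnames are from the post; timestamps and browsing noise are made up.
SAMPLE_LOG = """\
2011-12-06T10:00:00 192.168.1.23 POST ymhz1.dyndns.biz:8080 / 200
2011-12-06T10:00:07 192.168.1.23 GET www.example.com:80 /index.html 200
2011-12-06T10:00:09 192.168.1.23 GET www.example.com:80 /style.css 200
2011-12-06T10:01:00 192.168.1.23 POST ymhz1.dyndns.biz:8080 / 200
2011-12-06T10:01:30 192.168.1.23 POST 2011fm.dyndns.org:8080 / 200
2011-12-06T10:02:01 192.168.1.23 POST ymhz1.dyndns.biz:8080 / 200
2011-12-06T10:02:45 192.168.1.23 GET www.example.com:80 /news 200
2011-12-06T10:03:01 192.168.1.23 POST ymhz1.dyndns.biz:8080 / 200
2011-12-06T10:03:40 192.168.1.23 POST 2011fm.dyndns.org:8080 / 200
2011-12-06T10:04:01 192.168.1.23 POST ymhz1.dyndns.biz:8080 / 200
2011-12-06T10:09:50 192.168.1.23 GET www.example.com:80 /about 200
"""


def parse_log(text: str) -> List[Dict]:
    """Split each log line into a dict with a real datetime for the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, hostport, path, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "host": hostport, "path": path, "status": status})
    return events


def beacon_candidates(events: List[Dict], min_hits: int = 4,
                      max_cv: float = 0.05) -> Dict[Tuple[str, str], Dict]:
    """Flag (client, host) pairs whose request gaps are near-constant.

    cv is the population standard deviation of the gaps divided by their mean; a sleep(60)
    loop gives gaps of 60s plus a little network jitter, so cv stays close to zero, while
    human browsing produces wildly uneven gaps. min_hits matters because a single gap
    (two requests) always has cv == 0 and would otherwise look perfectly regular.
    """
    series: Dict[Tuple[str, str], List[datetime]] = {}
    for e in events:
        series.setdefault((e["client"], e["host"]), []).append(e["ts"])
    result = {}
    for key, times in series.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            result[key] = {"hits": len(times), "mean_interval": mean, "cv": cv}
    return result


if __name__ == "__main__":
    for (client, host), info in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {info['hits']} hits every ~{info['mean_interval']:.1f}s (cv={info['cv']:.3f})")
```

On the constructed log only the ymhz1.dyndns.biz:8080 series is flagged (five hits about 60 seconds apart); the 2011fm host has too few hits and the browsing to www.example.com is far too irregular. Combine this with the other indicators above (non-standard port, dynamic DNS host, POST with an empty path) before raising an alert, since some legitimate software also polls on a fixed timer.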

Note: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333
