While it can be difficult to attribute exploit packs in many cases, I believe it’s safe to say that there are a few made by Chinese authors. Their style can be seen across packs, from the script used for traffic analysis to the variable names and methods. Chinese packs are different, but they arguably still fit the definition of an exploit pack.
Here are two packs found in the wild recently — both were targeting Chinese users.
Exploit Pack #1
I noticed this pack last year and it has been appearing here and there. Here’s a screenshot of this pack’s contents:
The exploit used is IEPeers (CVE-2010-0806) and if successful, executes the “000.exe” program which is a virus. Based on the first screenshot, you can see that CUTE-IE.html was requested 26,791 times with 000.exe loaded 2,833 times. If the numbers are correct then “Cute Pack” has an effectiveness of ~10.5%, not too shabby considering that it’s just one exploit.
I have to wonder why IEPeers is used since it only affects IE 6 and 7 (as opposed to using CVE-2011-1260). I haven’t seen recent browser statistics from China but it’s probable that a lot of users there still use older versions of Windows and IE. Why change if it’s not broken, I suppose?
Here are the VirusTotal results of the payloads:
Results: 37/43 (86.0%)
Results: 40/43 (93.0%)
Results: 40/43 (93.0%)
Exploit Pack #2
This pack starts off with an HTML file called “yg.htm” (let’s call this one the “Yang Pack” based off its filename).
You can see that it calls up three iframes and avoids repeat infections. Each of these iframed HTML pages delivers an exploit or two: one for IE, two for Flash, and one for Java.
The exploit for IE is again IEPeers. Nothing spectacular to report here, but it’s the next three exploits that show “Yang Pack’s” potential.
Let’s deobfuscate the script by replacing “document.write” with “alert”.
This indicates a Java applet is being called up and the value of “nburl” passed to it (nburl is the URL of the payload). Let’s decompile the applet. Wow, it’s using the latest Java exploit, Java Rhino.
The third iframed HTML file is called “t.htm”. It does a plug-in check and depending on the Flash version, you get one of two SWF files that contain an exploit.
Let’s decompile the first SWF file. This shows the Flash exploit code for CVE-2011-2110. (Note that the code looks nearly identical to the one analyzed here but VirusTotal shows it as a dropper).
Now let’s have a look at the second SWF file. We’ve seen this before in another Chinese pack. This is exploit code for CVE-2011-2140. The variable “_local6” contains hexcode for another SWF file that downloads and opens an AVI file. The variable below it, “_local7”, is shellcode for the payload.
Here’s the decompiled code for the embedded Flash file.
To summarize, “Yang Pack” only has four exploits, but it’s pretty potent:
* IEPeers (CVE-2010-0806)
* Flash 10.3.181.x (CVE-2011-2110)
* Flash 10.3.183.x (CVE-2011-2140)
* Java Rhino (CVE-2011-3544)
And here are the results from VirusTotal:
Results: 32/42 (76.2%)