eSafe Overview
Aladdin.com
eSafe - Attack Intelligence™ Research Center
NUKE SPLOITS P4CK
February 2009
CONTENT SECURITY
Table of Contents
1. Introduction
2. Threat Analysis
3. Conclusion
4. About the Attack Intelligence Research Center
5. About Aladdin
1. Introduction
In this month’s threat report, we investigate an exploitation kit discovered and tracked through our AID
(Attack Intelligence Datacenter) system. The attack came to light when an entry in our AID, named
JS.Shellcode.b, caught our attention. About 80 versions of this malicious JavaScript were discovered, all
served from the same URL: hxxp://white[REMOVED].cn/sv/index.php.
IMAGE 1: AID SHOWING THE DETECTED MALICIOUS CODE
2. Threat Analysis
The AIRC team was able to access the exploitation kit’s monitoring system, called “NUKE SPLOITS P4CK”,
located at hxxp://white[REMOVED].cn/sv/admin.php.
The following screenshots were taken from the exploitation kit’s monitoring system:
IMAGE 2: NUKE EXPLOITS P4CK SUMMARY PAGE
IMAGE 3: NUKE EXPLOITS P4CK – STATISTICS BY USERAGENT
The exploitation toolkit includes the standard reporting and statistics expected of all modern toolkits, which
let the operator track the efficiency of the malicious code delivery, run statistics on the geographical
origin of the victims, and determine which operating systems and browsers are most common among them. This is
in line with the “ROI” requirements that eCrime has come to expect these days.
This exploitation kit has an impressive infection rate: about 20% of visitors to the malicious website were
infected with the Trojan that the exploit downloads after successfully compromising a vulnerable system.
IMAGE 4: NUKE EXPLOITS P4CK – STATISTICS BY COUNTRY
Based on the decrypted script, it is apparent that it is trying to exploit vulnerabilities in various components:
1. Microsoft Data Access Components
2. Windows Media Encoder
3. Adobe Reader (PDF)
Why are multiple versions of the same script visible in AID? Because the exploit kit generates a new copy
of the script for each request of hxxp://w[REMOVED]biz.cn/sv/index.php. All copies (versions) are otherwise
identical; the only difference between them is the value of the “fname” variable. For example:
var fname='6864237faa7b8f2a1ae812f1b1e37ea3.exe';
var fname='bf24b6462ca92e8157bf633416dbcc51.exe';
var fname='3c81af8a932f7a30d893ebd750ec0063.exe';
fname is the filename that the MicrosoftDataAccessComponents function uses as the destination when it writes
the downloaded payload to disk [x.SaveTofile(fname,2)]; the second argument, 2, tells ADODB.Stream to overwrite
an existing file of that name.
The end-script generated by the kit is encrypted. Following is a snippet of the script after having
been decrypted:
IMAGE 5: SOURCE CODE FOR THE MALICIOUS SCRIPT
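The normalization that lets the roughly 80 per-request copies collapse into a single family, as an added example written for this page (it is neither the kit's code nor AIRC's tooling): the fname variable, the MicrosoftDataAccessComponents function name and the SaveTofile call are the ones the report quotes, while the rest of the sample script body, the clustering functions and the 32-hex-character filename shape (which the three quoted values share) are assumptions of this illustration.

```python
import hashlib
import re

# Constructed samples (not the report's decrypted script): three copies of the
# landing script as AID would record them. Only the fname value differs. The
# function body is a placeholder assumed here, kept to the one call the report cites.
SCRIPT_BODY = "function MicrosoftDataAccessComponents(){x.SaveTofile(fname,2);}"
SAMPLES = [
    "var fname='6864237faa7b8f2a1ae812f1b1e37ea3.exe';" + SCRIPT_BODY,
    "var fname='bf24b6462ca92e8157bf633416dbcc51.exe';" + SCRIPT_BODY,
    "var fname='3c81af8a932f7a30d893ebd750ec0063.exe';" + SCRIPT_BODY,
]
# A benign script that happens to use the same variable name (constructed).
BENIGN = "var fname='report.pdf'; document.title = fname;"

# The filenames the kit hands out are 32 hex characters plus ".exe" (assumption
# drawn from the three values the report shows). Either quote style is accepted.
FNAME_RE = re.compile(r"""var\s+fname\s*=\s*(['"])([0-9a-fA-F]{32}\.exe)\1""")


def extract_fname(script):
    """Return the per-request payload filename, or None if the script has none."""
    m = FNAME_RE.search(script)
    return m.group(2) if m else None


def normalize(script):
    """Replace the per-request filename with a fixed token so every copy the kit
    generates reduces to the same text, and therefore to the same hash."""
    return FNAME_RE.sub("var fname='<FNAME>'", script)


def family_hash(script):
    """Hash of the normalized script: identical across the kit's generated copies."""
    return hashlib.sha256(normalize(script).encode("utf-8")).hexdigest()


def cluster(scripts):
    """Group scripts by family hash; each value is the list of fnames observed."""
    groups = {}
    for s in scripts:
        groups.setdefault(family_hash(s), []).append(extract_fname(s))
    return groups


# ADODB.Stream's SaveToFile is how the MDAC exploit writes its payload to disk.
# COM method names resolve case-insensitively, so the pattern is matched that way.
DROPPER_RE = re.compile(r"\.SaveToFile\s*\(\s*fname\s*,\s*2\s*\)", re.IGNORECASE)


def looks_like_mdac_dropper(script):
    """True if the script saves a stream to the per-request filename with overwrite."""
    return DROPPER_RE.search(script) is not None


if __name__ == "__main__":
    for digest, names in cluster(SAMPLES).items():
        print(digest[:16], len(names), "copies, fnames:", names)
    print("dropper pattern in sample:", looks_like_mdac_dropper(SAMPLES[0]))
```

Hashing the raw script would give one signature per visitor and never match twice; hashing the normalized script gives one signature per kit build, and the collected fname values become the list of payload names to look for on disk.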
Once the executable file is downloaded and run, it connects to:
http://213.[REMOVED].32/fine/controller.php?action=bot&entity_list=&uid=7&first=1&guid=1617045269&rnd=758689
It then posts the bot id, operating system version, system language, and country to the following server:
89.[REMOVED].252.
IMAGE 6: TCP STREAM…
IMAGE 7: ADDITIONAL TCP COMMUNICATION
At this stage, an HTTP GET request is sent to http://af9[REMOVED]095.com.
The returned data includes various commands that the bot has to execute; one of these commands
is to download and execute the following file:
hxxp://s[REMOVED]er.com/71712.exe
After a while, the following changes are made to the system:
A rootkit driver is installed and running: c:\windows\system32\drivers\hdrmjssvrkw.sys
msauc.exe is dropped in c:\windows
crypts.dll, digeste.dll, shell31.dll and wpv[some random number].cpx are dropped in System32
The AIRC team succeeded in accessing the C&C system, and grabbed the list of bots for all six
botnets. These botnets are currently utilized for spamming purposes.
At the time of writing this document, we took another look at the botnets’ statistics and
discovered that one of them had already harvested 149015 infected machines, as can be seen in the
examples that follow.
IMAGE 8: GLOBAL STATISTICS FOR ONE OF THE BOTNETS CONTROLLED
BY NUKE SPLOITS P4CK
3. Conclusion
There were no “surprises” in terms of the techniques used to exploit victim systems in this incident.
Nevertheless, the analysis shows, once again, how the basic elements of eCrime persist over time and keep the
business model on which eCrime operates a viable one.
Adding AID to the arsenal of eCrime tracking systems, and using it to provide alerts on ongoing as well as upcoming
attack campaigns, is a major step towards improved security for organizations and for the security industry in
general. Tools such as AID give vendors and customers a roadmap for building protection schemes that are more
than just reactive systems for already-recognized threats. As attacks are planned and conceived by
eCriminals, the infrastructure for launching them – from both a technological and a business aspect – has to be in place;
identifying these preparations and processes is imperative in dealing with imminent attacks and stopping them before
they are carried out.
4. About the Attack Intelligence™ Research Center
The Aladdin Attack Intelligence Research Center (AIRC) is a premier facility for internet threat detection and cybercrime
investigation. The mission of AIRC is to deliver security research and intelligence that educates, supports and strengthens
the security community, and drives innovation in Aladdin’s content security solutions. Based in Tel Aviv, AIRC is comprised
of global security researchers and law enforcement and cybercrime specialists dedicated to finding and eradicating
internet threats that compromise legitimate business safety. AIRC goes beyond traditional threat detection to provide
business intelligence around evolving threats, predict future trends in internet security, and uncover the inner workings
and effects of the business of eCrime. For more information, visit www.Aladdin.com/AIRC.
5. About Aladdin
Aladdin Knowledge Systems (NASDAQ: ALDN) is an information security leader with offices in 15 countries, a worldwide
network of channel partners, and numerous awards for innovation. Aladdin eToken is the world’s #1 USB-based
authentication solution, offering identity and access management tools that protect sensitive data. Aladdin SafeWord
two-factor authentication technology protects companies’ important information assets and applications. Aladdin HASP
SRM boosts growth for software developers and publishers through strong anti-piracy protection, IP protection, and
secure licensing and product activation. Aladdin eSafe delivers real-time intelligent Web gateway security that helps
protect data and networks, improves productivity, and enables compliance. Visit www.Aladdin.com
For more contact information, visit: www.Aladdin.com/contact
© 2008 Aladdin Knowledge Systems, Ltd. All rights reserved. Aladdin is a registered trademark of Aladdin Knowledge Systems, Ltd. All other names are trademarks or registered trademarks of their respective owners.
North America: +1-847-818-3800 • International: +972-3-978-1111 • UK: +44-1753-622-266
Germany: +49-89-89-4221-0 • France: +33-1-41-37-70-30 • Benelux: +31-30-688-0800
Spain: +34-91-375-99-00 • Italy: +39-035-697080 • Portugal: +351 21 412 36 60
Sweden: +46(0)8-588-370-40 • Israel: +972-3-978-1111 • India: +91-22-67955943
China: +86-21-63847800 • Japan: +81-426-607-191 • Mexico: +52-55-4159-9733