February 2009 - SafeNet - The Data Protection Company


eSafe Overview

Aladdin.com

eSafe - Attack Intelligence™ Research Center

NUKE SPLOITS P4CK

February 2009

CONTENT SECURITY

Table of Contents

1. Introduction
2. Threat Analysis
3. Conclusion
4. About the Attack Intelligence Research Center
5. About Aladdin


1. Introduction

In this month’s threat report, we investigate an exploitation kit discovered and tracked through our AID (Attack Intelligence Datacenter) system. This attack was discovered when an entry in our AID, named JS.Shellcode.b, caught our attention. About 80 versions of this malicious JavaScript were discovered, all serving the same URL: hxxp://white[REMOVED].cn/sv/index.php.


IMAGE 1: AID SHOWING THE DETECTED MALICIOUS CODE

2. Threat Analysis

The AIRC team was able to access the exploitation kit’s monitoring system, called “NUKE SPLOITS P4CK”, located at hxxp://white[REMOVED].cn/sv/admin.php.

The following screenshots were taken from the exploitation kit’s monitoring system:

IMAGE 2: NUKE EXPLOITS P4CK SUMMARY PAGE

IMAGE 3: NUKE EXPLOITS P4CK – STATISTICS BY USERAGENT


The exploitation toolkit includes the standard reporting and statistics expected of all modern toolkits, which enable the operator to track the efficiency of the malicious code delivery, run statistics on the geographical origin of the victims, and determine which operating systems and browsers are used most commonly. This is in line with the “ROI” (return on investment) requirements that eCrime operations have come to apply these days.

This exploitation kit has an impressive infection rate: about 20% of visitors to the malicious website were infected with the Trojan downloaded by the exploitation kit after it successfully exploited a vulnerable system.

IMAGE 4: NUKE EXPLOITS P4CK – STATISTICS BY COUNTRY

Based on the decrypted script, it is apparent that it is trying to exploit vulnerabilities in various components:

1. Microsoft Data Access Components
2. Windows Media Encoder
3. Adobe Reader (PDF)

Why are multiple versions of the same script visible in AID? This is because the exploit kit generates a new copy of the script for each user request to hxxp://w[REMOVED]biz.cn/sv/index.php. In fact, all copies (versions) are the same, and the only difference between them is the value of the “fname” variable. For example:

    var fname= '6864237faa7b8f2a1ae812f1b1e37ea3.exe';
    var fname= 'bf24b6462ca92e8157bf633416dbcc51.exe';
    var fname= '3c81af8a932f7a30d893ebd750ec0063.exe';

fname is the filename used by the MicrosoftDataAccessComponents function as the destination filename [x.SaveTofile(fname,2)].

The end-script generated by the kit is encrypted. Following is a snippet of the script after having been decrypted:

IMAGE 5: SOURCE CODE FOR THE MALICIOUS SCRIPT
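Because the kit's ~80 copies differ only in the fname value, a defender can collapse them into one family by normalizing that value before hashing. The following is an added example and is not code from the report or from the kit; the script skeleton is constructed (the exploit function bodies are deliberately omitted) and only the three fname values are taken from the report. The regex, the placeholder token and the SHA-256 family id are choices made for this example.

```python
import hashlib
import re

# The only line that differs between copies of the kit's script is the
# per-request "fname" value: 32 hex characters followed by ".exe".
FNAME_RE = re.compile(r"var\s+fname\s*=\s*'([0-9a-fA-F]{32}\.exe)'")


def normalize_script(src: str) -> str:
    """Replace the per-request fname value with a fixed placeholder so that
    every copy of the same script normalizes to identical text."""
    return FNAME_RE.sub("var fname='<FNAME>'", src)


def family_id(src: str) -> str:
    """Stable identifier for a script family: SHA-256 of the normalized text."""
    return hashlib.sha256(normalize_script(src).encode("utf-8")).hexdigest()


def extract_fname(src: str):
    """Return the fname value of one copy, or None if the line is absent."""
    m = FNAME_RE.search(src)
    return m.group(1) if m else None


def cluster_scripts(samples):
    """Group raw script texts by family id; each value lists the fnames seen."""
    clusters = {}
    for src in samples:
        clusters.setdefault(family_id(src), []).append(extract_fname(src))
    return clusters


# Constructed samples modelled on the report: one skeleton (the real exploit
# bodies are omitted) in which only the fname value changes. The three fname
# values are the ones quoted in the report.
SKELETON = (
    "var fname= '{fname}';\n"
    "function MicrosoftDataAccessComponents(){{ /* body omitted */ }}\n"
    "function WindowsMediaEncoder(){{ /* body omitted */ }}\n"
    "function AdobeReader(){{ /* body omitted */ }}\n"
)
SAMPLES = [
    SKELETON.format(fname="6864237faa7b8f2a1ae812f1b1e37ea3.exe"),
    SKELETON.format(fname="bf24b6462ca92e8157bf633416dbcc51.exe"),
    SKELETON.format(fname="3c81af8a932f7a30d893ebd750ec0063.exe"),
    # An unrelated constructed script that must land in its own cluster.
    "var fname= 'ffffffffffffffffffffffffffffffff.exe';\nfunction Other(){ }\n",
]

if __name__ == "__main__":
    for fid, names in cluster_scripts(SAMPLES).items():
        print(fid[:16], len(names), "copies:", names)
```

Running the block groups the three report-derived copies under one family id and leaves the unrelated script in a second cluster, which is the effect one wants in a tracking system such as AID: one signature for the family, with the per-request fnames kept as observations rather than as separate detections.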

Once the executable file is downloaded and activated, it connects to:

http://213.[REMOVED].32/fine/controller.php?action=bot&entity_list=&uid=7&first=1&guid=1617045269&rnd=758689

It then posts the bot id, operating system version, system language, and country to the following server: 89.[REMOVED].252.
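The check-in URL above gives a defender something to match on in outbound proxy logs even though the C&C address is redacted and would change anyway: the controller.php path together with the action=bot, uid, first, guid and rnd parameters. The following is an added example, not code from the report. The log line format, the client addresses and the 203.0.113.32 placeholder standing in for the redacted C&C host are constructed; treating that exact parameter set as the kit's check-in signature is an assumption drawn from the single URL the report shows.

```python
from urllib.parse import parse_qs, urlsplit

# Query parameters present in the report's check-in URL. Using this set as a
# signature is an assumption for this example (only one URL is documented).
REQUIRED_PARAMS = {"action", "uid", "first", "guid", "rnd"}


def is_bot_checkin(url: str) -> bool:
    """True if the URL looks like the controller.php bot check-in."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/controller.php"):
        return False
    # keep_blank_values so the empty entity_list= parameter is still parsed
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action") != ["bot"]:
        return False
    return REQUIRED_PARAMS.issubset(qs)


def parse_proxy_line(line: str) -> dict:
    """Parse one constructed proxy log line: '<ts> <client> <method> <url> <status>'."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def find_checkins(lines):
    """Return (client, guid) pairs for log lines matching the check-in pattern."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if is_bot_checkin(rec["url"]):
            guid = parse_qs(urlsplit(rec["url"]).query).get("guid", [""])[0]
            hits.append((rec["client"], guid))
    return hits


# Constructed log lines. The first URL reproduces the report's check-in with a
# placeholder host; the third is a benign controller.php that must not match.
SAMPLE_LOG = """\
2009-02-10T10:00:01Z 10.0.0.15 GET http://203.0.113.32/fine/controller.php?action=bot&entity_list=&uid=7&first=1&guid=1617045269&rnd=758689 200
2009-02-10T10:00:02Z 10.0.0.15 GET http://www.example.com/index.html 200
2009-02-10T10:00:03Z 10.0.0.22 GET http://www.example.com/app/controller.php?action=list&page=2 200
2009-02-10T10:05:01Z 10.0.0.31 GET http://203.0.113.32/fine/controller.php?action=bot&entity_list=&uid=7&first=0&guid=99887766&rnd=12345 200
"""

if __name__ == "__main__":
    for client, guid in find_checkins(SAMPLE_LOG.splitlines()):
        print(f"possible bot check-in from {client} (guid={guid})")
```

The guid is extracted because it identifies the infected host to the C&C and so lets the analyst count distinct bots rather than requests; the rnd parameter is ignored for the same reason, since it changes on every check-in.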


IMAGE 6: TCP STREAM…

IMAGE 7: ADDITIONAL TCP COMMUNICATION


At this stage, an HTTP GET request is sent to http://af9[REMOVED]095.com. The returned data includes various commands that the bot has to execute; one of these commands is to download and execute the following file: hxxp://s[REMOVED]er.com/71712.exe

After a while, the following changes are made to the system:

A rootkit is run: c:\windows\system32\drivers\hdrmjssvrkw.sys
msauc.exe appears in c:\windows
crypts.dll, digeste.dll, shell31.dll and wpv[some random number].cpx appear in System32

The AIRC team succeeded in accessing the C&C system, and grabbed the list of bots for all six botnets. These botnets are currently utilized for spamming purposes.

At the time of writing this document, we took another look at the botnets’ statistics and discovered that one of them had already harvested 149015 infected machines, as can be seen in the examples that follow.

IMAGE 8: GLOBAL STATISTICS FOR ONE OF THE BOTNETS CONTROLLED

BY NUKE SPLOITS P4CK


4. About the Attack Intelligence™ Research Center

The Aladdin Attack Intelligence Research Center (AIRC) is a premier facility for internet threat detection and cybercrime investigation. The mission of AIRC is to deliver security research and intelligence that educates, supports and strengthens the security community, and drives innovation in Aladdin’s content security solutions. Based in Tel Aviv, AIRC is comprised of global security researchers and law enforcement and cybercrime specialists dedicated to finding and eradicating internet threats that compromise legitimate business safety. AIRC goes beyond traditional threat detection to provide business intelligence around evolving threats, predict future trends in internet security, and uncover the inner workings and effects of the business of eCrime. For more information, visit www.Aladdin.com/AIRC.

5. About Aladdin

Aladdin Knowledge Systems (NASDAQ: ALDN) is an information security leader with offices in 15 countries, a worldwide network of channel partners, and numerous awards for innovation. Aladdin eToken is the world’s #1 USB-based authentication solution, offering identity and access management tools that protect sensitive data. Aladdin SafeWord two-factor authentication technology protects companies’ important information assets and applications. Aladdin HASP SRM boosts growth for software developers and publishers through strong anti-piracy protection, IP protection, and secure licensing and product activation. Aladdin eSafe delivers real-time intelligent Web gateway security that helps protect data and networks, improves productivity, and enables compliance. Visit www.Aladdin.com

3. Conclusion

There were no “surprises” in terms of the techniques that were used to exploit victim systems in this incident. Nevertheless, the analysis does show, once again, how the basic elements of eCrime persist over time and make the business model upon which eCrime operates a viable one.

Adding AID to the arsenal of eCrime tracking systems and using it to provide alerts on ongoing as well as upcoming attack campaigns is a major step towards enabling improved security for organizations, as well as for the security industry in general. Tools such as AID provide vendors and customers with a roadmap for building adequate protection schemes that are more than just reactive systems for recognized threats. As attacks are planned and conceived by eCriminals, the infrastructure for launching them – from both a technological and a business aspect – has to be in place; identifying these preparations and processes is imperative in dealing with imminent attacks and stopping them before they are carried out.

For more contact information, visit: www.Aladdin.com/contact


© 2008 Aladdin Knowledge Systems, Ltd. All rights reserved. Aladdin is a registered trademark of Aladdin Knowledge Systems, Ltd. All other names are trademarks or registered trademarks of their respective owners.

North America: +1-847-818-3800 • International: +972-3-978-1111 • UK: +44-1753-622-266

Germany: +49-89-89-4221-0 • France: +33-1-41-37-70-30 • Benelux: +31-30-688-0800

Spain: +34-91-375-99-00 • Italy: +39-035-697080 • Portugal: +351 21 412 36 60

Sweden: +46(0)8-588-370-40 • Israel: +972-3-978-1111 • India: +91-22-67955943

China: +86-21-63847800 • Japan: +81-426-607-191 • Mexico: +52-55-4159-9733