ZeroAccess Trojan: Custom Local Privilege Exploit (LPE) Analysis: CVE-2015-1701

5/25/2016

Reference: https://www.virustotal.com/en/file/1f8c42caeacb44f2a738ee2104457220eca6d7a7416f953d01bc716a63b3db8d/analysis/

Objective:

Analyze the ZeroAccess trojan custom local privilege exploit (LPE) related to CVE-2015-1701.

CVE-2015-1701:

Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."

LPE Implementation and Functionality:

Registers a vectored exception handler and setts a hardware breakpoint on a specific function. When this function is then called, the exception handler jumps in and continues the execution.
The hardware breakpoint is set on KiUserExceptionDispatcher.
Loads UxTheme.dll via LoadLibraryA, detected by Kernel API Logger.
Prints MessageBoxA with "Error" and "User32."

Additional Analysis:

File: exploit_1f8c42caeacb44f2a738ee2104457220eca6d7a7416f953d01bc716a63b3db8d
Size: 24064 Bytes
MD5: B5DADAAF9C8FEDF84542DD69C9776B04

Dumped Process:

File: exploit_1f8c42caeacb44f2a738ee2104457220eca6d7a7416f953d01bc716a63b3db8d_dmp.exe_
MD5: 2b6f803b5ade6eb0b0b960782640765c
Size: 40962 Bytes

PDB Path:

d:\ZZZ\release\ui.pdb

Kernel31 Api Log:
--------------------------------------------------
***** Installing Hooks *****
71ab74df RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)
71ab80c4 RegOpenKeyExA (Protocol_Catalog9)
71ab2623 WaitForSingleObject(794,0)
71ab87c6 RegOpenKeyExA (NameSpace_Catalog5)
71ab835b RegOpenKeyExA (Catalog_Entries)
71ab2623 WaitForSingleObject(78c,0)
71aa1af2 RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)
71aa198e GlobalAlloc()
7c80b719 ExitThread()
5ad8bdf9 GetCurrentProcessId()=3644
5ad7a0e2 IsDebuggerPresent()
773d3faf LoadLibraryA(UxTheme.dll)=5ad70000
773ea4a1 GetCurrentProcessId()=3644

Yara Signature:

/* Global Rule -------------------------------------------------------------- */
/* Will be evaluated first, speeds up scanning process, remove at will */

global private rule gen_characteristics {
   condition:
       ( uint16(0) == 0x5a4d or uint16(0) == 0x0000 ) and filesize < 70KB
}

/* Rule Set ----------------------------------------------------------------- */

rule crime_zeroaccess_lpe_win
{
   meta:
       description = "Detects the ZeroAccess trojan local privilege exploit realted to CVE-2015-1701"
       author = "Vitali Kremez"
       reference = "https://www.virustotal.com/en/file/1f8c42caeacb44f2a738ee2104457220eca6d7a7416f953d01bc716a63b3db8d/analysis/"
       date = "2016-05-23"
       md5 = "b5dadaaf9c8fedf84542dd69c9776b04"

   strings:
       $s0 = "<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyTok" ascii
       $s1 = "\\KnownDlls\\user32.dll" fullword wide
       $s2 = "\\KnownDlls\\kernel32.dll" fullword wide
       $s3 = "<requestedExecutionLevel level='asInvoker' uiAccess=\"false\"/>" fullword ascii
       $s4 = "d:\\ZZZ\\release\\ui.pdb" fullword ascii
       $s5 = "%p->VirtualProtect([%p, %p) %08X, %s)" fullword ascii
       $s6 = "%p->VirtualAlloc(%p, %08X)" fullword ascii
       $s7 = "%p SSL_SetURL(%s)=%p" fullword ascii
       $s8 = "@Microsoft Unified Security Protocol Provider" fullword wide
       $s9 = "rrrrtm" fullword ascii
       $s10 = "ddddtt" fullword ascii
       $s11 = "%p %s=%p" fullword ascii
       $s12 = "AQAPRQH" fullword ascii
       $s13 = "6\"60696G6P6^6g6u6~6" fullword ascii

       $op0 = { 3b 58 34 74 0c bf 03 00 00 40 eb 05 bf 01 00 00 } /* Opcode */
       $op1 = { c3 e9 3a 05 00 00 48 8d 05 01 } /* Opcode */
       $op2 = { 8b 45 fc ff 70 10 68 72 72 72 72 8b 4d fc e8 9c } /* Opcode */

condition:
       uint16(0) == 0x5a4d and filesize < 70KB and all of ($s*) and 1 of ($op*)
}

0 Comments

ZeroAccess Trojan: Custom Local Privilege Exploit (LPE) Analysis: CVE-2015-1701

Leave a Reply.

Author

Archives

Categories