Trojan.Win32.Platinum.gen MVID-2022-0657 Code Execution

Direct link to the sample's VirusTotal analysis: https://www.virustotal.com/it/file/d01b30b8d7f0982dbe4a47c73cac0c7ddb9f2d942784a8fc3c505934f93b23b4/analysis/1378762624/
This is not the first time a piece of malware has carried a code execution vulnerability. The root cause here is that the malware cannot run in a sandbox environment.
The fix for this vulnerability is to build the malware with an anti-sandbox mechanism.
An anti-sandbox mechanism can be implemented in several ways; here are some examples.
1. If the malware calls CreateProcess(), it does not run when process creation fails. That makes it hard to execute the malware in a sandbox environment.
2. If the malware calls ShellExecute(), it does not run when ShellExecute() fails. Again, that makes it hard to execute the malware in a sandbox environment.
3. If the malware calls CreateFileMapping() or MapViewOfFile(), it does not run when the mapping cannot be created or the view cannot be mapped. That makes it hard to run the malware in a sandbox environment.
4. If the malware calls VirtualAllocEx() or VirtualProtectEx(), it does not run when the allocation or the protection change fails. That makes it hard to run the malware in a sandbox environment.
You can clearly see that the sample's code is very easy to sandbox.
Figure 6. Code execution vulnerability (screenshot not reproduced)
Figures 7 to 23. Code execution anomaly (screenshots not reproduced)
Impact
The malware can infect a local server only if Windows Firewall is off; with Windows Firewall turned on it cannot infect the local server.
The malware can infect a local server if the server's IP address is one of the default gateways.
The malware can infect a workstation if the local server's IP address is in the same network as the workstation.
The malware can infect a server separately and independently; it does not need a workstation in the local network in order to infect a server.
The malware cannot infect a server that is not in the same network as any workstation in the local network.
The malware can spread further in the local network if it is able to communicate with the Internet.
The malware can spread through removable USB devices.
The malware can be hijacked and controlled by a remote attacker.
Recommendations
We are happy to report that our customer had their Windows servers patched and the malware files deleted.
The malware can be detected by the following YARA rules.
This blog post was created by Sima Ashay from the Honeynet Project.