Analyzing CVE 2012-0158
November 02, 2012
On a recent engagement, we encountered a number of malicious documents. Among these, we discovered a mostly undocumented strain of CVE-2012-0158 exploit samples. These tainted files performed the usual exploit of the ListView2 control within the MSCOMCTL.OCX library, however in this case, the container format was a Microsoft Compound File Binary Format of the Word variety. Along with the move to a more complicated and conveniently abusable binary file format, these samples employed a simple XOR/rotate encryption utilizing a 256 byte key instead of the more common single-byte key schemes. With this technique, the malware authors embed two files in the malicious Word containers. The first payload contained is a benign Word document file, complete with content such as plagiarized news articles or other information. The second file is a simple dropper, designed to fetch and launch the next stage of the malware campaign.
This article will detail some steps taken in the analysis of these samples. In addition, we introduce a helpful Python script written to extract the embedded files from samples of this class. So far, the script is able to handle all of the samples encountered in the original engagement, as well as samples collected from multiple sources, including a set of files kindly provided by Mila and ContagioDump. Continued research has revealed that CFB Excel files are now being used to exploit CVE-2012-0158 in the wild; however, we have not yet had a chance to fully analyze these examples.
Initial analysis of the samples was performed in a sandboxed environment. Sandboxie, a sandbox package for Windows, paired with Buster Sandbox Analyzer, can provide a wealth of information about the low-level activities performed during the analysis of a sample. Testing the sample inside a protected environment is also important to limit the effect of any malicious behaviors.
Launch Word via the Sandboxie menus
After loading the sample, successful exploitation will cause the first instance of Word to exit while launching a second instance of Word with an apparently benign document, complete with content. However, the activity behind the scenes will be most interesting.
Sandboxie will contain all file system activities to the directory designated in the configuration. This malicious sample will drop not only the benign document displayed to lower suspicion of an attack, but will also drop the binary file or files used for the second stage of the infection. In this case, both the binary file and the benign document are discovered in the sandboxed file system.
Two files dropped by the malware sample
The files left on the disk are not the only evidence of this malware attack, and in the case of highly advanced malware, file system evidence may not exist at all. Buster Sandbox Analyzer was running for this analysis, and thus provided a detailed log of not only file system behavior but also API calls performed, network traffic (if installed with Winpcap drivers) and other behaviors.
Buster Sandbox Analyzer produces detailed logs of API calls
By searching on the CreateFile API call, it can be seen that the malicious sample writes a file to a disk, while the next few lines detail the transfer of execution to the new file.
- Buster Sandbox Analyzer
Though there are relatively few tools for analyzing Word documents, some static analysis can be performed on the file structure and contents that yield important data. In the case of the sample detailed here, it is simple to detect the presence of the CVE-2012-0158 exploit. It is also possible to find the XOR encryption key used to embed additional files within the sample. The key can then be used to decrypt and extract the embedded files.
Utilizing alternative viewers is a helpful option for analyzing suspicious document formats. In this case, using OpenOffice Writer will show suspicious content in the sample without being vulnerable to the same bugs as Microsoft Word.
Writer shows the string of 1s and ActiveX control
A hex-editor such as Okteta (a KDE project application) will allow a deeper examination of the file structure and contents, showing the string of 1s in addition to a reference to ListView.2, one of the ActiveX controls vulnerable to exploitation.
The name of the ActiveX control is listed within the file structure
The ActiveX control specified here is a vulnerable function, detailed in CVE-2012-0158 and MS12-027, first seen in malware attacks in April 2012. The attacks exploited a bug in the MSCOMCTL.OCX library and affected many Microsoft products including both 32 and 64-bit versions of Office 2010 Suite and Windows 7.
Dynamic analysis showed that, upon exploitation, additional files are dropped onto the target file system. Browsing through the structure of the file in Okteta showed a large section of binary data appended to the end of the Word file.
The start of the encrypted data
Looking further into the file, a pattern is evident in the data. Where the original binary file contained any null bytes (0x00), the bytes of the XOR key are available for recovery.
The repeating key easily visible at the end of the file
With the entirety of the key available, it is relatively simple to decrypt the embedded files using a binary filter within Okteta. It should be noted that this method of extracting a key from the end of the file could result in a misaligned key. Since the encryption of the embedded files is typically performed beginning at the first byte rather than the last, alignment mismatch could result in the incorrect decryption of embedded content. To correct the alignment, it would be possible to find the file header and re-align the key accordingly for the rest of the data. This sample aligns properly, however, and the last full 256 bytes of the file contain the true key.
Data after applying the XOR key
The data looks structurally similar to what might be expected; however, it is still not completely decrypted. Malware authors commonly combine bitwise rotation with XOR operations to make the data slightly harder to recover. After some trial and error, a rotation of 3-bits is able to uncover the encrypted data.
Applying a bitwise rotation reveals the standard Windows executable header
In addition to the executable file, a second file is uncovered in the data. The header of an additional Word document marks the beginning of the benign document that displays to a user upon exploitation.
This byte signature marks the beginning of a Word document
- OpenOffice Writer
- Okteta (part of the KDE desktop tools)
Analysis showed the samples encountered so far fall into two primary families, with all the samples in a family utilizing the same key and rotation parameters, as well as placing the embedded data at the same offsets within the malicious file. This information can be utilized to programmatically decrypt and extract embedded files from samples. Through the process of this research, a script was written to handle this basic extraction. In addition to automatic handling of the known samples, a manual mode and a brute force mode were added, which should be able to handle similar samples. We will further demonstrate and release this tool in a subsequent blog post.
$ python ~/bin/attempt.py /home/emiles/bin/attempt.py -- A Tool To Extract Malware Present Therein Usage: python /home/emiles/bin/attempt.py [-b|--brute] [-r #|--ror #] [-l #|--rol #] [-k #|--key #] [-x|--extract] [-s|--summarize] (file list) -b | --brute ~ enable brute force mode -r # | --ror # ~ specify bitwise rotate right of # bits -l # | --rol # ~ specify bitwise rotate left of # bits -k # | --key # ~ specify XOR key -x | --extract ~ enable extraction of discovered files -s | --summarize ~ summarize results $ python ~/bin/attempt.py -b -s cve-2012-0128-sample.doc found start of encrypted data using key: 00fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0dfdedddcdbdad9d8d7d6d5d4d3d2d1d0cfcecdcccbcac9c8c7c6c5c4c3c2c1c0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a09f9e9d9c9b9a999897969594939291908f8e8d8c8b8a898887868584838281807f7e7d7c7b7a797877767574737271706f6e6d6c6b6a696867666564636261605f5e5d5c5b5a595857565554535251504f4e4d4c4b4a494847464544434241403f3e3d3c3b3a393837363534333231302f2e2d2c2b2a292827262524232221201f1e1d1c1b1a191817161514131211100f0e0d0c0b0a090807060504030201 trying ror: 1 trying ror: 2 trying ror: 3 Found cbf with: 3 rotate at 0x13400 d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900 Found exe with: 3 rotate at 0xe200 4d5a90000300000004000000ffff0000b8000000000000004000000000000000
Although CVE-2012-0158 has been known for some time, new techniques and variants continue to be introduced and used. From the initial RTF containers to the current trend of CFB formats, CVE-2012-0158 appears to be a popular exploit for the numerous malware campaigns encountered. Since much work has been done on the RTF examples of this exploit, there is no current plan to include RTF support in attempt.py; however we are working to add support for the Excel variants discovered. Please look forward to the next post and the introduction of attempt.py!