Belmoo
Promon Guard proactively blocking Nobel-attack
23.11.2010 - During the last days of October 2010, security analysts discovered that the Nobel Peace Prize website (nobelpeaceprize.org) had been compromised in a targeted attack and was hosting malicious JavaScript that exploits a vulnerability in certain Firefox versions. When run under one of the affected Firefox versions, the exploit downloads and executes a backdoor on the compromised system, giving an attacker virtually unlimited control of and access to the system. Mozilla, the maker of Firefox, has since released an updated version of Firefox that resolves the issue, and users of affected versions are strongly advised to update immediately.

According to Telenor (www.telenor.com), at the time the vulnerability was discovered none of 41 tested anti-virus products detected either the exploit or the backdoor component. While the vendors were still updating their signature databases, Promon already had the technology in place to provide proactive detection, which blocked this attack out of the box without any prior knowledge of the exploit.

The Promon technology is implemented as a compact program that can be deployed in three ways: stand-alone, compiled in, or session-based. With these deployment alternatives Promon introduces a new paradigm of information security delivery, called integrated security: instead of the traditional approach of system-wide protection, Promon binds security directly to the application or service that needs protection.
For more detailed technical information about the attack, see the two attached analyses below, covering the exploit (JS/Belmoo) and the backdoor (W32/Belmoo). A demonstration video showing what the attack looks like and how Promon stops it accompanies this page.
Exploit Nobel attack
JS/Belmoo (CVE-2010-3765)
Aliases
- JS_NINDYA.A (Trend Micro)
- Exploit:JS/CVE-2010-3765 (Microsoft)
- JS/FFExploit.A (Norman)
- JS/Exploit.Belmoo.A (NOD32)
Brief overview
JS/Belmoo is a malicious HTML/JavaScript file that uses a heap-spraying technique to exploit a zero-day vulnerability in the Mozilla Firefox web browser (see CVE-2010-3765), specifically targeting versions 3.6.8, 3.6.9, 3.6.10 and 3.6.11 of the browser in order to download and execute a backdoor. This exploit gained particular notoriety after being discovered in the wild on the official Nobel Peace Prize website, in what appears to have been a targeted attack.
Technical overview
The body of the HTML page containing the JavaScript exploit code contains several hidden "div" elements, used to hold version-specific shellcode as well as shellcode common to all vulnerable versions of the Firefox browser. The malicious backdoor executable, named svchost.txt on the server, is included as a script in the malicious HTML page, which causes it to be downloaded automatically to the Firefox cache directory under %USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\ (the Windows XP-era profile location, which matches the platform check described below).

The first task the embedded JavaScript performs is a version check based on the user-agent string: the script only proceeds under Firefox versions 3.6.8, 3.6.9, 3.6.10 or 3.6.11, and only if the platform is not Windows NT 6.0 or 6.1 (i.e. not Windows Vista or Windows 7). If these conditions are not met, the browser is redirected to the default "about:blank" page.

If the version check passes, the script constructs the version-specific shellcode and executes a heap-spraying routine that involves excessive string manipulation, before entering a lengthy loop that writes all possible string attributes for the "audio", "a" and "base" tags to the output document. It is Firefox's failure to handle DOM element processing relating to these tag attributes that is ultimately exploited.

Upon exploitation of this vulnerability the shellcode executes the following command to locate and run the backdoor component that was previously downloaded via the script include. The shellcode does not know the cache file's name: it walks the whole profiles tree, picks out any file whose size is exactly 48640 bytes (the size of W32/Belmoo), copies it to %temp% as scvhost.exe and runs it:

cmd.exe /c FOR /R "%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\" %i IN (*) DO if %~zi equ 48640 cmd.exe /c copy "%i" "%temp%\scvhost.exe" /y & "%temp%\scvhost.exe"
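To make the gating and locating steps concrete, here is an added Python example written for this page; it is not code from Promon, from any anti-virus vendor, or from the exploit itself. It models the user-agent check as the description above states it (Firefox 3.6.8 to 3.6.11, not Windows NT 6.0/6.1) and reimplements the shellcode's FOR /R size search as a hunt function a responder could point at a Firefox profiles directory. The user-agent strings and the temporary profile tree it builds are constructed sample data, and the regular expression and exact match rules are assumptions derived from the description rather than the real script's logic.

```python
import os
import re
import tempfile
from typing import List

# Firefox builds that the JS/Belmoo user-agent check lets through (per the description above)
TARGET_VERSIONS = {"3.6.8", "3.6.9", "3.6.10", "3.6.11"}
# Platform strings the check rejects (Windows Vista and Windows 7)
SKIPPED_PLATFORMS = ("Windows NT 6.0", "Windows NT 6.1")
# Size of the cached svchost.txt payload that the shellcode's FOR /R loop looks for
PAYLOAD_SIZE = 48640

# Assumed matcher for the Gecko user-agent token; the exploit's own check is not on the page
_FIREFOX_RE = re.compile(r"Firefox/(\d+\.\d+(?:\.\d+)?)")


def exploit_would_fire(user_agent: str) -> bool:
    """Model of the exploit's version gate: True only for Firefox 3.6.8-3.6.11
    when the user agent does not report Windows NT 6.0 or 6.1."""
    m = _FIREFOX_RE.search(user_agent)
    if m is None or m.group(1) not in TARGET_VERSIONS:
        return False
    return not any(platform in user_agent for platform in SKIPPED_PLATFORMS)


def find_payload_candidates(profiles_root: str, size: int = PAYLOAD_SIZE) -> List[str]:
    """Python equivalent of the shellcode's
        FOR /R "<profiles>" %i IN (*) DO if %~zi equ 48640 ...
    i.e. every file under the profiles tree whose size is exactly `size`.
    Pointed at a real profile directory this is a cheap hunt for the cached payload."""
    hits = []
    for dirpath, _dirs, files in os.walk(profiles_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) == size:
                hits.append(path)
    return sorted(hits)


def build_sample_profile(root: str) -> str:
    """Constructed stand-in for a Firefox 3.6 profile: one cache entry of exactly
    48640 bytes (standing in for the payload) plus two unrelated files.
    Returns the path of the 48640-byte file."""
    profile = os.path.join(root, "abcd1234.default")
    cache = os.path.join(profile, "Cache")
    os.makedirs(cache)
    payload = os.path.join(cache, "0E3F2A1Bd01")
    with open(payload, "wb") as f:
        f.write(b"MZ" + b"\0" * (PAYLOAD_SIZE - 2))  # dummy bytes, not the backdoor
    with open(os.path.join(cache, "_CACHE_MAP_"), "wb") as f:
        f.write(b"\0" * 4096)
    with open(os.path.join(profile, "prefs.js"), "w") as f:
        f.write('user_pref("app.update.enabled", true);\n')
    return payload


def run_demo() -> dict:
    """Build the constructed profile tree in a temp directory and hunt it."""
    root = tempfile.mkdtemp(prefix="ff_profiles_")
    expected = build_sample_profile(root)
    return {"expected": expected, "hits": find_payload_candidates(root)}


if __name__ == "__main__":
    # Constructed user-agent strings: XP + vulnerable build, Win7 + vulnerable build, XP + patched build
    for ua in (
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10",
        "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10",
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12",
    ):
        print(f"{'FIRES ' if exploit_would_fire(ua) else 'skips '} {ua}")
    result = run_demo()
    print("size-48640 files under profiles tree:", result["hits"])
```

The size-based search is the weak point worth noticing as a defender: any 48640-byte file under the profiles tree, payload or not, would be copied and run, and conversely a hunt keyed on size alone will produce false positives, so confirm candidates by hash or by the backdoor's persistence artefacts before acting.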
Our labs are currently analyzing this threat further, and will provide additional information as it becomes available.
Backdoor Nobel-attack
W32/Belmoo
Aliases
- W32/Belmoo.A (Norman)
- Backdoor.Belmoo (Symantec)
- BKDR_NINDYA.A (Trend Micro)
Brief overview
W32/Belmoo is a malicious Windows executable that contains backdoor functionality, allowing an attacker to gain remote access to a machine and execute commands. The file is 48640 bytes long and is not packed or encrypted in any way.
Technical overview
Upon execution W32/Belmoo copies itself to the %WINDOWS% directory as "symantec.exe", and creates the following registry Run values to ensure that it is executed automatically when Windows starts (note that the value data as recorded here points at %TEMP% rather than %WINDOWS%, so both locations are worth checking on a suspected host):
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update = "%TEMP%\symantec.exe"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update = "%TEMP%\symantec.exe"
W32/Belmoo then attempts to resolve the following host names, although it does not care whether or not this succeeds;
- nobel.usagov.mooo.com
- www.update.microsoft.com
- l-3com.dyndns-work.com
- l-3com.dyndns.tv
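The autorun value and the host names above are the indicators a responder would actually hunt for. The following Python is an added example, not Promon's or any vendor's tooling: it checks a .reg export for the backdoor's Run value and scans DNS query logs for the listed names. The registry export text and the log lines are constructed samples, and the log line format is an assumption. It goes one step beyond the text: www.update.microsoft.com is a legitimate Microsoft host that any Windows machine may resolve, so the scan only flags a client when it also resolved one of the dynamic-DNS names.

```python
import re
from typing import Dict, List, Tuple

# Persistence indicators from the W32/Belmoo description: an autorun value named
# "Microsoft Windows Update" whose data points at a file called symantec.exe.
RUN_VALUE_NAME = "Microsoft Windows Update"
DROPPED_NAME = "symantec.exe"

# Names the backdoor tries to resolve. The dynamic-DNS names are high-confidence
# indicators; www.update.microsoft.com is a legitimate Microsoft host, so on its
# own it proves nothing and is only kept as corroboration for the same client.
C2_HOSTS_HIGH = {"nobel.usagov.mooo.com", "l-3com.dyndns-work.com", "l-3com.dyndns.tv"}
C2_HOSTS_LOW = {"www.update.microsoft.com"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_belmoo_run_values(reg_export: str) -> List[Tuple[str, str, str]]:
    """Scan a .reg export (the format `reg export` writes) and return
    (key, value name, value data) for every Run value that matches the IOC."""
    hits: List[Tuple[str, str, str]] = []
    current_key = ""
    for raw in reg_export.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        val = _VALUE_RE.match(line)
        if not val or not current_key.lower().endswith(r"\currentversion\run"):
            continue
        name, data = val.group(1), val.group(2).replace("\\\\", "\\")  # undo .reg escaping
        if name == RUN_VALUE_NAME or data.lower().endswith("\\" + DROPPED_NAME):
            hits.append((current_key, name, data))
    return hits


# Assumed DNS log line format: "<date> <time> <client-ip> query <qname>"
_DNS_RE = re.compile(r"^\S+ \S+ (?P<client>\S+) query (?P<qname>\S+)$")


def find_belmoo_dns_clients(log_lines: List[str]) -> Dict[str, List[str]]:
    """Return {client: [listed names it queried, in order]} for clients that
    resolved at least one high-confidence C2 name; Microsoft-only lookups are dropped."""
    seen: Dict[str, List[str]] = {}
    for line in log_lines:
        m = _DNS_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if qname in C2_HOSTS_HIGH or qname in C2_HOSTS_LOW:
            seen.setdefault(m.group("client"), []).append(qname)
    return {client: names for client, names in seen.items() if C2_HOSTS_HIGH & set(names)}


# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\symantec.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\symantec.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
"""

SAMPLE_DNS = [
    "2010-10-26 10:12:03 10.0.0.15 query nobel.usagov.mooo.com",
    "2010-10-26 10:12:03 10.0.0.15 query www.update.microsoft.com",
    "2010-10-26 10:12:05 10.0.0.22 query www.nobelpeaceprize.org",
    "2010-10-26 10:12:09 10.0.0.15 query l-3com.dyndns.tv",
    "2010-10-26 10:12:10 10.0.0.31 query www.update.microsoft.com",
]

if __name__ == "__main__":
    for key, name, data in find_belmoo_run_values(SAMPLE_REG):
        print(f"autorun IOC: [{key}] {name} = {data}")
    for client, names in find_belmoo_dns_clients(SAMPLE_DNS).items():
        print(f"client {client} resolved {', '.join(names)}")
```

The registry check matches on either the value name or the file name, because an operator may change one without the other; on a real host, also look for symantec.exe itself in both %TEMP% and %WINDOWS%, since the text above gives both locations.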