ZeroAccess Trojan: CVE-2015-1701 –> Local Privilege Exploit (LPE) Analysis

Picture

Objective:

  • Analyze the ZeroAccess Trojan custom local privilege exploit (LPE) related to CVE-2015-1701.

​CVE-2015-1701:

  • Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka “Win32k Elevation of Privilege Vulnerability.”
LPE Implementation and Functionality:

  • Registers a vectored exception handler and sets a hardware breakpoint on a specific function. When this function is then called, the exception handler jumps in and continues the execution.
  • The hardware breakpoint is set on KiUserExceptionDispatcher.
  • Loads UxTheme.dll via LoadLibraryA, detected by Kernel API Logger.
  • Prints MessageBoxA with “Error” and “User32.”
Additional Analysis:

  • File: exploit_1f8c42caeacb44f2a738ee2104457220eca6d7a7416f953d01bc716a63b3db8d
  • Size: 24064 Bytes
  • MD5: B5DADAAF9C8FEDF84542DD69C9776B04


Dumped Process:

  • File: exploit_1f8c42caeacb44f2a738ee2104457220eca6d7a7416f953d01bc716a63b3db8d_dmp.exe_
  • MD5:  2b6f803b5ade6eb0b0b960782640765c
  • Size: 40962 Bytes


PDB Path:

  • d:\ZZZ\release\ui[.]pdb


Api Log:

————————————————–
***** Installing Hooks *****  
71ab74df     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)  
71ab80c4     RegOpenKeyExA (Protocol_Catalog9)  
71ab2623     WaitForSingleObject(794,0)  
71ab87c6     RegOpenKeyExA (NameSpace_Catalog5)  
71ab835b     RegOpenKeyExA (Catalog_Entries)     
71ab2623     WaitForSingleObject(78c,0)  
71aa1af2     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)  
71aa198e     GlobalAlloc()  
7c80b719     ExitThread()  
5ad8bdf9     GetCurrentProcessId()=3644  
5ad7a0e2     IsDebuggerPresent()  
773d3faf     LoadLibraryA(UxTheme.dll)=5ad70000    

773ea4a1     GetCurrentProcessId()=3644  

Yara Signature:

rule crime_win32_zeroaccess_lpe
{
    meta:
        description = “Detects the ZeroAccess trojan local privilege exploit related to CVE-2015-1701”
        author = “Vitali Kremez”
        date = “2016-05-23”
        hash = “b5dadaaf9c8fedf84542dd69c9776b04”

    strings:
        $s0 = “\\KnownDlls\\user32.dll” fullword wide
        $s1 = “\\KnownDlls\\kernel32.dll” fullword wide
        $s2 = “” fullword ascii
        $s3 = “d:\\ZZZ\\release\\ui.pdb” fullword ascii
        $s4 = “%p->VirtualProtect([%p, %p) %08X, %s)” fullword ascii
        $s5 = “%p->VirtualAlloc(%p, %08X)” fullword ascii
        $s6 = “%p SSL_SetURL(%s)=%p” fullword ascii
        $s7 = “@Microsoft Unified Security Protocol Provider” fullword wide
        $s8 = “rrrrtm” fullword ascii
        $s9 = “ddddtt” fullword ascii
        $s10 = “%p %s=%p” fullword ascii

        $op0 = { 3b 58 34 74 0c bf 03 00 00 40 eb 05 bf 01 00 00 }
        $op1 = { c3 e9 3a 05 00 00 48 8d 05 01 }
        $op2 = { 8b 45 fc ff 70 10 68 72 72 72 72 8b 4d fc e8 9c } 
 condition:
        uint16(0) == 0x5A4D and filesize < 70KB and all of ($s*) and 1 of ($op*)
}

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s