Just read a fascinating blog post from the folks over at Secureworks.
Basically they noted that W32/HLLP.Philis.bq has been spreading in certain parts of the world. They also noted that recently a Chinese national was arrested in Japan for sending lots of money back to China. He allegedly got the real money auctioning off gold accumulated playing MMORPGs online. Riiiiiiiiiiight. As the sharp folks at SecureWorks point out - 1.3mil is a lot of bank for a single dude to harvest playing MMORPGs all by himself (let alone a 'student') . . . :)
Even if this guy doesn't end up being the mastermind behind Philis, I think the technique employed by this malware specimen is going to become increasingly popular / prevalent if it isn't already. :)
Let's look at how things compare on XP vs. Vista for this malware specimen. :)
XP (user running as admin by default):
Step 1: Use a browser-specific exploit to get code running on the machine (malware runs as admin). (MDAC AX control / MS06-016)
Step 2: Once code is running as the user - establish persistence (modify autostart entry points (ASEPs), infect system files, etc.)
Step 3: Seek & Destroy - Set up the MMORPG password sniffing component & propagate to internal hosts behind the firewall via admin shares.
Vista (user running as protected admin):
Step 1: Use a browser-specific exploit to get code running on the machine (malware runs as admin).
Hrmmm . . . well first you have to find a vulnerability in IE7 that can be used for code execution. Most likely you won't find one in IE7 itself; you'll find one in a 3rd party add-on or component (AX control etc.) hosted in IE and you'll exploit THAT since it will be easier. :) But that's assuming IE will even run this control by default . . . it may not even do that and give you a gold bar warning instead! So if it's not on the approved control list it will warn / prompt the user before running the control. I'll assume such a control exists and that the user chooses to run it and gets exploited, ignoring the dialog. I'll also assume that NX, SafeSEH, GS and ASLR all failed to prevent the shellcode from running in IE's process space. Now the malware is running at 'Low' integrity level because of IE7's 'Protected Mode', which is enabled by default on Vista. What's an integrity level? Mandatory Integrity Control (MIC) - new in Vista. Steve blogs it here.
Step 2: Once code is running as the user - establish persistence (modify autostart entry points (ASEPs), infect system files, etc.)
Oohhhh snap!!! Software running at 'Low' IL can't write to areas of memory / disk that are marked at a higher integrity level. This basically means the malware can only do stuff within the confines of the IE Temporary Internet Files folder. It can't modify registry ASEPs, can't modify or infect system files, let alone other users' files or even the current user's important files, which would be marked at 'Medium' integrity in a different folder.
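The write-up restriction described above can be seen with nothing but Vista's built-in tools. The PowerShell session below is an added example, not part of the original post; the folder and file names under %TEMP% are constructed for the demo, and it relies on the documented rule that a new process runs at the lesser of its parent token's integrity level and its executable file's label.

```powershell
# Added example (not from the original post): inspect and exercise Vista's
# Mandatory Integrity Control with built-in tools. Paths are constructed.

# 1. Every process token carries a Mandatory Label group. A normal user
#    shell reports "Mandatory Label\Medium Mandatory Level", an elevated
#    one "High Mandatory Level"; Protected Mode IE runs at Low.
whoami /groups | Select-String 'Mandatory Label'

# 2. Create a scratch folder and label it Low. Objects with no explicit
#    label (like the rest of %TEMP%) are treated as Medium.
$demo = Join-Path $env:TEMP 'mic-demo'                 # constructed path
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Remove-Item "$env:TEMP\outside.txt" -ErrorAction SilentlyContinue
icacls $demo /setintegritylevel Low

# 3. icacls shows the label as "Mandatory Label\Low Mandatory Level:(NW)".
#    NW is the No-Write-Up policy: a lower-IL subject may not write to a
#    higher-IL object, which is what blocks Step 2 in the post.
icacls $demo

# 4. Get a Low-IL process without third-party tools: a copy of cmd.exe
#    labelled Low launches at Low, because a new process gets the lesser
#    of its parent token's IL and the executable file's label.
$lowcmd = Join-Path $demo 'lowcmd.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" $lowcmd
icacls $lowcmd /setintegritylevel Low

# 5. From the Low shell, print its own label, then attempt a write inside
#    the Low folder (allowed) and one into the Medium parent (denied).
$probe = Join-Path $demo 'probe.cmd'
@"
@whoami /groups | findstr /c:"Mandatory Label"
@echo ok > "$demo\inside.txt"
@echo ok > "$env:TEMP\outside.txt"
"@ | Set-Content -Path $probe -Encoding Ascii
& $lowcmd /c $probe

# 6. Check which writes landed: only the file inside the Low-labelled
#    folder should exist, the write-up into %TEMP% is refused by MIC.
Test-Path "$demo\inside.txt"
Test-Path "$env:TEMP\outside.txt"
Remove-Item $demo -Recurse -Force
```

Run it from a normal (non-elevated) PowerShell prompt so the parent token is Medium; an elevated prompt still demonstrates the same thing, since the Low label on the copied cmd.exe caps the child either way.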
Step 3: Seek & Destroy - Set up the MMORPG password sniffing component & propagate to internal hosts behind the firewall via admin shares.
Again, since the initial attack vector (IE7 running at 'Low' integrity) didn't allow the malware to establish any sort of persistence - it won't be able to survive a logoff, let alone a restart, and it will be quite easy for Defender to identify and remove it once signatures are created. So we'll assume the worm's only window of opportunity for spreading is the current user's logon session (however long that lasts - could be days / weeks). Assuming the malware even works properly at 'Low' IL (i.e. that it can open network sockets and call various APIs - I haven't researched this to see if these actions work at 'Low' IL) - guess what? It won't be able to propagate using the admin shares on Vista - because they aren't enabled by default on Vista anymore. All those corporate XP machines created from the same standard image with a lame default admin password - not so much.
This, my friends, is defense in depth.
My hope is that by this time next year comparing Vista's security track record to XP will be like comparing IIS6 to IIS5 . . . or *cough* SQL 2005 to Oracle 10g. :)