Archive for the ‘Malware Analysis’ Category

Just some Acrobat exploits

July 11, 2010

In this second post I will explain the functions in the JavaScript code carved out of the PDF and used to exploit the Acrobat vulnerabilities.

First of all, let's look at the function that acts as a version check on the copy of Acrobat the victim used to open the infected PDF.

This is the function:

The function is named GDUvmppC(). Inside it, the variable yVXd is declared and initialised through app.viewerVersion.toString() with the version number of the Acrobat viewer. A chain of comparisons on that value then launches the exploit matching the detected version.

If the version is less than 8, the waDmT() function is called.
If the version is greater than 8, the FdAY() function is called.
If the version is less than 9.1, the mLU() function is called.
If the version is less than 9.2, the breakfast() function is called.

As you can see, there are four functions.

The waDmT() function exploits the collectEmailInfo vulnerability
-> collectEmailInfo({ subj:"", msg:mmk })

The FdAY() function exploits the util.printf vulnerability
-> util.printf("%45000f", uzpymeSR)

The mLU() function exploits the getIcon vulnerability
-> app.doc.Collab.getIcon(gGsYFcss)

The breakfast() function exploits the util.printd vulnerability
-> util.printd(GDagaCuyNfRSFzaSZLO, new Date())

All four functions contain shellcode, and inside it we find two interesting links:

http://*/yogetheadshot.php?ids=UdPDF
http://*/yogetheadshot.php

Both links serve the same malware: the two downloads are identical, and there are two URLs only because the one contacted depends on the Acrobat version 😉

In the next post I'll try to explain what the malware downloaded through the PDF does.

Bye, see you in the next post. =)

Analysis of a malformed and exploited PDF

July 11, 2010

Hi,
today I'm going to analyse an infected PDF that exploits Acrobat 🙂

The target file is called soreheadprattler.pdf
md5: AF485196F31F66B07D87E63DFCA41239
At the time of writing, according to VirusTotal, the PDF is detected by 12 of 41 engines (29.27%), honestly a very low rate given the potential of the exploits in question. Using the Sophos nomenclature, this PDF is identified as Troj/PDFJs-LJ.

Let's analyse the PDF.

First of all, I take this opportunity to thank my friend Daniel for giving me the chance to act as a tester while the tool is still under development. Thx =)
The tool in question is PDF Insider; for more info visit ntcore.com.

Opening the PDF file in PDF Insider, we immediately notice a malformation.

We are warned of an unresolved xref. The xref (cross-reference) table is what a PDF reader uses to locate the objects in the file; since it is broken here, the document apparently contains no objects at all. A damaged xref does not stop the exploit, because Adobe Reader simply rebuilds the table when it opens the file; it only trips up tools that trust the table. It is not a problem for us either, because PDF Insider provides a special function that scans the file for objects to get around exactly this kind of mishap ;).
In fact, clicking on Detect Object we get four objects: 1.0, 2.0, 3.0 and 4.0.
Here a screenshot:

Each object may contain JavaScript code and/or a compressed stream. With only four objects it would be no trouble to go through each one and check for interesting content, but in a PDF with many objects that would be real suicide, unless you are a masochist :P.

PDF Insider again comes to our aid, showing which objects or streams contain JavaScript code.

We can see that object 4.0 contains both a (compressed) stream and JavaScript code, and that it is the only one that does!
Let's look at what is interesting inside it:

Among the Info, the filters immediately stand out:

LZWDecode: this indicates that the data is compressed, as I said before. LZW (Lempel-Ziv-Welch) is one of the lossless compression filters defined by the PDF format (FlateDecode is the more common choice in recent files);
ASCII85Decode: not encryption but an encoding, also known as base85, which represents every four binary bytes as five printable ASCII characters;
ASCIIHexDecode: decodes data encoded as ASCII hexadecimal digits, reproducing the original binary data;
RunLengthDecode (RLE): decompresses data encoded with a byte-oriented run-length encoding algorithm, reproducing the original text or binary data.
None of these filters hides anything from a reader that implements them; stacking several of them is simply a cheap way to keep string-based scanners from seeing the JavaScript.
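As an added example (Node.js code written for this page, not code from the original post or from PDF Insider), here are decoders for the four filters listed above and a helper that applies a /Filter array in order, the way a viewer does. The sample inputs are constructed; the LZW input is the worked example from the PDF specification (section 7.4.4.2), whose expected output is known.

```javascript
// Added example, not from the original post: PDF filter decoders in Node.js.
const latin1 = (s) => Buffer.from(s, 'latin1');

// ASCIIHexDecode: hex digit pairs, whitespace ignored, '>' is EOD,
// a lone trailing digit is read as if followed by '0'.
function asciiHexDecode(buf) {
  const hex = buf.toString('latin1').split('>')[0].replace(/\s+/g, '');
  return Buffer.from(hex.length % 2 ? hex + '0' : hex, 'hex');
}

// ASCII85Decode: five chars '!'..'u' encode four bytes (base 85, big-endian),
// 'z' is four zero bytes, '~>' is EOD; a final partial group is padded with
// 'u' and the surplus output bytes are dropped.
function ascii85Decode(buf) {
  let s = buf.toString('latin1');
  if (s.startsWith('<~')) s = s.slice(2);
  s = s.split('~>')[0].replace(/\s+/g, '');
  const out = [];
  let group = [];
  const flush = (n) => {                       // n = chars actually present
    while (group.length < 5) group.push(84);   // pad with 'u'
    let v = 0;
    for (const d of group) v = v * 85 + d;
    const bytes = [(v >>> 24) & 255, (v >>> 16) & 255, (v >>> 8) & 255, v & 255];
    out.push(...bytes.slice(0, n - 1));
    group = [];
  };
  for (const ch of s) {
    if (ch === 'z' && group.length === 0) { out.push(0, 0, 0, 0); continue; }
    const d = ch.charCodeAt(0) - 33;
    if (d < 0 || d > 84) throw new Error('ASCII85: bad character ' + ch);
    group.push(d);
    if (group.length === 5) flush(5);
  }
  if (group.length > 1) flush(group.length);
  return Buffer.from(out);
}

// RunLengthDecode: length byte L; 0..127 copies the next L+1 bytes literally,
// 129..255 repeats the next byte 257-L times, 128 is EOD.
function runLengthDecode(buf) {
  const out = [];
  for (let i = 0; i < buf.length;) {
    const L = buf[i++];
    if (L === 128) break;
    if (L < 128) { out.push(...buf.subarray(i, i + L + 1)); i += L + 1; }
    else out.push(...new Array(257 - L).fill(buf[i++]));
  }
  return Buffer.from(out);
}

// LZWDecode as PDF uses it: MSB-first codes starting at 9 bits, 256 = clear
// table, 257 = EOD; the width grows to 10/11/12 bits one code early when
// /EarlyChange is 1 (the default).
function lzwDecode(buf, earlyChange = 1) {
  const out = [];
  let table, width, prev, bits = 0, nbits = 0, pos = 0;
  const reset = () => {
    table = Array.from({ length: 256 }, (_, i) => [i]);
    table.push(null, null);                    // placeholders for codes 256, 257
    width = 9; prev = null;
  };
  reset();
  for (;;) {
    while (nbits < width) {
      if (pos >= buf.length) return Buffer.from(out);   // data ended without EOD
      bits = (bits << 8) | buf[pos++]; nbits += 8;
    }
    const code = (bits >>> (nbits - width)) & ((1 << width) - 1);
    nbits -= width; bits &= (1 << nbits) - 1;
    if (code === 256) { reset(); continue; }
    if (code === 257) break;
    let entry;
    if (code < table.length) entry = table[code];
    else if (code === table.length && prev) entry = prev.concat(prev[0]);  // KwKwK case
    else throw new Error('LZW: invalid code ' + code);
    out.push(...entry);
    if (prev) table.push(prev.concat(entry[0]));
    prev = entry;
    if (table.length + earlyChange >= (1 << width) && width < 12) width++;
  }
  return Buffer.from(out);
}

const FILTERS = {
  ASCIIHexDecode: asciiHexDecode, AHx: asciiHexDecode, ASCII85Decode: ascii85Decode, A85: ascii85Decode,
  RunLengthDecode: runLengthDecode, RL: runLengthDecode, LZWDecode: lzwDecode, LZW: lzwDecode,
};

// Apply the filters named in /Filter, first one first.
function decodeStream(raw, filters) {
  return filters.reduce((data, name) => {
    if (!FILTERS[name]) throw new Error('unsupported filter ' + name);   // e.g. FlateDecode
    return FILTERS[name](data);
  }, raw);
}

// Constructed sample: "abcxxx" run-length packed, then ASCII85, then ASCIIHex,
// i.e. a stream whose dictionary says /Filter [/ASCIIHexDecode /ASCII85Decode /RunLengthDecode].
const SAMPLE = latin1('2162 2350 4A72 6369 717E 3E>');
const SAMPLE_FILTERS = ['ASCIIHexDecode', 'ASCII85Decode', 'RunLengthDecode'];
```

decodeStream(SAMPLE, SAMPLE_FILTERS) yields the original "abcxxx"; FlateDecode, the filter you will meet most often, is left to zlib.inflateSync and is deliberately not in the table.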

Now that we have this info, we can do a proper analysis of object 4.0. PDF Insider supports the LZW algorithm and so can decompress the stream easily and show its contents:

What is immediately evident is the declaration of a variable, named B0b, which catches the eye because it contains a very long string. Scroll down to see how this variable is used!

As I thought! It is used in a function that performs a character replacement. It is easy to see that the string contains many "@" characters, and it is precisely this character that gets replaced by another. To explain the whole thing better, here is the rest of the code:

First some variables are declared. The variable z is assigned app.doc, on which syncAnnotScan() is then called.
Immediately below, B0b is processed: B0b.replace(/@/g, String.fromCharCode(32-1+6)) performs a global search (the /g flag) through the data block for the "@" character and replaces each occurrence with the character returned by String.fromCharCode(), i.e. the one with character code 37 (32-1+6 == 37, decimal), which is "%". So we obtain a new data block:

Earlier I mentioned app.doc and syncAnnotScan, so here is the explanation from the Adobe documentation:

app: The app object is a static object that represents the Acrobat application itself. It offers a
number of Acrobat-specific functions in addition to a variety of utility routines and
convenience functions.

doc: The doc object is the primary interface to the PDF document, and it can be used to access
and manipulate its content. The doc object provides the interfaces between a PDF
document open in the viewer and the JavaScript interpreter.

syncAnnotScan: The syncAnnotScan method guarantees that all annotations in the document are scanned.

Once all this is done, we find the classic eval() function wrapping an unescape() call.
First, the data block we talked about is decoded by unescape(), which turns the %XX escapes back into characters and yields the ugly JavaScript code; then the result is executed through eval(), i.e. oN().

In the next post I will explain how the functions in the JavaScript code we obtained with these simple steps are used to exploit vulnerabilities in various versions of Adobe Reader.

Bye, see you in the next post. =)

A brief analysis about Trojan.Banker.Delf.ZLR

May 22, 2010

Hi to all!

Today I will speak very briefly about a new threat that targets bank customers, specifically those of the Brazilian bank Bradesco [hxxp://www.bradesco.com.br/].

Some info about the Bradesco Bank:


Type: Public (BM&F Bovespa:BBDC3 / BBDC4 NYSE: BBD BMAD: XXBDC)

Industry: Finance and Insurance

Founded: 1943

Headquarters: Osasco, Brazil

Key people: Luiz Carlos Trabuco Cappi (CEO) Lázaro de Mello Brandão (Chairman of the Board of Directors) Antônio Bornia (Vice-Chairman of the Board of Directors)

Products: Banking

Revenue: ▲US$ 36.1 Billion (2009)

Net income: ▲US$ 4.5 Billion (2009)

Total assets: ▲US$ 299.0 Billion (2010)

Employees: 85,577

The banking trojan in question is called, according to the antivirus vendors' nomenclature, Trojan.Banker.Delf.ZLR.

Before I start talking about what the virus does, here is some general information about the target: the layout of the PE file, any packer/compressor/cryptor, etc.

At the time of writing, the threat is recognised by 15 of 41 AV engines, according to VirusTotal.

Hash MD5: fc3f089f7d64eb4dcc7113c5add3bda7

Hash SHA-1: ae521a311bde3667d7bcb74460b4a6e92a8cd2c8

Imports:

advapi32.dll

comctl32.dll

gdi32.dll

kernel32.dll

oleaut32.dll

user32.dll

version.dll

Sections:

UPX0

UPX1

.rsrc

There is also a TLS directory. Anyone who wants to analyse this virus in more depth with a debugger such as OllyDbg must keep this in mind and configure the debugger to break on the TLS callback: the callback runs before the entry point, so a debugger that first pauses at the OEP lets the virus execute whatever it has staged there without ever stopping.

It is easy to see that the file is packed with the very common free compressor UPX, so let's unpack it. I did it with the splendid Explorer Suite from NTCore, which also includes a UPX utility for this purpose.

Immediately after unpacking, analysing the file with a PE scanner such as PEiD or RDG Packer Detector shows that it is written in Delphi. This is information that is very helpful in most cases, though not for this specific sample. In malware analysis, the more information we gather about the target, the easier it is to analyse it.

As I already said, this virus is one of the classics that try to steal the bank-account credentials of unfortunate victims; that's why they are called banking trojans ;). Trojan.Banker.Delf.ZLR does essentially nothing special: it is a fake program created specifically to make you believe you need it to perform banking transactions directly from your PC.

It consists of a classic form with three edit boxes for entering your bank-account details and a way to "simulate" the installation of this fake account-management program. Let's see how it is built:

Once the victim has entered the bank-account details and clicked "Instalar", a DLL download is simulated. I say simulated because no DLL is actually downloaded: running Wireshark during these steps shows no GET request to any site, and searching the system for the name ib2k1.dll finds nothing. All of this is done only to make the installation process look convincing.

After the simulated DLL download we get the form for the account credentials: account holder, password and secret word. These are then sent to the site of whoever created the fake program, which is how the credentials are stolen.
Among the strings contained in the file I found two particularly interesting things, a URL and a sentence, respectively:

http://firefoxxx.t35.com/Dario.envio.desco.php

Bradesco by D4RiO

From these we understand that whoever created the software calls himself Dario, and that the URL contacted is http://firefoxxx.t35.com/Dario.envio.desco.php

Here is a screenshot:

Then we come to the credit-card-holder form. Here the last three digits of the credit card number must be entered; pressing Confirm sends everything the program has stored to the URL mentioned above.

That's all for this time, guys. See you in the next post. =)

Virus Win32:Induc

August 20, 2009

Hi all,

this morning, while I was programming in Delphi with my Delphi 7 IDE, I noticed that the exe I had just compiled was detected by my AV as a virus.

My AV is Avast!, and the compiled exe was detected specifically as Win32:Induc.

Win32:Induc is a newly emerging threat, dated 18/08/09.

I have googled and looked on my PC, and I can say this:

The virus first looks in the registry path HKLM\Software\Borland\Delphi\X.0\ for the RootDir value, which specifies the folder where your Delphi IDE is installed.

[ X indicates the version of your Delphi IDE installed on your PC ]

Once it has done this, the virus infects the file SysConst.pas, a Delphi library source file located in Source\Rtl\Sys\.
It then looks for the \lib directory under the Delphi root, copies SysConst.pas to the \bin directory and injects malicious code into the copy.

Then the virus renames the original Delphi library file \lib\SysConst.dcu to \lib\SysConst.bak.

In place of the original .dcu, the virus invokes the Delphi compiler [ bin\dcc32.exe ] and compiles a new, infected SysConst.dcu library file.

Afterwards it deletes the .pas file it had injected with malicious code, i.e. SysConst.pas, and sets the date and time of the new SysConst.dcu to those of the original file.

Once all of this is done, any project compiled with the Delphi IDE is infected automatically.
Indeed, this is what happened to me 😛

I resolved, or at least it seems so, this problem in this way:

– I deleted both SysConst files, i.e. the .bak and the .dcu, from \lib;

– I restored the original SysConst.pas from the setup files folder to the path \Source\Rtl\Sys and compiled it when I went to compile my project.

These two simple steps appear to have solved the problem; in fact, the compiled exe file was no longer detected as infected.

That's all for this time, see you in the next post 🙂

Bye.