Advertisement
unixfreaxjp

TO ISEC Labsre: w***wet bug PoC with fixing ADVICE

Oct 19th, 2012
195
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // As promised to Mr. Marco Cova, I did send the email below
  2. // regarding to the w***wet bug of PseudoDomain multilayer+packer obfuscation scan.
  3. // Ref: http://malwaremustdie.blogspot.jp/2012/10/fuzzy-in-manual-cracking-of.html
  4. // Looks like he cannot receive email from GMAIL I don't know how to contact so I pasted
  5. // the report here instead, and tweet the bug to him.
  6.  
  7. Delivery to the following recipient failed permanently:
  8. ========================================
  9. m.covaxxx@xxxcs.bham.ac.uk
  10. ========================================
  11. Technical details of permanent failure:
  12. Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 Encrypted zip attachments are not allowed (state 17).
  13.  
  14. ----- Original message -----
  15.  
  16. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  17. d=gmail.com; s=20120113;
  18. h=mime-version:in-reply-to:references:date:message-id:subject:from:to
  19. :content-type;
  20. bh=Dw9pzl4ZPN/QK1b6xi4EC8L7l2odRNM+Ymv0gkLNgQY=;
  21. b=xiB+7bNu8mJCyJkiqejh5Z/HjwlPrY4j6/mWh3PRJ7I0sVFxvcJJInfaiXj1pcI3Xw
  22. ZA5zp3p59eGFqRCr5OajcNe8AR+Wy4ACd0zA85PgGR5VKH7yA02IS8SEjKhL70+O+dsT
  23. Y4jQJNkB9qNk8qNlRgeCHBKeG/l4xl70xhRoyikUxqE7zsOSH83clxK4wQumYc9Ujm6R
  24. kHF0fG5Gizb5GlgzmMVqCB+YREjByfh6R8ZjxSF9Gx6pjNVa7QfYCSEWWhU5qI1F+JBo
  25. KEdRMg7mPsB5RMO3Y7HAwOf2rK0Mp8RUp2usZTZwIjmw01jBiwzizoiLkcnhlDkFFR0f
  26. EMSQ==
  27. MIME-Version: 1.0
  28. Received: by 10.224.176.201 with SMTP id bf9mr583304qab.80.1350648059201; Fri,
  29. 19 Oct 2012 05:00:59 -0700 (PDT)
  30. Received: by 10.49.87.71 with HTTP; Fri, 19 Oct 2012 05:00:58 -0700 (PDT)
  31. In-Reply-To: <CAAhuQpNgR15GE1U2PVbGwZ1GqTXJEK3fMeBG84s69eq_WY5g2w@mail.gmail.com>
  32. References: <4AB6FE67-6AC4-46CD-A8C3-D767FBC4C59E@cs.bham.ac.uk>
  33. <CAAhuQpNgR15GE1U2PVbGwZ1GqTXJEK3fMeBG84s69eq_WY5g2w@mail.gmail.com>
  34. Date: Fri, 19 Oct 2012 21:00:58 +0900
  35. Message-ID: <CAAhuQpMSzb=Pykecs-9dWsazepnYkhYRs1Lyoq+4uv+11V87Rg@mail.gmail.com>
  36. Subject: Re: wepawet
  37. From: =?ISO-2022-JP?B?GyRCJSIlSSVqJSIlcyVYJXMlSSVqJUMlLxsoQg==?= <unixfreaxjpxxxxx@gmail.com>
  38. To: Marco Cova <m.covaxxxx@xxxxcs.bham.ac.uk>
  39. Content-Type: multipart/mixed; boundary=20cf30334e41c907e004cc6841b6
  40.  
  41. Hello Mr. Cova,
  42.  
  43. Allow me to report the obfuscation that cannot be cracked well by wepawet.
  44. The infected files contains the obfuscated JavaScript is as per attached
  45. index.html.zip/pass: infected.
  46.  
  47. It is an obfuscation of the Pseudorandom JavaScript which is currently used
  48. by some Exploit Kit malware infectors as per described
  49. here<http://malwaremustdie.blogspot.jp/2012/10/fuzzy-in-manual-cracking-of.html>
  50. But this time this "thing" was obfuscated 2 times, get packed one time
  51. (with what so-called JS/Packer that often being used by these malware
  52. makers) and get obfuscated again.
  53.  
  54. The result of the current scan is as per below url in wepawet:
  55. http://wepawet.iseclab.org/view.php?hash=000bcb872c056f3702e80cab6dbbfeb6&type=js&t=1350578657
  56.  
  57. Interesting part of it was the message shown in the result as per pasted
  58. below:
  59. ===============================
  60.  
  61. Malware
  62.  
  63. *No additional malware was retrieved.*
  64. ================================
  65.  
  66. ↑ the above statement is wrong, we received the exploit kit payload as per
  67. desribed in our blog, the messages can make other developer thinks a non infected
  68. page... Please fix the wepawet logic regardingly.
  69.  
  70. ---------------
  71. @unixfreaxjp
  72. #MalwareMustDie!
  73. http://malwaremustdie.blogspot.jp
Advertisement
RAW Paste Data Copied
Advertisement