TO ISEC Labsre: w***wet bug PoC with fixing ADVICE

1. // As promised to Mr. Marco Cova, I did send the email below
2. // regarding to the w***wet bug of PseudoDomain multilayer+packer obfuscation scan.
3. // Ref: http://malwaremustdie.blogspot.jp/2012/10/fuzzy-in-manual-cracking-of.html
4. // Looks like he cannot receive email from GMAIL I don't know how to contact so I pasted
5. // the report here instead, and tweet the bug to him.
6.  
7. Delivery to the following recipient failed permanently:
8. ========================================
9. m.covaxxx@xxxcs.bham.ac.uk
10. ========================================
11. Technical details of permanent failure:
12. Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 Encrypted zip attachments are not allowed (state 17).
13.  
14. ----- Original message -----
15.  
16. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
17. d=gmail.com; s=20120113;
18. h=mime-version:in-reply-to:references:date:message-id:subject:from:to
19. :content-type;
20. bh=Dw9pzl4ZPN/QK1b6xi4EC8L7l2odRNM+Ymv0gkLNgQY=;
21. b=xiB+7bNu8mJCyJkiqejh5Z/HjwlPrY4j6/mWh3PRJ7I0sVFxvcJJInfaiXj1pcI3Xw
22. ZA5zp3p59eGFqRCr5OajcNe8AR+Wy4ACd0zA85PgGR5VKH7yA02IS8SEjKhL70+O+dsT
23. Y4jQJNkB9qNk8qNlRgeCHBKeG/l4xl70xhRoyikUxqE7zsOSH83clxK4wQumYc9Ujm6R
24. kHF0fG5Gizb5GlgzmMVqCB+YREjByfh6R8ZjxSF9Gx6pjNVa7QfYCSEWWhU5qI1F+JBo
25. KEdRMg7mPsB5RMO3Y7HAwOf2rK0Mp8RUp2usZTZwIjmw01jBiwzizoiLkcnhlDkFFR0f
26. EMSQ==
27. MIME-Version: 1.0
28. Received: by 10.224.176.201 with SMTP id bf9mr583304qab.80.1350648059201; Fri,
29. 19 Oct 2012 05:00:59 -0700 (PDT)
30. Received: by 10.49.87.71 with HTTP; Fri, 19 Oct 2012 05:00:58 -0700 (PDT)
31. In-Reply-To: <CAAhuQpNgR15GE1U2PVbGwZ1GqTXJEK3fMeBG84s69eq_WY5g2w@mail.gmail.com>
32. References: <4AB6FE67-6AC4-46CD-A8C3-D767FBC4C59E@cs.bham.ac.uk>
33. <CAAhuQpNgR15GE1U2PVbGwZ1GqTXJEK3fMeBG84s69eq_WY5g2w@mail.gmail.com>
34. Date: Fri, 19 Oct 2012 21:00:58 +0900
35. Message-ID: <CAAhuQpMSzb=Pykecs-9dWsazepnYkhYRs1Lyoq+4uv+11V87Rg@mail.gmail.com>
36. Subject: Re: wepawet
37. From: =?ISO-2022-JP?B?GyRCJSIlSSVqJSIlcyVYJXMlSSVqJUMlLxsoQg==?= <unixfreaxjpxxxxx@gmail.com>
38. To: Marco Cova <m.covaxxxx@xxxxcs.bham.ac.uk>
39. Content-Type: multipart/mixed; boundary=20cf30334e41c907e004cc6841b6
40.  
41. Hello Mr. Cova,
42.  
43. Allow me to report the obfuscation that cannot be cracked well by wepawet.
44. The infected files contains the obfuscated JavaScript is as per attached
45. index.html.zip/pass: infected.
46.  
47. It is an obfuscation of the Pseudorandom JavaScript which is currently used
48. by some Exploit Kit malware infectors as per described
49. here<http://malwaremustdie.blogspot.jp/2012/10/fuzzy-in-manual-cracking-of.html>
50. But this time this "thing" was obfuscated 2 times, get packed one time
51. (with what so-called JS/Packer that often being used by these malware
52. makers) and get obfuscated again.
53.  
54. The result of the current scan is as per below url in wepawet:
55. http://wepawet.iseclab.org/view.php?hash=000bcb872c056f3702e80cab6dbbfeb6&type=js&t=1350578657
56.  
57. Interesting part of it was the message shown in the result as per pasted
58. below:
59. ===============================
60.  
61. Malware
62.  
63. *No additional malware was retrieved.*
64. ================================
65.  
66. ↑ the above statement is wrong, we received the exploit kit payload as per
67. desribed in our blog, the messages can make other developer thinks a non infected
68. page... Please fix the wepawet logic regardingly.
69.  
70. ---------------
71. @unixfreaxjp
72. #MalwareMustDie!
73. http://malwaremustdie.blogspot.jp