<h1>Malware Persistence With HKEY_CURRENT_USER Shell Extension Handlers, No Admin Required</h1>
From the blog "Better than pastebin..." by herrcore. Posted 2015-06-04, updated 2016-09-11.<br />
This content has moved to <a href="http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/">http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/</a><br />
<br />
<blockquote class="tr_bq">
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><b>Update June 8, 2015: </b>Harlan (<a href="https://twitter.com/keydet89">@keydet89</a>), of RegRipper fame, has updated RegRipper to identify this persistence mechanism. Details can be found <a href="http://windowsir.blogspot.ca/2015/06/links.html">on his blog</a>. On a related note, Harlan takes requests for RegRipper features! He was pretty awesome about turning this one around quickly, so if you need a new feature just e-mail him.</span></blockquote>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">I was recently exposed to a new (to me anyway) method of persistence that the <a href="http://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/">Bedep malware</a> is using. The novel aspect of this persistence method is that it doesn’t require administrator rights and it evades my two favourite persistence detection tools, <a href="https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx">Autoruns</a> and <a href="https://github.com/keydet89/RegRipper2.8">RegRipper</a>. The persistence method requires the creation of a per-user shell extension handler where the shell handler DLL is the malware that requires persistence.</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Known Methods of Persistence Through Shell Extension Handlers</span></h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Using a shell extension handler is actually a fairly well known, and <a href="https://books.google.ca/books?id=x4hIH4JEBlsC&lpg=PA135&ots=Yg-e27s8h8&dq=%22shell%20extension%22%20forensics%20persistence&pg=PA135#v=onepage&q=%22shell%20extension%22%20forensics%20persistence&f=false">well documented</a>, trick that malware uses for persistence. However, there seems to be a gap in the tooling provided to detect this persistence (Autoruns, RegRipper): these tools focus on detecting Shell Extensions that have been registered for all users on the host. If a Shell Extension is only registered for a single user (Current User) it can evade detection.</span><br />
<br />
<h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">What Is a Shell Extension Handler?</span></h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Explorer.exe is what is referred to as the default “shell” for Windows; it is the GUI that is used to interact with the OS. Explorer provides the ability to extend its functionality using COM objects called Shell Extensions. To quote this <a href="http://yanaware.com/com4me/ShellExtGuide1.php-author=Michael%20DUNN&mail=mdunn@inreach.com&url=http---home.inreach.com-mdunn&idTute=2.htm">excellent article</a> on building shell extensions: “a shell extension is a COM object that adds features to Explorer”.</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">A common example of a Shell Extension would be the “WinZip” options that appear when you right-click on a file after installing the WinZip program.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitjrWq2gzfZBO1_NWZUjBvVJRjCgcSqzw8K9m3AEJqtznB3gUAEY84hPeExJpgaugyow8jOqM8RVey42edJzydyEyx5_E4v4tnqgi_XhuMK9fus-SHfLLFRJAJwMgyM6T9x_IQVe7FAzc/s1600/winzip.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitjrWq2gzfZBO1_NWZUjBvVJRjCgcSqzw8K9m3AEJqtznB3gUAEY84hPeExJpgaugyow8jOqM8RVey42edJzydyEyx5_E4v4tnqgi_XhuMK9fus-SHfLLFRJAJwMgyM6T9x_IQVe7FAzc/s1600/winzip.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">WinZip Shell Extensions in action</td></tr>
</tbody></table>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">While we won’t get too deep into how a Shell Extension is developed, it is important to note that it is essentially a COM object that implements custom functionality based on a defined Interface. The COM object is then loaded into Explorer.exe as an <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms693345%28v=vs.85%29.aspx">in-process server</a>. This is basically just a DLL that is running inside the process space of Explorer.exe.</span><br />
<br />
<h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Registering a Shell Extension Handler</span></h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Shell Extensions need to be registered with the Shell before they can be used. How they are registered is the key to this stealthy persistence mechanism. There is a good overview of how to register a Shell Extension <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/cc144110%28v=vs.85%29.aspx">on MSDN</a>. Some excerpts from that article have been copied below to quickly illustrate how a Shell Extension might be registered.</span><br />
<br />
<h3>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Step 1 - CLSID and Path To DLL</span></h3>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">First the Shell Extension handler has to be assigned a unique GUID called a <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms691424%28v=vs.85%29.aspx">CLSID</a>. Then the CLSID is added to the registry under <b>HKEY_CLASSES_ROOT\CLSID</b> and the <b>InprocServer32</b> key is added, signifying that this is an in-process server. The default value of the InprocServer32 key is set to the path of the Shell Handler DLL.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN7doSnk5P2fhgqEyBxMsD92ZClaKKeGVqrbNeYs1WpG46scoxKVaOIiMTNwQTC88ZJthXNR-DF2XVBCSvjGORXjEqf0t6crU1WW7BVFcU63G-slu7_3_8oJDxL_pCQkwM0H-iSPl350E/s1600/step1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN7doSnk5P2fhgqEyBxMsD92ZClaKKeGVqrbNeYs1WpG46scoxKVaOIiMTNwQTC88ZJthXNR-DF2XVBCSvjGORXjEqf0t6crU1WW7BVFcU63G-slu7_3_8oJDxL_pCQkwM0H-iSPl350E/s1600/step1.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Add Shell Extension CLSID to registry with DLL location.</td></tr>
</tbody></table>
<h3>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Step 2 - Assigning the CLSID to a File Type or Shell Object</span></h3>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Once the Shell Extension has been associated with its CLSID, the CLSID needs to be associated with the File Type or Shell Object that it is going to provide extra functionality for. This is done by adding the CLSID as a key under the registry path <b>HKEY_CLASSES_ROOT\&lt;ProgID&gt;</b>. In this example the CLSID will be added as a ContextMenuHandler to all File Types associated with MyProgram.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4ehYVAWmdmA63A1M6Z5YUyIN79xelb-A3R78UZziWpJFAhA2nwUJkq-XBYk39Rn4rQ0vxLYuzkxP79IOOTuoaKKIOYJdDvol9LvAPl_RizPDW6IqXGMrSX4k1vxW4C4YZGzKKRZQbIIw/s1600/step2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4ehYVAWmdmA63A1M6Z5YUyIN79xelb-A3R78UZziWpJFAhA2nwUJkq-XBYk39Rn4rQ0vxLYuzkxP79IOOTuoaKKIOYJdDvol9LvAPl_RizPDW6IqXGMrSX4k1vxW4C4YZGzKKRZQbIIw/s1600/step2.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Associate CLSID with MyProgram.</td></tr>
</tbody></table>
<br />
<h3>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Step 3 - Approving the CLSID for Use</span></h3>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">If the <b>EnforceShellExtensionSecurity</b> value has been set then the CLSID will need to be registered as Approved before it can be used. Since the EnforceShellExtensionSecurity value may be set per-user instead of globally, it is best practice to add the CLSID to the <b>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved</b> key by default.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioL-hW5qM6bu_NJTQkkgo9gzXweMYlaA0KLa2zHbPgzJcEHVD_fNO_10-74cxnkghVN3WuELMOnXE2Xi5V8WCEGvNOJKkqhtMAE2TzpvjxUyaievSIFTWgl28vXqUEKjhcg1-N8D03kYQ/s1600/step3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioL-hW5qM6bu_NJTQkkgo9gzXweMYlaA0KLa2zHbPgzJcEHVD_fNO_10-74cxnkghVN3WuELMOnXE2Xi5V8WCEGvNOJKkqhtMAE2TzpvjxUyaievSIFTWgl28vXqUEKjhcg1-N8D03kYQ/s1600/step3.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Add CLSID to approved Shell Extensions.</td></tr>
</tbody></table>
<br />
<h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">The Trick is HKEY_CLASSES_ROOT</span></h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">The <b>HKEY_CLASSES_ROOT</b> key is a virtual representation of both <b>HKEY_CURRENT_USER</b> and <b>HKEY_LOCAL_MACHINE</b>: settings that are global to the host (apply to all users) are stored in <b>HKEY_LOCAL_MACHINE</b>, and settings that are specific to a single user are stored in <b>HKEY_CURRENT_USER</b>. More information can be found <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms724475%28v=vs.85%29.aspx">here</a>.</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">The trick is that when a key is written to <b>HKEY_CLASSES_ROOT</b> it is stored in <b>HKEY_LOCAL_MACHINE</b> by default. However, when a key is read from <b>HKEY_CLASSES_ROOT</b> it is read from <b>HKEY_CURRENT_USER</b> first, and only if no such key exists there is it read from <b>HKEY_LOCAL_MACHINE</b>. This means that when a Shell Extension is registered through <b>HKEY_CLASSES_ROOT</b> it is stored in <b>HKEY_LOCAL_MACHINE</b>, which requires administrative privileges, and if the <b>EnforceShellExtensionSecurity</b> value is set then the Shell Extension must also be registered in the <b>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved</b> key. However, when Explorer.exe loads the Shell Extensions for a user it checks the Shell Extensions in <b>HKEY_CURRENT_USER</b> first, before checking in <b>HKEY_LOCAL_MACHINE</b>.</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">If malware wants to install a Shell Extension that will run for the current user without administrator privileges, it can add the entries for the Shell Extension individually under <b>HKEY_CURRENT_USER</b> instead of <b>HKEY_CLASSES_ROOT</b>. An added advantage of this is that, since the Shell Extension is only registered for the current user, it doesn’t need to be registered in <b>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved</b> regardless of the setting in <b>EnforceShellExtensionSecurity</b>.</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Here we see Bedep has taken advantage of this trick to install a Folder Extension Shell Extension handler in <b>HKEY_CURRENT_USER</b>. <b>FntCache.dll</b> is the persistence DLL used to initialize Bedep.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPN2yTxufW1C8gelb4uLSQdPkyiD4_eHpbBJPlfzM-CoXvFV_B9JyfuMV5NT9Nb_Tn_NYSwPJQz1s14OFWowMyqtMjm_GX5VduVsMQEKUH3DwNr9-7Df8DdAZ7w5gvBSN-Fsq7gguZvy8/s1600/bedep_CLSID.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPN2yTxufW1C8gelb4uLSQdPkyiD4_eHpbBJPlfzM-CoXvFV_B9JyfuMV5NT9Nb_Tn_NYSwPJQz1s14OFWowMyqtMjm_GX5VduVsMQEKUH3DwNr9-7Df8DdAZ7w5gvBSN-Fsq7gguZvy8/s640/bedep_CLSID.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Bedep Shell Extension CLSID installed in Current User.</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP8N8oqdFwzihLN-6bHgrYFhL9fpdxMgBerkM28tp7u5aV3vQSeC2jl4-_lZOsaPTl9hsMlJ7FY14a9Gz-H2WAYsAO16IMEPg6TGWMVPvHgY0KKWA6oJa60CFTb4trqHYbKOYLOlyfRBQ/s1600/bedep_clsid_assoc.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP8N8oqdFwzihLN-6bHgrYFhL9fpdxMgBerkM28tp7u5aV3vQSeC2jl4-_lZOsaPTl9hsMlJ7FY14a9Gz-H2WAYsAO16IMEPg6TGWMVPvHgY0KKWA6oJa60CFTb4trqHYbKOYLOlyfRBQ/s640/bedep_clsid_assoc.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Bedep CLSID associated as Folder Extension.</td></tr>
</tbody></table>
<br />
<h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">A Blind Spot in Our Incident Response Tools</span></h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">The problem with the two tools I mentioned, RegRipper (shellext.pl plugin) and Autoruns, is that they rely on the Shell Extension being registered using the standard method through <b>HKEY_CLASSES_ROOT</b>. Because of this they don’t individually enumerate the Shell Extensions in <b>HKEY_CURRENT_USER</b>. Here we see there is no trace of the Bedep persistence Shell Extension handler in the results of Autoruns on the host infected with Bedep.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO0HbjzoNxXhtYsRiCoTEh5x9UXaYDMg-d0FkqppsgLJHS_Pm13USTxpY7NRhvogVgEITqz6r9Ju5IqmDRxtZHV5i9z6pbYXFC00mF_3DDWa1_965WiZ7pN3jQkuNKLeWxjj8JZImXGYU/s1600/autoruns.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO0HbjzoNxXhtYsRiCoTEh5x9UXaYDMg-d0FkqppsgLJHS_Pm13USTxpY7NRhvogVgEITqz6r9Ju5IqmDRxtZHV5i9z6pbYXFC00mF_3DDWa1_965WiZ7pN3jQkuNKLeWxjj8JZImXGYU/s1600/autoruns.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Autoruns is unable to find Bedep Shell Extension.</td></tr>
</tbody></table>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">It is interesting to note that a user on the Sysinternals forum actually <a href="http://forum.sysinternals.com/shell-extensions-approved_topic11891.html">complained about this issue</a> in Autoruns back in 2007. It was based on this comment that I decided to dig into the Shell Extensions “Cached” registry key.</span><br />
<br />
<h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Building a Timeline Using Cached Shell Extensions</span></h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">When a Shell Extension is loaded for the first time (per user) a key is stored in <b>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached</b>. More information on this registry key can be found <a href="http://www.nobunkum.ru/analytics/en-com-hijacking">here</a>. We can see below that the Bedep Shell Extension CLSID has an entry in the <b>Cached</b> key.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUk0uCxl8rvovP7LOEbLmawb5IiMU7v4-fAGARYvoWAOxcvuDpK8FGPqamuHCq4y4TWtzhPodCBQ9rsHPEceg7TQwzS_dBjo8SEK4Dzi5h1GlZrVUkk4AGLgD3sFlkc0ukOujkorA7WaA/s1600/cached.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUk0uCxl8rvovP7LOEbLmawb5IiMU7v4-fAGARYvoWAOxcvuDpK8FGPqamuHCq4y4TWtzhPodCBQ9rsHPEceg7TQwzS_dBjo8SEK4Dzi5h1GlZrVUkk4AGLgD3sFlkc0ukOujkorA7WaA/s640/cached.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Bedep Shell Extension CLSID has an entry in the Cached key.</td></tr>
</tbody></table>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">The name of the Cached key is a combination of the CLSID of the Shell Extension, the CLSID of the Shell Object associated with the Shell Extension, and a DWORD (an unknown mask value), each separated by a single space. The Bedep Cached key shown above has the following parts:</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Bedep Shell Extension CLSID = {F6BF8414-962C-40FE-90F1-B80A7E72DB9A}</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">IDriveFolderExt CLSID = {3EC36F3E-5BA3-4C3D-BF39-10F76C3F7CC6}</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Unknown Mask = 0xFFFF</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">The binary value assigned to the Cached key contains a cache control flag, some unknown data, and the time the Shell Extension was first loaded, stored as a 64-bit little-endian FILETIME.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPGkVS_FIoJDiU7pa4ru8Uj7p7nfBm0POkXSNKaO0ZCNcCkXFwxnhKCmnJFh5iCtD_7cXwHCfVHTGQ0lYbjuNriEXxnwnLUEwXbeeZ5FruSvy5V62zrdArRgPN_8AeZjdL9F4v7ZO79ZE/s1600/filetime.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPGkVS_FIoJDiU7pa4ru8Uj7p7nfBm0POkXSNKaO0ZCNcCkXFwxnhKCmnJFh5iCtD_7cXwHCfVHTGQ0lYbjuNriEXxnwnLUEwXbeeZ5FruSvy5V62zrdArRgPN_8AeZjdL9F4v7ZO79ZE/s1600/filetime.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Shell Extension Cached entry showing first loaded time.</td></tr>
</tbody></table>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">This information can be used to build a timeline of all the Shell Extensions that have been loaded by the user, along with when each was first loaded.</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Automated Shell Extension Timeline Generation and Shell Extension Detection</span></h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">I have built a tool (<b><a href="https://github.com/herrcore/LocalShellExtParse">LocalShellExtParse.py</a></b>) to help automate the task of generating a “first loaded” timeline for Shell Extensions and identifying Shell Extensions that are only installed for the current user. I know this probably would have been better as a RegRipper plugin but Python is the future, and we need to collect some extra information that RegRipper doesn’t currently parse.</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Data Collection</span></h3>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">This is an “offline” tool that parses entries in the <b>NTUSER.DAT</b> and <b>UsrClass.dat</b> files. To use the tool you will first need to collect the files from the host that you want to analyze. I prefer <a href="http://accessdata.com/product-download">FTK Imager</a> but any tool that allows you to carve system files will work.</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Everyone knows that NTUSER.DAT is located in <b>%userprofile%</b>, but <b>UsrClass.dat</b> may be less well understood. When viewing a live registry under <b>HKEY_CURRENT_USER\Software\</b> there is a key called “CLSID” that shows all the CLSIDs for the current user. The data for this key is not stored in <b>NTUSER.DAT</b>; it’s actually stored in the <b>UsrClass.dat</b> file, located at <b>%userprofile%\AppData\Local\Microsoft\Windows\UsrClass.dat</b>.</span><br />
<br />
<h3>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Data Parsing</span></h3>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Once the files have been collected they can be parsed by LocalShellExtParse.py to produce:</span><br />
<ol>
<li><span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">a timeline of the first time each Shell Extension was loaded by the user;</span></li>
<li><span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">a list of all Shell Extensions that have been loaded by the user and are only installed for that user.</span></li>
</ol>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Here you can see that it easily identified the Bedep Shell Extension.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFJnUcZJMXb3QWqdDBUxKN3MC8kuiyB10sUPh-9rzMqFGCokj3tSstZCkYrKrSNWwZ1jYXrFbcF_R0jKUgcPmHytj-LRf68D5f0uoTY67eoA3zI2ynZrxetKw2nvNbxUzuNsIaI0lz4D4/s1600/results.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFJnUcZJMXb3QWqdDBUxKN3MC8kuiyB10sUPh-9rzMqFGCokj3tSstZCkYrKrSNWwZ1jYXrFbcF_R0jKUgcPmHytj-LRf68D5f0uoTY67eoA3zI2ynZrxetKw2nvNbxUzuNsIaI0lz4D4/s640/results.png" width="600" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">LocalShellExtParse.py shows Bedep Shell Extension and Bedep DLL "ieapfltr.dll".</td></tr>
</tbody></table>
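<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">As an added example (not LocalShellExtParse.py or any other code from this post), the following Python covers both the Cached key format described above and the two outputs listed under Data Parsing: it splits the key name into its three parts, pulls the first-loaded FILETIME out of the binary value, sorts the entries into a timeline, and flags CLSIDs that exist only in the user's CLSID registrations. It assumes the FILETIME occupies the last 8 bytes of the value and the flag the first DWORD (the post does not give offsets); the non-Bedep CLSID, timestamps and DLL paths are constructed.</span><br />

```python
"""Parse 'Shell Extensions\\Cached' entries from a user hive: build the
first-loaded timeline and flag extensions registered only for that user.
Added example for this post, not LocalShellExtParse.py; it works on key names
and values already extracted from NTUSER.DAT / UsrClass.dat (sample data)."""
import re
from datetime import datetime, timedelta, timezone

# Key name: "<extension CLSID> <shell object CLSID> 0x<mask>", single spaces,
# e.g. "{F6BF8414-...} {3EC36F3E-...} 0xFFFF" for the Bedep entry.
CACHED_KEY_RE = re.compile(
    r"^(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})\s"
    r"(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})\s0x([0-9A-F]{1,8})$",
    re.IGNORECASE)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """A FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_cached_key_name(name):
    """Split a Cached key name into its three parts; None if it does not fit."""
    match = CACHED_KEY_RE.match(name.strip())
    if not match:
        return None
    ext_clsid, object_clsid, mask = match.groups()
    return {"clsid": ext_clsid.upper(), "shell_object": object_clsid.upper(),
            "mask": int(mask, 16)}

def parse_cached_value(blob):
    """Decode a Cached value: the post describes a cache control flag, unknown
    data, then the first-loaded FILETIME.  Assumption (not in the post): the
    flag is the first DWORD and the FILETIME the last 8 bytes, little endian."""
    if len(blob) < 12:
        raise ValueError("Cached value too short: %d bytes" % len(blob))
    flag = int.from_bytes(blob[:4], "little")
    filetime = int.from_bytes(blob[-8:], "little")
    return {"flag": flag, "first_loaded": filetime_to_datetime(filetime)}

def build_timeline(cached):
    """cached: {key name: value bytes}.  One dict per entry, oldest first;
    names that do not parse are skipped rather than aborting the run."""
    rows = []
    for name, blob in cached.items():
        parts = parse_cached_key_name(name)
        if parts is None:
            continue
        parts.update(parse_cached_value(blob))
        rows.append(parts)
    rows.sort(key=lambda row: row["first_loaded"])
    return rows

def find_user_only_extensions(cached, user_clsids, machine_clsids):
    """Loaded extensions whose CLSID exists in the user's Classes\\CLSID
    (UsrClass.dat) but not the machine's.  Hives: {CLSID: InprocServer32}."""
    user = {k.upper(): v for k, v in user_clsids.items()}
    machine = {k.upper() for k in machine_clsids}
    return [dict(row, dll=user[row["clsid"]]) for row in build_timeline(cached)
            if row["clsid"] in user and row["clsid"] not in machine]

# Constructed sample data: the Bedep and IDriveFolderExt CLSIDs and the mask
# are from the post; the benign CLSID, timestamps and DLL paths are made up.
BEDEP_CLSID = "{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}"
IDRIVEFOLDEREXT_CLSID = "{3EC36F3E-5BA3-4C3D-BF39-10F76C3F7CC6}"
BENIGN_CLSID = "{11111111-2222-3333-4444-555555555555}"

def _cached_value(flag, first_loaded):
    """16-byte Cached value in the layout assumed by parse_cached_value."""
    return (flag.to_bytes(4, "little") + b"\x00" * 4
            + datetime_to_filetime(first_loaded).to_bytes(8, "little"))

SAMPLE_CACHED = {
    "%s %s 0xFFFF" % (BENIGN_CLSID, IDRIVEFOLDEREXT_CLSID):
        _cached_value(1, datetime(2014, 1, 15, 9, 30, tzinfo=timezone.utc)),
    "%s %s 0xFFFF" % (BEDEP_CLSID, IDRIVEFOLDEREXT_CLSID):
        _cached_value(1, datetime(2015, 5, 21, 17, 45, tzinfo=timezone.utc)),
    "not a cached entry": b"\x00" * 16,  # skipped by build_timeline
}
SAMPLE_USER_CLSIDS = {  # HKCU\Software\Classes\CLSID\{clsid}\InprocServer32
    BEDEP_CLSID: r"C:\Users\victim\AppData\Local\FntCache.dll",  # made up
    BENIGN_CLSID: r"C:\Program Files\Benign\shellext.dll",
}
SAMPLE_MACHINE_CLSIDS = {  # HKLM\Software\Classes\CLSID\{clsid}\InprocServer32
    BENIGN_CLSID: r"C:\Program Files\Benign\shellext.dll",
}

if __name__ == "__main__":
    for row in build_timeline(SAMPLE_CACHED):
        print(row["first_loaded"].isoformat(), row["clsid"], row["shell_object"])
    for row in find_user_only_extensions(SAMPLE_CACHED, SAMPLE_USER_CLSIDS,
                                         SAMPLE_MACHINE_CLSIDS):
        print("per-user only:", row["clsid"], "->", row["dll"])
```

To run it against a real case, replace the three SAMPLE_* dicts with the Cached subkeys and the CLSID registrations read out of the collected UsrClass.dat and the machine's SOFTWARE hive.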
<br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">The tool can be found on <a href="https://github.com/herrcore/LocalShellExtParse">GitHub here</a>. <b>Note:</b> this tool has only been put through a small amount of testing; use at your own risk. This tool should only be used to prove the existence of a persistence mechanism via a per-user Shell Extension. Do not rely on this tool as proof that no persistence mechanism exists.</span><br />
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;"><br /></span>
<br />
<h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Conclusion</span></h2>
<span style="font-family: 'helvetica neue', arial, helvetica, sans-serif;">Though this persistence mechanism isn't really stealthy, it still managed to elude my favourite persistence detection tools and it's something I hadn't seen before. My hope is that a check for HKEY_CURRENT_USER Shell Extensions is added to Autoruns. Until then you can use the <b><a href="https://github.com/herrcore/LocalShellExtParse">LocalShellExtParse.py</a></b> tool; pull requests welcome.</span><br />
<br />
<br />
<h1>Exposing Malware In Hidden Desktops Using CmdDesktopSwitcher</h1>
Posted by herrcore, 2014-11-07, updated 2016-09-11.<br />
<div class="p1">
This content has moved to <a href="http://oalabs.openanalysis.net/2014/11/07/exposing-malware-in-hidden-desktops-using-cmddesktopswitcher/">http://oalabs.openanalysis.net/2014/11/07/exposing-malware-in-hidden-desktops-using-cmddesktopswitcher/</a><br />
<br />
Have you ever come across malware that has opened a window that you just can’t see? You suspect it is a case of the malware setting the window as hidden. You fire up <a href="http://www.nirsoft.net/utils/winlister.html">WinLister</a> to enumerate the windows in the hopes of finding the hidden window but nothing shows up. If you have ever found yourself in this situation you may be dealing with malware that is hiding in a second desktop. In this article we will walk through the process of identifying extra desktops and switching between them with a new tool called CmdDesktopSwitch.exe. </div>
<div class="p2">
<br /></div>
<div class="p1">
Forget this article just let me <b><a href="https://github.com/herrcore/CmdDesktopSwitch/archive/master.zip">download</a></b> the tool!</div>
<div class="p1">
<br /></div>
<span style="font-size: large; font-weight: normal;"><br /></span>
<span style="font-size: large;"><b>
What is a Desktop</b></span><br />
<div class="p1">
We are all familiar with the term “desktop” as the main graphical window in Windows; however, the term isn’t just a concept, it is actually an object that can be programmatically manipulated. Basically a desktop is an object used to create and manage windows. Microsoft actually does a much better job of describing it than me, which you can read <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682573(v=vs.85).aspx">here</a>. The name of the default desktop that everyone is familiar with is <i>Default</i>. Windows also creates a desktop called <i>Winlogon</i> that is used for the logon screen.</div>
<div class="p2">
<br /></div>
<div class="p1">
The important thing to remember is that you can programmatically create more than one desktop. This is a bit strange, since Windows does not provide any native tools for desktop manipulation; all desktop creation and management must be implemented in third-party code. As a result not many people are aware that more than one desktop can exist per user. This makes desktops a perfect hiding place for malware. The Volatility folks have a nice post explaining the malicious uses of desktops: <a href="http://volatility-labs.blogspot.ca/2012/09/movp-13-desktops-heaps-and-ransomware.html">http://volatility-labs.blogspot.ca/2012/09/movp-13-desktops-heaps-and-ransomware.html</a>.</div>
<div class="p1">
<br /></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>
Malware Hiding in a Desktop</b></span><br />
<div class="p1">
Before we get into hidden desktops let's illustrate the difference between a hidden window and a window opened in another desktop. A hidden window is simply a window that has been initialized as hidden using the SW_HIDE flag (note there are other ways to hide a window after initialization, but this is the method I have seen most commonly used by malware). </div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8YFLKGNbsv7O1WTnpspspxMSprw-JxBvI6Gewwe6m7l84RPXLY-S5TRG_6oWCAs9NYCXe6GiGS6-cC8RU_Ob9WIri10ev4y4AvW5jfAWdwEJxsNLCZYlurPllPvUN__mnm9gX10BdHfk/s1600/Screen+Shot+2014-11-07+at+1.01.32+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="355" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8YFLKGNbsv7O1WTnpspspxMSprw-JxBvI6Gewwe6m7l84RPXLY-S5TRG_6oWCAs9NYCXe6GiGS6-cC8RU_Ob9WIri10ev4y4AvW5jfAWdwEJxsNLCZYlurPllPvUN__mnm9gX10BdHfk/s1600/Screen+Shot+2014-11-07+at+1.01.32+AM.png" width="640" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
As shown in the example above, the hidden window belonging to process <i>HiddenWindow.exe</i> is correctly enumerated by WinLister. WinLister can then be used to change the visibility of the window and make it visible. This is a useful tool that can be used to show you visually what the malware is doing. </div>
<div class="p2">
<br /></div>
<div class="p1">
However, if the malware creates a new desktop and opens a window in the new desktop the window will not be enumerated by WinLister and will remain invisible. </div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1lmtlMRiEvVdIu3fWxP8O1zOXleboLeNF2AVeCu2DQmbrFe5ZN-1XYQty99uFsY9sW3PZL9ECK07GyWSCFJmI4PtRslEYIIb6YbFkFkt4-CnGjTe-aWZ4NdipY4NsjFuk-7aiqEv_uB0/s1600/Screen+Shot+2014-11-07+at+1.06.13+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1lmtlMRiEvVdIu3fWxP8O1zOXleboLeNF2AVeCu2DQmbrFe5ZN-1XYQty99uFsY9sW3PZL9ECK07GyWSCFJmI4PtRslEYIIb6YbFkFkt4-CnGjTe-aWZ4NdipY4NsjFuk-7aiqEv_uB0/s1600/Screen+Shot+2014-11-07+at+1.06.13+AM.png" width="640" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
In the above example, the process <i>DesktopWindow.exe</i> has created a new desktop and opened a window in it. As we can see, this window is not enumerated by WinLister and remains hidden. </div>
<div class="p2">
<br />
<br /></div>
<div class="p1">
<span style="font-size: large;"><b>Using CmdDesktopSwitch to Display Hidden Desktops</b></span></div>
<div class="p1">
</div>
<div class="p1">
I have developed a small tool, CmdDesktopSwitch, that enumerates all desktops and lets you switch between them. It first prints the list of desktops it has enumerated.</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8_0R-jEATRQkPnuFblY98GfI_ZsuB8W5Mua5z4GsLlbc2rr7SWD3Dy2EdScoz_cvTWikxG_zL_SW26_aq0DpqaAy7xqbwzxglTahVN7d1sjP5ajlxAeBaXuSEKDDpkVrkLt3dgCGfRko/s1600/Screen+Shot+2014-11-07+at+1.07.01+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="354" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8_0R-jEATRQkPnuFblY98GfI_ZsuB8W5Mua5z4GsLlbc2rr7SWD3Dy2EdScoz_cvTWikxG_zL_SW26_aq0DpqaAy7xqbwzxglTahVN7d1sjP5ajlxAeBaXuSEKDDpkVrkLt3dgCGfRko/s1600/Screen+Shot+2014-11-07+at+1.07.01+AM.png" width="640" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
</div>
<div class="p1">
As seen in the example above, the process <i>VirutalDesktopWindow.exe</i> has created another desktop called <i>hidden_desktop</i>. CmdDesktopSwitch has listed this desktop along with the default desktops. Entering the selection number for <i>hidden_desktop</i> makes the tool switch to that desktop.</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLkf0SY2-gjJ431DSvf4aGZgqA_6Jey-dVp7gTBox_sdGIQs5WEJO86UdQjf72H55jRWcpVSdCgAOMBheiaC7KVaISZ80Ior9CKWKFMdXqvqW1_Wvaa5o2zIG1her55YoaJHlCgFGa3Lo/s1600/Screen+Shot+2014-11-07+at+1.07.47+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="354" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLkf0SY2-gjJ431DSvf4aGZgqA_6Jey-dVp7gTBox_sdGIQs5WEJO86UdQjf72H55jRWcpVSdCgAOMBheiaC7KVaISZ80Ior9CKWKFMdXqvqW1_Wvaa5o2zIG1her55YoaJHlCgFGa3Lo/s1600/Screen+Shot+2014-11-07+at+1.07.47+AM.png" width="640" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
As shown above, the tool has switched the view to the <i>hidden_desktop</i> desktop and we can see the previously hidden window belonging to the <i>VirutalDesktopWindow.exe</i> process. We also see a popup box that CmdDesktopSwitch places on the desktop, allowing us to switch back to our default desktop (and exit the tool).</div>
<div class="p2">
<br />
<br /></div>
<span style="font-size: large;"><b>
How Robust Is This Tool?</b></span><br />
<div class="p1">
This tool was mainly developed for use in the lab, not during live response. It operates in user mode and calls the Windows API, so it is vulnerable to all the usual hooking techniques used to hide malware. It also only enumerates desktops on the window station that the default desktop belongs to (WinSta0), so desktops on other window stations are not shown. The tool can certainly be used during live response, but because of these limitations it should only be used to prove a positive (i.e. there is malware) and never relied on to prove a negative (i.e. there is no malware). </div>
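<div class="p1">
The same enumeration can be done from PowerShell without a compiled tool. The script below is an added example and is not part of the original post or of CmdDesktopSwitch: it lists every window station the process can see (which CmdDesktopSwitch does not), then every desktop on the process's own window station, and for each desktop the processes that own a visible top-level window on it, all without switching desktops. The set of "standard" desktop names used to flag anything unusual (Default, Winlogon, Disconnect) is an assumption made for this example; the Win32 signatures are the documented ones.</div>

```powershell
# Added example (not the post's code and not CmdDesktopSwitch): enumerate window stations,
# desktops, and the owners of visible windows on each desktop via P/Invoke, without switching.
$code = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class DesktopEnum
{
    public const uint DESKTOP_READOBJECTS = 0x0001;   // required by EnumDesktopWindows
    public const uint DESKTOP_ENUMERATE   = 0x0040;

    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode)]
    public delegate bool NameProc(string name, IntPtr lParam);   // EnumWindowStations / EnumDesktops
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate bool WndProc(IntPtr hWnd, IntPtr lParam);    // EnumDesktopWindows

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool EnumWindowStations(NameProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll", SetLastError = true)]
    static extern IntPtr GetProcessWindowStation();
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool EnumDesktops(IntPtr hwinsta, NameProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenDesktop(string lpszDesktop, uint dwFlags, bool fInherit, uint dwDesiredAccess);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool CloseDesktop(IntPtr hDesktop);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool EnumDesktopWindows(IntPtr hDesktop, WndProc lpfn, IntPtr lParam);
    [DllImport("user32.dll")]
    static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", SetLastError = true)]
    static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);

    // Names of all window stations in the current session.
    public static List<string> WindowStations()
    {
        var names = new List<string>();
        EnumWindowStations((n, l) => { names.Add(n); return true; }, IntPtr.Zero);
        return names;
    }

    // Names of the desktops on this process's window station (WinSta0 when interactive).
    public static List<string> Desktops()
    {
        var names = new List<string>();
        EnumDesktops(GetProcessWindowStation(), (n, l) => { names.Add(n); return true; }, IntPtr.Zero);
        return names;
    }

    // PIDs owning a visible top-level window on the named desktop, or null if it cannot be opened.
    public static List<uint> VisibleWindowOwners(string desktop)
    {
        IntPtr h = OpenDesktop(desktop, 0, false, DESKTOP_READOBJECTS | DESKTOP_ENUMERATE);
        if (h == IntPtr.Zero) return null;
        var pids = new List<uint>();
        try
        {
            EnumDesktopWindows(h, (w, l) =>
            {
                uint pid;
                if (IsWindowVisible(w)) { GetWindowThreadProcessId(w, out pid); pids.Add(pid); }
                return true;
            }, IntPtr.Zero);
        }
        finally { CloseDesktop(h); }
        return pids;
    }
}
'@
Add-Type -TypeDefinition $code

# Assumption for this example: the desktops Windows itself creates on WinSta0.
$standard = 'Default', 'Winlogon', 'Disconnect'

'Window stations visible to this process:'
[DesktopEnum]::WindowStations() | ForEach-Object { "  $_" }

'Desktops on the process window station:'
foreach ($d in [DesktopEnum]::Desktops()) {
    $note = if ($standard -notcontains $d) { '   <-- non-standard desktop, inspect it' } else { '' }
    $owners = [DesktopEnum]::VisibleWindowOwners($d)
    if ($null -eq $owners) { "  {0,-16} could not be opened{1}" -f $d, $note; continue }
    $procs = @($owners | Sort-Object -Unique | ForEach-Object {
        $p = Get-Process -Id $_ -ErrorAction SilentlyContinue
        if ($p) { '{0}({1})' -f $p.ProcessName, $_ } else { "pid $_" }
    })
    "  {0,-16} {1} visible top-level window(s) {2}{3}" -f $d, $owners.Count, ($procs -join ', '), $note
}
```

<div class="p1">
This has the same blind spots as CmdDesktopSwitch: it runs in user mode through the same Win32 calls, so a hooking rootkit can lie to it, and OpenDesktop only works against the process's current window station, so other stations are listed by name only. A desktop that cannot be opened is typically Winlogon, which needs SYSTEM; a failure on any other name is itself worth a closer look.</div>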
<div class="p2">
<br /></div>
<div class="p1">
</div>
<div class="p1">
During live response I highly recommend using the <a href="https://code.google.com/p/volatility/wiki/CommandReferenceGui22#deskscan">Volatility deskscan plugin</a> on a memory dump to enumerate all desktops, since it finds the desktop objects in the memory image rather than asking the running system's API. Below is the output from the Volatility deskscan plugin run on a memory dump from our example above with the <i>VirutalDesktopWindow.exe</i> process.</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGze0whyMgdtfW_E5FJafe0_r9mAKLAPPGiAJS-WXBvr-M2J6_397NxMhLaznJNsDDKLFjwHIy4pwAwmzAxqjoDjKQUvwPSUivD5us3g9N32oDmo2_QB3WHtBbjuGE4XgwBpsy6OnkJ14/s1600/Screen+Shot+2014-11-07+at+1.11.59+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGze0whyMgdtfW_E5FJafe0_r9mAKLAPPGiAJS-WXBvr-M2J6_397NxMhLaznJNsDDKLFjwHIy4pwAwmzAxqjoDjKQUvwPSUivD5us3g9N32oDmo2_QB3WHtBbjuGE4XgwBpsy6OnkJ14/s1600/Screen+Shot+2014-11-07+at+1.11.59+AM.png" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
As you can see, Volatility has identified the <i>hidden_desktop</i> and listed the <i>VirutalDesktopWindow.exe</i> window that is a descendant of that desktop.</div>
<div class="p2">
<br />
<br /></div>
<span style="font-size: large;"><b>
Why Use This Tool?</b></span><br />
<div class="p1">
</div>
<div class="p1">
As mentioned above, Volatility does a much more thorough job of enumerating desktops; however, if a memory dump is not available and live response is required, the tool can be used. Where it really excels is during malware analysis: you can use it to visually watch the malware operate. This is especially useful for ad-fraud malware that opens a browser on a hidden desktop and uses it to defraud advertisers. With this tool you can actually see what the malware is doing, what ads it is loading, and so on.</div>
<div class="p1">
<br />
<br /></div>
<span style="font-size: large;"><b>
What To Look For In Your Sandbox - IOCs</b></span><br />
<div class="p1">
If you are analyzing a malware sample and you see the following Windows API calls in your sandbox, it might be time to give this tool a try. Note that CreateDesktop is the macro name; the actual exports are CreateDesktopA/CreateDesktopW (and the CreateDesktopEx variants), so look for whichever form your sandbox reports.</div>
<ul class="ul1">
<li class="li1">GetProcessWindowStation</li>
<li class="li1">CreateDesktop</li>
<li class="li1">CreateDesktopW</li>
<li class="li1">GetThreadDesktop</li>
<li class="li1">SetThreadDesktop</li>
<li class="li1">CloseDesktop</li>
<li class="li1">CloseWindowStation</li>
</ul>
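As an added example (not from the original post), here is a PowerShell filter that applies the list above to a sandbox API trace: it reports only processes that created a desktop, and records whether they then moved a thread onto it (SetThreadDesktop with the returned handle) or started a child process on it (CreateProcess with lpDesktop set). The trace format and the trace lines themselves are constructed for this example; adjust the regular expression to your sandbox's export format.<br />

```powershell
# Added example, not from the original post: flag processes in a sandbox API trace that create
# a desktop and then move a thread or a child process onto it. The trace format (one call per
# line: pid, image, api(args) -> return) and the lines themselves are constructed for this example.
$trace = @'
1234 sample.exe   GetProcessWindowStation() -> 0x58
1234 sample.exe   CreateDesktopW(lpszDesktop="hidden_desktop", dwDesiredAccess=0x10000000) -> 0x1a4
1234 sample.exe   SetThreadDesktop(hDesktop=0x1a4) -> 1
1234 sample.exe   CreateProcessW(lpApplicationName="C:\Program Files\Internet Explorer\iexplore.exe", lpDesktop="hidden_desktop") -> 1
1234 sample.exe   CloseDesktop(hDesktop=0x1a4) -> 1
4321 explorer.exe GetThreadDesktop(dwThreadId=4328) -> 0x44
'@ -split "`r?`n"

function Find-HiddenDesktopActivity {
    param([string[]]$Lines)
    $linePattern = '^(?<id>\d+)\s+(?<image>\S+)\s+(?<api>\w+)\((?<argv>.*)\)\s*->\s*(?<ret>\S+)$'
    $byPid = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch $linePattern) { continue }
        # copy the captures first: the -match calls below overwrite $Matches
        $id = [int]$Matches.id; $image = $Matches.image; $api = $Matches.api
        $argText = $Matches.argv; $ret = $Matches.ret
        if (-not $byPid.ContainsKey($id)) {
            $byPid[$id] = [pscustomobject]@{ Pid = $id; Image = $image; Desktops = @{}; Evidence = @() }
        }
        $rec = $byPid[$id]
        switch -Regex ($api) {
            '^CreateDesktop(Ex)?[AW]?$' {
                $name = if ($argText -match 'lpszDesktop="([^"]*)"') { $Matches[1] } else { '?' }
                $rec.Desktops[$ret] = $name                      # returned handle -> desktop name
                $rec.Evidence += "created desktop '$name' (handle $ret)"
            }
            '^SetThreadDesktop$' {
                if ($argText -match 'hDesktop=(0x[0-9a-fA-F]+)' -and $rec.Desktops.ContainsKey($Matches[1])) {
                    $rec.Evidence += "moved a thread to '$($rec.Desktops[$Matches[1]])'"
                }
            }
            '^CreateProcess[AW]?$' {
                if ($argText -match 'lpDesktop="([^"]*)"' -and $rec.Desktops.ContainsValue($Matches[1])) {
                    $rec.Evidence += "started a child process on '$($Matches[1])'"
                }
            }
        }
    }
    # only processes that created a desktop are reported; GetThreadDesktop on its own is not flagged
    $byPid.Values | Where-Object { $_.Desktops.Count -gt 0 } | ForEach-Object {
        [pscustomobject]@{
            Pid      = $_.Pid
            Image    = $_.Image
            Desktops = ($_.Desktops.Values | Sort-Object -Unique) -join ', '
            Evidence = $_.Evidence -join '; '
        }
    }
}

Find-HiddenDesktopActivity -Lines $trace | Format-List
```

On the constructed trace this reports only <i>sample.exe</i> (PID 1234) with desktop <i>hidden_desktop</i> and all three pieces of evidence; <i>explorer.exe</i> is left out because querying the current desktop is normal behaviour.<br />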
<div class="p2">
<br />
<br /></div>
<span style="font-size: large;"><b>
Download</b></span><br />
<div class="p1">
</div>
<div class="p1">
You can download the tool and the source code from <a href="https://github.com/herrcore/CmdDesktopSwitch">github</a>. </div>
<div class="p1">
<br /></div>
herrcorehttp://www.blogger.com/profile/17172043082379886965noreply@blogger.com0tag:blogger.com,1999:blog-5836508348908040047.post-61252667325329784352014-09-06T08:36:00.000-07:002016-09-11T22:02:42.917-07:00Crowdsourced Malware Triage <br />
<br />
<br />
<br />
This content has moved to <a href="http://www.openanalysis.net/#training">http://www.openanalysis.net/#training</a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
This is the long, annotated version of a short presentation I put together outlining the crowdsourced tools I have used in the past for malware triage.<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgC9bLMPYS2sbwFj_9oPAITDgIQuEz15IMKnYbjzG-dzH47bgC1ulluGEQGC18RJ8vXiCa7GZFI0PJ_NLVCF4HFMDN_QSG0f6ZhOx-u6vRsaheY3HXlFJqmJkKjJtbMYbMLLdxiOjNzYGY/s1600/look_ma_no_computer_blog.001.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgC9bLMPYS2sbwFj_9oPAITDgIQuEz15IMKnYbjzG-dzH47bgC1ulluGEQGC18RJ8vXiCa7GZFI0PJ_NLVCF4HFMDN_QSG0f6ZhOx-u6vRsaheY3HXlFJqmJkKjJtbMYbMLLdxiOjNzYGY/s1600/look_ma_no_computer_blog.001.jpg" width="640" /></a></div>
Not to be confused with malware reverse engineering, malware triage is a function of an enterprise Incident Response program (or, in a large enterprise, a SOC). The purpose of malware triage is to gain a quick, broad understanding of what exposure your organization has when dealing with a new threat.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioe-S0JsfmhS8yIHpAJ_ma_d_LvDKaGtq-uSEwd1lKN5pIduN7fCKr7Cf9IbjBJWzxyMrhUFmCNPWYkc5dIL4xxBtcHCPhFsxfj0CsPd6z27sAjlVpLC-LPLB99ycMQtjuXvdeLNmFuyc/s1600/look_ma_no_computer_blog.002.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioe-S0JsfmhS8yIHpAJ_ma_d_LvDKaGtq-uSEwd1lKN5pIduN7fCKr7Cf9IbjBJWzxyMrhUFmCNPWYkc5dIL4xxBtcHCPhFsxfj0CsPd6z27sAjlVpLC-LPLB99ycMQtjuXvdeLNmFuyc/s1600/look_ma_no_computer_blog.002.jpg" width="640" /></a></div>
In an enterprise environment you may find yourself in a situation where you need to perform malware triage but simply don't have access to the tools you need (sometimes this is the result of your GRC approvals lagging behind technology, or you may simply be in the early stages of building your Incident Response program).<br />
<br />
In these situations you will need to rely on online tools. You can perform most malware triage simply by using a notepad, web browser, and the internet.<br />
<br />
<b>Pro tip:</b> Instead of using notepad.exe, try OneNote <a href="http://www.onenote.com/">http://www.onenote.com/</a> or EverNote <a href="https://evernote.com/">https://evernote.com/</a> and keep all of your notes from past triages. This gives you a central, searchable repository that can inform future malware triage.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV3z7pnrIpoAxEmg2SjtzCsegMQXRDHBChKb6hkb5c43Oe9xqfYbeKbD6eseZmcraCNVQfnhxUtFTOGMDcMTKxATrgz-GDQuu0A-98j3vfhs7p-AtEFd3Dg3BNHYNVsQszLVWzVC0N6Ew/s1600/look_ma_no_computer_blog.003.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV3z7pnrIpoAxEmg2SjtzCsegMQXRDHBChKb6hkb5c43Oe9xqfYbeKbD6eseZmcraCNVQfnhxUtFTOGMDcMTKxATrgz-GDQuu0A-98j3vfhs7p-AtEFd3Dg3BNHYNVsQszLVWzVC0N6Ew/s1600/look_ma_no_computer_blog.003.jpg" width="640" /></a></div>
The crowdsourced tools we will look at are a mix of tools aimed specifically at Incident Responders (such as crowdsourced intelligence offerings) and tools that are simply useful during the triage process if we don't have a local equivalent handy.<br />
<br />
It should be noted that even with a completely vanilla Windows 7 install and application whitelisting many of these tools can be created locally through the use of PowerShell. However, for the sake of this presentation we will try to accomplish all analysis with online tools.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpaGkCJ4dt4QBttJpmT07_erReTFgw2jnJDk_qhncGmxdQdq3V6AsX3B785rGvShDVgj92mlH0QwBTJltKZTXviVN00x12gCAaCgp55vQIdovqaebACioisyvtCJ1slYiPMGqLXZxAnww/s1600/look_ma_no_computer_blog.004.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpaGkCJ4dt4QBttJpmT07_erReTFgw2jnJDk_qhncGmxdQdq3V6AsX3B785rGvShDVgj92mlH0QwBTJltKZTXviVN00x12gCAaCgp55vQIdovqaebACioisyvtCJ1slYiPMGqLXZxAnww/s1600/look_ma_no_computer_blog.004.jpg" width="640" /></a></div>
Obviously by their very nature these tools do not support strong operational security practices! If you are trying to avoid tipping off an adversary that you are investigating them, don't use these tools.<br />
<br />
<b>Pro tip: </b>If you don't have the local tools/lab you need and you are trying to analyze an APT you have already lost. This presentation is not for you.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg88394gL5AOr4ufdcqi_y4cMNiv5xJaKbPRyS04lpclj6A_8MGDbQ_G9Xz7gjsYaVGWVTaMS5MLEmgfq9ygGlSc06LThurjEqAf54U9zDk2kYNFMo-4Oss39tdiRL3a0LxLOrOU9wwtj4/s1600/look_ma_no_computer_blog.005.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg88394gL5AOr4ufdcqi_y4cMNiv5xJaKbPRyS04lpclj6A_8MGDbQ_G9Xz7gjsYaVGWVTaMS5MLEmgfq9ygGlSc06LThurjEqAf54U9zDk2kYNFMo-4Oss39tdiRL3a0LxLOrOU9wwtj4/s1600/look_ma_no_computer_blog.005.jpg" width="640" /></a></div>
<div style="text-align: left;">
The scenario we will use as our demo involves receiving an e-mail with a suspicious link in it. We want to triage that URL.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Pro tip:</b> you will note that in the screen shot it appears as though we are drafting the suspicious e-mail not receiving it... maybe we are... maybe I was tired when I took the screen shot... maybe we should move on...</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKdkDRb_RBMbFh-vzeQMoAFSbKsUXGoVGtFgxw6p84wtE904rZTQVITWYv_OQQR-7YuowvIjWcs8n2MTYW8J98UpXG-14bc18HVK0DHjoqLC9A815yYEQeiha26VwJGCZATzN55CqHtnc/s1600/look_ma_no_computer_blog.006.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKdkDRb_RBMbFh-vzeQMoAFSbKsUXGoVGtFgxw6p84wtE904rZTQVITWYv_OQQR-7YuowvIjWcs8n2MTYW8J98UpXG-14bc18HVK0DHjoqLC9A815yYEQeiha26VwJGCZATzN55CqHtnc/s1600/look_ma_no_computer_blog.006.jpg" width="640" /></a></div>
<div style="text-align: left;">
The triage workflow that we will be using to analyze the URL.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr_v90s_oaKBid6cbK0fDJ5TeRgk2kwDWPWqXkwjfOat04LO12NbQ0jhNxl2CJkCEsSCPoqsWEFexGLWBDAmfEp9QEDVXfb7Tc6FyHqquApwj51WpF7H_P55loXi-My244vZor3ih2O-Y/s1600/look_ma_no_computer_blog.007.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr_v90s_oaKBid6cbK0fDJ5TeRgk2kwDWPWqXkwjfOat04LO12NbQ0jhNxl2CJkCEsSCPoqsWEFexGLWBDAmfEp9QEDVXfb7Tc6FyHqquApwj51WpF7H_P55loXi-My244vZor3ih2O-Y/s1600/look_ma_no_computer_blog.007.jpg" width="640" /></a></div>
<div style="text-align: left;">
During the passive analysis phase we try to gather information about the URL without actually interacting with it. This is one of the areas that tools specific for Incident Responders have really improved in the past few years. There are tons of tools available, I've just listed the ones I use daily. </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2feD-kg2XECK6TiLlmCXLobUO_3nSrPJVN-DhrzqN5T8UCABsliP5GyMftdvbWyfEkMVyTqxlY6S1TURZ1gWCGrPgp8_kNFKQygaCXf_kqMr2PMT82CuNIO7Av61cDDoggmX0JjGaEH8/s1600/look_ma_no_computer_blog.008.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2feD-kg2XECK6TiLlmCXLobUO_3nSrPJVN-DhrzqN5T8UCABsliP5GyMftdvbWyfEkMVyTqxlY6S1TURZ1gWCGrPgp8_kNFKQygaCXf_kqMr2PMT82CuNIO7Av61cDDoggmX0JjGaEH8/s1600/look_ma_no_computer_blog.008.jpg" width="640" /></a></div>
We are all familiar with <a href="https://www.virustotal.com/">https://www.virustotal.com/</a> so not much needs to be said here.<br />
<br />
The URL we are triaging certainly looks malicious...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRxkh327lSFr17LYgfblTH44UvwrneE_uQDtEQ1EgHHjkFMxWYhBGG2ZinWnv65p7lZA3SXTKY0p2LJ9t735nnsUGD0vX-oXom1KiuqfKLZNAZFPxKboMGl5hJLZlYRA_0CdChqDrL0P4/s1600/look_ma_no_computer_blog.009.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRxkh327lSFr17LYgfblTH44UvwrneE_uQDtEQ1EgHHjkFMxWYhBGG2ZinWnv65p7lZA3SXTKY0p2LJ9t735nnsUGD0vX-oXom1KiuqfKLZNAZFPxKboMGl5hJLZlYRA_0CdChqDrL0P4/s1600/look_ma_no_computer_blog.009.jpg" width="640" /></a></div>
BlueCoat offers this great service <a href="https://sitereview.bluecoat.com/sitereview.jsp">https://sitereview.bluecoat.com/sitereview.jsp</a> that provides a "classification" for a domain you are interested in. In addition to classifying malicious domains, it also flags domains that serve potentially unwanted software and adware.<br />
<br />
Again BlueCoat confirms that the domain for the URL we are triaging appears to be malicious.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCErKzzicYAMzHxL3Rvl47kn3XqYOx-QrBpPrdx44-mD2jowqj3XkeTKt1mwf0LgN46GVmUQM7QsUXYx2hWHi_5e92MHub_8TrfFtaCAtHNoxzE8RhySRnfpqUjxTzcRV_fWMpROOyCCo/s1600/look_ma_no_computer_blog.010.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCErKzzicYAMzHxL3Rvl47kn3XqYOx-QrBpPrdx44-mD2jowqj3XkeTKt1mwf0LgN46GVmUQM7QsUXYx2hWHi_5e92MHub_8TrfFtaCAtHNoxzE8RhySRnfpqUjxTzcRV_fWMpROOyCCo/s1600/look_ma_no_computer_blog.010.jpg" width="640" /></a></div>
The <a href="https://www.passivetotal.org/">https://www.passivetotal.org</a> site is a resource that allows researchers and other incident responders to "tag" domains with information such as the malware family they are associated with.<br />
<br />
In this case the URL we are triaging has been tagged as "Crime" for crimeware and "Sweet Orange" possibly indicating that it leads to the Sweet Orange Exploit Kit.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlJMXFZSIBFWHtzqqR7Ifu3-0Z2lybIocg1YTcHHiOs7sChSBdsAmJ5THlA3KnLvmwgXmiDIFKmWcw0WpsBLppMiQ2OwTMyZsn1r0t4Z51rNFzn2zaX3wq8h5atUtXy6ioMmN4DxVcV0o/s1600/look_ma_no_computer_blog.011.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlJMXFZSIBFWHtzqqR7Ifu3-0Z2lybIocg1YTcHHiOs7sChSBdsAmJ5THlA3KnLvmwgXmiDIFKmWcw0WpsBLppMiQ2OwTMyZsn1r0t4Z51rNFzn2zaX3wq8h5atUtXy6ioMmN4DxVcV0o/s1600/look_ma_no_computer_blog.011.jpg" width="640" /></a></div>
The <a href="https://www.domaintools.com/">https://www.domaintools.com/</a> site has a suite of tools that can be used to identify the owners of domains, or group similar domains. This is a good place to start if you suspect a website has been compromised and you want to notify the owner.<br />
<br />
In our case our URL doesn't have too much useful information, but we can see that it is hosted on a shared hosting site. Possibly something to note for follow-up later.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg03T0IHUTnL3GN2BH7BhQQWAJnFcZ-2dTpLI96sa89V3mnbDh0cl8lg1ADoXbiylUCZmXGtPBkZsa_Qro_jccweD_zztlMAb-K6G_N-9wjD6Bk0zqcuYkyXDlH5wKp2oPX61v_xpiH2Oc/s1600/look_ma_no_computer_blog.012.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg03T0IHUTnL3GN2BH7BhQQWAJnFcZ-2dTpLI96sa89V3mnbDh0cl8lg1ADoXbiylUCZmXGtPBkZsa_Qro_jccweD_zztlMAb-K6G_N-9wjD6Bk0zqcuYkyXDlH5wKp2oPX61v_xpiH2Oc/s1600/look_ma_no_computer_blog.012.jpg" width="640" /></a></div>
Once we have gathered all the information we can from passive analysis it is time to interact with the URL.<br />
<br />
Since we won't be using any local tools other than a web browser we will need some online tools to help us download and save a copy of the URL.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeXicmQIWBJw6PN4kSegSlq9mTOgFvIkZ-NLV3W5cIpau-qUFVKB3VPET9rfFvQhKJLuWHLhUGWy5tISIuNUdhW-Nph_dQB0zUMv-hVpu35ibF4j65JhetgAlLaxItsk73pfxGniy_D3A/s1600/look_ma_no_computer_blog.013.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeXicmQIWBJw6PN4kSegSlq9mTOgFvIkZ-NLV3W5cIpau-qUFVKB3VPET9rfFvQhKJLuWHLhUGWy5tISIuNUdhW-Nph_dQB0zUMv-hVpu35ibF4j65JhetgAlLaxItsk73pfxGniy_D3A/s1600/look_ma_no_computer_blog.013.jpg" width="640" /></a></div>
Since we won't be directly interacting with the URL using our web browser we will want to profile the user agent string so we can mirror it with our tools. Many exploit kits will deploy specific exploits based on the user agent string (and other browser features) so it is best to mimic the environment you are trying to protect. <a href="http://www.useragentstring.com/index.php">http://www.useragentstring.com/index.php</a> is a great tool to determine what your user agent is.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje_45pRe-VfhmAu9PtpkllfvjVE6Si3chWDJQ-5YzoImLPakFRI2k5CO9Xt-QOFq0svCGp1CqoDDJMJeO78eNXvw7uHIrSFJ_r7U6R9QsrlAc2UtlF8LZ0FV9pSTmBYrin4Omt6iVcbtA/s1600/look_ma_no_computer_blog.014.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje_45pRe-VfhmAu9PtpkllfvjVE6Si3chWDJQ-5YzoImLPakFRI2k5CO9Xt-QOFq0svCGp1CqoDDJMJeO78eNXvw7uHIrSFJ_r7U6R9QsrlAc2UtlF8LZ0FV9pSTmBYrin4Omt6iVcbtA/s1600/look_ma_no_computer_blog.014.jpg" width="640" /></a></div>
Now that we are ready to interact with the URL we want to download a copy of the page with our first interaction. Many exploit kits have a "request limit" and will stop responding after 2 or 3 requests. This is to protect the EK from people like us : )<br />
<br />
For this task we use <a href="http://onlinecurl.com/">http://onlinecurl.com/</a>, an online version of the curl tool everyone is familiar with. The online version exposes the command-line tool's options, including a custom user agent string.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUsTeFcZRzZhsDx7dr4LjTE8pZoapvUKZHcCZNUAgwjCuACWEIYeAfzEW3NSDMaHGZb6QLhJklp7tcgDF7lSl8JQ3aFEUoM-N1ldCurqzCgLThQEdtCLHc74MoZnH8LgGf2KxrX6Fjhlk/s1600/look_ma_no_computer_blog.015.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUsTeFcZRzZhsDx7dr4LjTE8pZoapvUKZHcCZNUAgwjCuACWEIYeAfzEW3NSDMaHGZb6QLhJklp7tcgDF7lSl8JQ3aFEUoM-N1ldCurqzCgLThQEdtCLHc74MoZnH8LgGf2KxrX6Fjhlk/s1600/look_ma_no_computer_blog.015.jpg" width="640" /></a></div>
We request our triage URL and now we have a copy of the HTML to analyze (more on this in a minute).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFuQ_A-k6xSe34r5lUrC4fih0w69doFEoOehyMxFi6UB7KeNJVl_koujfNhQjLPnMoACvmuVxMGQ4k4-1UL6dZElaKE5jiItrCM412iP4PFlQVGMH5cVZCOPes89PzYOCH3xdzwEU_iPU/s1600/look_ma_no_computer_blog.016.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFuQ_A-k6xSe34r5lUrC4fih0w69doFEoOehyMxFi6UB7KeNJVl_koujfNhQjLPnMoACvmuVxMGQ4k4-1UL6dZElaKE5jiItrCM412iP4PFlQVGMH5cVZCOPes89PzYOCH3xdzwEU_iPU/s1600/look_ma_no_computer_blog.016.jpg" width="640" /></a></div>
Now that we have a copy of the page and aren't worried about hitting the request limit we can try to analyze the URL with <a href="http://urlquery.net/">http://urlquery.net/</a>. URLQuery is a browser sandbox that will retrieve the URL you want to analyze and run the request traffic past some IDS/IPS sensors. If the sensors detect any malicious traffic the alerts will be displayed.<br />
<br />
In our case we can see that we have had a few IDS hits for "Sweet Orange EK", confirming our earlier suspicion that this is the Sweet Orange Exploit Kit. We also have a hit for a vulnerable Java version check. Definitely something to keep in mind as we proceed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnehQVU3PP75E1tmpeIVEk6jqRB_oIT6sRjVaSPyMTFxK9KXuQikcguKcI5QMtGInsBz-x7oX1hIPYn7eLdN0SdLJWiOpwQAGkGzjjAx7lPlx2qgxd17RLnMWSS8QjUYcrIS50ukL6gFU/s1600/look_ma_no_computer_blog.018.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnehQVU3PP75E1tmpeIVEk6jqRB_oIT6sRjVaSPyMTFxK9KXuQikcguKcI5QMtGInsBz-x7oX1hIPYn7eLdN0SdLJWiOpwQAGkGzjjAx7lPlx2qgxd17RLnMWSS8QjUYcrIS50ukL6gFU/s1600/look_ma_no_computer_blog.018.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Web component analysis is just fancy language for "read the HTML and JS". During this phase we just want to figure out what the page is doing. The tool you will use the most is your own understanding of HTML and Javascript. </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf2yK5h0-0io1VfSsnYA6xJCVx3Q9HQclYUBXJj1pBJM-9iIF-A2m0aULtlT0TQWGbbG_FUXnlcnP2zw-gL6di1JmCN5XRWED3Y_97QMx10BxIUBt2TrFxPudBts0iuIgtLYNuae4513Y/s1600/look_ma_no_computer_blog.017.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf2yK5h0-0io1VfSsnYA6xJCVx3Q9HQclYUBXJj1pBJM-9iIF-A2m0aULtlT0TQWGbbG_FUXnlcnP2zw-gL6di1JmCN5XRWED3Y_97QMx10BxIUBt2TrFxPudBts0iuIgtLYNuae4513Y/s1600/look_ma_no_computer_blog.017.jpg" width="640" /></a></div>
To help get a human readable version of the web page we can copy the code into <a href="http://jsbeautifier.org/">http://jsbeautifier.org/</a> and have it "beautify" the code for us. This just adds line breaks and white space to make the code easier to understand.<br />
<br />
The code for our URL is already starting to take shape. We can see an "&lt;li&gt;" tag with id=rmWzKHyz that looks like it holds some encoded/encrypted data, and some Javascript functions that look like they may be used to decode/decrypt it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjppKzJheS4AtELTmIZkpRJNFNja9NrVsPnOM63H1zaAXH1yCiIdi-AmSO7ELN45PLpGUaLmkS9l7qkw66lAAv39pVNuO-dftCPyWj1Vs4XAoMbX199opzIUaHfCJK1iV_eOYBpvZ0e3CU/s1600/look_ma_no_computer_blog.019.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjppKzJheS4AtELTmIZkpRJNFNja9NrVsPnOM63H1zaAXH1yCiIdi-AmSO7ELN45PLpGUaLmkS9l7qkw66lAAv39pVNuO-dftCPyWj1Vs4XAoMbX199opzIUaHfCJK1iV_eOYBpvZ0e3CU/s1600/look_ma_no_computer_blog.019.jpg" width="640" /></a></div>
Now that it's time to take a closer look at the Javascript, it may be tempting to just upload it to one of the many "javascript analysis sandboxes" that exist. In my experience these never work for what we want. Keep in mind that we are trying to understand <u>what</u> the javascript is doing, not just "is it bad".<br />
<br />
In this case we can see that the Wepawet sandbox has identified our web page as benign when it clearly isn't.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmSmJ5VW0bqnYCnmYVsqKVXpsHTMVQ6cZVfDpL_trzbSyxFM0cR9WOe8c4WABU6jVvgLwl4U64THWagv-iL8BMCxFhWXa2s7NVxHt23QZ1EVzWmX_v1Tyq8wxFIgZVxGFhuhbXA-zwYXQ/s1600/look_ma_no_computer_blog.020.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmSmJ5VW0bqnYCnmYVsqKVXpsHTMVQ6cZVfDpL_trzbSyxFM0cR9WOe8c4WABU6jVvgLwl4U64THWagv-iL8BMCxFhWXa2s7NVxHt23QZ1EVzWmX_v1Tyq8wxFIgZVxGFhuhbXA-zwYXQ/s1600/look_ma_no_computer_blog.020.jpg" width="640" /></a></div>
For Javascript analysis I recommend finding an online JS interpreter instead of running the JS live in your browser. This eliminates the risk of compromising your own workstation if you make a mistake. I prefer the <a href="http://math.chapman.edu/~jipsen/js/">http://math.chapman.edu/~jipsen/js/</a> online JS interpreter as it has no document object, so if the JS appends code to the document you will quickly see this as an error.<br />
<br />
To analyze the Javascript from our URL we copy it over to the JS interpreter and run it with the final eval() statement removed, so that its argument is printed rather than executed. As we can see, some new javascript is printed to the console... could this be the decrypted JS hidden in the "&lt;li&gt;" tag?<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2ziX01PwcXBPPqW-ujn6V8RRnot2hdUNlQUO97XE6TpNQ7k8tPJLFhyphenhyphenKWugCi9D5zWtTdRvjJRxHtXrAwM4xRNYbctk4nqBStPKQz_U2FdOhy2VhuVKamD9p-TqxRiD97mLojbgbz1io/s1600/look_ma_no_computer_blog.021.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2ziX01PwcXBPPqW-ujn6V8RRnot2hdUNlQUO97XE6TpNQ7k8tPJLFhyphenhyphenKWugCi9D5zWtTdRvjJRxHtXrAwM4xRNYbctk4nqBStPKQz_U2FdOhy2VhuVKamD9p-TqxRiD97mLojbgbz1io/s1600/look_ma_no_computer_blog.021.jpg" width="640" /></a></div>
Here I have presented a different approach for those careless/brave enough to run the JS in their own browser: using the Developer Tools built into Google Chrome to debug the JS.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0N7tJ5uHuM6MQ43nj2Ei7rs7U6B-yEylRMqo8KnzlAvR9vH-B6drd7qfg5IpafA3FCSwhELOKlbUTLtRs1Cc4lrrgVnURqJMIuc3lIz32kGV2EU1X8XB7-UfTE7-_PNe4s9eJInczUlk/s1600/look_ma_no_computer_blog.022.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0N7tJ5uHuM6MQ43nj2Ei7rs7U6B-yEylRMqo8KnzlAvR9vH-B6drd7qfg5IpafA3FCSwhELOKlbUTLtRs1Cc4lrrgVnURqJMIuc3lIz32kGV2EU1X8XB7-UfTE7-_PNe4s9eJInczUlk/s1600/look_ma_no_computer_blog.022.jpg" width="640" /></a></div>
If we copy that JS output back into jsbeautifier and clean it up, we can see something that looks very suspicious. There appear to be three different print statements and some javascript that checks for plugins.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJGWZ32_KQhvxzNu5kq2R3D-7rPtcDW6CVphfoJUomctM2_uCuXOJXMp3AnZ75c4Km4YKEGB-AKlVht0GapjfUGjoWsBUqd2UTzvexyKYlQ88rXt8P0iwhoSkxUpc84HmiPUKgCyaEFzM/s1600/look_ma_no_computer_blog.023.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJGWZ32_KQhvxzNu5kq2R3D-7rPtcDW6CVphfoJUomctM2_uCuXOJXMp3AnZ75c4Km4YKEGB-AKlVht0GapjfUGjoWsBUqd2UTzvexyKYlQ88rXt8P0iwhoSkxUpc84HmiPUKgCyaEFzM/s1600/look_ma_no_computer_blog.023.jpg" width="640" /></a></div>
If we copy the contents of the print statements and beautify them, we can see three different possible exploits being loaded, one Flash and two Java (we don't know yet that they are exploits, but we are plenty suspicious). For the purpose of this presentation I have chosen to analyze the second Java one, as it provides the best opportunity to showcase the most tools.<br />
<br />
If we look at the second Java one we can see some parameters that appear to be obfuscated and a long string assigned to the jnlp_embedded parameter. It's not apparent in this slide, but the string ends in "==", which suggests that it is base64 encoded (the "=" characters are only padding, so a base64 string without them is possible too; the restricted character set and a length that is a multiple of 4 are the better tell).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8V1Uwb5nSUPPxf0-xuR4qHehs_C4lRMZw9sLiPi-Px-ao0HaBgcwV3AnMGaH-X_IlK8qMAGO8FGZu2bEOWthaJ88TIqdHUMjTHsPKA-rjFn4Cu7a9sNZC28sUxGpUrhub31tCuvs0n-A/s1600/look_ma_no_computer_blog.024.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8V1Uwb5nSUPPxf0-xuR4qHehs_C4lRMZw9sLiPi-Px-ao0HaBgcwV3AnMGaH-X_IlK8qMAGO8FGZu2bEOWthaJ88TIqdHUMjTHsPKA-rjFn4Cu7a9sNZC28sUxGpUrhub31tCuvs0n-A/s1600/look_ma_no_computer_blog.024.jpg" width="640" /></a></div>
Since we don't have any local base64 decode tools we can use <a href="http://www.base64decode.org/">http://www.base64decode.org/</a> to decode the string. Keep in mind that anything you paste into a third-party site is no longer private; that trade-off runs through this whole workflow.<br />
<br />
Here we see that the string contains a reference to the Jar (OmXIIEr.jar) and the preloader class (WxIOiLd). We can now download the Jar and start analyzing the classes, beginning with the preloader.<br />
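What the online decoder did for us, written out in Python as an added example (this is not code from the presentation): decode a jnlp_embedded value and pull out the jar it fetches and the entry class. The JNLP document below is constructed for the example; only the jar name OmXIIEr.jar and the class name WxIOiLd come from the slides, the rest of the document is made up to have the shape the Java plugin expects.<br />

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample, not taken from the exploit kit page: a JNLP document of
# the shape the Java plugin accepts through the jnlp_embedded applet parameter.
# Only the jar and class names come from the post.
SAMPLE_JNLP = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<jnlp spec="1.0" href="OmXIIEr.jnlp">'
    '<information><title>applet</title><vendor>none</vendor></information>'
    '<resources><j2se version="1.7+"/><jar href="OmXIIEr.jar" main="true"/></resources>'
    '<applet-desc name="applet" main-class="WxIOiLd" width="1" height="1"/>'
    '</jnlp>'
)
# The document base64 encoded, as it would sit in the applet parameter.
SAMPLE_PARAM = base64.b64encode(SAMPLE_JNLP.encode()).decode()

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def looks_like_base64(value: str) -> bool:
    """Cheap triage check: base64 alphabet and a length that is a multiple of 4.

    A trailing "=" or "==" is padding and is only present when the input
    length is not a multiple of 3, so its absence proves nothing.
    """
    value = "".join(value.split())          # pages often wrap long values
    return len(value) >= 8 and len(value) % 4 == 0 and bool(BASE64_RE.match(value))


def decode_jnlp_param(value: str) -> Optional[bytes]:
    """Decode a jnlp_embedded value; return the XML bytes, or None if it is not JNLP."""
    value = "".join(value.split())
    if not looks_like_base64(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True)
    except binascii.Error:
        return None
    return decoded if b"<jnlp" in decoded else None


def summarize_jnlp(xml_bytes: bytes) -> dict:
    """Pull out what a triager needs: which jar(s) get fetched and the entry class."""
    root = ET.fromstring(xml_bytes)
    jars = [j.get("href") for j in root.iter("jar") if j.get("href")]
    main_class = None
    # Applets use applet-desc; a Web Start launch would use application-desc.
    for tag in ("applet-desc", "application-desc"):
        desc = root.find(tag)
        if desc is not None:
            main_class = desc.get("main-class")
            break
    return {"jars": jars, "main_class": main_class, "codebase": root.get("codebase")}


if __name__ == "__main__":
    xml = decode_jnlp_param(SAMPLE_PARAM)
    print(summarize_jnlp(xml))
```

Once decoded, a JNLP is plain XML, so an XML parser is all that is needed; the base64 check is deliberately loose so that whitespace inserted by the page does not hide the encoding. The codebase attribute, when present, tells you where the jar is fetched from relative to the landing page.<br />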
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyKwSCq3cLMupGL_Yij1M2AhwkEaF2HPo-EHK14-KEtAPuHzlV3Ecvq3lfzkXbVBo4j9gPn1-Pu65ZmSy0rxeWM3P7pMg2fBfDWQ-v4ukeVSfbf_6mysn8EzvXSp-I5AtsZVJaYIX9xtI/s1600/look_ma_no_computer_blog.025.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyKwSCq3cLMupGL_Yij1M2AhwkEaF2HPo-EHK14-KEtAPuHzlV3Ecvq3lfzkXbVBo4j9gPn1-Pu65ZmSy0rxeWM3P7pMg2fBfDWQ-v4ukeVSfbf_6mysn8EzvXSp-I5AtsZVJaYIX9xtI/s1600/look_ma_no_computer_blog.025.jpg" width="640" /></a></div>
Now that we know how the exploit is going to be delivered it's time to actually analyze the exploit.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggsZ2F_EKXXBwZsg4YUvNg3WP-J8f1rw6eO4i2KPSbADQxcTsUyWtVW4u3eNBYzgGmG7TU1LujdOBXAoz8Dgsreh7hY8Q5_elf5sPcqo3LC85NEzTB-JS80U0ixXYSPx0wyXOWdwovtOc/s1600/look_ma_no_computer_blog.026.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggsZ2F_EKXXBwZsg4YUvNg3WP-J8f1rw6eO4i2KPSbADQxcTsUyWtVW4u3eNBYzgGmG7TU1LujdOBXAoz8Dgsreh7hY8Q5_elf5sPcqo3LC85NEzTB-JS80U0ixXYSPx0wyXOWdwovtOc/s1600/look_ma_no_computer_blog.026.jpg" width="640" /></a></div>
We can download the Jar file with our web browser without much risk: it is inert without the web page (and the Java plugin) that loads it, as long as you don't execute it with a local JRE. Once downloaded we can just change the .jar extension to .zip and use native tools to unzip it (<a href="http://en.wikipedia.org/wiki/JAR_(file_format)">http://en.wikipedia.org/wiki/JAR_(file_format)</a>).<br />
<br />
Here we can see the jar contains a bunch of class files including the preloader class and a strange file with a .qvcw extension.<br />
<br />
<b>Pro tip: </b>If for some reason you don't have a native unzip tool (maybe you are using a Chromebook?) there are plenty of online zip tools, for example <a href="http://b1.org/online">http://b1.org/online</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM21i2ahewyh30lC6ff4AL4C_LPIu-jx2ULI02M1r8EPh51L12JUBm9NuQHRudpvWklMKv0RNckm7QoHIhf1jeAm_vhl-nnPK-xiQKUE-ojt1BsmAErBYWjqL0kEwEJAoyrXu-sY5rheQ/s1600/look_ma_no_computer_blog.027.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM21i2ahewyh30lC6ff4AL4C_LPIu-jx2ULI02M1r8EPh51L12JUBm9NuQHRudpvWklMKv0RNckm7QoHIhf1jeAm_vhl-nnPK-xiQKUE-ojt1BsmAErBYWjqL0kEwEJAoyrXu-sY5rheQ/s1600/look_ma_no_computer_blog.027.jpg" width="640" /></a></div>
We can also try uploading the jar to Virus Total to see what anti-virus thinks of it.<br />
<br />
As always, anti-virus is working overtime with 2/55 detections, but one of those 2 hits gives us CVE-2013-2460. Now we have a pretty good idea what the exploit is. If you want to stop here you can, but I always suggest following through and verifying that the AV guys got it right. We all remember how many false positives they had on CVE-2014-1761; you would have been exposed to lots of risk if you trusted the AV signatures for that...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnug3AvfkhP90JV28S1BZGWlZNWWC7z9V0oL6rNEeMd-2HqJ59A4Ej5Bijjyp6VyZRrfbjXevxb63DE62GqqyU3r7dj-o7WHvq6vhPKvMaYJFoj8sVQe7D5oD0QP_1TnY9NBxIY1sQWfE/s1600/look_ma_no_computer_blog.028.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnug3AvfkhP90JV28S1BZGWlZNWWC7z9V0oL6rNEeMd-2HqJ59A4Ej5Bijjyp6VyZRrfbjXevxb63DE62GqqyU3r7dj-o7WHvq6vhPKvMaYJFoj8sVQe7D5oD0QP_1TnY9NBxIY1sQWfE/s1600/look_ma_no_computer_blog.028.jpg" width="640" /></a></div>
If you aren't familiar with the great work from Dan Guido and the Exploit Intelligence Project go check it out: <a href="https://www.isecpartners.com/media/12955/eip-final.pdf">https://www.isecpartners.com/media/12955/eip-final.pdf</a>. The project analyzed all major exploit kits in 2009-2010 and identified the origins of the exploits they were using. It turned out that none of them used 0-day; they all relied on exploits that had been discovered by white hats or that appeared in published analysis of APT campaigns.<br />
<br />
<b>Pro tip: </b>You have a very high chance of finding the exploit published online if you are triaging crimeware. I like to look in the Metasploit github: <a href="https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits">https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits</a>. Once you have found the exploit you are looking for you don't actually need to reverse the malware; you just need to do some code comparison. This is the secret to quick triage.<br />
<br />
For our triage we have found CVE-2013-2460 in the Metasploit github. Now all we need to do is look at the Java code in the jar and see if they match.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8ZrGkHFvsO3GnGNMap7vPvNjebhHAxkb-2cA5SEYbv86Sg0rQK3EI0OSgVMymr6uLvuaNB6g7S_Ml0bl_6cQDafdyH3Ow0rWwSxrhePDWUHE0nv0_hDkcEUc1HvAXIWNoo3B7KUYxneM/s1600/look_ma_no_computer_blog.029.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8ZrGkHFvsO3GnGNMap7vPvNjebhHAxkb-2cA5SEYbv86Sg0rQK3EI0OSgVMymr6uLvuaNB6g7S_Ml0bl_6cQDafdyH3Ow0rWwSxrhePDWUHE0nv0_hDkcEUc1HvAXIWNoo3B7KUYxneM/s1600/look_ma_no_computer_blog.029.jpg" width="640" /></a></div>
In order to decompile the jar's class files we can use <a href="http://www.showmycode.com/">http://www.showmycode.com/</a>, an online Java and Flash decompiler.<br />
<br />
Here we have decompiled the preloader class and we can see that the java code is heavily obfuscated.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2Xie6pTgGorsuLBuDgUbXhrSjUdNWvzdM3hL9s4xF4VlRWoqQ2AT2Z02pyf3RSGGph3qkuCNZP2WJvDTVKYJwueUsJPBkMNqtGy8BxpEWd2ApooHjoJsjtWH0Lv-4cb8ePeg6rZT4TVU/s1600/look_ma_no_computer_blog.030.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2Xie6pTgGorsuLBuDgUbXhrSjUdNWvzdM3hL9s4xF4VlRWoqQ2AT2Z02pyf3RSGGph3qkuCNZP2WJvDTVKYJwueUsJPBkMNqtGy8BxpEWd2ApooHjoJsjtWH0Lv-4cb8ePeg6rZT4TVU/s1600/look_ma_no_computer_blog.030.jpg" width="640" /></a></div>
The best way to de-obfuscate Java code is to run it with a debugger and print statements. This requires a bit of understanding of Java but it's fairly straightforward. I like to use <a href="http://ideone.com/">http://ideone.com/</a>, an online IDE, compiler, and debugger all in one; no local Java tools required. Copy only the string-decoding routine into the online IDE, not the exploit logic itself: you are executing it on somebody else's server.<br />
<br />
Here we are decoding encoded strings in the Java code and printing them to stdout.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbwBA5PPYYdvLrgkLf6cDJL57v3Eig0Pc5lPky7tly1GLPqWADSiER_m2swlsiQvbBOKee7kUgQfXPYO9AdDzIWS6_2wtNrkNXM5bMiZDgtP725lel1XIHbdfIPHIU-qAUPlCM9LkZLgw/s1600/look_ma_no_computer_blog.031.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbwBA5PPYYdvLrgkLf6cDJL57v3Eig0Pc5lPky7tly1GLPqWADSiER_m2swlsiQvbBOKee7kUgQfXPYO9AdDzIWS6_2wtNrkNXM5bMiZDgtP725lel1XIHbdfIPHIU-qAUPlCM9LkZLgw/s1600/look_ma_no_computer_blog.031.jpg" width="640" /></a></div>
Once we have decoded all the strings in the Java code we substitute them back into the code, and here we have some code that very closely resembles part of the Metasploit CVE-2013-2460 module.<br />
<br />
But what about that strange file with the .qvcw extension? Here we see it loaded as a string along with the string "555546DZD2A1FD2992".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmBJyA98q4JtqOCgjrfPU9xBbpJKwmLT1y5jLGF8As59lQwH3_xkcDRMmv22l1a45l7SSnGk1Ovor_mU44HUFFJz7g2fs_t7lj3_35LIZDxFnKHaSeIgrSQagsxqtN20x2o3U1tbtzNwE/s1600/look_ma_no_computer_blog.032.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmBJyA98q4JtqOCgjrfPU9xBbpJKwmLT1y5jLGF8As59lQwH3_xkcDRMmv22l1a45l7SSnGk1Ovor_mU44HUFFJz7g2fs_t7lj3_35LIZDxFnKHaSeIgrSQagsxqtN20x2o3U1tbtzNwE/s1600/look_ma_no_computer_blog.032.jpg" width="640" /></a></div>
If we open the .qvcw file in Notepad we can see that it is a text file with the 5555 string repeated in it a lot.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBFxFTygPBVdk76Sq_ynelZVOg1kA8jY-FiF6a69tRJMNuo2nq8-xfFmbb2Ef7PML1XjscsZdBMniRPXZMkMXN4__-KhQB00WejuAX9gtjpAn4p2oV25_p2Sv-AYi0VDWXX5k04iiZPIE/s1600/look_ma_no_computer_blog.033.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBFxFTygPBVdk76Sq_ynelZVOg1kA8jY-FiF6a69tRJMNuo2nq8-xfFmbb2Ef7PML1XjscsZdBMniRPXZMkMXN4__-KhQB00WejuAX9gtjpAn4p2oV25_p2Sv-AYi0VDWXX5k04iiZPIE/s1600/look_ma_no_computer_blog.033.jpg" width="640" /></a></div>
Let's use find/replace to delete the 5555 string and, bingo, we have a serialized class. (A Java serialization stream starts with the bytes AC ED 00 05; if those are not at the front of the file after the replace, the junk token is not the only transformation that was applied.)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAzp8Qt4p5qpPsWVN2CNhto7rXHeDnfi1ghV9A5r2Iyhobz7b63BX5Ug3ugkeY8d0DJYZ9OX6WY86IOxsO-vz7TDgjOEmzdix_aOJXfDyrN7sbldGkaxO8TFfr9_4dcSBPiT2wrTu7IPg/s1600/look_ma_no_computer_blog.034.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAzp8Qt4p5qpPsWVN2CNhto7rXHeDnfi1ghV9A5r2Iyhobz7b63BX5Ug3ugkeY8d0DJYZ9OX6WY86IOxsO-vz7TDgjOEmzdix_aOJXfDyrN7sbldGkaxO8TFfr9_4dcSBPiT2wrTu7IPg/s1600/look_ma_no_computer_blog.034.jpg" width="640" /></a></div>
If we deserialize the class and decompile it we are left with the other part of the Metasploit CVE-2013-2460 exploit (the part that disables the sandbox).<br />
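The jar walk and the .qvcw check from the last few slides, in Python as an added example (not code from the presentation). It opens the jar as a zip (the .jar-to-.zip rename, in code), separates class files from everything else, strips the junk token the way the find/replace did, confirms the result by its serialization magic, and then scans the stream for the class names it carries. The jar it runs on is built in memory for the example: the class name WxIOiLd is from the post, while the .qvcw content and the class name inside it are constructed.<br />

```python
import io
import re
import zipfile
from typing import Dict, List

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectOutputStream header
CLASS_FILE_MAGIC = b"\xca\xfe\xba\xbe"    # compiled .class header
TC_CLASSDESC = 0x72                       # serialization tag that precedes a class name
CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$\[][A-Za-z0-9_$.;\[/]*$")


def strip_junk(data: bytes, token: bytes = b"5555") -> bytes:
    """The find/replace from the post, in code.

    Caveat: a blind replace also eats any legitimate 0x35353535 run inside the
    stream, so always confirm the serialization magic afterwards.
    """
    return data.replace(token, b"")


def serialized_class_names(stream: bytes) -> List[str]:
    """Heuristic scan of a Java serialization stream for TC_CLASSDESC class names.

    Looks for 0x72 followed by a 2-byte big-endian length and the name. This
    does not parse the full grammar, so a 0x72 inside field data could produce
    a false hit; the name regex filters most of those out.
    """
    names: List[str] = []
    if not stream.startswith(JAVA_SERIAL_MAGIC):
        return names
    i = len(JAVA_SERIAL_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            n = int.from_bytes(stream[i + 1:i + 3], "big")
            name = stream[i + 3:i + 3 + n]
            if 0 < n <= 256 and len(name) == n and CLASS_NAME_RE.match(name):
                names.append(name.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def triage_jar(jar_bytes: bytes, junk_token: bytes = b"5555") -> Dict[str, object]:
    """List the jar's contents and flag non-class entries hiding serialized objects."""
    report: Dict[str, object] = {"classes": [], "other": [], "serialized": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if data.startswith(CLASS_FILE_MAGIC):
                report["classes"].append(info.filename)
                continue
            report["other"].append(info.filename)
            # Try the bytes as-is first, then with the junk token removed.
            for candidate in (data, strip_junk(data, junk_token)):
                if candidate.startswith(JAVA_SERIAL_MAGIC):
                    report["serialized"][info.filename] = serialized_class_names(candidate)
                    break
    return report


# ---- constructed sample jar standing in for OmXIIEr.jar ----
def build_serialized_object(class_name: bytes) -> bytes:
    """Minimal ObjectOutputStream output for an empty Serializable class."""
    return (JAVA_SERIAL_MAGIC
            + b"\x73"                                                     # TC_OBJECT
            + bytes([TC_CLASSDESC]) + len(class_name).to_bytes(2, "big") + class_name
            + b"\x00" * 8                                                 # serialVersionUID
            + b"\x02"                                                     # SC_SERIALIZABLE
            + b"\x00\x00"                                                 # zero fields
            + b"\x78"                                                     # TC_ENDBLOCKDATA
            + b"\x70")                                                    # TC_NULL superclass


def pad_with_junk(data: bytes, token: bytes = b"5555", every: int = 5) -> bytes:
    """Sprinkle the junk token through the bytes, like the .qvcw file."""
    return token + b"".join(data[i:i + every] + token for i in range(0, len(data), every))


def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("WxIOiLd.class", CLASS_FILE_MAGIC + b"\x00\x00\x00\x33")   # header only
        zf.writestr("a.qvcw", pad_with_junk(build_serialized_object(b"SampleSandboxDisabler")))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

The class names recovered this way are exactly the strings the later pro tip suggests searching for, since the serialized object was not run through the obfuscator.<br />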
<br />
<b>Pro tip:</b> if Virus Total had not provided a CVE for us to look for we would have analyzed the exploit code as we have here, but once we got to this point we would have used some of the strings from this class in Google to try to match the exploit. The reason we use strings from this class is that it has been serialized without being obfuscated, so there is a good chance that it is copied code, or at least a better chance that the order of some of the code will match a blog post or git commit.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsUETaXwm8Q2wQ5GGutDwOh9ji5HhGhji771Bshtsx0ltf1Ema1Re8IejUVqG4DfnbAlZL27ZWA9essUMwtatEtBwrUIqtMg44rlxlOvNDQnHOzj-UVYQRAtt-fTwwJ9to7WB_fLzF8TA/s1600/look_ma_no_computer_blog.035.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsUETaXwm8Q2wQ5GGutDwOh9ji5HhGhji771Bshtsx0ltf1Ema1Re8IejUVqG4DfnbAlZL27ZWA9essUMwtatEtBwrUIqtMg44rlxlOvNDQnHOzj-UVYQRAtt-fTwwJ9to7WB_fLzF8TA/s1600/look_ma_no_computer_blog.035.jpg" width="640" /></a></div>
If you are in the unfortunate position that your organization does have exposure to the exploit (perhaps you can't patch Java because of some legacy application), you will want to analyze the payload delivered by this exploit so you can better inform the risk function of your security program and/or sweep your enterprise for indicators.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieBrgRBGGKdcayNSldeRnx9Qnmt0ERb8SJHveesoWl-sXlF6u251Vm6Jd3_dVfdDobUrYCgUtpb7oRF9CCsMNrwPVK4m9qBQMvK4qi2ByFwmqFFEefwgAfIfiEDYWaOmIGfCQQTpwZZok/s1600/look_ma_no_computer_blog.036.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieBrgRBGGKdcayNSldeRnx9Qnmt0ERb8SJHveesoWl-sXlF6u251Vm6Jd3_dVfdDobUrYCgUtpb7oRF9CCsMNrwPVK4m9qBQMvK4qi2ByFwmqFFEefwgAfIfiEDYWaOmIGfCQQTpwZZok/s1600/look_ma_no_computer_blog.036.jpg" width="640" /></a></div>
Here we are decoding the strings that provide the URL to download the payload. Since the payload is a PE it can be downloaded directly with your web browser; just don't run it, and expect your browser or desktop AV to try to block or quarantine it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI9wkdL2HAyYDoafiBshpR24W4PbZE6SzF63CltqWXmH4M5xsn_JRuX4MiA3MUtbvF6-hCRISuPrRvKvkpNbdLNl0-6B13HBeJb_HHgK1tkeKO7jCZU1x1NIUshplLmTgGgU5z8WHxr_0/s1600/look_ma_no_computer_blog.038.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI9wkdL2HAyYDoafiBshpR24W4PbZE6SzF63CltqWXmH4M5xsn_JRuX4MiA3MUtbvF6-hCRISuPrRvKvkpNbdLNl0-6B13HBeJb_HHgK1tkeKO7jCZU1x1NIUshplLmTgGgU5z8WHxr_0/s1600/look_ma_no_computer_blog.038.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
For the payload analysis we aren't going to go deep into malware reversing. All we want to do is understand our coverage in terms of AV, identify the malware family and its goals, and get some indicators in case we need to sweep our enterprise for compromises. </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh69P2a5UuFtcDnAM6TFLuS3-DyvknMBvuKbSvBczCo2mF4dOvUHWp2ftPXD0CCrBgeIw7QzBd5fw130s5hH6J4vPJ90Jf4hEirJ7IkAEgsBMDYEVKBBpk2rSG2WN3NSs0ONDEroT_UgXg/s1600/look_ma_no_computer_blog.037.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh69P2a5UuFtcDnAM6TFLuS3-DyvknMBvuKbSvBczCo2mF4dOvUHWp2ftPXD0CCrBgeIw7QzBd5fw130s5hH6J4vPJ90Jf4hEirJ7IkAEgsBMDYEVKBBpk2rSG2WN3NSs0ONDEroT_UgXg/s1600/look_ma_no_computer_blog.037.jpg" width="640" /></a></div>
The first step in analyzing the payload is to get it onto Virus Total. Not only will this give you an idea of the AV coverage, it will also submit the sample to the AV vendors so they can start generating signatures. Bear in mind that an uploaded sample is shared with every vendor and with paying Virus Total users, so search for the hash first and think twice before uploading anything that may have been targeted at your organization specifically. <br />
<br />
Here we have the AV vendors doing a spectacular job: 5/55 detections and no clear indication what this malware is.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0IqsXh4RHgFROCV1PXTz_9gDn3lbT0aZwQKoy5s90dTjSwK2447ytUdy_ibewB1DkLxNvoJJF92E__2ccYUWRR_GcDwsBl0vsUD7JTxG-XUbXqqtkl3OFRJjYeQlpDq3kQ36PV4lZX2E/s1600/look_ma_no_computer_blog.039.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0IqsXh4RHgFROCV1PXTz_9gDn3lbT0aZwQKoy5s90dTjSwK2447ytUdy_ibewB1DkLxNvoJJF92E__2ccYUWRR_GcDwsBl0vsUD7JTxG-XUbXqqtkl3OFRJjYeQlpDq3kQ36PV4lZX2E/s1600/look_ma_no_computer_blog.039.jpg" width="640" /></a></div>
Virus Total also comes with a built-in sandbox that will provide some high level indicators.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnEn9jEP7AUdkSp0YhT-v3ALsgwsrCbYg6i5mKim1dhR_8OZXwGbDTqTyTM9IkLLsXqEcqh4mI4caSNZGaNHxwcA3jj-KP2H3uBpaXKhFJ1RiXSKWOF95pYGoDzfQ9VG3eJ1nHhKL5Qrs/s1600/look_ma_no_computer_blog.040.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnEn9jEP7AUdkSp0YhT-v3ALsgwsrCbYg6i5mKim1dhR_8OZXwGbDTqTyTM9IkLLsXqEcqh4mI4caSNZGaNHxwcA3jj-KP2H3uBpaXKhFJ1RiXSKWOF95pYGoDzfQ9VG3eJ1nHhKL5Qrs/s1600/look_ma_no_computer_blog.040.jpg" width="640" /></a></div>
The traffic captures from the Virus Total sandbox are particularly useful for identifying the malware family using Google.<br />
<br />
Based on these traffic samples we were able to identify this payload as <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/Qakbot.gen!C#tab=2">Qakbot</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPNmktJO2bQAxMRgZsoSP4CRK50jeh-T-hst8v6eY92ZFBoSy9D0Gd_48Vnq7Xs4ogTZjwCUwqvtD813ZLIYp2o0RxZ43YfIsCdnW1mxBAerWQ6jt2ZgFyDCa2bRYdd7tDJh-uA7Uqv70/s1600/look_ma_no_computer_blog.041.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPNmktJO2bQAxMRgZsoSP4CRK50jeh-T-hst8v6eY92ZFBoSy9D0Gd_48Vnq7Xs4ogTZjwCUwqvtD813ZLIYp2o0RxZ43YfIsCdnW1mxBAerWQ6jt2ZgFyDCa2bRYdd7tDJh-uA7Uqv70/s1600/look_ma_no_computer_blog.041.jpg" width="640" /></a></div>
Hands down the best tool for analyzing binary malware is <a href="https://malwr.com/">https://malwr.com/</a>, an online sandbox. Unfortunately they recently ran out of resources and had to temporarily stop accepting submissions. They promise to be up and running again soon.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3CTH2ARK8YvIOEhdAT5LBHPOyFyMvWBELMeP0Lm8HdgnC9Z08SG_637n9gpmDHLQ9pizy0T-joruTF8QiZB09VewvkbiDEkbD8ObL2vhm2RvR_fTcyTSJSmtYw4w7L4iy9yKJsAHyaV8/s1600/look_ma_no_computer_blog.042.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3CTH2ARK8YvIOEhdAT5LBHPOyFyMvWBELMeP0Lm8HdgnC9Z08SG_637n9gpmDHLQ9pizy0T-joruTF8QiZB09VewvkbiDEkbD8ObL2vhm2RvR_fTcyTSJSmtYw4w7L4iy9yKJsAHyaV8/s1600/look_ma_no_computer_blog.042.jpg" width="640" /></a></div>
Other online sandboxes tend to leave something to be desired: they either don't work or they are overloaded. For a long list see <a href="http://zeltser.com/reverse-malware/automated-malware-analysis.html">http://zeltser.com/reverse-malware/automated-malware-analysis.html</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSSx9YQJHGuwQ6XhapJCw4_qrpwU2-e1e-Td5RAu83O4yv7XCbrA6qWUVLKVkiOoYzUPmkgLEzrCiUu9dsLN1x0aFwoEhF4pDYjJTQJcZyeWD3jCl14-1rUxvJFpTONsdVTVuZp6GGru8/s1600/look_ma_no_computer_blog.043.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSSx9YQJHGuwQ6XhapJCw4_qrpwU2-e1e-Td5RAu83O4yv7XCbrA6qWUVLKVkiOoYzUPmkgLEzrCiUu9dsLN1x0aFwoEhF4pDYjJTQJcZyeWD3jCl14-1rUxvJFpTONsdVTVuZp6GGru8/s1600/look_ma_no_computer_blog.043.jpg" width="640" /></a></div>
You can also try uploading the sample to <a href="http://totalhash.com/">http://totalhash.com/</a>. TotalHash will provide you with its own set of indicators from a sandbox run, which are nice to compare with Virus Total's, but it will also make your sample hash searchable so that malware researchers can use it to identify groups of similar malware. It's a nice way to give back to the community and you may get some extra info.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOob3rVjgWhogaeEKGdwWB8xEGm7cXNL8oPAT5Z0SExkCHKsl-VnpL7i3GHO8f202uA5tvoSPhVyh0fI0VwJENBdVxEb_g_0-cSIKo3BVZdWxl-zdoGr9qSRZUP09r_-I1GcKH_CfrW4A/s1600/look_ma_no_computer_blog.044.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOob3rVjgWhogaeEKGdwWB8xEGm7cXNL8oPAT5Z0SExkCHKsl-VnpL7i3GHO8f202uA5tvoSPhVyh0fI0VwJENBdVxEb_g_0-cSIKo3BVZdWxl-zdoGr9qSRZUP09r_-I1GcKH_CfrW4A/s1600/look_ma_no_computer_blog.044.jpg" width="640" /></a></div>
Now that we have identified the malware as a variant of the Qakbot family we can go to <a href="https://www.iocbucket.com/">https://www.iocbucket.com/</a> and search to see if there are any OpenIOCs available for the malware. IOC Bucket is an initiative to help share malware IOCs within the IR and research community.<br />
<br />
At the time of this presentation there were no IOCs for Qakbot. If you create an IOC be sure to share it : )<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglMH0NzJpggYQUxrzlsCZQXop8Gz1voszNAPHbugA6u-d9ufnM9E7ebw9K9R6MSPIrawEK7NU2SpYDXxCT5aoMdEyg1LmB0egvw92rrY80MOqmaWOV3h243rGY0ssFr7ml6CSymW-sgS4/s1600/look_ma_no_computer_blog.045.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglMH0NzJpggYQUxrzlsCZQXop8Gz1voszNAPHbugA6u-d9ufnM9E7ebw9K9R6MSPIrawEK7NU2SpYDXxCT5aoMdEyg1LmB0egvw92rrY80MOqmaWOV3h243rGY0ssFr7ml6CSymW-sgS4/s1600/look_ma_no_computer_blog.045.jpg" width="640" /></a></div>
Finally, most of these tools would not be possible without community involvement. If you use these tools try to give back. Even leaving comments on Virus Total helps.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg62IewtwKZMOKOXRF9eCZxKVrUhpyZZavSRBqsDr-Nw6z_FahpjYeXMalj72I_KggvQyUWzzMfEf4w9cHAbeXoeDhhk3IB3wL7qhirQfBBAEH92LRh_665PHIYiopV4MU_ie60jiFu19A/s1600/look_ma_no_computer_blog.046.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg62IewtwKZMOKOXRF9eCZxKVrUhpyZZavSRBqsDr-Nw6z_FahpjYeXMalj72I_KggvQyUWzzMfEf4w9cHAbeXoeDhhk3IB3wL7qhirQfBBAEH92LRh_665PHIYiopV4MU_ie60jiFu19A/s1600/look_ma_no_computer_blog.046.jpg" width="640" /></a></div>
<div>
<br /></div>
herrcorehttp://www.blogger.com/profile/17172043082379886965noreply@blogger.com0tag:blogger.com,1999:blog-5836508348908040047.post-41631875563665705042014-01-04T05:11:00.000-08:002016-09-11T22:03:36.482-07:00Inside The New Asprox/Kuluoz (October 2013 - January 2014)<div class="p1">
<br />
<br />
<br />
<br />
<br />
This content has moved to <a href="http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/">http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/</a><br />
<br />
In the past few months we have seen asprox rise to be one of the leading e-mail distributed trojans in North America. Asprox is a lightweight trojan that is used to maintain control of an infected host and either download additional functionality (directly related to the Asprox botnet) or install a second-stage payload on the infected host as part of an affiliate network (partnerkas). </div>
<div class="p2">
<br /></div>
<div class="p1">
A full overview of the botnet can be found in Trend Micro's report "<i><a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf" target="_blank">Asprox Reborn</a></i>" (note the bot behaviour is now different from what is described in the report) or in Michal Ambroz's excellent post "<i><a href="http://rebsnippets.blogspot.ca/2013/05/phishing-malware-as-service-this-blog.html" target="_blank">Asprox Botnet - Phishing Malware As a Service</a></i>".</div>
<div class="p2">
<br /></div>
<div class="p1">
This report details the recent evolution of the asprox first-stage trojan: its behaviour, its new encryption scheme and new IOCs. While much has already been written about the asprox botnet, this report exposes the inner workings of the first-stage trojan in an effort to help researchers and incident responders both understand and protect against it.</div>
<div class="p2">
<br /></div>
<div class="p1">
A note on semantics: Asprox is also known as Kuluoz by anti-virus vendors. I have been told that asprox is used to refer to the botnet infrastructure while kuluoz refers to the actual trojan. For the sake of simplicity asprox will be the only term used in this report to refer to the malware under analysis. </div>
<h2>
</h2>
<h3>
Delivery Method</h3>
<div class="p1">
</div>
<div class="p1">
Asprox e-mails all follow a similar pattern, one you are sure to be familiar with if you have been investigating malware in the past few months. The e-mails masquerade as parcel deliveries, airline reservations, court appointments, resumes, etc. Each e-mail references an attachment, usually a .zip file that contains the trojan .exe. In October 2013 the e-mails used a link that would download a .zip, but since November 2013 all e-mails collected have had attachments.<br />
<br /></div>
<h3>
</h3>
<h3>
Examples of Asprox E-Mails</h3>
<div>
The following posts and reports detail the types of e-mails that asprox is distributed by: <a href="http://techhelplist.com/index.php/spam-list/419-you-can-download-your-ticket-virus" target="_blank">Fake Delta, American Airlines, or US Airways</a>, <a href="http://techhelplist.com/index.php/spam-list/437-please-look-my-cv-virus" target="_blank">My_CV</a>, <a href="http://garwarner.blogspot.ca/2013/12/asprox-spamming-court-related-malware.html" target="_blank">Court_Notice</a>, <a href="http://www.csis.dk/da/csis/news/4125/" target="_blank">Adobe License Key</a>.<br />
<br /></div>
<h3>
</h3>
<h3>
The Trojan</h3>
<div>
<div class="p1">
Though the trojan in the zip file is just an .exe, its icon has been changed to make it look like a Word document. With the default Windows configuration set to hide file extensions the trojan can easily trick a victim into clicking on it.</div>
<div class="p1">
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlWV4uY4lqRXcitXSfGCq_AJRO6ndwaDoN1cGRBoEi5iI47XIdq87wAp_G6O4Mm0BYVU6vAOFXoXkFLvEQB38z4RKNDRHd8fvQE4vBSnRB-EaNdT2FgqIzpUpfDew8BvJa5ALci9N2ZNY/s1600/trojan+icon.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlWV4uY4lqRXcitXSfGCq_AJRO6ndwaDoN1cGRBoEi5iI47XIdq87wAp_G6O4Mm0BYVU6vAOFXoXkFLvEQB38z4RKNDRHd8fvQE4vBSnRB-EaNdT2FgqIzpUpfDew8BvJa5ALci9N2ZNY/s1600/trojan+icon.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Asprox trojan attachment</td></tr>
</tbody></table>
<span id="goog_965773379"></span><span id="goog_965773380"></span><br />
<br />
<br />
<div class="p1">
When the trojan is executed the victim will see Notepad open with a message. This message changes based on the version of asprox but the current string is "<span style="background-color: #fff2cc;">Unknown ERROR! Please wait and try again later.</span>" This is used to trick the victim into assuming the attachment was simply broken and that nothing malicious has occurred. For a full description of what is happening behind the scenes see the <i>Initial Infection</i> section of this report.</div>
<div class="p1">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiEewEsHCP-uvUDXoF_YJzHw3aed2z40wMQNbaJVdyQsTZLOzF7NHCpcfCSfGJyu3-SR8qjA0o1ZRQgtbBsTxtf0ChqGTXvikGzp3psR-lLauLGdLakahFo4ZVQiJMu40_3vcVsr-DvxI/s1600/notepad.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiEewEsHCP-uvUDXoF_YJzHw3aed2z40wMQNbaJVdyQsTZLOzF7NHCpcfCSfGJyu3-SR8qjA0o1ZRQgtbBsTxtf0ChqGTXvikGzp3psR-lLauLGdLakahFo4ZVQiJMu40_3vcVsr-DvxI/s1600/notepad.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Asprox notepad with fake error message</td></tr>
</tbody></table>
<h2>
</h2>
<h3>
Initial Infection</h3>
<div>
<div class="p1">
When a victim executes the asprox trojan it will appear as though they have opened a Word document in Notepad: strange, but not malicious. However, behind the scenes asprox is busy installing itself on the host. In the next sections the true behaviour of the asprox trojan will be revealed. </div>
<div class="p1">
<br /></div>
<h3>
Packer</h3>
</div>
<div>
<div class="p1">
The asprox trojan is packed with what appears to be a custom packer that is refreshed for each e-mail campaign. These packers usually have a fairly high detection rate after the first day of the e-mail campaign (initial detection rates are unknown at this time). This report does not examine the packer in detail as it is simply used to inject the asprox trojan into a process.</div>
<h3>
</h3>
<div>
<br /></div>
<h3>
Injection and Initial Setup</h3>
</div>
<div>
<div class="p1">
The packer behaviour is as follows:</div>
<div class="p1">
</div>
<ul>
<li>unpacks itself to a new process with the same name</li>
<li>executes a copy of the 32-bit svchost.exe (on a 64-bit host it uses the <span style="background-color: #fff2cc;">C:\Windows\SysWOW64\svchost.exe</span> path) </li>
<li>injects the asprox trojan into the new svchost process</li>
</ul>
<br /></div>
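The packer behaviour above turned into a detection check, as an added example that is not part of the original report: given a process snapshot, flag svchost.exe instances whose parent is not services.exe (and, on a 64-bit host, the SysWOW64 copy), and walk the ancestry so the unpack-to-a-process-with-the-same-name step is visible. The snapshot is constructed; attachment.exe is a placeholder name for the e-mailed trojan, and the rule that services.exe is the only legitimate parent of svchost.exe is an assumption you should validate against your own baseline before alerting on it.<br />

```python
from typing import Dict, List

# Constructed process snapshot (pid, ppid, image name, full path), standing in
# for what Process Explorer, Sysmon event ID 1 or a memory image would give you.
# "attachment.exe" is a placeholder name for the trojan from the e-mail.
SAMPLE_PROCS = [
    {"pid": 4,    "ppid": 0,    "name": "System",         "path": ""},
    {"pid": 600,  "ppid": 500,  "name": "services.exe",   "path": r"C:\Windows\System32\services.exe"},
    {"pid": 800,  "ppid": 600,  "name": "svchost.exe",    "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1200, "ppid": 1000, "name": "explorer.exe",   "path": r"C:\Windows\explorer.exe"},
    {"pid": 1500, "ppid": 1200, "name": "attachment.exe", "path": r"C:\Users\victim\Downloads\attachment.exe"},
    # the packer unpacks itself into a second process with the same name ...
    {"pid": 1520, "ppid": 1500, "name": "attachment.exe", "path": r"C:\Users\victim\Downloads\attachment.exe"},
    # ... which launches the 32-bit svchost.exe that the asprox DLL is injected into
    {"pid": 1600, "ppid": 1520, "name": "svchost.exe",    "path": r"C:\Windows\SysWOW64\svchost.exe"},
]


def suspicious_svchost(procs: List[Dict]) -> List[Dict]:
    """Flag svchost.exe instances that do not look like the Service Control Manager's.

    Assumption (validate against your environment): a legitimate svchost.exe is
    started by services.exe, and on 64-bit Windows it is the System32 copy.
    """
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if p["name"].lower() != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<not in snapshot>"
        if parent_name != "services.exe":
            reasons.append(f"parent is {parent_name} (pid {p['ppid']}), not services.exe")
        if "\\syswow64\\" in p["path"].lower():
            reasons.append("32-bit svchost.exe from SysWOW64 on a 64-bit host")
        if reasons:
            hits.append({"pid": p["pid"], "path": p["path"], "reasons": reasons})
    return hits


def ancestry(procs: List[Dict], pid: int, limit: int = 16) -> List[str]:
    """Image names from the given process up to the root, stopping at unknown parents.

    PID reuse means a ppid can point at an unrelated process if the snapshot
    spans time; run this over a single point-in-time listing.
    """
    by_pid = {p["pid"]: p for p in procs}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for hit in suspicious_svchost(SAMPLE_PROCS):
        print(hit["pid"], hit["path"])
        for reason in hit["reasons"]:
            print("   -", reason)
        print("   chain:", " <- ".join(ancestry(SAMPLE_PROCS, hit["pid"])))
```

The same four fields come out of a Sysmon ProcessCreate event or a Volatility pstree listing, so the check ports directly to whichever of those you collect; the repeated attachment.exe in the chain is the packer's unpack step from the list above.<br />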
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIXbc1XPitY0Me7gV24aIrIhHsQCHJtlfmxH8Udl-yb57NrIkgrgaeytc23Sl1SD1q3PWLCbzieCMhmMF7RYEWRaSCf6eFLRdkV2x9LurXABg9F3APbmVuvSlyqBtJMaba034fIub6wjY/s1600/procexp+inital+launch.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIXbc1XPitY0Me7gV24aIrIhHsQCHJtlfmxH8Udl-yb57NrIkgrgaeytc23Sl1SD1q3PWLCbzieCMhmMF7RYEWRaSCf6eFLRdkV2x9LurXABg9F3APbmVuvSlyqBtJMaba034fIub6wjY/s1600/procexp+inital+launch.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Asprox initial injection caught in process explorer </td></tr>
</tbody></table>
<h2>
</h2>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br />
<br />
<br />
The asprox trojan that is injected into the svchost process is a dll. This dll can be extracted from the injected process for further analysis (see <i>Incident Response and Remediation</i> section of this report for further details). Once the asprox.dll is injected it takes over control of the program flow.</div>
<div class="p2">
<br /></div>
<div class="p1">
The asprox.dll itself contains a small code stub that it uses to inject itself into the svchost.exe process, so technically this stub is not the packer. Normally the stub would not be of much interest except for the way it resolves the addresses of the library functions it uses. </div>
<div class="p2">
<br /></div>
<div class="p1">
</div>
<div class="p1">
Because it is injected rather than loaded by the Windows loader, the asprox.dll has to locate kernel32.dll itself before it can call GetProcAddress. It does so by "walking" from the Process Environment Block down to the loader's module list and comparing a hash of each module name against the hash of "kernel32.dll" (0x6A4ABC5B). This is where we see the first interesting IOC and gain some possible insight into the origins of asprox: the code used to perform this lookup matches similar code found in Zeus. It is possible that this section was copied from the leaked Zeus source or from a research blog post explaining how it works. Further explanation of this technique can be found <a href="http://interestingmalware.blogspot.ca/2010/07/find-base-address-of-kernel32dll.html" target="_blank">here</a>. </div>
<div class="p1">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibAYZ8FnNJ4ftKWmJ5xUVkfMoD-TLLL-SRvAo5FTN9nxQiN_WPUV7fTXR-RkPsK5ZHXgVk3IgCFqLubssFHwM3oQIt0zxgxLIJYlqGnBcxghZ66jlKRs_KvkCihcNGlI3omOMd5a5FMkQ/s1600/kernel+hash+check.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibAYZ8FnNJ4ftKWmJ5xUVkfMoD-TLLL-SRvAo5FTN9nxQiN_WPUV7fTXR-RkPsK5ZHXgVk3IgCFqLubssFHwM3oQIt0zxgxLIJYlqGnBcxghZ66jlKRs_KvkCihcNGlI3omOMd5a5FMkQ/s1600/kernel+hash+check.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Asprox hash compare to find kernel32.dll module</td></tr>
</tbody></table>
<div class="p1">
For the IOC we can use a yara rule to search memory (for example with Volatility) for the bytes <span class="s1" style="background-color: #fff2cc;">0x81 0xff 0x5b 0xbc 0x4a 0x6a</span>, which encode the instruction <span class="s2">cmp edi,0x6a4abc5b</span> (the hash constant in little-endian byte order). This IOC by itself is not unique to asprox: any code that resolves kernel32.dll by comparing against the same hash constant will match. </div>
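<div class="p1">
The following Python is an added example, not code from the original post or from the asprox sample. It shows what the hash constant actually is: 0x6A4ABC5B is the value a rotate-right-by-13 (ROR13) hash over the upper-cased UTF-16LE string "KERNEL32.DLL" produces, the same construction many shellcode API resolvers use, which is why the IOC is not specific to asprox. The script reproduces that hash, encodes the <span class="s2">cmp edi, imm32</span> instruction as the byte pattern to search for, renders it as a YARA rule and runs the search over a constructed memory buffer. The rule name and the buffer contents are made up for the example.</div>

```python
"""Added example (not code from the original post or the asprox sample):
reproduce the module-name hash the injection stub compares against while
walking the PEB loader list, and turn it into the byte-pattern IOC."""
import struct

MASK32 = 0xFFFFFFFF
KERNEL32_HASH = 0x6A4ABC5B  # constant quoted in the post


def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_module_hash(name):
    """Hash a module name the way the stub does: walk the UTF-16LE
    BaseDllName byte by byte, upper-case ASCII letters, rotate the running
    value right by 13 and add the byte. The UNICODE_STRING Length is used,
    so the terminating NUL is not hashed."""
    acc = 0
    for byte in name.upper().encode("utf-16le"):
        acc = (ror32(acc, 13) + byte) & MASK32
    return acc


def cmp_edi_imm32(imm):
    """Encode `cmp edi, imm32` (opcode 81 /7, ModRM FF selects edi) so the
    constant can be searched for as raw bytes."""
    return b"\x81\xff" + struct.pack("<I", imm)


def yara_rule(imm, rule_name="asprox_kernel32_ror13_cmp"):
    """Render a YARA rule for the compare. The rule name is an assumption
    made for this example."""
    hexbytes = " ".join("%02X" % b for b in cmp_edi_imm32(imm))
    return (
        "rule %s\n{\n    strings:\n        $cmp = { %s }\n"
        "    condition:\n        $cmp\n}\n" % (rule_name, hexbytes)
    )


def find_pattern(buf, imm=KERNEL32_HASH):
    """Offsets at which the compare occurs in a memory buffer (for
    example a region dumped with Volatility's malfind or vaddump)."""
    pat = cmp_edi_imm32(imm)
    hits = []
    idx = buf.find(pat)
    while idx != -1:
        hits.append(idx)
        idx = buf.find(pat, idx + 1)
    return hits


if __name__ == "__main__":
    # Constructed memory sample: padding, the compare instruction, padding.
    sample = b"\x90" * 16 + cmp_edi_imm32(KERNEL32_HASH) + b"\xcc" * 8
    print("ror13('kernel32.dll') = 0x%08X" % ror13_module_hash("kernel32.dll"))
    print("hits at", find_pattern(sample))
    print(yara_rule(KERNEL32_HASH))
```

<div class="p1">
Feed <span class="s2">find_pattern</span> the contents of a region dumped with malfind or vaddump; the rule text can be saved as-is and passed to Volatility's yarascan plugin. If a later build changes the hash algorithm or compares a different register, only the constant and the two-byte opcode prefix need to change.</div>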
<div class="p2">
<br /></div>
<div class="p1">
Once the asprox.dll has been successfully injected into svchost.exe it kills its parent processes (the processes started by the packer) leaving an orphan svchost.exe process running under explorer.exe. This is our second IOC; an <span style="background-color: #fff2cc;">svchost.exe process running under explorer.exe</span>. Again this IOC is common to many families of malware and not unique to asprox.</div>
<div class="p1">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJtCJ694YN2KDTYdn63i3J4k6C0SgTVTNrysyDcYLWpiBdqpPsNH9OIVxSx7IH_HVHf0ZIl4_Bt5VyHSWf8k0u_Y5Z7O-QGLnfuLKf3RwvPmjMV4u0PQG9v_6EN0HCC2y-tlOd801Mxr0/s1600/orphan+svchost.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJtCJ694YN2KDTYdn63i3J4k6C0SgTVTNrysyDcYLWpiBdqpPsNH9OIVxSx7IH_HVHf0ZIl4_Bt5VyHSWf8k0u_Y5Z7O-QGLnfuLKf3RwvPmjMV4u0PQG9v_6EN0HCC2y-tlOd801Mxr0/s1600/orphan+svchost.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Asprox injected svchost.exe under explorer.exe </td></tr>
</tbody></table>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
</div>
<div class="p1">
The main loop for the asprox.dll is then called through the asprox.dll export "<span style="background-color: #fff2cc;">Work</span>". This concludes the initial injection of the asprox.dll.</div>
<h3>
</h3>
<div>
<br /></div>
<h3>
Persistence</h3>
<div>
<div class="p1">
When the Work function is first called it attempts to create a mutex with a hard coded string. If the mutex is already in use the dll knows that another copy of itself is running and it terminates its host process. Though the hardcoded mutex string does make a unique IOC it is frequently changed so it cannot be relied on as a generic asprox identifier.</div>
<div class="p1">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhda3EOufKpP-Jkt3oygwCuA0cl5Zj-ATogdYmdi24Z94qob-WSckFdy3PbKRL1XSRKJoWpD-RHJf_nfFocJvXUsShuc9_Ab0C2NM_WJrE6RasqQrlXCoXVECTtZvNdLJLttxtY7Il2ecI/s1600/test_mutex.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhda3EOufKpP-Jkt3oygwCuA0cl5Zj-ATogdYmdi24Z94qob-WSckFdy3PbKRL1XSRKJoWpD-RHJf_nfFocJvXUsShuc9_Ab0C2NM_WJrE6RasqQrlXCoXVECTtZvNdLJLttxtY7Il2ecI/s1600/test_mutex.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Asprox test for mutex</td></tr>
</tbody></table>
<div class="p1">
Before entering the main loop of the Work function the asprox.dll checks the local user run key (<span style="background-color: #fff2cc;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</span>) to see if any key values have been set for its on-disk .exe file. </div>
<div class="p2">
<br /></div>
<div class="p1">
If no run key is set then it attempts to hide its presence by copying its on-disk exe to a new file in the %LOCALAPPDATA% folder. The new file name is a randomly generated string of 8 lowercase letters. The original on-disk .exe file is then deleted. Here we have our next IOC, there will be <span style="background-color: #fff2cc;">an .exe in the %LOCALAPPDATA% folder with a random 8 letter lowercase name</span>.</div>
<div class="p1">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyvkECc_hcr4fn5-ARjMYvURN5f-C81nLBflZbKp-2sPQlgDkDlxpbXIAXiS8nzq46UQsl-xbJ4BUxMeKjm5DczrbSo7TMwLyeWM3ddb-Mm7jnBRt-PKuzK7syt3Hk6wvdIeOLQfzw3hc/s1600/Screen+Shot+2014-01-03+at+9.15.34+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyvkECc_hcr4fn5-ARjMYvURN5f-C81nLBflZbKp-2sPQlgDkDlxpbXIAXiS8nzq46UQsl-xbJ4BUxMeKjm5DczrbSo7TMwLyeWM3ddb-Mm7jnBRt-PKuzK7syt3Hk6wvdIeOLQfzw3hc/s1600/Screen+Shot+2014-01-03+at+9.15.34+PM.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Asprox copied to %LOCALAPPDATA% folder</td></tr>
</tbody></table>
<div class="p1">
If a run key is already set the file copy is skipped. The run key itself is written only after 10 successful network communications with the c2 and points at the on-disk exe. The <span style="background-color: #fff2cc;">run key name is generated using 8 random lowercase letters</span>, which provides us with another IOC.</div>
<div class="p1">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGslloSkRndxin_ThcRXY2DcwLwut3SzUTwR4Vbe3gbY5ByBH-8A2Y5V62T349or6zlQUDXJvch3wbV6k1XP7AJiYbz7B6rPH2f4Fes-5QLljU9VIADh-YuqkbPI51pWb5TB6EpczILCs/s1600/Screen+Shot+2014-01-03+at+10.19.02+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGslloSkRndxin_ThcRXY2DcwLwut3SzUTwR4Vbe3gbY5ByBH-8A2Y5V62T349or6zlQUDXJvch3wbV6k1XP7AJiYbz7B6rPH2f4Fes-5QLljU9VIADh-YuqkbPI51pWb5TB6EpczILCs/s1600/Screen+Shot+2014-01-03+at+10.19.02+PM.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Asprox run key using randomly generated 8 lowercase letters</td></tr>
</tbody></table>
<br />
<h3>
</h3>
<h3>
Antivirus/Sandbox/Researcher Detection and Evasion</h3>
<div>
<div class="p1">
All versions of the asprox.dll collect the following information from the environment: firewall configuration, antivirus configuration, OS version and whether the OS is 32 or 64 bit. This information is later reported back to the c2 in the <span style="background-color: #fff2cc;">&lt;debug&gt;</span> element.</div>
<div class="p2">
<br /></div>
<div class="p1">
The firewall and antivirus configuration is collected through WMI (the wbem service) via its COM interface. The query is passed to the "ExecQuery" method as a BSTR, so the query strings are present in process memory as wide (UTF-16LE) strings. These strings provide us with another IOC: "<span style="background-color: #fff2cc;">SELECT * FROM AntiVirusProduct</span>" and "<span style="background-color: #fff2cc;">SELECT * FROM FirewallProduct</span>" (search for them as unicode strings; the AntiVirusProduct and FirewallProduct classes live in the root\SecurityCenter and root\SecurityCenter2 namespaces). This IOC does not indicate malicious behaviour by itself, but combined with the other IOCs in this report it can be used to identify asprox.<br />
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIkx3GD8c1ly2b1509K4wsqxUTI92sSh8xFz4eKSB5HJf2neD5ZwWkbzgCeuonoiOwfW1VShz63bB-mkXEZNo4bDiSS8tpJ8YzG_nTrp-vh9i0oaWEJ4AhRIvry1XyEoJcIO1SJ_pE-Ao/s1600/wbem2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIkx3GD8c1ly2b1509K4wsqxUTI92sSh8xFz4eKSB5HJf2neD5ZwWkbzgCeuonoiOwfW1VShz63bB-mkXEZNo4bDiSS8tpJ8YzG_nTrp-vh9i0oaWEJ4AhRIvry1XyEoJcIO1SJ_pE-Ao/s1600/wbem2.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example of asprox checking what antivirus products are installed on the host</td></tr>
</tbody></table>
<div class="p1">
Recent versions of the asprox.dll also examine the environment to determine whether the dll is running in a sandbox or whether a researcher is attempting to analyze it. The malware uses the <span class="s1">FindWindow</span> function to search for known analysis tools and virtualization components, and it enumerates various registry keys that reveal a virtual machine. This information is then passed to the c2 in the &lt;src&gt; element. The window names and registry keys that are searched for are listed below (as of the latest version).<br />
<br />
<h4>
Window Names</h4>
<br /></div>
<div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">wireshark.exe</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">Tfrmrpcap</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">iptools.exe</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">Iris-Version5.59</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">ProcessLasso_Notification_Class</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">TSystemExplorerTrayForm.UnicodeClass</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">PROCMON_WINDOW_CLASS</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">PROCEXPL</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">WdcWindow</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">ProcessHacker</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">99929D61-1338-48B1-9433-D42A1D94F0D2-x64</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">99929D61-1338-48B1-9433-D42A1D94F0D2-x32</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">99929D61-1338-48B1-9433-D42A1D94F0D2</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">Dumper</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">Dumper64</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">APISpy32Class</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">VMwareDragDetWndClass</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">VMwareSwitchUserControlClass</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">vmtoolsd.exe</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">prl_cc.exe</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">prl_tools.exe</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">SharedIntApp.exe</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">VBoxTray.exe</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">VBoxService.exe</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">vmusrvc.exe</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: x-small;">vmsrvc.exe</span></div>
</div>
<h4>
</h4>
<div>
<br /></div>
<h4>
Registry Keys</h4>
<div>
<div class="p1">
<span style="font-size: xx-small;">Listed as key path, then value name = data looked for (where a value is checked):</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum, 0 = VMware</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum, 0 = PTLTD</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum, 0 = Virtual</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemProductName = VMware</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemProductName = PTLTD</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemManufacturer = VMware</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemManufacturer = PTLTD</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&amp;DEV_0774&amp;SUBSYS_040515AD&amp;REV_00</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&amp;DEV_0774&amp;SUBSYS_074015AD&amp;REV_00</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&amp;DEV_CAFE&amp;SUBSYS_00000000&amp;REV_00</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\PTLTD__</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum, 0 = PRLS</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemProductName = Virtual</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemProductName = PRLS</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemManufacturer = Virtual</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemManufacturer = PRLS</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum, 0 = VBox</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemProductName = VBox</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemManufacturer = VBox</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemProductName = AMIBI</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS, SystemManufacturer = AMIBI</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333&amp;DEV_8811&amp;SUBSYS_00000000&amp;REV_00</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&amp;DEV_BEEF&amp;SUBSYS_00000000&amp;REV_00</span></div>
<div class="p1">
<span style="background-color: #fff2cc; font-size: xx-small;">HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\AMIBI</span></div>
</div>
<div class="p1">
<br /></div>
</div>
<div class="p1">
The new versions of asprox.dll also add a <span style="background-color: #fff2cc;">2 minute sleep</span> to the initialization section, which I suspect is an attempt at sandbox evasion. When the version with the sleep is run in the Cuckoo sandbox the 2 minute sleep is enough to <a href="https://malwr.com/analysis/NDdjMWUyMTkwZjQ1NGM3NDgzMjNmZThlYTJiMGZlNjE/" target="_blank">evade much of the detection</a>.</div>
<br />
<div class="p1">
All of these checks happen in the "setup section" before the main loop of the asprox.dll, so the window name search can be defeated by not starting any analysis tools until after the asprox.dll makes its first network call. The registry keys can be hidden just as easily, or a simple hook for RegQueryValueEx can return clean values. Also, if a run key that matches the image name of the process already exists, the environment analysis is skipped entirely. </div>
<h3>
</h3>
<div>
<br /></div>
<h3>
Incident Response and Remediation</h3>
<div>
<div class="p1">
Asprox is built to enable downloading and installation of a second-stage payload so it is very likely that the asprox.dll will be replaced by another piece of malware if an infected host is not attended to quickly. However, if a system is infected with the asprox.dll the following steps can be used to collect a sample of the .dll and clean the infected host.</div>
<div class="p1">
<br /></div>
<h4>
Evidence Collection and Host Remediation</h4>
<ol class="ol1">
<li class="li1">Verify the host is infected with asprox using the IOCs in this report. Note the PID of the svchost.exe process that is running under explorer.exe.</li>
<li>Use your favourite memory dump tool to dump the host memory and save it to your analysis system.</li>
<li>Use Process Explorer to kill the svchost.exe process that is running under explorer.exe.</li>
<li>Open the %LOCALAPPDATA% folder and delete all instances of the asprox .exe (identified by their random 8 lowercase letter names).</li>
<li>Open regedit and delete all run keys for the asprox .exe located in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.</li>
<li>Open regedit and delete all asprox registry keys in HKEY_CURRENT_USER\Software identified by their random 8 lowercase letter names (see the <i>Communication: Group ID</i> section of this report on how to positively identify these keys).</li>
</ol>
</div>
<h4>
</h4>
<h4>
Evidence Analysis</h4>
<div>
<ol class="ol1">
<li class="li1">If you want to further analyze the asprox.dll that was injected into the svchost process you can use Volatility and run <a href="https://code.google.com/p/volatility/wiki/CommandReference#malfind" target="_blank">malfind</a> on the svchost PID noted in the steps above.</li>
<li class="li1">Once malfind has dumped the injected code you can locate the asprox dll in the segments by searching for the "MZ" header. The header will appear in multiple segments but only one of them holds the full DLL (the one that has a stub of set-up code before the MZ). </li>
<li class="li1">Use your favourite hex editor to extract the dll. </li>
<li class="li1">Once you have extracted the dll it doesn't contain any anti-debugging/analysis features so you can easily analyze it.</li>
<li class="li1">Post your analysis : )</li>
</ol>
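<div class="p1">
As an added example (not from the original post) for steps 1 to 3 above, the following Python validates each "MZ" candidate in a dumped segment by checking that its e_lfanew points at a "PE\0\0" signature, reads SizeOfImage from the optional header and carves the mapped image out of the buffer. The dump it runs over is constructed inline: a few stub bytes, a decoy "MZ" with a bogus e_lfanew, and a minimal fake PE32 header padded to its SizeOfImage.</div>

```python
"""Added example (not code from the original post): pick the real injected
DLL out of memory segments dumped by Volatility's malfind by validating
each "MZ" candidate instead of trusting the first one found."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def valid_pe_at(buf, off):
    """True if buf[off:] starts with a DOS header whose e_lfanew points at
    a PE signature that lies inside the buffer."""
    if buf[off:off + 2] != MZ or off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe_off = off + e_lfanew
    if e_lfanew < 0x40 or pe_off + 4 > len(buf):
        return False
    return buf[pe_off:pe_off + 4] == PE_SIG


def find_pe_headers(buf):
    """Offsets of every MZ header that validates; stray 'MZ' byte pairs in
    code or data are skipped."""
    hits = []
    idx = buf.find(MZ)
    while idx != -1:
        if valid_pe_at(buf, idx):
            hits.append(idx)
        idx = buf.find(MZ, idx + 1)
    return hits


def size_of_image(buf, off):
    """SizeOfImage from the optional header (same offset for PE32/PE32+)."""
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    return struct.unpack_from("<I", buf, off + e_lfanew + 0x18 + 0x38)[0]


def carve(buf, off):
    """Cut the mapped image out of the dump, from the MZ header up to
    SizeOfImage (clipped to the buffer)."""
    return buf[off:off + size_of_image(buf, off)]


def build_fake_image(size):
    """Constructed test data: a minimal PE32 header padded to size. Not a
    real DLL; only the fields the carver reads are filled in."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 0x38, size)                  # SizeOfImage
    return (bytes(dos) + PE_SIG + file_hdr + bytes(opt)).ljust(size, b"\0")


# Constructed dump: a few bytes of set-up stub, a decoy "MZ" whose e_lfanew
# is garbage, then the real image, then trailing bytes.
SAMPLE = b"\xe8\x00\x00\x00\x00\x5b" + MZ + b"\0" * 0x40 + build_fake_image(0x400) + b"\xcc" * 8

if __name__ == "__main__":
    for off in find_pe_headers(SAMPLE):
        print("PE at 0x%x, SizeOfImage 0x%x" % (off, size_of_image(SAMPLE, off)))
```

<div class="p1">
Run <span class="s2">find_pe_headers</span> over the malfind output and carve at the offset it reports. The result is a memory-mapped image, so section raw offsets must be rewritten (or the file treated as mapped) before the export table, and with it the <span style="background-color: #fff2cc;">Work</span> export, can be read with the usual PE tools.</div>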
<h2>
</h2>
<h3>
Communication</h3>
<div>
<div class="p1">
Asprox communicates with its c2 over HTTP. Traditionally the requests were HTTP GET requests, with the data RC4 encrypted using a unique but static key. The Trend Micro report "<i><a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf" target="_blank">Asprox Reborn</a>" </i>describes this communication in detail. However, the new versions of asprox use a much more complicated encryption scheme with HTTP POST requests. The new scheme has been described <a href="http://stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html" target="_blank">here</a>; this report elaborates on that description. </div>
</div>
<ol class="ol1">
</ol>
</div>
<h3>
</h3>
<h3>
ID Generator</h3>
<div>
<div class="p1">
Each bot is assigned a unique ID that is used both to identify it to the c2 and, as described below, to derive an encryption key. The ID is generated using the following algorithm:</div>
<div class="p2">
<span style="background-color: #d9ead3;">md5( binary_SID + os_install_date + account_name_string)</span><span class="s1">. </span></div>
<div class="p3">
<br /></div>
<div class="p1">
Note that when RegOpenKeyExA is called to open the key holding the OS install date, the KEY_WOW64_64KEY flag is not passed in the samDesired argument. Since asprox.dll runs in a 32-bit process, the missing flag means that on a 64-bit system the call is redirected to the 32-bit (WOW6432Node) view of the registry and the lookup returns a null value. As a result the OS install date that goes into the ID hash is 0 on all 64-bit systems. </div>
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiECueW9EXbIP6XP0WJqaOcXmEr6JQYHOECYg-vKBECthuXglo3SuZVxUoBqUmoZMKW_D0shRV31h7FZwHG2qWrekJr0fbsY2YPDjiBnZghwm8Jqzq082xN0uXEyDK9pb_7PZvevtXQDvI/s1600/Screen+Shot+2014-01-04+at+2.43.40+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="92" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiECueW9EXbIP6XP0WJqaOcXmEr6JQYHOECYg-vKBECthuXglo3SuZVxUoBqUmoZMKW_D0shRV31h7FZwHG2qWrekJr0fbsY2YPDjiBnZghwm8Jqzq082xN0uXEyDK9pb_7PZvevtXQDvI/s640/Screen+Shot+2014-01-04+at+2.43.40+AM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">RegOpenKeyExA to get OS install date without the KEY_WOW64_64KEY flag set</td></tr>
</tbody></table>
<div class="p1">
In addition to identification a substring of the ID is also used for encryption. The <span style="background-color: #fff2cc;">first 4 bytes of the ID are used to create an ID_Key</span> that is used to encrypt and decrypt locally stored values in registry keys as well as encrypt the URL for the c2 communication. </div>
<div class="p2">
<br /></div>
<div class="p1">
</div>
<div class="p1">
I have included a small PowerShell script that generates the asprox ID and ID_Key for the system it runs on. Note: the script will not work on domain-joined systems as the NTAccount lookup would need to be adapted to resolve the domain SID.<br />
<br /></div>
<div class="p1">
<br /></div>
</div>
<pre class="brush: powershell">$sUsername = [Environment]::UserName
$bUsername = [System.Text.Encoding]::UTF8.GetBytes($sUsername)
# Resolve the current account to its SID and take the binary form,
# which is what the bot feeds into the hash
$objUser = New-Object System.Security.Principal.NTAccount($sUsername)
$objSid = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$bSid = New-Object 'byte[]' $objSid.BinaryLength
$objSid.GetBinaryForm($bSid, 0)
# The bot always runs as a 32-bit process. On a 64-bit OS its InstallDate
# lookup is redirected to the WOW64 registry view and returns nothing, so
# the DWORD that goes into the hash is 0 no matter which PowerShell host
# this script runs in: test the OS bitness, not the host's pointer size.
if ([Environment]::Is64BitOperatingSystem) {
    # account for the missing KEY_WOW64_64KEY flag in the bot's lookup
    $bInstallDate = [System.BitConverter]::GetBytes([int32]0)
}
else {
    $key = "hklm:\software\microsoft\windows nt\currentversion"
    $data = Get-ItemProperty -Path $key -Name "InstallDate"
    $bInstallDate = [System.BitConverter]::GetBytes([int32]$data.InstallDate)
}
$md5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
$hash = [System.BitConverter]::ToString($md5.ComputeHash([byte[]]($bSid + $bInstallDate + $bUsername)))
$Id = $hash -replace '-', ''
# The first 4 bytes of the ID (8 hex characters) form the ID_Key
$IdKey = $Id.Substring(0, 8)
Write-Output "ID: $Id"
Write-Output "ID Key: $IdKey"</pre>
<h3>
Group ID</h3>
<div>
<div class="p1">
In addition to the unique ID each bot is assigned a Group_ID. Though we can't be certain what the Group_ID is used for, we can hypothesize that it is used to track groups of bots and make bot management easier. When asprox.dll runs and no run key is set for it, the Group_ID is taken from a hard coded string in the asprox.dll. </div>
<div class="p2">
<br /></div>
<div class="p1">
If a run key is set, it instead enumerates all keys in HKEY_CURRENT_USER\Software and attempts to RC4 decrypt each key value using the ID_Key. It then compares the decrypted value against the string "<span style="background-color: #fff2cc;">For group!!!!!</span>"; if the string matches, the remainder of the decrypted value (after the "For group" part) is used as the Group_ID.</div>
<div class="p1">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqsdVe7Y9w6IgjY3ylYAx8LVgQrLsoV1ySyQQ2OTM7E8gvsspTlBiTZmvUVW35Q8eIjDtnTK8TTKms6jupliuBzYyLrDvwLzBKzO1Cx0cHwUjR00W_w_Xwli-n9ucQwURkPU3QkAbPpa0/s1600/Screen+Shot+2014-01-04+at+2.37.04+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="475" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqsdVe7Y9w6IgjY3ylYAx8LVgQrLsoV1ySyQQ2OTM7E8gvsspTlBiTZmvUVW35Q8eIjDtnTK8TTKms6jupliuBzYyLrDvwLzBKzO1Cx0cHwUjR00W_w_Xwli-n9ucQwURkPU3QkAbPpa0/s640/Screen+Shot+2014-01-04+at+2.37.04+AM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Asprox enumerating HKEY_CURRENT_USER\Software for "For Group!!!!!" key</td></tr>
</tbody></table>
<div class="p1">
This provides us with another IOC: a registry key in <span style="background-color: #fff2cc;">HKEY_CURRENT_USER\Software with a name composed of 8 random lowercase letters</span> whose value can be RC4 decrypted with the host's ID_Key to reveal the string "For group!!!!!&lt;group_id&gt;". This key is only set once asprox.dll has successfully communicated with the c2 10 times.</div>
<div class="p1">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHzyOCMiaL6LrH9CWnmoG5IXuK_b8pHPXnWaaaxlrzGRAbhWwSuDN7R6A0zJqWqkoaGBnmeSeGKPBKUNOrK4P3TV85ftzDvvkQ8MJxzegHq9_6u2tMklC1psV0A64cdY7QvsjJlPL0OLw/s1600/group+reg+key.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHzyOCMiaL6LrH9CWnmoG5IXuK_b8pHPXnWaaaxlrzGRAbhWwSuDN7R6A0zJqWqkoaGBnmeSeGKPBKUNOrK4P3TV85ftzDvvkQ8MJxzegHq9_6u2tMklC1psV0A64cdY7QvsjJlPL0OLw/s640/group+reg+key.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example of asprox For Group!!!!! registry key </td></tr>
</tbody></table>
<h3>
</h3>
<div>
<br /></div>
<h3>
IP Addresses</h3>
<div>
<div class="p1">
Asprox gets its IP addresses from one of two locations, either a registry key, or hard coded in the asprox.dll. Each time asprox.dll makes a new network request to the c2 it uses the same method described above in <i>Group ID </i>to enumerate all the keys under HKEY_CURRENT_USER\Software, decrypt their values, and compare them to the string "<span style="background-color: #fff2cc;">You Fag!!!!!</span>". If the string compare matches then the part of the key after the you fag string is interpreted as an in_addr struct. This key is only set when asprox.dll receives new IP addresses from the c2.</div>
<div class="p2">
<br /></div>
<div class="p1">
If no registry key is found, asprox.dll falls back to a hard-coded IP address that is RC4 encrypted with a hard-coded key. The hard-coded key varies with each version of asprox. </div>
</div>
<div>
<br /></div>
<h3>
URL String</h3>
<div>
<div class="p1">
The URL path is hard-coded in asprox.dll as "<span style="background-color: #fff2cc;">/index.php?r=gate</span>", but it is RC4 encrypted with the ID_Key and prepended with the ID_Key before being sent. The new versions of asprox use a POST instead of a GET, so no interesting parameters are passed in this URL.<br />
<br /></div>
<h3>
Request Body (XML)</h3>
</div>
<div>
<div class="p1">
The actual content sent by asprox.dll to the c2 is encapsulated in XML. There are two versions of the XML, a slightly older version and a newer version. Both are described below.<br />
<br />
<h4>
Older Version</h4>
<br /></div>
</div>
<style type="text/css">
table.tableizer-table {
border: 1px solid #CCC; font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
}
.tableizer-table td {
padding: 4px;
margin: 3px;
border: 1px solid #ccc;
}
.tableizer-table th {
background-color: #104E8B;
color: #FFF;
font-weight: bold;
}
</style>
<br />
<table class="tableizer-table">
<tbody>
<tr class="tableizer-firstrow"><th>XML</th><th>Explanation</th></tr>
<tr>
<td><knock></td><td>XML top element open</td>
</tr>
<tr>
<td><id>%s</id></td><td>ID string</td>
</tr>
<tr>
<td><group>%s</group> </td><td>Group ID string</td>
</tr>
<tr>
<td><time>%d</time> </td><td>Negative timestamp</td>
</tr>
<tr>
<td><version>%d</version> </td><td>Hardcoded bot version</td>
</tr>
<tr>
<td><status>%d</status></td><td>Status of last command</td>
</tr>
<tr>
<td><debug>%s</debug></td><td>Environment information such as OS version, 64/32bit, firewall, antivirus</td>
</tr>
<tr>
<td></knock></td><td>XML top element close</td>
</tr>
</tbody></table>
<div>
<div>
<br />
<h4>
New Version</h4>
<br /></div>
<br />
<table class="tableizer-table">
<tbody>
<tr class="tableizer-firstrow"><th>XML</th><th>Explanation</th></tr>
<tr>
<td><knock></td><td>XML top element open.</td>
</tr>
<tr>
<td><id>%s</id></td><td>ID string.</td>
</tr>
<tr>
<td><group>%s</group> </td><td>Group ID string.</td>
</tr>
<tr>
<td><src>%d</src> </td><td>Reports if any of the researcher tool or sandbox strings are found.</td>
</tr>
<tr>
<td><transport>%d</transport> </td><td>Reports if asprox is running from a removable drive. This may hint at a possible worm version in the future.</td>
</tr>
<tr>
<td><time>%d</time> </td><td>Negative timestamp.</td>
</tr>
<tr>
<td><version>%d</version> </td><td>Hardcoded bot version.</td>
</tr>
<tr>
<td><status>%d</status></td><td>Status of last command.</td>
</tr>
<tr>
<td><debug>%s</debug></td><td>Environment information such as OS version, 64/32bit, firewall, antivirus.</td>
</tr>
<tr>
<td></knock></td><td>XML top element close.</td>
</tr>
</tbody></table>
</div>
<div>
<br />
<br /></div>
<div>
<h3>
Request Encryption</h3>
</div>
<div>
<div class="p1">
Once the XML body has been constructed it is bzip compressed and then RC4 encrypted with a dynamically generated key. The key is then RSA encrypted with the following public key:</div>
<div class="p1">
<br /></div>
<div class="p1">
<span style="background-color: #fff2cc;">-----BEGIN PUBLIC KEY-----</span></div>
<div class="p1">
<span style="background-color: #fff2cc;">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUAUdLJ1rmxx+bAndp+Cz6+5I</span></div>
<div class="p1">
<span style="background-color: #fff2cc;">Kmgap2hn2df/UiVglAvvg2US9qbk65ixqw3dGN/9O9B30q5RD+xtZ6gl4ChBquqw</span></div>
<div class="p1">
<span style="background-color: #fff2cc;">jwxzGTVqJeexn5RHjtFR9lmJMYIwzoc/kMG8e6C/GaS2FCgY8oBpcESVyT2woV7U</span></div>
<div class="p1">
<span style="background-color: #fff2cc;">00SNFZ88nyVv33z9+wIDAQAB</span></div>
<div class="p1">
<span style="background-color: #fff2cc;">-----END PUBLIC KEY-----</span></div>
</div>
<div class="p1">
<br /></div>
The encrypted key and body are then sent as part of the POST request body. The format of the POST request varies between the slightly older version and the newer version of the bot. Both formats are described below.<br />
<div class="p1">
<br />
<h4>
Older Version</h4>
<div>
<div class="p1">
The older version uses multipart/form-data as the Content-Type and sends the key and body as two separate parts, <span style="background-color: #fff2cc;">name="key" filename="key.bin"</span> and <span style="background-color: #fff2cc;">name="data" filename="data.bin"</span>.</div>
</div>
</div>
<div class="p1">
<br /></div>
<div class="p1">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8FJgXkyLWKYDkBoxRmYWC0QfBFh7JI6SyC48oxHfEvm1Kw9VUiGvoXwr6xx0nz3pf5p2URFwUdUlH-sSBQMtIB3X-VwZMObb__zzK4WEvTab-Vqu_o8ztItZY10Ux94_2eph-nXIhqVo/s1600/Screen+Shot+2014-01-04+at+5.30.34+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="303" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8FJgXkyLWKYDkBoxRmYWC0QfBFh7JI6SyC48oxHfEvm1Kw9VUiGvoXwr6xx0nz3pf5p2URFwUdUlH-sSBQMtIB3X-VwZMObb__zzK4WEvTab-Vqu_o8ztItZY10Ux94_2eph-nXIhqVo/s640/Screen+Shot+2014-01-04+at+5.30.34+AM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example of older style asprox encrypted request</td></tr>
</tbody></table>
<h4>
New Version</h4>
<div>
<div class="p1">
The new version uses <span style="background-color: #fff2cc;">application/x-www-form-urlencoded</span> as the Content-Type and does not have any ASCII strings in the body. This eliminates any network IOCs that we might have used from the older version.</div>
</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1BsfpFB7n51jRSYorbRUWGl2zda-F-aYYrfYXLajkulEBlQp0FAXfad8qMMb-zkfourpZV6hKDNuPZyQ89chWTECN7BSbkGZPZ4jyTjccCc3Q35JoaBnM2WbEQz7PCHIa9ZH00S7QsBA/s1600/Screen+Shot+2014-01-04+at+5.31.37+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1BsfpFB7n51jRSYorbRUWGl2zda-F-aYYrfYXLajkulEBlQp0FAXfad8qMMb-zkfourpZV6hKDNuPZyQ89chWTECN7BSbkGZPZ4jyTjccCc3Q35JoaBnM2WbEQz7PCHIa9ZH00S7QsBA/s640/Screen+Shot+2014-01-04+at+5.31.37+AM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example of new style asprox encrypted c2 request</td></tr>
</tbody></table>
<br />
<div class="p1">
If we take a closer look at the data being sent in the body, we can decipher how the key and body are combined. The first 4 bytes of the body represent the length of the encrypted key (little endian), 0x00000080. This is followed by the encrypted key. The encrypted key is followed by another 4 bytes that represent the length of the encrypted body, 0x000000b6. These 4 bytes are then followed by the encrypted body.<br />
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAx6lvGxGugyfMkNpA7j7DkuI4h8FXsH_Km5IQIAL84fALVv8UKBsbYKy_Csm_T6kUvyzwxmeOgOd4_w1isSfJkGEi89uf3ubjUpqP9roQ76um9qSAKh0MKZqOhi3en976ZRlwbHd63R4/s1600/Screen+Shot+2014-01-04+at+5.37.40+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAx6lvGxGugyfMkNpA7j7DkuI4h8FXsH_Km5IQIAL84fALVv8UKBsbYKy_Csm_T6kUvyzwxmeOgOd4_w1isSfJkGEi89uf3ubjUpqP9roQ76um9qSAKh0MKZqOhi3en976ZRlwbHd63R4/s1600/Screen+Shot+2014-01-04+at+5.37.40+AM.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">A closer look at the new style of asprox encrypted c2 request</td></tr>
</tbody></table>
<h3>
Response Decryption</h3>
<div class="p1">
The response received from the c2 follows the same pattern as described above, but instead of a key and body the c2 sends an RSA-signed hash of the response data followed by the response data itself, bzip compressed and RC4 encrypted with the key that was sent in the request. </div>
<div class="p2">
<br /></div>
<div class="p1">
Examining the response, we can see that the first 4 bytes of the response body represent the length of the RSA-signed hash of the data (little endian), 0x00000080. This is followed by the RSA-signed hash. The RSA-signed hash is followed by another 4 bytes that represent the length of the RC4 encrypted data, 0x00000069. These 4 bytes are then followed by the RC4 encrypted data.</div>
<div class="p1">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhljDrIBcal2Iq4ZwoLxv1aQTl3nMsFtH8soEbfG6qMF35BosCqUcfvM_CE7xaG9zehyphenhyphen2oJfKRBTE7SartGdx9hRz_r_NkfL4ZBICktDiQsX1edsPrCW3PQ1J2ClPM1E3sbqJ7X0kPh8EQ/s1600/Screen+Shot+2014-01-04+at+5.50.57+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhljDrIBcal2Iq4ZwoLxv1aQTl3nMsFtH8soEbfG6qMF35BosCqUcfvM_CE7xaG9zehyphenhyphen2oJfKRBTE7SartGdx9hRz_r_NkfL4ZBICktDiQsX1edsPrCW3PQ1J2ClPM1E3sbqJ7X0kPh8EQ/s1600/Screen+Shot+2014-01-04+at+5.50.57+AM.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">A close look at asprox c2 encrypted response </td></tr>
</tbody></table>
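As an added example (not code from this post or from the Asprox sample), the Python below decodes the two artefacts described in this write-up: the HKEY_CURRENT_USER\Software marker values from the <i>Group ID</i> and <i>IP Addresses</i> sections, and the length-prefixed request/response framing from the <i>Request Encryption</i> and <i>Response Decryption</i> sections, ending with the command XML of the kind shown under <i>Commands and Capabilities</i>. The Key_ID, the RC4 session key, the registry snapshot and the wrapped response are all constructed for the demo. The RSA-signed hash is left opaque (its 128-byte length is what a 1024-bit RSA key, such as the one shown above, produces), and reading the in_addr bytes in memory order as a dotted quad is an assumption.<br />

```python
"""Decoders for the Asprox registry markers and the c2 request/response framing."""
import bz2
import struct
import xml.etree.ElementTree as ET

# Marker strings the bot looks for after RC4-decrypting each HKCU\Software\<name> value
# (case as written in the Group ID section of the post).
GROUP_MARKER = b"For group!!!!!"  # value = marker + group id, set after 10 successful knocks
IP_MARKER = b"You Fag!!!!!"       # value = marker + in_addr (4 bytes), set when the c2 sends IPs


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_marker_values(values: dict, key_id: bytes) -> dict:
    """Walk a {subkey_name: raw_value} snapshot of HKCU\\Software, keep only the
    8-lowercase-letter names, RC4-decrypt each value with the host Key_ID and
    pull out the group id and any c2 IPs hidden behind the marker strings."""
    found = {}
    for name, blob in values.items():
        if not (len(name) == 8 and name.isalpha() and name.islower()):
            continue
        plain = rc4(key_id, blob)
        if plain.startswith(GROUP_MARKER):
            found["group"] = plain[len(GROUP_MARKER):].decode("ascii", "replace")
        elif plain.startswith(IP_MARKER):
            # Assumption: the in_addr is read in memory (network) byte order.
            raw = plain[len(IP_MARKER):len(IP_MARKER) + 4]
            found.setdefault("ips", []).append(".".join(str(b) for b in raw))
    return found


def parse_frame(blob: bytes) -> tuple:
    """Split a c2 body into its two parts: u32le len, part1, u32le len, part2.
    Request:  part1 = RSA-wrapped RC4 key, part2 = RC4(bzip2(knock XML)).
    Response: part1 = RSA-signed hash,     part2 = RC4(bzip2(command XML))."""
    if len(blob) < 8:
        raise ValueError("c2 frame too short")
    (n1,) = struct.unpack_from("<I", blob, 0)
    if 4 + n1 + 4 > len(blob):
        raise ValueError("first length field runs past the end of the frame")
    (n2,) = struct.unpack_from("<I", blob, 4 + n1)
    if 8 + n1 + n2 != len(blob):
        raise ValueError("second length field does not match the remaining bytes")
    return blob[4:4 + n1], blob[8 + n1:8 + n1 + n2]


def build_frame(part1: bytes, part2: bytes) -> bytes:
    """Inverse of parse_frame; used here only to construct the sample response."""
    return struct.pack("<I", len(part1)) + part1 + struct.pack("<I", len(part2)) + part2


def decode_response(blob: bytes, session_key: bytes) -> dict:
    """Unwrap a c2 response with the RC4 key that went out in the request:
    RC4-decrypt part2, bzip2-decompress it and read the command XML."""
    signature, enc = parse_frame(blob)
    root = ET.fromstring(bz2.decompress(rc4(session_key, enc)))
    task = root.find("task")
    return {
        "sig_len": len(signature),  # 128 for the 1024-bit key shown in the post
        "id": root.findtext("id"),
        "task": task.get("type") if task is not None else None,
    }


# Constructed samples (not real captures): a made-up Key_ID and registry snapshot ...
SAMPLE_KEY_ID = b"demo-key-id"
SAMPLE_VALUES = {
    "qwertyui": rc4(SAMPLE_KEY_ID, GROUP_MARKER + b"1337"),
    "asdfghjk": rc4(SAMPLE_KEY_ID, IP_MARKER + bytes([10, 0, 0, 2])),
    "NotAsprox": b"\x00",  # wrong name shape, must be ignored
}
# ... and the command XML from the post, wrapped the way the c2 response is described.
SAMPLE_SESSION_KEY = b"demo-session-key"
SAMPLE_XML = b'<knock><id>P35E71L7CK3DF19AD5D138677W6C734T</id><task type="idl" /></knock>'
SAMPLE_RESPONSE = build_frame(b"\x00" * 128, rc4(SAMPLE_SESSION_KEY, bz2.compress(SAMPLE_XML)))

if __name__ == "__main__":
    print(decode_marker_values(SAMPLE_VALUES, SAMPLE_KEY_ID))
    print(decode_response(SAMPLE_RESPONSE, SAMPLE_SESSION_KEY))
```

The same parse_frame serves both directions: feed it the raw POST body of a new-style request (key part, then data part) or the response body (signature part, then data part). decode_response needs the RC4 session key recovered from the bot's memory or from the decrypted key part, since the c2's RSA private key is not available to an analyst; the length checks are there because a truncated capture otherwise decrypts to garbage without any error.<br />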
<h3>
Commands and Capabilities</h3>
<div>
<div class="p1">
The commands have not changed since the release of the Trend Micro report; however, their encoding has. The commands are now sent encapsulated in XML and are parsed with the MSXML 3.0 COM object. An example of a command XML is displayed below.</div>
<div class="p1">
<br /></div>
<div class="p1">
<span style="background-color: #fff2cc;"><knock></span></div>
<div class="p1">
<span style="background-color: #fff2cc;"><id>P35E71L7CK3DF19AD5D138677W6C734T</id></span></div>
<div class="p1">
<span style="background-color: #fff2cc;"><task type="idl" /></span></div>
<div class="p1">
<span style="background-color: #fff2cc;"></knock></span></div>
<div class="p1">
<br /></div>
<div class="p1">
The following commands are available to the asprox c2 server.<br />
<br /></div>
</div>
<br />
<table class="tableizer-table">
<tbody>
<tr class="tableizer-firstrow"><th>Command</th><th>Explanation</th></tr>
<tr>
<td>idl</td><td>Long sleep, no commands.</td>
</tr>
<tr>
<td>rdl</td><td>Download and run asprox module.</td>
</tr>
<tr>
<td>run</td><td>Download .exe, install and run it.</td>
</tr>
<tr>
<td>rem</td><td>Uninstall. This command removes the asprox .exe, run key, and You Fag!!!!! key, but it doesn't remove the For Group!!!!! key. This can be used as a potential IOC to show asprox was installed even after it removes itself.</td>
</tr>
<tr>
<td>red</td><td>Update registry keys.</td>
</tr>
<tr>
<td>upd</td><td>Update asprox .exe</td>
</tr>
</tbody></table>
<div class="p1">
<br /></div>
</div>
<div class="p1">
<h3>
Samples and IOCs</h3>
<div>
A memory-only IOC can be found in <a href="http://iocbucket.com/iocs/0c0cacc65c64ee83306bd49e62cab949c823da3d" target="_blank">IOC Bucket</a>. This IOC is tailored to match only on the memory strings that will be most difficult for the malware authors to modify.<br />
<br />
A disk IOC can be found on pastebin <a href="http://pastebin.com/WgKj13L7" target="_blank">here</a>. The IOC uses OpenIOC v1.1, as it requires regular expressions for file paths and registry keys. It will be posted to IOC Bucket as soon as OpenIOC 1.1 is supported (note: most tools do not yet support OpenIOC v1.1).<br />
<br />
<h4>
Samples</h4>
<div>
The older new version of asprox and the extracted dll can be found <a href="https://mega.co.nz/#!7hJQmCCI!MtdMNWBK0DQOqNkPUOAuDDdX1vMG-HytS6xB4yVm5JE" target="_blank">here</a> while the new version of asprox and the extracted dll can be found <a href="https://mega.co.nz/#!jk5z3AIB!StLk9xJRsgRCguazs1XK7TzvDuFjXc_XWCF49tlkQ9U" target="_blank">here</a>.</div>
<div>
<br /></div>
<div>
The cuckoo sandbox report for the older new version of asprox can be found <a href="https://malwr.com/analysis/MjZmNzZhZDI5ZjBkNDRkZmIzYjZkN2Y5NjdiMTFkZGE/" target="_blank">here</a> while the cuckoo sandbox report for the new version of asprox can be found <a href="https://malwr.com/analysis/NDdjMWUyMTkwZjQ1NGM3NDgzMjNmZThlYTJiMGZlNjE/" target="_blank">here</a>.</div>
<br /></div>
<div>
I will make all my IDA analysis .idb files available to researchers who are interested in verifying my work or collaborating. Please contact me <a href="https://twitter.com/herrcore" target="_blank">@herrcore</a> (I will only share with folks who I know or who can be verified by someone I know).</div>
<div>
<h3>
Next Steps</h3>
<div class="p1">
If you are interested in collaborating on a research project please contact me <a href="https://twitter.com/herrcore" target="_blank">@herrcore</a>. I have a few ideas of where to take this but I'll need some help.</div>
<div class="p1">
<br /></div>
<div class="p1">
I will also be posting a smaller report detailing how asprox has evolved over the past five months. My intent is to provide some insight into how the asprox developers work and what direction the botnet might be heading in.</div>
<div class="p2">
<br /></div>
<h3>
Final Note</h3>
<div class="p1">
The developers of Asprox have been shown to be very reactive to reports that are generated by researchers; one week after posting about the hard-coded multipart boundary string in their POST requests they updated the bot and removed the string from their POST requests. I expect that this report will cause them to change the communication and encryption of the bot but any changes will be quick to reverse given the information that is provided in this report.</div>
</div>
</div>
<div class="p1">
<br /></div>
</div>
</div>
</div>
Screensaver Malware Like It's 2006 (herrcore, published 2013-11-19, updated 2016-09-11)<br />
This content has moved to <a href="http://oalabs.openanalysis.net/2013/11/19/screensaver-malware-using-scr-executables/">http://oalabs.openanalysis.net/2013/11/19/screensaver-malware-using-scr-executables/</a><br />
Remember way back in 2006, when custom screen savers were the new hotness and everyone was googling "<a href="http://www.benedelman.org/publications/searchsafety.pdf" target="_blank">free screensavers</a>" and getting infected with trojaned slideshows of majestic wildlife? Well, it seems screensaver malware has been re-invented in a clever new way and is being used to infect victims as part of a large e-mail trojan distribution campaign.<br />
<br />
If you are reading this, there is a good chance that you are trying to figure out why you are staring at an eFax attachment that contains a screensaver (.scr) file. To understand this we will need to dive into the internals of Windows file associations.<br />
<br />
<h3>
Background - Windows File Associations</h3>
Windows uses the file extension (the part of the file name after the last dot) to determine which program should be used to open the file. This mapping lives in the HKEY_CLASSES_ROOT registry hive, which contains a key for each file extension.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRHkMAiz7Tfp1qxrO-Kl3zYodV8r_1CCwyah3sSDPL-OHcfpHpV9A-tu0TnzaqkvUwSAI5T6Avnt03Oy91ZyvCL_QqLLMHPu33vnBWTQJkcfj34iSFe8FQYKeByeKf5rthLrBx-SlGAE8/s1600/Screen+Shot+2013-11-16+at+2.28.36+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRHkMAiz7Tfp1qxrO-Kl3zYodV8r_1CCwyah3sSDPL-OHcfpHpV9A-tu0TnzaqkvUwSAI5T6Avnt03Oy91ZyvCL_QqLLMHPu33vnBWTQJkcfj34iSFe8FQYKeByeKf5rthLrBx-SlGAE8/s1600/Screen+Shot+2013-11-16+at+2.28.36+PM.png" /></a></div>
<br />
<br />
The value of each of these keys names a second key in the same hive, which describes how the file should be opened (\shell\open\command).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_do4Y08iCdw4nI3jYlN6cZglLD4q_kLLvrhC6u-XlQuy1zVJ8EyncT0nlgzNnzUOXkqbgHYCfEsaa1TbDb0TzhQqxH2WlvzmcnijqS1tpwDrketIXX19yurcURnXeHCl2WsrD1hx802U/s1600/Screen+Shot+2013-11-16+at+2.29.40+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_do4Y08iCdw4nI3jYlN6cZglLD4q_kLLvrhC6u-XlQuy1zVJ8EyncT0nlgzNnzUOXkqbgHYCfEsaa1TbDb0TzhQqxH2WlvzmcnijqS1tpwDrketIXX19yurcURnXeHCl2WsrD1hx802U/s1600/Screen+Shot+2013-11-16+at+2.29.40+PM.png" /></a></div>
<br />
For a few special file types, instead of naming another program, the command is just "%1", which means the file itself is executed. As you can see, screen savers (.scr) are one such type. This means that any time you double-click an .scr file you are really just executing it; to put it even more simply, .scr is just another extension for an executable (.exe).<br />
<br />
<h3>
The Malware Threat</h3>
<div>
It seems an <a href="http://blog.mxlab.eu/2013/08/29/corporate-efax-message-with-zip-attachment-contains-trojan/" target="_blank">ongoing</a> e-mail trojan distribution campaign that had been using zipped .exe attachments has re-tooled and is now using zipped .scr attachments. The campaign seems to favour spoofing eFax e-mails, with a spoofed sender address and a fairly decent replication of a real eFax e-mail.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_COknKDD_pZ9eYiU_9otRIKICzjwajkkRkX_ZCLvfDpFfHrKg8HEINRyWKAI9jhHpnG0RATzgXeZgJWlweYKSfoDf1iW82kB8QDY-VC0OcWvmh3apU0exlsh3lIr_NOB97FRsg3X-Mj4/s1600/Screen+Shot+2013-11-19+at+11.09.34+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_COknKDD_pZ9eYiU_9otRIKICzjwajkkRkX_ZCLvfDpFfHrKg8HEINRyWKAI9jhHpnG0RATzgXeZgJWlweYKSfoDf1iW82kB8QDY-VC0OcWvmh3apU0exlsh3lIr_NOB97FRsg3X-Mj4/s1600/Screen+Shot+2013-11-19+at+11.09.34+PM.png" /></a></div>
<div>
<br />
Attached is a .zip file that contains the .scr file. As you can see, on a default Windows 7 system file extensions are not visible, and thanks to a PDF icon in the .scr file it does a good job of mimicking a real eFax PDF.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4CaJFI9JNumCNETePVFN0z5pWBVP-xc2jbU5CVc8yTh29Yw2ctD1yOjxhfH3X-qsOQWIvAZuVbstjJVe5b62bq_bQBIOH2lWOhN8ckS6DxrGs3sNDFK6FtFUAvKf04_ccbPsNQjZqjdU/s1600/Screen+Shot+2013-11-19+at+11.19.55+PM.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4CaJFI9JNumCNETePVFN0z5pWBVP-xc2jbU5CVc8yTh29Yw2ctD1yOjxhfH3X-qsOQWIvAZuVbstjJVe5b62bq_bQBIOH2lWOhN8ckS6DxrGs3sNDFK6FtFUAvKf04_ccbPsNQjZqjdU/s1600/Screen+Shot+2013-11-19+at+11.19.55+PM.png" /></a></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGKdu67-YUtfnAi-erZAV_hNFdqlo2XJL8UzfyrZFRm1iJC7bn-m_fuIjWj5a63THvG5EG6KLN45xWxAfhjB5oexgyaJnTuo2PnZG8DnChqOgaRHIBaZEciLAuCchrIAZrZ2vFin94QL8/s1600/Screen+Shot+2013-11-16+at+2.40.44+PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGKdu67-YUtfnAi-erZAV_hNFdqlo2XJL8UzfyrZFRm1iJC7bn-m_fuIjWj5a63THvG5EG6KLN45xWxAfhjB5oexgyaJnTuo2PnZG8DnChqOgaRHIBaZEciLAuCchrIAZrZ2vFin94QL8/s1600/Screen+Shot+2013-11-16+at+2.40.44+PM.png" /> </a><br />
<div class="separator" style="clear: both; text-align: left;">
If we take a close look at the eFax .scr file, we can see that it is really nothing more than an executable with a PDF icon.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS0Dzyrqy1NI1SQRjIcreZYvSwjkLqmrJUx2mj5bnyFwOV5ycXehRUvOqbxPTXfeh5lJN1hQGLcfqlcxWTQRrVn3gffhqLRSMsWUijc95U4jBk1nLN-P0TBqsMoTkKYlC6Z7HZybNEBWk/s1600/Screen+Shot+2013-11-16+at+2.48.39+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS0Dzyrqy1NI1SQRjIcreZYvSwjkLqmrJUx2mj5bnyFwOV5ycXehRUvOqbxPTXfeh5lJN1hQGLcfqlcxWTQRrVn3gffhqLRSMsWUijc95U4jBk1nLN-P0TBqsMoTkKYlC6Z7HZybNEBWk/s1600/Screen+Shot+2013-11-16+at+2.48.39+PM.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWze-Levq_DYp2wWcVgROld-z4S0IAwR22_364w3jtTxvdzzcXQ0WR5pOg5qzNfGa1FF69RV0QX5PnWzfkAdZMs___4nrX9PGtAcX1QaDQticZWxaZYnjTi_CfdWH514ejG6tCUb2T3U4/s1600/Screen+Shot+2013-11-16+at+2.49.53+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWze-Levq_DYp2wWcVgROld-z4S0IAwR22_364w3jtTxvdzzcXQ0WR5pOg5qzNfGa1FF69RV0QX5PnWzfkAdZMs___4nrX9PGtAcX1QaDQticZWxaZYnjTi_CfdWH514ejG6tCUb2T3U4/s1600/Screen+Shot+2013-11-16+at+2.49.53+PM.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As we can see VirusTotal definitely identifies the .scr as a <a href="https://www.virustotal.com/en/file/e65315616ee6ac28ec9e8f0f43ddb0f189a81b515369a72fc8a6b69db280d829/analysis/" target="_blank">malicious file</a> and malwr has a decent profile of its <a href="https://malwr.com/analysis/OWI0MWI4NGJmZGMwNDg1NWI5M2E5Y2U2NGMyNzFkMzA/" target="_blank">malicious behaviour</a>. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h3>
Detection</h3>
</div>
<div>
So, why go to all the trouble of renaming the .exe malware to .scr? At first I suspected that this was part of the social engineering aspect of the e-mail: an attempt to make the file less suspicious to the victim. This may indeed be part of the reason for the renaming, but, as noted above, file extensions are not visible on a default Windows 7 install, so most users will never see the extension. Instead, I suspect the more plausible explanation for the rename is to avoid e-mail filter detection (and possibly some network antivirus detection). Some older, lower-end or poorly configured IPS/IDS and e-mail filtering technology does not examine the full file contents and only uses the file extension to determine whether an attachment is suspicious. This is especially true of zipped files, given the overhead/bandwidth required to unzip and then inspect files.</div>
<div>
<br /></div>
<div>
Whatever the reason, if you have IPS/IDS or e-mail filters that use only file extensions inside zip files to evaluate threats, you will want to add .scr to the list of suspicious files. In fact, I used a little PowerShell magic to search the HKEY_CLASSES_ROOT registry hive for all file extensions that are treated like executable files.</div>
<div>
<pre class="brush:plain;">HKEY_CLASSES_ROOT\.bat = batfile
HKEY_CLASSES_ROOT\batfile\shell\open\command = "%1" %*
HKEY_CLASSES_ROOT\.cmd = cmdfile
HKEY_CLASSES_ROOT\cmdfile\shell\open\command = "%1" %*
HKEY_CLASSES_ROOT\.com = comfile
HKEY_CLASSES_ROOT\comfile\shell\open\command = "%1" %*
HKEY_CLASSES_ROOT\.exe = exefile
HKEY_CLASSES_ROOT\exefile\shell\open\command = "%1" %*
HKEY_CLASSES_ROOT\.pif = piffile
HKEY_CLASSES_ROOT\piffile\shell\open\command = "%1" %*
HKEY_CLASSES_ROOT\.scr = scrfile
HKEY_CLASSES_ROOT\scrfile\shell\open\command = "%1" /S
</pre>
Based on these results you should be detecting .bat, .cmd, .com, .exe, .pif and .scr files in .zip e-mail attachments as potentially malicious. In fact, if we look through the most recent eFax submissions to malwr.com, it looks like another file extension, .pif, is already being used by the malware campaign.<br />
<br /></div>
<div>
<pre class="brush:plain;">pdf_efax_4298299310.pif
pdf_efax_6785462001.scr
efax_9057733019_pdf.zip
efax_9057733019_pdf.exe
efax_9057733019_pdf.scr
pdf_efax_9057733019.scr
pdf_efax_9057733000.scr
</pre>
<br /></div>
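As an added example (not the PowerShell one-liner the post refers to, which is not reproduced here), the Python below does the same two things a mail filter needs: derive the "run-it-yourself" extension set from an HKCR listing in the format printed above, and then apply that set to the members of a zip attachment, recursing into nested zips and looking only at the last extension so double-extension names like efax_pdf.scr are still caught. The HKCR listing is the one from the post plus a constructed, non-executable .pdf association for contrast; the attachment is built in memory from names modelled on the malwr.com submissions listed above, so everything runs offline.<br />

```python
"""Flag zip attachment members that Windows would run as a program."""
import io
import zipfile

# Constructed input: the HKCR listing printed in the post, plus one ordinary
# (non-executable) association so the filter has something to leave alone.
HKCR_DUMP = r"""
HKEY_CLASSES_ROOT\.bat = batfile
HKEY_CLASSES_ROOT\batfile\shell\open\command = "%1" %*
HKEY_CLASSES_ROOT\.cmd = cmdfile
HKEY_CLASSES_ROOT\cmdfile\shell\open\command = "%1" %*
HKEY_CLASSES_ROOT\.com = comfile
HKEY_CLASSES_ROOT\comfile\shell\open\command = "%1" %*
HKEY_CLASSES_ROOT\.exe = exefile
HKEY_CLASSES_ROOT\exefile\shell\open\command = "%1" %*
HKEY_CLASSES_ROOT\.pif = piffile
HKEY_CLASSES_ROOT\piffile\shell\open\command = "%1" %*
HKEY_CLASSES_ROOT\.scr = scrfile
HKEY_CLASSES_ROOT\scrfile\shell\open\command = "%1" /S
HKEY_CLASSES_ROOT\.pdf = pdffile
HKEY_CLASSES_ROOT\pdffile\shell\open\command = "C:\Example\Reader.exe" "%1"
"""


def executable_extensions(dump: str) -> set:
    """Extensions whose open command starts with %1, i.e. the file is the program.
    Takes 'key = value' lines as in the listing above (extension -> ProgID, then
    ProgID\\shell\\open\\command -> command line)."""
    ext_to_progid, progid_cmd = {}, {}
    for line in dump.splitlines():
        key, sep, value = line.partition(" = ")
        if not sep:
            continue
        path = key.split("\\")[1:]  # drop the HKEY_CLASSES_ROOT prefix
        if len(path) == 1 and path[0].startswith("."):
            ext_to_progid[path[0].lower()] = value.strip()
        elif path[-3:] == ["shell", "open", "command"]:
            progid_cmd[path[0]] = value.strip()
    return {ext for ext, progid in ext_to_progid.items()
            if progid_cmd.get(progid, "").lstrip('"').startswith("%1")}


def _extension(name: str) -> str:
    """Last extension of a zip member name, lower-cased, or '' if it has none."""
    base = name.rsplit("/", 1)[-1]  # zip member paths use forward slashes
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def suspicious_members(zip_bytes: bytes, exts: set) -> list:
    """Member names (recursing into nested zips) that carry an executable extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = _extension(info.filename)
            if ext in exts:
                hits.append(info.filename)
            elif ext == ".zip":
                hits += [info.filename + "/" + inner
                         for inner in suspicious_members(zf.read(info), exts)]
    return hits


def build_sample_zip() -> bytes:
    """Constructed attachment: names modelled on the eFax submissions in the post,
    one genuine-looking PDF, and a nested zip hiding a .pif. Contents are dummies."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("pdf_efax_4298299310.pif", b"MZ")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("efax_9057733019_pdf.scr", b"MZ")
        zf.writestr("efax_9057733019.pdf", b"%PDF-1.4")
        zf.writestr("efax_9057733019_pdf.exe", b"MZ")
        zf.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    exts = executable_extensions(HKCR_DUMP)
    print(sorted(exts))
    print(suspicious_members(build_sample_zip(), exts))
```

On a real host the listing would come from the registry itself and would be longer (other self-executing associations exist beyond the six the post found), which is the point of deriving the set rather than hard-coding it; the zip check is deliberately name-based so it mirrors what the extension-only filters described above can do, and should sit alongside, not replace, content inspection.<br />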
Sweet Orange - Update (herrcore, published 2013-10-02, updated 2016-09-11)<br />
This content has moved to <a href="http://oalabs.openanalysis.net/2013/10/01/sweet-orange-exploit-kit-2013/">http://oalabs.openanalysis.net/2013/10/01/sweet-orange-exploit-kit-2013/</a><br />
After 48h of monitoring the Sweet Orange EK noted in our previous <a href="http://herrcore.blogspot.ca/2013/10/sweet-orange-in-action.html" target="_blank">post</a>, some of the indicators have changed. Now that we know what changes and what doesn't, we can refactor our previous indicators and make them more robust.<br />
<br />
We now know the refresh rate for the domain generation and URL parameter changes: the EK changes URL parameters every <u>minute</u>, while the domain is changed every <u>6 minutes</u>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTE5oiRqJCdK1lveyiEVOIGY8eNLNFiQ21ip9y-XLqhmPomB9uRDYKO-JNBof3Mc4JgdWag_WdG8F2f_WJMLQ-orMOZ_C5C3lDZGu1A265pJsFtiZkDThuxRJhnGp-C-aFd7evoGM7jEQ/s1600/Screen+Shot+2013-10-05+at+12.20.00+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="462" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTE5oiRqJCdK1lveyiEVOIGY8eNLNFiQ21ip9y-XLqhmPomB9uRDYKO-JNBof3Mc4JgdWag_WdG8F2f_WJMLQ-orMOZ_C5C3lDZGu1A265pJsFtiZkDThuxRJhnGp-C-aFd7evoGM7jEQ/s640/Screen+Shot+2013-10-05+at+12.20.00+AM.png" width="640" /></a></div>
<br />
<br />
<h2>
<span style="font-size: large;">What Has Changed</span></h2>
The strings used to obfuscate the applet parameters have been changed and the applet has been recompiled to adapt the decryption/de-obfuscation algorithm.<br />
<style type="text/css">
table.tftable {font-size:12px;color:#333333;width:100%;border-width: 1px;border-color: #729ea5;border-collapse: collapse;}
table.tftable th {font-size:12px;background-color:#acc8cc;border-width: 1px;padding: 8px;border-style: solid;border-color: #729ea5;text-align:left;}
table.tftable tr {background-color:#d4e3e5;}
table.tftable td {font-size:12px;border-width: 1px;padding: 8px;border-style: solid;border-color: #729ea5;}
</style>
<br />
<table border="1" class="tftable" id="tfhover">
<tbody>
<tr><th>Before</th><th>After</th></tr>
<tr><td>V-XHNBZ</td><td>1-XHNBZ</td></tr>
<tr><td>ZR-IHNV</td><td>ZR-IHN1</td></tr>
</tbody></table>
<br />
The port that the malware host is using has changed so the URL regex indicators need to change.<br />
<br />
<table border="1" class="tftable" id="tfhover">
<tbody>
<tr><th>Before</th><th>After</th></tr>
<tr><td>http://[a-z]+\.sytes\.net:9101/[a-z\/\.]+[^\?]\?spamnav=82</td><td>http://[a-z]+\.sytes\.net:12601/[a-z\/\.]+[^\?]\?deals=82</td></tr>
<tr><td>http://[a-z]+\.sytes\.net:9101/[a-z\/\.0-9\=\?\&]+</td><td>http://[a-z]+\.sytes\.net:12601/[a-z\/\.0-9\=\?\&]+</td></tr>
</tbody></table>
<br />
The IP address now fluctuates within the same AS <b>(AS12695)</b>; the IPs seen include <b>95.163.121.17</b>, <b>95.163.121.171</b> and <b>95.163.121.169</b>.<br />
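As an added example (not part of the original post), the Python below runs the Before and After URL regexes from the table above over a handful of constructed proxy-log URLs, which makes two things visible: the exact regexes compile and match the way the post intends (including the <code>[^\?]</code> before the query string), and the old port-and-parameter-bound rules go silent the moment the kit rotates. The third rule, keyed only on a sytes.net host with a non-standard port, is my own generalisation of the post's observation that the dynamic DNS domain stays constant, not something the post states.<br />

```python
"""Run the before/after Sweet Orange URL indicators from this post over sample URLs."""
import re

# Indicator regexes exactly as written in the post's table.
BEFORE = [
    re.compile(r"http://[a-z]+\.sytes\.net:9101/[a-z\/\.]+[^\?]\?spamnav=82"),
    re.compile(r"http://[a-z]+\.sytes\.net:9101/[a-z\/\.0-9\=\?\&]+"),
]
AFTER = [
    re.compile(r"http://[a-z]+\.sytes\.net:12601/[a-z\/\.]+[^\?]\?deals=82"),
    re.compile(r"http://[a-z]+\.sytes\.net:12601/[a-z\/\.0-9\=\?\&]+"),
]
# Assumption (mine, not the post's): a looser rule that survives the port and
# parameter rotation by keying only on a sytes.net host with a non-standard port.
ROBUST = re.compile(r"http://[a-z]+\.sytes\.net:\d{4,5}/")


def match_any(patterns, url: str) -> bool:
    """True if any compiled pattern matches somewhere in the URL."""
    return any(p.search(url) for p in patterns)


def classify(urls) -> dict:
    """Per-URL verdict of each rule set, so rotation shows up as before=False, after=True."""
    return {
        url: {
            "before": match_any(BEFORE, url),
            "after": match_any(AFTER, url),
            "robust": ROBUST.search(url) is not None,
        }
        for url in urls
    }


def missed_by_old(urls) -> list:
    """URLs the current indicators catch that the previous post's indicators would miss."""
    return [u for u, v in classify(urls).items() if v["after"] and not v["before"]]


# Constructed sample URLs in the shape the post describes (hostnames are made up).
SAMPLE_URLS = [
    "http://abcd.sytes.net:9101/old/path.php?spamnav=82",   # pre-rotation traffic
    "http://efgh.sytes.net:12601/new/path.php?deals=82",    # post-rotation traffic
    "http://www.example.com/index.html",                    # unrelated
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_URLS).items():
        print(url, verdict)
    print("missed by old rules:", missed_by_old(SAMPLE_URLS))
```

The ROBUST rule trades precision for durability: it will also flag benign No-IP hosts on unusual ports, so it belongs in a hunting or enrichment query rather than a blocking rule, with the tighter After patterns kept as the high-confidence match.<br />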
<h2>
<span style="font-size: large;">What Has Stayed The Same</span></h2>
The exploits and the general frame of the exploit landing page have stayed the same.<br />
<br />
No-ip dynamic DNS is still being used with the domain "sytes.net".<br />
<br />
The binary exploit remains the same; it has been repacked, but I wrote a terrible Python script that is able to identify it based on a unique pattern of strings in the binary.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVreknpEBtbkcSEhl_-gdFWVBZV3IxQ6JgX9ehzvwqF0IAldfVr7AfDQ_WiHn9YMNqGhl_fERcqdk_vglrYy2hh3KdfBjubyJWs3qSDRBDeNIftF4V8pmjpkC1yhnC5zSLIKcHf08OX7A/s1600/Screen+Shot+2013-10-03+at+2.12.17+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVreknpEBtbkcSEhl_-gdFWVBZV3IxQ6JgX9ehzvwqF0IAldfVr7AfDQ_WiHn9YMNqGhl_fERcqdk_vglrYy2hh3KdfBjubyJWs3qSDRBDeNIftF4V8pmjpkC1yhnC5zSLIKcHf08OX7A/s1600/Screen+Shot+2013-10-03+at+2.12.17+AM.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRsGb1y5a2V2YlJvUEl3L0wJFm8aOcopMybt10wFVzfE1XcZ0lDHoQBuckdptji9gnsp30nedtzmU5NMUr4tl32redBBuxbYaFQUTe0rUdn2QJKiyVTZM3aqmDAh99NBo6Aj01TqD5VAU/s1600/Screen+Shot+2013-10-03+at+2.12.56+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRsGb1y5a2V2YlJvUEl3L0wJFm8aOcopMybt10wFVzfE1XcZ0lDHoQBuckdptji9gnsp30nedtzmU5NMUr4tl32redBBuxbYaFQUTe0rUdn2QJKiyVTZM3aqmDAh99NBo6Aj01TqD5VAU/s1600/Screen+Shot+2013-10-03+at+2.12.56+AM.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2bY4TNcfXqyt86lY9_TCxiwcnqJ71_QWQhc_8UuUKhDrS5d43T2OXCT41p5lsajtd6c4FL9kY3fe5VgtCII1UJqge2Gi1RaRzykZhmHtYhtlMrHt4mElJ_992MgkHt-hbDJETqy-yJkc/s1600/Screen+Shot+2013-10-03+at+2.13.35+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2bY4TNcfXqyt86lY9_TCxiwcnqJ71_QWQhc_8UuUKhDrS5d43T2OXCT41p5lsajtd6c4FL9kY3fe5VgtCII1UJqge2Gi1RaRzykZhmHtYhtlMrHt4mElJ_992MgkHt-hbDJETqy-yJkc/s1600/Screen+Shot+2013-10-03+at+2.13.35+AM.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You can download the bin checker script <a href="https://mega.co.nz/#!sw5TxZKI!D_K2gG162vqnHB4QbEpKXg3mT0Q6-cX76Cm9SHTRrzc" target="_blank">here</a>.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once I get some free time I'll post about the second Java exploit and reverse the payload.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />herrcorehttp://www.blogger.com/profile/17172043082379886965noreply@blogger.com0tag:blogger.com,1999:blog-5836508348908040047.post-46673632277356496232013-10-01T21:22:00.005-07:002016-09-11T22:05:55.222-07:00Sweet Orange In Action<br />
This content has moved to <a href="http://oalabs.openanalysis.net/2013/10/01/sweet-orange-exploit-kit-2013/">http://oalabs.openanalysis.net/2013/10/01/sweet-orange-exploit-kit-2013/</a><br />
In this write-up we will examine an operational Sweet Orange Exploit Kit. The focus will be on the exploits delivered and the behaviour of the exploit kit.<br />
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiekD-gZ1OZUgoA4SIklZm3Aq1JcbchNSr4TGeSng1ftmtNjh9YeOV1UO2EHCeLYR8KMKCY2NPZUgdsUCZMOGPHizxNOPJJ6pkwh60f2bBSzCUatFjSWxRxPREvlH9neAFbN_hoZMsnkAA/s1600/Screen+Shot+2013-10-01+at+10.51.17+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiekD-gZ1OZUgoA4SIklZm3Aq1JcbchNSr4TGeSng1ftmtNjh9YeOV1UO2EHCeLYR8KMKCY2NPZUgdsUCZMOGPHizxNOPJJ6pkwh60f2bBSzCUatFjSWxRxPREvlH9neAFbN_hoZMsnkAA/s640/Screen+Shot+2013-10-01+at+10.51.17+PM.png" width="640" /></a></div>
<br /></div>
<div>
<h2>
<span style="font-size: large;">
The Drive-By</span></h2>
</div>
<div>
<div class="p1">
The Sweet Orange kit that we will be examining was using an iframe injected into a compromised website to load the exploit landing page. We can see that the iframe has clearly been injected as it sits above the <span style="color: #3d85c6;">&lt;!DOCTYPE&gt;</span><span style="color: #93c47d;"> </span>tag.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx-OFp-cDi6DbCsSbwTcJPrJ3D7BKTUjqq3C15kpV8dssu7qVpTntoBLhyjQgmetY8HmiHHMKFKfcFf_cr5A99e2peZ-FfdUq3kj5JeVPS1_XnRMCiCbEPdPb7Y6TXjG3feGLX0uHZeZI/s1600/iframe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx-OFp-cDi6DbCsSbwTcJPrJ3D7BKTUjqq3C15kpV8dssu7qVpTntoBLhyjQgmetY8HmiHHMKFKfcFf_cr5A99e2peZ-FfdUq3kj5JeVPS1_XnRMCiCbEPdPb7Y6TXjG3feGLX0uHZeZI/s1600/iframe.png" /></a></div>
<br />
<h2>
<b><span style="font-size: large;">The Exploit Kit Landing Page</span></b></h2>
<div class="p1">
The iframe loads the exploit kit landing page, which contains some fairly simple obfuscated JavaScript and a Java applet. The landing page doesn't use any browser/plugin profiling to tailor its exploits, but the server does use the User-Agent string to filter out un-exploitable OS/browser combinations. If the server deems you un-exploitable you get a nice 404 error (this may also be used to avoid detection).</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="p1">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwHXVJUmDEqZMDtm9DS2VdNR-U-UxJjEjEQMGBxhcR0bJM0LnK51Zs2v4tPxl0XvZIkZ9qyx3kj9p1o09EPbNONbk1P29sLy4MBvJ2U5wPjzbQli9T84Zg2jNAAD-0EsWmXC0ySOk1Evs/s1600/obfuscated_landing_page.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwHXVJUmDEqZMDtm9DS2VdNR-U-UxJjEjEQMGBxhcR0bJM0LnK51Zs2v4tPxl0XvZIkZ9qyx3kj9p1o09EPbNONbk1P29sLy4MBvJ2U5wPjzbQli9T84Zg2jNAAD-0EsWmXC0ySOk1Evs/s1600/obfuscated_landing_page.png" width="900" /></a></div>
<br />
<br /></div>
<div class="p1">
</div>
<div class="p1">
Once we de-obfuscate the JavaScript we can see that it writes a Java JNLP applet tag to the document. The JNLP applet tag includes a BASE64-encoded JNLP file in the "value" parameter (see ref. <a href="http://docs.oracle.com/javase/tutorial/deployment/deploymentInDepth/embeddingJNLPFileInWebPage.html" target="_blank">here</a>). There is also another applet on the page that does not use JNLP. This write-up will focus on the JNLP applet, as it targets victims who are running Java 1.7 while the second applet targets Java 1.6.</div>
<div class="p1">
<br /></div>
<div class="p1">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQtqjtQHkZWlTvXzTeeCtZz9ZueV1IWPSOsgPHStH9eqb6V5l0waqSgo-lotEz3oydi7Z7r5a0upBpFdrCAR3wExEwUKg5Ou1XGkc9PSeYLXF1hdnjj6Mc1GJNJRhnf7Y7dBXYq_UgxDo/s1600/Screen+Shot+2013-10-01+at+1.32.32+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQtqjtQHkZWlTvXzTeeCtZz9ZueV1IWPSOsgPHStH9eqb6V5l0waqSgo-lotEz3oydi7Z7r5a0upBpFdrCAR3wExEwUKg5Ou1XGkc9PSeYLXF1hdnjj6Mc1GJNJRhnf7Y7dBXYq_UgxDo/s1600/Screen+Shot+2013-10-01+at+1.32.32+PM.png" /></a></div>
<br /></div>
<div class="p1">
<br />
<div class="p1">
Once we decode the BASE64 JNLP file we can see just what this exploit kit is up to. We can see the parameter "<span style="color: #a64d79;">__applet_ssv_validated</span>" has been set to "<span style="color: #a64d79;">true</span>" which is a Java security warning (Click2Play) bypass released on April 24, 2013 (see ref. <a href="http://immunityproducts.blogspot.ca/2013/04/yet-another-java-security-warning-bypass.html" target="_blank">here</a>).</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiprli6Q2tnPVNSSvht5IO7462rNfI52rp1tOGpRJEQwuSJIJI-aMLpA_ZvHmz8FijhVo2aVZ8Nc5fKfk5acfBMTQpw-EmWqhymTkO3mGMuEJRRqGicb7KS-73uIIgcY0io30-khb6Xco/s1600/Screen+Shot+2013-10-01+at+1.33.04+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiprli6Q2tnPVNSSvht5IO7462rNfI52rp1tOGpRJEQwuSJIJI-aMLpA_ZvHmz8FijhVo2aVZ8Nc5fKfk5acfBMTQpw-EmWqhymTkO3mGMuEJRRqGicb7KS-73uIIgcY0io30-khb6Xco/s1600/Screen+Shot+2013-10-01+at+1.33.04+PM.png" /></a></div>
<div class="p1">
<br /></div>
</div>
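As an added example (not part of the original post), here is a small Python check for the landing-page trick just described: it pulls the base64 JNLP out of a <code>jnlp_embedded</code> applet param (the parameter name from Oracle's embedding docs linked above), decodes it and flags the <code>__applet_ssv_validated=true</code> bypass. The page fragment and JNLP document are constructed for the example; only the jar, class and parameter names come from the write-up.

```python
import base64
import html
import re
import xml.etree.ElementTree as ET

# Applet param that carries an embedded JNLP document, per Oracle's
# deployment docs: <param name="jnlp_embedded" value="BASE64...">
JNLP_PARAM_RE = re.compile(
    r'<param\s+name=["\']jnlp_embedded["\']\s+value=["\']([^"\']+)["\']', re.I)

# Constructed JNLP document: not the kit's real file, but it reuses the jar,
# main class and bypass parameter names quoted in the write-up.
JNLP_DOC = """<jnlp spec="1.0" href="">
  <information><title>x</title><vendor>x</vendor></information>
  <resources>
    <j2se version="1.7+" />
    <jar href="CNOeJXH.jar" main="true" />
  </resources>
  <applet-desc name="x" main-class="piXDw" width="1" height="1">
    <param name="__applet_ssv_validated" value="true" />
  </applet-desc>
</jnlp>
"""

# Constructed landing-page fragment embedding that JNLP document in base64.
SAMPLE_PAGE = (
    '<html><body><applet code="piXDw" width="1" height="1">'
    '<param name="jnlp_embedded" value="%s"></applet></body></html>'
    % base64.b64encode(JNLP_DOC.encode("utf-8")).decode("ascii")
)


def extract_embedded_jnlp(page_html):
    """Return the decoded JNLP documents found in jnlp_embedded params.
    Values that are not valid base64 / UTF-8 are skipped rather than fatal."""
    docs = []
    for match in JNLP_PARAM_RE.finditer(page_html):
        raw = html.unescape(match.group(1)).strip()
        try:
            docs.append(base64.b64decode(raw, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return docs


def inspect_jnlp(doc):
    """Summarise a JNLP document and flag the Click2Play bypass parameter."""
    root = ET.fromstring(doc.encode("utf-8"))
    params = {p.get("name", ""): p.get("value", "") for p in root.iter("param")}
    applet = root.find("applet-desc")
    return {
        "ssv_bypass": params.get("__applet_ssv_validated", "").lower() == "true",
        "jars": [j.get("href") for j in root.iter("jar")],
        "j2se": [j.get("version") for j in root.iter("j2se")],
        "main_class": applet.get("main-class") if applet is not None else None,
    }


def scan_page(page_html):
    """Extract and inspect every embedded JNLP; malformed XML is reported."""
    results = []
    for doc in extract_embedded_jnlp(page_html):
        try:
            results.append(inspect_jnlp(doc))
        except ET.ParseError as err:
            results.append({"error": str(err)})
    return results


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```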
<div class="p1">
<h2>
<b><span style="font-size: large;">Inside the Exploit</span></b></h2>
<div class="p1">
With the Java security warning safely circumvented the exploit kit is free to run the applet. Let's take a closer look at the applet JAR file "<span style="color: #a64d79;">CNOeJXH.jar</span>". We can see there are a few classes in the JAR and a file called "<span class="s1" style="color: #a64d79;">wgSqXvtqE.mp4</span>". Spoiler alert: we find out later that the mp4 file is just a cleverly obfuscated class file.</div>
</div>
<div class="p1">
<br /></div>
<div class="p1">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8CkKQMN72LKHVd61OuEg2q96CelHX4_dLa6bS43LbK3bMp5ZRqZbYt8uxh8oNo9DyBoExgo-0XAKiElwMdCDW8UIN884ASzL9ZidP2XKZopyAh4bonLi7sY-NQCwTzvlFi-XjDfRWueE/s1600/Screen+Shot+2013-09-30+at+10.43.49+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8CkKQMN72LKHVd61OuEg2q96CelHX4_dLa6bS43LbK3bMp5ZRqZbYt8uxh8oNo9DyBoExgo-0XAKiElwMdCDW8UIN884ASzL9ZidP2XKZopyAh4bonLi7sY-NQCwTzvlFi-XjDfRWueE/s1600/Screen+Shot+2013-09-30+at+10.43.49+PM.png" /></a></div>
<br /></div>
<div class="p1">
<br />
<div class="p1">
Let's start by decompiling the main class "<span style="color: #a64d79;">piXDw.class</span>" and go from there. Once we decompile the class files we can see that they are obfuscated. At first these look pretty difficult to decipher but upon closer inspection we can see there is just some junk code added (all of the <span style="color: #a64d79;">Math.ulp</span> assignments are junk) and there is some string manipulation. To illustrate I've included a snip of some obfuscated code before de-obfuscation.</div>
</div>
<div class="p1">
<br /></div>
<div class="p1">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3NoQDamNxrX0HWW5jo02moacWRW51tFC-x1b1WWz0YmcYqSuLUZ3nkLjr2cDULxDFwB9HW1LZ4Jq6V_JwvPCljEnllFJBmcXZlU5AO-QJMUR8_bOcDChCVL2MGfZv-Hi_fsJTBniymMs/s1600/Screen+Shot+2013-10-01+at+2.00.59+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3NoQDamNxrX0HWW5jo02moacWRW51tFC-x1b1WWz0YmcYqSuLUZ3nkLjr2cDULxDFwB9HW1LZ4Jq6V_JwvPCljEnllFJBmcXZlU5AO-QJMUR8_bOcDChCVL2MGfZv-Hi_fsJTBniymMs/s1600/Screen+Shot+2013-10-01+at+2.00.59+PM.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="p1">
After we de-obfuscate we can see the init() for the applet simply checks to see if the victim is running Java 1.7+, then calls a method "<span class="s2" style="color: #a64d79;">wnYoY(piXDw pixdw, Class aclass[])</span>" from "<span style="color: #a64d79;">GVep.class</span>". Let's investigate further.</div>
</div>
<div class="p1">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic0tiEEs2NkUaZw9Ia40TzeHmkewXNEgPatwxooDGhO7qHV5E5IJCvvFOKDS-LzTYLKMhtOyVztAtKf3qwbAje92jsUOlfV5z-mg0lHIOghALfvZhbMrlCBfF-ECzJPPDFNsyM-OU9q8U/s1600/Screen+Shot+2013-10-01+at+2.16.06+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic0tiEEs2NkUaZw9Ia40TzeHmkewXNEgPatwxooDGhO7qHV5E5IJCvvFOKDS-LzTYLKMhtOyVztAtKf3qwbAje92jsUOlfV5z-mg0lHIOghALfvZhbMrlCBfF-ECzJPPDFNsyM-OU9q8U/s1600/Screen+Shot+2013-10-01+at+2.16.06+PM.png" /></a></div>
<br />
<div class="p1">
Taking a look at "<span style="color: #a64d79;">GVep.class</span>" we can see that it reads in the mp4 file, de-obfuscates it, transforms it into a binary file and loads it. We will get to just what is inside the mp4 file in a minute, but for now we have spotted the exploit that is being used: <a href="https://github.com/rapid7/metasploit-framework/blob/master/external/source/exploits/cve-2013-2460/Exploit.java" target="_blank">CVE-2013-2460</a>.</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEePgwnyrI4nAS8y-VTgq287olVY2ccm9vKwpVYdsFClQvPQv8fOraBehAlvAMCYOL_JjSyiAmkBAW_aDk8elbOyFPO4PZebNNuj69u8HA9HUly91C9w4aN01x7zJOAqAw1fg41Z890ZI/s1600/Screen+Shot+2013-10-01+at+2.44.47+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEePgwnyrI4nAS8y-VTgq287olVY2ccm9vKwpVYdsFClQvPQv8fOraBehAlvAMCYOL_JjSyiAmkBAW_aDk8elbOyFPO4PZebNNuj69u8HA9HUly91C9w4aN01x7zJOAqAw1fg41Z890ZI/s1600/Screen+Shot+2013-10-01+at+2.44.47+PM.png" width="900" /></a></div>
<div class="p1">
<br /></div>
</div>
<div class="p1">
<br />
<div class="p1">
Well this is interesting, let's take a look at the "<span class="s1" style="color: #a64d79;">wgSqXvtqE.mp4</span>" file and see if we can't extract the class. At first we see we will need to de-obfuscate the ASCII by removing "<span class="s2" style="color: #38761d;">------------|||||||||||||||||||||||||||||||||||||</span>".</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOwCsg5tztwaxfE_LudWSnbyftvl1P4cnSCaV6IF9iPD-lQ18NlLuvVCcCDAPIsm_zwffShCVbkwUlcLE7UYbNBqTWANTlTHeAz7OHGUapgSkDuoN0BvbnoIVOmy5adIRUeypcjdVVD7w/s1600/Screen+Shot+2013-10-01+at+3.01.34+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOwCsg5tztwaxfE_LudWSnbyftvl1P4cnSCaV6IF9iPD-lQ18NlLuvVCcCDAPIsm_zwffShCVbkwUlcLE7UYbNBqTWANTlTHeAz7OHGUapgSkDuoN0BvbnoIVOmy5adIRUeypcjdVVD7w/s1600/Screen+Shot+2013-10-01+at+3.01.34+PM.png" /></a></div>
<div class="p1">
<br /></div>
</div>
<div class="p1">
<br />
<div class="p1">
And now we are left with what appears to be an ASCII representation of the hex bytes of a class file.</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlt1k9R4NDwSCfE5XLL3aFALBMJvdj_BOGWngVB1D1B0mbNoXLiSs1_2IiJmfBX2CyZkJ9zYm-haz-Dzb_Ta1UdKRcpFdgOE_nzI7ZUwzI1-8ZVkgdiftwlypaFv7yawuhIRqqlWRvHdk/s1600/Screen+Shot+2013-10-01+at+3.02.27+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlt1k9R4NDwSCfE5XLL3aFALBMJvdj_BOGWngVB1D1B0mbNoXLiSs1_2IiJmfBX2CyZkJ9zYm-haz-Dzb_Ta1UdKRcpFdgOE_nzI7ZUwzI1-8ZVkgdiftwlypaFv7yawuhIRqqlWRvHdk/s1600/Screen+Shot+2013-10-01+at+3.02.27+PM.png" /></a></div>
<div class="p1">
<br /></div>
</div>
<div class="p1">
<br />
<div class="p1">
We can use some Python to quickly convert this into binary and decompile it into its original Java.</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVHI3SIZ5_EeA2QMNeGSeEENNl6UYnVvAqO9gJDIyCGNU7cG3GoWMM_yQu__LaPshmeslumluDPrX1m49gODshHDqgjweMu97LWoaJL_OOfxX4u1Xw7eU5h9BOZfiZONZnPQrnEU3wtg0/s1600/Screen+Shot+2013-10-01+at+3.04.51+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVHI3SIZ5_EeA2QMNeGSeEENNl6UYnVvAqO9gJDIyCGNU7cG3GoWMM_yQu__LaPshmeslumluDPrX1m49gODshHDqgjweMu97LWoaJL_OOfxX4u1Xw7eU5h9BOZfiZONZnPQrnEU3wtg0/s1600/Screen+Shot+2013-10-01+at+3.04.51+PM.png" width="900" /></a></div>
<div class="p1">
<br /></div>
</div>
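The conversion shown in the screenshot above, written out as an added Python example (my own code here, not the script from the original post): strip the junk separator, hex-decode the ASCII, and check the result really is a class file (magic <code>0xCAFEBABE</code>) before handing it to a decompiler. The sample input is a constructed Java 7 class-file header, not the real <code>wgSqXvtqE.mp4</code>.

```python
import re
import struct

# Junk separator quoted in the write-up; stripping it leaves ASCII hex.
SEPARATOR = "------------|||||||||||||||||||||||||||||||||||||"
# Class-file magic and the major versions relevant to this kit (Java 1.6/1.7).
CLASS_MAGIC = 0xCAFEBABE
MAJOR_TO_JAVA = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4",
                 49: "1.5", 50: "1.6", 51: "1.7", 52: "1.8"}

# Constructed sample: the first bytes of a Java 7 class file (magic, minor 0,
# major 51, then two filler words) as ASCII hex, with the separator inserted
# between groups the way the kit salts its .mp4. Not real kit content.
SAMPLE_MP4 = SEPARATOR.join(["cafe", "babe", "0000", "0033", "0010", "0700"])


def strip_separator(text, separator=SEPARATOR):
    """Remove every copy of the junk separator (the first step above)."""
    return text.replace(separator, "")


def hex_to_bytes(hex_text):
    """Turn the ASCII hex dump into raw bytes; whitespace is ignored."""
    cleaned = re.sub(r"\s+", "", hex_text)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError("leftover non-hex data: separator not fully removed?")
    return bytes.fromhex(cleaned)


def class_header(data):
    """Parse magic, minor and major version from a class-file header."""
    if len(data) < 8:
        raise ValueError("fewer than 8 bytes: not a class file")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("bad magic 0x%08x: not a class file" % magic)
    return magic, minor, major


def recover_class(obfuscated):
    """Full pipeline: strip separator, hex-decode, validate the header.
    Returns (raw_bytes, java_version_string) for the recovered class."""
    data = hex_to_bytes(strip_separator(obfuscated))
    _, _, major = class_header(data)
    return data, MAJOR_TO_JAVA.get(major, "unknown(%d)" % major)


if __name__ == "__main__":
    import sys
    # usage: recover.py [obfuscated.mp4 [out.class]]; defaults to the sample
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MP4
    data, version = recover_class(src)
    print("recovered %d bytes, class file targets Java %s" % (len(data), version))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:  # feed this to your decompiler
            out.write(data)
```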
<div class="p1">
<br />
<div class="p1">
Judging by the similarity of the exploit structure to other examples of "Sweet Orange" we can assume that this is some variation of the Sweet Orange exploit kit. An excellent write-up on the kit can be found <a href="http://malforsec.blogspot.ca/2013/03/making-orange-jam-analyzing-sweet.html" target="_blank">here</a>. </div>
<div class="p1">
<br /></div>
<div class="p1">
</div>
<div class="p1">
Now that we have confirmed that this is indeed <a href="https://github.com/rapid7/metasploit-framework/blob/master/external/source/exploits/cve-2013-2460/Exploit.java" target="_blank">CVE-2013-2460</a>, what happens after the security manager is disabled? We can see that there is one line of code after the security manager has been disabled, so let's start there. </div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6Epj9tqMgORsQlb5yO79z1dQ3k5eZMolHfNuoRYIi4q_hzxFOhXOyCiJ8xg8PgtYveuYeYaKjawIuEKWizB9LgVs5Yxk7mQrrJpulzyXealOFMwrsuVoTBpisZojZXHwkm0wez31zGtg/s1600/Screen+Shot+2013-10-01+at+4.42.05+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6Epj9tqMgORsQlb5yO79z1dQ3k5eZMolHfNuoRYIi4q_hzxFOhXOyCiJ8xg8PgtYveuYeYaKjawIuEKWizB9LgVs5Yxk7mQrrJpulzyXealOFMwrsuVoTBpisZojZXHwkm0wez31zGtg/s1600/Screen+Shot+2013-10-01+at+4.42.05+PM.png" /></a></div>
<div class="p1">
</div>
<div class="p1">
<br /></div>
<div class="p1">
If we work backwards we can see that "<span class="s1">String as[]</span>" contains the applet params.</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6RMA2E2tvc7QRBSZgmj2_M37mSxvxYylMKEO7o0NACgr5vxP_xO2lib1Ez12BfW9OrVNdWArKMtyfmxAyVuWKrswsIFoaeWgVKburk5zeX6nfRnNU1VPmguhKl_mB-uLJBL_FNnWg0Yk/s1600/Screen+Shot+2013-10-01+at+4.39.37+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6RMA2E2tvc7QRBSZgmj2_M37mSxvxYylMKEO7o0NACgr5vxP_xO2lib1Ez12BfW9OrVNdWArKMtyfmxAyVuWKrswsIFoaeWgVKburk5zeX6nfRnNU1VPmguhKl_mB-uLJBL_FNnWg0Yk/s1600/Screen+Shot+2013-10-01+at+4.39.37+PM.png" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
</div>
<div class="p1">
Let's decrypt these parameters and see what we have (you can download a copy of my terrible python script <a href="https://mega.co.nz/#!gZRVxQhB!RqWg3waGrI2zz83SbZHJuRg5j_ZsfBWWyA6ebxtE2n0" target="_blank">here</a>).</div>
<style type="text/css">
table.tableizer-table {
border: 1px solid #CCC; font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
}
.tableizer-table td {
padding: 4px;
margin: 3px;
border: 1px solid #ccc;
}
.tableizer-table th {
background-color: #104E8B;
color: #FFF;
font-weight: bold;
}
</style><br />
<table class="tableizer-table">
<tbody>
<tr class="tableizer-firstrow"><th>Param</th><th>Decrypted Value</th></tr>
<tr><td>qUsN</td><td>fnlczho.sytes.net:9101/community.php?stats=606&html=88&fedora=12&click=72&smiles=1251&about=345&image=197&bugs=60&nomic=102</td></tr>
<tr><td>uqXtHmNEr</td><td>DCdJOya</td></tr>
<tr><td>BqJfPJd</td><td>counter</td></tr>
</tbody></table>
<div class="p1">
<br /></div>
<div class="p1">
<br />
<div class="p1">
If we follow this example all the way through we can see that the malware constructs a URL request like the one below in order to download the binary payload (the count.exe parameter number is randomly generated).</div>
<pre class="brush:plain;">hxxp://fnlczho.sytes.net:9101/community.php?stats=606&html=88&fedora=12&click=72&smiles=1251&about=345&image=197&bugs=60&nomic=102&count.exe=&lt;random_number&gt;
</pre>
<div class="p1">
<br /></div>
</div>
<div class="p1">
<br />
<div class="p1">
After some manual testing it was confirmed that the "count.exe" parameter is not required to obtain the payload. </div>
</div>
<div class="p1">
<br />
<h2>
<b><span style="font-size: large;">Review</span></b></h2>
<div class="p1">
Before we move on to behavioural analysis we will recap what we have learned so far:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvhh3VCxUS2UgB2Ur3rtbYAlmE8ur1HKcB6U1y2vmUcgD3hufW99pg4WwTo0OfPBrxSRqlNoPxch1QbzEnsK_tW8AZ5_ybqdPrbhcdDjC5bbkX9CuX1zVoagY_WvYsuVABMN0YHeTwN3c/s1600/Screen+Shot+2013-10-01+at+11.43.04+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvhh3VCxUS2UgB2Ur3rtbYAlmE8ur1HKcB6U1y2vmUcgD3hufW99pg4WwTo0OfPBrxSRqlNoPxch1QbzEnsK_tW8AZ5_ybqdPrbhcdDjC5bbkX9CuX1zVoagY_WvYsuVABMN0YHeTwN3c/s640/Screen+Shot+2013-10-01+at+11.43.04+PM.png" width="640" /></a></div>
<h2>
<b><span style="font-size: large;">Behaviour and Indicators</span></b></h2>
<div class="p1">
</div>
<div class="p1">
The exploit kit uses dynamic DNS provided by <a href="http://www.noip.com/">http://www.noip.com</a> under the domain "<b>sytes.net</b>". The kit uses a subdomain generation algorithm to generate a new subdomain every few minutes. Old subdomains are unregistered, making research a bit more difficult. After tracking the subdomain generation for 24h it is confirmed that all subdomains that have been used resolve to this IP: <b>95.163.121.17 (AS12695)</b>, not a big surprise. </div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSCEhVz6zw6GdWb2nz1_PQKmsBNO_mbASouAfmgKJRyRRj7P-5oYPYYRrEpC-sPEYvMbuQqSXoZOR4nP9y5SGFJzhzNG-agmD6tUXBDGeXkBkTsvxz2e5a78kpuyAwFHgsj14w-UccyN0/s1600/Screen+Shot+2013-09-30+at+9.46.34+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSCEhVz6zw6GdWb2nz1_PQKmsBNO_mbASouAfmgKJRyRRj7P-5oYPYYRrEpC-sPEYvMbuQqSXoZOR4nP9y5SGFJzhzNG-agmD6tUXBDGeXkBkTsvxz2e5a78kpuyAwFHgsj14w-UccyN0/s1600/Screen+Shot+2013-09-30+at+9.46.34+PM.png" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
</div>
<div class="p1">
A list of identified domains can be found below.</div>
<div class="p1">
<br /></div>
<div class="p1">
<br />
<div class="p1">
The URL pattern for the landing page is:</div>
<pre class="brush:plain;">http://[a-z]+\.sytes\.net:9101/[a-z\/\.]+[^\?]\?spamnav=82
</pre>
<div class="p1">
<br /></div>
<div class="p1">
The URL pattern for the payload binary is:</div>
<pre class="brush:plain;">http://[a-z]+\.sytes\.net:9101/[a-z\/\.0-9\=\?\&]+
</pre>
</div>
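To show how the two patterns above behave as detection logic, here is an added Python example (not from the original post) that runs them over a few constructed proxy log lines, reports which hosts were hit as landing page or payload download, and collects the hosts for a blocklist. The log lines are made up for the example; only the URL shapes and the <code>fnlczho.sytes.net</code> host come from the write-up.

```python
import re

# URL patterns quoted from the write-up, with the host captured for reporting.
LANDING_RE = re.compile(
    r"http://([a-z]+\.sytes\.net):9101/[a-z\/\.]+[^\?]\?spamnav=82")
PAYLOAD_RE = re.compile(
    r"http://([a-z]+\.sytes\.net):9101/[a-z\/\.0-9\=\?\&]+")

# Constructed proxy log lines (epoch, client, method, URL, status). The first
# two URLs follow the forms shown above; the rest are benign filler, including
# an unrelated sytes.net host on port 80 that must not be flagged.
SAMPLE_LOG = """\
1380680001.123 10.0.0.12 GET http://abnzzkpp.sytes.net:9101/forum/index.php?spamnav=82 200
1380680004.456 10.0.0.12 GET http://fnlczho.sytes.net:9101/community.php?stats=606&html=88&fedora=12&click=72&smiles=1251&about=345&image=197&bugs=60&nomic=102 200
1380680010.789 10.0.0.15 GET http://example.com/index.html 200
1380680012.000 10.0.0.15 GET http://legit.sytes.net/home 200
"""


def classify_url(url):
    """Return ('landing', host), ('payload', host) or None.
    The landing pattern is tried first: the payload pattern's character
    class also covers '?spamnav=82', so on its own it would match landing
    pages as well and mislabel them."""
    m = LANDING_RE.search(url)
    if m:
        return "landing", m.group(1)
    m = PAYLOAD_RE.search(url)
    if m:
        return "payload", m.group(1)
    return None


def scan_log(text):
    """Run both patterns over each log line; return one hit dict per match."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the scan
        epoch, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            kind, host = verdict
            hits.append({"epoch": epoch, "client": client,
                         "kind": kind, "host": host})
    return hits


def hosts_to_block(hits):
    """Distinct sytes.net hosts seen, for a blocklist or DNS sinkhole."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("block:", hosts_to_block(found))
```

Because the subdomains rotate every few minutes, the host list is only useful for the short term; the port 9101 and <code>spamnav=82</code> parts of the patterns are the more durable indicators.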
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="p1">
<br />
<div class="p1">
</div>
<div class="p1">
The payload is also re-generated every few minutes. It is UPX packed and has a low VT hit rate (about 5/46 for each new generation). Once I have some more time I will take a closer look.</div>
<table class="tableizer-table">
<tbody>
<tr class="tableizer-firstrow"><th>File MD5</th><th>Virus Total</th></tr>
<tr><td>50e073712917e5cc1c53005dc377bdb0</td><td><a href="https://www.virustotal.com/en/file/b681f8b3eb0a9bcd860d99d5e0c44ab2e7d5efa25d0fe4497b71ad243779ce95/analysis/1380685865/">virustotal</a></td></tr>
<tr><td>43aa3c348f64c9f5ae7001aa461790c1</td><td><a href="https://www.virustotal.com/en/file/c62fdc003dfa6b3a19c15edc2a8c0381e2477f16246212af160dd4a12ce8e7c6/analysis/">virustotal</a></td></tr>
<tr><td>884d0a05f5136db78d7e806a1f007e1f</td><td><a href="https://www.virustotal.com/en/file/872716aa1bb9f06d27ea16fee29443b2d46b6e2a9b97a38cd9b35f58c03bd77f/analysis/">virustotal</a></td></tr>
</tbody></table>
<div class="p1">
<br />
Zip of some payloads can be found <a href="https://mega.co.nz/#!8QwVlBBY!Kl6oBX7gQuAqO-4oFrq2kDmTDFpw6lhkbym713gnMOg" target="_blank">here</a>.<br />
<br />
<h3>
*Update*</h3>
<div>
Updated indicators and analysis can be found <a href="http://herrcore.blogspot.ca/2013/10/sweet-orange-update.html" target="_blank">here</a>.</div>
</div>
</div>
</div>
</div>
</div>
</div>
herrcorehttp://www.blogger.com/profile/17172043082379886965noreply@blogger.com2