Full disclosure: deep technical analysis below. Beware!!!

Dec 30, 2009

CVE-2009-4324 Doc.media.newPlayer (Us-J-India_strategic_dialogue.pdf)



BACKGROUND
A new PDF spreading in the wild has been found: "Us-J-India_strategic_dialogue.pdf", sent from katieedouglas@yahoo.com on Thu, 7 Jan 2010 10:07:18 -0800 (PST) (thanks to http://contagiodump.blogspot.com/2010/01/jan-7-us-j-indiastrategicdialogue-from.html).

EXPLOITER STAGE
FILENAME | FIND DATE | SIZE (Bytes) | MD5 | AV DETECTED
Us-J-India_strategic_dialogue.pdf | 7/1/2010 | 70,437 | 12AAB3743C6726452EB0A91D8190A473 | mainly JS.Pdfka
Let's start analyzing it.
The PDF document uses obfuscated directives, as analyzed by extraexploit (http://extraexploit.blogspot.com/2010/01/adobe-cve-2009-4324-another-one-with.html).
This malicious PDF contains one FlatDecode (Zlib) stream that is the vulnerability exploiter; the other code is, as usual, embedded in the PDF. Extracting the malicious stream reveals the JavaScript code. The code is simply hex-coded and obfuscated:
FILENAME | EXPL STREAM OBJ | OBFUSCATION | MD5 Deflated Stream | AV DETECTED
Us-J-India_strategic_dialogue.pdf | #1 | FlatDecode + HexCoded | 833AA8A34B78FD3063D29314ACF3BC74 |
The JavaScript tries to exploit two vulnerabilities, this.media.newPlayer (CVE-2009-4324) and printf (CVE-2008-2992), with different shellcode for each. Let's focus on the first one.

SHELLCODE STAGE (this.media.newPlayer)
To analyze the shellcode (SC), deobfuscate/unescape it; it can then be loaded in the debugger.
FILENAME | SHELLCODE | EXPL STREAM OBJ | SIZE (Bytes) | MD5 Bytestream | AV DETECTED
Us-J-India_strategic_dialogue.pdf | 1_SC | #1 | 1,062 | D3C4FA1872F8A911565B3A1B5ABA3E5E | Heuristic.BehavesLike.Exploit.CodeExec.EOOB

AV vendors use the following name when detecting the malicious SC: Heuristic.BehavesLike.Exploit.CodeExec.EOOB
The shellcode's start function exposes the self-decrypting routine (be careful: the first XOR occurs at address 0x0040103E, so the instructions following the JNZ are decrypted at runtime). Also make sure there is no breakpoint in the code area that changes at runtime; otherwise the decryption will fail, because it would XOR the INT 2 opcode injected into the code by the debugger for the breakpoint:

[screenshot: xor2]
So manually execute the first 9-10 rounds of the loop, letting the bytes at 0x0040103E become a consistent instruction, and then place a breakpoint there. Then RUN and decrypt all the remaining code.
As usual, the SC looks up the addresses of the external functions it needs and saves them on the stack; then it performs its actions:
1 – find the path to the parent malicious PDF via GetCommandPath (it gets the command line and searches for the 2nd occurrence of ":", assuming that the command line in the exploited Adobe context will look like "C:\Program Files\Adobe\Reader x.x\Reader\AcroRd32.exe C:\bla … bla…bla\Us-J-India_strategic_dialogue.pdf"). So to get a reference to the parent PDF it just needs to take the second part of the command line.
That's why simply running the SC inside an .EXE container (as produced by SANDSPRITE SC2EXE) will fail!!
To go on, it's possible to patch the GetCommandPath result in memory with the real path to the parent PDF and patch the search routine to stop at the first occurrence of ":".
[screenshot: path]
2 – then the SC simply OPENs the malicious parent PDF
[screenshot: open pdf]
An interesting "obfuscation of function call" here: note that the call to CreateFileA (and likewise to WinExec) is made by JMP EAX. All the parameters are passed on the stack, with the return address calculated by "CALL $+5, POP EAX, ADD EAX,0DH". Obviously the start addresses of CreateFileA ([edi-4]) and WinExec ([edi-14h]) have previously been changed to work with this obfuscated calling method, adding 5 bytes to each function's start address:
[screenshot: call_obfu]
CreateFileA's start address changes from 7C801A28 to 7C801A2D, skipping the usual "save and update %ebp". Usually a called function needs a new local stack frame pointed to by %ebp; this is set up by saving the current %ebp (which belongs to the caller's frame) with PUSH EBP and making it point to the top of the stack with MOV EBP,ESP. But in our obfuscated calling method EBP must not change.
[screenshot: call_obfu2]
3 – back to the SC: it creates a temp file in the temp path
[screenshot: create temp file]
4 – sets the file pointer to 1000H from the start of the file
[screenshot: set file pointer]
5 – reads 7 blocks of 400h bytes each from the parent PDF, decrypts each block in memory and appends it to the temp file
[screenshot: decrypt file and write]
6 – last step: WinExec the temp file extracted from the parent PDF

[screenshot: winexec]
The level 1 malware has been dropped and executed!!

LEVEL 1 MALWARE STAGE (this.media.newPlayer)

FILENAME | SHELLCODE | EXPL STREAM OBJ | SIZE (Bytes) | MD5 Bytestream | AV DETECTED
random.tmp | 1_SC | #1 | 7,168 | 37AB49086946056449F0ED1ACF80470C |

A first look reveals useless instructions and invalid bytecode placed there just to confuse the debugger's disassembly view.

[screenshot: fake_istr]
JZ and JNZ simply let the code flow continue, jumping over the invalid byte E7h. This trick is repeated many times (#120) in the code.
So to analyze random.tmp, which is a PE file, in section ".text" (raw addr 400h, raw size 1200h) patch every hex string "0F 84 07 00 00 00 0F 85 01 00 00 00 xx" with NOPs (13x 90h), keeping the section size and the relative jump offsets of the code unchanged.


[screenshot: fake_istr2]
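As an added example (not code from the original post), here is a Python routine that performs the patch described above over the raw .text bytes: it overwrites every 13-byte JZ/JNZ/junk-byte group with NOPs, so the section length and all relative jump offsets are preserved, and reports how many groups it found. The sample bytes are constructed, not a dump of random.tmp; the default raw offset and size are the values quoted above.

```python
import re

# The junk group described above: JZ +7 ; JNZ +1 ; one undecodable byte (E7h).
# Whatever ZF holds, execution lands right after the 13th byte, so the group
# behaves like a NOP but breaks a linear-sweep disassembly of the section.
JUNK_RE = re.compile(
    rb"\x0f\x84\x07\x00\x00\x00"   # JZ  rel32 = +7
    rb"\x0f\x85\x01\x00\x00\x00"   # JNZ rel32 = +1
    rb".",                         # the junk byte (E7h in random.tmp)
    re.DOTALL,
)
NOP = 0x90

def nop_out_junk(section):
    """Overwrite every junk group with 13 NOPs and return (patched_bytes, count).
    The replacement is exactly as long as the match, so the section size and
    every relative jump target elsewhere in the code are preserved."""
    out = bytearray(section)
    count = 0
    for m in JUNK_RE.finditer(section):
        out[m.start():m.end()] = bytes([NOP]) * (m.end() - m.start())
        count += 1
    return bytes(out), count

def patch_text_section(pe, raw_addr=0x400, raw_size=0x1200):
    """Apply nop_out_junk to the raw .text bytes of a PE image held in memory.
    The default raw offset and size are the values given for random.tmp above;
    for other files take them from the section header instead."""
    text = pe[raw_addr:raw_addr + raw_size]
    patched, count = nop_out_junk(text)
    return pe[:raw_addr] + patched + pe[raw_addr + raw_size:], count

# Constructed sample bytes (not a dump of random.tmp): a tiny prologue/epilogue
# with two junk groups spliced in between real instructions.
JUNK_GROUP = b"\x0f\x84\x07\x00\x00\x00\x0f\x85\x01\x00\x00\x00\xe7"
SAMPLE_TEXT = b"\x55\x8b\xec" + JUNK_GROUP + b"\x33\xc0" + JUNK_GROUP + b"\x5d\xc3"

if __name__ == "__main__":
    patched, n = nop_out_junk(SAMPLE_TEXT)
    print(f"{n} junk groups replaced, {len(SAMPLE_TEXT)} -> {len(patched)} bytes")
    print(patched.hex())
```

Because the match and the replacement are both 13 bytes, no jump elsewhere in the section needs relocating; the same regex can double as a quick signature for this anti-disassembly trick in other samples.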
Let's see what the Level 1 malware does:
1– gets its full path and sets a registry startup key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BITS so it is executed at each reboot (strings like the key name and value are decrypted at runtime..)
2- tries InternetOpenUrl 3 times, with a delay of 10 min, on http://nyralang.zyns.com/album/index.htm
with User-Agent 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)', using the system Internet configuration (INTERNET_OPEN_TYPE_PRECONFIG) and INTERNET_FLAG_RELOAD to retrieve the original item rather than one possibly cached by a proxy.


[screenshot: internetopenurl]
The domain is now (14/1/2010) deactivated

[screenshot: nyralang_zyns]
but on 2010-01-07 it was associated with IP 202.153.103.82 (AS9925), which is still hosting the webpage and is now referenced by for.toh.info.


[screenshot: ip]


% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 202.153.96.0 - 202.153.127.255
netname: POWERBASE-HK
descr: 6/F, Somerset House
descr: TaiKoo Place, Quarry Bay,
descr: Hong Kong
country: HK
admin-c: PD28-AP
tech-c: PD28-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-HKTDCS
changed: hostmaster@apnic.net 20000419
changed: hostmaster@apnic.net 20001023
changed: hostmaster@apnic.net 20020219
status: ALLOCATED PORTABLE
source: APNIC
role: Powerbase Datacenter NOC
address: 6/F, Somerset House
address: TaiKoo Place, Quarry Bay,
address: Hong Kong
country: HK
phone: +852-2312-9111
fax-no: +852-2504-0599
e-mail: support@pbase.net
admin-c: PD50-AP
tech-c: PD50-AP
nic-hdl: PD28-AP
mnt-by: MAINT-HK-HKTDCS
changed: nw_admin@pbase.net 20070306
source: APNIC


The webpage looks like a normal "under construction" page
[screenshot: webpage]
except for the first line of its HTML code: a comment
<!--DOCHTMLTuichu -->
[screenshot: comment]
3- the malware reads the first 0x1FF bytes of the webpage into a buffer
[screenshot: internetreadfile]
and then parses the buffer for the command header "<!--DOCHTML" and trailer " -->" (first char is a blank). So the command in our case is: Tuichu


4- parses the command for the values "Tuichu", "Xiuma" and "http://"
[screenshot: command_parser]
Tuichu -> DO NOTHING, wait 10 min then retry.
Xiuma -> DO NOTHING, don't wait and retry.
http:// -> DOWNLOAD AND EXECUTE, wait 10 min then retry

The downloaded file must have an extension, but not .exe. In fact it is copied to the temp path, and the malware creates a copy of the file with an .exe extension and executes it.

As said before, the command currently deployed by the C&C is "Tuichu", so the bots are waiting…
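To make the C&C protocol above concrete and testable, the following Python reimplements the bot's parse of the first 0x1FF bytes and maps each command to the behaviour in the table. It is an added example, not code from the post or from the malware: the HTML pages are constructed, the URL is a placeholder, and the handling of an unrecognised command is an assumption (the post does not say what the bot does with one). The same parse can be run over pages captured at a proxy to flag beacon replies.

```python
from urllib.parse import urlparse
import posixpath

HEADER = b"<!--DOCHTML"
TRAILER = b" -->"          # note the leading blank
READ_LEN = 0x1FF           # the bot only reads this many bytes of the page
RETRY_DELAY = 10 * 60      # seconds

def extract_command(page):
    """Reproduce the bot's parse: look only inside the first 0x1FF bytes for the
    header and trailer and return the text between them, or None."""
    buf = page[:READ_LEN]
    start = buf.find(HEADER)
    if start < 0:
        return None
    start += len(HEADER)
    end = buf.find(TRAILER, start)
    if end < 0:
        return None
    return buf[start:end].decode("ascii", errors="replace")

def classify(command):
    """Map a command to (action, seconds to wait before the next poll) as in the
    table above. The 'unknown' branch is an assumption: the post does not say
    what the bot does with a command matching none of the three."""
    if command == "Tuichu":
        return ("idle", RETRY_DELAY)
    if command == "Xiuma":
        return ("idle", 0)
    if command is not None and command.startswith("http://"):
        return ("download-and-execute", RETRY_DELAY)
    return ("unknown", RETRY_DELAY)

def task_file_accepted(url):
    """The rule for the http:// case: the file must have an extension, and it
    must not be .exe (the bot renames its temp copy to .exe itself)."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return ext != "" and ext != ".exe"

def is_beacon_reply(page):
    """Defender-side check for a captured page: does it carry a DOCHTML command?"""
    return extract_command(page) is not None

# Constructed pages (not captures of the real C&C content); the host is a
# placeholder under the reserved .invalid TLD.
PAGE_IDLE = b"<!--DOCHTMLTuichu -->\n<html><body>Under construction</body></html>\n"
PAGE_TASK = b"<!--DOCHTMLhttp://example.invalid/album/update.dat -->\n<html></html>\n"
PAGE_PLAIN = b"<html><body>Under construction</body></html>\n"

if __name__ == "__main__":
    for page in (PAGE_IDLE, PAGE_TASK, PAGE_PLAIN):
        cmd = extract_command(page)
        print(repr(cmd), classify(cmd))
```

Note that the 0x1FF limit is part of the protocol: a command placed beyond that offset is invisible to the bot, which is why the comment sits on the very first line of the page.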

Dec 22, 2009

CVE-2009-4324 Doc.media.newPlayer vulnerability in Adobe Reader/Acrobat v8.0 through 9.2 (DEEP INSIGHT)

BACKGROUND

CVE-2009-4324 was recently assigned to a vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2, and possibly earlier versions. The flaw allows remote attackers to execute arbitrary code and has been exploited in the wild in December 2009.

Adobe has published an updated Security Advisory. They plan to make an update available on January 12th.

Also noteworthy, this PDF vulnerability has been added to Metasploit.

EXPLOITER STAGE

So far 5 malicious PDFs have been discovered in the wild, all collected from received mail (thanks to Contagiodump):

FILENAME | FIND DATE | SIZE (Bytes) | MD5
note200911.pdf | 30/11/2009 | 400,918 | 61baabd6fc12e01ff73ceacc07c84f9a
note_20091210.pdf | 11/12/2009 | 400,918 | 61baabd6fc12e01ff73ceacc07c84f9a
Outline of Interview.pdf | 13/12/2009 | 400,918 | 35e8eeee2b94cbe87e3d3f843ec857f6
merry christmas.pdf | 18/12/2009 | 1,226,811 | 8950bbedf4a7f1d518e859f9800f9347
「寶貝悶」瘋狂照.pdf | 18/12/2009 | 51,822 | 955bade419a9ba9e5650ccb3dda88844

AV vendors use the following names when detecting the malicious PDF document: Exploit.JS.Pdfka.atq (Kaspersky) - Exploit:W32/AdobeReader.UZ (F-Secure) - Exploit-PDF.ag (McAfee) - Trojan.Pidief.H (Symantec) - TROJ_PIDIEF.PGS (Trend Micro)

Let's start analyzing them..

All the malicious PDFs contain a FlatDecode (Zlib) stream which is the vulnerability exploiter. Extracting the malicious stream reveals the obfuscated JavaScript code. The code is simply byte-by-byte XORed (so it's easy to change it to be FUD) and/or escaped:

FILENAME | EXPL STREAM | OBFUSCATION | MD5 Deflated Stream
note200911.pdf | #2 | XORED + ESCAPED | A48DE372FC64BCABCE5BAD6FF98F8BC0
note_20091210.pdf | #2 | | A48DE372FC64BCABCE5BAD6FF98F8BC0
Outline of Interview.pdf | #2 | | A48DE372FC64BCABCE5BAD6FF98F8BC0
merry christmas.pdf | #156 | | 4F9B900ABA7781335F99D49A896B4586
「寶貝悶」瘋狂照.pdf | #3 | HEXED + ESCAPED | 0E63A465066B0C0A6AAA56C1925DE3FC

So we have 3 different exploiters: one common to the first 3 PDFs, and two others in the latest malicious PDFs.

SHELLCODE STAGE

To analyze the SC, un-XOR/unescape it, keeping in mind the byte swap between the unescaped form in memory and the representation stored on disk, or directly use Shell2Exe (thanks to Sandsprite). Then shellcode.exe can be loaded in the debugger.
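As an added example covering the obfuscation layers listed above (FlateDecode plus byte-by-byte XOR and/or escaping, with hex-coding as in the Us-J-India stream of the later post) and the byte-swap note, the Python below builds a constructed obfuscated stream, strips the layers, brute-forces an unknown one-byte XOR key by scoring for JavaScript keywords, and turns an unescape("%u…") literal into the bytes it occupies in memory. This is not code from the post; the script text, key and marker list are constructed for the example and not taken from the real streams.

```python
import re
import zlib

# Constructed stand-in for the decoded exploit script (the post does not
# reproduce the real one); it carries a %u-escaped literal for the unescape step.
SAMPLE_JS = (
    b'function run() {\n'
    b'  var sc = unescape("%u9090%u9090%uC3C3");\n'
    b'  return sc.length;\n'
    b'}\n'
)

def xor_bytes(data, key):
    """Byte-by-byte XOR with a one-byte key; decoding is the same operation."""
    return bytes(b ^ key for b in data)

def inflate_stream(stream):
    """Undo /FlateDecode on an extracted PDF stream body."""
    return zlib.decompress(stream)

def decode_layer(data, xor_key=None, hexed=False):
    """Strip the obfuscation layers seen in these samples: hex-coding (as in the
    Us-J-India stream) and/or a one-byte XOR (as in the note/merry streams)."""
    if hexed:
        data = bytes.fromhex(data.decode("ascii"))
    if xor_key is not None:
        data = xor_bytes(data, xor_key)
    return data

# Constructed marker list used to recognise plausible JavaScript.
JS_MARKERS = (b"function", b"unescape", b"var ", b"eval(", b"this.")

def guess_xor_key(data):
    """Try all 256 one-byte keys and return the one whose output contains the
    most JavaScript markers (useful when the key is not known in advance)."""
    best_key, best_score = 0, -1
    for key in range(256):
        score = sum(xor_bytes(data, key).count(m) for m in JS_MARKERS)
        if score > best_score:
            best_key, best_score = key, score
    return best_key

UNESC_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def unescape_to_bytes(s):
    """JavaScript unescape() reduced to raw bytes: %uXXXX is a UTF-16 code unit
    stored little-endian, so "%u1234" occupies memory as 34 12 (the byte swap
    noted above); %XX is a single byte."""
    out = bytearray()
    for m in UNESC_RE.finditer(s):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)

def extract_shellcode(js):
    """Pull the first unescape("...") literal out of a script and decode it."""
    m = re.search(rb'unescape\("([^"]*)"\)', js)
    return unescape_to_bytes(m.group(1).decode("ascii")) if m else b""

def build_obfuscated_sample(key=0x5A, hexed=False):
    """Constructed counterpart of a malicious stream: XOR the script with a
    one-byte key, optionally hex-code it, then deflate it."""
    data = xor_bytes(SAMPLE_JS, key)
    if hexed:
        data = data.hex().encode("ascii")
    return zlib.compress(data)

if __name__ == "__main__":
    blob = build_obfuscated_sample()
    raw = inflate_stream(blob)
    key = guess_xor_key(raw)
    js = decode_layer(raw, xor_key=key)
    print(f"recovered key {key:#04x}; shellcode {extract_shellcode(js).hex()}")
```

The keyword-scoring step is what makes a one-byte XOR a weak FUD trick: the key space is 256 and the plaintext is known to be JavaScript, so the layer falls in a fraction of a second without any knowledge of the key.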

FILENAME | SHELLCODE | EXPL STREAM | SIZE (Bytes) | MD5 Bytestream
note200911.pdf, note_20091210.pdf, Outline of Interview.pdf | NOTE_SC | #2 | 3,094 | D0C1C15E8C37936E9E199F1F8BAD5A8F
merry christmas.pdf | MERRY_SC | #156 | 460 | F6EA8AA206BDE8BE2B339FE4478C271B
「寶貝悶」瘋狂照.pdf | OTHER_SC | #3 | 594 | 51F1AA0CB6B3E9EF373E3E887D427DD4

>> NOTE_SC

The start function is:

[screenshot: main]

F_main reveals that:

[screenshot: check_sw_find_handle]

1- the shellcode checks for the presence of the software "Kaspersky Internet Scanner", "Kaspersky AV" or "Kingsoft". If one is detected, the shellcode exits without doing any damage. WHY?? Make your own choice or add a new one:

- The PDF was made for a specific targeted attack

- Malguys don't want to be tracked by Kaspersky/Kingsoft

- Malguys don't want to infect themselves!!!

[screenshot: check_dir_code]

!This check can be used as a countermeasure against infection, by creating a fake installation directory for such a program! (the SC checks for the first file or directory found in the following directories):

[screenshot: check_dir]

2- the shellcode finds the handle of the PDF file it was executed from by scanning all existing file handles for a file greater than 6A2H bytes in size and carrying the specific signature 98H 76H 54H 32H at offset -1698d (-6A2H) from EOF. If it is not found, the shellcode exits without further action.

[screenshot: pdf_signature]

3- the shellcode then extracts an embedded raw file from the PDF, finding its start offset by the specific signature "1C 0A D1 20 D1 CE F0 27 10 F8 2F EC AC"

[screenshot: embraw_signature]

followed by the embedded file size (in this case 0002A000h bytes)

[screenshot: embraw_lenght]

4- then the embedded file is dumped to disk as setup.exe and executed

[screenshot: execfile]

That's the level 1 dropper!!
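As an added example (not the shellcode's own logic, and not code from the post), the Python below turns steps 2 and 3 into a scanner a defender can run over a mailbox of PDFs: it checks for 98 76 54 32 at EOF-6A2H, locates the 13-byte raw-file signature and the size field that follows it, and carves the embedded file for further analysis. The sample carrier is constructed; the size field is assumed to be a 32-bit little-endian DWORD, and the four signature bytes are assumed to begin exactly at EOF-6A2H, since the post only gives the values.

```python
import struct

TAIL_SIG = bytes([0x98, 0x76, 0x54, 0x32])
TAIL_OFFSET = 0x6A2                                    # 1698 bytes before EOF
RAW_SIG = bytes.fromhex("1C0AD120D1CEF02710F82FECAC")  # 13-byte marker before the embedded file

def has_carrier_marker(pdf):
    """Step 2 seen from the defender's side: is the file bigger than 6A2H bytes
    and does it carry 98 76 54 32 at EOF-6A2H? (Assumption: the four signature
    bytes begin exactly at that offset.)"""
    return len(pdf) > TAIL_OFFSET and pdf[-TAIL_OFFSET:-TAIL_OFFSET + 4] == TAIL_SIG

def find_embedded(pdf):
    """Step 3: locate the 13-byte signature and read the size that follows it.
    Assumption: the size is a 32-bit little-endian DWORD; the post only gives
    its value (0002A000h). Returns (payload_offset, size) or None."""
    pos = pdf.find(RAW_SIG)
    if pos < 0:
        return None
    size_at = pos + len(RAW_SIG)
    if size_at + 4 > len(pdf):
        return None
    size = struct.unpack_from("<I", pdf, size_at)[0]
    start = size_at + 4
    if start + size > len(pdf):
        return None                    # truncated file or bogus size field
    return start, size

def carve_embedded(pdf):
    """Return the embedded file only when both markers check out, so that a
    benign PDF that merely contains one of them is not flagged."""
    if not has_carrier_marker(pdf):
        return None
    loc = find_embedded(pdf)
    if loc is None:
        return None
    start, size = loc
    return pdf[start:start + size]

# Constructed sample carrier (not one of the real PDFs): a fake PDF body, a
# 20-byte stand-in for the embedded file, and the tail signature at EOF-6A2H.
FAKE_PAYLOAD = b"CONSTRUCTED-PAYLOAD!"
SAMPLE_CARRIER = (
    b"%PDF-1.4\n% padding\n" + b"\x00" * 64
    + RAW_SIG + struct.pack("<I", len(FAKE_PAYLOAD)) + FAKE_PAYLOAD
    + b"\n%%EOF\n"
    + TAIL_SIG + b"\x00" * (TAIL_OFFSET - len(TAIL_SIG))
)
CLEAN_PDF = b"%PDF-1.4\n" + b"\x00" * 0x800 + b"%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_CARRIER), ("clean", CLEAN_PDF)):
        print(name, has_carrier_marker(blob), carve_embedded(blob))
```

Requiring both markers keeps the false-positive rate down when this is used as a mail-gateway check; the carved bytes are what an analyst would hash and compare against the setup.exe dropper rather than executing anything.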

 

Update soon about….

>> MERRY_SC

>> OTHER_SC

LEVEL 1 DROPPER STAGE