Wednesday, February 10, 2010

More flowers with some poison ivy


Mikko Hyppönen from F-Secure posted a nice postcard with a cute tiger and flowers today. Gunther (thank you :)) sent one just like Mikko's as a present to Contagio, and now you can enjoy them too.


What is interesting is that I have this file already, except I received it as a boring "project.pdf" (Jan 13 CVE-2009-4324 Re: Project from spoofed [Redacted]@state.gov 13 Jan 2010 06:17:21 -0000). Of course it is identical to the postcard, despite the uninspiring name.

Update March 8, 2010 - a few additional details thanks to an anonymous contributor (scroll down).




Download  116d92f036f68d325068f3c7bbf1d535.pdf as a password protected archive (please contact me if you need the password)

Download Javascript, shellcode, stage2 shellcode and dropped exe (scroll down for more information)






Virustotal
File 116d92f036f68d325068f3c7bbf1d535.txt received on 2010.02.09 16:24:16 (UTC)
Result: 21/41 (51.22%)
a-squared 4.5.0.50 2010.02.09 Exploit.JS.Pdfka!IK
AhnLab-V3 5.0.0.2 2010.02.09 PDF/Exploit
Authentium 5.2.0.5 2010.02.09 PDF/Expl.FO
BitDefender 7.2 2010.02.09 Exploit.PDF-JS.Gen
CAT-QuickHeal 10.00 2010.02.09 Expoit.PDF.FlateDecode
ClamAV 0.96.0.0-git 2010.02.09 Exploit.PDF-9757
Comodo 3876 2010.02.09 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.02.09 Exploit.PDF.687
eSafe 7.0.17.0 2010.02.09 Win32.Pidief.H
F-Secure 9.0.15370.0 2010.02.09 Exploit.PDF-JS.Gen
GData 19 2010.02.09 Exploit.PDF-JS.Gen
Ikarus T3.1.1.80.0 2010.02.09 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.02.09 Exploit.JS.Pdfka.adn
McAfee-GW-Edition 6.8.5 2010.02.09 Heuristic.BehavesLike.PDF.Shellcode.Z
Microsoft 1.5406 2010.02.09 Exploit:JS/Heapspray
nProtect 2009.1.8.0 2010.02.09 Exploit.PDF-JS.Gen.C02
PCTools 7.0.3.5 2010.02.09 Trojan.Pidief
Sophos 4.50.0 2010.02.09 Troj/PDFJs-GQ
Symantec 20091.2.0.41 2010.02.09 Trojan.Pidief.H
TrendMicro 9.120.0.1004 2010.02.09 TROJ_PDFKA.AK
File size: 149706 bytes
MD5   : 116d92f036f68d325068f3c7bbf1d535

Wepawet has this file on record as Project.pdf (note the Jsand result in the report below: benign)
http://wepawet.iseclab.org/view.php?hash=116d92f036f68d325068f3c7bbf1d535&type=js
Analysis report for Project.pdf
Sample Overview
File Project.pdf
MD5 116d92f036f68d325068f3c7bbf1d535
Analysis Started 2010-01-19 14:15:12
Report Generated 2010-01-19 14:16:24
Jsand version 1.03.02

Detection results
Detector Result
Jsand 1.03.02 benign


F-Secure already pointed out that it generates traffic to 202.150.213.12.
Indeed, there is a lot of traffic on port 443:

      Hostname:    202-150-213-12.rev.ne.com.sg
      ISP:    NewMedia Express Pte Ltd, Singapore Web Hosting
      Organization:    NewMedia Express Pte Ltd, Singapore Web Hosting
      Country:    Singapore
      State/Region:    00
      City:    Singapore

Update March 8, 2010
Here are a few additional details (thanks to an anonymous contributor).
The shellcode resolves its imports via ror7 hashes:
SetFilePointer, GetFileSize, ReadFile, VirtualAlloc.
http://www.google.com/search?q=0xdbacbe43

The GetFileSize file-handle brute force is not exact, but it additionally checks for the signature "0x909083c0" at 0x1510 (the location of the 2nd stage shellcode).
2nd stage shellcode: it XOR-decrypts itself (key 0x97) for 0x700 bytes. To carve it out:
dd if=116d92f036f68d325068f3c7bbf1d535 of=116d92f036f68d325068f3c7bbf1d535.shellcode-stage2.bin skip=5392 bs=1 count=4096
Skip the decryption stub (0x1b) and XOR the rest with 0x97.

Imports via ror7 hashes:
GetModuleFileNameA
GetFileSize
SetFilePointer
CreateFileA
ReadFile
WriteFile
CloseHandle
WinExec
GetTempPathA
CreateProcessA
GetCurrentProcess
TerminateProcess

It gets a file handle to the PDF by exact file size (0x248CA, 149706) and reads from the file at offset 0x6BCE, size 0x906E:
dd if=116d92f036f68d325068f3c7bbf1d535 of=116d92f036f68d325068f3c7bbf1d535.exe.bin bs=1 skip=27598 count=36974
The last byte of the size (0x6E) is used as the XOR key; on every byte the key is decreased by 1.
(This is something you can add to your heuristics.)

After that the embedded PDF is decrypted and Acrobat Reader starts, while the old process gets terminated.
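
The decrementing-XOR heuristic suggested above, sketched in Python as an added example (not code from this post or its contributor). It generalizes the sample's fixed 0x6E key by deriving the start key from the data at each offset. The function names and the test buffer are constructed for illustration, and carve_exe assumes the first byte is XORed with 0x6E before the first decrement.

```python
import struct

# Values quoted in the write-up above for this one sample.
EXE_OFFSET, EXE_SIZE, EXE_KEY = 0x6BCE, 0x906E, 0x6E

def rolling_xor(buf: bytes, key: int, step: int = -1) -> bytes:
    """XOR buf with a key that changes by `step` (mod 256) after each byte."""
    return bytes(b ^ ((key + i * step) & 0xFF) for i, b in enumerate(buf))

def carve_exe(pdf: bytes) -> bytes:
    """Decode the dropped EXE at the offsets above (assumes byte 0 uses 0x6E)."""
    return rolling_xor(pdf[EXE_OFFSET:EXE_OFFSET + EXE_SIZE], EXE_KEY)

def find_rolling_xor_pe(data: bytes, step: int = -1, max_lfanew: int = 0x400):
    """Return [(offset, start_key)] where data decodes to a plausible MZ/PE header.

    The start key is derived from the data, so this generalizes beyond the
    sample's 0x6E key.
    """
    hits = []
    for off in range(len(data) - 0x40):
        key = data[off] ^ 0x4D                        # key that turns this byte into 'M'
        if data[off + 1] ^ ((key + step) & 0xFF) != 0x5A:  # next byte must be 'Z'
            continue
        hdr = rolling_xor(data[off:off + 0x40], key, step)
        lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]    # e_lfanew -> PE header
        if not 0x40 <= lfanew <= max_lfanew or off + lfanew + 4 > len(data):
            continue
        sig = rolling_xor(data[off + lfanew:off + lfanew + 4], key + lfanew * step, step)
        if sig == b"PE\x00\x00":
            hits.append((off, key))
    return hits

def build_constructed_sample():
    """Constructed test input: a minimal fake MZ/PE header hidden in filler bytes."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x80:0x84] = b"PE\x00\x00"
    prefix = b"%PDF-1.4\n".ljust(100, b"\x00")
    blob = prefix + rolling_xor(bytes(pe), EXE_KEY) + b"\n%%EOF\n"
    return blob, len(prefix), bytes(pe)

if __name__ == "__main__":
    blob, offset, plain = build_constructed_sample()
    for off, key in find_rolling_xor_pe(blob):
        print(f"encoded PE header at 0x{off:x}, start key 0x{key:02x}")
```

Requiring both the MZ pair and the PE signature at e_lfanew keeps false positives low; the two-byte MZ check alone also fires on the encoded "PE" bytes of the constructed buffer.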
