Sunday, April 25, 2010

Jan 5 JAVA Exploit Kit Malware #1 by Donato "ratsoul" Ferrante - www.InReverse.net Post #1

The following article was written and published by Donato "ratsoul" Ferrante (http://www.inreverse.net/) on January 5, 2010. His recent Java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010. The DDoS is still in progress today, April 25, 2010. They sent their demands: remove the analysis articles because they hurt their 'business'.
http://www.inreverse.net/ is currently inaccessible; therefore, we are publishing all InReverse Java articles here (this is Post #1), this time together with the malware samples provided by the InReverse crew.


 
Download the 9 files listed below as a password-protected archive (please contact me for the password, if you need it).


All VirusTotal scan results are from April 25, 2010. Compare them with the initial scan results of some of the samples (1/42 and 0/42; see post #5).

  1. 8d499308df04932ed1b58a78417d6fb9.jar from JAVA Exploit Kit Malware #1 (Post #1) - Virustotal 26/40
  2. 7e92d280472ca426aff1c20fbeb8d2db.jar from JAVA Mobile Malware #1 (Post #2) - Virustotal 17/41
  3. 38f083169319d0141532db992d295448.jar from JAVA Sound malware (Post #3) - Virustotal 11/41
  4. 52586e8a85188a0ada59294650c91362.jar from JAVA Sound malware (Post #3) - Virustotal 19/41
  5. 3af7627af6348a76d1bf3b7bf31514e0.jar from JAVA malware family (Post #4) - Virustotal 20/38
  6. a022524cb52223a939ba50043d90ff94.jar from JAVA malware family (Post #4) - Virustotal 21/39
  7. d45a156c76f3c34bac0cf22cb586fdd1.jar from JAVA malware family (Post #4) - Virustotal 16/40
  8. 2138bfc0c92b726a13ff5095bd2f2b72.jar from JAVA Malware evading decompilation (Post #5) - Virustotal 11/39
  9. a0585edf638f5d1c556239d3bfaf08db.jar from JAVA Malware evading decompilation (Post #5) - Virustotal 10/40
--------------------------------------------------
Tuesday, January 5, 2010
Donato "ratsoul" Ferrante

JAVA Exploit Kit Malware #1

This is my first blog post of the new year. New year new target!
I am going to analyze a JAVA exploit kit malware, the md5 is: 8d499308df04932ed1b58a78417d6fb9.

Since our target is a jar containing three class files, we try to get more information about it by using a Java decompiler (e.g. JD).

After decompilation, we have a java package that contains three classes:

  • C1. AppletX.java

  • C2. LoaderX.java

  • C3. PayloadX.java

C1. AppletX.java

Here we have an Applet subclass that mainly does three things:

  1. It deserializes a serialized object;

  2. It grabs two pieces of information via applet parameters: data and cc;

  3. It uses a custom class loader named LoaderX.

The most interesting part is obviously the serialized object.
Do you have any idea what the serialized object is used for in the above code?

Well, I will lead you to the right answer. Just focus on the above AppletX code. If you pay attention, you can see the initialization of localObject, located just above the if test, but there is no explicit initialization of LoaderX.instance anywhere. In fact, the initialization happens inside the deserialization routine... nice, eh?

Here is a visual recap:

Let's examine the custom class loader now.



C2. LoaderX.java


Here is the custom loader; I will report only the relevant parts. It is a custom class loader that inherits from the Java ClassLoader class.


The custom class loader (LoaderX) sets its static "instance" field to "this" so that it is not garbage collected. This trick allows LoaderX to be used after deserialization completes; in fact, it is required in order to use the following method:

The bootstrapPayload method above does the following things:

  1. It loads the payload class (PayloadX), setting its ProtectionDomain;

  2. It sets data and cc parameters for the PayloadX class and then instantiates the PayloadX object.

As we can see, this custom class loader (LoaderX) is used to exploit a Java Runtime Environment (JRE) vulnerability, which is reported here.

Well, we have finished playing with the LoaderX class, let's play with the PayloadX class now :]


C3. PayloadX.java


I will summarize the behaviour of this class with the following diagram:


It uses the data and cc parameters as follows:

  • data: points to a malicious site from which it downloads one or more malware samples.

  • cc: indicates the number of malware samples to download. By default, "null" means one.

So suppose that data is malicious.x/mw and cc is 3.
The method above will download (and execute) the three malware samples located at:

  • malicious.x/mw0

  • malicious.x/mw1

  • malicious.x/mw2

into the system temporary directory of the victim system. Each downloaded file is an EXE with a random number as its name.
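As an added example (not code from the original article, and not the exploit kit's own code), the following Python script performs a static triage of an applet JAR for the three components the analysis describes: a serialized-object resource, a class that extends java/lang/ClassLoader and references defineClass and ProtectionDomain, and a class that downloads and executes files. It parses only the class-file constant pool and header, and reads the first class name from a Java serialization stream. The sample JAR is constructed in memory from minimal class files, so it runs offline without any real sample; the class names AppletX, LoaderX and PayloadX follow the article, while the entry name payload.ser and the indicator string lists are assumptions of this example.

```python
"""Static triage of a Java applet JAR for the components described above.

Added example: not the InReverse article's code nor the exploit kit's.
The sample JAR below is constructed in memory so the script runs offline.
"""
import io
import struct
import zipfile

SERIAL_MAGIC = b"\xac\xed\x00\x05"          # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72        # java.io.ObjectStreamConstants
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Constant-pool tag -> fixed payload size; Utf8 (tag 1) is variable-length.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Constant-pool strings matching each step of the article (assumed lists):
# C1 deserializes and reads applet parameters, C2 defines a class under a
# chosen ProtectionDomain, C3 downloads and runs files.
INDICATORS = {
    "deserialization": {"java/io/ObjectInputStream", "readObject"},
    "custom class definition": {"defineClass", "java/security/ProtectionDomain",
                                "java/security/AllPermission"},
    "applet parameters": {"getParameter"},
    "download and execute": {"java/net/URL", "openStream", "java/lang/Runtime", "exec"},
}


def parse_class(blob):
    """Return (this_class, super_class, set of Utf8 entries) from a class file."""
    if blob[:4] != CLASS_MAGIC:
        raise ValueError("not a class file")
    count = struct.unpack(">H", blob[8:10])[0]   # constant_pool_count
    pos, idx, utf8, class_refs = 10, 1, {}, {}
    while idx < count:
        tag = blob[pos]
        pos += 1
        if tag == 1:                               # CONSTANT_Utf8: u2 length + bytes
            length = struct.unpack(">H", blob[pos:pos + 2])[0]
            utf8[idx] = blob[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        else:
            if tag == 7:                           # CONSTANT_Class: u2 name index
                class_refs[idx] = struct.unpack(">H", blob[pos:pos + 2])[0]
            pos += CP_SIZES[tag]
        idx += 2 if tag in (5, 6) else 1           # Long/Double take two slots
    _flags, this_idx, super_idx = struct.unpack(">HHH", blob[pos:pos + 6])
    return (utf8.get(class_refs.get(this_idx)),
            utf8.get(class_refs.get(super_idx)),
            set(utf8.values()))


def serialized_class_name(blob):
    """Class name of the first object in a Java serialization stream, else None."""
    if not blob.startswith(SERIAL_MAGIC) or blob[4:6] != bytes([TC_OBJECT, TC_CLASSDESC]):
        return None
    length = struct.unpack(">H", blob[6:8])[0]
    return blob[8:8 + length].decode("utf-8", "replace")


def triage_jar(jar_bytes):
    """Map every JAR entry to the set of indicator categories it matches."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            data = jar.read(entry)
            if data.startswith(SERIAL_MAGIC):
                report[entry] = {"serialized object of class " + str(serialized_class_name(data))}
            elif data.startswith(CLASS_MAGIC):
                _name, super_name, strings = parse_class(data)
                hits = {cat for cat, needles in INDICATORS.items() if strings & needles}
                if super_name == "java/lang/ClassLoader":
                    hits.add("extends java/lang/ClassLoader")
                report[entry] = hits
    return report


def build_class(name, super_name, strings=()):
    """Constructed minimal class file: constant pool plus an empty class body."""
    pool = [(1, name.encode()), (7, 1), (1, super_name.encode()), (7, 3)]
    pool += [(1, s.encode()) for s in strings]
    body = b""
    for tag, value in pool:
        payload = struct.pack(">H", value) if tag == 7 else struct.pack(">H", len(value)) + value
        body += bytes([tag]) + payload
    header = CLASS_MAGIC + struct.pack(">HHH", 0, 49, len(pool) + 1)
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    return header + body + struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)


def build_sample_jar():
    """Constructed JAR mirroring the article's three classes and a serialized LoaderX."""
    serialized = SERIAL_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", 7) + b"LoaderX"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("AppletX.class", build_class("AppletX", "java/applet/Applet",
                     ["java/io/ObjectInputStream", "readObject", "getParameter", "data", "cc"]))
        jar.writestr("LoaderX.class", build_class("LoaderX", "java/lang/ClassLoader",
                     ["defineClass", "java/security/ProtectionDomain", "java/security/AllPermission"]))
        jar.writestr("PayloadX.class", build_class("PayloadX", "java/lang/Object",
                     ["java/net/URL", "openStream", "java/lang/Runtime", "exec"]))
        jar.writestr("payload.ser", serialized)          # assumed resource name
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in triage_jar(build_sample_jar()).items():
        print(entry, "->", sorted(hits))
```

On a real JAR, pass the file's bytes to triage_jar; a class extending ClassLoader next to a serialized-object resource and a download-and-execute class is the combination this kit shows, and it is a cheap check to run before spending time in a decompiler.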


Final Notes.

This jar is a pre-built kit that allows infecting victim systems with custom malware by exploiting a well-known JRE vulnerability. The kit is designed to be embedded in malicious web pages and customized via the data and cc applet parameters, which control its behaviour.

That's all. I hope you have enjoyed the reading.

Until next time ;]


VirusTotal results on April 25, 2010


http://www.virustotal.com/analisis/d00fa63f4202a980ab4d854172eed4fce57fcf1fd5cff32e846107982573a91b-1272218810
File a0585edf638f5d1c556239d3bfaf08db.  received on 2010.04.25 18:06:50 (UTC)
Result: 11/41 (26.83%)
Antivirus    Version    Last Update    Result
Avast    4.8.1351.0    2010.04.25    Java:Djewers-L
Avast5    5.0.332.0    2010.04.25    Java:Djewers-L
eSafe    7.0.17.0    2010.04.25    Win32.Horse
Ikarus    T3.1.1.80.0    2010.04.25    Trojan-Downloader.Java.Agent
McAfee    5.400.0.1158    2010.04.25    Exploit-CVE2008-5353
Sophos    4.53.0    2010.04.25    Troj/JavaDL-L
Sunbelt    6221    2010.04.25    Trojan.Java.Agent.c (v)
Symantec    20091.2.0.41    2010.04.25    Trojan Horse
TrendMicro    9.120.0.1004    2010.04.25    JAVA_BYTEVER.DP
TrendMicro-HouseCall    9.120.0.1004    2010.04.25    JAVA_BYTEVER.DP
File size: 43253 bytes
MD5...: a0585edf638f5d1c556239d3bfaf08db


http://www.virustotal.com/analisis/f95aeffa63f809a419dddc32c5bd65e28a1e6d21c587aef4342ac95c07bd9e80-1272218387
File 2138bfc0c92b726a13ff5095bd2f2b72.  received on 2010.04.25 17:59:47 (UTC)
Result: 12/40 (30%)
Antivirus    Version    Last Update    Result
Antiy-AVL    2.0.3.7    2010.04.23    Exploit/Java.CVE-2009-3867
eSafe    7.0.17.0    2010.04.25    Win32.Horse
F-Secure    9.0.15370.0    2010.04.25    Trojan-Downloader:Java/Agent.DIVS
Ikarus    T3.1.1.80.0    2010.04.25    Exploit.Java.Agent
Kaspersky    7.0.0.125    2010.04.25    Exploit.Java.Agent.a
Norman    6.04.11    2010.04.25    JAVA/Byteverify.O
Sophos    4.53.0    2010.04.25    Troj/Agent-NBP
Sunbelt    6221    2010.04.25    Trojan.Java.Byteverify.c (v)
Symantec    20091.2.0.41    2010.04.25    Trojan Horse
TrendMicro    9.120.0.1004    2010.04.25    JAVA_BYTEVER.DP
TrendMicro-HouseCall    9.120.0.1004    2010.04.25    JAVA_BYTEVER.DP
ViRobot    2010.4.24.2293    2010.04.25    JS.EX-Agent.2276
File size: 32260 bytes
MD5...: 2138bfc0c92b726a13ff5095bd2f2b72


http://www.virustotal.com/analisis/fba57ff8cfed809e8fdc1b6647515090933f4dd6f1c3cc0b02d80044c6c50f7b-1272216836
File 38f083169319d0141532db992d295448.  received on 2010.04.25 17:33:56 (UTC)
Result: 20/41 (48.79%)
Antivirus    Version    Last Update    Result
a-squared    4.5.0.50    2010.04.25    Exploit.OSX.Smid.c!A2
AntiVir    8.2.1.224    2010.04.23    JAVA/Dldr.Agen.NA.1
Antiy-AVL    2.0.3.7    2010.04.23    Exploit/OSX.Smid
BitDefender    7.2    2010.04.25    Java.Exploit.Smid.A
Comodo    4678    2010.04.25    Exploit.Java.Agent.~A
DrWeb    5.0.2.03300    2010.04.25    Exploit.Java.10
eTrust-Vet    35.2.7448    2010.04.24    Java/ByteVerify!exploit
F-Secure    9.0.15370.0    2010.04.25    Exploit:OSX/Smid.B
GData    21    2010.04.25    Java.Exploit.Smid.A
Kaspersky    7.0.0.125    2010.04.25    Exploit.OSX.Smid.c
McAfee-GW-Edition    6.8.5    2010.04.23    Java.Dldr.Agen.NA.1
Microsoft    1.5703    2010.04.25    Trojan:Java/Classloader.T
NOD32    5059    2010.04.25    OSX/Exploit.Smid.B
nProtect    2010-04-25.01    2010.04.25    Java.Exploit.Smid.A
PCTools    7.0.3.5    2010.04.25    Trojan.ByteVerify
Sophos    4.53.0    2010.04.25    Troj/Clsldr-U
Symantec    20091.2.0.41    2010.04.25    Trojan.ByteVerify
TrendMicro    9.120.0.1004    2010.04.25    JAVA_BYTEVER.Y
TrendMicro-HouseCall    9.120.0.1004    2010.04.25    JAVA_BYTEVER.Y
VBA32    3.12.12.4    2010.04.23    Exploit.OSX.Smid.c
Additional information
File size: 1955 bytes
MD5...: 38f083169319d0141532db992d295448



http://www.virustotal.com/analisis/ce21ea5e25fe92ef6fa182c7fe588b050021796ea880e277aa7acd6e547f0994-1272218599
File 52586e8a85188a0ada59294650c91362.  received on 2010.04.25 18:03:19 (UTC)
Result: 19/41 (46.35%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.04.25    Exploit.OSX.Smid.b!A2
AntiVir    8.2.1.224    2010.04.23    EXP/Java.mo.232
Antiy-AVL    2.0.3.7    2010.04.23    Exploit/OSX.Smid
BitDefender    7.2    2010.04.25    Java.Exploit.Smid.A
Comodo    4678    2010.04.25    Exploit.Java.Agent.~B
eTrust-Vet    35.2.7448    2010.04.24    JAVA/Smid.A
F-Secure    9.0.15370.0    2010.04.25    Exploit:Java/Agent.NHV
GData    21    2010.04.25    Java.Exploit.Smid.A
Ikarus    T3.1.1.80.0    2010.04.25    Exploit.OSX.Smid
Kaspersky    7.0.0.125    2010.04.25    Exploit.OSX.Smid.b
McAfee-GW-Edition    6.8.5    2010.04.23    Exploit.Java.mo.232
Microsoft    1.5703    2010.04.25    Trojan:Java/Classloader.T
NOD32    5059    2010.04.25    OSX/Exploit.Smid.B
nProtect    2010-04-25.01    2010.04.25    Java.Exploit.Smid.A
PCTools    7.0.3.5    2010.04.25    Exploit.OSX.Smid.b
Symantec    20091.2.0.41    2010.04.25    Trojan.ByteVerify
TrendMicro    9.120.0.1004    2010.04.25    TROJ_SMID.B
TrendMicro-HouseCall    9.120.0.1004    2010.04.25    TROJ_SMID.B
File size: 1847 bytes
MD5...: 52586e8a85188a0ada59294650c91362


http://www.virustotal.com/analisis/b69f0e77a89df3af21c4ad2bae57cdf19dc01edea3cf2958931ebbbe4e428e99-1272241193
File 7e92d280472ca426aff1c20fbeb8d2db.  received on 2010.04.26 00:19:53 (UTC)
Result: 17/41 (41.47%)
Antivirus    Version    Last Update    Result
Antiy-AVL    2.0.3.7    2010.04.23    Trojan/J2ME.Swapi
Avast    4.8.1351.0    2010.04.25    Other:Malware-gen
Avast5    5.0.332.0    2010.04.25    Other:Malware-gen
Comodo    4678    2010.04.25    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.04.26    Java.SMSSend.4
F-Secure    9.0.15370.0    2010.04.26    Riskware:Java/SmsSend.Gen!A
Fortinet    4.0.14.0    2010.04.25    Java/Swapi.KS!tr
GData    21    2010.04.26    Other:Malware-gen
Ikarus    T3.1.1.80.0    2010.04.25    Trojan-SMS
Kaspersky    7.0.0.125    2010.04.26    Trojan-SMS.J2ME.Swapi.k
McAfee    5.400.0.1158    2010.04.26    JS/Downloader-Class.b
NOD32    5059    2010.04.25    probably a variant of Win32/Agent
PCTools    7.0.3.5    2010.04.26    Trojan.Generic
Symantec    20091.2.0.41    2010.04.26    Trojan Horse
TrendMicro    9.120.0.1004    2010.04.25    TROJ_SWAPI.E
TrendMicro-HouseCall    9.120.0.1004    2010.04.26    TROJ_SWAPI.E
VBA32    3.12.12.4    2010.04.23    Trojan-SMS.J2ME.Swapi.k
Additional information
File size: 2903 bytes
MD5...: 7e92d280472ca426aff1c20fbeb8d2db


http://www.virustotal.com/analisis/c52137b3dc1d700ee0b094b995b0da6d3bf13da40bca00d567209ce3cdd1a7cb-1272241740
File 3af7627af6348a76d1bf3b7bf31514e0.  received on 2010.04.26 00:29:00 (UTC)
Result: 21/39 (53.85%)
Antivirus    Version    Last Update    Result
AntiVir    8.2.1.224    2010.04.25    EXP/Java.Bytverif.I
Antiy-AVL    2.0.3.7    2010.04.23    Trojan/Java.Agent
Avast    4.8.1351.0    2010.04.25    Java:Agent-B
Avast5    5.0.332.0    2010.04.25    Java:Agent-B
BitDefender    7.2    2010.04.25    Java.Trojan.Exploit.Bytverify.I
ClamAV    0.96.0.3-git    2010.04.26    Trojan.JS.Selace-1
Comodo    4678    2010.04.25    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.04.26    Exploit.Java.5
F-Secure    9.0.15370.0    2010.04.26    Java.Trojan.Exploit.Bytverify.I
GData    21    2010.04.26    Java.Trojan.Exploit.Bytverify.I
Ikarus    T3.1.1.80.0    2010.04.25    Exploit.Java.BytVerify
Kaspersky    7.0.0.125    2010.04.26    Trojan-Downloader.Java.Agent.as
McAfee-GW-Edition    6.8.5    2010.04.25    Exploit.Java.Bytverif.I
Microsoft    1.5703    2010.04.25    Exploit:Java/CVE-2008-5353.C
NOD32    5059    2010.04.25    Java/TrojanDownloader.Agent.NAG
Norman    6.04.11    2010.04.25    JAVA/ByteVerify.A
PCTools    7.0.3.5    2010.04.26    Trojan.ByteVerify
Sophos    4.53.0    2010.04.26    Troj/ClsLdr-V
Symantec    20091.2.0.41    2010.04.26    Trojan.ByteVerify
TrendMicro    9.120.0.1004    2010.04.25    JAVA_BYTEVER.BN
TrendMicro-HouseCall    9.120.0.1004    2010.04.26    JAVA_BYTEVER.BN
Additional information
File size: 8397 bytes
MD5...: 3af7627af6348a76d1bf3b7bf31514e0



http://www.virustotal.com/analisis/eb4f3bd460824c701f3a99463a16e4307f5a4c111f1dc610d26db82d6436f842-1272242166
File 8d499308df04932ed1b58a78417d6fb9.  received on 2010.04.26 00:36:06 (UTC)
Result: 28/41 (68.3%)
Antivirus    Version    Last Update    Result
a-squared    4.5.0.50    2010.04.25    Trojan-Downloader.Java.OpenStream!IK
AntiVir    8.2.1.224    2010.04.25    JAVA/OpenStream.AE
Antiy-AVL    2.0.3.7    2010.04.23    Trojan/Java.OpenStream
Avast    4.8.1351.0    2010.04.25    Java:Agent-B
Avast5    5.0.332.0    2010.04.25    Java:Agent-B
AVG    9.0.0.787    2010.04.25    Java/OpenStream
BitDefender    7.2    2010.04.26    Trojan.Generic.IS.614610
Comodo    4678    2010.04.25    TrojWare.Win32.Trojan.Agent.~318
DrWeb    5.0.2.03300    2010.04.26    Exploit.CVE2008.5353
eSafe    7.0.17.0    2010.04.25    Win32.TrojanHorse
eTrust-Vet    35.2.7448    2010.04.24    Java/ByteVerify!exploit
F-Secure    9.0.15370.0    2010.04.26    Trojan.Generic.IS.614610
Fortinet    4.0.14.0    2010.04.25    Java/OpenStream.AD!tr.dldr
GData    21    2010.04.26    Trojan.Generic.IS.614610
Ikarus    T3.1.1.80.0    2010.04.25    Trojan-Downloader.Java.OpenStream
Kaspersky    7.0.0.125    2010.04.26    Trojan-Downloader.Java.OpenStream.ad
McAfee    5.400.0.1158    2010.04.26    Exploit-ByteVerify
McAfee-GW-Edition    6.8.5    2010.04.25    Java.OpenStream.AE
Microsoft    1.5703    2010.04.25    Exploit:Java/CVE-2008-5353.B
NOD32    5059    2010.04.25    probably a variant of Win32/Agent
Norman    6.04.11    2010.04.25    Exploit/ByteVerify.A
nProtect    2010-04-25.01    2010.04.25    Trojan.Generic.IS.616012
PCTools    7.0.3.5    2010.04.26    Trojan.Generic
Sophos    4.53.0    2010.04.26    Troj/BytVrfy-C
Symantec    20091.2.0.41    2010.04.26    Trojan Horse
TrendMicro    9.120.0.1004    2010.04.25    JAVA_BYTEVER.AT
TrendMicro-HouseCall    9.120.0.1004    2010.04.26    JAVA_BYTEVER.AT
ViRobot    2010.4.24.2293    2010.04.25    Java.S.OpenStream.2238
Additional information
File size: 4519 bytes
MD5...: 8d499308df04932ed1b58a78417d6fb9 



http://www.virustotal.com/analisis/e5daafafa3eedcff7577a1545a1e45fbaa964547cc46846f8d6ae90d9674ea4f-1272242459
File a022524cb52223a939ba50043d90ff94.  received on 2010.04.26 00:40:59 (UTC)
Result: 23/41 (56.1%)
Antivirus    Version    Last Update    Result
AntiVir    8.2.1.224    2010.04.25    JAVA/OpenStrem.BN.2
Antiy-AVL    2.0.3.7    2010.04.23    Trojan/Java.Agent
Avast    4.8.1351.0    2010.04.25    Java:Agent-B
Avast5    5.0.332.0    2010.04.25    Java:Agent-B
AVG    9.0.0.787    2010.04.25    Generic2_c.TEA
BitDefender    7.2    2010.04.26    Java.Trojan.Exploit.Bytverify.I
ClamAV    0.96.0.3-git    2010.04.26    Trojan.JS.Selace-1
Comodo    4678    2010.04.25    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.04.26    Java.Siggen.11
eSafe    7.0.17.0    2010.04.25    Win32.Horse
eTrust-Vet    35.2.7448    2010.04.24    Java/ByteVerify!exploit
F-Secure    9.0.15370.0    2010.04.26    Java.Trojan.Exploit.Bytverify.I
GData    21    2010.04.26    Java.Trojan.Exploit.Bytverify.I
Ikarus    T3.1.1.80.0    2010.04.25    Exploit.Java.BytVerify
Kaspersky    7.0.0.125    2010.04.26    Trojan-Downloader.Java.Agent.ay
McAfee-GW-Edition    6.8.5    2010.04.25    Java.OpenStrem.BN.2
Microsoft    1.5703    2010.04.25    Trojan:Java/Bytverify
NOD32    5059    2010.04.25    probably a variant of Win32/Agent
Norman    6.04.11    2010.04.25    JAVA/ByteVerify.A
Sophos    4.53.0    2010.04.26    Troj/ClsLdr-Gen
Symantec    20091.2.0.41    2010.04.26    Trojan Horse
TrendMicro    9.120.0.1004    2010.04.25    JS_BYTEVER.AT
TrendMicro-HouseCall    9.120.0.1004    2010.04.26    JS_BYTEVER.AX
Additional information
File size: 9417 bytes
MD5...: a022524cb52223a939ba50043d90ff94 


http://www.virustotal.com/analisis/a19089a18db356fb5ef5cfa78b94a1fd8538381930c5998061d5176c77e136a0-1272243385
File d45a156c76f3c34bac0cf22cb586fdd1.  received on 2010.04.26 00:56:25 (UTC)
Result: 16/40 (40.00%)
Antivirus    Version    Last Update    Result
AntiVir     8.2.1.224     2010.04.25     JAVA/ClassLoad.AD.2
Antiy-AVL     2.0.3.7     2010.04.23     Trojan/Java.Agent
Avast     4.8.1351.0     2010.04.25     Java:Agent-B
Avast5     5.0.332.0     2010.04.25     Java:Agent-B
Comodo     4678     2010.04.25     TrojWare.Java.TrojanDownloader.Agent.av
DrWeb     5.0.2.03300     2010.04.26     Exploit.Java.8
eSafe     7.0.17.0     2010.04.25     Win32.ByteVerify
F-Secure     9.0.15370.0     2010.04.26     Trojan-Downloader:Java/Agent.NWB
Ikarus     T3.1.1.80.0     2010.04.26     Trojan-Downloader.Java.Agent
Kaspersky     7.0.0.125     2010.04.26     Trojan-Downloader.Java.Agent.av
McAfee-GW-Edition     6.8.5     2010.04.25     Java.ClassLoad.AD.2
NOD32     5059     2010.04.25     probably a variant of Java/TrojanDownloader.Agent.NAI
Sophos     4.53.0     2010.04.26     Troj/ByteVer-I
Symantec     20091.2.0.41     2010.04.26     Trojan.ByteVerify
TrendMicro     9.120.0.1004     2010.04.25     TROJ_BYTEVER.BO
Additional information
File size: 7291 bytes
MD5...: d45a156c76f3c34bac0cf22cb586fdd1

