Sunday, April 25, 2010

Mar 7 JAVA Sound Malware by Donato "ratsoul" Ferrante - www.InReverse.net Post #3

Update May 14. The old www.inreverse.net was indefinitely suspended by the provider last month because of the DDoS. The new blog is here: http://blog.inreverse.net/
It is not clear why the guys behind the DDoS got so upset over the old exploits.


The following article was written and published by Donato "ratsoul" Ferrante (www.inreverse.net) on March 7, 2010. His recent Java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010. The DDoS is still in progress today, April 25, 2010. They sent their demands: remove the analysis articles because they hurt their 'business'.
www.inreverse.net is currently inaccessible; therefore, we are publishing the InReverse Java analysis here (this is Post #3), but this time together with the malware samples provided by the InReverse crew. We ask antivirus and security companies to download, analyze, and develop protection (if you have not done so yet). Thank you.

Download the 9 files listed below as a password protected archive (please contact me for the password, if you need it).
All Virustotal scan results are from April 25, 2010. Compare them to the initial scan results of some of the samples (1/42 and 0/42; see post #5).
  1. 8d499308df04932ed1b58a78417d6fb9.jar from JAVA Exploit Kit Malware #1 (Post #1) - Virustotal 26/40
  2. 7e92d280472ca426aff1c20fbeb8d2db.jar from JAVA Mobile Malware #1 (Post #2) - Virustotal 17/41
  3. 38f083169319d0141532db992d295448.jar from JAVA Sound malware (Post #3) - Virustotal 11/41
  4. 52586e8a85188a0ada59294650c91362.jar from JAVA Sound malware (Post #3) - Virustotal 19/41
  5. 3af7627af6348a76d1bf3b7bf31514e0.jar from JAVA malware family (Post #4) - Virustotal 20/38
  6. a022524cb52223a939ba50043d90ff94.jar from JAVA malware family (Post #4) - Virustotal 21/39
  7. d45a156c76f3c34bac0cf22cb586fdd1.jar from JAVA malware family (Post #4) - Virustotal 16/40
  8. 2138bfc0c92b726a13ff5095bd2f2b72.jar from JAVA Malware evading decompilation (Post #5) - Virustotal 11/39
  9. a0585edf638f5d1c556239d3bfaf08db.jar from JAVA Malware evading decompilation (Post #5) - Virustotal 10/40
-----------------------------------------
Sunday, March 7, 2010
Donato "ratsoul" Ferrante
  
JAVA Sound Malware

Hello guys,

I'm sorry for the few posts in the last few weeks, but I was quite busy. Today I am going to analyze another interesting JAVA malware.

Our target is a jar, md5: 38f083169319d0141532db992d295448. The jar contains one class: AppletX.  After using a java decompiler on our target, we will get the AppletX class code.

I will report only the relevant parts. Let's go.
Firstly, the malware tries to discover the operating system in use by calling System.getProperty("os.name"); then it fills str1 according to the O.S. in use.

At this point the malware proceeds by exploiting a vulnerability located in the getSoundBank method [CVE-2009-3867] to execute malicious code on the victim system. It retrieves the parameters sc and np (meaningful names) and then uses the following spray method in order to place the shellcode:

As we can see, this function simply converts the parameters into hex and then calls the real spray method:



This method is the heart, or engine (if you prefer), of the malware. I have underlined the value of the variable i, since I have found another variant of this malware, md5: 52586e8a85188a0ada59294650c91362, that only changes the value of i to a higher value.
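A defender-side check that follows from the analysis above (added here; not code from the InReverse post or from the sample): the script walks the constant pool of every class inside a jar and flags the strings the article describes, namely getSoundBank, os.name and the sc/np applet parameters. The INDICATORS table and the build_jar sample builder are constructed for this example; the class-file layout follows the JVM specification.

```python
import io
import struct
import zipfile
from typing import Dict, List, Set

# Strings the article says AppletX relies on; a constructed heuristic, not a vendor signature.
INDICATORS = {"getSoundBank": "CVE-2009-3867 sink (MidiSystem.getSoundBank)",
              "os.name": "OS fingerprint via System.getProperty(\"os.name\")",
              "sc": "applet parameter 'sc' (shellcode)", "np": "applet parameter 'np' (NOP sled)"}
# Payload width per fixed-size constant-pool tag (JVM spec 4.4); Utf8/Long/Double are handled below.
_FIXED = {3: 4, 4: 4, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constant_pool_strings(data: bytes) -> Set[str]:
    """Return every CONSTANT_Utf8 entry of one class file; only header and pool are read, no code runs."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", data[8:10])[0]
    pos, idx, found = 10, 1, set()
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                          # u2 length followed by modified-UTF-8 bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            found.add(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in (5, 6):                   # Long/Double occupy two pool slots
            pos, idx = pos + 8, idx + 1
        else:
            pos += _FIXED[tag]
        idx += 1
    return found

def score_class(data: bytes) -> Dict[str, str]:
    # Indicators present in one class, mapped to what they mean for this family
    strings = constant_pool_strings(data)
    return {k: v for k, v in INDICATORS.items() if k in strings}

def scan_jar_bytes(jar: bytes) -> Dict[str, Dict[str, str]]:
    """Report each .class inside the jar that matches at least one indicator."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        hits = {n: score_class(z.read(n)) for n in z.namelist() if n.endswith(".class")}
    return {n: h for n, h in hits.items() if h}

def build_jar(classes: Dict[str, List[str]]) -> bytes:
    """Constructed in-memory jar whose classes carry only the given Utf8 pool entries (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, strings in classes.items():
            pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in strings)
            header = b"\xca\xfe\xba\xbe\x00\x00\x00\x31" + struct.pack(">H", len(strings) + 1)
            z.writestr(name, header + pool + b"\x00" * 14)   # zeros: flags, this/super, empty counts
    return buf.getvalue()
```

Running scan_jar_bytes over a jar that contains the sample's AppletX would return that class name with all four indicators; a benign class with none of the strings is not reported.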

This malware is another good reason to turn off all java* contents while browsing the web. As always, feedback and comments are welcome.

I hope you have enjoyed this post.
See you soon ;] 

Virustotal results on April 25, 2010


http://www.virustotal.com/analisis/d00fa63f4202a980ab4d854172eed4fce57fcf1fd5cff32e846107982573a91b-1272218810
File a0585edf638f5d1c556239d3bfaf08db.  received on 2010.04.25 18:06:50 (UTC)
Result: 11/41 (26.83%)
Avast    4.8.1351.0    2010.04.25    Java:Djewers-L
Avast5    5.0.332.0    2010.04.25    Java:Djewers-L
eSafe    7.0.17.0    2010.04.25    Win32.Horse
Ikarus    T3.1.1.80.0    2010.04.25    Trojan-Downloader.Java.Agent
McAfee    5.400.0.1158    2010.04.25    Exploit-CVE2008-5353
Sophos    4.53.0    2010.04.25    Troj/JavaDL-L
Sunbelt    6221    2010.04.25    Trojan.Java.Agent.c (v)
Symantec    20091.2.0.41    2010.04.25    Trojan Horse
TrendMicro    9.120.0.1004    2010.04.25    JAVA_BYTEVER.DP
TrendMicro-HouseCall    9.120.0.1004    2010.04.25    JAVA_BYTEVER.DP
File size: 43253 bytes
MD5...: a0585edf638f5d1c556239d3bfaf08db


http://www.virustotal.com/analisis/f95aeffa63f809a419dddc32c5bd65e28a1e6d21c587aef4342ac95c07bd9e80-1272218387
File 2138bfc0c92b726a13ff5095bd2f2b72.  received on 2010.04.25 17:59:47 (UTC)
Result: 12/40 (30%)
Antiy-AVL    2.0.3.7    2010.04.23    Exploit/Java.CVE-2009-3867
eSafe    7.0.17.0    2010.04.25    Win32.Horse
F-Secure    9.0.15370.0    2010.04.25    Trojan-Downloader:Java/Agent.DIVS
Ikarus    T3.1.1.80.0    2010.04.25    Exploit.Java.Agent
Kaspersky    7.0.0.125    2010.04.25    Exploit.Java.Agent.a
Norman    6.04.11    2010.04.25    JAVA/Byteverify.O
Sophos    4.53.0    2010.04.25    Troj/Agent-NBP
Sunbelt    6221    2010.04.25    Trojan.Java.Byteverify.c (v)
Symantec    20091.2.0.41    2010.04.25    Trojan Horse
TrendMicro    9.120.0.1004    2010.04.25    JAVA_BYTEVER.DP
TrendMicro-HouseCall    9.120.0.1004    2010.04.25    JAVA_BYTEVER.DP
ViRobot    2010.4.24.2293    2010.04.25    JS.EX-Agent.2276
File size: 32260 bytes
MD5...: 2138bfc0c92b726a13ff5095bd2f2b72


http://www.virustotal.com/analisis/fba57ff8cfed809e8fdc1b6647515090933f4dd6f1c3cc0b02d80044c6c50f7b-1272216836
File 38f083169319d0141532db992d295448.  received on 2010.04.25 17:33:56 (UTC)
Result: 20/41 (48.79%)
a-squared    4.5.0.50    2010.04.25    Exploit.OSX.Smid.c!A2
AntiVir    8.2.1.224    2010.04.23    JAVA/Dldr.Agen.NA.1
Antiy-AVL    2.0.3.7    2010.04.23    Exploit/OSX.Smid
BitDefender    7.2    2010.04.25    Java.Exploit.Smid.A
Comodo    4678    2010.04.25    Exploit.Java.Agent.~A
DrWeb    5.0.2.03300    2010.04.25    Exploit.Java.10
eTrust-Vet    35.2.7448    2010.04.24    Java/ByteVerify!exploit
F-Secure    9.0.15370.0    2010.04.25    Exploit:OSX/Smid.B
GData    21    2010.04.25    Java.Exploit.Smid.A
Kaspersky    7.0.0.125    2010.04.25    Exploit.OSX.Smid.c
McAfee-GW-Edition    6.8.5    2010.04.23    Java.Dldr.Agen.NA.1
Microsoft    1.5703    2010.04.25    Trojan:Java/Classloader.T
NOD32    5059    2010.04.25    OSX/Exploit.Smid.B
nProtect    2010-04-25.01    2010.04.25    Java.Exploit.Smid.A
PCTools    7.0.3.5    2010.04.25    Trojan.ByteVerify
Sophos    4.53.0    2010.04.25    Troj/Clsldr-U
Symantec    20091.2.0.41    2010.04.25    Trojan.ByteVerify
TrendMicro    9.120.0.1004    2010.04.25    JAVA_BYTEVER.Y
TrendMicro-HouseCall    9.120.0.1004    2010.04.25    JAVA_BYTEVER.Y
VBA32    3.12.12.4    2010.04.23    Exploit.OSX.Smid.c
Additional information
File size: 1955 bytes
MD5...: 38f083169319d0141532db992d295448



http://www.virustotal.com/analisis/ce21ea5e25fe92ef6fa182c7fe588b050021796ea880e277aa7acd6e547f0994-1272218599
File 52586e8a85188a0ada59294650c91362.  received on 2010.04.25 18:03:19 (UTC)
Result: 19/41 (46.35%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.04.25    Exploit.OSX.Smid.b!A2
AntiVir    8.2.1.224    2010.04.23    EXP/Java.mo.232
Antiy-AVL    2.0.3.7    2010.04.23    Exploit/OSX.Smid
BitDefender    7.2    2010.04.25    Java.Exploit.Smid.A
Comodo    4678    2010.04.25    Exploit.Java.Agent.~B
eTrust-Vet    35.2.7448    2010.04.24    JAVA/Smid.A
F-Secure    9.0.15370.0    2010.04.25    Exploit:Java/Agent.NHV
GData    21    2010.04.25    Java.Exploit.Smid.A
Ikarus    T3.1.1.80.0    2010.04.25    Exploit.OSX.Smid
Kaspersky    7.0.0.125    2010.04.25    Exploit.OSX.Smid.b
McAfee-GW-Edition    6.8.5    2010.04.23    Exploit.Java.mo.232
Microsoft    1.5703    2010.04.25    Trojan:Java/Classloader.T
NOD32    5059    2010.04.25    OSX/Exploit.Smid.B
nProtect    2010-04-25.01    2010.04.25    Java.Exploit.Smid.A
PCTools    7.0.3.5    2010.04.25    Exploit.OSX.Smid.b
Symantec    20091.2.0.41    2010.04.25    Trojan.ByteVerify
TrendMicro    9.120.0.1004    2010.04.25    TROJ_SMID.B
TrendMicro-HouseCall    9.120.0.1004    2010.04.25    TROJ_SMID.B
File size: 1847 bytes
MD5...: 52586e8a85188a0ada59294650c91362


http://www.virustotal.com/analisis/b69f0e77a89df3af21c4ad2bae57cdf19dc01edea3cf2958931ebbbe4e428e99-1272241193
File 7e92d280472ca426aff1c20fbeb8d2db.  received on 2010.04.26 00:19:53 (UTC)
Result: 17/41 (41.47%)
Antiy-AVL    2.0.3.7    2010.04.23    Trojan/J2ME.Swapi
Avast    4.8.1351.0    2010.04.25    Other:Malware-gen
Avast5    5.0.332.0    2010.04.25    Other:Malware-gen
Comodo    4678    2010.04.25    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.04.26    Java.SMSSend.4
F-Secure    9.0.15370.0    2010.04.26    Riskware:Java/SmsSend.Gen!A
Fortinet    4.0.14.0    2010.04.25    Java/Swapi.KS!tr
GData    21    2010.04.26    Other:Malware-gen
Ikarus    T3.1.1.80.0    2010.04.25    Trojan-SMS
Kaspersky    7.0.0.125    2010.04.26    Trojan-SMS.J2ME.Swapi.k
McAfee    5.400.0.1158    2010.04.26    JS/Downloader-Class.b
NOD32    5059    2010.04.25    probably a variant of Win32/Agent
PCTools    7.0.3.5    2010.04.26    Trojan.Generic
Symantec    20091.2.0.41    2010.04.26    Trojan Horse
TrendMicro    9.120.0.1004    2010.04.25    TROJ_SWAPI.E
TrendMicro-HouseCall    9.120.0.1004    2010.04.26    TROJ_SWAPI.E
VBA32    3.12.12.4    2010.04.23    Trojan-SMS.J2ME.Swapi.k
Additional information
File size: 2903 bytes
MD5...: 7e92d280472ca426aff1c20fbeb8d2db


http://www.virustotal.com/analisis/c52137b3dc1d700ee0b094b995b0da6d3bf13da40bca00d567209ce3cdd1a7cb-1272241740
File 3af7627af6348a76d1bf3b7bf31514e0.  received on 2010.04.26 00:29:00 (UTC)
Result: 21/39 (53.85%)
AntiVir    8.2.1.224    2010.04.25    EXP/Java.Bytverif.I
Antiy-AVL    2.0.3.7    2010.04.23    Trojan/Java.Agent
Avast    4.8.1351.0    2010.04.25    Java:Agent-B
Avast5    5.0.332.0    2010.04.25    Java:Agent-B
BitDefender    7.2    2010.04.25    Java.Trojan.Exploit.Bytverify.I
ClamAV    0.96.0.3-git    2010.04.26    Trojan.JS.Selace-1
Comodo    4678    2010.04.25    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.04.26    Exploit.Java.5
F-Secure    9.0.15370.0    2010.04.26    Java.Trojan.Exploit.Bytverify.I
GData    21    2010.04.26    Java.Trojan.Exploit.Bytverify.I
Ikarus    T3.1.1.80.0    2010.04.25    Exploit.Java.BytVerify
Kaspersky    7.0.0.125    2010.04.26    Trojan-Downloader.Java.Agent.as
McAfee-GW-Edition    6.8.5    2010.04.25    Exploit.Java.Bytverif.I
Microsoft    1.5703    2010.04.25    Exploit:Java/CVE-2008-5353.C
NOD32    5059    2010.04.25    Java/TrojanDownloader.Agent.NAG
Norman    6.04.11    2010.04.25    JAVA/ByteVerify.A
PCTools    7.0.3.5    2010.04.26    Trojan.ByteVerify
Sophos    4.53.0    2010.04.26    Troj/ClsLdr-V
Symantec    20091.2.0.41    2010.04.26    Trojan.ByteVerify
TrendMicro    9.120.0.1004    2010.04.25    JAVA_BYTEVER.BN
TrendMicro-HouseCall    9.120.0.1004    2010.04.26    JAVA_BYTEVER.BN
Additional information
File size: 8397 bytes
MD5...: 3af7627af6348a76d1bf3b7bf31514e0



http://www.virustotal.com/analisis/eb4f3bd460824c701f3a99463a16e4307f5a4c111f1dc610d26db82d6436f842-1272242166
File 8d499308df04932ed1b58a78417d6fb9.  received on 2010.04.26 00:36:06 (UTC)
Result: 28/41 (68.3%)
a-squared    4.5.0.50    2010.04.25    Trojan-Downloader.Java.OpenStream!IK
AntiVir    8.2.1.224    2010.04.25    JAVA/OpenStream.AE
Antiy-AVL    2.0.3.7    2010.04.23    Trojan/Java.OpenStream
Avast    4.8.1351.0    2010.04.25    Java:Agent-B
Avast5    5.0.332.0    2010.04.25    Java:Agent-B
AVG    9.0.0.787    2010.04.25    Java/OpenStream
BitDefender    7.2    2010.04.26    Trojan.Generic.IS.614610
Comodo    4678    2010.04.25    TrojWare.Win32.Trojan.Agent.~318
DrWeb    5.0.2.03300    2010.04.26    Exploit.CVE2008.5353
eSafe    7.0.17.0    2010.04.25    Win32.TrojanHorse
eTrust-Vet    35.2.7448    2010.04.24    Java/ByteVerify!exploit
F-Secure    9.0.15370.0    2010.04.26    Trojan.Generic.IS.614610
Fortinet    4.0.14.0    2010.04.25    Java/OpenStream.AD!tr.dldr
GData    21    2010.04.26    Trojan.Generic.IS.614610
Ikarus    T3.1.1.80.0    2010.04.25    Trojan-Downloader.Java.OpenStream
Kaspersky    7.0.0.125    2010.04.26    Trojan-Downloader.Java.OpenStream.ad
McAfee    5.400.0.1158    2010.04.26    Exploit-ByteVerify
McAfee-GW-Edition    6.8.5    2010.04.25    Java.OpenStream.AE
Microsoft    1.5703    2010.04.25    Exploit:Java/CVE-2008-5353.B
NOD32    5059    2010.04.25    probably a variant of Win32/Agent
Norman    6.04.11    2010.04.25    Exploit/ByteVerify.A
nProtect    2010-04-25.01    2010.04.25    Trojan.Generic.IS.616012
PCTools    7.0.3.5    2010.04.26    Trojan.Generic
Sophos    4.53.0    2010.04.26    Troj/BytVrfy-C
Symantec    20091.2.0.41    2010.04.26    Trojan Horse
TrendMicro    9.120.0.1004    2010.04.25    JAVA_BYTEVER.AT
TrendMicro-HouseCall    9.120.0.1004    2010.04.26    JAVA_BYTEVER.AT
ViRobot    2010.4.24.2293    2010.04.25    Java.S.OpenStream.2238
Additional information
File size: 4519 bytes
MD5...: 8d499308df04932ed1b58a78417d6fb9 



http://www.virustotal.com/analisis/e5daafafa3eedcff7577a1545a1e45fbaa964547cc46846f8d6ae90d9674ea4f-1272242459
File a022524cb52223a939ba50043d90ff94.  received on 2010.04.26 00:40:59 (UTC)
Result: 23/41 (56.1%)
AntiVir    8.2.1.224    2010.04.25    JAVA/OpenStrem.BN.2
Antiy-AVL    2.0.3.7    2010.04.23    Trojan/Java.Agent
Avast    4.8.1351.0    2010.04.25    Java:Agent-B
Avast5    5.0.332.0    2010.04.25    Java:Agent-B
AVG    9.0.0.787    2010.04.25    Generic2_c.TEA
BitDefender    7.2    2010.04.26    Java.Trojan.Exploit.Bytverify.I
ClamAV    0.96.0.3-git    2010.04.26    Trojan.JS.Selace-1
Comodo    4678    2010.04.25    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.04.26    Java.Siggen.11
eSafe    7.0.17.0    2010.04.25    Win32.Horse
eTrust-Vet    35.2.7448    2010.04.24    Java/ByteVerify!exploit
F-Secure    9.0.15370.0    2010.04.26    Java.Trojan.Exploit.Bytverify.I
GData    21    2010.04.26    Java.Trojan.Exploit.Bytverify.I
Ikarus    T3.1.1.80.0    2010.04.25    Exploit.Java.BytVerify
Kaspersky    7.0.0.125    2010.04.26    Trojan-Downloader.Java.Agent.ay
McAfee-GW-Edition    6.8.5    2010.04.25    Java.OpenStrem.BN.2
Microsoft    1.5703    2010.04.25    Trojan:Java/Bytverify
NOD32    5059    2010.04.25    probably a variant of Win32/Agent
Norman    6.04.11    2010.04.25    JAVA/ByteVerify.A
Sophos    4.53.0    2010.04.26    Troj/ClsLdr-Gen
Symantec    20091.2.0.41    2010.04.26    Trojan Horse
TrendMicro    9.120.0.1004    2010.04.25    JS_BYTEVER.AT
TrendMicro-HouseCall    9.120.0.1004    2010.04.26    JS_BYTEVER.AX
Additional information
File size: 9417 bytes
MD5...: a022524cb52223a939ba50043d90ff94 


http://www.virustotal.com/analisis/a19089a18db356fb5ef5cfa78b94a1fd8538381930c5998061d5176c77e136a0-1272243385
File d45a156c76f3c34bac0cf22cb586fdd1.  received on 2010.04.26 00:56:25 (UTC)
Result: 16/40 (40.00%)
AntiVir     8.2.1.224     2010.04.25     JAVA/ClassLoad.AD.2
Antiy-AVL     2.0.3.7     2010.04.23     Trojan/Java.Agent
Avast     4.8.1351.0     2010.04.25     Java:Agent-B
Avast5     5.0.332.0     2010.04.25     Java:Agent-B
Comodo     4678     2010.04.25     TrojWare.Java.TrojanDownloader.Agent.av
DrWeb     5.0.2.03300     2010.04.26     Exploit.Java.8
eSafe     7.0.17.0     2010.04.25     Win32.ByteVerify
F-Secure     9.0.15370.0     2010.04.26     Trojan-Downloader:Java/Agent.NWB
Ikarus     T3.1.1.80.0     2010.04.26     Trojan-Downloader.Java.Agent
Kaspersky     7.0.0.125     2010.04.26     Trojan-Downloader.Java.Agent.av
McAfee-GW-Edition     6.8.5     2010.04.25     Java.ClassLoad.AD.2
NOD32     5059     2010.04.25     probably a variant of Java/TrojanDownloader.Agent.NAI
Sophos     4.53.0     2010.04.26     Troj/ByteVer-I
Symantec     20091.2.0.41     2010.04.26     Trojan.ByteVerify
TrendMicro     9.120.0.1004     2010.04.25     TROJ_BYTEVER.BO
Additional information
File size: 7291 bytes
MD5...: d45a156c76f3c34bac0cf22cb586fdd1
