Tuesday, November 29, 2011

Nov 3 CVE-2011-0611 1104statment.pdf analyzed via Cuckoo sandbox


I have been away and busy with all kinds of stuff (some malware-related and some not :) but I am back.
I played a little recently with Cuckoo sandbox, an awesome free sandbox developed by Claudio Guarnieri (Linkedin). The sandbox has been out for several months, is constantly being improved and has gained a lot of fans. You can read the Cuckoo guide here and also follow active discussions on the Malwr forum. I think the sandbox works very well and is very flexible: it can be developed and extended to analyze any (many) kinds of exploits. You can find descriptions of the sandbox online, but I want to post results of the sandbox analysis, something I didn't have a chance to see until I installed it. I will post unfiltered results and results with some minimal processing (conversion of pcaps to text, filtering out search results, etc.). This tool is still in development and you will not get polished reports like you see on ThreatExpert, but they are exportable into a database of your choice, searchable, and "tweakable". If you already tried it a while ago, try it again; I heard the later versions are much better than the earlier ones.


Common Vulnerabilities and Exposures (CVE)

CVE-2011-0611 (Adobe Flash Player memory corruption; in Adobe Reader/Acrobat it is reached through a SWF embedded in the PDF and was patched in authplay.dll, which matches the SWF-based detection names in the scan results below)

General File Information

CVE-2011-0611
File: 1104statment.pdf
Size: 91010 bytes
MD5:  86730A9BC3AB99503322EDA6115C1096

Download

Original Message and Headers

Received: (qmail 3627 invoked from network); 3 Nov 2011 02:53:35 -0000
Received: from msr8.hinet.net (HELO msr8.hinet.net) (168.95.4.108)
xxxxxxxxxxxxxx
Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])
    by msr8.hinet.net (8.14.2/8.14.2) with SMTP id pA32pCaW016745
xxxxxxxxxxxxx
Date: Thu, 3 Nov 2011 10:51:17 +0800
From: "cy.hsiao" <cy.hsiao@msa.hinet.net>
xxxxx
Reply-To: "jun.lun" <jun.lun@msa.hinet.net>
Subject: 1104statment
X-Priority: 1
X-GUID: 2AE71A5A-DDDA-497A-B8B7-1850D647AC9D
X-Mailer: Foxmail 7.0.1.84[cn]
MIME-Version: 1.0
Message-ID: <201111031040202773896@msa.hinet.net>
Content-Type: multipart/mixed;
    boundary="----=_001_NextPart150125300633_=----"
 

Sending host from the Received: header: 60.249.181.163
60.249.0.0 - 60.249.255.255
Taiwan
CHTD, Chunghwa Telecom Co.,Ltd.
Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
Taipei Taiwan 100


Automated Scans

MD5: 86730a9bc3ab99503322eda6115c1096
http://www.virustotal.com/file-scan/report.html?id=8a2b54f64d1866ac8c46c99651cadba1597bc5671cf9b4a966c1d23898b19ce6-1320344807
Submission date: 2011-11-03 18:26:47 (UTC)
Result: 10/42 (23.8%)

Antivirus     Version     Last Update     Result
Avast     6.0.1289.0     2011.11.03     SWF:Dropper [Heur]
BitDefender     7.2     2011.11.03     Script.SWF.C08
F-Secure     9.0.16440.0     2011.11.03     Script.SWF.C08
GData     22     2011.11.03     Script.SWF.C08
Microsoft     1.7801     2011.11.03     Exploit:Win32/Pdfjsc.XD
Norman     6.07.13     2011.11.03     Exploit/2011-0611.A
nProtect     2011-11-03.01     2011.11.03     Script.SWF.C08
Sophos     4.71.0     2011.11.03     Troj/SWFExp-AK
Symantec     20111.2.0.82     2011.11.03     Trojan.Pidief
VirusBuster     14.1.44.0     2011.11.03     SWF.CVE-2011-0609.C


Created files

Trojan Taidoor
Cuckoo sandbox does a great job on binaries (and can capture deleted files too), but for document samples the dropped-file results need more filtering, because Adobe Reader and Office write many legitimate files of their own during the analysis. It also does not calculate hashes for the dropped files.

Dropped files (results of a filtering script):
[2011-11-29 00:13:25] [INFO] Dropped file "C:\APT_1104statment.pdf"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\Documents and Settings\Angie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\WINDOWS\system32\d3d9caps.dat"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\WINDOWS\system32\d3d8caps.dat"
[2011-11-29 00:13:28] [INFO] Dropped file "iso88591"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
[2011-11-29 00:13:29] [INFO] Dropped file "C:\WINDOWS\system32\OLEACCRC.DLL"
[2011-11-29 00:13:29] [INFO] Dropped file "C:\WINDOWS\system32\oleacc.dll"
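The filtering described above, as an added example (this is not the post's own script and not part of Cuckoo): it parses the "Dropped file" lines shown above, drops the guest's copy of the submitted sample and an allowlist of files Windows and Reader write on their own, classifies what is left (executable in Temp, document in Temp as a likely decoy, bare name to review), and adds the MD5/SHA1/SHA256 that Cuckoo does not compute. The allowlist patterns and the extension sets are assumptions to be tuned to your own guest image; the sample log is copied from this post.

```python
import hashlib
import os
import re

# Cuckoo "Dropped file" log lines, copied from the analysis output shown in this post.
SAMPLE_LOG = r"""
[2011-11-29 00:13:25] [INFO] Dropped file "C:\APT_1104statment.pdf"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\Documents and Settings\Angie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\WINDOWS\system32\d3d9caps.dat"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\WINDOWS\system32\d3d8caps.dat"
[2011-11-29 00:13:28] [INFO] Dropped file "iso88591"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
[2011-11-29 00:13:29] [INFO] Dropped file "C:\WINDOWS\system32\OLEACCRC.DLL"
[2011-11-29 00:13:29] [INFO] Dropped file "C:\WINDOWS\system32\oleacc.dll"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[\w+\] Dropped file "(?P<path>[^"]*)"$')

# Assumed allowlist: artifacts Windows XP / Adobe Reader write during a normal run (extend per guest image).
BENIGN = [
    re.compile(r'\\Wallpaper\d*\.bmp$', re.I),            # wallpaper cache written by the shell
    re.compile(r'\\system32\\d3d[89]caps\.dat$', re.I),    # DirectX capability caches
    re.compile(r'\\system32\\oleacc(rc)?\.dll$', re.I),    # MSAA libraries touched by Reader's UI
]
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}  # assumed
DOC_EXTS = {".pdf", ".doc", ".xls", ".ppt", ".rtf"}                                   # assumed


def parse_dropped(log_text):
    """Return (timestamp, guest path) for every 'Dropped file' line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("ts"), m.group("path")))
    return hits


def classify(path):
    """Coarse verdict based on where the file landed and what it is."""
    if "\\" not in path:
        return "bare name, no directory: review manually"
    ext = os.path.splitext(path.rsplit("\\", 1)[-1])[1].lower()
    in_temp = "\\temp\\" in path.lower()
    if ext in EXEC_EXTS:
        return "executable dropped in Temp" if in_temp else "executable dropped outside Temp"
    if ext in DOC_EXTS:
        return "document dropped in Temp (likely decoy shown to the victim)" if in_temp else "document"
    return "other"


def filter_dropped(log_text, sample_path):
    """Drop the guest copy of the submitted sample and allowlisted artifacts; classify the rest."""
    kept = []
    for ts, path in parse_dropped(log_text):
        if path.lower() == sample_path.lower():
            continue
        if any(p.search(path) for p in BENIGN):
            continue
        kept.append({"time": ts, "path": path, "verdict": classify(path)})
    return kept


def hash_bytes(data):
    return {algo: getattr(hashlib, algo)(data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def hash_file(local_path):
    """Hash a copy saved in the analysis 'Files' folder; None if it is not there."""
    if not os.path.isfile(local_path):
        return None
    with open(local_path, "rb") as fh:
        return hash_bytes(fh.read())


if __name__ == "__main__":
    for hit in filter_dropped(SAMPLE_LOG, r"C:\APT_1104statment.pdf"):
        print("%s  %-60s %s" % (hit["time"], hit["verdict"], hit["path"]))
```

On this post's log the script leaves three entries: the bare "iso88591" name, RTHDCPL.exe in Temp (the backdoor), and 1.pdf in Temp (the document the victim actually sees). Point hash_file at the copies Cuckoo stored in the analysis "Files" folder rather than at the guest paths.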

Here is an unfiltered log (you would get all these files in the "Files" analysis folder as well).

This is a zipped folder with the entire unfiltered analysis (use the password scheme or email me if you need it)


www.virustotal.com/file-scan/report.html?id=e4875a7fe94b53f0088b0aedd88a2601b4bee99ed8d8196b547adfdb5cafe638-1322293498
 2011112
Submission date:2011-11-26 07:44:58 (UTC)
Result: 33/43 (76.7%)

Antivirus     Version     Last Update     Result
AhnLab-V3     2011.11.25.00     2011.11.25     Backdoor/Win32.CSon
AntiVir     7.11.18.78     2011.11.25     TR/Hijacker.Gen
Antiy-AVL     2.0.3.7     2011.11.26     Backdoor/Win32.Agent.gen
Avast     6.0.1289.0     2011.11.25     Win32:Malware-gen
AVG     10.0.0.1190     2011.11.25     BackDoor.Generic14.AJZQ
BitDefender     7.2     2011.11.26     Gen:Trojan.Heur.TP.bq1@byoLvWnb
CAT-QuickHeal     12.00     2011.11.25     Backdoor.Agent.bwtk
Comodo     10789     2011.11.26     UnclassifiedMalware
DrWeb     5.0.2.03300     2011.11.26     Trojan.Taidoor
Emsisoft     5.1.0.11     2011.11.26     Backdoor.Win32.Simbot!IK
eSafe     7.0.17.0     2011.11.24     Win32.TRHijacker
F-Secure     9.0.16440.0     2011.11.26     Gen:Trojan.Heur.TP.bq1@byoLvWnb
Fortinet     4.3.370.0     2011.11.26     W32/Injector.JQA!tr
GData     22     2011.11.26     Gen:Trojan.Heur.TP.bq1@byoLvWnb
Ikarus     T3.1.1.109.0     2011.11.26     Backdoor.Win32.Simbot
Jiangmin     13.0.900     2011.11.25     Backdoor/Agent.diki
K7AntiVirus     9.119.5542     2011.11.25     Backdoor
Kaspersky     9.0.0.837     2011.11.26     Backdoor.Win32.Agent.bwtk
McAfee     5.400.0.1158     2011.11.26     Generic BackDoor!dtm
McAfee-GW-Edition     2010.1D     2011.11.25     Generic BackDoor!dtm
Microsoft     1.7801     2011.11.26     Backdoor:Win32/Simbot.gen
NOD32     6660     2011.11.26     a variant of Win32/Injector.JQA
Norman     6.07.13     2011.11.25     W32/Suspicious_Gen2.RUNSA
Panda     10.0.3.5     2011.11.25     Generic Backdoor
PCTools     8.0.0.5     2011.11.26     Backdoor.Trojan
Sophos     4.71.0     2011.11.26     Mal/Simbot-A
Symantec     20111.2.0.82     2011.11.26     Backdoor.Trojan
TheHacker     6.7.0.1.347     2011.11.24     Trojan/Injector.jqa
TrendMicro     9.500.0.1008     2011.11.26     TROJ_GEN.R47C7K4
TrendMicro-HouseCall     9.500.0.1008     2011.11.26     TROJ_GEN.R47C7K4
VBA32     3.12.16.4     2011.11.25     TrojanDownloader.Rubinurd.f
VIPRE     11151     2011.11.26     Trojan.Win32.Generic!BT
VirusBuster     14.1.85.0     2011.11.25     Backdoor.Agent!kZFb0jr2OQ4
Additional information
MD5   : a3a71678576164e93e882392e609a917


Cuckoo also takes many screenshots of the guest desktop during the run to capture the malware's visible behavior (this feature can be turned off); one is shown below.


Traffic

Cuckoo saves a pcap of the guest's network traffic that you can download from the analysis folder. Converting it to text (the listing below is tshark's one-line-per-packet format) can be part of your post-processing routine. Note that in this run only outbound SYNs were captured: the dropped binary retried each host on 443 and then 80, alternating between two addresses, and neither answered during the analysis.


 74  50.331130    10.0.2.15 -> 110.142.12.95 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 76  62.360903    10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 77  65.352406    10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 78  71.361654    10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 81  83.379329    10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 83  86.382691    10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 85  92.391543    10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 89 104.309538    10.0.2.15 -> 108.77.146.124 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 91 107.313022    10.0.2.15 -> 108.77.146.124 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 94 113.321174    10.0.2.15 -> 108.77.146.124 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
100 127.342043    10.0.2.15 -> 110.142.12.95 TCP 1049 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
102 130.345727    10.0.2.15 -> 110.142.12.95 TCP 1049 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
108 136.354881    10.0.2.15 -> 110.142.12.95 TCP 1049 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 
110.142.12.95
hirudo.lnk.telstra.net
Host reachable, 259 ms average
110.142.0.0 - 110.143.255.255
Telstra
Level 12, 242 Exhibition St
Melbourne
VIC 3000
Australia


108.77.146.124

108-77-146-124.lightspeed.tulsok.sbcglobal.net
Host unreachable
108.64.0.0 - 108.95.255.255
AT&T Internet Services
2701 N. Central Expwy # 2205.15
Richardson
TX
75080
United States


Examples of other captures (I will post these files separately)

 42  23.708044    10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
 43  24.209549 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 58.68.224.24
 44  24.213107    10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 48  24.732612 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 49  24.733912    10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 50  24.735034    10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
 51  24.735034 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=1 Ack=236 Win=65535 Len=0
 52  24.736365    10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
 53  24.736428 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=1 Ack=1516 Win=65535 Len=0



 74  40.881943    10.0.2.15 -> 68.87.73.246 DNS Standard query A checkip.dyndns.org
 75  41.032372 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME checkip.dyndns.com A 216.146.39.70 A 91.198.22.70 A 216.146.38.70
 76  41.033219    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 77  41.269469 216.146.39.70 -> 10.0.2.15    TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 78  41.270321    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
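Pulling indicators out of the tshark text above, as an added example (not the post's own post-processing and not part of Cuckoo or tshark): it parses the one-line-per-packet listing, counts outbound SYNs against inbound SYN/ACKs per server and port so that C2 hosts that never answered (both Taidoor hosts above) stand out from those that did, pairs each DNS query with the next response from the same resolver (the response line carries no name), and lists outbound HTTP requests such as the POST to sh.antivirusbar.org. The embedded packets are copied from this post's captures; the guest address 10.0.2.15 is taken from them.

```python
import re
from collections import defaultdict

# tshark one-line-per-packet output copied from this post: the 1104statment.pdf run, then the two "other captures".
SAMPLE = """
 74  50.331130    10.0.2.15 -> 110.142.12.95 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 76  62.360903    10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 77  65.352406    10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 81  83.379329    10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 89 104.309538    10.0.2.15 -> 108.77.146.124 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 42  23.708044    10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
 43  24.209549 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 58.68.224.24
 44  24.213107    10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 48  24.732612 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 50  24.735034    10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
 52  24.736365    10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
 74  40.881943    10.0.2.15 -> 68.87.73.246 DNS Standard query A checkip.dyndns.org
 75  41.032372 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME checkip.dyndns.com A 216.146.39.70 A 91.198.22.70 A 216.146.38.70
 76  41.033219    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 77  41.269469 216.146.39.70 -> 10.0.2.15    TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
"""

GUEST = "10.0.2.15"  # Cuckoo guest address in these captures

PKT_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.*)$")
SYN_RE = re.compile(r"^(\d+) > (\d+) \[SYN\]")
SYNACK_RE = re.compile(r"^(\d+) > (\d+) \[SYN, ACK\]")
QUERY_RE = re.compile(r"Standard query (?:0x[0-9a-fA-F]+ )?A (\S+)")  # newer tshark adds a 0x.. txid
IPV4_RE = re.compile(r"\bA (\d{1,3}(?:\.\d{1,3}){3})")
HTTP_RE = re.compile(r"^(GET|POST|HEAD|PUT) (\S+) HTTP/")


def parse_tshark(text):
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            no, t, src, dst, proto, info = m.groups()
            pkts.append({"no": int(no), "time": float(t), "src": src, "dst": dst, "proto": proto, "info": info})
    return pkts


def tcp_handshakes(pkts, guest=GUEST):
    """Outbound SYNs and inbound SYN/ACKs per (server, server port)."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0})
    for p in pkts:
        if p["proto"] != "TCP":
            continue
        if p["src"] == guest:
            m = SYN_RE.match(p["info"])
            if m:
                stats[(p["dst"], int(m.group(2)))]["syn"] += 1
        elif p["dst"] == guest:
            m = SYNACK_RE.match(p["info"])
            if m:
                stats[(p["src"], int(m.group(1)))]["synack"] += 1
    return dict(stats)


def unanswered(stats):
    """Servers the guest kept knocking on without ever completing a handshake: dead or firewalled C2 candidates."""
    return sorted(k for k, v in stats.items() if v["syn"] and not v["synack"])


def dns_resolutions(pkts, guest=GUEST):
    """Map queried name -> A records, pairing each query with the next response from the same resolver."""
    pending, answers = defaultdict(list), {}
    for p in pkts:
        if p["proto"] != "DNS":
            continue
        if p["src"] == guest:
            m = QUERY_RE.search(p["info"])
            if m:
                pending[p["dst"]].append(m.group(1))
        elif p["dst"] == guest and "query response" in p["info"] and pending[p["src"]]:
            answers[pending[p["src"]].pop(0)] = IPV4_RE.findall(p["info"])
    return answers


def http_requests(pkts, guest=GUEST):
    out = []
    for p in pkts:
        if p["proto"] == "HTTP" and p["src"] == guest:
            m = HTTP_RE.match(p["info"])
            if m:
                out.append((p["dst"], m.group(1), m.group(2)))
    return out


if __name__ == "__main__":
    pkts = parse_tshark(SAMPLE)
    stats = tcp_handshakes(pkts)
    for host, port in unanswered(stats):
        print("no answer from %s:%d after %d SYN(s)" % (host, port, stats[(host, port)]["syn"]))
    for name, ips in dns_resolutions(pkts).items():
        print("DNS %s -> %s" % (name, ", ".join(ips)))
    for dst, method, uri in http_requests(pkts):
        print("HTTP %s %s %s" % (method, dst, uri))
```

Feed it the output of tshark -r dump.pcap (the same summary format as above) for a whole Cuckoo run; unanswered servers, resolved names and request URIs are the indicators worth keeping in your database alongside the file hashes.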


2 comments:

  1. Wow, this is a great article.
    Thank you for posting!