The following article was written and published by Donato "ratsoul" Ferrante (http://www.inreverse.net/) on January 5, 2010. His recent java analysis publications attracted attention of the exploit kit owners who launched a heavy DDoS attack on April 16, 2010. DDoS is still in progress today, April 25, 2010. They sent their demands - remove the analysis articles because it hurts their 'business'.
http://www.inreverse.net/ is currently inaccessible, therefore, we are publishing all InReverse java articles here (this is Post #1) but this time together with the malware samples provided by the InReverse crew.
All Virustotal scan results are from April 25, 2010. Compare to the initial scan results of some of the samples (1/42 a 0/42 - see post #5
- 8d499308df04932ed1b58a78417d6fb9.jar from JAVA Exploit Kit Malware #1 Post #1 Virustotal 26/40
- 7e92d280472ca426aff1c20fbeb8d2db.jar from JAVA Mobile Malware #1 Post #2 Virustotal 17/41
- 38f083169319d0141532db992d295448.jar from JAVA Sound malware Post #3 Virustotal 11/41
- 52586e8a85188a0ada59294650c91362.jar from JAVA Sound malware Post #3 Virustotal 19/41
- 3af7627af6348a76d1bf3b7bf31514e0.jar from JAVA malware family Post #4 Virustotal 20/38
- a022524cb52223a939ba50043d90ff94.jar from JAVA malware family Post #4 Virustotal 21/39
- d45a156c76f3c34bac0cf22cb586fdd1.jar from JAVA malware family Post #4 Virustotal 16/40
- 2138bfc0c92b726a13ff5095bd2f2b72.jar from JAVA Malware evading decompilation Post #5 Virustotal 11/39
- a0585edf638f5d1c556239d3bfaf08db.jar from JAVA Malware evading decompilation Post #5 Virustotal 10/40
Tuesday, January 5, 2010
Donato "ratsoul" Ferrante JAVA Exploit Kit Malware #1
This is my first blog post of the new year. New year new target!
I am going to analyze a JAVA exploit kit malware, the md5 is: 8d499308df04932ed1b58a78417d6fb9.
Since our target is a jar, containing three class files, we try to get more information about it by using a java decompiler (i.e. jd).
After decompilation, we have a java package that contains three classes:
- C1. AppletX.java
- C2. LoaderX.java
- C3. PayloadX.java
C1. AppletX.java
Here we have an Applet subclass that mainly does three things:
- It deserializes a serialized object;
- It grabs a couple of information via applet parameters: data and cc;
- It plays with a custom class loader named: LoaderX.
The most interesting part is the serialized object obviously.
Do you have any idea about the usage of the serialized object in the above code ?
Well, I will lead you to the right answer. Please just focus on the above AppletX code. If you pay attention to the above code, you can see the initialization of localObject, it is located just above the if test. But we can't see any sort of explicit initialization for LoaderX.instance. In fact the initialization lies in the deserialization routine... nice eh ?
Here is a visual recap:Let's examine the custom class loader now.
The custom class loader (LoaderX) sets the "instance" static field to "this", in order to be not garbage collected. This trick allows LoaderX to be used further after the deserialization. In fact it is required in order to use the following method:
The bootstrapPayload method above does the following things:
- It loads the payload class (PayloadX), by setting the ProtectionDomain;
- It sets data and cc parameters for the PayloadX class and then instantiates the PayloadX object.
As we can see, this custom class loader (LoaderX) is used to exploit a Java Runtime Environment (JRE) vulnerability, which is reported here.
Well, we have finished playing with the LoaderX class, let's play with the PayloadX class now :]
C3. PayloadX.java
I will summarize the behaviour of this class with the following schema:It uses data parameter and cc parameter as follow:
- data: points to a malicious site where it will find one or more malwares to download.
- cc: indicates the number of malwares to download. By default "null" means one.
So suppose that data is: malicious.x/mw and cc is: 3.
The above method will download (and execute) the three malwares located at:
- malicious.x/mw0
- malicious.x/mw1
- malicious.x/mw2
into the system temporary directory of the victim system. Each downloaded file will be an EXE file with a random number as name.
Final Notes.
This jar is a pre-built kit that allows to infect victim systems with custom malwares, by exploiting a well known JRE vulnerability. This kit is thought to be embedded into malicious webpages and customized by using data and cc applet parameters to control its behaviour.
It's all.. I hope you have enjoyed the reading.
Alla prossima ;]
Virustotal results on April 25, 2010
http://www.virustotal.com/analisis/d00fa63f4202a980ab4d854172eed4fce57fcf1fd5cff32e846107982573a91b-1272218810
File a0585edf638f5d1c556239d3bfaf08db. received on 2010.04.25 18:06:50 (UTC)
Result: 11/41 (26.83%)
Avast 4.8.1351.0 2010.04.25 Java:Djewers-L
Avast5 5.0.332.0 2010.04.25 Java:Djewers-L
eSafe 7.0.17.0 2010.04.25 Win32.Horse
Ikarus T3.1.1.80.0 2010.04.25 Trojan-Downloader.Java.Agent
McAfee 5.400.0.1158 2010.04.25 Exploit-CVE2008-5353
Sophos 4.53.0 2010.04.25 Troj/JavaDL-L
Sunbelt 6221 2010.04.25 Trojan.Java.Agent.c (v)
Symantec 20091.2.0.41 2010.04.25 Trojan Horse
TrendMicro 9.120.0.1004 2010.04.25 JAVA_BYTEVER.DP
TrendMicro-HouseCall 9.120.0.1004 2010.04.25 JAVA_BYTEVER.DP
File size: 43253 bytes
MD5...: a0585edf638f5d1c556239d3bfaf08db
http://www.virustotal.com/analisis/f95aeffa63f809a419dddc32c5bd65e28a1e6d21c587aef4342ac95c07bd9e80-1272218387
File 2138bfc0c92b726a13ff5095bd2f2b72. received on 2010.04.25 17:59:47 (UTC)
Result: 12/40 (30%)
Antiy-AVL 2.0.3.7 2010.04.23 Exploit/Java.CVE-2009-3867
eSafe 7.0.17.0 2010.04.25 Win32.Horse
F-Secure 9.0.15370.0 2010.04.25 Trojan-Downloader:Java/Agent.DIVS
Ikarus T3.1.1.80.0 2010.04.25 Exploit.Java.Agent
Kaspersky 7.0.0.125 2010.04.25 Exploit.Java.Agent.a
Norman 6.04.11 2010.04.25 JAVA/Byteverify.O
Sophos 4.53.0 2010.04.25 Troj/Agent-NBP
Sunbelt 6221 2010.04.25 Trojan.Java.Byteverify.c (v)
Symantec 20091.2.0.41 2010.04.25 Trojan Horse
TrendMicro 9.120.0.1004 2010.04.25 JAVA_BYTEVER.DP
TrendMicro-HouseCall 9.120.0.1004 2010.04.25 JAVA_BYTEVER.DP
ViRobot 2010.4.24.2293 2010.04.25 JS.EX-Agent.2276
File size: 32260 bytes
MD5...: 2138bfc0c92b726a13ff5095bd2f2b72
http://www.virustotal.com/analisis/fba57ff8cfed809e8fdc1b6647515090933f4dd6f1c3cc0b02d80044c6c50f7b-1272216836 File 38f083169319d0141532db992d295448. received on 2010.04.25 17:33:56 (UTC)
Result: 20/41 (48.79%)
a-squared 4.5.0.50 2010.04.25 Exploit.OSX.Smid.c!A2
AntiVir 8.2.1.224 2010.04.23 JAVA/Dldr.Agen.NA.1
Antiy-AVL 2.0.3.7 2010.04.23 Exploit/OSX.Smid
BitDefender 7.2 2010.04.25 Java.Exploit.Smid.A
Comodo 4678 2010.04.25 Exploit.Java.Agent.~A
DrWeb 5.0.2.03300 2010.04.25 Exploit.Java.10
eTrust-Vet 35.2.7448 2010.04.24 Java/ByteVerify!exploit
F-Secure 9.0.15370.0 2010.04.25 Exploit:OSX/Smid.B
GData 21 2010.04.25 Java.Exploit.Smid.A
Kaspersky 7.0.0.125 2010.04.25 Exploit.OSX.Smid.c
McAfee-GW-Edition 6.8.5 2010.04.23 Java.Dldr.Agen.NA.1
Microsoft 1.5703 2010.04.25 Trojan:Java/Classloader.T
NOD32 5059 2010.04.25 OSX/Exploit.Smid.B
nProtect 2010-04-25.01 2010.04.25 Java.Exploit.Smid.A
PCTools 7.0.3.5 2010.04.25 Trojan.ByteVerify
Sophos 4.53.0 2010.04.25 Troj/Clsldr-U
Symantec 20091.2.0.41 2010.04.25 Trojan.ByteVerify
TrendMicro 9.120.0.1004 2010.04.25 JAVA_BYTEVER.Y
TrendMicro-HouseCall 9.120.0.1004 2010.04.25 JAVA_BYTEVER.Y
VBA32 3.12.12.4 2010.04.23 Exploit.OSX.Smid.c
Additional information
File size: 1955 bytes
MD5...: 38f083169319d0141532db992d295448
http://www.virustotal.com/analisis/ce21ea5e25fe92ef6fa182c7fe588b050021796ea880e277aa7acd6e547f0994-1272218599
File 52586e8a85188a0ada59294650c91362. received on 2010.04.25 18:03:19 (UTC)
Result: 19/41 (46.35%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.25 Exploit.OSX.Smid.b!A2
AntiVir 8.2.1.224 2010.04.23 EXP/Java.mo.232
Antiy-AVL 2.0.3.7 2010.04.23 Exploit/OSX.Smid
BitDefender 7.2 2010.04.25 Java.Exploit.Smid.A
Comodo 4678 2010.04.25 Exploit.Java.Agent.~B
eTrust-Vet 35.2.7448 2010.04.24 JAVA/Smid.A
F-Secure 9.0.15370.0 2010.04.25 Exploit:Java/Agent.NHV
GData 21 2010.04.25 Java.Exploit.Smid.A
Ikarus T3.1.1.80.0 2010.04.25 Exploit.OSX.Smid
Kaspersky 7.0.0.125 2010.04.25 Exploit.OSX.Smid.b
McAfee-GW-Edition 6.8.5 2010.04.23 Exploit.Java.mo.232
Microsoft 1.5703 2010.04.25 Trojan:Java/Classloader.T
NOD32 5059 2010.04.25 OSX/Exploit.Smid.B
nProtect 2010-04-25.01 2010.04.25 Java.Exploit.Smid.A
PCTools 7.0.3.5 2010.04.25 Exploit.OSX.Smid.b
Symantec 20091.2.0.41 2010.04.25 Trojan.ByteVerify
TrendMicro 9.120.0.1004 2010.04.25 TROJ_SMID.B
TrendMicro-HouseCall 9.120.0.1004 2010.04.25 TROJ_SMID.B
File size: 1847 bytes
MD5...: 52586e8a85188a0ada59294650c91362
http://www.virustotal.com/analisis/b69f0e77a89df3af21c4ad2bae57cdf19dc01edea3cf2958931ebbbe4e428e99-1272241193
File 7e92d280472ca426aff1c20fbeb8d2db. received on 2010.04.26 00:19:53 (UTC)
Result: 17/41 (41.47%)
Antiy-AVL 2.0.3.7 2010.04.23 Trojan/J2ME.Swapi
Avast 4.8.1351.0 2010.04.25 Other:Malware-gen
Avast5 5.0.332.0 2010.04.25 Other:Malware-gen
Comodo 4678 2010.04.25 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.04.26 Java.SMSSend.4
F-Secure 9.0.15370.0 2010.04.26 Riskware:Java/SmsSend.Gen!A
Fortinet 4.0.14.0 2010.04.25 Java/Swapi.KS!tr
GData 21 2010.04.26 Other:Malware-gen
Ikarus T3.1.1.80.0 2010.04.25 Trojan-SMS
Kaspersky 7.0.0.125 2010.04.26 Trojan-SMS.J2ME.Swapi.k
McAfee 5.400.0.1158 2010.04.26 JS/Downloader-Class.b
NOD32 5059 2010.04.25 probably a variant of Win32/Agent
PCTools 7.0.3.5 2010.04.26 Trojan.Generic
Symantec 20091.2.0.41 2010.04.26 Trojan Horse
TrendMicro 9.120.0.1004 2010.04.25 TROJ_SWAPI.E
TrendMicro-HouseCall 9.120.0.1004 2010.04.26 TROJ_SWAPI.E
VBA32 3.12.12.4 2010.04.23 Trojan-SMS.J2ME.Swapi.k
Additional information
File size: 2903 bytes
MD5...: 7e92d280472ca426aff1c20fbeb8d2db
http://www.virustotal.com/analisis/c52137b3dc1d700ee0b094b995b0da6d3bf13da40bca00d567209ce3cdd1a7cb-1272241740
File 3af7627af6348a76d1bf3b7bf31514e0. received on 2010.04.26 00:29:00 (UTC)
Result: 21/39 (53.85%)
AntiVir 8.2.1.224 2010.04.25 EXP/Java.Bytverif.I
Antiy-AVL 2.0.3.7 2010.04.23 Trojan/Java.Agent
Avast 4.8.1351.0 2010.04.25 Java:Agent-B
Avast5 5.0.332.0 2010.04.25 Java:Agent-B
BitDefender 7.2 2010.04.25 Java.Trojan.Exploit.Bytverify.I
ClamAV 0.96.0.3-git 2010.04.26 Trojan.JS.Selace-1
Comodo 4678 2010.04.25 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.04.26 Exploit.Java.5
F-Secure 9.0.15370.0 2010.04.26 Java.Trojan.Exploit.Bytverify.I
GData 21 2010.04.26 Java.Trojan.Exploit.Bytverify.I
Ikarus T3.1.1.80.0 2010.04.25 Exploit.Java.BytVerify
Kaspersky 7.0.0.125 2010.04.26 Trojan-Downloader.Java.Agent.as
McAfee-GW-Edition 6.8.5 2010.04.25 Exploit.Java.Bytverif.I
Microsoft 1.5703 2010.04.25 Exploit:Java/CVE-2008-5353.C
NOD32 5059 2010.04.25 Java/TrojanDownloader.Agent.NAG
Norman 6.04.11 2010.04.25 JAVA/ByteVerify.A
PCTools 7.0.3.5 2010.04.26 Trojan.ByteVerify
Sophos 4.53.0 2010.04.26 Troj/ClsLdr-V
Symantec 20091.2.0.41 2010.04.26 Trojan.ByteVerify
TrendMicro 9.120.0.1004 2010.04.25 JAVA_BYTEVER.BN
TrendMicro-HouseCall 9.120.0.1004 2010.04.26 JAVA_BYTEVER.BN
Additional information
File size: 8397 bytes
MD5...: 3af7627af6348a76d1bf3b7bf31514e0
http://www.virustotal.com/analisis/eb4f3bd460824c701f3a99463a16e4307f5a4c111f1dc610d26db82d6436f842-1272242166
File 8d499308df04932ed1b58a78417d6fb9. received on 2010.04.26 00:36:06 (UTC)
Result: 28/41 (68.3%)
a-squared 4.5.0.50 2010.04.25 Trojan-Downloader.Java.OpenStream!IK
AntiVir 8.2.1.224 2010.04.25 JAVA/OpenStream.AE
Antiy-AVL 2.0.3.7 2010.04.23 Trojan/Java.OpenStream
Avast 4.8.1351.0 2010.04.25 Java:Agent-B
Avast5 5.0.332.0 2010.04.25 Java:Agent-B
AVG 9.0.0.787 2010.04.25 Java/OpenStream
BitDefender 7.2 2010.04.26 Trojan.Generic.IS.614610
Comodo 4678 2010.04.25 TrojWare.Win32.Trojan.Agent.~318
DrWeb 5.0.2.03300 2010.04.26 Exploit.CVE2008.5353
eSafe 7.0.17.0 2010.04.25 Win32.TrojanHorse
eTrust-Vet 35.2.7448 2010.04.24 Java/ByteVerify!exploit
F-Secure 9.0.15370.0 2010.04.26 Trojan.Generic.IS.614610
Fortinet 4.0.14.0 2010.04.25 Java/OpenStream.AD!tr.dldr
GData 21 2010.04.26 Trojan.Generic.IS.614610
Ikarus T3.1.1.80.0 2010.04.25 Trojan-Downloader.Java.OpenStream
Kaspersky 7.0.0.125 2010.04.26 Trojan-Downloader.Java.OpenStream.ad
McAfee 5.400.0.1158 2010.04.26 Exploit-ByteVerify
McAfee-GW-Edition 6.8.5 2010.04.25 Java.OpenStream.AE
Microsoft 1.5703 2010.04.25 Exploit:Java/CVE-2008-5353.B
NOD32 5059 2010.04.25 probably a variant of Win32/Agent
Norman 6.04.11 2010.04.25 Exploit/ByteVerify.A
nProtect 2010-04-25.01 2010.04.25 Trojan.Generic.IS.616012
PCTools 7.0.3.5 2010.04.26 Trojan.Generic
Sophos 4.53.0 2010.04.26 Troj/BytVrfy-C
Symantec 20091.2.0.41 2010.04.26 Trojan Horse
TrendMicro 9.120.0.1004 2010.04.25 JAVA_BYTEVER.AT
TrendMicro-HouseCall 9.120.0.1004 2010.04.26 JAVA_BYTEVER.AT
ViRobot 2010.4.24.2293 2010.04.25 Java.S.OpenStream.2238
Additional information
File size: 4519 bytes
MD5...: 8d499308df04932ed1b58a78417d6fb9
http://www.virustotal.com/analisis/e5daafafa3eedcff7577a1545a1e45fbaa964547cc46846f8d6ae90d9674ea4f-1272242459
File a022524cb52223a939ba50043d90ff94. received on 2010.04.26 00:40:59 (UTC)
Result: 23/41 (56.1%)
AntiVir 8.2.1.224 2010.04.25 JAVA/OpenStrem.BN.2
Antiy-AVL 2.0.3.7 2010.04.23 Trojan/Java.Agent
Avast 4.8.1351.0 2010.04.25 Java:Agent-B
Avast5 5.0.332.0 2010.04.25 Java:Agent-B
AVG 9.0.0.787 2010.04.25 Generic2_c.TEA
BitDefender 7.2 2010.04.26 Java.Trojan.Exploit.Bytverify.I
ClamAV 0.96.0.3-git 2010.04.26 Trojan.JS.Selace-1
Comodo 4678 2010.04.25 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.04.26 Java.Siggen.11
eSafe 7.0.17.0 2010.04.25 Win32.Horse
eTrust-Vet 35.2.7448 2010.04.24 Java/ByteVerify!exploit
F-Secure 9.0.15370.0 2010.04.26 Java.Trojan.Exploit.Bytverify.I
GData 21 2010.04.26 Java.Trojan.Exploit.Bytverify.I
Ikarus T3.1.1.80.0 2010.04.25 Exploit.Java.BytVerify
Kaspersky 7.0.0.125 2010.04.26 Trojan-Downloader.Java.Agent.ay
McAfee-GW-Edition 6.8.5 2010.04.25 Java.OpenStrem.BN.2
Microsoft 1.5703 2010.04.25 Trojan:Java/Bytverify
NOD32 5059 2010.04.25 probably a variant of Win32/Agent
Norman 6.04.11 2010.04.25 JAVA/ByteVerify.A
Sophos 4.53.0 2010.04.26 Troj/ClsLdr-Gen
Symantec 20091.2.0.41 2010.04.26 Trojan Horse
TrendMicro 9.120.0.1004 2010.04.25 JS_BYTEVER.AT
TrendMicro-HouseCall 9.120.0.1004 2010.04.26 JS_BYTEVER.AX
Additional information
File size: 9417 bytes
MD5...: a022524cb52223a939ba50043d90ff94
http://www.virustotal.com/analisis/a19089a18db356fb5ef5cfa78b94a1fd8538381930c5998061d5176c77e136a0-1272243385
File d45a156c76f3c34bac0cf22cb586fdd1. received on 2010.04.26 00:56:25 (UTC)
Result: 16/40 (40.00%)
AntiVir 8.2.1.224 2010.04.25 JAVA/ClassLoad.AD.2
Antiy-AVL 2.0.3.7 2010.04.23 Trojan/Java.Agent
Avast 4.8.1351.0 2010.04.25 Java:Agent-B
Avast5 5.0.332.0 2010.04.25 Java:Agent-B
Comodo 4678 2010.04.25 TrojWare.Java.TrojanDownloader.Agent.av
DrWeb 5.0.2.03300 2010.04.26 Exploit.Java.8
eSafe 7.0.17.0 2010.04.25 Win32.ByteVerify
F-Secure 9.0.15370.0 2010.04.26 Trojan-Downloader:Java/Agent.NWB
Ikarus T3.1.1.80.0 2010.04.26 Trojan-Downloader.Java.Agent
Kaspersky 7.0.0.125 2010.04.26 Trojan-Downloader.Java.Agent.av
McAfee-GW-Edition 6.8.5 2010.04.25 Java.ClassLoad.AD.2
NOD32 5059 2010.04.25 probably a variant of Java/TrojanDownloader.Agent.NAI
Sophos 4.53.0 2010.04.26 Troj/ByteVer-I
Symantec 20091.2.0.41 2010.04.26 Trojan.ByteVerify
TrendMicro 9.120.0.1004 2010.04.25 TROJ_BYTEVER.BO
Additional information
File size: 7291 bytes
MD5 : d45a156c76f3c34bac0cf22cb586fdd1
No comments:
Post a Comment