It is not clear why the guys behind the DDoS got so upset over the old exploits
The following article was written and published by Donato "ratsoul" Ferrante (www.inreverse.net) on March 7, 2010. His recent Java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010. The DDoS is still in progress today, April 25, 2010. They sent their demand: remove the analysis articles, because they hurt their 'business'. www.inreverse.net is currently inaccessible, therefore we are publishing the InReverse Java analysis here (this is Post #3), this time together with the malware samples provided by the InReverse crew. We ask antivirus and security companies to download, analyze, and develop protection (if you have not done so yet). Thank you.
Download the 9 files listed below as a password-protected archive (please contact me for the password if you need it).
All VirusTotal scan results are from April 25, 2010. Compare to the initial scan results of some of the samples (1/42 and 0/42; see Post #5).
- 8d499308df04932ed1b58a78417d6fb9.jar from JAVA Exploit Kit Malware #1 Post #1 Virustotal 26/40
- 7e92d280472ca426aff1c20fbeb8d2db.jar from JAVA Mobile Malware #1 Post #2 Virustotal 17/41
- 38f083169319d0141532db992d295448.jar from JAVA Sound malware Post #3 Virustotal 11/41
- 52586e8a85188a0ada59294650c91362.jar from JAVA Sound malware Post #3 Virustotal 19/41
- 3af7627af6348a76d1bf3b7bf31514e0.jar from JAVA malware family Post #4 Virustotal 20/38
- a022524cb52223a939ba50043d90ff94.jar from JAVA malware family Post #4 Virustotal 21/39
- d45a156c76f3c34bac0cf22cb586fdd1.jar from JAVA malware family Post #4 Virustotal 16/40
- 2138bfc0c92b726a13ff5095bd2f2b72.jar from JAVA Malware evading decompilation Post #5 Virustotal 11/39
- a0585edf638f5d1c556239d3bfaf08db.jar from JAVA Malware evading decompilation Post #5 Virustotal 10/40
Sunday, March 7, 2010
Donato "ratsoul" Ferrante
JAVA Sound Malware
Hello guys,
I'm sorry for the few posts in the last few weeks, but I was quite busy. Today I am going to analyze another interesting Java malware.
Our target is a jar, md5: 38f083169319d0141532db992d295448. The jar contains one class: AppletX. After using a Java decompiler on our target, we will get the AppletX class code. I will report only the relevant parts. Let's go.

First, the malware tries to discover the operating system in use by using System.getProperty("os.name"), then it fills str1 according to the O.S. in use.

At this point the malware proceeds by exploiting a vulnerability located in the getSoundBank method [CVE-2009-3867] to execute malicious code on the victim system. It retrieves the parameters sc and np (meaningful names) and then it uses the following spray method in order to place the shellcode:

[decompiled code listing from the original post not reproduced here]

As we can see, this function simply converts the parameters into hex and then it calls the real spray method:

[decompiled code listing from the original post not reproduced here]

This method is the heart or engine (if you prefer) of the malware. I have underlined the value of the variable i, since I have found another variant of this malware (md5: 52586e8a85188a0ada59294650c91362) which only changes the value of i to a higher value.
This malware is another good reason to turn off all java* content while browsing the web. As always, feedback and comments are welcome.
I hope you have enjoyed this post.
See you soon ;]
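A note added to the republished post (this is example code written for this page; it is not the InReverse crew's code and not the malware itself). The analysis above names the pieces an analyst can pivot on without running the applet: the System.getProperty("os.name") probe, the getSoundbank call behind CVE-2009-3867, and the sc/np applet parameters. All of those survive as CONSTANT_Utf8 entries in the class-file constant pool, so a JAR can be triaged by parsing the pool of every .class entry and matching those strings. The script below does that; the indicator list, the Java 6 class version and the constructed AppletX.class/Hello.class sample JAR are assumptions made for the demonstration, not the 38f083169319d0141532db992d295448 sample and not a vendor signature. It will miss samples that build their strings at runtime, which is exactly the trick the "evading decompilation" samples in Post #5 rely on, so treat a clean result as "no plaintext indicators", not as "benign".

```python
"""Static triage of an applet JAR for the indicators the post describes.

Added example (not the InReverse code, not the malware): parse the constant
pool of every .class in a JAR and match its Utf8 entries against indicator
strings taken from the analysis. Indicators and the sample JAR are assumptions.
"""
import io
import struct
import zipfile

# Constant-pool tags from the JVM specification.
CP_UTF8, CP_INTEGER, CP_FLOAT, CP_LONG, CP_DOUBLE, CP_CLASS, CP_STRING = 1, 3, 4, 5, 6, 7, 8
CP_FIELDREF, CP_METHODREF, CP_IFACEMETHODREF, CP_NAMEANDTYPE = 9, 10, 11, 12
CP_METHODHANDLE, CP_METHODTYPE, CP_INVOKEDYNAMIC = 15, 16, 18
FOUR_BYTE = {CP_INTEGER, CP_FLOAT, CP_FIELDREF, CP_METHODREF,
             CP_IFACEMETHODREF, CP_NAMEANDTYPE, CP_INVOKEDYNAMIC}

# Indicator -> meaning; matched case-insensitively against whole Utf8 entries.
# Assumption: the post's decompiled names survive as plaintext in the pool.
INDICATORS = {
    "os.name": "OS fingerprint via System.getProperty(\"os.name\")",
    "getsoundbank": "javax.sound.midi.MidiSystem.getSoundbank (CVE-2009-3867)",
    "sc": "applet parameter 'sc' (shellcode, per the post)",
    "np": "applet parameter 'np' (nop sled, per the post)",
    "getparameter": "applet parameter retrieval",
}


def constant_pool_strings(class_bytes):
    """Return every CONSTANT_Utf8 entry of a class file, in pool order."""
    buf = memoryview(class_bytes)
    if len(buf) < 10 or buf[:4].tobytes() != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file (bad magic)")
    (cp_count,) = struct.unpack_from(">H", buf, 8)
    pos, index, strings = 10, 1, []
    try:
        while index < cp_count:
            tag = buf[pos]
            pos += 1
            if tag == CP_UTF8:
                (length,) = struct.unpack_from(">H", buf, pos)
                pos += 2
                # Spec says modified UTF-8; a plain decode is fine for identifiers.
                strings.append(buf[pos:pos + length].tobytes().decode("utf-8", "replace"))
                pos += length
            elif tag in FOUR_BYTE:
                pos += 4
            elif tag in (CP_LONG, CP_DOUBLE):
                pos += 8
                index += 1  # 8-byte constants occupy two pool slots
            elif tag in (CP_CLASS, CP_STRING, CP_METHODTYPE):
                pos += 2
            elif tag == CP_METHODHANDLE:
                pos += 3
            else:
                raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
            index += 1
    except (struct.error, IndexError):
        raise ValueError("truncated constant pool") from None
    return strings


def scan_jar(jar_bytes):
    """Map each .class entry to {indicator: meaning}; unparseable classes are reported too."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            try:
                entries = {s.lower() for s in constant_pool_strings(jar.read(name))}
            except ValueError as exc:
                findings[name] = {"<parse-error>": str(exc)}
                continue
            hits = {k: v for k, v in INDICATORS.items() if k in entries}
            if hits:
                findings[name] = hits
    return findings


def verdict(hits):
    """Rank one class's hits: getSoundbank together with sc/np is the exploit shape."""
    if "getsoundbank" in hits and ("sc" in hits or "np" in hits):
        return "getSoundbank exploit pattern (CVE-2009-3867 candidate)"
    if "getsoundbank" in hits:
        return "calls getSoundbank; review manually"
    return "weak indicators only" if hits else "clean"


def build_class_file(utf8_entries):
    """Minimal parseable (not loadable) class file carrying the given strings. Test input only."""
    cp = bytearray()
    for s in utf8_entries:
        raw = s.encode("utf-8")
        cp += struct.pack(">BH", CP_UTF8, len(raw)) + raw
    cp += struct.pack(">Bq", CP_LONG, 0x41414141)  # exercises the two-slot rule
    cp_count = len(utf8_entries) + 2 + 1           # entries + long (2 slots) + reserved index 0
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, cp_count)  # major 50 = Java 6
    tail = struct.pack(">HHHHHHH", 0x0021, 1, 1, 0, 0, 0, 0)  # flags, this, super, four zero counts
    return bytes(header + cp + tail)


def build_sample_jar():
    """Constructed look-alike of the post's one-class JAR, plus a benign class."""
    applet = build_class_file(["AppletX", "java/applet/Applet", "init", "os.name",
                               "java/lang/System", "getProperty", "getParameter", "sc", "np",
                               "javax/sound/midi/MidiSystem", "getSoundbank", "spray"])
    benign = build_class_file(["Hello", "java/lang/Object", "main", "Hello, world"])
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("AppletX.class", applet)
        jar.writestr("Hello.class", benign)
    return out.getvalue()


if __name__ == "__main__":
    for cls, hits in scan_jar(build_sample_jar()).items():
        print(cls, "->", verdict(hits), sorted(hits))
```

To run it against a real sample, pass `open(path, "rb").read()` to `scan_jar` instead of `build_sample_jar()`. Matching is done on whole constant-pool entries, so the two-letter parameter names sc and np only fire when they appear as stand-alone string literals, which keeps false positives down; the two-slot rule for CONSTANT_Long/Double is the usual mistake in hand-written pool parsers, and the constructed class file deliberately includes one to exercise it.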
Virustotal results on April 25, 2010
http://www.virustotal.com/analisis/d00fa63f4202a980ab4d854172eed4fce57fcf1fd5cff32e846107982573a91b-1272218810
File a0585edf638f5d1c556239d3bfaf08db. received on 2010.04.25 18:06:50 (UTC)
Result: 11/41 (26.83%)
Avast 4.8.1351.0 2010.04.25 Java:Djewers-L
Avast5 5.0.332.0 2010.04.25 Java:Djewers-L
eSafe 7.0.17.0 2010.04.25 Win32.Horse
Ikarus T3.1.1.80.0 2010.04.25 Trojan-Downloader.Java.Agent
McAfee 5.400.0.1158 2010.04.25 Exploit-CVE2008-5353
Sophos 4.53.0 2010.04.25 Troj/JavaDL-L
Sunbelt 6221 2010.04.25 Trojan.Java.Agent.c (v)
Symantec 20091.2.0.41 2010.04.25 Trojan Horse
TrendMicro 9.120.0.1004 2010.04.25 JAVA_BYTEVER.DP
TrendMicro-HouseCall 9.120.0.1004 2010.04.25 JAVA_BYTEVER.DP
File size: 43253 bytes
MD5...: a0585edf638f5d1c556239d3bfaf08db
http://www.virustotal.com/analisis/f95aeffa63f809a419dddc32c5bd65e28a1e6d21c587aef4342ac95c07bd9e80-1272218387
File 2138bfc0c92b726a13ff5095bd2f2b72. received on 2010.04.25 17:59:47 (UTC)
Result: 12/40 (30%)
Antiy-AVL 2.0.3.7 2010.04.23 Exploit/Java.CVE-2009-3867
eSafe 7.0.17.0 2010.04.25 Win32.Horse
F-Secure 9.0.15370.0 2010.04.25 Trojan-Downloader:Java/Agent.DIVS
Ikarus T3.1.1.80.0 2010.04.25 Exploit.Java.Agent
Kaspersky 7.0.0.125 2010.04.25 Exploit.Java.Agent.a
Norman 6.04.11 2010.04.25 JAVA/Byteverify.O
Sophos 4.53.0 2010.04.25 Troj/Agent-NBP
Sunbelt 6221 2010.04.25 Trojan.Java.Byteverify.c (v)
Symantec 20091.2.0.41 2010.04.25 Trojan Horse
TrendMicro 9.120.0.1004 2010.04.25 JAVA_BYTEVER.DP
TrendMicro-HouseCall 9.120.0.1004 2010.04.25 JAVA_BYTEVER.DP
ViRobot 2010.4.24.2293 2010.04.25 JS.EX-Agent.2276
File size: 32260 bytes
MD5...: 2138bfc0c92b726a13ff5095bd2f2b72
http://www.virustotal.com/analisis/fba57ff8cfed809e8fdc1b6647515090933f4dd6f1c3cc0b02d80044c6c50f7b-1272216836
File 38f083169319d0141532db992d295448. received on 2010.04.25 17:33:56 (UTC)
Result: 20/41 (48.79%)
a-squared 4.5.0.50 2010.04.25 Exploit.OSX.Smid.c!A2
AntiVir 8.2.1.224 2010.04.23 JAVA/Dldr.Agen.NA.1
Antiy-AVL 2.0.3.7 2010.04.23 Exploit/OSX.Smid
BitDefender 7.2 2010.04.25 Java.Exploit.Smid.A
Comodo 4678 2010.04.25 Exploit.Java.Agent.~A
DrWeb 5.0.2.03300 2010.04.25 Exploit.Java.10
eTrust-Vet 35.2.7448 2010.04.24 Java/ByteVerify!exploit
F-Secure 9.0.15370.0 2010.04.25 Exploit:OSX/Smid.B
GData 21 2010.04.25 Java.Exploit.Smid.A
Kaspersky 7.0.0.125 2010.04.25 Exploit.OSX.Smid.c
McAfee-GW-Edition 6.8.5 2010.04.23 Java.Dldr.Agen.NA.1
Microsoft 1.5703 2010.04.25 Trojan:Java/Classloader.T
NOD32 5059 2010.04.25 OSX/Exploit.Smid.B
nProtect 2010-04-25.01 2010.04.25 Java.Exploit.Smid.A
PCTools 7.0.3.5 2010.04.25 Trojan.ByteVerify
Sophos 4.53.0 2010.04.25 Troj/Clsldr-U
Symantec 20091.2.0.41 2010.04.25 Trojan.ByteVerify
TrendMicro 9.120.0.1004 2010.04.25 JAVA_BYTEVER.Y
TrendMicro-HouseCall 9.120.0.1004 2010.04.25 JAVA_BYTEVER.Y
VBA32 3.12.12.4 2010.04.23 Exploit.OSX.Smid.c
Additional information
File size: 1955 bytes
MD5...: 38f083169319d0141532db992d295448
http://www.virustotal.com/analisis/ce21ea5e25fe92ef6fa182c7fe588b050021796ea880e277aa7acd6e547f0994-1272218599
File 52586e8a85188a0ada59294650c91362. received on 2010.04.25 18:03:19 (UTC)
Result: 19/41 (46.35%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.25 Exploit.OSX.Smid.b!A2
AntiVir 8.2.1.224 2010.04.23 EXP/Java.mo.232
Antiy-AVL 2.0.3.7 2010.04.23 Exploit/OSX.Smid
BitDefender 7.2 2010.04.25 Java.Exploit.Smid.A
Comodo 4678 2010.04.25 Exploit.Java.Agent.~B
eTrust-Vet 35.2.7448 2010.04.24 JAVA/Smid.A
F-Secure 9.0.15370.0 2010.04.25 Exploit:Java/Agent.NHV
GData 21 2010.04.25 Java.Exploit.Smid.A
Ikarus T3.1.1.80.0 2010.04.25 Exploit.OSX.Smid
Kaspersky 7.0.0.125 2010.04.25 Exploit.OSX.Smid.b
McAfee-GW-Edition 6.8.5 2010.04.23 Exploit.Java.mo.232
Microsoft 1.5703 2010.04.25 Trojan:Java/Classloader.T
NOD32 5059 2010.04.25 OSX/Exploit.Smid.B
nProtect 2010-04-25.01 2010.04.25 Java.Exploit.Smid.A
PCTools 7.0.3.5 2010.04.25 Exploit.OSX.Smid.b
Symantec 20091.2.0.41 2010.04.25 Trojan.ByteVerify
TrendMicro 9.120.0.1004 2010.04.25 TROJ_SMID.B
TrendMicro-HouseCall 9.120.0.1004 2010.04.25 TROJ_SMID.B
File size: 1847 bytes
MD5...: 52586e8a85188a0ada59294650c91362
http://www.virustotal.com/analisis/b69f0e77a89df3af21c4ad2bae57cdf19dc01edea3cf2958931ebbbe4e428e99-1272241193
File 7e92d280472ca426aff1c20fbeb8d2db. received on 2010.04.26 00:19:53 (UTC)
Result: 17/41 (41.47%)
Antiy-AVL 2.0.3.7 2010.04.23 Trojan/J2ME.Swapi
Avast 4.8.1351.0 2010.04.25 Other:Malware-gen
Avast5 5.0.332.0 2010.04.25 Other:Malware-gen
Comodo 4678 2010.04.25 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.04.26 Java.SMSSend.4
F-Secure 9.0.15370.0 2010.04.26 Riskware:Java/SmsSend.Gen!A
Fortinet 4.0.14.0 2010.04.25 Java/Swapi.KS!tr
GData 21 2010.04.26 Other:Malware-gen
Ikarus T3.1.1.80.0 2010.04.25 Trojan-SMS
Kaspersky 7.0.0.125 2010.04.26 Trojan-SMS.J2ME.Swapi.k
McAfee 5.400.0.1158 2010.04.26 JS/Downloader-Class.b
NOD32 5059 2010.04.25 probably a variant of Win32/Agent
PCTools 7.0.3.5 2010.04.26 Trojan.Generic
Symantec 20091.2.0.41 2010.04.26 Trojan Horse
TrendMicro 9.120.0.1004 2010.04.25 TROJ_SWAPI.E
TrendMicro-HouseCall 9.120.0.1004 2010.04.26 TROJ_SWAPI.E
VBA32 3.12.12.4 2010.04.23 Trojan-SMS.J2ME.Swapi.k
Additional information
File size: 2903 bytes
MD5...: 7e92d280472ca426aff1c20fbeb8d2db
http://www.virustotal.com/analisis/c52137b3dc1d700ee0b094b995b0da6d3bf13da40bca00d567209ce3cdd1a7cb-1272241740
File 3af7627af6348a76d1bf3b7bf31514e0. received on 2010.04.26 00:29:00 (UTC)
Result: 21/39 (53.85%)
AntiVir 8.2.1.224 2010.04.25 EXP/Java.Bytverif.I
Antiy-AVL 2.0.3.7 2010.04.23 Trojan/Java.Agent
Avast 4.8.1351.0 2010.04.25 Java:Agent-B
Avast5 5.0.332.0 2010.04.25 Java:Agent-B
BitDefender 7.2 2010.04.25 Java.Trojan.Exploit.Bytverify.I
ClamAV 0.96.0.3-git 2010.04.26 Trojan.JS.Selace-1
Comodo 4678 2010.04.25 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.04.26 Exploit.Java.5
F-Secure 9.0.15370.0 2010.04.26 Java.Trojan.Exploit.Bytverify.I
GData 21 2010.04.26 Java.Trojan.Exploit.Bytverify.I
Ikarus T3.1.1.80.0 2010.04.25 Exploit.Java.BytVerify
Kaspersky 7.0.0.125 2010.04.26 Trojan-Downloader.Java.Agent.as
McAfee-GW-Edition 6.8.5 2010.04.25 Exploit.Java.Bytverif.I
Microsoft 1.5703 2010.04.25 Exploit:Java/CVE-2008-5353.C
NOD32 5059 2010.04.25 Java/TrojanDownloader.Agent.NAG
Norman 6.04.11 2010.04.25 JAVA/ByteVerify.A
PCTools 7.0.3.5 2010.04.26 Trojan.ByteVerify
Sophos 4.53.0 2010.04.26 Troj/ClsLdr-V
Symantec 20091.2.0.41 2010.04.26 Trojan.ByteVerify
TrendMicro 9.120.0.1004 2010.04.25 JAVA_BYTEVER.BN
TrendMicro-HouseCall 9.120.0.1004 2010.04.26 JAVA_BYTEVER.BN
Additional information
File size: 8397 bytes
MD5...: 3af7627af6348a76d1bf3b7bf31514e0
http://www.virustotal.com/analisis/eb4f3bd460824c701f3a99463a16e4307f5a4c111f1dc610d26db82d6436f842-1272242166
File 8d499308df04932ed1b58a78417d6fb9. received on 2010.04.26 00:36:06 (UTC)
Result: 28/41 (68.3%)
a-squared 4.5.0.50 2010.04.25 Trojan-Downloader.Java.OpenStream!IK
AntiVir 8.2.1.224 2010.04.25 JAVA/OpenStream.AE
Antiy-AVL 2.0.3.7 2010.04.23 Trojan/Java.OpenStream
Avast 4.8.1351.0 2010.04.25 Java:Agent-B
Avast5 5.0.332.0 2010.04.25 Java:Agent-B
AVG 9.0.0.787 2010.04.25 Java/OpenStream
BitDefender 7.2 2010.04.26 Trojan.Generic.IS.614610
Comodo 4678 2010.04.25 TrojWare.Win32.Trojan.Agent.~318
DrWeb 5.0.2.03300 2010.04.26 Exploit.CVE2008.5353
eSafe 7.0.17.0 2010.04.25 Win32.TrojanHorse
eTrust-Vet 35.2.7448 2010.04.24 Java/ByteVerify!exploit
F-Secure 9.0.15370.0 2010.04.26 Trojan.Generic.IS.614610
Fortinet 4.0.14.0 2010.04.25 Java/OpenStream.AD!tr.dldr
GData 21 2010.04.26 Trojan.Generic.IS.614610
Ikarus T3.1.1.80.0 2010.04.25 Trojan-Downloader.Java.OpenStream
Kaspersky 7.0.0.125 2010.04.26 Trojan-Downloader.Java.OpenStream.ad
McAfee 5.400.0.1158 2010.04.26 Exploit-ByteVerify
McAfee-GW-Edition 6.8.5 2010.04.25 Java.OpenStream.AE
Microsoft 1.5703 2010.04.25 Exploit:Java/CVE-2008-5353.B
NOD32 5059 2010.04.25 probably a variant of Win32/Agent
Norman 6.04.11 2010.04.25 Exploit/ByteVerify.A
nProtect 2010-04-25.01 2010.04.25 Trojan.Generic.IS.616012
PCTools 7.0.3.5 2010.04.26 Trojan.Generic
Sophos 4.53.0 2010.04.26 Troj/BytVrfy-C
Symantec 20091.2.0.41 2010.04.26 Trojan Horse
TrendMicro 9.120.0.1004 2010.04.25 JAVA_BYTEVER.AT
TrendMicro-HouseCall 9.120.0.1004 2010.04.26 JAVA_BYTEVER.AT
ViRobot 2010.4.24.2293 2010.04.25 Java.S.OpenStream.2238
Additional information
File size: 4519 bytes
MD5...: 8d499308df04932ed1b58a78417d6fb9
http://www.virustotal.com/analisis/e5daafafa3eedcff7577a1545a1e45fbaa964547cc46846f8d6ae90d9674ea4f-1272242459
File a022524cb52223a939ba50043d90ff94. received on 2010.04.26 00:40:59 (UTC)
Result: 23/41 (56.1%)
AntiVir 8.2.1.224 2010.04.25 JAVA/OpenStrem.BN.2
Antiy-AVL 2.0.3.7 2010.04.23 Trojan/Java.Agent
Avast 4.8.1351.0 2010.04.25 Java:Agent-B
Avast5 5.0.332.0 2010.04.25 Java:Agent-B
AVG 9.0.0.787 2010.04.25 Generic2_c.TEA
BitDefender 7.2 2010.04.26 Java.Trojan.Exploit.Bytverify.I
ClamAV 0.96.0.3-git 2010.04.26 Trojan.JS.Selace-1
Comodo 4678 2010.04.25 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.04.26 Java.Siggen.11
eSafe 7.0.17.0 2010.04.25 Win32.Horse
eTrust-Vet 35.2.7448 2010.04.24 Java/ByteVerify!exploit
F-Secure 9.0.15370.0 2010.04.26 Java.Trojan.Exploit.Bytverify.I
GData 21 2010.04.26 Java.Trojan.Exploit.Bytverify.I
Ikarus T3.1.1.80.0 2010.04.25 Exploit.Java.BytVerify
Kaspersky 7.0.0.125 2010.04.26 Trojan-Downloader.Java.Agent.ay
McAfee-GW-Edition 6.8.5 2010.04.25 Java.OpenStrem.BN.2
Microsoft 1.5703 2010.04.25 Trojan:Java/Bytverify
NOD32 5059 2010.04.25 probably a variant of Win32/Agent
Norman 6.04.11 2010.04.25 JAVA/ByteVerify.A
Sophos 4.53.0 2010.04.26 Troj/ClsLdr-Gen
Symantec 20091.2.0.41 2010.04.26 Trojan Horse
TrendMicro 9.120.0.1004 2010.04.25 JS_BYTEVER.AT
TrendMicro-HouseCall 9.120.0.1004 2010.04.26 JS_BYTEVER.AX
Additional information
File size: 9417 bytes
MD5...: a022524cb52223a939ba50043d90ff94
http://www.virustotal.com/analisis/a19089a18db356fb5ef5cfa78b94a1fd8538381930c5998061d5176c77e136a0-1272243385
File d45a156c76f3c34bac0cf22cb586fdd1. received on 2010.04.26 00:56:25 (UTC)
Result: 16/40 (40.00%)
AntiVir 8.2.1.224 2010.04.25 JAVA/ClassLoad.AD.2
Antiy-AVL 2.0.3.7 2010.04.23 Trojan/Java.Agent
Avast 4.8.1351.0 2010.04.25 Java:Agent-B
Avast5 5.0.332.0 2010.04.25 Java:Agent-B
Comodo 4678 2010.04.25 TrojWare.Java.TrojanDownloader.Agent.av
DrWeb 5.0.2.03300 2010.04.26 Exploit.Java.8
eSafe 7.0.17.0 2010.04.25 Win32.ByteVerify
F-Secure 9.0.15370.0 2010.04.26 Trojan-Downloader:Java/Agent.NWB
Ikarus T3.1.1.80.0 2010.04.26 Trojan-Downloader.Java.Agent
Kaspersky 7.0.0.125 2010.04.26 Trojan-Downloader.Java.Agent.av
McAfee-GW-Edition 6.8.5 2010.04.25 Java.ClassLoad.AD.2
NOD32 5059 2010.04.25 probably a variant of Java/TrojanDownloader.Agent.NAI
Sophos 4.53.0 2010.04.26 Troj/ByteVer-I
Symantec 20091.2.0.41 2010.04.26 Trojan.ByteVerify
TrendMicro 9.120.0.1004 2010.04.25 TROJ_BYTEVER.BO
Additional information
File size: 7291 bytes
MD5...: d45a156c76f3c34bac0cf22cb586fdd1